I Introduction
Over the last three decades, public key cryptosystems (Diffie-Hellman key exchange, the RSA cryptosystem, the digital signature algorithm (DSA), and elliptic curve cryptosystems) have become a crucial component of cyber security. Their security depends on the difficulty of a handful of number-theoretic problems (integer factorization or the discrete logarithm problem). Table 1 shows the present status of several cryptosystems [128]. Shor's algorithm is well known in the field of cryptography given its potential application in breaking various cryptosystems, such as the RSA algorithm and elliptic curve cryptography [129]. All of these public key cryptosystems can be attacked in polynomial time using Shor's algorithm.
Table 1: Present status of several cryptosystems

| Cryptosystem                              | Broken by quantum algorithms? |
|-------------------------------------------|-------------------------------|
| Diffie-Hellman key exchange [153]         | Broken                        |
| RSA public key encryption [154]           | Broken                        |
| Algebraically homomorphic [155]           | Broken                        |
| Buchmann-Williams key exchange [157]      | Broken                        |
| Elliptic curve cryptography [156]         | Broken                        |
| NTRU public key encryption [159]          | Not broken yet                |
| McEliece public key encryption [158]      | Not broken yet                |
| Lattice-based public key encryption [160] | Not broken yet                |
Post-quantum cryptography offers secure alternatives. The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers and compatible with existing communication protocols and networks. Apart from RSA, DSA, and ECDSA, there are other important classes of cryptographic systems, which include code-based, lattice-based, hash-based, multivariate-quadratic-equation and secret-key cryptosystems.
Code-based cryptography [161] generally refers to cryptosystems in which the algorithmic primitive uses an error-correcting code C. This primitive may consist of adding an error to a word of C or of computing a syndrome relative to a parity-check matrix of C. There are several codes for which efficient decoders are known. Fig. 1 shows several codes proposed and broken in code-based cryptography.
In 1949, Golay [162] discovered Golay codes. A binary Golay code is a linear error-correcting code used in digital communication. Golay codes are perfect codes, in which the Hamming spheres surrounding the codewords fill the Hamming space without overlap. These spheres have radius e, so the code can correct e errors, and the codewords are separated from each other by a distance d=e+1. Perfect codes possess complete bounded-distance decoders and satisfy the Hamming bound with equality. If Golay codes are augmented with a bit-interleaving technique, they can also correct burst errors [163].
II Preliminaries
In this section, some preliminaries and basic notations are given, which will be used throughout the chapter.

Linear code: A linear code C [164] of length n and dimension k over a field F with q elements is a k-dimensional subspace of the n-dimensional vector space over F; such a code is referred to as an [n, k] code. In the binary case the elements are bits, i.e. F=GF(2)={0,1}. If the minimum Hamming distance of the code is d, then the code is called an [n, k, d] code.
Hamming distance: The Hamming distance [163] is the number of positions in which two codewords (x, y) differ. Let C be an [n, k] linear code over F and let x and y be two codewords; then
(1)
Hamming weight: The Hamming weight [163] is defined as the number of nonzero positions in the codeword x. Let C be an [n, k] linear code over F and let x be a codeword; then
(2)
Generator matrix: A generator matrix [163] for C is a matrix G whose rows form a basis of C, such that
(3)
The matrix G generates the code as a linear map: for each message m, we obtain the corresponding codeword mG.

Dual code: Let C be an [n, k] linear code over F. The dual code [26] of C is the set of all vectors of length n over F that are orthogonal to every codeword of C.

Parity-check matrix: A generator matrix H of the dual code is called a parity-check matrix [163] for the code C; it is described by
(4)
III Prior Work
Golay codes [162] were originally invented in the early 1950's and have attracted considerable attention in recent years. In 1978, McEliece [158] proposed an asymmetric encryption cryptosystem based on Goppa codes, which remains unbroken even after 15 years of adaptation of its proposed security parameters [165]. Niederreiter [166] proposed a knapsack-type cryptosystem based on Reed-Solomon codes. Sidelnikov and Shestakov [164] attacked the Niederreiter cryptosystem and proved that it is insecure when using Reed-Solomon codes as well as Goppa codes.
Sidelnikov [167] proposed a public-key cryptosystem based on binary Reed-Muller codes. It offered high security with a transmission rate close to 1, and the complexity of the encryption and decryption processes is low. Minder and Shokrollahi [168] attacked the Sidelnikov public-key cryptosystem, recovering the private key from a known public key. It has been shown that the running time of the attack is subexponential, using low-weight-finding algorithms.
Janwa and Moreno [169] proposed McEliece public key cryptosystems based on algebraic-geometric codes (AGC). Their work shows various aspects of the McEliece cryptosystem based on the larger class of q-ary algebraic-geometric Goppa codes and lists some open problems for future improvements. Faure and Minder [170] presented an algorithm to recover the structure of algebraic geometry codes defined over a hyperelliptic curve. In 2014, Couvreur et al. [171] constructed a polynomial-time attack against public key cryptosystems based on algebraic-geometric codes.
In 2000, Monico et al. [172] showed an efficient way of using low-density parity-check codes in the McEliece cryptosystem. In 2007, Baldi et al. [173] introduced a new variant of the McEliece cryptosystem based on quasi-cyclic low-density parity-check (QC-LDPC) codes, and examined the relevant attacks against LDPC and QC-LDPC. Londahl and Johansson [174] constructed a new version of the McEliece cryptosystem based on convolutional codes. Landais and Tillich [175] implemented an attack against the McEliece cryptosystem based on convolutional codes. Various researchers have proposed modified McEliece cryptosystems by replacing Goppa codes with different error-correcting codes, e.g. algebraic geometric codes (AGC), low-density parity-check codes (LDPCC) or convolutional codes. However, all of these schemes have proven to be insecure, making Goppa codes the standard choice.
IV McEliece Cryptosystem
The McEliece cryptosystem is based on a linear error-correcting code for creating the public and private keys. A binary Goppa code [158] is used as the error-correcting code in the McEliece cryptosystem. The secret key can be drawn from various alternative codes; several versions of the McEliece cryptosystem were proposed using secret codes such as Reed-Solomon codes, concatenated codes and Goppa codes. Interested readers can study the original McEliece cryptosystem algorithm described in [158].
V Golay Codes
Golay codes can be classified into binary and ternary Golay codes. Furthermore, binary Golay codes are divided into extended and perfect binary Golay codes [162, 163]. The extended binary Golay code is a [24, 12, 8] code, which encodes 12 bits of data into a word of 24-bit length in such a way that any 3-bit errors can be corrected or any 7-bit errors can be detected. The perfect binary Golay code is a [23, 12, 7] code with a codeword of length 23. It can be obtained from the extended binary Golay code by deleting one coordinate position. It is useful in applications where a parity bit is added to each word to produce a half-rate code [176]. It is constructed by a factorization over a field such that the two factors are irreducible polynomials of degree m=11. These polynomials are the reverse of each other and generate the same cyclic codewords. Therefore, the generator matrix of the perfect binary Golay code is built from the identity matrix and a second matrix, which is as follows:
V.1 Binary extended Golay codes
In 1977, extended Golay codes [162] were used for error control on the Voyager 1 and 2 spacecraft launched towards Jupiter and Saturn. The perfect binary Golay code results in the 3-byte extended Golay code by adding a parity bit. Some special properties of extended Golay codes are:

- It is a self-dual code (its generator matrix is given below).
- Its parity-check matrix is given in [177].
- Another pair of generator and parity-check matrices for it is given in [178].
- The weight of every codeword is a multiple of 4, and the minimum distance is 8.

The extended Golay code is generated by the matrix formed from the identity matrix and the matrix A, which is shown below.
VI McEliece Cryptosystem using extended Golay code
The McEliece cryptosystem based on the extended Golay code works like the original McEliece cryptosystem, but it generates the secret matrix G in a different way, and a different decoding procedure is used. The Golay code matrix A has a cyclic structure, in which the second row is obtained from the first by moving the first component to the last position. Similarly, each row of the matrix A can be obtained by a right shift of the previous row, except the last row. Since the matrix A is part of both the generator and the parity-check matrices of the extended Golay code, its decoding procedure is very simple. The main idea is to replace the Goppa code used in McEliece with an extended Golay code that can be efficiently decoded.
VI.1 Key generation
The McEliece cryptosystem based on the extended Golay code encodes 12 bits of data in a word of 24-bit length. A random permutation matrix (P) acts on the generator matrix (G). Then the computed matrix is reordered and renamed. It is multiplied by a random invertible matrix (S), which yields the public key and the secret key, correcting any 3-bit errors. Key generation is described in Algorithm 1. The detailed algorithm of the McEliece cryptosystem based on the extended Golay code is given below.

Algorithm 1: Key generation
System parameters: Let F be a family of t-error correcting q-ary linear [n, k, d] codes.
Input: [24, 12, 8] is an extended Golay code which encodes (k=12) bits of data in a word of (n=24) bit length, and any (t=3) bit errors can be corrected.
Output matrices:

VI.2 Encoding
In encoding, the plaintext is a random nonzero binary vector of length k. The ciphertext is a codeword of the code with the public generator matrix, to which we add a random error vector of weight exactly t. The encoding process is defined in Algorithm 2.
Algorithm 2: Encoding
Input: Public key, message (m), error vector (e).
Output: Ciphertext (c)
1. Compute the codeword of the message m using the public key.
2. Add the error vector e.
3. Return c.
VI.3 Decoding
The decoding process is defined in Algorithm 3. It uses the decoding procedure of the extended Golay code, whereas the original McEliece cryptosystem uses Patterson's algorithm for decoding.
Algorithm 3: Decoding
Input: Ciphertext (c), private key
Output: Original message (m)
1. Compute the encoded message by removing the error e, which is calculated by calling the subroutine of Algorithm 4.
2. Compute the message mS by row reducing.
3. Multiply mS by the inverse of S.
4. Return m.
Here we call a subroutine that computes the error vector, described in Algorithm 4. Thus, on reading a ciphertext as input, it produces the original message as output. In step 1, it computes a syndrome using the private key and checks whether the weight of the syndrome is less than or equal to 3. If yes, it returns the corresponding error vector e. Otherwise, it checks whether a second weight condition (weight less than or equal to 2) holds, and if so returns the corresponding error vector. If the first condition is not satisfied, it computes the second syndrome and checks whether its weight is less than or equal to 3. If yes, it returns the corresponding error vector e. Otherwise, it checks whether the second weight condition (weight less than or equal to 2) holds, and if so returns the corresponding error vector. If neither condition is satisfied and the error pattern e is not yet determined, it requests retransmission. Finally, mS is found by row reduction, and the original message is computed by multiplying mS by the inverse of S.
Algorithm 4: Error-vector subroutine
Input: Ciphertext (c), generator matrix (private)
Output: Error vector (e)
1. Compute the first syndrome.
2. If its weight is less than or equal to 3, then return the corresponding error vector e.
3. Else if the second weight condition (weight less than or equal to 2) holds for some position i, then return the error vector e formed with the word of length 12 having a 1 in the i-th position and 0 elsewhere (a row of the identity matrix).
4. Else compute the second syndrome.
5. If its weight is less than or equal to 3, then return the corresponding error vector e.
6. Else if the second weight condition (weight less than or equal to 2) holds, then return the corresponding error vector e.
7. Else, if the error pattern e is not yet determined, request retransmission.
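As an added, self-contained Python model of Algorithms 1 to 4 (not the paper's MATLAB implementation): the standard 12 x 12 Golay matrix A, the syndrome decoder of Algorithm 4, and the key generation, encoding and decoding steps of Algorithms 1 to 3. It assumes the systematic generator [I | A] with A symmetric and A*A = I over GF(2), and it builds S from random row additions (tracking S^-1 as it goes) rather than with the paper's random function; all sample inputs are constructed.

```python
import random

# Standard 12x12 Golay matrix A (rows 0-10 cycle an 11-bit pattern and end in 1, row 11 is
# eleven 1s then 0); it is symmetric and A*A = I over GF(2), which Algorithm 4 relies on.
_R = [1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0]
A = [_R[i:] + _R[:i] + [1] for i in range(11)] + [[1] * 11 + [0]]
I12 = [[int(i == j) for j in range(12)] for i in range(12)]
G = [I12[i] + A[i] for i in range(12)]                        # systematic generator [I | A]

def add(u, v): return [(a + b) % 2 for a, b in zip(u, v)]     # GF(2) vector sum
def vm(v, M):                                                 # GF(2) vector * matrix
    return [sum(v[i] * M[i][j] for i in range(len(v))) % 2 for j in range(len(M[0]))]

def golay_error(w):
    """Algorithm 4: weight<=3 error pattern in the 24-bit word w, or None (retransmit)."""
    s = add(w[:12], vm(w[12:], A))                            # first syndrome  s = w*G^T
    if sum(s) <= 3: return s + [0] * 12
    for i in range(12):                                       # e = [s + A_i | u_i]
        if sum(add(s, A[i])) <= 2: return add(s, A[i]) + I12[i]
    s2 = vm(s, A)                                             # second syndrome s*A
    if sum(s2) <= 3: return [0] * 12 + s2
    for i in range(12):                                       # e = [u_i | s*A + A_i]
        if sum(add(s2, A[i])) <= 2: return I12[i] + add(s2, A[i])
    return None

def keygen(rng, steps=300):
    """Algorithm 1: public key S*G*P; private key (S^-1, P^-1) plus the Golay decoder."""
    S, Sinv = [r[:] for r in I12], [r[:] for r in I12]
    for _ in range(steps):                # random GF(2) row additions build S; each is its
        i, j = rng.sample(range(12), 2)   # own inverse, so S^-1 is tracked by the mirrored
        S[i] = add(S[i], S[j])            # column addition instead of a later inversion
        for r in range(12): Sinv[r][j] ^= Sinv[r][i]
    perm = list(range(24)); rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(24)] for i in range(24)]
    Pinv = [list(col) for col in zip(*P)]                     # P^T = P^-1
    return [vm(vm(row, G), P) for row in S], (Sinv, Pinv)

def encrypt(pub, m, e): return add(vm(m, pub), e)             # Algorithm 2: c = m*G' + e

def decrypt(priv, c):
    """Algorithm 3: undo P, strip the Golay error, read mS from the systematic half, undo S."""
    Sinv, Pinv = priv
    w = vm(c, Pinv)                       # c*P^-1 = m*S*G + e*P^-1: a Golay word plus 3 errors
    e = golay_error(w)
    return None if e is None else vm(add(w, e)[:12], Sinv)

def roundtrip(seed=7):                    # constructed demo: returns (m, recovered m)
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    m = [rng.randint(0, 1) for _ in range(12)]
    hits = rng.sample(range(24), 3); e = [int(p in hits) for p in range(24)]  # weight-3 error
    return m, decrypt(priv, encrypt(pub, m, e))
```

With k=12 the public code has only 2^12 codewords, so this block is a teaching model of the construction, not a parameter set with any security margin.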
VI.4 Security
The security of the proposed McEliece cryptosystem depends on the difficulty of decoding the ciphertext y into the message m. The attacker will have a hard time separating the codeword from the error, because he or she does not know P and the inverse of the matrix S, which are not publicly available. Therefore, an attacker cannot find the error, because it is hard to recover the specific structure of the public matrix. Maximum-likelihood decoding can be used to recover the error, but building coset-leader tables for large codes is time-consuming and inefficient; it also needs more storage space, and the decoding time can be quite long. Therefore, we rely on syndrome decoding of the extended Golay code.
VII Implementation of McEliece Cryptosystem based on Extended Golay Code
We implemented the McEliece cryptosystem based on the extended Golay code on a personal computer with the following specification: CPU Intel Core i3-3217U 1.80 GHz, RAM 2.00 GB, OS Windows 8 Enterprise 32-bit, and MATLAB 7.11.0 (R2010b).
We used the generator matrix G, formed from the identity matrix and the matrix A, to generate the extended Golay code. Fig. 2 shows the matrix A, which is obtained by adding a parity bit at the end of each codeword of the perfect Golay code. We used a random permutation matrix to compute the permuted generator matrix, as shown in Fig. 3.
We used the random function to generate a random invertible binary matrix S. The permuted matrix is reordered and renamed, and then multiplied by S to obtain the encoding matrix. Fig. 4 shows the random invertible matrix S. The encoding matrix yields the public key, while the private key consists of the random matrix S, the systematic generator matrix and the efficient decoding algorithm. We used a random plaintext m of length 12 and a random error vector e of length 24 having weight 3. Then we computed the codeword and encoded it by adding the error to obtain the ciphertext. Fig. 5 shows the computed codeword, random error and ciphertext.

During decoding, we call the subroutine described in Algorithm 4 to compute the error e using the private key. We then recovered the actual codeword. Fig. 6 shows the calculated syndrome for error detection in the ciphertext.
Having computed the error and the actual codeword, we recover the plaintext by multiplying with the inverse of S. Fig. 7 shows the actual message sent over the channel.
We have examined the McEliece cryptosystem using the extended Golay code. The developed system is effective and secure as long as S is chosen as a sparse random matrix. It corrects up to three-bit errors per codeword. Sparse matrices make it efficient and allow significant compression. Moreover, we have implemented the McEliece cryptosystem using the extended Golay code and designed a finite state machine for its decoding component. In future, we will design a McEliece cryptosystem using the extended Golay code combined with a bit-interleaving technique to correct bursts of errors per codeword.
VIII Conclusion
In this paper, we have examined the McEliece cryptosystem using the extended Golay code. The developed system is effective and secure as long as S is chosen as a sparse random matrix. It corrects up to three-bit errors per codeword. Sparse matrices make it efficient and allow significant compression. Moreover, we have implemented the proposed McEliece cryptosystem using MATLAB. In future, we will design a McEliece cryptosystem using the extended Golay code combined with a bit-interleaving technique to correct bursts of errors per codeword.
Acknowledgments
Amandeep Singh Bhatia was supported by Maulana Azad National Fellowship (MANF), funded by Ministry of Minority Affairs, Government of India.