DEVELOPMENT OF DIGITAL SIGNATURE ALGORITHM BASED ON THE NIEDERRITER CRYPTO-CODE SYSTEM

The development of computing resources in the post-quantum period calls into question the provision of the required level of strength of symmetric and asymmetric cryptography algorithms. The advent of a full-scale quantum computer running the Shor and Grover algorithms greatly increases the capabilities of cybercriminals and reduces the strength of the cryptosystems used in protocols for the basic security services. The article analyzes the main strength requirements for post-quantum cryptography algorithms. In such conditions, it is necessary to use modified cryptosystems that provide, in an integrated way, the required level of stability and efficiency of cryptocurrencies. One such mechanism is the crypto-code constructions of McEliece and Niederreiter, which provide the required indicators of durability, efficiency and reliability. The paper analyzes the construction of the Niederreiter crypto-code structure on elliptic codes (EC), on modified elliptic codes (MEC), shortened and/or extended, and on defective codes, together with practical algorithms for their implementation. An advanced protocol for forming a digital signature using Niederreiter crypto-code constructions is proposed.


Introduction
Formulation of the problem. The entry of mankind into the era of high technologies has made it possible to single out cyberspace (an abstract concept based on computer networks and Internet technologies) as a separate component of security, placed alongside information security and the security of information. To ensure security, as a rule, symmetric cryptosystems are used: they have only temporary (computational) strength but offer fast crypto transformations (by 3-5 orders of magnitude) in comparison with asymmetric cryptosystems, which provide a provable level of security (strength is based on NP-complete problems) and are therefore used to transmit the key data of symmetric cryptosystems and to form digital signature (DS) protocols providing the authenticity service (authenticity of the message source). The rapid development of computing means provides a 2-fold increase in computing capabilities every 18 months, which significantly expands the scope of services in cyberspace. However, the analysis by US NIST specialists of traditional cryptography algorithms [1][2][3] and of asymmetric cryptography algorithms and digital signature protocols (including algorithms using elliptic curves) showed that the computational capabilities of the post-quantum period, namely full-scale quantum computers and the Grover and Shor algorithms [4], allow the cryptosystems used in the computer systems and networks of cyberspace to be broken in polynomial time, which casts doubt on the quality of the basic security services: confidentiality, integrity and authenticity. Works [4][5][6][7] indicate that the growth of computing capabilities brings not only an expansion of IT services into almost all spheres of human activity, but also a significant increase in hybrid attacks with elements of social engineering, which provide a synergistic effect. Thus, a scientific and technical problem arises: to provide the basic security services on the basis of alternative approaches that ensure, first of all, the cryptographic strength of the algorithms used.
Analysis of recent research and publications [1-4; 8-14] showed that with the advent of a full-scale quantum computer, the security of the modern cryptosystems providing the basic security services is being called into question. Therefore, US NIST specialists are holding a competition for post-quantum cryptography algorithms. Among the contestant algorithms that passed to the second round there are also crypto-code constructions (CCC). Thus, considering the use of the Niederreiter CCC on algebraic geometric codes (AGC) (codes on elliptic curves and/or their modifications, and on defective codes) in practical algorithms of security services, for their modification/improvement, is an urgent task.
The purpose of this article is to build a digital signature algorithm based on Niederreiter's crypto-code construction on AGC.
To achieve this goal, the following tasks must be solved: analyze the requirements for post-quantum cryptography algorithms; research Niederreiter's crypto-code construction and its practical algorithms.

… factors a number in time O(lg^3 N) using an O(lg N)-bit register, which is significantly faster than any classical factorization method. The advantages of using quantum registers are significant memory savings (N quantum bits can hold 2^N bits of information), and the interaction between qubits makes it possible to affect the entire register in one operation (quantum parallelism).
Thus, Shor's algorithm called into question the very existence of asymmetric cryptography, since on its basis it is possible to effectively solve the discrete logarithm problem and the other problems on whose complexity cryptographic algorithms are based. This conclusion was confirmed in March 2018 in the US NIST Report on Post-Quantum Cryptography [1][2], which notes that the emergence of full-scale quantum computers casts doubt on the cryptographic strength of asymmetric cryptography algorithms, and in February 2019, at the opening of the competition for post-quantum cryptography algorithms, US NIST experts stated that the algorithms on elliptic curves are also in question. Thus, humanity enters the so-called post-quantum period: a period of time in the future when classical methods will be significantly improved and quantum computers with the register lengths (in qubits) necessary for successful cryptanalysis, together with the mathematical and software support necessary for their implementation, will be created. The main problems that can be solved on a quantum computer include the following: 1) Shor's quantum factorization algorithm; 2) Grover's quantum algorithm for finding an element in an unsorted database; 3) Shor's quantum algorithm for solving the discrete logarithm in a finite field; 4) Shor's quantum algorithm for solving the discrete logarithm in the group of points of an EC; 5) quantum cryptanalysis algorithms for transformations in a factor ring; 6) the quantum cryptanalysis algorithm of Xiong and Wang and its improvements, and the like.
Table 1 shows the results of a comparative analysis of the complexity of factorization for classical and quantum algorithms, and Table 2 the complexity of implementing Shor's method for the discrete logarithm in the group of points of an EC. The comparison results presented in Tables 1-2 indicate a significant reduction in the energy cost of breaking asymmetric cryptography algorithms, including DS algorithms, when a quantum computer is used, which significantly reduces the level of "trust" in the algorithms and protocols providing the basic security services: confidentiality, integrity and authenticity.
In the conditions of post-quantum cryptography, NIST experts suggest considering attacks of a special type (side-channel attacks). These attacks are aimed at finding vulnerabilities in the practical implementation of the cryptosystem, primarily in the means of cryptographic protection.
The following classification of special attacks was proposed, based on the following features:
- control of the computing process;
- the way of accessing the system or tool;
- the method of direct attack, and the like.
Protection against special attacks can be based on the features:
- a fixed number of calls to the hash function, data randomization;
- independence of keys from values, and the like.
The main NIST requirements for security in the post-quantum period are:
Security requirements:
- replacement of the ES (electronic signature) standard FIPS 186;
- replacement of the key distribution standards SP 800-56A, SP 800-56B;
- use of the new standard in protocols: TLS, SSH, IPSec, etc.;
- the security model for encryption and key distribution is a "semantically secure encryption" scheme; security model: IND-CCA2.
Security conditions:
- attacker access to fewer than 2^64 chosen ciphertext-key pairs.
Resilience requirements:
1) 128-bit classical security / 64-bit quantum security (AES-128 security margin);
2) 128-bit classical security / 80-bit quantum security (SHA-256 / SHA3-256 security margin; SHA-384 / SHA3-384);
3) 256-bit classical security / 128-bit quantum security (AES-256 security margin).
Thus, US NIST suggests considering the following models:
- for symmetric cryptography algorithms: under the IND-CCA2 security model (indistinguishability under adaptive chosen-ciphertext attack), which defines resistance to an adaptive attack based on chosen ciphertext;
- for electronic digital signatures: under the EUF-CMA security model (existentially unforgeable under adaptive chosen-message attacks);
- for the key encapsulation protocol: under the Canetti-Krawczyk security model (CK-security).
As a preliminary criterion, NIST proposes an approach in which quantum attacks are limited to a fixed running time, or "depth", of the circuit. This parameter is named MAXDEPTH. Possible values for the range of MAXDEPTH:
- 2^40 logical gates, approximately the number of gates that can be executed sequentially in a year;
- 2^64 logical gates, the number that modern classical computing architectures can execute sequentially in ten years;
- not more than 2^96 logical gates, approximately the number of gates that atomic-scale qubits with light-speed propagation time could perform over millennia.
Thus, the analysis showed that the use of an electronic digital signature (EDS) based on asymmetric cryptoalgorithms in the post-quantum period cannot provide a guaranteed level of cryptographic strength and, accordingly, may be subject to a special type of attack based on a full-scale quantum computer.

Research on Niederreiter's crypto-code constructs
A special place among symmetric and asymmetric cryptosystems is occupied by the asymmetric cryptosystems based on the crypto-code constructions of McEliece and Niederreiter, which are participants in the NIST post-quantum algorithm competition and provide, in an integrated way, not only the required level of cryptographic strength (when implemented over GF(2^10–2^13)), but also the reliability of the transmitted information, based on error-correcting codes (a transmission method with forward error correction is implemented). However, a significant drawback is the difficulty of their practical implementation in the alphabet GF(2^10–2^13), as well as the significant energy costs. In addition, the work of V.M. Sidelnikov [10] proposed a practical algorithm for breaking these structures when they use cyclic noise-immune codes; its essence is to find the elements of the generator matrix and remove the action of the masking matrices. The orthogonality of the generator and check matrices allows the attack to be considered effective against the Niederreiter scheme as well. As a promising direction for eliminating the revealed regularities, Sidelnikov proposes to use cascade or algebraic geometric codes: codes built on the basis of the algebra of error-correcting coding theory and the geometric parameters of a curve, in particular, elliptic curves.
The general classification of crypto-code structures (CCC) is given in [4] (Fig. 1). The analysis carried out in works [4; 8-9] showed that these cryptosystems provide a provable (mathematical) level of security (strength is based on the NP-complete problem of decoding a random code), ensure the efficiency of crypto transformations at the encryption speed of traditional cryptography algorithms, and ensure reliability through the use of error-correcting codes. In addition, the report of NIST specialists [1][2] noted that it is crypto-code constructions that make it possible to provide the required level of cryptographic strength in post-quantum cryptography.
The known methods of their construction on the basis of noise-resistant (algebraic geometric, AGC) codes, mathematical models and practical algorithms are considered in works [4; 11-12].
Consider the cryptosystem based on McEliece's crypto-code construction, first proposed in [11]. The secret (private) key consists of the generator matrix G of a linear (n, k, d) code over GF(q) and the masking matrices: a non-degenerate k × k matrix X over GF(q), a diagonal n × n matrix D, and a permutation n × n matrix P. The permutation matrix implements the permutation of vector coordinates in the form of a matrix multiplication.
The public key is the matrix G_X = X · G · P · D,
where the vector c_X = i · G_X belongs to the (n, k, d) code with generator matrix G_X, i is the k-bit information vector, and the vector e, an error vector of weight ≤ t, serves as an additional secret parameter (session key).
On the receiving side, the receiver, knowing the public key and using the Berlekamp-Massey decoding algorithm (of polynomial complexity), recovers the original text. The exchange protocol between authorized users based on the McEliece crypto-code construction on algebraic geometric (elliptic, EC) codes is shown in Fig. 2.
(Fig. 2 labels: Private key G, X, P, D; Public key; Session key e; Secret key a1, …, n)

Fig. 2. An exchange protocol in an asymmetric cryptosystem based on the McEliece CCC
To eliminate this drawback (the feasibility of the Sidelnikov attack), it is proposed to use algebraic geometric codes, i.e. codes built on curves (for example, on elliptic curves). Singular (supersingular) curves of 3 kinds are used to form the AGC (EC).
An algebraic geometric code along the curve X over GF(q) is a code of length n ≤ N whose code words C(c1, c2, …, cn) are given by the equality:
This definition is equivalent to the matrix representation of the algebraic geometric code [4]:
where G is the generator matrix of dimension k × n, k = α − g + 1, α = deg X · deg F, of the form ( ).
However, the construction of the CCC on EC does not eliminate the disadvantage of significant energy consumption in practical implementation. To eliminate this disadvantage, it is proposed to use modified EC (MEC), proposed in works [4; 8].
Consider a cryptosystem based on Niederreiter's crypto-code construction, first proposed in [12]. The private key consists of the check matrix H of a linear (n, k, d) code over GF(q) and the masking matrices: a non-degenerate r × r matrix X over GF(q), a diagonal n × n matrix D, and a permutation n × n matrix P. The public key is the matrix
where the vector e is a vector of length n and weight ≤ t, computed in advance on the basis of equilibrium coding, and is the transformed input sequence. On the receiving side, the recipient finds, from the q^k solutions of the expression
Partitioning of a non-binary equilibrium vector into positional and binomial vectors ( )
where: n is the total number of characters in the code (code length); w is the weight of the codeword with elements from the set {0, 1, …, g − 1}; q is the power of the Galois field; A is the equilibrium non-binary sequence, A < M; M is the cardinality of the non-binary equilibrium code, determined by the number of vectors of length n and weight w.

(Fig. 4 blocks: Formation of the number A and its binary representation; Formation of a non-binary equilibrium sequence; Partitioning of a non-binary equilibrium vector into positional and binomial vectors; Calculating AP from the positional vector; Calculating AB from the binomial vector)
Fig. 4. Algorithm of the equilibrium coding of the EC in the Niederreiter crypto-code construction
This approach makes it possible to reduce the level of CCC formation to GF(2^2–2^4).
For the Niederreiter CCC, an additional initialization vector is used that defines the codewords that satisfy the decoding algorithm.
The algorithm for forming a cryptogram in the modified Niederreiter CCC on MEC, taking into account the revealed regularity, is presented as a sequence of steps:
Step 1. Input of the information to be encoded, one of the elements of the set of admissible plaintexts. Input of the public key H_X^EC.
Step 2. Formation of the error vector e, whose weight does not exceed t (the error-correcting capability of the elliptic code), based on the non-binary equilibrium coding algorithm.
Step 3. Formation of the initialization vector IV1.
Step 4. Formation of the truncated error vector: e_X = e(A) − IV2.
Step 5. Formation of the codogram:
The algorithm for decoding the codogram in the modified Niederreiter CCC on MEC is presented as a sequence of steps:
Step 1. Input of the codogram S_X to be decoded. Input of the private key: matrices X, P, D.
Step 2. Finding one of the possible solutions to the equation:
Step 7. Transformation of the vector e, based on a non-binary constant-weight code, into an information sequence.
Cryptographically damaged texts are texts obtained in the following ways [13][14]:
- approach 1: damage to the original text, followed by encryption of the damaged text and/or its damage (Fig. 11);
- approach 2: damage to the ciphertext (Fig. 12);
- approach 3: damage to the original text and to the ciphertext of the damaged text (Fig. 13).
To determine the optimal method, let us analyze the ratio of the number of additional operations required to implement each approach to the size of the resulting output data, using the example of the Niederreiter CCC.
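To make the two constructions described above concrete, the following toy implementation is an added example (not the paper's or the authors' code): it builds the McEliece public key G_X = X · G · P · D and cryptogram c = i · G_X + e, the Niederreiter public key H_X = X · H · P · D and codogram S_X = H_X · e^T with recovery of the unique weight-≤t solution among the q^k candidates, and the equilibrium (constant-weight) coding that maps a number A to the error vector e and back. It assumes a binary [7,4,3] Hamming code over GF(2) in place of the elliptic/MEC codes, so that D is the identity and t = 1, and it uses the binary special case of the constant-weight code rather than the paper's non-binary positional/binomial split; the helper names (weight_t_solution, equilibrium_encode, demo, …) are the example's own.

```python
"""Toy McEliece / Niederreiter crypto-code constructions over GF(2) (added example,
not the paper's code). A binary [7,4,3] Hamming code (t = 1) stands in for the
(n, k, d) code; over GF(2) a non-degenerate diagonal D is the identity, so the public
keys reduce to G_X = X*G*P and H_X = X*H*P. Equilibrium coding here is binary."""
import random
from math import comb

# --- GF(2) linear algebra on lists of 0/1 rows ---------------------------------
def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) % 2 for col in zip(*b)] for row in a]

def inverse(m):
    """Gauss-Jordan inverse over GF(2); raises ValueError if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def random_invertible(n, rng):
    while True:  # a random binary n x n matrix is invertible with probability ~0.29
        m = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        try:
            return inverse(m) and m
        except ValueError:
            pass
def permutation(n, rng):
    perm = rng.sample(range(n), n)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

# --- Hamming [7,4,3]: systematic G (k x n), check matrix H (r x n), t = 1 -------
G = [[1,0,0,0,1,1,0], [0,1,0,0,1,0,1], [0,0,1,0,0,1,1], [0,0,0,1,1,1,1]]
H = [[1,1,0,1,1,0,0], [1,0,1,1,0,1,0], [0,1,1,1,0,0,1]]
N, K, T = 7, 4, 1
SYNDROMES = {tuple(col): i for i, col in enumerate(zip(*H))}  # syndrome -> error position

def syndrome(vec, h):
    return tuple(r[0] for r in matmul(h, [[b] for b in vec]))
def weight_t_solution(s):  # of the q^k solutions x of H*x^T = s, the unique one of weight <= t
    x = [0] * N
    if any(s):
        x[SYNDROMES[tuple(s)]] = 1
    return x

# --- McEliece CCC: public key G_X = X*G*P, cryptogram c = i*G_X + e ---------------
def mceliece_keygen(rng):
    X, P = random_invertible(K, rng), permutation(N, rng)
    return {"G_X": matmul(matmul(X, G), P)}, {"X": X, "P": P}
def mceliece_encrypt(pub, info, e):
    c_x = matmul([info], pub["G_X"])[0]          # c_X = i*G_X, a codeword of G_X
    return [a ^ b for a, b in zip(c_x, e)]       # e: session key of weight <= t
def mceliece_decrypt(priv, c):
    c_p = matmul([c], inverse(priv["P"]))[0]     # = i*X*G + e*P^-1, still weight t
    err = weight_t_solution(syndrome(c_p, H))    # bounded-distance decoding
    i_x = [a ^ b for a, b in zip(c_p, err)][:K]  # G systematic: first k bits = i*X
    return matmul([i_x], inverse(priv["X"]))[0]

# --- Niederreiter CCC: public key H_X = X*H*P, codogram S_X = H_X*e^T -------------
def niederreiter_keygen(rng):
    X, P = random_invertible(N - K, rng), permutation(N, rng)
    return {"H_X": matmul(matmul(X, H), P)}, {"X": X, "P": P}
def niederreiter_encrypt(pub, e):
    return list(syndrome(e, pub["H_X"]))         # the data are carried by e itself
def niederreiter_decrypt(priv, s):
    s1 = syndrome(s, inverse(priv["X"]))         # X^-1*S_X = H*(e*P^T)^T
    e_perm = weight_t_solution(s1)               # e' = e*P^T
    return matmul([e_perm], priv["P"])[0]        # e = e'*P, since P^-1 = P^T

# --- equilibrium (constant-weight) coding: number A <-> weight-w vector of length n -
def equilibrium_encode(A, n, w):
    assert 0 <= A < comb(n, w), "A must index one of the C(n, w) vectors"
    e = []
    for pos in range(n):                         # vectors with e[pos] = 1 come first
        here = comb(n - pos - 1, w - 1) if w else 0
        if w and A < here:
            e.append(1); w -= 1
        else:
            e.append(0); A -= here
    return e
def equilibrium_decode(e):
    A, w, n = 0, sum(e), len(e)
    for pos, bit in enumerate(e):
        if bit: w -= 1
        elif w: A += comb(n - pos - 1, w - 1)
    return A

def demo(seed=1, info=(1, 0, 1, 1), A=3):
    """Round-trip both constructions; returns (recovered i, recovered A)."""
    rng = random.Random(seed)
    e = equilibrium_encode(A, N, T)              # message A -> error vector e
    pub_m, priv_m = mceliece_keygen(rng)
    i_rec = mceliece_decrypt(priv_m, mceliece_encrypt(pub_m, list(info), e))
    pub_n, priv_n = niederreiter_keygen(rng)
    e_rec = niederreiter_decrypt(priv_n, niederreiter_encrypt(pub_n, e))
    return tuple(i_rec), equilibrium_decode(e_rec)
```

Calling demo() returns ((1, 0, 1, 1), 3): the information vector survives the McEliece round trip and the number A survives the Niederreiter one, where the message is carried entirely by the error vector and the legitimate receiver picks the short solution of H · x^T = s that an attacker without X and P cannot isolate. The Hamming code is for illustration only; the hardness the paper relies on comes from running the same steps over GF(2^10–2^13) elliptic codes with a large t.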
The dependence of the group operations of the NCCC implementation on the field power is given in Table 3. The ratio of these values gives the bit-rate ratio for each additional operation (Table 5). Thus, the approach of damaging the ciphertext with a modified CCC on MEC, shown in Fig. 12 (the second approach), increases the throughput starting from the field GF(2^9). This is the optimal approach for constructing a hybrid Niederreiter (McEliece) CCC on MEC.
The information core of a given text is understood as the defective text (CFT) obtained by a cyclic transformation of the universal damage mechanism Cm.
The universal damage mechanism Cm can be described by [4]:
Thus, as a result, we have two ciphertexts: the damage (CHD) and the defective text (FTC), each of which makes no sense either in the alphabet of the original text or in the alphabet of the ciphertext. In fact, the ciphertext of the original message (M) is represented as a combination of two defective ciphertexts, neither of which, separately, can recover the original text. To restore the original sequence, there is no need to know the intermediate defective sequences.

Development of a modified digital signature protocol based on crypto-code constructions
To ensure the authenticity service in cyberspace, the DSS (Digital Signature Standard) protocol is used, which describes the DSA (Digital Signature Algorithm) based on the RSA and ElGamal algorithms. The main difference between these asymmetric cryptoalgorithms is the relatively higher level of security of the ElGamal algorithm and its ability to use elliptic curves to form the DS; however, the DS protocol on RSA provides faster DS formation. Cryptographic strength rests on the security of the applied algorithms: RSA (NP-complete problem: factorization of a number) and ElGamal (NP-complete problem: finding a discrete logarithm in a group of numbers or in a group of points of an elliptic curve, depending on whether the EC equation is used). However, given the current trends of the post-quantum period, these algorithms may not provide the required level of cryptographic strength and can be broken in polynomial time. Therefore, a modified DSS protocol based on CCC is proposed; its block diagram is shown in Fig. 14. The sender uses as key data the CCC session key e (error vector) and the initialization vectors (IV1: shortening symbols, IV2: extension symbols of the MEC). The receiver uses the orthogonal parity-check matrix of the MEC and the inverse masking matrices as the sender's public key.
Thus, the use of CCC in the DSS protocol will provide the required level of resistance in the post-quantum period, including against the synergy and/or hybridity of modern attacks.

Conclusion
1. The analysis of computing resources in the post-quantum period casts doubt on the use of traditional cryptography and public-key cryptography algorithms to provide security services. The further development and emergence of the quantum computer will allow cyber attackers to combine threats to achieve synergy and/or hybridity. In such conditions, it is necessary to modify and/or develop fundamentally new algorithms that provide the required level of cryptographic strength.
2. The scheme of the modified DSA protocol based on modified (hybrid) crypto-code constructions provides the required level of resistance to the modern threats of the post-quantum period. The studies carried out confirm that the use of MEC (EC) provides speed at the level of the crypto-transformations of symmetric cryptoalgorithms, provable cryptographic strength based on the complexity-theoretic problem of decoding a random code (10^30–10^35 group operations), and reliability based on the use of a shortened algebraic geometric code (error probability P_err = 10^-9–10^-12). To further reduce the power of the alphabet (Galois fields down to GF(2^4–2^6)), it is proposed to use systems based on defective codes, which allow the simultaneous formation of multichannel cryptosystems.

where
P_i(X_i, Y_i, Z_i) are the projective points of the curve X, i.e. (X_i, Y_i, Z_i) are solutions of the homogeneous algebraic equation defining the curve X, of the generator functions at the points of the curve.
Decryption is performed on the basis of the Berlekamp-Massey algorithm. The scheme of the exchange protocol in an asymmetric cryptosystem based on the Niederreiter crypto-code construction on elliptic codes is presented in Fig. 3. To use the EC in the Niederreiter CCC, equilibrium coding of m-ary codes is used; the block diagram of the algorithm is shown in Fig. 4.

Fig. 3. An exchange protocol in an asymmetric cryptosystem based on the Niederreiter CCC on the EC

Table 3
Dependence of the software implementation on the field power (the number of thousands of additional operations before encryption / after / total)