A McEliece cryptosystem using permutation codes

2.1 A decoding algorithm using uncovering-by-bases

In this section, we review Bailey’s work on decoding algorithms for permutation codes. Consider a permutation group G ⊆ S _n with correction capacity r acting on the set Ω = [n]. For a permutation σ and i ∈ Ω, we use i ⋅ σ to denote the element σ(i). We start with defining a base for a permutation group, which is the analogue of a basis of a vector space. For more information, we refer to Seress [1], Chapter 4].

Given a base B = {b ₁, b ₂, …, b _m }, define subgroups G = G ^[0] and G ^[1], …, G ^[m], such that, G [ i ] ≔ σ ∈ G | σ ( b j ) = b j    for all  j ≤ i where i = 1, 2, …, m. It is easy to see that

We say that a base B is irredundant if G ^[i] ≠ G ^[i+1] for all i. A generating set S of G is called a strong generating set if S ∩ G [ i ] = G [ i ] for 1 ≤ i ≤ m, where S is the group generated by the set S. Given a group G, a base and a strong generating set for it can be constructed in nearly linear time in the size of the input using the Schreier–Sims algorithm. The orbits b _i ⋅ G ^[i−1] are called the fundamental orbits, and the (right) transversals R _i are the set of (right) coset representatives for G ^[i] mod G ^[i+1], with the requirement that the representative for the coset G ^[i+1] in G ^[i] is the identity for all i. They can be computed by keeping track of the permutations of G ^[i−1] that take b _i to each point in the orbit. It follows from the definition of a base that every permutation in G is uniquely defined by its action on the elements of a base. There exists an algorithm (Algorithm 1), called the element reconstruction algorithm that can reconstruct the permutation from its action on all the elements in the base.

Corresponding to the base B, we construct the fundamental orbits and the right transversals using the Schreier–Sims algorithm. Initially, we set σ to be the identity. We then find the permutation r ₁ in R ₁ such that b ₁ ⋅ r ₁ = x ₁. If x ₁ does not lie in the fundamental orbit of b ₁, that means no such σ exists and we can exit the procedure. We then replace (x ₁, …, x _m ) with x 1 ⋅ r 1 − 1 , … , x 1 ⋅ r m − 1 . In the i-th iteration, we check if x i ⋅ r 1 − 1 r 2 − 1 … r i − 1 − 1 lies in the orbit of G b i . If it does not, we exit the procedure; else we replace σ with σr _i ; where r _i is the permutation in the transversal R _i that takes b _i to x i ⋅ r 1 − 1 r 2 − 1 … r i − 1 − 1 . More details on the Schreier–Sims algorithm is available in Seress [1], Chapter 4].

It is known that every permutation group has an uncovering-by-bases [3], Proposition 7]. However, they have been constructed only for a few permutation groups. There is no known procedure to construct a small UBB for an arbitrary permutation group. Uncovering-by-bases can be used to decode as follows:

Let G be a permutation group acting on Ω. Consider a permutation g ∈ G in the list form and w was obtained after r or fewer errors were introduced to g. Note that w can have repeated entries and need not be a permutation. Let R be a subset of Ω of size less than or equal to r. Errors were introduced in positions from R. The set R is not known to the decoder a priory. Let U be a UBB for G. It is a consequence of the definition of a UBB that there exists a base B in U , which is completely disjoint from R. Thus, in the positions indexed by B, the lists w and g are identical. As B is a base, we can reconstruct the entire permutation g from just its action on the points in B. While the decoder does not know which base in U is the appropriate base B, it can just repeat this procedure for every base in U .

This algorithm is similar to permutation decoding for linear codes proposed by MacWilliams and Sloane [10], which involves using a subset of the automorphism group of the code that moves any errors out of the information positions.

2.2 Some constructions of uncoverings-by-bases

There are only a few examples of UBB that were constructed by Bailey. One of them is a symmetric group acting on 2-subsets, and the other is a wreath product of a regular permutation group with a symmetric group. We discuss them next.

2.3 An alternative decoding algorithm for wreath product

In this section, we present a simple decoding algorithm introduced by Bailey and Prellberg [12], which uses majority logic principles for the wreath product groups and compare its performance to the original UBB algorithm. For simplicity, we assume H to be the cyclic group C _m of order m, this algorithm can be extended to any regular group.

Input: For some g ∈ C _m ≀ S _n , w is constructed from g by introducing r or less errors. The list w is the input.

Output: We aim to recover the permutation g. Because d(g, w) ≤ r, there is a unique permutation in G with distance at most r from w.

The algorithm: To recover the permutation g = (h ₁, h ₂, …, h _n , σ) ∈ H ≀ S _n , it suffices to recover h and σ.

1. For each i ∈ [n], define σ(i) be the majority value of the second coordinates of w((j, i)), for each j ∈ [m]. This way, we can recover the permutation σ ∈ S _n .

2. For each i ∈ [n], let w _i,j be the first coordinate of w((j, i)), for each j ∈ [m], and let w i , j ′ = w i , j − w i , j mod m . Let w i ′ be the majority value of these w i , j ′ ’s for all j ∈ [m], and we define the permutation h _i ∈ C _m to be the permutation associated with the cyclic shift by w i ′ .

We refer to ref. [12] for a proof of correctness of the above algorithm.

Complexity analysis: We now estimate the complexity of this algorithm. The first part of the algorithm involves splitting the word into blocks and rewriting each symbol. This could be done in constant time for each position. Computing the value of the block label and the cyclic shift for each position involves some integer arithmetic, which would take a constant amount of time for each position. Thus, it takes O(mn) time. The second part of the algorithm involves finding the most frequently occurring value of the block value and cyclic shift in each block. Let’s consider the part where we find the most frequently occurring value of the cyclic shift. We maintain an auxiliary list of size m, with each position corresponding to the frequency of that cyclic shift. We iterate through the block, compute the cyclic shift for each location of the block, and update its frequency in the auxiliary list. This procedure takes O(m) time. We then go through the auxiliary list to find the most frequently occurring cyclic shift. We do a similar procedure for finding the action of σ on the block using an auxiliary list of size n and that would take O(n) time. This procedure is repeated for each block. For the final part of the algorithm, which involves converting the reconstructed word back to a permutation can be done with O(mn) arithmetic operations. Thus, the algorithm takes O(mn) time if m > n and O(n ²) time if n > m. This is faster than the UBB algorithm for the same group, which would take O(m ² n ²) time.

2.3.1 Decoding more than r errors

In fact, the algorithm described above can correct more than r errors, as long as the majority of elements in each block are correct. There are some error patterns with up to nr errors, which can be decoded using this algorithm. An error pattern is a certain set of positions where the errors are induced. Bailey obtained the following expression for the number of error patterns of a certain length, which can be corrected by this algorithm.

Let k be a positive integer. Let P _n,r (k) be the set of all partitions of k into at most n parts where each part is of size at most r. We write such a partition in the form π = ( i , f i ) | ∑ i i f i = k , where f _i is the number of times the number i appears in the partition. For a partition π, we define the quantity c _i to be c i = ∑ j = 1 i − 1 f i , which is the number of parts in π of size strictly less than i.

Theorem 2.3.

For an integer k ≤ nr, the following number of patterns of k errors can be corrected:

E n , r ( k ) = ∑ π ∈ P n , r ( k ) ∏ i = 1 r n − c i f i m i f i

Proof.

For a proof, we refer to Bailey [5], Section 6.7]. □

We ran simulations to find the proportion of error patterns, which can be corrected for the case m = 5. In this case, the minimal degree is 5 and has correction capacity 2. In practice, a much larger number of errors can be corrected, with a high probability of success.

Using a computer program, we calculated the value of E _n,r (k) for different values of k and obtained the value of E n , r ( k ) m n to obtain the probability that the alternate decoding algorithm succeeds. We plot this for n = 100 in Figure 1.

Figure 1:

Plot of fraction of errors that can be corrected for n = 100, m = 5.

We can deduce from the data that the algorithm can decode 95 percent of error patterns of length up to 19, 90 percent of error patterns of length up to 24, 80 percent of error patterns of length up to 31, and 50 percent of error patterns of length up to 46.

Interestingly, the number of errors that can be corrected increases with n (for a fixed probability of success). This is despite the minimal degree (correction capacity) remaining the same. We plot the number of errors, which can be plotted with 95 percent probability of success with respect to n, both in terms of absolute number of errors, which can be corrected, and in terms of the error rate, which is the ratio of the error induced to the degree of the permutation group. Unlike the correction capacity, which increases with n, the error rate seems to decrease slightly as n increases (Figure 2).

Figure 2:

Plot of error correction capacity with 95 % probability of success.

3.1 A McEliece cryptosystem using permutation codes

In this section, we present a public-key cryptosystem using permutation codes that is similar to the McEliece cryptosystem. The private key is kept secret, and the public key is available to the public.

• Private key Let G be a permutation group acting on n letters with a fast decoding algorithm. We choose a subgroup H ≤ G ≤ S _n and a permutation g from S _n . The private key is a set of generators {h ₁, …, h _s } of H and g. We will use the decoding algorithm in G as a decoding algorithm for H.

• Public key The public key is a set of elements { h ̂ i } = g − 1 h i g , which generate the conjugate group H ̂ = g − 1 H g . Note that a security assumption is that H ̂ does not have a fast decoding algorithm. Note that H ̂ might not be a subgroup of G.

• Encryption The plaintext is h ̂ of H ̂ . We introduce r errors in h ̂ to create the ciphertext c.

• Decryption Once we receive c, we compute gcg ⁻¹. We then use the fast decoding algorithm to obtain h, which is its nearest neighbor in H. We then compute h ̂ = g − 1 h g .

The conjugation map is an isometry of the Hamming space. The distance between h and H is equal to the distance between h ̂ and H ̂ . In the McEliece cryptosystem, the Hamming isometry is postmultiplication by a permutation matrix. The secret scrambler scrambles the basis of a linear code to create a new basis. It does not change the linear code. Here, the analogue to that would be the fact that we choose a random set of generators for the conjugate group as the public key.

3.2 The security of our cryptosystem

3.2.3 Information set decoding

Information set decoding is one of the more successful attacks on the McEliece cryptosystem. The original idea was proposed by Prange [16] in 1962, and many improvements on this basic attack have been proposed [17], 18]. For a [n, k] linear code, it involves picking k coordinates at random and trying to reconstruct the codeword from those positions. In this section, we recreate a version of Prange’s ISD attack for cryptosystems using permutation codes. We note that there are several notable improvements to Prange’s original ISD algorithm. It is not clear to us whether these improvements can translate to permutation codes as they extensively use the algebraic structure of linear codes. We refer the reader to Weger et al. [9], Section 5] for an excellent survey of the ISD algorithms. We prove a sufficient (but not necessary) condition for a permutation code based cryptosystem to be resistant to ISD attacks.

This algorithm is similar to the uncovering-by-bases decoding algorithm proposed by Bailey, except that, we do not know the UBB and thus the running time is not bounded by the size of the UBB. The correctness of this algorithm follows from the proof in Bailey [3], Proposition 7] in which he shows that given any r-subset of {1, …, n}, there exists a base for H disjoint from it. Each iteration is a success if none of the positions of c indexed by the chosen base have an error. This occurs with a finite nonzero probability because such a base exists. The performance of the ISD algorithm is identical for the groups H and H ̂ . This is because B is a base for H if and only if g ⁻¹ B is a base for H ̂ , and the algorithm picks a base at random where g is the secret conjugator.

Theorem 3.1.

Let k _max be the size of the irredundant base of largest size of H. The ISD algorithm succeeds in returning a plain text permutation h ∈ H ̂ with probability 1 − o(1) in time O 2 α ( k max , r ) n , where α ( k , r ) = H 2 r n − 1 − k n H 2 r n − k and H ₂(p) = −p log₂ p − (1 − p) log₂(1 − p) is the binary entropy function.

Proof.

The algorithm uses a procedure to choose an arbitrary base B for the group. At the same time, a set R of size r is chosen uniformly at random, and errors are induced in those positions. Before making concrete complexity estimates, we would like to make some observations. First, it is clear that if there are more error positions, the probability that the information set does not have any error reduces and the complexity of the attack increases with r. Also, if the size of the base chosen is small, the probability that the positions indexed by this base do not have any error positions is high. Thus, the complexity of the attack increases with k, the expectation of the length of the base.

Let E _B denote the event that the algorithm chooses subset B as a base for the group. Conditioned on the event E _B , an iteration of the algorithm succeeds if the sets R and B are disjoint. Because the set R is chosen uniformly at random from {1, …, n},

Pr [ Success | E B ] ≥ n − | B | r n r .

As this probability depends only on the size of B and not on the set B, we can obtain an expression for the probability of an iteration of the algorithm succeeding:

Pr [ Success ] ≥ ∑ k Pr [ Success ‖ B | = k ] Pr [ | B | = k ] = ∑ k n − k r n r Pr [ | B | = k ] .

Let k _max be the size of the irredundant base of largest size of H. As the Pr[Success|E _B ] decreases as the size of the base increases, we can obtain the following lower bound on the probability of the algorithm succeeding:

Pr [ Success ] ≥ n − k max r n r

This is a Monte Carlo algorithm, which decodes correctly with probability Pr[Success], and otherwise returns false. If we repeat the algorithm till it succeeds, we obtain a Las Vegas algorithm that always decodes correctly but has a running time, which is a random variable with expectation 1/Pr[Success]. It is also important to note that as each iteration is independent, this attack can be effectively parallelized. Using the following well-known formula for binomials,

n r = Θ 2 H 2 r n n

we can show that this algorithm has expected complexity

(2) O 2 α ( k max , r ) n .

□

The running time of this algorithm increases with both error rate and information rate. The value of k _max, which is the size of the largest irredundant base of H, is the analogue of the rank of the permutation code H. For example, it can be shown that the value of k _max for the symmetric group S _n acting on 2-subsets of [n] is n − 1 or n − 2, depending on the parity of n [19], Theorem 1.1]. The security level of a cryptosystem is measured from the amount of computational resources needed to break it. A cryptosystem is said to be b-bit secure if it requires 2 ^b operations to be broken. For asymmetric cryptosystems, this security level is upper bounded by the running time of the best known attacks on them. Using the ISD attack, a necessary condition for our cryptosystem to have b-bit security is α(k _max, r)n ≥ b. If we want a cryptosystem with b-bit security, we need to choose a permutation code with the appropriate parameters.

So far, we have described a framework to develop cryptosystems using permutation codes and outlined generic attacks on those cryptosystems, whose effectiveness depend on the parameters of the chosen permutation code H. Next, we attempt to use the permutation codes described in Section 2.2 in our cryptosystems.

3.3 Our cryptosystem using wreath product groups

The security and the performance of our cryptosystem depend on the choice of the group H and its decoding algorithm. In this section, we explore using the wreath product groups with the alternate decoding algorithm discussed in Section 2.3. We show that it can be made resistant to information set decoding attacks using appropriate parameters. However, the decoding algorithm can be modified to work in the conjugate group H ̂ as well, which makes the cryptosystem insecure. Although this cryptosystem is insecure, it does provide a concrete example of a permutation code with an efficient decoding algorithm, which cannot be efficiently attacked using the ISD algorithm.

Let H be the wreath product group C _m ≀ S _n (more generally, we can take H to be a subgroup of C _m ≀ S _n with suboptimal decoding). We consider the case of m = 5 for different values of n, for different probabilities of correct decoding. Because the actual minimal degree of this group is 5, there will be cases in which the receiver of the encrypted word cannot decode correctly and will receive a wrong word. In these cases, the receiver will be able to tell that the decoding is wrong (possibly by using an appended hash function) and ask the sender to resend the message. Consider the case for which the probability of correct decoding is 0.9 and 0.95. We find the largest such value of r for which r errors are introduced and can be corrected for at least 0.9 or 0.95 fraction of the cases for different values of n, and estimate the amount of computational resources required for an ISD based attack to break the cryptosystem by plugging in this value of r into Equation (2). As we can see, the computational resources needed to break this cryptosystem are nontrivial and increase with n, although it is still not close to commercial levels of security. We also repeat this exercise for the case of m = 7. For m = 7, we can attain higher security levels for smaller values of n compared with m = 5. These results mean that, by increasing m and n to an appropriate amount, we can reach commercial levels of security such as 128 or 256 bits. Our analysis of larger values of m and n were limited by our computational resources, as our computer program for calculating the proportion of error patterns that can be corrected involves iterating over integer partitions, which is computationally intensive. Judging by the trend in the graphs, however, we can conclude that the values of m and n can be appropriately increased to attain larger levels of security. For example, we can attain 128 bit security using the algorithm 95 percent success rate with n = 1,645, and with 95 percent success rate, we can achieve the same with n = 1,257 (Figures 3 and 4).

Figure 3:

Security levels for m = 5.

Figure 4:

Security levels for m = 7.

3.4 Our cryptosystem using the symmetric group acting on 2-subsets

We now examine the use of a group whose decoding algorithm will not work on its conjugates. Because of its parameters, however, it can be trivially broken using ISD attacks.

Let G be the symmetric group S _m acting on Ω the set of all two subsets of {1, …, m}. Let n = m ( m − 1 ) 2 and we choose H to be a subgroup of G. However, H is also a subgroup of S _n . For that there is a relabeling of the two subsets of {1, 2, …, m} by elements of {1, 2, …, n}. This labeling is not publicly available. Thus publicly we see H ≤ G ≤ S _n .

We use the decoding algorithm using the UBB described in Section 2.2.1. As H is a subgroup of G, the same decoding algorithm can be used, although the decoding might be suboptimal because the minimal degree of H might be greater than G. Unlike the case of the alternative decoding algorithm for the wreath product groups, we cannot easily construct a UBB for the conjugate group H ̂ ≤ S n using the same techniques used to construct one for G. To recall, the UBB is constructed using the Hamiltonian cycles of a complete graph. Now the conjugation map is just relabeling. When this relabeling happens, the V-graphs changes arbitrarily making them not bases. There seems to be no way of constructing a UBB without finding the conjugator. Furthermore, note that, since H is a subgroup of G, there is insufficient information on the action of the G on the complete graph from which the UBB is constructed.

3.4.2 ISD attacks

The size of a base for H is less than log₂(m!) ≤ mlog₂ m. The number of bit operations required to break the cryptosystem using information set decoding is less than

H 2 m − 3 m ( m − 1 ) / 2 − 1 − m ⁡ log 2 m m ( m − 1 ) / 2 H 2 m − 3 m ( m − 1 ) / 2 − m ⁡ log 2 m m ( m − 1 ) 2 ,

which is upper bounded by a polynomial in m. Hence, we can use information set decoding to break this cryptosystem in polynomial time. To demonstrate this more clearly, we plotted this as a function of m (Figure 5), and we can see that the security level of even 80-bits is not attainable for reasonable values of m.

Figure 5:

Security of cryptosystem using 2-sets.

The key reason why the cryptosystem using this code is insecure is the parameters of the code. Both the rate of the code and the correction capacity are too low. What we are aiming for is a code where the quantities k/n (on average) and r/n are asymptotically constant, like the binary Goppa codes. This requirement is satisfied by the wreath product groups using the alternative probabilistic decoding algorithm.

3.5 An enhanced McEliece cryptosystem

Permutation codes are permutation groups, which have less structure than linear codes which are vector spaces. Linear codes can also be seen as permutation codes. Let q = p ^t where p is a prime and t a positive integer. A linear code of block size n over the field F q is an additive subgroup of F q n , and a permutation code of block size n is a subgroup of S _n . We now enhance the classical McEliece cryptosystem over linear codes using permutation codes. For this, we describe an embedding.

Embedding a linear code into the symmetric group. We start with a monomorphism from the abelian group of F q to the symmetric group S _tp where q = p ^t and p is a prime. The representation for F q is the polynomial representation. This means that F q ≡ F p [ x ] / ϕ ( x ) where ϕ(x) is an irreducible polynomial of degree t. This says that every element of F q is a polynomial α ₀ + α ₁ x + α ₂ x ² + ⋯ + α _t−1 x ^t−1. Now, we fix t disjoint cycles c ₀, c ₁, …, c _t−1 of length p in S _pt and order them. One can choose c ₀ = (1, 2, …, p) as the first cycle, c ₁ = (p + 1, …, 2p) as the second, and so on. Note that disjoint cycles commute. Now we define a map, which we call the basis map, from the additive group of F q to S _pt :

Thus, α 0 + α 1 x + α 2 x 2 + ⋯ + α t − 1 x t − 1 ↦ c 0 α 0 c 1 α 1 … c t − 1 α t − 1 . It is easy to check that this map is an embedding – a monomorphism. Note that the map depends on the choice of the cycles. Now if we have a vector space V of dimension n over the field F q , corresponding to a fixed ordered basis B of V, every element of V is a vector of size n over F q – the coordinate vector. These coordinate vectors depend on the fixed ordered basis of the vector space. Then, the embedding of this vector space in the symmetric group S p t n is done in the obvious way. A vector in V = ⟨v ₁, …, v _n ⟩, where the basis is B = ( v 1 , … , v n ) , is of the form ν ₁ v ₁ + ⋯ + ν _n v _n where ν _i are field elements – the coordinates. Then, v corresponds to the ordered tuple (ν ₁, …, ν _n ) of field elements. This ordered tuple is then mapped to an ordered tuple ( ν ̂ 1 , … , ν ̂ n ) in S p t n a direct product of n copies of S _pt in the obvious way, using the basis map already defined. This embedding respects addition in the field and then in the vector space. It also respects scalar multiplication as long as the scalar is in the prime subfield. Thus, a linear code S being a subspace of the vector space V can be embedded as an elementary abelian subgroup of the symmetric group – a permutation group.

Let S = ⟨s ₁, s ₂, …, s _d ⟩ be a d-dimensional subspace of a n-dimensional vector space V, which is a code with a good decoding algorithm. This code has a d × n generator matrix. This basis matrix depends on a fixed ordered basis B of V. One can define a classical McEliece cryptosystem based on this code S. As in a McEliece cryptosystem, we define the public key as S′ = ASP where A and P are the scrambler and permutation matrices, respectively. Now S′ is also a d × n matrix over F q . One can use the basis map defined earlier to transfer this matrix to a matrix S ₁ over S _pt . Here, S ₁ is constructed by taking the embedding of each element in S′. Then, each element of S ₁ is conjugated by g an element of the symmetric group S _pt and denoted by S ₁ as well. Thus, S ₁ = g ⁻¹ S ₁ g. Recall that this conjugation is just a relabeling of the permutations.

In this enhanced McEliece cryptosystem, the public key is the rows of the matrix S ₁. The whole structure of the classical McEliece cryptosystem S and S′ is secret and so is the basis map and the conjugator g. The plaintext is [a ₁, …, a _n ] where each a _i is in the F p the prime subfield of F q . Then, one computes a = ∏ i = 1 n ( S 1 [ i ] ) a i where S ₁[i] is the ith row of S ₁. Then, we introduce errors in a. This is the ciphertext.

On receiving the ciphertext, use the conjugator g to restore the original labeling. Then, one decomposes it as product of cycles. Then, one computes most of the a _i from the exponent. Then that gives rise to a vector of length n over F q via the embedding. Assume that this is the ciphertext for the classical McEliece cryptosystem. Decrypt it using the classical McEliece cryptosystem. We will get the plaintext [a ₁, …, a _n ] back.

There are few things to note. First, since the basis map is a secret, it enhances the classical McEliece cryptosystem. Thus, one might be able to use linear codes for the enhanced McEliece cryptosystem that is otherwise not secure. When it comes to cycles, computing the exponent has a lot of redundancy. Say, in a cycle after introducing errors, there is one point that gets repeated. Then, we can simply ignore the repeated points and compute the exponent. It is the action on one point that determines the exponent, when it comes to a cycle. Furthermore, a field element now has a permutation representation. Based on this representation, we might be able to introduce much more errors than is possible to fix for a permutation error correcting code. This topic, what is the right way to introduce errors and how many errors we can introduce, is left unsettled in this paper. Lastly, there is no need for the matrix S′. One can just move from S to S ₁ directly without using S′. In this case, use a scrambler matrix over the prime subfield. Then, the extra step in decoding can be avoided.

Assume now there is a classical McEliece cryptosystem over linear codes that is secure. Then, for a suitable ciphertext of the original McEliece cryptosystem, one can map it to S ₁ by the basis map. If the original plaintext is recovered from the ciphertext in the permutation setting, then that breaks the original McEliece cryptosystem. Note, we assume that the basis map is known in this case. The McEliece cryptosystem using Goppa codes has been remarkably resilient to both classical and quantum attacks. However, this McEliece cryptosystem is an enhanced version of the classical McEliece cryptosystem. It might be secure for other linear codes on which the original McEliece cryptosystem is not secure. Thus, this enhancement is bit more than a mere academic interest and deserves further study. However, at our present state of knowledge, it provides no respite from large key sizes that plagues the original McEliece cryptosystem.

3.6 Why use permutation codes?

So far, we have described a framework for using permutation codes in public-key cryptography and explored this framework using two particular permutation codes. The cryptosystem using wreath product groups can be made resistant to ISD attacks, but its decoding algorithm can be adapted for use in any of its conjugates too, which makes it unsuitable. On the other hand, for the symmetric group acting on 2-sets, the decoding algorithm cannot be modified for use in its conjugates, nor can the conjugator be uncovered easily from H and H ̂ . This is because the decoding algorithm depends on some very specific graph theoretical properties of the complete graph, and the conjugates of H cannot be modeled as the symmetric group acting on a complete graph. The parameters of this code mean that any cryptosystem using this is susceptible to ISD attacks. The question is, can we come up with a permutation code with parameters that make it resistant to ISD attacks and a decoding algorithm that cannot be modified for its conjugates? Our cryptosystem using such a permutation code would be secure against both kinds of attacks demonstrated earlier.

Permutation groups differ from vector spaces in their noncommutativity, and it is an interesting question to ask if this would lead to any significant improvements in key size, speed, etc. over traditional linear code based cryptosystems. For example, a rank k subspace of F q n needs k basis vectors to describe, each of length n. On the contrary, very large permutation groups can be generated by a very small number of generators [2], Theorem 1.13]. For example, the symmetric group can be generated by two of its elements (the transposition (1, 2) and the cycle (1, 2, …, n)). This is a characteristic shared by many nonabelian permutation groups. Thus, a cryptosystem using permutation codes can potentially achieve a quadratic reduction in key size compared to its linear code counterparts for the same level of security! A linear code based cryptosystem using a code of length n over F q would require a key of O(n ²) as one of the components of the public key is a k × n matrix. By contrast, consider a permutation group of comparable size that is a subgroup of S _n , which can be generated using just two generators. The space needed to store these generators would be just O(n). One of the common complaints against the McEliece cryptosystem is its very large key size. So, this would be a direction of research worth pursuing.