## INTRODUCTION

Post-quantum cryptography (PQC), a popular term for cryptography that aims to provide ‘post-quantum’ alternatives to the existing number-theoretic cryptography [1–3], has received great attention in recent years. In essence, PQC overlaps many existing branches of cryptography, including coding-based cryptography [4, 5], lattice-based cryptography, hash-based cryptography, and multivariate-quadratic-equations cryptography [6]. However, driven largely by the possible invention of a large quantum computer in the near future, PQC has become a new *buzzword* in the cryptography community, and these non-number-theoretic branches, especially coding-based cryptography, have attracted renewed attention.

In coding-based cryptography, there are two well-known public key encryption schemes, namely the McEliece and Niederreiter cryptosystems [4, 5]. The McEliece cryptosystem, first proposed in 1978 [4], is the first public key encryption scheme based on linear error-correcting codes. Compared with the classical RSA cryptosystem [7], the McEliece cryptosystem has two advantages: (i) both the encryption and decryption algorithms are faster; and (ii) as the key size increases, the security level also grows much faster. The Niederreiter cryptosystem [5] is a dual encryption scheme proposed in 1986, which is not only ten times faster than the McEliece cryptosystem in terms of encryption speed, but also equivalent to the McEliece cryptosystem in terms of security. Following these two seminal works, much effort has been devoted to coding-based cryptography over the past years [8–14]. For example, Stern proposed a coding-based zero-knowledge identification scheme in 1993 [14]; Courtois, Finiasz, and Sendrier presented the first practical coding-based signature scheme in 2001 [10]. More recently, how to reduce the public key size and how to choose secure parameters in coding-based cryptography have also been explored in depth [15–19].

*Semantic security* (a.k.a. indistinguishability) against adaptive chosen ciphertext attacks (IND-CCA2) is the strongest known notion of security for public key encryption schemes. However, in coding-based cryptography, IND-CCA2 security has not been widely discussed. To the best of our knowledge, only a few papers have touched on this research issue [20–22]. Because the McEliece cryptosystem has a special architecture, some general IND-CCA2 conversions [23, 24], although they achieve IND-CCA2 versions of the McEliece cryptosystem, may incur some redundancy. Therefore, Kobara and Imai proposed two specific conversions to reduce the redundancy [20]. Recently, Nojima *et al*. [21] studied semantic security for the McEliece cryptosystem without random oracles. However, they only achieve semantic security against chosen plaintext attacks, and the tight reductions are also questionable, especially for the Niederreiter cryptosystem. In Reference 22, Dowsley *et al*. also discussed a CCA2-secure public key encryption scheme based on the McEliece assumption in the standard model, but their scheme needs some special constructions. Therefore, how to design an *efficient* and IND-CCA2 secure coding-based cryptosystem with or without random oracles is still worth investigating.

In this paper, we propose an *efficient* IND-CCA2 secure public key encryption scheme based on coding theory. Concretely, we design our scheme based on the syndrome decoding (SD) problem, and use provable security techniques to obtain a tight reduction in the random oracle model [25]. Compared with the Niederreiter cryptosystem, only two additional hash operations are required in the proposed scheme. Thus, our scheme achieves fast encryption speed.

The remainder of this paper is organized as follows. In Section 2, we formalize the definition of public key encryption and the corresponding security model. In Section 3, we review the coding theory and the complexity assumption that form the basis of our proposed scheme. In Section 4, we present our efficient public key encryption scheme based on coding theory, followed by its formal security proof and parameter selection in Section 5 and Section 6, respectively. Finally, we draw our conclusions in Section 7.