Journal of Cryptology

, Volume 29, Issue 1, pp 1–27 | Cite as

Enhanced Public Key Security for the McEliece Cryptosystem

  • Marco Baldi
  • Marco Bianchi
  • Franco Chiaraluce
  • Joachim Rosenthal
  • Davide Schipani


This paper studies a variant of the McEliece cryptosystem able to ensure that the code used as the public key is no longer permutation equivalent to the secret code. This increases the security level of the public key, thus opening the way for reconsidering the adoption of classical families of codes, like Reed–Solomon codes, that have been longly excluded from the McEliece cryptosystem for security reasons. It is well known that codes of these classes are able to yield a reduction in the key size or, equivalently, an increased level of security against information set decoding; so, these are the main advantages of the proposed solution. We also describe possible vulnerabilities and attacks related to the considered system and show what design choices are best suited to avoid them.


McEliece cryptosystem Niederreiter cryptosystem Error correcting codes Reed–Solomon codes Public key security 



The authors would like to thank Jean-Pierre Tillich and Ayoub Otmani for having pointed out the subcode vulnerability for the private code.


  1. 1.
    M. Baldi, M. Bianchi, F. Chiaraluce, Optimization of the parity-check matrix density in QC-LDPC code-based McEliece cryptosystems, in Proceedings of the IEEE International Conference on Communications (ICC 2013) - Workshop on Information Security over Noisy and Lossy Communication Systems. (Budapest, Hungary 2013)Google Scholar
  2. 2.
    M. Baldi, M. Bianchi, F. Chiaraluce, Security and complexity of the McEliece Cryptosystem based on QC-LDPC codes. IET Inf. Secur. 7(3), 212–220 (2013)Google Scholar
  3. 3.
    M. Baldi, M. Bianchi, N. Maturo, F. Chiaraluce, Improving the efficiency of the LDPC code-based McEliece cryptosystem through irregular codes, in Proceedings of the IEEE Symposium on Computers and Communications (ISCC 2013). (Split, Croatia, 2013)Google Scholar
  4. 4.
    M. Baldi, M. Bodrato, F. Chiaraluce, A new analysis of the McEliece cryptosystem based on QC-LDPC codes, in Security and Cryptography for Networks. LNCS, vol. 5229 (Springer, Berlin/Heidelberg, 2008), pp. 246–262Google Scholar
  5. 5.
    M. Baldi, F. Chiaraluce, Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes, in Proceedings of the IEEE International Symposium on Information Theory (ISIT 2007) (Nice, France, 2007), pp. 2591–2595Google Scholar
  6. 6.
    M. Baldi, F. Chiaraluce, R. Garello, F. Mininni, Quasi-cyclic low-density parity-check codes in the McEliece cryptosystem, in Proceedings of the IEEE International Conference on Communications (ICC 2007) (Glasgow, Scotland, 2007), pp. 951–956Google Scholar
  7. 7.
    A. Becker, A. Joux, A. May, A. Meurer, Decoding random binary linear codes in \(2^{n/20}\): How 1 + 1 = 0 improves information set decoding, in EUROCRYPT 2012. LNCS, vol. 7237 (Springer-Verlag 2012), pp. 520–536Google Scholar
  8. 8.
    T.P. Berger, P. Loidreau, How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr. 35, 63–79 (2005)Google Scholar
  9. 9.
    E. Berlekamp, R. McEliece, H. van Tilborg, On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)Google Scholar
  10. 10.
    D.J. Bernstein, T. Chou, P. Schwabe, McBits: fast constant-time code-based cryptography, in Proceedings of the Cryptographic Hardware and Embedded Systems (CHES 2013). LNCS, vol. 8086 (Springer, 2013), pp. 250–272Google Scholar
  11. 11.
    D.J. Bernstein, T. Lange, C. Peters, Attacking and defending the McEliece cryptosystem, in Post-Quantum Cryptography. LNCS, vol. 5299 (Springer, Berlin/Heidelberg, 2008), pp. 31–46Google Scholar
  12. 12.
    D.J. Bernstein, T. Lange, C. Peters, Smaller decoding exponents: ball-collision decoding, in CRYPTO 2011. LNCS, vol. 6841 (Springer-Verlag, 2011), pp. 743–760Google Scholar
  13. 13.
    D.J. Bernstein, T. Lange, C. Peters, Wild McEliece incognito. In: B.-Y. Yang (ed.) Post-Quantum Cryptography: PQCrypto 2011. LNCS, vol. 7071 (Springer 2011), pp. 244–254Google Scholar
  14. 14.
    A. Canteaut, Attaques de cryptosystemes a mots de poids faible et construction de fonction t-resilentes. PhD Thesis, Universitè Paris (1996)Google Scholar
  15. 15.
    N. Chen, Z. Yan, Complexity analysis of Reed-Solomon decoding over \(GF(2^m)\) without using syndromes. EURASIP J. Wirel. Commun. Netw. Article ID 843634 (2008)Google Scholar
  16. 16.
    N. Courtois, M. Finiasz, N. Sendrier, How to achieve a McEliece-based digital signature scheme, in ASIACRYPT 2001. LNCS, vol. 2248 (Springer, Berlin/Heidelberg, 2001), pp. 157–174Google Scholar
  17. 17.
    A. Couvreur, P. Gaborit, V. Gauthier-Umaña, A. Otmani, J.-P. Tillich, Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. (2014). doi: 10.1007/s10623-014-9967-z
  18. 18.
    N. Döttling, R. Dowsley, J. Müller-Quade, A.C.A Nascimento, A CCA2 Secure Variant of the McEliece Cryptosystem. IEEE Trans. Inf. Theory 58(10), 6672–6680 (2012)Google Scholar
  19. 19.
    R. Dowsley, J. Müller-Quade, A.C.A. Nascimento, A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model, in Topics in Cryptology - CT-RSA 2009. LNCS, vol. 5473 (Springer, Berlin/Heidelberg, 2009), pp. 240–251Google Scholar
  20. 20.
    M. Elia, J. Rosenthal, D. Schipani, Polynomial evaluation over finite fields: new algorithms and complexity bounds. Appl. Algebra Eng. Commun. Comput. 23(3–4), 129–141 (2011)Google Scholar
  21. 21.
    J.-C. Faugère, A. Otmani, L. Perret, J.-P. Tillich, A distinguisher for high rate McEliece cryptosystems, in Proceedings of the IEEE Information Theory Workshop (ITW 2011). (Paraty, Brazil, 2011), pp. 282–286Google Scholar
  22. 22.
    E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in CRYPTO ’99: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology. LNCS, vol. 6110 (Springer-Verlag 1999), pp. 537–554Google Scholar
  23. 23.
    E.M. Gabidulin, A.V. Paramonov, O.V. Tretjakov, Ideals over a non-commutative ring and their application in cryptography, in D.W. Davies (ed.) Advances in Cryptology - EUROCRYPT 91. LNCS, vol. 547 (Springer Verlag, 1991)Google Scholar
  24. 24.
    E.M. Gabidulin, O. Kjelsen, How to avoid the Sidelnikov-Shestakov attack, in Error Control, Cryptology, and Speech Compression. LNCS, vol. 829 (Springer, Berlin/Heidelberg 1994), pp. 25–32Google Scholar
  25. 25.
    V. Gauthier-Umaña, A. Otmani, J.-P. Tillich, A distinguisher-based attack on a variant of McEliece’s cryptosystem based on Reed-Solomon codes.
  26. 26.
    Y. Hamdaoui, N. Sendrier, A non asymptotic analysis of information set decoding. Cryptology ePrint Archive, Report 2013/162 (2013)Google Scholar
  27. 27.
    G. Kabatiansky, E. Krouk, S. Semenov, Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept. (Wiley, 2005)Google Scholar
  28. 28.
    K. Kobara, H. Imai, Semantically secure McEliece public-key cryptosystems - conversions for McEliece PKC. In: K. Kwangjo, (ed.) Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptosystems (PKC 2001). LNCS, vol. 1992 (Springer, 2001), pp. 19–35Google Scholar
  29. 29.
    I. Marquez-Corbella, R. Pellikaan, Error-correcting pairs for a public-key cryptosystem, in Proceedings of the Code-based Cryptography Workshop (CBC 2012) (Lyngby, Denmark, 2012)Google Scholar
  30. 30.
    A. May, A., Meurer, E. Thomae, Decoding random linear codes in \(O(2^{0.054n})\), in ASIACRYPT 2011. LNCS, vol. 7073 (Springer-Verlag, 2011), pp. 107–124Google Scholar
  31. 31.
    R.J. McEliece, A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, 114–116 (1978)Google Scholar
  32. 32.
    L. Minder, Cryptography based on error correcting codes. Ph.D. thesis, École Polytechnique Fédérale de Lausanne (2007)Google Scholar
  33. 33.
    R. Misoczki, J.-P. Tillich, N. Sendrier, P.S.L.M. Barreto, MDPC-McEliece: New McEliece variants from moderate density parity-check codes. Cryptology ePrint Archive, Report 2012/409 (2012)Google Scholar
  34. 34.
    C. Monico, J. Rosenthal, A. Shokrollahi, Using low density parity check codes in the McEliece cryptosystem, in Proceedings of the IEEE International Symposium on Information Theory (ISIT 2000) (Sorrento, Italy, 2000), p. 215Google Scholar
  35. 35.
    H. Niederreiter, Knapsack-type cryptosystems and algebraic coding theory. Probl. Contr. Inf. Theory 15, 159–166 (1986)Google Scholar
  36. 36.
    A. Otmani, J.P. Tillich, L. Dallot, Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes, in Proceedings of the First International Conference on Symbolic Computation and Cryptography (SCC 2008) (Beijing, China, 2008)Google Scholar
  37. 37.
    A. Ourivski, E.M. Gabidulin, Column scrambler for the GPT cryptosystem. Discret. Appl. Math. 128, 207–221 (2003)Google Scholar
  38. 38.
    R. Overbeck, Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008)Google Scholar
  39. 39.
    E. Persichetti, On a CCA2-secure variant of McEliece in the standard model. Cryptology ePrint Archive, Report 2012/268 (2012)Google Scholar
  40. 40.
    C. Peters, Information-set decoding for linear codes over \(\mathbb{F}_q\), in N. Sendrier (ed.) Post-Quantum Cryptography. LNCS, vol. 6061 (Springer, Berlin/Heidelberg, 2010), pp. 81–94Google Scholar
  41. 41.
  42. 42.
    K. Preetha Mathew, S. Vasant, S., Venkatesan, C. Pandu Rangan, An efficient IND-CCA2 secure variant of the Niederreiter encryption scheme in the standard model, in Information Security and Privacy. LNCS, vol. 7372 (Springer-Verlag, 2012), pp. 166–179Google Scholar
  43. 43.
    H. Rashwan, E.M. Gabidulin, B. Honary, Security of the GPT cryptosystem and its applications to cryptography. Secur. Commun. Netw. 4(8), 937–946 (2011)Google Scholar
  44. 44.
    R. Rastaghi, An efficient CCA2-secure variant of the McEliece cryptosystem in the standard model. Cryptology ePrint Archive, Report 2013/040 (2013)Google Scholar
  45. 45.
    D. Schipani, M. Elia, J. Rosenthal, On the decoding complexity of cyclic codes up to the BCH bound, in Proceedings of the IEEE International Symposium on Information Theory (ISIT 2011) (Saint Petersburg, Russia, 2011), pp. 835–839Google Scholar
  46. 46.
    V.M Sidelnikov, S.O. Shestakov, On insecurity of cryptosystems based on generalized Reed-Solomon codes, Discret. Math. Appl. 2(4), 439–444 (1992)Google Scholar
  47. 47.
    V.G. Umana, G. Leander, Practical key recovery attacks on two McEliece variants, in C. Cid, J.C. Faugère, (eds.) Proceeedings of the 2nd International Conference on Symbolic Computation and Cryptography, (Egham, UK, 2010), pp. 27–44Google Scholar
  48. 48.
    C. Wieschebrink, Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: N. Sendrier (ed.) Post-Quantum Cryptography (PQCrypto 2010). LNCS, vol. 6061 (Springer, 2010), pp. 61–72Google Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Marco Baldi
    • 1
  • Marco Bianchi
    • 1
  • Franco Chiaraluce
    • 1
  • Joachim Rosenthal
    • 2
  • Davide Schipani
    • 2
  1. 1.Università Politecnica delle MarcheAnconaItaly
  2. 2.University of ZurichZurichSwitzerland

Personalised recommendations