Selecting parameters for secure McEliece-based cryptosystems

  • Robert Niebuhr
  • Mohammed Meziani
  • Stanislav Bulygin
  • Johannes Buchmann
Regular Contribution


In 1994, Shor showed that quantum computers will be able to break cryptosystems based on the problems of integer factorization and the discrete logarithm, for example, RSA or ECC. Code-based cryptosystems are promising alternatives to public-key schemes built on these problems, and they are believed to be secure against quantum computer attacks. In this paper, we solve the problem of selecting optimal parameters for the McEliece cryptosystem that are expected to provide security at least until a given year and give detailed recommendations. Our analysis is based on the lower bound complexity estimates by Sendrier and Finiasz, and the security requirements model proposed by Lenstra and Verheul. This security model uses assumptions about Moore’s Law and other developments in order to estimate the attained security level for a given year.


Post-quantum cryptography Codes McEliece Key length Moore’s Law Parameters 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Lenstra A.K., Verheul E.R.: Selecting cryptographic key sizes. J. Cryptol. 14(4), 255–293 (2001)MathSciNetzbMATHGoogle Scholar
  2. 2.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In SFCS’94: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, IEEE Computer Society, pp. 124–134 (1994)Google Scholar
  3. 3.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DNS Progress Report, pp. 114–116 (1978)Google Scholar
  4. 4.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. Annual Symposium on Theory of Computing, pp. 212–219 (1996)Google Scholar
  5. 5.
    Szewczyk G.: The dynamic ciphers: new concept of long-term content protecting. Annales Universitatis Apulensis Series Oeconomica 2(10), 34 (2008)Google Scholar
  6. 6.
    Bernstein, D.J.: Grover vs. McEliece. Proceedings of PQCrypto 2010, LNCS 6061, pp.73–80 (2010)Google Scholar
  7. 7.
    Dinh, H., Moore, C., Russell, A.: The McEliece cryptosystem resists quantum fourier sampling attacks. CoRR, vol. abs/1008.239. (2010)
  8. 8.
    Eisenbarth, Th.: Cryptography and cryptanalysis for embedded systems. Dissertation, Ruhr Universitaet, Bochum (2009)Google Scholar
  9. 9.
    Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the mceliece cryptosystem. In: Progress in Cryptology–Africacrypt’ 2009, LNCS 5580, pp. 77–97. Springer, Berlin (2009)Google Scholar
  10. 10.
    Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Jacobson, M.J. Jr., Rijmen, V., Safavi-Naini, R. Selected Areas in Cryptography, pp. 376–392. Springer, Berlin (2009)Google Scholar
  11. 11.
    Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: Proceedings of IEEE ISIT 2000, p. 215. Sorrento, Italy (2000)Google Scholar
  12. 12.
    Otmani, A., Tillich, J.-P., Dallot, L.: Cryptanalysis of Two McEliece Cryptosystems Based on Quasi-Cyclic Codes. Preprint (2008)
  13. 13.
    Gauthier, V., Leander, G.: Practical key recovery attacks on two McEliece variants. Cryptology ePrint Archive, Report 2009/509, (2009)
  14. 14.
    Faugère J.-C., Otmani A., Perret L., Tillich J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert, H. (ed.) EUROCRYPT, LNCS Vol. 6110, pp. 279–298. Springer, Berlin (2010)Google Scholar
  15. 15.
    Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys–towards a complexity analysis. In SCC’10: Proceedings of the 2nd International Conference on Symbolic Computation and Cryptography, pp. 45–55 (2010)Google Scholar
  16. 16.
    Wieschebrink, C.: Two NP-complete problems in coding theory with an application in code based cryptography. In: IEEE International Symposium on Information Theory–ISIT’2006, pp. 1733–1737. Seattle, USA, IEEE (2006)Google Scholar
  17. 17.
    Overbeck R.: Structural attacks for public key cryptosystems based on gabidulin codes. J. Cryptol. 21(2), 280–301 (2008)MathSciNetzbMATHCrossRefGoogle Scholar
  18. 18.
    MacWilliams, F.J., Sloane, N.J.A.: The theory of error correcting codes. North-Holland Pub. Co., New York (1977)Google Scholar
  19. 19.
    Berlekamp E., McEliece R., van Tilborg H.: On the inherent intractability of certain coding problems. IEEE Trans. Inform. Theory 24(3), 384–386 (1978)zbMATHCrossRefGoogle Scholar
  20. 20.
    Overbeck, R., Sendrier, N.: Code-based cryptography. In: Post Quantum Cryptography, pp. 95–146. Springer, Heidelberg (2008)Google Scholar
  21. 21.
    Biswas, B.: Implementational aspects of code-based cryptography. PhD Thesis, INRIA, Paris, France (2010)Google Scholar
  22. 22.
    Overbeck, R., Engelbert, D., Schmidt, A.: A Summary of Mceliece-Type Cryptosystems and their Security. Cryptology ePrint Archive, Report 2006/162, (2006)
  23. 23.
    Adams C.M., Meijer H.: Security-related comments regarding McEliece public-key cryptosystem. IEEE Trans. Inf. Theory 35(2), 454–455 (1989)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: EUROCRYPT’88, LNCS, pp. 275–280 (1988)Google Scholar
  25. 25.
    Stern, J.: A method for finding codewords of small weight. In: Proceedings of Coding Theory and Applications, pp. 106–113 (1989)Google Scholar
  26. 26.
    Canteaut, A., Chabanne, H.: A further improvement of the work factor in an attempt at breaking McEliec’s cryptosystem. Research Report RR-2227, INRIA (1994)Google Scholar
  27. 27.
    Canteaut A., Chabaud F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrowsense BCH codes of length 511. IEEE Trans. Inf. Theory 44(1), 367–378 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  28. 28.
    Bernstein D.J., Lange T., Peters C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds) PQCrypto, LNCS Vol. 5299, pp. 31–46. Springer, Berlin (2008)Google Scholar
  29. 29.
    Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) Advances in Cryptology—ASIACRYPT 2009, LNCS Vol. 5912, pp. 88–105. Springer, Berlin (2009)Google Scholar
  30. 30.
    Fossorier M.P.C., Kobara K., Imai H.: Modeling Bit Flipping Decoding Based on Nonorthogonal Check Sums With Application to Iterative Decoding Attack of McEliece Cryptosystem. IEEE Transactions on Information Theory 53(1), 402–411 (2007)MathSciNetCrossRefGoogle Scholar
  31. 31.
    Al Jabri, A.Kh.: A statistical decoding algorithm for general linear block codes. In: Proceedings of the 8th IMA International Conference on Cryptography and Coding, pp. 1–8. Springer, Berlin (2001)Google Scholar
  32. 32.
    Overbeck, R.: Statistical decoding revisited. In: ACISP’2006, LNCS, vol. 4058, pp. 283–294. Springer (2006)Google Scholar
  33. 33.
    Peters, C., Bernstein, D.J., Lange, T., van Tilborg, H.: Explicit Bounds for Generic Decoding Algorithms for Code-based Cryptography. In Proc. of the International Workshop on Coding and Cryptography, WCC’2009, pp. 68–180 (2009)Google Scholar
  34. 34.
    Niebuhr, R., Cayrel, P.-L., Bulygin, S., Buchmann, J.: On lower bounds for information set decoding over \({\mathbb{F}_q}\). In: Cid, C., Faugere, J.-C. (eds.) SSC’ 2010. pp. 143–157 (2010)Google Scholar
  35. 35.
    Niebuhr, R., Cayrel, P.-L., Bulygin, S., Buchmann, J.: On lower bounds for information set decoding over \({\mathbb{F}_q}\) and on the effect of partial knowledge. Submitted to Mathematics in Computer Science, Special Issue “Symbolic Computation and Cryptography II” (2011)Google Scholar
  36. 36.
    Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. Cryptology ePrint Archive, Report 2010/585. (2010) (to appear at CRYPTO 2011)
  37. 37.
    Faugère, J.-C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.-P.: A Distinguisher for High Rate McEliece Cryptosystems. Cryptology ePrint Archive, Report 2010/331 (2010)
  38. 38.
    Johansson T., Jonsson F.: On the complexity of some cryptographic problems based on the general decoding problem. IEEE Trans. Inf. Theory 48, 2669–2678 (2002)MathSciNetzbMATHCrossRefGoogle Scholar
  39. 39.
    Menezes, A., Qu, M., Stinson, D., Wang, Y.: Evaluation of security level of cryptography: Esign signature scheme. CRYPTREC Project, Japan (2001)Google Scholar
  40. 40.
    Colm, O.E., Scott, M.: Pairing calculation on supersingular genus 2 curves. In SAC’06: Proceedings of the 13th International Conference on Selected areas in Cryptography, pp. 302–316. Springer, Berlin (2007)Google Scholar
  41. 41.
  42. 42. Intel core 2 Quad Q6600. (2007)
  43. 43.
    Moore, G.E.: Cramming more components onto integrated circuits. In Electronics, vol. 38, p. 8 (1965)Google Scholar
  44. 44.
  45. 45.
    Sendrier, N.: On the security of the McEliece public-key cryptosystem. In: Blaum, M., Farrell, P.G., van Tilborg, H. (eds.) Information, Coding and Mathematics, Proceedings of Workshop honoring Prof. Bob McEliece on his 60th birthday, pp. 141–163. Kluwer, Dordrecht (2002)Google Scholar

Copyright information

© Springer-Verlag 2012

Authors and Affiliations

  • Robert Niebuhr
    • 1
  • Mohammed Meziani
    • 2
  • Stanislav Bulygin
    • 2
  • Johannes Buchmann
    • 1
  1. 1.Fachbereich Informatik, Kryptographie und ComputeralgebraTechnische Universität DarmstadtDarmstadtGermany
  2. 2.CASED—Center for Advanced Security Research DarmstadtDarmstadtGermany

Personalised recommendations