How to Achieve a McEliece-Based Digital Signature Scheme

  • Nicolas T. Courtois
  • Matthieu Finiasz
  • Nicolas Sendrier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)


McEliece is one of the oldest known public key cryptosystems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical signature scheme based on coding theory. Its security can be reduced in the random oracle model to the well-known syndrome decoding problem and the distinguishability of permuted binary Goppa codes from a random code. For example we propose a scheme with signatures of 81-bits and a binary security workfactor of 283.


digital signature McEliece cryptosystem Niederreiter cryptosystem Goppa codes syndrome decoding short signatures 


  1. 1.
    A. Barg. Some new NP-complete coding problems. Problemy Peredachi Informatsii, 30:23–28, 1994 (in Russian).MathSciNetGoogle Scholar
  2. 2.
    A. Barg. Handbook of Coding theory, chapter 7-Complexity issues in coding theory. North-Holland, 1999.Google Scholar
  3. 3.
    E. R. Berlekamp, R. J. McEliece, and H. C. van Tilborg. On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3), May 1978.Google Scholar
  4. 4.
    A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weight words in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory, 44(1):367–378, January 1998.zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    N. Courtois, M. Finiasz, and N. Sendrier. How to achieve a McEliece-based digital signature scheme. Cryptology ePrint Archive, Report 2001/010, February 2001. et RR-INRIA 4118.
  6. 6.
    K. Kobara and H. Imai. Semantically secure McEliece public-key cryptosystems-Conversions for McEliece PKC-. In PKC’2001, LNCS, Cheju Island, Korea, 2001. Springer-Verlag.Google Scholar
  7. 7.
    P. J. Lee and E. F. Brickell. An observation on the security of McEliece’s publickey cryptosystem. In C. G. Günther, editor, Advances in Cryptology-EUROCRYPT’88, number 330 in LNCS, pages 275–280. Springer-Verlag, 1988.Google Scholar
  8. 8.
    Y. X. Li, R. H. Deng, and X. M. Wang. On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Transactions on Information Theory, 40(1):271–273, January 1994.zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    P. Loidreau and N. Sendrier. Weak keys in McEliece public-key cryptosystem. IEEE Transactions on Information Theory, 47(3):1207–1212, April 2001.zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. North-Holland, 1977.Google Scholar
  11. 11.
    R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep., Jet Prop. Lab., California Inst. Technol., Pasadena, CA, pages 114–116, January 1978.Google Scholar
  12. 12.
    H. Niederreiter. Knapsack-type crytosystems and algebraic coding theory. Prob. Contr. Inform. Theory, 15(2):157–166, 1986.MathSciNetGoogle Scholar
  13. 13.
    J. Patarin. Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In Eurocrypt’96, LNCS, pages 33–48, 1996.Google Scholar
  14. 14.
    J. Patarin, L. Goubin, and N. Courtois. 128-bit long digital signatures. In Cryptographers’ Track Rsa Conference 2001, San Francisco, April 2001. Springer-Verlag. to appear.Google Scholar
  15. 15.
    E. Petrank and R. M. Roth. Is code equivalence easy to decide? IEEE Transactions on Information Theory, 43(5):1602–1604, September 1997.zbMATHCrossRefMathSciNetGoogle Scholar
  16. 16.
    A. Vardy. The Intractability of Computing the Minimum Distance of a Code. IEEE Transactions on Information Theory, 43(6):1757–1766, November 1997.zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    N. Sendrier. Finding the permutation between equivalent codes: the support splitting algorithm. IEEE Transactions on Information Theory, 46(4):1193–1203, July 2000.zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    J. Stern. A method for finding codewords of small weight. In G. Cohen and J. Wolfmann, editors, Coding theory and applications, number 388 in LNCS, pages 106–113. Springer-Verlag, 1989.CrossRefGoogle Scholar
  19. 19.
    J. Stern. A new identification scheme based on syndrome decoding. In D. R. Stinson, editor, Advances in Cryptology-CRYPTO’93, number 773 in LNCS, pages 13–21. Springer-Verlag, 1993.Google Scholar
  20. 20.
    J. Stern. Can one design a signature scheme based on error-correcting codes ? In Asiacrypt 1994, number 917 in LNCS, pages 424–426. Springer-Verlag, 1994. Rump session.CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
    • 2
  • Matthieu Finiasz
    • 1
    • 3
  • Nicolas Sendrier
    • 1
  1. 1.Projet CodesINRIA RocquencourtLe Chesnay - CedexFrance
  2. 2.Systémes Information Signal (SIS)Toulon UniversityLa Garde CedexFrance
  3. 3.Ecole Normale SupérieureParis

Personalised recommendations