Cryptanalysis of the Original McEliece Cryptosystem

  • Anne Canteaut
  • Nicolas Sendrier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1514)


The class of public-key cryptosystems based on error-correcting codes is one of the few alternatives to the common algorithms based on number theory.We here present an attack against these systems which actually consists of a new probabilistic algorithm for finding minimum-weight words in any large linear code. This new attack notably points out that McEliece cipher with its original parameters does not provide a sufficient security level.


  1. CC98.
    A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrowsense BCH codes of length 511. IEEE Transactions on Information Theory, IT-44(1):367–378, 1998.CrossRefMathSciNetGoogle Scholar
  2. KS60.
    J.G. Kemeny and J.L. Snell. Finite Markov chains. Springer-Verlag, 1960.Google Scholar
  3. LB88.
    P.J. Lee and E.F. Brickell. An observation on the security of McEliece’s public-key cryptosystem. In C.G. Günter, ed., Advances in Cryptology-EUROCRYPT’88, number 330 in Lecture Notes in Computer Science, pages 275–280. Springer-Verlag, 1988.Google Scholar
  4. LDW94.
    Y.X. Li, R.H. Deng, and X.M. Wang. On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Transactions on Information Theory, IT-40(1):271–273, 1994.MathSciNetGoogle Scholar
  5. Leo88.
    J.S. Leon. A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory, 34(5):1354–1359, 1988.CrossRefMathSciNetGoogle Scholar
  6. McE78.
    R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pages 114–116, 1978.Google Scholar
  7. Nie86.
    H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.zbMATHMathSciNetGoogle Scholar
  8. Omu72.
    J.K. Omura. Iterative decoding of linear codes by a modulo-2 linear programm. Discrete Math, (3):193–208, 1972.Google Scholar
  9. Sen94.
    N. Sendrier. On the structure of a randomly permuted concatenated code. In P. Charpin, ed., EUROCODE 94-Livre des résumés, pages 169–173. INRIA, 1994.Google Scholar
  10. Sen95.
    N. Sendrier. On the structure of a randomly permuted concatenated code. Technical Report RR-2460, INRIA, January 1995.Google Scholar
  11. Sen96.
    N. Sendrier. An algorithm for finding the permutation between two equivalent binary codes. Technical Report RR-2853, INRIA, April 1996.Google Scholar
  12. SS92.
    V.M. Sidelnikov and S.O. Shestakov. On cryptosystems based on generalized Reed-Solomon codes. Diskretnaya Math, 4:57–63, 1992.MathSciNetGoogle Scholar
  13. Ste89.
    J. Stern. A method for finding codewords of small weight. In G. Cohen and J. Wolfmann, eds., Coding Theory and Applications, number 388 in Lecture Notes in Computer Science, pages 106–113. Springer-Verlag, 1989.CrossRefGoogle Scholar
  14. Ste93.
    J. Stern. A new identification scheme based on syndrome decoding. In D.R. Stinson, ed., Advances in Cryptology-CRYPTO’93, number 773 in Lecture Notes in Computer Science, pages 13–21. Springer-Verlag, 1993.Google Scholar
  15. Vér95.
    P. Véron. Probleme SD, Opérateur Trace, schémas d’identification et codes de Goppa. PhD thesis, Université de Toulon et du Var, 1995.Google Scholar
  16. vT94.
    J. van Tilburg. Security-analysis of a class of cryptosystems based on linear error-correcting codes. PhD thesis, Technische Universiteit Eindhoven, 1994.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Anne Canteaut
    • 1
  • Nicolas Sendrier
    • 1
  1. 1.INRIA - projet CODESLe ChesnayFrance

Personalised recommendations