Vulnerabilities of “McEliece in the World of Escher”

  • Dustin Moody
  • Ray PerlnerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9606)


Recently, Gligoroski et al. proposed code-based encryption and signature schemes using list decoding, blockwise triangular private keys, and a nonuniform error pattern based on “generalized error sets.” The general approach was referred to as McEliece in the World of Escher. This paper demonstrates attacks which are significantly cheaper than the claimed security level of the parameters given by Gligoroski et al. We implemented an attack on the proposed 80-bit parameters which was able to recover private keys for both encryption and signatures in approximately 2 hours on a single laptop. We further find that increasing the parameters to avoid our attack will require parameters to grow by (at least) two orders of magnitude for encryption, and may not be achievable at all for signatures.


Information set decoding Code-based cryptography McEliece PKC McEliece in the World of Escher 


  1. [BJMM12]
    Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2\(^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. [BLP11]
    Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. [FS09]
    Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. [Gli]
    Gligoroski, D.: A new code based public key encryption and signature scheme based on list decoding. Presented at Workshop on Cybersecurity in a Post-Quantum World, NIST, Gaithersburg MD, USA (2015)Google Scholar
  5. [GMRZ13]
    Gaborit, P., Murat, G., Ruatta, O., Zemor, G.: Low rank parity check codes and their application to cryptography. In: Parker, M.G., Budaghyan, L., Helleseth, T. (eds.) The International Workshop on Coding and Cryptography (WCC 2013), Bergen, Norway, p. 13, April 2013. ISBN: 978-82-308-2269-2Google Scholar
  6. [GRSZ14]
    Gaborit, P., Ruatta, O., Schrek, J., Zémor, G.: RankSign: an efficient signature algorithm based on the rank metric. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 88–107. Springer, Heidelberg (2014)Google Scholar
  7. [GSJB14]
    Gligoroski, D., Samardjiska, S., Jacobsen, H., Bezzateev, S.: McEliece in the World of Escher. Cryptology ePrint Archive, Report 2014/360 (2014).
  8. [LB88]
    Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  9. [Leo88]
    Leon, J.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)CrossRefMathSciNetGoogle Scholar
  10. [LT13]
    Landais, G., Tillich, J.-P.: An efficient attack of a McEliece cryptosystem variant based on convolutional codes. In: Gaborit, Philippe (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 102–117. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. [McE78]
    McEliece, R.J.: A Public-Key Cryptosystem Based On Algebraic Coding Theory. Deep Space Network Progress Report 44, pp. 114–116 (1978)Google Scholar
  12. [MMT11]
    May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal O}(2^{0.054n})\). In: Lee, D.H., Wang, Xiaoyun (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. [MTSB12]
    Misoczki, R., Tillich, J.-P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes. Cryptology ePrint Archive, Report 2012/409 (2012).
  14. [OT11]
    Otmani, A., Tillich, J.-P.: An efficient attack on all concrete KKS proposals. In: Yang, Bo-Yin (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 98–116. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  15. [Per14]
    Perlner, R.: Optimizing information set decoding algorithms to attack cyclosymmetric MDPC codes. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 220–228. Springer, Heidelberg (2014)Google Scholar
  16. [Pra62]
    Prange, E.: The use of information sets in decoding cyclic codes. IRE Tran. Inf. Theory 8(5), 5–9 (1962)CrossRefMathSciNetGoogle Scholar
  17. [Ste89]
    Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory and Applications. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.National Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations