Reducing Key Length of the McEliece Cryptosystem

  • Thierry P. Berger
  • Pierre-Louis Cayrel
  • Philippe Gaborit
  • Ayoub Otmani
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5580)


The McEliece cryptosystem is one of the oldest public-key cryptosystems ever designed. It is also the first public-key cryptosystem based on linear error-correcting codes. Its main advantage is to have very fast encryption and decryption functions. However it suffers from a major drawback. It requires a very large public key which makes it very difficult to use in many practical situations. A possible solution is to advantageously use quasi-cyclic codes because of their compact representation. On the other hand, for a fixed level of security, the use of optimal codes like Maximum Distance Separable ones allows to use smaller codes. The almost only known family of MDS codes with an efficient decoding algorithm is the class of Generalized Reed-Solomon (GRS) codes. However, it is well-known that GRS codes and quasi-cyclic codes do not represent secure solutions. In this paper we propose a new general method to reduce the public key size by constructing quasi-cyclic Alternant codes over a relatively small field like \({\mathbb{F}}_{2^8}\). We introduce a new method of hiding the structure of a quasi-cyclic GRS code. The idea is to start from a Reed-Solomon code in quasi-cyclic form defined over a large field. We then apply three transformations that preserve the quasi-cyclic feature. First, we randomly block shorten the RS code. Next, we transform it to get a Generalised Reed Solomon, and lastly we take the subfield subcode over a smaller field. We show that all existing structural attacks are infeasible. We also introduce a new NP-complete decision problem called quasi-cyclic syndrome decoding. This result suggests that decoding attack against our variant has little chance to be better than the general one against the classical McEliece cryptosystem. We propose a system with several sizes of parameters from 6,800 to 20,000 bits with a security ranging from 280 to 2120.


public-key cryptography McEliece cryptosystem Alternant code quasi-cyclic 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Baldi, M., Chiaraluce, G.F.: Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In: IEEE International Symposium on Information Theory, Nice, France, March 2007, pp. 2591–2595 (2007)Google Scholar
  2. 2.
    Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory 24(3), 384–386 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the mceliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Biswas, B., Sendrier, N.: Mceliece cryptosystem implementation: theory and practice. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 47–62. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Shokrollahi, A., Monico, C., Rosenthal, J.: Using low density parity check codes in the McEliece cryptosystem. In: IEEE International Symposium on Information Theory (ISIT 2000), Sorrento, Italy, p. 215 (2000)Google Scholar
  6. 6.
    Canteaut, A., Chabanne, H.: A further improvement of the work factor in an attempt at breaking McEliece’s cryptosystem. In: EUROCODE 1994, pp. 169–173. INRIA (1994)Google Scholar
  7. 7.
    Canteaut, A., Chabaud, F.: Improvements of the attacks on cryptosystems based on error-correcting codes. Technical Report 95–21, INRIA (1995)Google Scholar
  8. 8.
    Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: Application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory 44(1), 367–378 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Canteaut, A., Sendrier, N.: Cryptanalysis of the original McEliece cryptosystem. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 187–199. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  10. 10.
    Cayrel, P.L., Otmani, A., Vergnaud, D.: On Kabatianskii-Krouk-Smeets Signatures. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 237–251. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Engelbert, D., Overbeck, R., Schmidt, A.: A summary of McEliece-type cryptosystems and their security. Journal of Mathematical Cryptology 1, 151–199 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Gaborit, P.: Shorter keys for code based cryptography. In: Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), Bergen, Norway, pp. 81–91 (March 2005) Google Scholar
  13. 13.
    Gaborit, P., Girault, M.: Lightweight code-based authentication and signature. In: IEEE International Symposium on Information Theory (ISIT 2007), Nice, France, March 2007, pp. 191–195 (2007)Google Scholar
  14. 14.
    Gaborit, P., Lauradoux, C., Sendrier, N.: Synd: a fast code-based stream cipher with a security reduction. In: IEEE International Symposium on Information Theory (ISIT 2007), Nice, France, March 2007, pp. 186–190 (2007)Google Scholar
  15. 15.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: A ring-based public key cryptosystem. In: Buhler, J. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  16. 16.
    Kobara, K., Imai, H.: Semantically secure mceliece public-key cryptosystems-conversions for mceliece pkc. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 19–35. Springer, Heidelberg (2001)Google Scholar
  17. 17.
    Lee, P.J., Brickell, E.F.: An observation on the security of mcEliece’s public-key cryptosystem. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988)CrossRefGoogle Scholar
  18. 18.
    Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory 34(5), 1354–1359 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Li, Y.X., Deng, R.H., Wang, X.-M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Transactions on Information Theory 40(1), 271–273 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, 5th edn. North-Holland, Amsterdam (1986)zbMATHGoogle Scholar
  21. 21.
    McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab. (1978); DSN Progress Report 44Google Scholar
  22. 22.
    Minder, L., Shokrollahi, A.: Cryptanalysis of the Sidelnikov cryptosystem. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 347–360. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Problems Control Inform. Theory 15(2), 159–166 (1986)MathSciNetzbMATHGoogle Scholar
  24. 24.
    Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes (2008) (preprint)Google Scholar
  25. 25.
    Sendrier, N.: On the concatenated structure of a linear code. Appl. Algebra Eng. Commun. Comput. (AAECC) 9(3), 221–242 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  26. 26.
    Sendrier, N.: Cryptosystèmes à clé publique basés sur les codes correcteurs d’erreurs. Ph.D thesis, Université Paris 6, France (2002)Google Scholar
  27. 27.
    Sidelnikov, V.M.: A public-key cryptosystem based on binary Reed-Muller codes. Discrete Mathematics and Applications 4(3) (1994)Google Scholar
  28. 28.
    Sidelnikov, V.M., Shestakov, S.O.: On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Mathematics and Applications 1(4), 439–444 (1992)Google Scholar
  29. 29.
    Stern, J.: A method for finding codewords of small weight. In: Cohen, G.D., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989)CrossRefGoogle Scholar
  30. 30.
    van Tilburg, J.: On the mceliece public-key cryptosystem. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 119–131. Springer, Heidelberg (1990)Google Scholar
  31. 31.
    Wieschebrink, C.: Two NP-complete problems in coding theory with an application in code based cryptography. In: IEEE International Symposium on Information Theory, July 2006, pp. 1733–1737 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Thierry P. Berger
    • 1
  • Pierre-Louis Cayrel
    • 2
  • Philippe Gaborit
    • 1
  • Ayoub Otmani
    • 3
  1. 1.Université de Limoges, XLIM-DMILimoges CedexFrance
  2. 2.Département de mathématiquesUniversité Paris 8SAINT-DENIS cedex 02France
  3. 3.GREYC – EnsicaenUniversité de CaenCaen CedexFrance

Personalised recommendations