Wild McEliece Incognito

  • Daniel J. Bernstein
  • Tanja Lange
  • Christiane Peters
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7071)


The wild McEliece cryptosystem uses wild Goppa codes over finite fields to achieve smaller public key sizes compared to the original McEliece cryptosystem at the same level of security against all attacks known. However, the cryptosystem drops one of the confidence-inspiring shields built into the original McEliece cryptosystem, namely a large pool of Goppa polynomials to choose from.

This paper shows how to achieve almost all of the same reduction in key size while preserving this shield. Even if support splitting could be (1) generalized to handle an unknown support set and (2) sped up by a square-root factor, polynomial-searching attacks in the new system will still be at least as hard as information-set decoding.

Furthermore, this paper presents a set of concrete cryptanalytic challenges to encourage the cryptographic community to study the security of code-based cryptography. The challenges range through codes over F 2,F 3, …, F 32, and cover two different levels of how much the wildness is hidden.


McEliece cryptosystem Niederreiter cryptosystem Goppa codes wild Goppa codes list decoding 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Augot, D., Barbier, M., Couvreur, A.: List-decoding of binary Goppa codes up to the binary Johnson bound (2010),; Citations in this document: §2
  2. 2.
    Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography 35, 63–79 (2005), MR 2006d:94038,; Citations in this document: §1, §3, §3
  3. 3.
    Berlekamp, E.R.: Algebraic coding theory. Aegean Park Press (1984) ISBN 0894120638; Citations in this document: §2Google Scholar
  4. 4.
    Bernstein, D.J.: List decoding for binary Goppa codes. In: IWCC [10], pp. 62–80 (2011),; Citations in this document: §2
  5. 5.
    Bernstein, D.J.: Simplified high-speed high-distance list decoding for alternant codes. In: PQCrypto 2011 [27], pp. 200–216 (2011),; Citations in this document: §2, §2
  6. 6.
    Bernstein, D.J., Lange, T., Peters, C.: Wild McEliece. In: SAC 2010 [7], pp. 143–158 (2011),; Citations in this document: §1, §1, §1, §1, §1, §1, §2, §2, §2, §3, §4, §4
  7. 7.
    Biryukov, A., Gong, G., Stinson, D.R. (eds.): Selected areas in cryptography—17th international workshop, SAC 2010, Waterloo, Ontario, Canada, August 12-13, 2010, revised selected papers. Lecture Notes in Computer Science, vol. 6544. Springer, Heidelberg (2011); See [6]Google Scholar
  8. 8.
    Certicom: Certicom ECC Challenge (1997),; Citations in this document: §4, §4
  9. 9.
    Charpin, P. (ed.): Livre des résumés—EUROCODE 94, Abbaye de la Bussière sur Ouche, France (October 1994); See [20] Google Scholar
  10. 10.
    Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.): Coding and cryptology—third international workshop, IWCC 2011, Qingdao, China, May 30-June 3, 2011, proceedings. Lecture Notes in Computer Science, vol. 6639. Springer, Heidelberg (2011); See [4]Google Scholar
  11. 11.
    Goppa, V.D.: A new class of linear error correcting codes. Problemy Peredachi Informatsii 6, 24–30 (1970); Citations in this document: §2, §2MathSciNetzbMATHGoogle Scholar
  12. 12.
    Goppa, V.D.: Rational representation of codes and (L,g)-codes. Problemy Peredachi Informatsii 7, 41–49 (1971); Citations in this document: §2MathSciNetzbMATHGoogle Scholar
  13. 13.
    Kim, K. (ed.): Public key cryptography: proceedings of the 4th international workshop on practice and theory in public key cryptosystems (PKC 2001) Held on Cheju Island, February 13-15, 2001. Lecture Notes in Computer Science, vol. 1992. Springer, Heidelberg (2001); See [14] Google Scholar
  14. 14.
    Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems—conversions for McEliece PKC. In: PKC 2001 [13], pp. 19–35 (2001), MR 2003c:94027; Citations in this document: §4Google Scholar
  15. 15.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, 114–116 (1978),; Citations in this document: §1
  16. 16.
    Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory 15, 159–166 (1986); Citations in this document: §1, §4MathSciNetzbMATHGoogle Scholar
  17. 17.
    Patterson, N.J.: The algebraic decoding of Goppa codes. IEEE Transactions on Information Theory 21, 203–207 (1975); Citations in this document: §2MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Peters, C.: Information-set decoding for linear codes over F q. In: PQCrypto 2010 [22], pp. 81–94 (2010),; Citations in this document: §1, §3, §4, §4, §4, §5
  19. 19.
    RSA Laboratories: The RSA Factoring Challenge (1991),; Citations in this document: §4
  20. 20.
    Sendrier, N.: On the structure of a randomly permuted concatenated code. In: EUROCODE 94 [9], pp. 169–173 (1994); Citations in this document: §3, §3Google Scholar
  21. 21.
    Sendrier, N.: Finding the permutation between equivalent linear codes: the support splitting algorithm. IEEE Transactions on Information Theory 46, 1193–1203 (2000), MR 2001e:94017,; Citations in this document: §1 MathSciNetCrossRefzbMATHGoogle Scholar
  22. 22.
    Sendrier, N. (ed.): Post-quantum cryptography, third international workshop, PQCrypto, Darmstadt, Germany, May 25-28, 2010. Lecture Notes in Computer Science, vol. 6061. Springer, Heidelberg (2010); See [18], [25]Google Scholar
  23. 23.
    Stein, W. (ed.): Sage Mathematics Software (Version 4.4.3), The Sage Group (2010); Citations in this document: §4
  24. 24.
    Sugiyama, Y., Kasahara, M., Hirasawa, S., Namekawa, T.: Further results on Goppa codes and their applications to constructing efficient binary codes. IEEE Transactions on Information Theory 22, 518–526 (1976); Citations in this document: §2MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: PQCrypto 2010 [22], pp. 61–72 (2010); Citations in this document: §3Google Scholar
  26. 26.
    Wikipedia: RSA Factoring Challenge—Wikipedia, The Free Encyclopedia (2011), (accessed July 01, 2011); Citations in this document: §4
  27. 27.
    Yang, B.-Y. (ed): Post-quantum cryptography, fourth international workshop, PQCrypto, Taipei, Taiwan, November 29-December 02, 2011. Lecture Notes in Computer Science, vol. 7071. Springer, Heidelberg (2011); See [5]Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Daniel J. Bernstein
    • 1
  • Tanja Lange
    • 2
  • Christiane Peters
    • 3
  1. 1.Department of Computer ScienceUniversity of Illinois at ChicagoChicagoUSA
  2. 2.Department of Mathematics and Computer ScienceTechnische Universiteit EindhovenEindhovenNetherlands
  3. 3.Department of MathematicsTechnical University of DenmarkKgs. LyngbyDenmark

Personalised recommendations