Decoding One Out of Many

  • Nicolas Sendrier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7071)


Generic decoding of linear codes is the best known attack against most code-based cryptosystems. Understanding and measuring the complexity of the best decoding techniques is thus necessary to select secure parameters. We consider here the possibility that an attacker has access to many cryptograms and is satisfied by decrypting (i.e. decoding) only one of them. We show that, for the parameter range corresponding to the McEliece encryption scheme, a variant of Stern’s collision decoding can be adapted to gain a factor almost \(\sqrt{N}\) when N instances are given. If the attacker has access to an unlimited number of instances, we show that the attack complexity is significantly lower, in fact the number of security bits is divided by a number slightly smaller than 3/2 (but larger than 1). Finally we give indications on how to counter those attacks.

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Nicolas Sendrier, INRIA Paris-Rocquencourt, Project-Team SECRET, France