Implementing CFS

  • Gregory Landais
  • Nicolas Sendrier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7668)


CFS is the first practical code-based signature scheme. In the present paper, we present the initial scheme and its evolutions, the attacks it had to face and the countermeasures applied. We compare the different algorithmic choices involved during the implementation of the scheme and aim to provide guidelines to this task. We will show that all things considered the system remains practical. Finally, we present a state-of-the-art software implementation of the signing primitive to prove our claim. For eighty bits of security our implementation produces a signature in 1.3 seconds on a single core of Intel Xeon W3670 at 3.20 GHz. Moreover the computation is easy to distribute and we can take full profit of multi-core processors reducing the signature time to a fraction of second in software.


CFS digital signature scheme software implementation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Courtois, N.T., Finiasz, M., Sendrier, N.: How to Achieve a McEliece-Based Digital Signature Scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    McEliece, R.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep., Jet Prop. Lab., California Inst. Technol., Pasadena, CA, 114–116 (January 1978)Google Scholar
  3. 3.
    Beuchat, J.L., Sendrier, N., Tisserand, A., Villard, G.: FPGA implementation of a recently published signature scheme. Rapport de recherche 5158, INRIA (2004)Google Scholar
  4. 4.
    Faugère, J.C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. In: ITW 2011, Paraty, Brazil, pp. 282–286 (October 2011)Google Scholar
  5. 5.
    Finiasz, M.: Parallel-CFS: Strengthening the CFS McEliece-Based Signature Scheme. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory 24(3) (May 1978)Google Scholar
  7. 7.
    Prange, E.: The use of information sets in decoding cyclic codes. IRE Transactions IT-8, S5–S9 (1962)Google Scholar
  8. 8.
    Stern, J.: A Method for Finding Codewords of Small Weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989)CrossRefGoogle Scholar
  9. 9.
    Bernstein, D.J., Lange, T., Peters, C.: Smaller Decoding Exponents: Ball-Collision Decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011)Google Scholar
  10. 10.
    May, A., Meurer, A., Thomae, E.: Decoding Random Linear Codes in \(\tilde{\mathcal{O}}(2^{0.054n})\). In: Lee, D., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  11. 11.
    Wagner, D.: A Generalized Birthday Problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Camion, P., Patarin, J.: The Knapsack Hash Function Proposed at Crypto 1989 Can Be Broken. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 39–53. Springer, Heidelberg (1991)Google Scholar
  13. 13.
    Coron, J.S., Joux, A.: Cryptanalysis of a provably secure cryptographic hash function. Cryptology ePrint Archive, Report 2004/013 (2004),
  14. 14.
    Overbeck, R., Sendrier, N.: Code-based cryptography. In: Bernstein, D., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 95–145. Springer (2009)Google Scholar
  15. 15.
    Johansson, T., Jönsson, F.: On the complexity of some cryptographic problems based on the general decoding problem. IEEE-IT 48(10), 2669–2678 (2002)zbMATHCrossRefGoogle Scholar
  16. 16.
    Sendrier, N.: Decoding One Out of Many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Dumer, I.: On minimum distance decoding of linear codes. In: Proc. 5th Joint Soviet-Swedish Int. Workshop Inform. Theory, Moscow, pp. 50–52 (1991)Google Scholar
  18. 18.
    Finiasz, M., Sendrier, N.: Security Bounds for the Design of Code-Based Cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Becker, A., Joux, A., May, A., Meurer, A.: Decoding Random Binary Linear Codes in 2n/20: How 1 + 1 = 0 Improves Information Set Decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Patterson, N.: The algebraic decoding of Goppa codes. IEEE Transactions on Information Theory 21(2), 203–207 (1975)MathSciNetzbMATHCrossRefGoogle Scholar
  21. 21.
    Massey, J.: Shift-register synthesis and BCH decoding. IEEE Transactions on Information Theory 15(1), 122–127 (1969)MathSciNetzbMATHCrossRefGoogle Scholar
  22. 22.
    Berlekamp, E.: Algebraic Coding Theory. Aegen Park Press (1968)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Gregory Landais
    • 1
  • Nicolas Sendrier
    • 1
  1. 1.Project-Team SECRETINRIA Paris-RocquencourtFrance

Personalised recommendations