A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

  • Qian Guo
  • Thomas Johansson
  • Paul Stankovski
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


Algorithms for secure encryption in a post-quantum world are currently receiving a lot of attention in the research community, including several larger projects and a standardization effort from NIST. One of the most promising algorithms is the code-based scheme called QC-MDPC, which has excellent performance and a small public key size. In this work we present a very efficient key recovery attack on the QC-MDPC scheme, exploiting the fact that decryption uses an iterative decoding step that can fail with some small probability. We identify a dependence between the secret key and the failure in decoding. This can be used to build what we refer to as a distance spectrum for the secret key, which is the set of all distances between any two ones in the secret key. In a reconstruction step we then determine the secret key from the distance spectrum. The attack has been implemented and tested on a proposed instance of QC-MDPC for 80-bit security. It successfully recovers the secret key in minutes.

A slightly modified version of the attack can be applied to proposed versions of the QC-MDPC scheme that provide IND-CCA security. The attack is somewhat more complex in this case, but its complexity is still far below the claimed security level. The reason we can break schemes with proven CCA security is that the model used in these proofs typically does not account for the possibility of decoding errors.
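The abstract defines the distance spectrum of a secret key as the set of distances between any two ones in the key; the example below, added here and not taken from the paper, makes that definition concrete so a reader can see what a reaction attack is able to learn and why it is enough to pin down a key. It assumes the cyclic (mod p) distance convention that is natural for a quasi-cyclic code, which the abstract does not spell out, and uses a constructed toy key (p = 17, four ones) rather than real QC-MDPC parameters. The multiplicity counts and the shift-invariance check are additions for illustration.

```python
from collections import Counter
from itertools import combinations


def cyclic_distance(i: int, j: int, p: int) -> int:
    """Distance between positions i and j on a cycle of length p.

    Assumption (not stated in the abstract): distances are taken modulo p,
    so position 0 and position p-1 are neighbours, as in a quasi-cyclic block.
    """
    d = abs(i - j) % p
    return min(d, p - d)


def distance_spectrum(positions, p: int) -> Counter:
    """Distance spectrum of a length-p binary vector given by its one-positions.

    Returns a Counter mapping each distance d (1 <= d <= p // 2) to the number
    of pairs of ones that are at cyclic distance d. The *set* of keys is the
    spectrum as defined in the abstract; the multiplicities are an extra that
    shows how much structure a single distance can carry.
    """
    pos = sorted(set(positions))
    if any(not 0 <= x < p for x in pos):
        raise ValueError("positions must lie in [0, p)")
    return Counter(cyclic_distance(i, j, p) for i, j in combinations(pos, 2))


def spectrum_from_bits(bits, p: int) -> Counter:
    """Same as distance_spectrum, but starting from a 0/1 list of length p."""
    if len(bits) != p:
        raise ValueError("bit vector must have length p")
    return distance_spectrum([i for i, b in enumerate(bits) if b], p)


def cyclic_shift(positions, s: int, p: int) -> set:
    """Rotate a set of one-positions by s places on the cycle of length p."""
    return {(x + s) % p for x in positions}


def spectrum_density(spec: Counter, p: int) -> float:
    """Fraction of the possible distances 1..p//2 that occur in the key.

    For a key of weight w there are only w*(w-1)/2 pairs, so a sparse key
    hits a small fraction of the p//2 candidate distances; the spectrum is
    therefore a strong fingerprint of the key.
    """
    return len(spec) / (p // 2)


# Constructed toy key: block length 17, ones at positions 0, 3, 7, 12.
P = 17
KEY = {0, 3, 7, 12}

if __name__ == "__main__":
    spec = distance_spectrum(KEY, P)
    print("spectrum:", dict(sorted(spec.items())))
    print("density :", spectrum_density(spec, P))
    # A cyclically shifted key has exactly the same spectrum, which is why
    # the spectrum determines a key only up to rotation of the block.
    print("shift-invariant:", distance_spectrum(cyclic_shift(KEY, 5, P), P) == spec)
```

The spectrum for the toy key is {3: 1, 4: 1, 5: 2, 7: 1, 8: 1}: distance 5 is produced by two different pairs (0 and 12 wrap around, 7 and 12 do not), which is the kind of multiplicity information that a decoding-failure oracle leaks statistically. The shift-invariance check shows why the attack in the abstract needs to recover the key only up to a cyclic rotation of the block.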


Keywords: CCA-security, Key-recovery attack, Post-quantum cryptography, QC-MDPC, Reaction attack



Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. Department of Electrical and Information Technology, Lund University, Lund, Sweden
