![Table 4: Work factor (log2) of ISD attacks estimated as in [40] for GRS codes with n = 346, defined over F347, and m = 1 + r−3 n , z = 1, 2, 3, 4.](/figures/table-4-work-factor-log2-of-isd-attacks-estimated-as-in-40-2rpi6z05.webp)
![Table 3: Work factor (log2) of ISD attacks estimated as in [40] for GRS codes with n = 546, defined over F547, and m = 1 + r−3 n , z = 1, 2, 3, 4.](/figures/table-3-work-factor-log2-of-isd-attacks-estimated-as-in-40-3g8p8hbc.webp)
ZurichOpenRepositoryand
Archive
UniversityofZurich
UniversityLibrary
Strickhofstrasse39
CH-8057Zurich
www.zora.uzh.ch
Year:2016
EnhancedpublickeysecurityfortheMcEliececryptosystem
Baldi,Marco;Bianchi,Marco;Chiaraluce,Franco;Rosenthal,Joachim;Schipani,Davide
Abstract: ThispaperstudiesavariantoftheMcEliececryptosystemabletoensurethatthecodeused
asthepublickeyisnolongerpermutationequivalenttothesecretcode.Thisincreasesthesecuritylevel
ofthepublickey,thusopeningthewayforreconsideringtheadoptionofclassicalfamiliesofcodes,like
Reed–Solomoncodes,thathavebeenlonglyexcludedfromtheMcEliececryptosystemforsecurityreasons.
Itiswellknownthatcodesoftheseclassesareabletoyieldareductioninthekeysizeor,equivalently,
anincreasedlevelofsecurityagainstinformationsetdecoding;so,thesearethemainadvantagesofthe
proposedsolution.Wealsodescribepossiblevulnerabilitiesandattacksrelatedtotheconsideredsystem
andshowwhatdesignchoicesarebestsuitedtoavoidthem.
DOI:https://doi.org/10.1007/s00145-014-9187-8
PostedattheZurichOpenRepositoryandArchive,UniversityofZurich
ZORAURL:https://doi.org/10.5167/uzh-128304
JournalArticle
AcceptedVersion
Originallypublishedat:
Baldi,Marco;Bianchi,Marco;Chiaraluce,Franco;Rosenthal,Joachim;Schipani,Davide(2016).En-
hancedpublickeysecurityfortheMcEliececryptosystem.JournalofCryptology,29(1):1-27.
DOI:https://doi.org/10.1007/s00145-014-9187-8
Enhanced public key security for
the McEliece cryptosystem
Marco Baldi
1
, Marco Bianchi
1
, Franco Chiaraluce
1
,
Joachim Rosenthal
2
, and Davide Schipani
2
1
Universit`a Politecnica delle Marche, Ancona, Italy,
{m.baldi,m.bianchi,f.chiaraluce}@univpm.it
2
University of Zurich, Zurich, Switzerl and,
{rosenthal,davide.schipani}@math.uzh.ch
Abstract
This paper studies a variant of the McEliece cryptosystem able to
ensure that the code used as the public key is no longer permutation-
equivalent to the secret code. This increases the security level of the
public key, thus opening the way for reconsidering the adoption of clas-
sical families of codes, like Reed-Solomon codes, that have been longly
excluded from the McEliece cryptosystem for security reasons. It is well
known that codes of these classes are able to yield a reduction in the key
size or, equivalently, an increased level of security against information set
decoding; so, these are the main advantages of the proposed solution. We
also describe possible vulnerabilities and attacks related to the considered
system, and show what design choices are best suited to avoid them.
Keywords: McEliece cryptosystem, Niederreiter cryptosystem, e r r or correct-
ing codes, Reed-Solomon codes, public key security.
1 Introduction
The McEliece cryptosystem [31] is one of the most promising public-key cryp-
tosystems able to resist attacks based on quantum computers. In fact, differently
from cryptosystems exploiting integer factorization or discrete logarithms, it re -
lies on the hardness of decoding a linear block code without any visible structure
[9].
The material in this paper was presented in part at the Seventh International Workshop
on Coding and Cryptography (WCC 2011), Paris, France, April 2011. The Research was
supported in part by the Swiss National Science Foundation under grants No. 132256, 149716,
and in part by the MIUR project “ESCAPADE” (grant RBFR105NLC) under the “FIRB -
Futuro in Ricerca 2010” funding program.
1
The original McEliece cryptosy st em adopts the generator matr ix of a binary
Goppa code as the private key, and exploits a dens e transformation matrix and a
permutation matrix to disguise the secret key into the publi c one. It has resisted
cryptanalysis for more than thirty years, since no polynomial-time attack to the
system has been devised up to now; however, the increased compu ti ng power
and the availability of optimized attack pr ocedures have required to update its
original parameters [11].
The main advantage of the McEliece cr y pt osy st em consists in its fast en cr y p -
tion and decry pt ion procedures, which require a significantly lower number of
operations with respect to alternative solutions (like RSA). However, the ori g-
inal McEli ec e cryptosys te m has two main disadvantages: low e nc r yp ti on rate
and large key size, both due to the binary Goppa codes it is based on. When
adopting Goppa codes, a first improvement is obtained through the variant pro-
posed by Niederreiter [35], which uses parity-check matrices instead of generator
matrices. A further reduction in the pu bl ic key size can be obtained by replacing
binary Goppa codes with non-binary Goppa codes, and paying attention that
polynomial enumeration is prevented [13].
A significant improvement would be obtained if other families of codes could
be included in the system, allowing a more efficie nt code design and a more
compact repre se ntation of their matrices. In particular, the use of G en e r al-
ized Reed-Solomon (GRS) codes could yield significant advantages. In fact,
GRS codes are maximum distance separable codes, which ensures th ey achieve
maximum error correction capability under bounded-distance decoding. In the
McEliece system, this translates into shorte r keys for the same security level, or
a higher security level for the same key s iz e, with respect to binary Goppa codes
(having the same code rate). In fact, Goppa codes are subfield subcodes of GRS
codes and the subcoding procedure makes them less efficient than GRS c odes.
However, this also makes them secure against key recovering attacks, while
the algebraic structure of GR S codes, when exposed in the public key (also in
permuted form), makes them insecure against attacks aimed at recovering the
secret code, like the Sidelnikov-Shestakov attack [ 46 ].
Many attempts of replacing Goppa codes with other families of codes have
exposed the system to security threats [38], [48], and some recent proposals
based on Quasi-Cyclic and Quasi -D yadic codes have also been broken [47]. Low-
Density Parity-Check (LDPC) codes, in pr in cip le , could offer high design flexi-
bility and compact keys. However, also the use of LDPC codes may expose the
system to severe flaws [34, 5, 6, 36]. Nevertheless, it is still possible to exploit
Quasi-Cyclic LD PC codes to des ign a variant of the system that is immune to
any known attack [4, 2, 1, 3].
The idea in [4] is to replace the permutation matrix used in the original
McEliece cryptosystem with a denser transformation matrix. The transforma-
tion matrix used i n [4] is a sparse matrix and its de ns i ty must be chosen as a
trade-off between two opposite effects [1]: i) increasing the density of th e public
code parity-check matrix, so that it is too difficult, for an opponent, to search
for low weight codewords in its dual code and ii) limitin g the propagation of the
intentional errors, so that they are still correctable by the legitimate receiver.
2
The advantage of replacing the permutation with a more general transformation
is that the code used as the public key is no longer permutation equivalent to
the secret code. This increases th e security of the public key, as it prevents
an attacker from exploiting the permutation equivalence when trying to recover
the secret code structure.
We elaborate on this approach by introdu cin g a more effective class of trans-
formation matrices and by generalizing th eir form also to the non-binary case.
The new proposal is based on the fact that there exist some classes of dense
transformation matrices that have a limited propagation effect on the inten-
tional error vectors. The use of these matrices allows to better disguise the
private key into the p ub lic one, with a controlled error propagation effect. So,
we propose a modified cryptosystem that can restore the use of advantageous
families of codes, like GRS codes, by ensuring increased public key security.
The rest of the p aper is organized as follows. In Section 2, we describe the
proposed s ys te m, both in th e Mc Eli ec e and Nie de r r e ite r versions. Des ign iss u es
are discussed in Section 3. In Section 4, a compar is on with other variants of the
classic McEliece cryptosystem is developed. In Section 5, two kinds of attacks
are considered, namely the information set decoding attack and the attack based
on a particular kind of di s tin guis h er able to tell the p ub li c matrices from random
ones. We will show that both these attacks can be avoided, by choos ing proper
values of the parameters. In Section 6, key size and complexity are computed,
and then compared with other solutions. Finally, in Se ct ion 7, some conclusions
are drawn.
2 Description of the cryptosystem
The proposed cr yp tos ys te m takes as its basis the classi cal McEliece cryptosys-
tem, whose block scheme is reported in Fig. 1, where u denotes a cleartext
message and x its associated cipherte xt . The main components of this system
are:
• A private linear block code generator matrix G
• A public linear block code generator matrix G
′
• A secret scrambling matrix S
• A secret permutation matrix P
• A secret intentional err or vector e
In the figure, Y
−1
denotes the inverse of matrix Y.
As for the original system, the proposed cryptosystem can be implemented
in the classical McEliece form or, alt er n atively, in the Niederreiter version. In
both cases, the main element that differentiates the proposed solution from the
original cryptosystem is the replacement of the permutation matrix P with a
dense transformation matrix Q, whose design is described next.
3
Alice
e
Bob
unsecure
channel
Goppa
encoder
intentional
errors
permutation
G
' =
S
-1
G P
-1
public key
G
'
P S
G
descramblingGoppa
decoder
u x x u
private key
Figure 1: The original McEliece cryptosystem.
2.1 Matrix Q
The matrix Q is a non-singular n × n matrix having the form
Q = R + T, (1)
where R is a dense n × n matrix and T is a sparse n × n matrix. The matrices
R, T and Q have elements in F
q
, with q ≥ 2.
The matrix R is obtained starting from two sets, A and B, each containing
w matrices having size z × n, z ≤ n, defined over F
q
: A = {a
1
, a
2
, . . . , a
w
},
B = {b
1
, b
2
, . . . , b
w
}. We also define a =
P
w
i=1
a
i
. The matrices in A and B
are secret and randomly chosen; then, R is obtained as:
R =
a
1
a
2
.
.
.
a
w
T
·
b
1
b
2
.
.
.
b
w
, (2)
where
T
denotes transposition. Starting from (2), we make some simplifying
assumptions, aimed at reducing the amount of secret data th at is needed to be
stored. In fact, for the instances of the pr oposed cryptosystem, we will focus
on two distin ct cases, both with w = 2: i) a
1
= a, a
2
= 0 and ii) b
2
= 1 + b
1
,
where 0 and 1 represent, respectively, the all-zero and the all-one z ×n matrices.
In both these cases, the matrix R has rank z and there is no need to store nor
choose the matrix b
2
. For this reason, in order to simplify the notation, we
will replace b
1
with b in the following. This obviously does not prevent th e
applicability of the general form (2) of the matrix R.
Concerning the matrix T, it is obtained in the form of an n × n n on-s in gul ar
sparse matrix having elements in F
q
and average row and column weight equal
to m ≪ n, where m is not necessarily an integer value. We provide more details
on its design in Section 2.4.
4