Attacking and Defending the McEliece Cryptosystem

Authors:
Daniel J. Bernstein;Tanja Lange;Christiane Peters
Affiliations:
Department of Mathematics, Statistics, and Computer Science (M/C 249), University of Illinois at Chicago, Chicago, USA IL 60607---7045;Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands 5600 MB;Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, Netherlands 5600 MB
Venue:
PQCrypto '08 Proceedings of the 2nd International Workshop on Post-Quantum Cryptography
Year:
2008

Citing 5
Cited 32

An observation on the security of McEliece's public-key cryptosystem

Lecture Notes in Computer Science on Advances in Cryptology-EUROCRYPT'88
A method for finding codewords of small weight

Proceedings of the 3rd International Colloquium on Coding Theory and Applications
On the McEliece Public-Key Cryptosystem

CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
Cryptoanalysis of the Original McEliece Cryptosystem

ASIACRYPT '98 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
A new algorithm for finding minimum-weight words in a linear code: application to McEliece's cryptosystem and to narrow-sense BCH codes of length 511

IEEE Transactions on Information Theory

Reducing Key Length of the McEliece Cryptosystem

AFRICACRYPT '09 Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology
MicroEliece: McEliece for Embedded Devices

CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Security Bounds for the Design of Code-Based Cryptosystems

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Provably Secure Code-Based Threshold Ring Signatures

Cryptography and Coding '09 Proceedings of the 12th IMA International Conference on Cryptography and Coding
A lattice-based threshold ring signature scheme

LATINCRYPT'10 Proceedings of the First international conference on Progress in cryptology: cryptology and information security in Latin America
Wild McEliece

SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
List decoding for binary Goppa codes

IWCC'11 Proceedings of the Third international conference on Coding and cryptology
Faster 2-regular information-set decoding

IWCC'11 Proceedings of the Third international conference on Coding and cryptology
Smaller decoding exponents: ball-collision decoding

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
McEliece and niederreiter cryptosystems that resist quantum fourier sampling attacks

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Algebraic cryptanalysis of mceliece variants with compact keys

EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Grover vs. mceliece

PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
Information-set decoding for linear codes over Fq

PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
A timing attack against the secret permutation in the mceliece PKC

PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
Practical power analysis attacks on software implementations of mceliece

PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
Low-reiter: niederreiter encryption scheme for embedded microcontrollers

PQCrypto'10 Proceedings of the Third international conference on Post-Quantum Cryptography
A smart card implementation of the mceliece PKC

WISTP'10 Proceedings of the 4th IFIP WG 11.2 international conference on Information Security Theory and Practices: security and Privacy of Pervasive Systems and Smart Devices
Decoding one out of many

PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography
Implementation of mceliece based on quasi-dyadic goppa codes for embedded devices

PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography
Simplified high-speed high-distance list decoding for alternant codes

PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography
Decoding random linear codes in Õ(20.054n)

ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Private identification of RFID tags

FPS'11 Proceedings of the 4th Canada-France MITACS conference on Foundations and Practice of Security
Quantum McEliece public-key cryptosystem

Quantum Information & Computation
Decoding random binary linear codes in 2n/20: how 1 + 1 = 0 improves information set decoding

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
Efficient implementation of a CCA2-Secure variant of mceliece using generalized srivastava codes

PKC'12 Proceedings of the 15th international conference on Practice and Theory in Public Key Cryptography
Broadcast attacks against code-based schemes

WEWoRC'11 Proceedings of the 4th Western European conference on Research in Cryptology
Solutions for the storage problem of mceliece public and private keys on memory-constrained platforms

ISC'12 Proceedings of the 15th international conference on Information Security
Towards one cycle per bit asymmetric encryption: code-based cryptography on reconfigurable hardware

CHES'12 Proceedings of the 14th international conference on Cryptographic Hardware and Embedded Systems
A new version of mceliece PKC based on convolutional codes

ICICS'12 Proceedings of the 14th international conference on Information and Communications Security
McBits: fast constant-time code-based cryptography

CHES'13 Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems
Smaller keys for code-based cryptography: QC-MDPC mceliece implementations on embedded devices

CHES'13 Proceedings of the 15th international conference on Cryptographic Hardware and Embedded Systems
Computational aspects of retrieving a representation of an algebraic geometry code

Journal of Symbolic Computation

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents several improvements to Stern's attack on the McEliece cryptosystem and achieves results considerably better than Canteaut et al. This paper shows that the system with the originally proposed parameters can be broken in just 1400 days by a single 2.4GHz Core 2 Quad CPU, or 7 days by a cluster of 200 CPUs. This attack has been implemented and is now in progress.This paper proposes new parameters for the McEliece and Niederreiter cryptosystems achieving standard levels of security against all known attacks. The new parameters take account of the improved attack; the recent introduction of list decoding for binary Goppa codes; and the possibility of choosing code lengths that are not a power of 2. The resulting public-key sizes are considerably smaller than previous parameter choices for the same level of security.