
Conference paper in Lecture Notes in Computer Science, October 1998. DOI: 10.1007/3-540-49649-1_16


Cryptanalysis of the Original McEliece Cryptosystem

Anne Canteaut and Nicolas Sendrier
INRIA - projet CODES
BP 105
78153 Le Chesnay, France

Abstract. The class of public-key cryptosystems based on error-correcting codes is one of the few alternatives to the common algorithms based on number theory. We here present an attack against these systems which actually consists of a new probabilistic algorithm for finding minimum-weight words in any large linear code. This new attack notably points out that McEliece cipher with its original parameters does not provide a sufficient security level.

1 Introduction

Since the concept of public-key cryptography appeared in 1977, searching for secure public-key cryptosystems and identification schemes has been one of the most active areas in the field of cryptology. Many public-key ciphers emerged just after the invention of RSA and their underlying problems were as varied as computing a discrete logarithm, solving a knapsack problem, inverting some polynomial equations over a finite field... But the development of some cryptanalysis methods has finally made most of them insecure. Twenty years after the fundamental paper of Diffie and Hellman, public-key cryptography has therefore become dangerously dependent on only two problems: integer factoring and discrete logarithm. However the class of public-key ciphers and identification schemes based on error-correcting codes still resists cryptanalysis. It relies on the hardness of decoding or equivalently of finding a minimum-weight codeword in a large linear code with no visible structure. The most famous of these systems are McEliece and Niederreiter ciphers [McE78,Nie86], which are equivalent from the security point of view, and the identification schemes proposed by Stern [Ste89] and Véron [Vér95]. They are at the moment one of the few alternatives to the common public-key algorithms based on number theory. Studying their security seems therefore essential in order to anticipate a possible important progress in factoring methods for example. Moreover these public-key ciphers are particularly interesting since they run much faster than any algorithm relying on number theory.
In this paper we present an attack on these cryptosystems which consists of a new probabilistic algorithm for finding minimum-weight codewords in any linear code. We first briefly present in Section 2 some public-key cryptosystems based on error-correcting codes. Section 3 then describes a new algorithm for finding minimum-weight words in any linear code. Using Markov chain theory we show in Section 4 how to compute the number of elementary operations it requires. In Section 5 we finally use these results to evaluate the security of these public-key cryptosystems. We notably prove that the parameters which were originally proposed by McEliece for his cryptosystem make it insecure.

K. Ohta and D. Pei (Eds.): ASIACRYPT'98, LNCS 1514, pp. 187–199, 2000. © Springer-Verlag Berlin Heidelberg 2000

2 Some Cryptosystems Based on Error-Correcting Codes

The class of public-key cryptosystems based on the hardness of decoding or of finding a minimum-weight word in a large code contains both McEliece and Niederreiter ciphers and some zero-knowledge identification schemes like the one proposed by Stern.

2.1 McEliece and Niederreiter Public-Key Ciphers

McEliece cryptosystem uses as a secret key a linear binary code chosen in a family Γ of [n, k]-linear codes with error-correcting capability t for which an efficient decoding algorithm is known. In his original paper [McE78], McEliece proposed to choose this secret code amongst the irreducible binary Goppa codes of length 1024, dimension 524 and minimum distance 101.

– private key: it is composed of an [n, k]-linear binary code C chosen in the family Γ, a random k × k binary invertible matrix S and a random n × n permutation matrix P.
– public key: it consists of the k × n matrix G′ defined by G′ = SGP where G is a generator matrix of the secret code C.
– encryption: the ciphertext corresponding to the k-bit message m is x = mG′ + e, where e is a random n-bit error-vector of weight t.
– decryption: the decryption procedure consists in computing xP⁻¹ = mSG + eP⁻¹ and using a fast decoding algorithm for C to recover mS. The message is then given by m = (mS)S⁻¹.

By definition the public key is therefore a generator matrix for another linear code C′ which is equivalent to C. A ciphertext in McEliece cryptosystem then corresponds to a word of the public code C′ with t corrupted positions. Niederreiter proposed a dual version of this system [Nie86] where the public key is a parity-check matrix H′ of a code C′ equivalent to the secret code. A plaintext m is here an n-bit vector of weight t and the associated ciphertext x corresponds to the syndrome of m relatively to the public code, x = mH′ᵗ.

McEliece and Niederreiter cryptosystems are actually equivalent from the security point of view when set up for corresponding choices of parameters [LDW94]. But for given parameters Niederreiter cipher presents many advantages. First of all it allows a public key in systematic form at no cost for security whereas this would reveal a part of the plaintext in McEliece system. The public key in Niederreiter system is then (n − k)/n times smaller than in McEliece version. The systematic form of the public matrix H′ and the low weight of vector m significantly reduce the computational cost involved in the encryption in Niederreiter system. For [1024,524,101]-binary codes its transmission rate, i.e. the number of information symbols divided by the number of transmitted symbols, is smaller than in McEliece system. Another disadvantage of McEliece system is that it is easy to recover the plaintext if it has been encrypted twice with the same public key. On the contrary Niederreiter cipher is deterministic since encrypting a given plaintext always leads to the same ciphertext.

Table 1 sums up the characteristics of these systems when they both use [1024,524,101]-binary codes. It then shows that it is preferable to use the version proposed by Niederreiter.

                                               McEliece           Niederreiter       RSA
                                               [1024,524,101]     [1024,524,101]     1024-bit modulus
                                               binary code        binary code        public exponent = 17
public-key size                                67,072 bytes       32,750 bytes       256 bytes
number of information bits
transmitted per encryption                     512                276                1024
transmission rate                              51.17 %            56.81 %            100 %
number of binary operations performed
by the encryption per information bit          514                50                 2,402
number of binary operations performed
by the decryption per information bit          5,140              7,863              738,112

Table 1. Performance of McEliece, Niederreiter and RSA public-key ciphers

We give for information the values corresponding to the RSA system with a 1024-bit modulus n = pq when the public exponent is 17; we here suppose that RSA encryption and decryption use Karatsuba's method for large integer multiplication. These results point out that these public-key systems run much faster than RSA (about 50 times faster for encryption and 100 times faster for decryption). Their main disadvantages are the size of the public key and the lack of a related signature scheme.
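As an added illustration of the key generation, encryption and decryption steps of Section 2.1 and of the public-key sizes in Table 1, the following Python is example code written for this edit, not code from the paper or its authors. The secret code is the [7,4,3] Hamming code (t = 1), which stands in for the [1024,524,101] Goppa code because its decoder is trivial to write; S, P, G′ = SGP, x = mG′ + e and the decryption xP⁻¹ → decode → (mS)S⁻¹ follow the paper's description. The GF(2) matrix helpers, the toy code and all function names are assumptions of the example.

```python
import random

# --- GF(2) linear algebra on lists of 0/1 ints (example helpers, not from the paper) ---

def gf2_matmul(A, B):
    """Product of two GF(2) matrices given as lists of rows."""
    cols = list(zip(*B))
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in cols] for row in A]

def gf2_inverse(M):
    """Gauss-Jordan inversion over GF(2); returns None if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [x ^ y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def transpose(M):
    return [list(col) for col in zip(*M)]

# --- the secret code: the [7,4,3] Hamming code (t = 1) stands in for a Goppa code ---
N, K, T = 7, 4, 1
_A = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = [[int(i == j) for j in range(K)] + _A[i] for i in range(K)]   # systematic (Id_k, Z)
H = [[_A[i][j] for i in range(K)] + [int(j == c) for c in range(N - K)] for j in range(N - K)]

def hamming_decode(y):
    """Correct up to T = 1 error: the syndrome equals the column of H at the error position."""
    s = gf2_matmul([y], transpose(H))[0]
    if not any(s):
        return y[:]
    pos = next(j for j in range(N) if [H[r][j] for r in range(N - K)] == s)
    return [b ^ int(j == pos) for j, b in enumerate(y)]

# --- McEliece key generation, encryption, decryption as described in Section 2.1 ---

def keygen(rng):
    """Private key (S, P); public key G' = S G P."""
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if gf2_inverse(S) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    P = [[int(j == perm[i]) for j in range(N)] for i in range(N)]
    return gf2_matmul(gf2_matmul(S, G), P), (S, P)

def encrypt(G_pub, m, rng):
    """x = m G' + e with wt(e) = T."""
    x = gf2_matmul([m], G_pub)[0]
    for pos in rng.sample(range(N), T):
        x[pos] ^= 1
    return x

def decrypt(sk, x):
    """x P^-1 = m S G + e P^-1; decode in C, read m S off the systematic part, unscramble."""
    S, P = sk
    y = gf2_matmul([x], transpose(P))[0]      # P^-1 = P^T for a permutation matrix
    mS = hamming_decode(y)[:K]
    return gf2_matmul([mS], gf2_inverse(S))[0]

def public_key_bytes(n, k):
    """Table 1 sizes: McEliece stores the full k x n matrix, Niederreiter (systematic H')
    only its k x (n - k) redundant part."""
    return n * k // 8, (n - k) * k // 8

if __name__ == "__main__":
    rng = random.Random(2024)
    pk, sk = keygen(rng)
    m = [1, 0, 1, 1]
    x = encrypt(pk, m, rng)
    print("ciphertext", x, "-> plaintext", decrypt(sk, x))
    print("public-key bytes (McEliece, Niederreiter) for [1024,524]:", public_key_bytes(1024, 524))
```

`public_key_bytes(1024, 524)` returns the 67,072 and 32,750 bytes of Table 1, i.e. k·n/8 and k·(n − k)/8; the roundtrip works for every 4-bit message and every single-bit error because the Hamming code corrects any weight-1 pattern.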

Cryptanalysis Methods There are mainly two guidelines to cryptanalyze McEliece cryptosystem:
– recover the original structure of the secret code from a generator (or parity-check) matrix of an equivalent code.
– decode the public code which has no visible structure.

The first class of attacks imposes some conditions on the family of secret codes Γ. For given length, dimension and minimal distance the family Γ must be large enough to avoid any enumeration. This aims at protecting the system from the attack which consists in enumerating all the elements of Γ until a code equivalent to the public code is found. This can be performed with an algorithm due to Sendrier [Sen96] which is able to determine from two generator matrices whether they correspond to equivalent codes and then to recover the permutation. A second condition is that a generator or parity-check matrix of a permutation equivalent code gives no information about the structure of the secret code, that means that the fast decoding algorithm requires some parameters of the secret code besides a generator matrix G′. This dismisses many families of codes like generalized Reed-Solomon codes [SS92] or concatenated codes [Sen94,Sen95].

But the family of irreducible Goppa codes is well-suited to such systems insofar as at present there exists no algorithm which is able to compute the characteristic parameters of a Goppa code from one of its permuted generator matrices. This class can even be extended to all [1024,524,101]-binary Goppa codes defined by a monic square-free polynomial of degree 50 in GF(1024)[X] which has no root in GF(1024). The cardinality of Γ is then 2^498.5. In the case where the used family of codes satisfies the above properties, the equivalent code C′ defined by the public key presents no visible structure; recovering a plaintext from the corresponding ciphertext then comes down to decoding any linear code.

2.2 Stern’s Public-Key Identification Scheme

Stern presented at Crypto'93 [Ste93] a public-key identification scheme which relies on the hardness of finding a low-weight codeword of given syndrome. This scheme uses an [n, k]-random linear code over GF(2). All users share a fixed parity-check matrix H for this code and an integer w slightly below the expected value for the minimal distance of a random linear code. Each user receives a secret key s which is an n-bit vector of weight w. His public key is then the syndrome sHᵗ. Any user can identify himself to another one by proving he knows s without revealing it thanks to an interactive zero-knowledge protocol. The minimal parameters proposed by Stern are n = 512, k = 256 and w = 56.

Véron [Vér95] also proposed a dual version of this scheme similar to McEliece's original approach: it uses a generator matrix of the code instead of a parity-check matrix. He then suggested a new choice for the parameters in order to reduce the number of transmitted bits: n = 512, k = 120 and w = 114.

3 A new Algorithm for Finding Low-weight Codewords

Let $C$ be a linear binary code of length $n$, dimension $k$ and minimum distance $d$ about which nothing is known but a generator matrix. We now develop an algorithm for finding a word of weight $w$ in $C$ where $w$ is close to $d$. This algorithm can also be used for decoding up to the correction capability $t = \lfloor (d-1)/2 \rfloor$. If a message $x$ is composed of a codeword corrupted by an error-vector $e$ of weight $w \leq t$, $e$ can be recovered with this algorithm since it is the only minimum-weight word in the linear code $C \oplus x$. Decoding an $[n, k]$-linear code then comes down to finding the minimum-weight codeword in an $[n, k+1]$-code.

Let $N = \{1, \cdots, n\}$ be the set of all coordinates. For any subset $I$ of $N$, $G = (V, W)_I$ denotes the decomposition of matrix $G$ onto $I$, that means $V = (G_i)_{i \in I}$ and $W = (G_j)_{j \in N \setminus I}$, where $G_i$ is the $i$-th column of matrix $G$. The restriction of an $n$-bit vector $x$ to the coordinate subset $I$ is denoted by $x_{|I} = (x_i)_{i \in I}$. As usual $\mathrm{wt}(x)$ is the Hamming weight of the binary word $x$.

Definition 1. Let $I$ be a $k$-element subset of $N$. $I$ is an information set for the code $C$ if and only if $G = (\mathrm{Id}_k, Z)_I$ is a systematic generator matrix for $C$.

Our algorithm uses a probabilistic heuristic proposed by Stern [Ste89] which generalizes the well-known information set decoding method. But instead of exploring a set of randomly selected systematic generator matrices by performing at each iteration a Gaussian elimination on an $(n \times k)$-matrix as most algorithms do [LB88,Leo88], we choose at each step the new information set by modifying only one element of the previous one. This procedure is similar to the one used in the simplex method and it was first introduced in [Omu72]. If $I$ is an information set and $G = (\mathrm{Id}_k, Z)_I$ the corresponding systematic generator matrix, $I' = (I \setminus \{\lambda\}) \cup \{\mu\}$ is still an information set for the code if and only if the coefficient $Z_{\lambda,\mu}$ equals 1. In this case, the systematic generator matrix associated with $I'$ is obtained from the previous one by a simple pivoting procedure which only requires $k(n-k)/2$ binary operations. Using this iterative method then leads to the following algorithm:

Initialization:
Randomly choose an information set $I$ and apply a Gaussian elimination in order to obtain a systematic generator matrix $(\mathrm{Id}_k, Z)_I$.

Until a codeword of weight $w$ is found:

1. Randomly split $I$ in two subsets $I_1$ and $I_2$ where $|I_1| = \lfloor k/2 \rfloor$ and $|I_2| = \lceil k/2 \rceil$. The rows of $Z$ are then split in two parts $Z_1$ and $Z_2$. Randomly select a $\sigma$-element subset $L$ of the redundant set $J = N \setminus I$.
2. For each linear combination $\Lambda_1$ (resp. $\Lambda_2$) of $p$ rows of matrix $Z_1$ (resp. $Z_2$), compute $\Lambda_{1|L}$ (resp. $\Lambda_{2|L}$) and store all these values in a hash table with $2^\sigma$ entries.
3. Using the hash table consider all pairs of linear combinations $(\Lambda_1, \Lambda_2)$ such that $\Lambda_{1|L} = \Lambda_{2|L}$ and check whether $\mathrm{wt}((\Lambda_1 + \Lambda_2)_{|J \setminus L}) = w - 2p$.
4. Randomly choose $\lambda \in I$ and $\mu \in J$ such that $Z_{\lambda,\mu} = 1$. Replace $I$ with $(I \setminus \{\lambda\}) \cup \{\mu\}$ by updating matrix $Z$ by a pivoting operation.

A codeword $c$ of weight $w$ is then exhibited when the selections $I$, $I_1$ and $L$ satisfy
\[
\mathrm{wt}(c_{|I_1}) = \mathrm{wt}(c_{|I_2}) = p \quad \text{and} \quad \mathrm{wt}(c_{|L}) = 0 \tag{1}
\]
Parameters $p$ and $\sigma$ have to be chosen in order to minimize the running-time of the algorithm.
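The algorithm above, as an added example in Python (written for this edit, not the authors' implementation): rows of the generator matrix are Python integers used as bit vectors, the information set $I$ is kept in systematic form, and steps 1 to 4 run as written, with the single-element pivoting of step 4 in place of a fresh Gaussian elimination at every iteration. The [64,20] test code with one planted weight-6 codeword, the parameters $p = 1$, $\sigma = 4$ and all function names are assumptions of the example; the search returns any weight-$w$ codeword it meets, which is the planted one unless the random code happens to contain another.

```python
import itertools
import random

def popcount(x):
    return bin(x).count("1")

def systematic_form(rows, n, rng):
    """Gaussian elimination along a random column order. Returns (rows, I): row i is the
    only row with a 1 in column I[i], i.e. (Id_k, Z)_I in the paper's notation."""
    rows = rows[:]
    k = len(rows)
    order = list(range(n))
    rng.shuffle(order)
    I, r = [], 0
    for col in order:
        if r == k:
            break
        piv = next((s for s in range(r, k) if rows[s] >> col & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for s in range(k):
            if s != r and rows[s] >> col & 1:
                rows[s] ^= rows[r]
        I.append(col)
        r += 1
    if r < k:
        raise ValueError("rows are linearly dependent")
    return rows, I

def pivot(rows, I, lam_row, mu):
    """Step 4: replace lambda = I[lam_row] by column mu. Requires Z_{lambda,mu} = 1, i.e. the
    row owning lambda has a 1 in column mu; one elimination pass keeps the form systematic."""
    assert rows[lam_row] >> mu & 1
    for s in range(len(rows)):
        if s != lam_row and rows[s] >> mu & 1:
            rows[s] ^= rows[lam_row]
    I[lam_row] = mu

def in_code(rows, I, v):
    """v is a codeword iff it equals the XOR of the systematic rows selected by v|_I."""
    s = 0
    for i, col in enumerate(I):
        if v >> col & 1:
            s ^= rows[i]
    return s == v

def find_low_weight(rows, n, w, p, sigma, rng, max_iter=20000):
    """Steps 1-4 of Section 3; returns (codeword, iterations) or (None, max_iter)."""
    rows, I = systematic_form(rows, n, rng)
    k = len(rows)
    for it in range(1, max_iter + 1):
        in_I = set(I)
        J = [c for c in range(n) if c not in in_I]
        # step 1: split the rows (one per element of I) in two halves, pick L inside J
        order = list(range(k))
        rng.shuffle(order)
        half1, half2 = order[: k // 2], order[k // 2:]
        L_mask = sum(1 << c for c in rng.sample(J, sigma))
        rest_mask = sum(1 << c for c in J) & ~L_mask      # the columns of J \ L
        # step 2: every p-row combination of Z1, keyed by its restriction to L
        table = {}
        for combo in itertools.combinations(half1, p):
            v = 0
            for r in combo:
                v ^= rows[r]
            table.setdefault(v & L_mask, []).append(v)
        # step 3: collisions Lambda1|L = Lambda2|L, then the weight test on J \ L
        for combo in itertools.combinations(half2, p):
            v = 0
            for r in combo:
                v ^= rows[r]
            for u in table.get(v & L_mask, ()):
                c = u ^ v                  # exactly 2p ones in I and none in L
                if popcount(c & rest_mask) == w - 2 * p:
                    return c, it
        # step 4: swap one element of I (the column owned by a random row) with mu in J
        while True:
            lam_row = rng.randrange(k)
            cands = [c for c in J if rows[lam_row] >> c & 1]
            if cands:
                break
        pivot(rows, I, lam_row, rng.choice(cands))
    return None, max_iter

def example_code(rng, n=64, k=20, w=6):
    """Constructed toy instance: a random [64,20] code with a planted weight-6 codeword."""
    planted = sum(1 << c for c in rng.sample(range(n), w))
    return [planted] + [rng.getrandbits(n) for _ in range(k - 1)], n, planted

if __name__ == "__main__":
    rows, n, planted = example_code(random.Random(7))
    c, it = find_low_weight(rows, n, w=6, p=1, sigma=4, rng=random.Random(7))
    print(f"weight-{popcount(c)} codeword {c:#x} after {it} iterations (planted {planted:#x})")
```

Hash-table keys are the integer `v & L_mask`, which is equal for two combinations exactly when their restrictions to $L$ agree; the weight test only has to look at $J \setminus L$ because the match already forces zeros on $L$ and the two disjoint row sets contribute exactly $2p$ ones on $I$.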

4 Theoretical Running-Time
We give here an explicit and computable expression for the work factor of this
algorithm, i.e. the average number of elementary operations it requires. This
analysis is essential in particular for finding the values of parameters p and σ
which minimize the running-time of the algorithm.

4.1 Modelization of the Algorithm by a Markov Chain

The average number of iterations performed by the algorithm is not the same as the one performed by the initial Stern's algorithm since the successive information sets are not independent anymore. Hence the algorithm must be modelized by a discrete-time stochastic process.

Let $c$ be the codeword of weight $w$ to recover and $\mathrm{supp}(c)$ its support. Let $I$ be the information set and $I_1$, $I_2$ and $L$ the other selections corresponding to the $i$-th iteration. The $i$-th iteration can then be represented by a random variable $X_i$ which corresponds to the number of non-zero bits of $c$ in $I$. This random variable then takes its values in the set $\{1, \ldots, w\}$. But if this number equals $2p$ we have to distinguish two cases depending on whether condition (1) is satisfied or not. The state space of the stochastic process $\{X_i\}_{i \in \mathbb{N}}$ is therefore
\[
E = \{1, \ldots, 2p-1\} \cup \{(2p)_S, (2p)_F\} \cup \{2p+1, \ldots, w\}
\]
where
\[
\begin{aligned}
X_i = u &\iff |I \cap \mathrm{supp}(c)| = u, \quad \forall u \in \{1, \ldots, 2p-1\} \cup \{2p+1, \ldots, w\} \\
X_i = (2p)_F &\iff |I \cap \mathrm{supp}(c)| = 2p \text{ and } \big(|I_1 \cap \mathrm{supp}(c)| \neq p \text{ or } |L \cap \mathrm{supp}(c)| \neq 0\big) \\
X_i = (2p)_S &\iff |I_1 \cap \mathrm{supp}(c)| = |I_2 \cap \mathrm{supp}(c)| = p \text{ and } |L \cap \mathrm{supp}(c)| = 0
\end{aligned}
\]
The success space is then $\mathcal{S} = \{(2p)_S\}$ and the failure space is $\mathcal{F} = E \setminus \{(2p)_S\}$.

Definition 2. A stochastic process $\{X_i\}_{i \in \mathbb{N}}$ is a Markov chain if the probability that it enters a certain state only depends on the last state it occupied. A Markov chain $\{X_i\}_{i \in \mathbb{N}}$ is homogeneous if for all states $u$ and $v$, the conditional probability $\Pr[X_i = v \mid X_{i-1} = u]$ does not depend on $i$.

Proposition 1. The stochastic process $\{X_i\}_{i \in \mathbb{N}}$ associated with the algorithm is a homogeneous Markov chain.

Proof. The selections $I$, $I_1$, $I_2$ and $L$ corresponding to the $i$-th iteration only depend on the previous information window since $I_1$, $I_2$ and $L$ are randomly chosen. We then have for all $i$ and for all $(u_0, u_1, \cdots, u_i) \in E^{i+1}$,
\[
\Pr[X_i = u_i \mid X_{i-1} = u_{i-1}, X_{i-2} = u_{i-2}, \cdots, X_0 = u_0] = \Pr[X_i = u_i \mid X_{i-1} = u_{i-1}]
\]
Furthermore this probability does not depend on the iteration. Hence there exists a matrix $P$ such that:
\[
\forall i \in \mathbb{N}, \ \forall (u, v) \in E^2, \quad \Pr[X_i = v \mid X_{i-1} = u] = P_{u,v}
\]
The Markov chain $\{X_i\}_{i \in \mathbb{N}}$ is therefore completely determined by its initial probability vector $\pi_0 = (\Pr[X_0 = u])_{u \in E}$ and its transition matrix $P$. Both of these quantities can be easily determined as two successive information sets differ by only one element.
Proposition 2. The transition matrix $P$ of the homogeneous Markov chain associated with the algorithm is given by:
\[
\begin{aligned}
P_{u,u} &= \frac{k-u}{k} \times \frac{n-k-(w-u)}{n-k} + \frac{u}{k} \times \frac{w-u}{n-k} && \text{for all } u \notin \{(2p)_S, (2p)_F\} \\
P_{u,u-1} &= \frac{u}{k} \times \frac{n-k-(w-u)}{n-k} && \text{for all } u \neq 2p+1 \\
P_{u,u+1} &= \frac{k-u}{k} \times \frac{w-u}{n-k} && \text{for all } u \neq 2p-1 \\
P_{u,v} &= 0 && \text{for all } v \notin \{u-1, u, u+1\} \\
P_{(2p)_F,(2p)_F} &= (1-\beta)\left[\frac{k-2p}{k} \times \frac{n-k-(w-2p)}{n-k} + \frac{2p}{k} \times \frac{w-2p}{n-k}\right] \\
P_{2p+1,(2p)_F} &= (1-\beta)\left[\frac{2p+1}{k} \times \frac{n-k-(w-(2p+1))}{n-k}\right] \\
P_{2p-1,(2p)_F} &= (1-\beta)\left[\frac{k-(2p-1)}{k} \times \frac{w-(2p-1)}{n-k}\right] \\
P_{2p+1,(2p)_S} &= \beta\left[\frac{2p+1}{k} \times \frac{n-k-(w-(2p+1))}{n-k}\right] \\
P_{2p-1,(2p)_S} &= \beta\left[\frac{k-(2p-1)}{k} \times \frac{w-(2p-1)}{n-k}\right] \\
P_{(2p)_F,(2p)_S} &= \beta\left[\frac{k-2p}{k} \times \frac{n-k-(w-2p)}{n-k} + \frac{2p}{k} \times \frac{w-2p}{n-k}\right] \\
P_{(2p)_S,(2p)_S} &= 1 \quad \text{and} \quad P_{(2p)_S,u} = 0 \ \text{ for all } u \neq (2p)_S
\end{aligned}
\]
where
\[
\beta = \Pr\big[X_i = (2p)_S \,\big|\, |I \cap \mathrm{supp}(c)| = 2p\big]
= \frac{\binom{2p}{p}\binom{k-2p}{k/2-p}\binom{n-k-w+2p}{\sigma}}{\binom{k}{k/2}\binom{n-k}{\sigma}}
\]
The initial probability vector $\pi_0$ is
\[
\pi_0(u) = \frac{\binom{w}{u}\binom{n-w}{k-u}}{\binom{n}{k}} \ \text{ if } u \notin \{(2p)_F, (2p)_S\}, \qquad
\pi_0((2p)_F) = (1-\beta)\,\frac{\binom{w}{2p}\binom{n-w}{k-2p}}{\binom{n}{k}}, \qquad
\pi_0((2p)_S) = \beta\,\frac{\binom{w}{2p}\binom{n-w}{k-2p}}{\binom{n}{k}}
\]

The only persistent space of this Markov chain, i.e. a maximal state subset
which cannot be left once it is entered, exactly corresponds to the success space
S. Since this subset contains only one state which is an absorbing state, i.e. a
state which once entered is never left, this chain is by definition an absorbing
chain. A basic property of absorbing Markov chains with a finite state space is
that, no matter where the process starts, the probability that the process is in
an absorbing state after n steps tends to 1 as n tends to infinity. We then deduce
that our algorithm converges.

Expected Number of Iterations The absorbing chain property also enables us to compute the average number of iterations performed by the algorithm.

Proposition 3. [KS60] If $\{X_i\}_{i \in \mathbb{N}}$ is a finite absorbing Markov chain with transition matrix $P$, and $Q$ is the sub-stochastic matrix corresponding to transitions among the transient states (the non-persistent states), i.e. $Q = (P_{u,v})_{u,v \in \mathcal{F}}$, then $(\mathrm{Id} - Q)$ has an inverse $R$ called the fundamental matrix of the chain and
\[
R = \sum_{m=0}^{\infty} Q^m = (\mathrm{Id} - Q)^{-1}.
\]

The average number of iterations performed by the algorithm can then be deduced from this fundamental matrix.

Theorem 1. The expectation of the number of iterations $N$ required until $\{X_i\}_{i \in \mathbb{N}}$ reaches the success state $(2p)_S$ is given by:
\[
E(N) = \sum_{u \in \mathcal{F}} \pi_0(u) \sum_{v \in \mathcal{F}} R_{u,v}
\]
where $R$ is the corresponding fundamental matrix.

Proof.
\[
\begin{aligned}
E(N) &= \sum_{n=0}^{\infty} n \Pr[X_n \in \mathcal{S} \text{ and } X_{n-1} \in \mathcal{F}] \\
&= \sum_{n=0}^{\infty} \sum_{m=0}^{n-1} \Pr[X_n \in \mathcal{S} \text{ and } X_{n-1} \in \mathcal{F}]
\end{aligned}
\]
Applying Fubini's theorem, we get
\[
\begin{aligned}
E(N) &= \sum_{m=0}^{\infty} \sum_{n=m+1}^{\infty} \Pr[X_n \in \mathcal{S} \text{ and } X_{n-1} \in \mathcal{F}] \\
&= \sum_{m=0}^{\infty} \Pr[X_m \in \mathcal{F}] \\
&= \sum_{m=0}^{\infty} \sum_{u \in \mathcal{F}} \sum_{v \in \mathcal{F}} \pi_0(u) \Pr[X_m = v \mid X_0 = u] \\
&= \sum_{u \in \mathcal{F}} \sum_{v \in \mathcal{F}} \pi_0(u) \sum_{m=0}^{\infty} (Q^m)_{u,v}
= \sum_{u \in \mathcal{F}} \sum_{v \in \mathcal{F}} \pi_0(u) R_{u,v}
\end{aligned}
\]

Variance of the Number of Iterations The fundamental matrix also gives the variance of the number of iterations, which estimates the deviation from the average work factor of the effective computational time required by the algorithm.

Theorem 2. The variance of the number of iterations $N$ required until $\{X_i\}_{i \in \mathbb{N}}$ reaches the success state is given by:
\[
V(N) = \sum_{u \in \mathcal{F}} \pi_0(u) \sum_{v \in \mathcal{F}} (2R_{u,v} - \delta_{u,v})\, E_v(N) \;-\; \left(\sum_{u \in \mathcal{F}} \pi_0(u) E_u(N)\right)^2
\]
where $\delta_{i,j}$ is the Kronecker symbol and $E_u(N)$ is the average number of iterations performed by the process when it starts in state $u$, i.e.
\[
E_u(N) = \sum_{v \in \mathcal{F}} R_{u,v}
\]

Distribution of the Number of Iterations Besides the average number of iterations we often want to estimate the probability that the algorithm will succeed after a fixed number of iterations. But the approximation given by Tchebychev's inequality is usually very rough. A much more precise evaluation is obtained by raising the transition matrix of the Markov chain to the corresponding power. We actually have:

Proposition 4. Let $P$ be the transition matrix of the Markov chain associated with the algorithm. If $P = L^{-1} \Lambda L$ where $\Lambda$ is a diagonal matrix, then the probability that the algorithm will succeed after $N$ iterations is given by
\[
\sum_{u \in E} \pi_0(u) \left(L^{-1} \Lambda^N L\right)_{u,(2p)_S}
\]

4.2 Average Number of Operations by Iteration

We now give an explicit expression of the average number of operations performed at each iteration.

1. There are exactly $\binom{k/2}{p}$ linear combinations of $p$ rows of matrix $Z_1$ (resp. $Z_2$); computing each of them on a $\sigma$-bit selection and putting it in the hash table requires $p\sigma$ binary additions.
2. The average number of pairs $(\Lambda_1, \Lambda_2)$ such that $(\Lambda_1 + \Lambda_2)_{|L} = 0$ is equal to $\binom{k/2}{p}^2 / 2^\sigma$. For each of them we perform $2p-1$ additions of $(n-k-\sigma)$-bit words for computing $(\Lambda_1 + \Lambda_2)_{|J \setminus L}$ and a weight-checking.
3. We need $K\left(p\binom{k/2}{p} + 2^\sigma\right)$ more operations to perform the dynamic memory allocation where $K$ is the size of a computer word ($K = 32$ or $64$).
4. The average work factor involved in the pivoting procedure for updating matrix $Z$ is $\frac{1}{2}k(n-k)$.

Hence the average number of elementary operations performed at each iteration is:
\[
\Omega_{p,\sigma} = 2p\sigma\binom{k/2}{p} + 2p(n-k-\sigma)\,\frac{\binom{k/2}{p}^2}{2^\sigma} + K\left(p\binom{k/2}{p} + 2^\sigma\right) + \frac{k(n-k)}{2} \tag{2}
\]

Proposition 5. Suppose that the number of codewords of weight $w$ is $A_w$. The overall work factor required by the algorithm is:
\[
W_{p,\sigma} = \frac{\Omega_{p,\sigma}\, E(N)}{A_w} \tag{3}
\]
where $E(N)$ is given by Theorem 1 and $\Omega_{p,\sigma}$ by Equation (2).

Since each term in the previous expression can be explicitly computed, we are now able to determine the parameters $p$ and $\sigma$ which minimize the work factor required by the algorithm when the size of the code and the weight $w$ of the searched codeword are given. Such a theoretical expression of the work factor is commonly used to assess the efficiency of an algorithm and to decide whether a given problem is computationally feasible. It is also applied to the automatic optimization of the parameters. But the sharpest optimization can only be performed by replacing in Equation (3) the theoretical value of $\Omega_{p,\sigma}$ by the effective average CPU time of an iteration.
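As an added worked example (written for this edit, not the authors' code), the following Python builds the chain of Proposition 2 exactly with rational arithmetic, obtains $E(N)$ and $V(N)$ of Theorems 1 and 2 by solving $(\mathrm{Id} - Q)\,t = 1$ and $(\mathrm{Id} - Q)\,s = t$ instead of inverting $\mathrm{Id} - Q$ (so $t_u = E_u(N)$ and $2s_u - t_u = \sum_v (2R_{u,v} - \delta_{u,v}) E_v(N)$), evaluates the success probability after $N$ iterations of Proposition 4 by repeated multiplication rather than diagonalisation, and computes $\Omega_{p,\sigma}$ and $W_{p,\sigma}$ of Equations (2) and (3). One deviation is an assumption of the example: the state $u = 0$ (no non-zero bit of $c$ in $I$) is included so that $\pi_0$ sums to one on small toy codes; its probability is negligible for the [1024,524] parameters. Function names and the toy parameters $(32, 16, 4, 1, 3)$ are assumptions; with $n = 1024$, $k = 524$, $w = 50$, $p = 2$, $\sigma = 18$ and $K = 32$ the printed values can be compared with the $9.85 \cdot 10^{11}$ iterations and $2^{64.2}$ operations of Table 2.

```python
from fractions import Fraction
from math import comb, log2

def transition_matrix(n, k, w, p, sigma):
    """Chain of Proposition 2 with exact Fraction entries.
    States: u = |I ∩ supp(c)| for u != 2p, plus (2p)_F and (2p)_S (absorbing success).
    Assumption of this example: u = 0 is included (the paper's state space starts at 1)."""
    r, half = n - k, k // 2
    # beta = Pr[condition (1) holds | exactly 2p non-zero positions of c lie in I]
    beta = Fraction(comb(2 * p, p) * comb(k - 2 * p, half - p) * comb(r - (w - 2 * p), sigma),
                    comb(k, half) * comb(r, sigma))
    states = list(range(2 * p)) + ["2pF", "2pS"] + list(range(2 * p + 1, w + 1))
    index = {s: i for i, s in enumerate(states)}
    P = [[Fraction(0)] * len(states) for _ in states]
    pi0 = [Fraction(0)] * len(states)

    def add(vec, v, prob):
        """Put mass 'prob' on 'v non-zero bits in I', splitting v = 2p by beta."""
        if v == 2 * p:
            vec[index["2pS"]] += beta * prob
            vec[index["2pF"]] += (1 - beta) * prob
        elif 0 <= v <= w:
            vec[index[v]] += prob

    for s in states:
        row = P[index[s]]
        if s == "2pS":
            row[index[s]] = Fraction(1)
            continue
        u = 2 * p if s == "2pF" else s
        # one coordinate lambda leaves I and one coordinate mu enters it (step 4)
        add(row, u, Fraction((k - u) * (r - (w - u)) + u * (w - u), k * r))  # u unchanged
        add(row, u - 1, Fraction(u * (r - (w - u)), k * r))                  # a 1 leaves, a 0 enters
        add(row, u + 1, Fraction((k - u) * (w - u), k * r))                  # a 0 leaves, a 1 enters
    for u in range(w + 1):                        # hypergeometric initial distribution
        add(pi0, u, Fraction(comb(w, u) * comb(n - w, k - u), comb(n, k)))
    return states, P, pi0, index

def solve(A, b):
    """Exact Gaussian elimination for a non-singular square system A x = b."""
    m = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for c in range(m):
        piv = next(i for i in range(c, m) if M[i][c] != 0)
        M[c], M[piv] = M[piv], M[c]
        for i in range(c + 1, m):
            f = M[i][c] / M[c][c]
            if f:
                M[i] = [x - f * y for x, y in zip(M[i], M[c])]
    x = [Fraction(0)] * m
    for i in range(m - 1, -1, -1):
        x[i] = (M[i][m] - sum(M[i][j] * x[j] for j in range(i + 1, m))) / M[i][i]
    return x

def expected_iterations(n, k, w, p, sigma):
    """Theorems 1 and 2: (E(N), V(N)). With R = (Id - Q)^-1, t = R·1 holds E_u(N) and
    s = R·t holds sum_v R_{u,v} E_v(N); both come from linear solves, not an inverse."""
    states, P, pi0, index = transition_matrix(n, k, w, p, sigma)
    F = [i for i, s in enumerate(states) if s != "2pS"]            # transient states
    A = [[(1 if i == j else 0) - P[i][j] for j in F] for i in F]   # Id - Q
    t = solve(A, [Fraction(1)] * len(F))
    s = solve(A, t)
    mean = sum(pi0[i] * t[a] for a, i in enumerate(F))
    second_moment = sum(pi0[i] * (2 * s[a] - t[a]) for a, i in enumerate(F))
    return mean, second_moment - mean * mean

def success_probabilities(n, k, w, p, sigma, iterations):
    """Proposition 4 without diagonalisation: Pr[success within N iterations], N = 0..iterations."""
    states, P, pi0, index = transition_matrix(n, k, w, p, sigma)
    Pf = [[float(x) for x in row] for row in P]
    dist = [float(x) for x in pi0]
    out = [dist[index["2pS"]]]
    for _ in range(iterations):
        dist = [sum(dist[i] * Pf[i][j] for i in range(len(dist))) for j in range(len(dist))]
        out.append(dist[index["2pS"]])
    return out

def omega(n, k, p, sigma, K=32):
    """Equation (2): binary operations per iteration, K = machine word size."""
    c = comb(k // 2, p)
    return (2 * p * sigma * c + 2 * p * (n - k - sigma) * c * c / 2 ** sigma
            + K * (p * c + 2 ** sigma) + k * (n - k) / 2)

def work_factor_log2(n, k, w, p, sigma, A_w=1, K=32):
    """Equation (3): log2 of W = Omega * E(N) / A_w."""
    mean, _ = expected_iterations(n, k, w, p, sigma)
    return log2(omega(n, k, p, sigma, K)) + log2(float(mean)) - log2(A_w)

if __name__ == "__main__":
    for n, k, w, p, sigma in [(32, 16, 4, 1, 3), (1024, 524, 50, 2, 18)]:
        mean, var = expected_iterations(n, k, w, p, sigma)
        print(f"[{n},{k}] w={w} p={p} sigma={sigma}: E(N)={float(mean):.3g} "
              f"sd={float(var) ** 0.5:.3g} log2(W)={work_factor_log2(n, k, w, p, sigma):.1f}")
```

Because $\mathrm{Id} - Q$ is tridiagonal when the states are ordered $0, \ldots, 2p-1, (2p)_F, 2p+1, \ldots, w$, the exact elimination stays cheap even for $w = 50$. A consistency check between Theorem 1 and Proposition 4 is that $\sum_{m \geq 0} \Pr[X_m \in \mathcal{F}]$, accumulated from `success_probabilities`, converges to `expected_iterations`; looping over $p$ and $\sigma$ with `work_factor_log2` reproduces the parameter search behind Table 2.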

5 Cryptanalysis of McEliece Cryptosystem

5.1 Work Factor Versus Probability of Success

Table 2 gives the optimal parameters and the number of binary operations involved in an attack of the previous cryptosystems.

Cryptanalyzing McEliece cipher with its original parameters then requires $2^{64.2}$ binary operations [CC98]. This new attack is certainly still infeasible but it runs 128 times faster than Lee-Brickell's attack [LB88]. As a comparison the cryptanalysis of Stern's identification scheme using van Tilburg's algorithm has an average number of iterations of $2^{57.0}$, and an estimated work factor of $2^{72.9}$ [vT94]. An obvious method for speeding up the cryptanalysis consists in distributing the algorithm: using a network of 1000 computers we only need $2^{54.2}$ operations for breaking McEliece cipher.

cryptosystem                         McEliece            Stern               Véron
code                                 [1024,524]          [512,256]           [512,120]
w                                    50                  56                  114
optimal parameters                   p = 2, σ = 18       p = 2, σ = 15       p = 2, σ = 13
average number of iterations         9.85 · 10^11        2.16 · 10^14        1.74 · 10^12
standard deviation of
the number of iterations             9.85 · 10^11        2.16 · 10^14        1.74 · 10^12
work factor                          2^64.2              2^69.9              2^61.2

Table 2. Work factor required for cryptanalyzing some public-key systems based on error-correcting codes

But the standard deviation of the number of iterations involved in cryptanalyzing all these systems roughly equals its average. This spread implies that an infeasible average work factor is not sufficient to guarantee that these cryptosystems are secure: it is necessary to estimate the probability that our algorithm will be successful after a feasible number of iterations. This can be done by raising the transition matrix of the associated Markov chain to the corresponding power as described in Proposition 4. We then obtain that the work factor required for decoding a [1024,524,101]-binary code up to its error-correcting capability with probability 0.5 only represents 69 % of the average work factor. And if the work factor is limited to $2^{51}$, i.e. to $10^8$ iterations, the probability that a message in McEliece cipher will be decrypted is $10^{-4}$. Since 1000 iterations of the optimized algorithm are performed in 10 minutes on a workstation DEC alpha at 433 MHz, decrypting one message out of 10,000 requires 2 months and 14 days with 10 such computers (see Figure 1). The relatively high proportion of decrypted messages in a reasonable time implies that McEliece system with its original parameters is not secure as long as the enemy has a few tens of fast workstations. A similar study shows that the parameters proposed in Stern's identification scheme make it much more secure. An eleven-month computation time on 10 DEC alpha enables us to recover the secret key of a user in only one case out of 100,000. This only implies that the lifetime of the keys must be less than one year. The parameters proposed by Véron significantly reduce the number of transmitted bits in each identification procedure but they impose a much shorter lifetime of the keys since 56 days on 10 of our workstations are sufficient to find the secret key of a user with a probability greater than 1/3500.

Fig. 1. Computational effort required for cryptanalyzing McEliece cryptosystem as a function of the proportion of messages successfully decrypted: the CPU time is given for 10 workstations DEC alpha at 433 MHz in parallel. [Plot not reproduced: $\log_2(W_{\mathrm{opt}})$ from 50 to 55 on the left axis, CPU time in months from 2.47 to 39.52 on the right axis, success rate in % from 0.02 to 0.12 on the horizontal axis.]

5.2 Partial Attacks on McEliece and Niederreiter Cryptosystems

McEliece and Niederreiter cryptosystems otherwise present some weaknesses since the knowledge of a small number of bits of the plaintext is sufficient to recover it in its entirety. The knowledge of some plaintext bits in McEliece cipher allows one to reduce accordingly the dimension of the code we consider in the attack. If we assume that $2^{50}$ binary operations is a feasible work factor, it is then possible to decode up to distance 50 a [1024,404]-binary code with our algorithm. This means that the knowledge of 120 plaintext bits (i.e. 23 % of the plaintext) is sufficient to recover the whole plaintext in a reasonable time.

A similar attack on Niederreiter cryptosystem consists in assuming that some error positions are known by the enemy. The problem is then to determine the distance up to which a [1024,524]-binary code can be decoded. If the work factor is limited to $2^{50}$ binary operations, we obtain that the knowledge of 15 error positions out of the 50 introduced in McEliece and Niederreiter systems enables us to recover the plaintext. This small proportion notably implies that generating the error-vector with a noisy channel is insecure if this provides some errors whose weight is too small.

6 Conclusion

We have then proved that the security of McEliece cipher is insufficient when its
original parameters are used. But this public-key system is still a valid alterna-
tive to RSA once its parameters are modified. For example if the secret key is
chosen amongst the Goppa codes of length 2048, dimension 1608 and minimum
distance 81, the average work factor of our attack is roughly 2100 . Even with
these parameters the performance of McEliece cipher remains much better than
the one of RSA: the costs of encryption and decryption per information bit with
Niederreiter’s version are respectively 45 times and 70 times lower than with
RSA-1024. But the huge size of the public-key (more than 88000 bytes in this
case) may often dissuade from using this cipher.
Cryptanalysis of the Original McEliece Cryptosystem 199

References
CC98. A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weight words in a linear code: application to McEliece's cryptosystem and to narrow-sense BCH codes of length 511. IEEE Transactions on Information Theory, IT-44(1):367–378, 1998.
KS60. J.G. Kemeny and J.L. Snell. Finite Markov chains. Springer-Verlag, 1960.
LB88. P.J. Lee and E.F. Brickell. An observation on the security of McEliece's public-key cryptosystem. In C.G. Günther, editor, Advances in Cryptology - EUROCRYPT'88, number 330 in Lecture Notes in Computer Science, pages 275–280. Springer-Verlag, 1988.
LDW94. Y.X. Li, R.H. Deng, and X.M. Wang. On the equivalence of McEliece's and Niederreiter's public-key cryptosystems. IEEE Transactions on Information Theory, IT-40(1):271–273, 1994.
Leo88. J.S. Leon. A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory, 34(5):1354–1359, 1988.
McE78. R.J. McEliece. A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report, pages 114–116, 1978.
Nie86. H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.
Omu72. J.K. Omura. Iterative decoding of linear codes by a modulo-2 linear program. Discrete Math, (3):193–208, 1972.
Sen94. N. Sendrier. On the structure of a randomly permuted concatenated code. In P. Charpin, editor, EUROCODE 94 - Livre des résumés, pages 169–173. INRIA, 1994.
Sen95. N. Sendrier. On the structure of a randomly permuted concatenated code. Technical Report RR-2460, INRIA, January 1995.
Sen96. N. Sendrier. An algorithm for finding the permutation between two equivalent binary codes. Technical Report RR-2853, INRIA, April 1996.
SS92. V.M. Sidelnikov and S.O. Shestakov. On cryptosystems based on generalized Reed-Solomon codes. Diskretnaya Math, 4:57–63, 1992.
Ste89. J. Stern. A method for finding codewords of small weight. In G. Cohen and J. Wolfmann, editors, Coding Theory and Applications, number 388 in Lecture Notes in Computer Science, pages 106–113. Springer-Verlag, 1989.
Ste93. J. Stern. A new identification scheme based on syndrome decoding. In D.R. Stinson, editor, Advances in Cryptology - CRYPTO'93, number 773 in Lecture Notes in Computer Science, pages 13–21. Springer-Verlag, 1993.
Vér95. P. Véron. Problème SD, Opérateur Trace, schémas d'identification et codes de Goppa. PhD thesis, Université de Toulon et du Var, 1995.
vT94. J. van Tilburg. Security-analysis of a class of cryptosystems based on linear error-correcting codes. PhD thesis, Technische Universiteit Eindhoven, 1994.
