2

I can't understand how the Niederreiter cryptosystem works. If $c=mH^{'T}$, then why can't we compute $m$ directly by multiplying $c$ by $(H^{'T})^{-1}$? Can you give me an example of a "fast decoding algorithm"?

Thank you!

mip

2 Answers

1

In the Niederreiter system, the plaintext is mapped to some error vector of weight $t$, where the code correction capability is $d=2t+1$.

With the trapdoor information (permutation) this can be decoded by the legitimate receiver by syndrome decoding.

Without the trapdoor information, this is equivalent to decoding a random vector, which is hard, as in the McEliece cryptosystem.

kodlu

0

Since the parity check matrix $H'$ is not square (it has dimensions $(n-k) \times n$), one cannot output the message $m$ from the ciphertext $c$.

Nevertheless, there is an attack named Lee-Brickell, which defines the security of McEliece, but it was later found that it can also be adapted to Niederreiter, showcasing the equivalence in security of both cryptosystems. The Lee-Brickell attack is based on extracting a full rank submatrix $H_{n-k} \in \mathbb{F}_2^{(n-k) \times (n-k)}$ which can be inverted so that the message is found randomly in a much smaller configuration space in $\mathbb{F}_2^{k}$.
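A toy run of the scheme both answers describe, added here as an illustration and not taken from either answer: it builds $H' = SHP$ from the [7,4] Hamming code ($t=1$), decrypts by syndrome decoding with the trapdoor, and counts how many vectors satisfy $xH'^T=c$ because the non-square $H'$ has no inverse. The matrices `S`, `PERM` and all function names are constructed for this example, and the parameters are far too small to be secure.

```python
# Toy Niederreiter over GF(2) with the [7,4] Hamming code (t = 1).
# Every matrix here is a constructed sample value, far too small to be secure.
from itertools import product

def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a & b for a, b in zip(row, col)) % 2 for col in zip(*B)]
            for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

N, T = 7, 1
# Secret parity-check matrix H (3 x 7): column j is the binary expansion of j + 1.
H = [[(j >> i) & 1 for j in range(1, N + 1)] for i in range(3)]
# Secret invertible scrambler S and its inverse over GF(2).
S = [[1, 1, 0], [0, 1, 1], [0, 0, 1]]
S_INV = [[1, 1, 1], [0, 1, 1], [0, 0, 1]]
# Secret permutation matrix P; its inverse is its transpose.
PERM = [3, 0, 6, 1, 5, 2, 4]
P = [[int(col == PERM[row]) for col in range(N)] for row in range(N)]
# Public key H' = S H P, a 3 x 7 matrix with no inverse.
H_PUB = matmul(matmul(S, H), P)

def encrypt(m):
    """c = m H'^T, where m is a length-7 vector of weight t = 1."""
    assert len(m) == N and sum(m) == T
    return matmul([m], transpose(H_PUB))[0]

def decrypt(c):
    """Undo S, syndrome-decode with the secret H, then undo P."""
    s = [row[0] for row in matmul(S_INV, transpose([c]))]  # s = H (P m^T)
    j = transpose(H).index(s)      # weight-1 error: syndrome equals column j of H
    e = [int(i == j) for i in range(N)]                    # e^T = P m^T
    return matmul([e], P)[0]                               # m = e P

def preimages(c):
    """Every x in F_2^7 with x H'^T = c, found by exhaustive search."""
    Ht = transpose(H_PUB)
    return [list(x) for x in product([0, 1], repeat=N)
            if matmul([list(x)], Ht)[0] == c]

if __name__ == "__main__":
    m = [0, 0, 0, 0, 1, 0, 0]
    c = encrypt(m)
    print("ciphertext:", c, "decrypted:", decrypt(c))
    print("solutions of x H'^T = c:", len(preimages(c)))
```

Each ciphertext has 16 solutions $x$, but only one of weight $t$; the column lookup in `decrypt` is the fast decoder for this particular code, and it only works on the secret $H$, not on the scrambled $H'$.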