Questions tagged [mceliece]

The McEliece cryptosystem is an asymmetric encryption algorithm and a candidate for "post-quantum cryptography", as it is immune to attacks using Shor's algorithm and — more generally — measuring coset states using Fourier sampling.

McEliece consists of three algorithms:

  1. a probabilistic key generation algorithm which produces a public and a private key,
  2. a probabilistic encryption algorithm, and
  3. a deterministic decryption algorithm.
51 questions
12
votes
1 answer

Number of bit-operations required for information set decoding attacks on code-based cryptosystems?

This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC. This paper estimates the concrete number of bit operations required to perform the…
12
votes
0 answers

Requirements for security against multi-target attacks, for McEliece and other code-based cryptosystems?

This question is potentially relevant to NIST post-quantum cryptography standards, involving code-based cryptosystems such as McEliece, BIKE and HQC. For these cryptosystems, it seems that an attacker can use a "decoding one out of many" strategy as…
12
votes
1 answer

Efficient decoding of irreducible binary Goppa codes and the role of matrix P in McEliece cryptosystem

If we assume that the support for an irreducible binary Goppa code $\gamma_1, ..., \gamma_n$ is publicly known, when is it possible to efficiently decode the code? I know it's possible if one knows the generator polynomial $g(x)$, and also, if one…
Zuzana
12
votes
4 answers

Is key size the only barrier to the adoption of the McEliece cryptosystem, or is it considered broken/potentially vulnerable?

A recent paper showed that the McEliece cryptosystem is not, unlike RSA and other cryptosystems, weakened as drastically by quantum computing because strong Fourier sampling cannot solve the hidden subgroup problem. However, in 2008, new parameters…
user46
11
votes
1 answer

Is the Couvreur et al. polynomial time attack on McEliece practical?

There's a new e-print out on arXiv titled "A Polynomial Time Attack against Algebraic Geometry Code Based Public Key Cryptosystems" by Alain Couvreur, Irene Márquez-Corbella and Ruud Pellikaan: "We give a polynomial time attack on the McEliece…
7
votes
1 answer

Why doesn't “Classic McEliece” need scrambling?

The original McEliece scheme uses two random matrices S and P to scramble the generator matrix and uses $\mathsf S·\mathsf G·\mathsf P$ as the public key. The Niederreiter variant also does about the same thing. However, in the Classic McEliece…
7
votes
1 answer

McEliece information set decoding attack vulnerability

Wikipedia states that McEliece is open to "information set decoding attack". What is an "information set decoding attack" and how serious is the vulnerability? (is it just a matter of choosing proper padding/parameters or is the issue…
bbozo
6
votes
1 answer

How is McEliece chosen plaintext secure?

Suppose a challenger creates a McEliece encryption system where there is a public key consisting of a matrix $G$ representing some linear code, and a number $t$ for the number of errors. Then the adversary takes two messages $m_0$ and $m_1$ and uses…
5
votes
1 answer

McEliece and cryptanalysis

What is the computational time to break McEliece on a quantum computer? I've seen that polynomial time algorithms exist, but for special conditions. What about the general case?
Dingo13
4
votes
1 answer

Is McEliece secure with non-binary Goppa codes?

A binary Goppa code with codewords of length $n$ bits that can fix $t$ errors with a polynomial over $GF(2^m)$ can encode $k = n - mt$ bits long data. That is one needs to add $mt$ check bits to fix $t$ bits. This means at most 1/m-th of the…
Calmarius
4
votes
1 answer

Implementing the McEliece Encryption - making the Generator Matrix

I am working on an implementation of the McEliece Encryption system (MCE) and the Niederreiter encryption system. I have been through the basics of finite fields, polynomial arithmetic and some coding theory to understand it. In brief given MCE…
gautam
4
votes
2 answers

Basic attacks on McEliece; finding S and P

Take a McEliece cryptosystem with public generator matrix $G' = S G P$ where $G$ is a generator of a secret code with known fast decoding (not necessarily a Goppa code over $\mathbb{F}_2$), $S$ is random & non-singular and $P$ is a…
4
votes
1 answer

What is the impact of the Goppa code distinguisher on the CFS and McEliece?

What is the impact of the distinguisher for the high-rate Goppa codes (as published in "A Distinguisher for High Rate McEliece Cryptosystems") on the CFS signature scheme and the McEliece/Niederreiter cryptosystems? It seems that the distinguisher…
lumun
4
votes
1 answer

"pc" variant of McEliece—what is it?

It looks like the IETF draft specification of Classic McEliece has penciled in separate variants of the algorithm for so-called "pc" and "non-pc" variants (as well as the familiar "f" and non-"f" variants); presumably they're going to be assigned…
3
votes
2 answers

How is QKD (Quantum Key Distribution) advantageous over McEliece/AES?

I don't understand the popularity of the idea of QKD (often coupled with OTP). From what I can tell, a quantum-safe key exchange algorithm like McEliece has just as much security while operating over current networks, through repeaters, and not…