
1 Introduction

Code-based cryptography appeared for the first time in 1978, when McEliece proposed the first public key encryption scheme not based on number-theoretic primitives [McE78]. Instead he built a scheme whose security rests on two problems, namely the hardness of the Syndrome Decoding Problem [BMvT78] and the difficulty of distinguishing a binary Goppa code from a random linear code [CFS01, FGO+13]. The scheme has several advantages:

  • the complexity of the encryption and decryption algorithms is comparable to that of symmetric schemes, so they are very efficient compared to other public key schemes;

  • the best attacks for solving the Syndrome Decoding Problem are exponential in the code length, which gives code-based schemes high potential for post-quantum cryptography.

However, code-based cryptography came with a big disadvantage: the public keys were about five hundred thousand bits long, which was unacceptable at that time. Nevertheless the scientific community made huge progress in reducing the key size of the McEliece PKC by proposing different structures such as quasi-cyclic or quasi-dyadic codes. Nowadays the key size is no longer an issue, and several practical implementations of the McEliece scheme demonstrate its efficiency and potential [BS08, Str10b, CHP12, BCS13, HvMG13, MOG15].

Ever since Peter Shor introduced a polynomial time quantum algorithm for factoring integers over \(\mathbb {Z}\) and for computing logarithms in the multiplicative group of \(\mathbb {F}_p\) [Sho94], code-based cryptography has been a serious candidate for public-key cryptography. The interest of the scientific community in this field is nowadays further motivated by the latest announcement of the National Institute of Standards and Technology (NIST): it initiated the Post-Quantum Crypto Project, which aims to define new standards for quantum-resistant cryptography, and fixed the deadline for public key cryptographic algorithm submissions to November 2017 (NIST PQcrypto Project, http://csrc.nist.gov/groups/ST/post-quantum-crypto/index.html). The purpose of this article is to give a complete evolution of code-based encryption schemes and rank-based encryption schemes. Proposing a global state of the art that includes both the Rank distance and the Hamming distance is natural, since several facts relate these two topics:

  • both Hamming distance based schemes and Rank distance based schemes base their security on the same problem, namely the Syndrome/Rank Syndrome Decoding Problem;

  • the similarities do not end there: the properties of the code families used are quite analogous, for example LRPC codes (in the Rank metric) and LDPC codes (in the Hamming metric), or Gabidulin codes (in the Rank metric) and GRS codes (in the Hamming metric);

  • the construction techniques are also rather similar, for example QC-LRPC codes (in the Rank metric) and QC-MDPC codes (in the Hamming metric).

The article also provides a full section dedicated to security arguments, analyzing the main types of attacks, and is organized as follows. We begin with a preliminary section on coding theory (Sect. 2). Then we give the necessary details on the McEliece scheme and the current security arguments for it (Sect. 3). In Sect. 4 we trace the evolution of the McEliece variants, starting with binary Goppa codes and ending with the most recent proposals. The same analysis is done in Sect. 5 for rank-based encryption schemes. We conclude with some perspectives in this area.

2 Coding Theory

2.1 Preliminaries

Throughout this paper, we adopt the following notations: \(\mathbb {F}_q\) denotes the finite field with q elements, and \({ \textsf {GL}}_k(\mathbb {F})\) denotes the set of \(k\times k\) invertible matrices over a field \(\mathbb {F}\). An \([n,k]\) linear code \(\mathscr {C}\) over \(\mathbb {F}_{q^m}\) is a linear subspace of dimension k of the vector space \(\mathbb {F}_{q^m}^n\). Any element of \(\mathscr {C}\) is called a codeword. A generator matrix of an \([n,k]\) linear code is a \(k\times n\) matrix (often denoted by \(\varvec{G}\)) whose rows form a basis of the code. The dual of \(\mathscr {C}\), denoted by \(\mathscr {C}^{\bot }\), is the linear code consisting of all vectors \(\varvec{y}\in \mathbb {F}_{q^m}^n\) such that \(\forall \; \varvec{c}\in \mathscr {C}\quad \varvec{y}\cdot \varvec{c}^T=0\). A parity-check matrix of \(\mathscr {C}\) is a generator matrix of its dual. Equivalently, it is an \( (n-k) \times n\) matrix \(\varvec{H}\) of full rank that satisfies \(\varvec{H}\varvec{c}^T = \varvec{0}\) for all \(\varvec{c}\in \mathscr {C}\).

Minimum distance of a code. Several metrics over the vector space \(\mathbb {F}_{q^m}^n\) are known in the literature, such as the Lee distance, the Hamming distance and the Rank distance. In code-based cryptography only two of them became prominent: the Hamming distance \(\mathsf {d_{H}}\), which counts the coordinates on which two vectors differ, and the Rank distance \(\mathsf {d_{R}}\), defined as follows.

Definition 1

(Rank distance). The rank weight of a vector \(\varvec{x}= \left( x_{1},x_{2},...,x_{n}\right) \) in \(\mathbb {F}_{q^m}^n\) denoted by \(\left| {\varvec{x}} \right| _{q}\) is the dimension of the \(\mathbb {F}_{q}\)-vector space generated by \(\{x_1,\dots {},x_n\}\)

$$\begin{aligned} \left| {\varvec{x}} \right| _{q} = \dim \sum _{i=1}^n \mathbb {F}_{q}x_i. \end{aligned}$$

The rank distance \(\mathsf {d_{R}}(\varvec{x}, \varvec{y})\) is then given by:

$$\begin{aligned} \mathsf {d_{R}}(\varvec{x}, \varvec{y}) = \left| {\varvec{x}- \varvec{y}} \right| _{q} \end{aligned}$$

In the sequel, for a given vector \(\varvec{x}\in \mathbb {F}_{q^m}^n\), \(\left| {\varvec{x}} \right| \) will denote the Hamming weight of \(\varvec{x}\).

Definition 2

(Minimum distance). The minimum distance of a linear code is:

$$\begin{aligned} \mathsf {d_{\min }}\left( \mathscr {C}\right) = \min \limits _{\begin{array}{c} (\varvec{c},\varvec{c}^*)\in \mathscr {C}\times \mathscr {C}\\ \varvec{c}\ne \varvec{c}^* \end{array}} \mathsf {d}(\varvec{c},\varvec{c}^*) \end{aligned}$$

where \(\mathsf {d}\) is any of the aforementioned distances.

2.2 The General Decoding Problem

The initial purpose of a linear code is to provide an efficient tool for a reliable communication process, as introduced by Claude Shannon [Sha48]. We explain here a simple case, namely binary linear codes over the Binary Symmetric Channel. Let \(\mathscr {C}\) be an \([n,k,d]\) binary linear code with generator matrix \(\varvec{G}\) and parity-check matrix \(\varvec{H}\), where d is the minimum distance of the code. Encoding a message \(\varvec{m}\) into a codeword \(\varvec{c}\) amounts to computing \(\varvec{c}=\varvec{m}\varvec{G}\). The codeword \(\varvec{c}\) is then sent over a BSC(p), where p is the probability of flipping a bit. In other words the receiver obtains \(\varvec{z}= \varvec{c}\oplus \varvec{e}\in \mathbb {F}_2^n\), where \(\varvec{e}\) is the error vector. The problem the receiver has to solve is to recover \(\varvec{c}\) from \(\varvec{z}\); this is called the general decoding problem.

Since for any codeword \(\varvec{c}\) of \(\mathscr {C}\) we have \(\varvec{H}\varvec{c}^T= \varvec{0}_{n-k}\), we deduce that \(\varvec{H}\varvec{z}^T= \varvec{H}\varvec{e}^T\). Therefore the dual version of the latter problem can be stated in general as follows:

Definition 3

(Syndrome Decoding Problem).

[Figure a in the original: the formal statement of the problem is given as an image and is not reproduced in the text.]

In the case of the Hamming distance we call it the Syndrome Decoding Problem, and in the case of the Rank distance the Rank Syndrome Decoding Problem. These problems are NP-complete [BMvT78, GZ16].

There are code families for which the latter problem is no longer difficult and for which efficient decoding algorithms are known. In the next part we recall some of the linear codes that are used for cryptographic purposes.

2.3 Some Code Families

Reed-Muller codes. The Reed-Muller codes were introduced by David Muller [Mul54] and rediscovered shortly after, together with an efficient decoding algorithm, by Irving Reed [Ree54]. The scientific community was highly interested in this family of codes and discovered many structural properties of Reed-Muller codes. Recently Kudekar et al. proved that Reed-Muller codes achieve the capacity of the erasure channel [KKM+17].

Definition 4

(Reed-Muller codes). Let m and r be two integers such that \(1\le r\le m\) and let \(n{\mathop {=}\limits ^{\text {def}}}2^m\). Then the \(r^{th}\) order Reed-Muller code \(\mathscr {R}(r,m)\) is the binary linear code defined as the set of all vectors \(\left( g(v_1,\dots ,v_m)\right) _{(v_1,\dots ,v_m)\in \mathbb {F}_2^m}\in \mathbb {F}_2^n\), where g ranges over the set of polynomials over \(\mathbb {F}_2\) in m variables with degree at most r.

$$\begin{aligned} \mathscr {R}(r,m) {\mathop {=}\limits ^{\text {def}}}\big \{\left( g(v_1,\dots ,v_m)\right) _{ (v_1,\dots ,v_m)\in \mathbb {F}_2^m}~|~g\in \mathbb {F}_2[x_1,\dots ,x_m] \;\deg g \le r \big \}. \end{aligned}$$

Generalized Reed-Solomon and Goppa codes. Generalized Reed-Solomon codes, or GRS codes for short, were introduced by Reed and Solomon in [ISR60] and represent a powerful family of codes with many applications. Ten years later, a new class of codes, binary Goppa codes, was introduced by Valery Goppa [Gop70]. The reason we detail Goppa codes in the same paragraph as GRS codes is that Goppa codes can be defined as subfield subcodes of GRS codes.

Definition 5

(Generalized Reed-Solomon codes). Let k and n be two integers such that \(1\le k <n \le q\) where \(q=p^m\) is a power of a prime number p. Let \((\varvec{x},\varvec{y})\in \mathbb {F}_q^n\times \mathbb {F}_q^n\) be a pair such that \(\varvec{x}\) is an n-tuple of distinct elements of \(\mathbb {F}_q\) and the elements \(y_i\) are nonzero elements in \(\mathbb {F}_q\). Then the Generalized Reed-Solomon code \(\mathbf {GRS}_{k}(\varvec{x},\varvec{y})\) is given by:

$$\begin{aligned} \mathbf {GRS}_{k}(\varvec{x},\varvec{y}){\mathop {=}\limits ^{\text {def}}}\left\{ (y_1f(x_1),\dots ,y_n f(x_n))\;|\; f\in \mathbb {F}_q[x], \;\deg (f)<k\right\} . \end{aligned}$$

The vector \(\varvec{x}\) is called the support of the code and \(\varvec{y}\) the multiplier vector. One can easily deduce that a generator matrix of \(\mathbf {GRS}_{k}(\varvec{x},\varvec{y})\) is given by

$$\begin{aligned} \varvec{G}= \begin{pmatrix} 1 & 1 & \dots & 1 \\ x_1 & x_2 & \dots & x_n\\ \vdots & \vdots & & \vdots \\ x_1^{k-1} & x_2^{k-1} & \dots & x_n^{k-1} \end{pmatrix} \begin{pmatrix} y_1 & & & \\ & y_2 & & \\ & & \ddots & \\ & & & y_n \end{pmatrix}. \end{aligned}$$

Proposition 1

([MS86], Theorem 4, Chap. 10). The dual of a GRS code is also a GRS code and we have

$$\begin{aligned} \mathbf {GRS}_{k}(\varvec{x},\varvec{y})^{\bot }=\mathbf {GRS}_{n-k}(\varvec{x},\varvec{z}), \end{aligned}$$

where \(\varvec{z}\) is a non-zero codeword of the [n, 1, n] GRS code \(\mathbf {GRS}_{n-1}(\varvec{x},\varvec{y})^ \bot \).

We note that a vector \(\varvec{z}\) with \(z_i\ne 0\) for all \(1\le i\le n\) exists, since any non-zero codeword of an [n, 1, n] GRS code has Hamming weight exactly n.
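As an added worked example (not code from the paper), the following Python builds the generator matrix of Definition 5 over a small prime field and checks Proposition 1 numerically, including the remark that every \(z_i\) is non-zero. The field \(\mathbb {F}_{13}\), the support and the multipliers are constructed values; the closed form used for \(\varvec{z}\), namely \(z_i=(y_i\prod_{j\ne i}(x_i-x_j))^{-1}\), is the classical one from [MS86] and is an assumption of this example rather than something stated above.

```python
# GRS codes over a prime field F_p: generator matrix and the dual of Proposition 1.
P = 13  # constructed: q = 13, so the support may hold up to 13 distinct elements


def inv(a, p=P):
    """Multiplicative inverse in F_p (Fermat); a must be non-zero mod p."""
    return pow(a % p, p - 2, p)


def grs_generator(x, y, k, p=P):
    """Generator matrix of GRS_k(x, y): row i is (y_1 x_1^i, ..., y_n x_n^i), i < k."""
    assert len(set(x)) == len(x), "support must consist of distinct elements"
    assert all(yi % p for yi in y), "multipliers must be non-zero"
    return [[(yj * pow(xj, i, p)) % p for xj, yj in zip(x, y)] for i in range(k)]


def grs_evaluate(f, x, y, p=P):
    """Codeword (y_1 f(x_1), ..., y_n f(x_n)); f is a list of coefficients, low degree first."""
    def ev(a):
        return sum(c * pow(a, i, p) for i, c in enumerate(f)) % p
    return [(yj * ev(xj)) % p for xj, yj in zip(x, y)]


def dual_multiplier(x, y, p=P):
    """z with GRS_k(x, y)^perp = GRS_{n-k}(x, z): z_i = (y_i * prod_{j != i} (x_i - x_j))^{-1}.
    Assumed closed form (classical, [MS86]); each factor is non-zero, so every z_i is non-zero."""
    z = []
    for i, xi in enumerate(x):
        prod = y[i] % p
        for j, xj in enumerate(x):
            if j != i:
                prod = prod * (xi - xj) % p
        z.append(inv(prod, p))
    return z


def matmul_t(a, b, p=P):
    """a * b^T mod p, used to test orthogonality of two generator matrices."""
    return [[sum(u * v for u, v in zip(row, col)) % p for col in b] for row in a]


def is_zero(mat):
    return all(v == 0 for row in mat for v in row)


def check_duality(x, y, k, p=P):
    """True iff GRS_k(x,y) and GRS_{n-k}(x,z) are orthogonal and z lies in GRS_{n-1}(x,y)^perp."""
    n = len(x)
    z = dual_multiplier(x, y, p)
    g = grs_generator(x, y, k, p)
    h = grs_generator(x, z, n - k, p)
    g_full = grs_generator(x, y, n - 1, p)
    return is_zero(matmul_t(g, h, p)) and is_zero(matmul_t(g_full, [z], p))


# constructed parameters: n = 8 distinct support points in F_13, non-zero multipliers
X = [1, 2, 3, 4, 5, 6, 7, 8]
Y = [1, 1, 2, 3, 5, 8, 1, 12]

if __name__ == "__main__":
    for row in grs_generator(X, Y, 3):
        print(row)
    print("z =", dual_multiplier(X, Y), "| duality holds:", check_duality(X, Y, 3))
```

The check is exact rather than statistical: `check_duality` multiplies the full generator matrices, so a wrong multiplier vector would show up as a non-zero entry.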

Definition 6

(Alternant codes). A p-ary alternant code of order r associated with \((\varvec{x},\varvec{y})\in \mathbb {F}_{p^m}^n\times \mathbb {F}_{p^m}^n\), denoted by \(\mathbf {Alt}_{r}(\varvec{x},\varvec{y})\), is

$$\begin{aligned} \mathbf {Alt}_{r}(\varvec{x},\varvec{y}){\mathop {=}\limits ^{\text {def}}}\mathbf {GRS}_{r}(\varvec{x},\varvec{y})^\bot \cap \mathbb {F}_p^n. \end{aligned}$$

Definition 7

(Binary Goppa codes). Let \(\varvec{x}\in \mathbb {F}_{2^m}^n\) be an n-tuple of distinct elements and \(g \in \mathbb {F}_{2^m}[x]\) be a polynomial of degree t such that \(\forall \; i, g(x_i)\not = 0\). Let \(\varvec{y}{\mathop {=}\limits ^{\text {def}}}\left( 1/g(x_1),\dots ,1/g(x_n)\right) \); then the binary Goppa code is defined by

$$\begin{aligned} \mathbf {\Gamma }(\varvec{x},g){\mathop {=}\limits ^{\text {def}}}\mathbf {Alt}_{t}(\varvec{x},\varvec{y}). \end{aligned}$$

There are several decoding techniques for Goppa codes, for example the Berlekamp-Massey algorithm, the extended Euclidean algorithm or the Patterson algorithm [MS86, Chap. 12].

LDPC and MDPC codes. Another important class of linear codes is the family of low density parity check (LDPC) codes discovered by Gallager [Gal63]. He was motivated by the problem of finding “random-like” codes that could be decoded near the channel capacity with quasi-optimal performance and feasible complexity. Since LDPC codes were too complex for the technology of that time, they were forgotten for more than 30 years and rediscovered by MacKay [Mac99] and Sipser and Spielman [SS96]. These codes were extended in a natural way to moderate density parity check codes in [OB09]. LDPC codes have many applications in the communication field as well as in cryptography.

Definition 8

(LDPC/MDPC codes). An \((n,k,\omega )\)-code is a linear code defined by a \(k \times n\) parity-check matrix (\(k < n\)) in which each row has weight \(\omega \).

  • An LDPC code is an \((n,k,\omega )\)-code with \(\omega = O\left( 1\right) \) when \(n\rightarrow \infty \) [Gal63].

  • An MDPC code is an \((n,k,\omega )\)-code with \(\omega = O\left( \sqrt{n}\right) \) when \(n\rightarrow \infty \) [OB09].

The theory of error correcting codes is not only a highly important tool in the communication field; it is also applied to public key cryptography. One of the oldest public key encryption schemes, namely the McEliece PKC [McE78], is based on several aspects of coding theory.

3 McEliece and Niederreiter Encryption Scheme

3.1 Description

The McEliece public key encryption scheme [McE78] is composed of three algorithms: key generation (\(\mathsf {KeyGen}\)), encryption (\(\mathsf {Encrypt}\)) and decryption (\(\mathsf {Decrypt}\)). The key generation algorithm takes as input the integers \(n, m, k, t, q\) such that \(k<n\) and \(t<n\), and outputs the public key/private key pair \((\mathsf {pk},\mathsf {sk})\).

\(\mathsf {KeyGen}(n,m,k,t,q)=(\mathsf {pk},\mathsf {sk})\)

  1. Pick a generator matrix \(\varvec{G}\) of an \([n,k]\) code \(\mathscr {C}\) that can correct t errors.

  2. Pick at random \(\varvec{S}\) in \({ \textsf {GL}}_k(\mathbb {F}_{q^m})\) and an \(n\times n\) permutation matrix \(\varvec{P}\).

  3. Compute \(\varvec{G}_\mathrm{pub}{\mathop {=}\limits ^{\text {def}}}\varvec{S}\varvec{G}\varvec{P}\).

  4. Return

     $$\begin{aligned} \mathsf {pk}=(\varvec{G}_\mathrm{pub},t)\,\, \text {and}\,\, \mathsf {sk}=(\varvec{S}, \varvec{P}). \end{aligned}$$

In order to encrypt a message \(\varvec{m}\in \mathbb {F}_{q^m}^k\), one applies the following function:

\(\mathsf {Encrypt}(\varvec{m},\mathsf {pk})=\varvec{z}\)

  1. Generate a random error vector \(\varvec{e}\in \mathbb {F}_{q^m}^n\) with \( \left| {\varvec{e}} \right| \le t\).

  2. Return \(\varvec{z}=\varvec{m}{\varvec{G}_\mathrm{pub}} \oplus \varvec{e}\).

The decryption takes as input a ciphertext \(\varvec{z}\) and the private key \(\mathsf {sk}\), and outputs the corresponding message \(\varvec{m}\):

\(\mathsf {Decrypt}(\varvec{z},\mathsf {sk})=\varvec{m}\)

  1. Compute \(\varvec{z}^{*}=\varvec{z}\varvec{P}^{-1}\) and \(\varvec{m}^* = \mathcal {D}ecode(\varvec{z}^{*},\varvec{H})\).

  2. Return \(\varvec{m}^* \varvec{S}^{-1}\).

\(\mathcal {D}ecode(\cdot ,\cdot )\) is an efficient decoding algorithm for \(\mathscr {C}\). Notice that multiplying the error vector by a permutation matrix does not change its weight. The correctness of the scheme is easily verified by checking

$$\begin{aligned} \mathsf {Decrypt}(\mathsf {Encrypt}(\varvec{m},\mathsf {pk}),\mathsf {sk})=\varvec{m}. \end{aligned}$$

The Niederreiter public-key encryption scheme [Nie86] is similar to McEliece’s scheme. It uses the dual code, so the public key is a parity-check matrix of the code. The message is an error vector, which is encrypted into its syndrome. In [LDW94] it is shown that the two schemes are equivalent in terms of security.
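To make the three algorithms of Sect. 3.1 concrete, here is a toy McEliece instance over \(\mathbb {F}_2\) as an added example; it is not code from the paper. The \([7,4,3]\) Hamming code (so \(t=1\)) and its brute-force syndrome-lookup decoder are constructed choices standing in for a Goppa code and its decoder, and the matrices \(\varvec{S}\) and \(\varvec{P}\) are drawn from a seeded generator. The syndrome step also illustrates the identity \(\varvec{H}\varvec{z}^T=\varvec{H}\varvec{e}^T\) from Sect. 2.2.

```python
# Toy McEliece over F_2 (added example; a [7,4,3] Hamming code stands in for a Goppa code)
import random
from itertools import combinations

N, K, T = 7, 4, 1

# constructed [7,4,3] Hamming code: systematic generator G = (I_4 | A) ...
G = [[1, 0, 0, 0, 1, 1, 0],
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
# ... and parity-check matrix H = (A^T | I_3), so H c^T = 0 for every codeword c
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % 2


def matmul(a, b):
    """Matrix product over F_2."""
    cols = list(zip(*b))
    return [[dot(row, col) for col in cols] for row in a]


def vecmat(v, m):
    return matmul([v], m)[0]


def inverse_gf2(m):
    """Inverse of a square F_2 matrix by Gauss-Jordan elimination; None if singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if a[r][col]), None)
        if piv is None:
            return None
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col and a[r][col]:
                a[r] = [u ^ v for u, v in zip(a[r], a[col])]
    return [row[n:] for row in a]


def syndrome(h, v):
    """H v^T as a tuple (hashable, so it can index the lookup table)."""
    return tuple(dot(row, v) for row in h)


def syndrome_table(h, t):
    """Syndrome -> error pattern for every pattern of weight <= t (brute force; fine for n = 7)."""
    n = len(h[0])
    table = {}
    for w in range(t + 1):
        for pos in combinations(range(n), w):
            e = [int(i in pos) for i in range(n)]
            table.setdefault(syndrome(h, e), e)
    return table


TABLE = syndrome_table(H, T)


def decode(z, h, k):
    """Decode(z, H): strip the error found by syndrome lookup; G is systematic, so the message is the first k bits."""
    e = TABLE.get(syndrome(h, z))
    if e is None:
        raise ValueError("undecodable: more than t errors")
    return [a ^ b for a, b in zip(z, e)][:k]


def keygen(rng):
    """KeyGen: random invertible S (k x k), random permutation P (n x n), G_pub = S G P."""
    while True:
        s = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if inverse_gf2(s) is not None:
            break
    perm = list(range(N))
    rng.shuffle(perm)
    p = [[int(perm[i] == j) for j in range(N)] for i in range(N)]
    return (matmul(matmul(s, G), p), T), (s, p)


def encrypt(m, pk, rng):
    """Encrypt: z = m G_pub + e with a random error vector e of weight t."""
    g_pub, t = pk
    pos = rng.sample(range(N), t)
    e = [int(i in pos) for i in range(N)]
    return [a ^ b for a, b in zip(vecmat(m, g_pub), e)]


def decrypt(z, sk):
    """Decrypt: z* = z P^{-1} (P^{-1} = P^T for a permutation, which keeps the error weight),
    m* = Decode(z*, H), return m* S^{-1}."""
    s, p = sk
    z_star = [dot(z, row) for row in p]
    return vecmat(decode(z_star, H, K), inverse_gf2(s))


def roundtrip(seed=1, trials=20):
    """Decrypt(Encrypt(m, pk), sk) == m for random messages under one key pair."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    for _ in range(trials):
        m = [rng.randrange(2) for _ in range(K)]
        if decrypt(encrypt(m, pk, rng), sk) != m:
            return False
    return True


def syndrome_identity_holds(c, e):
    """H z^T = H e^T for z = c + e with c a codeword (Sect. 2.2)."""
    z = [a ^ b for a, b in zip(c, e)]
    return syndrome(H, c) == (0,) * len(H) and syndrome(H, z) == syndrome(H, e)
```

Calling `roundtrip()` runs twenty encrypt/decrypt cycles under one key pair and returns `True`; the public key here is the \(4\times 7\) matrix `G_pub`, and the brute-force table in `syndrome_table` is exactly the kind of decoder that does not scale, which is why a real instance needs a code family with an efficient decoder.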

3.2 Security Arguments

The security of all the variants à la McEliece is based on two facts: first, the public code is supposed to be indistinguishable from a random code; second, if this assumption holds, then in order to decrypt a ciphertext one has to solve the Syndrome Decoding Problem for a random code (see Definition 3), which is known to be a hard problem. There are three types of attacks known in the literature: Distinguishing Attacks, Message Recovery Attacks (MRA) and Key Recovery Attacks (KRA).

Distinguishing attacks. Even though the indistinguishability of the public code in the original McEliece scheme has not been proved, there is a strong belief that this problem is hard. However, a recent breakthrough in this area was the distinguisher for high rate Goppa codes proposed in [FGO+13]. It is based on the star product of two codes and uses the dimension of the square code to distinguish between a random linear code and a high rate Goppa code. This technique also works on high rate alternant codes [FGO+13], Reed-Solomon codes [CGG+14], Reed-Muller codes [CB13, OTK15], etc.
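The square-code check is easy to reproduce on a toy instance. The following Python, an added example and not code from the paper, computes the dimension of the square code spanned by the pairwise star products of the rows of a generator matrix, once for a GRS code over \(\mathbb {F}_{101}\) (constructed parameters) and once for a random code of the same length and dimension. The GRS square has dimension \(2k-1\), while the random code's square is far larger, which is the gap the distinguisher exploits; a designer can run the same check on a candidate public code to see whether it is trivially distinguishable from random.

```python
# Square-code distinguisher on a toy GRS code over F_p (added example)
import random

P = 101  # constructed prime field


def rank_mod_p(rows, p=P):
    """Rank of a matrix over F_p by Gaussian elimination (rows are lists of ints)."""
    a = [r[:] for r in rows]
    rank, ncols = 0, len(a[0])
    for col in range(ncols):
        piv = next((r for r in range(rank, len(a)) if a[r][col] % p), None)
        if piv is None:
            continue
        a[rank], a[piv] = a[piv], a[rank]
        inv = pow(a[rank][col], p - 2, p)
        a[rank] = [v * inv % p for v in a[rank]]
        for r in range(len(a)):
            if r != rank and a[r][col] % p:
                f = a[r][col]
                a[r] = [(u - f * v) % p for u, v in zip(a[r], a[rank])]
        rank += 1
        if rank == len(a):
            break
    return rank


def grs_generator(x, y, k, p=P):
    """Generator matrix of GRS_k(x, y) (Definition 5)."""
    return [[yj * pow(xj, i, p) % p for xj, yj in zip(x, y)] for i in range(k)]


def star(u, v, p=P):
    """Coordinate-wise (star) product of two vectors."""
    return [a * b % p for a, b in zip(u, v)]


def square_code_dim(gen, p=P):
    """dim C^2, where C^2 is spanned by the star products of all pairs of rows of a generator matrix of C."""
    k = len(gen)
    prods = [star(gen[i], gen[j], p) for i in range(k) for j in range(i, k)]
    return rank_mod_p(prods, p)


def random_code(n, k, rng, p=P):
    """Generator matrix of a random [n,k] code over F_p (seeded)."""
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def distinguish(gen, p=P, seed=0):
    """(dim of the square of gen, dim of the square of a random code with the same [n,k])."""
    n, k = len(gen[0]), len(gen)
    return square_code_dim(gen, p), square_code_dim(random_code(n, k, random.Random(seed), p), p)


N, K = 30, 5
X = list(range(1, N + 1))                 # constructed support: 30 distinct elements of F_101
Y = [(3 * i + 7) % P for i in range(N)]   # constructed non-zero multipliers

if __name__ == "__main__":
    grs_dim, rnd_dim = distinguish(grs_generator(X, Y, K))
    print("square dimension: GRS =", grs_dim, "(2k-1 =", 2 * K - 1, ") | random =", rnd_dim)
```

For a GRS code the star products \(y_i f(x_i)\cdot y_i g(x_i)\) are evaluations of polynomials of degree at most \(2k-2\), so the square is \(\mathbf {GRS}_{2k-1}(\varvec{x},\varvec{y}^2)\) and its dimension is \(\min (n,2k-1)\); a random \([n,k]\) code typically reaches \(\min (n,k(k+1)/2)\), which is why the two values separate so clearly even at this toy size.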

Message Recovery Attacks. In this scenario an adversary aims to recover the plaintext from a given ciphertext. If the public code is indistinguishable from a random code, then an MRA becomes equivalent to solving the Syndrome Decoding Problem. The most efficient algorithms for solving the Syndrome Decoding Problem are the Information Set Decoding (ISD) algorithms. Details about the different variants of ISD and their complexity analysis are given in [CTS16]. However, even the best variant has a complexity exponential in the code parameters.

Key Recovery Attacks. The key recovery adversary aims to retrieve the private key from a given public key. If the cryptanalyst manages to efficiently recover the private key, then he can also decode, and thus recover, all messages encrypted with that key. It is therefore considered the most powerful possible attack. In the KRA scenario the adversary is often reduced to solving the following problem.

Definition 9

(Permutation Code Equivalence Problem). Let \(\varvec{G}\) and \(\varvec{G}^*\) be generator matrices of two \([n,k]\) binary linear codes. Given \(\varvec{G}\) and \(\varvec{G}^*\), does there exist a \(k\times k\) binary invertible matrix \(\varvec{S}\) and an \(n\times n\) permutation matrix \(\varvec{P}\) such that \(\varvec{G}^*=\varvec{S}\varvec{G}\varvec{P}\)?

The computational problem was studied by Petrank and Roth over the binary field [PR97], where the authors proved that the problem is not NP-complete. The most common algorithm used to solve this problem is the Support Splitting Algorithm (SSA) [Sen00]. This algorithm is very efficient in the random case, but cannot be used for codes with large hulls or with a large permutation group, such as Goppa codes, Reed-Muller codes, etc. When the SSA is infeasible, other efficient techniques can be employed, such as the minimum weight codewords approach. The idea is to use the subcode spanned by the set of minimum weight codewords and to solve the code equivalence problem for that subcode. Indeed, for many linear codes the code spanned by the minimum weight codewords is almost the entire code; this is the case for Polar codes and more generally for any Decreasing Monomial code (see [BDOT16]). This technique was used to solve the code equivalence problem for Reed-Muller codes [MS07] and Polar codes [BCD+16]. The main step of this technique is the search for minimum weight codewords, and the most efficient algorithms for this are derived from the Information Set Decoding algorithm.

Side-channel attacks. Practical issues are crucial when designing a cryptosystem. A designer should be able to show that the scheme can be securely implemented and that potential side-channel attacks can be countered. In this scenario the attacker has the capability to access and monitor different parameters of the implementation, for example a particular function in the decryption process. In a successful side-channel attack, this access reveals information about the message or about the private key of the scheme.

4 McEliece Variants

In the previous section several security issues were revealed, which raises a fundamental question: what is the most appropriate code family for the McEliece scheme?

4.1 Binary Irreducible Goppa Codes

Binary irreducible Goppa codes were proposed in the original paper of McEliece [McE78]. Even though the original parameters were broken in [BLP08], the same authors proposed a new set of secure parameters (see Fig. 1). Despite their well-known structure there are no efficient key recovery or decoding attacks against binary irreducible Goppa codes. A distinguisher exists in the case of high rate Goppa codes [FGO+13], but despite this potential vulnerability there is, for the moment, no efficient algorithm exploiting the knowledge and the properties of the distinguisher. The existence of weak keys for Goppa codes was raised by Sendrier and Loidreau in [LS01].

Fig. 1. Parameters and key size for McEliece with Goppa codes from [BLP08] and key size for the RSA scheme (figure not reproduced in the text).

We see from Fig. 1 that the size of the public key is a real disadvantage of the McEliece scheme compared to the well-known RSA encryption scheme [RSA78]. Therefore reducing the size of the keys is one of the starting points of a continuous research interest in this field. We mention the existence of a compact variant of the McEliece scheme based on quasi-dyadic Goppa codes due to Misoczki and Barreto [MB09], which is not yet broken in the binary case. Binary Goppa codes are also the most cryptanalyzed scheme from a side-channel perspective. There are mainly two types of side-channel attacks, classified by their goal:

  1. Recover the secret message [STM+08, AHPT11];

  2. Recover the private key (fully or partially) [Str13, Str10a, SSMS09, BCDR16].

In each of these articles the authors propose a countermeasure to the leak, a step towards a secure implementation of the scheme. Countermeasures and secured implementations are also proposed in [CHP12, DCCR13, BCS13].

4.2 Generalized Reed-Solomon Codes

This family was first proposed by Niederreiter in [Nie86] but turned out to be an insecure solution. Indeed, six years after the article was published, Sidelnikov and Shestakov proposed a polynomial time attack against this variant [SS92]. Nevertheless the idea of using GRS codes was reconsidered more than ten years later by Berger and Loidreau, who proposed to use subcodes of GRS codes [BL05]. Unfortunately this technique was also attacked, in two steps, by Wieschebrink [Wie06a, Wie09] using the square code structure.

Another attempt to repair the Niederreiter variant was proposed by Wieschebrink [Wie06b], whose idea was to add random columns to the generator matrix. This variant turned out to be highly insecure against square code type attacks [CGG+14]. Nevertheless GRS codes are still of high interest for this community, since several modified versions of the McEliece scheme use this family of codes: Baldi et al. [BBC+16] proposed to change the permutation matrix, Tillich et al. [MCT16] proposed to use them in a “\(u \mid u+v\)” construction, and Wang [Wan16] proposed a technique derived from Wieschebrink’s idea.

4.3 Reed-Muller Codes

Reed-Muller codes were proposed by Sidelnikov in [Sid94] and were first attacked by Minder and Shokrollahi [MS07]. For Reed-Muller codes the Key Recovery Attack reduces to solving the code equivalence problem, since there is only one \(\mathscr {R}(r,m)\). Minder and Shokrollahi solved this problem using a filtration type attack based on the structural properties of the minimum weight codewords. The complexity of their algorithm is dominated by the minimum weight codeword search.

Recently, Chizhov and Borodin [CB14] proposed another attack that solves the code equivalence problem in polynomial time for some parameters of the Reed-Muller codes. Their idea was to use two simple operations to find the first order Reed-Muller code from the \(r^{th}\) order Reed-Muller code. Indeed, they noticed that the dual and the square code of a Reed-Muller code are still Reed-Muller codes, so they combined these operations to reach \(\mathscr {R}(1,m)\). A modified version using the masking technique introduced by Wieschebrink was proposed in [GM13] and recently broken by Otmani and Talé-Kalachi [OTK15] using a square code type attack.

4.4 Algebraic-Geometry Codes

This family of codes was suggested by Janwa and Moreno [JM96]. Several articles discussed the potential vulnerabilities of this variant and proposed algorithms that can be deployed to attack it in some particular cases [FM08, SS92]. Nevertheless these cannot be generalized and suffer in terms of efficiency. In [CMCP14] Couvreur, Marquez-Corbella and Pellikaan proposed a polynomial time algorithm that works on codes from curves of arbitrary genus.

4.5 Concatenated Codes

Concatenated codes were the first family of probabilistic codes analyzed from a cryptographic point of view. Sendrier detailed in [Sen94, Sen98] the main vulnerabilities of ordinary concatenated codes.

4.6 LDPC Codes

Monico, Rosenthal and Shokrollahi were the first to propose and analyze a McEliece variant using low density parity check codes, in [MRAS00]. Using Gaborit’s idea of considering quasi-cyclic codes [Gab05], the new QC-LDPC cryptosystem was presented by Baldi and Chiaraluce in [BC07]. Both BCH codes and LDPC codes with a quasi-cyclic structure were successfully cryptanalyzed by Otmani, Tillich and Dallot [OTD08]. In order to prevent the latter attack, a modification based on increasing the weight of the codewords of the public code was proposed in [BBC08]. Baldi’s book [Bal14] gives all the details of the successive attacks on, and repairs of, the LDPC variants.

4.7 Wild Goppa Codes

This code family is a natural extension of binary Goppa codes to non-binary fields. It was proposed by Bernstein, Lange and Peters in [BLP10] and [BLP11]. Many of the proposed parameters were broken by Couvreur, Otmani and Tillich, using filtration type techniques, in the case of quadratic extensions [COT14a, COT14b].

4.8 Srivastava Codes

Srivastava codes were proposed in [Per12] in order to reduce the key length of the original McEliece scheme. The author uses quasi-dyadic Srivastava codes and gives another application of these codes to signature schemes. Even though the parameters for the signature scheme were broken in [FOP+16], the parameters for the encryption scheme are still valid.

4.9 MDPC Codes

Moderate Density Parity-Check codes are probably the most suitable codes for a McEliece type scheme [MTSB13]. Many cryptographic arguments are in favour of this family of codes: efficiency, small key size when used with a quasi-cyclic structure and, most importantly in our opinion, the lack of algebraic structure. Another security argument is that the usual distinguisher does not work for MDPC codes. In a recent paper, weak keys of the QC-MDPC scheme were revealed [BDLO16]; however, the authors show how to avoid the vulnerable parameters.

4.10 Convolutional Codes

Convolutional codes were among the shortest-lived solutions: only one year passed between the proposal by Londahl and Johansson [LJ12] and the efficient attack by Landais and Tillich [LT13].

4.11 Polar Codes

This family of codes was as unfortunate as convolutional codes. The first variant using Polar codes was proposed by Shrestha and Kim [SK14], while a second one using subcodes of Polar codes was given in [HSEA14]. In [BCD+16] the first variant was attacked using the structure of the minimum weight codewords: the authors solved the code equivalence problem for Polar codes and thus completely broke the scheme.

To close this section we emphasize that some code families are not appropriate in this context because of their structural properties, namely GRS codes, Reed-Muller codes, Polar codes, etc. However, several classes of codes remain secure in a McEliece PKC, such as the original binary Goppa codes, LDPC and MDPC codes, etc. A complete summary of the remaining secure code families is given in Fig. 2. Meanwhile the scientific community developed a new idea, namely working with another metric, the rank metric. Nowadays this part of public-key cryptography is known as rank-based cryptography.

5 Rank Based Encryption Schemes

The first rank-metric scheme was proposed in [GPT91] by Gabidulin, Paramonov and Tretjakov and is now called the GPT cryptosystem. This scheme can be seen as an analogue of the McEliece public key cryptosystem based on the class of Gabidulin codes. In the following we present the class of Gabidulin codes. To simplify the notation, for any x in \(\mathbb {F}_{q^m}\) and any integer i, the quantity \(x^{q^{i}}\) is denoted by \(x^{[i]}\).

Definition 10

(Gabidulin code). Let \(\varvec{g}\in \mathbb {F}_{q^m}^{n}\) such that \(\left| {\varvec{g}} \right| _q=n\). The \((n,k)\) Gabidulin code denoted by \(\mathscr {G}_{k}\left( \varvec{g}\right) \) is the code with generator matrix \(\varvec{G}\) where:

$$\begin{aligned} \varvec{G}= \begin{pmatrix} g_{1}^{[0]} &{} \cdots {} &{} g_{n}^{[0]} \\ \vdots {} &{} &{} \vdots {} \\ g_{1}^{[k-1]} &{} \cdots {} &{} g_{n}^{[k-1]} \end{pmatrix}. \end{aligned}$$
(1)

A matrix of the form (1) is called a \(q\)-Vandermonde matrix. Gabidulin codes are known to have good decoding capability [GPT91].
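The following Python is an added example, not code from the paper, serving both Definition 1 (Sect. 2.1) and Definition 10. It represents \(\mathbb {F}_{2^6}\) as 6-bit integers over the polynomial basis (the modulus \(x^6+x+1\) is a constructed choice), computes the rank weight of a vector as the \(\mathbb {F}_2\)-rank of the matrix whose columns are the coordinate expansions, and builds the \(q\)-Vandermonde generator matrix (1) for a constructed support \(\varvec{g}=(1,x,x^2,x^3,x^4)\). It also checks exhaustively that the minimum rank distance of the resulting code is \(n-k+1\), which is the MRD property of Gabidulin codes (a known fact that the text above does not restate).

```python
# Rank weight and a Gabidulin code over F_{2^6} (added example)
from itertools import product

M = 6                    # F_{2^m} with m = 6; elements are 6-bit ints in the polynomial basis
MODULUS = 0b1000011      # x^6 + x + 1, irreducible over F_2 (constructed choice)


def gf_mul(a, b):
    """Multiplication in F_{2^6}: carry-less product reduced modulo x^6 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:
            a ^= MODULUS
    return r


def frob(a, i):
    """a^{[i]} = a^{2^i}: i applications of the Frobenius map (squaring)."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a


def hamming_weight(x):
    return sum(1 for v in x if v)


def rank_weight(x):
    """|x|_2 (Definition 1): dimension of the F_2-span of the coordinates.
    Each coordinate is an m-bit vector over F_2, so this is elimination on bitmasks."""
    pivots = {}                       # leading bit -> reduced basis vector
    for v in x:
        for bit in reversed(range(M)):
            if not (v >> bit) & 1:
                continue
            if bit in pivots:
                v ^= pivots[bit]
            else:
                pivots[bit] = v
                break
    return len(pivots)


def rank_distance(x, y):
    """d_R(x, y) = |x - y|_2; subtraction is XOR in characteristic 2."""
    return rank_weight([a ^ b for a, b in zip(x, y)])


def gabidulin_generator(g, k):
    """q-Vandermonde matrix (1): row i is (g_1^{[i]}, ..., g_n^{[i]}); requires |g|_q = n <= m."""
    n = len(g)
    if n > M or rank_weight(g) != n:
        raise ValueError("g must have full rank weight n <= m")
    return [[frob(gj, i) for gj in g] for i in range(k)]


def encode(m, gen):
    """Codeword m G over F_{2^6}."""
    c = [0] * len(gen[0])
    for mi, row in zip(m, gen):
        for j, gij in enumerate(row):
            c[j] ^= gf_mul(mi, gij)
    return c


def min_rank_distance(gen):
    """Exhaustive minimum rank weight over all non-zero messages (64^k - 1 codewords; toy sizes only).
    For a Gabidulin code this equals n - k + 1 (MRD), a known fact assumed here."""
    k = len(gen)
    return min(rank_weight(encode(m, gen)) for m in product(range(1 << M), repeat=k) if any(m))


# constructed support g = (1, x, x^2, x^3, x^4): F_2-linearly independent, so |g|_2 = 5 = n <= m
G_SUPPORT = [1, 2, 4, 8, 16]
N, K = len(G_SUPPORT), 2

if __name__ == "__main__":
    gen = gabidulin_generator(G_SUPPORT, K)
    same = [3] * N   # (x+1, ..., x+1): full Hamming weight but rank weight 1
    print("Hamming weight", hamming_weight(same), "vs rank weight", rank_weight(same))
    print("min rank distance of G_2(g):", min_rank_distance(gen), "= n-k+1 =", N - K + 1)
```

The vector `same` is the edge case worth remembering: every coordinate is non-zero, so its Hamming weight is \(n\), yet all coordinates span a single \(\mathbb {F}_2\)-line, so its rank weight is 1; a rank-metric error of weight \(t\) can therefore touch every position of a word.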

5.1 The General GPT Cryptosystem

The key generation algorithm of the general GPT cryptosystem takes as input the integers k, \(\ell \), n and m such that \(k<n\le m\) and \(\ell \ll n\) and outputs the public key/private key pair \((\mathsf {pk},\mathsf {sk})\).

\(\mathsf {KeyGen}(n,m,k,\ell ,q)=(\mathsf {pk},\mathsf {sk})\)

  1. Let \(\varvec{G}\in \mathcal {M}_{k,n}\left( \mathbb {F}_{q^m}\right) \) be a generator matrix of the Gabidulin code \(\mathscr {G}_{k}\left( \varvec{g}\right) \).

  2. Pick \(\varvec{S}\in { \textsf {GL}}_k(\mathbb {F}_{q^m})\), \(\varvec{X}\in \mathcal {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{P}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\).

  3. Compute \(\varvec{G}_\mathrm{pub}{\mathop {=}\limits ^{\text {def}}}\varvec{S}(\varvec{X}\mid \varvec{G}) \varvec{P}\) and \(t=\frac{n-k}{2}\).

  4. Return

     $$\begin{aligned} \mathsf {pk}=(\varvec{G}_\mathrm{pub},t)\,\, \text {and}\,\, \mathsf {sk}=(\varvec{S}, \varvec{P}). \end{aligned}$$

To encrypt a message \(\varvec{m}\in \mathbb {F}_{q^m}^{k}\), apply the following function:

\(\mathsf {Encrypt}(\varvec{m},\mathsf {pk})=\varvec{z}\)

  1. Generate a random error vector \(\varvec{e}\in \mathbb {F}_{q^m}^n\) with \( \left| { \varvec{e}} \right| _q \le t\).

  2. Return \(\varvec{z}=\varvec{m}{\varvec{G}_\mathrm{pub}} \oplus \varvec{e}\).

The decryption takes as input a ciphertext \(\varvec{z}\) and the private key \(\mathsf {sk}\), and outputs the corresponding message \(\varvec{m}\). \(\mathsf {Decrypt}(\varvec{z},\mathsf {sk})\) first computes \(\varvec{z}\varvec{P}^{-1}=\varvec{m}\varvec{S}\left( \varvec{X}\mid \varvec{G}\right) \,+\,\varvec{e}\varvec{P}^{-1}\). The last n components of \(\varvec{z}\varvec{P}^{-1}\) satisfy \(\varvec{z}^\prime =\varvec{m}\varvec{S}\varvec{G}\,+\,\varvec{e}^\prime \), where \(\varvec{e}^\prime \) is a sub-vector of \(\varvec{e}\varvec{P}^{-1}\), hence \(\left| {\varvec{e}^\prime } \right| _q \le t\). It then applies a fast decoding algorithm of \(\mathscr {G}_{k}\left( \varvec{g}\right) \) to \(\varvec{z}^\prime \) to obtain \(\varvec{m}\varvec{S}\), and hence \(\varvec{m}\).

Security. In [Ove08], Overbeck proposed a very efficient attack on the GPT cryptosystem. Several works propose to resist Overbeck’s attack either by taking a column scrambler matrix defined over the extension field \(\mathbb {F}_{q^m}\) [Gab08, GRH09, RGH11, GP14] or by taking a special distortion matrix, as in [Loi10, RGH10]. In the following we describe all the variants of the GPT cryptosystem proposed after the appearance of Overbeck’s attack, and we give the security status of each of them.

5.2 GPT Cryptosystem with Column Scrambler on the Extension Field

The first paper to consider a column scrambler matrix over the extension field is Gabidulin’s paper [Gab08]. The changes concern key generation and decryption; the encryption phase is unchanged. The author describes the system as follows:

Description of the Scheme. The key generation algorithm works as for the general GPT scheme, with one difference: \(\varvec{P}\) is now taken in \({ \textsf {GL}}_{n+\ell }(\mathbb {F}_{q^m})\), and is such that there exist \( \varvec{Q}_{11}\) in \(\mathcal {M}_{\ell ,\ell }\left( \mathbb {F}_{q^m}\right) \), \(\varvec{Q}_{21}\) in \(\mathcal {M}_{n,\ell }\left( \mathbb {F}_{q^m}\right) \), \(\varvec{Q}_{22}\) in \(\mathcal {M}_{n,n}\left( \mathbb {F}_{q}\right) \) and \(\varvec{Q}_{12}\) in \(\mathcal {M}_{\ell ,n}\left( \mathbb {F}_{q^m}\right) \) with \(\left| {\varvec{Q}_{12}} \right| =s < t \) so that

$$\begin{aligned} \varvec{P}^{-1}= \begin{bmatrix} \varvec{Q}_{11}&\varvec{Q}_{12}\\ \varvec{Q}_{21}&\varvec{Q}_{22} \end{bmatrix} . \end{aligned}$$
(2)

Only \(\varvec{Q}_{22}\), the block that maps onto the last n coordinates (the ones handed to the decoder), is required to be over the base field \(\mathbb {F}_{q}\); the other three blocks may live in \(\mathbb {F}_{q^m}\).

The public key is \((\varvec{G}_\mathrm{pub},t_\mathrm{pub})\) with \(t_\mathrm{pub}= t - s\) and \(\varvec{G}_\mathrm{pub}=\varvec{S}\left( \varvec{X}\mid \varvec{G}\right) \varvec{P}. \)

Decryption. We have \(\varvec{z}\varvec{P}^{-1}=\varvec{m}\varvec{S}\left( \varvec{X}\mid \varvec{G}\right) \,+\,\varvec{e}\varvec{P}^{-1}\). Write \(\varvec{e}= \left( \varvec{e}_1 \mid \varvec{e}_2 \right) \) where \(\varvec{e}_1 \in \mathbb {F}_{q^m}^\ell \) and \(\varvec{e}_2 \in \mathbb {F}_{q^m}^n\). We have:

$$\begin{aligned} \varvec{e}\varvec{P}^{-1}= \left( \varvec{e}_1 \varvec{Q}_{11} + \varvec{e}_2 \varvec{Q}_{21} \mid \varvec{e}_1 \varvec{Q}_{12} + \varvec{e}_2 \varvec{Q}_{22}\right) \end{aligned}$$
(3)

Since \(\varvec{Q}_{22}\) has entries in \(\mathbb {F}_{q}\), multiplying by it cannot increase the rank weight, so \(\left| {\varvec{e}_2 \varvec{Q}_{22}} \right| \le \left| {\varvec{e}_2} \right| \le \left| {\varvec{e}} \right| \le t_\mathrm{pub}= t - s\), while \(\left| {\varvec{e}_1 \varvec{Q}_{12}} \right| \le \left| {\varvec{Q}_{12}} \right| = s\). As the rank weight is sub-additive,

$$\begin{aligned} \left| {\varvec{e}_1 \varvec{Q}_{12} + \varvec{e}_2 \varvec{Q}_{22}} \right| \le \left| {\varvec{e}_1 \varvec{Q}_{12}} \right| + \left| {\varvec{e}_2 \varvec{Q}_{22}} \right| \le s + (t-s) = t. \end{aligned}$$

So the plaintext \(\varvec{m}\) is recovered by applying the decoding algorithm of \(\mathscr {G}_{k}\left( \varvec{g}\right) \) only to the last n components of \(\varvec{z}\varvec{P}^{-1}\), exactly as in the general scheme; the first \(\ell \) components, which involve the extension-field blocks \(\varvec{Q}_{11}\) and \(\varvec{Q}_{21}\), are simply discarded. The price paid for scrambling over \(\mathbb {F}_{q^m}\) is the smaller public error radius \(t_\mathrm{pub}= t - s\).
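As an added illustration of both the general GPT scheme of Sect. 5.1 and the column scrambler over the extension field described just above (this is example code written for this page, not code from the paper or its authors), the following Python program runs key generation, encryption and decryption end to end at toy size. It assumes q = 2 and m = n = 6 (the field \(\mathbb {F}_{2^6}\) is built from \(x^6+x+1\)), k = 2 and \(\ell = 2\), so t = 2; the fast Gabidulin decoder is replaced by an exhaustive search over the \(2^{12}\) messages, which is only feasible at this size and is not how a real implementation decodes; and the rank-s condition on \(\varvec{Q}_{12}\) is realised by writing \(\varvec{Q}_{12}=\varvec{A}\varvec{B}\) with \(\varvec{A}\) over \(\mathbb {F}_{2^6}\) and \(\varvec{B}\) over \(\mathbb {F}_{2}\) of inner dimension s (our assumption about how that condition is met). `demo()` returns, for one random message, whether both schemes decrypt correctly, together with the rank weight of the error \(\varvec{e}^\prime \) that the decoder actually sees in the extension-field variant, which must be at most \(t = t_\mathrm{pub} + s\).

```python
import random
from functools import reduce
from itertools import product
from operator import xor

M, POLY = 6, 0b1000011               # F_{2^6} = F_2[x]/(x^6 + x + 1); x is primitive
F, ORD = 2**M, 2**M - 1
EXP, LOG = [0] * ORD, [0] * F        # antilog/log tables for the cyclic group generated by x
a = 1
for i in range(ORD):
    EXP[i], LOG[a] = a, i
    a = (a << 1) ^ (POLY if a >> (M - 1) else 0)

def mul(a, b): return 0 if 0 in (a, b) else EXP[(LOG[a] + LOG[b]) % ORD]
def inv(a): return EXP[-LOG[a] % ORD]
def frob(a, i): return 0 if a == 0 else EXP[(LOG[a] << i) % ORD]   # a^[i] = a^(2^i)

def rank_weight(v):
    """F_2-rank of a list of field elements (or of bitmask rows of a binary matrix)."""
    piv = {}
    for a in v:
        while a and a.bit_length() - 1 in piv:
            a ^= piv[a.bit_length() - 1]
        if a: piv[a.bit_length() - 1] = a
    return len(piv)

def matmul(A, B):                    # matrix product over F_{2^6}; addition is xor
    return [[reduce(xor, (mul(x, B[t][j]) for t, x in enumerate(row)), 0)
             for j in range(len(B[0]))] for row in A]

def mat_inv(A):
    """Gauss-Jordan over F_{2^6}; returns None when A is singular."""
    n = len(A)
    R = [row + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        p = next((r for r in range(c, n) if R[r][c]), None)
        if p is None: return None
        R[c], R[p] = R[p], R[c]
        s = inv(R[c][c]); R[c] = [mul(s, x) for x in R[c]]
        for r in range(n):
            if r != c and R[r][c]:
                f = R[r][c]; R[r] = [x ^ mul(f, y) for x, y in zip(R[r], R[c])]
    return [row[n:] for row in R]

def rand_mat(r, c, size):            # size 2 gives a matrix over the subfield F_2
    return [[random.randrange(size) for _ in range(c)] for _ in range(r)]

def random_gl(n, size):
    while True:
        A = rand_mat(n, n, size); A_inv = mat_inv(A)
        if A_inv is not None: return A, A_inv

def gabidulin_gen(g, k):             # row i of G is (g_1^[i], ..., g_n^[i])
    return [[frob(gj, i) for gj in g] for i in range(k)]

def keygen(k, n, ell, scrambler=None, s=0):
    """Sect. 5.1 (P over F_2, default) or Sect. 5.2 (given (P, P^{-1}) and t_pub = t - s)."""
    G = gabidulin_gen([1 << j for j in range(n)], k)   # g = (1, x, ..., x^{n-1}): F_2-independent
    S, S_inv = random_gl(k, F)
    X = rand_mat(k, ell, F)
    P, P_inv = scrambler or random_gl(n + ell, 2)
    G_pub = matmul(matmul(S, [xi + gi for xi, gi in zip(X, G)]), P)
    t = (n - k) // 2
    return (G_pub, t - s), (S_inv, P_inv, G, t)        # sk holds what decryption actually needs

def random_error(N, t):              # rank weight <= t: t field elements times a t x N F_2-matrix
    return matmul(rand_mat(1, t, F), rand_mat(t, N, 2))[0]

def encrypt(msg, pk, e=None):
    G_pub, t_pub = pk
    e = random_error(len(G_pub[0]), t_pub) if e is None else e
    return [c ^ x for c, x in zip(matmul([msg], G_pub)[0], e)]

def decode_exhaustive(G, y, t):
    """Stand-in for the fast decoder: the unique u with |y - uG| <= t (unique since d = n-k+1 > 2t)."""
    for u in product(range(F), repeat=len(G)):
        if rank_weight([a ^ b for a, b in zip(y, matmul([list(u)], G)[0])]) <= t:
            return list(u)

def decrypt(z, sk):
    S_inv, P_inv, G, t = sk
    y = matmul([z], P_inv)[0][-len(G[0]):]             # last n coordinates: mSG + e'
    return matmul([decode_exhaustive(G, y, t)], S_inv)[0]

def extension_scrambler(n, ell, s):
    """P^{-1} shaped as Eq. (2): Q11, Q21 over F_{2^6}, Q22 over F_2, and Q12 = A B with A (ell x s)
    over F_{2^6} and B (s x n) over F_2, so |e1 Q12| <= s (our reading of the rank-s condition)."""
    while True:
        Q12 = matmul(rand_mat(ell, s, F), rand_mat(s, n, 2))
        top = [q11 + q12 for q11, q12 in zip(rand_mat(ell, ell, F), Q12)]
        bottom = [q21 + q22 for q21, q22 in zip(rand_mat(n, ell, F), rand_mat(n, n, 2))]
        P = mat_inv(top + bottom)
        if P is not None: return P, top + bottom

def demo(seed=0, n=6, k=2, ell=2, s=1):
    random.seed(seed)
    msg = [random.randrange(F) for _ in range(k)]
    pk, sk = keygen(k, n, ell)                                          # general GPT
    pk2, sk2 = keygen(k, n, ell, extension_scrambler(n, ell, s), s)    # Sect. 5.2 variant
    e = random_error(n + ell, pk2[1])                                   # |e| <= t_pub = t - s
    e_seen = matmul([e], sk2[1])[0][-n:]                                # e' = last n coords of e P^{-1}
    return {"general_ok": decrypt(encrypt(msg, pk), sk) == msg,
            "variant_ok": decrypt(encrypt(msg, pk2, e), sk2) == msg,
            "t": sk2[3], "t_pub": pk2[1], "weight_seen": rank_weight(e_seen)}

if __name__ == "__main__":
    print(demo())
```

What the run makes concrete is the security-relevant shape of the construction: only the block \(\varvec{Q}_{22}\) acting on the coordinates passed to the decoder has to stay over the base field, the rest of \(\varvec{P}\) may be chosen in the extension field, and the cost is that the sender is limited to errors of rank weight \(t_\mathrm{pub}= t - s\). Note that `rank_weight` is the same Gaussian elimination whether it is fed field elements (rank weight of a vector) or bitmask rows (rank of a binary matrix), which is why the Gabidulin support `g` is checked for \(\mathbb {F}_{2}\)-independence with it.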

Other constructions of the column scrambler over the extension field have also been proposed. In [GRH09, RGH11], for instance, it is proposed to choose a column scrambler matrix \(\varvec{P}^* = \varvec{T}\varvec{P}\) such that

$$\begin{aligned} \varvec{P}^{-1}=\left( \varvec{Q}_{1} \mid \varvec{Q}_{2}\right) \end{aligned}$$
(4)

where \(\varvec{Q}_{1} \in \mathcal {M}_{n,s}\left( \mathbb {F}_{q^m}\right) \) while \(\varvec{Q}_{2} \in \mathcal {M}_{n,(n - s)}\left( \mathbb {F}_{q}\right) \). This construction can be seen as a special case of the more general construction given in [Gab08] (see [OTKN16] for details). In [GP13, GP14] yet another variant is proposed, which uses a column scrambler matrix \(\varvec{P}\) whose inverse has the form

$$\begin{aligned} \varvec{P}^{-1} = \varvec{T}+ \varvec{Z}\end{aligned}$$
(5)

where \(\varvec{T}\in { \textsf {GL}}_{n + \ell }(\mathbb {F}_{q})\) and \(\varvec{Z}\in \mathcal {M}_{n+\ell ,n+\ell }\left( \mathbb {F}_{q^m}\right) \) with \(\left| {\varvec{Z}} \right| = s \). This last variant, however, was shown in [UG14] to be equivalent to the general GPT cryptosystem [GO01] and is therefore not secure.

Security. It was recently shown in [OTKN16] that Gabidulin’s general construction [Gab08] is not secure, even when a more general column scrambler \(\varvec{P}^* = \varvec{T}\varvec{P}\varvec{Q}\) is considered (with \(\varvec{T}, \varvec{Q}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\) and \(\varvec{P}\) a matrix whose inverse has the form of Eq. 2). This attack also implies an attack on the variant of [GRH09, RGH11], since the construction of [Gab08] generalizes the constructions given in [GRH09, RGH11, GP13, GP14].

5.3 GPT Cryptosystems with a Special Distortion Matrix

Loidreau’s reparation. The main objective of Loidreau’s reparation [Loi10] is not to propose a new system, but to propose parameters that prevent Overbeck’s attack. The idea is to take a very large \(\ell \) (\(\ell \gg n-k\)) and to use a distortion matrix \(\varvec{X}\in \mathcal {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) of very low rank s such that \(s(n-k) \le \ell - a\), where a is a given integer. Even if the key sizes of this reparation are small compared to those of the McEliece encryption scheme [McE78], they remain very large. This is why the authors of [RGH10] proposed the “smart approach”, which aims to avoid Overbeck’s attack while keeping small key sizes.

The smart approach. As in Loidreau’s reparation, the only difference with the general scheme lies in the generation of \(\varvec{X}\). The authors propose a distortion matrix \(\varvec{X}\in \mathcal {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) that is the concatenation of a q-Vandermonde matrix \(\varvec{X}_1 \in \mathcal {M}_{k,a}\left( \mathbb {F}_{q^m}\right) \) and a random matrix \(\varvec{X}_2 \in \mathcal {M}_{k,\ell -a}\left( \mathbb {F}_{q^m}\right) \), with \(0< a < \ell \). More precisely, to build the public generator matrix, let \(\varvec{S}\in { \textsf {GL}}_k(\mathbb {F}_{q^m})\), \(\varvec{X}_2 \in \mathcal {M}_{k,\ell -a}\left( \mathbb {F}_{q^m}\right) \), \(\varvec{b}= \left( b_1, \cdots {}, b_a \right) \in \mathbb {F}_{q^m}^a\) and (writing \(b^{[i]}\) for \(b^{q^i}\))

$$\begin{aligned} \varvec{X}_1 = \begin{pmatrix} b_{1}^{[0]} & \cdots & b_{a}^{[0]} \\ \vdots & & \vdots \\ b_{1}^{[k-1]} & \cdots & b_{a}^{[k-1]} \end{pmatrix}. \end{aligned}$$
(6)

Select \(\varvec{P}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\) and compute

$$\begin{aligned} \varvec{G}_\mathrm{pub}= \varvec{S}\left( \varvec{X}_1 \mid \varvec{X}_2 \mid \varvec{G}\right) \varvec{P}\end{aligned}$$

Security. A successful cryptanalysis of the previous variants was recently proposed in [HMR15]. We also emphasise that there is a recent message recovery attack against the aforementioned variants, due to [GRS16, HTMR16].

5.4 LRPC Cryptosystem

Besides the Gabidulin codes, and inspired by the class of MDPC/LDPC codes in the Hamming metric, a new class of rank-metric codes, the Low Rank Parity Check (LRPC) codes, was recently proposed in [GMRZ13]. They are the adaptation of MDPC/LDPC codes to the rank metric, and the LRPC cryptosystem [GMRZ13] is thus the analogue of the MDPC McEliece scheme. The main advantage of the scheme is that it comes, like the MDPC PKC, with a quasi-cyclic version, which drastically reduces the key size. The QC-LRPC scheme is therefore one of the most promising rank-based encryption schemes, with several security arguments in its favour: compared to Gabidulin codes, LRPC codes have a weak algebraic structure and thus seem much better suited to cryptographic use; and the QC-LRPC scheme can be seen as a rank-metric analogue of NTRU [HPS98], and thus benefits from a long cryptanalytic experience.

6 Conclusion and Perspectives

In this article we have given a state-of-the-art of the McEliece encryption scheme. We have also detailed the main security threats for the scheme and for each of the mentioned variants. The general idea is to choose an appropriate private code that is masked into a public one. This technique raises a general security question: the indistinguishability of the public code from a random code. Even though several variants remain secure against existing attacks, there is no theoretical guarantee of their security; by that we mean that there is no security proof for the aforementioned variants. For instance, there is no formal proof that the public code is indistinguishable from a random one. The table in Fig. 2 summarizes the remaining secure code families in the McEliece scheme. We emphasize that this table is not complete, but the variants given are the principal ones with known parameters.

Fig. 2. Key size in bits for the remaining secure code families in the McEliece scheme

Following McEliece’s idea, a possible solution to this problem would be to find a new masking technique for which there is a formal proof of the indistinguishability of the public code from a random one. In [Wan16] the author proposes a masking technique for which he proves that the public code is equivalent to a random code, which would bring back into play all the structured codes whose masking has been broken. Another solution had already been proposed by Alekhnovich, who introduced an innovative approach based on the difficulty of decoding purely random codes [Ale11]. Several authors were inspired by his work [DMN12, DV13, KMP14, ABD+16]. These two approaches open a new perspective for code-based cryptography.