LDPC codes in the McEliece

arXiv:0710.0142v2 [cs.IT] 11 Jan 2009

cryptosystem: attacks and

countermeasures
Marco BALDI 1
Polytechnic University of Marche, Ancona, Italy

Abstract. The McEliece cryptosystem is a public-key cryptosystem based on cod-

ing theory that has successfully resisted cryptanalysis for thirty years. The original
version, based on Goppa codes, is able to guarantee a high level of security, and is
faster than competing solutions, like RSA. Despite this, it has been rarely consid-
ered in practical applications, due to two major drawbacks: i) large size of the pub-
lic key and ii) low transmission rate. Several attempts have been made for overcom-
ing such drawbacks, but the adoption of most families of codes has not been possi-
ble without compromising the system security. Low-Density Parity-Check (LDPC)
codes are state-of-art forward error correcting codes that permit to approach the
Shannon limit while ensuring limited complexity. Quasi-Cyclic (QC) LDPC codes
are a particular class of LDPC codes, able to join low complexity encoding of QC
codes with high-performing and low-complexity decoding techniques based on the
belief propagation principle. In a previous work it has been proposed to adopt a
particular family of QC-LDPC codes in the McEliece cryptosystem to reduce the
key size and increase the transmission rate. It has been shown that such variant is
able to counter all the classic attacks, and also attacks that can compromise the se-
curity of previous LDPC-based versions. Recently, however, new attacks have been
found that are able to exploit a flaw in the transformation from the private key to
the public one. Such attacks can be effectively countered by changing the form of
some constituent matrices, without altering the system parameters. This change has
marginal effects on the complexity of the cryptosystem that, instead, preserves its
security against all known attacks. This work gives an overview of the QC-LDPC
codes-based McEliece cryptosystem and its cryptanalysis. Two recent versions are
considered, and their ability to counter all the currently known attacks is discussed.
A third version able to reach a higher security level is also proposed. Finally, it is
shown that the new QC-LDPC codes-based cryptosystem scales favorably when
larger keys are needed, as very recently pointed out by the successful implementa-
tion of an attack against the original cryptosystem.

Keywords. McEliece Cryptosystem, LDPC Codes, Cryptanalysis.

Introduction

First presented by Robert J. McEliece in 1978 [1], the McEliece cryptosystem represents
one of the most famous examples of error correcting codes-based public key cryptosys-
1 The author is with the Department of Biomedical Engineering, Electronics and Telecommunications,

Polytechnic University of Marche, Ancona, Italy; E-mail: [email protected].

tem. It adopts generator matrices of linear block codes as private and public keys, and
the combination of a dense transformation and a permutation to hide the structure of the
secret code into the public generator matrix. Its security lies in the difficulty of decoding
a large linear code having no visible structure, that is an NP complete problem [2]. The
McEliece cryptosystem has successfully resisted cryptanalysis for thirty years, and no
algorithm able to realize a total break in a reasonable time has been found up to now.
Attacks achieving the lowest work factors aim at solving the general decoding prob-
lem, that consists in deriving the error vector affecting a codeword of an (n, k)-linear
block code (i.e., having length n and dimension k). It can be shown that this problem can
be translated into that of finding the minimum weight codeword in an (n, k + 1)-linear
block code, so the McEliece cryptosystem can also be attacked by means of algorithms
aimed at finding low weight codewords.
A first decoding attack was already proposed by McEliece in his paper [1] and is
based on the principle of information set decoding. It consists in selecting k bits of the
ciphertext and inverting the encoding map, hoping that none of them is in error. This
attack has been further improved by Lee and Brickell [3], who proposed a systematic
procedure for validating the decoded words and showed that the attack can be attempted
also when the chosen information set is affected by a small number of errors.
More recent decoding attacks are instead based on probabilistic algorithms searching
for low weight codewords. Stern’s algorithm [4] is among the most famous ones, and
it has been later improved by Canteaut and Chabaud [5]. Very recently, Bernstein et al.
have proposed a highly efficient implementation of the attack based on Stern’s algorithm
[6], that is able to achieve a speedup of about 12. The improved algorithm has been run
on a computer cluster, and an encrypted codeword of the original McEliece cryptosystem
has been correctly deciphered, thus proving the feasibility of an attack for the original
choice of the system parameters.
Despite this, no polynomial time attack has been found up to now, and the system
remains secure, provided that large enough keys are adopted in order to reach suitable
work factors on modern computers. In addition, the McEliece cryptosystem can be con-
sidered to be a post-quantum cryptographic system [7], since no polynomial time algo-
rithm able to exploit quantum computers for an attack has been found up to now. On the
contrary, Shor presented a quantum polynomial time algorithm for calculating discrete
logarithms that should be able to break RSA, DSA and ECDSA [8].
Moreover, the original version of the McEliece cryptosystem, based on binary
Goppa codes with irreducible generator polynomials, can be two or three orders of mag-
nitude faster than RSA. However, unlike RSA, the original McEliece cryptosystem has
been rarely considered in practical applications, due to its two major drawbacks: large
keys and low transmission rates. Many attempts have been made for replacing Goppa
codes with other families of codes in order to overcome such drawbacks, but they al-
ways compromised the system security. This occurred for Generalized Reed-Solomon
Codes [9] and Reed-Muller codes [10]. Successful total break attacks have also been
conceived for some versions adopting Quasi-Cyclic (QC) codes [11] and Low-Density
Parity-Check (LDPC) codes [12,13].
LDPC codes represent the state of the art in forward error correction and are able to
approach the ultimate capacity bounds [14]. Their performance under belief propagation
decoding depends on the characteristics of their sparse parity-check matrices and their
design can be performed on a random basis. Thus, it is possible to obtain large families
of equivalent codes, that is the first requisite for their application in cryptography. The
adoption of LDPC codes in the McEliece cryptosystem can yield many advantages: the
sparse nature of their parity-check matrices could help to reduce the key size, at least
in principle, and their easy design could allow to increase the transmission rate. Unfor-
tunately, the usage of LDPC matrices as public keys can compromise the system secu-
rity [12,13,15]. For this reason, it has been proposed to adopt public keys in the form of
generator matrices of a particular family of QC-LDPC codes, that are structured LDPC
codes. Their structured character allows to reduce the key size though using dense gen-
erator matrices.
Even with this choice, the adoption of sparse and block-wise diagonal transforma-
tion matrices can still expose the cryptosystem to total break attacks [16]; so, the original
proposal has been recently revised in such a way to not include this kind of matrices.
The new cryptosystem is immune against all currently know attacks, it allows a signifi-
cant reduction in the key size with respect to the original version and achieves increased
transmission rate. Furthermore, the size of its public keys increases linearly with the code
dimension; so the new cryptosystem scales favorably when larger keys are needed for
facing the growing computational power of modern computers.
The paper is organized as follows: Section 1 describes the original McEliece cryp-
tosystem, while Section 2 is focused on its variants based on LDPC codes. In Section 3
the most dangerous attacks against the cryptosystem security are studied, together with
their possible countermeasures. Section 4 is devoted to the complexity assessment of the
considered cryptosystems and Section 5 concludes the paper.

1. The original McEliece cryptosystem

Inspired by the introduction of asymmetric cryptography by Diffie and Hellmann [17],

McEliece proposed his code-based public key cryptosystem starting from the observation
that a fast decoding algorithm exists for a general Goppa code, while the same does not
occur for a general linear code [1].
In the McEliece cryptosystem, Bob randomly chooses an irreducible polynomial of
degree t over GF (2m ), that corresponds to an irreducible Goppa code of length n = 2m
and dimension k ≥ n − tm, able to correct t or fewer errors in each codeword. Then,
Bob produces a k × n generator matrix G for the secret code, in reduced echelon form,
that will be part of his secret key. The remaining part of the secret key is formed by two
other matrices: a dense k × k non singular matrix S and a random n × n permutation
matrix P.
Then, Bob produces his public key as follows (the inverses of S and P are used here,
rather than in the decryption map, for consistency with the notation used for the new
proposals):

G′ = S−1 · G · P−1 . (1)

Alice, in order to send encrypted messages to Bob, fetches his public key G′ from
the public directory, divides her message into k-bit words, and applies the encryption
map as follows:

x = u · G′ + e, (2)
 public directory

G' = S -1 G P -1

G' e P S

u x unsecure x u
Alice G Bob
channel
Goppa intentional permutation Goppa descrambling
encoder errors decoder

Figure 1. The original McEliece cryptosystem.

where x is the ciphertext corresponding to the cleartext u and e is a random vector of t

intentional errors.
Bob, after having received the encrypted message x, inverts the secret permutation,
thus finding a codeword of the secret Goppa code affected by the vector of intentional
errors e · P, having weight t:

x′ = x · P = u · S−1 · G + e · P. (3)

By exploiting Goppa decoding, Bob is able to correct all the t intentional errors. Hence
he can obtain u · S−1 , due to the systematic form of G, and then recover u through
multiplication by S. The main blocks of the McEliece cryptosystem are shown in Figure
1.
In his original formulation, McEliece adopted Goppa codes with length n = 1024
and dimension k = 524, able to correct up to t = 50 errors. The key size is hence
n×k = 67072 bytes, and the transmission rate is k/n ≈ 0.5. On the other hand, the RSA
system with 1024-bit modulus and public exponent 17 has keys of just 256 bytes and
reaches unitary transmission rate (i.e., encryption has no overhead on the transmission).
However, it must be considered that the McEliece cryptosystem is significantly faster
than RSA: it requires 514 binary operations per bit for encoding and 5140 for decoding.
On the contrary, RSA requires 2402 and 738112 binary operations per bit for encoding
and decoding, respectively [5].

2. LDPC codes in the McEliece cryptosystem

In this section a recent version of the McEliece cryptosystem based on QC-LDPC codes
is described. It exploits the peculiarities of QC-LDPC codes for overcoming the draw-
backs of the original system and it is able to resist all attacks currently known.
First, some basic properties of QC-LDPC codes are reminded, then it is shown how
the McEliece cryptosystem should be modified in order to use these codes as private and
public keys without incurring in security issues.
2.1. QC-LDPC codes based on difference families

LDPC codes represent a particular class of linear block codes, able to approach chan-
nel capacity when soft decision decoding algorithms based on the belief propagation
principle are adopted [14].
An (n, k) LDPC code C is defined as the kernel of a sparse (n − k) × n parity-check
matrix H:

C = c ∈ GF (2)n : H · cT = 0 .

(4)

In order to achieve very good performance under belief propagation decoding, the parity-
check matrix H must have a low density of 1 symbols (typically on the order of 10−3 )
and absence of short cycles in the associated Tanner graph. The shortest possible cycles,
that have length four, are avoided when any pair of rows (columns) has supports with no
more than one overlapping position.
These conditions suffice to obtain good LDPC codes; so they can be designed
through algorithms that work directly on the parity-check matrix, aiming at maximizing
the cycles length, like the Progressive Edge Growth (PEG) algorithm [18]. The codes
obtained are unstructured, in the sense that the positions of 1 symbols in each row (or
column) of the parity-check matrix are independent of the others. This feature influences
complexity of the encoding and decoding stages, since the whole matrix must be stored
and the codec implementation cannot take advantage of any cyclic or polynomial na-
ture of the code. In this case, a common solution consists in adopting lower triangu-
lar or quasi-lower triangular parity-check matrices, that correspond to sparse generator
matrices, in such a way as to reduce complexity of the encoding stage [19].
Opposite to this approach, structured LDPC codes have also been proposed, whose
parity-check matrices have a very simple inner structure. Among them, QC-LDPC codes
represent a very important class, able to join easy encoding of QC codes with the aston-
ishing performance of LDPC codes. For this reason, QC-LDPC codes have been included
in several recent telecommunication standards and applications [20,21].
QC-LDPC codes have both length and dimension multiple of an integer p, that is,
n = n0 p and k = k0 p. They have the property that each cyclic shift of a codeword by
n0 positions is still a valid codeword. This reflects on their parity-check matrices, that
are formed by circulant blocks. A p × p circulant matrix A over GF (2) is defined as
follows:
 
a0 a1 a2 · · · ap−1
 ap−1 a0 a1 · · · ap−2 
 
A =  ap−2 ap−1 a0 · · · ap−3  , (5)
 
 .. .. .. . . .. 
 . . . . . 
a1 a2 a3 · · · a0

where ai ∈ GF (2), i = 0 . . . p − 1.
A simple isomorphism exists between the algebra of p × p binary circulant matrices
and the ring of polynomials GF (2)[x]/(xp +1). If we denote by X the unitary cyclic per-
mutation
Pp−1 matrix, the isomorphismP maps X into the monomial x and the circulant matrix
i p−1 i p
i=0 α i X into the polynomial i=0 αi x ∈ GF (2)[x]/(x + 1). This isomorphism
can be easily extended to matrices formed by circulant blocks.
 Let us focus attention on a particular family of QC-LDPC codes, having the parity-
check matrix formed by a single row of n0 circulant blocks, each with row (column)
weight dv :

H = [H0 |H1 | . . . |Hn0 −1 ] . (6)

If we suppose (without loss of generality) that Hn0 −1 is non singular, a valid generator
matrix for the code in systematic form can be expressed as follows:

T 
H−1n0 −1 · H0

T 
H−1n0 −1 · H1

 
G = I
..
,
 (7)
 . 

T
H−1
n0 −1 · Hn0 −2

where I represents the k × k identity matrix.

Very simple methods for designing parity-check matrices in the form (6), free of
length-4 cycles, are those exploiting differences families and their variants [22,23,24].
Such methods are based on the observation that, if we denote as hi , i = 0 . . . n0 − 1,
the vector containing the positions of 1 symbols in the first row of Hi , the absence of
length-4 cycles in H is ensured when all the hi ’s have disjoint sets of differences modulo
p. Sets of hi ’s with such property can be obtained on a random basis, so yielding large
families of codes with identical parameters [13].
All the codes in a family share the characteristics that mostly influence performance
of belief propagation decoding, that are: code length and dimension, parity-check matrix
density, nodes degree distributions and cycles length distribution. So, they have equiva-
lent error correction performance under belief propagation decoding.
In order to apply such codes within the framework of the McEliece cryptosystem, it
is interesting to assess their error correction capability over a channel that adds exactly t
errors in each codeword. This channel can be seen as a variant of the Binary Symmetric
Channel (BSC), and will be denoted as the McEliece channel in the following. This eval-
uation can be done through numerical simulations: Figure 2 shows the performance in
terms of Bit Error Rate (BER) and Frame Error Rate (FER) of three QC-LDPC codes that
will be of interest in the following. They have (n, k) = (16384, 12288), (24576, 16384)
and (49152, 32768), respectively.
It is important to note that the decoding radius of LDPC codes over the McEliece
channel cannot be determined analytically, as instead occurs for Goppa codes; so, we can
only choose values of t that are able to ensure an extremely low error rate.

2.2. McEliece cryptosystem adopting QC-LDPC codes

The adoption of QC-LDPC codes in the McEliece cryptosystem can yield important
advantages in terms of key size and transmission rate. As any other family of linear
block codes, QC-LDPC codes are exposed to the same attacks targeted to the original
cryptosystem; among them, decoding attacks represent the most dangerous ones (as it
will be shown in Section 3.3).
Moreover, the adoption of LDPC codes could expose the system to new attacks,
due to the sparse nature of their matrices. It was already observed in [12] that LDPC
 0
10

-1
10

-2
10

-3
10
n = 16384 n = 24576 n = 49152
-4
k = 12288 k = 16384 k = 32768
10

-5
10

-6
10
BER

FER

t
-7
10
0 100 200 300 400 500 600 700 800 900 1000 1100 1200 1300 1400 1500

Figure 2. Performance of some QC-LDPC codes over the McEliece channel.

matrices cannot be used for obtaining the public key, not even after applying a linear
transformation through a sparse matrix. In this case, the secret LDPC matrix could be
recovered through density reduction attacks, that aim at finding the rows of the secret
matrix by exploiting their low density [12,25].
One could think to replace LDPC matrices with their corresponding generator ma-
trices that, in general, are dense. Actually, this is what happens in the original McEliece
cryptosystem, where a systematic generator matrix for the secret Goppa code is used,
hidden through a permutation. However, a permutationally equivalent code of an LDPC
code is still an LDPC code, and the rows of its LDPC matrix could be found by searching
for low weight codewords in the dual of the secret code. We call this strategy attack to
the dual code: it aims at finding a sparse representation for the parity-check matrix of the
public code, that can be used for effective LDPC decoding.
So, when adopting LDPC codes in the McEliece cryptosystem, it does not suffice to
hide the secret code through a permutation, but it must be ensured that the public code
does not admit sparse characteristic matrices. For this reason, it has been proposed to
replace the permutation matrix P with a different transformation matrix, Q [13]. Q is a
sparse n × n matrix, with rows and columns having Hamming weight m > 1. This way,
the LDPC matrix of the secret code (H) is mapped into a new parity-check matrix that is
valid for the public code:

H′ = H · QT . (8)

Depending on the value of m, the density of H′ could be rendered high enough to avoid
attacks to the dual code.
 Table 1. Choices of the parameters for the QC-LDPC-based McEliece cryptosystem.
System n0 dv p m t′ Key size (bytes)
1 4 13 4096 7 27 6144
2 3 13 8192 11 40 6144
3 3 15 16384 13 60 12288

In the modified cryptosystem, Bob chooses a secret LDPC code by fixing its parity-
check matrix, H, and selects two other secret matrices: a k × k non singular scrambling
matrix S and an n × n non singular transformation matrix Q with row/column weight
m. Then, Bob obtains a systematic generator matrix G for the secret code and produces
his public key as follows:

G′ = S−1 · G · Q−1 . (9)

It should be noted that the public key is a dense matrix, so the sparse character of LDPC
codes does not help reducing the key length. However, when adopting QC-LDPC codes,
the characteristic matrices are formed by circulant blocks that are completely described
by a single row or column. This fact significantly reduces the key length that, moreover,
increases linearly with the code length.
The encryption map is the same as in the original cryptosystem: G′ is used for
encoding and a vector e of intentional errors is added to the encoded word. The Hamming
weight of vector e, in this case, is denoted as t′ . The decryption map must be slightly
modified with respect to the original cryptosystem. After having received a ciphertext,
Bob must invert the transformation as follows:

x′ = x · Q = u · S−1 · G + e · Q, (10)

thus obtaining a codeword of the secret LDPC code affected by the error vector e · Q
with weight ≤ t = t′ m. After that, Bob must be able to correct all the errors through
LDPC decoding and obtain u · S−1 , due to the systematic form of G. Finally, he can
recover u through multiplication by S.
It should be noted that the introduction of the transformation matrix Q in place
of the permutation matrix causes an error amplification effect (by a factor m). This is
compensated by the error correction capability of the secret LDPC code, that must be
able to correct t errors.
Based on this scheme, two possible choices of the system parameters have been
recently proposed, that are able to ensure different levels of security against currently
known attacks [26]. A third choice is here considered that demonstrates how the cryp-
tosystem scales favorably when larger keys are needed for facing efficient implementa-
tions of the attacks, as the one proposed recently. For the three codes considered (whose
performance is reported in Figure 2), t = 189, 440 and 780 has been assumed, respec-
tively, and m and t′ have been fixed accordingly. The considered values of the parameters
are summarized in Table 1. It should be noted that the key size is simply k0 n0 p, since the
whole matrix can be described by storing only the first row (or column) of each circulant
block.
 Table 2. Work factors of attacks to the dual code.
System n0 dv p m Max WF w(WF ≥ 280 )
1 4 13 4096 7 2153 179
2 3 13 8192 11 2250 127
3 3 15 16384 13 2340 124

3. Attacks and countermeasures

For the sake of conciseness, this section considers only the attacks that are able to achieve
the lowest work factors for the considered cryptosystem, together with their possible
countermeasures.

3.1. Attacks to the dual code

This kind of attacks exploits the fact that the dual of the public code, that is generated by
H′ , may contain low weight codewords, and such codewords can be searched through
probabilistic algorithms. Each row of H′ is a valid codeword of the dual code, so it has
at least Aw ≥ (n − k) codewords with weight w ≤ dc m, where dc = n0 dv is the row
weight of H.
It should be observed that dc ≪ n and the supports of sparse vectors have very
small (or null) intersection. So, by introducing an approximation, we can consider Aw ≈
(n − k). With similar arguments, and assuming a small m, we can say that the rows of
H′ have weight w ≈ dc m = n0 dv m.
One of the most famous probabilistic algorithms for finding low weight codewords is
due to Stern [4] and exploits an iterative procedure. When Stern’s algorithm is performed
on a code having length nS and dimension kS , the probability of finding, in one iteration,
one of Aw codewords with weight w is [27]:
w

nS −w

w−g

nS −kS /2−w+g
nS −kS −w+2g


g kS /2−g g kS /2−g l
Pw,Aw ≤ Aw · nS

· nS −kS /2

· nS −kS

, (11)
kS /2 kS /2 l

where g and l are two parameters whose values must be optimized as functions of the
total number of binary operations. So, the average number of iterations needed to find a
−1
low weight codeword is c ≥ Pw,A w
. Each iteration requires:

kS /2 2


(nS − kS )3 2g(nS − kS )
 
2 kS /2 g
N= + kS (nS − kS ) + 2gl + (12)
2 g 2l

binary operations, so the total work factor is WF = cN .

In the present case, Stern’s algorithm is used for attacking the dual of the public
code, so nS = n and kS = n − k. Table 2 reports the values of the maximum work
factor achieved (i.e., when w = dc m) by the considered solutions, together with the
minimum value of w needed to have work factor ≥ 280 (noted by w(WF ≥ 280 ) in
the figure). Based on these results, it seems that all the three systems can be considered
secure against attacks to the dual code.
3.2. OTD attacks

In the cryptosystem version proposed in [13], both S and Q were chosen sparse, with
non-null blocks having row/column weight m, and
 
Q0 0 0 0
 0 Q1 0 0 
Q= . (13)
 
 0 0 .. 0. 
0 0 0 Qn0 −1

This gave raise to an attack formulated by Otmani, Tillich and Dallot, that is here denoted
as OTD attack [16].
The rationale of this attack lies in the observation that, by selecting the first k
columns of G′ , an eavesdropper can obtain
 −1 
Q0 0 ... 0
 0 Q−1 1 ... 0 
G′≤k = S−1 ·  . . (14)
 
.. .. ..
 .. . . . 
0 0 . . . Q−1
n0 −2

Then, by inverting G′≤k and considering its block at position (i, j), he can obtain Qi Si,j ,
that corresponds to the polynomial

gi,j (x) = qi (x) · si,j (x) mod (xp + 1) . (15)

If both Qi and Si,j are sparse, it is highly probable that gi,j (x) has exactly m2 non-null
coefficients and that its support contains at least one shift xla · qi (x), 0 ≤ la ≤ p − 1.
Three possible strategies have been proposed for implementing this attack. Accord-
ing to the first strategy, the attacker can enumerate all the m-tuples belonging to the sup-
port of gi,j (x). Each m-tuple can be then validated through inversion of its correspond-
ing polynomial and multiplication by gi,j (x). If the resulting polynomial has exactly m
non-null coefficients, the m-tuple is a shifted version of qi (x) with very high probability.
The second strategy exploits the fact that it is highly probable that the Hadamard prod-
d
uct of the polynomial gi,j (x) with a d-shifted version of itself, gi,j (x) ∗ gi,j (x), gives a
shifted version of qi (x), for a specific value of d. The eavesdropper can hence calculate
d
all the possible gi,j (x) ∗ gi,j (x) and check whether the resulting polynomial has m non
null coefficients. As a third strategy, the attacker can consider the i-th row of the inverse
of G′≤k :

Ri = [Qi Si,0 |Qi Si,1 | . . . |Qi Si,n0 −2 ] . (16)

The linear code generated by

−1
· Ri = I|S−1 −1
 
GOT D3 = (Qi Si,0 ) i,0 Si,1 | . . . |Si,0 Si,n0 −2 (17)

admits an alternative generator matrix:

G′OT D3 = Si,0 GOT D3 = [Si,0 |Si,1 | . . . |Si,n0 −2 ] (18)

that coincides with a block row of matrix S. When matrix S is sparse, the code defined
by G′OT D3 contains low weight codewords. Such codewords coincide with the rows of
G′OT D3 and can be effectively searched through Stern’s algorithm.
With the choice of the parameters made in [13], that is almost coincident with the
first choice in Table 1, the three OTD attack strategies would require, respectively, 250.3 ,
236 and 232 binary operations. These low values can be easily reached with a standard
computer, so that cryptosystem must be considered broken.
However, the OTD attacks rely on the fact that both S and Q are sparse and that
Q has block-diagonal form. So, they can be effectively countered by adopting dense S
matrices, without altering the remaining system parameters. With dense S matrices the
eavesdropper cannot obtain Qi and Si,j , even knowing Qi Si,j , the probability that the
support of gi,j (x) contains that of at least one shift of qi (x) becomes extremely small
and the code generated by GOT D3 does not contain any more low weight codewords.
For preserving the ability of correcting all the intentional errors, it is important that
Q remains sparse (with row/column weight m). The choice of a dense S influences
complexity of the decoding stage, that, however, can be reduced by resorting to efficient
computation algorithms for circulant matrices [26].

3.3. Decoding attacks

As stated in the Introduction, the most promising attacks against the McEliece cryptosys-
tem are those aiming at solving the general decoding problem, that is to obtain the error
vector e used for encrypting a ciphertext.
It can be easily shown that e can be searched as the lowest weight codeword in the
extended code generated by
 ′
G
G′′ = . (19)
x
In order to evaluate the work factor of such attacks, we refer to Stern’s algorithm,
whose complexity can be easily evaluated in closed form, as already shown in Section
3.1. Stern’s algorithm has been further improved in [5] and, very recently, in [6]. Esti-
mating the work factor of such modified algorithms is more involved, and requires mod-
eling the attack through Markov chains. For this reason, we continue to refer to Stern’s
original formulation. For our purposes, it seems sufficient to take into consideration that
the adoption of optimized algorithms could result in a further speedup of about 12 times,
as reported in [6]. According with the expressions reported in Section 3.1, the work fac-
tor of a decoding attack against the original McEliece cryptosystem based on Stern’s
algorithm would be 263.5 .
In the considered cryptosystem based on QC-LDPC codes, an extra speedup could
result by considering the quasi-cyclic nature of the codes. This yields that every block-
wise cyclically shifted version of the ciphertext x is still a valid ciphertext. So, an eaves-
dropper could continue extending G′′ by adding shifted versions of x, and could search
for as many shifted versions of the error vector. Figure 3 reports the values of the work
factor of decoding attacks to the considered cryptosystem as functions of the number of
rows added to G′ . The three considered choices of the system parameters reach, respec-
tively, a minimum work factor of 265.6 , 275.8 and 2106.5 binary operations.
Being the smallest work factors reached by currently known attacks, these values
can be considered as the security levels of the three cryptosystems.
 115

110

105

100

95
log (WF)

90
2

85

80

75

70 System 1

System 2
65 System 3

0 200 400 600 800 1000 1200 1400 1600 1800 2000

Rows added

Figure 3. Work factor of decoding attacks based on Stern’s algorithm.

4. Complexity

In order to compare the considered cryptosystems with more consolidated solutions, it is

important to estimate the complexity of both its encryption and decryption stages.
The encryption complexity is dominated by LDPC encoding, that coincides with
calculating the product u · G′ . The number of binary operations needed by such task is
denoted as Cmul (u · G′ ). Further n operations must be considered for addition of the
intentional error vector e. So, the encryption complexity can be expressed as follows:

Cenc = Cmul (u · G′ ) + n. (20)

The computational cost of matrix multiplication can be reduced by exploiting the

fact that each matrix is formed by p × p binary circulant blocks. Due to the isomorphism
with the ring of polynomials GF (2)[x]/(xp + 1), efficient algorithms for polynomial
multiplication over finite fields can be adopted. We refer to the Toom-Cook method, that
is very efficient in the cases of our interest, but other strategies are possible [26].
As regards decryption complexity, it can be split into three contributions, corre-
sponding to: i) calculating the product x · Q, ii) decoding the secret LDPC code and iii)
calculating the product u′ · S. So, it can be expressed as follows:

Cdec = Cmul (x · Q) + CSP A + Cmul (u′ · S) , (21)

where CSP A is the number of operations required for LDPC decoding through the sum-
product algorithm. By referring to the implementation proposed in [28], we can express
CSP A as follows:
 Table 3. Parameters of the considered cryptosystems.
McEliece Niederreiter RSA QC-LDPC QC-LDPC QC-LDPC
(1024, 524) (1024, 524) 1024-bit mod. McEliece 1 McEliece 2 McEliece 3
public exp. 17
Key Size a 67072 32750 256 6144 6144 12288
Rate 0.51 0.57 1 0.75 0.67 0.67
kb 524 284 1024 12288 16384 32768
Cenc /k c 514 50 2402 658 776 1070
Cdec /k d 5140 7863 738112 4678 8901 12903

a Expressedin bytes.
b Informationblock length (bits).
c Number of binary operations per information bit for encryption.
d Number of binary operations per information bit for decryption.

CSP A = Iave · n [q (8dv + 12R − 11) + dv ] , (22)

where Iave is the average number of decoding iterations and q is the number of quanti-
zation bits used inside the decoder (both of them can be estimated through simulations).
By using Eq. (20) and (21), it is possible to estimate the encryption and decryption
cost in terms of binary operations per information bit. This has been done in Table 3, that
summarizes the main parameters of the considered cryptosystems and compares them
with those of more consolidated solutions (for the first three systems the complexity
estimates are reported from [5]).
It can be noticed that all the three systems based on QC-LDPC codes have shorter
keys and higher rates with respect to the original McEliece cryptosystem and the Nieder-
reiter version; so, they succeed in improving their main drawbacks. In particular, the first
QC-LDPC-based system, that reaches a security level comparable with that of the origi-
nal McEliece cryptosystem, has key size reduced by more than 10 times with respect to
it and more than 5 times with respect to the Niederreiter version. Furthermore, the new
system has increased transmission rate (up to 3/4).
The security level can be increased at the expenses of the transmission rate: the
second QC-LDPC-based system has same key size as the first one, but its transmission
rate is reduced from 3/4 to 2/3. As a counterpart, its security level is increased by a
factor of about 210 .
Larger keys can be adopted in order to reach higher security levels, that are needed
for facing efficient decoding attacks implemented on modern computers. The third QC-
LDPC-based system is able to reach a security level of 2106.5 by doubling the key size
(that is still more than 5 times smaller than in the original cryptosystem). It should be
noted that the system scales favorably when larger keys are needed, since the key size
grows linearly with the code length, due to the quasi-cyclic nature of the codes, while in
the original system it grows quadratically.
As concerns complexity, it can be observed that the first QC-LDPC-based cryptosys-
tem has encryption and decryption costs comparable with those of the original McEliece
cryptosystem. The Niederreiter version is instead able to significantly reduce the encryp-
tion cost. Encryption and decryption complexity increases for the other two QC-LDPC-
based variants, but it still remains considerably lower with respect to RSA. On the other
hand, RSA has the smallest keys and reaches unitary rate.
5. Conclusion

It has been shown that the adoption of LDPC codes in the framework of the McEliece
cryptosystem can help overcoming its drawbacks, that are large keys and low transmis-
sion rate. However, such choice must be considered carefully, since the sparse nature of
the characteristic matrices of LDPC codes can expose the system to classic as well as
newly developed attacks. In particular, the misuse of sparse transformation matrices can
expose the system to total break attacks, able to recover the secret key with reasonable
complexity.
The adoption of dense transformation matrices permits to avoid such attacks, and
the quasi-cyclic nature of the codes still allows to reduce the key size. Furthermore, the
McEliece cryptosystem based on QC-LDPC codes can exploit efficient algorithms for
polynomial multiplication over finite fields for encryption and low complexity LDPC
decoding algorithms for decryption, that reduce its computational complexity.
For these reasons, it seems that the considered variants of the McEliece cryptosystem
can be seen as a trade-off between its original version and other widespread solutions,
like RSA.

Acknowledgments

The author wishes to thank Franco Chiaraluce for his contribution and Raphael Overbeck
for helpful discussion on attacks.

References

[1] R. J. McEliece. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report,
pages 114–116, 1978.
[2] E. Berlekamp, R. McEliece, and H. van Tilborg. On the inherent intractability of certain coding prob-
lems. IEEE Trans. Inform. Theory, 24:384–386, May 1978.
[3] P. Lee and E. Brickell. An observation on the security of McEliece’s public-key cryptosystem. In
Advances in Cryptology - EUROCRYPT 88, pages 275–280. Springer, 1988.
[4] J. Stern. A method for finding codewords of small weight. In G. Cohen and J. Wolfmann, editors,
Coding Theory and Applications, volume 388 of Lecture Notes in Computer Science, pages 106–113.
Springer, 1989.
[5] A. Canteaut and F. Chabaud. A new algorithm for finding minimum-weight words in a linear code:
application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans.
Inform. Theory, 44:367–378, January 1998.
[6] D. J. Bernstein, T. Lange, and C. Peters. Attacking and defending the McEliece cryptosystem. In Post-
Quantum Cryptography, volume 5299 of Lecture Notes in Computer Science, pages 31–46. Springer
Berlin / Heidelberg, 2008.
[7] D. J. Bernstein. Introduction to post-quantum cryptography, chapter 1, pages 1–14. Springer, 2009.
[8] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum
computer. SIAM J. Comput., 26(5):1484–1509, 1997.
[9] H. Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Probl. Contr. and Inform.
Theory, 15:159–166, 1986.
[10] V. M. Sidelnikov. A public-key cryptosystem based on binary Reed-Muller codes. Discrete Mathematics
and Applications, 4(3), 1994.
[11] P. Gaborit. Shorter keys for code based cryptography. In Proc. Int. Workshop on Coding and Cryptog-
raphy (WCC 2005), pages 81–90, Bergen, Norway, March 2005.
[12] C. Monico, J. Rosenthal, and A. Shokrollahi. Using low density parity check codes in the McEliece
cryptosystem. In Proc. IEEE International Symposium on Information Theory (ISIT 2000), page 215,
Sorrento, Italy, June 2000.
[13] M. Baldi and F. Chiaraluce. Cryptanalysis of a new instance of McEliece cryptosystem based on QC-
LDPC codes. In Proc. IEEE International Symposium on Information Theory (ISIT 2007), pages 2591–
2595, Nice, France, June 2007.
[14] T. J. Richardson and R. L. Urbanke. The capacity of low-density parity-check codes under message-
passing decoding. IEEE Trans. Inform. Theory, 47:599–618, February 2001.
[15] M. Baldi, F. Chiaraluce, R. Garello, and F. Mininni. Quasi-cyclic low-density parity-check codes in
the McEliece cryptosystem. In Proc. IEEE International Conference on Communications (ICC 2007),
Glasgow, Scotland, June 2007. to be presented.
[16] A. Otmani, J. P. Tillich, and L. Dallot. Cryptanalysis of two McEliece cryptosystems based on quasi-
cyclic codes. In Proc. First International Conference on Symbolic Computation and Cryptography (SCC
2008), Beijing, China, April 2008.
[17] W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, 22:644–654,
November 1976.
[18] X. Y. Hu, E. Eleftheriou, and D. M. Arnold. Regular and irregular progressive edge-growth Tanner
graphs. IEEE Trans. Inform. Theory, 51:386–398, January 2005.
[19] T. J. Richardson and R. L. Urbanke. Efficient encoding of low-density parity-check codes. IEEE Trans.
Inform. Theory, 47:638–656, February 2001.
[20] 802.16e 2005. IEEE Standard for Local and Metropolitan Area Networks - Part 16: Air Interface for
Fixed and Mobile Broadband Wireless Access Systems - Amendment for Physical and Medium Access
Control Layers for Combined Fixed and Mobile Operation in Licensed Bands, December 2005.
[21] CCSDS. Low Density Parity Check Codes for use in Near-Earth and Deep Space Applications. Techni-
cal Report Orange Book, Issue 2, Consultative Committee for Space Data Systems (CCSDS), Washing-
ton, DC, USA, September 2007. CCSDS 131.1-O-2.
[22] S. J. Johnson and S. R. Weller. A family of irregular LDPC codes with low encoding complexity. IEEE
Commun. Lett., 7:79–81, February 2003.
[23] T. Xia and B. Xia. Quasi-cyclic codes from extended difference families. In Proc. IEEE Wireless
Commun. and Networking Conf., volume 2, pages 1036–1040, New Orleans, USA, March 2005.
[24] M. Baldi and F. Chiaraluce. New quasi cyclic low density parity check codes based on difference
families. In Proc. Int. Symp. Commun. Theory and Appl. (ISCTA 05), pages 244–249, Ambleside, UK,
July 2005.
[25] M. Baldi. Quasi-Cyclic Low-Density Parity-Check Codes and their Application to Cryptography. PhD
thesis, Università Politecnica delle Marche, Ancona, Italy, November 2006.
[26] M. Baldi, M. Bodrato, and F. Chiaraluce. A new analysis of the McEliece cryptosystem based on QC-
LDPC codes. In Security and Cryptography for Networks, volume 5229 of Lecture Notes in Computer
Science, pages 246–262. Springer Berlin / Heidelberg, 2008.
[27] M. Hirotomo, M. Mohri, and M. Morii. A probabilistic computation method for the weight distribution
of low-density parity-check codes. In Proc. IEEE International Symposium on Information Theory (ISIT
2005), pages 2166–2170, Adelaide, Australia, September 2005.
[28] X. Y. Hu, E. Eleftheriou, D. M. Arnold, and A. Dholakia. Efficient implementations of the sum-product
algorithm for decoding LDPC codes. In Proc. IEEE Global Telecommunications Conference (GLOBE-
COM ’01), volume 2, pages 1036–1036E, San Antonio, TX, November 2001.