Content uploaded by Pierre-Louis Cayrel

Author content

All content in this area was uploaded by Pierre-Louis Cayrel

Content may be subject to copyright.

McEliece/Niederreiter PKC: sensitivity to fault

injection

PIERRE-LOUIS CAYREL

Center for Advanced Security Research Darmstadt,

CASED - Mornewegstrasse 32, 64293 Darmstadt, Germany

Email: pierre-louis.cayrel@cased.de

PIERRE DUSART

Université de Limoges, XLIM-DMI,

123 Av. Albert Thomas, 87060 Limoges Cedex, France.

Email: pierre.dusart@xlim.fr

Abstract—The McEliece and Niederreiter public key cryptosys-

tems (PKC) are presumed secure in a post quantum world [4]

because there is no efﬁcient quantum algorithm that solves the

hard problems upon which these cryptosystems are built. The

present article indicates, however, a different type of vulnerability

for such cryptosystems, namely fault injection. We present the

injection fault in the McEliece scheme using Goppa codes and in

two variants using quasi-cyclic alternant and quasi-dyadic codes,

and describe the main difference of those constructions in this

context.

I. INTRODUCTION

In 1978, R. J. McEliece presented the ﬁrst version of

the cryptosystem which was to become the reference in

coding-theory-based public key cryptography [14]. The origi-

nal McEliece construction uses Goppa codes. However, many

other families of codes have in the mean time been proven

suitable for the McEliece system.

Against such a scheme, two classes of attacks are efﬁ-

cent: decoding attacks and structural attacks. A good tradeoff

between error-correction capability and rate is necessary in

order to make codes resistant to direct decoding attacks.

Furthermore, a good McEliece-cryptosystem designer must

also choose codes which are structurally secure, as such

attacks are very efﬁcient whenever applicable (see [18] for

example).

The McEliece cryptosystem presents a good alternative to

the classic number theory encryption scheme. Its security has

been studied for years and a lot of distinct constructions have

been proposed in order to reduce the huge size of public

keys. After several improvements, the use of quasi-cyclic

alternant codes leads to a public key of 6,500 bits (see [3])

and 4,096 bits using quasi-dyadic Goppa codes [2]. These

two constructions appear to be secure against decoding and

structural attacks.

In the real world, it is also important to consider side

channel attacks on real implementations and hardware. A ﬁrst

study of side channel attacks on the McEliece construction was

done in [15]. We present here a fault injection study of those

schemes, and show that the quasi-cyclic and the quasi-dyadic

constructions present a weakness in this context. We focus our

analysis on the encryption scheme (a direct area of application

is satellite communication, which only involves encryption).

Our contribution

In their paper [15], the authors deal with side channel

(timing) attacks against the McEliece scheme, but do not

consider fault injection. In its classical form, the fault attack

features an adversary who tries to ﬁnd a secret key by

analysing faulty outputs, which it obtains by inserting faulty

inputs into the algorithm. More concretely, the adversary

compares faulty ciphertexts obtained by encrypting different

faulty plaintexts, or it compares a faulty ciphertext with an

unfaulty one. Our approach is to study the sensitivity of the

McEliece cryptosystem to fault injection. In particular, we

consider an adversary whose goal is to produce a denial of

service. In order to do so, it will try to provoke a fault which

cannot be corrected by the error-correcting capacity of the

code.

We focus on encryption (in this context, this is equivalent

to encoding) and on the parameters necessary for the matrix

design. Our intention is to show that code-based cryptosystems

are intrinsically fault-resistant; by contrast, in public key RSA

systems, injection of public parameters (modulus nand public

exponent e) will cause a change in the resulting ciphertext

if and only if the plaintext mis not identically 0 or 1.

With probability very close to one, therefore, the attacker will

be able to modify the ciphertext, thus causing an effective

interruption in communication. We show that the resistance of

McEliece cryptosystems to such an attack heavily depends on

the underlying code.

In particular, the very efﬁcient quasi-cyclic and quasi-dyadic

codes are not secure against this kind of attack, while the less

efﬁcient, original McEliece scheme based on Goppa codes is.

Although a similar study of the decryption algorithm for

code-based schemes is already in progress, this analysis is

considered out of the scope of the present paper.

Organisation

This paper is constructed as follows. Section 2 presents

as preliminaries the McEliece and Niederreiter PKC and

their new constructions (using quasi-cyclic alternant codes

and quasi-dyadic Goppa codes) which reduce the key size.

We describe the parameters for each of the three underlying

codes, including the classical Goppa code setting, in Section 3.

Section 4 provides further details about fault attacks. Section

5 outlines the security of the McEliece PKC against this kind

978-1-4244-6949-9/10/$26.00 ©2010 IEEE

KeyGen(1κ)(κis the security parameter)

1) Choose n,kand taccording to κ

2) Randomly pick a generator matrix G0of an [n, k, 2t+1]

binary Goppa code C

3) Randomly pick an n×npermutation matrix P

4) Randomly pick a k×kinvertible matrix S

5) Compute G=S×G0×P

6) Output pk := (G,t)and sk := (S,G0,P,γ),where γ

is a t-bounded decoding algorithm of C

Fig. 1. Key generation algorithm of the McEliece cryptosystem

of attacks. Section 6 discusses the security of the Niederreiter

scheme in this context. Section 7 concludes the paper.

II. PRELIMINARIES

A. The McEliece PKC

The McEliece PKC [14] represents one of the oldest public-

key cryptosystem in use today. It is also the ﬁrst public-

key cryptosystem based on linear error-correcting codes. The

principle is to select a linear code of length nand dimension

kthat is able to efﬁciently correct terrors. The chosen code

must then be transformed into a random-looking code. A

description of the original code and the transformations can

serve as the private key, while a description of the modiﬁed

code serves as the public key. McEliece’s original proposal

bases the construction on a binary Goppa code, and uses

a generator matrix of this code, which is then randomised.

The encryption function encodes a message into a codeword

of the public-key code and adds an error vector of weight

t. The decryption function basically decodes the ciphertext

by recovering the secret code through the trapdoor which

consists of the transformations. Niederreiter [17] also proposed

a public-key cryptosystem based on linear codes in which the

public key is a parity-check matrix. It is proved in [13] that

these two systems are equivalent in terms of security.

The McEliece cryptosystem [14] uses error-correcting codes

that have an efﬁcient decoding algorithm in order to build

trapdoor one-way functions.

The parameters of McEliece’s original construction are

[2m,2m−mt, ≥2t+1] where mand tare non-negative

integers. Additionally, a binary Goppa code can be decoded

by an efﬁcient t-bounded decoding algorithm. The principle

of the McEliece cryptosystem is to randomly pick a code C

among the family of binary Goppa codes. The private key is

the Goppa polynomial of C. The public key will be a generator

matrix that is obtained from the private key and by two random

linear transformations: the scrambling transformation S, which

sends the secret matrix Gto another generator matrix, and a

permutation transformation which reorders the columns of this

resulting matrix.

Figures 1 and 2 outline the key generation, encryption, and

respectively decryption algorithms.

Encrypt(pk,m∈Fk

2)

1) Randomly pick ein F2

of weight t

2) Compute c:= m×G+

e

3) Output c

Decrypt(sk,c∈Fn

2)

1) Compute z:= c×P−1

2) Compute y:= γ(z)

3) Output m:= y×S−1

Fig. 2. Encryption and decryption algorithms of the McEliece cryptosystem

B. Constructions to reduce the key size

A possible solution to the problem of the huge key size of

the McEliece scheme, is to take very sparse matrices. This

idea has been explored in [16], where the authors examined

the implications of using low density parity-check (LDPC)

codes. The authors showed that taking sparse matrices for

the linear transformations is an unsafe solution. A method

originating in [9] tries to minimise key size by using quasi-

cyclic codes [9], [1], [11], [10], [6]. This particular family of

codes fortunately has a very simple and compact description.

The ﬁrst proposal [9] uses subcodes of a primitive BCH cyclic

code. The size of the public key for this cryptosystem is only

12Kbits. Another approach attempts to combine the beneﬁts

of quasi-cyclicity and the sparse matrices of LDPC codes

appears in [1] . The authors propose a public key size that

is about 48Kbits. However, recent results [18] show that the

cryptosystems [9], [1] can be completely broken.

Two other constructions (unbroken up to date) use quasi-

cyclic alternant codes [3] and quasi-dyadic Goppa codes [2].

We focus on these two constructions.

Remark : In 2009, two new structural attacks have been

proposed against quasi-cyclic alternant codes and quasi-dyadic

Goppa codes : The ﬁrst is a Sidelnikov-Shestakov type attack

by Umana and Leander [12]; the second was proposed by

Faugère, Otmani, Perret, and Tillich [8] and carries the same

spirit as an earlier attack against quasi-cyclic BCH codes [18].

It seems that binary Goppa codes, and those codes alone,

require an attack strategy that is different from the techniques

published so far. Note that no structural attacks have so far

been found against binary Goppa codes.

1) Quasi-cyclic alternant codes [3]: Let q=pdfor some

d>0,and pa prime power. An alternant code A(L, D)over

Fpis deﬁned by:

•a sequence L∈(Fq)nof distinct elements with n≤p;

•a sequence D∈(Fq)nof nonzero elements;

•easily decodable (t/2errors) syndromes from H=

Tp(vdmt(L)·diag(D)).

A Goppa code G(L, g)over Fpis an alternant code where:

•L∈(Fq)nsatisﬁes g(L)=0,and D=(1/g(L)) for

some monic polynomial g(x)∈Fq[x]of degree t;

•good error correction capability (all tdesign errors) in

characteristic 2.

We can also see an alternant code as a subﬁeld subcode of

a Generalized Reed-Solomon code over a ﬁnite ﬁeld. For a

more extensive treatment of this topic, we recommend [3].

Another type of alternant codes exhibit a desirable property,

namely quasi-cyclicity, and thus allow for the entire parity

check matrix to be generated by its ﬁrst row.

Let lbe an integer value. A quasi-cyclic matrix H(in

systematic form) is a matrix of the form:

H=(I|A),

where Ais a circulant matrix, that is, a matrix of the form:

A=⎛

⎜

⎜

⎜

⎝

a1a2a3··· al

ala1a2··· al−1

.

.

..

.

..

.

..

.

..

.

.

a2a3a4··· a1

⎞

⎟

⎟

⎟

⎠,

where (a1,a

2,a

3,··· ,a

l)is any vector in Fl

2.

Clearly, Hcan easily be generated from the vector

(a1,a

2,a

3,··· ,a

l)(which is the ﬁrst row of A).

2) Quasi-dyadic Goppa codes [2]: In what follows, all

vector and matrix indices are numbered from zero onwards.

Deﬁnition 1: Given a ring Rand a vector h=

(h0,...,h

n−1)∈R

n,thedyadic matrix Δ(h)∈R

n×nis

the symmetric matrix with components Δij =hi⊕jwhere ⊕

stands for bitwise exclusive-or on the binary representations

of the indices. The sequence his called its signature.Theset

of dyadic n×nmatrices over Ris denoted Δ(Rn).Given

t>0,Δ(t, h)denotes Δ(h)truncated to its ﬁrst trows.

One can recursively characterize a dyadic matrix when nis

a power of 2: any 1×1matrix is dyadic, and for k>0,any

2k×2kdyadic matrix Mhas the form

M=AB

BA

where Aand Bare 2k−1×2k−1dyadic matrices. It is not

hard to see that the signature of a dyadic matrix coincides with

its ﬁrst row. Dyadic matrices form a commutative subring of

Rn×nas long as Ris commutative.

Deﬁnition 2: Adyadic permutation is a dyadic matrix Πi∈

Δ({0,1}n)whose signature is the i-th row of the identity

matrix.

A dyadic permutation is clearly an involution, i.e. (Πi)2=

I.Thei-th row (or equivalently the i-th column) of the dyadic

matrix deﬁned by a signature hcan be written Δ(h)i=hΠi.

Deﬁnition 3: Aquasi-dyadic matrix is a (possibly non-

dyadic) block matrix whose component blocks are dyadic

submatrices.

C. Niederreiter Cryptosystem

An encryption scheme that is a dual of the McEliece

cryptosystem and equivalent in terms of security [13] is the

Niederreiter construction [17]. The main difference between

the McEliece and Niederreiter cryptosystems lies in the de-

scription of the codes. The Niederreiter encryption scheme

describes codes by means of parity-check matrices. As before,

however, this matrix forms part of the secret key, and is

transformed by scrambling and permuting into the public key.

The encryption algorithm takes as input words of weight t,

Fig. 3. Key generation algorithm of the Niederreiter cryptosystem

KeyGen(1κ)

1) Choose n,k, and taccording to the security parameter

κ

2) Randomly pick a (n−k)×nparity-check matrix H0

of an [n, k, 2t+1] binary Goppa code C

3) Randomly pick an n×npermutation matrix P

4) Randomly pick an (n−k)×(n−k)invertible matrix

S

5) Compute H:= S×H0×P

6) Output pk := (H,t)and sk := (S,H0,P,γ),where γ

is a t-bounded decoding algorithm of C

Fig. 4. Encryption and decryption algorithms of the Niederreiter cryptosys-

tem

Encrypt(pk,

m∈W

2,n,t)

1) Compute c:= H×mT

2) Output c

Decrypt(sk,c∈Fn−k

2)

1) Compute z:= S−1×c

2) Compute y:= γ(z)

3) Output m:= y×P−1

where tis the number of errors that can be decoded. We denote

by Wq,n,t the words of Fn

qof weight t.

Figures 3 and 4 outline the key generation, encryption, and

respectively decryption algorithms.

III. PARAMETERS

A. Generic construction using binary Goppa codes

A secure encryption construction (security level of 280

binary operations) could be based on a [512,256,128] binary

Goppa code. Better security can be achieved by increasing the

parameters as shown in Table 1.

TAB LE I

SUGGESTED PARAMETERS OF GOPPA CODES FOR DIFFERENT SECURITY

LEVELS

security level n k t Public key size (bits)

80 512 256 128 460,647

112 640 384 128 1,047,600

128 768 512 128 1,537,536

192 1280 768 256 4,184,415

B. Quasi-cyclic alternant codes over F28

In [3], the authors present a new way to describe the public

key matrix using a quasi-cyclic alternant code Cof parameters

[459,255,101]28for a public key of 8,100 bits and a security

level of 280 binary operations. For a public key of 13000 bits

and a security level of 2100 binary operations, one should use

a[612,408,101]28code. More values are given in Table II,

from [3] which describes these parameters.

The authors of [3] proposed no parameters for binary quasi-

cyclic alternant codes, but it seems that such codes are still

secure against to structural attacks.

TAB LE I I

SUGGESTED PARAMETERS OF QUASI-CYCLIC ALTERNANT CODES FOR

DIFFERENT SECURITY LEVELS

security level n k t Public key size (bits)

80 450 225 128 6,800

90 558 279 128 8,500

110 744 372 128 14,600

C. Quasi-dyadic binary Goppa codes

In [2], the authors present a new way to describe the public

key matrix using quasi-dyadic Goppa code Cof parameters

[512,256,128] for a public key of 4,096 bits and a security of

280 binary operations and a code of parameters [768,512,128]

for a public key of 8,192 bits and a security of 2128 binary

operations. The next table from [2] describes these parameters:

TABLE III

SUGGESTED PARAMETERS OF QUASI-DYADIC BINARY GOPPA CODES FOR

DIFFERENT SECURITY LEVELS

security level n k t Public key size (bits)

80 512 256 128 4,096

112 640 384 128 6,144

128 768 512 128 8,192

192 1280 768 256 12,288

IV. FAULT INJECTION

Bernstein et al. have recently implemented [5] a code based

cryptosystem (the Stern scheme) on a low resource device.

Securing the implemented scheme against side channel attack

is the next step in a real world context. The two constructions

in [3], [2], which feature small descriptions of public keys, are

also implementable on smart cards, therefore it is paramount

to prove them secure.

A. Description of fault injection

Any system can make mistakes in computation. These

errors could be caused internally (due to a poor quality of

component, which generates fuzzy electric noise) or externally

(speciﬁc areas of a circuit board are bombarded with heavy

radiation, which disturbs the normal execution of a program).

The external stress can be intentional (pirate’s attack) or due

to the speciﬁc environment in which the system is placed

(e.g. space radiations for satellite). Many hardware systems

are sensitive to this kind of attacks. In case of a pirate attack,

the fault injection is the ﬁrst step in a fault attacks. This fault

can be exploited to ﬁnd conﬁdential data in secure devices

or in order to compromise the system by creating a denial

of service (DoS). In the case of an encryption device, a

failure is randomly returned for some of the faulty calls.

These failures may propagate to the system boundary and thus

become observable by the attacker. He can exploit theses faults

to ﬁnd secret keys in the cryptographic device.

In case of malfunctions due to environment disturbances,

the device should be fault tolerant: should function correctly

(though possibly at reduced efﬁciency) in spite of the faults.

Furthermore, in the case of for instance satellite components,

it might be impossible to change or to ﬁx a faulty device. The

system must be tested before the launching. The fault injection

is often used with stress testing and is widely considered to

be an important part of developing robust software.

Hence, for speciﬁc environment or security context, fault

injection must be also taken into account.

In the following, we study whether fault occurrences on

the public key of a coding based scheme could alter the

device’s capacity to communicate (this information is saved

on the internal components of the system). The goal of this

attacker is to cause a denial of service, which would render

communication useless as decoding becomes incorrect.

B. Fault model

We consider a single one-bit fault on the used variables,

corresponding to a ﬂip on a memory cell. We study for each

construction the effect of a fault on one variable of the scheme.

For all schemes, if the input message mis affected by the fault

and transformed to m, encryption will proceed as usual. The

decryption operation will thus compute m, and not the good

value m. Hence an error on the input message will be not

corrected by the scheme. Hence, for the next sections, we say

that a fault on mis out of the scope.

C. Countermeasures

Errors in encryption systems are classically corrected by

inversion: if a message is encrypted, then decrypted correctly,

the encryption was faultless. Though a good solution, this

method is inapplicable in some cases, such as public key

encryption systems – where the device knows the public key

only – or when decryption is too inefﬁcient. In this case, the

alternative is to have dedicated hardware (in fact two identical

devices) which computes the encryption twice.

Countermeasures to other side channel attacks against the

McEliece scheme have been presented in [15].

V. FAU LT INJECTION ON THE MCELIECE ENCRYPTION

SCHEME

We describe in this section the sensitivity of the McEliece

PKC against fault injection.

A. Fault on variables of McEliece Encryption

The McEliece encryption works in the following way: each

plaintext vector mis multiplied by the encryption matrix G,

and an error eis added to the result. Thus,

c:= m×G+e.

There are three cases to study, depending on the variable

affected by the fault: m,Gor e.

1) If mis corrupted, the scheme can’t correct this entry.

2) If the fault affects entry gij on row iand column jof

G, the output of m×Gis faulty if and only if the i-th

coordinate of mis not zero.

We assume the entries of Gto be random, therefore there

gij =0with probability 1/2, while the i-th entry of m

is 0w.p . 1/2. Therefore, the probability that a fault in

coordinate gij will give the wrong output is 1/4.

Supposing that the fault has an effect on the product

m×G(which we denote for clarity by m×

G)we

analyse the consequences of adding an error vector eof

ﬁxed weight t(the error correction capability is t)to

this product.

•If the error has its ith coordinate equal to 1 (prob-

ability of t

n) the fault has no effect and we correct

t−1errors.

•If the error has its ith coordinate equal to 0, then

the fault carries over and we have to correct t+1

errors.

If the choice of tis such that correcting t+1 errors does

not gives a unique codeword, we don’t ﬁnd the original

message m, but several possible candidates. This sce-

nario can be prevented if one chooses an error of weight

tsuch that the presence of up to a certain number rof

faults does not affect the decoding efﬁciency (choose t

and rs.t. t+r≤t).

3) If the fault appears in the vector e, we have two cases:

•If the fault decreases the weight of e, the scheme

will correctly decrypt the t−1remaining errors

and will retrieve the correct m(as the scheme can

correct up to terrors).

•If the fault increases the weight of e, the scheme

will decrypt cincorrectly, as t+1errors remain.

With our fault model (a random fault on one bit) with

restricted perimeter (fault in Gor e, but not on m), the scheme

effectively decodes the ciphertext in approximately 1/4of the

cases: if a fault occurs, it can be on 1 bit of the nk bits of G

or on 1 bit of the nbits of e.

On G:

•a ﬂip 0 to 1 has an effect if mi=1and ei=0,

•a ﬂip 1 to 0 has an effect if mi=1and ei=1.

On e, a ﬂip has an effect if ei=0, but no effect in the

other case (ei=1).

Hence, the probability that the scheme does not correct a

fault is as follows:

P1=P(erroriseffective)

=P(error is effective | error is on G)P(error is on G)

+P(error is effective| error is on e)

=P(error on G)[P(Gij :0→1)P(mi=1)P(ej=0)

+P(Gij :1→0)P(mi=1)P(ej= 1)]

+P(error on e)[P(ej:0→1)]

=kn

kn +n×1

2×1

2×(1 −t/n)+1

2×1

2×(t/n)

+n

kn +n×(1 −t/n)≈1/4.

B. Constructions with reduced codes

The advantage of this construction lies in the reduced

public-key size. The size SzPK of the public-key (G, t)

essentially originates in the description of G; we occasionally

refertoafaultinGby the general term public-key fault. We

suppose that this error was spread across lrows. If the row i

is affected, the fault carries over to the product m×Gonly if

mi=1, and the ﬁnal result is corrupted if the fault appears in

bit jof the error e. In the ﬁrst case, there is no consequence if

the lerrors are spread over the positions where mi=0.Ifwe

suppose that mhas weight w, the probability that the plaintext

has exactly kerrors is (n−w

l−k)(w

k)

(n

l),as we choose klines where

mi=1. In the second case, the errors have no consequence if

the ﬂip is not correlated to the corresponding element ej.As

the weight of eis t, we have a probability of 1−(t

k)

(n

k)that Gij

equals ej=0and a probability of 1−(n−t

k)

(n

k)that Gij equals

ej=1.

Hence the probability that the scheme does not correct a

fault is :

P2=SzPK

SzPK+nl

k=1 (n−w

l−k)(w

k)

(n

l)1−(t

k)+(n−t

k)

2(n

k)

+n

SzPK+n×(1 −t/n).

As mis random, we have w≈n/2. Hence,

P2≈SzPK

SzPK+nl

k=1 (n/2

l−k)(n/2

k)

(n

l)1−(t

k)+(n−t

k)

2(n

k)

+n

SzPK+n×(1 −t/n).

As kn > SzP K and generally l>1,P2>P

1and the

classical construction with Goppa codes is more secure.

For example, with the parameters l=8,n = 512,SzPk =

4096 and t= 128, we ﬁnd P2=0.81.

VI. FAULT INJECTION ON THE NIEDERREITER

ENCRYPTION SCHEME

A. Construction on Goppa codes

Here, the fault can only be on H. If we consider the

Niederreiter version, where the encryption is a product HmT

with H=SH0P(a masked Goppa code parity check matrix)

and mis a plaintext of weight t; the probability that a fault

injection (in the matrix H) has an effect is t/n instead of 1/4

as in the McEliece case.

B. Constructions with quasi-cyclic alternant codes

In this case, we simply store the ﬁrst row of the matrix

H, Hand the vector m, and we shift this vector to obtain the

matrix-vector product. So in this context, a fault injection will

have an effect on several rows of the matrix-vector product.

In the notation of [3], the length of the code is N:= qm−

1=l×N0and we reconstruct the lrows of the matrix from

the one we stored (by using a circular permutation).

The probability that a block of size lcontains no error is

(N−l

t)

(N

t).

Therefore, the probability that the fault has an effect is:

1−(N−l

t)

(N

t).

With the parameters detailled in Section 2, we obtain a

probability of more than 0.97 that fault injection is effective.

This result holds for all sets of proposed parameters.

The use of quasi-cyclic matrices presents a weakness with

regard to the fault injection.

C. Construction with quasi-dyadic binary Goppa codes

As in the quasi-cyclic case, we just store a row of the parity

check matrix in order to construct the whole matrix, thus the

injected fault will affect several rows. A fault on a block hk

of the matrix signature results in one fault per line (on line i,

the column j=i⊕kis affected).

The computation of the probability of an effect of a fault

injection is the same as described above with the parameters

detailled in Section 2, we obtain a probability greater than

0.97 for all the proposed parameters.

Therefore, Niederreiter constructions on quasi-dyadic

Goppa codes are vulnerable to fault injection attacks.

VII. CONCLUSION

The McEliece PKC is resistant to fault injections due to

the underlying code’s capacity to correct faults that might

occur. We just have to choose parameters that are large enough

in order to counter this fault injection. Choosing a greater

error correcting capacity than strictly necessary allows for the

correction of faults due to external or internal stimuli.

In the cases of quasi-cyclic and quasi-dyadic matrices, the

construction is implementable on low resource devices due to

the small public key size, but the scheme is more sensitive to

fault injections. The use of compact matrices, generated by a

single stored row, implicitly leads to the diffusion of the fault,

as this faulty row is reused several times.

It’s now possible[19] to implement McEliece cryptosystem

on a smartcard. For an embedded device, we have to ﬁnd a

compromise between the size of the public key and the security

with respect to fault injection.

Though considered outside the scope of this paper, the

decryption algorithms in the McEliece and Niederreiter con-

structions are also vulnerable to fault injections. An analysis

of this topic is already in progress.

REFERENCES

[1] M. Baldi and G. F. Chiaraluce, Cryptanalysis of a new instance of

McEliece cryptosystem based on QC-LDPC codes, IEEE International

Symposium on Information Theory, 2007, Nice, France, pages 2591–

2595

[2] P. Barreto and R. Misoczki, Compact McEliece Keys from Goppa Codes,

Accepted for SAC’2009,

http://eprint.iacr.org/2009/187

[3] T. Berger, P.-L. Cayrel, P. Gaborit and A. Otmani, Reducing Key Length

of the McEliece Cryptosystem, AfricaCrypt 2009, LNCS, page 77–97

[4] D.J. Bernstein, J. Buchmann and E. Dahmen, Post-Quantum Cryptog-

raphy, Springer, Berlin, 2009, ISBN 978-3-540-88701-0.

[5] P.-L. Cayrel, P. Gaborit and E. Prouff, Secure Implementation of the

Stern Authentication and Signature Schemes for Low-Resource Devices,

Eighth Smart Card Research and Advanced Application Conference

CARDIS 2008 In G. Grimaud and F.-X. Standaert, editors, Lecture Notes

in Computer Science, Vol. 5189, pages 191-205, 2008

[6] P.-L. Cayrel, A. Otmani and D. Vergnaud, On Kabatianskii-Krouk-

Smeets Signatures, Proceedings of the ﬁrst International Workshop on

the Arithmetic of Finite Fields (WAIFI 2007), Springer Verlag Lecture

Notes, Madrid, Spain, pages 237–251

[7] P. Dusart, G. Letourneux and O. Vivolo, Differential Fault Analysis on

A.E.S , Lecture Notes in Computer Science Volume 2846/2003, Applied

Cryptography and Network Security, 2003, pp. 293–306

[8] J.-C. Faugère, A. Otmani, L. Perret and J.-P. Tillich, Algebraic Crypt-

analysis of McEliece Variants with Compact Keys, Eurocrypt 2010.

[9] P. Gaborit, Shorter keys for code based cryptography Proceedings of

the 2005 International Workshop on Coding and Cryptography (WCC

2005), Bergen, Norway pages 81–91

[10] P. Gaborit and M. Girault, Lightweight code-based authentication and

signature, IEEE International Symposium on Information Theory (ISIT

2007), Nice, France pages 191–195

[11] P. Gaborit, C. Lauradoux and N. Sendrier, SYND: a Fast Code-Based

Stream Cipher with a Security Reduction, IEEE International Sympo-

sium on Information Theory (ISIT 2007), pages 186–190

[12] V. Gauthier Umana and G. Leander, Practical Key Re-

covery Attacks On Two McEliece Variants, 2009, Preprint,

http://eprint.iacr.org/2009/509.pdf

[13] Y. X. Li, R. H. Deng and X.-M. Wang, On the equivalence of McEliece’s

and Niederreiter’s public-key cryptosystems, IEEE Transactions on In-

formation Theory, volume 40, number 1, 1994, pages 271-273

[14] R. J. McEliece, A Public-Key System Based on Algebraic Coding Theory,

Jet Propulsion Lab, DSN Progress Report 44, 1978, pages 114-116

[15] H. G. Molter, R. Overbeck, A. Shoufan, F. Strenzke and E. Tews, Side

Channels in the McEliece PKC, The Second international Workshop

on Post-Quantum Cryptography PQCRYPTO 2008, Lecture Notes in

Computer Science, Vol. 5299.

[16] C. Monico, J. Rosenthal and A. Shokrollahi, Using low density parity

check codes in the McEliece cryptosystem, IEEE International Sympo-

sium on Information Theory (ISIT 2000), 2000, Sorrento, Italy, 215

[17] H. Niederreiter, Knapsack-type cryptosystems and algebraic coding

theory, Problems Control Inform. Theory, Vol. 15, number 2, pages 159-

166, 1986

[18] A. Otmani, J.P. Tillich and L. Dallot, Cryptanalysis of McEliece Cryp-

tosystem Based on Quasi-Cyclic LDPC Codes, in Proceedings of First

International Conference on Symbolic Computation and Cryptography,

Beijing, China, LMIB Beihang University, April 28-30 2008, p. 69-81

[19] F. Strenzke, A Smart Card Implementation of the McEliece PKC,

WISTP’10.

We are grateful to Cristina Onete for her useful rewriting

comments.