A variant of the McEliece cryptosystem
with increased public key security
Marco Baldi¹, Marco Bianchi¹, Franco Chiaraluce¹,
Joachim Rosenthal², and Davide Schipani²*
¹ Università Politecnica delle Marche, Ancona, Italy
{m.baldi,m.bianchi,f.chiaraluce}@univpm.it
² University of Zurich, Zurich, Switzerland
{rosenthal,davide.schipani}@math.uzh.ch
Abstract. We propose a new variant of the McEliece cryptosystem
which ensures that the code used as the public key is not
permutation-equivalent to the secret code. This makes it possible to increase
the security of the public key, and to reconsider possible adoption of
classical families of codes, like Reed-Solomon codes. A reduction in the key
size or, equivalently, an increased level of security against information set
decoding are the main advantages of the modified cryptosystem. As a drawback,
the domain of intentional error vectors must be restricted, but we show that
this has no significant impact on the security level.
Keywords: McEliece cryptosystem, error-correcting codes, public key security.
1 Introduction
The McEliece cryptosystem [8] is one of the most promising public-key
cryptosystems able to resist attacks based on quantum computers. In fact,
unlike cryptosystems exploiting integer factorization or discrete logarithms,
it relies on the hardness of decoding a linear block code without any visible
structure [3].
The original McEliece cryptosystem adopts the generator matrix of a binary
Goppa code as the private key, and exploits a dense transformation matrix
and a permutation matrix to disguise the secret key into the public one. No
polynomial-time attack on the system has been devised up to now; however, the
increased computing power and the availability of optimized attack procedures
have made it necessary to update its original parameters [4].
The main advantage of the McEliece cryptosystem consists in its fast
encryption and decryption procedures, which require a significantly lower
number of operations with respect to alternative solutions (like RSA).
However, the original McEliece cryptosystem has two main disadvantages: low
encryption rate and large key size, both due to the binary Goppa codes it is
based on. When adopting Goppa codes, a first improvement is obtained through
the variant proposed by Niederreiter [10], which uses parity-check matrices
instead of generator matrices.
* The research was supported in part by the Swiss National Science Foundation
under grant No. 132256.
inria-00607772, version 1 - 11 Jul 2011
Author manuscript, published in "WCC 2011 - Workshop on coding and cryptography (2011) 173-182"
A significant improvement in both these aspects would be obtained if other
families of codes could be included in the system. In particular, the use of
Reed-Solomon (RS) codes could yield significant advantages. In fact, RS codes
are maximum distance separable codes, which ensures they achieve maximum error
correction capability. In the McEliece system, this translates into shorter
keys for the same security level, or a higher security level for the same key
size, with respect to binary Goppa codes (having the same code rate).
Many attempts to replace Goppa codes with other families of codes have
exposed the system to security threats [13], [18]. Some recent proposals based
on Quasi-Cyclic and Quasi-Dyadic codes have also been broken [17]. Low-Density
Parity-Check (LDPC) codes, in principle, should offer high design flexibility
and compact keys. However, adopting this class of codes may also expose
the system to flaws [9], [11]. Nevertheless, it is still possible to exploit
Quasi-Cyclic LDPC codes to design a variant of the system that is immune to
any known attack [1].
The idea in [1] is to replace the permutation matrix $P$, used in the original
McEliece cryptosystem, with a dense transformation matrix $Q$. The matrix $Q$
used in [1] is a sparse matrix and its density must be chosen as a trade-off
between two opposite effects: i) increasing the density of the public code
parity-check matrix so that it is too difficult to search for low weight
codewords in its dual code and ii) limiting the propagation of the intentional
errors so that they are still correctable by the legitimate receiver.
We improve this approach by introducing a more effective class of $Q$ matrices
and by generalizing their form also to the non-binary case. The new proposal is
based on the fact that there exist some classes of dense $Q$ matrices that have
a limited propagation effect on the intentional error vectors. The use of these
matrices makes it possible to better disguise the private key into the public
one, with a controlled error amplification effect. So, we propose a modified
cryptosystem that can restore the use of advantageous families of codes, such
as RS codes, by ensuring increased public key security. In the proposed
cryptosystem, the domain of possible error vectors needs to be restricted
depending on the choice of $Q$. However, we will show that this restriction has
a limited effect on the system security.
2 Description of the cryptosystem
The main features of the proposed system are as follows. Bob chooses his secret
key as the $k \times n$ systematic generator matrix $G$ of a linear block code
over GF($p$). He also chooses two other secret matrices: a $k \times k$
non-singular scrambling matrix $S$ and an $n \times n$ non-singular
transformation matrix $Q$. The public key is:
$$G' = S^{-1} \cdot G \cdot Q^{-1}. \qquad (1)$$
So, in general, differently from the original McEliece cryptosystem, the public
code is not permutation-equivalent to the private code.
Alice, after obtaining Bob's public key, applies the following encryption map:
$$x = u \cdot G' + e, \qquad (2)$$
where $x$ is the ciphertext corresponding to the cleartext $u$, and $e$ is a
vector of intentional errors. After receiving $x$, Bob inverts the
transformation as follows:
$$x' = x \cdot Q = u \cdot S^{-1} \cdot G + e \cdot Q, \qquad (3)$$
thus obtaining a codeword of the secret code affected by the error vector
$e \cdot Q$. Bob shall be able to correct all the errors and get
$u \cdot S^{-1}$, thanks to the systematic form of $G$. He can then obtain $u$
through multiplication by $S$.
2.1 Choice of Q
In general, the use of a transformation matrix $Q$ in place of a permutation
matrix causes an error propagation effect. However, if $Q$ is chosen within a
given class of matrices, this effect can be controlled or even eliminated, when
needed. For the latter purpose, let us consider a first form of $Q$, called
$Q_1$, obtained as the sum of a permutation matrix $P_1$ and a rank-1 matrix
$R$, that is:
$$Q_1 = R + P_1, \qquad (4)$$
with
$$R = a^T \cdot b = [a_1\ a_2\ \cdots\ a_n]^T \cdot [b_1\ b_2\ \cdots\ b_n], \qquad (5)$$
where $a$ and $b$ are two random vectors over GF($p$) and $T$ denotes
transposition. If $Q_1$ is full rank, $Q_1^{-1}$ can be used to generate the
public code.
In the choice of $Q_1$ it is important to avoid some special cases which could
allow an attacker to derive a code that is permutation-equivalent to the secret
one, thus bringing security back to that of the classical McEliece system.
Let us suppose the $j$-th element of $b$ is zero and that $P_1$ has a symbol 1
at position $(i, j)$. In this case, the $j$-th column of $Q_1$ is completely
null, except for its element at row $i$. Since $Q_1^{-1} = \widehat{Q}/|Q|$,
where $\widehat{Q}$ is the adjoint matrix and $|Q|$ is the determinant of $Q_1$,
it follows from the definition of $\widehat{Q}$ that the $i$-th column of
$Q_1^{-1}$ is completely null, except for its element at row $j$ (that is not
necessarily equal to 1, except for the binary case). So, the $i$-th column of
$Q_1^{-1}$ has the effect of a column permutation (apart from multiplication by
a constant), like in the original McEliece cryptosystem.
In order to avoid such a flaw, we impose that all the elements of $b$ are
non-zero. We then restrict the generation of intentional error vectors to
vectors $e = [e_1, e_2, \ldots, e_n]$ such that:
$$\sum_{i=1}^{n} a_i e_i = 0. \qquad (6)$$
This requires that $a$ is disclosed as part of the public key, and ensures that
the product $e \cdot R$ gives the all-zero vector, so that the legitimate
receiver gets:
$$e' = e \cdot Q_1 = e \cdot R + e \cdot P_1 = e \cdot P_1. \qquad (7)$$
So, the weight of $e'$ is exactly coincident with that of $e$. If we work on
GF($p$), with $p > 2$, we can replace the permutation matrix with a generalized
permutation matrix with non-zero values randomly selected among the $p - 1$
non-zero elements of GF($p$). More generally, we can consider using $m$
matrices of the latter type, the $i$-th one being denoted by $\Pi_i$. So, in
place of (4), we have:
$$Q_m = R + \Pi_1 + \Pi_2 + \ldots + \Pi_m. \qquad (8)$$
Provided that only intentional error vectors that satisfy (6) are used, a
matrix $Q_m$ as in (8) amplifies the number of intentional errors (at most)
by a factor $m$. Such a controlled error amplification effect can be
compensated by using codes with a high error correction capability, as it
occurs for LDPC codes [1]. Moreover, the use of $Q_m$ (through its inverse)
makes it possible to disguise the private matrix of a code over GF($p$) in a
way that, at least in principle, is much stronger than what can be done by
using a permutation matrix (as in the original McEliece system). An even more
general form of $Q_m$ can be designed by replacing the rank-1 matrix $R$ with a
rank-$z$ ($z \geq 1$) matrix, thus modifying condition (6) accordingly with a
set of $z$ constraints.
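
The following added example (not the authors' code) runs equations (1)-(7) end to end on a toy instance. The GF(7) field, the (6, 2) RS code, the brute-force decoder and the use of Python's non-cryptographic `random` module are all assumptions chosen to keep it small. It also shows that a weight-$t$ error violating (6) spreads to at least $n - t$ positions after multiplication by $Q_1$.

```python
import itertools
import random

# Constructed toy parameters: RS code over GF(7), n = 6, k = 2, d = 5, corrects T = 2.
P, N, K, T = 7, 6, 2, 2

def matmul(A, B):
    return [[sum(x * y for x, y in zip(r, c)) % P for c in zip(*B)] for r in A]

def inverse(M):
    """Gauss-Jordan inverse over GF(P); returns None if M is singular."""
    n = len(M)
    A = [list(r) + [int(i == j) for j in range(n)] for i, r in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        s = pow(A[c][c], P - 2, P)                  # inverse of the pivot (Fermat)
        A[c] = [v * s % P for v in A[c]]
        for r in range(n):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(v - f * w) % P for v, w in zip(A[r], A[c])]
    return [r[n:] for r in A]

def weight(v):
    return sum(1 for x in v if x % P)

def keygen(rng):
    # Secret systematic generator matrix G (RS code, evaluation points 1..N).
    V = [[pow(x, i, P) for x in range(1, N + 1)] for i in range(K)]
    G = matmul(inverse([r[:K] for r in V]), V)
    while True:
        S = [[rng.randrange(P) for _ in range(K)] for _ in range(K)]
        a = [rng.randrange(P) for _ in range(N)]
        b = [rng.randrange(1, P) for _ in range(N)]        # every b_j non-zero
        perm = rng.sample(range(N), N)
        Q = [[a[i] * b[j] % P for j in range(N)] for i in range(N)]  # R = a^T b, eq. (5)
        for i in range(N):                                  # Q1 = R + P1, eq. (4)
            Q[i][perm[i]] = (Q[i][perm[i]] + rng.randrange(1, P)) % P
        S_inv, Q_inv = inverse(S), inverse(Q)
        if S_inv and Q_inv and any(a):
            G_pub = matmul(matmul(S_inv, G), Q_inv)         # eq. (1)
            return (G_pub, a), (G, S, Q)                    # public key, private key

def sample_error(a, rng, constrained=True):
    """Weight-T error vector; if constrained it satisfies eq. (6), else it violates it."""
    while True:
        e = [0] * N
        for i in rng.sample(range(N), T):
            e[i] = rng.randrange(1, P)
        if (sum(x * y for x, y in zip(a, e)) % P == 0) == constrained:
            return e

def encrypt(pub, u, e):
    return [(c + x) % P for c, x in zip(matmul([u], pub[0])[0], e)]   # eq. (2)

def decrypt(priv, x):
    G, S, Q = priv
    y = matmul([x], Q)[0]                                   # eq. (3)
    for m in itertools.product(range(P), repeat=K):         # brute force, toy size only
        c = matmul([list(m)], G)[0]
        if weight([(s - t) % P for s, t in zip(y, c)]) <= T:
            return matmul([list(m)], S)[0]                  # m = u S^-1, so u = m S
    return None                                             # more than T errors

def demo(seed=1):
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    u = [rng.randrange(P) for _ in range(K)]
    good = sample_error(pub[1], rng, constrained=True)
    bad = sample_error(pub[1], rng, constrained=False)
    return {
        "u": u,
        "decrypted": decrypt(priv, encrypt(pub, u, good)),
        "w_good": weight(matmul([good], priv[2])[0]),       # stays T, eq. (7)
        "w_bad": weight(matmul([bad], priv[2])[0]),         # at least N - T
    }

if __name__ == "__main__":
    print(demo())
```
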
2.2 Design issues
As we have seen in Section 2.1, null elements must be avoided in $b$ to prevent
the public code from being (almost) permutation-equivalent to the secret one.
Focusing on the binary case, this imposes that $b$ is the all-one vector.
However, in such a case, further issues exist in the design of $Q$. For
example, let us consider $a$ as an all-one vector too, so that
$R = \mathbf{1}$, and suppose that only one random permutation matrix is used
(as in (4)). It is easy to verify that the public code has the following
parity-check matrix:
$$H' = H \cdot Q^T, \qquad (9)$$
where $H$ is the parity-check matrix of the private code. In the special case
of $Q_1 = \mathbf{1} + P_1$, we have
$H' = H \cdot \mathbf{1} + H \cdot P_1^T$. By assuming a regular $H$ (i.e. with
constant row and column weights), two cases are possible:
– If the rows of $H$ have even weight, $H \cdot \mathbf{1} = \mathbf{0}$ and $H' = H \cdot P_1^T$.
– If the rows of $H$ have odd weight, $H \cdot \mathbf{1} = \mathbf{1}$ and $H' = \mathbf{1} + H \cdot P_1^T$.
In both cases, the public code has a parity-check matrix that is simply a
permuted version of that of the secret code (or its complementary). This
reduces the security to that of the original McEliece cryptosystem, that
discloses a permuted version of the secret code. Such security level is not
sufficient when adopting, for example, LDPC codes, since the permuted version
of the secret $H$ matrix can be attacked by searching for low weight codewords
in the dual of the secret code.
A more general formulation of the flaw follows from the consideration that
$Q_1 = \mathbf{1} + P_1$ has a very special inverse. First of all, let us
consider that $Q_1$ is invertible only when it has even size. This is obvious
since, for odd size, $Q_1$ has even row/column weight; so, the sum of all its
rows is the zero vector. If we restrict ourselves to even size $Q_1$ matrices,
it is easy to show that their inverse has the form
$Q_1^{-1} = \mathbf{1} + P_1^T$, due to the property of permutation matrices
(as orthogonal matrices) to have their inverse coincident with the transpose.
So, $Q_1^{-1}$ has the same form as $Q_1$ and, as in the case of $H$,
disclosing $G' = S^{-1} G Q_1^{-1}$ might imply disclosing a generator matrix
of a permuted version of the secret code or its complementary (depending on the
parity of its row weight). Therefore, the form $Q_1 = \mathbf{1} + P_1$ might
reduce the security to that of the permutation used in the original McEliece
cryptosystem.
Based on these considerations, one could think that adopting a vector $a$
different from the all-one vector could avoid the flaw. However, by considering
again that $Q_1^{-1} = \widehat{Q}/|Q|$, it is easy to verify that a weight-1
row in $Q_1$ produces a weight-1 row in $Q_1^{-1}$ and a weight-$(n-1)$ row in
$Q_1$ produces a weight-$(n-1)$ row in $Q_1^{-1}$. It follows that $Q_1^{-1}$
contains pairs of columns having Hamming distance 2. Since their sum is a
weight-2 vector, the sum of the corresponding columns of the public matrix
results in the sum of two columns of $S^{-1} G$. Starting from this fact, an
attacker could try to solve a system of linear equations with the aim of
obtaining a permutation-equivalent representation of the secret code, at least
for the existing distance-2 column pairs.
So, our conclusion concerning the binary case is that the choice of $Q$ as in
(4) should be avoided. A safer $Q$ is obtained by using an $R$ matrix with rank
$z > 1$ and by adding more than one permutation matrix to it (i.e. $m > 1$).
This obviously has the drawback of requiring codes with increased error
correction capability; so, in this work, we will focus on non-binary codes and
$m = 1$.
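
A parameter check for the binary design flaw described in this section, as an added example that is not the authors' code: it verifies over GF(2) that $Q_1 = \mathbf{1} + P_1$ has inverse $\mathbf{1} + P_1^T$ for even size, is singular for odd size, and that $H' = H \cdot Q_1^T$ is only a permuted (or complemented) copy of $H$. The two small matrices `H_EVEN` and `H_ODD` are constructed for illustration and only have constant row weight.

```python
import random

def matmul2(A, B):
    """Matrix product over GF(2)."""
    return [[sum(x & y for x, y in zip(r, c)) & 1 for c in zip(*B)] for r in A]

def transpose(M):
    return [list(c) for c in zip(*M)]

def ones_plus_perm(n, rng):
    """Return (Q1, P1) with Q1 = 1 + P1, where 1 is the all-one n x n matrix."""
    perm = rng.sample(range(n), n)
    P1 = [[int(perm[i] == j) for j in range(n)] for i in range(n)]
    Q1 = [[1 ^ v for v in row] for row in P1]
    return Q1, P1

def inverse_is_ones_plus_perm_t(n, rng):
    """Check Q1 * (1 + P1^T) == I, i.e. the inverse has the same form as Q1."""
    Q1, P1 = ones_plus_perm(n, rng)
    cand = [[1 ^ v for v in row] for row in transpose(P1)]
    identity = [[int(i == j) for j in range(n)] for i in range(n)]
    return matmul2(Q1, cand) == identity

def rows_sum_to_zero(n, rng):
    """True when every column of Q1 has even weight, so Q1 is singular."""
    Q1, _ = ones_plus_perm(n, rng)
    return all(sum(col) % 2 == 0 for col in zip(*Q1))

def classify_public_h(H, rng):
    """Compare H' = H * Q1^T (eq. 9) with the plainly permuted H * P1^T."""
    Q1, P1 = ones_plus_perm(len(H[0]), rng)
    H_pub = matmul2(H, transpose(Q1))
    H_perm = matmul2(H, transpose(P1))
    if H_pub == H_perm:
        return "permuted"
    if H_pub == [[1 ^ v for v in row] for row in H_perm]:
        return "complement of permuted"
    return "other"

# Constructed parity-check matrices with constant row weight (n = 8).
H_EVEN = [[1, 1, 1, 1, 0, 0, 0, 0], [0, 0, 1, 1, 1, 1, 0, 0],
          [0, 0, 0, 0, 1, 1, 1, 1], [1, 1, 0, 0, 0, 0, 1, 1]]
H_ODD = [[1, 1, 1, 0, 0, 0, 0, 0], [0, 0, 1, 1, 1, 0, 0, 0],
         [0, 0, 0, 0, 1, 1, 1, 0], [1, 0, 0, 0, 0, 0, 1, 1]]

if __name__ == "__main__":
    rng = random.Random(0)
    print(inverse_is_ones_plus_perm_t(8, rng), inverse_is_ones_plus_perm_t(7, rng))
    print(rows_sum_to_zero(7, rng))
    print(classify_public_h(H_EVEN, rng), "/", classify_public_h(H_ODD, rng))
```
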
3 Comparison with previous cryptosystems
Other proposals for increasing key security have been made in the past, such
as using a distortion matrix together with rank codes in the GPT cryptosystem
[5] and exploiting the properties of subcodes in variants of the McEliece and
the GPT cryptosystems [2]. Unfortunately, cryptanalysis has shown that such
approaches exhibit security flaws [13], [18].
The idea of using a rank-1 matrix with the same structure we consider can
also be found in [6]. However, such a matrix was added to the secret matrix
(rather than multiplied) and no selection of the error vectors was performed, so
that a completely different solution was implemented.
Instead, the idea of replacing the permutation in the McEliece cryptosystem
with a more general transformation matrix is already present in the variant of the
GPT cryptosystem adopting a column scrambler [12], [16] and in cryptosystems
based on full decoding [7, sec. 8.3]. These proposals are briefly examined next.
3.1 Comparison with the modified GPT cryptosystem
Apart from the code extension and the inclusion of an additive distortion
matrix, in the modified GPT cryptosystem the public generator matrix is
obtained through right-multiplication by a non-singular matrix that is not
necessarily a permutation matrix. So, in principle, it is the same idea of a
more general transformation matrix as in the proposed cryptosystem. However, in
order to preserve the ability to correct the intentional error vectors, the GPT
cryptosystem works in the rank metric domain and adopts rank distance codes,
such as Gabidulin codes.
Unfortunately, the properties of Gabidulin codes make it possible to exploit
the effect of the Frobenius automorphism on the public generator matrix in order
to mount a polynomial-time attack [13]. Differently from the GPT cryptosystem,
the proposed solution still exploits Hamming distance codes and is able to replace
the permutation matrix with a more general transformation matrix by properly
selecting the error vectors.
3.2 Comparison with full-decoding cryptosystems
The main idea behind full-decoding cryptosystems in [7] is to let the
intentional error vectors have any arbitrary weight. This way, an attacker
would be forced to try full-decoding of the public code, which is known to be
an NP-complete task. Obviously, the legitimate receiver must be able to decode
any intentional error vector with reasonable complexity; so, the problem of
full decoding must be transformed from a one-way function to a trapdoor
function. For this purpose, the main idea is to use a transformation that maps
a set of error vectors with weight $\leq t$ into a set of arbitrary weight
intentional error vectors.
If this transformation is represented by the $n \times n$ matrix $M$, the
public code (as proposed first in [7]) would be $G' = G \cdot M$. The basic
point for obtaining a trapdoor function is to make Alice use only those error
vectors that can be expressed as $e' = e \cdot M$, where $e$ is a weight-$t$
error vector. This way, when Bob uses the inverse of the secret matrix $M$ to
invert the transformation, he re-maps each arbitrary weight error vector into a
correctable error vector. Unauthorized users would instead be forced to try
full-decoding over arbitrary weight error vectors; so, the trapdoor is
obtained.
In order to exploit the full-decoding problem, Alice must use, for encryption,
only those error vectors that can be anti-transformed into correctable error
vectors. So, some information on the transformation used to originate them must
be disclosed. A solution is that the first $p < n$ rows of $M$ are made public
[7]. However, it has been proved that, this way, the security reduces to that
of the original McEliece cryptosystem, and an attacker does not have to attempt
full-decoding, but only normal decoding.
Further variants aim at better hiding the secret transformation matrix in
its disclosed version [7]. In the last variant, a generator matrix of a maximum
distance-$t$ anticode is used to hide the secret transformation. This way,
after inverting the secret transformation, the error vector remains correctable
for the legitimate receiver. To our knowledge, the latter version has never
been proved to be insecure nor to reduce to the same problem of the original
McEliece cryptosystem. However, the construction based on anticodes seems quite
impractical.
Differently from full-decoding cryptosystems, our proposal still relies on the
same problem as the original McEliece cryptosystem (that is, normal decoding);
so, we need to perform only a selection of the random error vectors (without
any transformation). For this reason, the information “leakage” on the secret
transformation that is needed in the proposed cryptosystem is considerably lower
with respect to what happens in full-decoding cryptosystems.
4 Attacks against the proposed cryptosystem
A first concern about the proposed cryptosystem is to verify that it is
actually able to provide increased key security, with respect to previous
variants of the McEliece cryptosystem, in such a way as to allow the use of
widespread families of codes (such as RS and Generalized RS codes) without
incurring the attacks that have prevented their use up to now.
From the comparison with the variants described in Sections 3.1 and 3.2,
we infer that previous attacks targeted to those cryptosystems do not succeed
against the proposed one, due to the differences in the family of codes used
and in the information leakage on the secret transformation. Concerning the
latter point, we observe that, even if the whole matrix $R$ (and not only the
vector $a$) were public, an attacker would not gain much information. In fact,
in this case, he could compute $x \cdot R = u \cdot G' \cdot R$. However, $R$
has rank zn, so $G' \cdot R$ is not invertible. Moreover, multiplication by
$G' \cdot R$ only provides a dimension-$z$ syndrome of $u$, whose decoding is
known to be a hard problem [3].
The most powerful attack procedures seem to be those techniques that attempt
information set decoding (ISD) on the public code; so we estimate the
security level of the proposed cryptosystem against them.
4.1 ISD attacks
In [4] the authors have proposed some smart speedup techniques to reduce the
Stern algorithm work factor (WF) over the binary field, this way obtaining a
theoretical WF close to $2^{60}$. Their attack was implemented on a big cluster
of computers that was able to break the McEliece cryptosystem with original
parameters ($n = 1024$, $k = 524$, $w = 50$). As a consequence, the authors
have proposed some new sets of system parameters in order to increase the
security level. The information set decoding attack is not polynomial in the
code dimension, since it aims at decoding a random linear code without
exploiting any structural property (even if present) and this task is
notoriously non-polynomial. One of the biggest improvements presented in [4] is
a smart way to find $k$ independent columns in the public generator matrix at
each iteration without performing Gaussian reduction on all such columns. A
further improvement consists in the pre-computation of the sum of some rows
during the reduction.
In [15], Peters points out that these speedups are efficient on very small
fields. As it results from the table available in [14], for $q > 16$ these
speedups are not relevant and the algorithm is quite similar to Stern's one.
The difference lies in guessing not only $p$ error positions but also $p$
error values in the $k$ independent columns, due to the field cardinality.
Finiasz and Sendrier have proposed a further improvement that could yield a
slight modification in the WF, resulting in a maximum increase of $2^6$ or a
maximum decrease close to $2^3$.
In Table 1 we report some values of the WF when using RS codes in the
variant of the McEliece cryptosystem we propose. They were computed through
the PARI/GP script available in [14], that allows the estimation of the security
level, although it is not extremely accurate (it can be about 4-8 times higher
than the actual value). The reported WF values are the lowest ones obtained
for each set of parameters. Based on Table 1, we can compare the proposed
cryptosystem with the instances of the McEliece system presented in [4].
Example 1. To reach WF $> 2^{80}$, the (1632, 1269) Goppa code is suggested,
resulting in a public-key size of 460647 bits (that is the lowest possible
value for this code, obtained by storing the non-systematic part of $H$, as in
the Niederreiter cryptosystem). With the new variant we can consider the RS
code with $n = 255$, $k = 195$, $t = 30$, having an estimated
WF $\approx 2^{86.06}$ and an actual WF $\approx 2^{84.18}$ (found through the
C program available in [14]). The public key size for this code, due to storing
the $195 \times 255$ matrix $G'$ and the $1 \times 255$ vector $a$, both with
elements over GF(256), is 399840 bits, that is about 13% less than (the minimum
size of) that obtained by the revised McEliece cryptosystem [4]. The security
level of the two systems remains comparable when the constraint expressed by
$a$ is imposed on the intentional error vectors of the modified cryptosystem.
In fact, as it will be shown in the next subsection, the introduction of each
constraint results in a decreased WF for the ISD attack of $2^3$ at most.
Example 2. As another example, we can consider the Goppa code suggested in
[4] to achieve WF $\geq 2^{128}$, which has $n = 2960$, $k = 2288$, yielding a
key length of 1537536 bits. An RS code with the same rate (0.77), defined over
GF(512), is reported in Table 1 and has $n = 511$, $k = 395$. The corresponding
key size for the proposed McEliece system is 1821204 bits (that is slightly
bigger than the one in the Niederreiter system proposed in [4]), but the
security level grows up to $2^{158.67}$ (more precisely, it is estimated as
$2^{155.89}$ with the C program from [14]). This value remains very high even
when we consider the presence of the constraint expressed by $a$ on the
intentional error vectors.
4.2 Exploiting the knowledge on error vectors
It is important to assess whether the constraints imposed on the intentional
error vectors used in the proposed cryptosystem have consequences on its
security. For this purpose, a conservative approach consists in considering, in
the WF computations, a reduced number of intentional errors, that is,
$t' = t - z$, where $z$ is the number of constraints we impose on the
intentional error vectors. This approach is conservative in the sense that we
assume that the attacker exactly knows both the position and value of $z$
errors, while he actually knows only their values. This has been done in
Table 2. As we can observe from the values obtained (and their comparison with
those reported in Table 1, corresponding to $z = 0$), we have a WF decrease
close to $2^3$ when $z$ is increased by 1. So, the security level for the
considered parameters does not vary significantly for low values of $z$.

Table 1. Work factor ($\log_2$) of ISD attacks on RS codes.

RS codes with $n = 127$ defined over GF(128)

| Rate | 0.75 | 0.73 | 0.72 | 0.70 | 0.69 | 0.67 | 0.65 | 0.64 | 0.62 | 0.61 | 0.59 | 0.57 | 0.56 | 0.54 | 0.53 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $t$ | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 |
| WF | 49.2 | 50.1 | 51.0 | 51.7 | 52.3 | 52.8 | 53.3 | 53.7 | 54.0 | 54.2 | 54.3 | 54.4 | 54.4 | 54.4 | 54.2 |

RS codes with $n = 255$ defined over GF(256)

| Rate | 0.81 | 0.80 | 0.78 | 0.76 | 0.75 | 0.73 | 0.72 | 0.70 | 0.69 | 0.67 | 0.65 | 0.64 | 0.62 | 0.61 | 0.59 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $t$ | 24 | 26 | 28 | 30 | 32 | 34 | 36 | 38 | 40 | 42 | 44 | 46 | 48 | 50 | 52 |
| WF | 79.0 | 81.6 | 83.9 | 86.1 | 87.9 | 89.6 | 91.1 | 92.4 | 93.5 | 94.4 | 95.2 | 95.8 | 96.2 | 96.5 | 96.7 |

RS codes with $n = 511$ defined over GF(512)

| Rate | 0.94 | 0.93 | 0.91 | 0.90 | 0.89 | 0.88 | 0.87 | 0.86 | 0.84 | 0.83 | 0.82 | 0.81 | 0.80 | 0.78 | 0.77 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $t$ | 16 | 19 | 22 | 25 | 28 | 31 | 34 | 37 | 40 | 43 | 46 | 49 | 52 | 55 | 58 |
| WF | 81.3 | 90.1 | 98.1 | 105.6 | 112.4 | 118.8 | 124.7 | 130.2 | 135.3 | 140.0 | 144.3 | 148.4 | 152.1 | 155.5 | 158.7 |

Table 2. Work factor ($\log_2$) of ISD attacks on RS codes with $n = 255$, defined over GF(256), when $z = 1$ or $z = 2$ constraints are imposed on the error vectors.

| Rate | 0.81 | 0.80 | 0.78 | 0.76 | 0.75 | 0.73 | 0.72 | 0.70 | 0.69 | 0.67 | 0.65 | 0.64 | 0.62 | 0.61 | 0.59 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $t$ | 24 | 26 | 28 | 30 | 32 | 34 | 36 | 38 | 40 | 42 | 44 | 46 | 48 | 50 | 52 |
| WF ($z = 1$) | 75.9 | 78.6 | 81.1 | 83.3 | 85.3 | 87.0 | 88.6 | 90.0 | 91.2 | 92.2 | 93.0 | 93.7 | 94.2 | 94.6 | 94.8 |
| WF ($z = 2$) | 72.8 | 75.6 | 78.2 | 80.5 | 82.6 | 84.5 | 86.1 | 87.6 | 88.9 | 89.9 | 90.9 | 91.6 | 92.2 | 92.6 | 92.9 |

5 Conclusion
We have introduced a variant of the McEliece cryptosystem that, by replacing
the secret permutation matrix with a more general transformation matrix,
prevents the public code from being permutation-equivalent to the secret code.
This makes it possible to prevent attacks against classical families of codes,
such as RS codes, and to reconsider them as possible good candidates in this
framework.
We have assessed the security level of the proposed cryptosystem by
considering up-to-date attack procedures, and we have compared it with the
classical McEliece cryptosystem and the Niederreiter variant. Our results show
that the proposed solution, by exploiting RS codes, is able to guarantee the
same security level with reduced key size or, equivalently, an increased
security level with a similar key size.
References
1. Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece
cryptosystem based on QC-LDPC codes. In: Security and Cryptography for
Networks, Lecture Notes in Computer Science, vol. 5229, pp. 246–262. Springer
Berlin / Heidelberg (2008)
2. Berger, T.P., Loidreau, P.: How to mask the structure of codes for a
cryptographic use. Designs, Codes and Cryptography 35, 63–79 (2005)
3. Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability
of certain coding problems. IEEE Trans. Inform. Theory 24(3), 384–386 (May 1978)
4. Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece
cryptosystem. In: Post-Quantum Cryptography, Lecture Notes in Computer Science,
vol. 5299/2008, pp. 31–46. Springer Berlin / Heidelberg (2008)
5. Gabidulin, E.M., Paramonov, A.V., Trejakov, O.V.: Ideals over a
non-commutative ring and their application in cryptography. D. W. Davies, Ed.,
Advances in Cryptology - EUROCRYPT 91, Lecture Notes in Computer Science 547,
Springer Verlag (1991)
6. Gabidulin, E.M., Kjelsen, O.: How to avoid the Sidel'nikov-Shestakov attack.
In: Error Control, Cryptology, and Speech Compression, Lecture Notes in
Computer Science, vol. 829, pp. 25–32. Springer Berlin / Heidelberg (1994)
7. Kabatiansky, G., Krouk, E., Semenov, S.: Error Correcting Coding and Security
for Data Networks: Analysis of the Superchannel Concept. John Wiley & Sons
(2005)
8. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory.
DSN Progress Report pp. 114–116 (1978)
9. Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check
codes in the McEliece cryptosystem. In: Proc. IEEE International Symposium on
Information Theory (ISIT 2000). p. 215. Sorrento, Italy (Jun 2000)
10. Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory.
Probl. Contr. and Inform. Theory 15, 159–166 (1986)
11. Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece
cryptosystems based on quasi-cyclic codes. In: Proc. First International
Conference on Symbolic Computation and Cryptography (SCC 2008). Beijing, China
(Apr 2008)
12. Ourivski, A., Gabidulin, E.: Column scrambler for the GPT cryptosystem.
Discrete Applied Mathematics 128, 207–221 (2003)
13. Overbeck, R.: Structural attacks for public key cryptosystems based on
Gabidulin codes. Journal of Cryptology 21(2), 280–301 (2008)
14. Peters, C.: (2010), http://www.win.tue.nl/~cpeters/isdfq.html
15. Peters, C.: Information-set decoding for linear codes over Fq. In: Sendrier,
N. (ed.) Post-Quantum Cryptography, Lecture Notes in Computer Science,
vol. 6061, pp. 81–94. Springer Berlin / Heidelberg (2010)
16. Rashwan, H., Gabidulin, E.M., Honary, B.: Security of the GPT cryptosystem
and its applications to cryptography. Security Comm. Networks (2010)
17. Umana, V.G., Leander, G.: Practical key recovery attacks on two McEliece
variants. In: Cid, C., Faugere, J.C. (eds.) Proc. 2nd Int. Conf. on Symbolic
Computation and Cryptography. pp. 27–44. Egham, UK (Jun 2010)
18. Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based
on GRS subcodes. In: Sendrier, N. (ed.) Post-Quantum Cryptography: PQCrypto
2010, LNCS, vol. 6061, pp. 61–72. Springer (2010)