
The McEliece Cryptosystem

Introduction
This public key cryptosystem, introduced by McEliece in 1978, is similar to the Merkle-Hellman knapsack cryptosystem in that it takes an easy case of an NP problem and disguises it to look like a hard instance of the problem. In this cryptosystem, the problem that is used is drawn from the theory of error-correcting codes.
The Problem
Syndrome decoding of linear codes (when considered as a decision problem) is an NP-complete problem if the number of errors is not bounded. However, there are classes of linear codes which have very fast decoding algorithms. The basic idea of the McEliece system is to take one of these linear codes and disguise it so that Oscar, when trying to decrypt a message, is forced to use syndrome decoding, while Bob, who set up the system, can remove the disguise and use the fast decoding algorithm. McEliece suggested using Goppa codes, which are linear codes with a fast decoding algorithm, in the system, but any linear code with a good decoding algorithm can be used.
The Cryptosystem
Let C be an [n,k]-linear code with a fast decoding algorithm that can correct t or fewer errors. Let G be a generator matrix for C. To create the disguise, let S be a k × k invertible matrix (the scrambler) and let P be an n × n permutation matrix (i.e., having a single 1 in each row and column and 0's everywhere else). The matrix
$$G' = SGP$$
is made public while S, G and P are kept secret by Bob. For Alice to send a message to Bob, she blocks her message into binary vectors of length k. If x is one such block, she randomly constructs a binary n-vector of weight t (that is, she randomly places t 1's in a zero vector of length n), calls it e, and then sends to Bob the vector
$$y = xG' + e.$$
Oscar, upon intercepting this message, would have to find the nearest codeword to y in the code generated by G'. This would involve calculating the syndrome of y and comparing it to the syndromes of all the error vectors of weight t. As there are $\binom{n}{t}$ of these error vectors, good choices of n and t will make this computation infeasible.
Bob, on the other hand, would calculate
$$yP^{-1} = (xG' + e)P^{-1} = xSG + eP^{-1} = xSG + e'$$
where e' is a vector of weight t (since $P^{-1}$ is also a permutation matrix). Bob now applies the fast decoding algorithm to strip off the error vector e' and get the code word (xS)G.
The vector xS can now be obtained by multiplying (xS)G on the right by $G^{-1}$, a right inverse of G (however, if Bob had been smart, he would have written G in standard form $[I_k \mid A]$, and then xS would just be the first k positions of xSG and this multiplication would not be needed). Finally, Bob gets x by multiplying xS on the right by $S^{-1}$.
For McEliece's Goppa code example, n = 1024 and t = 50, which gives Oscar more than $10^{80}$ syndromes to calculate.
An Example
For an example we shall use the (7,4) Hamming code, which corrects all single errors. A generator matrix for this code is given by (note the clever choice):
G =
1 0 0 0 1 1 0
0 1 0 0 1 0 1
0 0 1 0 0 1 1
0 0 0 1 1 1 1
and Bob chooses the scrambler matrix
S =
1 1 0 1
1 0 0 1
0 1 1 1
1 1 0 0
and the permutation matrix
P =
0 1 0 0 0 0 0
0 0 0 1 0 0 0
0 0 0 0 0 0 1
1 0 0 0 0 0 0
0 0 1 0 0 0 0
0 0 0 0 0 1 0
0 0 0 0 1 0 0
Bob makes public the generator matrix
G' = SGP =
1 1 1 1 0 0 0
1 1 0 0 1 0 0
1 0 0 1 1 0 1
0 1 0 1 1 1 0
If Alice wishes to send the message x = (1 1 0 1) to Bob, she first constructs a weight 1 error vector, say e = (0 0 0 0 1 0 0), and computes
y = xG' + e
  = (0 1 1 0 0 1 0) + (0 0 0 0 1 0 0)
  = (0 1 1 0 1 1 0)
which she then sends to Bob.
Upon receiving y, Bob first computes y' = yP^{-1}, where
P^{-1} =
0 0 0 1 0 0 0
1 0 0 0 0 0 0
0 0 0 0 1 0 0
0 1 0 0 0 0 0
0 0 0 0 0 0 1
0 0 0 0 0 1 0
0 0 1 0 0 0 0
obtaining y' = (1 0 0 0 1 1 1).
Now Bob decodes y' by the fast decoding algorithm (Hamming decoding in this example). The error occurs in position 7 (details omitted). Bob now has the code word y'' = (1 0 0 0 1 1 0). Because of the clever choice for G, Bob knows that xS = (1 0 0 0), and he can now obtain x by multiplying by the matrix
S^{-1} =
1 1 0 1
1 1 0 0
0 1 1 1
1 0 0 1
obtaining x = (1 0 0 0)S^{-1} = (1 1 0 1).
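The worked example above, carried out in code: this is an added illustration, not code from the original notes. It uses the notes' G, S and P, computes the public key G' = SGP over GF(2), encrypts x with the chosen error vector e, and decrypts by undoing P, correcting the single error by Hamming syndrome decoding, reading xS off the first k bits (G is in standard form), and applying S^{-1}. Pure Python; the parity-check matrix H is derived from G as H = [A^T | I_3].

```python
# Added example (not from the original notes): toy McEliece over GF(2)
# with the (7,4) Hamming code and the S, P of the worked example.

G = [[1,0,0,0,1,1,0],
     [0,1,0,0,1,0,1],
     [0,0,1,0,0,1,1],
     [0,0,0,1,1,1,1]]          # generator in standard form [I_4 | A]
S = [[1,1,0,1],[1,0,0,1],[0,1,1,1],[1,1,0,0]]         # k x k scrambler
P = [[0,1,0,0,0,0,0],[0,0,0,1,0,0,0],[0,0,0,0,0,0,1],[1,0,0,0,0,0,0],
     [0,0,1,0,0,0,0],[0,0,0,0,0,1,0],[0,0,0,0,1,0,0]]  # n x n permutation
S_INV = [[1,1,0,1],[1,1,0,0],[0,1,1,1],[1,0,0,1]]     # inverse of S over GF(2)

def matmul(a, b):
    """Product of two 0/1 matrices over GF(2)."""
    return [[sum(a[i][k] & b[k][j] for k in range(len(b))) % 2
             for j in range(len(b[0]))] for i in range(len(a))]

def vecmat(v, m):
    """Row vector times matrix over GF(2)."""
    return matmul([v], m)[0]

def transpose(m):
    return [list(col) for col in zip(*m)]

G_PUB = matmul(matmul(S, G), P)   # public key G' = SGP

def encrypt(x, e):
    """y = xG' + e, where e is the sender's weight-t error vector."""
    return [a ^ b for a, b in zip(vecmat(x, G_PUB), e)]

# Parity-check matrix for G = [I_4 | A] is H = [A^T | I_3]; syndrome = c H^T.
A_T = transpose([row[4:] for row in G])
H = [A_T[i] + [1 if i == j else 0 for j in range(3)] for i in range(3)]

def hamming_correct(c):
    """Single-error correction: a non-zero syndrome equals the column of H
    at the error position, so flip that bit."""
    s = vecmat(c, transpose(H))
    c = list(c)
    if any(s):
        c[transpose(H).index(s)] ^= 1
    return c

def decrypt(y):
    y1 = vecmat(y, transpose(P))   # P^{-1} = P^T for a permutation matrix
    y2 = hamming_correct(y1)       # strip e' with the fast decoder
    xS = y2[:4]                    # G in standard form: xS is the first k bits
    return vecmat(xS, S_INV)       # x = (xS) S^{-1}

if __name__ == "__main__":
    y = encrypt([1,1,0,1], [0,0,0,0,1,0,0])
    print("y =", y, "-> x =", decrypt(y))
```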
Drawbacks
There are three major concerns with the McEliece cryptosystem.
1. The size of the public key (G') is quite large. Using the Goppa code with parameters suggested by McEliece, the public key would consist of $2^{19}$ bits. This will certainly cause implementation problems.
2. The encrypted message is much longer than the plaintext message. This increase of the bandwidth makes the system more prone to transmission errors.
3. The cryptosystem can not be used for authentication or signature schemes because the encryption algorithm is not one-to-one and the total algorithm is truly asymmetric (encryption and decryption do not commute).
Security
The McEliece cryptosystem is considered to be fairly secure. However, in 1986 Rao and Nam proposed a variant of the system using only one matrix to disguise the problem, and the following year Struik and Tilburg showed how to break the Rao-Nam system.
Goppa Codes
Although we will not describe the Goppa codes here, we will present a few facts about them.
For each irreducible polynomial of degree t over $GF(2^m)$ there corresponds a binary, irreducible Goppa code of length $n = 2^m$, dimension $k \geq n - tm$ and minimum distance $d \geq 2t+1$. A fast decoding algorithm, with running time nt, exists. Goppa codes are easily set up once the irreducible polynomial is found. This is not difficult since there are about $2^{mt}/t$ irreducible polynomials of degree t over $GF(2^m)$. So, a random polynomial of degree t over $GF(2^m)$ will be irreducible with probability 1/t. Since there is a fast algorithm for testing irreducibility, one can find one quickly by simply guessing and testing.
