Key Reduction of McElieces Cryptosystem Using List Decoding

Different variants of the code-based McEliece cryptosystem were proposed to reduce the size of the public key. All these variants use very structured codes, which open the door to new attacks exploiting the underlying structure. In this paper, we s…

Authors: Morgan Barbier, Paulo S. L. M. Barreto

Morgan Barbier (Computer Science laboratory of École Polytechnique - LIX - INRIA Saclay - Île-de-France, morgan.barbier@lix.polytechnique.fr)
Paulo S. L. M. Barreto (Department of Computer and Digital Systems Engineering - Escola Politécnica, University of São Paulo, Brazil, pbarreto@larc.usp.br)

Abstract

Different variants of the code-based McEliece cryptosystem were proposed to reduce the size of the public key. All these variants use very structured codes, which open the door to new attacks exploiting the underlying structure. In this paper, we show that the dyadic variant can be designed to resist all known attacks. In light of a new study on list decoding algorithms for binary Goppa codes, we explain how to increase the security level for given public keysizes. Using the state-of-the-art list decoding algorithm instead of unique decoding, we exhibit a keysize gain of about 4% for the standard McEliece cryptosystem and up to 21% for the adjusted dyadic variant.

1 Introduction

The past few years have seen a renewed interest in code-based cryptosystems due to their resistance to known quantum attacks [9]. The famous McEliece asymmetric cryptosystem [19] is perhaps the most studied of them. The private key is the generator matrix of a code C and the public key is obtained from this generator matrix by a permutation of its columns followed by a multiplication by a random invertible matrix. This public key is thus a generator matrix of a code C' equivalent to C. Encryption consists in encoding the plaintext into a codeword c' ∈ C' using the public key and randomly adding as many errors as the decoding algorithm of C can correct. Decryption consists in decoding the ciphertext over C, thanks to the private key. The McEliece cryptosystem delivers high encryption and decryption speeds compared to other systems like RSA [20] but suffers from the large size of the associated keys, which makes it unpractical. Lately, a lot of effort has been put into the design of variants based on different code families in order to reduce the size of the keys.

For example, in 2008, a solution was proposed for signature schemes using double-circulant matrices [1]. In [4], the authors proposed a key reduction for the McEliece cryptosystem using quasi-cyclic alternant codes. The same year, a method using the sub-family of classical binary Goppa codes called quasi-dyadic codes was introduced in [20], adapting the idea from [4]. Another key reduction technique formulated in [5] hides the structure of a subcode of generalized Reed-Solomon codes. Generally speaking, all of these key reduction techniques involve the introduction of some kind of additional structure. As a cryptographic rule of thumb, the presence of unneeded structure is often seen as a potential angle of attack. Indeed, cryptanalysts quickly proposed new structural attacks against the aforementioned variants [14, 23, 27]. Roughly speaking, we can distinguish between two types of attacks. The first type tries to recover the plaintext from the ciphertext without knowledge of the private key. It is clear that increasing the number of errors during the encryption step will make this kind of attack more difficult. Bernstein, Lange and Peters contributed to assessing the effectiveness of such attacks in [11] by giving an asymptotic analysis of different decoding algorithms for code-based cryptography. Moreover, working within a strict complexity model, Finiasz and Sendrier exhibited lower bounds for system designers [15] by taking into account the costs of the best decoding attacks [27]. The second type of attack consists in retrieving the private key from the available public one.
Such an attack was recently introduced in [14] and boils down to computing a Gröbner basis to find the structure of an alternant code. The McEliece variant with the parameters proposed in [4] is considered to be broken by this attack. While the dyadic instance from [20] is also vulnerable, this variant can be made more robust as shown in Section 3.

This paper is organised as follows. Section 2 is devoted to the decoding of binary Goppa codes, more precisely to the correction radius of different decoding algorithms. In Section 3 we show how the dyadic variant can be made more secure against [14] and present our results on keysize reduction obtained using the best known list decoding algorithm for the classical and modified, hardened variants of the McEliece cryptosystem.

2 List decoding of binary Goppa codes

Since a major part of the cryptanalysis of code-based cryptography is intimately linked to error correction, a natural idea is to add as many errors as possible during the encryption step, provided that the recipient is still able to correct them. Decoding a random code is a hard problem; indeed it was shown that decoding general codes is NP-complete [6]. The McEliece cryptosystem originally used binary Goppa codes. Some variants are based on different types of codes (e.g. [5]), but most of them have been broken (e.g. [23]). In the following, we briefly recall the state of the art of the decoding of binary Goppa codes, which are perhaps the most promising for McEliece cryptosystems.

The first algebraic decoding algorithm for classical Goppa codes was proposed by Patterson in 1975 [25]. This algorithm, basically a variation of the Berlekamp-Massey algorithm [7], runs in quadratic time in the code length. Patterson's method performs an unambiguous decoding, up to the error capacity t of the code.
Since classical Goppa codes are alternant, that is, they are subfield subcodes of generalised Reed-Solomon codes [18], we are able to perform the well-known Guruswami-Sudan list decoding (GS-LD) algorithm [16]. This method makes it possible to correct up to the generic Johnson bound, given by

$$n\left(1 - \sqrt{1 - \frac{2t}{n}}\right)$$

errors, which is larger than t (see Figure 1). Consequently, this type of decoding does not ensure the uniqueness of the returned codewords anymore. The GS-LD algorithm is not originally tailored to binary Goppa codes. Using specific properties of binary Goppa codes, Bernstein was able to extend Patterson's algorithm to perform a list decoding up to

$$n\left(1 - \sqrt{1 - \frac{2t + 2}{n}}\right)$$

errors [8], which is larger than the generic Johnson bound. Recently, a technical report [2] revisited previous works to exhibit a list decoding algorithm for square-free binary Goppa codes which decodes up to the binary Johnson bound, given by

$$\tau_2 = \frac{n}{2}\left(1 - \sqrt{1 - \frac{4t + 2}{n}}\right),$$

which is larger than the two former bounds. As shown in Figure 1, the closer the normalized distance is to 0.5, the better the binary Johnson bound is compared to the others. We will show in Section 3 that using binary Goppa codes with normalized minimum distances closer to 0.5 makes it possible to correct more errors and ultimately to reduce the size of the keys.

List decoding algorithms basically involve two steps. The first stage finds, by interpolation, a bivariate polynomial connecting the received word with the support of the code. The second step consists in finding the roots of this polynomial. The cost of the algorithm from [2] is dominated by the interpolation step. This algorithm has an overall complexity of $O(n^2 \epsilon^{-5})$ and corrects up to $(1 - \epsilon)\tau_2$ errors, where $\tau_2$ is the binary Johnson bound.
Decoding $\tau_2$ errors is obviously prohibitively expensive, but trade-offs between running time and number of corrected errors are easily achieved, making it possible to keep the cost of list decoding under control.

The classical McEliece or, equivalently, the Niederreiter cryptosystems [17, 21] suffer from chosen ciphertext attacks [28]. Indeed, since a given plaintext can be encrypted to give different ciphertexts, an attacker could compare these different ciphertexts to extract the original plaintext. Different methods were proposed to make these cryptosystems more robust to chosen ciphertext attacks [13, 24, 26], leading to so-called CCA2-secure variants. When adding more errors than can be uniquely corrected, the decryption step will return a list of potential plaintexts. As already remarked in [10], CCA2-secure variants make it possible to distinguish the original plaintext among all candidates returned by the list decoding algorithm used in the decryption process. Consequently, it is possible to make the task of an attacker much more difficult by adding more errors than the correction capacity. Using CCA2-secure variants and a state-of-the-art list decoding algorithm, these extra errors only add a small burden on the recipient to find the original plaintext.

[Figure 1: Comparison between the unambiguous decoding, generic and binary Johnson's bounds. Horizontal axis d/n (normalized distance), vertical axis e/n (normalized correction capacity), both ranging from 0 to 0.5; curves: unique decoding bound, general Johnson bound, binary Johnson bound.]

3 Key reduction

Encrypting and decrypting with the McEliece cryptosystem is significantly faster than with more widespread cryptosystems based on number theory such as the ubiquitous RSA [20]. The main and perhaps only handicap holding back the McEliece cryptosystem is the substantially larger size of the public keys.
We propose to address this problem not by using a well structured code, as is often the case, but by adding as many errors as permitted by the best known list decoding algorithm [2]. For a given keysize, this increases the security level. Symmetrically, this makes it possible to use shorter keys while keeping a similar security level. Using a list decoding algorithm can thus lead to shorter keys at the expense of a moderately increased decryption time.

We focus on the family of square-free binary Goppa codes, which includes the traditionally used family of irreducible binary Goppa codes. In this case the error capacity t is equal to r, the degree of the Goppa polynomial. The algorithm decoding the largest number of errors for these codes is studied in [2]. This list decoding algorithm works for all alternant codes, but using Proposition 1 improves the correction radius and leads to even shorter keys. We numerically searched for code parameters yielding short keys and correcting up to $\lceil \tau_2 \rceil - 1$ errors. We illustrate the benefits of list decoding by presenting examples for both the generic and dyadic variants.

3.1 Generic variant

Tables 1, 2 and 3 show the keysize reduction obtained using the best known list decoding algorithm [2], for workfactors (WF) equal to $2^{80}$, $2^{112}$, $2^{192}$ and $2^{256}$. For each workfactor, McEliece keysizes are given for Unambiguous Decoding (U.D.) and List Decoding (L.D.). The involved codes are defined by m, the degree of the extension where G and L are defined, the length n, the dimension k, the degree r of the Goppa polynomial G, and $\tau_2$, the binary Johnson bound reached by the list decoding algorithm. The workfactors have been estimated using the complexity model and the lower bounds given in [15].
Table 1: Comparison between the public keysize of the generic McEliece cryptosystem using unambiguous and list decoding for given workfactors.

Method  m   n     k     r    τ2   WF (log2)  Keysize (bits)  Gain (%)
U.D.    11  1893  1431  42   -    80.025     661122
L.D.    11  1876  1436  40   41   80.043     631840          4.43
U.D.    12  2887  2191  58   -    112.002    1524936
L.D.    12  2868  2196  58   59   112.026    1475712         3.23
U.D.    12  3307  2515  66   -    128.007    1991880
L.D.    12  3262  2482  65   66   128.021    1935960         2.81
U.D.    13  5397  4136  97   -    192.003    5215496
L.D.    13  5269  4021  96   98   192.052    5018208         3.78
U.D.    13  7150  5447  131  -    256.002    9276241
L.D.    13  7008  5318  130  133  257.471    8987420         3.11

Table 1 refers to the generic McEliece system, where the size of the public keys is given by (n − k) × k = mkr. As shown in Figure 1, using a list decoding algorithm is all the more interesting as the normalized minimum distance (2r + 1)/n gets closer to 0.5, which apparently has an adverse effect on the keysize. However, even in this unfavorable case, we were still able to exhibit a keysize reduction of about 4%.

3.2 Dyadic case

The attack proposed by Faugère, Otmani, Perret and Tillich in [14] uses Gröbner basis computations to recover the private key from the sole knowledge of the public one. It was specifically designed to break the compact-key McEliece variants proposed in [4, 20], which use the structure of alternant codes. The variant proposed in [20] uses binary Goppa codes in dyadic form, which are also alternant codes. The attack in [14] thus applies and can recover an equivalent private key in alternant code form. However, this is not sufficient to break the system when using Goppa codes. Indeed, the attack does not directly retrieve the Goppa polynomial G of degree r, which is crucial to decode [2, 25], but finds a generator matrix of an alternant code without a Goppa structure and with designed minimum distance r + 1.
However, when using a Goppa code, the private key is a generator matrix of a code with designed minimum distance 2r + 1 thanks to the following proposition, demonstrated in [2, 12]:

Proposition 1. Let G be a square-free polynomial over $\mathbb{F}_{2^m}$ and L be a list of n elements of $\mathbb{F}_{2^m}$ which are not roots of G. Then $\Gamma(L, G) = \Gamma(L, G^2)$, where $\Gamma(L, G)$ is the Goppa code generated by L and G.

The direct consequence is that the attacker won't be able to decode. Indeed, this attack retrieves n/r variables Y and n variables X such that $Y_i = G(X_i)^{-1}$. In order to protect against a potential interpolation of the Goppa polynomial G of degree r, we impose that r + 1 > n/r, that is, r(r + 1) > n. Consequently, this attack does not totally break the McEliece variant based on dyadic forms. Moreover, as stated in [14], the attack becomes impractical, for the moment, when the extension degree m is greater than 16. Working with such an extension degree slightly increases the public keysize of McEliece compared to the parameters proposed in [20], while staying drastically smaller than with the generic form, as shown in Tables 1, 2 and 3.

Table 2: Comparison between the public keysize of the dyadic McEliece cryptosystem with r(r + 1) > n using unambiguous and list decoding for given workfactors.

Method  m   n      k     r    τ2   WF (log2)  Keysize (bits)  Gain (%)
U.D.    11  1792   1088  64   -    82.518     11968
L.D.    11  1728   1024  64   67   82.976     11264           5.88
U.D.    12  2944   1408  128  -    116.735    16896
L.D.    13  2816   1280  128  134  113.896    15360           9.09
L.D.    13  7680   1024  512  552  113.084    13312           21.21
U.D.    12  3200   1664  128  -    131.235    19968
L.D.    12  3072   1536  128  134  129.745    18432           7.69
U.D.    13  5888   2560  256  -    205.804    33280
L.D.    13  5632   2304  256  269  199.473    29952           10.00
U.D.    15  11264  3584  512  -    279.002    53760
L.D.    15  10752  3072  512  539  258.223    46080           14.29

Table 3: Comparison between the public keysize of the dyadic McEliece cryptosystem with m ≥ 16 using unambiguous and list decoding for given workfactors.

Method  m   n      k     r     τ2    WF (log2)  Keysize (bits)  Gain (%)
U.D.    16  5120   1024  256   -     81.765     16384
L.D.    16  5120   1024  256   134   86.216     16384           0
U.D.    16  3840   1792  128   -     113.785    28672
L.D.    16  5632   1536  256   269   116.400    24576           14.29
U.D.    16  5888   1792  256   -     132.470    28672
L.D.    16  9728   1536  512   542   133.534    24576           14.29
U.D.    16  10752  2560  512   -     199.067    40960
L.D.    16  10752  2560  512   539   209.414    40960           0
U.D.    16  11776  3584  512   -     264.846    57344
L.D.    16  19456  3072  1024  1085  267.203    49152           14.29

In Table 2, we look at the case of the dyadic variant with countermeasure r(r + 1) > n. The size of the public key now becomes mk [20], removing the conflicting constraints on r. Key reduction up to 21% can now be achieved. Finally, results on the dyadic variant with countermeasure m ≥ 16 are presented in Table 3. As previously discussed, we expect better reductions than in the generic case. Indeed, our experiments showed a key reduction of more than 14%. Note that in this case, the degree r of the Goppa polynomial is the same as the dimension k of the code. This is easily explained: the large extension degree becomes such a strong constraint on the parameters that it removes all freedom when choosing the code dimension.

Table 4 displays the recommended keysizes for cryptosystems based on the Discrete Logarithm Problem over finite fields (DLP), for different security levels [3, 22]. For the sake of comparison, we also include the smallest keysizes obtained with McEliece variants, although in all impartiality it should be stressed that we lack sufficient perspective to correctly assess the true security level of these fairly new variants.
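As an added example (not code from the paper), the following Python evaluates the three decoding radii of Section 2 and the keysize formulas of Section 3 on parameter sets copied from Tables 1 and 2; the function names and the `PAIRS` grouping are my own, and t = r is assumed as in the text.

```python
"""Decoding radii and McEliece public-key sizes from the paper's formulas.

Added example, not code from the paper.  It evaluates the bounds of
Section 2 and the keysize formulas of Section 3 on parameter sets copied
from Tables 1 and 2, so the printed gains can be checked against them.
"""
import math


def generic_johnson(n: int, t: int) -> float:
    """Guruswami-Sudan radius for an alternant code: n(1 - sqrt(1 - 2t/n))."""
    return n * (1 - math.sqrt(1 - 2 * t / n))


def bernstein_radius(n: int, t: int) -> float:
    """Bernstein's extension of Patterson [8]: n(1 - sqrt(1 - (2t+2)/n))."""
    return n * (1 - math.sqrt(1 - (2 * t + 2) / n))


def binary_johnson(n: int, t: int) -> float:
    """Binary Johnson bound tau_2 = (n/2)(1 - sqrt(1 - (4t+2)/n))."""
    return (n / 2) * (1 - math.sqrt(1 - (4 * t + 2) / n))


def list_radius(n: int, t: int) -> int:
    """Errors the paper actually adds with list decoding: ceil(tau_2) - 1."""
    return math.ceil(binary_johnson(n, t)) - 1


def generic_keysize(m: int, k: int, r: int) -> int:
    """Generic variant: (n - k) * k = m*k*r bits, since n - k = m*r."""
    return m * k * r


def dyadic_keysize(m: int, k: int) -> int:
    """Dyadic variant [20]: m*k bits."""
    return m * k


def resists_interpolation(n: int, r: int) -> bool:
    """Section 3.2 countermeasure: r + 1 > n/r, i.e. r(r + 1) > n."""
    return r * (r + 1) > n


def gain_percent(ud_bits: int, ld_bits: int) -> float:
    return 100.0 * (ud_bits - ld_bits) / ud_bits


# (variant, m, n, k, r) pairs copied from the tables: unique decoding row
# followed by the list decoding row it is compared against.
PAIRS = [
    (("generic", 11, 1893, 1431, 42), ("generic", 11, 1876, 1436, 40)),  # Table 1
    (("dyadic", 11, 1792, 1088, 64), ("dyadic", 11, 1728, 1024, 64)),    # Table 2
    (("dyadic", 12, 2944, 1408, 128), ("dyadic", 13, 7680, 1024, 512)),  # Table 2
]


def keysize(variant: str, m: int, n: int, k: int, r: int) -> int:
    return generic_keysize(m, k, r) if variant == "generic" else dyadic_keysize(m, k)


def compare(ud: tuple, ld: tuple) -> dict:
    """Keysize gain of a list-decoding parameter set over its unique-decoding one."""
    _, _, n, _, r = ld
    return {
        "ud_bits": keysize(*ud),
        "ld_bits": keysize(*ld),
        "errors_ud": ud[4],                  # Patterson corrects exactly t = r
        "errors_ld": list_radius(n, r),      # ceil(tau_2) - 1, as in the tables
        "gain": round(gain_percent(keysize(*ud), keysize(*ld)), 2),
        "countermeasure": resists_interpolation(n, r),
    }


if __name__ == "__main__":
    for ud, ld in PAIRS:
        c = compare(ud, ld)
        print(f"{ld[0]:8s} n={ld[2]:5d} r={ld[4]:4d}: "
              f"errors {c['errors_ud']} -> {c['errors_ld']}, "
              f"keysize {c['ud_bits']} -> {c['ld_bits']} ({c['gain']}%), "
              f"r(r+1)>n: {c['countermeasure']}")
```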
While the keysizes for the McEliece cryptosystem are still larger than their discrete logarithm counterparts, the gap significantly narrows at higher security levels. Moreover, the costs for McEliece encryption and decryption rise much more slowly with the security level than they do with DLP-based or RSA systems [20].

Table 4: Key size comparison between cryptosystems based on discrete logarithm over finite fields and the McEliece cryptosystem using list decoding.

Security level  Discrete Logarithm (bits)  McEliece (bits)  Ratio
80              1024                       11264            11.0
112             2048                       13312            6.5
128             3072                       18432            6.0
192             7680                       29952            3.9
256             15360                      46080            3.0

4 Conclusion

In light of the recent study on the list decoding of binary Goppa codes [2], we compared the size of public keys for different variants of the McEliece cryptosystem. We showed that using list decodable codes in McEliece cryptosystems delivers compelling benefits. We explained how to secure the dyadic variant against currently known attacks while reducing the size of the keys using list decoding. For example, for a workfactor of $2^{80}$, list decoding lowers the public keysize from 661,122 bits for the generic variant to 11,264 bits for the dyadic variant. It is worth mentioning that, contrary to previous attempts at reducing McEliece keysizes, using list decoding does not introduce any additional structure that could be used to attack the system.

Acknowledgements

The authors would like to thank Matthieu Finiasz, Jérôme Milan, Rafael Misoczki and Ayoub Otmani for stimulating discussions and improving the editorial quality, and to express their gratitude to Nicolas Sendrier, who kindly let us build on his software. The second author (P. Barreto) is supported by the Brazilian National Council for Scientific and Technological Development (CNPq) under research productivity grant 303163/2009-7.
References

[1] Carlos Aguilar Melchor, Pierre-Louis Cayrel, and Philippe Gaborit. A new efficient threshold ring signature scheme based on coding theory. In Johannes Buchmann and Jintai Ding, editors, Post-Quantum Cryptography, volume 5299 of Lecture Notes in Computer Science, pages 1–16. Springer Berlin / Heidelberg, 2008.
[2] Daniel Augot, Morgan Barbier, and Alain Couvreur. List-decoding of binary Goppa codes up to the binary Johnson bound. Technical report, INRIA Saclay, 2010.
[3] Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid. Recommendation for key management part 1: General (revised). NIST Special Publication 800-57, (1/3):1–142, 2007.
[4] Thierry Berger, Pierre-Louis Cayrel, Philippe Gaborit, and Ayoub Otmani. Reducing key length of the McEliece cryptosystem. In Bart Preneel, editor, Progress in Cryptology – AFRICACRYPT 2009, volume 5580 of Lecture Notes in Computer Science, pages 77–97. Springer Berlin / Heidelberg, 2009.
[5] Thierry P. Berger and Pierre Loidreau. How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography, 35:63–79, 2005.
[6] Elwyn Berlekamp, Robert McEliece, and Henk van Tilborg. On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3):384–386, May 1978.
[7] Elwyn Berlekamp. Algebraic coding theory. Aegean Park Press, 2nd edition, 1984.
[8] Daniel Bernstein. List decoding for binary Goppa codes. http://cr.yp.to/codes/goppalist-20081107.pdf, 2008.
[9] Daniel Bernstein, Johannes Buchmann, and Erik Dahmen, editors. Post-Quantum Cryptography. Springer Berlin / Heidelberg, 2009.
[10] Daniel Bernstein, Tanja Lange, and Christiane Peters. Attacking and defending the McEliece cryptosystem. In Johannes Buchmann and Jintai Ding, editors, Post-Quantum Cryptography, volume 5299 of Lecture Notes in Computer Science, pages 31–46. Springer Berlin / Heidelberg, 2008.
[11] Daniel Bernstein, Tanja Lange, and Christiane Peters. Explicit bounds for generic decoding algorithms for code-based cryptography. WCC 2009, pages 168–180, May 2009.
[12] Daniel Bernstein, Tanja Lange, and Christiane Peters. Wild McEliece. Cryptology ePrint Archive, Report 2010/410, 2010. Accepted at SAC 2010.
[13] Daniela Engelbert, Raphael Overbeck, and Arthur Schmidt. A summary of McEliece-type cryptosystems and their security. Cryptology ePrint Archive, Report 2006/162, 2006.
[14] Jean-Charles Faugère, Ayoub Otmani, Ludovic Perret, and Jean-Pierre Tillich. Algebraic cryptanalysis of McEliece variants with compact keys. In Henri Gilbert, editor, Advances in Cryptology – EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science, pages 279–298. Springer Berlin / Heidelberg, 2010.
[15] Matthieu Finiasz and Nicolas Sendrier. Security bounds for the design of code-based cryptosystems. In Mitsuru Matsui, editor, Advances in Cryptology – ASIACRYPT 2009, volume 5912 of Lecture Notes in Computer Science, pages 88–105. Springer Berlin / Heidelberg, 2009.
[16] Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Transactions on Information Theory, 45(6):1757–1767, 1999.
[17] Yuan Xing Li, R. H. Deng, and Xin Mei Wang. On the equivalence of McEliece's and Niederreiter's public-key cryptosystems. IEEE Transactions on Information Theory, 40(1):271–273, January 1994.
[18] Florence Jessie MacWilliams and Neil James Alexander Sloane. The theory of error-correcting codes. II. North-Holland Publishing Co., Amsterdam, 1977. North-Holland Mathematical Library, Vol. 16.
[19] Robert McEliece. A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report, 44:114–116, 1978.
[20] Rafael Misoczki and Paulo Barreto. Compact McEliece keys from Goppa codes. Cryptology ePrint Archive, Report 2009/187, 2009.
[21] Harald Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory, 15(2):159–166, 1986.
[22] Hilarie Orman and Paul Hoffman. Determining Strengths For Public Keys Used For Exchanging Symmetric Keys. Purple Streak Development and VPN Consortium, April 2004.
[23] Ayoub Otmani, Jean-Pierre Tillich, and Léonard Dallot. Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. Mathematics in Computer Science, 3:129–140, 2010.
[24] Raphael Overbeck and Nicolas Sendrier. Code-based cryptography. In Daniel Bernstein, Johannes Buchmann, and Erik Dahmen, editors, Post-Quantum Cryptography, pages 95–145. Springer Berlin / Heidelberg, 2009.
[25] Nicholas Patterson. The algebraic decoding of Goppa codes. IEEE Transactions on Information Theory, 21(2):203–207, March 1975.
[26] David Pointcheval. Chosen-ciphertext security for any one-way cryptosystem. In Hideki Imai and Yuliang Zheng, editors, Public Key Cryptography, volume 1751 of Lecture Notes in Computer Science, pages 129–146. Springer Berlin / Heidelberg, 2000.
[27] Jacques Stern. A method for finding codewords of small weight. In Gérard Cohen and Jacques Wolfmann, editors, Coding Theory and Applications, volume 388 of Lecture Notes in Computer Science, pages 106–113. Springer Berlin / Heidelberg, 1989.
[28] Eric Verheul, Jeroen Doumen, and Henk van Tilborg. Sloppy Alice attacks! Adaptive chosen ciphertext attacks on the McEliece public-key cryptosystem. In Information, coding and mathematics: proceedings of workshop honoring Prof. Bob McEliece on his 60th birthday, edited by Mario Blaum, pages 99–119, Boston, 2002. Kluwer Academic Publishers.
