The McEliece Cryptosystem Resists Quantum Fourier Sampling Attacks
Quantum computers can break the RSA and El Gamal public-key cryptosystems, since they can factor integers and extract discrete logarithms. If we believe that quantum computers will someday become a reality, we would like to have post-quantum cryptosystems which can be implemented today with classical computers, but which will remain secure even in the presence of quantum attacks. In this article we show that the McEliece cryptosystem over well-permuted, well-scrambled linear codes resists precisely the attacks to which the RSA and El Gamal cryptosystems are vulnerable, namely, those based on generating and measuring coset states. This eliminates the approach of strong Fourier sampling on which almost all known exponential speedups by quantum algorithms are based. Specifically, we show that the natural case of the Hidden Subgroup Problem to which the McEliece cryptosystem reduces cannot be solved by strong Fourier sampling, or by any measurement of a coset state. We start with recent negative results on quantum algorithms for Graph Isomorphism, which are based on particular subgroups of size two, and extend them to subgroups of arbitrary structure, including the automorphism groups of linear codes. This allows us to obtain the first rigorous results on the security of the McEliece cryptosystem in the face of quantum adversaries, strengthening its candidacy for post-quantum cryptography.
💡 Research Summary
The paper addresses a central question in post‑quantum cryptography: whether the McEliece public‑key cryptosystem, which is based on error‑correcting linear codes, can withstand the class of quantum attacks that break RSA and El Gamal. Those classical schemes fall because quantum algorithms efficiently solve the (abelian) Hidden Subgroup Problem (HSP) instances behind integer factorisation and discrete logarithms: the algorithm prepares a coset state and extracts the hidden subgroup by strong Fourier sampling. The authors show that the McEliece scheme, when instantiated with “well‑permuted, well‑scrambled” codes, is immune to exactly this line of attack.
The analysis proceeds in several steps. First, the authors formalise the reduction of breaking McEliece to an HSP instance: an adversary who wants to recover the secret key from the public generator matrix, i.e. to find the secret scrambler and coordinate permutation that hide the structured code, must solve a code‑equivalence problem, and the hidden subgroup in the corresponding HSP instance is determined by the automorphism group Aut(C) of the underlying code C (the secret is only defined up to Aut(C), since composing it with an automorphism yields the same public key). In the quantum setting, the standard approach would be to generate a uniform superposition over a left coset gH of the hidden subgroup H, yielding a coset state |ψ_{gH}⟩ = (1/√|H|)∑_{h∈H}|gh⟩, and then to perform a measurement that extracts information about H. All known exponential quantum speedups of this kind (Shor’s factoring and discrete‑logarithm algorithms, Simon’s algorithm, many hidden‑shift algorithms) rely on strong Fourier sampling of such states.
The paper’s core technical contribution is a negative result that extends recent impossibility proofs for Graph Isomorphism (which involve hidden subgroups of size two) to arbitrary subgroups, including the often large and non‑abelian automorphism groups of linear codes. The bound is expressed in terms of the representation theory of the ambient group: when the ambient group’s irreducible representations are mostly of high dimension and the elements of the hidden subgroup H have small normalised characters on those representations (as permutations that move many coordinates do in the symmetric group), the density matrix of the coset state, written in the Fourier basis, is close to the one obtained for the trivial subgroup. Consequently, any measurement that first applies the quantum Fourier transform and then samples a basis element yields an outcome distribution that is statistically indistinguishable from the distribution obtained when no subgroup is hidden at all, so the measurement reveals essentially nothing about H.
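The mechanism behind this bound can be seen already in the simplest case, weak Fourier sampling, where only the representation label is measured. The following derivation is an added worked example in standard notation, not taken from the paper (the paper treats the stronger measurement that also reads the matrix indices); $d_\rho$ and $\chi_\rho$ denote the dimension and character of the irreducible representation $\rho$ of the ambient group $G$.

The adversary holds the mixed state over all cosets,
$$\rho_H=\frac{1}{|G|}\sum_{g\in G}|gH\rangle\langle gH|,\qquad |gH\rangle=\frac{1}{\sqrt{|H|}}\sum_{h\in H}|gh\rangle ,$$
and applies the quantum Fourier transform $|g\rangle\mapsto\sum_{\rho}\sqrt{d_\rho/|G|}\sum_{i,j}\rho(g)_{ij}\,|\rho,i,j\rangle$. Measuring the label $\rho$ gives
$$\Pr[\rho\mid H]=\frac{d_\rho}{|G|}\sum_{h\in H}\chi_\rho(h),\qquad\text{while for the trivial subgroup}\qquad \Pr[\rho\mid\{1\}]=\frac{d_\rho^{2}}{|G|}.$$
(The first expression sums to $1$ because $\sum_\rho d_\rho\chi_\rho(h)=|G|\cdot[h=1]$.) Splitting off the identity term, $\sum_{h\in H}\chi_\rho(h)=d_\rho+\sum_{h\neq 1}\chi_\rho(h)$, so the total variation distance between the two outcome distributions is
$$\frac12\sum_\rho\bigl|\Pr[\rho\mid H]-\Pr[\rho\mid\{1\}]\bigr|
=\frac12\sum_\rho\frac{d_\rho^{2}}{|G|}\,\Bigl|\sum_{h\in H,\,h\neq 1}\frac{\chi_\rho(h)}{d_\rho}\Bigr|
\le\frac12\sum_\rho\frac{d_\rho^{2}}{|G|}\sum_{h\in H,\,h\neq 1}\frac{|\chi_\rho(h)|}{d_\rho}.$$
The weight $d_\rho^2/|G|$ is the Plancherel distribution, which for large symmetric groups concentrates on high‑dimensional representations, and the normalised character $|\chi_\rho(h)|/d_\rho$ of a permutation $h$ shrinks with the number of points $h$ moves. A hidden subgroup all of whose non‑identity elements move many coordinates therefore produces a label distribution exponentially close to the trivial one, which is the quantitative content of the "well‑permuted" condition for the permutation part of the automorphism group.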
To make this bound applicable to McEliece, the paper defines the notions of well‑permuted and well‑scrambled codes. These are conditions on the automorphism group of the code itself, not on the random scrambler and permutation chosen at key generation (those are conjugations that do not change the structure of Aut(C)). Roughly, a code is well‑permuted when every non‑identity permutation in its automorphism group moves many coordinate positions, and well‑scrambled when the invertible matrices arising in its automorphism group are likewise far from the identity, so that no non‑trivial automorphism fixes a large part of the code. Under these conditions the hidden subgroup sits inside a highly non‑abelian ambient group (built from the symmetric group and the general linear group) whose representation theory satisfies the dimension and character bounds above, and hence the associated HSP cannot be solved by any strong Fourier sampling strategy.
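The two objects the reduction turns on, the public key SGP and the automorphism group of the secret code, can be made concrete on a toy instance. The block below is an added example and not code from the paper: it builds McEliece keys over GF(2) from a constructed [7,4] Hamming generator matrix (far too small to be secure; the point is the structure), checks that the public key is just a permuted copy of the secret code, and computes the permutation part of Aut(C) by brute force together with its minimal degree (the fewest coordinates moved by a non‑identity automorphism). Reading "well‑permuted" as "large minimal degree" is this example's own operational interpretation, not a quotation of the paper's definition.

```python
"""Toy McEliece key generation and permutation-automorphism check over GF(2).

Added example (not from the paper). The [7,4] Hamming generator below is a
constructed input; its automorphism group is the well-known group of order 168.
"""
import itertools
import random

# Constructed [7,4] Hamming code, systematic form [I | A].
HAMMING_G = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]


def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]


def rank(M):
    """Rank over GF(2) by Gaussian elimination (does not modify M)."""
    M = [row[:] for row in M]
    r = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [x ^ y for x, y in zip(M[i], M[r])]
        r += 1
    return r


def random_invertible(k, rng):
    """Random k x k invertible matrix over GF(2): the McEliece scrambler S."""
    while True:
        S = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
        if rank(S) == k:
            return S


def permutation_matrix(perm):
    """P with P[i][perm[i]] = 1, so (w P)[perm[i]] = w[i] for a row vector w."""
    n = len(perm)
    P = [[0] * n for _ in range(n)]
    for i, j in enumerate(perm):
        P[i][j] = 1
    return P


def keygen(G, rng):
    """Return the public generator S*G*P and the secret (S, perm)."""
    k, n = len(G), len(G[0])
    S = random_invertible(k, rng)
    perm = list(range(n))
    rng.shuffle(perm)
    pub = matmul(matmul(S, G), permutation_matrix(perm))
    return pub, (S, perm)


def codewords(G):
    """All 2^k codewords spanned by the rows of G (k is tiny here)."""
    words = set()
    for coeffs in itertools.product([0, 1], repeat=len(G)):
        w = [0] * len(G[0])
        for c, row in zip(coeffs, G):
            if c:
                w = [x ^ y for x, y in zip(w, row)]
        words.add(tuple(w))
    return frozenset(words)


def permute_word(w, perm):
    """Apply the coordinate permutation the way right-multiplication by P does."""
    out = [0] * len(w)
    for i, x in enumerate(w):
        out[perm[i]] = x
    return tuple(out)


def public_code_is_permuted_secret_code(G, pub, perm):
    """The scrambler S only re-labels messages; the code itself is merely permuted."""
    return codewords(pub) == frozenset(permute_word(w, perm) for w in codewords(G))


def permutation_automorphisms(G):
    """Brute force: every coordinate permutation that maps the code onto itself."""
    n = len(G[0])
    C = codewords(G)
    return [p for p in itertools.permutations(range(n))
            if all(permute_word(w, p) in C for w in C)]


def minimal_degree(auts):
    """Fewest coordinates moved by a non-identity automorphism (the 'well-permuted' quantity)."""
    n = len(auts[0])
    moved = [sum(1 for i in range(n) if p[i] != i) for p in auts]
    return min(m for m in moved if m > 0)


if __name__ == "__main__":
    pub, (S, perm) = keygen(HAMMING_G, random.Random(1))
    auts = permutation_automorphisms(HAMMING_G)
    print("public code equivalent to secret code:", public_code_is_permuted_secret_code(HAMMING_G, pub, perm))
    print("|Aut(C)| =", len(auts), " minimal degree =", minimal_degree(auts))
```

Two things are visible in the output. First, any (S', perm') with S'·G·P' = pub differs from the secret (S, perm) by an element of Aut(C), which is why the key‑recovery problem is a hidden‑subgroup problem tied to Aut(C) rather than a search for one unique secret. Second, for this toy code every non‑identity automorphism moves at least four of the seven coordinates; a code whose automorphism group contained permutations moving only a few coordinates would give the Fourier‑sampling adversary exactly the large normalised characters that the paper's bound needs to exclude.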
Beyond Fourier sampling, the authors prove a more general impossibility: no measurement on a single coset state, whatever POVM is used, extracts useful information about H. The argument bounds the distinguishability of the mixed coset states produced by different hidden subgroups, so that any POVM yields outcome probabilities that differ by at most a negligible amount across the subgroups the adversary is trying to tell apart. This rules out not only the known Fourier‑based attacks but any single‑copy measurement attack on coset states. The caveat a practitioner should keep in mind is the word single: measurements that are entangled across several coset states at once are not covered by this result, and for Graph Isomorphism such multi‑register measurements are known to be the only coset‑state approach not already excluded.
The results are stated as rigorous theorems rather than empirical findings. Concretely, they are bounds on statistical distance: for any hidden subgroup H arising from a well‑permuted, well‑scrambled code, the outcome distribution of the measurement differs from the one obtained for the trivial subgroup by an amount that is exponentially small in the code parameters, so no algorithm of this type identifies H (and hence the secret key) with success probability noticeably better than guessing.
In conclusion, the authors demonstrate that the McEliece cryptosystem, when instantiated with codes satisfying the well‑permuted and well‑scrambled conditions, provably resists the class of quantum attacks that rely on preparing and measuring single coset states, a class that includes essentially all known quantum algorithms offering exponential speed‑ups. These are the first rigorous results on McEliece against quantum adversaries, and they strengthen its position as a leading candidate for post‑quantum public‑key encryption. They are not, however, a proof of security against all quantum attacks: generic decoding attacks such as information‑set decoding, including their Grover‑accelerated variants, do not use coset states and are not addressed, so parameter choices must still be made against those attacks. Moreover, the methodology, showing that a cryptosystem’s underlying algebraic structure invalidates strong Fourier sampling, provides a blueprint for analysing other post‑quantum schemes, such as lattice‑based or multivariate‑polynomial cryptosystems.