McEliece Cryptosystem Based On Extended Golay Code

by   Amandeep Singh Bhatia, et al.

With increasing advancements in technology, it is expected that the emergence of a quantum computer will potentially break many of the public-key cryptosystems currently in use. It will negotiate the confidentiality and integrity of communications. In this regard, we have privacy protectors (i.e. Post-Quantum Cryptography), which resists attacks by quantum computers, deals with cryptosystems that run on conventional computers and are secure against attacks by quantum computers. The practice of code-based cryptography is a trade-off between security and efficiency. In this chapter, we have explored The most successful McEliece cryptosystem, based on extended Golay code [24, 12, 8]. We have examined the implications of using an extended Golay code in place of usual Goppa code in McEliece cryptosystem. Further, we have implemented a McEliece cryptosystem based on extended Golay code using MATLAB. The extended Golay code has lots of practical applications. The main advantage of using extended Golay code is that it has codeword of length 24, a minimum Hamming distance of 8 allows us to detect 7-bit errors while correcting for 3 or fewer errors simultaneously and can be transmitted at high data rate.



There are no comments yet.


page 1

page 2

page 3

page 4


Quantum-Resistant Cryptography

Quantum-resistant cryptography is cryptography that aims to deliver cryp...

A Survey on Code-Based Cryptography

The improvements on quantum technology are threatening our daily cyberse...

On the Use of Quantum Entanglement in Secure Communications: A Survey

Quantum computing and quantum communications are exciting new frontiers ...

A Lightweight McEliece Cryptosystem Co-processor Design

Due to the rapid advances in the development of quantum computers and th...

Machine-Learning Side-Channel Attacks on the GALACTICS Constant-Time Implementation of BLISS

Due to the advancing development of quantum computers, practical attacks...

Post Quantum Cryptography: Readiness Challenges and the Approaching Storm

While advances in quantum computing promise new opportunities for scient...

qrypt0 - encrypted short messages exchanged between offline computers

A system is described for exchanging encrypted short messages between co...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Over the last three decades, public key cryptosystems (Diffie-Hellman key exchange, the RSA cryptosystem, digital signature algorithm (DSA), and Elliptic curve cryptosystems) has become a crucial component of cyber security. In this regard, security depends on the difficulty of a definite number of theoretic problems (integer factorization or the discrete log problem). Table 1 represents the present status of several cryptosystems 128. Shor’s algorithm is well-known in the field of cryptography given its potential application in cracking various cryptosystems, such as RSA algorithm and elliptic curve cryptography 129. These all public key cryptosystems can be attacked in polynomial time using Shor’s algorithm.

Cryptosystem Broken by Quantum algorithms?
Diffie-Hellman key-exchange 153 Broken
RSA public key encryption 154 Broken
Algebraically Homomorphic 155 Broken
Buchmann-Williams key-exchange 157 Broken
Elliptic curve cryptography 156 Broken
NTRU public key encryption 159 Not broken yet
McEliece public key encryption 158 Not broken yet
Lattice-based public key encryption 160 Not broken yet
Table 1: Impact of Quantum computing on cryptographic algorithms 128

Post-Quantum Cryptography offers secure alternatives. The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers, and compatible with existing communications protocols and networks. Apart from RSA, DSA, and ECDSA, there are other important classes of cryptographic systems which include Code-based, Lattice-based, Hash-based, Multivariate-quadratic-equations and Secret-key cryptosystem.

Code-based cryptography 161 generally refers to cryptosystems in which the algorithmic primitive uses an error correcting code C. This primitive may consist of adding an error to a word of C or in computing a syndrome relatively to a parity check matrix of C. There are several codes for which efficient decoders are known. Fig 1 shows the several codes proposed and broken in code-based cryptography.

In 1949, Golay 162 discovered Golay codes. A binary Golay code is a linear error-correcting code used in digital communication. Golay codes are perfect codes in which the Hamming spheres surrounding the codewords fill the Hamming space without overlap. These spheres have a radius e, which can correct e errors and their codewords separated from each other by a distance d=e+1. Perfect codes possess complete bounded-distance decoders and satisfy the Hamming bound with equality. If Golay codes are augmented with bit interleaving technique, it enables us to correct burst errors 163.

Ii Preliminaries

In this section, some preliminaries and basic notations are given, which will be used throughout the chapter.

  • Linear code: Linear code C 164 of length n and dimension k over a field F is a k

    -dimensional subspace of the vector space

    with q elements, a set of n-dimensional vectors can be referred to as a [n, k] code and elements of bits such that F=GF(2)={0,1}. If the minimum Hamming distance of the code is d, then the code is called a [n, k, d] code.

  • Hamming distance: A Hamming distance 163 is the number of positions in which two codewords (x, y) differ. Let C be a [n, k] linear code over and are two code words.

  • Hamming weight: A Hamming weight 163 is defined as the number of non-zero positions in the codeword x. Let C be a [n, k] linear code over and is a code word, such that

  • Generator matrix: A generator matrix 163 for C is a matrix G having the vectors of as rows, which forms a basis of C such that


    The matrix G generates the code as a linear map: for each message , we obtain the corresponding code word mG.

  • Dual code: Let C be a [n, k] linear code over . The dual code [26] of C is the set, such that .

  • Parity matrix: A generator matrix H is called parity-check matrix 163 for codeword C, which is described by


Iii Prior work

Originally, Golay codes 162 were invented in the early 1950’s, and have experienced incredible responses in the last few years. In 1978, McEliece 158 proposed an asymmetric encryption cryptosystem based on Goppa codes, which remains unbroken, even after 15 years of adaptation of its proposal security parameters 165. Niederreiter 166 proposed a knapsack-type cryptosystem based on Reed-Solomon codes. Sidelnikov and Shestakov 164 attacked the Niederreiter cryptosystem and proved that it is insecure using Reed-Solomon codes as well as Goppa codes.

Sidelnikov 167 proposed a public-key cryptosystem based on binary Reed-Muller codes. It offered a high security with transmission rate close to 1, and complexity of encryption and decryption process is low. Minder and Shokrollahi 168 attacked the Sidelnikov public-key cryptosystem which generates a private key from a known public key. It has been shown that running time of the attack is subexponential using low weight finding algorithms.

Janwa and Moreno 169 proposed a McEliece public key cryptosystems based on Algebraic-Geometric Codes (AGC). It shows the various aspects of McEliece cryptosystem, based on the larger class of q-ary algebraic-geometric Goppa codes and listed some open problems for future improvements. Faure and Minder 170 presented an algorithm based on algebraic geometry codes to recover the structure of algebraic geometry codes defined over a hyperelliptic code. In 2014, Couvreur et al. 171 constructed a polynomial time algorithm attack against public key cryptosystems based on algebraic-geometric codes.

In 2000, Monico et al. 172 showed an efficient way of using low-density parity check codes in McEliece cryptosystem. In 2007, Baldi et al. 173 introduced a new variant of McEliece cryptosystem, based on quasi-cyclic low-density parity check (QCLDPC) codes. Furthermore, they examined the relevant attacks against LDPC and QCLDPC. Londahl and Johansson 174 constructed a new version of McEliece cryptosystem based on convolutional codes. Landais and Tillich 175 implemented an attack against McEliece cryptosystem based on convolutional codes. Various researchers proposed modified McEliece cryptosystems by replacing Goppa codes and using different error-correcting codes, e.g. algebraic geometric codes (AGC), low-density parity check codes (LDPCC) or convolutional codes. However, all of these schemes have proven to be insecure, making Goppa codes a standard solution.

Iv McEliece Cryptosystem

McEliece cryptosystem is based on linear error-correcting code for creating public and private key. Binary Goppa code 158 is used as the error-correcting code in McEliece cryptosystem. The secret key can be drawn from the various alternate codes. Several versions of McEliece cryptosystem were proposed using various secret codes such as Reed-Solomon codes, concatenated codes and Goppa codes. Interested researchers can study the original McEliece cryptosystem algorithm described in 158.

V Golay Codes

Golay codes can be classified into binary and ternary Golay codes. Furthermore, binary Golay codes are divided into extended (

) and perfect () binary Golay codes 162; 163. The extended binary Golay code is a [24, 12, 8] code, which encodes 12 bits of data into a word of 24-bit length in such a way that any 3-bit errors can be corrected or any 7-bit errors can be detected.

The perfect binary Golay code is a [23, 12, 7] code that is having a code word of length 23. It can be obtained from the extended binary Golay code by deleting one coordinate position. It is useful in the applications where a parity bit is added to each word for producing a half-rate code 176. It is constructed by a factorization over field such that: , and are irreducible polynomials of degree (m=11). These polynomials are reverse of each other and can generate the same cycle code words. Therefore, the generator matrix of perfect binary Golay code is , where is

the identity matrix. Matrix

is as follow:

v.1 Binary extended Golay codes

In 1977, extended Golay codes 162 were used for error control on the Voyager 1 and 2 spacecraft launched towards Jupiter and Saturn. The perfect binary Golay code results into 3-byte extended Golay code by adding a parity bit. Some special properties of extended Golay Codes are:

  • is a self-dual code with a generator matrix .

  • Parity check matrix for is 177.

  • Another generator and parity check matrix for are and respectively 178.

  • The weight of every code word in is a multiple of 4 and distance is 8.

The extended Golay code generated by the matrix , where is the identity matrix and matrix A is as shown below.

Vi McEliece Cryptosystem using extended Golay code

McEliece cryptosystem based on extended Golay code works similarly as McEliece cryptosystem, but it generates the secret matrix G with a different way, and different decoding procedure will be used for the decoding process. Golay code matrix A is having a cyclic structure, in which the second row is obtained by moving the first component to the last position. Similarly, each row of the matrix A can be obtained by a right shift of the previous row, except last one row. The matrix A is being a part of both the generator and the parity check matrices of extended Golay code; its decoding procedure is very simple. The main idea is to replace the Goppa code used in McEliece by an extended Golay code that can be efficiently decoded.

Figure 1: McEliece Cryptosystem using extended Golay code

vi.1 Key generation

McEliece cryptosystem based on extended Golay code, encode 12-bits of data in 24-bit length of the word. Random permutation matrix (P) acts on generator matrix (G). Then, reorder the computed matrix and named it as . Compute

by the random invertible matrix (

S) and makes the public key () and secret key () correcting any 3-bit of errors. Key generation is described in algorithm 1. The detailed algorithm of McEliece cryptosystem based on extended Golay code is given below.

Algorithm 1: Key generation
System parameters: Let F be a family of t-error correcting () q-ary linear [n, k, d] codes, where .
Input: [24, 12, 8] is an extended Golay which encodes (k=12) bits of data in a word of (n=24) bit length and any (t=3) bit errors can be corrected.
Output matrices:
  • Generate generator matrix G: generator matrix for code C capable of correcting e errors over F of dimension k. , where is the identity matrix.

  • Generate permutation matrix P: is a random permutation matrix, having exactly 1 in every row and column; with all other entries is zero.

  • Compute matrix , arrange in systematic format of generator matrix and named it as .

  • Generate a non-singular invertible matrix .

  • Compute matrix .

  • Return public key: (), private key: (), where is an efficient decoding algorithm.

vi.2 Encoding

In encoding, the plaintext is a random non-zero binary vector of length k, i.e. (). A ciphertext () is the code word of the code with generator matrix and we choose random error vector () exactly of weight t. The encoding process is defined in the algorithm 2.

Algorithm 2: Encoding
Input: Public key (), message (), error vector ().
Output: Ciphertext ()
Add error vector
Return c

vi.3 Decoding

The decoding process is defined in the algorithm 3. It uses the decoding procedure of extended Golay code, whereas original McEliece cryptosystem uses Patterson’s algorithm for the decoding process.

Algorithm 3: Decoding
Input: Ciphertext (), Private key: ()
Output: Original message ()
Compute the encoded message , where e is calculated by calling subroutine .
, compute message mS by row reducing [].
Multiply mS by .
Return m

Here, we call a subroutine , which computes an error vector described in the algorithm 4. Therefore, on reading input a ciphertext (), it generates an output as the original message (). In step 1, it computes a syndrome using private key checks whether the weight of syndrome is less than or equal to 3. If yes, then it returns an error vector e=[]. Otherwise, it checks the weight of () is less than or equal to 2, then the error vector is e=[]. If it does not satisfy the first condition, then further it computes the second syndrome and checks whether the weight of syndrome is less than or equal to 3. If yes, then it returns an error vector e=[]. Otherwise, it checks the weight of () is less than or equal to 2, then the error vector is e=[]. In any case, if both the conditions do not satisfy and the error pattern e is not yet determined, then it requests retransmission. Finally, mS is found by row reducing form and the original message is computed by multiplying mS by .

Algorithm 4: )
Input: Ciphertext (), generator matrix (private): ()
Output: Error vector ()
Compute the first syndrome:
If , then
        Return e []
Else If , then
        Return e [], where the word of length 12 with 1 in the
        position and 0 elsewhere in identity matrix.
        Compute the second syndrome:
        If , then
                Return e []
        Else If , then
               Return e []
               Else If the error pattern e is not yet determined, then request

vi.4 Security

The security of the proposed McEliece cryptosystem depends on the difficulty level to decode y into message m. The attacker will have a tough time trying to separate from because he/she does not know P and inverse of a matrix S, which are not publicly available. Therefore, an attacker cannot find an error because it’s hard to recover the specific structure of the matrix . Maximum-likelihood decoding can be used to recover error but making tables for big codes () coset leader is a time-consuming and inefficient. It also needs more storage space and decoding time can be quite long also. Therefore, we rely on syndrome decoding of extended Golay code.

Vii Implementation of McEliece Cryptosystem based on Extended Golay Code

We have used a personal computer to implement McEliece cryptosystem based on extended Golay code with the following specification: CPU Intel Core i3-3217U 1.80 GHz, RAM 2.00 GB, OS Windows 8 Enterprise 32 bit and MATLAB 7.11.0 (R2010b).

We have used generator matrix G=[] to generate extended Golay code , where is the identity matrix. Fig. 2 shows the matrix A, which is obtained by adding a parity bit at the end of each codeword of perfect Golay code . We have used the random permutation matrix to compute as shown in Fig 3.

Figure 2: Generator polynomial matrix A of
Figure 3: Random permutation matrix P

We have used the random function to generate a random invertible matrix S of binary numbers. The matrix is reordered and renamed as , then we computed , where is the encoding matrix. Fig. 4 represents the random invertible matrix S. Furthermore, encoding matrix results in public key:

, the private key consists of a random matrix

S, systematic generator matrix and efficient decoding algorithm such that (). We have used random plaintext m of length 12 and random error vector e of length is 24 having weight (). Then, we compute codeword by and encode it by computing ciphertext such that . Fig. 5 shows the computed matrix codeword, random error, and ciphertext.

Figure 4: Random invertible matrix S
Figure 5: Generate ciphertext by adding intended error

During decoding, we call a subroutine as described in Algorithm 4 for computing an error e by using private key . Further, we recovered the actual codeword such that . Fig 6 shows the calculated syndrome for error detection in the ciphertext.

Figure 6: Error detection by calculating syndrome

Compute the error and actual codeword; we recover the plaintext by multiplying it with the inverse of S. Fig. 7 shows the actual message sent over the channel.

Figure 7: Decoding of Ciphertext

We have examined the McEliece cryptosystem using extended Golay code. The developed system is effective and secure until S is chosen sparse random matrix. It corrects up to three-bit errors per codeword. Sparse matrices make it efficient and it allows a significant compression. Moreover, we have implemented the McEliece cryptosystem using extended Golay code and designed a finite state machine for its decoding component. In future, we will design McEliece cryptosystem using extended Golay code associated with bit interleaving technique to correct bursts of errors per codeword.

Viii Conclusion

In this paper, we have examined the McEliece cryptosystem using extended Golay code. The developed system is effective and secure until S is chosen sparse random matrix. It corrects up to three-bit errors per codeword. Sparse matrices make it efficient and allows a significant compression. Moreover, we have implemented the proposed McEliece cryptosystem using MATLAB. In future, we will design of McEliece cryptosystem using extended Golay code associated with bit interleaving technique to correct bursts of errors per codeword.


Amandeep Singh Bhatia was supported by Maulana Azad National Fellowship (MANF), funded by Ministry of Minority Affairs, Government of India.