Solving McEliece-1409 in One Day—Cryptanalysis with the Improved BJMM Algorithm

  • Conference paper
  • Information Security (ISC 2024)

Abstract

The syndrome decoding problem (SDP) is the security assumption underlying code-based cryptography. Three of the four NIST-PQC round 4 candidates are code-based schemes. Information set decoding (ISD) is the fastest known algorithm for solving SDP instances with a relatively high code rate. The security of code-based cryptography is often based on the asymptotic complexity of ISD algorithms; however, their concrete complexity has rarely been established. Recently, Esser, May and Zweydinger (Eurocrypt ’22) provided the first implementation of representation-based ISD, such as the May–Meurer–Thomae (MMT) and Becker–Joux–May–Meurer (BJMM) algorithms, and solved the McEliece-1284 instance of the decoding challenge, revealing the practical efficiency of these ISD algorithms.

In this work, we propose a practically fast depth-2 BJMM algorithm and provide the first publicly available GPU implementation. We solve the McEliece-1409 instance for the first time and present a concrete analysis of the record. We also conduct cryptanalysis of the NIST-PQC round 4 code-based candidates against the improved BJMM algorithm. Our results provide both theoretical and practical evidence for the reliability of the code-based NIST-PQC round 4 candidates.
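To make concrete what "solving an SDP instance" means and why the cost of ISD determines the security level, the following is an added illustrative example, not code from the paper or from the authors' GPU implementation: Prange's plain information set decoding, the simplest ISD algorithm from which MMT and BJMM descend, run on a constructed toy instance, together with the standard estimate C(n,t)/C(n-k,t) of its expected iteration count. The parameters (n = 24, k = 12, t = 3), the seed and all function names are assumptions chosen for illustration only; real McEliece instances have n in the thousands.

```python
import math
import random


def syndrome(H, e):
    """Compute s = H e^T over GF(2); H is a list of 0/1 rows, e a list of 0/1."""
    return [sum(h & x for h, x in zip(row, e)) % 2 for row in H]


def random_sdp_instance(n, k, t, rng):
    """Constructed instance: random (n-k) x n parity-check matrix H,
    a planted weight-t error e, and its syndrome s = H e^T."""
    r = n - k
    H = [[rng.randint(0, 1) for _ in range(n)] for _ in range(r)]
    e = [0] * n
    for i in rng.sample(range(n), t):
        e[i] = 1
    return H, syndrome(H, e), e


def prange_isd(H, s, t, rng, max_iters=200000):
    """Prange's plain ISD: return (e, iterations) with H e^T = s and wt(e) = t,
    or (None, max_iters) if no solution was found.

    Each iteration guesses that the whole error lies in n-k randomly chosen
    positions, brings those columns of H to the identity by Gaussian
    elimination over GF(2) (applying the same row operations to s), and
    checks whether the transformed syndrome has weight exactly t.
    """
    r, n = len(H), len(H[0])
    for it in range(1, max_iters + 1):
        perm = list(range(n))
        rng.shuffle(perm)
        # Column-permuted H with s appended as an extra column.
        M = [[H[i][perm[j]] for j in range(n)] + [s[i]] for i in range(r)]
        invertible = True
        for col in range(r):
            pivot = next((i for i in range(col, r) if M[i][col]), None)
            if pivot is None:
                invertible = False  # chosen columns are singular; resample
                break
            M[col], M[pivot] = M[pivot], M[col]
            for i in range(r):
                if i != col and M[i][col]:
                    M[i] = [a ^ b for a, b in zip(M[i], M[col])]
        if not invertible:
            continue
        s_prime = [M[i][n] for i in range(r)]
        if sum(s_prime) == t:
            # U H P = [I | A] and U s = s', so e' = P (s' || 0) satisfies H e'^T = s.
            e = [0] * n
            for i in range(r):
                if s_prime[i]:
                    e[perm[i]] = 1
            return e, it
    return None, max_iters


def prange_expected_iterations(n, k, t):
    """Standard estimate C(n,t)/C(n-k,t) of the expected number of Prange
    iterations (ignores the chance that the chosen columns are singular)."""
    return math.comb(n, t) / math.comb(n - k, t)


def run_demo(n=24, k=12, t=3, seed=1):
    """Build a constructed instance, solve it, and verify the answer independently."""
    rng = random.Random(seed)
    H, s, planted = random_sdp_instance(n, k, t, rng)
    found, iters = prange_isd(H, s, t, rng)
    valid = found is not None and syndrome(H, found) == s and sum(found) == t
    return {"found": found, "planted": planted, "iterations": iters,
            "valid": valid, "expected_iterations": prange_expected_iterations(n, k, t)}


if __name__ == "__main__":
    result = run_demo()
    print("valid solution:", result["valid"], "after", result["iterations"], "iterations")
    # The estimate grows exponentially in t: even tiny parameter increases
    # multiply the work, which is why the concrete ISD cost sets the security level.
    for n, k, t in [(24, 12, 3), (64, 32, 8), (128, 64, 16)]:
        print(f"n={n} k={k} t={t}: ~{prange_expected_iterations(n, k, t):.3g} iterations")
```

The solution is verified by recomputing the syndrome and the weight rather than by comparing with the planted error, since a random code may admit another weight-t solution. The representation-based algorithms the paper improves (MMT, BJMM) replace the single "all error in the redundant set" guess with a split search over the information set, which is what lowers the exponent the estimate above shows.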


Notes

  1. https://github.com/Crypto-TII/CryptographicEstimators.

  2. https://github.com/vunguyen95/Review-ISD-Sieving.

  3. The reference implementation for cuMMT is available at https://www.jstage.jst.go.jp/article/transfun/E106.A/3/E106.A_2022CIP0023/_pdf/.

  4. Available at https://github.com/FloydZ/cryptanalysislib.

  5. https://isd.mceliece.org/1347.html, published on February 26, 2023.

  6. Tested on commit efc133e. We chose the parameters that minimize runtime.

  7. We used openssl speed -evp aes-n-cbc -bytes b -multi 32 -seconds 60 for AES-n. The block length is set to \(b = 16\) for AES-128 and \(b = 32\) otherwise.

References

  1. Albrecht, M., Bard, G.: The M4RI library. The M4RI Team (2023). https://bitbucket.org/malb/m4ri

  2. Albrecht, M.R., et al.: Classic McEliece: conservative code-based cryptography (2022)

  3. Aragon, N., et al.: BIKE: bit flipping key encapsulation (2022)

  4. Aragon, N., Lavauzelle, J., Lequesne, M.: decodingchallenge.org (2019). http://decodingchallenge.org

  5. Azarderakhsh, R., et al.: Supersingular isogeny key encapsulation. Submission NIST Post-Quantum Stand. Proj. 152, 154–155 (2017)

  6. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how \(1+ 1= 0\) improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

  7. Berlekamp, E., McEliece, R., Van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978)

  8. Bernstein, D.J., Chou, T.: CryptAttackTester: high-assurance attack analysis. In: CRYPTO 2024 (2024, to appear). https://eprint.iacr.org/2023/940

  9. Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_3

  10. Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_2

  11. Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10

  12. Castryck, W., Decru, T.: An efficient key recovery attack on SIDH. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part V. LNCS, vol. 14008, pp. 423–447. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30589-4_15

  13. Dumer, I.: On minimum distance decoding of linear codes. In: Proceedings of the 5th Joint Soviet-Swedish International Workshop Information Theory, pp. 50–52 (1991)

  14. Esser, A., Bellini, E.: Syndrome decoding estimator. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13177, pp. 112–141. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97121-2_5

  15. Esser, A., May, A., Zweydinger, F.: McEliece needs a break - solving McEliece-1284 and quasi-cyclic-2918 with modern ISD. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13277, pp. 433–457. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_16

  16. Esser, A., Verbel, J., Zweydinger, F., Bellini, E.: CryptographicEstimators: a software library for cryptographic hardness estimation. Cryptology ePrint Archive, Paper 2023/589 (2023). https://eprint.iacr.org/2023/589

  17. Esser, A., Zweydinger, F.: New time-memory trade-offs for subset sum - improving ISD in theory and practice. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14008, pp. 360–390. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_13

  18. Guo, Q., Johansson, T., Nguyen, V.: A new sieving-style information-set decoding algorithm. Cryptology ePrint Archive, Paper 2023/247 (2023). https://eprint.iacr.org/2023/247

  19. Hamdaoui, Y., Sendrier, N.: A non asymptotic analysis of information set decoding. IACR Cryptol. ePrint Arch. 2013, 162 (2013). https://api.semanticscholar.org/CorpusID:17721683

  20. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pp. 604–613 (1998)

  21. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6

  22. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9

  23. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Netw. Progr. Rep. 44, 114–116 (1978)

  24. Melchor, C.A., et al.: Hamming quasi-cyclic (HQC). NIST PQC Round 2(4), 13 (2018)

  25. Narisada, S., Fukushima, K., Kiyomoto, S.: Multiparallel MMT: faster ISD algorithm solving high-dimensional syndrome decoding problem. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E106.A(3), 241–252 (2023). https://doi.org/10.1587/transfun.2022CIP0023

  26. Narisada, S., Uemura, S., Okada, H., Furue, H., Aikawa, Y., Fukushima, K.: Solving McEliece-1409 in one day—cryptanalysis with the improved BJMM algorithm. Cryptology ePrint Archive, Paper 2024/393 (2024). https://eprint.iacr.org/2024/393

  27. Peters, C.: Information-set decoding for linear codes over \({\rm F}_{\rm q}\). In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 81–94. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_7

  28. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)

  29. Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4

  30. Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850

  31. Stevens, M.: MCCL, modular code cryptanalysis library (2024). https://github.com/codecryptanalysis/mccl

Corresponding author

Correspondence to Shintaro Narisada.

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Narisada, S., Uemura, S., Okada, H., Furue, H., Aikawa, Y., Fukushima, K. (2025). Solving McEliece-1409 in One Day—Cryptanalysis with the Improved BJMM Algorithm. In: Mouha, N., Nikiforakis, N. (eds) Information Security. ISC 2024. Lecture Notes in Computer Science, vol 15258. Springer, Cham. https://doi.org/10.1007/978-3-031-75764-8_1

  • DOI: https://doi.org/10.1007/978-3-031-75764-8_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-75763-1

  • Online ISBN: 978-3-031-75764-8
