
POSTQUANTUM CRYPTOGRAPHY, PART 1

Code-Based Cryptography:
State of the Art and Perspectives

Nicolas Sendrier | INRIA

Code-based cryptography is one of the few mathematical techniques that enables the construction of
public-key cryptosystems that are secure against an adversary equipped with a quantum computer. The
McEliece public-key encryption scheme and its variants are candidates for a postquantum public-key
encryption standard.

Authorized licensed use limited to: Technische Universitaet Muenchen. Downloaded on December 09,2024 at 14:03:21 UTC from IEEE Xplore. Restrictions apply.
44 July/August 2017 Copublished by the IEEE Computer and Reliability Societies 1540-7993/17/$33.00 © 2017 IEEE

Code-based cryptography is one of the main postquantum techniques available, together with lattice-based cryptography, multivariate cryptography, and hash-based cryptography. Robert McEliece proposed the first code-based cryptosystem in 1978.[1] It belongs to a very narrow class of public-key primitives that have resisted all cryptanalytic attempts up to now.

In this survey, I present the McEliece public-key encryption scheme's basic principles and security assumptions,[2] illustrating that the system is secure and practical despite its large key size. I also consider McEliece variants with compact keys; using quasicyclic codes, it's possible to design schemes with much shorter keys. I review the principle of those constructions with a particular focus on quasicyclic moderate density parity check (MDPC) codes, which combine a good security proof with much shorter public keys, allowing a simple and efficient key exchange protocol with forward secrecy.

McEliece Scheme and Its Main Variants

The McEliece public-key encryption scheme was proposed almost 40 years ago and hasn't been threatened essentially since then. McEliece's original idea was to use as ciphertext a word of a carefully chosen linear error-correcting code—a binary Goppa code, in this case—to which random errors were added.[1] An arbitrary basis of the code—a generator matrix—is the public key, allowing anyone to encrypt (see Figure 1). Legitimate users who know a secret trapdoor—a fast (that is, polynomial time) decoding algorithm for the code—can remove the errors and recover the cleartext. Adversaries are reduced to a generic decoding problem, which is believed to be hard on average, including against quantum adversaries.

Figure 1. Code-based public-key encryption. The ciphertext is a noisy code word that only the legitimate user can correct to recover the cleartext.
[Diagram. Encryption: Cleartext → Linear expansion (public, reversible) → Code word → Add errors (public, one-way) → Ciphertext. Decryption: Ciphertext → Remove errors (trapdoor) → Code word → Invert expansion (public) → Cleartext.]

Security Assumptions

The scheme's security relies on two computational assumptions:

■ generic decoding is hard on average, and
■ the public key—a generator matrix—is hard to distinguish from a random matrix.

By hard, I mean that the underlying computational problem can't be efficiently solved, or more to the point, by choosing appropriately large sizes, those problems are intractable and thus, under these assumptions, the system is secure against any computationally bounded adversary.

The twofold security proof has been implicitly understood since the origin of the scheme but was first stated in Nicolas Courtois and his colleagues' "How to Achieve a McEliece-Based Digital Signature Scheme"[3] and formally proven in my paper "On the Use of Structured Codes in Code Based Cryptography."[4] The first problem, generic decoding, is nondeterministic polynomial time (NP)-complete[2] and is also believed to be hard on average.[5] Progress is possible and would then require an increase in system parameters, but a significant breakthrough is unlikely. Much like factoring and discrete logarithms for number theory–based cryptosystems, research on this topic must be maintained at the highest level to ensure enough confidence in the system and adjust its parameters when needed.

The second problem, public-key indistinguishability, is much more open. To state it properly, the system must be instantiated. For instance, McEliece proposed using the family of binary Goppa codes, for which the indistinguishability assumption holds so far (except when the code rate tends to 1,[6] which is an irrelevant case for encryption). For some other families, Reed-Solomon codes, concatenated codes, low-density parity check codes, and so on, the assumption doesn't hold and the corresponding instances of McEliece are unsafe. Providing families of codes for which the indistinguishability assumption holds is a key issue in code-based cryptography.

Figure 2 gives a general description of the McEliece encryption scheme. Terminology refers to the coding theory glossary in the sidebar.

Figure 2. McEliece public-key encryption scheme.
  Parameters: a family ℱ of binary linear t-error correcting [n,k] codes
  Key generation: → (G, Φ), a key pair where
    public key: G ∈ {0,1}^(k×n) is a matrix which spans a code ⟨G⟩ ∈ ℱ
    private key: Φ is a t-bounded decoder for ⟨G⟩
  Encryption: {0,1}^k → {0,1}^n, x ↦ xG + e with e ∈ {0,1}^n random of Hamming weight t
  Decryption: {0,1}^n → {0,1}^k, y ↦ Φ(y)G* with G* a right inverse of G

A Coding Theory Glossary (sidebar)

I consider here only linear codes over the binary field F2 = {0,1} of integers modulo 2. Codes over larger alphabets, any finite field Fq with q elements, can be defined likewise and are sometimes used in cryptography. Most statements and claims are valid in general. Nonlinear codes also exist but are beyond this survey's scope.

Hamming distance: The distance between two words x and y of same length is the number of coordinates in which they differ, denoted dist(x,y).

Hamming weight: The weight of a word x is determined by its number of nonzero coordinates, denoted wt(x).

Linear code: A binary linear [n,k] code C of dimension k and length n ≥ k is a k-dimensional subspace of the vector space {0,1}^n. An element of a code is a code word. The code rate is the ratio k/n.

Generator matrix: A full-rank k × n matrix G ∈ {0,1}^(k×n) whose rows form a basis of C: C = {xG | x ∈ {0,1}^k}. The mapping x ↦ xG expands any k-bit word into an n-bit code word.

Systematic generator matrix: A k × n generator matrix is in systematic form if it contains a square k × k identity matrix, usually in its first k columns. The systematic form always exists and reduces the storage requirements from nk to (n − k)k bits.

Parity check matrix: A full-rank (n − k) × n matrix H ∈ {0,1}^((n−k)×n) whose rows are orthogonal to C: C = {y ∈ {0,1}^n | yH^T = 0}.

Bounded decoding: A t-bounded decoder for C[n,k] is a mapping Φ: {0,1}^n → C such that for all y in {0,1}^n and all x in C, dist(y,x) ≤ t implies Φ(y) = x.

Code family: Among the issues and successes of coding theory, one was to design "good" families of codes. Typically, the problem was to find, for given but arbitrary large values of n and k, families of [n,k] codes for which an efficient (that is, polynomial time) t-bounded decoder could be devised, where t is a function of n and k. The larger t, the better the code family. For cryptographic purposes, a family F of t-error correcting linear [n,k] codes is chosen to provide the desired security level. Choosing a code C in the family will naturally provide a pair (G,Φ) where G is a generator matrix of C and Φ is a t-bounded decoder for C.

Generic decoding: A generic decoder for binary linear [n,k] codes is a mapping Ψ: {0,1}^n × {0,1}^(k×n) → {0,1}^k. For a given instance x = Ψ(y,G), a measure of success is the Hamming distance between xG and y, which must be as small as possible. In particular, a t-bounded generic decoder for [n,k] codes will be such that for all x ∈ {0,1}^k, for all G ∈ {0,1}^(k×n), and all e ∈ {0,1}^n of Hamming weight t or less, we have Ψ(xG + e,G) = x. Generic decoding is nondeterministic polynomial time (NP)-hard[S1] and difficult on average;[S2] the best known solution's complexity grows exponentially with error weight t.[S3]

Sidebar references
S1. E.R. Berlekamp et al., "On the Inherent Intractability of Certain Coding Problems," IEEE Trans. Information Theory, vol. 24, no. 3, 1978, pp. 384–386.
S2. M. Alekhnovich, "More on Average Case vs Approximation Complexity," Proc. 44th Symp. Foundations of Computer Science (FOCS 03), 2003, pp. 298–307.
S3. A. May and I. Ozerov, "On Computing Nearest Neighbors with Applications to Decoding of Binary Linear Codes," Advances in Cryptology (EUROCRYPT 15), Part I, LNCS 9056, Springer, 2015, pp. 203–228.

Other Cryptographic Primitives from Codes

Public-key encryption can also be achieved with the Niederreiter scheme,[7] which is equivalent to the McEliece scheme in terms of security. In addition, two other important functionalities can be achieved from codes: zero-knowledge authentication and digital signatures.

Zero-knowledge authentication protocol. The first such protocol was proposed by Jacques Stern in 1993.[8] Some variants have followed, and all amount to the same idea: one party picks a code word x, keeps it secret, and publishes a noisy version of it, say y = x + e, with e of small weight. Then, this party can prove interactively to another party that it knows a code word close to the public word y without ever revealing any information about x.

Digital signature. There's a generic way to produce digital-signature schemes from zero-knowledge protocols using the Fiat-Shamir paradigm.[9] This can be achieved using the Stern protocol. Note that, against quantum adversaries, the construction requires some modifications.[10] The resulting digital signature scheme is easy to implement and enjoys relatively small key sizes (a few hundred bytes) but produces rather large signatures (one or a few hundred kilobytes).

Another method to build digital signatures is the "hash and sign" paradigm in which users consider the digest of the message to be signed as a ciphertext and produce the corresponding cleartext as the signature. In this scenario, the public key can be used to check the signature's validity. Unfortunately, the McEliece encryption primitive isn't surjective and the parameters used for encrypting aren't suitable for signing. Digital signature is nevertheless possible but requires families of binary Goppa codes of a rate close to 1,[3] precisely the subclass of Goppa codes that is distinguishable from random.[6] Even though this distinguisher doesn't lead to an effective attack, it invalidates the security proof. Moreover, the scheme uses large public keys, has significant signing complexity, and doesn't scale very well.

The Practice

Here I address McEliece's semantic security, implementation, and parameter selection.

Semantic security. The McEliece encryption scheme is very malleable. For instance, adding a code word to a ciphertext produces the ciphertext of a cleartext different from the original one. Also, a cleartext that's encrypted twice with the same key is revealed. Consequently, a semantically secure conversion is mandatory.[11] An interesting side effect of such a conversion is that having a public key in systematic form becomes harmless, whereas this was inadvisable in the original scheme. A systematic public key reduces the public key size.

Implementation. To my knowledge, there's no widely deployed cryptographic product using code-based primitives. Still, there's a practice, and researchers have reported various efficient implementations in software and for embedded devices. The current state of the art for software is McBits,[12] which is fully protected against timing attacks and performs as well—if not better—than other asymmetric schemes.

Parameter selection. To achieve "classical" security of 128 bits (the best-known attacks require at least 2^128 elementary operations) with the original McEliece scheme using binary Goppa codes, codes must be of dimension k = 3,376 probably and length n = 4,096 correcting t = 60 errors. The public key size is 303,840 bytes (with a matrix in systematic form), and the expansion between the cleartext and the ciphertext is approximately 20 percent. For the same security against quantum adversaries, the block size must increase by a factor of 2, and the key size by a factor of 4.
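The scheme of Figure 2 and the malleability described under "Semantic security", as an added example that is not part of the paper. It puts the [7,4] Hamming code (t = 1) in place of the binary Goppa code, so it is a teaching model with no security at all: n = 7 is minuscule and a Hamming code cannot be hidden. The function names (keygen, encrypt, decrypt, phi, right_inverse, malleate, two_time_leak, demo), the seed 7 and the cleartexts are constructed here; the public key is an arbitrary basis S·G0 of the code, and the private key is the decoder Φ, exactly as in the figure.

```python
# Added example, not code from the paper: a toy instance of the Figure 2 scheme
# with the [7,4] Hamming code (t = 1) standing in for the binary Goppa code. It
# is a teaching model only: n = 7 is minuscule and a Hamming code cannot be
# hidden, so nothing here is secure. Vectors and matrices are lists of 0/1.
import random

N, K, T = 7, 4, 1
# Secret structured description: parity-check matrix H0 whose column j is the
# binary expansion of j + 1, and a generator matrix G0 of its kernel.
H0 = [[(j + 1) >> r & 1 for j in range(N)] for r in range(3)]
G0 = [[1, 1, 1, 0, 0, 0, 0],
      [1, 0, 0, 1, 1, 0, 0],
      [0, 1, 0, 1, 0, 1, 0],
      [1, 1, 0, 1, 0, 0, 1]]

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

def matmul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*B)] for row in A]

def rref(A):
    """Gauss-Jordan over GF(2) on [A | I]: returns (T, pivots) with T*A in reduced row echelon form."""
    m, n = len(A), len(A[0])
    M = [row[:] + [int(i == j) for j in range(m)] for i, row in enumerate(A)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(m):
            if i != r and M[i][c]:
                M[i] = xor(M[i], M[r])
        pivots.append(c)
        r += 1
    return [row[n:] for row in M], pivots

def right_inverse(G):
    """G* with G G* = I_k for a full-rank k x n matrix G (Figure 2 decryption). With T G = R
    in reduced form, G* = E T where E selects the pivot columns of R."""
    T, pivots = rref(G)
    Gs = [[0] * len(G) for _ in range(len(G[0]))]
    for i, c in enumerate(pivots):
        Gs[c] = T[i]
    return Gs

def phi(y):
    """The trapdoor: a t-bounded decoder. The syndrome y H0^T, read as an integer, is
    the 1-based position of the single error (0 means y is already a code word)."""
    s = matmul([y], list(zip(*H0)))[0]
    pos = s[0] + 2 * s[1] + 4 * s[2]
    c = y[:]
    if pos:
        c[pos - 1] ^= 1
    return c

def keygen(rng):
    """Public key: an arbitrary basis S G0 of the code. Private key: the decoder phi."""
    while True:
        S = [[rng.randrange(2) for _ in range(K)] for _ in range(K)]
        if len(rref(S)[1]) == K:  # S invertible, so S G0 spans the same code
            return matmul(S, G0), phi

def encrypt(x, G, rng):
    """x -> xG + e with e of Hamming weight t."""
    e = [0] * N
    for j in rng.sample(range(N), T):
        e[j] = 1
    return xor(matmul([x], G)[0], e)

def decrypt(y, G, decoder):
    """y -> decoder(y) G*, with G* a right inverse of the public G."""
    return matmul([decoder(y)], right_inverse(G))[0]

def malleate(y, z, G):
    """Adding the code word zG to a ciphertext of x gives a ciphertext of x + z."""
    return xor(y, matmul([z], G)[0])

def two_time_leak(y1, y2):
    """Two encryptions of one cleartext: y1 + y2 = e1 + e2, of weight at most 2t, which exposes
    the error positions. Both effects are why a semantically secure conversion is needed."""
    return xor(y1, y2)

def demo(seed=7):
    """Run the scheme once and return the checks a test can assert on."""
    rng = random.Random(seed)
    G, dec = keygen(rng)
    x, z = [1, 0, 1, 1], [0, 1, 1, 0]
    y = encrypt(x, G, rng)
    return {"roundtrip": decrypt(y, G, dec) == x,
            "right_inverse": matmul(G, right_inverse(G)) == [[int(i == j) for j in range(K)] for i in range(K)],
            "malleable": decrypt(malleate(y, z, G), G, dec) == xor(x, z),
            "leak_weight": sum(two_time_leak(y, encrypt(x, G, rng)))}

if __name__ == "__main__":
    print(demo())
```

decrypt computes the right inverse G* of the public key by Gauss-Jordan elimination, which is the G* of Figure 2; nothing secret is needed for that step, only for phi. malleate shows that a ciphertext of x can be turned into a ciphertext of x + z without the key, and two_time_leak that the sum of two encryptions of the same x has weight at most 2t, so the error positions are exposed; the Kobara-Imai conversion cited in the text is what removes both properties.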
Pros and Cons

The pros of the McEliece scheme and its variants include the following:

■ security is well understood,
■ it has resisted 40 years of scrutiny, and
■ it's computationally efficient in encryption and decryption.

Cons include the following:

■ there's no really practical digital-signature scheme,
■ the public key size is large (on the order of one megabyte for long-term security), and
■ the code indistinguishability assumption needs to be explored further.

A New Trend: Compact Keys from Quasicyclic Codes

By choosing a proper code family, it's possible to restrict the choice of the public generator matrix G to block-circulant matrices (see Figure 3), allowing significant reduction of the public key's storage requirements. A code spanned by a block-circulant matrix is quasicyclic. Philippe Gaborit first proposed such constructions,[13] and in "On the Use of Structured Codes in Code Based Cryptography," I proved that the security proof is essentially unchanged.[4] The system is secure as long as

■ generic decoding in a quasicyclic code is hard, and
■ the public key is indistinguishable from a random block-circulant matrix.

Much like for cyclic variants of lattice hard problems, there's a consensus that generic decoding for quasicyclic codes remains hard. On the other hand, quasicyclic codes are more structured, and the code family must be chosen carefully. Note also that compact keys can be obtained with other constructions, like block-dyadic matrices, with a similar effect on the key size and security.

Block-Circulant Matrices

A circulant matrix is a square matrix in which each row is the rotation one element to the right of the preceding row. It's completely defined by its first row. A block-circulant matrix is formed of circulant square blocks. The index of a block-circulant matrix comprises the number of circulant blocks in each row. Its order is the size of the circulant blocks. I extend this terminology to quasicyclic codes.

Representing a block-circulant matrix requires only the first row of each circulant block. When the index is small, this leads to considerably smaller public keys.

Circulant binary matrices of size p × p form a commutative ring isomorphic to the quotient ring of polynomials F2[x]/(x^p − 1). To a circulant matrix whose first row is (a0, a1, …, a(p−1)), I associate the polynomial a(x) = a0 + a1x + … + a(p−1)x^(p−1). Matrix addition, multiplication, and inversion correspond to the same polynomial operations modulo x^p − 1. The Hamming weight of a(x) is the Hamming weight of the binary word (a0, a1, …, a(p−1)).

Figure 3. Block-circulant matrices. [Diagram: a single circulant block; a matrix G made of two circulant blocks, which spans a QC-code of index 2; and two matrices G with three circulant blocks per row, which both span a QC-code of index 3.]

Algebraic Quasicyclic Codes

Algebraic codes contain algebraic structure allowing mathematical description and fast decoding algorithms. The coding theory domain is vast, but for cryptographic purposes, we can restrict it to the subclass of alternant codes, among which are the binary Goppa codes used by McEliece. If a McEliece-type cryptosystem uses a family of alternant codes, it's possible to derive from the public key an overdetermined system of multivariate polynomial equations over a finite field. If the hidden code is alternant, this polynomial system has a solution, but finding it is intractable in general.

If the code rate is close to 1, the system is highly overdetermined, and the subsystem obtained by considering only low degree equations—though it can't be solved—has particular properties leading to a distinguisher.[6]

If the code is quasicyclic, the number of unknowns decreases, particularly when the index is small. Solving the system might become tractable as demonstrated in Jean-Charles Faugère and his colleagues' "Algebraic Cryptanalysis of McEliece Variants with Compact Keys."[14]

To say it crudely, the algebraic and the quasicyclic structures combine to provide a simpler attack. Note that simpler doesn't mean feasible, and not all compact-key variants of McEliece based on alternant codes have been broken so far. Nevertheless, pursuing this line of work requires a full understanding of how far the polynomial system solvers can go to solve the above-mentioned systems.

Quasicyclic MDPC Codes

Another approach, proposed by Rafael Misoczki and his colleagues in "MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes,"[15] was to consider MDPC codes. An MDPC code possesses a moderately sparse parity check matrix, meaning that the rows have length n and Hamming weight of order √n. Knowledge of the sparse parity check matrix allows the decoding of an error of weight proportional to √n.

The public key is any generator matrix of that code. Such a matrix is dense in general and doesn't reveal anything about the secret sparse parity check matrix. The sparse parity check matrix can be block circulant, in which case the public generator matrix is also block circulant and the corresponding MDPC code is quasicyclic. The whole scheme can then be described in terms of polynomials in the quotient ring ℛp = F2[x]/(x^p − 1). Figure 4 shows the scheme for quasicyclic MDPC (QC-MDPC) codes of index 2 and rate k/n = 1/2.

Figure 4. Quasicyclic moderate density parity check (QC-MDPC)-McEliece scheme.
  Parameters: block size p, row weight w, error weight t, ℛp = F2[x]/(x^p − 1)
    (p a prime, w even, w/2 odd, w and t are close to √(2p))
  Key generation: pick h0 and h1 in ℛp both of weight w/2
    public key: g = h1 h0^(−1)
    private key: h0, h1
  Encryption: ℛp → ℛp × ℛp, m ↦ (mg + e0, m + e1) with wt(e0) + wt(e1) = t
  Decryption: given a ciphertext (u0, u1), solve u0h0 + u1h1 = e0h0 + e1h1 with wt(e0) + wt(e1) ≤ t

Parameter selection. For 128 bits of security, with QC-MDPC codes of index 2, the parameter sizes are p = 9,857, w = 142, and t = 134, leading to a public key of size 9,857 bits (about 1.2 Kbytes). Against quantum adversaries, the public key size must increase to 32,771 bits, about 4 Kbytes, instead of 1 Mbyte for the original Goppa-McEliece.

Decoding. Decoding QC-MDPC codes consists of solving the following problem.

Problem 1 (QC-MDPC decoding): Given s, h0, h1 in ℛp with wt(h0) = wt(h1) = w/2, find e0, e1 in ℛp such that wt(e0) + wt(e1) ≤ t and e0h0 + e1h1 = s.

The interested reader can easily check that whoever can solve that problem can perform the decryption in Figure 4. Problem 1 is easy as long as w and t are both small compared to the code length. In fact, the product of t by w must be of the same magnitude as the code length n = 2p. Various known algorithms can solve that problem; the exact decoding performance will depend on the chosen algorithm and the parameters must be validated using simulations or analysis.

Security proof. QC-MDPC-McEliece security is provably reduced to the two following problems related to sparse binary polynomials in the ring ℛp = F2[x]/(x^p − 1).[4]

Problem 2 (QC decoding): Given s, g in ℛp, find e0, e1 in ℛp such that wt(e0) + wt(e1) ≤ t and e0 + e1g = s.

Problem 3 (QC-MDPC distinguishing): Given g in ℛp, is there h0, h1 in ℛp such that wt(h0) + wt(h1) ≤ w and h1 + h0g = 0?

Problem 2 is the generic decoding problem restricted to quasicyclic codes. Problem 3 entails deciding whether a given quasicyclic code contains a word of small weight. Those problems are exactly the quasicyclic counterparts of the two NP-complete problems stated by Elwyn Berlekamp and his colleagues in "On the Inherent Intractability of Certain Coding Problems."[2] They are believed to be hard on average, even though, formally, the arguments Michael Alekhnovich gives in "More on Average Case vs Approximation Complexity" don't hold for the noncyclic case.[5]

Key exchange protocol. Because key generation is very easy, QC-MDPC-McEliece is very well suited for exchanging session keys. Figure 5 shows a sketch of a key exchange protocol. At the end of the protocol, the two parties involved, here Alice and Bob, share a secret K, valid for one session, to typically be used as the key of a symmetric encryption scheme like the Advanced Encryption Standard. Because the public key g is used only once, this protocol achieves forward secrecy, an extremely desirable feature that protects past sessions against future compromises of secret keys.

This key exchange protocol is particularly simple, and its security, as for the encryption scheme, is provably reduced to the hardness of Problems 2 and 3.

Figure 5. QC-MDPC key exchange protocol. The two parties involved, Alice and Bob, share a secret K, valid for one session, to be used as the key of a symmetric encryption scheme like the Advanced Encryption Standard.
  Parameters: block size p, row weight w, error weight t, ℛp = F2[x]/(x^p − 1)
    (p a prime, w even, w/2 odd, w and t are close to √(2p))
  Alice: picks h0, h1 randomly in ℛp with wt(h0) = wt(h1) = w/2
  Alice → Bob: g = h1 h0^(−1)
  Bob: picks e0, e1 randomly in ℛp with wt(e0) + wt(e1) = t
  Bob → Alice: s = e0 + e1g
  Alice: recovers e0, e1 by solving s = e0 + e1g, that is, sh0 = e0h0 + e1h1 (as in Problem 1, QC-MDPC decoding)
  At the end of the protocol, Alice and Bob share the session key K = hash(e0, e1).

Decoding failures. Finally, the current choice of parameters in Misoczki and his colleagues' "MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes"[15] leads to a small probability of failure with state-of-the-art MDPC decoders.

This failure probability is low enough to be a benign nuisance in normal usage of the scheme. However, very recently Qian Guo and his colleagues demonstrated that error patterns leading to decoding failures are correlated with the secret key.[16] If adversaries have the ability to collect many error patterns leading to an MDPC decoding failure, they can recover the secret. We can counter this attack by reducing the probability of a decoding failure to a small enough quantity. This can be achieved by increasing the block size (and thus the key size). The precise amount by which to increase the block size is an open research question.

Finally, note that the forward secrecy key exchange protocol presented here isn't vulnerable to this attack because each public key is used only once. In the case of a decoding failure, the protocol restarts from the beginning with a fresh public key g.

After decades of research, code-based cryptography has reached a certain maturity. The original McEliece encryption scheme is a very strong candidate as one of the future quantum-resistant standards for public-key encryption that must be defined in the coming decade. Its main limitation is a relatively large key size (on the order of 1 Mbyte for the quantum-resistant variant with long-term security), which makes it less suitable for some applications. The other interesting candidates for code-based quantum-resistant cryptography are the variants based on QC-MDPC codes, which allow for much shorter keys and could provide a simple and efficient key exchange protocol with forward secrecy. Moreover, its security provably reduces to the hardness of two well-identified coding theory problems, both of which are believed to be hard.

Code-based cryptography has a thorn in its side with the absence of a satisfying digital-signature scheme. The most credible possibility at this time would be a non-interactive variant of Jacques Stern's zero-knowledge authentication scheme,[8] but this would mean relatively large signature sizes (one or a few hundred kilobytes). Finding other, more convenient digital signature primitives is certainly one of the major challenges in code-based cryptography today.

References
1. R.J. McEliece, "A Public-Key Cryptosystem Based on Algebraic Coding Theory," Deep Space Network progress report, Jet Propulsion Lab., California Inst. Technology, Jan. 1978, pp. 114–116.
2. E.R. Berlekamp et al., "On the Inherent Intractability of Certain Coding Problems," IEEE Trans. Information Theory, vol. 24, no. 3, 1978, pp. 384–386.
3. N. Courtois, M. Finiasz, and N. Sendrier, "How to Achieve a McEliece-Based Digital Signature Scheme," Advances in Cryptology (ASIACRYPT 01), LNCS 2248, Springer, 2001, pp. 157–174.
4. N. Sendrier, "On the Use of Structured Codes in Code Based Cryptography," Coding Theory and Cryptography III, S. Nikova, B. Preneel, and L. Storme, eds., 2009, pp. 59–68.
5. M. Alekhnovich, "More on Average Case vs Approximation Complexity," Proc. 44th Symp. Foundations of Computer Science (FOCS 03), 2003, pp. 298–307.
6. J.-C. Faugère et al., "A Distinguisher for High-Rate McEliece Cryptosystems," IEEE Information Theory Workshop (ITW 11), 2011, pp. 282–286.
7. H. Niederreiter, "Knapsack-Type Cryptosystems and Algebraic Coding Theory," Problems of Control and Information Theory, vol. 15, no. 2, 1986, pp. 157–166.
8. J. Stern, "A New Identification Scheme Based on Syndrome Decoding," Advances in Cryptology (CRYPTO 93), LNCS 773, Springer, 1993, pp. 13–21.
9. A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Advances in Cryptography (CRYPTO 86), LNCS 263, Springer, 1982, pp. 186–194.
10. D. Unruh, "Non-interactive Zero-Knowledge Proofs in the Quantum Random Oracle Model," Advances in Cryptography (EUROCRYPT 15), LNCS 9057, Springer, 2015, pp. 755–784.
11. K. Kobara and H. Imai, "Semantically Secure McEliece Public-Key Cryptosystems—Conversions for McEliece PKC," Public Key Cryptography, LNCS 1992, Springer, 2001, pp. 19–35.
12. D.J. Bernstein et al., "McBits: Fast Constant-Time Code-Based Cryptography," Proc. Int'l Workshop Cryptographic Hardware and Embedded Systems (CHES 13), LNCS 8086, Springer, 2013, pp. 250–272.
13. P. Gaborit, "Shorter Keys for Code Based Cryptography," Proc. Int'l Workshop Coding and Cryptography (WCC 05), 2005, pp. 81–90.
14. J.-C. Faugère et al., "Algebraic Cryptanalysis of McEliece Variants with Compact Keys," Advances in Cryptology (EUROCRYPT 10), LNCS 6110, Springer, 2010, pp. 279–298.
15. R. Misoczki et al., "MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes," Proc. IEEE Int'l Symp. Information Theory (ISIT 13), 2013, pp. 2069–2073.
16. Q. Guo, T. Johansson, and P. Stankovski, "A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors," Advances in Cryptology (ASIACRYPT 16), LNCS 10031, Springer, 2016, pp. 789–815.

Nicolas Sendrier is a senior research scientist at INRIA. His main research interests include the design and analysis of code-based cryptographic primitives. Sendrier received a PhD in computer science from University Paris 6. He's a steering committee member of the Postquantum Cryptography conference series. Contact him at [email protected].
