# An Programmatic Introduction to the McEliece Cryptosystem

Project done by Daniel Medina and Yinwei (Charlie) Zhang.  For Dr. Rundell, Texas A&M Math 471, Spring Semester.

#### Abstract


## 1 Introduction

A great number of cryptosystems out there are based on number theory foundations. We chose our project to be about the McEliece cryptosystem as it is instead based in coding theory, and thus, it is different to other cryptosystems that we have learned throughout our cryptography classes. Furthermore, the McEliece cryptosystem is also interesting because it is said to be post quantum computing resistant. That is, there are no known quantum algorithms that would efficiently solve the problem where the security of McEliece relies on (the linear code decoding problem). In contrast, cryptographic algorithms that directly or indirectly rely on the prime factorization of large integers (such as RSA, elliptic curve cryptography or algorithms that rely on the discrete logarithm problem) are not post quantum secure as there is a quantum algorithm that can solve the factorization problem in polynomial time (Shor’s algorithm). We will start the paper by first introducing the definition and the properties of the McEliece cryptosystem. Then, we will elaborate on Goppa codes, which is the code that McEliece recommended to use and which has been shown to be more secure when using McEliece. We will also provide an implementation of the McEliece cryptosystem with Goppa codes in order to perform different tests and gather statistical data that would aid us to answer some of the proposed questions. We will finalize the paper with the conclusions found including some comparisons against RSA. 

## 2 McEliece

The McEliece cryptosystem is an asymmetric public key cryptographic system that uses error correcting codes for generating the public and private keys, and consequently, for the encryption and decryption processes. The McEliece cryptosystem makes use of binary Goppa codes in its original description, but any general linear code can be used. The parameters of the McEliece cryptosystem are n and t, where $n$ is the length of the code used and $t$ is the maximum number of errors that can be corrected by the code. The public key is then generated in the following way:

The size k of the code is calculated using $n$ and $t$.
A nonsingular $k \times k$ scramble matrix $S$ is randomly generated.
A nxn permutation matrix is randomly generated.
A generator matrix $G$ for a Goppa code $(n,k)$.

The matrix $G' = SGP$ is calculated and the public key consists of the pair $(G', t)$.

The private key will consist of the matrices $S$, $P$, and the generator matrix $G$ along with the Goppa polynomial $g(z)$ in order to be able to efficiently perform decoding. 

Then, the encryption scheme can be described as follows: Alice publishes her public key. Bob wants to encrypt and send a message $m$. Bob encrypts the message by first choosing a random vector $z$  of length $k$ and of weight $t$. The message $m$ is encoded using the matrix $G'$ found in the public key and the vector $z$ is added to the encoded message. The ciphertext is thus given by $C = mG' + z$.

Alice receives the ciphertext C and proceeds to decrypt using her private key.

By calculating $CP^{-1}$ Alice gets $(mS)G+zP^{-1}$. If CP{^-1} is decoded using the decoding algorithm for the chosen Goppa code, then  mSG will be obtained. The message m can finally be found by multiplying with the inverses of $S$ and $G: m = mSG(S^-1)G^{-1}$.


## 3 Goppa Codes

In his original paper [n], McEliece recommended the linear code that should be used, $G$, be a binary Goppa Code.  They are complex and require quite a bit of machinery in order to understand them.  Check the Appendix for explanations on GF, and general Goppa Codes.

**Definition 3.0 Parameters.**


**Definition 3.1: General Goppa Codes.**

Let $g(x)$ be an irreducible Goppa polynomial in $GF(p^m)$, where $p$ is a prime, $m$ is an integer, $GF$ is a Galois Field.  A Goppa polynomial is defined as a $g(x) = g_0 + g_1(x) + \dots + g_t(x^t) = \sum_{i=0}^{t}g_ix^i$.  Then pick $L = \{g(\alpha_1), g(\alpha_2), \dots, g(\alpha_3)\}$, a subset from $GF(2^m)$, such that $g(\alpha_i) \neq 0$.  

Then to generator valid Goppa codes, $C$, we define $R_c(z) = \sum_{i=1}^{n} \frac{c_i}{x - \alpha_i}$.  A codeword is valid if and only if $R_c(x) \equiv 0$ (mod $g(x)$).  Here, $\frac{}{}$.

A Goppa code $\Gamma(L, g(x))$ is the space of all the valid Goppa codes defined by $R_c(x) \equiv 0$ (mod $g(x)$).  

**Definition 3.2: Binary Goppa Codes.**

With binary Goppa codes, our Galois Field is $GF(2^m)$.  From before, $\Gamma(L, g(x)) = \Gamma(\alpha_1, \alpha_2, \dots, \alpha_n, g(x)) = \{ c \in GF(2^m) | \sum_{i=0}^{n-1} c_i \frac{c_i}{x - \alpha_i} \equiv 0 \text{ mod } g(x)\}$.

An equivalent approach is to define $GF(2)[X]/[X^{2^m - 1}-1]$.  Here, the Galois Field is a subspace of the Goppa polynomial, the factors of $X^{2^m - 1}-1$.  We find $L$ by finding $\alpha$, by finding 

**Definition 3.3: Goppa Code Generator Matrix.**

To find 

**Definition 3.4: Goppa Code Parity Check Matrix.**

**Example**

### 

## N Appendix


## References

