LEDAkem: A Post-quantum Key Encapsulation Mechanism Based on QC-LDPC Codes

  • Marco Baldi
  • Alessandro Barenghi
  • Franco Chiaraluce
  • Gerardo Pelosi
  • Paolo Santini
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


This work presents a new code-based key encapsulation mechanism (KEM) called LEDAkem. It is built on the Niederreiter cryptosystem and relies on quasi-cyclic low-density parity-check codes as secret codes, providing high decoding speeds and compact keypairs. LEDAkem uses ephemeral keys to foil known statistical attacks, and takes advantage of a new decoding algorithm that provides faster decoding than the classical bit-flipping decoder commonly adopted in this kind of systems. The main attacks against LEDAkem are investigated, taking into account quantum speedups. Some instances of LEDAkem are designed to achieve different security levels against classical and quantum computers. Some performance figures obtained through an efficient C99 implementation of LEDAkem are provided.


Code-based cryptography Key encapsulation mechanism Niederreiter cryptosystem Post-quantum cryptography Quasi-cyclic low-density parity-check codes 



Paolo Santini was partly funded by Namirial SpA.


  1. 1.
    Aragon, N., Barreto, P.S.L.M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C., Gaborit, P., Gueron, S., Güneysu, T., Melchor, C.A., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P., Zémor, G.: BIKE: bit flipping key encapsulation (2017). http://bikesuite.org/files/BIKE.pdf
  2. 2.
    Baldi, M., Bianchi, M., Chiaraluce, F.: Optimization of the parity-check matrix density in QC-LDPC code-based McEliece cryptosystems. In: Proceedings of the IEEE ICC 2013 - Workshop on Information Security over Noisy and Lossy Communication Systems, Budapest, Hungary, June 2013Google Scholar
  3. 3.
    Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 246–262. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-85855-3_17CrossRefGoogle Scholar
  4. 4.
    Baldi, M.: QC-LDPC Code-Based Cryptography. SpringerBriefs in Electrical and Computer Engineering. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-02556-8CrossRefMATHGoogle Scholar
  5. 5.
    Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: LEDAkem: Low dEnsity coDe-bAsed key encapsulation mechanism (2017). https://www.ledacrypt.org/
  6. 6.
    Baldi, M., Bianchi, M., Chiaraluce, F.: Security and complexity of the McEliece cryptosystem based on QC-LDPC codes. IET Inf. Secur. 7(3), 212–220 (2012)CrossRefGoogle Scholar
  7. 7.
    Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptol. 29(1), 1–27 (2016)MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Bardet, M., Barelli, E., Blazy, O., Torres, R.C., Couvreur, A., Gaborit, P., Otmani, A., Sendrier, N., Tillich, J.P.: BIG QUAKE: BInary Goppa QUAsi-cyclic Key Encapsulation (2017). https://bigquake.inria.fr/files/2017/12/proposal.pdf
  9. 9.
    Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2n/20: how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-29011-4_31CrossRefGoogle Scholar
  10. 10.
    Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Des. Codes Crypt. 35(1), 63–79 (2005)MathSciNetCrossRefMATHGoogle Scholar
  11. 11.
    Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-22792-9_42CrossRefGoogle Scholar
  13. 13.
    Cayrel, P.-L., Gueye, C.T., Mboup, E.H.M., Ndiaye, O., Persichetti, E.: Efficient implementation of hybrid encryption from coding theory. In: El Hajji, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2017. LNCS, vol. 10194, pp. 254–264. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-55589-8_17CrossRefGoogle Scholar
  14. 14.
    Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: Proceedings of the IEEE International Symposium on Information Theory (ISIT 2016), Barcelona, Spain, pp. 1366–1370, July 2016Google Scholar
  15. 15.
    Fabšič, T., Gallo, O., Hromada, V.: Simple power analysis attack on the QC-LDPC McEliece cryptosystem. Tatra Mt. Math. Pub. 67(1), 85–92 (2016)MathSciNetMATHGoogle Scholar
  16. 16.
    Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QC-LDPC McEliece cryptosystem. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 51–68. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59879-6_4CrossRefGoogle Scholar
  17. 17.
    Gaborit, P.: Shorter keys for code based cryptography. In: Proceedings of the International Workshop on Coding and Cryptography (WCC 2005), Bergen, Norway, pp. 81–90, March 2005Google Scholar
  18. 18.
    Goppa, V.D.: A new class of linear correcting codes. Probl. Pered. Inform. 6(3), 24–30 (1970)MathSciNetMATHGoogle Scholar
  19. 19.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the 28th Annual ACM Symposium on the Theory of Computing, Philadelphia, PA, pp. 212–219, May 1996Google Scholar
  20. 20.
    Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53887-6_29CrossRefGoogle Scholar
  21. 21.
    Hofheinz, D., Hvelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017). https://eprint.iacr.org/2017/604
  22. 22.
    Kachigar, G., Tillich, J.-P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 69–89. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-59879-6_5CrossRefGoogle Scholar
  23. 23.
    Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988).  https://doi.org/10.1007/3-540-45961-8_25Google Scholar
  24. 24.
    Leon, J.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (1988)MathSciNetCrossRefMATHGoogle Scholar
  25. 25.
    Li, Y.X., Deng, R., Wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (1994)MathSciNetCrossRefMATHGoogle Scholar
  26. 26.
    Löndahl, C., Johansson, T.: A new version of McEliece PKC based on convolutional codes. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 461–470. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-34129-8_45CrossRefGoogle Scholar
  27. 27.
    May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_6CrossRefGoogle Scholar
  28. 28.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report, pp. 114–116 (1978)Google Scholar
  29. 29.
    Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073, July 2013Google Scholar
  30. 30.
    Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 376–392. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-05445-7_24CrossRefGoogle Scholar
  31. 31.
    Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: Proceedings of the IEEE International Symposium on Information Theory (ISIT 2000), Sorrento, Italy, p. 215, June 2000Google Scholar
  32. 32.
    National Institute of Standards and Technology: Post-quantum crypto project, December 2016. http://csrc.nist.gov/groups/ST/post-quantum-crypto/
  33. 33.
    Niebuhr, R., Persichetti, E., Cayrel, P.L., Bulygin, S., Buchmann, J.: On lower bounds for information set decoding over \(f_q\) and on the effect of partial knowledge. Int. J. Inf. Coding Theory 4(1), 47–78 (2017)MathSciNetCrossRefMATHGoogle Scholar
  34. 34.
    Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15, 159–166 (1986)MathSciNetMATHGoogle Scholar
  35. 35.
    Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. In: Proceedings of the First International Conference on Symbolic Computation and Cryptography (SCC 2008), Beijing, China, April 2008Google Scholar
  36. 36.
    Peters, C.: Information-set decoding for linear codes over \(\mathbf{F}_{q}\). In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 81–94. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-12929-2_7CrossRefGoogle Scholar
  37. 37.
    Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. Cryptology ePrint Archive, Report 2017/1005 (2017). https://eprint.iacr.org/2017/1005
  39. 39.
    Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25405-5_4CrossRefGoogle Scholar
  40. 40.
    Shooshtari, M.K., Ahmadian-Attari, M., Johansson, T., Aref, M.R.: Cryptanalysis of McEliece cryptosystem variants based on quasi-cyclic low-density parity check codes. IET Inf. Secur. 10(4), 194–202 (2016)CrossRefGoogle Scholar
  41. 41.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefMATHGoogle Scholar
  42. 42.
    Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989).  https://doi.org/10.1007/BFb0019850CrossRefGoogle Scholar
  43. 43.
    de Vries, S.: Achieving 128-bit security against quantum attacks in OpenVPN. Master’s thesis, University of Twente, August 2016. http://essay.utwente.nl/70677/

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Università Politecnica delle MarcheAnconaItaly
  2. 2.Politecnico di MilanoMilanItaly

Personalised recommendations