
McEliece Cryptosystem: Reducing the Key Size with QC-LDPC codes


2023 19th International Conference on the Design of Reliable Communication Networks (DRCN) | 978-1-6654-7598-3/23/$31.00 ©2023 IEEE | DOI: 10.1109/DRCN57075.2023.10108339

Paula Pérez-Pacheco
Department of Computer Engineering and Systems
University of La Laguna
38271 La Laguna, Tenerife, Spain
alu0101060774@ull.edu.es

Pino Caballero-Gil
Department of Computer Engineering and Systems
University of La Laguna
38271 La Laguna, Tenerife, Spain
pcaballe@ull.edu.es

Abstract—Post-quantum cryptography is a growing area since Shor showed that a quantum computer with enough qubits could be used to break the most widely used public-key cryptographic protocols today, such as RSA or those based on the discrete logarithm problem. For this reason, it has become urgent to design cryptosystems that are robust against quantum computer attacks. One of them is the code-based McEliece cryptosystem, which was originally proposed using Goppa codes in 1978. The improved version of the original McEliece cryptosystem, called Classic McEliece, made it as far as the fourth round of the NIST Post-Quantum Cryptography standardization process launched by the National Institute of Technology to update the standards and include post-quantum cryptography in digital signatures, encryption and key exchange. In this work we describe and analyze two variants of the original cryptosystem designed to overcome its main drawbacks, such as its large key size and weakness against known attacks. In addition, both the recent attack that allows the recovery of the private key with limited complexity and the ways in which this attack can be prevented by changing the shape of some constituent arrays in these two new variants are discussed.

Index Terms—cryptography, McEliece cryptosystem, key size, QC-LDPC codes

I. INTRODUCTION

Code-based cryptography is apparently quantum resistant and therefore its study has increased in recent years. Post-quantum cryptography is a subfield of cryptography that deals with cryptographic algorithms that are supposed to be robust against quantum attacks. The National Institute of Standards and Technology (NIST) is currently in the process of selecting one or more public-key cryptographic algorithms through a public, competition-like process called Post-Quantum Cryptography Standardization Process. The new public-key cryptography standards will specify one or more additional digital signatures, public-key encryption, and key-establishment algorithms to augment Federal Information Processing Standard. Among all the proposals presented, there is one based on the original McEliece Cryptosystem. The proposal is called Classic McEliece: conservative code-based cryptography [1], and was originally proposed using Goppa codes. Its security is based on two assumptions, the indistinguishability of the code family and the difficulty of decoding a generic linear code. The decoding problem is a well-studied NP-complete problem. On the other hand, although the indistinguishability problem is considered simpler, Classic McEliece solves this possible weakness by introducing a KEM.

The original McEliece cryptosystem was first introduced by Robert McEliece in 1978 [2] and thus is one of the oldest public-key cryptosystems. Until now, this cryptosystem has had little acceptance, mainly because it requires a very large key size. In this work, in addition to the original McEliece cryptosystem based on Goppa codes [3], another proposal of the McEliece cryptosystem based on Low-Density Parity-Check (LDPC) codes [4] is analyzed, as these codes are considered good candidates for this purpose, as discussed below. They have been repeatedly suggested as a possible basis for the original McEliece scheme [5]–[9]. However, they have some known weaknesses.

A particularly interesting class of LDPC codes are Quasi-Cyclic LDPC (QC-LDPC) codes, as they combine the low-complexity encoding of QC codes with low-complexity, high-performance decoding techniques.

This work introduces the study of a first variant of the cryptosystem proposed in [9]. In addition, a second variant of the cryptosystem, also proposed in [9], is presented that provides better overall security. However, from [10] we know that these variants present problems that were solved by adding a small modification, as we will see next.

This document is structured as follows. Sections II and III introduce Goppa codes, LDPC codes, QC-LDPC codes and the original McEliece cryptosystem. Section IV describes the main details of the cryptanalysis of the McEliece cryptosystem based on QC-LDPC codes, as well as two variants, the problems with these variants, and a modification that gives us a final variant of the McEliece cryptosystem based on QC-LDPC codes. The complexity of such schemes is analyzed in Section V. Finally, the work closes with some conclusions and future work.

II. PRELIMINARIES

A. Goppa Codes

Goppa codes are error correcting codes that were first introduced in the paper [11].


Authorized licensed use limited to: Indian Institute Of Technology (Banaras Hindu University) Varanasi. Downloaded on August 21,2023 at 11:18:10 UTC from IEEE Xplore. Restrictions apply.
Binary Goppa codes are linear codes built on the finite field $\mathbb{F}_2 = \{0, 1\}$. To build a Goppa code, the following parameters are necessary:
• $m \in \mathbb{N}$,
• an auxiliary finite field defined by a primitive irreducible binary polynomial, $\mathbb{F}_{2^m} = \{0, 1, \alpha, \alpha^2, \ldots, \alpha^{2^m - 2}\}$,
• a polynomial $g(x)$ of degree $t \in \mathbb{N}$ with coefficients in $\mathbb{F}_{2^m}$, $g(x) = g_0 + g_1 x + \ldots + g_t x^t = \sum_{i=0}^{t} g_i x^i$, and
• a set $L$ of $n \in \mathbb{N}$ elements of $\mathbb{F}_{2^m}$, $L = \{L_0, \ldots, L_{n-1}\}$, such that $L_i \neq L_j \wedge g(L_i) \neq 0$, $\forall i, j \in \{0, \ldots, n-1\}$.

A Goppa code $\Gamma(g, L)$ is formed by binary words of $n$ bits $w = (w_1, w_2, \ldots, w_n)$ that meet Eq. (1):

$$\left\{ w \in \mathbb{Z}_2^n : R_w(x) = \sum_{i=0}^{n-1} \frac{w_i}{x - L_i} = 0 \bmod g(x) \right\}. \quad (1)$$

B. LDPC codes

Low-Density Parity-Check codes form a class of linear codes that are derived from sparse bipartite graphs. To build an LDPC code, consider a bipartite graph $X$ where the nodes on the left are called bit nodes (or variable nodes), and the nodes on the right are called check nodes (or constraint nodes). An LDPC code is built from $X$ as follows: each left vertex is associated with one bit of a codeword $w$, and $w$ belongs to the code if, for every check node, the sum of the neighboring bits (the bits associated with the neighboring variable nodes) is zero.

Example. Consider the graph shown in Fig. 1. The variable nodes are denoted by $v_1, \ldots, v_{10}$ while the constraint nodes are denoted by $r_1, \ldots, r_5$.

Each variable node is associated with a bit of a codeword. Thus, the LDPC code defined by the graph in Fig. 1 is the set of words of length 10 such that, for each constraint node $r_1, \ldots, r_5$, the sum of the bits associated with the adjacent variable nodes is equal to 0. In other words, the code is the set of words $v = v_1 \ldots v_{10}$ that satisfy the equations:

$v_2 \oplus v_4 = 0$
$v_1 \oplus v_3 \oplus v_7 \oplus v_8 \oplus v_9 = 0$
$v_2 = 0$
$v_1 \oplus v_6 \oplus v_7 = 0$
$v_2 \oplus v_4 \oplus v_5 \oplus v_6 \oplus v_9 \oplus v_{10} = 0.$

Thus, the parity-check matrix of the code is the adjacency matrix of the graph:

$$H = \begin{pmatrix}
0 & 1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 1 & 1
\end{pmatrix}$$

In conclusion, the code can be defined as the set of words $w$ such that $wH = 0$.

Fig. 1. Bipartite graph

C. QC-LDPC Codes

A first version of the McEliece cryptosystem based on LDPC codes was proposed in [5]. However, it was soon shown that this cryptosystem could be broken with the so-called total break attack. A new version of the cryptosystem was proposed that hides the structure of the secret code in the public code and adopts a public code whose dual does not contain very low weight codewords. This new cryptosystem is the McEliece cryptosystem based on QC-LDPC codes, and these codes are defined in this Section.

Quasi-cyclic (QC) codes were introduced in [12]. They are linear block codes with dimension $k = p \times k_0$ and length $n = p \times n_0$ with the following properties:
• each $n_0$ symbol section (sub-block) of a codeword is composed of $k_0$ information symbols followed by $r_0 = n_0 - k_0$ parity checks;
• each cyclic shift of a codeword by $n_0$ symbols yields another codeword.

The generator and parity-check matrices of a QC code can assume two alternative (and equivalent) forms: the "blocks circulant" form and the "circulants block" form. A matrix is called circulant if it is a Toeplitz matrix of the form defined by Eq. (2), with $a_i = a_{i-p}$ for all $i$:

$$\begin{pmatrix}
a_0 & a_1 & a_2 & \cdots & a_{p-1} \\
a_{-1} & a_0 & a_1 & \cdots & a_{p-2} \\
a_{-2} & a_{-1} & a_0 & \cdots & a_{p-3} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
a_{1-p} & a_{2-p} & a_{3-p} & \cdots & a_0
\end{pmatrix} \quad (2)$$

QC-LDPC codes are particular QC codes characterized by parity-check matrices well suited for LDPC decoding algorithms. Thus, especially interesting QC-LDPC codes are those having parity-check matrices $H$ in the "circulants block" form, but with the particular choice $r_0 = 1$. In this case, $H$ assumes the form shown in Eq. (3) (a single row of circulants):

$$H = [H_0 \; H_1 \; \cdots \; H_{n_0-1}] \quad (3)$$

Thus, the code has rate $R = (n_0 - 1)/n_0$.

Matrices in the form described in Eq. (3) can be completely specified by a set $B$ of $n_0$ "base-blocks" $B = \{B_0, B_1, \ldots, B_{n_0-1}\}$. Each base-block is a subset of the field of integers modulo $p$, $\mathbb{Z}_p$, and is associated with a circulant

block in $H$, $B_i \leftrightarrow H_i$, in the sense that $B_i$ contains the positions of the non-null entries in the first row of $H_i$.

The matrix $H$ is formed by a row $\{H_0, \ldots, H_{n_0-1}\}$ of $n_0$ binary circulant blocks with size $p$ and row/column weight $d_v$. The generator matrix $G$, instead, is formed by a $k \times k$ identity matrix $I$ (with $k = k_0 \times p$ and $k_0 = n_0 - 1$), followed by a column of $k_0$ binary circulant blocks with size $p$. If we suppose $H_{n_0-1}$ to be non-singular, $G$ can be obtained as follows:

$$G = \left[\; I \;\middle|\; \begin{matrix}
\left(H_{n_0-1}^{-1} \cdot H_0\right)^T \\
\left(H_{n_0-1}^{-1} \cdot H_1\right)^T \\
\vdots \\
\left(H_{n_0-1}^{-1} \cdot H_{n_0-2}\right)^T
\end{matrix} \;\right] \quad (4)$$

III. ORIGINAL MCELIECE CRYPTOSYSTEM

The McEliece Cryptosystem introduced by Robert McEliece in 1978 is described below.

Algorithm. The McEliece Public-Key Cryptosystem.
Security parameters: $n, t \in \mathbb{N}$ with $t \ll n$;
Key creation: Choose a Goppa code $\mathcal{G}$ of dimension $k$, length $n$, and error correction capacity up to $t$. Then, generate the corresponding matrices $S$, $G$ and $P$ where:
$S$ is a random non-singular $k \times k$ matrix;
$G$ is the generating matrix of $\mathcal{G}$ of size $k \times n$;
$P$ is a random $n \times n$ permutation matrix;
Public Key: $(G_{pub}, t)$ with $G_{pub} = SGP$ of size $k \times n$.
Private key: $(S, P, D_{\mathcal{G}})$ where $D_{\mathcal{G}}$ is an efficient decoding algorithm for $\mathcal{G}$.
Encryption: To encrypt the message $m \in \mathbb{Z}_2^k$, the sender must randomly choose $e \in \mathbb{Z}_2^n$ with Hamming weight $t$, and compute the ciphertext $c$ with the receiver's public key $G_{pub}$:

$$c = m G_{pub} + e.$$

Decryption: To decrypt $c$, the receiver must compute $c P^{-1}$, then apply $D_{\mathcal{G}}$ to the result, and finally multiply by $S^{-1}$ to get the message $m$.

Example. Suppose Bob wants to send a secret message $m$ to Alice by encrypting it with the McEliece cryptosystem. To define her McEliece public key, Alice randomly chooses a non-singular matrix $S$ of size $4 \times 4$:

$$S = \begin{pmatrix}
1 & 0 & 0 & 1 \\
0 & 1 & 0 & 0 \\
1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1
\end{pmatrix}$$

Also, she chooses a Goppa code $\mathcal{G}$ with generating matrix $G$ of size $4 \times 12$:

$$G = \begin{pmatrix}
1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 1 & 1 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\
1 & 1 & 0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 0
\end{pmatrix}$$

Finally, Alice randomly chooses a permutation matrix $P$ of size $12 \times 12$:

$$P = \begin{pmatrix}
1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0
\end{pmatrix}$$

Then, she computes $G_{pub} = SGP$ and publishes the pair $(G_{pub}, t = 2)$ as her public key:

$$G_{pub} = \begin{pmatrix}
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 1 \\
0 & 1 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 0 & 0
\end{pmatrix}$$

If Bob wants to encrypt the message $m = (1, 0, 1, 1)$ using Alice's public key, he first calculates:

$$m G_{pub} = (1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1).$$

Then, he chooses a random vector $e$ of weight $t = 2$:

$$e = (0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0).$$

Finally, he computes the ciphertext:

$$c = m G_{pub} + e = (1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1).$$

For Alice to decode $c$ using her private key, she first calculates:

$$c P^{-1} = (1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 0).$$

Then, she applies Patterson's Algorithm [13] to $c P^{-1}$ to get $m' = (0, 1, 1, 0)$, and finally calculates $m' S^{-1}$ to retrieve the original message $m$.

IV. ANALYSIS OF THE MCELIECE CRYPTOSYSTEM BASED ON QC-LDPC

In the version of the McEliece cryptosystem based on QC-LDPC proposed in [8], both $S$ and $Q$ were chosen sparse. In particular, the block-diagonal form for $Q$ shown in Eq. (5) was adopted:

$$Q = \begin{pmatrix}
Q_0 & 0 & \cdots & 0 \\
0 & Q_1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & Q_{n_0-1}
\end{pmatrix} \quad (5)$$
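The QC-LDPC construction of Section II-C worked in code, as an added example that is not part of the paper: circulant blocks are built from base-blocks (Eq. 2 and 3), the systematic generator matrix of Eq. (4) is derived over GF(2), and the resulting pair is checked for $G H^T = 0$, for the circulant structure of the key blocks, and for the quasi-cyclic shift property. The parameters $p = 7$, $n_0 = 3$ and the three base-blocks are small constructed values, not the paper's.

```python
# Added example, not code from the paper: build the QC-LDPC parity-check matrix
# H = [H0 | H1 | ... | H_{n0-1}] of Eq. (3) from base-blocks over Z_p, derive the
# systematic generator matrix of Eq. (4) over GF(2), and check that G * H^T = 0,
# that the non-identity column of G is again made of circulant blocks (so the
# public key is fully described by the first row of each block), and that
# shifting every p-bit sub-block of a codeword gives another codeword.
# p = 7, n0 = 3 and the base-blocks are constructed values, not the paper's.

def circulant(base_block, p):
    """p x p circulant over GF(2): row 0 has ones at the base-block positions,
    row i is row 0 rotated right by i (Eq. 2 with a_i = a_{i-p})."""
    row0 = [1 if j in base_block else 0 for j in range(p)]
    return [row0[-i:] + row0[:-i] if i else row0[:] for i in range(p)]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def transpose(m):
    return [list(col) for col in zip(*m)]

def hconcat(blocks):
    """Place matrices with the same number of rows side by side."""
    return [sum((b[r] for b in blocks), []) for r in range(len(blocks[0]))]

def matmul(a, b):
    """Matrix product over GF(2); matrices are lists of 0/1 rows."""
    bt = transpose(b)
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in bt] for row in a]

def inverse(m):
    """Gauss-Jordan inverse over GF(2); raises ValueError on a singular block."""
    n, eye = len(m), identity(len(m))
    aug = [row[:] + eye[i] for i, row in enumerate(m)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            raise ValueError("H_{n0-1} is singular: pick another base-block")
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def is_circulant(block):
    p = len(block)
    return block == circulant([j for j in range(p) if block[0][j]], p)

def qc_ldpc_matrices(base_blocks, p):
    """H in the single-row-of-circulants form (r0 = 1) and G as in Eq. (4)."""
    Hs = [circulant(b, p) for b in base_blocks]
    H = hconcat(Hs)
    last_inv = inverse(Hs[-1])                                   # H_{n0-1}^{-1}
    col = [row for Hi in Hs[:-1] for row in transpose(matmul(last_inv, Hi))]
    G = hconcat([identity((len(Hs) - 1) * p), col])              # k x n
    return H, G

def in_code(word, H):
    """True iff H * word^T = 0."""
    return not any(matmul([word], transpose(H))[0])

def shift_blocks(word, p):
    """Cyclic right shift by one position inside each p-bit sub-block."""
    blocks = [word[i:i + p] for i in range(0, len(word), p)]
    return sum(([b[-1]] + b[:-1] for b in blocks), [])

def demo(p=7, base_blocks=((0, 1, 3), (0, 2, 3), (0, 1, 2))):
    """Checks a practitioner would run on a freshly built (H, G) pair."""
    H, G = qc_ldpc_matrices(base_blocks, p)
    k, n = len(G), len(G[0])
    u = [1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0][:k]      # constructed message
    c = matmul([u], G)[0]                                  # codeword u * G
    key_blocks = [[row[k:] for row in G[i * p:(i + 1) * p]] for i in range(k // p)]
    return {
        "shape": (k, n),
        "GHt_zero": not any(x for row in matmul(G, transpose(H)) for x in row),
        "key_blocks_circulant": all(is_circulant(b) for b in key_blocks),
        "codeword_ok": in_code(c, H),
        "shifted_codeword_ok": in_code(shift_blocks(c, p), H),
        "rate": (len(base_blocks) - 1) / len(base_blocks),
    }
```

The last base-block must yield an invertible $H_{n_0-1}$ (over GF(2) this holds when its polynomial is coprime with $x^p - 1$); `inverse` raises otherwise, which is the check to run before accepting a candidate private code.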
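The toy instance of Section III replayed in code, as an added example that is not part of the paper: it uses the paper's $S$, $G$, $P$, $m$ and $e$ and reproduces $G_{pub}$, $c$, $c P^{-1}$ and $m'$. Patterson's decoder and $S^{-1}$ are replaced by exhaustive search, a stand-in that only works because the instance is tiny.

```python
# Added example, not code from the paper: the Section III toy instance worked
# end to end over GF(2) with the paper's S, G, P, m and e (P is written as the
# column holding the 1 in each row). The Goppa decoder D_G (Patterson's
# algorithm in the paper) and S^-1 are replaced by exhaustive search over the
# 16 codewords / 16 candidate messages, stand-ins that only work because the
# instance is tiny; real instances rely on an algebraic decoder.
from itertools import product

S = [[1, 0, 0, 1], [0, 1, 0, 0], [1, 1, 0, 0], [0, 0, 1, 1]]
G = [[1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1],
     [1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0],
     [0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0],
     [1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0]]
P_ONES = [1, 3, 9, 6, 5, 2, 4, 12, 8, 10, 11, 7]      # 1-based column per row
P = [[int(col == pos) for col in range(1, 13)] for pos in P_ONES]
T = 2                                                  # published with Gpub

def matmul(a, b):
    """Matrix product over GF(2); matrices are lists of 0/1 rows."""
    cols = list(zip(*b))
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in cols] for row in a]

def transpose(m):
    return [list(c) for c in zip(*m)]

def add(u, v):
    return [x ^ y for x, y in zip(u, v)]

def keygen():
    """Public key (Gpub, t) with Gpub = S G P; (S, G, P) stays private."""
    return matmul(matmul(S, G), P), T

def encrypt(m, Gpub, e):
    """c = m Gpub + e, where e must have Hamming weight t."""
    if sum(e) != T:
        raise ValueError("error vector must have weight t")
    return add(matmul([m], Gpub)[0], e)

def decode_bruteforce(word, t):
    """Stand-in for D_G: the unique message whose codeword is within distance t."""
    hits = [list(u) for u in product([0, 1], repeat=len(G))
            if sum(add(matmul([list(u)], G)[0], word)) <= t]
    if len(hits) != 1:
        raise ValueError("decoding failure: %d codewords within t" % len(hits))
    return hits[0]

def decrypt(c):
    """c P^-1 (P^-1 = P^T for a permutation), then D_G, then undo S."""
    m_prime = decode_bruteforce(matmul([c], transpose(P))[0], T)   # m' = m S
    for cand in product([0, 1], repeat=len(S)):        # stand-in for m' S^-1
        if matmul([list(cand)], S)[0] == m_prime:
            return list(cand)
    raise ValueError("S is singular")

def min_distance():
    """Smallest nonzero codeword weight d of the toy code. Its guaranteed
    correction radius floor((d-1)/2) is below t = 2, so a brute-force decode of
    an arbitrary weight-2 error can be ambiguous; binary Goppa codes with
    d >= 2t+1 are what make D_G reliable in the real scheme."""
    return min(sum(matmul([list(u)], G)[0])
               for u in product([0, 1], repeat=len(G)) if any(u))

def worked_example():
    """Replays the paper's numbers and returns every intermediate value."""
    Gpub, t = keygen()
    m, e = [1, 0, 1, 1], [0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0]
    c = encrypt(m, Gpub, e)
    z = matmul([c], transpose(P))[0]
    return {"Gpub": Gpub, "mGpub": matmul([m], Gpub)[0], "c": c, "cPinv": z,
            "m_prime": decode_bruteforce(z, t), "m": decrypt(c), "d": min_distance()}
```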

A. Attacks

In a recent work [8], there is a proposal to adopt a particular family of QC-LDPC codes in the McEliece cryptosystem to reduce the key size and increase the transmission rate. Very recently, however, Otmani, Tillich and Dallot developed a new attack that, exploiting a flaw in the transformation from the private key to the public key, is able to recover the secret key with very high probability [14]. They presented three attack strategies, denoted OTD1, OTD2 and OTD3 in the following. Let's describe the three OTD attacks, and analyze the flaw in the private-public key map that originates them.

The fundamental issue that validates the three so-called OTD attack strategies described in [9] relies on the fact that both $S$ and $Q$ are sparse and that the matrix $Q$ has block-diagonal form. However, the three OTD attacks can be countered by adopting dense $S$ matrices, without altering the remaining system parameters, and $Q$ matrices with special characteristics. Next we will see a first variant of the cryptosystem that is able to counter such attacks by adopting a different form for its constituent matrices, without altering other parameters, and a second variant of the cryptosystem that provides overall increased security.

B. First Variant

In this first variant, $S$ could have row/column weight approximately equal to $k_0 p / 2$, with odd weight blocks along the main diagonal, and even weight blocks elsewhere, in order to assure the non-singularity of $S$, so that no further check is needed.

This modification has no effect on the number of errors to be corrected by the secret code, since the error spreading is only due to the matrix $Q$, which is kept sparse (with row/column weight $m$). On the other hand, the choice of a dense $S$ influences the complexity of the decoding stage, which, however, can be reduced by resorting to efficient computation algorithms for circulant matrices. As concerns the matrix $Q$, the choice of the block-diagonal form is weak from the security viewpoint, so in [10] it is avoided, as we can see in the next subsection. For example, an alternative choice would consist in obtaining $Q$ from a matrix of $n_0 \times n_0 = 4 \times 4$ circulant blocks with weight 2, except those along the main diagonal, which have weight 1, and by randomly permuting its block rows and columns. In this case, the inclusion of very low weight blocks in the matrix $Q$ could seem a flaw. However, the absence of the block-diagonal structure prevents attacking each single block, and attacking a whole row or column would be too involved (it would require $p \binom{p}{2}^3 \approx 2^{81}$ attempts).

C. Second Variant

In the second variant, the following set of parameters is considered: $n_0 = 3$, $d_v = 13$ and $p = 8192$. Both the private and the public code, in this system, have dimension $k_0 p = 16384$ bits and length $n_0 p = 24576$. Through numerical simulations, the authors of [9] have verified that these QC-LDPC codes are capable of correcting more than 470 errors per frame. The matrix $Q$ is formed by $n_0 \times n_0 = 3 \times 3$ circulant blocks of size $p$, and has a row/column weight equal to $m = 11$. In this case, one possible choice is to obtain $Q$ from a matrix of $n_0 \times n_0$ circulant blocks of weight 4, except those on the main diagonal, which have weight 3, and randomly permuting its block rows and columns. In this case, attacking an entire row or column of $Q$ would require $\binom{p}{4}^2 \binom{p}{3} \approx 2^{131}$ attempts. The matrix $S$, on the other hand, is formed by $k_0 \times k_0 = 2 \times 2$ circulant blocks of size $p$ and is dense, with row/column weight approximately equal to $k_0 p / 2$. All of its blocks have even row/column weight, except those along the main diagonal, which have odd weight, to allow for non-singularity of the matrix.

D. Modification

As we have seen with these two variants, it has been shown that by replacing the permutation matrix used to obtain the public key with a more general transformation matrix, code sparseness can be hidden and the dual code attack avoided. Unfortunately, the proposal of these variants still uses only sparse transforms, exposing it to a full break attack [14]. We have seen a simple modification that allows this failure to be avoided, thus obtaining a cryptosystem based on QC-LDPC codes that is immune to any known attack [9]. This version of the cryptosystem is able to reduce the key size compared to the original version. Also, the size of the public keys increases linearly with the size of the code; therefore, it scales favorably when larger keys are needed to cope with increasing computing power.

According to [10], the introduction of the matrix $Q$ causes an error propagation effect within each received frame. This is compensated by the high error correction capability of the QC-LDPC code, which must be able to correct up to $t$ errors. However, we must also note that, contrary to the McEliece cryptosystem based on Goppa codes, which corrects all errors of a certain weight, the decoding radius of LDPC codes is usually unknown. So, there is a small probability that Bob fails to recover the secret message. To prevent this, Bob can make a selection of the private code, rather than just picking the first code randomly generated. Moreover, when the cryptosystem is used for data transmissions, an automatic repeat request protocol can allow Alice to know whether Bob is able to correct all the errors she has randomly introduced or not. Indeed, Bob is able to detect uncorrected frames through the parity check performed by the LDPC decoder, and, consequently, he can request retransmission. In this case, a new random vector is generated by Alice, and the procedure is repeated until a correctable error pattern is obtained.

V. COMPLEXITY

In this section, the encryption and decryption complexities of the proposed cryptosystem are discussed. Encryption complexity is due to the multiplication of the cleartext by the code generator matrix and to the addition of intentional errors. It can be expressed as shown in Eq. (6):

TABLE I
COMPARISON

Cryptosystem    Key Size (bytes)    Enc Ops per bit    Dec Ops per bit    Security level (bit)
O. McEliece     57581               817                2472               80
Niederreiter    57581               48                 7890               80
RSA             1024                2402               4738112            128
QC-LDPC         2304                1206               1790               ≈ 80

$$C_{enc} = C_{mul}(u \cdot G') + n \quad (6)$$

Here $C_{mul}(u \cdot G')$ (where $u$ is one of the blocks obtained by dividing the message to be sent into $k$-bit blocks) represents the number of operations needed for calculating the product $u \cdot G'$, and $n$ binary operations are considered for the addition of the vector $e$.

The decryption complexity, instead, can be divided into three parts, as shown in Eq. (7):

$$C_{dec} = C_{mul}(x \cdot Q) + C_{SPA} + C_{mul}(u' \cdot S) \quad (7)$$

Here $C_{mul}(x \cdot Q)$ and $C_{mul}(u' \cdot S)$ represent the number of operations needed for computing $x \cdot Q$ (where $x$ is the encrypted message) and $u' \cdot S$, respectively, while $C_{SPA}$ is the number of operations required for LDPC decoding through the sum-product algorithm. As concerns the public key length, the proposed cryptosystem uses, as the public key, a generator matrix $G'$ formed by $k_0 \times n_0$ circulant blocks with size $p$. Therefore, it can be completely described by $k_0 \cdot n_0 \cdot p$ bits.

Table 1 shows some characteristics of the McEliece cryptosystem based on QC-LDPC codes, and of the Original McEliece (O. McEliece), Niederreiter, and RSA cryptosystems. We consider the Goppa code parameters $n = 1632$, $k = 1269$ and $t = 33$ to achieve 80 bit security. Under a proper secure CCA2 conversion, they give a key size of 57581 bytes for both the McEliece cryptosystem and the Niederreiter version. The encryption and decryption complexities result in approximately 817 and 2472 operations per bit, respectively, for the McEliece cryptosystem and 48 and 7890 operations per bit for the Niederreiter version. A similar level of security (≈ 80) can be achieved by the QC-LDPC code-based cryptosystem with $n_0 = 4$, $p = 6144$ and $d_v = 13$. In this case, the size of the public key is 2304 bytes, that is, 25 times smaller than in the McEliece and Niederreiter cryptosystems based on Goppa codes. The encryption and decryption complexities result in 1,206 and 1,790 operations per bit, respectively.

Therefore, we can conclude that, to achieve the same level of security, the QC-LDPC code-based cryptosystem can adopt smaller keys and transmission speeds comparable to or higher than the classical McEliece and Niederreiter Goppa code-based cryptosystems. Furthermore, this is not achieved at the expense of significantly increased complexity.

Table 1 shows an important advance in overcoming the main drawback of McEliece's original cryptosystem, as the new cryptosystems based on QC-LDPC codes have very small public keys and higher transmission rates. Note that the resulting complexity of $2^{80}$ to $2^{90}$ is still insufficient compared to the 128-bit security level offered by symmetric key based solutions such as RSA.

VI. CONCLUSIONS

In this work, two implementations of the McEliece cryptosystem based on QC-LDPC codes have been analyzed. As shown, these variants overcome the main drawbacks of the original version. As is typical in cryptography, this does not exclude that more attacks could be conceived in the future. With respect to RSA, the proposed cryptosystems have the advantage of much lower complexity, which is only slightly increased with respect to the original McEliece version (that, moreover, has a lower security level). Definitely, the main contribution of this paper is to show that these variants can be appropriately modified so that the main drawbacks related to the large size of public keys and low transmission rates can be overcome. Thus, the main effort in the ongoing work is focused on trying to obtain a code-based cryptosystem with a supporting security proof, similar to what has been done in the related area of lattice-based cryptography [15]. We will also analyze this same cryptosystem, the McEliece cryptosystem, but now based on the analysis of Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes from works such as [16].

ACKNOWLEDGMENT

This research has been supported by the Cybersecurity Chair of the University of La Laguna and the Eureka CELTIC-NEXT project C2020/2-2 IMMINENCE funded by the CDTI. Thanks are also due to the Ministry of Defense.

REFERENCES

[1] Bernstein, D. J., Chou, T., Lange, T., von Maurich, I., Misoczki, R., Niederhagen, R., Persichetti, E., Peters, C., Schwabe, P., Sendrier, N., Szefer, J., Wang, W., "Classic McEliece: conservative code-based cryptography", November 2017.
[2] McEliece, R. J., "A public-key cryptosystem based on algebraic coding theory", DSN Progress Report, 42(44):114–116, 1978.
[3] Berlekamp, E. R., "Goppa codes", IEEE Transactions on Information Theory, 19(5):590–592, 1973.
[4] Gallager, R. G., "Low-Density Parity-Check Codes", M.I.T. Press, 1963.
[5] Monico, C., Rosenthal, J., and Shokrollahi, A., "Using low density parity check codes in the McEliece cryptosystem", in IEEE International Symposium on Information Theory – ISIT'2000, page 215, Sorrento, Italy, 2000.
[6] Baldi, M., Chiaraluce, F., and Garello, R., "On the usage of quasi-cyclic low-density parity-check codes in the McEliece cryptosystem", in Proceedings of the First International Conference on Communication and Electronics (ICEE'06), pages 305–310, October 2006.
[7] Baldi, M., Chiaraluce, F., Garello, R., and Mininni, F., "Quasi-cyclic low-density parity-check codes in the McEliece cryptosystem", in Communications, 2007. ICC'07. IEEE International Conference on, pages 951–956, June 2007.
[8] Baldi, M. and Chiaraluce, F., "Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes", in Information Theory, 2007. ISIT 2007. IEEE International Symposium on, pages 2591–2595, June 2007.
[9] Baldi, M., Bodrato, M., and Chiaraluce, F., "A new analysis of the McEliece cryptosystem based on QC-LDPC codes", in Proceedings of the 6th International Conference on Security and Cryptography for Networks, SCN '08, pages 246–262, Berlin, Heidelberg, 2008. Springer-Verlag.

[10] Baldi, M., Bianchi, M. and Chiaraluce, F., "Security and complexity of the McEliece cryptosystem based on QC-LDPC codes", Università Politecnica delle Marche, 2013.
[11] Goppa, V. D., "A new class of linear correcting codes", Problemy Peredachi Informatsii, 6(3):24–30, 1970.
[12] Townsend, R., and Weldon, J., "Self-orthogonal quasi-cyclic codes", IEEE Trans. Inform. Theory, vol. 13, pages 183–195, Apr. 1967.
[13] Patterson, N., "The algebraic decoding of Goppa codes", IEEE Transactions on Information Theory, 21(2):203–207, Mar. 1975.
[14] Otmani, A., Tillich, J. P., and Dallot, L., "Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes", in Proc. First International Conference on Symbolic Computation and Cryptography (SCC 2008), Beijing, China, Apr. 2008.
[15] Micciancio, D., "Generalized compact knapsacks, cyclic lattices and efficient one-way functions", Computational Complexity (2007).
[16] Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P., "Performance bounds for QC-MDPC codes decoders", Code-Based Cryptography Workshop, pages 95–122, 2022. Springer.

