A Survey on Code-based Cryptography

Violetta Weger1 , Niklas Gassner2 , and Joachim Rosenthal2

1
Department of Electrical and Computer Engineering, Technical University of
Munich, Theresienstrasse 90, 80333 Munich, Germany, [Link]@[Link]
2
Institute of Mathematics, University of Zurich, Winterthurerstrasse 190, 8057 Zurich,
Switzerland, {[Link], rosenthal}@[Link]
arXiv:2201.07119v5 [[Link]] 17 Jul 2024

July 18, 2024

Abstract
The improvements on quantum technology are threatening our daily cybersecurity, as
a capable quantum computer can break all currently employed asymmetric cryptosystems.
In preparation for the quantum-era the National Institute of Standards and Technology
(NIST) has initiated in 2016 a standardization process for public-key encryption (PKE)
schemes, key-encapsulation mechanisms (KEM) and digital signature schemes. In 2023,
NIST made an additional call for post-quantum signatures. With this chapter we aim at
providing a survey on code-based cryptography, focusing on PKEs and signature schemes.
We cover the main frameworks introduced in code-based cryptography and analyze their
security assumptions. We provide the mathematical background in a lecture notes style,
with the intention of reaching a wider audience.

1
Contents
1 Introduction 4
1.1 Organization of the Chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Preliminaries 6
2.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Algebraic Coding Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.1 Basics on Hamming-Metric Codes . . . . . . . . . . . . . . . . . . . . 6
2.2.2 Matrix Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2.3 Generalized Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . 13
2.2.4 Goppa Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.5 Cyclic Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.6 LDPC Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.7 Reed-Muller Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.8 Concatenated Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.9 (U, U + V )-Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.10 Product Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.2.11 Rank-Metric Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2.12 Gabidulin Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.13 LRPC Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.14 Code Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.15 Lee Metric Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2.16 Restricted Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.3 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.3.1 Public-Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.3.2 Key-Encapsulation Mechanisms . . . . . . . . . . . . . . . . . . . . . . 33
2.3.3 Digital Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.3.4 Zero-Knowledge Protocols . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.3.5 Fiat-Shamir Transform . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.3.6 Multi-Party-Computations-in-the-Head . . . . . . . . . . . . . . . . . 40

3 Code-Based Public-Key Encryption Frameworks 42

3.1 McEliece Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2 Niederreiter Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.3 Alekhnovich’s Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.1 The First Variant . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.2 The Second Variant . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.4 Quasi-Cyclic Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5 Augot-Finiasz Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.6 GPT Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

4 Code-based Signature Schemes 63

4.1 Hash-and-Sign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.1.1 CFS Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4.1.2 RankSign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.2 Code-Based ZK Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

5 Security Analysis 74

2
 5.1 Problems from Coding Theory . . . . . . . . . . . . . . . . . . . . . . . . . . 74
5.2 NP-completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
5.2.1 Decoding Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.2.2 Code Equivalence Problems . . . . . . . . . . . . . . . . . . . . . . . . 83
5.2.3 Rank SDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
5.2.4 Lee SDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.2.5 Restricted SDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.3 Information Set Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.3.1 General Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.3.2 Overview Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.3.3 Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.3.4 Prange’s Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.3.5 Stern’s Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.3.6 BJMM Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3.7 Generalized Birthday Decoding Algorithms . . . . . . . . . . . . . . . 113
5.3.8 Asymptotic Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
5.3.9 Rank-metric ISD Algorithms . . . . . . . . . . . . . . . . . . . . . . . 116
5.3.10 Attacks on other Code-Based Problems . . . . . . . . . . . . . . . . . 121
5.4 Algebraic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
5.5 Other Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

6 Historical Overview 128

7 Submissions to NIST 131

7.1 Round 4 Candidates: Classic McEliece, BIKE and HQC . . . . . . . . . . . . 134
7.1.1 Classic McEliece . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
7.1.2 Proposed Parameters for Classic McEliece . . . . . . . . . . . . . . . . 135
7.1.3 BIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.1.4 Proposed Parameters for BIKE . . . . . . . . . . . . . . . . . . . . . . 137
7.1.5 HQC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
7.1.6 Proposed Parameters for HQC . . . . . . . . . . . . . . . . . . . . . . 138
7.2 Code-Based Signature Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . 139
7.2.1 Hash-and-sign schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7.2.2 ZK Protocols and Fiat-Shamir Transform . . . . . . . . . . . . . . . . 143
7.2.3 ZK Protocols and MPCitH . . . . . . . . . . . . . . . . . . . . . . . . 147

8 Conclusion 155

3
1 Introduction
Current public-key cryptosystems are based on integer factorization or the discrete logarithm
problem over an elliptic curve or over a finite field. While there are no algorithms known
for classical computers to solve these problems efficiently, Shor’s algorithm allows a quantum
computer to solve these problems in polynomial time [244]. As research on quantum comput-
ers advances, the cryptographic community is searching for cryptosystems that will survive
attacks on quantum computers. This area of research is called post-quantum cryptography.
In 2016, the National Institute of Standards and Technology (NIST) has initiated a stan-
dardization process for post-quantum cryptosystems. Such cryptosystems can be based on any
hard problem, which cannot be solved by a capable quantum computer in polynomial time.
Preferably, these are NP-complete problems, i.e., at least as hard as the hardest problems in
NP.
The main candidates for post-quantum cryptography are:

• Code-based cryptography (CBC): CBC is using hard problems from algebraic coding
theory. Usually, this is the NP-complete problem of decoding a random linear code.

• Lattice-based cryptography: Lattice-based cryptography is based on hard prob-

lems over lattices, such as the NP-complete problems of finding the shortest vector,
respectively the closest vector to a given vector in a lattice. For an overview see [212].

• Multivariate cryptography: Multivariate cryptography is based on the NP-complete

problem of solving multivariate (quadratic) equations defined over some finite field. For
an overview see [114].

• Isogeny-based cryptography: Isogeny-based cryptography is based on finding the

isogeny map between two supersingular elliptic curves [162].

• Hash-based cryptography: These cryptosystems base their security on the security

of hash functions.

This survey only covers code-based cryptography, thus, we refer an interested reader to [70],
for an overview on post-quantum cryptography in general.
Code-based cryptography denotes any cryptographic system, which bases its security on
hard problems from algebraic coding theory. Classically, this problem is the decoding of a
random linear code. This problem was shown to be NP-complete in 1978, by Berlekamp,
McEliece and Van Tilborg in [68]. In the same year, McEliece proposed the first code-based
cryptosystem [195], in which one picks a code with underlying algebraic structure that allows
efficient decoding and then disguises this code as a seemingly random linear code. A message
gets encrypted as corrupted codeword. With the knowledge of the secret code, one can recover
the initial message, but an adversary faces the challenge of decoding a random linear code.
In 2022, NIST selected 4 cryptographic systems to get standardized, namely the lattice-
based encryption scheme KYBER [237], the lattice-based signature schemes DILITHIUM
[116] and FALCON [125] and the hash-based signature scheme SPHINCS+ [34]. However,
the standardization process of 2016 is not over yet, as three code-based schemes have moved
to the fourth and final round, namely Classical McEliece [14], HQC [5] and BIKE [20].

4
 The research in this area is, however, far from complete. In fact, in 2023, NIST has
reopened the standardization call for signature schemes. Within this new call, we can find
many code-based schemes and many new and interesting problems.
In this chapter we give an extensive survey on code-based cryptography, explaining the
mathematical background of such systems and the difficulties of proposing secure and at
the same time practical schemes. We cover the main proposals in the standardization call
and the approaches to break such systems. With the reopened standardization process for
digital signature schemes, we hope to reach different research communities to tackle this new
challenge together.

1.1 Organization of the Chapter

This chapter is organized as follows. In Section 2, we introduce some basics of algebraic
coding theory as well as the basics of asymmetric cryptography, such as public-key encryption
schemes and signature schemes. In particular, we aim at introducing all used coding-theoretic
objects in Section 2.2 and to describe on a high-level the considered cryptographic schemes in
2.3. This includes public-key encryption (PKE), key-encapsulation mechanism (KEM) and
signature schemes. In particular, we show how to construct a signature scheme via the Fiat-
Shamir transform on a Zero-Knowledge (ZK) protocol. We also cover the new methods, such
as protocols with helpers and Multi-Party Computations (MPC).
The main focus of this chapter will lay on Section 3 where we introduce the public-key
encryption frameworks by McEliece, Niederreiter, Alekhnovich as well as the quasi-cyclic
scheme, the GPT cryptosystem and the Faure-Loidreau cryptosystem.
In Section 4, we discuss some code-based signatures, starting with the first construction
method, namely hash-and-sign in Section 4.1, then moving to some classic code-based ZK
protocols in Section 4.2 and describe some new techniques, such as MPC-in-the-head.
In Section 5, we analyze the security of these systems, where we first focus on the decoding
problem of a random linear code: we present the proofs of NP-completeness in Section 5.2
and the best-known solvers for the underlying problems in Section 5.3. In the second part
of the security analysis, namely Section 5.4 we also present some algebraic attacks, which
clearly depend on the chosen secret code. For this section, we focus on two of the most
preferred codes, one being Reed-Solomon codes and the other being their rank metric analog,
Gabidulin codes. Finally, we end the security analysis by shortly reporting on some other
ways of attacking code-based systems, such as side-channel attacks, in Section 5.5.
In Section 6, we provide a historical overview on the main code-based PKE and signature
scheme proposals, stating their differences, in the notion of the given frameworks, and whether
they are broken.
In Section 7, we shortly cover the submissions to the NIST standardization process with
a focus on the finalists in Section 7.1: Classic McEliece, BIKE and HQC.
In Section 7.2, we present the 11 code-based signature schemes submitted to the reopened
standardization call and compare their performance in terms of signature and public key size
and their running times.

5
2 Preliminaries
In order to make this chapter as self-contained as possible, we present here a rather long
preliminary section, which hopefully makes this survey also accessible to non-experts. We
start with the notation used throughout this chapter, followed by the basics of algebraic
coding theory and defining all concepts and codes that will be used or mentioned and finally
presenting the basics of the considered schemes on a very high-level and with specific examples.

2.1 Notation
We denote by Fq the finite field with q elements, where q is a prime power and denote by F⋆q
its multiplicative group, i.e., Fq \ {0}. Throughout this chapter, we denote by bold upper case
or lower case letters matrices, respectively vectors, e.g. x ∈ Fnq and A ∈ Fk×n
q . The identity
matrix of size k is denoted by Idk . Sets are denoted by upper case letters and for a set S, we
denote by | S | its cardinality. By GLn (q) we denote the n × n invertible matrices over Fq .
Notation specific to only one part of this chapter will be defined right before they are used.

2.2 Algebraic Coding Theory

This section is designed to recall and/or introduce all definitions and coding theoretic objects
required in this chapter. Most proofs will be omitted or left as an exercise. For interested
readers that are completely new to algebraic coding theory we recommend the following books
[231, 67, 257, 190]. We also leave away the references to standard definitions and results, which
can be found in any book on coding theory. For more specific results, we will give a proper
reference.

2.2.1 Basics on Hamming-Metric Codes

In classical coding theory one considers the finite field Fq of q elements, where q is a prime
power.
Definition 1 (Linear Code). Let 1 ≤ k ≤ n be integers. Then, an [n, k] linear code C over
Fq is a k-dimensional linear subspace of Fnq .
Note that we emphasize the linearity, as a code is simply any subset C ⊆ Fnq .
The parameter n is called the length of the code, the elements in the code are called
codewords and R = k/n is called the rate of the code. In order to measure how far apart two
vectors are, we endow Fq with a metric. Usually, this is the Hamming metric.
Definition 2 (Hamming Metric). Let n be a positive integer. For x ∈ Fnq , the Hamming
weight of x is given by the size of its support, i.e.,

wtH (x) =| {i ∈ {1, . . . , n} | xi ̸= 0} | .

For x, y ∈ Fnq , the Hamming distance between x and y is given by the number of positions
in which they differ, i.e.,

dH (x, y) =| {i ∈ {1, . . . , n} | xi ̸= yi } | .

Note that the Hamming distance is induced from the Hamming weight, that is dH (x, y) =
wtH (x − y). Having defined a metric, one can also consider the minimum distance of a code,
i.e., the smallest distance achieved by its distinct codewords.

6
Definition 3 (Minimum Distance). Let C be a code over Fq . The minimum Hamming
distance of C is denoted by dH (C) and given by
dH (C) = min{dH (x, y) | x, y ∈ C, x ̸= y}.
Exercise 4. Show that for a linear code C, we have
dH (C) = min{wtH (x) | x ∈ C, x ̸= 0}.
Exercise 5. Give an example, where
dH (C) ̸= min{wtH (x) | x ∈ C, x ̸= 0}.
We denote by dH (x, C) the minimal distance between x ∈ Fnq and a codeword in C.
Let r be a positive integer. We define the Hamming ball as all the vectors which have at
most Hamming weight r, i.e.,
BH (r, n, q) = {x ∈ Fnq | wtH (x) ≤ r}.
Exercise 6. Show that
r  
X n
| BH (r, n, q) |= (q − 1)i .
i
i=0
The minimum distance of a code is an important parameter, since it is connected to the
error correction capability of the code.
We say that a code can correct up to t errors, if for all x ∈ Fnq with dH (x, C) ≤ t, there exists
exactly one y ∈ C, such that dH (x, y) ≤ t. A decoding algorithm D is an algorithm that is
given such a word x ∈ Fnq and returns the closest codeword, y ∈ C, such that dH (x, y) ≤ t.
The most interesting codes for applications are codes with an efficient decoding algorithm,
which clearly not every code possesses.
Exercise 7. Let C be a linear code over
j Fq kof length n and of minimum distance dH . Show
dH −1
that the code can correct up to t := 2 errors.
One of the most important bounds in coding theory is the Singleton bound, which provides
an upper bound on the minimum distance of a code.
Theorem 8 (Singleton Bound [249]). Let k ≤ n be positive integers and let C be an [n, k]
linear code over Fq . Then,
dH ≤ n − k + 1.
Exercise 9. Prove the Singleton Bound by showing that deleting dH − 1 of the positions is an
injective map.
A code that achieves the Singleton bound is called a maximum distance separable (MDS)
code. MDS codes are of immense interest, since they can correct the maximal amount of
errors for fixed code parameters.
Linear codes allow for an easy representation through their generator matrices, which have
the code as an image.
Definition 10 (Generator Matrix). Let k ≤ n be positive integers and let C be an [n, k]
linear code over Fq . Then, a matrix G ∈ Fk×n
q is called a generator matrix of C if
n o
C = xG | x ∈ Fkq ,

that is, the rows of G form a basis of C.

7
 We will often write ⟨G⟩ to denote the code generated by G.
One can also represent the code through a matrix H, which has the code as kernel.
Definition 11 (Parity-Check Matrix). Let k ≤ n be positive integers and let C be an [n, k]
(n−k)×n
linear code over Fq . Then, a matrix H ∈ Fq is called a parity-check matrix of C, if
n o
C = y ∈ Fnq | Hy⊤ = 0 .

For any x ∈ Fnq , we call xH⊤ a syndrome.

Exercise 12. Let k ≤ n be positive integers and let C be an [n, k] linear code over Fq . Let
H be a parity-check matrix of C. Show that C has minimum distance dH if and only if every
dH − 1 columns of H are linearly independent and there exist dH columns, which are linearly
dependent.
For x, y ∈ Fnq let us denote by ⟨x, y⟩ the standard inner product, i.e.,
n
X
⟨x, y⟩ = xi yi .
i=1

Then, we can define the dual of an [n, k] linear code C over Fq as the orthogonal space of C.
Definition 13 (Dual Code). Let k ≤ n be positive integers and let C be an [n, k] linear code
over Fq . The dual code C ⊥ is an [n, n − k] linear code over Fq , defined as

C ⊥ = {x ∈ Fnq | ⟨x, y⟩ = 0 ∀ y ∈ C}.

Exercise 14. Show that a parity-check matrix of C is in fact a generator matrix of C ⊥ .

Exercise 15. Show that the dual of an MDS code is an MDS code.
For x ∈ Fnq and S ⊆ {1, . . . , n} we denote by xS the vector consisting of the entries of x
indexed by S. While for A ∈ Fk×n q , we denote by AS the matrix consisting of the columns of
A indexed by S. Similarly, we denote by CS the code consisting of the codewords cS .
Observe that an [n, k] linear code can be completely defined by certain sets of k positions.
The following concept characterizes such defining sets.
Definition 16 (Information Set). Let k ≤ n be positive integers and let C be an [n, k] linear
code over Fq . Then, a set I ⊂ {1, . . . , n} of size k is called an information set of C if

| C |=| CI | .

Exercise 17. How many information sets can an [n, k] linear code have at most?
Exercise 18. Let C be an [n, k] linear code, I an information set and let G be a generator
matrix and H a parity-check matrix. Show that GI is an invertible matrix of size k. If
I C := {1, . . . , n} \ I is the complement set of I, then, HI C is an invertible matrix of size n − k.
Exercise 19. Let C be the code generated by G ∈ F2×4
5 , given as
 
1 3 2 3
G= .
0 4 4 3

Determine all information sets of this code.

8
Definition 20 (Systematic Form). Let k ≤ n be positive integers and C be an [n, k] linear
code over Fq . Then, there exist some permutation matrix P and some invertible matrix U
that bring G in systematic form, i.e.,


UGP = Idk A ,
k×(n−k)
where A ∈ Fq . Similarly, there exist some permutation matrix P′ and some invertible
′
matrix U , that bring H into systematic form as

U′ HP′ = B Idn−k ,

(n−k)×k
where B ∈ Fq .
Let us denote by VH (r, n, q) the volume of a ball in the Hamming metric, i.e.,

VH (r, n, q) =| BH (r, n, q) | .

The Gilbert-Varshamov bound [140, 260, 233] is one of the most prominent bounds in coding
theory and widely used in code-based cryptography since it provides a sufficient condition for
the existence of linear codes.
Theorem 21 (Gilbert-Varshamov bound). Let q be a prime power and let k ≤ n and dH be
positive integers, such that
VH (dH − 2, n − 1, q) < q n−k .
Then, there exists a [n, k] linear code over Fq with minimum Hamming distance at least dH .
The better known Gilbert-Varshamov bound is a statement on the maximal size of a
code, that is: let us denote by AH (n, d, q) the maximal size of a code in Fnq having minimum
Hamming distance d.
Theorem 22 (Gilbert-Varshamov Bound). Let q be a prime power and n, d be positive inte-
gers. Then,
qn
AH (n, d, q) ≥ .
VH (d − 1, n, q)
It turns out that random codes attain the asymptotic Gilbert-Varshamov bound with high
probability. This will be an important result for the asymptotic analysis of some algorithms.
Let us first give some notation: let 0 ≤ δ ≤ 1 denote the relative minimum distance, i.e.,
δ = d/n and let us denote by
1
R(δ) = lim sup logq AH (n, δn, q)
n→∞ n
the asymptotic information rate.
Definition 23 (Entropy Function). For a positive integer q ≥ 2 the q-ary entropy function
is defined as follows:

hq : [0, 1] → R,
x → x logq (q − 1) − x logq (x) − (1 − x) logq (1 − x).

9
Exercise 24. Show that for s ∈ [0, 1 − 1/q] we have that
1. VH (sn, n, q) ≤ q hq (s)n ,
2. VH (sn, n, q) ≥ q hq (s)n−o(n) ,
using Stirling’s formula.
Theorem 25 (The Asymptotic Gilbert-Varshamov Bound). For every prime power q and
δ ∈ [0, 1 − 1/q] there exists an infinite family C of codes with rate
R(δ) ≥ 1 − hq (δ).
Recall that in complexity theory we write f (n) = Ω(g(n)), if
f (n)
lim sup > 0.
n→∞ g(n)
For example, f (n) = Ω(n) means that f (n) grows at least polynomially in n.
Theorem 26. For every prime power q, δ ∈ [0, 1 − 1/q) and 0 < ε < 1 − hq (s) and sufficiently
large positive integer n. The following holds for
k = ⌈(1 − hq (δ) − ε)n⌉ .
If G ∈ Fk×n
q is chosen uniformly at random, the linear code C generated by G has rate at least
1 − hq (δ) − ε and relative minimum distance at least δ with probability at least 1 − e−Ω(n) .
Exercise 27. Prove Theorem 26 following these steps:
1. What is the probability for G to have full rank?
2. For each non-zero x ∈ Fkq show that xG is a uniformly random element.

3. Show that the probability that wtH (xG) ≤ δn is at most q (hq (δ)−1)n .
4. Use the union bound over all non-zero x and the choice of k to get the claim.
This was first proven in [56, 217] and shows that for a random code with large length, we
know what minimum Hamming distance to expect.
These results hold also more generally over any finite chain ring and for any additive
weight, see [81].
We also want to introduce the following two methods to get a new code from an old code:
puncturing and shortening. When we puncture a code we essentially delete all coordinates
indexed by a certain set in all codewords, while shortening can be regarded as the puncturing
of a special subcode.
Definition 28. Let C be an [n, k] linear code over Fq and let S ⊆ {1, . . . , n} be a set of size
s. Then, we define the punctured code C S in S as follows
C S = {(ci )i̸∈S | c ∈ C}.
Let us define C(S) to be the subcode containing all codewords which are 0 in S, that is
C(S) = {c ∈ C | ci = 0 ∀i ∈ S}.
Then, we define the shortened code CS in S to be
CS = C(S)S .

10
 Clearly, the punctured code C S has now length n − s. What happens to its dimension?
Exercise 29. Show that if s < d, the minimum distance of C, then C S has dimension k.
Shortening and puncturing of a code are heavily connected through the dual code:
Theorem 30. Let C be a linear [n, k] code over Fq with dual code C ⊥ . Let S ⊆ {1, . . . , n} be
a set of size s. Then
1. (C ⊥ )S = (C S )⊥ ,
2. (C ⊥ )S = (CS )⊥ .
Example 31. Let us consider the binary code generated by
 
1 0 0 1 1 0
G = 0 1 0 0 1 1 ,
0 0 1 1 1 1

and S = {4, 5}. Then, the punctured code C S has generator matrix
 
1 0 0 0
S
G = 0 1 0 1 .
0 0 1 1
Note that C(S) = {(1, 0, 1, 0, 0, 1), (0, 0, 0, 0, 0, 0)}, thus the generator matrix of CS is given by


GS = 1 0 1 1 .
Exercise 32. Show that Theorem 30 holds for this example.

2.2.2 Matrix Codes

Let us denote by Fn×m
q the n × m matrices over Fq .
Instead of considering subspaces in Fnq , we can also consider subspaces in Fm×n
q , referred
to as matrix codes.
Definition 33 (Matrix Codes). An Fq -linear subspace of Fn×m
q is called a matrix code.
Thus, instead of a k×n generator matrix G ∈ Fk×n q , we generate the code with k generating
matrices G1 , . . . , Gk ∈ Fm×n
q , then every codeword is of the form
C = λ1 G1 + · · · + λk Gk ,
for some λi ∈ Fq . Since these codes are only linear over Fq , they are also called Fq -linear
codes.
One can define the Hamming metric on such matrices, by either considering the number
of non-zero columns or the number of non-zero entries.
For a matrix A ∈ Fm×n q let us denote by ci ∈ Fmq its columns for i ∈ {1, . . . , n}, by rj ∈ Fq
n

its rows for j ∈ {1, . . . , m} and finally by ai,j its entries for (i, j) ∈ {1, . . . , n} × {1, . . . , m}.
Given A ∈ Fm×nq we define

wtH,c (A) = |{i ∈ {1, . . . , n} | ci ̸= 0}|,

wtH,v (A) = |{(i, j) ∈ {1, . . . , n} × {1, . . . , m} | ai,j ̸= 0}|.
We will specify which notion of Hamming metric we are using, whenever we use matrix codes.

11
Definition 34. Given a matrix A ∈ Fm×n q with rows a1 , . . . , am ∈ Fnq we define the vector-
ization of A to be vec(A) = (a1 , . . . , am ) ∈ Fmn
q .

The Hamming weight of vec(A) coincides with the second notion of Hamming metric of
matrices, i.e.,
wtH (vec(A)) = wtH,v (A).
Let Γ = {γ1 , . . . , γm } be a basis of Fqm over Fq . That is, we can write every element
a ∈ Fqm as
m
X
a= ai γi ,
i=1

with ai ∈ Fq .

Definition 35. Let Γ = {γ1 , . . . , γm } be a basis of Fqm over Fq . Then, we can define the
extension map

Γ : Fq m → Fm q
m
X
a= ai γi 7→ (a1 , . . . , am ).
i=1

By abuse of notation we will also use Γ to denote the extension map Γ : Fnqm → Fm×n
q , where
each entry is extended to a column.

The Hamming weight of the vector Γ−1 (A) = a ∈ Fnqm coincides with the first notion of
Hamming weight for matrices, i.e.,

wtH (Γ−1 (A)) = wtH,c (A). (2.1)

Exercise 36. Show that Equation (2.1) is independent of the choice of basis Γ.
The extension map can also be applied to a code itself, that is:

Definition 37. Let C ⊆ Fnqm be a linear code and let Γ be a basis of Fqm over Fq . The code
associated with Γ is given by
Γ(C) = {Γ(c) | c ∈ C}.

Note that since C ⊆ Fnqm was Fqm -linear, we get that Γ(C) ⊆ Fm×n
q is Fq -linear.
The dual code of a matrix code, requires a new inner product, which extends the previous
standard inner product. For this, recall that the trace of a matrix is the sum of the entries
on its diagonal.

Definition 38. Let A, B ∈ Fm×n

q , then we define their trace product as

Tr(AB⊤ ).

Definition 39. Let C ⊆ Fm×n

q be a linear matrix code, then its dual code is given by

C ⊥ = {A ∈ Fm×n
q | Tr(AB⊤ ) = 0 for all B ∈ C}.

This product is compatible with the standard inner product on Fnqm . For this we need the
following definition.

12
Definition 40. Let Γ = {γ1 , . . . , γm }, Γ′ = {γ1′ , . . . , γm
′ } be bases of F m over F . We say
q q
that Γ and Γ′ are orthogonal if
TrFq (γi γj′ ) = δi,j ,
where δi,j denotes the Kronecker delta function, i.e., it outputs 0 if i ̸= j and 1 if i = j, and
TrFq denotes the field trace, i.e.,

Tr : Fqm → Fq
m−1
i
X
a 7→ aq .
i=0

Proposition 41. Let C ⊆ Fnqm be a linear code. Let Γ, Γ′ be orthogonal bases of Fqm over Fq ,
then
Γ(C)⊥ = Γ′ (C ⊥ ).
Exercise 42. Show that Proposition 41 holds for the example

C = ⟨1, α⟩ ⊆ F28 ,

where F8 = F2 [α] and α3 = α + 1, Γ = {1, α, α2 }, Γ′ = {1, α2 , α}.

The new inner product is in fact also compatible with the vectorization:
Proposition 43. Let A, B ∈ Fm×n
q , then

Tr(A⊤ B) = ⟨vec(A), vec(B)⟩.

2.2.3 Generalized Reed-Solomon Codes

In order to give a self-contained chapter, we also want to introduce some of the most prominent
codes that are used in code-based cryptography. For this we start with Generalized Reed-
Solomon codes (GRS), [223].
Definition 44 (Generalized Reed-Solomon Code). Let k ≤ n ≤ q be positive integers. Let
α ∈ Fnq be an n-tuple of distinct elements, i.e., α = (α1 , . . . , αn ) with αi ̸= αj , for all
i ̸= j ∈ {1, . . . , n}. Let β ∈ Fnq be an n-tuple of nonzero elements, i.e., β = (β1 , . . . , βn ), with
βi ̸= 0 for all i ∈ {1, . . . , n}. The Generalized Reed-Solomon code of length n and dimension
k, denoted by GRSn,k (α, β) is defined as

GRSn,k (α, β) = (β1 f (α1 ), . . . , βn f (αn )) f ∈ Fq [x], deg(f ) < k .

In the case where β = (1, . . . , 1), we call the code GRSn,k (α, β) a Reed-Solomon (RS) code
and denote it by RSn,k (α).
Exercise 45. Show that the Vandermonde matrix
 
1 ··· 1
 α1 · · · αn 
 .. .. 
 
 . . 
k−1 k−1
α1 · · · αn

is a generator matrix of a RS code. Similarly, build a generator matrix of the GRSn,k (α, β)
code.

13
Exercise 46. Show that GRS codes are MDS codes, i.e.,

dH (GRSn,k (α, β)) = n − k + 1.

Observe that the dual code of a GRS code is again a GRS code.

Proposition 47. Let k ≤ n ≤ q be positive integers. Then

GRSn,k (α, β)⊥ = GRSn,n−k (α, γ),

where
n
Y
γi = βi−1 (αi − αj )−1 .
j=1
j̸=i

2.2.4 Goppa Codes

Another important family of codes in code-based cryptography is the family of classical q-ary
Goppa codes [143, 144, 145].
Let m be a positive integer, n = q m and Fqm be a finite field. Let G ∈ Fqm [x]. Then
define the quotient ring .
Sm = Fqm [x] ⟨G⟩ .

Lemma 48. Let α ∈ Fq be such that G(α) ̸= 0. Then (x − α) is invertible in Sm and

1 G(x) − G(α)
(x − α)−1 = − .
G(α) x−α

Definition 49 (Classical Goppa Code). Let α = (α1 , . . . , αn ) ∈ Fnqm , be such that αi ̸= αj

for all i ̸= j ∈ {1, . . . , n}, and G(αi ) ̸= 0 for all i ∈ {1, . . . , n}. Then we can define the
classical q-ary Goppa code as
n
( )
X ci
Γ(α, G) = c ∈ Fnq = 0 in Sm .
x − αi
i=1

Proposition 50. The Goppa code Γ(α, G) has minimum Hamming distance dH (Γ(α, G)) ≥
deg(G) + 1 and dimension k ≥ n − m deg(G).

In order to construct a parity-check matrix of a classical Goppa code, let us define β =

(G(α1 )−1 , . . . , G(αn )−1 ). The parity-check matrix of Γ(α, G) is then given by the weighted
Vandermonde matrix  
β1 ··· βn
 β1 α1 · · · βn αn 
H =  .. ..  .
 
 . . 
β1 α1r−1 · · · βn αnr−1
(n−k)×n
Note that H ∈ Fqm , but the code Γ(α, G) is the Fq -kernel of H.
From this construction, we can already see that strong connection between classical Goppa
codes and GRS codes. For this we define subfield subcodes and alternant codes in the follow-
ing.

14
Definition 51 (Subfield Subcode). Let C be an [n, k] linear code over Fqm . The subfield
subcode of C over Fq is then defined as
CFq = C ∩ Fnq .
Proposition 52. Let C be an [n, k] linear code over Fqm with minimum distance d. Then CFq
has dimension ≥ n − m(n − k) and minimum distance ≥ d.
Exercise 53. Prove Proposition 52 using the map
ϕ : Fnqm → Fnqm ,
(x1 , . . . , xn ) 7→ (xq1 − x1 , . . . , xqn − xn ).
A special case of subfield subcodes are the alternant codes, where one takes subfield
subcodes of GRS codes.
Definition 54 (Alternant Code). Let α ∈ Fnqm be pairwise distinct and β ∈ (F⋆qm )n . Then
the alternant code Am,n,k (α, β) is defined as
Am,n,k (α, β) = GRSm,n,k (α, β) ∩ Fnq .
Proposition 55. The alternant code Am,n,k (α, β) has dimension ≥ n − m(n − k) and mini-
mum distance ≥ n − k + 1.
Exercise 56. Prove Proposition 55.
Thus, classical Goppa codes are alternant codes, i.e., subfield subcodes of particular GRS
codes, where the weights βi are the inverses of the evaluations g(αi ), for a polynomial g.

2.2.5 Cyclic Codes

Another important family of codes is that of cyclic codes. They can be represented through
only one vector. Let c = (c1 , . . . , cn ) ∈ Fnq , then we denote by σ(c) its cyclic shift, i.e.,
σ(c1 , . . . , cn ) = (cn , c1 , . . . , cn−1 ).
We call a code cyclic, if the cyclic shift of any codeword is also a codeword.
Definition 57 (Cyclic Code). Let C be an [n, k] linear code over Fq . We say that C is cyclic
if σ(C) = C.
Proposition 58. Let k ≤ n = q −1 be positive integers and let α ∈ Fnq be such that αi = γ i−1 ,
for i ∈ {1, . . . , n} and γ a primitive element in Fq . Then RSn,k (α) is a cyclic code.
Exercise 59. Prove Proposition 58.
Pn−1
Note that any polynomial c(x) = i=0 ci xi ∈ Fq [x] of degree (at most) n − 1 corresponds
n
naturally to a vector c = (c0 , . . . , cn−1 ) ∈ Fq .
Proposition 60. Cyclic codes over Fq of length n correspond to ideals of Fq [x]/(xn − 1).
Exercise 61. Prove Proposition 60 using the map
φ : Fq [x]/(xn − 1) → Fnq ,
c(x) 7→ (c0 , . . . , cn−1 ).
In particular, what is φ(x · c(x))?

15
 Since we can see cyclic codes as ideals in Fq [x]/(xn −1), we can also consider the generator
polynomial of a cyclic code.

Definition 62 (Generator Polynomial). The generator polynomial of a cyclic code C ⊂ Fnq is

the unique monic generator of minimal degree of the corresponding ideal in Fq [x]/(xn − 1).

Proposition 63. Let C be a cyclic code over Fq of length n with generator polynomial g(x) =
P r i
i=0 gi x , where r is the degree of g. Then

1. g(x) | xn − 1.

2. C has dimension n − r.
(n−r)×n
3. A generator matrix G ∈ Fq of C is given by
 
g0 · · · gr
G=
 .. .. .

. .
g0 · · · gr

4. Let h(x) be such that g(x)h(x) = xn − 1, then ⟨g(x)⟩⊥ = ⟨h(x)⟩.

Exercise 64. Prove Proposition 63.

Exercise 65. How many cyclic codes over F3 of length 4 exist?
Note that the generator matrix in Proposition 63 is in a special form, such a matrix is
called a circulant matrix.
Exercise 66. Give the generator polynomial of RSn,k (α).
Exercise 67. Let us consider the code C over F3 generated by
 
1 0 1 0
G= .
0 1 0 1

1. Show that C is cyclic.

2. Find the generator polynomial of C.

3. Find the generator polynomial of C ⊥ .

Finally, since we know how to compute the polynomial product u(x)·v(x) ∈ Fq [x]/(xn −1),
we can define a new vector multiplication in Fnq .

Definition 68 (Rotation Matrix). Let u, v ∈ Fnq and define the rotation matrix as
 
u
 σ(u) 
rot(u) =  .
 
..
 . 
σ n−1 (u)

Let us denote by uv = urot(v).

16
Exercise 69. 1. Show that φ(uv) = u(x)v(x).

2. Show that uv = vu.

Finally, we introduce quasi-cyclic codes. For x = (x1 , . . . , xn ) ∈ Fnq and some ℓ ∈
{1, . . . , n} we denote by σℓ (x) its ℓ-cyclic shift, i.e.,

σℓ (x) = (x1+ℓ , . . . , xn+ℓ ),

where the indices i + ℓ should be considered modulo n.

Definition 70. An [n, k] linear code C is a quasi-cyclic (QC) code, if there exists ℓ ∈ N, such
that σℓ (C) = C.

In addition, if n = ℓa, for some a ∈ N, then it is convenient to write the generator matrix
composed into a × a circulant matrices.

2.2.6 LDPC Codes

Another interesting family of codes for cryptography are the low-density parity-check (LDPC)
codes introduced by Gallager [135]. The idea of LDPC codes is to have a parity-check ma-
trix that is sparse. These codes are usually defined over the binary, although they can be
generalized to arbitrary finite fields [108], for the applications in cryptography the binary
LDPC codes suffice. In order to define LDPC codes we introduce the notation of row-weight,
respectively column-weight of a matrix, which refers to the Hamming weight of each row,
respectively of each column. Thus, a matrix having row-weight w, asks for each row to have
Hamming weight w. Classically LDPC codes are defined as follows.

Definition 71. Let λ, ρ ∈ N. An [n, k] linear code C over F2 is called a (λ, ρ)-regular LDPC
(n−k)×n
code, if there exists a parity-check matrix H ∈ F2 of C which has column-weight λ and
row-weight ρ.

A more common definition for cryptographic applications reads as follows.

Definition 72. Let w ∈ N be a constant. An [n, k] linear code C over F2 is called a w-

(n−k)×n
low-density parity-check code, if there exists a parity-check matrix H ∈ F2 of C having
row-weight w.

Exercise 73. Show that the rate of an (λ, ρ)-regular LDPC code is given by 1 − λ/ρ.
(n−k)×n
For a parity-check matrix H ∈ F2 and a received vector x ∈ Fn2 we call the (n − k)
equations derived from Hx⊤ parity-checks, i.e.,
n
X
hij xj
j=1

for all i ∈ {1, . . . , n − k}. We say that a parity-check is satisfied if

n
X
hij xj = 0,
j=1

and else call it unsatisfied.

17
 LDPC codes are interesting from a coding-theoretic point of view, as they (essentially)
achieve Shannon capacity in a practical way. From a cryptographic stand point, these codes
are interesting as they have no algebraic structure, which might be detected by an attacker,
but nevertheless have an efficient decoding algorithm.
One decoding algorithm dates back to Gallager [135] and is called Bit-Flipping algorithm.
There have been many improvements (e.g. [263, 166, 191])). The algorithm is iterative and
its error correction capability increases with the code length. The idea of the Bit-Flipping
algorithm is that at each iteration the number of unsatisfied parity-check equations associ-
ated to each bit of the received vector is computed. Each bit which has more than b ∈ N
(some threshold parameter) unsatisfied parity-check equations is flipped and the syndrome is
updated accordingly. This process is repeated until either the syndrome becomes 0, or until
a maximal number of iteration M ∈ N is reached. In the later case we have a decoding failure.
The complexity of this algorithm is thus given by O(nwN ), where w is the row-weight of the
parity-check matrix and N is the average number of iterations.
One can also relax the condition on the row-weight of LDPC codes, to get moderate-
density parity-check (MDPC) codes [210].

Definition 74. An [n, k] linear code C over F2 is called a moderate-density parity-check code,
(n−k)×n p
if there exists a parity-check matrix H ∈ F2 having row-weight O( n log(n)).

Thus, the only difference to LDPC codes is that we allow a larger row-weight in the
parity-check matrix (for LDPC codes w was chosen constant in n). This might however lead
to an increase of iterations within the Bit-Flipping algorithm and decoding failures become
increasingly likely.

2.2.7 Reed-Muller Codes

Next, we introduce a class of codes, the Reed-Muller codes, introduced in [203] in 1954.
They are, similarly to Reed-Solomon codes, constructed as the evaluation of polynomials.
While Reed-Solomon codes only consider polynomials in one variable, Reed-Muller codes use
multivariate polynomials. For this part we follow [151].
Let p be a prime, q = pn and m, r be positive integers. Denote with Fq [x1 , . . . , xm ]≤r
the Fq -vector space of polynomials in m variables of degree at most r and fix an order
{α1 , α2 , . . . , αqm } of Fm
q .

Definition 75. The Reed-Muller code RMq (m, r) over Fq is defined as the image of the
evaluation map
m
ev : Fq [x1 , . . . , xm ]≤r → Fqq ,
f 7→ (f (α1 ), f (α2 ), . . . , f (αqm )).

We will note that there exist efficient decoding algorithms for Reed-Muller codes, the first
efficient decoding algorithm was published in [222].
For the case q = 2, we can compute dimension and minimum distance of RMq (m, r).

Proposition 76. Let r ≤ m. Then dimF2 (RM2 (m, r)) = ri=0 mi .

P

Proposition 77. Let r ≤ m. The minimum distance of RM2 (m, r) is 2m−r .

18
2.2.8 Concatenated Codes
Concatenated codes were first introduced by Forney [124], and use the basic idea of a double
encoding process through two codes.
Definition 78. Let C1 be an [n1 , k1 ] linear code of minimum distance d1 over Fq , called inner
code and C2 be an [n2 , k2 ] linear code of minimum distance d2 over Fqk1 , called outer code.
Then, the concatenated code C = C2 ◦ C1 is an [n1 n2 , k1 k2 ] linear code over Fq of minimum
distance at least d1 d2 .
The codewords of C are built as follows: for any u ∈ Fkqk21 , encode u using a generator
matrix G2 of C2 , receiving the codeword ((uG2 )1 , . . . , (uG2 )n2 ). Let us denote for a ∈ Fqk1
by a the corresponding vector in Fkq 1 having fixed a basis. As a next step we represent the
entries of each codeword as a vector in Fkq 1 and encode them using a generator matrix G1 of
C1 . Then, the codewords of C are of the form

((uG2 )1 G1 , . . . , (uG2 )n2 G1 ).

2.2.9 (U, U + V )-Codes

Given two codes C1 and C2 ⊆ Fnq , we can also construct new codes, for example using the
(U, U + V )-construction.
Definition 79. Let C1 , C2 ⊆ Fnq with dimension k1 , respectively k2 . Then, the (U, U +V )-code
of C1 , C2 is given by
C = {(u, u + v) | u ∈ C1 , v ∈ C2 }.
Proposition 80. Let C1 , C2 ⊆ Fnq with dimension k1 , respectively k2 and minimum Hamming
distance d1 , respectively d2 . Then, the (U, U + V )-code C ⊆ F2n
q has dimension k = k1 + k2
and minimum Hamming distance d = min{2d1 , d2 }.
Exercise 81. Prove Proposition  80. Hint: Show first that if G1 , G2 are generator matrices of
G1 G1
C1 , respectively C2 , then G = is a generator matrix of C.
0 G2
The encoding of a message (m1 , m2 ) gives then the codeword (m1 G1 , m1 G1 +m2 G2 ) and
a received word can be assumed of the form (r1 , r2 ) = (m1 G1 + e1 , m1 G1 + m2 G2 + e2 ) for
some error vector (e1 , e2 ). Note that a decoder for C would first decode r1 using the decoder
of C1 to get m1 . One can then take m1 G1 away from r2 and then use the decoder of C2 , to
recover m2 .
Exercise 82. Show that the Reed-Muller code RM2 (m, r) is a (U, U + V )-code for the code
C1 being a RM2 (m − 1, r) and C2 a RM2 (m − 1, r − 1) code.

2.2.10 Product Codes

Similar to concatenation of codes and the (U, U + V )-construction, we can also build the
tensor product of two codes C1 , C2 . For a matrix C ∈ Fk×n q let us denote by ci ∈ Fkq for
i ∈ {1, . . . , n} the columns of C, and similarly by ri ∈ Fnq for i ∈ {1, . . . , k} the rows of C.
Definition 83. Let C1 ⊆ Fnq 1 and C2 ⊆ Fnq 2 . Then, the product code of C1 , C2 is defined as

C = C1 ⊗ C2 = {C ∈ Fnq 1 ×n2 | ci ∈ C1 , rj ∈ C2 , i ∈ {1, . . . , n2 }, j ∈ {1, . . . , n1 }}.

19
 Let us define the Hamming weight of a matrix A to be the number of non-zero entries in
A.
Proposition 84. Let C1 ⊆ Fnq 1 and C2 ⊆ Fnq 2 of dimension k1 , respectively k2 and minimum
Hamming distance d1 , respectively d2 . Then, the tensor product code C1 ⊗ C2 ⊆ Fnq 1 ×n2 has
dimension k1 k2 and minimum Hamming distance d1 d2 .
Exercise 85. Show that every codeword of C1 ⊗ C2 is given by

G⊤
1 AG2 ,

for G1 ∈ Fkq 1 ×n1 a generator matrix of C1 , G2 ∈ Fkq 2 ×n2 a generator matrix of C2 and a matrix
A ∈ Fkq 1 ×k2 .
Exercise 86. Prove Proposition 84.
Note that this is very similar to the definition of concatenated codes, where the resulting
code also had length n1 n2 and dimension k1 k2 . However, for concatenated codes we only
know that d ≥ d1 d2 , while for tensor product codes, we know that their minimum distance is
exactly d1 d2 .

2.2.11 Rank-Metric Codes

Until now, we have considered classical coding theory, where the finite field is endowed with
the Hamming metric. However, there exist many more metrics, for example the rank metric
(introduced in [112, 230, 126]). In the following we introduce rank-metric codes, for which we
follow the notation of [146].
Definition 87 (Rank Metric). Let x, y ∈ Fnqm . The rank weight of x is defined as the
dimension of the Fq -vector space generated by its entries, i.e.,


wtR (x) = dimFq ⟨x1 , . . . , xn ⟩Fq

and the rank distance between x and y is given by

dR (x, y) = wtR (x − y).

Let C ⊆ Fnqm be a linear code, then its minimum rank distance is given by

dR (C) = min{wtR (c) | c ̸= 0, c ∈ C}.

The rank support of a vector x ∈ Fnqm is often given by

supp(x) = ⟨x1 , . . . , xn ⟩Fq ⊂ Fqm .

We will later see also two different notions of rank support.

Let Γ = {γ1 , . . . , γm } be a basis of Fqm over Fq . Using the extension map, i.e.,

Γ : Fqm → Fm×n
q
a 7→ Γ(a),

we can see that

wtR (a) = rk(Γ(a)). (2.2)

20
Exercise 88. Show that Equation (2.2) is independent of the choice of basis Γ.
Thus, the extension map is a Fq -linear isometry.
In fact, we can also endow Fm×n
q with the rank metric.
Definition 89 (Rank Metric). Let A, B ∈ Fn×m
q . The rank weight of A is given by the rank
of A, denoted by rk(A) and the rank distance between A and B is given by

dR (A, B) = rk(A − B).

Let C ⊆ Fm×n
q be a linear matrix code, then its minimum rank distance is given by

dR (C) = min{rk(C) | C ̸= 0, C ∈ C}.

Recall, that for C ⊆ Fnqm we defined the matrix code associated to Γ as

Γ(C) = {Γ(c) | c ∈ C} ⊆ Fm×n

q .

Proposition 90. Let Γ be a basis of Fqm over Fq . Let C ⊆ Fnqm be a linear code of dimension
k and minimum rank distance dR , then the associated matrix code Γ(C) ⊆ Fm×n q is a matrix
code of dimension km and minimum rank distance dR .
Thus, using the extension map any Fqm -linear code can also be seen as Fq -linear code,
however, the opposite is not true.
Example 91. Let us consider F4 = F2 [α] and α2 = α + 1, and Γ = {1, α}. The code C =
⟨(1, α)⟩ ⊆ F24 has dimension 1 and minimum rank distance 2. Then

C = {(0, 0), (1, α), (α, α + 1)}

and        
0 0 1 0 0 1 1 1
Γ(C) = , , , .
0 0 0 1 1 1 1 0
2×2
The code  ⊆
 Γ(C)  F2 has dimension 2 and minimum rank distance 2. However, consider
1 0 0 1
C′ = , ⊆ F2×2
2 has dimension 2 and minimum rank distance 1. We have
1 1 1 1
       
′ 0 0 1 0 0 1 1 1
C = , , ,
0 0 1 1 1 1 0 0

and
Γ−1 (C ′ ) = {(0, 0), (1 + α, α), (α, α + 1), (1, 1)} ⊆ F24 .
This subset of vectors is not a F4 -linear code as for example α(1, 1) = (α, α) ̸∈ Γ−1 (C ′ ).
Definition 92. The rank-metric ball of radius r is defined as

BR (r, n, m, q) = {x ∈ Fnqm | wtR (x) ≤ r}.

Proposition 93. The size of the rank-metric ball is approximately

|BR (r, n, m, q)| ∼ q r(n+m−r+1) ,

for large n, m.

21
 Given a vector x ∈ Fnqm of rank weight t, we can split the vector into

x = cR,

for c ∈ Ftqm and the entries ci are Fq -linearly independent, and R ∈ Ft×n
q of rank t.
Definition 94. The column support of a vector x ∈ Fnqm of rank weight t, with splitting cR,
is given by
suppC (x) = ⟨Γ(c)⊤ ⟩ ⊆ Fmq

and has dimension t.

The row support of a vector x ∈ Fnqm of rank weight t and splitting cR is given by

suppR (x) = ⟨R⟩ ⊆ Fnq

and has dimension t.

Exercise 95. Show that the definition of row and column support are independent of the
choice of splitting.
Recall that in the Hamming metric the support of x ∈ Fnqm is defined as the indices of
non-zero entries of x, i.e.,

suppH (x) = {i ∈ {1, . . . , n} | xi ̸= 0},

and the Hamming weight coincides with its size, i.e.,

wtH (x) = |suppH (x)|.

For the rank metric, whether we choose the row or column support, the rank weight of x
coincides with the dimension of the support, i.e.,

wtR (x) = dim(suppR (x)) = dim(suppC (x)).

For a vector x ∈ Fnqm of Hamming weight t there are nt many possible Hamming supports

of x, whereas if the rank weight is t, there are t q , respectively mt q many possible row
n  

supports, respectively column supports.

With the minimum rank distance we can also state a Singleton bound [112]:
Theorem 96 (Fq -linear Rank-Metric Singleton Bound). Let C ⊂ Fqn×m be a matrix code of
dimension k with minimum rank distance dR (C). Then

k ≤ max{n, m}(min{n, m} − dR (C) + 1).

Theorem 97 (Fqm -linear Rank-Metric Singleton Bound). Let C ⊂ Fnqm be a linear code of
dimension k with minimum rank distance dR (C). Then

k ≤ n − dR (C) + 1.

Codes achieving these bounds are called Maximum Rank Distance (MRD) codes.
Note that MDS codes have density 1 for q going to infinity, and density 0 for n going to
infinity. Similar results hold also for the rank metric: Fqm -linear MRD codes are dense for
q going to infinity by [204] and since dR (C) is bounded by m, have density 0 for n going to

22
infinity. It was shown in [149] that Fq -linear MRD codes are sparse for all parameter sets as
the field grows, with only very few exceptions. Unlike in the Hamming metric, we know that
Fqm -linear MRD codes exist for any set of parameters (with n ≤ m), by the seminal work of
Delsarte [112] and Gabidulin [126].
We also have a rank-analogue of the Gilbert-Varshamov bound, [134]. Let us denote by
AR (n, d, m, q) the maximal size of a code in Fnqm having minimum rank distance d.

Theorem 98 (Gilbert-Varshamov Bound in the Rank Metric). Let q be a prime power and
m, n, d be positive integers. Then,
q mn
AR (n, d, m, q) ≥ .
|BR (d − 1, n, m, q)|

We can also give the asymptotic version of this bound, for which we first define the relative
minimum rank distance to be δ = dR (C)/n and when considering the extension degree m as
function in n, we can define M = limn→∞ m(n)/n. Then, the rank-metric Gilbert-Varshamov
bound states, that
1
R(δ) = lim sup logqm AR (n, δn, m, q) ≥ (1 − δ)(1 − M ).
n→∞ n

As in the Hamming metric, we know by [186] that random codes attain the Gilbert-Varshamov
bound with high probability.

Proposition 99. Let C ⊆ Fnqm be a random linear code of dimension k. For n large enough,
we have that C has the relative minimum distance
p
δ = dR /n = M/2 + 1/2 − RM + (M − 1)2 /4

with high probability.

Interestingly, this bound does not depend on the field size q, which is in contrast to
its Hamming-metric counterpart.
√ In particular, if M = 1, which will often be the case for
applications, we get δ = 1 − R.

2.2.12 Gabidulin Code

In order to introduce the classical Gabidulin codes let us first recall the basics of q-polynomials.
A q-polynomial or linearized polynomial f of q-degree d over Fqm is a polynomial of the
form
d
i
X
f (x) = fi xq .
i=0

Let us denote by Pℓ the q-polynomials of q-degree up to ℓ over Fqm .

The classical Gabidulin code can now be defined in a similar fashion as the Reed-Solomon
code, i.e., as evaluation code.

Definition 100 (Classical Gabidulin Code). Let g1 , . . . , gn ∈ Fqm be linearly independent

over Fq and let k ≤ n ≤ m. The classical Gabidulin code C ⊂ Fnqm of dimension k is defined
as
C = {(f (g1 ), . . . , f (gn )) | f ∈ Pk−1 }.

23
Exercise 101. Show that classical Gabidulin codes are Fqm -linear MRD codes, by taking a
non-zero codeword c = (f (g1 ), . . . , f (gn )) and considering the Fq -dimension of the kernel of
the q-polynomial f .
In order to introduce the generalized Gabidulin codes, we first have to define the rank
analog of the Vandermonde matrix, i.e., the Moore matrix [202].

Definition 102 (Moore Matrix). Let (v1 , . . . , vn ) ∈ Fnqm and vi are Fq -linearly independent.
We denote by
Ms,k (v1 , . . . , vn ) ∈ Fk×n
qm

the s-Moore matrix:

v1 ··· vn
 
[s] [s]
 v1 ··· vn 
Ms,k (v1 , . . . , vn ) =  ,
 
.. ..
 . . 
[s(k−1)] [s(k−1)]
v1 · · · vn

where [i] = q i .

The definition of Gabidulin codes can also be generalized, e.g. [172]:

Definition 103 (Generalized Gabidulin Code). Let g1 , . . . , gn ∈ Fqm be linearly independent

over Fq and let s be coprime to m. The generalized Gabidulin code C ⊂ Fnqm of dimension k
is defined as the rowspan of Ms,k (g1 , . . . , gs ).

For s = 1, we can see that this coincides with the classical Gabidulin codes, which have
the generator matrix
···
 
g1 gn
 g1q ··· gnq 
M1,k (g1 , . . . , gn ) =  .. .. .
 
 . . 
k−1 k−1
g1q · · · gnq
Since the Moore matrix can be seen as a rank analog of a Vandermonde matrix, a gener-
alized Gabidulin code can be seen as a rank analog of a generalized Reed-Solomon code.

Theorem 104. The generalized Gabidulin code C ⊂ Fnqm of dimension k is a Fqm -linear MRD
code.

In addition, as in the Hamming metric we have nice duality results.

Proposition 105. Let C ⊂ Fnqm be a k dimensional generalized Gabidulin code, then C ⊥ ⊂ Fnqm
is a n − k dimensional generalized Gabidulin code.

This duality result holds (as in the Hamming metric) also more in general; for all Fqm -
linear MRD codes.

Proposition 106. Let C ⊂ Fnqm be a k-dimensional Fqm -linear MRD code, then C ⊥ ⊂ Fnqm is
a (n − k)-dimensional Fqm -linear MRD code.

The classical Gabidulin code has been the first rank-metric code introduced into code-
based cryptography in [127], which is known as the GPT system.

24
2.2.13 LRPC Codes
Other classes of rank-metric codes that are used in code-based cryptography are the rank
analogues of LDPC and MDPC codes, first defined in [129]. Instead of asking for a low
(respectively moderate) number of non-zero entries within each row of the parity-check matrix,
one now has to consider the Fq -subspace generated by the coefficients of the parity-check
matrix.
(n−k)×n
Definition 107 (Low Rank Parity-Check Code (LRPC)). Let H ∈ Fqm be a full rank
matrix, such that its coefficients hi,j generate an Fq -subspace F of small dimension d,

F = ⟨(hi,j )i,j ⟩Fq .

The code C ⊂ Fnqm having parity-check matrix H is called a Low Rank Parity-Check (LRPC)
code of dual weight d and support F .

2.2.14 Code Equivalence

For the newer problems used in code-based cryptography, we will also need the notion of code
equivalence.

Definition 108 (Isometry). Let us consider the space V endowed with the distance d. A
linear map φ : V → V is called isometry if it keeps the distance invariant. That is, for all
x, y ∈ V we have d(x, y) = d(φ(x), φ(y)).

Let us denote the set of all isometries for a fixed distance d by Id .

Proposition 109. The linear isometries of the Hamming metric in V = Fnq consist of mono-
mial transformations and automorphisms on Fq .

For cryptography, we mainly focus on a subset of the Hamming-metric isometries, namely

the monomial transformations Mn,q = (F⋆q )n ⋊ Sn . Any map φ ∈ Mn,q can be seen as a matrix
M = PD, where P is a n×n permutation matrix and D = diag(v) for v ∈ (F⋆q )n is a diagonal
matrix.

Proposition 110. The linear isometries of the rank metric in V = Fm×n

q for m ≤ n, are
given by GLm (q) ⋊ GLn (q) and automorphisms of Fq .

For applications in cryptography, we again only focus on φ ∈ GLm (q) ⋊ GLn (q).

Definition 111 (Code Equivalence). Let us consider V endowed with the distance d. Let
C1 , C2 ⊆ V be linear codes. We say C1 is equivalent to C2 , if there exists φ ∈ Id such that
φ(C1 ) = φ(C2 ).

Since IH = (F⋆q )n ⋊ (Aut(Fq ) × Sn ), we get two subclasses of code equivalence in the

Hamming metric.
In the lightest version, we have the permutation equivalence.

Definition 112 (Permutation Equivalence). We say that two codes C1 , C2 ⊆ Fnq are permu-
tation equivalent, if there exists a permutation of indices, which transforms C1 into C2 , that
is there exists σ ∈ Sn , such that σ(C1 ) = C2 .

When considering any monomial transformation, we get the linear equivalence.

25
Definition 113 (Linear Equivalence). We say that two codes C1 , C2 ⊆ Fnq are linear equiva-
lent, if there exists a map φ ∈ (F⋆q )n ⋊ Sn , such that φ(C1 ) = C2 .
Clearly, permutation equivalent codes are also linear equivalent codes.
 
1 0 2
Exercise 114. Consider the code C1 ⊆ F33 generated by G1 = and the code C2 ⊆ F33
  0 1 1
1 0 1
generated by G2 = . Are the two codes linear equivalent, permutation equivalent
0 1 0
or not equivalent?
Proposition 115. If C1 , C2 ⊆ Fnq are permutation equivalent codes, then for any generator
matrix G1 of C1 and G2 of C2 , there exists a n × n permutation matrix P and a matrix
S ∈ GLk (q) such that
SG1 P = G2 .
If C1 , C2 are linear equivalent codes, then for any generator matrix G1 of C1 and G2 of C2 ,
there exists a n × n permutation matrix P, a diagonal matrix diag(v) for v ∈ (F⋆q )n and a
matrix S ∈ GLk (q) such that
SG1 Pdiag(v) = G2 .
Exercise 116. Let C1 , C2 be linear equivalent codes. Show that C1⊥ is linear equivalent to C2⊥ .
Hint: Use the fact that G1 H⊤ 1 = 0 and SG1 Pdiag(v) = G2 .
Note that linear equivalent codes have the same minimum distance. Even more is true.
Definition 117 (Weight Enumerator). Let C ⊆ Fnq be a linear code. For any w ∈ {1, . . . , n},
let us denote by Aw (C) = |{c ∈ C | wtH (c) = w}| the weight enumerator of C.
Proposition 118. Let C1 , C2 ⊆ Fnq be linear equivalent codes, then for all w ∈ {1, . . . , n} we
have that
Aw (C1 ) = Aw (C2 ).
Definition 119 (Hull). Let C ⊆ Fnq be a linear code. Then the (Euclidean) hull of C is given
by
H(C) = C ∩ C ⊥ .
In [123] it was shown, that the hull of a random code is with high probability trivial, i.e.,
C ∩ C ⊥ = {0}.
Proposition 120. Let C ⊆ Fnq be chosen uniform at random. Then, w.h.p. H(C) = {0}.
Proof. For any c ∈ H(C), we have that c ∈ C, thus there exists m ∈ Fkq such that mG = c.
We also have that c ∈ C ⊥ , hence cG⊤ = 0. Thus, m(GG⊤ ) = 0 and counting the number of
c ∈ H(C) is equivalent to counting m ∈ Fkq with m(GG⊤ ) = 0. Since G ∈ Fk×n
q is a random
⊤ k×k
matrix, also GG ∈ Fq is random and has with probability
k
Y
(1 − q −i )
i=1

full rank. Due to the rank nullity theorem, we have

dim(ker(GG⊤ )) = k − rk(GG⊤ ) = 0,

w.h.p.

26
 Another way to prove this, is to note that any c ∈ H(C) must satisfy
 
G ⊤
c = 0.
H
 
G
Note that ⟨ ⟩ = C + C ⊥ , which is the smallest code containing C(C).
H
Again, we are interested in the dimension of the kernel of this matrix, and due to the rank-
nullity theorem in its rank. We can assume that G, H are in systematic form and perform
row operations to get  ′  
G Idk A
= .
H′ 0 AA⊤ + Idn−k
Hence its rank is given by k + rk(AA⊤ + Idn−k ). Assuming G was a random matrix, we also
have that A and AA⊤ + Idn−k are random matrices, which have with high probability full
rank.

Definition 121 (Automorphism Group). Let C ⊆ Fnq be a linear code. The automorphism
group of C is given by the linear isometries that map C to C.

Note that just like the hull, the automorphism group of a random linear code is w.h.p.
trivial [182], i.e., Aut(C) = {id}.
Exercise 122. Give the automorphism group of C = ⟨(1, 0, 0), (0, 1, 1) ⊆ F32 .
Exercise 123. Let φ ∈ Aut(C). Show that φ ∈ Aut(C ⊥ ).
Exercise 124. Let φ ∈ Aut(C). Show that φ ∈ Aut(C ∩ C ⊥ ).
Another invariant of isometries is the support of a code.

Definition 125 (Support of a Code). Let C ⊂ Fnq be a linear code. Then we define its
support to be
Supp(C) = {i ∈ {1, . . . , n} | ∃c ∈ C : ci ̸= 0}.

Clearly, for a non-degenerate code, the support will be {1, . . . , n}, however, as soon as we
go to subcodes of C, this will change.

Proposition 126. Let C1 , C2 ⊂ Fnq be linear equivalent. For any subcode D1 < C1 of dimension
r < k and support size s there exists D2 < C2 of dimension r with support size s.

Definition 127 (Rank-metric Equivalence). Let C1 , C2 ⊆ Fm×n q . We say that C1 is equivalent

to C2 if there exists φ ∈ GLm (q) ⋊ GLn (q) such that φ(C1 ) = C2 .

2.2.15 Lee Metric Codes

Let us consider Fp , for p > 3 a prime. Then we can define a different metric, called Lee
metric.

Definition 128 (Lee Metric). Let x ∈ Fp , and represent x ∈ {0, . . . , p − 1}. The Lee weight
of x is given by
wtL (x) = min{x, |p − x|}.

27
The largest possible Lee weight is thus M = (p − 1)/2. Let x ∈ Fnp . The Lee weight is then
extended additively on the entries, that is
n
X
wtL (x) = wtL (xi ).
i=1

Let x, y ∈ Fnp . Their Lee distance is induced by the Lee weight, that is
dL (x, y) = wt(x − y).
Let C ⊆ Fnp be a linear code. The minimum Lee distance of C is given by
dL (C) = min{wtL (c) | c ∈ C, c ̸= 0}.
Note that the Lee metric can be defined over any integer residue ring Z/mZ, for any
integer m. However, for the cryptographic purposes it is enough to consider prime fields.
Since the Lee metric coincides with the Hamming metric in F2 and F3 , we only focus on
primes p > 3.
Note that, wtH (v) ≤ wtL (v) ≤ M wtH (v) and the average Lee weight of the vectors in
Fnp is given by (M/2)n. We, thus, also get that linear code C ⊆ Fnp can correct more errors in
the Lee metric as in the Hamming metric, i.e.,
dH (C) ≤ dL (C).
Using the other bound, i.e., dL (C) ≤ M dH (C), we can easily adapt the Singleton bound
[243].
Theorem 129. Let C ⊆ Fnp be a linear code of dimension k. Then,
dL (C) ≤ M (n − k + 1).
Unfortunately, this bound in only tight in p = 5, n = 2, as shown in [82].
Exercise 130. Consider the symmetric representation {−(p − 1)/2, . . . , (p − 1)/2}. Show that
wtL (x) = |x|.
We denote by δ the relative minimum Lee distance, that is
dL (C)
δ= .
nM
Let us denote by VL (p, n, r) the Lee sphere of radius t
VL (p, n, t) := {mx ∈ Fnp | wtL (mx) = t},
and by
1
FL (p, T ) = lim logp (|VL (p, n, T nM )|)
n→∞ n
its asymptotic size. The exact formulas for the size of VL (p, n, t) and FL (p, T ) can be found
in [266, 137].
Let us denote by AL (n, d, p) the maximal size of a code in Fnp of minimum Lee distance d
and by
1
R(δ) = lim sup logp (A(n, d/(M n), p)).
n→∞ n
We can then state the Gilbert-Varshamov bound in the Lee-metric [31].

28
Theorem 131. Let p be a prime and n, d positive integers. Then,
R(δ) ≥ 1 − FL (p, δ).
In [81], it was shown that random Lee-metric codes attain with high probability the Lee-
metric GV bound, i.e., a random code has with high probability a relative minimum Lee
distance δ such that R(δ) = 1 − FL (p, δ).
We define a function sgn(x), that gives us the sign of an element in Fp .
n o
Definition 132 (Signum). For x ∈ Fp = − p−1 2 , . . . , 0, . . . , p−1
2 let

0
 if x = 0,
sgn(x) = 1 if x > 0,

−1 if x < 0.


For the symmetric representation of Fp , this corresponds to the common signum function.
Let us also define a matching function mt(x, y) that compares x and y and counts the
number of symbols that hold the same sign.
Definition 133 (Sign Matches). Let x, y ∈ Fnp and consider the number of matches in their
sign such that
mt(x, y) = |{i ∈ {1, . . . , n} | sgn(xi ) = sgn(yi ), xi ̸= 0, yi ̸= 0}|.
Finally, we introduce a function calculating the probability that a vector and a uniformly
random hash digest (in {±1}n ) have µ sign matches.
Definition 134 (Logarithmic Matching Probability (LMP)). For a fixed v ∈ Fnp and a
randomly chosen y ∈ {±1}n , the probability of y to have µ sign matches with v is
B(µ, wtH (v), 1/2),
where B(k, n, q) is the binomial distribution defined as
 
n k
B(k, n, q) = q (1 − q)n−k .
k
To ease notation, we write LMP(v, y) = − log2 (B(µ, wtH (v), 1/2)).
In [59], the authors computed the marginal distribution of entries where vectors are uni-
formly distributed in VL (p, n, w). Let E denote a random variable corresponding to the re-
alization of an entry of x ∈ Fnp . As n tends to infinity, we have the following result on the
distribution of the elements in x ∈ Fnp .
Lemma 135 ([59, Lemma 1]). For any x ∈ Fp , the probability that one entry of x is equal
to x is given by
1
pw (x) = exp(−βwtL (x)),
Z(β)
where Z(β) = p−1
P
i=0 exp(−βwtL (x)) denotes the normalization constant and β is the unique
solution to w = p−1
P
i=0 wtL (i)pw (x).
Definition 136 (Typical Lee Set). For a fixed weight w, let pw (x) be the probability from
Lemma 135 of the element x ∈ Fp . Then, we define the typical Lee set as
T (p, n, w) = x ∈ Fnp | xi = x for pw (x)n coordinates i ∈ {1, . . . , n}


That is the set of vectors, for which the element x occurs pw (x)n times.

29
2.2.16 Restricted Errors
Instead of considering a different metric on the vectors in Fnp , we can also restrict their entries.
Definition 137 (Restriction). Let us consider g ∈ F∗p of prime order z and the subgroup
E = {g i | i ∈ {1, . . . , z}} ⊂ F∗p . We say E is a restriction.
Let us denote by ⋆ the component-wise multiplication of vectors.
Proposition 138. (En , ⋆) is a commutative, transitive group isomorphic to (Fnz , +).
The isomorphism is given by

ℓ : En → Fnz ,
x = (g ℓ1 , . . . , g ℓn ) 7→ ℓ(x) = (ℓ1 , . . . , ℓn ).

This representation of vectors in En as vectors in Fnz is helpful to shorten the sizes of

objects. For the opposite direction of the isomorphism, we use the following abuse of notation

a = g ℓ(a) = (g ℓ(a)1 , . . . , g ℓ(a)n ),

for some ℓ(a) = (ℓ(a)1 , . . . , ℓ(a)n ) ∈ Fnz .

Proposition 139. Any linear map φ : En → En which acts transitively on En is simply given
by component-wise multiplication, i.e., φ(b) = a ⋆ b, for some a ∈ En .
Exercise 140. Prove Proposition 139
Let the map φ be the component-wise multiplication with a ∈ En . Then we can compactly
represent φ through the vector ℓ(a) ∈ Fnz . Additionally, the computation φ(b) = a ⋆ b is given
by an addition in Fnz ; namely ℓ(a) + ℓ(b).
Instead of the restriction E, we can also consider a restricted subgroup.
Definition 141 (Restricted Subgroup). Let (G, ⋆) ≤ (En , ⋆) with
ui
G = ⟨a1 , . . . , am ⟩ = {⋆m
i=1 ai | ui ∈ {1, . . . z}} ,

for some m < n. Then, we call G a restricted subgroup of E.

To construct elements e ∈ G, we can collect all the exponents of the generators ai into a
matrix. That is, we define the matrix MG ∈ Fm×nz as
   
ℓ(a1 )1 · · · ℓ(a1 )n ℓ(a1 )
MG =  ... ..  =  ..  .

.   . 
ℓ(am )1 · · · ℓ(am )n ℓ(am )

To check whether |G| = z m , it is enough to verify rank(MG ) = m. For the remainder, we

assume that this is the case. Hence, we can think of MG ∈ Fm×n
z as a generator matrix of
a m-dimensional code in Fnz . Thus, each codeword c ∈ ⟨MG ⟩ can be represented using an
information vector u ∈ Fmz , that is
c = uMG .
The corresponding e ∈ G has then the exponents ℓ(c).

30
Proposition 142. Let G be a restricted subgroup, where MG has full rank m. Then, ℓG is a
group homomorphism, where

ℓG : G → Fm
z ,
e = au1 1 um
⋆ · · · ⋆ am 7→ ℓG (e) = (u1 , . . . , um ).

Proposition 143. The linear maps φ : G → G, which act transitively on G, are still given
by component-wise multiplication with another element in G, i.e., for e ∈ G, φ(e) = e′ ⋆ e.

2.3 Cryptography
As coding theory is the art of reliable communication, this goes hand in hand with cryptogra-
phy, the art of secure communication. In cryptography we differ between two main branches,
symmetric cryptography and asymmetric cryptography.
In symmetric cryptography there are the two parties that want to communicate with each
other and prior to communication have exchanged some key, that will enable them a secure
communication. Such secret key exchange might be performed using protocols such as the
Diffie-Hellman key exchange [113], which itself lies in the realm of asymmetric cryptography.
More mathematically involved is the branch of asymmetric cryptography, where the two
parties do not share the same key. In this survey we will focus on two main subjects of
asymmetric cryptography, that were also promoted by the NIST standardization call [93],
namely public-key encryption (PKE) schemes and digital signature schemes.
Many of these cryptographic schemes seem very abstract when discussed in generality. To
get a grasp of the many definitions and concepts, we will also provide some easy examples.
First of all, let us recall the definition of a hash function. A hash function is a function that
compresses the input value to a fixed length. In addition, we want that it is computationally
hard to reverse a hash function and also to find a different input giving the same hash value.
In this chapter, we denote a publicly known hash function by Hash.

2.3.1 Public-Key Encryption

Let us start with public-key encryption (PKE) schemes. A PKE consists of three steps:

1. key generation,

2. encryption,

3. decryption.

The main idea is that one party, usually called Alice, constructs a secret key S and a connected
public key P. The public key, as the name suggests, is made publicly known, while the secret
key is kept private.
This allows another party, usually called Bob, to use the public key to encrypt a message
m by applying the public key, gaining the so called cipher c.
The cipher is now sent through the insecure channel to Alice, who can use her secret key
S to decrypt the cipher and recover the message m.
An adversary, usually called Eve, can only see the cipher c and the public key P. In order
for a public-key encryption scheme to be considered secure, it should be infeasible for Eve to

31
 Table 1: Public-Key Encryption

ALICE BOB

KEY GENERATION
Construct a secret key S
Construct a connected public key P
P
−→
ENCRYPTION
Choose a message m
Encrypt the message c = P(m)
c
←−
−
DECRYPTION
Decrypt the cipher m = S(c)

recover from c and P the message m. This also implies that the public key should not reveal
the secret key.
What exactly does infeasible mean, however? This is the topic of security. For a cryp-
tographic scheme, we define its security level to be the average number of binary operations
needed for an adversary to break the cryptosystem, that means either to recover the message
(called message recovery) or the secret key (called key recovery).
Usual security levels are 280 , 2128 , 2256 or even 2512 , meaning for example that an adversary
is expected to need at least 280 binary operations in order to reveal the message. These are
referred to as 80 bit, 128 bit, 256 bit, or 512 bit security levels.
Apart from the security of a PKE, one is also interested in the performance, including how
fast the PKE can be executed and how much storage the keys require. Important parameters
of a public-key encryption are

• the public key size,

• the secret key size,

• the ciphertext size,

• the decryption time.

These values are considered to be the performance of the public-key encryption. With ’size’
we intend the bits that have to be sent or stored for this key, respectively for the cipher.
Clearly, one prefers small sizes and a fast decryption.
As an example for a PKE, we can choose one of the most currently used schemes, namely
RSA [229].

Example 144 (RSA). 1. Key Generation: Alice chooses two distinct primes p, q and com-
putes n = pq and φ(n) = (p − 1)(q − 1). She chooses a natural number e < φ(n), which
is coprime to φ(n). The public key is P = (n, e) and the secret key is S = (p, q).

32
 2. Encryption: Bob chooses a message m and encrypts it by computing
c = me mod n.

3. Decryption: Alice can decrypt the cipher by first computing d and b such that
de + bφ(n) = 1.
Since  −b
cd = (me )d = m1−bφ(n) = m mφ(n) = m1−b = m,
she can recover the message m.
Eve sees n but there is no feasible algorithm to compute p and q.
Exercise 145. Assume that Alice has chosen p and q to have 100 digits. How large is the
public key size?
√
Exercise 146. Assume that the fastest known algorithm to factor n into p and q costs n
binary operations. In order to reach a security level of 280 binary operations, how large should
Alice choose p and q?
Exercise 147. To give you also a feeling for cryptanalysis; why should we always choose two
distinct primes? Or in other words; how can you attack RSA if p = q?

2.3.2 Key-Encapsulation Mechanisms

A key-encapsulation mechanism (KEM) is a way to transmit a key for symmetric cryptography
using an asymmetric cryptosystem.
Public-key systems are often not optimal to transmit longer messages. Instead, the two
parties use a public-key system to share a random m, usually a number or vector. Then both
parties use an agreed-on function, called key derivation function, to calculate a key M from
m.
The function is usually chosen to be a one-way function, meaning that computing back
m with only the knowledge of the function and M is not computationally feasible. With this
key, the parties can then encrypt their message.
Most KEM schemes are based on Shoup’s idea [245]. In Table 2 we give an outline, in
which we assume that a public-key system is given. For this, let Hash denote a hash function.

As mentioned before, it is often the case that instead of directly encrypting the key M ,
a random m is encrypted. From this m, both parties can generate a key using the agreed-on
key derivation function.
Example 148. For an example of a KEM we again consider RSA.
1. Key generation: Alice choose two distinct primes p, q and computes n = pq and φ(n) =
(p − 1)(q − 1). Alice also chooses a positive integer e < φ(n), which is coprime to φ(n).
The public key is given by P = (n, e) and the private key is given by (p, q).
2. Encryption: Bob chooses a random message m and computes its hash M = Hash(m).
He then performs the usual steps of RSA, that is: he encrypts c = me mod n and sends
this to Alice.
3. Decryption: Alice can compute d = e−1 mod φ(n) and computes cd = m mod n. Also
Alice can now compute the shared key M = Hash(m).

33
 Table 2: Key-Encapsulation Scheme

ALICE BOB

KEY GENERATION
Generate a secret key S
Construct a connected public key P
P
−→
ENCRYPTION
Choose a random message m
Generate a key M = Hash(m)
Use the public key P to encrypt
m as cipher c
c
←−
−
DECRYPTION
Using the secret key S, decrypt c to
get m
compute Hash(m) = M
COMMUNICATION
The parties may now communicate
with each other since they both pos-
sess a key to encrypt and decrypt
messages

2.3.3 Digital Signature Schemes

Digital Signature schemes aim at giving a guarantee of the legitimate origin of an object, such
as a digital message, exactly as signing a letter to prove that the sender of this letter is really
you.
In this process we speak of authentication, meaning that a receiver of the message can
(with some probability) be sure that the sender is legit, and of integrity, meaning that the
message has not been altered.
A digital signature scheme again consists of three steps:

1. key generation,

2. signing,

3. verification.

In digital signature schemes we consider two parties, one is the prover, that has to prove his
identity to the second party called verifier, that in turn, verifies the identity of the prover.
As a first step, the prover constructs a secret key S, which he keeps private and a public
key P, which is made public. The prover then chooses a message m, and creates a signature
s using his secret key S and the message m, getting a signed message (m, s).

34
 The verifier can easily read the message m, but wants to be sure that the sender really
is the prover. Thus, he uses the public key P and the knowledge of the message m on the
signature s to get authentication.

Table 3: Digital Signature Scheme

PROVER VERIFIER

KEY GENERATION
Construct a secret key S
Construct a connected public key P
P
−→
SIGNING
Choose a message m
Construct a signature s from S and
m
m,s
−−→
VERIFICATION
Verify the signature s using P and m

The security of a digital signature scheme introduces a new person, the impersonator. An
impersonator, tries to cheat the verifier and acts as a prover, however without the knowledge
of the secret key S. An impersonator wins if a verifier has verified a forged signature. This
comes with a certain probability, called cheating probability or soundness error. In order to
ensure integrity a digital signature should always involve a secret key as well as the message
itself.
Clearly, the secret key should still be infeasible to recover from the publicly known private
key, thus one still has the usual adversary, called Eve, and a security level, as in a public-key
encryption scheme.
The performance of a digital signature scheme consists of
• the communication cost, that is the total number of bits, that have been exchanged
within the process,
• the signature size,
• the public key size,
• the secret key size,
• the verification time.
An easy example for a signature scheme is given by turning the RSA public-key encryption
protocol into a signature scheme.
Example 149 (RSA Signature Scheme). 1. Key Generation: Alice chooses two distinct primes
p, q and computes n = pq and φ(n) = (p − 1)(q − 1). She chooses a natural number
e < φ(n), which is coprime to φ(n). She computes d and b such that
de + bφ(n) = 1.

35
 The public key is P = (n, e) and the secret key is S = (p, q, d).

2. Signing: Alice chooses a message m and signs it by computing

s = md mod n.

She then sends m, s to Bob.

3. Verification: Bob can verify the signature s by checking if

se = m mod n.

Exercise 150. How would an impersonator forge a signature provided that the impersonator
does not care about the content of the message m?

2.3.4 Zero-Knowledge Protocols

Since digital signature schemes can be constructed using the Fiat-Shamir transform [122] on
Zero-Knowledge (ZK) protocols, we will also introduce the concept of ZK protocols and then
of the transform itself.
The process and notation for a ZK protocols are similar to that of a digital signature
scheme. We have two parties, a prover and a verifier. Different to a digital signature scheme,
the prover does not want to prove his identity to the verifier, but rather convince the verifier
of his knowledge of a secret object, without revealing said object.
A ZK protocol consists of two stages: key generation and verification. The verification
process can consist of several communication steps between the verifier and the prover, in
particular, we are interested in the following scheme:

1. The prover prepares two commitments c0 , c1 , and sends them to the verifier.

2. The verifier randomly picks a challenge b ∈ {0, 1}, and sends it to the prover.

3. The prover provides a response rb that only allows to verify cb .

4. The verifier checks the validity of cb , usually by recovering cb using rb and the public
key.

A ZK protocol has three important attributes:

1. Zero-knowledge: this means that no information about the secret is revealed during the
process.

2. Completeness: meaning that an honest prover will always get accepted.

3. Soundness: for this, we want that an impersonator has only a small cheating probability
to get accepted.

Again, for the performance of the protocol, we have

• the communication cost,

• the secret key,

36
 Table 4: ZK Protocol

PROVER VERIFIER

KEY GENERATION
Construct a secret key S
Construct a connected public
key P
P
−→
VERIFICATION
Construct commitments c0 , c1
c0 ,c1
−−−→
Choose b ∈ {0, 1}
b
←−
−
Construct response rb
rb
−→
Verify cb using rb

• the public key size,

• the verification time.
In order to achieve an acceptable cheating probability, the protocols are often repeated
several times (called rounds) and only if each instance was verified will the prover be accepted.
Thus, if the ZK protocol previously had cheating probability α, after N such rounds we have
a cheating probability of αN .
There exist several techniques in order to compress the communication cost within N
rounds, for example the compression technique, first introduced in [3]. Let us explain this
method in detail.
Before the first round, the prover generates the commitments for all the N rounds, that
is cib for i ∈ {1, . . . , N } and b ∈ {0, 1}. The prover then sends the hash value

c = Hash c10 , c11 , . . . , cN N

0 , c1

to the verifier.
In the i-th round, after receiving the challenge b, the prover sets their response rb such
that the verifier can compute cib , and additionally includes ci1−b .
At the end of each round, the verifier uses rb to compute cib , and stores it together with
i
c1−b .
After the final round N , the verifier is able to check validity of the initial commitment c,
by computing the hash of all the stored cib .
This way, one hash is sent at the beginning of the protocol, and only one hash (instead
of two) is transmitted in each round and thus, the number of exchanged hash values reduces
from 2N to N + 1.
An easy example is again provided using the hardness of integer factorization, namely the
Feige-Fiat-Shamir protocol [121].

37
 Figure 1: Compression Technique for N Rounds

PROVER VERIFIER
Generate cib , for i ∈ {1, . . . , N } and b ∈
{0, 1}


Set c = Hash c10 , c11 , . . . , cN N
0 , c1
c
−→
←−−−−−−−−−−−−−−−−−−−−−−−
Repeat single round for N times
−−−−−−−−−−−−−−−−−−−−−−−−−→
Check validity of c

GENERIC i-th ROUND

←−−−−−−−−−−−−−−−−−−−−−−
Exchange additional messages
−−−−−−−−−−−−−−−−−−−−−−−→
Choose b ∈ {0, 1}
b
←−
−
Construct response rb
rb , ci1−b
−−−−−→
Store ci1−b , compute and store cib

Example 151 (Feige-Fiat-Shamir). 1. Key generation: The prover chooses two distinct
primes p, q and computes n = pq and some positive integer k. The prover chooses
s1 , . . . , sk coprime to n. The prover now computes
vi ≡ s−2
i mod n.
The public key is given by P = (n, v1 , . . . , vk ). The secret key is given by S =
(p, q, s1 , . . . , sk ).
2. Verification: The prover chooses a random integer c and a random sign σ ∈ {−1, 1} and
computes
x ≡ σc2 mod n
and sends this to the verifier. The verifier chooses the challenge b = (b1 , . . . , bk ) ∈ Fk2
and sends b to the prover. The prover then computes the response
Y
r≡c sj mod n
bj =1

and sends r to the verifier. The verifier can now check whether
Y
x ≡ ±r2 vj mod n.
bj =1

Eve, the impersonator, can see the public vi but she does not know the si . She can pick
a random r and b = (b1 , . . . , bk ) ∈ Fk2 . She then computes
Y
x ≡ r2 vj mod n
bj =1

38
and sends x to the verifier. The verifier will then challenge her with his b′ , but Eve simply
returns her r. If Eve has correctly chosen b = b′ , she will be verified.
Exercise 152. What is the cheating probability of this scheme? If you repeat this process t
times before accepting the prover, what is now your cheating probability?
Exercise 153. Let us assume that k = 10. How many times should you repeat this process in
order to reach a cheating probability of at least 2128 ?

2.3.5 Fiat-Shamir Transform

The Fiat-Shamir transform allows us to build a signature scheme from a ZK protocol. To
avoid the communication with the verifier that randomly picks a challenge, the challenge is
replaced with the seemingly random hash of the commitment and message.
The following table follows the general description of the Fiat-Shamir transform from
[122]. We assume that we are given a zero-knowledge identification scheme and a public hash
function Hash.
Table 5: Fiat-Shamir Transform

PROVER VERIFIER

KEY GENERATION
Given the public key P and the se-
cret key S of some ZK protocol and
a message m
Choose a commitment c
Compute a = Hash(m, c)
Compute a response r to the chal-
lenge a
The signature is the pair s = (a, r)
m,s
−−→
VERIFICATION
Use the response r and the
public key P to construct the
commitment c
Check if Hash(m, c) = a

Using the Fiat-Shamir transform we can turn the Feige-Fiat-Shamir ZK protocol into a
signature scheme.
Example 154 (Fiat-Shamir digital signature scheme). 1. Key Generation: Let Hash be a
publicly known hash function. The prover chooses a positive integer k and two distinct
primes p, q and computes n = pq. The prover chooses s1 , . . . , sk integers coprime to
n and computes vi ≡ s−2 i mod n for all i ∈ {1, . . . , k}. The secret key is given by
S = (p, q, s1 , . . . , sk ) and the public key is given by (n, v1 , . . . , vk ).

2. Verification: the prover chooses randomly c1 , . . . , ct < n and computes xi ≡ c2i mod n
for all i ∈ {1, . . . , t}. In order to bypass the communication with the verifier from before,

39
 the prover computes the first kt bits of

Hash(m, x1 , . . . , xt ) = (a1,1 , . . . , at,k ) = a.

Q
The prover now computes ri ≡ ci sj mod n for all i ∈ {1, . . . , t} and sends
aij =1
(m, a, r1 , . . . , rt ) to the verifier. The verifier computes
Y
zi ≡ ri2 vj mod n
ai,j =1

for all i ∈ {1, . . . , t} and checks if

Hash(m, z1 , . . . , zt ) = a.

2.3.6 Multi-Party-Computations-in-the-Head
Recall that any ZK protocol can be turned into a signature scheme via the Fiat-Shamir
transform. Assume that the used ZK protocol has a cheating probability of α and recall that
this probability might be quite large. In order to get a resulting signature scheme attaining
the security level 2λ , we require N rounds of the ZK protocol, such that αN < 2−λ .
Since the final signature is given by the communication cost within all N rounds, such
signature schemes usually suffer from large signature sizes.
One very prominent technique in order to reduce the signature size was introduced in
[159] and uses the idea of Multi-Party-Computations (MPC).
In an MPC we have N parties, called p1 , . . . , pN , each party is secretly provided a share si .
The parties wish to collectively compute a certain function of their shares, say f (s1 , . . . , sN ),
in such a way that the shares si remain only known to the party pi and an such that all shares
are required.
We say that an MPC protocol is

• correct, if the parties can correctly compute f (s1 , . . . , sN ),

• t-private, if any t shares (or less) do not reveal any information on f (s1 , . . . , sN ),

• secure, if f (s1 , . . . , sN ) does not reveal any information on si .

An easy way to achieve an MPC protocol is to use Secret Sharing (SS) schemes. The whole
theory of MPC and SS schemes is highly involved and we refer the interested reader to [87].
In a SS scheme, we have a dealer, who wants to share a secret message with the parties,
p1 , . . . , pN and again each party pi is provided with a share si . We introduce two parameters;
k ≤ n the decoding threshold and z < k the confidentiality threshold. These parameters take
care of the following two constraint:

1. A group of k ≤ n parties can decode the secret message using their shares.

2. A group of z < k parties do not gain any information about the secret from their shares.

The security goal for such a scheme is thus confidentiality, that is: no information about
the secret should be leaked from any z shares.
Important for this survey, will be additive sharing schemes. Let us, thus, start with a toy
example.

40
Example 155. Let us consider n = 4, k = 2, z = k − 1 = 1 and q = 5. The secret message
is some m ∈ F5 , we choose a random value r ∈ Fq and we use an encoding polynomial
p(x) = m + rx. The secret shares are then given by si = p(i) = m + ir.
Exercise 156. Consider the SS scheme in Example 155.
1. Show that the SS scheme attains privacy, i.e., an individual party with share si does
not gain information about m.

2. Show that the SS scheme is decodable, i.e., any two parties can recover m.
The more general construction, is called Shamir’s secret sharing scheme [241]. Given the
integers z = k − 1, k ≤ n < q and a polynomial p(x) ∈ Fq [x] of degree z, given by
z
X
p(x) = m + ri xi ,
i=1

where ri are chosen uniform at random from Fq . The secret shares are then given by si = p(i).
Exercise 157. Show that Shamir’s SS scheme is attains privacy and is decodable.
One can also construct a SS scheme with z < k − 1, e.g. using McEliece-Sarwate’s
construction [196]. Given the integers z < k ≤ n < q and a polynomial p(x) ∈ Fq [x] of degree
k − 1, given by
Xz k−z
X
p(x) = ri xi + mi xz−1+i ,
i=1 i=1

where ri are chosen uniform at random from Fq . The secret shares are then given by si = p(i).
Exercise 158. Show that McEliece-Sarwate’s SS scheme is attains privacy and is decodable.
Hint: Use the property of a k×n Vandermonde matrix, that each k×k submatrix is invertible.
For a more sophisticated SS scheme, we assume that the secret is given by s ∈ Fnq and all
N parties are provided with random si ∈ Fnq , such that N
P
i=1 si = s. Clearly, only if all N
parties open their shares, they can compute collectively
N
X
f (s1 , . . . , sN ) = si = s,
i=1

while any k < N parties cannot compute s.

For a secret s, we will use the notation [[s]] to denote a possible splitting into N additive
shares
[[s]] = (s1 , . . . , sN ).
The idea of MPC-in-the-head (MPCitH), introduced in [159] is to use MPC protocols to
build ZK protocols.
For this, assume we are given an MPC protocol in which N parties P1 , . . . , PN securely
and correctly evaluate a function f on a secret input s. Additionally, we require
• the secret s has a sharing [[s]] = (s1 , . . . , sN ) and each party Pi gets the input si ,

• for some functions φi , the party Pi computes the broadcast αi = φ(si ),

• the function f , such that f (α1 , . . . , αN ) = 1, and anything else evaluates to 0,

41
 • if N −1 parties reveal their shares si , or their broadcasts αi , they do not reveal anything
on the secret s.

The resulting ZK protocol, requires a trapdoor function F , which is easy to compute and
hard to invert. In code-based cryptography, this is usually the syndrome decoding problem.
Namely,

F : BH (t, n, q) → Fqn−k ,
e 7→ eH⊤ .

That is, we send vectors of Hamming weight at most t, to their syndromes for a fixed parity-
check matrix H. While this is easy to compute given H and e, it is hard to invert, that is:
given H, s find e. We say that the trapdoor function F has target y if, for the sought solution
x we have F (x) = y.
In the previous example of syndrome decoding, the target would be the syndrome of the
sought-after solution e and F is completely determined by H.
Assuming such a trapdoor function F and an MPC protocol, the resulting ZK protocol
works as follows. The main idea of the ZK protocol using MPCitH, is to run a MPC protocol
in the prover’s head, i.e., the prover simulates locally all the parties of the MPC protocol and
sends commitments to each party’s share. To check that the MPC protocol runs correctly,
the prover also sends the broadcasts αi .
The main benefit of MPCitH lies in the cheating probability. Since the MPC protocol is
N − 1-private, an impersonator not knowing the secret s, can guess any N − 1 many shares
and compute broadcasts and commitments to those. However, the last share sf is chosen
at random, and is not such that N
P
i=1 si = s. In fact, finding the last sf would require the
impersonator to invert the trapdoor function.
The verifier accepts the impersonator, only if the verifier challenges exactly the random
sf , i.e., b = f . In any other case, the impersonator is required so send sf in the response and
the verifier can check that the target y is not reached.
Thus, the new cheating probability is N1 . This allows us to reduce the number of rounds
required to achieve a certain security level and thus, in turn, the signature size. However, the
broadcast computation has to be performed in each such round N times, by the prover and
the verifier.

3 Code-Based Public-Key Encryption Frameworks

Code-based cryptography and in particular code-based PKEs first came up with the seminal
work of Robert J. McEliece in 1978 [195]. The main idea of code-based cryptography is to
base the security of the cryptosystem on the hardness of decoding a random linear code.
Since this problem is NP-hard, code-based cryptography is considered to be one of the most
promising candidates for post-quantum cryptography.
In a nutshell, McEliece’s idea as follows: the private key is given by a linear code C, which
can efficiently correct t errors. The public key is C ′ a disguised version of the linear code,
which should not reveal the secret code, in fact, should behave randomly.
While anyone with C ′ , the publicly known code, can encode their message and possibly
add some intentional errors, an attacker would only see a random code and in order to recover
the message would need to decode it.

42
 Table 6: ZK Protocol from MPC

PROVER VERIFIER

KEY GENERATION
Given MPC with secret s and
function f and φi
Given trapdoor function F with
target y.
Secret key S = s
Public key P = {f, F, y}
P
−→
VERIFICATION
For i ∈ {1, . . . , N }:
Compute αi = φi (si )
Compute ci = Hash(si , ρi )
for some random ρi .
c1 ,...,cN
−−−−−→
α1 ,...,αN
Check if f (α1 , . . . , αN ) = 1 −−−−−−→
Choose b ∈ {1, . . . , N }
b
←−
−
Response rb = {(si , ρi ) | i ̸= b}
rb
−→
For all i ̸= b:
Check ci = Hash(si , ρi )
Check αi = φi (si )
Check F (α1 , . . . , αN ) = y.

The constructor of the secret code however, can transform the encoded message to a
codeword of C, which is efficiently decodable.
The first code-based cryptosystem by McEliece uses the generator matrix G as a rep-
resentation of the secret code and in order to disguise the generator matrix, one computes
G′ = SGP, where S is an invertible matrix, thus only changing the basis of the code, and P
is a permutation matrix, thus giving a permutation equivalent code. In the encryption step
the message is then encoded through G′ and an intentional error vector e is added.
An equivalent [185] cryptosystem was proposed by Niederreiter in [206], where one uses
the parity-check matrix H, and the disguised parity-check matrix H′ = SHP, instead of the
generator matrix and the cipher is given by the syndrome of an error vector, i.e., s = H′ e⊤ .
The code-based system proposed by Alekhnovich uses the initial idea of McEliece, but
twists the disguising of the code, by adding a row to the parity-check matrix, which is a

43
erroneous codeword, thus making the error vector the main part of the secret key. The
idea of Alekhnovich, which is not considered practical has been the starting point of a new
framework, the quasi-cyclic scheme.
A different idea has been proposed by Augot and Finiasz in [32]. Here the secret is given
by the support of an error vector, which allows to insert an error of weight beyond the error
correction capacity. Thus, again the code can be made completely public.
Finally, the McEliece framework has also been introduced for the rank metric by Gabidulin,
Paramonov and Tretjakov and is usually denoted by the GPT system.
Clearly, all of these cryptosystems (except for Alekhnovich’s, which uses a random code)
have been originally proposed for a specific code. In the following we will introduce the idea
behind the systems as frameworks, thus without considering a specific code.

44
3.1 McEliece Framework
Although McEliece originally proposed in [195] to use a binary Goppa code as secret code,
one usually denotes by the McEliece framework the following. Alice, the constructor of the
system, chooses an [n, k] linear code C over Fq , which can efficiently decode t errors through
the decoding algorithm D. Instead of publishing a generator matrix G of this code, which
would then reveal to everyone the algebraic structure of C and especially how to decode,
one hides G through some scrambling: we compute G′ = SGP, for some invertible matrix
S ∈ GLk (q) and an n × n permutation matrix P. Hoping that the new matrix G′ and the
code it generates C ′ seem random (although C ′ is permutation equivalent to C), Alice then
publishes this disguised matrix G′ and the error correction capacity t of C.
Bob who wants to send a message m ∈ Fkq to Alice can then use the public generator
matrix G′ to encode his message, i.e., mG′ , and then adds a random error vector e ∈ Fnq of
Hamming weight up to t to it, i.e., the cipher is given by c = mG′ + e.
An eavesdropper, Eve, only knows G′ , t and the cipher c. In order to break the cryptosys-
tem and to reveal the message m, she would need to decode C ′ , which seems random to her.
Thus, she is facing an NP-complete problem and the best known solvers have an exponential
cost.
However, Alice can reverse the disguising by computing cP−1 , which results in a codeword
of C added to some error vector of weight up to t. That is

cP−1 = mSG + eP−1 .

Through the decoding algorithm D Alice gets mS and thus by multiplying with S−1 , she
recovers the message m.
Exercise 159. Consider re-encryption: Given the public generator matrix G. Bob encrypts
the message m getting c1 = mG + e1 and later with the same G the same message m again
getting c2 = mG + e2 . Is this safe?
Since this is the key part of this survey, we will provide a toy example explained in full
detail.
Example 160. Let C be the [7, 4] binary Hamming code, which can efficiently correct 1 error.
We take as generator matrix
 
1 0 0 0 1 1 0
 
 
0 1 0 0 1 0 1
G= 
.

0 0 1 0 0 1 1
 
0 0 0 1 1 1 1

We choose S ∈ GL4 (2) to be  

0 1 1 1
 
 
1 0 1 1
S=



1 0 1 0
 
0 0 1 1

45
 Table 7: McEliece Framework

ALICE BOB

KEY GENERATION
Choose a linear code C ⊆ Fnq of di-
mension k and error correction ca-
pacity t. Let G be a k ×n generator
matrix of C.
Choose randomly S ∈ GLk (q) and
an n × n permutation matrix P.
Compute G′ = SGP.
The public key is given by P =
(t, G′ ) and S = (G, S, P)
P
−→
ENCRYPTION
Choose a message m ∈ Fkq and a
random error vector e ∈ Fnq of
weight at most t
Encrypt the message c = mG′ + e
c
←−
−
DECRYPTION
Decrypt the cipher, by decoding
cP−1 = mSG + eP−1 to get mS,
and finally recover the message as
m = (mS)S−1

and the permutation matrix P to be

 
0 1 0 0 0 0 0
 
0 0 0 1 0 0 0
 
 

0 0 0 0 0 1 0

 
P = 1 0 0 0 0 0 0 .
 
 
 
0 0 0 0 1 0 0
 
 
0 0 1 0 0 0 0
 
0 0 0 0 0 0 1

We thus compute  
1 0 0 1 0 1 1
 
 
1 1 1 0 0 1 0
G′ = 



0 1 0 0 1 1 1
 
1 0 0 1 1 0 0

46
and publish (G′ , 1), since t = 1. The message we want to send is m = (1, 0, 1, 1) ∈ F42 and
thus we compute
mG′ = (0, 1, 0, 1, 0, 1, 0).
Now, we choose an error vector e ∈ F72 of Hamming weight 1, e.g.,

e = (1, 0, 0, 0, 0, 0, 0).

Thus, the cipher is given by

c = (1, 1, 0, 1, 0, 1, 0).
The constructor, who possesses P can compute

cP−1 = cP⊤ = (1, 1, 1, 1, 0, 0, 0).

We can now use the decoding algorithm of Hamming codes to recover mS = (1, 1, 1, 0) and
by multiplying with  
0 1 0 1
 
 
−1
1 0 0 1
S =  

0 1 1 1
 
0 1 1 0
we recover the message m = (1, 0, 1, 1).
In this toy example, an attacker which sees G′ , t, c has two possibilities:

1. recover the message directly,

2. recover the secret key.

The first type of attack could work as follows:

1. We bring G′ into a row-reduced form, that is for G′ = [A | B] we compute A−1 G′ ,

giving  
1 0 0 0 1 1 0
 
 
0 1 0 0 1 1 1
G= 
.

0 0 1 0 0 1 1
 
0 0 0 1 1 0 1

With G = [Id4 | C] we can also compute the parity-check matrix as H = [C⊤ | Id3 ],
that is  
1 1 0 1 1 0 0
 
H = 1 1 1 0 0 1 0 .
 
 
0 1 1 1 0 0 1

2. We can now compute the syndrome of c through H, i.e.,

⊤
s = cH = (1, 1, 0).

47
 ⊤
Note that this is also the syndrome of the error vector e, i.e., eH = s. Since there is
only one entry of e that is non-zero, we must have that the syndrome s is equal to the
column hi where ei ̸= 0. And in fact, s = h1 , thus we have found
e = (1, 0, 0, 0, 0, 0, 0)
and
c − e = mG′ = (0, 1, 0, 1, 0, 1, 0).
Note that the moment we know the error vector, we can use linear algebra to recover
the message. Since this is a toy example, we will also execute this step.
3. Denote by m = mA, then
(0, 1, 0, 1, 0, 1, 0) = mG′ = mAA−1 G′ = mG.
Since G = [Id4 | C], we have that
mG = (m, mC).
Hence, we can directly read off that m = (0, 1, 0, 1) and by multiplying with A−1 , we
recover m = (1, 0, 1, 1).
The second type of attack, namely a key-recovery attack, is in nature more algebraic. Knowing
that the secret code is a [7, 4] binary code that can correct one error, the suspicion that the
secret code is a Hamming code is natural. If not, one could proceed as follows.
1. We choose a set I ⊂ {1, . . . , n} of size k, which is a possible information set. Let us
denote by G′I the matrix consisting of the columns of G′ indexed by I.
2. We compute (G′I )−1 G′ to get an identity matrix in the columns indexed by I.
3. Choose the permutation matrix P′ which brings the identity matrix in the columns
indexed by I to the first k positions.
With this, if one chose I = {4, 2, 6, 3} (the order matters here only for the permutation
matrix) we recover G and will now finally be able to read off the secret code and thus also
know its decoding algorithm. With this, we can compute from G and G′ the matrices S and
P.
Although this example for the McEliece framework is clearly using a code that should not
be used in practice, it shows in a few easy steps the main ideas of the attacks. For example,
the minimum distance of a code should be large enough, since else an easy search for the
error vector will reveal the message, and also the public code parameters should not reveal
anything on the structure of the secret code, meaning that there should be many codes having
such parameters.
These two different kind of attacks aim at solving two different problems the security of
the McEliece system is based upon:
1. decoding the erroneous codeword, assuming that the code is random, should be hard,
2. the public code, which is permutation equivalent to the secret code, should not reveal
the algebraic structure of the secret code.
Only if both of these points are fulfilled is the security of the cryptosystem guaranteed.
We will see more on this in Section 5.

48
3.2 Niederreiter Framework
The Niederreiter framework [206] uses the parity-check matrix instead of the generator matrix,
resulting in an equivalently secure system [185]. Niederreiter originally proposed to use GRS
codes as secret codes, however, we will consider with the Niederreiter framework the more
general scheme.
Alice again chooses an [n, k] linear code C over Fq which can efficiently decode up to t
errors. She then scrambles a parity-check matrix H of C by computing H′ = SHP, for some
invertible matrix S ∈ GLn−k (Fq ) and an n × n permutation matrix P. She publishes the
seemingly random parity-check matrix H′ together with the error correction capacity t.
Bob can then encrypt a message m ∈ Fnq of Hamming weight up to t, simply by computing
the syndrome of m through the parity-check matrix H′ , i.e., the cipher is given by c = mH′⊤ .
While Eve would only have access to H′ , which looks random to her, t and c, she faces
an NP-hard problem and can only apply exponential time algorithms in order to recover m.
Alice, on the other hand, can recover the message by computing S−1 c, which results in a
syndrome of her code C, which she knows how to decode. That is

S−1 c⊤ = HPm⊤ ,
where Pm⊤ still has Hamming weight up to t. Thus, she recovers Pm⊤ and by multiplication
with P−1 , she recovers the message m.
We provide the same toy example for the Niederreiter framework.
Example 161. This time, we start with a parity-check matrix H of the [7, 4] binary Hamming
code, given by  
1 1 0 1 1 0 0
 
H = 1 0 1 1 0 1 0  .
 
 
0 1 1 1 0 0 1
We choose as invertible matrix S ∈ G3 (F2 ) the following
 
1 1 0
 
S = 0
 
1 1
 
0 0 1

and as permutation matrix we choose

 
0 0 1 0 0 0 0
 
0 0 0 0 1 0 0
 
 

1 0 0 0 0 0 0

 
P = 0 0 0 0 0 0 1 .
 
 
 
0 1 0 0 0 0 0
 
 
0 0 0 1 0 0 0
 
0 0 0 0 0 1 0

49
 Table 8: Niederreiter Framework

ALICE BOB

KEY GENERATION
Choose a linear code C ⊆ Fnq of di-
mension k that can efficiently cor-
rect t errors. Let H be a (n − k) × n
parity-check matrix of C
Choose randomly S ∈ GLn−k (q)
and an n × n permutation matrix
P. Compute H′ = SHP
The public key is given by P =
(t, H′ )
P
−→
ENCRYPTION
Choose a message m ∈ Fnq of
weight at most t
Encrypt the message
c⊤ = H′ m⊤
c
←−
−
DECRYPTION
Decrypt the cipher by decoding
S−1 c⊤ = HPm⊤ to get Pm⊤ ,
and finally recover the message as
m⊤ = P−1 (Pm⊤ )

With this, we compute

 
0 0 1 1 1 1 0
 
H′ = SHP = 0 1 1 1 0 0 1 .
 
 
1 0 0 1 0 1 1
The public key is given by H′ and t = 1. Assume that we want to send the message m =
(0, 0, 1, 0, 0, 0, 0) ∈ F72 . For this, we compute the cipher as the syndrome of m through H′ ,
i.e.,
c = m(H′ )⊤ = (1, 1, 0)
and send it to the constructor. The constructor which knows S and P first computes
S−1 c⊤ = HPm⊤ = (0, 1, 0)⊤ ,
and then uses the decoding algorithm of the Hamming code to get
mP⊤ = (0, 0, 0, 0, 0, 1, 0).
Finally multiplying this with P−1 we get the message m = (0, 0, 1, 0, 0, 0, 0).
The security is clearly equivalent to that of Example 160, due to the duality of G and H
and the attacks form Example 160 work here as well.

50
3.3 Alekhnovich’s Cryptosystems
Alekhnovich’s cryptosystem [15] marks the first code-based cryptosystem with a security
proof, i.e., it relies solely on the decoding problem. This seminal work lays the foundations of
modern code-based cryptography, where researchers try to construct code-based cryptosys-
tems with a provable reduction to the problem of decoding a random linear code.
There are two variants to this cryptosystem, both are relying on the following hard prob-
lem:
Problem 162. Given a code C, distinguish a random vector from an erroneous codeword of C.
Note that variations of these cryptosystem are used in [5, 20]. For the following description
of the two variants we rely on the survey [272] and for more details we also refer to [272].

3.3.1 The First Variant

The idea is not to keep the parity-check matrix or generator matrix of the code hidden, but a
random error vector. Thus, a random matrix A is chosen and to this one adds the row xA+e,
thus an erroneous codeword of the code generated by A is added resulting in the augmented
matrix H. Let us consider C to be Ker(H), that is the code having H as parity-check matrix.
One then publishes G, a generator matrix of C.
In this variant one only encrypts a single bit. One either sends as cipher an erroneous
codeword of C ⊥ or a random vector, depending if 0 or 1 was encrypted. Finally, using the
secret error vector e, one can compute the standard inner product of the cipher and e and
will recover the message, with some decryption failure.
More in detail, if the cipher was given by aG + e′ , for a random a ∈ Fn−k
2 and a random
error vector e′ ∈ Fn2 of weight t, then

⟨e, aG + e′ ⟩ = ⟨e, aG⟩ + ⟨e, e′ ⟩.

⊥ ′
√ ⟨e, aG⟩ = 0, since ′e ∈ C by construction. In addition, since wtH (e) = wtH (e ) =
Note that
t = o( n), we have that ⟨e, e ⟩ = 0 with high probability. If the cipher was given by a random
vector c ∈ Fn2 instead, then with probability 1/2 we get ⟨e, c⟩ = 1.
Thus, there is a decryption failure in the case m = 1 of probability 1/2. In order to get
a reliable system one can encrypt the message multiple times. A systematic description of
Alekhnovich’s First Variant can be found in Table 9.

We give an example of the first variant.

Example 163. Let  
1 1 0 0 0 0
 
 
1 0 1 0 0 0
A=

.

0 0 0 1 1 0
 
0 0 0 1 0 1
We choose m = (0, 1, 0, 1), e = (1, 0, 0, 0, 0, 0) and compute

mA + e = (0, 0, 1, 1, 0, 1).

51
 Table 9: Alekhnovich First Variant

ALICE BOB

KEY GENERATION
√
Let t ∈ o( n) and choose a random
matrix A ∈ Fk×n
2

Let e ∈ Fn2 be a random vector of

weight t and let x ∈ Fk2 be a random
vector
Compute y = xA + e and H⊤ =
(A⊤ , y⊤ )
Let C = ker(H) and choose a gen-
(n−k−1)×n
erator matrix G ∈ F2 of C
The public key is given by P =
(G, t) and the secret key is S = e
P
−→
ENCRYPTION
Choose a message m ∈ F2
If m = 0: choose a ∈ Fn−k−1
2
and e′ ∈ Fn2 of weight t at
random, send c = aG + e′
If m = 1: choose a random vector c ∈ Fn2
c
←−
−
DECRYPTION
Decrypt the cipher, by computing
b = ⟨e, c⟩.
If m = 0: b = 0 with high proba-
bility
If m = 1: b = 1 with probability
1/2

If we append this to the matrix A, we get the matrix

 
1 1 0 0 0 0
 

1 0 1 0 0 0

 
H = 0 0 0 1 1 0 .
 
 
 
0 0 0 1 0 1
 
0 0 1 1 0 1

The dual code C of H has a generator matrix

 
G= 0 0 0 1 1 1 .

52
 We encrypt 0 as

c0 = (0, 0, 0, 1, 1, 1) + (0, 1, 0, 0, 0, 0) = (0, 1, 0, 1, 1, 1),

and 1 as random vector

c1 = (1, 0, 1, 0, 0, 1).
To decrypt the cipher c, we compute ⟨e, c⟩. If we receive c0 , we compute that ⟨e, c0 ⟩ = 0.
If we receive c1 , we see that ⟨e, c1 ⟩ = 1.

3.3.2 The Second Variant

In this variant one generalizes the idea of the first variant and construct directly a matrix M
in which every row is an erroneous codeword.
n/2×n n×n/2
This is achieved by choosing at random A ∈ F2 , X ∈ F2 and E ∈ F2n×n having
row weight t. Then one computes the matrix M = XA + E.
Let C0 be a binary code of length n, that can correct codewords transmitted through a
binary symmetric channel (BSC) with transition probability t2 /n. Let us consider

φ : Fn2 → Fn2 ,
x 7→ Mx.

Define
C1 = φ−1 (C0 ) = {x ∈ Fn2 | φ(x) ∈ C0 },
C2 = Ker(A) and finally C = C1 ∩C2 . Let G ∈ Fk×n
2 be a generator matrix of C. This generator
matrix is made public, while the error vectors in E are kept secret.
k/2 k/2
To encrypt a message m ∈ F2 we first append a random vector r ∈ F2 to get x =
(m, r) ∈ Fk2 and then compute
c = xG + e,
for some random error vector e ∈ Fn2 of weight t.
To decrypt we now compute

y⊤ = Ec⊤ = E(xG + e)⊤

= E(xG)⊤ + Ee⊤
= XA(xG)⊤ + M(xG)⊤ + Ee⊤
= M(xG)⊤ + Ee⊤ ,

where we have used that Aa⊤ = 0 for all a ∈ C, in particular also for xG. Note that
z⊤ = M(xG)⊤ ∈ C0 , since C ⊆ C1 and φ(C1 ) = C0 . Finally, every row ei of E has weight t
and thus, ⟨ei , e⟩ = 1 with probability at most t2 /n. Thus, the decoding algorithm of C0 on y
gives z with high probability. Finally, we can solve the linear system

xG = φ−1 (z)

to get x and the first k/2 bits reveal the message m.

53
 Table 10: Alekhnovich Second Variant

ALICE BOB

KEY GENERATION
Choose random matrices A ∈
n/2×n n×n/2
F2 , X ∈ F2 and E ∈ Fn×n
2
of row weight t
Set M = XA + E ∈ GLn (2)
Let C0 be a binary code of length
n that can efficiently correct code-
words transmitted through a BSC
of transition probability t2 /n
Let φ be the map x 7→ Mx
Let C = φ−1 (C0 ) ∩ Ker(A)
Let G ∈ Fk×n
2 be a generator ma-
trix of C
The public key is given by P =
(G, t) and S = E
P
−→
ENCRYPTION
k/2
Choose a message m ∈ F2 and
k/2
choose randomly r ∈ F2 and
n
e ∈ F2 of weight t
Compute x = (m, r) ∈ Fk2 and c = xG + e
c
←−
−
DECRYPTION
Decrypt the cipher, by computing
y⊤ = Ec⊤ = z⊤ + Ee⊤
and use the decoding algorithm of
C0 on y to get z
Recover x from the linear system
xG = φ−1 (z) and thus m

3.4 Quasi-Cyclic Scheme

The quasi-cyclic scheme is inspired by the scheme of Alekhnovich, introduced in [9] and used
in [5]. Similarly to Alekhnovich’s schemes, it is a probabilistic approach to encryption schemes
and does not hide the initial code, which needs to be efficiently decodable. The message gets
encrypted as codeword to which an error, too large to decode, gets added. With the knowledge
of the private key parts of this error can be cancelled out resulting (with high probability) in
a vector which can be decoded to recover the message.
We present the scheme in the Hamming metric, but note that the scheme can also be
adapted to the rank metric.

54
 Let n be a positive integer, q be a prime power and R = Fq [x]/(xn − 1). Recall from
Section 2 that we identify vector a = (a0 , a1 , . . . , an−1 ) ∈ Fnq with the polynomial a(x) =
Pn−1 i
i=0 ai x ∈ R and vice versa.
The quasi-cyclic framework uses two types of codes:
1. An [n, k] linear code C over Fq , which can efficiently decode δ errors. A generator matrix
G ∈ Fk×n
q is made public.
2. A random quasi-cyclic [2n, n] code presented through a parity-check matrix
 
H = Idn | rot(h) ,

which does not require to be efficiently decodable and is also made public.
Recall that vector multiplication of any vector v and h is given by vrot(h), as this corresponds
to the polynomial multiplication v(x)h(x) ∈ R. √
Let w, wr and we be positive integers all in the range of n/2. These are publicly known
parameters.
The cryptosystem then proceeds as follows. Alice chooses a random h ∈ Fnq and an [n, k]
linear code C over Fq , that can efficiently correct t errors and chooses a generator matrix G
of C.
Alice then also chooses two elements y, z ∈ Fnq , corresponding to the vector y, z both of
Hamming weight w.
She publishes the generator matrix G, the random element h and s = y + hz, while y
and z are kept secret and can clearly not be recovered from s and h. In fact, we can write
 
Idn
s = (y, z)  ,
rot(h)

thus H = (Idn , rot(h)⊤ ) acts as quasi-cyclic parity-check matrix and (y, z) as unknown error
vector.
Bob, who wants to send a message m ∈ Fkp to Alice, can choose e ∈ Fnq of Hamming
weight we and two elements r1 , r2 ∈ Fnq , both of Hamming weight wr . He then computes
u = r1 + hr2 and
v = mG + sr2 + e.
The cipher is then given by c = (u, v).
The message m is thus encoded through the public G and an error vector sr2 +e is added,
where both r2 and e were randomly chosen by Bob. The only control Alice has on the error
vector is in s. This knowledge and also the additional information of Bob on r2 provided
through the vector u will allow Alice to decrypt the cipher.
In fact, Alice can use the decoding algorithm of C on v − uz, since

v − uz = mG + sr2 + e − (r1 + hr2 )z

= mG + (y + hz)r2 + e − r1 z − hr2 z
= mG + (yr2 − r1 z + e).
It follows that the decryption succeeds if wtH (yr2 − r1 z + e) ≤ t. Note that parameter sets
should be chosen such that this happens with high probability, but clearly the framework
does have a decoding failure rate (DFR).

55
 Table 11: Quasi-Cyclic Scheme

ALICE BOB

KEY GENERATION
Choose an [n, k] linear code C over
Fq , which can efficiently decode t
errors with
generator matrix G ∈ Fk×n
q and
choose h ∈ Fnq
Choose y, z ∈ Fnq of weight
wtH (y) = wtH (z) = w, compute
s = y + hz
The public key is P =
(G, h, s, we , wr ) and the secret
key is S = (y, z)
P
−→
ENCRYPTION
Choose a message m ∈ Fkq
Choose e ∈ Fnq such that wtH (e) = we
Choose r1 , r2 ∈ Fnq such that
wtH (r1 ) = wtH (r2 ) = wr
Compute u = r1 + hr2
Compute v = mG + sr2 + e
The cipher is c = (u, v)
c
←−
−
DECRYPTION
Compute c′ = v − uz and use the
decoding algorithm of C to recover
m

Remark 164. The reason why we can make the generator matrix of the efficiently decodable
code public, lies in the random choice of h, which determines the parity-check matrix H and
in the fact that the error added to the codeword has a weight larger than the error correction
capacity of the public code.
In fact, u and s are two syndromes through H of a vector with given weight, as
u = (r1 , r2 )H⊤
and s = (y, z)H⊤ . In order to recover (r1 , r2 ) or (y, z), an attacker would need to solve the
NP-hard syndrome decoding problem. In addition, since wtH (sr2 + e) > t even with the
knowledge of G and v an attacker can not uniquely determine the message m.
Since the algebraic code, which is efficiently decodable, is publicly known, the security of
this framework is different to that of the McEliece framework and the Niederreiter framework,
as it does not rely on the indistinguishability of the code.

56
Remark 165. However, we want to stress the fact, that the SDP is NP-hard for a completely
random code. The code with the double circulant parity-check matrix H is in fact not
completely random, and thus the question arises, if also this new problem lies in the complexity
class of NP-hard problems.
Example 166. We choose R = F2 [x]/(x7 + 1) and as code the binary repetition code of length
7, which can correct up to 3 errors. The generator matrix G is given by
 
G= 1 1 1 1 1 1 1 ,
and codewords with more ones than zeroes are decoded to (1, 1, 1, 1, 1, 1, 1), everything else
to (0, 0, 0, 0, 0, 0, 0). Further, we choose
h(x) = 1 + x + x2 ∈ R,
or equivalently h = (1, 1, 1, 0, 0, 0, 0) and w = wr = we = 1. We pick y(x) = 1, z(x) = x3 ,
both in R of weight w = 1, or equivalently y = (1, 0, 0, 0, 0, 0, 0), z = (0, 0, 0, 1, 0, 0, 0) and
compute
s(x) = y(x) + h(x)z(x) = 1 + x3 + x4 + x5 .
Equivalently one can compute
s = y + zrot(h) = (1, 0, 0, 1, 1, 1, 0).
The public key is then given by
P = (G, h, s, we , wr ),
the secret key is the pair
S = (y, z).
For this example, the message is m = (1) ∈ F12 . We also pick e(x) = x ∈ R, that is
e = (0, 1, 0, 0, 0, 0, 0) of weight we = 1 and r1 (x) = r2 (x) = x2 in R, that is r1 = r2 =
(0, 0, 1, 0, 0, 0, 0) of weight wr = 1. We can then compute
u(x) = r1 (x) + h(x)r2 (x) = x3 + x4 ,
or equivalently
u = r1 + r2 rot(h),
hence u = (0, 0, 0, 1, 1, 0, 0), and since s(x)r2 (x) = 1 + x2 + x5 + x6 of weight 5 > t we get
v = mG + sr2 + e = (1, 1, 1, 1, 1, 1, 1) + (1, 0, 1, 0, 0, 1, 1) + (0, 1, 0, 0, 0, 0, 0)
= (0, 0, 0, 1, 1, 0, 0).
We can then send the cipher
c = (u, v) = ((0, 0, 0, 1, 1, 0, 0), (0, 0, 0, 1, 1, 0, 0)).
To decrypt the cipher, we compute with the knowledge of the secret key S = (y, z) = (1, x3 )
that u(x)z(x) = 1 + x6 and compute
v − uz = (0, 0, 0, 1, 1, 0, 0) − (1, 0, 0, 0, 0, 0, 1)
= (1, 0, 0, 1, 1, 0, 1),
which gets decoded to to the codeword (1, 1, 1, 1, 1, 1, 1), from which we recover the message
m = (1).
Exercise 167. Repeat this example with the fixed public parameters G = (1, 1, 1, 1, 1, 1, 1),
h(x) = 1 + x + x2 , s(x) = 1 + x3 + x4 + x5 , we = wr = 1 and the secret key S = (1, x3 ), but
now Bob chooses e(x) = x4 , r1 (x) = 1, r2 (x) = x. Is the decryption successful in this case?

57
3.5 Augot-Finiasz Cryptosystem
In its original version the Augot-Finiasz (AF) cryptosystem uses polynomial reconstructions,
for this survey, however, we translate it into an easier formulation.
Similar to the quasi-cyclic framework, one can choose a code C which can efficiently decode
t errors and can make it public. The system does not rely on any hiding of the structured
code. The idea of the AF and the FL system is publish a structured code C = ⟨G⟩ which can
correct w erasures and t errors, usually this means that d > 2t + w. One then also publishes
a corrupted codeword y = m′ G + e′ , where the error vector e′ has weight w, but keeps the
support of e′ secret. Without the knowledge of the support, and as long as w > ⌊(d − 1)/2⌋,
an attacker cannot recover m′ or equivalently e′ .
To encrypt a message m, one chooses at random a vector e of weight t, a random α ∈ Fq ,
such that
supp(αe′ ) = supp(e′ )
and computes the cipher as
c = mG + αy + e.
Clearly, the cipher is still a corrupted codeword of C, where the error vector is

ẽ = αe′ + e.

If e′ and e are chosen at random then wtH (ẽ) ≥ w − t. Thus, as long as w − t > d−1 2 an
attacker can still not decode the cipher without knowing the secret error support.
On the other hand, the constructor of the scheme knows supp(e) and can use an erasure
decoder to get rid off supp(e′ ). Being left with at most t errors, the constructor of the system
can use the error-decoder of the public code and compute the m′ + αm. Finally, knowing m′
and ensuring that α is visible in the vector αm, one recovers the message m.
The decryption works, as

c = (m + α(1, m′ ))G + αe′ + e

and αe′ has support in S. Thus,

cS C = (m + α(1, m′ ))G + e,

and since wtH (e) ≤ t, we can decode the public code ⟨G⟩ and recover the message m +
α(1, m′ ). Although, we do not know α, we have chosen the message of y such that we can
read α of the first entry, namely (1, m′ ). Thus, we can remove α(1, m′ ) from the recovered
message and recover m.
Example 168. Let us give a toy example also for the AF system. Let us consider F16 = F2 [α],
where α4 = α + 1 and the Reed-Solomon code generated by
 
1 α α+1 α2 α2 + 1 α3 α3 + α
G= .
2 2
1 α α +1 α+1 α 3
α +α 2 α 3

This code has minimum distance d = n−k +1 = 6 and can thus correct 1 error and 3 erasures.
We choose the secret error support S = {1, 2, 4} and the error vector e′ = (1, α, 0, α2 , 0, 0, 0).
For the message m′ = (1, 1) we get

y = (1, 1)G + e′ = (1, α2 , α2 + α, α + 1, α2 + α + 1, α2 , α).

58
 Table 12: AF Cryptosystem

ALICE BOB

KEY GENERATION
Choose a generator matrix G ∈
Fk×n
q which can correct t errors and
w erasures
Choose e′ ∈ Fnq of weight w having
support in S
Choose (1, m′ ) ∈ Fkq
Compute y = (1, m′ )G + e′
The public key is P = (G, y, t) and
the secret key is S = (e′ )
P
−→
ENCRYPTION
Choose e ∈ Fnq with wtH (e) ≤ t
Choose α ∈ Fq
Encrypt m ∈ Fkq as c = mG + αy + e
c
←−
−
DECRYPTION
Puncture c in the positions indexed
by S
Decode cS C and recover α(1, m′ ) +
m and thus α as well as m.

Both G and y are made public. Bob wants to send the message (0, α2 ) to Alice and
chooses the scrambling α + 1 and the error vector e = (0, 0, α, 0, 0, 0, 0). The cipher is then
given by
c = (0, α2 )G + (α + 1)y + e
= (α2 + α + 1, α3 + α2 + α + 1, α3 + α2 + α + 1, α3 + 1, 1, α3 + 1, 0).
To decrypt, Alice first punctures in the secret positions {1, 2, 4}, thus only considering
cS C = (α3 + α2 + α + 1, 1, α3 + 1, 0)
and decodes using the punctured Reed-Solomon code
 
α+1 α +1 2 α 3 3
α +α
GS C =  ,
2
α +1 α 3
α +α 2 α3

getting the message (α+1, α2 +α+1) and the error vector (α, 0, 0, 0). Due to the construction
of the two messages, namely the first position of m is zero and the first position of m′ is one,
Alice can read of the first position the scrambling being α + 1 and thus recovers the message
m = (0, α2 ) = (1 + α, α2 + α + 1) − (α + 1, α + 1).

59
Exercise 169. 1. An attacker can guess α ∈ Fq and attack the AF system. What is the
security level of the above example?

2. Can we also choose different scramblings for y?

3. Repeat the example for Gabidulin codes and the rank metric.
The only requirement for the code C is thus, that the punctured code can still efficiently
decode.
The original system uses GRS codes, as a punctured GRS code is still a GRS code, and
has been attacked in [98].
Clearly, this framework is independent of the metric and hence, one could also employ the
rank metric. In fact, the rank-metric analog of the AF system has been proposed by Faure
and Loidreau [120], relying the security on the hardness of reconstructing p–polynomials.
Their original system proposes the use of Gabidulin codes and has been subject to algebraic
attacks [130].
Many repair attempts [262, 226, 225, 177] have been made, unfortunately all have been
broken in [79]. The idea of the attacks is to use list decoding of GRS codes, respectively of
Gabidulin codes.

3.6 GPT Cryptosystem

The Gabidulin-Paramonov-Tretjakov (GPT) cryptosystem was introduced in [127] and is
based on rank-metric codes. As usual, we pick an Fq -basis of Fqm and use this to identify
elements of Fqm with vectors in Fm q . The system we present is not following the original
proposal, which was broken [211], but an adapted formulation, and as before we present the
system as a framework, i.e., without choosing a family of codes for the secret code.
The GPT system proceeds as follows. Alice chooses an [n, k] linear rank-metric code C
over Fqm with error correction capacity t and generator matrix G. For some positive integer
λ, she then chooses S ∈ GLk (q m ), P ∈ GLn+λ (q) and X ∈ Fqk×λ
m of rank s ≤ λ. She publishes
the scrambled matrix G′ = S[X | G]P and the target weight t.
Bob can then encrypt his message m ∈ Fkqm , by computing

c = mG′ + e,

for some randomly chosen error vector e ∈ Fqn+λ

m with wtR (e) = t.
To decrypt, Alice can compute

cP−1 = mS[X | G] + eP−1 .

Since wtR (eP−1 ) = t, she can apply the decoding algorithm of the code C to the last n
positions of cP−1 to recover mS and thus also m.
A systematic description of the GPT system can be found in Table 13.
This framework is closely related to the McEliece framework, as the algebraic code which
can be efficiently decoded has to be kept secret and the matrix P acts as an isometry. In fact,
while for the Hamming metric P is chosen a permutation matrix, which fixes the Hamming
weight of a vector, in the rank metric we choose P to be a full rank matrix over Fq , which
thus fixes the rank weight of a vector over Fqm .
Exercise 170. Establish the Niederreiter version of the GPT system using the parity-check
matrix.

60
 Table 13: GPT Cryptosystem

ALICE BOB

KEY GENERATION
Choose a generator matrix G ∈
Fk×n
q m of a rank-metric code of rank
distance d = 2t + 1 and a positive
integer λ
Choose S ∈ GLk (q m ), P ∈
GLn+λ (q)
Choose a matrix X ∈ Fk×λ
q m of rank
s ≤ λ and compute G′ = S[X |
G]P.
The public key is P = (G′ , t) and
the secret key is S = (G, S, X, P)
P
−→
ENCRYPTION
Choose e ∈ Fn+λ
q m with wtR (e) ≤ t

Encrypt m ∈ Fkqm as c = mG′ + e

c
←−
−
DECRYPTION
Compute c′ = cP−1 and apply the
decoding algorithm to the last n po-
sitions to recover m′ = mS
Compute m = m′ S−1

Example 171. We give an example for n = 4, m = 5, k = 2 and s = λ = 1. We identify

F32 = F2 [α] with α5 = α2 + 1 and consider the Gabidulin code with generator matrix
 
1 α α2 α3
G= ,
1 α2 α4 α3 + α

which can correct up to 1 error. We further need a S ∈ GL2 (32) and a P ∈ GL5 (2) and X of
rank s ≤ λ = 1, so we take  
1 α
S= ,
0 1

61
and for simplicity  
0 0 1 0 0
 

1 0 0 0 0

 
P = 0 0 ,
 
1 0 0
 
 
0 0 0 0 1
 
0 0 0 1 0
and  
1
X= 
α2 + 1
We compute that
 
α + 1 α 3 + α α3 + α + 1 α4 + α3 + α2 1
G′ = S[X | G]P =  .
1 α2 α2 + 1 α3 + α α4

The public key is the pair

P = (G′ , 1),
the secret key is
P = (G, S, X, P).
We want to encrypt the message

m = (α + 1, α2 + 1).

We choose the error vector

e = (α3 + 1, 0, α3 + 1, α3 + 1, 0),

and compute

c = mG′ + e = (α3 + 1, α3 + α, α2 + 1, α3 + α2 + α + 1, α4 + α3 + 1).

To decrypt c, we compute

c′ = cP−1 = (α2 + 1, α3 + 1, α3 + α, α4 + α3 + 1, α3 + α2 + α + 1),

and use the decoding algorithm of Gabidulin codes to get

mS = (α + 1, α + 1),

and by multiplying with  

1 α
S−1 =  
0 1
we recover m.

62
4 Code-based Signature Schemes
We give two approaches of building a code-based signature, one is following the hash-and-sign
approach [138] of the CFS scheme [99], which can also be adapted to the rank metric and the
second one is through code-based ZK protocols, which can be turned into signature schemes
via the Fiat-Shamir transform.
We later discuss their benefits and limitations, but in summary, hash-and-sign schemes
often suffer from large public keys and distinguishing attacks, while signature schemes from
ZK protocols suffer from large signature sizes. In Section 7.2 we will then present the novel
submission to the additional standardization process of NIST and the respective solutions to
these drawbacks.

4.1 Hash-and-Sign
Hash-and-sign schemes follow directly the usual approach of transforming a public-key en-
cryption scheme into a signature scheme.
In fact, a public key encryption scheme relies on a trapdoor function f , which is easy to
compute and hard to invert. For the public key encryption scheme one applies f on a message
m and gets the cipher c = f (m). In order to recover the message, an attacker has to invert f ,
which is mathematically a hard problem. However, the constructor with the secret key has
access to f −1 .
Similarly, in a signature scheme, one can use the same trapdoor function f , or equivalently
the hard problem of computing f −1 . However, only the signer should have access to the
secret key and be able to sign in her name, thus, upon a message m the signer computes
the signature σ = f −1 (m) and everyone can verify the signature as f (σ) = m. For an
impersonator, however, to find a valid signature for a message is difficult.
We present the first such code-based hash-and-sign scheme, CFS [99], and its rank-metric
counterpart RankSign [27].

4.1.1 CFS Scheme

We present the CFS scheme as framework in Table 14.
In the CFS scheme, one starts with a message m to sign, and hopes that the hash of this
message is the syndrome of a low weight vector, i.e., Hash(m) = eH⊤ for wtH (e) ≤ t.
However, not many vectors are syndromes of low weight vectors.
Exercise 172. Show that in order for any vector to be a syndrome of a vector of weight up to
(d − 1)/2, we require a perfect code.
Since Hash(m) is very likely not a syndrome of a vector of weight up to t, one introduces
a counter i. That is, one checks whether Hash(m, i) = eH⊤ for some e of weight up to t, and
if this is not the case one chooses a different i.
For certain codes, this requires many iterations, which makes the signing process slow.
Thus, the authors of [99] propose the use of the only family of codes, which is suitable for
such an approach, namely high rate Goppa codes. In fact, high rate Goppa codes provide the
existence of such error vectors for a non-negligible proportion of syndromes.
Unfortunately, the use of high rate Goppa codes is not safe, due to the distinguisher in
[119]. Note that this distinguisher does not break the CFS scheme in general, as it only proves

63
that one of the two problems to which the security of the CFS scheme reduces can be solved
in polynomial time.
(n−k)×n
In the key generation process, one chooses a parity-check matrix H ∈ F2 of a binary
code that can efficiently correct t errors. One then hides the parity-check matrix as in the
Niederreiter framework, by choosing an n×n permutation matrix P and computing H′ = HP.
The public key is then given by P = (H′ , t) and the secret key by S = (H, P).
In the signing process, given a message m, one first chooses randomly i and uses the
decoding algorithm of C to find e, such that wtH (e) ≤ t and

eH⊤ = Hash(m, i),

if possible. The signature is then given by σ = (i, eP).

In the verification, the verifier checks that wtH (eP) ≤ t and if

ePH′⊤ = Hash(m, i).

Recall that Hash is a publicly known hash function.

Table 14: CFS

PROVER VERIFIER

KEY GENERATION
Choose a parity-check matrix H ∈
(n−k)×n
F2 of C, with error correction
capacity t
Choose an n × n permutation ma-
trix P
Compute H′ = HP. The public key
is then given by P = (H′ , t)
and the secret key by S = (H, P)
P
−→
SIGNING
Given a message m, choose random
i
Use the decoding algorithm of C to
find e, with wtH (e) ≤ t and eH⊤ =
Hash(m, i)
Sign as σ = (i, eP)
m,s
−−→
VERIFICATION
Check if wtH (eP) ≤ t and if
ePH′⊤ = Hash(m, i).

64
Exercise 173. Show that ePH′⊤ = Hash(m, i).
Remark 174. The signing time is inversely related to the proportion of vectors, which are
syndromes of error vectors of weight t ≤ d−1
2 and this proportion scales badly with the error
correction capacity of the code.
The benefits of the hash-and-sign approach is that the signature is a single vector and
thus quite small.
The public key on the other hand, is, as in the McEliece framework, a scrambled secret
parity-check matrix, and thus of size (n − k)k bits.
Additionally, the schemes can be vulnerable to distinguishers, i.e., an attacker might
retrieve the secret code, as seen in [99].

Example 175. Let us consider also here a small toy example. Let F8 = F2 [α] and α3 = α + 1.
Let us consider the Goppa polynomial

g(x) = x2 + x + 1

and the evaluation points

1, α, α + 1, α2 , α2 + α, α2 + 1, α2 + α + 1.

We can compute

g(1)−1 = 1,
g(α)−1 = g(α + 1)−1 = α2 ,
g(α2 )−1 = g(α2 + 1)−1 = α2 + α,
g(α2 + α)−1 = g(α2 + α + 1)−1 = α.

Then,
 
1 1 1 1 1 1 1
H̃ =   diag(1, α2 , α2 , α2 + α, α, α2 + α, α)
2 2 2
1 α α+1 α α +α α +1 α +α+1 2
 
1 α 2 α 2 2
α +α α 2
α +α α
= .
2 2 2
1 α+1 α +α+1 α +1 α +α+1 α+1 α +1 2

Using the basis Γ = {1, α, α2 }, the parity-check matrix of the Goppa code is then
 
1 0 0 0 0 0 0
 
0 0 0 1 1 1 1
 
 
 
0 1 1 1 0 1 0
H= 
.

1 1 1 1 1 1 1
 
 
0 1 1 0 1 1 0
 
0 0 1 1 1 0 1

65
The Goppa code ⟨H⟩⊥ has minimum distance at least 3, and can thus correct at least t = 1
error.
The prover chooses the permutation matrix P, permuting the first two columns and
publishes  
0 1 0 0 0 0 0
 
0 0 0 1 1 1 1
 
 
 
′
1 0 1 1 0 1 0
H = 
.

1 1 1 1 1 1 1
 
 
1 0 1 0 1 1 0
 
0 0 1 1 1 0 1
Note that any syndrome of a weight 1 vector is simply given by one column of H. Thus, there
exist 7 possible syndromes.
Given a message m and a random i = (1, 0, 1, 1), the prover computes the hash of (m, i).
We assume that the hash function outputs (1, 0, 1, 0, 0, 1, 0).
Unfortunately, this is not a syndrome of a weight one vector. The prover chooses a different
i and gets the hash (1, 0, 0, 1, 0, 0). Using the syndrome decoder of the Goppa code, the prover
finds
e = (0, 1, 0, 0, 0, 0, 0)
and computes the signature
σ = (i, (1, 0, 0, 0, 0, 0, 0)).

The verifier checks that eP has indeed weight 1 and computes

 ⊤
0 1 0 0 0 0 0
 
0 0 0 1 1 1 1
 
 
 
1 0 1 1 0 1 0
ePH′⊤ = (1, 0, 0, 0, 0, 0, 0) 

 = (1, 0, 1, 0, 0, 1, 0).

1 1 1 1 1 1 1
 
 
1 0 1 0 1 1 0
 
0 0 1 1 1 0 1

The verifier accepts the signature as

Hash(m, i) = (1, 0, 1, 0, 0, 1, 0).

The random i, is usually chosen as a seed, denoted by seed ∈ {0, 1}ℓ .

66
4.1.2 RankSign
RankSign [27], as a framework, is the rank-metric analog of CFS. The authors propose to use
augmented LRPC codes over an extension field Fqm and introduce a mixture of erasures and
errors, which can be efficiently decoded.
In the key generation process, instead of hiding the parity-check matrix H of the LRPC
code over Fqm as usual, i.e., using SHP, where S ∈ GLn−k (q m ) and P ∈ GLn (q), we first add
some random columns to H. This is similar to the scrambling used in the GPT system.

Table 15: RankSign

PROVER VERIFIER

KEY GENERATION
Choose S ∈ GLn−k (q m ), P ∈
GLn+t (q),
(n−k)×t′
Choose r, ℓ ∈ N, X ∈ Fqm
(n−k)×n
Choose H ∈ Fqm a parity-
check matrix of a LRPC code
Compute H′ = S(X | H)P
The keys are given by S =
(S, P, X, H),
and P = (H′ , ℓ, r)
P
−→
SIGNING
Choose ẽ ∈ Ftqm and a message m
Choose seed ∈ {0, 1}ℓ
Compute m′ = Hash(m | seed)
Set s′ = m′ (S−1 )⊤ − ẽX⊤
Find e′ , such that wtR (e′ ) = r and
e′ H⊤ = s′
m,σ
Set e = (ẽ | e′ )(P⊤ )−1 and σ = −−→
(e, seed)
VERIFICATION
Check if wtR (e) = r and if
eH′⊤ = Hash(m, seed)

(n−k)×t′
Let S ∈ GLn−k (q m ), P ∈ GLn+t (q) and X ∈ Fqm . Typically one sets t′ = t, but one
could also use other choices.
Then, one hides H by computing H′ = S(X | H)P.
While H′ and some integer ℓ are publicly known, the secret key is given by X, H, S, P.
In the signing process, one first chooses randomly ẽ ∈ Ftqm and hashes a message m and
a seed, denoted by seed ∈ {0, 1}ℓ to get m′ = Hash(m | seed) ∈ Fqn−k
m .

67
 Then one sets a syndrome
s′ = m′ (S−1 )⊤ − ẽX⊤
and tries to syndrome decode this syndrome s′ using H.
If one succeeds, that is, there exists a e′ ∈ Fnqm of rank weight r = t + r′ and such that

e′ H⊤ = s′ ,

then one defines

e = (ẽ | e′ )(P⊤ )−1
and sets the signature
σ = (e, seed).
If not, this process needs to be repeated until one succeeds.
In the verification, the verifier checks that wtR (e) = r = t + r′ , and if

eH′⊤ = m′ = Hash(m | seed).

Exercise 176. Show that eH′⊤ = m′ .

We want to note here that this signature scheme was later attacked in [111].

4.2 Code-Based ZK Protocols

As described in Section 2.3.5, digital signature schemes can be constructed from a ZK protocol
using the Fiat-Shamir transform [122]. In this section, we present two famous ZK protocols
for this purpose, namely the scheme by Cayrel, Véron and El Yousfi Alaoui (CVE) [90] and
scheme by Aguilar, Gaborit and Schrek (AGS) [3].
The CVE scheme [90] is an improvement of Stern’s [252] and Véron’s [261] protocols,
which are both based on the hardness of decoding a random binary code [68]. The CVE
scheme relies on codes over a large finite field. With this choice, the cheating probability for
q
a single round is reduced from 2/3 of Stern’s 3-pass scheme to 2(q−1) .
The idea of the scheme is the following: the secret key is given by a random error vector
of weight t and the public key is a parity-check matrix together with the syndrome of this
error vector. The challenges are requesting either a response that shows that the error vector
has indeed weight t or a response that shows that the error vector solves the parity-check
equations.
The scheme is of large interest, as it uses an actual random linear code, which is possible
since no decoding process is required. The security of this scheme, thus, fully relies on the
hardness of decoding a random linear code and not on the indistinguishability of a secret
code.

n
Let σ be a permutation of {1, . . . , n} and for v ∈ F⋆q and a ∈ Fnq we denote by

σv (a) = σ(v) ⋆ σ(a),

where ⋆ denotes the component-wise product.

We now show how the communication cost of this scheme is derived, following the rea-
soning of [42].

68
 Table 16: CVE Scheme

PROVER VERIFIER

KEY GENERATION
Choose the parameters q, n, k, t and
a hash function Hash
Choose e ∈ BH (t, n, q) and a
parity-check matrix
(n−k)×n
H ∈ Fq . Compute the syn-
drome
s = eH⊤ ∈ Fn−k
q .
P
The public key is given by P = −→
(H, s, t)
VERIFICATION
Choose u ∈ Fnq , a permutation σ,
n
v ∈ (F×
q )

Set c0 = Hash σ, v, uH⊤

Set c1 = Hash σv (u), σv (e)
c0 ,c1
−−−→
Choose z ∈ F⋆q
z
←−
−
Set y = σv (u + ze)
y
−→
Choose b ∈ {0, 1}
b
←−
−
If b = 0, set r = (σ, v)
If b = 1, set r = σv (e)
r
−→
If b = 0, accept if
c0 = Hash σ, v, σv−1 (y)H⊤ − zs

or
If b = 1, accept if wtH (σv (e)) = t and


c1 = Hash y − zσv (e), σv (e)

In order to represent a vector of length n and Hamming weight t over Fq , we can either
use the full vector, which requires n ⌈log2 (q)⌉ bits, or just consider its support, together with
the ordered non-zero entries, resulting in


t ⌈log2 (n)⌉ + ⌈log2 (q − 1)⌉

69
bits. Thus the most convenient choice for a given set of parameters n, t and q is


ψ(n, q, t) = min{n ⌈log2 (q)⌉ , t ⌈log2 (n)⌉ + ⌈log2 (q − 1)⌉ }.
Since random objects, such as the monomial transformation, are completely determined by
the seed for the pseudo-random generator, they can also be compactly represented as such,
whose length is denoted by lSeed . Also the length of the hash values will be denoted by lHash .
Using the compression technique for N rounds of the protocol we get the following average
communication cost:
 
ψ(n, q, t) + lSeed
lHash + N ⌈log2 (q − 1)⌉ + n ⌈log2 (q)⌉ + 1 + lHash + .
2
For the maximal communication cost, we take the maximum size of the response, and thus
we obtain
 
lHash + N ⌈log2 (q − 1)⌉ + n ⌈log2 (q)⌉ + 1 + lHash + max{ψ(n, q, t) , lSeed } .

Let us fix t = ⌊(dH − 1)/2⌋, for dH denoting the minimum distance of the Gilbert-
Varshamov bound. The authors of [90] have used the analysis due to Peters [214] to estimate
the information set decoding complexity, and have proposed two parameters sets:
- q = 256, n = 128, k = 64, t = 49, for 87-bits security, having a communication cost of
3.472 kB;
- q = 256, n = 208, k = 104, t = 78, for 128-bits security, having a communication cost
of 43.263 kB.
Exercise 177. Show the zero-knowledge property and the completeness property for the CVE
scheme.
An easy attempt for an impersonator would be to guess the challenge b before sending
the commitments.
Thus, the strategy if we guess b = 0, would be to choose an error vector e′ , which satisfies
the parity-check equations, that is
s = e′ H⊤ ,
and to forget about the weight condition. This can easily be achieved using linear algebra.
We denote by s0 the strategy for b = 0, which in detail requires to choose randomly u′ , σ ′
and v′ according to the scheme and to send the commitments c′0 = Hash(σ ′ , v′ , u′ H⊤ ) and
a random c′1 . When the impersonator received a z ∈ F⋆q , the impersonator now computes y′
according to the cheating error vector e′ , i.e.,
y′ = σv′ ′ (u′ + ze′ ).
The impersonator wins, if the verifier now asks for b = 0, since the verifier will check
−1
c′0 = Hash(σ ′ , v′ , σv′ ′ (y′ )H⊤ − zs)
−1
= Hash(σ ′ , v′ , σv′ ′ (σv′ ′ (u′ + ze′ ))H⊤ − zs)
= Hash(σ ′ , v′ , (u′ + ze′ )H⊤ − zs)
= Hash(σ ′ , v′ , u′ H⊤ + ze′ H⊤ − zs)
= Hash(σ ′ , v′ , u′ H⊤ + zs − zs).

70
If the verifier asks for b = 1, the impersonator looses.
Whereas the strategy if we guess b = 1, would be to choose an error vector e′ , which has the
correct weight, i.e., wtH (e′ ) = t, but does not satisfy the parity-check equations. We denote
by s1 the strategy for b = 1, which in detail requires to choose randomly u′ , σ ′ and v′ according
to the scheme and to send the commitments: a random c′0 and c′1 = Hash(σv′ ′ (u′ ), σv′ ′ (e′ )).
When the impersonator received a z ∈ F⋆q , the impersonator now computes y′ according to
the cheating error vector e′ , i.e.,
y′ = σv′ ′ (u′ + ze′ ).
The impersonator wins, if the verifier now asks for b = 1, since the verifier will check if
wtH (σv′ ′ (e′ )) = t and

c′1 = Hash(y′ − zσv′ ′ (e′ ), σv′ ′ (e′ ))

= Hash(σv′ ′ (u′ + ze′ ) − zσv′ ′ (e′ ), σv′ ′ (e′ ))
= Hash(σv′ ′ (u′ ) + σv′ ′ (ze′ ) − zσv′ ′ (e′ ), σv′ ′ (e′ )).

If the verifier asks for b = 0, the impersonator looses.

With this easy strategy, one would get a cheating probability of 1/2, which just corresponds
to choosing the challenge b correctly. However, by also guessing z correctly one can improve
the above strategy.
q
Proposition 178. The cheating probability of the CVE scheme is 2(q−1) .

Proof. We modify the easy strategies si , following [90]:

Let us denote by s′0 the improved strategy on s0 , which works as follows: recall that
e′ is chosen such that the parity-check equations are satisfied but not the weight condition.
Instead of randomly choosing the commitment c′1 , we choose a z ′ ∈ F⋆q and a second cheating
error vector ẽ of weight t, we compute a ỹ = σv′ ′ (u′ + z ′ e′ ) with this guess and compute

c′1 = Hash(ỹ − z ′ ẽ, ẽ).

When we receive a z from the verifier, we check if we made the correct choice, that is: if
z = z ′ , we send the pre-computed ỹ, and if z ̸= z ′ we compute y′ = σv′ ′ (u′ + ze′ ). If the
verifier asks for b = 0, we use the usual strategy of s0 and will get accepted, as before. If the
verifier asks for b = 1, we send as answer ẽ. If we have guessed correctly and z = z ′ , we will
get accepted also in this case as

c′1 = Hash(b̃y − zẽ, ẽ)

by definition.
Let us denote by s′1 the improved strategy on s1 , which works as follows: recall that e′
is chosen having the correct weight. Instead of randomly choosing the commitment c′0 , we
choose a z ′ ∈ F⋆q and compute a ỹ = σv′ ′ (u′ + z ′ e′ ) with this guess and compute

c′0 = Hash(σ ′ , v′ , u′ H⊤ + z ′ (e′ H⊤ − s)).

When we receive a z from the verifier, we check if we made the correct choice, that is: if
z = z ′ , we send the pre-computed ỹ, and if z ̸= z ′ we compute y′ = σv′ ′ (u′ + ze′ ). If the
verifier asks for b = 1, we use the usual strategy of s1 and will get accepted. If the verifier

71
asks for b = 0, we send as answer (σ ′ , v′ ). If we have guessed correctly and z = z ′ , we will get
accepted also in this case as
−1
c′0 = Hash(σ ′ , v′ , σv′ ′ (y′ )H⊤ − zs)
−1
= Hash(σ ′ , v′ , σv′ ′ (σv′ ′ (u′ + z ′ e′ ))H⊤ − zs)
= Hash(σ ′ , v′ , (u′ + z ′ e′ )H⊤ − zs)
= Hash(σ ′ , v′ , u′ H⊤ + z ′ e′ H⊤ − zs)
= Hash(σ ′ , v′ , u′ H⊤ + z ′ s − zs).
Thus, the probability that an impersonator following the strategy s′i will get accepted is
given by
1 1 1 q
P (b = i) + P (b = 1 − i) · P (z = z ′ ) = + · = ,
2 2 q−1 2(q − 1)
which concludes this proof.
The second ZK protocol we want to present is the scheme by Aguilar, Gaborit and Schrek
[3], which we will denote by AGS. This scheme is constructed upon quasi-cyclic codes over
F2 . Let us consider a vector a ∈ Fjk
2 divided into j blocks of k entries each, that is,
 
(1) (1) (j) (j)
a = a1 , . . . , ak , . . . , a1 , . . . , ak .

(k)
Let ρi denote a function that performs a block-wise cyclic shift of a by i positions, i.e.,
 
(k) (1) (1) (j) (j)
ρi (a) = a1−i mod k , . . . , ak−i mod k , . . . , a1−i mod k , . . . , ak−i mod k .

The idea is similar to that of the CVE scheme, but working with the generator matrix
instead.
The secret key consists of a message and an error vector, while the public key consists of
an erroneous codeword and the generator matrix. The challenges either require the proof of
the error vector having the correct weight or of the knowledge of the message.
When performing N rounds, the average communication cost is
 
lSeed + k + n + ψ(n, t, 2)
lHash + N ⌈log2 (k)⌉ + 1 + 2lHash + ,
2
while the maximum communication cost is
 
lHash + N ⌈log2 (k)⌉ + 1 + 2lHash + max{lSeed + k , n + ψ(n, t, 2)} .

In [3], three parameters sets are proposed:

- n = 698, k = 349, t = 70, for 81-bits security, having a communication cost of 2.5 kB;
- n = 1094, k = 547, t = 109, for 128-bits security, with communication cost of 28 kB.
Exercise 179. Show the zero-knowledge property and completeness for the AGS scheme.
We remark that in a code-based ZK protocol one does not require a code with an efficient
decoding algorithm. Which stands in contrast to the requirements for many of the code-based
public-key encryption schemes. Thus, choosing a random code the security of such schemes
is much closer related to the actual NP-hard problem of decoding a random linear code.

72
 Table 17: AGS Scheme

PROVER VERIFIER

KEY GENERATION
Choose the parameters n, k, t and a
hash function Hash
Choose m ∈ Fk2 and e ∈ BH (t, n, 2)
and
generator matrix G ∈ Fk×n
2 .
Compute the erroneous codeword
c = mG + e ∈ Fn2
P
The public key is given by P = −→
(G, c, t)
VERIFICATION
Choose u ∈ Fk2 ,
a permutation σ


Set c0 = Hash σ


Set c1 = Hash σ(uG)
c0 ,c1
−−−→
Choose z ∈ {1, . . . , k}
z
←−
−
(k)

Set c2 = Hash σ(uG + ρz (e))
c2
−→
Choose b ∈ {0, 1}
b
←−
−
(k)
If b = 0, set r = (σ, u + ρz (m))
If b = 1, set r =
(k)
(σ(uG), σ(ρz (e)))
r
−→


If b = 0, accept if c0 = Hash σ and
(k) (k)

c2 = Hash (u + ρz (m))G + ρz (c)
(k)
If b = 1, accept if wtH (ρz (e)) = t


and c1 = Hash σ(uG) and
(k)

c2 = Hash σ(uG) + σ(ρz (e))

Clearly, using any of the two code-based ZK protocols presented above and the Fiat-
Shamir transform one immediately gets a signature scheme.

73
5 Security Analysis
In the security analysis of a cryptographic scheme we make a difference between two main
attack approaches:

1. structural attacks,

2. non-structural attacks.

A structural attack aims at exploiting the algebraic structure of the cryptographic system.
Whereas a non-structural attack tries to combinatorically recover the message or the secret
key without exploiting any algebraic structure.
For example the security of the McEliece and Niederreiter type of cryptosystems rely on
two assumptions. The first one being

The public code is not distinguishable from a random code.

A structural attack would usually aim at exactly this assumption, and try to recover the
secret code, if the scrambled public version of it does not behave randomly.
Clearly, structural or algebraic attacks heavily depend on the chosen secret codes for the
cryptosystem, if the system depends on an algebraic code that is efficiently decodable, and is
not attacking the presented frameworks in general.
Assuming that this first assumption is met, however, the security of most code-based
cryptosystems relies also on this second assumption

Decoding a random linear code is hard/ infeasible.

A non-structural attack on the McEliece cryptosystem would, thus, assume that the public
code is in fact random, and rather try to decode this random code.
In general we also speak of attacks in terms of: key-recovery attacks, where an attacker
tries to recover the secret key (usually structural attacks), and message-recovery attacks,
where an attacker directly tries to decrypt the cipher without first recovering the secret key.
Code-based cryptography is rapidly advancing and new cryptosystems are basing their
security on novel problems from algebraic coding theory.
In the following we list the main problems used in cryptography and discuss their hardness.

5.1 Problems from Coding Theory

The most prominent problem in algebraic coding theory is the decoding problem:
Problem 180. Decoding Problem (DP) Let Fq be a finite field and k ≤ n be positive
integers. Given G ∈ Fk×nq , r ∈ Fnq and t ∈ N, is there a vector m ∈ Fkq and e ∈ Fnq of weight
less than or equal to t such that r = mG + e?
Note that the DP formulated through the generator matrix is equivalent to the syndrome
decoding problem, which is formulated through the parity-check matrix.
Problem 181. Syndrome Decoding Problem (SDP) Let Fq be a finite field and k ≤ n
(n−k)×n
be positive integers. Given H ∈ Fq , s ∈ Fqn−k and t ∈ N, is there a vector e ∈ Fnq such
that wtH (e) ≤ t and eH⊤ = s?

74
 These two problems are also equivalent to the Given Weight Codeword Problem:
Problem 182. Given Weight Codeword Problem (GWCP)
Let Fq be a finite field and k ≤ n be positive integers. Let k ≤ n be positive integers. Given
(n−k)×n
H ∈ Fq and w ∈ N, is there a vector c ∈ Fnq such that wtH (c) = w and cH⊤ = 0n−k ?
Theorem 183. The DP, SDP and GWCP are equivalent.
Proof. Let us start with showing that the DP and SDP are equivalent. For this we start with
an instance of DP, i.e., G, r, t. We can then transform this instance to an instance of the
SDP. In fact, we can bring G into systematic form, that is
 
G′ = Idk A

and immediately get a parity-check matrix for the same code

 
H = −A⊤ Idn−k .

We can then multiply H to the received vector r = mG + e, getting the syndrome

s = rH⊤ = eH⊤ .

Hence, if we can solve the SDP on the instance H, s, t, thus finding e, we have also solved
DP.
On the other hand, given an instance of SDP, i.e., H, s, t, we can find an instance of DP.
In fact, we can bring H into systematic form and read of a generator matrix G for the same
code. We can now solve xH⊤ = s and since this is a linear system of n − k equations in
n unknowns, we get N = q k possible solutions for x1 , . . . , xN . Note that for each of the q k
codewords c1 , . . . , cN , we have that ci +e is a possible solution. Thus, each of the q k solutions
xi correspond to some ci + e. Hence, any of the solutions xi can be used as received vector
r and we have recovered an instance of DP, as G, r, t. Hence, solving DP, i.e., finding e, also
solves the SDP instance.
Finally, it is enough to show that DP and SDP are also equivalent to GWCP.
Given an instance of DP, i.e., G, r, t we can add r as a row to the generator matrix, getting
 
G
G′ =   .
r

Note that the code generated by G′ is also generated by

 
G
 ,
e

as r = mG + e. The new code of dimension k + 1 has now as lowest weight codeword e of

weight t. Hence, we can compute the corresponding parity-check matrix H′ and solving the
GWCP on the instance H′ , t we recover the solution e to the DP instance.
On the other hand, given an instance H, w of GWCP, we can define an instance of SDP,
by taking the same parity-check matrix and setting the syndrome s = 0. Thus, a solver for
SDP, searching for a weight w vector e with eH⊤ = 0 also solves the GWCP instance.

75
 These three equivalent problems are the main problems used for code-based cryptography
and will thus be the main focus of the survey. In the next section, we show that the DP,SDP
and GWCP are NP-complete [68, 58].
There are, however, also other hard problems in coding theory. Recall from Section 2,
that there are several notions of code equivalence in the Hamming metric. In the lightest
version, we ask for two codes to be permutation equivalent.
Problem 184 (Permutation Equivalence Problem (PEP)). Given G, G′ ∈ Fk×n
q , find φSn ,
such that φ(⟨G⟩) = ⟨G′ ⟩.
This problem is clearly contained in the linear equivalence problem.
Problem 185 (Linear Equivalence Problem (LEP)). Given G, G′ ∈ Fqk×n , find φ ∈ (F⋆q )n ⋊ Sn ,
such that φ(⟨G⟩) = ⟨G′ ⟩.
On the other hand, we can also ask for a subcode-equivalence.
(n−k′ )×n
Problem 186 (Permuted Kernel Problem (PKP)). Given G ∈ Fk×n
q , H′ ∈ Fq find a
permutation matrix P such that H′ (GP)⊤ = 0.
This problem has first been introduced by Shamir in [242] and was formulated through
parity-check matrices, thus the name permuted kernel. In [235] it has been observed, that the
formulation of [242] is indeed equivalent to the subcode-equivalence problem.
′
Problem 187 (Subcode Equivalence Problem (SEP)). Given G ∈ Fk×n
q , G′ ∈ Fkq ×n , find
′
permutation matrix P such that ⟨G ⟩ ⊂ ⟨GP⟩.
Exercise 188. Show that PKP is equivalent to SEP.
In the following, we will thus only use the subcode equivalence formulation, also for PKP.

There also exists a relaxed version on PKP, which only asks to find a subcode of dimension
1.
′
Problem 189 (Relaxed PKP). Given G ∈ Fk×n
q , G′ ∈ Fkq ×n , find x ∈ Fkq and a permutation
matrix P such that xGP ∈ ⟨G′ ⟩.
Since PKP only asks for permutation equivalence it contains PEP and clearly, PKP con-
tains the Relaxed PKP.
The different code equivalence problems have a strong relation to the graph isomorphism
problem and live in different complexity classes, which we will exploit in the next section.
Clearly, one can also consider the decoding problem or the code equivalence problem in a
different metric.
Let us start with the Rank-metric analogue of the SDP.
Problem 190 (Rank SDP). Let Fqm be a finite field and k ≤ n be positive integers. Given
(n−k)×n
H ∈ Fq m , s ∈ Fn−k n
q m and t ∈ N, is there a vector e ∈ Fq m such that wtR (e) ≤ t and
⊤
eH = s?
Again, Rank SDP is equivalent to Rank DP or Rank GWCP, as the equivalence is inde-
pendent of the metric. In [133] the authors provide a randomized reduction from the SDP to
Rank SDP. While this gives great evidence of the hardness of the Rank SDP, it remains one
of the largest open problems in code-based cryptography whether Rank SDP is NP-complete
or not.

76
 We do get a different problem, however, when considering Fq -linear codes, i.e., matrix
codes.
Problem 191 (MinRank Problem). Given G1 , . . . , Gk ∈ Fm×n
q t ∈ N and R ∈ Fm×n
q , find
E ∈ Fqm×n of rank at most t, such that

R = λ1 G1 + · · · + λk Gk + E,

for some λ1 , . . . , λk ∈ Fq .
The MinRank problem is simply the DP for Fq -linear codes in the rank metric and clearly
equivalent to the respective SDP and GWCP. Note that unlike the Rank SDP, dealing with
Fqm -linear codes, the MinRank problem is known to be NP-complete. We will see the proof
in the next section and first cover some more hard problems.
Problem 192 (Lee SDP). Let Fp be a prime field and k ≤ n be positive integers. Given
(n−k)×n
H ∈ Fp , s ∈ Fn−k
p and t ∈ N, is there a vector e ∈ Fnp such that wtL (e) ≤ t and
eH⊤ = s?
The Lee SDP (again equivalent to Lee DP and Lee GWCP) has been proven to be NP-
complete in [266]. Thus, marking the Lee metric as a promising alternative for the Hamming
metric.
Problem 193 (Restricted SDP). Let Fp be a prime field, g ∈ Fp have prime order z and define

E = {g i | i ∈ {0, . . . , z − 1}}.
(n−k)×n
Let k ≤ n be positive integers. Given H ∈ Fp and s ∈ Fn−k
p , is there a vector e ∈ En
such that eH⊤ = s?
The Restricted SDP is not exactly the SDP with a different metric, but rather than asking
for e to have a certain weight, the Restricted SDP asks for all entries of e to live in a restricted
set E. Hence, we keep the linear condition eH⊤ = s and exchanged the non-linear constraint
wt(e) ≤ t with e ∈ En . In the next section, we give a proof on the NP-hardness of the
Restricted SDP.

5.2 NP-completeness
In this section, we give the definitions of several complexity classes and the techniques in
order to show that a problem belongs to such complexity class. We then show that DP (and
thus also SDP and GWCP) are NP-complete. We also provide the reduction of PEP to graph
isomorphism.
Let us start with a small introduction to complexity theory.
Let P denote a problem. In order to estimate how hard it is to solve P we have two main
complexity classes.

Definition 194. P denotes the class of problems that can be solved by a deterministic Turing
machine in polynomial time.

The concept of deterministic and non-deterministic Turing machines will exceed the scope
of this chapter, just note that ”can be solved by a deterministic Turing machine in polynomial
time” is the same as our usual ”can be solved in polynomial time”.

77
Example 195. Given a list S of n integers and an integer k, determine whether there is an
integer s ∈ S such that s > k? Clearly, this can be answered by going through the list and
checking for each element whether it is greater than k, thus it has running time at most n
and this problem is in P.

Definition 196. NP denotes the class of problems that can be solved by a non-deterministic
Turing machine in polynomial time.

Thus, in contrary to the popular belief that NP stands for non-polynomial time, it actually
stands for non-deterministic polynomial time. The difference is important: all problems in P
live inside NP!
To understand NP better, we might use the equivalent definition: A problem P is in NP
if and only if one can check that a candidate is a solution to P in polynomial time.
The example from before is thus also clearly in NP, since if given a candidate a, we can
check in polynomial time whether a ∈ S and whether a > k.
There are, however, interesting problems which are in NP, but we do not know whether
they are in P. Let us change the previous example a bit.

P Given a list S of n integers and an integer k, is there a set of integers T ⊆ S,

Example 197.
such that t = k? Since there are exponentially many subsets of S, there is no known
t∈T
algorithm to solve this problem in polynomial time and thus, we do not know whether it lives
P if given a candidate T , we can check in polynomial time if all t ∈ T are also in S
in P. But,
and if t = k, which clearly places this problem inside NP.
t∈T
The most important complexity class, for us, will be that of NP-hard problems. In order
to define this class, we first have to define polynomial-time reductions.
A polynomial-time reduction from R to P follows the following steps:

1. take any instance I of R,

2. transform I to an instance I ′ of P in polynomial time,

3. assume that (using an oracle) you can solve P in the instance I ′ in polynomial time,
getting the solution s′ ,

4. transform the solution s′ in polynomial time to get a solution s of the problem R in the
input I.

The existence of a polynomial-time reduction from R to P, informally speaking, means that

if we can solve P, we can also solve R and thus solving P is at least as hard as solving R.

Definition 198. P is NP-hard if for every problem R in NP, there exists a polynomial-time
reduction from R to P.

Informally speaking this class contains all problems which are at least as hard as the
hardest problems in NP.
Example 199. One of the most famous examples for an NP-hard problem is the subsetP sum
problem: given a set of integers S, is there a non-empty subset T ⊆ S, such that t = 0?
t∈T

78
 We want to remark here, that NP-hardness is only defined for decisional problems, that
are problems of the form ”decide whether there exists..” and not for computational/search
problems, that are problems of the form ”find a solution..”. However, considering for example
the SDP, in its decisional version, it asks whether there exists error vector e with certain con-
ditions. If one could solve the computational problem, that is to actually find such an error
vector e in polynomial time, then one would also be able to answer the decisional problem in
polynomial time. Thus, not being very rigorous, we call also the computational SDP NP-hard.

In order to prove that a problem P is NP-hard, fortunately we do not have to give a

polynomial-time reduction to every problem in NP: there are already problems which are
known to be NP-hard, thus it is enough to give a polynomial-time reduction from an NP-
hard problem to P.
Finally, NP-completeness denotes the intersection of NP-hardness and NP.

Definition 200. A problem P is NP-complete, if it is NP-hard and in NP.

Another complexity class is given by AM, respectively MA. In this class live the problems
that can be decided through an Arthur-Merlin protocol. (The only difference between AM
and MA is whether Arthur or Merlin first sends a message).
The protocol is similar to the ZK protocol we have seen before, with the prover Merlin
and the verifier Arthur. The protocol is a 3 pass protocol and does not need to have the
ZK property. The main difference lies in the power of the two parties: while Arthur still has
polynomial computational power, Merlin has infinite computation power (indeed Merlin is a
wizard).
We say that a problem P can be decided by the AM protocol if Merlin is able to convince
Arthur that the answer upon the instance I is ”no”. Merlin might be cheating, i.e., the answer
to I is actually ”yes”, and we allow for a soundness error of ≤ 1/3.
No NP-hard problem can live in AM, else we have AM=PH (the polynomial hierarchy)
and this implies a collapse of polynomial hierarchy.

5.2.1 Decoding Problem

Berlekamp, McEliece and van Tilborg famously proved in [68] the NP-completeness of the
syndrome decoding problem for the case of binary linear codes equipped with the Hamming
metric. In [58], Barg generalized this proof to an arbitrary finite field. Finally, the NP-
hardness proof has been generalized to arbitrary finite rings endowed with an additive weight
in [266], thus including famous metrics such as the homogeneous and the Lee metric.
In this section we provide the proof of NP-completeness for the SDP as in [58].

Problem 201. Syndrome Decoding Problem (SDP) Let Fq be a finite field and k ≤ n
(n−k)×n
be positive integers. Given H ∈ Fq , s ∈ Fqn−k and t ∈ N, is there a vector e ∈ Fnq such
that wtH (e) ≤ t and eH⊤ = s?
Note that the SDP is clearly in NP: given a candidate vector e we can check in polynomial
time if wtH (e) ≤ t and if eH⊤ = s. Thus, we are only left with showing the NP-hardness of the
SDP through a polynomial-time reduction. For this, we choose the 3-dimensional matching
(3DM) problem, which is a well-known NP-hard problem.

79
Problem 202. 3-Dimensional Matching (3DM) Problem
Let T be a finite set and U ⊆ T × T × T . Given U, T , decide if there exists a set W ⊆ U such
that | W |=| T | and no two elements of W agree in any coordinate.

Proposition 203. The SDP is NP-complete.

For the proof of Proposition 203 we follow closely [266].

Proof. We prove the NP-completeness by a polynomial-time reduction from the 3DM problem.
For this, we start with a random instance of 3DM with T of size t, and U ⊆ T × T × T of
size u. Let us denote the elements in T = {b1 , . . . , bt } and in U = {a1 , . . . , au }. From this we
build the matrix H⊤ ∈ Fu×3t
q , as follows:

• for j ∈ {1, . . . , t}, we set hi,j = 1 if ai [1] = bj and hi,j = 0 else,

• for j ∈ {t + 1, . . . , 2t}, we set hi,j = 1 if ai [2] = bj and hi,j = 0 else,

• for j ∈ {2t + 1, . . . , 3t}, we set hi,j = 1 if ai [3] = bj and hi,j = 0 else.

With this construction, we have that each row of H⊤ corresponds to an element in U , and
has weight 3. Let us set the syndrome s as the all-one vector of length 3t. Assume that we
can solve the SDP on the instances H, s and t in polynomial time. Let us consider two cases.
Case 1: First, assume that the SDP solver returns as answer ‘yes’, i.e., there exists an
e ∈ Fuq , of weight less than or equal to t and such that eH⊤ = s.

• We first observe that we must have wtH (e) =| suppH (e) |= t. For this note that each
row of H⊤ adds at most 3 non-zero entries to s. Therefore, we need to add at least t
rows to get s, i.e., | suppH (e) |≥ t and hence wtH (e) ≥ t. As we also have wtH (e) ≤ t
by hypothesis, this implies that wtH (e) =| suppH (e) |= t.

• Secondly, we observe that the weight t solution must be a binary vector. For this we
note that the matrix H⊤ has binary entries and has constant row weight three, and
since | suppH (e) |= t, the supports of the t rows of H⊤ that sum up to the all-one
vector have to be disjoint. Therefore, we get that the j-th equation from the system of
equations eH⊤ = s is of the form ei hi,j = 1 for some i ∈ suppH (e). Since hi,j = 1, we
have ei = 1.

Recall from above that the rows of H⊤ correspond to the elements of U . The t rows corre-
sponding to the support of e are now a solution W to the 3DM problem. This follows from
the fact that the t rows have disjoint supports and add up to the all-one vector, which implies
that each element of T appears exactly once in each coordinate of the elements of W .
Case 2: Now assume that the SDP solver returns as answer ‘no’, i.e., there exists no e ∈ Fuq
of weight at most t such that eH⊤ = s. This response is now also the correct response for the
3DM problem. In fact, if there exists W ⊆ U of size t such that all coordinates of its elements
are distinct, then t rows of H⊤ should add up to the all one vector, which in turn means the
existence of a vector e ∈ {0, 1}u of weight t such that eH⊤ = s.
Thus, if such a polynomial time solver exists, we can also solve the 3DM problem in
polynomial time.

Example 204. Let us consider T = {A, B, C, D} and

U = {(D, A, B), (C, B, A), (D, A, B), (B, C, D), (C, D, A), (A, D, A), (A, B, C)}.

80
Then the above construction would yield
 
0 0 0 1 1 0 0 0 0 1 0 0
 
 0 0 1 0 0 1 0 0 1 0 0 0 
 
 

 0 0 0 1 1 0 0 0 0 1 0 0 

 
H⊤ =  0 1 0 0 0 0 1 0 0 0 0 1 .
 
 
 
 0 0 1 0 0 0 0 1 1 0 0 0 
 
 
 1 0 0 0 0 0 0 1 1 0 0 0 
 
1 0 0 0 0 1 0 0 0 0 1 0

A solution to eH⊤ = (1, . . . , 1) would be e = (1, 0, 0, 1, 1, 0, 1) which corresponds to

W = {(D, A, B), (B, C, D), (C, D, A), (A, B, C)}.
Notice that the very same construction is used also in the problem of finding codewords
with given weight.
Proposition 205. The GWCP is NP-complete.
Proof. We again prove the NP-completeness by a reduction from the 3DM problem. To this
end, we start with a random instance of 3DM, i.e., T of size t, and U ⊆ T × T × T of size
u. Let us denote the elements in T = {b1 , . . . , bt } and in U = {a1 , . . . , au }. At this point, we
⊤
build the matrix H ∈ Fu×3t
q , like in the proof of Proposition 203.
(3tu+3t+u)×(3tu+3t)
Then we construct H⊤ ∈ Fq in the following way.
 
⊤
H Idu · · · Idu
 
− Id3t 0 ··· 0 
 
 
⊤
H = 0 − Idu 0 ,
 
 ..
 
..
.

 . 
 
0 0 − Idu
where we have repeated the size-u identity matrix 3t times in the first row. Let us set
w = 3t2 + 4tM and assume that we can solve the GWCP on the instance given by H, w in
polynomial time. Let us again consider two cases.
Case 1: In the first case the GWCP solver returns as answer ‘yes’, since there exists a
c ∈ F3tu+3t+u
q , of weight equal to w, such that cH⊤ = 03tu+3t . Let us write this c as
c = (c, c0 , c1 , . . . , c3t ),
where c ∈ Fuq , c0 ∈ F3t u ⊤
q and ci ∈ Fq for all i ∈ {1, . . . , 3t}. Then, cH = 03tu+3t gives the
equations
⊤
cH − c0 = 0,
c − c1 = 0,
..
.
c − c3t = 0.

81
 ⊤
Hence, we have that wtH (cH ) = wtH (c0 ) and
wtH (c) = wtH (c1 ) = · · · = wtH (c3t ).
Due to the coordinatewise additivity of the weight, we have that
⊤
wtH (c) = wtH (cH ) + (3t + 1)wtH (c).
⊤ ⊤
Since wtH (cH ) ≤ 3t, we have that wtH (cH ) and wtH (c) are uniquely determined as the
remainder and the quotient, respectively, of the division of wtH (c) by 3t + 1. In particular,
⊤
if wtH (c) = 3t2 + 4t, then we must have wtH (c) = t and wtH (cH ) = 3t. Hence, the first u
parts of the found solution c, i.e., c, give a matching for the 3DM in a similar way as in the
⊤
proof of Proposition 203. For this we first observe that cH is a full support vector and it
⊤
plays the role of the syndrome, i.e., cH = (x1 , . . . , x3t ), where xi ∈ F⋆q . Now, using the same
argument as in the proof of Proposition 203, we note that c has exactly t non-zero entries,
which corresponds to a solution of 3DM.
Case 2: If the solver returns as answer ‘no’, this is also the correct answer for the 3DM
problem. In fact, if there exists a W ⊆ U of size t, such that all coordinates of its elements
⊤
are distinct, then t rows of H should add up to the all one vector, which in turn means the
⊤
existence of a e ∈ {0, 1}u of support size t such that xeH = (x, . . . , x) =: c0 for any x ∈ F⋆q .
And thus, with c = xe a solution c to the GWCP with the instances constructed as above
should exist.
Thus, if such a polynomial time solver for the GWCP exists, we can also solve the 3DM
problem in polynomial time.
We remark that the bounded version of this problem, i.e., deciding if a codeword c with
wtH (c) ≤ w exists, can be solved by applying the solver of Problem 182 at most w many
times.
The computational versions of Problems 182 and 181 are at least as hard as their deci-
sional counterparts. Trivially, any operative procedure that returns a vector with the desired
properties (when it exists) can be used as a direct solver for the above problems.
Note that the problem on which the McEliece system is based upon is not exactly equiv-
alent to the SDP. In the McEliece system the parameter t is usually bounded by the error
correction capacity of the chosen code. Whereas in the SDP, the parameter t can be chosen
to be any positive integer. Thus, we are in a more restricted regime than in the SDP.
Problem 206 (Bounded SDP). Let Fq be a finite field and k ≤ n be positive integers. Given
(n−k)×n
H ∈ Fq , s ∈ Fn−k
q  and d ∈ N, such that every set of d − 1 columns of H is linearly
independent and w = 2 , is there a vector e ∈ Fnq such that wtH (e) ≤ w and eH⊤ = s?
d−1


This problem is conjectured to be NP-hard [58] and in [259] it is observed that this
problem is not likely to be in NP, since already verifying that any d − 1 columns are linearly
independent is not possible in polynomial time.
There have been attempts [160] to transform the McEliece system in such a way that the
underlying problem is closer or even exactly equivalent to the SDP, the actual NP-complete
problem. This proposal has been attacked shortly after in [176]. However, using a different
framework than the McEliece system, this is actually possible, for example by using the
quasi-cyclic framework or the AF system.
We also want to remark here, that the following generalization of the GWCP, i.e., Problem
182, is also NP-complete [259]:

82
 (n−k)×n
Problem 207. Let Fq be a finite field and k ≤ n be positive integers. Given H ∈ Fq
and w ∈ N, is there a vector c ∈ Fnq such that wtH (c) ≤ w and cH⊤ = 0n−k ?
In [259] this problem was called the minimum distance problem, since if one could solve
the above problem, then by running such solver on w ∈ {1, . . . , n} until an affirmative answer
is found, this would return the minimum distance of a code.
However, this does not mean that finding the minimum distance of a random code is
NP-complete. In fact, with the above problem one can prove the NP-hardness of finding the
minimum distance, but it is unlikely to be in NP, since in order to check whether a candidate
solution d really is the minimum distance of the code, one would need to go through (almost)
all codewords.

5.2.2 Code Equivalence Problems

Recall the different code equivalence problems, namely PEP, LEP, PKP and relaxed PKP:
Problem 208 (Permutation Equivalence Problem (PEP)). Given G, G′ ∈ Fk×n
q , find φ ∈ Sn ,
such that φ(⟨G⟩) = ⟨G′ ⟩.
Problem 209 (Linear Equivalence Problem (LEP)). Given G, G′ ∈ Fqk×n , find φ ∈ (F⋆q )n ⋊ Sn ,
such that φ(⟨G⟩) = ⟨G′ ⟩.
Exercise 210. Show that PEP ⊂ LEP, by showing a reduction from PEP to LEP.
′
Problem 211. Permuted Kernel Problem (PKP) Given G ∈ Fk×n
q , G′ ∈ Fkq ×n , find permuta-
′
tion matrix P such that ⟨G ⟩ ⊂ ⟨GP⟩.
Exercise 212. Show that PEP ⊂ PKP.
′
Problem 213. Relaxed PKP Given G ∈ Fk×n
q , G′ ∈ Fkq ×n , find x ∈ Fkq and a permutation
′
matrix P such that xGP ∈ ⟨G ⟩.
Exercise 214. Show that Relaxed PKP ⊂ PKP.
A graph G is usually denoted through its vertices V and edges E ⊂ V 2 , i.e., we write
G = (V, E). We say that G = (V, E) with |V | = v, |E| = e has incidence matrix B ∈ Fe×v
2 , if
B has entries bi,j with (
1 if i = (ℓ, j) ∈ E,
bi,j =
0 else.
That is the rows correspond to the edges and the columns to the vertices. Considering the
edge (a, b), we set a 1 in the position a and in the position b.
Since we consider undirected graphs, the condition e = (ℓ, j) ∈ E should be read as
unordered tuple, i.e., also e = (j, ℓ) ∈ E.
Example 215. The graph G with vertex set V = {1, 2, 3, 4} and edge set E = {(1, 2), (2, 3), (3, 4)}
has incidence matrix  
1 1 0 0
 
B = 0 1 1 0 .
 
 
0 0 1 1
Clearly, there are different incidence matrices, depending on the ordering of the edges.
As mentioned before, the code equivalence problems have a relation to the Graph Isomor-
phism problem, which states the following.

83
Problem 216 (Graph Isomorphism (GI) problem). Given G = (V, E), G ′ = (V, E ′ ), find f :
V → V , such that {u, v} ∈ E ↔ {f (u), f (v)} ∈ E ′ .

Theorem 217. There exists a reduction from GI to PEP.

We follow the proof of [215].

Proof. Let G = (V, E) and G ′ = (V, E ′ ) be an instance of GI. Let D and D′ be two incidence
matrices for G, respectively G ′ . We can transform this instance to an instance of PEP, by
e×(3e+v)
defining the two generator matrices in Fq
 
G = Ide Ide Ide D ,
 
G′ = Ide Ide Ide D′ .

Let us consider two cases. In the first case, the answer to GI is ”yes“, as there exists a
f : V → V , such that {f (u), f (v)} ∈ E ′ for all {u, v} ∈ E. Thus, there exists a permutation
of V which maps one graph to the other and the two incidence matrices D and D′ are such
that
QDP = D′
for some e × e permutation matrix Q and v × v permutation matrix P. Clearly, the codes
generated by G and G′ are then also permutation equivalent.
In the second case, we assume that the two graphs are not isomorphic, hence there exists
no permutation on V , which maps G to G ′ . Thus, no v × v permutation matrix P and no e × e
permutation matrix Q exists for which QDP = D′ .
The two codes generated by G1 and G2 are only permutation equivalent, if we can find
S ∈ GLn (2) and (3e + v) × (3e + v) permutation matrix P such that
 
SGP = S S S SD P = G′ .

Note that the first 3e columns of SG consist of all unit vectors of length e, each appearing
exactly three times. Hence, the first 3e columns of G2 are obtained by permuting the first 3e
columns of SG and thus, we also have the permutation matrix P = diag(S−1 , S−1 , S−1 , T),
where T is a v × v permutation matrix. Hence, if such S, P exist, we must have D′ = SDT,
which is against the assumption that G and G ′ are not isomorphic.

Due to this result, we know that PEP (and thus also LEP) are at least as hard as GI.
Since PKP is a subcode-equivalence problem it is equivalent to the subgraph isomorphism
problem and hence NP-complete [97]. However, the hardness of the relaxed version is not
known.
Problem 218 (Open Problem). How hard is Relaxed PKP?
Using an Arthur-Merlin protocol, we can show that any code-equivalence problem (PEP,
LEP or rank-metric) are not NP-hard (as we believe the polynomial hierarchy does not
collapse). We follow the proof given in [215].

Theorem 219. Assuming PH ̸= AM , code-equivalence is not NP-hard.

84
Proof. To show this, we construct the 3-pass Arthur-Merlin protocol. Both parties see the
instance (C1 , C2 ) and Merlin wants to convince Arthur, that the two codes are not equivalent.
Arthur chooses one of the codes, Ci , a random isometry φ and computes a generator
matrix G′ for φ(Ci ) and sends G′ to Merlin.
Merlin, with the infinite computational power, can compute which code Ci Arthur has
chosen and reply with i. If Merlin was honest, then only one of the codes C1 , C2 will be
equivalent to the sent C ′ = ⟨G′ ⟩.
If Merlin was cheating and C1 is equivalent to C2 , then Merlin has two choices and has a
success probability of 1/2.
By repeating this protocol for t rounds, we get a soundness error of 2−t that Arthur
accepts a cheating Merlin.

Due to Babai’s algorithm [36], we know that Graph Isomorphism (GI) takes at most
quasi-polynomial time to solve. Thus, a reduction from PEP to GI, i.e., showing that if we
can solve GI then we can also solve PEP, implies that PEP is easier than GI. In particular,
PEP should not be used for cryptography.
The reduction has been proposed in [54] and has a small drawback: it only works for codes
with trivial hull. Since random codes have w.h.p. a trivial hull, we call this a ”randomized”
reduction, meaning that it will not work for any instance, but it works w.h.p.
Before we can give the reduction, let us recall some graph theory.
A graph G consists of vertices V and edges E between the vertices, i.e., E ⊂ V × V.
We will focus on undirected graphs, thus whenever {u, v} ∈ E also {v, u} ∈ E and we
label the edges with a weight w(u, v).
We say that two weighted graphs G = (V, E) and G ′ = (V ′ , E ′ ) are isomorphic, if there
exists a bijective map f : V → V ′ with

1. {u, v} ∈ E ↔ {f (u), f (v)} ∈ E ′ ,

2. w(u, v) = w(f (u), f (v)).

Thus, we can focus on V = V ′ = {1, . . . , n} and maps f = σ ∈ Sn .

Problem 220 (Weighted Graph Isomorphism Problem). Given G = (V, E), G ′ = (V, E ′ ), find
σ ∈ Sn , such that {u, v} ∈ E ↔ {σ(u), σ(v)} ∈ E ′ and w(u, v) = w(σ(u), σ(v)).

Definition 221. The adjacency matrix of a weighted graph G is defined as the n × n matrix
A with entries (
w(i, j) if {i, j} ∈ E,
Ai,j =
0 else.

Since we are only interested in undirected graphs, the adjacency matrices are symmetric.

Proposition 222. Two graphs G, G ′ are isomorphic if and only if there exists a permutation
matrix P such that P⊤ AP = A′ .

This almost looks like what we need for PEP, except for the fact that in PEP (treating A
as generator matrix) we also accept SAP = A′ for any invertible matrix S, not necessarily
of the form P⊤ .
In fact, one can easily make an example of two graphs, where there exists S ∈ GLn (q), P ∈
Sn with SAP = A′ but the two graphs are clearly not isomorphic.

85
Example 223. Let G = (V, E) with V = {1, 2, 3, 4} and E = {w(1, 2) = 1, w(2, 3) =
1, w(2, 4) = 2} and G ′ = (V, E ′ ) with E ′ = {w(1, 1) = 3, w(1, 2) = 1, w(1, 3) = 1, w(1, 4) = 2}.

These graphs can clearly not be isomorphic. However, their adjacency matrices
   
0 1 0 0 3 1 1 2
   
   
1 0 1 2 ′
 1 0 0 0
A= 
 and A = 
 


0 1 0 0 1 0 0 0
   
0 2 0 0 2 0 0 0
   
1 0 1 2 1 0 0 0
generate the codes C = ⟨G⟩ with G =   and C ′ = ⟨G′ ⟩ with G′ =  ,
0 1 0 0 0 1 1 2
which are clearly permutation equivalent through the permutation σ = (2134). And there ex-
ists S ∈ GL4 (5), P ∈ S4 (the permutation matrix of σ) such that SAP = A′ , namely
 
0 1 0 0
 
 
1 0 0 0
S=  .

3 0 0 2
 
0 0 3 0
Luckily, in order to reduce PEP to GI, we do not have to start with an instance of GI
and transform it to an instance of PEP. Instead, we start from codes and transform them to
graphs.
Hence, the main question is: given G ∈ Fk×n
q , how to define a symmetric matrix in Fn×n
q ,
which can act as adjacency matrix?
For this [54] introduced the following: For C with trivial hull, we define

A = G⊤ (GG⊤ )−1 G.

Clearly, this matrix can only exist if GG⊤ is invertible, i.e., if the hull of C is trivial. The
matrix A ∈ Fn×n
q is symmetric, ⟨A⟩ = C and, moreover, independent of the choice of G.
In fact, taking any other generator matrix, SG, we get

(SG)⊤ (SG(SG)⊤ )−1 SG = G⊤ (GG⊤ )G.

Theorem 224. PEP is easier than weighted GI, for codes with trivial hull.

86
Proof. Assume that the codes in the instance of PEP (C, C ′ ) have trivial hulls. For arbitrary
generator matrices G, respectively G′ take
A = G⊤ (GG⊤ )−1 G,
A′ = G′⊤ (G′ G′⊤ )−1 G′ .
And define G, respectively G ′ , to have adjacency matrices A, A′ .
We now show that the answer to the constructed weighted GI instance is also the answer
to the PEP instance. In fact, σ(G) = G ′ if and only if σ(C) = C ′ .
For the first direction, note that for any choice of generator matrices, there exist S ∈
GLk (q) with SGP = G′ . However, since A is independent of the choice of basis, we can
ignore the S and get
A′ = (GP)⊤ (GP(GP)⊤ )−1 GP = P⊤ AP.
Thus, the two graphs are isomorphic.
The other direction is straightforward, as the P⊤ AP = A′ implies that the two codes ⟨A⟩
and ⟨A′ ⟩ are equivalent.
To reduce the LEP to PEP, one can use the closure of the code, introduced in [240].
Definition 225 (Closure of Code). Let C ⊂ Fnq . The closure of C is

Ce = {(αci )(i,α)∈[1,n]×F⋆q | (ci )i∈[1,n] ∈ C} ⊂ Fqn(q−1) .

Thus, if C = ⟨G⟩, with  

| |
 
 ⊤ ⊤
G = g1 · · · gn 

 
| |
then the generator matrix of the closure is given by
 
| | | | | |
 
G
e = g1⊤ αg1⊤ · · · αq−2 g1⊤ · · · gn⊤ αgn⊤ · · · αq−2 gn⊤ 

 
| | | | | |

for some primitive element α ∈ Fq . The closure Ce has still dimension k, but now length
n(q − 1).
Proposition 226. If there exists φ ∈ Mn,q with φ(C) = C ′ , then there exists σ ∈ Sn with
e = Ce′ .
σ(C)
Hence if G, G′ are such that there exists P ∈ Sn and v ∈ (F⋆q )n with SGPdiag(v) = G′ ,
for some S ∈ GLk (q), then S
eGePe =G e ′ , where
 
P1
 
P
e = ..
.  Q,


 
Pn

87
with Pi ∈ Sq−1 , capture the permutation of Fq , i.e., vi and Q is a block permutation matrix,
which keeps the blocks of (q − 1) columns together and captures P.
This reduction can always be done, however, depending on q it might have different
outcomes.
For this, let us consider the hull of the closure. Recall, that for most solvers and for the
reduction to GI, we want a small or trivial hull.
In fact, we can show that for q ≥ 4 the closure is weakly self dual, meaning Ce ⊂ Ce⊥ . Thus,
the hull has the largest possible dimension k as H(C)e = C.
e
This makes the reduction only interesting for q < 4.
Proposition 227. If q < 4, then Ce has w.h.p. a trivial hull. If q ≥ 4, then Ce is weakly self
dual.
Proof. To understand the hull of the closure, we have to compute
 
  − g1 −
| | |  
 − αg −

1

⊤  ⊤  
⊤
X = GG = g1 αg1 · · · α gn   q−2 ⊤  .
..
e e

  . 
| | |  
q−2
− α gn −
One can easily check that
n
X X
Xi,j = gℓ,i gℓ,j β2.
ℓ=1 β∈F⋆q

Now the question becomes, how does the sum of squares behave in Fq ? If there exists a
α ∈ F⋆q with α2 ̸= 1, then β 7→ αβ permutes F⋆q , hence
X X X
β2 = (αβ)2 = α2 β2,
β∈F⋆q β∈F⋆q β∈F⋆q

β 2 = 0.
P
which implies that β∈F⋆q
To find such α, with α2 ̸= 1, we need q ≥ 4. Thus, for q ≥ 4 we have X = 0 and

dim(H(C))
e = k − rk(G
eGe ⊤ ) = k.

Hence, for q ≥ 4, Ce ⊂ Ce⊥ , i.e., the closure is weakly self dual.

In fact, we can also handle q = 4, however, not with the classical dual defined through
the standard inner product.
Definition 228 (Hermitian Inner Product). For x, y ∈ Fnq let us denote by ⟨x, y⟩H the
Hermitian inner product, i.e.,
n
xi yip ,
X
⟨x, y⟩H =
i=1

where p = char(Fq )

88
 Note that the Hermitian inner product is not symmetric!
Thus, to define the Hermitian dual, we have to fix on which side we place the codewords.
Definition 229 (Hermitian Dual Code). Let k ≤ n be positive integers and let C be an [n, k]
linear code over Fq . The Hermitian dual code C ⋆ is an [n, n − k] linear code over Fq , defined
as
C ⋆ = {x ∈ Fnq | ⟨x, y⟩H = 0 ∀ y ∈ C}.
Definition 230 (Hermitian Parity-Check Matrix). Let k ≤ n be positive integers and let C
(n−k)×n
be an [n, k] linear code over Fq with Hermitian dual code C ⋆ . Then, a matrix H⋆ ∈ Fq
is called a Hermitian parity-check matrix of C, if H⋆ is a generator matrix of C ⋆ and

G((H⋆ )p )⊤ = 0.

Note that if H is the common parity-check matrix of C, then H1/p is a Hermitian parity-
check matrix. The Hermitian hull is then defined as H⋆ (C) = C ∩ C ⋆ .
The Hermitian dual and Hermitian hull are still invariants of isometries.
Exercise 231. Let C ⊂ Fnq be equivalent to C ′ . Then C ⋆ is equivalent to (C ′ )⋆ (and thus the
hulls are as well). Hint: Use again that SG((H⋆ )p )⊤ = 0 and GP = G′ .
Having this new definition of hull, we can define

A⋆ = (Gp )⊤ (G(Gp )⊤ )G,

again A⋆ is independent of the choice of generator matrix, symmetric and exists if C has
trivial Hermitian hull.
Similar to before, for random codes we assume that G is chosen uniform at random and
thus G(Gp )⊤ has full rank. Thus, random codes have w.h.p. trivial Hermitian hull.
The only thing left to check is that the closure of a code in F4 has w.h.p. trivial Hermitian
hull. For this let α be a primitive element in F4 and consider

 
− g12 −
 
− α2 g12 −
 
  
| | | | | | − αg12 −
 

...
  
X = G(
e Ge 2 )⊤ = 
g1⊤ αg1⊤ α2 g1⊤ · · · gn⊤ αgn⊤ α2 gn⊤  

.

  
| | | | | | − gn2
 
 −

− α2 gn2
 
−
 
− αgn2 −

One can easily check that

n
X n
X
2
Xi,j = gℓ,i gℓ,j (1 + α · α2 + α · α2 ) = 2
gℓ,i gℓ,j .
ℓ=1 ℓ=1

Thus, assuming G is random, the matrix X is random as well and has w.h.p. full rank.

89
 Even though LEP is not NP-hard, it is considered to be quantum-secure, as only expo-
nential cost solvers (classical and quantum) are known. Hence, it is a promising candidate
for post-quantum cryptography.
We can also consider code equivalence for Fq -linear codes endowed with the rank metric.
Problem 232 (Matrix Code Equivalence (MCE) Problem). Given G1 , . . . , Gk ∈ Fm×n q and
G′1 , . . . , G′k ∈ Fm×n
q . Find A ∈ GLm (q), B ∈ GL n (q), such that for all C ∈ ⟨G1 , . . . , Gk ⟩ we
have ACB = C′ for some C′ ∈ ⟨G′1 , . . . , G′k ⟩.
Similar to LEP is not NP-hard but believed to be quantum-secure. In fact, there exists
a polynomial time reduction from the Hamming code equivalence problem in [100]. A nice
summary on MCE can be found in [224].

5.2.3 Rank SDP

In [133], the authors provide a randomized reduction from the SDP to the Rank SDP. A
randomized reduction is a polynomial time reduction, which only works with high probability.

Proposition 233. There exists a randomized reduction from SDP to Rank SDP.

Proof. Instead of using the SDP, we use the equivalent GWCP, in both metrics. We start
with an instance of GWCP in the Hamming metric, namely G ∈ Fk×n q and t. Note that the
Rank GWCP is only defined over extension fields, Fqm . Thus, we consider α ∈ Fnqm a vector
with Fq -linearly independent entries.
Exercise 234. Show that for any x ∈ Fnq of wtH (x) = t the componentwise product x⋆α ∈ Fnqm
has rank weight wtR (x ⋆ α) = t.
For the code C = ⟨G⟩ ⊂ Fnq , we define C ′ = ⟨{α ⋆ c | c ∈ C}⟩ ⊂ Fnqm . Let G′ be a generator
matrix of C ′ . If the answer to the Hamming GWCP is yes, that is: there exists a c ∈ C of
Hamming weight t, then there also exists c ⋆ α in C ′ of rank weight t. However, if there was no
c ∈ C of Hamming weight t, note that there might still be a codeword c′ ∈ C ′ of rank weight
t, which is not of the form c ⋆ α. In fact, since we are now over the extension field, we have
generated many more codewords than simply those of the form c ⋆ α.
With high probability, (details can be found in [133]), the only codewords of rank weight
t are of the form c ⋆ α and thus the reduction works.

Example 235. Let us consider  

1 0 1
G= 
0 1 1

which generates the code C ⊂ F32 . If we let t = 1, then clearly there is no codeword in C of
Hamming weight 1. However, for F8 = F2 [α] and α3 = α + 1 and the code

C ′ = ⟨c ⋆ (1, α, α2 + α + 1) | c ∈ C}⟩

we do have a codeword of rank weight 1, for example

α(1, α, α2 + α + 1) ⋆ (1, 0, 1) + (1, α, α2 + α + 1) ⋆ (0, 1, 1) = (α, α, α).

It remains one of the largest open problems in code-based cryptography, whether there
exists a polynomial time reduction, which always works. That is

90
Problem 236 (Open Problem). Is the Rank SDP NP-hard?
As opposed to the Rank SDP, considering Fqm -linear codes endowed with the rank metric,
for Fq -linear codes the SDP is known to be NP-hard.
Theorem 237. The MinRank Problem is NP-complete.
Proof. We use a polynomial time reduction from the Hamming DP.
Exercise 238. Let x ∈ Fnq have Hamming weight t. Show that diag(x) ∈ Fn×n
q has rank weight
t.  
g
 1
 .. 
We start with an instance G =  .  ∈ Fk×n
q , r ∈ Fnq and t ∈ N. We transform the
 
gk
instance to a MinRank instance as
G1 = diag(g1 ), . . . , Gk = diag(gk ) ∈ Fqn×n
and
R = diag(r) ∈ Fqn×n .
Let us first assume that the Hamming DP instance has “yes” as a solution, i.e., there exists
a e ∈ Fnq of Hamming weight t such that r − e ∈ ⟨G⟩. In other words,
r − e = λ 1 g1 + · · · + λ k gk
for some λi ∈ Fq . Then the MinRank instance also has a solution “yes”. In fact, there exists
E = diag(e) of rank weight t such that
R − E = λ1 G1 + · · · + λk Gk ,
for the same λi ∈ Fq . On the other hand, if the Hamming DP instance has “no” as a solution,
i.e., there is no e ∈ Fq of Hamming weight t, such that r − e = λ1 g1 + · · · + λk gk , then the
MinRank instance also gives “no” as a solution. In fact, assume by contradiction, a E ∈ Fqn×n
exists of rank weight t, such that
R − E = λ1 G1 + · · · + λk Gk
for some λi ∈ Fq . Thus, if we denote by gij the ith entry of gj , then
     
r ··· 0 g1 ··· 0 g1k · · · 0
 1   1   
.. .. ..
.  − E = λ1  .  + · · · + λk  . .
     

     
0 · · · rn 0 · · · gn1 0 · · · gnk
Hence,  
Pk i
r − i=1 λi g1 · · · 0
 1 
E= . .. .
 
 
Pk i
0 · · · rn − i=1 λi gn
Hence E is again a diagonal matrix and we can denote its diagonal by e. In order for E to
have rank weight t, we need that t many entriesPof e are non-zero. Hence P there exists a
e ∈ Fnq of Hamming weight t, such that ej = rj − ki=1 λi gji , i.e., e = r − ki=1 λi gi , which is
a contradiction.

91
 The natural question arises, why one cannot prove the NP-hardness of Rank SDP using
the MinRank problem. In fact, starting with an instance of Rank SDP, i.e., an Fqm -linear
code, one can always define the corresponding Fq -linear code. However, for the polynomial
time reduction from MinRank to Rank SDP, the other direction is needed. That is, starting
with an instance of MinRank, transforming it to an instance of Rank SDP - and this already
fails, as not all Fq -linear codes can be lifted to an Fqm -linear code.

5.2.4 Lee SDP

Problem 239 (Lee SDP). Let Fp be a prime field and k ≤ n be positive integers. Given
(n−k)×n
H ∈ Fp , s ∈ Fn−k
p and t ∈ N, is there a vector e ∈ Fnp such that wtL (e) ≤ t and
eH⊤ = s?
The Lee SDP (again equivalent to Lee DP and Lee GWCP) has been proven to be NP-
complete in [266]. Since the proof follows exactly in the same manner as the reduction for
Hamming SDP, we leave it as an exercise.
Exercise 240. Show that Lee SDP is NP-complete using a reduction from 3DM.

5.2.5 Restricted SDP

The Restricted Syndrome Decoding Problem (R-SDP), first introduced in [42], reads as fol-
lows.
(n−k)×n
Problem 241 (Restricted SDP). Given g ∈ F∗p of prime order z, H ∈ Fp , s ∈ Fpn−k , and
E = {g i | i ∈ {1, . . . , z}} ⊂ F∗p , decide if there exists e ∈ En such that eH⊤ = s.
The Restricted SDP is strongly related to other well-known hard problems. For example,
when z = p − 1, the Restricted SDP is close to the classical SDP; if z = 1, the Restricted SDP
is similar to the Subset Sum Problem (SSP) over finite fields. Consequently, it is unsurprising
that the R-SDP is NP-complete for any choice of E.

Theorem 242. The Restricted SDP is NP-complete.

The proof is again similar to the reduction provided for the SDP.

Proof. Recall the NP-hard 3-Dimensional Matching (3DM) problem, where one is given the
instance T = {b1 , . . . , bt }, with |T | = t, U ⊂ T × T × T and |U | = u and asks whether there
exists a W ⊂ U with |W | = t and no two words in W coincide in any position.
Recall that the original SDP has a reduction from 3DM, through the following construc-
(3t)×u
tion: let H ∈ Fp be the incidence matrix, i.e., each column of H corresponds to a word
in U and the rows correspond to T × T × T , thus the rows {1, . . . , t} correspond to the first
position of the word u, the rows {t + 1, . . . , 2t} correspond to the second position of u and the
rows {2t+1, . . . , 3t} correspond to the third position of u. More formally, let T = {b1 , . . . , bt },
U = {a1 , . . . , au } and

• for j ∈ {1, . . . , t}, we set hi,j = 1 if ai [1] = bj and hi,j = 0 else,

• for j ∈ {t + 1, . . . , 2t}, we set hi,j = 1 if ai [2] = bj and hi,j = 0 else,

• for j ∈ {2t + 1, . . . , 3t}, we set hi,j = 1 if ai [3] = bj and hi,j = 0 else.

92
We also set s ∈ F3t
p be the all one vector.
From the original reduction, we know that any solution e ∈ Fup with He⊤ = s⊤ has weight
t and its support corresponds to the solution W . That is the columns of H indexed by the
support of e are the t words in W .
The polynomial reduction from 3DM to R-SDP uses this construction as well. Let T of
(3t)×u
size t and U ⊂ T × T × T of size u be an instance of 3DM. Let H ∈ Fp be the incidence
matrix and let  
H −g ⋆ H
H
e =  ∈ F(3t+u)×2u
p
Idu Idu
be a parity-check matrix. Let us consider the syndrome (s, s′ ) ∈ F3t+u p with s = (1−g 2 , . . . , 1−
g 2 ) ∈ F3t ′ u ′
p and s = (1 + g, . . . , 1 + g) ∈ Fp . Thus, the instance of R-SDP given by H and (s, s )
e
′ 2u
is asking for (e, e ) ∈ E such that
(e, e′ )H
e ⊤ = (s, s′ ),

where E = {g i | i ∈ {0, . . . , z −1}}. By assumption of R-SDP, we use a g of order 2 < z < q−1.
We consider two cases.
1. Assume that the R-SDP solver returns “yes”, i.e., there exists e, e′ ∈ Eu such that
(e, e′ )H
e ⊤ = (s, s′ ). Hence,

He⊤ − g ⋆ He′⊤ = (1 − g 2 , . . . , 1 − g 2 )⊤ ,
e + e′ = (1 + g, . . . , 1 + g).
Hence, for each i ∈ {1, . . . , u} we have ei + e′i = 1 + g. Let us assume (we later show
that this hypothesis is not needed, but it facilitates the proof) that the only elements
in E that add to 1 + g is 1 and g.
Hence, whenever ei = 1, we must have e′i = g and whenever ei = g, we must have e′i = 1.
Thus, we split e = e1 + eg and e′ = e′1 + e′g where e1 , e′1 ∈ {0, 1}u , eg , e′g ∈ {0, g}u and
supp(e1 ) = S = supp(e′g )
and
supp(e′1 ) = S C = supp(eg ).
From this also follows that
eg = g ⋆ e′1
and
e′g = g ⋆ e1 .

The first parity-check equation can now be reformulated as

He⊤ − g ⋆ He′⊤
=He⊤ ′⊤ ⊤ ′⊤
1 − g ⋆ Heg + Heg − g ⋆ He1
=He⊤ 2 ⊤ ′⊤ ′⊤
1 − g ⋆ He1 + g ⋆ He1 − g ⋆ He1
=(1 − g 2 ) ⋆ He⊤
1
=(1 − g 2 , . . . , 1 − g 2 ) = s′ ,

93
 thus, He⊤ 1 = (1, . . . , 1) is such that supp(e1 ) corresponds to a solution W of 3DM, as
in the classical reduction.
2. Assume that the R-SDP solver returns “no”, i.e., there exists no e, e′ ∈ Eu such that
(e, e′ )H
e ⊤ = (s, s′ ). Let us assume by contradiction, that the 3DM has a solution W.
We can then define S to be the indices of words in U belonging to the solution W .
Let us define e1 , e′1 ∈ {0, 1}u , eg , e′g ∈ {0, g}u with supp(e1 ) = S = supp(e′g ) and
supp(e′1 ) = S C = supp(eg ). From this also follows that eg = g ⋆ e′1 and e′g = g ⋆ e1 .
Then the vector (e1 + eg , e′1 + e′g ) ∈ E2u is a solution to the R-SDP, as in case 1, which
gives the desired contradiction, to the R-SDP solver returning “no”.
Note that the hypothesis, that only 1 and g in E add up to 1 + g is not necessary. For
this assume that there exists g i , g j ∈ E, with 0 ̸= i < j < z such that g i + g j = 1 + g. Thus,
the splitting of e and e′ is a bit more complicated:

e = e1 + eg + ei + ej ,
e′ = e′1 + e′g + e′i + e′j ,

where e1 , e′1 ∈ {0, 1}u ,eg , e′g ∈ {0, g}u ,ei , e′i ∈ {0, g i }u ,ej , e′j ∈ {0, g j }u with

supp(e1 ) = S1 = supp(e′g ),
supp(eg ) = S1′ = supp(e′1 ),
supp(ei ) = Si = supp(e′j ),
supp(ej ) = Si′ = supp(e′i ),

and the supports S1 , S1′ , Si , Si′ are distinct and partition {1, . . . , u}. Again it follows that

eg = g ⋆ e′1 ,
e′g = g ⋆ e1 ,
ej = g j−i ⋆ e′i ,
e′j = g j−i ⋆ ei .

Thus, rewriting the first parity-check equation, we get

He⊤ − g ⋆ He′⊤
=He⊤ ⊤ ⊤ ⊤
1 + Heg + Hei + Hej
− g ⋆ He′⊤ ′⊤ ′⊤ ′⊤
1 − g ⋆ Heg − g ⋆ Hei − g ⋆ Hej
=He⊤ ′⊤ ⊤
1 + g ⋆ He1 + Hei + g
j−i
⋆ He′⊤
i
− g ⋆ He′⊤ 2 ⊤ ′⊤
1 − g ⋆ He1 − g ⋆ Hei − g
j−i+1
⋆ He⊤
i
=(1 − g 2 ) ⋆ He⊤
1 + (1 − g
j−i+1
) ⋆ He⊤
i + (g
j−i
− g) ⋆ He′⊤
i
=(1 − g 2 , . . . , 1 − g 2 ) = s′ .

Since e1 , ei , e′i all have different supports, the only way to get 1 − g 2 in each entry, is to have
ei = e′i = 0. In fact, any other sum leads to a contradiction:
• If (1 − g 2 ) + (1 − g j−i+1 ) = 1 − g 2 then 1 = g j−i+1 and hence j = i − 1 which contradicts
j > i.

94
 • If (1 − g 2 ) + (g j−i − g) = 1 − g 2 then g j−i = g and hence j − i = 1. However, as then
g j + g i = g i (1 + g) = 1 + g, it follows that g i = 1, which contradicts i ̸= 0.
• If (1 − g 2 ) + (1 − g j−i+ ) + (g j−i − g) = 1 − g 2 , then 1 + g j−i = g j−i+1 + g = g(1 + g j−i )
and thus g = 1, which contradicts E ̸= F⋆q .

• If (1 − g j−i+1 ) + (g j−i − g) = 1 − g 2 , then g j−i − g j−i+1 = g − g 2 and hence g j−i (1 − g) =

g(1 − g) and thus j − i = 1, which is a contradiction again as in the second case.

5.3 Information Set Decoding

In this section we cover the main approach to solve the SDP, namely information set decoding
(ISD) algorithms. For this we will follow closely [265].
In the McEliece and the Niederreiter framework the secret code is usually endowed with
a particular algebraic structure to guarantee the existence of an efficient decoding algorithm
and is then hidden from the public to appear as a random code. In different frameworks, such
as the quasi-cyclic framework, the secret is actually purely the error vector and the algebraic
code is made public. In both cases an adversary has to solve the NP-complete problem of
decoding a random linear code.

An adversary would hence use the best generic decoding algorithm for random linear
codes. Two main methods are known until today for decoding random linear codes: ISD and
the generalized birthday algorithm (GBA). ISD algorithms are more efficient if the decoding
problem has only a small number of solutions, whereas GBA is more efficient when there are
many solutions. Also other ideas such as statistical decoding [12], gradient decoding [30] and
supercode decoding [57] have been proposed but fail to outperform ISD algorithms.

ISD algorithms are an important aspect of code-based cryptography since they predict
the key size achieving a given security level. ISD algorithms should not be considered as
attacks in the classical sense, as they are not breaking a code-based cryptosystem, instead
they determine the choice of parameters for a given security level.
Due to the duality of the decoding problem and the SDP also ISD algorithms can be for-
mulated through the generator matrix or the parity-check matrix. Throughout this survey,
we will stick to the parity-check matrix formulation.

The first ISD algorithm was proposed in 1962 by Prange [218] and interestingly, all im-
provements display the same structure: choose an information set, use Gaussian elimination
to bring the parity-check matrix in a standard form, assuming a certain weight distribution
on the error vector, we can go through smaller parts of the error vector and check if the
parity-check equations are satisfied. The assumed weight distribution of the error vector thus
constitutes the main part of an ISD algorithm.
In an ISD algorithm we fix a weight distribution and go through all information sets to
find an error vector of this weight distribution. This is in contrast to ‘brute-force attacks’
where one fixes an information set and goes through all weight distributions of the error
vector. In fact, due to this, ISD algorithms are in general not deterministic, since there are
instances for which there exists no information set where the error vector has the sought after
weight distribution. Clearly, a brute-force algorithm requires much more binary operations
than an ISD algorithm, thus, in practice we only consider ISD algorithms.

95
 For this section we will need to recall some notation: let S ⊆ {1, . . . , n} be a set of
size s, then for a vector x ∈ Fnq we denote by xS the vector of length s consisting of the
entries of x indexed by S. Whereas, for a matrix A ∈ Fk×n q , we denote by AS the matrix
consisting of the columns of A indexed by S. For a set S we denote by S C its complement.
For S ⊆ {1, . . . , n} of size s we denote by Fnq (S) the vectors in Fnq having support in S. The
projection of x ∈ Fnq (S) to Fsq is then canonical and denoted by πS (x). On the other hand,
we denote by σS (x) the canonical embedding of a vector x ∈ Fsq to Fnq (S).

5.3.1 General Algorithm

(n−k)×n
We are given a parity-check matrix H ∈ Fq of a code C, a positive integer t and a
syndrome s ∈ Fn−k
q , such that there exists a vector e ∈ Fnq of Hamming weight less than or
equal to t with syndrome s, i.e., eH⊤ = s. The aim of the algorithm is to find such a vector
e.

1. Find an information set I ⊂ {1, . . . , n} of size k for C.

2. Bring H into the systematic form corresponding to I, i.e., find an invertible matrix
(n−k)×(n−k) (n−k)×k
U ∈ Fq , such that (UH)I = A, for some A ∈ Fq and (UH)I C = Idn−k .

3. Go through all error vectors e ∈ Fnq having the assumed weight distribution (and in
particular having Hamming weight t).

4. Check if the parity-check equations, i.e., eH⊤ U⊤ = sU⊤ are satisfied.

5. If they are satisfied, output e, if not start over with a new choice of I.

Since the iteration above has to be repeated several times, the cost of such algorithm is
given by the cost of one iteration times the number of required iterations.
Clearly, the average number of iterations required is given as the reciprocal of the success
probability of one iteration and this probability is completely determined by the assumed
weight distribution.

5.3.2 Overview Algorithms

The first ISD algorithm was proposed in 1962 by Prange [218] and is sometimes referred to
as plain ISD. In this algorithm Prange makes use of an information set of a code, that in
fact contains all the necessary information to decode, in a clever way. For this we have to
assume that there is an information set where the error vector has weight 0 (thus all t errors
are outside of this information set). One now only has to bring the parity-check matrix into
systematic form according to this information set, which has a polynomial cost, this is called
an iteration of the algorithm. However, one has to find such an information set first. This is
done by trial and error, which results in a large number of iterations. Indeed, the assumption
that no errors happen in the information set is not very likely and thus the success probability
of one iteration is very low.
All the improvements that have been suggested to Prange’s simplest form of ISD (see for
example [83, 85, 84, 117, 171, 183, 258]) assume a more likely weight distribution of the error
vector, which results in a higher cost of one iteration but give overall a smaller cost, since less
iterations have to be performed.

96
 The improvements split into two directions: the first direction is following the idea of Lee
and Brickell [179] where they ask for v errors in the information set and t − v outside. The
second direction is Dumer’s approach [117], which is asking for v errors in k + ℓ bits, which
are containing an information set, and t − v in the remaining n − k − ℓ bits. Clearly, the
second direction includes the first direction by setting ℓ = 0.
Following the first direction, Leon [183] generalizes Lee-Brickell’s algorithm by introducing
a set of size ℓ outside the information set called zero-window, where no errors happen. In
1988, Stern [251] adapted the algorithm by Leon and proposed to partition the information
set into two sets and ask for v errors in each part and t − 2v errors outside the information
set (and outside the zero-window). In 2010, with the rise of code-based cryptography over a
general finite field Fq , Peters generalized these algorithms to Fq [214].
In 2011, Bernstein, Lange and Peters proposed the ball-collision algorithm [73], where they
reintroduce errors in the zero-window. In fact, they partition the zero-window into two sets
and ask for w errors in both and hence for t − 2v − 2w errors outside. This algorithm and its
speed-up techniques were then generalized to Fq by Interlando, Khathuria, Rohrer, Rosenthal
and Weger in [158]. In 2016, Hirose [153] generalized the nearest neighbor algorithm over Fq
and applied it to the generalized Stern algorithm.
An illustration of these algorithms is given in Figure 2, where we assume for simplicity
that the information set is in the first k positions and the zero-window is in the adjacent ℓ
positions.

Figure 2: Overview of algorithms following the splitting of Lee-Brickell, adapted from [73].

The second direction has resulted in many improvements, for example in 2009 Finiasz and
Sendrier [123] have built two intersecting subsets of the k+ℓ bits, which contain an information
set, and ask for v disjoint errors in both sets and t−2v in the remaining n−k−ℓ bits. Niebuhr,
Persichetti, Cayrel, Bulygin and Buchmann [205] in 2010 improved the performance of ISD
algorithms over Fq based on the idea of Finiasz and Sendrier.
In 2011, May, Meurer and Thomae [193] proposed the use of the representation technique
introduced by Howgrave-Graham and Joux [157] for the subset sum problem. Further im-
provements have been proposed by Becker, Joux, May and Meurer [61] in 2012 by introducing

97
overlapping supports. We will refer to this algorithm as BJMM. In 2015, May-Ozerov [194]
used the nearest neighbor algorithm to improve BJMM and finally in 2017, the nearest neigh-
bor algorithm over Fq was applied to the generalized BJMM algorithm by Gueye, Klamti and
Hirose [150].
These new approaches do not use set partitions of the support but rather a sum partition
of the weight. An illustration of these algorithms is given in Figure 3, where we again assume
that the k + ℓ bits containing an information set are in the beginning. The overlapping sets
are denoted by X1 and X2 and their intersection of size 2α(k + ℓ) is in blue. The amount of
errors within the intersection is denoted by δ.

Figure 3: Overview of the weight splitting in the different algorithms.

A very introductory reading on ISD algorithms is in the thesis of Weger [265], which we
also follow closely and for binary ISD algorithms, a very informative reading is the thesis of
Meurer [197].

It is important to remark (see [197]) that the BJMM algorithm, even if having the smallest
complexity until today, comes with a different cost: memory. In order to achieve a complexity
of 128 bits, BJMM needs about 109 terabytes of memory. In fact, Meurer observed that if one
restricts the memory to 240 (which is a reasonable restriction), BJMM and the ball-collision
algorithm are performing almost the same.
What is the possible impact on the cost of ISD algorithms when using a capable quantum
computer? In [69] the authors expect that quantum computers result in a square
√ root speed up
for ISD algorithms, since Grover’s search algorithm [147, 148] needs only O( N ) operations
to find an element in a set of size N , instead of O(N ) many. Thus, intuitively, the search
of an information set will become faster and thus the number of iterations needed in an ISD
algorithm will decrease.
Since all the improvements upon Prange’s algorithm were only focusing on decreasing
this number of iterations, the speed up for these algorithms will be smaller, than for the

98
original algorithm by Prange. Hence the authors predict that on a capable quantum computer
Prange’s algorithm will result as the fastest.

99
5.3.3 Techniques
In the following we introduce some speed-up techniques for ISD algorithms, mostly introduced
in [73] over F2 and later generalized to Fq in [158].

First of all, we want to fix the cost that we consider throughout this chapter of one
addition and one multiplication over Fq , i.e., we assume that one addition over Fq costs
⌈log2 (q)⌉ binary operations and one multiplication costs ⌈log2 (q)⌉2 binary operations. The
cost of the multiplication is clearly not using the fastest algorithm known but will be good
enough for our purposes. Also for the cost of multiplying two matrices we will always stick
to a broad estimate given by school book long multiplication, i.e., multiplying AB, where
k×n n×r 2
A ∈ Fq and B ∈ Fq will cost nkr ⌈log2 (q)⌉ + ⌈log2 (q)⌉ binary operations.

Number of Iterations One of the main parts in the cost of an information set decoding
algorithm is the average number of iterations needed. This number depends on the success
probability of one iteration. In turn, the success probability is completely given by the
assumed weight distribution of the error vector. Since in one iteration we consider a fixed
information set, the success probability of an iteration is given by the fraction of how many
vectors there are with the assumed weight distribution, divided by how many vectors there
are in general with the target weight t.
Example 243. For example, we are looking for e ∈ Fnq of Hamming weight t, and we assume
that the error vector has no errors inside
an information set I, and thus all t errors appear
in I C of size n − k. Since there are n−k t
t (q − 1) many vectors having support of size t in a
set
of size n − k and the total number of vectors of support t in a set of size n is given by
n t
t (q − 1) , we have that the success probability of one iteration is given by
  −1
n−k n
,
t t

and hence the number of iterations needed on average is given by

n − k −1 n
   
.
t t

Early Abort In some of the algorithms we have to perform a computation and the algo-
rithm only proceeds if the result of this computation satisfies a certain condition. In our case,
the condition is that the weight of the resulting vector does not exceed a target weight.
We thus compute one entry of the result and check the weight of this entry, before pro-
ceeding to the next entry. As soon as the weight of the partially computed vector is above
the target weight, we can stop the computation, hence the name early abort.
Example 244. To provide an example also for this technique, assume that we have to compute
xA, for x ∈ Fkq of Hamming weight t and A ∈ Fk×n q . Usually computing xA would cost
 
2
nt ⌈log2 (q)⌉ + ⌈log2 (q)⌉ binary operations.
However, assuming our algorithm only proceeds if wtH (xA) = w, we can use the method
of early abort, i.e., computing one entry of the resulting vector and checking its weight
simultaneously. For this we assume that the resulting vector is uniformly distributed. Since
we are over Fq , the probability that an entry adds to the weight of the full vector is given

100
by q−1 q
q . Hence we can expect that after computing q−1 w entries the resulting vector should
q
have reached the weight w, and after computing q−1 (w + 1) entries we should have exceeded
the target
 weight w and can abort.
 Since computing only one entry of the resulting vector
2
costs t ⌈log2 (q)⌉ + ⌈log2 (q)⌉ binary operations, the cost of this step is given by
q  
(w + 1)t ⌈log2 (q)⌉2 + ⌈log2 (q)⌉
q−1
binary operations, instead of
 
nt ⌈log2 (q)⌉2 + ⌈log2 (q)⌉ .
q
Clearly, this is a speed up, whenever q−1 (w + 1) < n.

Number of Collisions In some algorithms we want to check if a certain condition is verified

and only then we would proceed. This condition depends on two vectors x and y living in
some sets. S, respectively T . Hence the algorithm would go through all the vectors x ∈ S
and then through all the vectors y ∈ T in their respective sets and check if the condition
is satisfied for a fixed pair (x, y). If this is the case, such a pair is called a collision. The
subsequent steps of the algorithm would be performed on all the collisions, thus multiplying
the cost of these steps with the size of the set of all (x, y), i.e., | S || T |.
Instead, we can compute the average number of collisions we can expect on average.
Example 245. Let us also give an example for this technique; assume that we only proceed
whenever
x + y = s,
for a fixed s ∈ Fkq and for all x ∈ Fkq of Hamming weight v and all y ∈ Fkq of Hamming weight
w. To verify this condition we have to go through all possible x and y, thus costing
  
k k
(q − 1)v+w min{k, v + w} log2 (q)
v w
binary operations. As a subsequent step one would compute for all such (x, y) the vector
Ax − By, for some fixed A ∈ Fn×k q and B ∈ Fqn×k . Usually one would do this for all elements
in S = {(x, y) | x, y ∈ Fkq , wtH (x) = v, wtH (y) = w}, giving this step a cost of
  
k k
(q − 1)v+w min{k, v + w}n log2 (q) + log2 (q)2 .


v w
However, we only have to perform the subsequent steps as many times as on average we
expect a collision, i.e., a pair (x, y) such that x + y = s. Assuming a uniform distribution,
this amount is given by
k k v+w



v w (q − 1)
  
|S| k k
= < (q − 1)v+w−n .
qn qn v w
Thus computing Ax − By for all (x, y) ∈ S costs on average
  
k k
(q − 1)v+w−n min{k, v + w}n log2 (q) + log2 (q)2


v w
binary operations, which is clearly less than the previous cost.

101
Intermediate Sums In some algorithms we have to do a certain computation for all vectors
in a certain set. The idea of intermediate sums is to do this computation in the easiest case
and to use the resulting vector to compute the results for harder cases. This will become
clear with an example.
Example 246. Let A ∈ Fk×n
2 and assume that we want to compute xA for all x ∈ Fk2 of
Hamming weight t. This would usually cost
 
k
nt
t

binary operations.
Using the concept of intermediate sums helps to speed up this computation: we first
compute xA for all x ∈ Fk2 of Hamming weight 1, thus just outputting the rows of A which
is for free. As a next step, we compute xA for all x ∈ Fk2 of Hamming weight 2, which is the
same as adding two rows of A and hence costs k2 n binary operations. As a next step, we

compute xA for all x ∈ Fk2 of Hamming weight 3. This is the same as adding one row of A
to one of the already computed vectors from the previous step, thus this costs k3 n binary

operations. If we proceed in this way, until we compute xA for all x ∈ Fk2 of Hamming weight
t, this step costs
nL(k, t)
binary operations, where
t  
X k
L(k, t) = .
i
i=2

This is a speed up to the previous cost, since

t        
X k k k k
n =n + ··· + < nt .
i 2 t t
i=2

When generalizing this result to Fq , computing xA for all x ∈ Fkq of Hamming weight
1 does not come for free anymore. Instead we have to compute A · λ for all λ ∈ F⋆q which
costs kn ⌈log2 (q)⌉2 binary operations. Further, if we want to compute xA for all x ∈ Fkq of
Hamming weight 2, we have to add two multiples of rows of A. While there are still k2 many

rows, we now have (q − 1)2 multiples. Thus, this step costs k2 (q − 1)2 n ⌈log2 (q)⌉ binary

operations. Proceeding in this way, the cost of computing xA for all x ∈ Fkq of Hamming
weight t, is given by
Lq (k, t)n ⌈log2 (q)⌉ + kn ⌈log2 (q)⌉2
binary operations, where
t  
X k
Lq (k, t) = (q − 1)i .
i
i=2

Which is clearly less than the previous cost of

 
k  
(q − 1)t nt ⌈log2 (q)⌉2 + ⌈log2 (q)⌉
t

binary operations.

102
5.3.4 Prange’s Algorithm
In Prange’s algorithm we assume that there exists an information set I that is disjoint to the
support of the error vector supp(e), i.e.,

I ∩ supp(e) = ∅.

Of course, such an assumption comes with a probability whose reciprocal defines how many
iterations are needed on average if the algorithm ends. Note that Prange’s algorithm is not
deterministic, i.e., there are instances which Prange’s algorithm can not solve. For an easy
example, one can just take an instance where wtH (e) = t > n − k =| I C |. For a more elabo-
rate example, which also allows unique decoding, assume that we have a parity-check matrix,
which is such that each information set includes the first position. Then an error vector with
non-zero entry in the first position could never be found through Prange’s algorithm.

To illustrate the algorithm, let us assume that the information set is I = {1, . . . , k}, and
(n−k)×n
let us denote by J = I C . To bring the parity-check matrix H ∈ Fq into systematic
(n−k)×(n−k)
form, we multiply by an invertible matrix U ∈ Fq . Since we assume that no errors
occur in the information set, we have that e = (0k , eJ ) with wtH (eJ ) = t. We are in the
following situation:
 
  A ⊤
eH⊤ U⊤ = 0k eJ   = sU⊤ ,
Idn−k

(n−k)×k
for A ∈ Fq .
It follows that eJ = sU⊤ and hence we are only left with checking the weight of sU⊤ .
We will now give the algorithm of Prange in its full generality, i.e., we are not restricting
to the choice of I and J that we made before for simplicity.

Algorithm 1 Prange’s Algorithm over Fq in the Hamming metric

(n−k)×n
Input: H ∈ Fq , s ∈ Fn−k
q , t ∈ N.
Output: e ∈ Fq with eH⊤ = s and wtH (e) = t.
n

1: Choose an information set I ⊂ {1, ..., n} of size k and define J = I C .

(n−k)×(n−k)
2: Compute U ∈ Fq , such that

(UH)I = A and (UH)J = Idn−k ,

(n−k)×k
where A ∈ Fq .
3: ′
Compute s = sU . ⊤

4: if wtH (s′ ) = t then

5: Return e such that eI = 0k and eJ = s′ .
6: Start over with Step 1 and a new selection of I.

103
Theorem 247. Prange’s algorithm over Fq requires on average
 −1  
n−k n  
(n − k)2 (n + 1) ⌈log2 (q)⌉ + ⌈log2 (q)⌉2
t t

binary operations.

Proof. One iteration of Algorithm 1 only consists of bringing H into systematic form and
applying the same row operations
 on the syndrome; thus, the cost can be assumed equal to
⊤
that of computing U H s , i.e.,

(n − k)2 (n + 1)(⌈log2 (q)⌉ + ⌈log2 (q)⌉2 )

binary operations.
The success probability is given by having chosen the correct weight distribution of e. In
this case, we require that no errors happen in the chosen information set, hence the probability
is given by
  −1
n−k n
.
t t
Then, the estimated overall cost of Prange’s ISD algorithm over Fq is given as in the
claim.

Let us consider an example for Prange’s algorithm.

Example 248. Over F5 , we are given
 
3 2 1 4 3 0 4 4 3 4
 
2 3 4 0 1 2 3 2 4 2
 
 
 
3 0 3 1 4 0 2 2 0 0
H= 
,

2 3 0 2 3 1 4 4 3 0
 
 
0 2 3 0 2 0 3 4 2 4
 
2 3 4 0 2 2 0 0 1 2

s = (2, 4, 0, 2, 0, 4) and t = 2. We start by choosing an information set, since I1 = {1, 2, 3, 4}

is not an information set, our first choice might be I2 = {1, 2, 3, 5}. As a next step we compute
U to get H into systematic form. For this information set we have that
 
3 4 1 1 0 0 0 0 0 0
 
0 3 3 0 4 1 0 0 0 0 
 
 
 
4 4 2 0 4 0 1 0 0 0 
U2 H = 
 .

1 4 4 0 3 0 0 1 0 0 
 
 
2 0 2 0 2 0 0 0 1 0 
 
0 1 3 0 1 0 0 0 0 1

104
We apply the same on the syndrome, getting

s′2 = sU⊤
2 = (3, 2, 4, 3, 4, 1),

which is now unfortunately not of Hamming weight 2. Thus, we have to choose another infor-
mation set. This procedure repeats until the chosen information set succeeds. For example
for I = {7, 8, 9, 10}. In fact, if we now compute the systematic form we get
 
1 0 0 0 0 0 4 0 0 4
 
0 1 0 0 0 0 1 1 0 3 
 
 
 
0 0 1 0 0 0 4 2 1 1 
UH =   

0 0 0 1 0 0 0 4 4 0 
 
 
0 0 0 0 1 0 2 3 2 0 
 
0 0 0 0 0 1 2 4 4 3

and s′ = sU⊤ = (2, 0, 0, 4, 0, 0), which has Hamming weight 2. Thus,

e = (s′ , 0) = (2, 0, 0, 4, 0, 0, 0, 0, 0, 0).

5.3.5 Stern’s Algorithm

Stern’s algorithm [251] is one of the most used ISD algorithms, as it is considered one of the
fastest algorithms on a classical computer. In this algorithm we use the idea of Lee-Brickell
and allow errors inside the information set and in addition we partition the information set
into two sets and ask for v errors in both of them. Further, we also use the idea of Leon [183]
to have a zero-window of size ℓ outside the information set, where no errors happen.
Stern’s algorithm is given in Algorithm 2. But first we explain the algorithm and illustrate
it.
The steps are the usual: we first choose an information set and then bring the parity-check
matrix into systematic form according to this information set. We partition the information
set into two sets and define the sets S and T , where S takes care of all vectors living in one
partition and T takes care of all vectors living in the other partition. We can now check
whether two of such fixed vectors give us the wanted error vector.
To illustrate the algorithm, we assume that the information set is I = {1, . . . , k} and
that the zero-window is Z = {k + 1, . . . , k + ℓ}. Further, let us define J = (I ∪ Z)C =
{k + ℓ + 1, . . . , n}. We again denote by U the matrix that brings the parity-check matrix into
systematic form and write the error vector partitioned into the information set part I, the
zero-window part Z and the remaining part J, as e = (eI , 0ℓ , eJ ), with wtH (eI ) = 2v and
wtH (eJ ) = t − 2v. Thus, we get the following:
 
A⊤ B⊤
    
eH⊤ U⊤ = eI 0ℓ eJ  0ℓ×(n−k−ℓ)  = s1 s2 = sU ,
⊤
 
Idℓ
 
0(n−k−ℓ)×ℓ Idn−k−ℓ

(n−k−ℓ)×k
where A ∈ Fℓ×k
q and B ∈ Fq .

105
 From this we get the following two conditions

eI A⊤ = s1 , (5.1)
⊤
eI B + eJ = s2 . (5.2)

We partition the information set I into the sets X and Y , for the sake of simplicity, assume
that k is even and m = k/2. Assume that X = {1, . . . , m} and Y = {m + 1, . . . , k}. Hence,
we can write eI = (eX , eY ), and Condition (5.1) becomes

σX (eX )A⊤ = s1 − σY (eY )A⊤ . (5.3)

Observe that the σX is needed, as eX has length m but we want to multiply it to A⊤ ∈

Fk×ℓ
q . In the algorithm we will not use the embedding σX but rather Fkq (X), thus eX will
have length k, but only support in X.
In the algorithm, we define a set S that contains all vectors of the form σX (eX )A⊤ , i.e.,
of the left side of (5.3) and a set T that contains all vectors of the form s1 − σY (eY )A⊤ , i.e.,
of the right side of (5.3). Whenever a vector in S and a vector in T coincide, we call such a
pair a collision.
For each collision we define eJ such that Condition (5.2) is satisfied, i.e.,

eJ = s2 − eI B⊤

and if the weight of eJ is the remaining t − 2v, we have found the sought-after error vector.
We now give the algorithm of Stern in its full generality, i.e., we are not restricting to the
choice of I, J and Z, that we made before for illustrating the algorithm.

Theorem 249. Stern’s algorithm over Fq requires on average

m1 −1 m2 −1 n − k − ℓ −1 n
       

v v t − 2v t
  
· (n − k)2 (n + 1) ⌈log2 (q)⌉ + ⌈log2 (q)⌉2 + (m1 + m2 )ℓ ⌈log2 (q)⌉2
   
m2 v
+ ℓ Lq (m1 , v) + Lq (m2 , v) + (q − 1) ⌈log2 (q)⌉
v
m1 m2 2v



v (q − 1)
 
v q
+ min n − k − ℓ, (t − 2v + 1)
qℓ q−1
 
· 2v ⌈log2 (q)⌉2 + ⌈log2 (q)⌉

binary operations.

Proof. As in Prange’s algorithm, as a first step we bring H into systematic form and apply
the same row operations on the syndrome; a broad estimate for the cost is given by
 
(n − k)2 (n + 1) ⌈log2 (q)⌉ + ⌈log2 (q)⌉2

binary operations.

106
Algorithm 2 Stern’s Algorithm over Fq in the Hamming metric

(n−k)×n
Input: H ∈ Fq , s ∈ Fn−k
q , t ∈ N, k = m1 + m2 , ℓ < n − k and v < min{m1 , m2 , ⌊ 2t ⌋}.
Output: e ∈ Fnq with eH⊤ = s and wtH (e) = t.

1: Choose an information set I ⊂ {1, ..., n} of size k and choose a zero-window Z ⊂ I C of

size ℓ, and define J = (I ∪ Z)C .
2: Partition I into X of size m1 and Y of size m2 = k − m1 .
(n−k)×(n−k)
3: Compute U ∈ Fq , such that
     
A Idℓ 0
(UH)I =   , (UH)Z =   and (UH)J =  ℓ×(n−k−ℓ)  ,
B 0(n−k−ℓ)×ℓ Idn−k−ℓ

(n−k−ℓ)×k
where A ∈ Fℓ×k
q and B ∈ Fq .
 
4: Compute sU⊤ = s1 s2 , where s1 ∈ Fℓq and s2 ∈ Fn−k−ℓ
q .
5: Compute the set S

S = {(eX A⊤ , eX ) | eX ∈ Fkq (X), wtH (eX ) = v}.

6: Compute the set T

T = {(s1 − eY A⊤ , eY ) | eY ∈ Fkq (Y ), wtH (eY ) = v}.

7: for (a, eX ) ∈ S do
8: for (a, eY ) ∈ T do
9: if wtH (s2 − (eX + eY )B⊤ ) = t − 2v then
10: Return e such that eI = eX + eY , eZ = 0ℓ and eJ = s2 − (eX + eY )B⊤ .
11: Start over with Step 1 and a new selection of I.

To compute the set S, we can use the technique of intermediate sums. We want to compute
eX A⊤ for all eX ∈ Fkq (X) of Hamming weight v. Using intermediate sums, this costs

Lq (m1 , v)ℓ ⌈log2 (q)⌉ + m1 ℓ ⌈log2 (q)⌉2

binary operations.
Similarly, we can build set T : we want to compute s1 − eY A⊤ , for all eY ∈ Fkq (Y ) of
Hamming weight v. Using intermediate sums, this costs
 
m2
Lq (m2 , v)ℓ ⌈log2 (q)⌉ + m2 ℓ ⌈log2 (q)⌉2 + (q − 1)v ℓ ⌈log2 (q)⌉
v

binary operations. Note that the Lq (m2 , v)ℓ ⌈log2 (q)⌉ + m2 ℓ ⌈log2 (q)⌉2 part comes from com-
m
puting eY A⊤ , whereas the v2 (q − 1)v ℓ ⌈log2 (q)⌉ part comes from subtracting from each of

the vectors eY A⊤ the vector s1 .

In the remaining steps we go through all (a, eX ) ∈ S and all (a, eY ) ∈ T , thus usually the
cost of these steps should be multiplied by the size of S × T . However, since the algorithm

107
first checks for a collision, we can use instead of | S || T | the number of collisions we expect
on average.
More precisely: since S consists of all eX ∈ Fkq (X) of Hamming weight v, S is of size
m1 v and similarly T is of size m2 (q − 1)v .



v (q − 1) v
The resulting vectors eX A⊤ , respectively, s1 − eY A⊤ live in Fℓq , and we assume that they
are uniformly distributed. Hence, we have to check on average
m1 m2 2v



v v (q − 1)
qℓ
many collisions.
For each collision we have to compute

s2 − (eX + eY )B⊤ .

Since the algorithm only proceeds if the weight of

s2 − (eX + eY )B⊤

is t − 2v, we can use the concept of early abort.

Computing one entry of the vector s2 − (eX + eY )B⊤ costs
 
2v ⌈log2 (q)⌉2 + ⌈log2 (q)⌉

binary operations. Thus, we get that this step costs on average

q  
(t − 2v + 1)2v ⌈log2 (q)⌉2 + ⌈log2 (q)⌉
q−1
binary operations.
Finally, the success probability is given by having chosen the correct weight distribution
of e; this is exactly the same as over F2 and given by

n − k − ℓ n −1
    
m1 m2
.
v v t − 2v t

Thus, we can conclude.

Note that we usually set in Stern’s algorithm the parameter m1 = ⌊ k2 ⌋. Hence assuming
that k is even we get a nicer formula for the cost, being

k/2 −2 n − k − ℓ −1 n 
      
⌈log2 (q)⌉ + ⌈log2 (q)⌉2
v t − 2v t
 2   !
2 k/2 2v−ℓ q
· (n − k) (n + 1) + (q − 1) min n − k − ℓ, (t − 2v + 1) 2v
v q−1
    
2 k/2 v
+ kℓ ⌈log2 (q)⌉ + ℓ 2Lq (k/2, v) + (q − 1) ⌈log2 (q)⌉
v

binary operations.

108
5.3.6 BJMM Algorithm
In what follows we cover the BJMM algorithm proposed in [61], this is considered to be the
fastest algorithm over the binary, for this reason we will stick to the binary case also for this
paragraph.
In the previous ISD algorithms one always represented the entries of the error vector as
0 = 0 + 0 and 1 = 1 + 0 = 0 + 1, that is one was looking for a set partition of the support.
The novel idea of the algorithm is to use also the other representations, i.e., 0 = 0 + 0 = 1 + 1.
Thus, the search space for the smaller error vector parts become larger but the probability to
find the correct error becomes larger as well.
The idea of the BJMM algorithm is to write a vector e of some length n and weight v as
e = e1 + e2 , where e1 and e2 are both of length n and of weight v/2 + ε, thus we are asking
for an overlap in ε positions, which will cancel out.
The first part of all algorithms, which belong to the second direction of improvements,
is to perform a partial Gaussian elimination (PGE) step, that is for some positive integer
(n−k)×(n−k)
ℓ ≤ n − k one wants to find an invertible matrix U ∈ F2 , such that (after some
permutation of the columns)  
Idn−k−ℓ A
UH =  ,
0 B
(n−k−ℓ)×(k+ℓ) ℓ×(k+ℓ)
where A ∈ F2 and B ∈ F2 . Hence we are looking for e = (e1 , e2 ), with
e1 ∈ Fn−k−ℓ
2 of weight t − v and e2 ∈ Fk+ℓ
2 , of weight v. For the parity-check equations, we
also split the new syndrome sU = (s1 , s2 ) with s1 ∈ F2n−k−ℓ and s2 ∈ Fℓ2 , that is we want to
⊤

solve     
Idn−k−ℓ A e⊤ s⊤
UHe⊤ =   1  =  1 .
0 B e⊤
2 s⊤
2

The parity-check equations can thus be written as

e⊤ ⊤ ⊤
1 + Ae2 = s1 ,
Be⊤ ⊤
2 = s2 .

The idea of the algorithms using PGE is to solve now the second equation, i.e., to search for
e2 of length k + ℓ and weight v such that e2 B⊤ = s2 and then to define e1 = s1 − e2 A⊤ and
to check if this has then the remaining weight t − v.
Note that this is now a smaller instance of a syndrome decoding problem, for which we
want to find a list of solutions. The success probability of such a splitting of e is then given
be
k + ℓ n − k − ℓ n −1
   
.
v t−v t
An important part of such algorithms is how to merge two lists of parts of the error vector
together. For this we consider two lists L1 , L2 , a positive integer u < k, which denotes the
number of positions on which one merges, a target vector t ∈ Fu2 and a target weight w. For
a vector x, let us denote by x|u the vector consisting of the first u entries of x.

109
Algorithm 3 Merge

Input: The input lists L1 , L2 , the positive integers 0 < u < k and 0 ≤ v ≤ n, the matrix
k×(k+ℓ)
B ∈ F2 and the target t ∈ Fu2 .
Output: L = L1 ▷◁ L2 .

1: Lexicographically sort L1 and L2 according to (Bx⊤ i )|u , respectively (Byj )|u +t for xi ∈ L1
and yj ∈ L2 .
2: for (xi , yj ) ∈ L1 × L2 with (Bx⊤ ⊤
i )|u = (Byj )|u + t do
3: if wtH (xi + yj ) = w then
4: L = L ∪ {xi + yj }.
5: Return L.

Lemma 250. The average cost of the merge algorithm (Algorithm 3) is given by

(L1 + L2 )u(k + ℓ) + L1 log(L1 )

+L2 log2 (L2 ) + (k + ℓ) L1 · L2 2−u ,

where Li = |Li | for i = 1, 2.

Exercise 251. Prove Lemma 250.

The algorithm will use this merging process three times.
For the internal parameter v (which can be optimized), we also choose the positive integers
ε1 , ε2 (also up to optimization), and define

v1 = v/2 + ε1 ,
v2 = v1 /2 + ε2 .

We start with creating the two base lists B1 and B2 , which depend on a partition P1 , P2 of
{1, . . . , k + ℓ}, of same size, i.e., k+ℓ
2 :

Bi = {x ∈ Fk+ℓ
2 (Pi ) | wtH (x) = v2 /2}.

These lists have size  

(k + ℓ)/2
B= .
v2 /2
(1) (1) (1) (2) (2)
We now choose t1 ∈ Fu2 1 , which determines t2 = (s2 )|u1 +t1 . We also choose t1 , t3 ∈
Fu2 2 , which define
(2) (1) (2)
t2 = (t1 )|u2 + t1 ,
(2) (1) (2)
t4 = (t2 )|u2 + t3 .

(2)
Then, for a positive integer u2 and the four target vectors ti , for i ∈ {1, . . . , 4} we
(2)
perform the first four merges using Algorithm 3 to get Li = B1 ▷◁ B2 on u2 positions,
(2) (2)
weight v2 and target vector ti for i ∈ {1, . . . , 4}. The lists Li are expected to be of size
L2 = k+ℓ −u2 .


v2 2

110
 With the four new lists we then perform another two merges yielding
(1) (2) (2)
Li = L2i−1 ▷◁ L2i

(1)
on u1 positions, with weight v1 and target vectors ti for i ∈ {1, 2}. These lists are expected
to be of size L1 = k+ℓ

−u
v1 2
1.

As a last step we then merge the two new lists to get the final list
(1) (1)
L = L1 ▷◁ L2

on ℓ positions, with weight v and target vector s2 . The final list is expected to be of size
k+ℓ −ℓ


L= v 2 .
One important aspect of such algorithms is the following

We have to make sure that at least one representation of the solution lives in each list.

This can either be done by employing the probability of this happening in the success proba-
bility, thus increasing the number of iterations or by choosing u, the number of positions on
which one merges in such a way that we can expect that at least one representation lives in
the lists.
(1) (1)
In [61] the authors chose the second option: observe that the number of tuples (e1 , e2 ) ∈
(1) (1)
L1 × L2 that represent a single solution e2 ∈ L is given by
  
v k+ℓ−v
U1 = .
v/2 ε1
(1)
Hence choosing u1 = log2 (U1 ) ensures that L ≥ 1. Similarly, since we also represent ei as
(2) (2) (1)
sum of two overlapping vectors (e2i−1 , e2i ), we have that for each ei we have approximately
  
v1 k + ℓ − v1
U2 =
v1 /2 ε2

many representations. Thus, we can choose u2 = log2 (U2 ).

Proposition 252. Algorithm 4 has an average cost of

n n − k − ℓ −1 k + ℓ −1 
    
· (n − k − ℓ)2 (n + 1)
t t−v v
+ 4(2Bu2 (k + ℓ) + 2B log(B) + (k + ℓ)B 2 2−u2 )
+ 2(2L2 u1 (k + ℓ) + 2L2 log(L2 ) + (k + ℓ)L22 2−u1 )
+ (2L1 ℓ(k + ℓ) + 2L1 log(L1 ) + (k + ℓ)L21 2−ℓ )
  
k + ℓ −ℓ
+ 2 2(t − v + 1)v
v

binary operations.

111
Algorithm 4 BJMM

(n−k)×n
Input: 0 ≤ ℓ ≤ n − k, 0 ≤ u2 ≤ u1 ≤ ℓ, ε1 , ε2 , t, v < t, H ∈ F2 and s ∈ F2n−k .
Output: e ∈ Fn2 with wtH (e) = t and He⊤ = s⊤ .

1: Choose an n × n permutation matrix P.

(n−k)×(n−k)
2: Find U ∈ F2 , such that
 
Idn−k−ℓ A
UHP =  ,
0 B

(n−k−ℓ)×(k+ℓ) ℓ×(k+ℓ)
where A ∈ F2   and B ∈ F2 .
s⊤
3: Compute Us⊤ =  1 , where s1 ∈ F2n−k−ℓ , s2 ∈ Fℓ2 .
s⊤
2
4: Choose partitions P1 , P2 of {1, . . . , k + ℓ} of size (k + ℓ)/2.
5: Set n o
Bj = x ∈ F2k+ℓ (Pj ) | wtH (x) = v2 /2

for j ∈ {1, 2}.

(1) u (1) (1)
6: Choose t1 ∈ F2 1 , set t2 = (s2 )|u1 + t1
(2) (2) (2) (1) (2) (2) (1) (2)
7: Choose t1 , t3 ∈ Fu2 2 , set t2 = (t1 )|u2 + t1 and t4 = (t2 )|u2 + t3
8: for i ∈ {1, . . . , 4} do
(2)
9: Compute Li = B1 ▷◁ B1 using Algorithm 3 on u2 positions to get weight v2 and
(2)
target vectors ti .
10: for i ∈ {1, 2} do
(1) (2) (2)
11: Compute Li = L2i−1 ▷◁ L2i using Algorithm 3 on u1 positions to get weight v1 and
(1)
target vectors ti .
(1) (1)
12: Compute L = L1 ▷◁ L2 using Algorithm 3 on ℓ positions to get weight v and target
vector s2 .
13: for e2 ∈ L do
14: if wtH (s1 − e2 A⊤ ) = t − v then
15: Set e = (e1 , e2 ).
16: Return Pe.
17: Else start over at step 1.

112
5.3.7 Generalized Birthday Decoding Algorithms
(n−k)×n
In the syndrome decoding problem (SDP) we are given a parity-check matrix H ∈ Fq ,
a syndrome s ∈ Fn−k
q and a weight t ∈ N and want to find an error vector e ∈ F n , such that
q
s = eH⊤ and wtH (e) = t.
The first step of a generalized birthday algorithm (GBA) decoder is the partial Gaussian
elimination step, i.e., for some positive integer ℓ ≤ n − k we bring the parity-check matrix
into the form  
Idn−k−ℓ A
H′ =  ,
0 B
up to permutation of columns. We recall from the BJMM algorithm, that this leaves us with
solving the smaller SDP instance: find e2 ∈ Fk+ℓ
q of Hamming weight v ≤ t, such that

e2 B⊤ = s2 ,
ℓ×(k+ℓ)
for s2 ∈ Fℓq and B ∈ Fq .
This second step is usually performed using Wagner’s algorithm on a levels.
By abuse of notation, we write for the rest eB⊤ = s, instead of e2 B⊤ = s2 . In a Lee-
Brickell approach, one would now go through all possible e ∈ Fk+ℓ
q of weight v and check if
they satisfy the parity-check equations. The idea of GBA is to split the vector e further. Let
us start with GBA on one level, that is

e = (e1 , e2 )
 
(k+ℓ)/2
with ei ∈ Fq of weight v/2, for i ∈ {1, 2}. Hence we define B = B1 B2 , with
ℓ×(k+ℓ)/2
Bi ∈ Fq , for i ∈ {1, 2} and split the syndrome s = s1 + s2 . We hence want that

e1 B⊤ ⊤
1 + e2 B2 = s = s1 + s2 .

For this we define two lists

L1 = {(e1 , e1 B⊤ (k+ℓ)/2
1 − s1 ) | e1 ∈ Fq , wtH (e1 ) = v/2},
L2 = {(e2 , e2 B⊤ (k+ℓ)/2
2 − s2 ) | e2 ∈ Fq , wtH (e2 ) = v/2}.

We are then looking for an element

((e1 , x1 ), (e2 , x2 )) ∈ L1 × L2 ,

such that x1 + x2 = 0, which will then imply that

e1 B⊤ ⊤
1 + e2 B2 = s = s1 + s2 .

This idea can be generalized to a levels, thus splitting

(1) (1)
e = (e1 , . . . , e2a ),

113
 (1) (k+ℓ)/2a
where ei ∈ Fq of weight v/(2a ) and writing
 
B = B1 · · · B2a ,

ℓ×(k+ℓ)/2a
where Bi ∈ Fq and splitting s = s1 + · · · + s2a . For this we will need the merging
positions 0 ≤ u1 ≤ · · · ≤ ua = ℓ. One first constructs the base lists
(1) (1) (1) (1) a (1)
Lj = {(ej , ej B⊤
j − sj ) | ej ∈ Fq(k+ℓ)/2 , wtH (ej ) = v/2a },

for j ∈ {1, . . . , 2a } and then performs a merges: in the i-th merge we are given a parameter
0 ≤ ui ≤ v and we want to merge
(i+1) (i) (i)
Lj = L2j−1 ▷◁ui L2j .

For this let us define the merge L = L1 ▷◁u L2 first formally. Given Li = {(ei , xi )}, for
i ∈ {1, 2} and u
L1 ▷◁u L2 = {((e1 , e2 ), x1 + x2 ) | x1 + x2 =u 0},
where a =u b, denotes that a and b are equal on the first u positions. The merging process
follows the following algorithm

1. Lexicographically order the elements (ei , xi ) ∈ Li for i ∈ {1, 2} according to the first u
positions,

2. Search for a collision, i.e., x1 +x2 =u 0 and if found insert the corresponding ((e1 , e2 ), x1 +
x2 ) in L.

The general idea of GBA is that we will not use the probability that we can split e into
(e1 , . . . , e2a ) each having weight v/2a , but rather we want that the merging process of will
produce a solution with high probability. The average size of L is given by

| L1 || L2 |
L =| L1 ▷◁u L2 |= ,
qu

and thus, whenever L ≥ 1 we can be assured that this algorithm returns (on average) a
solution e.
This is only possible for large weights v. If we are in this case, there exists a further
(1)
improvement on the algorithm, where one does not take the whole lists Li but only 2b many
2b
such elements, and thus the algorithm works as long as 2qu ≥ 1.
Stern’s ISD algorithm is a special case of Wagner’s algorithm on one level, where ℓ = 0
and s1 = 0. However, in Stern’s algorithm one employs the probability of splitting the error
vector into (e1 , e2 ), rather than asking for

| L1 || L2 |
≥ 1.
qℓ
The idea of GBA or more precisely of Wagner’s approach was used in famous ISD papers
such as BJMM and MMT, where 3 levels turned out to be an optimal choice.

114
5.3.8 Asymptotic Cost
An important aspect of ISD algorithms (apart from the cost) is their asymptotic cost. The
idea of the asymptotic cost is that we are interested in the exponent e(R, q) such that for
large n the cost of the algorithm is given by q (e(R,q)+o(1))n . This is crucial in order to compare
different algorithms.
We consider codes of large length n, and consider the dimension and the error correction
capacity as functions in n, i.e., k, t : N → N. For these we define

lim t(n)/n = T,
n→∞
lim k(n)/n = R.
n→∞

If c(n, k, t, q) denotes the cost of an algorithm, for example Prange’s algorithm, then we are
now interested in
1
C(q, R, T ) = lim logq (c(n, k, t, q)).
n→∞ n

For this we often use Stirlings formula, that is

 
1 (α + o(1))n
lim logq = α logq (α) − β logq (β) − (α − β) logq (α − β).
n→∞ n (β + o(1))n

One of the most important aspects in computing the asymptotic cost, is that random
codes attain the asymptotic Gilbert-Varshamov bound with high probability, thus we are
allowed to choose a relative minimum distance δ such that R = 1 − Hq (δ).
Example 253. The asymptotic cost of Prange’s algorithm is easily computed as
  !
n − k −1 n

1
lim logq =
n→∞ n t t
− (1 − T ) logq (1 − T ) − (1 − R) logq (1 − R) + (1 − R − T ) logq (1 − R − T ).

Exercise 254. Prove that the asymptotic cost of Prange is equal to

Hq (T ) − (1 − R)Hq (T /(1 − R)).

For the more sophisticated algorithms such as Stern and BJMM, we will also have internal
parameters, such as ℓ, v, which will be chosen optimal, i.e., giving the smallest cost.
Note that we assume half-distance decoding, i.e., T = δ/2, thus C(q, R, δ/2) = e(R, q)
and then compute the largest value of e(R⋆ , q) by taking

R⋆ = argmax0<R<1 e(R, q).

With the asymptotic cost, we can now compare different ISD algorithms. For this, we
will restrict ourselves to the binary case, since we presented the BJMM algorithm only over
the binary. In the following table BJMM refers to the algorithm presented in [61], MMT to
[193], BCD to the algorithm from [73] and Stern and Prange refer to the algorithms of [251],
respectively [218].

115
 Algorithm e(R∗ , 2)
BJMM 0.1019
MMT 0.115
BCD 0.1163
Stern 0.1166
Prange 0.1208

Table 18: Asymptotic cost of different ISD algorithms over the binary

5.3.9 Rank-metric ISD Algorithms

Finally, we want to conclude this section on ISD algorithms explaining the idea of rank-metric
ISD algorithms.
For this we first recall that the Hamming support of an error vector e ∈ Fnqm is defined as

suppH (e) = {i ∈ {1, . . . , n} | ei ̸= 0}.

The Hamming weight of e is then given by the size of the Hamming support, i.e.,

wtH (e) =| suppH (e) |≤ n.

If we would want to go through all error vectors of a given Hamming weight t, there are
 
n
(q m − 1)t
t

many choices. This concept changes when we move to the rank-metric. The rank support of
an error vector e ∈ Fnqm is usually defined as the Fq -vector space spanned by the entries of e :

supp(e) = ⟨e1 , . . . , en ⟩Fq .

The rank weight of e is then defined as the Fq -dimension of the rank support, i.e.,

wtR (e) = dimFq (supp(e)).

If we want to go through all vectors of a given rank weight t, there are

t−1 m
q − qi
 
m Y
= ∼ q (m−t)t
t q qt − qi
i=0

many choices. Thus, it is quite clear, that to look for an error vector in the rank metric poses
a more costly problem than its Hamming metric counterpart.
However, depending whether m or n are smaller, we could also consider the row or column
support.

116
Example 255. Let us consider e = (1, α) ∈ F28 , where F8 = F2 [α] 3
 withα = α + 1 and the
1 0
basis Γ = {1, α, α2 }. Then e = cR, where c = (1, α) and R =   . Thus, the column
0 1
support of e is given by

suppC (e) = ⟨Γ(c)⊤ ⟩ = ⟨(1, 0, 0), (0, 1, 0)⟩ ⊂ F32

of dimension 3. Whereas the row support of e is given by

suppR (e) = ⟨R⟩ = ⟨(1, 0), (0, 1)⟩ ⊂ F22 .

Note that the column and row support can also be read of
 
1 0
 
Γ(e) = 0 1
 
 
0 0

as
suppR (e) = rowsp(Γ(e)) ⊂ Fnq
and
suppC (e) = colsp(Γ(e)) ⊂ Fm
q .

Thus,
1. if m ≤ n, we consider the column support of e. In this case we have mt q vector spaces
 

to go through.

2. If n ≤ m, we row support of e. In this case we have nt q many vector spaces.

 

In the following we give only the ideas of the combinatorial and algebraic algorithms to
solve the rank SDP. First observe that we can write e = βE, where β = (β1 , . . . , βt ) is a basis
of the support of the error vector e and E ∈ Ft×nq .
The first proposed rank ISD algorithm [91] performs a basis enumeration. That is, we
want to enumerate all possible choices for β. Since if we know β, then solving βEH⊤ = s has
quadratic complexity. This attack has approximately a complexity of q tm operations.
The second proposed rank ISD algorithm [209] enumerates all possible matrices E in-
stead, resulting in a cost of approximately q (t−1)(k+1) operations. These approaches are called
combinatorial attacks, as they solve the rank SDP through enumerations.
In [131] the authors give a Prange-like rank metric ISD algorithm. The algorithm is usually
called GRS, as abbreviation for the authors Gaborit, Ruatta, Schrek, not to be confused with
generalized Reed-Solomon codes. One first chooses whether to guess the row or column
support of e, depending whether n ≤ m, or m ≤ n. Let us first assume that m ≤ n and hence
we guess the column support.
Recalling that e = cR, if we know a basis of the column support {γ1 , . . . , γt } with γi ∈ Fm
q ,
such that Γ(ci ) = γi , we can write for each i ∈ {1, . . . , n}
t
X
ei = cj ri,j .
j=1

117
And over Fq
t
X
Γ(ei ) = γj ri,j .
j=1

Thus, we have nt unknowns ri,j and from s = eH⊤ we have m(n − k) equations.
Example 256. Let us consider F8 = F2 [α] with α3 = α + 1 and basis Γ = {1, α, α2 }. We are
given the parity-check matrix  
1 0 1 α2
H= 
0 1 α 1
and the syndrome s = (α2 , α + 1) ant t = 1.
We guess the column support of e to be ⟨(1, 1, 0) ⊂ F32 , this corresponds to c = (α + 1).
Hence  
1
 
ei = 1 ri .
 
 
0
We consider the 2 syndrome equations

e1 + e3 + α2 e4 = s1 = α2
e2 + αe3 + e4 = s2 = α + 1.

In order to write these equations over F2 we observe that α2 e4 = α2 (α + 1)r4 = (α2 + α + 1)r4
and αe3 = α(α + 1)r3 = (α2 + α)r3 . Hence we get the linear system of equations
   
1 0 1 1 0
    
1 0 1 1 r1 0
   
    
    
0 0 0 1 r2  1
   =  .
    
0 1 0 1 r3  1
    
   
0 1 1 1 r4 1
   
0 0 1 0 0

After solving the system, we get the unique solution r1 = 1, r2 = 0, r3 = 0, r4 = 1 and

recompute e = cR = (α + 1, 0, 0, α + 1), which indeed has rank weight 1.
Exercise 257. Perform the same example but guess the column support to be (1, 0, 0).
If we know the row support {r1 , . . . , rt } for SuppR (e) ⊂ Fnq , i.e., the rows of R, then we
can write for each i ∈ {1, . . . , n}
Xt
ei = cj ri,j ,
j=1

and using the basis Γ of Fqm over Fq we can write

t
X
Γ(ei ) = Γ(cj )ri,j .
j=1

118
Thus, over Fq we have mt unknowns and m(n − k) equations.
Let us use a neat trick for the next example: in order to bring the parity-check equations
to the base field, we need to know what to do with a multiplication. Let Γ = {γ1 , . . . , γm } be
a basis of Fqm over Fq . The multiplication with a ∈ Fqm is given by

ma : Fqm → Fqm
x 7→ xa.

This map can be extended to Fq as

Ma : Fqm → Fm
q
x 7→ Ma Γ(x),

where Ma ∈ Fm×m
q is defined through having the columns Γ(aγ1 ), . . . , Γ(aγm ).
Example 258. Let us consider F − 8 = F2 [α] with α3 = α + 1 and the basis Γ = {1, α, α2 }.
Multiplication with α2 is given by the matrix
 
0 1 0
 
Mα2 = 0 1 1 .
 
 
1 0 1

Then for any x ∈ F8 , we get that Γ(α2 x) = Mα2 Γ(x).

Algorithm 5 GRS Algorithm

(n−k)×n
Input: H ∈ Fqm , s ∈ Fn−k
q m and t ≤ r ≤ n − k.
Output: e ∈ Fqm with wtR (e) = t and He⊤ = s⊤ .
n

1: Choose random subspace S = ⟨s1 , . . . , sr ⟩ ⊂ Fnq of dimension r.

Write the error vector in terms of the basis s1 , . . . , st as ei = rj=1 eij sj , with unknowns
P
2:
eij ∈ Fq .
3: Solve the linear system of equations (over Fq ) implied by eH⊤ = s to obtain the eij .
4: if wtR (e) ≤ t then
5: Return e.
6: Else, go to Step 1.

The cost of the GRS algorithm is only given by guessing a subspace S ⊂ Fnq of dimension
r, which contains suppR (e).
Thus the success probability of one iteration is given by

|{S ⊂ Fnq | dim(S) = r, suppR (e) ⊂ S}| n − t n −1

   
P = = .
S ⊂ Fnq | dim(S) = r}| r−t q r q

All the other steps, namely writing e in terms of the basis of S and solving the linear system
of equations can be done in polynomial time.

119
 Thus, the GRS algorithm costs

n n − t −1
   
∼ q (n−r)t .
r q r−t q

In order to get an overdetermined system and thus a candidate solution for e, we only require
to have more equations than unknowns. Since there are rn many unknowns eij , and we have
m(n − k) equations over Fq , this forces us to choose r ≤ n − k.
Proposition 259. The GRS algorithm has an asymptotic cost of

n n − k −1
   
∼ q kt .
t q t q

Example 260. Let us consider F8 = F2 [α] with α3 = α + 1 and basis Γ = {1, α, α2 }. We are
given the parity-check matrix  
1 0 1 α2
H= ,
0 1 α 1

the syndrome s = (α2 , α + 1) and t = 1.

We guess the row support of e to be ⟨(1, 0, 0, 1) ⊂ F42 . Hence e1 = e4 = c and e2 = e3 = 0.
We consider the 2 syndrome equations

e1 + e3 + α2 e4 e1 + α2 e4 = s1 = α2
e2 + αe3 + e4 e4 = s2 = α + 1.

Using Mα2 , we can write the equations as

         
c0 c1 0 c 1
       0  
c1  + c1 + c2  = 0 , and c1  = 1 .
         
         
c2 c0 + c2 1 c2 0

From here we can already solve the system and get c = (α + 1). We recompute e = cR =
(α + 1, 0, 0, α + 1), which indeed has rank weight 1.
Exercise 261. Perform the same example but guess the row support to be (1, 1, 0, 0).
We say that the GRS algorithm is the rank-metric analog of Prange, as it searches for
S of dimension n − k with Supp(e) ⊂ S. While Prange’s algorithm in the Hamming metric
searches for I C of size n − k with SuppH (e) ⊂ I C .
Indeed, while Prange’s algorithm in the Hamming metric has the cost

n n − k −1
  
,
t t
the rank-metric analog has the cost

n n − k −1
   
.
t q t q

120
 The algebraic approach aims at translating the notion of the rank metric into an algebraic
setting. For example via linearized polynomials: in [131] and [29] it was observed that for
e ∈ Fnqm there exists a linearized polynomial of q-degree t of the form
t
i
X
f (x) = fi xq
i=0

annihilating the error vector, i.e., f (ei ) = 0 for all i ∈ {1, . . . , n}. This algorithm works well
for small choices of t, giving an approximate cost [131] of
(k+1)m
 
O (n − k)3 q t⌈ n ⌉−n .

Recently, a new benchmark for the complexity of the rank SDP has been achieved by
the paper [53], which solves the rank SDP using the well studied MinRank problem from
multivariate cryptography. This might be one of the major reasons why NIST did not choose
to finalize any of the code-based cryptosystem based on the rank metric, although they were
achieving much lower public key sizes; this area of code-based cryptography needs further
research before we can deem it secure.

5.3.10 Attacks on other Code-Based Problems

we have seen that ISD is the fastest algorithm to solve the Decoding Problem, the Syndrome
Decoding Problem or the Given Weight Codeword Problem, whether we use the Hamming
or the rank metric. This stays true also for the Lee metric [266] or restricted errors [77, 46],
clearly, adapted to the considered metrics.
When considering code-equivalence problems, one could expect other algorithms to be
faster. However, also in this case the fastest known algorithms rely on ISD [74]. In fact, we
have seen in Section 2, that two equivalent codes C and C ′ have the same weight enumerator

Wi (C) = |{c ∈ C | wt(c) = i}| = Wi (C ′ ).

Thus, the main algorithm to solve the code equivalence problem asks to find some low weight
codewords in C and C ′ using ISD, ordering them as

S = {bc1 , . . . , cN },

respectively

S ′ = {c′1 , . . . , c′N }
and then searching for an isometry that maps S to S ′ . Recall, that a code C ⊆ Fnq of dimension
k has on average
|B(q, n, r)|q k−n
many codewords of weight r, where B(q, n, r) denotes the balls of radius r in the respective
metric.
If we search for codewords of very small weight, we thus get smaller sets S, S ′ and it
becomes easier to find an isometry between the two sets. However, searching for a small
weight increases the cost of the ISD algorithm to find them. On the other hand, when
searching for a moderate weight r, the ISD algorithm has a small cost, but due to the large
size of S, S ′ it becomes harder to find an isometry.

121
5.4 Algebraic Attacks
In this section, we present some techniques which are used for algebraic attacks on certain
code-based cryptosystems. Most famously, is the square code attack, which is in general a
distinguisher attack. Distinguishers a priori want to show that the public code is in fact not
behaving randomly but like an algebraically structured code. Distinguishers can then further
imply a strategy on how to recover the structure of the secret code, e.g. the evaluation points
of a GRS code, or be used directly in a message recovery.
Definition 262. Let v = (v1 , . . . , vn ), w = (w1 , . . . , wn ) ∈ Fnq be two vectors. The Schur
product v ∗ w of v and w is the coordinatewise product of v and w, i.e.,

v ∗ w := (v1 w1 , . . . , vn wn ).

With this definition we can also define the Schur product of two linear codes.
Definition 263. Let C1 , C2 ⊂ Fnq be two linear codes. The Schur product of C1 and C2 is
defined as the Fq -span generated by the Schur product of all combinations of elements, i.e.,

C1 ∗ C2 := ⟨{c1 ∗ c2 | c1 ∈ C1 , c2 ∈ C2 }⟩ ⊂ Fnq .

For a linear code C ⊂ Fnq , we call C ∗ C the square code of C and denote it with C (2) .
Clearly for any code C ⊆ Fnq of dimension k, we have that
 
(2) k(k + 1)
dim(C ) ≤ min ,n .
2

However, for codes which have a lot of algebraic structure, this square code dimension
might be much smaller.
Proposition 264. Let k ≤ n ≤ q be positive integers. Then,

dim(GRSn,k (α, β)) = min{2k − 1, n}.

Exercise 265. Prove Proposition 264.

Whereas for a random linear code of dimension k, the expected dimension of its square
code is typically quadratic in the dimension k:
Theorem 266 ([86, Theorem 2.3]). For a random linear code C over Fq of dimension k and
length n, we have with high probability that
  
k+1
dim(C (2) ) = min ,n .
2

This clearly provides a distinguisher between random codes and algebraically structured
codes. Let us list some of the codes, which suffer from such a distinguisher

1. GRS codes: Proposition 264,

2. low-codimensional subcodes of GRS codes: [268],

3. Reed-Muller codes: [80],

122
 4. Polar codes: [115],

5. some Goppa codes: [106],

6. high rate alternant codes: [119],

7. algebraic geometry codes [105, 104].

Note that square code attacks often need to be performed on a modified version of the public
code, for example
1. the sum of two GRS codes: [101, 107],

2. GRS codes with additional random entries: [103],

3. expanded GRS codes: [102].

McEliece proposed to use classical binary Goppa codes as secret codes in [195], and no alge-
braic attack on this system has been developed. Thus, they are considered to be reasonably
secure and were chosen as the finalists for the NIST standardization process [14].
Recall that Goppa codes are heavily connected to GRS codes: let us consider a GRS code
over Fqm and some 1 ≤ λ ≤ m. The code C which contains all codewords of the GRS code
living in a fixed λ-dimensional Fq -vector subspace of Fqm is called a subspace subcode of a
GRS code.
• If we choose λ = m we get a GRS code, which provides very low key sizes for the
McEliece cryptosystem due to their large error correction capacity and only considering
ISD attacks. They are however insecure due to the square code attack.

• If we choose λ = 1 we get a Goppa code, which suffers from very large key sizes due
to their small correction capacity, but they are deemed to be secure against algebraic
attacks.
The proposal [167] and also [65] propose to use a different λ in the McEliece system,
trying to find a balance between the two extreme points and profiting from both advantages:
smaller key sizes than Goppa codes would provide and thwarting the vulnerability of GRS
codes. But also this suggestion has been attacked for λ ≥ m/2 by the square code attack in
[102]:

Let us summarize this in Table 19.

Note that for the rank-metric based cryptosystems a similar distinguisher exists for the
rank analogues of the Reed-Solomon codes, namely the Gabidulin codes: these attacks all
stem from the original attack of Overbeck [211] on the proposal [127] to use Gabidulin codes
in the GPT framework, but also includes the attack of [156] on its generalization [186, 221].
They main tool here is that instead of taking the square code, one performs the Frobenius
map on the code.

123
 dim C (2)


Code C
n o
Random Code min k(k+1)
2 , n (with high probability)
RS Code min{2k − 1, n}
n o
k(k+1) mr
Binary Goppa Codes min 2 − 2 (2r log2 (r) − r − 1) , n
[n, k = n − mr] (with high probability)
min O(mk 2 ), n

Expanded GRS Code
[mn, mk] (with high probability)

Table 19: Square code dimension of different codes

Let us consider an extension field Fqm of the base field Fq . We denote by [i] the ith
Frobenius power, q i . The Frobenius map can be applied to a matrix or a vector by doing so
coordinatewise, i.e., for a matrix M ∈ Fqk×n
m with entries (mj,ℓ ) we denote by M[i] the matrix
[i]
with entries (mj,ℓ ).

Definition 267. Let M ∈ Fk×n

q m and ℓ ∈ N, then we define the operator Λℓ as

(ℓ+1)k×n
Λℓ : Fk×n
q m → Fq m ,
 
M
 
 [1] 
M ,
M 7→ Λℓ (M) = 
 ..  .

 . 
 
M[ℓ]

The Frobenius attack now considers the rowspan of this new matrix.

Proposition 268 ([211], Lemma 5.1). If M is the generator matrix of an [n, k] Gabidulin
code and ℓ ≤ n − k − 1, then the subvector space spanned by the rows of Λℓ (M) is an [n, k + ℓ]
Gabidulin code.

Note that this is similar to Proposition 264, where one shows that the square code of a
GRS code is again a GRS code. And as the square code dimension of a GRS code is 2k − 1,
in this case the dimension of the rowspace of the Frobenius of a Gabidulin code is k + ℓ.
However, for a random code C, the Frobenius of this code should have dimension of order
kℓ.

Theorem 269 ([188]). Let M ∈ Fqk×n

m be a random matrix of full column rank over Fq . Then
Λℓ (M) has rank
min{(ℓ + 1)k, n},
with probability at least 1 − 4q −m .

The Frobenius map can thus distinguish between a Gabidulin code and a random code.

124
5.5 Other Attacks
We want to note here, that there exist also several other attacks on code-based cryptosystems,
such as: side-channel attacks and chosen-ciphertext attacks. Since these attacks are less
mathematically involved, we will just quickly cover them and refer interested readers to [88].

Side-channel attacks try to get information from the implementation of the cryptosystem,
which includes timing information, power consumption and many more. Thus, side-channel
attacks complement the algebraic and non-structural attacks we have discussed before by
considering also the physical security of the cryptosystem.
There have been many side-channel attacks on the McEliece cryptosystem (see for example
[254, 35, 253, 92, 227]) which aim for example at the timing/reaction attacks based on the
error weight or recover the error weight using a simple power analysis on the syndrome
computation.
Note that recently the information gained through side-channel attacks was used in ISD
algorithms in [154].
Another line of attacks is the chosen-ciphertext attack (CCA): in a chosen-ciphertext
attack we consider the scenario in which the attacker has the ability to choose ciphertexts ci
and to view their corresponding decryptions, i.e., the messages mi . In this scenario we might
speak of an oracle that is queried with ciphertexts. The aim of the attacker is to gain the
secret key or to get as much information as possible on the attacked system.
In an adaptive chosen-ciphertext attack (CCA2) the attacker wants to distinguish a target
ciphertext without consulting the oracle on this target. Thus, the attacker may query the
oracle on many ciphertext but the target one. This means that the new ciphertexts are
created based on responses (being the corresponding messages) received previously.
In this context we also speak of ciphertext indistinguishability, meaning that an attacker
can not distinguish ciphertexts based on the message they encrypt. We have two main
definitions:

1. Indistinguishability under chosen-plaintext attack (IND-CPA),

2. Indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2).

These are usually defined over a game, which is played between an attacker and a chal-
lenger, where we assume that we have a public-key encryption scheme with a secret key S
and a publicly known public key P.
For IND-CPA, the attacker and the challenger are playing the following game.

1. The attacker sends two distinct messages m1 , m2 to the challenger.

2. The challenger selects one of the messages mi and sends the challenge ci , which is the
encrypted message mi .

3. The attacker tries to guess i.

We say that a system is IND-CPA secure if an attacker has only a negligible advantage over
randomly guessing i.

125
 For IND-CCA2, the attacker and the challenger are playing the following game.

1. The attacker sends two distinct messages m1 , m2 to the challenger.

2. The challenger selects one of the messages mi and sends the challenge ci , which is the
encrypted message mi .

3. The attacker may query a decryption oracle on any cipher but the target cipher ci .

4. The attacker tries to guess i.

We say that a system is IND-CCA2 secure if an attacker has only a negligible advantage over
randomly guessing i.
Let us consider the McEliece framework from Section 3.1.
The IND-CPA security for this framework translates as: the challenger preforms the key
generation, getting the secret key G ∈ Fqk×n and sends the public key G′ ∈ Fk×n q to the
k
attacker. The attacker chooses two messages m1 , m2 ∈ Fq and sends them to the challenger.
The challenger now chooses b ∈ {1, 2} and encrypts mb as

c = mb G′ + e,

for some random error vector of Hamming weight t. The challenger sends c back to the
attacker. The attacker tries to figure out whether m1 or m2 was encrypted.

Proposition 270. The classic McEliece framework is not IND-CPA secure.

Proof. The attacker can easily recover which message was encrypted by computing

c1 = m1 G′ ,
c2 = m2 G′ ,

and testing whether the received c has distance t from one of the codewords. Indeed, if m1
was encrypted, then
c − c1 = m1 G′ − m1 G′ + e = e
has weight t, whereas

c − c2 = m1 G′ − m2 G′ + e = (m1 − m2 )G′ + e

has weight larger than t, as any codeword (thus also (m1 − m2 )G′ ) has weight at least 2t + 1
and adding e, we can decrease the weight to at least t + 1.

Exercise 271. Show that the Niederreiter framework is not IND-CPA secure.
An easy fix for this issue is called random padding. Instead of choosing the message
m ∈ Fkq , we only choose a part of the message, say m′ ∈ Fℓq and choose the remaining k − ℓ
position at random, called r.

126
Proposition 272. The McEliece framework using random padding is IND-CPA secure.

Proof. The attacker has now chosen m1 , m2 ∈ Fℓq and sends them to the challenger. Assume
the challenger encrypts m1 as
c = (m1 , r)G′ + e,
and sends this back to the attacker. Let us split the public generator matrix into A ∈ Fℓ×n
q
(k−ℓ)×n
and B ∈ Fq , hence the ciphertext is

c = m1 A + rB + e.

The attacker can now compute

c1 = m1 A,
c2 = m2 A.

Taking these away from the received ciphertext, the attacker gets

c − c1 = rB + e,
c − c2 = rB + (m1 − m2 )A + e.

However, the only way to recover r or e is to solve the SDP.

Note that in [170] the authors gave conversions of the McEliece system to achieve CCA2
security.
For digital signature schemes, we have a similar notion to CCA and CPA, called Existential
UnForgeability under Chosen Message Attack (EUF-CMA).
The new game works as follows.

1. The challenger generates a secret key S and a public key P and sends P to the attacker.

2. The attacker chooses messages m1 , . . . , mN and sends them to the challenger.

3. The challenger generates the signatures (σ1 , . . . , σN ) and sends them to the attacker.

4. The attacker wins, if the attacker is able to generate a valid signature σ for some message
m ̸= mi .

The signature scheme is called EUF-CMA secure if no (efficient) adversary has a non-
negligible advantage in winning the game. Note that EUF-CMA security, thus, also asks for
signatures to behave indistinguishably from some random distribution.

127
6 Historical Overview
There have been many proposals especially for the McEliece framework. We will here only
list a small choice of them, which we hope represent well the major difficulties in proposing
new code-based cryptosystems.
McEliece proposed to use binary Goppa codes for his framework, and while the initially
proposed parameters are now broken with information set decoding [71], algebraic attacks are
only known for specific parameter sets of Goppa codes [106, 119]. In fact, for most parameter
sets, there is no algebraic property of binary Goppa codes known which distinguishes them
from a random code. The drawback of binary Goppa codes, however, is that they can only
correct a small amount of errors, leading to large generator matrices for cryptosystems to
reach a fixed security level, resulting in large key sizes.
Other proposals have tried to avoid this problem by using other classes of algebraic codes.
Several proposals are based on GRS codes, since these codes have the largest possible error
correction capability, but were ultimately broken: Sidelnikov-Shestakov proposed an attack
[247] which recovers parameters for the Niederreiter scheme [206], where GRS codes were
originally proposed.
Attempts to avoid this weakness [66, 43, 45, 48, 78, 168, 206, 167, 62] were often unsuc-
cessful, as GRS codes can be distinguished from random codes with the help of the square
code [268, 101, 107, 102, 178], since the square code of a GRS code has a very low dimension.
Other proposals have been made using non-binary Goppa codes [72], algebraic geometry
codes [161], LDPC and MDPC codes [47, 200, 199], Reed-Muller codes [248] and convolutional
codes [189], but most of them were unsuccessful in hiding the structure of the private code
[105, 106, 173, 198, 208].

The first rank-metric code based cryptosystem called GPT was proposed in 1991 by
Gabidulin, Paramonov and Tretjakov [127]. The authors suggest the use of Gabidulin codes,
which can be seen as the rank-metric analog of GRS codes. Similar to the distinguisher on
GRS codes, namely the square code attack, also Gabidulin codes suffer from a distinguisher
by Overbeck [211] using the Frobenius map. The GPT system was then generalized in [221],
but still suffers from an extended Frobenius distinguisher [156]. Since this proposal some
authors have tried to fix this security issue by tweaking the Gabidulin code [64, 220]. Other
rank-metric systems include [187, 128, 155].

Next, we want to list some of the most important proposals for code-based signature
schemes. The first code-based signature scheme was proposed in 2001 by Courtois, Finiasz and
Sendrier (CFS) [99]. Again this can be considered as a framework, but the code suggested by
the authors was a high rate Goppa code, for which, unfortunately, a distinguisher exists [119].
Another way to approach this problem is to relax the weight condition on the error vector.
This idea has been followed in [44] where low-density generator matrices were proposed, in
[142], where convolutional codes were suggested, and in [180], where they use Reed-Muller
codes. The proposals [44, 142] have been attacked in [216, 201] respectively.
Also notable are the signature schemes in [163, 164, 60, 132], which can at most be
considered as one-time signatures due to the attack in [89, 207].
In [152] the authors propose binary (U, U + V ) codes in a signature scheme and the
security relies on the problem of finding a closest codeword. However, the hull of such a code
is typically much larger than for a random linear code of the same length and dimension.
Thus, this proposal has been attacked in [109]. This problem has later been solved by the

128
 Code proposed in attack

Goppa [195, 14]

Wild Goppa [72] [106]
Interleaved Goppa [118]
GRS [206] [247]
Twisted RS [62] [178]
low-codimensional subcodes of GRS [66] [268]
Sum of GRS [43, 168] [101]
Expanded GRS [167] [102]
Subspace Subcodes of GRS [65] [102]
GRS and random columns [264, 267] [103]
(U, U + V ) RS [192]
Reed-Muller [248] [80, 198]
Polar [246] [115]
Algebraic geometry [161] [105, 104]
LDPC [47, 200] [208]
MDPC [199] [208]
Convolutional [189] [173]
Ordinary concatenated [238] [239]
Generalized concatenated [219]

Table 20: Proposals for the McEliece Framework

Code proposed in attack

Gabidulin [127, 221] [211, 156]

Subspace subcodes of Gabidulin [64]
Twisted Gabidulin [220]

Table 21: Proposals for the GPT framework

authors of Wave [110], by using generalized (U, U + V ) codes over the ternary and basing
the security on the farthest codeword problem. In addition, Wave provides a proof of the
preimage sampleable property (first introduced in [139]), which thwarts all attacks trying to

129
 Code proposed in attack

GRS (list decoding) [33] [98]

Gabidulin (list decoding) [120] [130]
Interleaved Gabidulin [262, 226, 225] [79]
Gabidulin [177] [79]

Table 22: Proposals for the AF framework

exploit the knowledge of signatures.

In [250] the authors propose a code-based signature scheme from the Lyubashevsky frame-
work, which was then broken in [17].
Also the code-equivalence problem has been used for a code-based signature scheme in
[75], which was attacked in [74]. The LESS signature scheme resolved the vulnerability in
[37].
A one-time signature scheme from quasi-cyclic codes has been proposed in [213]. Also this
proposal has been attacked in [234].
The signature scheme RaCoSS [232] submitted to NIST standardization process is similar
to the hash-and-sign approach of CFS but depending on some Bernoulli distributed vector.
This proposal has been broken (either see [269] or the comment section on the NIST website1 ).
Finally, the signature scheme pqsigRM [180] is an adaption of the broken CFS scheme
[99], where the authors propose the use of Reed-Muller codes instead of Goppa codes, this
proposal has also been cryptanalyzed2 .

In the rank metric, one of the most notable signature schemes is that of RankSign [27],
which has been attacked in [111]. Other rank-metric signature schemes include Durandal
[25], which is in the Lyubashevsky framework and MURAVE [175]. Note that, even though
Durandal has an EUF-CMA security proof, it has recently been broken [26].

Due to the Fiat-Shamir transform, we also include code-based ZK protocols here, although
the proposals until now all suffer from large signature sizes. The ZK protocols usually use
random codes, thus we will often not specify a particular proposed code.
The first code-based ZK protocol was proposed by Stern in 1993 [252] and recently after
also by Véron [261]. In this survey we have covered two improvements on their idea, namely
CVE [90] and AGS [3].
In a recent paper [42] the authors propose to use restricted error vectors in CVE, which
leads to smaller signature sizes.
Another approach to reduce the signature sizes is the quasi-cyclic version of Stern’s ZK
protocol, proposed in [76].
Also rank-metric ZK protocols have been proposed in the recent paper [63], with the aim
of turning it into a fully fledged rank-metric signature scheme.
1
[Link]
official-comments/[Link]
2
[Link]
official-comments/[Link]

130
7 Submissions to NIST
In 2016 the National Institute of Standards and Technology (NIST) started a competition to
establish post-quantum cryptographic standards for public-key cryptography and signature
schemes. Initially, 82 proposals were submitted of which 69 could participate in the first
round. 19 of these submissions were based on coding theory.
In 2020, the third round was announced. Of the initial candidates, 9 public-key systems
and 6 signature schemes still remain in this round. Three of the 9 public-key cryptosystems
are code-based, one of them being Classic McEliece [14], a Niederreiter-based adaption of the
initial McEliece cryptosystem.
The other two candidates put effort on avoiding the drawback of large public-key sizes.
BIKE [20] achieves this by combining circulant matrices with MDPC codes, whereas HQC
[5] is a proposal based on the quasi-cyclic scheme, which does not require using the algebraic
structure of the error-correcting code.
In this section, we will study these candidates in depth, for this we provide tables sum-
marizing the submissions that were eliminated in round 1, round 2 and finally the finalists of
round 3.
Table 23 contains all public-key encryption and key-encapsulation mechanism candidates,
which were eliminated in round one. All candidates use the Hamming metric (HM) or the
rank metric (RM). Key sizes will be given in kilobytes, pk denotes the public key and sk the
secret key.
Due to space limitations, we will sometimes abbreviate the McEliece framework with MF,
the Niederreiter framework with NF, the framework of Alekhnovich by AF, the quasi-cyclic
framework by QCF and finally a Diffie-Hellman approach by DH.
In addition to acronyms that were already introduced, we also abbreviate quasi-cyclic
(QC), Ideal Code (IC) and double-circulant (DC).
The given key sizes are for the parameter sets that were proposed for 128 bits of security
(however, some proposals contained multiple suggestions for parameter sets for this security
level).
All data is taken from the supporting documentations of the NIST proposals BIG QUAKE
[51], DAGS [49], Edon-K [141], LAKE [23], LEDAkem [39], LEDApkc [40], Lepton [271],
LOCKER [24], McNie [136], Ouroboros-R [7], QC-MDPC KEM [270], Ramstake [255] and
RLCE-KEM [264].

The reason for the drop out of BIG QUAKE was mainly discussed at CBC 20193 , and is
due to the large key sizes of the proposal, as it is ”still worse than completely unstructured
lattice KEM.” The reason for Lepton’s drop out, is a security issue that can be found in the
comment section of the NIST website4 .

3
[Link]
4
url[Link]
1/official-comments/[Link]

131
 Candidate Framework Code Metric Pk Size Reason for Drop Out
BIG QUAKE NF QC Goppa HM 25 − 103 large key sizes
DAGS MF dyadic GS HM 8.1 broken [55]
Edon K MF binary Goppa HM 2.6 broken [184]
LAKE NF IC, DC, LRPC RM 0.4 merged (ROLLO)
LEDAkem NF QC LDPC HM 3.5 − 6.4 merged (LedAcrypt)
LEDApkc MF QC LDPC HM 3.5 − 6.4 merged (LedAcrypt)
Lepton AF BCH HM 1.0 cryptanalysis
LOCKER NF IC, DC, LRPC RM 0.7 merged (ROLLO)
McNie MF/NF QC LRPC RM 0.3 − 0.5 broken [28] [174]
Ouroboros-R QCF DC LRPC RM 1.2 merged (ROLLO)
QC-MDPC KEM MF QC MDPC HM 1.2 − 2.6 N/A
Ramstake DH RS HM 26.4 broken [256]
RLCE-KEM MF GRS HM 118 − 188 broken [103]

Table 23: Code-based PKE/KEM submissions to NIST, eliminated in round 1

In Table 24 we list all code-based signature schemes that were eliminated during round
one, which in every case was due to cryptanalysis.
The table contains their signature sizes, public key sizes, secret key sizes (all in kilobytes)
and the recommended number of rounds necessary to ensure verification with a very high
probability.
For this a security level of 128-bit is fixed in the respective scheme. The signature size
of pqsigRM is taken from [181], all other data is taken from the supporting documentations
pqsigRM [180], RaCoSS [232] and RankSign [27].

Candidate Signature Size Pk Size Sk Size Rounds

pqsigRM 0.5 262 138 100
RaCoSS 0.3 169 100 100
RankSign 1.4 − 1.5 10 1.4 − 1.5 N/A

Table 24: Code-based signature submissions to NIST, eliminated in round 1

Table 25 contains all PKE/KEM candidates that were eliminated during round two. There
are no code-based signature schemes that made it to round two or further.

132
 All data is taken from the supporting documentations of LEDAcrypt [41], NTS-KEM [13],
ROLLO [4] and RQC [6].

Candidate Framework Code Metric Pk Size Reason for Drop Out

LEDAcrypt McE/N QC LDPC HM 1.4 − 2.7 broken [16]
NTS-KEM Niederreiter binary Goppa HM 319 merged (Classic McE)
ROLLO Niederreiter IC, LRPC RM 0.7 cryptanalysis [52]
RQC Quasi-Cyclic IC, Gabidulin RM 1.8 N/A

Table 25: Code-based PKE/KEM submissions to NIST, eliminated in round 2

Finally, there are three candidates that made it to the final round, round three. Classic
McEliece, as main candidate, and BIKE and HQC as alternative candidates.
As before, the public key (pk) size is given in kilobytes, data is taken from the proposed
parameters for the 128-bit security level.

Candidate Framework Code Metric pk size

Classic McEliece Niederreiter binary Goppa Hamming 261
BIKE Niederreiter MDPC Hamming 1.5
HQC Quasi-Cyclic decodable code of choice, QC Hamming 2.2

Table 26: Final round code-based PKE submissions to NIST

133
7.1 Round 4 Candidates: Classic McEliece, BIKE and HQC
In this section, we present the three code-based proposals Classic McEliece, BIKE and HQC,
which are in the fourth round of the NIST standardization call from 2016. For each one, we
give a mathematical description and the proposed parameters.

7.1.1 Classic McEliece

The NIST submission Classic McEliece uses the Niederreiter framework (Section 3.2) with
binary Goppa codes (Definition 49) as secret codes. This subsection is based on the round 3
submission [14].
Let us start with the description of the scheme. Let m be a positive integer, q = 2m ,
n ≤ q and t ≥ 2 be positive integers such that mt < n and set k = n − mt.
Further, pick a monic irreducible polynomial f (z) ∈ F2 [z] of degree m and identify Fq
with F2 [z]/f (z). Note that under this identification, every element in F2m can be written as

u0 + u1 z + . . . + um−1 z m−1

for a unique vector (u0 , u1 , . . . , um−1 ) ∈ Fm

2 .
With these preliminaries set, we can describe the public-key encryption scheme:

• Key Generation:

1. Generate a random monic irreducible polynomial g(x) ∈ Fq [x] of degree t and n

random distinct elements α1 , . . . , αn ∈ Fq .
2. Compute a parity-check matrix H̃ = {h̃ij }ij of the binary Gopppa code with
parameters (g, α1 , . . . , αn ) by computing h̃ij = αji−1 /g(αj ).
3. Apply an invertible matrix to H̃ and permute the columns of this matrix to get a
matrix in systematic form H = (Idn−k |T).
Denote with (α1′ , . . . , αn′ ) the n-tuple obtained by applying the same permutation
to (α1 , . . . , αn ).
Note that (Idn−k |T) is a parity-check matrix of the Goppa code defined by (g, α1′ , . . . , αn′ ).

• Private Key: The private key is the (n + 1)-tuple Γ′ = (g, α1′ , . . . , αn′ ).

• Public Key: The public key is the (n − k) × (n − k) matrix T and the number t.

• Encryption: Encode the message as weight t vector e ∈ Fn2 and compute

c0 = He⊤ ∈ F2n−k .

• Decryption: Extend c0 to v = (c⊤ n ′

0 , 0, . . . , 0) ∈ F2 . The parameters Γ of the private
key define a Goppa code, so we can use a decoding algorithm for Goppa codes to find
a codeword c with distance ≤ t to v (if it exists).

We then recover e as e = v + c and check that it indeed satisfies He⊤ = c0 and is of

weight t.

134
Remark 273. The decryption works for the following reason: we have that H = (Idn−k |T), so

Hv⊤ = Idn−k c0 = c0 .

Thus, it follows that

H(v + e)⊤ = 0,
and c = v + e is a codeword of the Goppa code defined by Γ′ .
Since this code has minimum distance at least 2t + 1, we get that v + e is also the unique
codeword of distance up to t from v, so we may recover the error vector as e = v + c.

7.1.2 Proposed Parameters for Classic McEliece

We give an overview of the proposed parameter sets, input and output sizes for the expected
security levels. Level 1 corresponds to 128 bits, level 3 corresponds to 192 bits and level 5
corresponds to 256 bits of security. The key sizes and ciphertext size are given in bytes.

Parameter set m n t Public key Private key Ciphertext Security level

mceliece348864 12 3488 64 261120 6492 128 1
mceliece460896 13 4608 96 524160 13608 188 3
mceliece6688128 13 6688 128 1044992 13932 240 5
mceliece6960119 13 6960 119 1047319 13948 226 5
mceliece8192128 13 8192 128 1357824 14120 240 5

Table 27: Parameters for Classic McEliece

The Classic McEliece submission is considered the main candidate for standardization
by NIST. It is clearly based on the original proposal of McEliece [195] and thus a rather
conservative choice by NIST. The main advantage of Classic McEliece is thus its well studied
security, as there are no known algebraic attacks on the original proposal of McEliece since
1978, but it still suffers from the same disadvantage, i.e., the large size of its public keys.

7.1.3 BIKE
The NIST submission Bit Flipping Key Encapsulation (BIKE) combines circulant matrices
with the idea of moderate density parity-check matrices (Definition 74). The usage of circulant
matrices keeps key sizes small while using moderate density parity-check matrices allows
efficient decoding with a Bit-Flipping algorithm. We follow the NIST round 3 submission [20]
and give a ring-theoretic description of the system. Note however that BIKE can also be fully
described with matrices.
Let r be prime number such that 2 is primitive modulo r, i.e., 2 generates the multiplicative
group Z/rZ⋆ . The parameter r denotes the block size, √ from which we obtain the code length
n = 2r. We √ further pick an even row weight w ≈ n such that w/2 is odd and an error
weight t ≈ n.

135
 We then set R := F2 [x]/(xr − 1). Any element a ∈ R can be represented as polynomials
of degree less or equal than r − 1 and can uniquely be written as linear combination of the
form
r−1
X
a= ai xi ,
i=0

where ai ∈ F2 for all i ∈ {0, 1, . . . , r − 1}.

This gives us a natural notion of the weight of a, which we denote with wt(a), i.e.,

wt(a) = |{i ∈ {0, 1, . . . , r − 1} | ai ̸= 0}|.

Remark 274. The choice of r ensures that the irreducible factors of xr − 1 are x − 1 and
xr−1 + xr−2 + · · · + 1 (see Exercise 277). As a consequence of this, an element a ∈ R is
invertible if and only if wt(a) is odd and wt(a) ̸= r.

• Key Generation: Pick a pair (h0 , h1 ) ∈ R2 such that wt(h0 ) = wt(h1 ) = w/2. Then
compute h = h1 h−1
0 ∈ R.

• Private Key: The private key is the pair (h0 , h1 ).

• Public Key: The public key is the element h ∈ R and the integer t.

• Encryption: The message gets encoded as error (e0 , e1 ) ∈ R2 such that wt(e0 ) +
wt(e1 ) = t and then encrypted as s = e0 + e1 h.

• Decryption: We compute sh0 = e0 h0 + e1 h1 . Since h0 and h1 are of moderate density,

this can be decoded efficiently with a Bit-Flipping algorithm to recover the pair (e0 , e1 ).

Remark 275. The difficulty of attacking BIKE lies in finding an element h̃ ∈ R of at most
moderately high weight, such that hh̃ is also of at most moderately high weight.
Remark 276. BIKE can also be described with matrices: for
r−1
X
a= ai xi ∈ R
i=0

and
r−1
X
b= bi xi ,
i=0

we are considering the code with parity-check matrix

 
a a1 · · · ar−2 ar−1 b0 b1 · · · br−2 br−1
 0 
 ar−1 a0 · · · ar−3 ar−2 br−1 b0 · · · br−3 br−2
 

 . .. .. ..
 
H =  .. .. ..
. . .

 . . . 
 
 a2 a3 · · · a0 a1 b2 b3 · · · b0 b1 
 
a1 a2 · · · ar−1 a0 b1 b2 · · · br−1 b0

136
 Pr−1 Pr−1
In this case, the errors e0 = i=0 e0,i xi and e1 = i=0 e1,i xi may be viewed as vectors

ẽj = (ej,0 , ej,r−1 , ej,r−2 , . . . , ej,1 )

for all j ∈ {1, 2}. We then compute syndromes by

H(ẽ1 | ẽ2 )⊤ .

Exercise 277. Let r be a prime such that 2 generates Z/rZ⋆ . Show that the irreducible factors
of xr − 1 ∈ F2 [x] are x − 1 and xr−1 + xr−2 + · · · 1. You may use the following steps:

1. Let p(x) be a monic irreducible factor of xr−1 + xr−2 + · · · + 1 and α a root of p(x) in
the algebraic closure. Show that r is the smallest positive integer such that αr = 1.
 n
2. Justify that the roots of p(x) are the elements of the set α(2 ) | n ∈ N≥1 .
 n
3. Show that α(2 ) | n ∈ N≥1 contains exactly r − 1 elements and conclude that p(x) =
xr−1 + xr−2 + · · · + 1.

7.1.4 Proposed Parameters for BIKE

We now present the proposed parameters for three levels of security, where again level 1 is
128 bits of security, level 3 is 192 bits, and level 5 is 256 bits of security. We also include an
estimate for the decoding failure rate (DFR) and key and ciphertext sizes in bytes.

Security r w t Private key Public key Ciphertext DFR

Level 1 12323 142 134 281 1541 1573 2−128
Level 3 24659 206 199 419 3083 3115 2−192
Level 5 40973 274 264 580 5122 5154 2−256

Table 28: Parameters for BIKE

It can be seen that BIKE has small public key sizes, which is a big advantage over the
other systems.

7.1.5 HQC
The submission Hamming Quasi-Cyclic (HQC) is based on the quasi-cyclic framework (see
Section 3.4) and uses a combination of a decodable code of choice and circulant matrices.
The third round proposal suggests to use concatenated Reed-Muller and Reed-Solomon
codes (Definitions 78, 75, 44), in the initial NIST submission [8, Section 1.6] a tensor product
code of a BCH and a repetition code was proposed. An important feature of HQC is the fact
that the used codes are not secret.
We follow the NIST submission [5] for the detailed description.
Let n be such that (xn − 1)/(x − 1) is irreducible over F2 . We pick a positive integer
k < n and an [n, k] linear code C with an efficient decoding algorithm, whose error correcting

137
capacity
√ is given by t. We are further given error weights w, wr and we , all in the range of
n n
2 . We set R := F2 [x]/(x − 1). Recall that any element a ∈ R can be written as

a = an−1 xn−1 + an−2 xn−2 + . . . + a0

for unique a0 , a1 , . . . , an−1 ∈ F2 . For such an element we denote its Hamming weight as
wtH (a) = |{i ∈ {0, 1, . . . , n − 1} | ai ̸= 0}|.
n
Pn−1alsoi that we can identify a vector a = (a0 , a1 , . . . , an−1 ) ∈ F2 with the element a =
Note
i=0 ai x ∈ R and vice versa. In the following description any bold letter, e.g. u, refers to
the associated vector in Fn2 of an element in R, e.g. u ∈ R.

• Key Generation: Given the parameters (n, k, t, w, we , wr ), choose a generator matrix

G of the code C and generate a random h ∈ R.
• Private Key: The private key is a randomly generated pair (y, z) ∈ R2 such that
wtH (y) = wtH (z) = w.
• Public Key: We compute s = y + hz ∈ R. The public key is given by (G, h, s, t).
• Encryption: We randomly generate an element e ∈ R such that wt(e) = we and a pair
(r1 , r2 ) ∈ R2 such that wtH (r1 ) = wtH (r2 ) = wr .
Let m ∈ Fk2 be the message, which gets encrypted as the pair c = (u, v) ∈ R2 , where
u = r1 + hr2 and v = mG + sr2 + e.
• Decryption: As mentioned in the quasi-cyclic framework, we compute that
v − uz = mG + (yr2 − r1 z + e).
The term yr2 − r1 z + e has Hamming weight ≤ t with high probability (this follows
non-trivially from the choice of the parameters). If this is the case, we can use the
decoding algorithm of C to recover the message m.

7.1.6 Proposed Parameters for HQC

The following table contains the proposed parameters for HQC together with an upper es-
timate on the decoding failure rate (DFR) and ciphertext size and key sizes. The key and
ciphertext sizes are given in bytes and as before, security levels 1,3 and 5 correspond to
128-bit, 192-bit and 256-bit security respectively.

Security n w wr = we Public key Private key Ciphertext DFR

Level 1 17669 66 75 2249 40 4481 2−128
Level 3 35851 100 114 4522 40 9026 2−192
Level 5 57637 131 149 7245 40 14469 2−256

Table 29: Parameters for HQC

The advantages of HQC are its efficient implementation and its small key sizes. However,
HQC suffers from a low encryption rate.

138
7.2 Code-Based Signature Schemes
In 2023, NIST has opened an additional standardization call for post-quantum signature
schemes. Out of the 50 submitted schemes, 40 have been found complete and proper and
have been published as official round 1 candidates.
Among the 40 schemes, we find

12 multivariate schemes,

7 lattice-based schemes,

4 symmetric schemes,

1 isogeny-based scheme,

5 schemes that have been grouped as “other”,

11 code-based schemes.

Within the first 2 months, 11 of the schemes have been attacked. At the moment of this
writing, we have 29 surviving schemes, out of which we find

9 multivariate schemes,

5 lattice-based schemes,

4 symmetric schemes,

1 isogeny-based scheme,

1 scheme that has been grouped as “other”,

9 code-based schemes.

The interested reader can compare the 29 survivors on

[Link]

In the following, we will only consider the 11 submitted code-based signatures.

139
 Recall the three different approaches to construct a signature scheme, with the benefits
and limitations:

Hash-and-Sign
Needs Limitations Advantages
Trapdoor Large public keys Small signatures
Secret code Slow signing
ZK Protocol and Fiat-Shamir Transform
Needs Limitations Advantages
Hard problem Large signatures Small public keys
ZK Protocol and MPCitH
Needs Limitations Advantages
Hard problem Slow signing Small signatures
(N − 1)-private MPC Slow verifying Small public keys

Table 30: Comparison of the different techniques to construct a code-based signature scheme.

7.2.1 Hash-and-sign schemes

Let us start with the three code-based hash-and-sign schemes.

Trapdoor Secret Code Scheme Comment

Lee SDP Quasi-cyclic code FuLeeca Broken
SDP Reed-Muller code Enhanced pqsigRM Broken
SDP (U, U + V )-code WAVE Large public keys

Table 31: Hash-and-sign schemes submitted to the additional call of NIST for signature
schemes.

1. FuLeeca

FuLeeca [228] is the first cryptosystem based on the Lee metric. It uses a secret quasi-
cyclic code with low Lee weight generators a, b, i.e., wtL (a, b) = wkey , defining the two
circulant matrices A, B which give the secret generator matrix
 
G= A B .

The public generator matrix is given by G in systematic form,

 
G′ = Idk T ,

140
 Level Public key size Signature size Signing time Verification time
I 1.3 1.1 1803 1.4
III 1.9 1.6 2139 2.5
V 2.6 2.1 11805 3.8

Table 32: Performance of FuLeeca. Sizes are in kilobytes and timings in MCycles.

for
T = A−1 B.
Clearly, it is enough to publish one row of T.

In order to sign a message m, the signer hashes m getting c = Hash(m) and iteratively
searches for a small x, such that v = xG satisfies two conditions

(a) wtL (v) ∈ [wsig − 2wkey , wsig ],

(b) LMP(v, c) > λ + 64.

The first assumption ensures that an impersonator has to solve the Lee SDP in order
to forge a signature, and the second conditions binds the message to the signature.
On a high level, the hash of the message should have many signs matching with the
codeword. By setting their LMP larger than λ, one ensures that an impersonator has
to go through 2λ randomly chosen v before finding enough signs matching. Since the
codeword v = (y, yT), he signature is then given by y.
A verifier first recovers v = (y, yT) checks exactly these two conditions

(a) wtL (v) ∈ [wsig − 2wkey , wsig ],

(b) LMP(v, c) > λ + 64,

in order to accept the signature y.

The signature scheme shines with very small public key and signature sizes, one of the
only code-based schemes to achieve both.
Unfortunately, the scheme was broken by van Woerden and Hörmann. The attack makes
use of the following facts:

• The x used to get the codeword v = xG mod p is chosen so small, there is no

modular reduction necessary. That is v = xG also over Z. This allows the attackers
to directly use the integer lattice L(G).
• The quasi-cyclic structure of the code
 allows
 the attackers further to only search
for a solution in one part, i.e., G = A B and it is enough to work with L(A).
• Finally, using BKZ [236], the attacker can find short Euclidean vectors in L(A).
Usually, one would expect exponentially many such short vectors and only very
few of those are also of small Lee weight. However, the chosen instances of FuLeeca
allow for this attack to work fast.

141
 Level Public key size Signature size Signing time Verification time
I 2000 1.03 2.2 0.2

Table 33: Performance of Enhanced pqsigRM. Sizes are in kilobytes and timings in MCycles.

2. Enhanced pqsigRM

This proposals [94] follows closely the original idea of CFS using a modified Reed-Muller
code.
Thus, the secret code is given by a Reed-Muller code having parity-check matrix H and
the public code is a scrambled parity-check matrix H′ = HP. Upon a message m, one
hashes the messages Hash(m) and hopes that it is the syndrome of a low weight vector
e, i.e., eH⊤ = Hash(m). In this case, one sends eP as signature. The verifier can easily
check that ePP⊤ H⊤ = Hash(m).
Note that a scrambled Reed-Muller code can be distinguished and the secret code can
be recovered using the attack [198]. Thus, Enhanced pqsigRM proposes a modified
Reed-Muller code. Recall from Section 2, that Reed-Muller codes are(U, U + V ) codes.
The original attack makes use of the fact that the hull of such a code, i.e., C ∩ C ⊥ only
consists of (U, U )-codewords, which helps to reveal the secret code. To avoid this, the
proposed code is designed so that dim(U ⊥ ∩ V ) is large.
Nevertheless, Enhanced pqsigRM has been broken by Debris-Alazard, Loisel and Vasseur
again exploiting the (U, U + V ) structure to recover the secret code.

3. WAVE

WAVE [50] is a hash-and-sign scheme, whose trapdoor is based on permuted generalized

(U, U +V )-codes. Unlike most code-based schemes, WAVE does not rely on finding small
weight codewords, but rather large weight codewords. In fact, until the Hamming weight
q−1
q (n − k) it is hard to find low weight codewords and similarly after the Hamming
q−1
weight k + q (n − k) it is again hard to find large weight codewords.

Again a signer starts with a secret generalized (U, U + V ) code and scrambles it to
publish the parity-check matrix H′ = HP.
Upon a message m the signer computes the hash Hash(m) and hopes that it is the
syndrome of a large weight vector, i.e., Hash(m) = eH⊤. In order to find such large
weight e, WAVE makes use of the secret generalized (U, U + V ) code and performing
ISD in the V part.
In this case, the signer sends the signature eP. A verifier can then easily check that
Hash(m) = ePP⊤ H⊤ .
The main advantage of WAVE is in its security, in fact a large amount of work has been
performed using rejection sampling and smartly choosing the distribution, such that the
preimage sampleable property is achieved, which thwarts all attacks trying to exploit
the knowledge of signatures.
As limitations, WAVE has quite large public key sizes in the range of 3 MB.

142
 Level Public key size Signature size Signing time Verification time
I 3677 0.8 1160 205
III 7867 1.2 3507 464
V 13632 1.6 7936 813

Table 34: Performance of WAVE. Sizes are in kilobytes and timings in MCycles.

7.2.2 ZK Protocols and Fiat-Shamir Transform

In the additional call 3 code-based signature schemes using ZK protocols have been submitted,
namely CROSS based on restricted errors, LESS based on LEP and MEDS based on MCE.
Let us start with the three code-based hash-and-sign schemes.

Hard Problem Scheme Comment

Restricted SDP CROSS
LEP LESS Large total size
MCE MEDS Large total size

Table 35: Signatures from ZK protocols submitted to the additional call of NIST for signature
schemes.

1. CROSS

The signature scheme CROSS [38] uses an adapted version of the code-based ZK protocol
CVE (see Section 4.2). However, instead of using SDP and thus σ a linear isometry
in the Hamming metric, CROSS relies on the Restricted SDP. This allows not only to
represent vectors e ∈ En using only the exponents ℓ(e) ∈ Fnz , thus having size n⌈log2 (z)⌉,
but also the maps that act transitively on En are given by componentwise multiplication
with vectors in En .

CROSS makes use of several techniques to compress sizes, such as Merkle trees and and
weighted challenge vectors, b ∈ {0, 1}t . In fact, seeing that one of the responses (where
bi = 1) has a much smaller size to send than the other, in order to reduce the signature
size one would sample challenge vectors b of large weight. Note that this information
could potentially be used by an attacker. Thus, CROSS adapted the forgery attack [165]
in order to choose the weight w of b and the number of rounds t, in a secure way.

CROSS provides several variants, one relying on Restricted SDP, denoted by R-SDP,
one relying on Restricted SDP in a subgroup G, denotes by R-SDP(G). The “f” variant
stands for fast, the “b” variant provides a balanced solution and the “s” variant provides
a small solution.

143
 Variant Level Public key size Signature size Signing time Verification time
R-SDP-f I 0.06 19 1.28 0.78
R-SDP-b I 0.06 12 2.38 1.44
R-SDP-s I 0.06 10 8.96 5.84
R-SDP(G)-f I 0.03 12 0.94 0.55
R-SDP(G)-b I 0.03 9.2 1.85 1.09
R-SDP(G)-s I 0.03 7.9 6.54 3.96
R-SDP-f III 0.09 42 2.75 1.69
R-SDP-b III 0.09 28 4.97 2.89
R-SDP-s III 0.09 23 12.2 6.8
R-SDP(G)-f III 0.06 27 2.04 1.21
R-SDP(G)-b III 0.06 23 2.63 1.53
R-SDP(G)-s III 0.06 18 9.67 5.61
R-SDP-f V 0.12 76 4.93 3.04
R-SDP-b V 0.12 51 8.26 5
R-SDP-s V 0.12 43 15.69 9.37
R-SDP(G)-f V 0.07 48 3.93 2.32
R-SDP(G)-b V 0.07 40 4.99 2.96
R-SDP(G)-s V 0.07 32 14.12 7.73

Table 36: Performance of CROSS. Sizes are in kilobytes and timings in MCycles.

144
 Variant Level Public key size Signature size Signing time Verification time
LESS-1b I 13.7 8.4 878.7 890.8
LESS-1i I 41.1 6.1 876.6 883.6
LESS-1s I 95.9 5.2 703.6 714.7
LESS-3b III 34.5 18.4 7224 7315
LESS-3s III 68.9 14.1 8527 8608
LESS-5b V 64.6 32.5 33787 34014
LESS-5s V 129 26.1 22621 22703

Table 37: Performance of LESS. Sizes are in kilobytes and timings in MCycles.

2. LESS

LESS [37] is a code-based signature scheme based on LEP and using a ZK protocol with
the Fiat-Shamir transform.
On a high level, the idea of LESS is as follows. A prover publishes G ∈ Fqk×n chosen at
random and chooses a secret permutation matrix P and a v ∈ (F⋆q )n at random. The
prover computes and publishes G′ = GPdiag(v), while the monomial transformation
Pdiag(v) is kept secret. In order to prove knowledge of the monomial transformation,
the prover also computes the commitment G′′ = GP′ diag(v′ ) for some permutation
matrix P′ and v′ ∈ (F⋆q )n . The prover can thus easily provide the monomial transfor-
mation from G to G′′ (being P′ diag(v′ )) or the linear isometry from G′ to G′′ (being
P−1 diag(v)−1 P′ diag(v′ )) without revealing any information on the secret monomial
from G to G′ (being Pdiag(v)).
Clearly such ZK protocol comes with a cheating probability of 1/2. LESS decreases the
cheating probability by using multiple public keys. In more details, one chooses several
monomial transformations Q1 , . . . , QN and publishes GQ1 , . . . , GQN . The verifier now
chooses from which GQi the monomial transformation to G′′ should be revealed, thus
increasing the challenge space to N + 1 and the cheating probability to N 1+1 .
Since the G was chosen at random it is enough to send a seed as public key. A draw-
back that comes with LESS is that the commitments and the responses are structured
matrices, thus needing a lot of bits to be sent.
LESS also makes use of several compression techniques such as seed trees and weighted
challenges.
Also LESS provides several variants: a balanced configuration, denoted with “b”, where
public key and signature are roughly of the same size, and a small configuration, denotes
with “s”, providing a small signature at the cost of larger public keys. Finally, for level
I also an intermediate configuration, denoted with “i” is given.
Note that at the moment of this writing, the contributors of LESS suggested a novel
approach to shorten the signatures. In [96] the authors propose to use canonical forms
of matrices, this corresponds to a short representative of a certain equivalence class.
As a first step, the monomial transformations are split as (P, v, P′ , v′ ) for P a k × k

145
 Variant Level Public key size Signature size
LESS-1c I 13.9 2.4
LESS-1f I 41.8 1.8
LESS-3c III 35 5.6
LESS-3f III 105.2 4.4
LESS-5c V 65.8 10
LESS-5f V 197.3 7.8

Table 38: New sizes of LESS. Sizes are in kilobytes.

permutation matrix, P′ a (n − k) × (n − k) permutation matrix and v ∈ (F⋆q )k , v′ ∈

(F⋆q )n−k , thus getting G and G′ are monomially equivalent if there exist (P, v, P′ , v′ )
such that  
Pdiag(v) 0
G = SG′  ,
0 P′ diag(v′ )
for some S ∈ GLk (q).
Since one sends the generator matrices in systematic form, this allows the authors to
restrict the monomial transformation to the redundant k × (n − k) part and only send
P−1 diag(v)−1 P′ diag(v′ ).
The resulting sizes are much smaller now, as shown in Table 38.

3. MEDS

MEDS [95] uses the same strategy as LESS, but adapted to matrix codes and the rank
metric.
A prover publishes G1 , . . . , Gk ∈ Fm×n q chosen at random and chooses the secret ma-
trices A ∈ GLm (q), B ∈ GLn (q) at random. The prover computes and publishes
G′i = AGi B, while the rank-metric isometry (A, B) is kept secret. In order to prove
knowledge of the monomial transformation, the prover also computes the commitment
G′′i = A′ Gi B′ for some A′ ∈ GLm (q), B ∈ GLn (q). The prover can thus easily provide
the transformation from C = ⟨G1 , . . . , Gk ⟩ to C ′ = ⟨G′′1 , . . . , G′′k ⟩ (being A′ , B′ ) or the
isometry from C ′ = ⟨G′1 , . . . , Gk ⟩ to C ′′ = ⟨G′′1 , . . . , G′′k ⟩ (being A′ A−1 , B−1 B′ ) without
revealing any information on the secret isometry from C to C ′ (being A, B).
The signature scheme MEDS also makes use of the same compression techniques as
LESS, namely seed trees, fixed weight challenges and multiple public keys.
Similar to LESS, also MEDS results in quite total sizes, being the size of the signature
added to the size of the public key.
The MEDS proposal also gives two different parameter sets for each security level, one
being tuned for small signatures, and the other for fast signing and verifying.

146
 Variant Level Public key size Signature size Signing time Verification time
MEDS-9923 I 9.9 9.8 518 515.6
MEDS-13220 I 13.2 12.98 88.9 87.48
MEDS-41711 III 41.7 41 1467 1462
MEDS-55604 III 55.6 54.7 387.3 380.7
MEDS-134180 V 134.2 132.6 1629.9 1612.6
MEDS-167717 V 167.7 165.5 961.8 938.9

Table 39: Performance of MEDS. Sizes are in kilobytes and timings in MCycles.

7.2.3 ZK Protocols and MPCitH

In the additional round for post-quantum signature schemes, one finds 5 code-based schemes
which are using ZK protocols and using the MPCitH technique.

Hard Problem MPC Scheme

SDP hypercube, threshold SDitH
Rank SDP hypercube additive RYDE
Relaxed PKP BG splitting PERK
MinRank additive hypercube, linearized polynomials MIRA
MinRank Kipnis-Shamir modeling MiRitH

Table 40: Signatures from ZK protocols and MPCitH technique submitted to the additional
call of NIST for signature schemes.

1. SDitH:

The SDitH signature scheme [10] relies on the SDP and an MPC protocol which ef-
ficiently checks whether a given shared input corresponds to the solution of a SDP
instance. The used MPC protocol is called hypercube technique [11] and instead tradi-
tional additive sharings, SDitH uses low-threshold linear secret sharings to exploit their
error-correcting feature, called threshold approach [22].

First of all, recall that due to the systematic form of a parity-check matrix
 
H = A Idn−k ,

any syndrome
s = (e, e′ )H⊤ = eA⊤ + e′ .
Thus, it is enough to use e for the secret sharing.

147
 Variant Level Public key size Signature size Signing time Verification time
SDitH-gf256-L1-hyp I 0.1 8.2 13.4 12.5
SDitH-gf251-L1-hyp I 0.1 8.2 22.1 21.2
SDitH-gf256-L1-thr I 0.1 10.1 5.1 1.6
SDitH-gf251-L1-thr I 0.1 10.1 4.4 0.6
SDitH-gf256-L3-hyp III 0.2 19.1 30.5 27.7
SDitH-gf251-L3-hyp III 0.2 19.1 51.1 49
SDitH-gf256-L3-thr III 0.2 24.9 14.8 4.9
SDitH-gf251-L3-thr III 0.2 24.9 11.7 1.5
SDitH-gf256-L5-hyp V 0.2 33.4 59.2 54.4
SDitH-gf251-L5-hyp V 0.2 33.4 94.8 91.3
SDitH-gf256-L5-thr V 0.2 43.9 30.5 10.2
SDitH-gf251-L5-thr V 0.2 43.9 23.9 3.2

Table 41: Performance of SDitH. Sizes are in kilobytes and timings in MCycles.

Let Fq = {f1 , . . . , fq } . The MPC protocol is based on four polynomials,

S(x), P (x), Q(x), F (x),

defined as
• S(x) ∈ Fq [x] of degree up to n − 1 such that S(fi ) = ei ,
• Q(x) ∈ Fq [x] of degree t = wtH (e′ , e) such that Q(x) = i∈supp(e′ ,e) (x − fi ),
Q

• F (x) ∈ Fq [x] of degree n such that F (x) = ni=1 (x − fi ),

Q

S(x)Q(x)
• P (x) ∈ Fq [x] of degree up to t − 1, such that P (x) = F (x) .

The correctness of the SDP solution amounts to verifying the relation:

S(x)Q(x) = P (x)F (x).

While F (x) is made public, the prover wants to convince the verifier of the knowledge
of P (x), Q(x), such that S(fi )Q(fi )) = P (fi )F (fi )) = 0 for all i ∈ {1, . . . , n}.
The soundness of the MPC protocol is based on the fact that wtH (e′ , e) = t is equivalent
to the existence of P (x), Q(x) of degree up to t−1, respectively t, such that S(x)Q(x) =
P (x)F (x). The parties thus get as shares (e, P (x), Q(x)), locally compute (e′ , e) and
S(x) by Lagrange interpolation and verify that S(x)Q(x) = P (x)F (x).
SDitH provides for each security level 4 parameter sets, two for the hypercube approach
and two for the threshold approach. There is a clear trade-off between the two variants,
as the hypercube approach achieves smaller signatures, while the threshold approach is
faster.

148
2. RYDE:

RYDE [18] is based on the Rank SDP and using the (ℓ, N )-threshold linear secret sharing
scheme as MPC protocol. For this a secret s is split into N shares [[s]] = (s1 , . . . , sN ),
such that the secret can be recovered from any ℓ + 1 shares si .
RYDE uses an additive (N, N )-threshold linear secret sharing scheme, as explained in
Section 2.3.6, that is the shares of s are given by
N
X −1
(r1 , . . . , rN −1 , s − ri ),
i=1

for some random ri .

In more details, the MPC protocol works as follows. We are given a parity-check matrix
 
(n−k)×n
H = A Idn−k ∈ Fqm ,

a syndrome s ∈ Fn−k ′
q m and a weight t. Let (e, e ) be a solution to the Rank SDP
instance. Each party is then given a share of [[e]]. Let S be the error support of (e, e′ ),
i.e., S = ⟨e1 , . . . , en ⟩ of Fq - dimension t. Then S has an annihilator polynomial
Y
f (x) = (x − s).
s∈S

The parties also take the following as shares b, a, c, where b ∈ Ftqm is a vector containing
the coefficients of
t
i
X
L= bi (xq − x),
i=1

a∈ Ftqmη is randomly sampled and c = −⟨b, a⟩. The parties now proceed as

(a) sample at random (γ1 , . . . , γn , ε) ∈ Fn+1

m·η ,
(b) locally compute e′ = s − Ae,
t
(c) locally compute z = − nj=1 γj (eqj − ej ),
P

i
(d) locally compute wi = nj=1 γj (eqj − ej ) for all i ∈ {1, . . . , t − 1},
P

(e) locally compute and open α = εw + a,

(f) locally compute and open v = εz − ⟨α, b⟩ − c,
(g) and they accept if v = 0.

RYDE is able to achieve smaller signatures than SDitH, however at the cost of a slower
signing and verifying process. In Table 42, we can see the two parameter sets for each
security level, one denoted by “F” for a fast version and one denoted by “S” for a small
version.

149
 Variant Level Public key size Signature size Signing time Verification time
RYDE-128F I 0.09 7.4 5.4 4.4
RYDE-128S I 0.09 6 23.4 20.1
RYDE-192F III 0.13 16.4 12.2 10.7
RYDE-192S III 0.13 13 49.6 44.8
RYDE-256 V 0.2 29.1 26 22.7
RYDE-256 V 0.2 22.8 105.5 94.9

Table 42: Performance of RYDE. Sizes are in kilobytes and timings in MCycles.

3. PERK:

PERK [1] is based on the relaxed PKP, that is, one publishes a parity-check matrix
(n−k)×n
H ∈ Fq , a vector e ∈ Fnq and a permuted syndrome s ∈ Fn−k
q , i.e., there exists
⊤ ⊤
some σ ∈ Sn such that Hσ(e) = s . Hence, the secret is given by the permutation σ.
PERK is based on the BG ZK protocol introduced in [21], and employs a simple MPC
protocol.
The BG protocol works as follows: one samples randomly permutations σ2 , . . . , σN ∈ Sn ,
and vectors v2 , . . . , vN ∈ Fnq . One computes the commitments ci from the hashes of the
used seeds to generate σi , vi .
One then computes the permutation σ1 = σ2−1 ◦ · · · ◦ σN −1
◦ σ and samples a random
n
v1 ∈ Fq . The commitment c1 is given by the hash of σ1 , and the seed for v1 . One then
computes
N
X −1
v = vN + σN ◦ · · · ◦ σi+1 (vi )
i=1

and the commitment c which is the hash of the syndrome vH⊤ .

The first challenge of the verifier is some β ∈ Fq , with this the prover computes e e0 = βe
and for all i ∈ {1, . . . , N } the vectors e
ei = σi (e
ei−1 ) + vi . The first response is given by
the hash of all the eei . The verifier can then challenge any i ∈ {1, . . . , N } and the prover
responds with ci , e
ei and in the case i = 1 also with σ1 .
The employed MPC protocol asks N parties to perform the BG steps i ∈ {1, . . . , N }

• if i ̸= 1 sample random (σi , vi ) ∈ Sn × Fnq and compute the commitment ci =

Hash(σi , vi ) (actually of their seeds),
• if i = 1 sample random v1 ∈ Fnq and compute σ1 as usual, i.e., σ1 = σ2−1 ◦· · ·◦σN
−1
◦σ
and the commitment c1 = Hash(σ1 , v1 ),
• upon the challenge β one sets e
e0 ) = βe and each party computes e
ei = σi (e
ei−1 )+vi .
• The verifier has to recompute the commitments and e
ei for each i ∈ {1, . . . , N }.

We will denote this MPC protocol as “BG splitting”.

150
 Variant Level Public key size Signature size Signing time Verification time
PERK-I-fast3 I 0.15 8.35 7.6 5.3
PERK-I-fast5 I 0.24 8.03 7.2 5.1
PERK-I-short3 I 0.15 6.56 39 27
PERK-I-short5 I 0.24 6.06 36 25
PERK-III-fast3 III 0.23 18.8 16 13
PERK-III-fast5 III 0.37 18 15 12
PERK-III-short3 III 0.23 15 82 65
PERK-III-short5 III 0.37 13.8 77 60
PERK-V-fast3 V 0.31 33.3 36 28
PERK-V-fast5 V 0.51 31.7 34 26
PERK-V-short3 V 0.31 26.4 185 143
PERK-V-short5 V 0.51 24.2 171 131

Table 43: Performance of PERK. Sizes are in kilobytes and timings in MCycles.

4. MIRA:

MIRA [19] is based on the MinRank problem, i.e., the decoding problem for Matrix
codes endowed with the rank metric. The MPC protocol used in MIRA PN −1is an additive
sharing. That is for a secret s, the shares are (r1 , . . . , rN −1 , s − i=1 ri ), for some
random ri .
The MPC protocol is similar to the one in RYDE; we have the generating matrices
G1 , . . . , Gk ∈ Fm×n
q , one chooses a secret x ∈ Fkq and publishes E of rank t and R =
Pk
E − i=1 Gi xi .
Each party received x ∈ Fkq and the coefficients bi ∈ Fqm of the annihilating polynomial

t
i
X
L(x) = bi xq ,
i=1

a random a ∈ Ftqmη and c = −⟨a, b⟩. The parties proceed as follows

(a) sample random (γ1 , . . . , γn , ε) ∈ Fn+1

q mη ,
Pk
(b) compute E = R + i=1 xi Gi ,
(c) set ei ∈ Fqm associated to the ith column of E, that is for some basis Γ of Fqm over
Fq compute ei = Γ−1 (E{i} ),
t
(d) compute z = − nj=1 γj eqj ,
P

i
(e) compute wi = nj=1 γj eq for all i ∈ {1, . . . , t},
P

151
 Variant Level Public key size Signature size Signing time Verification time
MIRA-128F I 0.09 7.4 37.4 36.7
MIRA-128S I 0.09 5.6 46.8 43.9
MIRA-192F III 0.12 15.5 107.2 107
MIRA-192S III 0.12 11.8 119.7 116.2
MIRA-256F V 0.15 27.7 322.3 323.2
MIRA-256S V 0.15 20.8 337.7 331.4

Table 44: Performance of MIRA. Sizes are in kilobytes and timings in MCycles.

(f) open the shares to compute α = εw + a,

(g) open the shares to compute v = εz − ⟨α, b⟩ − c,
(h) and accept if v = 0.

MIRA has two parameter sets for each security level, given in Table 44. One parameter
set is denoted by “F” for a fast version and one denoted by “S” for a small version.
Compared to RYDE, which uses the same MPC protocol but is based on the rank
decoding problem for Fqm -linear codes instead of Fq -linear codes, we can observe that
MIRA is able to achieve slightly smaller signature sizes than RYDE, however at the
cost of a much slower signing and verification process.

5. MiRitH:

Also MiRitH [2] is based on the MinRank problem and uses an MPC protocol. However,
MiRitH uses a Kipnis-Shamir [169] modeling, instead of the linearized polynomials used
in MIRA. This leads to faster verification and singing.
Recall that in MinRank, the generating matrices G1 , . . . , Gk ∈ Fm×n
q , a received matrix
m×n are made public, and the task is to find x ∈ Fq such that E = R − ki=1 Gi xi
k
P
R ∈ Fq
has rank at most t.
The Kipnis-Shamir modeling is based on the following fact, if there exists a vector
t×(n−t)
x ∈ Fkq and a matrix K ∈ Fq , such that
 
k
X S
(R − xi Gi )   = 0, (7.1)
i=1 K

(n−t)×(n−t)
for some invertible S ∈ Fq then
 x is a solution to the MinRank
 instance
R, G1 , . . . , Gk . Thus, if we write R = R′ R′′ and Gi = G′i G′′i , for each i ∈
{1, . . . , k} then we can transform Equation (7.1) to
k k
!
X X
R′ − xi G′i = R′′ − xi G′′i K.
i=1 i=1

152
 Variant Level Public key size Signature size Signing time Verification time
MiRitH-Iaf I 0.13 7.7 4.8 4.5
MiRitH-Ias I 0.13 5.7 42.9 42.7
MiRitH-Ibf I 0.14 8.8 6.4 5.9
MiRitH-Ibs I 0.14 6.3 51.5 51.8
MiRitH-IIIaf III 0.2 16.7 11.2 10.4
MiRitH-IIIas III 0.2 12.4 94.5 94.2
MiRitH-IIIbf III 0.2 17.9 13.3 12.3
MiRitH-IIIbs III 0.2 13.1 112.2 112
MiRitH-Vaf V 0.25 29.6 23.9 22.2
MiRitH-Vas V 0.25 21.8 196.7 194.6
MiRitH-Vbf V 0.27 32 28.3 26.3
MiRitH-Vbs V 0.27 23.1 241.6 241

Table 45: Performance of MiRitH. Sizes are in kilobytes and timings in MCycles.

Pk  
Thus, let us write Rx = R − i=1 xi Gi and as before Rx = R′x R′′x , hence the
Kipnis-Shamir modeling amounts to showing that R′x = R′′x K.
Thus, each party gets the additive sharings [[x]] and [[K]] and [[A]] for a random
A ∈ Fs×t
q and [[C]] for C = AK. The parties then proceed as follows

(a) locally compute sharings [[R′x ]] and [[R′′x ]],

(b) sample a random matrix X ∈ Fs×m
q ,
(c) locally compute
[[Y]] = X[[R′′x ]] + [[A]]
and open the sharings, so each party gets Y,
(d) locally compute
[[V]] = YK − X[[R′x ]] − C
and open the sharings, so that each party gets V,
(e) accept if V = 0.

MiRitH presents four parameter sets for each security level, two denoted with “a”, and
two denotes with “b”, where the “b” variant achieves a greater security level to leave
some margins for possible further improvements on solving PKP. The parameter sets
denoted by “f” are a fast variant, while the “s” denotes the small variant. We can see
a clear difference in the timings compared to MIRA.
Another variant of MiRitH is using the hypercube technique, which allows to get even
shorter signatures. While the hypercube variant presents several parameter sets for
short signatures, we chose only the shortest variant.

153
 Variant Level Public key size Signature size Signing time Verification time
MiRitH-hyper-Iaf I 0.13 6.2 4.1 3.4
MiRitH-hyper-Ias I 0.13 3.9 3122 3066
MiRitH-hyper-Ibf I 0.14 6.7 5.3 4.4
MiRitH-hyper-Ibs I 0.14 4.1 3184 3156
MiRitH-hyper-IIIaf III 0.21 13.4 9 8.2
MiRitH-hyper-IIIas III 0.21 8.7 5149 5120
MiRitH-hyper-IIIbf III 0.21 13.8 10.2 9.1
MiRitH-hyper-IIIbs III 0.21 8.8 5278 5250
MiRitH-hyper-Vaf V 0.25 23.9 17.4 14.8
MiRitH-hyper-Vas V 0.25 15.1 9730 9800
MiRitH-hyper-Vbf V 0.27 25 21.2 18.2
MiRitH-hyper-Vbs V 0.27 15.4 9767 9811

Table 46: Performance of MiRitH using Hypercube. Sizes are in kilobytes and timings in
MCycles.

Remark 278. Note that all the reported timings are from the respective documentations and
based on different implementations. For signature sizes, we have taken the average sizes.

154
8 Conclusion
In this book chapter, we presented a comprehensive collection of code-based cryptography,
concerning its history and most famous schemes, until the latest advances, especially in sig-
nature schemes.
There are several open question within this research area, prominent ones include

• Is the Rank Syndrome Decoding Problem NP-hard?

• Can we distinguish classical Goppa codes?

• How to improve the code-equivalence solvers?

• How to construct an efficient and secure hash-and-sign scheme?

.. and many more.

We hope that this book chapter helps young researchers to get into code-based cryptog-
raphy, so that we can advance in these open question together.
Any comments, typos or additions can be sent to [Link]@[Link] and we will
update the ArXiv version regularly.

Acknowledgement
The authors would like to thank Jean-Pierre Tillich, Nicolas Sendrier and Thomas Debris-
Alazard for fruitful discussions. The authors would also like to thank Giovanni Tognolini and
the anonymous reviewers for pointing out some of the typos.
Violetta Weger is supported by the Swiss National Science Foundation grant number 195290
and by the European Union’s Horizon 2020 research and innovation programme under the
Marie Sklodowska-Curie grant agreement no. 899987.
Niklas Gassner and Joachim Rosenthal are supported by armasuisse Science and Technology
(Project Nr.: CYD C-2020010).

155
Bibliography
[1] Najwa Aaraj, Slim Bettaieb, Loı̈c Bidoux, Alessandro Budroni, Victor Dyseryn, Andre
Esser, Philippe Gaborit, Mukul Kulkarni, Victor Mateu, Marco Palumbi, Lucas Perin,
and Jean-Pierre Tillich. PERK. In First Round Submission to the additional NIST
Postquantum Cryptography Call, 2023.
[2] Gora Adj, Luis Rivera-Zamarripa, Javier Verbel, Emanuele Bellini, Stefano Barbero,
Andre Esser, Carlo Sanna, and Floyd Zweydinger. MiRitH. In First Round Submission
to the additional NIST Postquantum Cryptography Call, 2023.
[3] Carlos Aguilar, Philippe Gaborit, and Julien Schrek. A new zero-knowledge code based
identification scheme with reduced communication. In 2011 IEEE Information Theory
Workshop, pages 648–652. IEEE, 2011.
[4] Carlos Aguilar Melchor, Nicolas Aragon, Magali Bardet, Slim Bettaieb, Loic Bidoux,
Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Adrien Hauteville, Ay-
oub Otmani, Olivier Ruatta, Jean-Pierre Tillich, and Gilles Zémor. ROLLO- Rank-
Ouroboros, LAKE & LOCKER. NIST PQC Call for Proposals, 2020. Round 2 Sub-
mission.
[5] Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loı̈c Bidoux, Olivier Blazy,
Jurjen Bos, Jean-Christophe Deneuville, Arnaud Dion, Philippe Gaborit, Jérôme Lacan,
Edoardo Persichetti, Jean-Marc Robert, Pascal Véron, and Gilles Zémor. Hamming
Quasi-Cyclic (HQC). NIST PQC Call for Proposals, 2022. Round 4 Submission.
[6] Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loic Bidoux, Olivier Blazy,
Maxime Bros, Alain Couvreur, Jean-Christophe Deneuville, Philippe Gaborit, Adrien
Hauteville, and Gilles Zémor. Rank Quasi-Cyclic (RQC). NIST PQC Call for Proposals,
2020. Round 2 Submission.
[7] Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loı̈c Bidoux, Olivier Blazy,
Jean-Christophe Deneuville, Philippe Gaborit, Adrien Hauteville, and Gilles Zémor.
Ouroboros-R. NIST PQC Call for Proposals, 2017. Round 1 Submission.
[8] Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loı̈c Bidoux, Olivier Blazy,
Jean-Christophe Deneuville, Philippe Gaborit, Edoardo Persichetti, and Gilles Zémor.
Hamming Quasi-Cyclic (HQC). NIST PQC Call for Proposals, 2017. Round 1 Submis-
sion.
[9] Carlos Aguilar-Melchor, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit,
and Gilles Zémor. Efficient encryption from random quasi-cyclic codes. IEEE Transac-
tions on Information Theory, 64(5):3927–3943, 2018.
[10] Carlos Aguilar Melchor, Thibauld Feneuil, Nicolas Gama, Shay Gueron, James
Howe, David Joseph, Antoine Joux, Edoardo Persichetti, Tovohery H. Randrianarisoa,
Matthieu Rivain, and Dongze Yue. SDitH. In First Round Submission to the additional
NIST Postquantum Cryptography Call, 2023.
[11] Carlos Aguilar-Melchor, Nicolas Gama, James Howe, Andreas Hülsing, David Joseph,
and Dongze Yue. The return of the SDitH. In Annual International Conference on the
Theory and Applications of Cryptographic Techniques, pages 564–596. Springer, 2023.

156
[12] Abdulrahman Al Jabri. A statistical decoding algorithm for general linear block codes.
In IMA International Conference on Cryptography and Coding, pages 1–8. Springer,
2001.

[13] Martin Albrecht, Carlos Cid, Kenneth G. Paterson, Cen Jung Tjhai, and Martin Tom-
linson. NTS-KEM - Second round submission. NIST PQC Call for Proposals, 2019.
Round 2 Submission.

[14] Martin R. Albrecht, Daniel J. Bernstein, Tung Chou, Carlos Cid, Jan Gilcher, Tanja
Lange, Varun Maram, Ingo von Maurich, Rafael Misoczki, Ruben Niederhagen, Ken-
neth G. Paterson, Edoardo Persichetti, Christiane Peters, Peter Schwabe, Nicolas
Sendrier, Jakub Szefer, Cen Jung Tjhai, Martin Tomlinson, and Wen Wang. Clas-
sic McEliece: Conservative Code-Based Cryptography. NIST PQC Call for Proposals,
2022. Round 4 Submission.

[15] M. Alekhnovich. More on average case vs approximation complexity. In 44th Annual

IEEE Symposium on Foundations of Computer Science, 2003. Proceedings., pages 298–
307, 2003.

[16] Daniel Apon, Ray Perlner, Angela Robinson, and Paolo Santini. Cryptanalysis of
LEDAcrypt. Cryptology ePrint Archive, Report 2020/455, 2020. [Link]
2020/455.

[17] Nicolas Aragon, Marco Baldi, Jean-Christophe Deneuville, Karan Khathuria, Edoardo
Persichetti, and Paolo Santini. Cryptanalysis of a code-based full-time signature. De-
signs, Codes and Cryptography, 89(9):2097–2112, 2021.

[18] Nicolas Aragon, Magali Bardet, Loı̈c Bidoux, Jesús-Javier Chi-Domı́nguez, Victor
Dyseryn, Thibauld Feneuil, Philippe Gaborit, Antoine Joux, Matthieu Rivain, Jean-
Pierre Tillich, and Adrien Vinçotte. RYDE. In First Round Submission to the additional
NIST Postquantum Cryptography Call, 2023.

[19] Nicolas Aragon, Magali Bardet, Loı̈c Bidoux, Jesús-Javier Chi-Domı́nguez, Victor
Dyseryn, Thibauld Feneuil, Philippe Gaborit, Romaric Neveu, Matthieu Rivain, and
Jean-Pierre Tillich. MIRA. In First Round Submission to the additional NIST Postquan-
tum Cryptography Call, 2023.

[20] Nicolas Aragon, Paulo S.L.M. Barreto, Slim Bettaieb, Loı̈c Bidoux, Olivier Blazy, Jean-
Christophe Deneuville, Philippe Gaborit, Santosh Ghosh, Shay Gueron, Tim Güneysu,
Carlos Aguilar Melchor, Rafael Misoczki, Edoardo Persichetti, Nicolas Sendrier, Jean-
Pierre tillich, Valentin Vasseur, and Gilles Zémor. BIKE: Bit Flipping Key Encapsula-
tion. NIST PQC Call for Proposals, 2022. Round 4 Submission.

[21] Nicolas Aragon, Loı̈c Bidoux, Jesús-Javier Chi-Domı́nguez, Thibauld Feneuil, Philippe
Gaborit, Romaric Neveu, and Matthieu Rivain. MIRA: a digital signature scheme
based on the minrank problem and the mpc-in-the-head paradigm. arXiv preprint
arXiv:2307.08575, 2023.

[22] Nicolas Aragon, Loı̈c Bidoux, Jesús-Javier Chi-Domı́nguez, Thibauld Feneuil, Philippe
Gaborit, Romaric Neveu, and Matthieu Rivain. Mira: a digital signature scheme based
on the minrank problem and the mpc-in-the-head paradigm, 2023.

157
[23] Nicolas Aragon, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Adrien
Hauteville, Olivier Ruatta, Jean-Pierre Tillich, and Gilles Zémor. LAKE - Low rAnk
parity check codes Key Exchange. NIST PQC Call for Proposals, 2017. Round 1
Submission.
[24] Nicolas Aragon, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Adrien
Hauteville, Olivier Ruatta, Jean-Pierre Tillich, and Gilles Zémor. LOCKER - LOw
rank parity Check codes EncRyption. NIST PQC Call for Proposals, 2017. Round 1
Submission.
[25] Nicolas Aragon, Olivier Blazy, Philippe Gaborit, Adrien Hauteville, and Gilles Zémor.
Durandal: a rank metric based signature scheme. In Annual International Conference
on the Theory and Applications of Cryptographic Techniques, pages 728–758. Springer,
2019.
[26] Nicolas Aragon, Victor Dyseryn, and Philippe Gaborit. Analysis of the security of the
pssi problem and cryptanalysis of the durandal signature scheme. Cryptology ePrint
Archive, 2023.
[27] Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, Olivier Ruatta, and Gilles Zémor.
RankSign - a signature proposal for the NIST’s call. NIST PQC Call for Proposals,
2017. Round 1 Submission.
[28] Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. Improve-
ment of generic attacks on the rank syndrome decoding problem. 2017.
[29] Nicolas Aragon, Philippe Gaborit, Adrien Hauteville, and Jean-Pierre Tillich. A new
algorithm for solving the rank syndrome decoding problem. In 2018 IEEE International
Symposium on Information Theory (ISIT), pages 2421–2425. IEEE, 2018.
[30] Alexei Ashikhmin and Alexander Barg. Minimal vectors in linear codes. IEEE Trans-
actions on Information Theory, 44(5):2010–2017, 1998.
[31] Jaakko Astola. On the asymptotic behaviour of Lee-codes. Discrete applied mathemat-
ics, 8(1):13–23, 1984.
[32] Daniel Augot and Matthieu Finiasz. A public key encryption scheme based on the
polynomial reconstruction problem. In International Conference on the Theory and
Applications of Cryptographic Techniques, pages 229–240. Springer, 2003.
[33] Daniel Augot and Matthieu Finiasz. A public key encryption scheme based on the
polynomial reconstruction problem. In International Conference on the Theory and
Applications of Cryptographic Techniques, pages 229–240. Springer, 2003.
[34] Jean-Philippe Aumasson, Daniel J. Bernstein, Ward Beullens, Christoph Dobraunig,
Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Andreas Hülsing, Panos Kam-
panakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben
Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe, and Bas Wester-
baan. Sphincs+ . NIST PQC Call for Proposals, 2022. Selected for Standardization.
[35] Roberto Avanzi, Simon Hoerder, Dan Page, and Michael Tunstall. Side-channel attacks
on the McEliece and Niederreiter public-key cryptosystems. Journal of Cryptographic
Engineering, 1(4):271–281, 2011.

158
[36] László Babai. Graph isomorphism in quasipolynomial time. In Proceedings of the forty-
eighth annual ACM symposium on Theory of Computing, pages 684–697, 2016.

[37] Marco Baldi, Alessandro Barenghi, Luke Beckwith, Jean-François Biasse, Andre Esser,
Kris Gaj, Kamyar Mohajerani, Gerardo Pelosi, Edoardo Persichetti, Markku-Juhani O.
Saarinen, Paolo Santini, and Robert Wallace. LESS. In First Round Submission to the
additional NIST Postquantum Cryptography Call, 2023.

[38] Marco Baldi, Alessandro Barenghi, Sebastian Bitzer, Patrick Karl, Felice Manganiello,
Alessio Pavoni, Gerardo Pelosi, Paolo Santini, Jonas Schupp, Freeman Slaughter, An-
tonia Wachter-Zeh, and Violetta Weger. CROSS. In First Round Submission to the
additional NIST Postquantum Cryptography Call, 2023.

[39] Marco Baldi, Alessandro Barenghi, Franco Chiaraluce, Gerardo Pelosi, and Paolo San-
tini. LEDAkem. NIST PQC Call for Proposals, 2017. Round 1 Submission.

[40] Marco Baldi, Alessandro Barenghi, Franco Chiaraluce, Gerardo Pelosi, and Paolo San-
tini. LEDApkc. NIST PQC Call for Proposals, 2017. Round 1 Submission.

[41] Marco Baldi, Alessandro Barenghi, Franco Chiaraluce, Gerardo Pelosi, and Paolo San-
tini. LEDAcrypt: Low-dEnsity parity-check coDe-bAsed cryptographic systems - ver-
sion 3.0. NIST PQC Call for Proposals, 2020. Round 2 Submission.

[42] Marco Baldi, Massimo Battaglioni, Franco Chiaraluce, Anna-Lena Horlemann-

Trautmann, Edoardo Persichetti, Paolo Santini, and Violetta Weger. A new path to
code-based signatures via identification schemes with restricted errors. arXiv preprint
arXiv:2008.06403, 2020.

[43] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Rosenthal, and Davide
Schipani. A variant of the McEliece cryptosystem with increased public key security.
In Proceedings of the Seventh International Workshop on Coding and Cryptography,
number 7, pages 173–182. HAL-Inria, 2011.

[44] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Rosenthal, and Davide
Schipani. Using LDGM codes and sparse syndromes to achieve digital signatures. In
International Workshop on Post-Quantum Cryptography, pages 1–15. Springer, 2013.

[45] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Jakob Rosenthal, Davide
Mose, et al. Method and apparatus for public-key cryptography based on error correct-
ing codes, November 17 2015. US Patent 9,191,199.

[46] Marco Baldi, Sebastian Bitzer, Alessio Pavoni, Paolo Santini, Antonia Wachter-Zeh, and
Violetta Weger. Zero knowledge protocols and signatures from the restricted syndrome
decoding problem. PKC 2024, 2024.

[47] Marco Baldi, Marco Bodrato, and Franco Chiaraluce. A new analysis of the McEliece
cryptosystem based on QC-LDPC codes. In International Conference on Security and
Cryptography for Networks, pages 246–262. Springer, 2008.

[48] Marco Baldi, Franco Chiaraluce, Joachim Rosenthal, Paolo Santini, and Davide
Schipani. Security of generalised Reed–Solomon code-based cryptosystems. IET In-
formation Security, 13(4):404–410, 2019.

159
[49] Gustavo Banegas, Paulo S. L. M. Barreto, Brice Odilon Boidje, Pierre-Louis Cayrel,
Gilbert Ndollane Dione, Kris Gaj, Cheikh Thiécoumba Gueye, Richard Haeussler,
Jean Belo Klamti, Ousmane N’diaye, Duc Tri Nguyen, Edoardo Persichetti, and Jeffer-
son E. Ricardini. DAGS: Key Encapsulation from Dyadic GS Codes. NIST PQC Call
for Proposals, 2017. Round 1 Submission.

[50] Gustavo Banegas, Kévin Carrier, André Chailloux, Alain Couvreur, Thomas Debris-
Alazard, Philippe Gaborit, Pierre Karpman, Johanna Loyer, Ruben Niederhagen, Nico-
las Sendrier, Benjamin Smith, and Jean-Pierre Tillich. WAVE. In First Round Submis-
sion to the additional NIST Postquantum Cryptography Call, 2023.

[51] Magali Bardet, Élise Barelli, Olivier Blazy, Rodolfo Canto-Torres, Alain Couvreur,
Philippe Gaborit, Otmani Ayoub, Nicolas Sendrier, and Jean-Pierre Tillich. BIG
QUAKE: BInary Goppa QUAsi-cyclic Key Encapsulation. NIST PQC Call for Propos-
als, 2017. Round 1 Submission.

[52] Magali Bardet, Pierre Briaud, Maxime Bros, Philippe Gaborit, Vincent Neiger, Olivier
Ruatta, and Jean-Pierre Tillich. An algebraic attack on rank metric code-based cryp-
tosystems. CoRR, abs/1910.00810, 2019.

[53] Magali Bardet, Maxime Bros, Daniel Cabarcas, Philippe Gaborit, Ray Perlner, Daniel
Smith-Tone, Jean-Pierre Tillich, and Javier Verbel. Improvements of algebraic attacks
for solving the rank decoding and MinRank problems. In International Conference on
the Theory and Application of Cryptology and Information Security, pages 507–536.
Springer, 2020.

[54] Magali Bardet, Ayoub Otmani, and Mohamed Saeed-Taha. Permutation code equiv-
alence is not harder than graph isomorphism when hulls are trivial. In 2019 IEEE
International Symposium on Information Theory (ISIT), pages 2464–2468. IEEE, 2019.

[55] Élise Barelli and Alain Couvreur. An efficient structural attack on NIST submission
DAGS. In Thomas Peyrin and Steven Galbraith, editors, Advances in Cryptology –
ASIACRYPT 2018, pages 93–118, Cham, 2018. Springer International Publishing.

[56] Alexander Barg and G David Forney. Random codes: Minimum distances and error
exponents. IEEE Transactions on Information Theory, 48(9):2568–2573, 2002.

[57] Alexander Barg, Evgueni Krouk, and Henk CA van Tilborg. On the complexity of
minimum distance decoding of long linear codes. IEEE Transactions on Information
Theory, 45(5):1392–1405, 1999.

[58] S Barg. Some new NP-complete coding problems. Problemy Peredachi Informatsii,
30(3):23–28, 1994.

[59] Jessica Bariffi, Hannes Bartz, Gianluigi Liva, and Joachim Rosenthal. On the properties
of error patterns in the constant Lee weight channel. In International Zurich Seminar
on Information and Communication (IZS 2022). Proceedings, pages 44–48. ETH Zurich,
2022.

[60] Paulo SLM Barreto, Rafael Misoczki, and Marcos A Simplicio Jr. One-time signature
scheme from syndrome decoding over generic error-correcting codes. Journal of Systems
and Software, 84(2):198–204, 2011.

160
[61] Anja Becker, Antoine Joux, Alexander May, and Alexander Meurer. Decoding random
binary linear codes in 2n/20 : How 1 + 1 = 0 improves information set decoding. In An-
nual international conference on the theory and applications of cryptographic techniques,
pages 520–536. Springer, 2012.

[62] Peter Beelen, Martin Bossert, Sven Puchinger, and Johan Rosenkilde. Structural prop-
erties of twisted Reed-Solomon codes with applications to cryptography. In 2018 IEEE
International Symposium on Information Theory (ISIT), pages 946–950. IEEE, 2018.

[63] Emanuele Bellini, Florian Caullery, Philippe Gaborit, Marc Manzano, and Victor Ma-
teu. Improved Veron identification and signature schemes in the rank metric. In 2019
IEEE International Symposium on Information Theory (ISIT), pages 1872–1876. IEEE,
2019.

[64] Thierry P Berger, Philippe Gaborit, and Olivier Ruatta. Gabidulin matrix codes and
their application to small ciphertext size cryptosystems. In International Conference
on Cryptology in India, pages 247–266. Springer, 2017.

[65] Thierry P Berger, Cheikh Thiécoumba Gueye, and Jean Belo Klamti. Generalized
subspace subcodes with application in cryptology. IEEE Transactions on Information
Theory, 65(8):4641–4657, 2019.

[66] Thierry P. Berger and Pierre Loidreau. How to mask the structure of codes for a
cryptographic use. Designs, Codes and Cryptography, 35:63–79, 2005.

[67] Elwyn Berlekamp. Algebraic coding theory. World Scientific, 2015.

[68] Elwyn Berlekamp, Robert McEliece, and Henk Van Tilborg. On the inherent intractabil-
ity of certain coding problems. IEEE Transactions on Information Theory, 24(3):384–
386, 1978.

[69] Daniel J Bernstein. Grover vs. McEliece. In International Workshop on Post-Quantum

Cryptography, pages 73–80. Springer, 2010.

[70] Daniel J Bernstein, Johannes Buchmann, and Erik Dahmen. Post-Quantum Cryptog-
raphy. Springer-Verlag, Berlin-Heidleberg, 2009.

[71] Daniel J Bernstein, Tanja Lange, and Christiane Peters. Attacking and defending the
McEliece cryptosystem. In International Workshop on Post-Quantum Cryptography,
pages 31–46. Springer, 2008.

[72] Daniel J. Bernstein, Tanja Lange, and Christiane Peters. Wild McEliece. In Interna-
tional Workshop on Selected Areas in Cryptography, pages 143–158. Springer, 2010.

[73] Daniel J Bernstein, Tanja Lange, and Christiane Peters. Smaller decoding exponents:
ball-collision decoding. In Annual Cryptology Conference, pages 743–760. Springer,
2011.

[74] Ward Beullens. Not enough LESS: An improved algorithm for solving code equivalence
problems over Fq . In International Conference on Selected Areas in Cryptography, pages
387–403. Springer, 2020.

161
[75] Jean-François Biasse, Giacomo Micheli, Edoardo Persichetti, and Paolo Santini. LESS
is more: Code-based signatures without syndromes. In International Conference on
Cryptology in Africa, pages 45–65. Springer, 2020.

[76] Loı̈c Bidoux, Philippe Gaborit, and Nicolas Sendrier. Quasi-cyclic Stern proof of knowl-
edge. arXiv preprint arXiv:2110.05005, 2021.

[77] Sebastian Bitzer, Alessio Pavoni, Violetta Weger, Paolo Santini, Marco Baldi, and
Antonia Wachter-Zeh. Generic decoding of restricted errors. In 2023 IEEE International
Symposium on Information Theory (ISIT), pages 246–251. IEEE, 2023.

[78] Jessalyn Bolkema, Heide Gluesing-Luerssen, Christine A Kelley, Kristin E Lauter, Beth
Malmskog, and Joachim Rosenthal. Variations of the McEliece cryptosystem. In Alge-
braic geometry for coding theory and cryptography, pages 129–150. Springer, 2017.

[79] Maxime Bombar and Alain Couvreur. Decoding supercodes of Gabidulin codes and
applications to cryptanalysis. arXiv preprint arXiv:2103.02700, 2021.

[80] Mikhail A Borodin and Ivan V Chizhov. Effective attack on the McEliece cryptosystem
based on Reed-Muller codes. Discrete Mathematics and Applications, 24(5):273–280,
2014.

[81] Eimear Byrne, Anna-Lena Horlemann, Karan Khathuria, and Violetta Weger. Density
of free modules over finite chain rings. Linear Algebra and its Applications, 651:1–25,
2022.

[82] Eimear Byrne and Violetta Weger. Bounds in the Lee metric and optimal codes. Finite
Fields and Their Applications, 87:102151, 2023.

[83] Anne Canteaut and Hervé Chabanne. A further improvement of the work factor in an
attempt at breaking McEliece’s cryptosystem. PhD thesis, INRIA, 1994.

[84] Anne Canteaut and Florent Chabaud. A new algorithm for finding minimum-weight
words in a linear code: Application to McEliece’s cryptosystem and to narrow-sense
BCH codes of length 511. IEEE Transactions on Information Theory, 44(1):367–378,
1998.

[85] Anne Canteaut and Nicolas Sendrier. Cryptanalysis of the original McEliece cryp-
tosystem. In International conference on the theory and application of cryptology and
information security, pages 187–199. Springer, 1998.

[86] Ignacio Cascudo, Ronald Cramer, Diego Mirandola, and Gilles Zémor. Squares of
random linear codes. IEEE Transactions on Information Theory, 61(3):1159–1173,
2015.

[87] Dario Catalano, Ronald Cramer, Giovanni Di Crescenzo, Ivan Darmgård, David
Pointcheval, Tsuyoshi Takagi, Ronald Cramer, and Ivan Damgård. Multiparty com-
putation, an introduction. Contemporary cryptology, pages 41–87, 2005.

[88] Pierre-Louis Cayrel, Cheikh T Gueye, Ousmane Ndiaye, and Robert Niebuhr. Critical
attacks in code-based cryptography. International Journal of Information and Coding
Theory, 3(2):158–176, 2015.

162
 [89] Pierre-Louis Cayrel, Ayoub Otmani, and Damien Vergnaud. On Kabatianskii-Krouk-
Smeets signatures. In International Workshop on the Arithmetic of Finite Fields, pages
237–251. Springer, 2007.

[90] Pierre-Louis Cayrel, Pascal Véron, and Sidi Mohamed El Yousfi Alaoui. A zero-
knowledge identification scheme based on the q-ary syndrome decoding problem. In
International Workshop on Selected Areas in Cryptography, pages 171–186. Springer,
2010.

[91] Florent Chabaud and Jacques Stern. The cryptographic security of the syndrome de-
coding problem for rank distance codes. In International Conference on the Theory and
Application of Cryptology and Information Security, pages 368–381. Springer, 1996.

[92] Cong Chen, Thomas Eisenbarth, Ingo Von Maurich, and Rainer Steinwandt. Differential
power analysis of a McEliece cryptosystem. In International Conference on Applied
Cryptography and Network Security, pages 538–556. Springer, 2015.

[93] Lily Chen, Lily Chen, Stephen Jordan, Yi-Kai Liu, Dustin Moody, Rene Peralta, Ray
Perlner, and Daniel Smith-Tone. Report on post-quantum cryptography, volume 12. US
Department of Commerce, National Institute of Standards and Technology, 2016.

[94] Jinkyu Cho, Jong-Seon No, Yongwoo Lee, Young-Sik Kim, and Zahyun Koo. Enhanced
pqsigRM. In First Round Submission to the additional NIST Postquantum Cryptography
Call, 2023.

[95] Tung Chou, Ruben Niederhagen, Edoardo Persichetti, Lars Ran, Tovohery Haja-
tiana Randrianarisoa, Krijn Reijnders, Simona Samardjiska, and Monika Trimoska.
MEDS. In First Round Submission to the additional NIST Postquantum Cryptogra-
phy Call, 2023.

[96] Tung Chou, Edoardo Persichetti, and Paolo Santini. On linear equivalence, canonical
forms, and digital signatures. Cryptology ePrint Archive, 2023.

[97] Stephen A Cook. The complexity of theorem-proving procedures. In Logic, Automata,

and Computational Complexity: The Works of Stephen A. Cook, pages 143–152. 2023.

[98] Jean-Sebastien Coron. Cryptanalysis of a public-key encryption scheme based on the

polynomial reconstruction problem. In International Workshop on Public Key Cryptog-
raphy, pages 14–27. Springer, 2004.

[99] Nicolas T Courtois, Matthieu Finiasz, and Nicolas Sendrier. How to achieve a McEliece-
based digital signature scheme. In International Conference on the Theory and Appli-
cation of Cryptology and Information Security, pages 157–174. Springer, 2001.

[100] Alain Couvreur, Thomas Debris-Alazard, and Philippe Gaborit. On the hardness of
code equivalence problems in rank metric. arXiv preprint arXiv:2011.04611, 2020.

[101] Alain Couvreur, Philippe Gaborit, Valérie Gauthier-Umaña, Ayoub Otmani, and Jean-
Pierre Tillich. Distinguisher-based attacks on public-key cryptosystems using Reed–
Solomon codes. Designs, Codes and Cryptography, 73(2):641–666, 2014.

163
[102] Alain Couvreur and Matthieu Lequesne. On the security of subspace subcodes of Reed–
Solomon codes for public key encryption. IEEE Transactions on Information Theory,
2021.

[103] Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich. Recovering short secret
keys of RLCE in polynomial time. In International Conference on Post-Quantum Cryp-
tography, pages 133–152. Springer, 2019.

[104] Alain Couvreur, Irene Márquez-Corbella, and Ruud Pellikaan. A polynomial time at-
tack against algebraic geometry code based public key cryptosystems. In 2014 IEEE
International Symposium on Information Theory, pages 1446–1450. IEEE, 2014.

[105] Alain Couvreur, Irene Márquez-Corbella, and Ruud Pellikaan. Cryptanalysis of

McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE
Transactions on Information Theory, 63(8):5404–5418, 2017.

[106] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. Polynomial time attack on
wild McEliece over quadratic extensions. IEEE Transactions on Information Theory,
63(1):404–427, 2016.

[107] Alain Couvreur, Ayoub Otmani, Jean-Pierre Tillich, and Valérie Gauthier-Umana. A
polynomial-time attack on the BBCRS scheme. In IACR International Workshop on
Public Key Cryptography, pages 175–193. Springer, 2015.

[108] Matthew C Davey and David JC MacKay. Reliable communication over channels with
insertions, deletions, and substitutions. IEEE Transactions on Information Theory,
47(2):687–698, 2001.

[109] Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich. The problem with
the SURF scheme. arXiv preprint arXiv:1706.08065, 2017.

[110] Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich. Wave: A new family
of trapdoor one-way preimage sampleable functions based on codes. In International
Conference on the Theory and Application of Cryptology and Information Security,
pages 21–51. Springer, 2019.

[111] Thomas Debris-Alazard and Jean-Pierre Tillich. Two attacks on rank metric code-based
schemes: RankSign and an IBE scheme. In International Conference on the Theory and
Application of Cryptology and Information Security, pages 62–92. Springer, 2018.

[112] Ph Delsarte. Bilinear forms over a finite field, with applications to coding theory.
Journal of combinatorial theory, Series A, 25(3):226–241, 1978.

[113] Whitfield Diffie and Martin Hellman. New directions in cryptography. IEEE transac-
tions on Information Theory, 22(6):644–654, 1976.

[114] Jintai Ding, Jason E Gower, and Dieter S Schmidt. Multivariate public key cryptosys-
tems, volume 25. Springer Science & Business Media, 2006.

[115] Vlad Drăgoi, Valeriu Beiu, and Dominic Bucerzan. Vulnerabilities of the McEliece
variants based on polar codes. In International Conference on Security for Information
Technology and Communications, pages 376–390. Springer, 2018.

164
[116] Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor
Seiler, and Damien Stehlé. CRYSTALS-Dilithium. NIST PQC Call for Proposals, 2022.
Selected for Standardization.

[117] Il’ya Isaakovich Dumer. Two decoding algorithms for linear codes. Problemy Peredachi
Informatsii, 25(1):24–32, 1989.

[118] Molka Elleuch, Antonia Wachter-Zeh, and Alexander Zeh. A public-key cryptosystem
from interleaved Goppa codes. arXiv preprint arXiv:1809.03024, 2018.

[119] Jean-Charles Faugère, Valérie Gauthier-Umaña, Ayoub Otmani, Ludovic Perret, and
Jean-Pierre Tillich. A distinguisher for high-rate McEliece cryptosystems. IEEE Trans-
actions on Information Theory, 59(10):6830–6844, 2013.

[120] Cédric Faure and Pierre Loidreau. A new public-key cryptosystem based on the problem
of reconstructing p–polynomials. In International Workshop on Coding and Cryptogra-
phy, pages 304–315. Springer, 2005.

[121] Uriel Feige, Amos Fiat, and Adi Shamir. Zero-knowledge proofs of identity. Journal of
cryptology, 1(2):77–94, 1988.

[122] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification
and signature problems. In Conference on the theory and application of cryptographic
techniques, pages 186–194. Springer, 1986.

[123] Matthieu Finiasz and Nicolas Sendrier. Security bounds for the design of code-based
cryptosystems. In International Conference on the Theory and Application of Cryptol-
ogy and Information Security, pages 88–105. Springer, 2009.

[124] G David Forney. Concatenated codes. 1965.

[125] Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas
Pornin, Thomas Prest, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei
Zhang. FALCON. NIST PQC Call for Proposals, 2022. Selected for Standardization.

[126] Ernest Mukhamedovich Gabidulin. Theory of codes with maximum rank distance.
Problemy peredachi informatsii, 21(1):3–16, 1985.

[127] Ernst M Gabidulin, AV Paramonov, and OV Tretjakov. Ideals over a non-commutative

ring and their application in cryptology. In Workshop on the Theory and Application
of of Cryptographic Techniques, pages 482–489. Springer, 1991.

[128] Ernst M Gabidulin, Haitham Rashwan, and Bahram Honary. On improving security of
GPT cryptosystems. In 2009 IEEE International Symposium on Information Theory,
pages 1110–1114. IEEE, 2009.

[129] Philippe Gaborit, Gaétan Murat, Olivier Ruatta, and Gilles Zémor. Low rank parity
check codes and their application to cryptography. In Proceedings of the Workshop on
Coding and Cryptography WCC, volume 2013, 2013.

[130] Philippe Gaborit, Ayoub Otmani, and Hervé Talé Kalachi. Polynomial-time key recov-
ery attack on the Faure–Loidreau scheme based on Gabidulin codes. Designs, Codes
and Cryptography, 86(7):1391–1403, 2018.

165
[131] Philippe Gaborit, Olivier Ruatta, and Julien Schrek. On the complexity of the rank
syndrome decoding problem. IEEE Transactions on Information Theory, 62(2):1006–
1019, 2015.

[132] Philippe Gaborit and Julien Schrek. Efficient code-based one-time signature from auto-
morphism groups with syndrome compatibility. In 2012 IEEE International Symposium
on Information Theory Proceedings, pages 1982–1986. IEEE, 2012.

[133] Philippe Gaborit and Gilles Zémor. On the hardness of the decoding and the mini-
mum distance problems for rank codes. IEEE Transactions on Information Theory,
62(12):7245–7252, 2016.

[134] Maximilien Gadouleau and Zhiyuan Yan. Properties of codes with the rank metric. In
IEEE Globecom 2006, pages 1–5. IEEE, 2006.

[135] Robert Gallager. Low-density parity-check codes. IRE Transactions on information

theory, 8(1):21–28, 1962.

[136] Lucky Galvez, Jon-Lark Kim, Myeong Jae Kim, Young-Sik Kim, and Nari Lee. McNie:
Compact McEliece-Niederreiter Cryptosystem. NIST PQC Call for Proposals, 2017.
Round 1 Submission.

[137] Danièle Gardy and Patrick Solé. Saddle point techniques in asymptotic coding theory.
In Workshop on Algebraic Coding, pages 75–81. Springer, 1991.

[138] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and
new cryptographic constructions. In Proceedings of the fortieth annual ACM symposium
on Theory of computing, pages 197–206, 2008.

[139] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and
new cryptographic constructions. In Proceedings of the fortieth annual ACM symposium
on Theory of computing, pages 197–206, 2008.

[140] Edgar N Gilbert. A comparison of signalling alphabets. The Bell system technical
journal, 31(3):504–522, 1952.

[141] Danilo Gligoroski and Kristian Gjøsteen. Post-quantum Key Encapsulation Mechanism
Edon-K. NIST PQC Call for Proposals, 2017. Round 1 Submission.

[142] Danilo Gligoroski, Simona Samardjiska, Håkon Jacobsen, and Sergey Bezzateev.
McEliece in the world of Escher. IACR Cryptol. ePrint Arch., 2014:360, 2014.

[143] Valerii Denisovich Goppa. A new class of linear correcting codes. Problemy Peredachi
Informatsii, 6(3):24–30, 1970.

[144] Valerii Denisovich Goppa. A rational representation of codes and (l, g)-codes. Problemy
Peredachi Informatsii, 7(3):41–49, 1971.

[145] Valerii Denisovich Goppa. Binary symmetric channel capacity is attained with irre-
ducible codes. Problems of Information Transmission, 10:89–90, 1974.

[146] Elisa Gorla. Rank-metric codes. arXiv preprint arXiv:1902.02650, 2019.

166
[147] Lov K Grover. A fast quantum mechanical algorithm for database search. In Proceedings
of the twenty-eighth annual ACM symposium on Theory of computing, pages 212–219,
1996.

[148] Lov K Grover. Quantum mechanics helps in searching for a needle in a haystack.
Physical review letters, 79(2):325, 1997.

[149] Anina Gruica and Alberto Ravagnani. Common complements of linear subspaces and
the sparseness of MRD codes. arXiv preprint arXiv:2011.02993, 2020.

[150] Cheikh Thiécoumba Gueye, Jean Belo Klamti, and Shoichi Hirose. Generalization of
BJMM-ISD using May-Ozerov nearest neighbor algorithm over an arbitrary finite field
Fq . In International Conference on Codes, Cryptology, and Information Security, pages
96–109. Springer, 2017.

[151] Venkat Guruswami and Eric Blais. Introduction to Coding Theory, Notes 6: Reed-
Solomon, BCH, Reed-Muller, and concatenated codes. February 2010. Lecture Notes.

[152] Amir Herzberg and Dalit Naor. Surf ‘N’Sign: Client signatures on web documents. IBM
Systems Journal, 37(1):61–71, 1998.

[153] Shoichi Hirose. May-Ozerov algorithm for nearest-neighbor problem over Fq and its
application to information set decoding. In International Conference for Information
Technology and Communications, pages 115–126. Springer, 2016.

[154] Anna-Lena Horlemann, Sven Puchinger, Julian Renner, Thomas Schamberger, and An-
tonia Wachter-Zeh. Information-set decoding with hints. Technical report, Cryptology
ePrint Archive, Report 2021/279. [Link] iacr. org/2021/279, 2021.

[155] Anna-Lena Horlemann-Trautmann, Kyle Marshall, and Joachim Rosenthal. Consid-

erations for rank-based cryptosystems. In 2016 IEEE International Symposium on
Information Theory (ISIT), pages 2544–2548. Ieee, 2016.

[156] Anna-Lena Horlemann-Trautmann, Kyle Marshall, and Joachim Rosenthal. Extension

of Overbeck’s attack for Gabidulin-based cryptosystems. Designs, Codes and Cryptog-
raphy, 86(2):319–340, 2018.

[157] Nick Howgrave-Graham and Antoine Joux. New generic algorithms for hard knapsacks.
In Annual International Conference on the Theory and Applications of Cryptographic
Techniques, pages 235–256. Springer, 2010.

[158] Carmelo Interlando, Karan Khathuria, Nicole Rohrer, Joachim Rosenthal, and Violetta
Weger. Generalization of the ball-collision algorithm. Journal of Algebra Combinatorics
Discrete Structures and Applications, 7(2):195–207, 2020.

[159] Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. Zero-knowledge from
secure multiparty computation. In Proceedings of the thirty-ninth annual ACM sympo-
sium on Theory of computing, pages 21–30, 2007.

[160] Fedor Ivanov, Grigory Kabatiansky, Eugeny Krouk, and Nikita Rumenko. A new code-
based cryptosystem. In Code-Based Cryptography Workshop, pages 41–49. Springer,
2020.

167
[161] Heeralal Janwa and Oscar Moreno. McEliece public key cryptosystems using algebraic-
geometric codes. Designs, Codes and Cryptography, 8(3):293–307, 1996.

[162] David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from supersin-
gular elliptic curve isogenies. In International Workshop on Post-Quantum Cryptogra-
phy, pages 19–34. Springer, 2011.

[163] Gregory Kabatianskii, Evgenii Krouk, and Ben Smeets. A digital signature scheme
based on random error-correcting codes. In IMA International Conference on Cryptog-
raphy and Coding, pages 161–167. Springer, 1997.

[164] Grigorii Kabatiansky, Evgenii Krouk, and Sergei Semenov. Error correcting coding and
security for data networks: analysis of the superchannel concept. John Wiley & Sons,
2005.

[165] Daniel Kales and Greg Zaverucha. An attack on some signature schemes constructed
from five-pass identification schemes. In International Conference on Cryptology and
Network Security, pages 3–22. Springer, 2020.

[166] Hiroshi Kamabe and Shusaku Kobota. Simple improvements of bit-flipping decoding.
In 2010 The 12th International Conference on Advanced Communication Technology
(ICACT), volume 1, pages 113–118. IEEE, 2010.

[167] Karan Khathuria, Joachim Rosenthal, and Violetta Weger. Encryption scheme based
on expanded Reed-Solomon codes. Advances in Mathematics of Communications,
15(2):207, 2021.

[168] Karan Khaturia, Joachim Rosenthal, and Violetta Weger. Weight two masking of the
Reed-Solomon structure in conjunction with list decoding. Proceedings of 23rd Interna-
tional Symposium on MathematicalTheory of Networks and Systems, pages 309—-314,
2018.

[169] Aviad Kipnis and Adi Shamir. Cryptanalysis of the HFE public key cryptosystem by
relinearization. In Annual International Cryptology Conference, pages 19–30. Springer,
1999.

[170] Kazukuni Kobara and Hideki Imai. Semantically secure McEliece public-key
cryptosystems-conversions for McEliece PKC. In International Workshop on Public
Key Cryptography, pages 19–35. Springer, 2001.

[171] Evgenii Avramovich Kruk. Decoding complexity bound for linear block codes. Problemy
Peredachi Informatsii, 25(3):103–107, 1989.

[172] Alexander Kshevetskiy and Ernst Gabidulin. The new construction of rank codes. In
Proceedings. International Symposium on Information Theory, 2005. ISIT 2005., pages
2105–2108. IEEE, 2005.

[173] Grégory Landais and Jean-Pierre Tillich. An efficient attack of a McEliece cryptosystem
variant based on convolutional codes. In International Workshop on Post-Quantum
Cryptography, pages 102–117. Springer, 2013.

168
[174] Terry Shue Chien Lau and Chik How Tan. Key recovery attack on McNie based on low
rank parity check codes and its reparation. In Atsuo Inomata and Kan Yasuda, editors,
Advances in Information and Computer Security, pages 19–34, Cham, 2018. Springer
International Publishing.

[175] Terry Shue Chien Lau and Chik How Tan. MURAVE: A new rank code-based signature
with multiple rank verification. In Code-Based Cryptography Workshop, pages 94–116.
Springer, 2020.

[176] Terry Shue Chien Lau and Chik How Tan. Polynomial-time plaintext recovery attacks
on the IKKR code-based cryptosystems. Advances in Mathematics of Communications,
2021.

[177] Julien Lavauzelle, Pierre Loidreau, and Ba-Duc Pham. RAMESSES, a rank metric
encryption scheme with short keys. arXiv preprint arXiv:1911.13119, 2019.

[178] Julien Lavauzelle and Julian Renner. Cryptanalysis of a system based on twisted Reed–
Solomon codes. Designs, Codes and Cryptography, 88(7):1285–1300, 2020.

[179] Pil Joong Lee and Ernest F Brickell. An observation on the security of McEliece’s public-
key cryptosystem. In Workshop on the Theory and Application of of Cryptographic
Techniques, pages 275–280. Springer, 1988.

[180] Wijik Lee, Young-Sik Kim, Yong-Woo Lee, and Jong-Seon No. pqsigRM - Post quantum
signature scheme based on modified Reed-Muller code. NIST PQC Call for Proposals,
2017. Round 1 Submission.

[181] Yongwoo Lee, Wijik Lee, Young Sik Kim, and Jong-Seon No. Modified pqsigRM: RM
Code-Based Signature Scheme. IEEE Access, 8:177506–177518, 2020.

[182] Hanno Lefmann, Kevin T Phelps, and Vojtěch Rödl. Rigid linear binary codes. Journal
of Combinatorial Theory, Series A, 63(1):110–128, 1993.

[183] Jeffrey S Leon. A probabilistic algorithm for computing minimum weights of large
error-correcting codes. IEEE Transactions on Information Theory, 34(5):1354–1359,
1988.

[184] Matthieu Lequesne and Jean-Pierre Tillich. Attack on the Edon-K key encapsulation
mechanism. CoRR, abs/1802.06157, 2018.

[185] Y. X. Li, R. H. Deng, and X. M. Wang. On the Equivalence of McEliece’s and

Niederreiter’s Public-Key Cryptosystems. IEEE Transactions on Information Theory,
40(1):271–273, 1994.

[186] Pierre Loidreau. Designing a rank metric based McEliece cryptosystem. In International
Workshop on Post-Quantum Cryptography, pages 142–152. Springer, 2010.

[187] Pierre Loidreau. Designing a rank metric based McEliece cryptosystem. In Post-
Quantum Cryptography: Third International Workshop, PQCrypto 2010, Darmstadt,
Germany, May 25-28, 2010. Proceedings 3, pages 142–152. Springer, 2010.

[188] Pierre Loidreau and Raphael Overbeck. Decoding rank errors beyond the error correct-
ing capability. Proc. of ACCT-10, Zvenigorod, pages 168–190, 2006.

169
[189] Carl Löndahl and Thomas Johansson. A new version of McEliece PKC based on con-
volutional codes. In International Conference on Information and Communications
Security, pages 461–470. Springer, 2012.

[190] Florence Jessie MacWilliams and Neil James Alexander Sloane. The theory of error
correcting codes, volume 16. Elsevier, 1977.

[191] Telex Magloire, Nkouatchah Ngatched, Martin Bossert, Achim Fahrner, and Fambirai
Takawira. Two bit-flipping decoding algorithms for low-density parity-check codes.
IEEE transactions on communications, 57(3):591–596, 2009.

[192] Irene Márquez-Corbella and Jean-Pierre Tillich. Using Reed-Solomon codes in the
(u|u + v) construction and an application to cryptography. In 2016 IEEE International
Symposium on Information Theory (ISIT), pages 930–934. IEEE, 2016.

[193] Alexander May, Alexander Meurer, and Enrico Thomae. Decoding random linear codes
in ˜≀(20.054n ). In International Conference on the Theory and Application of Cryptology
and Information Security, pages 107–124. Springer, 2011.

[194] Alexander May and Ilya Ozerov. On computing nearest neighbors with applications to
decoding of binary linear codes. In Annual International Conference on the Theory and
Applications of Cryptographic Techniques, pages 203–228. Springer, 2015.

[195] Robert J. McEliece. A public-key cryptosystem based On algebraic coding theory. Deep
Space Network Progress Report, 44:114–116, January 1978.

[196] Robert J. McEliece and Dilip V. Sarwate. On sharing secrets and Reed-Solomon codes.
Communications of the ACM, 24(9):583–584, 1981.

[197] Alexander Meurer. A coding-theoretic approach to cryptanalysis. PhD thesis, Ruhr-

Universität Bochum, 2012.

[198] Lorenz Minder and Amin Shokrollahi. Cryptanalysis of the Sidelnikov cryptosystem.
In Annual International Conference on the Theory and Applications of Cryptographic
Techniques, pages 347–360. Springer, 2007.

[199] Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, and Paulo SLM Barreto. MDPC-
McEliece: New McEliece variants from moderate density parity-check codes. In 2013
IEEE international symposium on information theory, pages 2069–2073. IEEE, 2013.

[200] C. Monico, J. Rosenthal, and A. Shokrollahi. Using low density parity check codes in
the McEliece cryptosystem. In Proceedings of the 2000 IEEE International Symposium
on Information Theory, page 215, Sorrento, Italy, 2000.

[201] Dustin Moody and Ray Perlner. Vulnerabilities of “McEliece in the world of Escher”.
In Post-Quantum Cryptography, pages 104–117. Springer, 2016.

[202] Eliakim Hastings Moore. A two-fold generalization of Fermat’s theorem. 1896.

[203] D. E. Muller. Application of Boolean algebra to switching circuit design and to error
detection. Transactions of the I.R.E. Professional Group on Electronic Computers,
EC-3(3):6–12, 1954.

170
[204] Alessandro Neri, Anna-Lena Horlemann-Trautmann, Tovohery Randrianarisoa, and
Joachim Rosenthal. On the genericity of maximum rank distance and Gabidulin codes.
Designs, Codes and Cryptography, 86(2):341–363, 2018.

[205] Robert Niebuhr, Edoardo Persichetti, Pierre-Louis Cayrel, Stanislav Bulygin, and Jo-
hannes Buchmann. On lower bounds for information set decoding over Fq and on the
effect of partial knowledge. International journal of information and Coding Theory,
4(1):47–78, 2017.

[206] Harald Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Prob-
lems of Control and Information Theory 15, 1(6):159–166, 1986.

[207] Ayoub Otmani and Jean-Pierre Tillich. An efficient attack on all concrete KKS propos-
als. In International Workshop on Post-Quantum Cryptography, pages 98–116. Springer,
2011.

[208] Ayoub Otmani, Jean-Pierre Tillich, and Léonard Dallot. Cryptanalysis of two McEliece
cryptosystems based on quasi-cyclic codes. Mathematics in Computer Science, 3(2):129–
140, 2010.

[209] Alexei V Ourivski and Thomas Johansson. New technique for decoding codes in the
rank metric and its cryptography applications. Problems of Information Transmission,
38(3):237–246, 2002.

[210] Samuel Ouzan and Yair Be’ery. Moderate-density parity-check codes. arXiv preprint
arXiv:0911.3262, 2009.

[211] Raphael Overbeck. Structural attacks for public key cryptosystems based on Gabidulin
codes. Journal of cryptology, 21(2):280–301, 2008.

[212] Chris Peikert. A decade of lattice cryptography. Cryptology ePrint Archive, 2015.

[213] Edoardo Persichetti. Efficient one-time signatures from quasi-cyclic codes: A full treat-
ment. Cryptography, 2(4):30, 2018.

[214] Christiane Peters. Information-set decoding for linear codes over Fq . In International
Workshop on Post-Quantum Cryptography, pages 81–94. Springer, 2010.

[215] Erez Petrank and Ron M Roth. Is code equivalence easy to decide? IEEE Transactions
on Information Theory, 43(5):1602–1604, 1997.

[216] Aurélie Phesso and Jean-Pierre Tillich. An efficient attack on a code-based signature
scheme. In Post-Quantum Cryptography, pages 86–103. Springer, 2016.

[217] John Pierce. Limit distribution of the minimum distance of random linear codes. IEEE
Transactions on Information Theory, 13(4):595–599, 1967.

[218] Eugene Prange. The use of information sets in decoding cyclic codes. IRE Transactions
on Information Theory, 8(5):5–9, 1962.

[219] Sven Puchinger, Sven Müelich, Karim Ishak, and Martin Bossert. Code-based cryp-
tosystems using generalized concatenated codes. In Special Sessions in Applications of
Computer Algebra, pages 397–423. Springer, 2015.

171
[220] Sven Puchinger, Julian Renner, and Antonia Wachter-Zeh. Twisted Gabidulin codes in
the GPT cryptosystem. arXiv preprint arXiv:1806.10055, 2018.

[221] Haitham Rashwan, Ernst M Gabidulin, and Bahram Honary. A smart approach for
GPT cryptosystem based on rank codes. In 2010 IEEE International Symposium on
Information Theory, pages 2463–2467. IEEE, 2010.

[222] I. Reed. A class of multiple-error-correcting codes and the decoding scheme. Transac-
tions of the IRE Professional Group on Information Theory, 4(4):38–49, 1954.

[223] Irving S Reed and Gustave Solomon. Polynomial codes over certain finite fields. Journal
of the society for industrial and applied mathematics, 8(2):300–304, 1960.

[224] Krijn Reijnders, Simona Samardjiska, and Monika Trimoska. Hardness estimates of the
code equivalence problem in the rank metric. Cryptology ePrint Archive, 2022.

[225] Julian Renner, Sven Puchinger, and Antonia Wachter-Zeh. Interleaving Loidreau’s rank-
metric cryptosystem. In 2019 XVI International Symposium” Problems of Redundancy
in Information and Control Systems”(REDUNDANCY), pages 127–132. IEEE, 2019.

[226] Julian Renner, Sven Puchinger, and Antonia Wachter-Zeh. LIGA: a cryptosystem based
on the hardness of rank-metric list and interleaved decoding. Designs, Codes and Cryp-
tography, 89(6):1279–1319, 2021.

[227] Tania Richmond, Martin Petrvalsky, and Milos Drutarovsky. A side-channel attack
against the secret permutation on an embedded McEliece cryptosystem. In 3rd Work-
shop on Trustworthy Manufacturing and Utilization of Secure Devices-TRUDEVICE,
2015.

[228] Stefan Ritterhoff, Sebastian Bitzer, Patrick Karl, Georg Maringer, Thomas Scham-
berger, Jonas Schupp, Georg Sigl, Antonia Wachter-Zeh, and Violetta Weger. FuLeeca.
In First Round Submission to the additional NIST Postquantum Cryptography Call,
2023.

[229] Ronald L Rivest, Adi Shamir, and Leonard Adleman. A method for obtaining digital
signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126,
1978.

[230] Ron M Roth. Maximum-rank array codes and their application to crisscross error
correction. IEEE transactions on Information Theory, 37(2):328–336, 1991.

[231] Ron M Roth. Introduction to coding theory. IET Communications, 47, 2006.

[232] Partha Sarathi Roy, Rui Xu, Kazuhide Fukushima, Shinsaku Kiyomoto, Kirill Morozov,
and Tsuyoshi Takagi. Supporting Documentation of RaCoSS (Random Code-based
Signature Scheme). NIST PQC Call for Proposals, 2017. Round 1 Submission.

[233] Gerald E Sacks. Multiple error correction by means of parity checks. IRE transactions
on information theory, 4(4):145–147, 1958.

[234] Paolo Santini, Marco Baldi, and Franco Chiaraluce. Cryptanalysis of a one-time code-
based digital signature scheme. In 2019 IEEE International Symposium on Information
Theory (ISIT), pages 2594–2598. IEEE, 2019.

172
[235] Paolo Santini, Marco Baldi, and Franco Chiaraluce. Computational hardness of the
permuted kernel and subcode equivalence problems. IEEE Transactions on Information
Theory, 2023.

[236] Claus-Peter Schnorr and Martin Euchner. Lattice basis reduction: Improved practical
algorithms and solving subset sum problems. Mathematical programming, 66:181–199,
1994.

[237] Peter Schwabe, Roberto Avanzi, Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint,
Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, Damien Stehle, and Jintai Ding.
CRYSTALS-KYBER. In Selected Algorithm for the NIST Postquantum Cryptography
Call, 2022.

[238] Nicolas Sendrier. On the structure of randomly permuted concatenated code. PhD thesis,
INRIA, 1995.

[239] Nicolas Sendrier. On the concatenated structure of a linear code. Applicable Algebra in
Engineering, Communication and Computing, 9(3):221–242, 1998.

[240] Nicolas Sendrier and Dimitrios E Simos. How easy is code equivalence over Fq ? In
International Workshop on Coding and Cryptography-WCC 2013, 2013.

[241] Adi Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.

[242] Adi Shamir. An efficient identification scheme based on permuted kernels. Springer,
1990.

[243] Keisuke Shiromoto. Singleton bounds for codes over finite rings. Journal of Algebraic
Combinatorics, 12:95–99, 2000.

[244] P.W. Shor. Algorithms for quantum computation: discrete logarithms and factoring.
In Proceedings 35th Annual Symposium on Foundations of Computer Science, pages
124–134, 1994.

[245] Victor Shoup. A proposal for an ISO standard for public key encryption, 2001.
sho@[Link] 11676 received 20 Dec 2001.

[246] Sujan Raj Shrestha and Young-Sik Kim. New McEliece cryptosystem based on po-
lar codes as a candidate for post-quantum cryptography. In 2014 14th International
Symposium on Communications and Information Technologies (ISCIT), pages 368–372.
IEEE, 2014.

[247] Vladimir M. Sidel’nikov and Sergey O. Shestakov. On an encoding system constructed

on the basis of generalized Reed–Solomon codes. Diskretnaya Matematika, 4(3):57–63,
1992.

[248] Vladimir Michilovich Sidelnikov. A public-key cryptosystem based on binary Reed-

Muller codes. Discrete Mathematics and Applications, 4(3):191–208, 1994.

[249] RCRC Singleton. Maximum distance q-nary codes. IEEE Transactions on Information
Theory, 10(2):116–118, 1964.

173
[250] Yongcheng Song, Xinyi Huang, Yi Mu, Wei Wu, and Huaxiong Wang. A code-based
signature scheme from the Lyubashevsky framework. Theoretical Computer Science,
835:15–30, 2020.
[251] Jacques Stern. A method for finding codewords of small weight. In International
Colloquium on Coding Theory and Applications, pages 106–113. Springer, 1988.
[252] Jacques Stern. A new identification scheme based on syndrome decoding. In Annual
International Cryptology Conference, pages 13–21. Springer, 1993.
[253] Falko Strenzke. A timing attack against the secret permutation in the McEliece PKC.
In International Workshop on Post-Quantum Cryptography, pages 95–107. Springer,
2010.
[254] Falko Strenzke, Erik Tews, H Gregor Molter, Raphael Overbeck, and Abdulhadi
Shoufan. Side channels in the McEliece PKC. In International Workshop on Post-
Quantum Cryptography, pages 216–229. Springer, 2008.
[255] Alan Szepieniec. Ramstake - KEM Proposal for NIST PQC Project. NIST PQC Call
for Proposals, 2017. Round 1 Submission.
[256] Marcel Tiepelt and Jan-Pieter D’Anvers. Exploiting decryption failures in Mersenne
number cryptosystems. pages 45–54, 2020.
[257] Jacobus Hendricus Van Lint. Introduction to coding theory, volume 86. Springer Science
& Business Media, 2012.
[258] Johan van Tilburg. On the McEliece public-key cryptosystem. In Conference on the
Theory and Application of Cryptography, pages 119–131. Springer, 1988.
[259] Alexander Vardy. Algorithmic complexity in coding theory and the minimum distance
problem. In Proceedings of the twenty-ninth annual ACM symposium on Theory of
computing, pages 92–109, 1997.
[260] Rom Rubenovich Varshamov. Estimate of the number of signals in error correcting
codes. Docklady Akad. Nauk, SSSR, 117:739–741, 1957.
[261] Pascal Véron. A fast identification scheme. In Proceedings of 1995 IEEE International
Symposium on Information Theory, page 359. IEEE, 1995.
[262] Antonia Wachter-Zeh, Sven Puchinger, and Julian Renner. Repairing the Faure-
Loidreau public-key cryptosystem. In 2018 IEEE International Symposium on Infor-
mation Theory (ISIT), pages 2426–2430. IEEE, 2018.
[263] Tadashi Wadayama, Keisuke Nakamura, Masayuki Yagita, Yuuki Funahashi, Shogo
Usami, and Ichi Takumi. Gradient descent bit flipping algorithms for decoding LDPC
codes. In 2008 International Symposium on Information Theory and Its Applications,
pages 1–6. IEEE, 2008.
[264] Yongge Wang. RLCE Key Encapsulation Mechanism (RLCE-KEM) Specification. NIST
PQC Call for Proposals, 2017. Round 1 Submission.
[265] Violetta Weger. Information Set Decoding in the Lee Metric and the Local to Global
Principle for Densities. PhD thesis, University of Zurich, 2020.

174
[266] Violetta Weger, Karan Khathuria, Anna-Lena Horlemann, Massimo Battaglioni, Paolo
Santini, and Edoardo Persichetti. On the hardness of the Lee syndrome decoding prob-
lem. Advances in Mathematics of Communications, page 0, 2022.

[267] Christian Wieschebrink. Two NP-complete problems in coding theory with an applica-
tion in code based cryptography. In 2006 IEEE International Symposium on Informa-
tion Theory, pages 1733–1737. IEEE, 2006.

[268] Christian Wieschebrink. Cryptanalysis of the Niederreiter public key scheme based on
GRS subcodes. volume 6061, pages 61–72, 05 2010.

[269] Keita Xagawa. Practical attack on RaCoSS-r. Tc, 1:0, 2018.

[270] Atsushi Yamada, Edward Eaton, Kassem Kalach, Philip Lafrance, and Alex Parent.
QC-MDPC KEM: A Key Encapsulation Mechanism Based on the QC-MDPC McEliece
Encryption Scheme. NIST PQC Call for Proposals, 2017. Round 1 Submission.

[271] Yu Yu and Jiang Zhang. Lepton: Key Encapsulation Mechanisms from a variant of
Learning Parity with Noise. NIST PQC Call for Proposals, 2017. Round 1 Submission.

[272] Gilles Zémor. Notes on Alekhnovich’s cryptosystems. 2016.

175