[Resource Topic] 2022/362: How to Backdoor (Classic) McEliece and How to Guard Against Backdoors

Welcome to the resource topic for 2022/362

Title:
How to Backdoor (Classic) McEliece and How to Guard Against Backdoors

Authors: Tobias Hemmert, Alexander May, Johannes Mittmann, and Carl Richard Theodor Schneider

Abstract:

We show how to backdoor the McEliece cryptosystem such that a backdoored public key is indistinguishable from a usual public key, but allows efficient retrieval of the underlying secret key. For good cryptographic reasons, McEliece uses a small random seed 𝛅 that generates via some pseudo random generator (PRG) the randomness that determines the secret key. Our backdoor mechanism works by encoding an encryption of 𝛅 into the public key. Retrieving 𝛅 then allows efficient recovery of the (backdoored) secret key. Interestingly, McEliece can be used itself to encrypt 𝛅, thereby protecting our backdoor mechanism with strong post-quantum security guarantees. Our backdoor mechanism also works for the current Classic McEliece NIST standard proposal, and therefore opens the door for widespread maliciously backdoored implementations. Fortunately, there is a simple fix to guard (Classic) McEliece against backdoors. While it is not strictly necessary to store 𝛅 after key generation, we show that 𝛅 allows identifying maliciously backdoored keys. Thus, our results provide strong advice to implementers to store 𝛅 inside the secret key (as the proposal recommends), and use 𝛅 to guard against backdoor mechanisms.

ePrint: https://eprint.iacr.org/2022/362

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.