How to Backdoor (Classic) McEliece and How to Guard Against Backdoors

Abstract

We show how to backdoor the McEliece cryptosystem such that a backdoored public key is indistinguishable from a usual public key, but allows to efficiently retrieve the underlying secret key.

For good cryptographic reasons, McEliece uses a small random seed \(\boldsymbol{\delta }\) that generates via some pseudo random generator (PRG) the randomness that determines the secret key. Our backdoor mechanism works by encoding an encryption of \(\boldsymbol{\delta }\) into the public key. Retrieving \(\boldsymbol{\delta }\) then allows to efficiently recover the (backdoored) secret key. Interestingly, McEliece can be used itself to encrypt \(\boldsymbol{\delta }\), thereby protecting our backdoor mechanism with strong post-quantum security guarantees.

Our construction also works for the current Classic McEliece NIST standard proposal for non-compressed secret keys, and therefore opens the door for widespread maliciously backdoored implementations.

Fortunately, our backdoor mechanism can be detected by the owner of the (backdoored) secret key if \(\boldsymbol{\delta }\) is stored after key generation as specified by the Classic McEliece proposal. Thus, our results provide strong advice for implementers to store \(\boldsymbol{\delta }\) inside the secret key and use \(\boldsymbol{\delta }\) to guard against backdoor mechanisms.

A A Appendix: A Simpler (But Flawed) SETUP Mechanism

We consider the Vanilla McEliece key generation and describe a simpler attempt at constructing a backdoor. This construction does not even yield a weak SETUP because the backdoor can be efficiently detected by just considering the public keys. The distinguisher may be interesting in its own right and is also described below.

1.1 A.1 A.1 A Flawed SETUP

A description of the original and our simpler (but flawed) backdoored key generation \(\widetilde{\textsf{KGen}}_\texttt{V}^\texttt{F}\) can be found in Fig. 10.

The matrices S and H are generated exactly as in the non-backdoored scheme. The key difference is that instead of applying a random permutation P, we choose a permutation \(\widetilde{P}\) that permutes the columns of \(\textsf{pk}\) such that \(\textsf{pk}\)’s first row contains the ciphertext \(\boldsymbol{c} \in \textbf{F}_2^{\ell }\). This is done by choosing the permutation matrix as the combination of a purely random P and a permutation \(P'\) that sends the bits of \(\boldsymbol{c}\) to the desired coordinates.

Fig. 10.

Original and backdoored Vanilla McEliece key generation

Notice that \(\widetilde{\textsf{KGen}}_{\texttt{V}}^{\texttt{F}}\) works provided that

1. 1.

   \(\boldsymbol{c} \in \textbf{F}_2^{\ell }\) can be encoded in the first row \(\boldsymbol{v} = \textsf{Row}_1(SHP)\) of the public key, and

2. 2.

   \(P'\) is efficiently computable.

We briefly sketch why these statements hold. Regarding the first statement, notice that \(\boldsymbol{c}\in \mathbb {F}_2^\ell \) can be encoded in the first row of the public key if the Hamming weight of \(\boldsymbol{v}\) lies in the interval \([\ell , n-\ell ]\). A simple Chernoff bound shows that under reasonable assumptions (such as \(\ell \le \frac{1}{4}n\)), the probability that this holds is exponentially close to 1.

Regarding the second statement, we can compute \(P'\) in an insertion-sort fashion: Iterating through the first \(\ell \) entries of the first row of SHP from left to right, if an entry differs from the corresponding one in \(\boldsymbol{c}\), we swap this column with the first column to the right with the same entry in the first row.

1.2 B.2 A.2 The distinguisher

In order for the described backdoored keys to be indistinguishable from non-backdoored ones, it is clearly necessary that the ciphertexts of the adversary’s encryption scheme look like random bitstrings. So let us assume that the adversary’s scheme provides indistinguishability from random bits under a chosen plaintext attack (see Definition 1). Under this condition, does the described backdoored scheme provide a SETUP mechanism? Perhaps surprisingly, it turns out that it does not even provide a weak SETUP. To see this, for a public key \(\textsf{pk}\) sampled from \(\textsf{KGen}\) or \(\widetilde{\textsf{KGen}}_{\texttt{V}}^{\texttt{F}}\), we consider the random variables

$$ X:=\textsf{wt}\left( v_1\dots v_\ell \right) ,~~~Y:=\textsf{wt}\left( \boldsymbol{v}\right) , $$

where \(\boldsymbol{v}=v_1\dots v_n:= \textsf{Row}_1(\textsf{pk})\), and we make the following observation:

Lemma 1

If , then \(X\mid Y=w ~\sim ~ \textsf{Binom}(\ell ,\frac{1}{2})\).

If , then \(X\mid Y=w ~\sim ~ \textsf{Hypergeom}(n,w,\ell )\).

Proof

First suppose . Then the first \(\ell \) entries of \(\textsf{Row}_1(\textsf{pk})\) are given by an encryption of a random seed \(\boldsymbol{\delta }\). Since \(\textsf{Enc}_{\textsf{pk}_\mathcal {A}}\) provides random ciphertexts, \(\boldsymbol{c}\) is uniformly distributed among all \(\ell \)-bit strings (or at least computationally indistinguishable from it). Hence \(X=\textsf{wt}\left( \boldsymbol{c}\right) \) is binomially distributed as required, independent of the Hamming weight of \(\textsf{Row}_1(\textsf{pk})\).

Now suppose where \(\textsf{sk}=(C,S,H,P)\). Observe that \(\textsf{pk}\) is obtained from SH by randomly permuting its columns. This means that the first \(\ell \) entries of \(\textsf {Row}_1(\textsf{pk})\) are obtained by randomly sampling without replacement from the entries in the first row of SH. Hence \(X\mid \textsf{wt}\left( \textsf {Row}_1(SH)\right) =w \sim \textsf {Hypergeom}(n,w,\ell )\). As permuting the columns of SH does not change the Hamming weight of its first row, we have \(\textsf{wt}\left( \textsf{Row}_1(\textsf{pk})\right) =\textsf{wt}\left( \textsf{Row}_1(SH)\right) \). This implies the claim.    \(\square \)

Hence the conditional distributions of \(X\mid Y=w\) differ noticeably in the backdoored and non-backdoored case. A maximum-likelihood distinguisher can thus be used to distinguish backdoored from non-backdoored keys with non-negligible advantage.

Fig. 11.

Distinguishing backdoored and non-backdoored public keys. \(p^{\textsf{Binom}}_{\ell ,\frac{1}{2}}\) and \(p^{\textsf{Hypergeom}}_{n,w,\ell }\) denote the probability mass functions of the binomial respectively hypergeometric distribution.

This observation can be used to construct a distinguisher. Our distinguisher \(\mathcal {D}\) described in Fig. 11 is inspired by Lemma 1 and requires only the public key and the ciphertext length of the adversary’s encryption scheme. It is basically a maximum-likelihood distinguisher that, given a public key \(\textsf{pk}\), considers the Hamming weight of the first \(\ell \) bits of its first row. Depending on whether this \(\ell \)-bit string has a higher probability of occurrence assuming \(\textsf{Binom}(\ell ,\frac{1}{2})\) or \(\textsf{Hypergeom}(n,\textsf{wt}\left( \textsf{Row}_1(\textsf{pk})\right) ,\ell )\) as the underlying distribution, the distinguisher outputs that the public key is backdoored or, respectively, non-backdoored.

Lemma 1 implies that the distinguishing advantage of \(\mathcal {D}\) is given by the statistical distance¹ between the distributions \(\textsf{Hypergeom}(n,\textsf{wt}\left( \textsf{Row}_1(\textsf{pk})\right) ,\ell )\) and \(\textsf{Binom}(\ell ,\frac{1}{2})\). Notice that it depends on \(\textsf{wt}\left( \textsf{Row}_1(\textsf{pk})\right) \). It is minimal for \(\textsf{wt}\left( \textsf{Row}_1(\textsf{pk})\right) =\frac{n}{2}\), however even in this case it is far from negligible for reasonable n and \(\ell \) occurring for practical McEliece parameter sets. For example, applying the Randomized Niederreiter scheme described in Sect. 5 to the highest Classic McEliece Category 5 parameter set (see Table 1), even in the favourable case that half the entries in the first row of the public key equal one respectively zero, the distinguishing advantage is about 0.071. It thus clearly does not even provide a weak SETUP because we can distinguish backdoored and non-backdoored keys from just the public keys.

Intuitively speaking, the problem with this attempt at a backdoor construction is the following: In the non-backdoored scheme, the distribution of the first \(\ell \) bits of the first row of \(\textsf{pk}\) is in fact dependent on the Hamming weight of the entire row. For example, if there happen to be in total more ones than zeros in the first row of \(\textsf{pk}\) or equivalently of the associated SH, then applying a random permutation to the columns of SH also results in a bias towards more ones than zeros in the first \(\ell \) bits. This is in contrast with the backdoored scheme for which the first \(\ell \) bits of the first row of the resulting \(\textsf{pk}\) are always uniformly distributed since they are completely determined by the ciphertext \(\boldsymbol{c}\) — which is indistinguishable from a random bitstring by assumption.