Paper 2015/271

Toward Secure Implementation of McEliece Decryption

Mariya Georgieva and Frédéric de Portzamparc


We analyse the security regarding timing attacks of implementations of the decryption in McEliece PKC with binary Goppa codes. First, we review and extend the existing attacks, both on the messages and on the keys. We show that, until now, no satisfactory countermeasure could erase all the timing leakages in the Extended Euclidean Algorithm (EEA) step. Then, we describe a version of the EEA never used for McEliece so far. It uses a constant number of operations for given public parameters. In particular, the operation flow does not depend on the input of the decryption, and thus closes all previous timing attacks. We end up with what should become a central tool toward a secure implementation of McEliece decryption.

Note: Extended version of the COSADE 2015 article "Toward Secure Implementation of McEliece Decryption".

Available format(s)
Publication info
Published elsewhere. Major revision. COSADE 2015
McElieceExtended Euclidean Algorithmtiming attacks
Contact author(s)
frederic urvoy-de-portzamparc @ polytechnique org
2015-03-23: received
Short URL
Creative Commons Attribution


      author = {Mariya Georgieva and Frédéric de Portzamparc},
      title = {Toward Secure Implementation of McEliece Decryption},
      howpublished = {Cryptology ePrint Archive, Paper 2015/271},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.