Summary
Leaderboard
Timeline
Updates23
Forum1
Community
Press
FAQ
Meet the Winners

Summary

Overview

The webpage is dedicated to decoding challenges inspired by the McEliece Cryptosystem. The purpose of the challenge is to understand the hardness of the problems that underlie the security of the modern versions of the McEliece Cryptosystems like Classic McEliece.

Note that you are able to sign up and submit to challenge from now until the submission deadline. To view the information for a specific instance, navigate to the Leaderboard Tab and click on the number of your chosen instance from the correct Track, then proceed to the submission form when you are ready to test your solution.

Track One: McEliece Key Recovery Challenge

Track one of the challenges focuses on McEliece key recovery attacks, i.e., recovering the secret key from a given public key. The McEliece public key is constructed as follows:

Set integer parameters \(n>1\), \(1 < t < n\), \(m>1\).

The parameter \(n\) defines the length of the Goppa code, \(m\) defines a finite field extension \(\mathbb{F}_{2^m} \cong \mathbb{F}_{2}[x]/(f)\) for some \(f\) irreducible over \(\mathbb{F}_{2}\).

Let \(V: \mathbb{F}_{2^m} \rightarrow \mathbb{F}_2^m\) be the bijection that represents \(\mathbb{F}_{2^m}\) as an \(m\)-dimensional vector space over \(\mathbb{F}_2\), i.e, \(\sum_{i=0}^{m-1} a_i \gamma^i \mapsto [a_0, \ldots, a_{m-1}]\), where \(\gamma\) is a primitive root of \(f\).

Choose at random a vector \(L = \{\alpha_1, \ldots, \alpha_n\} \subset \mathbb{F}_{2^m}\).

Choose an irreducible polynomial \(g \in \mathbb{F}_{2^m}[x]\) of degree \(t\).

Consider \(\overline{H}_{\mathsf{Goppa}}(L,g) \in \mathbb{F}_{2^m}^{t \times n}\) of the form

From \(\overline{H}_{\mathsf{Goppa}}(L,g) \in \mathbb{F}_{2^m}^{t \times n}\), construct the matrix \(H_{\mathsf{Goppa}}(L,g) \in\mathbb{F}_{2}^{tm \times n}\) by applying the bijection \(V\) to each element of \(\overline{H}_{\mathsf{Goppa}}(L,g)\).

If \(H_{\mathsf{Goppa}}(L,g) \in\mathbb{F}_{2}^{tm \times n}\) is not full-rank, restart from choosing a new vector \(L\).

Apply row-echelon form to \(H_{\mathsf{Goppa}}(L,g) \in\mathbb{F}_{2}^{tm \times n}\) to obtain the public matrix \(H_\textrm{pub}\). It serves as McEliece's public key.

The corresponding key recovery problem is defined as follows.

Problem 1 (McEliece Key Recovery): Given a matrix \(H_\textrm{pub} \in \mathbb{F}_{2}^{tm \times n}\) constructed as above, recover \(g\) and \(L\).

Track 1A: Theoretical Key Recovery – 10.000$

We are welcoming new theoretical results in algorithms, both classical and quantum, for Track 1A. The submission should be typed in LaTeX and submitted in PDF format via the submission form button above. Please follow the Springer Lecture Notes in Computer Science (LNCS) style. There are no other restrictions on the format; however, the reviewers are not obliged to read all of your pdf, so brevity will be helpful in your submission. You may also submit your paper simultaneously to any other conference or venue.

Track 1B: Practical Key Recovery – 10.000$

We also provide practical key recovery challenges. Each challenge set contains the following data

public matrix \(H_\textrm{pub}\) in the systematic form (the identity matrix is also stored),

coefficients of unitary irreducible polynomial \(f\) s.t. \(\mathbb{F}_{2^m} \cong \mathbb{F}_{2}[x]/(f)\).

The task is to recover the secret polynomial \(g\) and the vector \(L\). The challenges are ordered by their hardness, ranging from 22 to 255 bits of complexity. Only one prize winner will be awarded in each track, and the prize amount will be determined by how high the winner scores on their track's leaderboard. See the Prize section below for more information.

Track Two: Message Recovery Challenge

In McEliece, cryptosystem messages (or keys in McEliece KEM) are binary vectors of size \(n\) and Hamming weight \(t\). For the public matrix \(H_ \textrm{pub} \in \mathbb{F}_{2}^{tm \times n}\), the ciphertext for the message \(\mathbf{m}\) is its syndrome, namely

\[\mathbf{c} = H_ \textrm{pub}\mathbf{m}.\]

The message recovery problem relies on the hardness of syndrome decoding for binary Goppa codes. In particular,

Problem 2 (McEliece Message Recovery): Given a matrix \(H_ \textrm{pub} \in \mathbb{F}_{2}^{m \times n}\) and the syndrome \(\mathbf{c} = H_ \textrm{pub}\mathbf{m}\), find \(\mathbf{m}\).

Track two focuses on practical message recovery attacks. Each challenge set contains the following data:

public matrix \(H_ \textrm{pub}\) in the systematic form (the identity matrix is also stored),

coefficients of unitary irreducible polynomial \(f\) s.t. \(\mathbb{F}_{2^m} \cong \mathbb{F}_{2}[x]/(f)\).

The task is to recover the message \(\mathbf{m}\).

For testing purposes, we provide toy examples with bit securities in the range 20–32. There is no prize associated with those toy challenges. The actual challenges range in complexity from 34–74 and 75-90 bits of security.

Track 2A: Practical Message Recovery – 15.000$

This track consists of seven different prize levels that are correlated with bit complexity, ranging from 34 to 74. Only one prize winner will be awarded in each track, and the prize amount will be determined by how high the winner scores on their track's leaderboard. See the Prize section below for more information. The security levels are chosen so that the lower levels may be completed reasonably with existing techniques. But the highest levels are designed such that current state-of-the-art algorithms (with slight tweaks) are able to solve these instances, if enough computational resources are available. Improvements to your chosen algorithm will be essential for achieving the full prize in these challenges.

Track 2B: Practical Message Recovery – 40.000$

This track consists of sixteen different challenges with a bit complexity of 75–90. The security levels are chosen such that it is unlikely that current state-of-the-art algorithms without algorithmic improvements are able to solve these instances. See the Prize section below for more information.

Background

The McEliece cryptosystem remains, despite significant cryptanalytic efforts, a secure scheme since its invention in 1978. Further, it counts as post-quantum secure, i.e., there are no efficient quantum algorithms known that solve the underlying hard problems. These two facts led to the McEliece scheme being a fourth-round candidate of the current NIST PQC standardization effort for post-quantum secure schemes, in the form of the Classic McEliece submission.

In order to ensure a precise understanding of the security with respect to today's computational resources and algorithmic advancements, we launched the TII McEliece Challenges. This challenge aims at covering all aspects of McEliece security, especially also those, which have received less attention in the past years. Before detailing the precise challenges and choices, let us outline a simplified version of the McEliece scheme.

The McEliece Scheme

McEliece is a code-based scheme, that is based on the hardness of decoding specific linear codes. Therefore, the private key is a structured parity-check matrix \(H\) of a linear code, where McEliece relies on binary Goppa codes. The known structure of the matrix \(H\) allows to correct up to \(t\) errors efficiently. That means for a given syndrome \(\mathbf{c}\), it is possible to efficiently find a vector \(\mathbf{m}\) of Hamming-weight \(t\), satisfying \(H\mathbf{m} = \mathbf{c}\), if such a vector exists.

The public key of the scheme is a permuted and “scrambled” version of \(H_{\mathsf{Goppa}}\). Therefore one first applies a permutation \(P\) to the columns of \(H\) and then performs a basis change via multiplication with an invertible matrix \(S\) to obtain the public key \(H_\textrm{pub}=SH_{\mathsf{Goppa}}(L,g)P\). The matrices \(S\) and \(P\) are part of the secret key.

A message \(\mathbf{m}\), which is a vector with Hamming-weight \(t\), is then encrypted by calculating the syndrome \(\mathbf{c} = H_ \textrm{pub}\mathbf{m}\). Now \(\mathbf{c}\) is the corresponding ciphertext. For decryption, the receiver first calculates \(S^{-1} \mathbf{c} = HP\mathbf{m}\) and then recovers \(P\mathbf{m}\) via the efficient decoding algorithm. Eventually \(\mathbf{m}\) is recovered by applying the inverse permutation to \(P\mathbf{m}\).

The Security Foundation

The security of the McEliece scheme relies on two different problems. First, to ensure that only the holder of the secret key is able to efficiently correct \(t\) errors, i.e., is able to decrypt, it must be hard to recover the hidden structure of the matrix \(H\) from \(H_\textrm{pub}\). This problem is known as the key-recovery problem. On the hand, to ensure that a ciphertext hides the message, it must be hard to compute \(\mathbf{m}\) from \(\mathbf{c}\) without knowing the secret key, i.e., when only \(\mathbf{c}\) and \(H_\textrm{pub}\) are known. This problem is known as the message-recovery problem.

In contrast to many other schemes, for McEliece, the two problems of message- and key-recovery are fundamentally different. The problem that determines parameters of the scheme is the message recovery problem. That means algorithms to solve this problem are more efficient than those recovering the secret key. The best algorithms for message recovery in the case of McEliece are generic decoding algorithms, namely Information Set Decoding (ISD) algorithms. These algorithms are generic in the sense that they can be used to decode any random (appearing) code, and they do not exploit any specifics of the binary Goppa code used in McEliece.

For key-recovery the best-known attacks are rather simple, involving brute-force enumeration of parts of the secret key. Their complexity is far higher than those of message recovery attacks.

Challenges and Goals

We provide challenges for both fundamental problems on which the security of McEliece is based.

The far lower bit complexities of message recovery attacks have always set a higher incentive to study those than to study key recovery attacks. Our challenge aims at breaking this trend by providing its own track focusing on key-recovery attacks. This track subdivides into a theoretical (Track 1A) and a practical section (Track 1B). In the theoretical section, we are interested in classical or quantum algorithmic advancements on McEliece key recovery. These works should focus especially on the parameter regime found in secure McEliece instantiations.

Additionally, we provide a practical key recovery track (Track 1B). This track features various reduced-size instances, starting from 20-bit security up to 255-bit security. Algorithms found optimal for solving these reduced instances might differ from the most efficient for cryptographic-sized instances. However, considering the rather limited progress on key-recovery attacks, any advancement is welcome.

The TII McEliece Challenges also features message recovery attacks in its Track Two. This track aims at improving the accuracy of our today’s security understanding to especially support the parameter selection process. Again this track subdivides into a Track 2A and a Track 2B. Track 2A covers instances, which are both in range for standard techniques and for current state-of-the-art algorithms if either enough computational resources are available or smaller algorithmic improvements are leveraged. Our Track 2B then covers instances that are considered to be out of range of current algorithms. This track aims at setting an incentive for algorithmic advancements and their immediate translation to practice.

Note that we focus on the Niederreiter variant, which is also the one used in the Classic McEliece submission.

How do I Win?

For the Theoretical Key recovery Track, we are looking for innovative approaches that may move the McEliece system into a leading candidate for post-quantum encryption.

For the other tracks, find yourself at the top of the leaderboard by solving the most complicated instance in your chosen track!

The submission deadline for Solutions in response to this Challenge can be viewed in the official Challenge Timeline.

Submission Requirements

Submissions should consist of the following:

For Theoretical Key Recovery algorithms (Track 1A):

Please follow the Springer Lecture Notes in Computer Science (LNCS) Template.

You will then submit your paper as a PDF.

We will also ask for an abstract of your paper and for some information about the authors/submitters of the paper.

For the Practical Approach and Message Recovery tracks (Tracks 1B, 2A, and 2B), please submit:

A submission title and a list of Challenge Team Members, their institutional/organizational affiliations, and their roles.

Your solution to the algorithm and recovered key or plaintext

Optionally, a write-up on Your Solution. The narrative You provide shall include the following:

Please include the algorithm used to generate your keys.

Please provide details on the hardware you used to obtain your solution.

Please include the runtime based on the hardware you used to obtain your solution.

Any other pertinent details, such as:

Any novel techniques that you would like to highlight.

Descriptions and sources of any open-source data used to aid in development/testing

Recommendations for further use of Your solution.

Challenge Timeline

Registration Opens

May 9, 2023

Submission Form Opens

May 23, 2023

Registration and Submission deadline

May 8, 2024 @ 5:00pm ET

Judging

May 8 - June 4, 2024

Winners Announced

June 11, 2024

Prize

After the submission deadline, the following four prizes will be awarded to the best-judged submission in the theoretical track and to the competitor/team that has solved the most difficult instance in each of the other tracks. Note that each track will only award one winner, but that the prize level for each winner will be determined by their level on the challenge Leaderboard. In other words, if the highest solved instance belongs to a higher hardness level, the prize will also increase. This challenge was originally launched with only one prize level per track, but additional partial prize levels have now been added to provide the crowd with more opportunities to win!

(1A) Best Theoretical Key Recovery Algorithms - $10,000

(1B) Best Practical Key Recovery Approach - Full prize: $10,000. Partial prize will be awarded according to the graphic above, if the full prize instance levels are not met.

(2A) Best Practical Message Recovery of 70-74-bit Encryption - Full prize: $15,000. Partial prize will be awarded according to the graphic above, if the full prize instance levels are not met.

(2B) Best Practical Message Recovery of 80-94-bit Encryption - Full prize: $40,000. Partial prize will be awarded according to the graphic above, if the full prize instance levels are not met.

Judging Criteria for Theoretical Key Recovery Algorithms (Track 1A)

Section

Description

Overall Weight

Novelty

Does this approach represent a new method of key recovery?

20%

Accuracy

Does this approach solve for S, G, and P?

40%

Editorial Quality

Is this paper of adequate editorial quality?

10%

Scientific Quality

Does this paper contribute to the science of post-quantum cryptography?

30%

Please view the Official Rules below in the Challenge-Specific Agreement

Algorithm:
Brute-force key search using the support-splitting algorithm.

Hardware:
The solver was run on a variety of servers containing AMD and Ampere CPUs.
As the approach is trivially parallel, the duration is given in single-core time.

Runtime:
1471:04:51:00

Comments (optional):
A paper with implementation details and a code release are forthcoming.

Algorithm:
Adaptation to Goppa codes of degree r=3 of the algorithm from the article: R. Mora, "On the matrix code of quadratic relationships for a Goppa code", arXiv:2310.20497
Modeling introduced in: A. Couvreur, R. Mora, and J.-P. Tillich, "A new approach based on quadratic forms to attack the McEliece cryptosystem", Asiacrypt 2023

Algorithm:
Adaptation to Goppa codes of degree r=3 of the algorithm from the article: R. Mora, "On the matrix code of quadratic relationships for a Goppa code", arXiv:2310.20497
Modeling introduced in: A. Couvreur, R. Mora, and J.-P. Tillich, "A new approach based on quadratic forms to attack the McEliece cryptosystem", Asiacrypt 2023

Algorithm:
Adaptation to Goppa codes of degree r=3 of the algorithm from the article: R. Mora, "On the matrix code of quadratic relationships for a Goppa code", arXiv:2310.20497
Modeling introduced in: A. Couvreur, R. Mora, and J.-P. Tillich, "A new approach based on quadratic forms to attack the McEliece cryptosystem", Asiacrypt 2023

Algorithm:
Adaptation to Goppa codes of degree r=3 of the algorithm from the article: R. Mora, "On the matrix code of quadratic relationships for a Goppa code", arXiv:2310.20497
Modeling introduced in: A. Couvreur, R. Mora, and J.-P. Tillich, "A new approach based on quadratic forms to attack the McEliece cryptosystem", Asiacrypt 2023

Algorithm:
Adaptation to Goppa codes of degree r=3 of the algorithm from the article: R. Mora, "On the matrix code of quadratic relationships for a Goppa code", arXiv:2310.20497
Modeling introduced in: A. Couvreur, R. Mora, and J.-P. Tillich, "A new approach based on quadratic forms to attack the McEliece cryptosystem", Asiacrypt 2023

Algorithm:
Adaptation to Goppa codes of degree r=2 of the algebraic modeling from the article: J.-C. Faugère, V. Gauthier Umaña, A. Otmani, L. Perret, and J.-P. Tillich "A distinguisher for high-rate McEliece cryptosystems", IEEE Transactions on Information Theory.
Hybrid approach.

Algorithm:
Adaptation to Goppa codes of degree r=2 of the algebraic modeling from the article: J.-C. Faugère, V. Gauthier Umaña, A. Otmani, L. Perret, and J.-P. Tillich "A distinguisher for high-rate McEliece cryptosystems", IEEE Transactions on Information Theory.
Hybrid approach.

Algorithm:
Adaptation to Goppa codes of degree r=3 of the algorithm from the article: R. Mora, "On the matrix code of quadratic relationships for a Goppa code", arXiv:2310.20497
Modeling introduced in: A. Couvreur, R. Mora, and J.-P. Tillich, "A new approach based on quadratic forms to attack the McEliece cryptosystem", Asiacrypt 2023

Algorithm:
Adaptation of the attack from the paper [CMT23] (available at https://eprint.iacr.org/2023/950) to a binary Goppa code with a square-free Goppa polynomial of degree 2.
Sketch of the algorithm:
(1) Construct the matrix code of quadratic relationships as defined in [CMT23]
(2) Find 2 rank-2 matrices in the code corresponding to the same GRS code by solving the algebraic system related to the Pfaffian ideal specialized in 3 variables (= dimension of the associated variety)
(3) Apply an adaptation of the attack from Section 6 of [CMT23] to recover a basis of the corresponding 2-dimensional GRS code
(4) Apply a known attack on the GRS code to recover the secret support and multiplier
(5) Find an automorphism for subfield subcodes of Cauchy codes to map the pair (support, multiplier) in an equivalent one that is a valid "Goppa representation", if necessary

Algorithm:
Adaptation of the attack from the paper [CMT23] (available at https://eprint.iacr.org/2023/950) to a binary Goppa code with a square-free Goppa polynomial of degree 2.
Sketch of the algorithm:
(1) Construct the matrix code of quadratic relationships as defined in [CMT23]
(2) Find 2 rank-2 matrices in the code corresponding to the same GRS code by solving the algebraic system related to the Pfaffian ideal specialized in 3 variables (= dimension of the associated variety)
(3) Apply an adaptation of the attack from Section 6 of [CMT23] to recover a basis of the corresponding 2-dimensional GRS code
(4) Apply a known attack on the GRS code to recover the secret support and multiplier
(5) Find an automorphism for subfield subcodes of Cauchy codes to map the pair (support, multiplier) in an equivalent one that is a valid "Goppa representation", if necessary

And just like that, it’s over! Thank you to all of you who sent in submissions. We can’t wait to finally see what you’ve been working so hard on. The HeroX and TII teams will be taking some time to review the Track 1A submissions and to confirm the results on the challenge leaderboard. Keep up the good work and an eye out for the final results!

Crowdsourcing would be nothing without the crowd — that’s you! Thank you for being an indispensable part of this process, and using your brainpower for the greater good.

Congratulations on completing your submission. This is not an easy process, and you deserve a pat on the back for your hard work and dedication. Thank you!

You now have less than a day left to submit to the TII McEliece Challenges. Now’s the time to make final changes and send it off!

Please remember that the deadline is May 8, 2024 at 5:00pm Eastern Time. We don’t accept any late submissions, so do your best to get it in ahead of time.

We can’t wait to see what you’ve come up with! Best of luck.

The time has almost come! You now have two days left to finish your TII McEliece Challenges submissions. Your submissions are due on May 8, 2024 at 5:00pm Eastern Time.

We don’t accept any late submissions, so now is the time to make sure that everything is good to go. Double check file formats and make sure that all of your project components are easily accessible.

We are more than happy to answer your last-minute questions about the submission process. Post a question in the forum or leave a comment on this post, and we will be in touch with you.

We can’t wait to see the final projects. Good luck!

This is your one week warning! The final submission deadline is May 8, 2024 at 5:00pm Eastern Time (New York/USA). No late submissions will be accepted, so make sure to give yourself plenty of buffer time.

If there’s anything you’re unsure about, there is still time to ask for help. Post on the discussion forum or leave a comment on this post. We’ll keep an eye out for your questions.

We can’t wait to see what you’ve been working on. Best of luck finishing up your submissions!