1 Introduction

Code-based cryptography proposals are still alive after Round 4 of the NIST Post-Quantum Cryptography competition. The strength of these technologies rests upon the hardness of the decoding problem for a general linear code. Of course, an efficient decoding algorithm is required in practice. So what is actually needed is a family of codes with some conveniently masked properties that facilitate their efficient decoding. The original McEliece cryptosystem took advantage of such characteristics, which the classical binary Goppa codes enjoy.

One way to introduce Goppa codes is the following. Let \(F \subseteq L\) be an extension of finite fields and let \(g \in L[x]\) be a polynomial which, in this introduction, we assume irreducible for sake of simplicity. A subset of the group of units of the field \(L[x]/\langle g \rangle \), whose elements are represented by linear polynomials, is selected. Their inverses serve to build a parity check matrix of the Goppa code. The arithmetic in \(L[x]\) is a main tool in the design of efficient decoding algorithms for Goppa codes.

From an algebraic point of view, our proposal replaces, in the simplest case, the cyclic group of units of \(L[x]/\langle g \rangle \) by a linear group, whose mathematical structure is more complex. In order to design an efficient decoding algorithm, this non-commutative group is presented as the group of units of a factor ring of the ring of Ore polynomials \(L[x;\sigma ,\partial ]\) modulo a suitable invariant polynomial \(g\). The arithmetic of this non-commutative polynomial ring is used to design an efficient decoding algorithm. Classical Goppa codes become instances of our construction. Therefore, the security of our cryptosystem is expected to be at least as strong as the original one.

In Sect. 2 we recall some basic essentials on Ore polynomials and define skew differential Goppa codes. A non-commutative key equation is derived for these codes (Theorem 1), which turns out to be a left multiple of an equation computed with the help of the Left Extended Euclidean Algorithm in \(L[x;\sigma ,\partial ]\).

The topic of Sect. 3 is the design of an efficient decoding algorithm for skew differential Goppa codes. To this end, the position points are assumed to be P-independent in the sense of [14]. Under this hypothesis, the non-commutative locator polynomial actually locates the error positions, and a decoding algorithm, based on the solution of the key equation, is provided (Algorithm 2). This algorithm gives a solution in most cases, but its output may be a decoding failure. An efficient backup algorithm resolves any of these failures (Algorithm 3). In summary, the combination of both algorithms correctly recovers any error added to a codeword whose weight is at most the correction capability.

Section 4 describes how to construct parity check matrices and position points to define skew Goppa codes suitable to be used in a code-based cryptosystem. The construction is made for \(\partial = 0\), which guarantees the polynomial run-time of the algorithms, see Remark 4.

The cryptosystem is presented in Sect. 5. A discussion on the choice of the parameters of the code is included.

There is a patent pending by University of Granada in order to protect some of the results in this work, see [8].

2 Skew differential Goppa codes and their non-commutative key equation

In this section, the required algebraic framework is introduced. Let \(\sigma \) be an automorphism of finite order \(\mu \) of a field L. An additive map \(\partial : L \rightarrow L\) is called a \(\sigma \)-derivation if it satisfies \(\partial (ab) = \sigma (a)\partial (b) + \partial (a) b\) for all \(a,b \in L\). By \(R = L[x;\sigma ,\partial ]\) we denote the ring of Ore polynomials built from \((\sigma , \partial )\). This is a fundamental example of non-commutative ring, introduced in [20], whose basic properties may be found in several texts. We follow [3, Chap. 1, Sects. 3 and 4] and adopt its notation, see also [11]. In particular, \(R\) is a left and right Euclidean domain. The left division algorithm computes, given \(f,d\in R\) with \(d\ne 0\), two Ore polynomials \(q, r \in R\) such that \(f = qd + r\) with \(\deg r < \deg d\), where \(\deg \) denotes the degree (in \(x\)) function. Then we will write

$$\begin{aligned} {\text {l-quo-rem}}(f,d) = (q,r), \qquad {\text {l-quo}}(f,d) = q. \end{aligned}$$

Given \(f,g \in R\), the notation \(f \mid _r g\) declares that \(f\) is a right divisor of \(g\), which means \(Rg \subseteq Rf\), that is, \(g = uf\) for some \(u \in R\). The notation \(f \mid _\ell g\) is used analogously, meaning \(gR \subseteq fR\). When \((x-\alpha ) \mid _r f\), for \(f \in R\) and \(\alpha \in L\), we say that \(\alpha \) is a right root of the Ore polynomial \(f\). Greatest common left/right divisors and least common left/right multiples are well defined since all left/right ideals are principal. Concretely,

$$\begin{aligned} Rg + Rf = R \left( g,f\right) _r, \quad gR + fR = \left( g,f\right) _\ell R \end{aligned}$$

and

$$\begin{aligned} Rg \cap Rf = R \left[ g,f\right] _\ell , \quad gR \cap fR = \left[ g,f\right] _r R. \end{aligned}$$

Remark 1

Let \(f,g, f', g' \in R\) nonzero such that \(f'f = g'g\). Then \(\left[ f,g\right] _\ell = f'f\) if and only if \(\left( f',g'\right) _\ell = 1\). In fact, assume \(\left[ f,g\right] _\ell = f'f = g'g\) and let \(d = \left( f',g'\right) _\ell \). Then \(f' = d f''\) and \(g' = d g''\). Hence \(d f'' f = d g'' g\), so \(\left[ f,g\right] _\ell \mid _r f'' f = g'' g\). Therefore \(f'f \mid _r f''f\), i.e., \(f' \mid _r f''\). It follows that \(d\) is a unit, so \(d \in L\) and \(\left( f',g'\right) _\ell = 1\). Conversely, assume \(\left( f',g'\right) _\ell = 1\). If \(\left[ f,g\right] _\ell = f''' f = g''' g\), since \(\left[ f,g\right] _\ell \mid _r f'f = g'g\), there exists \(c\in R\) such that \(c \left[ f,g\right] _\ell = f'f = g'g\). It follows \(c f''' = f'\) and \(c g''' = g'\), hence \(c \mid _\ell \left( f',g'\right) _\ell \). Therefore \(c \in L\) and \(\left[ f,g\right] _\ell = f'f = g'g\).

The analogous result for least common right multiples and greatest common right divisors also holds.

There exist Left and Right Extended Euclidean algorithms (LEEA and REEA, for short) that compute greatest common divisors and least common multiples on both sides. For our forthcoming reasoning, we will need a very precise statement of the LEEA that provides the Bezout coefficients in each step of the algorithm. This is given in Algorithm 1.

Algorithm 1

Left Extended Euclidean Algorithm

The output of Algorithm 1 enjoys some properties that will be used later. We record them in the following lemma, whose commutative version may be found in [23, Lemma 3.8].

Lemma 1

Let \(f,g\in R\) and \(\{u_i,v_i,r_i\}_{i=0,\ldots ,h}\) be the coefficients obtained when applying the LEEA to f and g. Then, for all \(i =0, \ldots , h\), we have:

1. \(u_i f + v_i g = r_i\).
2. \(\left( u_i,v_i\right) _\ell =1\).
3. \(\deg f=\deg r_{i-1}+\deg v_i\).

Proof

The proof given in [6, Lemma 24] works here step by step. \(\square \)

Let \(0 \ne g \in R\) be invariant, i.e. \(Rg = gR\). Therefore, \(R/Rg\) is a ring. It is easy to check that \(fh = g\) if and only if \(h'f = g\), where \(gh = h'g\), so \(f \mid _r g\) if and only if \(f \mid _\ell g\). In particular, since \(x-\gamma \) is irreducible for all \(\gamma \in L\), \(\left( x-\gamma ,g\right) _r = 1\) if and only if \(\left( x-\gamma ,g\right) _\ell = 1\).

Observe that \(\left( x-\gamma ,g\right) _\ell = 1\) means that \(x-\gamma + Rg\) is a unit in \(R/Rg\), so there exists a unique \(h \in R\) with \(\deg (h) < \deg (g)\) such that \((x-\gamma )h - 1 \in Rg\) and \(h(x-\gamma ) -1 \in Rg\).

Definition 1

Let \(F \subseteq L\) be a field extension. Let \(g \in R = L[x;\sigma ,\partial ]\) be a nonzero invariant polynomial. Let \(\alpha _0, \ldots , \alpha _{n-1} \in L\) be different elements such that \(\left( x - \alpha _i, g\right) _r = 1\) for all \(0 \le i \le n-1\), let \(h_i \in R\) such that \(\deg (h_i) < \deg (g)\) and

$$\begin{aligned} (x - \alpha _i) h_i - 1 \in R g, \end{aligned}$$
(1)

and let \(\eta _0, \ldots , \eta _{n-1} \in L^*\). A (generalized) skew differential Goppa code \(\mathcal {C} \subseteq F^n\) is the set of vectors \((c_0,\ldots , c_{n-1}) \in F^n\) such that

$$\begin{aligned} \sum _{i=0}^{n-1} h_i \eta _i c_i = 0. \end{aligned}$$
(2)

By a degree argument, (2) is equivalent to

$$\begin{aligned} \sum _{i=0}^{n-1} h_i \eta _i c_i \in R g. \end{aligned}$$
(3)

We say that \(\{\alpha _0, \ldots , \alpha _{n-1}\}\) are the position points, \(g\) is the (skew differential) Goppa polynomial and \(h_0, \ldots , h_{n-1}\) are the parity check polynomials. If \(\partial = 0\), we just call it a (generalized) skew Goppa code.

Remark 2

A classical Goppa code is an instance of the skew differential Goppa codes when \(\sigma \) is the identity map, \(\partial = 0\) and \(\eta _i = 1\) for all \(0 \le i \le n-1\).

Remark 3

In [25], linearized Goppa codes are introduced. Since the ring of linearized polynomials over a finite field is isomorphic to the ring of Ore polynomials built from the Frobenius automorphism with trivial skew derivation, linearized Goppa codes become instances of skew differential Goppa codes. Nevertheless, there are some mistakes in this reference. For instance, [25, Proposition 1] seems not to be correct. Indeed, following the notation in [25], let \(q = 2\), \(m = 3\). The field \(\mathbb {F}_{q^m}\) is represented as \( \mathbb {F}_{2^3} = \mathbb {F}_{2}[b] / \langle b^3 + b + 1\rangle \). Let \( \textbf{g} = \left\langle g_1 = b^2 + b, g_2 = b \right\rangle \). We get

$$\begin{aligned} \sigma _{\textbf{g}}(x)= & {} \sigma _{\left\langle g_1, g_2 \right\rangle }(x) = x(x+b^2+b)(x+b)(x+b^2) = x^4 + x^2 + x, \\ \sigma _{\textbf{g}_1}(x)= & {} \sigma _{\left\langle g_2 \right\rangle }(x) = x (x+b) = x^2 + bx \end{aligned}$$

and

$$\begin{aligned} \sigma _{\textbf{g}_1}(x) \circ (x^q - g_1^{q-1}x) = (x^2 + b x) \circ (x^2 + (b^2 + b) x) = x^4 + (b^2+b+1)x, \end{aligned}$$

so it is not true that \(\sigma _{\textbf{g}}(x) = \sigma _{\textbf{g}_i}(x) \circ (x^q - g_i^{q-1}x)\).

For the rest of this section a skew differential Goppa code \(\mathcal {C}\) is fixed. Let \(\{\varepsilon _i ~\mid ~ 0 \le i \le n-1\}\) be the canonical basis of \(F^n\). Assume \(c \in \mathcal {C}\) is transmitted and \(r \in F^n\) is received. Therefore

$$\begin{aligned} r = c + e \end{aligned}$$

for some \(e = \sum _{j=1}^\nu e_{j} \varepsilon _{k_j}\) with \(e_j \ne 0\) for \(1 \le j \le \nu \). The syndrome polynomial is defined and computed as

$$\begin{aligned} s = \sum _{i=0}^{n-1} h_i \eta _i r_i. \end{aligned}$$

By (2), it follows that

$$\begin{aligned} s - \sum _{j=1}^\nu h_{k_j} \eta _{k_j} e_j = \sum _{i=0}^{n-1} h_i \eta _i c_i \in Rg = gR. \end{aligned}$$
(4)

We define the (non-commutative) error locator polynomial as

$$\begin{aligned} \lambda = \left[ \{x - \alpha _{k_j}~\mid ~1 \le j \le \nu \}\right] _\ell \in R. \end{aligned}$$

Then \(\deg (\lambda ) \le \nu \) and, for each \(1 \le j \le \nu \), there exists \(\rho _{k_j} \in R\) such that \(\deg (\rho _{k_j}) < \nu \) and

$$\begin{aligned} \lambda = \rho _{k_j} (x-\alpha _{k_j}). \end{aligned}$$
(5)

The error evaluator polynomial is defined as

$$\begin{aligned} \omega = \sum _{j=1}^\nu \rho _{k_j} \eta _{k_j} e_j. \end{aligned}$$

It follows that \(\deg (\omega ) < \nu \).

Our next aim is to derive and solve a non-commutative key equation that relates syndrome, and error locator and error evaluator polynomials. The solution requires the following lemma.

Lemma 2

Let \(f,g \in R\) such that \(\deg f < \deg g = \chi \). Assume that there exist \(\kappa , \lambda , \omega \in R\) such that \( \kappa g + \lambda f = \omega \), \(\deg \lambda \le \left\lfloor \frac{\chi }{2} \right\rfloor \) and \(\deg \omega <\left\lfloor \frac{\chi }{2} \right\rfloor \). Let \(u_I,v_I\) and \(r_I\) be the (partial) Bezout coefficients returned by the LEEA with input g and f, where I is the index determined by the conditions \(\deg r_{I-1} \ge \left\lfloor \frac{\chi }{2} \right\rfloor \) and \(\deg r_I < \left\lfloor \frac{\chi }{2} \right\rfloor \). Then there exists \(h \in R\) such that \(\kappa = h u_I\), \(\lambda = h v_I\) and \(\omega = h r_I\).

Proof

Since \(\kappa g + \lambda f = \omega \), \(\deg \lambda \le \left\lfloor \frac{\chi }{2} \right\rfloor \) and \(\deg \omega < \left\lfloor \frac{\chi }{2} \right\rfloor \), it follows that \(\deg \kappa < \left\lfloor \frac{\chi }{2} \right\rfloor \). By Lemma 1, \(\deg v_I + \deg r_{I-1} = \chi \), so that \(\deg v_I \le \chi - \left\lfloor \frac{\chi }{2} \right\rfloor \).

Write \(\left[ \lambda ,v_I\right] _\ell = a \lambda = b v_I\), where \(a,b\in R\) with \(\deg a \le \deg v_I \le \chi - \left\lfloor \frac{\chi }{2} \right\rfloor \) and \(\deg b \le \deg \lambda \le \left\lfloor \frac{\chi }{2} \right\rfloor \). Then \(\left( a,b\right) _\ell =1\) by Remark 1.

From \(\kappa g + \lambda f = \omega \) we get

$$\begin{aligned} a \kappa g + a \lambda f = a \omega . \end{aligned}$$
(6)

By Lemma 1, we have \(u_I g + v_I f = r_I\), which we multiply on the left by b to get

$$\begin{aligned} b u_I g + b v_I f = b r_I. \end{aligned}$$
(7)

Hence, from (6) and (7),

$$\begin{aligned} (a \kappa - b u_I) g = a \omega - b r_I. \end{aligned}$$
(8)

Since

$$\begin{aligned} \deg (a \omega - b r_I) \le \max \left\{ \deg a + \deg \omega , \deg b + \deg r_I \right\} \\ < \max \left\{ \chi - \left\lfloor \frac{\chi }{2} \right\rfloor + \left\lfloor \frac{\chi }{2} \right\rfloor , \left\lfloor \frac{\chi }{2} \right\rfloor + \left\lfloor \frac{\chi }{2} \right\rfloor \right\} = \chi = \deg g, \end{aligned}$$

it follows, from (8), that \(a \kappa = b u_I\) and \(a \omega = b r_I\). Actually, \(\left( a,b\right) _\ell =1\) yields \(\left[ \kappa ,u_I\right] _\ell = a \kappa = b u_I\) and \(\left[ \omega ,r_I\right] _\ell = a \omega = b r_I\) by Remark 1. In particular, \(\deg a \le \deg r_I < \left\lfloor \frac{\chi }{2} \right\rfloor \).

Let \(\left[ a,b\right] _r = a a' = b b'\). Since \(\left[ \lambda ,v_I\right] _\ell \) is a right multiple of a and b, there exists \(m \in R\) such that \(\left[ \lambda ,v_I\right] _\ell = \left[ a,b\right] _r m\). Then \(a \lambda = b v_I = a a' m = b b' m\). Thus, \(\lambda = a' m\) and \(v_I = b' m\) and, by minimality, \(\left( \lambda ,v_I\right) _r = m\). Similar arguments prove that there exist \(m',m''\in R\) such that \(u_I = b' m'\) and \(\kappa = a' m'\), and that \(r_I = b' m''\) and \(\omega = a' m''\). Nevertheless, by Lemma 1, \(\left( u_I,v_I\right) _\ell = 1\), so \(b'=1\). In this way, \(b = a a'\) and we get \(\lambda = a' v_I\), \(\omega = a' r_I\) and \(\kappa = a' u_I\). This completes the proof. \(\square \)

Theorem 1

The error locator \(\lambda \) and the error evaluator \(\omega \) polynomials satisfy the non-commutative key equation

$$\begin{aligned} \omega = \kappa g + \lambda s, \end{aligned}$$
(9)

for some \(\kappa \in R\). Assume that \(\nu \le t = \left\lfloor \frac{\deg g}{2} \right\rfloor \). Let \(u_I,v_I\) and \(r_I\) be the Bezout coefficients returned by the left extended Euclidean algorithm with input g and s, where I is the index determined by the conditions \(\deg r_{I-1}\ge t\) and \(\deg r_I<t\). Then there exists \(h \in R\) such that \(\kappa = h u_I\), \(\lambda = h v_I\) and \(\omega = h r_I\).

Proof

Since \((x - \alpha _i) h_i + R g = 1 + Rg\) for all \(0 \le i \le n-1\), we get from (4) the following computation in the ring R/Rg:

$$\begin{aligned} \begin{aligned} \lambda s + Rg&= \sum _{j=1}^\nu \lambda h_{k_j} \eta _{k_j} e_j + R g \\&= \sum _{j=1}^\nu \rho _{k_j} (x-\alpha _{k_j}) h_{k_j} \eta _{k_j} e_j + R g \\&= \sum _{j=1}^\nu \rho _{k_j} \eta _{k_j} e_j + R g \\&= \omega + R g. \end{aligned} \end{aligned}$$

This proves (9). By construction,

$$\begin{aligned} \deg s \le \max \left\{ \deg (h_i) ~\mid ~ 0 \le i \le n-1 \right\} < \deg g, \end{aligned}$$

so the second statement of the theorem follows from Lemma 2. \(\square \)

3 Decoding algorithms

From now on we assume

$$\begin{aligned}\nu \le t = \left\lfloor \frac{\deg g}{2} \right\rfloor .\end{aligned}$$

It follows from Theorem 1 that the condition \(\left( \lambda ,\omega \right) _\ell = 1\) implies that \(\lambda \) and \(\omega \) are left associated to \(v_I\) and \(r_I\), respectively: \(h\) is then a common left divisor of \(\lambda \) and \(\omega \), hence a unit. Hence, under this condition the LEEA computes the error locator and evaluator polynomials. In the commutative case, it is easy to check that locator and evaluator are always relatively prime. Although, in our experiments, most examples in this non-commutative setting do satisfy the condition \(\left( \lambda ,\omega \right) _\ell = 1\), this is not always the case (see Example 3). For a correct decoding, we need to know when \(v_I,r_I\) are actually the error locator and the error evaluator polynomials, and whether the error locator polynomial actually locates the error positions.

In order to proceed, we need the notion of left P-independent set in the sense of [4, 15]. From now on, we assume the following hypothesis on the position points.

Hypothesis 1

We assume that \(\{\alpha _0, \ldots , \alpha _{n-1}\} \subseteq L\) is left P-independent, that is,

$$\begin{aligned} \deg \left[ \{x - \alpha _i ~\mid ~0 \le i \le n-1\}\right] _\ell = n. \end{aligned}$$
(10)

Observe that, by [4, Theorem 5.3], every subset of a P-independent set is P-independent.

As a consequence of Hypothesis 1, \(\deg (\lambda ) = \nu \). Let us deduce that \(\lambda \) actually locates the error positions.

Proposition 1

\(x- \alpha _k \mid _r \lambda \) if and only if \(k \in \{k_1, \ldots , k_\nu \}\).

Proof

If \(x-\alpha _k \mid _r \lambda \) with \(k \notin \{k_1, \ldots , k_\nu \}\), then \(\lambda \), of degree \(\nu \), is a common left multiple of the \(\nu + 1\) polynomials \(x - \alpha _k, x-\alpha _{k_1}, \ldots , x-\alpha _{k_\nu }\), so their least common left multiple has degree at most \(\nu \) and the set \(\{\alpha _k, \alpha _{k_1}, \ldots , \alpha _{k_\nu }\}\) is left P-dependent, contradicting Hypothesis 1. The converse holds by the definition of \(\lambda \). \(\square \)

3.1 Decoding algorithm with unlikely decoding failure

In this subsection we give a criterion on the partial outputs of LEEA to decide if \(\lambda \) is left associated to \(v_I\) (Proposition 2). This leads to a decoding algorithm (Algorithm 2) that turns out to work in most cases. In the next subsection, we discuss how to correctly decode when Algorithm 2 outputs a decoding failure. Our approach is adapted from [6, Lemma 26 and Theorem 15].

Lemma 3

Let \(\{i_1, \ldots , i_m\}\subseteq \{0,\ldots ,n-1\}\) with \(1 < m \le n\), and

$$\begin{aligned} f=\left[ x - \alpha _{i_1}, \ldots ,x - \alpha _{i_m}\right] _\ell . \end{aligned}$$

Let \(f_1,\ldots , f_m\in R\) such that \(f = f_j (x - \alpha _{i_j})\) for all \(1 \le j\le m\). Then:

1. \(\left[ f_1, \ldots , f_m\right] _r = f\) and \(\left( f_1, \ldots , f_m\right) _\ell = 1\).
2. \(R/f R = \bigoplus _{j=1}^m f_j R/f R\).
3. For any \(h\in R\) with \(\deg h < m\) there exist \(a_1,\ldots ,a_m \in L\) such that \(h = \sum _{j=1}^m f_j a_j\).
4. The set \(\{f_1, \ldots , f_m\}\) gives, modulo fR, a basis of \(R/f R\) as an L-vector space.

Proof

(1) By Hypothesis 1, \(\{\alpha _{i_1}, \ldots , \alpha _{i_m}\}\) is left P-independent. So, by (10), \(\deg f = m\) and, thus, \(\deg f_j = m-1\) for every \(j=1,\ldots ,m\). Since \(m > 1\) and the \(f_j\) are pairwise non-associated (\(f_j = c f_l\) with \(c \in L^*\) would force \(c(x - \alpha _{i_j}) = x - \alpha _{i_l}\), i.e. \(j = l\)), the degree of \(\left[ f_1, \ldots , f_m\right] _r\) must be at least \(m-1+1 = m\). But f is obviously a common right multiple of \(f_1, \ldots , f_m\), whence \(f = \left[ f_1, \ldots , f_m\right] _r\). It is straightforward to check that \(\left( f_1, \ldots , f_m\right) _\ell = 1\): otherwise, writing \(f_j = d f'_j\) with \(\deg d \ge 1\) for all \(j\), the polynomial \(f'_j (x - \alpha _{i_j})\), which does not depend on \(j\), would be a common left multiple of \(x - \alpha _{i_1}, \ldots , x - \alpha _{i_m}\) of degree smaller than \(\deg f\).

(2) Since \(f R \subseteq f_j R\) for all \(1 \le j \le m\) and \(\left( f_1, \ldots , f_m\right) _\ell = 1\), we get \(R/fR = \sum _{j=1}^m f_j R / f R\). Observe that \(f_j R/f R \cong R/(x - \alpha _{i_j})R\) is one-dimensional over L. Since the dimension of R/fR as an L–vector space is \(\deg f = m\), we get that the sum is direct.

(3) and (4) follow from (2). \(\square \)

Proposition 2

Let \(u, v, r \in R\) such that \(u g + v s = r\), \(h u = \kappa \), \(h v = \lambda \) and \(h r = \omega \) for some \(h \in R\). Let \(T=\{l_1, l_2, \ldots ,l_m\} = \{ 0 \le l \le n-1 ~\mid ~ (x-\alpha _l) \mid _r v\}\). Then \(m = \deg v\) if and only if \(\deg h = 0\).

Proof

Since \(v \mid _r \lambda \), every right root of \(v\) is a right root of \(\lambda \), hence \(\{l_1, \ldots , l_m\} \subseteq \{k_1, \ldots , k_\nu \}\) by Proposition 1. We reorder the set of error positions in such a way that \(T=\{k_1, \ldots ,k_m\}\) with \(m \le \nu \). If \(\deg h = 0\), then \(m = \nu \) and \(\deg v = \nu \) by (10), since \(\{\alpha _{k_1}, \ldots , \alpha _{k_\nu }\}\) is left P-independent. Conversely, if \(m = \deg v\), then

$$\begin{aligned} v = \left[ \{x - \alpha _{k_j} ~\mid ~1 \le j \le m\}\right] _\ell \end{aligned}$$

by (10) and Hypothesis 1. Recall that \(\lambda = \rho _{k_j} (x - \alpha _{k_j})\) and write \(v = \rho '_j (x - \alpha _{k_j})\) for all \(1 \le j \le m\). Since

$$\begin{aligned} \deg r = \deg \omega - \deg h = \deg \omega + \deg v - \deg \lambda \le \nu -1+m-\nu = m-1, \end{aligned}$$

we get from Lemma 3 that \(r = \sum _{i=1}^m \rho '_i a_i\) for some \(a_{1},\ldots , a_{m} \in L\). On the other hand, \(\lambda = h v\). Thus, for any \(1 \le j \le m\), \(\rho _{k_j} (x - \alpha _{k_j}) = h \rho '_j (x - \alpha _{k_j})\), so \(\rho _{k_j} = h \rho '_j\). Now, \(h r = \omega \), so

$$\begin{aligned} \sum _{j=1}^m \rho _{k_j} a_j = h \left( \sum _{j=1}^m \rho '_j a_j \right) = h r = \omega = \sum _{j=1}^m \rho _{k_j} e_j + \sum _{j=m+1}^\nu \rho _{k_j} e_{j}. \end{aligned}$$
(11)

By Lemma 3, \(\{\rho _{k_1}, \ldots , \rho _{k_\nu }\}\) is a basis of \(R/\lambda R\) as a right L–vector space. Therefore, since \(e_j \ne 0\) for every \(1 \le j \le \nu \), Eq. (11) implies that \(m = \nu \) and, thus, \(\deg h = 0\). \(\square \)

Theorem 1 and Proposition 2 ensure the correctness of the decoding algorithm described in Algorithm 2.

Algorithm 2

Decoding algorithm for skew differential Goppa codes with unlikely decoding failure
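The following worked example is added by the editor and is not code from the paper. It fixes the smallest non-trivial skew setting of Sect. 4, \(L = \mathbb {F}_{16}\), \(\sigma (a) = a^4\) of order \(\mu = 2\), \(K = L^\sigma = \mathbb {F}_4\), and implements, over that ring \(R = L[x;\sigma ]\), the left division of Sect. 2, the LEEA with Bezout coefficients of Algorithm 1 (checked against Lemma 1), least common left multiples from the last LEEA row (Remark 1 with Lemma 1(2)), the parity check polynomials \(h_i\) of Definition 1, the syndrome \(s\), and the LEEA step of Theorem 1 together with the root-count test of Proposition 2, i.e. Algorithm 2 up to the locator; the final linear system for the error values is not solved. All choices are the editor's assumptions: the Goppa polynomial \(g = x^4 + x^2 + \omega \) with \(\omega \in K\) (a central, hence invariant, polynomial with \(t = 2\)), \(\eta _i = 1\), \(F = K\), a greedily chosen left P-independent set of position points, and a constructed error of weight 2.

```python
# Worked example added by the editor (not code from the paper): R = L[x;sigma] with
# L = GF(16), sigma(a) = a^4 of order 2, K = L^sigma = GF(4). Left division, the LEEA
# with Bezout coefficients (Algorithm 1), lclm from its last row (Remark 1, Lemma 1(2)),
# the h_i of Definition 1, the syndrome, and the LEEA step of Theorem 1 with the root
# count test of Proposition 2. g, the points, eta_i = 1, F = K and the error are editor's choices.
from functools import reduce

MOD, MU = 0b10011, 2        # GF(16) = GF(2)[z]/(z^4+z+1), ints with bit i = coeff of z^i; MU = order of sigma

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (MOD if a & 8 else 0), b >> 1
    return r
def gf_inv(a):              # a^14 = a^(-1) in GF(16)*, a != 0
    return reduce(gf_mul, [a] * 14, 1)
def sigma(a, k=1):          # sigma^k(a) with sigma(a) = a^4; k may be negative
    for _ in range(k % MU):
        a = gf_mul(gf_mul(a, a), gf_mul(a, a))
    return a

# Skew polynomials: coefficient lists, lowest degree first, no trailing zeros (deg 0 = -1).
def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f
def deg(f):
    return len(f) - 1
def add(f, g):              # characteristic 2: addition is also subtraction
    n = max(len(f), len(g))
    return trim([(f[i] if i < len(f) else 0) ^ (g[i] if i < len(g) else 0) for i in range(n)])
def mul(f, g):              # x a = sigma(a) x, hence (a x^i)(b x^j) = a sigma^i(b) x^(i+j)
    r = [0] * (len(f) + len(g))
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] ^= gf_mul(a, sigma(b, i))
    return trim(r)

def lquorem(f, d):          # left division of Sect. 2: f = q d + r with deg r < deg d
    f, k, q = list(f), deg(d), [0] * max(len(f) - len(d) + 1, 1)
    while deg(f) >= k:
        m = deg(f)          # (c x^(m-k))(d_k x^k) = c sigma^(m-k)(d_k) x^m must cancel f_m x^m
        c = gf_mul(f[m], gf_inv(sigma(d[k], m - k)))
        q[m - k] = c
        f = add(f, mul([0] * (m - k) + [c], d))
    return trim(q), f

def leea(f, g):             # Algorithm 1: rows (u_i, v_i, r_i) with u_i f + v_i g = r_i, r_0 = f, r_1 = g
    rows = [([1], [], list(f)), ([], [1], list(g))]
    while rows[-1][2]:
        (u0, v0, r0), (u1, v1, r1) = rows[-2], rows[-1]
        q, r = lquorem(r0, r1)  # r_{i+1} = r_{i-1} - q r_i; same update for u and v
        rows.append((add(u0, mul(q, u1)), add(v0, mul(q, v1)), r))
    return rows

def lclm(f, g):             # last row: u_h f = v_h g with (u_h, v_h)_l = 1, so u_h f = [f, g]_l by Remark 1
    return mul(leea(f, g)[-1][0], f)
def is_right_root(a, f):    # (x - a) |_r f  <=>  f = q (x - a)  <=>  zero left remainder
    return lquorem(f, [a, 1])[1] == []

W = 0b0110                  # w = z^5 generates K* = GF(4)*
G = [W, 0, 1, 0, 1]         # g = x^4 + x^2 + w lies in K[x^2], the centre of R, so Rg = gR
T = deg(G) // 2             # t = 2

def position_points():      # greedy left P-independent set (Hypothesis 1): keep a iff deg lclm grows by one
    pts, f = [], [1]
    for a in range(16):
        f2 = lclm(f, [a, 1])
        if deg(f2) == deg(f) + 1:
            pts, f = pts + [a], f2
    return pts

def parity_check_poly(a):   # h of (1): the LEEA gives u g + v (x - a) = c in L*, so h = c^(-1) v, deg h < deg g
    u, v, r = leea(G, [a, 1])[-2]
    assert deg(r) == 0, "x - a is not right coprime with g"
    return mul([gf_inv(r[0])], v)
def syndrome(H, received):  # s = sum_i h_i eta_i r_i with eta_i = 1
    return reduce(add, (mul(h, [ri]) for h, ri in zip(H, received)), [])

def locate_errors(points, H, received):
    """LEEA on (g, s) up to the first I with deg r_I < t (Theorem 1); the right roots of v_I are
    the error positions iff there are deg v_I of them (Proposition 2), else decoding failure (None)."""
    rows = leea(G, syndrome(H, received))
    I = next(i for i in range(1, len(rows)) if deg(rows[i][2]) < T)
    v = rows[I][1]
    roots = [k for k, a in enumerate(points) if is_right_root(a, v)]
    return roots if len(roots) == deg(v) else None

def demo():                 # n = 7 points (0 plus two from each nonzero norm class); constructed weight-2 error
    pts = position_points()
    H = [parity_check_poly(a) for a in pts]
    e = [0] * len(pts)
    e[1], e[5] = 1, W       # error values in F = K = GF(4)
    return pts, locate_errors(pts, H, e)

if __name__ == "__main__":
    print(demo())
```

Running the script locates the two error positions from the syndrome alone. Two points deserve comment. First, `position_points` returns exactly \(n = 7\) elements: \(0\) plus two from each of the three nonzero norm classes of \(L^*\), which is the maximum allowed by the description of P-independent sets in Sect. 4, and every \(\alpha \in L\) is right coprime with \(g\) because \(y^2 + y + \omega \) has no root in \(K\). Second, in this configuration a decoding failure cannot occur: \(\sigma \) fixes \(F = K\), so for \(\nu = 2\) the determinant of Proposition 6 is \(e_1 e_2 (\alpha _{k_2} - \alpha _{k_1}) \ne 0\), and the `None` branch of `locate_errors` is never taken; with \(F \not\subseteq K\) or nontrivial \(\eta _i\) that guarantee is lost and Algorithm 3 would be needed as a fallback.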

3.2 Solving decoding failures

Proposition 2 gives a criterion which tells us whether we have actually found the solution of (9), and, therefore, whether the output of Algorithm 2 is the error polynomial. Nevertheless, a decoding failure may occur, see Example 3, in which case we have not computed the error locator polynomial, but only a proper right divisor of it. So we need to find new right roots of \(\lambda \).

Proposition 3

Let \(u, v, r \in R\) such that \(u g + v s = r\), \(h u = \kappa \), \(h v = \lambda \) and \(h r = \omega \) for some \(h \in R\). Let \(k \in \{0, \ldots , n-1\}\) such that \(x-\alpha _k \not \mid _r v\) but \(x - \alpha _k \mid _r \lambda \). Set \(v' = \left[ x-\alpha _k,v\right] _\ell \) and let \(h'' \in R\) such that \(h'' v = v'\). Define \(u' = h'' u\) and \(r' = h'' r\). Then \(u' g + v' s = r'\), \(h' u' = \kappa \), \(h' v' = \lambda \) and \(h' r' = \omega \) for some \(h' \in R\).

Proof

Since \(\lambda = h v\), it follows that \(\left[ x-\alpha _k,v\right] _\ell \mid _r \lambda \), so there exists \(h' \in R\) such that \(\lambda = h' \left[ x-\alpha _k,v\right] _\ell \). Then \(h v = \lambda = h' h'' v\), hence \(h = h' h''\). Multiplying \(u g + v s = r\) by \(h''\) on the left, we get \(u' g + v' s = r'\). Moreover, \(\kappa = h u = h' h'' u = h' u'\), \(\lambda = h v = h' h'' v = h' v'\) and \(\omega = h r = h' h'' r = h' r'\). \(\square \)

Proposition 4

Assume \(\lambda = h v\) with \(\deg h \ge 1\). Let

$$\begin{aligned}\{s_1, \ldots , s_m\} = \big \{ i \in \{0, \ldots , n-1\} ~\mid ~ (x - \alpha _i) \mid _r v \big \}\end{aligned}$$

and \(\{l_1, \ldots , l_r\} = \{0, \ldots , n-1\} {\setminus } \{s_1, \ldots , s_m\}\). For any \(1\le i\le r\), let \(f_i = \left[ f_{i-1},x - \alpha _{l_i}\right] _\ell \) with \(f_{0} = v\). Then:

1. There exists \(d \ge 1\) such that \(\deg (f_{d-1})=\deg (f_d)\).
2. If \(d_0\) is the minimal index such that \(\deg (f_{d_0-1})=\deg (f_{d_0})\), then \(l_{d_0} \in \{k_1, \ldots , k_\nu \}\).

Proof

For any \(1\le i\le r\), let \(\lambda _i=\left[ \lambda _{i-1},x - \alpha _{l_i}\right] _\ell \) with \(\lambda _{0} = \lambda \). Since \(f_0 = v \mid _r \lambda = \lambda _0\), it is clear that \(f_i \mid _r \lambda _i\) for any \(1 \le i \le r\). Suppose that the sequence \(\{\deg (f_i)\}_{0\le i\le r}\) is strictly increasing. As each step raises the degree by at most one, \(\deg (f_{r}) = r + \deg (v) = n - m + \deg (v) > n\), because \(\deg (v) > m\): indeed \(m \le \deg (v)\), since the \(m\) right roots \(\alpha _{s_1}, \ldots , \alpha _{s_m}\) of \(v\) are left P-independent and their least common left multiple, of degree \(m\), right divides \(v\); and \(m \ne \deg (v)\) by Proposition 2, as \(\deg h \ge 1\). This is not possible, since \(f_{r} \mid _r \lambda _{r} = \left[ \{x - \alpha _i ~\mid ~ 0 \le i \le n-1\}\right] _\ell \), whose degree is \(n\) by (10). So there exists a minimal \(d_0 \ge 1\) such that \(\deg (f_{d_0-1}) = \deg (f_{d_0})\), that is, \(x-\alpha _{l_{d_0}} \mid _r f_{d_0-1} \mid _r \lambda _{d_0-1} = \left[ \lambda , x-\alpha _{l_1}, \ldots , x-\alpha _{l_{d_0-1}}\right] _\ell \). Now \(\lambda _{d_0-1}\) is the least common left multiple of the \(\nu + d_0 - 1\) linear polynomials \(x - \alpha _{k_1}, \ldots , x - \alpha _{k_\nu }, x - \alpha _{l_1}, \ldots , x - \alpha _{l_{d_0-1}}\), so, arguing as in Proposition 1, Hypothesis 1 forces every position point which is a right root of \(\lambda _{d_0-1}\) to be one of \(\alpha _{k_1}, \ldots , \alpha _{k_\nu }, \alpha _{l_1}, \ldots , \alpha _{l_{d_0-1}}\). Since \(l_{d_0} \ne l_1, \ldots , l_{d_0-1}\), we get \(l_{d_0} \in \{k_1, \ldots , k_\nu \}\), i.e. \(x - \alpha _{l_{d_0}} \mid _r \lambda \). \(\square \)

Propositions 3 and 4 provide a way to find the locator if a decoding failure happens. This is presented in Algorithm 3.

Algorithm 3

Solving decoding failures

Remark 4

Concerning the complexity, the run-time of Algorithm 2 is dominated by the execution of the LEEA and the resolution of a linear system. In Algorithm 3, the internal loop, which finds one error position, computes the least common left multiple of a linear polynomial and \(v_{curr}\), updating \(v_{curr}\) to this least common left multiple, until the degree stops increasing. Its theoretical complexity is then dominated by at most \(n\) executions of a least common left multiple of polynomials of bounded degree. This loop is executed at most as many times as there are error positions, so the complexity of Algorithm 3 is polynomially bounded in terms of the complexity of the LEEA. Consequently, the conjunction of Algorithms 2 and 3 has, in the worst case, polynomial run-time with respect to the execution of the LEEA and the resolution of a linear system.

In the setting of the cryptosystem to be described in Sect. 5, that is, skew polynomials over a finite field with \(\partial = 0\), according to [7, Lemma 3.3], the execution of the LEEA is in \(\mathcal {O}(n^2)\) operations in the field, whilst the traditional approach to solve the linear system in Line 23 of Algorithm 2 is by Gaussian elimination, which can be done in \(\mathcal {O}(t^3)\). Therefore the complexity of Algorithm 2 belongs to \(\mathcal {O}(t^3+n^2)\) operations in the field, whilst Algorithm 3 belongs to \(\mathcal {O}(tn^3)\).

It was noticed by one of the referees that there is a fast computation of the left extended Euclidean algorithm in [2]. These results could be used to speed our algorithms up in the finite field case.

Observe that, by Theorem 1 and Proposition 2, decoding failure cannot happen if \(\left( \lambda , \omega \right) _\ell = 1\). Next, we analyze this condition.

Proposition 5

Under the notation of Sect. 2, the following statements are equivalent:

1. \(\left( \omega ,\lambda \right) _\ell = 1\).
2. \(\omega + \lambda R\) generates \(R/\lambda R\) as a right \(R\)–module.
3. The set \(\{ (\omega + \lambda R)x^i ~\mid ~ 0 \le i \le \nu -1 \}\) is right linearly independent over L.

Proof

The equivalence between (1) and (2) is a direct consequence of Bezout’s Theorem. It is clear that \(\omega + \lambda R\) generates the right R–module \(R/\lambda R\) if and only if \(\{ (\omega + \lambda R)x^i ~\mid ~ 0 \le i \le \nu -1 \}\) spans \(R/\lambda R\) as a right L–vector space. Since the dimension over L of \(R/\lambda R\) is \(\nu \), the equivalence between (2) and (3) becomes clear. \(\square \)

In the skew case, i.e. \(\partial = 0\), a more precise analysis can be done. Besides the partial norms \({\text {N}}^{}_{i}(a) = a \sigma (a) \cdots \sigma ^{i-1}(a)\), for any \(a \in L\) and \(i \in \mathbb {N}\), the \(-i\)-th norm of \(a\) is defined as \({\text {N}}^{}_{-i}(a) = {\text {N}}^{\sigma }_{-i}(a) = {\text {N}}^{\sigma ^{-1}}_{i}(a)\), i.e.

$$\begin{aligned} {\text {N}}^{}_{-i}(a) = a \sigma ^{-1}(a) \ldots \sigma ^{-i+1}(a). \end{aligned}$$

Since \(\sigma \) has order \(\mu \), it follows that \({\text {N}}^{}_{\mu }(\gamma ) = {\text {N}}^{}_{-\mu }(\gamma )\). Moreover, for each \(f = \sum _j f_j x^j \in R\) and all \(\gamma \in L\), there exists \(h \in R\) such that

$$\begin{aligned} f = (x-\gamma ) h + \sum _{j} \sigma ^{-j}(f_j) {\text {N}}^{}_{-j}(\gamma ). \end{aligned}$$
(12)
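As an added check of (12), not part of the original text, the right-hand side can be carried through by hand for \(f = x^2\) and \(f = a x\), using only the rule \(x c = \sigma (c) x\) of \(R = L[x;\sigma ]\):

$$\begin{aligned} (x-\gamma )\bigl (x + \sigma ^{-1}(\gamma )\bigr ) &= x^2 + x\,\sigma ^{-1}(\gamma ) - \gamma x - \gamma \,\sigma ^{-1}(\gamma ) = x^2 - \gamma \,\sigma ^{-1}(\gamma ), \\ \text {so}\quad x^2 &= (x-\gamma )\bigl (x + \sigma ^{-1}(\gamma )\bigr ) + {\text {N}}^{}_{-2}(\gamma ), \end{aligned}$$

since \(x\,\sigma ^{-1}(\gamma ) = \gamma x\) and \(\gamma \,\sigma ^{-1}(\gamma ) = {\text {N}}^{}_{-2}(\gamma )\); this is (12) with \(f_2 = 1\) and \(h = x + \sigma ^{-1}(\gamma )\). Likewise \((x-\gamma )\,\sigma ^{-1}(a) = a x - \gamma \,\sigma ^{-1}(a)\), so \(a x = (x-\gamma )\,\sigma ^{-1}(a) + \sigma ^{-1}(a)\,{\text {N}}^{}_{-1}(\gamma )\), which is (12) with \(f_1 = a\) and \(h = \sigma ^{-1}(a)\). In particular \(x^i - {\text {N}}^{}_{-i}(\gamma ) \in (x-\gamma )R\) for \(i = 1, 2\), the fact used in the proof of Lemma 4 below.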

Lemma 4

The j-coordinate of \(\omega x^i + \lambda R\) with respect to the basis \(\{\rho _{k_1}, \ldots , \rho _{k_\nu }\}\) is \({\text {N}}^{}_{-i}(\alpha _{k_j}) \sigma ^{-i}(\eta _{k_j}) \sigma ^{-i}(e_j)\), for any \(1\le j \le \nu \).

Proof

By (12), \(\alpha _{k_j}\) is a left root of \(x^i-{\text {N}}^{}_{-i}(\alpha _{k_j})\). Then \(x^i-{\text {N}}^{}_{-i}(\alpha _{k_j}) \in (x - \alpha _{k_j}) R\). Multiplying on the left by \(\rho _{k_j}\), \(\rho _{k_j} x^i - \rho _{k_j} {\text {N}}^{}_{-i}(\alpha _{k_j}) \in \lambda R\). Thus, in \(R/\lambda R\),

$$\begin{aligned} \begin{aligned} \omega x^i&= \sum _{j=1}^\nu \rho _{k_j} \eta _{k_j} e_j x^i \\&= \sum _{j=1}^\nu \rho _{k_j} x^i \sigma ^{-i}(\eta _{k_j}) \sigma ^{-i}(e_j) \\&= \sum _{j=1}^\nu \rho _{k_j} {\text {N}}^{}_{-i}(\alpha _{k_j}) \sigma ^{-i}(\eta _{k_j}) \sigma ^{-i}(e_j) \end{aligned} \end{aligned}$$

and the result follows. \(\square \)

Proposition 6

\(\left( \omega ,\lambda \right) _\ell = 1\) if and only if

$$\begin{aligned} \det \Big ( {\text {N}}^{}_{-i}(\alpha _{k_j}) \sigma ^{-i}(\eta _{k_j}) \sigma ^{-i}(e_j) \Big )_{\substack{0 \le i \le \nu -1 \\ 1 \le j \le \nu }} \ne 0. \end{aligned}$$

Proof

It follows from Lemma 4 and Proposition 5. \(\square \)

Remark 5

Example 3 shows a system which, under certain carefully chosen errors, produces a decoding failure. However, as pointed out above, this rarely occurs. In the setting of Example 3, our experiments with random errors in the transmission gave a decoding failure with empirical probability 0.003. Whenever the field extension \(F \subseteq L\) is not trivial, which is the standard setting in practice, none of our experiments produced a decoding failure. For instance, with parameters \(F=\mathbb {F}_{2^2}\), \(n=512\) and \(t=5\), no decoding failure was found after four million executions. This suggests that, for non-trivial extensions, there is no decoding failure. Unfortunately, we have been unable to prove it, so we leave this assertion as an open problem.

4 Parity check matrices and position points for skew Goppa codes

This section deals with the computation of parity check matrices and the choice of the position points for skew Goppa codes. Although most results remain valid in the skew differential case, the presentation becomes less technical under the assumption \(\partial = 0\). On the other hand, this level of generality suffices for our main purpose, namely the design of a cryptosystem based on skew Goppa codes over a finite field.

For a given skew differential Goppa code, a parity check matrix can be derived from (2). We make it explicit in the skew Goppa case. So let \(R = L[x;\sigma ]\), where \(L\) is a finite extension of a given field \(F\), and \(\sigma \) is a field automorphism of \(L\) of finite order \(\mu \). Let \(\mathcal {C}\) be a skew Goppa code with Goppa polynomial \(g \in R\), position points \(\{\alpha _0, \ldots , \alpha _{n-1}\}\), \(\eta _0, \ldots , \eta _{n-1} \in L^*\) and parity check polynomials \(h_0, \ldots , h_{n-1}\). Let \(\deg (g) = \chi \), \(h_i = \sum _{j=0}^{\chi -1} h_{i,j} x^j\) and

$$\begin{aligned} \widehat{H} = \begin{pmatrix} \sigma ^{-0}(h_{0,0}) \eta _0 &{} \sigma ^{-0}(h_{1,0}) \eta _1 &{} \cdots &{} \sigma ^{-0}(h_{n-1,0}) \eta _{n-1} \\ \sigma ^{-1}(h_{0,1}) \eta _0 &{} \sigma ^{-1}(h_{1,1}) \eta _1 &{} \cdots &{} \sigma ^{-1}(h_{n-1,1}) \eta _{n-1} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ \sigma ^{-\chi +1}(h_{0,\chi -1}) \eta _0 &{} \sigma ^{-\chi +1}(h_{1,\chi -1}) \eta _1 &{} \cdots &{} \sigma ^{-\chi +1}(h_{n-1,\chi -1}) \eta _{n-1} \\ \end{pmatrix}. \end{aligned}$$

Proposition 7

For each \(\gamma \in L\), let \(\mathfrak {v}(\gamma )\) denote its \(F\)–coordinates, as a column vector, with respect to a fixed \(F\)–basis of \(L\). Let

$$\begin{aligned} H = \Big (\begin{array}{l} \mathfrak {v}(\sigma ^{-j}(h_{i,j}) \eta _i) \end{array}\Big )_{\genfrac{}{}{0.0pt}3{0 \le j \le \chi -1}{0 \le i \le n-1}} \in {F}^{(\chi m) \times n}. \end{aligned}$$

Then \(H\) is a parity check matrix for \(\mathcal {C}\).

Proof

Observe that

$$\begin{aligned} \sum _{i=0}^{n-1} h_i \eta _i c_i = \sum _{i=0}^{n-1} \sum _{j=0}^{\chi -1} h_{i,j} x^j \eta _i c_i = \\ \sum _{i=0}^{n-1} \sum _{j=0}^{\chi -1} x^j \sigma ^{-j}(h_{i,j}) \eta _i c_i = \sum _{j=0}^{\chi -1} x^j \sum _{i=0}^{n-1} \sigma ^{-j}(h_{i,j}) \eta _i c_i, \end{aligned}$$

so (2) is also equivalent to

$$\begin{aligned} \sum _{i=0}^{n-1} \sigma ^{-j}(h_{i,j}) \eta _i c_i = 0, \quad 0 \le j \le \chi -1, \end{aligned}$$

i.e.

$$\begin{aligned} (c_0, c_1, \ldots , c_{n-1}) \widehat{H}^{\texttt{T}} = 0. \end{aligned}$$

Since \(\mathcal {C} \subseteq F^{n}\), \((c_0, c_1, \ldots , c_{n-1}) \in \mathcal {C}\) if and only if \((c_0, c_1, \ldots , c_{n-1}) H^{\texttt{T}} = 0\). \(\square \)

We gather from [4, 14] the information on P-independent sets needed to describe every possible set of position points in the skew Goppa case.

It is well known that the center of \(R = L[x;\sigma ]\) is \(K[x^{\mu }]\), where \(K = L^\sigma \), the invariant subfield of \(L\) under \(\sigma \). So, for every \(a\in L\), the polynomial \(x^\mu - {\text {N}}^{}_{}(a)\) is central, where

$$\begin{aligned} {\text {N}}^{}_{}(a) = a\sigma (a) \cdots \sigma ^{\mu -1}(a) \end{aligned}$$

is the norm of \(a\). Define, following [13], the conjugate of \(a\) under \(c \in L^*\) as \(^{c}a = \sigma (c)ac^{-1} \), and the conjugacy class of \(a \) as

$$\begin{aligned} \Delta (a) = \{ {}^ca: c \in L^*\}. \end{aligned}$$

By virtue of Hilbert’s Theorem 90 (see e.g. [16, Chap. VI, Theorem 6.1]), \(\Delta (a) = \Delta (b)\) if, and only if, \({\text {N}}^{}_{}(a) = {\text {N}}^{}_{}(b)\). Hence,

$$\begin{aligned} \Delta (a) = \{b \in L: {\text {N}}^{}_{}(a) = {\text {N}}^{}_{}(b)\}. \end{aligned}$$
(13)

Observe that these conjugacy classes form a partition of \(L\).

For each \(f = \sum _j f_j x^j \in R\) and any \(b \in L\), by [13, Lemma 2.4], there exists \(h \in R\) such that

$$\begin{aligned} f = h (x-b) + \sum _{j} f_j {\text {N}}^{}_{j}(b), \end{aligned}$$
(14)

where \({\text {N}}^{}_{j}(b) \in L\) is defined as

$$\begin{aligned} {\text {N}}^{}_{0}(b) = 1, \text { and } {\text {N}}^{}_{j}(b) = b \sigma (b) \ldots \sigma ^{j-1}(b) \text { for } j \ge 1. \end{aligned}$$

Observe that \({\text {N}}^{}_{}(b) = {\text {N}}^{}_{\mu }(b)\). We thus get from (14) and (13) that

$$\begin{aligned} \Delta (a) = \{ b \in L: (x-b) \mid _r x^\mu - {\text {N}}^{}_{}(a)\}. \end{aligned}$$
(15)

We are now in a position to show how to build P-independent sets by using the general theory as established in [4, 14].

Proposition 8

Given \(a \in L^*\), the P-independent subsets of \(\Delta (a)\) are those of the form \(\{{}^{c_1}a, \ldots , {}^{c_m}a\}\), where \(m \le \mu \) and \(\{c_1, \ldots , c_m\} \) is a \(K\)–linearly independent subset of \(L\). Moreover, \(m = \mu \) if and only if

$$\begin{aligned} \left[ x-{}^{c_1}a, \ldots , x- {}^{c_m}a\right] _\ell = x^\mu - {\text {N}}^{}_{}(a). \end{aligned}$$

Proof

According to [4, Theorem 5.3], \(\{{}^{c_1}a, \ldots , {}^{c_m}a\}\) is P-independent if and only if \(\{c_1, \ldots , c_m\}\) is linearly independent over the \(\sigma \)–centralizer of \(a\), given by

$$\begin{aligned} C^\sigma (a) = \{c \in L\setminus \{0\}: {}^ca=a\} \cup \{0\}, \end{aligned}$$

which is a subfield of \(L\). In our case \(C^\sigma (a) = K\), since for \(a \ne 0\) the equality \({}^ca = \sigma (c)ac^{-1} = a\) holds if and only if \(\sigma (c) = c\), so we obtain the first statement. The second one is derived from (15). \(\square \)

Proposition 9

A subset \(\Gamma \subseteq L^*\) is P-independent if and only if

$$\begin{aligned} \Gamma = \Gamma _1 \cup \cdots \cup \Gamma _r, \end{aligned}$$

where \(\Gamma _i \subseteq \Delta (a_i)\) is P-independent for all \(i=1, \ldots , r\), and \(a_1, \ldots , a_r \in L\) are nonzero elements of different norm.

Proof

Since the conjugacy classes form a partition of \(L^*\) and subsets of P-independent sets are P-independent, every P-independent set \(\Gamma \subseteq L^*\) decomposes as \(\Gamma = \Gamma _1 \cup \cdots \cup \Gamma _r\) with \(\Gamma _i \subseteq \Delta (a_i)\), where \(a_1, \ldots , a_r \in L^*\) have different norms.

For the converse, observe first that the equality (15) says that, for each \(a \in L^*\), the conjugacy class \(\Delta (a) \) is precisely the set of all right roots, in the sense of [14], of the skew polynomial \(x^\mu - {\text {N}}^{}_{}(a)\). So, these conjugacy classes are instances of full algebraic subsets of \(L^*\) to which [14, Corollary 4.4] can be applied. Thus, if \(\Gamma _i \subseteq \Delta (a_i)\) is P-independent, then, by virtue of Proposition 8, it corresponds to a \(K\)–linearly independent subset of \(L\), which is a subset of a \(K\)–basis \(B_i\) of \(L\). Again by Proposition 8, \(B_i\) gives a maximal P-independent subset \(\Lambda _i\) of \(\Delta (a_i)\) (a P-basis, in the words of [14]) that contains \(\Gamma _i\). By [14, Corollary 4.4], \(\Lambda _1 \cup \cdots \cup \Lambda _r\) is a P-basis of \(\Delta (a_1) \cup \cdots \cup \Delta (a_r)\). As a consequence, \(\Gamma _1 \cup \cdots \cup \Gamma _r\) is P-independent. \(\square \)

As for the selection of the skew Goppa polynomial, we may state:

Proposition 10

Consider \(h \in K[x^\mu ] \) without roots in \(K\). Then \(g = x^ah \in L[x;\sigma ]\) has no right roots in \(L^*\) for any \(a \ge 0\).

Proof

If \(\alpha \in L^*\) is a right root of \(g\), then \(\alpha \) is a right root of \(h \in L[x;\sigma ]\). Then, by Proposition 8, \(x^\mu - {\text {N}}^{}_{}(\alpha )\) is a right divisor in \(L[x;\sigma ]\) of the central polynomial \(h\). This gives that \(x^\mu - {\text {N}}^{}_{}(\alpha )\) is a divisor of \(h \in K[x^\mu ]\), that is, \({\text {N}}^{}_{}(\alpha ) \in K\) is a root of \(h(x^\mu )\). \(\square \)

5 A McEliece cryptosystem based on skew Goppa codes

To design a skew Goppa code \(\mathcal {C}\), we first choose, as alphabet, a finite field \(F = \mathbb {F}_{q}\), where \(q = p^d\) for a prime \(p\). We set the length \(n\) and the correction capacity \(t < n/2\). In practice this parameter \(t\) is much smaller than \(n\), as we will see below. Algorithms 2 and 3 guarantee that we may set

$$\begin{aligned} t = \left\lfloor \frac{\deg g}{2} \right\rfloor , \end{aligned}$$
(16)

where \(g\) is the skew Goppa polynomial. We must build the skew polynomial ring \(R = L[x;\sigma ]\), where \(L\) is an extension of \(F\) of degree \(m\), so \(L = \mathbb {F}_{q^m} \). We choose \(t, n, m\) such that \(2mt \le n\) since, by Proposition 7 with \(\deg g = 2t\), the parity check matrix \(H\) over \(F\) has size \(2mt \times n\). If \(2mt\) is too close to or too far from \(n\), we get codes with very small or very large dimension. For instance, in the Classic McEliece proposal to NIST’s Post-Quantum Cryptography Standardization Project, see [1], the proposed code rates, i.e. the ratios between dimension and length, are \(\approx 0.75\).

From the relation

$$\begin{aligned} \dim _F \mathcal {C} = n - {\text {rank}} (H) \ge n - 2mt, \end{aligned}$$
(17)

by choosing

$$\begin{aligned} m \le \frac{n}{4t}, \end{aligned}$$

we obtain that

$$\begin{aligned} \frac{\dim _F \mathcal {C}}{n} \ge 0.5. \end{aligned}$$

If the dimension of \(\mathcal {C}\) is strictly greater than \( n - 2mt, \) then we choose randomly a linear subcode \(\mathcal {C'}\) of \(\mathcal {C}\) with that dimension. Setting

$$\begin{aligned} \frac{n}{10t} \le m \le \frac{n}{4t}, \end{aligned}$$

then

$$\begin{aligned} 0.5 \le \frac{\dim _F \mathcal {C}'}{n} \le 0.8. \end{aligned}$$

The field automorphism \(\sigma \) of \(L\) is given as a power of the Frobenius automorphism \(\tau \), that is \(\tau (a) = a^p\), so we pick \(1 \le s \le dm\) and set \(\delta = {\text {gcd}}(s,dm)\). Define \(\sigma = \tau ^s\), which has order

$$\begin{aligned} \mu = \frac{dm}{\delta }, \end{aligned}$$

and \(K = L^\sigma = \mathbb {F}_{p^\delta }\). If \(\delta = dm\), then the automorphism is the identity and we recover the classical Goppa codes as observed in Remark 2.

The definition of the skew Goppa code \(\mathcal {C}\) requires the specification of a P-independent subset of \(L^*\), the position points, and an invariant polynomial \(g \in R\) having no right root among these points. As for the first task, we describe all maximal P-independent subsets of \(L^*\). Every other P-independent set is a subset of one of these.

Proposition 11

Let \(\gamma \) be a primitive element of \(L\). Every maximal P-independent subset of \(L^*\) is of the form

$$\begin{aligned} \{\sigma (c_{ij})\gamma ^ic_{ij}^{-1}: i=0, \ldots , p^\delta -{2}, j = 0, \ldots , \mu -1\}, \end{aligned}$$

where \(\{c_{i0}, \ldots , c_{i\mu -1}\}\) is a \(K\)–basis of \(L\) for each \(i=0, \ldots , p^\delta -2\). As a consequence, if a P-independent subset of \(L^*\) has \(n\) elements, then \(n \le (p^\delta -1)\mu \).

Proof

It is well-known that \({\text {N}}^{}_{}(\gamma )\) is a primitive element of \(K\). Thus,

$$\begin{aligned} \{{\text {N}}^{}_{}(\gamma ^i): i =0, \ldots , p^\delta -2 \} \end{aligned}$$

is a set of representatives of the conjugacy classes of \(L^*\) according to (13). The proposition now follows from Propositions 8 and 9. \(\square \)

Example 1

Let \(\{\alpha , \sigma (\alpha ), \ldots , \sigma ^{\mu -1}(\alpha )\}\) be a normal basis of \(L/K\). For \(0 \le i \le \mu -1\), set \(\beta _i = \sigma ^{i+1}(\alpha )/\sigma ^i(\alpha )\). Proposition 11 implies that

$$\begin{aligned} \left\{ \gamma ^i\beta _j ~\mid ~ 0 \le i \le p^\delta -2, 0 \le j \le \mu -1 \right\} \end{aligned}$$

is a maximal P-independent set of \(L^*\).

As for the choice of the skew Goppa polynomial, we may set \(g = x^ah\) for any central non-constant polynomial \(h \in K[x^\mu ]\) without roots in \(K\) and any \(a \ge 0\) (Proposition 10), adjusted to condition (16).

Remark 6

If \(g = x^a h\) with \(h\) irreducible, we have an isomorphism of rings

$$\begin{aligned} \frac{R}{Rg} \cong \frac{R}{Rx^a} \times \frac{R}{Rh}. \end{aligned}$$

The first factor is a non-commutative serial ring of length \(a\), while the second factor is isomorphic to a matrix ring with coefficients in a field extension of \(K\). So, the group of units of \( R/Rg\) is a product of the group of units of a field (if \(a > 0\)) and a general linear group over a field extension of \(K\).

By Proposition 11 we get the inequality

$$\begin{aligned} n \le \mu (p^\delta - 1) = \frac{dm}{\delta } \left( p^\delta - 1\right) . \end{aligned}$$
(18)

So, given \(n, t, q=p^d\), we want to find \(m, \delta \) such that

$$\begin{aligned} \max \left\{ \frac{n}{10t}, \frac{n \delta }{d(p^\delta - 1)} \right\} \le m \le \frac{n}{4t} \text { and } \delta \mid dm. \end{aligned}$$
(19)

Our proposal of a McEliece cryptosystem follows the dual version of Niederreiter [19], by means of a Key Encapsulation Mechanism like the one proposed in [1].

5.1 Key schedule

The input is \(n \gg t\) and \(F = \mathbb {F}_{q}\) with \(q= p^d\).

5.1.1 Construction of additional parameters

In order to generate the public and private keys for a McEliece type cryptosystem, the parameters \(m\) and \(s\) have to be found. An exhaustive search produces the pairs \((m,\delta )\) satisfying (19); one of them is chosen at random, and then an \(s\) such that \(\delta = {\text {gcd}}(s,dm)\) is sought. For instance, if \(n = 4096, t = 25, q = p^d = 2\), we get the following combinations:

$$\begin{aligned} \begin{array}{|c|cccccccccccc|} \hline m &{} 24 &{} 26 &{} 28 &{} 30 &{} 32 &{} 33 &{} 34 &{} 36 &{} 36 &{} 38 &{} 39 &{} 40 \\ \hline \delta &{} 12 &{} 13 &{} 14 &{} 15 &{} 16 &{} 11 &{} 17 &{} 12 &{} 18 &{} 19 &{} 13 &{} 20 \\ \hline \end{array} \end{aligned}$$

plus the cases \(m=\delta \), which correspond to classical Goppa codes. If \(n = 2560, t = 22, q = p^d = 2^4\), we get 83 different combinations, \(18\) of which are classical Goppa codes corresponding to the case \(\delta = d m\); here \(12 \le m \le 29\) and \(8 \le \delta \le 116\).
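The search for \((m,\delta )\) described in this subsection, as an added example in Python (not code from the paper): it enumerates the pairs allowed by (19) with exact rational arithmetic, separates the classical case \(\delta = dm\), and reports \(\mu \), \(|K|\), the dimension \(k = n - 2t\lfloor n/4t \rfloor \) and the bound (18) for a chosen pair. Function names are ours; run as is, it reproduces the table above and the 83/18 count for \(n = 2560, t = 22, q = 2^4\).

```python
from fractions import Fraction
from math import ceil, floor, gcd
import random


def parameter_pairs(n, t, p, d):
    """All (m, delta) with delta | d*m satisfying (19):
       max(n/(10t), n*delta/(d*(p^delta - 1))) <= m <= n/(4t).
    Exact rationals matter at the boundary: for n=2560, t=22, q=2^4 and
    delta=8 the lower bound is 20480/1020 = 20.078..., so m=20 fails and
    m=22 is the first even m that qualifies."""
    lo, hi = Fraction(n, 10 * t), Fraction(n, 4 * t)
    pairs = []
    for m in range(ceil(lo), floor(hi) + 1):
        dm = d * m
        for delta in range(1, dm + 1):
            if dm % delta == 0 and Fraction(n * delta, d * (p ** delta - 1)) <= m:
                pairs.append((m, delta))
    return pairs


def split_classical(pairs, d):
    """delta = d*m means sigma is the identity: a classical Goppa code (Remark 2)."""
    skew = [(m, dl) for m, dl in pairs if dl != d * m]
    classical = [(m, dl) for m, dl in pairs if dl == d * m]
    return skew, classical


def derived_parameters(n, t, m, delta, p, d):
    """Order mu of sigma, |K|, the dimension k fixed in 5.1.1 and the
    bound (18) on the number of available position points."""
    k = n - 2 * t * (n // (4 * t))
    mu = d * m // delta
    return {"mu": mu, "K_order": p ** delta, "k": k,
            "rate": Fraction(k, n), "max_points": mu * (p ** delta - 1)}


def choose_s(m, delta, d, rng=random):
    """Pick s in [1, dm] with gcd(s, dm) = delta, so sigma = tau^s has order dm/delta."""
    dm = d * m
    return rng.choice([s for s in range(1, dm + 1) if gcd(s, dm) == delta])


if __name__ == "__main__":
    skew, classical = split_classical(parameter_pairs(4096, 25, 2, 1), 1)
    print(skew)                         # the 12 columns of the table in 5.1.1
    print(len(classical), "classical")  # m = delta for 17 <= m <= 40
    pairs = parameter_pairs(2560, 22, 2, 4)
    skew, classical = split_classical(pairs, 4)
    print(len(pairs), "combinations,", len(classical), "classical")
    print(derived_parameters(2560, 22, 22, 8, 2, 4), "s =", choose_s(22, 8, 4))
```

Floating-point comparison would admit \((20, 8)\) for the second parameter set, which (19) rejects by less than \(0.1\); the `Fraction` comparison keeps the count at 83.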

We set \(k = n - 2t\left\lfloor \frac{n}{4t} \right\rfloor \), the smallest possible dimension according to (19). Next pick randomly \(1 \le s \le dm\) with \(\delta = {\text {gcd}}(s,dm)\), and let \(\mu = \frac{dm}{\delta }\), \(L = \mathbb {F}_{q^m}\), \(K = \mathbb {F}_{p^\delta }\) and \(\sigma = \tau ^s: L \rightarrow L\). Fix a basis of \(L\) over \(F\) and let \(\mathfrak {v}: L \rightarrow F^m\) denote the map giving the coordinates with respect to this basis. Denote also \(R = L[x;\sigma ]\).

5.1.2 Left P-independent set

The set of position points may be selected among the points of a maximal left P-independent set as computed in Example 1. So we need a normal basis and a primitive element of \(L\).

Let us first compute a normal basis of \(L\) over \(K\). We point out that

$$\begin{aligned} \{\alpha , \sigma (\alpha ), \ldots , \sigma ^{\mu -1}(\alpha )\} = \{\alpha , \tau ^{\delta }(\alpha ), \ldots , \tau ^{\delta (\mu -1)}(\alpha )\} \end{aligned}$$

since both \(\tau ^{\delta }\) and \(\sigma \) are generators of the cyclic Galois group of the field extension \(L\) of \(K\).

For each \(\phi \in K[z]\), let \(\varphi _{p^{\delta }}(\phi )\) be the number of polynomials in the indeterminate \(z\) of degree smaller than \(\deg \phi \) and relatively prime to \(\phi \). It is well known, see [17, Theorem 3.73], that \(\varphi _{p^{\delta }}(z^\mu -1)\) is the number of \(\alpha \in L\) such that \(\{\alpha , \sigma (\alpha ), \ldots , \sigma ^{\mu -1}(\alpha )\}\) is a normal basis. By [5, Theorem 2],

$$\begin{aligned} \varphi _{p^{\delta }}(z^\mu -1) \ge \frac{p^{\delta \mu }}{e \bigg \lceil \log _{p^\delta }\mu \bigg \rceil }, \end{aligned}$$

so the probability \(\rho \) of picking randomly an element which generates a normal basis is bounded from below by

$$\begin{aligned} \rho \ge \frac{1}{e \bigg \lceil \log _{p^\delta }\mu \bigg \rceil }. \end{aligned}$$

So a random search should produce a normal element in very few attempts. For instance, the probability of randomly choosing an element which generates a normal basis when \(n = 4096, t = 25, q = p^d = 2\) or \(n = 2560, t = 22, q = p^d = 2^4\) is \(\rho \ge 0.36\), since in both cases \(\mu < p^\delta \) and the ceiling in the bound equals 1.

It remains to provide a fast method to check whether an element generates a normal basis. There are several methods to do that for finite fields, see e.g. [12, 24], where randomized algorithms in \(\mathcal {O}(\mu ^2 + \mu \log p^{\delta })\) and \(\mathcal {O}(\mu ^{1.82} \log p^\delta )\), respectively, are provided. In our experiments we have simply used the classical Hensel test, see [10] or [17, Theorem 2.39], which says that, for a given \(\alpha \in L = \mathbb {F}_{p^{dm}}\), \(\{\alpha , \alpha ^{p^{\delta }}, \ldots , \alpha ^{p^{(\mu -1)\delta }}\}\) is a normal basis if and only if

$$\begin{aligned} {\text {gcd}}\left( z^\mu -1, \alpha z^{\mu -1} + \alpha ^{p^{\delta }} z^{\mu -2} + \cdots + \alpha ^{p^{(\mu -1)\delta }} \right) = 1. \end{aligned}$$

A similar analysis can be done for primitive elements. As mentioned in the introduction of [21], all known algorithms to compute primitive elements work in two steps: compute a reasonably small subset containing a primitive element and test all elements of this subset until a primitive element is found. Since the number of primitive elements in \(L\) is \(\varphi (\mid L \mid -1) = \varphi (p^{dm} - 1)\) and, by [9, Theorem 328], \(\varphi (p^{dm}-1) / (p^{dm}-1)\) is asymptotically bounded from below by a constant multiple of \(1/\log \log (p^{dm} -1)\), a random search quickly produces a primitive element. For instance, in case \(n = 4096, t = 25, q = p^d = 2\), this lower bound is always greater than \(0.168\), or, in case \(n = 2560, t = 22, q = p^d = 2^4\), than \(0.127\).

Testing if a randomly chosen \(\gamma \in L\) is primitive can be done with the classical equivalence

$$\begin{aligned} \gamma \text { is primitive} \iff \gamma ^{\frac{p^{dm}-1}{p_i}} \ne 1 \text { for all prime factor }p_i\text { of }p^{dm}-1 \end{aligned}$$

which requires factoring \(p^{dm}-1\). Since \(p^{dm}-1\) is reasonably small, this can also be done efficiently.

Once a primitive element \(\gamma \) and a normal element \(\alpha \) have been computed, a maximal set of left P-independent elements is

$$\begin{aligned} \textsf{P} = \textstyle \left\{ \gamma ^i \frac{\sigma ^{j+1}(\alpha )}{\sigma ^j(\alpha )} ~\mid ~ 0 \le i \le p^\delta -2, 0 \le j \le \mu -1 \right\} . \end{aligned}$$

In the classical case \(\delta = dm\), P-independence just means that the position points are pairwise different.
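The ingredients of this subsection checked in code for the field of Example 3, as an added example in pure Python (not code from the paper): \(L = \mathbb {F}_{2^8} = \mathbb {F}_2[z]/\langle z^8+z^4+z^3+z^2+1 \rangle \), \(\sigma = \tau ^4\), so \(\delta = 4\), \(\mu = 2\) and \(K = \mathbb {F}_{16}\). It implements the Hensel normal-basis test, the primitivity test, the norm and conjugacy classes of (13) from Sect. 4 (so that Hilbert’s Theorem 90 can be observed on this field) and the set \(\textsf{P}\) of Example 1. The only data taken from the page are the field, \(\sigma \), \(\alpha = z^{37}\) and \(\gamma = z^{41}\) of Example 3; the function names and the list-based polynomial arithmetic are ours.

```python
from math import gcd

MOD, ORDER, EXT = 0x11D, 256, 8      # z^8+z^4+z^3+z^2+1, |L| = 2^8, d*m = 8 with p = 2
Z = 0x02                              # the class of z in L


def gf_mul(a, b):
    """Product in L: carry-less multiply, reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, ORDER - 2)


def frob(a, k):
    """tau^k(a) = a^(2^k); sigma = tau^s is frob(a, s)."""
    return gf_pow(a, 1 << k)


def poly_trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_mod(f, g):
    """Remainder of f modulo g in the ordinary ring L[z] (coefficients low to high)."""
    f, g = poly_trim(list(f)), poly_trim(list(g))
    inv_lead = gf_inv(g[-1])
    while len(f) >= len(g):
        c, shift = gf_mul(f[-1], inv_lead), len(f) - len(g)
        for i, gi in enumerate(g):
            f[shift + i] ^= gf_mul(c, gi)
        poly_trim(f)
    return f


def poly_gcd_degree(f, g):
    f, g = poly_trim(list(f)), poly_trim(list(g))
    while g:
        f, g = g, poly_mod(f, g)
    return len(f) - 1


def is_normal(alpha, s):
    """Hensel test of 5.1.2: with delta = gcd(s, 8) and mu = 8/delta, the sigma-orbit of
    alpha is a K-basis of L iff gcd(z^mu - 1, sum_j tau^(delta*j)(alpha) z^(mu-1-j)) = 1."""
    delta = gcd(s, EXT)
    mu = EXT // delta
    coeffs, a = [0] * mu, alpha
    for j in range(mu):
        coeffs[mu - 1 - j] = a
        a = frob(a, delta)
    z_mu_minus_1 = [1] + [0] * (mu - 1) + [1]       # z^mu - 1 = z^mu + 1 in characteristic 2
    return poly_gcd_degree(z_mu_minus_1, coeffs) == 0


def prime_factors(n):
    out, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            out.add(q)
            n //= q
        q += 1
    return out | ({n} if n > 1 else set())


def is_primitive(gamma):
    """gamma generates L^* iff gamma^((|L|-1)/q) != 1 for every prime q dividing |L|-1."""
    return gamma != 0 and all(gf_pow(gamma, (ORDER - 1) // q) != 1 for q in prime_factors(ORDER - 1))


def norm(a, s):
    """N(a) = a sigma(a) ... sigma^(mu-1)(a), an element of K."""
    mu, r, x = EXT // gcd(s, EXT), 1, a
    for _ in range(mu):
        r, x = gf_mul(r, x), frob(x, s)
    return r


def conjugacy_class(a, s):
    """Delta(a) = { sigma(c) a c^-1 : c in L^* }; by (13) this is a fibre of the norm."""
    return {gf_mul(gf_mul(frob(c, s), a), gf_inv(c)) for c in range(1, ORDER)}


def max_p_independent_set(alpha, gamma, s):
    """The set P of 5.1.2: gamma^i * sigma^(j+1)(alpha)/sigma^j(alpha), i < p^delta - 1, j < mu."""
    delta = gcd(s, EXT)
    mu = EXT // delta
    beta = [gf_mul(frob(alpha, s * (j + 1)), gf_inv(frob(alpha, s * j))) for j in range(mu)]
    return [gf_mul(gf_pow(gamma, i), beta[j]) for i in range((1 << delta) - 1) for j in range(mu)]


if __name__ == "__main__":
    alpha, gamma = gf_pow(Z, 37), gf_pow(Z, 41)     # the choices made in Example 3
    print("alpha normal:", is_normal(alpha, 4), " gamma primitive:", is_primitive(gamma))
    print("|P| =", len(max_p_independent_set(alpha, gamma, 4)),
          " |Delta(gamma)| =", len(conjugacy_class(gamma, 4)))
```

For \(\mu = 2\) the Hensel test collapses to \(\alpha + \sigma (\alpha ) \ne 0\), i.e. \(\alpha \notin K\), so \(240 = 16^2 - 16\) of the 256 elements are normal, matching \(\varphi _{16}(z^2-1)\); with \(s = 1\) (\(K = \mathbb {F}_2\), \(\mu = 8\)) the same code counts the 128 elements of trace 1. Every conjugacy class of \(L^*\) has \(|L^*|/|K^*| = 17\) elements, and \(\textsf{P}\) has \((p^\delta - 1)\mu = 30 \ge n = 16\) elements, as (18) requires.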

5.1.3 Position points, skew Goppa polynomial and parity check polynomials

The list \(\textsf{E}\) of position points is obtained by a random selection of \(n\) points in \(\textsf{P}\). Observe that the parameters have been chosen so that \(n \le \mid \textsf{P}\mid \).

$$\begin{aligned} \textsf{E} = \{\alpha _0, \ldots , \alpha _{n-1} \} \subseteq \textsf{P}. \end{aligned}$$

For the skew Goppa polynomial, we randomly choose a monic polynomial \(h(y) \in K[y]\) without roots in \(K\), see Proposition 10, such that \(\deg _y(h) = \left\lfloor 2t / \mu \right\rfloor \) and set \(g = h(x^\mu ) x^{2t \bmod \mu }\), which has degree \(2t\).

Finally, the REEA allows us to compute \(h_0, \ldots , h_{n-1} \in R\) such that, for each \(0 \le i \le n-1\), \(\deg (h_i) < 2t\) and

$$\begin{aligned} (x - \alpha _i) h_i - 1 \in Rg. \end{aligned}$$

In fact \(\deg (h_i) = 2t-1\) by a degree argument.

5.1.4 Parity check matrix and public key

By Proposition 7, a parity check matrix for the skew Goppa code is

$$\begin{aligned} H = \Big (\begin{array}{l} \mathfrak {v}(\sigma ^{-j}(h_{i,j}) \eta _i) \end{array}\Big )_{\genfrac{}{}{0.0pt}3{0 \le j \le 2t-1}{0 \le i \le n-1}} \in {F}^{2tm \times n} \end{aligned}$$

where \(h_i = \sum _{j=0}^{2t-1} h_{i,j} x^j\). Once \(H\) is computed, the public key of our cryptosystem is calculated as follows: set \(k = n - 2t\left\lfloor \frac{n}{4t} \right\rfloor \), \(r_H = {\text {rank}}(H)\), and let \(A \in {F}^{(n-k-r_H) \times n}\) be a random full rank matrix. The matrix \(H_{\textrm{pub}}\) is formed by the non-zero rows of the reduced row echelon form of the block matrix \(\left( {\begin{matrix} H \\ \hline A \end{matrix}}\right) \). If \(H_{\textrm{pub}}\) has fewer than \(n-k\) rows, pick a new \(A\). This \(H_{\textrm{pub}}\) defines a linear subcode of \(\mathcal {C}\) of dimension \(k\).

After this Key Schedule in the Key Encapsulation Mechanism, the different values remain as follows:

  • Parameters: \(t \ll n\), \(q = p^d\) and \(k = n - 2t\left\lfloor \frac{n}{4t} \right\rfloor \).

  • Public key: \(H_{\textrm{pub}} \in {F}^{(n-k) \times n}\).

  • Private key: \(L\), \(\sigma \), \(\textsf{E} = \{\alpha _0, \ldots , \alpha _{n-1}\}\), \(g\) and \(h_0, \ldots , h_{n-1}\).

Remark 7

The security of this system is limited by the strength of information-set decoding attacks. From this point of view, the size of the public key has to be large enough to resist that kind of attack. Therefore the key size cannot be smaller than the ones in the classic McEliece cryptosystem. However, there are interesting sets of parameters for which the family of proper skew Goppa codes is larger than the classical one. For instance, if we pick the parameters \(n = 6960\), \(t = 119\), \(p^d = 2\), there are around \(2^{85347}\) classical binary Goppa codes. This number can be obtained by means of the Gauss formula for the number of monic irreducible polynomials over \(\mathbb {F}_{q}\) of degree \(t\), see e.g. [17, Theorem 3.25]. For these parameters there are three possible values for \((m,\delta )\), namely \((24,12), (26,13), (28,14)\), which can be used to build skew Goppa codes. In all cases \(m = 2\delta \), so \(\mu = 2\). Fixing a normal element, a primitive element and the corresponding maximal set of P-independent elements, the number of skew Goppa codes can be bounded from below by \(2^{85236}\), \(2^{96470}\) and \(2^{104922}\), respectively. If the alphabet \(\mathbb {F}_{p^d}\) is larger, there are usually more options to build skew Goppa codes. For instance, the parameters \(n = 2560\), \(t = 22\), \(p^d = 2^4\) allow us to build around \(2^{29722}\) classical Goppa codes with \(m=3\). According to 5.1.1 there are \(65\) pairs \((m,\delta )\) which we can use to build skew Goppa codes. On average, each of these choices gives at least \(2^{64305}\) skew Goppa codes.

5.2 Encryption and decryption procedures

The encryption process goes as follows. We pick a random error vector \(e \in F^n\) with \({{\,\textrm{w}\,}}(e) = t\), with corresponding error polynomial \(e(x) = \sum _{j=1}^t e_j x^{k_j}\), where \(0 \le k_1< k_2< \cdots < k_t \le n-1\). The sender derives a shared secret key from \(e\) by means of a fixed and publicly known hash function \(\mathcal {H}\). The cryptogram is

$$\begin{aligned} c = e H_{\textrm{pub}}^{\texttt{T}} \in F^{n-k}. \end{aligned}$$

In order to decrypt, the receiver can easily compute \(y \in F^n\) such that

$$\begin{aligned} c = y H_{\textrm{pub}}^{\texttt{T}}, \end{aligned}$$

since \(H_{\textrm{pub}}\) is in reduced row echelon form. As \(y\) and \(e\) have the same syndrome, \(y - e\) belongs to the public code, so Algorithms 2 and 3 applied to \(y\) recover \(e\). Then the receiver retrieves the shared secret key as \(\mathcal {H}(e)\).

5.3 Examples

Next, we give some concrete examples. All the computations have been done with aid of the computational system SageMath [22].

Example 2

Let us describe a toy example showing an execution of our cryptosystem. Let \(F=\mathbb {F}_{16}=\frac{\mathbb {F}_{2}[a]}{\left\langle a^4 + a + 1 \right\rangle }\) be the field with \(2^4\) elements such that \(a^4+a+1 = 0\). The elements of \(F\) may be represented by a hexadecimal character. For instance, \(a^3 + a + 1 = 1011 = \texttt{B}\). Set \(n=16\) and \(t=2\). In this case, we can only consider \(m=2\) and \(\delta =4\). Then \(\mu = 2\) and we choose randomly \(s=4\).

Let \(L=\frac{F[b]}{\langle b^2 + \texttt{F} b + \texttt{B} \rangle }\), and consider \(\{1,b\}\) a basis as F-vector space. We choose randomly \(\gamma = \texttt{B} b + \texttt{2}\), a primitive element in L, and \(\alpha = \texttt{9} b + \texttt{8}\in L\), an element that generates a normal basis. We also choose randomly 16 position points in \(L\),

$$\begin{aligned}{4} \alpha _0&= \texttt{4} b + \texttt{5}&\quad \alpha _1&= \texttt{1} b + \texttt{F}&\quad \alpha _2&= \texttt{8} b + \texttt{3}&\quad \alpha _3&= \texttt{3} b + \texttt{D} \\ \alpha _4&= \texttt{3} b + \texttt{7}&\quad \alpha _5&= \texttt{9}&\quad \alpha _6&= \texttt{8} b + \texttt{B}&\quad \alpha _7&= \texttt{3} b + \texttt{A} \\ \alpha _8&= \texttt{4} b + \texttt{9}&\quad \alpha _9&= \texttt{5} b + \texttt{2}&\quad \alpha _{10}&= \texttt{C} b + \texttt{6}&\quad \alpha _{11}&= \texttt{7} b + \texttt{6} \\ \alpha _{12}&= \texttt{2} b + \texttt{4}&\quad \alpha _{13}&= \texttt{A} b + \texttt{B}&\quad \alpha _{14}&= \texttt{C} b + \texttt{1}&\quad \alpha _{15}&= \texttt{1} b + \texttt{1}, \end{aligned}$$

and 16 non-zero elements in L,

$$\begin{aligned}{4} \eta _0&= \texttt{F} b + \texttt{D}&\quad \eta _1&= \texttt{5} b + \texttt{F}&\quad \eta _2&= \texttt{1} b + \texttt{9}&\quad \eta _3&= \texttt{3} b + \texttt{4} \\ \eta _4&= \texttt{3} b + \texttt{4}&\quad \eta _5&= \texttt{1} b + \texttt{D}&\quad \eta _6&= \texttt{4} b + \texttt{F}&\quad \eta _7&= \texttt{7} b + \texttt{B} \\ \eta _8&= \texttt{7} b&\quad \eta _9&= \texttt{2} b + \texttt{8}&\quad \eta _{10}&= \texttt{D} b + \texttt{F}&\quad \eta _{11}&= \texttt{9} b + \texttt{7} \\ \eta _{12}&= \texttt{2} b + \texttt{6}&\quad \eta _{13}&= \texttt{A} b + \texttt{B}&\quad \eta _{14}&= \texttt{3} b + \texttt{6}&\quad \eta _{15}&= \texttt{A} b + \texttt{8}. \end{aligned}$$

We choose randomly the Goppa polynomial

$$\begin{aligned} g=x^{4} + \texttt{7} x^{2} + \texttt{9}\in L[x;\tau ^4] \end{aligned}$$

which allows the calculation of the parity check polynomials

$$\begin{aligned} h_0&= \texttt{2} x^{3} + \left( \texttt{8} b + \texttt{B}\right) x^{2} \\ h_1&= \texttt{D} x^{3} + \texttt{D} b x^{2} + \texttt{3} x + \texttt{3} b \\ h_2&= \texttt{D} x^{3} + \left( \texttt{2} b + \texttt{9}\right) x^{2} + \texttt{3} x + \texttt{B} b + \texttt{6} \\ h_3&= \texttt{8} x^{3} + \left( \texttt{B} b + \texttt{1}\right) x^{2} + \texttt{8} x + \texttt{B} b + \texttt{1} \\ h_4&= \texttt{3} x^{3} + \left( \texttt{5} b + \texttt{F}\right) x^{2} + x + \texttt{3} b + \texttt{5}\\ h_5&= \texttt{9} x^{3} + \texttt{D} x^{2} + \texttt{5} x + \texttt{B} \\ h_6&= \texttt{F} x^{3} + \left( b + \texttt{C}\right) x^{2} + x + \texttt{8} b + \texttt{A} \\ h_7&= \texttt{3} x^{3} + \left( \texttt{5} b + \texttt{B}\right) x^{2} + \texttt{8} x + \texttt{B} b + \texttt{C}\\ h_8&= \texttt{3} x^{3} + \texttt{C} b x^{2} + \texttt{8} x + \texttt{6} b \\ h_9&= \texttt{9} x^{3} + \left( \texttt{B} b + \texttt{2}\right) x^{2} + \texttt{5} x + \texttt{2} b + \texttt{7} \\ h_{10}&= \texttt{8} x^{3} + \left( \texttt{A} b + \texttt{9}\right) x^{2} + \texttt{5} x + \texttt{9} b + \texttt{3} \\ h_{11}&= \texttt{2} x^{3} + \left( \texttt{E} b + \texttt{9}\right) x^{2} \\ h_{12}&= \texttt{F} x^{3} + \left( \texttt{D} b + \texttt{E}\right) x^{2} + \texttt{A} x + \texttt{7} b + \texttt{5} \\ h_{13}&= \texttt{B} x^{3} + \left( \texttt{2} b + \texttt{4}\right) x^{2} + \texttt{A} x + \texttt{8} b + \texttt{3} \\ h_{14}&= \texttt{9} x^{3} + \left( \texttt{6} b + \texttt{D}\right) x^{2} + \texttt{F} x + \texttt{8} b + \texttt{E} \\ h_{15}&= \texttt{E} x^{3} + \left( \texttt{E} b + \texttt{B}\right) x^{2} + \texttt{F} x + \texttt{F} b + \texttt{5}. \end{aligned}$$

Hence, a parity check matrix is given by

$$\begin{aligned} \left( \begin{array}{cccccccc} \texttt{0} &{} \texttt{8} b + \texttt{3} &{} \texttt{9} b + \texttt{A} &{} \texttt{C} b + \texttt{C} &{} \texttt{5} b + \texttt{6} &{} \texttt{B} b + \texttt{6} &{} \texttt{B} b + \texttt{3} &{} \texttt{2} b + \texttt{7} \\ \texttt{0} &{} \texttt{F} b + \texttt{2} &{} \texttt{3} b + \texttt{8} &{} \texttt{B} b + \texttt{6} &{} \texttt{3} b + \texttt{4} &{} \texttt{5} b + \texttt{C} &{} \texttt{4} b + \texttt{F} &{} \texttt{D} b + \texttt{7} \\ \texttt{E} b + \texttt{D} &{} \texttt{F} b + \texttt{D} &{} \texttt{5} b + \texttt{8} &{} \texttt{C} b + \texttt{C} &{} \texttt{F} b + \texttt{A} &{} \texttt{D} b + \texttt{E} &{} \texttt{3} b + \texttt{2} &{} \texttt{4} b + \texttt{E} \\ \texttt{D} b + \texttt{9} &{} \texttt{C} b + \texttt{7} &{} \texttt{D} b + \texttt{F} &{} \texttt{B} b + \texttt{6} &{} \texttt{5} b + \texttt{C} &{} \texttt{9} b + \texttt{F} &{} \texttt{9} b + \texttt{A} &{} \texttt{9} b + \texttt{E} \end{array}\right. \\ \left. \begin{array}{cccccccc} \texttt{F} b + \texttt{B} &{} \texttt{4} b + \texttt{7} &{} \texttt{1} &{} \texttt{0} &{} \texttt{E} b + \texttt{5} &{} \texttt{D} &{} \texttt{7} b + \texttt{B} &{} \texttt{D} b + \texttt{3} \\ \texttt{D} b &{} \texttt{A} b + \texttt{E} &{} \texttt{C} b + \texttt{6} &{} \texttt{0} &{} \texttt{7} b + \texttt{9} &{} \texttt{8} b + \texttt{2} &{} \texttt{2} b + \texttt{4} &{} \texttt{C} b + \texttt{1} \\ \texttt{D} b + \texttt{5} &{} \texttt{5} b + \texttt{2} &{} \texttt{7} &{} \texttt{A} b + \texttt{E} &{} \texttt{9} b + \texttt{E} &{} \texttt{E} &{} \texttt{F} b + \texttt{A} &{} \texttt{F} b + \texttt{8} \\ \texttt{9} b &{} b + \texttt{4} &{} \texttt{2} b + \texttt{1} &{} b + \texttt{E} &{} \texttt{D} b + \texttt{4} &{} \texttt{2} b + \texttt{9} &{} \texttt{8} b + \texttt{3} &{} \texttt{6} b + \texttt{9} \end{array}\right) , \end{aligned}$$

whose expansion with coefficients in F is given by

$$\begin{aligned} H = \left( \begin{array}{rrrrrrrrrrrrrrrr} \texttt{0} &{} \texttt{3} &{} \texttt{A} &{} \texttt{C} &{} \texttt{6} &{} \texttt{6} &{} \texttt{3} &{} \texttt{7} &{} \texttt{B} &{} \texttt{7} &{} \texttt{1} &{} \texttt{0} &{} \texttt{5} &{} \texttt{D} &{} \texttt{B} &{} \texttt{3} \\ \texttt{0} &{} \texttt{8} &{} \texttt{9} &{} \texttt{C} &{} \texttt{5} &{} \texttt{B} &{} \texttt{B} &{} \texttt{2} &{} \texttt{F} &{} \texttt{4} &{} \texttt{0} &{} \texttt{0} &{} \texttt{E} &{} \texttt{0} &{} \texttt{7} &{} \texttt{D} \\ \texttt{0} &{} \texttt{2} &{} \texttt{8} &{} \texttt{6} &{} \texttt{4} &{} \texttt{C} &{} \texttt{F} &{} \texttt{7} &{} \texttt{0} &{} \texttt{E} &{} \texttt{6} &{} \texttt{0} &{} \texttt{9} &{} \texttt{2} &{} \texttt{4} &{} \texttt{1} \\ \texttt{0} &{} \texttt{F} &{} \texttt{3} &{} \texttt{B} &{} \texttt{3} &{} \texttt{5} &{} \texttt{4} &{} \texttt{D} &{} \texttt{D} &{} \texttt{A} &{} \texttt{C} &{} \texttt{0} &{} \texttt{7} &{} \texttt{8} &{} \texttt{2} &{} \texttt{C} \\ \texttt{D} &{} \texttt{D} &{} \texttt{8} &{} \texttt{C} &{} \texttt{A} &{} \texttt{E} &{} \texttt{2} &{} \texttt{E} &{} \texttt{5} &{} \texttt{2} &{} \texttt{7} &{} \texttt{E} &{} \texttt{E} &{} \texttt{E} &{} \texttt{A} &{} \texttt{8} \\ \texttt{E} &{} \texttt{F} &{} \texttt{5} &{} \texttt{C} &{} \texttt{F} &{} \texttt{D} &{} \texttt{3} &{} \texttt{4} &{} \texttt{D} &{} \texttt{5} &{} \texttt{0} &{} \texttt{A} &{} \texttt{9} &{} \texttt{0} &{} \texttt{F} &{} \texttt{F} \\ \texttt{9} &{} \texttt{7} &{} \texttt{F} &{} \texttt{6} &{} \texttt{C} &{} \texttt{F} &{} \texttt{A} &{} \texttt{E} &{} \texttt{0} &{} \texttt{4} &{} \texttt{1} &{} \texttt{E} &{} \texttt{4} &{} \texttt{9} &{} \texttt{3} &{} \texttt{9} \\ \texttt{D} &{} \texttt{C} &{} \texttt{D} &{} \texttt{B} &{} \texttt{5} &{} \texttt{9} &{} \texttt{9} &{} \texttt{9} &{} \texttt{9} &{} \texttt{1} &{} \texttt{2} &{} \texttt{1} &{} \texttt{D} &{} \texttt{2} &{} \texttt{8} &{} \texttt{6} \end{array}\right) . 
\end{aligned}$$

Now, we compute the public key. Since \(k=8\) and the rank of H is \(n-k = 8\), no additional random row is needed, so the public key \(H_{\textrm{pub}}\) is simply the row reduced echelon form of H, that is,

$$\begin{aligned} H_{\textrm{pub}} = \left( \begin{array}{rrrrrrrrrrrrrrrr} \texttt{1} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{C} &{} \texttt{2} &{} \texttt{3} &{} \texttt{2} &{} \texttt{9} &{} \texttt{9} &{} \texttt{A} &{} \texttt{4} \\ \texttt{0} &{} \texttt{1} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{9} &{} \texttt{1} &{} \texttt{A} &{} \texttt{C} &{} \texttt{7} &{} \texttt{3} &{} \texttt{8} &{} \texttt{6} \\ \texttt{0} &{} \texttt{0} &{} \texttt{1} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{A} &{} \texttt{8} &{} \texttt{2} &{} \texttt{4} &{} \texttt{D} &{} \texttt{6} &{} \texttt{5} &{} \texttt{B} \\ \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{1} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{9} &{} \texttt{0} &{} \texttt{1} &{} \texttt{3} &{} \texttt{B} &{} \texttt{7} &{} \texttt{8} &{} \texttt{9} \\ \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{1} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{E} &{} \texttt{9} &{} \texttt{B} &{} \texttt{C} &{} \texttt{F} &{} \texttt{2} &{} \texttt{6} &{} \texttt{6} \\ \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{1} &{} \texttt{0} &{} \texttt{0} &{} \texttt{A} &{} \texttt{B} &{} \texttt{1} &{} \texttt{6} &{} \texttt{9} &{} \texttt{1} &{} \texttt{1} &{} \texttt{5} \\ \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{1} &{} \texttt{0} &{} \texttt{3} &{} \texttt{F} &{} \texttt{1} &{} \texttt{2} &{} \texttt{F} &{} \texttt{B} &{} \texttt{E} &{} \texttt{1} \\ \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{0} &{} \texttt{1} &{} \texttt{A} &{} \texttt{D} &{} \texttt{8} &{} \texttt{6} &{} \texttt{4} &{} \texttt{1} &{} \texttt{2} &{} \texttt{B} 
\end{array}\right) . \end{aligned}$$

We select now the shared secret, a vector \(e\in F^{16}\) with \(t=2\) non-zero components,

$$\begin{aligned} \left( \texttt{4},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{C},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,0\right) . \end{aligned}$$

In this case the non-zero components correspond to the positions 0 and 9. We encrypt the secret by multiplying it by the transpose of \(H_{\textrm{pub}}\), obtaining the ciphertext

$$\begin{aligned} c=\left( \texttt{F},\,\texttt{C},\,\texttt{A},\,\texttt{0},\,\texttt{6},\,\texttt{D},\,\texttt{8},\,\texttt{3}\right) \in F^8. \end{aligned}$$

The receiver solves the linear system \(c = y H^{\texttt{T}}_{\textrm{pub}}\) obtaining, for instance,

$$\begin{aligned} y=\left( \texttt{F},\,\texttt{C},\,\texttt{A},\,\texttt{0},\,\texttt{6},\,\texttt{D},\,\texttt{8},\,\texttt{3},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,\texttt{0},\,0\right) . \end{aligned}$$

Finally, applying the decoding algorithm (Algorithm 2) to y, we recover the vector e, that is, the shared secret.
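The two steps just described (syndrome encryption with the systematic \(H_{\textrm{pub}}\), and the receiver's choice of a preimage y) as an added Python example; this is not code from the paper. It assumes \(F = \mathbb{F}_{16} = \mathbb{F}_2[z]/\langle z^4 + z + 1\rangle\) with each hex digit encoding the coefficient vector of an element (so \(\texttt{C} = z^3 + z^2\)); under this reading the ciphertext above is reproduced exactly. The decoder (Algorithm 2) is not implemented: the example stops at the y that is handed to it and checks that \(y - e\) is a codeword, which is all the decoder needs.

```python
# Added example (not the paper's code): Niederreiter-style encryption of Example 2 with the
# systematic public key H_pub. Assumption: F = GF(16) = F_2[z]/<z^4 + z + 1>, and a hex digit
# is the coefficient vector of a field element (e.g. "C" = z^3 + z^2).

def gf16_mul(a, b):
    """Multiply two elements of GF(16), reducing modulo z^4 + z + 1 (0x13)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

def parse_row(s):
    return [int(ch, 16) for ch in s.split()]

# H_pub exactly as printed on the page, 8 x 16, in systematic form [I_8 | A]
H_PUB = [parse_row(r) for r in (
    "1 0 0 0 0 0 0 0 C 2 3 2 9 9 A 4",
    "0 1 0 0 0 0 0 0 9 1 A C 7 3 8 6",
    "0 0 1 0 0 0 0 0 A 8 2 4 D 6 5 B",
    "0 0 0 1 0 0 0 0 9 0 1 3 B 7 8 9",
    "0 0 0 0 1 0 0 0 E 9 B C F 2 6 6",
    "0 0 0 0 0 1 0 0 A B 1 6 9 1 1 5",
    "0 0 0 0 0 0 1 0 3 F 1 2 F B E 1",
    "0 0 0 0 0 0 0 1 A D 8 6 4 1 2 B",
)]

def syndrome(vec, h=H_PUB):
    """vec * h^T, the syndrome of a length-n vector."""
    out = []
    for row in h:
        acc = 0
        for v, a in zip(vec, row):
            acc ^= gf16_mul(v, a)
        out.append(acc)
    return out

def weight(vec):
    return sum(1 for v in vec if v)

def encrypt(e, t=2):
    """Niederreiter encryption: the ciphertext is the syndrome of the weight-t secret e."""
    if weight(e) != t:
        raise ValueError("the shared secret must have exactly t non-zero components")
    return syndrome(e)

def any_preimage(c):
    """With H_pub = [I | A], y = (c, 0, ..., 0) satisfies y H_pub^T = c.  This y is NOT the
    secret; it is merely a vector in the same coset, which is what the decoder needs."""
    return list(c) + [0] * (len(H_PUB[0]) - len(c))

def fmt(vec):
    return " ".join(f"{v:X}" for v in vec)

# the secret from the page: weight 2, non-zero at positions 0 and 9
E_SECRET = parse_row("4 0 0 0 0 0 0 0 0 C 0 0 0 0 0 0")

def demo():
    c = encrypt(E_SECRET)
    y = any_preimage(c)
    # y and e share a syndrome, so y - e lies in the code; the decoder recovers e from y
    assert syndrome(y) == c
    assert syndrome([a ^ b for a, b in zip(y, E_SECRET)]) == [0] * len(c)
    return c, y

if __name__ == "__main__":
    c, y = demo()
    print("c =", fmt(c))
    print("y =", fmt(y))
```

Running the block prints the ciphertext \((\texttt{F},\texttt{C},\texttt{A},\texttt{0},\texttt{6},\texttt{D},\texttt{8},\texttt{3})\) and the preimage y of the page. Note that because \(H_{\textrm{pub}}\) is systematic, the receiver never has to solve a linear system at all: appending \(n-k\) zeros to c is already a solution.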

Example 3

This example shows that decoding failures, although quite unusual, can happen. Let \(F = \mathbb {F}_{2^8} = \frac{\mathbb {F}_{2}[z]}{\left\langle z^8 + z^4 + z^3 + z^2 + 1 \right\rangle }\), \(n = 16\), and \(t = 2\). The possible values for the pair \((m,\delta )\) are (1, 4), (2, 1), (2, 4) and (2, 8). We then fix \(m=1\) and \(\delta =4\). Choose the automorphism \(\sigma : L \rightarrow L\) defined by \(\sigma (a) = a^{2^4}\). So, \(\mu = 2\) and \(K = \mathbb {F}_{2^4}\), which may be presented as \(K = \frac{\mathbb {F}_{2}[w]}{\left\langle w^4 + w + 1 \right\rangle }\), with embedding \(w \mapsto z^{34}\) into \(F\). As a consequence, \(k=n-2t\lfloor \frac{n}{4t}\rfloor = 8\), the smallest dimension for this set of given parameters. The chosen normal and primitive elements are \(\alpha = z^{37}\) and \(\gamma = z^{41}\).

The list \(\textsf{E} = \{\alpha _0, \ldots , \alpha _{15}\}\) of evaluation points contains the elements

$$\begin{aligned} \alpha _0&= \gamma ^0 \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{45},&\alpha _1&= \gamma ^9 \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{159}, \\ \alpha _2&= \gamma ^{13} \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{68},&\alpha _3&= \gamma ^{13} \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{233}, \\ \alpha _4&= \gamma ^{10} \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{110},&\alpha _5&= \gamma ^7 \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{77}, \\ \alpha _6&= \gamma ^{12} \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{27},&\alpha _7&= \gamma ^{10} \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{200}, \\ \alpha _8&= \gamma ^2 \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{37},&\alpha _9&= \gamma ^0 \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{210}, \\ \alpha _{10}&= \gamma ^6 \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{201},&\alpha _{11}&= \gamma ^3 \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{168}, \\ \alpha _{12}&= \gamma ^{11} \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{151},&\alpha _{13}&= \gamma ^2 \textstyle \frac{\sigma (\alpha )}{\alpha } = z^{127}, \\ \alpha _{14}&= \gamma ^1 \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{251},&\alpha _{15}&= \gamma ^{12} \textstyle \frac{\sigma ^2(\alpha )}{\sigma (\alpha )} = z^{192}. \end{aligned}$$

Let \(g = x^4 + z^{238}x^2 + z^{68}\) be the skew Goppa polynomial. The corresponding parity check polynomials are

$$\begin{aligned} h_0&= z^{136}x^3 + z^{91}x^2 + z^{187}x + z^{142},&h_1&= z^{68}x^3 + z^{62}x^2 + z^{136}x + z^{130}, \\ h_2&= z^{102}x^3 + z^{170}x^2 + z^{204}x + z^{17},&h_3&= z^{102}x^3 + z^{5}x^2 + z^{204}x + z^{107}, \\ h_4&= z^{85}x^3 + z^{60}x^2 + z^{34}x + z^{9},&h_5&= z^{238}x^3 + z^{195}x^2 + z^{204}x + z^{161}, \\ h_6&= z^{85}x^3 + z^{7}x^2 + z^{170}x + z^{92},&h_7&= z^{85}x^3 + z^{225}x^2 + z^{34}x + z^{174}, \\ h_8&= z^{170}x^3 + z^{252}x^2 + z^{187}x + z^{14},&h_9&= z^{136}x^3 + z^{181}x^2 + z^{187}x + z^{232}, \\ h_{10}&= z^{102}x^3 + z^{3}x^2 + z^{238}x + z^{139},&h_{11}&= z^{136}x^3 + z^{19}x^2 + z^{136}x + z^{19}, \\ h_{12}&= z^{170}x^3 + z^{36}x^2 + z^{34}x + z^{155},&h_{13}&= z^{170}x^3 + z^{162}x^2 + z^{187}x + z^{179}, \\ h_{14}&= z^{51}x^3 + z^{242}x^2 + z^{221}x + z^{157},&h_{15}&= z^{85}x^3 + z^{97}x^2 + z^{170}x + z^{182}. \end{aligned}$$

From these parity check polynomials, we may compute the matrix \(H\in F^{4\times 16}\). Since H has rank 4, according to Sect. 5.1.4, we append to H a random matrix in \(F^{4\times 16}\), whose row reduced echelon form yields the following public key matrix

$$\begin{aligned} H_{\textrm{pub}} = { \left( \begin{array}{cccccccccccccccc} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} z^{142} &{} z^{92} &{} z^{126} &{} z^{156} &{} z^{187} &{} z^{178} &{} z^{234} &{} z^{88} \\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} z^{73} &{} z^{103} &{} z^{157} &{} z^{113} &{} z^{188} &{} z^{253} &{} z^{222} &{} z^{152} \\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} z^{109} &{} z^{109} &{} z^{64} &{} z^{165} &{} z^{131} &{} z^{204} &{} z^{138} &{} z^{145} \\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} z^{180} &{} z^{78} &{} z^{202} &{} z^{230} &{} z^{82} &{} z^{81} &{} z^{185} &{} z^{224} \\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} z^{70} &{} z^{247} &{} z^{51} &{} z^{65} &{} z^{49} &{} z^{162} &{} z^{111} &{} z^{36} \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} z^{119} &{} z^{236} &{} z^{50} &{} z^{243} &{} z^{136} &{} z^{56} &{} z^{133} &{} z^{225} \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} z^{89} &{} z^{172} &{} z^{152} &{} z^{209} &{} z^{234} &{} z^{22} &{} z^{231} &{} z^{96} \\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} z^{70} &{} z^{152} &{} z^{157} &{} z^{32} &{} z^{247} &{} z^{180} &{} z^{172} &{} z^{106}\end{array} \right) } \end{aligned}$$

Let the error vector be

$$\begin{aligned} e = \left( z^{249}, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0\right) . \end{aligned}$$

Hence the cryptogram is

$$\begin{aligned} c = e H_{\textrm{pub}}^{\texttt{T}} = \left( z^{133}, z^{103}, z^{109}, z^{78}, z^{247}, z^{236}, z^{172}, z^{152}\right) , \end{aligned}$$

which is transmitted to the receiver. A solution of

$$\begin{aligned} c = y H_{\textrm{pub}}^{\texttt{T}} \end{aligned}$$

is

$$\begin{aligned} y = \left( z^{133}, z^{103}, z^{109}, z^{78}, z^{247}, z^{236}, z^{172}, z^{152}, 0, 0, 0, 0, 0, 0, 0, 0\right) , \end{aligned}$$

which allows us to compute the syndrome polynomial

$$\begin{aligned} s = z^{36}x^3 + z^{81}x^2 + z^{87}x + z^{132}. \end{aligned}$$

We apply the LEEA to \(g,s\) until we find the first remainder with degree below \(2\), obtaining

$$\begin{aligned} v_I = z^{189}x + z^{174}, \quad r_I = z^{119}. \end{aligned}$$

The only right root of \(v_I\) is \(z^{240}\), which is not in \(\textsf{E}\). Therefore, the number of evaluation points which are roots of \(v_I\) is \(0 < 1 = \deg v_I\). There is a decoding failure, which we can solve with Algorithm 3. The 10th evaluation point, \(\alpha _9\), does not increment the degree, so it is a root of the locator polynomial \(\lambda \). Since \(\left[ v_I, x - \alpha _9\right] _\ell = x^2 + 1\), which has \(\alpha _0\) and \(\alpha _9\) as roots, we get that \(\lambda = x^2 + 1\). The corresponding evaluator polynomial is \(\omega = z^{155} x + z^{200}\). The error positions are \(0\) and \(9\), and the evaluator polynomial allows us to compute the error values, \(z^{249}\) and \(1\) respectively, as expected.
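The failure diagnosis above can be reproduced with the following added Python example, which is not code from the paper. It implements \(F = \mathbb{F}_{2^8}\) with the modulus \(z^8 + z^4 + z^3 + z^2 + 1\) (primitive, so every non-zero element is a power of z), the automorphism \(\sigma(a) = a^{16}\), and enough of \(F[x;\sigma]\) (multiplication, right evaluation, right division, and the least common left multiple of two linear polynomials) to re-derive the evaluation points \(\textsf{E}\) from \(\alpha\) and \(\gamma\), confirm that the only right root of \(v_I\) is \(z^{240} \notin \textsf{E}\), and rebuild \(\lambda = [v_I, x - \alpha_9]_\ell = x^2 + 1\), whose right roots in \(\textsf{E}\) are exactly \(\alpha_0\) and \(\alpha_9\). The LEEA itself is not reimplemented, so \(v_I\) is taken from the page. Two conventions are assumed and are consistent with every figure on the page: the ring law \(x a = \sigma(a) x\), and right evaluation \(f(b) = \sum_i f_i N_i(b)\) with \(N_i(b) = b\,\sigma(b)\cdots\sigma^{i-1}(b)\), under which \(f(b) = 0\) exactly when \(x - b\) right-divides f.

```python
# Added example (not the paper's code): F = GF(2^8) = F_2[z]/<z^8+z^4+z^3+z^2+1> and the skew
# polynomial ring F[x; sigma] with sigma(a) = a^16, used to re-derive the figures of Example 3.
# Assumed conventions: x*a = sigma(a)*x, and right evaluation f(b) = sum_i f_i N_i(b) with
# N_i(b) = b*sigma(b)*...*sigma^(i-1)(b), so that f(b) = 0 iff (x - b) right-divides f.

MOD = 0x11D                     # z^8 + z^4 + z^3 + z^2 + 1 is primitive: z generates F*
EXP, LOG = [0] * 510, [0] * 256
_a = 1
for _i in range(255):
    EXP[_i], LOG[_a] = _a, _i
    _a <<= 1
    if _a & 0x100:
        _a ^= MOD
EXP[255:] = EXP[:255]           # doubled so that EXP[i + j] needs no reduction

def zpow(k):
    """The field element z^k."""
    return EXP[k % 255]

def log(a):
    """Discrete logarithm to base z (a != 0)."""
    return LOG[a]

def mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def inv(a):
    return EXP[(255 - LOG[a]) % 255]

def sigma(a, times=1):
    """sigma^times(a) for sigma(a) = a^16 (sigma^2 is the identity on GF(2^8))."""
    return 0 if a == 0 else EXP[(LOG[a] * pow(16, times, 255)) % 255]

def trim(f):
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

# skew polynomials are coefficient lists, index = degree
def skew_mul(f, g):
    """Product in F[x; sigma], using x^i * a = sigma^i(a) * x^i."""
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] ^= mul(fi, sigma(gj, i))
    return trim(out)

def right_eval(f, b):
    """Right evaluation f(b) = sum_i f_i * N_i(b)."""
    total, norm, bi = 0, 1, b      # norm = N_i(b), bi = sigma^i(b)
    for fi in f:
        total ^= mul(fi, norm)
        norm, bi = mul(norm, bi), sigma(bi)
    return total

def right_rem(f, g):
    """Remainder r of the right division f = q*g + r with deg r < deg g."""
    f, dg = list(f), len(g) - 1
    for i in range(len(f) - 1, dg - 1, -1):
        if f[i]:
            k = i - dg                         # q_k x^k * g_dg x^dg = q_k sigma^k(g_dg) x^i
            qk = mul(f[i], inv(sigma(g[dg], k)))
            for j, gj in enumerate(g):
                f[k + j] ^= mul(qk, sigma(gj, k))
    return trim(f[:dg])

def right_root_linear(f):
    """Right root of a*x + b, i.e. b/a (characteristic 2, so -b/a = b/a)."""
    b, a = f
    return mul(b, inv(a))

def llcm_linear(f, g):
    """[f, g]_l for linear f, g with distinct right roots r1, r2: the monic (x - c)(x - r1) that
    also vanishes at r2; right-evaluating at r2 gives c = r2 (sigma(r1) - sigma(r2)) / (r1 - r2)."""
    r1, r2 = right_root_linear(f), right_root_linear(g)
    c = mul(mul(r2, sigma(r1) ^ sigma(r2)), inv(r1 ^ r2))
    return skew_mul([c, 1], [r1, 1])

ALPHA, GAMMA = zpow(37), zpow(41)       # normal element alpha and primitive element gamma
# (k, j) with alpha_i = gamma^k * sigma^j(alpha) / sigma^(j-1)(alpha), read off the page's list
E_SPEC = [(0, 1), (9, 1), (13, 1), (13, 2), (10, 2), (7, 1), (12, 1), (10, 1),
          (2, 2), (0, 2), (6, 2), (3, 1), (11, 2), (2, 1), (1, 2), (12, 2)]

def evaluation_points():
    pts = []
    for k, j in E_SPEC:
        ratio = mul(sigma(ALPHA, j), inv(sigma(ALPHA, j - 1)))
        pts.append(mul(zpow(log(GAMMA) * k), ratio))
    return pts

V_I = [zpow(174), zpow(189)]            # v_I = z^189 x + z^174, the LEEA output quoted on the page

def diagnose():
    E = evaluation_points()
    r = right_root_linear(V_I)
    lam = llcm_linear(V_I, [E[9], 1])   # the llcm [v_I, x - alpha_9]_l the page forms to get lambda
    return {
        "root_of_vI": log(r),
        "root_in_E": r in E,
        "vI_roots_in_E": [i for i, a in enumerate(E) if right_eval(V_I, a) == 0],
        "lambda": lam,
        "error_positions": [i for i, a in enumerate(E) if right_eval(lam, a) == 0],
        "lambda_left_multiple": right_rem(lam, V_I) == [0] and right_rem(lam, [E[9], 1]) == [0],
    }

if __name__ == "__main__":
    print(diagnose())
```

`diagnose()` reports that the right root of \(v_I\) is \(z^{240}\), that no evaluation point is a root of \(v_I\), that \(\lambda = x^2 + 1\) (coefficient list `[1, 0, 1]`) is a left multiple of both \(v_I\) and \(x - \alpha_9\), and that its roots in \(\textsf{E}\) sit at positions 0 and 9. The same functions let a practitioner test Algorithm 3's repair on other error patterns, since a decoding failure of this kind is detected precisely when the count of evaluation points that are roots falls below \(\deg v_I\).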

5.4 McEliece’s original approach

The approach in [18] can also be followed. The private key is computed as in Subsection 5.1. The public key is obtained as follows. Let \(H\) be the matrix computed in 5.1.4 from Proposition 7. Compute a full rank generator matrix \(G\) for the left kernel of \(H^{\texttt{T}}\). Let \(S \in {F}^{r \times r}\) be a random non-singular matrix, where \(r = {\text {rank}}(G)\). Then \(G_{\textrm{pub}}\) consists of the first \(k\) rows of \(SG\). This concludes the key schedule.

The encryption procedure starts with a message which is a word \(m \in F^k\). In order to encrypt, we select a random \(e \in F^n\) such that \({{\,\textrm{w}\,}}(e) = t\). The cryptogram is

$$\begin{aligned} y = m G_{\textrm{pub}} + e \in F^n. \end{aligned}$$

To decrypt, let \(y(x) = \sum _{i=0}^{n-1} y_i x^i\). Apply Algorithms 2 and 3 in order to compute the vector e. Then the message can be recovered by multiplying \(y-e\) by a suitable right inverse of \(G_{\textrm{pub}}\).
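The key schedule, encryption and final decryption step of this McEliece-style variant, instantiated with the systematic matrix \(H_{\textrm{pub}}\) of Example 2, as an added Python example that is not the paper's code. It assumes \(F = \mathbb{F}_{16} = \mathbb{F}_2[z]/\langle z^4 + z + 1\rangle\) with hex digits encoding coefficient vectors, builds G as a generator of the left kernel of \(H^{\texttt{T}}\), scrambles it with a random non-singular S (seeded here only so that the run is reproducible), encrypts \(y = m G_{\textrm{pub}} + e\), and recovers m from \(y - e\) through a right inverse of \(G_{\textrm{pub}}\). The skew Goppa decoder (Algorithms 2 and 3) is not reimplemented: the error vector is handed to the last step as if the decoder had returned it, and the right inverse is computed generically by inverting \(G_{\textrm{pub}}\) on a set of k pivot columns.

```python
# Added example (not the paper's code): McEliece-style key schedule, encryption and message
# recovery over F = GF(16) = F_2[z]/<z^4 + z + 1>, using the H_pub of Example 2 as H.
import random

K, N, T = 8, 16, 2

def gf16_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13                      # reduce modulo z^4 + z + 1
    return r

def gf16_inv(a):
    return next(b for b in range(1, 16) if gf16_mul(a, b) == 1)

def dot(u, v):
    acc = 0
    for a, b in zip(u, v):
        acc ^= gf16_mul(a, b)
    return acc

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_mul(A, B):
    Bt = transpose(B)
    return [[dot(row, col) for col in Bt] for row in A]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def gauss_jordan(M):
    """Row-reduce M in place over GF(16); return the list of pivot columns."""
    pivots, r = [], 0
    for c in range(len(M[0])):
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        s = gf16_inv(M[r][c])
        M[r] = [gf16_mul(s, v) for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [v ^ gf16_mul(f, w) for v, w in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    return pivots

def invert(M):
    """Inverse of a square matrix via Gauss-Jordan on [M | I]; None if M is singular."""
    n = len(M)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(M)]
    if gauss_jordan(aug) != list(range(n)):
        return None
    return [row[n:] for row in aug]

def right_inverse(G):
    """R with G R = I_k for a full-row-rank k x n matrix: invert G on its pivot columns."""
    k, n = len(G), len(G[0])
    piv = gauss_jordan([row[:] for row in G])
    sub_inv = invert([[row[c] for c in piv] for row in G])
    R = [[0] * k for _ in range(n)]
    for i, c in enumerate(piv):
        R[c] = sub_inv[i]
    return R

# H_pub of Example 2 (page data), used here as the matrix H of 5.1.4
H_PUB = [[int(ch, 16) for ch in r.split()] for r in (
    "1 0 0 0 0 0 0 0 C 2 3 2 9 9 A 4", "0 1 0 0 0 0 0 0 9 1 A C 7 3 8 6",
    "0 0 1 0 0 0 0 0 A 8 2 4 D 6 5 B", "0 0 0 1 0 0 0 0 9 0 1 3 B 7 8 9",
    "0 0 0 0 1 0 0 0 E 9 B C F 2 6 6", "0 0 0 0 0 1 0 0 A B 1 6 9 1 1 5",
    "0 0 0 0 0 0 1 0 3 F 1 2 F B E 1", "0 0 0 0 0 0 0 1 A D 8 6 4 1 2 B")]

def generator_from_systematic_h(H):
    """H = [I | A] gives G = [A^T | I] spanning the left kernel of H^T (char. 2: -A^T = A^T)."""
    At = transpose([row[K:] for row in H])
    return [At[i] + identity(K)[i] for i in range(K)]

def keygen(seed=1):
    """G_pub = S G; here rank(G) = k, so all k rows of S G are kept."""
    G = generator_from_systematic_h(H_PUB)
    assert mat_mul(G, transpose(H_PUB)) == [[0] * K for _ in range(K)]
    rng = random.Random(seed)              # seeded only for reproducibility of the example
    while True:
        S = [[rng.randrange(16) for _ in range(K)] for _ in range(K)]
        if invert(S) is not None:          # keep only a non-singular S
            return mat_mul(S, G)

def weight(vec):
    return sum(1 for v in vec if v)

def encrypt(m, G_pub, e):
    if weight(e) != T:
        raise ValueError("error vector must have weight t")
    return [a ^ b for a, b in zip(mat_mul([m], G_pub)[0], e)]

def recover_message(y, e, G_pub):
    """Final decryption step: with the decoder's e in hand, y - e = m G_pub, so m = (y - e) R."""
    if weight(e) != T:
        raise ValueError("decoder output does not have weight t: reject the ciphertext")
    codeword = [a ^ b for a, b in zip(y, e)]
    return mat_mul([codeword], right_inverse(G_pub))[0]

if __name__ == "__main__":
    G_pub = keygen(seed=7)
    m = [1, 2, 3, 4, 5, 6, 7, 8]                                 # constructed message
    e = [4, 0, 0, 0, 0, 0, 0, 0, 0, 0xC, 0, 0, 0, 0, 0, 0]       # weight-2 error from Example 2
    y = encrypt(m, G_pub, e)
    print(recover_message(y, e, G_pub) == m)
```

Since \(G = [A^{\texttt{T}} \mid I_k]\), the last k columns of \(G_{\textrm{pub}}\) are exactly S, so in this instance the right inverse amounts to \(S^{-1}\) placed on those rows; `right_inverse` does not rely on that and works for any full-row-rank \(G_{\textrm{pub}}\). The weight check in `recover_message` is the point at which an implementation should reject a ciphertext whose decoding did not yield exactly t errors, rather than return a garbage message.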