Summary: This comment points out a mathematical explanation for _why_
Classic McEliece has much smaller ciphertexts than, e.g., Kyber.
Context: The primary motivation for this KEM is security, but a frequent
observation is that this KEM has much smaller ciphertexts than any of
the alternatives. An interesting consequence is that the minimum network
traffic for frequently used long-term post-quantum public keys (e.g.,
server identity keys) is achieved by this KEM. Various post-quantum
deployments, such as Rosenpass, would lose efficiency if they switched
the long-term keys from this KEM to alternatives.
The underlying cryptanalytic facts are that, for any particular
ciphertext size, the ranking of costs of known attacks is as follows:
* Fastest: attacking ciphertexts or keys for Kyber, NTRU, etc.
* Much slower: attacking McEliece ciphertexts.
* Slowest: attacking McEliece keys.
People often wonder whether this means that the McEliece system hasn't
been studied: i.e., whether further study would eliminate the McEliece
ciphertext-size advantage. Normally this question is answered with a
pointer to the long history of McEliece attack papers. I'm filing this
comment to highlight a different answer.
I've recently given a talk with a unified description of code/lattice
cryptosystems, pinpointing what's different about the McEliece system:
https://cr.yp.to/talks/2024.07.17/slides-djb-20240717-mceliece-4x3.pdf
Attacks against all of these cryptosystems can be viewed as finding a
lattice vector close to a target point. Barak similarly commented in
https://eprint.iacr.org/2017/365
on the "family" of "coding/lattice" systems, and claimed that "all the
known lattice-based public-key encryption schemes can be broken using
oracle access to an O(√n) approximation algorithm for the lattice
closest vector problem". A closer look shows, however, that it's easy
to write down systems where that level of approximation doesn't break
the system. For McEliece, the gap is only polylogarithmic: the distance
d from the target to the lattice is so high that exponentially many
lattice points are within distance d*polylog of the target.
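As a rough numerical illustration of this gap, the following sketch uses
the standard counting heuristic for a random binary [n,k] code: the
expected number of codewords within Hamming distance w of a random
target is 2^(k-n) times the volume of the radius-w ball. It uses the
mceliece348864 parameters (n=3488, k=2720, t=64) and evaluates at w = 4t
as a stand-in for the d*polylog radius; the heuristic and the choice of
slack factor are illustrative assumptions, not part of the comment.

```python
# Heuristic count (not an attack): for a random binary [n,k] code, the
# expected number of codewords within Hamming distance w of a random
# target point is 2^(k-n) * sum_{i<=w} C(n,i).
from math import comb, log2

n, k, t = 3488, 2720, 64  # mceliece348864 parameters

def log2_expected_codewords(w):
    ball = sum(comb(n, i) for i in range(w + 1))  # Hamming ball volume
    return log2(ball) + (k - n)

# At the decoding distance t, the expected count is astronomically below
# 1: the ciphertext error is uniquely decodable.
print(log2_expected_codewords(t))

# At a modest multiple of t (here 4t, standing in for d*polylog), the
# expected count is astronomically above 1: exponentially many codewords
# lie that close to the target, so an O(sqrt(n))-approximate CVP oracle
# does not pin down the error.
print(log2_expected_codewords(4 * t))
```

The sign flip between the two printed exponents is the quantitative
content of the "only polylogarithmic" gap claimed above.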
The fundamental reason for this difference is that, for any particular
ciphertext size, keygen and dec use a quantitatively much more powerful
decoder for McEliece than for the alternatives. Simple attacks that
exploit the low distances allowed by the alternative decoders are faster
than state-of-the-art attacks against the much larger distances allowed
by the Goppa decoder used by McEliece.
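The decoding power in question can be made concrete from the standard
Goppa-code parameter relation: a binary Goppa code with support size n
over F_{2^m} and a degree-t Goppa polynomial has dimension k >= n - m*t
(with equality in the parameter sets used here) and an efficient decoder
correcting t errors. A minimal check for mceliece348864:

```python
# Binary Goppa code parameter relation: k = n - m*t for the McEliece
# parameter sets, with an efficient decoder correcting all t errors.
n, m, t = 3488, 12, 64   # mceliece348864: length, field degree, errors
k = n - m * t
print(k)                 # 2720, matching the published dimension
```

So for this ciphertext size the Goppa decoder handles weight-64 errors,
which is the "quantitatively much more powerful" decoding distance
referred to above.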
It's also worth noting that the structure of the alternative decoders is
the basic reason that the weakness of the alternatives is shared between
ciphertexts and keys. In principle the alternatives can strengthen their
keys (see, e.g., https://eprint.iacr.org/2013/004), but this costs size
(https://link.springer.com/chapter/10.1007/978-3-319-11659-4_2), making
ciphertexts even easier to attack for any particular ciphertext size.
---D. J. Bernstein