How to Backdoor (Classical) McEliece and How to Guard Against Backdoors.

We show how to backdoor the McEliece cryptosystem such that a backdoored public key is indistinguishable from a usual public key, but allows to efficiently retrieve the underlying secret key. For good cryptographic reasons, McEliece uses a small random seed delta that generates via some pseudo random generator (PRG) the randomness that determines the secret key. Our backdoor mechanism works by encoding an encryption of delta into the public key. Retrieving delta then allows to efficiently recover the (backdoored) secret key. Interestingly, McEliece can be used itself to encrypt delta, thereby protecting our backdoor mechanism with strong post-quantum security guarantees. Our construction also works for the current Classic McEliece NIST standard proposal for non-compressed secret keys, and therefore opens the door for widespread maliciously backdoored implementations. Fortunately, our backdoor mechanism can be detected by the owner of the (backdoored) secret key if delta is stored after key generation as specified by the Classic McEliece proposal. Thus, our results provide strong advice for implementers to store delta inside the secret key and use delta to guard against backdoor mechanisms.