On the matrix code of quadratic relationships for a Goppa code

Rocco Mora

TL;DR

This work advances the cryptanalytic study of McEliece-type schemes by analyzing the matrix code of quadratic relationships generated by Goppa and alternant codes. By developing a Pfaffian-based algebraic model and detailing a taxonomy of structured low-rank matrices within the matrix code, the authors establish a polynomial-time key-recovery attack for binary square-free Goppa codes of degree $2$, achieving practical breaks on contemporary challenges. A key contribution is the concept of a Goppa code representation and a method to transform a generic support/multiplier pair into such a representation, enabling recovery of the secret Goppa parameters via a rank-2 centered attack and a Sidelnikov–Shestakov step. The results illustrate that Pfaffian modeling is not only a distinguisher but also a viable route to key recovery, significantly impacting parameter choices and security assessments in McEliece-like cryptosystems, especially for the high-rate regime and degree-2 Goppa codes.

Abstract

In this article, we continue the analysis started in \cite{CMT23} for the matrix code of quadratic relationships associated with a Goppa code. We provide new sparse and low-rank elements in the matrix code and categorize them according to their shape. Thanks to this description, we prove that the set of rank 2 matrices in the matrix codes associated with square-free binary Goppa codes, i.e. those used in Classic McEliece, is much larger than what is expected, at least in the case where the Goppa polynomial degree is 2. We build upon the algebraic determinantal modeling introduced in \cite{CMT23} to derive a structural attack on these instances. Our method can break in just a few seconds some recent challenges about key-recovery attacks on the McEliece cryptosystem, consistently reducing their estimated security level. We also provide a general method, valid for any Goppa polynomial degree, to transform a generic pair of support and multiplier into a pair of support and Goppa polynomial.

Paper Structure

This paper contains 12 sections, 13 theorems, 71 equations, 1 table, 1 algorithm.

Key Result

Proposition 2.2 (\cite{MS86})

Let $\text{\bf GRS}_{r}({\boldsymbol{x}},{\boldsymbol{y}})$ be a GRS code of length $n$. Its dual is also a GRS code. In particular $\text{\bf GRS}_{r}({\boldsymbol{x}},{\boldsymbol{y}})^\perp=\text{\bf GRS}_{n-r}({\boldsymbol{x}},{\boldsymbol{y}}^\perp),$ with ${\boldsymbol{y}}^\perp\stackrel{
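The statement of $\boldsymbol{y}^\perp$ is cut off above. The following added Python check (not code from the paper) verifies Proposition 2.2 on a small constructed GRS code over a prime field, assuming the standard dual multiplier from MacWilliams and Sloane, $y^\perp_j = \big(y_j \prod_{k \neq j}(x_j - x_k)\big)^{-1}$; it also confirms the two codes have complementary dimensions, which the orthogonality check alone does not show.

```python
# Worked check of Proposition 2.2 over a prime field GF(p) (added example).
# Assumption (the standard formula, MacWilliams-Sloane Ch. 10): the dual multiplier is
#   y_perp[j] = 1 / (y[j] * prod_{k != j} (x[j] - x[k]))   (mod p)
P = 13  # constructed: a small prime so field arithmetic is plain modular integers

def grs_generator(x, y, r, p=P):
    """Generator matrix of GRS_r(x, y): row i is (y_j * x_j^i), i = 0..r-1."""
    return [[yj * pow(xj, i, p) % p for xj, yj in zip(x, y)] for i in range(r)]

def dual_multiplier(x, y, p=P):
    """y_perp from the formula above; x must be distinct, y nonzero mod p."""
    out = []
    for j, (xj, yj) in enumerate(zip(x, y)):
        prod = 1
        for k, xk in enumerate(x):
            if k != j:
                prod = prod * (xj - xk) % p
        out.append(pow(yj * prod % p, -1, p))
    return out

def is_orthogonal(G, H, p=P):
    """Every row of G has zero inner product with every row of H."""
    return all(sum(a * b for a, b in zip(g, h)) % p == 0 for g in G for h in H)

def rank_mod_p(M, p=P):
    """Row rank over GF(p) by Gaussian elimination (entries already reduced mod p)."""
    M = [row[:] for row in M]
    rank = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(rank, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, p)
        M[rank] = [v * inv % p for v in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[rank])]
        rank += 1
    return rank

def check_dual(x, y, r, p=P):
    """True iff GRS_{n-r}(x, y_perp) is orthogonal to GRS_r(x, y) and both have full rank."""
    n = len(x)
    G = grs_generator(x, y, r, p)
    H = grs_generator(x, dual_multiplier(x, y, p), n - r, p)
    return is_orthogonal(G, H, p) and rank_mod_p(G, p) == r and rank_mod_p(H, p) == n - r

# constructed sample: distinct support and nonzero multiplier in GF(13)
SUPPORT, MULTIPLIER = [1, 2, 3, 5, 7, 11], [1, 4, 2, 9, 3, 6]
```

Applying the dual multiplier twice returns the original multiplier, which is why the proposition can be read in either direction.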

Theorems & Definitions (35)

  • Definition 2.1: Generalized Reed-Solomon (GRS) code
  • Proposition 2.2
  • Definition 2.3: Alternant code
  • Definition 2.4: Goppa code
  • Theorem 2.5
  • Definition 2.6
  • Definition 2.7: Image of a code by the Frobenius map
  • Definition 2.8: Extension of a code over a field extension
  • Proposition 2.9
  • Lemma 2.10: from Lemma 2.22 and Lemma 2.23, R15
  • ...and 25 more