The syzygy distinguisher
Hugues Randriambololona
TL;DR
The work introduces a novel distinguisher for alternant and Goppa codes whose complexity is subexponential in the error-correcting capability, which is better than generic decoding and free of the regime limitations of prior distinguishers. It hinges on graded Betti numbers of the homogeneous coordinate ring of shortened dual codes, computed through linear-algebraic constructions that resemble Macaulay matrices, and is underpinned by lower-bound results from the Eagon–Northcott complex. The result is a structural, algebraic approach to CPA security questions for Classic McEliece that opens avenues for potential subexponential attacks or improved cryptanalytic techniques. Overall, the paper connects syzygy theory and algebraic geometry with code-based cryptography to advance understanding of code distinguishability and its practical implications.
Abstract
We present a new distinguisher for alternant and Goppa codes, whose complexity is subexponential in the error-correcting capability, hence better than that of generic decoding algorithms. Moreover, it does not suffer from the strong regime limitations of the previous distinguishers or structure recovery algorithms: in particular, it applies to the codes used in the Classic McEliece candidate for postquantum cryptography standardization. The invariants that allow us to distinguish are graded Betti numbers of the homogeneous coordinate ring of a shortening of the dual code. This is the first time since the introduction of the McEliece cryptosystem in 1978 that an analysis (in the CPA model) breaks the exponential barrier.
