Understanding the new distinguisher of alternant codes at degree 2
Axel Lemoine, Rocco Mora, Jean-Pierre Tillich
Designs, Codes and Cryptography (Journal Article), published 2025-04-19
DOI: 10.1007/s10623-025-01626-8 (https://doi.org/10.1007/s10623-025-01626-8)
Citation count: 0
Abstract
Distinguishing Goppa codes or alternant codes from generic linear codes (Faugère et al. in Proceedings of the IEEE Information Theory Workshop—ITW 2011, Paraty, Brasil, October 2011, pp. 282–286, 2011) has been shown to be a first step before being able to attack the McEliece cryptosystem based on those codes (Bardet et al. in IEEE Trans Inf Theory 70(6):4492–4511, 2024). Whereas the distinguisher of Faugère et al. (2011) is only able to distinguish Goppa codes or alternant codes of rate very close to 1, in Couvreur et al. (in: Guo and Steinfeld (eds) Advances in Cryptology—ASIACRYPT 2023—29th International Conference on the Theory and Application of Cryptology and Information Security, Guangzhou, China, December 4–8, 2023, Proceedings, Part IV, Volume 14441 of LNCS, pp. 3–38, Springer, 2023) a much more powerful (and more general) distinguisher was proposed. It is based on computing the Hilbert series \(\{{{\,\textrm{HF}\,}}(d),\;d \in \mathbb {N}\}\) of a Pfaffian modeling. The distinguisher of Faugère et al. (2011) can be interpreted as computing \({{\,\textrm{HF}\,}}(1)\). Computing \({{\,\textrm{HF}\,}}(2)\) still gives a polynomial time distinguisher for alternant or Goppa codes and is apparently able to distinguish Goppa or alternant codes in a much broader regime of rates than the one of Faugère et al. (2011). However, the scope of this distinguisher was unclear. We give here a formula for \({{\,\textrm{HF}\,}}(2)\) corresponding to generic alternant codes when the field size q satisfies \(q \geqslant r\), where r is the degree of the alternant code. We also show that this expression for \({{\,\textrm{HF}\,}}(2)\) provides a lower bound in general. The value of \({{\,\textrm{HF}\,}}(2)\) corresponding to random linear codes is known and this yields a precise description of the new regime of rates that can be distinguished by this new method. This shows that the new distinguisher improves significantly upon the one given in Faugère et al. (2011).
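The abstract presents the degree-1 distinguisher of Faugère et al. only as the computation of \({{\,\textrm{HF}\,}}(1)\). In its classical form (an equivalence established in the literature, not stated on this page) that distinguisher compares the dimension of the component-wise square of the public code's dual with the value a random code of the same length and dimension would give. The following Python script is an added illustration of that comparison, not code from the paper or its authors. It uses a generalised Reed–Solomon (GRS) code rather than an alternant code: GRS codes over a prime field need no extension-field arithmetic, alternant codes are subfield subcodes of GRS codes, and the square of a GRS code of dimension k shows the shrinkage (dimension 2k-1 instead of the generic k(k+1)/2) in its purest form. Since the dual of a GRS code is again GRS, the test is applied to the code itself here; for alternant or Goppa codes the same test on the dual only drops below the generic value at rates close to 1, which is the limitation the abstract attributes to the degree-1 distinguisher, and the paper's \({{\,\textrm{HF}\,}}(2)\) refinement is not implemented. The parameters q = 53, n = 40, k = 10 and the random seeds are constructed for the example.

```python
"""Degree-1 (square-code) distinguisher: GRS code versus random code over GF(q).

Added example, not code from the paper.  Arithmetic is plain Python integers
modulo a prime q; the parameters (q, n, k) below are chosen for illustration.
"""
import random


def rank_mod_p(rows, p):
    """Rank of a list of integer vectors over GF(p), by Gaussian elimination."""
    m = [[x % p for x in r] for r in rows]
    ncols = len(m[0]) if m else 0
    rank = 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)  # modular inverse, p prime
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def grs_generator(q, n, k, seed=0):
    """Generator matrix of GRS_k(x, y) over GF(q): rows y_j * x_j^i, i = 0..k-1,
    with distinct evaluation points x_j (needs n <= q) and nonzero multipliers y_j."""
    rng = random.Random(seed)
    x = rng.sample(range(q), n)
    y = [rng.randrange(1, q) for _ in range(n)]
    return [[(y[j] * pow(x[j], i, q)) % q for j in range(n)] for i in range(k)]


def random_generator(q, n, k, seed=0):
    """Generator matrix of a random [n, k] code: rows drawn uniformly from GF(q)^n."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(n)] for _ in range(k)]


def square_code_dim(G, q):
    """Dimension of the Schur (component-wise) square C*C, i.e. the span of all
    products g_i * g_j of generator rows with i <= j."""
    k, n = len(G), len(G[0])
    products = [[(G[i][t] * G[j][t]) % q for t in range(n)]
                for i in range(k) for j in range(i, k)]
    return rank_mod_p(products, q)


def expected_generic_dim(n, k):
    """Square dimension reached by a random [n, k] code with high probability."""
    return min(n, k * (k + 1) // 2)


def distinguish(G, q):
    """Return (dim C*C, generic value, flagged): the code is flagged as structured
    when its square is strictly smaller than the generic value."""
    n, k = len(G[0]), len(G)
    d = square_code_dim(G, q)
    generic = expected_generic_dim(n, k)
    return d, generic, d < generic


if __name__ == "__main__":
    q, n, k = 53, 40, 10  # constructed parameters: rate 1/4, n <= q for GRS
    for name, G in (("GRS", grs_generator(q, n, k)),
                    ("random", random_generator(q, n, k))):
        d, generic, flagged = distinguish(G, q)
        print(f"{name:6s} [n={n}, k={k}] over GF({q}): dim C*C = {d}, "
              f"generic = {generic}, distinguished = {flagged}")
```

With these parameters the GRS square has dimension 2k-1 = 19 because the products y_j^2 x_j^{i+i'} span GRS_{2k-1}(x, y^2), while the random code's 55 row products fill all n = 40 coordinates; the gap is what the degree-1 distinguisher detects, and for alternant codes it closes except at high rate.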
Journal description:
Designs, Codes and Cryptography is an archival peer-reviewed technical journal publishing original research papers in the designated areas. There is a great deal of activity in design theory, coding theory and cryptography, including a substantial amount of research which brings together more than one of the subjects. While many journals exist for each of the individual areas, few encourage the interaction of the disciplines.
The journal was founded to meet the needs of mathematicians, engineers and computer scientists working in these areas, whose interests extend beyond the bounds of any one of the individual disciplines. The journal provides a forum for high quality research in its three areas, with papers touching more than one of the areas especially welcome.
The journal also considers high quality submissions in the closely related areas of finite fields and finite geometries, which provide important tools for both the construction and the actual application of designs, codes and cryptographic systems. In particular, it includes (mostly theoretical) papers on computational aspects of finite fields. It also considers topics in sequence design, which frequently admit equivalent formulations in the journal’s main areas.
Designs, Codes and Cryptography is mathematically oriented, emphasizing the algebraic and geometric aspects of the areas it covers. The journal considers high quality papers of both a theoretical and a practical nature, provided they contain a substantial amount of mathematics.