A new approach based on quadratic forms to attack the McEliece cryptosystem

Alain Couvreur, Rocco Mora, J. Tillich
DOI: 10.48550/arXiv.2306.10294
Published in: IACR Cryptol. ePrint Arch., 2023, no. 950 (2023-06-17)
Citation count: 2

Abstract

We bring in here a novel algebraic approach for attacking the McEliece cryptosystem. It consists of introducing a subspace of matrices representing quadratic forms. These are associated with quadratic relations for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or only of skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ consisting of a Gröbner basis modeling of the condition that a skew-symmetric matrix has rank $2$. This allows us to analyze the complexity of solving the corresponding algebraic system with Gröbner basis techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher for the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It has polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial in the parameter regime required by [FGO+11] but, unlike the previous one, is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial time attack on the McEliece cryptosystem provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.
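The quantity behind the abstract's "component-wise product in the dual of the code" can be made concrete on a toy instance. The script below is an added example and is not code from the paper. It builds a generalized Reed-Solomon (GRS) code over GF(31) (the code family of which alternant and Goppa codes are subfield subcodes; using a GRS code instead of a Goppa code, the prime field, and the toy parameters $[24,19]$ are this example's own simplifications), computes a basis of the dual code, spans all component-wise products of pairs of dual codewords, and compares the dimension obtained with $\min(n, r(r+1)/2)$, the value an $r$-dimensional random code reaches with overwhelming probability. That comparison is the shape of the [FGO+11] distinguisher: for the GRS code the dual is again GRS and the product space has dimension $2r-1 = 9$, while a random code of the same parameters reaches $15$.

```python
"""Square-code (component-wise product) distinguisher on a toy GRS code.

Added illustration, not code from the paper.  Everything is over the prime
field GF(P), so codewords are Python lists of ints and arithmetic is mod P.
"""
import random
from itertools import combinations_with_replacement

P = 31  # toy field GF(31); an assumption of this example, not a parameter of the paper


def rref_mod_p(rows, p=P):
    """Reduced row echelon form over GF(p). Returns (nonzero rows, pivot columns)."""
    m = [[x % p for x in r] for r in rows]
    pivots, r = [], 0
    ncols = len(m[0]) if m else 0
    for c in range(ncols):
        if r == len(m):
            break
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)          # modular inverse (Python >= 3.8)
        m[r] = [(x * inv) % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m[:r], pivots


def dual_code(gen, p=P):
    """Generator matrix of the dual code C^perp: a basis of {v : G v = 0}."""
    red, pivots = rref_mod_p(gen, p)
    n = len(gen[0])
    basis = []
    for f in (c for c in range(n) if c not in pivots):   # one vector per free column
        v = [0] * n
        v[f] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-red[i][f]) % p
        basis.append(v)
    return basis


def square_code_dim(gen, p=P):
    """Dimension of the component-wise product code C * C = <c * c' : c, c' in C>."""
    prods = [[(a * b) % p for a, b in zip(u, v)]
             for u, v in combinations_with_replacement(gen, 2)]
    return len(rref_mod_p(prods, p)[0])


def grs_generator(n, k, p=P, seed=1):
    """Generalized Reed-Solomon code GRS_k(x, v): rows v_j * x_j^i for i < k,
    with n distinct points x_j in GF(p) and nonzero multipliers v_j (seeded toy data)."""
    rng = random.Random(seed)
    xs = rng.sample(range(p), n)                  # distinct evaluation points, n <= p
    vs = [rng.randrange(1, p) for _ in range(n)]  # nonzero column multipliers
    return [[(v * pow(x, i, p)) % p for x, v in zip(xs, vs)] for i in range(k)]


def random_generator(n, k, p=P, seed=2):
    """Uniformly random k x n generator matrix over GF(p) (seeded toy data)."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def distinguish(gen, p=P):
    """[FGO+11]-style test: (dim C^perp, dim (C^perp)^2, dimension a random code reaches)."""
    dual = dual_code(gen, p)
    r, n = len(dual), len(gen[0])
    return r, square_code_dim(dual, p), min(n, r * (r + 1) // 2)


def looks_structured(gen, p=P):
    """True when the square of the dual is smaller than the random-code expectation."""
    _, sq, expected = distinguish(gen, p)
    return sq < expected


if __name__ == "__main__":
    for name, gen in (("GRS [24,19]", grs_generator(24, 19)),
                      ("random [24,19]", random_generator(24, 19))):
        r, sq, expected = distinguish(gen)
        print(f"{name}: dim dual = {r}, dim dual^2 = {sq}, "
              f"random expectation = {expected}, structured = {sq < expected}")
```

The gap is only visible while $r(r+1)/2$ stays below $n$, that is, while the dual is small enough (a high-rate code, which is the McEliece setting). Run on the $[24,19]$ code itself rather than its dual, both dimensions are capped at $n = 24$ and nothing is learned; that is the "narrow parameter regime" limitation of [FGO+11] which the abstract contrasts with the new skew-symmetric matrix distinguisher.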