We introduce a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. These forms are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ that uses a Gröbner basis modeling of the fact that a skew-symmetric matrix is of rank $2$. This allows us to analyze the complexity of solving the corresponding algebraic system with Gröbner basis techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher for the latter code family. We give a bound on its complexity, which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. The new distinguisher is also polynomial in the parameter regime necessary for [FGO+11] but, contrary to the previous one, is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial-time attack on the McEliece cryptosystem, provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.
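To make the "space of quadratic relationships" and its low-rank elements concrete, here is a toy illustration in odd characteristic. It is an added example, not code from the paper. It assumes a small generalized Reed-Solomon code over GF(13) as a stand-in for the polynomial structure (the paper works with the dual of an alternant or Goppa code), and all function names, the support points and the multipliers are constructed for the illustration.

```python
# Added toy example: quadratic relations in a GRS code over GF(13) (odd characteristic).
from itertools import combinations_with_replacement
import random

P = 13  # assumed toy field size

def rank_mod_p(rows, p=P):
    """Rank over GF(p) by Gauss-Jordan elimination."""
    m, rank = [[v % p for v in r] for r in rows], 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [v * inv % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def relation_space_dim(basis, p=P):
    """dim of {(m_ab), a<=b : sum m_ab * (c_a * c_b) = 0}, * = component-wise product."""
    pairs = combinations_with_replacement(range(len(basis)), 2)
    prods = [[x * y % p for x, y in zip(basis[a], basis[b])] for a, b in pairs]
    return len(prods) - rank_mod_p(prods, p)

def grs_basis(k, xs, ys, p=P):
    """Rows c_a = (y_i * x_i^a), a = 0..k-1: evaluations of y * x^a."""
    return [[y * pow(x, a, p) % p for x, y in zip(xs, ys)] for a in range(k)]

def form_vanishes(M, basis, p=P):
    """True if sum_{a,b} M[a][b] * c_a * c_b is the zero vector."""
    k = len(basis)
    return all(sum(M[a][b] * col[a] * col[b] for a in range(k) for b in range(k)) % p == 0
               for col in zip(*basis))

def low_rank_relation(k, p=P):
    """Symmetric matrix of the relation c_0 * c_2 = c_1 * c_1 (x^0 * x^2 = x^1 * x^1)."""
    M = [[0] * k for _ in range(k)]
    M[0][2] = M[2][0] = pow(2, -1, p)  # off-diagonal entries carry half the coefficient
    M[1][1] = p - 1
    return M

# Constructed sample inputs: 12 distinct support points, nonzero multipliers, dimension 4.
XS, YS, K = list(range(1, 13)), [pow(2, i, P) for i in range(12)], 4
GRS = grs_basis(K, XS, YS)
rng = random.Random(1)
RANDOM = [[rng.randrange(P) for _ in range(12)] for _ in range(K)]

if __name__ == "__main__":
    print("GRS relation space dim:", relation_space_dim(GRS))  # 3 = C(5,2) - (2*4 - 1)
    print("random code relation space dim:", relation_space_dim(RANDOM))
    M = low_rank_relation(K)
    print("relation holds / rank:", form_vanishes(M, GRS), rank_mod_p(M))
```

For a random code of the same length and dimension, the 10 pairwise products are linearly independent with high probability, so its relation space is expected to be trivial, while the structured code always has a 3-dimensional one containing a rank-3 matrix.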