We introduce a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. These are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ that uses a Gröbner basis modeling of the condition that a skew-symmetric matrix is of rank $2$. This allows us to analyze the complexity of solving the corresponding algebraic system with Gröbner basis techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code, which gives a distinguisher for the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial in the parameter regime necessary for [FGO+11] but, unlike the previous one, is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial-time attack on the McEliece cryptosystem, provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.