Abstract
We consider the McEliece cryptosystem with a binary Goppa code $C \subset \mathbb{F}_2^n$ specified by an irreducible Goppa polynomial $g(x) \in \mathbb{F}_{2^m}[X]$ and Goppa points $(\alpha_1, \ldots, \alpha_n) \in \mathbb{F}_{2^m}^n$. Since $g(x)$ together with the $\alpha_i$'s allow for efficient decoding, these parameters form McEliece secret keys. Such a Goppa code $C$ is an $(n - tm)$-dimensional subspace of $\mathbb{F}_2^n$, and therefore $C$ has co-dimension $tm$. For typical McEliece instantiations we have $tm \approx \frac{n}{4}$.

We show that knowing more than $tm$ of the Goppa points allows one to recover the Goppa polynomial $g(x)$ and the remaining entries in polynomial time. Hence, in case $tm \approx \frac{n}{4}$, roughly a fourth of a McEliece secret key is sufficient to recover the full key efficiently.

Let us give an illustrative numerical example. For ClassicMcEliece with $(n, t, m) = (3488, 64, 12)$, on input $64 \cdot 12 + 1 = 769$ Goppa points, we recover the remaining $3488 - 769 = 2719$ Goppa points in $\mathbb{F}_{2^{12}}$ and the degree-64 Goppa polynomial $g(x) \in \mathbb{F}_{2^{12}}[x]$ in 60 secs.

Our results also extend to the case of erroneous Goppa points, but in this case our algorithms are no longer polynomial time.
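To make the key structure concrete, the following added example (not code from the paper) builds the binary parity-check matrix of a toy Goppa code from its secret key $(g, \alpha_1, \ldots, \alpha_n)$ and confirms that the code has co-dimension $tm$. The parameters $(n, t, m) = (16, 2, 4)$, the field modulus $x^4 + x + 1$ and the polynomial $g(x) = x^2 + x + a^3$ are assumptions chosen for illustration; the paper's recovery algorithm is not implemented here.

```python
# Toy binary Goppa code (constructed parameters, not a Classic McEliece set).
M, T = 4, 2                   # F_{2^m} with m = 4, Goppa polynomial degree t = 2
MOD = 0b10011                 # assumed field modulus x^4 + x + 1
G = [1, 1, 0b1000]            # assumed g(x) = x^2 + x + a^3, coefficients high to low
ALPHAS = list(range(1 << M))  # Goppa points: all n = 16 field elements

def gf_mul(a, b):
    """Multiply in F_{2^m}: carry-less multiply, reducing by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M:
            a ^= MOD
        b >>= 1
    return r

def gf_inv(a):
    """Inverse computed as a^(2^m - 2); a must be nonzero."""
    r = 1
    for _ in range((1 << M) - 2):
        r = gf_mul(r, a)
    return r

def poly_eval(g, x):
    """Horner evaluation of g at x."""
    r = 0
    for c in g:
        r = gf_mul(r, x) ^ c
    return r

def parity_check(g, alphas):
    """tm binary rows (n-bit ints) from H[i][j] = alpha_j^i / g(alpha_j)."""
    rows = [0] * (T * M)
    for j, a in enumerate(alphas):
        entry = gf_inv(poly_eval(g, a))  # i = 0; g has no root among alphas
        for i in range(T):
            for bit in range(M):
                rows[i * M + bit] |= ((entry >> bit) & 1) << j
            entry = gf_mul(entry, a)
    return rows

def codimension(g, alphas):
    """Rank of the binary parity-check matrix over F_2."""
    rows, rank = parity_check(g, alphas), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank
```

Here `codimension(G, ALPHAS)` equals $tm = 8$, so the toy code is an 8-dimensional subspace of $\mathbb{F}_2^{16}$, and $g$ together with the ordered points is exactly the secret material the abstract refers to.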