Abstract

A very popular trend in code-based cryptography is to decrease the public-key size by focusing on subclasses of alternant/Goppa codes which admit a very compact public matrix, typically quasi-cyclic ($\mathrm{QC}$), quasi-dyadic ($\mathrm{QD}$), or quasi-monoidic ($\mathrm{QM}$) matrices. We show that the very same reason which allows one to construct a compact public key makes the key-recovery problem intrinsically much easier. The gain on the public-key size induces an important security drop, which is as large as the compression factor $p$ on the public key. The fundamental remark is that from the $k\times n$ public generator matrix of a compact McEliece scheme, one can construct a $k/p \times n/p$ generator matrix which is, from an attacker's point of view, as good as the initial public key. We call this new smaller code the folded code. Any key-recovery attack can be deployed equivalently on this smaller generator matrix. To mount the key recovery in practice, we also improve the algebraic technique of Faugere, Otmani, Perret and Tillich (FOPT). In particular, we introduce new algebraic equations allowing us to include codes defined over any prime field in the scope of our attack. We describe a so-called structural elimination, a new algebraic manipulation which simplifies the key-recovery system. As a proof of concept, we report successful attacks on many cryptographic parameters available in the literature. All the parameters of CFS signatures based on $\mathrm{QD}$/$\mathrm{QM}$ codes that have been proposed can be broken by this approach. In most cases, our attack takes a few seconds (the hardest case requires less than 2 h). In the encryption case, the algebraic systems are harder to solve in practice. Still, our attack succeeds against several cryptographic challenges proposed for $\mathrm{QD}$ and $\mathrm{QM}$ encryption schemes.
We mention that some parameters that have been proposed in the literature remain out of reach of the methods given here. However, regardless of the key-recovery attack used against the folded code, there is an inherent weakness arising from Goppa codes with $\mathrm{QM}$ or $\mathrm{QD}$ symmetries. Indeed, the security of such schemes does not rely on the bigger compact public matrix but on the small folded code, which can be efficiently broken in practice with an algebraic attack for a large set of parameters.
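The folding step described in the abstract, as an added illustration that is not the paper's own code: a quasi-cyclic $k\times n$ generator matrix over a prime field $\mathrm{GF}(q)$ built from $p\times p$ circulant blocks is folded by summing the coordinates of each orbit of the block-wise cyclic shift. The summing map, the field size and the toy dimensions are assumptions of this example; because every row of a block row folds to the same vector, the folded code is already described by a $(k/p)\times(n/p)$ matrix, which is the reduction the abstract warns about.

```python
# Constructed toy example: folding a quasi-cyclic generator matrix over GF(q).
# Folding is assumed here to sum the coordinates of each orbit of the
# block-wise cyclic shift sigma (one orbit = the p columns of one block).
import random

def circulant(first_row):
    """p x p circulant matrix whose rows are cyclic shifts of first_row."""
    p = len(first_row)
    return [[first_row[(c - r) % p] for c in range(p)] for r in range(p)]

def qc_generator(k, n, p, q, seed=0):
    """Random k x n quasi-cyclic matrix over GF(q) made of p x p circulant blocks."""
    assert k % p == 0 and n % p == 0
    rng = random.Random(seed)
    blocks = [[circulant([rng.randrange(q) for _ in range(p)]) for _ in range(n // p)]
              for _ in range(k // p)]
    return [[blocks[i // p][j // p][i % p][j % p] for j in range(n)] for i in range(k)]

def fold(G, p, q):
    """Apply the folding map row by row: sum the p coordinates of every orbit."""
    return [[sum(row[j * p:(j + 1) * p]) % q for j in range(len(row) // p)] for row in G]

def rank_mod_q(M, q):
    """Rank over the prime field GF(q) by Gaussian elimination."""
    M = [row[:] for row in M]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c] % q), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], -1, q)
        M[rank] = [(x * inv) % q for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                f = M[r][c]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank

def folded_generator(G, p, q):
    """The (k/p) x (n/p) matrix generating the folded code.

    A circulant row is a permutation of its first row, so all p rows of a block
    row fold to the same vector; keeping one representative per block row
    loses nothing, which is exactly the compression-factor drop in security.
    """
    F = fold(G, p, q)
    reps = [F[i] for i in range(0, len(F), p)]
    for i in range(len(F)):
        assert F[i] == reps[i // p]  # duplicates carry no extra information
    return reps
```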
