Vulnerabilities of the McEliece Variants Based on Polar Codes

Abstract

Several variants of the McEliece public key encryption scheme present interesting properties for post-quantum cryptography. In this article we pursue a study of one potential variation, namely the McEliece scheme based on polar codes, and, more generally, based on any weakly decreasing monomial code. Recently, both polar as well as Reed-Muller codes were redefined using a polynomial formalism using different partial orders on the set of monomials over the ring of polynomials of m variables with coefficients in \(\mathbb {F}_2\). We use this approach to study the star product of two weakly decreasing monomial codes and determine its dimension. With these results at hand, we will identify particular types of weakly decreasing monomial codes for which the star product allows for an efficient distinguisher. These results support our quest for efficient key recovery attacks against these variants of the McEliece scheme.

A.1 Computing the Dimension for Weakly Decreasing Monomial Codes

Example 1

Let \(I=[1,x_0x_1]_{\preceq _{{\mathrm {w}}}}\cup [1,x_0x_2]_{\preceq _{{\mathrm {w}}}}\cup [1,x_1x_3]_{\preceq _{{\mathrm {w}}}}\). We observe that I is a weakly decreasing set and it is not a decreasing set. If we apply our formula step by step we obtain

1. 1.

   The first step is to compute the cardinality of all the intervals \([1,g_i]_{\preceq _{{\mathrm {w}}}}\).

   • \(\left| [1,x_0x_1]_{\preceq _{{\mathrm {w}}}}\right| =\left| \{1,x_0,x_1,x_0x_1\}\right| =2^2\).

   • \(\left| [1,x_0x_2]_{\preceq _{{\mathrm {w}}}}\right| =\left| \{1,x_0,x_2,x_0x_2\}\right| =2^2\).

   • \(\left| [1,x_1x_3]_{\preceq _{{\mathrm {w}}}}\right| =\left| \{1,x_1,x_3,x_1x_3\}\right| =2^2\).

     which gives a total of 12 elements.

2. 2.

   The second step computes the cardinality of the intervals \([1,\gcd (g_i,g_j)]_{\preceq _{{\mathrm {w}}}}\)

   • \(\left| [1,x_0]_{\preceq _{{\mathrm {w}}}}\right| =\left| \{1,x_0\}\right| =2^1.\)

   • \(\left| [1,x_1]_{\preceq _{{\mathrm {w}}}}\right| =\left| \{1,x_1\}\right| =2^1.\)

   • \(\left| [1]\right| =\left| \{1\}\right| =2^0.\)

     which gives a total of 5 elements and an updated sum of 7.

3. 3.

   The third and last step determines the cardinality of the interval \([1,\gcd (x_0x_1,x_0x_2,x_1x_3)]_{\preceq _{{\mathrm {w}}}}=\{1\}\). So, we have only one element and the dimension of the code is

   $$\begin{aligned} \mathrm {dim}(\mathscr {C}(I))=8. \end{aligned}$$

Remark 2

Another way of computing the formula is to use the set of indices \(\{\text {ind}(g_i)\}_{g_i\in I_{\max _{\preceq _{{\mathrm {w}}}}}}\). Take for example \(m=5\) and

$$I_{\max _{\preceq _{{\mathrm {w}}}}}=\{x_0x_1x_2,x_0x_2x_4,x_2x_4,x_0x_1x_3x_4\},$$

which gives the set of indices \(\text {ind}(I_{\max _{\preceq _{{\mathrm {w}}}}})=\{\{0,1,2\},\{0,2,3\},\{2,4\},\{0,1,3,4\}\}\). By applying our formula we obtain

$$\begin{aligned} \mathrm {dim}(\mathscr {C}(I))=2*2^3+2^2+2^4-(2^2+2+2^2+2+2+2^2+2)+(2+2+1)-1=22. \end{aligned}$$