Abstract
We consider the McEliece cryptosystem with a binary Goppa code \(C \subset {{\mathbb F}}_2^n\) specified by an irreducible Goppa polynomial \(g(x) \in {{\mathbb F}}_{2^m}[X]\) and Goppa points \((\alpha _1, \ldots , \alpha _n) \in {{\mathbb F}}_{2^m}^n\). Since g(x) together with the Goppa points allow for efficient decoding, these parameters form McEliece secret keys. Such a Goppa code C is an \((n-tm)\)-dimensional subspace of \({{\mathbb F}}_2^n\), and therefore C has co-dimension tm. For typical McEliece instantiations we have \(tm \approx \frac{n}{4}\).
We show that, given more than tm entries of the Goppa point vector \((\alpha _1, \ldots , \alpha _n)\), one can recover the Goppa polynomial g(x) and the remaining entries in polynomial time. Hence, in the case \(tm \approx \frac{n}{4}\), roughly a fourth of a McEliece secret key is sufficient to recover the full key efficiently.
Let us give some illustrative numerical examples. For ClassicMcEliece with \((n,t,m)=(3488,64,12)\) on input \(64\cdot 12+1=769\) Goppa points, we recover the remaining \(3488-769=2719\) Goppa points in \({{\mathbb F}}_{2^{12}}\) and the degree-64 Goppa polynomial \(g(x) \in {{\mathbb F}}_{2^{12}}[x]\) in 60 s.
For ClassicMcEliece with \((n,t,m)=(8192,128,13)\) on input \(128\cdot 13+1=1665\) Goppa points, we recover the remaining \(8192-1665=6529\) Goppa points in \({{\mathbb F}}_{2^{13}}\) and the degree-128 Goppa polynomial \(g(x) \in {{\mathbb F}}_{2^{13}}[x]\) in 288 s.
Our results also extend to the case of erroneous Goppa points, but in this case our algorithms are no longer polynomial time.
Acknowledgments
Elena Kirshanova is supported by the Young Russian Mathematics scholarship and by the Russian Science Foundation grant N 22-41-04411, https://rscf.ru/project/22-41-04411/. Alexander May is funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) – grants 465120249; 390781972.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Kirshanova, E., May, A. (2022). Decoding McEliece with a Hint – Secret Goppa Key Parts Reveal Everything. In: Galdi, C., Jarecki, S. (eds) Security and Cryptography for Networks. SCN 2022. Lecture Notes in Computer Science, vol 13409. Springer, Cham. https://doi.org/10.1007/978-3-031-14791-3_1
DOI: https://doi.org/10.1007/978-3-031-14791-3_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-14790-6
Online ISBN: 978-3-031-14791-3
eBook Packages: Computer Science, Computer Science (R0)