36 research outputs found

    Feng-Rao decoding of primary codes

    We show that the Feng-Rao bound for dual codes and a similar bound by Andersen and Geil [H.E. Andersen and O. Geil, Evaluation codes from order domain theory, Finite Fields Appl., 14 (2008), pp. 92-123] for primary codes are consequences of each other. This implies that the Feng-Rao decoding algorithm can be applied to decode primary codes up to half their designed minimum distance. The technique applies to any linear code for which information on well-behaving pairs is available. Consequently we are able to decode efficiently a large class of codes for which no non-trivial decoding algorithm was previously known. Among those are important families of multivariate polynomial codes. Matsumoto and Miura in [R. Matsumoto and S. Miura, On the Feng-Rao bound for the L-construction of algebraic geometry codes, IEICE Trans. Fundamentals, E83-A (2000), pp. 926-930] (See also [P. Beelen and T. Høholdt, The decoding of algebraic geometry codes, in Advances in algebraic geometry codes, pp. 49-98]) derived from the Feng-Rao bound a bound for primary one-point algebraic geometric codes and showed how to decode up to what is guaranteed by their bound. The exposition by Matsumoto and Miura requires the use of differentials which was not needed in [Andersen and Geil 2008]. Nevertheless we demonstrate a very strong connection between Matsumoto and Miura's bound and Andersen and Geil's bound when applied to primary one-point algebraic geometric codes. Comment: elsarticle.cls, 23 pages, no figure. Version 3 added citations to the works by I.M. Duursma and R. Pellikaa

    On the complexity of computing Gröbner bases for weighted homogeneous systems

    Solving polynomial systems arising from applications is frequently made easier by the structure of the systems. Weighted homogeneity (or quasi-homogeneity) is one example of such a structure: given a system of weights $W=(w_{1},\dots,w_{n})$, $W$-homogeneous polynomials are polynomials which are homogeneous w.r.t the weighted degree $\deg_{W}(X_{1}^{\alpha_{1}},\dots,X_{n}^{\alpha_{n}}) = \sum w_{i}\alpha_{i}$. Gröbner bases for weighted homogeneous systems can be computed by adapting existing algorithms for homogeneous systems to the weighted homogeneous case. We show that in this case, the complexity estimate for Algorithm F5 $\left(\binom{n+d_{\max}-1}{d_{\max}}^{\omega}\right)$ can be divided by a factor $\left(\prod w_{i}\right)^{\omega}$. For zero-dimensional systems, the complexity of Algorithm FGLM $nD^{\omega}$ (where $D$ is the number of solutions of the system) can be divided by the same factor $\left(\prod w_{i}\right)^{\omega}$. Under genericity assumptions, for zero-dimensional weighted homogeneous systems of $W$-degree $(d_{1},\dots,d_{n})$, these complexity estimates are polynomial in the weighted Bézout bound $\prod_{i=1}^{n}d_{i} / \prod_{i=1}^{n}w_{i}$. Furthermore, the maximum degree reached in a run of Algorithm F5 is bounded by the weighted Macaulay bound $\sum (d_{i}-w_{i}) + w_{n}$, and this bound is sharp if we can order the weights so that $w_{n}=1$. For overdetermined semi-regular systems, estimates from the homogeneous case can be adapted to the weighted case. We provide some experimental results based on systems arising from a cryptography problem and from polynomial inversion problems. They show that taking advantage of the weighted homogeneous structure yields substantial speed-ups, and allows us to solve systems which were otherwise out of reach

    Polynomial time attack on high rate random alternant codes

    A long standing open question is whether the distinguisher of high rate alternant codes or Goppa codes [FGOPT11] can be turned into an algorithm recovering the algebraic structure of such codes from the mere knowledge of an arbitrary generator matrix of it. This would allow to break the McEliece scheme as soon as the code rate is large enough and would break all instances of the CFS signature scheme. We give for the first time a positive answer for this problem when the code is a generic alternant code and when the code field size $q$ is small: $q \in \{2,3\}$ and for all regimes of other parameters for which the aforementioned distinguisher works. This breakthrough has been obtained by two different ingredients: (i) a way of using code shortening and the component-wise product of codes to derive from the original alternant code a sequence of alternant codes of decreasing degree up to getting an alternant code of degree $3$ (with a multiplier and support related to those of the original alternant code); (ii) an original Gröbner basis approach which takes into account the non standard constraints on the multiplier and support of an alternant code which recovers in polynomial time the relevant algebraic structure of an alternant code of degree $3$ from the mere knowledge of a basis for it

    List Decoding of Algebraic Codes


    On the matrix code of quadratic relationships for a Goppa code

    In this article, we continue the analysis started in [CMT23] for the matrix code of quadratic relationships associated with a Goppa code. We provide new sparse and low-rank elements in the matrix code and categorize them according to their shape. Thanks to this description, we prove that the set of rank 2 matrices in the matrix codes associated with square-free binary Goppa codes, i.e. those used in Classic McEliece, is much larger than what is expected, at least in the case where the Goppa polynomial degree is 2. We build upon the algebraic determinantal modeling introduced in [CMT23] to derive a structural attack on these instances. Our method can break in just a few seconds some recent challenges about key-recovery attacks on the McEliece cryptosystem, consistently reducing their estimated security level. We also provide a general method, valid for any Goppa polynomial degree, to transform a generic pair of support and multiplier into a pair of support and Goppa polynomial

    A Combinatorial Commutative Algebra Approach to Complete Decoding

    This thesis aims to explore the link between the algebraic structure of a linear code and the complete decoding process. We know that complete decoding for arbitrary linear codes is NP-complete, even if preprocessing of the data is allowed. Our goal is to carry out an algebraic analysis of the decoding process; to that end, we associate different mathematical structures with certain families of codes. From a computational point of view, our description does not provide an efficient algorithm, since we are facing a problem of NP nature. However, we propose alternative algorithms and new techniques that relax the conditions of the problem, reducing the space and time resources needed to handle this algebraic structure. Departamento de Algebra, Geometría y Topologí