A characterization of MDS codes that have an error correcting pair

Error-correcting pairs were introduced in 1988 by R. Pellikaan, and were found independently by R. K\"otter (1992), as a general algebraic method of decoding linear codes. These pairs exist for several classes of codes. However little or no study has been made for characterizing those codes. This article is an attempt to fill the vacuum left by the literature concerning this subject. Since every linear code is contained in an MDS code of the same minimum distance over some finite field extension we have focused our study on the class of MDS codes. Our main result states that an MDS code of minimum distance $2t+1$ has a $t$-ECP if and only if it is a generalized Reed-Solomon code. A second proof is given using recent results Mirandola and Z\'emor (2015) on the Schur product of codes

Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes

We give a polynomial time attack on the McEliece public key cryptosystem based on subcodes of algebraic geometry (AG) codes. The proposed attack reposes on the distinguishability of such codes from random codes using the Schur product. Wieschebrink treated the genus zero case a few years ago but his approach cannot be extent straightforwardly to other genera. We address this problem by introducing and using a new notion, which we call the t-closure of a code

Cryptanalysis of McEliece Cryptosystem Based on Algebraic Geometry Codes and their subcodes

We give polynomial time attacks on the McEliece public key cryptosystem based either on algebraic geometry (AG) codes or on small codimensional subcodes of AG codes. These attacks consist in the blind reconstruction either of an Error Correcting Pair (ECP), or an Error Correcting Array (ECA) from the single data of an arbitrary generator matrix of a code. An ECP provides a decoding algorithm that corrects up to $\frac{d^*-1-g}{2}$ errors, where $d^*$ denotes the designed distance and $g$ denotes the genus of the corresponding curve, while with an ECA the decoding algorithm corrects up to $\frac{d^*-1}{2}$ errors. Roughly speaking, for a public code of length $n$ over $\mathbb F_q$, these attacks run in $O(n^4\log (n))$ operations in $\mathbb F_q$ for the reconstruction of an ECP and $O(n^5)$ operations for the reconstruction of an ECA. A probabilistic shortcut allows to reduce the complexities respectively to $O(n^{3+\varepsilon} \log (n))$ and $O(n^{4+\varepsilon})$. Compared to the previous known attack due to Faure and Minder, our attack is efficient on codes from curves of arbitrary genus. Furthermore, we investigate how far these methods apply to subcodes of AG codes.Comment: A part of the material of this article has been published at the conferences ISIT 2014 with title "A polynomial time attack against AG code based PKC" and 4ICMCTA with title "Crypt. of PKC that use subcodes of AG codes". This long version includes detailed proofs and new results: the proceedings articles only considered the reconstruction of ECP while we discuss here the reconstruction of EC

Error-correcting pairs: a new approach to code-based cryptography

International audienceMcEliece proposed the first public-key cryptosystem based on linear error-correcting codes. A code with an efficient bounded distance decoding algorithm is chosen as secret key. It is assumed that the chosen code looks like a random code. The known efficient bounded distance decoding algorithms of the families of codes proposed for code-based cryptography, like Reed-Solomon codes, Goppa codes, alternant codes or algebraic geometry codes, can be described in terms of error-correcting pairs (ECP). That means that, the McEliece cryptosystem is not only based on the intractability of bounded distance decoding but also on the problem of retrieving an error-correcting pair from the public code. In this article we propose the class of codes with a t-ECP whose error-correcting pair that is not easily reconstructed from of a given generator matrix

Integral closures and weight functions over finite fields

AbstractCurves and surfaces of type I are generalized to integral towers of rank r. Weight functions with values in Nr and the corresponding weighted total-degree monomial orderings lift naturally from one domain Rj−1 in the tower to the next, Rj, the integral closure of Rj−1[xj]/〈φ(xj)〉. The qth power algorithm is reworked in this more general setting to produce this integral closure over finite fields, though the application is primarily that of calculating the normalizations of curves related to one-point AG codes arising from towers of function fields. Every attempt has been made to couch all the theory in terms of multivariate polynomial rings and ideals instead of the terminology from algebraic geometry or function field theory, and to avoid the use of any type of series expansion