Paper 2025/632

On breaking McEliece keys using brute force

Lorenz Panny, Technische Universität München, Germany
Abstract

In the McEliece public-key encryption scheme, a private key is almost always not determined uniquely by its associated public key. This paper gives a structural characterization of equivalent private keys, generalizing a result known for the more approachable special case $\lvert L\rvert=q$. These equivalences reduce the cost estimate for a simple private-key search using the support-splitting algorithm (SSA) by a polynomial but practically very substantial factor. We provide an optimized software implementation of the SSA for this kind of key search and demonstrate its capabilities in practice by solving a key-recovery challenge with a naïve a‑priori cost estimate of $2^{83}$ bit operations in just ${\approx}\,1400$ core days, testing ${\approx}\,9400$ private-key candidates per core and second in the process. We stress that the speedup from those equivalences is merely polynomial and does not indicate any weakness in realistic instantiations of the McEliece cryptosystem, whose parameter choices are primarily constrained by decoding attacks rather than ludicrously more expensive key-recovery attacks.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Preprint.
Keywords
code-based cryptographyconcrete cryptanalysisGoppa codes
Contact author(s)
lorenz @ yx7 cc
History
2025-04-11: approved
2025-04-07: received
See all versions
Short URL
https://ia.cr/2025/632
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/632,
      author = {Lorenz Panny},
      title = {On breaking {McEliece} keys using brute force},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/632},
      year = {2025},
      url = {https://eprint.iacr.org/2025/632}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.