Decoding McEliece with a Hint - Secret Goppa Key Parts Reveal Everything.

IACR Cryptology ePrint Archive (2022)

Abstract
We consider the McEliece cryptosystem with a binary Goppa code $C \subset \mathbb{F}_2^n$ specified by an irreducible Goppa polynomial $g(x) \in \mathbb{F}_{2^m}[x]$ and Goppa points $(\alpha_1, \ldots, \alpha_n) \in \mathbb{F}_{2^m}^n$. Since $g(x)$ together with the Goppa points allows for efficient decoding, these parameters form McEliece secret keys. Such a Goppa code $C$ is an $(n - tm)$-dimensional subspace of $\mathbb{F}_2^n$, and therefore $C$ has co-dimension $tm$. For typical McEliece instantiations we have $tm \approx n/4$. We show that knowledge of more than $tm$ entries of the Goppa point vector $(\alpha_1, \ldots, \alpha_n)$ allows recovery of the Goppa polynomial $g(x)$ and the remaining entries in polynomial time. Hence, in the case $tm \approx n/4$, roughly a fourth of a McEliece secret key is sufficient to recover the full key efficiently. Let us give some illustrative numerical examples. For Classic McEliece with $(n, t, m) = (3488, 64, 12)$, on input $64 \cdot 12 + 1 = 769$ Goppa points, we recover the remaining $3488 - 769 = 2719$ Goppa points in $\mathbb{F}_{2^{12}}$ and the degree-64 Goppa polynomial $g(x) \in \mathbb{F}_{2^{12}}[x]$ in 60 s. For Classic McEliece with $(n, t, m) = (8192, 128, 13)$, on input $128 \cdot 13 + 1 = 1665$ Goppa points, we recover the remaining $8192 - 1665 = 6529$ Goppa points in $\mathbb{F}_{2^{13}}$ and the degree-128 Goppa polynomial $g(x) \in \mathbb{F}_{2^{13}}[x]$ in 288 s. Our results also extend to the case of erroneous Goppa points, but in this case our algorithms are no longer polynomial time.
Keywords
Classic McEliece, Code-based cryptography, Cryptanalysis, Partial key exposure