
Is there a cryptographic reason for using an irreducible Goppa polynomial $g$ in the McEliece scheme? One doesn't need irreducibility to define a usable code, so I assume there is some structural attack against reducible polynomials? [One caveat is that the presentation I've seen for Patterson decoding uses irreducibility, but one doesn't need to use that algorithm (and it isn't used in e.g. the FPGA implementation here).]

The key generation is already annoying enough without enforcing irreducibility IMHO. The only thing I can think of is that irreducibility definitely ensures that the support $L$ is disjoint from the zeros of $g$ while maintaining uniform distributions on the choice of $g$ and $L$.

yoyo

1 Answer


As you note, $g(X)$ cannot have any roots in $L$ and so we must perform at least one polynomial GCD to check this.

For binary Goppa codes, we must also check that $g(X)$ has no repeated roots, else the minimum distance proof may break down. This will require another GCD check.

Irreducibility precludes both of these situations as well as irritating issues with Patterson’s algorithm (I think that Patterson may be asymptotically faster than Sendrier’s Berlekamp-Massey variant, but I am not sure). The complexity of Rabin’s test is not going to be much worse than the tests that we must already do, so for a one-off piece of key generation we might as well do that.

Daniel S
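As an added illustration (not code from the question or the answer), here are the three checks the answer describes, run on a toy instance: root-freeness of $g$ on the support $L$, squarefreeness via $\gcd(g, g')$, and irreducibility via Rabin's test. The field $\mathrm{GF}(2^4)$ with modulus $x^4+x+1$, the support and the candidate polynomials are all constructed for the example and are far smaller than real McEliece parameters.

```python
M, MOD = 4, 0b10011; Q = 1 << M   # constructed toy field GF(2^4), modulus x^4 + x + 1
def gf_mul(a, b):                 # GF(2^m) multiply, elements as m-bit ints
    r = 0
    while b:
        if b & 1: r ^= a
        b, a = b >> 1, a << 1
        if a & Q: a ^= MOD
    return r
gf_inv = lambda a: next(x for x in range(1, Q) if gf_mul(a, x) == 1)  # brute force, toy size
def trim(p):                      # polys are coefficient lists, lowest degree first, no trailing zeros
    while p and p[-1] == 0: p.pop()
    return p
def padd(a, b):                   # addition = XOR in characteristic 2
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return trim([x ^ y for x, y in zip(a, b)])
def pmul(a, b):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b): r[i + j] ^= gf_mul(x, y)
    return trim(r)
def pmod(a, b):                   # remainder of a modulo nonzero b
    a, inv = list(a), gf_inv(b[-1])
    while len(a) >= len(b):
        c, d = gf_mul(a[-1], inv), len(a) - len(b)
        for i, y in enumerate(b): a[i + d] ^= gf_mul(c, y)
        trim(a)
    return a
def pgcd(a, b):                   # only deg(gcd) matters below, so the result is left non-monic
    while b: a, b = b, pmod(a, b)
    return a
def ppowmod(base, e, g):          # base^e mod g by square-and-multiply
    r = [1]
    while e:
        if e & 1: r = pmod(pmul(r, base), g)
        base, e = pmod(pmul(base, base), g), e >> 1
    return r
def peval(g, a):                  # Horner evaluation of g at a; g(a) == 0 for some a in L means a root in L
    v = 0
    for c in reversed(g): v = gf_mul(v, a) ^ c
    return v
def is_squarefree(g):             # gcd(g, g') must be constant; in char 2, g' keeps only odd-degree terms
    return len(pgcd(g, trim([g[i] if i % 2 else 0 for i in range(1, len(g))]))) == 1
def is_irreducible(g):            # Rabin: X^(q^t) == X mod g and gcd(X^(q^(t/p)) - X, g) == 1 for primes p | t
    t, x = len(g) - 1, [0, 1]
    if ppowmod(x, Q ** t, g) != pmod(x, g): return False
    for p in [p for p in range(2, t + 1) if t % p == 0 and all(p % d for d in range(2, p))]:
        if len(pgcd(g, padd(ppowmod(x, Q ** (t // p), g), x))) != 1: return False
    return True
def check_goppa_poly(g, L):       # (no root in L, squarefree, irreducible) for candidate g
    return (all(peval(g, a) for a in L), is_squarefree(g), is_irreducible(g))
```

With support $L$ = all field elements except 0 and 1, the irreducible $X^2+X+\alpha^3$ passes all three checks, $(X+1)(X+\alpha)$ is squarefree but reducible and has a root in $L$, and $(X+1)^2$ avoids $L$ but fails the squarefree test; the first check alone would not have caught the last case.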