This work addresses the long-standing problem of distinguishing Goppa codes from alternant codes in the Classic McEliece post-quantum cryptosystem—a task previously believed to require exponential time. We propose the first subexponential distinguisher, breaking a fundamental exponential barrier in structural cryptanalysis. Methodologically, we introduce the graded Betti numbers of the homogeneous coordinate ring of shortened dual codes as a novel algebraic invariant—combining tools from algebraic geometry of codes, commutative algebra, and structural code analysis—thereby eliminating reliance on restrictive parameter assumptions (e.g., high code rate or large field size) inherent in prior distinguishers. Our distinguisher successfully identifies Goppa codes under NIST-standardized parameters with complexity substantially lower than generic decoding attacks. This represents the first structural advance in McEliece cryptanalysis that provably transcends exponential complexity, marking a paradigm shift in the algebraic understanding of alternant-based public-key schemes.

We present a new distinguisher for alternant and Goppa codes, whose complexity is subexponential in the error-correcting capability, hence better than that of generic decoding algorithms. Moreover it does not suffer from the strong regime limitations of the previous distinguishers or structure recovery algorithms: in particular, it applies to the codes used in the Classic McEliece candidate for postquantum cryptography standardization. The invariants that allow us to distinguish are graded Betti numbers of the homogeneous coordinate ring of a shortening of the dual code. Since its introduction in 1978, this is the first time an analysis of the McEliece cryptosystem breaks the exponential barrier.