A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes
Valérie Gauthier, Ayoub Otmani, Jean-Pierre Tillich

TL;DR
This paper presents a distinguisher-based attack on a homomorphic encryption scheme built on Reed-Solomon codes, exploiting properties of the code's square code to recover secret parameters and break the scheme.
Contribution
The authors develop a novel distinguisher that detects secret code columns, enabling full recovery of secret parameters and compromising the encryption scheme.
Findings
The attack can recover the secret set L from the public code.
The dimension of the punctured square code reveals the intersection with L.
The attack enables decryption of any ciphertext in the scheme.
Abstract
Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set . We give here a distinguisher that detects if one or several columns belong to or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of with . This allows an attack which recovers the full set and…
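To make the square-code property in the abstract concrete, the following added example (not code from the paper or its authors) shows the general fact behind the distinguisher: the square of a Reed-Solomon code of dimension k has dimension only 2k-1, also after puncturing to a subset of columns, while the square of a random code is much larger. The field GF(97), the sizes k=5 and n=30, and all function names are assumptions chosen for the example; it does not model the scheme's zero submatrix or its secret set.

```python
import random
from itertools import combinations_with_replacement

P = 97  # assumption: small prime field GF(97), chosen for the example


def rank_mod_p(rows, p=P):
    """Rank of a matrix over GF(p) by Gaussian elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)  # modular inverse (Python 3.8+)
        m[rank] = [v * inv % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def square_code_dim(gen, cols=None, p=P):
    """Dimension of the code spanned by component-wise products of rows,
    optionally punctured to the column subset `cols`."""
    if cols is not None:
        gen = [[row[c] for c in cols] for row in gen]
    prods = [[a * b % p for a, b in zip(r, s)]
             for r, s in combinations_with_replacement(gen, 2)]
    return rank_mod_p(prods, p)


def rs_generator(k, xs, p=P):
    """Vandermonde generator matrix: row j holds x^j for each x in xs."""
    return [[pow(x, j, p) for x in xs] for j in range(k)]


K, N = 5, 30  # constructed sample parameters
RS = rs_generator(K, list(range(1, N + 1)))
_rng = random.Random(1)
RAND = [[_rng.randrange(P) for _ in range(N)] for _ in range(K)]

if __name__ == "__main__":
    print("RS square code:          ", square_code_dim(RS))
    print("RS punctured, 12 columns:", square_code_dim(RS, range(12)))
    print("random square code:      ", square_code_dim(RAND))
```

The Reed-Solomon values stay at 2k-1 until fewer than 2k-1 columns remain, which is the kind of dimension gap a square-code distinguisher measures.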
Taxonomy
Topics: Coding theory and cryptography · Cryptography and Data Security · graph theory and CDMA systems
