Attack on the Edon-K Key Encapsulation Mechanism

TL;DR

This paper presents a polynomial-time attack on the Edon-K post-quantum key encapsulation scheme, exploiting its underlying code structure to recover secrets and demonstrate insecurity.

Contribution

The authors develop a novel decoding attack based on the code's super-code structure, revealing vulnerabilities in Edon-K not previously identified.

Findings

The attack recovers the secret in polynomial time.

Edon-K scheme is insecure against the proposed decoding attack.

The code structure of Edon-K can be exploited for cryptanalysis.

Abstract

The key encapsulation mechanism Edon-K was proposed in response to the call for post-quantum cryptography standardization issued by the National Institute of Standards and Technologies (NIST). This scheme is inspired by the McEliece scheme but uses another family of codes defined over $\mathbb{F}_{2^{128}}$ instead of $\mathbb{F}_2$ and is not based on the Hamming metric. It allows significantly shorter public keys than the McEliece scheme. In this paper, we give a polynomial time algorithm that recovers the encapsulated secret. This attack makes the scheme insecure for the intended use. We obtain this result by observing that recovering the error in the McEliece scheme corresponding to Edon-K can be viewed as a decoding problem for the rank-metric. We show that the code used in Edon-K is in fact a super-code of a Low Rank Parity Check (LRPC) code of very small rank (1 or 2). A suitable parity-check matrix for the super-code of such low rank can be easily derived from for the public key. We then use this parity-check matrix in a decoding algorithm that was devised for LRPC codes to recover the error. Finally we explain how we decapsulate the secret once we have found the error.