Cryptanalysis of a System Based on Twisted Reed-Solomon Codes
Julien Lavauzelle, Julian Renner

TL;DR
This paper presents an efficient key-recovery attack on a McEliece cryptosystem variant using twisted Reed-Solomon codes, demonstrating that the scheme is insecure under practical parameters and highlighting the need for careful analysis of subfield subcodes.
Contribution
It introduces a novel attack exploiting subfield subcode structure, breaking the cryptosystem and challenging the assumed security of twisted Reed-Solomon code-based cryptography.
Findings
The attack always succeeds for practical parameters.
Private keys can be recovered within minutes.
The scheme's security claims are invalidated by the attack.
Table 2: Functions used in Algorithm 1.

| Function | Description |
|---|---|
| | maps a generator matrix of to a generator matrix of the subfield subcode of |
| | maps a generator matrix of to a generator matrix of the code |
| | maps vectors to of degree such that for |
| | maps a vector to a matrix whose rows are for each |
| | implements a Sidelnikov–Shestakov attack, which takes a generator matrix of an RS code as input and returns a vector of locators describing the code |
| | maps the vectors and to the generator matrix of the corresponding TRS code |
Table 3: Runtime of the SageMath implementation of Algorithm 1 for the parameters proposed in [BBPR18].

| Claimed security level | Runtime of Algorithm 1 |
|---|---|
| bits∗ | 133 seconds |
| bits∗ | seconds |
| bits∗ | seconds |
| bits∗ | seconds |
Cryptanalysis of a System Based on Twisted Reed–Solomon Codes
Julien Lavauzelle, Université de Rennes, CNRS, IRMAR – UMR 6625, France.
Julian Renner, Institute for Communications Engineering, Technical University of Munich (TUM), Germany.
(March 6, 2024)
Abstract
Twisted Reed–Solomon (TRS) codes are a family of codes that contains a large number of maximum distance separable codes that are non-equivalent to Reed–Solomon codes. TRS codes were recently proposed as an alternative to Goppa codes for the McEliece code-based cryptosystem, resulting in a potential reduction of key sizes. The use of TRS codes in the McEliece cryptosystem has been motivated by the fact that a large subfamily of TRS codes is resilient to a direct use of known algebraic key-recovery methods.
In this paper, an efficient key-recovery attack on the TRS variant that was used in the McEliece cryptosystem is presented. The algorithm exploits a new approach based on recovering the structure of a well-chosen subfield subcode of the public code. It is proved that the attack always succeeds and breaks the system for all practical parameters in field operations. A software implementation of the algorithm retrieves a valid private key from the public key within a few minutes, for parameters claiming a security level of bits. The success of the attack also indicates that, contrary to common beliefs, subfield subcodes of the public code need to be precisely analyzed when proposing a McEliece-type code-based cryptosystem. Finally, the paper discusses an attempt to repair the scheme and a modification of the attack aiming at Gabidulin–Paramonov–Tretjakov cryptosystems based on twisted Gabidulin codes.
1 Introduction
In the last years, cryptosystems relying on the hardness of decoding in a generic code have gained a lot of attention due to their potential resistance against quantum computer attacks. The first code-based cryptosystem was proposed by McEliece already in 1978 [McE78]. Its hardness is based on the assumption that a random generator matrix of a random binary Goppa code is hard to distinguish from the generator matrix of a random code. To this day, the principle behind the McEliece system still plays a significant role in the design of code-based cryptography. In particular, four out of the six code-based proposals in round 2 of the National Institute of Standards and Technology (NIST) post-quantum cryptography standardization process are based on McEliece’s principle.
Compared to other post-quantum-secure public-key encryption schemes, e.g. some lattice-based cryptosystems, the main drawback of the McEliece cryptosystem lies in the size of its public key. To overcome this drawback, other families of codes have been proposed to replace Goppa codes, but most of them have turned out to be vulnerable to algebraic attacks. For instance, generalized Reed–Solomon (GRS) codes were proposed in 1986 by Niederreiter [Nie86], but Sidelnikov and Shestakov mounted a very efficient attack to recover an alternative secret key [SS92]. Wieschebrink proved that random subcodes of GRS codes, proposed in [BL05], cannot be used either, because of their vulnerability to the code-squaring attack [Wie10]. Further instances and cryptanalyses of algebraic code-based schemes can be found in [Sid94, MS07, BCGO09, FOP+16, JM96, CCP17]. One should emphasize that many recent attacks are largely based on previously known methods. For example, some instances of the RLCE scheme [Wan16] were broken by Couvreur, Lequesne and Tillich by a sophisticated analysis of the squares of puncturings and shortenings of the public code [CLT19].
One recent alternative class of codes for the McEliece cryptosystem emerged from twisted Reed–Solomon (TRS) codes [BPR17]. In particular, Beelen et al. analyzed the structural properties of a very specific subfamily of TRS codes [BBPR18]. They proved that this subfamily is disjoint from the class of GRS codes; thus the attack by Sidelnikov and Shestakov [SS92] cannot be applied to their system. Further, they showed that shortenings of these codes up to two positions have maximal Schur square dimension [Puc18], meaning that the proposed system is impervious to a direct application of the attack presented by Couvreur et al. in [CGGU+14]. Additionally, the authors gave evidence that their system is not vulnerable to straightforward applications of methods introduced by Wieschebrink in [Wie06, Wie10].
The intention of the authors of [BBPR18] was to exploit the optimal error-correction capability of TRS codes to reduce the length of the public code, and accordingly the size of the public key. In [BBPR18], an explicit subfamily of TRS codes was proposed, providing a reduction of the public key up to a factor of compared to binary Goppa codes, for a claimed security level of bits.
In this paper, we present an efficient key-recovery attack on this cryptosystem based on TRS codes. As analyzed by the authors of [BBPR18], the direct application of previously known structural attacks does not work. Instead, we recover the structure of a well-chosen subfield subcode of the public TRS code . We give a characterization of the structure of this subfield subcode, as a subspace of low codimension contained in a classical Reed–Solomon code . We then prove that the Wieschebrink squaring method always succeeds when applied to the subfield subcode , and this enables us to retrieve an algebraic description of . By analyzing equivalent representations of TRS codes, we finally deduce an algebraic description of the public code . The application of the squaring method to the subfield subcode is a non-trivial modification of Wieschebrink’s attack.
To the best of our knowledge, our attack is the first of its kind to exploit structural weaknesses of subfield subcodes of the public code. On the contrary, the restriction to a subfield is usually considered as an operation that breaks the structure of an algebraic code and therefore makes it suitable for cryptography as attested by the attack-resilience of Goppa codes despite being subfield subcodes of Reed–Solomon codes. Our approach of attacking the subfield subcode instead of the original code might also be applicable to other classes of codes used in code-based cryptography.
We show that for all practical parameters proposed by the designers, our algorithm recovers a valid private key from the public key in operations over the underlying field, where denotes the code length. The attack is implemented in the computer-algebra system SageMath [The19] and is made public. Although the implementation is not optimized, it determines a valid private key in approximately two minutes for the parameters proposed in [BBPR18].
The paper is structured as follows. In Section 2, we introduce the notation, and state the definition as well as important structural properties of TRS codes. In Section 3, we present the key generation, encryption and decryption algorithm and the parameters proposed in [BBPR18]. In Section 4, we derive a structural attack on the scheme and we precisely analyze its complexity. Additionally, in Section 5, we discuss a potential fix of the cryptosystem, as well as an extension of the attack to the rank metric setting [PRW18]. Conclusions are given in Section 6.
2 Preliminaries
2.1 Notation
Let denote the finite field of order , where is a prime power. Vectors in are row vectors, and we use to represent the set of matrices over . For and , the -th entry of is denoted by . The set of invertible matrices of size over is denoted by .
Let us fix a finite field extension . The -vector space generated by a subset is denoted by . By convention, we also represent the -vector space spanned by the rows of by .
A linear code with parameters is an -vector space of of dimension , where is the minimum Hamming weight of a non-zero codeword . A generator matrix of is a matrix such that
Given and , their componentwise product is defined as . Further, we define the Schur-square (or Hadamard-square) of a linear code as
[TABLE]
Let denote the set of univariate polynomials over . For a fixed evaluation vector , we define the evaluation map
[TABLE]
Finally, if are two finite subsets of integers, then we define their sumset
[TABLE]
2.2 Twisted Reed–Solomon codes
Before introducing TRS codes, let us first recall the definition of (classical) Reed–Solomon codes.
Definition 1 (Reed–Solomon code).
Let the entries of be pairwise distinct, and fix . The Reed–Solomon (RS) code of length and dimension is defined by
[TABLE]
The entries of are called locators of the Reed–Solomon code .
RS codes are maximum distance separable (MDS) codes, i.e., they reach the Singleton bound . They also admit the use of efficient decoding algorithms for an error of weight up to the unique decoding radius .
TRS codes were recently constructed as a generalization of RS codes [BPR17]. Let us first define a specific subspace of polynomials. Let , and . Given a vector of pairwise distinct increasing hooks, a vector of pairwise distinct twists, and a vector of field coefficients , the set of -twisted polynomials is
[TABLE]
Definition 2 (Twisted Reed–Solomon code, [BPR17]).
Let the entries of be pairwise distinct, and fix . Let be defined as above. The -twisted Reed–Solomon (TRS) code of length , dimension and locators is defined by
[TABLE]
According to Definition 2, a generator matrix of is given by
[TABLE]
where for .
In [BBPR18], the authors show that the construction of TRS codes according to Definition 2 does not necessarily lead to MDS codes. However, they provide a method to obtain a subfamily of MDS TRS codes, cf. Theorem 1.
Theorem 1 (Explicit MDS TRS codes [BBPR18]).
Let be a prime power, and be non-negative integers such that is a chain of subfields. Fix and the entries of as pairwise distinct locators. Finally, let , and be chosen as in Definition 2, such that for . Then is MDS.
A decoding algorithm for TRS codes is also proposed in [BBPR18]. Given a corrupted codeword , where , the strategy is to guess elements and then to decode in the Reed–Solomon code . This approach succeeds if and thus admits a worst case complexity in . Notice that for the explicit family presented in Theorem 1, we have , hence this decoding algorithm is only practical for a tiny number of twists.
The following lemma shows that TRS codes are invariant under specific transformations of their parameters. This property is a key element for the cryptanalysis of the system, and could be of independent interest.
Lemma 2.
Let , , and be defined as in Definition 2. Then for any ,
[TABLE]
where and with , .
Proof.
Let , where . We have
[TABLE]
where . Hence by definition , and it follows that . The proof of the converse inclusion is similar, since is non-zero. ∎
3 The variant of the McEliece cryptosystem using TRS codes
3.1 Definition of the cryptosystem
Setup.
Fix a prime power , and integers with . Also fix satisfying
[TABLE]
Further, set for , such that is a chain of subfields. Finally, set and for , where .
Integers , , , , and tuples , satisfying the above conditions are referred to as valid parameters of the cryptosystem [BBPR18]. They are public parameters.
Key generation.
Given valid parameters , , , , and , a pair of public/private keys is generated as follows.
1. Choose at random such that the entries of are pairwise distinct.
2. Choose at random such that for .
3. Choose at random.
4. Output the public key , where is the generator matrix of described in Section 2.2.
The private key consists of and the public key is .
Encryption.
Given a plaintext and the public key , the ciphertext is generated as follows.
1. Choose at random with Hamming weight .
2. Output the ciphertext
[TABLE]
Decryption.
Given a ciphertext and the private key , the decryption algorithm can be described as follows.
1. Decode to using the decoding algorithm of given in [BBPR18].
2. Output the plaintext .
Proposed Parameters.
The designers of the system proposed the parameters listed in Table 1 [BBPR18]. Recall that the public code is defined over the field .
There are two main reasons for choosing a small number of twists. On the one hand, the complexity of the decoding algorithm proposed in [BBPR18] is in and thus increases doubly exponentially with the number of twists. On the other hand, the number of elements in the largest field also scales exponentially with the number of twists, which impacts the key sizes.
3.2 Resistance to some known key-recovery algebraic attacks
As mentioned in Section 1, Beelen et al. showed that some existing attacks cannot be directly mounted on their system [BBPR18]. Let us recall these attacks and explain why they are ineffective.
Sidelnikov–Shestakov attack.
In [SS92], Sidelnikov and Shestakov presented an attack on a variant of the McEliece cryptosystem using GRS codes. The attack uses two key facts: first, for MDS codes it is easy to find minimal-weight codewords with a given support, by running a simple Gaussian elimination; second, the ratio between two minimal-weight codewords of a GRS code whose supports differ in only two coordinates is a rational function of degree one. Using these properties, the recovery of an alternative private key (i.e. an algebraic description of the public code as a GRS code) reduces to solving linear systems of equations involving the coefficients of the rational functions and the parameters of the GRS code. Formally, the result of Sidelnikov and Shestakov [SS92] can be summarized as follows.
Theorem 3 (Sidelnikov–Shestakov [SS92]).
Let be a Reed–Solomon code with locators . Given any generator matrix of , there exists an algorithm which determines in time a vector such that
[TABLE]
In particular, it holds that with and .
However for TRS codes, the ratio of two minimal-weight codewords with close support is a high degree rational function involving many coefficients. This property prevents a direct use of Sidelnikov–Shestakov’s attack.
Wieschebrink attack.
In order to attack a variant of the McEliece cryptosystem using random subcodes of GRS codes, Wieschebrink considered the following structural properties. Let be a random subcode of dimension of a GRS code of dimension , with small compared to . With high probability, the Schur square is a GRS code of dimension . If , a Sidelnikov–Shestakov attack can be applied to recover the secret parameters. Otherwise, one can shorten the public code until the latter condition holds, since a shortened RS code is again an RS code.
As proved by the designers of the cryptosystem, Wieschebrink's idea cannot be directly applied to TRS codes, thanks to a careful choice of parameters: the Schur square of the public code has dimension , and shortening techniques seem inappropriate since the family of TRS codes is not stable under this operation. We will see in the following section that restricting TRS codes to subfields nevertheless leaks the algebraic structure of the public code.
4 An efficient key-recovery attack using subfield subcodes
This section presents an efficient key-recovery algorithm for the cryptosystem with the parameters proposed in [BBPR18]. The algorithm first determines a linear transformation of the secret locators by exploiting structural properties of the subfield subcode of the public code. Then, the algorithm finds the coefficients of the twist monomials by Lagrange interpolation. The algorithm finally outputs such that . As shown in Lemma 2, is a valid private key that can be used in the decryption algorithm (see Section 3.1).
4.1 Key-recovery algorithm
4.1.1 First step: recovery of an affine transformation of the secret locators
Let us consider the -subfield subcode of the code spanned by the public generator matrix . We first state a technical lemma.
Lemma 4.
Let the entries of be pairwise distinct. Further, let where is an extension of , such that . Then, if and only if .
Proof.
Let and assume that . Since and , there exists a polynomial of degree such that . Moreover, is injective over the -subspace of polynomials of degree , hence . The converse is straightforward. ∎
Let us now define as the set of exponents of monomials which do not support twists (since the parameters and are public, an attacker knows the set ). For valid parameters, since for each . We can now prove the following characterization of subfield subcodes of TRS codes with valid parameters.
Proposition 5.
Let be chosen with valid parameters, as described in Section 3. Define as above. Then,
[TABLE]
Proof.
Let us denote $\mathcal{S}=\operatorname{Span}_{\mathbb{F}_{q_0}}\big(\{\operatorname{ev}_{\boldsymbol{\alpha}}(X^i),\, i\in\mathcal{I}\}\big)$ and . First, it is clear that . Indeed, for we have , and since is a vector over , it yields that .
Conversely, let , where . Lemma 4 ensures that , since for valid parameters. It remains to notice that . ∎
We observe by Proposition 5 that the subfield subcode is a proper non-MDS subcode of the RS code . Thus, one cannot directly use a Sidelnikov–Shestakov attack [SS92] on . In 2006, Wieschebrink mounted an attack on cryptosystems based on random subcodes of RS codes [Wie10]. The author’s idea is that, with very high probability over the chosen subcode , the square code is a RS code. A Sidelnikov–Shestakov attack can then be used on to recover the private parameters.
In the following, we prove that for most valid parameters defined in [BBPR18], and for all practical ones, the square code is a RS code subject to a Sidelnikov–Shestakov attack.
Proposition 6.
Let , , , , and be valid parameters, and assume that . Let . Then,
[TABLE]
Proof.
We use the notation and the results of Proposition 5. This yields
[TABLE]
As a consequence, the proposition holds if .
Notice that for valid parameters, we have and , where , and . We have , and , hence it is clear that contains the subset
[TABLE]
Moreover one can easily check that if , then . The condition is always satisfied with valid parameters since and . Finally, the assumption leads us to using constraints on valid parameters. This easily yields .
∎
Remark 7.
In practice, the assumption is not restrictive, since the decryption algorithm is effective only if .
For valid parameters, we have , hence we can apply a Sidelnikov–Shestakov attack to the code . This algorithm outputs a vector of locators which is an affine transformation of the secret locators (see Theorem 3). Formally, for some and , where .
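The following is an added worked example (the editor's own Python, not code from the paper or from the authors' SageMath implementation). It builds a toy one-twist TRS code over GF(256) with all locators in the subfield GF(16), following the twisted-polynomial definition of [BPR17] as the editor reads it; computes the GF(16)-subfield subcode of the public code through a parity-check matrix expanded in a GF(16)-basis of GF(256); checks that this subcode is spanned by the evaluations of the untwisted monomials (Proposition 5); and checks that its Schur square is the Reed–Solomon code of dimension 2k-1 (Proposition 6), i.e. a code on which a Sidelnikov–Shestakov attack applies. The field, n = 16, k = 6, the hook and twist positions and the choice of η are the editor's assumptions; they are far too small to mean anything cryptographically and are not the designers' parameters.

```python
# Added example (editor's own Python, not code from the paper): a toy instance over GF(256)
# with subfield GF(16), illustrating Propositions 5 and 6 and the squaring step of Section 3.2.
from functools import reduce
def gf_mul(a, b):  # GF(256) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

gf_inv = lambda a: gf_pow(a, 254)
# GF(16) = {x : x^16 == x} inside GF(256); closed under the routines above, so one elimination serves both fields.
SUBFIELD = [x for x in range(256) if gf_pow(x, 16) == x]

def rref(rows):
    """Reduced row echelon form: returns (non-zero rows, pivot columns)."""
    m, pivots = [r[:] for r in rows], []
    for c in range(len(m[0])):
        r = len(pivots)
        p = next((i for i in range(r, len(m)) if m[i][c]), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        inv = gf_inv(m[r][c])
        m[r] = [gf_mul(inv, x) for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [x ^ gf_mul(m[i][c], y) for x, y in zip(m[i], m[r])]
        pivots.append(c)
    return m[:len(pivots)], pivots

def nullspace(rows):
    """Basis of {x : rows . x = 0}; in characteristic 2, x_pivot = sum of row[f] * x_f."""
    red, pivots = rref(rows)
    basis = []
    for f in [c for c in range(len(rows[0])) if c not in pivots]:
        v = [0] * len(rows[0])
        v[f] = 1
        for row, p in zip(red, pivots):
            v[p] = row[f]
        basis.append(v)
    return basis

def ev(poly, alpha):
    """Evaluate a coefficient vector (low degree first) at every locator (Horner's rule)."""
    return [reduce(lambda acc, c: gf_mul(acc, a) ^ c, reversed(poly), 0) for a in alpha]

def rs_generator(alpha, k):
    return [ev([0] * i + [1], alpha) for i in range(k)]

def trs_generator(alpha, k, hook, twist, eta):
    """One-twist TRS code (editor's reading of [BPR17]): hook row evaluates X^hook + eta*X^(k-1+twist)."""
    rows = []
    for i in range(k):
        poly = [0] * (k + twist)
        poly[i] = 1
        if i == hook:
            poly[k - 1 + twist] = eta
        rows.append(ev(poly, alpha))
    return rows

def subfield_subcode(gen):
    """GF(16)-subfield subcode of the GF(256)-code spanned by gen: write a parity-check
    matrix in the GF(16)-basis {1, beta} of GF(256), then take its kernel over GF(16)."""
    beta = next(x for x in range(256) if x not in SUBFIELD)
    decomp = {x0 ^ gf_mul(x1, beta): (x0, x1) for x0 in SUBFIELD for x1 in SUBFIELD}
    expanded = []
    for h in nullspace(gen):
        parts = [decomp[x] for x in h]
        expanded.append([p[0] for p in parts])
        expanded.append([p[1] for p in parts])
    return nullspace(expanded)

def schur_square(gen):
    prods = [[gf_mul(x, y) for x, y in zip(u, v)] for i, u in enumerate(gen) for v in gen[i:]]
    return rref(prods)[0]

def same_rowspace(a, b):
    return len(rref(a)[0]) == len(rref(b)[0]) == len(rref(a + b)[0])

def demo(k=6, hook=2, twist=1):
    alpha = SUBFIELD                                        # n = 16 locators, all in the subfield
    eta = next(x for x in range(256) if x not in SUBFIELD)  # twist coefficient outside GF(16)
    g_pub = trs_generator(alpha, k, hook, twist, eta)
    sub = subfield_subcode(g_pub)
    span_i = [ev([0] * i + [1], alpha) for i in range(k) if i != hook]  # I: exponents without twist
    sq = schur_square(sub)
    return {
        "public_square_dim": len(schur_square(g_pub)),     # toy only: 13 < n, unlike the real parameters
        "subcode_dim": len(sub),                           # k - 1 = 5
        "prop5_holds": same_rowspace(sub, span_i),         # subcode == Span_GF(16){ev(X^i) : i in I}
        "square_dim": len(sq),                             # 2k - 1 = 11
        "prop6_holds": same_rowspace(sq, rs_generator(alpha, 2 * k - 1)),  # square == RS_{2k-1}(alpha)
    }
```

Only the subfield-subcode step uses the extension structure: a codeword over GF(16) lies in the public code iff both GF(16)-coordinates of every parity check vanish, which is why the expanded matrix has twice as many rows and its kernel is taken over GF(16) with the same Gaussian elimination. Note that at this toy size the Schur square of the public code itself is not of maximal dimension, so the toy does not reproduce the designers' argument against a direct Wieschebrink attack; it only shows the mechanism by which the subfield subcode leaks.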
4.1.2 Second step: from an affine to a linear transformation of the secret locators
Lemma 2 only ensures that if for a non-zero . Therefore, given , it remains to search for a valid such that . Since is rather small, this search can be performed exhaustively as follows. Given and , one first computes the code
[TABLE]
If holds, then we have found a valid and hence a valid . Notice that each individual test can be performed in time .
4.1.3 Third step: recovery of a valid pair
The previous steps provide a tuple which can be used as a vector of locators for the public TRS code. In order to determine a vector such that , we use the following result.
Lemma 8.
Let , and such that . Denote by and the coefficients of the monomials and in . Then, we have
[TABLE]
Proof.
This is clear from the following simple computation
[TABLE]
∎
Hence, a vector of coefficients such that can be computed as follows. Pick at random a codeword . Then, interpolate as a polynomial evaluated over the vector of locators . Notice that we have , thus for every non-zero coefficient of , we obtain the coefficient due to Lemma 8.
It remains to be observed that, if a codeword is picked uniformly at random in , the probability that is roughly . Since , a random leads to the recovery of the whole vector with high probability. Note that this procedure can be derandomized by iteratively taking each row of the public matrix .
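An added example of the interpolation step (the editor's own Python, not the paper's code): a toy one-twist TRS codeword over GF(256) is interpolated over the locators, and the twist coefficient is read off as the ratio of the two coefficients named in Lemma 8. The locators used here are the true ones rather than the transformed ones returned by the previous steps, since the point is the interpolation itself; the field, the parameters and the two constructed codewords are the editor's assumptions. The second codeword has a zero coefficient at the hook and illustrates the case covered by the probability estimate above: the routine then returns None and the caller moves on to the next codeword, e.g. the next row of the public generator matrix.

```python
# Added example (editor's own, not from the paper): the interpolation step of Section 4.1.3 /
# Lemma 8 on a toy one-twist TRS code over GF(256). All parameters are the editor's.
from functools import reduce

def gf_mul(a, b):  # GF(256), AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

gf_inv = lambda a: gf_pow(a, 254)

def poly_mul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def ev(poly, alpha):
    """Evaluate a coefficient vector (low degree first) at every locator (Horner's rule)."""
    return [reduce(lambda acc, c: gf_mul(acc, a) ^ c, reversed(poly), 0) for a in alpha]

def interpolate(xs, ys):
    """Lagrange interpolation: coefficients (low degree first) of the unique polynomial
    of degree < len(xs) taking value ys[i] at xs[i]. Requires pairwise distinct xs."""
    coeffs = [0] * len(xs)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [xj, 1])      # (X - xj) == (X + xj) in characteristic 2
                denom = gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        for d, c in enumerate(num):
            coeffs[d] ^= gf_mul(c, scale)
    return coeffs

def twisted_poly(msg, k, hook, twist, eta):
    """f = sum_{i<k} msg[i] X^i + eta * msg[hook] * X^(k-1+twist)  (one twist; editor's reading of [BPR17])."""
    f = list(msg) + [0] * twist
    f[k - 1 + twist] = gf_mul(eta, msg[hook])
    return f

def recover_eta(codeword, alpha, k, hook, twist):
    """Lemma 8: after interpolating the codeword over the locators, the coefficient of
    X^(k-1+twist) equals eta times the coefficient of X^hook. Returns None when the hook
    coefficient is zero: this codeword carries no information about eta and the next one
    (e.g. the next row of the public generator matrix) must be tried."""
    f = interpolate(alpha, codeword)
    if f[hook] == 0:
        return None
    return gf_mul(f[k - 1 + twist], gf_inv(f[hook]))

def demo(k=6, hook=2, twist=1):
    alpha = [x for x in range(256) if gf_pow(x, 16) == x]    # 16 distinct locators: GF(16) inside GF(256)
    eta = next(x for x in range(256) if gf_pow(x, 16) != x)  # secret twist coefficient outside GF(16)
    # two constructed codewords: one with a non-zero hook coefficient, one where it vanishes
    informative = ev(twisted_poly([7, 0, 0xA5, 1, 0, 9], k, hook, twist, eta), alpha)
    useless = ev(twisted_poly([7, 1, 0, 1, 0, 9], k, hook, twist, eta), alpha)
    return eta, recover_eta(informative, alpha, k, hook, twist), recover_eta(useless, alpha, k, hook, twist)
```

With a scalar multiple of the locators in place of the true ones, the same computation returns the coefficient that Lemma 2 pairs with those locators, which is exactly what the final step needs for an alternative private key.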
4.1.4 Final step: recovery of an alternative private key
After determining and , one can easily compute a matrix such that . Then, can be used in the proposed decryption algorithm as a valid (alternative) private key to retrieve any secret plaintext .
4.2 Analysis of the attack
A summary of the attack is given in Algorithm 1. Let us explain the notation we use there. Given a matrix , its transpose is represented by , and is a matrix whose rows form a basis of the right kernel of . The reduced row echelon form of is denoted by . Moreover, if and have the same rowspace, then denotes any solution to . Finally, in Table 2 we describe functions involved in Algorithm 1.
Theorem 9.
Given any generator matrix of a TRS code , Algorithm 1 retrieves a tuple such that the matrix generates in operations over .
Proof.
The correctness of Algorithm 1 was proved in Section 4.1. Let us now provide details about the complexity of Algorithm 1.
- Line 2: The computation of requires operations in and operations in .
- Line 3: The computation of can be performed in time . Informally, one needs to find a basis of the space generated by the set . This basis can be built iteratively; updating the basis with a new element costs operations in and must be done times, and rejecting candidates costs operations in and must be done times.
- Line 4: Applying the function on requires operations in [SS92].
- Lines 7 to 11: The computation of requires operations in ; building needs operations in ; matrix multiplication needs operations in ( was already computed in Line 2). In the worst case, the previous sequence of computations has to be performed times. Hence these steps require operations in .
- Lines 15 to 22: In the worst case, interpolations have to be performed, requiring operations in .
- Line 25: Computation of needs operations in .
- Line 26: Computation of by a reduction to row echelon form of the matrix needs operations in . ∎
In practice, and must be chosen to be small (for instance, and were proposed in [BBPR18]) in order to obtain an efficient decryption algorithm and keys of moderate size. Hence, for practical parameters Algorithm 1 has a complexity in and thus recovers a valid private key in polynomial time.
Our attack is implemented in the computer algebra system SageMath v8.7 [The19] and is available at https://bitbucket.org/julianrenner/trs_attack. Although the implementation is not optimized, it recovers a valid private key within a few minutes for the proposed parameters, see Table 3.
5 Discussion and open questions
5.1 Repairing the cryptosystem?
After a notification of this attack, the authors of [BBPR18] described a possible fix of the system, in which a modified version of the generator matrix is made public. The idea is to multiply the generator matrix from the right by a diagonal matrix with non-zero entries , such that the -subfield subcode of the vector space spanned by the rows of is not contained in a RS code. This clearly prevents a direct application of our attack.
Nevertheless, we would like to point out that this possible repair might not fix the inherent weaknesses of the cryptosystem. In fact, the subfield subcode of a GRS code is a so-called alternant code , which also admits an algebraic description. As a consequence, it seems very plausible that the security of the proposed repaired cryptosystem can be reduced to the security of a McEliece-like cryptosystem using the subfield subcode .
One can then notice that the parameters proposed by the authors of [BBPR18] are far below those considered secure for alternant codes. For instance, BIG QUAKE [BBB+17] and Classic McEliece [Dan17] (both unbroken candidates in the NIST post-quantum standardization call) use alternant codes with length and dimension in the thousands, while the proposed parameters for TRS codes have and with a field size . Algebraic attacks such as those developed in [FOPT10, FOP+16] should then be considered a potential threat. One should also mention the recent attack on the cryptosystem DAGS [BBB+18], based on alternant codes, performed by Barelli and Couvreur [BC18]. Informally, the authors of [BC18] manage to derive an alternant code with much smaller parameters from the public code, so that the last step of the key-recovery algorithm, which is exponential in the involved parameters, remains feasible thanks to the small size of the derived alternant code.
Finally and most crucially, one can question the benefit of considering codes whose security might be no better than that of alternant codes (for which cryptosystems have been designed and studied), but which suffer from larger key sizes and much less efficient decoding algorithms.
5.2 On the rank metric version of the cryptosystem
In [PRW18] a modified version of the previous system was proposed, based on a subfamily of twisted Gabidulin codes. The idea is to consider a variant of the GPT cryptosystem [GPT91], where twisted Gabidulin codes are used instead of (subcodes of) Gabidulin codes. Although we do not claim to have a proper attack on the system, let us show some potential weaknesses that could be analyzed in a future work.
The GPT cryptosystem can be viewed as an analogue of the McEliece cryptosystem, using rank metric codes instead of Hamming metric codes. We refer to [Ove07] for more details about rank metric codes and variants of the GPT cryptosystem. Let us give a short overview of the latter.
Let and be a family of rank metric codes. The GPT cryptosystem works as follows:
- Key generation: Alice generates a secret generator matrix for a code randomly chosen in . Then she computes a public key , where the matrices , of rank , and are chosen uniformly at random and kept secret.
- Encryption: given a plaintext , Bob computes the ciphertext , where is a random error with small rank over (the rank of the error is such that can be decoded in ).
- Decryption: Alice decodes the last coordinates of in the code and retrieves .
In most variants of the GPT cryptosystem, is a (sub-)family of Gabidulin codes [Gab85]
[TABLE]
where are -linearly independent, and . Polynomials with monomials only of the form are called -polynomials, or linearized polynomials. In [PRW18], the authors proposed to define as the subfamily of twisted Gabidulin codes
[TABLE]
where are chosen in the chain of subfields , and are -linearly independent, similar to the case of TRS codes.
Our claim is that the code generated by also admits structured subfield subcodes which could be used to attack the system. Indeed, one can prove that the last coordinates of form a subcode of the Gabidulin code of rather small codimension. Applying variants of Overbeck’s attacks — e.g. in [Ove05] — might lead to the recovery of a linear transformation of and thus a structural attack on the public key close to the one presented in this paper.
For a code and , let , and
[TABLE]
In fact, we observe in simulations that for , if has dimension , then one recovers an -linear transformation of , as well as a full-rank matrix , by applying [Ove07, Algorithm 3.5.1] to a generator matrix of . Then, the coefficients are determined by interpolation of the last positions of the rows of with -polynomials of -degree smaller than , similar to Section 4.1.3. Finally, one chooses such that
[TABLE]
where the subscript refers to the last positions of and is a generator matrix of . Clearly, is then a valid private key.
Further simulations show that if has full -rank and is small, then the code has a dimension with high probability. However, if is large or if has -rank smaller than , then has dimension smaller than and this straightforward approach fails.
Since a precise analysis of the potential weakness of the system proposed in [PRW18] is out of the scope of this paper, we leave it as an open problem for future research.
6 Conclusion
This paper presents an efficient key-recovery attack on the McEliece cryptosystem based on a subfamily of TRS codes. The attack does not contradict the structural properties presented in [BBPR18], but recovers the structure of a subfield subcode of the public TRS code, which enables us to determine a description of the supercode. This attack retrieves a valid private key from the public key for all practical parameters in field operations. This is formally proved, and confirmed by experimental results: one retrieves a valid private key for a claimed security level of bits within a few minutes. In addition, the security of the system after an attempt to repair it is discussed, as well as potential ways to adapt our attack to the rank metric variant of the considered system.
The subfield subcode approach presented in this paper is unique, in the sense that a widespread idea considers the restriction of codes to subfields as a way to break their structure. However, our cryptanalysis proves that subfield subcodes — as well as punctured codes and shortened codes — must also be taken into account when trying to assert the security of McEliece-like cryptosystems.
Acknowledgements
This work was done while the second author was visiting the Institut de Recherche Mathématique de Rennes (IRMAR), Université de Rennes 1, France.
The first author is funded by the French Direction Générale de l'Armement, through the Pôle d'excellence cyber.
This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 801434).
We would like to thank Antonia Wachter-Zeh (TUM) for fruitful discussions and Oliver De Candido (TUM) for his comments that helped to improve the manuscript. We would further like to thank the authors of the proposed cryptosystem [BBPR18] for validating our attack and pointing out a possible repair of the system with respect to our attack.
References
- [BBB+17] Magali Bardet, Élise Barelli, Olivier Blazy, Rodolfo C. Torres, Alain Couvreur, Philippe Gaborit, Ayoub Otmani, Nicolas Sendrier, and Jean-Pierre Tillich. BIG QUAKE: BInary Goppa QUAsi-cyclic Key Encapsulation. https://bigquake.inria.fr, 2017.
- [BBB+18] Gustavo Banegas, Paulo S. L. M. Barreto, Brice O. Boidje, Pierre-Louis Cayrel, Gilbert N. Dione, Kris Gaj, Cheikh T. Gueye, Richard Haeussler, Jean B. Klamti, Ousmane Ndiaye, Duc T. Nguyen, Edoardo Persichetti, and Jefferson E. Ricardini. DAGS: Key Encapsulation Using Dyadic GS Codes. J. Mathematical Cryptology, 12(4):221–239, 2018.
- [BBPR18] Peter Beelen, Martin Bossert, Sven Puchinger, and Johan Rosenkilde né Nielsen. Structural Properties of Twisted Reed–Solomon Codes with Applications to Code-Based Cryptography. In IEEE Int. Symp. Inf. Theory (ISIT), 2018.
- [BC18] Élise Barelli and Alain Couvreur. An Efficient Structural Attack on NIST Submission DAGS. In Thomas Peyrin and Steven D. Galbraith, editors, Advances in Cryptology - ASIACRYPT, volume 11272, pages 93–118. Springer, 2018.
- [BCGO09] Thierry P. Berger, Pierre-Louis Cayrel, Philippe Gaborit, and Ayoub Otmani. Reducing Key Length of the McEliece Cryptosystem. In Bart Preneel, editor, Progress in Cryptology - AFRICACRYPT, volume 5580, pages 77–97. Springer, 2009.
- [BL05] Thierry P. Berger and Pierre Loidreau. How to Mask the Structure of Codes for a Cryptographic Use. Designs, Codes and Cryptogr., 35(1):63–79, Apr 2005.
- [BPR17] Peter Beelen, Sven Puchinger, and Johan Rosenkilde né Nielsen. Twisted Reed–Solomon Codes. In IEEE Int. Symp. Inf. Theory (ISIT), 2017.
- [CCP17] Alain Couvreur, Irene M. Corbella, and Ruud Pellikaan. Cryptanalysis of McEliece Cryptosystem Based on Algebraic Geometry Codes and Their Subcodes. IEEE Trans. Information Theory, 63(8):5404–5418, 2017.
