Encryption Scheme Based on Expanded Reed-Solomon Codes
Karan Khathuria, Joachim Rosenthal, Violetta Weger

TL;DR
This paper introduces a new code-based public-key cryptosystem utilizing expanded Reed-Solomon codes, offering enhanced security against certain attacks and significantly reducing key size compared to traditional systems.
Contribution
It proposes a novel encryption scheme based on shortened expanded Reed-Solomon codes that improves security and reduces key size without relying on cyclic structures.
Findings
- Provides security against Schur product-based distinguishers
- Achieves approximately 45% key size reduction
- Demonstrates practical viability of the scheme
Abstract
We present a code-based public-key cryptosystem in which we use Reed-Solomon codes over an extension field as secret codes and disguise them by considering their shortened expanded codes over the base field. Considering shortened expanded codes provides a safeguard against distinguisher attacks based on the Schur product. Moreover, without using a cyclic or a quasi-cyclic structure we obtain a key size reduction of nearly compared to the classic McEliece cryptosystem proposed by Bernstein et al.
Table 1.
| Rate | Base field size | Length | Dimension | | Key Size (bits) |
|---|---|---|---|---|---|
| 0.60 | 13 | 1382 | 829 | 277 | 6783627 |
| 0.65 | 13 | 1270 | 825 | 223 | 5952804 |
| 0.70 | 13 | 1207 | 844 | 182 | 5339456 |
| 0.75 | 13 | 1192 | 894 | 149 | 4929077 |
| 0.80 | 13 | 1230 | 984 | 123 | 4702652 |
| 0.82 | 13 | 1258 | 1031 | 114 | 4624198 |
| 0.85 | 13 | 1340 | 1139 | 101 | 4634545 |
| 0.87 | 13 | 1420 | 1235 | 93 | 4692805 |
| 0.90 | 13 | 1602 | 1441 | 81 | 4863276 |
Table 2.
| Rate | Base field size | Length | Dimension | | Key Size (bits) |
|---|---|---|---|---|---|
| 0.65 | 7 | 2360 | 1534 | 413 | 13134108 |
| 0.70 | 7 | 1945 | 1361 | 292 | 10191102 |
| 0.75 | 7 | 1738 | 1303 | 218 | 8480009 |
| 0.80 | 7 | 1662 | 1329 | 167 | 7448878 |
| 0.85 | 7 | 1700 | 1445 | 128 | 6815134 |
| 0.87 | 7 | 1770 | 1539 | 116 | 6785893 |
| 0.89 | 7 | 1872 | 1666 | 103 | 6754721 |
| 0.91 | 7 | 2024 | 1841 | 92 | 6814326 |
Table 3.
| Scheme | Parameters | Base field size | Extension degree | Length | Dimension | Key Size (in bits) |
|---|---|---|---|---|---|---|
| Proposed system | Type I | 13 | 3 | 1258 | 1031 | 4624198 |
| Proposed system | Type II | 7 | 4 | 1872 | 1666 | 6754721 |
| Classic McEliece | | 2 | 13 | 6960 | 5413 | 8373911 |
| BBCRS based schemes | and | 1423 | 1 | 1422 | 786 | 5113520 |
| BBCRS based schemes | and | 1163 | 1 | 1162 | 928 | 2274160 |
| BBCRS based schemes | and | 1993 | 1 | 1992 | 1593 | 6966714 |
Karan Khathuria, Joachim Rosenthal and Violetta Weger
Institute of Mathematics, University of Zurich, Winterthurerstrasse 190, 8057 Zurich, Switzerland
Key words and phrases:
Code-based Cryptography, McEliece Cryptosystem, Reed-Solomon codes, Expanded codes
1. Introduction
In 1978 McEliece [31] presented the first code-based public-key cryptosystem. It belongs to the small family of public-key cryptosystems that have remained unbroken for decades. The hard problem the McEliece system relies on is the difficulty of decoding a random(-like) linear code having no visible structure. McEliece proposed to use binary Goppa codes for the encryption scheme. Due to the low error-correcting capacity of Goppa codes, the cryptosystem results in large public key sizes. Several alternative families of codes have been proposed with the aim of reducing the key sizes. Some of the well-known families of codes considered are: generalized Reed-Solomon codes [5, 6, 8, 10, 14, 25, 36], non-binary Goppa codes [12], algebraic geometric codes [24], LDPC and MDPC codes [7, 34], Reed-Muller codes [41] and convolutional codes [29]. Most of them were unsuccessful in hiding the structure of the private code [15, 16, 17, 18, 26, 33, 37, 42, 46].
The quest for better code-based cryptosystems is motivated mainly by the advent of quantum computers. In 1994 Peter Shor [40] developed a polynomial-time quantum algorithm for factoring integers and solving discrete logarithm problems. This means that most of the currently popular cryptosystems, such as RSA and ECC, will be broken in an era of quantum computers. In the ongoing standardization process for quantum-resistant public-key cryptographic algorithms run by the National Institute of Standards and Technology (NIST), code-based cryptosystems are among the most promising candidates. At the time of this writing there are seven code-based cryptosystems included in NIST’s standardization process: BIKE [3] based on quasi-cyclic MDPC codes, classic McEliece [11] based on binary Goppa codes, ROLLO [32] based on quasi-cyclic LRPC codes, RQC [1] based on rank metric quasi-cyclic codes, HQC [1] based on Hamming metric quasi-cyclic codes, LEDAcrypt [4] based on quasi-cyclic LDPC codes and NTS-KEM [2] based on binary Goppa codes.
In this paper we present a new variant of the McEliece scheme using expanded Reed-Solomon codes. A linear code defined over an extension field can be expanded, over the base field , to a linear code by expanding each codeword with respect to a fixed -linear isomorphism from to . In the proposed cryptosystem we hide the structure of an expanded GRS code by puncturing and permuting the columns of its parity check matrix and multiplying by an invertible block diagonal matrix. In order to decode a large number of non-codewords, we use a burst of errors during the encryption step, i.e. we consider error vectors having support in sub-vectors of size . This error pattern comes with a disadvantage: it can be used to speed up the information set decoding (ISD) algorithms. However, for a small degree of extension , the key sizes turn out to be remarkably competitive.
The paper is organized as follows. In Section 2, we give the preliminaries regarding the expanded codes. In Section 3, we describe the proposed cryptosystem which is based on the shortening of an expanded generalized Reed-Solomon code. In Section 4, we provide security arguments for the proposed cryptosystem against the known structural and non-structural attacks. In Section 5, we provide parameters of the proposed cryptosystem that achieve a security level of 256-bits against the ISD algorithm.
2. Background
2.1. Expanded Codes
Let be a prime power and let be an integer. Let be a primitive element of the field , i.e. . The field can also be seen as an - vector space of dimension via the following -linear isomorphism
[TABLE]
We extend this isomorphism for vectors over in the following way:
[TABLE]
This is clearly an -linear isomorphism. Hence this gives us a way to obtain a linear code over from a linear code over .
**Definition 2.1** (Expanded Codes).
Let be positive integers with , let be a prime power and be an integer. Let be a linear code of length and dimension over . The expanded code of with respect to a primitive element is a linear code over the base field defined as
[TABLE]
where is the -linear isomorphism defined by as above.
**Remark 1.**
It is easy to see that the expanded code is a linear code of length and dimension , because is an -linear isomorphism and .
Given a code with its generator matrix and parity check matrix, the following lemma gives a way to construct a generator matrix and a parity check matrix of the expanded code .
**Lemma 2.2.**
Let be a linear code in .
1. Let have a generator matrix , where are vectors in . Then the expanded code of over with respect to a primitive element has the expanded generator matrix
[TABLE]
2. Let have a parity check matrix , where are vectors in . Then the expanded code of over with respect to a primitive element has the expanded parity check matrix
[TABLE]
Proof.
See [47, Theorem 1]. ∎
**Proposition 1.**
Let be a linear code in having a generator matrix and a parity check matrix . Let and be the expanded generator matrix and expanded parity check matrix of , respectively. Then
1. for all ,
2. for all .
Proof.
Let and let for all . Then
[TABLE]
Similarly, for all . ∎
**Remark 2.**
can also be determined by the commutativity of the following diagram (as -linear maps):
[TABLE]
3. The Cryptosystem
In this section we will present the proposed cryptosystem in the Niederreiter version. We consider an expanded GRS code whose parity check matrix can be viewed as blocks, where each block is of size . In order to destroy the algebraic structure of the code, we choose and shorten it on randomly chosen columns in each block. We then hide the shortened code by multiplying it with an invertible matrix, which preserves the weight of a vector over the extension field .
Key generation:
Let be a prime power, be positive integers and be positive integers, satisfying . Consider a GRS code of dimension and length over the finite field and choose a parity check matrix of . Let be the error correction capacity of .
Let be the expanded parity check matrix of the expanded code of with respect to a primitive element . is an matrix over .
Shortening
- For each , let be a randomly chosen subset of of size and define .
- We puncture on columns indexed by . Let be the resulting parity check matrix and let be the shortened code.
Hiding
- Choose random invertible matrices over . Define to be the block diagonal matrix having as diagonal blocks.
- Now choose a random permutation of length and define to be the block permutation matrix of size . It can also be seen as the Kronecker product of the permutation matrix corresponding to and the identity matrix of size .
- Define and compute .
The private key is then and the public key is .
Encryption:
Let be a message having support in sub-vectors each of length , in particular
[TABLE]
for some distinct . Then compute the cipher text
[TABLE]
Decryption:
For the decryption we apply on , i.e.
[TABLE]
Observe that , where is the embedding of to , by introducing zeros on the positions indexed by . From Proposition 1 we get
[TABLE]
Due to the block structure of the matrix , the vector of has support in sub-vectors each of length , thus has support in sub-vectors each of length . Hence , and we can decode to get . By applying we get , and by projecting on the positions not indexed by we get ; therefore, after multiplying by , we recover the message .
Choice of parameters
For low key sizes it is desirable to use a small degree of extension and small .
In the case of quadratic extension and in the case of , puncturing all but one column from each block results in an alternant code (subfield subcode of a GRS code). Alternant codes are known to be vulnerable to square code attacks [17, 19]. Hence, we do not propose to use quadratic extensions or .
We therefore propose to use and with .
4. Security
In this section we discuss the security of the proposed cryptosystem. We focus on the three main attacks on cryptosystems based on GRS codes. Two of them are structural (or key recovery) attacks, namely the Sidelnikov-Shestakov attack and the distinguisher attack based on the Schur product of the public code. The third one is the best known non-structural attack called information set decoding (ISD).
4.1. Sidelnikov and Shestakov attack
The first code-based cryptosystem using GRS codes as secret codes was proposed by Niederreiter in the same article [36] as the famous Niederreiter cryptosystem. This proposal was then attacked by Sidelnikov and Shestakov in [43], who used the fact that the public matrix is still a generator matrix of a GRS code and were able to recover the evaluation points and hence the GRS structure of the public matrix.
In the cryptosystem proposed in Section 3, the secret GRS parity check matrix over is hidden in two ways: first by puncturing its expanded parity check matrix over and then by scrambling the columns of the punctured matrix . Due to the multiplication with a block diagonal matrix, the resulting code is no longer equivalent to an evaluation code (or an expanded evaluation code). Hence evaluations (or expanded evaluation column vectors) cannot be exploited using the Sidelnikov-Shestakov attack.
4.2. Distinguisher attack based on the Schur product
For the attack based on the Schur product we need to introduce some definitions and notations.
**Definition 4.1** (Schur product).
Let . We denote by the Schur product of and their component-wise product
[TABLE]
**Remark 3.**
The Schur product is symmetric and bilinear.
**Definition 4.2** (Schur product of codes and square code).
Let be two codes of length . The Schur product of two codes is the vector space spanned by all with and :
[TABLE]
If , then we call the square code of and denote it by .
**Definition 4.3** (Schur matrix).
Let be a matrix, with rows . The Schur matrix of , denoted by , consists of the rows for
We observe by Remark 3 that if is a generator matrix of a code then its Schur matrix is a generator matrix of the square code of . Let be the following map
[TABLE]
For a matrix , we observe that has the size .
Various McEliece cryptosystems based on modifications of GRS codes have been proved to be insecure [15, 18, 20]. This is because the dimension of the square code of GRS codes is very low compared to a random linear code of the same dimension. Moreover, other families of codes have also been shown to be vulnerable against the attacks based on Schur products. In [16], Couvreur et al. presented a general attack against cryptosystems based on algebraic geometric codes and their subcodes. In [19] Faugère et al. showed that high rate binary Goppa codes can be distinguished from a random code. In [17], Couvreur et al. presented a polynomial time attack against cryptosystems based on non-binary Goppa codes defined over quadratic extensions.
The distinguisher attack is based on the low dimensional square code of the public code (or of the shortened public code). In the following, based on experimental observations, we infer that the public code of the proposed cryptosystem cannot be distinguished using square code techniques.
Let be the public code of the proposed cryptosystem. Note that is a shortening of an expanded GRS code .
1. Squares of expanded GRS codes: Like in the case of Reed-Solomon codes and their subfield subcodes, the expanded GRS codes also have low square code dimension. To see this, we visualize expanded GRS codes as subfield subcodes of GRS-like codes. Let be a GRS code of length and dimension over having the following parity check matrix
[TABLE]
where is a vector of distinct elements in , is a vector over and . Let be a primitive element in . We define a new code of length over given by the kernel of the following parity check matrix
[TABLE]
Using Lemma 2.2, it is easy to observe that the expanded code of with respect to is permutation equivalent to the -kernel of . In other words is permutation equivalent to the subfield subcode of over . Observe that a generator matrix of is given by
[TABLE]
where is such that , and . One can verify that . Observe that a generator matrix of is permutation equivalent to
[TABLE]
where is a generator matrix of the subfield subcode of over , and is a generator matrix of the -subfield subcode of the bottom rows of . The matrix is also known as the glue-vector generator matrix, as in [45]. Due to the block structure of , the Schur matrix of will have many zero rows. As a result the dimension of the square code is not full, given large enough . This may lead to vulnerabilities when using expanded GRS codes directly in the cryptosystem.
2. Effect of Shortening: Consider the parity check matrix of an expanded GRS code as shown in Lemma 2.2. We partition the columns of into blocks, each of size . By the definition of , each of these blocks corresponds to a unique column vector of the parity check matrix of the parent GRS code. In order to weaken this correspondence, we puncture (randomly chosen) of the columns from each block of . As a result the correspondence of each block to the parent column vector is inconsistent. In addition we multiply the punctured parity check matrix by an invertible block diagonal matrix . This further destroys the algebraic structure inherited from the parent GRS code. This was evident in our computations of the square code dimension of such shortened codes. Even in the case of we observed that puncturing one column from each block of results in a full square code dimension.
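The expansion of Section 2 and the square-code dimension of Section 4.2, worked on a toy code. This is an added example, not code from the paper: it builds a [7,3] Reed-Solomon code over GF(8) (a constructed choice, far smaller than the paper's parameters), expands it to a binary [21,9] code as in Definition 2.1 and Lemma 2.2 (1), checks the dimension claim of Remark 1, and computes the Schur square dimension of Definitions 4.2 and 4.3 for both the GRS code (2k-1, far below the random bound) and its expansion.

```python
from itertools import product
# GF(2^m): elements as ints, bit i = coefficient of alpha^i. Constructed toy code, not the paper's.
def gf_mul(a, b, m, poly):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:
            a ^= poly
    return r

def rank(rows, m, poly):
    """Rank over GF(2^m) by Gaussian elimination; m=1, poly=0b11 is GF(2)."""
    rows, rk = [list(r) for r in rows], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(rk, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        p = rows[rk][c]
        for i in range(rk + 1, len(rows)):  # scale row i by the pivot (rank-preserving)
            f = rows[i][c]                  # and cancel its entry in column c
            rows[i] = [gf_mul(p, x, m, poly) ^ gf_mul(f, y, m, poly)
                       for x, y in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def phi(v, m):
    """Section 2.1 isomorphism (q = 2): write each coordinate in the basis 1, alpha, ..., alpha^(m-1)."""
    return [(x >> i) & 1 for x in v for i in range(m)]

def expanded_generator(G, m, poly):
    """Lemma 2.2 (1): the expanded generator matrix has rows phi(alpha^i * g_j)."""
    return [phi([gf_mul(1 << i, x, m, poly) for x in g], m)
            for g in G for i in range(m)]

def rs_generator(n, k, m, poly):
    """[n, k] Reed-Solomon code: row j evaluates x^j at n distinct nonzero points."""
    pts, G, row = list(range(1, n + 1)), [], [1] * n
    for _ in range(k):
        G.append(row)
        row = [gf_mul(x, p, m, poly) for x, p in zip(row, pts)]
    return G

def square_dim(G, m, poly):
    """Definitions 4.2/4.3: dim(C * C) = rank of the Schur matrix of G."""
    schur = [[gf_mul(x, y, m, poly) for x, y in zip(G[i], G[j])]
             for i in range(len(G)) for j in range(i, len(G))]
    return rank(schur, m, poly)

def demo(n=7, k=3, m=3, poly=0b1011):
    """RS[7,3] over GF(8) = GF(2)[x]/(x^3 + x + 1), expanded to a binary [21, 9] code."""
    G = rs_generator(n, k, m, poly)
    Gexp = expanded_generator(G, m, poly)
    imgs = []  # Definition 2.1 directly: {phi(c) : c in C} over all 8^3 codewords
    for coeffs in product(range(1 << m), repeat=k):
        c = [0] * n
        for a, g in zip(coeffs, G):
            c = [x ^ gf_mul(a, y, m, poly) for x, y in zip(c, g)]
        imgs.append(phi(c, m))
    d_exp = rank(Gexp, 1, 0b11)
    return {
        "dim_expanded": d_exp,                                   # Remark 1: k*m = 9
        "lemma_2_2_holds": rank(imgs, 1, 0b11) == d_exp == rank(Gexp + imgs, 1, 0b11),
        "square_dim_C": square_dim(G, m, poly),                  # RS: 2k-1 = 5 < min(n, k(k+1)/2) = 6
        "square_dim_expanded": square_dim(Gexp, 1, 0b11),        # compare with min(mn, d(d+1)/2) = 21
    }
```

Over GF(2) every codeword satisfies c * c = c, so the square of the expanded code always contains the code itself; the paper's observation is that for large enough length the square still falls short of the random-code bound.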
4.3. Information Set Decoding
Information set decoding (ISD) algorithms are the best known algorithms for decoding a general linear code. ISD algorithms were introduced by Prange [39] in 1962. Since then several improvements have been proposed for codes over the binary field by Lee-Brickel [27], Leon [28], Stern [44] and more recently by Bernstein et al. [13], Becker et al. [9], May-Ozerov [30]. Several of these algorithms have been generalized to the case of codes over general finite fields, see [21, 22, 23, 35, 38].
An ISD algorithm in its simplest form first chooses an information set , which is a size subset of such that the restriction of the parity check matrix to the columns indexed by the complement of is non-singular. Then Gaussian elimination brings the parity check matrix into a standard form, and assuming that the errors lie outside the information set, the same row operations applied to the syndrome reveal the error vector, provided its weight does not exceed the given error correction capacity.
ISD for the proposed cryptosystem:
In the proposed cryptosystem we introduce a burst pattern in the error vector; in particular, the error vector has support in sub-vectors each of length . Hence, we modify Stern’s ISD algorithm to incorporate this pattern in the error vector.
We first recall Stern’s algorithm. The algorithm partitions the information set into two equal-sized subsets and , and chooses uniformly at random a subset of size outside of . Then it looks for vectors having exactly weight among the columns indexed by , exactly weight among the columns indexed by , exactly weight 0 in the columns indexed by , and the missing weight in the remaining indices.
In the proposed cryptosystem we are given a public code of length and dimension over . We also know that the error vector has support in sub-vectors of length . Hence we use Stern’s algorithm on the blocks of size . We consider the information set to consist of blocks. We partition into two equal-sized subsets and , and choose uniformly at random a subset of blocks outside of . Then we look for vectors having support in exactly blocks in , exactly blocks in , and exactly 0 blocks in .
In Section 5 we compute the key sizes of the proposed cryptosystem having 256-bit security against this modified ISD algorithm.
5. Key size
In this section we compute the key sizes of the proposed cryptosystem having 256-bit security against the ISD algorithm discussed in Section 4.3. Later we compare these key sizes with the key sizes of the McEliece cryptosystem using binary Goppa codes [11] and some recently proposed cryptosystems that are using Reed-Solomon codes as secret codes. These are based on the idea of [5, 6] (BBCRS), where the authors proposed to hide the structure of the code using as transformation matrix the sum of a rank matrix and a weight matrix. The proposed parameters in [5, 6] with and were broken by the square code attack [15, 18], where denotes the rate of the code. Two countermeasures were recently proposed in [8, 25]. In order to hide the structure of the Reed-Solomon code the authors of [8] use and or and . Whereas in [25] the transformation matrix has weight and rank .
In the proposed cryptosystem, the public key is a parity check matrix of a linear code over having length and dimension . Hence the public key size is bits. For a degree of extension , let be the public code.
In Table 1, we provide the key sizes for different rates of the public code achieving a 256-bit security level against the modified ISD algorithm discussed in Section 4.3. Observe that the smallest key size is achieved at rate .
In Table 2, we provide the key sizes for different rates of the public code achieving a 256-bit security level against the modified ISD algorithm discussed in Section 4.3. In this case the smallest key size is achieved at rate .
In conclusion, for a bit security level we propose to use the cryptosystem with the two sets of parameters and , see Table 3.
The proposed parameters for the classic McEliece system using binary Goppa codes by Bernstein et al. in [11] are , which gives a key size of bits. It achieves a security level of 260-bits with respect to the ball-collision algorithm [13].
In comparison to the classic McEliece system, the Type I set of parameters reduces the key size by and the Type II set of parameters reduces the key size by .
6. Acknowledgement
The authors would like to thank Matthieu Lequesne and Jean-Pierre Tillich for pointing out the square code vulnerability in the case of quadratic extensions. This work has been supported by the Swiss National Science Foundation under grant no. 169510.
References
- [1] Carlos Aguilar, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, and Gilles Zémor. Efficient Encryption From Random Quasi-Cyclic Codes. IEEE Transactions on Information Theory, 64(5):3927–3943, May 2018.
- [2] Martin Albrecht, Carlos Cid, Kenneth G. Paterson, Cen Jung Tjhai, and Martin Tomlinson. NTS-KEM, 2018.
- [3] Nicolas Aragon, Paulo S.L.M. Barreto, Slim Bettaieb, Loïc Bidoux, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Shay Gueron, Tim Güneysu, Carlos Aguilar Melchor, Rafael Misoczki, Edoardo Persichetti, Nicolas Sendrier, Jean-Pierre Tillich, and Gilles Zémor. BIKE: Bit Flipping Key Encapsulation, 2017.
- [4] Marco Baldi, Alessandro Barenghi, Franco Chiaraluce, Gerardo Pelosi, and Paolo Santini. LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes. In International Conference on Post-Quantum Cryptography, pages 3–24. Springer, 2018.
- [5] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Rosenthal, and Davide Schipani. A Variant of the McEliece Cryptosystem with Increased Public Key Security. In Proceedings of the Seventh International Workshop on Coding and Cryptography (WCC) 2011, pages 173–182, 2011.
- [6] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Rosenthal, and Davide Schipani. Method and Apparatus for Public-Key Cryptography Based on Error Correcting Codes, November 17, 2015. US Patent 9,191,199.
- [7] Marco Baldi, Marco Bodrato, and Franco Chiaraluce. A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In International Conference on Security and Cryptography for Networks, pages 246–262. Springer Berlin Heidelberg, 2008.
- [8] Marco Baldi, Franco Chiaraluce, Joachim Rosenthal, Paolo Santini, and Davide Schipani. On the security of generalized Reed-Solomon code-based cryptosystems. IET Information Security, 2019.
