Distinguishers for Skew and Linearized Reed-Solomon Codes

TL;DR

This paper demonstrates that generalized skew and linearized Reed-Solomon codes can be efficiently distinguished from random codes, revealing their structural properties and limitations in cryptographic applications.

Contribution

It proves that GSRS and GLRS codes decompose into GRS subcodes, making them distinguishable, and provides explicit transformations between these code types.

Findings

GSRS and GLRS codes are distinguishable from random codes using the square code method.

The distinguishability applies even with Hamming-isometric disguising.

Explicit algebraic transformations between GSRS and GLRS codes are provided.

Abstract

Generalized Reed-Solomon (GRS) and Gabidulin codes have been proposed for various code-based cryptosystems, though most such schemes without elaborate disguising techniques have been successfully attacked. Both code classes are prominent examples of the isometric families of (generalized) skew and linearized Reed-Solomon ((G)SRS and (G)LRS) codes which are obtained as evaluation codes from skew polynomials. Both GSRS and GLRS codes share the advantage of achieving the maximum possible error-decoding radius and thus promise smaller key sizes than e.g. Classic McEliece. We investigate whether these generalizations can avoid the known structural attacks on GRS and Gabidulin codes. In particular, we prove that both GSRS and GLRS codes decompose into GRS subcodes and are thus efficiently distinguishable from random codes with a square code method. This applies to all parameters for which the code length $n$ and its dimension $k$ over the field $\mathbb{F}_{q^m}$ satisfy $m + 1 < k < n - \tfrac{1}{2} (m^2 + 3m)$. The distinguishability extends to GSRS and GLRS codes with Hamming-isometric disguising. We further relate these findings to existing distinguishers for GRS, Gabidulin, and LRS codes, and extend known results on duals of SRS and LRS codes to the generalized setting allowing nonzero column multipliers. Finally, we provide explicit transformations between GSRS and GLRS codes, clarifying the algebraic relationship between the skew and linearized frameworks.