3 research outputs found

    A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes

    Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set L. We give here a distinguisher that detects if one or several columns belong to L or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset I of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of I with L. This allows an attack which recovers the full set L and which can then decrypt any ciphertext. Comment: 11 page

    A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes

    Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set L. We give here a distinguisher that detects if one or several columns belong to L or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset I of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of I with L. This allows an attack which recovers the full set L and which can then decrypt any ciphertext.

    A Distinguisher for High Rate McEliece Cryptosystems

    The Goppa Code Distinguishing (GD) problem consists in distinguishing the matrix of a Goppa code from a random matrix. The hardness of this problem is an assumption to prove the security of code-based cryptographic primitives such as McEliece's cryptosystem. Up to now, it is widely believed that the GD problem is a hard decision problem. We present the first method allowing to distinguish alternant and Goppa codes over any field. Our technique can solve the GD problem in polynomial-time provided that the codes have sufficiently large rates. The key ingredient is an algebraic characterization of the key-recovery problem. The idea is to consider the rank of a linear system which is obtained by linearizing a particular polynomial system describing a key-recovery attack. Experimentally it appears that this dimension depends on the type of code. Explicit formulas derived from extensive experimentations for the rank are provided for "generic" random, alternant, and Goppa codes over any alphabet. Finally, we give theoretical explanations of these formulas in the case of random codes, alternant codes over any field of characteristic two and binary Goppa codes.