
    Cryptanalysis of the Niederreiter Public Key Scheme Based on GRS Subcodes

    A new structural attack on the McEliece/Niederreiter public-key cryptosystem based on subcodes of generalized Reed-Solomon codes, as proposed by Berger and Loidreau, is described. It allows the reconstruction of the private key for almost all practical parameter choices, in polynomial time and with high probability.

    On some properties of the Schur - Hadamard product for linear codes and their applications

    The Schur-Hadamard product is actively used in the cryptanalysis of asymmetric code-based cryptosystems of McEliece type built on linear codes. Specifically, this product has been applied successfully to the cryptanalysis of code-based systems on subcodes of generalized Reed-Solomon codes, on binary Reed-Muller codes and their subcodes of codimension 1, and on concatenations of certain known codes. As a way of strengthening the security of the cryptosystem, the authors earlier proposed a system based on the tensor product of linear codes. In order to analyse the security of that system, the present work studies the properties of the Schur-Hadamard product for the tensor product of arbitrary linear codes. As a result, necessary and sufficient conditions are obtained for the s-th power of a tensor product of codes to be permutation-equivalent to a direct sum of codes. This result makes it possible, in particular, to choose the parameters of the linear codes so that the Schur-Hadamard product of the tensor product coincides with the whole space in which that product is defined. In this way one can determine parameters of the linear codes for which an attack based on applying the Schur-Hadamard product to the public key does not succeed. Some new properties of the Schur-Hadamard product for linear codes are obtained, which in particular made it possible to prove the indecomposability of binary Reed-Muller codes. As a consequence, a theorem on the structure of the permutation automorphism group of a direct sum of indecomposable codes is proved.

    A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes

    Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error-correcting codes. The underlying public code is a modified Reed-Solomon code obtained by inserting a zero submatrix into the Vandermonde generator matrix that defines it. The columns that define this submatrix are kept secret and form a set $L$. We give here a distinguisher that detects whether one or several columns belong to $L$ or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). This operation is applied to punctured versions of this square code obtained by picking a subset $I$ of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of $I$ with $L$. This allows an attack which recovers the full set $L$ and which can then decrypt any ciphertext.
    Comment: 11 page

    Structural Properties of Twisted Reed-Solomon Codes with Applications to Cryptography

    We present a generalisation of Twisted Reed-Solomon codes containing a new large class of MDS codes. We prove that the code class contains a large subfamily that is closed under duality. Furthermore, we study the Schur squares of the new codes and show that their dimension is often large. Using these structural properties, we single out a subfamily of the new codes which could be considered for code-based cryptography: these codes resist some existing structural attacks on Reed-Solomon-like codes, that is, methods for retrieving the code parameters from an obfuscated generator matrix.
    Comment: 5 pages, accepted at IEEE International Symposium on Information Theory 201

    A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes

    Baldi et al. proposed a variant of McEliece's cryptosystem. The main idea is to replace its permutation matrix by adding to it a rank-1 matrix. The motivation for this change is twofold: it would allow the use of codes that were shown to be insecure in the original McEliece cryptosystem, and it would reduce the key size while keeping the same security against generic decoding attacks. The authors suggest using generalized Reed-Solomon codes instead of Goppa codes. The public code built with this method is no longer a generalized Reed-Solomon code. On the other hand, it contains a very large secret generalized Reed-Solomon code. In this paper we present an attack built upon a distinguisher that is able to identify elements of this secret code. The distinguisher is constructed by considering the code generated by component-wise products of codewords of the public code (the so-called "square code"). By using square-code dimension considerations, the initial generalized Reed-Solomon code can be recovered, which makes it possible to decode any ciphertext. A similar technique has already been successful in mounting an attack against a homomorphic encryption scheme suggested by Bogdanov et al. This work can be viewed as another illustration of how a distinguisher for Reed-Solomon codes can be used to devise an attack on cryptosystems based on them.
    Comment: arXiv admin note: substantial text overlap with arXiv:1203.668

    On Linear Codes with Random Multiplier Vectors and the Maximum Trace Dimension Property

    Let $C$ be a linear code of length $n$ and dimension $k$ over the finite field $\mathbb{F}_{q^m}$. The trace code $\mathrm{Tr}(C)$ is a linear code of the same length $n$ over the subfield $\mathbb{F}_q$. The obvious upper bound for the dimension of the trace code over $\mathbb{F}_q$ is $mk$. If equality holds, we say that $C$ has maximum trace dimension. The problem of finding the true dimension of trace codes and their duals is relevant to the size of the public key of various code-based cryptographic protocols. Let $C_{\mathbf{a}}$ denote the code obtained from $C$ and a multiplier vector $\mathbf{a}\in(\mathbb{F}_{q^m})^n$. In this paper, we give a lower bound for the probability that a random multiplier vector produces a code $C_{\mathbf{a}}$ of maximum trace dimension. We give an interpretation of the bound for the class of algebraic geometry codes in terms of the degree of the defining divisor. The bound explains the experimental fact that random alternant codes have minimal dimension. Our bound holds whenever $n\geq m(k+h)$, where $h\geq 0$ is the Singleton defect of $C$. For the extremal case $n=m(h+k)$, numerical experiments reveal a close connection between the probability of having maximum trace dimension and the probability that a random matrix has full rank.
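    The two structural tools that run through these abstracts, the square-code (Schur-Hadamard) dimension distinguisher used against Reed-Solomon-like codes and the trace-code dimension of a code twisted by a multiplier vector, can both be checked numerically on toy instances. The following Python script is an added example written for this page; it is not code from any of the papers listed above. It assumes a small prime field GF(101), GF(101^2) built as GF(101)[w]/(w^2 - D) with D a quadratic non-residue (so m = 2), and toy parameters n = 40, k = 8; all function names are this example's own.

```python
import random

# Toy parameters (assumptions for this example): a small prime field and
# GRS parameters with n >= 2k, so the square of GRS_k has room to be GRS_{2k-1}.
P = 101


def rank_mod_p(rows, p=P):
    """Rank of a list of row vectors over GF(p), by Gaussian elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def grs_generator(n, k, p=P, seed=0):
    """Generator matrix of GRS_k(alpha, v) over GF(p): row j is (v_i * alpha_i^j)_i."""
    rng = random.Random(seed)
    alpha = rng.sample(range(p), n)                 # distinct evaluation points
    v = [rng.randrange(1, p) for _ in range(n)]     # nonzero column multipliers
    return [[(v[i] * pow(alpha[i], j, p)) % p for i in range(n)] for j in range(k)]


def random_generator(n, k, p=P, seed=0):
    """Generator matrix of a random [n, k] code over GF(p): the generic reference."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def schur_square_dim(G, p=P):
    """Dimension of the square code C * C, the span of all component-wise products of
    codewords; it is generated by the products of pairs of generator rows."""
    prods = [[(a * b) % p for a, b in zip(G[i], G[j])]
             for i in range(len(G)) for j in range(i, len(G))]
    return rank_mod_p(prods, p)


# GF(p^2) = GF(p)[w]/(w^2 - D), D a quadratic non-residue; elements are pairs (u, v) = u + v*w.
D = next(d for d in range(2, P) if pow(d, (P - 1) // 2, P) == P - 1)


def f2_mul(x, y, p=P, d=D):
    (u1, v1), (u2, v2) = x, y
    return ((u1 * u2 + d * v1 * v2) % p, (u1 * v2 + u2 * v1) % p)


def trace(x, p=P):
    """Tr(x) = x + x^p. Because D is a non-residue, w^p = -w, hence Tr(u + v*w) = 2u."""
    return (2 * x[0]) % p


def trace_code_dim(G2, p=P, d=D):
    """Dimension over GF(p) of Tr(C), C being the GF(p^2)-span of the rows of G2.
    Tr(C) is spanned by Tr(b * g) for b in the GF(p)-basis {1, w} and rows g, so it is at most 2k."""
    w = (0, 1)
    rows = []
    for g in G2:
        rows.append([trace(x, p) for x in g])
        rows.append([trace(f2_mul(w, x, p, d), p) for x in g])
    return rank_mod_p(rows, p)


def multiply_code(G2, a, p=P, d=D):
    """C_a = {(a_1 c_1, ..., a_n c_n) : c in C}: scale column i by the multiplier a_i."""
    return [[f2_mul(a[i], x, p, d) for i, x in enumerate(g)] for g in G2]


def demo(n=40, k=8, seed=1):
    """Run both experiments and return the observed dimensions."""
    G = grs_generator(n, k, seed=seed)
    R = random_generator(n, k, seed=seed)
    # Experiment 1: the square-code distinguisher. GRS_k squares to GRS_{2k-1},
    # a random [n, k] code squares to (almost always) dimension min(n, k(k+1)/2).
    square = {"grs": schur_square_dim(G), "random": schur_square_dim(R),
              "generic_bound": min(n, k * (k + 1) // 2)}
    # Experiment 2: trace dimension. The same GRS code viewed inside GF(p^2)^n is a
    # subfield code with trace dimension k; a random multiplier vector lifts it to 2k.
    G2 = [[(x, 0) for x in g] for g in G]
    rng = random.Random(seed)
    a = [(rng.randrange(P), rng.randrange(1, P)) for _ in range(n)]   # nonzero a_i
    tr = {"subfield": trace_code_dim(G2),
          "multiplied": trace_code_dim(multiply_code(G2, a)), "max": 2 * k}
    return {"square": square, "trace": tr}


if __name__ == "__main__":
    print(demo())
```

    With these parameters the GRS square has dimension 2k - 1 = 15 while the random code's square fills (essentially) the generic bound of 36; that gap is exactly what the distinguisher-based attacks above exploit, and what the tensor-product and twisted-RS constructions try to close by making the Schur square large. The trace experiment shows the other abstract's point: the subfield code has trace dimension k = 8, but after a random multiplier vector the trace code reaches the maximum mk = 16, since n = 40 satisfies n >= m(k + h) with h = 0 for an MDS code.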