In 1978, in the seminal article , R. J. McEliece designed a public key encryption scheme relying on the hardness of the bounded decoding problem , i.e. on the hardness of decoding an arbitrary code. For a long time, this scheme was considered as unpractical because of the huge size of the public keys compared to public key encryption schemes relying on algorithmic number theoretic problems. The trend changed in the last decade because of the progress of quantum computing and the increasing threat of the existence in a near future of a quantum computer able to break usual cryptography primitives based on number theoretic problems. An evidence for this change of trend is the recent call of the National Institute for Standards and Technology (NIST) for post quantum cryptography. The majority of the submissions to this call are based either on codes or on lattices.
After forty years of research on code based cryptography, one can identify two general trends for instantiating McEliece’s scheme. The first one consists in using codes from probabilistic constructions such as MDPC codes [23, 1]. The other one consists in using algebraic codes such as Goppa codes or more generally alternant codes. A major difference between these two families of proposals is that the first one, based on MDPC codes benefits in some cases from clean security reductions to the decoding problem.
Concerning McEliece instantiations based on algebraic codes, which include McEliece’s original proposal based on binary Goppa codes, two approaches have been considered in order to address the drawback of the large of pubic key sizes. On the one hand, some proposals suggested to replace Goppa or alternant codes by more structured codes such as generalised Reed–Solomon (GRS) codes , their low dimensional subcodes , or GRS codes to which various transformations have been applied [30, 2, 29]. It turns out that most of these proposals have been subject to polynomial time key-recovery attacks [28, 31, 9, 13]. In addition, proposals based on Goppa codes which are close to GRS codes, namely Goppa code with a low extension degree have been the target of some structural attacks [17, 12]. On the other hand, many proposals suggest the use of codes with a non trivial automorphism group [18, 5, 22, 26]. A part of these proposals has been either partially or completely broken [25, 16, 15]. In particular, in the design of such proposals, precautions should be taken since the knowledge of a non trivial automorphism group of the public code facilitates algebraic attacks by significantly reducing the degrees and number of variables of the algebraic system to solve in order to recover the secret key.
Among the recent submissions to NIST call for post quantum cryptography, a proposal called DAGS  is based on the use of quasi–dyadic (QD) generalised Srivastava codes with extension degree . By quasi–dyadic we mean that the permutation group of the code is of the form for some positive integer . Moreover, generalised Srivastava codes form a proper subclass of alternant codes. DAGS proposal takes advantage of both usual techniques to reduce the size of the keys. First, by using alternant codes which are close to generalised Reed Solomon codes i.e. with an extension degree . Second, by using codes with a large permutation group. In terms of security with respect to key recovery attacks, DAGS parameters are chosen to be out of reach of the algebraic attacks [16, 15]. In addition, it should be emphasised that the choice of alternant codes which are not Goppa codes permits to be out of reach of the distinguisher by shortening and squaring used in .
In this article, we present an attack breaking McEliece instantiations based on alternant codes with extension degree and a large permutation group. This attack permits to recover the secret key in operations in , where denotes the permutation group, the code length and is the base field of the public code. The key step of the attack consists in finding some subcode of the public code referred to as . From this code and using an operation we called conductor, the secret key can easily be recovered. For this main step, we present two ways to proceed, the first approach is based on a partial brute force search while the second one is based on the resolution of a polynomial system of degree
. An analysis of the work factor of this attack using the first approach shows that DAGS keys with respective estimated security levels 128, 192 and 256 bits can be broken with respective approximate work factorsand . For the second approach, we were not able to provide a complexity analysis. However, its practical implementation using Magma  is impressively efficient on some DAGS parameters. In particular, it permits to break claimed 256 bits security keys in less than one minute!
This attack is a novel and original manner to recover the structure of alternant codes by jointly taking advantage of the permutation group and the small size of the extension degree. Even if some variant of the attack reposes on the resolution of a polynomial system, this system has nothing to do with those of algebraic attacks of [16, 15, 17]. On the other hand, despite this attack shares some common points with that of  where the Schur product of codes (See Section 2 for a definition) plays a crucial role, the keys we break in the present article are out of reach of a distingusher by shortening and squaring and hence our attack differs from filtration attacks as in [12, 10].
It is worth noting that reparing DAGS scheme in order to resist to the present attack is possible. Recently, the authors presented new parameter sets which are out of reach of the first version of the attack. These new parameters are available on the current version of the proposal111https://dags-project.org/pdf/DAGS_spec.pdf.
1 Notation and prerequisites
1.1 Subfield subcodes and trace codes
Given a code of length over , its subfield subcode
is the subcode of vectors whose entries all lie in, that is the code:
The trace code is the image of the code by the component wise trace map
Let us recall a classical and well–known result on subfield subcodes and trace codes.
Theorem 1.1 (Delsarte Theorem )
Let be a code. Then
1.2 Generalised Reed–Solomon codes and alternant codes
Let be a power of prime and a positive integer. We denote by the vector space of polynomials over whose degree is bounded from above by . Let be a positive integer, we will consider codes over with their subfield subcodes over . In § 2 and further, we will focus particularly on the case .
Definition 2 (Supports and multipliers)
A vector whose entries are pairwise distinct is called a support. A vector whose entries are all nonzero is referred to as a multiplier.
Definition 3 (Generalised Reed–Solomon codes)
Let be a positive integer, be a support and be a multiplier. The generalised Reed–Solomon (GRS) code with support and multiplier of dimension is defined as
When , the code is a Reed–Solomon code and is denoted as .
The dual of a GRS code is a GRS code too. This is made explicit in Lemma 1 below. Let us first introduce an additional notation.
Let be a support, we define the polynomial as
Let be a support and a multiplier of length and . Then
and denotes the derivative of the polynomial .
Definition 4 (Alternant code)
Let be positive integers such that . Let be a support, be a multiplier and be a positive integer. The alternant code of support , multiplier and degree over is defined as
The integer is referred to as the extension degree of the alternant code.
Next, by duality and using Delsarte’s Theorem (Theorem 1.1), we have
We refer the reader to [20, Chapter 12] for further properties of alternant codes. Recall that the code defined in Definition 4 has dimension and equality holds in general. Moreover, these codes benefit from efficient decoding algorithms correcting up to errors (see [20, Chapter 12§9]).
1.2.1 Fully non degenerate alternant codes
We conclude this subsection on alternant codes by a definition which is useful in the sequel.
An alternant code is said to be fully non degenerate if it satisfies the two following conditions.
A generator matrix of has no zero column.
Most of the time, an alternant code is fully non degenerate.
1.3 Punctured and shortened codes
The notions of puncturing and shortening are classical ways to build new codes from existing ones. We recall here their definition.
Let be a code of length and . The puncturing and the shortening of at are respectively defined as the codes
Let us finish by recalling the following classical result.
Let be a vector and . Then, the vector denotes the vector obtained from be removing the entries whose indexes are in .
Let be positive integers. Let be as in Definition 4. Let . Then
See for instance [12, Proposition 9]. ∎
1.4 Quasi–dyadic codes, quasi-dyadic alternant codes
Quasi–dyadic (QD) codes are codes with a nontrivial permutation group isomorphic to for some positive integer . Such a code has length . The permutation group of the code is composed of permutations, each one being a product of transpositions with disjoint supports. The example of interest in the present article is the case of QD–alternant codes. In what follows, we explain how to create them.
From now on, denotes a power of and denotes the positive integer such that .
Let be an additive subgroup with generators, i.e. is an –vector subspace of of dimension with an –basis . Clearly, as an additive group, is isomorphic to . The group acts on by translation: for any , we denote by the translation
Using the basis , we fix an ordering in as follows. Any element can be regarded as an element and we sort them by lexicographic order. For instance, if :
Let for some positive and such that . Let be a support which splits into blocks of elements of , each block being an orbit under the action of by translation on sorted using the previously described ordering. For instance, suppose , then such an is of the form,
where the ’s are chosen to have disjoint orbits under the action of by translation on .
Let be a multiplier which also splits into blocks of length whose entries are equal.
Let be a positive integer and consider the code .
The set of entries of is globally invariant under the action of by translation. In particular, for any , the translation induces a permutation of the code . We refer this permutation to as . For instance, reconsidering Example (3), the permutations and are respectively of the form
The group of permutations is isomorphic to and hence to . For convenience, we also denote this group of permutations by .
For any , the code is quasi–dyadic.
See for instance [27, Chapter 5]. ∎
1.5 Invariant subcode of a quasi–dyadic code
Given a code with a non–trivial permutation group , we define the code as the subcode of :
The invariant subcode has repeated entries since on any orbit of the support under the action of , the entries of a codeword are equal. This motivates an alternative definition of the invariant code where repetitions have been removed.
In the context of Definition 7, let be a vector such that for any , . We denote by the vector obtained by keeping only one entry per orbit under the action of on the support. We define the invariant code with non repeated entries as
We are interested in the structure of invariant of QD alternant codes. To study this structure, we first need to recall some basic notions of additive polynomials.
1.5.1 Additive polynomials
An additive polynomial is a polynomial whose monomials are all of the form for . Such a polynomial satisfies for any .
The zero locus of an additive polynomial in is an additive subgroup of
and such polynomials satisfy some interpolation properties.
Let be an additive group of cardinality . There exists a unique additive polynomial which is monic of degree and vanishes at any element of .
See [19, Proposition 1.3.5 & Lemma 1.3.6]. ∎
From now on, given an additive subgroup , we always denote by the unique monic additive polynomial of degree in that vanishes on .
1.5.2 Invariant of a quasi–dyadic alternant code
It turns out that the invariant code with non repeated entries of a QD alternant code is an alternant code too. This relies on the following classical result of invariant theory for which a simple proof can be found in .
Let and be an additive subgroup. Suppose that for any , . Then, there exists such that , where is the monic additive polynomial of degree vanishing at any element of .
This entails the following result on the structure of the invariant code of an alternant code. We refer to Definition 8 for the notation in the following statement.
Let be a –alternant code with permutation group of order . Set . Then,
Among the schemes recently submitted to NIST, the submission DAGS  uses as a primitive a McEliece encryption scheme based on QD generalised Srivastava codes. It is well known that generalised Srivastava codes form a subclass of alternant codes [20, Chapter 12]. Therefore, this proposal lies in the scope of the attack presented in what follows.
Parameters proposed in DAGS submission are listed in Table 1.
Let us recall what do the parameters stand for:
denotes the size of the base field of the alternant code;
denotes the extension degree. Hence the GRS code above the alternant code is defined over ;
denotes the length of the QD alternant code;
denotes the length of the invariant code with non repeated entries , where denotes the permutation group.
denotes the dimension of the QD alternant code;
denotes the dimension of the invariant code;
denotes the number of generators of , i.e. ;
denotes the degree of the invariant code with non repeated entries, which is alternant according to Theorem 1.3.
The indexes and in the parameters names correspond to security levels according to NIST’s call. Level 1, corresponds to 128 bits security with a classical computer, Level 3 to 192 bits security and Level 5 to 256 bits security.
In addition to the set of parameters of Table 1, we introduce self chosen smaller parameters listed in Table 2. They do not correspond to claimed secure instantiations of the scheme but permitted to test some of our assumptions by computer aided calculations.
2 Schur products
From now on and unless otherwise specified, the extension degree will be equal to . This is the context of any proposed parameters in DAGS.
2.1 Product of vectors
The component wise product of two vectors in is denoted by
Next, for any positive integer we define as
More generally, given a polynomial we define as the vector . In particular, given , we denote by and the vectors obtained by applying respectively the trace and the norm map component by component:
Finally, the all one vector , which is the unit vector of the algebra with operations and is denoted by .
2.2 Schur product of codes
The Schur product of two codes and is defined as
In particular, denotes the square code of a code : .
2.3 Schur products of GRS and alternant codes
The behaviour of GRS and of some alternant codes with respect to the Schur product is very different from that of random codes. This provides a manner to distinguish GRS codes from random ones and leads to a cryptanalysis of GRS based encryption schemes [31, 9, 13]. Some alternant codes, namely Wild Goppa codes with extension degree 2 have been also subject to a cryptanalysis based on Schur products computations [11, 12].
Here we recall an elementary but crucial result.
Let be a support and be multipliers. Let be two positive integers, then
See for instance [9, Proposition 6].∎
In this section, we introduce a fundamental object in the attack to follow. This object was already used in [10, 12] without being named. We chose here to call it conductor. The rationale behind this terminology is explained in Remark 2.
Let and be two codes of length over . The conductor of into is defined as the largest code such that . That is:
Let be two codes, then
The terminology conductor has been borrowed from number theory in which the conductor of two subrings of the ring of integers of a number field is the largest ideal of such that .
3.1 Conductors of GRS codes
Let be a support and a multiplier. Let be two integers less than . Then,
Let us emphasize a very interesting aspect of Proposition 4. We considered the conductor of a GRS code into another one having the same support and multiplier. The point is that the conductor does not depend on . Hence the computation of a conductor permits to get rid of the multiplier and to obtain a much easier code to study: a Reed–Solomon code.
3.2 An illustrative example : recovering the structure of GRS codes using conductors
Before presenting the attack on QD–alternant codes, we propose first to describe a manner to recover the structure of a GRS code. This may help the reader to understand the spirit the attack to follow.
Suppose we know a generator matrix of a code where are unknown. In addition, suppose that we know a generator matrix of the subcode which has codimension in . First compute the conductor
From Proposition 5, the conductor equals . This code has dimension and is spanned by and . We claim that, from the knowledge of , a pair such that can be found easily by using techniques which are very similar from those presented further in § 5.6.
Of course, there is no reason that we could know both and . However, we will see further that the quasi–dyadic structure permits to find interesting subcodes whose conductor may reveal the secret structure of the code.
3.3 Conductors of alternant codes
When dealing with alternant codes, having an exact description of the conductors like in Proposition 5 becomes difficult. We can at least prove the following theorem.
Let be a support and a multiplier. Let be two positive integers. Then,
3.4 Why the straigthforward generalisation of the illustrative example fails for alternant codes
On the other hand, even if inclusion (4) was an equality, the attack described in § 3.2 could not be straightforwardly generalised to alternant codes. Indeed, suppose we know two alternant codes with consecutive degrees and . Then, Proposition 6 would yield
Suppose that the above inclusion is actually an equality; as we just said this is in general what happens. The point is that as soon as has one entry in , then is reduced to the code spanned by and hence cannot provide any relevant information.
The previous discussion shows that, if we want to generalise the toy attack described in §3.2 to alternant codes, we cannot use a pair of alternant codes with consecutive degrees. In light of Proposition 6, the gap between the degrees and of the two alternant codes should be large enough to provide a non trivial conductor. A sufficient condition for this is that is non trivial. This motivates the introduction of a code we called the norm trace code.
3.5 The norm–trace code
In what follows, we fix such that . In particular, forms an –basis of .
Definition 11 (Norm trace code)
Let be a support. The norm–trace code is defined as
This norm trace code turns out to be the code we will extract from the public key by conductor computations. To relate it with the previous discussions, we have the following statement whose proof is straightforward.
Let be a support. Then, for any , we have
It addition to this statement, we observed experimentally that for inclusion (6) is in general an equality.
3.6 Summary and a heuristic
First, let us summarise the previous discussions.
Experimentally, we observed that if , then, almost every time, we have
One problem remains: given an alternant code , how to get a subcode in order to apply the previous results? This will be explained in § 4 and 5 in which we show that for quasi–dyadic alternant codes it is possible to get a subcode such that for some satisfying .
Moreover, it turns out that
can be replaced by a subcode without changing the result of the previous discussions. This is what is argued in the following heuristic.
Let us give some evidences for this heuristic. From Proposition 4,
From (2), we have Since is a code over and by the –linearity of the trace map, we get
Since then, from (1), it is a subset of a GRS code. Namely,
Therefore, thanks to Theorem 2.1, we get
Note that is spanned by generators which are obtained by computing the Schur products of elements of a basis of by elements of a basis of . By (i), the number of such generators exceeds . For this reason, it is reasonable to hope that this Schur product fills in the target code and that,
Next, we have
Therefore, using Lemma 1, we conclude that
Using Remark 3, we get the result.
Further discussion on the Heuristic
In all our computer experiments, we never observed any phenomenon contradicting this heuristic.
4 Fundamental degree properties of the invariant subcode of a QD alternant code
A crucial statement for the attack is:
From (1), we have
This code is obtained by evaluation of polynomials of degree up to
From Theorem 1.2, the invariant codewords of come from evaluations of polynomials of the form . Such polynomials have a degree that is a multiple of and hence their degree cannot exceed . Thus, they should lie in . This leads to
This proves (a).
To prove (b), note that the assumption on asserts the existence of such that and . Thus, and . Therefore and contains an element of that is not in .∎
5 Presentation of the attack
Recall that the extension degree is always . The public code is the QD alternant code
with a permutation group of cardinality . As in § 1.6, the code has a length , dimension and is defined over a field and for some positive integer . The degree of the alternant code is also a multiple of and hence is of the form . We suppose from now on that the classical lower bound on the dimension is reached, i.e. . This always holds in the parameters proposed in . We finally set . In summary, we have the following notation
5.2 The subcode
We introduce a subcode of and prove that its knowledge permits to compute the norm trace code. This code is unknown by the attacker and we will see in § 6 that the time consuming part of the attack consists in guessing it.
Suppose that . We define the code as
For parameters suggested in DAGS, we always have , with strict inequality for DAGS_1 and DAGS_3 and equality for DAGS_5.
The following results are the key of the attack. Theorem 5.1 explains why this subcode is of deep interest and how it can be used to recover the norm–trace code, from which the secret key can be recovered (see § 5.6). Theorem 5.2 explains why this subcode can be computed in a reasonable time thanks to the QD structure. Indeed, it shows that even if has a large codimension as a subcode of its codimension in is much smaller. This is why the QD structure plays a crucial role in this attack.
The code has codimension in .
Using Theorem 1.3, we know that has the same dimension as . This code has dimension . Since , we get the result.∎
Actually the codimension equals