In recent years, systems based on the hardness of decoding in a generic code have attracted considerable attention since they are potentially resistant to attacks by quantum computers. The first code-based cryptosystem was proposed by McEliece in 1978 . It is based on binary Goppa codes and is still considered secure.
The main drawback of the original McEliece system is its large public key. To overcome this drawback, many code classes have been proposed to replace Goppa codes, but most of them were subject to algebraic attacks. For instance, generalised Reed–Solomon (GRS) codes were proposed in 1986 by Niederreiter , but Sidelnikov and Shestakov mounted a very efficient attack that recovers an alternative secret key . Wieschebrink proved that random subcodes of GRS codes, proposed in , cannot be used either, due to their vulnerability to the code squaring attack . Further instances and cryptanalyses of algebraic code-based schemes can be found in [23, 17, 6, 11, 15, 8].
One of the recent alternative classes emerged from twisted Reed–Solomon codes . Beelen et al. analysed the structural properties of a specific subfamily of twisted Reed–Solomon codes in . They proved that none of the codes they consider is a generalised Reed–Solomon code, and thus the attack by Sidelnikov and Shestakov  cannot be applied to their system. Further, they showed that shortenings of these codes in up to two positions have maximal Schur square dimension , meaning that the proposed system is impervious to the attack presented by Couvreur et al. in . Additionally, the authors conjecture that their proposed system is not vulnerable to the algorithms proposed by Wieschebrink in [26, 27]. As a result of these structural properties, specific subfamilies of twisted Reed–Solomon codes appear to be interesting for code-based cryptography. In , the authors propose an explicit subfamily of twisted Reed–Solomon codes and sets of parameters that reduce the public key size by a factor of up to compared to binary Goppa codes, for a claimed security level of bits.
In this paper, we mount an attack on the twisted Reed–Solomon code-based cryptosystem given in . Since it does not seem straightforward to retrieve the structure of the proposed codes directly, our idea is to first recover the structure of the subfield subcodes of twisted Reed–Solomon codes, which in turn reveals the structure of the supercodes. We show that for all practical parameters, our algorithm recovers a valid private key from the public key in operations over the underlying field, where denotes the code length. We implemented the attack in the computer-algebra system SageMath , and although the implementation is not optimised, it determines a valid private key for the parameters proposed by the designers in approximately two minutes (a link to the implementation is provided in the paper). Additionally, we discuss a potential application of the proposed attack to the rank-metric version of the considered system .
The paper is structured as follows. In Section 2 we introduce the notation and state the definition and important structural properties of twisted Reed–Solomon codes. In Section 3 we present the key generation, encryption and decryption algorithms as well as the parameters proposed in . In Section 4 we derive a structural attack on the scheme and analyse its complexity precisely. In Section 5 we discuss a potential fix of the cryptosystem, as well as an extension of the attack to the rank-metric setting. Conclusions are given in Section 6.
Let be a power of a prime and let denote the finite field of order . We use to denote the set of matrices over and
for the set of row vectors of length over . Rows and columns of -matrices are indexed by and , where is the element in the -th row and -th column of the matrix .
For a field extension , the -row space of a matrix is the -vector space spanned by its rows, i.e.,
We denote the component-wise product of and by
Further, given a linear code , we define its square as
The set of all univariate polynomials over a field is denoted by . Let us now fix some . We define the evaluation map as
Finally, if and are two finite subsets of integers, then we define
2.2 Twisted Reed–Solomon Codes
Definition 1 (Reed–Solomon Code).
Let with , the elements be distinct and . The Reed–Solomon (RS) code of length and dimension is defined by
The entries in are called locators of the RS code.
Reed–Solomon codes are maximum-distance separable (MDS) codes, i.e., they reach the so-called Singleton bound , where denotes the (Hamming) minimum distance of the code. Twisted Reed–Solomon codes were recently proposed as a generalisation of Reed–Solomon codes.
Definition 2 (Twisted Reed–Solomon Code, ).
Let with and . Further, denote the hook vector by with distinct , the twist vector by with distinct , and . The set of twisted polynomials over is defined by
Let be distinct and . The -twisted Reed–Solomon (RS) code of length and dimension is defined by
The elements are called locators of the twisted RS code.
According to Definition 2, a generator matrix of with is given by
where for .
In , the authors show that by constructing a twisted RS code according to Definition 2, one does not necessarily obtain an MDS code. However, they provide a method to obtain twisted RS codes that are MDS, cf. Theorem 1.
Theorem 1 (Explicit MDS twisted RS codes ).
Let be a prime power, and be non-negative integers such that is a chain of subfields. Let , the elements be distinct, and let , and be chosen as in Definition 2 and such that for . Then is MDS.
A decoding algorithm for twisted RS codes is also proposed in . Given a corrupted codeword , the strategy is to guess elements and then decode in the Reed–Solomon code . This approach succeeds if , and thus has a worst-case complexity of . Notice that , and thus this decoding algorithm is only practical for a tiny number of twists.
In the following lemma, we show a property of twisted RS codes that is important for the attack proposed in this paper.
Let , , and be defined as in Definition 2. Then for any ,
where and with , .
Let , where . We have
where . Hence by definition , and it follows that . The proof of the converse inclusion is similar, since is non-zero. ∎
3 The Twisted RS Code Based McEliece Cryptosystem
In this section we describe the system proposed in .
Fix a prime power , and integers with . Fix also such that
Further, set for , such that
is a chain of subfields. Finally, set and for , where .
Integers , , , , and vectors , satisfying the above conditions are referred to as valid parameters of the cryptosystem . They are public parameters of the cryptosystem.
3.2 Key Generation
Given valid parameters , , , , and :
Choose at random such that the entries of are distinct.
Choose at random such that for .
Choose at random and full rank.
Compute the public key , where is the generator matrix of described in Section 2.2.
The private key consists of and the public key is .
3.3 Encryption
Given a plaintext and a public key :
Choose at random with Hamming weight .
Compute the ciphertext
3.4 Decryption
Given a ciphertext and the private key :
Decode in to using the decoding algorithm given in .
Compute the plaintext .
3.5 Proposed Parameters
In , the parameters , , and are proposed for a security level of bits. There are two main reasons for choosing a small number of twists. On the one hand, the proposed decoding algorithm has a complexity of times and thus increases doubly exponentially with the number of twists. On the other hand, the field size and thus the key sizes also scale exponentially with the number of twists.
4 An Efficient Key-Recovery Attack Using Subfield Subcodes
In this section, we propose an efficient key-recovery algorithm for the cryptosystem and parameters proposed in . The algorithm first determines a linear transformation of the secret locators by exploiting structural properties of the subfield subcode of the public code. Then, the algorithm finds the coefficients of the twist monomials by Lagrange interpolation. The algorithm finally outputs such that . As shown in Section 2.2, is a valid private key that can be used in the decryption algorithm (Section 3.4).
4.1 Derivation of the Key-Recovery Algorithm
4.1.1 First Step: Recovery of an Affine Transformation of the Secret Locators
Let us consider the -subfield subcode of the code spanned by the public generator matrix . We first state a technical lemma.
Let with distinct , and where is an extension of . Assume that . Then,
Let and assume that . Since and , there exists a polynomial of degree such that . Moreover, is injective over the -subspace of polynomials of degree , hence . The converse is straightforward. ∎
Let us now define as the set of exponents of monomials which are not twisted.
Let be chosen as described in Section 3 and . Then,
First, it is clear that . Indeed, we obviously have for every , and since is a vector over , we also get .
Let us now prove that . Let , where . Since , Lemma 3 implies . It remains to notice that .
We observe by Theorem 4 that the subfield subcode of the public code is a strict subcode of a Reed–Solomon code, since the evaluated polynomials do not have monomials of degree . Thus, one cannot directly use the Sidelnikov–Shestakov attack  on . In 2006, Wieschebrink mounted an attack on cryptosystems based on random subcodes of Reed–Solomon codes . The author's idea is that, with very high probability over the chosen subcode, the square code is a Reed–Solomon code. The Sidelnikov–Shestakov attack can then be used on to recover the private parameters.
In the following, we prove that for most valid parameters of , and for all practical ones, the square code is a Reed–Solomon code subject to the Sidelnikov–Shestakov attack.
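As an added example that is not part of the paper, the following Python computes the Schur square dimension (the square code defined in Section 2) for three small constructed codes over GF(17), a prime field standing in for the paper's extension fields: a Reed–Solomon code, whose square is again Reed–Solomon and has dimension 2k-1; a constructed 4-dimensional subcode of it, whose square already spans the full Reed–Solomon square code, which is the observation behind Wieschebrink's square-code attack recalled above; and a sparse-monomial code whose square reaches the generic bound k(k+1)/2 that a random code attains. The field, the locators and the three codes are all assumptions of the example.

```python
# Added example (not from the paper): Schur-square dimension as a distinguisher.
# Assumptions: a small prime field GF(17) and n = 16 distinct locators stand in
# for the extension fields the paper uses; the three codes below are constructed.
from itertools import combinations_with_replacement

P = 17                       # prime field GF(17), chosen for the example
ALPHAS = list(range(1, 17))  # n = 16 distinct locators (all nonzero elements)

def eval_code(exponents, alphas, p):
    """Generator matrix of the code spanned by evaluations of x^e, e in exponents."""
    return [[pow(a, e, p) for a in alphas] for e in exponents]

def rank_mod_p(rows, p):
    """Rank over GF(p) by Gaussian elimination (rows are copied, not modified)."""
    m = [r[:] for r in rows]
    rank, ncols = 0, len(m[0])
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def square_dim(gen, p):
    """Dimension of the Schur square: span of all component-wise row products."""
    products = [[(a * b) % p for a, b in zip(u, v)]
                for u, v in combinations_with_replacement(gen, 2)]
    return rank_mod_p(products, p)

def demo():
    k = 5
    rs = eval_code(range(k), ALPHAS, P)  # RS[16,5]: its square is RS[16,9]
    # Constructed 4-dim subcode of RS[16,5]: 1, x, x^2 + x^4, x^3; the ten
    # pairwise products span every monomial of degree <= 8, i.e. RS[16,9].
    sub = rs[:2] + [[(a + b) % P for a, b in zip(rs[2], rs[4])]] + [rs[3]]
    # Sparse monomial code 1, x, x^3, x^7: all 10 pairwise exponent sums are
    # distinct, so its square reaches the generic bound k(k+1)/2 = 10.
    sparse = eval_code([0, 1, 3, 7], ALPHAS, P)
    return square_dim(rs, P), square_dim(sub, P), square_dim(sparse, P)

if __name__ == "__main__":
    print(demo())  # (9, 9, 10)
```

A designer can run the same check on a proposed public code: a square dimension far below min(n, k(k+1)/2) is exactly the structural leak the attack in this section exploits.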
Let , , , , and be valid parameters, and assume that . Let . Then,
where and . As a consequence, the claimed result holds if and only if .
It is clear that contains the subset
On the one hand, one can easily check that if , then . Moreover, is always fulfilled by valid parameters since and . On the other hand, if we assume , then we can prove that , which is a sufficient condition for having . ∎
Let be a Reed–Solomon code with locators . Given any generator matrix of , the algorithm given by Sidelnikov and Shestakov  determines, in time , a vector such that
In particular, it holds that with and .
See . ∎
It follows that by applying the Sidelnikov–Shestakov algorithm to , we obtain a vector which is an affine transformation of the secret locators, i.e., for some and .
4.1.2 Second Step: Recovery of a Linear Transformation of the Secret Locators
Lemma 2 only ensures that if for some non-zero . Therefore, given , it remains to search exhaustively for such that . This exhaustive search proceeds as follows: given and , compute the code
If , then we have found a valid and hence a valid . Notice that each individual test can be performed in time .
4.1.3 Third Step: Recovery of a Valid Pair
Previous steps provide a tuple which can be used as locators for the twisted RS code. To determine a vector such that , we use the following Lemma 7.
Let be chosen as described in Section 3, for some and denote the unique polynomial that interpolates the pairs . Further, let be such that and
where are the coefficients of . Then, .
By interpolating , one obtains a unique polynomial with coefficients
If , then we get
4.1.4 Final Step: Recovery of an Alternative Private Key
After determining and , one can easily compute a matrix such that . Then, can be used in the proposed decryption algorithm as a valid (alternative) private key to retrieve any secret plaintext .
4.2 Performance Analysis of the Attack
A pseudo-algorithm describing the attack is given in Algorithm 1. Let us explain the notation we use there. We arbitrarily order . By we denote the transpose of the matrix and by a matrix whose rows form a basis of the right kernel of . The reduced row echelon form of is denoted by . The function maps a generator matrix of to a generator matrix of the subfield subcode of , i.e., . The function maps a generator matrix of to a generator matrix of the code . The interpolation function is defined as such that for . We define the function
and the function implementing Sidelnikov–Shestakov attack as such that if is a generator matrix of a Reed–Solomon code , then
The function maps the vectors and to the corresponding twisted RS generator matrix, i.e., . Further, if and have the same rowspace, then is a solution to .
Below we provide details on the complexity of the steps in Algorithm 1.
Line 1: Computation of requires operations in and operations in .
Line 2: Computation of can be performed in time . Informally, one needs to find a basis of the space generated by the family . This basis can be built iteratively; updating the basis with a new element costs operations in and must be done times, and rejecting candidates costs operations in and must be done times.
Line 18: Computation of needs operations in .
Line 19: Computation of by transformation of in reduced row echelon form needs operations in .