Cryptanalysis of a System Based on Twisted Reed-Solomon Codes

It was recently proved that twisted Reed--Solomon codes form a family of codes which contains a large number of MDS codes that are not equivalent to Reed--Solomon codes. As a consequence, they were proposed as an alternative to Goppa codes for the McEliece cryptosystem, resulting in a potential reduction of key sizes. In this paper, an efficient key-recovery attack is given on this variant of the McEliece cryptosystem. The algorithm is based on the recovery of the structure of subfield subcodes of twisted Reed--Solomon codes, and it always succeeds. Its correctness is proved, and it is shown that the attack breaks the system for all practical parameters in O(n^4) field operations. A practical implementation is also provided and retrieves a valid private key from the public key within just a few minutes, for parameters claiming a security level of 128 bits. We also discuss a potential repair of the scheme and an application of the attack to GPT cryptosystems using twisted Gabidulin codes.


1 Introduction

In recent years, systems based on the hardness of decoding in a generic code have gained considerable attention since they are potentially resistant to quantum computer attacks. The first code-based cryptosystem was proposed by McEliece in 1978 [16]. It is based on binary Goppa codes and is still considered to be secure.

The main drawback of the original McEliece system is its large public key. To overcome this drawback, many code classes have been proposed to replace Goppa codes, but most of them were subject to algebraic attacks. For instance, generalised Reed–Solomon (GRS) codes were proposed in 1986 by Niederreiter [18], but Sidelnikov and Shestakov mounted a very efficient attack to recover an alternative secret key [24]. Wieschebrink proved that random subcodes of GRS codes, proposed in [7], cannot be used either, due to their vulnerability against the code squaring attack [27]. Further instances and cryptanalyses of algebraic code-based schemes can be found in [23, 17, 6, 11, 15, 8].

One of the recent alternative classes emerged from twisted Reed–Solomon codes [5]. Beelen et al. analysed the structural properties of a specific subfamily of twisted Reed–Solomon codes in [4]. In their work, they proved that none of the codes they consider is a generalised Reed–Solomon code and thus the attack by Sidelnikov and Shestakov [24] cannot be applied to their system. Further, they showed that shortenings of these codes up to two positions have maximal Schur square dimension [21], meaning that the proposed system is impervious to the attack presented by Couvreur et al. in [9]. Additionally, the authors conjecture that their proposed system is not vulnerable to the algorithms proposed by Wieschebrink in [26, 27]. As a result of the mentioned structural properties, specific subfamilies of twisted Reed–Solomon codes seem to be interesting for code-based cryptography. In [4], the authors propose an explicit subfamily of twisted Reed–Solomon codes and sets of parameters that provide a reduction of the public key up to a factor of compared to binary Goppa codes, for a claimed security level of bits.

In this paper, we mount an attack on the twisted Reed–Solomon code-based cryptosystem given in [4]. Since it does not seem straightforward to directly retrieve the structure of the proposed codes, our idea is to first recover the structure of the subfield subcodes of twisted Reed–Solomon codes, which then in turn reveal the structure of the supercodes. We show that for all practical parameters, our algorithm recovers a valid private key from the public key in operations over the underlying field, where denotes the code length. We implemented the attack in the computer-algebra system SageMath [25] and although the implementation is not optimized, it determines a valid private key for the parameters proposed by the designers in approximately two minutes (a link to the mentioned implementation is provided in the paper). Additionally, we discuss a potential application of the proposed attack to the rank-metric version of the considered system [22].

The paper is structured as follows. In Section 2 we introduce the notation, and we state the definition and important structural properties of twisted Reed–Solomon codes. In Section 3 we present the key generation, encryption and decryption algorithm as well as the parameters proposed in [4]. In Section 4 we derive a structural attack on the scheme, and we precisely analyse its complexity. In Section 5 we discuss a potential fix of the cryptosystem, as well as an extension of the attack to the rank-metric setting. Conclusions are given in Section 6.

2 Preliminaries

2.1 Notation

Let be a power of a prime and let denote the finite field of order . We use to denote the set of matrices over and

for the set of row vectors of length

over . Rows and columns of -matrices are indexed by and , where is the element in the -th row and -th column of the matrix .

For a field extension , the -row space of a matrix is the -vector space spanned by its rows, i.e.,

We denote the component-wise product of and by

$$\mathbf{a} \star \mathbf{b} := (a_1 b_1, \ldots, a_n b_n) \in \mathbb{F}_q^n.$$

Further, given a linear code , we define its square as

The set of all univariate polynomials over a field is denoted by . Let us now fix some . We define the evaluation map as

$$\mathrm{ev}_{\boldsymbol{\alpha}} : \mathbb{F}_q[x] \to \mathbb{F}_q^n,\qquad f \mapsto \big(f(\alpha_1), f(\alpha_2), \ldots, f(\alpha_n)\big).$$

Finally, if and are two finite subsets of integers, then we define

$$I \oplus J := \{a + b : a \in I,\ b \in J\}.$$

2.2 Twisted Reed–Solomon Codes

Definition 1 (Reed–Solomon Code).

Let with , the elements be distinct and . The Reed–Solomon (RS) code of length and dimension is defined by

$$\mathcal{C}_{\boldsymbol{\alpha}}[n,k]_{\mathbb{F}_q} := \Big\{\mathrm{ev}_{\boldsymbol{\alpha}}(f) : f \in \Big\{\sum_{i=0}^{k-1} f_i x^i : f_i \in \mathbb{F}_q\Big\}\Big\}.$$

The entries in are called locators of the RS code.

Reed–Solomon codes are maximum-distance separable (MDS) codes, i.e., they reach the so-called Singleton bound , where denotes the (Hamming) minimum distance of the code. Twisted Reed–Solomon codes were recently proposed as a generalisation of Reed–Solomon codes.

Definition 2 (Twisted Reed–Solomon Code, [5]).

Let with and . Further, denote the hook vector by with distinct , the twist vector by with distinct , and . The set of twisted polynomials over is defined by

$$\mathcal{P}^{n,k}_{\mathbf{t},\mathbf{h},\boldsymbol{\eta}} = \Big\{\sum_{i=0}^{k-1} f_i x^i + \sum_{j=1}^{\ell} \eta_j f_{h_j} x^{k-1+t_j} : f_i \in \mathbb{F}_q\Big\} \subseteq \mathbb{F}_q[x].$$

Let be distinct and . The -twisted Reed–Solomon (RS) code of length and dimension is defined by

$$\mathcal{C}_{\boldsymbol{\alpha},\mathbf{t},\mathbf{h},\boldsymbol{\eta}}[k,n] := \big\{\mathrm{ev}_{\boldsymbol{\alpha}}(f) : f \in \mathcal{P}^{n,k}_{\mathbf{t},\mathbf{h},\boldsymbol{\eta}}\big\}.$$

The elements are called locators of the twisted RS code.

According to Definition 2, a generator matrix of with is given by

$$\mathbf{G}_{\boldsymbol{\alpha},\mathbf{t},\mathbf{h},\boldsymbol{\eta}} := \begin{pmatrix} \mathbf{1} \\ \boldsymbol{\alpha} \\ \vdots \\ \boldsymbol{\alpha}^{h_1-1} \\ \boldsymbol{\alpha}^{h_1} + \eta_1 \boldsymbol{\alpha}^{k-1+t_1} \\ \boldsymbol{\alpha}^{h_1+1} \\ \vdots \\ \boldsymbol{\alpha}^{h_\ell-1} \\ \boldsymbol{\alpha}^{h_\ell} + \eta_\ell \boldsymbol{\alpha}^{k-1+t_\ell} \\ \boldsymbol{\alpha}^{h_\ell+1} \\ \vdots \\ \boldsymbol{\alpha}^{k-1} \end{pmatrix},$$

where for .

In [4], the authors show that by constructing a twisted RS code according to Definition 2, one does not necessarily obtain an MDS code. However, they provide a method to obtain twisted RS codes that are MDS, cf. Theorem 1.

Theorem 1 (Explicit MDS twisted RS codes [4]).

Let be a prime power, and be non-negative integers such that is a chain of subfields. Let , the elements be distinct, and let , and be chosen as in Definition 2 and such that for . Then is MDS.

A decoding algorithm for twisted RS codes is also proposed in [4]. Given a corrupted codeword , the strategy is to guess elements and then decode in the Reed–Solomon code . This approach succeeds if , and thus has a worst-case complexity of . Notice that , and thus this decoding algorithm is only practical for a tiny number of twists.

In the following lemma, we show a property of twisted RS codes that is important for the attack proposed in this paper.

Lemma 2.

Let , , and be defined as in Definition 2. Then for any ,

$$\mathcal{C}_{\boldsymbol{\alpha},\mathbf{t},\mathbf{h},\boldsymbol{\eta}}[k,n] = \mathcal{C}_{\hat{\boldsymbol{\alpha}},\mathbf{t},\mathbf{h},\hat{\boldsymbol{\eta}}}[k,n],$$

where and with , .

Proof.

Let , where . We have

$$f(ax) = \sum_{i=0}^{k-1} (f_i a^i)\, x^i + \sum_{j=1}^{\ell} \big(\hat{\eta}_j\, a^{k-1+t_j-h_j}\big)\big(f_{h_j} a^{h_j}\big)\, x^{k-1+t_j} = g(x),$$

where . Hence by definition , and it follows that . The proof of the converse inclusion is similar since is non-zero. ∎

3 The Twisted RS Code Based McEliece Cryptosystem

In this section we describe the system proposed in [4].

3.1 Setup

Fix a prime power , and integers with . Fix also such that

$$\frac{n+1}{k-\sqrt{n}} < \ell + 2.$$

Further, set for , such that

$$\mathbb{F}_{q_0} \subset \mathbb{F}_{q_1} \subset \ldots \subset \mathbb{F}_{q_\ell} = \mathbb{F}_q$$

is a chain of subfields. Finally, set and for , where .

Integers , , , , and vectors , satisfying the above conditions are referred to as valid parameters of the cryptosystem [4]. They are public parameters of the cryptosystem.

3.2 Key Generation

Given valid parameters , , , , and :

1. Choose at random such that the entries of are distinct.

2. Choose at random such that for .

3. Choose at random and full rank.

4. Compute the public key , where is the generator matrix of described in Section 2.2.

The private key consists of and the public key is .

3.3 Encryption

Given a plaintext and a public key :

1. Choose at random with Hamming weight .

2. Compute the ciphertext

$$\mathbf{y} = \mathbf{m}\,\mathbf{G}_{\mathrm{pub}} + \mathbf{e} \in \mathbb{F}_q^n.$$

3.4 Decryption

Given a ciphertext and the private key :

1. Decode in to using the decoding algorithm given in [4].

2. Compute the plaintext .

3.5 Proposed Parameters

In [4], the parameters , , and are proposed for a security level of bits. There are two main reasons for choosing a small number of twists. On the one hand, the proposed decoding algorithm has a complexity of times and thus increases doubly exponentially with the number of twists. On the other hand, the field size, and thus the key sizes, also scale exponentially with the number of twists.

4 An Efficient Key-Recovery Attack Using Subfield Subcodes

In this section, we propose an efficient key-recovery algorithm for the cryptosystem and parameters proposed in [4]. The algorithm first determines a linear transformation of the secret locators by exploiting structural properties of the subfield subcode of the public code. Then, the algorithm finds the coefficients of the twist monomials by Lagrange interpolation. The algorithm finally outputs such that . As shown in Section 2.2, is a valid private key that can be used in the decryption algorithm (Section 3.4).

4.1 Derivation of the Key-Recovery Algorithm

4.1.1 First Step: Recovery of an Affine Transformation of the Secret Locators

Let us consider the -subfield subcode of the code spanned by the public generator matrix . We first state a technical lemma.

Lemma 3.

Let with distinct , and where is an extension of . Assume that . Then,

$$\mathrm{ev}_{\boldsymbol{\alpha}}(P) \in \mathbb{F}_{q_0}^n \iff P \in \mathbb{F}_{q_0}[x].$$

Proof.

Let and assume that . Since and , there exists a polynomial of degree such that . Moreover, is injective over the -subspace of polynomials of degree , hence . The converse is straightforward. ∎

Let us now define as the set of exponents of monomials which are not twisted.

Theorem 4.

Let be chosen as described in Section 3 and . Then,

$$\mathcal{C}_{\mathrm{pub}} \cap \mathbb{F}_{q_0}^n = \{\mathrm{ev}_{\boldsymbol{\alpha}}(f) : f \in \mathcal{F}\},$$

where

$$\mathcal{F} := \Big\{\sum_{i \in I} f_i x^i : f_i \in \mathbb{F}_{q_0}\Big\} \subseteq \mathbb{F}_{q_0}[x].$$

Proof.

First, it is clear that . Indeed, we obviously have for every , and since is a vector over , we also get .

Let us now prove that . Let , where . Since , Lemma 3 implies . It remains to notice that .

We observe by Theorem 4 that the subfield subcode of the public code is a strict subcode of a Reed–Solomon code, since the evaluated polynomials do not have monomials of degree . Thus, one cannot directly use the Sidelnikov–Shestakov attack [24] on . In 2006, Wieschebrink mounted an attack on cryptosystems based on random subcodes of Reed–Solomon codes [27]. The author's idea is that, with very high probability over the chosen subcode , the square code is a Reed–Solomon code. The Sidelnikov–Shestakov attack can then be used on to recover the private parameters.

In the following, we prove that for most valid parameters of [4], and for all practical ones, the square code is a Reed–Solomon code subject to the Sidelnikov–Shestakov attack.

Theorem 5.

Let , , , , and be valid parameters, and assume that . Let . Then,

$$\mathcal{C}_{\mathrm{sub}}^{2} = \mathcal{C}_{\boldsymbol{\alpha}}[2k-1,n]_{\mathbb{F}_{q_0}}.$$

Proof.

We use the notation of Theorem 4. Notice that for valid parameters, we have and where . Theorem 4 implies that

where and . As a consequence, the claimed result holds if and only if .

It is clear that contains the subset

$$\{0,\ldots,r-1\} \cup \{r+\ell,\ldots,k+r-2\} \cup \{k+r+\ell-1,\ldots,2k-2\}.$$

On the one hand, one can easily check that if , then . Moreover, is always fulfilled by valid parameters since and . On the other hand, if we assume , then we can prove that , which is a sufficient condition for having . ∎
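As an added illustration of Theorems 4 and 5 (this is not the paper's SageMath implementation), the following pure-Python script builds a toy twisted RS code with a single twist over F_121 = F_11(w), w^2 = 2, with locators in F_11, computes its F_11-subfield subcode by plain linear algebra over F_11, and checks that this subcode is spanned by ev(x^i), i in I, and that its Schur square is the full Reed–Solomon code of dimension 2k−1. The parameters n = 11, k = 5, h = (2), t = (1), η = w are constructed for the demonstration and are not the parameters of [4].

```python
# Constructed toy instance (not the parameters of [4]): F_q = F_11[w]/(w^2 - 2); a + b*w is the pair (a, b).
P, NR = 11, 2                        # q0 = p = 11; 2 is a non-square mod 11, so w^2 = 2 defines F_121
N, K, H, T = 11, 5, 2, 1             # n, k, hook h_1, twist t_1 (a single twist, l = 1)
ETA = (0, 1)                         # eta_1 = w lies in F_q \ F_q0, as the scheme requires
ALPHA = list(range(N))               # locators: all of F_p, distinct and inside F_q0
I = [i for i in range(K) if i != H]  # exponents of the non-twisted monomials

def fq_mul(x, y):
    return ((x[0] * y[0] + x[1] * y[1] * NR) % P, (x[0] * y[1] + x[1] * y[0]) % P)

def fq_add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)

def twisted_gen():
    """Generator matrix of Definition 2: rows ev(x^i), the hook row being ev(x^h + eta*x^(k-1+t))."""
    G = [[(pow(a, i, P), 0) for a in ALPHA] for i in range(K)]
    G[H] = [fq_add(v, fq_mul(ETA, (pow(a, K - 1 + T, P), 0))) for v, a in zip(G[H], ALPHA)]
    return G

def rref(M):
    """Reduced row echelon form over F_p; returns the nonzero rows (a canonical basis)."""
    M, piv = [r[:] for r in M], 0
    for col in range(len(M[0])):
        p = next((r for r in range(piv, len(M)) if M[r][col]), None)
        if p is None:
            continue
        M[piv], M[p] = M[p], M[piv]
        inv = pow(M[piv][col], -1, P)
        M[piv] = [x * inv % P for x in M[piv]]
        for r in range(len(M)):
            if r != piv and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[piv])]
        piv += 1
    return M[:piv]

def subfield_subcode(G):
    """C ∩ F_p^n, computed generically: {g_i, w*g_i} is an F_p-basis of C, so keep the
    F_p-combinations whose w-components vanish (left kernel of the w-part matrix)."""
    basis = G + [[fq_mul((0, 1), v) for v in row] for row in G]
    const = [[v[0] for v in row] for row in basis]
    aug = [[v[1] for v in row] + [int(c == r) for c in range(len(basis))] for r, row in enumerate(basis)]
    left_null = [row[N:] for row in rref(aug) if not any(row[:N])]
    return rref([[sum(c * const[r][j] for r, c in enumerate(vec)) % P for j in range(N)] for vec in left_null])

def rs_gen(exps):
    """ev(x^i), i in exps, with locators in F_p: a generator matrix of an RS (sub)code."""
    return [[pow(a, i, P) for a in ALPHA] for i in exps]

def check_structure():
    sub = subfield_subcode(twisted_gen())
    sq = rref([[x * y % P for x, y in zip(u, v)] for u in sub for v in sub])  # Schur square
    thm4 = sub == rref(rs_gen(I))                # Theorem 4: an RS subcode missing exponent h
    thm5 = sq == rref(rs_gen(range(2 * K - 1)))  # Theorem 5: the square is the full RS[n, 2k-1]
    return len(sub), len(sq), thm4, thm5         # (4, 9, True, True) for this instance
```

The subfield subcode has dimension k − ℓ = 4 here, and its square reaches exactly 2k − 1 = 9, which is what makes the Sidelnikov–Shestakov step applicable to the square.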

Theorem 6.

Let be a Reed–Solomon code with locators . Given any generator matrix of , the algorithm given by Sidelnikov and Shestakov [24] determines, in time , a vector such that

$$\mathcal{C}_{\boldsymbol{\alpha}}[n,k]_{\mathbb{F}_{q_0}} = \mathcal{C}_{\boldsymbol{\alpha}'}[n,k]_{\mathbb{F}_{q_0}}.$$

In particular, it holds that with and .

Proof.

See [24]. ∎

It follows that by applying the Sidelnikov–Shestakov algorithm to , we obtain a vector which is an affine transformation of the secret locators, i.e., for some and .

4.1.2 Second Step: Recovery of a Linear Transformation of the Secret Locators

Lemma 2 only ensures that if for some non-zero . Therefore, given , it remains to search exhaustively for such that . This exhaustive search can be carried out as follows: given and , compute the code

$$\mathcal{A}_b := \mathcal{R}_{\mathbb{F}_q}\big(\{\mathrm{ev}_{\boldsymbol{\alpha}' - b\mathbf{1}}(x^i) : i \in I\}\big).$$

If , then a valid , and hence a valid , has been found. Notice that each individual test can be performed in time .

4.1.3 Third Step: Recovery of a Valid Pair (^α,^η)

Previous steps provide a tuple which can be used as locators for the twisted RS code. To determine a vector such that , we use the following Lemma 7.

Lemma 7.

Let be chosen as described in Section 3, for some and denote the unique polynomial that interpolates the pairs . Further, let be such that and

$$\hat{\eta}_j = \frac{g_{I_j,\,k+t_j}}{g_{I_j,\,h_j+1}},\qquad j = 1,\ldots,\ell,$$

where are the coefficients of . Then, .

Proof.

By definition,

$$G^{\mathrm{pub}}_{i,j} = \sum_{s=1}^{k} S_{i,s}\, G^{\boldsymbol{\alpha},\mathbf{t},\mathbf{h},\boldsymbol{\eta}}_{s,j} = \sum_{s=1}^{k} S_{i,s}\,\alpha_j^{s-1} + \sum_{u=1}^{\ell} S_{i,h_u+1}\,\eta_u\,\alpha_j^{k-1+t_u} = \sum_{s=1}^{k} S_{i,s}\,a^{-s+1}\,\hat{\alpha}_j^{s-1} + \sum_{u=1}^{\ell} S_{i,h_u+1}\,\eta_u\,a^{-(k-1+t_u)}\,\hat{\alpha}_j^{k-1+t_u}.$$

By interpolating , one obtains a unique polynomial with coefficients

$$g_{i,s} = \begin{cases} S_{i,s}\,a^{-s+1} & \text{if } s \in \{1,\ldots,k\}, \\ S_{i,h_u+1}\,\eta_u\,a^{-(k-1+t_u)} & \text{if } s = k + t_u,\ u = 1,\ldots,\ell, \\ 0 & \text{otherwise.} \end{cases}$$

If , then we get

$$\hat{\eta}_u = \eta_u\, a^{-(k-1+t_u-h_u)} = \frac{g_{i,\,k+t_u}}{g_{i,\,h_u+1}}.$$

4.1.4 Final Step: Recovery of an Alternative Private Key (^S,^α,^η)

After determining and , one can easily compute a matrix such that . Then, can be used in the proposed decryption algorithm as a valid (alternative) private key to retrieve any secret plaintext .

4.2 Performance Analysis of the Attack

A pseudo algorithm describing the attack is given in Algorithm 1. Let us explain the notation we use there. We arbitrarily order . By we denote the transpose of the matrix and by a matrix whose rows form a basis of the right kernel of . The reduced row echelon form of is denoted by . The function maps a generator matrix of to a generator matrix of the subfield subcode of , i.e., . The function maps a generator matrix of to a generator matrix of the code . The interpolation function is defined as such that for . We define the function

$$\mathrm{GenSub} : \mathbb{F}_{q_0}^n \to \mathbb{F}_{q_0}^{(k-\ell)\times n},\qquad (a_1,\ldots,a_n) \mapsto \begin{pmatrix} 1 & \cdots & 1 \\ a_1 & \cdots & a_n \\ \vdots & \ddots & \vdots \\ a_1^{h_1-1} & \cdots & a_n^{h_1-1} \\ a_1^{h_1+1} & \cdots & a_n^{h_1+1} \\ \vdots & \ddots & \vdots \\ a_1^{h_\ell-1} & \cdots & a_n^{h_\ell-1} \\ a_1^{h_\ell+1} & \cdots & a_n^{h_\ell+1} \\ \vdots & \ddots & \vdots \\ a_1^{k-1} & \cdots & a_n^{k-1} \end{pmatrix}$$

and the function implementing Sidelnikov–Shestakov attack as such that if is a generator matrix of a Reed–Solomon code , then

$$\mathcal{R}_{\mathbb{F}_{q_0}}(\mathbf{G}) = \mathcal{R}_{\mathbb{F}_{q_0}}\big(\mathrm{GenSub}(\mathrm{SidelShest}(\mathbf{G}))\big).$$

The function maps the vectors and to the corresponding twisted RS generator matrix, i.e., . Further, if and have the same rowspace, then is a solution to .

Below we provide details on the complexity of the steps in Algorithm 1.

• Line 1: Computation of requires operations in and operations in .

• Line 2: Computation of can be performed in time . Informally, one needs to find a basis of the space generated by the family . This basis can be built iteratively; updating the basis with a new element costs operations in and must be done times, and rejecting candidates costs operations in and must be done times.

• Line 3: Applying the function on needs operations in  [24].

• Lines 4 to 10: In the worst case, the following computations have to be performed times. Computation of needs operations in , building needs operations in , and the matrix multiplication of needs operations in ( was already computed in Line 1). In total, operations in are required.

• Lines 11 to 17: In the worst case, Lagrange interpolations have to be performed, which needs in total operations in .

• Line 18: Computation of needs operations in .

• Line 19: Computation of by transformation of in reduced row echelon form needs operations in .

In practice, and have to be chosen small (for instance, and were proposed in [4]) for decryption efficiency and key size reduction. Hence, Algorithm 1 has a complexity in