Abstract
Twisted Reed–Solomon (TRS) codes are a family of codes that contains a large number of maximum distance separable codes that are non-equivalent to Reed–Solomon codes. TRS codes were recently proposed as an alternative to Goppa codes for the McEliece code-based cryptosystem, resulting in a potential reduction of key sizes. The use of TRS codes in the McEliece cryptosystem has been motivated by the fact that a large subfamily of TRS codes is resilient to a direct use of known algebraic key-recovery methods. In this paper, an efficient key-recovery attack on the TRS variant that was used in the McEliece cryptosystem is presented. The algorithm exploits a new approach based on recovering the structure of a well-chosen subfield subcode of the public code. It is proved that the attack always succeeds and breaks the system for all practical parameters in \(O(n^4)\) field operations. A software implementation of the algorithm retrieves a valid private key from the public key within a few minutes, for parameters claiming a security level of 128 bits. The success of the attack also indicates that, contrary to common beliefs, subfield subcodes of the public code need to be precisely analyzed when proposing a McEliece-type code-based cryptosystem. Finally, the paper discusses an attempt to repair the scheme and a modification of the attack aiming at Gabidulin–Paramonov–Tretjakov cryptosystems based on twisted Gabidulin codes.
Similar content being viewed by others
Notes
Since the parameters k and \(h_1,\ldots ,h_{\ell }\) are public, an attacker knows the set \(\mathcal {I}\).
References
Banegas G., Barreto P.S.L.M., Boidje B.O., Cayrel P.-L., Dione G.N., Gaj K., Gueye C.T., Haeussler R., Klamti J.B., Ndiaye O., Nguyen D.T., Persichetti E., Ricardini J.E.: DAGS: key encapsulation using dyadic GS codes. J. Math. Cryptol. 12(4), 221–239 (2018).
Bardet M., Barelli É., Blazy O., Torres R.C., Couvreur A., Gaborit P., Otmani A., Sendrier N., Tillich J.-P.L: BIG QUAKE BInary Goppa QUAsi–cyclic Key Encapsulation. (2017). https://bigquake.inria.fr.
Barelli É., Couvreur A.: An efficient structural attack on NIST submission DAGS. In: Peyrin T., Galbraith S.D. (eds.) Advances in Cryptology—ASIACRYPT, vol. 11272, pp. 93–118. Springer, New York (2018).
Beelen P., Puchinger S., Rosenkilde né N.J.: Twisted Reed-Solomon codes. In IEEE Int. Symp. Inf. Theory (ISIT) (2017).
Beelen P., Bossert M., Puchinger S., Rosenkilde né N.J.: Structural properties of twisted Reed-Solomon codes with applications to code-based cryptography. In: IEEE Int. Symp. Inf. Theory (ISIT) (2018).
Berger T.P., Loidreau P.: How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr. 35(1), 63–79 (2005).
Berger T.P., Cayrel P.-L., Gaborit P., Otmani A.: Reducing key length of the McEliece cryptosystem. In: Preneel B. (ed.) Progress in Cryptology—AFRICACRYPT, vol. 5580, pp. 77–97. Springer (2009).
Bernstein D.J., Chou T., Lange T., von Maurich I., Misoczki R., Niederhagen R., Persichetti E., Peters C., Schwabe P., Sendrier N., Szefer J., Wang W.: Classic McEliece (2017). https://classic.mceliece.org.
Couvreur A., Gaborit P., Gauthier-Umaña V., Otmani A., Tillich J.-P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014).
Couvreur A., Corbella I.M., Pellikaan R.: Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inf. Theory 63(8), 5404–5418 (2017).
Couvreur A., Lequesne M., Tillich J.-P.: Recovering short secret keys of RLCE in polynomial time. In: Jintai D., Rainer S. (eds.) Post-Quantum Cryptography—10th International Conference, PQCrypto 2019, Chongqing, China, 8–10 May 2019, Revised Selected Papers, volume 11505 of Lecture Notes in Computer Science, pp. 133–152. Springer (2019).
Faugère J.-C., Otmani A., Perret L., Tillich J-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, vol. 6110, pp. 279–298. Springer (2010).
Faugère J.-C., Otmani A., Perret L., de Portzamparc F., Tillich J.-P.: Structural cryptanalysis of McEliece schemes with compact keys. Des. Codes Cryptogr. 79(1), 87–112 (2016).
Gabidulin E.M.: Theory of codes with maximum rank distance. Probl. Inf. Transm. 21(1), 3–16 (1985).
Gabidulin E.M., Paramonov A.V., Tretjakov O.V.: Ideals over a non-commutative ring and their application in cryptology. In: Workshop Theory and Appl. Cryptogr. Techn., pp. 482–489. Springer (1991).
Janwa H., Moreno O.: McEliece public key cryptosystems using algebraic-geometric codes. Des. Codes Cryptogr. 8(3), 293–307 (1996).
McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. Jet Propuls. Lab. DSN Progr. Rep. 42–44, 114–116 (1978).
Minder L., Shokrollahi A.: Cryptanalysis of the Sidelnikov cryptosystem. In Advances in Cryptology—EUROCRYPT 2007, vol. 4515, pp. 347–360. Springer (2007).
Niederreiter H.: Knapsack type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15, 159 (1986).
Overbeck R.: A new structural attack for GPT and variants. LNCS: MYCRYPT 3715, 50–63 (2005).
Overbeck R.: Public key cryptography based on coding theory. PhD thesis, Darmstadt University of Technology, Germany (2007).
Puchinger S.: Construction and decoding of evaluation codes in hamming and rank metric. PhD thesis, Ulm University, Germany (2018).
Puchinger S., Renner J., Wachter-Zeh A.: Twisted Gabidulin codes in the GPT cryptosystem. In: Int. Workshop Alg. Combin. Coding Theory (ACCT) (2018).
Sidelnikov M.V.: Public-key cryptosystem based on binary Reed-Muller codes. Discret. Math. Appl. 4, 191–208 (1994).
Sidelnikov M.V., Shestakov O.S.: On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discret. Math. Appl. 2, 439–444 (1992).
The Sage Developers. SageMath, the Sage Mathematics Software System (2019). https://www.sagemath.org.
Wang Y.: Quantum resistant random linear code based public key encryption scheme RLCE. In: IEEE International Symposium on Information Theory, ISIT 2016, Barcelona, Spain, 10–15 July 2016, pp. 2519–2523. IEEE (2016).
Wieschebrink C.: An attack on a modified Niederreiter encryption scheme. In: Public Key Cryptography–PKC 2006, pp 14–26. Springer, Berlin (2006).
Wieschebrink C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: Sendrier N. (ed.) Post-quantum Cryptography, pp. 61–72. Springer, Berlin (2010).
Acknowledgements
This work was done while the second author was visiting the Institut de Recherche Mathématique de Rennes (IRMAR), Université de Rennes 1, France. The first author is funded by the French Direction Générale l’Armement, through the Pôle d’excellence cyber. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 801434). We would like to thank Antonia Wachter-Zeh (TUM) for fruitful discussions and Oliver De Candido (TUM) for his comments that helped to improve the manuscript. We would further like to thank the authors of the proposed cryptosystem [5] for validating our attack and pointing out a possible repair of the system with respect to our attack.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by A. Joux.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Lavauzelle, J., Renner, J. Cryptanalysis of a system based on twisted Reed–Solomon codes. Des. Codes Cryptogr. 88, 1285–1300 (2020). https://doi.org/10.1007/s10623-020-00747-6
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-020-00747-6