Distinguisher-based attacks on public-key cryptosystems using Reed–Solomon codes

Because of their interesting algebraic properties, several authors have promoted the use of generalized Reed–Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them, but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem that consists of appending a few random columns to a generator matrix of a secretly chosen generalized Reed–Solomon code. More recently, new schemes have appeared: the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et al. which hides the generalized Reed–Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of a distinguisher, which aims at detecting a behavior different from what one would expect from a random code. All the distinguishers we have built are based on the notion of the component-wise product of codes. This yields a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed–Solomon codes. Lastly, we give an alternative to the Sidelnikov–Shestakov attack by building a filtration that makes it possible to completely recover the support and the non-zero scalars defining the secret generalized Reed–Solomon code.
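The component-wise product distinguisher mentioned above can be reproduced on a toy instance. The following example is added here and is not code from the paper: it builds a generator matrix of a generalized Reed–Solomon code over a constructed field GF(31) (support and non-zero column scalars are chosen arbitrarily), computes the span of all pairwise component-wise products of generator rows (the "Schur square"), and compares its dimension with that of a random code of the same length and dimension. A GRS code of dimension k squares to only 2k-1 dimensions, whereas a random code squares to about min(n, k(k+1)/2), which is exactly the gap a distinguisher exploits.

```python
"""Schur-square distinguisher: GRS code versus random code over GF(p).

Added illustration, not the paper's code. The prime p, the length n, the
dimension k, the support and the column scalars below are all constructed.
"""
import random

P = 31  # constructed prime field GF(31)


def rank_mod_p(rows, p=P):
    """Rank of a list of integer vectors over GF(p) via Gaussian elimination."""
    m = [[x % p for x in r] for r in rows]
    rank, ncols = 0, (len(m[0]) if m else 0)
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def grs_generator(support, multipliers, k, p=P):
    """Row i holds v_j * x_j^i: evaluations of x^i at the support, scaled by v."""
    return [[(v * pow(x, i, p)) % p for x, v in zip(support, multipliers)]
            for i in range(k)]


def schur_square_dim(gen, p=P):
    """Dimension of the span of all component-wise products of generator rows."""
    prods = [[(a * b) % p for a, b in zip(gen[i], gen[j])]
             for i in range(len(gen)) for j in range(i, len(gen))]
    return rank_mod_p(prods, p)


def random_generator(n, k, p=P, seed=1):
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def demo(n=20, k=5):
    """Returns (GRS square dimension, random-code square dimension)."""
    support = list(range(1, n + 1))                 # n distinct points of GF(31)
    multipliers = [(x * x + 1) % P for x in support]  # never 0: -1 is a non-square mod 31
    grs = grs_generator(support, multipliers, k)    # GRS square spans 2k-1 = 9 dims
    return schur_square_dim(grs), schur_square_dim(random_generator(n, k))
```

With n = 20 and k = 5 the GRS square has dimension 9, while the random code's square is close to min(20, 15) = 15, so the two are told apart from public data alone.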
