SLIDE 1

Cryptanalysis of a variant of the McEliece encryption scheme

Julien Lavauzelle

IRMAR, Université de Rennes 1

Journées Nationales de Calcul Formel 2020, 03/03/2020

SLIDE 2

Outline

  • 1. McEliece cryptosystem and variants
  • 2. Attack on the Reed–Solomon variant
  • 3. Attack on the twisted Reed–Solomon variant

0/20

  • J. Lavauzelle

JNCF 2020 – Cryptanalysis of a variant of the McEliece encryption scheme –

SLIDE 5

McEliece cryptosystem

McEliece cryptosystem (1978): a public-key encryption scheme.

Summary:
  ◮ private key: an efficient decoding algorithm for a code $\mathcal{C}$,
  ◮ public key: a random description of the code (masks the decoding algorithm),
  ◮ encryption: encode the message and add an error,
  ◮ decryption: decode the error and retrieve the message.

Security relies on two problems:
  • 1. hardness of decoding random codes,
  • 2. hardness of recognizing the structure of a code (≃ finding an efficient decoding algorithm from a random description of the code).

SLIDE 7

General statement of the problem

Let $\mathcal{F}$ be a $k$-dimensional subspace of $\mathbb{F}_q[x]/(x^q - x)$.

Input.
$$G = \begin{pmatrix} y_1 f_1(x_1) & \cdots & y_n f_1(x_n) \\ \vdots & & \vdots \\ y_1 f_k(x_1) & \cdots & y_n f_k(x_n) \end{pmatrix} \in \mathbb{F}_q^{k \times n},$$
where $f_1(x), \ldots, f_k(x)$ is a basis of $\mathcal{F}$, $(x_1, \ldots, x_n)$ are pairwise distinct elements of $\mathbb{F}_q$, and $(y_1, \ldots, y_n)$ are non-zero elements of $\mathbb{F}_q$.

Output. A basis $g_1(x), \ldots, g_k(x)$ of $\mathcal{F}$, pairwise distinct elements $x'_1, \ldots, x'_n \in \mathbb{F}_q$ and non-zero elements $y'_1, \ldots, y'_n \in \mathbb{F}_q^\times$ such that
$$G = \begin{pmatrix} y'_1 g_1(x'_1) & \cdots & y'_n g_1(x'_n) \\ \vdots & & \vdots \\ y'_1 g_k(x'_1) & \cdots & y'_n g_k(x'_n) \end{pmatrix}.$$

SLIDE 9

Instances of the problem

A Public-Key Cryptosystem Based on Algebraic Coding Theory. McEliece. Jet Propulsion Laboratory DSN Progress Report. 1978.

Original McEliece cryptosystem: binary Goppa codes, $q = 2^m$.
  – $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct,
  – $\pi(x)$ the derivative of $\prod_{i=1}^{n} (x - x_i) \in \mathbb{F}_q[x]$,
  – an irreducible $\Gamma(x) \in \mathbb{F}_q[x]$,
  – $y = \left( \dfrac{\Gamma(x_1)}{\pi(x_1)}, \ldots, \dfrac{\Gamma(x_n)}{\pi(x_n)} \right) \in (\mathbb{F}_q^\times)^n$.

$$\mathcal{F}_{x, \Gamma, r} = \left\{ f(x) \in \mathbb{F}_q[x] \;\middle|\; \deg(f) < r \text{ and } y_i f(x_i) \in \mathbb{F}_2,\ \forall i = 1, \ldots, n \right\}.$$

◮ Still considered secure (NIST competition).
◮ Main drawback: large key sizes.

SLIDE 13

Instances of the problem

In order to reduce key sizes:

◮ Niederreiter (1986): generalized Reed–Solomon codes
  – $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct,
  – $y = (y_1, \ldots, y_n) \in (\mathbb{F}_q^\times)^n$,
  – $\mathcal{F} = \{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \}$.
  However, broken by Sidelnikov and Shestakov in 1992 (Part II).

◮ Many proposals to replace Goppa codes → Reed–Muller codes, AG codes, QC-MDPC codes, etc.

◮ In 2018: Beelen, Bossert, Puchinger and Rosenkilde proposed twisted Reed–Solomon codes.
  → claimed key size reduction by a factor 7
  → also broken (Part III)

On Insecurity of Cryptosystems Based on Generalized Reed-Solomon Codes. Sidelnikov, Shestakov. Discrete Math. Appl. 1992.

Cryptanalysis of a System Based on Twisted Reed–Solomon Codes. L., Renner. Designs, Codes and Cryptography. 2020.

SLIDE 14

Outline

  • 1. McEliece cryptosystem and variants
  • 2. Attack on the Reed–Solomon variant
  • 3. Attack on the twisted Reed–Solomon variant

SLIDE 15

The problem

Let $\mathcal{F} = \{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \}$.

Input. A matrix
$$G = \begin{pmatrix} y_1 f_1(x_1) & \cdots & y_n f_1(x_n) \\ \vdots & & \vdots \\ y_1 f_k(x_1) & \cdots & y_n f_k(x_n) \end{pmatrix} \in \mathbb{F}_q^{k \times n},$$
where
  – $f_1(x), \ldots, f_k(x)$ is a basis of $\mathcal{F}$,
  – $(x_1, \ldots, x_n) \in \mathbb{F}_q^n$ are pairwise distinct, and $(y_1, \ldots, y_n) \in (\mathbb{F}_q^\times)^n$.

Output. A basis $g_1(x), \ldots, g_k(x)$ of $\mathcal{F}$, pairwise distinct elements $(x'_1, \ldots, x'_n) \in \mathbb{F}_q^n$ and non-zero elements $(y'_1, \ldots, y'_n) \in (\mathbb{F}_q^\times)^n$ such that
$$G = \begin{pmatrix} y'_1 g_1(x'_1) & \cdots & y'_n g_1(x'_n) \\ \vdots & & \vdots \\ y'_1 g_k(x'_1) & \cdots & y'_n g_k(x'_n) \end{pmatrix}.$$

SLIDE 16

The problem

Remark. One can write $G$ as
$$G = S \cdot \begin{pmatrix} 1 & 1 & \cdots & 1 & 1 \\ x_1 & x_2 & \cdots & x_{n-1} & x_n \\ x_1^2 & x_2^2 & \cdots & x_{n-1}^2 & x_n^2 \\ \vdots & \vdots & & \vdots & \vdots \\ x_1^{k-1} & x_2^{k-1} & \cdots & x_{n-1}^{k-1} & x_n^{k-1} \end{pmatrix} \cdot \mathrm{Diag}(y_1, \ldots, y_n),$$
where $S \in \mathbb{F}_q^{k \times k}$ is invertible.

SLIDE 19

Structural properties

Notation.
  – $\mathbf{1} = (1, \ldots, 1) \in \mathbb{F}_q^n$
  – $a \star b = (a_1 b_1, \ldots, a_n b_n)$
  – $\lambda a = (\lambda a_1, \ldots, \lambda a_n)$
  – $\mathcal{F} = \{ f(x) \in \mathbb{F}_q[x] \mid \deg(f) < k \}$

Definition. Generalized Reed–Solomon code:
$$\mathrm{GRS}_k(x, y) := \{ y \star \mathrm{ev}_x(f) := (y_1 f(x_1), \ldots, y_n f(x_n)) \mid f(x) \in \mathcal{F} \} \subseteq \mathbb{F}_q^n.$$

$\mathcal{F}$ is invariant under the action of the general affine group $\{ x \mapsto ax + b,\ a \neq 0 \}$ (a polynomial of degree $< k$ composed with an affine map still has degree $< k$).

Proposition. Let $a \in \mathbb{F}_q^\times$ and $b \in \mathbb{F}_q$. We have
$$\mathrm{GRS}_k(x, y) = \mathrm{GRS}_k(ax + b\mathbf{1}, y).$$

SLIDE 23

Structural properties

Actually, one can "extend" the evaluation of elements of $\mathcal{F}$ at a point at infinity: $X^{k-1}(\infty) = 1$ and $X^j(\infty) = 0$ for $j < k-1$. This can be formally written as evaluating rational functions at points of the projective line $\mathbb{P}^1(\mathbb{F}_q) \simeq \mathbb{F}_q \cup \{\infty\}$. Invariance under the projective linear group $\{ (t : s) \mapsto (at + bs : ct + ds) \}$.

Proposition. Let $a, b, c, d \in \mathbb{F}_q$ with $ad - bc = 1$. Then we have
$$\mathrm{GRS}_k(x, y) = \mathrm{GRS}_k\!\left( \frac{ax + b\mathbf{1}}{cx + d\mathbf{1}},\ y' \right), \qquad y'_i = (cx_i + d)^{k-1}\, y_i,$$
where the point with $cx_i + d = 0$ is sent to $\infty$ and gets the factor $(ax_i + b)^{k-1}$ instead. For affine maps ($c = 0$) the factor is the constant $d^{k-1}$, so $y' = \lambda y$ and the previous proposition is recovered; for $c \neq 0$ the multiplier genuinely changes, because $g\big(\tfrac{ax_i + b}{cx_i + d}\big) = (cx_i + d)^{-(k-1)} G(x_i)$ with $G(X) = (cX + d)^{k-1} g\big(\tfrac{aX + b}{cX + d}\big) \in \mathcal{F}$.

Remark. The group of homographies $t \mapsto \frac{at + b}{ct + d}$ is 3-transitive over $\mathbb{F}_q \cup \{\infty\}$. In our search for $x$, one can therefore arbitrarily fix 3 points, say $x_{n-2} = 1$, $x_{n-1} = 0$, $x_n = \infty$.

SLIDE 25

Sidelnikov–Shestakov's attack

(Trivial) lemma. For every subset $S \subset \{x_1, \ldots, x_n\}$ of cardinality $k-1$, there exists a unique monic $f \in \mathcal{F}$ such that $f(S) = \{0\}$:
$$f(x) = \prod_{i=1}^{k-1} (x - s_i).$$

$$G = \begin{pmatrix} y_1 f_1(x_1) & y_2 f_1(x_2) & \cdots & y_n f_1(x_n) \\ \vdots & \vdots & & \vdots \\ y_1 f_k(x_1) & y_2 f_k(x_2) & \cdots & y_n f_k(x_n) \end{pmatrix}$$

By Gaussian elimination on the first $k$ columns (any $k$ columns are independent, the code being MDS), two rows of the systematic form are
$$u = (1, 0, \ldots, 0 \mid u_{k+1}, \ldots, u_n) = y \star \mathrm{ev}_x(f), \qquad v = (0, 1, 0, \ldots, 0 \mid v_{k+1}, \ldots, v_n) = y \star \mathrm{ev}_x(g),$$
where $f$ vanishes on $x_2, \ldots, x_k$, $g$ vanishes on $x_1, x_3, \ldots, x_k$, and the $u_i$'s and $v_i$'s ($i > k$) are non-zero (a non-zero element of $\mathcal{F}$ has at most $k-1$ zeroes, all already used).

SLIDE 29

Sidelnikov–Shestakov's attack

$$u = (1, 0, \ldots, 0 \mid u_{k+1}, \ldots, u_n) \leftrightarrow f(x), \qquad v = (0, 1, 0, \ldots, 0 \mid v_{k+1}, \ldots, v_n) \leftrightarrow g(x).$$

Lemma. If two elements $f, g \in \mathcal{F}$ share $k-2$ zeroes, then
$$\frac{f(x)}{g(x)} = \frac{\alpha x + \beta}{\gamma x + \delta}.$$

$$u \star v^{-1} = \left( \bot, \ldots, \bot, \frac{u_{k+1}}{v_{k+1}}, \ldots, \frac{u_n}{v_n} \right), \qquad \varphi(x) = \frac{f(x)}{g(x)} = \frac{\alpha x + \beta}{\gamma x + \delta},$$
where $\bot$ marks the first $k$ coordinates, in which $u$ or $v$ vanishes.

Solve (in $\alpha, \beta, \gamma, \delta$) the system $\varphi(x_i) = u_i / v_i$ for $i \in \{n-2, n-1, n\}$, the three points fixed to $1, 0, \infty$ $\Longrightarrow$ find $\varphi$.

Solve the equation $\varphi(x_i) = u_i / v_i$ for each $i \in [k+1, n-3]$ $\Longrightarrow$ find $x_{k+1}, \ldots, x_{n-3}$.

The first $k$ points follow from the same $\varphi$ and from other pairs of rows: $x_1$ is the pole and $x_2$ the zero of $\varphi = f/g$, and $x_3, \ldots, x_k$ are read off in the same way from the ratio of row 1 with row $i$, $i = 3, \ldots, k$.

SLIDE 31

Sidelnikov–Shestakov's attack

Once $x$ is known, one can easily find a valid $y'$ by solving a linear system.

Theorem. [Sidelnikov–Shestakov] Given as input any matrix $G$ generating the code $\mathrm{GRS}_k(x, y)$, there exists an algorithm running in time $O(n^4)$ that outputs $x', y'$ such that
$$\mathrm{GRS}_k(x', y') = \mathrm{GRS}_k(x, y).$$
Moreover, $x' = \dfrac{ax + b\mathbf{1}}{cx + d\mathbf{1}}$ and $y' = \lambda y$ (up to the column-wise factor $(cx_i + d)^{k-1}$ of the previous proposition when $c \neq 0$).
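The attack of slides 24–31, as an added worked example (this is not code from the slides or from the paper): it runs over a prime field $\mathbb{F}_p$ rather than $\mathbb{F}_{2^m}$ so that field arithmetic is plain modular integer arithmetic, builds a Niederreiter-style public key $G = S \cdot V(x) \cdot \mathrm{Diag}(y)$ for a random GRS code, and recovers $(x', y')$ with the projective normalisation $x'_{n-2} = 1$, $x'_{n-1} = 0$, $x'_n = \infty$ of slide 23 and the row-ratio trick of slides 25–29; $y'$ is then read off the systematic form, where the linear system of slide 30 is diagonal. The prime $p = 10007$, the parameters $n = 20$, $k = 8$, the seed and the name INF for the point at infinity are choices of this example, not of the page.

```python
"""Sidelnikov-Shestakov key recovery on a GRS-based public key over F_p (added example).
INF is the point at infinity of P^1(F_p); evaluating a polynomial of degree < k there
returns its x^(k-1) coefficient, as on the slides."""
import random

P = 10007      # prime field size (assumption of this example)
INF = None     # point at infinity

def inv(a):
    return pow(a % P, P - 2, P)

def vandermonde(x, k):
    """Rows ev_x(1), ev_x(X), ..., ev_x(X^(k-1)); the column of INF is e_k."""
    return [[(1 if i == k - 1 else 0) if xj is INF else pow(xj, i, P) for xj in x]
            for i in range(k)]

def grs_matrix(x, y, k):
    """Generator matrix of GRS_k(x, y) = V(x) * Diag(y)."""
    return [[v * yj % P for v, yj in zip(row, y)] for row in vandermonde(x, k)]

def rref(M):
    """Reduced row echelon form over F_p, zero rows dropped."""
    M = [row[:] for row in M]
    r = 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        s = inv(M[r][c])
        M[r] = [v * s % P for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % P for a, b in zip(M[i], M[r])]
        r += 1
    return M[:r]

def same_code(G1, G2):
    """Equal row spaces <=> stacking the two matrices adds no rank."""
    return len(rref(G1)) == len(rref(G2)) == len(rref(G1 + G2))

def keygen(n, k, seed):
    """Public key S * V(x) * Diag(y) of a random GRS_k(x, y); (x, y) is the secret."""
    rng = random.Random(seed)
    x = rng.sample(range(P), n)                    # pairwise distinct support
    y = [rng.randrange(1, P) for _ in range(n)]    # non-zero column multipliers
    S = [[rng.randrange(P) for _ in range(k)] for _ in range(k)]
    while len(rref(S)) < k:                        # resample until S is invertible
        S = [[rng.randrange(P) for _ in range(k)] for _ in range(k)]
    G = grs_matrix(x, y, k)
    Gpub = [[sum(S[i][l] * G[l][j] for l in range(k)) % P for j in range(n)] for i in range(k)]
    return Gpub, (x, y)

def sidelnikov_shestakov(Gpub):
    """Return (x', y') with GRS_k(x', y') equal to the code of Gpub, normalised so that
    x'_{n-2} = 1, x'_{n-1} = 0, x'_n = INF (3-transitivity of the homographies)."""
    k, n = len(Gpub), len(Gpub[0])
    R = rref(Gpub)                      # [I_k | A]: any k columns of an MDS code are independent
    assert all(R[i][j] == (i == j) for i in range(k) for j in range(k))
    # Row 0 <-> f vanishing at x'_2..x'_k, row 1 <-> g vanishing at x'_1, x'_3..x'_k, hence
    # phi = f/g = (alpha X + beta)/(gamma X + delta) and phi(x'_j) = R[0][j]/R[1][j] for j > k.
    r = [None] * k + [R[0][j] * inv(R[1][j]) % P for j in range(k, n)]
    alpha = r[n - 1]                                           # phi(INF) = alpha/gamma; take gamma = 1
    delta = (r[n - 3] - alpha) * inv(r[n - 2] - r[n - 3]) % P  # from phi(1) = r[n-3], phi(0) = r[n-2]
    beta = r[n - 2] * delta % P
    xp = [None] * n
    xp[0] = (-delta) % P                                       # x'_1 is the pole of phi
    xp[1] = (-beta * inv(alpha)) % P                           # x'_2 is the zero of phi
    for j in range(k, n - 1):                                  # invert the homography at each ratio
        xp[j] = (beta - r[j] * delta) * inv(r[j] - alpha) % P
    xp[n - 1] = INF
    for i in range(2, k):                # rows 0 and i: f/f_i = mu (X - x'_{i+1}) / (X - x'_1)
        mu = R[0][n - 1] * inv(R[i][n - 1]) % P                # leading-coefficient ratio, read at INF
        s = R[0][k] * inv(R[i][k]) % P                         # the same ratio at the known x'_{k+1}
        xp[i] = (xp[k] - s * (xp[k] - xp[0]) * inv(mu)) % P
    # Row i of R equals y' * ev_{x'}(c_i L_i), L_i = prod_{l<k, l!=i} (X - x'_l) monic, so its INF
    # entry is y'_n c_i.  Fixing the free scalar by y'_n := 1 makes the linear system for y' diagonal.
    def L(i, t):
        out = 1
        for l in range(k):
            if l != i:
                out = out * (t - xp[l]) % P
        return out
    yp = []
    for j in range(n - 1):
        i = j if j < k else 0                                  # a row whose polynomial is non-zero at x'_j
        yp.append(R[i][j] * inv(R[i][n - 1] * L(i, xp[j])) % P)
    return xp, yp + [1]

if __name__ == "__main__":
    Gpub, secret = keygen(n=20, k=8, seed=1)
    xp, yp = sidelnikov_shestakov(Gpub)
    print("recovered (x', y') generates the public code:", same_code(Gpub, grs_matrix(xp, yp, 8)))
```

The check `same_code` compares ranks, so it accepts any $(x', y')$ describing the same code, which is all an attacker needs: with the support and multipliers in hand, any standard Reed–Solomon decoder for $\mathrm{GRS}_k(x', y')$ decrypts ciphertexts produced under the public key. The recovered $x'$ is a homography of the true $x$ (cross-ratios are preserved), exactly as the theorem states.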

SLIDE 32

Outline

  • 1. McEliece cryptosystem and variants
  • 2. Attack on the Reed–Solomon variant
  • 3. Attack on the twisted Reed–Solomon variant

SLIDE 36

Twisted Reed–Solomon codes

Reed–Solomon codes: $\mathcal{F}_{\mathrm{RS}} = \langle 1, x, \ldots, x^{h-1}, x^h, x^{h+1}, \ldots, x^{k-1} \rangle_{\mathbb{F}_q}$

[Figure: the exponents $0, \ldots, k-1$ marked on the axis $0, \ldots, n-1$.]

Definition. Twisted Reed–Solomon codes (with one twist):
$$\mathcal{F}_{\mathrm{TRS}} = \langle 1, x, \ldots, x^{h-1}, x^h + \eta\, x^{k-1+t}, x^{h+1}, \ldots, x^{k-1} \rangle_{\mathbb{F}_{q^2}}, \qquad \eta \in \mathbb{F}_{q^2}.$$

[Figure: the same axis; the hook $\eta$ lifts exponent $h$ to the extra exponent $k-1+t$.]

Set $x = (x_1, \ldots, x_n) \in \mathbb{F}_q^n$ pairwise distinct, and $y = \mathbf{1}$.
$$\mathrm{TRS}_k[x, h, t, \eta] := \{ (f(x_1), \ldots, f(x_n)) \mid f \in \mathcal{F}_{\mathrm{TRS}} \} \subseteq \mathbb{F}_{q^2}^n.$$

SLIDE 37

Input

$$G = \underbrace{S}_{\in\, \mathrm{GL}_k(\mathbb{F}_{q^2})} \cdot \begin{pmatrix} 1 & 1 & \cdots & 1 & 1 \\ x_1 & x_2 & \cdots & x_{n-1} & x_n \\ x_1^2 & x_2^2 & \cdots & x_{n-1}^2 & x_n^2 \\ \vdots & \vdots & & \vdots & \vdots \\ x_1^h + \eta x_1^{k-1+t} & x_2^h + \eta x_2^{k-1+t} & \cdots & x_{n-1}^h + \eta x_{n-1}^{k-1+t} & x_n^h + \eta x_n^{k-1+t} \\ \vdots & \vdots & & \vdots & \vdots \\ x_1^{k-1} & x_2^{k-1} & \cdots & x_{n-1}^{k-1} & x_n^{k-1} \end{pmatrix}$$

SLIDE 41

Structural properties

Structural Properties of Twisted Reed–Solomon Codes with Applications to Cryptography. Beelen, Bossert, Puchinger, Rosenkilde. ISIT. 2018.

Can we apply the same technique?

$\mathrm{TRS}_k[x, h, t, \eta]$ is also MDS: $\forall I \subset [1, n]$ with $|I| = k-1$, $\exists$ monic $f(x) \in \mathcal{F}_{\mathrm{TRS}}$ with $f(x_i) = 0$ for all $i \in I$.

However, if $f, g \in \mathcal{F}_{\mathrm{TRS}}$ share $k-2$ zeroes, then in general $f/g$ is not a rational function of degree 1 (the twist term $\eta x^{k-1+t}$ raises the degree). Moreover,

Proposition. Let $a \in \mathbb{F}_q^\times$. We have
$$\mathrm{TRS}_k[ax, h, t, \eta] = \mathrm{TRS}_k[x, h, t, \eta a^{k-1+t-h}],$$
but we cannot hope for better: $x$ is inherently recoverable only up to this scaling (with $\eta$ up to the matching factor), and unlike $\mathcal{F}$, the space $\mathcal{F}_{\mathrm{TRS}}$ has no affine symmetry in general.

SLIDE 42

Main idea

Our idea: starting from any generator matrix $G$ for $\mathrm{TRS}_k[x, h, t, \eta]$, build a new code
  – whose description involves $x$,
  – which can be attacked.

Two tools:
  • 1. subfield subcode,
  • 2. code squaring.

SLIDE 45

Subfield subcode

Subfield subcode of $\mathcal{C} \subseteq \mathbb{F}_{q^2}^n$:
$$\mathcal{C} \cap \mathbb{F}_q^n = \{ c \in \mathcal{C} \mid \forall i \in [1, n],\ c_i \in \mathbb{F}_q \},$$
... efficiently computable from $G$ (a linear system over $\mathbb{F}_q$ in the $2k$ $\mathbb{F}_q$-coordinates of the message vector).

Here:
$$\mathcal{F}_{\mathrm{TRS}} = \langle 1, x, \ldots, x^{h-1}, x^h + \eta\, x^{k-1+t}, x^{h+1}, \ldots, x^{k-1} \rangle_{\mathbb{F}_{q^2}}, \qquad \eta \in \mathbb{F}_{q^2},$$
$$\mathcal{F}_{\mathrm{TRS}} \cap \mathbb{F}_q[x] = \langle 1, x, \ldots, x^{h-1}, \underbrace{0}_{\text{position } h}, x^{h+1}, \ldots, x^{k-1} \rangle_{\mathbb{F}_q}$$
(the claim needs $\eta \notin \mathbb{F}_q$; otherwise the twisted monomial survives in $\mathbb{F}_q[x]$).

[Figure: the exponents $0, \ldots, k-1$ on the axis $0, \ldots, n-1$, with a hole at $h$.]

Close to a Reed–Solomon code!

SLIDE 47

Squaring

Filling the gap by the squaring method. Square code of $\mathcal{C}$:
$$\mathcal{C}^{\star 2} = \langle c \star c' \mid c \in \mathcal{C},\ c' \in \mathcal{C} \rangle \subseteq \mathbb{F}_q^n$$
(the linear span of the componentwise products), ... efficiently computable from $G$: it is spanned by the $\binom{k+1}{2}$ products of pairs of rows of $G$.

$$\mathcal{F}_{\mathrm{TRS}} \cap \mathbb{F}_q[x] = \langle 1, x, \ldots, x^{h-1}, 0, x^{h+1}, \ldots, x^{k-1} \rangle_{\mathbb{F}_q},$$
$$(\mathcal{F}_{\mathrm{TRS}} \cap \mathbb{F}_q[x])^{\star 2} = \langle 1, x, \ldots, x^{2k-2} \rangle_{\mathbb{F}_q}.$$

[Figure: the squared exponent range $0, \ldots, 2k-2$ on the axis $0, \ldots, n-1$.]

Proposition.
$$(\mathrm{TRS}_k[x, h, t, \eta] \cap \mathbb{F}_q^n)^{\star 2} = \mathrm{GRS}_{2k-1}(x, \mathbf{1}).$$
(This needs the exponent set $\{0, \ldots, k-1\} \setminus \{h\}$ to sum-cover $\{0, \ldots, 2k-2\}$, i.e. $2 \le h \le k-3$, and $n \ge 2k-1$ for the right-hand side to be a proper $[n, 2k-1]$ GRS code on which the next step can run.)
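The two identities above, carried through (an added derivation, not on the slides; it uses the Frobenius $a \mapsto a^q$ of $\mathbb{F}_{q^2}$ and assumes $x \in \mathbb{F}_q^n$, $\eta \notin \mathbb{F}_q$ and $n \ge k + t$, so that evaluation at $x$ is injective on polynomials of degree $\le k-1+t$):

Write $f = \sum_{i \neq h} a_i x^i + a_h (x^h + \eta x^{k-1+t})$ with $a_i \in \mathbb{F}_{q^2}$, and let $\bar f = \sum_{i \neq h} a_i^q x^i + a_h^q (x^h + \eta^q x^{k-1+t})$ be $f$ with conjugated coefficients. Since $x_j \in \mathbb{F}_q$,
$$f(x_j) \in \mathbb{F}_q \iff f(x_j)^q = f(x_j) \iff \bar f(x_j) = f(x_j).$$
So $\mathrm{ev}_x(f) \in \mathbb{F}_q^n$ means that $f - \bar f$, of degree $\le k-1+t$, vanishes at $n \ge k+t$ points, i.e. $f = \bar f$. Comparing coefficients,
$$a_i^q = a_i \ (i \neq h), \qquad a_h^q = a_h, \qquad a_h \eta = a_h^q \eta^q = a_h \eta^q \implies a_h (\eta - \eta^q) = 0 \implies a_h = 0,$$
because $\eta \notin \mathbb{F}_q$ means $\eta^q \neq \eta$. Hence
$$\mathcal{F}_{\mathrm{TRS}} \cap \mathbb{F}_q[x] = \langle x^i : 0 \le i \le k-1,\ i \neq h \rangle_{\mathbb{F}_q}:$$
the twist is exactly what the subfield subcode discards.

Squaring: with $E = \{0, \ldots, k-1\} \setminus \{h\}$ and $\mathrm{ev}_x(u) \star \mathrm{ev}_x(v) = \mathrm{ev}_x(uv)$,
$$(\mathrm{TRS}_k[x, h, t, \eta] \cap \mathbb{F}_q^n)^{\star 2} = \mathrm{ev}_x\big( \langle x^{i+j} : i, j \in E \rangle_{\mathbb{F}_q} \big),$$
and $E + E = \{0, \ldots, 2k-2\}$ as soon as $2 \le h \le k-3$: the sums $0, 1, 2k-3, 2k-2$ need $0, 1, k-2, k-1 \in E$, and every other $e$ has at least three ordered decompositions $e = i + j$ with $0 \le i, j \le k-1$, of which at most two involve $h$. The right-hand side is then $\mathrm{ev}_x(\langle 1, x, \ldots, x^{2k-2} \rangle_{\mathbb{F}_q}) = \mathrm{GRS}_{2k-1}(x, \mathbf{1})$, a genuine $[n, 2k-1]$ code when $n \ge 2k-1$.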

SLIDE 49

Reusing the older attack

Apply Sidelnikov–Shestakov's attack on
$$(\mathrm{TRS}_k[x, h, t, \eta] \cap \mathbb{F}_q^n)^{\star 2} = \mathrm{GRS}_{2k-1}(x, \mathbf{1}).$$

We also know that $\infty \notin x$ and $y = \mathbf{1}$
$\Longrightarrow$ the algorithm outputs $x' = ax + b\mathbf{1}$ for some $a \in \mathbb{F}_q^\times$, $b \in \mathbb{F}_q$.

But... we only have $\mathrm{TRS}_k[ax, h, t, \eta] = \mathrm{TRS}_k[x, h, t, \eta a^{k-1+t-h}]$: the scaling by $a$ is harmless, the translation by $b$ must be undone.

Last steps:
  – exhaustive search over $b$ $\Longrightarrow$ recover $ax$,
  – find $\eta$ by interpolation of random codewords.

SLIDE 51

Summary of the attack

Input. A matrix $G \in \mathbb{F}_{q^2}^{k \times n}$ generating $\mathrm{TRS}_k[x, h, t, \eta] \subseteq \mathbb{F}_{q^2}^n$.

Output. A pair $(ax, \eta a^{k-1+t-h})$ equivalent to $(x, \eta)$.

  • 1. Compute a generator matrix $G_{\mathrm{sub}}$ of the subfield subcode $\mathrm{TRS}_k[x, h, t, \eta] \cap \mathbb{F}_q^n$.
  • 2. Compute a generator matrix $G_{\mathrm{sub}}^{\star 2}$ of the square code $(\mathrm{TRS}_k[x, h, t, \eta] \cap \mathbb{F}_q^n)^{\star 2}$.
  • 3. Apply Sidelnikov–Shestakov's attack on $G_{\mathrm{sub}}^{\star 2}$ and recover $x' = ax + b\mathbf{1}$.
  • 4. Find $b \in \mathbb{F}_q$ such that $\mathrm{ev}_{x' - b\mathbf{1}}(x^j) \in \mathrm{TRS}_k[x, h, t, \eta]$ for all $j \in [0, k-1]$, $j \neq h$. Only the exponents $j > h$ discriminate: writing $x' - b\mathbf{1} = ax + c\mathbf{1}$, one has $\mathrm{ev}_{x' - b\mathbf{1}}(x^j) = \mathrm{ev}_x((ax + c)^j)$, and for $j < h$ the polynomial $(ax + c)^j$ has degree below $h$ and lies in $\mathcal{F}_{\mathrm{TRS}}$ whatever $c$ is; a wrong shift $c \neq 0$ is exposed through the $x^h$ coefficient $\binom{j}{h} a^h c^{j-h}$ of $(ax + c)^j$ for $j > h$, which a member of $\mathcal{F}_{\mathrm{TRS}}$ cannot carry without the matching $\eta x^{k-1+t}$ term.
  • 5. Find $\eta$ by interpolation of random words in $\mathrm{TRS}_k[x, h, t, \eta]$.

Theorem. [L., Renner] There is a key-recovery attack on the twisted Reed–Solomon variant of the McEliece cryptosystem running in $O(\max\{q, n\}\, n^3)$ operations over $\mathbb{F}_q$.

SLIDE 52

Questions?