Cryptanalysis of a system based on twisted Reed–Solomon codes


Twisted Reed–Solomon (TRS) codes are a family of codes that contains a large number of maximum distance separable codes that are non-equivalent to Reed–Solomon codes. TRS codes were recently proposed as an alternative to Goppa codes for the McEliece code-based cryptosystem, resulting in a potential reduction of key sizes. The use of TRS codes in the McEliece cryptosystem has been motivated by the fact that a large subfamily of TRS codes is resilient to a direct use of known algebraic key-recovery methods. In this paper, an efficient key-recovery attack on the TRS variant that was used in the McEliece cryptosystem is presented. The algorithm exploits a new approach based on recovering the structure of a well-chosen subfield subcode of the public code. It is proved that the attack always succeeds and breaks the system for all practical parameters in \(O(n^4)\) field operations. A software implementation of the algorithm retrieves a valid private key from the public key within a few minutes, for parameters claiming a security level of 128 bits. The success of the attack also indicates that, contrary to common beliefs, subfield subcodes of the public code need to be precisely analyzed when proposing a McEliece-type code-based cryptosystem. Finally, the paper discusses an attempt to repair the scheme and a modification of the attack aiming at Gabidulin–Paramonov–Tretjakov cryptosystems based on twisted Gabidulin codes.

This is a preview of subscription content, log in to check access.


  1. 1.

    Since the parameters k and \(h_1,\ldots ,h_{\ell }\) are public, an attacker knows the set \(\mathcal {I}\).


  1. 1.

    Banegas G., Barreto P.S.L.M., Boidje B.O., Cayrel P.-L., Dione G.N., Gaj K., Gueye C.T., Haeussler R., Klamti J.B., Ndiaye O., Nguyen D.T., Persichetti E., Ricardini J.E.: DAGS: key encapsulation using dyadic GS codes. J. Math. Cryptol. 12(4), 221–239 (2018).

    MathSciNet  Article  Google Scholar 

  2. 2.

    Bardet M., Barelli É., Blazy O., Torres R.C., Couvreur A., Gaborit P., Otmani A., Sendrier N., Tillich J.-P.L: BIG QUAKE BInary Goppa QUAsi–cyclic Key Encapsulation. (2017).

  3. 3.

    Barelli É., Couvreur A.: An efficient structural attack on NIST submission DAGS. In: Peyrin T., Galbraith S.D. (eds.) Advances in Cryptology—ASIACRYPT, vol. 11272, pp. 93–118. Springer, New York (2018).

    Google Scholar 

  4. 4.

    Beelen P., Puchinger S., Rosenkilde né N.J.: Twisted Reed-Solomon codes. In IEEE Int. Symp. Inf. Theory (ISIT) (2017).

  5. 5.

    Beelen P., Bossert M., Puchinger S., Rosenkilde né N.J.: Structural properties of twisted Reed-Solomon codes with applications to code-based cryptography. In: IEEE Int. Symp. Inf. Theory (ISIT) (2018).

  6. 6.

    Berger T.P., Loidreau P.: How to mask the structure of codes for a cryptographic use. Des. Codes Cryptogr. 35(1), 63–79 (2005).

    MathSciNet  Article  Google Scholar 

  7. 7.

    Berger T.P., Cayrel P.-L., Gaborit P., Otmani A.: Reducing key length of the McEliece cryptosystem. In: Preneel B. (ed.) Progress in Cryptology—AFRICACRYPT, vol. 5580, pp. 77–97. Springer (2009).

  8. 8.

    Bernstein D.J., Chou T., Lange T., von Maurich I., Misoczki R., Niederhagen R., Persichetti E., Peters C., Schwabe P., Sendrier N., Szefer J., Wang W.: Classic McEliece (2017).

  9. 9.

    Couvreur A., Gaborit P., Gauthier-Umaña V., Otmani A., Tillich J.-P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014).

    MathSciNet  Article  Google Scholar 

  10. 10.

    Couvreur A., Corbella I.M., Pellikaan R.: Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inf. Theory 63(8), 5404–5418 (2017).

    MathSciNet  Article  Google Scholar 

  11. 11.

    Couvreur A., Lequesne M., Tillich J.-P.: Recovering short secret keys of RLCE in polynomial time. In: Jintai D., Rainer S. (eds.) Post-Quantum Cryptography—10th International Conference, PQCrypto 2019, Chongqing, China, 8–10 May 2019, Revised Selected Papers, volume 11505 of Lecture Notes in Computer Science, pp. 133–152. Springer (2019).

  12. 12.

    Faugère J.-C., Otmani A., Perret L., Tillich J-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, vol. 6110, pp. 279–298. Springer (2010).

  13. 13.

    Faugère J.-C., Otmani A., Perret L., de Portzamparc F., Tillich J.-P.: Structural cryptanalysis of McEliece schemes with compact keys. Des. Codes Cryptogr. 79(1), 87–112 (2016).

    MathSciNet  Article  Google Scholar 

  14. 14.

    Gabidulin E.M.: Theory of codes with maximum rank distance. Probl. Inf. Transm. 21(1), 3–16 (1985).

    MathSciNet  MATH  Google Scholar 

  15. 15.

    Gabidulin E.M., Paramonov A.V., Tretjakov O.V.: Ideals over a non-commutative ring and their application in cryptology. In: Workshop Theory and Appl. Cryptogr. Techn., pp. 482–489. Springer (1991).

  16. 16.

    Janwa H., Moreno O.: McEliece public key cryptosystems using algebraic-geometric codes. Des. Codes Cryptogr. 8(3), 293–307 (1996).

    MathSciNet  Article  Google Scholar 

  17. 17.

    McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. Jet Propuls. Lab. DSN Progr. Rep. 42–44, 114–116 (1978).

    Google Scholar 

  18. 18.

    Minder L., Shokrollahi A.: Cryptanalysis of the Sidelnikov cryptosystem. In Advances in Cryptology—EUROCRYPT 2007, vol. 4515, pp. 347–360. Springer (2007).

  19. 19.

    Niederreiter H.: Knapsack type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15, 159 (1986).

    MathSciNet  MATH  Google Scholar 

  20. 20.

    Overbeck R.: A new structural attack for GPT and variants. LNCS: MYCRYPT 3715, 50–63 (2005).

    MATH  Google Scholar 

  21. 21.

    Overbeck R.: Public key cryptography based on coding theory. PhD thesis, Darmstadt University of Technology, Germany (2007).

  22. 22.

    Puchinger S.: Construction and decoding of evaluation codes in hamming and rank metric. PhD thesis, Ulm University, Germany (2018).

  23. 23.

    Puchinger S., Renner J., Wachter-Zeh A.: Twisted Gabidulin codes in the GPT cryptosystem. In: Int. Workshop Alg. Combin. Coding Theory (ACCT) (2018).

  24. 24.

    Sidelnikov M.V.: Public-key cryptosystem based on binary Reed-Muller codes. Discret. Math. Appl. 4, 191–208 (1994).

    Article  Google Scholar 

  25. 25.

    Sidelnikov M.V., Shestakov O.S.: On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discret. Math. Appl. 2, 439–444 (1992).

    MATH  Google Scholar 

  26. 26.

    The Sage Developers. SageMath, the Sage Mathematics Software System (2019).

  27. 27.

    Wang Y.: Quantum resistant random linear code based public key encryption scheme RLCE. In: IEEE International Symposium on Information Theory, ISIT 2016, Barcelona, Spain, 10–15 July 2016, pp. 2519–2523. IEEE (2016).

  28. 28.

    Wieschebrink C.: An attack on a modified Niederreiter encryption scheme. In: Public Key Cryptography–PKC 2006, pp 14–26. Springer, Berlin (2006).

  29. 29.

    Wieschebrink C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: Sendrier N. (ed.) Post-quantum Cryptography, pp. 61–72. Springer, Berlin (2010).

    Google Scholar 

Download references


This work was done while the second author was visiting the Institut de Recherche Mathématique de Rennes (IRMAR), Université de Rennes 1, France. The first author is funded by the French Direction Générale l’Armement, through the Pôle d’excellence cyber. This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 801434). We would like to thank Antonia Wachter-Zeh (TUM) for fruitful discussions and Oliver De Candido (TUM) for his comments that helped to improve the manuscript. We would further like to thank the authors of the proposed cryptosystem [5] for validating our attack and pointing out a possible repair of the system with respect to our attack.

Author information



Corresponding author

Correspondence to Julien Lavauzelle.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Communicated by A. Joux.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Lavauzelle, J., Renner, J. Cryptanalysis of a system based on twisted Reed–Solomon codes. Des. Codes Cryptogr. 88, 1285–1300 (2020).

Download citation


  • Code-Based Cryptography
  • McEliece Cryptosystem
  • Subfield Subcodes
  • Twisted Reed–Solomon Codes

Mathematics Subject Classification

  • 11T71