Recovering Short Secret Keys of RLCE in Polynomial Time

  • Alain Couvreur
  • Matthieu Lequesne
  • Jean-Pierre Tillich
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)


We present a key recovery attack against Y. Wang's Random Linear Code Encryption (RLCE) scheme, recently submitted to the NIST call for post-quantum cryptography. The public key of this code based encryption scheme is a generator matrix of a generalised Reed Solomon code whose columns are mixed in a certain manner with purely random columns. In this paper, we show that it is possible to recover the underlying structure when there are not enough random columns. The attack relies on a distinguisher based on the dimension of the square code. This process allows one to recover the secret key for all the short key parameters proposed by the author in \(O(n^5)\) operations. Our analysis also explains why RLCE long keys stay out of reach of our attack.
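The distinguisher the abstract refers to rests on a classical fact: the Schur (componentwise) square of a generalised Reed Solomon code of dimension k has dimension at most 2k - 1, while the square of a random code of the same length and dimension typically reaches min(n, k(k+1)/2). The following Python script is an added illustration of that gap and is not the paper's code; the field GF(101), the parameters n = 30, k = 8 and the random seeds are constructed for the example, and the helper names (`rank_mod_p`, `grs_generator`, `square_code_dimension`, `looks_like_grs`) are ours.

```python
# Added example (not the paper's code): square-code dimension distinguisher
# over a small prime field. Parameters and seeds are constructed for illustration.
import random
from itertools import combinations_with_replacement

P = 101  # constructed: a small prime so arithmetic is plain Python integers mod P


def rank_mod_p(rows, p=P):
    """Rank over GF(p) of a matrix given as a list of rows (Gaussian elimination)."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def grs_generator(n, k, p=P, seed=0):
    """Generator matrix of GRS_k(x, y): row i has entries y_j * x_j**i, with
    distinct evaluation points x_j and nonzero column multipliers y_j."""
    rng = random.Random(seed)
    xs = rng.sample(range(p), n)                   # distinct points
    ys = [rng.randrange(1, p) for _ in range(n)]   # nonzero multipliers
    return [[(ys[j] * pow(xs[j], i, p)) % p for j in range(n)] for i in range(k)]


def random_generator(n, k, p=P, seed=0):
    """Generator matrix of a uniformly random [n, k] code (full rank w.h.p.)."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def square_code_dimension(gen, p=P):
    """dim(C * C), where C * C is spanned by the componentwise (Schur)
    products of all pairs of generator rows."""
    prods = [[(a * b) % p for a, b in zip(r1, r2)]
             for r1, r2 in combinations_with_replacement(gen, 2)]
    return rank_mod_p(prods, p)


def looks_like_grs(gen, p=P):
    """Distinguisher: a GRS code of dimension k satisfies dim(C * C) <= 2k - 1,
    whereas a random [n, k] code typically reaches min(n, k(k+1)/2).
    Returns (dim(C * C), flag)."""
    k = rank_mod_p(gen, p)
    d = square_code_dimension(gen, p)
    return d, d <= 2 * k - 1


if __name__ == "__main__":
    n, k = 30, 8
    for name, g in (("GRS", grs_generator(n, k)), ("random", random_generator(n, k))):
        d, flag = looks_like_grs(g)
        print(f"{name:6s} [n={n}, k={k}]: dim(C*C) = {d:2d}, GRS-like: {flag}")
```

With these parameters the GRS square has dimension exactly 2k - 1 = 15, while the random code's 36 product vectors fill most or all of the 30-dimensional ambient space, so the two cases are separated by a wide margin; shrinking that margin (by hiding the GRS structure behind enough random columns) is precisely what the abstract's remark about long keys is about.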


Keywords: Code based cryptography, McEliece scheme, RLCE, Distinguisher, Key recovery attack, Generalised Reed Solomon codes, Schur product of codes



The authors are supported by French Agence nationale de la recherche grants ANR-15-CE39-0013 Manta, ANR-17-CE39-0007 CBCrypt and by the Commission of the European Communities through the Horizon 2020 program under project number 645622 (PQCRYPTO). Computer aided calculations have been performed using the software packages Sage and Magma [5].


  1. Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptol. 29(1), 1–27 (2016)
  2. Bardet, M., Chaulet, J., Dragoi, V., Otmani, A., Tillich, J.-P.: Cryptanalysis of the McEliece public key cryptosystem based on polar codes. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 118–143. Springer, Cham (2016)
  3. Berger, T.P., Loidreau, P.: Security of the Niederreiter form of the GPT public-key cryptosystem. In: Proceedings IEEE International Symposium on Information Theory - ISIT 2002, p. 267. IEEE, June 2002
  4. Bernstein, D.J., et al.: Classic McEliece: conservative code-based cryptography, November 2017, first round submission to the NIST post-quantum cryptography call
  5. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symbolic Comput. 24(3/4), 235–265 (1997)
  6. Cascudo, I., Cramer, R., Mirandola, D., Zémor, G.: Squares of random linear codes. IEEE Trans. Inform. Theory 61(3), 1159–1173 (2015)
  7. Chizhov, I.V., Borodin, M.A.: Effective attack on the McEliece cryptosystem based on Reed-Muller codes. Discrete Math. Appl. 24(5), 273–280 (2014)
  8. Couvreur, A., Gaborit, P., Gauthier-Umaña, V., Otmani, A., Tillich, J.P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014)
  9. Couvreur, A., Márquez-Corbella, I., Pellikaan, R.: Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inform. Theory 63(8), 5404–5418 (2017)
  10. Couvreur, A., Otmani, A., Tillich, J.P.: Polynomial time attack on wild McEliece over quadratic extensions. IEEE Trans. Inform. Theory 63(1), 404–427 (2017)
  11. Couvreur, A., Otmani, A., Tillich, J.-P., Gauthier–Umaña, V.: A polynomial-time attack on the BBCRS scheme. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer, Heidelberg (2015)
  12. Faugère, J.C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. IEEE Trans. Inform. Theory 59(10), 6830–6844 (2013)
  13. Huffman, W.C., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2003)
  14. McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab (1978). DSN Progress Report 44
  15. Sidelnikov, V.M., Shestakov, S.: On the insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl. 1(4), 439–444 (1992)
  16. Wang, Y.: Quantum resistant random linear code based public key encryption scheme RLCE. In: Proceedings of the IEEE International Symposium on Information Theory - ISIT 2016, pp. 2519–2523. IEEE, Barcelona, July 2016
  17. Wang, Y.: RLCE-KEM (2017), first round submission to the NIST post-quantum cryptography call
  18. Wieschebrink, C.: Two NP-complete problems in coding theory with an application in code based cryptography. In: Proceedings IEEE International Symposium Information Theory - ISIT, pp. 1733–1737 (2006)
  19. Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 61–72. Springer, Heidelberg (2010)

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Alain Couvreur (1)
  • Matthieu Lequesne (2, 3)
  • Jean-Pierre Tillich (3)
  1. Inria and LIX, CNRS UMR 7161, École polytechnique, Palaiseau Cedex, France
  2. Sorbonne Université, UPMC Univ Paris 06, Paris, France
  3. Inria, Paris, France
