Distinguisher-based attacks on public-key cryptosystems using Reed–Solomon codes

Abstract

Because of their interesting algebraic properties, several authors promote the use of generalized Reed–Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed–Solomon code. More recently, new schemes appeared which are the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et al. which hides the generalized Reed–Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of distinguisher which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed–Solomon codes. Lastly, we give an alternative to Sidelnikov and Shestakov attack by building a filtration which enables to completely recover the support and the non-zero scalars defining the secret generalized Reed–Solomon code.

Appendices

Appendix 1: Proof of Proposition 12

Set \(a \mathop {=}\limits ^{\text {def}}|I|-|J|\) and \(b\mathop {=}\limits ^{\text {def}}|I|\). After a suitable permutation of the support and the indexes of the \(x_j\)’s, the code \(\fancyscript{C}_I\) has a generator matrix of the form

$$\begin{aligned} \left( \begin{array}{l@{\quad }l@{\quad }l@{\quad }l@{\quad }l@{\quad }l@{\quad }l} x_1 &{} x_2 &{} \cdots &{} x_a &{} x_{a+1} &{} \cdots &{} x_b \\ \vdots &{} \vdots &{} &{} \vdots &{} \vdots &{} &{} \vdots \\ x_1^{\ell } &{} x_2^{\ell } &{} \cdots &{} x_a^{\ell } &{} x_{a+1}^{\ell } &{} \cdots &{} x_b^{\ell }\\ &{} &{} &{} &{} &{} &{} \\ x_1^{\ell +1} &{} x_2^{\ell +1} &{} \cdots &{} x_a^{\ell +1} &{} &{} &{} \\ \vdots &{} \vdots &{} &{} \vdots &{} &{} (0) &{} \\ x_1^k &{} x_2^k &{} \cdots &{} x_a^k &{} &{} &{} \end{array}\right) \end{aligned}$$

We define the maps

$$\begin{aligned}&\Phi _{I} : \left\{ \begin{array}{c@{\quad }c@{\quad }c} \mathbb {F}_{q}[x] &{} \rightarrow &{} \mathbb {F}_{q}^b \\ P &{} \mapsto &{} (P(x_1), \ldots , P(x_b)) \end{array}\right. \quad \text { and }\\&\Phi _{I\setminus J} : \left\{ \begin{array}{c@{\quad }c@{\quad }c} \mathbb {F}_{q}[x] &{} \rightarrow &{} \mathbb {F}_{q}^b \\ P &{} \mapsto &{} (P(x_1), \ldots , P(x_a), 0\ldots , 0) \end{array}\right. . \end{aligned}$$

We have the two following obvious lemmas.

Lemma 22

Both maps \(\Phi _{I}\) and \(\Phi _{I\setminus J}\) are linear. In addition, their restrictions to the vector space \(\langle x^2, \ldots , x^{2k}\rangle \) are injective.

Proof

It is sufficient to prove that the restriction of \(\Phi _{I\setminus J}\) is injective. It is an elementary consequence of polynomial interpolation, since \(a = |I| - |J|\) is assumed to be be larger than \(2k\). \(\square \)

Lemma 23

For all \(P, Q\in \mathbb {F}_{q}[x]\), we have:

$$\begin{aligned} \Phi _{I}\left( P \right) \star \Phi _{I}\left( Q \right)&= \Phi _{I}\left( PQ \right) \end{aligned}$$

(25)

$$\begin{aligned} \Phi _{I\setminus J} \left( P \right) \star \Phi _{I\setminus J} \left( Q \right)&= \Phi _{I\setminus J} \left( PQ \right) \end{aligned}$$

(26)

$$\begin{aligned} \Phi _{I}\left( P \right) \star \Phi _{I\setminus J} \left( Q \right)&= \Phi _{I\setminus J} \left( PQ \right) \end{aligned}$$

(27)

Clearly, we have

$$\begin{aligned} \fancyscript{C}_I = \Phi _{I}\left( \langle x,\ldots , x^{^\ell }\rangle \right) \ \oplus \ \Phi _{I\setminus J} \left( \langle x^{\ell +1},\ldots , x^k\rangle \right) . \end{aligned}$$

(28)

Using (25), (26) and (27), we get

$$\begin{aligned} \fancyscript{C}_I^2&= \Phi _{I}\left( \langle x, \ldots , x^{\ell }\rangle \right) ^2 \ + \ \Phi _{I\setminus J} \left( \langle x^{\ell +1}, \ldots , x^k\rangle \right) ^2\\&\quad + \ \Phi _{I}\left( \langle x, \ldots , x^{\ell }\rangle \right) \star \Phi _{I\setminus J} \left( \langle x^{\ell +1}, \ldots , x^k\rangle \right) \nonumber \\&= \Phi _{I}\left( \langle x^2, \ldots , x^{2\ell }\rangle \right) \ + \ \Phi _{I\setminus J} \left( \langle x^{2\ell +2}, \ldots , x^{2k}\rangle \right) \nonumber \\&\quad +\ \Phi _{I\setminus J} \left( \langle x^{\ell +2 }, \ldots , x^{k+ \ell }\rangle \right) \nonumber \\&= \Phi _{I}\left( \langle x^2, \ldots , x^{2\ell }\rangle \right) \ + \ \Phi _{I\setminus J} \left( \langle x^{2\ell +2}, \ldots , x^{2k}\rangle \ +\ \langle x^{\ell +2 }, \ldots , x^{k+ \ell }\rangle \right) \end{aligned}$$

Since, by assumption, \(\ell <k\), we have

$$\begin{aligned} \langle x^{\ell +2 }, \ldots , x^{k+ \ell }\rangle \ +\ \langle x^{2\ell +2}, \ldots , x^{2k}\rangle \ =\ \langle x^{\ell +2}, \ldots , x^{2k}\rangle \end{aligned}$$

Therefore,

$$\begin{aligned} \fancyscript{C}_I^2 = \Phi _{I}\left( \langle x^2, \ldots , x^{2\ell }\rangle \right) \ +\ \Phi _{I\setminus J} \left( \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) . \end{aligned}$$

(29)

Lemma 22 entails

$$\begin{aligned} \dim \Phi _{I}\left( \langle x^2, \ldots , x^{2\ell }\rangle \right) = 2\ell -1,\ \quad \text {and}\quad \ \dim \Phi _{I\setminus J} \left( \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) = 2k-\ell -1. \end{aligned}$$

(30)

To conclude the proof, we need to compute the dimension of the intersection of these spaces. For this purpose, set

$$\begin{aligned} R(x)\mathop {=}\limits ^{\text {def}}\prod _{j=a+1}^b (x-x_j). \end{aligned}$$

An element of \(\Phi _{I}\left( \langle x^2, \ldots , x^{2\ell }\rangle \right) \cap \Phi _{I\setminus J} \left( \langle x^{\ell +2},\ldots , x^{2k}\rangle \right) \) is an element of \(\Phi _{I}\left( \langle x^2 , \ldots , x^{2\ell }\rangle \right) \) which vanishes on the \(|J| = b-a\) last positions: it is an element of \(\Phi _{I}\left( \langle x^2 R(x), \ldots , x^{2\ell -|J|}R(x)\rangle \right) \). Thus,

$$\begin{aligned}&\Phi _{I}\left( \langle x^2, \ldots , x^{2 \ell }\rangle \right) \cap \ \Phi _{I\setminus J} \left( \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) \nonumber \\&\quad =\Phi _{I}\left( \langle x^2 R,\ldots , x^{2\ell - |J|}R\rangle \right) \cap \Phi _{I\setminus J} \left( \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) \nonumber \\&\quad = \Phi _{I\setminus J} \left( \langle x^2 R,\ldots , x^{2\ell - |J|}R\rangle \right) \cap \Phi _{I\setminus J} \left( \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) \nonumber \\&\quad = \Phi _{I\setminus J} \left( \langle x^2R, \ldots , x^{2\ell - |J|}R\rangle \cap \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) . \end{aligned}$$

The last equality is also a consequence of Lemma 22 since the direct image of an intersection by an injective map is the intersection of the direct images.

Since all the \(x_i\)’s are nonzero, the polynomials \(x^{\ell +2}\) and \(R\) are prime to each other, this yields

$$\begin{aligned} \langle x^2R, \ldots , x^{2\ell - |J|}R\rangle \cap \langle x^{\ell +2}, \ldots , x^{2k}\rangle&= \langle x^{\ell +2}R, \ldots , x^{2\ell - |J|}R\rangle . \end{aligned}$$

Therefore,

$$\begin{aligned} \Phi _{I}\left( \langle x^2, \ldots , x^{2 \ell }\rangle \right) \cap \Phi _{I\setminus J} \left( \langle x^{\ell +2}, \ldots , x^{2k}\rangle \right) = \Phi _{I\setminus J} \left( \langle x^{\ell + 2 } R(x), \ldots , x^{2\ell - |J|}R(x)\rangle \right) \nonumber \\ \end{aligned}$$

(31)

and this last space has dimension \(\ell - |J|- 1\). Finally, combining (29), (30) and (31), we get

$$\begin{aligned} \dim \fancyscript{C}_I^2 = (2k - \ell -1) + (2\ell -1) -(\ell - |J| -1) = 2k + |J| - 1. \end{aligned}$$

Appendix 2: Proof of Lemma 13

Recall that \(\varvec{R}\) has rank \(1\), then so does \(\varvec{R}\varvec{\Pi }^{-1}\) and there exist \(\varvec{a}\) and \(\varvec{b}\) in \(\mathbb {F}_{q}^n\) such that \( \varvec{R}\varvec{\Pi }^{-1} = \varvec{b}^T \varvec{a}\). Set

$$\begin{aligned} \varvec{P}\mathop {=}\limits ^{\text {def}}\mathfrak {I}+ \varvec{R}\varvec{\Pi }^{-1} = \mathfrak {I}+ \varvec{b}^T \varvec{a}. \end{aligned}$$

We first need the following lemmas

Lemma 24

The matrix \(\varvec{Q}\) is invertible if and only if \(\varvec{P}\) is.

Proof

We have \(\varvec{Q}= \varvec{\Pi }+ \varvec{R}= (\mathfrak {I}+ \varvec{R}\varvec{\Pi }^{-1})\varvec{\Pi }= \varvec{P}\varvec{\Pi }\), which yields the proof. \(\square \)

Lemma 25

The matrix \(\varvec{P}\) is invertible if and only if \(\varvec{a}\cdot \varvec{b} \ne -1\). In addition, if it is invertible, then

$$\begin{aligned} \varvec{P}^{-1} = \mathfrak {I}-\frac{1}{1+\varvec{a}\cdot \varvec{b}} \varvec{b}^T \varvec{a}. \end{aligned}$$

Proof

First, assume that \(\varvec{a}\cdot \varvec{b}\ne -1\). Then,

$$\begin{aligned} \varvec{P}\left( \mathfrak {I}-\frac{1}{1+\varvec{a}\cdot \varvec{b}} \varvec{b}^T \varvec{a}\right)&= \left( \mathfrak {I}+ \varvec{b}^T \varvec{a}\right) \left( \mathfrak {I}-\frac{1}{1+\varvec{a}\cdot \varvec{b}} \varvec{b}^T \varvec{a}\right) \\&= \mathfrak {I}+ \left( 1 - \frac{1}{1+\varvec{a}\cdot \varvec{b} }\right) \varvec{b}^T \varvec{a}-\frac{1}{1+\varvec{a}\cdot \varvec{b}} \varvec{b}^T \varvec{a}\varvec{b}^T \varvec{a}\\&=\mathfrak {I}+ \frac{\varvec{a}\cdot \varvec{b}}{1+\varvec{a}\cdot \varvec{b}}\varvec{b}^T \varvec{a}- \frac{\varvec{a}\cdot \varvec{b}}{1+\varvec{a}\cdot \varvec{b}}\varvec{b}^T \varvec{a}\\&= \mathfrak {I}. \end{aligned}$$

To conclude the “only if” part of the proof, there remains to prove that \(\varvec{P}\) is non invertible for \(\varvec{a}\cdot \varvec{b} = -1\). Assume \(\varvec{a}\cdot \varvec{b} = -1\), then

$$\begin{aligned} \varvec{P}^2 = \mathfrak {I}+2\varvec{b}^T \varvec{a}+ \varvec{b}^T \varvec{a}\varvec{b}^T \varvec{a}= \mathfrak {I}+ (2 +\varvec{a}\cdot \varvec{b}) \varvec{b}^T \varvec{a}= \varvec{P}. \end{aligned}$$

Thus, in this situation, \(\varvec{P}\) is a projection distinct from \(\mathfrak {I}\) and hence is non invertible. \(\square \)

Let \(\varvec{c}\) be an element of \(\fancyscript{C}_{\text {pub}}\). Since

$$\begin{aligned} \fancyscript{C}_{\text {sec}}= \fancyscript{C}_{\text {pub}}\varvec{Q}= \fancyscript{C}_{\text {pub}}(\varvec{\Pi }+ \varvec{R})= \fancyscript{C}_{\text {pub}}(\mathfrak {I}+ \varvec{R}\varvec{\Pi }^{-1})\varvec{\Pi }. \end{aligned}$$

We obtain

$$\begin{aligned} \fancyscript{C}=\fancyscript{C}_{\text {sec}}\varvec{\Pi }^{-1}= \fancyscript{C}_{\text {pub}}\varvec{P}\quad \mathrm{where}\quad \varvec{P}\mathop {=}\limits ^{\text {def}}\mathfrak {I}+ \varvec{R}\varvec{\Pi }^{-1}. \end{aligned}$$

(32)

Therefore

$$\begin{aligned} \fancyscript{C}_{\text {pub}}= (\fancyscript{C}_{\text {sec}}\varvec{\Pi }^{-1}) \varvec{P}^{-1} = \fancyscript{C}\varvec{P}^{-1}. \end{aligned}$$

From this, we obtain that there exists \(\varvec{p}\) in \(\fancyscript{C}\) such that \(\varvec{c}= \varvec{p}\varvec{P}^{-1}\). Thus, from Lemma 25 we know that \(\varvec{P}^{-1} = \mathfrak {I}-\frac{1}{1+\varvec{a}\cdot \varvec{b}} \varvec{b}^T \varvec{a}= \mathfrak {I}+ \varvec{\lambda }^T \varvec{a}\), which enables to write:

$$\begin{aligned} \varvec{c}= \varvec{p}\left( \mathfrak {I}+ \varvec{\lambda }^T \varvec{a}\right) = \varvec{p}+(\varvec{\lambda }\cdot \varvec{p})\varvec{a}. \end{aligned}$$

\(\square \)

Corollary 26

Given \(\varvec{u}, \varvec{v}\in \mathbb {F}_{q}^n\) the map \(\varvec{p}\mapsto \varvec{p}+ (\varvec{u}\cdot \varvec{p})\varvec{v}\) is an automorphism of \(\mathbb {F}_{q}^n\) if and only if \(\varvec{u}\cdot \varvec{v}\ne -1\).

Appendix 3: Proof of Proposition 15

This follows immediately from the fact that we can express \(\varvec{z}_i\) in terms of the \(\varvec{g}_j\)’s, say

$$\begin{aligned} \varvec{z}_i = \sum _{1 \leqslant j \leqslant k} a_{ij} \varvec{g}_j. \end{aligned}$$

We observe now that there exist three relations between the \(\varvec{z}_i \star \varvec{g}_j\)’s:

$$\begin{aligned} \sum _{1 \leqslant j \leqslant k} a_{2j} \varvec{z}_1 \star \varvec{g}_j - \sum _{1 \leqslant j \leqslant k} a_{1j} \varvec{z}_2 \star \varvec{g}_j = \varvec{z}_1 \star \varvec{z}_2 - \varvec{z}_2 \star \varvec{z}_1&= 0 \end{aligned}$$

(33)

$$\begin{aligned} \sum _{1 \leqslant j \leqslant k} a_{3j} \varvec{z}_1 \star \varvec{g}_j - \sum _{1 \leqslant j \leqslant k} a_{1j} \varvec{z}_3 \star \varvec{g}_j = \varvec{z}_1 \star \varvec{z}_3 - \varvec{z}_3 \star \varvec{z}_1&= 0 \end{aligned}$$

(34)

$$\begin{aligned} \sum _{1 \leqslant j \leqslant k} a_{3j} \varvec{z}_2 \star \varvec{g}_j - \sum _{1 \leqslant j \leqslant k} a_{2j} \varvec{z}_3 \star \varvec{g}_j = \varvec{z}_2 \star \varvec{z}_3 - \varvec{z}_3 \star \varvec{z}_2&= 0 \end{aligned}$$

(35)

It remains to prove that the three obtained identities relating the \(\varvec{z}_i \star \varvec{g}_j\)’s are independent under some conditions on the \(\varvec{z}_i\)’s. Actually, these relations are independent if and only if the \(\varvec{z}_i\)’s generate a space of dimension larger than or equal to \(2\). Indeed, sort the \(\varvec{z}_1 \star \varvec{g}_j\)’s as \(\varvec{z}_1 \star \varvec{g}_1, \ldots , \varvec{z}_1 \star \varvec{g}_k, \varvec{z}_2 \star \varvec{g}_1, \ldots , \varvec{z}_2 \star \varvec{g}_k, \varvec{z}_3 \star \varvec{g}_1, \ldots , \varvec{z}_3 \star \varvec{g}_k\). Then the system defined by Eqs. 33 to 35 is defined by the \( 3 \times 3k\) matrix

$$\begin{aligned} A:=\left( \begin{array}{l@{\quad }l@{\quad }l@{\quad }l@{\quad }l@{\quad }l@{\quad }l@{\quad }l@{\quad }l} a_{21} &{} \cdots &{} a_{2k} &{} -a_{11} &{} \cdots &{} -a_{1k} &{} 0 &{} \cdots &{} 0 \\ a_{31} &{} \cdots &{} a_{3k} &{} 0 &{} \cdots &{} 0 &{} -a_{11} &{} \cdots &{} -a_{1k} \\ 0 &{} \cdots &{} 0 &{} -a_{31} &{} \cdots &{} -a_{3k} &{} a_{21} &{} \cdots &{} a_{2k} \end{array}\right) . \end{aligned}$$

Then, \(A\) has rank strictly less than \(3\) if there exists a vector \(\varvec{u} = (u_1, u_2, u_3)\) such that \(\varvec{u}A = 0\) which is equivalent to the system

$$\begin{aligned} \left\{ \begin{array}{l@{\quad }l@{\quad }l} u_1 \varvec{z}_2 + u_2 \varvec{z}_3 &{} = &{} 0\\ -u_1 \varvec{z}_1 - u_3 \varvec{z}_3 &{} = &{} 0\\ - u_2 \varvec{z}_1 + u_3 \varvec{z}_2 &{} = &{} 0 \end{array}\right. \end{aligned}$$

and such a system has a nonzero solution \(\varvec{u}=(u_1, u_2, u_3)\) if and only if the \(\varvec{z}_i\)’s are pairwise collinear i.e. generate a subspace of dimension lower than or equal to \(1\).