Code-Based Cryptography

1. Error-Correcting Codes and Cryptography2. McEliece Cryptosystem3. Message Attacks (ISD)4. Key Attacks

5. Other Cryptographic Constructions Relying on Coding Theory

I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

4. Key Attacks

1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes

7. Attack against Reed-Muller codes8. Attack against Algebraic Geometry codes9. Goppa codes still resist

I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY

GRS codes for the McEliece scheme

‚ Generalized Reed-Solomon codes

H. Niederreiter.Knapsack-type cryptosystems and algebraic coding theory.Problems of Control and Information Theory, 15(2):159 � 166, 1986.

Parameters Key size Security level[256, 128, 129]256 67 ko 295

7Attack against this proposal:

V. M. Sidelnikov and S. O. Shestakov.On the insecurity of cryptosystems based on generalized Reed-Solomon codes.Discrete Math. Appl., 2:439�444, 1992.

1

GRS codes for the McEliece scheme

‚ Generalized Reed-Solomon codes

H. Niederreiter.Knapsack-type cryptosystems and algebraic coding theory.Problems of Control and Information Theory, 15(2):159 � 166, 1986.

Parameters Key size Security level[256, 128, 129]256 67 ko 295

7Attack against this proposal:

V. M. Sidelnikov and S. O. Shestakov.On the insecurity of cryptosystems based on generalized Reed-Solomon codes.Discrete Math. Appl., 2:439�444, 1992.

1

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

Proof: [Sketch of the Proof]

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

Proof: [Sketch of the Proof]

Ck�1 ⇤ Ck = (Ck�1)2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

Proof: [Sketch of the Proof]

Ck�1 ⇤ Ck = (Ck�1)2

(b ⇤ f (a)) ⇤ (b ⇤ g(a)) = (b ⇤ b) (fg)(a)

with deg(f ) < k � 1 , deg(g) < k ) deg(fg) < 2k � 2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b.

If b is known, a can becomputed by solving a linear system.

2

Filtration Attack for GRS codes

Suppose that we know:

Ck = GRSk (a,b) and Ck�1 = GRSk�1(a,b)

Proposition: Assume that 2k � 1 n � 2

Ck�2 = GRSk�2(a,b) is the solution space of the following problem

c 2 Ck�1 and c ⇤ Ck ✓ (Ck�1)2

In this way we build the following filtration

GRSk (a,b) ◆ GRSk�1(a,b) ◆ GRSk�2(a,b) ◆ · · · ◆ GRS1(a,b)

Note that: GRS1(a,b) =�↵b | ↵ 2 F⇤

q

So we get the column multiplier b. If b is known, a can becomputed by solving a linear system.2

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.5. Repeat the process shortening in another position to

recover a completely.

3

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.5. Repeat the process shortening in another position to

recover a completely.

3

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

It’s easy to get a generator matrix of S1( Ck )

G =

Generator matrixfor Ck

0

BBB@

1 a12 . . . a1n0 a22 . . . a2n...

... . . . ...0 ak2 . . . akn

1

CCCA

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.5. Repeat the process shortening in another position to

recover a completely.

3

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

It’s easy to get a generator matrix of S1( Ck )

G =

Generator matrixfor Ck

0

BBB@

1 a12 . . . a1n0 a22 . . . a2n...

... . . . ...0 ak2 . . . akn

1

CCCAGenerator matrix

for S1( Ck )

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.5. Repeat the process shortening in another position to

recover a completely.

3

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.5. Repeat the process shortening in another position to

recover a completely.

3

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.

5. Repeat the process shortening in another position torecover a completely.

3

Filtration Attack for GRS codes

1. Suppose that Ck = GRSk (a,b) is known.

2. Shortening at the first position (i.e. S1( Ck )) we get C0k�1 = GRSk�1(a

0,b0)

where

a

0 = (a2, . . . , an) and b

0 = (b02, . . . , b

0n) with b0

j = bj(aj � a1)

3. We can build the filtration:

GRSk (a,b) ◆ GRSk�1(a0,b0) ◆ GRSk�2(a

0,b0) ◆ GRS1(a0,b0)

4. Se we get the column multiplier b

0 and the support a

0.5. Repeat the process shortening in another position to

recover a completely.

3

Filtration Attack for GRS codes

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 2

1. Determine the code

S1(Cpub) = GRSk�1(a0,b0)

2. Build the filtration:

GRSk (a,b)| {z }Cpub

◆ GRSk�1(a0,b0)| {z }

S1(Cpub)

◆ . . . ◆ GRS1(a0,b0)

3. Return b

0 and a

0

4

Filtration Attack for GRS codes

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the code

S1(Cpub) = GRSk�1(a0,b0)

2. Build the filtration:

GRSk (a,b)| {z }Cpub

◆ GRSk�1(a0,b0)| {z }

S1(Cpub)

◆ . . . ◆ GRS1(a0,b0)

3. Return b

0 and a

0

4

Filtration Attack for GRS codes

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the code

S1(Cpub) = GRSk�1(a0,b0)

2. Build the filtration:

GRSk (a,b)| {z }Cpub

◆ GRSk�1(a0,b0)| {z }

S1(Cpub)

◆ . . . ◆ GRS1(a0,b0)

3. Return b

0 and a

0

4

Filtration Attack for GRS codes

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the code

S1(Cpub) = GRSk�1(a0,b0)

2. Build the filtration:

GRSk (a,b)| {z }Cpub

◆ GRSk�1(a0,b0)| {z }

S1(Cpub)

◆ . . . ◆ GRS1(a0,b0)

3. Return b

0 and a

0

4

Another (Filtration) Attack - Retrieving an ECP

Proposition 1:

Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)

Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)

is a t-ECP for C over Fq

Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)

If we know C = GRSk(c,d) and B = GRSt(c,d?)

Then, A = GRSt+1(a, 1) =⇣B ⇤ C

⌘?

5

Another (Filtration) Attack - Retrieving an ECP

Proposition 1:

Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)

Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)

is a t-ECP for C over Fq

Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)

If we know C = GRSk(c,d) and B = GRSt(c,d?)

Then, A = GRSt+1(a, 1) =⇣B ⇤ C

⌘?

5

Another (Filtration) Attack - Retrieving an ECP

Proposition 1:

Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)

Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)

is a t-ECP for C over Fq

Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)

If we know C = GRSk(c,d) and B = GRSt(c,d?)

Then, A = GRSt+1(a, 1) =⇣B ⇤ C

⌘?

5

Another (Filtration) Attack - Retrieving an ECP

Proposition 1:

Let C = GRSk(c,d) =) C? = GRSn�k(c,d?)

Then, A = GRSt+1(c, 1) and B = GRSt(c,d?)

is a t-ECP for C over Fq

Proposition 2: To compute a t-ECP for C = GRSk(a,b) it suffise tocompute a code of type B = GRSt(c,d?)

If we know C = GRSk(c,d) and B = GRSt(c,d?)

Then, A = GRSt+1(a, 1) =⇣B ⇤ C

⌘?

5

Another (Filtration) Attack - Retrieving an ECP

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 2

1. Determine the codes

C?pub = GRS2t(a,b

?) and S1(C?pub) = GRS2t�1(a

0,⇠ b

?)

2. Build the filtration:

GRS2t(a,b?)| {z }

C?pub

◆ GRS2t�1(a0,⇠ b

?)| {z }S1(C?

pub)

◆ . . . ◆ GRSt(a0,⇠ b

?)| {z }B

3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult

problem.

6

Another (Filtration) Attack - Retrieving an ECP

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the codes

C?pub = GRS2t(a,b

?) and S1(C?pub) = GRS2t�1(a

0,⇠ b

?)

2. Build the filtration:

GRS2t(a,b?)| {z }

C?pub

◆ GRS2t�1(a0,⇠ b

?)| {z }S1(C?

pub)

◆ . . . ◆ GRSt(a0,⇠ b

?)| {z }B

3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult

problem.

6

Another (Filtration) Attack - Retrieving an ECP

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the codes

C?pub = GRS2t(a,b

?) and S1(C?pub) = GRS2t�1(a

0,⇠ b

?)

2. Build the filtration:

GRS2t(a,b?)| {z }

C?pub

◆ GRS2t�1(a0,⇠ b

?)| {z }S1(C?

pub)

◆ . . . ◆ GRSt(a0,⇠ b

?)| {z }B

3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult

problem.

6

Another (Filtration) Attack - Retrieving an ECP

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the codes

C?pub = GRS2t(a,b

?) and S1(C?pub) = GRS2t�1(a

0,⇠ b

?)

2. Build the filtration:

GRS2t(a,b?)| {z }

C?pub

◆ GRS2t�1(a0,⇠ b

?)| {z }S1(C?

pub)

◆ . . . ◆ GRSt(a0,⇠ b

?)| {z }B

3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?

4. Note that: Correcting an error in the first position is not a difficultproblem.

6

Another (Filtration) Attack - Retrieving an ECP

Public Key: Kpub =

(a generator matrix of Cpub = GRSk (a,b)

and t =j

d(C)�12

k

The Algorithm: Assume that 2k � 1 n � 21. Determine the codes

C?pub = GRS2t(a,b

?) and S1(C?pub) = GRS2t�1(a

0,⇠ b

?)

2. Build the filtration:

GRS2t(a,b?)| {z }

C?pub

◆ GRS2t�1(a0,⇠ b

?)| {z }S1(C?

pub)

◆ . . . ◆ GRSt(a0,⇠ b

?)| {z }B

3. Return (A,B) which is an ECP for S1(C) where: A = (B ⇤ S1(C))?4. Note that: Correcting an error in the first position is not a difficult

problem.

6

4. Key Attacks

1. Introduction2. Support Splitting Algorithm3. Distinguisher for GRS codes4. Attack against subcodes of GRS codes5. Error-Correcting Pairs6. Attack against GRS codes7. Attack against Reed-Muller codes

8. Attack against Algebraic Geometry codes9. Goppa codes still resist

I. Márquez-Corbella CODE-BASED CRYPTOGRAPHY