Abstract
Recently, F. Ivanov, E. Krouk and V. Zyablov proposed new cryptosystem based of Generalized Reed–Solomon (GRS) codes over field extensions. In their approach, the subfield images of GRS codes are masked by a special transform, so that the resulting public codes are not equivalent to subfield images of GRS code but burst errors still can be decoded. In this paper, we show that the complexity of message–recovery attack on this cryptosystem can be reduced due to using burst errors, and the secret key of Ivanov–Krouk–Zyablov cryptosystem can successfully recovered in polynomial time with a linear–algebra based attack and a square–based attack.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
- Code–based cryptography
- GRS codes
- Field extensions
- Subspace subcodes
- Projected codes
- Information–set decoding
- Key–recovery attack
1 Introduction
Due to the development of quantum computing and the vulnerability of traditional asymmetric cryptosystems to attacks using quantum computers, there is a need to create new secure cryptosystems. Code–based cryptography is considered as one of the most promising and mature candidates for post–quantum cryptography. The first code–based cryptosystem based on binary Goppa codes was proposed by R. J. McEliece in 1978 [19] and in its modern version ClassicMcEliece [7] submitted to NIST–PQC competition is still believed to be secure. However due to large public key sizes, the McEliece cryptosystem is limited in some practical applications. In order to get smaller key sizes, there were attempts to replace binary Goppa codes by other classes of efficient algebraic codes, such as Generalized Reed–Solomon (GRS) codes [22], Reed–Muller codes [26], AG–codes [16], concatenated codes [25], rank–metric Gabidulin codes [13]. However, most of this modifications were proven unsecure [8, 11, 21, 24, 25, 27]. With general McEliece framework being masking a fast–decodable code by using a hiding permutation, there were also attempts to employ more sophisticated hiding mechanisms (e.g. [3, 6, 26, 28, 29]). However most of this modifications were also successfully attacked [10, 12, 29]. Another approach to reduce public key size is using random group–structured codes, which was successfully implemented in BIKE [1, 2] and HQC [20] cryptosystems, however this introduces some decryption failure rate (DFR) making it harder to prove CCA security.
Recently, several protocols based on subfield images of algebraic codes over field extensions were proposed. Namely, in [5] T. Berger, C. Gueye, J. Klamti introduced the notion of generalized subspace (GS) subcodes, which are intermediate level between subfield subcodes and subfield images of codes over field extensions \(\mathbb {F}_{q^m}\), and proposed using such codes in cryptography. In addition, it was shown in [5] that a McEliece–like cryptosystem based on subfield images of GRS codes can be attacked by a modification of the Sidelnikov–Shestakov attack, and quasi–cyclic variant of this cryptosystem can be attacked by using approach of [23]. In [17], K. Khathuria, J. Rosenthal and V. Weger proposed using the punctured subfield images of GRS codes in the Niederreiter–like cryptosystem (XGRS cryptosystem). However, in [9], a cryptosystem based on generalized subspace subcodes of GRS codes (SSRS cryptosystem), which generalizes XGRS cryptosystem, was successfully attacked using a modification of Schur–Hadamard product in the case \(\lambda > m/2\), where \(\lambda \) is dimension of subspaces. More recently, F. Ivanov, E. Krouk and V. Zyablov proposed a new protocol [15] based on subfield images of GRS–codes, with the public code being neither subfield image of GRS–code naither its subcode. However, in this paper we show that Ivanov–Krouk–Zyablov (IKZ) cryptosystem is also insecure.
This paper is organized is follows. In Sect. 2 we give necessary preliminaries on m–block codes, subfield images of codes, generalized subspace subcodes and generalized projected codes. In Sect. 3, we consider a generalization of Ivanov–Krouk–Zyablov protocol and estimate the complexity of information–set decoding attack on it. In Sect. 4, we propose a key–recovery attack based on linear algebra. In Sect. 5, we propose a faster attack based on twisted squares attack of [9] which however requires larger degree field extensions.
2 Preliminaries
Let \(\mathbb {F}_q\) be a finite field of size q. Given a vector \(\textbf{c} \in \mathbb {F}_q^n\), by \({\text {supp}}(c) = \{ i = 1, \dots , n \mid c_i \ne 0 \}\) we denote the support of \(\textbf{c}\) and by \({\text {wt}}(\textbf{c}) = |{\text {supp}}(\textbf{c})|\) we denote the Hamming weight of \(\textbf{c}\). The Hamming distance between \(\textbf{x},\textbf{y} \in \mathbb {F}^n\) is denoted by \(d(\textbf{x},\textbf{y}) = {\text {wt}}(\textbf{x}-\textbf{y})\). A linear \([n,k,d]_q\)–code is a linear subspace \(C \subset \mathbb {F}_q^n\), such that \(\dim (C) = k\) and \(d = \min _{c \in C \setminus \{0\}} {\text {wt}}(c)\). \(G_C\) denotes a generator matrix of C and \(H_C\) denotes a parity–check matrix of C. Given a code C, its dual code is denoted by \(C^{\perp }\). By \(I_n\) we denote \(n \times n\)–identity matrix.
Shortened and punctured codes are well–known constructions for building new codes from existing ones. Let \(\overline{1, n} = \{ 1, \dots , n\}\) and let \(I \subset \overline{1,n}\). Given a \([n,k,d]_q\)–code C, the punctured code of C on positions I is defined as follows
i.e. \({\text {Pct}}_I(C)\) is obtained from C by deleting coordinates indexed by I. The shortened code of C on I is
Note that \({\text {Pct}}_I(C)\) and \({\text {Sh}}_I(C)\) are also linear codes and the following relations hold.
Proposition 1
([14], Theorem 1.5.7). Let C be a \([n,k,d]_q\)–code. Then
-
1.
\({\text {Pct}}_I(C)^{\perp } = {\text {Sh}}_I(C^{\perp })\) and \({\text {Sh}}_I(C)^{\perp } = {\text {Pct}}_I(C^{\perp })\);
-
2.
if \(|I| < d\), then \(\dim \left( {\text {Pct}}_I(C) \right) = k\) and \(\dim \left( {\text {Sh}}(C^{\perp }) \right) = n-k-|I|\); if \(|I|=d\) and I is the set of coordinates where a minimum weight codeword is nonzero, then
$$\begin{aligned} \dim ({\text {Pct}}_I(C)) = k-1, \quad \dim ({\text {Sh}}_I(C^{\perp })) = n-k-|I|+1. \end{aligned}$$
2.1 m–block Codes
In [4, 5] T. Berger et. al. proposed the notion of m–block codes for which the ambient alphabet is the set of m–tuples of elements of \(\mathbb {F}_q\). Namely, a m–block code of length n is an additive code over the alphabet \(\mathbb {E}_m = \mathbb {F}_q^m\) (i.e. a subgroup of \((\mathbb {E}_m^n, +)\)), which is stable by scalar multiplication by any \(\lambda \in \mathbb {F}_q\). The integer m is called the block size. Given \(\textbf{c} = (\mathbf {c_1}, \dots , \mathbf {c_n}) \in \mathbb {E}_m^n \simeq \mathbb {F}_q^{mn}\), by \({\text {supp}}_m(\textbf{c}) = \{ i \mid \mathbf {c_i} \ne 0 \}\) we denote block support of c, by \({\text {wt}}_m(\textbf{c}) = |{\text {supp}}_m(\textbf{c})|\) and \(d_m(\textbf{x},\textbf{y}) = {\text {wt}}_m(\textbf{x}-\textbf{y})\) we denote block Hamming weight and block Hamming distance respectively. Since \(\mathbb {E}_m^n\) and \(\mathbb {F}_q^{nm}\) can be identified, it follows that a m–block code is also a linear code over \(\mathbb {F}_q\) of length mn, equipped with block Hamming metric. A m–block code C of block length n, \(\mathbb {F}_q\)–dimension k and minimum block distance \(d_m = \min _{c \in C \setminus \{0 \}} {\text {wt}}_m(c) \}\) is said to be \([n,k,d_m]_q^m\)–block code.
Block codes are of particular interest due to having ability to correct error bursts. Indeed, let \(\mathcal {S}_{m,n,t} = \{ e \in \mathbb {E}_m^n \mid {\text {wt}}_m(e) \le t \}\) be a set of synchronous t error burst of length m, then clearly a \([n,k,d_m]_q^m\)–code can correct any error from \(\mathcal {S}_{m,n,\lfloor (d_m-1)/2 \rfloor } \).
Remark 1
Let \(\mathcal {E}_{mn,l} \subset \mathbb {F}_q^{nm}\) denote a set of l error bursts of length up to m (non–synchronous to m–block structure of a code). Note that if an m–block code can correct any error from \(\mathcal {S}_{m,n,t}\), then it can correct any error from \(\mathcal {E}_{mn,\lfloor t/2 \rfloor }\) since any non–synchronous error burst of length m covers at most two m–blocks.
Note that the notion of block codes can be easily generalized to multi-block codes. Namely, a multi–block code is an additive subgroup of \(\mathbb {E}_{m_1} \times \dots \times \mathbb {E}_{m_n}\), which is stable by scalar multiplication by any \(\lambda \in \mathbb {F}_q\).
Two multi–block codes \(C_1\) and \(C_2\) of length are said to be multiplier equivalent if there exist \(\varLambda _1, \dots , \varLambda _n \in {\text {GL}}_{m_i}(\mathbb {F}_q)\) such that
Proposition 2
Let \(C_2 = \left\{ \textbf{c}\cdot \varLambda \mid c \in C_1 \right\} \). Then \(C_2^{\perp } = \{ \textbf{h} \cdot \left( \varLambda ^{-1}\right) ^\textsf{T}\mid \textbf{h} \in C_1^{\perp } \}.\)
Proof
Let \(G_{C_1}\) be a generator matrix of \(C_1\) and \(H_{C_1}\) be a parity check matrix of \(C_1\). Since \(G_{C_1} \cdot \varLambda \) is a generator matrix of \(C_2\) and
it follows that \(H_{C_1} \cdot \left( \varLambda ^{-1}\right) ^\textsf{T}\) is a parity–check matrix of \(C_2\).
Let \(V_1, \dots , V_n\) be a tuple of \(\mathbb {F}_q\)–linear subspaces of \(\mathbb {E}_{m_1}, \dots , \mathbb {E}_{m_n}\) of \(\mathbb {F}_q\)–dimensions \(\mu _i \le m_i\), \(i=1,\dots ,n\). The generalized subspace subcode of a multi–block code C relative to \(V_1, \dots , V_n\) is defined as
One can easily notice that this codes allow short representation. Let \(T_1, \dots , T_n \in \mathbb {F}_{q}^{\mu _i \times m_i}\) be generator matrices of \(V_1, \dots , V_n\) viewed as \([m_i, \mu _i]_q\)–linear codes. Define the maps
Then the short representation of \(C_{\mid V_1, \dots , V_n}\) relative to \(T_1, \dots , T_n\) is
Remark 2
We clearly have
Let \(P_1, \dots , P_n \in \mathbb {F}_q^{m_i \times \mu _i}\) be full-rank matrices, which define projection maps \(x \mapsto xP_i\). Given a multi–block code C, the generalized projected code relative to \(P_1, \dots , P_n\) is defined as follows
Proposition 3
Let C be a multi–block code, \(1 \le \mu _i \le m_i\), and let \(T_1, \dots , T_n \in \mathbb {F}_{q}^{\mu _i \times m_i}\) be full-rank matrices. Then
Proof
Let \(\widetilde{T_i} \in \mathbb {F}_{q}^{m_i \times m_i}\) be a non–singular matrix derived from \(T_i\) by adding \(m_i - \mu _i\) linearly independent rows. Let
Since \({\text {GSS}}(C; T_1, \dots , T_n)\) is shortened subcode of \(\widetilde{C}\) on last \(m_i - \mu _i\) positions of each \(m_i\)–block, using Proposition 1 we obtain that \({\text {GSS}}(C; T_1, \dots , T_n)^{\perp }\) is punctured code of
(see Proposition 2) on the same positions, which is \({\text {GPC}}(C^{\perp }; T_1^{\textsf{T}}, \dots , T_n^{\textsf{T}})\).
For more details on m–block codes, generalized subspace and generalized projected codes we refer to [4, 5, 9].
2.2 Subfield Images of Codes
A possible way to construct m–block codes with known parameters is to consider subfield images of codes over some extension field \(\mathbb {F}_{q^m}\). Let \(\mathcal {B}= \{ b_1, \dots , b_m \}\) be a \(\mathbb {F}_q\)–basis of \(\mathbb {F}_{q^m}\), by \(\phi _{\mathcal {B}}\) we denote \(\mathbb {F}_q\)–linear isomorphism between \(\mathbb {F}_{q^m}\) and \(\mathbb {E}_m= \mathbb {F}_q^m\), i.e.
Let
be an extension of \(\phi _{\mathcal {B}}\) to \(\mathbb {F}_{q^m}^n\). The subfield image of a \([n, k, d]_{q^m}\) code \(C \subset \mathbb {F}_{q^m}^n\) relative to the basis \(\mathcal {B}\) is defined as \(\varPhi _{\mathcal {B}}(C) = \{ \varPhi _{\mathcal {B}}(c) \mid c \in C \}\). Clearly, \(\varPhi _{\mathcal {B}}(C)\) is \([n, k, d]_{q}^m\) block code and if \({\text {Dec}}_C: \mathbb {F}_{q^m}^n \rightarrow C\) is a decoder of C, then \(\varPhi _{\mathcal {B}} \circ {\text {Dec}}_C \circ \varPhi _{\mathcal {B}}^{-1}\) is a decoder of \(\varPhi _{\mathcal {B}}(C)\).
Remark 3
Let \(\mathbb {F}_{q^m} = \mathbb {F}_{q}[\gamma ]\), where \(\gamma \) is a root of a primitive polynomial. Note that the usual choice of a basis of \(\mathbb {F}_{q^m}\) is \(\varGamma = \{ \gamma ^0, \dots , \gamma ^{m-1} \}\).
Proposition 4
(Proposition 3 of [5]). Suppose \(\mathcal {B}'\) is another basis of \(\mathbb {F}_{q^m}\) and M is basis change matrix, i.e. \(\phi _{\mathcal {B}'}(x) = \phi _{\mathcal {B}}(x)M\) for any \(x \in \mathbb {F}_{q^m}\), then \(\varPhi _{\mathcal {B}}(C)\) and \(\varPhi _{\mathcal {B}'}(C)\) are multiplier equivalent with \(\varLambda _1 = \dots = \varLambda _n = M\), i.e.
Remark 4
Note that \(\varPhi _{\mathcal {B}}(C) = \varPhi _{\lambda \mathcal {B}}(C)\) for any nonzero \(\lambda \in \mathbb {F}_{q^m}\).
Given \(\xi \in \mathbb {F}_{q^m}\), by \(\textbf{M}_{\mathcal {B}}(\xi )\) we denote the matrix of transformation \(x \mapsto \xi x\) written in basis \(\mathcal {B}\), i.e.
Note that for any \(\lambda , \xi \in \mathbb {F}_{q^m}\), \(\xi \ne 0\), the following equality holds
Proposition 5
(Proposition 4 of [5]). If \(G_{C} = (g_{i,j}) \in \mathbb {F}_{q^m}^{k \times n}\) is a generator matrix of C, then
is a generator matrix of \(\varPhi _{\mathcal {B}}(C)\).
Given a basis \(\mathcal {B}\) of \(\mathbb {F}_{q^m}\), the dual basis \(\mathcal {B}^{*}\) is the unique basis of \(\mathbb {F}_{q^m}\), such that \(\textbf{M}_{\mathcal {B}^*}(\xi ) = \left( \textbf{M}_{\mathcal {B}}(\xi )\right) ^{\textsf{T}} \) for any \(\xi \in \mathbb {F}_{q^m}\).
Proposition 6
(Proposition 5 of [5]). Let \(C \subset \mathbb {F}_{q^m}\) be a \([n,k]_{q^m}\)–code with a parity–check matrix \(H_C\), then
and the parity–check matrix of \(\varPhi _{\mathcal {B}}(C)\) is
Corollary 1
Let \(C \subset \mathbb {F}_{q^m}\) be a \([n,k]_{q^m}\)–code. Then Proposition 3 and Proposition 6 imply
2.3 Generalized Reed–Solomon Codes
Let \(\textbf{x}= (x_1, \dots , x_n) \in \mathbb {F}_q^n\) be a vector of distinct non–zero values and let \(\textbf{y} = (y_1, \dots , y_n) \in \mathbb {F}_q^n\) be a vector, such that \(y_i \ne 0\) for all i. The generalized Reed–Solomon code with support \(\textbf{x}\) and multiplier \(\textbf{y}\) of length n and dimension k is
When \(\textbf{y} = (1,1, \dots , 1)\), the code is said to be a Reed–Solomon code and denoted as \({\text {RS}}_k(\textbf{x})\). As is well–known, \({\text {GRS}}_{k}(\textbf{x}, \textbf{y})\) is a \([n,k,n-k+1]_q\)–code, the generator matrix of \({\text {GRS}}_{k}(\textbf{x}, \textbf{y})\) is
the generator matrix of \({\text {RS}}_k(\textbf{x})\) is \(G_k(\textbf{x}) = G_k(\textbf{x}, \textbf{1})\), the dual of \({\text {GRS}}_{k}(\textbf{x},\textbf{y})\) is \({\text {GRS}}_{n-k}(\textbf{x},\textbf{z})\), where
Note that for a given GRS code multiplier and support are not unique. We refer [18, Chapter 12] and [14, §5.3] for more details on GRS codes.
Remark 5
Any subfield image of \({\text {GRS}}_k(\textbf{x}, \textbf{y})\) is multiplier equivalent to a subfield image of \({\text {RS}}_k(\textbf{x})\). Indeed,
3 Ivanov–Krouk–Zyablov Cryptosystem
In [15] F. Ivanov, E. Krouk and V. Zyablov proposed a new cryptosystem based on subfield images of generalized Reed–Solomon codes, with its key feature being that public code is not equivalent to a subfield image. In this section, we give a generalized version of it, consider some of its properties, and estimate the complexity of a key–recovery attack.
3.1 Protocol Description
-
Key generation. Let \(C = {\text {RS}}_k(\textbf{x})\) be a random \([n,k]_{q^m}\) RS–code of even length with support \(\textbf{x}= (x_1, \dots , x_n)\). Choose a random non–singular matrix \(S \in {\text {GL}}_{km}(\mathbb {F}_q)\), and random non–singular matrices \(Y_j \in {\text {GL}}_m(\mathbb {F}_q)\), \(M_j \in {\text {GL}}_{m_j}(\mathbb {F}_q)\), \(j=1,\dots ,n\), where
$$ m_{j} = {\left\{ \begin{array}{ll} m - 1, &{} j\text { is odd} \\ m + 1, &{} j\text { is even} \end{array}\right. }. $$The public key is \(G_{pub} = S \cdot {\text {Exp}}_{\varGamma }(G_k(\textbf{x})) \cdot \overline{Y} \cdot \overline{M}\), where
$$ \overline{Y} = {\text {diag}}(Y_1, \dots , Y_n), \quad \overline{M} = {\text {diag}}(M_1, \dots , M_n) $$and secret key is \((\textbf{x}, S, Q = \overline{Y} \cdot \overline{M})\).
-
Encryption. Let \(t = {(n-k)}/{2}\) be a number of errors that can be corrected by C. Let \(m \in \mathbb {F}_{q}^{km}\) be a plain text, then the ciphertext is
$$\begin{aligned} z = m G_{pub} + e, \quad e \in \mathcal {E}_{mn, t/3}. \end{aligned}$$ -
Decryption. Let \({\text {Dec}}_C: \mathbb {F}_{q^m} \rightarrow C\) be a decoder of C. Then \(mG_{pub}\) can be found as follows
$$ mG_{pub} = \varPhi _{\mathcal {B}} \circ {\text {Dec}}_C \circ \varPhi _{\mathcal {B}}^{-1} \left( z \cdot Q^{-1} \right) . $$
Remark 6
Note that \(eQ^{-1} \in \mathcal {S}_{m,n,t}\). Indeed, let j be a starting position of an error burst of length m. Two cases are possible:
-
1)
\((2s - 1)m + 1 \le j \le 2sm\) for some s. It follows that after multiplying by \(Q^{-1}\) only two m–blocks get corrupted.
-
2)
\(2sm + 1 \le j \le (2s + 1)m\) for some s. It follows that after multiplying by \(Q^{-1}\) three m–blocks can get corrupted. Namely, 2s, \(2s+1\), \(2s+2\)–th blocks.
Note that in [15] case 2) hasn’t been considered and due to this it was erroneously proposed to sample e from \(\mathcal {E}_{mn,t/2}\).
Remark 7
The use of GRS–codes in this protocol is equivalent to the use of RS–codes due to the presence of \(\overline{Y}\) (see Remark 5).
Remark 8
Without loss of generality, one can assume that \(Y_{2i} = I_{m}\) and \(M_{2i-1} = I_{m-1}\). Indeed,
Proposition 7
Let \(G_{pub} = S \cdot {\text {Exp}}_{\varGamma }(G_k(\textbf{x}, \textbf{y})) \cdot Q\) be a public key of IKZ–cryptosystem based on \({\text {GRS}}_{k}(\textbf{x}, \textbf{y})\)–code. Then any parity–check matrix of \(C_{pub}^{\perp }\) is of the form
In addition, since
it follows that H is a public key of IKZ cryptosystem based on \({\text {GRS}}_{n-k}(\textbf{x}, \textbf{z})\)–code.
Proof
Using Proposition 6 and (3), we obtain
3.2 Message–Recovery Attack
Since the error \(\textbf{e}\) is structured, it is possible to exploit it for reducing complexity of information–set decoding attack. Indeed, we can consider \(C_{pub} = {\text {Span}}_{\mathbb {F}_q}(G_{pub})\) as a m–block code, then any error from \(\mathcal {E}_{mn,t/3}\) covers at most 2t/3 m–blocks (see Fig. 1). It follows that remaining \(n-2t/3\) blocks are error–free and the probability of finding error–free information set of k blocks is
which does not depend on m. Therefore, the workfactor of Ivanov–Krouk–Zyablov cryptosystem is significantly lower than estimates of [15]. We also note that due to using structured errors a significant reduction in complexity of ISD–attacks also extends to several more IKZ–like cryptosystems recently proposed in [30].
So, due to simple message–recovery attack, Ivanov–Krouk–Zyablov cryptosystem [15] can only be considered as a way to avoid key–recovery attacks since it produces a public code which is not multiplier equivalent to a subfield image of a GRS–code. However, below we show that such application of Ivanov–Krouk–Zyablov protocol is also insecure.
4 Direct Key–Recovery Attack
In this section, we propose a key–recovery attack which is based on the uniqueness of systematic generator matrix of \(C_{pub}\) and distinguishability of matrices \(\textbf{M}_{\varGamma }(a)\), \(a \in \mathbb {F}_{q^m}\), from random ones.
4.1 Case of Even k
Define \(Q_{i} \in \mathbb {F}_{q}^{2m \times 2m}\) as
so \(Q = {\text {diag}}(Q_1, \dots , Q_{n/2})\). Let \(G^{sys}_C = \left[ I_k \mid L \right] = (l_{i,j}) \in \mathbb {F}_{q^m}^{k \times n}\) be the systematic generator matrix of C. One can easily notice that
where
is a generator matrix of \(C_{pub}\). It follows that the unique systematic generator matrix \(G_{pub}^{sys}\) of \(C_{pub}\) is of the form
Let us denote \(Q_i^{-1} K_{i,j} Q_{j}\) by \(K_{i,j}'\). For \(1 \le i,r \le k/2\) and \(k/2 + 1 \le j,s \le n/2\) define
if corresponding inverse matrices exist (which is true in most cases). Since matrices \(K_{i,j}\) have very special structure, namely, \(K_{i,j}\) belong to the \(\mathbb {F}_{q}\)–algebra
we can exploit it to recover the matrix Q up to certain equivalences.
Proposition 8
Let a \(\mathbb {F}_{q^m}\)–code \(C'\) be semi–linear equivalent over \(\mathbb {F}_q\) to C, i.e.
(see [14]), where \(\alpha _i \in \mathbb {F}_{q^m} \setminus \{ 0 \}\), and \(\theta \in \textsf{Gal}(\mathbb {F}_{q^m}/\mathbb {F}_q)\) is an automorphism of \(\mathbb {F}_{q^m}\) that fixes \(\mathbb {F}_q\) pointwise. Let \(A_{\theta }\) be a matrix representation of \(\theta \) written in the basis \(\varGamma = \{ \gamma ^0, \dots , \gamma ^{m-1} \}\) of \(\mathbb {F}_{q^m} = \mathbb {F}_q[\gamma ]\), i.e.
Then the matrix \({\text {Exp}}_{\varGamma }(G_{C'}) \cdot {\text {diag}}(Q'_1, \dots , Q'_{n/2})\), where
also spans \(C_{pub}\).
Conjecture 1
Let \(X, Y \in \textsf{QMat}\), where
Let \(\varXi \) be a sufficiently large subset of \(\varDelta \) and \(\zeta \in \varDelta \) be non–zero. Then
-
1.
if \(\left\{ Y X^{-1} \cdot \xi \cdot X Y^{-1} \mid \xi \in \varXi \right\} \subset \varDelta \), then there exist \(a,b \in \mathbb {F}_{q^m}^*\) and \(\theta \in \textsf{Gal}(\mathbb {F}_{q^m}/\mathbb {F}_{q})\), such that
$$ Y = {\text {diag}}(A_{\theta }^{-1} \cdot \textbf{M}_{\varGamma }(a), A_{\theta }^{-1} \cdot \textbf{M}_{\varGamma }(b)) \cdot X, $$ -
2.
if \(\zeta \cdot XY^{-1} \in \varDelta \) or \(YX^{-1} \cdot \zeta \in \varDelta \) and \(\left\{ Y X^{-1} \cdot \xi \cdot X Y^{-1} \mid \xi \in \varXi \right\} \subset \varDelta \), then there exist \(a,b \in \mathbb {F}_{q^m}^*\), such that
$$ Y = {\text {diag}}(\textbf{M}_{\varGamma }(a), \textbf{M}_{\varGamma }(b)) \cdot X $$
with high probability.
Remark 9
Note that the set \(\varXi \) has to contain at least one matrix which is not of the form
Otherwise, the conjecture does not hold, i.e. \( Y = {\text {diag}}(A_{\theta _1} \cdot \textbf{M}_{\varGamma }(a), A_{\theta _2} \cdot \textbf{M}_{\varGamma }(b)) \cdot X \) for some \(a,b \in \mathbb {F}_{q^m}^*\), \(\theta _1, \theta _2 \in \textsf{Gal}(\mathbb {F}_{q^m}/\mathbb {F}_{q})\). Indeed,
Our experiments performed in computer algebra system Sage evince that Conjecture 1 is most likely correct as soon as \(|\varXi | \ge 3\). So, the resulting key–recovery algorithm can be summarized as follows.Footnote 1
- Step 1.:
-
Compute the systematic generator matrix (4) of \(C_{pub}\). Using a brute-force search, find a matrix \(Q_{1}' \in \textsf{QMat}\) such that
$$ {\left\{ \begin{array}{ll} Q_{1}' \cdot V_{1,j,r,s} \cdot {Q_{1}'}^{-1} \in \varDelta \end{array}\right. } $$(see (5)) for some set of indices \(1 \le r \le k/2\) and \(k/2 + 1 \le j,s \le n/2\) of size \(\ge 5\). Conjecture 1 implies that \(Q_1'\) is of the form (7). Since Proposition 8 allows replacing C with any semi–linear equivalent code, it follows that without loss of generality, we may assume that \(\theta \in \textsf{Gal}(\mathbb {F}_{q^m} / \mathbb {F}_q)\) is the identity automorphism.
- Step 2.:
-
For \(j=k/2+1, \dots , n/2\), find matrices \(Q_j' \in \textsf{QMat}\), such that
$$ {\left\{ \begin{array}{ll} \left( {Q_1'} \cdot K'_{1,j} \right) \cdot {Q'_{j}}^{-1} \in \varDelta , \\ Q_j' \cdot W_{i,j,r,s} \cdot {Q_j'}^{-1} \in \varDelta , \end{array}\right. } $$(see (4), (6)) for some set of indices \(1 \le i,r \le k/2\) and \(k/2 + 1 \le s \le n/2\) of size \(\ge 5\).
- Step 3.:
-
Finally, for \(i=2,\dots ,k\) find \(Q_i' \in \textsf{QMat}\) satisfying
$$ {\left\{ \begin{array}{ll} Q'_i \cdot \left( K_i \cdot {Q_j'}^{-1} \right) \in \varDelta \quad \text {for all }j=k/2+1,\dots ,n/2. \end{array}\right. } $$ - Step 4.:
-
Let \(Q' = {\text {diag}}(Q'_1, \dots , Q'_{n/2})\), using Conjecture 1 we obtain
$$\begin{aligned} Q' = {\text {diag}}(A_\theta ^{-1} \textbf{M}_{\varGamma }(\alpha _1), \dots A_\theta ^{-1} \textbf{M}_{\varGamma }(\alpha _n)) \cdot Q \end{aligned}$$for some \(\theta \in \textsf{Gal}(\mathbb {F}_{q^m}/\mathbb {F}_{q})\) and \((\alpha _1, \dots , \alpha _n) \in \mathbb {F}_{q^m}^*\). Hence
$$\begin{aligned} C' = \varPhi _{\varGamma }^{-1}\left( {\text {Span}}_{\mathbb {F}_{q^m}}(G_{pub} \cdot Q'^{-1}) \right) \end{aligned}$$is semi–linear equivalent to C and is therefore a GRS code. Indeed,
$$\begin{aligned} C'&= \left\{ \left( \theta (\alpha _1 c_1), \dots , \theta (\alpha _n c_n) \right) \mid (c_1,\dots ,c_n) \in {\text {RS}}_k(\textbf{x}) \right\} = \\ {}&= \left\{ \left( \theta (\alpha _1) f(\theta (x_1)), \dots , \theta (\alpha _1) f(\theta (x_n)) \right) \mid f \in \mathbb {F}_{q^m}[x], \deg (f) \le k-1 \right\} . \end{aligned}$$So, after applying the Sidelnikov–Shestakov attack [27] to \(C'\), it is possible to decode \(C_{pub}\).
4.2 Case of Odd k
Suppose first that \(Q_{(k+1)/2}\) is known. Let \(G^{sys}_C = (l_{i,j}) \in \mathbb {F}_{q^m}^{k \times n}\) be the systematic generator matrix of C. It follows that the systematic form of \(G_{pub} \cdot {\text {diag}}(I_{(k-1)m}, Q_{(k+1)/2}^{-1}, I_{(n-k-1)m})\) is
where
Hence the above–described attack can be modified as follows.
- Step 1.:
-
In this step, we try to guess \(Q_{(k+1)/2}\) (up to equivalences described in Proposition 8). To do this, for each \(Q'_{(k+1)/2} \in \textsf{QMat}\) we compute the systematic form (8) of
$$\begin{aligned} G_{pub} \cdot {\text {diag}}(I_{(k-1)m}, {Q'_{(k+1)/2}}^{-1}, I_{(n-k-1)m}) \end{aligned}$$and then check
$$ {\left\{ \begin{array}{ll} C \in \left\{ \textbf{M}_{\varGamma }(a) \mid a \in \mathbb {F}_{q^m} \right\} , \\ D_j {K'_{i,j}}^{-1} J_i, \in \left\{ \textbf{M}_{\varGamma }(a) \mid a \in \mathbb {F}_{q^m} \right\} \\ \quad \text {for all }1 \le i \le (k-1)/2, (k+1)/2 + 1 \le j \le n/2 \end{array}\right. } $$until proper \(Q'_{(k+1)/2}\) is found.
- Step 2.:
-
For \(j=(k+1)/2+1, \dots , n/2\), find matrices \(Q_j' \in \textsf{QMat}\), such that
$$ {\left\{ \begin{array}{ll} Q_j' \cdot W_{i,j,r,s} \cdot {Q_j'}^{-1} \in \varDelta , \\ D_j \cdot {Q'_j}^{-1} \in \left\{ \left( \textbf{M}_{\varGamma }(a), \textbf{M}_{\varGamma }(b)\right) \mid a,b \in \mathbb {F}_{q^m} \right\} \end{array}\right. } $$(see (4), (6)) for some set of indices \(1 \le i,r \le (k-1)/2\) and \((k+1)/2 + 1 \le s \le n/2\) of size \(\ge 5\).
- Step 3.:
-
For \(i=1,\dots ,(k-1)/2\) find \(Q_i' \in \textsf{QMat}\) satisfying
$$ {\left\{ \begin{array}{ll} Q'_i \cdot \left( K_i \cdot {Q_j'}^{-1} \right) \in \varDelta \quad \text {for all }j=(k+1)/2+1,\dots ,n/2. \end{array}\right. } $$Compute \(Q' = {\text {diag}}(Q'_1, \dots , Q_{n/2})\) and run Step 4 of Sect. 4.1.
Since the size of \(\textsf{QMat}\) is \(O(q^{m^2 + (m+1)^2})\), it follows that the complexity of the attack is \(O(n q^{m^2 + (m+1)^2} m^3)\) assuming brute–force search is used in each step. Note that for large m this attack is too complex. However, for \(m \ge 3\) it is possible to implement another attack based on twisted squares.
5 Twisted Squares–Based Attack
Let \(\textbf{U}_i\) be an i–th \(m_i\)–block column of \(G_{pub}\), i.e.
Attack we propose is consist of the following steps.
5.1 Recovering the Support \(\textbf{x}\)
By \(\mathbf {x_{odd}}\) we denote \((x_1, x_3, \dots , x_{n-1})\). Let \(\varPi \in \mathbb {F}_q^{m \times (m-1)}\) be the projection matrix of the following form
Consider
We have
where \(N_i = Y_i \varPi M_i \in \mathbb {F}_{q}^{m \times m-1}\). It follows that \(G_{odd}\) is a generator matrix of
So, Proposition 3 and Corollary 1 imply that \(G_{odd}\) is a parity–check matrix of the code
Remark 10
Recall that, \({\text {RS}}_{k}(\mathbf {x_{odd}})^{\perp } = {\text {GRS}}_{n-k}(\mathbf {x_{odd}}, \mathbf {z_{odd}})\), where
Hence D is short representation of generalized subspace subcode of a GRS code.
It follows that it is possible to recover one of the supports \(\mathbf {x_{odd}}'\) of \({\text {RS}}_{k}(\mathbf {x_{odd}})^{\perp }\) from D by applying CL–attack [9, Alg. 1 and Alg. 2] to D. Indeed, given GSS–subcode of \({\text {GRS}}_{k}(\textbf{a}, \textbf{b})\), such that the dimension of all subspaces is \(\lambda > m/2\), CL–attack reconstructs a support of corresponding \({\text {GRS}}\)–code by applying the algorithm of [5, §VI.B] to its twisted square.
Remark 11
Note that in order to apply CL–attack, \(G_{odd}\) has to be singular, which is true if
In addition, it is also possible to find \(\mathbf {x_{odd}}\) in the case when
by attacking the dual of the public code (see Proposition 7).
Remark 12
Since the support of a GRS code is completely defined by fixing arbitrary three points, it follows that without loss of generality we may assume that \(\mathbf {x_{odd}}' = \mathbf {x_{odd}}\).
It remains now to recover \(x_2, x_4, \dots , x_n\). For the sake of convenience, we describe the recovering procedure only for \(x_2\). Consider the matrix
One can easily notice that
where \(N_i\) are the same as in (9) and
Using Proposition 3 and Corollary 1, we see that \(G_{odd + 2}\) is a generator matrix of
and a parity–check matrix of
Let \(G_{D_2}\) be a generator matrix of \(D_2\). We have
(see Sect. 2.1), it follows that
With \(\mathbf {x_{odd}}=(x_1, x_3, \dots , x_{n-1})\) being known, it is possible to find \(x_2\) by iterating \(w \in \mathbb {F}_{q^m}^* \setminus \{ x_1, x_3, x_5, \dots , x_{n-1} \}\) and checking whether the linear system
where \(X_3, \dots , X_{n-1} \in \mathbb {F}_q^{m \times m-1}\) and
has a non–zero solution. Note that in most practical cases the number of unknowns \((n/2-1)(m-1)m + 3m^2 + m = O(nm^2/2)\) is much less than the number of equations \((n/2 + 1 - k)k m^2\) and the solution, if it exists, is most likely unique up to multiplication by
In our experiments, the above described method allowed successfully recovering correct \(x_2\) in all cases.Footnote 2
Remark 13
It is also possible to reconstruct \(\textbf{x}\) when neither \(km < (m-1)n/2\) and \((n-k)m < (m-1)n/2\) hold. Choose the smallest \(s \in \overline{1,n/2}\) such that
where \(n' = n-2s\). Consider
One can easily notice that
i.e. \(G'_{pub}\) and \(G''_{pub}\) are public keys of IKZ–cryptosystem. Therefore, it is possible to recover \(x_1, \dots , x_{n-2s}\) by attacking \(G'_{pub}\) as above first and then to recover \(x_{n-2s+1}, \dots x_n\) by attacking \(G''_{pub}\).
5.2 Recovering the Matrix Q
Since \(G_{pub} = S \cdot {\text {Exp}}_{\varGamma }(G_k(\textbf{x})) \cdot {\text {diag}}(Q_1, \dots , Q_{n/2})\), is follows that \(G_{pub}\) is a generator matrix of
so, due to Proposition 3 \(G_{pub}\) a parity–check matrix of
Let \(G_{\hat{D}}\) be a generator matrix of \(\hat{D}\). Since
it follows that
With \(\textbf{x}\) being known after previous step, \(Q_1, \dots , Q_{n/2}\) can be found by solving the linear system
where \(X_i\) are of the form
Since again the number of equations is larger than the number of unknowns the solution is most likely be unique up to multiplication by \({\text {diag}}_{n}(\textbf{M}_{\varGamma }(\beta ))\) for some \(\beta \in \mathbb {F}_{q^m}\), which was experimentally validated. The complexity of CL-attack is \(O(n q^m)\) operations in \(\mathbb {F}_q\), the complexity of support recovering is \(O(q^m (mn)^3)\) and the complexity of recovering Q is \(O((mn)^3)\). Hence the overall complexity of the attack is \(O((mn)^3 q^m)\).
6 Conclusion
In this paper, it was shown that Ivanov–Krouk–Zyablov cryptosystem is insecure and its secret key can be recovered in polynomial time due to proposed key–recovery attacks. Since the first one is based only on linear algebra, it can easily be generalized to recover the matrix Q even for other classes of codes. So, the masking transform used by Ivanov, Krouk and Zyablov is intrinsically flawed. It also seems that using hiding transforms that allow decoding error bursts cannot improve key sizes compared to classic approaches due to simple message–recovery attacks based on information–set decoding.
Notes
- 1.
The code for our implementation is available on https://github.com/kirill-vedenev/ikz-cryptanalysis.
- 2.
The code for our implementation of this and the next step is available on https://github.com/kirill-vedenev/ikz-cryptanalysis.
References
Aragon, N., et al.: BIKE - Bit-Flipping Key Encapsulation. https://bikesuite.org
Aragon, N., Blazy, O., Deneuville, J.C., Gaborit, P., Zémor, G.: Ouroboros: an efficient and provably secure KEM family. IEEE Trans. Inf. Theory 68, 6233–6244 (2022)
Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced Public Key Security for the McEliece Cryptosystem. J. Cryptol. 29(1), 1–27 (2014). https://doi.org/10.1007/s00145-014-9187-8
Berger, T.P., El Amrani, N.: Codes over \(\cal{L}(GF(2)^m,GF(2)^m)\), MDS diffusion matrices and cryptographic applications. In: El Hajji, S., Nitaj, A., Carlet, C., Souidi, E.M. (eds.) C2SI 2015. LNCS, vol. 9084, pp. 197–214. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-18681-8_16
Berger, T.P., Gueye, C.T., Klamti, J.B.: Generalized subspace subcodes with application in cryptology. IEEE Trans. Inf. Theory 65, 4641–4657 (2019). https://doi.org/10.1109/TIT.2019.2909872
Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Des. Codes Crypt. 35(1), 63–79 (2005). https://doi.org/10.1007/s10623-003-6151-2
Bernstein, D.J., et al.: Classic McEliece: conservative code-based cryptography. NIST Submissions (2020)
Borodin, M.A., Chizhov, I.V.: Effective attack on the McEliece cryptosystem based on Reed-Muller codes. Discret. Math. Appl. 24(5), 273–280 (2014)
Couvreur, A., Lequesne, M.: On the security of subspace subcodes of Reed-Solomon codes for public key encryption. IEEE Trans. Inf. Theory 68, 632–648 (2022). https://doi.org/10.1109/TIT.2021.3120440
Couvreur, A., Lequesne, M., Tillich, J.-P.: Recovering short secret keys of RLCE in polynomial time. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 133–152. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_8
Couvreur, A., Márquez-Corbella, I., Pellikaan, R.: Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes. In: Pinto, R., Malonek, P.R., Vettori, P. (eds.) Coding Theory and Applications. CSMS, vol. 3, pp. 133–140. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-17296-5_13
Couvreur, A., Otmani, A., Tillich, J.-P., Gauthier–Umaña, V.: A Polynomial-Time Attack on the BBCRS Scheme. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_8
Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Ideals over a non-commutative ring and their application in cryptology. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 482–489. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_41
Huffman, W.C., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2010)
Ivanov, F., Krouk, E., Zyablov, V.: New code-based cryptosystem based on binary image of generalized Reed-Solomon code. In: 2021 XVII International Symposium “Problems of Redundancy in Information and Control Systems” (REDUNDANCY), pp. 66–69. IEEE (2021). https://doi.org/10.1109/REDUNDANCY52534.2021.9606467
Janwa, H., Moreno, O.: McEliece public key cryptosystems using algebraic-geometric codes. Des. Codes Crypt. 8(3), 293–307 (1996). https://doi.org/10.1023/A:1027351723034
Khathuria, K., Rosenthal, J., Weger, V.: Encryption scheme based on expanded Reed-Solomon codes. Adv. Math. Commun. 15, 207–218 (2021). https://doi.org/10.3934/amc.2020053
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes, vol. 16. Elsevier, Amsterdam (1977)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 4244, 114–116 (1978)
Melchor, C.A., et al.: Hamming Quasi-Cyclic (HQC). https://pqc-hqc.org
Minder, L., Shokrollahi, A.: Cryptanalysis of the sidelnikov cryptosystem. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 347–360. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_20
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Contr. Inf. Theory 15, 159–166 (1986)
Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. Math. Comput. Sci. 3(2), 129–140 (2010). https://doi.org/10.1007/s11786-009-0015-8
Overbeck, R.: Structural attacks for public key cryptosystems based on gabidulin codes. J. Cryptol. 21(2), 280–301 (2008). https://doi.org/10.1007/s00145-007-9003-9
Sendrier, N.: On the structure of randomly permuted concatenated code. Ph.D. thesis, INRIA (1995)
Sidelnikov, V.M.: A public-key cryptosystem based on binary Reed-Muller codes. Discret. Math. Appl. 4(3), 191–208 (1994)
Sidelnikov, V.M., Shestakov, S.O.: On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Math. Appl. 2, 439–444 (1992)
Wang, Y.: Quantum resistant random linear code based public key encryption scheme RLCE. In: 2016 IEEE International Symposium on Information Theory (ISIT), pp. 2519–2523. IEEE (2016)
Wieschebrink, C.: Cryptanalysis of the niederreiter public key scheme based on GRS subcodes. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 61–72. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_5
Zyablov, V.V., Ivanov, F.I., Krouk, E.A., Sidorenko, V.R.: On new problems in asymmetric cryptography based on error-resistant coding. Probl. Inf. Transm. 58, 184–201 (2022). https://doi.org/10.1134/S0032946022020077
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Vedenev, K., Kosolapov, Y. (2023). Cryptanalysis of Ivanov–Krouk–Zyablov Cryptosystem. In: Deneuville, JC. (eds) Code-Based Cryptography. CBCrypto 2022. Lecture Notes in Computer Science, vol 13839. Springer, Cham. https://doi.org/10.1007/978-3-031-29689-5_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-29689-5_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-29688-8
Online ISBN: 978-3-031-29689-5
eBook Packages: Computer ScienceComputer Science (R0)