On the Security of Subspace Subcodes of Reed–Solomon Codes for Public Key Encryption

Abstract

This article discusses the security of McEliece-like encryption schemes using subspace subcodes of Reed–Solomon codes, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">i.e.</i> subcodes of Reed–Solomon codes over <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${\mathbb {F}_{q^{m}}}$ </tex-math></inline-formula> whose entries lie in a fixed collection of <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${\mathbb {F}_{q}}$ </tex-math></inline-formula> –subspaces of <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${\mathbb {F}_{q^{m}}}$ </tex-math></inline-formula> . These codes appear to be a natural generalisation of Goppa and alternant codes and provide a broader flexibility in designing code based encryption schemes. For the security analysis, we introduce a new operation on codes called the <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">twisted product</i> which yields a polynomial time distinguisher on such subspace subcodes as soon as the chosen <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">${\mathbb {F}_{q}}$ </tex-math></inline-formula> –subspaces have dimension larger than <inline-formula xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex-math notation="LaTeX">$m/2$ </tex-math></inline-formula> . From this distinguisher, we build an efficient attack which in particular breaks some parameters of a recent proposal due to Khathuria, Rosenthal and Weger.