Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes

Alain Couvreur, Philippe Gaborit, Valérie Gauthier-Umaña, Ayoub Otmani, Jean Pierre Tillich

Research output: Contribution to journalResearch Articlepeer-review

72 Scopus citations


Because of their interesting algebraic properties, several authors promote the use of generalized Reed-Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed-Solomon code. More recently, new schemes appeared which are the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et al. which hides the generalized Reed-Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of distinguisher which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed-Solomon codes. Lastly, we give an alternative to Sidelnikov and Shestakov attack by building a filtration which enables to completely recover the support and the non-zero scalars defining the secret generalized Reed-Solomon code.

Original languageEnglish (US)
Pages (from-to)641-666
Number of pages26
JournalDesigns, Codes, and Cryptography
Issue number2
StatePublished - Nov 2014

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Applied Mathematics


Dive into the research topics of 'Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes'. Together they form a unique fingerprint.

Cite this