On the structure of the Schur squares of Twisted Generalized Reed-Solomon codes and application to cryptanalysis
Alain Couvreur, Rakhi Pratihar, Nihan Tanısalı, Ilaria Zappatore
TL;DR
This paper challenges prior claims that twisted generalized Reed-Solomon (TGRS) codes resist Schur-square attacks, showing that a broad class of $\ell$-twisted codes are distinguishable from random codes via Schur-square analysis of shortened codes. Focusing on the practically relevant case $\ell=1$, it develops a polynomial-time key-recovery attack for McEliece schemes based on TGRS codes, with a clear attack workflow: recover a codimension-1 subcode using a Schur-square distinguisher, extract the secret evaluation vector and multipliers via a Sidelnikov–Shestakov-like method, and determine the twist parameters $h$, $t$, and $\eta$. The authors provide a rigorous probability analysis of the attack’s success and report implemented results in a SageMath prototype, highlighting that the parameter ranges used in prior works are vulnerable beyond previously understood bounds. Collectively, the work demonstrates practical vulnerabilities in Schur-square-based defenses for TGRS/GRS-like McEliece variants and raises questions about security for higher twists $\ell>1$, with implications for code-based cryptography and the design of secure post-quantum schemes.
Abstract
Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones. Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with the same dimension. Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed-Solomon (TRS) codes over $\mathbb{F}_q$ with $\ell$ twists and $q \approx n^{2^{\ell}}$ for McEliece encryption, claiming their resistance to both the Sidelnikov–Shestakov attack and Schur product-based attacks. In short, they claimed these codes to resist the classical key recovery attacks on the McEliece encryption scheme instantiated with Reed-Solomon (RS) or GRS codes. In 2020, Lavauzelle and Renner presented an original attack on this system based on the computation of the subfield subcode of the public TRS code. In this paper, we show that the original claim on the resistance of TRS and TGRS codes to Schur product-based attacks is wrong. We identify a broad class of codes, including TRS and TGRS ones, that is distinguishable from random by computing the Schur square of some shortening of the code. Then, we focus on the case of a single twist (i.e., $\ell = 1$), which is the most efficient one in terms of decryption complexity, to derive an attack. The technique is similar to the distinguisher-based attacks on RS code-based systems given by Couvreur, Gaborit, Gauthier-Umaña, Otmani, Tillich in 2014.
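The structural difference the abstract relies on can be checked numerically. The following added example (not code from the paper) computes the dimension of the Schur square of a small RS code, of a single-twist TRS code and of a random code of the same length and dimension over a toy field GF(97); the TRS basis (x^i for i != h, and x^h + eta * x^(k-1+t) for i = h) is the Beelen et al. definition as recalled here, and the field size, length, dimension and twist parameters are constructed for illustration, far smaller than any cryptographic instance.

```python
import random

P = 97  # constructed: a toy prime field GF(97), not a cryptographic size

def rank_mod_p(rows, p=P):
    """Rank of a matrix (list of rows) over GF(p) by Gaussian elimination."""
    m, rank = [r[:] for r in rows], 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rank, len(m)) if m[i][c] % p), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][c] % p:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def schur_square_dim(gen, p=P):
    """Dimension of the Schur square: span of all coordinate-wise row products."""
    prods = [[(a * b) % p for a, b in zip(gen[i], gen[j])]
             for i in range(len(gen)) for j in range(i, len(gen))]
    return rank_mod_p(prods, p)

def rs_generator(xs, k, p=P):
    """RS code of dimension k: evaluations of 1, x, ..., x^(k-1) at the points xs."""
    return [[pow(x, i, p) for x in xs] for i in range(k)]

def trs_generator(xs, k, h, t, eta, p=P):
    """Single-twist TRS code (assumed Beelen et al. definition): the basis
    polynomial x^h is replaced by x^h + eta * x^(k-1+t)."""
    rows = []
    for i in range(k):
        row = [pow(x, i, p) for x in xs]
        if i == h:
            row = [(v + eta * pow(x, k - 1 + t, p)) % p for v, x in zip(row, xs)]
        rows.append(row)
    return rows

def compare(n=20, k=5, seed=1):
    """Schur-square dimensions of RS, TRS (h=0, t=1, eta=1) and a random [n,k] code."""
    xs = list(range(1, n + 1))                      # distinct points of GF(97)
    rng = random.Random(seed)                       # constructed random code
    rnd = [[rng.randrange(P) for _ in range(n)] for _ in range(k)]
    return {"rs": schur_square_dim(rs_generator(xs, k)),
            "trs": schur_square_dim(trs_generator(xs, k, 0, 1, 1)),
            "random": schur_square_dim(rnd)}

if __name__ == "__main__":
    print(compare())  # rs: 2k-1 = 9, trs: 2k = 10, random: k(k+1)/2 = 15
```

The RS square has dimension 2k-1, the twisted code's is already larger (2k for this twist), and a random code's fills min(n, k(k+1)/2); the paper's contribution is to show that shortening lets this gap separate TGRS codes from random ones even for the parameters proposed for McEliece.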
