Twisted generalized Reed-Solomon (TGRS) codes constitute an interesting family of evaluation codes, containing a large class of maximum distance separable codes non-equivalent to generalized Reed-Solomon (GRS) ones. Moreover, the Schur squares of TGRS codes may be much larger than those of GRS codes with the same dimension. Exploiting these structural differences, in 2018, Beelen, Bossert, Puchinger and Rosenkilde proposed a subfamily of Maximum Distance Separable (MDS) Twisted Reed-Solomon (TRS) codes over $\mathbb{F}_q$ with $\ell$ twists, where $q \approx n^{2^{\ell}}$, for McEliece encryption, claiming their resistance to both the Sidelnikov-Shestakov attack and Schur product-based attacks. In short, they claimed these codes resist the classical key recovery attacks on the McEliece encryption scheme instantiated with Reed-Solomon (RS) or GRS codes. In 2020, Lavauzelle and Renner presented an original attack on this system based on the computation of the subfield subcode of the public TRS code. In this paper, we show that the original claim on the resistance of TRS and TGRS codes to Schur product-based attacks is wrong. We identify a broad class of codes including TRS and TGRS ones that is distinguishable from random by computing the Schur square of some shortening of the code. Then, we focus on the case of a single twist (i.e., $\ell = 1$), which is the most efficient one in terms of decryption complexity, to derive an attack. The technique is similar to the distinguisher-based attacks on RS code-based systems given by Couvreur, Gaborit, Gauthier-Umaña, Otmani and Tillich in 2014.