ON THE SECURITY OF SUBSPACE SUBCODES

OF REED–SOLOMON CODES FOR PUBLIC KEY ENCRYPTION

by

Alain Couvreur & Matthieu Lequesne

arXiv:2009.05826v2 [cs.CR] 8 Oct 2021

Abstract. — This article discusses the security of McEliece-like encryption schemes using subspace
subcodes of Reed–Solomon codes, i.e. subcodes of Reed–Solomon codes over Fqm whose entries lie
in a fixed collection of Fq –subspaces of Fqm . These codes appear to be a natural generalisation
of Goppa and alternant codes and provide a broader flexibility in designing code based encryption
schemes. For the security analysis, we introduce a new operation on codes called the twisted product
which yields a polynomial time distinguisher on such subspace subcodes as soon as the chosen Fq –
subspaces have dimension larger than m/2. From this distinguisher, we build an efficient attack
which in particular breaks some parameters of a recent proposal due to Khathuria, Rosenthal and
Weger.

Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Notation and prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Subspace Subcodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Further properties of the expansion operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. The XGRS cryptosystem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6. Twisted-square code and distinguisher. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7. Attacking the SSRS scheme. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
8. Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

1. Introduction
In the late 70’s, at the very beginning of public key cryptography, McEliece proposed a public
key encryption scheme whose security relies on the hardness of the bounded decoding problem
[BMvT78]. However, the system should be instantiated with a public code equipped with an
efficient decoding algorithm and one usually expect from the public code to be indistinguishable
from an arbitrary one since this last property guarantees the security of the system. In his seminal
article [McE78], McEliece proposed to instantiate his system with a binary Goppa code [Gop70,
Gop71] (see [Ber73] for a description in English).
One of the major drawbacks of such a proposal is the significant size of the public key. McEliece’s
historical proposal with binary Goppa codes required a 32.7 kB key for a claimed classical security
of 65 bits. In the recent NIST submission Classic McEliece [BCL+ 19], a public key size of 261 kB
is proposed for a claimed security level of 128 bits. For this reason, there has been many attempts

Key words and phrases. — Code-based cryptography, McEliece encryption scheme, subspace subcodes, GRS
codes, expansion of codes, square product of codes, key recovery attack.
2 ALAIN COUVREUR & MATTHIEU LEQUESNE

in the last forty years to replace the Goppa codes used in McEliece’s scheme by other families
of codes, in order to reduce the key size. Many of these proposals focus on Generalised Reed-
Solomon (GRS) codes, since they benefit from excellent decoding properties. On the other hand,
their structure is difficult to hide. Consequently, to our knowledge, all code-based cryptographic
schemes using GRS codes or low-codimensional subcodes of GRS codes as trapdoor have been
attacked.
The use of GRS codes to replace Goppa codes in McEliece’s scheme was initially suggested in
Niederreiter’s paper [Nie86], but this proposal was attacked by Sidelnikov and Shestakov [SS92]
(although an earlier article from Roth and Seroussi [RS85] already explained how to recover the
structure of a GRS code). To overcome the attack of Sidelnikov and Shestakov while trying to keep
the benefits of GRS codes, several proposals appeared in the literature. Berger and Loidreau pro-
posed to replace the GRS code by a subcode of low codimension [BL05]; Wieschebrink [Wie06]
included some random columns in a generator matrix of a GRS code; his approach was enhanced in
NIST submission RLCE [Wan16, Wan17], where random columns are included and then “mixed”
with the original columns using specific linear transformations; finally Baldi, Bianchi, Chiaraluce,
Rosenthal and Schipani (BBCRS) [BBC+ 16] proposed to mask the structure of a GRS code by
right multiplying it by a “partially weight preserving” matrix. All these proposals have been par-
tially or fully broken using attacks derived from a square code distinguisher. The first contribution,
due to Wieschebrink [Wie10] broke the Berger-Loidreau proposal. Later on, Wieschebrink’s and
BBCRS schemes were attacked in [CGG+ 14, COTG15] and RLCE in [CLT19].
In summary, forty years of research on the use of algebraic codes for public key encryption boil
down to the following observations.
(1) On one hand, the raw use of GRS codes as well as most of the variants using these codes lead
to insecure schemes.
(2) On the other hand, Goppa codes or more generally alternant codes remain robust decades
after they were initially proposed by McEliece.
Alternant codes are nothing but subfield subcodes of GRS codes. Hence, considering the spec-
trum with (full) GRS codes on one end and their subfield subcodes (i.e. alternant codes) on the
other, the intermediary case is that of subspace subcodes of Reed–Solomon codes. This notion of
subspace subcodes of Reed-Solomon (SSRS) was originally introduced without any cryptographic
motivation by Solomon, McEliece and Hattori [Ste93, MS94, Hat95, HMS98]. An SSRS code
is a subset of a parent Reed-Solomon code over Fqm consisting of the codewords whose components
all lie in a fixed λ-dimensional Fq -vector subspace of Fqm , for some λ 6 m. These codes are no
longer linear over Fqm but only over Fq . The SSRS construction provides long codes with good
parameters over alphabets of moderate size, in the spirit of alternant codes [MS86, Chapter 12].
Therefore these codes are interesting from an information-theoretic point of view.
For public key cryptography, some recent works exploring different approaches appeared in
the recent years. The first use of the notion of subspace subcodes for cryptography comes from
Gabidulin and Loidreau who propose to use subspace subcodes of Gabidulin codes for a rank-
metric based cryptosystem in [GL05, GL08]. The first work discussing the use of SSRS codes
for public key encryption is due to Berger, Gueye and Klamti [BGK19]. Shortly after, Berger,
Gueye, Klamti and Ruatta [BGKR19] proposed a cryptosystem based on quasi–cyclic subcodes
of SSRS codes. In another line of work, Khathuria, Rosenthal and Weger [KRW21] proposed
a McEliece–like encryption scheme using expanded subspace subcodes of GRS codes instead of
Goppa codes. Throughout the document, we will refer to this scheme as the XGRS scheme (where
the X stands for expanded ).
The use of subspace subcodes of Reed–Solomon codes is of particular interest in code based
cryptography since it includes McEliece’s original proposal based on Goppa codes on the one hand
and encryption based on generalised Reed–Solomon codes on the other hand as the two extremities
of a same spectrum. Indeed, starting from Reed–Solomon codes over Fqm and considering subspace
subcodes over subspaces of Fqm of dimension 1 6 λ 6 m, the case λ = m is corresponds to GRS
codes, while the case λ = 1 corresponds to alternant codes (which include Goppa codes). The
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 3

notion of subspace subcodes allows a modulation of the parameter λ. Consequently, they are of
particular interest for two reasons.
(1) Subspace subcodes may provide interesting codes for encryption with λ > 1, providing shorter
keys than the original McEliece scheme.
(2) Their security analysis encompasses that of Goppa and alternant codes and may help to better
understand the security of McEliece encryption scheme. We emphasise that such a security
analysis is of crucial interest since Classic McEliece lies among the very few candidates selected
by the NIST for the last round of the post-quantum standardisation process.

proved insecure
m/2 in this work
0 1 m
λ

alternant codes, Goppa codes GRS codes

(believed secure) (known insecure)

Figure 1. The case λ = m (i.e. using the whole GRS code as secret key) is known to be
insecure. On the other hand, the case λ = 1 corresponding to alternant codes (among
which Goppa codes) is a well-studied hard problem. Our attack covers all cases where
m/2 < λ 6 m.

Our contribution. — In the present article, we first introduce a general public key cryptosystem
relying on subspace subcodes of Reed–Solomon codes, which we refer to as the SSRS cryptosystem.
We prove that the XGRS cryptosystem of [KRW21] is in fact a sub-instance of the SSRS scheme.
Then, we analyse the security of the SSRS cryptosystem, using alternatively a high-level approach
(considering abstract subspaces of Fqm ) or a more constructive one (focusing on explicit descrip-
tions of such codes as Fq -linear codes using the expansion operator ). We present a distinguisher
on the SSRS scheme, by introducing a new and original notion, which we called twisted product
of codes. Our distinguisher succeeds for any subpace subcode of a GRS code over Fqm when the
subspaces have dimension λ > m/2 (see Figure 1). Using this distinguisher we derive a polynomial
time attack on SSRS when λ > m/2, which in particular breaks some parameters of the XGRS
scheme proposed by its authors, namely the case of subspace subcodes on 2–dimensional subspaces
of GRS codes over Fq3 .

Related work. — This work should be related to [BGK19, § VI.B] where it is shown that an
encryption scheme based on an expanded GRS code (the full code, not a subspace subcode) is not
secure. Next, in the same reference [BGK19, § VI.C], the case of subspace subcodes is discussed
and the proposed attack involves a brute force search on the all the bases used for the expansion
of each position. This attack has an exponential complexity, while ours runs in polynomial time.
On the other hand, the “λ > m/2 condition” for the public code to be distinguished from
a random one should be compared to the results of [COT14b, COT17], where some classical
Goppa codes are attacked using, among others, the square code operation. The considered classical
Goppa codes correspond to the parameters m = 2 and λ = 1 and hence lie at the very limit of
the distinguisher. These Goppa codes got however broken due to peculiar features that give them
a larger dimension compared to generic alternant codes of the same parameters (see [SKHN76,
COT14a]).

Outline of the article. — We start in Section 2 by fixing the notation and bringing well–known
notions of algebraic coding theory that are necessary to follow the article. The notion of subspace
subcodes is recalled in Section 3 as well as some of their known properties. We also discuss the
way to practically represent subspace subcodes, and introduce the SSRS cryptosystem, which is
an instantiation of the McEliece scheme using subspace subcodes of Reed–Solomon codes. Some
4 ALAIN COUVREUR & MATTHIEU LEQUESNE

operators play an important role in this article, Section 4 is devoted to them and the way they
interact with each other. In Section 5, we present the XGRS cryptosystem from [KRW21] and
prove that it is a sub-instance of the SSRS cryptosystem. The notion of twisted square code and
the corresponding distinguisher are introduced in Section 6. Finally, Section 7 is devoted to the
presentation of the attack on SSRS scheme.

Note. A long version of the present article including further detailed proofs and remarks is
available online. See [CL20].

Acknowledgements. — The authors express their deep gratitude to the anonymous referees
whose relevant comments and suggestions permitted a significant improvement of the present arti-
cle. This research was conducted while Matthieu Lequesne was employed by Sorbonne Université
and Inria. Matthieu Lequesne is now employed at the CWI in Amsterdam (Netherlands) and is
funded by the ERC-ADG-ALGSTRONGCRYPTO project (no. 740972).

2. Notation and prerequisites

In this section, we fix the notation and recall some usual tools of code-based cryptography that
are used in the definition of subspace subcodes and in the construction the XGRS cryptosystem.

2.1. Notation. — In this article, q denotes a power of a prime and m a positive integer. The
vector space of polynomials of degree less than k over a field F is denoted by F[X]<k . The space
of matrices with entries in a field F with m rows and n columns is denoted by Fm×n . Given an
F–vector space V and vectors v 0 , . . . , v s−1 ∈ V, the subspace spanned over F by the v i ’s is denoted
by
(s−1  )
def
X 
h v 0 , . . . , v s−1 iF = λi v i  λi ∈ F .

i=0

k×n
Moreover, given a matrix G ∈ F , we denote by h G iF the space spanned by the rows of G,
that is to say the code with generator matrix G, is denoted by
def
h G iF = h v | v row of G iF = {m · G | m ∈ Fk }.

The support of a vector is the set of its indices with non-zero entries. An [n, k] code over F is a
linear code over F of length n and dimension k.
Given two integers a, b with a < b, we denote by Ja, bK the interval of integers {a, a + 1, . . . , b}.
The cardinality of a finite set U is denoted by |U |. Given a probabilistic event A, its probability
is denoted by P [A] and the mean of a random variable X is denoted by E [X].

Convention. In this article, any word or finite sequence of length ℓ is indexed from 0 to ℓ − 1.
In particular, codewords of length n are indexed as follows: (x0 , . . . , xn−1 ).

2.2. Reed–Solomon codes. —

Definition 1 (Generalised Reed–Solomon codes). — Let x ∈ Fnq be a vector whose entries

are pairwise distinct and y ∈ Fnq be a vector whose entries are all nonzero. The generalised
Reed–Solomon (GRS) code with support x and multiplier y of dimension k is defined as
def
GRSk (x, y) = {(y0 f (x0 ), . . . , yn−1 f (xn−1 )) | f ∈ Fq [x]<k } .

If y = (1, . . . , 1) then the code is said to be a Reed–Solomon code and denoted as RSk (x).
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 5

2.3. Component wise product of codes. — The component-wise product of two vectors a
and b in Fn is denoted by
def
a ⋆ b = (a0 b0 , . . . , an−1 bn−1 ).
This definition extends to the product of codes, where the component-wise product or ⋆–product
of two K-linear codes A and B ⊆ Fn spanned over a field K ⊆ F is defined as
def
A ⋆K B = h a ⋆ b | a ∈ A , b ∈ B iK .
def
When A = B, we denote by AK⋆2 = A ⋆K A the square code of A spanned over K.
Remark 2. — The field K in the above notation is almost always equal to F the base field on
which the codes are defined. However, it may sometimes be a subfield. For the sake of clarity, we
make the value of K explicit only in the ambiguous cases.

2.4. Punctured and shortened codes. — The notions of puncturing and shortening are clas-
sical ways to build new codes from existing ones. These constructions will be useful for the attack.
We recall here their definition. For a codeword c ∈ Fnq , we denote by (c0 , . . . , cn−1 ) its entries.
Definition 3 (Puncturing, shortening). — Let C ⊆ Fnq and L ⊆ J0, n − 1K. The puncturing
and the shortening of C at L are defined as
def def
PctL (C ) = {(ci )i∈J0,n−1K\L | c ∈ C } and ShL (C ) = PctL ({c ∈ C | ∀i ∈ L, ci = 0}) .
Similarly, given a matrix M with n columns, one defines PctL (M ) as the matrix whose columns
with index in L are removed, so that puncturing a generator matrix of a code yields a generator
matrix of the punctured code.
Shortening a code is equivalent to puncturing the dual code, as explained by the following
proposition.
Proposition 4 ([HP03, Theorem 1.5.7]). — Let C be a linear code over Fnq and L ⊆ J0, n − 1K.
Then,
ShL (Dual(C )) = Dual(PctL (C )) and Dual(ShL (C )) = PctL (Dual(C )) ,
where Dual(A ) denotes the dual of the code A .
Remark 5. — The notation Dual(C ) to denote the dual code of C is rather unusual. This code
is commonly denoted C ⊥ .

2.5. Bases and trace map. — In this paper, we consider codes over a finite field Fqm and
codes over its subfield Fq . A useful and natural tool is the trace map.
Definition 6 (Trace map). — Let q be a prime power and m an integer. The trace map is
defined as 
Fqm −→ F
Tr : Pm−1q qi
x 7−→ i=0 x .

Definition 7 ([LN97, Definition 2.30]). — Let B = (b0 , . . . , bm−1 ) be an Fq -basis of Fqm . There
exists a unique basis B ∗ = (b∗0 , . . . , b∗m−1 ), such that :

1 if i = j,
∀0 6 i, j 6 m − 1, Tr(bi b∗j ) =
0 otherwise.
This basis will be referred to as the dual basis of B and denoted B ∗ .
Given an Fq –basis B = (b0 , . . . , bm−1 ) of Fqm and x an element of Fqm . Then the expression of
x as an Fq –linear combination of the elements of B writes as
x = Tr(b∗0 x)b0 + · · · + Tr(b∗n−1 x)bn−1 ,
where B ∗ = (b∗0 , . . . , b∗m−1 ) denotes the dual basis of B.
6 ALAIN COUVREUR & MATTHIEU LEQUESNE

3. Subspace Subcodes
3.1. Definition and first properties. —
Definition 8 ([HMS98]). — Given a linear code C defined over a field Fqm , and a λ-dimensional
subspace S of Fqm (0 6 λ 6 m), the subspace subcode C|S is defined to be the set of codewords
of C whose components all lie in S.
def
C|S = {c ∈ C | ∀i ∈ J0, n − 1K, ci ∈ S} ⊆ Fnqm .
It is important to note that the code C|S is an Fq –linear subspace of Fnqm which is generally
neither Fqm –linear nor linear over some intermediary extension. Since each entry of a codeword
can be represented as λ elements of Fq , the code could be converted into a code over the alphabet
n
Fλq . Such a code would form an additive subgroup over (Fλq ) , therefore this construction is called
a subgroup subcode by Jensen in [Jen95]. In a context of message transmission, this natural way
to represent such a subspace subcode is detailed further in § 3.2.
We can generalise this definition with different subspaces for each entry.
Definition 9. — Given a linear code C of length n over a field Fqm , and the λ-dimensional
subspaces (S0 , . . . , Sn−1 ) of Fqm (0 6 λ 6 m), the subspace subcode C|(S0 ,...,Sn−1 ) is defined to be
the set of codewords of C such that the i-th components lies in Si .
def
C|(S0 ,...,Sn−1 ) = {c ∈ C | ∀i ∈ J0, n − 1K, ci ∈ Si }.
Remark 10. — When S0 = · · · = Sn−1 = Fq , then we find the usual definition of subfield
subcode.
Remark 11. — It is possible to give a more general definition where the Si ’s do not have the
same dimension λ. However, such a broader definition would be useless in the present article.
Proposition 12. — Let C be a linear code of length n and dimension k over Fqm and S ⊆ Fqm
be a subspace of dimension λ 6 m. Then
(1) dimFq C|S > km − n(m − λ).
Proof. — See for instance [Jen95, Theorem 2 (1)].
Example 13. — The following example comes from [HMS98].
Consider C the Reed–Solomon code over F24 of length 15 and dimension 9. This code has
minimum distance 7. Any element of F24 can be decomposed over the F2 -basis (1, α, α2 , α3 ),
where α is a root of the irreducible polynomial X 4 + X + 1. Let S be the subspace spanned by
(1, α, α2 ). The code C|S is the subset of codewords of C that have no component in α3 . Hence,
if one uses this code for communication, there is no need to send the α3 component, since it is
always zero.
So this subspace subcode can be seen as an F2 -linear code of length 15 over the set of binary
3-tuples. But the code is not a linear code over F23 . The minimum distance of C|S is at least 7,
because it cannot be less than the minimum distance of the parent code. The number of codewords
in C|S is 222 . As a comparison, one other way to create a code of length 15 over binary 3-tuples
is by shortening the generalised BCH code [63, 52, 7] over F23 . This gives a [15, 4, > 7] code over
F23 which has 212 codewords.
Similarly to the case of subfield subcodes, inequality (1) is typically an equality as explained in
the following statement that we prove because of a lack of references.
Proposition 14. — Let R be a uniformly random code among the codes of length n and di-
mension k over Fqm . Let S0 , . . . , Sn−1 be Fq –subspaces of Fqm of dimension λ. Suppose that
km > n(m − λ). Then, for any integer ℓ, we have
 
  −ℓ 1 1
P dimFq R|(S0 ,...,Sn−1 ) > km − n(m − λ) + ℓ 6 q + km−n(m−λ) .
1 − q −mn q
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 7

In particular, for fixed values of q, m and λ, this probability is in O(q −ℓ ) when n → ∞.

Proof. — Let Grand be a uniformly random variable among the full rank matrices in Fqk×n
m and
def
R = {mGrand | m ∈ Fkqm }.

The code R is uniformly random among the set of [n, k] codes over Fqm ([Cou20, Lemma 3.12]).
Let Φ be the Fq –linear canonical projection
n−1
Y
Φ : Fnqm −→ Fqm /Si .
i=0

Then, R|(S0 ,...,Sn−1 ) is the kernel of the restriction of Φ to R and hence,

 
  X
E |R|(S0 ,...,Sn−1 ) | = E  1Φ(mGrand )=0 
 
m∈Fk
qm
X
= P [Φ(mGrand ) = 0]
m∈Fk
qm
X
(2) =1+ P [Φ(mGrand ) = 0] .
m∈Fk
qm
\{0}

Since Grand is uniformly random among the full–rank matrices, then for any m ∈ Fkqm \ {0}, the
vector mGrand is uniformly random in Fqm \ {0} ([Cou20, Lemma 3.13]) and hence
|ker Φ \ {0}|
∀m ∈ Fkqm \ {0}, P [Φ(mGrand = 0)] =  n 
Fqm \ {0}
Q
| i Si | − 1
= mn
q −1
q λn − 1 1
= mn 6 q −n(m−λ) · ·
q −1 1 − q −mn
Thus, applied to (2),
1
E |R|(S0 ,...,Sn−1 ) | 6 1 + |Fkqm \ {0}| · q −n(m−λ) ·
 
1 − q −mn
1
6 1 + q km−n(m−λ) · ·
1 − q −mn
Finally, using Markov inequality, we get
h i
P dimFq (R|(S0 ,...,Sn−1 ) ) > km − n(m − λ) + ℓ = P |R|(S0 ,...,Sn−1 ) | > q km−n(m−λ)+ℓ
 
 
E |R|(S0 ,...,Sn−1 ) |
6
q km−n(m−λ)+ℓ
 
−ℓ 1 1
6q + km−n(m−λ) .
1 − q −mn q

3.2. How to represent subspace subcodes? — For a practical implementation, subspace

subcodes may be represented as codes over the subfield Fq with a higher length. For this sake we
introduce the expansion operator and give some of its properties.
8 ALAIN COUVREUR & MATTHIEU LEQUESNE

3.2.1. The Expansion Operator. —

Definition 15 (Expansion of a vector or a code). — For an Fq –basis B of Fqm , let ExpB
denote the expansion of a vector over the basis B defined by
Fℓqm Fmℓ

−→ q
ExpB :
(x0 , . . . , xℓ−1 ) 7−→ (x0,0 , . . . , x0,m−1 , . . . , xℓ−1,0 , . . . , xℓ−1,m−1 ),
where for any i ∈ J0, ℓ − 1K, xi = xi,0 b0 + · · · + xi,m−1 bm−1 . Given a linear code C of length n
over Fqm , denote ExpB (C ) the linear code over Fq defined by
def
ExpB (C ) = {ExpB (c) | c ∈ C }.
We will apply this operator to vectors or codes of different lengths ℓ.

Note that if B ∗ = (b∗0 , . . . , b∗m−1 ) denotes the dual basis of B then

ExpB (x) = (Tr(b∗0 x0 ), . . . , Tr(b∗m−1 x0 ), . . . , Tr(b∗0 xℓ−1 ), . . . , Tr(b∗m−1 xℓ−1 )).
We also wish to define the expansion of a matrix so that the expansion of a generator matrix of
a code C ⊆ Fnqm over a basis B is a generator matrix of ExpB (C ). It turns out that expanding the
rows of a generator matrix is not sufficient. Indeed, for a given codeword c ∈ C and any α ∈ Fqm ,
the vector ExpB (αc) is in ExpB (C ). This leads to the following definition.
Definition 16 (Expansion of a matrix). — Given B = (b0 , . . . , bm−1 ) an Fq -basis of Fqm .
Let ExpMatB denote the following operation.
Fqk×n Fmk×mn


 m −→ q
ExpB ( b0 m0 )
  


..


    
m0 .

  

  
ExpB ( bm−1 m0 )

    
ExpMatB : . ..
   



 .
.  7−→
 
 . .

    
ExpB ( b0 mk−1 )

    

  

 mk−1  .. 
.

  


ExpB ( bm−1 mk−1 )


Remark 17. — Caution, applying ExpMatB to an 1 × n matrix returns an m × mn matrix. It

is not equivalent to applying ExpB to the vector corresponding to this row.
⊺
Remark 18. — ExpMatB∗ (M ) = (ExpMatB (M ⊺ )) .
Proposition 19 ([KRW21, Proposition 1]). — Let C be a linear code of dimension k and length
n over Fqm . Let G denote a generator matrix of C and H denote a parity-check matrix of C .
Then, for any fixed Fq -basis B of Fqm , the following hold.
(i) For all x ∈ Fkqm , we have ExpB (x · G) = ExpB (x) · ExpMatB (G).
⊺ ⊺ ⊺
(ii) For all y ∈ Fnqm , we have ExpB ((H · y ⊺ ) ) = ExpMatB∗ (H) · ExpB (y) .
Corollary 20. — Let G and H be a generator and a parity-check matrix of C respectively. Let B
denote an Fq -basis of Fqm . Then ExpMatB (G) and ExpMatB∗ (H) are respectively a generator
matrix and a parity-check matrix of ExpB (C ).
Definition 21 (Block). — Given a vector v ∈ Fnqm , an Fq –basis B of Fqm and a non negative
integer i < n, the i–th block of the expanded vector ExpB (v) ∈ Fmn q is the length m vector
composed by the entries of index mi, mi + 1, . . . , mi + m − 1 of ExpB (v). It corresponds to the
decomposition over B of the i-th entry of v. We extend this definition to matrices, where the i-th
block of an expanded matrix means the mk × m matrix whose rows correspond to the i-th block
of each row of the expanded matrix. In particular, the expansion in a basis B of some x ∈ Fnqm is
the concatenation of n blocks of length m.
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 9

3.2.2. Expansion over various bases. — We have seen in Definition 9 that we could define a
subspace subcode with different subspaces for each entry. Similarly, we can define an expansion
with regard to a different basis for each entry.

Definition 22. — Given ℓ bases (B0 , . . . , Bℓ−1 ) of Fqm , we define Exp(Bi )i (x) as the expansion
of x ∈ Fℓqm , whose ith block is the expansion of xi over the basis Bi . For a linear code C ⊆ Fnqm ,
we define Exp(Bi )i (C ) in a similar fashion. Finally, given a matrix M ∈ Fqk×n m and an additional
Fq –basis B̄ = (b̄0 , . . . , b̄m−1 ) of Fqm , we define
 
Exp(Bi )i ( b̄0 m0 )
 .. 

 . 

(Bi )i ( b̄m−1 m0 )
 Exp 
 
ExpMatB̄ (M )
def 
=
 .. 
.
(Bi )i  . 
 Exp(Bi )i ( b̄0 mk−1 )
 

..
 
 
 . 
Exp(Bi )i ( b̄m−1 mk−1 )

Using dual bases we get an explicit description:

Exp(Bi )i (x) = (Tr(b∗0,0 x0 ), . . . , Tr(b∗0,m−1 x0 ), . . . , Tr(b∗ℓ−1,0 xℓ−1 ) . . . , Tr(b∗ℓ−1,m−1 xℓ−1 )),
where Bi = (bi,0 , . . . , bi,m−1 ).
The properties of Proposition 19 still hold for various bases.

Remark 23. — Note that contrary to the expansion of codes, the expansion of a matrix depends
on the choice of a basis B̄ for the vertical expansion. When considering the code spanned by an
expansion matrix, different choices of B̄ yield the same code, so we will omit the vertical expansion
basis in the expansion matrix operator.

3.2.3. Squeezing: the inverse of expansion. — We can define the “inverse” of the expansion op-
erator.

Definition 24 (Squeezing). — Let B = (b0 , . . . , bm−1 ) be a basis of Fqm . Let x =

(x0,0 , . . . , x0,m−1 , . . . , xn−1,0 , . . . , xn−1,m−1 ) ∈ Fmn q . We define the squeezed vector of x with
respect to the basis B as
 m−1 m−1 
def
X X
SqueezeB (x) = x0,j bj , . . . , xn−1,j bj ∈ Fnqm .
j=0 j=0

Let C be an [m × n, k]–code over Fq . We define the squeezed code of C with respect to B as

def
SqueezeB (C ) = {SqueezeB (c) | c ∈ C } .
Finally, given a matrix M ∈ Fmk×mn
q , then SqueezeMatB (M ) ∈ Fmk×n
q denotes the matrix
whose rows are obtained by squeezing each row of the matrix M over B.

Remark 25. — Beware that if M is obtained by expanding a matrix of rank r over the basis
B, then SqueezeMatB (ExpMatB (M )) is a km × n matrix and hence is not equal to M but it
generates the same code.

Proposition 26. — Let C be an [n, k] code over Fqm and B be a basis of Fqm . Then,
SqueezeB (ExpB (C )) = C .

Similarly to the expansion operators, we can define the squeezing operators with a different
basis for each block.
10 ALAIN COUVREUR & MATTHIEU LEQUESNE

3.2.4. Representation of subspace subcodes. — Let C be a code of length n and dimension k over
the field Fqm and S denote an Fq -subspace of Fqm of dimension λ 6 m. Let BS = (b0 , . . . , bλ−1 ) ∈
Fλqm be an Fq -basis of S. Then any vector c = (c0 , . . . , cn−1 ) ∈ S n , i.e. whose entries are all in S
can be expanded as
def
ExpBS (c) = (c0,0 , . . . , c0,λ−1 , . . . , cn−1,0 , . . . , cn−1,λ−1 ),
where the ci,j ′ s are the coefficients of the decomposition of ci in the BS .
Remark 27. — Note that the previous definition makes sense only for vectors in S n .
Next, the subspace subcode C|S can be represented as
def
ExpBS (C|S ) = {ExpBS (c) | c ∈ C|S }.
Here again, as noticed in Remark 27, the notion is well–defined only for codes with entries in S.
Similarly to Definition 21, a block refers to a set of the form Jiλ, (i + 1)λ − 1K. That is to say,
a set of λ = dim S consecutive indexes of the expanded code, corresponding to the decomposition
of a single entry in S in the basis BS .

3.3. Subspace-subcodes of Reed-Solomon codes. — Expanding codes, in particular

Reed–Solomon codes, over the base field has been studied since the 1980’s. For instance, in
[KL85, KL88], Kasami and Lin investigate the weight distribution of expanded binary Reed–
Solomon codes. Sakakibara, Tokiwa and Kasahara extend their work to q-ary Reed–Solomon
codes [STK89].
But the idea behind subspace subcodes, which consists in keeping only the subset of codewords
that are defined over a subspace of the field, first appears in a paper by Solomon [Sol93]. In
a joint work with McEliece [MS94], they define the notion of trace-shortened codes, which is a
special case of subspace subcodes where λ = m − 1 and where the considered subspace S is the
kernel of the trace map. These articles focus uniquely on Reed–Solomon codes. Still, this point
of view turns out to be the most general one since a subspace subcode of a GRS code can always
be regarded as a subspace subcode of an RS code by changing the subspaces as explained by the
following statements.
n
Proposition 28. — Let C ⊆ Fnqm , S0 , . . . , Sn−1 be Fq –subspaces of Fqm and a ∈ (F×
qm ) . Then,

(C ⋆ a)|(S0 ,...,Sn−1 ) = C|(a−1 S0 ,...,a−1 ⋆ a.

0 n−1 Sn−1 )

Moreover, let x, y ∈ Fnqm be a support and a multiplier, then

GRSk (x, y)|(S0 ,...,Sn−1 ) = RSk (x)|(y−1 S0 ,...,y−1 ⋆ y.
0 n−1 Sn−1 )

The notion is then generalised to any kind of subspace and any code by Jensen in [Jen95]
under the name subgroup subcodes. In his thesis [Hat95] and in [HMS98], Hattori studies the
dimension of subspace subcodes of Reed–Solomon codes. Some conjectures of Hattori are later
proved by Spence in [Spe04]. Cui and Pei extend the results to generalised Reed–Solomon codes
in [JJ01]. Then, Wu proposes a more constructive approach of these codes using the equivalent of
the expansion operator in [Wu11]. The idea of using distinct bases for each position is introduced
in [vDT99].

3.4. An instantiation of McEliece with SSRS codes. — Let us first present a generic en-
cryption scheme based on subspace subcodes of GRS codes. This cryptosystem will be referred
to as the Subspace Subcode of Reed–Solomon (SSRS) scheme. We will later prove that the cryp-
tosystem of [KRW21] is a sub-instance of the SSRS scheme.
3.4.1. Parameters. — The cryptosystem is publicly parametrised by:
– q a prime power;
– m an integer;
– λ such that 0 < λ < m;
– n, k such that 0 6 k < n 6 q m and km > (m − λ)n.
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 11

3.4.2. Key generation. —

– Generate a uniformly random vector x ∈ Fnqm with distinct entries.
– Choose n uniformly random λ–dimensional vector subspaces S0 , . . . , Sn−1 ⊆ Fqm with re-
spective bases BS0 , . . . , BSn−1 .
(km−n(m−λ))×λn
– Let Gpub ∈ Fq denote a generator matrix of the code
def

Cpub = Exp(BS0 ,...,BSn−1 ) RSk (x)|(S0 ,...,Sn−1 ) .

If Gpub is not full-rank, abort and restart the process. See Section 5.2 for the practical
computation on Gpub .
– The public key is Gpub and the secret key is (x, BS0 , . . . , BSn−1 ).

Lemma 29 (Public Key Size). — The public key is a matrix of size m(n − k) × λn over Fq .
Only the non-systematic part is transmitted. Hence the public key size in bits is
m(n − k)(λn − m(n − k)) log2 (q).
mk−(m−λ)n
3.4.3. Encryption. — Let m ∈ Fq be the plaintext. Denote
def n−k
t = ⌊ ⌋.
2
(m−λ)n (m−λ)n
Choose e ⊆ Fq uniformly at random among vectors of Fq with exactly t non-zero
blocks (see Definition 21).
3.4.4. Decryption. — From y ∈ Fλn ′ mn
q , construct a vector y ∈ Fq by completing each block of
size λ with m − λ entries set to zero.
Denote y ′′ = Squeeze(Bi )i (y ′ ). According to the definition of e, the vector y ′′ ∈ Fnqm is at
distance t of the code RSk (x). Hence, by decoding, one computes the unique c ∈ RSk (x) at
distance 6 t from y ′′ and the expansion of c yields mGpub .

4. Further properties of the expansion operator

We now introduce some properties of the expansion operators. More specifically, in order to
analyse the XGRS cryptosystem, we study how this operator behaves with respect to other oper-
ations (especially those used in the key generation): puncturing/shortening, computing the dual,
changing the expansion basis. We also consider the relation with the square product operation,
as this is a natural distinguisher for GRS-based codes.
In this section, for the sake of clarity, all properties will be defined considering the same basis for
each entry, but everything works exactly the same way if one considered expansion with a different
basis for each entry, as different columns of Fqm (or blocks of columns of Fq corresponding to the
expansion of same column of Fqm ) do not interact.

4.1. Subspace subcodes as shortening of expanded codes. — This lemma explains how
to construct the parity-check matrix of a subspace subcode from the parity-check matrix of the
parent code. This result is important to perform computations over the subspace subcodes.

Lemma 30. — For integers n and λ < m, denote J (λ, m) the subset of J0, mn − 1K consisting
of the last m − λ entries of each block of length m
def
(3) J (λ, m) = {im + j, i ∈ J0, n − 1K, j ∈ Jλ, m − 1K} .
Let B = (b0 , . . . , bm−1 ) be an Fq -basis of Fqm such that BS = (b0 , . . . , bλ−1 ) is a basis of S. Then,
ExpBS (C|S ) = ShJ (λ,m) (ExpB (C )) .
Equivalently, the following diagram is commutative.
12 ALAIN COUVREUR & MATTHIEU LEQUESNE

( · )|S
C C|S

ExpB ExpBS

ShJ (λ,m) ( · )
ExpB (C ) ExpBS (C|S )

Let H ∈ Fqk×nm denote a parity–check matrix of C . Complete the basis BS = (b0 , . . . , bλ−1 )
with m − λ additional elements (bλ , . . . , bm−1 ) ∈ Fm−λ
qm such that B = (b0 , . . . , bm−1 ) forms an
Fq –basis of Fqm . According to Corollary 20, the matrix ExpMatB∗ (H) is a parity–check matrix
of ExpB (C ) and, from Proposition 4, removing (puncturing) the last m − λ columns of each block
of this matrix provides a parity–check matrix of ExpBS (C|S ).

4.2. Puncturing and shortening. —

Lemma 31. — Let C be an [n, k] code over Fqm . Let L denote a subset of J0, n − 1K. Then the
following equalities hold.
ExpB (PctL (C )) = PctL′ (ExpB (C )) ,

ExpB (ShL (C )) = ShL′ (ExpB (C )) ,

′
where L denotes the set of all columns generated from expanding columns in L, that is
def [
L′ = {i + j, 0 6 j < m}.
i∈L

Proof. — The result is straightforward for puncturing. The expansion operation is independent
for each column, hence puncturing a column before expanding is equivalent to puncturing the
corresponding block of m columns. As for shortening, the shortening operation is the dual of
puncturing operation, hence the result is a consequence of the next lemma.

4.3. Dual code. —

Lemma 32 ([Wu11], Lemma 1). — Let B be a basis and B ∗ denote the dual basis. For all
a, b ∈ Fnqm , if a and b are orthogonal, i.e. a · b⊺ = 0, then ExpB (a) and ExpB∗ (b) are orthogonal
⊺
ExpB (a) · (ExpB∗ (b)) = 0.

Corollary 33. — Let C be an [n, k] code over Fqm . Let B = (b0 , . . . , bm−1 ) be a basis of Fqm .
Then the following equality holds.
Dual(ExpB (C )) = ExpB∗ (Dual(C )),
∗
where B denotes the dual basis of B.

4.4. Changing the expansion basis. —

Lemma 34. — Let C be an [n, k] code over Fqm . Let (Bi )i be n bases of Fqm . Let (Qi ) ∈ (Fm×m
q )n
denote n invertible m × m matrices. The following equality holds.
 
Q0
Exp(Bi ·(Q−1 )⊺ )i (C ) = ExpBi (C ) · 
 .. .

i
.
Qn
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 13

Proof. — Let c be a codeword of C . We only focus on the first entry of c which we denote by
c. We also denote the elements of B0 by (b0 , . . . , bm−1 ) and the entries of Q0 by (qi,j )i,j . The

⊺
decomposition of c in B0 is c = c0 b0 + · · ·+ cm bm . Let D = (d0 , . . . , dm−1 ) be the basis B0 · Q−1
0 .
Pm−1
For any i ∈ J0, m − 1K, we have bi = j=0 dj qi,j . Expressing c in this new basis gives
m−1
X XX  XX 
c= ci b i = dj qi,j = xi qi,j dj .
i=0 i j j i

Therefore, ExpB (c) · Q0 = ExpD (c). This holds for any entry of any codeword c ∈ C .

4.5. Scalar multiplication in Fqm . —

Lemma 35. — Let C be an [n, k] code over Fqm . Let (Bi )i be n basis of Fqm . Let a =
(a0 , . . . , an−1 ) ∈ Fnqm denote a vector of length n over Fqm . The following equality holds.
Exp(Bi )i (C ) = Exp(ai Bi )i ({(c ⋆ a) | c ∈ C })
= Exp(ai Bi )i (C ⋆ a).

5. The XGRS cryptosystem

5.1. The cryptosystem. — We describe here the cryptosystem which we call XGRS, presented
in [KRW21] by Khathuria, Rosenthal and Weger. Next, we explain why XGRS is a sub-instance
of the SSRS scheme.
5.1.1. Parameters. — The cryptosystem is publicly parametrised by:
– q a prime power;
– m an integer;
– λ such that 2 6 λ < m;
– n, k such that 0 6 k < n 6 q m and km > (m − λ)n.

q m λ n k Public Key Size (kB)

13 3 2 1258 1031 579
7 4 2 1872 1666 844
Table 1. Parameters proposed for the XGRS scheme [KRW21]

Remark 36. — As suggested by the parameters in Table 1, m is a small integer. The preprint
version of the paper [KRW19] proposed to use m = 2 with a slightly modified key generation.
The proposed parameters are now m = 3 and m = 4.
5.1.2. Key Generation. —
– Generate uniformly random vectors (x, y) ∈ Fnqm × (F× n
qm ) such that x has distinct entries.
Denote C = GRSk (x, y) and let H sec be a parity-check matrix of C .
– Choose γ, a primitive element of Fqm /Fq , i.e. a generator of the field extension. We consider
the basis Bγ = (1, γ, . . . , γ m−1 ) of Fqm .
def m(n−k)×mn
– Set H = ExpMatBγ∗ (H sec ) ∈ Fq a parity-check matrix of ExpBγ (C ).
– For any i ∈ J0, n − 1K, choose Li a random subset of J(i − 1)m, im − 1K of size |Li | = m − λ.
Set L = ∪i Li .
def m(n−k)×λn
– Set H L = PctL (H) ∈ Fq .
– For any i ∈ J0, n − 1K, choose Qi a random λ × λ invertible matrix. Denote by Q the
block-diagonal matrix having Q0 , . . . , Qn−1 as diagonal blocks.
– Denote by S the invertible matrix of Fq such that S · H L · Q is in systematic form.
def
– Set H pub = S · H L · Q.
– The public key is H pub , the private key is (x, y, Q, L, γ).
14 ALAIN COUVREUR & MATTHIEU LEQUESNE

Remark 37. — Compared to the cryptosystem presented in [KRW21], we omitted the block
permutation. Indeed, applying a block permutation after expanding is equivalent to applying the
permutation before the expansion and then expanding. As we start with a GRS code chosen
uniformly at random, applying a permutation on the columns does not change the probability
distribution of the public keys.
def
5.1.3. Encryption. — Recall that t = ⌊ n−k 2 ⌋ the error–correcting capacity of a GRS code of
length n and dimension k. The message is encoded as a vector y ∈ Fλn q whose support is included
in t blocks of length λ, i.e. there exist positions i0 , . . . , it−1 ∈ J0, n − 1K, such that
[
Support(y) ⊆ Jλ(iℓ − 1), λiℓ − 1K.
06ℓ6t−1

The ciphertext is then defined as c = H pub · y ⊺ .

⊺

5.1.4. Decryption. — In order to decrypt the ciphertext, a user knowing the private key should:
– generate H sec from x and y.
⊺
– compute c′ = c · S −1 ;
– compute c′′ = SqueezeBγ (c′ );
⊺ ⊺
– find y ′′ ∈ Fnqm of weight |y ′′ | 6 t such that c′′ = H sec y ′′ (i.e. decode in C );
 
– compute y ′ = PctL ExpBγ (y ′′ ) ;

⊺
– finally recover y = y ′ · Q−1 .

5.2. Relation with the SSRS scheme. — To conclude this section, we show that the XGRS
scheme is a sub-instance of the SSRS scheme presented in Section 3.4.

Proposition 38. — The XGRS scheme with secret key (x, y, Q, L, γ) is equivalent to the SSRS
scheme with secret key (x, S0 , . . . , Sn−1 ) where the subspaces Si are defined as follows.
(0) def def
– Let Bi = PctLi (Bγ ) ∈ Fλqm where Li = {j − mi, ∀j ∈ L ∩ Jim, (i + 1)m − 1K}.
(1) def (0) ⊺
– Set Bi = yi−1 Bi · (Q−1 i ) .
(1)
– Si is the subspace of Fqm spanned by the elements of Bi .

Proof. — Let Cpub denote the public code of an instance of the XGRS scheme with private key
(x, y, Q, L, γ), i.e. Cpub is the code over Fq that admits the public key H pub as parity-check matrix.
We have
 
Cpub = Dual h H pub iFq
 
= Dual h H L · Q iFq .

def
⊺
Let us define Q(1) = Q−1 . This is still a block-diagonal matrix composed of n blocks of
size λ × λ. We can rewrite this
 
Cpub = Dual h H L iFq · Q(1) .
 
We can replace H L by its definition: PctL ExpMatBγ∗ (H sec ) . Next, we can swap the Dual
and Punct operators according to Proposition 4:
   
Cpub = ShL Dual ExpBγ∗ h H sec iFq · Q(1) .

We can then swap the Dual and Exp operators according to Corollary 33.
   
Cpub = ShL ExpBγ Dual h H sec iFq · Q(1) .
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 15

 
Let Gsec be a generator matrix of the secret code Dual h H sec iFq , i.e. a generator matrix of
the code GRSk (x, y). We have
  
Cpub = ShL ExpBγ h Gsec iFq · Q(1) .

Let us denote Q(2) the block-diagonal matrix obtained by replacing each λ×λ matrix of Q(1) by
the m × m matrix obtained by inserting “an identity row/column” at the positions corresponding
to L. For instance, if m = 3, λ = 2 and the first element of L equals 1, which means that the
(1)
column 1 is shortened, we add a column and a row in the middle of Q0 , i.e.
 
  q00 0 q01
(1) q00 q01 (2)
if Q0 = , then Q0 =  0 1 0  .
q10 q11
q10 0 q11
Hence, we can write D E 
(2)
Cpub = ShL ExpMatBγ (Gsec ) · Q .
Fq
(3) (2)
We define Qi as the matrix obtained from Qi by permuting the columns so that the inserted
columns are the m − λ rightmost ones. For instance in the previous example, we would have
 
q00 q01 0
(3)
Q0 =  0 0 1 .
q10 q11 0
Therefore, Q(3) = Q(2) P where P is a block–diagonal matrix whose diagonal blocks are m × m
permutations matrices. Then, we replace L by the set J (λ, m) = {mi+j | 0 6 i < n, λ 6 j < m}.
Hence, we get D E 
(3)
Cpub = ShJ (λ,m) ExpMatBγ (Gsec ) · Q .
Fq
We can apply the basis change explained in Lemma 34.
D E 
Cpub = ShJ (λ,m) ExpMat(Bi′ ) (Gsec ) ,
i Fq
 ⊺
def (3)
where Bi′ = Bγ · (Qi )−1 for all i ∈ J0, n − 1K. Finally, we apply Proposition 28 and Lemma 35
to replace the code GRSk (x, y) by RSk (x). Hence,
D E 
Cpub = ShJ (λ,m) ExpMat(Bi )i (G′sec ) ,
Fq

def
where G′sec is a generator matrix of RSk (x) and Bi = yi−1 Bi′ for all i ∈ J0, n − 1K. In other words,
Cpub = RSk (x)|(S0 ,...,Sn−1 ) , where Si is the subspace spanned by the λ first elements of Bi . This
is indeed an instance of the SSRS cryptosystem.

6. Twisted-square code and distinguisher

In this section, we first recall how the star product of codes may distinguish some codes such
as Reed–Solomon codes from random ones. It turns out that the raw use of the star product
is not sufficient to distinguish SSRS codes from random codes. Therefore, in the second part
of this section, we introduce a new notion called twisted star product. We first explore the case
m = 3, λ = 2 to give some insight on the interest of defining this twisted star product of two
subspace subcodes. Then, we define this notion for other parameters. Note that a similar notion
appears in Randriambololona’s work on the existence of asymptotically good binary codes with
asymptotically good squares [Ran13]. In the third part of the section, we focus on the dimension
of the twisted square codes and how it can be used as a distinguisher.
We refer to Figure 2 for a diagram summarising the relations between the various statements
to follow.
16 ALAIN COUVREUR & MATTHIEU LEQUESNE

6.1. Square code distinguisher. — The notion of star product has been recalled in Section 2.3.
We recall the following result on the generic behaviour of random codes with respect to this
operation.

Theorem 39. — ([CCMZ15, Theorem 2.3], informal) For a linear code R chosen
at random
over Fq of dimension k and length n, the dimension of R ⋆2 is typically min(n, k+1
2 ).

Theorem 39 provides a distinguisher between random codes and algebraically struc-

tured codes such as generalised Reed–Solomon codes and their low–codimensional sub-
codes [Wie10, CGG+ 14], Reed–Muller codes [CB14], polar codes [BCD+ 16] some Goppa
codes [COT14b, COT17], high–rate alternant codes [FGO+ 11] or algebraic geometry
codes [CMCP14, CMCP17]. For instance, in the case of GRS codes, we have the follow-
ing result.

Proposition 40. — Let n, k, x, y be as in Definition 1. Then,

⋆2
(GRSk (x, y)) = GRS2k−1 (x, y ⋆ y).
In particular, if k 6 n/2, then
⋆2
dim (GRSk (x, y)) = 2k − 1.

Thus, compared to random codes whose square have dimension quadratic in the dimension of
the code, the square of a GRS code has a dimension which is linear in that of the original code.
This criterion allows to distinguish GRS codes of appropriate dimension from random codes. A
rich literature of cryptanalysis of code–based encryption primitives involves this operation.
In an initial version of the XGRS cryptosystem, submitted on ArXiv [KRW19], such a dis-
tinguisher could be applied to the cryptosystem and lead to an attack. The authors changed the
cryptosystem in order to avoid such attacks. The new parameters are out of reach of a distin-
guisher based on the square code operation. This motivates the introduction of an alternative
product.

6.2. The twisted square product. — In the remainder of this section, for the sake of sim-
plicity, are stated using the same subspace and expansion basis for all blocks but they can be
straightforwardly generalised to the case of various subspaces and expansion bases.
6.2.1. Motivation: the case λ = 2, m = 3. — In this section, we consider the case λ = 2, m = 3.
Let us introduce a definition that is needed in the sequel.

Definition 41. — Let S ⊆ Fqm be an Fq –vector space, we define the square subspace
def
S 2 = h ab | a, b ∈ S iFq .

Lemma 42. — Let S be a subspace of Fqm of dimension 2. Let BS = (γ0 , γ1 ) be a basis of S.

Let a, b ∈ S such that
ExpBS ((a)) = (a0 , a1 ) and ExpBS ((b)) = (b0 , b1 ).
Then,
ExpBS 2 ((ab)) = (a0 b0 , a0 b1 + a1 b0 , a1 b1 ),
where BS 2 = (γ02 , γ0 γ1 , γ12 ).

Remark 43. — Note that when m = 3 and dim S = 2, we have S 2 = Fq3 . Indeed, let (γ0 , γ1 )
def
be a basis of S, if γ02 , γ0 γ1 and γ12 were not Fq -independent, denoting ζ = γ1 /γ0 , then 1, ζ and ζ 2
would not be Fq -independent either. Hence ζ would have degree 6 2 over Fq . But by definition
ζ 6∈ Fq .
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 17

Consider the SSRS scheme with
m = 3, λ = 2. The public key is a generator matrix G of
Exp(BS0 ,...,BS ) C|(S0 ,...,Sn−1 ) . From an attacker’s point of view, the spaces S0 , . . . , Sn−1 and
n−1
their bases BS0 , . . . , BSn−1 are unknown. But, we have access to the entries of G, in particular we
have access to the coefficients a0 , a1 (resp. b0 , b1 ) of the decomposition in the basis Bi of the i–th
entry of some codewords of C . Hence, the coefficients of the product ab in the basis (γ02 , γ0 γ1 , γ12 )
of Si2 can be computed without knowing neither C nor the basis Bi . This motivates the
following definition.

Definition 44 (Twisted product). — Let a and b in F2n

q whose components are denoted
(0) (1) (0) (1) (0) (1)
a = (a0 , a0 , a1 , a1 , . . . , an−1 , an−1 );
(0) (1) (0) (1) (0) (1)
b = (b0 , b0 , b1 , b1 , . . . , bn−1 , bn−1 ).
We define the twisted product of a and b as
def (0) (0) (0) (1) (1) (0) (1) (1)
a˜
⋆ b = (ai bi , ai bi + ai bi , ai bi )06i6n−1 ∈ F3n
q .

This definition extends to the product of codes, where the twisted product of two codes A and
B ⊆ F2n
q is defined as
def
A˜
⋆B = h a ˜⋆ b | a ∈ A , b ∈ B iFq .
def
In particular, A ˜⋆2 denotes the twisted square code of a code A : A ⋆˜2 = A ˜⋆A .

With this definition, we can rewrite Lemma 42 for vectors in the following way.

Lemma 45. — Let S be a subspace of Fqm of dimension 2. Let BS = (γ0 , γ1 ) be a basis of S.

Let a, b ∈ Fnqm such that all their entries lie in S. Then,
ExpBS (a) ˜⋆ ExpBS (b) = ExpBS 2 (a ⋆ b),

where BS 2 = (γ02 , γ0 γ1 , γ12 ).

Extending this result to codes, we obtain the following theorem.

Theorem 46. — Let C be an [n, k]-code over Fqm and S a subspace of Fqm of dimension λ. Let
BS = (γ0 , γ1 ) be an Fq –basis of S. Then,

⋆˜2 
⋆2 
(4) ExpBS (C|S ) = ExpBS 2 C|S F ,
q

where BS 2 = (γ02 , γ0 γ1 , γ12 ). This results generalises straightforwardly to an expansion over various
subspaces.

Proof. — This is a direct consequence of Lemma 45 by definition of the Exp operator and by
Fq -linearity of Exp.

Note that in our case, because S 2 = Fqm , the basis BS 2 in (4) is a full basis of Fqm . Theorem 46
is summarised by the following diagram.
( · )|S ( · )⋆2
Fq
⋆2
C C|S C|S Fq

ExpB ExpB ExpB

S S2

˜2
ShJ (λ,m) ( · ) ( · )⋆

⋆2 
ExpB (C ) ExpBS (C|S ) ExpBS 2 C|S Fq
18 ALAIN COUVREUR & MATTHIEU LEQUESNE

6.2.2. General definition of the twisted square code. —

Remark 47. — This section is a generalisation of the previous definitions and results. A reader
only interested in the practical aspects of the attack can skip directly to Section 6.3.
For arbitrary λ > 2, we have the following definition.
Definition 48 (Twisted square product, general case). — Let a and b in Fλn
q whose
components are denoted
a = (a0,0 , . . . , a0,λ−1 , a1,0 , . . . , a1,λ−1 , . . . , an−1,0 , . . . , an−1,λ−1 ),
b = (b0,0 , . . . , b0,λ−1 , b1,0 , . . . , b1,λ−1 , . . . , bn−1,0 , . . . , bn−1,λ−1 ).
(λ+1)n
We define the twisted product a ˜ ⋆ b ∈ Fq 2 of a and b such that for any i ∈ J0, n − 1K and for
r, s such that 0 6 r 6 s 6 λ − 1,

def ai,r bi,s + ai,s bi,r if r < s
(a ˜
⋆ b)i(λ+1)+(s+1)+r =
2 2 ai,r bi,r if r = s.
This definition extends to the product of codes, where the twisted product of two codes A and
B ⊆ Fλn
q is defined as
def
A˜
⋆B = h a ˜⋆ b | a ∈ A , b ∈ B iFq .
def
In particular, A ˜⋆2 denotes the twisted square code of a code A : A ⋆˜2 = A ˜⋆A .
We are interested in the case where S 2 = Fqm , because the goal is to reconstruct a fully
n expanded

o
code. For a random subspace S ⊆ Fqm of dimension λ, its dimension is typically min λ+1 2 ,m .
The case m = 3, λ = 2 is a special case where λ+1


2 = m. Hence, for other parameters m, λ such
that λ+1 But when λ+1



2 = m, Theorem 46 generalises straightforwardly. 2 > m, the twisted
square code does not correspond to an expanded code. It is as if the code were expanded over a
generating family of Fqm which is not a basis: the vectors are too long. A way to circumvent this
and to obtain a result similar to Theorem 46 is to shorten the twisted square code to cancel the
useless columns and obtain an expansion over a basis. This yields the following results.
Lemma 49. — Let S be a subspace of Fqm of dimension λ such that S 2 = Fqm . Let BS =
(γ0 , . . . , γλ−1 ) be an Fq –basis of S. Let BS 2 denote the first m elements of (γ02 , γ0 γ1 , . . . , γ0 γi ,
γ1 γi , . . . , γi2 , . . . , γλ−1
2
). Let a, b ∈ Fnqm whose entries all lie in S. Denote c the vector of length
λ+1


2 n over Fq defined as
def
c = ExpBS (a) ˜⋆ ExpBS (b).
Let K(λ, m) denote the set
def
n o
λ+1 λ+1



(5) K(λ, m) = 2 i + j, i ∈ J0, n − 1K, j ∈ Jm, 2 − 1K .
If BS 2 is a basis of Fqm and for any i ∈ K(λ, m), the i–th entry of c is zero, then,
(6) PctK(λ,m) (c) = ExpBS 2 (a ⋆ b).
Proof. — Let c be defined as in the statement. We want to prove that
SqueezeBS 2 (PctK(λ,m) (c)) = a ⋆ b.
This is equivalent to Equation (6) because BS 2 is a basis of Fqm . Without loss of generality, we
only need to focus on the block corresponding to the first entry in Fqm .
Let (a0 , . . . , aλ−1 ) and (b0 , . . . , bλ−1 ) denote the decomposition of the first entries of a (resp.
b) over BS . The first entry of a ⋆ b is
! 
X X X
a i γi  a j γj  = ci,j γi γj ,
i j 06i6j<λ
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 19

where the coefficients ci,j match exactly the definition of the twisted square product, hence corre-
spond to the entries of c.
Let Bfull denote the family (γ02 , γ0 γ1 , . . . , γ0 γi , γ1 γi , . . . , γi2 , . . . , γλ−1
2
). The last entries of each
block of c are equal to zero. This corresponds exactly to the elements of Bfull that are not in BS 2 .
We therefore have
SqueezeBS 2 (PctK(λ,m) (c)) = SqueezeBfull (c) = a ⋆ b.

This leads to the following main statement, which is the generalisation of Theorem 46.
Theorem 50. — Let C be an [n, k] code over Fqm and S a subspace of Fqm of dimension λ such
that S 2 = Fqm . Let BS = (γ0 , . . . , γλ−1 ) be an Fq –basis of S. Then,

˜⋆2  
⋆2 
(7) ShK(λ,m) ExpBS (C|S ) ⊆ ExpBS 2 C|S Fq ,

where BS 2 and K(λ, m) are defined as in Lemma 49, provided BS 2 is a basis of Fqm . This result
generalises straightforwardly to an expansion over various subspaces and bases.
Proof. — We intend to apply Lemma 49. This lemma has two conditions. The first condition is
met by shortening the left-hand term. Indeed, the effect of shortening is that we keep only the
words whose entries indexed by K(λ, m) are all equal to zero. The second condition (BS 2 being a
basis) is a hypothesis.
Compared to Lemma 49 and its proof, one should be careful that in general ShK(λ,m) A ˜⋆2

(where A denotes ExpBS (C|S )) is not spanned by words of the form PctK(λ,m) (a˜⋆b) with a, b ∈
ExpB (A ) but by linear combinations, i.e. words of the form
⋆b0 + · · · + as ˜⋆bs ) ,
PctK(λ,m) (a0 ˜ for a0 , . . . , as , b0 , . . . , bs ∈ A .
Therefore, one needs to apply the very same reasoning as that of the proof of Lemma 49 replacing
a˜⋆b by a sum of such vectors. This is not a problem and the proof generalises straightforwardly,
since all the involved operators are linear.
Finally, because of the shortening operation, we only obtain an inclusion and not an equality.
Remark 51. — In the special case λ+1


2 = m, K(λ, m) = ∅, therefore the shortening is useless
and the inclusion in (7) is an equality.
Remark 52. — In the sequel, we see that under a reasonable conjecture and some condition,
the inclusion in (7) is an equality.

6.3. Dimension of the twisted square of subspace subcodes. —

6.3.1. Typical dimension of the twisted square of a random subspace subcode. — Similarly to
Theorem 39 on squares of random codes, we expect that twisted squares of random codes typically
have the largest possible dimension. For this reason, we state the following conjecture which is
confirmed by our experimental observations using the computer algebra software Sage.
Conjecture 53. — For any positive integer k such that 2k 6 n, any Fq –subspace S ⊆ Fnqm of
dimension λ > 2 such that S 2 = Fqm and any Fq –basis BS of S, let R denote an [n, k] code chosen
uniformly at random, then
    

⋆˜2 λ+1 km − n(m − λ) + 1
P dimFq ExpBS (R|S ) = min n, −→ 1.
2 2 k→∞

It is worth noting that in general λ+1

2 > m. In such a case, as already mentioned before

⋆˜2
stating Lemma 49, the code ExpBS R|S represents something which is not an expansion
of a code with respect to a basis of Fqm but rather a kind of expansion with respect to a
family of generators of the set S 2 . This family is denoted Bfull in the proof of Lemma 49. This
set spans S 2 but is not linearly independent in general. Hence, given a vector with entries in Fnqm ,
20 ALAIN COUVREUR & MATTHIEU LEQUESNE

the decomposition with respect to this family of generators is not unique. For this reason, it is
difficult to identify the twisted square code with the expansion of another code.
To ensure the unique decomposition, the key idea is to proceed as in the statement of Theorem 50
and to shorten the twisted
square code on the positions of theλ+1 set
K(λ, m) introduced in (5),
i.e. shortening the last λ+1
2 −m positions of each block of length 2 . According to Theorem 50,
a codeword in ShK(λ,m) ExpBS (R|S )˜⋆2 is the expansion of a codeword of R ⋆2 in a given basis of

Fqm . The latter property is in general not satisfied by codewords of ExpBS (R|S )˜⋆2 . Therefore, this
shortened code turns out to be a more relevant object of study and its dimension is of particular
interest in the sequel. This dimension is the purpose of the following statement.

Corollary 54. — Let R be a uniformly random [n, k] code over Fqm and S ⊆ Fqm be a subspace
such that S 2 = Fqm . Denote by K(λ, m) the set introduced in (5). Then, under Conjecture 53, we
typically have
dimFq ShK(λ,m) ExpBS (R|S )˜⋆2 >

(8)
     
km − n(m − λ) + 1 λ+1
min mn, −n −m .
2 2
6.3.2. Typical dimension of the twisted square of a subspace subcode of a RS code. — On the other
hand, subspace subcodes of Reed–Solomon codes have a different behaviour. Indeed, Theorem 50
yields the following result.

Corollary 55. — Given a GRS code C = GRSk (x, y) and an Fq –subspace S ⊆ Fqm of dimen-
sion λ < m such that S 2 = Fqm . Denote by K(λ, m) the set introduced in (5). Then,

⋆˜2 
(9) dimFq ShK(λ,m) ExpBS (C|S ) 6 min{mn, m(2k − 1)}.

6.3.3. The distinguisher. — Putting the previous statements together, the twisted product pro-
vides a distinguisher between expanded subspace subcodes of GRS codes and expanded subspace
subcodes of random codes.

Theorem 56. — Let k be a positive integer, S ⊆ Fnqm of dimension λ > 2 an Fq –subspace such
that S 2 = Fqm , BS an Fq –basis. Let D be defined as ExpBS (C|S ), where C is either a random
[n, k] code over Fqm or an [n, k] GRS code over Fqm . Suppose also that
     
km − n(m − λ) + 1 λ+1
(10) m(2k − 1) < min mn, −n −m .
2 2
Then, assuming Conjecture 53, the computation of dimFq ShK(λ,m) D ˜⋆2 provides a polynomial-

time algorithm which decides whether C is an RS code or a random code and succeeds with high
probability. This extends straightforwardly to the case of multiple spaces and bases.

Remark 57. — Condition (10) entails in particular 2k 6 n, which is a necessary condition for
the distinguisher to succeed. Indeed, if 2k > n, the square code of the GRS code spans the whole
space Fnqm . Hence it cannot be distinguished from a random code. When this condition is not
met, it is sometimes possible to shorten the code so that the shortened code meets this condition.
This is addressed in Section 6.3.5.

6.3.4. Experimental results. — Using the computer algebra software Sage, we tested the be-
haviour of the dimension of the twisted square (shortened at K(λ, m)) of subspace subcodes either
of random codes or of RS codes. For each parameter set (see Table 2), we ran more than 100 tests
and none of them yielded dimensions of the twisted square that was different from the bounds
given either by Conjecture 53 or by Corollary 55.
In particular, these experiments show that bounds (8) and (9) are typically equalities. Note
that this observation is not necessary to distinguish the codes but it will be useful for the attack
presented in Section 7.
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 21

Bounds on Actual
Parent code q m λ n k the dimension
Dimension

of ShK(λ,m) C ⋆˜2 of ShK(λ,m) C ⋆˜2
Random 7 3 2 120 55 > 360 360
RS 7 3 2 120 55 6 327 327
Random 7 5 3 160 75 > 800 800
RS 7 5 3 160 75 6 745 745
Table 2. Parameter sets for the tests. The code C is the shortening at m − λ positions
per block of the expansion of a parent code. The parent code is either random or a Reed–
Solomon code, as indicated in the first column of the table. The penultimate column
gives the bounds on the dimension of the twisted square code shortened at K(λ, m):
a lower bound for random codes (Corollary 54) and an upper bound for SSRS codes
(Corollary 55). The last column gives the actual dimension of the twisted square code
computed using Sage. For each set of parameters, at least 100 tests were run and the
actual dimension never differed from the bounds. We observe in particular that the
bounds stated in Corollaries 54 and 55 are typically equalities.

6.3.5. Broadening the range of the distinguisher by shortening. — Similarly to the works
[CGG+ 14, COT17], the range of the distinguisher can be broadened by shortening the public
code. This can make the distinguisher work in some cases when 2k > n. The idea is to shorten
some blocks of length λ (corresponding to a given position of the original code in Fnqm ). For each
shortened block the degree k is decreased by 1. Indeed, from Lemma 31 shortening a whole block
corresponds to shortening the corresponding position of the parent code over Fqm .
Let us investigate the condition for this to work. Let s0 be the least positive integer such that
2(k − s0 ) − 1 < n − s0 , i.e.
def
s0 = 2k − n.
If one shortens the public code at s > s0 blocks, which corresponds to s(m − λ) positions, we can
apply Theorem 56 on the shortened code. The condition of the theorem becomes
     
m(k − s) − (n − s)(m − λ) + 1 λ+1
m(2(k −s)−1) < min m(n − s), − (n − s) −m .
2 2
Example 58. — Consider the parameters of XGRS in the first row of Table 1. Suppose we
shorten s = 820 blocks of the public key (i.e. 1260 positions of the parent GRS code). It corre-
sponds to reduce to n′ = n − s = 438 and k ′ = k − s = 211. The shortened public key will have
dimension 195. Thus, the twisted square of the shortened public key will typically have dimension
1263 while the twisted square of an expanded subspace subcode of a random code would have full
length, i.e. 3(n − s) = 1314.
6.3.6. Limits of the distinguisher: the “m/2 barrier”. — Suppose that λ 6 m 2 and let C be a
GRS code of dimension k and S a subspace of dimension λ such that the SSRS code reaches the
typical dimension (see Propositions 12 and 14), i.e. dimFq C|S = km − n(m − λ).
For this dimension to be positive, we must have
 
λ n
k >n 1− > ·
m 2
This is incompatible with the necessary condition 2k 6 n (see Remark 57) and cannot be
overcome by shortening blocks as described in Section 6.3.5. Hence, whenever λ 6 m/2, the
distinguisher is ineffective.
Remark 59. — In [COT14b, COT17] a distinguisher on so–called wild Goppa codes over
quadratic extensions is established using the square code operation after a suitable shortening.
This corresponds precisely to the case λ = 1 and m = 2 which, according to the previous discussion,
should be out of reach of the distinguisher. The reason why this distinguisher is efficient for these
22 ALAIN COUVREUR & MATTHIEU LEQUESNE

parameters is precisely because the dimension of such codes significantly exceeds the lower bound
of Proposition 12 (see [SKHN76, COT14a]).

 Theorem

˜  50 

Sh Exp(C|S ) ⋆2 ⊆ Exp C|S ⋆2
F q

Conjecture 53 Conjecture 60 
Typical dimension 
˜ 


˜ Sh Exp(C|S ) ⋆2 ⊇ Exp C|S ⋆2
of Exp R|S ⋆2 F q

Corollary 54 Corollary 55 
⋆˜2  
⋆2  Conjecture 62i

Sh Exp(C|S ) = Exp C|S
h
Lower bound Upper bound C|S ⋆2

⋆2
= C|S
Fq P F 2 → 1
for random codes for RS codes q


⋆˜2   
⋆2
Sh Exp(C|S ) = Exp C|S 2

Theorem 56 Theorem 63
Distinguisher [BGK19]

Attack

Figure 2. Informal summary of the statements. Any statement is the consequence of

the statements pointing to it.

7. Attacking the SSRS scheme

In this section, we describe how to use these tools to attack the SSRS scheme. For the sake
of convenience, we first focus on the parameters with m = 3, λ = 2 and then discuss the general
case.

7.1. Further conjectures for the attack. — As explained in Section 6.3.4 our experiments
show that Inequalities (8) and (9) are typically equalities. This encourages us to state the following
two conjectures.
Conjecture 60. — Let S, BS , BS 2 , K(λ, m) be as in Theorem 50 and suppose that Equation (10)
is satisfied. If C is an [n, k] GRS code, then, with high probability, the inclusion of Equation (7)
is an equality, i.e. 
˜⋆2  
⋆2 
ShK(λ,m) ExpBS (C|S ) = ExpBS 2 C|S Fq .

In addition, the right–hand term of the last equality satisfies the following inclusion.
Lemma 61. — Let C ⊆ Fnqm and S ⊆ Fqm be an Fq –vector space. Then

⋆2
C|S F ⊆ C ⋆2 |S 2 .


(11)
q

Proof. — It suffices to observe that the result holds on Fq –generators. Let a, b ∈ C|S . Then,
a⋆b ∈ C ⋆2 . In addition, for any i ∈ {0, . . . , n−1}, we have (a⋆b)i ∈ S 2 . Thus, a⋆b ∈ (C ⋆2 )|S 2 .
Moreover, Inclusion (11) turns out to be typically an equality in the case of GRS codes as
suggested by the following conjecture.
Conjecture 62. — Let S, BS , BS 2 , K(λ, m) be as in Theorem 50 and suppose that Equation (10)
is satisfied. If C is an [n, k] GRS code, then, with high probability, the inclusion of Equation (11)
is an equality, i.e.

⋆2
C|S F = C ⋆2 |S 2 .


q
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 23

7.2. The case m = 3 and λ = 2. —

7.2.1. Constructing the square code. — Let Cpub be the public code of an instance of the SSRS
scheme. This code is described by a generator matrix Gpub which is the only data we have access
to. We know that there exist unknown spaces S0 , . . . , Sn−1 with bases BSi = (bi,0 , bi,1 ) and an RS
code over Fqm such that  
Cpub = Exp(BS ) RSk (x)|(Si ) .
i i i
˜2
⋆
We can compute the generator matrix of the twisted square code Cpub , which according to
Theorem 46 is equal to 
⋆2 
ExpB  RSk (x)|(Si )i F ,
S2 q
i i
def
where BSi2 = (b2i,0 , bi,0 bi,1 , b2i,1 ). Moreover, assuming Conjecture 62, this code is likely to be equal
to
ExpB  (RS2k−1 (x)) .
S2
i i

It is important to stress that, at this stage, we do not know the value of x nor the BSi or the BSi2 .
7.2.2. Finding the value of x. — We now have access to a fully expanded RS code (and not a
subspace subcode) and want to use this to find the value of x. In fact, the authors of [BGK19]
propose an algorithm to solve this problem, by using a generalisation of the algorithm of Sidelnikov
and Shestakov [SS92] to recover the structure of GRS codes.
Theorem 63. — [BGK19, § IV.B] Let x = (x0 , . . . , xn−1 ) ∈ Fnqm be a vector with distinct
entries and B0 , . . . , Bn−1 be an n–tuple of Fq –bases of Fqm . Let
C = Exp(Bi )i (RSk (x)).
There exists a polynomial time algorithm which
takes as inputs C , three distinct elements x′0 , x′1 , x′2 ∈ Fqm and an Fq –basis B0′ of Fqm ;
and returns x′3 , . . . , x′n−1 ∈ Fnqm and Fq –bases (B1′ , . . . , Bn−1
′
) of Fqm such that
′ ′
C = Exp(B0′ ,...,Bn−1
′ ) (RSk ((x0 , . . . , xn−1 ))).

The principle of the algorithm is very similar to that of Sidelnikov Shestakov. Starting from
a systematic generator matrix of an expanded Reed–Solomon code, the hidden structure of the
RS code is deduced from relations satisfied by the m × m blocks of the right hand side of this
systematic generator matrix.
Remark 64. — Theorem 63 asserts in particular that the choice of three values of the support
together with one basis uniquely determines a pair (x, (Bi )i ) describing a code Exp(Bi )i (x).
Using this Theorem 63, we obtain a vector x′ and Fq –bases Bi′ of Fq3 such that
˜
⋆2
Cpub = Exp(Bi′ ) (RS2k−1 (x′ )).
i

′
Remark 65. — Note that the value of x is not necessarily the same as the one contained in the
secret key but we are looking for an equivalent secret key, i.e. we only need a code description
which allows us to decode.
7.2.3. Recovering a secret key. — Once x′ is found, there remains to find bases BS0′ , . . . , BSn−1
′

of 2–dimensional subspaces S0′ , . . . , Sn−1

′
⊆ Fq3 such that
Cpub = ExpB  (RSk (x′ )).
S′
i i

These bases can be obtained by solving a linear system. They are the pairs
(0) (1) (0) (1)
BS0′ = (b0 , b0 ), . . . , BSn−1
′ = (bn−1 , bn−1 )
such that
SqueezeB  (Cpub ) ⊆ RSk (x′ ),
S′
i i
24 ALAIN COUVREUR & MATTHIEU LEQUESNE

which can be equated as follows. Let H be a parity–check matrix of RSk (x) and Gpub a generator
matrix of Cpub . Let
 (0) 
b0 (0)
 (1)
b0


 (0) 

 b 1


(1)
B= b1  ∈ F2n×n .
 
q3
 .. 

 . 

(0) 
bn−1 


(1)
(0) bn−1
The unknown entries of B are the solutions of the linear system
(12) Gpub BH ⊺ = 0.
There are
– 2n unknowns in Fq3 which yields 6n unknowns in Fq ;
– for (3k − n)(n − k) = O(n2 ) equations.
Thus, the matrix B is very likely to be the unique solution up to a scalar multiple. From this, we
obtain a complete equivalent secret key, which allows to decrypt any ciphertext.

Remark 66. — After presenting a polynomial time recovery of the structure of expanded GRS
codes in [BGK19, § IV.B], the extension to expanded SSRS codes is discussed [BGK19, § VI.C].
The suggested approach consists in performing a brute–force search on the expansion bases
B0 , . . . , Bn−1 . But the cost of such an approach is exponential in n and λ. Our use of the
twisted square code allows to address the same problem in polynomial time.

7.2.4. Extending the reach of the attack by shortening blocks. — As explained in Section 6.3.5, it
˜2
⋆
may happen that Cpub = F3nq , i.e. the twisted square of the public code equals the whole ambient
space. In such a situation, the distinguisher fails and so does the attack. To overcome this issue, it
is sometimes possible to shorten a fixed number s of blocks of Cpub and apply the previous attack
to this block–shortened code.
More precisely, let I ⊆ J0, 2n − 1K be a set of indices corresponding to a union of blocks,
i.e. of the form I = {2i0 , 2i0 + 1, . . . , 2is , 2is + 1}. We apply the previous algorithm to the code
ShI (Cpub ) which returns ((x′i )i∈I ′
/ , (Bi )i6∈I ) such that

˜
ShI (Cpub )⋆2 = Exp(Bi′ )i∈I
/
((x′i )i∈I
/ ).

Recall that the choice of three of the x′i ’s and one of the Bi ’s entirely determines the other ones.
Then, one can re-apply the same process with another set of blocks I1 such that there are at least
3 that are neither in I0 nor in I1 . This allows to deduce new values for xi ’s for i ∈ I \ I1 . And
we repeat this operation until x′ is entirely computed. Then, we proceed as in Section 7.2.3 to
recover the rest of the secret key.
7.2.5. Application: attacking some parameters of the XGRS system. — The proposed attack
efficiently breaks all parameters of Type I proposed in [KRW21] (i.e. with λ = 2 and m = 3).
˜
⋆2
Using a Sage implementation, the calculation of Cpub takes a few minutes. Next, we obtained a
full key recovery using the “guess and squeeze” approach described further in Section 7.6 followed
by a usual Sidelnikov Shestakov attack. The overall attack runs in less than one hour for keys
corresponding to a claimed security level of 256 bits. The previously described approach consisting
˜
⋆2
in applying directly the algorithm of [BGK19, § VI.B] on Cpub has not been implemented but is
probably even more efficient.

7.3. The general case. — The attack presented in Section 7.2 generalises straightforwardly
(up to the following details) when the conditions of Conjecture 60 are met.
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 25

 
˜2
⋆ ˜2
⋆
– According to Theorem 50, we should no longer work with Cpub but with ShK(λ,m) Cpub ,
where K(λ, m) is defined in Lemma 49 (5). Assuming Conjectures 60 and 62, we deduce
that this code is the expansion of a GRS code. Hence, the algorithm of [BGK19, § VI.B]
can be applied to it.
– The recovery of the subspaces and bases described in Section 7.2.3 involves a matrix B ∈
Fλn×n
q with λn nonzero entries, which will be the unknowns of the system (12). Hence, this
system has λn unknowns in Fqm , i.e. λmn unknowns in Fq for (mk−n(m−λ))(n−k) = O(n2 )
equations. As the value of m (and hence λ) remain very small compared to n, there is still
in general a unique solution up to a scalar multiple.

7.4. Summary of the attack. — The attack can be summarised by the following algorithms,
depending on the values of k and n.

Algorithm 1 The attack when 2k 6 n

 
˜
⋆2 λ+1


1: Compute ShK(λ,m) Cpub , where K(λ, m) is the the union of the last 2 − m positions of
each block (see Lemma 30 (3));
2: Apply the algorithm of [BGK19, § VI.B] to recover a support x of the parent Reed–Solomon
code;
3: Apply the calculations of Section 7.2.3 to recover the bases Bi .

Algorithm 2 Attack when 2k > n

1: Choose a number s of blocks to shorten satisfying condition (10) so that the distinguisher
succeeds.
2: Pick a union of s blocks I and 
˜
⋆
(a) Compute ShK(λ,m)′ ShI (Cpub ) 2 , where K(λ, m)′ is the union of the last λ+1


2 −m
positions of each block;
(b) Apply the algorithm of [BGK19, § VI.B] to recover a partial support (xi )i∈I
/ ;
(c) Repeat this process with another I until you got the whole support x.
3: Apply the calculations of Section 7.2.3 to recover the bases Bi .

Note that the support of a GRS code is defined up to three degrees of freedom. Hence, in
Algorithm 2, in order to consistently reconstruct the whole support of x, one should make sure
that the set I always includes the first three positions and assign them some fixed arbitrary values.

7.5. Complexity. — For the complexity analysis and according to the parameters proposed in
[KRW21], we suppose that m = O(1), λ = O(1) and k = Θ(n).
7.5.1. Step 1, the twisted square computation. — First let us evaluate the cost of the computation
def
of the twisted square of the code Cpub ⊆ Fλn
q of dimension k0 = (mk − n(m − λ))).
1. Starting from a k0 × λn generator matrix of Cpub , any non ordered pair of rows provides
a generator of the twisted square. Hence there are k02+1 = O(n2 ) generators to compute,

each computation costing n λ+1 operations. This is an overall cost of O(n3 ) operations in


2
Fq .
2. Then, deducing a row echelon generator matrix of this twisted square from these O(n2 )
generators has the cost of the computation of the row echelon form of a O(n2 ) × O(n)
matrix, which requires O(nω+1 ) operations in Fq (see [BCG+ 17, Théorème 8.6]), where
ω 6 3 is the complexity exponent of operations of linear algebra.
Thus, the overall cost of the computation of this twisted square code is O(nω+1 ). In addition,
in the situation where 2k − 1 > n, we need to iterate the calculation on a constant number of
shortenings of the public code, which has no influence on the complexity exponent.
26 ALAIN COUVREUR & MATTHIEU LEQUESNE

Remark 67. — Similarly to the discussions [COT17, § VI.D] and [CMCP17, § VI.B.4], it
is possible to randomly generate O(n) generators of the twisted square code and perform the
echelon form on this subset of generators. This provides the whole twisted square code with a
high probability, reducing the cost of the calculation to O(nω ) operations in Fq .

7.5.2. Step 2, recovering x. — The second step of the attack, i.e. performing the algorithm of
[BGK19, § VI.B] to recover x is not that expensive. A quick analysis of this algorithm allows
to observe that the most time consuming step is the calculation of the systematic form of the
generator matrix, which has actually been performed in the previous step. Therefore, this second
step can be neglected in the complexity analysis.
7.5.3. Step 3, recovering the bases. — Finally, the last step of the attack, consisting in recovering
the bases Bi , boils down to the resolution of a linear system of O(n2 ) equations and O(n) unknowns,
which costs O(nω+1 ) operations.
Summary. The overall cost of the attack is of O(nω+1 ) operations in Fq .

7.6. Recovering the bases for arbitrary expanded codes: guess and squeeze. — To
conclude this section, we present an alternative approach to detect the hidden structure of ex-
panded codes and recover the expansion bases. As explained in Section 7.2.5, this is the approach
we implemented. The advantage of this approach is that it can be applied to expansions of codes
which are not RS codes. Therefore it could be an interesting tool for other cryptanalyses.
Given a code C ⊆ Fnqm and bases B0 , . . . , Bn−1 of Fqm , suppose you only know a generator
matrix of
def
Cexp = Exp(Bi ) (C ).
The objective is to guess the Bi ’s iteratively instead of brute forcing any n–tuple of bases, which
would be prohibitive.

Step 1. Shorten Cexp at k − 1 blocks (which corresponds to m(k − 1) positions). This yields a
code whose dimension most of the times equals m. According to Lemma 31, this is the
expansion of a code of dimension 1 obtained by shortening C at k − 1 positions.
Step 2. Puncture this shortened code in order to keep only two blocks. We get a [2m, m] code
which we call Cexp,tiny ⊆ F2m
q . This code is the expansion of a [2, 1] code called Ctiny ⊆
F2qm obtained from C by shortening k − 1 positions and puncturing the remaining code
in order to keep only 2 positions.
Step 3. Now, for any pair of bases (B0 , B1 ) of Fqm , compute
Squeeze(B0 ,B1 ) (Cexp,tiny ).
The point is that, for a wrong choice of bases, we get a generator matrix with m rows and
2 columns which is very likely to be full rank. Hence a wrong choice provides the trivial
code F2qm . On the other hand, a good choice of bases provides the code Ctiny which has
dimension 1. This property allows to guess the bases.
Actually, according to Lemma 35, if one guesses the bases a0 B0 , a1 B1 for some a0 , a1 ∈ F× qm ,
the squeezing will provide Ctiny ⋆ (a0 , a1 ) which also has dimension 1. Therefore, it is possible to
first guess the bases up to a scalar multiple in F× qm . Therefore, the cost of computing these two
bases is in O(q 2m(m−1) ) operations.
Once the first two bases are known, one can restart the process by with another pair of blocks
involving one of the two blocks for which the basis is already known, which requires O(q m(m−1) )
operations. This yields an overall complexity of O(q 2m(m−1) + nq m(m−1) ) operations in Fq for this
guess and squeeze algorithm.

Remark 68. — Note that in the attack of XGRS scheme, the bases to guess are known to be of
the form (1, γ, γ 2 , . . . , γ m−1 ) for some generator γ ∈ Fqm . This additional information significantly
improves this search and reduce the cost of the calculation of the n bases to O(q 2m + nq m )
operations.
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 27

Remark 69. — Proceeding this way only allows to get back the code C ⋆ a ⊆ Fnqm for an
n
unknown vector a ∈ (F× qm ) . However, this is an important first step. For instance, if C was a
Reed–Solomon, we obtain a generalised Reed–Solomon code whose structure is computable using
Sidelnikov and Shestakov attack. It is then possible to decode.

8. Conclusion
We presented a polynomial time distinguisher on subspace subcodes of Reed–Solomon codes
relying on a new operation called the twisted square product. We are hence able to distinguish
SSRS codes from random ones as soon as the dimension λ of the subspaces exceeds m 2 . From this
distinguisher, we derived an attack breaking in particular the parameter set λ = 2 and m = 3 of
the XGRS system [KRW21].
These results contribute to better understand the security of the McEliece encryption scheme
instantiated with algebraic codes. On the one hand, we have generalised Reed–Solomon codes,
which are known to be insecure since the early 90’s. On the other hand, alternant codes seem
to resist to any attack except some Goppa codes with a very low extension degree [COT17,
FPdP14]. The present work provides an analysis of a family of codes including these two cases as
the two extremities of a spectrum. Concerning the subspace subcodes lying in between, we show
an inherent weakness of SSRS codes when λ > m/2 (See Figure 1, page 3). The case λ = m/2 is
in general out of reach of our distinguisher, but remains border line as testified by some attacks
on the cases λ = 1, m = 2 in the literature [COT17, FPdP14].
A question which remains open is the actual security of the cases 1 < λ < m/2 which are out of
reach of the twisted square code distinguisher. These codes, which include alternant codes, deserve
to have a careful security analysis in the near future. Indeed, if they turn out to be resistant to
any attack, they could provide an alternative to Classic McEliece [BCL+ 19] with shorter key
sizes. On the other hand, if some of these codes turned out to be insecure, this may impact the
security of Classic McEliece which is a crucial question in the near future.

References
[BBC 16] Marco Baldi, Marco Bianchi, Franco Chiaraluce, Joachim Rosenthal, and Davide Schipani.
+

Enhanced public key security for the McEliece cryptosystem. J. Cryptology, 29(1):1–27, 2016.
[BCD+ 16] Magali Bardet, Julia Chaulet, Vlad Dragoi, Ayoub Otmani, and Jean-Pierre Tillich. Crypt-
analysis of the McEliece public key cryptosystem based on polar codes. In Post-Quantum
Cryptography 2016, LNCS, pages 118–143, Fukuoka, Japan, February 2016.
[BCG 17] Alin Bostan, Frédéric Chyzak, Marc Giusti, Romain Lebreton, Grégoire Lecerf, Bruno
+

Salvy, and Éric Schost. Algorithmes Efficaces en Calcul Formel. Frédéric Chyzak (auto-édit.),
Palaiseau, September 2017.
[BCL+ 19] Daniel J. Bernstein, Tung Chou, Tanja Lange, Ingo von Maurich, Rafael Mizoczki, Ruben
Niederhagen, Edoardo Persichetti, Christiane Peters, Peter Schwabe, Nicolas Sendrier,
Jakub Szefer, and Wang Wen. Classic McEliece: conservative code-based cryptography.
https://classic.mceliece.org, March 2019. Second round submission to the NIST post-
quantum cryptography call.
[Ber73] Elwyn Berlekamp. Goppa codes. IEEE Trans. Inform. Theory, 19(5):590–592, 1973.
[BGK19] Thierry P. Berger, Cheikh Thiécoumba Gueye, and Jean Belo Klamti. Generalized subspace
subcodes with application in cryptology. IEEE Trans. Inform. Theory, 65(8):4641–4657, 2019.
[BGKR19] Thierry P. Berger, Cheikh Thiécoumba Gueye, Jean Belo Klamti, and Olivier Ruatta. De-
signing a public key cryptosystem based on quasi-cyclic subspace subcodes of Reed–Solomon
codes. In International Conference on Algebra, Codes and Cryptology, pages 97–113. Springer,
2019.
[BL05] Thierry P. Berger and Pierre Loidreau. How to mask the structure of codes for a cryptographic
use. Des. Codes Cryptogr., 35(1):63–79, 2005.
[BMvT78] Elwyn Berlekamp, Robert McEliece, and Henk van Tilborg. On the inherent intractability of
certain coding problems. IEEE Trans. Inform. Theory, 24(3):384–386, May 1978.
28 ALAIN COUVREUR & MATTHIEU LEQUESNE

[CB14] Ivan V. Chizhov and Mikhail A. Borodin. Effective attack on the McEliece cryptosystem based
on Reed-Muller codes. Discrete Math. Appl., 24(5):273–280, 2014.
[CCMZ15] Igniacio Cascudo, Ronald Cramer, Diego Mirandola, and Gilles Zémor. Squares of random
linear codes. IEEE Trans. Inform. Theory, 61(3):1159–1173, 3 2015.
[CGG+ 14] Alain Couvreur, Philippe Gaborit, Valérie Gauthier-Umaña, Ayoub Otmani, and Jean-Pierre
Tillich. Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes.
Des. Codes Cryptogr., 73(2):641–666, 2014.
[CL20] Alain Couvreur and Matthieu Lequesne. On the security of subspace subcodes of Reed-Solomon
codes for public key encryption, 2020. ArXiv:2009.05826.
[CLT19] Alain Couvreur, Matthieu Lequesne, and Jean-Pierre Tillich. Recovering short secret keys
of RLCE in polynomial time. In Jintai Ding and Rainer Steinwandt, editors, Post-Quantum
Cryptography 2019, volume 11505 of LNCS, pages 133–152, Chongquing, China, May 2019.
Springer.
[CMCP14] Alain Couvreur, Irene Márquez-Corbella, and Ruud Pellikaan. A polynomial time attack
against algebraic geometry code based public key cryptosystems. In Proc. IEEE Int. Sym-
posium Inf. Theory - ISIT 2014, pages 1446–1450, June 2014.
[CMCP17] Alain Couvreur, Irene Márquez-Corbella, and Ruud Pellikaan. Cryptanalysis of McEliece cryp-
tosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inform. Theory,
63(8):5404–5418, 8 2017.
[COT14a] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. New identities relating wild Goppa
codes. Finite Fields Appl., 29:178–197, 2014.
[COT14b] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. Polynomial time attack on wild
McEliece over quadratic extensions. In Phong Q. Nguyen and Elisabeth Oswald, editors, Ad-
vances in Cryptology - EUROCRYPT 2014, volume 8441 of LNCS, pages 17–39. Springer
Berlin Heidelberg, 2014.
[COT17] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. Polynomial time attack on wild
McEliece over quadratic extensions. IEEE Trans. Inform. Theory, 63(1):404–427, 1 2017.
[COTG15] Alain Couvreur, Ayoub Otmani, Jean-Pierre Tillich, and Valérie Gauthier-Umaña. A
polynomial-time attack on the BBCRS scheme. In J. Katz, editor, Public-Key Cryptography -
PKC 2015, volume 9020 of LNCS, pages 175–193. Springer, 2015.
[Cou20] Alain Couvreur. Introduction to coding theory, 2020. Lecture notes available on
http://www.lix.polytechnique.fr/~alain.couvreur/doc_ens/lecture_notes.pdf.
[FGO+ 11] Jean-Charles Faugère, Valérie Gauthier, Ayoub Otmani, Ludovic Perret, and Jean-Pierre
Tillich. A distinguisher for high rate McEliece cryptosystems. In Proc. IEEE Inf. Theory
Workshop- ITW 2011, pages 282–286, Paraty, Brasil, October 2011.
[FPdP14] Jean-Charles Faugère, Ludovic Perret, and Frédéric de Portzamparc. Algebraic attack against
variants of McEliece with Goppa polynomial of a special form. In Advances in Cryptology -
ASIACRYPT 2014, volume 8873 of LNCS, pages 21–41, Kaoshiung, Taiwan, R.O.C., Decem-
ber 2014. Springer.
[GL05] Ernst M Gabidulin and Pierre Loidreau. On subcodes of codes in rank metric. In Proc. IEEE
Int. Symposium Inf. Theory - ISIT, pages 121–123. IEEE, 2005.
[GL08] Ernst M. Gabidulin and Pierre Loidreau. Properties of subspace subcodes of Gabidulin codes.
Adv. Math. Commun., 2(2):147–157, 2008.
[Gop70] Valerii D. Goppa. A new class of linear error-correcting codes. Problemy Peredachi Informatsii,
6(3):24–30, 1970. In Russian.
[Gop71] Valerii D. Goppa. Rational representation of codes and (L, g) codes. Problemy Peredachi In-
formatsii, 7(3):41–49, 1971. In Russian.
[Hat95] Masayuki Hattori. Subspace Subcodes of Reed–Solomon Codes. PhD thesis, California Institute
of Technology, 1995.
[HMS98] Masayuki Hattori, Robert J. McEliece, and Gustave Solomon. Subspace subcodes of Reed–
Solomon codes. IEEE Trans. Inform. Theory, 44(5):1861–1880, 1998.
[HP03] W. Cary Huffman and Vera Pless. Fundamentals of error-correcting codes. Cambridge Univer-
sity Press, Cambridge, 2003.
[Jen95] Jørn M. Jensen. Subgroup subcodes. IEEE Trans. Inform. Theory, 41(3):781–785, 1995.
[JJ01] Cui Jie and Pei Junying. Subspace subcodes of generalized Reed–Solomon codes. Acta Math-
ematicae Applicatae Sinica, 17(4):503–508, 2001.
 ON THE SECURITY OF SUBSPACE SUBCODES OF REED–SOLOMON CODES 29

[KL85] Tadao Kasami and Shu Lin. On the binary weight distribution of some Reed–Solomon codes.
Technical report, NASA, 1985.
[KL88] Tadao Kasami and Shu Lin. The binary weight distribution of the extended (2m, 2m − 4) code
of the Reed–Solomon code over GF (2m ) with generator polynomial (x − α)(x − α2 )(x − α3 ).
Linear Algebra and its Applications, 98:291–307, 1988.
[KRW19] Karan Khathuria, Joachim Rosenthal, and Violetta Weger. Encryption scheme based on ex-
panded Reed–Solomon codes, 2019. ArXiv:1906.00745v2 (Version 2).
[KRW21] Karan Khathuria, Joachim Rosenthal, and Violetta Weger. Encryption scheme based on ex-
panded Reed–Solomon codes. Advances in Mathematics of Communications, 15(2):207–218,
2021.
[LN97] Rudolf Lidl and Harald Niederreiter. Finite fields, volume 20 of Encyclopedia of Mathematics
and its Applications. Cambridge University Press, Cambridge, second edition, 1997. With a
foreword by P. M. Cohn.
[McE78] Robert J. McEliece. A Public-Key System Based on Algebraic Coding Theory, pages 114–116.
Jet Propulsion Lab, 1978. DSN Progress Report 44.
[MS86] Florence J. MacWilliams and Neil J. A. Sloane. The Theory of Error-Correcting Codes. North–
Holland, Amsterdam, fifth edition, 1986.
[MS94] Robert J. McEliece and Gustave Solomon. Trace-shortened Reed-Solomon codes. The Telecom-
munications and Data Acquisition Progress Report 42-117, page 119, 1994.
[Nie86] Harald Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of
Control and Information Theory, 15(2):159–166, 1986.
[Ran13] Hugues Randriambololona. Asymptotically good binary linear codes with asymptotically good
self-intersection spans. IEEE transactions on information theory, 59(5):3038–3045, 2013.
[RS85] Ron M. Roth and Gadiel Seroussi. On generator matrices of MDS codes. IEEE Trans. Inform.
Theory, 31(6):826–830, 1985.
[SKHN76] Yasuo Sugiyama, Masao Kasahara, Shigeichi Hirasawa, and Toshihiko Namekawa. Further
results on Goppa codes and their applications to constructing efficient binary codes. IEEE
Trans. Inform. Theory, 22:518–526, 1976.
[Sol93] Gustave Solomon. Non-linear, non-binary cyclic group codes. In Proc. IEEE Int. Symposium
Inf. Theory - ISIT, pages 192–192. IEEE, 1993.
[Spe04] Sarah A. Spence. Identifying high-dimension subspace subcodes of Reed-Solomon codes. IEEE
Transactions on Information Theory, 50(6):1280–1282, 2004.
[SS92] Vladimir Michilovich Sidelnikov and S.O. Shestakov. On the insecurity of cryptosystems based
on generalized Reed-Solomon codes. Discrete Math. Appl., 1(4):439–444, 1992.
[Ste93] Jacques Stern. A new identification scheme based on syndrome decoding. In D.R. Stinson,
editor, Advances in Cryptology - CRYPTO’93, volume 773 of LNCS, pages 13–21. Springer,
1993.
[STK89] Katsumi Sakakibara, Kin-Ichiroh Tokiwa, and Masao Kasahara. Notes on q-ary expanded
Reed–Solomon codes over GF (q m ). Electronics and Communications in Japan (Part III: Fun-
damental Electronic Science), 72(2):14–23, 1989.
[vDT99] Marten van Dijk and Ludo Tolhuizen. Efficient encoding for a class of subspace subcodes.
IEEE Trans. Inform. Theory, 45(6):2142–2146, 1999.
[Wan16] Yongge Wang. Quantum resistant random linear code based public key encryption scheme
RLCE. In Proc. IEEE Int. Symposium Inf. Theory - ISIT 2016, pages 2519–2523, Barcelona,
Spain, July 2016. IEEE.
[Wan17] Yongge Wang. RLCE–KEM. http://quantumca.org, 2017. First round submission to the
NIST post-quantum cryptography call.
[Wie06] Christian Wieschebrink. Two NP-complete problems in coding theory with an application in
code based cryptography. In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 1733–1737,
2006.
[Wie10] Christian Wieschebrink. Cryptanalysis of the Niederreiter public key scheme based on GRS
subcodes. In Post-Quantum Cryptography 2010, volume 6061 of LNCS, pages 61–72. Springer,
2010.
[Wu11] Yingquan Wu. On expanded cyclic and Reed–Solomon codes. IEEE Trans. Inform. Theory,
57(2):601–620, 2011.
30 ALAIN COUVREUR & MATTHIEU LEQUESNE

Alain Couvreur, Inria • LIX, École polytechnique, Palaiseau, France • E-mail : [email protected]
Matthieu Lequesne, Sorbonne Université • Inria, Paris, France • E-mail : [email protected]