Alain Couvreur

Alain Couvreur, Rati Ludhani

We study the classification of minimal codewords of projective Reed-Muller codes of order $2$. This problem is equivalent to identifying quadrics over finite fields whose set of rational points is maximal with respect to the inclusion. We prove that except one particular case over $\mathbb{F}_2$, any two absolutely irreducible quadrics whose sets of rational points are contained within one another should be equal as projective varieties. We deduce a precise characterisation of the minimal codewords of projective Reed-Muller codes of order $2$ and further give their exact number for each possible weight.

Eimear Byrne, Alain Couvreur, Lucien François

Tensor codes are a generalisation of matrix codes. Such codes are defined as subspaces of order-r tensors for which the ambient space is endowed with the tensor-rank as a metric. A class of these codes was introduced by Roth, who also outlined a decoding algorithm for low tensor-rank errors that can be generalised to an algorithm with exponential complexity in the decoding radius. They may be viewed as a generalisation of the well-known Delsarte-Gabidulin-Roth maximum rank distance codes. We study a generalised class of these codes. We investigate their properties and outline decoding techniques for different metrics that leverage their tensor structure. We first consider a fibre-wise decoding approach, as each fibre of a codeword corresponds to a Gabidulin codeword. We then give a generalisation of Loidreau-Overbeck's decoding method that corrects errors with properties constrained by the dimensions of the slice spaces and fibre spaces. The metrics we consider are bounded from above by the tensor-rank metric, and therefore these algorithms also decode tensor-rank weight errors.

Maxime Bombar, Alain Couvreur, Thomas Debris-Alazard

It is a long standing open problem to find search to decision reductions for structured versions of the decoding problem of linear codes. Such results in the lattice-based setting have been carried out using number fields: Polynomial-LWE, Ring-LWE, Module-LWE and so on. We propose a function field version of the LWE problem. This new framework leads to another point of view on structured codes, e.g. quasi-cyclic codes, strengthening the connection between lattice-based and code-based cryptography. In particular, we obtain the first search to decision reduction for structured codes. Following the historical constructions in lattice-based cryptography, we instantiate our construction with function fields analogues of cyclotomic fields, namely Carlitz extensions, leading to search to decision reductions on various versions of Ring-LPN, which have applications to secure multi party computation and to an authentication protocol.

Maxime Bombar, Alain Couvreur

We discuss the decoding of Gabidulin and interleaved Gabidulin codes. We give the full presentation of a decoding algorithm for Gabidulin codes, which as Loidreau's seminal algorithm consists in localizing errors in the spirit of Berlekamp-Welch algorithm for Reed-Solomon codes. On the other hand, this algorithm consists in acting on codewords on the right while Loidreau's algorithm considers an action on the left. This right-hand side decoder was already introduced by the authors in a previous work for cryptanalytic applications. We give here a generalised version which applies to the case of non-full length Gabidulin codes. Finally, we show that this algorithm turns out to provide a very clear and natural approach for the decoding of interleaved Gabidulin codes.

Maxime Bombar, Alain Couvreur

This article discusses the decoding of Gabidulin codes and shows how to extend the usual decoder to any supercode of a Gabidulin code at the cost of a significant decrease of the decoding radius. Using this decoder, we provide polynomial time attacks on the rank-metric encryption schemes RAMESSES and LIGA.

Anne Canteaut, Alain Couvreur, Léo Perrin

Extended Affine (EA) equivalence is the equivalence relation between two vectorial Boolean functions $F$ and $G$ such that there exist two affine permutations $A$, $B$, and an affine function $C$ satisfying $G = A \circ F \circ B + C$. While the problem has a simple formulation, it is very difficult in practice to test whether two functions are EA-equivalent. This problem has two variants: {\em EA-partitioning} deals with partitioning a set of functions into disjoint EA-equivalence classes, and \emph{EA-recovery} is about recovering the tuple $(A,B,C)$ if it exists. In this paper, we present a new algorithm that efficiently solves the EA-recovery problem for quadratic functions. Although its worst-case complexity occurs when dealing with APN functions, it supersedes, in terms of performance, all previously known algorithms for solving this problem for all quadratic functions and in any dimension, even in the case of APN functions. This approach is based on the Jacobian matrix of the functions, a tool whose study in this context can be of independent interest. The best approach for EA-partitioning in practice mainly relies on class invariants. We provide an overview of the known invariants along with a new one based on the \emph{ortho-derivative}. This new invariant is applicable to quadratic APN functions, a specific type of functions that is of great interest, and of which tens of thousands need to be sorted into distinct EA-classes. Our ortho-derivative-based invariant is very fast to compute, and it practically always distinguishes between EA-inequivalent quadratic APN functions.

Alain Couvreur, Matthieu Lequesne

This article discusses the security of McEliece-like encryption schemes using subspace subcodes of Reed-Solomon codes, i.e. subcodes of Reed-Solomon codes over $\mathbb{F}_{q^m}$ whose entries lie in a fixed collection of $\mathbb{F}_q$-subspaces of $\mathbb{F}_{q^m}$. These codes appear to be a natural generalisation of Goppa and alternant codes and provide a broader flexibility in designing code based encryption schemes. For the security analysis, we introduce a new operation on codes called the twisted product which yields a polynomial time distinguisher on such subspace subcodes as soon as the chosen $\mathbb{F}_q$-subspaces have dimension larger than $m/2$. From this distinguisher, we build an efficient attack which in particular breaks some parameters of a recent proposal due to Khathuria, Rosenthal and Weger.

Alain Couvreur, Hugues Randriambololona

This article surveys the development of the theory of algebraic geometry codes since their discovery in the late 70's. We summarize the major results on various problems such as: asymptotic parameters, improved estimates on the minimum distance, and decoding algorithms. In addition, we present various modern applications of these codes such as public-key cryptography, algebraic complexity theory, multiparty computation or distributed storage.

Magali Bardet, Manon Bertin, Alain Couvreur et al.

DAGS scheme is a key encapsulation mechanism (KEM) based on quasi-dyadic alternant codes that was submitted to NIST standardization process for a quantum resistant public key algorithm. Recently an algebraic attack was devised by Barelli and Couvreur (Asiacrypt 2018) that efficiently recovers the private key. It shows that DAGS can be totally cryptanalysed by solving a system of bilinear polynomial equations. However, some sets of DAGS parameters were not broken in practice. In this paper we improve the algebraic attack by showing that the original approach was not optimal in terms of the ratio of the number of equations to the number of variables. Contrary to the common belief that reducing at any cost the number of variables in a polynomial system is always beneficial, we actually observed that, provided that the ratio is increased and up to a threshold, the solving can be heavily improved by adding variables to the polynomial system. This enables us to recover the private keys in a few seconds. Furthermore, our experimentations also show that the maximum degree reached during the computation of the Gröbner basis is an important parameter that explains the efficiency of the attack. Finally, the authors of DAGS updated the parameters to take into account the algebraic cryptanalysis of Barelli and Couvreur. In the present article, we propose a hybrid approach that performs an exhaustive search on some variables and computes a Gröbner basis on the polynomial system involving the remaining variables. We then show that the updated set of parameters corresponding to 128-bit security can be broken with 2^83 operations.

Daniel Coggia, Alain Couvreur

We present a polynomial time attack of a rank metric code based encryption scheme due to Loidreau for some parameters.

Alain Couvreur, Matthieu Lequesne, Jean-Pierre Tillich

We present a key recovery attack against Y. Wang's Random Linear Code Encryption (RLCE) scheme recently submitted to the NIST call for post-quantum cryptography. This attack recovers the secret key for all the short key parameters proposed by the author.

Elise Barelli, Alain Couvreur

We present an efficient key recovery attack on code based encryption schemes using some quasi-dyadic alternant codes with extension degree 2. This attack permits to break the proposal DAGS recently submitted to NIST.

Alain Couvreur, Ayoub Otmani, Jean-Pierre Tillich et al.

The BBCRS scheme is a variant of the McEliece public-key encryption scheme where the hiding phase is performed by taking the inverse of a matrix which is of the form $\mathbf{T} +\mathbf{R}$ where $\mathbf{T}$ is a sparse matrix with average row/column weight equal to a very small quantity $m$, usually $m < 2$, and $\mathbf{R}$ is a matrix of small rank $z\geqslant 1$. The rationale of this new transformation is the reintroduction of families of codes, like generalized Reed-Solomon codes, that are famously known for representing insecure choices. We present a key-recovery attack when $z = 1$ and $m$ is chosen between $1$ and $1 + R + O( \frac{1}{\sqrt{n}} )$ where $R$ denotes the code rate. This attack has complexity $O(n^6)$ and breaks all the parameters suggested in the literature.

Alain Couvreur, Irene Márquez-Corbella, Ruud Pellikaan

We give a polynomial time attack on the McEliece public key cryptosystem based on subcodes of algebraic geometry (AG) codes. The proposed attack reposes on the distinguishability of such codes from random codes using the Schur product. Wieschebrink treated the genus zero case a few years ago but his approach cannot be extent straightforwardly to other genera. We address this problem by introducing and using a new notion, which we call the t-closure of a code.

Alain Couvreur, Ayoub Otmani, Jean-Pierre Tillich

We present a polynomial time structural attack against the McEliece system based on Wild Goppa codes from a quadratic finite field extension. This attack uses the fact that such codes can be distinguished from random codes to compute some filtration, that is to say a family of nested subcodes which will reveal their secret algebraic description.

Alain Couvreur, Philippe Gaborit, Valérie Gauthier-Umaña et al.

Because of their interesting algebraic properties, several authors promote the use of generalized Reed-Solomon codes in cryptography. Niederreiter was the first to suggest an instantiation of his cryptosystem with them but Sidelnikov and Shestakov showed that this choice is insecure. Wieschebrink proposed a variant of the McEliece cryptosystem which consists in concatenating a few random columns to a generator matrix of a secretly chosen generalized Reed-Solomon code. More recently, new schemes appeared which are the homomorphic encryption scheme proposed by Bogdanov and Lee, and a variation of the McEliece cryptosystem proposed by Baldi et \textit{al.} which hides the generalized Reed-Solomon code by means of matrices of very low rank. In this work, we show how to mount key-recovery attacks against these public-key encryption schemes. We use the concept of distinguisher which aims at detecting a behavior different from the one that one would expect from a random code. All the distinguishers we have built are based on the notion of component-wise product of codes. It results in a powerful tool that is able to recover the secret structure of codes when they are derived from generalized Reed-Solomon codes. Lastly, we give an alternative to Sidelnikov and Shestakov attack by building a filtration which enables to completely recover the support and the non-zero scalars defining the secret generalized Reed-Solomon code.