A Polynomial-Time Attack on the BBCRS Scheme
The BBCRS scheme is a variant of the McEliece public-key encryption scheme where the hiding phase is performed by taking the inverse of a matrix which is of the form $\mathbf{T} +\mathbf{R}$ where $\mathbf{T}$ is a sparse matrix with average row/column weight equal to a very small quantity $m$, usually $m < 2$, and $\mathbf{R}$ is a matrix of small rank $z\geqslant 1$. The rationale of this new transformation is the reintroduction of families of codes, like generalized Reed-Solomon codes, that are famously known for representing insecure choices. We present a key-recovery attack when $z = 1$ and $m$ is chosen between $1$ and $1 + R + O( \frac{1}{\sqrt{n}} )$ where $R$ denotes the code rate. This attack has complexity $O(n^6)$ and breaks all the parameters suggested in the literature.
💡 Research Summary
The paper presents a polynomial‑time key‑recovery attack against the BBCRS public‑key encryption scheme, a variant of McEliece that hides a secret Generalized Reed‑Solomon (GRS) code by multiplying it with the inverse of a matrix Q = T + R. Here T is a sparse, nonsingular n×n matrix with average row/column weight m (typically m < 2) and R is a low‑rank matrix of rank z. The authors focus on the case z = 1 and on values of m satisfying 1 < m ≤ 1 + R + O(1/√n), where R in this bound denotes the code rate k/n (the abstract reuses the letter of the matrix R). Under these conditions they devise an attack with overall complexity O(n⁶), breaking all parameter sets suggested in the original BBCRS proposal.
The attack builds on the concept of the square code (the component‑wise product of a code with itself) and on shortening operations. For a random linear code of length n and dimension k, the dimension of its square code is min(n, k(k+1)/2) with high probability, i.e. it grows quadratically in k until it fills the whole space, whereas for a GRS code of dimension k it is exactly 2k‑1 (as long as 2k‑1 ≤ n). Shortening a GRS code yields a GRS code of smaller length and dimension, and the dual of a GRS code is again a GRS code, so the same 2k‑1 bound holds for shortened versions of the dual. This discrepancy provides a distinguisher: by computing the dimension of the square of suitably shortened versions of the public code’s dual, one can detect when the underlying structure deviates from a random code.
The authors first establish two simple algebraic relations: the public code C_pub equals C_sec·(T+R)⁻¹, and its dual C_pub^⊥ equals C_sec^⊥·(T+R)ᵀ (for any invertible A, the dual of C·A⁻¹ is C^⊥·Aᵀ). Using these, they consider subsets I of coordinates and form the shortened dual code S_I(C_pub^⊥). They then compute the dimension of (S_I(C_pub^⊥))². When m is in the specified range, there exist choices of I for which this dimension is smaller than expected for a random code. This anomaly reveals the positions of rows of T that have weight 1 (set J₁) and weight 2 (set J₂). By systematically testing subsets and measuring the square‑code dimension, the attacker recovers the exact structure of T in O(n⁵) operations.
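The square‑code distinguisher and the shortening step from the two paragraphs above, as an added, self‑contained Python example (not code from the paper or its authors). It assumes a small prime field GF(101), a constructed [30, 21] GRS code (rate 0.7, so the square of the code itself already fills the whole space and the signal is only visible on the dual), a constructed random code of the same size, and the shortening positions I = {0, 1, 2}; the function names and parameters are the example's own.

```python
import random

P = 101  # prime modulus: the example works over GF(101) (assumption)


def eliminate(rows, cols, p=P):
    """Gauss-Jordan elimination over GF(p), pivoting only on the columns
    listed in `cols`, in that order.  Returns (reduced copy, pivot columns).
    Rows from index len(pivots) on are zero in every column of `cols`."""
    m = [[x % p for x in r] for r in rows]
    pivots = []
    for c in cols:
        r = len(pivots)
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [(x * inv) % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
    return m, pivots


def rank(rows, p=P):
    return len(eliminate(rows, range(len(rows[0])), p)[1]) if rows else 0


def grs_generator(n, k, p=P, seed=1):
    """Generator of GRS_k(x, y): row i is (y_j * x_j^i)_j, with distinct
    evaluation points x_j and nonzero column multipliers y_j (constructed)."""
    rng = random.Random(seed)
    x = rng.sample(range(p), n)
    y = [rng.randrange(1, p) for _ in range(n)]
    return [[(y[j] * pow(x[j], i, p)) % p for j in range(n)] for i in range(k)]


def random_generator(n, k, p=P, seed=1):
    """Generator of a random [n, k] code over GF(p) (constructed)."""
    rng = random.Random(seed)
    return [[rng.randrange(p) for _ in range(n)] for _ in range(k)]


def square_dim(G, p=P):
    """Dimension of the square code: span of all component-wise products
    of two generator rows (pairs i <= j suffice by symmetry)."""
    k = len(G)
    prods = [[(a * b) % p for a, b in zip(G[i], G[j])]
             for i in range(k) for j in range(i, k)]
    return rank(prods, p)


def shorten(G, I, p=P):
    """Generator of the code shortened on positions I: the codewords that
    vanish on I, with the coordinates in I deleted."""
    m, pivots = eliminate(G, sorted(I), p)
    keep = [c for c in range(len(G[0])) if c not in I]
    rows = [[r[c] for c in keep] for r in m[len(pivots):]]
    return [r for r in rows if any(r)]


def dual(G, p=P):
    """Generator of the dual code, read off the reduced row echelon form of G."""
    n = len(G[0])
    m, pivots = eliminate(G, range(n), p)
    H = []
    for f in (c for c in range(n) if c not in pivots):
        h = [0] * n
        h[f] = 1
        for i, pc in enumerate(pivots):
            h[pc] = (-m[i][f]) % p
        H.append(h)
    return H


def distinguish(n=30, k=21, I=(0, 1, 2), p=P):
    """Square-code dimensions for a GRS code and a random code with the same
    [n, k] (rate 0.7 by default): the code, its dual, and the dual shortened
    on I.  GRS gives 2k'-1 (capped at the length); a random code gives
    min(n', k'(k'+1)/2) with high probability (k', n': dimension and length
    of the code in question)."""
    out = {}
    for name, G in (("grs", grs_generator(n, k, p)),
                    ("random", random_generator(n, k, p))):
        D = dual(G, p)
        S = shorten(D, set(I), p)
        out[name] = {
            "dim": rank(G, p),
            "square": square_dim(G, p),          # 2k-1 >= n here: no signal at rate > 1/2
            "dual_dim": len(D),
            "dual_square": square_dim(D, p),     # GRS: 2(n-k)-1 = 17; random fills GF(p)^n
            "shortened_dual_dim": len(S),
            "shortened_dual_square": square_dim(S, p),  # GRS: 2*6-1 = 11; random: min(27, 21)
        }
    return out


if __name__ == "__main__":
    for name, d in distinguish().items():
        print(name, d)
```

At rate above 1/2 the square of the public code has dimension n for GRS and random codes alike; it is the dual (itself a GRS code of dimension n‑k) and its shortenings whose square dimension stays at 2k'‑1 instead of growing quadratically, which is why the attack works on S_I(C_pub^⊥). Feeding G_pub in place of the constructed generator turns the script into the raw distinguisher step; choosing the subsets I that expose the rows of T is the part the paper works out.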
Having reconstructed T, the attacker completes Q = T + R, where R is the rank‑1 matrix written as αᵀβ in the scheme, and computes Q⁻¹ directly. Multiplying the public generator matrix G_pub by Q yields S⁻¹·G_sec, from which the secret GRS generator matrix G_sec and the random invertible matrix S can be extracted using the previously known attack on the original McEliece‑type scheme (cited as