1

Generalized subspace subcodes with application in

cryptology
Thierry P. BERGER, Cheikh Thiécoumba GUEYE and Jean Belo KLAMTI

Cheikh Thiécoumba GUEYE and Jean Belo KLAMTI are with Université Cheikh Anta Diop, Faculté des Sciences et
Techniques, DMI, LACGAA, Dakar, Sénégal, [email protected] and [email protected]
Thierry P. Berger is with XLIM (UMR CNRS 6172), Université de Limoges, 123 avenue A. Thomas, 87060 Limoges Cedex,
arXiv:1704.07882v1 [cs.CR] 25 Apr 2017

France, [email protected]
Abstract
Most of the codes that have an algebraic decoding algorithm are derived from the Reed Solomon codes. They are obtained
by taking equivalent codes, for example the generalized Reed Solomon codes, or by using the so-called subfield subcode method,
which leads to Alternant codes and Goppa codes over the underlying prime field, or over some intermediate subfield. The main
advantages of these constructions is to preserve both the minimum distance and the decoding algorithm of the underlying Reed
Solomon code. In this paper, we propose a generalization of the subfield subcode construction by introducing the notion of
subspace subcodes and a generalization of the equivalence of codes which leads to the notion of generalized subspace subcodes.
When the dimension of the selected subspaces is equal to one, we show that our approach gives exactly the family of the codes
obtained by equivalence and subfield subcode technique. However, our approach highlights the links between the subfield subcode
of a code defined over an extension field and the operation of puncturing the q-ary image of this code. When the dimension of
the subspaces is greater than one, we obtain codes whose alphabet is no longer a finite field, but a set of r-uples. We explain why
these codes are practically as efficient for applications as the codes defined on an extension of degree r. In addition, they make
it possible to obtain decodable codes over a large alphabet having parameters previously inaccessible. As an application, we give
some examples that can be used in public key cryptosystems such as McEliece.

Index Terms
Linear code, Shortened code, Punctured code, Subfield subcodes, Reed Solomon codes, Alternant codes, q-ary image.

I. I NTRODUCTION
The McEliece cryptosystem is the most known and oldest code-based cryptographic protocol. An important part of its
security is based on the use of codes that seem random and possess an effective error correction algorithm. In its original
paper, R. McEliece proposed the use of binary Goppa codes. This class is a subclass of Alternant codes, which are themselves
subcodes on the binary field of Generalized Reed-Solomon codes. This construction makes it possible to easily decode errors,
provides a good minimum distance and effectively mask the underlying algebraic structure.
The main problem with this protocol is the size of the secret key. There are several ways to reduce the size of keys. One of
these is the use of codes with a large automorphism group, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic
(QM) matrices [2], [3], [9], [12], [13], [14], [17].
Another approach is to use subfield subcodes over a subfield of great size. The variant based on the subfield subcodes
introduced by Berger et al. [3] was attacked by Wieschebrink [20]. Recently Faugère et al. proposed two attacks respectively
a structural attack and a algebraic attack against the McEliece schemes with compact keys [6], [7].
In this paper, we introduce a new construction of subfield subcodes called Generalized Subfield Subcodes and we prove that
the Generalized Subfield Subcodes of Reed-Solomon are exactly alternant codes. The approach developed for the Generalized
Subfield Subcodes leads to a second construction called Generalized Subspace Subcodes which is a promising research direction
for both coding theory and hiding the structure of a code.
This paper is organized as following: in Section II we give some definitions in coding theory. In Section III we introduce
the shortened q-ary images of a code and give the link between subfield subcodes and shortened codes. In Section IV we
present the first attempt at generalization of subfield subcodes namely the Generalized Subfield Subcodes and we show that
the codes introduced in Section III-A can also be constructed using a known method to construct alternant codes. In Section
V we introduce Subspace Subcodes, which is a new class of additive block codes. We generalize this first class to obtain
another class of block additive codes named Generalized Subspace Subcodes. For this second class we proposed an algorithm
which allows us to compute its generator matrix. In addition we give some examples and directions for their application in
transmission and cryptology.

II. P RELIMINARIES
A. Linear code
Let Fqm be an arbitrary finite field. A linear code C of length n and dimension k is a vector subspace of Fnqm of dimension
k. A vector x ∈ Fnqm is called word and a vector x ∈ C is called codeword.
 2

The Hamming distance between two words x and y denoted by d(x, y) is the number of positions on which they differ. The
Hamming distance of a code C denoted by d is the minimal Hamming distance between any two different codewords.
The Hamming weight of a word x ∈ Fnqm denoted by wt(x) is the number of its nonzero coordinates. In the case of a linear
code the minimal Hamming distance of a code is equal to the minimal Hamming weight of its nonzero codewords.
A linear code C over an arbitrary finite field Fqm is called Fqm -linear code. If its length is n, its dimension is k and its
minimal Hamming distance is d we call this code a [n, k, d] Fqm -linear code. A linear code C over an arbitrary finite field
Fqm is usually specified by a full-rank matrix G ∈ Fqk×nm called generator matrix of C, whose rows span the code. Thus,
C = xG : x ∈ Fkqm . A linear code can be also defined by the right kernel of a matrix H called parity-check matrix of C as

follows:
C = x ∈ Fkqm s.t. HxT = 0


The matrix H is a generator matrix of the dual code C ⊥ of C for the usual scalar product.

B. Shortened codes and punctured codes

Definition 1. (Shortened code)[5]
Let C be an [n, k, d]qm -linear code, choose a subset I ⊂ {1, 2, ..., n} of coordinates such that |I| = i with 1 ≤ i ≤ n
and take the subcode of C consisting of the codewords having 0 on those positions. Deleting the chosen coordinates in every
codeword of this subcode yields a Fqm -linear code denoted ShortI (C). ShortI (C) is called a shortened code of C on I.
Definition 2. (Punctured code)[5]
Let C be an [n, k, d]qm -linear code,choose a subset I ⊂ {1, 2, ..., n} of coordinates such that |I| = i with 1 ≤ i < d. Deleting
the chosen coordinates in every codeword yields a Fqm -linear code denoted P unctI (C). P unctI (C) is called a punctured
code of C on I.
If I = {j}, we denote P unctI (C) by P unctj (C) and ShortI (C) by Shortj (C) where j, 1 ≤ j ≤ n, is the deleted position.
For all vector x ∈ Fnqm , we denoted by P unctI (x) = (xi )i∈I/ , if x is such that xI = (xi )i∈I = 0, we denoted by
ShortI (x) = (xi )i∈I
/ .
Remark 1. There are some links between shortening and puncturing operations. Indeed, let C be an [n, k, d]qm -linear code.
Let I be a subset of N = {1, 2, ..., n}. The shortened code of C on I is the punctured code on I of the subcode
CI = {c = (c1 , c2 , ..., cn ) ∈ C | ci = 0 ∀i ∈ I}. We remark also that a shortened code of a linear code C can be considered
like a subcode of C if we replace the deleted coordinates by 0. Therefore, all the best decoding algorithms of C, can be used
to decode a shortened code of C.
Theorem 1. Let C be an [n, k, d] Fqm -linear code. Let I be a subset of N = {1, 2, ..., n}. Then the following identity is
verified
⊥
P unctI (C) = ShortI C ⊥

Proof:
Let x ∈ C, y ∈ C ⊥ . Then if (yi )i∈I = 0, we have ShortI (y) = (yk )k6∈I ∈ ShortI (C ⊥ ) and P unctI (x) = (xk )k6∈I ∈
P unctI (C). According to the definition of a code and its dual we have
X X X
x.y T = 0 ⇐⇒ xk yk = xk yk + xk yk = 0
k∈N k∈N \I k∈I
X
⇐⇒ xk yk = P unctI (x).ShortI (y)T = 0.
k∈N \I

Lemma 1. Let C be an [n, k, d] Fqm -linear code. Let i ∈ {1, ..., n}. The equality Shorti (C) = P uncti (C) is verified if and
only if one of the following conditions is satisfied:
1) For all codewords c = (c1 , c2 , ..., cn ) ∈ C, ci = 0,
2) The word ei = (0, ..., 0, 1, 0, ..., 0) having only one non-zero coefficient which is equal to 1 in position i is in C.
Proof:
1) Suppose first that the identity Shorti (C) = P uncti (C) is verified.
Suppose that Conditions 1) is not satisfied, then there exists a codeword c ∈ C such that ci = 1. Under our hypothesis,
P uncti (c) is an element of Shorti (C), i.e. there exists c′ ∈ C such that P 00uncti (c) = Shorti (c′ ). Clearly, ei = c′ − c
is an element of C and Condition 2) is satisfied.
2) Reciprocally
a) Suppose that Condition 1) is satisfied. Since all the codewords c ∈ C verify ci = 0, then P uncti (C) = Shorti (C).
 3

b) Suppose that Condition 2) is satisfied. Let Ci = {c ∈ C s.t ci = 0} be the subcode of C constituted of codewords
c such that ci = 0. Clearly, C is generated by {ei } ∪ Ci . Let c be a codeword of C. If c ∈ Ci then P uncti (c) =
Shorti (c) ∈ Shorti (C). If c = ei + c′ , c′ ∈ Ci , then P uncti (c) = Shorti (c′ ) ∈ Shorti (C).
In both cases, Shorti (C) = P uncti (C).

Remark 2. If a code C satisfies the first condition of Lemma 1, then its dual C ⊥ will satisfy the second one.
We deduce the following proposition.
Proposition 1. Let C be an [n, k, d] Fqm -linear code and i, 1 ≤ i ≤ n, be an integer. If the parameters of P uncti (C) and
Shorti (C) are respectively [n − 1, kp , dp ] and [n − 1, ks , ds ], then:
1) ds ≥ d, ds ≥ dp ≥ d − 1.
2) If P uncti (C) 6= Shorti (C) then kp = k and ks = k − 1.
3) If P uncti (C) = Shorti (C) then
• If Condition 1 of Lemma 1 is verified, then the parameters of P uncti (C) and Shorti (C) are [n − 1, k, d].
• If Condition 2 of Lemma 1 is verified (i.e. ei ∈ C), then kp = ks = k − 1.

Proof:
Note that, since Shorti (C) ⊂ P uncti (C), the following relations hold: ks ≤ kp ≤ k and ds ≥ dp . Moreover, using the
notations of the proof of Lemma 1, Shorti (C) is isomorphic to Ci ⊂ C, and then ds ≥ d.
One can easy check that dp ≥ d − 1.
Suppose firstly that for all codewords c = (c1 , c2 , ..., cn ) ∈ C, ci = 0 (Condition 1 of Lemma 1). Then we have, P uncti (C) =
Shorti (C) is an [n − 1, k, d] code.
Suppose now that there exists a codeword c ∈ C such that ci = 1. One can check that the code C is equal to h{c}i ⊕ Ci . We
deduce that ks = k − 1.
If ei 6∈ C, then Shorti (C) ( P uncti (C), and then ks = k − 1 < kp ≤ k.
If ei ∈ C, then kp = ks = k − 1.

One can notice that if ei ∈ C, then d = 1, and we have no information about values of ds and dp (but we have in this case
ds = dp ).
From Proposition 1, we deduce the following corollary:
Corollary 1. Let C be an [n, k, d] Fqm -linear code and I be a set of r distinct positions. Let [n − 1, ks, ds ] and [n − 1, kp, dp ]
be respectively the parameters of ShortI (C) and P unctI (C). Then we have ds ≥ d, ks ≥ k − r, dp ≥ d − r and kp ≥ k − r.

C. Subfield Subcodes and Trace code

For more details and proofs, the reader can refer to [16], Ch.7 §7.
Definition 3. The subfield subcode C over Fq of a Fqm -linear code C is the set of codewords of C which have components in
Fq : C = C ∩ Fnq .
A first property of C is the fact that it is a Fq -linear code. The simplest way to construct such a subfield subcode is to
construct a parity check matrix as follows.
Let C be an [n, k, d] Fqm -linear code defined by the parity check matrix
 
h1,1 ... h1,n
H= : :  ∈ Fr×n
qm .
hr,1 ... hr,n
Let B = {b1 , b2 , ..., bm } be a basis of Fqm as a Fq -vector space. We can construct the map φB : Fqm −→ Fm
q defined by,
Xm
if x = xi bi , xi ∈ Fq , then φ(x) = (x1 , x2 , ..., xm ).
i=1

φ(h1,1 )T ... φ(h1,n )T

 

Proposition 2. The matrix H̃ =  : :  is a parity check matrix of the subfield subcode C of C.

φ(hr,1 )T ... φ(hr,n )T
Note that H̃ is not necessary of full rank. Then a subfield subcode C of an [n, k, d] Fqm -linear code C is an [n, k ∗ ≥
n − rm, d∗ ≥ d] Fq -linear code.
One can notice that H̃ is independent of the choice of the basis B, which allows to omit the index B in the definition of
φB .
 4

Example 1. The subfield subcode of the Reed-Solomon code RSd of minimal distance d is the BCH code BCHd of constructed
minimal distance δ = d over the prime subfield Fp . Note that the true minimum distance of BCHd could be greater than d.
Another construction of a Fq -linear code from a Fqm -linear code is the trace construction.
2 m−1
If x is an element of Fqm , the trace of x over Fq is defined by Tm (x) = x + xq + xq + · · · + xq . The trace function is a
n n
Fq -linear map. This mapping is naturally extended to Fqm : if c = (c1 , ..., cn ) ∈ Fqm , then Tm (c) = (Tm (c1 ), ..., Tm (cn )) ∈ Fnq .
Definition 4. [16] The trace code of an Fqm -linear code C is the Fq -linear code Tm (C).
The link between trace code and subfield subcode is described in the following theorem:
Theorem 2. [16][Th.11, ch.7 §7, Delsarte] The dual of the subfield code C of a code C is the trace code of its dual:
C⊥ = Tm (C ⊥ ).
This fact is a direct consequence of Proposition 2 and a classical result of algebra: all Fq -linear mapping of Fqm into Fq
can be expressed as Tm (αx) for some α ∈ Fqm .

D. Fqm -linear isometries and Alternant codes

It is well-known [10] that the linear isometries for the Hamming distance on Fnqm form a group
generated by the permutations of the support and the scalar multiplications by invertible elements of Fqm on each coordinate.
From a matrix point of view, it is the monomial group Mn of n × n matrices over Fqm with one and only one non-zero
element on each row and each column.
In order to obtain a code equivalent to C, such a monomial matrix acts by right multiplication on any generator matrix of
a code C. The new code is Fqm -linear and has the same parameters of the original one.
Moreover, if C has a decoding algorithm, then this algorithm can be used to decode the new code.
The most famous example is that of Generalized Reed-Solomon (GRS) codes that are obtained by applying a monomial
matrix to a Reed-Solomon code.
An Alternant code is simply a subfield subcode of a GRS code. It naturally inherits the decoding algorithm of the underlying
Reed-Solomon code.

E. q-ary images of a code of length n over Fqm

As we did in Section II-C, we fix a basis B = (b1 , ..., bm ) of Fqm over Fq and denote by φB the corresponding Fq -linear
isomorphism Fqm 7→ Fm q .
The mapping φB can be extended to the whole space Fnqm : if c = (c1 , ...cn ) ∈ Fnqm , then ΦB (c) = (φB (c1 ), ..., φB (cn )).
Definition 5. The q-ary image of a code C relative to the base B is the image Imq (C) = ΦB (C) of C by ΦB .
The code Imq (C) is clearly a Fq -linear code of length nm. Note that, contrary to Section II-C, this code is dependent on
the choice of the basis B.
In order to build a generator matrix G of Imq (C) over Fq from those G of C over Fqm , since Imq (C) is not Fqm -linear, it
is necessary to take all the multiples of the rows of G. In fact, it is sufficient to take m multiples Fq -linearly independent.
A simple way is the following: for any element β ∈ Fqm , the map ψβ : x 7→ βx is a Fq -linear endomorphism of Fqm . Its
image by φB is an endomorphism of Fm q . We denote by Mβ the matrix of the corresponding endomorphism: with obvious
notations, if φB (x) = (x1 , ..., xm ) then φB (βx) = (x1 , ..., xm )Mβ .
Proposition 3. If G = (βi,j ) is a k × n generator matrix of C, then the mk × nm matrix G obtained by replacing each entry
βi,j by the corresponding m × m matrix Mβi,j . Moreover, the matrix G is of full rank km.
Proof: The fact that G generates the full code ImB (C) comes directly from the fact that ΦB is an isomorphism. In addition
the two codes have the same number of elements, which implies that G is of rank km.
As a direct consequence, we obtain the following corollary:
Corollary 2. If C is an [n, k, d] Fqm -linear code, then Imq (C) is an [nm, km, dq ≥ d] Fq -linear code.

III. L INK BETWEEN S UBFIELD S UBCODES AND S HORTENED CODES

A. Shortening the q-ary image of a code
Let u = (i1 , i2 , ..., in ) ∈ {1, 2, ..., m}n be a n-tuple of positions ij , 1 ≤ ij ≤ m. We define two sets of indexes
Iu = {i1 , i2 + m, i3 + 2m; ..., in + (n − 1)m} and Ju = Iu = {1, ..., n} \ Iu .
Let C be a linear code of length n over Fqm . We fix a basis B of Fqm over Fq and we look at the q-ary image of C relatively
to B.
 5

We denote by Su (respectively Pu ) the operation of shortening (respectively puncturing) the q-ary image of C on positions
Ju : Su (C) = ShortJu (Imq (C)) and Pu (C) = P unctJu (Imq (C)).
Proposition 4. If C is an [n, k, d] Fqm -linear code, then Su (C) is an [n, k ′ , d′ ] Fq -linear code with k ′ ≥ n − m(n − k) and
d′ ≥ d. Moreover, if the code C has a decoding algorithm of error correction capability t, then this algorithm can be applied
to Su (C) with the same error correction capability.
Proof: The inequalities k ′ ≥ n − m(n − k) and d′ ≥ d are direct consequences of Corollary 1 and Corollary 2. In order
to decode a noisy codeword y of Su (C), we extend y to a word of length nm by adding the value 0 on the shortened position,
then we use the inverse of the map ΦB in order to obtain a noisy codeword y of C. By construction, the weight of the errors on
y and y are the same. So, if the error is less than or equal to t, it is possible to correct y and to recover the correct codeword
c ∈ Su (C).
Example 2. Set n = 7, m = 3 and let α be a root of the polynomial x3 + x + 1. The following matrix is a generator matrix
of the Reed Solomon code RS2 of parameters [7, 6, 3]8 associated to the support a = (1, α, α2 , α3 , α4 , α5 , α6 ):
 
1 1 1 1 1 1 1
1 α α2 α3 α4 α5 α6 
1 α2 α4 α6 α α3 α5 
 
G= 1 α3 α6 α2 α5 α α4 

 
1 α4 α α5 α2 α6 α3 
1 α5 α3 α α6 α4 α2
Its generator matrix in form systematic is given by:
 
1 0 0
0 α 0 0
0 1 0 α2 
0 0 0
0 α3 
 
0 0 1 0 0
Gsys =  
0
 0 0 α4 
0 1  0
0 0 0 α5 
0 0 1
0 0 1 α6
0 0 0
The q-ary image (binary image) of the generator matrix G in the base 1 = (100), α = (010), α2 = (001) is given by

 
M1 M0 M0 M0 M0 M0 Mα
M0 M1 M0 M0 M0 M0 Mα2 
 
M0 M0 M1 M0 M0 M0 Mα3 
Im2 (Gsyst ) = 
 
M0 M0 M0 M1 M0 M0 Mα4 

M0 M0 M0 M0 M1 M0 Mα5 
M0 M0 M0 M0 M0 M1 Mα6
then
1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
 

 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 


 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 


 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 


 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 


 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 


 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 


 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 

 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 
Im2 (G) =  

 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 


 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 1 


 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1 


 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1 1 


 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 


 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 


 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 

 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0
     i
0 0 0 1 0 0 0 1 0
with M0 =  0 0 0 , M1 =  0 1 0  and Mαi =  0 0 1  for all i ∈ {1, 2, ..., 6}
0 0 0 0 0 1 1 1 0
 6

The parity check matrix of the binary image Im2 (C) of the code C is given by:
 
0 0 1 0 1 0 1 0 1 0 1 1 1 1 1 1 1 0 1 0 0
H2 =  1 0 1 0 1 1 1 1 1 1 1 0 1 0 0 0 0 1 0 1 0 
0 1 0 1 0 1 0 1 1 1 1 1 1 1 0 1 0 0 0 0 1
7
Let u = (2, 3, 3, 2, 2, 3, 3) ∈ {1, 2, 3} be a tuple then Iu = {2, 6, 9, 11, 14, 18, 21} Now we compute Su (H2 ) corresponding
to the generator matrix of Im2 (C):  
0 0 1 1 1 0 0
Su (H2 ) =  0 1 1 1 0 1 0 
1 1 1 1 1 0 1
The generator matrix GSu of the subfield subcode Su (C) of the code C over F2 is given by
 
1 0 0 0 0 0 1
 0 1 0 0 0 1 1 
GSu = 
 0 0 1 0 1

1 0 
0 0 0 1 1 1 0
Then Su (C) is a [7, 4, 2] binary linear code.
When u = (1, 3, 1, 2, 3, 1, 3) we have Iu = {1, 6, 7, 11, 15, 16, 21} and the subfield subcode j Su (C) over F2 of the code C
is an [7, 4, 3] binary linear code of generator matrix
 
1 0 0 1 0 1 0
 0 1 0 1 0 1 1 
GSu =  0 0 1 1 0 0 1 


0 0 0 0 1 1 1
Algorithm 1 give a simple method to construct a generator matrix G of Su (C) from a generator matrix G of C.

Algorithm 1 Generator matrix of G of Su (C)

• Construct a generator matrix of Imq (C) using the method described in Section II-E.
• Compute a generator matrix of the dual of this image.
• Delete the columns indexed by Ju and perform a Gaussian elimination on this matrix.
• Compute a generator matrix of the dual of this punctured code.

B. Subfield Subcode as shortened q-ary image of a code

If we choose a basis B = {b1 , b2 , ..., bm } of Fqm such that b1 = 1, then we have Fq = φ−1 ({(a1 , 0, 0, ..., 0) | a1 ∈ Fq }).
Proposition 5. Let u = (1, 1, ..., 1) be a n-tuples of positions. If B is a basis such that b1 = 1, then the code Su (C) is the
subfield subcode of C over Fq .
Proof: This is a direct consequence of Remark 1: a codeword c = (c1 , ..., cn ) ∈ Fnq is in Su (C) if and only if c′ =
(c1 , 0, ..., 0, c2 , 0, ..., 0, ...., cn , 0, ..., 0) ∈ Fnm
q is in Imq (C), which is equivalent to the fact that Φ−1 ′ n
B (c ) ∈ C ∩ Fq .
A natural question is: Does this construction allow to construct new codes? The answer will be given in the next section.
Proposition 6. Let u = (i, i, ..., i) be a n-tuples of positions where 1 ≤ i ≤ m. If B is a multiplicative basis of the form
B = (1, α, α2 , ..., αm−1 ), then the code Su (C) is the subfield subcode over Fq of C.
We do not the give the proof of this result, but it will be easily derived from the discussion of the next section.

IV. A FIRST ATTEMPT AT GENERALIZATION

In this section we will show that the codes introduced in Section III-A can also be constructed using the classical method
used to construct alternant codes. However, our approach leads to a second generalization presented in Section V.
For an arbitrary finite field Fq we denote by E = Fm
q and by GLq (m) the linear group of isomorphisms acting on E.
 7

A. q-ary block codes of length r over E

For more details on block codes, the reader can refer to [1].
Definition 6. Let (A, +) be an additive group. An additive code of length r over A is an additive subgroup of (An , +).
Definition 7. A block code of length n over E = Fm n
q is an additive code over the additive group (E , +) which is stable by
scalar multiplication of any element λ of Fq . The integer m is the size of the blocks.
Note that the condition on the scalar multiplication is not necessary if q = p is a prime number. Since En is a Fq -linear
vector space of dimension nm isomorphic to Fnm q , a block code is also a Fq -linear code of length nm. However, in this paper
we are not interested in its properties as code of length nm, but in its block properties.
In particular, we look at its block-weight wm , which denotes the number of non-zero blocks. For instance, the q-ary image
Imq (C) introduced previously is nothing else than a block code of size of blocks m and minimum block-distance equal to the
minimum distance of C.
Since a block code C is a Fq -linear code, it is possible to define the notion of generator matrix, which is nothing else than
the generator matrix of the corresponding linear code of length mn over Fq . If its dimension is k, in order to compare a
block code of block-size m with a Fqm -linear code, we introduce the notion of pseudo-dimension, which is k/m. Even if it
is possible to construct the Fq -dual of the linear code of length nm, the notion of duality for block code is not completely
obvious, for example the q-ary image of the dual of a code C over Fqm is not the dual of its q-ary image. More details on
additive block codes, some generalizations of generator matrices and a notion of block-duality can be found in [1].

B. Linear isometries of block codes

Generalizing the results of Section II-D, it is possible to define the isometry group of En . We denote by wm (x) the block
weight of a word x ∈ E n .
Let GLq (m) be the group of Fq -linear automorphism. Then GLq (m) is isomorphic to the group of non-singular square
matrices of length m × m over Fq .
For all f = (f1 , f2 , ..., fn ) ∈ GLq (m)n and x = (x1 |x2 |...|xn ) ∈ En where xi ∈ E, we define the action of GLq (m)n on
n
E as follows: f (x) = (f1 (x1 )|f2 (x2 )|..|fn (xn )). This is equivalent to multiplying x by the block-diagonal matrix of size
nm whose blocks are matrices of fi
Theorem 3. The Fq -isometries of En (i.e. linear isomorphisms preserving the Hamming block-weight) form a group generated
by block permutations and GLq (m)n .
Proof: Let M onn (GLq(m)) be the group generated by the block permutations where each block is of length m and the
block diagonal matrices of length mn which each matrix of length m on the diagonal is a non-singular matrix. It is clear that
block permutations and the block diagonal matrices preserve the Hamming block weight of the element of En .
Reciprocally, let g be an isometry of En . We look at the images of elements of En of block weight 1 by g. For 1 ≤ i ≤ n, let Vi
be the subspace of E n of elements with all bock component equal to 0 except the i-th: if x ∈ Vi , then x = (0, ..., 0, xi , 0, ..., 0),
xi ∈ E. Pick an element x ∈ Vi . Since g is a block isometry, y = g(x) ∈ Vj for some j, 1 ≤ j ≤ n. Suppose that there exists
another element x′ ∈ Vi such that g(x′ ) ∈ Vj ′ , with j 6= j ′ . Clearly wm (x + x′ ) = 1 and wm (g(x + x′ )) = 2. This implies that
g(Vi ) = Vj . So, g acts as a permutation on the set of Vi , which define the block-permutation part of our isometry. Applying
the inverse of this permutation to g, we can now suppose that, for all i, g(Vi ) = Vi . If gi denotes the restriction of g to Vi ,
gi must be Fq -linear, moreover, since gi preserves the block weight, Ker(gi ) = {0}, so gi ∈ GLq (m), which completes the
proof of this theorem.

The “monomial group” M onn (GLq(m)) introduced in the proof of Theorem 3 consists of the n × n matrices having one
and only one nonzero elements on each row and each column, moreover this non-zero element must be invertible and then is
an element of GLq (m)n . So, this theorem is a generalization of Section II-D.
Definition 8. Let C and C ′ be two block codes of length n over E. The codes C and C ′ are equivalent if there exists an
element f ∈ M onn (GLq(m)) such that C ′ = f (C).
Clearly, if C ′ = f (C), then the minimum block-distances of C and C ′ are equal. Moreover, if there exists a block-distance
decoding algorithm for C, it can be used to decode C ′ .
There is no natural notion of duality for the block structure of a Fq -linear code over E n . However, we can look at the dual
of a block code C considered as a code of length nm over Fq .
If fi ∈ GLq (m) is a linear isomorphism, we denote by fiT its adjoint isomorphism. From a matrix point of view, this means
that MfiT = MfTi .
Proposition 7. Let C be an additive code of length n over E, f = (f1 , ..., fn ) ∈ GLq (m)n be a diagonal isometry (without
permutation) and C ′ = f (C). Let f ∗ = ((f1−1 )T , ..., (fn−1 )T ) ∈ GLq (m)n . Then the relation between the dual of C and the
dual of C ′ is C ′⊥ = f ∗ (C ′⊥ ).
 8

n
X n
X
Proof: If x = (x1 , ..., xn ) ∈ En and y = (y1 , ..., yn ) ∈ En , then we have < x, y >= < xi , yi >= xi yiT .
i=1 i=1
Applying this property to f (x) and f ∗ (y), we obtain
Xn n
X n
X
∗ −1 T T −1 T
< f (x), f (y) >= xi Mfi (yi (Mfi ) ) = xi Mfi Mfi yi = xi yiT =< x, y >.
i=1 i=1 i=1
Consequently, we have < x, y >= 0 if and only if < f (x), f ∗ (y) >= 0, which completes the proof.
In addition, it is easy to verify that the dual of a permuted block code is the permuted block code of its dual.

C. Generalized Subfield Subcodes

Combining the results of Section III-A and Section IV-B, we are able to define the notion of generalized subfield subcode
of a linear code C over Fqm .
As before, B denotes a fixed basis of Fqm over Fq , u denotes a set of indexes used to construct a shortened code,
f = (f1 , ..., fn ) ∈ GLq (m)n an n-tuple of linear isomorphisms, π a permutation of the n blocks and mon = π ◦ f ∈
M onn (GLq(m)) the corresponding isometry.
Definition 9. Let C be a Fqm -linear code of length n. The Generalized Subfield Subcode with relative to B, u and mon is the
Fq -linear code GSS(C) = Su (mon(Imq (C))).
We can immediately make some remarks.
Remark 3.
′ ′
• If C is an [n, k, d]qm -linear code, then GSS(C) is an [n, k ≥ n − m(n − k), d ≥ d]q -linear code. Moreover, if C has a
decoding algorithm up to t errors, this algorithm can be applied to GSS(C).
• In order to construct all the Generalized Subfield Subcodes of a code C, it is not necessary to change the basis B, indeed,
a change of basis can be made by applying the corresponding matrix to the coordinates of f .
• In order to construct all the Generalized Subfield Subcodes of a code C, it is sufficient to use the projections indexed
by 1̄ = (1, 1, ..., 1). Indeed, other values for the coordinatesui correspond to permutations on each m-blocks, which is
always a linear mapping in GLq (m) and can be composed with the fi ’s.
Following Algorithm 1, Algorithm 2 allows to construct a generator matrix of a GSS code. The basis B is fixed and
u = (1, ..., 1).

Algorithm 2 Generator matrix of a GSS code

Input: A generator matrix G of C and mon ∈ M onn (GLq(m))
Output: A generator matrix G of GSS(C), relative to mon.
1) Construct a generator matrix M of Imq (C)
2) Compute M ′ = M Diagf where Diagf is the nm × nm block diagonal matrix, with each block corresponding to the
fi ’s.
3) Compute a parity check matrix H ′ of M ′ .
4) Delete the columns of the matrix H ′ except the first ones of each block. This leads to a parity check matrix H of
GSS(C).
5) Perform a Gaussian elimination on H.
6) Permute H according to π.
7) Compute a parity check matrix G of H
Return: G

A first remark is the fact that the permutation π can be applied at any time from step 3 in the algorithm. However, it is
simplest to perform the permutation at the end, since we no longer have to apply this permutation on blocks, but only on
vectors of length n.
In addition, it is possible to use Proposition 7 in the algorithm by inverting the order of Step 2 and Step 3 and replacing f
by f ∗ . This give the following variant for steps 2) to 4):
2) Compute a parity check matrix H of M .
3) Compute H ′ = HDiagf ∗ .
4) Delete the columns of the matrix H ′ except the first ones of each block. This leads to a parity check matrix H of
GSS(C).
Let p1 : E 7→ Fq be the projection of an element on to its first component, the operations 2) and 3) of this variant can be
combined into a single map p1 (f ∗ ) = (p1 ◦ (f1−1 )T , ..., p1 ◦ (fn−1 )T ) ∈ (E ∗ )n where E ∗ is the dual vector space of E, i.e.
E ∗ = L(E, Fq ).
 9

Remember that E ∗ is isomorphic to E as follows: for y ∈ E, we denote by φy ∈ E∗ the map defined by φy (x) =< x, y >=
xy T . So, instead of choosing an element mon = π ◦ f as input of Algorithm 2, we can choose a permutation π and an n-tuple
y = (y1 , ..., yn ) ∈ (E \ {0})n . We denote by Diagy the nm × n block diagonal matrix with diagonal blocks yiT . Note that
the diagonal blocks are not square matrices, but column vectors. So, the mapping p1 (f ∗ ) = y is computed using Diagy : for
x = (x1 , ..., xn ) ∈ E n , y(x) = (x1 y1T , ..., xn ynT ) = xDiagy . This leads to Algorithm 3:

Algorithm 3 Generator matrix G of GSS(C) relative to π and y

Input: A generator matrix G of C, a permutation π, and a matrix Diagy with yi 6= 0 for 1 ≤ i ≤ n.
Output: A generator matrix G of GSS(C), relative to π and y.
1) Construct a generator matrix M of Imq (C)
2) Compute a parity check matrix H of M .
3) Compute H ′ = M Diagy .
4) Perform a Gaussian elimination on H ′ .
5) Permute H ′ according to π.
6) Compute a parity check matrix G of H ′
Return: G

D. Link between generalized subfield subcodes and subfield subcodes of equivalent codes
In this section, we show that the generalized subfield subcodes of a given code are nothing else than subfield subcodes of
equivalent codes. However, the approach presented in Section III gives a new point of view on this topic and will naturally be
extended in the next section.
We need to have a more algebraic approach of the construction of generalized subfield subcodes. Suppose first without loss
of generality, that the block permutation π is the identity. Indeed, this permutation can always be considered as having already
been applied beforehand to the code C.
We will look at a fixed coordinate of a word c = (c1 , ..., cn ) ∈ C ⊂ Fnqm . We choose a coordinate u = ci ∈ Fqm . Suppose
Xm
that u = ui bi , ui ∈ Fq is the decomposition of u on the basis B. Let M = Mfi be a m × m matrix corresponding to
i=1
fi ∈ GLq (m). This matrix M can be interpreted as a change of basis B to B ′ = (b′1 , ..., b′m ): (u1 , ..., um )M is nothing else
than the coordinates of u on this new basis B ′ . Let Vi = V be the Fq -subspace of Fqm generated by b′1 . The shortening
operation in the i-th m-tuple in the construction of a generalized subfield subcode consists of keeping only the code words
having their i-th coordinate in Vi , and then identify Vi to Fq by means of its generator b′1 .
We have shown the following proposition:
Proposition 8. The generalized subfield subcodes of a Fqm -linear code C can be constructed as follows:
1) Choose a set of n Fq -subspaces Vi of rank 1 of Fqm .
n
Y
2) Set C ′ = C ∩ Vi .
i=1
3) By means of a generator ai of each Vi , identifies Vi to Fq . This leads to a q-ary image C = Imq (C ′ ).
4) Choose a permutation π over Fnq and return π(C).
One can remark that, since C is a Fq -linear code, the construction does not depend on the choice of representatives ai .
As a consequence of Proposition 8, we obtain the following theorem:
Theorem 4. Let C be an [n, k]qm -linear code. The generalized subfield subcodes of C are exactly the codes obtained by taking
the subfield subcodes of the Fqm -linear codes equivalent to C under Fqm -linear isometries (as described in Section II-D).
Proof:
Without lost of generality, we can suppose that, for both the generalized subfield subcode construction and the subfield
subcode of equivalent codes construction, the permutation π is the identity.
Note that the subfield subcode of C over Fq corresponds to the choice V1 = ... = Vn = L(1) = Fq ⊂ Fqm .
Consider now any choice of subspaces Vi = L(ai ). Set D = Diag(a1 , ..., an ) be the n×n diagonal matrix which corresponds
to the multiplication of each component by the ai ’s. The subfield subcode of the image of C by D is clearly the generalized
Yn
subfield subcode of C corresponding to Vi .
i=1
The following corollary is a direct consequence of Theorem 4.
Corollary 3. The Generalized Subfield Subcodes of Reed-Solomon codes are exactly Alternant codes.
 10

In addition, we will make explicit the link between the subspaces Vi of Proposition 8 and the yi ’s of Algorithm 3.
Proposition 9. The vector spaces of Proposition 8 are generated by the elements yi of Algorithm 3.
Proof: As previously, we denote by M = Mfi the m × m matrix corresponding to fi ∈ GLq (m). This matrix M is
interpreted as a change of basis B to B ′ = (b′1 , ..., b′m ). The matrix M −1 corresponds to the change of basis from B ′ to B. Its
first row is given by the coordinates of b′1 in the basis B. In the construction of Algorithm 3, the coordinates of yi are given
by the first column of (M −1 )T . Consequently, we have b′1 = ai = yi , which completes our proof.

V. S UBSPACE SUBCODES
Codes defined over a finite field of great size are used to correct burst errors or for concatenation of codes. The most famous
example is that of Reed-Solomon codes over F2m , with typical values 4 ≤ m ≤ 8. However Reed-Solomon codes are MDS
codes, which implies in particular that their length n is limited to 2m .
In practice, for transmission applications, a code over F2m is generally implemented in binary, i.e. using its binary image
Im2 (C). The notion of additive block codes over E = Fm 2 is an interesting and efficient alternative for applications. In this
section, we will present a generic construction of additive block codes of length greater than 2m . If the starting code is a
Reed-Solomon code, these new codes posses a decoding algorithm and have a constructed minimal distance, which remains
very competitive even if these codes cannot be MDS.
In this section, we introduce a new class of additive block codes with interesting parameters for both transmission and
cryptology applications.
In order to facilitate a comparison between the parameters of linear codes over Fqm and block codes over Fm q , we use the
notation [n; k; d]qm for their parameters, with n is the m-block length of the code, k = Logqm (♯C) is its pseudo-dimension
and d is its m-block minimum distance. Note that, for an additive block code, k is not necessarily an integer.
In order to simplify the presentation of this section, we do not discuss the presence of a possible permutation π which is
implicitly fixed to be the identity.

A. Subspace subcodes
A natural, simple and efficient way to generalize the approach introduced in Section IV-D is to increase the size of the
subspaces Vi .
Definition 10. Let C be an Fqm -linear code of length n and V be a Fq -subspace of Fqm of dimension r ≤ m. The subspace
subcode over V of C is the Fq -linear code SSV (C) = C ∩ V n .
Most of the previous results can be generalized directly. Fixing a basis B = (β1 , ..., βr ) of V , the code SSV (C) can be
identified by an additive block code over E = Frq . If we complete the basis B into a basis B of E, this block code is obtained
by shortening the q-ary image of C over the m − r last components of each block.
We deduce directly the following proposition:
Proposition 10. If the parameters of C are [n, k, d]qm , then those of SSV (C) are [n, k ′ ≥ (km − n(m − r), d′ ≥ d]qr .
Note that, if we choose another basis B of V , it leads to an equivalent (in the meaning of Section IV-B) block code.
In addition, if there is a decoding algorithm for C, this algorithm can be applied to decode SSV (C).

B. Generalized subspace subcode

Definition 11. Let C be a Fqm -linear code of parameters [n; k; d]qm . Let r be an integer less than m. Let V1 , ..., Vn be a set of
Yn
n Fq -subspaces of Fq of dimension r. Set W =
m Vi , constituted of n-tuples with the i-th coordinate in Vi . The generalized
i=1
subspace subcode of C relative to W is the Fq -vector space GSSW (C) = C ∩ W .
Proposition 10 can be also applied to generalized subspace subcodes.
Example 3. Following Example 2, we start from the Reed Solomon code RS3 with parameters [7; 5; 3]8 . A generator matrix
of the dual of its binary image is
 
1 0 0 0 0 0 1 0 1 1 0 0 1 0 1 0 0 1 0 0 1
 0 1 0 0 0 0 1 1 1 0 1 0 1 1 1 1 0 1 1 0 1 
 
 0 0 1 0 0 0 0 1 1 0 0 1 0 1 1 0 1 0 0 1 0 
H=  0 0 0

 1 0 0 0 1 1 1 0 0 1 1 1 1 1 1 0 1 1 

 0 0 0 0 1 0 1 1 0 0 1 0 1 0 0 1 0 0 1 1 0 
0 0 0 0 0 1 1 1 1 0 0 1 1 1 0 1 1 0 1 1 1
 11

We choose W = V1 V2 V1 V3 V1 V2 V1 , where V1 is generated by 1 and α, V2 by 1 and α2 and V3 by α and α2 . So, in order

to obtain a parity check matrix of C = GSSW (RS3 ), we delete the columns indexed by 3, 5, 9, 10, 15 17 and 21 of H. A
binary generator matrix of C is then
 
1 0 0 0 0 0 0 0 1 0 1 0 0 0
 0 1 0 0 0 0 0 0 0 1 0 1 0 0 
 
 0 0 1 0 0 0 0 0 0 0 1 0 1 0 
 
 0 0 0 1 0 0 0 0 0 0 0 1 0 1 
G=  0 0 0 0 1 0 0 0 1 0 1 0 1 0 

 
 0 0 0 0 0 1 0 0 0 1 0 1 0 1 
 
 0 0 0 0 0 0 1 0 1 0 0 0 1 0 
0 0 0 0 0 0 0 1 0 1 0 0 0 1
As a binary code, its parameters are [14; 8; 3]2. If we look at this code as a block-code of block size equals to 2, it is a
[7; 4; 3]4 code, which is optimal compared to a code over F4 of length 7 and dimension 4.
In practice, if we want to construct such codes, it is easy to extend the previous algorithms to Algorithm 4.

Algorithm 4 Generator matrix G G of GSSW (C)

n
Y
Input: A generator matrix G of C, a set W = Vi of n vector spaces Vi of dimension r. Each Vi is defined by a basis
i=1
(vi,1 , ..., vi,r ) of Vi .
Output: A generator matrix G of GSSW (C).
1) Construct a generator matrix M of Imq (C)
2) Construct n matrices Mi of size r × m. The rows of Mi are the coordinates of the basis (vi,1 , ..., vi,r ) of Vi relative to
B.
3) Compute D = Diag(M1T , ..., MnT ), the block-diagonal matrix of size mn × rn having the matrices MiT as diagonal
blocks.
4) Compute H ′ = HD.
5) Perform a Gaussian elimination on H ′ .
6) Compute a parity check matrix G of H ′
Return: G

C. Examples
In this construction, the minimum distance of the original code is preserved, while the dimension of the code decreases with
the number of punctured positions. So, the value r = m − 1 seems interesting to provide codes with nice parameters.
We give some examples.
• q = 2, m = 4, r = 3. We start from the extended Reed-Solomon code C over F16 with parameters [16; 13; 4]16 . For r = 3,
the parameters of any generalized subspace subcode of C are [16; k ′ ≥ 12; d′ ≥ 4]8 . Note that the parameters [16; 12; 4]8
are optimal for F8 -linear code.
In practice, all the codes we obtained had parameters exactly [16; 12; 4]8.
• q = 2, m = 5, r = 3. We start from the extended Reed-Solomon code C over F32 with parameters [32, 26, 7]16. For
r = 3, the parameters of any generalized subspace subcode of C are [32; k ′ ≥ 22; d′ ≥ 7]8 . The parameters [32; 22; 7]8
are optimal for F8 -linear code.
• q = 2, m = 9,. We start from the extended Reed-Solomon code C over F29 with parameters [512, 350, 163]512. For
r = 83, the parameters of any generalized subspace subcode of C are [512; k ′ ≥ 329.75; d′ ≥ 163]256 .

D. Cryptographic applications
The purpose of this section is not to present the complete design of a public key cryptosystem, but to show that the
generalized subspace subcode construction is a promising research direction to hide the structure of a code.
The general principle of such a cryptosystem is as follows: the starting point is a class of codes for which there exists an
efficient decoding algorithm up to a fixed number t of errors. The structure of such a code is masked by some operations
which constitute the secret key. The public key is then a generator matrix of a code which looks like a random code C. The
message to be encrypted is encoded by a generator matrix of C and a random error of weight t is added to this message.
Such a cryptosystem is sensitive to two types of attacks:
• Structural attacks that involve retrieving the structure of the masked code.
 12

• Decoding by brute force. This consists of applying generic decoding algorithms to a random code. This problem is
NP-hard, however the parameters of the code must be sufficiently large to resist at this kind of attacks.
The evaluation of the brute force decoding attack is not easy, and many papers are devoted to this topic [4], [8], [11], [19].
We chose to use a simple criterion: for a given code of parameters [n; k; d] with correction capacity t = ⌊(d − 1)/2⌋, we
compute the ratio between thenumber  of information
 sets and the number of information sets without errors. Our measure of
n n−t
the workfactor is then wf = / . Our criterion yields a workfactor greater or equal to 2128 .
k k
Most of McEliece-like cryptosystems use subfield subcodes of Generalized Reed-Solomon codes (for example the binary
Goppa codes in the original McEliece cryptosystem). We propose to use generalized subspace subcodes of Reed-Solomon
codes (GSS codes of GRS codes for short).
There are some advantages and disadvantages to using generalized subspace subcodes instead of subfield subcodes.
• In the case r = 1 and q = 2, our generalized subspace subcodes are nothing else than Alternant codes, and it is well-known
that Goppa codes have better parameters.
• For r close to m (typically m − 4 ≤ rm), the code parameters become more interesting. Moreover, if we want to construct
′
subfield subcodes of a code over Fqm , the size of subfield is bounded above by 2m , with m′ ≤ m/2. So our parameters
are more flexible. Finally, there exist some attacks against subfield subcodes of GRS codes over large fields [6], [7]. A
priori, this type of attack does not apply to generalized subfield subcodes.
• The main reason for this comes from the fact that the GSS codes are no longer defined over a field but over some vector
space. In return, the description of these codes as linear codes over F2m′ cannot be used. We need to give a full Fq basis
of our codes, which increase the size of the secret key.
In practice, a binary Goppa code of parameters [4096; 3556; 91] leads to a resistance against brute force decoding greater
than our criterion wf ≥ 2128 . The corresponding size of the public key is then 938 Ko.
Our third example in Section V-C has for parameters [512; 329; 163]28 and leads to a workfactor greater than 2128 . In
addition, one can notice that we did not take in account the fact that this code is defined over a large alphabet, which will
increase the complexity of this attack. Unfortunately, the size of the secret key is very large, approximatively 1514 Ko. This
is essentially due to the fact that q = 2, that implies the code is F2 -linear.
An intermediate solution consists in choosing a relatively large q and a small m. Set q = 24 = 16, m = 3 and r = 2. We
obtain Fqm = F212 , so it is possible to pick a Reed-Solomon code up to the length 212 = 4096. For example, we choose a
Reed-Solomon code of parameters [700; 580; 121]212 . The Vi subspaces of our construction are subspaces over F16 of dimension
2. We obtain a F16 -linear GSS code of parameters [700; 520; 121]28 , which leads to a workfactor wf greater than 2128 . The
Fq -generator matrix is of size 1400 × 1040. Each entry is over F24 and needs 4 bits of memory. As usual, we use a systematic
matrix to describe our code i.e. a matrix of size k × n − k. The size of the public key is then 1040 × 360 × 4 = 1497600
bits, or 183 Ko, which is significantly smaller than a classical Goppa code with the same level of security against brute force
decoding.

VI. C ONCLUSION
The purpose of this paper is not to present a complete study of structural attacks against subspace subcodes. Here is a list
of questions that naturally come to mind and deserve further development.
1) The equivalent of GRS codes in the subspace subcode context correspond to generalized subspace subcodes of Reed-
Solomon code with parameter r = m. It is well known that, from a generator matrix of a GRS code, it is easy to recover
the underlying algebraic structure, i.e. the support of the corresponding Reed-Solomon code and the values of the scalar
multiplications on each component [18].
The problem in the GSS context is the following: we fix a Reed-Solomon code C of parameters [n; k; d] over Fqm .
We choose a basis B and compute Imq (C). We pick randomly an element mon in M onn (GLq (m)) and compute a
Fq -generator matrix G of mon(Imq (C)). From the matrix G, is it possible in reasonable time to recover RS and mon
or another equivalent set of parameters RS ′ and mon′ ?
2) Given a Reed-Solomon code C and a Fq -generator matrix under systematic form of a generalized subspace subcode
GSSW (C), is it possible to recover the secret basis of the subspaces Vi and the permutation π? This question is
connected to a list of problems in increasing order of difficulty:
• Suppose π is known (which equivalent to π is the identity).
– r = m. This particular case will probably be solved using the conjugacy of matrices.
– 1 ≤ r < m.
• π is unknown.
– r = m.
– 1 ≤ r < m.
3) Given a Fq -generator matrix under systematic form of a generalized subspace subcode GSSW (C) with C an unknown
Reed-Solomon code, is it possible to recover C and the algebraic parameters of GSSW (C)?
 13

R EFERENCES
[1] T. P. Berger and N. E. Amrani, “Codes over L(GF(2)m , GF(2)m ) , MDS diffusion matrices and cryptographic applications,” in Codes, Cryptology, and
Information Security - C2SI 2015, Proceedings, ser. Lecture Notes in Computer Science, S. E. Hajji, A. Nitaj, C. Carlet, and E. M. Souidi, Eds., vol.
9084. Springer, 2015, pp. 197–214.
[2] T. P. Berger, P. Cayrel, P. Gaborit, and A. Otmani, “Reducing key length of the McEliece cryptosystem,” in Progress in Cryptology - AFRICACRYPT
Proceedings, ser. Lecture Notes in Computer Science, B. Preneel, Ed., vol. 5580. Springer, 2009, pp. 77–97.
[3] T. P. Berger and P. Loidreau, “How to mask the structure of codes for a cryptographic use,” Des. Codes Cryptography, vol. 35, no. 1, pp. 63–79, 2005.
[4] D. J. Bernstein, T. Lange, and C. Peters, “Smaller decoding exponents: Ball-collision decoding,” in Advances in Cryptology - CRYPTO 2011, Proceedings,
ser. Lecture Notes in Computer Science, P. Rogaway, Ed., vol. 6841. Springer, 2011, pp. 743–760.
[5] G. Cohen, I Honkala, S. Lytsin and A. Lobstein, “Covering codes” North Holland Mathematical Library, 1997.
[6] J. Faugère, A. Otmani, L. Perret, F. de Portzamparc, and J. Tillich, “Structural cryptanalysis of McEliece schemes with compact keys,” Des. Codes
Cryptography, vol. 79, no. 1, pp. 87–112, 2016.
[7] J. Faugère, A. Otmani, L. Perret, and J. Tillich, “Algebraic cryptanalysis of McEliece variants with compact keys,” in Advances in Cryptology -
EUROCRYPT 2010, Proceedings, ser. Lecture Notes in Computer Science, H. Gilbert, Ed., vol. 6110. Springer, 2010, pp. 279–298.
[8] M. Finiasz and N. Sendrier, “Security bounds for the design of code-based cryptosystems,” in Advances in Cryptology - ASIACRYPT 2009, Proceedings,
ser. Lecture Notes in Computer Science, M. Matsui, Ed., vol. 5912. Springer, 2009, pp. 88–105.
[9] P. Gaborit, “Shorter keys for code based cryptography” in International Workshop on Coding and Cryptography - WCC 2005, Proceedings, Bergen,
Norway, Mar. 2005, pp. 81–91.
[10] W.C. Huffman, “Groups and codes” in V.S. Pless and W.C. Huffman, editors,Handbook of Coding Theory, chapter 17. Elsevier, Amsterdam, The
Netherlands, 1998.
[11] P. J. Lee and E. F. Brickell, “An observation on the security of McEliece’s public-key cryptosystem,” in Advances in Cryptology - EUROCRYPT ’88,
Proceedings, ser. Lecture Notes in Computer Science, C. G. Günther, Ed., vol. 330. Springer, 1988, pp. 275–280.
[12] R. Misoczki and P. S. L. M. Barreto, “Compact McEliece keys from goppa codes,” in Selected Areas in Cryptography - SAC 2009, Revised Selected
Papers, ser. Lecture Notes in Computer Science, M. J. J. Jr., V. Rijmen, and R. Safavi-Naini, Eds., vol. 5867. Springer, 2009, pp. 376–392.
[13] R. Misoczki, J. Tillich, N. Sendrier, and P. S. L. M. Barreto, “MDPC-McEliece: New McEliece variants from moderate density parity-check codes,” in
Proceedings of the 2013 IEEE International Symposium on Information Theory. IEEE, 2013, pp. 2069–2073.
[14] P. S. L. M. Barreto, R. Lindner, and R. Misoczki, “Monoidic codes in cryptography,” in Post-Quantum Cryptography - PQCrypto 2011, Proceedings,
ser. Lecture Notes in Computer Science, B. Yang, Ed., vol. 7071. Springer, 2011, pp. 179–199.
[15] R. McEliece, “A public-key cryptosystem based on algebraic coding theory” DSN Prog. Rep., Jet Prop. Lab., California Inst. Technol., Pasadena, CA
(January 1978) pp. 114–116.
[16] F.J. MacWilliams and N.J.A. Sloane, “The Theory of Error Correcting Codes” North-Holland, Amsterdam, 1986.
[17] E. Persichetti, “Compact McEliece keys based on quasi-dyadic Srivastava codes,” J. Mathematical Cryptology, vol. 6, no. 2, pp. 149–169, 2012. [
[18] V. M. Sidel’nikov and S. O. Shestakov. “On cryptosystems based on generalized Reed-Solomon codes,” Discrete Mathematics, vol. 4, no. 3, pp. 57–63,
1992.
[19] R. C. Torres and N. Sendrier, “Analysis of information set decoding for a sub-linear error weight,” in Post-Quantum Cryptography - PQCrypto 2016,
Proceedings, ser. Lecture Notes in Computer Science, T. Takagi, Ed., vol. 9606. Springer, 2016, pp. 144–161.
[20] C. Wieschebrink, “Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes,” in Post-Quantum Cryptography, PQCrypto 2010,
Proceedings, ser. Lecture Notes in Computer Science, N. Sendrier, Ed., vol. 6061. Springer, 2010, pp. 61–72.