arXiv: 2604.12954 · v1 · submitted 2026-04-14 · cs.CR · cs.IT · math.IT

Distinguishers for Skew and Linearized Reed-Solomon Codes

Pith reviewed 2026-05-10 15:24 UTC · model grok-4.3

classification cs.CR · cs.IT · math.IT
keywords Reed-Solomon codes · skew polynomials · linearized polynomials · code-based cryptography · distinguisher · square code method · Gabidulin codes

The pith

Skew and linearized Reed-Solomon codes decompose into generalized Reed-Solomon subcodes, making them distinguishable from random codes using square code methods.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines generalized versions of Reed-Solomon and Gabidulin codes, known as GSRS and GLRS codes, which are built from skew polynomials and aim to offer better error correction for code-based cryptography. It shows that these codes break down into standard generalized Reed-Solomon subcodes. This structure allows a square code distinguisher to separate them from random codes for parameter ranges where the dimension k satisfies m+1 < k < n - 0.5(m² + 3m). The distinguishability holds even when the codes are disguised using Hamming-isometric transformations.

Core claim

Both GSRS and GLRS codes decompose into GRS subcodes and are thus efficiently distinguishable from random codes with a square code method. This applies to all parameters for which the code length n and its dimension k over the field F_{q^m} satisfy m + 1 < k < n - 1/2 (m² + 3m). The distinguishability extends to GSRS and GLRS codes with Hamming-isometric disguising.

What carries the argument

The square code method applied after proving that GSRS and GLRS codes decompose into GRS subcodes.

If this is right

  • GSRS and GLRS codes in the given parameter range can be efficiently distinguished from random linear codes.
  • Existing structural attacks on GRS and Gabidulin codes extend to these generalized versions.
  • The algebraic relationship between skew and linearized frameworks allows explicit transformations between GSRS and GLRS codes.
  • Results on duals of SRS and LRS codes extend to the generalized setting with nonzero column multipliers.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Code-based cryptosystems using these codes may require additional disguising techniques beyond Hamming-isometric transformations to resist distinguishers.
  • Future designs of skew polynomial-based codes should account for subcode decompositions to avoid square code attacks.
  • Connections to existing distinguishers for GRS and Gabidulin codes suggest a unified framework for detecting algebraic structure in evaluation codes.

Load-bearing premise

The subcode decomposition into GRS codes persists even after applying Hamming-isometric disguising transformations.

What would settle it

A specific GSRS or GLRS code instance with parameters in the range where the square code dimension matches that of a random code of the same length and dimension would falsify the distinguisher.
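
The square code method on its simplest instance, as an added example (not code from the paper or from Pith): it compares the square-code dimension of a GRS code, of the same code after a Hamming-isometric disguise, and of a random code of the same length and dimension. The toy field F_31, the parameters n = 30 and k = 6, and all function names are assumptions; the skew and linearized evaluation maps of GSRS and GLRS codes are not implemented here.

```python
import random
from itertools import combinations_with_replacement

P = 31  # constructed toy prime field; the paper's codes live over F_{q^m}


def rank_mod_p(rows, p=P):
    """Rank of a matrix over F_p (Gauss-Jordan elimination)."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [x * inv % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def square_code_dim(gen, p=P):
    """Dimension of the span of all componentwise products of two rows."""
    prods = [[a * b % p for a, b in zip(r, s)]
             for r, s in combinations_with_replacement(gen, 2)]
    return rank_mod_p(prods, p)


def grs_generator(alphas, mults, k, p=P):
    """Row i is (v_j * alpha_j^i)_j: a GRS code of dimension k."""
    return [[v * pow(a, i, p) % p for a, v in zip(alphas, mults)]
            for i in range(k)]


def disguise(gen, rng, p=P):
    """Apply a Hamming isometry (column permutation, nonzero column
    multipliers) and a random change of basis to a generator matrix."""
    k, n = len(gen), len(gen[0])
    perm = rng.sample(range(n), n)
    mult = [rng.randrange(1, p) for _ in range(n)]
    g = [[row[perm[j]] * mult[j] % p for j in range(n)] for row in gen]
    while True:  # random invertible k x k scrambler
        s = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
        if rank_mod_p(s, p) == k:
            break
    return [[sum(s[i][t] * g[t][j] for t in range(k)) % p for j in range(n)]
            for i in range(k)]


def random_generator(k, n, rng, p=P):
    """Generator matrix of a uniformly random k-dimensional code."""
    while True:
        g = [[rng.randrange(p) for _ in range(n)] for _ in range(k)]
        if rank_mod_p(g, p) == k:
            return g


def flags_structure(gen, p=P):
    """True if the square code is smaller than the min(n, k(k+1)/2)
    that the square of a random code typically reaches."""
    k, n = len(gen), len(gen[0])
    return square_code_dim(gen, p) < min(n, k * (k + 1) // 2)


def demo(seed=2026, n=30, k=6, p=P):
    """Return (square dimension, flagged?) for the three constructed codes."""
    rng = random.Random(seed)
    alphas = rng.sample(range(p), n)  # distinct code locators
    mults = [rng.randrange(1, p) for _ in range(n)]
    grs = grs_generator(alphas, mults, k, p)
    codes = (("grs", grs), ("disguised", disguise(grs, rng, p)),
             ("random", random_generator(k, n, rng, p)))
    return {name: (square_code_dim(g, p), flags_structure(g, p))
            for name, g in codes}


if __name__ == "__main__":
    for name, (dim, flagged) in demo().items():
        print(f"{name:10s} square dim = {dim:2d}  structured = {flagged}")
```

For the GRS code the square is spanned by evaluations of monomials of degree at most 2k - 2, so its dimension is 2k - 1 before and after the disguise, while the random code fills k(k+1)/2 dimensions.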

Original abstract

Generalized Reed-Solomon (GRS) and Gabidulin codes have been proposed for various code-based cryptosystems, though most such schemes without elaborate disguising techniques have been successfully attacked. Both code classes are prominent examples of the isometric families of (generalized) skew and linearized Reed-Solomon ((G)SRS and (G)LRS) codes which are obtained as evaluation codes from skew polynomials. Both GSRS and GLRS codes share the advantage of achieving the maximum possible error-decoding radius and thus promise smaller key sizes than e.g. Classic McEliece. We investigate whether these generalizations can avoid the known structural attacks on GRS and Gabidulin codes. In particular, we prove that both GSRS and GLRS codes decompose into GRS subcodes and are thus efficiently distinguishable from random codes with a square code method. This applies to all parameters for which the code length $n$ and its dimension $k$ over the field $\mathbb{F}_{q^m}$ satisfy $m + 1 < k < n - \tfrac{1}{2} (m^2 + 3m)$. The distinguishability extends to GSRS and GLRS codes with Hamming-isometric disguising. We further relate these findings to existing distinguishers for GRS, Gabidulin, and LRS codes, and extend known results on duals of SRS and LRS codes to the generalized setting allowing nonzero column multipliers. Finally, we provide explicit transformations between GSRS and GLRS codes, clarifying the algebraic relationship between the skew and linearized frameworks.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proves that generalized skew Reed-Solomon (GSRS) and generalized linearized Reed-Solomon (GLRS) codes decompose into GRS subcodes for all parameters satisfying m + 1 < k < n - ½(m² + 3m). This decomposition implies that the codes have low-dimensional square codes and are thus efficiently distinguishable from random codes by the square-code method. The distinguishability is asserted to extend to codes disguised by Hamming isometries (position permutations and nonzero column multipliers). The manuscript also relates these results to prior distinguishers for GRS, Gabidulin, and LRS codes, extends known dual characterizations to the generalized setting with column multipliers, and supplies explicit transformations between the GSRS and GLRS families.

Significance. If the decomposition and its invariance under isometries hold, the work shows that GSRS and GLRS codes remain structurally attackable even after standard disguising, limiting their direct use in code-based cryptography without stronger hiding techniques. The algebraic decomposition result, the explicit GSRS–GLRS transformations, and the extension of dual statements constitute concrete contributions to the structural theory of evaluation codes over skew polynomials.

major comments (2)
  1. [§5] §5 (extension to Hamming-isometric disguises): the claim that the square-code distinguisher continues to apply after disguising rests on the assertion that the isometry maps the GRS subcode to another GRS subcode whose square-code dimension is unchanged. No separate lemma isolates the precise conditions on the nonzero column multipliers under which the decomposition commutes with the disguise; if multipliers interact with the skew or linearized evaluation map, the square-code dimension may increase and the distinguisher may fail even when the plain-code parameters satisfy the stated inequality.
  2. [Theorem 4.3] Theorem 4.3 (decomposition statement): while the parameter range m + 1 < k < n - ½(m² + 3m) is stated precisely, the proof sketch does not explicitly verify that the resulting GRS subcodes remain of dimension at least 2 (necessary for the square-code dimension to be strictly smaller than that of a random code of the same length and dimension).
minor comments (2)
  1. [§2] The notation for the skew polynomial ring and the evaluation map is introduced in §2 but the precise definition of the generalized multiplier vector is only referenced later; a consolidated notation table would improve readability.
  2. [§1] Several citations to prior square-code distinguishers for Gabidulin codes appear in the introduction but lack page or theorem numbers, making it harder to trace the exact technical differences claimed in §6.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful reading and constructive comments on our manuscript. We address the two major comments point by point below. Both points identify places where the presentation can be strengthened by additional explicit verification; we will incorporate the requested clarifications in the revised version.

point-by-point responses
  1. Referee: [§5] §5 (extension to Hamming-isometric disguises): the claim that the square-code distinguisher continues to apply after disguising rests on the assertion that the isometry maps the GRS subcode to another GRS subcode whose square-code dimension is unchanged. No separate lemma isolates the precise conditions on the nonzero column multipliers under which the decomposition commutes with the disguise; if multipliers interact with the skew or linearized evaluation map, the square-code dimension may increase and the distinguisher may fail even when the plain-code parameters satisfy the stated inequality.

    Authors: We agree that the interaction between nonzero column multipliers and the skew/linearized evaluation maps merits an isolated statement. In the revision we will add a short lemma (placed in §5) proving that any Hamming isometry maps a GSRS (resp. GLRS) code to another code in the same family whose GRS subcodes are again GRS codes of identical dimension. The argument uses the fact that column multipliers act by right-multiplication on the evaluation vectors and therefore commute with the square-code construction; the skew or linearized structure is preserved because the multipliers are field elements independent of the automorphism. This establishes that the square-code dimension bound remains unchanged, so the distinguisher applies to the disguised codes exactly when it applies to the plain codes. revision: yes

  2. Referee: [Theorem 4.3] Theorem 4.3 (decomposition statement): while the parameter range m + 1 < k < n - ½(m² + 3m) is stated precisely, the proof sketch does not explicitly verify that the resulting GRS subcodes remain of dimension at least 2 (necessary for the square-code dimension to be strictly smaller than that of a random code of the same length and dimension).

    Authors: The referee correctly notes that the current proof sketch omits an explicit check that each GRS subcode has dimension at least 2. The decomposition in Theorem 4.3 produces GRS subcodes whose dimensions are k - m (or an analogous quantity depending on the precise splitting). Because the hypothesis requires k > m + 1, each subcode dimension is at least 2. In the revised manuscript we will insert a single sentence immediately after the statement of the decomposition that records this arithmetic verification and recalls why dimension ≥ 2 is required for the square-code dimension to be strictly smaller than that of a random code of the same length and dimension. No change to the parameter range or the main argument is needed. revision: yes

Circularity Check

0 steps flagged

No circularity: algebraic decomposition proof is independent of inputs.

full rationale

The paper proves that GSRS/GLRS codes decompose into GRS subcodes for the stated parameter range m+1 < k < n - ½(m²+3m), yielding low-dimensional square codes distinguishable from random. This is a direct structural result from skew/linearized polynomial evaluation, not a parameter fit renamed as prediction, not a self-definition, and not dependent on load-bearing self-citations whose content reduces to the target claim. The extension to Hamming-isometric disguises (permutations plus column multipliers) is asserted as preserving the subcode structure, but the provided text shows no reduction of this invariance to a prior self-citation or ansatz that is itself unverified; it remains an external algebraic claim. No steps match the enumerated circular patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The proof rests on standard properties of skew polynomial rings and evaluation codes; no new free parameters or invented entities are introduced.

axioms (2)
  • [standard math] Skew polynomial rings over finite fields admit a well-defined evaluation map that produces linear codes.
    Invoked when defining (G)SRS and (G)LRS as evaluation codes.
  • [domain assumption] The square-code operation preserves the subcode structure of GRS codes.
    Used to transfer the known GRS distinguisher to the generalized families.

pith-pipeline@v0.9.0 · 5593 in / 1347 out tokens · 44042 ms · 2026-05-10T15:24:52.846422+00:00 · methodology

