A Distinguisher-Based Attack of a Homomorphic Encryption Scheme Relying on Reed-Solomon Codes

Bogdanov and Lee suggested a homomorphic public-key encryption scheme based on error correcting codes. The underlying public code is a modified Reed-Solomon code obtained from inserting a zero submatrix in the Vandermonde generating matrix defining it. The columns that define this submatrix are kept secret and form a set L. We give here a distinguisher that detects if one or several columns belong to L or not. This distinguisher is obtained by considering the code generated by component-wise products of codewords of the public code (the so called “square code”). This operation is applied to punctured versions of this square code obtained by picking a subset I of the whole set of columns. It turns out that the dimension of the punctured square code is directly related to the cardinality of the intersection of I with L. This allows an attack which recovers the full set L and which can then decrypt any ciphertext.