Quantum Fourier sampling, Code Equivalence, and the quantum security of the McEliece and Sidelnikov cryptosystems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The Code Equivalence problem is that of determining whether two given linear codes are equivalent to each other up to a permutation of the coordinates. This problem has a direct reduction to a nonabelian hidden subgroup problem (HSP), suggesting a possible quantum algorithm analogous to Shor’s algorithms for factoring or discrete log. However, we recently showed that in many cases of interest—including Goppa codes—solving this case of the HSP requires rich, entangled measurements. Thus, solving these cases of Code Equivalence via Fourier sampling appears to be out of reach of current families of quantum algorithms. Code equivalence is directly related to the security of McEliece-type cryptosystems in the case where the private code is known to the adversary. However, for many codes the support splitting algorithm of Sendrier provides a classical attack in this case. We revisit the claims of our previous article in the light of these classical attacks, and discuss the particular case of the Sidelnikov cryptosystem, which is based on Reed-Muller codes.


💡 Research Summary

The paper investigates the security of code‑based cryptosystems through the lens of the Code Equivalence problem, which asks whether two linear codes are identical up to a permutation of coordinates. This problem can be reduced to a non‑abelian hidden subgroup problem (HSP), suggesting that a quantum algorithm based on Fourier sampling might solve it, analogously to Shor’s algorithms for factoring and discrete logarithms.

The authors recall their earlier work (Dinh et al., 2011) showing that for many practically relevant codes—including Goppa codes—the associated HSP instances are “hard”: strong quantum Fourier sampling (or any measurement on the coset state) yields only negligible information about the hidden permutation. The hardness stems from two conditions on the code’s automorphism group: (i) the group size must be sub‑exponential (|Aut(M)| ≤ e^{o(n)}), and (ii) the minimal degree (the smallest support of a non‑identity element) must be linear in the block length (Ω(n)). Under these conditions, the code is termed HSP‑hard.

The paper then connects HSP‑hardness to the security of McEliece‑type cryptosystems. In McEliece, the secret key consists of an invertible matrix S, a permutation matrix P, and a generator matrix M of a code that admits efficient decoding. The public key is M′ = S M P. If an adversary knows both M and M′ (a “known‑code” adversary), recovering S is trivial by linear algebra; the challenge is to recover P, which is exactly the Code Equivalence problem. The authors initially argued that because Goppa‑based instances are HSP‑hard, a quantum attacker would face a substantial barrier.

However, they acknowledge the classical Support Splitting Algorithm (SSA) introduced by Sendrier (2000). SSA labels each coordinate by the weight enumerator of the hull of the code punctured at that coordinate. For most Goppa codes this labeling is unique (or nearly unique), allowing the hidden permutation P to be recovered efficiently with a classical algorithm. Consequently, a known‑code adversary can break Goppa‑based McEliece cryptosystems in polynomial time, rendering the HSP‑hardness result irrelevant for post‑quantum security in this setting. The authors draw a parallel with Graph Isomorphism: although the problem reduces to an HSP on the symmetric group, known quantum techniques fail, yet many graph families are easy classically via canonical labeling.
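The two steps of the known-code attack described above, as an added toy model in Python (constructed for this summary, not code from the paper or from Sendrier's implementation): a McEliece-style public key M' = S M P over GF(2), recovery of S by linear algebra once P is known, and the Support Splitting labelling of coordinates by the weight enumerator of the hull of the punctured code. All function names (`make_instance`, `recover_scrambler`, `signature`, `candidate_matches`) and the small random parameters (k = 4, n = 10) are our own choices; the labelling invariance is a theorem, so the true image of every coordinate always appears among its candidates, while uniqueness of labels depends on the code.

```python
"""Toy GF(2) model of M' = S M P and of a known-code adversary. Constructed example."""
import random
from collections import Counter
from itertools import product

# Matrices are lists of 0/1 rows; all arithmetic is over GF(2).
def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def gf2_rank(A):
    """Rank by Gaussian elimination on a copy of A."""
    rows, rank = [row[:] for row in A], 0
    for c in range(len(rows[0])):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][c]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[rank])]
        rank += 1
    return rank

def gf2_inverse(A):
    """Gauss-Jordan inverse of a square matrix, or None if singular."""
    k = len(A)
    aug = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(A)]
    for c in range(k):
        pivot = next((r for r in range(c, k) if aug[r][c]), None)
        if pivot is None:
            return None
        aug[c], aug[pivot] = aug[pivot], aug[c]
        for r in range(k):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[k:] for row in aug]

def perm_matrix(perm):
    """P with (c P)[perm[i]] = c[i]: coordinate i is moved to position perm[i]."""
    return [[int(j == perm[i]) for j in range(len(perm))] for i in range(len(perm))]

def make_instance(k, n, seed):
    """Constructed toy key: random full-rank M (k x n), invertible S, permutation P, M' = S M P."""
    rng = random.Random(seed)
    while True:
        M = [[rng.randint(0, 1) for _ in range(n)] for _ in range(k)]
        if gf2_rank(M) == k:
            break
    while True:
        S = [[rng.randint(0, 1) for _ in range(k)] for _ in range(k)]
        if gf2_inverse(S) is not None:
            break
    perm = list(range(n))
    rng.shuffle(perm)
    P = perm_matrix(perm)
    return M, S, perm, P, matmul(matmul(S, M), P)

def recover_scrambler(M, M_pub, P):
    """Known-code adversary: given M, M' = S M P and P, S follows by linear algebra.
    Undo P (P^-1 = P^T), pick k independent columns J of M, then S = (S M)[:, J] * M[:, J]^-1."""
    N = matmul(M_pub, list(zip(*P)))          # N = S M
    k, cols = len(M), []
    for j in range(len(M[0])):
        if gf2_rank([[row[c] for c in cols + [j]] for row in M]) == len(cols) + 1:
            cols.append(j)
        if len(cols) == k:
            break
    S = matmul([[row[c] for c in cols] for row in N],
               gf2_inverse([[row[c] for c in cols] for row in M]))
    return S if matmul(matmul(S, M), P) == M_pub else None

def codewords(G):
    """Every codeword spanned by the rows of G (brute force; fine for small k)."""
    words = set()
    for coeffs in product((0, 1), repeat=len(G)):
        c = [0] * len(G[0])
        for a, row in zip(coeffs, G):
            if a:
                c = [x ^ y for x, y in zip(c, row)]
        words.add(tuple(c))
    return words

def hull_weight_enumerator(G):
    """Weight distribution of the hull C ∩ C⊥: the codewords orthogonal to every row of G."""
    hull = [c for c in codewords(G)
            if all(sum(x * y for x, y in zip(c, g)) % 2 == 0 for g in G)]
    return tuple(sorted(Counter(sum(c) for c in hull).items()))

def signature(G, i):
    """SSA-style label of coordinate i: hull weight enumerator of the code punctured at i."""
    return hull_weight_enumerator([row[:i] + row[i + 1:] for row in G])

def candidate_matches(M, M_pub):
    """For each coordinate i of M, the coordinates of M' carrying the same label. The true
    image perm[i] is always among them; with all labels distinct the permutation is read off."""
    n = len(M[0])
    sig_m = [signature(M, i) for i in range(n)]
    sig_pub = [signature(M_pub, j) for j in range(n)]
    return {i: [j for j in range(n) if sig_pub[j] == sig_m[i]] for i in range(n)}

if __name__ == "__main__":
    M, S, perm, P, M_pub = make_instance(4, 10, 2024)
    print("S recovered from (M, M', P):", recover_scrambler(M, M_pub, P) == S)
    cands = candidate_matches(M, M_pub)
    print("coordinates with a unique label:", sum(len(v) == 1 for v in cands.values()), "of 10")
```

When labels collide (a random toy code often has a trivial hull, so several coordinates share the label of the zero code), the full SSA refines by puncturing at further positions; that refinement is omitted here, which is why the toy only returns candidate sets rather than insisting on a unique permutation.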

The discussion then turns to the Sidelnikov cryptosystem, which uses binary Reed–Muller (RM) codes. Since there is a unique RM code for each length and rate, the generator matrix M is public, and security again hinges on Code Equivalence. Reed–Muller codes have a well‑studied automorphism group: the general affine group GL(m, 2) ⋉ F₂^m. Its size is 2^{O(log n)} (sub‑exponential) and its minimal degree equals 2^{m‑1} = n/2, satisfying the HSP‑hardness criteria. The authors prove (Theorem 3) that RM(r, m) with r ≤ 0.1 m and sufficiently large m are HSP‑hard, implying that quantum Fourier sampling alone cannot efficiently recover the hidden permutation for these codes.
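The automorphism-group facts quoted above can be checked concretely on a small instance. The following Python is an added illustration (not the paper's code): it builds RM(r, m) as the evaluation vectors of monomials of degree at most r on F₂^m, verifies that the coordinate permutation induced by an affine map of F₂^m preserves the code, and exhibits a map fixing a hyperplane, which moves exactly 2^{m-1} = n/2 coordinates, the minimal degree stated above. Function names (`rm_generator`, `affine_permutation`, `is_automorphism`, `hyperplane_transvection`) and the choice m = 4 are ours.

```python
"""RM(r, m) over GF(2), affine automorphisms and their degree. Constructed example."""
from itertools import combinations

def points(m):
    """All points of F_2^m as bit tuples; point v has x_b = bit b of v."""
    return [tuple((v >> b) & 1 for b in range(m)) for v in range(2 ** m)]

def rm_generator(r, m):
    """Generator matrix of RM(r, m): evaluation vectors of all monomials x_S with |S| <= r."""
    pts = points(m)
    return [[int(all(x[i] for i in S)) for x in pts]
            for d in range(r + 1) for S in combinations(range(m), d)]

def gf2_rank(rows):
    """Rank over GF(2) using an XOR basis of the rows packed into ints."""
    basis = []
    for row in rows:
        v = int("".join(map(str, row)), 2)
        for b in basis:
            v = min(v, v ^ b)      # clear the highest bit of b from v if set
        if v:
            basis.append(v)
    return len(basis)

def affine_permutation(A, b, m):
    """Coordinate permutation induced by x -> A x + b on F_2^m; perm[i] indexes the image of point i."""
    pts = points(m)
    index = {x: i for i, x in enumerate(pts)}
    return [index[tuple((sum(A[row][col] * x[col] for col in range(m)) + b[row]) % 2
                        for row in range(m))] for x in pts]

def permute_columns(G, perm):
    """Move column i of G to position perm[i]."""
    inv = [0] * len(perm)
    for i, j in enumerate(perm):
        inv[j] = i
    return [[row[inv[j]] for j in range(len(perm))] for row in G]

def is_automorphism(G, perm):
    """perm preserves the code iff the permuted rows still lie in the row space of G."""
    return gf2_rank(G + permute_columns(G, perm)) == gf2_rank(G)

def degree(perm):
    """Number of coordinates the permutation moves (its support)."""
    return sum(1 for i, j in enumerate(perm) if i != j)

def identity(m):
    return [[int(i == j) for j in range(m)] for i in range(m)]

def hyperplane_transvection(m):
    """x -> x + x_{m-1} e_0: fixes the hyperplane x_{m-1} = 0 and moves the other 2^(m-1) points."""
    A = identity(m)
    A[0][m - 1] = 1
    return A, [0] * m

if __name__ == "__main__":
    m, G = 4, rm_generator(1, 4)
    A, b = hyperplane_transvection(m)
    p = affine_permutation(A, b, m)
    print("automorphism:", is_automorphism(G, p), "degree:", degree(p), "n/2:", 2 ** (m - 1))
```

A translation x → x + b with b ≠ 0 moves every point (degree n), whereas the transvection above reaches the n/2 lower bound; a plain transposition of two coordinates, which has degree 2, is not an affine map and the check correctly rejects it as an automorphism of RM(1, 4).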

Nevertheless, a classical attack exists: Minder and Shokrollahi (2007) presented a quasipolynomial‑time algorithm for Code Equivalence on binary Reed–Muller codes in the low‑rate regime (small r). This algorithm becomes infeasible when r is large (high‑rate codes), precisely the regime where Theorem 3 still guarantees HSP‑hardness. Thus, for high‑rate Reed–Muller codes, the Sidelnikov system may enjoy both classical and quantum resistance, though other classical attacks (e.g., based on minimum‑weight codewords) could become relevant.

In summary, the paper’s contributions are:

  1. Formalizing HSP‑hardness for linear codes via automorphism‑group size and minimal degree.
  2. Demonstrating that Goppa‑based McEliece is classically vulnerable to the SSA, despite HSP‑hardness.
  3. Extending the HSP‑hardness analysis to Reed–Muller codes, showing that quantum Fourier sampling does not break the Sidelnikov cryptosystem in the high‑rate regime.
  4. Highlighting that quantum security assessments must consider both HSP‑hardness and existing classical structural attacks; HSP‑hardness alone is insufficient to guarantee post‑quantum security.
