24 research outputs found
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public keys, of the
order of a few thousand bytes, which is a very attractive feature compared with
Hamming-metric schemes, whose public keys are of the order of hundreds of
thousands of bytes even with additional structure such as cyclicity. The main
tool for building public-key encryption schemes in the rank metric is the
McEliece setting instantiated with the family of Gabidulin codes. Since the
original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many
systems have been proposed based on different masking techniques for Gabidulin
codes. Nevertheless, over the years all of these systems were broken,
essentially by the attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme that is not
in the McEliece setting. The scheme is very efficient, with small public keys of
a few kilobytes, and its security is closely related to the linearized
polynomial reconstruction problem, which corresponds to the decoding problem of
Gabidulin codes. The structure of the scheme differs considerably from the
classical McEliece setting and, until our work, the scheme had never been
attacked. We show in this article that this scheme, like other schemes based on
Gabidulin codes, is also vulnerable to a polynomial-time attack that recovers
the private key by applying Overbeck's attack to an appropriate public code. As
an example, we break the concretely proposed security parameters in a few
seconds.
Comment: To appear in Designs, Codes and Cryptography Journal
New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem
We consider the decoding problem, or the problem of finding low-weight
codewords, for rank-metric codes. We show how additional information about the
codeword we want to find, in the form of certain linear combinations of its
entries, leads to algorithms with better complexity. This is then used together
with a folding technique to attack a McEliece scheme based on LRPC codes. It
leads to a feasible attack on one of the parameter sets suggested in
\cite{GMRZ13}.
Comment: A shortened version of this paper will be published in the
proceedings of the IEEE International Symposium on Information Theory 2015
(ISIT 2015)
An Upper-Bound on the Decoding Failure Probability of the LRPC Decoder
Low Rank Parity Check (LRPC) codes form a class of rank-metric error-correcting
codes that was introduced specifically to design public-key encryption schemes.
An LRPC code is defined by a parity-check matrix whose entries belong to a
relatively low-dimensional vector subspace of a large finite field. This
particular algebraic feature can then be exploited to correct rank errors with
high probability when the parameters are appropriately chosen. In this paper,
we present theoretical upper bounds on the probability that the LRPC decoding
algorithm fails.
Generalized Subspace Subcodes in the Rank Metric
Rank-metric codes were studied by E. Gabidulin in 1985, after a brief
introduction by Delsarte in 1978, as an analogue of Reed-Solomon codes based on
linearized polynomials. They have found applications in many areas, including
linear network coding and space-time coding.
They are also used in cryptography to reduce key sizes compared with
Hamming-metric codes at the same security level. However, some families of
rank-metric codes suffer from structural attacks because of the strong
algebraic structure from which they are defined.
It is therefore of interest to find new code families that address these
questions in the landscape of rank-metric codes.
In this paper, we provide a generalization of the subspace subcodes in the rank
metric introduced by Gabidulin and Loidreau. We also characterize this family
by giving an algorithm that computes its generator and parity-check matrices
from those of the associated extended codes. We also study the specific case of
Gabidulin codes, whose decoding algorithms are known. Bounds on the
cardinalities of these codes, both in the general case and in the case of
Gabidulin codes, are also provided.
An algebraic approach to the Rank Support Learning problem
Rank-metric code-based cryptography relies on the hardness of decoding a
random linear code in the rank metric. The Rank Support Learning problem (RSL)
is a variant in which an attacker has access to N decoding instances whose
errors share the same support and wants to solve one of them. This problem is,
for instance, used in the Durandal signature scheme. In this paper, we propose
an algebraic attack on RSL that clearly outperforms previous attacks on this
problem. We build upon Bardet et al., Asiacrypt 2020, where similar techniques
are used to solve MinRank and RD. However, our analysis is simpler, and overall
our attack relies on very elementary assumptions compared with standard
Gröbner basis attacks. In particular, our results show that key recovery
attacks on Durandal are more efficient than was previously thought.
LIGA: A Cryptosystem Based on the Hardness of Rank-Metric List and Interleaved Decoding
We propose the new rank-metric code-based cryptosystem LIGA, which is based on
the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA
is an improved variant of the Faure-Loidreau (FL) system, which was broken by a
structural attack of Gaborit, Otmani, and Talé Kalachi (GOT, 2018). We keep
the FL encryption and decryption algorithms but modify the insecure key
generation algorithm. Our crucial observation is that the GOT attack is
equivalent to decoding an interleaved Gabidulin code. The new key generation
algorithm constructs public keys for which all polynomial-time interleaved
decoders fail, and hence LIGA resists the GOT attack. We also prove that the
public-key encryption version of LIGA is IND-CPA secure in the standard model
and that the KEM version is IND-CCA2 secure in the random oracle model, both
under hardness assumptions on formally defined problems related to list
decoding and interleaved decoding of Gabidulin codes. We propose and analyze
various exponential-time attacks on these problems, calculate their work
factors, and compare the resulting parameters with the NIST proposals. The
strengths of LIGA are short ciphertexts and (relatively) small keys. Further,
LIGA guarantees correct decryption and has no decryption failure rate. It is
not based on hiding the structure of a code. Since there are efficient,
constant-time algorithms for encoding and decoding Gabidulin codes, timing
attacks on the encryption and decryption algorithms can easily be prevented.
Comment: Extended version of arXiv:1801.0368
Injective Rank Metric Trapdoor Functions with Homogeneous Errors
In rank-metric cryptography, a vector from a finite-dimensional linear space
over a finite field is viewed as the linear space spanned by its entries. The
rank decoding problem, the analogue of the problem of decoding a random linear
code, consists in recovering a basis of a random noise vector that was used to
perturb a set of random linear equations sharing a secret solution. Assuming
the intractability of this problem, we introduce a new construction of
injective one-way trapdoor functions. Our solution departs from the usual way
of building public-key primitives from error-correcting codes, where ad hoc
assumptions about a hidden structure are made in order to establish security.
Our method produces a hard-to-distinguish linear code together with low-weight
vectors, which constitute the secret that helps recover the inputs. The key
idea is to focus on trapdoor functions that take sufficiently many input
vectors sharing the same support. Applying the error-correcting algorithm
designed for Low Rank Parity Check (LRPC) codes, we then obtain an inverting
algorithm that recovers the inputs with overwhelming probability.
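Two notions recur in the LRPC abstract above and in this trapdoor-function abstract: the rank support of a vector over GF(2^m) (the GF(2)-span of its entries, whose dimension is the rank weight) and the support-recovery step of the LRPC decoder, which intersects the shifted syndrome spaces f^-1 S over a basis f of the low-dimensional subspace F. The following is an added Python example, not code from any of the listed papers. It assumes GF(2^8) with the reduction polynomial 0x11B, the toy parameters n=10, k=4, r=d=2 (far too small to be secure), and function names of my own choosing; the decoder's second step, solving for the error coordinates once the support E is known, is left out.

```python
"""Toy LRPC support recovery over GF(2^8) (added example, not from the papers)."""
import random

M = 8          # GF(2^M); an element is an int whose bit i is the coefficient of x^i
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Schoolbook multiplication in GF(2^M), reducing by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M & 1:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^(2^M - 2) == a^-1 for a != 0 (square-and-multiply)."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def reduce(v, piv):
    """Reduce v against an echelon basis {leading bit: vector} over GF(2)."""
    for bit in sorted(piv, reverse=True):
        if v >> bit & 1:
            v ^= piv[bit]
    return v


def span(vectors):
    """Echelon basis (dict leading bit -> vector) of the GF(2)-span of vectors."""
    piv = {}
    for v in vectors:
        v = reduce(v, piv)
        if v:
            piv[v.bit_length() - 1] = v
    return piv


def contains(piv, v):
    return reduce(v, piv) == 0


def same_space(A, B):
    return len(A) == len(B) and all(contains(A, v) for v in B.values())


def elements(piv):
    """All 2^dim elements of a subspace; cheap because M = 8."""
    out = {0}
    for b in piv.values():
        out |= {x ^ b for x in out}
    return out


def intersect(A, B):
    return span([x for x in elements(B) if contains(A, x)])


def support(vector):
    """Rank support of a vector over GF(2^M): the GF(2)-span of its entries."""
    return span(vector)


def random_subspace(rng, dim):
    while True:
        S = span([rng.randrange(1, 1 << M) for _ in range(dim)])
        if len(S) == dim:
            return S


def random_in(rng, S):
    x = 0
    for b in S.values():
        if rng.randrange(2):
            x ^= b
    return x


def lrpc_instance(rng, n, k, r, d):
    """H is (n-k) x n with entries in F (dim d); e has length n, entries in E (dim r)."""
    F, E = random_subspace(rng, d), random_subspace(rng, r)
    H = [[random_in(rng, F) for _ in range(n)] for _ in range(n - k)]
    return H, F, E, [random_in(rng, E) for _ in range(n)]


def syndrome(H, e):
    return [eval_row(row, e) for row in H]


def eval_row(row, e):
    acc = 0
    for h, x in zip(row, e):
        acc ^= gf_mul(h, x)
    return acc


def recover_support(s, F, r, d):
    """LRPC step 1. S = <s> lies in the product space E.F; if dim S == r*d then
    S == E.F and E is contained in every f^-1 S, so E is in their intersection.
    Returns None when the syndrome space has too low a rank to proceed."""
    S = span(s)
    if len(S) != r * d:
        return None
    cand = None
    for f in F.values():
        shifted = span([gf_mul(gf_inv(f), x) for x in S.values()])
        cand = shifted if cand is None else intersect(cand, shifted)
    return cand


def trial_stats(trials=200, n=10, k=4, r=2, d=2, seed=1):
    """Counts (syndrome rank too low, recovered space larger than E, exact recovery)."""
    rng = random.Random(seed)   # fixed seed: constructed, reproducible instances
    low_rank = too_big = exact = 0
    for _ in range(trials):
        H, F, E, e = lrpc_instance(rng, n, k, r, d)
        rec = recover_support(syndrome(H, e), F, r, d)
        if rec is None:
            low_rank += 1
        elif same_space(rec, E):
            exact += 1
        else:
            assert all(contains(rec, x) for x in E.values())  # E is always inside rec here
            too_big += 1
    return low_rank, too_big, exact


if __name__ == "__main__":
    print("low-rank syndrome / oversized support / exact recovery:", trial_stats())
```

The two non-exact outcomes counted by `trial_stats` (a syndrome space of rank below rd, and an intersection strictly larger than E) are the kinds of events a decoding-failure analysis of the LRPC decoder has to account for; raising n-k relative to rd, or m relative to rd, makes both rarer, which is why the abstracts stress choosing parameters appropriately.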
An extension of Overbeck's attack with an application to cryptanalysis of Twisted Gabidulin-based schemes
In the present article, we discuss the decoding of Gabidulin and related
codes from a cryptographic perspective and observe that these codes can be
decoded from knowledge of a generator matrix alone. We then extend and revisit
Gibson's and Overbeck's attacks on the generalised GPT encryption scheme
(instantiated with Gabidulin codes) for various ranks of the distortion
matrix, and apply our attack to the case of an instantiation with twisted
Gabidulin codes.