LIGA: A Cryptosystem Based on the Hardness of Rank-Metric List and Interleaved Decoding

We propose the new rank-metric code-based cryptosystem LIGA which is based on the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA is an improved variant of the Faure-Loidreau (FL) system, which was broken in a structural attack by Gaborit, Otmani, and Tal\'e Kalachi (GOT, 2018). We keep the FL encryption and decryption algorithms, but modify the insecure key generation algorithm. Our crucial observation is that the GOT attack is equivalent to decoding an interleaved Gabidulin code. The new key generation algorithm constructs public keys for which all polynomial-time interleaved decoders fail---hence LIGA resists the GOT attack. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the KEM version is IND-CCA2 secure in the random oracle model, both under hardness assumptions of formally defined problems related to list decoding and interleaved decoding of Gabidulin codes. We propose and analyze various exponential-time attacks on these problems, calculate their work factors, and compare the resulting parameters to NIST proposals. The strengths of LIGA are short ciphertext sizes and (relatively) small key sizes. Further, LIGA guarantees correct decryption and has no decryption failure rate. It is not based on hiding the structure of a code. Since there are efficient and constant-time algorithms for encoding and decoding Gabidulin codes, timing attacks on the encryption and decryption algorithms can be easily prevented.Comment: Extended version of arXiv:1801.0368

Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes

Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years all these systems were attacked essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that this scheme like other schemes based on Gabidulin codes, is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break concrete proposed $80$ bits security parameters in a few seconds.Comment: To appear in Designs, Codes and Cryptography Journa

An IND-CCA Rank Metric Encryption Scheme Implementation

TCC(graduação) - Universidade Federal de Santa Catarina. Centro Tecnológico. Ciências da Computação.The advances in the field of quantum computation impose a severe threat to the cryptographic primitives used nowadays. In particular, the community predicts public-key cryptography will be turned completely obsolete if these computers are ever produced. In the light of these facts, researchers are contributing in a great effort to preserve current information systems against quantum attacks. Post-quantum cryptography is the area of research that aims to develop cryptographic systems to resist against both quantum and classical computers while assuring interoperability with existing networks and protocols. This work considers the use of Gabidulin codes—a class of error-correcting codes using rank metric—in the construction of encryption schemes. We first introduce error-correcting codes in general and Gabidulin codes in particular. Then, we present the use of these codes in the context of public-key encryption schemes and show that, while providing the possibility of smaller key sizes, they are especially challenging in terms of security. We present the scheme proposed in Loidreau in 2017, showing that although correcting the main weakness in previous propositions, it is still insecure related to chosen-ciphertext attacks. Then, we present a modification to the scheme, proposed by Shehhi et al. to achieve CCA security, and provide an implementation. We also analyze the theoretical complexity of recent attacks to rank-based cryptography and propose a set of parameters for the scheme

A Public-Key Cryptosystem Using Cyclotomic Matrices

Confidentiality and Integrity are two paramount objectives in the evaluation of information and communication technology. In this paper, we propose an arithmetic approach for designing asymmetric key cryptography. Our method is based on the formulation of cyclotomic matrices correspond to the diophantine system. The proposed cyclotomic asymmetric cryptosystem (CAC) utilizes the cyclotomic matrices, whose entries are cyclotomic numbers of order $2l^{2}$, $l$ be prime over a finite field $\mathbb{F}_{p}$ of $p$ elements. The method utilize cyclotomic matrices to design a one-way function. The outcome of a one-way function that is efficient to compute however difficult to compute its inverse unless if secret data about the trapdoor is known. We demonstrate that the encryption and decryption can be efficiently performed with asymptotic complexity of $\mathcal{O}(e^{2.373})$. Besides, we study the computational complexity of the CAC

LowMS: a new rank metric code-based KEM without ideal structure

We propose and analyze LowMS, a new rank-based key encapsulation mechanism (KEM). The acronym stands for Loidreau with Multiple Syndromes, since our work combines the cryptosystem of Loidreau (presented at PQCrypto 2017) together with the multiple syndrome approach, that allows to reduce parameters by sending several syndromes with the same error support in one ciphertext. Our scheme is designed without using ideal structures. Considering cryptosystems without such an ideal structure, like the FrodoKEM cryptosystem, is important since structure allows to compress objects, but gives reductions to specific problems whose security may potentially be weaker than for unstructured problems. For 128 bits of security, we propose parameters with a public key size of 4,6KB and a ciphertext size of 1,1KB. To the best of our knowledge, our scheme is the smallest among all existing unstructured post-quantum lattice or code-based algorithms, when taking into account the sum of the public key size and the ciphertext size. In that sense, our scheme is for instance about 4 times shorter than FrodoKEM. Our system relies on the hardness of the Rank Support Learning problem, a well-known variant of the Rank Syndrome Decoding problem, and on the problem of indistinguishability of distorted Gabidulin codes, i.e. Gabidulin codes multiplied by an homogeneous matrix of given rank. The latter problem was introduced by Loidreau in his paper

McEliece-type encryption based on Gabidulin codes with no hidden structure

This paper presents a new McEliece-type encryption scheme based on Gabidulin codes, which uses linearized transformations to disguise the private key. When endowing this scheme with the partial cyclic structure, we obtain a public key of the form $GM^{-1}$, where $G$ is a partial circulant generator matrix of Gabidulin code and $M$ as well as $M^{-1}$ is a circulant matrix of large rank weight, even as large as the code length. Another difference from Loidreau\u27s proposal at PQCrypto 2017 is that both $G$ and $M$ are publicly known. Recovering the private key can be reduced to deriving from $M$ a linearized transformation and two circulant matrices of small rank weight. This new scheme is shown to resist all the known distinguisher-based attacks, such as the Overbeck attack and Coggia-Couvreur attack, and also has a very small public key size. For instance, 2592 bytes are enough for our proposal to achieve the security of 256 bits, which is 400 times smaller than Classic McEliece that has been selected into the fourth round of the NIST Post-Quantum Cryptography (PQC) standardization process