18 research outputs found
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
order of few thousands bytes which represents a very attractive feature
compared to Hamming metric-based encryption schemes where public key sizes are
of order of hundreds of thousands bytes even with additional structures like
the cyclicity. The main tool for building public key encryption schemes in rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of size a few kiloBytes and with security closely related to the
linearized polynomial reconstruction problem which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and until our work, the scheme had never
been attacked. We show in this article that this scheme like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack on an appropriate public
code. As an example we break concrete proposed bits security parameters in
a few seconds.Comment: To appear in Designs, Codes and Cryptography Journa
New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem
We consider the decoding problem or the problem of finding low weight
codewords for rank metric codes. We show how additional information about the
codeword we want to find under the form of certain linear combinations of the
entries of the codeword leads to algorithms with a better complexity. This is
then used together with a folding technique for attacking a McEliece scheme
based on LRPC codes. It leads to a feasible attack on one of the parameters
suggested in \cite{GMRZ13}.Comment: A shortened version of this paper will be published in the
proceedings of the IEEE International Symposium on Information Theory 2015
(ISIT 2015
Two attacks on rank metric code-based schemes: RankSign and an Identity-Based-Encryption scheme
RankSign [GRSZ14a] is a code-based signature scheme proposed to the NIST
competition for quantum-safe cryptography [AGHRZ17] and, moreover, is a
fundamental building block of a new Identity-Based-Encryption (IBE) [GHPT17a].
This signature scheme is based on the rank metric and enjoys remarkably small
key sizes, about 10KBytes for an intended level of security of 128 bits.
Unfortunately we will show that all the parameters proposed for this scheme in
[AGHRZ17] can be broken by an algebraic attack that exploits the fact that the
augmented LRPC codes used in this scheme have very low weight codewords.
Therefore, without RankSign the IBE cannot be instantiated at this time. As a
second contribution we will show that the problem is deeper than finding a new
signature in rank-based cryptography, we also found an attack on the generic
problem upon which its security reduction relies. However, contrarily to the
RankSign scheme, it seems that the parameters of the IBE scheme could be chosen
in order to avoid our attack. Finally, we have also shown that if one replaces
the rank metric in the [GHPT17a] IBE scheme by the Hamming metric, then a
devastating attack can be found
An algebraic approach to the Rank Support Learning problem
Rank-metric code-based cryptography relies on the hardness of decoding a
random linear code in the rank metric. The Rank Support Learning problem (RSL)
is a variant where an attacker has access to N decoding instances whose errors
have the same support and wants to solve one of them. This problem is for
instance used in the Durandal signature scheme. In this paper, we propose an
algebraic attack on RSL which clearly outperforms the previous attacks to solve
this problem. We build upon Bardet et al., Asiacrypt 2020, where similar
techniques are used to solve MinRank and RD. However, our analysis is simpler
and overall our attack relies on very elementary assumptions compared to
standard Gr{\"o}bner bases attacks. In particular, our results show that key
recovery attacks on Durandal are more efficient than was previously thought