6 research outputs found
Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes of
the order of a few thousand bytes, which is a very attractive feature
compared to Hamming metric-based encryption schemes, where public key sizes are
of the order of hundreds of thousands of bytes even with additional structure such as
cyclicity. The main tool for building public key encryption schemes in the rank
metric is the McEliece encryption setting used with the family of Gabidulin
codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and
Tretjakov, many systems have been proposed based on different masking
techniques for Gabidulin codes. Nevertheless, over the years all these systems
were attacked, essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was
not in the McEliece setting. The scheme is very efficient, with small public
keys of a few kilobytes and with security closely related to the
linearized polynomial reconstruction problem, which corresponds to the decoding
problem of Gabidulin codes. The structure of the scheme differs considerably
from the classical McEliece setting and, until our work, the scheme had never
been attacked. We show in this article that this scheme, like other schemes
based on Gabidulin codes, is also vulnerable to a polynomial-time attack that
recovers the private key by applying Overbeck's attack on an appropriate public
code. As an example we break concrete proposed bits security parameters in
a few seconds.
Comment: To appear in Designs, Codes and Cryptography Journal
LIGA: A Cryptosystem Based on the Hardness of Rank-Metric List and Interleaved Decoding
We propose the new rank-metric code-based cryptosystem LIGA which is based on
the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA
is an improved variant of the Faure-Loidreau (FL) system, which was broken in a
structural attack by Gaborit, Otmani, and Talé Kalachi (GOT, 2018). We keep
the FL encryption and decryption algorithms, but modify the insecure key
generation algorithm. Our crucial observation is that the GOT attack is
equivalent to decoding an interleaved Gabidulin code. The new key generation
algorithm constructs public keys for which all polynomial-time interleaved
decoders fail; hence LIGA resists the GOT attack. We also prove that the
public-key encryption version of LIGA is IND-CPA secure in the standard model
and the KEM version is IND-CCA2 secure in the random oracle model, both under
hardness assumptions of formally defined problems related to list decoding and
interleaved decoding of Gabidulin codes. We propose and analyze various
exponential-time attacks on these problems, calculate their work factors, and
compare the resulting parameters to NIST proposals. The strengths of LIGA are
short ciphertext sizes and (relatively) small key sizes. Further, LIGA
guarantees correct decryption and has no decryption failure rate. It is not
based on hiding the structure of a code. Since there are efficient and
constant-time algorithms for encoding and decoding Gabidulin codes, timing
attacks on the encryption and decryption algorithms can be easily prevented.
Comment: Extended version of arXiv:1801.0368
Expanded Gabidulin Codes and Their Application to Cryptography
This paper presents a new family of linear codes, namely the expanded
Gabidulin codes. Exploiting the existing fast decoder of Gabidulin codes, we
propose an efficient algorithm to decode these new codes when the noise vector
satisfies a certain condition. Furthermore, these new codes enjoy an excellent
error-correcting capability because of the optimality of their parent Gabidulin
codes. Based on different masking techniques, we give two encryption schemes by
using expanded Gabidulin codes in the McEliece setting. According to our
analysis, both of these cryptosystems can resist the existing structural
attacks. Our proposals have an obvious advantage in public-key representation,
without using a cyclic or quasi-cyclic structure, compared to some other
code-based cryptosystems.
On a Rank-Metric Code-Based Cryptosystem with Small Key Size
A repair of the Faure-Loidreau (FL) public-key code-based cryptosystem is proposed. The FL cryptosystem is based on the hardness of list decoding Gabidulin codes, which are special rank-metric codes. We prove that the recent structural attack on the system by Gaborit et al. is equivalent to decoding an interleaved Gabidulin code. Since all known polynomial-time decoders for these codes fail for a large constructive class of error patterns, we are able to construct public keys that resist the attack. It is also shown that all other known attacks fail for our repair and parameter choices. Compared to other code-based cryptosystems, we obtain significantly smaller key sizes for the same security level.