Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes
Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck’s attack on an appropriate public code. As an example we break in a few seconds parameters with 80-bit security claim. Our work also shows that some parameters are not affected by our attack but at the cost of a lost of efficiency for the underlying schemes.
KeywordsPost-quantum cryptography Gabidulin code GPT encryption scheme
Mathematics Subject Classification11T71 14G50
The authors would like to thank Pierre Loidreau for helpful discussions and for bringing reference  to our attention.
- 1.Augot D., Finiasz M.: A public key encryption scheme based on the polynomial reconstruction problem. In: Advances in Cryptology—EUROCRYPT 2003, volume 2656 of Lecture Notes in Comput. Sci., pp. 229–240. Springer (2003).Google Scholar
- 2.Augot D., Finiasz M., Loidreau P.: Using the trace operator to repair the polynomial reconstruction based cryptosystem presented at eurocrypt 2003. IACR Cryptol. ePrint Arch. 2003, 209 (2003).Google Scholar
- 5.Coron J.-S.: Cryptanalysis of the repaired public-key encryption scheme based on the polynomial reconstruction problem. IACR Cryptol. ePrint Arch. 2003, 219 (2003).Google Scholar
- 6.Coron J.-S.: Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. In: Public Key Cryptography—PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1–4, 2004, pp. 14–27 (2004).Google Scholar
- 7.Couvreur A., Otmani A., Tillich J.-P.: Polynomial time attack on wild McEliece over quadratic extensions. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology—EUROCRYPT 2014, volume 8441 of Lecture Notes in Comput. Sci., pp. 17–39. Springer, Berlin (2014).Google Scholar
- 8.Faure C., Loidreau P.: A new public-key cryptosystem based on the problem of reconstructing p-polynomials. In: Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 14–18, 2005. Revised Selected Papers, pp. 304–315 (2005).Google Scholar
- 12.Gibson K.: The security of the Gabidulin public key cryptosystem. In: Ueli M. (ed.) Advances in Cryptology—EUROCRYPT ’96, volume 1070 of Lecture Notes in Comput. Sci., pp. 212–223. Springer (1996).Google Scholar
- 15.Gabidulin E.M., Paramonov A.V., Tretjakov O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology—EUROCRYPT’91, number 547 in Lecture Notes in Comput. Sci., pp. 482–489. Brighton (1991).Google Scholar
- 16.Gabidulin E., Rashwan H., Honary B.: On improving security of GPT cryptosystems. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 1110–1114. IEEE (2009).Google Scholar
- 18.Kiayias A., Yung M.: Cryptanalyzing the polynomial-reconstruction based public-key system under optimal parameter choice. In: Advances in Cryptology—ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5–9, 2004, Proceedings, pp. 401–416 (2004).Google Scholar
- 19.Loidreau P., Raphael O.: Decoding rank errors beyond the error-correction capability. In: Proceedings of the Tenth International Workshop on Algebraic and Combinatorial Coding Theory, ACCT-10, pp. 168–190 (2006).Google Scholar
- 20.Loidreau P.: Rank metric and cryptography. Accreditation to supervise research, Université Pierre et Marie Curie—Paris VI (2007).Google Scholar
- 21.Loidreau P.: Designing a rank metric based McEliece cryptosystem. In: Sendrier N. (ed.) Post-Quantum Cryptography 2010, volume 6061 of Lecture Notes in Comput. Sci., pp. 142–152. Springer (2010).Google Scholar
- 22.McEliece R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab. DSN Progress Report 44 (1978)Google Scholar
- 23.Otmani A., Kalachi H.T.: Square code attack on a modified Sidelnikov cryptosystem. In: El Hajji S., Nitaj A., Carlet C., El Mamoun S. (eds) Codes, Cryptology, and Information Security—FirstInternational Conference, C2SI 2015, Rabat, Morocco, May 26–28, 2015, Proceedings—In Honor of Thierry Berger, volume 9084 of Lecture Notesin Computer Science, pp. 173–183. Springer (2015).Google Scholar
- 24.Otmani A., Kalachi H.T., Ndjeya S.: Improved cryptanalysis of rank metric schemes based on Gabidulin codes. arXiv:1602.08549 (2016).
- 25.Overbeck R.: Extending Gibson’s attacks on the GPT cryptosystem. In: Ytrehus O. (ed.) WCC 2005, volume 3969 of Lecture Notes in Comput. Sci., pp. 178–188. Springer (2005).Google Scholar
- 26.Overbeck R.: A new structural attack for GPT and variants. In: Mycrypt, volume 3715 of Lecture Notes in Comput. Sci., pp. 50–63 (2005).Google Scholar
- 28.Rashwan H., Gabidulin E., Honary B.: A smart approach for GPT cryptosystem based on rank codes. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 2463–2467. IEEE (2010).Google Scholar