Designs, Codes and Cryptography

, Volume 86, Issue 7, pp 1391–1403 | Cite as

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

  • Philippe Gaborit
  • Ayoub Otmani
  • Hervé Talé Kalachi


Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck’s attack on an appropriate public code. As an example we break in a few seconds parameters with 80-bit security claim. Our work also shows that some parameters are not affected by our attack but at the cost of a lost of efficiency for the underlying schemes.


Post-quantum cryptography Gabidulin code GPT encryption scheme 

Mathematics Subject Classification

11T71 14G50 



The authors would like to thank Pierre Loidreau for helpful discussions and for bringing reference [19] to our attention.


  1. 1.
    Augot D., Finiasz M.: A public key encryption scheme based on the polynomial reconstruction problem. In: Advances in Cryptology—EUROCRYPT 2003, volume 2656 of Lecture Notes in Comput. Sci., pp. 229–240. Springer (2003).Google Scholar
  2. 2.
    Augot D., Finiasz M., Loidreau P.: Using the trace operator to repair the polynomial reconstruction based cryptosystem presented at eurocrypt 2003. IACR Cryptol. ePrint Arch. 2003, 209 (2003).Google Scholar
  3. 3.
    Berger T.P.: Isometries for rank distance and permutation group of gabidulin codes. IEEE Trans. Inf. Theory 49(11), 3016–3019 (2003).MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Couvreur A., Gaborit P., Gauthier-Umaña V., Otmani A., Tillich J.-P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014).MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Coron J.-S.: Cryptanalysis of the repaired public-key encryption scheme based on the polynomial reconstruction problem. IACR Cryptol. ePrint Arch. 2003, 219 (2003).Google Scholar
  6. 6.
    Coron J.-S.: Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. In: Public Key Cryptography—PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1–4, 2004, pp. 14–27 (2004).Google Scholar
  7. 7.
    Couvreur A., Otmani A., Tillich J.-P.: Polynomial time attack on wild McEliece over quadratic extensions. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology—EUROCRYPT 2014, volume 8441 of Lecture Notes in Comput. Sci., pp. 17–39. Springer, Berlin (2014).Google Scholar
  8. 8.
    Faure C., Loidreau P.: A new public-key cryptosystem based on the problem of reconstructing p-polynomials. In: Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 14–18, 2005. Revised Selected Papers, pp. 304–315 (2005).Google Scholar
  9. 9.
    Gabidulin E.M.: Theory of codes with maximum rank distance. Problemy Peredachi Informatsii 21(1), 3–16 (1985).MathSciNetzbMATHGoogle Scholar
  10. 10.
    Gabidulin E.M.: Attacks and counter-attacks on the GPT public key cryptosystem. Des. Codes Cryptogr. 48(2), 171–177 (2008).MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Gibson K.: Severely denting the Gabidulin version of the McEliece public key cryptosystem. Des. Codes Cryptogr. 6(1), 37–45 (1995).MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Gibson K.: The security of the Gabidulin public key cryptosystem. In: Ueli M. (ed.) Advances in Cryptology—EUROCRYPT ’96, volume 1070 of Lecture Notes in Comput. Sci., pp. 212–223. Springer (1996).Google Scholar
  13. 13.
    Gabidulin E.M., Ourivski A.V.: Modified GPT PKC with right scrambler. Electron. Notes Discrete Math. 6, 168–177 (2001).MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Gabidulin E.M., Ourivski A.V., Honary B., Ammar B.: Reducible rank codes and their applications to cryptography. IEEE Trans. Inf. Theory 49(12), 3289–3293 (2003).MathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Gabidulin E.M., Paramonov A.V., Tretjakov O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology—EUROCRYPT’91, number 547 in Lecture Notes in Comput. Sci., pp. 482–489. Brighton (1991).Google Scholar
  16. 16.
    Gabidulin E., Rashwan H., Honary B.: On improving security of GPT cryptosystems. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 1110–1114. IEEE (2009).Google Scholar
  17. 17.
    Gaborit P., Ruatta O., Schrek J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016).MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Kiayias A., Yung M.: Cryptanalyzing the polynomial-reconstruction based public-key system under optimal parameter choice. In: Advances in Cryptology—ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5–9, 2004, Proceedings, pp. 401–416 (2004).Google Scholar
  19. 19.
    Loidreau P., Raphael O.: Decoding rank errors beyond the error-correction capability. In: Proceedings of the Tenth International Workshop on Algebraic and Combinatorial Coding Theory, ACCT-10, pp. 168–190 (2006).Google Scholar
  20. 20.
    Loidreau P.: Rank metric and cryptography. Accreditation to supervise research, Université Pierre et Marie Curie—Paris VI (2007).Google Scholar
  21. 21.
    Loidreau P.: Designing a rank metric based McEliece cryptosystem. In: Sendrier N. (ed.) Post-Quantum Cryptography 2010, volume 6061 of Lecture Notes in Comput. Sci., pp. 142–152. Springer (2010).Google Scholar
  22. 22.
    McEliece R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab. DSN Progress Report 44 (1978)Google Scholar
  23. 23.
    Otmani A., Kalachi H.T.: Square code attack on a modified Sidelnikov cryptosystem. In: El Hajji S., Nitaj A., Carlet C., El Mamoun S. (eds) Codes, Cryptology, and Information Security—FirstInternational Conference, C2SI 2015, Rabat, Morocco, May 26–28, 2015, Proceedings—In Honor of Thierry Berger, volume 9084 of Lecture Notesin Computer Science, pp. 173–183. Springer (2015).Google Scholar
  24. 24.
    Otmani A., Kalachi H.T., Ndjeya S.: Improved cryptanalysis of rank metric schemes based on Gabidulin codes. arXiv:1602.08549 (2016).
  25. 25.
    Overbeck R.: Extending Gibson’s attacks on the GPT cryptosystem. In: Ytrehus O. (ed.) WCC 2005, volume 3969 of Lecture Notes in Comput. Sci., pp. 178–188. Springer (2005).Google Scholar
  26. 26.
    Overbeck R.: A new structural attack for GPT and variants. In: Mycrypt, volume 3715 of Lecture Notes in Comput. Sci., pp. 50–63 (2005).Google Scholar
  27. 27.
    Overbeck R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008).MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Rashwan H., Gabidulin E., Honary B.: A smart approach for GPT cryptosystem based on rank codes. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 2463–2467. IEEE (2010).Google Scholar
  29. 29.
    Rashwan H., Gabidulin E., Honary B.: Security of the GPT cryptosystem and its applications to cryptography. Secur. Commun. Netw. 4(8), 937–946 (2011).CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2017

Authors and Affiliations

  1. 1.XLIM-MATHISUniversité de LimogesLimoges CedexFrance
  2. 2.LITIS (EA 4108)University of RouenSaint-Etienne-du-RouvrayFrance
  3. 3.Department of Mathematics, ERALUniversity of Yaounde 1YaoundéCameroon

Personalised recommendations