Abstract
Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked essentially by the use of an attack proposed by Overbeck. In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck’s attack on an appropriate public code. As an example we break in a few seconds parameters with 80-bit security claim. Our work also shows that some parameters are not affected by our attack but at the cost of a lost of efficiency for the underlying schemes.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
In [8] the problem is termed as p-polynomial reconstruction problem.
References
Augot D., Finiasz M.: A public key encryption scheme based on the polynomial reconstruction problem. In: Advances in Cryptology—EUROCRYPT 2003, volume 2656 of Lecture Notes in Comput. Sci., pp. 229–240. Springer (2003).
Augot D., Finiasz M., Loidreau P.: Using the trace operator to repair the polynomial reconstruction based cryptosystem presented at eurocrypt 2003. IACR Cryptol. ePrint Arch. 2003, 209 (2003).
Berger T.P.: Isometries for rank distance and permutation group of gabidulin codes. IEEE Trans. Inf. Theory 49(11), 3016–3019 (2003).
Couvreur A., Gaborit P., Gauthier-Umaña V., Otmani A., Tillich J.-P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014).
Coron J.-S.: Cryptanalysis of the repaired public-key encryption scheme based on the polynomial reconstruction problem. IACR Cryptol. ePrint Arch. 2003, 219 (2003).
Coron J.-S.: Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. In: Public Key Cryptography—PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1–4, 2004, pp. 14–27 (2004).
Couvreur A., Otmani A., Tillich J.-P.: Polynomial time attack on wild McEliece over quadratic extensions. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology—EUROCRYPT 2014, volume 8441 of Lecture Notes in Comput. Sci., pp. 17–39. Springer, Berlin (2014).
Faure C., Loidreau P.: A new public-key cryptosystem based on the problem of reconstructing p-polynomials. In: Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 14–18, 2005. Revised Selected Papers, pp. 304–315 (2005).
Gabidulin E.M.: Theory of codes with maximum rank distance. Problemy Peredachi Informatsii 21(1), 3–16 (1985).
Gabidulin E.M.: Attacks and counter-attacks on the GPT public key cryptosystem. Des. Codes Cryptogr. 48(2), 171–177 (2008).
Gibson K.: Severely denting the Gabidulin version of the McEliece public key cryptosystem. Des. Codes Cryptogr. 6(1), 37–45 (1995).
Gibson K.: The security of the Gabidulin public key cryptosystem. In: Ueli M. (ed.) Advances in Cryptology—EUROCRYPT ’96, volume 1070 of Lecture Notes in Comput. Sci., pp. 212–223. Springer (1996).
Gabidulin E.M., Ourivski A.V.: Modified GPT PKC with right scrambler. Electron. Notes Discrete Math. 6, 168–177 (2001).
Gabidulin E.M., Ourivski A.V., Honary B., Ammar B.: Reducible rank codes and their applications to cryptography. IEEE Trans. Inf. Theory 49(12), 3289–3293 (2003).
Gabidulin E.M., Paramonov A.V., Tretjakov O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology—EUROCRYPT’91, number 547 in Lecture Notes in Comput. Sci., pp. 482–489. Brighton (1991).
Gabidulin E., Rashwan H., Honary B.: On improving security of GPT cryptosystems. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 1110–1114. IEEE (2009).
Gaborit P., Ruatta O., Schrek J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016).
Kiayias A., Yung M.: Cryptanalyzing the polynomial-reconstruction based public-key system under optimal parameter choice. In: Advances in Cryptology—ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5–9, 2004, Proceedings, pp. 401–416 (2004).
Loidreau P., Raphael O.: Decoding rank errors beyond the error-correction capability. In: Proceedings of the Tenth International Workshop on Algebraic and Combinatorial Coding Theory, ACCT-10, pp. 168–190 (2006).
Loidreau P.: Rank metric and cryptography. Accreditation to supervise research, Université Pierre et Marie Curie—Paris VI (2007).
Loidreau P.: Designing a rank metric based McEliece cryptosystem. In: Sendrier N. (ed.) Post-Quantum Cryptography 2010, volume 6061 of Lecture Notes in Comput. Sci., pp. 142–152. Springer (2010).
McEliece R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab. DSN Progress Report 44 (1978)
Otmani A., Kalachi H.T.: Square code attack on a modified Sidelnikov cryptosystem. In: El Hajji S., Nitaj A., Carlet C., El Mamoun S. (eds) Codes, Cryptology, and Information Security—FirstInternational Conference, C2SI 2015, Rabat, Morocco, May 26–28, 2015, Proceedings—In Honor of Thierry Berger, volume 9084 of Lecture Notesin Computer Science, pp. 173–183. Springer (2015).
Otmani A., Kalachi H.T., Ndjeya S.: Improved cryptanalysis of rank metric schemes based on Gabidulin codes. arXiv:1602.08549 (2016).
Overbeck R.: Extending Gibson’s attacks on the GPT cryptosystem. In: Ytrehus O. (ed.) WCC 2005, volume 3969 of Lecture Notes in Comput. Sci., pp. 178–188. Springer (2005).
Overbeck R.: A new structural attack for GPT and variants. In: Mycrypt, volume 3715 of Lecture Notes in Comput. Sci., pp. 50–63 (2005).
Overbeck R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008).
Rashwan H., Gabidulin E., Honary B.: A smart approach for GPT cryptosystem based on rank codes. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 2463–2467. IEEE (2010).
Rashwan H., Gabidulin E., Honary B.: Security of the GPT cryptosystem and its applications to cryptography. Secur. Commun. Netw. 4(8), 937–946 (2011).
Acknowledgements
The authors would like to thank Pierre Loidreau for helpful discussions and for bringing reference [19] to our attention.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by I. Landjev.
Rights and permissions
About this article
Cite this article
Gaborit, P., Otmani, A. & Kalachi, H.T. Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes. Des. Codes Cryptogr. 86, 1391–1403 (2018). https://doi.org/10.1007/s10623-017-0402-0
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-017-0402-0