Abstract
We propose the new rank-metric code-based cryptosystem LIGA, which is based on the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA is an improved variant of the Faure–Loidreau (FL) system, which was broken in a structural attack by Gaborit, Otmani, and Talé Kalachi (GOT, 2018). We keep the FL encryption and decryption algorithms, but modify the insecure key generation algorithm. Our crucial observation is that the GOT attack is equivalent to decoding an interleaved Gabidulin code. The new key generation algorithm constructs public keys for which all polynomial-time interleaved decoders fail—hence LIGA resists the GOT attack. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the key encapsulation mechanism version is IND-CCA2 secure in the random oracle model, both under hardness assumptions of formally defined problems related to list decoding and interleaved decoding of Gabidulin codes. We propose and analyze various exponential-time attacks on these problems, calculate their work factors, and compare the resulting parameters to NIST proposals. The strengths of LIGA are short ciphertext sizes and (relatively) small key sizes. Further, LIGA guarantees correct decryption and has no decryption failure rate. It is not based on hiding the structure of a code. Since there are efficient and constant-time algorithms for encoding and decoding Gabidulin codes, timing attacks on the encryption and decryption algorithms can be easily prevented.
1 Introduction
Public-key cryptography is the foundation for establishing secure communication between multiple parties. Traditional public-key algorithms such as RSA are based on the hardness of factoring large numbers or the discrete logarithm problem, but can be attacked in polynomial time once a capable quantum computer exists. Code-based public-key cryptosystems are considered to be post-quantum secure, but compared to RSA or elliptic curve cryptography their crucial drawback is the significantly larger key size. Recently, the National Institute of Standards and Technology (NIST) has initiated a standardization process for post-quantum secure public-key algorithms [31]. Round 3 of the competition, which is currently being evaluated, includes 9 code-based and lattice-based public-key encryption algorithms. The NIST competition and its systems attract a lot of attention and show the importance of designing post-quantum secure public-key encryption algorithms.
The Faure–Loidreau (FL) code-based cryptosystem [16, 28] is based on the problem of reconstructing linearized polynomials and can be seen as the linearized equivalent of the (broken) Augot–Finiasz cryptosystem [5]. While the Augot–Finiasz cryptosystem is closely connected to (list) decoding Reed–Solomon codes, the FL cryptosystem is connected to (list) decoding Gabidulin codes, a special class of rank-metric codes [18]. In contrast to McEliece-type (or Niederreiter-type) cryptosystems, where the public key is a matrix, in the FL system the public key is only a vector, resulting in a much smaller key size. At the time when the FL cryptosystem was designed, it was only conjectured that Gabidulin codes cannot be list decoded efficiently. As this has been proven in recent years for many families of Gabidulin codes [38, 46, 48], the FL system could be a very promising post-quantum secure public-key cryptosystem. However, the recent structural attack by Gaborit, Otmani and Talé Kalachi [21] can recover an alternative public key in cubic time complexity.
In this paper, a new system is presented which is based on the original FL system and therefore relies on the proven hardness of list decoding Gabidulin codes, but makes the attack from [21] impossible. Our contributions are as follows. First, a new coding-theoretic interpretation of the original FL system is given and an alternative decryption algorithm is proposed. Second, we show that the public key can be seen as a corrupted codeword of an interleaved Gabidulin code. We prove that the failure condition of the GOT attack [21] on the public key is equivalent to the failure condition of decoding the public key as a corrupted interleaved Gabidulin codeword. This observation enables us to design a new code-based public-key encryption scheme, as well as a corresponding key encapsulation mechanism / data encapsulation mechanism (KEM-DEM), based on the hardness of list and interleaved decoding of Gabidulin codes: LIGA. In LIGA, we choose the public key in a way that the corresponding interleaved decoder is guaranteed to fail, and thus, the system is secured against the attack from [21]. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the KEM version is IND-CCA2 secure in the random oracle model, both under hardness assumptions on problems related to list and interleaved decoding of Gabidulin codes. We analyze possible (exponential-time) attacks on these hard problems, provide sets of parameters for LIGA, and compare them, among others, to NIST proposals (RQC, ROLLO, BIKE, McEliece).
The structure of this paper is as follows. In Sect. 2, the notation is introduced and definitions are given. In Sect. 3, the key generation of the original FL system is shown and a new coding-theoretic interpretation of the ciphertext and the public key is derived. After summarizing the attack from [21], we prove its equivalence to decoding the public key as an interleaved Gabidulin code. Based on this equivalence, the new system LIGA is proposed in Sect. 4 and its IND-CPA and IND-CCA2 security are proven in Sect. 5. A security analysis of our system is given in Sect. 6. In Sect. 7, example parameters for security levels 128, 192, and 256 bit are proposed and compared to the NIST proposals RQC [2], ROLLO [1], BIKE [3], Classic McEliece [8] and Loidreau’s McEliece-like system from [29]. Conclusions are given in Sect. 8.
Parts of these results have been presented at the IEEE International Symposium on Information Theory 2018 [50]. The content of this journal paper contains various new results that were not shown in [50]. For instance, in this paper,

we generalize LIGA’s Key Generation algorithm, i.e., the choice of the \(\mathbf {z}_i\)’s (the interleaved errors in the public key) is more flexible now (in [50], \(\mathbf {z}_1 = \mathbf {z}_2 = \dots = \mathbf {z}_u\)),

we present a KEM/DEM version of LIGA,

we identify formal problems in the rank metric on which the security of LIGA relies and prove the IND-CPA/CCA2 security of the KEM/DEM version under the assumption that some of these problems are hard,

we analyze new exponential-time attacks on these problems.
2 Preliminaries
2.1 Notations
Let q be a power of a prime and let \(\mathbb {F}_q\) denote the finite field of order q. Then, \(\mathbb {F}_{q^m}\) and \(\mathbb {F}_{q^{mu}}\) denote extension fields of \(\mathbb {F}_q\) of order \(q^m\) and \(q^{mu}\), respectively. We use \(\mathbb {F}_q^{m \times n}\) to denote the set of all \(m\times n\) matrices over \(\mathbb {F}_q\) and \(\mathbb {F}_{q^m}^n =\mathbb {F}_{q^m}^{1 \times n}\) for the set of all row vectors of length n over \(\mathbb {F}_{q^m}\). Further, we use another field extension \(\mathbb {F}_{q^{mu}}\) with \(u>1\). Thus, \(\mathbb {F}_q\subseteq \mathbb {F}_{q^m}\subseteq \mathbb {F}_{q^{mu}}\).
For a field \(\mathbb {F}\), the vector space that is spanned by \(\mathbf {v}_1,\hdots ,\mathbf {v}_l \in \mathbb {F}^n\) is denoted by
Denote the set of integers \([a,b] = \{i: a \le i \le b\}\). Rows and columns of \(m\times n\) matrices are indexed by \(1,\dots , m\) and \(1,\dots , n\), where \(A_{i,j}\) is the element in the i-th row and j-th column of the matrix \(\mathbf {A}\). Further,
By \({{\,\mathrm{rk}\,}}_q(\mathbf {A})\) and \({{\,\mathrm{rk}\,}}_{q^m}(\mathbf {A})\), we denote the rank of a matrix \(\mathbf {A}\) over \(\mathbb {F}_q\), respectively \(\mathbb {F}_{q^m}\). Let \((\gamma _1,\gamma _2,\dots ,\gamma _{u})\) be an ordered basis of \(\mathbb {F}_{q^{mu}}\) over \(\mathbb {F}_{q^m}\). By utilizing the vector space isomorphism \(\mathbb {F}_{q^{mu}}\cong \mathbb {F}_{q^m}^u\), we can relate each vector \(\mathbf{a} \in \mathbb {F}_{q^{mu}}^n\) to a matrix \(\mathbf{A} \in \mathbb {F}_{q^m}^{u \times n}\) according to
where \(\varvec{\gamma } = (\gamma _1,\gamma _2,\dots ,\gamma _{u})\) and
The trace operator of a vector \(\mathbf {a}\in \mathbb {F}_{q^{mu}}\) to \(\mathbb {F}_{q^m}\) is defined by
A dual basis \((\gamma _1^*,\gamma _2^*,\dots ,\gamma _{u}^*)\) to \((\gamma _1,\gamma _2,\dots ,\gamma _{u})\) is a basis that fulfills
where \(i,j \in [1,u]\). Note that a dual basis always exists.
Denote by \(\mathcal {M}_{s,q}\left( \mathbf {a} \right) \in \mathbb {F}_{q^m}^{s \times n}\) the \(s \times n\) Moore matrix for a vector \(\mathbf {a} = (a_1,a_2,\dots ,a_n) \in \mathbb {F}_{q^m}^n\), i.e.,
If \(a_1, a_2,\dots , a_{n}\in \mathbb {F}_{q^m}\) are linearly independent over \(\mathbb {F}_q\), then \({{\,\mathrm{rk}\,}}_{q^m}(\mathcal {M}_{s,q}\left( \mathbf {a} \right) )=\min \{s,n\}\), cf. [26, Lemma 3.15]. This definition can also be extended to matrices by
where \(\mathbf {A} \in \mathbb {F}_{q^m}^{l \times n}\).
The Gaussian binomial coefficient is denoted by
where s and r are non-negative integers.
Let \(\mathcal {X}\) be a set. When x is drawn uniformly at random from the set \(\mathcal {X}\), we denote it by \(x \xleftarrow {\$}\mathcal {X}\). Further, by \(x \leftarrow y\) we mean that we assign y to x.
2.2 Rank-metric codes and Gabidulin codes
The rank norm \({{\,\mathrm{rk}\,}}_q(\mathbf {a})\) is the rank of the matrix representation \(\mathbf {A}\in \mathbb {F}_q^{m \times n}\) over \(\mathbb {F}_{q}\). The rank distance between \(\mathbf {a}\) and \(\mathbf {b}\) is the rank of the difference of the two matrix representations, i.e.,
An \([n,k,d]_q^\mathsf {R}\) code \(\mathcal {C}\) over \(\mathbb {F}_{q^m}\) is a linear rankmetric code, i.e., it is a linear subspace of \(\mathbb {F}_{q^m}^n\) of dimension k and minimum rank distance
For linear codes with \(n \le m\), the Singleton-like upper bound [14, 18] implies that \(d \le n-k+1\). If \(d=n-k+1\), the code is called a maximum rank distance (MRD) code.
Gabidulin codes [18] are a special class of rankmetric codes and can be defined by their generator matrices.
Definition 1
(Gabidulin Code [18]) A linear \(\mathcal {G}(n,k)\) code over \(\mathbb {F}_{q^m}\) of length \(n \le m\) and dimension k is defined by its \(k \times n\) generator matrix
where \(\mathbf {g}=(g_1,g_2, \dots , g_{n}) \in \mathbb {F}_{q^m}^n\) and \({{\,\mathrm{rk}\,}}_q(\mathbf {g}) = n\).
In [18], it is shown that Gabidulin codes are MRD codes, i.e., \(d=n-k+1\).
For a short description on decoding of Gabidulin codes, denote by \(\mathbf {C}_\mathcal {G}\in \mathbb {F}_q^{m \times n}\) the transmitted codeword (i.e., the matrix representation of \(\mathbf {c}_\mathcal {G}\in \mathbb {F}_{q^m}^n\)) of a \(\mathcal {G}(n,k)\) code that is corrupted by an additive error \(\mathbf{E} \in \mathbb {F}_q^{m \times n}\). At the receiver side, only the received matrix \(\mathbf{R} \in \mathbb {F}_q^{m \times n}\), where \(\mathbf{R} = \mathbf {C}_\mathcal {G}+ \mathbf{E}\), is known. The channel might provide additional side information in the form of erasures:

\(\varrho \) row erasures (in [45] called “deviations”) and

\(\gamma \) column erasures (in [45] called “erasures”),
such that the received matrix can be decomposed into
where \(\mathbf {A}^{(R)} \in \mathbb {F}_q^{m \times \varrho }\), \(\mathbf {B}^{(R)} \in \mathbb {F}_q^{\varrho \times n}\), \(\mathbf {A}^{(C)} \in \mathbb {F}_q^{m \times \gamma }\), \(\mathbf {B}^{(C)} \in \mathbb {F}_q^{\gamma \times n}\) are full-rank matrices, respectively, and \(\mathbf {E}^{(E)} \in \mathbb {F}_q^{m \times n}\) is a matrix of rank t. The decoder knows \(\mathbf {R}\) and additionally \(\mathbf {A}^{(R)}\) and \(\mathbf {B}^{(C)}\). Further, t denotes the number of errors without side information. The rank-metric error-erasure decoding algorithms from [20, 45, 51] can then reconstruct \(\mathbf {c}_\mathcal {G} \in \mathcal {G}(n,k)\) with asymptotic complexity \(\mathcal O(n^2)\) operations over \(\mathbb {F}_{q^m}\), or in sub-quadratic complexity using the fast operations described in [36, 37], if
is fulfilled.
2.3 Interleaved rank-metric codes
Interleaved Gabidulin codes are a code class for which efficient decoders are known that are able to correct, with high probability (w.h.p.), random errors of rank larger than \(\lfloor \frac{d-1}{2}\rfloor \).
Definition 2
(Interleaved Gabidulin Codes [27]) A linear (vertically, homogeneous) interleaved Gabidulin code \(\mathcal {IG}(u;n,k)\) over \(\mathbb {F}_{q^m}\) of length \(n \le m\), dimension \(k \le n\), and interleaving order u is defined by
As a shorthand notation, we also speak of a u-interleaved Gabidulin code. When considering random errors of rank weight t, the code \(\mathcal {IG}(u;n,k)\) can be decoded uniquely with high probability up to \(w \le \lfloor \frac{u}{u+1}(n-k)\rfloor \) errors,^{Footnote 1} cf. [27, 43, 51]. However, it is well-known that there are many error patterns for which the known efficient decoders fail. In fact, we can explicitly construct a large class of such errors, as shown in the following lemma.
Lemma 1
(Interleaved Decoding [27, 43, 49, p. 64]) Let \(\mathbf {c}_i=\mathbf {x}_i \cdot \mathbf {G}_{\mathcal {G}}\). All known^{Footnote 2} efficient decoders for \(\mathcal {IG}(u;n,k)\) codes fail to correct an error \(\mathbf {z}\in \mathbb {F}_{q^{mu}}^n\) with \(\mathbf {z} = \sum _{i=1}^{u} \mathbf {z}_i\gamma _i^*\) and \({{\,\mathrm{rk}\,}}_q(\mathbf {z})=w\) if
It is widely conjectured that there cannot be a decoder that decodes the error patterns of Lemma 1 uniquely. Decoding these failing error patterns has been the subject of intensive research since the Loidreau–Overbeck decoder [27] was found in 2006. In the Hamming metric, the equivalent problem for Reed–Solomon codes has been studied since 1997 [25], and more than a dozen papers have dealt with decoding algorithms for these codes. None of these papers was able to give a polynomial-time decoding algorithm for the cases of Lemma 1. It seems that all unique decoders have to fail for the error patterns of Lemma 1 since, for these cases, there is no unique decision, i.e., more than one interleaved codeword lies in the ball of radius w around the received word.
3 Key generation in the original Faure–Loidreau system
In this section, we recall the key generation algorithm of the original FL cryptosystem, give a coding-theoretic interpretation of the original public key, and analyze the structural attack from [21].
3.1 The original algorithm
Let \(q,m,n,k,u,w,t_{\mathsf {pub}}\) be positive integers that fulfill the restrictions given in Table 1 and are publicly known. In the following, we consider the three finite fields \(\mathbb {F}_q\), \(\mathbb {F}_{q^m}\), and \(\mathbb {F}_{q^{mu}}\), which are extension fields of each other, i.e.:
The original FL key generation is shown in Algorithm 1.
3.2 Coding-theoretic interpretation of the original public key
The public key \(\mathbf {k}_{\mathsf {pub}}\) of the FL system is a corrupted codeword of a u-interleaved Gabidulin code. To our knowledge, this connection between the public key and interleaved Gabidulin codes has not been known before. This interpretation is central to this paper and will be used in Sect. 4.1 to define the public key of LIGA such that it is not vulnerable to the attack from [21], which is described in Sect. 3.3.
Theorem 1
Fix a basis \(\mathbf {\gamma }\) of \(\mathbb {F}_{q^{mu}}\) over \(\mathbb {F}_{q^m}\). Let \(\mathbf {\gamma }^*\) be a dual basis to \(\mathbf {\gamma }\) and write \(\mathbf {k}_{\mathsf {pub}}= \sum _{i=1}^{u} \mathbf {k}_{\mathsf {pub}}^{(i)}\gamma _i^*\). Then,
where the \(\mathbf {c}_{\mathcal {G}}^{(i)} \in \mathbb {F}_{q^m}^n\) are codewords of the Gabidulin code \(\mathcal {G}(n,k)\) with generator matrix \(\mathbf {G}_\mathcal {G}\) and the \(\mathbf {z}_i \in \mathbb {F}_{q^m}^n\) are obtained from the vector \(\mathbf {z} \in \mathbb {F}_{q^{mu}}^n\) by \(\mathbf {z} = \sum _{i=1}^{u} \mathbf {z}_i\gamma _i^*\).
Proof
Recall the definition of the public key
where \(\mathbf {x} \in \mathbb {F}_{q^{mu}}^k\), \(\mathbf {G}_{\mathcal {G}} \in \mathbb {F}_{q^m}^{k\times n}\) is the generator matrix of a \(\mathcal {G}(n,k)\) code, and \(\mathbf {z} \in \mathbb {F}_{q^{mu}}^n\) with \({{\,\mathrm{rk}\,}}_q(\mathbf {z})=w\). Let \(\mathbf {x} = \sum _{i=1}^{u} \mathbf {x}_i\gamma _i^*\), where the \(\mathbf {x}_i\) have coefficients in \(\mathbb {F}_{q^m}\).
Then, we obtain the following representation of the public key \(\mathbf {k}_{\mathsf {pub}}\) as a \(u \times n\) matrix in \(\mathbb {F}_{q^m}\)
Since \(\mathbf {x}_i \cdot \mathbf {G}_{\mathcal {G}}\) is a codeword of a \(\mathcal {G}(n,k)\) code, \(\forall i \in [1,u]\), the matrix representation of \(\mathbf {k}_{\mathsf {pub}}\) can be seen as a codeword from an \(\mathcal {IG}(u;n,k)\) code, corrupted by an error. \(\square \)
Note that the error \((\mathbf {z}_1^\top ,\dots ,\mathbf {z}_u^\top )^\top \) in (3) has \(\mathbb {F}_q\)-rank at most w due to the structure of \(\mathbf {z}= (\mathbf {s} \ \ \mathbf {0}) \mathbf {P}^{-1}\).
3.3 Efficient key recovery of the original FL key
The attack by Gaborit, Otmani and Talé Kalachi (GOT) on the original FL system in [21] (see Algorithm 2 below) is an efficient structural attack which computes a valid private key of the FL system in cubic time when the public key fulfills certain conditions. We recall this attack in the following and derive an alternative, equally powerful attack based on interleaved decoding of the public key, utilizing the observation of the previous subsection. We prove that the failure conditions of both attacks are equivalent. The interleaved decoding attack does not have any advantage in terms of cryptanalysis compared to [21], but it enables us to predict exactly for which public keys both attacks work and for which they fail.
3.3.1 GOT attack
The key recovery in the GOT attack (Algorithm 2) succeeds under the conditions of the following theorem.
Theorem 2
(GOT Attack [21, Thm. 1]) Let \(\gamma _1,\dots ,\gamma _u \in \mathbb {F}_{q^{mu}}\) be a basis of \(\mathbb {F}_{q^{mu}}\) over \(\mathbb {F}_{q^m}\) and let \(\mathbf {z}_i = {{\,\mathrm{Tr}\,}}(\gamma _i \mathbf {z})\), for \(i=1,\dots ,u\).
If the matrix \(\mathbf {Z} \in \mathbb {F}_{q^m}^{u \times n}\) with \(\mathbf {z}_1,\dots ,\mathbf {z}_u\) as rows satisfies
then \((\mathbf {x}, \mathbf {z})\) can be recovered from \((\mathbf {G}_{\mathcal {G}},\mathbf {k}_{\mathsf {pub}})\) with \(\mathcal {O}(n^3)\) operations in \(\mathbb {F}_{q^{mu}}\) by using Algorithm 2.
If the key is generated by Algorithm 1, the GOT attack breaks the original FL system with high probability.
3.3.2 Interleaved decoding attack
Recall from Theorem 1 that the public key \(\mathbf {k}_{\mathsf {pub}}\) is a corrupted interleaved codeword. Based on this observation we will derive a structural attack on the original FL system to which we refer as Interleaved Decoding Attack in the following. We prove that interleaved decoding and the GOT attack fail (i.e., do not provide any information) for the same public keys. The idea is to decode \(\mathbf {k}_{\mathsf {pub}}\) in an interleaved Gabidulin code. Since \(w \le \frac{u}{u+1}(n-k)\), such a decoder will return \(\mathbf {x}\) with high probability, but fail in certain cases, see Sect. 2.3.
Since \({{\,\mathrm{rk}\,}}_{q^m}(\mathcal {M}_{n-w-1,q}\left( \mathbf {g} \right) )=n-w-1\), the interleaved decoder fails if (compare Lemma 1):
where
3.3.3 Equivalence of GOT attack and interleaved decoding attack
In the following, we prove that the failure condition of the GOT Attack is equivalent to the condition that decoding \(\mathbf {k}_{\mathsf {pub}}\) in an interleaved Gabidulin code fails.
Theorem 3
The GOT Attack from [21] fails if and only if the Interleaved Decoding Attack fails. In particular, both fail if (4) holds.
Proof
Rewrite the matrix from Theorem 2 as
and the matrix from equation (5) as
Since the matrices in (6) and (7) only differ by a row permutation, they are row-space equivalent, implying that they have the same rank. Further, the rank of the matrix in (7) cannot become larger than w (since any vector in the right kernel of this matrix has rank weight at least \(n-w\) [34, Algorithm 3.2.1]). Thus, the failure conditions of Theorem 2 and Lemma 1 are equivalent. \(\square \)
In the next section, we will exploit the observation of Theorem 3, i.e., we propose a new key generation algorithm that avoids public keys that can be efficiently decoded by an interleaved decoder, thereby rendering the GOT attack useless.
4 The new system LIGA
In this section, we propose a public-key code-based encryption scheme \({{\Pi }}^{\mathrm{PKE}}= (\mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt})\) called \(\textsf {LIGA}\). The system is based on the original FL system [16], where we keep both the original encryption and decryption algorithm, but replace the insecure key-generation algorithm. Further, we present a KEM-DEM version of \(\textsf {LIGA}\) denoted by \({\Pi }^{\mathrm{KEM}}=(\mathsf {KeyGen},\mathsf {Encaps},\mathsf {Decaps})\).
Later, in Sect. 5, we will analyze the security of the system. We single out problems from coding theory and we prove that the encryption version is IND-CPA secure and the KEM-DEM version is IND-CCA2 secure under the assumption that the stated problems are hard. Furthermore, we study new and known attacks on these problems and show that they all run in exponential time (see Sect. 6).
4.1 The new key generation algorithm
We introduce a new key generation algorithm that is based on choosing \(\mathbf {z} = \sum _{i=1}^{u} \mathbf {z}_i\gamma ^*_i\) in a way that \(\varphi < w\), where \(\varphi \) is the rank of the interleaved Moore matrix of the errors \(\mathbf {z}_i\) in the public key, see (5). Based on the dimension of the span of the \(\mathbf {z}_i\), we upper bound \(\varphi \) in the following Theorem 4. Recall that when \(\varphi < w\), the GOT attack [21] and interleaved decoding of the public key fail, see Theorem 3. In this case, retrieving any knowledge about the private key from the public key requires solving Problem 1 (defined later), which basically corresponds to decoding the interleaved codeword for error patterns for which all known decoders fail.
Theorem 4
Let \(\dim (\langle \mathbf {z}_1,\hdots ,\mathbf {z}_u \rangle _{q^m}) = \zeta \). Then
Proof
The dimension of \(\langle \mathbf {z}_1,\hdots ,\mathbf {z}_u \rangle _{q^m}\) implies that at most \(\zeta (n-k-w)\) rows of \(\tilde{\mathbf {Z}}\) are linearly independent over \(\mathbb {F}_{q^m}\), meaning that \(\varphi \le \zeta (n-k-w)\).
The definition of \(\mathbf {z}=(\mathbf {s} \ \ \mathbf {0}) \cdot \mathbf {P}^{-1}\) leads to
where the last inequality holds since \(\mathbf {s}_1,\hdots ,\mathbf {s}_u\) are vectors of length w. \(\square \)
We propose the following modification to Line 3 of the Key Generation, depending on the parameter \(\zeta \):
Clearly, \(\dim (\langle \mathbf {z}_1,\hdots ,\mathbf {z}_u \rangle _{q^m}) = \zeta \) in this case. To avoid that the GOT attack [21] runs in polynomial time, Theorem 4 implies that the parameter \(\zeta \) must always be chosen such that \(\zeta < \frac{w}{n-k-w}\). In Sect. 6, we will discuss several further exponential-time attacks on LIGA. Some of these attacks have a work factor depending on \(\zeta \), which must be considered in the parameter design.
Furthermore, the condition \({{\,\mathrm{rk}\,}}_{q}(\mathbf {s}_i') = w\) ensures that \({{\,\mathrm{rk}\,}}_{q}(\mathbf {z}_i)=w\), i.e., as large as possible for a given subspace \(\mathcal {A}\). This choice maximizes the work factor of generic decoding attacks on the rows of the public key (seen as a received word of an interleaved Gabidulin code), see Sect. 6.
The restriction of the choice of \(\mathcal {A}\) to subspaces that contain a basis of full-\(\mathbb {F}_q\)-rank codewords is to ensure that the set from which we sample in Line 3’ is non-empty. Hence, the key generation always works.
Compared to the choice of \(\mathbf {z}\) in Line 3 of the original Key Generation algorithm, we restrict the choice of \(\mathbf {z}\), but we will see in Sect. 6 that there are still enough possibilities for \(\mathbf {z}\) to prevent an efficient naive brute-force attack.
Appendix 1 contains a more detailed discussion on how to realize Lines 3 and \(3'\) in practice.
4.2 The public key encryption version
The new key generation algorithm \(\mathsf {KeyGen}\), the encryption algorithm \(\mathsf {Encrypt}\) and the decryption algorithm \(\mathsf {Decrypt}\) are shown in Algorithm 3, Algorithm 4 and Algorithm 5, respectively. Compared to the original key generation algorithm, the algorithm \(\mathsf {KeyGen}\) has one more input parameter \(\zeta \) (cf. Sect. 4.1).
The proposed system has no decryption failures as proven in the following theorem.
Theorem 5
(Correctness [16]) Algorithm 5 returns the correct plaintext \(\mathbf {m}\).
Proof
Line 1 computes
whose last \(n-w\) columns are given by
where \(\mathbf {G}^{\prime }:= \mathbf {G}_{\mathcal {G}}\mathbf {P}_{[w+1,n]} \in \mathbb {F}_{q^m}^{k \times (n-w)}\) and \(\mathbf {e}^{\prime }:= \mathbf {e}\mathbf {P}_{[w+1,n]}\). By decoding in \(\mathcal {G}'\), we thus obtain the vector
Since the last u positions of the plaintext \(\mathbf {m}\) are zero (i.e., \(m_i=0\) for \(i=k-u+1,\dots ,k\)), we get \(\alpha = \sum _{i=k-u+1}^{k}m_i^{\prime }x_i^*\), where \(\{x_{k-u+1}^*,\dots ,x_k^*\}\) is a dual basis to \(\{x_{k-u+1},\dots ,x_k\}\). As we know \(\alpha \) and \(\mathbf {x}\), we can compute the plaintext \(\mathbf {m}\). \(\square \)
Remark 1
Steps 1 to 3 of Algorithm 5 can be interpreted as an error-erasure decoder of a Gabidulin code. As this observation may have advantages, especially for implementations, we present this connection formally in Appendix 2.
A SageMath v8.8 [47] implementation of the public key encryption version of LIGA can be downloaded from https://bitbucket.org/julianrenner/liga_pke. The purpose of the source code is to clarify the shown algorithms but not to provide a secure and efficient instance. Developing an implementation that offers the latter two properties and can serve for a performance comparison with other schemes is outside of the scope of this paper and is left for future research.
4.3 KEM/DEM version \({{\Pi }}^{\mathrm{PKE}}\) and \({\Pi }^{\mathrm{KEM}}\)
In [23], generic transformations of IND-CPA secure public key encryption schemes into IND-CCA2 secure KEMs are proposed. In the following, we apply one of the transformations directly to \({{\Pi }}^{\mathrm{PKE}}\) to obtain \({\Pi }^{\mathrm{KEM}}\). Later, in Sect. 5.2, we will prove that \({{\Pi }}^{\mathrm{PKE}}\) fulfills the requirements such that the applied transformation is secure.
Let \(\mathcal {G}\), \(\mathcal {H}\) and \(\mathcal {K}\) be hash functions, where \(\mathcal {G}\ne \mathcal {H}\). In Algorithm 6 and Algorithm 7, we show the encapsulation and decapsulation algorithms of the KEM \({\Pi }^{\mathrm{KEM}}= (\mathsf {KeyGen},\mathsf {Encaps},\mathsf {Decaps})\). The algorithm \(\mathsf {KeyGen}\) remains Algorithm 3.
4.4 Complexity
4.4.1 Timing attacks
Resistance against timing attacks is essential in many applications, and systems that do not enable a constant-time implementation are thus considered insecure. Due to the fact that Step 4 of Algorithm 4 can be easily implemented in constant time, the proposed encryption algorithm does not reveal any information about secret knowledge through timing attacks. The same holds for the presented decryption algorithm since there exists an efficient constant-time decoding algorithm for Gabidulin codes [10] and all other steps of Algorithm 5 can be realized in constant time as well.
4.4.2 Asymptotically fastest methods
In some scenarios, a constanttime implementation of the system may not be required but we want that the key generation, encryption, and decryption are as fast as possible. The following results were not known when the original FL system was proposed, but have a major impact on its efficiency.
The complexity of key generation and encryption is dominated by the cost of encoding a Gabidulin code (Line 8 of Algorithm 3 and Line 4 of Algorithm 4).^{Footnote 3} The asymptotically fastest-known algorithms [13, 36, 37] for this require

\(O^\sim (n^{\min \{\frac{\omega +1}{2},1.635\}})\) operations in \(\mathbb {F}_{q^m}\) or \(O^\sim (n^{\omega -2}m^2)\) operations in \(\mathbb {F}_q\) in general^{Footnote 4} and

\(O^\sim (n)\) operations in \(\mathbb {F}_{q^m}\) if the entries of \(\mathbf {g}\) are a normal basis of \(\mathbb {F}_{q^m}/\mathbb {F}_q\),
where \(\omega \) is the matrix multiplication exponent and \(O^\sim \) means that \(\log \) factors are neglected.
The bottleneck of decryption is (error-erasure) decoding of a Gabidulin code (Line 3 of Algorithm 5, see also Appendix 2 below), where the asymptotically fastest algorithm costs
operations in \(\mathbb {F}_{q^m}\) [36, 37] or
operations in \(\mathbb {F}_q\) (decoder in [36] with linearizedpolynomial operations in [13]).
For small lengths n, the algorithms from [22, 40, 44, 49], which have quadratic complexity over \(\mathbb {F}_{q^m}\) (or cubic complexity over \(\mathbb {F}_q\)), might be faster than the mentioned algorithms due to smaller hidden constants in the O-notation.
5 Difficult problems & semantic security of LIGA
In this section, we introduce problems in the rank metric that are considered to be difficult. Furthermore, we prove that the public-key encryption version of LIGA is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that there do not exist probabilistic polynomial-time algorithms that can solve them. A detailed complexity analysis of existing and new algorithms solving the stated problems is given in Sect. 6.
5.1 Difficult problems in the rank metric
LIGA is based on several difficult problems which are stated in this section. Note that the search variants of the problems correspond exactly to retrieving information about the private key from the public key (not necessarily a valid private key as explained in the following) or the plaintext from the ciphertext. The decisional problems are equivalent to distinguishing the public key or the ciphertext from random vectors.
Definition 3
(ResIGDistribution: Restricted Interleaved Gabidulin Code Distribution)
Input: \(q,m,n,k,w >\lfloor \frac{n-k}{2}\rfloor ,\zeta< \frac{w}{n-k-w}, u<w\).
Choose uniformly at random

\(\mathbf {G}\xleftarrow {\$}\mathcal {G}\), where \(\mathcal {G}\) is the set of all generator matrices of [n, k] Gabidulin codes over \(\mathbb {F}_{q^m}\)

\(\mathbf {M}\xleftarrow {\$}\{\mathbf {X}\in \mathbb {F}_{q^m}^{u\times k} : {{\,\mathrm{rk}\,}}_{q^m}(\mathbf {X}_{[k-u+1,k]}) = u\} \).

\(\mathcal {A} \xleftarrow {\$}\{ \text {subspace } \mathcal {U} \subseteq \mathbb {F}_{q^m}^w \, : \, \dim \mathcal {U} = \zeta , \, \mathcal {U} \text { has a basis of full-}\mathbb {F}_q\text {-rank elements} \}\)

\(\mathbf {E}' \xleftarrow {\$}\left\{ \begin{pmatrix} \mathbf {s}_1' \\ \vdots \\ \mathbf {s}_u' \end{pmatrix} \in \mathbb {F}_{q^m}^{u \times w}\, : \, \langle \mathbf {s}_1',\dots ,\mathbf {s}_u'\rangle _{\mathbb {F}_{q^m}} = \mathcal {A}, \, {{\,\mathrm{rk}\,}}_{q}(\mathbf {s}_i') = w \, \forall \, i \right\} \)

\(\mathbf {Q} \xleftarrow {\$}\{ \mathbf {A}\in \mathbb {F}_q^{w \times n} : {{\,\mathrm{rk}\,}}_{q}(\mathbf {A}) = w \}\)

\(\mathbf {E}\leftarrow \mathbf {E}' \mathbf {Q}\)
Output: \((\mathbf {G},\mathbf {M}\mathbf {G}+\mathbf {E})\).
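To make the sampling of Definition 3 and the choice of the \(\mathbf {z}_i\) in Line 3' of Sect. 4.1 concrete, the following Python example is added here; it is written for this page and is not the paper's SageMath code. It uses constructed toy parameters \(q=2\), \(m=n=8\), \(k=2\), \(u=2\), \(w=4\) (so \(n-k-w=2\) and a LIGA key needs \(\zeta < w/(n-k-w) = 2\), i.e. \(\zeta = 1\)), realises \(\mathbb {F}_{2^8}\) with the modulus \(x^8+x^4+x^3+x+1\), and takes \(\varphi \) to be the \(\mathbb {F}_{q^m}\)-rank of the stacked \((n-k-w)\)-row Moore matrices of the \(\mathbf {z}_i\), which is our reading of (5) and of the proof of Theorem 4 (an assumption, since those equations are not reproduced above). The helper names `gf_mul`, `rank_q`, `rank_qm`, `moore`, `sample_errors`, `phi_of` and `key_check` are our own. It samples \(\mathbf {z}_i = \mathbf {s}_i'\mathbf {Q}\) for \(\zeta = 1\) and, for comparison, for \(\zeta = u = 2\), an FL-style key outside the LIGA restriction, and reports whether \(\varphi < w\), i.e. whether the GOT / interleaved decoding attack fails (Theorem 3).

```python
# Added toy demonstration of LIGA's key generation; not the paper's SageMath code.
# Constructed parameters: q = 2, m = n = 8, k = 2, u = 2, w = 4, so n-k-w = 2 and a
# LIGA key needs zeta < w/(n-k-w) = 2, i.e. zeta = 1.  Assumptions: F_{2^8} via the
# modulus x^8+x^4+x^3+x+1; phi = rk_{q^m} of the stacked Moore matrices of the z_i.
import random

M, MOD = 8, 0x11B            # F_{2^8}; elements are ints 0..255
N, K, U, W = 8, 2, 2, 4      # length, dimension, interleaving order, error rank
S = N - K - W                # Moore rows per z_i (here 2)

def gf_mul(a, b):
    """Product in F_{2^8} (carry-less multiply, then reduce by MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> M:
            a ^= MOD
        b >>= 1
    return r

def gf_inv(a):
    """Inverse by exhaustive search (fine for a 256-element toy field)."""
    return next(x for x in range(1, 1 << M) if gf_mul(a, x) == 1)

def rank_q(vec):
    """F_2-rank of a vector over F_{2^8}, i.e. of its bit-matrix representation."""
    basis = {}                              # leading bit -> reduced basis vector
    for v in vec:
        while v:
            h = v.bit_length() - 1
            if h not in basis:
                basis[h] = v
                break
            v ^= basis[h]
    return len(basis)

def rank_qm(rows):
    """Rank over F_{2^8} by Gaussian elimination on a list of row lists."""
    rows, rank = [r[:] for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_inv(rows[rank][col])
        rows[rank] = [gf_mul(inv, x) for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [x ^ gf_mul(f, y) for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def moore(vec, s):
    """s x n Moore matrix M_{s,q}(vec): row j holds the q^j-th powers of vec."""
    rows = [list(vec)]
    while len(rows) < s:
        rows.append([gf_mul(x, x) for x in rows[-1]])   # Frobenius x -> x^2
    return rows

def sample_errors(zeta, rng):
    """Line 3' (toy): z_i = s_i'*Q, <s_i'> = A, dim A = zeta <= u, rk_q(s_i') = w, Q rank w."""
    basis = []                              # basis of A made of full-F_q-rank vectors
    while len(basis) < zeta:
        cand = [rng.randrange(1, 1 << M) for _ in range(W)]
        if rank_q(cand) == W and rank_qm(basis + [cand]) == len(basis) + 1:
            basis.append(cand)
    while True:                             # s_i' = random F_{q^m}-combination of basis
        s_rows = [[0] * W for _ in range(U)]
        for s in s_rows:
            for b in basis:
                c = rng.randrange(1 << M)
                for j in range(W):
                    s[j] ^= gf_mul(c, b[j])
        if rank_qm(s_rows) == zeta and all(rank_q(s) == W for s in s_rows):
            break
    q_rows = [0] * W                        # rows of Q as N-bit integers over F_2
    while rank_q(q_rows) < W:
        q_rows = [rng.randrange(1, 1 << N) for _ in range(W)]
    z_rows = [[0] * N for _ in range(U)]    # z_i = s_i' * Q (Q has 0/1 entries)
    for z, s in zip(z_rows, s_rows):
        for j, q_row in enumerate(q_rows):
            for col in range(N):
                if (q_row >> col) & 1:
                    z[col] ^= s[j]
    return z_rows

def phi_of(z_rows):
    """phi = rk_{q^m} of the stacked (n-k-w)-row Moore matrices of the z_i."""
    return rank_qm([row for z in z_rows for row in moore(z, S)])

def key_check(zeta, seed=1):
    """Return (phi, attack_fails): the GOT / interleaved-decoding attack fails
    exactly when phi < w (Theorem 3); Theorem 4 gives phi <= zeta*(n-k-w)."""
    z_rows = sample_errors(zeta, random.Random(seed))
    phi = phi_of(z_rows)
    return phi, phi < W
```

`key_check(1)` always returns a \(\varphi \) of at most \(n-k-w = 2 < w = 4\) together with `True`, whichever seed is used, because both \(\mathbf {z}_i\) and their Frobenius images are multiples of one vector; `key_check(2)` returns \(\varphi \le 4\) and, for almost every seed, \(\varphi = 4 = w\) with `False`, which is the situation in which the GOT attack on an original FL key succeeds.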
Problem 1
(ResIGSearch: Restricted interleaved Gabidulin Code Search Problem)
Input: \((\mathbf {G},\mathbf {Y})\) from ResIGDistribution with input \(q,m,n,k,w,\zeta ,u\) (Definition 3).
Goal: Find \(\mathbf {M}\in \mathbb {F}_{q^m}^{u\times k}\) and \(\mathbf {E}\in \{\mathbf {X}\in \mathbb {F}_{q^m}^{u \times n} : {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {X}) \le w\}\) s.t. \(\mathbf {M}\mathbf {G}+\mathbf {E}= \mathbf {Y}\).
Problem 1 (ResIGSearch) is equivalent to decoding a codeword of a u-interleaved Gabidulin code that is corrupted by an error \(\mathbf {E}\) (see also Sect. 6.1.2) and is therefore the underlying problem of the structural attacks from Sect. 3.3.
Note however that not necessarily every solution of this problem can be used directly as a valid private key since some additional structure on \(\mathbf {E}\) is introduced in LIGA (i.e., Problem 1 is easier to solve than retrieving a valid private key of LIGA).
Problem 2
(ResIGDec: Restricted Interleaved Gabidulin Code Decisional Problem)
Input: \((\mathbf {G},\mathbf {Y}) \in \mathbb {F}_{q^m}^{k\times n} \times \mathbb {F}_{q^m}^{u\times n}\).
Goal: Decide with non-negligible advantage whether \(\mathbf {Y}\) came from ResIGDistribution with input \(q,m,n,k,w,\zeta ,u\) (Definition 3) or the uniform distribution over \(\mathbb {F}_{q^m}^{u\times n}\).
To solve ResIGDec (Problem 2), we do not know a better approach than trying to solve the associated search problem (i.e., ResIGSearch), which is the usual approach for all decoding-based problems.
Definition 4
(ResErrDistribution: Restricted Error Distribution)
Input: \(q,m,n,k,w,t_{\mathsf {pub}},u,\varvec{\gamma }, (\mathbf {G},\mathbf {K}) \) from ResIGDistribution (Definition 3).
Choose uniformly at random

\(\mathbf {e}\xleftarrow {\$}\{ \mathbf {x}\in \mathbb {F}_{q^m}^{n}\, : \, {{\,\mathrm{rk}\,}}_q(\mathbf {x}) = t_{\mathsf {pub}}\} \)

\(\alpha \xleftarrow {\$}\mathbb {F}_{q^{mu}}\)

\(\mathbf {k}\leftarrow {{\,\mathrm{ext}\,}}_{\mathbf {\gamma }}^{-1}(\mathbf {K})\)

\(\mathbf {y}\leftarrow {{\,\mathrm{Tr}\,}}(\alpha \mathbf {k}) +\mathbf {e} = {{\,\mathrm{Tr}\,}}(\alpha \mathbf {m}) \mathbf {G}+ {{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e}\)
Output: \(\mathbf {y}\).
Problem 3
(ResGSearch: Restricted Gabidulin Code Search Problem)
Input: \(q,m,n,k,w,t_{\mathsf {pub}},u,\varvec{\gamma }, (\mathbf {G},\mathbf {K}) \) from ResIGDistribution (Definition 3), \(\mathbf {y}\) from ResErrDistribution (Definition 4) with input \((\mathbf {G},\mathbf {K})\).
Goal: Find \(\mathbf {m}\in \mathbb {F}_{q^m}^{k}\) and \(\mathbf {e}\in \{\mathbf {x}\in \mathbb {F}_{q^m}^{n} : {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {x}) \le t_{\mathsf {pub}}\}\) such that \(\mathbf {m}\mathbf {G}+\mathbf {e}= \mathbf {y}\).
Problem 3 is equivalent to decoding a codeword of a Gabidulin code that is corrupted by an error that has with high probability a rank weight of \(> (n-k)/2\), see Appendix 3.
Problem 4
(ResGDec: Restricted Gabidulin Code Decisional Problem)
Input: \(q,m,n,k,w,t_{\mathsf {pub}},u,\varvec{\gamma }, (\mathbf {G},\mathbf {K}) \) from ResIGDistribution (Definition 3), \(\mathbf {y}\in \mathbb {F}_{q^m}^{n}\).
Goal: Decide with non-negligible advantage whether \(\mathbf {y}\) came from ResErrDistribution with input \(q,m,n,k,w,t_{\mathsf {pub}},u,\varvec{\gamma }, (\mathbf {G},\mathbf {K})\) or the uniform distribution over \( \mathbb {F}_{q^m}^{n}\).
As before, we are not aware of a faster approach to solve ResGDec than through the solution of the associated search problem.
We will see in the next subsection that LIGA is IND-CCA2 secure under the assumption that \(\textsf {ResGDec}\) is a hard problem. As mentioned above, there is an obvious reduction of \(\textsf {ResGDec}\) to \(\textsf {ResGSearch}\), which can again be efficiently reduced to \(\textsf {ResIGSearch}\). In fact, all relevant attacks studied in Sect. 6 make use of this chain of reductions and aim at solving one of the two search problems.
We are not aware of a reduction of \(\textsf {ResIGDec}\) to \(\textsf {ResIGSearch}\) or one of the other problems. Hence, it might very well be that \(\textsf {ResIGDec}\) is significantly easier than the other problems. In Sect. 6.3, we show that there is a distinguisher for \(\textsf {ResIGDec}\) that is efficiently computable if the system parameter \(\zeta \) is chosen too small. Due to the missing reduction, it is not clear whether or not this distinguisher influences the security of the system.
5.2 Semantic security
In this section, we prove that the public key encryption system \({{\Pi }}^{\mathrm{PKE}}\) is semantically secure against chosen plaintext attacks in the standard model under the assumption that ResGDec (Problem 4) is difficult. In addition, we show that the IND-CCA2 security of \({\Pi }^{\mathrm{KEM}}\) reduces tightly to the IND-CPA security of \({{\Pi }}^{\mathrm{PKE}}\) in the random oracle model.
5.2.1 IND-CPA security of \({{\Pi }}^{\mathrm{PKE}}\)
To show that \({{\Pi }}^{\mathrm{PKE}}\) is secure against chosen plaintext attacks, we use the definition of admissibility as in [33].
Definition 5
(Admissibility [33]) The public key encryption scheme \({{\Pi }}^{\mathrm{PKE}}= (\mathsf {KeyGen},\mathsf {Encrypt},\mathsf {Decrypt})\) with a message space \(\mathcal {M}\) and a random space \(\mathcal {R}\) is called admissible if there is a pair of deterministic polynomialtime algorithms \(\mathsf {Encrypt}_1\) and \(\mathsf {Encrypt}_2\) satisfying the following property:

Partible: \(\mathsf {Encrypt}_1\) takes as input a public key \(\mathsf {pk}\) and \(r \in \mathcal {R}\), and outputs a \(p(\lambda )\)-bit string, where \(\lambda \) is the security parameter. \(\mathsf {Encrypt}_2\) takes as input a public key \(\mathsf {pk}\) and \(\mathbf {m}\in \mathcal {M}\), and outputs a \(p(\lambda )\)-bit string. Here p is some polynomial in the security parameter \(\lambda \). Then for any \(\mathsf {pk}\) given by \(\mathsf {KeyGen}\), \(r \in \mathcal {R}\), and \(\mathbf {m}\in \mathcal {M}\), \(\mathsf {Encrypt}_1( \mathsf {pk}, r ) \oplus \mathsf {Encrypt}_2 ( \mathsf {pk}, \mathbf {m}) = \mathsf {Encrypt}( \mathsf {pk}, \mathbf {m}; r ) \).

Pseudorandomness: Let D be a probabilistic algorithm and let
$$\begin{aligned} \mathsf {Adv}_{D,\mathsf {Encrypt}_1}^{ind}(\lambda ) =&\Pr \Big [ D(\mathsf {pk},\mathsf {Encrypt}_1(\mathsf {pk},r)) = 1 \,\Big |\, r \xleftarrow {\$}\mathcal {R}, (\mathsf {sk}, \mathsf {pk}) \leftarrow \mathsf {KeyGen}\big (1^{\lambda }\big ) \Big ] \\&- \Pr \big [ D(\mathsf {pk},s) = 1 \,\big |\, s \xleftarrow {\$}\mathcal {U}_{p(\lambda )}, (\mathsf {sk}, \mathsf {pk}) \leftarrow \mathsf {KeyGen}\big (1^{\lambda } \big ) \big ]. \end{aligned}$$We define the advantage function of the problem as follows. For any t,
$$\begin{aligned} \mathsf {Adv}_{\mathsf {Encrypt}_1}^{ind}(\lambda ,t) = \max _{D} \big \{\mathsf {Adv}_{D,\mathsf {Encrypt}_1}^{ind}(\lambda ) \big \}, \end{aligned}$$where the maximum is taken over all D with time complexity t. Then, the function \(\mathsf {Adv}_{\mathsf {Encrypt}_1}^{ind}(\lambda ,t)\) is negligible for every polynomially bounded t and every sufficiently large \(\lambda \).
In the following, we prove that \({{\Pi }}^{\mathrm{PKE}}\) is IND-CPA secure by showing that it fulfills the definition of admissibility.
Theorem 6
The system \({{\Pi }}^{\mathrm{PKE}}= (\mathsf {KeyGen},\mathsf {Encrypt}, \mathsf {Decrypt})\) is an IND-CPA secure encryption scheme in the standard model under the assumption that the ResGDec problem is difficult.
Proof
Let \(\mathsf {Encrypt}_1 := {{\,\mathrm{Tr}\,}}(\alpha \mathbf {k}_{\mathsf {pub}}) +\mathbf {e}\) and \(\mathsf {Encrypt}_2 := \mathbf {m}\mathbf {G}_\mathcal {G}\). Then, one observes that \(\mathsf {Encrypt}= \mathsf {Encrypt}_1 \oplus \mathsf {Encrypt}_2\) and thus \({{\Pi }}^{\mathrm{PKE}}\) is partible. Since ResGDec (Problem 4) is assumed to be difficult, the encryption scheme fulfills pseudorandomness and thus the system is admissible. As proven in [33, Lemma 1], if \({{\Pi }}^{\mathrm{PKE}}\) fulfills Definition 5, then it is an IND-CPA secure encryption scheme. \(\square \)
5.2.2 IND-CCA2 security of \({\Pi }^{\mathrm{KEM}}\)
We use the transformation proposed in [23] to transform the public key encryption scheme \({{\Pi }}^{\mathrm{PKE}}\) into the KEM \({\Pi }^{\mathrm{KEM}}\). In the following, we prove that \({\Pi }^{\mathrm{KEM}}\) is IND-CCA2 secure.
The applied transformation requires that the encryption scheme is \(\gamma \)-spread, which is proven to be the case for \({{\Pi }}^{\mathrm{PKE}}\) in the following.
Definition 6
(\(\gamma \)-spread, [17, 23]) For valid \((\mathsf {pk},\mathsf {sk})\), the min-entropy of \(\mathsf {Encrypt}(\mathbf {m},\mathsf {pk})\) is defined by
where \(\hat{\mathcal {C}}\) is the set of possible ciphertexts. A public key encryption scheme is called \(\gamma \)-spread if for every valid key pair \((\mathsf {pk},\mathsf {sk})\) and every message \(\mathbf {m}\in \mathcal {M}\), \(\gamma (\mathbf {m},\mathsf {pk}) \ge \gamma \). It follows that for all \(\mathbf {c}\in \hat{\mathcal {C}}\),
Lemma 2
The public key encryption system \({{\Pi }}^{\mathrm{PKE}}\) is \(\gamma \)-spread, where \(\gamma = m(t_{\mathsf {pub}}-u)+t_{\mathsf {pub}}(n-t_{\mathsf {pub}}-1)\).
Proof
We observe that
where \(\hat{\mathcal {C}}'\) is the set of all vectors in rank distance \(t_{\mathsf {pub}}\) from \((\mathbf {m},\mathbf {0}_u)\mathbf{G}_{\mathcal {G}}\) and \(\text {(i)}\) follows from the fact that there are at most \(q^{mu}\) choices for \(\alpha \). In [19, Section IV.B], a constructive way of obtaining rank-\(t_{\mathsf {pub}}\) matrices is given. More precisely, an injective mapping \( \varphi \, : \, \mathbb {F}_q^{t(n+m-t-1)} \rightarrow \{\mathbf {A}\in \mathbb {F}_q^{n \times m} \, : \, {{\,\mathrm{rk}\,}}\mathbf {A}= t\}\) is given. Hence, we have \(\big |\{\mathbf {e}\in \mathbb {F}_{q^m}^{n} : {{\,\mathrm{rk}\,}}_{q}(\mathbf {e}) = t_{\mathsf {pub}}\}\big | \ge q^{t(n+m-t-1)}\). It follows that
\(\square \)
Theorem 7
The KEM-DEM \({\Pi }^{\mathrm{KEM}}= (\mathsf {KeyGen},\mathsf {Encaps}, \mathsf {Decaps})\) is IND-CCA2 secure in the random oracle model under the assumption that the ResGDec problem is difficult.
Proof
Assuming that ResGDec is difficult, the encryption scheme \({{\Pi }}^{\mathrm{PKE}}\) is IND-CPA secure, see Theorem 6. Further, it is proven in Lemma 2 that \({{\Pi }}^{\mathrm{PKE}}\) has \(\gamma \)-spread encryptions. Thus, the IND-CCA2 security of \({\Pi }^{\mathrm{KEM}}\) can be tightly reduced to the IND-CPA security of \({{\Pi }}^{\mathrm{PKE}}\) in the random oracle model, as shown in [23]. \(\square \)
6 Security analysis of LIGA
In this section, we analyze the security of LIGA. As proven in Theorems 6 and 7, the encryption version is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that ResGDec is difficult. Since there are obvious reductions from ResGDec to ResGSearch and from ResGDec to ResIGSearch, we study the hardness of these two search problems in this section (Sect. 6.1 for ResIGSearch and Sect. 6.2 for ResGSearch). In fact, we are not aware of a more efficient method to solve ResGDec than through these two search problems.
Although no formal reduction from any of the other three studied problems to ResIGDec is known, we study also the hardness of ResIGDec (Sect. 6.3). We derive a distinguisher for the public key with exponential complexity in the system parameters, which can be avoided by proper parameter choice.
Due to the nature of the (random) encryption, there are public keys for which the probability that the work factor of some of the ciphertext attacks on ResGSearch is below the designed minimal work factor is not negligible (i.e., \(> 2^{-\lambda }\)). We show in Sect. 6.4 that these weak keys occur with negligible probability (i.e., \(\le 2^{-\lambda }\)) during the random key generation if the parameters are chosen in a suitable way.
6.1 Exponential-time attacks on ResIGSearch
We propose new and summarize known methods that solve ResIGSearch (Problem 1). All studied algorithms have exponential complexity in the code parameters.
Recall that in the decryption algorithm of LIGA, the last u positions of the private key \(\mathbf {x}\) have to be a basis of \(\mathbb {F}_{q^{mu}}\) over \(\mathbb {F}_{q^m}\). Therefore, not every solution of Problem 1 (ResIGSearch) can be used as valid private key and Problem 1 is a strictly easier problem than retrieving a valid private key corresponding to a given public key.
6.1.1 Brute-force the vector \(\mathbf {z}\) attack
The number of vectors \(\mathbf {z}\in \mathbb {F}_{q^{mu}}^n\) that fulfill the conditions stated in Sect. 4.1 is equal to the number of possible vectors \(\mathbf {s}\in \mathbb {F}_{q^{mu}}^w\) times the number of full-rank matrices in \(\mathbb {F}_{q^m}^{w\times n}\) in reduced row echelon form. Formally, the number of vectors \(\mathbf {z}\) is
Thus, brute-forcing a vector \(\mathbf {z}\) that is a solution to ResIGSearch has work factor
where the latter inequality follows from a lower bound on q-binomials (see [24, Lemma 4]), and
is the average number of interleaved codewords in a ball of radius w around a uniformly at random chosen interleaved received word.
6.1.2 Interleaved decoding attack
As described in Sect. 3.3, an attacker can apply an interleaved decoder to \(\mathbf {k}_{\mathsf {pub}}\) to retrieve an alternative private key. A major ingredient of LIGA is that the public key is chosen in a way that this decoding always fails (i.e., the corresponding linear system of equations does not have a unique solution). However, it is still possible to brute-force search in the solution space of the involved system of equations. This is analyzed in the following. Notice thereby that any interleaved codeword in radius at most w is a solution to ResIGSearch.
Problem 1 (ResIGSearch) is equivalent to decoding a codeword of a u-interleaved Gabidulin code that is corrupted by an error \(\mathbf {E}\). The error \(\mathbf {E}\) fulfills
and thus, no known algorithm is able to correct it efficiently.
The crucial point of the interleaved decoding algorithms from [27, 43] is solving a linear system of equations based on the syndromes with \(w+1\) unknowns and \(\varphi \) linearly independent equations, which is equivalent to finding the kernel of the matrix in (5), cf. [49, Section 4.1]. For \(\zeta \ge \frac{w}{n-k-w}\), the dimension of the solution space is one and all solutions are valid for the remaining decoding steps. For \(\zeta < \frac{w}{n-k-w}\), the dimension of the solution space is \(w+1-\varphi \), but each valid solution forms only a one-dimensional subspace. An attacker can therefore search in the solution space for a valid solution, which requires on average
trials, where \(\mathcal {N}\) is the average number of interleaved codewords, see (9).
The size of the solution space is \(w+1-\varphi \) and is clearly maximized for the smallest possible value of \(\varphi \), i.e., \(\varphi = n-k-w\). In this case, the search through the solution space has work factor
Since the size of the solution space is maximal for \(\varphi = n-k-w\), the repair from Sect. 4.1 with the explicit parameter value \(\zeta =1\) (i.e., \(\dim \big ( \langle \mathbf {z}_1 , \dots , \mathbf {z}_u\rangle _{\mathbb {F}_{q^m}}\big ) = 1\)) is the most secure choice in this sense. However, we keep the choice of \(\zeta \) flexible, as the pairwise linear dependence of the \(\mathbf {z}_i\) might decrease the security (we are, however, not aware of how this fact could be used).
Besides the syndrome-based interleaved decoding algorithms in [27, 43], and [49, p. 64], there is an interpolation-based decoding algorithm [49, Section 4.3 (page 72)]. This interpolation-based algorithm can be interpreted both as a list decoder of interleaved Gabidulin codes with exponential worst-case and average list size, or as a probabilistic unique decoder. The probabilistic unique interpolation-based decoder fails if and only if the decoding algorithms in [27, 43, 49, p. 64] fail, and therefore the previous analysis applies here as well. For the list decoder, cf. [49, Lemma 4.5], the work factor of the resulting attack is
Notice that the list of size \(q^{m(u-1)k}\) contains many words which are not valid codewords, but we have to go through the whole list to find all valid codewords in radius up to w.
6.1.3 List decoding of the public key attack
Recall that \(\mathbf {k}_{\mathsf {pub}}= \mathbf {x} \cdot \mathbf{G}_{\mathcal {G}} + \mathbf {z}\). Previously, we have explained why this vector is a corrupted version of a codeword of a u-interleaved Gabidulin code. At the same time, \(\mathbf {x} \cdot \mathbf{G}_{\mathcal {G}}\) can be seen as a codeword of a short Gabidulin code over the large field \(\mathbb {F}_{q^{mu}}\), and therefore, if such an algorithm existed, one could apply list decoding to \(\mathbf {k}_{\mathsf {pub}}\) and obtain \(\mathbf {x}\). The weight of the error \(\mathbf {z}\) is larger than the unique decoding radius; therefore a unique decoder cannot be applied to reconstruct \(\mathbf {x}\), and a list decoder for radius w is required.
However, such an algorithm has not been found yet. It was even shown in [38, 46, 48] that for most classes of Gabidulin codes such a polynomialtime list decoding algorithm cannot exist. Note that these results were not known when the original FL cryptosystem was proposed. These results also imply that there is no polynomialtime list decoding algorithm for arbitrary Gabidulin codes beyond the unique decoding radius (such as the Guruswami–Sudan algorithm for Reed–Solomon codes).
6.1.4 Randomized Gabidulin decoding attack on the public key
The public key can be seen as the sum of a Gabidulin codeword over the field \(\mathbb {F}_{q^{mu}}\) and an error of weight \(w > \frac{n-k}{2}\). Alternatively, as shown in Sect. 3.2, the public key can be seen as an interleaved Gabidulin codeword that is corrupted by an error of weight w (note that this is the reason why all the \(\mathbf {s}_i\)’s must have full \(\mathbb {F}_q\)-rank in Algorithm 3). Each row of (3) is a codeword of a Gabidulin code over \(\mathbb {F}_{q^m}\) that is corrupted by an error of rank weight w. Both the corrupted Gabidulin codeword over \(\mathbb {F}_{q^{mu}}\) and the ones over \(\mathbb {F}_{q^m}\) can be decoded using the randomized decoding approach proposed in [39]. Since applying the attack to each row of the unfolded public key is more efficient, we conclude that the randomized Gabidulin decoding attack on the public key has an average complexity of
over \(\mathbb {F}_{q^m}\).
6.1.5 Moving to another close error attack
The following attack was suggested by Rosenkilde [41]. It tries to move the vector \(\mathbf {z}\) (which we have chosen such that the interleaved decoder fails) to a close vector of the same or smaller rank weight w for which the interleaved decoder for \(\mathbf {k}_{\mathsf {pub}}\) does not fail.
The idea is to find a vector \(\mathbf {y} \in \mathbb {F}_{q^m}^{u \times n}\) such that \(\mathbf {z}^\prime := \mathbf {z} + \mathbf {y}\) still has rank weight \({{\,\mathrm{rk}\,}}_q(\mathbf {z}^\prime ) \le w\) and that the rank of the matrix from (5) over \(\mathbb {F}_{q^m}\) is at least w. To guarantee the first condition, we want to construct \(\mathbf {y}\) such that its extended \(um \times n\) matrix over \(\mathbb {F}_q\) has a row space \(\mathcal {R} := \mathrm {RowSpace}_{\mathbb {F}_q}\big ({{\,\mathrm{ext}\,}}_{\varvec{\gamma }}(\mathbf {y})\big )\) that is contained in that of \(\mathbf {z}\). Since for the original error \(\mathbf {z}\), the matrix (5) has rank \(\varphi \le \zeta (n-k-w)\), \(\mathcal {R}\) must have at least \(\mathbb {F}_q\)-dimension \(w-\varphi \ge w(\zeta +1)-\zeta (n-k)\). By choosing a random \(\mathcal {R}\) with this property and taking a random matrix \(\mathbf {y}\) whose extended matrix has \(\mathbb {F}_q\)-row space \(\mathrm {RowSpace}_{\mathbb {F}_q}\big ({{\,\mathrm{ext}\,}}_{\varvec{\gamma }}(\mathbf {y})\big ) = \mathcal {R}\), the second condition is fulfilled with high probability.
The complexity of the attack is hence dominated by the complexity of finding a subspace \(\mathcal {R} \subseteq \mathbb {F}_q^{n}\) of dimension \(w-\varphi \) that is contained in the w-dimensional \(\mathbb {F}_q\)-row space of \(\mathbf {z}\). Since this row space is unknown, we can find such a subspace in a Las Vegas fashion by repeatedly drawing a subspace uniformly at random. The expected number of iterations until we find a suitable row space is thus one over the probability that a random \((w-\varphi )\)-dimensional subspace of \(\mathbb {F}_q^n\) is contained in a given w-dimensional subspace, which is (cf. [15, Proof of Lemma 7]):
Hence, the attack has work factor
6.2 Exponential-time attacks on ResGSearch
Retrieving information about the plaintext from the ciphertext and the public key is equivalent to solving ResGSearch (Problem 3). In this section, methods that solve this problem are summarized.
6.2.1 Randomized Gabidulin decoding attack on the ciphertext
Each ciphertext of LIGA can be seen as a Gabidulin codeword over \(\mathbb {F}_{q^m}\) plus an error:
Denote \(\tilde{w} := {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e})\). Then we can use the decoding algorithm proposed in [39], which requires on average at least
operations in \(\mathbb {F}_{q^m}\).
Clearly, the complexity of the algorithm strongly depends on the value \(\tilde{w}\), which in turn depends on the generated keys. In general, \(\tilde{w} = w +t_{\mathsf {pub}}\), but for some choices of \(\mathbf {z}\), \(\alpha \), and \(\mathbf {e}\), the rank \(\tilde{w}\) is smaller. For this issue, see Sect. 6.4 and Appendix 3, where we study the probability that \(\tilde{w}\) is small, both for randomness in the encryption (random choice of \(\alpha \) and \(\mathbf {e}\)) and the key generation (random choice of \(\mathbf {z}\)). Some extremely rarely occurring keys (weak keys) thereby result in relatively high probabilities that \(\tilde{w}\) is small.
However, we can choose the system parameters such that both the probability of a weak key and the conditional probability that \(\tilde{w}<w\) given a non-weak key are below \(2^{-\lambda }\). Hence, with overwhelming probability, a random key and ciphertext result in a ciphertext error of rank weight \(\tilde{w}\ge w\), and the work factor of this attack is always at least as large as that of the “Randomized Gabidulin Decoding Attack on the Public Key” in Sect. 6.1.
6.2.2 List decoding of the ciphertext attack
As described in the randomized Gabidulin decoding attack on the ciphertext above, the ciphertext of LIGA is a codeword of a Gabidulin code corrupted by an error of rank weight \(\tilde{w}\). Hence, an attacker can try to decode the ciphertext directly. Since \(\tau \) is always greater than the unique decoding radius \(\left\lfloor \frac{n-k}{2}\right\rfloor \) of the Gabidulin code, this would require an efficient (list) decoding algorithm up to radius \(\tau \). As explained previously, there is no such algorithm, and bounds on the list size prove that there cannot exist a generic list decoding algorithm for all Gabidulin codes, which indicates that list decoding is a hard problem.
However, to be on the safe side, we have taken list decoding into account as follows for the security level of our system. The list size \(\mathcal {L}_{\mathbf {c},\text {worst}}\) denotes a lower bound on the worst-case work factor of list decoding. For example, for a Gabidulin code with parameters \(n \mid m\) and \(\gcd (n,n-\tau )\ge 2\), there is a received word such that there are at least
codewords in rank distance at most \(\tau \) to it.
Although \(\mathcal {L}_{\mathbf {c},\text {worst}}\) does not imply any statement about the average list size or average work factor, it provides an estimate of the order of magnitude of the work factor of a hypothetical list decoding attack. For our suggested parameters in Sect. 7, we have ensured that the value of \(\mathcal {L}_{\mathbf {c},\text {worst}}\) is sufficiently large.
6.2.3 Combinatorial rank syndrome decoding (RSD) attack
The ciphertext can be interpreted as a codeword from a code of dimension k (see [16]), generated by the generator matrix
Since the structure of this code only permits decoding it like a random rank-metric code, it can be decoded with the combinatorial syndrome decoding attack from [4], whose complexity is in the order of
6.2.4 Algebraic RSD attack
As described in the previous section, the ResGSearch problem can be solved by decoding an error of rank weight \(t_{\mathsf {pub}}\) in a random [n, k] code. Besides the combinatorial approach, there exist algebraic algorithms to solve the problem.
In [6], the RSD problem is expressed as a multivariate polynomial system and is solved by computing a Gröbner basis. The complexity of that attack is generally smaller than the combinatorial approach. In case there is a unique solution to the system, then the work factor of the algorithm is
where \(\mu \) is the exponent in the complexity expression of the matrix multiplication algorithm used. The asymptotically fastest known matrix multiplication algorithm has an exponent of \(\mu < 2.373\). Like the authors of [6], we use \(\mu = 2.807\) to compute the work factors in this paper, since it corresponds to Strassen’s algorithm, which is (due to the hidden constant) in practice the fastest algorithm for large (but still reasonably small) matrix sizes.
Very recently, a new algebraic algorithm was proposed to solve the RSD problem [7]. It divides the RSD problem instances into two categories. If
we are in the overdetermined case and the proposed algorithm has work factor
in \(\mathbb {F}_q\), where \(p= \min \{i: i \in \{1,\hdots ,n\}, m \left( {\begin{array}{c}n-i-k-1\\ t_{\mathsf {pub}}\end{array}}\right) \ge \left( {\begin{array}{c}n-i\\ t_{\mathsf {pub}}\end{array}}\right) - 1\}\). Otherwise, we are in the underdetermined case, in which the algorithm has work factor
We have
with \(a = \min \{i: i \in \{1,\hdots ,n\}, m \left( {\begin{array}{c}n-k-1\\ t_{\mathsf {pub}}\end{array}}\right) \ge \left( {\begin{array}{c}n-i\\ t_{\mathsf {pub}}\end{array}}\right) - 1\}\). Further, for \(0<b<t_{\mathsf {pub}}+2\) and \(A_b - 1 \le B_b + C_b\),
where \(A_b:=\sum _{j=1}^{b}\left( {\begin{array}{c}n\\ t_{\mathsf {pub}}\end{array}}\right) \left( {\begin{array}{c}mk+1\\ j\end{array}}\right) \), \(B_b:=\sum _{j=1}^{b} m\left( {\begin{array}{c}n-k-1\\ t_{\mathsf {pub}}\end{array}}\right) \left( {\begin{array}{c}mk+1\\ j\end{array}}\right) \) and
We denote the minimum of the work factors of the two algorithms as the work factor of the algebraic RSD attack, i.e.,
Note that for algebraic decoding, it is neither known how to improve the complexity by using the fact that there are multiple solutions, nor is it known how to speed up the algorithm in the quantum world.
6.2.5 Linearization attack
In [16], a message attack was proposed which succeeds for some parameters with high probability in polynomial time.
Lemma 3
(Linearization Attack [16]) Let \(\mathbf {k}_{\mathsf {pub}}^{(i)} = {{\,\mathrm{Tr}\,}}(\gamma _i \mathbf {k}_{\mathsf {pub}})\) for \(i=1,\dots ,u\) and
Then, the encrypted message \(\mathbf {m}\) can be efficiently recovered if the left kernel of \(\mathbf {M}\) has dimension \(\dim (\ker (\mathbf {M})) = 1\).
If \((u+2)t_{\mathsf {pub}}+ k > n\), then \(\mathbf {M}\) has at least two more rows than columns and we have \(\dim (\ker (\mathbf {M}))>1\). If \(\mathbf {k}_{\mathsf {pub}}\) is random and \((u+2)t_{\mathsf {pub}}+ k \le n\), the attack is efficient with high probability [16].
Lemma 4
Let \(\mathbf {M}\) be as in (13). Then,
Proof
We can write
so by elementary row operations, we can transform \(\mathbf {M}\) into
Due to \(w+2t_{\mathsf {pub}}<n-k\), the matrix \(\mathcal {M}_{t_{\mathsf {pub}}+1,q}\left( \mathbf {z}_i \right) \) is a submatrix of \(\mathcal {M}_{n-k-w,q}\left( \mathbf {z}_i \right) \), so
Further, since the number of columns of \(\mathbf {M}\) is equal to n,
\(\square \)
The linearization attack is inefficient if the rank of \(\mathbf {M}\) is smaller than its number of rows, which implies the following, stronger version of the original statement in [16].
Theorem 8
If \(t_{\mathsf {pub}}> \tfrac{n-k}{u+2}\) or \(\varphi < u (t_{\mathsf {pub}}+1)\), the linearization attack in [16] is inefficient and its work factor is
The first condition in Theorem 8 is again fulfilled by the choice of w in Table 1. The second one reads \(t_{\mathsf {pub}}> \tfrac{\varphi }{u}+1\), and for any valid \(\varphi \), there are choices of w such that \(t_{\mathsf {pub}}\) fulfills this inequality for any \(u>1\).
6.2.6 Algebraic attacks
Faure and Loidreau [16] also described two message attacks of exponential worst-case complexity. The first one is based on computing gcds of polynomials of degrees
Since computing the gcd of two polynomials can be implemented in quasi-linear time in the polynomials’ degree, (14) gives an estimate of the work factor of this attack. The second algebraic attack is based on finding Gröbner bases of a system of \(n_\mathrm {p} = \genfrac(){0.0pt}1{n}{k+2 t_{\mathsf {pub}}u+1}\) many polynomials of degree approximately \(d_\mathrm {p} = \tfrac{q^{t_{\mathsf {pub}}+1}-1}{q-1}\). The attack is only efficient for small code parameters, cf. [16, Sec. 5.3]. Since the average-case complexity of Gröbner basis algorithms is hard to estimate, we cannot directly relate \(n_\mathrm {p}\) and \(d_\mathrm {p}\) to the attack’s work factor. Faure and Loidreau choose the code parameters such that \(n_\mathrm {p} \approx 2^{32}\) and \(d_\mathrm {p} = 127\) and claim that the attack is inefficient for these values. Our example parameters in Sect. 7 result in at least these values.
6.2.7 Overbeck-like attack
The key attack described in [28, Ch. 7, Sec. 2.1] is based on a similar principle as Overbeck uses to attack the McEliece cryptosystem based on Gabidulin codes [35]. The attack from [28, Ch. 7, Sec. 2.1] cannot be applied if
6.2.8 Brute-force attack on the element \(\alpha \)
An attacker can brute-force \(\alpha \in \mathbb {F}_{q^{mu}}\), which has a complexity of
Knowing \(\alpha \), the attacker just needs to apply an efficient decoding algorithm to \(\tilde{\mathbf {c}} = \mathbf {c} - {{\,\mathrm{Tr}\,}}(\alpha \mathbf {k}_{\mathsf {pub}})\) to retrieve the secret message.
6.3 Exponential-time attacks on ResIGDec
We have seen in Sect. 5 that LIGA is IND-CCA2 secure under the assumption that ResGDec is a hard problem. The two previous subsections analyzed all known attacks on the ResGSearch and ResIGSearch problems, which are relevant since there is an obvious reduction of ResGDec to these search problems.
In the following, we study Problem ResIGDec (which translates to distinguishing the public key from a random vector in \(\mathbb {F}_{q^{mu}}^n\)), which is different in the sense that we do not know an efficient reduction from ResGDec (or one of the search problems) to ResIGDec. In other words, even if distinguishing the public key is easy, it might still be hard to distinguish the ciphertext. Nevertheless, we study the hardness of ResIGDec in the following and present a distinguisher, which is efficient to compute if \(\zeta \) is chosen small. The distinguisher is as follows.
Recall the choice of \(\mathbf {k}_{\mathsf {pub}}\) in Algorithm 3. We have
Expand \(\mathbf {k}_{\mathsf {pub}}\) into a \(u \times n\) matrix over \(\mathbb {F}_{q^m}\) and choose any \(\zeta +1\) rows. As the \(\mathbb {F}_{q^m}\)-expansion of the error \(\mathbf {z}\) has \(\mathbb {F}_{q^m}\)-rank \(\zeta \), there are at least \(q^m-1\) many nontrivial \(\mathbb {F}_{q^m}\)-linear combinations of these \(\zeta +1\) rows that are codewords of \(G_{\mathcal {G}}\). With high probability, this is not true for a random \(u \times n\) matrix over \(\mathbb {F}_{q^m}\).
Thus, by repeatedly forming random \(\mathbb {F}_{q^m}\)-linear combinations of these \(\zeta +1\) rows and checking whether the result is a codeword of \(G_{\mathcal {G}}\), we obtain a Monte Carlo algorithm with an expected work factor of
neglecting the cost of checking whether a vector in \(\mathbb {F}_{q^m}^n\) is a codeword. Hence, if \(m\zeta \) is smaller than the security parameter of the system, this distinguisher is feasible to compute.
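The distinguisher above on a toy instance, as an added example that is not code from the paper or its authors: it works over \(\mathbb {F}_{2^8}\) with constructed parameters (q = 2, m = n = 8, k = 3, u = 3, \(\zeta = 1\)), builds the \(\mathbb {F}_{q^m}\)-expansion of \(\mathbf {k}_{\mathsf {pub}}\) directly in the form codeword rows plus a rank-\(\zeta \) error, and counts how many random combinations of \(\zeta +1\) rows are needed until a codeword appears (about \(q^{m\zeta } = 256\) here), while the same test finds nothing on a uniformly random matrix. All field, code and sampling helpers are the example's own assumptions.

```python
"""Sect. 6.3 distinguisher on a toy instance (added example, not the LIGA paper's code)."""
import random

M, POLY = 8, 0x11D             # F_{2^8} = F_2[x] / (x^8 + x^4 + x^3 + x^2 + 1)
N, K, U, ZETA = 8, 3, 3, 1      # constructed: code length, dimension, rows of k_pub, error rank
ORDER = 1 << M                 # field size 256; expected work factor q^(m*zeta) = 256

def gf_mul(a, b):
    """Carry-less product of two F_{2^8} elements, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & ORDER:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """a^(2^8 - 2) = 1/a for nonzero a, by square-and-multiply."""
    r, e = 1, ORDER - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def frob(a, j):
    """j-fold Frobenius a -> a^(2^j)."""
    return a if j == 0 else frob(gf_mul(a, a), j - 1)

# Moore-matrix generator G[j][i] = g_i^(2^j); g_i = x^i is an F_2-basis of F_{2^8}.
G = [[frob(1 << i, j) for i in range(N)] for j in range(K)]

def rank_over_field(rows):
    """Rank over F_{2^8} by Gauss-Jordan elimination on a copy of rows."""
    mat = [r[:] for r in rows]
    rank, col = 0, 0
    while rank < len(mat) and col < N:
        piv = next((i for i in range(rank, len(mat)) if mat[i][col]), None)
        if piv is None:
            col += 1
            continue
        mat[rank], mat[piv] = mat[piv], mat[rank]
        inv = gf_inv(mat[rank][col])
        mat[rank] = [gf_mul(inv, v) for v in mat[rank]]
        for i in range(len(mat)):
            if i != rank and mat[i][col]:
                f = mat[i][col]
                mat[i] = [vi ^ gf_mul(f, vr) for vi, vr in zip(mat[i], mat[rank])]
        rank, col = rank + 1, col + 1
    return rank

def is_codeword(v):
    """v lies in the Gabidulin code iff appending it to G does not raise the rank."""
    return rank_over_field(G + [v]) == K

def lin_comb(coeffs, vecs):
    """sum_i coeffs[i] * vecs[i] over F_{2^8} (vector addition is XOR)."""
    out = [0] * N
    for c, v in zip(coeffs, vecs):
        out = [o ^ gf_mul(c, x) for o, x in zip(out, v)]
    return out

def structured_key(rng):
    """F_{2^8}-expansion of k_pub = x*G + z (Algorithm 3): row i is X_i*G + S_i*A, error rank ZETA."""
    A = [[rng.randrange(ORDER) for _ in range(N)] for _ in range(ZETA)]
    S = [[rng.randrange(1, ORDER) for _ in range(ZETA)] for _ in range(U)]  # full rank for ZETA=1
    rows = []
    for i in range(U):
        X_i = [rng.randrange(ORDER) for _ in range(K)]
        rows.append(lin_comb(X_i + S[i], G + A))
    return rows, S

def distinguisher(rows, rng, trials):
    """Monte-Carlo test of Sect. 6.3; returns the trial count of the first codeword hit, else None."""
    sel = rows[:ZETA + 1]
    for t in range(1, trials + 1):
        coeffs = [rng.randrange(ORDER) for _ in sel]
        if any(coeffs) and is_codeword(lin_comb(coeffs, sel)):
            return t
    return None

def kernel_combination(rows, S):
    """For ZETA=1, S_1*row_0 + S_0*row_1 cancels the error (char. 2): one of the q^m - 1 hits."""
    return lin_comb([S[1][0], S[0][0]], rows[:2])

def demo(seed=1, trials=3000):
    """Returns (sanity combination is a codeword, trials on a structured key, trials on random)."""
    rng = random.Random(seed)
    key, S = structured_key(rng)
    rnd = [[rng.randrange(ORDER) for _ in range(N)] for _ in range(U)]
    return (is_codeword(kernel_combination(key, S)),
            distinguisher(key, rng, trials), distinguisher(rnd, rng, trials))
```

On the structured key a hit arrives after roughly 257 trials on average (\((q^m-1)\) good coefficient pairs out of \(q^{2m}-1\)); on the random matrix the budget is exhausted without a hit, which is exactly the gap the work factor \(q^{m\zeta }\) measures.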
6.4 Avoiding weak keys
As already discussed in Sect. 6.2, the work factors of the “Randomized Gabidulin Decoding Attack on the Ciphertext” and the “List Decoding of the Ciphertext Attack” depend on the rank of the error part \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e}\) of the ciphertext (seen as codeword plus error). Generically, this error has rank weight \(w+t_{\mathsf {pub}}\), but due to the trace operation and the addition, the rank might be smaller.
In Appendix 3, we will analyze the probability that for a given key (i.e., \(\mathbf {z}\) in this case) and a random encryption (random choices of \(\alpha \) and \(\mathbf {e}\)) the rank is significantly smaller than expected (we use \(<w\) as a threshold, see Sect. 6.2). Briefly summarized, we get the following results.
It turns out that this probability heavily depends on the minimum distance of the code \(\mathcal {A}\) used to generate \(\mathbf {z}\) in Algorithm 3. The smaller this minimum distance, the larger the probability that the rank is low. More precisely, for a given \(\mathcal {A}\) of minimum distance \(2 \le t \le w-\zeta +2\)
Due to the above discussion, we call a key with \(\Pr ({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e})<w)>2^{-\lambda }\) a weak key. In Appendix 3, we derive an upper bound on the probability of choosing a weak key (i.e., an \(\mathcal {A}\) of too small minimum distance) in Algorithm 3. For \(\zeta q^{\zeta wm} \le \tfrac{1}{2}\), this bound is roughly
cf. Remark 2 (see Theorem 11 for a non-asymptotic bound) in Appendix 3, where t is the smallest minimum distance for which the key is not weak.
It can be seen that the parameters of LIGA can be chosen such that there is a t with \(2 \le t \le w-\zeta +2\) for which both \(\Pr ({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e})<w)\) (for any non-weak key) and \(\Pr (\text {weak key})\) are smaller than \(2^{-\lambda }\). This is the case for all parameters proposed in Table 1.
6.5 Summary of the work factors
In this section, we recall the conditions on the choice of the parameters such that all known attacks are inefficient, and we summarize their work factors. Furthermore, we give specific parameters and compare LIGA to other code-based cryptosystems.
In the following, we choose the parameters q, m, n, k, u, w, and \(t_{\mathsf {pub}}\) as in Table 1. Recall that this choice of w prevents the Overbeck-like attack (Sect. 6.2.7) and results in an exponential work factor of the linearization attack (Sect. 6.2.5).
Furthermore, we choose \(\zeta \) to be small such that the work factor of searching the exponentially large output of the interleaved decoding attack (Sect. 6.1.2) is large. Note that the latter attack returns an exponentially large output if and only if the GOT [21] attack fails, cf. Theorem 3.
The resulting considered work factors are summarized in Table 2. In addition to these work factors, we have considered the following requirements:
The work factor of the second algebraic attack in [16] (cf. Sect. 6.2.6) is unknown. Hence, we choose the code parameters such that the resulting nonlinear system of equations occurring in the attack consists of more than \(n_\mathrm {p} \approx 2^{32}\) many polynomials of degree at least \(d_\mathrm {p} = 127\). This is the same choice as in [16].
Since there is no efficient list decoder for Gabidulin codes, the work factor of list decoding the public key or the ciphertext in Sect. 6.2.2 is not known. However, we do have a lower bound on the worst-case work factor for some codes, given by the maximal list size \(\mathcal {L}_{\mathbf {c},\text {worst}}\) in (12). In all examples for which the bound holds, we chose the parameters such that \(\log _2(\mathcal {L}_{\mathbf {c},\text {worst}})\) is much larger than the claimed security level.
The probability of generating a weak key should be negligible. Thus, we choose the parameters such that \(\zeta q^{\zeta wm} \le \tfrac{1}{2}\) and
$$\begin{aligned} \Pr (\text {weak key})&\le \frac{q^{m\zeta }-1}{(q^m-1)(q^{mw}-1)}\left( \sum _{i=0}^{t-1} \genfrac[]{0.0pt}{}{w}{i}_{q} \prod _{j=0}^{i-1} \left( q^m-q^j\right) - 1 \right) \\&\le 2^{-\lambda }, \end{aligned}$$where \(\lambda \) is the security parameter and
$$\begin{aligned} t := \min \left\{ t \, : \, q^{-m\zeta }+ {256} \min \{t,t_{\mathsf {pub}}\}^2 q^{-(t+t_{\mathsf {pub}}-w+1)\left( n+\frac{t-3w-t_{\mathsf {pub}}}{2}\right) } \le 2^{-\lambda } \right\} . \end{aligned}$$
7 Parameters and key sizes
We propose parameters for security levels of 128 bit, 192 bit and 256 bit in Table 3, where \(R=\frac{ku}{n}\) denotes the rate. The parameters are chosen in a way that we can send at least 256 bit of information and thus the system can be used as a KEM. Further, we use a security margin of at least 20 bit. For all parameters, the algebraic attack based on computing gcds of polynomials is the most efficient attack.
To evaluate the performance of LIGA, we compare it to the IND-CCA-secure version [42] of Loidreau’s system [29] and the NIST proposals RQC [2], ROLLO [1], BIKE [3] and Classic McEliece [8]. We show the sizes of the private key \(\mathsf {sk}\), the public key \(\mathsf {pk}\) and the ciphertext \(\mathsf {ct}\) in bytes in Table 4, as proposed by the respective authors.^{Footnote 5} Note that in LIGA we can use a similar representation of the secret key and public key as in RQC, see [2, Section 2.3.3]. More precisely, we just store a seed of size 40 bytes to generate the secret key \(\mathsf {sk}= (\mathbf {x},\mathbf {P}_{[w+1,n]})\), which leads to a secret key size of 40 bytes. The vector \(\mathbf {g}\) in the public key \(\mathsf {pk}= (\mathbf {g},\mathbf {k}_{\mathsf {pub}})\) can also be stored as a seed of size 40 bytes. Thus, the size of the public key \(\mathsf {pk}\) is equal to \(\big \lceil \frac{m n u\log _2(q)}{8} \big \rceil + 40\) bytes. The size of the ciphertext \(\mathsf {ct}\) is given by \(\lceil nm\log _2(q) \rceil \) bytes.
In [11], a generalization of Grover’s algorithm is proposed that finds the roots of a function f in \(\sqrt{2^b/r}\) function evaluations on average, where r is the number of roots and \(2^b\) is the number of possible inputs of f. Thus, in a post-quantum world, all shown attacks on \(\textsf {LIGA}\) may be accelerated using Grover’s algorithm, except the GCD-based attack and the Algebraic RSD attack. Similar to the quantum information-set decoding algorithm described in [9], the mentioned attacks have in common that they guess an element from a large set and then evaluate in polynomial time whether the guess leads to the desired outcome. If the desired outcome is obtained, the system can be broken in polynomial time using exactly this guess. Thus, the work factor of these algorithms is the product of the complexity of checking whether a guess leads to the desired outcome and the inverse of the probability that the guess leads to the desired outcome. Hence, we can easily construct a function f that takes a guess as input and checks in polynomial time whether the guess is as desired; if so, f outputs 0, and otherwise anything except 0. Then, we can apply Grover’s algorithm to find a root of f, which is an element of the set that leads to the desired outcome. In this way, Grover’s algorithm reduces the work factor to the product of the polynomial time required for checking the guess and the square root of the inverse of the probability that the guess is as desired. For the GCD-based attack, we do not know how to improve the work factor with a quantum computer, since the stated complexity already assumes a running time linear in the polynomials’ degree. Further, at the current state of research, no quantum speed-up is known for the Algebraic RSD attack [2, Section 6.3].
Using the described work factors, we obtain for LIGA-128, LIGA-192 and LIGA-256 a post-quantum security level of 97.5 bit, 127.5 bit and 157.5 bit, respectively, where Moving to Close Error is the most efficient attack for all three parameter sets.
8 Conclusion
In this paper, we presented a new rank-metric code-based cryptosystem: LIGA. LIGA uses a new coding-theoretic interpretation of the Faure–Loidreau system. We showed that the ciphertext is a corrupted codeword of a Gabidulin code, where, to an unauthorized receiver, the error weight is too large to be correctable. The authorized user knows the row space of a part of the error and is thus able to correct the error. Further, we derived that a part of the public key can be seen as a corrupted codeword of an interleaved Gabidulin code and that, in the original FL system, an interleaved Gabidulin decoder can efficiently recover the private key from this part of the public key with high probability. We proved that the condition that interleaved Gabidulin decoders fail is equivalent to the condition that the severe attack by Gaborit, Otmani and Talé Kalachi fails.
Based on the latter observation, we chose LIGA’s key generation algorithm such that interleaved Gabidulin decoders fail, which in turn implies that the attack by Gaborit et al. fails.
We proposed two versions of LIGA and proved that the public key encryption is IND-CPA secure and the KEM is IND-CCA2 secure under the assumption that the ResGDec problem is hard. We extensively analyzed the security of this decisional problem by studying attacks on ResGSearch, ResIGSearch, and ResIGDec (recall that there is a reduction of ResGDec to each of the two search problems). All studied attacks have an exponential work factor in the proposed parameter ranges and can be avoided by parameter choice.
Finally, we presented parameters for security levels of 128, 192 and 256 bit and compared them to the NIST proposals RQC, ROLLO, BIKE, Classic McEliece and a rank-metric McEliece-like system proposed by Loidreau. It was observed that LIGA has small ciphertext sizes as well as relatively small key sizes. Encryption and decryption correspond to encoding and decoding of Gabidulin codes, for which efficient and constant-time algorithms exist. Further, the proposed system guarantees correct decryption and is not based on hiding the structure of a code. Hence, the LIGA system should be considered as an alternative with small ciphertext and key sizes.
Notes
In this setting, an “error of weight w” is a matrix in \(\mathbb {F}_{q^{mu}}^n\) with \(\mathbb {F}_q\)-rank equal to w.
Note that since \(\mathbf {x}\) and \(\mathbf {z}\) have coefficients in the large field \(\mathbb {F}_{q^{mu}}\), this line can be realized as encoding u messages over \(\mathbb {F}_{q^m}\) with the generator matrix \(\mathbf {G}_\mathcal {G}\in \mathbb {F}_{q^m}^{k \times n}\) and corrupting these codewords with an error (see also Sect. 3.2 below).
Which of the two algorithms is fastest depends on the relation between n and m, as well as the used working basis of \(\mathbb {F}_{q^m}\) over \(\mathbb {F}_q\).
The size of the secret key of Loidreau’s system is not shown since the authors of [42] do not state how they represent \(\mathsf {sk}\).
Note that we described the key generation as in [16], where \(\mathbf {g}\) is chosen at random, but this is not necessary for the security of the system.
References
Aguilar Melchor, C., Aragon, N., Bardet, M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Hauteville, A., Otmani, A., Ruatta, O., Tillich, J., Zemor, G.: ROLLO – Rank-Ouroboros, LAKE & LOCKER. Second round submission to the NIST post-quantum cryptography call (2019). https://pqc-rollo.org
Aguilar Melchor, C., Aragon, N., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Zemor, G., Couvreur, A., Hauteville, A.: Rank quasi-cyclic (RQC). Second round submission to the NIST post-quantum cryptography call (2019). https://pqc-rqc.org
Aragon, N., Barreto, P., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Gueron, S., Güneysu, T., Aguilar Melchor, C., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J., Vasseur, V., Zemor, G.: BIKE – bit flipping key encapsulation. Second round submission to the NIST post-quantum cryptography call (2019). https://pqc-rollo.org
Aragon, N., Gaborit, P., Hauteville, A., Tillich, J.P.: A new algorithm for solving the rank syndrome decoding problem. In: IEEE Int. Symp. Inf. Theory (ISIT) (2018)
Augot, D., Finiasz, M.: A public key encryption scheme based on the polynomial reconstruction problem. In: EUROCRYPT 2003, LNCS 2656, pp. 229–249 (2003)
Bardet, M., Briaud, P., Bros, M., Gaborit, P., Neiger, V., Ruatta, O., Tillich, J.P.: An algebraic attack on rank metric code-based cryptosystems. Tech. rep. (2019). arXiv:1910.00810v1
Bardet, M., Bros, M., Cabarcas, D., Gaborit, P., Perlner, R., Smith-Tone, D., Tillich, J.P., Verbel, J.: Algebraic attacks for solving the rank decoding and MinRank problems without Gröbner basis (2020)
Bernstein, D., Chou, T., Lange, T., Maurich, I., Misoczki, R., Niederhagen, R., Persichetti, E., Peters, C., Schwabe, P., Sendrier, N., Szefer, J., Wang, W.: Classic McEliece. Second round submission to the NIST post-quantum cryptography call (2019). https://classic.mceliece.org
Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) Post-Quantum Cryptography, pp. 73–80. Springer, Berlin Heidelberg (2010)
Bettaieb, S., Bidoux, L., Gaborit, P., Marcatel, E.: Preventing timing attacks against RQC using constant time decoding of Gabidulin codes. In: Int. Conf. on Post-Quantum Cryptography (PQCrypto) (2019)
Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschritte der Physik 46(4–5), 493–505 (1998)
Byrne, E., Ravagnani, A.: Partition-balanced families of codes and asymptotic enumeration in coding theory. J. Comb. Theory A 171, 105169 (2020)
Caruso, X., Le Borgne, J.: Fast multiplication for skew polynomials. In: ISSAC (2017)
Delsarte, P.: Bilinear forms over a finite field with applications to coding theory. J. Comb. Theory Ser. A 25(3), 226–241 (1978)
Etzion, T., Vardy, A.: Error-correcting codes in projective space. IEEE Trans. Inform. Theory 57(2), 1165–1173 (2011)
Faure, C., Loidreau, P.: A new public-key cryptosystem based on the problem of reconstructing p-polynomials. In: Coding and Cryptography, pp. 304–315. Springer, Berlin (2006)
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26, 80–101 (2013)
Gabidulin, E.M.: Theory of codes with maximum rank distance. Probl. Inf. Transm. 21(1), 3–16 (1985)
Gabidulin, E.M., Ourivski, A.V., Honary, B., Ammar, B.: Reducible rank codes and their applications to cryptography. IEEE Trans. Inform. Theory 49(12), 3289–3293 (2003)
Gabidulin, E.M., Pilipchuk, N.I.: Error and erasure correcting algorithms for rank codes. Des. Codes Cryptogr. 49(1–3), 105–122 (2008)
Gaborit, P., Otmani, A., Talé Kalachi, H.: Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes. Des. Codes Cryptogr. 86(7), 1391–1403 (2018)
Gadouleau, M., Yan, Z.: Complexity of decoding Gabidulin codes. In: IEEE Annual Conf. Inform. Science and Syst., pp. 1081–1085 (2008)
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki–Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography, pp. 341–371. Springer International Publishing, Cham (2017)
Koetter, R., Kschischang, F.R.: Coding for errors and erasures in random network coding. IEEE Trans. Inform. Theory 54(8), 3579–3591 (2008)
Krachkovsky, V.Y., Lee, Y.X.: Decoding for iterative Reed–Solomon coding schemes. IEEE Trans. Magn. 33(5), 2740–2742 (1997)
Lidl, R., Niederreiter, H.: Finite Fields. Encyclopedia of Mathematics and its Applications. Cambridge University Press, Cambridge (1996)
Loidreau, P., Overbeck, R.: Decoding rank errors beyond the error correcting capability. In: Int. Workshop Alg. Combin. Coding Theory (ACCT) (2006)
Loidreau, P.: Métrique rang et cryptographie (in French). Mémoire d’habilitation à diriger des recherches, Université Pierre et Marie Curie, Paris 6 (2007)
Loidreau, P.: A new rank metric codes based encryption scheme. In: Int. Conf. on Post-Quantum Cryptography (PQCrypto) (2017)
Marsaglia, G.: Bounds on the rank of the sum of matrices (1967)
National Institute of Standards and Technology (NIST), U.S. Department of Commerce: Post-quantum cryptography standardization (2017). https://csrc.nist.gov/Projects/post-quantum-cryptography/Post-Quantum-Cryptography-Standardization
Neri, A., Horlemann-Trautmann, A.L., Randrianarisoa, T., Rosenthal, J.: On the genericity of maximum rank distance and Gabidulin codes. Des. Codes Cryptogr. 86(2), 341–363 (2018)
Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49, 289–305 (2008)
Overbeck, R.: Public Key Cryptography based on Coding Theory. Ph.D. thesis, TU Darmstadt, Darmstadt, Germany (2007)
Overbeck, R.: A new structural attack for GPT and variants. In: MYCRYPT 2005, LNCS 3715, pp. 50–63 (2005)
Puchinger, S., Wachter-Zeh, A.: Sub-quadratic decoding of Gabidulin codes. In: IEEE Int. Symp. Inf. Theory (ISIT), pp. 2554–2558 (2016)
Puchinger, S., Wachter-Zeh, A.: Fast operations on linearized polynomials and their applications in coding theory. J. Symb. Comp. 89, 194–215 (2018)
Raviv, N., Wachter-Zeh, A.: Some Gabidulin codes cannot be list decoded efficiently at any radius. IEEE Trans. Inform. Theory 62(4), 1605–1615 (2016)
Renner, J., Jerkovits, T., Bartz, H., Puchinger, S., Loidreau, P., Wachter-Zeh, A.: Randomized decoding of Gabidulin codes beyond the unique decoding radius. In: Int. Conf. on Post-Quantum Cryptography (PQCrypto) (2020)
Richter, G., Plass, S.: Error and erasure decoding of rank-codes with a modified Berlekamp–Massey algorithm. In: International ITG Conference on Systems, Communications and Coding 2004 (SCC) (2004)
Rosenkilde, J.S.H.: Personal communication (2018)
Shehhi, H.A., Bellini, E., Borba, F., Caullery, F., Manzano, M., Mateu, V.: An IND-CCA-secure code-based encryption scheme using rank metric. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) Progress in Cryptology: AFRICACRYPT 2019, pp. 79–96. Springer International Publishing, Cham (2019)
Sidorenko, V.R., Jiang, L., Bossert, M.: Skew-feedback shift-register synthesis and decoding interleaved Gabidulin codes. IEEE Trans. Inform. Theory 57(2), 621–632 (2011)
Silva, D., Kschischang, F.R.: Fast encoding and decoding of Gabidulin codes. In: IEEE Int. Symp. Inf. Theory (ISIT), pp. 2858–2862 (2009)
Silva, D., Kschischang, F.R., Kötter, R.: A rank-metric approach to error control in random network coding. IEEE Trans. Inform. Theory 54(9), 3951–3967 (2008)
Trombetti, R., Zullo, F.: On the list decodability of rank metric codes. Preprint (2019). https://arxiv.org/abs/1907.01289
Stein, W.A., et al.: SageMath software. http://www.sagemath.org
Wachter-Zeh, A.: Bounds on list decoding of rank-metric codes. IEEE Trans. Inform. Theory 59(11), 7268–7277 (2013)
Wachter-Zeh, A.: Decoding of Block and Convolutional Codes in Rank Metric. Ph.D. thesis, Ulm University and University of Rennes 1, Ulm, Germany and Rennes, France (2013)
Wachter-Zeh, A., Puchinger, S., Renner, J.: Repairing the Faure–Loidreau public-key cryptosystem. In: IEEE Int. Symp. Inf. Theory (ISIT), pp. 2426–2430 (2018)
Wachter-Zeh, A., Zeh, A.: List and unique error-erasure decoding of interleaved Gabidulin codes with interpolation techniques. Des. Codes Cryptogr. 73(2), 547–570 (2014)
Acknowledgements
The work of J. Renner and A. Wachter-Zeh was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant Agreement No. 801434). S. Puchinger received funding from the European Union’s Horizon 2020 research and innovation program under the Marie Sklodowska-Curie Grant Agreement No. 713683. We would like to thank Johan Rosenkilde for proposing the “moving to a close error” attack. Also, we are thankful to Michael Schelling for his observation that decryption of the FL system can be seen as error-erasure decoding. Further, we thank Pierre Loidreau for his valuable comments on a previous version of this paper. We are also grateful to Alessandro Neri for fruitful discussions that helped to achieve the results in Appendix 3.
Funding
Open Access funding enabled and organized by Projekt DEAL.
Additional information
Communicated by D. Panario.
Appendices
A: Practical considerations on the key generation
We discuss practical aspects related to the following lines of the modified key generation algorithm (Algorithm 3).
We conjecture that the set from which \(\mathcal {A}\) is sampled is almost the entire set of \(\zeta \)-dimensional subspaces of \(\mathbb {F}_{q^m}^w\) (or, equivalently, of linear \([w,\zeta ]_{q^m}\) codes). Using a combinatorial argument on the known number of full-rank codewords of MRD codes, we prove in Lemma 8 (Appendix 3) that MRD codes always have a basis consisting of full-rank codewords. Since the weight enumerator is not known in general for non-MRD codes, we cannot give a proof, but we expect that most codes that are close to MRD (i.e., d is close to \(n-k+1\)) also have such a basis. The conjecture is then implied by the fact that (close-to-)MRD codes constitute the majority of linear codes [12, 32] for the parameters considered here.
Since it is hard to check in the worst case whether a randomly drawn code admits a basis of full-\(\mathbb {F}_q\)-rank codewords, these arguments also suggest a practical method to implement Lines 3 and \(3'\): sample uniformly at random from the set of \([w,\zeta ]_{q^m}\) codes. With overwhelming probability, the code is close to MRD and a large proportion of its codewords have full \(\mathbb {F}_q\)-rank. Randomly choosing u codewords will thus give a generating set consisting of full-rank codewords with high probability. Only if no basis is found after a given number of trials does one need to formally check whether the code admits a generating set of full-\(\mathbb {F}_q\)-rank codewords. This gives a Las-Vegas-type algorithm with (supposedly) small expected running time.
The worst case of this algorithm (i.e., no suitable generating set is found after a given number of trials) occurs with extremely small probability (provably, it is close to the probability of drawing no MRD code at random; it might be even smaller in reality since “near-MRD” codes might also have suitable bases). Nevertheless, the worst-case complexity is still quite large. Alternatively, one can draw a new code \(\mathcal {A}\) if no generating set is found after a given number of trials. This, however, slightly changes the random experiment from which the code \(\mathcal {A}\) is drawn. The only part of this paper which is influenced by such a modification is Sect. 6.4, a summary of Appendix 3, which studies weak keys (i.e., keys for which there is a non-negligible probability that the error part of the ciphertext has too low rank and is vulnerable to a feasible ciphertext attack). A key is weak only if the minimum distance of \(\mathcal {A}\) is small. By parameter choice, the probability that such a key is generated can be made arbitrarily small (cf. Appendix 3). By the same arguments as above, we conjecture that if the probability of obtaining a generating set of full-\(\mathbb {F}_q\)-rank codewords by drawing u codewords uniformly at random is small, then the minimum distance of the code must also be small (i.e., far away from MRD). In summary, we expect (but cannot prove) that this change of drawing procedure results in an even smaller weak-key probability than predicted by Theorem 11 (Appendix 3).
B: Decryption as error-erasure decoding
In the following, we give a coding-theoretic interpretation of the ciphertext of the original FL system and of LIGA, which—to the best of our knowledge—has not been observed before.
Lemma 5
Fix a basis \(\mathbf {\gamma }\) of \(\mathbb {F}_{q^m}\) over \(\mathbb {F}_q\). Then, the matrix representation of the ciphertext can be written in the form
where
\(\mathbf {C}_\mathcal {G} = {{\,\mathrm{ext}\,}}_{\mathbf {\gamma }}([\mathbf {m}+{{\,\mathrm{Tr}\,}}(\alpha \mathbf {x})]\cdot \mathbf{G}_{\mathcal {G}}) \in \mathbb {F}_q^{m \times n}\) is unknown and a codeword of a Gabidulin code,
\(\mathbf {A}^{(C)} = {{\,\mathrm{ext}\,}}_{\mathbf {\gamma }}({{\,\mathrm{Tr}\,}}(\alpha \mathbf {s})) \in \mathbb {F}_q^{m \times w}\) is unknown,
\(\mathbf {B}^{(C)} = (\mathbf {P}^{-1})_{[1,\dots ,w]} \in \mathbb {F}_q^{w \times n}\) is known, and
\(\mathbf {E} = {{\,\mathrm{ext}\,}}_{\mathbf {\gamma }}(\mathbf {e}) \in \mathbb {F}_q^{m \times n}\) is unknown.
Proof
Due to the \(\mathbb {F}_{q^m}\)-linearity of the trace map \({{\,\mathrm{Tr}\,}}\) and the fact that the entries of the matrices \(\mathbf {G}_\mathcal {G}\) and \(\mathbf {P}^{-1}\) are in \(\mathbb {F}_{q^m}\), we can write the ciphertext as follows.
Since the entries of \((\mathbf {P}^{-1})_{[1,\dots ,w]}\) are in \(\mathbb {F}_q\), the expansion of the ciphertext into the \(\mathbb {F}_q\)-basis \(\mathbf {\gamma }\) of \(\mathbb {F}_{q^m}\) can be written as in (15) above. \(\square \)
Theorem 9
The message vector \(\mathbf {m}\) can be reconstructed by the errorerasure decoders in [20, 45, 51] (as well as their accelerations in [36, 37]) and Steps 4 and 5 of Algorithm 5.
Proof
As seen in Lemma 5, we can decompose the matrix representation of the ciphertext into a codeword plus an error that is partially known. In fact, the decomposition is of the form as in (1) (see Sect. 2.2), so \(\mathbf {m}+{{\,\mathrm{Tr}\,}}(\alpha \mathbf {x})\) can be reconstructed by the errorerasure decoders in [20, 45, 51] since the decoding condition (2) reads as
in this case and is fulfilled by Table 1.
The message \(\mathbf {m}\) can then be recovered from \(\mathbf {m}+{{\,\mathrm{Tr}\,}}(\alpha \mathbf {x})\) using the same steps as in Algorithm 5. \(\square \)
Theorem 9 leads to the following observation. The ciphertext is a codeword plus an error of rank weight \(w+t_{\mathsf {pub}}\), which is beyond the unique decoding radius. The legitimate receiver can only decrypt since she knows the (w-dimensional) row space of a part of the error. Although the attacker knows the code, she cannot recover the message since she has no further knowledge about the structure of the error. Note the difference to the code-based McEliece cryptosystem, where the security relies on the fact that an attacker does not know the structure of the code. We turn this observation into an exponential-time message attack in Sect. 6.2.2, which we take into account in our parameter choice.
Furthermore, the procedure implied by Theorem 9 might have a practical advantage compared to the original decryption algorithm. The code \(\mathcal {G}'\) used for decoding in Algorithm 5 depends on the private key. In Theorem 9, the code is given by \(\mathbf {g}\), which is public and in fact does not need to be chosen randomly in the key generation.^{Footnote 6} Depending on the used algorithm and type of implementation (e.g., in hardware), it can be advantageous in terms of complexity or implementation size if the code is fixed.
C: Probability of large enough ciphertext error weight
In this section, we analyze the probability that the error part \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e}\) of the ciphertext
has large enough rank to avoid the ciphertext attacks discussed in Sect. 6. The results of this appendix are summarized in Sect. 6.4.
Generically (i.e., with probability close to 1 for random choices of \(\mathbf {k}_{\mathsf {pub}}\), \(\alpha \), \(\mathbf {e}\)), we have \({{\,\mathrm{rk}\,}}_{q}({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}))=w\), \({{\,\mathrm{rk}\,}}_{q}(\mathbf {e}) = t_{\mathsf {pub}}\), and \({{\,\mathrm{rk}\,}}_{q}\big ({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z})+\mathbf {e}\big )=w+t_{\mathsf {pub}}\). However, there is a very small probability that the error has significantly smaller rank than in the generic case. Our aim is to design the system parameters such that this probability is sufficiently small, e.g., \(2^{-\lambda }\), to avoid attacks utilizing this behavior.
As we will see in this section, the choice of \(\mathbf {z}\) in the public key influences this probability (fixed \(\mathbf {z}\), randomness in \(\alpha \) and \(\mathbf {e}\)) significantly. Since \(\mathbf {z}\) is itself drawn using a random experiment during the key generation, we study with which probability this key is “strong”, i.e., whether the rank of \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e}\) is large with sufficiently high probability (randomness only in \(\alpha \) and \(\mathbf {e}\)).
We start with a lemma that shows that the probability mass function of the \(\mathbb {F}_q\)-rank of \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z})\) for uniformly drawn \(\alpha \) only depends on the weight distribution of the code spanned by \(\mathbf {a}_1,\dots ,\mathbf {a}_\zeta \) (the \(\mathbb {F}_{q^m}\)-linearly independent vectors from which \(\mathbf {z}\) is constructed).
Lemma 6
Let \(\mathbf {z}\) be constructed from the randomly chosen code \(\mathcal {A}[w,\zeta ]_{q^m}\) as in Algorithm 3. Denote by \(A_0,\dots ,A_w\) the rankweight distribution of \(\mathcal {A}\). For \(\alpha \in \mathbb {F}_{q^{mu}}\) chosen uniformly at random, we have
Proof
We use the notation (\(\mathbf {z}\), \(\mathbf {s}\), \(\mathcal {A}\), \(\mathbf {P}\), and \(\mathbf {S}\)) from Algorithm 3. First observe that \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) = {{\,\mathrm{Tr}\,}}(\alpha [\mathbf {s}\;\mathbf {0}]) \mathbf {P}\). Hence,
We can expand \(\alpha \in \mathbb {F}_{q^{mu}}\) in the dual basis \(\gamma _i^*\) as \(\alpha = \sum _{i=1}^{u} \alpha _i \gamma _i^*\). Then,
where \(\mathbf {a}_1,\dots ,\mathbf {a}_\zeta \) is a basis of \(\mathcal {A}\) and \(\mathbf {S}\in \mathbb {F}_{q^m}^{u \times \zeta }\) is a matrix of full rank \(\zeta \). As \(\alpha \) is chosen uniformly at random from \(\mathbb {F}_{q^{mu}}\), the \(\alpha _i\) are chosen independently and uniformly at random from \(\mathbb {F}_{q^m}\). As \({{\,\mathrm{rk}\,}}_{q^m} \mathbf {S}= \zeta \), this is equivalent to saying that
is chosen uniformly at random from \(\mathbb {F}_{q^m}^\zeta \). Hence, we have
i.e., \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {s})\) is a codeword of \(\mathcal {A}\), chosen uniformly at random. This immediately implies the claim. \(\square \)
A direct consequence of the lemma above is the following statement.
Corollary 1
With notation as in Lemma 6, let d be the minimum rank distance of the code \(\mathcal {A}[w,\zeta ]_{q^m}\). Then,
Corollary 1 shows that we can easily bound the probability that \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z})\) has small \(\mathbb {F}_q\)-rank if the code \(\mathcal {A}\) (as defined in Lemma 6) has a large minimum rank distance. Loosely speaking, if the minimum rank distance of the code is small, we consider this key to be weak, and strong otherwise. Since the code is chosen uniformly at random from the set of \(\mathbb {F}_{q^m}\)-linear \([w,\zeta ]_{\mathbb {F}_{q^m}}\) codes (cf. the choice of \(\mathbf {a}_i\) in Algorithm 3), we can use the following result from [12] to bound the probability that the key is weak.
Lemma 7
([12, Corollary 5.4]) Let \(1 \le k \le n\) and \(2\le d \le n-k+2\). Choose a code \(\mathcal {C}\subseteq \mathbb {F}_{q^m}^n\) uniformly at random from the \(\mathbb {F}_{q^m}\)-linear codes of parameters \([n,k]_{\mathbb {F}_{q^m}}\). Then,
Since the code in Lemma 7 is chosen uniformly at random, it does not exactly match the distribution of the code \(\mathcal {A}\) in Algorithm 3. Hence, we need the following lemma and theorem to estimate the probability of a small minimum distance in our case.
Lemma 8
An \(\mathbb {F}_{q^m}\)-linear MRD code \([n,k]_{q^m}\) has a basis consisting of codewords of \(\mathbb {F}_q\)-rank n.
Proof
We show that the number of full-rank codewords is at least \(q^{m(k-1)}\). Since these codewords are all nonzero, their \(\mathbb {F}_{q^m}\)-span must have cardinality at least \(q^{mk}\) and is hence the entire code.
The weight distribution of an MRD code of length n and minimum distance d can be given by (see [18]):
where m is the degree of the extension field, \(n \le m\), and \(A_{d+s}\) denotes the number of rank-\((d+s)\) codewords.
We are interested in a lower bound on the number of full-rank codewords, i.e., \(s = n-d\). The sum in (16) is an alternating sum whose terms grow with j, so it can be lower-bounded by the term for \(j=s\) plus the term for \(j=s-1\). That is:
Hence, for \(s=nd\), we obtain:
Theorem 10
Let m, \(\zeta \), and w be chosen such that
Let \(\mathcal {A}\) be chosen as in Algorithm 3, i.e., uniformly at random from the set of linear \([w,\zeta ]_{q^m}\) codes that have a basis consisting only of codewords with \(\mathbb {F}_q\)-rank w. Furthermore, let \(2 \le t \le w-\zeta +2\). Then,
Proof
We define an alternative random experiment in which a code \(\mathcal {A}'\) is chosen uniformly at random from all linear \([w,\zeta ]_{q^m}\) codes. The sought probability is then given by the conditional probability
where \(\mathcal {S}\) is the event that \(\mathcal {A}'\) has a basis of maximal-rank codewords. We derive the result using the relation
First note that Lemma 7 gives us
By Lemma 8, we have
Using [32, Theorem 21], we can lower-bound this probability by
where the last inequality follows from (18). The claim follows by combining the two bounds with (19). \(\square \)
The last building block for a general bound on the probability of \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e}\) having small rank is the following lemma, which gives a bound for this probability conditioned on the event that \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z})\) has a given (large) rank.
Lemma 9
Let \(\mathbf {k}_{\mathsf {pub}}= \mathbf {x} \cdot \mathbf{G}_{\mathcal {G}} + \mathbf {z}\) be fixed as in Algorithm 4 and let \(\alpha \) be chosen such that \({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}\!\left( {{\,\mathrm{Tr}\,}}(\alpha \mathbf {z})\right) =t\). For \(\mathbf {e} \xleftarrow {\$}\{ \mathbf {a}\in \mathbb {F}_{q^m}^n : {{\,\mathrm{rk}\,}}_q(\mathbf {a}) = t_{\mathsf {pub}}\}\), drawn uniformly at random, we have
Proof
For simplicity, we write (for some basis \({\varvec{\gamma }}\) of \(\mathbb {F}_{q^m}\) over \(\mathbb {F}_q\))
It is clear that \({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {e}_1+\mathbf {e}_2) = {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}\!\left( \mathbf {E}_1 + \mathbf {E}_2\right) \) and, since \({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {e}_1)= {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {E}_1) = t\) and \({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {e}_2)= {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}(\mathbf {E}_2) = t_{\mathsf {pub}}\),
Note that in our probabilistic model, \(\mathcal {E}_1^\mathrm {C}\) and \(\mathcal {E}_1^\mathrm {R}\) are fixed, and it follows easily that \(\mathcal {E}_2^\mathrm {C}\) and \(\mathcal {E}_2^\mathrm {R}\) are random variables that are uniformly distributed on the set of \(t_{\mathsf {pub}}\)-dimensional subspaces of \(\mathbb {F}_q^m\) and \(\mathbb {F}_q^n\), respectively, and stochastically independent. Due to [30, Theorem 1], for
we have
Since \({{\,\mathrm{rk}\,}}_{\mathbb {F}_q}\!\left( \mathbf {E}_1\right) + {{\,\mathrm{rk}\,}}_{\mathbb {F}_q}\!\left( \mathbf {E}_2\right) = t+t_{\mathsf {pub}}\), this implies
Due to [15, Proof of Lemma 7], we have
Likewise, we have
Due to \(n \le m\), we obtain
This proves the claim. \(\square \)
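An added Monte Carlo illustration (not from the paper) of the probabilistic model used in the proof of Lemma 9, instantiated over \(\mathbb {F}_2\) (i.e., \(q = 2\)) with the matrices \(\mathbf {E}_1, \mathbf {E}_2\) in place of the vectors \(\mathbf {e}_1, \mathbf {e}_2\): \(\mathbf {E}_1\) is a fixed matrix of rank t, \(\mathbf {E}_2\) is drawn uniformly among the matrices of rank \(t_{\mathsf {pub}}\), and the empirical distribution of \({{\,\mathrm{rk}\,}}(\mathbf {E}_1 + \mathbf {E}_2)\) is tabulated, which also gives an estimate of the event "rank at least w" that Theorem 11 lower-bounds. The uniform rank-t sampler relies on the fact that every rank-t matrix has exactly \(|\mathrm{GL}_t(\mathbb {F}_2)|\) factorisations \(\mathbf {A}\mathbf {B}\) with full-rank \(\mathbf {A}\) and \(\mathbf {B}\); the parameter values in the functions are constructed for illustration.

```python
import random

def gf2_rank(rows):
    """F_2-rank of a matrix given as row bitmasks (Gaussian elimination)."""
    rows = list(rows)
    rank = 0
    for bit in range(max((r.bit_length() for r in rows), default=0)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def random_rank_t_matrix(m, n, t, rng=None):
    """Uniform rank-t m x n matrix over F_2 as A*B with A (m x t), B (t x n) of full rank."""
    rng = rng if rng is not None else random.Random()
    a = [rng.getrandbits(t) for _ in range(m)]
    while gf2_rank(a) != t:  # rejection: a random m x t matrix has rank t with prob >= 0.28
        a = [rng.getrandbits(t) for _ in range(m)]
    b = [rng.getrandbits(n) for _ in range(t)]
    while gf2_rank(b) != t:
        b = [rng.getrandbits(n) for _ in range(t)]
    rows = []
    for ai in a:  # row i of A*B is the XOR of the rows of B selected by the bits of row i of A
        r = 0
        for j in range(t):
            if ai >> j & 1:
                r ^= b[j]
        rows.append(r)
    return rows

def rank_of_sum_distribution(m, n, t, t_pub, trials, seed=2021):
    """Lemma 9's model over F_2: E1 fixed of rank t, E2 uniform of rank t_pub; {rank: count}."""
    rng = random.Random(seed)  # constructed, fixed seed for reproducibility
    e1 = random_rank_t_matrix(m, n, t, rng)  # plays the role of Tr(alpha z)
    counts = {}
    for _ in range(trials):
        e2 = random_rank_t_matrix(m, n, t_pub, rng)  # plays the role of e
        r = gf2_rank(x ^ y for x, y in zip(e1, e2))  # rk(E1 + E2); at most t + t_pub
        counts[r] = counts.get(r, 0) + 1
    return counts

def prob_rank_at_least(counts, w):
    """Empirical Pr[rk(E1 + E2) >= w] from a {rank: count} table (the event in Theorem 11)."""
    return sum(c for r, c in counts.items() if r >= w) / sum(counts.values())
```

For instance, `prob_rank_at_least(rank_of_sum_distribution(8, 8, 3, 4, 2000), 7)` estimates how often the sum reaches rank 7 in an \(8 \times 8\) toy instance; the observed ranks never exceed \(t + t_{\mathsf {pub}}\), as used in the proof.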
In summary, we have the following. The proof follows directly by combining Corollary 1, Lemmas 7 and 9, and a union-bound argument.
Theorem 11
Let m, \(\zeta \), and w be chosen such that \(1-\zeta q^{\zeta -wm} \ge \tfrac{1}{2}\). Choose \(\mathbf {z}\) of the public key as in Algorithm 3. Let \(2 \le t\le w-\zeta +2\). With probability at least
the public key has the following property:
Choose \(\alpha \in \mathbb {F}_{q^{mu}}\) and \(\mathbf {e} \xleftarrow {\$}\{ \mathbf {a}\in \mathbb {F}_{q^m}^n : {{\,\mathrm{rk}\,}}_q(\mathbf {a}) = t_{\mathsf {pub}}\}\), both uniformly at random. Then the probability that \({{\,\mathrm{Tr}\,}}(\alpha \mathbf {z}) + \mathbf {e}\) has \(\mathbb {F}_q\)-rank at least w is lower-bounded by
Remark 2
By the asymptotic analysis in [12], we have
Since the hidden constant strongly depends on q, this asymptotic value should only be used for a rough estimate of the strong-key probability; the exact formula in Theorem 11 should be used for parameter design.
Nevertheless, the formula shows that \(1-P_\mathrm {strong,key}(t)\) decreases exponentially in m times the difference between t and \(w-\zeta +2\). Hence, we can usually choose t close to the maximal value \(w-\zeta +2\) to achieve a given designed probability for a key to be strong.
For instance, we can choose \(t \approx (w-\zeta +2)-\tfrac{\lambda }{m}\log _{q}(2)\) for
where \(\lambda \) is the security parameter.
Renner, J., Puchinger, S. & Wachter-Zeh, A. LIGA: a cryptosystem based on the hardness of rank-metric list and interleaved decoding. Des. Codes Cryptogr. 89, 1279–1319 (2021). https://doi.org/10.1007/s10623-021-00861-z