Abstract
Some types of weak keys in the Faure–Loidreau (FL) cryptosystem are presented. We show that from such weak keys the private key can be reconstructed with a computational effort that is substantially lower than the security level (\(\approx 2^{25}\) operations for 80-bit security). The proposed key-recovery attack is based on ideas of generalized minimum distance (GMD) decoding for rank-metric codes.
Notes
1. Note that by definition 2ξ is always an integer (see (8)).
2. There may be estimates \(\hat{\mathbf {c}}^{(1)}\) at rank distance w from kpub such that \(\hat{\mathbf {c}}^{(1)}\ne {\mathbf {c}}^{(1)}\). However, this event is very unlikely since ξ is very small for the considered parameters (see Table 1) and was not observed in our simulations.
A Appendix
A.1 Encryption
Let \(\mathbf{m }=(m_1 \ m_2 \ \dots \ m_{k-u}\ | \,0 \ \dots \ 0)\in {\mathbb F_{q^m}}^k\) be the plaintext.
1. Choose an element \(\alpha \in {\mathbb F_{q^{mu}}}\) at random.
2. Choose \(\mathbf{e}\in {\mathbb F_{q^m}}^n\) with \(\mathrm{rk}_q(\mathbf{e})\le t_{\text{pub}}\) at random.
3. Compute the ciphertext \(\mathbf{c}\in {\mathbb F_{q^m}}^n\) as
$$\begin{aligned} \mathbf {c}=\mathbf {m}\mathbf {G}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {k}_\text {pub})+\mathbf {e}. \end{aligned}$$
A.2 Decryption
1. Compute
$$\begin{aligned} \mathbf {c}\mathbf {P}&=\mathbf {m}\mathbf {G}\mathbf {P}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {k}_\text {pub})\mathbf {P}+\mathbf {e}\mathbf {P}. \end{aligned}$$
Due to the \({\mathbb F_{q^m}}\)-linearity of the trace we have
$$\begin{aligned} \mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {k}_\text {pub})\mathbf {P} =\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x})\mathbf {G}\mathbf {P}+(\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {s})\,|\,\mathbf {0}) \end{aligned}$$
and get
$$\begin{aligned} \mathbf {c}\mathbf {P}=(\mathbf {m}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}))\mathbf {G}\mathbf {P}+(\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {s})\,|\,\mathbf {0})+\mathbf {e}\mathbf {P}. \end{aligned}$$
2. Define \(\mathbf{G}_P'\) as the last \(n-w\) columns of the product \(\mathbf{G}\mathbf{P}\) and let \(\mathbf{c}'\) and \(\mathbf{e}'\) be the last \(n-w\) positions of \(\mathbf{c}\) and \(\mathbf{e}\mathbf{P}\), respectively. Then we have that
$$\begin{aligned} \mathbf {c}'=(\mathbf {m}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}))\mathbf {G}_{P}'+\mathbf {e}' \end{aligned}$$
with \(\mathrm {{rk}}_q(\mathbf{e }')\le {t_{\text {pub}}}=\left\lfloor \frac{n-k-w}{2}\right\rfloor \).
Since \(\mathbf{G}_P'\) is a generator matrix of \(\mathrm{Gab}[n-w,k]\) we can decode to remove \(\mathbf{e}'\) and get
$$\begin{aligned} \mathbf {m}'&=\mathbf {m}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}). \end{aligned}$$
3. Since \(\mathbf{m }=(m_1 \ m_2 \ \dots \ m_{k-u}\,|\,\underbrace{0 \ \dots \ 0}_{u})\) we have that the last u positions of \(\mathbf{m}'\) are
$$\begin{aligned} m_i'=\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha x_i), \qquad \forall i=k-u+1,\dots ,k. \end{aligned}$$
Since \({\mathcal {X}}{\overset{{\text {def}}}{=}}(x_{k-u+1},\dots ,x_{k})\) forms an ordered basis of \({\mathbb F_{q^{mu}}}\) over \({\mathbb F_{q^m}}\) we can compute α as
$$\begin{aligned} \alpha =\sum _{i=k-u+1}^{k}\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha x_i)x_i^{\perp }=\sum _{i=k-u+1}^{k}m_{i}'x_i^{\perp }, \end{aligned}$$
where \({\mathcal {X}}^{\perp }{\overset{{\text {def}}}{=}}(x_{k-u+1}^\perp ,\dots ,x_{k}^\perp )\) denotes the dual basis of \(\mathcal{X}\). Finally, we can recover the plaintext as
$$\begin{aligned} \mathbf {m}=\mathbf {m}'-\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}). \end{aligned}$$
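As an added example (not code from the paper), the α-recovery of step 3 of A.2 on toy parameters q = 2, m = 2, u = 2, so that \(\mathbb F_{q^m}=\mathrm{GF}(4)\) sits inside \(\mathbb F_{q^{mu}}=\mathrm{GF}(16)\); the field modulus and the ordered basis \(\mathcal X=\{1,x\}\) are assumed choices. It builds the dual basis from the trace form and checks that α is recovered from the last u positions of \(\mathbf{m}'\) for every α.

```python
# Added example (not the paper's code): toy parameters q=2, m=2, u=2, i.e. GF(4) inside GF(16).
from functools import reduce
MOD = 0b10011  # x^4 + x + 1, irreducible over GF(2); GF(16) = GF(2)[x]/(MOD) (assumed choice)

def gf16_mul(a, b):
    """Carry-less product of two GF(16) elements, reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a & 0b10000:  # degree reached 4: reduce
            a ^= MOD
    return r

def gf16_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf16_mul(r, a)
        a, e = gf16_mul(a, a), e >> 1
    return r

# GF(4) is the subfield of GF(16) fixed by the Frobenius map a -> a^4.
GF4 = {a for a in range(16) if gf16_pow(a, 4) == a}
X = [1, 0b0010]  # ordered basis {1, x} of GF(16) over GF(4); x is not in GF(4)

def trace(a):
    """Tr_{q^{mu}/q^m}(a) = a + a^{q^m} for u = 2; the value always lies in GF(4)."""
    return a ^ gf16_pow(a, 4)

def dual_basis(basis):
    """X^perp with Tr(x_i * x_j^perp) = delta_ij, found by exhaustive search over GF(16)."""
    dual = []
    for j in range(len(basis)):
        cands = [y for y in range(16)
                 if all(trace(gf16_mul(x, y)) == int(i == j) for i, x in enumerate(basis))]
        assert len(cands) == 1  # the trace form is non-degenerate, so the dual is unique
        dual.append(cands[0])
    return dual

def recover_alpha(m_last, dual):
    """alpha = sum_i Tr(alpha x_i) x_i^perp, Tr(alpha x_i) being the last u entries of m'."""
    return reduce(lambda r, ty: r ^ gf16_mul(*ty), zip(m_last, dual), 0)

def roundtrip(alpha, basis=X):
    """Simulate the last u positions of m' (step 3 of A.2) and recover alpha from them."""
    m_last = [trace(gf16_mul(alpha, x)) for x in basis]
    return recover_alpha(m_last, dual_basis(basis))
```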
© 2019 Springer Nature Switzerland AG
Jerkovits, T., Bartz, H. (2019). Weak Keys in the Faure–Loidreau Cryptosystem. In: Baldi, M., Persichetti, E., Santini, P. (eds) Code-Based Cryptography. CBC 2019. Lecture Notes in Computer Science, vol 11666. Springer, Cham. https://doi.org/10.1007/978-3-030-25922-8_6
DOI: https://doi.org/10.1007/978-3-030-25922-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25921-1
Online ISBN: 978-3-030-25922-8