Weak Keys in the Faure–Loidreau Cryptosystem

Abstract

Some types of weak keys in the Faure–Loidreau (FL) cryptosystem are presented. We show that from such weak keys the private key can be reconstructed with a computational effort that is substantially lower than the security level (≈2²⁵ operations for 80-bit security). The proposed key-recovery attack is based on ideas of generalized minimum distance (GMD) decoding for rank-metric codes.

A Appendix

1.1 A.1 Encryption

Let \(\mathbf{m }=(m_1 \ m_2 \ \dots \ m_{k-u}\ | \,0 \ \dots \ 0)\in {\mathbb F_{q^m}}^k\) be the plaintext.

1. 1.

   Choose an element \(\alpha \in {\mathbb F_{q^{mu}}}\) at random.

2. 2.

   Choose \(\mathbf{e }\in {\mathbb F_{q^m}}^n\) with rk_q(e)≤t_pub at random.

3. 3.

   Compute the ciphertext \(\mathbf{c }\in {\mathbb F_{q^m}}^n\) as

   $$\begin{aligned} \mathbf {c}=\mathbf {m}\mathbf {G}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {k}_\text {pub})+\mathbf {e}. \end{aligned}$$

1.2 A.2 Decryption

1. 1.

   Compute

   $$\begin{aligned} \mathbf {c}\mathbf {P}&=\mathbf {m}\mathbf {G}\mathbf {P}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {k}_\text {pub})\mathbf {P}+\mathbf {e}\mathbf {P}. \end{aligned}$$

   Due to the \({\mathbb F_{q^m}}\)-linearity of the trace we have

   $$\begin{aligned} \mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {k}_\text {pub})\mathbf {P} =\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x})\mathbf {G}\mathbf {P}+(\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {s})\,|\,\mathbf {0}) \end{aligned}$$

   and get

   $$\begin{aligned} \mathbf {c}\mathbf {P}=(\mathbf {m}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}))\mathbf {G}\mathbf {P}+(\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {s})\,|\,\mathbf {0})+\mathbf {e}\mathbf {P}. \end{aligned}$$
2. 2.

   Define G_P′ as the last n − w columns of the product GP and let c′ and e′ be the last n − w positions of c and eP, respectively. Then we have that

   $$\begin{aligned} \mathbf {c}'=(\mathbf {m}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}))\mathbf {G}_{P}'+\mathbf {e}' \end{aligned}$$

   with \(\mathrm {{rk}}_q(\mathbf{e }')\le {t_{\text {pub}}}=\left\lfloor \frac{n-k-w}{2}\right\rfloor \).

   Since G_P′ is a generator matrix of Gab\([n-w,k]\) we can decode to remove e′ and get

   $$\begin{aligned} \mathbf {m}'&=\mathbf {m}+\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}). \end{aligned}$$
3. 3.

   Since \(\mathbf{m }=(m_1 \ m_2 \ \dots \ m_{k-u}\,|\,\underbrace{0 \ \dots \ 0}_{u})\) we have that the last u positions of m′ are

   $$\begin{aligned} m_i'=\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha x_i), \qquad \forall i=k-u+1,\dots ,k. \end{aligned}$$

   Since \({\mathcal {X}}{\overset{{\text {def}}}{=}}(x_{k-u+1},\dots ,x_{k})\) forms an ordered basis of \({\mathbb F_{q^{mu}}}\) over \({\mathbb F_{q^m}}\) we can compute α as

   $$\begin{aligned} \alpha =\sum _{i=k-u+1}^{k}\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha x_i)x_i^{\perp }=\sum _{i=k-u+1}^{k}m_{i}'x_i^{\perp }, \end{aligned}$$

   where \({\mathcal {X}}^{\perp }{\overset{{\text {def}}}{=}}(x_{k-u+1}^\perp ,\dots ,x_{k}^\perp )\) denotes the dual basis of 𝒳. Finally, we can recover the plaintext as

   $$\begin{aligned} \mathbf {m}=\mathbf {m}'-\mathrm{{Tr}}_{q^{mu}/q^m}(\alpha \mathbf {x}). \end{aligned}$$