Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Julian Renner; Thomas Jerkovits; Hannes Bartz; Sven Puchinger; Pierre Loidreau; Antonia Wachter-Zeh

doi:10.1007/978-3-030-44223-1_1

International Conference on Post-Quantum Cryptography

PQCrypto 2020: Post-Quantum Cryptography pp 3-19 | Cite as

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Authors
Authors and affiliations

Julian Renner
Thomas Jerkovits
Hannes Bartz
Sven Puchinger
Pierre Loidreau
Antonia Wachter-Zeh

Conference paper

First Online: 10 April 2020

1 Citations
458 Downloads

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12100)

Abstract

We address the problem of decoding Gabidulin codes beyond their unique error-correction radius. The complexity of this problem is of importance to assess the security of some rank-metric code-based cryptosystems. We propose an approach that introduces row or column erasures to decrease the rank of the error in order to use any proper polynomial-time Gabidulin code error-erasure decoding algorithm. The expected work factor of this new randomized decoding approach is a polynomial term times $q^{m(n-k)-w(n+m)+w^2+\min \{2\xi (\frac{n+k}{2}-\xi ),wk\} }$, where n is the code length, q the size of the base field, m the extension degree of the field, k the code dimension, w the number of errors, and $\xi := w-\tfrac{n-k}{2}$. It improves upon generic rank-metric decoders by an exponential factor.

Keywords

Gabidulin codes Decoding Rank metric Code-based cryptography

This is a preview of subscription content, to check access.

A Proof of Lemma 1

The number of q-vector spaces of dimension v, which intersections with $\mathcal {U}$ have dimension at least $\omega $, is equal to

$$\begin{aligned} \sum _{i=\omega }^{\min \{u,v\}}\left[ \begin{matrix} \ell -u \\ v-i \end{matrix} \right] _{q} \left[ \begin{matrix} u \\ i \end{matrix} \right] _{q}q^{(u-i)(v-i)} = \sum _{j=\max \{0,v-u\}}^{v-\omega }\left[ \begin{matrix} \ell -u \\ j \end{matrix} \right] _{q} \left[ \begin{matrix} u \\ v-j \end{matrix} \right] _{q}q^{j(u-v+j)}, \end{aligned}$$

see [8]. Since the total number of v-dimensional subspaces of a $\ell $-dimensional space is equal to $\left[ \begin{matrix} \ell \\ v \end{matrix} \right] _{q}$, the probability

$$\begin{aligned} \mathrm {Pr}[\dim (\mathcal {U}\cap \mathcal {V}) \ge \omega ]&=\frac{ \sum _{i=\omega }^{\min \{u,v\}} \left[ \begin{matrix} \ell -u \\ v-i \end{matrix} \right] _{q} \left[ \begin{matrix} u \\ i \end{matrix} \right] _{q} q^{(u-i)(v-i)} }{\left[ \begin{matrix} \ell \\ v \end{matrix} \right] _{q}} \\&= \frac{\sum _{j=\max \{0,v-u\}}^{v-\omega }\left[ \begin{matrix} \ell -u \\ j \end{matrix} \right] _{q} \left[ \begin{matrix} u \\ v-j \end{matrix} \right] _{q}q^{j(u-v+j)}}{\left[ \begin{matrix} \ell \\ v \end{matrix} \right] _{q}}. \end{aligned}$$

Using the upper bound on the Gaussian coefficient derived in [20, Lemma 4], it follows that

$$\begin{aligned} \mathrm {Pr}[\dim (\mathcal {U}\cap \mathcal {V}) \ge \omega ]&\le 16\sum _{j=\max \{0,v-u\}}^{v-\omega } q^{j(\ell -u-j)+v(u-v+j)-v(\ell -v)}\\&=16\sum _{j=\max \{0,v-u\}}^{v-\omega } q^{(j-v)(\ell -u-j)}\\&\le 16 ~(\min \{u,v\}+1-\omega ) q^{(j^{*}-v)(\ell -u-j^{*})}, \end{aligned}$$

where $j^{*}:= \min \{ v-\omega , \frac{1}{2}(\ell +v-u) \}$. The latter inequality follows from the fact that the term $(j-v)(\ell -u-j)$ is a concave function in j and is maximum for $j = \frac{1}{2}(\ell +v-u)$. $\square $

B Guessing Jointly the Column and Row Space of the Error

We analyze the success probability of decoding to a specific codeword (i.e., the analog of Lemma 2) for guessing jointly the row and the column space of the error.

Lemma 4

Let $\varvec{r}\in \mathbb {F}_{q^m}^n$ be defined as in Sect. 2.2, where neither parts of the error row space nor column space are known, i.e., $\gamma =\rho =0$ and $t = w$. The probability that an error-erasure decoder using a random

$\delta _r$-dimensional guess of the error row space and a
$\delta _c$-dimensional guess of the error column space,

where $\delta _r+\delta _c =: \delta \in [2\xi ,n-k]$, outputs $\varvec{m}\varvec{G}_\mathrm {Gab}$ is upper-bounded by

$$\begin{aligned} \frac{\displaystyle \sum _{i=\lceil \xi + \frac{\delta }{2}\rceil }^{\displaystyle \min \{\delta ,w\}} \sum _{\begin{array}{c} 0 \le w_r,w_c \le i \\ w_r+w_c=i \end{array}} \left[ \begin{matrix} n-w \\ \delta _r-w_r \end{matrix} \right] _{q} \left[ \begin{matrix} w \\ w_r \end{matrix} \right] _{q}q^{(w-w_r)(\delta _r-w_r)} \left[ \begin{matrix} m-w \\ \delta _c-w_c \end{matrix} \right] _{q} \left[ \begin{matrix} w \\ w_c \end{matrix} \right] _{q}q^{(w-w_c)(\delta _c-w_c)}}{\left[ \begin{matrix} n \\ \delta _r \end{matrix} \right] _{q}\left[ \begin{matrix} m \\ \delta _c \end{matrix} \right] _{q}}. \end{aligned}$$

Proof

The statement follows by the same arguments as Lemma 2, where we computed the probability that the row space of a random vector space of dimension $\delta $ intersects with the w-dimensional row space of the error in i dimensions (where i must be sufficiently large to apply the error erasure decoder successfully). Here, we want that a random guess of $\delta _r$- and $\delta _c$-dimensional vector spaces intersect with the row and column space of the error in exactly $w_r$ and $w_c$ dimensions, respectively. We sum up over all choices of $w_r$ and $w_c$ that sum up to an i that is sufficiently large to successfully apply the error erasure decoder. This is an optimistic argument since guessing correctly $w_r$ dimensions of the row and $w_c$ dimensions of the column space of the error might not reduce the rank of the error by $w_r+w_c$. However, this gives an upper bound on the success probability. $\square $

Example 1 shows that guessing row and column space jointly is not advantageous for some specific parameters.

Example 1

Consider the example $q=2$, $m=n=24$, $k=16$, $w=6$. Guessing only the row space of the error with $\delta = 4$ succeeds with probability $1.66 \cdot 10^{-22}$ and joint guessing with $\delta _r = \delta _c = 2$ succeeds with probability $1.93 \cdot 10^{-22}$. Hence, it is advantageous to guess only the row space (or due to $m=n$ only the column space). For a larger example with $m=n=64$, $k=16$, and $w=19$, the two probabilities are almost the same, $\approx 5.27 \cdot 10^{-82}$ (for $\delta =32$ and $\delta _r=\delta _c=16$).

References

1.
Aguilar Melchor, C., et al.: Rank quasi cyclic (RQC). Second round submission to the NIST post-quantum cryptography call (2019). https://pqc-rqc.org
2.
Aragon, N., Gaborit, P., Hauteville, A., Tillich, J.: A new algorithm for solving the rank syndrome decoding problem. In: IEEE International Symposium on Information Theory (ISIT), pp. 2421–2425, June 2018. https://doi.org/10.1109/ISIT.2018.8437464
3.
Augot, D., Finiasz, M.: A public key encryption scheme based on the polynomial reconstruction problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 229–240. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_14CrossRefGoogle Scholar
4.
Bardet, M., et al.: An algebraic attack on rank metric code-based cryptosystems. Technical report (2019). arXiv:1910.00810v1
5.
Ben-Sasson, E., Kopparty, S., Radhakrishnan, J.: Subspace polynomials and limits to list decoding of Reed-Solomon codes. IEEE Trans. Inf. Theory 56(1), 113–120 (2010). https://doi.org/10.1109/TIT.2009.2034780MathSciNetCrossRefzbMATHGoogle Scholar
6.
Berlekamp, E., McEliece, R.J., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)MathSciNetCrossRefGoogle Scholar
7.
Delsarte, P.: Bilinear forms over a finite field with applications to coding theory. J. Comb. Theory Ser. A 25(3), 226–241 (1978)MathSciNetCrossRefGoogle Scholar
8.
Etzion, T., Vardy, A.: Error-correcting codes in projective space. IEEE Trans. Inf. Theory 57(2), 1165–1173 (2011)MathSciNetCrossRefGoogle Scholar
9.
Faure, C., Loidreau, P.: A new public-key cryptosystem based on the problem of reconstructing p–polynomials. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS, vol. 3969, pp. 304–315. Springer, Heidelberg (2006). https://doi.org/10.1007/11779360_24CrossRefGoogle Scholar
10.
Gabidulin, E.M.: Theory of codes with maximum rank distance. Probl. Inf. Transm. 21(1), 3–16 (1985)MathSciNetzbMATHGoogle Scholar
11.
Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Rank errors and rank erasures correction. In: 4th International Colloquium on Coding Theory (1991)Google Scholar
12.
Gabidulin, E.M., Pilipchuk, N.I.: Error and erasure correcting algorithms for rank codes. Des. Codes Cryptogr. 49(1–3), 105–122 (2008)MathSciNetCrossRefGoogle Scholar
13.
Gaborit, P., Otmani, A., Talé Kalachi, H.: Polynomial-time key recovery attack on the Faure-Loidreau scheme based on Gabidulin codes. Des. Codes Cryptogr. 86, 1391–1403 (2018)MathSciNetCrossRefGoogle Scholar
14.
Gaborit, P., Ruatta, O., Schrek, J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016). https://doi.org/10.1109/TIT.2015.2511786MathSciNetCrossRefzbMATHGoogle Scholar
15.
Gaborit, P., Zémor, G.: On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Inf. Theory 62(12), 7245–7252 (2015)MathSciNetCrossRefGoogle Scholar
16.
Guruswami, V., Sudan, M.: Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Trans. Inf. Theory 45(6), 1757–1767 (1999)MathSciNetCrossRefGoogle Scholar
17.
Guruswami, V., Vardy, A.: Maximum-likelihood decoding of Reed-Solomon codes is NP-hard. IEEE Trans. Inf. Theory 51, 2249–2256 (2005)MathSciNetCrossRefGoogle Scholar
18.
Horlemann-Trautmann, A.L., Kuijper, M.: A module minimization approach to Gabidulin decoding via interpolation. J. Algebra Comb. Discrete Struct. Appl. 5(1), 29–43 (2017)MathSciNetzbMATHGoogle Scholar
19.
Jerkovits, T., Bartz, H.: Weak keys in the Faure-Loidreau cryptosystem. In: Baldi, M., Persichetti, E., Santini, P. (eds.) CBC 2019. LNCS, vol. 11666, pp. 102–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25922-8_6CrossRefGoogle Scholar
20.
Koetter, R., Kschischang, F.R.: Coding for errors and erasures in random network coding. IEEE Trans. Inf. Theory 54(8), 3579–3591 (2008)MathSciNetCrossRefGoogle Scholar
21.
Lavauzelle, J., Loidreau, P., Pham, B.D.: Ramesses, a rank metric encryption scheme with short keys. preprint (2019). https://arxiv.org/abs/1911.13119
22.
Raviv, N., Wachter-Zeh, A.: Some Gabidulin codes cannot be list decoded efficiently at any radius. IEEE Trans. Inf. Theory 62(4), 1605–1615 (2016)MathSciNetCrossRefGoogle Scholar
23.
Richter, G., Plass, S.: Error and erasure decoding of rank-codes with a modified Berlekamp-Massey algorithm. In: International ITG Conference on Systems, Communications and Coding 2004 (SCC) (2004)Google Scholar
24.
Roth, R.M.: Maximum-rank array codes and their application to crisscross error correction. IEEE Trans. Inf. Theory 37(2), 328–336 (1991)MathSciNetCrossRefGoogle Scholar
25.
Silva, D.: Error control for network coding. Ph.D. thesis (2009)Google Scholar
26.
Silva, D., Kschischang, F.R., Koetter, R.: A rank-metric approach to error control in random network coding. IEEE Trans. Inf. Theory 54(9), 3951–3967 (2008)MathSciNetCrossRefGoogle Scholar
27.
Stern, J.: Approximating the number of error locations within a constant ratio is NP-complete. In: Cohen, G., Mora, T., Moreno, O. (eds.) AAECC 1993. LNCS, vol. 673, pp. 325–331. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-56686-4_54CrossRefGoogle Scholar
28.
Trombetti, R., Zullo, F.: On the list decodability of Rank Metric codes. preprint (2019). https://arxiv.org/abs/1907.01289
29.
Vardy, A.: The intractability of computing the minimum distance of a code. IEEE Trans. Inf. Theory 43(6), 1757–1766 (1997)MathSciNetCrossRefGoogle Scholar
30.
Wachter, A., Sidorenko, V., Bossert, M.: A basis for all solutions of the key equation for Gabidulin codes. In: IEEE International Symposium on Information Theory (ISIT), pp. 1143–1147, June 2010. https://doi.org/10.1109/ISIT.2010.5513681
31.
Wachter-Zeh, A.: Bounds on list decoding of rank-metric codes. IEEE Trans. Inf. Theory 59(11), 7268–7277 (2013)MathSciNetCrossRefGoogle Scholar
32.
Wachter-Zeh, A.: Decoding of block and convolutional codes in rank metric. Ph.D. thesis, Ulm University and Université Rennes 1 (2013)Google Scholar
33.
Wachter-Zeh, A., Puchinger, S., Renner, J.: Repairing the Faure-Loidreau public-key cryptosystem. In: IEEE International Symposium on Information Theory (ISIT) (2018)Google Scholar

Copyright information

Authors and Affiliations

Julian Renner
- 1
Email author
Thomas Jerkovits
- 2
Hannes Bartz
- 2
Sven Puchinger
- 3
Pierre Loidreau
- 4
Antonia Wachter-Zeh
- 1

1.Technical University of Munich (TUM)MunichGermany
2.German Aerospace Center (DLR)Oberpfaffenhofen-WesslingGermany
3.Technical University of Denmark (DTU)LyngbyDenmark
4.Univ Rennes, DGA MI, CNRS, IRMAR - UMR 6625RennesFrance

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Abstract

Keywords

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper