LIGA: a cryptosystem based on the hardness of rank-metric list and interleaved decoding

We propose the new rank-metric code-based cryptosystem LIGA, which is based on the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA is an improved variant of the Faure–Loidreau (FL) system, which was broken in a structural attack by Gaborit, Otmani, and Talé Kalachi (GOT, 2018). We keep the FL encryption and decryption algorithms, but modify the insecure key generation algorithm. Our crucial observation is that the GOT attack is equivalent to decoding an interleaved Gabidulin code. The new key generation algorithm constructs public keys for which all polynomial-time interleaved decoders fail—hence LIGA resists the GOT attack. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the key encapsulation mechanism version is IND-CCA2 secure in the random oracle model, both under hardness assumptions of formally defined problems related to list decoding and interleaved decoding of Gabidulin codes. We propose and analyze various exponential-time attacks on these problems, calculate their work factors, and compare the resulting parameters to NIST proposals. The strengths of LIGA are short ciphertext sizes and (relatively) small key sizes. Further, LIGA guarantees correct decryption and thus has no decryption failures. It is not based on hiding the structure of a code. Since there are efficient and constant-time algorithms for encoding and decoding Gabidulin codes, timing attacks on the encryption and decryption algorithms can be easily prevented.


Introduction
Public-key cryptography is the foundation for establishing secure communication between multiple parties. Traditional public-key algorithms such as RSA are based on the hardness of factoring large numbers or the discrete logarithm problem, but can be attacked in polynomial time once a capable quantum computer exists. Code-based public-key cryptosystems are considered to be post-quantum secure, but compared to RSA or elliptic curve cryptography their crucial drawback is the significantly larger key size. Recently, the National Institute of Standards and Technology (NIST) has initiated a standardization process for post-quantum secure public-key algorithms [31]. Round 3 of the competition, currently under evaluation, includes nine code-based and lattice-based public-key encryption algorithms. The NIST competition and its systems attract a lot of attention and show the importance of designing post-quantum secure public-key encryption algorithms.
The Faure–Loidreau (FL) code-based cryptosystem [16,28] is based on the problem of reconstructing linearized polynomials and can be seen as the linearized equivalent of the (broken) Augot–Finiasz cryptosystem [5]. While the Augot–Finiasz cryptosystem is closely connected to (list) decoding Reed–Solomon codes, the FL cryptosystem is connected to (list) decoding Gabidulin codes, a special class of rank-metric codes [18]. In contrast to McEliece-type (or Niederreiter-type) cryptosystems, where the public key is a matrix, in the FL system the public key is only a vector, resulting in a much smaller key size. At the time when the FL cryptosystem was designed, it was only conjectured that Gabidulin codes cannot be list decoded efficiently. Since this has been proven in recent years for many families of Gabidulin codes [38,46,48], the FL system could be a very promising post-quantum secure public-key cryptosystem. However, the recent structural attack by Gaborit, Otmani and Talé Kalachi [21] can recover an alternative public key in cubic time complexity.
In this paper, a new system is presented which is based on the original FL system, and therefore relies on the proven hardness of list decoding Gabidulin codes, but makes the attack from [21] impossible. Our contributions are as follows. First, a new coding-theoretic interpretation of the original FL system is given and an alternative decryption algorithm is proposed. Second, we show that the public key can be seen as a corrupted codeword of an interleaved Gabidulin code. We prove that the failure condition of the GOT attack [21] on the public key is equivalent to the failure condition of decoding the public key as a corrupted interleaved Gabidulin codeword. This observation enables us to design a new code-based public-key encryption scheme, as well as a corresponding key encapsulation mechanism -data encapsulation mechanism (KEM-DEM), based on the hardness of list and interleaved decoding Gabidulin codes: LIGA. In LIGA, we choose the public key in a way that the corresponding interleaved decoder is guaranteed to fail, and thus, the system is secured against the attack from [21]. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the KEM version is IND-CCA2 secure in the random oracle model, both under hardness assumptions on problems related to list and interleaved decoding of Gabidulin codes. We analyze possible (exponential-time) attacks on these hard problems, provide sets of parameters for LIGA, and compare them amongst others to NIST proposals (RQC, ROLLO, BIKE, McEliece).
The structure of this paper is as follows. In Sect. 2, the notation is introduced and definitions are given. In Sect. 3, the key generation of the original FL system is shown and a new coding-theoretic interpretation of the ciphertext and the public key is derived. After summarizing the attack from [21], we prove its equivalence to decoding the public key as an interleaved Gabidulin code. Based on this equivalence, the new system LIGA is proposed in Sect. 4 and its IND-CPA and IND-CCA2 security are proven in Sect. 5. A security analysis of our system is given in Sect. 6. In Sect. 7, example parameters for security levels 128, 192, and 256 bit are proposed and compared to the NIST proposals RQC [2], ROLLO [1], BIKE [3], ClassicMcEliece [8] and Loidreau's McEliece-like system from [29]. Conclusions are given in Sect. 8.
Parts of these results have been presented at the IEEE International Symposium on Information Theory 2018 [50]. The content of this journal paper contains various new results that were not shown in [50]. For instance, in this paper,
– we generalize LIGA's key generation algorithm, i.e., the choice of the z_i's (the interleaved errors in the public key) is more flexible now (in [50], z_1 = z_2 = · · · = z_u),
– we present a KEM/DEM version of LIGA,
– we identify formal problems in the rank metric on which the security of LIGA relies and prove the IND-CPA/CCA2 security of the KEM/DEM version under the assumption that some of these problems are hard,
– we analyze new exponential-time attacks on these problems.

Notations
Let q be a power of a prime and let F_q denote the finite field of order q. For an integer u > 1, F_{q^m} and F_{q^{mu}} denote extension fields of F_q of order q^m and q^{mu}, respectively, so that F_q ⊆ F_{q^m} ⊆ F_{q^{mu}}. We use F_q^{m×n} to denote the set of all m × n matrices over F_q and F_{q^m}^n = F_{q^m}^{1×n} for the set of all row vectors of length n over F_{q^m}.
For a field F, the vector space that is spanned by v_1, ..., v_l ∈ F^n is denoted by ⟨v_1, ..., v_l⟩. By rk_q(A) and rk_{q^m}(A), we denote the rank of a matrix A over F_q and F_{q^m}, respectively. Let (γ_1, γ_2, ..., γ_u) be an ordered basis of F_{q^{mu}} over F_{q^m}. By utilizing the vector space isomorphism F_{q^{mu}} ≅ F_{q^m}^u, we can relate each vector a ∈ F_{q^{mu}}^n to a matrix A ∈ F_{q^m}^{u×n} according to

ext_γ : F_{q^{mu}}^n → F_{q^m}^{u×n}, a = (a_1, ..., a_n) ↦ A, where a_j = Σ_{i=1}^{u} A_{i,j} γ_i for all j,

and γ = (γ_1, γ_2, ..., γ_u). The trace operator of a vector a ∈ F_{q^{mu}}^n to F_{q^m}^n is applied component-wise, i.e.,

Tr : F_{q^{mu}}^n → F_{q^m}^n, a = (a_1, a_2, ..., a_n) ↦ (Tr(a_1), Tr(a_2), ..., Tr(a_n)).

A dual basis (γ*_1, γ*_2, ..., γ*_u) to (γ_1, γ_2, ..., γ_u) is a basis that fulfills Tr(γ_i γ*_j) = δ_{i,j} for i, j ∈ [1, u], where δ_{i,j} denotes the Kronecker delta. Note that a dual basis always exists. Denote by M_{s,q}(a) ∈ F_{q^m}^{s×n} the s × n Moore matrix of a vector a = (a_1, a_2, ..., a_n) ∈ F_{q^m}^n, i.e., the matrix with entries [M_{s,q}(a)]_{i,j} = a_j^{q^{i−1}}. If a_1, a_2, ..., a_n ∈ F_{q^m} are linearly independent over F_q, then rk_{q^m}(M_{s,q}(a)) = min{s, n}, cf. [26, Lemma 3.15]. This definition can also be extended to a matrix A ∈ F_{q^m}^{l×n} by stacking the Moore matrices of the rows of A. The Gaussian binomial coefficient is denoted by [s r]_q = ∏_{i=1}^{r} (q^{s−i+1} − 1)/(q^i − 1), where s and r are non-negative integers.
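The Gaussian binomial coefficient reappears in the counting arguments later in the paper. The following short sketch (our own illustration, not part of LIGA's reference implementation) computes it via the standard product formula:

```python
def gaussian_binomial(n: int, r: int, q: int) -> int:
    """Number of r-dimensional subspaces of an n-dimensional space over F_q."""
    if r < 0 or r > n:
        return 0
    num = den = 1
    for i in range(r):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den  # the quotient is always an integer

# e.g. [3 choose 1]_2 = 7: the seven one-dimensional subspaces (lines) of F_2^3
```

Like the ordinary binomial coefficient, it is symmetric in r and n − r, which is a quick sanity check for any implementation.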
Let X be a set. When x is drawn uniformly at random from the set X , we denote it by x $ ← − X . Further, by x ← y we mean that we assign y to x.

Rank-metric codes and Gabidulin codes
The rank norm rk_q(a) of a vector a ∈ F_{q^m}^n is the rank of its matrix representation A ∈ F_q^{m×n} over F_q. The rank distance between a and b is the rank of the difference of the two matrix representations, i.e., d_R(a, b) = rk_q(a − b). An [n, k, d]_q^R code C over F_{q^m} is a linear rank-metric code, i.e., it is a linear subspace of F_{q^m}^n of dimension k and minimum rank distance d = min{rk_q(c) : c ∈ C, c ≠ 0}. For linear codes with n ≤ m, the Singleton-like upper bound [14,18] implies that d ≤ n − k + 1.
If d = n − k + 1, the code is called a maximum rank distance (MRD) code. Gabidulin codes [18] are a special class of rank-metric codes and can be defined by their generator matrices.
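To make the rank norm concrete for q = 2: each coordinate of a ∈ F_{2^m}^n expands into an m-bit column over F_2, and rk_q(a) is the F_2-rank of the resulting m × n matrix. A minimal sketch (our own illustration; coordinates are encoded as integer bitmasks, and since row rank equals column rank we may eliminate on the coordinate bitmasks directly):

```python
def rank_over_f2(rows):
    """F_2-rank of a binary matrix whose rows are given as integer bitmasks."""
    pivots = {}  # leading-bit position -> stored row with that leading bit
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead in pivots:
                r ^= pivots[lead]  # eliminate the current leading bit
            else:
                pivots[lead] = r
                break
    return len(pivots)

def rank_norm(a):
    """rk_q of a vector over F_{2^m}: the coordinates' bit expansions are the
    columns of the m x n matrix representation, so reducing the coordinate
    bitmasks yields the same rank."""
    return rank_over_f2(a)

# (1, 2, 4) in F_8 expands to the three unit columns, so rk_q = 3;
# (1, 2, 3) satisfies 3 = 1 XOR 2, so rk_q = 2.
```

This is exactly the quantity the Singleton-like bound above is stated in: a codeword of weight rk_q(c) corresponds to a rank-rk_q(c) matrix.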
Definition 1 (Gabidulin Code [18]) A linear Gabidulin code G(n, k) over F_{q^m} of length n ≤ m and dimension k is defined by its k × n generator matrix G_G = M_{k,q}(g), where g = (g_1, g_2, ..., g_n) ∈ F_{q^m}^n and rk_q(g) = n.
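Definition 1 can be made concrete with a few lines of field arithmetic. The sketch below is our own illustration, assuming F_8 built from the irreducible polynomial x³ + x + 1: it constructs the Moore matrix M_{s,q}(g) by repeatedly applying the Frobenius map a ↦ a^q and checks the full-rank property rk_{q^m}(M_{s,q}(g)) = min{s, n} for an F_q-linearly independent g:

```python
IRRED, M = 0b1011, 3  # x^3 + x + 1 defines F_8 = F_{2^3}

def gf_mul(a, b):
    """Multiplication in F_8 via shift-and-add with modular reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if (a >> M) & 1:
            a ^= IRRED
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in F_8."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def moore_matrix(g, s):
    """s x n Moore matrix: entry (i, j) equals g_j^(q^i) with q = 2."""
    rows, row = [], list(g)
    for _ in range(s):
        rows.append(row)
        row = [gf_mul(x, x) for x in row]  # Frobenius a -> a^2 on each entry
    return rows

def rank_gf8(mat):
    """Rank over F_8 by Gaussian elimination (inverse via a^(q^m - 2))."""
    mat, rank = [r[:] for r in mat], 0
    for col in range(len(mat[0])):
        piv = next((i for i in range(rank, len(mat)) if mat[i][col]), None)
        if piv is None:
            continue
        mat[rank], mat[piv] = mat[piv], mat[rank]
        inv = gf_pow(mat[rank][col], 6)  # a^6 = a^-1 in F_8
        mat[rank] = [gf_mul(inv, x) for x in mat[rank]]
        for i in range(len(mat)):
            if i != rank and mat[i][col]:
                f = mat[i][col]
                mat[i] = [x ^ gf_mul(f, y) for x, y in zip(mat[i], mat[rank])]
        rank += 1
    return rank

g = (1, 2, 4)  # F_2-linearly independent elements of F_8
assert rank_gf8(moore_matrix(g, 2)) == 2  # full rank, cf. [26, Lemma 3.15]
```

With s = 2 and n = 3 this is the generator matrix of a G(3, 2) Gabidulin code; for s > n the rank saturates at n, again matching min{s, n}.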
In [18], it is shown that Gabidulin codes are MRD codes, i.e., d = n − k + 1. For a short description of decoding Gabidulin codes, denote by C_G ∈ F_q^{m×n} the transmitted codeword (i.e., the matrix representation of c_G ∈ F_{q^m}^n) of a G(n, k) code that is corrupted by an additive error E ∈ F_q^{m×n}. At the receiver side, only the received matrix R = C_G + E ∈ F_q^{m×n} is known. The channel might provide additional side information in the form of erasures: ϱ row erasures (in [45] called "deviations") and γ column erasures (in [45] called "erasures"), such that the received matrix can be decomposed into

R = C_G + A^{(R)} B^{(R)} + A^{(C)} B^{(C)} + E^{(E)},

where A^{(R)} ∈ F_q^{m×ϱ}, B^{(R)} ∈ F_q^{ϱ×n}, A^{(C)} ∈ F_q^{m×γ}, B^{(C)} ∈ F_q^{γ×n} are full-rank matrices and E^{(E)} ∈ F_q^{m×n} is a matrix of rank t. The decoder knows R and additionally A^{(R)} and B^{(C)}. Further, t denotes the number of errors without side information. The rank-metric error-erasure decoding algorithms from [20,45,51] can then reconstruct c_G ∈ G(n, k) with asymptotic complexity O(n²) operations over F_{q^m}, or in sub-quadratic complexity using the fast operations described in [36,37], if

2t + ϱ + γ ≤ d − 1 = n − k

is fulfilled.

Interleaved rank-metric codes
Interleaved Gabidulin codes are a code class for which efficient decoders are known that are able to correct, with high probability, random errors of rank larger than ⌊(d − 1)/2⌋.
Definition 2 (Interleaved Gabidulin Codes [27]) A linear (vertically, homogeneous) interleaved Gabidulin code IG(u; n, k) over F_{q^m} of length n ≤ m, dimension k ≤ n, and interleaving order u is defined by

IG(u; n, k) = { [c^{(1)}; c^{(2)}; ...; c^{(u)}] : c^{(i)} ∈ G(n, k) for all i ∈ [1, u] },

i.e., u codewords of the component Gabidulin code are stacked as the rows of a u × n matrix over F_{q^m}. As a short-term notation, we also speak about a u-interleaved Gabidulin code. When considering random errors of rank weight t, the code IG(u; n, k) can be decoded uniquely with high probability up to w ≤ (u/(u+1))(n − k) errors, cf. [27,43,51]. However, it is well known that there are many error patterns for which the known efficient decoders fail. In fact, we can explicitly construct a large class of such errors as shown in the following lemma.
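The gain from interleaving can be seen numerically. With illustrative parameters (our own choice for this sketch, not proposed LIGA parameters), a unique bounded-minimum-distance decoder corrects up to ⌊(d − 1)/2⌋ = ⌊(n − k)/2⌋ errors, while the interleaved decoder succeeds with high probability up to ⌊u(n − k)/(u + 1)⌋:

```python
def unique_radius(n: int, k: int) -> int:
    """Half-the-minimum-distance radius of an MRD code: floor((d - 1) / 2),
    with d = n - k + 1."""
    return (n - k) // 2

def interleaved_radius(n: int, k: int, u: int) -> int:
    """Radius up to which IG(u; n, k) is decodable w.h.p.:
    floor(u * (n - k) / (u + 1))."""
    return u * (n - k) // (u + 1)

# Illustrative parameters n = 64, k = 32: u = 1 recovers the classical
# radius 16, while u = 3 already reaches 24.
```

The gap between the two radii is exactly the regime the cryptosystem operates in: w is chosen beyond the unique radius, so only an interleaved decoder (which the key generation deliberately defeats) could reach it.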
It is widely conjectured that there cannot be a decoder that decodes the error patterns of Lemma 1 uniquely. Decoding these failing error patterns has been the subject of intensive research since the Loidreau–Overbeck decoder [27] was found in 2006. In the Hamming metric, the equivalent problem for Reed–Solomon codes has been studied since 1997 [25], and more than a dozen papers have dealt with decoding algorithms for these codes. None of these papers was able to give a polynomial-time decoding algorithm for the cases of Lemma 1. It seems that all unique decoders have to fail for the error patterns of Lemma 1 since, for these cases, there is no unique decision, i.e., more than one interleaved codeword lies in the ball of radius w around the received word.

Key generation in the original Faure-Loidreau system
In this section, we recall the key generation algorithm of the original FL cryptosystem, we give a coding-theoretic interpretation of the original public key, and analyze the structural attack from [21].

The original algorithm
Let q, m, n, k, u, w, t_pub be positive integers that fulfill the restrictions given in Table 1 and are publicly known. In the following, we consider the three finite fields F_q, F_{q^m}, and F_{q^{mu}}, which are extension fields of each other, i.e., F_q ⊆ F_{q^m} ⊆ F_{q^{mu}}. The original FL key generation is shown in Algorithm 1.

Algorithm 1: Original FL Key Generation
Input: Parameters q, m, n, k, u, w as in Table 1
Output: Secret key sk, public key pk

Coding-theoretic interpretation of the original public key
The public key k_pub of the FL system is a corrupted codeword of a u-interleaved Gabidulin code. To our knowledge, this connection between the public key and interleaved Gabidulin codes has not been known before. This interpretation is central to this paper and will be used in Sect. 4.1 to define the public key of LIGA such that it is not vulnerable to the attack from [21], which is described in Sect. 3.3.

Theorem 1 Fix a basis γ = (γ_1, ..., γ_u) of F_{q^{mu}} over F_{q^m}, let γ* = (γ*_1, ..., γ*_u) be a dual basis to γ, and write x = Σ_{i=1}^{u} x_i γ*_i with x_i ∈ F_{q^m}^k. Then,

ext_{γ*}(k_pub) = [c_G^{(1)}; ...; c_G^{(u)}] + [z_1; ...; z_u],   (3)

where the c_G^{(i)} = x_i · G_G ∈ F_{q^m}^n are codewords of the Gabidulin code G(n, k) with generator matrix G_G and the z_i = Tr(γ_i z) ∈ F_{q^m}^n are obtained from the vector z ∈ F_{q^{mu}}^n.

Proof Recall the definition of the public key, k_pub = x · G_G + z, where the x_i have coefficients in F_{q^m}. Expanding k_pub over the dual basis, we obtain the representation (3) of the public key as a u × n matrix over F_{q^m}. Since x_i · G_G is a codeword of a G(n, k) code for all i ∈ [1, u], the matrix representation of k_pub can be seen as a codeword from an IG(u; n, k) code, corrupted by an error.
Note that the error (z 1 , . . . , z u ) in (3) has F q -rank at most w due to the structure of z = (s|0)P −1 .

Efficient key recovery of the original FL key
The attack by Gaborit, Otmani and Talé Kalachi (GOT) on the original FL system in [21] (see Algorithm 2 below) is an efficient structural attack which computes a valid private key of the FL system in cubic time when the public key fulfills certain conditions. We recall this attack in the following and derive an alternative, equally powerful attack based on decoding the public key in an interleaved Gabidulin code, utilizing the observation of the previous subsection. We prove that the failure conditions of both attacks are equivalent. The interleaved decoding attack does not have any advantage in terms of cryptanalysis compared to [21], but it enables us to predict exactly for which public keys both attacks work and for which they fail.

GOT attack
The key recovery in the GOT attack (Algorithm 2) succeeds under the conditions of the following theorem.

Algorithm 2: GOT Attack
Input: Public key (g, k_pub)
Output: Private key (x, P)
1 Choose γ_1, ..., γ_u to be a basis of F_{q^{mu}} over F_{q^m}
4 Pick at random a non-zero vector h ∈ F_{q^m}^n such that the condition in [21] holds

Theorem 2 (GOT Attack [21, Thm. 1]) Let γ_1, ..., γ_u ∈ F_{q^{mu}} be a basis of F_{q^{mu}} over F_{q^m} and let z_i = Tr(γ_i z), for i = 1, ..., u.
If the matrix Z ∈ F_{q^m}^{u×n} with z_1, ..., z_u as rows does not satisfy the failure condition (4), then (x, z) can be recovered from (G_G, k_pub) with O(n³) operations in F_{q^{mu}} by using Algorithm 2.
If the key is generated by Algorithm 1, the GOT attack breaks the original FL system with high probability.

Interleaved decoding attack
Recall from Theorem 1 that the public key k_pub is a corrupted interleaved codeword. Based on this observation, we will derive a structural attack on the original FL system, to which we refer as the Interleaved Decoding Attack in the following. We prove that interleaved decoding and the GOT attack fail (i.e., do not provide any information) for the same public keys. The idea is to decode k_pub in an interleaved Gabidulin code. Since w ≤ (u/(u+1))(n − k), such a decoder will return x with high probability, but fail in certain cases, see Sect. 2.3.

Equivalence of GOT attack and interleaved decoding attack
In the following, we prove that the failure condition of the GOT Attack is equivalent to the condition that decoding k pub in an interleaved Gabidulin code fails.

Theorem 3
The GOT Attack from [21] fails if and only if the Interleaved Decoding Attack fails. In particular, both fail if (4) holds.
Proof Rewrite the matrix from Theorem 2 as in (6) and the matrix from equation (5) as in (7). Since the matrices in (6) and (7) only differ in row permutations, they are row-space equivalent, implying that they have the same rank. Further, the rank of the matrix in (7) cannot become larger than w (since any vector in the right kernel of this matrix has rank weight at least n − w [34, Algorithm 3.2.1]). Thus, the failure conditions of Theorem 2 and Lemma 1 are equivalent.
In the next section, we will exploit the observation of Theorem 3, i.e., we propose a new key generation algorithm that avoids public keys that can be efficiently decoded by an interleaved decoder, thereby rendering the GOT attack useless.

The new system LIGA
In this section, we propose a public-key code-based encryption scheme PKE = (KeyGen, Encrypt, Decrypt) called LIGA. The system is based on the original FL system [16], where we keep both the original encryption and decryption algorithm, but replace the insecure key-generation algorithm. Further, we present a KEM-DEM version of LIGA denoted by KEM = (KeyGen, Encaps, Decaps).
Later, in Sect. 5, we will analyze the security of the system. We single out problems from coding theory and we prove that the encryption version is IND-CPA secure and the KEM-DEM version is IND-CCA2 secure under the assumption that the stated problems are hard. Furthermore, we study new and known attacks on these problems and show that they all run in exponential time (see Sect. 6).

The new key generation algorithm
We introduce a new key generation algorithm that is based on choosing z = Σ_{i=1}^{u} z_i γ*_i in a way that ϕ < w, where ϕ is the rank of the interleaved Moore matrix of the errors z_i in the public key, see (5). Based on the dimension of the span of the z_i, we will upper-bound ϕ in the following Theorem 4. Recall that when ϕ < w, the GOT attack [21] and interleaved decoding of the public key fail, see Theorem 3. In this case, retrieving any knowledge about the private key from the public key requires solving Problem 1 (defined later), which essentially corresponds to decoding the interleaved codeword for error patterns on which all known decoders fail.
Proof Since dim⟨z_1, ..., z_u⟩_{q^m} = ζ, at most ζ(n − k − w) rows of the matrix in (5) are linearly independent over F_{q^m}, meaning that ϕ ≤ ζ(n − k − w). The definition of z = (s | 0) · P^{−1} leads to ζ = dim⟨z_1, ..., z_u⟩_{q^m} = dim⟨s_1, ..., s_u⟩_{q^m} ≤ w, where the last inequality holds since s_1, ..., s_u are vectors of length w.
We propose the following modification to Line 3 of the key generation, depending on the parameter ζ. To prevent the GOT attack [21] from running in polynomial time, Theorem 4 implies that the parameter ζ must always be chosen such that ζ < w/(n − k − w). In Sect. 6, we will discuss several further exponential-time attacks on LIGA. Some of these attacks have a work factor depending on ζ, which must be considered in the parameter design.
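The constraint ζ < w/(n − k − w) is easy to check mechanically. A small helper (our own sketch, with illustrative rather than proposed parameter values) returns the largest admissible ζ:

```python
def max_zeta(n: int, k: int, w: int) -> int:
    """Largest integer zeta with zeta * (n - k - w) < w (strict), i.e. the
    largest choice for which Theorem 4 still forces the interleaved Moore
    matrix rank phi below w, so the GOT / interleaved decoding attack fails."""
    assert 0 < w < n - k, "need n - k - w > 0"
    return (w - 1) // (n - k - w)

# e.g. n = 64, k = 32, w = 20: w / (n - k - w) = 20/12, so zeta must be 1.
```

Note the strict inequality: ζ(n − k − w) = w is already too large, which is why the helper uses w − 1 in the integer division.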
Furthermore, the condition rk q (s i ) = w ensures that rk q (z i ) = w, i.e., as large as possible for a given subspace A. This choice maximizes the work factor of generic decoding attacks on the rows of the public key (seen as a received word of an interleaved Gabidulin code), see Sect. 6.
The restriction of the choice of A to subspaces that contain a basis of full-F q -rank codewords is to ensure that the set from which we sample in Line 3' is non-empty. Hence, the key generation always works.
Compared to the choice of z in Line 3 of the original Key Generation algorithm, we restrict the choice of z, but we will see in Sect. 6 that there are still enough possibilities for z to prevent an efficient naive brute-force attack.
Appendix 1 contains a more detailed discussion on how to realize Lines 3 and 3' in practice.

The public key encryption version
The new key generation algorithm KeyGen, the encryption algorithm Encrypt, and the decryption algorithm Decrypt are shown in Algorithm 3, Algorithm 4 and Algorithm 5, respectively. Compared to the original key generation algorithm, the algorithm KeyGen has one more input parameter, ζ (cf. Sect. 4.1).
The proposed system has no decryption failures as proven in the following theorem.
Since the last u positions of the plaintext m are zero (i.e., m_i = 0 for i = k − u + 1, ..., k), the last u entries of the decoded information word depend only on α and x_{k−u+1}, ..., x_k. As we know α and x, we can compute the plaintext m.

Algorithm 5: Decrypt (·)
Remark 1 Steps 1 to 3 of Algorithm 5 can be interpreted as an error-erasure decoder of a Gabidulin code. As this observation may have advantages, especially for implementations, we present this connection formally in Appendix 2.
A SageMath v8.8 [47] implementation of the public key encryption version of LIGA can be downloaded from https://bitbucket.org/julianrenner/liga_pke. The purpose of the source code is to clarify the shown algorithms but not to provide a secure and efficient instance. Developing an implementation that offers the latter two properties and can serve for a performance comparison with other schemes is outside of the scope of this paper and is left for future research.

The KEM/DEM version
In [23], generic transformations of IND-CPA secure public key encryptions into IND-CCA2 secure KEMs are proposed. In the following, we apply one of the transformations directly to PKE to obtain KEM . Later, in Sect. 5.2, we will prove that PKE fulfills the requirements such that the applied transformation is secure.
Let G, H and K be hash functions, where G ≠ H. In Algorithm 6 and Algorithm 7, we show the encapsulation and decapsulation algorithms of the KEM KEM = (KeyGen, Encaps, Decaps). The key generation algorithm KeyGen remains Algorithm 3.
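The data flow of such a transformation can be sketched generically. The following toy sketch is our own construction: the symmetric "PKE" is deliberately trivial and insecure and merely stands in for LIGA's Encrypt/Decrypt, while the transform derandomizes encryption with r = G(m) and lets decapsulation re-encrypt to authenticate the ciphertext:

```python
import hashlib
import os

def G(x: bytes) -> bytes:            # derandomizing hash
    return hashlib.sha256(b"G" + x).digest()

def K(x: bytes, c: bytes) -> bytes:  # key-derivation hash
    return hashlib.sha256(b"K" + x + c).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy PKE standing in for (KeyGen, Encrypt, Decrypt): pk = sk is a random
# symmetric key and Encrypt is a keyed pad with explicit randomness r.
def toy_keygen():
    key = os.urandom(32)
    return key, key  # (pk, sk)

def toy_encrypt(pk: bytes, m: bytes, r: bytes) -> bytes:
    return r + xor(m, hashlib.sha256(pk + r).digest())

def toy_decrypt(sk: bytes, c: bytes) -> bytes:
    r, body = c[:32], c[32:]
    return xor(body, hashlib.sha256(sk + r).digest())

# Generic CPA-to-CCA2 transform, sketched after [23]: encryption is
# derandomized with r = G(m); decapsulation re-encrypts and compares.
def encaps(pk: bytes):
    m = os.urandom(32)
    c = toy_encrypt(pk, m, G(m))
    return c, K(m, c)

def decaps(sk: bytes, pk: bytes, c: bytes):
    m = toy_decrypt(sk, c)
    if toy_encrypt(pk, m, G(m)) != c:
        return None  # rejection (the variants in [23] differ in this step)
    return K(m, c)
```

The re-encryption check is what lifts IND-CPA to IND-CCA2: a decryption oracle refuses to act on any ciphertext the adversary did not form honestly.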

Timing attacks
Resistance against timing attacks is essential in many applications, and systems that do not permit a constant-time implementation are thus considered insecure. Since Step 4 of Algorithm 4 can easily be implemented in constant time, the proposed encryption algorithm does not reveal any information about secret knowledge through timing attacks. The same holds for the presented decryption algorithm, since there exists an efficient constant-time decoding algorithm for Gabidulin codes [10] and all other steps of Algorithm 5 can be realized in constant time as well.
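Equality checks on secret-dependent values (for example, comparing a re-encrypted ciphertext against the received one during decapsulation) should also run in constant time. Python's standard library provides this directly; a short sketch of ours, not taken from the paper:

```python
import hmac

def ct_equal(a: bytes, b: bytes) -> bool:
    """Constant-time comparison: the running time does not depend on the
    position of the first differing byte, so the check leaks no timing
    information about how close an input is to the secret-dependent value."""
    return hmac.compare_digest(a, b)

# A naive `a == b` may return at the first mismatching byte, which leaks
# information through timing; ct_equal touches every byte regardless.
```

Equivalent constant-time comparison primitives exist in most languages (e.g. `CRYPTO_memcmp` in OpenSSL) and should replace plain equality wherever a secret is compared.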

Asymptotically fastest methods
In some scenarios, a constant-time implementation of the system may not be required, but we want key generation, encryption, and decryption to be as fast as possible. The following results were not known when the original FL system was proposed, but have a major impact on its efficiency.
The complexity of key generation and encryption is dominated by the cost of encoding a Gabidulin code (Line 8 of Algorithm 3 and Line 4 of Algorithm 4). The asymptotically fastest known algorithms [13,36,37] for this require Õ(n^{(ω+1)/2}) operations in F_{q^m}, where ω is the matrix multiplication exponent and Õ(·) means that logarithmic factors are neglected.
The bottleneck of decryption is (error-erasure) decoding of a Gabidulin code (Line 3 of Algorithm 5, see also Appendix 2 below), for which the asymptotically fastest algorithms [36,37] have sub-quadratic complexity in n, counted in operations over F_{q^m} or over F_q (decoder in [36] combined with the linearized-polynomial operations in [13]). For small lengths n, the algorithms from [22,40,44,49], which have quadratic complexity over F_{q^m} (or cubic complexity over F_q), might be faster than the mentioned algorithms due to smaller hidden constants in the O-notation.

Difficult problems & semantic security of LIGA
In this section, we introduce problems in the rank metric that are considered to be difficult. Furthermore, we prove that the public-key encryption version of LIGA is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that there do not exist probabilistic polynomial-time algorithms that can solve them. A detailed complexity analysis of existing and new algorithms solving the stated problems is given in Sect. 6.

Difficult problems in the rank metric
LIGA is based on several difficult problems which are stated in this section. Note that the search variants of the problems correspond exactly to retrieving information about the private key from the public key (not necessarily a valid private key as explained in the following) or the plaintext from the ciphertext. The decisional problems are equivalent to distinguishing the public key or the ciphertext from random vectors.

Problem 1 (ResIG-Search: Restricted interleaved Gabidulin Code Search Problem)
Problem 1 (ResIG-Search) is equivalent to decoding a codeword of a u-interleaved Gabidulin code that is corrupted by an error E (see also Sect. 6.1.2), and it is therefore the underlying problem of the structural attacks from Sect. 3.3. Note, however, that not every solution of this problem can necessarily be used directly as a valid private key, since some additional structure on E is introduced in LIGA (i.e., Problem 1 is easier to solve than retrieving a valid private key of LIGA).

Problem 2 (ResIG-Dec: Restricted Interleaved Gabidulin Code Decisional Problem)
Input: (G, Y) ∈ F k×n q m × F u×n q m . Goal: Decide with non-negligible advantage whether Y came from ResIG-Distribution with input q, m, n, k, w, ζ, u (Definition 3) or the uniform distribution over F u×n q m .
To solve ResIG-Dec (Problem 2), we do not know a better approach than trying to solve the associated search problem (i.e., ResIG-Search), as is usual for decoding-based problems.

Problem 3 (ResG-Search: Restricted Gabidulin Code Search Problem)
Problem 3 is equivalent to decoding a codeword of a Gabidulin code that is corrupted by an error that, with high probability, has a rank weight larger than (n − k)/2, see Appendix 3.

Problem 4 (ResG-Dec: Restricted Gabidulin Code Decisional Problem)
Input: q, m, n, k, w, t pub , u, γ , (G, K) from ResIG-Distribution (Definition 3), y ∈ F n q m . Goal: Decide with non-negligible advantage whether y came from ResErr-Distribution with input q, m, n, k, w, t pub , u, γ , (G, K) or the uniform distribution over F n q m .
As before, we are not aware of a faster approach to solve ResG-Dec than through the solution of the associated search problem.
We will see in the next subsection that LIGA is IND-CCA2 secure under the assumption that ResG-Dec is a hard problem. As mentioned above, there is an obvious reduction of ResG-Dec to ResG-Search, which can again be efficiently reduced to ResIG-Search. In fact, all relevant attacks studied in Sect. 6 make use of this chain of reduction and aim at solving one of the two search problems.
We are not aware of a reduction of ResIG-Dec to ResIG-Search or one of the other problems. Hence, it might very well be that ResIG-Dec is significantly easier than the other problems. In Sect. 6.3, we show that there is a distinguisher for ResIG-Dec that is efficiently computable if the system parameter ζ is chosen too small. Due to the missing reduction, it is not clear whether or not this distinguisher influences the security of the system.

Semantic security
In this section, we prove that the public key encryption system PKE is semantically secure against chosen plaintext attacks in the standard model under the assumption that ResG-Dec (Problem 4) is difficult. In addition, we show that the IND-CCA2 security of KEM reduces tightly to the IND-CPA security of PKE in the random oracle model.

IND-CPA security of PKE
To show that PKE is secure against chosen plaintext attacks, we use the definition of admissibility as in [33].
Definition 5 (Admissibility [33]) The public key encryption scheme PKE = (KeyGen, Encrypt, Decrypt) with a message space M and a random space R is called admissible if there is a pair of deterministic polynomial-time algorithms Encrypt_1 and Encrypt_2 satisfying the following properties: – Partible: Encrypt_1 takes as input a public key pk and r ∈ R, and outputs a p(λ)-bit string, where λ is the security parameter. Encrypt_2 takes as input a public key pk and m ∈ M, and outputs a p(λ)-bit string. Here p is some polynomial in the security parameter λ. Then, for any pk given by KeyGen, r ∈ R, and m ∈ M, Encrypt_1(pk, r) ⊕ Encrypt_2(pk, m) = Encrypt(pk, m; r).
– Pseudorandom: For any t, define Adv^{ind}_{Encrypt_1}(λ, t) as the maximal advantage, over all distinguishers D with time-complexity t, of distinguishing Encrypt_1(pk, r) for uniformly random r ∈ R from a uniformly random p(λ)-bit string. Then, the function Adv^{ind}_{Encrypt_1}(λ, t) is negligible for every polynomially bounded t and every sufficiently large λ.
In the following, we will prove that PKE is IND-CPA secure by showing that it fulfills the definition of admissibility. Proof Let Encrypt_1 := Tr(αk_pub) + e and Encrypt_2 := mG_G. Then, one observes that Encrypt = Encrypt_1 ⊕ Encrypt_2 and thus PKE is partible. Since ResG-Dec (Problem 4) is assumed to be difficult, the encryption scheme fulfills pseudorandomness and thus the system is admissible. As proven in [33, Lemma 1], if PKE fulfills Definition 5, then it is an IND-CPA secure encryption scheme.
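The proof's decomposition can be mirrored in a toy sketch over byte strings (our own illustration; in PKE itself, Encrypt_1 = Tr(αk_pub) + e, Encrypt_2 = mG_G, and ⊕ is addition over F_{q^m}):

```python
import hashlib

def encrypt1(pk: bytes, r: bytes) -> bytes:
    # randomness-dependent part; a hash stands in for the pad Tr(alpha*k_pub) + e
    return hashlib.sha256(pk + r).digest()

def encrypt2(pk: bytes, m: bytes) -> bytes:
    # message-dependent part; zero-padding stands in for the codeword m * G_G
    return m.ljust(32, b"\0")

def encrypt(pk: bytes, m: bytes, r: bytes) -> bytes:
    # partibility: Encrypt(pk, m; r) = Encrypt_1(pk, r) XOR Encrypt_2(pk, m)
    return bytes(a ^ b for a, b in zip(encrypt1(pk, r), encrypt2(pk, m)))

# If Encrypt_1's output is indistinguishable from random (here by fiat, via a
# hash; in LIGA by the assumed hardness of ResG-Dec), the ciphertext acts as
# a one-time pad on Encrypt_2(pk, m) and reveals nothing about m.
```

The point of admissibility is exactly this one-time-pad argument: pseudorandomness of the Encrypt_1 part masks the message-dependent Encrypt_2 part.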

IND-CCA2 security of KEM
We used a transformation proposed in [23] to transform the public key encryption scheme PKE into the KEM KEM . In the following, we prove that KEM is IND-CCA2 secure.
The applied transformation requires that the encryption scheme is γ-spread, which is proven to be the case for PKE in the following. For fixed pk, m, and ciphertext y, the probability over the randomness that Encrypt(pk, m; ·) outputs y is at most

q^{mu} / |{e ∈ F_{q^m}^n : rk_q(e) = t_pub}|,

which follows from the fact that there are at most q^{mu} choices for α and that, for each α, the ciphertext is uniform on the set Ĉ of all vectors in rank distance t_pub from (m, 0_u)G_G. In [19, Section IV.B], a constructive way of obtaining rank-t_pub matrices is given, namely an injective mapping into the set of matrices of rank t_pub.

Security analysis of LIGA
In this section, we analyze the security of LIGA. As proven in Theorems 6 and 7, the encryption version is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that ResG-Dec is difficult. Since there are obvious reductions from ResG-Dec to ResG-Search and from ResG-Dec to ResIG-Search, we will study the hardness of these two search problems in this section (Sect. 6.1 for ResIG-Search and Sect. 6.2 for ResG-Search). In fact, we are not aware of a more efficient method to solve ResG-Dec than through these two search problems. Although no formal reduction from any of the other three studied problems to ResIG-Dec is known, we also study the hardness of ResIG-Dec (Sect. 6.3). We derive a distinguisher for the public key with complexity exponential in the system parameters; an efficient variant of it can be avoided by a proper parameter choice.
Due to the randomized nature of the encryption, there are public keys for which the probability that the work factor of some of the ciphertext attacks on ResG-Search drops below the designed minimal work factor is non-negligible (i.e., > 2^{−λ}). We show in Sect. 6.4 that these weak keys occur with negligible probability (i.e., ≤ 2^{−λ}) during the random key generation if the parameters are chosen in a suitable way.

Exponential-time attacks on ResIG-Search
We propose new and summarize known methods that solve ResIG-Search (Problem 1). All studied algorithms have exponential complexity in the code parameters.
Recall that in the decryption algorithm of LIGA, the last u positions of the private key x have to form a basis of F_{q^{mu}} over F_{q^m}. Therefore, not every solution of Problem 1 (ResIG-Search) can be used as a valid private key, and Problem 1 is a strictly easier problem than retrieving a valid private key corresponding to a given public key.

Brute-force the vector z attack
The number of vectors z ∈ F_{q^{mu}}^n that fulfill the conditions stated in Sect. 4.1 is equal to the number of possible vectors s ∈ F_{q^{mu}}^w times the number of full-rank matrices in F_{q^m}^{w×n} in reduced row echelon form. Thus, brute-forcing a vector z that is a solution to ResIG-Search has a work factor lower-bounded as in (9), where the latter inequality follows from a lower bound on q-binomials (see [24, Lemma 4]), and N is the average number of interleaved codewords in a ball of radius w around a uniformly at random chosen interleaved received word.
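The second factor, the number of full-rank matrices in reduced row echelon form, equals a Gaussian binomial coefficient, since such matrices are in bijection with the w-dimensional subspaces of F_{q^m}^n (each subspace has exactly one RREF basis matrix). For tiny parameters over F_2 this can be verified by exhaustive enumeration; the sketch below is our own illustration:

```python
from itertools import product

def gaussian_binomial(n: int, r: int, q: int) -> int:
    num = den = 1
    for i in range(r):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den

def is_full_rank_rref(rows, n: int) -> bool:
    """rows: tuples of 0/1 entries of length n. Checks reduced row echelon
    form with no zero rows (i.e. full rank) over F_2."""
    pivots = []
    for row in rows:
        lead = next((j for j, x in enumerate(row) if x), None)
        if lead is None:
            return False  # zero row -> not full rank
        if pivots and lead <= pivots[-1]:
            return False  # leading ones must move strictly to the right
        pivots.append(lead)
    # each pivot column must be zero in every other row ("reduced")
    for i, p in enumerate(pivots):
        if any(rows[j][p] for j in range(len(rows)) if j != i):
            return False
    return True

w, n, q = 2, 3, 2
count = sum(
    is_full_rank_rref(rows, n)
    for rows in product(product(range(q), repeat=n), repeat=w)
)
assert count == gaussian_binomial(n, w, q)  # 7 two-dimensional subspaces of F_2^3
```

The enumeration over all 64 binary 2 × 3 matrices finds exactly the 7 RREF representatives, matching [3 choose 2]_2 = 7.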

Interleaved decoding attack
As described in Sect. 3.3, an attacker can apply an interleaved decoder to $k_{pub}$ to retrieve an alternative private key. A major ingredient of LIGA is that the public key is chosen such that this decoding always fails (i.e., the corresponding linear system of equations does not have a unique solution). However, it is still possible to brute-force search the solution space of the involved system of equations. This is analyzed in the following. Note that any interleaved codeword within radius at most w is a solution to ResIG-Search.

Problem 1 (ResIG-Search) is equivalent to decoding a codeword of a u-interleaved Gabidulin code that is corrupted by an error E. The error E fulfills
and thus, no known algorithm is able to correct it efficiently. The crucial step of the interleaved decoding algorithms from [27,43] is solving a syndrome-based linear system of equations with $w+1$ unknowns and $\varphi$ linearly independent equations, which is equivalent to finding the kernel of the matrix in (5), cf. [49, Section 4.1]. For $\zeta \geq \frac{w}{n-k-w}$, the dimension of the solution space is one and all solutions are valid for the remaining decoding steps. For $\zeta < \frac{w}{n-k-w}$, the dimension of the solution space is $w+1-\varphi$, but each valid solution forms only a one-dimensional subspace. An attacker can therefore search the solution space for a valid solution, which on average requires the work factor given in the displayed expression, where N is the average number of interleaved codewords, see (9). The dimension $w+1-\varphi$ of the solution space is clearly maximized for the smallest possible value of $\varphi$, i.e., $\varphi = n-k-w$. In this case, the search through the solution space attains its maximal work factor. Since the dimension of the solution space is maximal for $\varphi = n-k-w$, the repair from Sect. 4.1 with the explicit parameter value $\zeta = 1$ (i.e., $\dim \langle z_1, \ldots, z_u \rangle_{\mathbb{F}_{q^m}} = 1$) is the most secure choice in this sense. However, we keep the choice of $\zeta$ flexible, as the pairwise linear dependence of the $z_i$ might decrease the security (we are, however, not aware of how this fact could be exploited).
Besides the syndrome-based interleaved decoding algorithms in [27], [43], and [49, p. 64], there is an interpolation-based decoding algorithm [49, Section 4.3 (page 72)]. This interpolation-based algorithm can be interpreted both as a list decoder of interleaved Gabidulin codes with exponential worst-case and average list size and as a probabilistic unique decoder. The probabilistic unique interpolation-based decoder fails if and only if the decoding algorithms in [27], [43], [49, p. 64] fail, so the previous analysis applies here as well. For the list decoder, cf. [49, Lemma 4.5], the work factor of the resulting attack is given by the list size: the list of size $q^{m(u-1)k}$ contains many words that are not valid codewords, but one has to go through the whole list to find all valid codewords within radius w.

List decoding of the public key attack
Recall that $k_{pub} = x \cdot G_G + z$. Previously, we explained why this vector is a corrupted codeword of a u-interleaved Gabidulin code. At the same time, $x \cdot G_G$ can be seen as a codeword of a short Gabidulin code over the large field $\mathbb{F}_{q^{mu}}$, so one could, if such an algorithm existed, apply list decoding to $k_{pub}$ and obtain x. The weight of the error z is larger than the unique decoding radius, so a unique decoder cannot be applied to reconstruct x and a list decoder for radius w is required. However, such an algorithm has not been found yet. It was even shown in [38,46,48] that for most classes of Gabidulin codes such a polynomial-time list decoding algorithm cannot exist. Note that these results were not known when the original FL cryptosystem was proposed. They also imply that there is no polynomial-time list decoding algorithm for arbitrary Gabidulin codes beyond the unique decoding radius (in the spirit of the Guruswami-Sudan algorithm for Reed-Solomon codes).

Randomized Gabidulin decoding attack on the public key
The public key can be seen as the sum of a Gabidulin codeword over the field $\mathbb{F}_{q^{mu}}$ and an error of weight $w > \frac{n-k}{2}$. Alternatively, as shown in Sect. 3.2, the public key can be seen as an interleaved Gabidulin codeword that is corrupted by an error of weight w (this is the reason why all the $s_i$'s must have full $\mathbb{F}_q$-rank in Algorithm 3). Each row of (3) is a codeword of a Gabidulin code over $\mathbb{F}_{q^m}$ that is corrupted by an error of rank weight w. Both the corrupted Gabidulin codeword over $\mathbb{F}_{q^{mu}}$ and the one over $\mathbb{F}_{q^m}$ can be decoded using the randomized decoding approach proposed in [39]. Since applying the attack to each row of the unfolded public key is more efficient, we conclude that the randomized Gabidulin decoding attack on the public key has an average complexity of
$\mathrm{WF}_{RGD} = \frac{n}{64} \cdot q^{m(n-k)-w(n+m)+w^2+\min\{2\xi(\frac{n+k}{2}-\xi),\, wk\}}$
operations over $\mathbb{F}_{q^m}$.
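The average complexity above can be evaluated directly. The sketch below transcribes the displayed expression; $\xi$ is the internal parameter of the randomized decoder [39], and the toy parameter values are illustrative only, not a proposed LIGA set:

```python
from math import log2

def log2_wf_rgd(q, m, n, k, w, xi):
    """log2 of (n/64) * q^( m(n-k) - w(n+m) + w^2
       + min{2*xi*((n+k)/2 - xi), w*k} ), transcribed from the text;
       xi is the internal parameter of the randomized decoder [39]."""
    exponent = (m * (n - k) - w * (n + m) + w * w
                + min(2 * xi * ((n + k) / 2 - xi), w * k))
    return log2(n / 64) + exponent * log2(q)

# toy parameters, chosen only to exercise the formula:
# exponent = 32 - 32 + 4 + min(10, 8) = 12, so WF = (8/64) * 2^12 = 2^9
assert log2_wf_rgd(2, 8, 8, 4, 2, 1) == 9.0
```

Since the exponent dominates, work-factor comparisons in the parameter tables can be carried out entirely in the logarithmic domain as above.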

Moving to another close error attack
The following attack was suggested by Rosenkilde [41]. It tries to move the vector z (which we chose such that the interleaved decoder fails) to a close vector of the same or smaller rank weight w for which the interleaved decoder for $k_{pub}$ does not fail. The idea is to find a vector $y \in \mathbb{F}_{q^m}^{u \times n}$ such that $z' := z + y$ still has rank weight $\mathrm{rk}_q(z') \leq w$ and the rank of the matrix from (5) over $\mathbb{F}_{q^m}$ is at least w. To guarantee the first condition, we construct y such that its extended $um \times n$ matrix over $\mathbb{F}_q$ has a row space $\mathcal{R} := \mathrm{RowSpace}_{\mathbb{F}_q}(\mathrm{ext}_\gamma(y))$ that is contained in that of z. Since for the original error z, the matrix (5) has rank $\varphi \leq \zeta(n-k-w)$, the space $\mathcal{R}$ must have $\mathbb{F}_q$-dimension at least $w - \varphi \geq w(\zeta+1) - \zeta(n-k)$. By choosing a random $\mathcal{R}$ with this property and taking a random matrix y whose extended matrix has $\mathbb{F}_q$-row space $\mathrm{RowSpace}_{\mathbb{F}_q}(\mathrm{ext}_\gamma(y)) = \mathcal{R}$, the second condition is fulfilled with high probability.
The complexity of the attack is hence dominated by the complexity of finding a subspace $\mathcal{R} \subseteq \mathbb{F}_q^n$ of dimension $w - \varphi$ that is contained in the w-dimensional $\mathbb{F}_q$-row space of z. Since this row space is unknown, we can find $\mathcal{R}$ in a Las-Vegas fashion by repeatedly drawing a subspace uniformly at random. The expected number of iterations is thus one over the probability that a random $(w-\varphi)$-dimensional subspace of $\mathbb{F}_q^n$ is contained in a given w-dimensional subspace (cf. [15, Proof of Lemma 7]). Hence, the attack has work factor $\mathrm{WF}_{MCE} = q^{(n-w)(w-\varphi)} \geq q^{(n-w)(w(\zeta+1)-\zeta(n-k))}$.
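A minimal sketch of this bound, assuming $\varphi = \zeta(n-k-w)$ as in the discussion above; it also confirms that the two exponents in the displayed inequality coincide for this choice of $\varphi$ (the parameter values are illustrative only):

```python
from math import log2

def log2_wf_mce(q, n, k, w, zeta):
    """log2 of the move-to-close-error work factor
       WF_MCE = q^((n-w)(w-phi)), assuming phi = zeta*(n-k-w)."""
    phi = zeta * (n - k - w)
    return (n - w) * (w - phi) * log2(q)

# for phi = zeta*(n-k-w), the exponent (n-w)(w-phi) equals the
# lower-bound exponent (n-w)(w*(zeta+1) - zeta*(n-k)) from the text
n, k, w, zeta = 92, 53, 25, 1
phi = zeta * (n - k - w)
assert (n - w) * (w - phi) == (n - w) * (w * (zeta + 1) - zeta * (n - k))
assert log2_wf_mce(2, n, k, w, zeta) == (n - w) * (w - phi)
```

The algebraic identity $w - \zeta(n-k-w) = w(\zeta+1) - \zeta(n-k)$ is what makes the inequality in the text an equality when $\varphi$ attains its upper bound.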

Exponential-time attacks on ResG-Search
Retrieving information about the plaintext from the ciphertext and the public key is equivalent to solving ResG-Search (Problem 4). In this section, we summarize methods that solve this problem.

Randomized Gabidulin decoding attack on the ciphertext
Each ciphertext of LIGA can be seen as a Gabidulin codeword over $\mathbb{F}_{q^m}$ plus an error:
$c = (m, 0_u) \cdot G_G + \mathrm{Tr}(\alpha k_{pub}) + e = \underbrace{[(m, 0_u) + \mathrm{Tr}(\alpha x)] \cdot G_G}_{\text{codeword}} + \underbrace{\mathrm{Tr}(\alpha z) + e}_{\text{error}}.$
Denote $\tilde{w} := \mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha z) + e)$. Then we can use the decoding algorithm proposed in [39], which requires on average at least
$\frac{n}{64} \cdot q^{m(n-k)-\tilde{w}(n+m)+\tilde{w}^2+\min\{2\xi(\frac{n+k}{2}-\xi),\, \tilde{w}k\}} \quad (11)$
operations in $\mathbb{F}_{q^m}$. Clearly, the complexity of the algorithm strongly depends on the value $\tilde{w}$, which in turn depends on the generated keys. In general, $\tilde{w} = w + t_{pub}$, but for some choices of z, α, and e, the rank $\tilde{w}$ is smaller. For this issue, see Sect. 6.4 and Appendix 3, where we study the probability that $\tilde{w}$ is small, both for randomness in the encryption (random choice of α and e) and in the key generation (random choice of z). Some extremely rarely occurring keys (weak keys) thereby result in relatively high probabilities that $\tilde{w}$ is small.
However, we can choose the system parameters such that both the probability of a weak key and the conditional probability that $\tilde{w} < w$ given a non-weak key are below $2^{-\lambda}$. Hence, with overwhelming probability, a random key and ciphertext result in a ciphertext error of rank weight $\tilde{w} \geq w$, and the work factor of this attack is always at least as large as that of the "Randomized Gabidulin Decoding Attack on the Public Key" in Sect. 6.1.

List decoding of the ciphertext attack
As described for the Randomized Gabidulin Decoding Attack on the Ciphertext above, the ciphertext of LIGA is a codeword of a Gabidulin code corrupted by an error of rank weight $\tilde{w}$. Hence, an attacker can try to decode the ciphertext directly. Since τ is always greater than the unique decoding radius $\frac{n-k}{2}$ of the Gabidulin code, this would require an efficient (list) decoding algorithm up to radius τ. As explained previously, no such algorithm is known, and bounds on the list size prove that there cannot exist a generic list decoding algorithm for all Gabidulin codes, which indicates that list decoding is a hard problem.
However, to be on the safe side, we have taken list decoding into account for the security level of our system as follows. The list size $L_{c,worst}$ denotes a lower bound on the worst-case work factor of list decoding. For example, for a Gabidulin code with parameters $n \mid m$ and $\gcd(n, n-\tau) \geq 2$, there is a received word with at least $L_{c,worst}$ codewords in rank distance at most τ to it. Although $L_{c,worst}$ does not imply any statement about the average list size or average work factor, it provides an estimate of the order of magnitude of the work factor of a hypothetical list decoding attack. For our suggested parameters in Sect. 7, we have ensured that the value of $L_{c,worst}$ is sufficiently large.

Combinatorial rank syndrome decoding (RSD) attack
The ciphertext can be interpreted as a corrupted codeword of a code of dimension k (see [16]), generated by a generator matrix built from the vectors $\mathrm{Tr}(\gamma_1 k_{pub}), \ldots, \mathrm{Tr}(\gamma_u k_{pub})$.
Since the structure of this code only permits decoding it like a random rank-metric code, it can be decoded with the combinatorial syndrome decoding attack from [4], whose complexity is exponential in the code parameters.
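The complexity of the combinatorial attack of [4] is commonly quoted in the rank-metric literature as $(n-k)^3 m^3 q^{t\lceil (k+1)m/n \rceil - m}$; we treat this expression as an assumption here, the displayed formula in the paper being the authoritative one. A sketch evaluating its binary logarithm:

```python
from math import log2

def log2_wf_comb_rsd(q, m, n, k, t):
    """log2 of (n-k)^3 * m^3 * q^(t*ceil((k+1)*m/n) - m), the combinatorial
       RSD cost commonly attributed to [4]; the expression is an assumption
       transcribed from the rank-metric literature, not from this paper."""
    ceil_term = ((k + 1) * m + n - 1) // n   # integer ceil((k+1)*m/n)
    return 3 * log2(n - k) + 3 * log2(m) + (t * ceil_term - m) * log2(q)

# tiny illustrative instance; the exponent t*ceil((k+1)m/n) - m vanishes here,
# leaving only the polynomial factor 3*log2(n-k) + 3*log2(m)
assert 10.75 < log2_wf_comb_rsd(2, 4, 4, 1, 2) < 10.76
```

The exponential term dominates for cryptographic parameter sizes, so the polynomial prefactor matters little when comparing parameter sets.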

Algebraic RSD attack
As described in the previous section, the ResG-Search problem can be solved by decoding an error of rank weight $t_{pub}$ in a random [n, k] code. Besides the combinatorial approach, there exist algebraic algorithms to solve the problem. In [6], the RSD problem is expressed as a multivariate polynomial system and solved by computing a Gröbner basis. The complexity of this attack is generally smaller than that of the combinatorial approach. If there is a unique solution to the system, then the work factor of the algorithm is given by the displayed expression, where μ is the exponent in the complexity of the matrix multiplication algorithm used. The asymptotically fastest known matrix multiplication algorithm has an exponent of μ < 2.373. Like the authors of [6], we use μ = 2.807 to compute the work factors in this paper, since it corresponds to Strassen's algorithm, which is (due to the hidden constants) in practice the fastest algorithm for large (but still reasonably small) matrix sizes.
Very recently, a new algebraic algorithm was proposed to solve the RSD problem [7]. It divides RSD instances into two categories. If the instance is overdetermined, the proposed algorithm has the work factor displayed first. Otherwise, the instance is underdetermined, in which case the algorithm has work factor $\mathrm{WF}_{Wogr} = \min\{\mathrm{WF}_{Under}, \mathrm{WF}_{Hybrid}\}$, where the hybrid approach is parameterized by an integer $0 < b < t_{pub} + 2$. We denote the minimum of the work factors of the two algorithms as the work factor of the algebraic RSD attack, i.e., $\mathrm{WF}_{ARSD} = \min\{\mathrm{WF}_{Gr}, \mathrm{WF}_{Wogr}\}$.
Note that for algebraic decoding, it is neither known how to exploit the existence of multiple solutions to reduce the complexity, nor is it known how to speed up the algorithm on a quantum computer.

Linearization attack
In [16], a message attack was proposed which succeeds for some parameters with high probability in polynomial time.

Lemma 3 (Linearization Attack [16]) Let k
Then, the encrypted message m can be efficiently recovered if the left kernel of M has dimension dim(ker(M)) = 1.
If $(u+2)t_{pub} + k > n$, then M has at least two more rows than columns and we have $\dim(\ker(M)) > 1$. If $k_{pub}$ is random and $(u+2)t_{pub} + k \leq n$, the attack is efficient with high probability [16].

Lemma 4 Let M be as in (13). Then,
so that, by elementary row operations, we can transform M into the displayed form. Further, since the number of columns of M equals n, the rank of M is at most n. The linearization attack is inefficient if the rank of M is smaller than its number of rows, which implies the following stronger version of the original statement in [16].
The first condition in Theorem 8 is again fulfilled by the choice of w in Table 1. The second one reads $t_{pub} > \frac{\varphi}{u} + 1$, and for any valid $\varphi$, there are choices of w such that $t_{pub}$ fulfills this inequality for any $u > 1$.
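The threshold between the efficient and inefficient regime of the linearization attack can be checked mechanically. A minimal sketch (the parameter values are illustrative, not proposed LIGA parameters):

```python
def linearization_attack_applies(n, k, u, t_pub):
    """Per [16] and the discussion above: for random k_pub the attack
       succeeds with high probability iff (u+2)*t_pub + k <= n; for
       (u+2)*t_pub + k > n the kernel of M has dimension > 1 and it fails."""
    return (u + 2) * t_pub + k <= n

# illustrative values on both sides of the threshold
assert linearization_attack_applies(64, 16, 2, 10)       # (2+2)*10+16 = 56 <= 64
assert not linearization_attack_applies(64, 30, 2, 10)   # (2+2)*10+30 = 70 >  64
```

Such a check belongs in any parameter-selection script, since the attack runs in polynomial time whenever the condition holds.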

Algebraic attacks
Faure and Loidreau [16] also described two message attacks of exponential worst-case complexity. The first one is based on computing gcds of polynomials whose degrees are given in (14). Since the gcd of two polynomials can be computed in quasi-linear time in their degree, (14) gives an estimate of the work factor of this attack. The second algebraic attack is based on finding Gröbner bases of a system of $n_p = \binom{n}{k+2t_{pub}-u+1}$ polynomials of degree approximately $d_p = q^{t_{pub}+1} - 1$. The attack is only efficient for small code parameters, cf. [16, Sec. 5.3]. Since the average-case complexity of Gröbner basis algorithms is hard to estimate, we cannot directly relate $n_p$ and $d_p$ to the attack's work factor. Faure and Loidreau chose the code parameters such that $n_p \approx 2^{32}$ and $d_p = 127$ and claim that the attack is inefficient for these values. Our example parameters in Sect. 7 result in at least these values.

Overbeck-like attack
The key attack described in [28, Ch. 7] is prevented by the choice of w in Table 1.

Brute-force attack on the element α
An attacker can brute-force $\alpha \in \mathbb{F}_{q^{mu}}$, which has a complexity of $\mathrm{WF}_\alpha = q^{mu}$.
Knowing α, he just needs to apply an efficient decoding algorithm to $\tilde{c} = c - \mathrm{Tr}(\alpha k_{pub})$ to retrieve the secret message.

Exponential-time attacks on ResIG-Dec
We have seen in Sect. 5 that LIGA is IND-CCA2 secure under the assumption that ResG-Dec is a hard problem. The two previous subsections analyzed all known attacks on the ResG-Search and ResIG-Search problems, which are relevant since there is an obvious reduction of ResG-Dec to these search problems.
In the following, we study the problem ResIG-Dec (which amounts to distinguishing the public key from a random vector in $\mathbb{F}_{q^{mu}}^n$). It differs from the previous problems in that we do not know an efficient reduction from ResG-Dec (or one of the search problems) to ResIG-Dec. In other words, even if distinguishing the public key is easy, it might still be hard to distinguish the ciphertext. Nevertheless, we study the hardness of ResIG-Dec in the following and present a distinguisher that is efficient to compute if ζ is chosen small. The distinguisher works as follows.
Recall the choice of $k_{pub}$ in Algorithm 3. Expand $k_{pub}$ into a $u \times n$ matrix over $\mathbb{F}_{q^m}$ and choose any $\zeta+1$ rows. As the $\mathbb{F}_{q^m}$-expansion of the error z has $\mathbb{F}_{q^m}$-rank ζ, there are at least $q^m - 1$ non-trivial $\mathbb{F}_{q^m}$-linear combinations of these $\zeta+1$ rows that are codewords of the code generated by $G_G$. With high probability, this is not the case for a random $u \times n$ matrix over $\mathbb{F}_{q^m}$. Thus, by repeatedly drawing random linear combinations of these $\zeta+1$ rows and checking whether the result is a codeword, we obtain a Monte-Carlo algorithm with an expected work factor of $\mathrm{WF}_{k_{pub},\,distinguisher} = q^{m\zeta}$, neglecting the cost of checking whether a vector in $\mathbb{F}_{q^m}^n$ is a codeword. Hence, if mζ is smaller than the security parameter of the system, this distinguisher is feasible to compute.
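The resulting feasibility criterion can be sketched as a simple check (the concrete values of m and ζ below are hypothetical, chosen only to illustrate both sides of the threshold):

```python
from math import log2

def distinguisher_feasible(q, m, zeta, security_level):
    """The Monte-Carlo distinguisher draws random F_{q^m}-linear combinations
       of zeta+1 rows of the expanded public key; about q^(m*zeta) draws are
       expected before a codeword of the Gabidulin code is hit, so the
       distinguisher is feasible only if m*zeta*log2(q) stays below the
       targeted security level."""
    return m * zeta * log2(q) < security_level

# hypothetical parameter values, only to illustrate the threshold
assert distinguisher_feasible(2, 59, 1, 128)        # 59-bit effort: feasible
assert not distinguisher_feasible(2, 83, 2, 128)    # 166-bit effort: infeasible
```

This is why ζ must not be chosen too small relative to m when the indistinguishability of the public key itself is a concern.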

Avoiding Weak Keys
As already discussed in Sect. 6.2, the work factors of the "Randomized Gabidulin Decoding Attack on the Ciphertext" and the "List Decoding of the Ciphertext Attack" depend on the rank of the error part $\mathrm{Tr}(\alpha z) + e$ of the ciphertext (seen as codeword plus error). Generically, this error has weight $w + t_{pub}$, but due to the trace operation and the addition, the rank might be smaller.
In Appendix 3, we will analyze the probability that for a given key (i.e., z in this case) and a random encryption (random choices of α and e) the rank is significantly smaller than expected (we use < w as a threshold, see Sect. 6.2). Briefly summarized, we get the following results.
It turns out that this probability heavily depends on the minimum distance of the code A used to generate z in Algorithm 3: the smaller this minimum distance, the larger the probability that the rank is low. More precisely, a bound is given for any A of minimum distance $2 \leq t \leq w - \zeta + 2$, cf. Theorem 11 in Appendix 3. Due to the above discussion, we call a key with $\Pr(\mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha z) + e) < w) > 2^{-\lambda}$ a weak key. In Appendix 3, we derive an upper bound on the probability of choosing a weak key (i.e., an A of too small minimum distance) in Algorithm 3. For $\zeta q^{\zeta w - m} \leq \frac{1}{2}$, a rough bound is given in Remark 2 (see Theorem 11 for a non-asymptotic bound) in Appendix 3, where t is the smallest minimum distance for which the key is not weak. The parameters of LIGA can be chosen such that there is a t with $2 \leq t \leq w - \zeta + 2$ for which both $\Pr(\mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha z) + e) < w)$ (for any non-weak key) and $\Pr(\text{weak key})$ are smaller than $2^{-\lambda}$. This is the case for all parameters proposed in Table 1.

Summary of the work factors
In this section, we recall the conditions on the choice of the parameters such that all known attacks are inefficient and summarize their work factors. Furthermore, we give specific parameters and compare LIGA to other code-based cryptosystems.
In the following, we choose the parameters q, m, n, k, u, w, and t pub as in Table 1. Recall that this choice of w prevents the Overbeck-like attack (Sect. 6.2.7) and results in an exponential work factor of the linearization attack (Sect. 6.2.5).
Furthermore, we choose ζ to be small such that the work factor of searching the exponentially-large output of the interleaved decoding attack (Sect. 6.1.2) is large. Note that the latter attack returns an exponentially-large output if and only if the GOT [21] attack fails, cf. Theorem 3.
The resulting considered work factors are summarized in Table 2. In addition to these work factors, we have considered the following requirements:
- The work factor of the second algebraic attack in [16] (cf. Sect. 6.2.6) is unknown. Hence, we choose the code parameters such that the resulting non-linear system of equations occurring in the attack consists of more than $n_p \approx 2^{32}$ polynomials of degree at least $d_p = 127$. This is the same choice as in [16].
- Since there is no efficient list decoder for Gabidulin codes, the work factor of list decoding the public key or the ciphertext in Sect. 6.2.2 is not known. However, we do have a lower bound on the worst-case work factor for some codes, given by the maximal list size $L_{c,worst}$ in (12). In all examples for which the bound holds, we chose the parameters such that $\log_2(L_{c,worst})$ is much larger than the claimed security level.
- The probability of generating a weak key should be negligible. Thus, we choose the parameters such that $\zeta q^{\zeta w - m} \leq \frac{1}{2}$ and $\Pr(\text{weak key}) \leq 2^{-\lambda}$, where λ is the security parameter (cf. the bound involving $\frac{q^{m\zeta}-1}{(q^m-1)(q^{mw}-1)}$ from Theorem 10).

Parameters and key sizes
We propose parameters for security levels of 128, 192, and 256 bit in Table 3, where $R = \frac{k-u}{n}$ denotes the rate. The parameters are chosen such that we can send at least 256 bit of information, so the system can be used as a KEM. Further, we use a security margin of at least 20 bit. For all parameters, the algebraic attack based on computing gcds of polynomials is the most efficient attack.
To evaluate the performance of LIGA, we compare it to the IND-CCA-secure version [42] of Loidreau's system [29] and the NIST proposals RQC [2], ROLLO [1], BIKE [3] and Classic McEliece [8]. Table 4 shows the sizes of the private key sk, the public key pk and the ciphertext ct in byte, as proposed by the respective authors; the entry 'yes' in the column DFR indicates that a scheme has a decryption failure rate larger than 0. Note that in LIGA we can use a similar representation of the secret key and public key as in RQC, see [2, Section 2.3.3]. Further, at the current state of research, there is no quantum speed-up known for the algebraic RSD attack [2, Section 6.3]. Using the described work factors, we obtain for LIGA-128, LIGA-192 and LIGA-256 a post-quantum security level of 97.5 bit, 127.5 bit and 157.5 bit, respectively, where Moving to Close Error is the most efficient attack for all three parameter sets.

Conclusion
In this paper, we presented a new rank-metric code-based cryptosystem: LIGA. LIGA uses a new coding-theoretic interpretation of the Faure-Loidreau system. We showed that the ciphertext is a corrupted codeword of a Gabidulin code whose error weight is too large for an unauthorized receiver to correct. The authorized user knows the row space of a part of the error and is thus able to correct it. Further, we derived that a part of the public key can be seen as a corrupted codeword of an interleaved Gabidulin code and that, in the original FL system, an interleaved Gabidulin decoder can efficiently recover the private key from this part of the public key with high probability. We proved that the condition under which interleaved Gabidulin decoders fail is equivalent to the condition under which the severe attack by Gaborit, Otmani and Talé Kalachi fails.
Based on the latter observation, we chose LIGA's key generation algorithm such that interleaved Gabidulin decoders fail, which in turn implies that the attack by Gaborit et al. fails.
We proposed two versions of LIGA and proved that the public-key encryption version is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that the ResG-Dec problem is hard. We extensively analyzed the security of this decisional problem by studying attacks on the ResG-Search, ResIG-Search, and ResIG-Dec problems (recall that there is a reduction of ResG-Dec to each of the two search problems). All studied attacks have an exponential work factor for the proposed parameter ranges and can be avoided by parameter choice.
Finally, we presented parameters for security levels of 128, 192 and 256 bit and compared them to the NIST proposals RQC, ROLLO, BIKE, Classic McEliece and a rank-metric McEliece-like system proposed by Loidreau. We observed that LIGA has small ciphertext sizes as well as relatively small key sizes. Encryption and decryption correspond to encoding and decoding of Gabidulin codes, for which efficient and constant-time algorithms exist. Further, the proposed system guarantees correct decryption and is not based on hiding the structure of a code. Hence, LIGA should be considered as an alternative with small ciphertext and key sizes.

A: Practical considerations on the key generation
We discuss practical aspects related to the following lines of the modified key generation algorithm (Algorithm 3).
We conjecture that the set from which A is sampled is almost the entire set of ζ-dimensional subspaces of $\mathbb{F}_{q^m}^w$ (or, equivalently, of linear $[w, \zeta]_{q^m}$ codes). Using a combinatorial argument on the known number of full-rank codewords of MRD codes, we prove in Lemma 8 (Appendix 3) that MRD codes always have a basis consisting of full-rank codewords. Since the weight enumerator of non-MRD codes is not known in general, we cannot give a proof, but we expect that most codes that are close to MRD (i.e., whose minimum distance is close to the Singleton bound) also have such a basis. The conjecture is then implied by the fact that (close-to-)MRD codes constitute the majority of linear codes [12,32] for the parameters considered here.
Since, in the worst case, it is hard to check whether a randomly drawn code admits a basis of full-$\mathbb{F}_q$-rank codewords, these arguments also suggest a practical way to implement the corresponding sampling steps of Algorithm 3: sample uniformly at random from the set of $[w, \zeta]_{q^m}$ codes. With overwhelming probability, the code is close to MRD and a large proportion of its codewords have full $\mathbb{F}_q$-rank. Randomly choosing u codewords will thus give a generating set consisting of full-rank codewords with high probability. Only if no such generating set is found after a given number of trials does one need to formally check whether the code admits a generating set of full-$\mathbb{F}_q$-rank codewords. This gives a Las-Vegas-type algorithm with (supposedly) small expected running time.
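The Las-Vegas step above can be sketched over the toy field $\mathbb{F}_{2^8}$; the extension degree, the primitive polynomial, and all parameter values are illustrative choices, not LIGA parameters. The full-$\mathbb{F}_q$-rank test expands each codeword coordinate into its bit representation and computes the $\mathbb{F}_2$-rank:

```python
import random

M = 8          # toy extension degree: work in F_{2^8}
PRIM = 0x11D   # x^8 + x^4 + x^3 + x^2 + 1, irreducible over F_2

def gf_mul(a, b):
    """Multiplication in F_{2^8} = F_2[x]/(PRIM)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= PRIM
        b >>= 1
    return r

def f2_rank(vec):
    """F_2-rank of a vector over F_{2^8}: rank of its bit-expansion,
       computed by inserting coordinates into an XOR basis."""
    basis = []
    for v in vec:
        for b in basis:
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def sample_generating_set(w, zeta, u, max_trials=1000, seed=0):
    """Las-Vegas sketch: fix a random [w, zeta] code over F_{2^8}, then draw
       random codewords until u of them have full F_2-rank w (requires w <= M)."""
    rng = random.Random(seed)
    a = [[rng.randrange(1, 256) for _ in range(w)] for _ in range(zeta)]  # basis
    out = []
    for _ in range(max_trials):
        coeffs = [rng.randrange(256) for _ in range(zeta)]
        cw = [0] * w
        for c, row in zip(coeffs, a):
            for j in range(w):
                cw[j] ^= gf_mul(c, row[j])
        if f2_rank(cw) == w:
            out.append(cw)
            if len(out) == u:
                return out
    return None  # rare case: formally check the code (see discussion below)

codewords = sample_generating_set(w=4, zeta=2, u=3)
assert codewords is not None and all(f2_rank(c) == len(c) for c in codewords)
```

Since a random codeword of a random code has full $\mathbb{F}_2$-rank with probability close to 1 for these sizes, the loop terminates after very few iterations in practice.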
The worst case of this algorithm (i.e., no suitable generating set is found after a given number of trials) occurs with extremely small probability (provably, it is close to the probability of drawing a non-MRD code at random; in reality it might be even smaller, since "near-MRD" codes might also have suitable bases). Nevertheless, the worst-case complexity is still quite large. Alternatively, one can draw a new code A if no generating set is found after a given number of trials. This, however, slightly changes the random experiment from which the code A is drawn. The only part of this paper influenced by such a modification is Sect. 6.4, a summary of Appendix 3, which studies weak keys (i.e., keys for which there is a non-negligible probability that the error part of the ciphertext has too low a rank and is vulnerable to a feasible ciphertext attack). A key is weak only if the minimum distance of A is small. By parameter choice, the probability that such a key is generated can be made arbitrarily small (cf. Appendix 3). By the same arguments as above, we conjecture that if the probability of obtaining a generating set of full-$\mathbb{F}_q$-rank codewords by drawing u codewords uniformly at random is small, then the minimum distance of the code must also be small (i.e., far from MRD). In summary, we expect (but cannot prove) that this change of drawing procedure results in an even smaller weak-key probability than predicted by Theorem 11 (Appendix 3).

B: Decryption as error-erasure decoding
In the following, we give a coding-theoretic interpretation of the ciphertext of the original FL system and of LIGA, which, to the best of our knowledge, has not been observed before.
Lemma 5 Fix a basis of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$. Then, the matrix representation of the ciphertext can be written in the form (15).
Proof Due to the $\mathbb{F}_{q^m}$-linearity of the trace map Tr and the fact that the entries of the matrices $G_G$ and $P^{-1}$ are in $\mathbb{F}_{q^m}$, we can rewrite the ciphertext accordingly. Since the entries of $(P^{-1})_{[1,\ldots,w]}$ are in $\mathbb{F}_q$, the expansion of the ciphertext into the $\mathbb{F}_q$-basis of $\mathbb{F}_{q^m}$ can be written as in (15).

Theorem 9
The message vector m can be reconstructed by the error-erasure decoders in [20,45,51] (as well as their accelerations in [36,37]) and Steps 4 and 5 of Algorithm 5.
Proof As seen in Lemma 5, we can decompose the matrix representation of the ciphertext into a codeword plus a partially known error. In fact, the decomposition is of the form (1) (see Sect. 2.2), so $m + \mathrm{Tr}(\alpha x)$ can be reconstructed by the error-erasure decoders in [20,45,51], since the decoding condition (2) reads $w + 2\,\mathrm{rk}_q(E) = w + 2t_{pub} \leq n - k$ in this case, which is fulfilled by the choices in Table 1.
The message m can then be recovered from m + Tr(αx) using the same steps as in Algorithm 5.
Theorem 9 leads to the following observation. The ciphertext is a codeword plus an error of rank weight w + t pub , which is beyond the unique decoding radius. The legitimate receiver can only decrypt since she knows the (w-dimensional) row space of a part of the error. Although the attacker knows the code, she cannot recover the message since she has no further knowledge about the structure of the error. Note the difference to the code-based McEliece cryptosystem, where the security relies on the fact that an attacker does not know the structure of the code. We will turn this observation into an exponential-time message attack in Sect. 6.2.2, which we will consider in our parameter choice.
Furthermore, the procedure implied by Theorem 9 might have a practical advantage over the original decryption algorithm. The code G used for decoding in Algorithm 5 depends on the private key. In Theorem 9, the code is given by g, which is public and in fact does not need to be chosen randomly in the key generation. Depending on the algorithm used and the type of implementation (e.g., in hardware), a fixed code can be advantageous in terms of complexity or implementation size.

Probability of large enough ciphertext error weight
In this section, we analyze the probability that the error part $\mathrm{Tr}(\alpha z) + e$ of the ciphertext
$c = (m, 0_u) \cdot G_G + \mathrm{Tr}(\alpha k_{pub}) + e = \underbrace{[(m, 0_u) + \mathrm{Tr}(\alpha x)] \cdot G_G}_{\text{codeword}} + \underbrace{\mathrm{Tr}(\alpha z) + e}_{\text{error}}$
has large enough rank to rule out the ciphertext attacks discussed in Sect. 6. The results of this appendix are summarized in Sect. 6.4.
Generically (i.e., with probability close to 1 for random choices of $k_{pub}$, α, e), we have $\mathrm{rk}_q(\mathrm{Tr}(\alpha z)) = w$, $\mathrm{rk}_q(e) = t_{pub}$, and $\mathrm{rk}_q(\mathrm{Tr}(\alpha z) + e) = w + t_{pub}$. However, there is a very small probability that the error has significantly smaller rank than in the generic case. Our aim is to design the system parameters such that this probability is sufficiently small, e.g., $2^{-\lambda}$, to prevent attacks exploiting this behavior.
As we will see in this section, the choice of z in the public key influences this probability (fixed z, randomness in α and e) significantly. Since z is itself drawn using a random experiment during the key generation, we study with which probability this key is "strong", i.e., whether the rank of Tr(αz) + e is large with sufficiently high probability (randomness only in α and e).
We start with a lemma that shows that the probability mass function of the F q -rank of Tr(αz) for uniformly drawn α only depends on the weight distribution of the code spanned by a 1 , . . . , a ζ (the F q m -linearly independent vectors over F q m from which z is constructed).

Lemma 6 Let z be constructed from the randomly chosen $[w, \zeta]_{q^m}$ code A as in Algorithm 3.
Denote by $A_0, \ldots, A_w$ the rank-weight distribution of A. For $\alpha \in \mathbb{F}_{q^{mu}}$ chosen uniformly at random, the distribution of $\mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha z))$ is as displayed. Proof We use the notation (z, s, A, P, and S) from Algorithm 3. First observe that $\mathrm{Tr}(\alpha z) = \mathrm{Tr}(\alpha [s|0])P$. Hence, $\mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha z)) = \mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha s))$.
We can expand $\alpha \in \mathbb{F}_{q^{mu}}$ in the dual basis $\gamma_i^*$ as $\alpha = \sum_{i=1}^{u} \alpha_i \gamma_i^*$. Then, $\mathrm{Tr}(\alpha s)$ can be written in terms of a basis $a_1, \ldots, a_\zeta$ of A and a matrix $S \in \mathbb{F}_{q^m}^{u \times \zeta}$ of full rank ζ. As α is chosen uniformly at random from $\mathbb{F}_{q^{mu}}$, the $\alpha_i$ are chosen independently and uniformly at random from $\mathbb{F}_{q^m}$. As $\mathrm{rk}_{q^m}(S) = \zeta$, this is equivalent to saying that $\mathrm{Tr}(\alpha s)$ is a codeword of A chosen uniformly at random. This immediately implies the claim.
A direct consequence of the lemma above is the following statement.

Corollary 1 With notation as in Lemma 6, let d be the minimum rank distance of the $[w, \zeta]_{q^m}$ code A. Then,
$\Pr\left(\mathrm{rk}_{\mathbb{F}_q}(\mathrm{Tr}(\alpha z)) < d\right) = q^{-m\zeta}.$
Corollary 1 shows that we can easily bound the probability that $\mathrm{Tr}(\alpha z)$ has small $\mathbb{F}_q$-rank if the code A (as defined in Lemma 6) has a large minimum rank distance. Loosely speaking, if the minimum rank distance of the code is small, we consider the key weak, and strong otherwise. Since the code is chosen uniformly at random from the set of $\mathbb{F}_{q^m}$-linear $[w, \zeta]_{q^m}$ codes (cf. the choice of the $a_i$ in Algorithm 3), we can use the following result from [12] to bound the probability that the key is weak. Since the code in Lemma 7 is chosen uniformly at random, it does not exactly match the distribution of the code A in Algorithm 3. Hence, we need the following lemma and theorem to estimate the probability of a small minimum distance in our case.

Lemma 8
An F_{q^m}-linear MRD code [n, k]_{q^m} with n ≤ m has a basis consisting of codewords of F_q-rank n.
Proof We show that the number of codewords of F_q-rank n is at least q^{m(k−1)}. Since any subcode of dimension k − 1 contains at most q^{m(k−1)} − 1 non-zero codewords, these full-rank codewords cannot all lie in a proper subcode; hence their F_{q^m}-span is the entire code, and a basis of full-rank codewords can be selected among them.
The rank-weight distribution of an MRD code of length n and minimum rank distance d is given by (see [18])

A_{d+s} = [n choose d+s]_q · Σ_{j=0}^{s} (−1)^{j+s} [d+s choose d+j]_q · q^{(s−j)(s−j−1)/2} · (q^{m(j+1)} − 1),  s = 0, 1, …, n − d,  (16)

where m is the order of the extension field, n ≤ m, and A_{d+s} denotes the number of rank-(d + s) codewords.
We are interested in a lower bound on the number of full-rank codewords, i.e., the case s = n − d. The sum in (16) is an alternating sum whose terms grow in magnitude with j, so it can be lower-bounded by keeping only the terms for j = s and j = s − 1. That means

A_{d+s} ≥ [n choose d+s]_q · ( (q^{m(s+1)} − 1) − [d+s choose 1]_q (q^{ms} − 1) ).

Hence, for s = n − d, using the MRD property k = n − d + 1, we obtain

A_n ≥ (q^{mk} − 1) − [n choose 1]_q (q^{m(k−1)} − 1) ≥ q^{m(k−1)}.
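As a sanity check on (16) and on the counting argument in the proof of Lemma 8, the following Python sketch (function names are ours, chosen for illustration) evaluates the MRD rank-weight distribution and verifies that the weights sum to q^{mk} and that the number of full-rank codewords is at least q^{m(k−1)}:

```python
def gauss_binom(n, k, q):
    """Gaussian binomial coefficient [n choose k]_q."""
    if k < 0 or k > n:
        return 0
    num = den = 1
    for i in range(k):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den  # exact: the overall fraction is always an integer

def mrd_weight_distribution(n, k, q, m):
    """Rank-weight distribution (A_0, ..., A_n) of an [n, k] MRD code
    over F_{q^m} with n <= m, evaluated via (16)."""
    d = n - k + 1  # MRD: minimum rank distance meets the Singleton bound
    A = [0] * (n + 1)
    A[0] = 1
    for s in range(n - d + 1):
        A[d + s] = gauss_binom(n, d + s, q) * sum(
            (-1) ** (j + s)
            * gauss_binom(d + s, d + j, q)
            * q ** ((s - j) * (s - j - 1) // 2)
            * (q ** (m * (j + 1)) - 1)
            for j in range(s + 1)
        )
    return A

# Example: a [3, 2] MRD code over F_{2^4}
A = mrd_weight_distribution(3, 2, 2, 4)
```

For these illustrative parameters the weights sum to 2^8 = 256, and the number of full-rank codewords A_3 exceeds q^{m(k−1)} = 2^4, as Lemma 8 requires.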
Theorem 10 Let m, ζ, and w be chosen such that

1 − ζ q^{ζw − m} ≥ 1/2.  (18)

Let A be chosen as in Algorithm 3, i.e., uniformly at random from the set of linear [w, ζ]_{q^m} codes that have a basis consisting only of codewords of F_q-rank w. Furthermore, let 2 ≤ t ≤ w − ζ + 2. Then,

Pr[ d_rk,min(A) < t ] ≤ 2 (q^{mζ} − 1) / ((q^m − 1)(q^{mw} − 1)) · Σ_{i=1}^{t−1} [w choose i]_q ∏_{j=0}^{i−1} (q^m − q^j).

Proof We define an alternative random experiment in which a code A′ is chosen uniformly at random from all linear [w, ζ]_{q^m} codes. The sought probability is then given by the conditional probability Pr[ d_rk,min(A′) < t | S ], where S is the event that A′ has a basis of maximal-rank codewords. We derive the result using the relation

Pr[ d_rk,min(A′) < t ] ≥ Pr[ d_rk,min(A′) < t | S ] · Pr[S].  (19)

First note that Lemma 7 gives us

Pr[ d_rk,min(A′) < t ] ≤ (q^{mζ} − 1) / ((q^m − 1)(q^{mw} − 1)) · Σ_{i=1}^{t−1} [w choose i]_q ∏_{j=0}^{i−1} (q^m − q^j).

By Lemma 8, we have Pr[S] ≥ Pr[ A′ is MRD ].
Using [32, Theorem 21], we can lower-bound this probability by

Pr[ A′ is MRD ] ≥ 1 − ζ q^{ζw − m} ≥ 1/2,

where the last inequality follows from (18). The claim follows by combining the two bounds with (19).
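For parameter exploration, the weak-key bound of Theorem 10 can be evaluated exactly with rational arithmetic. The sketch below assumes the bound takes the union-bound form 2 (q^{mζ} − 1)/((q^m − 1)(q^{mw} − 1)) times the number of non-zero vectors of F_q-rank below t in F_{q^m}^w; all function names are illustrative and the parameters are toy values, not proposed LIGA parameters:

```python
from fractions import Fraction

def gauss_binom(n, k, q):
    """Gaussian binomial coefficient [n choose k]_q."""
    if k < 0 or k > n:
        return 0
    num = den = 1
    for i in range(k):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den

def num_rank_i_vectors(w, m, q, i):
    """Number of vectors in F_{q^m}^w of F_q-rank i."""
    cnt = gauss_binom(w, i, q)
    for j in range(i):
        cnt *= q ** m - q ** j
    return cnt

def weak_key_bound(q, m, w, zeta, t):
    """Upper bound on Pr[d_rk,min(A) < t] in the form of Theorem 10."""
    prefactor = Fraction(2 * (q ** (m * zeta) - 1),
                         (q ** m - 1) * (q ** (m * w) - 1))
    return prefactor * sum(num_rank_i_vectors(w, m, q, i) for i in range(1, t))
```

For instance, weak_key_bound(2, 24, 8, 3, 2) is below 2^{−100}, i.e., for these toy parameters a key fails to have minimum rank distance at least 2 only with negligible probability; the bound grows as t increases.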
The last building block for a general bound on the probability that Tr(αz) + e has small rank is the following lemma, which bounds this probability conditioned on the event that Tr(αz) has a given (large) rank.

Lemma 9
Let k_pub = x · G + z be fixed as in Algorithm 4, let α be chosen such that rk_{F_q}(Tr(αz)) = t, and let e be drawn uniformly at random from {a ∈ F_{q^m}^n : rk_q(a) = t_pub}. Then the probability that Tr(αz) + e has large F_q-rank can be lower-bounded via [30, Theorem 1].
Proof Write e_1 := Tr(αz) and e_2 := e, and let E_1, E_2 ∈ F_q^{m×n} be their matrix representations over F_q, with full-rank factorizations E_i = E_i^C · E_i^R. It is clear that rk_{F_q}(e_1 + e_2) = rk_{F_q}(E_1 + E_2) and, since rk_{F_q}(e_1) = rk_{F_q}(E_1) = t and rk_{F_q}(e_2) = rk_{F_q}(E_2) = t_pub, the rank of the sum is determined by how the column and row spaces of E_1 and E_2 intersect. Note that in our probabilistic model, E_1^C and E_1^R are fixed, and it follows easily that E_2^C and E_2^R are random variables that are uniformly distributed on the set of t_pub-dimensional subspaces of F_q^m and F_q^n, respectively, and stochastically independent. The claimed bound then follows from [30, Theorem 1].
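The probabilistic model in the proof of Lemma 9 can be illustrated for q = 2 by a Monte-Carlo sketch: a uniformly random rank-t_pub matrix (generated as a product of uniformly random full-rank factors, which yields the uniform distribution on rank-t_pub matrices) is added to a fixed rank-t matrix, and we estimate how often the sum attains the maximal rank t + t_pub. All parameter values and function names below are illustrative, not taken from the paper:

```python
import random

def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are given as integer bitmasks."""
    rows = list(rows)
    rank = 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            lsb = pivot & -pivot  # lowest set bit of the pivot row
            rows = [r ^ pivot if r & lsb else r for r in rows]
    return rank

def random_rank_t_matrix(m, n, t, rng):
    """Uniformly random m x n matrix over GF(2) of rank exactly t,
    built as a product of uniformly random full-rank m x t and t x n factors."""
    while True:
        A = [rng.getrandbits(t) for _ in range(m)]
        B = [rng.getrandbits(n) for _ in range(t)]
        if gf2_rank(A) == t and gf2_rank(B) == t:
            break
    E = []
    for a in A:  # row i of A*B = XOR of the B-rows selected by the bits of A[i]
        row = 0
        for j in range(t):
            if (a >> j) & 1:
                row ^= B[j]
        E.append(row)
    return E

rng = random.Random(0)
m = n = 12
t, t_pub = 4, 3                            # illustrative, t + t_pub <= min(m, n)
E1 = random_rank_t_matrix(m, n, t, rng)    # plays the role of Tr(alpha*z)
trials, hits = 200, 0
for _ in range(trials):
    E2 = random_rank_t_matrix(m, n, t_pub, rng)  # plays the role of e
    if gf2_rank(r1 ^ r2 for r1, r2 in zip(E1, E2)) == t + t_pub:
        hits += 1
frac = hits / trials
```

In line with the lemma's intuition, the estimated fraction frac is close to 1: the ranks of the fixed and the random summand add up except when their (random) column or row spaces intersect non-trivially, which happens with small probability for these dimensions.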

Theorem 11
Let m, ζ, and w be chosen such that 1 − ζ q^{ζw − m} ≥ 1/2. Choose z of the public key as in Algorithm 3 and let 2 ≤ t ≤ w − ζ + 2. Then, with probability at least

P_strong,key(t) ≥ 1 − 2 (q^{mζ} − 1) / ((q^m − 1)(q^{mw} − 1)) · Σ_{i=1}^{t−1} [w choose i]_q ∏_{j=0}^{i−1} (q^m − q^j),

the public key has the following property: for α ∈ F_{q^{mu}} and e $←− {a ∈ F_{q^m}^n : rk_q(a) = t_pub}, both drawn uniformly at random, the probability Pr[ rk_{F_q}(Tr(αz) + e) ≥ w ] that Tr(αz) + e has F_q-rank at least w is lower-bounded by the product of the bounds from Corollary 1 and Lemma 9.

Remark 2
By the asymptotic analysis in [12], we have

1 − P_strong,key(t) ∈ Θ( q^{−m(w−ζ+2−t)} ).

Since the hidden constant depends strongly on q, this asymptotic value should only be used for a rough estimate of the strong-key probability, and the exact formula in Theorem 11 should be used for parameter design. Nevertheless, the formula shows that 1 − P_strong,key(t) decreases exponentially in m times the difference between w − ζ + 2 and t. Hence, we can usually choose t close to the maximal value w − ζ + 2 to achieve a given designed probability for a key to be strong.
For instance, we can choose t ≈ (w − ζ + 2) − (λ/m) · log_q(2) to achieve P_strong,key(t) ≥ 1 − 2^{−λ}, where λ is the security parameter.
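This rule of thumb can be turned into a one-line computation. The helper below (our naming, illustrative parameter values) returns the largest integer t satisfying (w − ζ + 2) − t ≥ (λ/m) · log_q(2), so that q^{−m(w−ζ+2−t)} ≤ 2^{−λ}:

```python
import math

def max_strong_t(w, zeta, m, lam, q=2):
    """Largest integer t with (w - zeta + 2) - t >= (lam / m) * log_q(2),
    i.e. q^{-m(w - zeta + 2 - t)} <= 2^{-lam} (cf. Remark 2)."""
    slack = (lam / m) * math.log(2, q)
    return math.floor((w - zeta + 2) - slack)
```

For example, w = 30, ζ = 3, m = 64, and security parameter λ = 128 (illustrative numbers only) give slack λ/m = 2 and hence t = 27, two below the maximal value w − ζ + 2 = 29.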