[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Log in

On the security of a Loidreau rank metric code based encryption scheme

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

We present a polynomial time attack of a rank metric code based encryption scheme due to Loidreau for some parameters.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Similar content being viewed by others

Notes

  1. Processor: Intel® Core™ i5-8250U CPU @ 1.60GHz.

References

  1. Baldi M., Bianchi M., Chiaraluce F., Rosenthal J., Schipani D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptol. 29(1), 1–27 (2016). https://doi.org/10.1007/s00145-014-9187-8.

    Article  MathSciNet  MATH  Google Scholar 

  2. Berger T.P.: Isometries for rank distance and permutation group of Gabidulin codes. IEEE Trans. Inform. Theory 49(11), 3016–3019 (2003).

    Article  MathSciNet  Google Scholar 

  3. Bosma W., Cannon J., Playoust C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3/4), 235–265 (1997).

    Article  MathSciNet  Google Scholar 

  4. Bostan, A., Chyzak, F., Giusti, M., Lebreton, R., Lecerf, G., Salvy, B., Schost, E.: Algorithmes Efficaces en Calcul Formel. Frédéric Chyzak (auto-édit.), Palaiseau (Sep 2017), https://hal.archives-ouvertes.fr/AECF/, 686 p. Imprimé par CreateSpace. Aussi disponible en version électronique

  5. Couvreur A., Gaborit P., Gauthier-Umaña V., Otmani A., Tillich J.P.: Distinguisher-based attacks on public-key cryptosystems using Reed–Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014).

    Article  MathSciNet  Google Scholar 

  6. Couvreur, A., Otmani, A., Tillich, J.P., Gauthier-Umaña, V.: A polynomial-time attack on the BBCRS scheme. In: Katz, J. (ed.) Public-Key Cryptography - PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer (2015)

  7. Delsarte P.: Bilinear forms over a finite field, with applications to coding theory. J. Comb. Theory Ser. A 25(3), 226–241 (1978).

    Article  MathSciNet  Google Scholar 

  8. Faugère, J.C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. IACR Cryptology ePrint Archive, Report 2010/331 (2010), http://eprint.iacr.org/

  9. Gabidulin E.M.: Theory of codes with maximum rank distance. Prob. Peredachi Inf. 21(1), 3–16 (1985).

    MathSciNet  MATH  Google Scholar 

  10. Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology - EUROCRYPT’91. pp. 482–489. No. 547 in LNCS, Brighton (1991)

  11. Gaborit, P., Murat, G., Ruatta, O., Zémor, G.: Low rank parity check codes and their application to cryptography. In: Proceedings of the Workshop on Coding and Cryptography WCC’2013. Bergen (2013), www.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf

  12. Loidreau P.: A Welch–Berlekamp like algorithm for decoding Gabidulin codes. In: Ytrehus Ø. (ed.) Coding and Cryptography, pp. 36–45. Springer, Berlin (2006).

    Chapter  Google Scholar 

  13. Loidreau, P.: A new rank metric codes based encryption scheme. In: Post-Quantum Cryptography 2017. LNCS, vol. 10346, pp. 3–17. Springer (2017)

  14. McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab (1978), dSN Progress Report 44

  15. Overbeck R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008).

    Article  MathSciNet  Google Scholar 

Download references

Acknowledgements

The authors express a deep gratitude to the anonymous referees for their very relevant suggestions. The second author was funded by French ANR projects ANR-15-CE39-0013 Manta and ANR-17-CE39-0007 CBCrypt.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Alain Couvreur.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Coding and Cryptography 2019”.

Proof of Proposition 1

Proof of Proposition 1

1.1 Preliminaries on Gaussian binomial coefficients

Notation 1

In what follows, we denote by \({\left[ \begin{array}{c} a \\ b \end{array}\right] }_{q^m}\) the Gaussian binomial coefficient representing the number of subspaces of dimension b of a vector space of dimension a over \({\mathbb {F}}_{q^m}\).

Lemma 8

There exists a positive constant C such that for any pair of positive integers nk such that \(n \geqslant k\), we have

$$\begin{aligned} q^{k(n-k)} \leqslant {\left[ \begin{array}{c} n \\ k \end{array}\right] }_{q} \leqslant C \cdot q^{k(n-k)} . \end{aligned}$$

Proof

By definition of Gaussian binomials, we have

$$\begin{aligned} {\left[ \begin{array}{c} n \\ k \end{array}\right] }_{q} = \prod _{t = 0}^{k-1}\frac{q^n-q^t}{q^k-q^t} = q^{k(n-k)} \prod _{t = 0}^{k-1} \frac{1 - q^{t-n}}{1-q^{t-k}}\cdot \end{aligned}$$

Since \(n \geqslant k \), we get

$$\begin{aligned} \prod _{t=0}^{k-1} \frac{1-q^{t-n}}{1-q^{t-k}} \geqslant 1, \end{aligned}$$

which yields the left hand inequality. To get the other equality, we need to bound from above the product:

$$\begin{aligned} \prod _{t=0}^{k-1} \frac{1-q^{t-n}}{1-q^{t-k}} \leqslant \prod _{t=0}^{k-1} \frac{1}{1-q^{t-k}} = \prod _{j=0}^{k-1} \frac{1}{1 - \frac{1}{q^{j+1}}}, \end{aligned}$$

where the last equality is obtained by applying the change of variables \(j = k-1-t\). Set

$$\begin{aligned} a_k {\mathop {=}\limits ^{\text {def}}}\prod _{j=0}^{k-1} \frac{1}{1 - \frac{1}{q^{j+1}}}\cdot \end{aligned}$$

The sequence \(a_k\) is increasing and converges. Indeed,

$$\begin{aligned} \log (a_k) = \sum _{j=0}^{k-1} - \log \left( 1 - \frac{1}{q^{j+1}}\right) \end{aligned}$$

and the series with general term \(-\log (1 - 1/q^{j+1})\) converges. As a conclusion, the right-hand inequality is obtained by taking

$$\begin{aligned} C {\mathop {=}\limits ^{\text {def}}}\prod _{j=0}^{\infty } \frac{1}{1-\frac{1}{q^{j+1}}}\cdot \end{aligned}$$

\(\square \)

Remark 2

A finer analysis would permit to prove that \(C \leqslant {\left( \frac{q}{q-1} \right) }^{\frac{q}{q-1}}\). In particular, since \(q \geqslant 2\), we have that \(C \leqslant 4\).

1.2 The proof

Let \({\mathscr {C}_{rand }}\) be a subspace of \({\mathbb {F}}_{q^m}^n\) chosen uniformly at random among its subspaces of dimension k. From \({\mathscr {C}_{rand }}\) we build the map

$$\begin{aligned} \Psi :\left\{ \begin{array}{ccc} \overbrace{{\mathscr {C}_{rand }}\times \cdots \times {\mathscr {C}_{rand }}}^{(s+1)\ \text {times}} &{} \longrightarrow &{} {\mathbb {F}}_{q^m}^n \\ (\textit{\textbf{c}}_0, \ldots , \textit{\textbf{c}}_s) &{} \longmapsto &{} \textit{\textbf{c}}_0 + \textit{\textbf{c}}_1^{[1]} + \cdots + \textit{\textbf{c}}_s^{[s]} \end{array} \right. . \end{aligned}$$

The image of this map is \({\mathscr {C}_{rand }}+ {\mathscr {C}_{rand }}^{[1]} + \cdots + {\mathscr {C}_{rand }}^{[s]}\) and hence the dimension of \({\mathscr {C}_{rand }}+ {\mathscr {C}_{rand }}^{[1]} + \cdots + {\mathscr {C}_{rand }}^{[s]}\) is related to the dimension of the kernel of \(\Psi \). Therefore, our approach will consist in estimating \({\mathbb {E}}\left( |\ker \Psi |\right) \).

We have

$$\begin{aligned} {\mathbb {E}}\left( |\ker \Psi |\right) = \sum _{{\mathop {{\textit{\textbf{x}}}_0 + {\textit{\textbf{x}}}_1^{[1]} + \cdots + {\textit{\textbf{x}}}_s^{[s]} =0}\limits ^{({\textit{\textbf{x}}}_0, \ldots , {\textit{\textbf{x}}}_{s}) \in {({\mathbb {F}}_{q^m}^n)}^s}}} {\mathbb {P}}\left( {\textit{\textbf{x}}}_0, \ldots , {\textit{\textbf{x}}}_{s} \in {\mathscr {C}_{rand }}\right) . \end{aligned}$$
(9)

Lemma 9

Let \(\mathscr {A}\) be a subspace of \({\mathbb {F}}_{q^m}^n\) of dimension \(t\leqslant k\). Then

$$\begin{aligned} {\mathbb {P}}\left( \mathscr {A}\subseteq {\mathscr {C}_{rand }}\right) \leqslant C \cdot q^{-mt(n-k)}, \end{aligned}$$

where C is the constant of Lemma 8.

Proof

We have

$$\begin{aligned} {\mathbb {P}}(\mathscr {A} \subseteq {\mathscr {C}_{rand }}) = \frac{{\left[ \begin{array}{c} n- t \\ k - t \end{array}\right] }_{q^m}}{{\left[ \begin{array}{c} n \\ k \end{array}\right] }_{q^m}}\cdot \end{aligned}$$

Using Lemma 8 we get the upper bound,

$$\begin{aligned} {\mathbb {P}}(\mathscr {A} \subseteq {\mathscr {C}_{rand }}) \leqslant C\cdot q^{m(k-t)(n-k)} \cdot q^{-mk(n-k)} = C \cdot q^{-mt(n-k)}. \end{aligned}$$

\(\square \)

For any \(0 \leqslant t \leqslant s+1\), we introduce the set

$$\begin{aligned} E_t {\mathop {=}\limits ^{\text {def}}}\left\{ ({\textit{\textbf{x}}}_0, \dots , {\textit{\textbf{x}}}_s) \in ({\mathbb {F}}_{q^m}^n)^s ~\Bigg |~ \begin{array}{rcl} {\textit{\textbf{x}}}_0 + {\textit{\textbf{x}}}_1^{[1]} +\cdots + {\textit{\textbf{x}}}_s^{[s]} &{}=&{} 0\\ dim _{{\mathbb {F}}_{q^m}}\left\langle {\textit{\textbf{x}}}_0, \ldots , {\textit{\textbf{x}}}_{s}\right\rangle &{}=&{} t \end{array} \right\} \cdot \end{aligned}$$

Thanks to (9) and Lemma 9, we can write that

$$\begin{aligned} {\mathbb {E}}\left( |\ker \Psi |\right) \leqslant C \cdot \sum _{t = 0}^{s + 1} q^{-mt(n-k)} \left| E_t\right| . \end{aligned}$$
(10)

Lemma 10

Let \(1 \leqslant t \leqslant k-1\). Then,

$$\begin{aligned} \left| E_t\right| \leqslant C \cdot q^{(mt+n)(s+1-t)+mn(t-1)}. \end{aligned}$$

Proof

Let \(({\textit{\textbf{x}}}_0, \ldots , {\textit{\textbf{x}}}_s) \in E_t\). Since the \({\textit{\textbf{x}}}_i\)’s span a space of dimension t, there exists a unique \((s+1-t)\times (s+1)\) full rank matrix \(\textit{\textbf{M}}\) in reduced echelon form with entries in \({\mathbb {F}}_{q^m}\) such that

$$\begin{aligned} \textit{\textbf{M}} \cdot \left( \begin{array}{ccc} &{} {\textit{\textbf{x}}}_0 &{} \\ \hline &{} \vdots &{} \\ \hline &{} {\textit{\textbf{x}}}_s &{} \end{array} \right) = 0. \end{aligned}$$
(11)

Let us count the number of possible \((s+1)\)–tuples \(({\textit{\textbf{x}}}_0, \dots , {\textit{\textbf{x}}}_s)\) satisfying (11) and such that \({\textit{\textbf{x}}}_0 + {\textit{\textbf{x}}}_1^{[1]} +\cdots + {\textit{\textbf{x}}}_s^{[s]} = 0\). For any \(1 \leqslant i \leqslant n\), we have

$$\begin{aligned}&x_{0,i} + x_{1,i}^q + \cdots + x_{s,i}^{q^s} = 0 \end{aligned}$$
(12)
$$\begin{aligned}&\mathrm{and} \qquad \textit{\textbf{M}}\cdot \left( \begin{array}{c} x_{0,i}\\ \vdots \\ x_{s,i} \end{array} \right) =0 \end{aligned}$$
(13)

Let us label the columns of \(\textit{\textbf{M}}\) from 0 to s. Let \({\mathcal {P}} \subseteq \{0, \ldots , s\}\) be the set of indices of columns which are pivots for \(\textit{\textbf{M}}\) and \({\mathcal {P}}^c\) its complementary. We denote by a the smallest element of \({\mathcal {P}}^c\). Notice that

$$\begin{aligned} |{\mathcal {P}}^c| =t \qquad \mathrm{and} \qquad a \leqslant s+1-t. \end{aligned}$$
(14)

In (12), we can eliminate any \(x_{j,i}\) where \(j\in {\mathcal {P}}\) using (13). By this manner we get an expression depending only on the \(x_{j,i}\)’s for \(j \in {\mathcal {P}}^c\). If we fix the value of the \(x_{r, i}\)’s for any \(r \in {\mathcal {P}}^c \setminus \{a\}\), we obtain an equation of the form

$$\begin{aligned} Q(x_{a, i}) = 0, \end{aligned}$$

where Q is a q–polynomial of q–degree at most a. There are then at most \(q^{a}\) possible values for \(x_{a, i}\) for any choice of the elements \(x_{r,i}\) with \(r \in {\mathcal {P}}^c \setminus \{i\}\). Using (14) we deduce that there are at most

$$\begin{aligned} q^{m(t-1) + a} \leqslant q^{m(t-1) + s+1-t} \end{aligned}$$

possible choices for the tuple \((x_{0, i}, \dots , x_{s,i})\). Consequently, Eq. (11) has at most \(q^{mn(t-1) + n(s+1-t)}\) solutions.

Finally, since the full rank \((s+1-t)\times (s+1)\) matrices in row echelon form are in one–to–one correspondence with t–dimensional subspaces of \({\mathbb {F}}_{q^m}^{s+1}\) there are \({\left[ \begin{array}{c} s+1 \\ t \end{array}\right] }_{q^m}\) possible choices for \(\textit{\textbf{M}}\). Using Lemma 8, we deduce the result. \(\square \)

Combining (10) and Lemma 10, we get

$$\begin{aligned} \begin{aligned} {\mathbb {E}}\left( |\ker \Psi |\right)&\leqslant C^2 \cdot \sum _{t=0}^{s+1} q^{-mt(n-k) + (mt+n)(s+1-t)+mn(t-1)}\\&\leqslant C^2 \cdot q^{m(k(s+1)-n)} \cdot \sum _{t=0}^{s+1} q^{(s+1-t)(mt+n-mk)}. \end{aligned} \end{aligned}$$

By assumption (in the statement of Proposition 1), we have \(s < k\). Next, since \(n \leqslant m\), we see that the exponents in the above sum are all less than or equal 0. More precisely,

$$\begin{aligned} \begin{aligned} \sum _{t=0}^{s+1} q^{(s+1-t)(mt+n-mk)}&\leqslant 2 + \sum _{t=0}^{s-1} q^{(s+1-t)(mt+n-mk)}\\&\leqslant 2 + \sum _{t=0}^{s-1}q^{-m(s+1-t)}\\&\leqslant 2 + \sum _{i=0}^{s-1} q^{-m(i+2)} \leqslant 2 + \frac{q^{-2m}}{1 - q^{-m}}\cdot \end{aligned} \end{aligned}$$

Consequently, we have the following result.

Proposition 5

There is a positive constant \(C'\) such that

$$\begin{aligned} {\mathbb {E}}\left( |\ker \Psi |\right) \leqslant C' \cdot q^{m(k(s+1)-n)}. \end{aligned}$$

To conclude the proof of Proposition 1, suppose that

$$\begin{aligned} \dim _{{\mathbb {F}}_{q^m}} {\mathscr {C}_{rand }}+ {\mathscr {C}_{rand }}^{[1]}+\cdots +{\mathscr {C}_{rand }}^{[s]} \leqslant \min \{k(s+1), n\} - a. \end{aligned}$$

This means that

$$\begin{aligned} \dim _{{\mathbb {F}}_{q^m}} \ker \Psi \geqslant \max \{0, k(s+1) - n\} + a. \end{aligned}$$

Using Markov inequality together with Proposition 5, we get

$$\begin{aligned} \begin{aligned} {\mathbb {P}}\Big ( |\ker \Psi | \geqslant&\ q^{m(\max \{0, k(s+1) - n\} + a)} \Big )\\&\qquad \leqslant C' \cdot \frac{q^{m(k(s+1)-n)}}{ q^{m(\max \{0, k(s+1) - n\} + a)}}\\&\qquad \leqslant C' \cdot q^{-ma}. \end{aligned} \end{aligned}$$

This concludes the proof.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Coggia, D., Couvreur, A. On the security of a Loidreau rank metric code based encryption scheme. Des. Codes Cryptogr. 88, 1941–1957 (2020). https://doi.org/10.1007/s10623-020-00781-4

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-020-00781-4

Keywords

Mathematics Subject Classification

Navigation