Abstract
We present a polynomial time attack of a rank metric code based encryption scheme due to Loidreau for some parameters.
Similar content being viewed by others
Notes
Processor: Intel® Core™ i5-8250U CPU @ 1.60GHz.
References
Baldi M., Bianchi M., Chiaraluce F., Rosenthal J., Schipani D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptol. 29(1), 1–27 (2016). https://doi.org/10.1007/s00145-014-9187-8.
Berger T.P.: Isometries for rank distance and permutation group of Gabidulin codes. IEEE Trans. Inform. Theory 49(11), 3016–3019 (2003).
Bosma W., Cannon J., Playoust C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3/4), 235–265 (1997).
Bostan, A., Chyzak, F., Giusti, M., Lebreton, R., Lecerf, G., Salvy, B., Schost, E.: Algorithmes Efficaces en Calcul Formel. Frédéric Chyzak (auto-édit.), Palaiseau (Sep 2017), https://hal.archives-ouvertes.fr/AECF/, 686 p. Imprimé par CreateSpace. Aussi disponible en version électronique
Couvreur A., Gaborit P., Gauthier-Umaña V., Otmani A., Tillich J.P.: Distinguisher-based attacks on public-key cryptosystems using Reed–Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014).
Couvreur, A., Otmani, A., Tillich, J.P., Gauthier-Umaña, V.: A polynomial-time attack on the BBCRS scheme. In: Katz, J. (ed.) Public-Key Cryptography - PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer (2015)
Delsarte P.: Bilinear forms over a finite field, with applications to coding theory. J. Comb. Theory Ser. A 25(3), 226–241 (1978).
Faugère, J.C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. IACR Cryptology ePrint Archive, Report 2010/331 (2010), http://eprint.iacr.org/
Gabidulin E.M.: Theory of codes with maximum rank distance. Prob. Peredachi Inf. 21(1), 3–16 (1985).
Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology - EUROCRYPT’91. pp. 482–489. No. 547 in LNCS, Brighton (1991)
Gaborit, P., Murat, G., Ruatta, O., Zémor, G.: Low rank parity check codes and their application to cryptography. In: Proceedings of the Workshop on Coding and Cryptography WCC’2013. Bergen (2013), www.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf
Loidreau P.: A Welch–Berlekamp like algorithm for decoding Gabidulin codes. In: Ytrehus Ø. (ed.) Coding and Cryptography, pp. 36–45. Springer, Berlin (2006).
Loidreau, P.: A new rank metric codes based encryption scheme. In: Post-Quantum Cryptography 2017. LNCS, vol. 10346, pp. 3–17. Springer (2017)
McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab (1978), dSN Progress Report 44
Overbeck R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008).
Acknowledgements
The authors express a deep gratitude to the anonymous referees for their very relevant suggestions. The second author was funded by French ANR projects ANR-15-CE39-0013 Manta and ANR-17-CE39-0007 CBCrypt.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Coding and Cryptography 2019”.
Proof of Proposition 1
Proof of Proposition 1
1.1 Preliminaries on Gaussian binomial coefficients
Notation 1
In what follows, we denote by \({\left[ \begin{array}{c} a \\ b \end{array}\right] }_{q^m}\) the Gaussian binomial coefficient representing the number of subspaces of dimension b of a vector space of dimension a over \({\mathbb {F}}_{q^m}\).
Lemma 8
There exists a positive constant C such that for any pair of positive integers n, k such that \(n \geqslant k\), we have
Proof
By definition of Gaussian binomials, we have
Since \(n \geqslant k \), we get
which yields the left hand inequality. To get the other equality, we need to bound from above the product:
where the last equality is obtained by applying the change of variables \(j = k-1-t\). Set
The sequence \(a_k\) is increasing and converges. Indeed,
and the series with general term \(-\log (1 - 1/q^{j+1})\) converges. As a conclusion, the right-hand inequality is obtained by taking
\(\square \)
Remark 2
A finer analysis would permit to prove that \(C \leqslant {\left( \frac{q}{q-1} \right) }^{\frac{q}{q-1}}\). In particular, since \(q \geqslant 2\), we have that \(C \leqslant 4\).
1.2 The proof
Let \({\mathscr {C}_{rand }}\) be a subspace of \({\mathbb {F}}_{q^m}^n\) chosen uniformly at random among its subspaces of dimension k. From \({\mathscr {C}_{rand }}\) we build the map
The image of this map is \({\mathscr {C}_{rand }}+ {\mathscr {C}_{rand }}^{[1]} + \cdots + {\mathscr {C}_{rand }}^{[s]}\) and hence the dimension of \({\mathscr {C}_{rand }}+ {\mathscr {C}_{rand }}^{[1]} + \cdots + {\mathscr {C}_{rand }}^{[s]}\) is related to the dimension of the kernel of \(\Psi \). Therefore, our approach will consist in estimating \({\mathbb {E}}\left( |\ker \Psi |\right) \).
We have
Lemma 9
Let \(\mathscr {A}\) be a subspace of \({\mathbb {F}}_{q^m}^n\) of dimension \(t\leqslant k\). Then
where C is the constant of Lemma 8.
Proof
We have
Using Lemma 8 we get the upper bound,
\(\square \)
For any \(0 \leqslant t \leqslant s+1\), we introduce the set
Thanks to (9) and Lemma 9, we can write that
Lemma 10
Let \(1 \leqslant t \leqslant k-1\). Then,
Proof
Let \(({\textit{\textbf{x}}}_0, \ldots , {\textit{\textbf{x}}}_s) \in E_t\). Since the \({\textit{\textbf{x}}}_i\)’s span a space of dimension t, there exists a unique \((s+1-t)\times (s+1)\) full rank matrix \(\textit{\textbf{M}}\) in reduced echelon form with entries in \({\mathbb {F}}_{q^m}\) such that
Let us count the number of possible \((s+1)\)–tuples \(({\textit{\textbf{x}}}_0, \dots , {\textit{\textbf{x}}}_s)\) satisfying (11) and such that \({\textit{\textbf{x}}}_0 + {\textit{\textbf{x}}}_1^{[1]} +\cdots + {\textit{\textbf{x}}}_s^{[s]} = 0\). For any \(1 \leqslant i \leqslant n\), we have
Let us label the columns of \(\textit{\textbf{M}}\) from 0 to s. Let \({\mathcal {P}} \subseteq \{0, \ldots , s\}\) be the set of indices of columns which are pivots for \(\textit{\textbf{M}}\) and \({\mathcal {P}}^c\) its complementary. We denote by a the smallest element of \({\mathcal {P}}^c\). Notice that
In (12), we can eliminate any \(x_{j,i}\) where \(j\in {\mathcal {P}}\) using (13). By this manner we get an expression depending only on the \(x_{j,i}\)’s for \(j \in {\mathcal {P}}^c\). If we fix the value of the \(x_{r, i}\)’s for any \(r \in {\mathcal {P}}^c \setminus \{a\}\), we obtain an equation of the form
where Q is a q–polynomial of q–degree at most a. There are then at most \(q^{a}\) possible values for \(x_{a, i}\) for any choice of the elements \(x_{r,i}\) with \(r \in {\mathcal {P}}^c \setminus \{i\}\). Using (14) we deduce that there are at most
possible choices for the tuple \((x_{0, i}, \dots , x_{s,i})\). Consequently, Eq. (11) has at most \(q^{mn(t-1) + n(s+1-t)}\) solutions.
Finally, since the full rank \((s+1-t)\times (s+1)\) matrices in row echelon form are in one–to–one correspondence with t–dimensional subspaces of \({\mathbb {F}}_{q^m}^{s+1}\) there are \({\left[ \begin{array}{c} s+1 \\ t \end{array}\right] }_{q^m}\) possible choices for \(\textit{\textbf{M}}\). Using Lemma 8, we deduce the result. \(\square \)
Combining (10) and Lemma 10, we get
By assumption (in the statement of Proposition 1), we have \(s < k\). Next, since \(n \leqslant m\), we see that the exponents in the above sum are all less than or equal 0. More precisely,
Consequently, we have the following result.
Proposition 5
There is a positive constant \(C'\) such that
To conclude the proof of Proposition 1, suppose that
This means that
Using Markov inequality together with Proposition 5, we get
This concludes the proof.
Rights and permissions
About this article
Cite this article
Coggia, D., Couvreur, A. On the security of a Loidreau rank metric code based encryption scheme. Des. Codes Cryptogr. 88, 1941–1957 (2020). https://doi.org/10.1007/s10623-020-00781-4
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-020-00781-4