Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Encryption schemes based on the rank metric lead to small public key sizes, of the order of a few thousand bytes, which is a very attractive feature compared to Hamming metric-based encryption schemes, where public key sizes are of the order of hundreds of thousands of bytes even with additional structure such as cyclicity. The main tool for building public key encryption schemes in the rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked, essentially by the use of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of a few kilobytes and with security closely related to the linearized polynomial reconstruction problem, which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and, until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break in a few seconds parameters with -bit security claim. Our work also shows that some parameters are not affected by our attack, but at the cost of a loss of efficiency for the underlying schemes.
Key words and phrases: Post-quantum cryptography; Gabidulin code; Polynomial reconstruction; Faure-Loidreau scheme.
McEliece encryption setting.
Post-quantum cryptography aims at proposing schemes that resist a hypothetical quantum computer. It increasingly represents a serious alternative to classical cryptography based on the discrete logarithm problem and the factorization problem. McEliece opened the way to code-based cryptography by proposing the first post-quantum (public-key encryption) scheme [McE78]. The McEliece cryptosystem is in fact an encryption setting which relies on the hiding of a particular class of decodable codes. The algorithmic assumption underlying the security is the difficulty of solving the closest vector problem in the Hamming metric for the particular class of masked decodable codes on which the scheme relies. Over the years many variants of the McEliece cryptosystem were proposed with different families of codes, and many were broken by recovering the structure of the masked codes. However, the original family of codes proposed by McEliece, the binary Goppa codes, essentially remains unattacked. The resistance to structural attacks, which try to recover the structure of the masked codes, is the main potential weakness of this setting. For instance the highly structured Reed-Solomon codes are difficult to mask, and most McEliece variants relying on Reed-Solomon codes or variations of Reed-Solomon codes have been broken.
Rank metric cryptography.
The McEliece cryptosystem setting is very versatile and only needs a decodable family of codes along with a particular masking technique for codes. Hence this approach can also be used with a metric other than the classical Hamming metric. An important metric emerging in cryptography is the rank metric, which considers the ambient space , where is a (finite) field and and are positive integers, as the space of matrices, so that we can associate a rank to any vector from . By viewing any finite extension of finite fields as a linear space over of dimension , then for any positive integer the ambient space can also be viewed as the space of matrices. In [GPT91] Gabidulin, Paramonov and Tretjakov proposed the first rank-metric based encryption scheme. This scheme can be seen as an analog of McEliece's, but based on the class of Gabidulin codes.
The main interest of the rank metric is that the time complexity of the best known generic attacks for the rank metric grows faster with the size of the parameters than for the Hamming metric. In practice, without additional structure like cyclicity, it means that it is possible to obtain public key sizes for the rank metric of only a few thousand bytes, whereas hundreds of thousands of bytes are needed for the Hamming metric.
An important operation in the key generation of the GPT cryptosystem is the masking phase, where the secret Gabidulin code undergoes a transformation to mask its inherent algebraic structure. This transformation is a probabilistic algorithm that adds some randomness to its input . Originally, the authors in [GPT91] proposed to use a distortion transformation that outputs (a generator matrix of) the code , where is a random code with a prescribed dimension . The presence of has however an impact: the sender has to add an error vector whose rank weight is , where is the error correction capability of the . Hence, roughly speaking, the hiding phase publishes a degraded code in terms of error correction.
Gabidulin codes are often seen as the equivalent of Reed-Solomon codes because, like them, they are highly structured. That is the reason why their use in the GPT cryptosystem has been the subject of several attacks. Gibson was the first to prove the weakness of the system through a series of successful attacks [Gib95, Gib96]. Following these failures, the first works which modified the GPT scheme to avoid Gibson's attack were published in [GO01, GOHA03]. The idea is to hide the structure of the Gabidulin code further by considering isometries for the rank metric. Consequently, a right column scrambler is introduced, which is an invertible matrix with its entries in the base field while the ambient space of the Gabidulin code is . But Overbeck designed in [Ove05b, Ove05a, Ove08] a more general attack that dismantled all the existing modified GPT cryptosystems. His approach consists in applying an operator which applies times the Frobenius operation on the public generator matrix . The dimension increases by each time the Frobenius is applied. Therefore by taking the codimension becomes if is the rank of . This phenomenon is clearly a distinguishing property of a Gabidulin code which cannot be encountered, for instance, with a random linear code, where the dimension would increase by for each use of the Frobenius operator.
Overbeck's attack crucially uses two important facts, namely that the column scrambler matrix is defined on the base field and that the codimension of is equal to . Several works then proposed to resist this attack either by taking special random codes so that the second property is not true, as in [Loi10, RGH10], or by taking a column scrambler matrix defined over the extension field , as in [Gab08, GRH09, RGH11].
But recently in [OTKN16] it was shown that even if the column scrambler is defined on the extension field as in [Gab08, GRH09, RGH11], by using precisely Overbeck's technique it is still possible to recover very efficiently a secret Gabidulin code whose error correction is certainly strictly less than the error correction of the original secret Gabidulin code, but still strictly greater than the number of added errors . In other words, an attacker is still able to decrypt any ciphertext and consequently, all schemes based on Gabidulin codes presented in [Gab08, GRH09, RGH11] are actually not secure.
Besides the McEliece setting used with Gabidulin codes, Faure and Loidreau proposed in [FL05] another approach for designing a rank-metric encryption scheme based on Gabidulin codes. The scheme was supposed to be secure under the assumption that the linearized polynomial reconstruction problem (in [FL05] the problem is termed the -polynomial reconstruction problem) is intractable. This scheme follows the works done in [AF03, AFL03], where a public-key encryption scheme is defined that relies on the polynomial reconstruction problem, which corresponds to the decoding problem of Reed-Solomon codes. The Polynomial Reconstruction (PR) problem is the following: given two -tuples and and parameters , recover all polynomials of degree less than such that for at most distinct indices . The public key is then a noisy random codeword from a Reed-Solomon code, where the (Hamming) weight of the error is greater than the decoding capability of the Reed-Solomon code. However, these schemes have undergone polynomial-time attacks in [Cor03, Cor04, KY04]. The authors in [FL05] proposed an analog of the Augot-Finiasz scheme, but in the rank-metric context. The security of [FL05] is related to the difficulty of solving -polynomial reconstruction, which actually corresponds to the decoding problem of a Gabidulin code beyond its error-correcting capability. After Overbeck's attack, the parameters proposed in [FL05] were updated in [Loi07, Chap. 7] in order to resist it.
We show in this article that the Faure-Loidreau scheme is vulnerable to a structural polynomial-time attack that recovers the private key from the public key. Based in part on the security analysis given in [Loi07, Chap. 7], we show that by applying Overbeck's attack on an appropriate public code, an attacker can recover the private key very efficiently, assuming only a mild condition on the code, which was always true in all our experiments.
Informally, the Faure-Loidreau encryption scheme considers three finite fields . The rank weight of vectors is computed over the field . The public key is then composed of a Gabidulin code of dimension and length defined by a matrix , with and , where is some vector in and is a vector of with (rank) weight . Both vectors and have to be kept secret, but from the attacker's point of view the private key is essentially , since can be deduced from it.
Our attack uses the Frobenius operator, introduced by Overbeck, which takes as input any vector space and integer in order to construct the vector space defined as
The first step of the attack considers a basis of viewed as a vector space over of dimension and defines the vectors . Our main result shows that the system can be broken in polynomial time and can be stated as follows:
If the -vector space generated by denoted by satisfies the property
then the private key can be recovered from with operations in the field .
Notice that if behaves as a random code then the condition (1) generally holds. We implemented our attack on the parameters given in [FL05, Loi07] for -bit security, which were broken in a few seconds. A necessary condition for (1) to be true is to choose , that is to say
The attack presented in this paper is very similar to the approach proposed in [LO06], where the authors seek to decode several noisy codewords of a Gabidulin code. Let us assume that we received words from , where each is written as with belonging to a Gabidulin code of dimension and length over and the 's are vectors from . Let us denote by the matrix of size formed by the 's and let be the dimension of the -vector space generated by the columns of . The authors show that when , Overbeck's technique recovers the codewords in operations. It therefore provides a method that decodes a Gabidulin code beyond the classical error-correcting limit . This approach can be used here to attack the Faure-Loidreau scheme [FL05] because the vectors can be written as , where the belong to the Gabidulin code generated by , and the matrix formed by the satisfies , which in turn has to verify .
Vectors from where is a field are denoted by boldface letters as . The concatenation of two vectors and is denoted by . The set of matrices with entries in having rows and columns is denoted by and the subset of invertible matrices form the general linear group denoted by . A linear code of length over a field is a linear subspace of . An element of a code is called a codeword and a matrix whose rows form a basis is called a generator matrix. The dual of a code is the linear space denoted by containing vectors such that:
Any generator matrix of is called a parity-check matrix of .
The finite field with elements is denoted by where is a power of a prime number . The trace operator of over is the -linear map defined for any in by
Let be a basis of over . The dual basis, also called the trace-orthogonal basis, of is a basis of over such that for any and in
where and when . Note that there always exists a dual basis and, furthermore, it is possible to express any from as
Any univariate polynomial of the form , where , is called a -linearised polynomial and is its -degree.
Any map is naturally extended to vectors by . This applies in particular to the cases where is a polynomial or is the Frobenius (and trace) operator. For any subsets and , the notation represents the set . For any subfield and any from , the -vector space generated by is denoted by . For any and for any , the notation is used to denote the set . For any subset and any integer we define as the set of vectors where ranges over . Note that when is a vector space then is also a linear subspace of .
The rank weight of denoted by is the dimension of the -vector space generated by , or equivalently
Note that for any with there exists in and such that and .
Finally, an algorithm is said to decode errors in a code if for any and for any such that we have . Generally, we call such a vector an error vector.
3. Gabidulin Codes
We now introduce an important family of codes known for having an efficient decoding algorithm for the rank metric.
Definition 3 (Gabidulin code).
Let in such that . The Gabidulin code of length and dimension is the -linear subspace of defined by
Equivalently, a generator matrix of is given by where
Gabidulin codes are known to possess a fast decoding algorithm that can decode errors of weight provided that . Furthermore the dual of a Gabidulin code is also a Gabidulin code (see for instance [Gab85, GPT91, Ber03]).
The dual of is the Gabidulin code where belongs to and .
We also have the following proposition.
For any in and for any Gabidulin code with then
The proof of this proposition comes directly from the fact that for any positive integer , and for any in ,
We gather important algebraic properties about Gabidulin codes in order to explain why many attacks occur when the underlying code is a Gabidulin code . One key property is that Gabidulin codes can be easily distinguished from random linear codes. This singular behaviour has been precisely exploited by Overbeck [Ove05b, Ove05a, Ove08] to mount attacks. For that purpose we introduce the operator defined for any linear vector subspace by
This operator can also be defined over matrices in an obvious manner. For instance a generator matrix of is . This implies in particular the next proposition.
For any , which implies in particular that
The importance of Proposition 6 becomes clear when we compare it to the case of random codes.
Let be a code generated by a randomly drawn matrix from ; then with high probability
Another way of understanding the previous proposition is to observe that if is a random code then , whereas for Gabidulin codes we would obtain
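The following Python script, added here as an illustration and not taken from the paper, makes Propositions 6 and 7 concrete: it builds a Gabidulin generator matrix over GF(2^8) from the standard definition (row i is g^[i] = (g_1^{q^i}, ..., g_n^{q^i}) with the g_j linearly independent over GF(q)), applies the Frobenius operator, and compares how the dimension of Λ_f grows for the Gabidulin code and for a random code. The field, the parameters (q = 2, n = m = 8, k = 3) and the seed used for the random code are constructed choices for the demonstration.

```python
import random

# Arithmetic in GF(2^8) = GF(q^m) with q = 2, m = 8, using the irreducible
# polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).  Field elements are ints 0..255.
POLY = 0x11B
M = 8

def gf_mul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= POLY
    return r

def gf_inv(a):
    """Inverse of a nonzero element: a^(2^8 - 2) = a^254."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def frobenius(a, i=1):
    """i-fold Frobenius a -> a^(q^i); here q = 2, so this is i squarings."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def rank(rows):
    """Rank over GF(2^8) of a list of rows, by Gaussian elimination."""
    rows = [r[:] for r in rows]
    rk = 0
    for c in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(rk, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = gf_inv(rows[rk][c])
        rows[rk] = [gf_mul(inv, x) for x in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][c]:
                f = rows[i][c]
                rows[i] = [x ^ gf_mul(f, y) for x, y in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def gabidulin_generator(g, k):
    """Generator matrix of Gab_k(g): row i is g^[i] = (g_1^(q^i), ..., g_n^(q^i)).
    The g_j must be linearly independent over GF(q)."""
    return [[frobenius(x, i) for x in g] for i in range(k)]

def random_generator(k, n, seed):
    """A k x n matrix with uniformly random entries (seeded for reproducibility)."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(n)] for _ in range(k)]

def lambda_dim(G, f):
    """Dimension of Lambda_f(C) = C + C^[1] + ... + C^[f], C the row space of G."""
    stacked = [[frobenius(x, i) for x in row] for i in range(f + 1) for row in G]
    return rank(stacked)

def looks_gabidulin(G):
    """Overbeck's distinguisher: one Frobenius step grows the dimension by only 1
    for a Gabidulin code, but by about k for a random code (Propositions 6 and 7)."""
    k = rank(G)
    return lambda_dim(G, 1) == k + 1

# Constructed parameters for the demo: n = m = 8, k = 3.  The elements
# 1, x, x^2, ..., x^7 (ints 1, 2, 4, ..., 128) form a basis of GF(2^8) over GF(2),
# so they are linearly independent over GF(q) as the definition requires.
G_BASIS = [1 << j for j in range(8)]

if __name__ == "__main__":
    G = gabidulin_generator(G_BASIS, 3)
    R = random_generator(3, 8, seed=2017)
    for f in range(0, 6):
        print(f"f={f}: dim Lambda_f(Gabidulin) = {lambda_dim(G, f)},"
              f" dim Lambda_f(random) = {lambda_dim(R, f)}")
    print("Gabidulin-like?", looks_gabidulin(G), looks_gabidulin(R))
```

For the Gabidulin code the dimension of Λ_f is exactly k + f as long as k + f ≤ n, and reaches the full space at f = n − k; the random code already fills most of the space after one Frobenius step.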
4. Faure-Loidreau Encryption Scheme
Throughout this section, besides the fields and , another field is considered, where is the extension of of degree , and three integers , and such that and
Pick at random with and let be the generator matrix of as in (5)
Pick at random such that form a basis of over
Generate randomly with and and then compute defined as
The private key is and the public key is where
A plaintext here is a vector belonging to such that when . To encrypt then one randomly generates and such that . The ciphertext is the vector defined by
The receiver computes first that is to say
Let be the matrix obtained by removing the first columns of and let and be respectively the restriction of and to the last coordinates. We then have
Using the fact that generates a Gabidulin code of length and dimension , and since , it is possible to recover by applying a decoding algorithm. Since by construction is chosen so that when , then by choosing a dual basis of , the value of can be computed as follows
Once is recovered, the plaintext is then equal to .
5. Polynomial-Time Key Recovery Attack when
In this section, we show that it is possible to recover an alternative private key from the public data and when the condition holds. We start by remarking that if an attacker is able to find a matrix and such that
then it can fully recover by solving only the last equations of the following linear system (see Algorithm 1 for more details)
In the sequel, we describe a way to obtain by finding such a matrix . The first step is to consider a basis of viewed as a vector space over of dimension . For any we set . Lastly, let be the (public) code generated by and , that is to say
is defined by the generator matrix where
For all let us set and . By construction, we also have the equality
Let us define then we have
Set . It is sufficient to use Proposition 5 and to observe that
Let and assume that . The code is then of dimension generated by where and .
Furthermore, for any with and for any such that
where , there exists with such that .
Let us decompose as where and . Let be the matrix where the -th row is composed by the first components of . Note that where is defined as in (18) is a generator matrix of , and the following equality holds
Hence is a generator matrix of the code which satisfies the equality
The fact that generates a Gabidulin code implies that
Consequently, there exists with that satisfies . Furthermore, the equality holds, which implies that
This means that actually generates the full space , which is equivalent to saying that generates .
For the second part of the proposition, let be any element from with and let be in such that (20) holds for some in . There exists an element in such that . Consider matrices , and such that and so that we have
We have then the following equalities
It follows from (22) that and hence since . So we can write
We deduce that and consequently, we get
So by letting we have proved the proposition. ∎
Proposition 11 shows that an equivalent key can be found in polynomial time by simply using a nonzero element of . We now prove our main result stated in the introduction, which shows the weakness of the system.
If the -vector space generated by denoted by satisfies the property
then the private key can be recovered from with operations in the field
Firstly, note that from (19) we know that . Algorithm 1 gives the full description of the attack and provides a proof of Theorem 1. Indeed, the attack consists in picking any codeword from and then, by Gaussian elimination, we transform so that there exists for which we have
where . From Proposition 11 we know that is an equivalent key that gives an equality of the form (16), and therefore it is possible to find by solving a linear system. Lastly, the time complexity comes from the fact that the operations involved are essentially Gaussian eliminations over square matrices with columns and entries in . ∎
An important assumption for the success of the attack is that , which was always true in all our experiments. This assumption is true if and only if the equality holds, which requires , or equivalently
Assuming that behaves as a random code, then would hold with high probability as long as (23) is true. The parameters proposed in [Loi07] satisfy (23). Furthermore, the analysis given in [Loi07] requires taking . We implemented the attack with Magma V2.21-6 and the secret key was found in less than second, confirming the efficiency of the approach.
Let us observe that taking implies for to be very small since we have
For instance, with the parameters proposed in [Loi07] we would have . Consequently the values of , and have to be changed so that general decoding attacks fail [GRS16]. Let us notice that this situation is quite similar to the counter-measures proposed in [RGH10, Loi10] to resist Overbeck's attack. But the strength of this repair deserves a thorough analysis.
Faure and Loidreau proposed a rank-metric encryption scheme based on Gabidulin codes related to the problem of the linearized polynomial reconstruction. We showed that the scheme is vulnerable to a polynomial-time key recovery attack by using Overbeck’s techniques applied on an appropriate public code.
Our attack assumes that parameters are chosen so that , which was always the case in [FL05, Loi07]. We have also seen that taking requires choosing , which further exposes the system to general decoding attacks like [GRS16]. Hence it forces an increase of the key sizes and consequently reduces the practicability of the scheme, while offering no assurance that the scheme is still secure. The best choice from a designer's point of view would be to take as small as possible, but a thorough analysis has to be undertaken in light of the connections with the repairs proposed in [RGH10, Loi10]. This point is left as an open question in our paper, and breaking this kind of parameters would arguably lead to a cryptanalysis of [RGH10, Loi10], and to an algorithm that decodes Gabidulin codes beyond the bound .
The authors would like to thank Pierre Loidreau for helpful discussions and for bringing reference [LO06] to our attention.
- [AF03] Daniel Augot and Matthieu Finiasz. A public key encryption scheme based on the polynomial reconstruction problem. In Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Comput. Sci., pages 229–240. Springer, 2003.
- [AFL03] Daniel Augot, Matthieu Finiasz, and Pierre Loidreau. Using the trace operator to repair the polynomial reconstruction based cryptosystem presented at EUROCRYPT 2003. IACR Cryptology ePrint Archive, 2003:209, 2003.
- [Ber03] Thierry P. Berger. Isometries for rank distance and permutation group of Gabidulin codes. IEEE Trans. Inform. Theory, 49(11):3016–3019, 2003.
- [CGG14] Alain Couvreur, Philippe Gaborit, Valérie Gauthier-Umaña, Ayoub Otmani, and Jean-Pierre Tillich. Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr., 73(2):641–666, 2014.
- [Cor03] Jean-Sébastien Coron. Cryptanalysis of the repaired public-key encryption scheme based on the polynomial reconstruction problem. IACR Cryptology ePrint Archive, 2003:219, 2003.
- [Cor04] Jean-Sébastien Coron. Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. In Public Key Cryptography - PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1-4, 2004, pages 14–27, 2004.
- [COT14] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. Polynomial time attack on wild McEliece over quadratic extensions. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of Lecture Notes in Comput. Sci., pages 17–39. Springer Berlin Heidelberg, 2014.
- [FL05] Cédric Faure and Pierre Loidreau. A new public-key cryptosystem based on the problem of reconstructing p-polynomials. In Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 14-18, 2005. Revised Selected Papers, pages 304–315, 2005.
- [Gab85] Ernest Mukhamedovich Gabidulin. Theory of codes with maximum rank distance. Problemy Peredachi Informatsii, 21(1):3–16, 1985.
- [Gab08] Ernst M. Gabidulin. Attacks and counter-attacks on the GPT public key cryptosystem. Des. Codes Cryptogr., 48(2):171–177, 2008.
- [Gib95] Keith Gibson. Severely denting the Gabidulin version of the McEliece public key cryptosystem. Des. Codes Cryptogr., 6(1):37–45, 1995.
- [Gib96] Keith Gibson. The security of the Gabidulin public key cryptosystem. In Ueli Maurer, editor, Advances in Cryptology - EUROCRYPT ’96, volume 1070 of Lecture Notes in Comput. Sci., pages 212–223. Springer, 1996.
- [GO01] Ernst M. Gabidulin and Alexei V. Ourivski. Modified GPT PKC with right scrambler. Electron. Notes Discrete Math., 6:168–177, 2001.
- [GOHA03] Ernst M. Gabidulin, Alexei V. Ourivski, Bahram Honary, and Bassem Ammar. Reducible rank codes and their applications to cryptography. IEEE Trans. Inform. Theory, 49(12):3289–3293, 2003.
- [GPT91] Ernst M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov. Ideals over a non-commutative ring and their applications to cryptography. In Advances in Cryptology - EUROCRYPT’91, number 547 in Lecture Notes in Comput. Sci., pages 482–489, Brighton, April 1991.
- [GRH09] Ernst Gabidulin, Haitam Rashwan, and Bahram Honary. On improving security of GPT cryptosystems. In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 1110–1114. IEEE, 2009.
- [GRS16] Philippe Gaborit, Olivier Ruatta, and Julien Schrek. On the complexity of the rank syndrome decoding problem. IEEE Trans. Information Theory, 62(2):1006–1019, 2016.
- [KY04] Aggelos Kiayias and Moti Yung. Cryptanalyzing the polynomial-reconstruction based public-key system under optimal parameter choice. In Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5-9, 2004, Proceedings, pages 401–416, 2004.
- [LO06] Pierre Loidreau and Raphael Overbeck. Decoding rank errors beyond the error-correction capability. In Proceedings of the Tenth International Workshop on Algebraic and Combinatorial Coding Theory, ACCT-10, pages 168–190, 2006.
- [Loi07] Pierre Loidreau. Rank metric and cryptography. Accreditation to supervise research, Université Pierre et Marie Curie - Paris VI, January 2007.
- [Loi10] Pierre Loidreau. Designing a rank metric based McEliece cryptosystem. In Nicolas Sendrier, editor, Post-Quantum Cryptography 2010, volume 6061 of Lecture Notes in Comput. Sci., pages 142–152. Springer, 2010.
- [McE78] Robert J. McEliece. A Public-Key System Based on Algebraic Coding Theory, pages 114–116. Jet Propulsion Lab, 1978. DSN Progress Report 44.
- [OTK15] Ayoub Otmani and Hervé Talé-Kalachi. Square code attack on a modified Sidelnikov cryptosystem. In Said El Hajji, Abderrahmane Nitaj, Claude Carlet, and El Mamoun Souidi, editors, Codes, Cryptology, and Information Security - First International Conference, C2SI 2015, Rabat, Morocco, May 26-28, 2015, Proceedings - In Honor of Thierry Berger, volume 9084 of Lecture Notes in Computer Science, pages 173–183. Springer, 2015.
- [OTKN16] Ayoub Otmani, Hervé Talé-Kalachi, and Sélestin Ndjeya. Improved cryptanalysis of rank metric schemes based on Gabidulin codes. CoRR, abs/1602.08549, 2016.
- [Ove05a] Raphael Overbeck. Extending Gibson’s attacks on the GPT cryptosystem. In Oyvind Ytrehus, editor, WCC 2005, volume 3969 of Lecture Notes in Comput. Sci., pages 178–188. Springer, 2005.
- [Ove05b] Raphael Overbeck. A new structural attack for GPT and variants. In Mycrypt, volume 3715 of Lecture Notes in Comput. Sci., pages 50–63, 2005.
- [Ove08] Raphael Overbeck. Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptology, 21(2):280–301, 2008.
- [RGH10] Haitam Rashwan, Ernst Gabidulin, and Bahram Honary. A smart approach for GPT cryptosystem based on rank codes. In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 2463–2467. IEEE, 2010.
- [RGH11] Haitam Rashwan, Ernst Gabidulin, and Bahram Honary. Security of the GPT cryptosystem and its applications to cryptography. Security and Communication Networks, 4(8):937–946, 2011.