Polynomial-Time Key Recovery Attack on the Faure-Loidreau Scheme based on Gabidulin Codes
Abstract.
Encryption schemes based on the rank metric lead to small public key sizes, of the order of a few thousand bytes, which is a very attractive feature compared to Hamming metric-based encryption schemes, where public key sizes are of the order of hundreds of thousands of bytes even with additional structure such as cyclicity. The main tool for building public key encryption schemes in the rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were broken, essentially by means of an attack proposed by Overbeck.
In 2005 Faure and Loidreau designed a rank-metric encryption scheme which is not in the McEliece setting. The scheme is very efficient, with small public keys of a few kilobytes and with security closely related to the linearized polynomial reconstruction problem, which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and, until our work, the scheme had never been attacked. We show in this article that for a range of parameters this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck’s attack to an appropriate public code. As an example, we break in a few seconds parameters with a claimed bit security. Our work also shows that some parameters are not affected by our attack, but at the cost of a loss of efficiency for the underlying schemes.
Key words and phrases:
Post-quantum cryptography; Gabidulin code; Polynomial reconstruction; Faure-Loidreau scheme.
1. Introduction
McEliece encryption setting.
Post-quantum cryptography aims at proposing schemes that resist a hypothetical quantum computer. It increasingly represents a serious alternative to classical cryptography based on the discrete logarithm problem and the factorization problem. McEliece opened the way to code-based cryptography by proposing the first post-quantum (public-key encryption) scheme [McE78]. The McEliece cryptosystem is in fact an encryption setting which relies on the hiding of a particular class of decodable codes. The algorithmic assumption underlying the security is the difficulty of solving the closest vector problem in the Hamming metric for the particular class of masked decodable codes on which the scheme relies. Over the years many variants of the McEliece cryptosystem were proposed with different families of codes, and many were broken by recovering the structure of the masked codes. However, the original family of codes proposed by McEliece, the binary Goppa codes, essentially remains unattacked. Structural attacks, which try to recover the structure of the masked codes, are the main potential weakness of this setting. For instance, the highly structured Reed-Solomon codes are difficult to mask, and most McEliece variants relying on Reed-Solomon codes or variations of Reed-Solomon codes have been broken.
Rank metric cryptography.
The McEliece encryption setting is very versatile and only needs a decodable family of codes together with a masking technique for those codes. Hence this approach can also be used with a metric other than the classical Hamming metric. An important metric emerging in cryptography is the rank metric, which considers the ambient space , where is a (finite) field and and are positive integers, as the space of matrices, so that a rank can be associated to any vector from . By viewing any finite extension of finite fields as a linear space over of dimension , then for any positive integer the ambient space can also be viewed as the space of matrices. In [GPT91] Gabidulin, Paramonov and Tretjakov proposed the first rank-metric based encryption scheme. This scheme can be seen as an analog of the McEliece scheme, but based on the class of Gabidulin codes.
The main interest of the rank metric is that the time complexity of the best known generic attacks grows faster with the parameter size for the rank metric than for the Hamming metric. In practice, without additional structure like cyclicity, this means that public key sizes of only a few thousand bytes can be obtained for the rank metric, whereas hundreds of thousands of bytes are needed for the Hamming metric.
An important operation in the key generation of the GPT cryptosystem is the masking phase, where the secret Gabidulin code undergoes a transformation to hide its inherent algebraic structure. This transformation is a probabilistic algorithm that adds some randomness to its input . Originally, the authors of [GPT91] proposed to use a distortion transformation that outputs (a generator matrix of) the code , where is a random code of prescribed dimension . The presence of has however an impact: the sender has to add an error vector whose rank weight is , where is the error correction capability of . Hence, roughly speaking, the hiding phase publishes a code that is degraded in terms of error correction.
Gabidulin codes are often seen as the equivalent of Reed-Solomon codes because, like them, they are highly structured. That is the reason why their use in the GPT cryptosystem has been the subject of several attacks. Gibson was the first to prove the weakness of the system through a series of successful attacks [Gib95, Gib96]. Following these failures, the first works which modified the GPT scheme to avoid Gibson’s attack were published in [GO01, GOHA03]. The idea is to hide the structure of the Gabidulin code further by considering isometries for the rank metric. Consequently, a right column scrambler is introduced, which is an invertible matrix with entries in the base field , while the ambient space of the Gabidulin code is . But Overbeck designed in [Ove05b, Ove05a, Ove08] a more general attack that dismantled all the existing modified GPT cryptosystems. His approach consists in applying an operator which applies the Frobenius operation times to the public generator matrix . The dimension increases by each time the Frobenius is applied. Therefore, by taking , the codimension becomes if is the rank of . This phenomenon is a clear distinguishing property of a Gabidulin code which cannot be encountered, for instance, with a random linear code, where the dimension would increase by for each use of the Frobenius operator.
Overbeck’s attack crucially uses two facts, namely that the column scrambler matrix is defined over the base field and that the codimension of is equal to . Several works then proposed to resist this attack either by taking special random codes so that the second property no longer holds, as in [Loi10, RGH10], or by taking a column scrambler matrix defined over the extension field , as in [Gab08, GRH09, RGH11].
But recently in [OTKN16] it was shown that even if the column scrambler is defined over the extension field as in [Gab08, GRH09, RGH11], by using precisely Overbeck’s technique it is still possible to recover very efficiently a secret Gabidulin code whose error correction capability is certainly strictly less than that of the original secret Gabidulin code, but still strictly greater than the number of added errors . In other words, an attacker is still able to decrypt any ciphertext, and consequently all the schemes based on Gabidulin codes presented in [Gab08, GRH09, RGH11] are actually not secure.
Faure-Loidreau’s approach.
Besides the McEliece setting used with Gabidulin codes, Faure and Loidreau proposed in [FL05] another approach for designing a rank-metric encryption scheme based on Gabidulin codes. The scheme was supposed to be secure under the assumption that the linearized polynomial reconstruction problem (termed the polynomial reconstruction problem in [FL05]) is intractable. This scheme follows the works [AF03, AFL03], where a public-key encryption scheme is defined that relies on the polynomial reconstruction problem, which corresponds to the decoding problem of Reed-Solomon codes. Polynomial Reconstruction (PR) consists in solving the following problem: given two tuples and and parameters , recover all polynomials of degree less than such that for at most distinct indices . The public key is then a noisy random codeword from a Reed-Solomon code where the (Hamming) weight of the error is greater than the decoding capability of the Reed-Solomon code. However, these schemes have undergone polynomial-time attacks in [Cor03, Cor04, KY04]. The authors of [FL05] proposed an analog of the Augot-Finiasz scheme in the rank-metric context. The security of [FL05] is related to the difficulty of solving polynomial reconstruction, which actually corresponds to the decoding problem of a Gabidulin code beyond its error-correcting capability. After Overbeck’s attack, the parameters proposed in [FL05] were updated in [Loi07, Chap. 7] in order to resist it.
Our results.
We show in this article that the Faure-Loidreau scheme is vulnerable to a structural polynomial-time attack that recovers the private key from the public key. Based in part on the security analysis given in [Loi07, Chap. 7], we show that by applying Overbeck’s attack to an appropriate public code an attacker can recover the private key very efficiently, assuming only a mild condition on the code, which was always satisfied in all our experiments.
Informally, the Faure-Loidreau encryption scheme considers three finite fields . The rank weight of vectors is computed over the field . The public key is then composed of a Gabidulin code of dimension and length defined by a matrix , together with and , where is some vector in and is a vector of with (rank) weight . Both vectors and have to be kept secret, but from the attacker’s point of view the private key is essentially , since can be deduced from it.
Our attack uses the Frobenius operator, introduced by Overbeck, which takes as input any vector space and integer in order to construct the vector space defined as
The first step of the attack considers a basis of viewed as a vector space over of dimension and defines the vectors . Our main result shows that the system can be broken in polynomial time and can be stated as follows:
Theorem 1.
If the vector space generated by denoted by satisfies the property
(1) 
then the private key can be recovered from with operations in the field .
Notice that if behaves as a random code then condition (1) generally holds. We implemented our attack on the parameters given in [FL05, Loi07] for bit security, which were broken in a few seconds. A necessary condition for (1) to hold is to choose , that is to say
This was always the case for parameters proposed in [FL05, Loi07].
Related work.
The attack presented in this paper is very similar to the approach proposed in [LO06], where the authors seek to decode several noisy codewords of a Gabidulin code. Let us assume that we received words from , where each is written as with belonging to a Gabidulin code of dimension and length over , and the ’s are vectors from . Let us denote by the matrix of size formed by the ’s, and let be the dimension of the vector space generated by the columns of . The authors show that when , Overbeck’s technique recovers the codewords in operations. It therefore provides a method that decodes a Gabidulin code beyond the classical error-correcting limit . This approach can be used here to attack the Faure-Loidreau scheme [FL05] because the vectors can be written as , where belong to the Gabidulin code generated by , and the matrix formed by the satisfies , which in turn has to verify .
Organisation.
2. Preliminaries
Vectors from , where is a field, are denoted by boldface letters as . The concatenation of two vectors and is denoted by . The set of matrices with entries in having rows and columns is denoted by , and the subset of invertible matrices forms the general linear group, denoted by . A linear code of length over a field is a linear subspace of . An element of a code is called a codeword, and a matrix whose rows form a basis is called a generator matrix. The dual of a code is the linear space, denoted by , containing the vectors such that:
Any generator matrix of is called a paritycheck matrix of .
The finite field with elements is denoted by where is a power of a prime number . The trace operator of over is the linear map defined for any in by
Let be a basis of over . The dual basis, or also called the trace orthogonal basis of is a basis of over such that for any and in
where and when . Note that a dual basis always exists, and furthermore it is possible to express any from as
(2) 
Any univariate polynomial of the form , where , is called a linearised polynomial, and is its degree.
Any map is naturally extended to vectors by . This applies in particular to the cases where is a polynomial or is the Frobenius (or trace) operator. For any subsets and , the notation represents the set . For any subfield and from , the vector space generated by is denoted by . For any and for any , the notation denotes the set . For any subset and any integer , we define as the set of vectors where ranges over . Note that when is a vector space then is also a linear subspace of .
Definition 2.
The rank weight of denoted by is the dimension of the vector space generated by , or equivalently
(3) 
Note that for any with there exists in and such that and .
Finally, an algorithm is said to decode errors in a code if for any and for any such that we have . Generally, we call such a vector an error vector.
3. Gabidulin Codes
We now introduce an important family of codes known for having an efficient decoding algorithm for the rank metric.
Definition 3 (Gabidulin code).
Let in such that . The Gabidulin code of length and dimension is the linear subspace of defined by
(4) 
Equivalently, a generator matrix of is given by where
(5) 
Gabidulin codes are known to possess a fast decoding algorithm that can decode errors of weight provided that . Furthermore the dual of a Gabidulin code is also a Gabidulin code (see for instance [Gab85, GPT91, Ber03]).
Proposition 4.
The dual of is the Gabidulin code where belongs to and .
We also have the following proposition.
Proposition 5.
For any in and for any Gabidulin code with then
(6) 
Proof.
The proof of this proposition comes directly from the fact that for any positive integer , and for any in ,
∎
We gather important algebraic properties of Gabidulin codes in order to explain why many attacks succeed when the underlying code is a Gabidulin code . One key property is that Gabidulin codes can be easily distinguished from random linear codes. This singular behaviour has been precisely exploited by Overbeck [Ove05b, Ove05a, Ove08] to mount attacks. For that purpose we introduce the operator defined for any linear vector subspace by
(7) 
This operator can also be defined over matrices in an obvious manner. For instance a generator matrix of is . This implies in particular the next proposition.
Proposition 6.
For any , which implies in particular that
The importance of Proposition 6 becomes clear when we compare it to the case of random codes.
Proposition 7.
Let be a code generated by a randomly drawn matrix from then with a high probability
(8) 
Remark 8.
Another way of understanding the previous proposition is to observe that if is a random code then , whereas for Gabidulin codes we would obtain
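The trace and dual-basis expansion (2) of Section 2, the rank weight of Definition 2 and the Frobenius behaviour of Propositions 6 and 7 can all be checked on a toy field. The following Python script is an added example written for this page, not code from the paper or its authors. It assumes q = 2 and m = 8 with the irreducible polynomial x^8 + x^4 + x^3 + x^2 + 1, the basis 1, y, ..., y^7 with y = x + 1, and the code support g = (1, x, ..., x^7); all of these are constructed choices, and the function names are ours. The dual basis is obtained by solving an m x m linear system over GF(2), and the dimension profile makes the distinguisher visible: stacking a Gabidulin generator matrix with its Frobenius images raises the dimension by exactly one per step, whereas a random matrix of the same shape grows by roughly k per step until it fills the space.

```python
# Added example, not from the paper: toy GF(2^8) arithmetic used to check the dual-basis
# expansion (2), the rank weight of Definition 2 and the dimension growth of Propositions 6-7.
import random
M = 8                   # the field is GF(q^m) with q = 2, m = 8 (constructed choice)
MOD_POLY = 0x11B        # x^8 + x^4 + x^3 + x^2 + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply in GF(2^M); an element is an int whose bit i is the coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD_POLY
    return r

def frob(a, i=1):
    """i-fold Frobenius a -> a^(q^i); for q = 2 this is i squarings."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def trace(a):
    """Trace of GF(q^M) over GF(q): a + a^q + ... + a^(q^(M-1)); the result is 0 or 1."""
    t = 0
    for i in range(M):
        t ^= frob(a, i)
    return t

def rank_weight(v):
    """Definition 2: GF(2) rank of the m x n matrix whose columns are the coordinates (bitmasks) of v."""
    basis = {}          # leading bit -> reduced vector
    for r in v:
        while r:
            lead = r.bit_length() - 1
            if lead not in basis:
                basis[lead] = r
                break
            r ^= basis[lead]
    return len(basis)

def rank_gf(rows):
    """Rank over GF(2^M) of a list of row vectors, by fraction-free Gaussian elimination."""
    mat, rank = [list(r) for r in rows], 0
    for col in range(len(mat[0])):
        piv = next((i for i in range(rank, len(mat)) if mat[i][col]), None)
        if piv is None:
            continue
        mat[rank], mat[piv] = mat[piv], mat[rank]
        p = mat[rank][col]
        for i in range(rank + 1, len(mat)):   # row_i <- p*row_i + f*row_pivot clears column col
            f = mat[i][col]
            if f:
                mat[i] = [gf_mul(p, x) ^ gf_mul(f, y) for x, y in zip(mat[i], mat[rank])]
        rank += 1
    return rank

def dual_basis(beta):
    """Trace-orthogonal basis beta* with Tr(beta_i beta*_j) = [i == j]: write beta*_j in the
    polynomial basis x^l and solve T c_j = e_j over GF(2), where T[i][l] = Tr(beta_i x^l)."""
    rows = [sum(trace(gf_mul(beta[i], 1 << l)) << l for l in range(M)) | 1 << (M + i)
            for i in range(M)]      # low M bits: row i of T; high M bits: identity
    for col in range(M):            # Gauss-Jordan turns [T | I] into [I | T^-1]
        piv = next(i for i in range(col, M) if rows[i] >> col & 1)
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(M):
            if i != col and rows[i] >> col & 1:
                rows[i] ^= rows[col]
    return [sum((rows[l] >> (M + j) & 1) << l for l in range(M)) for j in range(M)]

def expand(a, beta, beta_dual):
    """Equation (2): a = sum_i Tr(a beta*_i) beta_i; returns the GF(2) coordinates and the rebuilt a."""
    coords = [trace(gf_mul(a, bd)) for bd in beta_dual]
    rebuilt = 0
    for c, b in zip(coords, beta):
        rebuilt ^= c * b    # c is 0 or 1
    return coords, rebuilt

def gabidulin_generator(g, k):
    """Generator matrix (5) of Gab_k(g): row i is (g_1^(q^i), ..., g_n^(q^i))."""
    return [[frob(gj, i) for gj in g] for i in range(k)]

def lambda_op(G, i):
    """Overbeck's operator (7) on a generator matrix: stack G, G^(q), ..., G^(q^i)."""
    return [[frob(x, j) for x in row] for j in range(i + 1) for row in G]

def dimension_profile(G, max_i):
    """dim Lambda_i(<G>) for i = 0..max_i; Proposition 6 says it grows by 1 per step for Gabidulin codes."""
    return [rank_gf(lambda_op(G, i)) for i in range(max_i + 1)]

if __name__ == "__main__":
    beta = [1]
    for _ in range(M - 1):              # basis 1, y, ..., y^7 of GF(2^8) with y = x + 1
        beta.append(gf_mul(beta[-1], 0b11))
    print("dual basis:", dual_basis(beta))
    g = [1 << j for j in range(M)]      # n = m = 8 coordinates, independent over GF(2)
    print("Gabidulin k=3:", dimension_profile(gabidulin_generator(g, 3), 6))
    rng = random.Random(1)              # seeded random [3 x 8] matrix for Proposition 7
    print("random k=3:", dimension_profile([[rng.randrange(1 << M) for _ in range(M)] for _ in range(3)], 3))
```

Running the script prints the profile [3, 4, 5, 6, 7, 8, 8] for the Gabidulin code of dimension 3 and length 8 (Proposition 6), next to the profile of a seeded random 3 x 8 matrix, which already jumps to about 6 after one application of the Frobenius (Proposition 7). The rank_weight function treats each coordinate as a column of the m x n matrix over GF(2) of Definition 2; rank_gf uses fraction-free elimination (row_i <- p*row_i + f*row_pivot) so that no field inversion is needed.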
4. Faure-Loidreau Encryption Scheme
Key generation.
Throughout this step, besides the fields and , another field is considered where is the extension of of degree , and three integers , and such that and
(9) 

Pick at random with and let be the generator matrix of as in (5)

Pick at random such that form a basis of over

Generate randomly with and and then compute defined as
(10)
The private key is and the public key is where
(11) 
Encryption.
A plaintext here is a vector belonging to such that when . To encrypt , one randomly generates and such that . The ciphertext is the vector defined by
(12) 
Decryption.
The receiver first computes , that is to say
(13)  
(14) 
Let be the matrix obtained by removing the first columns of and let and be respectively the restriction of and to the last coordinates. We then have
(15) 
Using the fact that generates a Gabidulin code of length and dimension , and since , it is possible to recover by applying a decoding algorithm. Since by construction is chosen so that when , by choosing a dual basis of the value of can be computed as follows
Once is recovered, the plaintext is then equal to .
5. Polynomial-Time Key Recovery Attack when
In this section, we show that it is possible to recover an alternative private key from the public data and when the condition holds. We start by remarking that if an attacker is able to find a matrix and such that
then they can fully recover by solving only the last equations of the following linear system (see Algorithm 1 for more details)
(16) 
In the sequel, we describe a way to obtain by finding such a matrix . The first step is to consider a basis of viewed as a vector space over of dimension . For any we set . Lastly, let be the (public) code generated by and , that is to say
(17) 
Remark 9.
is defined by the generator matrix where
(18) 
For all let us set and . By construction, we also have the equality
(19) 
Lemma 10.
Let us define then we have
Proposition 11.
Let and assume that . The code is then of dimension generated by where and .
Furthermore, for any with and for any such that
(20) 
where , there exists with such that .
Proof.
Let us decompose as , where and . Let be the matrix whose -th row is composed of the first components of . Note that , where is defined as in (18), is a generator matrix of , and the following equality holds
(21) 
Hence is a generator matrix of the code which satisfies the equality
The fact that generates a Gabidulin code implies that
Consequently, there exists with that satisfies . Furthermore, the equality holds which implies that
This means that actually generates the full space , which is equivalent to saying that generates .
For the second part of the proposition, let be any element from with and let be in such that (20) holds for some in . There exists an element in such that . Consider matrices , and such that and so that we have
We have then the following equalities
(22) 
It follows from (22) that and hence since . So we can write
We deduce that and consequently, we get
So by letting we have proved the proposition. ∎
Proposition 11 shows that an equivalent key can be found in polynomial time simply by using a nonzero element of . We now prove our main result stated in the introduction, which shows the weakness of the system.
Theorem 1.
If the vector space generated by denoted by satisfies the property
then the private key can be recovered from with operations in the field
Proof.
Firstly, note that from (19) we know that . Algorithm 1 gives the full description of the attack and provides a proof of Theorem 1. Indeed, the attack consists in picking any codeword from and then, by Gaussian elimination, we transform so that there exists for which we have
where . From Proposition 11 we know that is an equivalent key that gives an equality of the form (16), and therefore it is possible to find by solving a linear system. Lastly, the time complexity comes from the fact that the operations involved are essentially Gaussian eliminations over square matrices with columns and entries in . ∎
An important assumption for the success of the attack is that , which was always true in all our experiments. This assumption holds if and only if the equality holds, which requires , or equivalently
(23) 
Assuming that behaves as a random code, then holds with high probability as long as (23) is true. The parameters proposed in [Loi07] satisfy (23). Furthermore, the analysis given in [Loi07] requires taking . We implemented the attack with Magma V2.21-6 and the secret key was found in less than a second, confirming the efficiency of the approach.
Remark 2.
Let us observe that taking forces to be very small, since we have
(24) 
For instance, with the parameters proposed in [Loi07] we would have . Consequently the values of , and have to be changed so that general decoding attacks fail [GRS16]. Let us notice that this situation is quite similar to the countermeasures proposed in [RGH10, Loi10] to resist Overbeck’s attack. But the strength of this repair deserves a thorough analysis.
6. Conclusion
Faure and Loidreau proposed a rank-metric encryption scheme based on Gabidulin codes, related to the linearized polynomial reconstruction problem. We showed that the scheme is vulnerable to a polynomial-time key recovery attack using Overbeck’s techniques applied to an appropriate public code.
Our attack assumes that the parameters are chosen so that , which was always the case in [FL05, Loi07]. We have also seen that taking requires choosing , which further exposes the system to general decoding attacks like [GRS16]. Hence it forces an increase in key sizes and consequently reduces the practicality of the scheme, while offering no assurance that the scheme is still secure. The best choice from a designer’s point of view would be to take as small as possible, but a thorough analysis has to be undertaken in light of the connections with the repairs proposed in [RGH10, Loi10]. This point is left as an open question in our paper; breaking this kind of parameters would arguably lead to a cryptanalysis of [RGH10, Loi10], and to an algorithm that decodes Gabidulin codes beyond the bound .
7. Acknowledgements
The authors would like to thank Pierre Loidreau for helpful discussions and for bringing reference [LO06] to our attention.
References
[AF03] Daniel Augot and Matthieu Finiasz. A public key encryption scheme based on the polynomial reconstruction problem. In Advances in Cryptology - EUROCRYPT 2003, volume 2656 of Lecture Notes in Comput. Sci., pages 229–240. Springer, 2003.
[AFL03] Daniel Augot, Matthieu Finiasz, and Pierre Loidreau. Using the trace operator to repair the polynomial reconstruction based cryptosystem presented at Eurocrypt 2003. IACR Cryptology ePrint Archive, 2003:209, 2003.
[Ber03] Thierry P. Berger. Isometries for rank distance and permutation group of Gabidulin codes. IEEE Trans. Inform. Theory, 49(11):3016–3019, 2003.
[CGG14] Alain Couvreur, Philippe Gaborit, Valérie Gauthier-Umaña, Ayoub Otmani, and Jean-Pierre Tillich. Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr., 73(2):641–666, 2014.
[Cor03] Jean-Sébastien Coron. Cryptanalysis of the repaired public-key encryption scheme based on the polynomial reconstruction problem. IACR Cryptology ePrint Archive, 2003:219, 2003.
[Cor04] Jean-Sébastien Coron. Cryptanalysis of a public-key encryption scheme based on the polynomial reconstruction problem. In Public Key Cryptography - PKC 2004, 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, March 1-4, 2004, pages 14–27, 2004.
[COT14] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. Polynomial time attack on wild McEliece over quadratic extensions. In Phong Q. Nguyen and Elisabeth Oswald, editors, Advances in Cryptology - EUROCRYPT 2014, volume 8441 of Lecture Notes in Comput. Sci., pages 17–39. Springer Berlin Heidelberg, 2014.
[FL05] Cédric Faure and Pierre Loidreau. A new public-key cryptosystem based on the problem of reconstructing p-polynomials. In Coding and Cryptography, International Workshop, WCC 2005, Bergen, Norway, March 14-18, 2005. Revised Selected Papers, pages 304–315, 2005.
[Gab85] Ernest Mukhamedovich Gabidulin. Theory of codes with maximum rank distance. Problemy Peredachi Informatsii, 21(1):3–16, 1985.
[Gab08] Ernst M. Gabidulin. Attacks and counter-attacks on the GPT public key cryptosystem. Des. Codes Cryptogr., 48(2):171–177, 2008.
[Gib95] Keith Gibson. Severely denting the Gabidulin version of the McEliece public key cryptosystem. Des. Codes Cryptogr., 6(1):37–45, 1995.
[Gib96] Keith Gibson. The security of the Gabidulin public key cryptosystem. In Ueli Maurer, editor, Advances in Cryptology - EUROCRYPT ’96, volume 1070 of Lecture Notes in Comput. Sci., pages 212–223. Springer, 1996.
[GO01] Ernst M. Gabidulin and Alexei V. Ourivski. Modified GPT PKC with right scrambler. Electron. Notes Discrete Math., 6:168–177, 2001.
[GOHA03] Ernst M. Gabidulin, Alexei V. Ourivski, Bahram Honary, and Bassem Ammar. Reducible rank codes and their applications to cryptography. IEEE Trans. Inform. Theory, 49(12):3289–3293, 2003.
[GPT91] Ernst M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov. Ideals over a non-commutative ring and their applications to cryptography. In Advances in Cryptology - EUROCRYPT ’91, number 547 in Lecture Notes in Comput. Sci., pages 482–489, Brighton, April 1991.
[GRH09] Ernst Gabidulin, Haitam Rashwan, and Bahram Honary. On improving security of GPT cryptosystems. In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 1110–1114. IEEE, 2009.
[GRS16] Philippe Gaborit, Olivier Ruatta, and Julien Schrek. On the complexity of the rank syndrome decoding problem. IEEE Trans. Information Theory, 62(2):1006–1019, 2016.
[KY04] Aggelos Kiayias and Moti Yung. Cryptanalyzing the polynomial-reconstruction based public-key system under optimal parameter choice. In Advances in Cryptology - ASIACRYPT 2004, 10th International Conference on the Theory and Application of Cryptology and Information Security, Jeju Island, Korea, December 5-9, 2004, Proceedings, pages 401–416, 2004.
[LO06] Pierre Loidreau and Raphael Overbeck. Decoding rank errors beyond the error-correction capability. In Proceedings of the Tenth International Workshop on Algebraic and Combinatorial Coding Theory, ACCT-10, pages 168–190, 2006.
[Loi07] Pierre Loidreau. Rank metric and cryptography. Accreditation to supervise research, Université Pierre et Marie Curie - Paris VI, January 2007.
[Loi10] Pierre Loidreau. Designing a rank metric based McEliece cryptosystem. In Nicolas Sendrier, editor, Post-Quantum Cryptography 2010, volume 6061 of Lecture Notes in Comput. Sci., pages 142–152. Springer, 2010.
[McE78] Robert J. McEliece. A Public-Key System Based on Algebraic Coding Theory, pages 114–116. Jet Propulsion Lab, 1978. DSN Progress Report 44.
[OTK15] Ayoub Otmani and Hervé Talé Kalachi. Square code attack on a modified Sidelnikov cryptosystem. In Said El Hajji, Abderrahmane Nitaj, Claude Carlet, and El Mamoun Souidi, editors, Codes, Cryptology, and Information Security - First International Conference, C2SI 2015, Rabat, Morocco, May 26-28, 2015, Proceedings - In Honor of Thierry Berger, volume 9084 of Lecture Notes in Computer Science, pages 173–183. Springer, 2015.
[OTKN16] Ayoub Otmani, Hervé Talé Kalachi, and Sélestin Ndjeya. Improved cryptanalysis of rank metric schemes based on Gabidulin codes. CoRR, abs/1602.08549, 2016.
[Ove05a] Raphael Overbeck. Extending Gibson’s attacks on the GPT cryptosystem. In Oyvind Ytrehus, editor, WCC 2005, volume 3969 of Lecture Notes in Comput. Sci., pages 178–188. Springer, 2005.
[Ove05b] Raphael Overbeck. A new structural attack for GPT and variants. In Mycrypt, volume 3715 of Lecture Notes in Comput. Sci., pages 50–63, 2005.
[Ove08] Raphael Overbeck. Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptology, 21(2):280–301, 2008.
[RGH10] Haitam Rashwan, Ernst Gabidulin, and Bahram Honary. A smart approach for GPT cryptosystem based on rank codes. In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 2463–2467. IEEE, 2010.
[RGH11] Haitam Rashwan, Ernst Gabidulin, and Bahram Honary. Security of the GPT cryptosystem and its applications to cryptography. Security and Communication Networks, 4(8):937–946, 2011.