Abstract
We introduce a new rank-metric code, namely the \(\varvec{\lambda }\)-Gabidulin code, obtained by multiplying each column of the generator matrix of a Gabidulin code by an entry of \(\varvec{\lambda }=(\lambda _1,\ldots ,\lambda _n) \in \mathbb {F}_{q^m}^n\). We discuss the motivation for introducing \(\varvec{\lambda }\)-Gabidulin codes and prove some of their properties. Then, we design a new McEliece type rank-metric encryption scheme on \(\varvec{\lambda }\)-Gabidulin codes, with a scrambler matrix depending on \(\varvec{\lambda }\). We show that this new cryptosystem is secure against the existing attacks on Gabidulin code based encryption, in particular how it resists Overbeck’s structural attack, the annulator polynomial attack and the Frobenius weak attack. Finally, we also propose some parameters for the new cryptosystem and show that our proposal has a smaller key size than the Loi17 Encryption [29] using Gabidulin codes proposed in PQCrypto 2017.
1 Introduction
In 1978, McEliece [31] proposed a public-key cryptosystem based on Goppa codes in the Hamming metric. The idea of the McEliece cryptosystem is to hide the structure of the generator matrix of a decodable code with a random invertible matrix S and a random permutation matrix P, and to publish the matrix \(G_\mathsf{pub}= SGP\). Although his design has efficient encryption and decryption, it involves a significantly large public key size. To tackle this problem, several modifications of the scheme have been proposed. One of the approaches to overcoming the large public key size of schemes in the Hamming metric is to consider an alternative metric, namely the rank metric. In 1985 Gabidulin [8] introduced the rank metric and the Gabidulin codes together with an efficient decoding algorithm. Gabidulin codes are usually seen as the rank-metric equivalent of Reed-Solomon codes in the Hamming metric; both are highly structured. Later on, Gabidulin, Paramanov, and Tretjakov used the Gabidulin codes and proposed the first rank metric based cryptosystem, namely GPT [11].
However, due to the well-structuredness of Gabidulin codes, proposals of cryptosystems based on Gabidulin codes have alternately been attacked and modified. The first structural attack on the initial GPT system was suggested by Gibson [18] by exploiting the structure of Gabidulin codes and of the distortion matrix in GPT. Modifications have been made to produce GPT variants that resist Gibson’s attack. To counter Gibson’s attack, a modified GPT with a right scrambler was proposed in [10, 34]. However, this modified GPT with right scrambler was cryptanalyzed by Overbeck by extending Gibson’s attacks [36]. A modified cryptosystem, namely generalized GPT (GGPT), was introduced by Overbeck in the same paper to resist Gibson’s attacks. Yet, as Gabidulin codes contain a large vector space invariant under the Frobenius automorphism, Overbeck [37] succeeded in cryptanalyzing all the previous Gabidulin code based cryptosystems. Despite the efforts of other GGPT variants proposed in [9, 12, 28, 39] to secure against Overbeck’s attack, these GGPT variants were shown to be insecure against more recent structural attacks such as the extension of Overbeck’s attack [20], the reduction attack on GGPT [33], and the Frobenius weak attack [21].
More recently, several encryption schemes based on Gabidulin codes have been proposed. Loidreau [29] considered a McEliece type cryptosystem based on Gabidulin codes with a scrambler matrix P whose inverse \(P^{-1}\) has entries in a w-dimensional subspace of \(\mathbb {F}_{q^m}\). This cryptosystem was then implemented in DRANKULA [1]. Also, Lau and Tan [25, 26] introduced a new technique to construct McEliece type encryption schemes based on any generic decodable code. Apart from these McEliece type cryptosystems based on Gabidulin codes, there are some other encryption schemes, such as [2, 13], that do not hide the structure of the generator matrix and use other techniques to construct the encryption. Moreover, there are other encryption schemes that combine the ideas of the McEliece and Niederreiter cryptosystems, such as [17, 27].
Although there are other techniques for constructing code-based encryption schemes, the question whether a secure McEliece type cryptosystem can be constructed from alternative rank codes is still of interest in the research community. In 2014, the Low Rank Parity Check codes (LRPC) were proposed to construct a McEliece type encryption scheme [15]. Later in 2018, Kim et al. [22] extended the LRPC codes into new LRPC-Kronecker product codes and proposed a McEliece type encryption based on this code.
The main task of this paper is to propose a new rank metric code, namely the \(\varvec{\lambda }\)-Gabidulin code, which is an extension of the Gabidulin code. This \(\varvec{\lambda }\)-Gabidulin code is the rank-metric analogue of the generalized Reed-Solomon codes: it is obtained by multiplying the columns of the generator matrix by some elements of \(\mathbb {F}_{q^m}\). We show that the \(\varvec{\lambda }\)-Gabidulin code is decodable when certain conditions are met, and use this property to construct a new code-based cryptosystem on \(\varvec{\lambda }\)-Gabidulin codes. In this paper, we first review in Sect. 2 some basic facts and definitions on the rank metric and Gabidulin codes. We introduce the new rank metric code, namely the \(\varvec{\lambda }\)-Gabidulin code, in Sect. 3. Based on \(\varvec{\lambda }\)-Gabidulin codes, we propose a new Gabidulin-like code public-key encryption in Sect. 4. In Sect. 5, its security against existing attacks is discussed. In Sect. 6, we suggest some parameters for our proposal and show that our proposal has a smaller public key size than Loidreau’s proposal in [29] and DRANKULA in [1]. Finally, we conclude this paper in Sect. 7.
2 Background on Rank Metric and Gabidulin Codes
In this section we recall the definition of rank metric and some related results, which are the core of rank metric based cryptosystems.
2.1 Rank Metric
Let \(\mathbb {F}_{q^m}\) be a finite field with \(q^m\) elements and let \(\{ \beta _1, \ldots , \beta _m \}\) be a basis of \(\mathbb {F}_{q^m}\) over the base field \(\mathbb {F}_q\), where q is a prime power.
Definition 1
Let \(\varvec{x} = (x_1,\ldots , x_n) \in \mathbb {F}_{q^m}^n\). The rank of \(\varvec{x}\) in \(\mathbb {F}_q\), denoted by \(\text {rk}_q (\varvec{x})\) is the rank of the matrix \(X=\left[ x_{ij} \right] \in \mathbb {F}_q^{m \times n}\) where \(x_j = \sum _{i=1}^m x_{ij} \beta _i\).
Equivalently, the rank of \(\varvec{x}\) is the dimension over \(\mathbb {F}_q\) of the subspace of \(\mathbb {F}_{q^m}\) which is spanned by the coordinates of \(\varvec{x}\). Note that the rank of a vector is a norm and is independent of the chosen basis.
Definition 2
The rank distance between \(\varvec{x},\varvec{y} \in \mathbb {F}_{q^m}^n\) is defined to be
If \(\mathcal {C}\) is a linear code, the minimum rank distance of \(\mathcal {C}\) is defined by
The Singleton bound for rank-metric codes is given by the inequality
Definition 3
A rank-metric code satisfying the Singleton bound is called a maximum rank-distance (MRD) code.
We now state a few results related to the rank metric, in particular the concepts of Grassmann support which are important for security analysis in Sect. 5.
Lemma 1
Let \(\varvec{x} \in \mathbb {F}_{q^m}^n\) such that \(\text {rk}_q(\varvec{x}) = r \le n\), then there exists \(\hat{\varvec{x}} \in \mathbb {F}_{q^m}^r\) with \(\text {rk}_q (\hat{\varvec{x}} ) = r\) and \(U \in \mathbb {F}_q^{ r\times n}\) with \(\text {rk}(U) = r\) such that \(\varvec{x} = \hat{\varvec{x}} U\). This decomposition is unique up to \(\text {GL}_r (\mathbb {F}_q)\)-operation between \(\hat{\varvec{x}} \) and U.
Notation
We denote \([i] := q^i\) as the ith Frobenius power. Let \(M=\left[ M_{a,b}\right] \in \mathbb {F}_{q^m}^{k \times n}\), we denote \(M^{([i])} := \left[ M_{a,b}^{[i]} \right] \in \mathbb {F}_{q^m}^{k \times n}\). Also, for any set \(S \subset \mathbb {F}_{q^m}^n\), we denote \(S^{([l])} := \{ \varvec{s}^{([l])} \mid \varvec{s} \in S \}\). For a matrix U over \(\mathbb {F}_q\), we denote \(\langle U \rangle _{\mathbb {F}_{q^m}}\) as the row span of a matrix U over \(\mathbb {F}_{q^m}\). By abuse of notation, for vector \(\varvec{u_1},\ldots ,\varvec{u_j}\) over \(\mathbb {F}_{q^m}\), we denote \(\langle \varvec{u_1},\ldots ,\varvec{u_j} \rangle _{\mathbb {F}_{q^m}}\) as \(\mathbb {F}_{q^m}\) span of the vectors \(\varvec{u_1},\ldots ,\varvec{u_j}\).
Definition 4
Let \(\varvec{x} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q(\varvec{x}) = r \le n\) and decomposition \(\varvec{x} = \hat{\varvec{x}} U\) as in Lemma 1. We call U a Grassman support matrix for \(\varvec{x}\) and \(\langle U \rangle _{\mathbb {F}_{q^m}}\) the Grassman support of \(\varvec{x}\).
Lemma 2
([20, 21]). Let \(\varvec{x} \in S \subseteq \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{x}) = r \le n\), and s be an integer such that \(\gcd (s,m) = 1\). Then
Horlemann-Trautmann et al. [20] efficiently computed the elements of rank one in an \(\mathbb {F}_{q^m}\)-linear code \(\mathcal {C} \subseteq \mathbb {F}_{q^m}^n\) with the following lemma:
Lemma 3
([20]). Let \(G \in \mathbb {F}_{q^m}^{k \times n}\) be a generator matrix for a code \(\mathcal {C}\) in reduced row echelon form. Denote \(G_i\) as the ith row of G. Then
- All elements of rank one in \(\langle G \rangle _{\mathbb {F}_{q^m}}\) are multiples of the elements in
$$\begin{aligned} \mathcal {C}^* := \langle G \rangle _{\mathbb {F}_{q^m}} \cap \mathbb {F}_q^n. \end{aligned}$$
- The elements in \(\mathcal {C}^*\) are in one-to-one correspondence with the solutions of
$$\begin{aligned} \sum _{i=1}^{k} a_i \left[ G_i^{([1])} - G_i \right] = \varvec{0}, \quad \text {where } a_i \in \mathbb {F}_q. \end{aligned}$$
- Computing the solutions of this system requires \(O(kmn^2)\) operations in \(\mathbb {F}_q\).
2.2 Gabidulin Codes
We now give the definition and some properties of Gabidulin codes as they will be used to construct our new code in Sect. 3.
Definition 5
(Gabidulin Codes, [8]). Let \(\varvec{g} = (g_1,\ldots , g_n) \in \mathbb {F}_{q^m}^n\) be linearly independent over \(\mathbb {F}_q\). The Gabidulin code, \(\text {Gab}_{n,k} (\varvec{g})\) over \(\mathbb {F}_{q^m}\) of dimension k and generator vector \(\varvec{g}\) is the code generated by matrix G of the form
Gabidulin [8] showed that the error-correcting capability of \(\text {Gab}_{n,k} (\varvec{g})\) is \(r = \lfloor \frac{n-k}{2} \rfloor \). Moreover, it was also shown that a Gabidulin code is an MRD code if and only if \(m \ge n\). Gabidulin also provided an efficient decoding algorithm for Gabidulin codes up to the rank error-correcting capability in [8]. The best known complexity for decoding an [n, k]-Gabidulin code is \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\) [38, Theorem 17].
Definition 6
A linearized polynomial F(z) over \(\mathbb {F}_{q^m}\) is a polynomial of the form \(F(z) = \sum _{i=0}^{k} f_i z^{[i]}\) where \(f_i \in \mathbb {F}_{q^m}\) for \(0 \le i \le k\). We refer to k as the q-degree of F(z), denoted \(\deg _q F(z)\).
With \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\), we can now rewrite a codeword \(\varvec{c} = (f_0,\ldots ,f_{k-1})G \in \text {Gab}_{n,k} (\varvec{g})\) as:
Gabidulin codes contain a large vector space invariant under the Frobenius automorphism, which exposes cryptosystems based on Gabidulin codes to Overbeck’s attack. To be more precise, we now define an \(\mathbb {F}_q\)-linear operator \(\varLambda _i\) on a matrix M as follows:
Definition 7
(Frobenius Map). For any integer \(i \ge 0\), let \(\varLambda _i : \mathbb {F}_{q^m}^{k \times n} \rightarrow \mathbb {F}_{q^m}^{ik \times n}\) be the \(\mathbb {F}_q\)-linear operator that maps any matrix \(M \in \mathbb {F}_{q^m}^{k \times n}\) to \(\varLambda _i ( {M})\):
As a consequence, Gabidulin codes contain a large vector space invariant under the Frobenius automorphism:
Lemma 4
Let G be the generator matrix of \(\text {Gab}_{n,k}(\varvec{g})\). For integer \(i \ge 0\) and \(1 \le j \le m-1\), we have \(\dim _{\mathbb {F}_{q^m}} \left( \varLambda _i (G) \right) = k+i\) and
Proof
Recall from (3) that
Also, since \(\text {Gab}_{n,k}(\varvec{g})^{[j]} = \left\{ \varvec{x} \left[ \begin{array}{c} \varvec{g}^{[j]} \\ \vdots \\ \varvec{g}^{[j+k-1]} \\ \end{array} \right] : \varvec{x} \in \mathbb {F}_{q^m}^k \right\} \), then
\(\Box \)
2.3 General Decoding of Rank Metric Codes
In the case of rank metric, the rank syndrome decoding problem is analogous to the classical syndrome decoding problem with Hamming metric, as described in the following:
Definition 8
Rank Syndrome Decoding Problem (\(\varvec{\mathsf{RSD}}\)). Let H be a full rank \((n-k) \times n\) matrix over \(\mathbb {F}_{q^m}\), \(\varvec{s}\in \mathbb {F}_{q^m}^{n-k}\) and w an integer. The Rank Syndrome Decoding Problem \(\mathsf{RSD}(q,m,n,k,w)\) needs to determine \(\varvec{x} \in \mathbb {F}_{q^m}^n\) such that \(\text {rk}_q(\varvec{x}) = w\) and \( H \varvec{x}^T = \varvec{s}^T\).
Recently, Gaborit and Zémor [16] showed that if there were an efficient probabilistic algorithm for solving the \(\mathsf{RSD}\) problem, then there would exist an efficient probabilistic algorithm to solve the syndrome decoding problem in the Hamming metric. Therefore, the \(\mathsf{RSD}\) problem is a good candidate for the hard problem on which our cryptosystem is based.
There are generally two types of generic attacks on the \(\mathsf{RSD}\) problem, namely the combinatorial attack and the algebraic attack. The combinatorial approach depends on counting the number of possible supports of size r for a rank code of length n over \(\mathbb {F}_{q^m}\), which corresponds to the number of subspaces of dimension r in \(\mathbb {F}_{q^m}\). For the algebraic approach, the nature of the rank metric favors algebraic attacks using Gröbner bases, as they are largely independent of the value of q; these attacks become efficient when q increases. There are mainly three approaches to translating the notion of rank into an algebraic setting. The first approach [24] considers the \(\mathsf{RSD}\) problem directly, but the complexity of solving the quadratic system from their attack is hard to evaluate, especially when \(r \ge 4\). The second approach reduces the \(\mathsf{RSD}\) problem to the MinRank problem [7], but such a reduction only works for certain types of MinRank parameters and not for the usual parameters used in rank code based cryptography. The third approach, proposed by Gaborit et al. [14], considers the linearized q-polynomials introduced by Ore [32].
We summarize the existing combinatorial and algebraic attacks with their conditions and complexities in Tables 1 and 2 respectively.
Post-quantum Security. Bernstein [5] showed that the exponential term in the decoding complexity should be square-rooted when Grover’s algorithm is run on a quantum computer. Therefore, we use this method to evaluate the post-quantum security of our scheme in Sect. 6.
3 A New Code: \(\varvec{\lambda }\)-Gabidulin Codes
In this section, we discuss the motivation to construct a new rank code, \(\varvec{\lambda }\)-Gabidulin codes. We also prove some of its properties and propose a decoding algorithm for \(\varvec{\lambda }\)-Gabidulin codes.
3.1 \(\varvec{\lambda }\)-Gabidulin Codes Construction
Our construction of \(\varvec{\lambda }\)-Gabidulin codes is in a linearized polynomial setting, which is similar to the construction of generalized Reed-Solomon codes in the polynomial setting. We recall the definitions of Reed-Solomon codes and generalized Reed-Solomon codes.
Definition 9
(Reed-Solomon (RS) Codes [40] & Generalized RS Codes [30, Ch. 10, Sec. 8]). Let \(\varvec{g'} = (g'_1,\ldots , g'_n) \in \mathbb {F}_{q}^n\) where the \(g'_i\) are pairwise distinct and \(\varvec{\lambda } = (\lambda _1,\ldots ,\lambda _n) \in \mathbb {F}_q^n\) where each \(\lambda _i \ne 0\). The Reed-Solomon code \(RS_{n,k} (\varvec{g'})\) over \(\mathbb {F}_{q}\) of dimension k and generator vector \(\varvec{g'}\) is the code generated by the matrix \(G_{RS}\) of the form
The generalized Reed-Solomon codes \(GRS_{n,k} (\varvec{g'}_{\varvec{\lambda }})\) over \(\mathbb {F}_{q}\) of dimension k associated with \(\varvec{g'}\) and \(\varvec{\lambda }\) is the code generated by matrix \(G_{GRS}\) of the form
For all \((f'_0,\ldots ,f'_{k-1}) \in \mathbb {F}_q^k\), we can rewrite a codeword \(\varvec{c}_{RS} \in RS_{n,k} (\varvec{g'})\) as
where \(F'(z) = \sum _{i=0}^{k-1} f'_i z^{i}\). Using similar notation, \(\varvec{c}_{GRS} \in GRS_{n,k} (\varvec{g'}_{\varvec{\lambda }})\) can be written as
Recall that a codeword \(\varvec{c} \in \text {Gab}_{n,k} (\varvec{g})\) can be written in the form of (2):
where \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\). Comparing (2) and (6), we notice that the difference between them is the involvement of linearized polynomial F(z) in (2) and polynomial \(F'(z)\) in (6).
We can now construct a code whose codewords have a form similar to (7), except that the polynomial \(F'(z)\) is replaced with a linearized polynomial F(z).
Definition 10
(\(\varvec{\lambda }\)-Gabidulin Codes). Let \(\varvec{g} = (g_1,\ldots , g_n) \in \mathbb {F}_{q^m}^n\) be linearly independent over \(\mathbb {F}_q\) and \(\varvec{\lambda } = (\lambda _1, \lambda _2, \ldots , \lambda _n) \in \mathbb {F}_{q^m}^n\). The \(\varvec{\lambda }\)-Gabidulin code \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) over \(\mathbb {F}_{q^m}\) of dimension k associated with vector \(\varvec{g}\) and \(\varvec{\lambda }\) is the code generated by matrix \(G_{\varvec{\lambda }}\) of the form
Now, we can rewrite a codeword \(\varvec{c} = (f_0,\ldots ,f_{k-1}) G_{\varvec{\lambda }} \in \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) as
where \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\). Notice from (9) that such construction replaces the polynomial \(F'(z)\) in (7) with linearized polynomial F(z).
Table 3 summarizes the relations between \(\varvec{\lambda }\)-Gabidulin codes, Gabidulin codes, Reed-Solomon Codes and generalized Reed-Solomon Codes:
3.2 \(\varvec{\lambda }\)-Gabidulin Codes Construction
Our construction of \(\varvec{\lambda }\)-Gabidulin codes in fact does not share the weakness of Gabidulin codes (Lemma 4), i.e., it does not contain a large vector space invariant under the Frobenius automorphism as defined in Definition 7.
Consider a generator \(G_{\varvec{\lambda }}\) for \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) and apply the map \(\varLambda _i\) to \(G_{\varvec{\lambda }}\); we have
It is possible for us to choose some \(\varvec{\lambda } \in \mathbb {F}_{q^m}^n\) such that
for \(1 \le j \le n-1\) and \(\dim \left( \ker \left( \varLambda _i (G_{\varvec{\lambda }}) \right) \right) \ne 1\) for all \(i \le n\). Therefore, Overbeck’s attack [37] is not useful against \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) with this property.
We now deduce a parity check matrix for \(G_{\varvec{\lambda }}\).
Proposition 1
Let \(H\in \mathbb {F}_{q^m}^{(n-k)\times n}\) in the form of
be a parity check matrix for G (as in (1)) which generates \(\text {Gab}_{n,k} (\varvec{g})\). Then
is a parity check matrix for \(G_{\varvec{\lambda }}\).
Proof
Given H a parity check matrix for G, we have \(GH^T = \varvec{0}\). Rewrite \(G_{\varvec{\lambda }} = G \varDelta \), \(H_{\varvec{\lambda }} = H \varDelta ^{-1}\) where \(\varDelta = \left[ \begin{array}{ccc} \lambda _1 &{} &{} \varvec{0} \\ &{} \ddots &{} \\ \varvec{0} &{} &{} \lambda _n \\ \end{array} \right] \). Then \(G_{\varvec{\lambda }} H_{\varvec{\lambda }}^T = G \varDelta (H \varDelta ^{-1})^T= G \varDelta \left( \varDelta ^{-1}\right) ^T H^T = G H^T = \varvec{0}\). \(\Box \)
In fact, there exist \(\varvec{\lambda } \in \mathbb {F}_{q^m}^n\) for which the \(\varvec{\lambda }\)-Gabidulin code is not an MRD code.
Proposition 2
Let \(\alpha \in \mathbb {F}_{q^m}\) and \(\varvec{\lambda } = (\lambda _1,\ldots ,\lambda _n)\) be a vector over \(\mathbb {F}_{q^m}\) such that \(\left( \lambda _1^{-1}\alpha d_1,\ldots , \lambda _n^{-1} \alpha d_n \right) \in \text {Gab}_{n,k} (\varvec{g})\) where \((d_1,\ldots ,d_n) \in \mathbb {F}_q^n\), then \({\varvec{\lambda }}\)-Gabidulin code is not an MRD code. In particular, \(d_R^{\min } \left( \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }}) \right) = 1\).
Proof
Suppose that \(\alpha \in \mathbb {F}_{q^m}\) and \(\varvec{\lambda } = (\lambda _1,\ldots ,\lambda _n)\) is a vector over \(\mathbb {F}_{q^m}\) such that \(\left( \lambda _1^{-1}\alpha d_1,\ldots , \lambda _n^{-1} \alpha d_n \right) \in \text {Gab}_{n,k} (\varvec{g})\) where \((d_1,\ldots ,d_n) \in \mathbb {F}_q^n\), then there exists \(\varvec{m} \in \mathbb {F}_{q^m}^k\) such that
Consider \(\varvec{c} = \varvec{m} G_{\varvec{\lambda }}\), a codeword in \(\text {Gab}_{n,k} \left( \varvec{g}_{\varvec{\lambda }} \right) \); then
This implies that \(\text {rk}_q (\varvec{c}) = 1 < n-k+1\). Such \({\varvec{\lambda }}\)-Gabidulin code is not an MRD code. \(\Box \)
Recall from (9) that a codeword \(\varvec{c}= \varvec{f} G_{\varvec{\lambda }} \in \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) can be written as \((\lambda _1 F(g_1) ,\ldots , \lambda _n F(g_n))\) where \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\). Therefore, decoding a \(\varvec{\lambda }\)-Gabidulin code is not the same as decoding a Gabidulin code (for example, using the Berlekamp-Massey algorithm or the Euclidean algorithm). We need the following result to decode \(\varvec{\lambda }\)-Gabidulin codes:
Proposition 3
Let \(\varvec{\lambda } = (\lambda _1, \lambda _2, \ldots , \lambda _n) \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{\lambda }) = u\) and \(\varvec{x} = (x_1,\ldots ,x_n) \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{x}) = w\). Then
Proof
Let \(X = \text { span } \{ x_1, \ldots , x_n \} = \text { span }\{ y_1, \ldots , y_w\}\) where \(\{y_1,\ldots ,y_w\}\) is linearly independent. Also, let \(L=\text { span } \{\lambda _1,\ldots ,\lambda _n \}= \text { span }\{ \gamma _1,\ldots ,\gamma _u \}\) where \(\{ \gamma _1,\ldots ,\gamma _u \}\) is linearly independent. In \((\lambda _1 {x}_1, \ldots , \lambda _n {x}_n)\), each entry \(\lambda _i x_i\) is a linear combination of elements of \(\{ y_i \gamma _j : 1 \le i \le w, 1 \le j \le u \}\), whose span has dimension at most uw. \(\Box \)
Our new code \(\text {Gab}_{n,k} (\varvec{g_\lambda })\) has a decoding algorithm as described in the following:
Proposition 4
Let \(\varvec{g} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{g}) = n\), \(\varvec{\lambda } \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{\lambda }) = u\) and \(r = \left\lfloor \frac{n-k}{2} \right\rfloor \ge u\). Then there exists a decoding algorithm for \(\text {Gab}_{n,k} \left( \varvec{g}_{\varvec{\lambda }} \right) \) with error-correcting capability up to \(\frac{r}{u}\) and decoding complexity of \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\).
Proof
There are two parts in the decoding algorithm for \(\text {Gab}_{n,k}(\varvec{g_\lambda })\). The first part is to multiply each coordinate of the received vector \(\varvec{y}=(y_1,\ldots ,y_n)\) by \(\lambda _i^{-1}\). Then we can apply any decoding algorithm for the Gabidulin code \(\text {Gab}_{n,k}(\varvec{g})\) to \((y_1 \lambda _1^{-1},\ldots ,y_n \lambda _n^{-1})\). To be more precise, let \(\varvec{c}\) be a codeword in \(\text {Gab}_{n,k} \left( \varvec{g}_{\varvec{\lambda }} \right) \) and \(\varvec{e} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{e}) \le \frac{r}{u}\). Then there exists \(\varvec{f} \in \mathbb {F}_{q^m}^k\) such that \(\varvec{c} = \varvec{f}G_{\varvec{\lambda }}\). Let \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\); then the received vector \(\varvec{y}\) can be written as
Multiplying each entry of \(\varvec{y}\) with \(\lambda _i^{-1}\) for \(i=1,\ldots ,n\):
Notice that \(\varvec{\hat{c}} := ( F(g_1),\ldots , F(g_n))\) is a codeword in \(\text {Gab}_{n,k} (\varvec{g})\). If the vector \(\varvec{\hat{e}} := (\lambda _1^{-1} e_1,\ldots , \lambda _n^{-1} e_n)\) has rank less than or equal to r, then we can decode \(\varvec{\hat{y}}\) and recover \(\hat{\varvec{c}}\). By Proposition 3, \(\text {rk}_q (\varvec{\hat{e}}) \le \text {rk}_q (\varvec{e}) \times \text {rk}_q (\varvec{\lambda }) \le \frac{r}{u} \times u = r\). Therefore we can recover \(\hat{\varvec{c}}\) and thus recover \(\varvec{c}\) by multiplying each entry with \(\lambda _i\).
Since the first part consists of n multiplications in \(\mathbb {F}_{q^m}\), the complexity of the first part is O(n). For the second part, the complexity is \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\) by using sub-quadratic decoding of Gabidulin codes in [38]. Therefore, the total complexity to decode \(\varvec{\lambda }\)-Gabidulin codes is \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\). \(\Box \)
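The following worked example is added here and is not the paper’s own code. It implements, over the constructed field \(\mathbb {F}_{2^8}\) (AES polynomial \(x^8+x^4+x^3+x+1\)), the rank of a vector over \(\mathbb {F}_q\) from Definition 1, the Frobenius stack \(\varLambda _i\) of Definition 7 applied to a Gabidulin generator (Lemma 4) and to a \(\varvec{\lambda }\)-Gabidulin generator (the property claimed in Sect. 3.2), and the first step of the decoding algorithm of Proposition 4 together with the rank bound of Proposition 3. All parameters are assumptions chosen for illustration: \((n,k) = (6,2)\), \(\varvec{g} = (1, z, \ldots , z^5)\), \(\gamma = z\), and a \(\varvec{\lambda }\) that takes \(\gamma \) on three positions and \(\gamma ^{-1}\) on the other three. That balanced choice goes slightly beyond the text (the paper picks each \(\lambda _i\) at random): with three \(\mathbb {F}_q\)-independent evaluation points in each half, a linearized polynomial of q-degree at most 2 cannot vanish on either half, which forces all \(2k\) rows of \(\varLambda _1(G_{\varvec{\lambda }})\) to be independent, whereas \(\varLambda _1(G)\) has dimension \(k+1\) as Lemma 4 states.

```python
# Added example (not the paper's code): rank over F_q (Definition 1), the Frobenius stack
# Lambda_i of a Gabidulin vs a lambda-Gabidulin generator (Lemma 4, Sect. 3.2), and the
# unscrambling step of Proposition 4. F_{2^8} and all parameters are constructed here.
from functools import reduce

M = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over F_2 (the AES field)

def gf_mul(a, b):
    """Product in F_{2^8}: carry-less multiply, reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r

def gf_inv(a):
    """a^{-1} = a^(2^m - 2) by square-and-multiply; a must be nonzero."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def frob(a, i=1):
    """a^{[i]} = a^{q^i}: for q = 2, i successive squarings."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def rank_q(vec):
    """Definition 1: rank over F_2 of the coordinates viewed as m-bit vectors."""
    basis = {}  # XOR elimination; basis vectors keyed by leading bit
    for x in vec:
        while x:
            h = x.bit_length() - 1
            if h not in basis:
                basis[h] = x
                break
            x ^= basis[h]
    return len(basis)

def rank_qm(rows):
    """Rank over F_{2^8} of a matrix given as a list of rows (Gauss-Jordan)."""
    rows, rank = [list(r) for r in rows], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_inv(rows[rank][c])
        rows[rank] = [gf_mul(inv, v) for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][c]:
                f = rows[i][c]
                rows[i] = [v ^ gf_mul(f, p) for v, p in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def generator(g, k, lam=None):
    """Row i is (lam_j * g_j^{[i]})_j: Gab_{n,k}(g) for lam=None, Gab_{n,k}(g_lambda) otherwise."""
    lam = lam or [1] * len(g)
    return [[gf_mul(lam[j], frob(g[j], i)) for j in range(len(g))] for i in range(k)]

def frobenius_stack(G, i):
    """Lambda_i(G): rows of G^{([0])}, ..., G^{([i])} stacked (Definition 7)."""
    return [[frob(v, s) for v in row] for s in range(i + 1) for row in G]

def vec_mat(f, G):
    """Row vector f times matrix G over F_{2^8} (sum is XOR in characteristic 2)."""
    return [reduce(lambda x, y: x ^ y, (gf_mul(fi, row[j]) for fi, row in zip(f, G)), 0)
            for j in range(len(G[0]))]

# Constructed parameters: g = (1, z, ..., z^5) has rk_q(g) = n = 6; gamma = z is not in F_2;
# lambda takes gamma on three positions and gamma^{-1} on the other three.
N, K, GAMMA = 6, 2, 2
G_VEC = [1 << j for j in range(N)]
LAM = [GAMMA] * 3 + [gf_inv(GAMMA)] * 3

def frobenius_dims(i=1):
    """(dim Lambda_i(G), dim Lambda_i(G_lambda)); Lemma 4 gives k + i for the first."""
    return (rank_qm(frobenius_stack(generator(G_VEC, K), i)),
            rank_qm(frobenius_stack(generator(G_VEC, K, LAM), i)))

def unscramble(y, lam):
    """First step of Proposition 4: multiply coordinate i of y by lambda_i^{-1}."""
    return [gf_mul(gf_inv(l), v) for l, v in zip(lam, y)]

def decoding_step_demo():
    """Encode f with G_lambda, add a rank-1 error, unscramble, and return
    (rk_q(e), rk_q(lambda), rk_q(e_hat)) for the residual e_hat = y_hat - f G (Prop. 3)."""
    f = [0x57, 0x83]  # constructed message coefficients f_0, f_1
    c_lam = vec_mat(f, generator(G_VEC, K, LAM))  # (lambda_j F(g_j))_j
    c_hat = vec_mat(f, generator(G_VEC, K))       # (F(g_j))_j, a word of Gab_{n,k}(g)
    e = [0xA7 if d else 0 for d in (1, 0, 1, 0, 0, 1)]  # constructed, rk_q(e) = 1
    y_hat = unscramble([a ^ b for a, b in zip(c_lam, e)], LAM)
    e_hat = [a ^ b for a, b in zip(y_hat, c_hat)]
    return rank_q(e), rank_q(LAM), rank_q(e_hat)
```

Calling `frobenius_dims(1)` returns `(3, 4)`: the Gabidulin stack collapses to \(k+1\) rows because \(G^{([1])}\) shares its first row with \(G\), while the \(\varvec{\lambda }\)-Gabidulin stack keeps all \(2k\) rows. `decoding_step_demo()` returns `(1, 2, 2)`: a rank-1 error becomes a rank-2 error after unscrambling, matching the bound \(\text {rk}_q(\hat{\varvec{e}}) \le \text {rk}_q(\varvec{e}) \cdot \text {rk}_q(\varvec{\lambda })\) of Proposition 3; the Gabidulin decoder of [38] (not implemented here) is then applied to \(\hat{\varvec{y}}\).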
4 New Public-Key Encryption on \(\varvec{\lambda }\)-Gabidulin Codes
The \(\varvec{\lambda }\)-Gabidulin code does not contain a large vector space invariant under the Frobenius automorphism for proper choices of \(\varvec{\lambda }\); hence we propose a new Gabidulin-like code encryption, namely LG encryption, based on \(\varvec{\lambda }\)-Gabidulin codes with a scrambler matrix built from the elements of \(\varvec{\lambda }\). We first prove a result related to the choice of our scrambler matrix P:
Proposition 5
Let \(\gamma \in \mathbb {F}_{q^m} \setminus \mathbb {F}_q\) and \(\varvec{\lambda } = (\lambda _1, \lambda _2, \ldots , \lambda _n)\) such that for \(i=1,\ldots , n\), \(\lambda _i \in \left\{ \gamma , \gamma ^{-1} \right\} \). Define \(P := \left[ P_1, \ldots , P_n \right] \) to be an \(n \times n\) invertible matrix with entries of the form \(c \gamma \) or \(c \gamma ^{-1}\) where \(c \in \mathbb {F}_q\), and let \(\varDelta \) be the diagonal matrix with entries \(\varDelta _{ii} = \lambda _i\) for \(i=1,\ldots ,n\). Let \(\varvec{x} = (x_1,\ldots ,x_n) \in \mathbb {F}_{q^m}^n\) such that \(\text {rk}_q (\varvec{x}) = t\). Then \(\text {rk}_q \left( \varvec{x} P^{-1} \varDelta ^{-1} \right) \le 3t\).
Proof
Consider the matrix \(P^{-1} \varDelta ^{-1}\); each entry of \(P^{-1} \varDelta ^{-1}\) is a linear combination of the elements of the set
Let \(X = \text { span } \{ x_1, \ldots , x_n \}\) be generated by \(\{ y_1, \ldots , y_t\}\), since \(\text {rk}_q(\varvec{x}) = t\). Then each entry of \(\varvec{x}P^{-1} \varDelta ^{-1}\) belongs to the span of the elements in
which has dimension at most 3t. \(\Box \)
We also need the following properties for our public-key encryption scheme:
Definition 11
An [n, k]-linear code \(\mathcal {C} \subseteq \mathbb {F}_{q^m}^n\) is called an (s, t, l)-intersecting code if
Remark
Note that for \(1 \le t \le n-k-1\), \(\text {Gab}_{n,k} (\varvec{g})\) is a \((1,t,(t-1)(k-1))\)-intersecting code, since
4.1 Description of the Encryption Scheme
Generate global parameters \(m \ge n > k\) and parameters r and a such that \(k \not \mid n-1\), \(r = \left\lfloor \frac{n-k}{2} \right\rfloor \), \(a = \left\lfloor \frac{r}{3} \right\rfloor \) and \(ak \ge n\). The plaintext space is \(\mathbb {F}_{q^m}^k\). Output parameter \(=(m,n,k,r,a)\).
Generate random \(S \in \text {GL}_k (\mathbb {F}_{q^m})\). Form \(G_{\varvec{\lambda }} P\) by
- i. generating randomly \(\gamma \in \mathbb {F}_{q^m} \setminus \mathbb {F}_q\) such that \(\gamma ^2 \ne 1\), \(\left( \gamma ^{-1} \right) ^2 \ne 1\) and \(\gamma \ne \gamma ^{-1}\), and forming \(\varvec{\lambda } = \left( \lambda _1 ,\ldots ,\lambda _n \right) \) where each \(\lambda _i\) is picked randomly from \(\left\{ \gamma , \gamma ^{-1} \right\} \);
- ii. generating randomly \(\varvec{g} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{g}) = n\), then constructing \(G_{\varvec{\lambda }}\) in the form of (8) as a generator of length n and dimension k;
- iii. generating randomly an \(n \times n\) invertible matrix P whose inverse \(P^{-1}\) has entries from \(\{ c\gamma , c\gamma ^{-1} : c \in \mathbb {F}_q \}\);
such that for all s relatively prime to m, the code generated by \(G_{\varvec{\lambda }} P\) is (s, a, 0)-intersecting. Compute
Output the public key \(\kappa _{pub} = (G_\mathsf{pub},r)\) and the secret key \(\kappa _{pvt} = (S,\varvec{g},\varvec{\lambda },P)\).
Given the plaintext \( \varvec{m} \in \mathbb {F}_{q^m}^k\) to be encrypted, choose a random vector \(\varvec{e} \in \mathbb {F}_{q^m}^{n}\) such that \(\text {rk}_q (\varvec{e})=a\). Compute and output the ciphertext \(\varvec{y} = \varvec{m}G_\mathsf{pub}+ \varvec{e}\).
Given the received ciphertext \(\varvec{y}\), let \(\varDelta \) be the diagonal matrix with entries \(\varDelta _{ii} = \lambda _i\) for \(i=1,\ldots ,n\). Compute \(P^{-1}\) and \(\varvec{y}P^{-1}\varDelta ^{-1} \). Decode \(\varvec{y}P^{-1}\varDelta ^{-1}\) with respect to \(\text {Gab}_{n,k} (\varvec{g})\) to recover \(\varvec{m}S\). We can then recover \(\varvec{m}\) by multiplying by \(S^{-1}\).
Correctness. The correctness of our encryption scheme relies on the decoding capability of the code \(\text {Gab}_{n,k} (\varvec{g})\). Let \(\varvec{\hat{e}} := \varvec{e}P^{-1} = (\hat{e}_1,\ldots ,\hat{e}_n)\) and G be of the form of (1), then
By Proposition 5, we have \(\text {rk}_q \left( \left( \lambda _1^{-1} \hat{e}_1,\ldots ,\lambda _n^{-1} \hat{e}_n \right) \right) \le a \times 3 \le r\) where r is the error correcting capability of \(\text {Gab}_{n,k} (\varvec{g})\), then we can decode \(\varvec{y}P^{-1}\varDelta ^{-1}\) correctly to recover \(\varvec{m}S\). Finally, compute \(\varvec{m}=\varvec{m}SS^{-1}\) to recover \(\varvec{m}\).
4.2 A Toy Example of \(G_{\varvec{\lambda }}P\) in LG Encryption
Let \((m,n,k,r,a)=(29,25,13,6,2)\). Let z be the primitive element in \(\mathbb {F}_{q^m}\). Generate random
and \(\varvec{g} = (g_1,g_1^{[1]},\ldots ,g_1^{[24]})\) where \(\text {rk}_q (\varvec{g}) = n\) and
Let P be the \(n \times n\) circulant matrix induced by the vector
We can verify that the code generated by matrix \(G_{\lambda } P\) is (s, a, 0)-intersecting for all s relatively prime to m.
5 Security Against Structural Attacks
We now show that the new encryption scheme with public key (10) is able to resist the structural attacks on the cryptosystems based on Gabidulin codes.
5.1 Overbeck’s Attack
Overbeck’s attack exploits the properties of Gabidulin codes which contains huge vector space invariant under the Frobenius automorphism. We consider the Frobenius map \(\varLambda _i\) on the \(G_\mathsf{pub}\):
Let \(G^{**} = \left[ \begin{array}{c} {G}_{\varvec{\lambda }}^{[0]} P^{[0]}\\ \vdots \\ {G}_{\varvec{\lambda }}^{[i]} P^{[i]} \\ \end{array} \right] \). The code generated by \(G_{\varvec{\lambda }}P\) is (1, a, 0)-intersecting. If \((i+1)k \ge n\), then \(\dim (G^{**}) \ge n\), which implies that \(\dim (G^{**}) = n\). If \((i+1)k < n\), then \(\dim (G^{**}) = (i+1)k\). Since \(k \not \mid n-1\), there does not exist i such that \((i+1)k = n-1\). Hence we know that \(\dim (G^{**}) \ne n-1\). Since \(\dim (G^{**}) \ne n-1\) for all i, we have \(\dim (\ker (G^{**})) \ne 1\). Overbeck’s attack will then fail.
5.2 Annulator Polynomial Attack
An adversary will consider an annulator polynomial for \(\varvec{e} \in \mathbb {F}_{q^m}^n\) and try to reconstruct \(\varvec{e}\) from \(f(\varvec{e})\). Since \( \text {rk}_q (\varvec{e}) = a \le \left\lfloor \frac{r}{3} \right\rfloor \), there exists a linearized polynomial f(x) of degree \(q^{a}\) of the form:
for some \(f_i \in \mathbb {F}_{q^m}\), such that
The linear system (11) consists of n equations with k variables from \(\varvec{m}\), a variables \(f_i\) and \(a\times k\) variables \(f_i m_j\) for \(i=0,\ldots , a-1\), \(j=1,\ldots , k\), giving a total of \(ak+k+a\) variables to be determined. Since \(ak \ge n\) by our choice of parameters, we have \(ak+k+a > n\); thus the complexity of solving the RSD problem for \(G_\mathsf{pub}\) is exponential.
5.3 Frobenius Weak Attack
Let \(\mathcal {C}\) be the code generated by \(G_\mathsf{pub}\), and let \(\varvec{y} = \varvec{m}G_\mathsf{pub}+ \varvec{e}\) with \(\text {rk}_q (\varvec{e}) = a\). Consider \(s< m\) such that \(\gcd (s,m) = 1\). First, an adversary will try to construct the matrix
If \( j < a\), then by Lemma 2, we have \(\left\langle \varvec{e}, \varvec{e}^{([s])}, \ldots , \varvec{e}^{([s(j-1)])} \right\rangle \ne \text {supp}(\varvec{e})\). Therefore, the adversary cannot obtain a parity check matrix H for \(\mathcal {U}\), where \(\mathcal {U}\) is the span of all elements of rank one in \(\mathcal {C}_{ext} := \sum _{i=0}^{a-1} \left( \mathcal {C} + \langle e \rangle \right) ^{[si]}\) such that \(\varvec{e}H^T = \varvec{0}\).
Hence, an adversary will instead construct \(G_{\mathsf{pub}_j}\) with \(j=a\), so that \(\left\langle \varvec{e}^{([0])}, \ldots , \varvec{e}^{([s(a-1)])} \right\rangle = \text {supp}(\varvec{e}) \subseteq \mathcal {U}\). The adversary will compute the space \(\mathcal {U}\) generated by the elements of rank one in \(\mathcal {C}_{ext}\) using Lemma 3. Since \(\bigcup _{i=0}^{a-1} \mathcal {C}^{([si])} \subset \mathcal {C}_{ext}\) and \(\mathcal {C}\) is an (s, a, 0)-intersecting code, we have
Therefore we have \(\dim _{\mathbb {F}_{q^m}} \left( \mathcal {C}_{ext} \right) =n\). Let \(\bar{G}\) be the generator matrix for \(\mathcal {C}_{ext}\) in reduced row echelon form. We then have
where \(\bar{G}_i\) denotes the ith row of \(\bar{G}\). Then for each i, \(\bar{G}_i^{([1])} - \bar{G}_i = \varvec{0}\). Thus the adversary is not able to compute the space \(\mathcal {U}\) using Lemma 3, and not able to determine its parity check matrix H. The Frobenius weak attack fails.
Remark
Since the structure of our \(\varvec{\lambda }\)-Gabidulin codes is similar to that of Gabidulin codes, we do not consider other attacks on cryptosystems based on LRPC codes, such as the attacks from [6, 27], as these attacks are not relevant to our cryptosystem.
6 Proposed Parameters
We performed simulations in Magma by generating 1000 random sets of \(\varvec{\lambda }\), \(G_{\lambda }\), P and \(G_{\varvec{\lambda }} P\) with parameters \((q,m,n,k,a)=(2,83,79,31,8)\) and the conditions of Key Generation \(\mathcal {K}_\mathtt{PE}\). We found that all of the codes with generator matrix \(G_{\varvec{\lambda }} P\) in the simulation are (s, a, 0)-intersecting for all s relatively prime to m. This indicates that a \(G_{\lambda }P\) with the required properties is easy to generate.
Recall that Tables 1 and 2 give the complexity of solving the \(\mathsf{RSD}\) problem using combinatorial attacks and algebraic attacks. In the calculations we replace the term r in the formulas with a. In addition, we take the square root of the exponential term when evaluating the post-quantum complexity of solving the \(\mathsf{RSD}\) problem. We suggest two sets of parameters, for \(2^{128}\) and \(2^{256}\) post-quantum security respectively, in Table 4. We consider the public key matrix \(G_\mathsf{pub}\) in systematic form, which gives a key size of \(\frac{k(n-k)m}{8} \log _2 (q)\) bytes. We denote the achieved post-quantum security as “PQ.Sec”.
We compare the Loi17 and DRANKULA encryption schemes with our encryption scheme, as these schemes are structurally similar (McEliece type) and differ only in the codes used. We also include the formula \(m^3 2^{\frac{a-1}{2} \left\lfloor ( k \min (m,n))/n \right\rfloor }\) for evaluating the complexity of attacks on \(\mathsf{RSD}\) in Table 5 (this formula is used in [29] to evaluate the complexity on a quantum computer).
Our LG Encryption using \(\varvec{\lambda }\)-Gabidulin codes has a smaller public key (17.85 KB) than Loidreau’s proposal (Loi17, 21.50 KB in [29]) and than DRANKULA (27.65 KB in [1]) at a similar post-quantum security level of \(2^{140}\).
7 Conclusion
This paper has proposed a new rank metric code, the \(\varvec{\lambda }\)-Gabidulin code, and a new McEliece type cryptosystem based on \(\varvec{\lambda }\)-Gabidulin codes as an alternative to the current rank metric code based cryptosystems. In particular, the public key matrix is the generator matrix of a \(\varvec{\lambda }\)-Gabidulin code multiplied by a scrambler matrix associated with \(\varvec{\lambda }\). Our encryption scheme can be converted into an IND-CCA2 encryption scheme via the security conversions proposed in [23]. As such we do not present security proofs but rather discuss the scheme’s structural security in resisting Overbeck’s attack, the annulator polynomial attack and the Frobenius weak attack. Moreover, our proposal has a smaller public key (17.85 KB) than Loidreau’s proposal (21.50 KB) in [29] and than DRANKULA (27.65 KB) in [1] at a similar post-quantum security level of \(2^{140}\).
References
Abdouli, A., et al.: DRANKULA: a McEliece-like rank metric based cryptosystem implementation. In: The Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE) 2018, vol. 2, pp. 64–75. SECRYPT (2018)
Aguilar, C., Blazy, O., Deneuville, J., Gaborit, P., Zémor, G.: Efficient encryption from random quasi-cyclic codes. IEEE Trans. Inf. Theory 64(5), 3927–3943 (2018)
Aragon, N., Gaborit, P., Hauteville, A., Tillich, J.-P.: A new algorithm for solving the rank syndrome decoding problem. In: The Proceedings of IEEE International Symposium on Information Theory (ISIT) 2018, pp. 2421–2425 (2018)
Chabaud, F., Stern, J.: The cryptographic security of the syndrome decoding problem for rank distance codes. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 368–381. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034862
Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 73–80. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_6
Debris-Alazard, T., Tillich, J.-P.: Two attacks on rank metric code-based schemes: RankSign and an IBE scheme. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 62–92. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_3
Faugère, J.-C., Levy-dit-Vehel, F., Perret, L.: Cryptanalysis of MinRank. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 280–296. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_16
Gabidulin, E.M.: Theory of codes with maximum rank distance. Probl. Peredachi Informatsii 21(1), 3–16 (1985)
Gabidulin, E.M.: Attacks and counter-attacks on the GPT public key cryptosystem. Des. Codes Cryptogr. 48(2), 171–177 (2008)
Gabidulin, E.M., Ourivski, A.V.: Modified GPT PKC with right scrambler. Electron. Notes Discret. Math. 6, 168–177 (2001)
Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Ideals over a non-commutative ring and their application in cryptology. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 482–489. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_41
Gabidulin, E.M., Rashwan, H., Honary, B.: On improving security of GPT cryptosystems. In: The Proceedings of IEEE International Symposium on Information Theory (ISIT) 2009, pp. 1110–1114 (2009)
Gaborit, P., Hauteville, A., Phan, D.H., Tillich, J.-P.: Identity-based encryption from codes with rank metric. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 194–224. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_7
Gaborit, P., Ruatta, O., Schrek, J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inf. Theory 62(2), 1006–1019 (2016)
Gaborit, P., Ruatta, O., Schrek, J., Zémor, G.: New results for rank-based cryptography. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 1–12. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06734-6_1
Gaborit, P., Zémor, G.: On the hardness of the decoding and the minimum distance problems for rank codes. IEEE Trans. Inf. Theory 62(12), 7245–7252 (2016)
Galvez, L., Kim, J., Kim, M.J., Kim, Y., Lee, N.: McNie: compact McEliece-Niederreiter Cryptosystem. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/McNie.zip
Gibson, J.K.: Severely denting the Gabidulin version of the McEliece public-key cryptosystem. Des. Codes Cryptogr. 6(1), 37–45 (1995)
Goubin, L., Courtois, N.T.: Cryptanalysis of the TTM cryptosystem. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 44–57. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_4
Horlemann-Trautmann, A., Marshall, K., Rosenthal, J.: Extension of Overbeck’s attack for Gabidulin based cryptosystems. Des. Codes Cryptogr. 86(2), 319–340 (2018)
Horlemann-Trautmann, A., Marshall, K., Rosenthal, J.: Considerations for rank-based cryptosystems. In: IEEE International Symposium on Information Theory (ISIT) 2016, pp. 2544–2548 (2016)
Kim, J., Galvez, L., Kim, Y.-S., Lee, N.: A new LRPC-Kronecker product codes based public-key cryptography. In: The Proceedings of the 5th ACM on Asia Public-Key Cryptography Workshop (APKC) 2018, pp. 25–33 (2018)
Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems -conversions for McEliece PKC -. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 19–35. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_2
Levy-dit-Vehel, F., Perret, L.: Algebraic decoding of rank metric codes. In: The Proceedings of Yet Another Conference on Cryptography (YACC) 2006, pp. 142–152 (2006)
Lau, T.S.C., Tan, C.H.: A new encryption scheme based on rank metric codes. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 750–758. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_43
Lau, T.S.C., Tan, C.H.: A new technique in rank metric code-based encryption. Cryptography 2(4), 32 (2018)
Lau, T.S.C., Tan, C.H.: Key recovery attack on McNie based on low rank parity check codes and its reparation. In: Inomata, A., Yasuda, K. (eds.) IWSEC 2018. LNCS, vol. 11049, pp. 19–34. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-97916-8_2
Loidreau, P.: Designing a rank metric based McEliece cryptosystem. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 142–152. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_11
Loidreau, P.: A new rank metric codes based encryption scheme. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 3–17. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_1
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes. Elsevier, North-Holland, Amsterdam (1977)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. The Deep Space Network Progress Report 42-44, Jet Propulsion Laboratory, Pasadena, pp. 114–116 (1978)
Ore, O.: On a special class of polynomials. Trans. Am. Math. Soc. 35(3), 559–584 (1933)
Otmani, A., Kalachi, H.T., Ndjeya, S.: Improved cryptanalysis of rank metric schemes based on Gabidulin codes. Des. Codes Cryptogr. 86(9), 1983–1996 (2018)
Ourivski, A.V., Gabidulin, E.M.: Column scrambler for the GPT cryptosystem. Discret. Appl. Math. 128, 207–221 (2003)
Ourivski, A.V., Johansson, T.: New technique for decoding codes in the rank metric and its cryptography applications. Probl. Inf. Transm. 38(3), 237–246 (2002)
Overbeck, R.: Extending Gibson’s attacks on the GPT cryptosystem. In: Ytrehus, Ø. (ed.) WCC 2005. LNCS, vol. 3969, pp. 178–188. Springer, Heidelberg (2006). https://doi.org/10.1007/11779360_15
Overbeck, R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008)
Puchinger, S., Wachter-Zeh, A.: Sub-quadratic decoding of Gabidulin codes. In: IEEE International Symposium on Information Theory (ISIT) 2016, pp. 2554–2558 (2016)
Rashwan, H., Gabidulin, E.M., Honary, B.: Security of the GPT cryptosystem and its applications to cryptography. Secur. Commun. Netw. 4(8), 937–946 (2011)
Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. (SIAM) 8(2), 300–304 (1960)
© 2019 Springer Nature Switzerland AG
Lau, T.S.C., Tan, C.H. (2019). A New Gabidulin-Like Code and Its Application in Cryptography. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E. (eds) Codes, Cryptology and Information Security. C2SI 2019. Lecture Notes in Computer Science(), vol 11445. Springer, Cham. https://doi.org/10.1007/978-3-030-16458-4_16
Print ISBN: 978-3-030-16457-7
Online ISBN: 978-3-030-16458-4