
1 Introduction

In 1978, McEliece [31] proposed a public-key cryptosystem based on Goppa codes in the Hamming metric. The idea of the McEliece cryptosystem is to hide the structure of the generator matrix G of a decodable code with a random invertible matrix S and a random permutation matrix P, and to publish the matrix \(G_\mathsf{pub}= SGP\). Although his design has efficient encryption and decryption, it involves a significantly large public key. To tackle this problem, several modifications of the scheme have been proposed. One approach to overcoming the large public key size of schemes in the Hamming metric is to consider an alternative metric, namely the rank metric. In 1985 Gabidulin [8] introduced the rank metric and Gabidulin codes, together with an efficient decoding algorithm. Gabidulin codes are usually seen as the rank-metric analogue of Reed-Solomon codes in the Hamming metric; both are highly structured. Later, Gabidulin, Paramonov, and Tretjakov used Gabidulin codes to propose the first rank-metric-based cryptosystem, namely GPT [11].

However, due to the rich structure of Gabidulin codes, cryptosystems based on them have alternately been attacked and modified. The first structural attack on the initial GPT system was given by Gibson [18], who exploited the structure of Gabidulin codes and of the distortion matrix in GPT. Variants of GPT were then designed to resist Gibson's attack: a modified GPT with a right scrambler was proposed in [10, 34], but it was cryptanalyzed by Overbeck by extending Gibson's attacks [36]. In the same paper, Overbeck introduced a modified cryptosystem, the generalized GPT (GGPT), to resist Gibson's attacks. Yet, since Gabidulin codes contain a large subspace invariant under the Frobenius automorphism, Overbeck [37] succeeded in cryptanalyzing all the previous cryptosystems based on Gabidulin codes. Despite further GGPT variants proposed in [9, 12, 28, 39] to resist Overbeck's attack, these variants were shown to be insecure against more recent structural attacks, such as the extension of Overbeck's attack [20], the reduction attack on GGPT [33], and the Frobenius weak attack [21].

More recently, several encryption schemes based on Gabidulin codes have been proposed. Loidreau [29] considered a McEliece-type cryptosystem based on Gabidulin codes with a scrambler matrix P whose inverse \(P^{-1}\) has its entries in a w-dimensional subspace of \(\mathbb {F}_{q^m}\). This cryptosystem was then implemented in DRANKULA [1]. Also, Lau and Tan [25, 26] introduced a new technique to construct McEliece-type encryption schemes based on any generic decodable code. Apart from these McEliece-type cryptosystems based on Gabidulin codes, there are other encryption schemes, such as [2, 13], that do not hide the structure of the generator matrix and use other techniques to construct the encryption. Moreover, there are encryption schemes that combine the ideas of the McEliece and Niederreiter cryptosystems, such as [17, 27].

Although there are other techniques for constructing code-based encryption schemes, whether a secure McEliece-type cryptosystem can be built from alternative rank codes is still of interest in the research community. In 2014, Low Rank Parity Check (LRPC) codes were proposed to construct a McEliece-type encryption scheme [15]. Later, in 2018, Kim et al. [22] extended LRPC codes into new LRPC-Kronecker product codes and proposed a McEliece-type encryption scheme based on them.

The main contribution of this paper is a new rank metric code, the \(\varvec{\lambda }\)-Gabidulin code, which extends the Gabidulin code. The \(\varvec{\lambda }\)-Gabidulin code is the rank-metric analogue of the generalized Reed-Solomon code: it is obtained by multiplying the columns of the generator matrix by elements of \(\mathbb {F}_{q^m}\). We show that the \(\varvec{\lambda }\)-Gabidulin code is decodable when certain conditions are met, and use this property to construct a new code-based cryptosystem on \(\varvec{\lambda }\)-Gabidulin codes. The paper is organized as follows. Sect. 2 reviews basic facts and definitions on the rank metric and Gabidulin codes. Sect. 3 introduces the new rank metric code, the \(\varvec{\lambda }\)-Gabidulin code. Sect. 4 proposes a new Gabidulin-like public-key encryption scheme based on it. Sect. 5 discusses its security against existing attacks. Sect. 6 suggests parameters for our proposal and shows that it has a smaller public key than Loidreau's proposal in [29] and DRANKULA in [1]. Finally, Sect. 7 concludes the paper.

2 Background on Rank Metric and Gabidulin Codes

In this section we recall the definition of rank metric and some related results, which are the core of rank metric based cryptosystems.

2.1 Rank Metric

Let \(\mathbb {F}_{q^m}\) be a finite field with \(q^m\) elements and let \(\{ \beta _1, \ldots , \beta _m \}\) be a basis of \(\mathbb {F}_{q^m}\) over the base field \(\mathbb {F}_q\), where q is a prime power.

Definition 1

Let \(\varvec{x} = (x_1,\ldots , x_n) \in \mathbb {F}_{q^m}^n\). The rank of \(\varvec{x}\) over \(\mathbb {F}_q\), denoted by \(\text {rk}_q (\varvec{x})\), is the rank of the matrix \(X=\left[ x_{ij} \right] \in \mathbb {F}_q^{m \times n}\) where \(x_j = \sum _{i=1}^m x_{ij} \beta _i\).

Equivalently, the rank of \(\varvec{x}\) is the dimension over \(\mathbb {F}_q\) of the subspace of \(\mathbb {F}_{q^m}\) which is spanned by the coordinates of \(\varvec{x}\). Note that the rank of a vector is a norm and is independent of the chosen basis.

Definition 2

The rank distance between \(\varvec{x},\varvec{y} \in \mathbb {F}_{q^m}^n\) is defined to be

$$\begin{aligned} d_R (\varvec{x},\varvec{y}) = \text {rk}_q (\varvec{x}-\varvec{y}). \end{aligned}$$

If \(\mathcal {C}\) is a linear code, the minimum rank distance of \(\mathcal {C}\), is defined by

$$\begin{aligned} d_R^{\min } (\mathcal {C}) := \min _{\varvec{c} \in \mathcal {C}} \{d_R (\varvec{c}, \varvec{0}) \mid \varvec{c} \ne \varvec{0} \}. \end{aligned}$$

The Singleton bound for rank-metric codes is given by the inequality

$$\begin{aligned} d_R^{\min } (\mathcal {C}) \le n- \dim (\mathcal {C}) + 1. \end{aligned}$$

Definition 3

A rank-metric code satisfying the Singleton bound is called a maximum rank-distance (MRD) code.

We now state a few results related to the rank metric, in particular the concept of Grassmann support, which is important for the security analysis in Sect. 5.

Lemma 1

Let \(\varvec{x} \in \mathbb {F}_{q^m}^n\) such that \(\text {rk}_q(\varvec{x}) = r \le n\), then there exists \(\hat{\varvec{x}} \in \mathbb {F}_{q^m}^r\) with \(\text {rk}_q (\hat{\varvec{x}} ) = r\) and \(U \in \mathbb {F}_q^{ r\times n}\) with \(\text {rk}(U) = r\) such that \(\varvec{x} = \hat{\varvec{x}} U\). This decomposition is unique up to \(\text {GL}_r (\mathbb {F}_q)\)-operation between \(\hat{\varvec{x}} \) and U.

Notation

We denote by \([i] := q^i\) the ith Frobenius power. For \(M=\left[ M_{a,b}\right] \in \mathbb {F}_{q^m}^{k \times n}\), we denote \(M^{([i])} := \left[ M_{a,b}^{[i]} \right] \in \mathbb {F}_{q^m}^{k \times n}\). Also, for any set \(S \subset \mathbb {F}_{q^m}^n\), we denote \(S^{([l])} := \{ \varvec{s}^{([l])} \mid \varvec{s} \in S \}\). For a matrix U over \(\mathbb {F}_q\), we denote by \(\langle U \rangle _{\mathbb {F}_{q^m}}\) the row span of U over \(\mathbb {F}_{q^m}\). By abuse of notation, for vectors \(\varvec{u_1},\ldots ,\varvec{u_j}\) over \(\mathbb {F}_{q^m}\), we denote by \(\langle \varvec{u_1},\ldots ,\varvec{u_j} \rangle _{\mathbb {F}_{q^m}}\) the \(\mathbb {F}_{q^m}\)-span of the vectors \(\varvec{u_1},\ldots ,\varvec{u_j}\).

Definition 4

Let \(\varvec{x} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q(\varvec{x}) = r \le n\) and decomposition \(\varvec{x} = \hat{\varvec{x}} U\) as in Lemma 1. We call U a Grassmann support matrix for \(\varvec{x}\) and \(\langle U \rangle _{\mathbb {F}_{q^m}}\) the Grassmann support of \(\varvec{x}\).

Lemma 2

([20, 21]). Let \(\varvec{x} \in S \subseteq \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{x}) = r \le n\), and s be an integer such that \(\gcd (s,m) = 1\). Then

$$\begin{aligned} \text {supp}(\varvec{x}) = \left\langle \varvec{x}, \varvec{x}^{([s])}, \ldots , \varvec{x}^{([s(r-1)])} \right\rangle _{\mathbb {F}_{q^m}} \subseteq \sum _{i=0}^{r-1} S^{([si])}. \end{aligned}$$

Horlemann-Trautmann et al. [20] efficiently computed the elements of rank one in an \(\mathbb {F}_{q^m}\)-linear code \(\mathcal {C} \subseteq \mathbb {F}_{q^m}^n\) with the following lemma:

Lemma 3

([20]). Let \(G \in \mathbb {F}_{q^m}^{k \times n}\) be a generator matrix for a code \(\mathcal {C}\) in reduced row echelon form. Denote \(G_i\) as the ith row of G. Then

  • All elements of rank one in \(\langle G \rangle _{\mathbb {F}_{q^m}}\) are multiples of the elements in

    $$\begin{aligned} \mathcal {C}^* := \langle G \rangle _{\mathbb {F}_{q^m}} \cap \mathbb {F}_q^n. \end{aligned}$$
  • The elements in \(\mathcal {C}^*\) are in one-to-one correspondence with the solutions of

    $$\begin{aligned} \sum _{i=1}^{k} a_i \left[ G_i^{([1])} - G_i \right] = \varvec{0}, \quad \text {where } a_i \in \mathbb {F}_q. \end{aligned}$$
  • Computing the solutions of this system requires \(O(kmn^2)\) operations in \(\mathbb {F}_q\).

2.2 Gabidulin Codes

We now give the definition and some properties of Gabidulin codes as they will be used to construct our new code in Sect. 3.

Definition 5

(Gabidulin Codes, [8]). Let \(\varvec{g} = (g_1,\ldots , g_n) \in \mathbb {F}_{q^m}^n\) be linearly independent over \(\mathbb {F}_q\). The Gabidulin code, \(\text {Gab}_{n,k} (\varvec{g})\) over \(\mathbb {F}_{q^m}\) of dimension k and generator vector \(\varvec{g}\) is the code generated by matrix G of the form

$$\begin{aligned} G = \left[ \begin{array}{cccc} g_1 &{} g_2 &{} \ldots &{} g_n \\ g_1^{[1]} &{} g_2^{[1]} &{} \ldots &{} g_n^{[1]} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ g_1^{[k-1]} &{} g_2^{[k-1]} &{} \ldots &{} g_n^{[k-1]} \\ \end{array} \right] . \end{aligned}$$
(1)

Gabidulin [8] showed that the error-correcting capability of \(\text {Gab}_{n,k} (\varvec{g})\) is \(r = \lfloor \frac{n-k}{2} \rfloor \). Moreover, it was also shown that a Gabidulin code is an MRD code if and only if \(m \ge n\). Gabidulin also provided an efficient decoding algorithm for Gabidulin codes up to the rank error-correcting capability in [8]. The best currently known complexity for decoding an [n, k]-Gabidulin code is \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\) [38, Theorem 17].

Definition 6

A linearized polynomial F(z) over \(\mathbb {F}_{q^m}\) is a polynomial of the form \(F(z) = \sum _{i=0}^{k} f_i z^{[i]}\) where \(f_i \in \mathbb {F}_{q^m}\) for \(0 \le i \le k\). We refer to k as the q-degree of F(z), denoted \(\deg _q F(z)\).

With \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\), we can now rewrite a codeword \(\varvec{c} = (f_0,\ldots ,f_{k-1})G \in \text {Gab}_{n,k} (\varvec{g})\) as:

$$\begin{aligned} \varvec{c}&= (f_0,\ldots ,f_{k-1})\left[ \begin{array}{ccc} g_1 &{} \ldots &{} g_n \\ \vdots &{} \ddots &{} \vdots \\ g_1^{[k-1]} &{} \ldots &{} g_n^{[k-1]} \\ \end{array} \right] \nonumber \\&= \left( \sum _{i=0}^{k-1} f_i g_1^{[i]}, \ldots , \sum _{i=0}^{k-1} f_i g_n^{[i]} \right) = \left( F(g_1),\ldots ,F(g_n) \right) . \end{aligned}$$
(2)

Gabidulin codes contain a large subspace invariant under the Frobenius automorphism, which exposes cryptosystems based on Gabidulin codes to Overbeck's attack. To be more precise, we define an \(\mathbb {F}_q\)-linear operator \(\varLambda _i\) on a matrix M as follows:

Definition 7

(Frobenius Map). For any integer \(i \ge 0\), let \(\varLambda _i : \mathbb {F}_{q^m}^{k \times n} \rightarrow \mathbb {F}_{q^m}^{ik \times n}\) be the \(\mathbb {F}_q\)-linear operator that maps any matrix \(M \in \mathbb {F}_{q^m}^{k \times n}\) to \(\varLambda _i ( {M})\):

$$\begin{aligned} \varLambda _i ( {M}) := \left[ \begin{array}{c} {M}^{[0]} \\ \vdots \\ {M}^{[i]} \\ \end{array} \right] . \end{aligned}$$
(3)

As a consequence, Gabidulin codes contain a large subspace invariant under the Frobenius automorphism:

Lemma 4

Let G be the generator matrix of \(\text {Gab}_{n,k}(\varvec{g})\). For integer \(i \ge 0\) and \(1 \le j \le m-1\), we have \(\dim _{\mathbb {F}_{q^m}} \left( \varLambda _i (G) \right) = k+i\) and

$$\begin{aligned} \dim _{\mathbb {F}_{q^m}} \left( \text {Gab}_{n,k}(\varvec{g})^{[j]} \cap \text {Gab}_{n,k}(\varvec{g})^{[j-1]} \right) = k-1. \end{aligned}$$

Proof

Recall from (3) that

$$ \varLambda _i ( G) = \left[ \begin{array}{c} G^{[0]} \\ \vdots \\ G^{[i]} \\ \end{array} \right] = \left[ \begin{array}{c} \varvec{g}^{[0]} \\ \vdots \\ \varvec{g}^{[k-1]} \\ \vdots \\ \varvec{g}^{[i]} \\ \vdots \\ \varvec{g}^{[k+i-1]} \\ \end{array} \right] \quad \Rightarrow \quad \text {rk}(\varLambda _i ( G)) = k+i. $$

Also, since \(\text {Gab}_{n,k}(\varvec{g})^{[j]} = \left\{ \varvec{x} \left[ \begin{array}{c} \varvec{g}^{[j]} \\ \vdots \\ \varvec{g}^{[j+k-1]} \\ \end{array} \right] : \varvec{x} \in \mathbb {F}_{q^m}^k \right\} \), then

$$\begin{aligned}&\text {Gab}_{n,k}(\varvec{g})^{[j]} \cap \text {Gab}_{n,k}(\varvec{g})^{[j-1]} = \left\{ \varvec{x}' \left[ \begin{array}{c} \varvec{g}^{[j]} \\ \vdots \\ \varvec{g}^{[j+k-2]} \\ \end{array} \right] : \varvec{x}' \in \mathbb {F}_{q^m}^{k-1} \right\} \\ \Rightarrow \quad&\dim _{\mathbb {F}_{q^m}} \left( \text {Gab}_{n,k}(\varvec{g})^{[j]} \cap \text {Gab}_{n,k}(\varvec{g})^{[j-1]} \right) = k-1. \end{aligned}$$

   \(\Box \)

2.3 General Decoding of Rank Metric Codes

In the case of rank metric, the rank syndrome decoding problem is analogous to the classical syndrome decoding problem with Hamming metric, as described in the following:

Definition 8

Rank Syndrome Decoding Problem (\(\varvec{\mathsf{RSD}}\)). Let H be a full rank \((n-k) \times n\) matrix over \(\mathbb {F}_{q^m}\), \(\varvec{s}\in \mathbb {F}_{q^m}^{n-k}\) and w an integer. The Rank Syndrome Decoding Problem \(\mathsf{RSD}(q,m,n,k,w)\) asks to determine \(\varvec{x} \in \mathbb {F}_{q^m}^n\) such that \(\text {rk}_q(\varvec{x}) = w\) and \( H \varvec{x}^T = \varvec{s}^T\).

Recently, Gaborit and Zémor [16] showed that if there were an efficient probabilistic algorithm for solving the \(\mathsf{RSD}\) problem, then there would exist an efficient probabilistic algorithm for the syndrome decoding problem in the Hamming metric. Therefore, the \(\mathsf{RSD}\) problem is a good candidate for the hard problem on which our cryptosystem is based.

There are generally two types of generic attacks on the \(\mathsf{RSD}\) problem, namely combinatorial attacks and algebraic attacks. The combinatorial approach depends on counting the number of possible supports of size r for a rank code of length n over \(\mathbb {F}_{q^m}\), which corresponds to the number of subspaces of dimension r in \(\mathbb {F}_{q^m}\). For the algebraic approach, the nature of the rank metric favors algebraic attacks using Gröbner bases, as they are largely independent of the value of q. These attacks become efficient when q increases. There are mainly three approaches to translating the notion of rank into an algebraic setting. The first approach [24] considers the \(\mathsf{RSD}\) problem directly, but the complexity of solving the quadratic system arising from this attack is hard to evaluate, especially when \(r \ge 4\). The second approach reduces the \(\mathsf{RSD}\) problem to the MinRank problem [7], but such a reduction only works for certain types of MinRank parameters and not for the usual parameters used in rank-code-based cryptography. The third approach, proposed by Gaborit et al. [14], considers the linearized q-polynomials introduced by Ore [32].

We summarize the existing combinatorial and algebraic attacks with their conditions and complexities in Tables 1 and 2 respectively.

Table 1. Combinatorial attacks on \(\mathsf{RSD}\) with their corresponding solving complexities
Table 2. Algebraic attacks on \(\mathsf{RSD}\) with their corresponding solving complexities

Post-quantum Security. Bernstein [5] showed that the exponential term in the decoding complexity should be square-rooted to account for Grover's algorithm on a quantum computer. Therefore, we use this method to evaluate the post-quantum security of our scheme in Sect. 6.

3 A New Code: \(\varvec{\lambda }\)-Gabidulin Codes

In this section, we discuss the motivation to construct a new rank code, \(\varvec{\lambda }\)-Gabidulin codes. We also prove some of its properties and propose a decoding algorithm for \(\varvec{\lambda }\)-Gabidulin codes.

3.1 \(\varvec{\lambda }\)-Gabidulin Codes Construction

Our construction of \(\varvec{\lambda }\)-Gabidulin codes is in a linearized-polynomial setting, which is similar to the construction of generalized Reed-Solomon codes in the polynomial setting. We recall the definitions of Reed-Solomon codes and generalized Reed-Solomon codes.

Definition 9

(Reed-Solomon (RS) Codes [40] and Generalized RS Codes [30, Ch. 10, Sec. 8]). Let \(\varvec{g'} = (g'_1,\ldots , g'_n) \in \mathbb {F}_{q}^n\) where the \(g'_i\) are pairwise distinct, and \(\varvec{\lambda } = (\lambda _1,\ldots ,\lambda _n) \in \mathbb {F}_q^n\) where each \(\lambda _i \ne 0\). The Reed-Solomon code \(RS_{n,k} (\varvec{g'})\) over \(\mathbb {F}_{q}\) of dimension k and generator vector \(\varvec{g'}\) is the code generated by the matrix \(G_{RS}\) of the form

$$\begin{aligned} G_{RS} = \left[ \begin{array}{cccc} (g'_1)^0 &{} (g'_2)^0 &{} \ldots &{} (g'_n)^0 \\ (g'_1)^1 &{} (g'_2)^1 &{} \ldots &{} (g'_n)^1 \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ (g'_1)^{k-1} &{} (g'_2)^{k-1} &{} \ldots &{} (g'_n)^{k-1} \\ \end{array} \right] . \end{aligned}$$
(4)

The generalized Reed-Solomon codes \(GRS_{n,k} (\varvec{g'}_{\varvec{\lambda }})\) over \(\mathbb {F}_{q}\) of dimension k associated with \(\varvec{g'}\) and \(\varvec{\lambda }\) is the code generated by matrix \(G_{GRS}\) of the form

$$\begin{aligned} G_{GRS} = \left[ \begin{array}{cccc} \lambda _1(g'_1)^{0} &{} \lambda _2(g'_2)^{0} &{} \ldots &{} \lambda _n(g'_n)^{0} \\ \lambda _1(g'_1)^{1} &{} \lambda _2(g'_2)^{1} &{} \ldots &{} \lambda _n(g'_n)^{1} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ \lambda _1 (g'_1)^{k-1} &{} \lambda _2 (g'_2)^{k-1} &{} \ldots &{} \lambda _n (g'_n)^{k-1} \\ \end{array} \right] . \end{aligned}$$
(5)

For all \((f'_0,\ldots ,f'_{k-1}) \in \mathbb {F}_q^k\), we can rewrite a codeword \(\varvec{c}_{RS} \in RS_{n,k} (\varvec{g'})\) as

$$\begin{aligned} \varvec{c}_{RS}&= (f'_0,\ldots ,f'_{k-1}) G_{RS} = \left( F'(g'_1),\ldots , F'(g'_n) \right) \end{aligned}$$
(6)

where \(F'(z) = \sum _{i=0}^{k-1} f'_i z^{i}\). Using similar notation, \(\varvec{c}_{GRS} \in GRS_{n,k} (\varvec{g'}_{\varvec{\lambda }})\) can be written as

$$\begin{aligned} \varvec{c}_{GRS}&= (f'_0,\ldots ,f'_{k-1}) G_{GRS} = \left( \lambda _1 F'(g'_1),\ldots , \lambda _n F'(g'_n) \right) . \end{aligned}$$
(7)

Recall that a codeword \(\varvec{c} \in \text {Gab}_{n,k} (\varvec{g})\) can be written in the form of (2):

$$\begin{aligned} \varvec{c}&= (f_0,\ldots ,f_{k-1})\left[ \begin{array}{ccc} g_1 &{} \ldots &{} g_n \\ \vdots &{} \ddots &{} \vdots \\ g_1^{[k-1]} &{} \ldots &{} g_n^{[k-1]} \\ \end{array} \right] = \left( F(g_1),\ldots ,F(g_n) \right) \end{aligned}$$

where \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\). Comparing (2) and (6), we notice that the difference between them is the involvement of linearized polynomial F(z) in (2) and polynomial \(F'(z)\) in (6).

We can now construct a code whose codewords have a form similar to (7), except that the polynomial \(F'(z)\) is replaced by the linearized polynomial F(z).

Definition 10

(\(\varvec{\lambda }\)-Gabidulin Codes). Let \(\varvec{g} = (g_1,\ldots , g_n) \in \mathbb {F}_{q^m}^n\) be linearly independent over \(\mathbb {F}_q\) and \(\varvec{\lambda } = (\lambda _1, \lambda _2, \ldots , \lambda _n) \in \mathbb {F}_{q^m}^n\). The \(\varvec{\lambda }\)-Gabidulin code \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) over \(\mathbb {F}_{q^m}\) of dimension k associated with vector \(\varvec{g}\) and \(\varvec{\lambda }\) is the code generated by matrix \(G_{\varvec{\lambda }}\) of the form

$$\begin{aligned} G_{\varvec{\lambda }} = \left[ \begin{array}{cccc} \lambda _1 g_1 &{} \lambda _2 g_2 &{} \ldots &{} \lambda _n g_n \\ \lambda _1 g_1^{[1]} &{} \lambda _2 g_2^{[1]} &{} \ldots &{} \lambda _n g_n^{[1]} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ \lambda _1 g_1^{[k-1]} &{} \lambda _2 g_2^{[k-1]} &{} \ldots &{} \lambda _n g_n^{[k-1]} \\ \end{array} \right] . \end{aligned}$$
(8)

Now, we can rewrite a codeword \(\varvec{c} = (f_0,\ldots ,f_{k-1}) G_{\varvec{\lambda }} \in \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) as

$$\begin{aligned} \varvec{c} = \left( \lambda _1 F(g_1) ,\ldots , \lambda _n F(g_n)\right) \end{aligned}$$
(9)

where \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\). Notice from (9) that such construction replaces the polynomial \(F'(z)\) in (7) with linearized polynomial F(z).

Table 3 summarizes the relations between \(\varvec{\lambda }\)-Gabidulin codes, Gabidulin codes, Reed-Solomon Codes and generalized Reed-Solomon Codes:

Table 3. Relations between \(\text {Gab}_{n,k} (\varvec{g})\), \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\), \(RS_{n,k} (\varvec{g})\), \(GRS_{n,k}(\varvec{g}_{\varvec{\lambda }})\)

3.2 Properties and Decoding of \(\varvec{\lambda }\)-Gabidulin Codes

Our construction of \(\varvec{\lambda }\)-Gabidulin codes does not share the weakness of Gabidulin codes shown in Lemma 4: it does not contain a large subspace invariant under the Frobenius automorphism of Definition 7.

Consider a generator \(G_{\varvec{\lambda }}\) for \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) and the map \(\varLambda _i\) on \(G_{\varvec{\lambda }}\), we have

$$ \varLambda _i ( G_{\varvec{\lambda }} ) = \left[ \begin{array}{c} G_{\varvec{\lambda }}^{[0]} \\ \vdots \\ G_{\varvec{\lambda }}^{[i]} \\ \end{array} \right] = \left[ \begin{array}{ccc} \lambda _1 g_1 &{} \ldots &{} \lambda _n g_n \\ \vdots &{} \ddots &{} \vdots \\ \lambda _1 g_1^{[k-1]} &{} \ldots &{} \lambda _n g_n^{[k-1]} \\ \vdots &{} \ddots &{} \vdots \\ \lambda _1^{[i]} g_1^{[i]} &{} \ldots &{} \lambda _n^{[i]} g_n^{[i]} \\ \vdots &{} \ddots &{} \vdots \\ \lambda _1^{[i]} g_1^{[i+k-1]} &{} \ldots &{} \lambda _n^{[i]} g_n^{[i+k-1]} \\ \end{array} \right] . $$

It is possible for us to choose some \(\varvec{\lambda } \in \mathbb {F}_{q^m}^n\) such that

$$\begin{aligned} \dim _{\mathbb {F}_{q^m}} \left( \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})^{([j])} \cap \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})^{([j-1])} \right) = 0 \end{aligned}$$

for \(1 \le j \le n-1\) and \(\dim \left( \ker \left( \varLambda _i (G_{\varvec{\lambda }}) \right) \right) \ne 1\) for all \(i \le n\). Therefore, Overbeck's attack [37] is ineffective against \(\text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) with this property.
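The following derivation is added here and is not part of the paper; it exhibits one family of \(\varvec{\lambda }\) for which the intersection above has dimension 0 when \(j = 1\). Assume, as in the key generation of Sect. 4.1, that \(\lambda _i \in \{ \gamma , \gamma ^{-1} \}\) for some \(\gamma \in \mathbb {F}_{q^m} \setminus \mathbb {F}_q\), that at least \(k+1\) coordinates take each of the two values (so \(n \ge 2k+2\)), and that \(\gamma ^{2(q-1)} \ne 1\). An \(\mathbb {F}_{q^m}\)-linear dependency among the 2k rows of \(\varLambda _1 (G_{\varvec{\lambda }})\), with coefficients \(a_0, \ldots , a_{k-1}\) on the rows of \(G_{\varvec{\lambda }}\) and \(b_0, \ldots , b_{k-1}\) on the rows of \(G_{\varvec{\lambda }}^{[1]}\), reads coordinate-wise

$$\begin{aligned} \lambda _j A(g_j) + \lambda _j^{[1]} B(g_j) = 0 \quad (j = 1, \ldots , n), \qquad A(z) := \sum _{i=0}^{k-1} a_i z^{[i]}, \quad B(z) := \sum _{i=0}^{k-1} b_i z^{[i+1]}. \end{aligned}$$

Dividing by \(\lambda _j \ne 0\) gives \(A(g_j) + \lambda _j^{q-1} B(g_j) = 0\). On the coordinates with \(\lambda _j = \gamma \), the linearized polynomial \(A + \gamma ^{q-1} B\), of q-degree at most k, therefore vanishes on at least \(k+1\) \(\mathbb {F}_q\)-linearly independent elements \(g_j\). The roots of a nonzero linearized polynomial of q-degree at most k form an \(\mathbb {F}_q\)-subspace of dimension at most k, so \(A + \gamma ^{q-1} B = 0\) identically; likewise \(A + \gamma ^{1-q} B = 0\) from the coordinates with \(\lambda _j = \gamma ^{-1}\). Subtracting the two identities,

$$\begin{aligned} \left( \gamma ^{q-1} - \gamma ^{1-q} \right) B = 0 \quad \Rightarrow \quad B = 0 \quad \Rightarrow \quad A = 0, \end{aligned}$$

so every \(a_i\) and \(b_i\) vanishes, \(\text {rk}(\varLambda _1 (G_{\varvec{\lambda }})) = 2k\), and

$$\begin{aligned} \dim _{\mathbb {F}_{q^m}} \left( \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})^{([1])} \cap \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }}) \right) = k + k - \text {rk}(\varLambda _1 (G_{\varvec{\lambda }})) = 0, \end{aligned}$$

whereas Lemma 4 gives \(k-1\) for \(\text {Gab}_{n,k} (\varvec{g})\). For \(q = 2\) the condition \(\gamma ^{2(q-1)} \ne 1\) is exactly \(\gamma ^2 \ne 1\), which is the restriction placed on \(\gamma \) in Sect. 4.1.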

We now deduce a parity check matrix for \(G_{\varvec{\lambda }}\).

Proposition 1

Let \(H\in \mathbb {F}_{q^m}^{(n-k)\times n}\) in the form of

$$ H = \left[ \begin{array}{cccc} h_1 &{} h_2 &{} \ldots &{} h_n \\ h_1^{[1]} &{} h_2^{[1]} &{} \ldots &{} h_n^{[1]} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ h_1^{[n-k-1]} &{} h_2^{[n-k-1]} &{} \ldots &{} h_n^{[n-k-1]} \\ \end{array} \right] $$

be a parity check matrix for G (as in (1)) which generates \(\text {Gab}_{n,k} (\varvec{g})\). Then

$$ H_{\varvec{\lambda }} = \left[ \begin{array}{cccc} \lambda _1^{-1} h_1 &{} \lambda _2^{-1} h_2 &{} \ldots &{} \lambda _n^{-1} h_n \\ \lambda _1^{-1} h_1^{[1]} &{} \lambda _2^{-1} h_2^{[1]} &{} \ldots &{} \lambda _n^{-1} h_n^{[1]} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ \lambda _1^{-1} h_1^{[n-k-1]} &{} \lambda _2^{-1} h_2^{[n-k-1]} &{} \ldots &{} \lambda _n^{-1} h_n^{[n-k-1]} \\ \end{array} \right] $$

is a parity check matrix for \(G_{\varvec{\lambda }}\).

Proof

Given H a parity check matrix for G, we have \(GH^T = \varvec{0}\). Rewrite \(G_{\varvec{\lambda }} = G \varDelta \), \(H_{\varvec{\lambda }} = H \varDelta ^{-1}\) where \(\varDelta = \left[ \begin{array}{ccc} \lambda _1 &{} &{} \varvec{0} \\ &{} \ddots &{} \\ \varvec{0} &{} &{} \lambda _n \\ \end{array} \right] \). Then \(G_{\varvec{\lambda }} H_{\varvec{\lambda }}^T = G \varDelta (H \varDelta ^{-1})^T= G \varDelta \left( \varDelta ^{-1}\right) ^T H^T = G H^T = \varvec{0}\).    \(\Box \)

In fact, there exist \(\varvec{\lambda } \in \mathbb {F}_{q^m}^n\) for which the \(\varvec{\lambda }\)-Gabidulin code is not an MRD code.

Proposition 2

Let \(\alpha \in \mathbb {F}_{q^m}\) and \(\varvec{\lambda } = (\lambda _1,\ldots ,\lambda _n)\) be a vector over \(\mathbb {F}_{q^m}\) such that \(\left( \lambda _1^{-1}\alpha d_1,\ldots , \lambda _n^{-1} \alpha d_n \right) \in \text {Gab}_{n,k} (\varvec{g})\) where \((d_1,\ldots ,d_n) \in \mathbb {F}_q^n\), then \({\varvec{\lambda }}\)-Gabidulin code is not an MRD code. In particular, \(d_R^{\min } \left( \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }}) \right) = 1\).

Proof

Suppose that \(\alpha \in \mathbb {F}_{q^m}\) and \(\varvec{\lambda } = (\lambda _1,\ldots ,\lambda _n)\) is a vector over \(\mathbb {F}_{q^m}\) such that \(\left( \lambda _1^{-1}\alpha d_1,\ldots , \lambda _n^{-1} \alpha d_n \right) \in \text {Gab}_{n,k} (\varvec{g})\) where \((d_1,\ldots ,d_n) \in \mathbb {F}_q^n\), then there exists \(\varvec{m} \in \mathbb {F}_{q^m}^k\) such that

$$\begin{aligned} \left( \lambda _1^{-1}\alpha d_1,\ldots , \lambda _n^{-1} \alpha d_n \right) = \varvec{m}G = \left( \sum _{i=0}^{k-1} m_i g_1^{[i]}, \ldots ,\sum _{i=0}^{k-1} m_i g_n^{[i]} \right) . \end{aligned}$$

Consider \(\varvec{c} = \varvec{m} G_{\varvec{\lambda }}\), a codeword in \(\text {Gab}_{n,k} \left( \varvec{g}_{\varvec{\lambda }} \right) \); then

$$\begin{aligned} \varvec{c}&= \sum _{i=0}^{k-1} m_i \left( \lambda _1 g_1^{[i]} , \ldots , \lambda _n g_n^{[i]} \right) \\&= \left( \lambda _1 \sum _{i=0}^{k-1} m_i g_1^{[i]}, \ldots , \lambda _n \sum _{i=0}^{k-1} m_i g_n^{[i]} \right) \\&= \left( \lambda _1 \lambda _1^{-1}\alpha d_1 ,\ldots , \lambda _n \lambda _n^{-1} \alpha d_n \right) = \alpha (d_1,\ldots ,d_n). \end{aligned}$$

This implies that \(\text {rk}_q (\varvec{c}) = 1 < n-k+1\). Such \({\varvec{\lambda }}\)-Gabidulin code is not an MRD code.    \(\Box \)

Recall from (9) that a codeword \(\varvec{c}= \varvec{f} G_{\varvec{\lambda }} \in \text {Gab}_{n,k} (\varvec{g}_{\varvec{\lambda }})\) can be written as \((\lambda _1 F(g_1) ,\ldots , \lambda _n F(g_n))\) where \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\). Therefore, decoding a \(\varvec{\lambda }\)-Gabidulin code is not the same as decoding a Gabidulin code (for example, with the Berlekamp-Massey algorithm or the Euclidean algorithm). We need the following result to decode \(\varvec{\lambda }\)-Gabidulin codes:

Proposition 3

Let \(\varvec{\lambda } = (\lambda _1, \lambda _2, \ldots , \lambda _n) \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{\lambda }) = u\) and \(\varvec{x} = (x_1,\ldots ,x_n) \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{x}) = w\). Then

$$\begin{aligned} \text {rk}_q \left( (\lambda _1 {x}_1, \ldots , \lambda _n {x}_n)\right) \le uw. \end{aligned}$$

Proof

Let \(X = \text { span } \{ x_1, \ldots , x_n \} = \text { span }\{ y_1, \ldots , y_w\}\) where \(\{y_1,\ldots ,y_w\}\) is linearly independent. Also, let \(L=\text { span } \{\lambda _1,\ldots ,\lambda _n \}= \text { span }\{ \gamma _1,\ldots ,\gamma _u \}\) where \(\{ \gamma _1,\ldots ,\gamma _u \}\) is linearly independent. In \((\lambda _1 {x}_1, \ldots , \lambda _n {x}_n)\), each entry \(\lambda _i x_i\) is a linear combination of elements of \(\{ y_a \gamma _b : 1 \le a \le w, 1 \le b \le u \}\), whose span has dimension at most uw.    \(\Box \)

Our new code \(\text {Gab}_{n,k} (\varvec{g_\lambda })\) has a decoding algorithm as described in the following:

Proposition 4

Let \(\varvec{g} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{g}) = n\), \(\varvec{\lambda } \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{\lambda }) = u\) and \(r = \left\lfloor \frac{n-k}{2} \right\rfloor \ge u\). Then there exists a decoding algorithm for \(\text {Gab}_{n,k} \left( \varvec{g}_{\varvec{\lambda }} \right) \) with error-correcting capability up to \(\frac{r}{u}\) and decoding complexity of \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\).

Proof

The decoding algorithm for \(\text {Gab}_{n,k}(\varvec{g_\lambda })\) has two parts. The first part multiplies each coordinate of the received vector \(\varvec{y}=(y_1,\ldots ,y_n)\) by \(\lambda _i^{-1}\); then any decoding algorithm for the Gabidulin code \(\text {Gab}_{n,k}(\varvec{g})\) can be applied to \((y_1 \lambda _1^{-1},\ldots ,y_n \lambda _n^{-1})\). To be more precise, let \(\varvec{c}\) be a codeword in \(\text {Gab}_{n,k} \left( \varvec{g}_{\varvec{\lambda }} \right) \) and \(\varvec{e} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{e}) \le \frac{r}{u}\). Then there exists \(\varvec{f} \in \mathbb {F}_{q^m}^k\) such that \(\varvec{c} = \varvec{f}G_{\varvec{\lambda }}\). Let \(F(z) = \sum _{i=0}^{k-1} f_i z^{[i]}\); then the received vector \(\varvec{y}\) can be written as

$$\begin{aligned} (y_1,\ldots ,y_n) = \varvec{f}G_{\varvec{\lambda }} + \varvec{e} = (\lambda _1 F(g_1),\ldots , \lambda _n F(g_n) )+ (e_1,\ldots ,e_n). \end{aligned}$$

Multiplying each entry of \(\varvec{y}\) with \(\lambda _i^{-1}\) for \(i=1,\ldots ,n\):

$$\begin{aligned} \varvec{\hat{y}} := ( \lambda _1^{-1} y_1,\ldots , \lambda _n^{-1} y_n) = ( F(g_1),\ldots , F(g_n)) + (\lambda _1^{-1} e_1,\ldots , \lambda _n^{-1} e_n). \end{aligned}$$

Notice that \(\varvec{\hat{c}} := ( F(g_1),\ldots , F(g_n))\) is a codeword in \(\text {Gab}_{n,k} (\varvec{g})\). If the vector \(\varvec{\hat{e}} := (\lambda _1^{-1} e_1,\ldots , \lambda _n^{-1} e_n)\) has rank at most r, then we can decode \(\varvec{\hat{y}}\) and recover \(\hat{\varvec{c}}\). By Proposition 3, \(\text {rk}_q (\varvec{\hat{e}}) \le \text {rk}_q (\varvec{e}) \times \text {rk}_q (\varvec{\lambda }) \le \frac{r}{u} \times u = r\). Therefore we can recover \(\hat{\varvec{c}}\), and thus recover \(\varvec{c}\) by multiplying each entry by \(\lambda _i\).

Since the first part consists of n multiplications in \(\mathbb {F}_{q^m}\), the complexity of the first part is O(n). For the second part, the complexity is \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\) by using sub-quadratic decoding of Gabidulin codes in [38]. Therefore, the total complexity to decode \(\varvec{\lambda }\)-Gabidulin codes is \(O \left( n^{1.69} \log ^2(n) \right) \) operations in \(\mathbb {F}_{q^m}\).    \(\Box \)
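As an added example (not code from the paper), the following Python model over \(\mathbb {F}_{2^8}\) exercises several statements above on constructed parameters: \(\text {rk}_q\) of Definition 1, the Frobenius-stacked matrix \(\varLambda _1\) of Definition 7 and the invariant-subspace dimension \(k-1\) of Lemma 4 compared with its value for a \(\varvec{\lambda }\)-Gabidulin code as claimed in Sect. 3.2, the rank-one codeword of Proposition 2 for a badly chosen \(\varvec{\lambda }\), the product bound of Proposition 3, and the first decoding step of Proposition 4. The field, basis, \(n = m = 8\), \(k = 3\), \(\varvec{g}\), \(\gamma \) and all function names are our own choices; \(\varvec{\lambda }\) takes the values \(\gamma \) and \(\gamma ^{-1}\) four times each, since the key generation in Sect. 4.1 draws its entries from \(\{\gamma , \gamma ^{-1}\}\).

```python
# Added example, not from the paper: toy Gabidulin and lambda-Gabidulin codes over
# F_{2^8} = F_2[x]/(x^8+x^4+x^3+x+1) (q = 2, m = 8) with F_2-basis {1, x, ..., x^7},
# so an element's bits are its coordinates. All names and parameters are our own.
import functools
import operator
M = 8
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over F_2

def gf_mul(a, b):
    """Product in F_{2^8}: shift-and-add with reduction modulo MOD."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (MOD if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^{-1} = a^{2^m-2} = a^2 * a^4 * ... * a^{2^{m-1}} for a != 0."""
    r, s = 1, a
    for _ in range(M - 1):
        s = gf_mul(s, s)
        r = gf_mul(r, s)
    return r

def frob(a, i=1):
    """a^{[i]} = a^{q^i}: the i-th Frobenius power (i squarings for q = 2)."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def rank(rows):
    """Rank by Gaussian elimination over F_{2^8}; on a 0/1 matrix this is elimination over F_2."""
    rows, rk = [list(r) for r in rows], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(rk, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = gf_inv(rows[rk][c])
        rows[rk] = [gf_mul(inv, v) for v in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][c]:
                rows[i] = [v ^ gf_mul(rows[i][c], p) for v, p in zip(rows[i], rows[rk])]
        rk += 1
    return rk

def rank_q(x):
    """rk_q(x) of Definition 1: rank over F_2 of the m x n matrix whose column j is the bits of x_j."""
    return rank([[(xj >> i) & 1 for xj in x] for i in range(M)])

def gabidulin_generator(g, k):
    """G of (1): row i is g^{[i]}."""
    return [[frob(gj, i) for gj in g] for i in range(k)]

def lambda_gabidulin_generator(g, lam, k):
    """G_lambda of (8), i.e. G * Delta: column j of G scaled by lambda_j."""
    return [[gf_mul(lam[j], frob(g[j], i)) for j in range(len(g))] for i in range(k)]

def encode(f, G):
    """Codeword f * G, which for G as in (1) is (F(g_1), ..., F(g_n)) of (2)."""
    return [functools.reduce(operator.xor, (gf_mul(a, b) for a, b in zip(f, col)), 0)
            for col in zip(*G)]

def frobenius_stack(Mx, i):
    """Lambda_i(M) of (3): M^{[0]}, ..., M^{[i]} stacked vertically."""
    return [[frob(v, l) for v in row] for l in range(i + 1) for row in Mx]

def invariant_dim(G):
    """dim(C ∩ C^{[1]}) = 2k - rank(Lambda_1(G)) for C = <G>; Lemma 4 gives k-1 for Gabidulin codes."""
    return 2 * len(G) - rank(frobenius_stack(G, 1))

def hadamard(lam, x):
    """(lambda_1 x_1, ..., lambda_n x_n); Proposition 3 bounds its rank by rk(lambda) * rk(x)."""
    return [gf_mul(a, b) for a, b in zip(lam, x)]

def unscale(y, lam):
    """First decoding step of Proposition 4: multiply y_i by lambda_i^{-1}."""
    return hadamard([gf_inv(a) for a in lam], y)

def non_mrd_lambda(g, k, msg, alpha, d):
    """Proposition 2: lambda_j = alpha d_j / c_j with c = msg*G, so msg*G_lambda = alpha*d has rank rk_q(d)."""
    c = encode(msg, gabidulin_generator(g, k))
    return [gf_mul(gf_mul(alpha, dj), gf_inv(cj)) for dj, cj in zip(d, c)]

# Constructed parameters: n = m = 8, k = 3, g = the basis itself (F_2-independent),
# lambda_i in {gamma, gamma^{-1}} with gamma^2 != 1 as in Sect. 4.1, four of each value.
N, K = 8, 3
G_VEC = [1 << i for i in range(N)]
GAMMA = 0x53
LAM = [GAMMA] * 4 + [gf_inv(GAMMA)] * 4

if __name__ == "__main__":
    G = gabidulin_generator(G_VEC, K)
    GL = lambda_gabidulin_generator(G_VEC, LAM, K)
    print("dim(C ∩ C^[1]): Gabidulin", invariant_dim(G), "lambda-Gabidulin", invariant_dim(GL))  # 2 0
    bad = non_mrd_lambda(G_VEC, K, [1, 0, 0], 0x2A, [1] * N)
    print("codeword rank under a bad lambda:", rank_q(encode([1, 0, 0], lambda_gabidulin_generator(G_VEC, bad, K))))  # 1
```

Running the file prints 2 for the Gabidulin code and 0 for the \(\varvec{\lambda }\)-Gabidulin code, then 1 for the rank of the codeword produced by non_mrd_lambda. The first pair is the structural property Overbeck's distinguisher relies on and that this \(\varvec{\lambda }\) removes; the last value shows why \(\varvec{\lambda }\) must not be chosen with \(\varvec{\lambda }^{-1} \circ (\alpha \varvec{d})\) inside \(\text {Gab}_{n,k}(\varvec{g})\), since the resulting code has minimum rank distance 1. rank_q reads the m-bit expansion directly because the basis is \(\{1, x, \ldots , x^7\}\); for another basis the coordinates must be computed first, although by Definition 1 the rank itself does not depend on the basis.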

4 New Public-Key Encryption on \(\varvec{\lambda }\)-Gabidulin Codes

With proper choices of \(\varvec{\lambda }\), the \(\varvec{\lambda }\)-Gabidulin code does not contain a large subspace invariant under the Frobenius automorphism; hence we propose a new Gabidulin-like code encryption scheme, namely LG encryption, based on \(\varvec{\lambda }\)-Gabidulin codes with a scrambler matrix built from the elements of \(\varvec{\lambda }\). We first prove a result related to the choice of our scrambler matrix P:

Proposition 5

Let \(\gamma \in \mathbb {F}_{q^m} \setminus \mathbb {F}_q\) and \(\varvec{\lambda } = (\lambda _1, \lambda _2, \ldots , \lambda _n)\) such that \(\lambda _i \in \left\{ \gamma , \gamma ^{-1} \right\} \) for \(i=1,\ldots , n\). Define \(P := \left[ P_1, \ldots , P_n \right] \) to be an \(n \times n\) invertible matrix whose entries are of the form \(c \gamma \) or \(c \gamma ^{-1}\) with \(c \in \mathbb {F}_q\), and let \(\varDelta \) be the diagonal matrix with entries \(\varDelta _{ii} = \lambda _i\) for \(i=1,\ldots ,n\). Let \(\varvec{x} = (x_1,\ldots ,x_n) \in \mathbb {F}_{q^m}^n\) such that \(\text {rk}_q (\varvec{x}) = t\). Then \(\text {rk}_q \left( \varvec{x} P^{-1} \varDelta ^{-1} \right) \le 3t\).

Proof

Every entry of \(P^{-1}\) lies in \(\mathbb {F}_q \gamma \cup \mathbb {F}_q \gamma ^{-1}\) and every entry of \(\varDelta ^{-1}\) lies in \(\{ \gamma ^{-1}, \gamma \}\), so each entry of \(P^{-1} \varDelta ^{-1}\) is an \(\mathbb {F}_q\)-linear combination of elements of the set

$$\begin{aligned} \left\{ \gamma \times \gamma , \gamma \times \gamma ^{-1}, \gamma ^{-1} \times \gamma ^{-1}, \gamma ^{-1} \times \gamma \right\} = \left\{ \gamma ^2, 1, \gamma ^{-2} \right\} . \end{aligned}$$

Let \(X = \text {span}_{\mathbb {F}_q} \{ x_1, \ldots , x_n \}\); since \(\text {rk}_q(\varvec{x}) = t\), X has an \(\mathbb {F}_q\)-basis \(\{ y_1, \ldots , y_t\}\). Each entry of \(\varvec{x}P^{-1} \varDelta ^{-1}\) is an \(\mathbb {F}_q\)-linear combination of the \(x_i\) multiplied by elements of \(\{ \gamma ^2, 1, \gamma ^{-2} \}\), hence belongs to the \(\mathbb {F}_q\)-span of

$$\begin{aligned} \left\{ y_i \gamma ^2, y_i, y_i \gamma ^{-2} \right\} _{i=1,\ldots ,t} \end{aligned}$$

which has dimension at most 3t.    \(\Box \)

We also need the following properties for our public-key encryption scheme:

Definition 11

An [n, k]-linear code \(\mathcal {C} \subseteq \mathbb {F}_{q^m}^n\) is called an (s, t, l)-intersecting code if the sum (the span) of its first t Frobenius shifts by multiples of s satisfies

$$\begin{aligned} \dim _{\mathbb {F}_{q^m}} \left( \sum _{i=0}^{t-1} \mathcal {C}^{([si])} \right) = \min \left\{ n, tk-l \right\} . \end{aligned}$$

Remark

Note that for \(1 \le t \le n-k-1\), \(\text {Gab}_{n,k} (\varvec{g})\) is a \((1,t,(t-1)(k-1))\)-intersecting code: \(\text {Gab}_{n,k} (\varvec{g})^{([i])}\) is generated by \(\varvec{g}^{[i]}, \ldots , \varvec{g}^{[i+k-1]}\), so the sum of the first t Frobenius shifts is \(\text {Gab}_{n,k+t-1} (\varvec{g})\) and

$$\begin{aligned} \dim _{\mathbb {F}_{q^m}} \left( \sum _{i=0}^{t-1} \text {Gab}_{n,k} (\varvec{g})^{([i])} \right) = k+t-1 = tk - (t-1)(k-1) < n. \end{aligned}$$

4.1 Description of the Encryption Scheme

Setup. Generate global parameters \(m \ge n > k\) and parameters r and a such that \(k \not \mid n-1\), \(r = \left\lfloor \frac{n-k}{2} \right\rfloor \) (the rank error-correcting capability of \(\text {Gab}_{n,k}\)), \(a = \left\lfloor \frac{r}{3} \right\rfloor \) (so that \(3a \le r\)) and \(ak \ge n\). The plaintext space is \(\mathbb {F}_{q^m}^k\). Output parameter \(=(m,n,k,r,a)\).

Key Generation \(\mathcal {K}_\mathtt{PE}\). Generate a random \(S \in \text {GL}_k (\mathbb {F}_{q^m})\). Form \(G_{\varvec{\lambda }} P\) as follows:

  (i) generate a random \(\gamma \in \mathbb {F}_{q^m} \setminus \mathbb {F}_q\); this already guarantees \(\gamma ^2 \ne 1\), i.e. \(\gamma \ne \gamma ^{-1}\), since \(\pm 1 \in \mathbb {F}_q\). Form \(\varvec{\lambda } = \left( \lambda _1 ,\ldots ,\lambda _n \right) \) where each \(\lambda _i\) is picked randomly from \(\left\{ \gamma , \gamma ^{-1} \right\} \);

  (ii) generate a random \(\varvec{g} \in \mathbb {F}_{q^m}^n\) with \(\text {rk}_q (\varvec{g}) = n\), and construct \(G_{\varvec{\lambda }}\) in the form (8) as a generator matrix of a code of length n and dimension k;

  (iii) generate a random invertible \(n \times n\) matrix P whose inverse \(P^{-1}\) has all its entries in \(\{ c\gamma , c\gamma ^{-1} : c \in \mathbb {F}_q \}\);

and repeat (i)-(iii) until, for every s relatively prime to m, the code generated by \(G_{\varvec{\lambda }} P\) is \((s, a, 0)\)-intersecting. Compute

$$\begin{aligned} G_\mathsf{pub}:= S G_\lambda P. \end{aligned}$$
(10)

Output the public key \(\kappa _{pub} = (G_\mathsf{pub},r)\) and the secret key \(\kappa _{pvt} = (S,\varvec{g},\varvec{\lambda },P)\); the error rank \(a = \lfloor r/3 \rfloor \) used by the sender is part of the global parameters.

Encryption. Given a plaintext \( \varvec{m} \in \mathbb {F}_{q^m}^k\), choose a random vector \(\varvec{e} \in \mathbb {F}_{q^m}^{n}\) with \(\text {rk}_q (\varvec{e})=a\), and output the ciphertext \(\varvec{y} = \varvec{m}G_\mathsf{pub}+ \varvec{e}\).

Decryption. Given the received ciphertext \(\varvec{y}\), let \(\varDelta \) be the diagonal matrix with entries \(\varDelta _{ii} = \lambda _i\) for \(i=1,\ldots ,n\). Compute \(\varvec{y}P^{-1}\varDelta ^{-1}\) and decode it with respect to \(\text {Gab}_{n,k} (\varvec{g})\) to recover \(\varvec{m}S\). Then recover \(\varvec{m}\) by multiplying by \(S^{-1}\).

Correctness. The correctness of our encryption scheme relies on the decoding capability of the code \(\text {Gab}_{n,k} (\varvec{g})\). Let \(\varvec{\hat{e}} := \varvec{e}P^{-1} = (\hat{e}_1,\ldots ,\hat{e}_n)\) and let G be the generator matrix of \(\text {Gab}_{n,k} (\varvec{g})\) in the form (1), so that \(G_{\varvec{\lambda }} \varDelta ^{-1} = G\). Then

$$\begin{aligned} \varvec{y}P^{-1}\varDelta ^{-1}&= \left( \varvec{m}G_\mathsf{pub}+ \varvec{e}\right) P^{-1}\varDelta ^{-1} = \varvec{m}SG_{\varvec{\lambda }}\varDelta ^{-1} + \varvec{e}P^{-1}\varDelta ^{-1} \\&= \varvec{m}SG + \left( \lambda _1^{-1} \hat{e}_1,\ldots ,\lambda _n^{-1} \hat{e}_n \right) . \end{aligned}$$

By Proposition 5 applied to \(\varvec{x} = \varvec{e}\) with \(t = a\), we have \(\text {rk}_q \left( \left( \lambda _1^{-1} \hat{e}_1,\ldots ,\lambda _n^{-1} \hat{e}_n \right) \right) = \text {rk}_q (\varvec{e} P^{-1} \varDelta ^{-1}) \le 3a \le r\), because \(a = \lfloor r/3 \rfloor \), where \(r = \lfloor (n-k)/2 \rfloor \) is the rank error-correcting capability of \(\text {Gab}_{n,k} (\varvec{g})\). Hence decoding \(\varvec{y}P^{-1}\varDelta ^{-1}\) recovers \(\varvec{m}S\), and finally \(\varvec{m}=\varvec{m}SS^{-1}\).

4.2 A Toy Example of \(G_{\varvec{\lambda }}P\) in LG Encryption

Let \((m,n,k,r,a)=(29,25,13,6,2)\); indeed \(r = \lfloor (n-k)/2 \rfloor = 6\), \(a = \lfloor r/3 \rfloor = 2\), \(ak = 26 \ge n\) and \(13 \not \mid 24\). Here \(q = 2\) and z is a primitive element of \(\mathbb {F}_{q^m}\), so field elements are written as \(\mathbb {F}_2\)-combinations of powers of z. Generate random

$$\begin{aligned} \gamma&= z^{27} + z^{25} + z^{23} + z^{22} + z^{21} + z^{19} \\&\qquad + z^{18} + z^{17} + z^{13} + z^{12} + z^{8} + z^6 + z^4 + z^3 \\ \gamma ^{-1}&= z^{28} + z^{27} + z^{26} + z^{25} + z^{18} + z^{16} \\&\qquad + z^{15} + z^{13} + z^{12} + z^{11} + z^{10} + z^9 + z^7 + z^4 + z^2. \end{aligned}$$

and \(\varvec{g} = (g_1,g_1^{[1]},\ldots ,g_1^{[24]})\) where \(\text {rk}_q (\varvec{g}) = n\) and

$$\begin{aligned} g_1&= z^{27} + z^{25} + z^{24} + z^{20} + z^{19} + z^{15} + z^{12} + z^8 + z^7 + z^2 + z + 1. \end{aligned}$$

Let P be the \(n \times n\) circulant matrix induced by the vector

$$\begin{aligned} \varvec{p}= \left[ \begin{array}{ccccccccccccccccccccccccc} \gamma ^{-1}&0&0&\gamma&\gamma&\gamma ^{-1}&\gamma ^{-1}&0&0&\gamma ^{-1}&0&0&\gamma&0&0&\gamma&\gamma ^{-1}&0&0&0&\gamma&0&\gamma&0&0 \end{array} \right] . \end{aligned}$$

We can verify that the code generated by the matrix \(G_{\varvec{\lambda }} P\) is \((s, a, 0)\)-intersecting for all s relatively prime to m. Note that Proposition 5 and step (iii) of key generation constrain the entries of \(P^{-1}\), not those of P; for the rank bound used in decryption to apply, one must therefore also check that \(P^{-1}\) has all its entries in \(\{ c\gamma , c\gamma ^{-1} : c \in \mathbb {F}_q \}\).

5 Security Against Structural Attacks

We now show that the new encryption scheme with public key (10) is able to resist the structural attacks on the cryptosystems based on Gabidulin codes.

5.1 Overbeck’s Attack

Overbeck’s attack exploits the fact that Gabidulin codes contain a large subspace invariant under the Frobenius automorphism. We consider the map \(\varLambda _i\), which stacks the first \(i+1\) Frobenius powers of \(G_\mathsf{pub}\):

$$\begin{aligned} \varLambda _i (G_\mathsf{pub})&= \left[ \begin{array}{c} ( {S} G_{\varvec{\lambda }} {P})^{[0]} \\ \vdots \\ ( {S} G_{\varvec{\lambda }} {P})^{[i]} \\ \end{array} \right] = \left[ \begin{array}{ccc} {S}^{[0]} &{} &{} {0} \\ &{} \ddots &{} \\ {0} &{} &{} {S}^{[i]} \\ \end{array} \right] \left[ \begin{array}{c} {G}_{\varvec{\lambda }}^{[0]} P^{[0]}\\ \vdots \\ {G}_{\varvec{\lambda }}^{[i]} P^{[i]} \\ \end{array} \right] \end{aligned}$$

Let \(G^{**} = \left[ \begin{array}{c} {G}_{\varvec{\lambda }}^{[0]} P^{[0]}\\ \vdots \\ {G}_{\varvec{\lambda }}^{[i]} P^{[i]} \\ \end{array} \right] \), whose rows generate \(\sum _{j=0}^{i} \mathcal {C}^{([j])}\), where \(\mathcal {C}\) is the code generated by \(G_{\varvec{\lambda }}P\). Overbeck’s attack requires some i for which this sum has dimension \(n-1\), so that its dual, the kernel of \(G^{**}\), is one-dimensional. If \(\mathcal {C}\) is \((1, t, 0)\)-intersecting for every \(1 \le t \le a\) (the \((1, a, 0)\) property ensured by key generation fixes only the dimension of the full sum, so the smaller values of t should be checked as well), then \(\dim (G^{**}) = \min \{ n, (i+1)k \}\) for \(i < a\), and \(\dim (G^{**}) = n\) for \(i \ge a-1\) because \(ak \ge n\). Since \(k \not \mid n-1\), there is no i with \((i+1)k = n-1\). Hence \(\dim (G^{**}) \ne n-1\) for all i, so \(\dim (\ker (G^{**})) \ne 1\), and Overbeck’s attack fails.

5.2 Annihilator Polynomial Attack

An adversary may consider an annihilator polynomial of \(\varvec{e} \in \mathbb {F}_{q^m}^n\) and try to reconstruct \(\varvec{e}\) from \(f(\varvec{e})\). Since \( \text {rk}_q (\varvec{e}) = a \le \left\lfloor \frac{r}{3} \right\rfloor \), there exists a monic linearized polynomial f(x) of q-degree a (ordinary degree \(q^{a}\)) that vanishes on the \(\mathbb {F}_q\)-span of the entries of \(\varvec{e}\), of the form

$$\begin{aligned} f(\varvec{x}) = \varvec{x}^{[a]} + \sum _{i=0}^{a-1} f_i \varvec{x}^{[i]} \end{aligned}$$

for some \(f_i \in \mathbb {F}_{q^m}\), such that

$$\begin{aligned} f(\varvec{e}) = f(\varvec{y}-\varvec{m}G_\mathsf{pub})&= \varvec{0} \nonumber \\ (\varvec{y}-\varvec{m}G_\mathsf{pub})^{[a]} + \sum _{i=0}^{a-1} f_i (\varvec{y}-\varvec{m}G_\mathsf{pub})^{[i]}&= \varvec{0}, \end{aligned}$$
(11)

with f applied coordinate-wise. Expanding (11) using \((\varvec{y}-\varvec{m}G_\mathsf{pub})^{[i]} = \varvec{y}^{[i]} - \varvec{m}^{[i]} G_\mathsf{pub}^{[i]}\) and treating the k entries of \(\varvec{m}^{[a]}\), the a coefficients \(f_i\) and the \(a \times k\) products \(f_i m_j^{[i]}\) (\(i=0,\ldots , a-1\), \(j=1,\ldots , k\)) as independent unknowns gives a linear system of n equations in \(ak+k+a\) unknowns. Since \(ak \ge n\) by our choice of parameters, \(ak+k+a > n\): the linearised system is underdetermined and does not determine \(\varvec{m}\), so the adversary is left with solving the RSD instance given by \(G_\mathsf{pub}\), for which the best known algorithms are exponential.
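The following Python script is an illustration added here; it is not part of the paper (whose experiments were run in Magma) and does not implement the full scheme. It checks numerically the two facts used in Proposition 5 and in this subsection: that \(\text {rk}_q ( \varvec{x} P^{-1} \varDelta ^{-1} ) \le 3\, \text {rk}_q (\varvec{x})\) when \(P^{-1}\) has entries in \(\{ c\gamma , c\gamma ^{-1} : c \in \mathbb {F}_q \}\), and that a vector of rank a admits a monic annihilator polynomial of q-degree a as in (11). It assumes \(q = 2\) and \(m = 15\) with the reduction polynomial \(x^{15} + x + 1\); the toy sizes (n, t, a), the seeds and the random matrix that stands in for \(P^{-1}\) are our own choices. The structured matrix is not checked for invertibility, since the bound depends only on its entries, and a matrix with unrestricted entries is included for contrast.

```python
# Added example (ours, not the paper's): numeric check of Proposition 5 and Sect. 5.2.
import random
from functools import reduce
from operator import xor

M, POLY = 15, (1 << 15) | (1 << 1) | 1   # q = 2, F_{2^15} with modulus x^15 + x + 1 (irreducible)

def gf_mul(a, b):
    """Product in F_{2^M}; an element is an int whose bit i is the coefficient of z^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a >> (M - 1) else 0)   # multiply by z and reduce
        b >>= 1
    return r

def gf_inv(a):
    """a^{-1} = a^(2^M - 2) for a != 0, by square-and-multiply."""
    r, e = 1, (1 << M) - 2
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def f2_basis(vec):
    """F_2-basis of the span of the entries (Gaussian elimination on bit vectors)."""
    pivots = {}
    for v in vec:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return list(pivots.values())

def rank_q(vec):
    return len(f2_basis(vec))            # rk_q(vec): dimension of the F_2-span of the entries

def random_vector_of_rank(n, t, rng):
    """Vector in F_{2^M}^n whose entries span exactly a t-dimensional F_2-space."""
    while True:
        basis = [rng.randrange(1, 1 << M) for _ in range(t)]
        vec = [reduce(xor, [b for b in basis if rng.random() < 0.5], 0) for _ in range(n)]
        if rank_q(basis) == t and rank_q(vec) == t:
            return vec

def unscramble(x, p_inv, lam):
    """x * P^{-1} * Delta^{-1} with Delta = diag(lam): the first step of decryption."""
    n = len(x)
    return [gf_mul(reduce(xor, (gf_mul(x[i], p_inv[i][j]) for i in range(n)), 0),
                   gf_inv(lam[j])) for j in range(n)]

def proposition5_ranks(n, t, seed=1):
    """(rk_q(x), rank after a P^{-1} with entries in {0, gamma, gamma^{-1}}, rank after a generic P^{-1})."""
    rng = random.Random(seed)
    gamma = rng.randrange(2, 1 << M)                 # gamma not in F_2 = {0, 1}
    choices = (0, gamma, gf_inv(gamma))              # c*gamma, c*gamma^{-1} with c in F_2
    lam = [rng.choice(choices[1:]) for _ in range(n)]
    x = random_vector_of_rank(n, t, rng)
    structured = [[rng.choice(choices) for _ in range(n)] for _ in range(n)]
    generic = [[rng.randrange(1 << M) for _ in range(n)] for _ in range(n)]
    return (rank_q(x), rank_q(unscramble(x, structured, lam)),
            rank_q(unscramble(x, generic, lam)))

def lin_eval(f, v):
    """f(v) = sum_j f_j v^{[j]} for a linearized polynomial with coefficients f = [f_0, ..., f_a]."""
    acc, w = 0, v
    for c in f:
        acc ^= gf_mul(c, w)
        w = gf_mul(w, w)                             # w = v^{[j+1]}
    return acc

def annihilator(support_basis):
    """Monic x^{[a]} + sum_{i<a} f_i x^{[i]} vanishing on the F_2-span; f <- f^2 + f(b) f per basis element."""
    f = [1]                                          # f(x) = x
    for b in support_basis:
        fb = lin_eval(f, b)
        new = [0] * (len(f) + 1)
        for j, c in enumerate(f):
            new[j + 1] ^= gf_mul(c, c)               # f(x)^2 raises every q-degree by one
            new[j] ^= gf_mul(fb, c)
        f = new
    return f

def annihilator_demo(n, a, seed=2):
    """(q-degree of f, f vanishes on every e_j, f(b) != 0 for some b outside supp(e))."""
    rng = random.Random(seed)
    e = random_vector_of_rank(n, a, rng)
    f = annihilator(f2_basis(e))
    while True:
        b = rng.randrange(1, 1 << M)
        if rank_q(e + [b]) == a + 1:                 # b lies outside supp(e)
            break
    return len(f) - 1, all(lin_eval(f, ej) == 0 for ej in e), lin_eval(f, b) != 0

def linearised_system_shape(n, k, a):
    """(equations, unknowns) of (11) with m^{[a]} (k), f_i (a) and f_i m_j^{[i]} (a*k) as unknowns."""
    return n, a * k + k + a
```

`proposition5_ranks(12, 2)` returns \(\text {rk}_q (\varvec{x}) = 2\), a rank of at most 6 after the structured matrix and, almost surely, a rank of 12 after the generic one, which is why the entries of \(P^{-1}\) must be restricted. `annihilator_demo(12, 3)` returns q-degree 3 with f vanishing on the support and nowhere outside it, and `linearised_system_shape(79, 31, 8)` returns (79, 287), i.e. 79 equations in 287 unknowns for the parameters of Sect. 6.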

5.3 Frobenius Weak Attack

Let \(\mathcal {C}\) be the code generated by \(G_\mathsf{pub}\), and \(\varvec{y} = \varvec{m}G_\mathsf{pub}+ \varvec{e}\) with \(\text {rk}_q (\varvec{e}) = a\). Consider \(s< m\) such that \(\gcd (s,m) = 1\). The adversary first constructs the matrix

$$ G_{\mathsf{pub}_{j}} = \left[ \begin{array}{c} G_\mathsf{pub}^{([0])} \\ \varvec{y}^{([0])} \\ \vdots \\ G_\mathsf{pub}^{([s(j-1)])} \\ \varvec{y}^{([s(j-1)])} \\ \end{array} \right] . $$

If \( j < a\), then by Lemma 2 we have \(\left\langle \varvec{e}, \varvec{e}^{([s])}, \ldots , \varvec{e}^{([s(j-1)])} \right\rangle \ne \text {supp}(\varvec{e})\). Therefore the adversary cannot obtain a parity-check matrix H with \(\varvec{e}H^T = \varvec{0}\) for \(\mathcal {U}\), where \(\mathcal {U}\) is the span of all elements of rank one in \(\mathcal {C}_{ext} := \sum _{i=0}^{a-1} \left( \mathcal {C} + \langle \varvec{e} \rangle \right) ^{[si]}\).

Hence the adversary will construct \(G_{\mathsf{pub}_j}\) with \(j=a\), so that \(\left\langle \varvec{e}^{([0])}, \ldots , \varvec{e}^{([s(a-1)])} \right\rangle = \text {supp}(\varvec{e}) \subseteq \mathcal {U}\), and then try to compute the space \(\mathcal {U}\) generated by the rank-one elements of \(\mathcal {C}_{ext}\) using Lemma 3. Since \(\sum _{i=0}^{a-1} \mathcal {C}^{([si])} \subseteq \mathcal {C}_{ext}\) and \(\mathcal {C}\) is an \((s, a, 0)\)-intersecting code with \(ak \ge n\), we have

$$\begin{aligned} \dim _{\mathbb {F}_{q^m}} \left( \mathcal {C}_{ext} \right)&\ge \dim _{\mathbb {F}_{q^m}} \left( \sum _{i=0}^{a-1} \mathcal {C}^{([si])} \right) = \min \{ n, ak \} = n. \end{aligned}$$

Since \(\mathcal {C}_{ext} \subseteq \mathbb {F}_{q^m}^n\), this gives \(\dim _{\mathbb {F}_{q^m}} \left( \mathcal {C}_{ext} \right) =n\). Let \(\bar{G}\) be the generator matrix of \(\mathcal {C}_{ext}\) in reduced row echelon form. We then have

$$ \bar{G} = \left[ \begin{array}{c} I_n \\ \varvec{0} \\ \end{array} \right] =: \left[ \begin{array}{c} \bar{G}_1 \\ \bar{G}_2 \\ \vdots \\ \bar{G}_{a(k+1)} \\ \end{array} \right] \in \mathbb {F}_{q^m}^{(a(k+1)) \times n} $$

where \(\bar{G}_i\) denotes the i-th row of \(\bar{G}\). Every row of \(\bar{G}\) has entries in \(\{0, 1\} \subseteq \mathbb {F}_q\), so \(\bar{G}_i^{([1])} - \bar{G}_i = \varvec{0}\) for each i. Thus the adversary is unable to compute the space \(\mathcal {U}\) using Lemma 3, and hence unable to determine its parity-check matrix H. The Frobenius weak attack fails.

Remark

Since our \(\varvec{\lambda }\)-Gabidulin codes are structurally similar to Gabidulin codes, we do not consider attacks designed for cryptosystems based on LRPC codes, such as those of [6, 27]; they are not relevant to our cryptosystem.

6 Proposed Parameters

We ran a simulation in Magma, generating 1000 random sets of \(\varvec{\lambda }\), \(G_{\lambda }\), P and \(G_{\varvec{\lambda }} P\) with parameters \((q,m,n,k,a)=(2,83,79,31,8)\) (so that \(r = 24\), \(a = 8\), \(ak = 248 \ge n\) and \(31 \not \mid 78\)) under the conditions of Key Generation \(\mathcal {K}_\mathtt{PE}\). All of the codes generated by \(G_{\varvec{\lambda }} P\) in the simulation were \((s, a, 0)\)-intersecting for all s relatively prime to m. This indicates that a \(G_{\lambda }P\) with the required properties is easy to generate.

Recall that Tables 1 and 2 give the complexity of solving the \(\mathsf{RSD}\) problem using combinatorial and algebraic attacks. We replace the term r in those formulas by a, and take the square root of the exponential term when evaluating the post-quantum complexity of solving the \(\mathsf{RSD}\) problem. We suggest two parameter sets, for \(2^{128}\) and \(2^{256}\) bits of post-quantum security respectively, in Table 4. We consider the public key matrix \(G_\mathsf{pub}\) in systematic form, which gives a key size of \(\frac{k(n-k)m}{8} \log _2 (q)\) bytes. We denote the achieved post-quantum security by “PQ.Sec”.

Table 4. Parameters for \(2^{128}\) and \(2^{256}\) bits post quantum security
Table 5. Comparison on parameters for LG encryption, Loi17 and DRANKULA

We compare our encryption scheme with the Loi17 and DRANKULA encryption schemes, as they are structurally similar (McEliece type) and differ only in the codes used. In Table 5 we also include the formula \(m^3 2^{\frac{a-1}{2} \left\lfloor ( k \min (m,n))/n \right\rfloor }\) for the complexity of the attack on \(\mathsf{RSD}\), since this is the formula used in [29] to evaluate the complexity on a quantum computer.

Our LG Encryption using \(\varvec{\lambda }\)-Gabidulin codes has smaller public key size (17.85 KB) than public key size of Loidreau’s proposal (Loi17 of 21.50 KB in [29]), and smaller public key size than public key size of DRANKULA (27.65 KB in [1]) at similar post quantum security of \(2^{140}\).

7 Conclusion

This paper has proposed a new rank metric code, the \(\varvec{\lambda }\)-Gabidulin code, and a new McEliece-type cryptosystem based on it, as an alternative to the current rank metric code based cryptosystems. In particular, the public key matrix is a generator matrix of a \(\varvec{\lambda }\)-Gabidulin code multiplied by a scrambler matrix associated to \(\varvec{\lambda }\). Our encryption scheme can be converted into an IND-CCA2 encryption scheme via the security conversions proposed in [23]. We therefore do not present security proofs, but rather discuss the scheme’s structural security in resisting Overbeck’s attack, the annihilator polynomial attack and the Frobenius weak attack. Moreover, our proposal has a smaller public key size (17.85 KB) than Loidreau’s proposal (21.50 KB) in [29] and than DRANKULA (27.65 KB) in [1] at a similar post-quantum security level of \(2^{140}\).