A New Public-Key Cryptosystem Based on the Problem of Reconstructing p–Polynomials

Faure, Cédric; Loidreau, Pierre

doi:10.1007/11779360_24

Cited by 43 publications

(68 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our attack assumes that parameters are chosen so that w u u+1 (n − k) which was always the case in [FL05,Loi07]. We have also seen that taking w > u u+1 (n − k) implies to choose t pub < 1 2 n−k u+1 which exposes further the system to general decoding attacks like [GRS16].…”

Section: Resultsmentioning

confidence: 95%

“…However the schemes have undergone polynomialtime attacks in [Cor03,Cor04,KY04]. The authors in [FL05] proposed an analog of Augot-Finiasz scheme but in the rank-metric context. The security of [FL05] is related to the difficulty of solving p-polynomial reconstruction corresponding actually to the decoding problem of a Gabidulin code beyond its error-correcting capability.…”

Section: Introductionmentioning

confidence: 99%

“…We implemented our attack on parameters given in [FL05,Loi07] for 80-bit security, which were broken in a few seconds.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Gaborit

Otmani

Kalachi

2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

ABSTRACT. Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked essentially by the use of an attack proposed by Overbeck.In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break in a few seconds parameters with 80-bit security claim. Our work also shows that some parameters are not affected by our attack but at the cost of a lost of efficiency for the underlying schemes.Post-quantum cryptography; Gabidulin code; Polynomial reconstruction; Faure-Loidreau scheme.

show abstract

Section: Resultsmentioning

confidence: 95%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Gaborit

Otmani

Kalachi

2017

Des. Codes Cryptogr.

View full text Add to dashboard Cite

show abstract

“…The security of the public-key cryptosystem from [2] relied on the hardness of ML decoding of RS codes but was broken by a structural attack. More recently, some public-key cryptosystems based their security partly upon the difficulty of solving the problem Dec-Gab (Decisional-Gabidulin defined in the following) and Search-Gab (Search-Gabidulin), i.e., decoding Gabidulin codes beyond the unique decoding radius or derived instances of this problem [8,19,33].…”

Section: Introductionmentioning

confidence: 99%

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Renner

Jerkovits

Bartz

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We address the problem of decoding Gabidulin codes beyond their unique error-correction radius. The complexity of this problem is of importance to assess the security of some rank-metric code-based cryptosystems. We propose an approach that introduces row or column erasures to decrease the rank of the error in order to use any proper polynomial-time Gabidulin code error-erasure decoding algorithm. This approach improves on generic rank-metric decoders by an exponential factor.

show abstract

“…Until now the main tool for rank based cryptography was based on masking Gabidulin codes [17] in different ways and using the McEliece (or Niederreiter) setting with these codes. Most cryptosystems based on this idea were broken by using structural attacks which exploit the particular structure of Gabidulin codes ([39], [14], [8], [28], [16]). A similar situation exists in the Hamming case for which all cryptosystems based on Reed-Solomon codes have been broken for a similar reason: Reed-Solomon codes are so structured that they are difficult to mask and there is always structural information leaking.Since the introduction of code-based cryptography by McEliece in 1978, the different cryptosystems proposed in the Hamming distance setting were based on masking a special family of decodable codes, like Goppa, Reed-Muller of Reed-Solomon codes.…”

mentioning

confidence: 99%

Low Rank Parity Check Codes: New Decoding Algorithms and Applications to Cryptography

Aragon

Gaborit

Hauteville

et al. 2019

IEEE Trans. Inform. Theory

View full text Add to dashboard Cite

We introduce a new family of rank metric codes: Low Rank Parity Check codes (LRPC), for which we propose an efficient probabilistic decoding algorithm. This family of codes can be seen as the equivalent of classical LDPC codes for the rank metric. We then use these codes to design cryptosystems à la McEliece: more precisely we propose two schemes for key encapsulation mechanism (KEM) and public key encryption (PKE). Unlike rank metric codes used in previous encryption algorithms -notably Gabidulin codes -LRPC codes have a very weak algebraic structure. Our cryptosystems can be seen as an equivalent of the NTRU cryptosystem (and also to the more recent MDPC [35] cryptosystem) in a rank metric context. The present paper is an extended version of the article introducing LRPC codes, with important new contributions. We have improved the decoder thanks to a new approach which allows for decoding of errors of higher rank weight, namely up to 2 3 (n − k) when the previous decoding algorithm only decodes up to n−k 2 errors. Our codes therefore outperform the classical Gabidulin code decoder which deals with weights up to n−k 2 . This comes at the expense of probabilistic decoding, but the decoding error probability can be made arbitrarily small. The new approach can also be used to decrease the decoding error probability of previous schemes, which is especially useful for cryptography. Finally, we introduce ideal rank codes, which generalize double-circulant rank codes and allow us to avoid known structural attacks based on folding. To conclude, we propose different parameter sizes for our schemes and we obtain a public key of 3337 bits for key exchange and 5893 bits for public key encryption, both for 128 bits of security.Among potential candidates for alternative cryptography, lattice-based and code-based cryptography are strong candidates. Rank-based cryptography relies on the difficulty of decoding error-correcting codes embedded in a rank metric space (often over extension fields of fields of prime order), when code-based cryptography relies on difficult problems related to error-correcting codes embedded in Hamming metric spaces (often over small fields F q ) and when lattice-based cryptography is mainly based on the study of q-ary lattices, which can be seen as codes over rings of type Z/qZ (for large q), embedded in Euclidean metric spaces.The particular appeal of the rank metric is that the practical difficulty of the decoding problems grows very quickly with the size of parameters. In particular, it is possible to reach a complexity of 2 80 for random instances with size only a few thousand bits, while for lattices or codes, at least a hundred thousand bits are needed. Of course with codes and lattices it is possible to decrease the size to a few thousand bits but with additional structure like quasi-cyclicity [7], which comes at the cost of losing reductions to known difficult problems. The rank metric was introduced by Delsarte and Gabidulin [15], along with Gabidulin codes which are a rank-metric equivalent ...

show abstract

A New Public-Key Cryptosystem Based on the Problem of Reconstructing p–Polynomials

Cited by 43 publications

References 9 publications

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Low Rank Parity Check Codes: New Decoding Algorithms and Applications to Cryptography

Contact Info

Product

Resources

About