TL;DR
LIGA is a rank-metric code-based cryptosystem built on the hardness of list decoding and interleaved decoding of Gabidulin codes. It is an improved variant of the Faure–Loidreau system that resists the GOT structural attack, and it offers short ciphertexts and small keys.
Contribution
It introduces a modified key generation method that resists known structural attacks, and proves security under standard assumptions related to decoding problems.
Findings
LIGA resists the GOT attack due to its key generation design.
The system is proven IND-CPA secure in the standard model.
LIGA achieves short ciphertexts and small keys with no decryption failures.
| Name | Use | Restriction |
| small field size | prime power | |
| extension degree | ||
| code length | ||
| code dimension | ||
| extension degree | ||
| error weight in public key | ||
| error weight in ciphertext | ||
| -dimension of error vector in the public key | and |
| Name of the attack | Work factor |
| Brute-force (Sec. 6.1.1) | |
| Interleaved Decoding (Sec. 6.1.2) | |
| Randomized Decoding (Sec. 6.1.4) | |
| Moving to Close Error (Sec. 6.1.5) | |
| Combinatorial RSD (Sec. 6.2.3) | |
| Algebraic RSD (Sec. 6.2.4) | |
| Linearization (Sec. 6.2.5) | |
| GCD based attack (Sec. 6.2.6) | |
| Brute-force (Sec. 6.2.8) | |
| Distinguisher for (Sec. 6.3) |
| Parameter Set | |||||||||
| LIGA-128 | 2 | 5 | 53 | 92 | 92 | 2 | 27 | 6 | 0.52 |
| LIGA-192 | 2 | 5 | 69 | 120 | 120 | 2 | 35 | 8 | 0.53 |
| LIGA-256 | 2 | 5 | 85 | 148 | 148 | 2 | 43 | 10 | 0.54 |
| System name | Secret key (bytes) | Public key (bytes) | Ciphertext (bytes) | Security | DFR |
| LIGA-128 | 3795 | 6348 | 1058 | 128 bit | no |
| RQC-I | 40 | 1834 | 3652 | 128 bit | no |
| ROLLO-I-128 | 40 | 696 | 696 | 128 bit | yes |
| Loidreau-128 | 7181 | 6720 | 464 | 128 bit | no |
| BIKE-2 Level 1 | 249 | 1271 | 1271 | 128 bit | yes |
| McEliece348864 | 6452 | 261120 | 128 | 128 bit | no |
| LIGA-192 | 6450 | 10800 | 1800 | 192 bit | no |
| RQC-II | 40 | 2853 | 5690 | 192 bit | no |
| ROLLO-I-192 | 40 | 958 | 958 | 192 bit | yes |
| Loidreau-192 | 13548 | 11520 | 744 | 128 bit | no |
| BIKE-2 Level 2 | 387 | 2482 | 2482 | 192 bit | yes |
| McEliece460896 | 13568 | 524160 | 188 | 192 bit | no |
| LIGA-256 | 9805 | 16428 | 2738 | 256 bit | no |
| RQC-III | 40 | 4090 | 8164 | 256 bit | no |
| ROLLO-I-256 | 40 | 1371 | 1371 | 256 bit | yes |
| Loidreau-256 | 14128 | 16128 | 1024 | 256 bit | no |
| BIKE-2 Level 3 | 513 | 4094 | 4094 | 256 bit | yes |
| McEliece6688128 | 13892 | 1044992 | 240 | 256 bit | no |
LIGA: A Cryptosystem Based on the Hardness of Rank-Metric List and Interleaved Decoding
Julian Renner (1), Sven Puchinger (2), Antonia Wachter-Zeh (1)
(1) Technical University of Munich (TUM), Munich, Germany; email: {julian.renner, antonia.wachter-zeh}@tum.de
(2) Technical University of Denmark (DTU), Lyngby, Denmark; email: [email protected]
(March 7, 2024)
Funding: The work of J. Renner and A. Wachter-Zeh was supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 801434). Sven Puchinger has received funding from the European Union's Horizon 2020 research and innovation program under the Marie Sklodowska-Curie grant agreement no. 713683 (COFUNDfellowsDTU).
Abstract
We propose the new rank-metric code-based cryptosystem LIGA which is based on the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA is an improved variant of the Faure–Loidreau (FL) system, which was broken in a structural attack by Gaborit, Otmani, and Talé Kalachi (GOT, 2018). We keep the FL encryption and decryption algorithms, but modify the insecure key generation algorithm. Our crucial observation is that the GOT attack is equivalent to decoding an interleaved Gabidulin code. The new key generation algorithm constructs public keys for which all polynomial-time interleaved decoders fail—hence LIGA resists the GOT attack. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the KEM version is IND-CCA2 secure in the random oracle model, both under hardness assumptions of formally defined problems related to list decoding and interleaved decoding of Gabidulin codes. We propose and analyze various exponential-time attacks on these problems, calculate their work factors, and compare the resulting parameters to NIST proposals. The strengths of LIGA are short ciphertext sizes and (relatively) small key sizes. Further, LIGA guarantees correct decryption and has no decryption failure rate. It is not based on hiding the structure of a code. Since there are efficient and constant-time algorithms for encoding and decoding Gabidulin codes, timing attacks on the encryption and decryption algorithms can be easily prevented.
1 Introduction
Public-key cryptography is the foundation for establishing secure communication between multiple parties. Traditional public-key algorithms such as RSA are based on the hardness of factoring large numbers or of the discrete logarithm problem, but they can be attacked in polynomial time once a sufficiently capable quantum computer exists. Code-based public-key cryptosystems are considered to be post-quantum secure, but compared to RSA or elliptic curve cryptography their crucial drawback is the significantly larger key size. Recently, the National Institute of Standards and Technology (NIST) has initiated a standardization process for post-quantum secure public-key algorithms [29]. Round 2 of the competition, which is currently under evaluation, consists of 17 code-based and lattice-based public-key encryption algorithms. The NIST competition and its candidate systems attract a lot of attention and show the importance of designing post-quantum secure public-key encryption algorithms.
The Faure–Loidreau (FL) code-based cryptosystem [14, 26] is based on the problem of reconstructing linearized polynomials and can be seen as linearized equivalent of the (broken) Augot–Finiasz cryptosystem [5]. While the Augot–Finiasz cryptosystem is closely connected to (list) decoding Reed–Solomon codes, the FL cryptosystem is connected to (list) decoding Gabidulin codes, a special class of rank-metric codes [16]. In contrast to McEliece-type (or Niederreiter-type) cryptosystems, where the public key is a matrix, in the FL system, the public key is only a vector, resulting in a much smaller key size. At the time when the FL cryptosystem was designed, it was only conjectured that Gabidulin codes cannot be list decoded efficiently. As this was proven in the last years for many families of Gabidulin codes [46, 36, 44], the FL system could be a very promising post-quantum secure public-key cryptosystem. However, the recent structural attack by Gaborit, Otmani and Talé Kalachi [19] can recover an alternative public key in cubic time complexity.
In this paper, a new system is presented which is based on the original FL system, and therefore relies on the proven hardness of list decoding Gabidulin codes, but makes the attack from [19] impossible. Our contributions are as follows. First, a new coding-theoretic interpretation of the original FL system is given and an alternative decryption algorithm is proposed. Second, we show that the public key can be seen as a corrupted codeword of an interleaved Gabidulin code. We prove that the failure condition of the GOT attack [19] on the public key is equivalent to the failure condition of decoding the public key as a corrupted interleaved Gabidulin codeword. This observation enables us to design a new code-based public-key encryption scheme, as well as a corresponding key encapsulation mechanism (KEM), based on the hardness of list and interleaved decoding Gabidulin codes: LIGA. In LIGA, we choose the public key in a way that the corresponding interleaved decoder is guaranteed to fail, and thus, the system is secured against the attack from [19]. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the KEM version is IND-CCA2 secure in the random oracle model, both under hardness assumptions on problems related to list and interleaved decoding of Gabidulin codes. We analyze possible (exponential-time) attacks on these hard problems, provide sets of parameters for LIGA, and compare them amongst others to NIST proposals (RQC, ROLLO, BIKE, McEliece).
The structure of this paper is as follows. In Section 2, the notation is introduced and definitions are given. In Section 3, the key generation of the original FL system is shown and a new coding-theoretic interpretation of the ciphertext and the public key is derived. After summarizing the attack from [19], we prove its equivalence to decoding the public key as an interleaved Gabidulin code. Based on this equivalence, the new system LIGA is proposed in Section 4 and its IND-CPA and IND-CCA2 security are proven in Section 5. A security analysis of our system is given in Section 6. In Section 7, example parameters for security levels 128, 192, and 256 bit are proposed and compared to the NIST proposals RQC [2], ROLLO [1], BIKE [3], ClassicMcEliece [8] and Loidreau’s McEliece-like system from [27]. Conclusions are given in Section 8.
Parts of these results have been presented at the IEEE International Symposium on Information Theory 2018 [48]. The content of this journal paper contains various new results that were not shown in [48]. In particular, in this paper,
- we generalize LIGA’s Key Generation algorithm, i.e., the choice of the ’s (the interleaved errors in the public key) is more flexible now (in [48], ),
- we present a KEM/DEM version of LIGA,
- the encryption and decryption complexity is analyzed,
- we show a new way to realize the decryption by error-erasure decoding,
- we identify formal problems in the rank metric on which the security of LIGA relies and prove the IND-CPA/CCA2 security of the KEM/DEM version under the assumption that some of these problems are hard,
- we analyze new exponential-time attacks on these problems,
- we update the choice of parameters.
It is important to note that all these results go well beyond what is known about and what has been analyzed for the original FL system.
2 Preliminaries
2.1 Notations
Let be a power of a prime and let denote the finite field of order . Then, and denote extension fields of of order and , respectively. We use to denote the set of all matrices over and for the set of all row vectors of length over . Further, we use another field extension with . Thus, .
For a field , the vector space that is spanned by is denoted by
[TABLE]
Denote the set of integers . Rows and columns of -matrices are indexed by and , where is the element in the -th row and -th column of the matrix . Further,
[TABLE]
By and , we denote the rank of a matrix over , respectively . Let be an ordered basis of over . By utilizing the vector space isomorphism , we can relate each vector to a matrix according to
[TABLE]
where and
[TABLE]
The trace operator of a vector to is defined by
[TABLE]
A dual basis to is a basis that fulfills
[TABLE]
where . Note that a dual basis always exists.
Denote by the Moore matrix for a vector , i.e.,
[TABLE]
If , are linearly independent over , then , cf. [24, Lemma 3.15]. This definition can also be extended to matrices by
[TABLE]
where .
The Gaussian binomial coefficient is denoted by
[TABLE]
where and are non-negative integers.
Let $\mathcal{X}$ be a set. When $x$ is drawn uniformly at random from the set $\mathcal{X}$, we denote it by $x \xleftarrow{\$} \mathcal{X}$. We write $x \leftarrow y$ to denote that the value $y$ is assigned to $x$.
2.2 Rank-Metric Codes and Gabidulin Codes
The rank norm is the rank of the matrix representation over . The rank distance between and is the rank of the difference of the two matrix representations, i.e.,
[TABLE]
An code over is a linear rank-metric code, i.e., it is a linear subspace of of dimension and minimum rank distance
[TABLE]
For linear codes with , the Singleton-like upper bound [12, 16] implies that . If , the code is called a maximum rank distance (MRD) code.
Gabidulin codes [16] are a special class of rank-metric codes and can be defined by their generator matrices.
Definition 1 (Gabidulin Code [16])
A linear code over of length and dimension is defined by its generator matrix
[TABLE]
where and .
In [16], it is shown that Gabidulin codes are MRD codes, i.e., .
For a short description on decoding of Gabidulin codes, denote by the transmitted codeword (i.e., the matrix representation of ) of a code that is corrupted by an additive error . At the receiver side, only the received matrix , where , is known. The channel might provide additional side information in the form of erasures:
- row erasures (in [43] called "deviations") and
- column erasures (in [43] called "erasures"),
such that the received matrix can be decomposed into
[TABLE]
where , , , are full-rank matrices, respectively, and is a matrix of rank . The decoder knows and additionally and . Further, denotes the number of errors without side information. The rank-metric error-erasure decoding algorithms from [18, 43, 49] can then reconstruct with asymptotic complexity operations over , or in sub-quadratic complexity using the fast operations described in [34, 35], if
[TABLE]
is fulfilled.
2.3 Interleaved Rank-Metric Codes
Interleaved Gabidulin codes are a code class for which efficient decoders are known that correct, with high probability, random errors of rank larger than .
Definition 2 (Interleaved Gabidulin Codes [25])
A linear (vertically, homogeneous) interleaved Gabidulin code over of length , dimension , and interleaving order is defined by
[TABLE]
As a short-term notation, we also speak about a -interleaved Gabidulin code. When considering random errors of rank weight , the code can be decoded uniquely with high probability up to errors (in this setting, an “error of weight ” is a matrix in with -rank equal to ), cf. [25, 41, 49]. However, it is well-known that there are many error patterns for which the known efficient decoders fail. In fact, we can explicitly construct a large class of such errors as shown in the following lemma.
Lemma 1 (Interleaved Decoding [25], [41], [47, p. 64])
Let . All known efficient decoders (i.e., the algorithms in [25, 41] and [47, p. 64]) for codes fail to correct an error with and if
[TABLE]
It is widely conjectured that there cannot be a decoder that decodes the error patterns of Lemma 1 uniquely. Decoding these failing error patterns has been the subject of intensive research since the Loidreau–Overbeck decoder [25] was found in 2006. In the Hamming metric, the equivalent problem for Reed–Solomon codes has been studied since 1997 [23], and more than a dozen papers have dealt with decoding algorithms for these codes. None of these papers was able to give a polynomial-time decoding algorithm for the cases of Lemma 1. It seems that all unique decoders have to fail for the error patterns of Lemma 1 since in these cases there is no unique decision, i.e., more than one interleaved codeword lies in the ball of radius around the received word.
3 Key Generation in the Original Faure–Loidreau System
In this section, we recall the key generation algorithm of the original FL cryptosystem, we give a coding-theoretic interpretation of the original public key, and analyze the structural attack from [19].
3.1 The Original Algorithm
Let be positive integers that fulfill the restrictions given in Table 1 and are publicly known. In the following, we consider the three finite fields , , and , which are extension fields of each other, i.e.:
[TABLE]
The original FL key generation is shown in Algorithm 1.
3.2 Coding-Theoretic Interpretation of the Original Public Key
The public key of the FL system is a corrupted codeword of a -interleaved Gabidulin code. To our knowledge, this connection between the public key and interleaved Gabidulin codes has not been known before. This interpretation is central to this paper and will be used in Section 4.1 to define the public key of LIGA such that it is not vulnerable to the attack from [19] described in Section 3.3.
Theorem 3.1
Fix a basis of over . Let be a dual basis to and write . Then,
[TABLE]
where the are codewords of the Gabidulin code with generator matrix and the are obtained from the vector by .
Proof.
Recall the definition of the public key
[TABLE]
where , is the generator matrix of a code, and with . Let , where the have coefficients in .
Then, we obtain the following representation of the public key as a matrix in
[TABLE]
Since is a codeword of a code, , the matrix representation of can be seen as a codeword from an code, corrupted by an error. ∎
Note that the error in (3) has -rank at most due to the structure of .
3.3 Efficient Key Recovery of the Original FL Key
The attack by Gaborit, Otmani and Talé Kalachi (GOT) on the original FL system in [19] (see Algorithm 2 below) is an efficient structural attack which computes a valid private key of the FL system in cubic time when the public key fulfills certain conditions. We recall this attack in the following and derive an alternative, equally powerful, attack based on interleaved decoding the public key, utilizing the observation of the previous subsection. We prove that the failure conditions of both attacks are equivalent. The interleaved decoding attack does not have any advantage in terms of cryptanalysis compared to [19], but enables us to exactly predict for which public keys both attacks work and for which the attacks fail.
3.3.1 GOT Attack
The key recovery in the GOT attack (Algorithm 2) succeeds under the conditions of the following theorem.
Theorem 3.2 (GOT Attack [19, Thm. 1])
Let be a basis of over and let , for .
If the matrix with as rows, satisfies
[TABLE]
then can be recovered from with operations in by using Algorithm 2.
If the key is generated by Algorithm 1, the GOT attack breaks the original FL system with high probability.
3.3.2 Interleaved Decoding Attack
Recall from Theorem 3.1 that the public key is a corrupted interleaved codeword. Based on this observation, we will derive a structural attack on the original FL system to which we refer as the Interleaved Decoding Attack in the following. We prove that interleaved decoding and the GOT attack fail (i.e., do not provide any information) for the same public keys. The idea is to decode in an interleaved Gabidulin code. Since , such a decoder will return with high probability, but fail in certain cases, see Section 2.3.
Since , the interleaved decoder fails if (compare Lemma 1):
[TABLE]
where
[TABLE]
3.3.3 Equivalence of GOT Attack and Interleaved Decoding Attack
In the following, we prove that the failure condition of the GOT Attack is equivalent to the condition that decoding in an interleaved Gabidulin code fails.
Theorem 3.3
The GOT Attack from [19] fails if and only if the Interleaved Decoding Attack fails. In particular, both fail if (4) holds.
Proof.
Rewrite the matrix from Theorem 3.2 as
[TABLE]
and the matrix from equation (5) as
[TABLE]
Since the matrix in (6) and in (7) only differ in row permutations, they are row-space equivalent, implying that they have the same rank. Further, the rank of the matrix in (7) cannot become larger than (since any vector in the right kernel of this matrix has rank weight at least [32, Algorithm 3.2.1]). Thus, the failures of Theorem 3.2 and Lemma 1 are equivalent. ∎
In the next section, we will exploit the observation of Theorem 3.3, i.e., we propose a new key generation algorithm that avoids public keys that can be efficiently decoded by an interleaved decoder, thereby rendering the GOT attack useless.
4 The New System LIGA
In this section, we propose a public-key code-based encryption scheme called LIGA. The system is based on the original FL system [14], where we keep both the original encryption and decryption algorithm, but replace the insecure key-generation algorithm. Further, we present a KEM-DEM version of LIGA denoted by .
Later, in Section 5, we will analyze the security of the system. We single out problems from coding theory and we prove that the encryption version is IND-CPA secure and the KEM-DEM version is IND-CCA2 secure under the assumption that the stated problems are hard. Furthermore, we study new and known attacks on these problems and show that they all run in exponential time (see Section 6).
4.1 The New Key Generation Algorithm
We introduce a new key generation algorithm that is based on choosing in a way that , where is the rank of the interleaved Moore matrix of the errors in the public key, see (5). Based on the dimension of the span of the , we will upper bound in the following Theorem 4.1. Recall that when , the GOT attack [19] and interleaved decoding of the public key fail, see Theorem 3.3. In this case, retrieving any knowledge about the private key from the public key requires solving Problem 1 (defined later), which basically corresponds to decoding the interleaved codeword when error patterns occur for which all known decoders fail.
Theorem 4.1
Let . Then
[TABLE]
Proof.
The dimension of implies that at most rows of are linearly independent over , meaning that . The definition of leads to
[TABLE]
where the last inequality holds since are vectors of length . ∎
We propose the following modification to Line 1 of the Key Generation, depending on the parameter :
Clearly, in this case. To avoid that the GOT attack [19] runs in polynomial time, Theorem 4.1 implies that the parameter must always be chosen such that . In Section 6, we will discuss several further exponential-time attacks on LIGA. Some of these attacks have a work factor depending on , which must be considered in the parameter design.
Furthermore, the condition ensures that , i.e., as large as possible for a given subspace . This choice maximizes the work factor of generic decoding attacks on the rows of the public key (seen as a received word of an interleaved Gabidulin code), see Section 6.
The restriction of the choice of to subspaces that contain a basis of full--rank codewords is to ensure that the set from which we sample in Line 3’ is non-empty. Hence, the key generation always works.
Compared to the choice of in Line 1 of the original Key Generation algorithm, we restrict the choice of , but we will see in Section 6 that there are still enough possibilities for to prevent an efficient naive brute-force attack.
Appendix 0.A contains a more detailed discussion on how to realize Lines and in practice.
4.2 The Public Key Encryption Version
The new key generation algorithm , the encryption algorithm and the decryption algorithm are shown in Algorithm 3, Algorithm 4 and Algorithm 5, respectively. Compared to the original key generation algorithm, the algorithm has one more input parameter (cf. Section 4.1).
The proposed system has no decryption failures as proven in the following theorem.
Theorem 4.2 (Correctness [14])
Algorithm 5 returns the correct plaintext .
Proof.
Line 5 computes
[TABLE]
whose last columns are given by
[TABLE]
where and . By decoding in , we thus obtain the vector
[TABLE]
Since the last positions of the plaintext are zero (i.e., for ), we get , where is a dual basis to . As we know and , we can compute the plaintext . ∎
Remark 1
Steps 1 to 3 of Algorithm 5 can be interpreted as an error-erasure decoder of a Gabidulin code. As this observation may have advantages, especially for implementations, we present this connection formally in Appendix 0.B.
A SageMath v8.8 [45] implementation of the public key encryption version of LIGA can be downloaded from https://bitbucket.org/julianrenner/liga_pke. The purpose of the source code is to clarify the shown algorithms but not to provide a secure and efficient implementation.
4.3 KEM/DEM Version and
In [21], generic transformations of IND-CPA secure public key encryptions into IND-CCA2 secure KEMs are proposed. In the following, we apply one of the transformations directly to to obtain . Later, in Section 5.2, we will prove that fulfills the requirements such that the applied transformation is secure.
Let , and be hash functions, where . In Algorithm 6 and Algorithm 7, we show the encapsulation and decapsulation algorithms of the KEM . The algorithm remains Algorithm 3.
4.4 Complexity
4.4.1 Asymptotically Fastest Methods
It is essential for a cryptosystem that key generation, encryption, and decryption can be implemented fast. The following results were not known when the original FL system was proposed, but have a major impact on its efficiency.
The complexity of key generation and encryption is dominated by the cost of encoding a Gabidulin code (Line 3 of Algorithm 3 and Line 4 of Algorithm 4). Note that since and have coefficients in the large field , this line can be realized as encoding messages over with the generator matrix and corrupting these codewords with an error (see also Section 3.2). The asymptotically fastest-known algorithms [34, 11, 35] for this require
- operations in or operations in in general (which of the two algorithms is fastest depends on the relation between and , as well as on the working basis of over that is used), and
- operations in if the entries of are a normal basis of ,
where is the matrix multiplication exponent and means that factors are neglected.
The bottleneck of decryption is (error-erasure) decoding of a Gabidulin code (Line 5 of Algorithm 5, see also Appendix 0.B below), where the asymptotically fastest algorithm costs
[TABLE]
[TABLE]
operations in (decoder in [34] with linearized-polynomial operations in [11]).
For small lengths , the algorithms from [38, 20, 42, 47], which have quadratic complexity over (or cubic complexity over ), might be faster than the mentioned algorithms due to smaller hidden constants in the -notation.
4.4.2 Timing Attacks
In some scenarios, resistance against timing attacks is required. Due to the fact that Step 4 of Algorithm 4 can be easily implemented in constant time, the proposed encryption algorithm does not reveal any information about secret knowledge through timing attacks. The same holds for the presented decryption algorithm since there exists an efficient constant-time decoding algorithm for Gabidulin codes [9] and all other steps of Algorithm 5 can be realized in constant time as well.
5 Difficult Problems & Semantic Security of LIGA
In this section, we introduce problems in the rank metric that are considered to be difficult. Furthermore, we prove that the public-key encryption version of LIGA is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that no probabilistic polynomial-time algorithm exists that solves them. A detailed complexity analysis of existing and new algorithms solving the stated problems is given in Section 6.
5.1 Difficult Problems in the Rank Metric
LIGA is based on several difficult problems which are stated in this section. Note that the search variants of the problems correspond exactly to retrieving information about the private key from the public key (not necessarily a valid private key as explained in the following) or the plaintext from the ciphertext. The decisional problems are equivalent to distinguishing the public key or the ciphertext from random vectors.
Definition 3 (ResIG-Distribution: Restricted Interleaved Gabidulin Code Distribution)
Input: .
Choose uniformly at random
- $\mathbf{G} \xleftarrow{\$} \{\mathbf{G} : \mathbf{G} \text{ is a generator matrix of a Gabidulin code } \mathcal{G}[n,k] \text{ over } \mathbb{F}_{q^m}\}$,
- $\mathbf{M} \xleftarrow{\$} \{\mathbf{X} \in \mathbb{F}_{q^m}^{u \times k} : \operatorname{rk}_{q^m}(\mathbf{X}_{[k-u,k]}) = u\}$,
- $\mathcal{A} \xleftarrow{\$} \{\text{subspace } \mathcal{U} \subseteq \mathbb{F}_{q^m}^{w} : \dim \mathcal{U} = \zeta,\ \mathcal{U} \text{ has a basis of full-rank elements}\}$,
- $\mathbf{E}' \xleftarrow{\$} \left\{ \begin{pmatrix} \mathbf{s}_1' \\ \vdots \\ \mathbf{s}_u' \end{pmatrix} \in \mathbb{F}_{q^m}^{u \times w} : \langle \mathbf{s}_1', \dots, \mathbf{s}_u' \rangle_{\mathbb{F}_{q^m}} = \mathcal{A},\ \operatorname{rk}_q(\mathbf{s}_i') = w\ \forall\, i \right\}$,
- $\mathbf{Q} \xleftarrow{\$} \{\mathbf{A} \in \mathbb{F}_q^{w \times n} : \operatorname{rk}_q(\mathbf{A}) = w\}$,
- $\mathbf{K} = \mathbf{M}\mathbf{G} + \mathbf{E}'\mathbf{Q}$.
Output: $(\mathbf{G}, \mathbf{K})$.
Problem 1 (ResIG-Search: Restricted interleaved Gabidulin Code Search Problem)
Input: from ResIG-Distribution with input (Definition 3).
Goal: Find and s.t. .
Problem 1 (ResIG-Search) is equivalent to decoding a codeword of a -interleaved Gabidulin code that is corrupted by an error (see also Section 6.1.2), and it is therefore the underlying problem of the structural attacks from Section 3.3.
Note however that not necessarily every solution of this problem can be used directly as a valid private key since some additional structure on is introduced in LIGA (i.e., Problem 1 is easier to solve than retrieving a valid private key of LIGA).
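As an added worked example (not the paper's code and not the SageMath implementation linked in Section 4.2), the following Python script makes the rank norm of Section 2.2, the Gabidulin generator matrix of Definition 1 and the ResIG distribution of Definition 3 concrete. It assumes a toy field GF(2^6) built from the irreducible polynomial x^6 + x + 1 and tiny parameters (n = 6, k = 3, u = 3, w = 3, ζ = 2); the exhaustive `min_rank_distance` check enumerates all 64^k codewords and is only feasible at this size. The rejection-sampling realisation of the rank-constrained sets and the form K = M G + E' Q of the public key (read off Theorem 3.1) are this example's own assumptions, standing in for the practical key generation the paper defers to Appendix 0.A.

```python
"""Toy rank-metric / Gabidulin arithmetic over GF(2^6) (q = 2, m = 6): checks Definition 1 and
the MRD property by exhaustion, then samples the ResIG distribution (Definition 3) to exhibit the
public-key structure K = M G + E' Q used in Theorems 3.1 and 4.1. Added example, not the paper's code."""
import itertools
import random
from functools import reduce
from operator import xor

M_EXT = 6             # m: extension degree, F_{q^m} = GF(2^6)
MODULUS = 0b1000011   # x^6 + x + 1, irreducible over GF(2) (toy choice, an assumption of this example)
ORDER = 1 << M_EXT    # q^m = 64; field elements are ints 0..63, bit i = coefficient of x^i

def gf_mul(a, b):
    """Multiply in GF(2^6) by shift-and-add, reducing modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a & ORDER:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    """Square-and-multiply; a^(q^m - 2) is a^-1 and a^(2^i) is the Frobenius a^(q^i)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def rank_q(vec):
    """F_q-rank of a vector over F_{q^m} (Section 2.2): F_2-dimension spanned by its entries."""
    pivots = {}                      # leading bit -> echelon row over F_2
    for x in vec:
        while x:
            top = x.bit_length() - 1
            if top not in pivots:
                pivots[top] = x
                break
            x ^= pivots[top]
    return len(pivots)

def rank_qm(mat):
    """Rank over F_{q^m}: Gaussian elimination using field inverses."""
    rows, rank = [list(r) for r in mat], 0
    for c in range(len(rows[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = gf_pow(rows[rank][c], ORDER - 2)
        rows[rank] = [gf_mul(inv, x) for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][c]:
                f = rows[r][c]
                rows[r] = [x ^ gf_mul(f, y) for x, y in zip(rows[r], rows[rank])]
        rank += 1
    return rank

def mat_mul(a, b):
    """Matrix product over F_{q^m}; addition in characteristic 2 is XOR."""
    return [[reduce(xor, (gf_mul(x, y) for x, y in zip(row, col)), 0) for col in zip(*b)] for row in a]

def moore_matrix(g, k):
    """Generator matrix of Gab[n, k] (Definition 1): row i holds g_j^(q^i), and q^i = 2^i here."""
    return [[gf_pow(gj, 1 << i) for gj in g] for i in range(k)]

def min_rank_distance(gen):
    """Minimum rank weight over all nonzero codewords (= minimum rank distance of a linear code)."""
    return min(rank_q(mat_mul([list(msg)], gen)[0])
               for msg in itertools.product(range(ORDER), repeat=len(gen)) if any(msg))

def sample_until(make, ok):
    """Rejection sampling: redraw with make() until ok() accepts the draw."""
    while True:
        v = make()
        if ok(v):
            return v

def sample_resig(n, k, u, w, zeta, seed=0):
    """One draw from the ResIG distribution (Definition 3), keeping M, E', Q for inspection.
    Rank-constrained sets are sampled by rejection (toy stand-in for the paper's Appendix 0.A)."""
    rng = random.Random(seed)
    vec = lambda length: [rng.randrange(ORDER) for _ in range(length)]
    g = sample_until(lambda: vec(n), lambda v: rank_q(v) == n)                       # g F_q-independent
    M = sample_until(lambda: [vec(k) for _ in range(u)],
                     lambda m: rank_qm([row[k - u:] for row in m]) == u)              # last u columns of rank u
    A = sample_until(lambda: [vec(w) for _ in range(zeta)],
                     lambda a: rank_qm(a) == zeta and all(rank_q(x) == w for x in a)) # full-rank basis of A
    E = sample_until(lambda: [mat_mul([vec(zeta)], A)[0] for _ in range(u)],
                     lambda e: rank_qm(e) == zeta and all(rank_q(x) == w for x in e)) # rows span A, full rank
    Q = sample_until(lambda: [[rng.randrange(2) for _ in range(n)] for _ in range(w)],
                     lambda q: rank_q([sum(b << j for j, b in enumerate(r)) for r in q]) == w)
    G = moore_matrix(g, k)
    err = mat_mul(E, Q)                                                               # 0/1 entries: over F_q
    K = [[x ^ y for x, y in zip(r1, r2)] for r1, r2 in zip(mat_mul(M, G), err)]
    return {"G": G, "M": M, "E": E, "Q": Q, "K": K}

def public_key_structure(s):
    """(max F_q-rank of a row of E'Q, F_{q^m}-rank of E'Q): each row of K is a Gabidulin codeword
    plus an error of F_q-rank w, while the error block only spans dim(A) = zeta dimensions over F_{q^m}."""
    err = mat_mul(s["E"], s["Q"])
    return max(rank_q(e) for e in err), rank_qm(err)
```

`min_rank_distance(moore_matrix([1, 2, 4, 8], 2))` returns n - k + 1 = 3, the MRD value stated after Definition 1, and `public_key_structure(sample_resig(6, 3, 3, 3, 2, seed=7))` returns (w, ζ) = (3, 2). That pair is the structure the paper works with: row by row the public key looks like a Gabidulin codeword disturbed by a rank-w error, but the u error rows together span only a ζ-dimensional F_{q^m}-space, which is the quantity Theorem 4.1 uses to bound the rank of the interleaved Moore matrix on which the GOT attack and interleaved decoding depend.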
Problem 2 (ResIG-Dec: Restricted Interleaved Gabidulin Code Decisional Problem)
Input: .
Goal: Decide with non-negligible advantage whether came from ResIG-Distribution with input (Definition 3) or the uniform distribution over .
To solve ResIG-Dec (Problem 2), we do not know a better approach than trying to solve the associated search problem (i.e., ResIG-Search), which is usually done for all decoding-based problems.
Definition 4 (ResErr-Distribution: Restricted Error Distribution)
Input: $q, m, n, k, w, t_{\mathsf{pub}}, u, \boldsymbol{\gamma}, (\mathbf{G}, \mathbf{K})$ from ResIG-Distribution (Definition 3).
Choose uniformly at random
- $\mathbf{e} \xleftarrow{\$} \{\mathbf{x} \in \mathbb{F}_{q^m}^{n} : \operatorname{rk}_q(\mathbf{x}) = t_{\mathsf{pub}}\}$,
- $\alpha \xleftarrow{\$} \mathbb{F}_{q^{mu}}$.
Output: .
Problem 3 (ResG-Search: Restricted Gabidulin Code Search Problem)
Input: $q, m, n, k, w, t_{\mathsf{pub}}, u, \boldsymbol{\gamma}, (\mathbf{G}, \mathbf{K})$ from ResIG-Distribution (Definition 3), from ResErr-Distribution (Definition 4) with input .
Goal: Find and such that .
Problem 3 is equivalent to decoding a codeword of a Gabidulin code that is corrupted by an error that has with high probability a rank weight of , see Appendix 0.C.
Problem 4 (ResG-Dec: Restricted Gabidulin Code Decisional Problem)
Input: $q, m, n, k, w, t_{\mathsf{pub}}, u, \boldsymbol{\gamma}, (\mathbf{G}, \mathbf{K})$ from ResIG-Distribution (Definition 3), .
Goal: Decide with non-negligible advantage whether came from ResErr-Distribution with input $q, m, n, k, w, t_{\mathsf{pub}}, u, \boldsymbol{\gamma}, (\mathbf{G}, \mathbf{K})$ or the uniform distribution over .
As before, we are not aware of a faster approach to solve ResG-Dec than through the solution of the associated search problem.
We will see in the next subsection that LIGA is IND-CCA2 secure under the assumption that ResG-Dec is a hard problem. As mentioned above, there is an obvious reduction of ResG-Dec to ResG-Search, which can again be efficiently reduced to ResIG-Search. In fact, all relevant attacks studied in Section 6 make use of this chain of reduction and aim at solving one of the two search problems.
We are not aware of a reduction of ResIG-Dec to ResIG-Search or one of the other problems. Hence, it might very well be that ResIG-Dec is significantly easier than the other problems. In Section 6.3, we show that there is a distinguisher for ResIG-Dec that is efficiently computable if the system parameter is chosen too small. Due to the missing reduction, it is not clear whether or not this distinguisher influences the security of the system.
5.2 Semantic Security
In this section, we prove that the public key encryption system is semantically secure against chosen plaintext attacks in the standard model under the assumption that ResG-Dec (Problem 4) is difficult. In addition, we show that the IND-CCA2 security of reduces tightly to the IND-CPA security of in the random oracle model.
5.2.1 IND-CPA Security of
To show that is secure against chosen plaintext attacks, we use the definition of admissibility as in [31].
Definition 5 (Admissibility [31])
The public key encryption scheme with a message space and a random space is called admissible if there is a pair of deterministic polynomial-time algorithms and satisfying the following property:
- •
Partible: takes as input a public key and , and outputs a bit-string, where is the security parameter. takes as input a key , and and outputs a bit-string. Here is some polynomial in the security parameter . Then for any given by , , and , .
- •
Pseudorandomness: Let be a probabilistic algorithm and let
[TABLE]
We define the advantage function of the problem as follows. For any ,
[TABLE]
where the maximum is taken over all with time-complexity . Then, the function is negligible for every polynomial bounded and every sufficiently large .
In the following, we prove that is IND-CPA secure by showing that fulfills Definition 5 (admissibility).
Theorem 5.1
The system is an IND-CPA secure encryption scheme in the standard model under the assumption that the ResG-Dec problem is difficult.
Proof.
Let and . Then, one observes that and thus is partible. Since ResG-Dec (Problem 4) is assumed to be difficult, the encryption scheme fulfills pseudorandomness and thus the system is admissible. As proven in [31, Lemma 1], if fulfills Definition 5, then it is an IND-CPA secure encryption scheme. ∎
5.2.2 IND-CCA2 Security of
We use the transformation proposed in [21] to turn the public key encryption scheme into the KEM . In the following, we prove that is IND-CCA2 secure.
The applied transformation requires that the encryption scheme is -spread, which we prove for in the following.
Definition 6 (-spread, [15, 21])
For valid , the min-entropy of
is defined by
[TABLE]
where is the set of possible ciphertexts. A public key encryption scheme is called -spread if for every valid key pair and every message , . It follows that for all ,
[TABLE]
Lemma 2
The public key encryption system is -spread, where .
Proof.
We observe that
[TABLE]
where is the set of all vectors in rank distance from and (i) follows from the fact that there are at most choices for . In [17, Section IV.B], a constructive way of obtaining rank- matrices is given. More precisely, an injective mapping is given. Hence, we have . It follows that
[TABLE]
∎
Theorem 5.2
The KEM-DEM is IND-CCA2 secure in the random oracle model under the assumption that the ResG-Dec problem is difficult.
Proof.
Assuming that ResG-Dec is difficult, the encryption scheme is IND-CPA secure, see Theorem 5.1. Further, Lemma 2 shows that has -spread encryptions. Thus, as shown in [21], the IND-CCA2 security of reduces tightly to the IND-CPA security of in the random oracle model. ∎
6 Security Analysis of LIGA
In this section, we analyze the security of LIGA. As proven in Theorem 5.1 and 5.2, the encryption version is IND-CPA secure and the KEM version is IND-CCA2 secure under the assumption that ResG-Dec is difficult. Since there are obvious reductions from ResG-Dec to ResG-Search and from ResG-Dec to ResIG-Search, we will study the hardness of these two search problems in this section (Section 6.1 for ResIG-Search and Section 6.2 for ResG-Search). In fact, we are not aware of a more efficient method to solve ResG-Dec than through these two search problems.
Although no formal reduction from any of the other three studied problems to ResIG-Dec is known, we also study the hardness of ResIG-Dec (Section 6.3). We derive a distinguisher for the public key whose complexity is exponential in the system parameters, so it can be avoided by a proper parameter choice.
Because the encryption is randomized, there are public keys for which, with non-negligible probability (i.e., ), the work factor of some ciphertext attack on ResG-Search falls below the designed minimal work factor. We show in Section 6.4 that such weak keys occur only with negligible probability (i.e., ) in the random key generation if the parameters are chosen suitably.
6.1 Exponential-Time Attacks on ResIG-Search
We propose new and summarize known methods that solve ResIG-Search (Problem 1). All studied algorithms have exponential complexity in the code parameters.
Recall that in the decryption algorithm of LIGA, the last positions of the private key have to be a basis of over . Therefore, not every solution of Problem 1 (ResIG-Search) can be used as a valid private key, and Problem 1 is a strictly easier problem than retrieving a valid private key corresponding to a given public key.
6.1.1 Brute-Force the Vector Attack
The number of vectors that fulfill the conditions stated in Section 4.1 is equal to the number of possible vectors times the number of full-rank matrices in in reduced row echelon form. Formally, the number of vectors is
[TABLE]
Thus, brute-forcing a vector that is a solution to ResIG-Search has work factor
[TABLE]
where the latter inequality follows from a lower bound on -binomials (see [22, Lemma 4]), and
[TABLE]
is the average number of interleaved codewords in a ball of radius around a uniformly at random chosen interleaved received word.
6.1.2 Interleaved Decoding Attack
As described in Section 3.3, an attacker can apply an interleaved decoder on to retrieve an alternative private key. A major ingredient of LIGA is that the public key is chosen in a way that this decoding will always fail (i.e., the corresponding linear system of equations does not have a unique solution). However, it is still possible to brute-force search in the solution space of the involved system of equations. This is analyzed in the following. Notice thereby that any interleaved codeword in radius at most is a solution to ResIG-Search.
Problem 1 (ResIG-Search) is equivalent to decoding a codeword of a -interleaved Gabidulin code that is corrupted by an error . The error fulfills
[TABLE]
and thus, no known algorithm is able to correct it efficiently.
The crucial point of the interleaved decoding algorithms from [25, 41] is solving a linear system of equations based on the syndromes with unknowns and linearly independent equations which is equivalent to finding the kernel of the matrix in (5), cf. [47, Section 4.1]. For , the dimension of the solution space is one and all solutions are valid for the remaining decoding steps. For , the dimension of the solution space is but each valid solution forms only a one-dimensional subspace. An attacker can therefore search in the solution space for a valid solution which requires on average
[TABLE]
trials, where is the average number of interleaved codewords, see (9).
The size of the solution space is and clearly maximized for the smallest-possible value of , i.e., . In this case, the search through the solution space has work factor
[TABLE]
Since the size of the solution space is maximal for , the repair from Section 4.1 with the explicit parameter value (i.e., $\dim\big(\langle\mathbf{z}_1,\dots,\mathbf{z}_u\rangle_{\mathbb{F}_{q^m}}\big)=1$) is the most secure choice in this sense. However, we keep the choice of flexible, as the pairwise linear dependence of the might decrease the security (we are, however, not aware of how this fact could be exploited).
Besides the syndrome-based interleaved decoding algorithms in [25], [41], and [47, p. 64], there is an interpolation-based decoding algorithm [47, Section 4.3 (page 72)]. This interpolation-based algorithm can be interpreted both as a list decoder of interleaved Gabidulin codes with exponential worst-case and average list size or as a probabilistic unique decoder. The probabilistic unique interpolation-based decoder fails if and only if the decoding algorithms in [25], [41], [47, p. 64] fail and therefore the previous analysis applies here as well. For the list decoder, cf. [47, Lemma 4.5], the work factor of the resulting attack is
[TABLE]
Notice that the list of size contains many words which are no valid codewords, but we have to go through the whole list to find all valid codewords in radius up to .
6.1.3 List Decoding of the Public Key Attack
Recall that . Previously, we have explained why this vector is a corrupted version of a codeword of a -interleaved Gabidulin code. At the same time, can be seen as a short Gabidulin code over a large field and therefore, if existing, one could apply list decoding algorithms to decode and obtain . The weight of the error is larger than the unique decoding radius and therefore a unique decoder cannot be applied to reconstruct and a list decoder for radius is required.
However, such an algorithm has not been found yet. It was even shown in [46, 36, 44] that for most classes of Gabidulin codes such a polynomial-time list decoding algorithm cannot exist. Note that these results were not known when the original FL cryptosystem was proposed. These results also imply that there is no polynomial-time list decoding algorithm for arbitrary Gabidulin codes beyond the unique decoding radius (such as the Guruswami–Sudan algorithm for Reed–Solomon codes).
6.1.4 Randomized Gabidulin Decoding Attack on the Public Key
The public key can be seen as the sum of a Gabidulin codeword over the field and an error of weight . Alternatively, as shown in Section 3.2, the public key can be seen as an interleaved Gabidulin codeword that is corrupted by an error of weight (note that this is the reason why all the ’s must have full -rank in Algorithm 3). Each row of (3) is a codeword of a Gabidulin code over that is corrupted by an error of rank weight . Both the corrupted Gabidulin codeword over as well as over can be decoded using the randomized decoding approach proposed in [37]. Since applying the attack on each row of the unfolded public key is more efficient, we conclude that the randomized Gabidulin decoding attack on the public key has an average complexity of
[TABLE]
over .
6.1.5 Moving to Another Close Error Attack
The following attack was suggested by Rosenkilde [39]. It tries to move the vector (which we have chosen such that the interleaved decoder fails) to a close vector of the same or smaller rank weight for which the interleaved decoder for does not fail.
The idea is to find a vector such that still has rank weight and such that the rank of the matrix from (5) over is at least . To guarantee the first condition, we construct such that its extended matrix over has a row space $\mathcal{R} := \mathrm{RowSpace}_{\mathbb{F}_q}\big(\operatorname{ext}_{\boldsymbol{\gamma}}(\mathbf{y})\big)$ contained in that of . Since for the original error , the matrix (5) has rank , must have -dimension at least . By choosing a random with this property and taking a random matrix whose extended matrix has -row space $\mathrm{RowSpace}_{\mathbb{F}_q}\big(\operatorname{ext}_{\boldsymbol{\gamma}}(\mathbf{y})\big)=\mathcal{R}$, the second condition is fulfilled with high probability.
The complexity of the attack is hence dominated by the complexity of finding a subspace of dimension that is contained in the -dimensional -row space of . Since this is unknown, we can find it in a Las-Vegas fashion by repeatedly drawing a subspace uniformly at random. The expected number of iterations until we find a suitable row space is thus one over the probability that a random -dimensional subspace of is contained in a given -dimensional subspace, which is (cf. [13, Proof of Lemma 7]):
[TABLE]
Hence, the attack has work factor
[TABLE]
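The counting behind both the brute-force work factor of Section 6.1.1 (the number of full-rank matrices in reduced row echelon form, i.e. a Gaussian binomial) and the Las Vegas success probability of Section 6.1.5 can be checked numerically. The following Python is an added example and not code from the paper: the dimension names d (the subspace drawn at random), w (the fixed subspace it must land in) and n (the ambient dimension) are my labels, since the page's own symbols are not visible here, and the parameter values in the demo are constructed, not the paper's. The exhaustive enumeration over F_2 is included to confirm the closed forms on a tiny instance.

```python
from fractions import Fraction
from itertools import product
from math import log2


def q_binomial(n, k, q):
    """Gaussian binomial [n choose k]_q: the number of k-dimensional
    F_q-subspaces of F_q^n, equivalently the number of k x n full-rank
    matrices over F_q in reduced row echelon form."""
    if k < 0 or k > n:
        return 0
    num = den = 1
    for i in range(k):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den  # the division is always exact


def q_binomial_bounds(n, k, q):
    """Standard sandwich q^{k(n-k)} <= [n choose k]_q <= 4 q^{k(n-k)} for q >= 2;
    a lower bound of this kind is what turns the count into a work factor."""
    lo = q ** (k * (n - k))
    return lo, 4 * lo


def prob_contained(n, d, w, q):
    """Probability that a uniformly random d-dimensional subspace of F_q^n lies
    inside a fixed w-dimensional subspace: [w choose d]_q of the [n choose d]_q
    candidates are contained in it."""
    return Fraction(q_binomial(w, d, q), q_binomial(n, d, q))


def las_vegas_trials_log2(n, d, w, q):
    """log2 of the expected number of draws until the random subspace is
    contained in the fixed one (the dominant term of the attack's work factor)."""
    p = prob_contained(n, d, w, q)
    return log2(p.denominator) - log2(p.numerator)


def count_subspaces_f2(n, k, t):
    """Brute force over F_2: enumerate every k-dimensional subspace of F_2^n
    (vectors are n-bit integers) and count how many lie in <e_1, ..., e_t>.
    Only feasible for tiny n and k; it cross-checks the closed forms above."""
    seen = set()
    inside = 0
    outside_mask = ((1 << n) - 1) ^ ((1 << t) - 1)  # coordinates t+1 .. n
    for gens in product(range(1 << n), repeat=k):
        span = {0}
        for g in gens:
            span |= {s ^ g for s in span}
        if len(span) != 1 << k:      # generators were linearly dependent
            continue
        key = frozenset(span)
        if key in seen:              # same subspace, different generators
            continue
        seen.add(key)
        if all(v & outside_mask == 0 for v in span):
            inside += 1
    return len(seen), inside


if __name__ == "__main__":
    # Tiny instance: F_2^5, random 2-dim subspace, fixed 3-dim subspace.
    total, inside = count_subspaces_f2(5, 2, 3)
    print(total, q_binomial(5, 2, 2), inside, q_binomial(3, 2, 2))
    print(prob_contained(5, 2, 3, 2))
    # Constructed illustration (not the paper's parameters): q = 2, ambient
    # dimension 64, fixed subspace of dimension 40, required dimension 31.
    print(round(las_vegas_trials_log2(64, 31, 40, 2), 1), "bits")
```

Because the bounds pin each Gaussian binomial to within a factor of 4, the work factor of the search is determined up to two bits by the exponent alone; for the constructed parameters above it is about 31·(64−31) − 31·(40−31) = 744 bits.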
6.2 Exponential-Time Attacks on ResG-Search
Retrieving information about the plaintext from the ciphertext and the public key is equivalent to solving ResG-Search (Problem 3). In this section, we summarize methods that solve this problem.
6.2.1 Randomized Gabidulin Decoding Attack on the Ciphertext
Each ciphertext of LIGA can be seen as a Gabidulin codeword over plus an error:
[TABLE]
Denote . Then we can use the decoding algorithm proposed in [37], which requires on average at least
[TABLE]
operations in .
Clearly, the complexity of the algorithm strongly depends on the value , which in turn depends on the generated keys. In general, , but for some choices of , , and , the rank is smaller. For this issue, see Section 6.4 and Appendix 0.C, where we study the probability that is small, both for randomness in the encryption (random choice of and ) and the key generation (random choice of ). Some extremely rarely occurring keys (weak keys) thereby result in relatively high probabilities that is small.
However, we can choose the system parameters such that both the probability of a weak key and the conditional probability that given a non-weak key are below . Hence, with overwhelming probability, a random key and ciphertext result in a ciphertext error of rank weight , and the work factor of this attack is then at least as large as that of the “Randomized Gabidulin Decoding Attack on the Public Key” in Section 6.1.
6.2.2 List Decoding of the Ciphertext Attack
As described in the randomized Gabidulin decoding attack on the ciphertext above, the ciphertext of LIGA is a codeword of a Gabidulin code corrupted by an error of rank weight . Hence, an attacker can try to decode the ciphertext directly. Since is always larger than the unique decoding radius of the Gabidulin code, this would require an efficient (list) decoding algorithm up to radius . As explained previously, no such algorithm is known, and bounds on the list size show that there cannot exist a generic polynomial-time list decoding algorithm for all Gabidulin codes, which indicates that list decoding is a hard problem.
However, to be on the safe side, we have taken list decoding into account when determining the security level of our system as follows. The list size $\mathcal{L}_{\mathbf{c},\mathrm{worst}}$ denotes a lower bound on the worst-case work factor of list decoding. For example, for a Gabidulin code with parameters and , there is a received word such that there are at least
[TABLE]
codewords in rank distance at most to it.
Although $\mathcal{L}_{\mathbf{c},\mathrm{worst}}$ does not imply any statement about the average list size or the average work factor, it provides an estimate of the order of magnitude of the work factor of a hypothetical list decoding attack. For the parameter sets proposed in Section 7, we have ensured that $\mathcal{L}_{\mathbf{c},\mathrm{worst}}$ is sufficiently large.
6.2.3 Combinatorial Rank Syndrome Decoding (RSD) Attack
The ciphertext can be interpreted as a codeword from a code of dimension (see [14]), generated by the generator matrix
[TABLE]
Since no structure of this code is known that could be exploited for decoding, it has to be decoded like a random rank-metric code, e.g., with the combinatorial syndrome decoding attack from [4], whose complexity is in the order of
[TABLE]
6.2.4 Algebraic RSD Attack
As described in the previous section, ResG-Search can be solved by decoding an error of rank weight in a random code. Besides the combinatorial approach, there exist algebraic algorithms to solve this problem.
In [6], the RSD problem is expressed as a multivariate polynomial system that is solved by computing a Gröbner basis. The complexity of that attack is generally smaller than that of the combinatorial approach. If the system has a unique solution, the work factor of the algorithm is
[TABLE]
where is the linear algebra constant.
Very recently, a new algebraic algorithm was proposed to solve the RSD problem [7]. It divides the RSD problem instances into two categories. If
[TABLE]
we are in the overdetermined case and the proposed algorithm has work factor
[TABLE]
in , where . Otherwise, we are in the underdetermined case in which the algorithm has work factor
[TABLE]
We have
[TABLE]
with . Further, for and ,
[TABLE]
where , and
[TABLE]
We denote the minimum of the work factors of the two algorithms as the work factor of the algebraic RSD attack, i.e.,
[TABLE]
Note that for the algebraic attacks, it is neither known how to improve the complexity by exploiting the existence of multiple solutions, nor is it known how to speed up the algorithms with a quantum computer.
6.2.5 Linearization Attack
In [14], a message attack was proposed which succeeds for some parameters with high probability in polynomial time.
Lemma 3 (Linearization Attack [14])
Let for and
[TABLE]
Then, the encrypted message can be efficiently recovered if the left kernel of has dimension .
If , then has at least two more rows than columns and we have . If is random and , the attack is efficient with high probability [14].
Lemma 4
Let be as in (13). Then,
[TABLE]
Proof.
We can write
[TABLE]
so by elementary row operations, we can transform into
[TABLE]
Due to , the matrix is a sub-matrix of , so
[TABLE]
Further, since the number of columns of is equal to ,
[TABLE]
∎
The linearization attack is inefficient if the rank of is smaller than its number of rows, which implies the following, stronger version of the original statement in [14].
Theorem 6.1
If or , the linearization attack in [14] is inefficient and its work factor is
[TABLE]
The first condition in Theorem 6.1 is again fulfilled by the choice of in Table 1. The second one reads , and for any valid , there are choices of such that fulfills this inequality for any .
6.2.6 Algebraic Attacks
Faure and Loidreau [14] also described two message attacks of exponential worst-case complexity. The first one is based on computing gcds of polynomials of degrees and has a work factor
[TABLE]
Since computing the gcd of two polynomials can be implemented in quasi-linear time in the polynomials’ degree, (14) gives an estimate on the work factor of this attack. The second algebraic attack is based on finding Gröbner bases of a system of many polynomials of degree approximately . The attack is only efficient for small code parameters, cf. [14, Sec. 5.3]. Since the average-case complexity of Gröbner bases algorithms is hard to estimate, we cannot directly relate and to the attack’s work factor. Faure and Loidreau choose the code parameters such that and and claim that the attack is inefficient for these values. Our example parameters in Section 7 result in at least these values.
6.2.7 Overbeck-like Attack
The key attack described in [26, Ch. 7, Sec. 2.1] is based on the same principle as Overbeck's attack [33] on the McEliece cryptosystem based on Gabidulin codes. The attack from [26, Ch. 7, Sec. 2.1] cannot be applied if
[TABLE]
6.2.8 Brute-Force Attack on the Element
An attacker can brute-force , which has a complexity of
[TABLE]
Knowing , the attacker only needs to apply an efficient decoding algorithm to to retrieve the secret message.
6.3 Exponential-Time Attacks on ResIG-Dec
We have seen in Section 5 that LIGA is IND-CCA2 secure under the assumption that ResG-Dec is a hard problem. The two previous subsections analyzed all known attacks on the ResG-Search and ResIG-Search problems, which are relevant since there is an obvious reduction of ResG-Dec to these search problems.
In the following, we study Problem ResIG-Dec (which translates to distinguishing the public key from a random vector in ), which is different in the sense that we do not know an efficient reduction from ResG-Dec (or one of the search problems) to ResIG-Dec. In other words, even if distinguishing the public key is easy, it might still be hard to distinguish the ciphertext. Nevertheless, we study the hardness of ResIG-Dec in the following and present a distinguisher, which is efficient to compute if is chosen small. The distinguisher is as follows.
Recall the choice of in Algorithm 3. We have
[TABLE]
Expand into a matrix over and choose any rows. As the -expansion of the error has -rank , there are at least many non-trivial -linear combinations of these rows that are codewords of . This is not true with high probability for a random matrix over .
Thus, by repeatedly randomly linearly combining these rows and checking whether the result is a codeword of , we obtain a Monte-Carlo algorithm with an expected work factor of
[TABLE]
neglecting the cost of checking whether a vector in is a codeword. Hence, if is smaller than the security parameter of the system, this distinguisher is feasible to compute.
6.4 Avoiding Weak Keys
As already discussed in Section 6.2, the work factors of the “Randomized Gabidulin Decoding Attack on the Ciphertext” and the “List Decoding of the Ciphertext Attack” depend on the rank of the error part of the ciphertext (seen as codeword plus error). Generically, this error has weight , but due to the trace operation and the addition, the rank might be smaller.
In Appendix 0.C, we will analyze the probability that for a given key (i.e., in this case) and a random encryption (random choices of and ) the rank is significantly smaller than expected (we use as a threshold, see Section 6.2). Briefly summarized, we get the following results.
It turns out that this probability heavily depends on the minimum distance of the code used to generate in Algorithm 3. The smaller this minimum distance, the larger the probability that the rank is low. More precisely, for a given of minimum distance
[TABLE]
cf. Theorem 0.C.2 in Appendix 0.C.
Due to the above discussion, we call a key with a weak key. In Appendix 0.C, we derive an upper bound on the probability of choosing a weak key (i.e., an of too small minimum distance) in Algorithm 3. For , this bound is roughly
[TABLE]
cf. Remark 2 (see Theorem 0.C.2 for a non-asymptotic bound) in Appendix 0.C, where is the smallest minimum distance for which the key is not weak.
It can be seen that the parameters of LIGA can be chosen such that there is a with such that both (for any non-weak key) and are smaller than . This is the case for all parameters proposed in Table 1.
6.5 Summary of the Work Factors
In this section, we recall the conditions on the choice of the parameters such that all known attacks are inefficient and summarize their work factors. Furthermore, we give specific parameters and compare LIGA to other code-based cryptosystems.
In the following, we choose the parameters , , , , , , and as in Table 1. Recall that this choice of prevents the Overbeck-like attack (Section 6.2.7) and results in an exponential work factor of the linearization attack (Section 6.2.5).
Furthermore, we choose to be small such that the work factor of searching the exponentially-large output of the interleaved decoding attack (Section 6.1.2) is large. Note that the latter attack returns an exponentially-large output if and only if the GOT [19] attack fails, cf. Theorem 3.3.
The resulting considered work factors are summarized in Table 2. In addition to these work factors, we have considered the following requirements:
- •
The work factor of the second algebraic attack in [14] (cf. Section 6.2.6) is unknown. Hence, we choose the code parameters such that the resulting non-linear system of equations occurring in the attack consists of more than many polynomials of degree at least . This is the same choice as in [14].
- •
Since there is no efficient list decoder for Gabidulin codes, the work factor of list decoding the public key or the ciphertext (Sections 6.1.3 and 6.2.2) is not known. However, we do have a lower bound on the worst-case work factor for some codes, given by the maximal list size $\mathcal{L}_{\mathbf{c},\mathrm{worst}}$ in (12). In all examples for which the bound holds, we chose the parameters such that $\log_2(\mathcal{L}_{\mathbf{c},\mathrm{worst}})$ is much larger than the claimed security level.
- •
The probability of generating a weak key should be negligible. Thus, we choose the parameters such that and
[TABLE]
where is the security parameter and
[TABLE]
7 Parameters and Key Sizes
We propose parameters for security levels of bit, bit and bit in Table 3, where denotes the rate. The parameters are chosen in a way that we can send at least bit of information and thus the system can be used as a KEM. Further, we use a security margin of at least bit. For all parameters, the algebraic attack based on computing gcds of polynomials is the most efficient attack.
To evaluate the performance of LIGA, we compare it to the IND-CCA-secure version [40] of Loidreau’s system [27] and the NIST proposals RQC [2], ROLLO [1], BIKE [3] and Classic McEliece [8]. We show the sizes of the private key , the public key and the ciphertext in Byte in Table 4.
8 Conclusion
In this paper, we presented a new rank-metric code-based cryptosystem: LIGA. LIGA uses a new coding-theoretic interpretation of the Faure–Loidreau system. We showed that the ciphertext is a corrupted codeword of a Gabidulin code, where to an unauthorized receiver, the error weight is too large to be correctable. The authorized user knows the row space of a part of the error and is thus able to correct the error. Further, we derived that a part of the public key can be seen as a corrupted codeword of an interleaved Gabidulin code and that in the original FL system, an interleaved Gabidulin decoder can efficiently recover the private key from this part of the public key with high probability. We proved that the condition that interleaved Gabidulin decoders fail is equal to the condition that the severe attack by Gaborit, Otmani and Talé Kalachi fails.
Based on the latter observation, we chose LIGA’s key generation algorithm such that interleaved Gabidulin decoders fail which in turn implies that the attack by Gaborit et al. fails.
We proposed two versions of LIGA and proved that the public key encryption is IND-CPA secure and the KEM is IND-CCA2 secure under the assumption that the ResG-Dec problem is hard. We extensively analyzed the security of this decisional problem by studying attacks on the ResG-Search, ResIG-Search, and ResIG-Dec (recall that there is a reduction of ResG-Dec to each of the two search problems). All studied attacks have an exponential work factor in the proposed parameter ranges and can be avoided by parameter choice.
Finally, we presented parameters for security levels of , and bit and compared them to the NIST proposals RQC, ROLLO, BIKE, Classic McEliece and a rank-metric McEliece-like system proposed by Loidreau. It was observed that LIGA has small ciphertext sizes as well as relatively small key sizes. Encryption and decryption correspond to encoding and decoding of Gabidulin codes, for which efficient and constant-time algorithms exist. Further, the proposed system has no decryption failures and is not based on hiding the structure of a code. Hence, LIGA should be considered as an alternative with small ciphertext and key sizes.
Acknowledgment
The work of J. Renner and A. Wachter-Zeh was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement no. 801434).
S. Puchinger received funding from the European Union’s Horizon 2020 research and innovation program under the Marie Sklodowska-Curie grant agreement no. 713683.
We would like to thank Johan Rosenkilde for proposing the “moving to a close error” attack. Also, we are thankful to Michael Schelling for his observation that decryption of the FL system can be seen as error-erasure decoding. Further, we thank Pierre Loidreau for his valuable comments on a previous version of this paper. We are also grateful to Alessandro Neri for fruitful discussions that helped to achieve the results in Appendix 0.C.
Appendix 0.A Practical Considerations on the Key Generation
We discuss practical aspects related to the following lines of the modified key generation algorithm (Algorithm 3).
We conjecture that the set from which is sampled is almost the entire set of -dimensional subspaces of (or, equivalently, of linear codes). Using a combinatorial argument on the known number of full-rank codewords of MRD codes, we prove in Lemma 8 (Appendix 0.C) that MRD codes always have a basis consisting of full-rank codewords. Since the weight enumerator is not known in general for non-MRD codes, we cannot give a proof, but we expect that most codes that are close to MRD (i.e., is close to ) also have such a basis. The conjecture is then implied by the fact that (close-to) MRD codes constitute the majority of linear codes [30, 10] for the parameters considered here.
Since it is hard to check if a randomly drawn code admits a basis of full--rank codewords in the worst case, these arguments also imply a practical method on how to implement Lines and in practice: sample uniformly at random from the set of codes. With overwhelming probability, the code is close to MRD and a large proportion of its codewords have full -rank. Randomly choosing codewords will thus give a generating set consisting of full-rank codewords with high probability. Only if no basis is found after a given number of trials, one needs to formally check if the code does not admit a generating set of full--rank codewords. This gives a Las-Vegas-type algorithm with (supposedly) small expected running time.
The worst case of this algorithm (i.e., no suitable generating set is found after the given number of trials) occurs with extremely small probability: provably, it is close to the probability of drawing a non-MRD code at random, and it might be even smaller in reality, since “near-MRD” codes may also have suitable bases. Nevertheless, the worst-case complexity is still quite large. Alternatively, one can draw a new code if no generating set is found after a given number of trials. This, however, slightly changes the random experiment from which the code is drawn. The only part of this paper influenced by such a modification is Section 6.4, a summary of Appendix 0.C, which studies weak keys (i.e., keys for which there is a non-negligible probability that the error part of the ciphertext has too low a rank and is vulnerable to a feasible ciphertext attack). A key is weak only if the minimum distance of is small. By parameter choice, the probability that such a key is generated can be made arbitrarily small (cf. Appendix 0.C). By the same arguments as above, we conjecture that if the probability of obtaining a generating set of full--rank codewords by drawing codewords uniformly at random is small, then the minimum distance of the code must also be small (i.e., the code is far from MRD). In summary, we expect (but cannot prove) that this change of the drawing procedure results in an even smaller weak-key probability than predicted by Theorem 0.C.2 (Appendix 0.C).
Appendix 0.B Decryption as Error-Erasure Decoding
In the following, we give a coding-theoretic interpretation of the ciphertext of the original FL system and of LIGA, which—to the best of our knowledge—has not been observed before.
Lemma 5
Fix a basis of over . Then, the matrix representation of the ciphertext can be written in the form
[TABLE]
where
- is unknown and a codeword of a Gabidulin code,
- is unknown,
- is known and
- is unknown.
Proof.
Due to the -linearity of the trace map and the fact that the entries of the matrices and are in , we can write the ciphertext as follows.
[TABLE]
Since the entries of are in , the expansion of the ciphertext into the -basis of can be written as in (15) above. ∎
Theorem 0.B.1
The message vector can be reconstructed by the error-erasure decoders in [18, 43, 49] (as well as their accelerations in [34, 35]) and Steps 5 and 5 of Algorithm 5.
Proof.
As seen in Lemma 5, we can decompose the matrix representation of the ciphertext into a codeword plus an error that is partially known. In fact, the decomposition is of the form as in (1) (see Section 2.2), so can be reconstructed by the error-erasure decoders in [18, 43, 49] since the decoding condition (2) reads as
[TABLE]
in this case and is fulfilled by Table 1.
The message can then be recovered from using the same steps as in Algorithm 5. ∎
Theorem 0.B.1 leads to the following observation. The ciphertext is a codeword plus an error of rank weight , which is beyond the unique decoding radius. The legitimate receiver can only decrypt since she knows the (-dimensional) row space of a part of the error. Although the attacker knows the code, she cannot recover the message since she has no further knowledge about the structure of the error. Note the difference to the code-based McEliece cryptosystem, where the security relies on the fact that an attacker does not know the structure of the code. We will turn this observation into an exponential-time message attack in Section 6.2.2, which we will consider in our parameter choice.
Furthermore, the procedure implied by Theorem 0.B.1 might have a practical advantage compared to the original decryption algorithm. The code used for decoding in Algorithm 5 depends on the private key. In Theorem 0.B.1, the code is given by , which is public and in fact does not need to be chosen randomly in the key generation. (Footnote 5: Note that we described the key generation as in [14], where is chosen at random, but this is not necessary for the security of the system.) Depending on the used algorithm and type of implementation (e.g., in hardware), it can be advantageous in terms of complexity or implementation size if the code is fixed.
Appendix 0.C Probability of Large Enough Ciphertext Error Weight
In this section, we analyze the probability that the error part of the ciphertext
[TABLE]
has large enough rank to avoid the ciphertext attacks discussed in Section 6. The results of this appendix are summarized in Section 6.4.
Generically (i.e., with probability close to for random choices of , , ), we have , , and $\operatorname{rk}_q\big(\operatorname{Tr}(\alpha\mathbf{z})+\mathbf{e}\big) = w + t_{\mathsf{pub}}$. However, there is a very small probability that the error has significantly smaller rank than the generic case. Our aim is to design the system parameters such that this probability is sufficiently small, e.g., , to avoid attacks utilizing this behavior.
As we will see in this section, the choice of in the public key influences this probability (fixed , randomness in and ) significantly. Since is itself drawn using a random experiment during the key generation, we study with which probability this key is “strong”, i.e., whether the rank of is large with sufficiently high probability (randomness only in and ).
We start with a lemma that shows that the probability mass function of the -rank of for uniformly drawn only depends on the weight distribution of the code spanned by (the -linearly independent vectors over from which is constructed).
Lemma 6
Let be constructed from the randomly chosen code as in Algorithm 3. Denote by the rank-weight distribution of . For chosen uniformly at random, we have
[TABLE]
Proof.
We use the notation (, , , , and ) from Algorithm 3. First observe that . Hence,
[TABLE]
We can expand in the dual basis as . Then,
[TABLE]
where is a basis of and is a matrix of full rank . As is chosen uniformly at random from , the are chosen independently and uniformly at random from . As , this is equivalent to saying that
[TABLE]
is chosen uniformly at random from . Hence, we have
[TABLE]
i.e., is a codeword of , chosen uniformly at random. This immediately implies the claim. ∎
A direct consequence of the lemma above is the following statement.
Corollary 1
With notation as in Lemma 6, let be the minimum rank distance of the code . Then,
[TABLE]
Corollary 1 shows that we can easily bound the probability that has small -rank if the code (as defined in Lemma 6) has a large minimum rank distance. Loosely speaking, if the minimum rank distance of the code is small, we can consider this key to be weak, and strong otherwise. Since the code is chosen uniformly at random from the set of -linear (cf. choice of in Algorithm 3), we can use the following result from [10] to bound the probability that the key is weak.
Lemma 7 ([10, Corollary 5.4])
Let and . Choose a code uniformly at random from the -linear codes of parameters . Then,
[TABLE]
Since the code in Lemma 7 is chosen uniformly at random, it does not exactly match the distribution of the code in Algorithm 3. Hence, we need the following lemma and theorem to estimate the probability of a small minimum distance in our case.
Lemma 8
An -linear MRD code has a basis consisting of codewords of -rank .
Proof.
We show that the number of full-rank codewords is at least . Since these codewords are all non-zero, their -span must have cardinality at least and is hence the entire code.
The weight distribution of an MRD code of length and minimum distance can be given by (see [16]):
[TABLE]
where is the order of the extension field, , and denotes the number of rank- codewords.
We are interested in a lower bound for the number of full-rank codewords, i.e., . The sum in (16) is an alternating sum whose terms get larger, the larger and therefore can be lower bounded by the case of plus the case of . That means:
[TABLE]
Hence, for , we obtain:
[TABLE]
∎
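The counting argument of Lemma 8, as an added example that is not code from the paper. The closed-form weight distribution (16) did not survive extraction above; the code below uses the standard Delsarte/Gabidulin closed form for an $[n,k]$ MRD code over $\mathbb{F}_{q^m}$ with $n \le m$, which I assume is the expression the paper cites from [16]. It computes $A_0,\dots,A_n$, checks that they sum to $q^{mk}$, and verifies the step of the proof that the full-rank codewords (together with the zero word) outnumber any proper $\mathbb{F}_{q^m}$-subspace of the code, so that they must generate it. It also reports the proportion of full-rank codewords, the quantity that makes the Las Vegas basis search of Appendix 0.A succeed quickly.

```python
"""Added example (not the paper's code): rank-weight distribution of an MRD code via
the standard Delsarte/Gabidulin closed form, and the counting argument of Lemma 8."""


def gaussian_binomial(n, r, q):
    """q-binomial coefficient [n choose r]_q = number of r-dim subspaces of F_q^n."""
    if r < 0 or r > n:
        return 0
    num = den = 1
    for i in range(r):
        num *= q ** (n - i) - 1
        den *= q ** (i + 1) - 1
    return num // den


def mrd_weight_distribution(q, m, n, k):
    """Return [A_0, ..., A_n], A_r = number of codewords of F_q-rank r in an [n, k] MRD
    code over F_{q^m}, n <= m, minimum rank distance d = n - k + 1 (assumed closed form):
        A_r = [n, r]_q * sum_{j=0}^{r-d} (-1)^j q^{j(j-1)/2} [r, j]_q (q^{m(r-d-j+1)} - 1).
    """
    if not 1 <= k <= n <= m:
        raise ValueError("need 1 <= k <= n <= m")
    d = n - k + 1
    dist = [1] + [0] * n  # only the zero word has rank 0; no codeword has rank 1..d-1
    for r in range(d, n + 1):
        s = 0
        for j in range(r - d + 1):
            s += ((-1) ** j * q ** (j * (j - 1) // 2) * gaussian_binomial(r, j, q)
                  * (q ** (m * (r - d - j + 1)) - 1))
        dist[r] = gaussian_binomial(n, r, q) * s
    return dist


def full_rank_codewords_span_code(q, m, n, k):
    """Lemma 8's argument: a proper F_{q^m}-subspace of the code has at most q^{m(k-1)}
    elements. The span of the full-rank codewords contains 0 and all A_n of them, so if
    A_n + 1 exceeds q^{m(k-1)} the span cannot be proper and is the whole code."""
    dist = mrd_weight_distribution(q, m, n, k)
    return dist[n] + 1 > q ** (m * (k - 1))


def full_rank_fraction(q, m, n, k):
    """Proportion of codewords with full F_q-rank n among all q^{mk} codewords."""
    dist = mrd_weight_distribution(q, m, n, k)
    return dist[n] / sum(dist)
```

For the assumed toy parameters $q=2$, $m=n=8$, $k=4$ about 28.7% of the $2^{32}$ codewords have full rank, far more than the $2^{24}$ elements a proper subcode could hold, which is exactly the gap the lemma exploits; for tiny cases such as $q=2$, $m=n=k=2$ the distribution $[1,9,6]$ can be confirmed by enumerating $\mathbb{F}_4^2$ by hand.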
Theorem 0.C.1
Let , , and be chosen such that
[TABLE]
Let be chosen as in Algorithm 3, i.e., uniformly at random from the set of linear codes that have a basis consisting only of codewords with -rank . Furthermore, let . Then,
[TABLE]
Proof.
We define an alternative random experiment, where a code is chosen uniformly from all linear . The sought probability is then given by the conditional probability
[TABLE]
where is the event that has a basis of maximal-rank codewords. We derive the result using the relation
[TABLE]
First note that Lemma 7 gives us
[TABLE]
By Lemma 8, we have
[TABLE]
Using [30, Theorem 21], we can lower-bound this probability by
[TABLE]
where the last inequality follows from (18). The claim follows by combining the two bounds with (19). ∎
The last building block for a general bound on the probability of having small rank is the following lemma, which gives a bound for this probability conditioned on the event that has a given (large) rank.
Lemma 9
Let be fixed as in Algorithm 4 and let be chosen such that . For $\mathbf{e} \xleftarrow{\$} \{\mathbf{a}\in\mathbb{F}_{q^m}^{n} : \operatorname{rk}_q(\mathbf{a}) = t_{\mathsf{pub}}\}$, drawn uniformly at random, we have
[TABLE]
Proof.
For simplicity, we write (for some basis of over )
[TABLE]
It is clear that and, since and ,
[TABLE]
Note that in our probabilistic model, and are fixed and it follows easily that and are random variables that are uniformly distributed on the set of -dimensional subspaces of and , respectively, and stochastically independent. Due to [28, Theorem 1], for
[TABLE]
we have
[TABLE]
Since , this implies
[TABLE]
Due to [13, Proof of Lemma 7], we have
[TABLE]
Likewise, we have
[TABLE]
Due to , we obtain
[TABLE]
This proves the claim. ∎
In summary, we obtain the following theorem. Its proof follows directly by combining Corollary 1, Lemma 7, and Lemma 9 with a union-bound argument.
Theorem 0.C.2
Let , , and be chosen such that . Choose of the public key as in Algorithm 3. Let . With probability at least
[TABLE]
the public key has the following property:
Choose and . For $\mathbf{e} \xleftarrow{\$} \{\mathbf{a}\in\mathbb{F}_{q^m}^{n} : \operatorname{rk}_q(\mathbf{a}) = t_{\mathsf{pub}}\}$, drawn uniformly at random, the probability that $\operatorname{Tr}(\alpha\mathbf{z})+\mathbf{e}$ has large enough $\mathbb{F}_q$-rank (with respect to $w$) is lower-bounded by
[TABLE]
Remark 2
By the asymptotic analysis in [10], we have
[TABLE]
Since the hidden constant strongly depends on , this asymptotic value should only be used for a rough estimation of the strong-key probability and the exact formula in Theorem 0.C.2 should be used for parameter design.
Nevertheless, the formula shows that decreases exponentially in times the difference of and . Hence, usually we can choose close to the maximal value to achieve a given designed probability for a key to be strong.
For instance, we can choose for
[TABLE]
where is the security parameter.
- [1] Aguilar Melchor, C., Aragon, N., Bardet, M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Hauteville, A., Otmani, A., Ruatta, O., Tillich, J., Zemor, G.: ROLLO - Rank-Ouroboros, LAKE & LOCKER. Second round submission to the NIST post-quantum cryptography call (2019), https://pqc-rollo.org
- [2] Aguilar Melchor, C., Aragon, N., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Zemor, G., Couvreur, A., Hauteville: Rank quasi cyclic (RQC). Second round submission to the NIST post-quantum cryptography call (2019), https://pqc-rqc.org
- [3] Aragon, N., Barreto, P., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J., Gaborit, P., Gueron, S., Güneysu, T., Aguilar Melchor, C., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J., Vasseur, V., Zemor, G.: BIKE - bit flipping key encapsulation. Second round submission to the NIST post-quantum cryptography call (2019), https://pqc-rollo.org
- [4] Aragon, N., Gaborit, P., Hauteville, A., Tillich, J.P.: A new algorithm for solving the rank syndrome decoding problem. In: IEEE Int. Symp. Inf. Theory (ISIT) (2018)
- [5] Augot, D., Finiasz, M.: A public key encryption scheme based on the polynomial reconstruction problem. LNCS: Revised selected papers of EUROCRYPT 2003, vol. 2656, pp. 229–249 (2003)
- [6] Bardet, M., Briaud, P., Bros, M., Gaborit, P., Neiger, V., Ruatta, O., Tillich, J.P.: An algebraic attack on rank metric code-based cryptosystems. Tech. rep. (2019), arXiv:1910.00810v1
- [7] Bardet, M., Bros, M., Cabarcas, D., Gaborit, P., Perlner, R., Smith-Tone, D., Tillich, J.P., Verbel, J.: Algebraic attacks for solving the rank decoding and minrank problems without Gröbner basis (2020)
- [8] Bernstein, D., Chou, T., Lange, T., Maurich, I., Misoczki, R., Niederhagen, R., Persichetti, E., Peters, C., Schwabe, P., Sendrier, N., Szefer, J., Wang, W.: Classic McEliece. Second round submission to the NIST post-quantum cryptography call (2019), https://classic.mceliece.org
