Interleaving Loidreau's Rank-Metric Cryptosystem
Julian Renner, Sven Puchinger, Antonia Wachter-Zeh

TL;DR
This paper introduces an interleaved version of Loidreau's rank-metric cryptosystem, analyzing its security, proposing design guidelines, and suggesting a new code construction to improve key size and security.
Contribution
It presents a novel interleaved cryptosystem variant, analyzes attack resilience, and proposes a probabilistic code construction for secure, efficient implementation.
Findings
Secure instances require near-MRD codes not previously studied.
A new random code construction increases the probability of MRD codes over large fields.
An upper bound on decryption failure rate is derived, enabling parameter optimization.
Abstract
We propose and analyze an interleaved variant of Loidreau's rank-metric cryptosystem based on rank multipliers. We analyze and adapt several attacks on the system, propose design rules, and study weak keys. Finding secure instances requires near-MRD rank-metric codes which are not investigated in the literature. Thus, we propose a random code construction that makes use of the fact that short random codes over large fields are MRD with high probability. We derive an upper bound on the decryption failure rate and give example parameters for potential key size reduction.
| Parameter | Restriction |
|---|---|
| small field size | prime power |
| extension degree | |
| code length | |
| code dimension | |
| dimension of the subspace $\mathcal{V}$ | |
| interleaving order | |
| error weight in ciphertext | |
This work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 801434), and by the German Israeli Project Cooperation (DIP) grant no. KR3517/9-1.
Institute for Communications Engineering, Technical University of Munich (TUM), Munich, Germany
{julian.renner,sven.puchinger,antonia.wachter-zeh}@tum.de
Index Terms:
Code-Based Cryptography, Rank-Metric Codes, Gabidulin Codes, Interleaved Codes
I Introduction
Code-based cryptosystems have gained large attention in the last years since they are potentially resistant to quantum computer attacks, in contrast to currently-used number theoretic systems like RSA or ElGamal. The most famous code-based cryptosystem is the one by McEliece [1], which is based on the hardness of decoding in a generic code.
Recently, [2] introduced a system which can potentially reduce the key size of the original McEliece cryptosystem. The proposed system uses the same public key as the original system, but changes the cipher to a corrupted codeword of an interleaved code. Hence, key attacks are as hard as on the original McEliece system and one potentially obtains a better resistance against generic decoding since the interleaved code can correct significantly more errors than a single Goppa code. However, Tillich [3] found an attack, which is more efficient than generic decoding if the error is not chosen carefully. A repair against Tillich’s attack was proposed in [4].
Rank-metric codes are a promising candidate for code-based cryptography since generic decoding in the rank metric appears to be much harder than generic decoding in the Hamming metric. Hence, they provide significantly smaller key sizes at the same level of security against generic decoding. The rank metric was first considered in a McEliece-like scheme in [5] (Gabidulin–Paramonov–Tretjakov (GPT) cryptosystem). There are several modifications of the GPT system [6, 7, 8, 9, 10, 11, 12, 13, 14], which are all based on hiding the structure of a Gabidulin code, the most famous family of rank-metric codes, from an attacker. However, most of these systems are broken by Gibson’s [15] and Overbeck’s [16] attacks, as well as modifications thereof.
The only Gabidulin-code-based GPT variant that has not been broken so far is the one by Loidreau [14]. There are also GPT variants based on other code classes, e.g., [17, 18], as well as other types of rank-metric-code-based cryptosystems, e.g., [19, 20, 21], which we will not consider here.
In this paper, we combine the ideas of the interleaved system in [2] with Loidreau’s GPT variant [14]. We show that, in principle, Loidreau’s system can be interleaved using classical decoders for interleaved Gabidulin codes. We also analyze the security of the new system, including an adaptation of Tillich’s attack to the rank metric. Similarly to [4], we describe how Tillich’s attack can be prevented by choosing the error matrix in a suitable way. It turns out that the construction of (in this sense) secure errors requires rank-metric codes whose minimum distances are close to the Singleton bound. We show that Gabidulin codes yield potentially insecure error patterns since the resulting error matrix can be distinguished from a random one. We further show that, depending on the parameters, one can draw the error matrix in a random way and fulfill the requirements with high probability. For this choice of the error, we derive upper bounds on the decryption failure and present secure parameter sets that demonstrate the potential key size reduction.
II Preliminaries
II-A Notations
Let $q$ be a power of a prime and let $\mathbb{F}_{q}$ denote the finite field of order $q$ and $\mathbb{F}_{q^{m}}$ its extension field of order $q^{m}$. We use to denote the set of all matrices over and for the set of all row vectors of length over . Rows and columns of -matrices are indexed by and , where is the element in the -th row and -th column of the matrix . Denote the set of integers . By $\operatorname{rk}_{q}(\boldsymbol{A})$ and $\operatorname{rk}_{q^{m}}(\boldsymbol{A})$, we denote the rank of a matrix over $\mathbb{F}_{q}$, respectively $\mathbb{F}_{q^{m}}$.
For any , we denote the -power by .
Let $\boldsymbol{\gamma}=\begin{bmatrix}\gamma_{1},\gamma_{2},\dots,\gamma_{m}\end{bmatrix}$ be an ordered basis of over . By utilizing the vector space isomorphism , we can relate each vector $\boldsymbol{a}\in\mathbb{F}_{q^{m}}^{n}$ to a matrix $\boldsymbol{A}\in\mathbb{F}_{q}^{m\times n}$ according to $\operatorname{ext}_{\boldsymbol{\gamma}}:\mathbb{F}_{q^{m}}^{n}\rightarrow\mathbb{F}_{q}^{m\times n},\ \boldsymbol{a}=\begin{bmatrix}a_{1},\ldots,a_{n}\end{bmatrix}\mapsto\boldsymbol{A}$, where . Further, we extend the definition of $\operatorname{ext}_{\boldsymbol{\gamma}}$ to matrices by extending each row and then vertically concatenating the resulting matrices.
For a field $\mathbb{F}$, the vector space that is spanned by $\boldsymbol{v}_{1},\ldots,\boldsymbol{v}_{l}\in\mathbb{F}^{n}$ is denoted by $\langle\boldsymbol{v}_{1},\ldots,\boldsymbol{v}_{l}\rangle_{\mathbb{F}}=\{\sum_{i=1}^{l}a_{i}\boldsymbol{v}_{i}\,:\,a_{i}\in\mathbb{F}\}$.
The vector space that is spanned by the rows of the matrix $\boldsymbol{A}\in\mathbb{F}^{m\times n}$ is denoted by $\mathcal{R}(\boldsymbol{A})$, i.e., $\mathcal{R}(\boldsymbol{A})=\langle\begin{bmatrix}A_{1,1},\ldots,A_{1,n}\end{bmatrix},\ldots,\begin{bmatrix}A_{m,1},\ldots,A_{m,n}\end{bmatrix}\rangle_{\mathbb{F}}$.
The set of all $n\times n$ matrices which have only entries from $\mathcal{V}$ is denoted by $M_{n}(\mathcal{V})$, i.e., $M_{n}(\mathcal{V})=\{\boldsymbol{A}\in\mathbb{F}_{q^{m}}^{n\times n}:A_{i,j}\in\mathcal{V}\}$.
The product space of the subspaces and is denoted by .
II-B Rank-Metric, Gabidulin and Interleaved Gabidulin Codes
The rank norm $\operatorname{rk}_{q}(\boldsymbol{a})$ is the rank of the matrix representation $\boldsymbol{A}\in\mathbb{F}_{q}^{m\times n}$ over $\mathbb{F}_{q}$. The rank distance between $\boldsymbol{a}$ and $\boldsymbol{b}$ is $\mathrm{d}_{\mathrm{R}}(\boldsymbol{a},\boldsymbol{b}):=\operatorname{rk}_{q}(\boldsymbol{a}-\boldsymbol{b})=\operatorname{rk}_{q}(\boldsymbol{A}-\boldsymbol{B})$. An linear code $\mathcal{C}$ over is a -dimensional subspace of with minimum rank distance $d$, i.e., $d:=\min_{\boldsymbol{a}\in\mathcal{C}\setminus\{0\}}\{\operatorname{rk}_{q}(\boldsymbol{a})\}$.
Gabidulin codes [22, 23, 24] are a class of rank-metric codes.
**Definition 1** (Gabidulin Code).
A Gabidulin code over of length and dimension is defined by its generator matrix
[TABLE]
where $\boldsymbol{g}=[g_{1},g_{2},\dots,g_{n}]\in\mathbb{F}_{q^{m}}^{n}$, $\operatorname{rk}_{q}(\boldsymbol{g})=n$.
In [23], it is shown that Gabidulin codes are MRD codes, i.e., , and can be decoded uniquely up to .
Interleaved Gabidulin codes are a code class for which efficient decoders are known that are able to correct errors¹ with high probability, cf. [25, 26, 27].
¹ In this setting, an error of weight is a matrix over of -rank . Note that this means that the tall -matrix obtained by expanding the matrix component-wise over has rank .
**Definition 2** (Interleaved Gabidulin Codes [25]).
An interleaved Gabidulin code over of length , dimension , and interleaving order is defined by
[TABLE]
II-C Difficult Problems in Rank Metric
In this section, we state difficult variants of the rank syndrome decoding (RSD) problem which can be used for cryptography.
**Definition 3** (RSD Distribution).
*Input:* Choose uniformly at random
- $\boldsymbol{H}\xleftarrow{\$}\{\boldsymbol{A}\in\mathbb{F}_{q^{m}}^{(n-k)\times n}:\operatorname{rk}_{q^{m}}(\boldsymbol{A})=n-k\}$
- $\boldsymbol{x}\xleftarrow{\$}\{\boldsymbol{a}\in\mathbb{F}_{q^{m}}^{n}:\operatorname{rk}_{q}(\boldsymbol{a})=w\}$
*Output:* $(\boldsymbol{H},\boldsymbol{H}\boldsymbol{x}^{\top})$
**Definition 4** (Search RSD Problem).
*Input:* $(\boldsymbol{H},\boldsymbol{y}^{\top})$ from the RSD Distribution
*Goal:* Find $\boldsymbol{x}\in\{\boldsymbol{a}\in\mathbb{F}_{q^{m}}^{n}:\operatorname{rk}_{q}(\boldsymbol{a})=w\}$ such that $\boldsymbol{H}\boldsymbol{x}^{\top}=\boldsymbol{y}^{\top}$
Note that the Syndrome Decoding Problem in the Hamming metric can be probabilistically reduced to the Search RSD Problem [28].
**Definition 5** (Interleaved RSD Distribution).
*Input:* Choose uniformly at random
- $\boldsymbol{H}\xleftarrow{\$}\{\boldsymbol{A}\in\mathbb{F}_{q^{m}}^{(n-k)\times n}:\operatorname{rk}_{q^{m}}(\boldsymbol{A})=n-k\}$
- $\boldsymbol{X}\xleftarrow{\$}\{\boldsymbol{B}\in\mathbb{F}_{q^{m}}^{\ell\times n}:\operatorname{rk}_{q}(\boldsymbol{B})=w\}$
*Output:* $(\boldsymbol{H},\boldsymbol{H}\boldsymbol{X}^{\top})$
**Definition 6** (Interleaved Search RSD Problem).
*Input:* $(\boldsymbol{H},\boldsymbol{Y}^{\top})$ from the Interleaved RSD Distribution
*Goal:* Find $\boldsymbol{X}\in\{\boldsymbol{B}\in\mathbb{F}_{q^{m}}^{\ell\times n}:\operatorname{rk}_{q}(\boldsymbol{B})=w\}$ such that $\boldsymbol{H}\boldsymbol{X}^{\top}=\boldsymbol{Y}^{\top}$
Note that the Interleaved Search RSD Problem is similar to the problem proposed in [29, Definition 7]. The only difference is that the rows of the matrix in the Interleaved RSD Distribution have the same row space, whereas the rows of $\boldsymbol{U}^{\top}$ in [29, Definition 7] have the same column space. For a small interleaving order , the currently most efficient algorithm to solve both the Interleaved Search RSD Problem and the problem given in [29, Definition 7] was presented in [3] and will be analyzed in Section IV. For a high interleaving order , the algorithm proposed in [30] is able to solve the Interleaved Search RSD Problem with high probability in polynomial time. For an interleaving order greater than , the algorithm proposed in [31] is able to efficiently solve [29, Definition 7], see [31, Section 6.5].
III Interleaving Loidreau’s Cryptosystem
The system that we propose is a McEliece-type system based on interleaving the rank-metric codes introduced in [14].
To prove that decryption of the proposed system is successful with high probability, we need the following lemma.
**Lemma 1.**
Let be an invertible matrix with entries in a -dimensional -linear subspace of . Then
[TABLE]
Proof:
The proof is similar to [14]. Let $\boldsymbol{\gamma}^{\prime}=\begin{bmatrix}\gamma_{1}^{\prime},\dots,\gamma_{\ell}^{\prime}\end{bmatrix}$ be an ordered basis of over , $\boldsymbol{e}=\begin{bmatrix}e_{1},\ldots,e_{n}\end{bmatrix}:=\operatorname{ext}_{\boldsymbol{\gamma}^{\prime}}^{-1}(\boldsymbol{E})\in\mathbb{F}_{q^{m\ell}}^{n}$ be of rank weight , and . Further, let be a basis of . The entries of the vector belong to the vector space of dimension . ∎
The system parameters are shown in Table I. The key generation, encryption and decryption algorithms are as follows.
III-A Key Generation
The keys are the same as in [14], i.e.,
- $\boldsymbol{G}\in\mathbb{F}_{q^{m}}^{k\times n}$, a generator matrix of a random ,
- $\boldsymbol{S}\in\mathbb{F}_{q^{m}}^{k\times k}$, which is random and nonsingular,
- $\boldsymbol{P}\in M_{n}(\mathcal{V})\subset\mathbb{F}_{q^{m}}^{n\times n}$, random and non-singular, where $\mathcal{V}$ is a random -dimensional -linear subspace of .
The public key is given by $\boldsymbol{G}_{\mathrm{pub}}:=\boldsymbol{S}\boldsymbol{G}\boldsymbol{P}^{-1}$.
III-B Encryption
1. Choose the error matrix $\boldsymbol{E}=\begin{bmatrix}\boldsymbol{e}_{1}^{\top},\ldots,\boldsymbol{e}_{\ell}^{\top}\end{bmatrix}^{\top}$ randomly s.t.
[TABLE]
2. Compute the cipher $\boldsymbol{Y}=\boldsymbol{M}\boldsymbol{G}_{\mathrm{pub}}+\boldsymbol{E}\in\mathbb{F}_{q^{m}}^{\ell\times n}$, where $\boldsymbol{M}\in\mathbb{F}_{q^{m}}^{\ell\times k}$ is the message matrix.
III-C Decryption
1. Compute $\boldsymbol{Y}\boldsymbol{P}=\boldsymbol{M}\boldsymbol{S}\boldsymbol{G}+\boldsymbol{E}^{\prime}$, where $\boldsymbol{E}^{\prime}:=\boldsymbol{E}\boldsymbol{P}$ and $\operatorname{rk}_{q}(\boldsymbol{E}^{\prime})\leq\lfloor\frac{\ell}{\ell+1}(n-k)\rfloor$, cf. Lemma 1.
2. Decode $\boldsymbol{Y}\boldsymbol{P}$ in to obtain $\boldsymbol{M}\boldsymbol{S}$.
3. Compute $\boldsymbol{M}\boldsymbol{S}\boldsymbol{S}^{-1}=\boldsymbol{M}$ to retrieve the message.
Assuming $\boldsymbol{G}_{\mathrm{pub}}$ cannot be distinguished from a random matrix², an attacker needs to generically decode the cipher to obtain the plain text. This is equal to solving the Interleaved Search RSD Problem.
² The only known distinguisher [32] cannot be applied for a parameter choice according to Table I.
IV Attacks on the Cryptosystem
We recall, analyze, and adapt known attacks on the systems in [14, 2]. Since the keys are the same as in [14], key attacks are as hard as on the system in [14].
IV-1 (key attack)
In [14], a structural attack is described, which is based on brute-forcing a number of -dimensional subspaces of . The work factor is given by³
[TABLE]
³ We divide the exponent by to obtain an estimate of the post-quantum work factor (presuming that Grover’s algorithm can be applied).
IV-2 (decoding attack)
The work factors³ of the algorithms that correct errors of rank in an arbitrary linear rank distance code over are denoted by [33], [34], [35] and [36].
Tillich [3] proposed an attack on the interleaved Goppa codes system in [2], which can be similarly applied here. The augmented matrix of the public key and the cipher $\boldsymbol{G}_{\mathrm{aug}}^{\boldsymbol{Y}}:=\begin{bmatrix}\boldsymbol{G}_{\mathrm{pub}}^{\top}\ \boldsymbol{Y}^{\top}\end{bmatrix}^{\top}$ has the same row space as the matrix $\boldsymbol{G}_{\mathrm{aug}}^{\boldsymbol{E}}:=\begin{bmatrix}\boldsymbol{G}_{\mathrm{pub}}^{\top}\ \boldsymbol{E}^{\top}\end{bmatrix}^{\top}$.
Thus, the row space $\mathcal{C}_{\mathrm{aug}}:=\mathcal{R}(\boldsymbol{G}_{\mathrm{aug}}^{\boldsymbol{Y}})$ contains codewords of weight , where is the minimum rank distance of an error code spanned by the rows of $\boldsymbol{E}$, i.e., $\mathcal{C}_{\boldsymbol{E}}[n,\ell,d_{\mathrm{E}}]:=\mathcal{R}(\boldsymbol{E})$. Due to the restriction on the error matrix in (1), finding some non-zero element of the error code can, at least partially, recover the row space of the extended error matrix $\operatorname{ext}_{\boldsymbol{\gamma}}(\boldsymbol{E})$ since $\mathcal{R}(\operatorname{ext}_{\boldsymbol{\gamma}}(\boldsymbol{E}))=\mathcal{R}(\operatorname{ext}_{\boldsymbol{\gamma}}(\boldsymbol{e}_{1}))+\dots+\mathcal{R}(\operatorname{ext}_{\boldsymbol{\gamma}}(\boldsymbol{e}_{\ell}))$. The problem of finding low-rank-weight words was studied in [37], and is in principle equivalent to rank syndrome decoding. In particular, it has a similar complexity if the weight of the low-weight words is as large as the error in rank syndrome decoding, i.e., the smallest-known work factor is
[TABLE]
Note that since each row of is a codeword corrupted by an error of rank at least , the row-wise rank syndrome decoding has a complexity of at least \text{WF}_{\boldsymbol{E}}. Further, this attack has a higher complexity than generic decoding in Loidreau’s original system with the same public key if and only if .
IV-3 (decoding attack)
In [30], a polynomial-time decoding algorithm is proposed that works for arbitrary interleaved codes of interleaving degree and error matrices of full rank. However, in the case of , one must brute-force through the solution space of a linear system of equations whose size is exponential in . By choosing the parameters according to Table I, this attack is not efficient.
V Construction of the Error Matrix
We have seen in the previous section that in order to resist Tillich’s attack, the rows of the error matrix must span a code of large minimum rank distance, i.e., must be a generator matrix of an code. The following statement shows how to construct such a code that still fulfills the decoding condition (1), which is necessary for successful decryption.
Theorem 2.
Let the error matrix be given by
[TABLE]
where \boldsymbol{A}\in\mathbb{F}_{q^{m}}^{\ell\times t_{\mathsf{pub}}} is a generator matrix of a code and has full -rank and \boldsymbol{B}\in\mathbb{F}_{q}^{t_{\mathsf{pub}}\times n} has full rank. Then, fulfills (1) and is a generator matrix of an code. Also, and any row of has -rank at least .
Proof:
Since has columns, its -rank is at most . Multiplication by the full-rank -matrix from the right does not change the -rank, so \operatorname{rk}_{q}(\boldsymbol{E})\leq t_{\mathsf{pub}} and (1) is satisfied.
To prove that the error matrix spans an code, we first observe that the length of vectors in the row space of is and its -rank is (since has full -rank and multiplication by the full-rank matrix does not change this rank). Thus it is a code of length and dimension over .
As for the minimum distance, we have the following. Let \boldsymbol{c}_{1},\boldsymbol{c}_{2} be two distinct vectors in the row space of . Then, we can write them as \boldsymbol{c}_{i}=\boldsymbol{a}_{i}\cdot\boldsymbol{B}, where \boldsymbol{a}_{1},\boldsymbol{a}_{2} are in the row space of . Since the \boldsymbol{c}_{i} are distinct, so are the \boldsymbol{a}_{i}. Furthermore, we have \mathrm{d}_{\mathrm{R}}(\boldsymbol{a}_{1},\boldsymbol{a}_{2})\geq d_{\mathrm{E}}. Since is a full-rank matrix over , multiplication by it does not change the rank of a word. Hence, \mathrm{d}_{\mathrm{R}}(\boldsymbol{c}_{1},\boldsymbol{c}_{2})=\mathrm{d}_{\mathrm{R}}(\boldsymbol{a}_{1}\boldsymbol{B},\boldsymbol{a}_{2}\boldsymbol{B})=\mathrm{d}_{\mathrm{R}}(\boldsymbol{a}_{1},\boldsymbol{a}_{2})\geq d_{\mathrm{E}}, which shows that the rows of indeed generate an code. As a result, any row of , as well as itself, has -rank . ∎
Due to the rank-metric Singleton bound, the minimum distance of the error code is upper bounded by . The work factor of [3] is greater than RSD of Loidreau’s system if . To gain in security level (or to reduce the key size), we must choose a suitable code with
[TABLE]
An obvious choice would be a Gabidulin code attaining the upper bound. However, we will show in Appendix A that in this case, the error code \mathcal{R}(\boldsymbol{E}) can be distinguished from a random code, which might be a weakness.
In the next section, we will show that it suffices to choose a random code as the error code since its minimum distance attains the upper bound in (3) with high probability, cf. [38].
As an alternative, one can use structured codes that arise from codes whose minimum distance is close to the upper bound. However, such codes have not been studied in the literature and, hence, this paper provides a motivation to study these codes. We will formally state the research problem in the conclusion.
VI Using Random Error Codes
In this section, we show that by choosing uniformly at random among all full-rank matrices in , one obtains an error code with high probability. For this choice of , we then analyze the decryption failure probability.
VI-A Probability of Generating an Code
Theorem 3 (Probabilities for MRD codes [38]).
Let \boldsymbol{X}\in\mathbb{F}_{q^{m}}^{k\times(n-k)} be randomly chosen. Then
[TABLE]
where \boldsymbol{I}_{k} denotes the identity matrix.
Note that for practical parameters, it might not be feasible to determine the minimum rank distance of the chosen code since the fastest-known algorithms to compute the minimum rank distance are exponential in the code parameters.
Proposition 4.
Let \boldsymbol{E}=\boldsymbol{A}\boldsymbol{B}, where is drawn uniformly at random among all full-rank matrices in and uniformly at random among all full-rank matrices in . Then the probability that is a generator matrix of a code is .
Proof:
It follows directly from Theorems 2 and 3. ∎
Note that if the inverse of the probability that is not MRD, i.e., , is above the security level, this choice of the error does not decrease the security of the system. We take this into account for the choice of the proposed parameters and show the values in Table II.
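As an added example (not code from the paper or its authors), the following Python script instantiates the Theorem 2 construction E = A·B for the toy parameters q = 2, m = 4, ℓ = 2, t_pub = 3, n = 5 (all constructed here), checks the two properties the theorem claims, namely rk_q(E) ≤ t_pub and that the rows of E span a code with the same minimum rank distance as the rows of A, and estimates by sampling how often a uniformly random A yields an MRD error code, which is the event Proposition 4 quantifies. The field arithmetic, the rank computations, the fixed matrices A_MRD and B_FULL and the brute-force minimum-distance search are hypothetical helpers written for this example; the closed-form probability of Theorem 3 is not reproduced.

```python
import itertools
import random

M = 4                      # F_{2^M} = F_16, elements stored as 4-bit integers
MODULUS = 0b10011          # x^4 + x + 1, irreducible over F_2 (constructed choice)
ALPHA = 0b0010             # the class of x in F_2[x]/(MODULUS)

def gf_mul(a, b):
    """Multiply in F_16: carry-less product reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M & 1:
            a ^= MODULUS
    return r

def rank_f2(rows):
    """Rank over F_2 of a binary matrix given as a list of row bitmasks."""
    pivots = {}            # leading bit -> basis row with that leading bit
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top not in pivots:
                pivots[top] = r
                break
            r ^= pivots[top]
    return len(pivots)

def rank_q(rows):
    """F_q-rank of a matrix over F_16: expand each F_16 row into its M binary
    coordinate rows and take the F_2-rank (for one vector: its rank weight)."""
    expanded = [sum(((x >> i) & 1) << j for j, x in enumerate(v))
                for v in rows for i in range(M)]
    return rank_f2(expanded)

def mat_mul_f16_f2(A, B):
    """E = A * B with A over F_16 (ell x t) and B over F_2 (t x n, 0/1 entries)."""
    E = []
    for row in A:
        e = [0] * len(B[0])
        for a_k, b_row in zip(row, B):
            for j, bit in enumerate(b_row):
                if bit:
                    e[j] ^= a_k       # scalar from F_2, so no gf_mul needed
        E.append(e)
    return E

def min_rank_distance(G):
    """Minimum rank distance of the F_16-linear code spanned by the rows of G,
    by brute force over all nonzero coefficient vectors (toy sizes only).
    Returns 0 if the rows are F_16-linearly dependent."""
    ell, n = len(G), len(G[0])
    best = min(M, n)
    for coeffs in itertools.product(range(1 << M), repeat=ell):
        if not any(coeffs):
            continue
        cw = [0] * n
        for lam, row in zip(coeffs, G):
            for j, x in enumerate(row):
                cw[j] ^= gf_mul(lam, x)
        best = min(best, rank_q([cw]))
    return best

def build_error_matrix(A, B):
    """Theorem 2 construction E = A * B; B in F_2^{t x n} must have full rank t."""
    t = len(B)
    assert len(A[0]) == t, "A must have t_pub columns"
    assert rank_f2([sum(b << j for j, b in enumerate(r)) for r in B]) == t
    return mat_mul_f16_f2(A, B)

def mrd_fraction(ell, t, trials=200, seed=1):
    """Monte Carlo estimate of the Proposition 4 event: draw A uniformly from
    F_16^{ell x t} (rank-deficient draws are redrawn) and count how often its
    row space meets the rank-metric Singleton bound t - ell + 1 (uses t <= M).
    Constructed sampling, not the closed form of Theorem 3."""
    rng = random.Random(seed)
    hits = done = 0
    while done < trials:
        A = [[rng.randrange(1 << M) for _ in range(t)] for _ in range(ell)]
        d = min_rank_distance(A)
        if d == 0:
            continue
        done += 1
        hits += d == t - ell + 1
    return hits / trials

# Constructed instance with ell = 2, t_pub = 3, n = 5. A_MRD spans the dual of
# the [3,1] code generated by (1, alpha, alpha^2); these are F_2-linearly
# independent, so no codeword has rank 1 and the code is MRD with d_E = 2.
A_MRD = [[ALPHA, 1, 0],
         [gf_mul(ALPHA, ALPHA), 0, 1]]
B_FULL = [[1, 0, 0, 1, 0],
          [0, 1, 0, 1, 1],
          [0, 0, 1, 0, 1]]
E_EXAMPLE = build_error_matrix(A_MRD, B_FULL)

if __name__ == "__main__":
    print("rk_q(E) =", rank_q(E_EXAMPLE), " d_R(A) =", min_rank_distance(A_MRD),
          " d_R(E) =", min_rank_distance(E_EXAMPLE),
          " MRD fraction =", mrd_fraction(2, 3))
```

For the fixed instance the script reports rk_q(E) = 3 = t_pub and d_R(A) = d_R(E) = 2, as Theorem 2 predicts. The sampled MRD fraction for ℓ = 2, t_pub = 3 over F_16 comes out near 0.6 (for this [3,2] case the code is MRD exactly when the three entries of a dual vector are F_2-linearly independent, which gives 2520/4095), far from the "high probability" the paper relies on: that argument needs q^m large relative to the code length, and the toy m = 4 is kept tiny only so that the exhaustive distance search stays cheap. Raising M in the constants moves the fraction towards 1 at exponential cost in the search.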
VI-B Decryption Failure Probability
The decryption algorithm fails if and only if the decoding of the interleaved Gabidulin code fails.
Lemma 5.
Let be a fixed subspace and a subspace generated by random and linearly independent elements of . Then,
[TABLE]
Proof:
See [39, Proposition 3.3]. ∎
Theorem 6.
Let \tilde{\boldsymbol{E}}=\boldsymbol{A}\tilde{\boldsymbol{B}}, where is chosen as a random full-rank matrix of and as a random matrix of . Further let \dim(\langle\boldsymbol{A}_{i,1},\ldots,\boldsymbol{A}_{i,t_{\mathsf{pub}}}\rangle_{\mathbb{F}_{q}}\times\mathcal{V})=\lambda t_{\mathsf{pub}} for . Then correcting \tilde{\boldsymbol{E}}\boldsymbol{P} in succeeds with probability
[TABLE]
Proof:
The error that has to be decoded during decryption can be written as \tilde{\boldsymbol{E}}\boldsymbol{P}=\boldsymbol{A}^{\prime}\boldsymbol{B}^{\prime}, where the -th row of \boldsymbol{A}^{\prime}\in\mathbb{F}_{q^{m}}^{\ell\times\lambda t_{\mathsf{pub}}} is a basis of the product space \langle\boldsymbol{A}_{i,1},\ldots,\boldsymbol{A}_{i,t_{\mathsf{pub}}}\rangle_{\mathbb{F}_{q}}\times\mathcal{V} and \boldsymbol{B}^{\prime}\in\mathbb{F}_{q}^{\lambda t_{\mathsf{pub}}\times n}. Since \dim(\langle\boldsymbol{A}_{i,1},\ldots,\boldsymbol{A}_{i,t_{\mathsf{pub}}}\rangle_{\mathbb{F}_{q}}\times\mathcal{V})=\lambda t_{\mathsf{pub}} and \tilde{\boldsymbol{B}} is random, the matrix \boldsymbol{B}^{\prime} can be seen as a random element of and (\boldsymbol{E}\boldsymbol{P})_{i,j} as a random element of \langle\boldsymbol{A}_{i,1},\ldots,\boldsymbol{A}_{i,t_{\mathsf{pub}}}\rangle_{\mathbb{F}_{q}}\times\mathcal{V}, see [39, Proposition 4.3]. Thus, when applying the interleaved decoder proposed in [25, 40], the probability of correcting \tilde{\boldsymbol{E}}\boldsymbol{P} successfully is
[TABLE]
Further, since \operatorname{rk}_{q}(\boldsymbol{A}^{\prime})=\lambda t_{\mathsf{pub}}, the probability \Pr[\operatorname{rk}_{\mathbb{F}_{q}}(\tilde{\boldsymbol{E}}\boldsymbol{P})=t^{\prime}] is equal to the probability that the random matrix \boldsymbol{B}^{\prime} has rank [39, Proposition 4.3], i.e.,
[TABLE]
∎
Note that the error in Theorem 6 is not necessarily full-rank. However, it seems possible to adapt the proof of the bound in [25, 40] to random full-rank errors, where we conjecture that the lower bound on the success probability will be higher in the case of full-rank errors. Based on this conjecture, the decryption algorithm in Section III fails with probability
[TABLE]
We believe that the latter bound on the decryption failure is not tight since 1) \dim(\langle\boldsymbol{A}_{i,1},\ldots,\boldsymbol{A}_{i,t_{\mathsf{pub}}}\rangle_{\mathbb{F}_{q}}\times\mathcal{V})=\lambda t_{\mathsf{pub}} is not a necessary condition to successfully decode but only required for the correctness of Theorem 6, and 2) the bound was derived for \tilde{\boldsymbol{E}}\boldsymbol{P}, which might not have full rank. Nevertheless, for the parameters proposed in Table II, even the inverse of this loose upper bound on the decryption failure rate is below the claimed security levels.
VII Potential Key Size Reduction
For the error construction proposed in Proposition 4, we propose parameters for (post-quantum) levels of security of , , and bit with respect to the known attacks in Table II. The explicit work factors, the inverse of the probability that is not MRD denoted by \text{WF}_{\boldsymbol{A}}:=\log_{2}\ell^{-1}q^{m-\ell t_{\mathsf{pub}}}, the rate , the key size and the upper bound on the decryption failure in bits are presented for .
VIII Conclusion
In this paper, we proposed a rank-metric McEliece-type cryptosystem based on applying the interleaving approach of Elleuch et al. to Loidreau’s cryptosystem. We analyzed possible attacks and showed that structural attacks are as hard as for Loidreau’s system, but that an additional decoding attack is facilitated by interleaving. The efficiency of the latter attack can be reduced by choosing the error matrix as a generator matrix of a code with large minimum distance. We suggested design rules for the system and proved that, depending on the parameters, a random construction of the error matrix fulfills the requirements with high probability. For this choice of the error, we derived upper bounds on the decryption failure and presented valid parameter sets that permit smaller key sizes.
Related Open Research Problem
Note that (3) does not restrict the code generated by to be MRD but also allows codes whose minimum distances are close to . Since only little is known about non-MRD codes, the cryptosystem proposed here motivates an interesting new research direction:
Open Research Problem 1.
Given an extension field , , , and , for some , , find a rank-metric code with parameters over with an efficient decoder, which—vaguely stated—cannot be distinguished from a random rank-metric code as easily as a Gabidulin code (cf. Appendix A below).
Appendix A A Distinguisher for Errors from Gabidulin Codes
In this section, we show that choosing (cf. Theorem 2) to be a generator matrix of a Gabidulin code results in an error code (i.e., the code spanned by the rows of ) that is distinguishable from a random error matrix. Although this does not directly lead to an explicit attack that, e.g., recovers the error matrix, this might be a weakness of ciphers obtained from these .
We use the fact that the augmented matrix obtained by vertically concatenating \boldsymbol{G}_{\mathrm{pub}} and the cipher has the same row space as the same construction with \boldsymbol{G}_{\mathrm{pub}} and the unknown error , i.e., \mathcal{R}(\boldsymbol{G}_{\mathrm{aug}}^{\boldsymbol{Y}})=\mathcal{R}(\boldsymbol{G}_{\mathrm{aug}}^{\boldsymbol{E}}). Thus, applying the following operator to the augmented matrix might reveal the structure of the error matrix, as we show next.
Definition 7 (-Sum).
Let be a linear code over and . Then, the () -sum of is defined by
[TABLE]
A-A Distinguishing the Augmented Code
We first state the following lemma.
Lemma 7.
Let be constructed as in Theorem 2, where is a generator matrix of a Gabidulin code. Then,
[TABLE]
Proof:
By definition \Lambda_{i}(\mathcal{C}_{\mathrm{aug}})=\Lambda_{i}(\mathcal{R}(\boldsymbol{G}_{\mathrm{pub}}))+\Lambda_{i}(\mathcal{C}_{\boldsymbol{E}}). Since is a generator matrix of a Gabidulin code, \dim(\Lambda_{i}(\mathcal{C}_{\boldsymbol{E}}))=\min\{\ell+i,t_{\mathsf{pub}}\}. Thus,
[TABLE]
If in Theorem 2 is chosen to be a random full-rank matrix, we have \dim\Lambda_{i}(\mathcal{R}(\boldsymbol{E}))=\min\{(i+1)\ell,t_{\mathsf{pub}}\} with high probability. Hence, by the same arguments as in Lemma 7, the overall augmented code has dimension
[TABLE]
By Lemma 7, for (which simply means that for , ), the dimension of with a Gabidulin code matrix is smaller than the respective dimension when using a random , with high probability. Hence, it can be distinguished.
A-B Distinguishing the Dual Augmented Code
We study the dual of the augmented matrix.
Lemma 8.
Let
[TABLE]
then \mathcal{C}_{\mathrm{aug}}^{\bot}=\mathcal{R}(\boldsymbol{G}_{\mathrm{pub}})^{\bot}\cap\mathcal{R}(\boldsymbol{E})^{\bot}=\mathcal{R}(\boldsymbol{H}_{\mathrm{pub}})\cap\mathcal{R}(\boldsymbol{H}_{\text{E}}).
Proof:
For the code it holds that
[TABLE]
where denotes the all-zero vector of length . ∎
Lemma 9.
There is an \boldsymbol{H}_{\text{E}} of the form
[TABLE]
where \boldsymbol{B}_{\mathrm{inv}}\in\mathbb{F}_{q}^{t_{\mathsf{pub}}\times n} has -rank , \boldsymbol{B}_{\mathrm{ker}}\in\mathbb{F}_{q}^{(n-t_{\mathsf{pub}})\times n} has -rank , \boldsymbol{A}^{\bot}\in\mathbb{F}_{q^{m}}^{(t_{\mathsf{pub}}-\ell)\times t_{\mathsf{pub}}} and (\boldsymbol{A}^{\bot}\boldsymbol{B}_{\mathrm{inv}}^{\top}\boldsymbol{B}^{\top}) is a parity-check matrix to .
Proof:
Since \boldsymbol{B}\in\mathbb{F}_{q}^{t_{\mathsf{pub}}\times n} is of full rank and defined over , we can find a basis \boldsymbol{B}_{\mathrm{ker}}\in\mathbb{F}_{q}^{(n-t_{\mathsf{pub}})\times n} of its right kernel. Note that \boldsymbol{B}_{\mathrm{ker}} has full - and -rank. By the basis extension theorem, we can extend the linearly independent rows of \boldsymbol{B}_{\mathrm{ker}} into a full basis of . These further basis elements form the rows of \boldsymbol{B}_{\mathrm{inv}}. Note that also \boldsymbol{B}_{\mathrm{inv}} has full - and -rank and any non-zero vector in the row space of \boldsymbol{B}_{\mathrm{inv}} is linearly independent of the rows of \boldsymbol{B}_{\mathrm{ker}}. Hence, also the rows of \boldsymbol{A}^{\bot}\boldsymbol{B}_{\mathrm{inv}} are linearly independent of the rows of \boldsymbol{B}_{\mathrm{ker}}, which, together with the fact that \boldsymbol{A}^{\bot} has full rank, shows that \boldsymbol{H}_{\text{E}} has full -rank .
It remains to show that the rows of \boldsymbol{H}_{\text{E}} are in the right kernel of . The rows of \boldsymbol{B}_{\mathrm{ker}} fulfill this because \boldsymbol{E}=\boldsymbol{A}\boldsymbol{B} and \boldsymbol{B}_{\mathrm{ker}} is a basis of the right kernel of . For the first rows of \boldsymbol{H}_{\text{E}}, we check:
[TABLE]
which is true since \boldsymbol{A}^{\bot}\boldsymbol{B}_{\mathrm{inv}}^{\top}\boldsymbol{B}^{\top} is a parity-check matrix with respect to . ∎
Remark 10.
Note that \boldsymbol{A}^{\bot} as in Lemma 9 is a generator matrix of a Gabidulin code since \boldsymbol{A}^{\bot}\boldsymbol{B}_{\mathrm{inv}}^{\top}\boldsymbol{B}^{\top} is one (the dual code of a Gabidulin code is a Gabidulin code, cf. [23]) and \boldsymbol{B}_{\mathrm{inv}}^{\top}\boldsymbol{B}^{\top} is an invertible matrix over (which means that we just need to use different evaluation points in the Gabidulin code).
Lemma 11.
Let be defined as in Theorem 2, then
[TABLE]
Proof:
We use Lemma 9. Since \boldsymbol{B}_{\mathrm{inv}} and \boldsymbol{B}_{\mathrm{ker}} are over , \boldsymbol{B}_{\mathrm{inv}}^{q}=\boldsymbol{B}_{\mathrm{inv}} and \boldsymbol{B}_{\mathrm{ker}}^{q}=\boldsymbol{B}_{\mathrm{ker}}. Further, \dim\Lambda_{i}(\boldsymbol{A}^{\bot})=\min\{t_{\mathsf{pub}}-\ell+i,t_{\mathsf{pub}}\}, cf. [40], since \boldsymbol{A}^{\bot} is a generator matrix of a Gabidulin code. Thus, \dim\Lambda_{i}\big(\mathcal{R}(\boldsymbol{H}_{\text{E}})\big)\leq\min\{n-\ell+i,n\}. ∎
Lemma 12.
Let \boldsymbol{H}_{\mathrm{pub}} be a parity-check matrix of an code generated by \boldsymbol{G}_{\mathrm{pub}}. Then, \dim\Lambda_{i}\big(\mathcal{R}(\boldsymbol{H}_{\mathrm{pub}})\big)=\min\{(i+1)(n-k),n\}, with high probability.
Lemma 13.
Let \mathcal{C}_{\mathrm{aug}}^{\bot}=\mathcal{R}(\mathbf{H}_{\mathrm{pub}})\cap\mathcal{R}(\mathbf{H}_{\mathrm{E}}). Then, for every i, \Lambda_{i}(\mathcal{C}_{\mathrm{aug}}^{\bot})\subseteq\Lambda_{i}\big(\mathcal{R}(\mathbf{H}_{\mathrm{pub}})\big)\cap\Lambda_{i}\big(\mathcal{R}(\mathbf{H}_{\mathrm{E}})\big), and hence \dim\Lambda_{i}(\mathcal{C}_{\mathrm{aug}}^{\bot})\leq\min\big\{\dim\Lambda_{i}\big(\mathcal{R}(\mathbf{H}_{\mathrm{pub}})\big),\dim\Lambda_{i}\big(\mathcal{R}(\mathbf{H}_{\mathrm{E}})\big)\big\}.
Proof:
We have \mathcal{C}_{\mathrm{aug}}^{\bot}\subseteq\mathcal{R}(\mathbf{H}_{\mathrm{pub}}), thus \mathcal{C}_{\mathrm{aug}}^{\bot}+\ldots+\big(\mathcal{C}_{\mathrm{aug}}^{\bot}\big)^{[i]}\subseteq\mathcal{R}\big([\mathbf{H}_{\mathrm{pub}}^{\top},{\mathbf{H}_{\mathrm{pub}}^{[1]}}^{\top},\dots,{\mathbf{H}_{\mathrm{pub}}^{[i]}}^{\top}]^{\top}\big)=\Lambda_{i}\big(\mathcal{R}(\mathbf{H}_{\mathrm{pub}})\big). The same holds for \mathcal{R}(\mathbf{H}_{\mathrm{E}}), which proves the claim. ∎
Theorem 14.
Let \mathcal{C}_{\mathrm{aug}}^{\bot}=\mathcal{R}\big([\mathbf{G}_{\mathrm{pub}}^{\top},\mathbf{Y}^{\top}]^{\top}\big)^{\bot}. Then, with high probability, \dim\Lambda_{i}(\mathcal{C}_{\mathrm{aug}}^{\bot})\leq\min\{n-\ell+i,\,(i+1)(n-k),\,n\}.
Proof:
The proof follows directly from Lemmas 11, 12 and 13. ∎
In summary, by choosing \mathbf{A} to be a generator matrix of a Gabidulin code, the error code can be distinguished from an error matrix with random \mathbf{A}. This does not imply an explicit attack on the system, but it indicates that there might be a weakness in this case. The distinguisher must also be taken into account when constructing codes for Open Research Problem 1.
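The distinguisher above rests on the Frobenius-sum dimension \dim\Lambda_{i}(\mathcal{C})=\dim(\mathcal{C}+\mathcal{C}^{[1]}+\dots+\mathcal{C}^{[i]}): a Gabidulin code of dimension k gives \min\{k+i,n\} (the property used in Lemma 11), whereas a random code of the same dimension gives \min\{(i+1)k,n\} with high probability (Lemma 12). The following Python script is an added illustration and not part of the paper: it builds a Gabidulin generator matrix and a random one over the toy field \mathbb{F}_{2^{8}} (q=2, so [1] is entrywise squaring), computes \dim\Lambda_{i} for both by Gaussian elimination, and flags a code whose value falls below the random expectation. The field polynomial (the AES polynomial), the locators 1,x,\dots,x^{7}, the parameters n=8, k=3 and the random seed are choices made for this example.

```python
"""Frobenius-sum distinguisher for Gabidulin vs. random codes over GF(2^8).

Added example (not from the paper): computes dim Lambda_i(C) = dim(C + C^[1] + ... + C^[i])
for a Gabidulin code and for a random code of the same length and dimension.
Field, locators, parameters and seed are choices made for this example.
"""
import random

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (example choice); q = 2.
M = 8
POLY = 0x11B

def gf_mul(a, b):
    """Multiply two field elements (ints 0..255) in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """a^(2^8 - 2) = a^-1 for nonzero a (a^255 = 1)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, (1 << M) - 2)

def frob(a, i=1):
    """Frobenius a -> a^(q^i); for q = 2 this is i-fold squaring."""
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def gf_rank(rows):
    """Rank over GF(2^8) by Gaussian elimination (rows: lists of ints)."""
    mat = [r[:] for r in rows]
    rank = 0
    for col in range(len(mat[0])):
        pivot = next((r for r in range(rank, len(mat)) if mat[r][col]), None)
        if pivot is None:
            continue
        mat[rank], mat[pivot] = mat[pivot], mat[rank]
        inv = gf_inv(mat[rank][col])
        mat[rank] = [gf_mul(inv, x) for x in mat[rank]]
        for r in range(len(mat)):
            if r != rank and mat[r][col]:
                f = mat[r][col]
                mat[r] = [x ^ gf_mul(f, y) for x, y in zip(mat[r], mat[rank])]
        rank += 1
        if rank == len(mat):
            break
    return rank

def gabidulin_generator(g, k):
    """k x n Moore matrix with rows g^[0], g^[1], ..., g^[k-1]; g must be F_2-linearly independent."""
    rows, row = [], list(g)
    for _ in range(k):
        rows.append(row)
        row = [frob(x) for x in row]
    return rows

def random_generator(k, n, seed):
    """Uniformly random k x n matrix over GF(2^8), deterministic via seed (constructed input)."""
    rng = random.Random(seed)
    return [[rng.randrange(1 << M) for _ in range(n)] for _ in range(k)]

def lambda_dim(gen, i):
    """dim Lambda_i(C) for C = row space of gen: rank of the stacked matrix [G; G^[1]; ...; G^[i]]."""
    stacked = [[frob(x, j) for x in row] for j in range(i + 1) for row in gen]
    return gf_rank(stacked)

def looks_like_gabidulin(gen, i=1):
    """Distinguisher: a random k-dim code has dim Lambda_i = min{(i+1)k, n} w.h.p.,
    a Gabidulin code only min{k+i, n}; flag when the observed value is below the random one."""
    k, n = len(gen), len(gen[0])
    return lambda_dim(gen, i) < min((i + 1) * k, n)

if __name__ == "__main__":
    n, k = 8, 3
    basis = [1 << j for j in range(n)]          # 1, x, ..., x^7: F_2-independent locators
    G_gab = gabidulin_generator(basis, k)
    G_rnd = random_generator(k, n, seed=2019)
    for i in range(4):
        print(f"i={i}: Gabidulin dim Lambda_i = {lambda_dim(G_gab, i)}, "
              f"random dim Lambda_i = {lambda_dim(G_rnd, i)}")
    print("Gabidulin flagged:", looks_like_gabidulin(G_gab),
          "random flagged:", looks_like_gabidulin(G_rnd))
```

With n=8 and k=3 the Gabidulin code yields 4, 5, 6 for i=1,2,3, while the random code already reaches 6 at i=1 and the full length 8 at i=2, so a single Frobenius sum separates the two cases. In the cryptosystem the same quantity is evaluated on \mathcal{C}_{\mathrm{aug}}^{\bot} rather than on \mathbf{A} directly, which is why Lemma 13 and Theorem 14 propagate the bound through the intersection.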
[1] R. J. McEliece, “A Public-Key Cryptosystem Based on Algebraic Coding Theory,” DSN Progress Report 42-44, pp. 114–116, 1978.
[2] M. Elleuch, A. Wachter-Zeh, and A. Zeh, “A Public-Key Cryptosystem from Interleaved Goppa Codes,” arXiv:1809.03024, 2018.
[3] J. Tillich, Personal Communication, 2018.
[4] L. Holzbaur, H. Liu, S. Puchinger, and A. Wachter-Zeh, “On Interleaved Goppa Codes and Their Applications,” arXiv:1901.10202, 2019.
[5] E. M. Gabidulin, A. Paramonov, and O. Tretjakov, “Ideals over a Non-Commutative Ring and Their Application in Cryptology,” in Workshop Theory and Appl. Cryptogr. Techn., Springer, 1991, pp. 482–489.
[6] E. M. Gabidulin and A. V. Ourivski, “Modified GPT PKC with Right Scrambler,” Electron. Notes Discrete Mathematics, vol. 6, pp. 168–177, 2001.
[7] E. M. Gabidulin, A. V. Ourivski, B. Honary, and B. Ammar, “Reducible Rank Codes and Their Applications to Cryptography,” IEEE Trans. Inform. Theory, vol. 49, no. 12, pp. 3289–3293, 2003.
[8] P. Loidreau, “Designing a Rank Metric Based McEliece Cryptosystem,” in Int. Workshop Post-Quantum Cryptogr., Springer, 2010, pp. 142–152.
