On the Complexity of the Rank Syndrome Decoding Problem

Gaborit, Philippe; Ruatta, Olivier; Schrek, Julien

doi:10.1109/tit.2015.2511786

Cited by 98 publications

(128 citation statements)

References 34 publications

Supporting

Mentioning

114

Contrasting

Order By: Relevance

“…For the rank metric, some complexity results were obtained more recently in [13], emphasizing the difficulty of ML decoding. This potential hardness was also corroborated by the existing practical complexities of the generic rank metric decoding algorithms [12].…”

Section: Introductionmentioning

confidence: 58%

See 1 more Smart Citation

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Renner

Jerkovits

Bartz

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We address the problem of decoding Gabidulin codes beyond their unique error-correction radius. The complexity of this problem is of importance to assess the security of some rank-metric code-based cryptosystems. We propose an approach that introduces row or column erasures to decrease the rank of the error in order to use any proper polynomial-time Gabidulin code error-erasure decoding algorithm. This approach improves on generic rank-metric decoders by an exponential factor.

show abstract

Section: Introductionmentioning

confidence: 58%

“…In the security evaluations, this polynomial is often neglected and only the exponential term is taken into account. Note that in the case where m > n there might be a better combinatorial bound [12]. Since we do not address this setting, we do not consider this case.…”

Section: Gabidulin Codes and Channel Modelmentioning

confidence: 99%

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Renner

Jerkovits

Bartz

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…We have also seen that taking w > u u+1 (n − k) implies to choose t pub < 1 2 n−k u+1 which exposes further the system to general decoding attacks like [GRS16]. Hence it imposes to increase the key sizes and consequently reduces the practicability of the scheme while offering no assurance that the scheme is still secure.…”

Section: Resultsmentioning

confidence: 99%

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Gaborit

Otmani

Kalachi

2017

Des. Codes Cryptogr.

Self Cite

View full text Add to dashboard Cite

ABSTRACT. Encryption schemes based on the rank metric lead to small public key sizes of order of few thousands bytes which represents a very attractive feature compared to Hamming metric-based encryption schemes where public key sizes are of order of hundreds of thousands bytes even with additional structures like the cyclicity. The main tool for building public key encryption schemes in rank metric is the McEliece encryption setting used with the family of Gabidulin codes. Since the original scheme proposed in 1991 by Gabidulin, Paramonov and Tretjakov, many systems have been proposed based on different masking techniques for Gabidulin codes. Nevertheless, over the years most of these systems were attacked essentially by the use of an attack proposed by Overbeck.In 2005 Faure and Loidreau designed a rank-metric encryption scheme which was not in the McEliece setting. The scheme is very efficient, with small public keys of size a few kiloBytes and with security closely related to the linearized polynomial reconstruction problem which corresponds to the decoding problem of Gabidulin codes. The structure of the scheme differs considerably from the classical McEliece setting and until our work, the scheme had never been attacked. We show in this article that for a range of parameters, this scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck's attack on an appropriate public code. As an example we break in a few seconds parameters with 80-bit security claim. Our work also shows that some parameters are not affected by our attack but at the cost of a lost of efficiency for the underlying schemes.Post-quantum cryptography; Gabidulin code; Polynomial reconstruction; Faure-Loidreau scheme.

show abstract

“…For all the proposed parameters it holds the condition k < (r+1)(k+1)−(n+1) r , so the algebraic attack of [21] must be taken into consideration while evaluating the security. 6 Key and signature size comparison…”

Section: Parameters Choicementioning

confidence: 99%

Improved Veron Identification and Signature Schemes in the Rank Metric

Bellini

Caullery

Gaborit

et al. 2019

2019 IEEE International Symposium on Information Theory (ISIT)

Self Cite

View full text Add to dashboard Cite

It is notably challenging to design an efficient and secure signature scheme based on error-correcting codes. An approach to build such signature schemes is to derive it from an identification protocol through the Fiat-Shamir transform. All such protocols based on codes must be run several rounds, since each run of the protocol allows a cheating probability of either 2/3 or 1/2. The resulting signature size is proportional to the number of rounds, thus making the 1/2 cheating probability version more attractive. We present a signature scheme based on double circulant codes in the rank metric, derived from an identification protocol with cheating probability of 2/3. We reduced this probability to 1/2 to obtain the smallest signature among signature schemes based on the Fiat-Shamir paradigm, around 22 KBytes for 128 bit security level. Furthermore, among all code-based signature schemes, our proposal has the lowest value of signature plus public key size, and the smallest secret and public key sizes. We provide a security proof in the Random Oracle Model, implementation performances, and a comparison with the parameters of the most important code-based signature schemes.

show abstract

On the Complexity of the Rank Syndrome Decoding Problem

Cited by 98 publications

References 34 publications

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Randomized Decoding of Gabidulin Codes Beyond the Unique Decoding Radius

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Improved Veron Identification and Signature Schemes in the Rank Metric

Contact Info

Product

Resources

About