Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Gaborit, Philippe; Otmani, Ayoub; Kalachi, Hervé Talé

doi:10.1007/s10623-017-0402-0

Cited by 27 publications

(44 citation statements)

References 24 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this case, an interleaved decoder, see (2), and therefore also the attack by Gaborit et al [9] fails, see Theorem 3. One possible choice is to set z 1 = z 2 = · · · = z u with rank q (z 1 ) = rank q (z) = w. In this case ϕ = rank q m (M n−k−w,q (z 1 )) = n−k −w < w. This is true since w > n−k 2 , i.e., M n−k−w,q (z 1 ) has more linearly independent elements in the first row than rows.…”

Section: H Overbeck-like Attackmentioning

confidence: 99%

Repairing the Faure-Loidreau Public-Key Cryptosystem

Wachter-Zeh

Puchinger

Renner

2018

2018 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

A repair of the Faure-Loidreau (FL) public-key code-based cryptosystem is proposed. The FL cryptosystem is based on the hardness of list decoding Gabidulin codes which are special rank-metric codes. We prove that the recent structural attack on the system by Gaborit et al. is equivalent to decoding an interleaved Gabidulin code. Since all known polynomial-time decoders for these codes fail for a large constructive class of error patterns, we are able to construct public keys that resist the attack. It is also shown that all other known attacks fail for our repair and parameter choices. Compared to other codebased cryptosystems, we obtain significantly smaller key sizes for the same security level.Public-key cryptography is the foundation for establishing secure communication between multiple parties. Traditional public-key algorithms such as RSA are based on the hardness of factoring large numbers or the discrete logarithm problem, but can be attacked in polynomial time once a capable quantum computer exists. Code-based public-key cryptosystems are considered to be post-quantum secure, but compared to RSA their main drawback are significantly larger key sizes.The Faure-Loidreau (FL) code-based cryptosystem [1], [2] is based on the problem of reconstructing linearized polynomials and can be seen as linearized equivalent of the (broken) Augot-Finiasz cryptosystem [3]. While the Augot-Finiasz cryptosystem is closely connected to (list) decoding Reed-Solomon codes, the FL cryptosystem is connected to (list) decoding Gabidulin codes, a special class of rank-metric codes [4].In contrast to McEliece or Niederreiter-type cryptosystems, where the public key is a matrix, in the FL system, the key is only a vector, resulting in a much smaller key. At the time when the FL cryptosystem was designed, it was only conjectured that Gabidulin codes cannot be list decoded efficiently. As this was proven recently for many families of Gabidulin codes [5], [6], the FL system is a very promising post-quantum secure public-key cryptosystem.However, there are attacks on the FL cryptosystem: syndrome decoding [7], an Overbeck-like attack [8] which can be avoided by choosing the parameters in a certain way (cf. [2]) and, more severe, the recent attack by Gaborit et al.[9] which leaves no secure set of parameters of the system.In this paper, we propose a repair of the FL cryptosystem and prove that the attack from [9] cannot succeed anymore. Our fundamental observation is that the attack by Gaborit et al.[9] on the public key is equivalent to decoding the public key as an interleaved Gabidulin code to obtain the private key.

show abstract

Section: H Overbeck-like Attackmentioning

confidence: 99%

Repairing the Faure-Loidreau Public-Key Cryptosystem

Wachter-Zeh

Puchinger

Renner

2018

2018 IEEE International Symposium on Information Theory (ISIT)

View full text Add to dashboard Cite

show abstract

“…Another important distance function of coding theory is the rank metric, which measures the rank of the difference between a pair of matrices with entries from a finite field F q . Rank metric codes have seen a recent resurgence of interest both for their potential use in code based cryptography and as error-correcting codes in network communications [19,26,27,36,39,40]. They are also intriguing as mathematical objects in their own right, and several researchers have sought to describe their structural properties [1,4,7,12,13,14,20,21,25,32,35].…”

Section: Introductionmentioning

confidence: 99%

Partition-balanced families of codes and asymptotic enumeration in coding theory

Byrne

Ravagnani

2020

Journal of Combinatorial Theory, Series A

View full text Add to dashboard Cite

We introduce the class of partition-balanced families of codes, and show how to exploit their combinatorial invariants to obtain upper and lower bounds on the number of codes that have a prescribed property. In particular, we derive precise asymptotic estimates on the density functions of several classes of codes that are extremal with respect to minimum distance, covering radius, and maximality. The techniques developed in this paper apply to various distance functions, including the Hamming and the rank metric distances. Applications of our results show that, unlike the Fqm -linear MRD codes, the Fq-linear MRD codes are not dense in the family of codes of the same dimension. More precisely, we show that the density of Fq-linear MRD codes in F n×m q in the set of all matrix codes of the same dimension is asymptotically at most 1/2, both as q → +∞ and as m → +∞. We also prove that MDS and Fqm -linear MRD codes are dense in the family of maximal codes. Although there does not exist a direct analogue of the redundancy bound for the covering radius of Fq-linear rank metric codes, we show that a similar bound is satisfied by a uniformly random matrix code with high probability. In particular, we prove that codes meeting this bound are dense. Finally, we compute the average weight distribution of linear codes in the rank metric, and other parameters that generalize the total weight of a linear code.2010 Mathematics Subject Classification. 05A16, 11T71.

show abstract

“…To defend against these attacks several variants of GPT cryptosystems are proposed as well [12][13][14][15]. There were some recent attacks on the GPT cryptosystem published in [16][17][18] but to withstand these attack recently another construction of GPT cryptosystem is proposed by Loidreau P. [19]. Although GPT cryptosystem is continuously under threats over the years.…”

Section: Introductionmentioning

confidence: 99%

Geo Security using GPT Cryptosystem

Khan¹,

Khalid²,

Ali³

et al. 2020

IJACSA

View full text Add to dashboard Cite

This paper describes an implementation of location-based encryption using a public key cryptosystem based on the rank error correcting codes. In any code based cryptosystem, public and private keys are in the form of matrices based over the finite field. This work proposes an algorithm for calculating public and private key matrices based on the geographic location of the intended receiver. The main idea is to calculate a location specific parity check matrix and then corresponding public key. Data is encrypted using public key. Some information about the parity check matrix along with other private keys are sent to receiver as cipher-text, encrypted with another instance of the public or GPT cryptosystem using public key of the receiver. The proposed scheme also introduces a method of calculating different parity check matrix for each user.

show abstract

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

Cited by 27 publications

References 24 publications

Repairing the Faure-Loidreau Public-Key Cryptosystem

Repairing the Faure-Loidreau Public-Key Cryptosystem

Partition-balanced families of codes and asymptotic enumeration in coding theory

Geo Security using GPT Cryptosystem

Contact Info

Product

Resources

About