Improved cryptanalysis of rank metric schemes based on Gabidulin codes

Abstract

We prove that any variant of the GPT cryptosystem which uses a right column scrambler over the extension field as advocated by the works of Gabidulin et al. with the goal to resist to Overbeck’s structural attack are actually still vulnerable to that attack. We show that by applying the Frobenius operator appropriately on the public key, it is possible to build a Gabidulin code having the same dimension as the original secret Gabidulin code but with a lower length. In particular, the code obtained by this way corrects less errors than the secret one but its error correction capabilities are beyond the number of errors added by a sender. Consequently, an attacker is able to decrypt any ciphertext with this degraded Gabidulin code. We also considered the case where an isometric transformation is applied in conjunction with a right column scrambler which has its entries in the extension field. We proved that this protection is useless both in terms of performance and security. Consequently, our results show that all the existing techniques aiming to hide the inherent algebraic structure of Gabidulin codes have failed.

Appendix A: Overbeck’s attack

Let assume that \(\varvec{G}_\mathrm{pub}=\varvec{S}\left( \varvec{X}\mid \varvec{G}\right) \varvec{P}\) is the public generator matrix that generates \(\mathscr {C}_\mathrm{pub}\) with \(\varvec{P}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q}), \varvec{X}\in \mathscr {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{G}\) generating a Gabidulin code \(\mathscr {G}_{k}\left( \varvec{g}\right) \) where \(\left| \varvec{g} \right| = n\). Observe that \(\varLambda _{i}(\varvec{G}_\mathrm{pub})\) can be written as

$$\begin{aligned} \varLambda _{i}\left( \varvec{G}_\mathrm{pub}\right)= & {} \varvec{S}_\mathrm{ext} \Big ( \begin{array}{l} \varLambda _{i}\left( \varvec{X}\right) \mid \varLambda _{i}\left( \varvec{G}\right) \end{array} \Big ) \varvec{P}~~\text { where } ~ \varvec{S}_\mathrm{ext}{\mathop {=}\limits ^{\text {def}}}\begin{pmatrix} \varvec{S}^{[0]} &{} &{} \varvec{0}\\ &{} \ddots {} &{} \\ \varvec{0}&{} &{} \varvec{S}^{[i]} \end{pmatrix}. \end{aligned}$$

(26)

Since \(\varLambda _{i}\left( \varvec{G}\right) \) generates \(\mathscr {G}_{k+i}\left( \varvec{g}\right) = \mathscr {G}_{n-1}\left( \varvec{g}\right) \), there exists \(\varvec{S}^\prime \in { \textsf {GL}}_{k(i+1)}(\mathbb {F}_{q^m})\) such that

$$\begin{aligned} \varvec{S}^\prime \varLambda _{i}\left( \varvec{G}_\mathrm{pub}\right) = \left( \begin{array}{ll} \varvec{X}^* &{} \varvec{G}_{n-1} \\ \varvec{X}^{**} &{} \varvec{0}\end{array} \right) \varvec{P}\end{aligned}$$

(27)

where \(\varvec{X}^* \in \mathscr {M}_{(n-1),\ell }\left( \mathbb {F}_{q^m}\right) , \varvec{X}^{**} \in \mathscr {M}_{(k(i+1)-n+1),\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{G}_{n-1} \in \mathscr {M}_{(n-1),n}\left( \mathbb {F}_{q^m}\right) \) generates \(\mathscr {G}_{n-1}\left( \varvec{g}\right) \). Using (27), one can deduce that by taking \( i = n - k - 1\)

$$\begin{aligned} \dim {\varLambda _{n - k - 1}(\mathscr {C}_\mathrm{pub})} = n-1+ { \texttt {rank}}(\varvec{X}^{**}). \end{aligned}$$

In the particular case where \({ \texttt {rank}}(\varvec{X}^{**})= \ell ,\) \(\dim {\varLambda _{i}(\mathscr {C}_\mathrm{pub})}=n+\ell -1\) and thus \(\dim {\varLambda _{i}(\mathscr {C}_\mathrm{pub})^\perp } = 1\). Furthermore, if \(\varvec{h}\) is a non-zero vector from \({\mathscr {G}_{n-1}\left( \varvec{g}\right) }^\bot \) and if we set \(\varvec{h}^*=\left( \varvec{0}\mid \varvec{h}\right) \left( \varvec{P}^{-1} \right) ^T\) then under the assumption that \({ \texttt {rank}}(\varvec{X}^{**})= \ell \) we have

$$\begin{aligned} \varLambda _{n - k - 1}(\mathscr {C}_\mathrm{pub})^{\perp }= \mathbb {F}_{q^m}\varvec{h}^*. \end{aligned}$$

(28)

Proposition 10

Let \(\varvec{v}\in \varLambda _{n-k-1}(\mathscr {C}_\mathrm{pub})^{\perp }\) with \(\varvec{v}\ne \varvec{0}\). Any matrix \(\varvec{T}\in { \textsf {GL}}_{n+ \ell }(\mathbb {F}_{q})\) that satisfies \(\varvec{v}\varvec{T}=\left( \varvec{0}\mid \varvec{h}^{\prime }\right) \) with \(\varvec{h}^\prime \in \mathbb {F}_{q^m}^n \) is an alternative column scrambler matrix, that is to say, there exist \(\varvec{Z}\) in \(\mathscr {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{G}^*\) that generates a Gabidulin code \(\mathscr {G}_{k}\left( \varvec{g}^*\right) \) such that

$$\begin{aligned} \varvec{G}_\mathrm{pub}=\varvec{S}\left( \varvec{Z}\mid \varvec{G}^* \right) \varvec{T}. \end{aligned}$$

Proof

From (28) there exists \(\alpha \in \mathbb {F}_{q^m}\) such that \(\varvec{v}= \alpha \varvec{h}^* = (\varvec{0}\mid \alpha \varvec{h})\left( \varvec{P}^{-1} \right) ^T\) where \(\varvec{h}\) is a non zero vector of \({\mathscr {G}_{n-1}\left( \varvec{g}\right) }^\bot \). Let \(\varvec{T}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\) such that \(\varvec{v}\varvec{T}^{T}=(\varvec{0}\mid \varvec{h}^{\prime })\) and consider the matrices \(\varvec{A}\in \mathscr {M}_{\ell ,\ell }\left( \mathbb {F}_{q}\right) \) and \(\varvec{D}\in \mathscr {M}_{n,n}\left( \mathbb {F}_{q}\right) \) so that

$$\begin{aligned} \varvec{T}\varvec{P}^{-1} = \left( \begin{array}{ll} \varvec{A}&{} \varvec{B}\\ \varvec{C}&{} \varvec{D}\end{array} \right) . \end{aligned}$$

We have the following equalities

$$\begin{aligned} {\tilde{\varvec{h}}} \varvec{T}^T = \left( \varvec{0}\mid \alpha \varvec{h}\right) \left( \varvec{P}^{-1}\right) ^T \varvec{T}^T =\left( \varvec{0}\mid \alpha \varvec{h}\right) \left( \varvec{T}\varvec{P}^{-1}\right) ^T = (\varvec{0}\mid \varvec{h}^{\prime }) \end{aligned}$$

(29)

It comes out from (29) that \(\varvec{h}\varvec{B}^T=\varvec{0}\) and hence \(\varvec{B}= \varvec{0}\) since \(\left| \varvec{h} \right| = n\). So we can write \(\varvec{T}\varvec{P}^{-1} = \left( \begin{array}{ll} \varvec{A}&{} \varvec{0}\\ \varvec{C}&{} \varvec{D}\end{array} \right) \) and using Lemma 2, \(\varvec{P}\varvec{T}^{-1} = \left( \begin{array}{ll} \varvec{A}^\prime &{} \varvec{0}\\ \varvec{C}^\prime &{} \varvec{D}^\prime \end{array} \right) \). Consequently,

$$\begin{aligned} \varvec{G}_{pub}\varvec{T}^{-1}=\varvec{S}\left( \varvec{X}\mid \varvec{G}\right) \left( \begin{array}{ll} \varvec{A}^\prime &{} \varvec{0}\\ \varvec{C}^\prime &{} \varvec{D}^\prime \end{array} \right) =\varvec{S}\left( \varvec{Z}\mid \varvec{G}^* \right) \end{aligned}$$

where \(\varvec{G}^* = \varvec{G}\varvec{D}^\prime \) is a generator matrix of a \(\left( n,k \right) -\)Gabidulin code. So \(\varvec{T}\) is an alternative column scrambler matrix for the system. \(\square \)