Abstract
We prove that any variant of the GPT cryptosystem which uses a right column scrambler over the extension field, as advocated in the works of Gabidulin et al. with the goal of resisting Overbeck’s structural attack, is actually still vulnerable to that attack. We show that by applying the Frobenius operator appropriately to the public key, it is possible to build a Gabidulin code having the same dimension as the original secret Gabidulin code but a smaller length. In particular, the code obtained in this way corrects fewer errors than the secret one, but its error-correcting capability still exceeds the number of errors added by a sender. Consequently, an attacker is able to decrypt any ciphertext with this degraded Gabidulin code. We also consider the case where an isometric transformation is applied in conjunction with a right column scrambler whose entries lie in the extension field. We prove that this protection is useless both in terms of performance and security. Consequently, our results show that all the existing techniques aiming to hide the inherent algebraic structure of Gabidulin codes have failed.
Notes
This rank is, of course, independent of the choice of the basis of \(\mathbb {F}_{q^m}\), since the rank of a matrix is invariant under multiplication by an invertible matrix.
References
Shor P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Goldwasser S. (ed.) 35th Annual Symposium on Foundations of Computer Science (FOCS), pp. 124–134. IEEE (1994).
Shor P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).
McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42–44, pp. 114–116. Jet Propulsion Laboratory (1978).
Gabidulin E.M., Paramonov A.V., Tretjakov O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology—EUROCRYPT ’91. Lecture Notes in Computer Science, vol. 547, pp. 482–489. Brighton (1991).
Gibson K.: Severely denting the Gabidulin version of the McEliece public key cryptosystem. Des. Codes Cryptogr. 6(1), 37–45 (1995).
Gibson K.: The security of the Gabidulin public key cryptosystem. In: Maurer U. (ed.) Advances in Cryptology—EUROCRYPT ’96. Lecture Notes in Computer Science, vol. 1070, pp. 212–223. Springer, New York (1996).
Gabidulin E.M., Ourivski A.V.: Modified GPT PKC with right scrambler. Electron. Notes Discret. Math. 6, 168–177 (2001).
Gabidulin E.M., Ourivski A.V., Honary B., Ammar B.: Reducible rank codes and their applications to cryptography. IEEE Trans. Inform. Theory 49(12), 3289–3293 (2003).
Overbeck R.: Extending Gibson’s attacks on the GPT cryptosystem. In: Ytrehus Ø. (ed.) WCC 2005. Lecture Notes in Computer Science, vol. 3969, pp. 178–188. Springer, New York (2005).
Overbeck R.: A new structural attack for GPT and variants. In: Mycrypt 2005. Lecture Notes in Computer Science, vol. 3715, pp. 50–63. Springer (2005).
Overbeck R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008).
Loidreau P.: Designing a rank metric based McEliece cryptosystem. In: Sendrier N. (ed.) Post-Quantum Cryptography—PQCrypto 2010. Lecture Notes in Computer Science, vol. 6061, pp. 142–152. Springer, New York (2010).
Rashwan H., Gabidulin E., Honary B.: A smart approach for GPT cryptosystem based on rank codes. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 2463–2467 (2010).
Gabidulin E.M.: Attacks and counter-attacks on the GPT public key cryptosystem. Des. Codes Cryptogr. 48(2), 171–177 (2008).
Gabidulin E., Rashwan H., Honary B.: On improving security of GPT cryptosystems. In: Proceedings of the IEEE International Symposium on Information Theory—ISIT, pp. 1110–1114 (2009).
Rashwan H., Gabidulin E., Honary B.: Security of the GPT cryptosystem and its applications to cryptography. Secur. Commun. Netw. 4(8), 937–946 (2011).
Gaborit P., Ruatta O., Schrek J.: On the complexity of the rank syndrome decoding problem. IEEE Trans. Inform. Theory 62(2), 1006–1019 (2016).
Horlemann-Trautmann A.-L., Marshall K., Rosenthal J.: Considerations for rank-based cryptosystems. In: IEEE International Symposium on Information Theory (ISIT), pp. 2544–2548 (2016).
Horlemann-Trautmann A.-L., Marshall K., Rosenthal J.: Extension of Overbeck’s attack for Gabidulin-based cryptosystems. Des. Codes Cryptogr. (2017).
Communicated by L. Storme.
Appendix A: Overbeck’s attack
Assume that \(\varvec{G}_\mathrm{pub}=\varvec{S}\left( \varvec{X}\mid \varvec{G}\right) \varvec{P}\) is the public generator matrix that generates \(\mathscr {C}_\mathrm{pub}\), with \(\varvec{P}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\), \(\varvec{X}\in \mathscr {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{G}\) generating a Gabidulin code \(\mathscr {G}_{k}\left( \varvec{g}\right) \) where \(\left| \varvec{g} \right| = n\). Since \(\varvec{P}\) has its entries in \(\mathbb {F}_{q}\), it is fixed by the Frobenius map, so \(\varLambda _{i}(\varvec{G}_\mathrm{pub})\) can be written as
Since the rows of \(\varvec{G}^{[t]}\) are \(\varvec{g}^{[t]},\dots ,\varvec{g}^{[t+k-1]}\), the matrix \(\varLambda _{i}\left( \varvec{G}\right) \) generates \(\mathscr {G}_{k+i}\left( \varvec{g}\right) \), which equals \(\mathscr {G}_{n-1}\left( \varvec{g}\right) \) when \(i = n-k-1\). Hence there exists \(\varvec{S}^\prime \in { \textsf {GL}}_{k(i+1)}(\mathbb {F}_{q^m})\) such that
where \(\varvec{X}^* \in \mathscr {M}_{(n-1),\ell }\left( \mathbb {F}_{q^m}\right) , \varvec{X}^{**} \in \mathscr {M}_{(k(i+1)-n+1),\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{G}_{n-1} \in \mathscr {M}_{(n-1),n}\left( \mathbb {F}_{q^m}\right) \) generates \(\mathscr {G}_{n-1}\left( \varvec{g}\right) \). Using (27), one can deduce that by taking \( i = n - k - 1\)
In the particular case where \({ \texttt {rank}}(\varvec{X}^{**})= \ell \), we get \(\dim {\varLambda _{i}(\mathscr {C}_\mathrm{pub})}=n+\ell -1\) and thus \(\dim {\varLambda _{i}(\mathscr {C}_\mathrm{pub})^\perp } = 1\). Furthermore, if \(\varvec{h}\) is a non-zero vector of \({\mathscr {G}_{n-1}\left( \varvec{g}\right) }^\bot \) and we set \(\varvec{h}^*=\left( \varvec{0}\mid \varvec{h}\right) \left( \varvec{P}^{-1} \right) ^T\), then under the same assumption \({ \texttt {rank}}(\varvec{X}^{**})= \ell \) we have
Proposition 10
Let \(\varvec{v}\in \varLambda _{n-k-1}(\mathscr {C}_\mathrm{pub})^{\perp }\) with \(\varvec{v}\ne \varvec{0}\). Any matrix \(\varvec{T}\in { \textsf {GL}}_{n+ \ell }(\mathbb {F}_{q})\) that satisfies \(\varvec{v}\varvec{T}^{T}=\left( \varvec{0}\mid \varvec{h}^{\prime }\right) \) with \(\varvec{h}^\prime \in \mathbb {F}_{q^m}^n \) is an alternative column scrambler matrix, that is to say, there exist \(\varvec{Z}\) in \(\mathscr {M}_{k,\ell }\left( \mathbb {F}_{q^m}\right) \) and \(\varvec{G}^*\) generating a Gabidulin code \(\mathscr {G}_{k}\left( \varvec{g}^*\right) \) such that
Proof
From (28) there exists \(\alpha \in \mathbb {F}_{q^m}\) such that \(\varvec{v}= \alpha \varvec{h}^* = (\varvec{0}\mid \alpha \varvec{h})\left( \varvec{P}^{-1} \right) ^T\), where \(\varvec{h}\) is a non-zero vector of \({\mathscr {G}_{n-1}\left( \varvec{g}\right) }^\bot \). Let \(\varvec{T}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\) be such that \(\varvec{v}\varvec{T}^{T}=(\varvec{0}\mid \varvec{h}^{\prime })\), and write \(\varvec{T}\varvec{P}^{-1}\) in block form with \(\varvec{A}\in \mathscr {M}_{\ell ,\ell }\left( \mathbb {F}_{q}\right) \), \(\varvec{B}\in \mathscr {M}_{\ell ,n}\left( \mathbb {F}_{q}\right) \), \(\varvec{C}\in \mathscr {M}_{n,\ell }\left( \mathbb {F}_{q}\right) \) and \(\varvec{D}\in \mathscr {M}_{n,n}\left( \mathbb {F}_{q}\right) \) so that
We have the following equalities
It follows from (29) that \(\varvec{h}\varvec{B}^T=\varvec{0}\), and hence \(\varvec{B}= \varvec{0}\): each column of \(\varvec{B}^T\) is a vector over \(\mathbb {F}_{q}\) annihilated by \(\varvec{h}\), and the entries of \(\varvec{h}\) are \(\mathbb {F}_{q}\)-linearly independent since \(\left| \varvec{h} \right| = n\). So we can write \(\varvec{T}\varvec{P}^{-1} = \left( \begin{array}{ll} \varvec{A}&{} \varvec{0}\\ \varvec{C}&{} \varvec{D}\end{array} \right) \) and, using Lemma 2, \(\varvec{P}\varvec{T}^{-1} = \left( \begin{array}{ll} \varvec{A}^\prime &{} \varvec{0}\\ \varvec{C}^\prime &{} \varvec{D}^\prime \end{array} \right) \). Consequently,
where \(\varvec{G}^* = \varvec{G}\varvec{D}^\prime \) is a generator matrix of a \(\left( n,k \right) -\)Gabidulin code. So \(\varvec{T}\) is an alternative column scrambler matrix for the system. \(\square \)
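The following script is an added example and is not code from the paper. It carries the computation of this appendix through on a toy instance with assumed parameters that the paper does not fix: \(q=2\), \(m=8\) (the field GF(2^8) with modulus \(x^8+x^4+x^3+x+1\)), \(n=8\), \(k=3\) and \(\ell =1\), with a hand-picked secret \(\varvec{S}\), a secret column \(\varvec{X}\) chosen so that \({ \texttt {rank}}(\varvec{X}^{**})=\ell \), and a seeded random \(\varvec{P}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{2})\). It builds \(\varLambda _{n-k-1}\) of the secret generator and of \(\varvec{G}_\mathrm{pub}\) with a small GF(2^8) linear-algebra kernel, checks that the secret code collapses to dimension \(n-1\) and the public code to \(n+\ell -1\), extracts the one-dimensional dual of \(\varLambda _{n-k-1}(\mathscr {C}_\mathrm{pub})\) from the public key alone, and verifies (28): the dual vector times \(\varvec{P}^T\) has a zero \(\ell \)-prefix and its tail lies in \({\mathscr {G}_{n-1}\left( \varvec{g}\right) }^\bot \). The secret \(\varvec{P}\) is used only for that final verification, never by the attack steps.

```python
"""Overbeck-style structural attack on a toy GPT public key (added example, not the paper's code).
Assumed toy parameters: q = 2, m = 8 with GF(2^8) = F_2[x]/(x^8+x^4+x^3+x+1), n = 8, k = 3,
ell = 1; the secret S, X and column scrambler P below are constructed for illustration."""
import random

MODULUS, Q_ORDER = 0x11B, 256              # GF(2^8); elements are ints 0..255 (polynomial basis)

def gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (MODULUS if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    r = 1                                      # a^254 = a^2 * a^4 * ... * a^128 = a^-1 for a != 0
    for _ in range(7):
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def frob(a, t=1):                              # Frobenius a -> a^(q^t), q = 2; F_2 is fixed pointwise
    for _ in range(t):
        a = gf_mul(a, a)
    return a

def dot(u, v):
    acc = 0
    for a, b in zip(u, v):
        acc ^= gf_mul(a, b)
    return acc

def mat_mul(A, B):
    return [[dot(row, col) for col in zip(*B)] for row in A]

def rref(rows):
    """Reduced row echelon form over GF(2^8): returns (nonzero rows, pivot columns)."""
    rows, pivots, lead = [r[:] for r in rows], [], 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(lead, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[lead], rows[piv] = rows[piv], rows[lead]
        inv = gf_inv(rows[lead][col])
        rows[lead] = [gf_mul(inv, x) for x in rows[lead]]
        for i, r in enumerate(rows):
            if i != lead and r[col]:
                rows[i] = [x ^ gf_mul(r[col], y) for x, y in zip(r, rows[lead])]
        pivots.append(col)
        lead += 1
        if lead == len(rows):
            break
    return rows[:lead], pivots

def rank(rows):
    return len(rref(rows)[0])

def nullspace(rows):
    """Basis of the dual code {v : M v^T = 0} of the row space of M."""
    red, pivots = rref(rows)
    basis = []
    for f in [c for c in range(len(rows[0])) if c not in pivots]:
        v = [0] * len(rows[0])
        v[f] = 1
        for r, p in zip(red, pivots):
            v[p] = r[f]                        # -r[f] == r[f] in characteristic 2
        basis.append(v)
    return basis

def lam(G, i):
    """Overbeck's operator Lambda_i(G): the rows of G, G^[1], ..., G^[i] stacked."""
    return [[frob(x, t) for x in row] for t in range(i + 1) for row in G]

def run_demo(seed=2018):
    n, k, ell = 8, 3, 1
    g = [1 << j for j in range(n)]             # 1, a, ..., a^7: an F_2-basis of GF(2^8)
    G = lam([g], k - 1)                        # generator of G_k(g): rows g^[0], ..., g^[k-1]
    x_col = [1, 2, 7]                          # secret X (k x ell); x0^2 != x1 forces rank(X**) = ell
    S = [[1, 2, 0], [0, 1, 3], [5, 0, 1]]      # secret row scrambler, invertible over GF(2^8)
    rng = random.Random(seed)
    while True:                                # secret column scrambler P in GL_{n+ell}(F_2)
        P = [[rng.randint(0, 1) for _ in range(n + ell)] for _ in range(n + ell)]
        if rank(P) == n + ell:
            break
    G_pub = mat_mul(mat_mul(S, [[x] + row for x, row in zip(x_col, G)]), P)
    i = n - k - 1                              # Lambda_i(G) generates G_{k+i}(g) = G_{n-1}(g)
    L_pub = lam(G_pub, i)                      # the attacker computes this from G_pub alone
    dual = nullspace(L_pub)                    # Lambda_i(C_pub)^perp; 1-dimensional when rank(X**) = ell
    w = mat_mul([dual[0]], [list(c) for c in zip(*P)])[0]   # v P^T = alpha (0 | h), eq. (28)
    return {
        "secret_rank": rank(lam(G, i)),        # n - 1: the structural leak
        "public_rank": rank(L_pub),            # n + ell - 1
        "dual_dim": len(dual),
        "prefix_is_zero": all(c == 0 for c in w[:ell]),
        "h_orthogonal_to_G_n_minus_1": all(
            dot(w[ell:], [frob(x, s) for x in g]) == 0 for s in range(n - 1)),
    }
```

Everything up to `dual` is computable from the public key only; the attack would continue by choosing any \(\varvec{T}\in { \textsf {GL}}_{n+\ell }(\mathbb {F}_{q})\) with \(\varvec{v}\varvec{T}^{T}=(\varvec{0}\mid \varvec{h}^\prime )\) as in Proposition 10 and decoding with the Gabidulin code that \(\varvec{T}\) exposes. For a code without the Gabidulin structure the same operator \(\varLambda _{n-k-1}\) generically fills the whole space, which is what makes the rank drop to \(n-1\) a distinguisher.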
Otmani, A., Kalachi, H.T. & Ndjeya, S. Improved cryptanalysis of rank metric schemes based on Gabidulin codes. Des. Codes Cryptogr. 86, 1983–1996 (2018). https://doi.org/10.1007/s10623-017-0434-5