Introduction
To instantiate the McEliece encryption scheme, one needs a family of codes with random-looking generator matrices and an efficient decoding algorithm. While the original proposal due to McEliece himself [12] relies on classical Goppa codes endowed with the Hamming metric, one can actually consider codes endowed with any other metric. The use of –linear rank metric codes, first suggested by Gabidulin et al. [7], is of particular interest, since the –linearity permits a very “compact” representation of the code and hence makes it possible to design a public key encryption scheme with rather short keys compared to the original McEliece proposal.
Compared to the Hamming metric setting, only a few families of codes with efficient decoding algorithms are known in rank metric. Basically, the McEliece scheme has been instantiated with two general families of rank metric codes, namely Gabidulin codes [5, 6] and LRPC codes [8].
In [11], Loidreau proposed the use of codes which can be regarded as an intermediate between Gabidulin codes and LRPC codes. These codes are obtained by right multiplying a Gabidulin code by an invertible matrix whose entries are in and span an –subspace of small dimension . This approach can be regarded as a “rank metric” counterpart of the BBCRS scheme [1] in the Hamming metric. In the present article, we explain why the case and is weak and describe a key recovery attack in this situation.
Note.
The material of the present article has been communicated to Pierre Loidreau in April 2016. The article [11] is subsequent to this discussion and proposes parameters which avoid the attack described in the present article.
1 Prerequisites
1.1 Rank metric codes
In this article, denote positive integers and a prime power. A code of dimension is an –subspace of whose dimension as an –vector space is . Given a vector , the rank weight or rank of , denoted , is the dimension of the –vector subspace of spanned by the entries of . The support of a vector , denoted , is the –vector space spanned by the entries of . Hence the rank of is simply the dimension of its support. The rank distance or distance of two vectors is defined as
Given a code , the minimum distance of is defined as
Remark 1
Note that rank metric codes can be defined in a more general setting, as subspaces of a space of matrices or of a space of morphisms between two vector spaces. A code can be regarded as a space of matrices by choosing an –basis of and associating to each vector the matrix whose –th column is the decomposition of the entry in this basis. A major difference between general spaces of matrices and the codes we introduced is that our vector spaces carry an –linear structure. We chose to limit our presentation to codes of the form since only these codes are the object of study in the present article.
1.2 –polynomials and Gabidulin codes
A –polynomial or linearized polynomial is an –linear combination of monomials . Such a polynomial induces a function which is –linear. The –degree of a –polynomial , denoted by , is the integer such that the degree of is . In short:
The following very classical result is crucial in what follows.
Proposition 1
Let be a –polynomial. Then, the set of roots of in is an –vector space of dimension less than or equal to .
The space of –polynomials is denoted by and, given a positive integer , the space of –polynomials of degree less than is denoted by
Given positive integers with and an –tuple of –linearly independent elements of , the Gabidulin code is defined as
This code has a generator matrix of the form:
Such codes are known to have minimum distance and to benefit from a decoding algorithm correcting up to half the minimum distance (see [9]).
The –tuple is referred to as the support of the code. Note that the support is not unique as shown by the following lemma which will be useful for our attack.
Lemma 1
Let . Then
Proof
Let be a –polynomial of –degree and be the –polynomial of the same degree defined by . Then the codeword is equal to the codeword . This proves that and the converse inclusion is proved in a similar fashion.∎
1.3 The componentwise Frobenius map
In what follows, we will frequently apply the componentwise Frobenius map or its iterates to vectors or codes. Hence, we introduce the following notation. Given a vector and a nonnegative integer , we denote by the vector:
Similarly, given a code and a positive integer , the code denotes the code
1.4 Overbeck’s distinguisher
In [13], Overbeck proposes a general framework to break cryptosystems based on Gabidulin codes. The core of his attack is that a simple operation makes it possible to distinguish Gabidulin codes from random ones. Indeed, given a random code of dimension , the expected dimension of the code equals and, equivalently, is likely to equal . More generally, we have the following statement.
Proposition 2
If is a code of length and dimension chosen uniformly at random, then for a nonnegative integer and for a positive integer , we have
Proof
See Appendix 0.A.∎
On the other hand, for a Gabidulin code, the behaviour with respect to such operations is completely different as explained in the following statement.
Proposition 3
Let be a word of rank , and be an integer. Then,
Example 1
As an illustration of the difference of behaviour of Gabidulin codes compared to random codes, given a Gabidulin code of length and dimension , then , while for a random code of the same length and dimension, tends to when tends to infinity.
2 Loidreau’s scheme
In order to mask the structure of Gabidulin codes and to resist Overbeck’s attack, Loidreau suggested in [11] the following construction. Denote by a random generator matrix of a Gabidulin code . Fix an integer and an –vector subspace of of dimension . Let be an invertible matrix whose entries all lie in . Then, let
We have the following encryption scheme.
Public key: the pair where .
Secret key: the pair .
Encryption: given a plaintext , choose a uniformly random vector of rank weight . The ciphertext is
Decryption: compute
Since the entries of are all in , the entries of lie in the product space , whose dimension is bounded from above by . Therefore, using a classical decoding algorithm for Gabidulin codes, one can recover .
3 A distinguisher when
3.1 Context
The goal of this section is to establish a distinguisher for Loidreau’s cryptosystem instantiated with and a public code of dimension . Similarly to Overbeck’s attack, this distinguisher relies on Propositions 2 and 3.
Similarly to the attacks on the BBCRS system [3, 4], it is more convenient to work on the dual of the public code, because of the following lemmas. By dual, we mean the orthogonal code with respect to the canonical inner product
Lemma 2 ([10, Page 52])
The code is a Gabidulin code for some of rank .
Lemma 3 ([4, Lemma 1])
Any full-rank generator matrix of can be decomposed as
where is a parity-check matrix of the Gabidulin code .
The convenient aspect of the previous lemma is that the matrix has its entries in a small vector space, whereas its inverse does not.
3.2 The case
We suppose in this section that the vector space in which the matrix has all its entries has dimension :
Note that, w.l.o.g., one can suppose that . Indeed, if is spanned over by , then one can replace by , which spans the same code and has entries in , and .
Thus, from now on, we suppose that for some . Consequently, can be decomposed as
where are square matrices with entries in . For convenience, we suppose from now on that and are both invertible. Note that this holds with high probability. If one of these matrices were not invertible, the attack could probably still be performed after minor adjustments.
We have seen that for some with . We define
Lemma 4
The code is spanned by
Proof
For any , there exists such that
which yields the result. ∎
We can now state a crucial result.
Theorem 3.1
The dual of the public code satisfies:
Proof
Thanks to Lemma 4, we prove that is spanned by
Equivalently, is spanned by:
Finally, a similar argument shows that is spanned by
and hence has dimension at most . ∎
As a conclusion, thanks to Proposition 2, we deduce that is distinguishable in polynomial time from a random code as soon as .
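The two distinguishers discussed so far (Overbeck's on a Gabidulin code, as in Example 1, and the one of this section on the dual of a public code whose matrix P has entries spanning a 2-dimensional subspace over the base field, written lambda = 2 in the comments) can be checked numerically. The following Python script is an added example and not code from the paper: it implements GF(2^15) arithmetic, Gaussian elimination over that field, Gabidulin generator matrices, a key generation with P = P0 + gamma*P1 for random binary P0, P1 and a random gamma lying in no proper subfield (Assumption (2) of Section 4), and then computes the dimensions of C + C^[1] and of the three-term Frobenius sum of the dual public code. The parameters n = 12, k = 8, the modulus x^15 + x + 1 and all helper names (gf_mul, rref, dual, loidreau_keygen, demo, ...) are this example's own choices. For the Gabidulin code the first dimension is exactly k + 1 = 9, against min(n, 2k) = 12 expected for a random code; for the public dual the second is at most 2(n - k) + 2 = 10, a bound worked out here by expanding the rows of H P^T as in the proof of Theorem 3.1 (the theorem's formula is not displayed on this page), against min(n, 3(n - k)) = 12 for a random (n - k)-dimensional code. The random-code values are those Proposition 2 predicts with high probability, not guaranteed ones.

```python
# Added example, not code from the paper: Overbeck-style distinguishers over GF(2^15), q = 2, m = 15.
# Elements: ints < 2**15 (polynomial basis); Frobenius = squaring; codes = generator matrices (row lists).
import random
from functools import reduce
from operator import xor
M = 15
MODULUS = (1 << 15) | 0b11  # x^15 + x + 1, primitive over GF(2)

def gf_mul(a, b):  # product in GF(2^M): shift-and-add, reducing modulo MODULUS
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> M:
            a ^= MODULUS
    return r

def gf_inv(a):  # 1/a = a^(2^M - 2) for a != 0, by square-and-multiply
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def frob(a, s=1):  # s-th iterate of the Frobenius a -> a^q (q = 2: square s times)
    for _ in range(s):
        a = gf_mul(a, a)
    return a

def rref(rows):  # reduced row echelon form over GF(2^M): returns (nonzero rows, pivot columns)
    rows, pivots = [r[:] for r in rows], []
    for c in range(len(rows[0])):
        rk = len(pivots)
        piv = next((i for i in range(rk, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = gf_inv(rows[rk][c])
        rows[rk] = [gf_mul(inv, x) for x in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][c]:
                f = rows[i][c]
                rows[i] = [x ^ gf_mul(f, y) for x, y in zip(rows[i], rows[rk])]
        pivots.append(c)
    return rows[:len(pivots)], pivots

def rank(rows):
    return len(rref(rows)[1])

def dual(rows):  # basis of the orthogonal code for the canonical inner product (right kernel of G)
    red, pivots = rref(rows)
    n, basis = len(rows[0]), []
    for f in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[f] = 1
        for i, p in enumerate(pivots):  # x_p = -R[i][f] = R[i][f] in characteristic 2
            v[p] = red[i][f]
        basis.append(v)
    return basis

def matmul(A, B):
    cols = list(zip(*B))
    return [[reduce(xor, (gf_mul(a, b) for a, b in zip(row, col)), 0) for col in cols] for row in A]

def gabidulin(g, k):  # generator matrix of Gab_k(g): row i is g^{[i]} (Section 1.2)
    return [[frob(x, i) for x in g] for i in range(k)]

def sum_frob_dim(rows, s):  # dim(C + C^{[1]} + ... + C^{[s]}), the quantity of Propositions 2 and 3
    return rank([[frob(x, j) for x in r] for j in range(s + 1) for r in rows])

def loidreau_keygen(n, k, rng):  # G_pub = G * P^{-1}, P = P0 + gamma*P1, P0 and P1 over F_2 (lambda = 2)
    G = gabidulin([1 << i for i in range(n)], k)  # support 1, x, ..., x^{n-1} is F_2-independent
    while True:  # Assumption (2): gamma in no proper subfield, i.e. not in GF(2), GF(2^3) or GF(2^5)
        gamma = rng.randrange(2, 1 << M)
        if all(frob(gamma, d) != gamma for d in (1, 3, 5)):
            break
    while True:  # draw P0, P1 until P is invertible; the right half of rref([P | I]) is then P^{-1}
        P0, P1 = ([[rng.randrange(2) for _ in range(n)] for _ in range(n)] for _ in range(2))
        P = [[P0[i][j] ^ (gamma if P1[i][j] else 0) for j in range(n)] for i in range(n)]
        aug, piv = rref([P[i] + [int(i == j) for j in range(n)] for i in range(n)])
        if len(piv) == n:
            return matmul(G, [r[n:] for r in aug]), (G, P, gamma)

def demo(n=12, k=8, seed=2016):  # Frobenius-sum dimensions: Gabidulin, lambda = 2 public dual, random
    rng = random.Random(seed)
    rand = lambda dim: [[rng.randrange(1 << M) for _ in range(n)] for _ in range(dim)]
    G = gabidulin([1 << i for i in range(n)], k)
    G_pub, _ = loidreau_keygen(n, k, rng)
    H_pub = dual(G_pub)
    orthogonal = all(x == 0 for row in matmul(G_pub, [list(c) for c in zip(*H_pub)]) for x in row)
    return {
        "rank_pub": rank(G_pub), "dual_dim": len(H_pub), "orthogonal": orthogonal,
        "gab_s1": sum_frob_dim(G, 1),  # Example 1: exactly k + 1
        "rand_s1": sum_frob_dim(rand(k), 1),  # Proposition 2: min(n, 2k) with high probability
        "pubdual_s2": sum_frob_dim(H_pub, 2),  # lambda = 2 dual: at most 2(n - k) + 2
        "randdual_s2": sum_frob_dim(rand(n - k), 2),  # Proposition 2: min(n, 3(n - k)) w.h.p.
    }
```

Calling `demo()` returns the dimensions as a dictionary. The structured values (9 for the Gabidulin sum, at most 10 for the public dual, whose generator is in turn checked to be orthogonal to the public matrix) are exact consequences of the algebra, whereas the two random-code entries are the values Proposition 2 predicts with high probability and can, for an unlucky draw, fall below 12. The gap between 10 and 12 is what makes the public key distinguishable from a random code here; the same computation run with a public code of rate below one half shows no such gap.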
4 The attack
In this section, we derive an attack from the distinguisher defined in Section 3. In what follows, we suppose that and the public code has rate larger than so that the distinguisher introduced in Section 3 works on it. Recall that for some whose entries are –independent and is of the form for and . Finally recall that
In addition, we make the following assumptions:
(1) ;
(2) and is not contained in any subfield of ;
(3) .
Assumption (1) has already been discussed in § 3.2. Assumption (2) is reasonable in order to prevent possible attacks based on an exhaustive search for . Finally, Assumption (3) is what typically happens according to our experiments using Magma [2].
The aim of the attack is to recover the triple , or more precisely, to recover a triple such that
(1) 
Actually, the triple is far from being unique and any other triple satisfying (1) permits to decrypt messages (see further § 4.3). Let us describe an action of on such triples.
Proposition 4
Let such that and such that . Then, the triple satisfies (1).
Proof
It suffices to observe that for any ,
∎
4.1 Step 1: using the distinguisher to compute some subcodes
As shown in the proof of Theorem 3.1, is spanned by:
where . Then, by iterating intersections
we obtain the code spanned by
Assumption (3) ensures that this intersection has dimension exactly . Applying the inverse of the –th Frobenius, we get the code spanned by
Note that . Hence because of Assumption (2). Next, one can compute
(2) 
and
Similarly, we compute the intersection with and get
(3) 
Applying the inverse Frobenius to the last code, we get . Since, from (2), we also know , one can compute
(4) 
Next, for any one can compute
By applying the –th inverse Frobenius to the previous result, we obtain the space for any . In summary, we know the spaces
In addition, from Lemma 1, the vector is determined up to some multiplicative constant. Therefore, one can choose an arbitrary element of and suppose that this element is .
4.2 Step 2: finding
In summary, the vector and the spaces for any are known. To compute , we will use the following lemma.
Lemma 5
For , , there exists a unique pair such that .
Proof
It suffices to observe that . ∎
The pairs of vectors can be easily computed. Thus, from now on, we suppose we know them. In addition, although , and are unknown, a direct calculation shows that have the following expressions.
(5) 
Consider the vectors and . They are collinear since, from (5), they are both multiples of . Therefore, one can compute the scalar such that . From (5) we deduce that satisfies the following relation.
(6) 
Or equivalently, is a root of the polynomial
One can easily check that divides and we set
The element we look for is a root of , but the forthcoming Proposition 5 actually describes the other roots. We first need a technical lemma.
Lemma 6
Let , let be two nonnegative integers and set . Then,
Proposition 5
The set of roots of equals the orbit of under the action of . Equivalently, any root of is of the form for such that .
Proof
We have already proved that any element in the orbit of under is a root of . To conclude, we need to prove that the orbit of under has cardinality , which means that the stabilizer of with respect to this group action is trivial. Indeed, suppose that
for some . Then is a root of , which has degree at most . This contradicts Assumption (2).∎
Thanks to Propositions 4 and 5, we deduce that choosing an arbitrary root of provides a candidate for , and it remains to compute , which yields our triple. Since for some , then,
where
Considering (5) and using Lemma 6, we get
Consequently, we know and the vectors and . Thus, we can also compute
Knowing , and permits to recover .
4.3 End of the attack
Given the pair , compute the unique matrix such that . Then,
and this representation of the dual provides all the elements necessary to decode, that is to decrypt any ciphertext.
Conclusion
We provided a distinguisher à la Overbeck for the public keys of Loidreau’s scheme when and the public code has rate . From this distinguisher, we are able to derive a polynomial time key recovery attack. This attack can probably be extended to other values of when the public code rate satisfies . Therefore, such parameters should be avoided in Loidreau’s scheme.
5 Acknowledgements
The second author was funded by the French ANR projects ANR-15-CE39-0013 Manta and ANR-17-CE39-0007 CBCrypt.
References
[1] Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptology 29(1), 1–27 (2016). https://doi.org/10.1007/s00145-014-9187-8
[2] Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: The user language. J. Symbolic Comput. 24(3/4), 235–265 (1997)
[3] Couvreur, A., Gaborit, P., Gauthier-Umaña, V., Otmani, A., Tillich, J.P.: Distinguisher-based attacks on public-key cryptosystems using Reed-Solomon codes. Des. Codes Cryptogr. 73(2), 641–666 (2014)
[4] Couvreur, A., Otmani, A., Tillich, J.P., Gauthier-Umaña, V.: A polynomial-time attack on the BBCRS scheme. In: Katz, J. (ed.) Public-Key Cryptography - PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer (2015)
[5] Delsarte, P.: Bilinear forms over a finite field, with applications to coding theory. J. Comb. Theory, Ser. A 25(3), 226–241 (1978)
[6] Gabidulin, E.M.: Theory of codes with maximum rank distance. Problemy Peredachi Informatsii 21(1), 3–16 (1985)
[7] Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Ideals over a non-commutative ring and their applications to cryptography. In: Advances in Cryptology - EUROCRYPT’91. LNCS, vol. 547, pp. 482–489. Brighton (Apr 1991)
[8] Gaborit, P., Murat, G., Ruatta, O., Zémor, G.: Low rank parity check codes and their application to cryptography. In: Proceedings of the Workshop on Coding and Cryptography WCC 2013. Bergen, Norway (2013), available at www.selmer.uib.no/WCC2013/pdfs/Gaborit.pdf
[9] Loidreau, P.: A Welch–Berlekamp like algorithm for decoding Gabidulin codes. In: Ytrehus, Ø. (ed.) Coding and Cryptography. pp. 36–45. Springer, Berlin, Heidelberg (2006)
[10] Loidreau, P.: Rank metric and cryptography. Accreditation to supervise research, Université Pierre et Marie Curie - Paris VI (Jan 2007), https://tel.archives-ouvertes.fr/tel-00200407
[11] Loidreau, P.: A new rank metric codes based encryption scheme. In: International Workshop on Post-Quantum Cryptography. pp. 3–17. Springer (2017)
[12] McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab (1978), DSN Progress Report 44
[13] Overbeck, R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptology 21(2), 280–301 (2008)
Appendix 0.A Proof of Proposition 2
0.A.1 Preliminaries on Gaussian binomial coefficients
Notation 1
In what follows, we denote by the Gaussian binomial coefficient representing the number of subspaces of dimension of a vector space of dimension over .
Lemma 7
There exists a positive constant such that for any pair of positive integers such that , we have
Proof
By definition of Gaussian binomials, we have
Since , we get
which yields the left-hand inequality. To get the other inequality, we need to bound from above the product:
where the last equality is obtained by applying the change of variables . Set
The sequence is increasing and converges. Indeed,
and the series with general term converges. As a conclusion, the right-hand inequality is obtained by taking
∎
Remark 2
A finer analysis would permit to prove that . In particular, since , we have that .
0.A.2 The proof
Let be a subspace of chosen uniformly at random among its subspaces of dimension . From we build the map
The image of this map is and hence the dimension of is related to the dimension of the kernel of . Therefore, our approach will consist in estimating . We have
(7) 
Lemma 8
Proof
Lemma 9
Let . Then,