1 Introduction
With the growing probability that a near-future quantum computer will exist, it has become important to propose alternatives to existing public-key encryption schemes and key exchange protocols based on number theory. The recent NIST Post-Quantum Cryptography Standardization process motivates proposals in this direction. Along with lattice-based cryptography, code-based cryptography is the most represented among proposals for encryption schemes or key-encapsulation mechanisms (KEMs). Code-based submissions generically rely on the hardness of decoding problems, either in the Hamming metric or in the rank metric. Hamming metric decoding problems have been studied for more than fifty years with few practical improvements, which supports confidence in their security. By contrast, rank metric decoding problems have been studied for less than twenty years [CS96], and their solving complexity is not yet fully stabilized (see the recent results of [BardetBBGNRT09]). Nevertheless, they benefit from much shorter keys and seem very attractive for practical implementation, culminating in submissions to the NIST standardization process [ROLLO17, RQC17]. To further reduce key sizes, designers often use specific structures such as quasi-cyclicity (the analogue of Module-LWE for lattices), which could be suspected of introducing additional weaknesses [Loi14].
In this paper we aim at designing a new one-way encryption scheme featuring very compact keys, based on rank metric decoding problems. The long-standing idea originates in [faure2006new], which extended a proposal in the Hamming metric [AugotFiniaszPKCPolyReconstruction_2003]. The original rank metric encryption scheme was broken in [GaboritOT18], and a recent repair was proposed in [wachter2018repairing]. However, the repair requires choosing a specific code and a syndrome coming from a structured vector of moderate rank, which we want to avoid here.
Inspired by [faure2006new], we design a simple one-way encryption scheme with the following strengths.

The security of the scheme relies only on decoding problems in the rank metric (such as MinRank and GabSD) and does not require hiding the structure of a code. These decoding problems have been, and are still being, scrutinized in active research fields.

Especially as a KEM, our proposal enables very small parameters for a given security target. Key sizes are competitive with isogeny-based proposals such as SIKE [SIKE17].

Although the decryption algorithm is probabilistic, it is easy to control the failure probability and to make it as small as desired without increasing the parameters too much.
A remaining weakness is that the underlying problems have been less investigated than others. However, our goal here is also to stimulate research in this field, so that the security of the scheme can be ascertained.
Section 2 introduces the necessary notation and definitions. Section 3 describes the encryption scheme, and Section 4 proposes sets of parameters for security levels 1, 3 and 5 of the NIST competition; key and ciphertext sizes are at most a few hundred bytes. Section 5 proves the consistency of the encryption scheme and analyzes its security, by showing to which problems the security can be reduced and by giving the complexity of algorithms solving these problems.
2 Preliminaries
2.1 Notation and definitions
Throughout the paper, we set for some integer , and we let denote the finite field with elements. The field can also be viewed as a vector space of dimension over . The map , , is linear and is called the Frobenius automorphism. Its inverse is the fold composition . For convenience, we sometimes write , for .
Let be a basis of over . We define the extension map
where, for all , the vector consists of coordinates of in the basis , i.e. . In particular, for every , we have .
The rank of , denoted , is defined as the rank over of its extension matrix . Notice that does not depend on the choice of the basis . We also define the row space of with respect to as
Similarly, the column space of is .
We let denote the set of subspaces of of dimension , which contains elements. Each subspace can be represented by the unique reduced row echelon form (RREF) of any matrix whose rows generate . We know from [SilbersteinE11, Medvedeva12] that this representation can be computed efficiently (in time ). Recall that a matrix is in reduced row echelon form if the following holds:
– the index of the pivot (i.e. the first nonzero coefficient) of row is strictly larger than the index of the pivot of row ;
– all pivots are ones;
– each pivot is the only nonzero entry in its column.
We finally define .
2.2 Rank metric codes
In this paper, we embed with the rank metric: for , the weight of is defined as . We consider linear codes, i.e. linear subspaces . Notice that the field extension degree is also the length of the code . The dimension of a code is , and its minimum (rank) distance is . A generator matrix (resp. a parity-check matrix) for is a matrix (resp. ) such that (resp. for every ).
Let us define . Its Moore matrix is defined as
and it is invertible over . Hence is a basis of .
Definition 1 (Gabidulin code [Delsarte78, Gabidulin85])
Let be an ordered basis of . The Gabidulin code of dimension with evaluation vector is the subspace generated by the first rows of .
Gabidulin codes are optimal codes with respect to the rank metric [Delsarte78] and they can be efficiently decoded [Gabidulin85] up to errors. By definition, the submatrix consisting of the first rows of is a generator matrix for . It is also clear that for every , and we have . Hence, one can propose the following definition.
Definition 2 (degree)
Let and . The degree of , denoted , is the unique integer such that . Similarly, one defines the degree of as .
In other words, a vector of degree can be written
for some nonzero and some tuple .
Finally, the dual code is also a Gabidulin code for some basis that can be efficiently computed from . In other words, there exists a parity-check matrix for consisting of the first rows of a Moore matrix associated to some , see e.g. [Gabidulin85].
3 The encryption scheme
System parameters.
Integers are public parameters and are specified according to the desired security level (see Section 4). We set , and we also make public a basis of . We let denote a fixed parity-check matrix of .
Key generation.
Alice picks uniformly at random a vector of rank . As explained in Algorithm 1, the public key is the syndrome of with respect to the parity-check matrix of , and the private key is .
Encryption.
Decryption.
We present in Algorithm 3 a decryption algorithm which may fail with negligible probability. The failure rate is designed to be cryptographically small, and is bounded in Section 5.2. We also make use of an linear map such that . This map can be efficiently computed from the knowledge of the private key . Mathematical properties of this map are given in Section 5.1.
In Algorithm 3, one needs to decode Gabidulin codes up to half their minimum distance, i.e. to decode errors of rank less than . Many such algorithms can be found in the literature since the seminal work of Gabidulin [Gabidulin85]. Some of them are based on solving a so-called key equation, such as [Roth91, ParamonovT91, Gabidulin91, RichterP04, WachterZehAS13], and others use interpolation, for instance [Loidreau05]. The fastest ones run in operations over .
4 Parameters
In Table 1, we propose three sets of parameters for RAMESSES as a KEM, according to the desired level of security. Table 2 proposes a set of parameters for RAMESSES as a PKE. There are generic transformations from PKEs to KEMs, widely used in the NIST competition. Note that the decryption failure rate can be finely tuned, as explained in Section 5.2. One can notice that the post-quantum security is much larger than half the classical one, which is unusual in code-based systems. Indeed, the best current attacks against RAMESSES do not use enumeration techniques, which would benefit from Grover's algorithm, but Groebner basis algebraic techniques, for which no efficient quantum speedup is known, as explained in Section 5.4.
Table 1. Sets of parameters for RAMESSES as a KEM, with different levels of security. The security is estimated according to the current state of the art of algebraic attacks; the linear algebra constant is set to . Decryption failure rates are respectively bounded by , and .

parameters | classical security (bits) | post-quantum security (bits) | public key/ciphertext size (bytes) | private key size (bytes)

Table 2. Parameters for RAMESSES as a PKE. Reading the first three parameter columns as the extension degree (which is also the code length), the code dimension and the rank of the private key, the sizes agree with the formulas of this section: (164 − 116) × 164 / 8 = 984 bytes for the syndrome, and 27 × 164 / 8 = 553.5, rounded up to 554 bytes, for the private key.

parameters | classical security (bits) | post-quantum security (bits) | public key/ciphertext size (bytes) | private key size (bytes)
164 116 27 3 9 | 256 | 256 | 984 | 554
Claimed security.
The claimed security is computed according to known attacks reported in Section 5.4.
Public key size.
The public key consists of a vector . Thus, its size is bits, or bytes.
Private key size.
For the private key , Alice actually needs to store only the map . From Section 5.1, this map is a monic polynomial over of degree . Hence only coefficients over actually need to be stored, and the size of the private key is thus bits, or bytes.
Ciphertext size.
The ciphertext is a vector , hence its size is bits, i.e. bytes.
5 Analysis
5.1 Mathematical background
Gabidulin codes can be interpreted in the context of skew polynomial rings. Recall that represents the Frobenius automorphism . The skew polynomial ring , originally studied by Ore [Ore33a, Ore33b], is the ring of univariate polynomials defined by the noncommutative multiplication rule
In our context, skew polynomials are also called linearized polynomials. One can define the evaluation of a skew polynomial at as follows:
The evaluation vector of at is defined as
Thus, the rows of can be seen as the evaluation vectors over of the sequence of degree-ordered skew monomials . As a consequence, one can view Gabidulin codes as analogues of Reed-Solomon codes for skew polynomial rings:
For , the polynomial of minimum degree such that is the interpolating polynomial of and is denoted . By definition, .
Finally, given , the set of polynomials satisfying is a left ideal of . Since skew polynomial rings are principal ideal domains, we can define the minimum vanishing polynomial of as the unique monic skew polynomial which generates . Notice that .
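As an added worked example (not code from the RAMESSES paper), the following Python script builds the objects of Section 2.2 and of this section over the toy field F_{2^8}, with the code length equal to the extension degree 8 as the paper assumes: the Frobenius map, the Moore matrix of a basis, encoding in a Gabidulin code as evaluation of a skew polynomial, the rank weight of a vector computed from its extension matrix, the interpolating polynomial and the degree of a vector, the noncommutative product rule X·a = a^{[1]}·X, and the Gaussian binomial counting subspaces of a given dimension. The modulus x^8 + x^4 + x^3 + x + 1, the polynomial basis 1, x, ..., x^7 used as evaluation vector, the names used in the code, and the sample message are the example's own choices.

```python
# Added example (not code from the RAMESSES paper): the objects of Sections 2.2
# and 5.1 over the toy field F_{2^8}, with the code length n equal to m = 8.
M = 8            # extension degree m (also the code length n, as in the paper)
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, the modulus chosen here for F_{2^8}

def gf_mul(a, b):
    """Product in F_{2^8}; an element is an int whose bits are its coordinates over F_2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def frob(a, i=1):
    """a^{[i]} = a^{2^i}; i is reduced mod m since the m-fold Frobenius is the identity."""
    for _ in range(i % M):
        a = gf_mul(a, a)
    return a

def rank_gf2(vectors):
    """Rank over F_2 of m-bit vectors. The coordinates of v in F_{2^m}^n are the
    columns of its extension matrix, so rank_gf2(v) is the rank weight of v."""
    basis = []
    for v in vectors:
        for b in basis:        # xor with b exactly when that clears b's leading bit in v
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def gaussian_binomial(m, k, q=2):
    """Number of k-dimensional subspaces of F_q^m."""
    num = den = 1
    for i in range(k):
        num, den = num * (q ** (m - i) - 1), den * (q ** (i + 1) - 1)
    return num // den

def moore_matrix(g):
    """Rows g^{[0]}, g^{[1]}, ..., g^{[n-1]}; the first k rows generate the Gabidulin code."""
    return [[frob(gi, i) for gi in g] for i in range(len(g))]

def skew_eval(f, a):
    """Evaluate f = sum_i f_i X^i as a linearized polynomial: f(a) = sum_i f_i a^{[i]}."""
    r = 0
    for i, fi in enumerate(f):
        r ^= gf_mul(fi, frob(a, i))
    return r

def skew_mul(f, g):
    """Product with the rule X * a = a^{[1]} * X, hence (a X^i)(b X^j) = a b^{[i]} X^{i+j}."""
    h = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] ^= gf_mul(fi, frob(gj, i))
    return h

def gabidulin_encode(g, msg):
    """Codeword of the Gabidulin code of dimension len(msg): evaluate the skew polynomial msg at g."""
    return [skew_eval(msg, gi) for gi in g]

def solve_gf(A, b):
    """Gauss-Jordan elimination over F_{2^m}; A is square and invertible."""
    n = len(A)
    aug = [A[i][:] + [b[i]] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if aug[r][c])
        aug[c], aug[p] = aug[p], aug[c]
        inv = gf_pow(aug[c][c], 2 ** M - 2)                  # a^{-1} = a^{2^m - 2}
        aug[c] = [gf_mul(inv, x) for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                fac = aug[r][c]
                aug[r] = [x ^ gf_mul(fac, y) for x, y in zip(aug[r], aug[c])]
    return [row[n] for row in aug]

def interpolate(g, v):
    """Coefficients of the unique skew polynomial of degree < n with f(g_i) = v_i (the interpolating polynomial of v)."""
    return solve_gf([[frob(gi, j) for j in range(len(g))] for gi in g], v)

def degree(g, v):
    """Degree of v (-1 for the zero vector); v lies in the Gabidulin code of dimension k iff degree(g, v) < k."""
    return max((i for i, c in enumerate(interpolate(g, v)) if c), default=-1)

if __name__ == "__main__":
    g = [1 << i for i in range(M)]          # the polynomial basis 1, x, ..., x^7 as evaluation vector
    k, msg = 4, [17, 0, 99, 200]            # a constructed message of length k
    c = gabidulin_encode(g, msg)
    print("rank weight", rank_gf2(c), "(MRD bound n-k+1 =", M - k + 1, ")")
    print("degree", degree(g, c), "subspaces of dim 2 in F_2^4:", gaussian_binomial(4, 2))
```

Two checks are worth running on this code. Every nonzero codeword of the dimension-4 code has rank weight at least 8 − 4 + 1 = 5, which is the MRD property stated in Section 2.2, and `degree(g, v) < k` is exactly the membership test of Definition 2. The product rule in `skew_mul` is the one that makes evaluation multiplicative in the sense (f·g)(a) = f(g(a)), i.e. the product of skew polynomials corresponds to composition of the associated linear maps; the two products `skew_mul([0, 1], [a])` and `skew_mul([a], [0, 1])` differ, which is the noncommutativity of the ring.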
The following lemma will be helpful for the analysis of the scheme consistency.
Lemma 1
Let and . Then we have . Moreover, if , then there exists a nonzero such that .
Proof
Let satisfy . In particular, one can see that . Hence, by linearity . Thus, every satisfies , leading to .
Assume now that . It implies that . Let be an ordered basis of over . Then there must exist a nonzero such that , otherwise we would have . If we set , then we get by linearity.∎
5.2 Consistency
In this section we characterize the output of the decryption algorithm described in Section 3. As input, it receives a vector of rank and a vector such that , where
– vector satisfies ,
– matrix has degree ,
– vector has rank .
First, notice that for some . In the first step of Algorithm 3, a vector solution to is computed. One can see that the set of such solutions is
Therefore, in step of Algorithm 3, we have
We notably used the linearity of . Also recall that, for any , denotes the interpolating polynomial of . Then we get:
Moreover, yields since . Therefore, the polynomial has degree at most .
We also know that . Hence, in the third step of Algorithm 3, any decoding algorithm for that decodes errors of rank at most will retrieve from . Finally, Algorithm 3 outputs a matrix such that .
As a consequence, decryption fails whenever , where is the original plaintext. First notice that . Then, Lemma 1 shows that if decryption fails, then there exists a nonzero such that . Let us now recall that the set of zeroes of is exactly . Hence we get the following result.
Lemma 2
Let . If, on input where , algorithm does not output , then the matrix chosen at step satisfies .
One can now estimate the probability of failure of .
Lemma 3
Let be any pair of keys generated by , on public parameters . Then, for every ,
Proof
Using Lemma 2, we have
It is easy to check that the probability that a dimensional random subspace of intersects nontrivially a fixed subspace of dimension is bounded by . This concludes the proof.∎
5.3 Security proof
Let us first introduce two problems to which the security of RAMESSES can be reduced. Problem 1 is an ad hoc problem. The search version of Problem 2 corresponds to decoding errors of rank in a Gabidulin code; this problem is believed to be hard for between and , and an improvement in solving it would be significant in coding theory.
Problem 1 (Syndrome correlation for Gabidulin codes (CorGab))
Let be a fixed parity-check matrix of , and .
Input: access to distributions
– : , where and ,
– : , where and .
Goal: distinguish between and .
Problem 2 (Syndrome decoding for Gabidulin codes (GabSD))
Let be a fixed parity-check matrix of , and .
Input: access to distributions
– : , where ,
– : , where .
Goal: distinguish between and .
We now sketch the proof of indistinguishability under chosen plaintext attacks (IND-CPA) of RAMESSES, with the following sequence of games.
Game 0. The real scheme with plaintext .
Game 1. We modify Game 0 as follows. In the key generation, the vector is now picked uniformly at random in , without any rank constraint.
Game 2. We modify Game 1 as follows. In the encryption algorithm, is replaced by , where is generated uniformly at random in .
Game 3. We modify Game 2 as follows. The plaintext is replaced by the plaintext .
Game 4. This game is identical to Game 1, except that the plaintext is replaced by the plaintext .
Game 5. The real scheme with plaintext .
One can then prove that the advantage of an adversary in distinguishing the encryptions of and satisfies:
Roughly speaking, this mimics the security proof given in [AguilarBDGZ18]. The term comes from the transitions between Games 0 and 1 and between Games 4 and 5, whereas the transitions between Games 1 and 2 and between Games 3 and 4 yield the term. Games 2 and 3 are information-theoretically indistinguishable since is random.
5.4 Existing attacks
In the following, we denote by the desired security parameter, i.e., any attack against the cryptosystem must cost at least operations over .
Exhaustive search attacks.
In order to avoid attacks by exhaustive search, one has the following constraints on the parameters.
– , satisfied when .
– , satisfied when .
– , satisfied when .
Attack by decoding beyond the unique decoding radius of Gabidulin codes.
Let be any solution of of rank . From the consistency analysis one can see that can be used as an alternate private key in the algorithm. The computation of such a vector actually corresponds to the search version of GabSD problem.
This problem is easy for (it corresponds to half-minimum-distance decoding) and for (equivalent to interpolation for linearized polynomials). For our concern, we have , and we believe that the search version of GabSD is hard in this range of parameters.
A solution consists in enumerating vector spaces of dimension slightly higher than , checking whether they correctly guess a large part of the solution space, and in such a case interpolating the solution. Roughly speaking, the number of valid choices for the subspace is large, but the complexity of finding one remains exponential in the code length. Precisely, in our settings (, and even), the number of vector spaces to test before finding one solution is on average
where . This quantity is used as a bound for the complexity of solving GabSD. Using Grover's algorithm in a straightforward way, the number of iterations to be completed on a quantum computer is roughly
Attack via a reduction to a quadratic system over .
Given a vector with , any solution to can be written as for some . Therefore, satisfies
(1) 
where . Hence, an attack would consist in searching for and in the previous equation, for some fixed solution to .
Equation (1) can be turned into a quadratic system over (see Appendix 0.A for details). Using results of Bardet et al. [BardetFSS13], the solving complexity would be in , which remains much larger than the complexity of the previous attack.[1]
[1] However, notice that the system to be solved in [BardetFSS13] is assumed to be random, and such that no specialization of variables can be made. This is unlikely to be the case for our system, but a finer analysis, which is not the scope of this paper, is required to understand whether improvements can be made in order to solve the system.
Attack via a reduction to a MinRank instance.
The recovery of a representative of the plaintext , given only a ciphertext and , can be modeled as follows. First, one computes (i) any solution of , and (ii) any solution to . Due to the form of the ciphertext, this leads us to
(2) 
where and are unknown to the attacker. Notice that lies in a vector space of dimension , since . Two kinds of attacks can then be mounted to solve (2).
First, Equation (2) can be written , which means that the problem can be rephrased as decoding an error of rank in the underlying code
Notice that is an linear code of dimension at most . One can then write , which yields . A straightforward decoding approach would lead to an attack in time roughly . One could also try to decode in the smallest linear code containing , and use the additional structure provided by the linearity. This structure has been widely employed in the recent improvements, see [BardetBBGNRT09]. However, it is unlikely that the dimension of is small, since the endomorphism of defined by is not linear.
Second, one can see Equation (2) as an instance of MinRank, a problem formally introduced by Courtois in [Courtois01] after the cryptanalysis of HFE [KipnisS99].
Problem 3 (MinRank search problem)
Let be a field.
Input: and an integer .
Goal: Find such that .
Let us denote by an basis of , the smallest vector space containing . Similarly, can be written in some basis of the vector space of dimension representing . Applying to Equation (2), we get:
where . Since , one gets an instance of the MinRank problem, with one “base matrix” and “summand matrices” .
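To make Problem 3 and the shape of the instance just derived concrete, here is an added example in Python that is not from the paper: it plants a MinRank instance over F_2 with one base matrix M_0 and k summand matrices M_1, ..., M_k whose secret combination has rank at most r, and solves it by the naive exhaustive search over the 2^k coefficient vectors. This is the exponential cost that the algebraic approaches discussed in the rest of this section aim to beat. The matrix sizes, k, r, the random seed and the function names are the example's own choices; matrices are stored as lists of row bitmasks.

```python
# Added example (not from the RAMESSES paper): a planted MinRank instance over F_2
# in the shape of Equation (2), M_0 + sum_i x_i M_i of rank <= r, and the naive solver.
import random
from itertools import product

def rank_gf2(rows):
    """Rank over F_2 of a matrix given as a list of row bitmasks (Gaussian elimination)."""
    basis = []
    for v in rows:
        for b in basis:          # xor with b exactly when that clears b's leading bit in v
            v = min(v, v ^ b)
        if v:
            basis.append(v)
    return len(basis)

def combine(m0, mats, x):
    """The matrix M_0 + sum_i x_i M_i; over F_2 addition is xor of row bitmasks."""
    rows = list(m0)
    for mat, xi in zip(mats, x):
        if xi:
            rows = [a ^ b for a, b in zip(rows, mat)]
    return rows

def planted_instance(nrows, ncols, k, r, rng):
    """Random M_1..M_k and secret x; M_0 is set so that the secret combination has rank <= r.
    The low-rank target is built as a product of an nrows x r and an r x ncols binary matrix."""
    mats = [[rng.getrandbits(ncols) for _ in range(nrows)] for _ in range(k)]
    x = [rng.getrandbits(1) for _ in range(k)]
    right = [rng.getrandbits(ncols) for _ in range(r)]           # the r x ncols factor
    target = [0] * nrows
    for i in range(nrows):
        for t in range(r):
            if rng.getrandbits(1):                                # entry (i, t) of the left factor
                target[i] ^= right[t]
    m0 = combine(target, mats, x)   # over F_2, target - sum x_i M_i = target + sum x_i M_i
    return m0, mats, x

def minrank_bruteforce(m0, mats, r):
    """Exhaustive search over x in F_2^k: 2^k rank computations, exponential in k."""
    for x in product((0, 1), repeat=len(mats)):
        if rank_gf2(combine(m0, mats, x)) <= r:
            return list(x)
    return None

def run_demo(seed=7, nrows=10, ncols=10, k=8, r=2):
    """Plant an instance with a fixed seed (constructed data), solve it, and report the rank reached."""
    rng = random.Random(seed)
    m0, mats, secret = planted_instance(nrows, ncols, k, r, rng)
    found = minrank_bruteforce(m0, mats, r)
    return secret, found, rank_gf2(combine(m0, mats, found))

if __name__ == "__main__":
    secret, found, rk = run_demo()
    print("planted x:", secret)
    print("found x:  ", found, "rank of M_0 + sum x_i M_i:", rk)
```

The solver returns the first coefficient vector reaching rank at most r, which need not be the planted one if the instance has several solutions; what the search guarantees is a solution of the MinRank instance. In the attack of this section the number of summand matrices is the dimension of the space the unknown lives in, so the 2^k factor is what makes exhaustive search hopeless and motivates the Groebner basis formulations.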
There exist several approaches to solve the MinRank problem. In [GoubinC00], Goubin and Courtois gave an algorithm which finds a solution in expected time . In 1999, Kipnis and Shamir [KipnisS99] proposed a multivariate formulation of MinRank which can be solved by computing Groebner bases. Such computations can be run in time , where is the linear algebra constant and is the degree of regularity of the system [Lazard83]. Faugère, Levy-dit-Vehel and Perret [FaugereLP08] proved that, in the Kipnis-Shamir formalism, any instance can be reduced to a simpler one if . In our case, setting ensures that . Moreover, the authors proved that the degree of regularity is lower than what is expected for random systems, and it seems to be heuristically upper bounded by . This heuristic was confirmed by Verbel et al. [VerbelBCPS19] for superdetermined instances, and by Bardet et al. [BardetBBGNRT09] in the context of decoding low rank errors in random codes. Finally, the latter work also presents instances for which the solving degree decreases to