Enhancing the Security of the GPT Cryptosystem Against Attacks

Abstract: The concept of public key cryptosystems based on error correcting codes was invented by McEliece in 1978. In 1991 Gabidulin, Paramonov and Tretjakov proposed a new version of the McEliece cryptosystem (GPT) based on maximum rank distance codes instead of Hamming distance codes. Structural attacks against different variants of the GPT cryptosystem were proposed by Gibson and later by Overbeck. The Overbeck attack breaks all variants of the GPT cryptosystem and turns out to be either polynomial or exponential depending on the parameters of the cryptosystem. Furthermore, in 2013, Gaborit et al. presented a decoding attack against the parameters of the simple variant of the GPT cryptosystem which had been shown to protect the GPT cryptosystem against Overbeck's attack. In this paper, we introduce two new secure approaches against both the structural (Overbeck's) attack and the decoding (brute force) attacks. The first one is called Distortion Matrix Approach (DMA), and the second is called Advanced Approach for Reducible Rank Codes (ARC). The DMA is based on a proper choice of a distortion matrix X, while the ARC is based on a proper choice of a scramble matrix P. Furthermore, we evaluate the simple variant of the GPT cryptosystem against the Gaborit et al. attack and demonstrate a new set of parameters which are secure against all known attacks. Our results show that the proposed approaches withstand the structural and decoding attacks with a large reduction in the key size in comparison to the original McEliece cryptosystem.


Introduction
McEliece [1] introduced the first code-based public-key cryptosystem (PKC). The system relies on the hardness of the general decoding problem. It is based on Goppa codes in the Hamming metric. It is a strong cryptosystem, but the size of a public key is too large (500 000 bits) for practical implementations to be efficient. The choice of the code has a vital effect on the security of this type of cryptosystem. Some codes have a structure that can be recovered in polynomial time, hence breaking the cryptosystem completely. Other codes, however, still resist cryptanalysis. Niederreiter [2] introduced a new code-based PKC based on check matrices of Generalized Reed-Solomon codes. It turned out that this cryptosystem is insecure [3]. Several modifications of this PKC [4,5,6], and [7] seem to be secure, but no independent cryptanalysis has been made of these cryptosystems.
Also, Gabidulin, Paramonov and Tretjakov proposed in [8] another version of McEliece's public key cryptosystem based on rank error correcting codes, which is now called the GPT cryptosystem. The GPT cryptosystem has two advantages over McEliece's cryptosystem. Firstly, it is more robust against decoding attacks than McEliece's cryptosystem [9]; secondly, the key size of the GPT is much smaller and therefore more useful for practical applications than that of McEliece's cryptosystem. There are two types of attack against the GPT cryptosystem and its variants: the first is the structural attack, in which an attacker attempts to recover the private key (the hiding procedure) from the public key, based on the structural properties of the rank codes; the second is the decoding attack, in which an attacker tries to correct rank errors by a general algorithm without any knowledge of the structure of the rank code. The decoding attack is generic and depends only on the code parameters. In 1995, Gibson [10,11] proposed the first structural attack, which broke the GPT system for public keys of about 5 Kbits. Gibson's attack was efficient for practical values of the parameters, $n \le 30$, where n is the length of the rank code with the field $F_{2^N}$ as an alphabet.
Several proposals for the GPT PKC were introduced to withstand Gibson's attack [12,13]. One proposal was to use a rectangular row scramble matrix instead of a square matrix. The proposal allows working with subcodes of the rank codes, which have a much more complicated structure. Another proposal exploits a modification of Maximum Rank Distance (MRD) codes, where the concept of a column scramble matrix was also introduced. Moreover, a new variant, called reducible rank codes, was also implemented to protect the GPT cryptosystem against structural attacks [14,15]. All the above variants withstand Gibson's attack. In 2005, R. Overbeck [16,17], and [18] proposed the second structural attack, which is more effective than Gibson's attack. His method is based on two factors: a) a column scrambler P that is defined over the base field, and b) the unsuitable choice of a distortion matrix X. Building on the general ideas of Gibson, Overbeck managed to break completely all variants of the GPT cryptosystem. In 2013, Gaborit et al. presented two new generic approaches (decoding attacks) against the Rank Syndrome Decoding (RSD) problem; each approach has its own interest depending on the type of parameters considered [38]. Furthermore, they break the parameters proposed in [24] and [21], which had been shown to protect the GPT cryptosystem against Overbeck's attack.
In this paper, we introduce two new secure approaches against both Overbeck's attack and the decoding attacks. The first one is called Distortion Matrix Approach (DMA), and the second is called Advanced Approach for Reducible Rank Codes (ARC). The DMA is based on a proper choice of a distortion matrix X, while the ARC is based on a proper choice of a scramble matrix P. The DMA is proposed to improve the security of the smart approach [19] against a vulnerability which may affect its security and, as a consequence, allow the system to be broken. Therefore, we address and show these vulnerabilities, and then describe a new construction of the distortion matrix X which counters the vulnerabilities of the smart approach. The ARC is designed to counter Overbeck's attack against the reducible rank codes variant [14,15]. Finally, we evaluate the simple variant of the GPT PKC proposed in [24] against the Gaborit et al. attack and demonstrate a new set of parameters which are secure against all known attacks. Our results show that the DMA is secure even when the column scrambling matrix P is chosen over the base field, and that the ARC is secure even when the distortion matrix X does not exist. The proposed approaches withstand the structural and decoding attacks with a large reduction in the key size in comparison to the original McEliece cryptosystem.
The rest of this paper is structured as follows. Section 2 introduces the related work. Section 3 describes the GPT cryptosystem. Section 4 discusses decoding attacks and Overbeck's attack against the GPT cryptosystem. The DMA is presented in Section 5. Section 6 first gives a short introduction to reducible rank codes, and then describes the ARC. Section 7 gives a short introduction to the simple variant, and afterwards we demonstrate new parameters against attacks. Finally, Section 8 concludes the paper with some remarks.

Related Work
Overbeck's attack is a powerful attack which breaks all variants of the GPT cryptosystem in polynomial time. However, a few methods have been proposed to protect the GPT cryptosystem against Overbeck's attack. Kshevetskiy in [20] suggested a secure approach towards the choice of parameters for avoiding Overbeck's attack based on a suitable choice of the distortion matrix X. Independently, Loidreau proposed a similar method in [21]. However, they neither explained how the matrix X can be constructed in a secure manner nor explored the implications of that approach. Moreover, they recommended a set of parameters to be secure against Overbeck's attack. However, all parameters proposed in [21] have been broken by Gaborit et al., and the second set of parameters, which was supposed to be stronger than the first one, is also attacked in a few seconds with the hybrid Gröbner bases attack as shown in [38]. In short, both the Kshevetskiy and Loidreau approaches are not considered to be secure against the Gaborit et al. attack (decoding attack).
Gabidulin presented in [22] a secure approach for the standard variant of the GPT cryptosystem, called the advanced approach, which defines a particular column scrambler matrix P over the extension field without violating the standard mode of the GPT PKC. This approach is secure against all known attacks; however, it is not applicable to the reducible rank codes variant of the GPT PKC, because the reducible rank codes have different constructions and principles than the standard rank codes [14]. In this paper, we present the ARC approach as an appropriate secure approach for the reducible rank codes variant. We applied the advanced approach to the simple variant of the GPT cryptosystem in [23], and reduced its public key size from 10 Kbits to 4 Kbits in [24]. Our method for reducing the public key size was based on the choice of a set of parameters which were secure against all known attacks at that time. Recently, Gaborit et al. presented a decoding attack (new algorithm) which can break our proposed parameters in 5 days [38]. In this paper, we evaluate the simple variant against the Gaborit et al. attack and demonstrate secure parameters against all known attacks.
We have introduced a new approach called the smart approach [19], which is based on a proper choice of the distortion matrix X. Recently, we realized that the smart approach can be vulnerable to a new structural attack under certain conditions. Therefore, we highlight the vulnerabilities of the smart approach, and then propose the DMA as an alternative to the smart approach. In summary, the reducible rank codes variant is still vulnerable to Overbeck's attack, and the smart approach needs to be reconstructed in a more robust way in order to avoid any structural attacks in the future. In addition, both the Kshevetskiy and Loidreau approaches are not considered to be secure against the Gaborit et al. attack. Moreover, the simple variant of the GPT PKC is also vulnerable to the Gaborit et al. attack using our proposed parameters in [24].
Our contributions are as follows:
1. We present the ARC approach to secure the reducible rank codes variant of the GPT PKC.
2. We explore some vulnerabilities of the smart approach, and then propose the DMA as an alternative to the smart approach.

The GPT Cryptosystem
We give a short introduction to rank codes in Section 3.1; and provide a description of the standard GPT cryptosystem in Section 3.2.

Rank Codes
Rank codes were introduced by Gabidulin in 1985 [34]. Rank codes are linear codes generated by a polynomial, and they can correct rank distance errors efficiently. The basic notions of rank codes are introduced as follows: let $F_q$ be a finite field of $q$ elements and let   The rank distance between x and y is defined as the rank norm of the difference of x and y: fulfils the Singleton-style bound [34] for the rank distance: A code C reaching that bound is called a Maximal Rank Distance (MRD) code.
The theory of optimal MRD (Maximal Rank Distance) codes is given in [34].

The notation
are any set of elements of the extension field $F_{q^N}$ which are linearly independent over the base field $F_q$. A code with the generator matrix (2) is referred to as , then the information vector m can be recovered uniquely from y by some decoding algorithm. There exist fast decoding algorithms for MRD codes [34], [35].

Description of the GPT Cryptosystem
Overview of the GPT Cryptosystem.
The GPT cryptosystem is described as follows. Public key: in previous works, different representations of the public key are given. All of them can be reduced to the following form.
The public key is a Let us explain the roles of the factors.
• The main matrix $G_k$ is given by equation (2). It is used to correct rank errors. Errors of rank not greater than $t = (n - k)/2$ can be corrected.
• The matrix S is a row scrambler. This matrix is a nonsingular square matrix of order k over the extension field where $e'$ is the subvector of

The security of the GPT PKC
There are two types of attacks against the GPT cryptosystem and its variants. The first type is the decoding attacks, which are described in Section 4.1. The second type is structural attacks; in this paper we focus on Overbeck's attack as one of the most powerful structural attacks against the GPT cryptosystem. Overbeck's attack is discussed in Section 4.2.

Decoding Attacks
An important part of a decryption procedure is correcting rank errors using a fast decoding algorithm known to the legitimate party. An unauthorized party may attempt to correct rank errors by a general algorithm without any knowledge of the structure of a rank code. We consider algorithms described in [36], [37] and [38].
Johansson and Ourivski proposed two algorithms for decoding an arbitrary $(n, k)$ linear rank distance code over $F_{q^N}$ [36]. These algorithms correct errors of rank Furthermore, Levy-dit-Vehel et al. introduced an algorithm which is described in [37]. It requires operations over $F_q$, which is more complex than the Johansson and Ourivski algorithms. Recently, Gaborit et al. proposed two new algorithms in [38]: the first algorithm is combinatorial and generalizes a particular Hamming distance attack based on the error support to the rank metric context; the second algorithm introduces a new algebraic setting for solving the Rank Syndrome Decoding (RSD) problem. These algorithms require then an algorithm exists with an average complexity bounded above by (10) operations in $F_{q^N}$. Let us consider the following example as a case study in order to evaluate the GPT cryptosystem against decoding attacks. The complexities of the above attacks for correcting $t = 2$ rank errors are as follows: In brief, the decoding attacks are infeasible for practical implementations against the GPT cryptosystem and its variants. Hence, the GPT cryptosystem is secure against the decoding attacks.

Overbeck's Attack
Overbeck introduced a powerful structural attack against the GPT cryptosystem and its variants [16,17], and [18]. We summarize Overbeck's attack below, using the following notation to represent its fundamentals. For The following simple properties if are useful: The property that , if P is a matrix over the base field $F_q$, as described in equation (11).
Using suitable transformations of rows, equation (12) can therefore be rewritten in the following form:  (19) where u is a row vector over the extension field Assume that the next condition is valid: Then equation (21) allows one to find the first row of the parity check matrix for the code with the generator matrix of equation (18) (see [16,17] and [18] for details). Hence this solution breaks the GPT cryptosystem and its variants in polynomial time.
is valid if the matrix P is over the base field $F_q$, as shown in equation (11). As a result, the first row of the parity check matrix H of the rank code can be obtained as described by Overbeck, and then the cryptosystem can be broken easily. However, if the matrix P is over the extension field $F_{q^N}$, then this property no longer holds. Consequently, Overbeck's attack cannot be applied even when the distortion matrix X does not exist. The distortion matrix X is an additional parameter of the GPT cryptosystem that increases its security; it is nonetheless a fundamental parameter of the GPT cryptosystem.
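The following small worked example is added here and is not code from the paper; it makes concrete the rank norm of Section 3.1, the generator matrix (2) of a rank code, and the base-field property of P that the discussion above turns on. It assumes q = 2, N = 4 (so the extension field is $F_{16}$, built with the reduction polynomial a^4 + a + 1), a constructed vector g = (1, a, a^2, a^3), and constructed matrices P_base (entries in $F_2$) and P_ext (one entry equal to a).

```python
from itertools import product

N = 4                 # extension degree: F_{2^N} = F_16 (assumed for this example)
MOD = 0b10011         # a^4 + a + 1, the reduction polynomial (assumed)

def gf_mul(x, y):
    """Multiply two elements of F_16 (ints 0..15, bit i = coefficient of a^i)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & (1 << N):
            x ^= MOD
    return r

def frob(x, i=1):
    """Frobenius power x^[i] = x^(q^i), q = 2; it fixes exactly the base field F_2."""
    for _ in range(i):
        x = gf_mul(x, x)
    return x

def rank_over_f2(vec):
    """Rank norm Rk(vec | F_2): rank of the N x n binary matrix whose column j
    is the bit expansion of coordinate j (Gaussian elimination over F_2)."""
    rows = [sum(((c >> b) & 1) << j for j, c in enumerate(vec)) for b in range(N)]
    rank = 0
    for col in range(len(vec)):
        pivot = next((r for r in rows if (r >> col) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> col) & 1 else r for r in rows]
        rank += 1
    return rank

def vec_mat(v, M):
    """Row vector times matrix over F_16."""
    out = []
    for j in range(len(M[0])):
        s = 0
        for i, vi in enumerate(v):
            s ^= gf_mul(vi, M[i][j])
        out.append(s)
    return out

def gab_generator(g, k):
    """Generator matrix G_k of a rank code: row i is g^[i]; the coordinates of g
    must be linearly independent over F_2 (the form of equation (2))."""
    return [[frob(x, i) for x in g] for i in range(k)]

def min_rank_distance(G):
    """Smallest rank norm of a nonzero codeword; for an MRD code it is n - k + 1."""
    k = len(G)
    return min(rank_over_f2(vec_mat(m, G))
               for m in product(range(1 << N), repeat=k) if any(m))

def frob_commutes(P, v):
    """True iff (vP)^[1] == v^[1] P. This is the identity Overbeck's attack needs:
    it holds for every v when P has entries in F_2, and fails for a P over F_16."""
    return [frob(x) for x in vec_mat(v, P)] == vec_mat([frob(x) for x in v], P)

if __name__ == "__main__":
    G = gab_generator([1, 2, 4, 8], k=2)   # constructed g = (1, a, a^2, a^3); n = 4, k = 2
    print("min rank distance:", min_rank_distance(G))                    # 3 = n - k + 1
    P_base = [[1, 0, 1, 0], [0, 1, 0, 0], [0, 0, 1, 1], [1, 0, 0, 1]]   # over F_2
    P_ext = [[1, 2, 0, 0], [0, 1, 0, 0], [0, 0, 1, 0], [0, 0, 0, 1]]    # entry a in F_16
    v = [3, 5, 9, 2]                                                    # constructed vector
    print("base-field P commutes with Frobenius:", frob_commutes(P_base, v))      # True
    print("extension-field P commutes with Frobenius:", frob_commutes(P_ext, v))  # False
```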

Solution based on distortion matrix X
In the following subsections, the smart approach is described briefly in Subsection 5.1, and the distortion matrix approach (DMA) is presented in Subsection 5.2.

Smart Approach
The smart approach was introduced in [19]. It is based on a particular choice of the distortion matrix X. It withstands all known attacks even if the column scrambler matrix P is chosen over the base field $F_q$. In this section, our intention is to review and evaluate the overall security of the smart approach.  We answer the first question in this section, while the second question is answered in Section 5.2.

An overview of the Smart approach is demonstrated as follows:
The following result is evident. Let the column rank of Y be . Let X be a There exists a matrix X of full ordinary and column rank $t_1$ such that the matrix ) ( = X Y T • Minimum security: decoding attacks by Eqs. (7)-(10)

Distortion matrix approach (DMA)
We presented in the previous subsection the construction of the distortion matrix X over the base field $F_q$ satisfying the conditions in equation (24) for The crucial point is the equality It seems that for One method to provide the conditions (24) is proposed independently in [20] and [21]. They recommend choosing the matrix X over the extension field $F_{q^N}$ in such a manner that the following conditions are satisfied: However, the column rank of the matrix Y over the base field $F_q$ has to be equal to $t_1$. They neither mentioned this fact nor proposed how the matrix X can be constructed. In addition, they recommended a set of parameters to be secure against Overbeck's attack. All parameter sets proposed in [21] have been broken by Gaborit et al.; the second set of parameters, which was supposed to be stronger than the first one, can in fact be attacked in a few seconds with the hybrid Gröbner bases attack as shown in [38].
The existing smart approach, as described in the previous subsection, has a column rank less than $t_1$ for the matrix Y.
Consequently, the main aim of this section is to show how the matrix X can be constructed to meet the conditions in It follows that As can be seen clearly from this section, the DMA is secure against Overbeck's attack and the decoding attacks.

Solution based on scramble matrix P
In the following subsections: firstly, we give a short introduction to reducible rank codes in Section 6.1; secondly, we review the GPT cryptosystem based on reducible rank codes in Section 6.2; finally, we propose the Advanced Approach for Reducible Rank Codes in Section 6.3. A code C is called reducible if its generator matrix G can be represented as

The GPT PKC Based on Reducible Rank Codes
The GPT cryptosystem based on reducible rank codes is described as follows:  (37) Assume that the design parameters are chosen such that (38) Then the legitimate user can recover the information sequence m, starting with the last subblock and using a fast decoding algorithm known to him.

Advanced Approach for Reducible Rank Codes (ARC)
The legitimate user should choose the design parameters similarly to equation (38). It was assumed in the previous works that the column scrambler P is chosen over the base field $F_q$. In this case, Hence it was enough to choose artificial errors e with rank $\mathrm{Rk}(e \mid F_q) \le t$ to satisfy equation (38).
On the other hand, the crucial point of Overbeck's attacks is precisely the assumption that the column scrambler P is chosen over the base field $F_q$. If this is not the case, then his attacks fail.
We establish conditions under which equation (38) is valid for a matrix P over the extension field  (39) Proof. The column rank of the row vector eL is not greater than the sum of the ranks of two subvectors. The first subvector originates from the product of e and those columns of L which have entries in $F_q$. It is clear that the rank of this part . The second part originates from the product of e and those columns of L which have entries in $F_{q^N}$. Its rank is not greater than n. This concludes the proof.
We now show how the matrix P can be constructed. Therefore, its inverse matrix   By definition, an artificial error e has rank $t_2$. Therefore we have for , , We construct a proper column scrambler P which makes Overbeck's attacks invalid. Let

• Minimum security: decoding attacks by Eqs. (7)-(10). According to this section, Overbeck's attack against the GPT cryptosystem based on reducible rank codes is ineffective.

Description of the Simple Variant of the GPT cryptosystem
The GPT cryptosystem is described as follows.     In Table 1, we evaluate the security of the simple variant of the GPT PKC against both Overbeck's attack and the decoding attacks, using the same parameters that were presented by Gaborit et al. in [38] for the code used. In Table 1, 'OJ1' stands for the improved basis enumeration by Ourivski and Johansson, 'OJ2' stands for the coordinates enumeration as described in Eq. (7); 'Over' stands for the complexity of Overbeck's attack, and 'MINI' stands for the complexity of the Levy-dit-Vehel et al. algorithm, Eq.

Conclusion
We have presented two approaches as techniques for withstanding Overbeck's attack against the GPT cryptosystem and its variants.
1. Distortion Matrix Approach. It is shown that a proper choice of the distortion matrix X over the extension field $F_{q^N}$ allows decryption by the authorized party and prevents the unauthorized party from breaking the system by means of any known attacks. This approach is more robust against Overbeck's attack than the smart approach.
2. Advanced Approach for Reducible Rank Codes. It is shown that a proper choice of the column scramble matrix P over the extension field $F_{q^N}$ makes all new attacks ineffective. This approach is designed to secure the GPT cryptosystem based on reducible rank codes.
The two approaches are proposed to counter attacks on the GPT public key cryptosystem based on rank codes. They provide better security compared with other GPT cryptosystem approaches. Furthermore, we have evaluated the simple variant of the GPT PKC against all known attacks, including the Gaborit et al. attack, and demonstrated a new set of parameters which are secure against all known attacks. It has been demonstrated that the decoding attacks are infeasible for practical implementations with $q = 2^2$ and above. With all these merits, the GPT cryptosystem can be used effectively in many practical applications such as mobile applications.