Decoding supercodes of Gabidulin codes and applications to cryptanalysis

Maxime Bombar and Alain Couvreur, IACR Cryptol. ePrint Arch.
This article discusses the decoding of Gabidulin codes and shows how to extend the usual decoder to any supercode of a Gabidulin code, at the cost of a significant decrease in the decoding radius. Using this decoder, we provide polynomial time attacks on the rank metric encryption schemes Ramesses and Liga.

McEliece-type encryption based on Gabidulin codes with no hidden structure

A new McEliece-type encryption scheme based on Gabidulin codes is presented. It uses linearized transformations to disguise the private key, is shown to resist all the known distinguisher-based attacks, and has a very small public key size.

Right-hand side decoding of Gabidulin code and applications

The full presentation of a decoding algorithm for Gabidulin codes is given; like Loidreau’s seminal algorithm, it consists in localizing errors in the spirit of the Berlekamp–Welch algorithm for Reed–Solomon codes.

A Welch-Berlekamp Like Algorithm for Decoding Gabidulin Codes

The decoding of Gabidulin codes can be seen as an instance of the problem of reconstruction of linearized polynomials, which leads to the design of two efficient decoding algorithms inspired from the Welch–Berlekamp decoding algorithm for Reed–Solomon codes.

Improvement of Generic Attacks on the Rank Syndrome Decoding Problem

An improvement on the recent GRS algorithm is presented, and a complexity of $O\big((n-k)^3 m^3 q^{\,w(k+1)m/n - m}\big)$ is obtained for decoding an error of weight $w$ in an $[n,k]$ $\mathbb{F}_{2^m}$-linear code.

A New Public-Key Cryptosystem Based on the Problem of Reconstructing p-Polynomials

This paper presents a new public key cryptosystem whose security relies on the intractability of the problem of reconstructing p-polynomials, and shows how the known attacks can be avoided thanks to properties of the rank metric and of p-polynomials.

On the security of a Loidreau rank metric code based encryption scheme

A polynomial time attack of a rank metric code based encryption scheme due to Loidreau for some parameters is presented and it is shown that the attack time is proportional to the number of parameters.

RAMESSES, a Rank Metric Encryption Scheme with Short Keys

This work presents a rank metric code-based encryption scheme with key and ciphertext sizes comparable to those of isogeny-based cryptography for an equivalent security level; the scheme admits a failure probability that can be precisely controlled and made as low as desired.

LIGA: a cryptosystem based on the hardness of rank-metric list and interleaved decoding

We propose the new rank-metric code-based cryptosystem LIGA, which is based on the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA is an improved variant of the Faure–Loidreau (FL)

Repairing the Faure-Loidreau Public-Key Cryptosystem

A repair of the Faure-Loidreau (FL) public-key code-based cryptosystem is proposed and it is proved that the recent structural attack on the system by Gaborit et al. is equivalent to decoding an interleaved Gabidulin code.

List and unique error-erasure decoding of interleaved Gabidulin codes with interpolation techniques

A new interpolation-based decoding principle for interleaved Gabidulin codes is presented, which can be applied as a list decoding algorithm as well as an efficient probabilistic unique decoding algorithm.

Polynomial-time key recovery attack on the Faure–Loidreau scheme based on Gabidulin codes

This article shows that for a range of parameters, this rank-metric encryption scheme is also vulnerable to a polynomial-time attack that recovers the private key by applying Overbeck’s attack on an appropriate public code.

Cryptanalysis of the Repaired Public-key Encryption Scheme Based on the Polynomial Reconstruction Problem

J. Coron, IACR Cryptol. ePrint Arch., 2003
A new cryptanalysis of the repaired scheme, a variant of the Berlekamp–Welch algorithm, is described; it works very well in practice: for the proposed parameters, the plaintext is recovered in less than 8 minutes on a single PC.