A New Technique in Rank Metric Code-Based Encryption ^†

Abstract

We propose a rank metric codes based encryption based on the hard problem of rank syndrome decoding problem. We propose a new encryption with a public key matrix by considering the adding of a random distortion matrix over ${\mathbb{F}}_{q^m}$ of full column rank n. We show that IND-CPA security is achievable for our encryption under assumption of the Decisional Rank Syndrome Decoding problem. Furthermore, we also prove some bounds for the number of matrices of a fixed rank with entries over a finite field. Our proposal allows the choice of the error terms with rank up to $\frac{r}{2}$, where r is the error-correcting capability of a code. Our encryption based on Gabidulin codes has public key size of $13.68$ KB, which is 82 times smaller than the public key size of McEliece Cryptosystem based on Goppa codes. For similar post-quantum security level of $2^{140}$ bits, our encryption scheme has a smaller public key size than the key size suggested by LOI17 Encryption.

1. Introduction

1.1. Background and Motivations

In 1978, McEliece [1] proposed a public-key cryptosystem based on Goppa codes in Hamming metric. A message $\mathit{m}$ is encrypted with the public key $G_{pub}=SGP$, where G is a generator matrix of Goppa code, S is some random invertible matrix and P is a permutation matrix which S and P hide the structure of matrix G. The ciphertext $\mathit{c}$ is computed by adding the codeword $\mathit{m}{G}_{pub}$ with an error $\mathit{e}$ of Hamming weight less than or equal to r, where r is the error correcting capability of Goppa code. By decoding $\mathit{c}{P}^{-1}$ with respect to the Goppa code, $\mathit{m}S$ can be obtained and thus retrieve $\mathit{m}=\mathit{m}S{S}^{-1}$. Although the original McEliece cryptosystem is still considered secured today, the large key size of Goppa codes (approximately 1 MB) is less practical in application. Many variants based on alternative families of codes were proposed to tackle this problem, yet many of them were proved to be insecure (for instance, [2,3]).

As an alternative for the Hamming metric, in 1985, Gabidulin introduced the rank metric and the Gabidulin codes [4] over a finite field with $q^m$ elements, ${\mathbb{F}}_{q^m}$. Later, in 1991, Gabidulin et al. [5] proposed the first rank code based cryptosystem, namely the GPT cryptosystem that employs the similar idea as a McEliece cryptosystem to distort the public key matrix. They considered $G_{pub}=SG+X$, where S is a random invertible $k\times k$ matrix over ${\mathbb{F}}_{q^m}$, G is a generator matrix of Gabidulin codes, and X is a random matrix over ${\mathbb{F}}_{q^m}$ with column rank $t<n$. However, the GPT cryptosystem is shown to be insecure against Gibson’s attack [6]. Since then, reparations on GPT were proposed (for instances, GPT [5], modified GPT [7,8], GGPT [9]); however, due to the weakness of Gabidulin codes containing huge vector space invariant under Frobenius automorphism, these cryptosystems were proved to be insecure by Overbeck’s attack [10]. Then, proposals such as Gabidulin’s General Reparation [11], Gabidulin, Rashwan and Honary [12], GPT with more general column scrambler [12], Loidreau’s GGPT [13], and Smart Approach [14] that claimed to resist Overbeck’s attack were proposed. The entries in $P^{-1}$ need to be chosen over ${\mathbb{F}}_{q^m}$ and over ${\mathbb{F}}_q$ in a certain pattern so that the rank of $\mathit{e}{P}^{-1}$ will be less than or equal to r. However, proposals with P of such pattern are proved to be insecure as they could be reduced into GGPT form by attacks proposed by [15,16]. In addition, some general rank syndrome decoding attacks on Gabidulin codes (for instances [17,18,19]) are able to attack the variants above with their suggested parameters in polynomial time.

In 2017, two new research papers about rank metric encryption scheme were presented. The first one is proposed by Gaborit et al. [20], namely RankPKE in their construction of a code-based identity-based encryption scheme. The second attempt is a McEliece type encryption proposed by Loidreau (LOI17) [21] that considers a scrambler matrix P with its inverse $P^{-1}$ over V, a $\lambda$-dimensional subspace of ${\mathbb{F}}_{q^m}$. The term $\mathit{c}{P}^{-1}=\mathit{m}SG+\mathit{e}{P}^{-1}$ has error $\mathit{e}{P}^{-1}$ with $\mathit{e}$ of rank t. In other words, the matrix $P^{-1}$ amplifies the rank of $\mathit{e}$, and this leads to larger public key size as t has to be $\lambda$ times smaller than r.

1.2. Contributions

In this paper, we propose an encryption scheme based on the hard problem of rank syndrome decoding problem. Our construction hides the structure of the generator matrix of the code by adding a distortion matrix of column rank n, with an error of rank larger than r being added into the ciphertext. In particular, let $\mathit{u}\in {\mathbb{F}}_{q^m}^n$ of rank n, a message $\mathit{m}\in {\mathbb{F}}_{q^m}^{k^{\prime }}$ is encrypted by

$${\mathit{c}}_2=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})(SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T)+{\mathit{e}}_2,$$

where S is a random matrix in $G{L}_k\left({\mathbb{F}}_{q^m}\right)$, G is a generator matrix for a code $\mathcal{C}$ with error-correcting capability r, ${\mathrm{Cir}}_k\left(\mathit{u}\right)$ is a k-partial circulant matrix (refer to Definition 5 for formal definition), T is a random matrix in ${\mathrm{GL}}_n\left({\mathbb{F}}_q\right)$, ${\mathit{m}}_{\mathit{s}}$ is a random vector in ${\mathbb{F}}_{q^m}^{k-k^{\prime }}$ and ${\mathit{e}}_2$ is a random vector in ${\mathbb{F}}_{q^m}^n$ with rank $r_2\le \frac{r}{2}$. Note that the term ${\mathit{m}}_{\mathit{s}}$ could be chosen such that the term $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2$ in ${\mathit{c}}_2$ has rank larger than $n-r_2$ (which is greater than r).

The term ${\mathit{c}}_1=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)+{\mathit{e}}_1$ is included in the ciphertext, where ${\mathit{e}}_1$ is a random vector in ${\mathbb{F}}_{q^m}^n$ with rank $r_1\le \frac{r}{2}$. Decryption could be performed by decoding ${\mathit{c}}_2-{\mathit{c}}_{1}T=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})SG+{\mathit{e}}_2-{\mathit{e}}_{1}T$ with respect to the code $\mathcal{C}$ whenever rank of ${\mathit{e}}_2-{\mathit{e}}_{1}T$ is less than or equal to r.

Advantages of Our Proposal. Our proposal has the following advantages:

i.

The distortion matrix ${\mathrm{Cir}}_k\left(\mathit{u}\right)T$ is of column rank n, which hides the generator matrix G since T is random over ${\mathbb{F}}_q$.

ii.

The error term $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2$ has rank at least $n-r_2$. The adversary is not able to decode the ciphertext correctly since the generator matrix G is remained unknown and rank of $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2$ is greater than r.

iii.

For the case in LOI17 Encryption and other Gabidulin codes based cryptosystem, the multiplication of $P^{-1}$ into $\mathit{c}$ often amplifies the rank of the error term, resulting in a choice of error term with smaller rank in the ciphertext. Similarly, the rank of the error term in RankPKE has to be $\lambda$ times smaller than r. On the contrary, in our proposal, we have freedom for the choice of ${\mathit{e}}_1$ and ${\mathit{e}}_2$ with rank $r_1\le \frac{r}{2}$ and $r_2\le \frac{r}{2}$, respectively.

We show that our encryption scheme has IND-CPA security under assumption of a Decisional Rank Syndrome Decoding problem. We propose Gabidulin codes as a choice of decodable code in our encryption. Furthermore, for similar post quantum security level of $2^{140}$ bits, our encryption scheme has smaller public key size as compared to key size suggested by LOI17 Encryption [21].

This paper is organized as follows: we review some preliminaries for rank metric and circulant matrix in Section 2. We also introduce the hard problems that our encryption is based on and name the known best attacks on the problem. In Section 3, we prove some bounds for the number of matrices of a fixed rank over a finite field and some related results. In Section 4, we describe our proposed cryptosystem and provide proofs for its advantages. In Section 5, we prove that our encryption scheme has IND-CPA security under assumption of Decisional Rank Syndrome Decoding problem. In Section 6, we propose the use of Gabidulin codes as a choice for the decodable code $\mathcal{C}$ in our encryption, and analyze its security. We also provide some parameters for the proposal based on the Gabidulin codes. Finally, we give our considerations of this paper in Section 7.

2. Preliminaries

In this section, we recall the definition of rank metric, which is the core of rank metric code based cryptosystems. We also introduce the Decisional Rank Syndrome Decoding problem, a hard problem in coding theory for our encryption scheme. We name the known best generic attacks on the Rank Syndrome Decoding problem.

2.1. Rank Metric

Let ${\mathbb{F}}_{q^m}$ be a finite field with $q^m$ elements where q is a power of prime. In addition, let $\{{\beta }_1,\dots ,{\beta }_m\}$ be a basis of ${\mathbb{F}}_{q^m}$ over the base field ${\mathbb{F}}_q$.

Definition 1.

Alinear codeof length n and dimension k is a linear subspace $\mathcal{C}$ of the vector space ${\mathbb{F}}_{q^m}^n$.

Given a matrix M with coefficients in a field $\mathbb{F}$, the rank of M, $\mathrm{rk}\left(M\right)$ is the dimension of the row span of M as a vector space over $\mathbb{F}$. We denote the row span of a matrix M over $\mathbb{F}$ by ${⟨M⟩}_{\mathbb{F}}$, or $⟨M⟩$ when the context is clear. We now define the rank metric of a vector on ${\mathbb{F}}_{q^m}^n$:

Definition 2.

Let $\mathit{x}=(x_1,\dots ,x_n)\in {\mathbb{F}}_{q^m}^n$. The rank of $\mathit{x}$ in ${\mathbb{F}}_q$, denoted by ${rk}_q\left(\mathit{x}\right)$ is the rank of the matrix $X=\left(x_{ij}\right)\in {\mathbb{F}}_q^{m\times n},$ where $x_j={\sum }_{i=1}^m{x}_{ij}{\beta }_i$.

Equivalently, the rank of $\mathit{x}$ is the dimension over ${\mathbb{F}}_q$ of the subspace of ${\mathbb{F}}_{q^m}$ which is spanned by the coordinates of $\mathit{x}$. Note that the rank of a vector is a norm and is independent of the chosen basis. Similarly, we have the following definition of column rank for a matrix in ${\mathbb{F}}_{q^m}^{k\times n}$:

Definition 3.

Let $M\in {\mathbb{F}}_{q^m}^{k\times n}$. The column rank of M over ${\mathbb{F}}_q$, denoted by ${\mathit{colrk}}_q\left(M\right)$ is the maximum number of linearly independent columns over ${\mathbb{F}}_q$.

We now state a few results related to the rank metric which are important prerequisites for results in later sections.

Lemma 1.

Let $\mathit{x}\in {\mathbb{F}}_{q^m}^n$ such that ${rk}_q\left(\mathit{x}\right)=r$, then there exists $\widehat{\mathit{x}}\in {\mathbb{F}}_{q^m}^r$ with ${rk}_q\left(\widehat{\mathit{x}}\right)=r$ and $U\in {\mathbb{F}}_q^{r\times n}$ with ${rk}_q\left(U\right)=r$ such that $\mathit{x}=\widehat{\mathit{x}}U$. This decomposition is unique up to ${GL}_r\left({\mathbb{F}}_q\right)$-operation between $\widehat{\mathit{x}}$ and U [15].

Definition 4.

Let $\mathit{x}\in {\mathbb{F}}_{q^m}^n$ with ${\mathrm{rk}}_q\left(\mathit{x}\right)=r$ and decomposition $\mathit{x}=\widehat{\mathit{x}}U$ as in Lemma 1. We call U a Grassman support matrix for $\mathit{x}$ and ${\mathit{supp}}_{\mathit{Gr}}\left(\mathit{x}\right)={⟨U⟩}_{{\mathbb{F}}_{q^m}}$ the Grassman support of $\mathit{x}$.

Lemma 2.

Let $M\in {\mathbb{F}}_{q^m}^{k\times n}$ and ${\mathit{colrk}}_q\left(M\right)=s<n$ [16]. Then, there exists $M^{\prime }\in {\mathbb{F}}_{q^m}^{k\times s}$ with ${\mathit{colrk}}_q\left(M^{\prime }\right)=s$ and K an invertible $n\times n$ matrix over ${\mathbb{F}}_q$ such that

$$MK=\left(M^{\prime }\mid {\mathbf{0}}_{k\times (n-s)}\right).$$

(1)

2.2. Circulant and Partial Circulant Matrix

As mentioned in Section 1, we use a k-partial circulant matrix as the distortion matrix for the code with an efficient decoding algorithm. Here, we give the definition of the circulant matrix and k-partial circulant matrix induced by a random vector, $\mathit{x}$.

Definition 5.

Let $\mathit{x}=(x_0,\dots ,x_{n-1})\in {\mathbb{F}}_{q^m}^n$. The circulant matrix induced by $\mathit{x}$ is defined as

$${\mathit{Cir}}_n\left(\mathit{x}\right):=\left(\begin{array}{cccc}{x}_0& x_{n-1}& \dots & x_1\\ x_1& x_0& \dots & x_2\\ ⋮& ⋮& \ddots & ⋮\\ x_{n-1}& x_{n-2}& \dots & x_0\end{array}\right)\in {\mathbb{F}}_{q^m}^{n\times n}.$$

The k-partial circulant matrix, ${\mathrm{Cir}}_k\left(\mathit{x}\right),$ induced by $\mathit{x}$ is the first k rows of ${\mathit{Cir}}_n\left(\mathit{x}\right)$.

In fact, a k-partial circulant matrix induced by $\mathit{x}$ has column rank depending on rank of $\mathit{x}$. We have the following result, which helps us to ensure that the distortion matrix that we choose has column rank as desired:

Lemma 3.

Let $\mathit{x}\in {\mathbb{F}}_{q^m}^n$ with ${\mathit{rk}}_q\left(\mathit{x}\right)=t$; then, ${\mathit{colrk}}_q\left({\mathit{Cir}}_k\left(\mathit{x}\right)\right)\ge t$.

Proof. 

Suppose to the contrary that ${\mathrm{colrk}}_q\left({\mathrm{Cir}}_k\left(\mathit{x}\right)\right)<t$; then, there exists at most $t-1$ columns of ${\mathrm{Cir}}_k\left(\mathit{u}\right)$ that are linearly independent over ${\mathbb{F}}_q$. Consider the first row of ${\mathrm{Cir}}_k\left(\mathit{x}\right)$: $\{x_0,x_1,\dots ,x_{n-1}\}$; then, at most $t-1$ elements in $\{x_0,x_1,\dots ,x_{n-1}\}$ are linearly independent over ${\mathbb{F}}_q$. In other words, ${\mathrm{rk}}_q\left(\mathit{x}\right)\le t-1$, which is a contradiction to ${\mathrm{rk}}_q\left(\mathit{x}\right)=t$. □

2.3. Hard Problems in Coding Theory

We describe the hard problems which our cryptosystem is based on.

Definition 6.

Rank Syndrome Decoding Problem (RSD). Let H be a full rank $(n-k)\times n$ matrix over ${\mathbb{F}}_{q^m}$, $\mathit{s}\in {\mathbb{F}}_{q^m}^{n-k}$ and w an integer. The Rank Syndrome Decoding Problem RSD(q,m,n,k,w) needs to determine $\mathit{x}\in {\mathbb{F}}_{q^m}^n$ such that ${\mathit{rk}}_q\left(\mathit{x}\right)=w$ and $H{\mathit{x}}^T={\mathit{s}}^T$.

The RSD problem is analogous to the classical syndrome decoding problem with Hamming metric. Recently, the RSD problem has been proven to be hard with probabilistic reduction to the Hamming setting [22].

Given $G\in {\mathbb{F}}_{q^m}^{k\times n},$ a full rank parity-check matrix of H in an RSD problem and $\mathit{y}\in {\mathbb{F}}_{q^m}^n$. Then, the dual version of $RSD(q,m,n,k,w)$ is to determine $\mathit{m}\in {\mathbb{F}}_{q^m}^k$ and $\mathit{x}\in {\mathbb{F}}_{q^m}^n$ such that ${\mathrm{rk}}_q\left(\mathit{x}\right)=w$ and $\mathit{y}=\mathit{m}G+\mathit{x}$.

Notation. 

If X is a finite set, we write $\mathit{x}\stackrel{\$}{\leftarrow }X$ to denote assignment to $\mathit{x}$ of an element randomly sampled from the distribution on X.

We now give the definition of Decisional version of RSD problem in its dual form:

Definition 7.

Decisional RSD Problem (DRSD). Let G be a full rank $k\times n$ matrix over $F_{q^m}$, $\mathit{m}\in {\mathbb{F}}_{q^m}^k$ and $\mathit{x}\in {\mathbb{F}}_{q^m}^n$ of rank r. The Decisional RSD Problem $DRSD(q,m,n,k,w)$ needs to distinguish the pair $(\mathit{m}G+\mathit{x},G)$ from $(\mathit{y},G)$ where $\mathit{y}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$.

It was proved that DRSD is hard in the worst case [20]. Therefore, DRSD is eligible to be a candidate of hard problems in coding theory. The hardness of our cryptosystem relies on the DRSD problem (refer to Section 5).

2.4. Generic Attacks on RSD

There are generally two types of generic attacks on the RSD problem, namely the combinatorial attack and algebraic attack.

Combinatorial Attack. The combinatorial approach depends on counting the number of possible supports of size r for a rank code of length n over ${\mathbb{F}}_{q^m}$, which corresponds to the number of subspaces of dimension r in ${\mathbb{F}}_{q^m}$. We summarize the best combinatorial attacks with their conditions and complexities in Table 1.

Table 1. Best combinatorial attacks on RSD with their conditions and complexities.

Conditions	Best Combinatorial Attacks
$m<n$, $m>k+1+r$	$O\left(\min \left\{{(n-k)}^3{m}^3{q}^{r\frac{(k+1)m}{n}-m},r^3{m}^3{q}^{(r-1)(k+1)}\right\}\right)$ [19,23]
$m<n$, $m\le k+1+r$	$O\left(\min \left\{{(n-k)}^3{m}^3{q}^{r\frac{(k+1)m}{n}-m},{(k+r)}^3{r}^3{q}^{(m-r)(r-1)}\right\}\right)$ [19,23]
$m\ge n$, $\mathit{s}\ne \mathbf{0}$	$O\left(\min \left\{{(n-k)}^3{m}^3{q}^{\min \left\{r\frac{(k+1)m}{n}-m,rk,(r-1)(k+1)\right\}},r^3{m}^3{q}^{(r-1)(k+1)}\right\}\right)$ [17,19,23]
$m\ge n$, $\mathit{s}=\mathbf{0}$	$O\left(\min \left\{{(n-k)}^3{m}^3{q}^{\min \left\{r\frac{(k+1)m}{n}-m,(r-1)k\right\}},r^3{m}^3{q}^{(r-1)(k+1)}\right\}\right)$ [17,19,23]

Algebraic Attack. The nature of the rank metric favors algebraic attacks using Gröbner bases, as they are largely independent of the value q. These attacks became efficient when q increases. We summarize the complexity of algebraic attacks in Table 2.

Table 2. Best Algebraic Attacks on RSD with their conditions and complexities.

Attacks	Conditions	Complexity
CG-Kernel [24]		$O\left(k^3{m}^3{q}^{r⌈\frac{km}{n}⌉}\right)$
GRS-Basic Approach [17]	$n\ge (r+1)(k+1)-1$	$O\left({((r+1)(k+1)-1)}^3\right)$
GRS-Hybrid Approach [17]	$⌈\frac{(r+1)(k+1)-(n+1)}{r}⌉\le k$	$O\left(r^3{k}^3{q}^{r⌈\frac{(r+1)(k+1)-(n+1)}{r}⌉}\right)$

3. Rank of Matrix

The following are some results related to the rank of a matrix over a finite field, which is crucial for the construction of our encryption. We provide some bounds for the number of $m\times n$ matrices over ${\mathbb{F}}_q$ of rank $r<\min \{m,n\}$.

Proposition 1.

Denote $T_r^{(m\times n)}$ as the number of $m\times n$ matrices over ${\mathbb{F}}_q$ of rank r; then, $T_r^{(m\times n)}=\frac{Q_r\left(q^n\right)Q_r\left(q^m\right)}{Q_r\left(q^r\right)},$ where $Q_r\left(x\right)={\prod }_{i=0}^{r-1}\left(x-q^i\right)$ [25,26].

We need the following lemma to give some bounds for $T_r^{(m\times n)}$.

Lemma 4.

For $0\le i\le r-1$, if $m\ge n>r$, then

$$q^{n-r}<\left(1-\frac{q^i}{q^m}\right)\left(\frac{q^{n-i}-1}{q^{r-i}-1}\right)<q^{n-r}\left(\frac{q}{q-1}\right).$$

Proof. 

Expand $\left(1-\frac{q^i}{q^m}\right)\left(\frac{q^{n-i}-1}{q^{r-i}-1}\right)=\frac{q^{m+n-2i}+1-q^{n-i}-q^{m-i}}{q^{m-i}(q^{r-i}-1)}$; it suffices for us to show that $q^{n-r}<\frac{q^{m+n-2i}+1-q^{n-i}-q^{m-i}}{q^{m-i}(q^{r-i}-1)}<q^{n-r}\left(\frac{q}{q-1}\right)$. Since $m-r+1>0$, we have $q^{m-i}+q^{n-i}\le q^{n+m-r-i}+1$, and thus

$$q^{m+n-2i}-q^{m+n-r-i}=q^{n+m-r-i}\left(q^{r-i}-1\right)<q^{m+n-2i}-q^{m-i}-q^{n-i}+1,$$

which implies that

$$\begin{array}{cc}\hfill q^{n-r}& <\frac{q^{m+n-2i}+1-q^{n-i}-q^{m-i}}{q^{m-i}(q^{r-i}-1)}.\hfill \end{array}$$

Since $1+i\le r$, then $q^{m-i}+\left(q^{n-i}+q\right)<q^{m+1-i}+q^{n+1-i}$ and $q^{m+n+1-r-i}\le q^{m+n-2i}$. Adding these inequalities gives us

$$q^{m+n+1-2i}+(q^{m-i}+q^{n-i}+q+q^{m+n+1-r-i})<q^{m+n+1-2i}+1+(q^{m+1-i}+q^{n+1-i}+q^{m+n-2i}).$$

We have

$$\begin{array}{c}(q^{m+n-2i}+1-q^{n-i}-q^{m-i})(q-1)\hfill \\ =q^{m+n+1-2i}+q-q^{n+1-i}-q^{m+1-i}-q^{m+n-2i}-1+q^{m-i}+q^{n-i}\hfill \\ <q^{m+n+1-2i}-q^{m+n+1-r-i}\hfill \\ =q^{n-r+1}{q}^{m-i}\left(q^{r-i}-1\right),\hfill \end{array}$$

which implies that

$$\begin{array}{cc}\hfill \frac{q^{m+n-2i}+1-q^{n-i}-q^{m-i}}{q^{m-i}\left(q^{r-i}-1\right)}& <\frac{q^{n-r+1}}{q-1}=q^{n-r}\left(\frac{q}{q-1}\right).\hfill \end{array}$$

This completes the proof for the inequalities. □

Now, we prove an upper bound and a lower bound for $T_r^{(m\times n)}$:

Proposition 2.

Let $r<min\{m,n\}$; then, the number of $m\times n$ matrices over ${\mathbb{F}}_q$ of rank r is bounded by

$$q^{r(m+n-r)}<T_r^{(m\times n)}<\frac{q^{r(m+n+1-r)}}{{(q-1)}^r}.$$

Proof. 

Assuming that $m\ge n>r$, recall that $Q_r\left(x\right)={\prod }_{i=0}^{r-1}(x-q^i)$, and we have

$$T_r^{(m\times n)}=\frac{Q_r\left(q^m\right)Q_r\left(q^n\right)}{Q_r\left(q^r\right)}=q^{mr}\prod _{i=0}^{r-1}\left(1-\frac{q^i}{q^m}\right)\left(\frac{q^{n-i}-1}{q^{r-i}-1}\right).$$

By Lemma 4,

$$\begin{array}{cc}\hfill q^{mr}\prod _{i=0}^{r-1}\left(q^{n-r}\right)& =q^{r(m+n-r)}\hfill \\ & <T_r^{(m\times n)}\hfill \\ & <q^{mr}\prod _{i=0}^{r-1}\left(q^{n-r}\left(\frac{q}{q-1}\right)\right)\hfill \\ & =\frac{q^{r(m+n+1-r)}}{{(q-1)}^r}.\hfill \end{array}$$

For $n\ge m>r$, the statement could be proved by switching the term m and n in the statement and in Lemma 4. □

Proposition 3.

Assuming that $m\ge n\ge 5$, then $T_{n-1}^{(m\times n)}=\frac{(q^n-1)}{(q-1)(q^m-q^{n-1})}{T}_n^{(m\times n)}$.

Proof. 

Recalling Proposition 1,

$$\begin{array}{cc}\hfill T_{n-1}^{(m\times n)}& =\frac{Q_{n-1}\left(q^m\right)Q_{n-1}\left(q^n\right)}{Q_{n-1}\left(q^{n-1}\right)}=\frac{{\prod }_{i=0}^{n-2}(q^n-q^i){\prod }_{i=0}^{n-2}(q^m-q^i)}{{\prod }_{i=0}^{n-2}(q^{n-1}-q^i)}\hfill \\ & =\frac{(q^n-1)q^{n-2}{\prod }_{i=0}^{n-2}(q^{n-1}-q^i){\prod }_{i=0}^{n-2}(q^m-q^i)}{(q^{n-1}-q^{n-2}){\prod }_{i=0}^{n-2}(q^{n-1}-q^i)}\hfill \\ & =\frac{(q^n-1){\prod }_{i=0}^{n-2}(q^m-q^i)}{(q-1)}=\frac{(q^n-1){\prod }_{i=0}^{n-1}(q^m-q^i)}{(q-1)(q^m-q^{n-1})}\hfill \\ & =\frac{(q^n-1)}{(q-1)(q^m-q^{n-1})}{T}_n^{(m\times n)}.\hfill \end{array}$$

This completes the statement. □

4. A New Encryption Scheme

In this section, we propose our new encryption scheme which consists of a public matrix distorted by a matrix of column rank n. We will discuss some strengths of this encryption after the description of the scheme.

Presentation of the Encryption Scheme,PE$=({\mathcal{S}}_{\mathtt{PE}},{\mathcal{K}}_{\mathtt{PE}},{\mathcal{E}}_{\mathtt{PE}},{\mathcal{D}}_{\mathtt{PE}})$.

$\boxed{\mathbf{Setup},{\mathcal{S}}_{\mathtt{PE}}}$ generates global parameters $m>n>k>k^{\prime }\ge 1$, $k^{\prime }=⌊\frac{k}{2}⌋$ and $r\le ⌊\frac{n-k}{2}⌋$. The plaintext space is ${\mathbb{F}}_{q^m}^{k^{\prime }}$. Output parameters $=(m,n,k,k^{\prime },r)$.

$\boxed{\mathbf{Key\; Generation},{\mathcal{K}}_{\mathtt{PE}}}$ Generate invertible matrix $S\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k\times k}$. Generate a generator matrix $G\in {\mathbb{F}}_{q^m}^{k\times n}$ of a linear code ${\mathcal{C}}_G$ with an efficient decoding algorithm ${\mathcal{C}}_G.\mathfrak{Dec}(·)$ able to correct error up to rank r. Generate vector $\mathit{u}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$ such that ${\mathrm{rk}}_q\left(\mathit{u}\right)=n$. Generate invertible matrix $T\stackrel{\$}{\leftarrow }{\mathbb{F}}_q^{n\times n}$. Output public key ${\kappa }_{pub}=\left(G_{pub}=SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T,\mathit{u}\right)$ and private key ${\kappa }_{sec}=(S,G,T)$.

$\boxed{\mathbf{Encryption},{\mathcal{E}}_{\mathtt{PE}}({\kappa }_{pub},\mathit{m})}$ Let $\mathit{m}\in {\mathbb{F}}_{q^m}^{k^{\prime }}$ be the message to be encrypted. Generate random ${\mathit{m}}_{\mathit{s}}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k-k^{\prime }}$ satisfying ${\mathrm{rk}}_q\left((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)\right)>⌈\frac{3}{4}(n-k)⌉$. Generate random ${\mathit{e}}_1,{\mathit{e}}_2\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$ such that ${\mathrm{rk}}_q\left({\mathit{e}}_1\right)=r_1\le \frac{r}{2}$ and ${\mathrm{rk}}_q\left({\mathit{e}}_2\right)=r_2\le \frac{r}{2}$. Compute ${\mathit{c}}_1=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)+{\mathit{e}}_1$ and ${\mathit{c}}_2=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2$. Output $\mathit{c}=({\mathit{c}}_1,{\mathit{c}}_2)$ as the ciphertext.

$\boxed{\mathbf{Decryption},{\mathcal{D}}_{\mathtt{PE}}\left({\kappa }_{sec},\mathit{c}\right)}$ Returns $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})=\left({\mathcal{C}}_G.\mathfrak{Dec}({\mathit{c}}_2-{\mathit{c}}_{1}T)\right)S^{-1}$.

Remark 1.

By Proposition 2, the number of ${\mathit{e}}_1$ that can be chosen is at least $T_{r_1}^{m\times n}$, which is at least $q^{r_1(m+n-r_1)}$. Similarly, the number of ${\mathit{e}}_2$ that can be chosen is at least $T_{r_2}^{m\times n}$, which is at least $q^{r_2(m+n-r_2)}$

Correctness. The correctness of our encryption scheme relies on the decoding capability of the code $\mathcal{C}$. Using the private keys, we have ${\mathit{c}}_2-{\mathit{c}}_{1}T=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2-\left((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)-{\mathit{e}}_1\right)T=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})SG+{\mathit{e}}_2-{\mathit{e}}_{1}T$. Since ${\mathrm{rk}}_q\left({\mathit{e}}_2-{\mathit{e}}_{1}T\right)\le {\mathrm{rk}}_q\left({\mathit{e}}_2\right)+{\mathrm{rk}}_q\left({\mathit{e}}_{1}T\right)={\mathrm{rk}}_q\left({\mathit{e}}_2\right)+{\mathrm{rk}}_q\left({\mathit{e}}_1\right)\le r$, then the decoding algorithm can decode correctly and retrieve $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})S={\mathcal{C}}_G.\mathfrak{Dec}({\mathit{c}}_2-{\mathit{c}}_{1}T)$. Finally, compute $(\mathit{m},{\mathit{m}}_{\mathit{s}})=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})S{S}^{-1}$ to recover $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})$.

Strengths of the Proposed Encryption.

Recall from Section 1 that there are currently two approaches in constructing a rank metric code based encryption scheme. The idea of the first approach is to scramble the generator matrix G so that the matrix for encryption will appear to be random. As a result, the adversary is not able to decode it correctly. Therefore, the error chosen to encrypt the message in LOI17 Encryption must have rank $\lambda$ times smaller than r. Nevertheless, in our construction, we can choose ${\mathit{e}}_1$ and ${\mathit{e}}_2$ with rank $r_1\le \frac{r}{2}$ and $r_2\le \frac{r}{2},$ respectively. Furthermore, the matrix G in our encryption is scrambled by adding a matrix X, i.e., $G_{pub}=SG+X$, where $X={\mathrm{Cir}}_k\left(\mathit{u}\right)T$ with column rank n as proved in the following:

Corollary 1.

Let $\mathit{u}\in {\mathbb{F}}_{q^m}^n$ such that ${\mathit{rk}}_q\left(\mathit{u}\right)=n$. Then, for any invertible $T\in {\mathbb{F}}_q^{n\times n}$, the column rank of ${\mathit{Cir}}_k\left(\mathit{u}\right)T$, ${\mathit{colrk}}_q\left({\mathit{Cir}}_k\left(\mathit{u}\right)T\right)=n$.

Proof. 

It suffices to show that ${\mathrm{colrk}}_q\left({\mathrm{Cir}}_k\left(\mathit{u}\right)\right)=n$. Since ${\mathrm{colrk}}_q\left({\mathrm{Cir}}_k\left(\mathit{u}\right)\right)\ge {\mathrm{rk}}_q\left(\mathit{u}\right)=n$ by Lemma 3, and ${\mathrm{colrk}}_q\left({\mathrm{Cir}}_k\left(\mathit{u}\right)\right)\le n$, then ${\mathrm{colrk}}_q\left({\mathrm{Cir}}_k\left(\mathit{u}\right)\right)=n$. □

By Corollary 1, our $X={\mathrm{Cir}}_k\left(\mathit{u}\right)T$ chosen has column rank n instead of $t<n$. This will make the reduction of X into the form $XK=(X^{\prime }\mid \mathbf{0})$ (as in Lemma 2) impossible, where K is an invertible $n\times n$ matrix over ${\mathbb{F}}_q$.

On the other hand, the second approach in constructing rank metric code based encryption is to make the generator matrix G publicly known, and introduces an error $\mathit{e}$ with big rank (greater than r) into the ciphertext $\mathit{c}$ to ensure the decoding for retrieval of plaintext $\widehat{\mathit{m}}$ is hard, i.e., $\mathit{c}=\widehat{\mathit{m}}G+\mathit{e}$ and ${\mathrm{rk}}_q\left(\mathit{e}\right)>r$.

In fact, in our encryption scheme, the error term $(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2$ in the ciphertext ${\mathit{c}}_2$ has error larger than r, i.e., ${\mathrm{rk}}_q\left((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2\right)>r$:

Proposition 4.

Let $\mathit{u}=(u_0,u_1,\dots ,u_{n-1})\in {\mathbb{F}}_{q^m}^n$ such that ${\mathit{rk}}_q\left(\mathit{u}\right)=n$. Given $\widehat{\mathit{m}}=(\mathit{m},{\mathit{m}}_{\mathit{s}})\in {\mathbb{F}}_{q^m}^k$ such that ${\mathit{rk}}_q\left((\mathit{m},{\mathit{m}}_{\mathit{s}}){\mathit{Cir}}_k\left(\mathit{u}\right)\right)>⌈\frac{3}{4}(n-k)⌉$. Then, for any ${\mathit{e}}_2\in {\mathbb{F}}_{q^m}^n$ such that ${\mathit{rk}}_q\left({\mathit{e}}_2\right)=r_2$, we have ${\mathit{rk}}_q\left((\mathit{m},{\mathit{m}}_{\mathit{s}}){\mathit{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2\right)>r$.

Proof. 

Given $\widehat{\mathit{m}}=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})\in {\mathbb{F}}_{q^m}^k$ and ${\mathrm{rk}}_q\left((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)\right)>⌈\frac{3}{4}(n-k)⌉$, then, for any ${\mathit{e}}_2\in {\mathbb{F}}_{q^m}^n$ such that ${\mathrm{rk}}_q\left({\mathit{e}}_2\right)=r_2$,

$$\begin{array}{cc}\hfill {\mathrm{rk}}_q\left((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2\right)& \ge {\mathrm{rk}}_q\left((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T\right)-{\mathrm{rk}}_q\left({\mathit{e}}_2\right)\hfill \\ & >\frac{3}{4}(n-k)-r_2\ge \frac{3}{2}r-r_2\hfill \\ & >\frac{3}{2}r-\frac{1}{2}r=r\hfill \end{array}$$

since $T\in {\mathbb{F}}_q^{n\times n}$ is invertible. □

By Proposition 4, we have ${\mathrm{rk}}_q((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2)>r$. The adversary is not able to recover the plaintext $\mathit{m}$ from ${\mathit{c}}_2=(\mathit{m}\parallel {\mathit{m}}_{\mathit{s}})SG+((\mathit{m}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)T+{\mathit{e}}_2)$ even if he knows the structure of the generator matrix G. However, in practicality, G remains unknown to the adversary.

5. IND-CPA Secure Encryption

The desired security property of a public-key encryption scheme is indistinguishability under chosen plaintext attack (IND-CPA). This is normally defined by a security game that is interacting between a challenger and an adversary $\mathcal{A}$. The security game is described as follows:

Set up: Given a security parameter, the challenger first runs the key generation algorithm and send ${\kappa }_{pub}$ to $\mathcal{A}$. Challenge: $\mathcal{A}$ chooses two equal length plaintexts ${\mathit{m}}_0$ and ${\mathit{m}}_1$; and sends these to the challenger. Encrypt challenge messages: The challenger chooses a random $b\in \{0,1\}$, computes a challenge ciphertext $\mathit{c}={\mathcal{E}}_{\mathtt{PE}}({\kappa }_{pub},{\mathit{m}}_b)$ and returns $\mathit{c}$ to $\mathcal{A}$. Guess: $\mathcal{A}$ outputs a bit $b^{\prime }\in \{0,1\}$. $\mathcal{A}$ wins if $b^{\prime }=b$.

The advantage of an adversary $\mathcal{A}$ is defined as

$${\mathsf{Adv}}_{\mathtt{PE},\mathcal{A}}^{\mathtt{IND}-\mathtt{CPA}}\left(\lambda \right)=\left|\mathrm{Pr}[b^{\prime }=b]-\frac{1}{2}\right|.$$

A secure public-key encryption scheme against chosen plaintext attack is formally defined as follows:

Definition 8.

A public-key encryption scheme $\mathtt{PE}=({\mathcal{S}}_{\mathtt{PE}},{\mathcal{K}}_{\mathtt{PE}},{\mathcal{E}}_{\mathtt{PE}},{\mathcal{D}}_{\mathtt{PE}})$ is $(t,ϵ)$-IND-CPAsecure if, for any probabilistic t-polynomial time, the adversary $\mathcal{A}$ has the advantage less than ϵ, that is, ${\mathsf{Adv}}_{\mathtt{PE},\mathcal{A}}^{\mathtt{IND}-\mathtt{CPA}}\left(\lambda \right)<ϵ$.

Lemma 5.

Let ${\mathsf{T}}_1$, ${\mathsf{T}}_2$ and $\mathsf{F}$ be events. Suppose the event ${\mathsf{T}}_2\wedge \neg \mathsf{F}$ occurs if and only if ${\mathsf{T}}_1\wedge \neg \mathsf{F}$ occurs, then $|\mathrm{Pr}\left[{\mathsf{T}}_2\right]-\mathrm{Pr}\left[{\mathsf{T}}_1\right]|\le \mathrm{Pr}\left[\mathsf{F}\right]$(Difference Lemma [27]).

We have the following result which is important in our encryption.

Lemma 6.

Given $m\ge n$, $k\ge 1$, $j\ge 2$ and $r<\frac{n}{2}$. Let $\mathit{x},\mathit{y}\in {\mathbb{F}}_{q^m}^n$, then there exists $\mathit{e}\in {\mathbb{F}}_{q^m}^n$ with ${\mathit{rk}}_q\left(\mathit{e}\right)=r^{\prime }\le \frac{r}{j}$ such that ${\mathit{rk}}_q(\mathit{x}+\mathit{e})\ge r^{\prime }+1$ and ${\mathit{rk}}_q(\mathit{y}+\mathit{e})\ge r^{\prime }+1$.

Proof. 

Let $\mathit{x},\mathit{y}\in {\mathbb{F}}_{q^m}^n$ such that ${\mathrm{rk}}_q\left(\mathit{x}\right)=a$ and ${\mathrm{rk}}_q\left(\mathit{y}\right)=b$. We prove the statement by consider different cases for a and b.

Case 1 ($\frac{2}{j}r+1\le a\le n$ and $\frac{2}{j}r+1\le b\le n$): Let $\mathit{e}$ be any element in ${\mathbb{F}}_{q^m}^n$ such that ${\mathrm{rk}}_q\left(\mathit{e}\right)=r^{\prime }\le \frac{r}{j}$. Then ${\mathrm{rk}}_q(\mathit{x}+\mathit{e})\ge {\mathrm{rk}}_q\left(\mathit{x}\right)-{\mathrm{rk}}_q\left(\mathit{e}\right)=a-\frac{r}{j}\ge \frac{2}{j}r+1-\frac{r}{j}=\frac{r}{j}+1\ge r^{\prime }+1$. Similarly, ${\mathrm{rk}}_q(\mathit{y}+\mathit{e})\ge {\mathrm{rk}}_q\left(\mathit{y}\right)-{\mathrm{rk}}_q\left(\mathit{e}\right)=b-\frac{r}{j}\ge \frac{2}{j}r+1-\frac{r}{j}=\frac{r}{j}+1\ge r^{\prime }+1$.

Case 2 ($1\le a\le \frac{2}{j}r$ and $\frac{2}{j}r+1\le b\le n$): Since ${\mathrm{rk}}_q\left(\mathit{x}\right)=a$, by Lemma 1, $\mathit{x}=(x_1,\dots ,x_a)A$, where $x_1,\dots ,x_a$ are linearly independent and A is an $a\times n$ matrix over ${\mathbb{F}}_q$ of rank a. Let $\mathcal{X}=\{x_1,\dots ,x_a\}$, consider a basis $\mathcal{B}$ of ${\mathbb{F}}_{q^m}$ such that $\mathcal{X}\subset \mathcal{B}$ and let ${\mathcal{B}}_e=\mathcal{B}\backslash \mathcal{X}$. Note that $|{\mathcal{B}}_e|=m-a\ge n-a\ge n-\frac{2}{j}r>\frac{r}{j}\ge r^{\prime }$. Then, we can form $\mathit{e}$ of rank $r^{\prime }$ by choosing $r^{\prime }$ elements from ${\mathcal{B}}_e$, and we have ${\mathrm{rk}}_q(\mathit{x}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{x}$ are linearly independent with elements in $\mathit{e}$. With this $\mathit{e}$, we have ${\mathrm{rk}}_q(\mathit{y}+\mathit{e})\ge {\mathrm{rk}}_q\left(\mathit{y}\right)-{\mathrm{rk}}_q\left(\mathit{e}\right)=b-r^{\prime }\ge \frac{2}{j}r+1-r^{\prime }\ge r^{\prime }+1$.

Case 3 ($\frac{2}{j}r+1\le a\le n$ and $1\le b\le \frac{2}{j}r$): This case follows the proof of Case 2 by interchanging the term a with b, and $\mathit{x}$ with $\mathit{y}$.

Case 4 ($1\le a\le \frac{2}{j}r$ and $1\le b\le \frac{2}{j}r$): Since ${\mathrm{rk}}_q\left(\mathit{x}\right)=a$, by Lemma 1, $\mathit{x}=(x_1,\dots ,x_a)A$, where $x_1,\dots ,x_a$ are linearly independent and A is an $a\times n$ matrix over ${\mathbb{F}}_q$ of rank a. Similarly, since ${\mathrm{rk}}_q\left(\mathit{y}\right)=b$, by Lemma 1, $\mathit{y}=(y_1,\dots ,y_b)B$, where $y_1,\dots ,y_b$ are linearly independent and B is an $b\times n$ matrix over ${\mathbb{F}}_q$ of rank b. Let $\mathcal{X}=\{x_1,\dots ,x_a\}$ and $\mathcal{Y}=\{y_1,\dots ,y_b\}$, consider a basis $\mathcal{B}$ of ${\mathbb{F}}_{q^m}$ such that $\mathcal{X}\cup \mathcal{Y}\subset \mathcal{B}$ and let ${\mathcal{B}}_e=\mathcal{B}\backslash (\mathcal{X}\cup \mathcal{Y})$.

If $j\ge 3$, since $|\mathcal{X}\cup \mathcal{Y}|\le \frac{4}{j}r$ and $jn\ge 3n\ge 6r$, then $|{\mathcal{B}}_e|\ge m-\frac{4}{j}r\ge n-\frac{4}{j}r\ge \frac{6}{j}r-\frac{4}{j}r>\frac{r}{j}>r^{\prime }$. We can form $\mathit{e}$ of rank $r^{\prime }$ by choosing $\frac{r}{j}$ elements from ${\mathcal{B}}_e$. Thus, we have ${\mathrm{rk}}_q(\mathit{x}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{x}$ are linearly independent with elements in $\mathit{e}$, and ${\mathrm{rk}}_q(\mathit{y}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{y}$ are linearly independent with elements in $\mathit{e}$.

If $j=2$, then we further break this case into the following subcases:

$\underline{1\le a\le \frac{r}{2} \mathrm{or} 1\le b\le \frac{r}{2}}$: WLOG, assume that $1\le a\le \frac{r}{2}$, then $|{\mathcal{B}}_e|=m-(a+b)\ge n-(a+b)\ge n-\left(\frac{r}{2}+r\right)>\frac{r}{2}\ge r^{\prime }$. We can form $\mathit{e}$ of rank $r^{\prime }$ by choosing $r^{\prime }$ elements from ${\mathcal{B}}_e$. Thus, we have ${\mathrm{rk}}_q(\mathit{x}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{x}$ are linearly independent with elements in $\mathit{e}$, and ${\mathrm{rk}}_q(\mathit{y}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{y}$ are linearly independent with elements in $\mathit{e}$.

$\underline{1+\frac{r}{2}\le a\le r \mathrm{and} 1+\frac{r}{2}\le b\le r}$: WLOG, assume that $a\ge b$. If $\mathcal{Y}\subseteq \mathcal{X}$, then $|{\mathcal{B}}_e|=m-a\ge n-a\ge n-r>\frac{r}{2}\ge r^{\prime }$. We can form $\mathit{e}$ of rank $r^{\prime }$ by choosing $r^{\prime }$ elements from ${\mathcal{B}}_e$. Thus, we have ${\mathrm{rk}}_q(\mathit{x}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{x}$ are linearly independent with elements in $\mathit{e}$, and ${\mathrm{rk}}_q(\mathit{y}+\mathit{e})\ge r^{\prime }+1$ since elements in $\mathit{y}$ are linearly independent with elements in $\mathit{e}$. If $\mathcal{Y}⊈\mathcal{X}$, let $\mathcal{Z}=\mathcal{X}\cap \mathcal{Y}$ and $t=\left|\mathcal{Z}\right|$. Let $a^{\prime }=a-\frac{r}{2}$, $b^{\prime }=b-\frac{r}{2}$, and $v=\frac{r}{2}-t$, pick v elements $x_1^{\prime },\dots ,x_v^{\prime }\in \mathcal{X}\backslash \mathcal{Z}$ and another v elements $y_1^{\prime },\dots ,y_v^{\prime }\in \mathcal{Y}\backslash \mathcal{Z}$. Then, considering ${\mathcal{B}}_{\mathcal{N}}=\mathcal{B}\backslash (\{x_1^{\prime },\dots ,x_v^{\prime },y_1^{\prime },\dots ,y_v^{\prime }\}\cup \mathcal{Z})$, we have $|{\mathcal{B}}_{\mathcal{N}}|=m-(2v+t)\ge n-(2v+t)=n-(r-t)=n-r+t>n-r>\frac{r}{2}\ge r^{\prime }$. We can form $\mathit{e}$ of rank $r^{\prime }$ by choosing $r^{\prime }$ elements from ${\mathcal{B}}_{\mathcal{N}}$ (with at least one element from ${\mathcal{B}}_e$), and the elements picked will only decrease the rank of $\mathit{x}$ and $\mathit{y}$ at most by $a^{\prime }-1$ and $b^{\prime }-1$, respectively. Therefore, we have ${\mathrm{rk}}_q(\mathit{x}+\mathit{e})\ge a-(a^{\prime }-1)\ge \frac{r}{2}+1\ge r^{\prime }+1$ and ${\mathrm{rk}}_q(\mathit{y}+\mathit{e})\ge b-(b^{\prime }-1)\ge \frac{r}{2}+1\ge r^{\prime }+1$. □

Now, suppose the challenger adversary chooses two equal length plaintexts ${\mathit{m}}_0,{\mathit{m}}_1\in {\mathbb{F}}_{q^m}^{k^{\prime }}$ and sends these to the challenger. By the following lemma, the challenger is able to choose a random ${\mathit{m}}_{\mathit{s}}\in {\mathbb{F}}_{q^m}^{k-k^{\prime }}$, ${\mathit{e}}_1,{\mathit{e}}_2\in {\mathbb{F}}_{q^m}^n$ such that the conditions (2)–(7) are satisfied:

Lemma 7.

Given ${\mathit{m}}_0,{\mathit{m}}_1\in {\mathbb{F}}_{q^m}^{k^{\prime }}$ and ${\mathit{m}}_{\mathit{s}}\in {\mathbb{F}}_{q^m}^{k-k^{\prime }}$, there exists ${\mathit{e}}_1,{\mathit{e}}_2\in {\mathbb{F}}_{q^m}^n$ such that

$$\begin{array}{cc}\hfill {\mathit{rk}}_q\left({\mathit{e}}_1\right)=r_1& \le r/2,\hfill \end{array}$$

(2)

$$\begin{array}{cc}\hfill {\mathit{rk}}_q(({\mathbf{0}}_{k^{\prime }}\parallel {\mathit{m}}_{\mathit{s}}){\mathit{Cir}}_k\left(\mathit{u}\right)+{\mathit{e}}_1)& \ge r_1+1,\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill {\mathit{rk}}_q(({\mathit{m}}_0+{\mathit{m}}_1\parallel {\mathit{m}}_{\mathit{s}}){\mathit{Cir}}_k\left(\mathit{u}\right)+{\mathit{e}}_1)& \ge r_1+1,\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill {\mathit{rk}}_q\left({\mathit{e}}_2\right)=r_2& \le r/2,\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill {\mathit{rk}}_q(({\mathbf{0}}_{k^{\prime }}\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2)& \ge r_2+1,\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill {\mathit{rk}}_q(({\mathit{m}}_0+{\mathit{m}}_1\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2)& \ge r_2+1.\hfill \end{array}$$

(7)

Proof. 

Let ${\mathrm{rk}}_q\left(({\mathbf{0}}_{k^{\prime }}\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)\right)=a_1$ and ${\mathrm{rk}}_q(({\mathit{m}}_0+{\mathit{m}}_1\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)=b_1$, ${\mathrm{rk}}_q\left(({\mathbf{0}}_{k^{\prime }}\parallel {\mathit{m}}_{\mathit{s}})G_{pub}\right)=a_2$ and ${\mathrm{rk}}_q\left(({\mathit{m}}_0+{\mathit{m}}_1\parallel {\mathit{m}}_{\mathit{s}})G_{pub}\right)=b_2$. Then, apply Lemma 6 accordingly. □

Therefore, without knowing any information on ${\mathit{m}}_{\mathit{s}}$, $\mathcal{A}$ is not able to distinguish between ${\mathit{c}}_1+({\mathit{m}}_0\parallel {\mathbf{0}}_{k-k^{\prime }}){\mathrm{Cir}}_k\left(\mathit{u}\right)$ and ${\mathit{c}}_1+({\mathit{m}}_1\parallel {\mathbf{0}}_{k-k^{\prime }}){\mathrm{Cir}}_k\left(\mathit{u}\right)$, between ${\mathit{c}}_2+({\mathit{m}}_0\parallel {\mathbf{0}}_{k-k^{\prime }})G_{pub}$ and ${\mathit{c}}_2+({\mathit{m}}_1\parallel {\mathbf{0}}_{k-k^{\prime }})G_{pub}$, as ${\mathit{e}}_1$, ${\mathit{e}}_2$ are chosen such that Labels (2)–(7) are satisfied. For convenience sake, we have the following notation:

Notation. 

Denote $E_{cir}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$ as the set of all elements in ${\mathbb{F}}_{q^m}^n$ that satisfy (2)–(4); and $E_{G_{pub}}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$ as the set of all elements in ${\mathbb{F}}_{q^m}^n$ that satisfy (5)–(7).

We now state the assumptions for which our encryption is based on:

The Decisional Rank Syndrome Decoding (DRSD) assumption. Let $\mathcal{D}$ be a distinguishing algorithm that takes as input a vector in ${\mathbb{F}}_{q^m}^n$ and a matrix $M\in {\mathbb{F}}_{q^m}^{k\times n}$, and outputs a bit. The DRSD advantage of $\mathcal{D}$ is defined as

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{M,n,k}^{\mathsf{DRSD}}\left(\mathcal{D}\right)& =\left|\mathrm{Pr}\left[\mathit{v}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^k,\mathit{e}\stackrel{\$}{\leftarrow }{\mathcal{E}}_{n,w},\mathit{x}=\mathit{v}M+\mathit{e}:\mathcal{D}(M,\mathit{x})=1\right]\right.\hfill \\ & -\left.\mathrm{Pr}\left[\mathit{y}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n:\mathcal{D}(M,\mathit{y})=1\right]\right|,\hfill \end{array}$$

where ${\mathcal{E}}_{n,w}:=\{\mathit{e}\in {\mathbb{F}}_{q^m}^n:{\mathrm{rk}}_q\left(\mathit{e}\right)=w\}$. The DRSD${}_M$ assumption is the assumption that the advantage ${\mathsf{Adv}}_{M,n,k}^{\mathsf{DRSD}}\left(\mathcal{D}\right)$ is negligible for any $\mathcal{D}$, i.e., ${\mathsf{Adv}}_{M,n,k}^{\mathsf{DRSD}}\left(\mathcal{D}\right)<{\epsilon }_M$.

Now, we prove that our encryption is IND-CPA secure under DRSD${}_{{\mathrm{Cir}}_k\left(\mathit{u}\right)}$ and DRSD${}_{G_{pub}}$ assumptions.

Theorem 1.

Under the DRSD${}_{{\mathit{Cir}}_k\left(\mathit{u}\right)}$ and DRSD${}_{G_{pub}}$ assumptions, the proposed public-key encryption schemePEisIND-CPAsecure.

Proof. 

To prove the security of the scheme, we are using a sequence of games.

Game ${\mathcal{G}}_0$: This is the real IND-CPA attack game against an adversary $\mathcal{A}$ in the definition of semantic security. We run the following attack game algorithm:

$S\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k\times k}$, $\mathit{u}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$, $T\stackrel{\$}{\leftarrow }{\mathbb{F}}_q^{n\times n}$, ${\kappa }_{pub}\leftarrow (SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T,\mathit{u})$, ${\kappa }_{sec}\leftarrow (S,G,T)$ $(m_0,m_1)\stackrel{\$}{\leftarrow }\mathcal{A}\left({\kappa }_{pub}\right)$ $b\stackrel{\$}{\leftarrow }\{0,1\}$, ${\mathit{m}}_{\mathit{s}}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k-k^{\prime }}$, ${\mathit{e}}_1\stackrel{\$}{\leftarrow }{E}_{cir}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$, ${\mathit{e}}_2\stackrel{\$}{\leftarrow }{E}_{G_{pub}}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$, ${\mathit{c}}_1\leftarrow ({\mathit{m}}_b\parallel {\mathit{m}}_{\mathit{s}}){\mathrm{Cir}}_k\left(\mathit{u}\right)+{\mathit{e}}_1$, ${\mathit{c}}_2\leftarrow ({\mathit{m}}_b\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2$ $\widehat{b}\leftarrow \mathcal{A}({\kappa }_{pub},{\mathit{c}}_1,{\mathit{c}}_2)$ if $\widehat{b}=b$ then return 1 else return 0

Denote $S_0$ the event that $\mathcal{A}$ wins in Game ${\mathcal{G}}_0$. Then,

$${\mathsf{Adv}}_{\mathtt{PE},\mathcal{A}}^{\mathtt{IND}-\mathtt{CPA}}\left(\lambda \right)=\left|\mathrm{Pr}\left[S_0\right]-\frac{1}{2}\right|.$$

Game ${\mathcal{G}}_1$: We now make one small change to ${\mathcal{G}}_0$. In this game, we pick a random vector $\mathit{y}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$ and replace ${\mathit{c}}_1$ in ${\mathcal{G}}_0$ for ${\mathcal{E}}_{\mathtt{PE}}({\kappa }_{pub},({\mathit{m}}_b\parallel {\mathit{m}}_{\mathit{s}}))$ by ${\mathit{c}}_1\leftarrow \mathit{y}$:

$S\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k\times k}$, $\mathit{u}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$, $T\stackrel{\$}{\leftarrow }{\mathbb{F}}_q^{n\times n}$, ${\kappa }_{pub}\leftarrow (SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T,\mathit{u})$, ${\kappa }_{sec}\leftarrow (S,G,T)$ $(m_0,m_1)\stackrel{\$}{\leftarrow }\mathcal{A}\left({\kappa }_{pub}\right)$ $b\stackrel{\$}{\leftarrow }\{0,1\}$, ${\mathit{m}}_{\mathit{s}}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k-k^{\prime }}$, ${\mathit{e}}_1\stackrel{\$}{\leftarrow }{E}_{cir}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$, ${\mathit{e}}_2\stackrel{\$}{\leftarrow }{E}_{G_{pub}}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$, $\boxed{\mathit{y}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n,{\mathit{c}}_1\leftarrow \mathit{y},}$${\mathit{c}}_2\leftarrow ({\mathit{m}}_b\parallel {\mathit{m}}_{\mathit{s}})G_{pub}+{\mathit{e}}_2$ $\widehat{b}\leftarrow \mathcal{A}({\kappa }_{pub},{\mathit{c}}_1,{\mathit{c}}_2)$ if $\widehat{b}=b$ then return 1 else return 0

We denote $S_1$ the event that $\mathcal{A}$ wins in Game ${\mathcal{G}}_1$. Under the DRSD${}_{{\mathrm{Cir}}_k\left(\mathit{u}\right)}$ assumption, the two games ${\mathcal{G}}_1$ and ${\mathcal{G}}_0$ are indistinguishable with $\left|\mathrm{Pr}\left[S_1\right]-\mathrm{Pr}\left[S_0\right]\right|\le {\epsilon }_{{\mathrm{Cir}}_k\left(\mathit{u}\right)}$.

Game ${\mathcal{G}}_2$: We now make one small change to ${\mathcal{G}}_1$. In this game, we pick a random vector $\mathit{z}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$ and replace ${\mathit{c}}_2$ in ${\mathcal{G}}_1$ for ${\mathcal{E}}_{\mathtt{PE}}({\kappa }_{pub},({\mathit{m}}_b\parallel {\mathit{m}}_{\mathit{s}}))$ by ${\mathit{c}}_2\leftarrow \mathit{z}$:

$S\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k\times k}$, $\mathit{u}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$, $T\stackrel{\$}{\leftarrow }{\mathbb{F}}_q^{n\times n}$, ${\kappa }_{pub}\leftarrow (SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T,\mathit{u})$, ${\kappa }_{sec}\leftarrow (S,G,T)$ $(m_0,m_1)\stackrel{\$}{\leftarrow }\mathcal{A}\left({\kappa }_{pub}\right)$ $b\stackrel{\$}{\leftarrow }\{0,1\}$, ${\mathit{m}}_{\mathit{s}}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^{k-k^{\prime }}$, ${\mathit{e}}_1\stackrel{\$}{\leftarrow }{E}_{cir}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$, ${\mathit{e}}_2\stackrel{\$}{\leftarrow }{E}_{G_{pub}}({\mathit{m}}_0,{\mathit{m}}_1,{\mathit{m}}_{\mathit{s}})$, $\mathit{y}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n$, ${\mathit{c}}_1\leftarrow \mathit{y}$, $\boxed{\mathit{z}\stackrel{\$}{\leftarrow }{\mathbb{F}}_{q^m}^n,{\mathit{c}}_2\leftarrow \mathit{z},}$ $\widehat{b}\leftarrow \mathcal{A}({\kappa }_{pub},{\mathit{c}}_1,{\mathit{c}}_2)$ if $\widehat{b}=b$ then return 1 else return 0

We denote $S_2$ the event that $\mathcal{A}$ wins in Game ${\mathcal{G}}_2$. Under the DRSD${}_{G_{pub}}$ assumption, the two games ${\mathcal{G}}_2$ and ${\mathcal{G}}_1$ are indistinguishable with $\left|\mathrm{Pr}\left[S_2\right]-\mathrm{Pr}\left[S_1\right]\right|\le {\epsilon }_{G_{pub}}$.

As the ciphertext challenge $\mathit{c}=({\mathit{c}}_1,{\mathit{c}}_2)$ is perfectly random, b is hidden to any adversary $\mathcal{A}$ without any advantage; therefore, $\mathrm{Pr}\left[S_2\right]=\frac{1}{2}$. We have

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{\mathtt{PE},\mathcal{A}}^{\mathtt{IND}-\mathtt{CPA}}\left(\lambda \right)& =\left|\mathrm{Pr}\left[S_0\right]-\frac{1}{2}\right|=\left|\mathrm{Pr}\left[S_0\right]-\mathrm{Pr}\left[S_2\right]\right|\hfill \\ & \le \left|\mathrm{Pr}\left[S_0\right]-\mathrm{Pr}\left[S_1\right]\right|+\left|\mathrm{Pr}\left[S_1\right]-\mathrm{Pr}\left[S_2\right]\right|\hfill \\ & \le {\epsilon }_{{\mathrm{Cir}}_k\left(\mathit{u}\right)}+{\epsilon }_{G_{pub}}.\hfill \end{array}$$

Therefore, under the DRSD${}_{{\mathrm{Cir}}_k\left(\mathit{u}\right)}$ and DRSD${}_{G_{pub}}$ assumption, the proposed public-key encryption scheme PE is IND-CPA secure. □

6. Our Encryption Based on Gabidulin Codes

We propose Gabidulin code as the decodable code $\mathcal{C}$ in our encryption. We analyze the security of the scheme by considering possible structural attacks to cryptanalyze the system based on Gabidulin code. We also give some parameters for our proposal using Gabidulin codes.

6.1. Gabidulin Codes

First, we give the definition for Moore matrix and Gabidulin codes.

Definition 9.

A matrix $G=\left(G_{a,b}\right)\in {\mathbb{F}}_{q^m}^{k\times n}$ is called aMoore matrixinduced by $\mathit{g}$ if there exists a vector $\mathit{g}=(g_1,\dots ,g_n)\in {\mathbb{F}}_{q^m}^n$ such that ith row of G is equal to ${\mathit{g}}^{[i-1]}$ for $i=1,\dots ,k$, i.e., G is in the form of

$$G=\left(\begin{array}{cccc}{g}_1& g_2& \dots & g_n\\ g_1^{\left[1\right]}& g_2^{\left[1\right]}& \dots & g_n^{\left[1\right]}\\ ⋮& ⋮& \ddots & ⋮\\ g_1^{[k-1]}& g_2^{[k-1]}& \dots & g_n^{[k-1]}\end{array}\right),$$

(8)

where $\left[i\right]:=q^i$ is the ith Frobenius power. Similarly, we define $G^{\left(\right[i\left]\right)}=\left(G_{a,b}^{\left[i\right]}\right)$. In addition, for any set $S\subset {\mathbb{F}}_{q^m}^n$, we denote $S^{\left(l\right)}=\{{\mathit{s}}^{\left(\right[l\left]\right)}\mid \mathit{s}\in S\}$.

Definition 10.

Let $\mathit{g}\in {\mathbb{F}}_{q^m}^n$ with ${\mathit{rk}}_q\left(\mathit{g}\right)=n$. The $[n,k]$-Gabidulin code ${\mathit{Gab}}_{n,k}\left(\mathit{g}\right)$ over ${\mathbb{F}}_{q^m}$ of dimension k and generator vector $\mathit{g}$ is the code generated by a Moore matrix G induced by $\mathit{g}$.

The error-correcting capability of ${\mathrm{Gab}}_{n,k}\left(\mathit{g}\right)$ is $r=\lfloor \frac{n-k}{2}\rfloor$. There exist efficient decoding algorithms for Gabidulin codes up to the rank error correcting capability (for example, [4]).

6.2. Structural Attack on Gabidulin Code

We examine some common existing attacks against Gabidulin codes and argue that our proposal resists these attacks.

Frobenius Weak Attack. The principle of the Frobenius weak attack (for more details, please refer to [18]) is to form an extension code ${\mathcal{C}}_{ext}$ from the code ${\mathcal{C}}_{pub}$ generated by $G_{pub}$ and the error term in the ciphertext. In particular,

$${\mathcal{C}}_{ext}:=\sum _{i=0}^{r-1}{\left(\mathcal{C}+⟨\mathit{e}⟩\right)}^{\left[t^{\prime }i\right]},$$

where $gcd(t^{\prime },m)=1$ and ${\mathrm{rk}}_q\left(\mathit{e}\right)=r$. One of the necessary conditions for the complexity of solving the RSD for $\mathcal{C}$ to be polynomial time, via the proposed method is ${dim}_{{\mathbb{F}}_{q^m}}\left({\mathcal{C}}_{ext}\right)\ne n$. Although in our system our error terms ${\mathit{e}}_1$ and ${\mathit{e}}_2$ both have ranks of $\frac{r}{2}$, due to the structure of $G_{pub}$, we have ${dim}_{{\mathbb{F}}_{q^m}}\left({\mathcal{C}}_{ext}\right)=n$ when $\mathcal{C}$ is chosen to be generated by $G_{pub}$, which makes the system secure against this attack.

Key Recovery Attack. Consider the structure of $G_{pub}$:

$$\begin{array}{cc}\hfill G_{pub}& =SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T\hfill \\ & =\left(\begin{array}{ccc}{s}_{11}& \dots & s_{1k}\\ ⋮& \ddots & ⋮\\ s_{k1}& \dots & s_{kk}\end{array}\right)\left(\begin{array}{ccc}{g}_1& \dots & g_n\\ g_1^{\left[1\right]}& \dots & g_n^{\left[1\right]}\\ ⋮& \ddots & ⋮\\ g_1^{[k-1]}& \dots & g_n^{[k-1]}\end{array}\right)\hfill \\ & +\left(\begin{array}{cccc}{u}_0& u_1& \dots & u_{n-1}\\ u_{n-1}& u_0& \dots & u_{n-2}\\ ⋮& ⋮& \ddots & ⋮\\ u_{n-k+1}& u_{n-k+2}& \dots & u_{n-k}\end{array}\right)\left(\begin{array}{ccc}{t}_{11}& \dots & t_{1n}\\ ⋮& \ddots & ⋮\\ t_{n1}& \dots & t_{nn}\end{array}\right).\hfill \end{array}$$

Note that the above linear system has $kn$ equations, with $k^2+kn$ unknown variables over ${\mathbb{F}}_{q^m}$ and $n^2$ linear variables over ${\mathbb{F}}_q$. Now, consider $G_{pub}^{\left[i\right]}$:

$$\begin{array}{cc}\hfill G_{pub}^{\left[1\right]}& =S^{\left[1\right]}{G}^{\left[1\right]}+{\mathrm{Cir}}_k{\left(\mathit{u}\right)}^{\left[1\right]}{T}^{\left[1\right]}\hfill \\ & =\left(\begin{array}{ccc}{s}_{11}^{\left[1\right]}& \dots & s_{1k}^{\left[1\right]}\\ ⋮& \ddots & ⋮\\ s_{k1}^{\left[1\right]}& \dots & s_{kk}^{\left[1\right]}\end{array}\right)\left(\begin{array}{ccc}{g}_1^{\left[1\right]}& \dots & g_n^{\left[1\right]}\\ g_1^{\left[2\right]}& \dots & g_n^{\left[2\right]}\\ ⋮& \ddots & ⋮\\ g_1^{\left[k\right]}& \dots & g_n^{\left[k\right]}\end{array}\right)+\left(\begin{array}{ccc}{u}_0^{\left[1\right]}& \dots & u_{n-1}^{\left[1\right]}\\ u_{n-1}^{\left[1\right]}& \dots & u_{n-2}^{\left[1\right]}\\ ⋮& \ddots & ⋮\\ u_{n-k+1}^{\left[1\right]}& \dots & u_{n-k}^{\left[1\right]}\end{array}\right)\left(\begin{array}{ccc}{t}_{11}& \dots & t_{1n}\\ ⋮& \ddots & ⋮\\ t_{n1}& \dots & t_{nn}\end{array}\right).\hfill \end{array}$$

This new linear system has $kn$ equations, with $k^2+n$ new unknown variables over ${\mathbb{F}}_{q^m}$. Then, the linear systems $G_{pub},\dots ,G_{pub}^{[m-k]}$ have a total of $(m-k+1)kn$ equations with a total of $(m-k+1)k^2+mn$ unknown variables over ${\mathbb{F}}_{q^m}$ and $n^2$ unknown variables over ${\mathbb{F}}_q$. However, note that solving the equations in $G_{pub},\dots ,G_{pub}^{[m-k]}$ is equivalent to solving a multivariant quadratic problem.

  Reduction Attack. Otmani, Kalachi, and Ndjeya [16] show that a matrix of the form $G_{pub}=SG+X$ where X is a random $k\times n$ matrix over ${\mathbb{F}}_{q^m}$ with column rank $t<r<n$ could be reduced into the form

$$G_{pub}=SG+X=S(G+S^{-1}X)=S(\overline{X}\mid \overline{G})Q,$$

(9)

where $\overline{X}$ is some random $k\times t$ matrix over ${\mathbb{F}}_{q^m}$, Q is an invertible $n\times n$ matrix over ${\mathbb{F}}_q$ and $\overline{G}$ is a generator matrix of a $[n-t,k]$-Gabidulin code generated by some ${\mathit{g}}^{\prime }\in {\mathbb{F}}_{q^m}^{n-t}$. By applying Lemma 2, this reduction is possible due to the structure of X which can be written into the form of $XK=(X^{\prime }\mid {\mathbf{0}}_{k\times (n-t)}),$ where ${\mathrm{colrk}}_q\left(X^{\prime }\right)=t$ and K is an invertible $n\times n$ matrix over ${\mathbb{F}}_q$. These $n-t$ columns of zeroes enable the adversary to decompose $G+S^{-1}X$ into random components, $\overline{X}$ and a Moore matrix component, $\overline{G}$. The adversary can then apply Overbeck’s attack [10] and cryptanalyze the system.

However, in our encryption system, $G_{pub}=SG+{\mathrm{Cir}}_k\left(\mathit{u}\right)T$. By Corollary 1, ${\mathrm{Cir}}_k\left(\mathit{u}\right)T$ has column rank n, thus the adversary is not able to rewrite ${\mathrm{Cir}}_k\left(\mathit{u}\right)T$ in the form of Label (1) which has columns of zero. Therefore, $G_{pub}$ could not be reduced into components of random matrix and Moore matrix of the form (9). Overbeck’s attack cannot be applied in our case.

Moore Decomposition Attack. The Moore Decomposition attack on GPT cryptosystem is the extension of the Overbeck attack [10]. Therefore, it suffices for us to show that a cryptosystem is resistant to the Moore Decomposition attack. We now briefly present the idea of Moore Decomposition attack in the following (for more details, please refer to Section 3 and Section 4 [18]):

Consider $G_{pub}=SG+X=S(G+S^{-1}X)$, since ${\mathrm{colrk}}_q\left(X\right)=t<r$, we have ${\mathrm{colrk}}_q\left(S^{-1}X\right)=t$. Consider a minimal column rank Moore decomposition for $S^{-1}X=X_{\mathrm{Moore}}+Z$, where $X_{\mathrm{Moore}}$ is a Moore matrix and Z is a non-Moore component which has the lowest possible column rank. Denote $s={\mathrm{colrk}}_q\left(Z\right)$. Since $d_R^{\min }\left({\mathrm{Gab}}_{n,k}\left(\mathit{g}\right)\right)=n-k+1\ge s+t+2$, by Corollary 3.12 in [18], all the elements of rank one in ${\sum }_{i=0}^s{⟨G+X⟩}^{\left(\right[i\left]\right)}$ belong to the Grassman support of X. The adversary is able to find a full rank matrix $U\in {\mathbb{F}}_q^{s^{\prime }\times n}$ for $s\le s^{\prime }\le t$ such that ${\mathrm{supp}}_{\mathrm{Gr}}\left(Z\right)\subseteq {⟨U⟩}_{{\mathbb{F}}_{q^m}}\subseteq {\mathrm{supp}}_{\mathrm{Gr}}\left(X\right)$ and compute $H\in {\mathbb{F}}_q^{(n-s^{\prime })\times n}$, a parity check matrix for ${⟨U⟩}_{{\mathbb{F}}_{q^m}}$. By Theorem 4.1 in [18], the adversary can recover $\mathit{m}$ in polynomial time.

In our encryption system, ${\mathrm{Cir}}_k\left(u\right)T$ has column rank n by Corollary 1. Consider a minimal column rank Moore decomposition for $S^{-1}{\mathrm{Cir}}_k\left(u\right)T=M_{\mathrm{Moore}}+W,$ where W is a non-Moore component which has the lowest possible column rank s. Note that, in our case, $t=n$, thus we have $d_R^{\min }\left({\mathrm{Gab}}_{n,k}\left(\mathit{g}\right)\right)=n-k+1<s+n+2$. As it requires $d_R^{\min }\left({\mathrm{Gab}}_{n,k}\left(\mathit{g}\right)\right)>s+t+2$ to apply Corollary 3.12 in [18], this condition is not satisfied in our case, thus Theorem 4.1 in [18] could not be used to recover the encrypted message.

6.3. Proposed Parameters

We propose some parameters for our encryption scheme. We consider $m>n$ and $r_1=r_2=\lfloor \frac{r}{2}\rfloor$. Denote the post-quantum complexity for combinatorial and algebraic attacks as “Comb” and “Alg”, respectively. We use the complexities in Section 2.4 as the lower bound of the complexity by replacing $r=r_1=r_2$ in the calculation. Following Loidreau’s application [21] of Grover’s algorithm, the exponential term in the decoding complexity should be square rooted [28]. The public key size is $\frac{knm+nm}{8}{log}_2\left(q\right)$ bytes. Table 3 is the parameters for $2^{128}$ and $2^{256}$ bits post-quantum security.

Table 3. Parameters of our cryptosystem for $2^{128}$ and $2^{256}$ bits post-quantum security.

	q	m	n	k	${\mathit{r}}_1$	${\mathit{r}}_2$	r	Public Key Size	Post-Quantum Security
PC-I	2	71	67	22	11	11	22	$13.68$ KB	133
PC-II	2	85	83	16	16	16	33	$14.99$ KB	134
PC-III	2	103	101	29	18	18	36	$39.01$ KB	262
PC-IV	2	113	107	26	20	20	40	$40.81$ KB	268

Comparison with LOI17 Encryption for similar post-quantum decoding complexity (at $2^{140}$) [21]. We include the formula $m^3{2}^{\frac{1}{2}\left(r-1\right)⌊\frac{k\min \{m,n\}}{n}⌋}$ in the lower bounds as it was used in [21] to evaluate the complexities of the attack on RSD. Table 4 is the comparison for our encryption PCir and LOI17 encryption.

Table 4. Comparison of parameters between our cryptosystem and LOI17 Encryption.

Encryption	q	m	n	k	${\mathit{r}}_1$	${\mathit{r}}_2$	r	Public Key Size	Post-Quantum Security
PC-V	2	75	73	21	13	13	26	$15.06$KB	141
PC-VI	2	85	83	18	16	16	32	$16.76$KB	144
LOI17-I	2	128	90	24	-	-	11	21.50 KB	140
LOI17-II	2	128	120	80	-	-	4	51.00 KB	141

Our encryption has the following strengths:

i.

Our encryption has larger rank of error $r_1$ and $r_2$.

ii.

At similar security, our key size ($15.06$ KB) is smaller than the key size of LOI17 Encryption ($21.50$ KB). Our encryption scheme can provide better post quantum security with smaller key size.

7. Conclusions

This paper has proposed a new rank metric encryption based on the difficulty of the Rank Syndrome Decoding problem. We modify the original GPT cryptosystem with different considerations for the public matrix. The public matrix is distorted by adding ${\mathrm{Cir}}_k\left(\mathit{u}\right)T$ of column rank n. Our encryption scheme has IND-CPA security under the DRSD${}_{{\mathrm{Cir}}_k\left(\mathit{u}\right)}$ and DRSD${}_{G_{pub}}$ assumptions. Our proposal allows the choice for rank of errors to be $r_1=r_2=\lfloor \frac{r}{2}\rfloor$. Moreover, for similar post-quantum security level of $2^{140}$ bits, our encryption using Gabidulin codes has smaller public key size ($15.1$ KB) than the key size suggested by LOI17 Encryption ($21.5$ KB). Our encryption provides better security with smaller key size.