A New Technique in Rank Metric Code-Based Encryption †

We propose a rank metric code-based encryption scheme based on the hardness of the rank syndrome decoding problem. The scheme uses a public key matrix to which a random distortion matrix over $\mathbb{F}_{q^m}$ of full column rank $n$ is added. We show that IND-CPA security is achievable for our encryption under the assumption of the Decisional Rank Syndrome Decoding problem. Furthermore, we also prove some bounds for the number of matrices of a fixed rank with entries over a finite field. Our proposal allows the choice of the error terms with rank up to $r/2$, where $r$ is the error-correcting capability of a code. Our encryption based on Gabidulin codes has a public key size of 13.68 KB, which is 82 times smaller than the public key size of the McEliece cryptosystem based on Goppa codes. For a similar post-quantum security level of $2^{140}$ bits, our encryption scheme has a smaller public key size than the key size suggested by LOI17 Encryption.


Background and Motivations
In 1978, McEliece [1] proposed a public-key cryptosystem based on Goppa codes in the Hamming metric. A message $m$ is encrypted with the public key $G_{pub} = SGP$, where $G$ is a generator matrix of a Goppa code, $S$ is a random invertible matrix and $P$ is a permutation matrix; $S$ and $P$ hide the structure of the matrix $G$. The ciphertext $c$ is computed by adding to the codeword $mG_{pub}$ an error $e$ of Hamming weight less than or equal to $r$, where $r$ is the error-correcting capability of the Goppa code. By decoding $cP^{-1}$ with respect to the Goppa code, $mS$ can be obtained, and thus $m = mSS^{-1}$ is retrieved. Although the original McEliece cryptosystem is still considered secure today, the large key size of Goppa codes (approximately 1 MB) makes it less practical in applications. Many variants based on alternative families of codes were proposed to tackle this problem, yet many of them were proved to be insecure (for instance, [2,3]).
As an alternative to the Hamming metric, in 1985, Gabidulin introduced the rank metric and the Gabidulin codes [4] over a finite field with $q^m$ elements, $\mathbb{F}_{q^m}$. Later, in 1991, Gabidulin et al. [5] proposed the first rank code-based cryptosystem, namely the GPT cryptosystem, which employs a similar idea to the McEliece cryptosystem to distort the public key matrix. They considered $G_{pub} = SG + X$, where $S$ is a random invertible $k \times k$ matrix over $\mathbb{F}_{q^m}$, $G$ is a generator matrix of Gabidulin codes, and $X$ is a random matrix over $\mathbb{F}_{q^m}$ with column rank $t < n$. However, the GPT cryptosystem was shown to be insecure against Gibson's attack [6]. Since then, reparations of GPT were proposed (for instance, GPT [5], modified GPT [7,8], GGPT [9]); however, because Gabidulin codes contain a huge vector space invariant under the Frobenius automorphism, these cryptosystems were proved to be insecure by Overbeck's attack [10]. Then, proposals such as Gabidulin's General Reparation [11], Gabidulin, Rashwan and Honary [12], GPT with more general column scrambler [12], Loidreau's GGPT [13], and Smart Approach [14] that claimed to resist Overbeck's attack were proposed. The entries in $P^{-1}$ need to be chosen over $\mathbb{F}_{q^m}$ and over $\mathbb{F}_q$ in a certain pattern so that the rank of $eP^{-1}$ will be less than or equal to $r$. However, proposals with $P$ of such a pattern were proved to be insecure, as they could be reduced to GGPT form by the attacks proposed in [15,16]. In addition, some general rank syndrome decoding attacks on Gabidulin codes (for instance, [17][18][19]) are able to attack the variants above with their suggested parameters in polynomial time.
In 2017, two new research papers on rank metric encryption schemes were presented. The first was proposed by Gaborit et al. [20], namely RankPKE, in their construction of a code-based identity-based encryption scheme. The second is a McEliece-type encryption proposed by Loidreau (LOI17) [21] that considers a scrambler matrix $P$ with its inverse $P^{-1}$ over $V$, a $\lambda$-dimensional subspace of $\mathbb{F}_{q^m}$. The term $cP^{-1} = mSG + eP^{-1}$ has error $eP^{-1}$ with $e$ of rank $t$. In other words, the matrix $P^{-1}$ amplifies the rank of $e$, and this leads to a larger public key size as $t$ has to be $\lambda$ times smaller than $r$.

Contributions
In this paper, we propose an encryption scheme based on the hardness of the rank syndrome decoding problem. Our construction hides the structure of the generator matrix of the code by adding a distortion matrix of column rank $n$, with an error of rank larger than $r$ being added into the ciphertext. In particular, let $u \in \mathbb{F}_{q^m}^{n}$ of rank $n$, a message $m \in \mathbb{F}_{q^m}^{k'}$ is encrypted by where $S$ is a random matrix in $GL_k(\mathbb{F}_{q^m})$, $G$ is a generator matrix for a code $C$ with error-correcting capability $r$, $\mathrm{Cir}_k(u)$ is a $k$-partial circulant matrix (refer to Definition 5 for the formal definition), $T$ is a random matrix in $GL_n(\mathbb{F}_q)$, $m_s$ is a random vector in $\mathbb{F}_{q^m}^{k-k'}$ and $e_2$ is a random vector in $\mathbb{F}_{q^m}^{n}$ with rank $r_2 \le r/2$. Note that the term $m_s$ could be chosen such that the term $(m\ m_s)\mathrm{Cir}_k(u)T + e_2$ in $c_2$ has rank larger than n − r 2 (which is greater than $r$).
The term $c_1 = (m\ m_s)\mathrm{Cir}_k(u) + e_1$ is included in the ciphertext, where $e_1$ is a random vector in $\mathbb{F}_{q^m}^{n}$ with rank $r_1 \le r/2$. Decryption could be performed by decoding $c_2 - c_1 T = (m\ m_s)SG + e_2 - e_1 T$ with respect to the code $C$ whenever the rank of $e_2 - e_1 T$ is less than or equal to $r$.
Advantages of Our Proposal. Our proposal has the following advantages:
i. The distortion matrix $\mathrm{Cir}_k(u)T$ is of column rank $n$, which hides the generator matrix $G$ since $T$ is random over $\mathbb{F}_q$.
ii. The error term $(m\ m_s)\mathrm{Cir}_k(u)T + e_2$ has rank at least n − r 2. The adversary is not able to decode the ciphertext correctly since the generator matrix $G$ remains unknown and the rank of $(m\ m_s)\mathrm{Cir}_k(u)T + e_2$ is greater than $r$.
iii. For the case in LOI17 Encryption and other Gabidulin code-based cryptosystems, the multiplication of $P^{-1}$ into $c$ often amplifies the rank of the error term, resulting in a choice of error term with smaller rank in the ciphertext. Similarly, the rank of the error term in RankPKE has to be $\lambda$ times smaller than $r$. On the contrary, in our proposal, we have freedom for the choice of $e_1$ and $e_2$ with rank $r_1 \le r/2$ and $r_2 \le r/2$, respectively.
We show that our encryption scheme has IND-CPA security under the assumption of a Decisional Rank Syndrome Decoding problem. We propose Gabidulin codes as a choice of decodable code in our encryption. Furthermore, for a similar post-quantum security level of $2^{140}$ bits, our encryption scheme has a smaller public key size as compared to the key size suggested by LOI17 Encryption [21].
This paper is organized as follows: we review some preliminaries for the rank metric and circulant matrices in Section 2. We also introduce the hard problems that our encryption is based on and name the best known attacks on the problem. In Section 3, we prove some bounds for the number of matrices of a fixed rank over a finite field and some related results. In Section 4, we describe our proposed cryptosystem and provide proofs for its advantages. In Section 5, we prove that our encryption scheme has IND-CPA security under the assumption of the Decisional Rank Syndrome Decoding problem. In Section 6, we propose the use of Gabidulin codes as a choice for the decodable code $C$ in our encryption, and analyze its security. We also provide some parameters for the proposal based on the Gabidulin codes. Finally, we give our considerations of this paper in Section 7.

Preliminaries
In this section, we recall the definition of the rank metric, which is the core of rank metric code-based cryptosystems. We also introduce the Decisional Rank Syndrome Decoding problem, a hard problem in coding theory for our encryption scheme. We name the best known generic attacks on the Rank Syndrome Decoding problem.

Rank Metric
Let $\mathbb{F}_{q^m}$ be a finite field with $q^m$ elements, where $q$ is a power of a prime. In addition, let $\{\beta_1, \ldots, \beta_m\}$ be a basis of $\mathbb{F}_{q^m}$ over the base field $\mathbb{F}_q$.
Definition 1. A linear code of length $n$ and dimension $k$ is a linear subspace $C$ of the vector space $\mathbb{F}_{q^m}^{n}$.
Given a matrix $M$ with coefficients in a field $F$, the rank of $M$, $\mathrm{rk}(M)$, is the dimension of the row span of $M$ as a vector space over $F$. We denote the row span of a matrix $M$ over $F$ by $\langle M \rangle_F$, or $\langle M \rangle$ when the context is clear. We now define the rank metric of a vector on $\mathbb{F}_{q^m}^{n}$:
Definition 2. Let $x = (x_1, \ldots, x_n) \in \mathbb{F}_{q^m}^{n}$. The rank of $x$ in $\mathbb{F}_q$, denoted by $\mathrm{rk}_q(x)$, is the rank of the matrix $X = (x_{ij}) \in \mathbb{F}_q^{m \times n}$, where $x_j = \sum_{i=1}^{m} x_{ij}\beta_i$.
Equivalently, the rank of $x$ is the dimension over $\mathbb{F}_q$ of the subspace of $\mathbb{F}_{q^m}$ which is spanned by the coordinates of $x$. Note that the rank of a vector is a norm and is independent of the chosen basis. Similarly, we have the following definition of column rank for a matrix in $\mathbb{F}_{q^m}^{k \times n}$:
Definition 3. Let $M \in \mathbb{F}_{q^m}^{k \times n}$. The column rank of $M$ over $\mathbb{F}_q$, denoted by $\mathrm{colrk}_q(M)$, is the maximum number of linearly independent columns over $\mathbb{F}_q$.
We now state a few results related to the rank metric which are important prerequisites for results in later sections.
Lemma 1. Let $x \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(x) = r$; then there exist $\hat{x} \in \mathbb{F}_{q^m}^{r}$ with $\mathrm{rk}_q(\hat{x}) = r$ and $U \in \mathbb{F}_q^{r \times n}$ with $\mathrm{rk}_q(U) = r$ such that $x = \hat{x}U$. This decomposition is unique up to $GL_r(\mathbb{F}_q)$-operation between $\hat{x}$ and $U$ [15].
Definition 4. Let $x \in \mathbb{F}_{q^m}^{n}$ with $\mathrm{rk}_q(x) = r$ and decomposition $x = \hat{x}U$ as in Lemma 1. We call $U$ a Grassman support matrix for $x$ and $\mathrm{supp}_{Gr}(x) = \langle U \rangle_{\mathbb{F}_{q^m}}$ the Grassman support of $x$.
Lemma 2. Let $M \in \mathbb{F}_{q^m}^{k \times n}$ and $\mathrm{colrk}_q(M) = s < n$ [16]. Then, there exist $M' \in \mathbb{F}_{q^m}^{k \times s}$ with $\mathrm{colrk}_q(M') = s$ and $K$ an invertible $n \times n$ matrix over $\mathbb{F}_q$ such that $MK = (M' \mid 0_{k \times (n-s)})$. (1)

Circulant and Partial Circulant Matrix
As mentioned in Section 1, we use a $k$-partial circulant matrix as the distortion matrix for the code with an efficient decoding algorithm. Here, we give the definition of the circulant matrix and the $k$-partial circulant matrix induced by a random vector $x$.
Definition 5. Let $x = (x_0, \ldots, x_{n-1}) \in \mathbb{F}_{q^m}^{n}$. The circulant matrix induced by $x$ is defined as The $k$-partial circulant matrix, $\mathrm{Cir}_k(x)$, induced by $x$ is the first $k$ rows of $\mathrm{Cir}_n(x)$.
In fact, a $k$-partial circulant matrix induced by $x$ has column rank depending on the rank of $x$. We have the following result, which helps us to ensure that the distortion matrix that we choose has the desired column rank:
Proof. Suppose to the contrary that $\mathrm{colrk}_q(\mathrm{Cir}_k(x)) < t$; then, at most $t - 1$ columns of $\mathrm{Cir}_k(x)$ are linearly independent over $\mathbb{F}_q$. Consider the first row of $\mathrm{Cir}_k(x)$: $\{x_0, x_1, \ldots, x_{n-1}\}$; then, at most $t - 1$ elements in $\{x_0, x_1, \ldots, x_{n-1}\}$ are linearly independent over $\mathbb{F}_q$. In other words, $\mathrm{rk}_q(x) \le t - 1$, which is a contradiction to $\mathrm{rk}_q(x) = t$.

Hard Problems in Coding Theory
We describe the hard problems which our cryptosystem is based on.

Definition 6. Rank Syndrome Decoding Problem (RSD).
Let $H$ be a full rank $(n - k) \times n$ matrix over $\mathbb{F}_{q^m}$, $s \in \mathbb{F}_{q^m}^{n-k}$ and $w$ an integer. The Rank Syndrome Decoding Problem RSD$(q, m, n, k, w)$ needs to determine $x \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(x) = w$ and $Hx^T = s^T$.
The RSD problem is analogous to the classical syndrome decoding problem with the Hamming metric. Recently, the RSD problem has been proven to be hard with a probabilistic reduction to the Hamming setting [22].
Let $G \in \mathbb{F}_{q^m}^{k \times n}$ be a full rank parity-check matrix of $H$ in an RSD problem and let $y \in \mathbb{F}_{q^m}^{n}$. Then, the dual version of RSD$(q, m, n, k, w)$ is to determine $m \in \mathbb{F}_{q^m}^{k}$ and $x \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(x) = w$ and $y = mG + x$.
Notation. If $X$ is a finite set, we write $x \xleftarrow{\$} X$ to denote assignment to $x$ of an element randomly sampled from the distribution on $X$.
We now give the definition of the Decisional version of the RSD problem in its dual form:
Definition 7. Decisional RSD Problem (DRSD). Let $G$ be a full rank $k \times n$ matrix over $\mathbb{F}_{q^m}$, $m \in \mathbb{F}_{q^m}^{k}$ and $x \in \mathbb{F}_{q^m}^{n}$ of rank $r$. The Decisional RSD Problem DRSD$(q, m, n, k, w)$ needs to distinguish the pair $(mG + x, G)$ from $(y, G)$ where $y$
It was proved that DRSD is hard in the worst case [20]. Therefore, DRSD is eligible to be a candidate hard problem in coding theory. The hardness of our cryptosystem relies on the DRSD problem (refer to Section 5).

Generic Attacks on RSD
There are generally two types of generic attacks on the RSD problem, namely the combinatorial attack and algebraic attack.
Combinatorial Attack. The combinatorial approach depends on counting the number of possible supports of size $r$ for a rank code of length $n$ over $\mathbb{F}_{q^m}$, which corresponds to the number of subspaces of dimension $r$ in $\mathbb{F}_{q^m}$. We summarize the best combinatorial attacks with their conditions and complexities in Table 1.
Table 1. Best combinatorial attacks on RSD with their conditions and complexities. (Column headers: Conditions; Best Combinatorial Attacks [17,19,23].)
Algebraic Attack. The nature of the rank metric favors algebraic attacks using Gröbner bases, as they are largely independent of the value $q$. These attacks become efficient when $q$ increases. We summarize the complexity of algebraic attacks in Table 2.
Table 2. Best algebraic attacks on RSD with their conditions and complexities.

Rank of Matrix
The following are some results related to the rank of a matrix over a finite field, which are crucial for the construction of our encryption. We provide some bounds for the number of $m \times n$ matrices over $\mathbb{F}_q$ of rank $r < \min\{m, n\}$.

Proposition 1. Denote $T_r^{(m \times n)}$ as the number of $m \times n$ matrices over $\mathbb{F}_q$ of rank $r$; then, T
We need the following lemma to give some bounds for ; it suffices for us to show that $q^{n-r} < \frac{q^{m+n-2i} + 1 - q^{n-i} - q^{m-i}}{q^{m-i}(q^{r-i} - 1)} < q^{n-r}\frac{q}{q-1}$. Since $m - r + 1 > 0$, we have $q^{m-i} + q^{n-i} \le q^{n+m-r-i} + 1$, and thus which implies that .
Since $1 + i \le r$, then $q^{m-i} + q^{n-i} + q < q^{m+1-i} + q^{n+1-i}$ and $q^{m+n+1-r-i} \le q^{m+n-2i}$. Adding these inequalities gives us We have which implies that This completes the proof for the inequalities.
Now, we prove an upper bound and a lower bound for $T_r^{(m \times n)}$:
Proposition 2. Let $r < \min\{m, n\}$; then, the number of $m \times n$ matrices over $\mathbb{F}_q$ of rank $r$ is bounded by ), and we have By Lemma 4, For $n \ge m > r$, the statement could be proved by switching the terms $m$ and $n$ in the statement and in Lemma 4.
This completes the statement.

A New Encryption Scheme
In this section, we propose our new encryption scheme, which consists of a public matrix distorted by a matrix of column rank $n$. We will discuss some strengths of this encryption after the description of the scheme.

Presentation of the Encryption Scheme
The plaintext space is $\mathbb{F}_{q^m}^{k'}$. Output parameters $= (m, n, k, k', r)$.
Key Generation, $K_{PE}$: Generate an invertible matrix $S \xleftarrow{\$} \mathbb{F}_{q^m}^{k \times k}$. Generate a generator matrix $G \in \mathbb{F}_{q^m}^{k \times n}$ of a linear code $C_G$ with an efficient decoding algorithm $C_G.\mathrm{Dec}(\cdot)$ able to correct errors up to rank $r$. Generate vector $u$ public key $\kappa_{pub} = (G_{pub} = SG + \mathrm{Cir}_k(u)T, u)$ and private key $\kappa_{sec} = (S, G, T)$.
Encryption, $E_{PE}(\kappa_{pub}, m)$: Let $m \in \mathbb{F}_{q^m}^{k'}$ be the message to be encrypted. Generate random $\leftarrow \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(e_1) = r_1 \le r/2$ and $\mathrm{rk}_q(e_2) = r_2 \le r$
Remark 1. By Proposition 2, the number of $e_1$ that can be chosen is at least $T_{r_1}^{m \times n}$, which is at least $q^{r_1(m+n-r_1)}$. Similarly, the number of $e_2$ that can be chosen is at least $T_{r_2}^{m \times n}$, which is at least $q^{r_2(m+n-r_2)}$.
Correctness. The correctness of our encryption scheme relies on the decoding capability of the code $C$. Using the private keys, we have $c_2 - c_1 T = (m\ m_s)G_{pub} + e_2 - ((m\ m_s)\mathrm{Cir}_k(u) + e_1)T = (m\ m_s)SG + e_2 - e_1 T$. Since $\mathrm{rk}_q(e_2 - e_1 T) \le \mathrm{rk}_q(e_2) + \mathrm{rk}_q(e_1 T) = \mathrm{rk}_q(e_2) + \mathrm{rk}_q(e_1) \le r$, the decoding algorithm can decode correctly and retrieve (m
Strengths of the Proposed Encryption. Recall from Section 1 that there are currently two approaches in constructing a rank metric code-based encryption scheme. The idea of the first approach is to scramble the generator matrix $G$ so that the matrix for encryption will appear to be random. As a result, the adversary is not able to decode it correctly. Therefore, the error chosen to encrypt the message in LOI17 Encryption must have rank $\lambda$ times smaller than $r$. Nevertheless, in our construction, we can choose $e_1$ and $e_2$ with rank $r_1 \le r/2$ and $r_2 \le r/2$, respectively. Furthermore, the matrix $G$ in our encryption is scrambled by adding a matrix $X$, i.e., $G_{pub} = SG + X$, where $X = \mathrm{Cir}_k(u)T$ has column rank $n$, as proved in the following:
Corollary 1. Let $u \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(u) = n$. Then, for any invertible $T \in \mathbb{F}_q^{n \times n}$, the column rank of $\mathrm{Cir}_k(u)T$ is $\mathrm{colrk}_q(\mathrm{Cir}_k(u)T) = n$.
By Corollary 1, our chosen $X = \mathrm{Cir}_k(u)T$ has column rank $n$ instead of $t < n$. This makes the reduction of $X$ into the form $XK = (X' \mid 0)$ (as in Lemma 2) impossible, where $K$ is an invertible $n \times n$ matrix over $\mathbb{F}_q$.
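The rank-metric facts used so far (Definitions 2 and 3, the column rank of a partial circulant matrix, the correctness bound on $e_2 - e_1 T$, and Corollary 1) can be checked numerically. The following is an added example, not code from the paper: it assumes $q = 2$ and $m = 8$, stores each element of $\mathbb{F}_{2^m}$ as the integer of its coordinates in a fixed basis, assumes a right cyclic shift for the circulant rows, and uses constructed toy vectors.

```python
from functools import reduce

M_BITS = 8  # m (assumed toy value): elements of F_{2^m} are m-bit ints

def rank_f2(values):
    """Dimension of the F_2-span of the given ints (XOR-basis elimination)."""
    basis = []
    for v in values:
        for b in basis:
            v = min(v, v ^ b)  # XOR with b only when that clears b's leading bit
        if v:
            basis.append(v)
    return len(basis)

def rank_q(x):
    """rk_q(x) of Definition 2 for q = 2: F_2-dimension spanned by the coordinates."""
    return rank_f2(x)

def vec_times_T(x, T):
    """x*T for T over F_2; only F_2-linear combinations occur, so XOR suffices."""
    n = len(x)
    return [reduce(lambda a, b: a ^ b, (x[i] for i in range(n) if T[i][j]), 0)
            for j in range(n)]

def mat_times_T(M, T):
    return [vec_times_T(row, T) for row in M]

def partial_circulant(x, k):
    """First k rows of the circulant of x; row i is x shifted right by i (assumed convention)."""
    n = len(x)
    return [[x[(j - i) % n] for j in range(n)] for i in range(k)]

def col_rank_q(M):
    """colrk_q(M) of Definition 3: pack each column into one int, then take its F_2-rank."""
    cols = [sum(M[i][j] << (i * M_BITS) for i in range(len(M)))
            for j in range(len(M[0]))]
    return rank_f2(cols)

def decoder_error(e1, e2, T):
    """e_2 - e_1*T, the error the private decoder sees (subtraction is XOR in characteristic 2)."""
    return [a ^ b for a, b in zip(e2, vec_times_T(e1, T))]

# Constructed toy data (n = 6, k = 3); none of these values come from the paper.
N, K = 6, 3
T = [[1 if j in (i, i + 1) else 0 for j in range(N)] for i in range(N)]  # unitriangular, invertible
U = [1, 2, 4, 8, 16, 32]                 # rk_q(U) = n
E1 = [0x53, 0, 0x53, 0x53, 0, 0]         # rank 1
E2 = [0x0B, 0xA0, 0xAB, 0, 0x0B, 0xA0]   # rank 2
X_LOW = [1, 2, 3, 1, 2, 3]               # rank 2, for the partial-circulant bound

def demo():
    cir = partial_circulant(U, K)
    return {
        "rk(e1), rk(e1*T)": (rank_q(E1), rank_q(vec_times_T(E1, T))),
        "rk(e2 - e1*T)": rank_q(decoder_error(E1, E2, T)),
        "colrk(Cir_k(u))": col_rank_q(cir),
        "colrk(Cir_k(u)*T)": col_rank_q(mat_times_T(cir, T)),
        "rk(x), colrk(Cir_k(x))": (rank_q(X_LOW), col_rank_q(partial_circulant(X_LOW, K))),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Multiplying by an invertible $T$ over $\mathbb{F}_q$ leaves the rank of $e_1$ unchanged, which is why the decoder only has to handle rank at most $r_1 + r_2$, while the distortion $\mathrm{Cir}_k(u)T$ keeps full column rank $n$.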
On the other hand, the second approach in constructing rank metric code-based encryption is to make the generator matrix $G$ publicly known and to introduce an error $e$ with large rank (greater than $r$) into the ciphertext $c$ to ensure that decoding to retrieve the plaintext $m$ is hard, i.e., $c = mG + e$ and $\mathrm{rk}_q(e) > r$.
In fact, in our encryption scheme, the error term $(m\ m_s)\mathrm{Cir}_k(u)T + e_2$ in the ciphertext $c_2$ has rank larger than $r$, i.e., $\mathrm{rk}_q((m\ m_s)\mathrm{Cir}_k(u)T + e_2) > r$: Then, for any $e_2 \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(e_2) = r_2$, we have $\mathrm{rk}_q((m, m_s)\mathrm{Cir}_k(u)T + e_2) > r$.
Proof. Given $m' = (m\ m_s) \in \mathbb{F}_{q^m}^{k}$ and $\mathrm{rk}_q((m\ m_s)\mathrm{Cir}_k(u)) > \frac{3}{4}(n - k)$, then, for any $e_2 \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(e_2) = r_2$, $\mathrm{rk}_q((m\ m_s)\mathrm{Cir}_k(u)T + e_2) \ge \mathrm{rk}_q((m\ m_s)\mathrm{Cir}_k(u)T) - \mathrm{rk}_q(e_2)$ By Proposition 4, we have $\mathrm{rk}_q((m\ m_s)\mathrm{Cir}_k(u)T + e_2) > r$.
The adversary is not able to recover the plaintext $m$ from $c_2 = (m\ m_s)SG + ((m\ m_s)\mathrm{Cir}_k(u)T + e_2)$ even if he knows the structure of the generator matrix $G$. However, in practice, $G$ remains unknown to the adversary.

IND-CPA Secure Encryption
The desired security property of a public-key encryption scheme is indistinguishability under chosen plaintext attack (IND-CPA). This is normally defined by a security game played between a challenger and an adversary $A$. The security game is described as follows:
Set up: Given a security parameter, the challenger first runs the key generation algorithm and sends $\kappa_{pub}$ to $A$.
Challenge: $A$ chooses two equal-length plaintexts $m_0$ and $m_1$, and sends these to the challenger.
Encrypt challenge messages: The challenger chooses a random $b \in \{0, 1\}$, computes a challenge ciphertext $c = E_{PE}(\kappa_{pub}, m_b)$ and returns $c$ to $A$.
The advantage of an adversary $A$ is defined as
A secure public-key encryption scheme against chosen plaintext attack is formally defined as follows:
Definition 8. A public-key encryption scheme $PE = (S_{PE}, K_{PE}, E_{PE}, D_{PE})$ is $(t, \epsilon)$-IND-CPA secure if any probabilistic $t$-polynomial time adversary $A$ has advantage less than $\epsilon$, that is, $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{PE,A}(\lambda) < \epsilon$.
Lemma 5. Let $T_1$, $T_2$ and $F$ be events. Suppose the event $T_2 \wedge \neg F$ occurs if and only if $T_1 \wedge \neg F$ occurs; then $\Pr[T_2] - \Pr[T_1] \le \Pr[F]$ (Difference Lemma [27]).
We have the following result, which is important in our encryption.
Lemma 6. Given $m \ge n$, $k \ge 1$, $j \ge 2$ and $r < \frac{n}{2}$. Let $x, y \in \mathbb{F}_{q^m}^{n}$; then there exists $e \in \mathbb{F}_{q^m}^{n}$ with $\mathrm{rk}_q(e) = r' \le \frac{r}{j}$ such that $\mathrm{rk}_q(x + e) \ge r' + 1$ and $\mathrm{rk}_q(y + e) \ge r' + 1$.
Proof. Let $x, y \in \mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(x) = a$ and $\mathrm{rk}_q(y) = b$. We prove the statement by considering different cases for $a$ and $b$.
Let $e$ be any element in $\mathbb{F}_{q^m}^{n}$ such that $\mathrm{rk}_q(e) = r' \le \frac{r}{j}$. Then $\mathrm{rk}_q(x + e) \ge \mathrm{rk}_q(x)$
Case 2 ($1 \le a \le \frac{2}{j}r$ and $\frac{2}{j}r + 1 \le b \le n$): Since $\mathrm{rk}_q(x) = a$, by Lemma 1, $x = (x_1, \ldots, x_a)A$, where $x_1, \ldots, x_a$ are linearly independent and $A$ is an $a \times n$ matrix over $\mathbb{F}_q$ of rank $a$. Let $\mathcal{X} = \{x_1, \ldots, x_a\}$, consider a basis $\mathcal{B}$ of $\mathbb{F}_{q^m}$ such that $\mathcal{X} \subset \mathcal{B}$ and let $\mathcal{B}_e = \mathcal{B} \setminus \mathcal{X}$. Note that $|\mathcal{B}_e| = m - a \ge n - a \ge n - \frac{2}{j}r > \frac{r}{j} \ge r'$. Then, we can form $e$ of rank $r'$ by choosing $r'$ elements from $\mathcal{B}_e$, and we have $\mathrm{rk}_q(x + e) \ge r' + 1$ since the elements in $x$ are linearly independent of the elements in $e$. With this $e$, we have $\mathrm{rk}_q(y + e) \ge \mathrm{rk}_q(y)$
Case 3 ($\frac{2}{j}r + 1 \le a \le n$ and $1 \le b \le \frac{2}{j}r$): This case follows the proof of Case 2 by interchanging $a$ with $b$, and $x$ with $y$.
Case 4 ($1 \le a \le \frac{2}{j}r$ and $1 \le b \le \frac{2}{j}r$): Since $\mathrm{rk}_q(x) = a$, by Lemma 1, $x = (x_1, \ldots, x_a)A$, where $x_1, \ldots, x_a$ are linearly independent and $A$ is an $a \times n$ matrix over $\mathbb{F}_q$ of rank $a$. Similarly, since $\mathrm{rk}_q(y) = b$, by Lemma 1, $y = (y_1, \ldots, y_b)B$, where $y_1, \ldots, y_b$ are linearly independent and $B$ is a $b \times n$ matrix over $\mathbb{F}_q$ of rank $b$. Let $\mathcal{X} = \{x_1, \ldots, x_a\}$ and $\mathcal{Y} = \{y_1, \ldots, y_b\}$, consider a basis $\mathcal{B}$ of $\mathbb{F}_{q^m}$ such that $\mathcal{X} \cup \mathcal{Y} \subset \mathcal{B}$ and let $\mathcal{B}_e = \mathcal{B} \setminus (\mathcal{X} \cup \mathcal{Y})$.
If $j \ge 3$, since $|\mathcal{X} \cup \mathcal{Y}| \le \frac{4}{j}r$ and $jn \ge 3n \ge 6r$, then $|\mathcal{B}_e| \ge m - \frac{4}{j}r \ge n - \frac{4}{j}r \ge \frac{6}{j}r - \frac{4}{j}r > \frac{r}{j} > r'$. We can form $e$ of rank $r'$ by choosing $\frac{r}{j}$ elements from $\mathcal{B}_e$. Thus, we have $\mathrm{rk}_q(x + e) \ge r' + 1$ since the elements in $x$ are linearly independent of the elements in $e$, and $\mathrm{rk}_q(y + e) \ge r' + 1$ since the elements in $y$ are linearly independent of the elements in $e$.
If $j = 2$, then we further break this case into the following subcases: We can form $e$ of rank $r'$ by choosing $r'$ elements from $\mathcal{B}_e$. Thus, we have $\mathrm{rk}_q(x + e) \ge r' + 1$ since the elements in $x$ are linearly independent of the elements in $e$, and $\mathrm{rk}_q(y + e) \ge r' + 1$ since the elements in $y$ are linearly independent of the elements in $e$.
We can form $e$ of rank $r'$ by choosing $r'$ elements from $\mathcal{B}_e$. Thus, we have $\mathrm{rk}_q(x + e) \ge r' + 1$ since the elements in $x$ are linearly independent of the elements in $e$, and $\mathrm{rk}_q(y + e) \ge r' + 1$ since the elements in $y$ are linearly independent of the elements in $e$.
We can form $e$ of rank $r'$ by choosing $r'$ elements from $\mathcal{B}_N$ (with at least one element from $\mathcal{B}_e$), and the elements picked will only decrease the rank of $x$ and $y$ by at most $a - 1$ and $b - 1$, respectively. Therefore, we have
Now, suppose the adversary chooses two equal-length plaintexts $m_0, m_1 \in \mathbb{F}_{q^m}^{k'}$ and sends these to the challenger. By the following lemma, the challenger is able to choose a random $m_s \in \mathbb{F}_{q^m}^{k-k'}$ and $e_1, e_2 \in \mathbb{F}_{q^m}^{n}$ such that the conditions (2)-(7) are satisfied:
Lemma 7. Given $m_0, m_1 \in \mathbb{F}_{q^m}^{k'}$ and $m_s \in \mathbb{F}_{q^m}^{k-k'}$, there exist $e_1, e_2 \in \mathbb{F}_{q^m}^{n}$ such that
Proof. Let rk q ((0 Then, apply Lemma 6 accordingly.
Therefore, without knowing any information on $m_s$, $A$ is not able to distinguish between as $e_1, e_2$ are chosen such that (2)-(7) are satisfied. For convenience, we have the following notation:
Notation. Denote $E_{cir}(m_0, m_1, m_s)$ as the set of all elements in $\mathbb{F}_{q^m}^{n}$ that satisfy (2)-(4), and $E_{G_{pub}}(m_0, m_1, m_s)$ as the set of all elements in $\mathbb{F}_{q^m}^{n}$ that satisfy (5)-(7).
We now state the assumptions on which our encryption is based: We denote by $S_2$ the event that $A$ wins in Game $G_2$. Under the $\mathrm{DRSD}_{G_{pub}}$ assumption, the two games As the ciphertext challenge $c = (c_1, c_2)$ is perfectly random, $b$ is hidden from any adversary $A$ without any advantage; therefore, $\Pr[S_2] = \frac{1}{2}$. We have Therefore, under the $\mathrm{DRSD}_{\mathrm{Cir}_k(u)}$ and $\mathrm{DRSD}_{G_{pub}}$ assumptions, the proposed public-key encryption scheme PE is IND-CPA secure.

Our Encryption Based on Gabidulin Codes
We propose the Gabidulin code as the decodable code $C$ in our encryption. We analyze the security of the scheme by considering possible structural attacks to cryptanalyze the system based on the Gabidulin code. We also give some parameters for our proposal using Gabidulin codes.

Gabidulin Codes
First, we give the definition for Moore matrix and Gabidulin codes.

Definition 9.
A matrix $G = (G_{a,b}) \in \mathbb{F}_{q^m}^{k \times n}$ is called a Moore matrix induced by $g$ if there exists a vector $g = (g_1, \ldots, g_n) \in \mathbb{F}_{q^m}^{n}$ such that the $i$th row of $G$ is equal to $g^{[i-1]}$ for $i = 1, \ldots, k$, i.e., $G$ is in the form of where $[i] := q^i$ is the $i$th Frobenius power. Similarly, we define $G_{a,b}$. In addition, for any set $S \subset \mathbb{F}_{q^m}^{n}$, we denote $S^{(l)} = \{s^{([l])} \mid s \in S\}$.
Definition 10. Let $g \in \mathbb{F}_{q^m}^{n}$ with $\mathrm{rk}_q(g) = n$. The $[n, k]$-Gabidulin code $\mathrm{Gab}_{n,k}(g)$ over $\mathbb{F}_{q^m}$ of dimension $k$ and generator vector $g$ is the code generated by a Moore matrix $G$ induced by $g$.

The error-correcting capability of Gab
There exist efficient decoding algorithms for Gabidulin codes up to the rank error correcting capability (for example, [4]).
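The Moore structure of Definition 9 is what makes an undisguised Gabidulin code recognizable: applying the Frobenius map to a Moore matrix reproduces all but one of its rows, whereas a generic matrix gains $k$ new independent rows. The following added example (not code from the paper) measures this over a toy field; the field $\mathbb{F}_{2^8}$ with modulus `0x11B`, the vector `G_VEC` and the non-Moore matrix `R_GENERIC` are constructed assumptions.

```python
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over F_2 (assumed field model, q = 2, m = 8)

def gf_mul(a, b):
    """Multiplication in F_{2^8} (shift-and-add with reduction modulo MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r

def gf_inv(a):
    """Inverse of a nonzero element as a^(2^8 - 2), by square-and-multiply."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def frobenius(M):
    """Apply x -> x^q (q = 2) to every entry, i.e. M^[1]."""
    return [[gf_mul(x, x) for x in row] for row in M]

def moore_matrix(g, k):
    """Rows g^[0], ..., g^[k-1], as in Definition 9."""
    rows, cur = [], list(g)
    for _ in range(k):
        rows.append(cur)
        cur = [gf_mul(x, x) for x in cur]
    return rows

def rank_qm(M):
    """Rank over F_{2^8} by Gauss-Jordan elimination."""
    A = [row[:] for row in M]
    rank = 0
    for col in range(len(A[0])):
        piv = next((r for r in range(rank, len(A)) if A[r][col]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = gf_inv(A[rank][col])
        A[rank] = [gf_mul(inv, x) for x in A[rank]]
        for r in range(len(A)):
            if r != rank and A[r][col]:
                f = A[r][col]
                A[r] = [x ^ gf_mul(f, y) for x, y in zip(A[r], A[rank])]
        rank += 1
        if rank == len(A):
            break
    return rank

def frobenius_closure_rank(M):
    """Rank of M stacked on M^[1]: k + 1 for a Moore matrix, up to 2k for a generic one."""
    return rank_qm(M + frobenius(M))

# Constructed toy data: n = 6, k = 3.
G_VEC = [1, 2, 4, 8, 16, 32]             # F_2-independent, so rk_q(g) = n
G_MOORE = moore_matrix(G_VEC, 3)         # generator matrix of Gab_{6,3}(g)
R_GENERIC = [[1, 0, 0, 2, 0, 0],         # a non-Moore generator matrix [I | diag(2, 4, 16)]
             [0, 1, 0, 0, 4, 0],
             [0, 0, 1, 0, 0, 16]]

if __name__ == "__main__":
    print("rank(G):", rank_qm(G_MOORE))
    print("rank([G; G^[1]]):", frobenius_closure_rank(G_MOORE))
    print("rank([R; R^[1]]):", frobenius_closure_rank(R_GENERIC))
```

The gap between $k + 1$ and $2k$ is the structural property the distortion of the public matrix has to hide.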

Structural Attack on Gabidulin Code
We examine some common existing attacks against Gabidulin codes and argue that our proposal resists these attacks.
Frobenius Weak Attack. The principle of the Frobenius weak attack (for more details, please refer to [18]) is to form an extension code $C_{ext}$ from the code $C_{pub}$ generated by $G_{pub}$ and the error term in the ciphertext. In particular, where $\gcd(t, m) = 1$ and $\mathrm{rk}_q(e) = r$. One of the necessary conditions for the complexity of solving the RSD for $C$ to be polynomial time via the proposed method is $\dim_{\mathbb{F}_{q^m}}(C_{ext}) = n$. Although in our system our error terms $e_1$ and $e_2$ both have ranks of $r/2$, due to the structure of $G_{pub}$, we have $\dim_{\mathbb{F}_{q^m}}(C_{ext}) = n$ when $C$ is chosen to be generated by $G_{pub}$, which makes the system secure against this attack.
Key Recovery Attack. Consider the structure of $G_{pub}$: Note that the above linear system has $kn$ equations, with $k^2 + kn$ unknown variables over $\mathbb{F}_{q^m}$ and $n^2$ linear variables over $\mathbb{F}_q$. Now, consider $G_{pub}^{[i]}$: $G_{pub}^{[1]} = S^{[1]}G^{[1]} + \mathrm{Cir}_k(u)^{[1]}T^{[1]} =$ have a total of $(m - k + 1)kn$ equations with a total of $(m - k + 1)k^2 + mn$ unknown variables over $\mathbb{F}_{q^m}$ and $n^2$ unknown variables over $\mathbb{F}_q$. However, note that solving the equations in $G_{pub}, \ldots, G_{pub}^{[m-k]}$ is equivalent to solving a multivariate quadratic problem.
Reduction Attack. Otmani, Kalachi, and Ndjeya [16] show that a matrix of the form $G_{pub} = SG + X$, where $X$ is a random $k \times n$ matrix over $\mathbb{F}_{q^m}$ with column rank $t < r < n$, could be reduced into the form where $X'$ is some random $k \times t$ matrix over $\mathbb{F}_{q^m}$, $Q$ is an invertible $n \times n$ matrix over $\mathbb{F}_q$ and $\bar{G}$ is a generator matrix of an $[n - t, k]$-Gabidulin code generated by some $g \in \mathbb{F}_{q^m}^{n-t}$. By applying Lemma 2, this reduction is possible due to the structure of $X$, which can be written in the form $XK = (X' \mid 0_{k \times (n-t)})$, where $\mathrm{colrk}_q(X') = t$ and $K$ is an invertible $n \times n$ matrix over $\mathbb{F}_q$. These $n - t$ columns of zeroes enable the adversary to decompose $G + S^{-1}X$ into a random component, $X'$, and a Moore matrix component, $\bar{G}$. The adversary can then apply Overbeck's attack [10] and cryptanalyze the system. However, in our encryption system, $G_{pub} = SG + \mathrm{Cir}_k(u)T$. By Corollary 1, $\mathrm{Cir}_k(u)T$ has column rank $n$; thus the adversary is not able to rewrite $\mathrm{Cir}_k(u)T$ in the form of (1), which has columns of zero. Therefore, $G_{pub}$ could not be reduced into components of a random matrix and a Moore matrix of the form (9). Overbeck's attack cannot be applied in our case.
Moore Decomposition Attack. The Moore Decomposition attack on the GPT cryptosystem is the extension of the Overbeck attack [10]. Therefore, it suffices for us to show that a cryptosystem is resistant to the Moore Decomposition attack. We now briefly present the idea of the Moore Decomposition attack in the following (for more details, please refer to Sections 3 and 4 of [18]): Consider $G_{pub} = SG + X = S(G + S^{-1}X)$; since $\mathrm{colrk}_q(X) = t < r$, we have $\mathrm{colrk}_q(S^{-1}X) = t$. Consider a minimal column rank Moore decomposition for $S^{-1}X = X_{Moore} + Z$, where $X_{Moore}$ is a Moore matrix and $Z$ is a non-Moore component which has the lowest possible column rank. Denote $s = \mathrm{colrk}_q(Z)$. Since $d_R^{\min}(\mathrm{Gab}_{n,k}(g)) = n - k + 1 \ge s + t + 2$, by Corollary 3.12 in [18], all the elements of rank one in $\sum_{i=0}^{s} \langle G + X \rangle^{([i])}$ belong to the Grassman support of $X$. The adversary is able to find a full rank matrix $U \in \mathbb{F}_q^{s' \times n}$ for $s \le s' \le t$ such that $\mathrm{supp}_{Gr}(Z) \subseteq \langle U \rangle_{\mathbb{F}_{q^m}} \subseteq \mathrm{supp}_{Gr}(X)$ and compute $H \in \mathbb{F}_q^{(n-s') \times n}$, a parity check matrix for $\langle U \rangle_{\mathbb{F}_{q^m}}$. By Theorem 4.1 in [18], the adversary can recover $m$ in polynomial time.
In our encryption system, $\mathrm{Cir}_k(u)T$ has column rank $n$ by Corollary 1. Consider a minimal column rank Moore decomposition for $S^{-1}\mathrm{Cir}_k(u)T = M_{Moore} + W$, where $W$ is a non-Moore component which has the lowest possible column rank $s$. Note that, in our case, $t = n$; thus we have $d_R^{\min}(\mathrm{Gab}_{n,k}(g)) = n - k + 1 < s + n + 2$. As it requires $d_R^{\min}(\mathrm{Gab}_{n,k}(g)) > s + t + 2$ to apply Corollary 3.12 in [18], this condition is not satisfied in our case; thus Theorem 4.1 in [18] could not be used to recover the encrypted message.

Proposed Parameters
We propose some parameters for our encryption scheme. We consider $m > n$ and $r_1 = r_2 = r/2$. Denote the post-quantum complexity for combinatorial and algebraic attacks as "Comb" and "Alg", respectively. We use the complexities in Section 2.4 as the lower bound of the complexity by replacing $r = r_1 = r_2$ in the calculation. Following Loidreau's application [21] of Grover's algorithm, the exponential term in the decoding complexity should be square rooted [28]. The public key size is $\frac{knm + nm}{8}\log_2(q)$ bytes. Table 3 gives the parameters for $2^{128}$ and $2^{256}$ bits post-quantum security. in the lower bounds as it was used in [21] to evaluate the complexities of the attack on RSD. Table 4 is the comparison of our encryption PCir and LOI17 encryption. Our encryption has the following strengths:
i. Our encryption has larger ranks of error $r_1$ and $r_2$.
ii. At similar security, our key size (15.06 KB) is smaller than the key size of LOI17 Encryption (21.50 KB).
Our encryption scheme can provide better post-quantum security with a smaller key size.

Conclusions
This paper has proposed a new rank metric encryption based on the difficulty of the Rank Syndrome Decoding problem. We modify the original GPT cryptosystem with different considerations for the public matrix. The public matrix is distorted by adding $\mathrm{Cir}_k(u)T$ of column rank $n$.
Our encryption scheme has IND-CPA security under the $\mathrm{DRSD}_{\mathrm{Cir}_k(u)}$ and $\mathrm{DRSD}_{G_{pub}}$ assumptions. Our proposal allows the choice for the rank of errors to be $r_1 = r_2 = r/2$. Moreover, for a similar post-quantum security level of $2^{140}$ bits, our encryption using Gabidulin codes has a smaller public key size (15.1 KB) than the key size suggested by LOI17 Encryption (21.5 KB). Our encryption provides better security with a smaller key size.
This new linear system has $kn$ equations, with $k^2 + n$ new unknown variables over $\mathbb{F}_{q^m}$. Then, the linear systems $G_{pub}, \ldots, G$

Table 3. Parameters of our cryptosystem for $2^{128}$ and $2^{256}$ bits post-quantum security.

Table 4. Comparison of parameters between our cryptosystem and LOI17 Encryption.