Julian Renner

Johannes Kunz, Julian Renner, Georg Maringer et al.

This work compares the performance of software implementations of different Gabidulin decoders. The parameter sets used within the comparison stem from their applications in recently proposed cryptographic schemes. The complexity analysis of the decoders is recalled, counting the occurrence of each operation within the respective decoders. It is shown that knowing the number of operations may be misleading when comparing different algorithms as the run-time of the implementation depends on the instruction set of the device on which the algorithm is executed.

Julian Renner, Sven Puchinger, Antonia Wachter-Zeh et al.

We define and analyze low-rank parity-check (LRPC) codes over extension rings of the finite chain ring $\mathbb{Z}_{p^r}$, where $p$ is a prime and $r$ is a positive integer. LRPC codes have originally been proposed by Gaborit et al.(2013) over finite fields for cryptographic applications. The adaption to finite rings is inspired by a recent paper by Kamche et al. (2019), which constructed Gabidulin codes over finite principle ideal rings with applications to space-time codes and network coding. We give a decoding algorithm based on simple linear-algebraic operations. Further, we derive an upper bound on the failure probability of the decoder. The upper bound is valid for errors whose rank is equal to the free rank.

Julian Renner, Thomas Jerkovits, Hannes Bartz et al.

We address the problem of decoding Gabidulin codes beyond their unique error-correction radius. The complexity of this problem is of importance to assess the security of some rank-metric code-based cryptosystems. We propose an approach that introduces row or column erasures to decrease the rank of the error in order to use any proper polynomial-time Gabidulin code error-erasure decoding algorithm. This approach improves on generic rank-metric decoders by an exponential factor.

Julian Renner, Thomas Jerkovits, Hannes Bartz

An efficient decoding algorithm for horizontally u-interleaved LRPC codes is proposed and analyzed. Upper bounds on the decoding failure rate and the computational complexity of the algorithm are derived. It is shown that interleaving reduces the decoding failure rate exponentially in the interleaving order u whereas the computational complexity grows linearly.

Julien Lavauzelle, Julian Renner

Twisted Reed-Solomon (TRS) codes are a family of codes that contains a large number of maximum distance separable codes that are non-equivalent to Reed--Solomon codes. TRS codes were recently proposed as an alternative to Goppa codes for the McEliece code-based cryptosystem, resulting in a potential reduction of key sizes. The use of TRS codes in the McEliece cryptosystem has been motivated by the fact that a large subfamily of TRS codes is resilient to a direct use of known algebraic key-recovery methods. In this paper, an efficient key-recovery attack on the TRS variant that was used in the McEliece cryptosystem is presented. The algorithm exploits a new approach based on recovering the structure of a well-chosen subfield subcode of the public code. It is proved that the attack always succeeds and breaks the system for all practical parameters in $O(n^4)$ field operations. A software implementation of the algorithm retrieves a valid private key from the public key within a few minutes, for parameters claiming a security level of 128 bits. The success of the attack also indicates that, contrary to common beliefs, subfield subcodes of the public code need to be precisely analyzed when proposing a McEliece-type code-based cryptosystem. Finally, the paper discusses an attempt to repair the scheme and a modification of the attack aiming at Gabidulin-Paramonov-Tretjakov cryptosystems based on twisted Gabidulin codes.

Julian Renner, Sven Puchinger, Antonia Wachter-Zeh

We propose and analyze an interleaved variant of Loidreau's rank-metric cryptosystem based on rank multipliers. We analyze and adapt several attacks on the system, propose design rules, and study weak keys. Finding secure instances requires near-MRD rank-metric codes which are not investigated in the literature. Thus, we propose a random code construction that makes use of the fact that short random codes over large fields are MRD with high probability. We derive an upper bound on the decryption failure rate and give example parameters for potential key size reduction.

Julian Renner, Sven Puchinger, Antonia Wachter-Zeh

We propose the new rank-metric code-based cryptosystem LIGA which is based on the hardness of list decoding and interleaved decoding of Gabidulin codes. LIGA is an improved variant of the Faure-Loidreau (FL) system, which was broken in a structural attack by Gaborit, Otmani, and Talé Kalachi (GOT, 2018). We keep the FL encryption and decryption algorithms, but modify the insecure key generation algorithm. Our crucial observation is that the GOT attack is equivalent to decoding an interleaved Gabidulin code. The new key generation algorithm constructs public keys for which all polynomial-time interleaved decoders fail---hence LIGA resists the GOT attack. We also prove that the public-key encryption version of LIGA is IND-CPA secure in the standard model and the KEM version is IND-CCA2 secure in the random oracle model, both under hardness assumptions of formally defined problems related to list decoding and interleaved decoding of Gabidulin codes. We propose and analyze various exponential-time attacks on these problems, calculate their work factors, and compare the resulting parameters to NIST proposals. The strengths of LIGA are short ciphertext sizes and (relatively) small key sizes. Further, LIGA guarantees correct decryption and has no decryption failure rate. It is not based on hiding the structure of a code. Since there are efficient and constant-time algorithms for encoding and decoding Gabidulin codes, timing attacks on the encryption and decryption algorithms can be easily prevented.

Sven Puchinger, Julian Renner, Antonia Wachter-Zeh

In this paper, we investigate twisted Gabidulin codes in the GPT code-based public-key cryptosystem. We show that Overbeck's attack is not feasible for a subfamily of twisted Gabidulin codes. The resulting key sizes are significantly lower than in the original McEliece system and also slightly smaller than in Loidreau's unbroken GPT variant.

Antonia Wachter-Zeh, Sven Puchinger, Julian Renner

A repair of the Faure-Loidreau (FL) public-key code-based cryptosystem is proposed. The FL cryptosystem is based on the hardness of list decoding Gabidulin codes which are special rank-metric codes. We prove that the recent structural attack on the system by Gaborit et al. is equivalent to decoding an interleaved Gabidulin code. Since all known polynomial-time decoders for these codes fail for a large constructive class of error patterns, we are able to construct public keys that resist the attack. It is also shown that all other known attacks fail for our repair and parameter choices. Compared to other code-based cryptosystems, we obtain significantly smaller key sizes for the same security level.