Injective Rank Metric Trapdoor Functions with Homogeneous Errors

Abstract

In rank-metric cryptography, a vector from a finite dimensional linear space over a finite field is viewed as the linear space spanned by its entries. The rank decoding problem which is the analogue of the problem of decoding a random linear code consists in recovering a basis of a random noise vector that was used to perturb a set of random linear equations sharing a secret solution. Assuming the intractability of this problem, we introduce a new construction of injective one-way trapdoor functions. Our solution departs from the frequent way of building public key primitives from error-correcting codes where, to establish the security, ad hoc assumptions about a hidden structure are made. Our method produces a hard-to-distinguish linear code together with low weight vectors which constitute the secret that helps recover the inputs. The key idea is to focus on trapdoor functions that take sufficiently enough input vectors sharing the same support. Applying then the error correcting algorithm designed for Low Rank Parity Check (LRPC) codes, we obtain an inverting algorithm that recovers the inputs with overwhelming probability.

Appendices

A Auxiliary Result

Lemma 1

Let us assume that \(w + 3 \leqslant \min \{L , m \}\). Then we have

$$\begin{aligned} q^{(L+m)w - w^2} \;\leqslant \;\left|{\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )} \right| \;\leqslant \; e^{2/(q-1)} \; q^{(L+m)w - w^2} \end{aligned}$$

Proof

Using the expression of the cardinality of \(\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )\) from (1) we therefore have

$$\begin{aligned} \left|{\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )} \right| = \prod _{i=0}^{w-1} \left( q^{L} - q^i \right) \frac{q^{m} - q^i}{q^{w} - q^i} & = q^{(L+m-w)w} \prod _{i=0}^{w-1} \left( 1 - q^{i-L} \right) \prod _{i=0}^{w-1} \frac{1 - q^{i-m}}{1 - q^{i-w}} \end{aligned}$$

Exploiting the fact that for every \(x \in [0,1/2]\), \(e^{-2x} \leqslant 1 -x \leqslant e^{-x}\) we can write that

$$\begin{aligned} \left|{\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )} \right| &\geqslant q^{(L+m-w)w} \prod _{i=0}^{w-1}e^{-2q^{i-L}} \; \prod _{i=0}^{w-1} \frac{e^{-2q^{i-m}}}{e^{-q^{i-w}}}\\ &\geqslant q^{(L+m-w)w} e^{\left( -2q^{-L} - 2 q^{-m} + q^{-w} \right) \frac{q^w-1}{q-1}} \end{aligned}$$

Let us set \(\gamma \triangleq q/(q-1)\). This means that \(q^{w-1} \leqslant \frac{q^w-1}{q-1} \leqslant \gamma q^{w-1}\) which entails that

$$\begin{aligned} \left|{\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )} \right| &\geqslant q^{(L+m-w)w} \; e^{-2\gamma q^{-L+w -1 } - 2 \gamma q^{-m+w-1} + q^{-1}} \end{aligned}$$

But the conditions \(w + 3 \leqslant L\) and \(q \geqslant 2\) enable us to write that \(2\gamma q^{-L+w -1 } \leqslant 2 \gamma q^{-4} \leqslant \frac{1}{2q}\). By the same arguments we also have \(2\gamma q^{-m+w -1 } \leqslant \frac{1}{2q}\). This implies that

$$ e^{-2\gamma q^{-L+w -1 } - 2 \gamma q^{-m+w-1} + q^{-1}} \geqslant 1. $$

We have hence proved that \( \left|{\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )} \right| \geqslant q^{(L+m - w )w}\). Next, by similar techniques, we can show that

$$\begin{aligned} \left|{\mathbb {S}_{w}\big (\mathbb {F}_{q^m}^L\big )} \right| &\leqslant q^{(L+m-w)w} \; e^{\left( -q^{-L} - q^{-m} + 2 q^{-w} \right) \frac{q^w-1}{q-1}}\\ &\leqslant q^{(L+m-w)w} \; e^{ 2 q^{-w} \frac{q^w-1}{q-1}} \leqslant q^{(L+m-w)w} \; e^{ 2/(q-1)} \end{aligned}$$

which concludes the proof of the lemma.    \(\square \)

B Upper-Bound on the Decoding Failure Probability

We now turn to the question of proving Theorem 2 by bounding the probability \({{\,\mathrm{\mathbb {P}}\,}}\Big \{{{\,\mathrm{\Phi }\,}}({\textbf{H}}, {\textbf{H}}{\textbf{E}}) \ne {\textbf{E}}\Big \}\) that \({{\,\mathrm{\Phi }\,}}\) fails on a random input \(({\textbf{H}},{\textbf{H}}{\textbf{E}})\). For that purpose we define by \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{I}\) and \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{II}\) the probability that \({{\,\mathrm{\Phi }\,}}\) fails at the first and second step respectively. We then clearly have \({{\,\mathrm{\mathbb {P}}\,}}\Big \{{{\,\mathrm{\Phi }\,}}({\textbf{H}}, {\textbf{H}}{\textbf{E}}) \ne {\textbf{E}}\Big \} = {{\,\mathrm{\mathbb {P}}\,}}_\textrm{I} + (1- {{\,\mathrm{\mathbb {P}}\,}}_\textrm{I}) {{\,\mathrm{\mathbb {P}}\,}}_\textrm{II}\) which implies that \( {{\,\mathrm{\mathbb {P}}\,}}\Big \{{{\,\mathrm{\Phi }\,}}({\textbf{H}}, {\textbf{H}}{\textbf{E}}) \ne {\textbf{E}}\Big \} \leqslant {{\,\mathrm{\mathbb {P}}\,}}_\textrm{I} + {{\,\mathrm{\mathbb {P}}\,}}_\textrm{II}. \) We have seen in Sect. 4 that the decoding algorithm \({{\,\mathrm{\Phi }\,}}\) fail during the first step if one of the following two events occur: either \(\langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}}\) is not equal to \(\mathcal {E} \cdot \mathcal {W}_r\) for every \(r \in \left\{ 1,\dots ,\ell \right\} \), or each time we have the equality \(\langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}} = \mathcal {E} \cdot \mathcal {W}_r\), the strict inclusion \(\mathcal {E} \; \subsetneq \; \bigcap _{i=1}^w \left( f^{(r)}_i\right) ^{-1} \cdot \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}}\) holds. As by assumption the rows of \({\textbf{H}}\) are drawn independently, we see that \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{I}\) is at most

$$\begin{aligned} \prod _{r = 1}^\ell \left( {{\,\mathrm{\mathbb {P}}\,}}\Big \{ \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}} \ne \mathcal {E} \cdot \mathcal {W}_r \Big \} + {{\,\mathrm{\mathbb {P}}\,}}\left\{ \mathcal {E} \ne \bigcap _{i=1}^w \left( f^{(r)}_{i}\right) ^{-1} \cdot \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}} \;\; \Big \vert \;\; \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}} = \mathcal {E} \cdot \mathcal {W}_r\right\} \right) . \end{aligned}$$

(4)

The last failure case is although \(\langle {{\textbf{E}}} {\rangle }_{{\mathbb {F}_q}}\) has been correctly computed, it cannot compute the entries of \({\textbf{E}}\) because for at least one r in \(\left\{ 1,\dots ,\ell \right\} \), the dimension of \(\mathcal {E} \cdot \mathcal {W}_r\) is not equal to tw. We see that we have

$$\begin{aligned} {{\,\mathrm{\mathbb {P}}\,}}_\textrm{II} = 1 - \prod _{r=1}^\ell {{\,\mathrm{\mathbb {P}}\,}}\Big \{\dim \; \mathcal {E} \cdot \mathcal {W}_r = tw \Big \}. \end{aligned}$$

(5)

The rest of this section is devoted to proving bounds for \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{I}\) and \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{II}\), mainly using results from LRPC decoding described in [67].

In order to bound \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{I}\) we bound \({{\,\mathrm{\mathbb {P}}\,}}\Big \{ \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}} \ne \mathcal {E} \cdot \mathcal {W}_r \Big \}\) with Proposition 5 and \({{\,\mathrm{\mathbb {P}}\,}}\left\{ \mathcal {E} \ne \bigcap _{i=1}^w \left( f^{(r)}_{i}\right) ^{-1} \cdot \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}}\;\; \Big \vert \;\; \langle {{\textbf{s}}_r} {\rangle }_{{\mathbb {F}_q}} = \mathcal {E} \cdot \mathcal {W}_r \right\} \) in Theorem 4, and with (4) we get the result.

Proposition 5

(Proposition 3 in [67]). Assume that \(N \geqslant tw\). For a random homogeneous matrix \({\textbf{E}}\xleftarrow {\$}\mathcal {E}^{n \times N}\) and a random vector \({\textbf{h}}\xleftarrow {\$}\mathcal {W}^n\) where \(\mathcal {E} \xleftarrow {\$}\boldsymbol{\textrm{Gr}}_{t}(q,m)\) and \(\mathcal {W} \xleftarrow {\$}\boldsymbol{\textrm{Gr}}_{w}(q,m)\), the probability that \(\langle {{\textbf{h}}{\textbf{E}}} {\rangle }_{{\mathbb {F}_q}}\) is different from \(\mathcal {E} \cdot \mathcal {W}\) is at most

$$ {{\,\mathrm{\mathbb {P}}\,}}\left\{ \langle {{\textbf{h}}{\textbf{E}}} {\rangle }_{{\mathbb {F}_q}} \ne \mathcal {E} \cdot \mathcal {W} \right\} \leqslant 1 - \prod _{i=0}^{tw-1} \left( 1 - q^{i-N} \right) $$

Theorem 4

(Theorem 2 in [67]). Let \(\mathcal {U} \triangleq \mathcal {E} \cdot \mathcal {W}\) where \(\mathcal {W} \in \boldsymbol{\textrm{Gr}}_{w}(q,m)\) and \(\mathcal {E} \xleftarrow {\$}\boldsymbol{\textrm{Gr}}_{t}(q,m)\) with \((2w-1)t < m\). Then for an arbitrary basis \(f_1,\dots {},f_w\) of \(\mathcal {W}\), we have

$$\begin{aligned} {{\,\mathrm{\mathbb {P}}\,}}\left\{ \mathcal {E} = \bigcap _{i=1}^w f_i^{-1} \cdot \mathcal {U} \;\; \Big \vert \;\;\mathcal {E} \xleftarrow {\$}\boldsymbol{\textrm{Gr}}_{t}(q,m) \right\} \; \geqslant \; 1 - \frac{q^{(2w - 1)t}}{q^m - q^{t-1}}\cdot \end{aligned}$$

For \({{\,\mathrm{\mathbb {P}}\,}}_\textrm{II}\), we bound \({{\,\mathrm{\mathbb {P}}\,}}\Big \{\dim \; \mathcal {E} \cdot \mathcal {W}_r = tw \Big \}\) in Proposition 6 and use (5).

Proposition 6

(Proposition 4 in [67]). For \(\mathcal {W} \in \boldsymbol{\textrm{Gr}}_{w}(q,m)\) and assuming that \(wt < m\), we have

$$\begin{aligned} {{\,\mathrm{\mathbb {P}}\,}}\Big \{\dim \; \mathcal {E} \cdot \mathcal {W} = tw \;\; \Big \vert \;\; \mathcal {E} \xleftarrow {\$}\boldsymbol{\textrm{Gr}}_{t}(q,m)\Big \} \; \geqslant \; 1 - \frac{q^{wt}}{q^m - q^{t-1}}. \end{aligned}$$