A NOVEL NIEDERREITER-LIKE CRYPTOSYSTEM BASED ON THE (u|u+ v)-CONSTRUCTION CODES

In this paper, we present a new variant of the Niederreiter Public Key Encryption (PKE) scheme which resists recent attacks. Its security rests on the hardness of the Rank Syndrome Decoding (RSD) problem, and it uses a (u|u+v)-construction code built from two different families of codes: Ideal Low Rank Parity Check (ILRPC) codes and λ-Gabidulin codes. The proposed encryption scheme offers a larger minimum distance, a new efficient decoding algorithm, and smaller ciphertext and public key sizes than Loidreau's variants and their IND-CCA secure version. Mathematics Subject Classification. 11T71, 14G50. Received December 21, 2020. Accepted July 29, 2021.

to Overbeck's attack for chosen length n ≤ 30. However, Horlemann-Trautmann et al. proposed in [18] an extension of Overbeck's attack which breaks most of the proposed variants. Recently, Bardet et al. [5] proposed an algebraic attack which breaks the LRPC-based approaches and led to the elimination of NIST candidates such as ROLLO [3] and RQC [1] from the third round.
One of the properties required of an encryption scheme is indistinguishability under (non-adaptive) chosen ciphertext attack (IND-CCA). It is stronger than indistinguishability under chosen-plaintext attack (IND-CPA), which is equivalent to semantic security. Al Shehhi et al. proposed in [2] an IND-CCA secure version of Loidreau's PKE scheme with a 23% overhead in the computational cost of the encryption algorithm.

Motivation and contribution
In this paper, we propose a new variant of the Niederreiter-PKE scheme based on the RSD problem. We present a new family of (u|u+v) codes built from two different types of codes, ILRPC codes and λ-Gabidulin codes, and we provide its decoding algorithm. The proposed scheme follows the idea of Gabidulin et al. in [10], and its benefits are:
- Reduced key sizes, using the properties of ILRPC codes, compared to the key sizes given in [22].
- Increased resistance to attacks, by concatenating the generator matrix with a randomly chosen distortion matrix of full rank t_1 and by using the shared decoding algorithm of the ILRPC and λ-Gabidulin codes.
- A larger minimum rank distance d, expressed in terms of d_1 and d_2, the minimum rank distances of the ILRPC code and of the λ-Gabidulin code, respectively.
The proposed scheme resists the extended version of Overbeck's attack, by using a scrambler matrix over the extension field, and the recent attack of [5], by choosing a proper set of parameters. We obtain a new decoding algorithm of complexity O(n^3). We also prove that the scheme is IND-CCA secure against any probabilistic polynomial time adversary. We then provide a set of parameters for which the public key and ciphertext sizes are smaller than those of Loidreau's variants.

Organization
This paper is organized as follows. In Section 2, we give preliminaries on rank-metric codes, ILRPC codes, λ-Gabidulin codes, the RSD problem and the Niederreiter-PKC. In Section 3, we define the new (u|u+v)-construction code in the rank metric and give its decoding algorithm; we then apply these codes to a Niederreiter-like PKE scheme based on the RSD problem. Section 4 gives the security analysis, with examples and a comparison. Finally, we conclude the paper in Section 5.

Preliminaries
In this section, we provide some basic definitions in the rank metric.

Rank metric codes
Let n, m ∈ N, let F_q be the finite field with q elements and let F_{q^m} be its extension field of degree m. If x = (x_1, ..., x_n) ∈ F_{q^m}^n and (a_1, ..., a_m) is a basis of F_{q^m} over F_q, then each coordinate x_j can be written as x_j = Σ_{i=1}^m x_{ij} a_i with x_{ij} ∈ F_q, and the associated m × n matrix of x is X = (x_{ij}), whose j-th column holds the coordinates of x_j in that basis. The rank of X is the maximal number of its columns that are linearly independent over F_q; it defines the rank of x over F_q, denoted rank(x|F_q) = rank(X|F_q). The rank distance between two vectors x and y in F_{q^m}^n is dist(x, y) = rank(x − y|F_q) = rank(X − Y|F_q), where Y is the associated matrix of y.
For any code C of length n and dimension k over F_{q^m}, the minimum rank distance is d = min{rank(c|F_q) : c ∈ C, c ≠ 0}. This distance satisfies the Singleton bound d ≤ n − k + 1 for m ≥ n; a code attaining it is a Maximum Rank Distance (MRD) code, and its rank error correcting capacity is t = ⌊(d − 1)/2⌋ = ⌊(n − k)/2⌋. Gabidulin codes form a class of MRD codes for n ≤ m. Given elements g_1, ..., g_n of F_{q^m} that are linearly independent over F_q, the k × n generator matrix of the Gabidulin code C(g) is G = (g_j^{[i−1]})_{1≤i≤k, 1≤j≤n}, where g^{[i]} = g^{q^i} denotes the i-th Frobenius power of g. Its (n − k) × n parity check matrix H satisfies G H^T = 0 and has the same form, H = (h_j^{[i−1]})_{1≤i≤n−k, 1≤j≤n}, for elements h_1, ..., h_n of F_{q^m} that are linearly independent over F_q. The main property of Gabidulin codes is that every codeword is the evaluation of a linearized polynomial F(z) ∈ F_{q^m}[z] of q-degree lower than k on the generator vector g, i.e. c = (F(g_1), ..., F(g_n)). We define the support of a vector in F_{q^m}^n as follows: the support E of g = (g_1, ..., g_n) ∈ F_{q^m}^n is the F_q-subspace of F_{q^m} generated by the coordinates of g; its dimension is rank(g|F_q), and it equals n exactly when g_1, ..., g_n are linearly independent over F_q.
Definition 2.2 (Gilbert-Varshamov bound). Let B_t = {M ∈ F_{q^m}^n : rank(M) ≤ t} be the ball of radius t centred at 0 for the rank metric. The Gilbert-Varshamov bound for rank metric codes is the smallest t for which |B_t| ≥ q^{m(n−k)}; when |B_t| ≈ q^{m(n−k)}, this value of t is denoted d_GV. To ensure uniqueness of error decoding in rank metric codes, the minimum rank weight d of the code must be at most the Gilbert-Varshamov bound; for error and erasure decoding, the case where d lies beyond the Gilbert-Varshamov bound can also be considered.

Ideal low rank parity check codes
In this section, we recall the definition of the ideal LRPC (ILRPC) code [3]. Let C be an F_{q^m}-linear rank metric code given by the following definition.
q^m of support F and P ∈ F_q[X] a polynomial of degree n. Let H_1 and H_2 be two matrices given as follows: These codes resist the folding attack [16], which we discuss further in Section 4. We recall their decoding algorithm in Algorithm 1, given in [11].

λ-Gabidulin codes
The λ-Gabidulin code is the rank-metric analogue of the generalized Reed-Solomon codes in the Hamming metric [20], with a similar construction in the polynomial setting. We recall its definition as follows: Definition 2.4 (λ-Gabidulin codes [20]). Let g = (g_1, ..., g_n) ∈ F_{q^m}^n be linearly independent over F_q and λ = (λ_1, ..., λ_n) ∈ F_{q^m}^n. The λ-Gabidulin code over F_{q^m} of dimension k associated with the vectors g and λ is the code generated by a matrix G_λ of the form given in [20], with the parity check matrix given there as well; any codeword c can be written accordingly. Such codes have been proposed for a McEliece-like cryptosystem, where for well-chosen parameters they were shown to resist the known attacks on the rank syndrome decoding (RSD) problem.
These codes are not MRD and have minimum distance d ≤ n − k + 1. Moreover, they do not have the weak structure of Gabidulin codes, which contain a large vector space invariant under the Frobenius automorphism. We recall their decoding algorithm in Algorithm 2.

Rank-based cryptography
In this section, we recall the Rank Syndrome Decoding (RSD) problem. Problem: given an (n − k) × n matrix H (k ≤ n) over F_{q^m}, a vector s ∈ F_{q^m}^{n−k} and an integer w, find a vector x ∈ F_{q^m}^n satisfying the two conditions rank(x|F_q) = w and H x^T = s^T.
Gaborit et al. [13] gave a probabilistic reduction from the NP-complete Syndrome Decoding problem in the Hamming metric to this problem by proving Theorem 2.5. Since all known algorithms for solving it are exponential, the problem can underpin any scheme in the rank metric.

Niederreiter PKE type of GPT-PKE
Niederreiter-PKE is the dual version of McEliece-PKE; for a given code in the Hamming metric they rely on equivalent problems [6]. In the rank metric, the Niederreiter-PKE version of GPT-PKE was proposed by Khan et al. [19], based on the RSD problem for the rank reducible codes (RRC) defined by Gabidulin et al. in [10]. It uses the parity check matrix of a Gabidulin code and hides its structure with row/column scrambler and distortion matrices; the distortion matrix disappears during decryption. The fast decoding algorithm described in [32] is used up to the rank error correcting capacity t. In Figure 1, we recall the description of the Niederreiter-PKE version of GPT-PKE for a given RRC [n = rN, k = rM] code, defined by r chosen [N, N − d + 1, d] MRD codes of rank distance d, with M = N − d + 1. Its generator matrix G is the concatenation of the r canonical generator matrices, and the distortion matrix is built from X_1, X_2, ..., X_r, r distortion sub-matrices of column rank t_1 over F_q (t_1 ≤ t), where t_1 is the design parameter.

The proposed scheme
In this section, we define the new PKE scheme using (u|u + v)-construction code and we give its decoding algorithm.

The (u|u + v)-construction codes
In this section, we start by giving the general definition of the (u|u + v)-construction code in the rank metric.
Definition 3.1. We denote by C_3 = [C_1|C_2]_A the rank code consisting of all vectors (u|u+v) with u ∈ C_1 and v ∈ C_2.
The length of C_3 is n, its dimension is k = k_1 + k_2, and its k × n generator matrix G over F_{q^m} is
    G = ( G_1  G_1 )
        ( 0    G_2 ),                                   (3.1)
where G_1 and G_2 are generator matrices of C_1 and C_2, respectively.
Therefore, the (n − k) × n parity check matrix of the code over F_{q^m} is
    H = ( H_1    0   )
        ( −H_2   H_2 ),
where H_1 and H_2 are parity check matrices of C_1 and C_2: a vector (u|w) lies in C_3 if and only if H_1 u^T = 0 and H_2 (w − u)^T = 0. In the Hamming metric the minimum distance of the (u|u+v)-construction is d = min{2d_1, d_2}, while in the rank metric it is not known.
Proposition 3.2. Let C_3 be the [n, k, d] code of Definition 3.1, with C_1 the ILRPC code and C_2 the λ-Gabidulin code. The minimum distance d is upper bounded as follows, where the set appearing in the bound is the set of rows of any element c_1 in C_1 (resp. c_2 in C_2) which has the minimum rank weight d_1 (resp. d_2).
Proof. We start from the general definition of the code C_3 given in Definition 3.1, with G the generator matrix of C_3 of the form (3.1). By the definitions of C_1 and C_2, any element c of C_3 can then be written as c = (c_1 | c_1 + c_2), with c_1 a codeword of C_1 and c_2 a codeword of C_2. Therefore, finding the minimum rank distance of C_3 amounts to finding the minimum rank weight over all non-zero c ∈ C_3.
To simplify the rank weight of this expression, let A = [c_1 c_1] be a matrix of size k_1 × n and B = [0 c_2] a matrix of size k_2 × n. Without loss of generality, let k* = max{k_1, k_2} and append rows of zeros to the matrix with fewer rows until both have k* rows. With A and B of the same size k* × n, the rank of A + B is bounded in terms of the ranks of A and B and of the intersection of their row spaces C_A and C_B, as given in [25]. Clearly rank(A) = rank(c_1) and rank(B) = rank(c_2). The minimum distance may therefore be written in terms of the sets of rows of any element c_1 in C_1 (resp. c_2 in C_2) which has the minimum rank weight d_1 (resp. d_2). Hence, we conclude the result.
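As an added example (not the paper's code), the following Python script makes the rank metric definitions of Section 2 and the (u|u+v)-construction of Definition 3.1 concrete: it implements GF(2^4) arithmetic, the rank weight rank(x|F_q) as the GF(2)-rank of the expanded m × n matrix, Gabidulin generator matrices built from Frobenius powers, the generator matrix (3.1), and a brute-force minimum rank distance. The field modulus, the generator vector g = (1, α, α^2, α^3) and the toy sizes n = 4, k_1 = 1, k_2 = 2 are assumptions chosen so that exhaustive enumeration (at most 16^3 codewords) is instant; the ILRPC and λ-Gabidulin decoders of Algorithms 1 and 2 are not implemented here, and plain Gabidulin codes stand in for both component codes.

```python
# Added example (not from the paper): rank weight, Gabidulin codes and the
# (u|u+v)-construction over GF(2^4), with the minimum rank distance found by
# brute force. q = 2, m = 4, so F_{q^m} = GF(16); elements are ints 0..15 whose
# bits are the coordinates in the polynomial basis (1, a, a^2, a^3).
from itertools import product

M = 4                       # extension degree m
MODULUS = 0b10011           # a^4 + a + 1 = 0, irreducible over GF(2) (assumed choice)
GEN_VECTOR = [1, 2, 4, 8]   # g = (1, a, a^2, a^3): linearly independent over GF(2)


def gf_mul(x, y):
    """Multiply two GF(2^m) elements (carry-less product reduced mod MODULUS)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> M:
            x ^= MODULUS
    return r


def gf_pow(x, e):
    """x**e in GF(2^m); gf_pow(x, 2**i) is the Frobenius power x^[i]."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def rank_weight(vec):
    """rank(x|F_q): GF(2)-rank of the m x n matrix whose columns are the coordinate
    vectors of the entries of vec. Row rank equals column rank, so Gaussian
    elimination runs directly on the n coordinate bitmasks."""
    pivots = {}             # leading bit -> basis vector with that leading bit
    for v in vec:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return len(pivots)


def rank_distance(x, y):
    """dist(x, y) = rank(x - y|F_q); subtraction is XOR in characteristic 2."""
    return rank_weight([xi ^ yi for xi, yi in zip(x, y)])


def gabidulin_generator(g, k):
    """k x n generator matrix with rows g^[i] = (g_1^{q^i}, ..., g_n^{q^i}), i < k."""
    return [[gf_pow(gj, 1 << i) for gj in g] for i in range(k)]


def u_u_plus_v_generator(G1, G2):
    """Generator matrix (3.1): [[G1, G1], [0, G2]] for two codes of equal length."""
    n = len(G1[0])
    assert len(G2[0]) == n
    return [row + row for row in G1] + [[0] * n + row for row in G2]


def encode(G, msg):
    """Codeword msg * G over GF(2^m)."""
    c = [0] * len(G[0])
    for mi, row in zip(msg, G):
        if mi:
            for j, gij in enumerate(row):
                c[j] ^= gf_mul(mi, gij)
    return c


def min_rank_distance(G):
    """Brute-force minimum rank distance: enumerate all q^(mk) non-zero messages."""
    k = len(G)
    return min(rank_weight(encode(G, msg))
               for msg in product(range(1 << M), repeat=k) if any(msg))


def uuv_rank_identity_holds(G1, G2):
    """Check rank(u|u+v) == rank(u|v) for every u in C1 and v in C2: subtracting
    column j from column n+j of the expanded matrix is an F_q column operation."""
    for a in product(range(1 << M), repeat=len(G1)):
        u = encode(G1, a)
        for b in product(range(1 << M), repeat=len(G2)):
            v = encode(G2, b)
            u_plus_v = [ui ^ vi for ui, vi in zip(u, v)]
            # list concatenation below builds the vectors (u | u+v) and (u | v)
            if rank_weight(u + u_plus_v) != rank_weight(u + v):
                return False
    return True


if __name__ == "__main__":
    G1 = gabidulin_generator(GEN_VECTOR, 1)   # [4, 1] Gabidulin code
    G2 = gabidulin_generator(GEN_VECTOR, 2)   # [4, 2] Gabidulin code, MRD: d = n-k+1 = 3
    G3 = u_u_plus_v_generator(G1, G2)         # [8, 3] (u|u+v) code
    for name, G in (("C1", G1), ("C2", G2), ("C3 = (u|u+v)", G3)):
        print(name, "[n, k, d] =", [len(G[0]), len(G), min_rank_distance(G)])
    print("rank(u|u+v) == rank(u|v) for all pairs:", uuv_rank_identity_holds(G1, G2))
```

Running it reports d_1 = 4, d_2 = 3 (the Singleton bound n − k + 1, so C_2 is MRD) and d_3 = 3 for the (u|u+v) code, together with a check that rank(u|u+v) = rank(u|v) for every pair of codewords. That identity holds for any field: subtracting the j-th column from the (n+j)-th column of the expanded m × 2n matrix is an elementary F_q column operation, so the rank of (u|u+v) is the dimension of the sum of the supports of u and v. For this instance the brute-force value is therefore min{d_1, d_2}, and it is the reference against which any bound such as Proposition 3.2 should be checked.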

Decoding algorithm
In this section, we use the (u|u+v)-construction with two rank-metric codes, the ILRPC and λ-Gabidulin codes, to make the Niederreiter-PKE scheme robust against several attacks. The advantage of this construction is an encryption scheme with shorter ciphertexts; furthermore, it has a better error correcting capacity [24].
The two codes used in our scheme have decoding algorithms that decode up to the error correcting capacity t of the code, so that the decoder outputs a list of one or two codewords containing the sent word [17].
We denote by D_1 the decoding Algorithm 1 for the ILRPC code C_1, which decodes up to t^{(1)} errors, and by D_2 the error-erasure decoding Algorithm 2 for the λ-Gabidulin code C_2, which decodes up to t^{(2)} errors. The error correcting capacity of C is then t = ⌊(d − 1)/2⌋.
Let y = xG + e be a received word, where:
- the message x = (x_1, x_2) has x_1 ∈ F_{q^m}^{k_1} and x_2 ∈ F_{q^m}^{k_2}, so that the codeword xG = (x_1 G_1 | x_1 G_1 + x_2 G_2) has the form (u|u+v) with u ∈ C_1 and v ∈ C_2;
- the matrix G is the generator matrix of the form (3.1);
- the error vector e = (e_1, e_2) ∈ F_{q^m}^n satisfies rank(e|F_q) ≤ t.
Namely, the received word is y = (y_1 | y_2) = (u + e_1 | u + v + e_2). First, we decode y_1 with D_1 and recover u (and hence x_1), since rank(e_1|F_q) ≤ t^{(1)}. Then we compute y_2 − y_1 = v + (e_2 − e_1) and decode it with D_2 to obtain v (and hence x_2), since v ∈ C_2; this requires rank(e_2 − e_1|F_q) ≤ t^{(2)}, the decoding bound of D_2. Note that in general rank(e_2 − e_1|F_q) ≤ rank(e_1|F_q) + rank(e_2|F_q), so this bound is not implied by rank(e|F_q) ≤ t alone; if it is exceeded, D_2 fails, and we detect it by checking that t errors in total have been corrected. Hence, the algorithm outputs the whole codeword of the (u|u+v)-construction code.
Algorithm 3. Decoding algorithm for the (u|u+v)-construction code.
• Input: y = xG + e ∈ F_{q^m}^n with rank(e|F_q) ≤ t.
• Output: the codeword xG ∈ C and the error e ∈ F_{q^m}^n of rank weight rank(e|F_q) ≤ t.
Remark 3.3. The PUM convolutional code [33] is not suitable for such a construction, since its generator and parity check matrices are semi-infinite and do not fit into the generator or parity check matrix of the (u|u+v)-construction.

Niederreiter-PKE based on (u|u + v)-construction codes
In this section, we describe the proposed scheme, summarised in Figure 2. The scheme is a new variant of the Niederreiter-PKE scheme recalled in Section 2.5. We keep the generator matrix of the (u|u+v)-construction code and use the technique of adding a random column scrambler to the parity check matrix of the code [21].
Key generation: For a chosen security level δ, we fix n, k, m and the design parameter t_1. The public key is the (n − k) × (n + t_1) parity check matrix of the public code, H_pub = S H_X P, where:
- H_X = [H | 0] is the concatenation of H, the (n − k) × n parity check matrix of the (u|u+v)-construction code of Section 3.1, equation (3.1), with an (n − k) × t_1 zero matrix, as formulated in Section 2.5. The matrix H_X is the dual of G_X = [G | X], where G generates the [n = n_1 + n_2, k = k_1 + k_2, d] (u|u+v)-construction code built from an [n_1, k_1] ILRPC code and an [n_2, k_2] λ-Gabidulin code.
- S is an (n − k) × (n − k) non-singular row scrambling matrix over F_{q^m}.
- P is an (n + t_1) × (n + t_1) column scrambling matrix over F_{q^m}, as defined in [9].
- X is a k × t_1 distortion matrix over F_{q^m} of full rank t_1 ≥ n − k. In other words, the dual matrix of H_X has the form G_X = [G | X].
The private key consists of the matrices (X, P, S, G) and the decoding algorithm of Section 3.2.
Decryption: To decrypt, the legitimate receiver uses the decoding algorithm of Section 3.2. Write P = [P_1 P_2], where P_1 has size (n + t_1) × n and P_2 has size (n + t_1) × t_1, and set c' = c S^{−1} and x' = x P_1, so that c' = x' H^T. Since the rank weight of x' is at most t, we apply the decoding algorithm of Section 3.2 to c', recover x', and multiply it by (P_1)^{−1}.
Encryption correctness. Correctness depends directly on the error correcting capacity t of the code C: the rank weight of the error must be at most t. In the decryption step, for P = [P_1 P_2], we compute c' = c S^{−1} and x' = x P_1. If rank(x'|F_q) ≤ t, then we can decode with Algorithm 3, recover x' = x P_1 and extract x = x P_1 (P_1)^{−1}. The information rate is k/n, the decoding complexity is O(n^3), and the public key size is (n − k)(n + t_1) m log_2(q) bits.

Security analysis
In this section, we show that our encryption scheme is secure against all known attacks, which fall into combinatorial and algebraic attacks. We also prove IND-CCA2 security, the strongest of the notions IND-CPA, IND-CCA and IND-CCA2, in which the adversary may query the decryption oracle even after seeing the challenge ciphertext (on any ciphertext other than the challenge itself). The ILRPC and λ-Gabidulin codes have large minimum distances, which defeats attacks that try to recover the code structure by looking for low weight codewords in the code or in its dual. Since the resulting minimum distance d is larger, this property avoids leaking information about the public key, as shown in [24].

Combinatorial attacks
Usually, these attacks are the most efficient when q, n and k are small enough. The first such attack is due to Chabaud and Stern [8] and has complexity O((nw + m)^3 q^{(m−w)(w−1)}). Ourivski and Johansson [29] then improved this attack for decoding an [n, k] linear code C over F_{q^m} with minimum rank distance d; it can be used after computing a generator matrix of the public code. The problem is formulated as follows: Problem: Given G ∈ M_{k×n}(F_{q^m}) and c ∈ F_{q^m}^n, find u ∈ F_{q^m}^k such that e = c − uG has the smallest rank w = rank(e|F_q).
Modelling this problem leads the authors to solve a system of quadratic equations by one of two strategies:
- Basis enumeration: this method requires O((k + w)^3 q^{(w−1)(m−w)+2}) binary operations.
- Coordinate enumeration: this approach requires O((k + w)^3 w^3 q^{(w−1)(k+1)}) binary operations.
In [12], Gaborit et al. generalised the aforementioned attacks, using the notion of the support of a word in the rank metric. Recently, the complexity of solving the RSD problem was further improved in [4] to the bound (4.1). In our case the error correcting capacity is higher because of the large minimum rank distance, so this attack does not apply to our parameters.
- Hauteville and Tillich's attack (2015) [16]. Hauteville and Tillich introduced a key recovery attack on the LRPC-PKE scheme (and on quasi-cyclic codes in general), based on a folding and projecting technique. The point of the attack is to find a codeword of low weight d in a projected code over the ring F_q[X]/(X^n − 1); it depends on the factorisation of the polynomial X^k − 1, following the steps described in [16]. In [3], the ILRPC codes were proposed to withstand that attack, these codes being indistinguishable from random codes. We claim that the resulting code is also indistinguishable.
Lemma 4.1. The proposed (u|u+v)-construction code C_3 of Definition 3.1 is indistinguishable from a random code.
Proof. Indistinguishability is inherited from the hardness of distinguishing an ILRPC code from a random code [3]. Hence, given a codeword, it is hard to decide whether it comes from a random code or from the (u|u+v)-construction code.

Algebraic attacks
Several algebraic attacks have been mounted against variants of the GPT-PKE scheme and can be considered against the Niederreiter-PKE scheme. Among these attacks we consider the following ones:
- Gibson's attack (1995) [14]. The purpose of Gibson's attack is to solve the following problem: Problem: Given the public key (G_pub, t_1) of the GPT-PKE scheme, find a triple (G, S, X) such that G_pub = SG + X.
This problem can be solved in O((n − k) k^3 q^{m t_1}) binary operations. Gibson's attack cannot be applied to our scheme because of the full rank distortion matrix in the private key, as proven in [23].
where S^{[i]} is the matrix obtained by applying the i-th power of the Frobenius automorphism θ^i : x ↦ x^{q^i} to all coefficients of S.
In [23], Loidreau has shown that Overbeck's attack fails if rank(X|G) = n + t_1 − 1. In the proposed scheme we choose the rank t_1 ≥ n − k to avoid this attack. This property also withstands the recent extension of Overbeck's attack proposed in [18]: when the distortion matrix is not of full rank, that attack extends the matrix and searches for elements of rank one to recover the encrypted message in polynomial time. Besides this, we choose the column scrambler P over the extension field to avoid the attacks of [19, 22], so that the Frobenius automorphism does not fix P (i.e. θ(P) ≠ P).
- Bardet et al.'s attack (2020) [5]. The authors of [5] improved the algebraic attacks for solving the MinRank and Rank Decoding problems without using Gröbner bases, and broke rank-based parameters proposed to the NIST standardisation process, such as ROLLO and RQC [1, 3].
Two modellings were proposed to solve these problems, in two cases: the "overdetermined case", when there are enough linear equations, i.e. when inequality (4.2) holds. The complexity of the (m, n, k, w)-decoding algorithm in that case (Algorithm 1 of [5]) is given as a number of operations over F_q, where ω is the linear algebra constant. The "underdetermined case" is the one in which (4.2) is not fulfilled. The authors propose to reduce it to the overdetermined case; otherwise, they solve the underdetermined case by direct linearisation or by Support Minors Modelling together with the maximal minors of the code, the best complexity being obtained with Wiedemann's algorithm or Strassen's algorithm. Some schemes can avoid this attack by choosing larger but still reasonable parameters; hence, we likewise choose larger values for the parameters of the proposed scheme.

Indistinguishability security
In this section, we study the most demanding security proof, indistinguishability under chosen ciphertext attack (IND-CCA). Let A be a probabilistic polynomial time adversary against the proposed scheme and let C be the challenger; the game is played between A and C. The challenger generates the key pair (pk, sk) from the security parameter and sends pk to A, who may submit ciphertexts of its choice to the decryption oracle O and receive the corresponding plaintexts. Then A chooses two distinct plaintexts m_0 and m_1 and sends them to C, who selects b ∈ {0, 1} at random, computes the ciphertext Encrypt(pk, m_b) and sends it to A. The proposed PKE scheme is indistinguishable when A cannot guess b with more than negligible advantage, i.e. Adv^{IND}_{PKE,A}(δ) ≤ negl(δ), where δ is the chosen security level. We give the proof for the strongest notion (IND-CCA2) by considering an experiment E. Proof. To prove this theorem, we perform a sequence of games on the parameters of the PKE scheme in the experiment E.
- G_0: We run the scheme as specified, with its parameters, pk, the matrices S and P, and the matrix X of full rank t_1. The adversary A has to recover the plaintext of a ciphertext for a given public key pk and security parameter δ.
- G_1: We replace the public key pk of game G_0 by a random one. The probability that the adversary recovers the plaintext with that public key is then the probability of solving an instance of the RSD problem; hence, the advantage in this game is bounded by that probability.
- G_2: We proceed as in game G_1 and replace the challenge by a random value y in F_{q^m}^n. The adversary tries to guess b from that random y; it cannot distinguish the output of the encryption from the random value y, owing to the indistinguishability of the (u|u+v)-construction code. Hence, we conclude that the scheme is IND-CCA2 secure.
Besides this, we claim that the randomness of the matrices S, P and X chosen in the scheme makes it hard to find the exact matrices in each run of such attacks.

Set of parameters
In this section, we give the sets of parameters with their security levels, using the (u|u+v)-construction code with an [n_1 = 2k_1, k_1, d_1] ILRPC code and an [n_2, k_2, d_2] λ-Gabidulin code. This means that the degree m of the extension field can be lower than the length, with a larger minimum distance d, which avoids leaking information about the public key.
For the parameters, we choose the matrix X of full rank t_1 to avoid Gibson's attack, and t_1 must be at least n − k to avoid Overbeck's attack. We also choose the matrix P with entries in F_{q^m}, as proposed in [22]. Hence, we compute the sizes of the public key, secret key and ciphertext by the following expressions:
- Public key size in systematic form: k(n − k) m log_2(q) bits.
- Ciphertext size: (n − k) m log_2(q) bits.
- Secret key: the set of matrices can be regenerated from a random seed, which reduces the secret key size.
Table 1 gives several sets of parameters with their sizes, the public key |pk| in kilobytes (KB) and the ciphertext |ct| in bits, together with the best attack complexity of Bardet et al. [5]. The column "a" indicates the smallest integer chosen for the hybrid attack when inequality (4.2) is not fulfilled, with ω = 2.81.
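As an added example (not the paper's code), the following Python script turns the size formulas of this section and of the correctness paragraph of Section 3.3, the combinatorial attack costs quoted in Section 4.1 and the design constraints stated on this page (t_1 ≥ n − k, w ≤ t) into a parameter report. The symbols q, m, n, k, t_1, t and w are the paper's; the values n = 40, k = 16, t_1 = 25 and t = 12 are those of the worked example in the comparison section, while q = 2, m = 40 and w = 12 are assumptions made here. The algebraic attack of [5] is not included, since its complexity formula is not reproduced on this page.

```python
# Added example (not from the paper): parameter sanity checks plus size and
# attack-cost estimates from the formulas quoted on this page. q, m, n, k, t1,
# t and w are the paper's symbols; every numeric value used below is an assumption.
from math import log2


def key_and_ciphertext_sizes(q, m, n, k, t1):
    """Bit sizes quoted on this page: full public key (n-k)(n+t_1) m log2 q,
    systematic public key k(n-k) m log2 q, ciphertext (n-k) m log2 q."""
    unit = m * log2(q)
    return {
        "pk": (n - k) * (n + t1) * unit,
        "pk_systematic": k * (n - k) * unit,
        "ct": (n - k) * unit,
    }


def combinatorial_attack_costs_log2(q, m, n, k, w):
    """log2 of the work factors quoted in Section 4.1, constants hidden by O() dropped:
    Chabaud-Stern (nw+m)^3 q^((m-w)(w-1)), Ourivski-Johansson basis enumeration
    (k+w)^3 q^((w-1)(m-w)+2) and coordinate enumeration (k+w)^3 w^3 q^((w-1)(k+1))."""
    lq = log2(q)
    return {
        "chabaud_stern": 3 * log2(n * w + m) + (m - w) * (w - 1) * lq,
        "oj_basis": 3 * log2(k + w) + ((w - 1) * (m - w) + 2) * lq,
        "oj_coordinates": 3 * log2(k + w) + 3 * log2(w) + (w - 1) * (k + 1) * lq,
    }


def check_design_constraints(n, k, t1, t, w):
    """Constraints a parameter set must satisfy: t_1 >= n - k (stated on this page
    against Overbeck's attack), w <= t (decryption correctness), and, because X is
    a k x t_1 matrix, rank t_1 is only possible when t_1 <= k (plain linear algebra)."""
    return {
        "t1_at_least_n_minus_k": t1 >= n - k,
        "w_within_capacity": w <= t,
        "k_by_t1_matrix_can_have_rank_t1": t1 <= k,
    }


def parameter_report(q, m, n, k, t1, t, w):
    """Combine sizes (in bytes), attack costs (log2) and constraint checks."""
    sizes = key_and_ciphertext_sizes(q, m, n, k, t1)
    costs = combinatorial_attack_costs_log2(q, m, n, k, w)
    checks = check_design_constraints(n, k, t1, t, w)
    return {
        "sizes_bytes": {name: bits / 8 for name, bits in sizes.items()},
        "log2_costs": costs,
        "log2_cost_min": min(costs.values()),
        "constraints": checks,
        "all_constraints_hold": all(checks.values()),
    }


if __name__ == "__main__":
    # n = 40, k = 16, t_1 = 25 and t = 12 come from the worked example of the
    # comparison section; q = 2, m = 40 and w = 12 are assumed here.
    report = parameter_report(q=2, m=40, n=40, k=16, t1=25, t=12, w=12)
    for section, values in report.items():
        print(section, values)
```

With these assumed values the systematic public key is 1920 bytes and the ciphertext 120 bytes, and the cheapest of the three combinatorial estimates is coordinate enumeration at roughly 2^212 operations. The report also flags that a 16 × 25 matrix cannot have rank 25, so for this example the shape k × t_1 of X and the full-rank requirement t_1 ≥ n − k cannot both hold; a practitioner re-deriving parameters should resolve that before sizing keys.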

Comparison
In this section, we compare with the parameters given in [2, 22] at security levels above 128, which do not meet the security level required against the recent attack [5]. In the parameters of [22], σ denotes the dimension of the F_q-vector space containing the entries of the matrix P. We obtain a reduction of the ciphertext and public key sizes, and we use the security level of item (4.1) for the comparison.
Hence, the error-correcting capacity is t = (n − k)/2 = 12. We choose the design parameter t_1 ≥ n − k to withstand Overbeck's attack, here t_1 = 25. The rank weight w of the ciphertext must be at most t. The (u|u+v)-construction code in this case has parameters [40, 16, 10], and the public key size is 1.7 KB. Table 2. Comparison of public key and ciphertext sizes between the (u|u+v)-construction code, Al Shehhi et al. [2] and Loidreau [22] for different security levels.

Conclusion
We presented a variant of the Niederreiter cryptosystem based on the RSD problem using a simple family of codes: the (u|u+v)-construction combining the less structured ILRPC and λ-Gabidulin codes. We provided an efficient decoding algorithm exploiting the shared properties of the two codes. This makes our PKE more secure against the known combinatorial and algebraic attacks, as shown in the security analysis. Even against the recent attack [5], the scheme is secure for larger parameter sets and has reasonable public key and ciphertext sizes. The constructed code is indistinguishable from random codes and has a larger minimum distance d. Moreover, our PKE is IND-CCA2 secure, with much smaller public key and ciphertext sizes for the adopted security level than Loidreau's scheme [22] and its IND-CCA secure version proposed by Al Shehhi et al. [2].