Problems of Information Transmission, Vol. 38, No. 3, 2002, pp. 237–246. Translated from Problemy Peredachi Informatsii, No. 3, 2002, pp. 83–93.
Original Russian Text Copyright © 2002 by Ourivski, Johansson.
New Technique for Decoding Codes in the Rank Metric and Its Cryptography Applications
A. V. Ourivski and T. Johansson
Received November 20, 2001
Abstract—We present two new algorithms for decoding an arbitrary (n, k) linear rank distance
code over GF (q
). These algorithms correct errors of rank r in O
(k + r)
operations in GF (q) respectively. The algorithms give one of the
most efficient attacks on public-key cryptosystems based on rank codes, as well as on the
authentication scheme suggested by Chen.
In 1978, McEliece proposed a public-key cryptosystem (PKC) based on error-correcting codes.
This system is one of a few alternatives to PKCs that are based on the integer factoring problem
or discrete logarithm problem.
In the McEliece system, the designer tries to disguise a specially chosen linear code with high
correcting capability as a random code. Security of the system relies on the inherent intractability
of decoding a random code up to its error-correcting capacity. It is not known whether this problem
is NP-complete. However, some related problems are known to be NP-complete, for
instance, the syndrome decoding problem and that of finding the minimum distance of a code.
A great advantage of systems based on error-correcting codes is the extremely high rate of
encryption and decryption procedures. A major disadvantage of these systems is the relatively large
size of the public key.
To partly avoid this disadvantage, the authors of  suggested a PKC based on codes in the rank
metric (rank codes). In the sequel, this PKC is referred to as the GPT public-key cryptosystem.
Apparently, the problem of decoding codes in the rank metric is more complicated than that
for codes in the Hamming metric. This allows one to use rank codes of smaller size as compared
to those used in the McEliece system. For example, the binary work factor to break the original
McEliece PKC with a public key of about 500 Kbits is around 2
, whereas, for the GPT PKC,
such security is achievable with a public key of only a few tens of Kbits.
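The text speaks of errors of rank r without restating the metric. The following Python sketch is an added example, not code from the paper. It uses the standard definition for q = 2: the rank weight of a vector over GF(2^N) is the dimension of the GF(2)-span of its entries. The symbol N for the extension degree, the representation of field elements as N-bit integers, and all function names are assumptions made here.

```python
from itertools import product
from math import prod

def rank_weight(vec):
    """Dimension of the GF(2)-span of the entries of vec."""
    basis = []                      # XOR basis, distinct leading bits, descending
    for x in vec:
        for b in basis:
            x = min(x, x ^ b)       # clear b's leading bit if x has it set
        if x:
            basis.append(x)
            basis.sort(reverse=True)
    return len(basis)

def hamming_weight(vec):
    return sum(1 for x in vec if x)

def rank_distance(a, b):
    # Addition in GF(2^N) is XOR on the coordinate vectors.
    return rank_weight([x ^ y for x, y in zip(a, b)])

def count_rank_r(N, n, r, q=2):
    """Number of vectors in GF(q^N)^n of rank weight exactly r
    (equal to the number of N x n matrices over GF(q) of rank r)."""
    num = prod((q**N - q**i) * (q**n - q**i) for i in range(r))
    den = prod(q**r - q**i for i in range(r))
    return num // den

def tally_by_rank(N, n):
    """Brute-force count of vectors of each rank weight (small N, n only)."""
    counts = {}
    for vec in product(range(2**N), repeat=n):
        w = rank_weight(vec)
        counts[w] = counts.get(w, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed sample: the same nonzero element of GF(2^3) in every position.
    e = [0b101, 0b101, 0b101, 0b101]
    print("Hamming weight:", hamming_weight(e), "rank weight:", rank_weight(e))
    # The closed-form count agrees with exhaustive enumeration for N = n = 3.
    print(tally_by_rank(3, 3), [count_rank_r(3, 3, r) for r in range(4)])
```

The constructed vector `e` has full Hamming weight but rank weight 1, so an error pattern that is heavy in the Hamming metric can be light in the rank metric.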
In a series of papers (see [3, 4]), Gibson developed structural attacks on the GPT system. Structural
attacks enable the attacker to recover a secret key from the public one using the hidden
structure of the published code. As a consequence, several modifications of the original GPT PKC
were suggested [5, 6], which provide systems with better protection against structural attacks.
In contrast to structural attacks, a general decoding algorithm tries to decode a received word
into the nearest codeword of the published code. In the GPT PKC, a received word is an encrypted
message; if we can decode this word correctly, we can recover the transmitted message. General
decoding algorithms treat the published code as random and usually do not consider its inherent
The problem of decoding rank codes is also the underlying problem in Chen’s authentication
scheme. Similarly to the GPT PKC, any algorithm for decoding random codes in the rank
metric will give an attack against the Chen scheme.
2002 MAIK “Nauka/Interperiodica”