Decoding of Space-Symmetric Rank Errors
arXiv [cs.IT], Feb
Thomas Jerkovits
Institute of Communication and Navigation, German Aerospace Center (DLR)
Vladimir Sidorenko, Antonia Wachter-Zeh
Institute for Communications Engineering, Technical University of Munich (TUM)
{vladimir.sidorenko, antonia.wachter-zeh}@tum.de

Abstract—This paper investigates the decoding of certain Gabidulin codes that were transmitted over a channel with space-symmetric errors. Space-symmetric errors are additive error matrices that have the property that their column and row spaces are equal. We show that for channels restricted to space-symmetric errors, with high probability errors of rank up to n − k ) / can be decoded with a Gabidulin code of length $n$ and dimension $k$, using a weak self-orthogonal basis as code locators.

Index Terms—Gabidulin codes, space-symmetric, rank metric
I. INTRODUCTION
Gabidulin codes [1]–[3] can be considered as the rank-metric analog of Reed–Solomon codes. The rank metric measures the distance between two codewords, represented as matrices, as the rank of their difference. Gabidulin codes are of interest for many applications related to communication, cryptography, space-time coding, network coding, distributed storage systems and digital watermarking [4]–[9].

Gabidulin codes are maximum rank distance (MRD), i.e., their minimum distance is $d_{\min} = n - k + 1$, where $n$ is the length of the code and $k$ the dimension. Hence, it is possible to uniquely decode errors of rank up to ( n − k ) / . There are several algorithms which efficiently perform unique decoding, e.g., [1], [2], [10]–[13].

In [14]–[16] it was shown that Gabidulin codes that contain a linear subcode of symmetric matrices (i.e., the transpose of the matrix coincides with the matrix itself) can correct symmetric error matrices of rank up to ( n − / . In this paper, we relax the condition of symmetric errors and consider the case of space-symmetric error matrices, which have the property that their column and row spaces coincide. We show that it is possible to use a Gabidulin code with the same property as in [14]–[16] to decode such space-symmetric errors of rank up to n − k ) / with high probability. We further derive an upper bound on the failure probability of decoding such space-symmetric errors, including some simulation results that further support it. Some motivation for the application of space-symmetric errors to code-based cryptography is addressed as well.

II. PRELIMINARIES
A. Notation
Let $q$ be a power of a prime and let $\mathbb{F}_q$ denote the finite field of order $q$ and $\mathbb{F}_{q^m}$ its extension field of order $q^m$. Denote by $\mathbb{F}_q^{m \times n}$ the set of all $m \times n$ matrices over $\mathbb{F}_q$ and denote the set of all row vectors of length $n$ by $\mathbb{F}_{q^m}^n \stackrel{\text{def}}{=} \mathbb{F}_{q^m}^{1 \times n}$. For a matrix $A$, let $A_{i,j}$ be the entry of the $i$-th row and $j$-th column. For a vector $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1}) \in \mathbb{F}_{q^m}^n$, define its rank by $\mathrm{rk}(\alpha) \stackrel{\text{def}}{=} \dim \langle \alpha_0, \dots, \alpha_{n-1} \rangle_q$, where $\langle \alpha_0, \dots, \alpha_{n-1} \rangle_q$ is the $\mathbb{F}_q$-vector space spanned by the entries $\alpha_i \in \mathbb{F}_{q^m}$. Given $\alpha \in \mathbb{F}_{q^m}$ and an integer $i$, denote its $i$-th $q$-power by $\alpha^{[i]}$ where $[i] = q^i$. Denote by $M_i(\alpha) \in \mathbb{F}_{q^m}^{i \times n}$ the Moore matrix

$$M_i(\alpha) \stackrel{\text{def}}{=} \begin{pmatrix} \alpha_0 & \alpha_1 & \dots & \alpha_{n-1} \\ \alpha_0^{[1]} & \alpha_1^{[1]} & \dots & \alpha_{n-1}^{[1]} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{[i-1]} & \alpha_1^{[i-1]} & \dots & \alpha_{n-1}^{[i-1]} \end{pmatrix}.$$

We denote the element-wise $j$-th $q$-power of the matrix by $M_i(\alpha)^{[j]}$.

This project has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No. 801434).

Throughout this paper, let $m = n$ and $A \in \mathbb{F}_q^{n \times n}$ be a square matrix. Let $\alpha = (\alpha_1, \alpha_2, \dots, \alpha_n) \in \mathbb{F}_{q^n}^n$ be a fixed basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. We define the map

$$\varphi : \mathbb{F}_{q^n}^n \to \mathbb{F}_q^{n \times n}, \quad a \mapsto A,$$

where $a \in \mathbb{F}_{q^n}^n$ and $A \in \mathbb{F}_q^{n \times n}$ is the unique matrix such that $a = \alpha A$. The map $\varphi$ is a bijection that preserves the rank and we have that $\mathrm{rk}(a) = \mathrm{rk}(A)$.

For $\varphi(a) = A$ let $\hat{a}$ be the vector such that $\varphi(\hat{a}) = A^T$. We call $\hat{a}$ the transposed vector of $a$. If $A$ is a symmetric matrix, that means $A = A^T$, then we have that $a = \hat{a}$.

Gabidulin codes are defined by means of linearized polynomials which were introduced by Ore [17]. A linearized polynomial over $\mathbb{F}_{q^n}$ is a polynomial of the form $f(x) = \sum_{i=0}^{d_f} f_i x^{[i]}$, with $f_i \in \mathbb{F}_{q^n}$. If $f_{d_f} \neq 0$, we call $\deg_q f(x) \stackrel{\text{def}}{=} d_f$ the q-degree of $f(x)$. An important property of linearized polynomials is that, $\forall \alpha_1, \alpha_2 \in \mathbb{F}_q$ and $\forall a, b \in \mathbb{F}_{q^m}$,

$$f(\alpha_1 a + \alpha_2 b) = \alpha_1 f(a) + \alpha_2 f(b).$$

A linearized polynomial of $q$-degree $d$ which contains all elements of a $d$-dimensional subspace as roots is called the minimal subspace polynomial.

B. Gabidulin Codes Generated by Weak Self-Orthogonal Bases
Gabidulin codes [1]–[3] can be seen as the rank-metric analog of Reed–Solomon (RS) codes and can be defined by a generator matrix as follows.

Definition 1 (Gabidulin Code)
Denote by $\mathrm{Gab}_\alpha[n, k]$ a Gabidulin code of dimension $k$ and length $n$ over $\mathbb{F}_{q^n}$ which is defined by its $k \times n$ generator matrix $G_k \stackrel{\text{def}}{=} M_k(\alpha)$, where $\alpha \in \mathbb{F}_{q^n}^n$ and $\alpha_1, \alpha_2, \dots, \alpha_n$ are linearly independent over $\mathbb{F}_q$. The set of all Gabidulin codewords is then given by

$$\mathrm{Gab}_\alpha[n, k] \stackrel{\text{def}}{=} \{ uG_k \mid \forall u \in \mathbb{F}_{q^n}^k \}.$$

Further, we use weak self-orthogonal bases [16], [18], [19].
Definition 2 (Weak Self-Orthogonal Basis)
A basis $\alpha \in \mathbb{F}_{q^n}^n$ of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is called a weak self-orthogonal basis if $M_n(\alpha) \cdot M_n(\alpha)^T = D$, where $D \in \mathbb{F}_{q^n}^{n \times n}$ is a diagonal matrix.

Definition 3 (Transposed Gabidulin Code)
We define the transposed Gabidulin code as

$$\mathrm{Gab}^T_\alpha[n, k] \stackrel{\text{def}}{=} \{ \hat{c} \mid \forall c \in \mathrm{Gab}_\alpha[n, k] \},$$

where $\hat{c} = \varphi^{-1}(\varphi(c)^T)$.

If the first row $\alpha$ of a generator matrix of a Gabidulin code $\mathrm{Gab}_\alpha[n, k]$ forms a weak self-orthogonal basis, then the parity-check matrix of the code is given by

$$H_{n-k} = M_{n-k}(\alpha)^{[k]}$$

and the parity-check matrix of the transposed code $\mathrm{Gab}^T_k[\alpha]$ is given as [16]

$$\hat{H}_{n-k} = M_{n-k}(\alpha)^{[1]}.$$

C. Channel Model
In [14], [16], the following channel model was considered. Let the Gabidulin codeword $c = uG_k$ be corrupted by an error $e$ of rank $\mathrm{rk}(e) = t$, that means

$$r = c + e, \tag{1}$$

and $E = \varphi(e)$ is a symmetric matrix. Then, errors of rank up to t ≤ ( n − / can be corrected for certain parameters [14], [16].

In this paper, we relax the condition of $E$ being a symmetric matrix to the condition that the row space of $E$, denoted by $\mathcal{R}_q(E)$, equals the column space of $E$, denoted by $\mathcal{C}_q(E)$, that means

$$\mathcal{R}_q(E) = \mathcal{C}_q(E).$$

A matrix of rank $t$ whose row space is equal to its column space is called space-symmetric and can be decomposed into

$$E = A P A^T, \tag{2}$$

where $A \in \mathbb{F}_q^{n \times t}$ and $P \in \mathbb{F}_q^{t \times t}$ are full-rank matrices of rank $t$. Note that the vector $a = (a_0, a_1, \dots, a_{t-1}) = \varphi^{-1}(A)$ is a basis of the column space and also a basis of the row space, since $\mathcal{R}_q(E) = \mathcal{C}_q(E)$.

III. DECODING SPACE-SYMMETRIC ERRORS
A. Syndrome-Based Decoding Approach
In the course of this section we introduce a syndrome-based decoding approach (cf. [1], [2], [10]–[12] for syndrome-based decoding up to ( n − k ) / errors) of Gabidulin codes to decode space-symmetric errors. We therefore show that we can transform the problem of decoding space-symmetric errors into the problem of decoding a special interleaved Gabidulin code of interleaving order two (cf. [20]–[23] for decoding interleaved Gabidulin codes). The basic idea is to compute two syndromes, one obtained from the original code and another one by transposing the received noisy codeword matrix and obtaining the syndrome from the transposed Gabidulin code. The two syndromes can then be used to solve a linear system of equations jointly and the decoding radius can be increased beyond ( n − k ) / . Whether a solution can be found or not depends on the matrix $P$, see (2). The explicit decoding approach is similar to decoding a 2-interleaved Gabidulin code.

From (1) we can compute the syndromes

$$s^{(1)} = \hat{y} \hat{H}_{n-k}^T = \hat{e} \hat{H}_{n-k}^T \tag{3}$$

of the transposed code $\mathrm{Gab}^T_k[\alpha]$ and

$$s^{(2)} = y H_{n-k}^T = e H_{n-k}^T \tag{4}$$

of the original $\mathrm{Gab}_k[\alpha]$ code. To each syndrome, we can associate a polynomial $s^{(i)}(x) = \sum_{j=0}^{n-k-1} s^{(i)}_j x^{[j]}$ for $i \in \{1, 2\}$.

Given an error decomposed as in (2) we can define the row error span polynomial as the minimal subspace polynomial of the vector $a$ [24] of degree $t$ as:

$$\Gamma(x) \stackrel{\text{def}}{=} \prod_{u \in \mathcal{R}_q(E)} (x - \varphi(u)).$$

Since by definition of the error we have that $\mathcal{R}_q(E) = \mathcal{C}_q(E)$, the row error span polynomial is equal to the column error span polynomial and $\Gamma(a_l) = 0$ for all $l \in \{0, \dots, t-1\}$.

In the following, we give the key equation of the original code and the transposed code.

Theorem 1 (Key Equations)
Let $\Gamma(x) = \sum_{i=0}^{t} \Gamma_i x^{[i]}$ be the error span polynomial with $t = \deg_q \Gamma(x) = \mathrm{rk}(e)$. Then for each syndrome we obtain a key equation as follows

$$\Gamma(s^{(i)}(x)) \equiv \Omega^{(i)}(x) \mod x^{[n-k]}, \quad \forall i \in \{1, 2\},$$

for some $\Omega^{(i)}(x)$ with $\deg_q(\Omega^{(i)}(x)) < t$.

Proof: See Appendix A.

Solving the key equation can be done by solving a linear system of equations

$$S^{(i)} \cdot \Gamma^T = 0,$$

where $\Gamma = (\Gamma_0, \Gamma_1, \dots, \Gamma_t)$ and

$$S^{(i)} \stackrel{\text{def}}{=} \begin{pmatrix} s^{(i)[0]}_{t} & s^{(i)[1]}_{t-1} & \dots & s^{(i)[t]}_{0} \\ s^{(i)[0]}_{t+1} & s^{(i)[1]}_{t} & \dots & s^{(i)[t]}_{1} \\ \vdots & \vdots & \ddots & \vdots \\ s^{(i)[0]}_{n-k-1} & s^{(i)[1]}_{n-k-2} & \dots & s^{(i)[t]}_{n-k-1-t} \end{pmatrix}. \tag{5}$$

Since for each syndrome the error span polynomial in the key equation is the same, we can solve the two key equations jointly. This approach is similar to decoding a 2-interleaved Gabidulin code [20]–[23] which yields the following linear system of equations

$$S \cdot \Gamma^T = \begin{bmatrix} S^{(1)} \\ S^{(2)} \end{bmatrix} \cdot \Gamma^T = 0, \tag{6}$$

where (see Appendix B)

$$S^{(1)} = M_{n-k-t}(a)^{[t+1]} \cdot P \cdot M_{t+1}(a)^T \tag{7}$$

and

$$S^{(2)} = M_{n-k-t}(a)^{[t+k]} \cdot P^T \cdot M_{t+1}(a)^T. \tag{8}$$

Thus, $S$ is as follows

$$S = \begin{bmatrix} M_{n-k-t}(a)^{[t+1]} \cdot P \\ M_{n-k-t}(a)^{[t+k]} \cdot P^T \end{bmatrix} \cdot M_{t+1}(a)^T. \tag{9}$$

If $\mathrm{rk}(S) = t$, we obtain a unique solution for $\Gamma(x)$ up to a scalar factor. After solving the key equation (6) we obtain the coefficients of $\Gamma(x)$ and we can find a basis of the root space of $\Gamma(x)$. This basis corresponds to one possible $a$ in the decomposition in (2). Knowing a possible vector $a$, the error can be determined. The complete process of decoding is described in Algorithm 1. In Appendix C, we describe a way to obtain the error matrix $E$ knowing a possible vector $a$.
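The error span polynomial and the step "find a basis of the root space of Γ(x)" can be checked on a toy field. The following added example (not code from the paper) builds Γ(x) for a two-dimensional F_2-subspace of F_{2^4}, confirms that it is a linearized polynomial of q-degree t, and recovers a basis of its root space; the modulus x^4 + x + 1, the sample basis (2, 6) and all function names are assumptions made for illustration.

```python
# Added example (not from the paper): minimal subspace polynomial over F_{2^4}.
# Field elements are 4-bit integers and addition is XOR. The modulus
# x^4 + x + 1 is an assumed choice of irreducible polynomial.
M, MOD = 4, 0b10011


def gf_mul(a, b):
    """Multiply two elements of F_{2^4} (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD
    return r


def span(basis):
    """All F_2-linear combinations of the given field elements."""
    s = {0}
    for b in basis:
        s |= {x ^ b for x in s}
    return s


def subspace_polynomial(basis):
    """Ordinary coefficients (low to high) of prod_{u in <basis>} (x - u)."""
    poly = [1]
    for u in span(basis):
        nxt = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):
            nxt[i + 1] ^= c              # c * x^(i+1)
            nxt[i] ^= gf_mul(c, u)       # c * u * x^i (minus is plus in char. 2)
        poly = nxt
    return poly


def q_coefficients(poly):
    """Return (Gamma_0, ..., Gamma_t); fail if a non-q-power term is present."""
    for i, c in enumerate(poly):
        if c and (i == 0 or i & (i - 1)):
            raise ValueError("not a linearized polynomial")
    t = (len(poly) - 1).bit_length() - 1
    return [poly[1 << i] for i in range(t + 1)]


def eval_linearized(gamma, x):
    """Gamma(x) = sum_i Gamma_i * x^[i] with x^[i] = x^(2^i)."""
    acc = 0
    for g in gamma:
        acc ^= gf_mul(g, x)
        x = gf_mul(x, x)                 # next Frobenius power
    return acc


def root_space_basis(gamma):
    """Greedy F_2-basis of the root space of Gamma."""
    basis = []
    for x in range(1, 1 << M):
        if eval_linearized(gamma, x) == 0 and x not in span(basis):
            basis.append(x)
    return basis


if __name__ == "__main__":
    a = [0b0010, 0b0110]                 # constructed sample basis, t = 2
    gamma = q_coefficients(subspace_polynomial(a))
    print("Gamma coefficients (Gamma_0..Gamma_t):", gamma)
    print("recovered basis of the root space    :", root_space_basis(gamma))
```

The recovered basis differs from the one used to build Γ(x) but spans the same subspace, which is why the decoder only obtains "one possible a".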
Algorithm 1 has complexity at most O ( n ) operations over $\mathbb{F}_{q^n}$. Note that more efficient algorithms with quadratic or even sub-quadratic complexities in $n$ can be used to solve the joint syndrome key equation from (6) as well as to find the matrix $B$, see e.g., [20], [21], [25], [26], but for our analysis Algorithm 1 is sufficient.

B. Probability of Decoding Failure
In this section, we show that decoding of space-symmetricerrors is guaranteed with high probability.
Theorem 2 (Decoding of Space-Symmetric Errors)
Let $\mathrm{Gab}_\alpha[n, k]$ be a Gabidulin code of dimension $k$ and length $n$, where $\alpha$ is a weak self-orthogonal basis. Furthermore, let $r$ be a noisy Gabidulin codeword as in (1) where $E$ is a space-symmetric matrix of rank t ≤ n − k ) / . Then decoding is guaranteed with probability of at least $1 - P_f$, where $P_f$ is the decoding failure probability.

Assume that the matrix

$$Q \stackrel{\text{def}}{=} P^{-1} \cdot P^T, \tag{10}$$

where $P$ is defined in (2), is uniformly drawn at random from the set of all matrices in $\mathbb{F}_q^{t \times t}$. Then $P_f$ is bounded from above by

P_f ≤ /q^n .

Proof:
As discussed above, we need $\mathrm{rk}(S) = t$ to obtain a unique solution and succeed with decoding. To analyze the probability of failure, we restrict to the case for which the matrices $M_{n-k-t}(a)^{[t+k]}$ and $M_{n-k-t}(a)^{[t+1]}$ have no common rows, which means that t > n − k. Consider the case of symmetric error matrices $E$ for which $P = P^T$; we have that

$$S = \begin{bmatrix} M_{t+1,n-k+1}(a) \\ M_{t+k,n}(a) \end{bmatrix} \cdot P \cdot M_{t+1}(a)^T,$$

for which we know that $\mathrm{rk}(P) = t$ by definition, $\mathrm{rk}(M_{t+1}(a)^T) = t$ and, since $n - k < t + k$, also the left part of the decomposition of $S$ has always rank $t$ for t ≤ n − k ) / .

For the case that $P$ is not symmetric, we can rewrite (9) by defining $\tilde{M}_{n-k-t} \stackrel{\text{def}}{=} M_{n-k-t}(a) \cdot P$ as

$$S = \begin{bmatrix} \tilde{M}_{n-k-t}^{[t+1]} \\ \tilde{M}_{n-k-t}^{[t+k]} \cdot Q \end{bmatrix} \cdot M_{t+1}(a)^T. \tag{11}$$

Assuming that $Q$ is uniformly drawn at random from the set of all matrices in $\mathbb{F}_q^{t \times t}$, the matrix $S$ is similar to the syndrome matrix of decoding a 2-interleaved Gabidulin code and we can bound the probability of decoding error $P_f$ according to [21], and Theorem 2 follows.

Algorithm 1: DecodeSpaceSymmetric
Input: $y = (y_1, y_2, \dots, y_n) \in \mathbb{F}_{q^n}^n$,
       parity-check matrix $H_{n-k}$ of $\mathrm{Gab}_\alpha[n, k]$
Syndrome calculations:
    $s^{(1)} \leftarrow \hat{y} \hat{H}_{n-k}^T$ and $s^{(2)} \leftarrow y H_{n-k}^T$
if $s^{(2)} = 0$ then
    $c \leftarrow y$
else
    t ← ⌊ n − k ) / ⌋
    Set up $S^{(1)}$ and $S^{(2)}$ as in (5)
    $S \leftarrow [(S^{(1)})^T, (S^{(2)})^T]^T$
    while $\mathrm{rk}(S) < t$ do
        $t \leftarrow t - 1$
        Repeat 7 and 8
    Solve: $S \cdot \Gamma^T = 0$ for $\Gamma = (\Gamma_0, \dots, \Gamma_t) \in \mathbb{F}_{q^n}^{t+1}$
    Find a basis $(a_1, a_2, \dots, a_\omega) \in \mathbb{F}_{q^n}^{\omega}$ of the root space of $\Gamma(x) = \sum_{i=0}^{t} \Gamma_i x^{[i]}$
    if $\omega = t$ then
        Find $B$ such that $e = aB$ (see Appendix C)
        $c \leftarrow y - aB$
    else
        Declare “decoding failure”
Output: Estimated codeword $c \in \mathrm{Gab}_\alpha[n, k]$ or “decoding failure”.

IV. NUMERICAL RESULTS
We simulated a Gabidulin code for n = 8, k = 2 over F for a space-symmetric error channel of fixed error weight with t = rk(E) = 2( n − k ) / . The maximum error weight for unique decoding of any rank error is ( n − k ) / . We generated noisy Gabidulin codeword samples and we compare the results with a set of different scenarios:

1) Space-symmetric errors: We draw the matrices $A$ and $P$, both of rank $t$, uniformly at random. Using a Gabidulin code with a weak self-orthogonal basis we decode the noisy codewords using Algorithm 1.
2) Uniform assumption: a modified experiment where we directly draw the matrix $Q$ in (10), with $\mathrm{rk}(Q) = t$, uniformly at random instead of $P$. We compute the matrix $S$ as in (11) and check its rank. If $\mathrm{rk}(S) \neq t$ we declare a decoding failure.
3) 2-interleaved Gabidulin code: simulation of a 2-interleaved Gabidulin code where the two error matrices are drawn uniformly at random such that the dimension of its column space is at most n − k ) / .
4) Intersection probability: Consider the probability that the intersection of two subspaces $U$ and $V$ of $\mathbb{F}_{q^m}^t$ with dimension $\ell$ drawn uniformly at random has dimension larger than or equal to $\omega$. This probability is [27]

Pr[dim ( U ∩ V ) ≥ ω ] = P ℓi = ω (cid:0) t − ℓℓ − i (cid:1) q m (cid:0) ℓi (cid:1) q m · q ( ℓ − i ) (cid:0) tℓ (cid:1) q m . (12)

Consider the rows of $M_{n-k-t}(a)^{[t+1]} \cdot P$ being a basis of a subspace $\tilde{U}$ of $\mathbb{F}_{q^m}^t$ of dimension $\ell = n - k - t$. Additionally, consider the rows of $M_{n-k-t}(a)^{[t+k]} \cdot P^T$ being a basis of another subspace $\tilde{V}$ also of dimension $\ell = n - k - t$. We then can use (12) as an estimation of the probability $\Pr[\dim(\tilde{U} \cap \tilde{V}) \geq \omega]$ for ω = 2( n − k ) − t + 1, which is equal to the probability of the matrix

$$\begin{bmatrix} M_{t+1,n-k+1}(a) \\ M_{t+k,n}(a) \end{bmatrix}$$

having rank $t$ and therefore $\mathrm{rk}(S) = t$ according to (9).

Table I shows the simulation results, including the different scenarios for comparison. We observe that the decoding failure rate of decoding space-symmetric errors using a Gabidulin code with weak self-orthogonal basis is approximately identical to the one with the uniform assumption as well as to the one of decoding a 2-interleaved Gabidulin code over an ordinary rank-metric channel with errors of a fixed rank. The upper bound on $P_f$ is shown as well and the intersection probability gives a good estimate of the decoding failure rate.

TABLE I: SIMULATION RESULTS OF SPACE-SYMMETRIC ERRORS FOR n = 8, k = 2 OVER F AND t = 4.

Scenario                              Decoding failure rate
1) Space-symmetric errors             .
2) Uniform assumption                 .
3) 2-interleaved Gabidulin code       .
4) Intersection probability           .
Upper bound: /q^m                     .

V. NUMBER OF SPACE-SYMMETRIC MATRICES
Denote by $\binom{n}{t}_q$ the Gaussian binomial coefficient which gives the number of $t$-dimensional subspaces of $\mathbb{F}_q^n$ over $\mathbb{F}_q$ and is [28]

$$\binom{n}{t}_q = \prod_{i=0}^{t-1} \frac{q^n - q^i}{q^t - q^i}.$$

Theorem 3 (Number of Space-Symmetric Matrices)
The number $N_{\text{sp-sym}}(n, t, q)$ of $n \times n$ matrices over $\mathbb{F}_q$ of rank $t$ that are space-symmetric is given by

$$N_{\text{sp-sym}}(n, t, q) = \prod_{i=0}^{t-1} (q^n - q^i). \tag{13}$$

Proof:
The number of column spaces of an $n \times n$ matrix of rank $t$ over $\mathbb{F}_q$ is given by the number of $t$-dimensional subspaces of $\mathbb{F}_q^n$, which is $\binom{n}{t}_q$. Since we deal with square matrices we can identify the column space with the image of the associated linear map from $\mathbb{F}_q^n$ to $\mathbb{F}_q^n$. And since column space and row space are equal, there are $\prod_{i=0}^{t-1} (q^t - q^i)$ surjective linear maps from $\mathbb{F}_q^t$ to that $t$-dimensional image. It follows that $N_{\text{sp-sym}}(n, t, q) = \binom{n}{t}_q \cdot \prod_{i=0}^{t-1} (q^t - q^i)$ and inserting the definition of $\binom{n}{t}_q$, (13) follows.

VI. APPLICATION TO CODE-BASED CRYPTOGRAPHY
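The count in (13), which Section VI uses for the work factor WF_e, can be checked numerically. The following added example (not code from the paper) enumerates all n × n matrices over F_2 for small n, counts per rank those whose row and column spaces coincide, and compares the result with (13); the function names are illustrative, and q = 2 in wf_e_bits is an assumption, chosen because it reproduces the Sp-Sym WF_e entries of Table II (581.00, 426.00, 348.00).

```python
# Added example (not from the paper): brute-force check of the count in (13)
# over F_2. A matrix is a tuple of n row bitmasks; bit j of row i is E[i][j].
from itertools import product
from math import log2


def rref_basis(rows):
    """Canonical (fully reduced) basis of the F_2 span of the given bitmasks."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)                  # clear b's leading bit in r
        if r:
            basis = [min(b, b ^ r) for b in basis]
            basis.append(r)
    return tuple(sorted(basis))


def transpose(rows, n):
    """Transpose of an n x n bitmask matrix."""
    return tuple(sum(((rows[i] >> j) & 1) << i for i in range(n))
                 for j in range(n))


def count_by_rank(n):
    """Per-rank counts (space_symmetric, symmetric) of n x n matrices over F_2."""
    sp_sym, sym = [0] * (n + 1), [0] * (n + 1)
    for rows in product(range(1 << n), repeat=n):
        cols = transpose(rows, n)
        row_space = rref_basis(rows)
        if row_space == rref_basis(cols):      # R_q(E) == C_q(E)
            sp_sym[len(row_space)] += 1
            if rows == cols:                   # E == E^T
                sym[len(row_space)] += 1
    return sp_sym, sym


def n_sp_sym(n, t, q=2):
    """Closed form (13): prod_{i=0}^{t-1} (q^n - q^i)."""
    out = 1
    for i in range(t):
        out *= q**n - q**i
    return out


def wf_e_bits(n, t, q=2):
    """log2 of the number of space-symmetric error patterns of rank t."""
    return log2(n_sp_sym(n, t, q))


if __name__ == "__main__":
    for n in (2, 3, 4):
        sp_sym, sym = count_by_rank(n)
        formula = [n_sp_sym(n, t) for t in range(n + 1)]
        print(f"n={n}: enumerated {sp_sym}, formula {formula}, symmetric {sym}")
    for n, t in ((83, 7), (71, 6), (58, 6)):   # Sp-Sym rows (n, t') of Table II
        print(f"n={n}, t'={t}: WF_e = {wf_e_bits(n, t):.2f} bits")
```

The symmetric counts show how much smaller the symmetric class is than the space-symmetric one at the same rank.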
A McEliece-like cryptosystem based on Gabidulin codes was first introduced in [10], called the GPT system. Unfortunately, the original system and many of its variants were broken by attacks from Gibson [29], [30] and Overbeck [31]–[33]. In this section, we present the potential application of space-symmetric rank errors to code-based cryptography. We therefore compare the key sizes of the GPT variant by Loidreau [4], [5] if applied to arbitrary rank errors, symmetric errors and space-symmetric errors. We want to emphasize that we do not claim any security proofs. Symmetric errors contain a lot of structure which might lead to new efficient structural attacks when used in cryptosystems like [4], [5]. The same holds for space-symmetric errors; however, compared to symmetric errors, the former contain less structure. In either case, for a practical cryptosystem, further analysis to rule out structural attacks is required.

The GPT variant by Loidreau [4], [5] involves a parameter $\lambda$ which amplifies the rank of the error matrix. In Table II, we give a set of parameters under the assumption that it is possible to embed error matrices of a specific structure like symmetric or space-symmetric rank errors in the aforementioned cryptosystem. We also give different hypothetical security levels (SLs). The SL is defined by the smallest work factor (WF) of an attack in bits. We assume that the following three WFs (the first two WFs are described in [4]) apply:

• Decoding attack: WF dec = n q (( t ′ − k
• Structural attack: WF struc = n q n ( λ − − ( λ −
• Brute-forcing error patterns: WF e

with $t' = t/\lambda$ and $t$ being the maximal amount of errors that can be corrected by the different scenarios:

1) Conventional Gabidulin codes: t = ⌊ ( n − k ) / ⌋
2) Symmetric rank errors: t = ⌊ ( n − / ⌋
3) Space-symmetric rank errors: t = ⌊ n − k ) / ⌋

WF e is defined by the number of distinct error matrices, which is for the three different cases:

1) Conventional rank errors: The number of $n \times n$ matrices of rank $t'$ over $\mathbb{F}_q$, which is given by [24]
   N rank ( n, t ′ , q ) = t ′ − Y j =0 ( q n − q j ) q t ′ − q j .
2) Symmetric rank errors: Let N symm ( n, t ′ , q ) be the number of symmetric matrices of size $n \times n$ of rank t ′ = 2 s over $\mathbb{F}_q$; we have that [34]
   N symm ( n, s, q ) = s Y i =1 q i q i − · s − Y i =0 ( q n − i −
   and
   N symm ( n, s + 1 , q ) = s Y i =1 q i q i − · s Y i =0 ( q n − i − .
3) Space-symmetric rank errors: $N_{\text{sp-sym}}(n, t', q)$ as in (13).

TABLE II: KEY SIZES OF THE GPT CRYPTOSYSTEM VARIANT [4], [5] USING DIFFERENT TYPES OF ERRORS: CONVENTIONAL RANK ERRORS (CONV), SYMMETRIC (SYM) AND SPACE-SYMMETRIC (SP-SYM) RANK ERRORS FOR DIFFERENT SLS. THE CODE RATE OF ALL CODES IS APPROXIMATELY / .

SL    Type     n    k    λ   t′   WF dec   WF struc   WF e      Keysize
256   Conv     96   48   4   6    259.75   298.75     1117.77   27.65 KB
256   Sym      80   40   5   7    258.97   322.97     539.53    16.00 KB
256   Sp-Sym   83   41   4   7    265.13   259.13     581.00    17.87 KB
192   Conv     88   44   4   5    195.38   274.38     856.75    21.30 KB
192   Sym      62   31   4   7    203.86   194.86     413.53    7.45 KB
192   Sp-Sym   71   35   4   6    193.45   222.45     426.00    11.18 KB
128   Conv     59   29   3   5    133.65   131.65     566.75    6.41 KB
128   Sym      49   24   4   6    136.84   154.84     279.53    3.68 KB
128   Sp-Sym   58   29   4   6    162.57   129.57     348.00    6.10 KB

Table II shows that using symmetric or space-symmetric rank errors potentially might reduce the key size of such a cryptosystem.

APPENDIX
Define $B \stackrel{\text{def}}{=} P A^T$ and $C \stackrel{\text{def}}{=} P^T A^T$. Thus $E = AB$ and $E^T = AC$. The vector representation $e$ of $E$ and its transposed $\hat{e}$ of $E^T$ can therefore be written as

$$e = \alpha E = \alpha A B = aB, \qquad \hat{e} = \alpha E^T = \alpha A C = aC,$$

with $a = \alpha A$. From the syndrome equations (3) and (4) follows

$$s^{(1)} = aC\hat{H}_{n-k}^T \iff s^{(1)}_j = \sum_{i=0}^{n-1} \sum_{l=0}^{t-1} a_l C_{l,i} \alpha_i^{[1+j]} = \sum_{l=0}^{t-1} a_l \hat{c}_l^{[1+j]}, \tag{14}$$

$$s^{(2)} = aBH_{n-k}^T \iff s^{(2)}_j = \sum_{i=0}^{n-1} \sum_{l=0}^{t-1} a_l B_{l,i} \alpha_i^{[k+j]} = \sum_{l=0}^{t-1} a_l \hat{b}_l^{[k+j]}, \tag{15}$$

with $\hat{c}_l$ being the $l$-th entry of the vector $\hat{c} = \alpha C^T$ and $\hat{b}_l$ of $\hat{b} = \alpha B^T$, respectively.

A. Proof of the Key Equations
The $p$-th coefficient of $\Omega^{(i)} = \Gamma(s^{(i)}(x))$ for $i \in \{1, 2\}$ can be calculated by

$$\Omega^{(i)}_p = \sum_{j=0}^{p} \Gamma_j \left( s^{(i)}_{p-j} \right)^{[j]}.$$

Using (14) and (15) we obtain for the transposed code and original code

$$\Omega^{(1)}_p = \sum_{j=0}^{p} \Gamma_j \left( \sum_{l=0}^{t-1} a_l \hat{c}_l^{[1+p-j]} \right)^{[j]} = \sum_{l=0}^{t-1} \hat{c}_l^{[1+i]} \sum_{j=0}^{p} \Gamma_j a_l^{[j]}$$

and

$$\Omega^{(2)}_p = \sum_{j=0}^{p} \Gamma_j \left( \sum_{l=0}^{t-1} a_l \hat{b}_l^{[k+p-j]} \right)^{[j]} = \sum_{l=0}^{t-1} \hat{b}_l^{[k+i]} \sum_{j=0}^{p} \Gamma_j a_l^{[j]},$$

respectively. For any $p \geq t$ this gives $\Omega^{(i)}_p = 0$, since $\Gamma(a_l) = \sum_{j=0}^{t} \Gamma_j a_l^{[j]} = 0$ by definition and therefore $\deg_q \Omega^{(i)}(x) < \deg_q \Gamma(x) = t$ for $i \in \{1, 2\}$.

B. Derivation of (7) and (8)
Using (14) and (15) we can decompose the syndrome matrices from (5) as

$$S^{(1)} = \begin{pmatrix} \hat{c}_0^{[t+1]} & \hat{c}_1^{[t+1]} & \dots & \hat{c}_{t-1}^{[t+1]} \\ \hat{c}_0^{[t+2]} & \hat{c}_1^{[t+2]} & \dots & \hat{c}_{t-1}^{[t+2]} \\ \vdots & \vdots & \ddots & \vdots \\ \hat{c}_0^{[n-k]} & \hat{c}_1^{[n-k]} & \dots & \hat{c}_{t-1}^{[n-k]} \end{pmatrix} \cdot M_{t+1}(a)^T$$

and

$$S^{(2)} = \begin{pmatrix} \hat{b}_0^{[t+k]} & \hat{b}_1^{[t+k]} & \dots & \hat{b}_{t-1}^{[t+k]} \\ \hat{b}_0^{[t+k+1]} & \hat{b}_1^{[t+k+1]} & \dots & \hat{b}_{t-1}^{[t+k+1]} \\ \vdots & \vdots & \ddots & \vdots \\ \hat{b}_0^{[n-1]} & \hat{b}_1^{[n-1]} & \dots & \hat{b}_{t-1}^{[n-1]} \end{pmatrix} \cdot M_{t+1}(a)^T.$$

The left sides can be decomposed again according to the definition of $\hat{c}$ and $\hat{b}$ and we have

$$S^{(1)} = \begin{pmatrix} \alpha_0^{[t+1]} & \alpha_1^{[t+1]} & \dots & \alpha_{n-1}^{[t+1]} \\ \alpha_0^{[t+2]} & \alpha_1^{[t+2]} & \dots & \alpha_{n-1}^{[t+2]} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{[n-k]} & \alpha_1^{[n-k]} & \dots & \alpha_{n-1}^{[n-k]} \end{pmatrix} \cdot C^T \cdot M_{t+1}(a)^T$$

and

$$S^{(2)} = \begin{pmatrix} \alpha_0^{[t+k]} & \alpha_1^{[t+k]} & \dots & \alpha_{n-1}^{[t+k]} \\ \alpha_0^{[t+k+1]} & \alpha_1^{[t+k+1]} & \dots & \alpha_{n-1}^{[t+k+1]} \\ \vdots & \vdots & \ddots & \vdots \\ \alpha_0^{[n-1]} & \alpha_1^{[n-1]} & \dots & \alpha_{n-1}^{[n-1]} \end{pmatrix} \cdot B^T \cdot M_{t+1}(a)^T.$$

Since $C^T = AP$, $B^T = AP^T$ and $a = \alpha A$ we obtain (7) and (8).

C. Finding B such that e = aB
Define $d_l \stackrel{\text{def}}{=} \hat{b}_l^{[k]}$. We have then from (15) that the syndrome $s^{(2)}_j = \sum_{l=0}^{t-1} a_l d_l^{[j]}$. Knowing the vector $a = (a_0, a_1, \dots, a_{t-1})$ we can solve for $d = (d_0, d_1, \dots, d_{t-1})$ the following linear system of equations:

$$\begin{pmatrix} a_0^{[0]} & a_1^{[0]} & \cdots & a_{t-1}^{[0]} \\ a_0^{[-1]} & a_1^{[-1]} & \cdots & a_{t-1}^{[-1]} \\ \vdots & \vdots & \ddots & \vdots \\ a_0^{[-v]} & a_1^{[-v]} & \cdots & a_{t-1}^{[-v]} \end{pmatrix} \cdot \begin{pmatrix} d_0 \\ d_1 \\ \vdots \\ d_{t-1} \end{pmatrix} = \begin{pmatrix} (s^{(2)}_0)^{[0]} \\ (s^{(2)}_1)^{[-1]} \\ \vdots \\ (s^{(2)}_v)^{[-v]} \end{pmatrix}$$

with $v = n - k - 1$. It remains to find $B$ such that $d_l = \sum_{j=0}^{n-1} B_{l,j} \alpha_j^{[k]}$.

REFERENCES
[1] E. M. Gabidulin, “Theory of Codes with Maximum Rank Distance,”
Probl. Inf. Transm., vol. 21, no. 1, pp. 3–16, 1985.
[2] R. M. Roth, “Maximum-Rank Array Codes and their Application to Crisscross Error Correction,” IEEE Trans. Inf. Theory, vol. 37, no. 2, pp. 328–336, 1991.
[3] P. Delsarte, “Bilinear Forms over a Finite Field with Applications to Coding Theory,” J. Combin. Theory, vol. 25, no. 3, pp. 226–241, 1978.
[4] P. Loidreau, “An Evolution of GPT Cryptosystem.” ACCT, 2016.
[5] ——, “A new rank metric codes based encryption scheme,” in International Workshop on Post-Quantum Cryptography. Springer, 2017, pp. 3–17.
[6] P. Lusina, E. M. Gabidulin, and M. Bossert, “Maximum Rank Distance Codes as Space-Time Codes,” IEEE Trans. Inform. Theory, vol. 49, no. 10, pp. 2757–2760, Oct. 2003.
[7] D. Silva, F. R. Kschischang, and R. Koetter, “A rank-metric approach to error control in random network coding,” IEEE transactions on information theory, vol. 54, no. 9, pp. 3951–3967, 2008.
[8] N. Silberstein, A. S. Rawat, and S. Vishwanath, “Error resilience in distributed storage via rank-metric codes,” in . IEEE, 2012, pp. 1150–1157.
[9] P. Lefèvre, P. Carré, and P. Gaborit, “Application of rank metric codes in digital image watermarking,” Signal Processing: Image Communication, vol. 74, pp. 119–128, 2019.
[10] E. M. Gabidulin, A. V. Paramonov, and O. V. Tretjakov, “Rank Errors and Rank Erasures Correction,” in Int. Colloq. Coding Theory, 1991.
[11] E. M. Gabidulin, “A Fast Matrix Decoding Algorithm for Rank-Error-Correcting Codes,” Algebraic Coding, vol. 573, pp. 126–133, 1992.
[12] G. Richter and S. Plass, “Fast Decoding of Rank-Codes with Rank Errors and Column Erasures,” in IEEE Int. Symp. Inf. Theory (ISIT), 2004, p. 398.
[13] A. Wachter-Zeh, V. Afanassiev, and V. Sidorenko, “Fast Decoding of Gabidulin Codes,” Des. Codes Cryptogr., vol. 66, no. 1, pp. 57–73, Jan. 2013.
[14] N. Pilipchuk and E. Gabidulin, “On codes correcting symmetric rank errors,” vol. 3969, 01 2005, pp. 14–21.
[15] E. M. Gabidulin and N. I. Pilipchuk, “Symmetric Rank Codes,” Probl. Inf. Transm., vol. 40, no. 2, pp. 103–117, 2004.
[16] ——, “Symmetric matrices and codes correcting rank errors beyond the [(d-1)/2] bound,” Discrete Applied Mathematics, vol. 154, no. 2, pp. 305–312, 2006.
[17] Ø. Ore, “On a Special Class of Polynomials,” Trans. Amer. Math. Soc., vol. 35, pp. 559–584, 1933.
[18] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. North Holland Publishing Co., 1988.
[19] G. Seroussi and A. Lempel, “Factorization of symmetric matrices and trace-orthogonal bases in finite fields,” SIAM Journal on Computing, vol. 9, no. 4, pp. 758–767, 1980.
[20] V. R. Sidorenko, A. Wachter-Zeh, and D. Chen, “On fast Decoding of Interleaved Gabidulin Codes,” in Int. Symp. Probl. Redundancy Inf. Control Systems, Sep. 2012, pp. 78–83.
[21] V. Sidorenko and M. Bossert, “Decoding interleaved Gabidulin codes and multisequence linearized shift-register synthesis,” in , 2010, pp. 1148–1152.
[22] P. Loidreau and R. Overbeck, “Decoding Rank Errors Beyond the Error Correcting Capability,” in Int. Workshop Alg. Combin. Coding Theory (ACCT), Sep. 2006, pp. 186–190.
[23] A. Wachter-Zeh and A. Zeh, “List and Unique Error-Erasure Decoding of Interleaved Gabidulin Codes with Interpolation Techniques,” Des. Codes Cryptogr., vol. 73, no. 2, pp. 547–570, 2014.
[24] R. Lidl and H. Niederreiter, Finite Fields, ser. Encyclopedia of Mathematics and its Applications. Cambridge University Press, Oct. 1996.
[25] S. Puchinger and A. Wachter-Zeh, “Fast Operations on Linearized Polynomials and their Applications in Coding Theory,” Journal of Symbolic Computation, vol. 89, pp. 194–215, Nov. 2018.
[26] ——, “Sub-quadratic Decoding of Gabidulin Codes,” in IEEE Int. Symp. Inf. Theory (ISIT), Jul. 2016.
[27] T. Etzion and A. Vardy, “Error-correcting codes in projective space,” IEEE Transactions on Information Theory, vol. 57, no. 2, pp. 1165–1173, 2011.
[28] E. R. Berlekamp, Algebraic Coding Theory, revised ed. Aegean Park Press, Jun. 1984.
[29] J. K. Gibson, “Severely denting the Gabidulin version of the McEliece Public Key Cryptosystem,” Des. Codes Cryptogr., vol. 6, no. 1, pp. 37–45, Jul. 1995. [Online]. Available: http://dx.doi.org/10.1007/BF01390769
[30] K. Gibson, “The Security of the Gabidulin Public Key Cryptosystem,” Advances in Cryptology, vol. 1070, pp. 212–223, 1996.
[31] R. Overbeck, “Extending Gibson’s Attacks on the GPT Cryptosystem,” Coding and Cryptography — Revised selected papers of WCC 2005, vol. 3969, pp. 178–188, 2006.
[32] ——, “A new structural attack for gpt and variants,” in International Conference on Cryptology in Malaysia. Springer, 2005, pp. 50–63.
[33] ——, “Structural attacks for public key cryptosystems based on gabidulin codes,” Journal of cryptology, vol. 21, no. 2, pp. 280–301, 2008.
[34] J. MacWilliams, “Orthogonal matrices over finite fields,”