The McEliece scheme is a generic framework that allows any error-correcting code with an efficient decoding algorithm to be turned into an encryption scheme by hiding the structure of the code's generator matrix. Similarly, the Niederreiter framework is the dual version of the McEliece scheme and achieves smaller ciphertexts. We propose a generalization of the McEliece and Niederreiter frameworks to matrix codes and the MinRank problem, which we apply to Gabidulin matrix codes (Gabidulin rank codes considered as matrix codes). The masking we consider consists in starting from a rank code C, taking a matrix version of C, concatenating a certain number of rows and columns to this matrix-code version of C, and then applying an isometry for matrix codes. The security of the schemes against message recovery (decrypting a ciphertext) relies on the MinRank problem, and their structural security relies on a new problem, the EGMC-Indistinguishability problem, which we introduce and study in detail. The main structural attack we propose consists in trying to recover the masked linearity over the extension field, which is lost during the masking process. Overall, starting from Gabidulin codes we obtain a very appealing trade-off between the size of the ciphertext and the size of the public key. For 128 bits of security we propose parameters ranging from ciphertexts of 65 B (with public keys of 98 kB) to ciphertexts of 138 B (with public keys of 41 kB). Our new approach achieves a better trade-off between ciphertext and public key sizes than the classical McEliece scheme: it yields an alternative to classic McEliece with very small ciphertexts and, moreover, smaller public keys. For 256 bits of security, we can obtain ciphertexts as small as 119 B, or public keys as small as 87 kB.
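A toy Python walkthrough of the masking step sketched above, added here as an illustration and not code from the paper: it expands a word over F_{2^4} into its matrix-code form, concatenates extra rows and columns, and applies a matrix-code isometry X -> A X B, checking that the rank (which the MinRank-based decryption relies on) is preserved. The tiny field, the random fill of the appended rows and columns, and the absence of a Gabidulin encoder are assumptions made to keep the example self-contained.

```python
import random

M_BITS = 4  # toy field F_2^4: an element of F_16 is a 4-bit int (constructed size, not the paper's)

def gf2_rank(rows):
    """Rank over F_2 of a matrix given as row bitmasks (xor-basis elimination)."""
    rows, count = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot == 0:
            continue
        count += 1
        low = pivot & -pivot  # lowest set bit of the pivot row
        rows = [r ^ pivot if r & low else r for r in rows]
    return count

def rank(mat):
    """Rank over F_2 of a 0/1 matrix given as a list of rows."""
    return gf2_rank(sum(b << j for j, b in enumerate(row)) for row in mat)

def to_matrix_code(vec):
    """Matrix version of a rank-code word: column j is the F_2-expansion of vec[j]."""
    return [[(x >> i) & 1 for x in vec] for i in range(M_BITS)]

def rank_weight(vec):
    return rank(to_matrix_code(vec))  # rank weight = rank of the matrix expansion

def mat_mul(a, b):
    return [[sum(a[i][t] & b[t][j] for t in range(len(b))) & 1
             for j in range(len(b[0]))] for i in range(len(a))]

def random_invertible(n, rng):
    while True:
        a = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        if rank(a) == n:
            return a

def pad(mat, extra_rows, extra_cols, rng):
    """Concatenate extra rows and columns to the matrix code (random fill is an assumption)."""
    padded = [row + [rng.randint(0, 1) for _ in range(extra_cols)] for row in mat]
    return padded + [[rng.randint(0, 1) for _ in range(len(padded[0]))] for _ in range(extra_rows)]

def mask(vec, extra_rows, extra_cols, seed=0):
    """Masking pipeline on one word: expand, pad, then apply X -> A X B with A, B invertible.
    Returns (padded, masked); an isometry preserves rank, so rank(padded) == rank(masked)."""
    rng = random.Random(seed)
    padded = pad(to_matrix_code(vec), extra_rows, extra_cols, rng)
    A = random_invertible(len(padded), rng)
    B = random_invertible(len(padded[0]), rng)
    return padded, mat_mul(mat_mul(A, padded), B)
```

The rank-preservation check is the property a low-rank error must keep after masking; the padded block still has rank at least that of the original word because the original sits inside it as a submatrix.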