Skip to main content
SpringerLink
Log in

Syndrome Decoding Estimator

  • Conference paper
  • First Online:
Public-Key Cryptography – PKC 2022 (PKC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13177))

Included in the following conference series:

Abstract

The selection of secure parameter sets requires an estimation of the attack cost to break the respective cryptographic scheme instantiated under these parameters. The current NIST standardization process for post-quantum schemes makes this an urgent task, especially considering the announcement to select final candidates by the end of 2021. For code-based schemes, recent estimates seemed to contradict the claimed security of most proposals, leading to a certain doubt about the correctness of those estimates. Furthermore, none of the available estimates include most recent algorithmic improvements on decoding linear codes, which are based on information set decoding (ISD) in combination with nearest neighbor search. In this work we observe that all major ISD improvements are build on nearest neighbor search, explicitly or implicitly. This allows us to derive a framework from which we obtain practical variants of all relevant ISD algorithms including the most recent improvements. We derive formulas for the practical attack costs and make those online available in an easy to use estimator tool written in python and C. Eventually, we provide classical and quantum estimates for the bit security of all parameter sets of current code-based NIST proposals.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The focus of this work lies on advanced algorithms, but our estimator also provides the estimates for asymptotically inferior procedures.

  2. 2.

    The estimator can be downloaded at https://github.com/Crypto-TII/syndrome_decoding_estimator.

  3. 3.

    Note that this splitting only allows to construct balanced solutions \(\mathbf {e}\), which have exactly weight \(\frac{p}{2}\) on the upper and lower half. While we take this into account when deriving our concrete estimates let us neglect this fact for now.

  4. 4.

    By using a hashing strategy.

  5. 5.

    For \(p=0\) a simple check if \(\mathrm {wt}(\tilde{\mathbf {s}})= \omega \) suffices to determine if the permutation distributes the weight correctly.

  6. 6.

    Note that both sets differ only in a polynomial fraction of their elements. Furthermore our argumentation also holds when using the original base lists, but the refinement allows for easier illustration by yielding approximate matching identities with fixed distances.

  7. 7.

    Note that the equation for \(i=3\) will not be used by the algorithm. It just enables us to perform the nearest neighbor search for \(i=2\) on a reduced sub-instance with flexible \(\ell _2,\omega _2\); instead of being forced to operate always on the full \(n-k-\ell _1\) coordinates with weight \(\omega -p-\omega _1\).

  8. 8.

    For example we can randomize by adding a random \(\mathbf {r}\in \mathbb {F}_2^{n-k}\) to all labels in lists \(L_1\) and \(L_3\).

  9. 9.

    We do not differentiate between both algorithms, since in our setting the only difference of BJMM is the larger choice of \(p_1>p/2\). Hence, the bare optimization of \(p_1\) determines which algorithm is chosen.

  10. 10.

    If we would perform the Meet-in-the-Middle on the full \(n-k-\ell _1\) coordinates as before, the blow-up due to the internal addition of the fixed Hamming weight vectors would be to huge and render this approach inefficient.

  11. 11.

    Note that we take the number of necessary vector space elements that need to be stored as a measure to derive the penalty.

References

  1. Aragon, N., et al.: BIKE: bit flipping key encapsulation (2020)

    Google Scholar 

  2. Aragon, N., Lavauzelle, J., Lequesne, M.: decodingchallenge.org (2019). https://decodingchallenge.org/

  3. Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: A finite regime analysis of information set decoding algorithms. Algorithms 12(10), 209 (2019)

    Article  MathSciNet  Google Scholar 

  4. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2n/20: how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

    Chapter  MATH  Google Scholar 

  5. Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 73–80. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_6

    Chapter  Google Scholar 

  6. Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_3

    Chapter  Google Scholar 

  7. Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_42

    Chapter  Google Scholar 

  8. Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_2

    Chapter  Google Scholar 

  9. Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to mceliece’s cryptosystem and to narrow-sense bch codes of length 511. IEEE Trans. Inf. Theory 44(1), 367–378 (1998)

    Article  MathSciNet  Google Scholar 

  10. Chou, T., et al.: Classic McEliece: conservative code-based cryptography 10 October 2020 (2020)

    Google Scholar 

  11. Dumer, I.: On minimum distance decoding of linear codes. In: Proceedings of the 5th Joint Soviet-Swedish International Workshop Information Theory, pp. 50–52 (1991)

    Google Scholar 

  12. Esser, A., Bellini, E.: Syndrome decoding estimator. Cryptology ePrint Archive (2021)

    Google Scholar 

  13. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17

    Chapter  Google Scholar 

  14. Esser, A., Kübler, R., Zweydinger, F.: A faster algorithm for finding closest pairs in hamming metric. arXiv preprint arXiv:2102.02597 (2021)

  15. Esser, A., Ramos-Calderer, S., Bellini, E., Latorre, J.I., Manzano, M.: An optimized quantum implementation of ISD on scalable quantum resources. Cryptology ePrint Archive (2021)

    Google Scholar 

  16. Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6

    Chapter  Google Scholar 

  17. Hamdaoui, Y., Sendrier, N.: A non asymptotic analysis of information set decoding. IACR Cryptol. ePrint Arch. 2013, 162 (2013)

    Google Scholar 

  18. Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pp. 604–613 (1998)

    Google Scholar 

  19. Kachigar, G., Tillich, J.-P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 69–89. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_5

    Chapter  MATH  Google Scholar 

  20. Kirshanova, E.: Improved quantum information set decoding. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 507–527. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_24

    Chapter  MATH  Google Scholar 

  21. Kirshanova, E., Laarhoven, T.: Lower bounds on lattice sieving and information set decoding. To appear at CRYPTO 2021 (2021)

    Google Scholar 

  22. Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_25

  23. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6

    Chapter  MATH  Google Scholar 

  24. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, Marc (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9

    Chapter  Google Scholar 

  25. Melchor, C.A., et al.: Hamming quasi-cyclic (HQC) (2020)

    Google Scholar 

  26. Naya-Plasencia, M., Schrottenloher, A.: Optimal merging in quantum k-xor and k-sum algorithms. In: EUROCRYPT 2020–39th Annual International Conference on the Theory and Applications of Cryptographic (2020)

    Google Scholar 

  27. Perlner, R.: pqc-forum: Round 3 official comment: classic mceliece (2021). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/EiwxGnfQgec/m/xBky_FKFDgAJ

  28. Peters, C.: Information-set decoding for linear codes over F<Subscript> q</Subscript>. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 81–94. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_7

    Chapter  Google Scholar 

  29. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)

    Article  MathSciNet  Google Scholar 

  30. Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4

    Chapter  Google Scholar 

  31. Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850

    Chapter  Google Scholar 

  32. Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10

    Chapter  Google Scholar 

  33. Various: pqc-forum: Round 3 official comment: classic mceliece (2021). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/EiwxGnfQgec

  34. Various: pqc-forum: Security strength categories for code based crypto (and trying out crypto stack exchange) (2021). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/6XbG66gI7v0

  35. Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_19

    Chapter  Google Scholar 

  36. Zalka, C.: Grover’s quantum searching algorithm is optimal. Phys. Rev. A 60(4), 2746 (1999)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Cryptography Research Center, Technology Innovation Institute, Abu Dhabi, UAE

    Andre Esser & Emanuele Bellini

Authors
  1. Andre Esser
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Emanuele Bellini
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Andre Esser or Emanuele Bellini .

Editor information

Editors and Affiliations

  1. National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan

    Goichiro Hanaoka

  2. Yokohama National University, Yokohama, Japan

    Junji Shikata

  3. The University of Electro-Communications, Tokyo, Japan

    Yohei Watanabe

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Esser, A., Bellini, E. (2022). Syndrome Decoding Estimator. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science(), vol 13177. Springer, Cham. https://doi.org/10.1007/978-3-030-97121-2_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-97121-2_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97120-5

  • Online ISBN: 978-3-030-97121-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation