About Low DFR for QC-MDPC Decoding

Abstract

McEliece-like code-based key exchange mechanisms using QC-MDPC codes can reach IND-CPA security under hardness assumptions from coding theory, namely quasi-cyclic syndrome decoding and quasi-cyclic codeword finding. To reach higher security requirements, like IND-CCA security, it is necessary in addition to prove that the decoding failure rate (DFR) is negligible, for some decoding algorithm and a proper choice of parameters. Getting a formal proof of a low DFR is a difficult task. Instead, we propose to ensure this low DFR under some additional security assumption on the decoder. This assumption relates to the asymptotic behavior of the decoder and is supported by several other works. We define a new decoder, Backflip, which features a low DFR. We evaluate the Backflip decoder by simulation and extrapolate its DFR under the decoder security assumption. We also measure the accuracy of our simulation data, in the form of confidence intervals, using standard techniques from communication systems.

This work was supported by the ANR CBCRYPT project, grant ANR-17-CE39-0007 of the French Agence Nationale de la Recherche.

A Error Floors for QC-MDPC

The DFR study we are making here differs from what is done for communication systems where the code is fixed and the signal to noise ratio increases (i.e. the bit error probability decreases). We expect to observe the same kind of DFR behavior here for QC-MDPC when we fix (w, t) and let r grow. Some classes of error correcting codes, namely turbo-codes and LDPC codes to which MDPC codes are akin, suffer from a phenomenon known as error floor. The log(DFR) curve is first concave and quickly decreasing (the waterfall). Then at some point the concavity changes and the DFR decreases much more slowly, this is known as the error floor [15, 19]. This could contradict the Assumption 3, but fortunately error floors usually occur very low in DFR curves. The error floors are due to the existence of low weight codewords, in the case of turbo codes, or, for LDPC codes, to the existence of specific error configurations known as near-codewords. An (u, v)-near-codeword is an error pattern of relatively small weight u with a syndrome of small weight v (the syndrome is computed with the sparse parity check matrix). Intuitively, it can be seen as a cluster of errors which are less visible because, together, they only invalidate a few parity equations. If the initial error pattern contains a near-codeword the decoder is more prone to fail. If many near-codewords exist it may cause an error floor.

Error Floors From Near-Codewords. To affect decoding in a (2r, r, w, t)-QC-MDPC-McEliece scheme, an (u, v)-near-codewords (see definition above) must be such that u is smaller than t, and v significantly smaller than the typical syndrome weight. The probability that such a near-codeword exists when the QC-MDPC is chosen at random is extremely small. A very small number of QC-MDPC codes may admit such words, but if they do there will be few of them. Moreover, the decoding of the few error patterns containing near-codewords will not automatically fail, the DFR will just increase a bit, with little impact on the average DFR. Unless there is an algebraic structure which is not immediately apparent, we do not expect near-codewords to have an impact on QC-MDPC DFR.

Error Floors from Low Weight Codewords. Regardless of the algorithm, the decoding of a noisy codeword will almost certainly fail if the noisy codeword comes closer to a codeword \(\mathrm {c}_1\) different from the original one \(\mathrm {c}_0\). For a given error \(\mathrm {e}\) of weight t, and two codewords \(\mathrm {c}_0\) and \(\mathrm {c}_1\) at distance w from one another, the decoding will fail if \(\left| {\mathrm {c}_0+\mathrm {e}-\mathrm {c}_1}\right| \le \left| {e}\right| \), which happens with probability

$$\begin{aligned} P_w=\sum _{i=w/2}^w \frac{\left( {\begin{array}{c}w\\ i\end{array}}\right) \left( {\begin{array}{c}n-w\\ t-i\end{array}}\right) }{\left( {\begin{array}{c}n\\ t\end{array}}\right) }. \end{aligned}$$

(1)

An index 2 QC-MDPC code with block size r and parity check matrix row weight w will generally have exactly r codewords of weight w. If \(\mathbf {H}=(\mathbf {H}_0\mid \mathbf {H}_1)\) is the sparse parity check matrix, with two circulant blocks \(\mathbf {H}_0,\mathbf {H}_1\), then is a generator matrix of the code. With overwhelming probability, the r rows of that generator matrix are the only minimal weight codewords. Let us denote \(P_\lambda (r)\approx rP_w\) the failure probability due to those codewords. A simple analysis shows that \(\log _2P_\lambda (r)\sim _{r\rightarrow \infty } C_\lambda -(w/2-1)\log _2r\) where \(C_\lambda \) only depends of w and t. We have \(\mathrm {DFR}_{\mathcal {D},\lambda }(r)\ge P_\lambda (r)\) for any decoder, this term will dominate when r grows and thus the logarithm of the DFR is not concave in the whole range \(r\in [0,\infty [\). However the change of slope only happens for very large values of r. We have

and this will not affect the DFR for values of r relevant for Assumption 3. Finally note that the sum of two (or more) rows of \(\mathbf {G}\) may also contribute to the DFR. However, it is easily observed that the contribution of those codewords is even smaller.

Additional Comment. The error floor issue is new for QC-MDPC codes. As far as this work is concerned, we assume through Assumption 3 that the error floor occurs below the required \(2^{-\lambda }\), validating the DFR estimation method. We give above some arguments to support the assumption. We agree, as suggested by one of the reviewers, that the matter needs to be more thoroughly studied, but this goes beyond the scope of the present work.