Abstract
McEliece-like code-based key exchange mechanisms using QC-MDPC codes can reach IND-CPA security under hardness assumptions from coding theory, namely quasi-cyclic syndrome decoding and quasi-cyclic codeword finding. To reach higher security requirements, like IND-CCA security, it is necessary in addition to prove that the decoding failure rate (DFR) is negligible, for some decoding algorithm and a proper choice of parameters. Getting a formal proof of a low DFR is a difficult task. Instead, we propose to ensure this low DFR under some additional security assumption on the decoder. This assumption relates to the asymptotic behavior of the decoder and is supported by several other works. We define a new decoder, Backflip, which features a low DFR. We evaluate the Backflip decoder by simulation and extrapolate its DFR under the decoder security assumption. We also measure the accuracy of our simulation data, in the form of confidence intervals, using standard techniques from communication systems.
This work was supported by the ANR CBCRYPT project, grant ANR-17-CE39-0007 of the French Agence Nationale de la Recherche.
Notes
- 1.
MDPC were previously defined, in a different context, by Ouzan and Be’ery in 2009, http://arxiv.org/abs/0911.3262.
References
Melchor, C.A., et al.: BIKE. Second round submission to the NIST post-quantum cryptography call, April 2019
Baldi, M., Santini, P., Chiaraluce, F.: Soft McEliece: MDPC code-based McEliece cryptosystems with very compact keys through real-valued intentional errors. In: Proceedings of IEEE International Symposium on Information Theory - ISIT, pp. 795–799. IEEE Press (2016)
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10
Chaulet, J.: Étude de cryptosystèmes à clé publique basés sur les codes MDPC quasi-cycliques. Ph.D. thesis, University Pierre et Marie Curie, March 2017
Clopper, C.J., Pearson, E.S.: The use of confidence or fiducial limits illustrated in the case of the binomial. Biometrika 26(4), 404–413 (1934)
Drucker, N., Gueron, S., Kostic, D.: On constant-time QC-MDPC decoding with negligible failure rate. Cryptology ePrint Archive, Report 2019/1289 (2019). https://eprint.iacr.org/2019/1289
Eaton, E., Lequesne, M., Parent, A., Sendrier, N.: QC-MDPC: a timing attack and a CCA2 KEM. In: Proceedings of Post-Quantum Cryptography - 9th International Conference, PQCrypto 2018, Fort Lauderdale, FL, USA, 9–11 April 2018, pp. 47–76 (2018)
Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 245–255. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_22
Gallager, R.G.: Low Density Parity Check Codes. MIT Press, Cambridge (1963)
Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29
Hamdaoui, Y., Sendrier, N.: A non asymptotic analysis of information set decoding. IACR Cryptology ePrint Archive, Report 2013/162 (2013). http://eprint.iacr.org/2013/162
Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_16
Liva, G., Bartz, H.: Protograph-based quasi-cyclic MDPC codes for McEliece cryptosystems. In: ISTC, Hong Kong, China, pp. 1–5. IEEE, December 2018
MacKay, D.J.C., Postol, M.S.: Weaknesses of Margulis and Ramanujan-Margulis low-density parity-check codes. Electr. Notes Theor. Comput. Sci. 74, 97–104 (2002)
McEliece, R.J.: A public-key system based on algebraic coding theory. DSN Progress Report 44, pp. 114–116. Jet Propulsion Lab (1978)
Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: Proceedings of IEEE International Symposium on Information Theory - ISIT, pp. 2069–2073 (2013)
Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)
Richardson, T.: Error floors of LDPC codes. In: Proceedings of the 41st Annual Allerton Conference on Communication, Control, and Computing (2003)
Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4
Sendrier, N., Vasseur, V.: On the decoding failure rate of QC-MDPC bit-flipping decoders. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 404–416. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_22
Tillich, J.P.: The decoding failure probability of MDPC codes. In: 2018 IEEE International Symposium on Information Theory, ISIT 2018, Vail, CO, USA, 17–22 June 2018, pp. 941–945 (2018)
A Error Floors for QC-MDPC
The DFR study we are making here differs from what is done for communication systems, where the code is fixed and the signal-to-noise ratio increases (i.e. the bit error probability decreases). We expect to observe the same kind of DFR behavior here for QC-MDPC when we fix (w, t) and let r grow. Some classes of error correcting codes, namely turbo-codes and LDPC codes, to which MDPC codes are akin, suffer from a phenomenon known as error floor. The log(DFR) curve is first concave and quickly decreasing (the waterfall). Then, at some point, the concavity changes and the DFR decreases much more slowly; this is known as the error floor [15, 19]. This could contradict Assumption 3, but fortunately error floors usually occur very low in DFR curves. The error floors are due to the existence of low weight codewords, in the case of turbo codes, or, for LDPC codes, to the existence of specific error configurations known as near-codewords. A (u, v)-near-codeword is an error pattern of relatively small weight u with a syndrome of small weight v (the syndrome is computed with the sparse parity check matrix). Intuitively, it can be seen as a cluster of errors which are less visible because, together, they only invalidate a few parity equations. If the initial error pattern contains a near-codeword, the decoder is more prone to fail. If many near-codewords exist, this may cause an error floor.
Error Floors From Near-Codewords. To affect decoding in a (2r, r, w, t)-QC-MDPC-McEliece scheme, a (u, v)-near-codeword (see definition above) must be such that u is smaller than t, and v significantly smaller than the typical syndrome weight. The probability that such a near-codeword exists when the QC-MDPC code is chosen at random is extremely small. A very small number of QC-MDPC codes may admit such words, but if they do, there will be few of them. Moreover, the decoding of the few error patterns containing near-codewords will not automatically fail; the DFR will just increase a bit, with little impact on the average DFR. Unless there is an algebraic structure which is not immediately apparent, we do not expect near-codewords to have an impact on the QC-MDPC DFR.
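To make the definition of a (u, v)-near-codeword concrete, the following is an added example (not code from the paper) that computes syndrome weights with the sparse parity-check matrix of a toy index-2 QC-MDPC code. It assumes the polynomial view of circulant blocks, in which a vector \((\mathrm{e}_0\mid \mathrm{e}_1)\) has syndrome \(h_0(x)e_0(x)+h_1(x)e_1(x) \bmod (x^r-1)\) over GF(2); the block length r = 7 and the first rows h0, h1 are constructed for illustration and are far too small to say anything about real parameters. It checks that the weight-w word \((h_1\mid h_0)\) has syndrome 0 (it is a codeword), that an isolated error flips w/2 parity checks, and that a cluster of three errors in this toy code cancels down to syndrome weight 1, i.e. is a (3, 1)-near-codeword; it then brute-forces how many such patterns the toy code has.

```python
# Added example (not from the paper): syndrome weights and (u, v)-near-
# codewords in a constructed toy index-2 QC-MDPC code, using the polynomial
# view of circulant blocks:
#     s(x) = h0(x) e0(x) + h1(x) e1(x)   mod (x^r - 1)   over GF(2),
# where h0, h1 are the first rows of the two circulant blocks of the sparse
# parity-check matrix H = (H0 | H1); every row of H has weight w = |h0| + |h1|.
# Sparse polynomials are stored as sets of exponents (their support).
from itertools import combinations


def poly_mul(a: set, b: set, r: int) -> set:
    """Product of two sparse GF(2) polynomials modulo x^r - 1."""
    counts = {}
    for i in a:
        for j in b:
            k = (i + j) % r
            counts[k] = counts.get(k, 0) + 1
    return {k for k, c in counts.items() if c % 2 == 1}   # keep odd coefficients


def syndrome(h0: set, h1: set, e0: set, e1: set, r: int) -> set:
    """Support of H e^T for e = (e0 | e1), computed with the sparse matrix."""
    return poly_mul(h0, e0, r) ^ poly_mul(h1, e1, r)      # XOR is addition over GF(2)


def is_near_codeword(h0, h1, e0, e1, r, u, v) -> bool:
    """(u, v)-near-codeword: weight at most u and sparse-syndrome weight at most v."""
    return len(e0) + len(e1) <= u and len(syndrome(h0, h1, e0, e1, r)) <= v


def count_near_codewords(h0, h1, r, u, v) -> int:
    """Brute-force count of the patterns of weight exactly u whose sparse
    syndrome has weight at most v (feasible only for toy sizes)."""
    count = 0
    for positions in combinations(range(2 * r), u):
        e0 = {p for p in positions if p < r}
        e1 = {p - r for p in positions if p >= r}
        if len(syndrome(h0, h1, e0, e1, r)) <= v:
            count += 1
    return count


# Constructed toy code: r = 7, block row weights 3 and 3, hence w = 6.
R = 7
H0 = {0, 1, 3}
H1 = {0, 2, 3}

if __name__ == "__main__":
    # (h1 | h0) is a codeword of weight w, since h0*h1 + h1*h0 = 0 over GF(2).
    print("syndrome weight of the weight-w codeword:", len(syndrome(H0, H1, H1, H0, R)))
    # A single error in block 0 invalidates |h0| = w/2 parity equations.
    print("syndrome weight of a single error:", len(syndrome(H0, H1, {0}, set(), R)))
    # Three errors whose parity checks mostly cancel: a (3, 1)-near-codeword here.
    print("syndrome weight of e = ({0,4} | {1}):", len(syndrome(H0, H1, {0, 4}, {1}, R)))
    print("weight-3 patterns with syndrome weight <= 1:",
          count_near_codewords(H0, H1, R, 3, 1))
```

Because the code is quasi-cyclic, the cyclic shifts of a near-codeword are near-codewords too, so the brute-force count comes in multiples of r; in the toy code this makes such clusters plentiful, whereas the argument above is that for cryptographic sizes of (r, w, t) they are expected to be essentially absent.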
Error Floors from Low Weight Codewords. Regardless of the algorithm, the decoding of a noisy codeword will almost certainly fail if the noisy codeword is closer to a codeword \(\mathrm {c}_1\) different from the original one \(\mathrm {c}_0\). For a given error \(\mathrm {e}\) of weight t, and two codewords \(\mathrm {c}_0\) and \(\mathrm {c}_1\) at distance w from one another, the decoding will fail if \(\left| {\mathrm {c}_0+\mathrm {e}-\mathrm {c}_1}\right| \le \left| {\mathrm {e}}\right| \), which happens with probability
An index 2 QC-MDPC code with block size r and parity check matrix row weight w will generally have exactly r codewords of weight w. If \(\mathbf {H}=(\mathbf {H}_0\mid \mathbf {H}_1)\) is the sparse parity check matrix, with two circulant blocks \(\mathbf {H}_0,\mathbf {H}_1\), then is a generator matrix of the code. With overwhelming probability, the r rows of that generator matrix are the only minimal weight codewords. Let us denote by \(P_\lambda (r)\approx rP_w\) the failure probability due to those codewords. A simple analysis shows that \(\log _2P_\lambda (r)\sim _{r\rightarrow \infty } C_\lambda -(w/2-1)\log _2r\) where \(C_\lambda \) only depends on w and t. We have \(\mathrm {DFR}_{\mathcal {D},\lambda }(r)\ge P_\lambda (r)\) for any decoder; this term dominates as r grows, and thus the logarithm of the DFR is not concave over the whole range \(r\in [0,\infty [\). However, the change of slope only happens for very large values of r. We have
and this will not affect the DFR for values of r relevant for Assumption 3. Finally note that the sum of two (or more) rows of \(\mathbf {G}\) may also contribute to the DFR. However, it is easily observed that the contribution of those codewords is even smaller.
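The failure probability due to minimum-weight codewords can be evaluated exactly from the condition stated above. The following is an added worked example (not code from the paper): with \(\mathrm{d}=\mathrm{c}_0-\mathrm{c}_1\) of weight w and \(k=|\mathrm{supp}(\mathrm{e})\cap \mathrm{supp}(\mathrm{d})|\), one has \(|\mathrm{e}+\mathrm{d}|=t+w-2k\), so decoding fails when \(k\ge w/2\); for a uniformly random weight-t error on length n = 2r the overlap k is hypergeometric, which is what the code sums. It then forms \(P_\lambda(r)\approx rP_w\) and measures the slope of \(\log_2 P_\lambda\) per doubling of r, which should approach \(-(w/2-1)\). The parameters (w, t) = (142, 134) and the values of r in the demonstration are constructed for illustration, not a parameter set taken from the paper; logarithms are taken on the integer numerator and denominator so that values far below \(2^{-1000}\) do not underflow.

```python
# Added example (not from the paper): exact evaluation of the failure
# probability caused by minimum-weight codewords in an index-2 QC-MDPC code.
#
# Setting (from the appendix): code length n = 2r, error e of weight t,
# two codewords c0, c1 at Hamming distance w.  Decoding fails if
#     |c0 + e - c1| <= |e|.
# With d = c0 - c1 (weight w) and k = |supp(e) ∩ supp(d)| we have
# |e + d| = t + w - 2k, so failure means k >= w/2.  For a uniformly random
# weight-t error, k is hypergeometric, which gives P_w below.  The appendix
# takes P_lambda(r) ~ r * P_w for the r minimum-weight codewords and states
# log2 P_lambda(r) ~ C_lambda - (w/2 - 1) log2 r.
from fractions import Fraction
from math import comb, log2


def p_w(r: int, w: int, t: int) -> Fraction:
    """Exact probability that a uniformly random weight-t error on a
    length-2r code moves c0 + e at least as close to a fixed codeword c1
    at distance w from c0 as to c0 itself."""
    n = 2 * r
    if w > n or t > n:
        raise ValueError("w and t must not exceed the code length 2r")
    k_min = (w + 1) // 2          # k >= w/2 (w is even for QC-MDPC)
    total = Fraction(0)
    for k in range(k_min, min(w, t) + 1):
        # k error positions inside supp(d), the remaining t-k outside it
        total += Fraction(comb(w, k) * comb(n - w, t - k), comb(n, t))
    return total                  # 0 when t < w/2: no overlap large enough


def p_lambda(r: int, w: int, t: int) -> Fraction:
    """Union-bound style estimate r * P_w used in the appendix."""
    return r * p_w(r, w, t)


def log2_fraction(q: Fraction) -> float:
    """log2 of a positive Fraction without float underflow (numerator and
    denominator are huge integers for realistic parameters)."""
    if q <= 0:
        raise ValueError("log2 of a non-positive probability")
    return log2(q.numerator) - log2(q.denominator)


def slope_per_doubling(r: int, w: int, t: int) -> float:
    """log2 P_lambda(2r) - log2 P_lambda(r); tends to -(w/2 - 1) as r grows."""
    return log2_fraction(p_lambda(2 * r, w, t)) - log2_fraction(p_lambda(r, w, t))


if __name__ == "__main__":
    # Constructed illustrative parameters (not a parameter set from the paper).
    w, t = 142, 134
    for r in (12000, 24000, 48000):
        print(f"r={r:6d}  log2 P_lambda(r) = {log2_fraction(p_lambda(r, w, t)):9.2f}"
              f"  slope per doubling = {slope_per_doubling(r, w, t):8.3f}"
              f"  asymptote = {-(w / 2 - 1):7.1f}")
```

The printed \(\log_2 P_\lambda(r)\) values show how far below any target \(2^{-\lambda}\) this contribution sits for block sizes of cryptographic interest, and the slope column shows the \(-(w/2-1)\) per doubling from which the position of the slope change can be read off; summing a second block of codewords (sums of two rows of \(\mathbf {G}\)) would only add terms of even larger weight and hence even smaller probability.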
Additional Comment. The error floor issue is new for QC-MDPC codes. As far as this work is concerned, we assume through Assumption 3 that the error floor occurs below the required \(2^{-\lambda }\), validating the DFR estimation method. We give above some arguments to support the assumption. We agree, as suggested by one of the reviewers, that the matter needs to be more thoroughly studied, but this goes beyond the scope of the present work.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Sendrier, N., Vasseur, V. (2020). About Low DFR for QC-MDPC Decoding. In: Ding, J., Tillich, JP. (eds) Post-Quantum Cryptography. PQCrypto 2020. Lecture Notes in Computer Science(), vol 12100. Springer, Cham. https://doi.org/10.1007/978-3-030-44223-1_2
DOI: https://doi.org/10.1007/978-3-030-44223-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-44222-4
Online ISBN: 978-3-030-44223-1
eBook Packages: Computer Science, Computer Science (R0)