Decoding Random Binary Linear Codes in 2n/20: How 1 + 1 = 0 Improves Information Set Decoding

  • Anja Becker
  • Antoine Joux
  • Alexander May
  • Alexander Meurer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)


Decoding random linear codes is a well studied problem with many applications in complexity theory and cryptography. The security of almost all coding and LPN/LWE-based schemes relies on the assumption that it is hard to decode random linear codes. Recently, there has been progress in improving the running time of the best decoding algorithms for binary random codes. The ball collision technique of Bernstein, Lange and Peters lowered the complexity of Stern’s information set decoding algorithm to 20.0556n . Using representations this bound was improved to 20.0537n by May, Meurer and Thomae. We show how to further increase the number of representations and propose a new information set decoding algorithm with running time 20.0494n .


Information Set Decoding Representation Technique 


  1. 1.
    Alekhnovich, M.: More on Average Case vs Approximation Complexity. In: 44th Symposium on Foundations of Computer Science (FOCS), pp. 298–307 (2003)Google Scholar
  2. 2.
    Becker, A., Coron, J.-S., Joux, A.: Improved Generic Algorithms for Hard Knapsacks. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 364–385. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Becker, A., Joux, A., May, A., Meurer, A.: Decoding Random Binary Linear Codes in 2n/20: How 1 + 1 = 0 Improves Information Set Decoding. Full Version,
  4. 4.
    Bernstein, D.J., Lange, T., Peters, C.: Attacking and Defending the McEliece Cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  5. 5.
    Bernstein, D.J., Lange, T., Peters, C.: Smaller Decoding Exponents: Ball-Collision Decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011)Google Scholar
  6. 6.
    Elwyn, R.J.M., Berlekamp, R., van Tilborg, H.C.: On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory 24, 384–386 (1978)zbMATHCrossRefGoogle Scholar
  7. 7.
    Blinovskii, V.M.: Lower asymptotic bound on the number of linear code words in a sphere of given radius in \({\mathbb{F}_q^n}\). Probl. Peredach. Inform. 23, 50–53 (1987)MathSciNetGoogle Scholar
  8. 8.
    Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: Application to mceliece’s cryptosystem and to narrow-sense bch codes of length 511. IEEE Transactions on Information Theory 44(1), 367–378 (1998)MathSciNetzbMATHCrossRefGoogle Scholar
  9. 9.
    Coffey, J.T., Goodman, R.M.: The complexity of information set decoding. IEEE Transactions on Information Theory 36, 1031–1037 (1990)MathSciNetzbMATHCrossRefGoogle Scholar
  10. 10.
    Coffey, J.T., Goodman, R.M.: Any code of which we cannot think is good. IEEE Transactions on Information Theory 36 (1990)Google Scholar
  11. 11.
    Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: A Distinguisher for High Rate McEliece Cryptosystems. In: YACC 2010, full version available as eprint Report 2010/331 (2010)Google Scholar
  12. 12.
    Finiasz, M., Sendrier, N.: Security Bounds for the Design of Code-Based Cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Goblick Jr., T.J.: Coding for a discrete information source with a distortion measure. Ph.D. dissertation, Dept. of Elect. Eng. M.I.T., Cambridge, MA (1962)Google Scholar
  14. 14.
    Hopper, N.J., Blum, M.: Secure Human Identification Protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Howgrave-Graham, N., Joux, A.: New Generic Algorithms for Hard Knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  16. 16.
    Jordan, J.P.: A variant of a public key cryptosystem based on goppa codes. SIGACT News 15, 61–66 (1983)CrossRefGoogle Scholar
  17. 17.
    Kiltz, E., Pietrzak, K., Cash, D., Jain, A., Venturi, D.: Efficient Authentication from Hard Learning Problems. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 7–26. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. 18.
    Knuth, D.: Art of Computer Programming: Sorting and Searching, 2nd edn., vol. 3. Addison-Wesley Professional (1998)Google Scholar
  19. 19.
    Lee, P.J., Brickell, E.F.: An Observation on the Security of McEliece’s Public-Key Cryptosystem. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988)Google Scholar
  20. 20.
    Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Transactions on Information Theory 34(5), 1354–1359 (1988)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Levitin, L.B.: Covering radius of almost all linear codes satisfies the Goblick bound. In: IEEE Internat. Symp. on Information Theory, Kobe, Japan (1988)Google Scholar
  22. 22.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. In: Jet Propulsion Laboratory DSN Progress Report 42–44, pp. 114–116 (1978)Google Scholar
  23. 23.
    May, A., Meurer, A., Thomae, E.: Decoding Random Linear Codes in \(\tilde{\mathcal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  24. 24.
    Nguyen, P.Q., Shparlinski, I.E., Stern, J.: Distribution of modular sums and the security of the server aided exponentiation. In: Progress in Computer Science and Applied Logic. Final Proceedings of Cryptography and Computational Number Theory Workshop, Singapore 1999, vol. 20, pp. 331–224 (2001)Google Scholar
  25. 25.
    Prange, E.: The Use of Information Sets in Decoding Cyclic Codes. IRE Transaction on Information Theory 8(5), 5–9 (1962)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Peters, C.: Information-Set Decoding for Linear Codes over \({\mathbb{F}_q}\). In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 81–94. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  27. 27.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC), pp. 84–93 (2005)Google Scholar
  28. 28.
    Sendrier, N.: Finding the permutation between equivalent linear codes: The support splitting algorithm. IEEE Transactions on Information Theory 46, 1193–1203 (2000)MathSciNetzbMATHCrossRefGoogle Scholar
  29. 29.
    Sendrier, N.: On the security of the McEliece public-key cryptosystem. In: Blaum, M., Farrell, P., van Tilborg, H. (eds.) Information, Coding and Mathematics, pp. 141–163. Kluwer (2002); Proceedings of Workshop honoring Prof. Bob McEliece on his 60th birthdayGoogle Scholar
  30. 30.
    Stern, J.: A Method for Finding Codewords of Small Weight. In: Wolfmann, J., Cohen, G. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989)CrossRefGoogle Scholar
  31. 31.
    Wagner, D.: A Generalized Birthday Problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–303. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Anja Becker
    • 1
  • Antoine Joux
    • 1
    • 2
  • Alexander May
    • 3
  • Alexander Meurer
    • 3
  1. 1.Laboratoire PRISMUniversité de Versailles Saint-QuentinFrance
  2. 2.DGAFrance
  3. 3.Horst Görtz Institute for IT-SecurityRuhr-University BochumGermany

Personalised recommendations