Abstract
The selection of secure parameter sets requires an estimation of the attack cost to break the respective cryptographic scheme instantiated under these parameters. The current NIST standardization process for post-quantum schemes makes this an urgent task, especially considering the announcement to select final candidates by the end of 2021. For code-based schemes, recent estimates seemed to contradict the claimed security of most proposals, leading to a certain doubt about the correctness of those estimates. Furthermore, none of the available estimates include most recent algorithmic improvements on decoding linear codes, which are based on information set decoding (ISD) in combination with nearest neighbor search. In this work we observe that all major ISD improvements are build on nearest neighbor search, explicitly or implicitly. This allows us to derive a framework from which we obtain practical variants of all relevant ISD algorithms including the most recent improvements. We derive formulas for the practical attack costs and make those online available in an easy to use estimator tool written in python and C. Eventually, we provide classical and quantum estimates for the bit security of all parameter sets of current code-based NIST proposals.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The focus of this work lies on advanced algorithms, but our estimator also provides the estimates for asymptotically inferior procedures.
- 2.
The estimator can be downloaded at https://github.com/Crypto-TII/syndrome_decoding_estimator.
- 3.
Note that this splitting only allows to construct balanced solutions \(\mathbf {e}\), which have exactly weight \(\frac{p}{2}\) on the upper and lower half. While we take this into account when deriving our concrete estimates let us neglect this fact for now.
- 4.
By using a hashing strategy.
- 5.
For \(p=0\) a simple check if \(\mathrm {wt}(\tilde{\mathbf {s}})= \omega \) suffices to determine if the permutation distributes the weight correctly.
- 6.
Note that both sets differ only in a polynomial fraction of their elements. Furthermore our argumentation also holds when using the original base lists, but the refinement allows for easier illustration by yielding approximate matching identities with fixed distances.
- 7.
Note that the equation for \(i=3\) will not be used by the algorithm. It just enables us to perform the nearest neighbor search for \(i=2\) on a reduced sub-instance with flexible \(\ell _2,\omega _2\); instead of being forced to operate always on the full \(n-k-\ell _1\) coordinates with weight \(\omega -p-\omega _1\).
- 8.
For example we can randomize by adding a random \(\mathbf {r}\in \mathbb {F}_2^{n-k}\) to all labels in lists \(L_1\) and \(L_3\).
- 9.
We do not differentiate between both algorithms, since in our setting the only difference of BJMM is the larger choice of \(p_1>p/2\). Hence, the bare optimization of \(p_1\) determines which algorithm is chosen.
- 10.
If we would perform the Meet-in-the-Middle on the full \(n-k-\ell _1\) coordinates as before, the blow-up due to the internal addition of the fixed Hamming weight vectors would be to huge and render this approach inefficient.
- 11.
Note that we take the number of necessary vector space elements that need to be stored as a measure to derive the penalty.
References
Aragon, N., et al.: BIKE: bit flipping key encapsulation (2020)
Aragon, N., Lavauzelle, J., Lequesne, M.: decodingchallenge.org (2019). https://decodingchallenge.org/
Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: A finite regime analysis of information set decoding algorithms. Algorithms 12(10), 209 (2019)
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2n/20: how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 73–80. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_6
Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88403-3_3
Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_42
Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_2
Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to mceliece’s cryptosystem and to narrow-sense bch codes of length 511. IEEE Trans. Inf. Theory 44(1), 367–378 (1998)
Chou, T., et al.: Classic McEliece: conservative code-based cryptography 10 October 2020 (2020)
Dumer, I.: On minimum distance decoding of linear codes. In: Proceedings of the 5th Joint Soviet-Swedish International Workshop Information Theory, pp. 50–52 (1991)
Esser, A., Bellini, E.: Syndrome decoding estimator. Cryptology ePrint Archive (2021)
Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17
Esser, A., Kübler, R., Zweydinger, F.: A faster algorithm for finding closest pairs in hamming metric. arXiv preprint arXiv:2102.02597 (2021)
Esser, A., Ramos-Calderer, S., Bellini, E., Latorre, J.I., Manzano, M.: An optimized quantum implementation of ISD on scalable quantum resources. Cryptology ePrint Archive (2021)
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6
Hamdaoui, Y., Sendrier, N.: A non asymptotic analysis of information set decoding. IACR Cryptol. ePrint Arch. 2013, 162 (2013)
Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the curse of dimensionality. In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, pp. 604–613 (1998)
Kachigar, G., Tillich, J.-P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 69–89. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_5
Kirshanova, E.: Improved quantum information set decoding. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 507–527. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_24
Kirshanova, E., Laarhoven, T.: Lower bounds on lattice sieving and information set decoding. To appear at CRYPTO 2021 (2021)
Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_25
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, Marc (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9
Melchor, C.A., et al.: Hamming quasi-cyclic (HQC) (2020)
Naya-Plasencia, M., Schrottenloher, A.: Optimal merging in quantum k-xor and k-sum algorithms. In: EUROCRYPT 2020–39th Annual International Conference on the Theory and Applications of Cryptographic (2020)
Perlner, R.: pqc-forum: Round 3 official comment: classic mceliece (2021). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/EiwxGnfQgec/m/xBky_FKFDgAJ
Peters, C.: Information-set decoding for linear codes over F<Subscript> q</Subscript>. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 81–94. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_7
Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962)
Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850
Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10
Various: pqc-forum: Round 3 official comment: classic mceliece (2021). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/EiwxGnfQgec
Various: pqc-forum: Security strength categories for code based crypto (and trying out crypto stack exchange) (2021). https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/6XbG66gI7v0
Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_19
Zalka, C.: Grover’s quantum searching algorithm is optimal. Phys. Rev. A 60(4), 2746 (1999)
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Esser, A., Bellini, E. (2022). Syndrome Decoding Estimator. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science(), vol 13177. Springer, Cham. https://doi.org/10.1007/978-3-030-97121-2_5
Download citation
DOI: https://doi.org/10.1007/978-3-030-97121-2_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-97120-5
Online ISBN: 978-3-030-97121-2
eBook Packages: Computer ScienceComputer Science (R0)