Content uploaded by Emanuele Bellini
Author content
All content in this area was uploaded by Emanuele Bellini on Mar 01, 2022
Content may be subject to copyright.
Syndrome Decoding Estimator
Andre Esser and Emanuele Bellini
Cryptography Research Center
Technology Innovation Institute
Abu Dhabi, UAE
{andre.esser, emanuele.bellini}@tii.ae
Abstract.
The selection of secure parameter sets requires an estima-
tion of the attack cost to break the respective cryptographic scheme
instantiated under these parameters. The current NIST standardization
process for post-quantum schemes makes this an urgent task, especially
considering the announcement to select final candidates by the end of
2021. For code-based schemes, recent estimates seemed to contradict the
claimed security of most proposals, leading to a certain doubt about the
correctness of those estimates. Furthermore, none of the available esti-
mates includes most recent algorithmic improvements on decoding linear
codes, which are based on information set decoding (ISD) in combination
with nearest neighbor search. In this work we observe that all major
ISD improvements are build on nearest neighbor search, explicitly or
implicitly. This allows us to derive a framework from which we obtain
practical variants of all relevant ISD algorithms including the most recent
improvements. We derive formulas for the practical attack costs and make
those online available in an easy to use estimator tool written in python
and C. Eventually, we provide classical and quantum estimates for the
bit security of all parameter sets of current code-based NIST proposals.
Keywords: ISD, syndrome decoding, nearest neighbor, estimator, code-based
1 Introduction
The current NIST standardization process for post quantum schemes is announced
to finally select proposals to be standardized around the end of 2021. After this
initial selection it is still a long procedure until the final standards for the chosen
schemes will be obtained. One major challenge will be the selection of secure
parameter sets for standardization, which match the respective security levels
given by NIST. To determine and evaluate parameter sets a precise estimation of
the attack cost of the best known attacks on the schemes or the corresponding
primitives is necessary.
Before such estimates can be derived efficiently, the best practical attacks must
be identified. Code based schemes usually rely on the hardness of the syndrome
decoding problem, which given a random matrix
H∈F(n−k)×n
2
, a syndrome
s∈Fn−k
2
and an integer
ω
asks to find an error vector
e∈Fn
2
with exactly
ω
coordinates equal to one that satisfies
He
=
s
. The best known algorithms to
solve this problem all belong to a class of algorithms known as information set
decoding (ISD), initially discovered by Prange in 1962 [27]. Since then there have
been numerous works building on the same initial idea [4,8,11,14,21,22,29].
Usually, these works study the problem for
ω
=
cn
, where
c
is constant. For
this choice they improve the asymptotic runtime exponent. However, all code
based NIST PQC submissions rely on sublinear error weight, i.e.
ω
=
o
(
n
). In
this setting the advantage of improved algorithms of the ISD class over Prange’s
initial approach has been shown to asymptotically vanish, i.e., they only affect
second order terms [30]. Since usually these improvements come along with
a polynomial overhead, it is per se not clear which algorithms actually yield
practical improvements.
Estimators for concrete hardness approximation of the syndrome decoding
problem have previously been studied in [15,26] and more recently in [3]. So
far these works consider only a subset of the mentioned improvements, not
including the most recent variants, which are usually based on nearest neighbor
search techniques [8,22]. The omission of these improvements in [3] might be
due to the use of practically costly, but theoretically close to optimal routines
to instantiate the nearest neighbor search in the original works of [8,22]. The
BIKE submission gives a similar reasoning for disregarding these works in the
security analysis based on polynomial overhead [1]. Contrary, we show that
by substituting the used routines by more practical nearest neighbor search
techniques these variants yield complexity improvements with regard to the
cryptographic setting. Furthermore we uncover relations between all significant
algorithmic improvements of the ISD class. More precisely, we show that all major
ISD improvements use nearest neighbor search techniques, explicitly or implicitly.
Using this relation we derive an algorithmic framework, which allows us to
obtain variants of all advanced ISD techniques, including the improvements made
by May-Meurer-Thomae (MMT) [21], Becker-Joux-May-Meurer (BJMM) [4],
May-Ozerov [22] and Both-May [8]. Finally the framework allows us to analyze
the complexity of all algorithms in a unified and practical model giving a fair
comparison and concrete hardness estimations.
Related work
In [26] Peters gives a concrete analysis of Stern’s algorithm for
decoding codes over
Fq
including the case of
q
= 2. Peters focuses especially on
optimized strategies for the initial Gaussian elimination part of ISD algorithms,
adopting techniques introduced in [7,9]. While including some of these improve-
ments in our estimates, we refrain from exhaustively optimizing this step. This
allows us to keep the analysis and formulas comprehensible. Also note that for
more recent ISD algorithms the complexity of the Gaussian elimination procedure
does not dominate.
In [15] the authors present a non-asymptotic analysis of the MMT and BJMM
algorithm, providing estimates for some selected parameter sets. Unfortunately
no source code is provided to easily obtain estimates for parameter sets of more
recent schemes. Also the analysis omits some practical details, as for instance the
necessity for balanced weight distributions in successful runs of the algorithms.
Also a heuristic approach to determine the number of iterations of the algorithms
is used, whereas we use an exact computation.
2
The most recent study of concrete costs of ISD algorithms was performed
in [3]. Here the bit complexity estimates for the algorithmic cost of performing
the MMT algorithm on nearly all proposed parameter sets are significantly lower
than claimed by the submissions. Accordingly, this work raised some discussions
(in the NIST PQC forum [31,32]) about whether the currently proposed parameter
sets of code based schemes actually match their security levels and if so where
to obtain more reliable estimates. We found that the analysis of [3] is flawed for
both advanced ISD algorithms that are considered, namely the BJMM and the
MMT algorithm. We give a more detailed description of that flaw in Appendix A.
Besides that flaw the authors also use techniques that might affect the success
probability of the algorithms, but are not mentioned in the latter analysis (as for
instance a trimming of lists that exceed certain sizes). However, the analysis of
the other ISD variants given in [3] seems to be correct.
In [8] Both and May describe an ISD improvement entirely based on nearest
neighbor search. They also consider nearest neighbor algorithms other than May-
Ozerov, which was motivated by the non-fulfillment of necessary prerequisites.
However, their analysis is purely asymptotical and focuses entirely on the constant
error regime.
Our contribution
The contribution of this work is twofold. First we uncover
relations between major ISD improvements, showing that all of them are build
on nearest neighbor search. In the case of the BJMM and MMT algorithms, this
view allows us to detect and finally correct deficiencies in the way the nearest
neighbor search is performed. Our fix results in two new variants of the BJMM
algorithm, which practically (and probably also asymptotically) outperform the
original BJMM algorithm. Our work therefore contributes substantially to a
better understanding of ISD algorithms.
Moreover, as another contribution, we give a unified framework based on
nearest neighbor search, which allows to obtain variants of all major ISD im-
provements. By an easy exchange of the used nearest neighbor routines we obtain
practical variants of the improvements by May-Ozerov and Both-May, which
were previously disregarded in the context of concrete hardness estimations.
By an analysis of our framework for different instantiations we obtain for-
mulas for the concrete complexity to solve the syndrome decoding problem. We
implemented these estimates for all variants considered in this work (and more
1
)
and provide the source code in form of an easy to use estimator program (mostly)
written in python.
2
This allows for an effortless recomputation of our results,
estimation of the security levels for newly proposed parameter sets as well as
custom modifications if required.
Finally we give the classical estimates for all proposed parameter sets of
code-based schemes being part of the third round of the NIST PQC call, namely
Classic McEliece [10], BIKE [1] and HQC [23]. Here we consider different memory
1
The focus of this work lies on advanced algorithms, but our estimator also provides
the estimates for asymptotically inferior procedures.
2
The estimator can be downloaded at
https://github.com/Crypto-TII/syndrome_
decoding_estimator.
3
access cost models and memory limitations. We find that essentially all parameter
sets of the three schemes match their claimed security levels, with a slight outlier
in form of the McEliece category three parameter set. Also we provide quantum
estimates under the NIST metric of a
maxdepth
constraint, which limits the
depth of the quantum circuit. We find that under this constraint even a very
optimistic analysis of the quantum version of Prange’s ISD algorithm [5] lets all
proposed parameter sets match their claimed quantum security level.
The rest of the paper is organized as follows. In Section 2we give basic
definitions and present the practical nearest neighbor algorithms used in our
analyses. In Section 3we line out the nearest neighbor relations between known
ISD variants. A reader only interested in concrete hardness estimations may skip
this section. Subsequently, in Section 4we present and analyze the framework
and its instantiations to obtain formulas for practical cost estimations. Finally
in Section 5we present our hardness estimates for the classical and quantum
security of all proposed parameter sets of McEliece, BIKE and HQC.
2 Preliminaries
We denote vectors as bold lower case letters and matrices with capital letters.
We let
In
be the
n×n
identity matrix. For an integer
i∈N
we define [
i
] :=
{
1
,
2
, . . . , i}
. Let
v
= (
v1, v2,...vn
)be a vector and
S⊆
[
n
]then we denote by
vSthe projection of vonto its coordinates indexed by S. For w∈Fn
2we define
wt
(
w
) :=
|{i∈
[
n
]
|wi
= 1
}|
to be the Hamming weight of
w
. Furthermore we
let
Bn
p
:=
{w∈Fn
2|wt
(
w
) =
p}
be the set of all binary vectors of length
n
and
Hamming weight p.
Coding Theory
A binary linear code
C
of length
n
and dimension
k
is a
k
-
dimensional subspace of
Fn
2
. Such a code can be defined as the image of a generator
matrix
G∈Fk×n
2
or via the kernel of a parity check matrix
H∈F(n−k)×n
2
. We
use the parity check description of the code throughout this work. Note that
since any codeword
c∈ C
satisfies
Hc
=
0
the task of decoding a faulty codeword
y=c+efor some error eyields the identity
Hy=H(c+e) = He=: s.
The vector
s
is usually called the syndrome of
y
, while obtaining
e
from given
H
and sis called the syndrome decoding problem.
Definition 2.1 (Syndrome Decoding Problem).
Let
H∈F(n−k)×n
2
be the
parity check matrix of a random linear code,
s∈Fn−k
2
and
ω∈
[
n
]. The syndrome
decoding problem asks to find a vector
e∈Fn
2
with
wt
(
e
) =
ω
satisfying
He
=
s
.
Nearest Neighbor
At the heart of all algorithms presented in this work lies a
specific kind of nearest neighbor or approximate matching problem, which we
define in the following.
4
Definition 2.2 (Approximate Matching Problem).
Let
M∈Fr×m
2
be a
random matrix,
s∈Fr
2
and
δ, p ∈N
. The approximate matching problem asks to
find all solutions e∈Fm
2satisfying
wt(e) = pand wt(Me+s) = δ.
We write
Me≈δs,
to denote that
Me
matches
s
on all but
δ
coordinates and call this equation an
approximate matching identity.
Usually, routines to solve the approximate matching problem exploit a direct
reduction to the bichromatic nearest neighbor problem. In this problem we are
given two lists of binary vectors and are asked to find all pairs between those
lists with distance
δ
. Therefore split
e
=
e1
+
e2
in the sum of two vectors.
For now let us consider a meet-in-the-middle split and even
m
(without loss of
generality), where
e1
= (
d1,
0
m
2
)and
e2
= (0
m
2,d2
)with
d1,d2∈ Bm/2
p/2
, but also
other splittings are possible.
3
Then all
e1
, respectively
e2
, are enumerated and
Me1
is stored in list
L1
, respectively
Me2
+
s
is stored in list
L2
. Now, a pair
with distance
δ
between those lists fulfills by definition the approximate matching
identity
M(e1+e2)≈δs.
Also note that due to the chosen splitting
e
=
e1
+
e2
has weight
p
by construction,
as desired.
The asymptotically fastest known algorithm for solving the bichromatic
nearest neighbor problem where the lists are of size
˜
O(2c·m)
, for constant
c
, is
by May-Ozerov [22]. While the algorithm achieves theoretically close to optimal
complexities [19], it inherits a huge polynomial overhead limiting its practicality,
despite recent efforts to reduce that overhead [13]. As one of the major goals
of this work is to provide precise practical estimates we do not consider the
algorithm by May-Ozerov. However, we use different, simpler but more practical
approaches.
Let us briefly outline three techniques to solve the bichromatic nearest neighbor
problem, where we measure all running times in vector operations in
Fm
2
. The
most basic variant is a naive enumeration, which we call Bruteforce in the
following. The algorithm simply enumerates all pairs of
L1×L2
and checks if
their distance is δ. Clearly this algorithm has running time
TB=|L1×L2|.
3Note that this splitting only allows to construct balanced solutions e, which have
exactly weight
p
2
on the upper and lower half. While we take this into account
when deriving our concrete estimates let us neglect this fact for now.
5
Meet-in-the-Middle. A slightly more sophisticated algorithm uses a meet-in-the-
middle approach. First, the lists are enlarged by factor of the number of possible
vectors of Hamming weight equal to
δ
. Thus, for every possible such vector, its
sum with the original element is present in the enlarged list. To balance the
complexities the
δ
-Hamming weight vector is again split in a meet-in-the-middle
fashion among both lists. This implies that the algorithm can only find pairs of
elements whose distance is balanced, i.e. splits equally on both sides of their sum.
We will take this into account in our precise analysis later, but for know let us
ignore this issue. The pseudocode of the algorithm is given in Algorithm 1. Note
that after the addition of the
δ/
2-weighted vectors the nearest neighbor problem
degenerates to a search for equality.
Algorithm 1 Meet-in-the-Middle
Input: L1, L2∈(Fm
2)∗,δ∈[m]
Output: all (x,y)∈L1×L2with wt(x+y) = δ
1: L0
1={x+ (d,0)|x∈L1,d∈ Bm/2
δ/2}
2: L0
2={y+ (0,d)|y∈L2,d∈ Bm/2
δ/2}
3: for y0∈L0
2do
4: L←L∪ {(x,y)|x0=y0,x0∈L0
1}
5: return L
Therefore note that for every pair (x,y)∈Lit holds that
x0=y0⇔x+ (d1,0) = y+ (0,d2)⇔x+y= (d1,d2)⇒wt(x+y) = δ .
The lists
L0
1
and
L0
2
are of size
m/2
w/2·|L1|
, while the output list
L
is of expected
size
|L0
1×L0
2|/
2
m
. As we only need to search for equality the time complexity to
construct Lis linear in these lists sizes,4which gives a time complexity of
TMitM = 2 ·m/2
w/2· |L1|+|L1|2m/2
w/22
2m.(1)
Indyk-Motwani. The third routine we consider for solving the nearest neighbor
problem is based on locality sensitive hashing introduced by Indyk and Motwani
[16]. Let
z
=
x
+
y
for (
x,y
)
∈L1×L2
be an element with weight
δ
. Then the
algorithm guesses
λ∈N
coordinates
I⊂
[
m
]of
z
for which it assumes that
zI
=
0
holds. Now, an exact matching on these
λ
coordinates is performed between
L1
and
L2
. For each match (
x0,y0
), the algorithm then checks if
wt
(
z0
) =
δ
for
z0=x0+y0holds.
The algorithm relies on the fact that for elements whose sum has small
weight, the projection to one of the coordinates of those elements is more likely
to be equal then for elements whose sum has larger weight. Algorithm 2gives a
pseudocode description of the procedure.
4By using a hashing strategy.
6
Algorithm 2 Indyk-Motwani
Input: L1, L2∈(Fm
2)∗,δ∈[m]
Output: all (x,y)∈L1×L2with wt(x+y) = δ
1: λ:= min(log L1, m −2δ),N:= (m−λ
δ)
(m
δ)
2: for i= 1 to Ndo
3: choose random I⊆[m]with |I|=λ
4: for (x,y)∈ {(x,y)∈L1×L2|xI=yI}do
5: if wt(x+y) = δthen
6: L←L∪(x,y)
7: return L
Note that the probability that for a
z∈Fm
2
with
wt
(
z
) =
δ
the projection to
a random choice of λdistinct coordinates is the zero vector is
p:= Pr zI= 0λ|z∈Fm
2∧wt(z) = δ=m−λ
δ
m
δ.
Similar to the meet-in-the-middle approach the time for the construction of
L
is
linear in the involved lists sizes, which results in an expected time complexity of
TIM =p−1·(2|L1|+|L1|2/2λ) = m
δ·(2|L1|+|L1|2/2λ)
m−λ
δ(2)
An approximation of the binomial coefficients via Stirling’s formula and analyt-
ical analysis yields a global minimum at
λ
=
min
(
log |L1|, m −
2
δ
). Numerical
computations show, that this value is also very close to the optimum when instead
considering the more precise form of the runtime formula given in in Equation (2).
3 ISD algorithms from a nearest neighbor perspective
Let us start with the ISD algorithm by Prange, which forms the foundation for
all advanced techniques. The algorithm first applies a random permutation to
the columns of the parity check matrix
H
. Note that for any permutation matrix
P∈Fn×n
2
we have (
HP
)(
P−1e
) =
s
. Now, by applying Gaussian elimination to
its rows we transform
HP
into systematic form, modelled by the multiplication
with an invertible matrix Q∈F(n−k)×(n−k)
2
QHP =˜
H In−k,where ˜
H∈F(n−k)×(k)
2.(3)
Note that for a random permutation matrix there exists such an invertible
Q
with constant probability. Further let (
P−1e
)=(
e0,e00
)
∈Fk
2×Fn−k
2
and
Qs=˜
s∈Fn−k
2, then the following identity holds
Q(H P )(P−1e)=(˜
He0+e00) = ˜
s.
Assume that the permutation Pinduces a weight distribution of
wt(e0) = pand hence wt(e00) = ω−p , (4)
7
then it suffices to find an e0∈Fk
2of weight psatisfying
wt( ˜
He0+˜
s) = wt(e00) = ω−p . (5)
Once a suitable permutation
P
and a vector
e0
are found
e
=
P
(
e0,˜
He0
+
˜
s
)
forms a solution to the syndrome decoding problem. Note that Equations (4)
and (5) yield a approximate matching identity according to Definition 2.2
˜
He0≈ω−p˜
s.(6)
While Prange’s algorithm chooses the weight
p
of
e0
equal to zero and thus
does not have to put any effort into solving the approximate matching problem,
5
all further improvements choose p > 0.
Choosing
p >
0and applying the bruteforce approach that simply enumerates
all possible
e0
of weight
p
yields a polynomial improvement due to Lee and
Brickell [20].
Applying instead the Indyk-Motwani or the meet-in-the-middle approaches
results in algorithmic analogs of the well-known ISD improvements by Stern [29]
and Dumer [11] respectively.
Stern’s original algorithm. Stern [29] improved on the approach of Prange by
introducing an
`
-window of zero entries in the error
e00
. Thus one considers
(
P−1e
)=(
e0,e00
)
∈Fk
2×Fn−k
2
, where
e00
= (0
`,˜
e
). Note that due to this weight
distribution ˜
He0matches the syndrome on the first `coordinates, as we have
˜
He0=˜
s+e00 =˜
s+ (0`,˜
e)=(˜
s1,˜
s2+˜
e),
where
˜
s
= (
˜
s1,˜
s2
)
∈F`
2×Fn−k−`
2
. Now Stern’s algorithm uses the identity
(
˜
He0
)
[`]
=
˜
s1
to perform a meet-in-the-middle search on
e0
. Thus, it splits
e0
= (
e1,
0
k
2
) + (0
k
2,e2
), constructs two lists containing
˜
H
(
x,
0
k
2
)and
˜
H
(0
k
2,y
)
respectively for all
x,y∈ Bk/2
p/2
and searches between those lists for pairs that
sum to
˜
s1
on their first
`
coordinates. For every matching pair ((
x0,0
)
,
(
0,y0
)) it
is checked if
˜
H(x0,y0
) +
˜
s
has weight
ω−p
, which is particularly satisfied when
(x0,y0)=(e1,e2).
NN-perspective of Stern’s Algorithm. Let us modify the permutation step by first
aiming for the weight distribution of Prange (Equation (4)) and then permuting
the error
e00
separately several times until we may expect the desired
`
-window.
For every such permutation we continue with the meet-in-the-middle step of
Stern’s algorithm. First note that this does not change the expected amount
of necessary permutations until the weight is distributed as in Stern’s original
algorithm. However, it shows that the algorithm by Stern is actually solving the
approximate matching identity from Equation (6) via Indyk-Motwani. Here
the matching on the first
`
coordinates after the permutation corresponds to the
matching on a random projection of `coordinates used by Indyk-Motwani.
5
For
p
= 0 a simple check if
wt
(
˜
s
) =
ω
suffices to determine if the permutation
distributes the weight correctly.
8
Dumer’s original algorithm Dumer [11] changed the procedure by increasing the
dimension of
e0
to
k
+
`
, which allowed him to get rid of the
`
-window of zeros in
the permutation. Therefore he defines the systematic form as
QHP =H10
H2In−k−`,(7)
where
H1∈F`×(k+`)
2
and
H2∈F(n−k−`)×(k+`)
2
. Again it is aimed for a weight
distribution where for
P−1e
= (
e0,e00
)
∈Fk+`
2×Fn−k−`
2
it holds
wt
(
e0
) =
p
, and
wt(e00) = ω−p. Due to the increased dimension of e0we get
QH P (e0,e00)=(H1e0, H2e0+e00)=(˜
s1,˜
s2) = ˜
s,
where (
˜
s1,˜
s2
)
∈F`
2×Fn−k−`
2
. The algorithm then uses the identity on the first
`
bits again to search for
e0
using a meet-in-the-middle strategy. Again for each
computed candidate
x
for
e0
satisfying the identity it checks if
wt
(
H2x
+
˜
s2
) =
wt(e00) = ω−pand if so outputs the solution P(x, H2x+˜
s2).
NN-perspective of Dumer’s algorithm Note that the original matrix used by
Prange’s algorithm (see Equation (3)) is already in systematic form according to
the definition of Dumer, since
˜
H In−k=˜
H1I`0
˜
H20In−k−`,where ˜
H∈F(n−k)×(k)
2.
Thus we obtain Equation (7) by setting
H1
=
˜
H1I`
and
H2
=
˜
H20
. Now
let us further split
e0∈Fk+`
2
in two parts
e0
= (
e1,e2
)
∈Fk
2×F`
2
and reconsider
the identity
H1e0=˜
s1,
which now becomes
H1e0=˜
H1I`(e1,e2) = ˜
H1e1+e2=˜
s1.
Thus we are facing again a nearest neighbor identity
˜
H1e1≈|e2|˜
s1
. Dumer’s
algorithm enforces only a joined weight distribution of
wt
((
e1,e2
)) =
p
and,
hence, we do not exactly know the weight of the approximate matching problem
we are facing. However, with inverse polynomial probability the weight distributes
proportionally on both sides, giving
wt
(
e1
) =
k·p
k+`
and
wt
(
e2
) =
`·p
k+`
. Now using
the Meet-in-the-Middle algorithm to solve this instance we obtain a version
of Dumer’s algorithm from a nearest neighbor perspective achieving the same
asymptotic complexity.
A natural question which comes to mind when considering the nearest neighbor
version of Dumer is: why should it be optimal to choose a joined weight distribution
for (
e1,e2
)? By introducing two different weight parameters
p1
and
p2
for both
sides of
e0
we obtain an algorithmic analogue of the improvement of Bernstein
et al. [7] known as Ball Collision Decoding (BCD), which slightly improves on
Dumer’s algorithm.
9
Also one might question the optimality of Stern’s procedure, which performs
the nearest neighbor search on the whole
n−k
coordinates of
e00
and weight
ω−p
instead of using a reduced instance of length
`2
and weight
p2
, like the BCD
variant. We found that refining Stern’s algorithm using the additional parameters
`2and p2yields a slight improvement similar to the BCD one.
The MMT algorithm Let us now turn our focus to the ISD improvements by
May, Meurer and Thomae (MMT) [21] as well as by Becker, Joux, May and
Meurer (BJMM) [4]. In a nutshell these algorithms first apply a permutation,
similar to the previous algorithms. However, instead of splitting the vector
e0
in two addends, as done by Dumer, Stern or BCD, they split it in four (MMT)
or eight (BJMM). Then all candidates for the addends are enumerated in a
meet-in-the-middle fashion. A binary search tree (similar to Wagner’s
k
-tree
algorithm [33]) is subsequently used to construct the solution as sum of base
list elements. Additionally, they do not use a disjoint splitting of the addends
throughout the tree, which gives several different representations of the solution.
For example the MMT algorithm represents
e0
=
e1
+
e2
with
e1,e2∈Fn
2
and
then splits
e1
and
e2
in a meet-in-the-middle fashion (as before). This gives
several different combinations of (
e1,e2
)that sum up to
e0
. As the binary search
tree imposes restrictions on the exact form of the solution, a careful choice of
parameters lets a single of these representations fulfill the constraints. Note that
the knowledge of a single representation of
e0
suffices to solve the syndrome
decoding problem.
As the structure of the BJMM and MMT algorithm is quite similar we stick
with a description of the MMT algorithm for now, highlighting their differences
later.
Let us explain the algorithm in a bit more detail. The MMT (as well as the
BJMM) algorithm uses the same preprocessing step as Dumer, hence
H
is in
systematic form according to Equation (7) and the weight similarly distributes
on
P−1e
:= (
e0,e00
)
∈Fk+`
2×Fn−k−`
2
as
wt
(
e0
) =
p
and
wt
(
e00
) =
ω−p
. Now, as
mentioned before, the algorithm splits
e0= (a1,0k+`
2) + (0k+`
2,a2)
| {z }
e1
+ (a3,0k+`
2) + (0k+`
2,a4)
| {z }
e2
,
with ai∈ B(k+`)/2
p/4, i = 1,2,3,4, hence, by construction we have e1,e2∈ Bk+`
p/2.
Next candidates for
ai
are constructed by enumerating all possible values
from
B(k+`)/2
p/4
in the base lists
Li
. Now, one chooses some random
t∈F`1
2
, for
some optimized
`1≤`
, and constructs a new list
L12
by just considering those
elements (x,y)∈L1×L2for which it holds that
(H1(x+y))[`1]=t.
Now the same is done for the lists
L3
and
L4
, thus they are merged in a new list
L34
but using a modified target
t0
=
t
+ (
˜
s1
)
[`1]
. This choice of
t0
ensures that
(v,w)∈L12 ×L34 satisfy:
H1(v+w)=(˜
s1)[`1],
10
hence the desired identity is already matched on the lower
`1
coordinates. Finally
the algorithm merges lists
L12
and
L34
in a list
L1234
by enforcing the identity
on all
`
bits and then checks if for any
z∈L1234
it holds that
wt
(
˜
H2z
+
˜
s2
) =
wt(e00) = ω−pand, if so, outputs the solution.
NN-perspective and an algorithmic shortcoming of the MMT algorithm. We
show in the following that the MMT algorithm also uses a meet-in-the-middle
strategy for solving nearest-neighbor equations. But contrary to the procedure
given in Algorithm 1, too many vectors are enumerated in the base lists, which
unnecessarily increases the list sizes and results in undesired list distributions for
special inputs.
Similar to the NN-perspective of Dumer’s algorithm, let
H
be in systematic
form as given by Equation (3), which is
H=˜
H In−k=˜
H1I`0
˜
H20In−k−`,where ˜
H∈F(n−k)×(k)
2.
Additionally, let
e0
= (
e0
1,e0
2,e0
3
)
∈Fk
2×F`1
2×F`−`1
2
and let the weight on
each of the
e0
i
be
pi
:=
|e
0
i|·p
k+l
. Also, for now consider the base list elements of the
MMT algorithm to be formed as
Bk/2
p1/4×0k
2× B`1/2
p2/4×0`1
2× B(`−`1)/2
p3/4×0`−`1
2and
0k
2× Bk/2
p1/4×0`1
2× B`1/2
p2/4×0`−`1
2× B(`−`1)/2
p3/4,
rather than B(k+l)/2
p/4×0k+`
2and 0k+`
2× B(k+l)/2
p/4.
Thus, each of the
e0
i
is getting enumerated in a meet-in-the-middle fashion in the
base lists.6Additionally let us write H1as
H1:= ˜
H1I`=˜
H11 I`10
˜
H12 0I`−`1
Now let us consider the first join of base lists. For this join only elements
x∈L1and y∈L2are considered for which
H1(x+y)[`1]=t.(8)
By letting
x
= (
x1,x2,x3
)
∈Fk
2×F`1
2×F`−`1
2
and
y
= (
y1,y2,y3
), analogously,
Equation (8) becomes
˜
H11(x1+y1) + x2+y2=t
⇔˜
H11(x1+y1) = t+x2+y2.(9)
6
Note that both sets differ only in a polynomial fraction of their elements. Fur-
thermore our argumentation also holds when using the original base lists, but the
refinement allows for easier illustration by yielding approximate matching identities
with fixed distances.
11
Note that by construction
wt
(
x1
+
y1
) =
p1/
2and
wt
(
x2
+
y2
) =
p2/
2, hence
the newly constructed list
L12
consists only of vectors having weight
p1/
2, which
are
p2/
2close to
t
when multiplied by
˜
H11
. Since all possible combinations of
(
x1,x2,y1,y2
)are considered in a meet-in-the-middle fashion, this join solves
the approximate matching identity
Hx≈p2/2t,
for xwith wt(x) = p1/2.
Contrary to the Meet-in-the-Middle algorithm from Section 2the MMT
algorithm additionally enumerates all values for
x3
(resp.
y3
) in the base lists even
though they are not taken into account by the matching routine. Thus, whenever
any element satisfies Equation (9), it is added to
L12
for any combination of
(x3,y3)∈ B(`−`1)/2
p3/4× B(`−`1)/2
p3/4.
Thus, if (
z1,z2
) = (
x1
+
y1,x2
+
y2
)describes an element satisfying Equa-
tion (9), all elements of
(z1,z2,z3)|z3∈B(`−`1)/2
p3/4× B(`−`1)/2
p3/4(10)
are added to L12 (analogously the same holds for L34).
The final join then solves the nearest neighbor identity on the upper
`−`1
bits for target (
˜
s1
)
[`1+1,`]
and distance
p3
. But instead of using a disjoint split
of the vectors with weight
p3
, as done by Algorithm 1, the weight is distributed
over the full
`−`1
coordinates (see
z3
of Equation (10)). Thus, there exist
multiple different representations for every possible difference, resulting in as
many duplicates being added to
L1234
for every element fulfilling the approximate
matching identity on the upper bits.
Not only would a single representation of the solution in
L1234
suffice to solve
the problem, but imagine there would be a subsequent level in the tree, which is
e.g. the case for the BJMM algorithm. Then the degenerated list distribution
would significantly affect the list sizes of following levels and, implicitly, the time
complexity and correctness of the algorithm. We want to stress that this problem
only occurs if the algorithm is provided with a parity-check matrix
H
as defined
in Equation (3). If the input matrix has the shape given in Equation (7) with
random
H1
this seems to re-randomize the duplicates such that the list sizes
match their expectations, as experiments have shown [2,12]. Nevertheless, it
enables us in the next section to improve on the standard MMT (respectively
BJMM) algorithm by changing the way the base lists are constructed.
Other advanced ISD variants. Let us briefly outline the differences between the
MMT algorithm and the improvements made by Becker-Joux-May-Meurer [4],
May-Ozerov [22] and Both-May [8]. The BJMM algorithm works similar to
the MMT algorithm but increases the weight of the candidates for the
ai
to
p/
4 +
ε
. The parameter
ε
then accounts for ones that cancel during addition.
While increasing list sizes, this also increases the amount of representations
allowing for larger constraint choices (the length of
`1
) when constructing lists of
12
subsequent levels. Additionally, the increased amount of representations yields a
theoretically optimal search tree depth of three (instead of two), to cancel out the
representations and balance the tree most effectively. The ideas introduced with
the BJMM algorithm were adopted by both May-Ozerov and Both-May variants.
May and Ozerov then exchanged the meet-in-the-middle strategy to solve the
nearest neighbor problem on the last level by their own more efficient algorithm
for nearest neighbor search. Both and May finally exploited the nearest neighbor
search technique from May-Ozerov for the construction of all lists of the tree.
4 An ISD framework based on nearest neighbor search
In this section we describe an algorithmic framework for ISD algorithms based
explicitly on nearest neighbor search that resolves the shortcomings mentioned in
the previous section. We are able to obtain variants of all major ISD improvements
by choosing specific configurations of our framework. Additionally, we can easily
exchange costly routines, such as May-Ozerov nearest neighbor search by more
practical algorithms. Similar to the MMT algorithm, our framework uses a
search tree to construct the solution. To obtain the lists of each level, nearest
neighbor search is exploited. The framework then yields the basis for obtaining
our practical security estimates.
Remark 4.1.
Our complexity estimates show that, for the cryptographically
interesting error regimes, a search tree depth of two is (almost) optimal, regardless
of the chosen instantiation of the framework. We find that this is the case in
memory constrained and unconstrained settings, as well as under consideration of
different memory access costs. Only in some rare cases, an increase to depth three
gives minor improvements of a factor strictly less than two (for the proposed
parameter sets of McEliece, BIKE and HQC). Hence, for didactic reasons we
describe our framework only in depth two.
Let us assume the parity check matrix is in systematic form according to
Equation (3) and let us write the matrix as
H=˜
H In−k=
˜
H1I`10 0
˜
H20I`20
˜
H30 0 I`3
,where ˜
H∈F(n−k)×k
2,(11)
and let
˜
s:= (˜
s1,˜
s2,˜
s3)∈F`1
2×F`2
2×F`3
2(12)
be the corresponding syndrome (after the Gaussian elimination). The permutation
is assumed to distribute the weight on
e
= (
e0,e00
1,e00
2,e00
3
)
∈
(
Fk
2×F`1
2×F`2
2×F`3
2
)
as
wt(e0) = pand wt(e00
i) = ωifor i= 1,2,3,(13)
where
`1, `2, ω1, ω2
and
p
are optimized numerically and
`3
:=
n−k−`1−`2
, as
well as
ω3
:=
ω−p−ω1−ω2
. Note that, by our formulation, the following three
13
approximate matching identities hold7
˜
Hie0≈ωi˜
sifor i= 1,2,3.(14)
Again, we split
e0
=
e1
+
e2
in two addends
ei∈Fk
2
with
wt
(
ei
) =
p1
for
some numerically optimized p1.
In the base lists of the search tree (compare also to Figure 1), we enumerate
all candidates for
e1
, respectively
e2
, in a meet-in-the-middle fashion. To obtain
the lists of the middle level, we combine two base lists by searching for pairs
(x1,x2)∈L1×L2, respectively (x3,x4)∈L3×L4, fulfilling the identities
˜
H1(x1+x2)≈ω11 0`1and respectively
˜
H1(x3+x4)≈ω11 ˜
s1,
where ω11 is another parameter that has to be optimized numerically.
All resulting candidates for
e1
and
e2
, namely
x12
=
x1
+
x2
and
x34
=
x3
+
x4
,
satisfying the above identities are stored in the lists
L12
and
L34
respectively.
Finally, those two lists are merged in the list
L1234
by finding all solutions to the
identity ˜
H2(x12 +x34)≈ω2˜
s2.
Eventually every element of L1234 is checked for yielding a solution.
We measure the time complexity of the proposed framework in vector additions
in
Fn
2
. Even though some of the used labels and vectors could be implemented
using less than
n
coordinates, each addition contributes as one. On the one hand
this simplifies the analysis and on the other hand it is highly implementation
dependent if a vector is indeed implemented using less coordinates
Analysis of the Framework. Let us first analyze our framework. Later, we then
compute the concrete complexity for different configurations. Let us start with
the correctness. Assume the permutation distributes the error weight as desired
(compare to Equation (11)). Now consider the possible decomposition of
e0
=
e1
+
e2
with
wt
(
ei
) =
p1
and denote the amount of different such representations
as
R
. Furthermore let the probability that any such representation fulfills the
restrictions imposed by L12 and L34 be
q:= Pr wt( ˜
H1e1) = wt( ˜
H1e2+˜
s1) = ω11 |e0=e1+e2.
Note that the computation of
L1234
does not impose further constraints on
the representations since, by Equation (14), we already conditioned on
˜
H2(e1+e2) = ˜
H2e0≈ω2˜
s2.
7
Note that the equation for
i
= 3 will not be used by the algorithm. It just enables
us to perform the nearest neighbor search for
i
= 2 on a reduced sub-instance
with flexible
`2, ω2
; instead of being forced to operate always on the full
n−k−`1
coordinates with weight ω−p−ω1.
14
Algorithm 3 ISD-NN-Framework
Input: parity check matrix H∈F(n−k)×n
2, syndrome s, error weight ω∈[n]
Output: e∈Fn
2:He=sand wt(e) = ω
Optimize: `1, `2, ω1, ω2, ω11, p1, p
1:
Let
˜
H1,˜
H2,˜
s1,˜
s2
and all parameters be as defined in Equations (11) to (13)
2: repeat
3: choose random permutation matrix P∈Fn×n
2
4:
Transform
HP
to systematic form by multiplication of invertible matrix
Q(compare to Equation (11)): ˜
H←(QH P )[k],˜
s←Qs
5: Li=xi|xi= (y,0k/2) : y∈ Bk/2
p1/2for i= 1,3
6: Li=xi|xi= (0k/2,y) : y∈ Bk/2
p1/2for i= 2,4
7: Compute L12,L34 and L1234 using nearest neighbor algorithm
8: L12 ← {x1+x2|(x1,x2)∈L1×L2∧˜
H1(x1+x2)≈ω11 0}
9: L34 ← {x3+x4|(x3,x4)∈L3×L4∧˜
H1(x3+x4)≈ω11 ˜
s1}
10: L1234 ← {x12 +x34 |(x12,x34 )∈L12 ×L34 ∧˜
H2(x12 +x34)≈ω2˜
s2}
11: for x∈L1234 do
12: ˜
e= (x,˜
Hx+˜
s)
13: if wt(˜
e) = ωthen
14: break
15: until wt(˜
e) = ω
16: return P˜
e
Hence, as long as we ensure
R·q≥
1, we expect at least one representation
to survive the restrictions imposed. Even if
R·q <
1, we can compensate for it
by 1
R·qrandomized constructions of the tree (line 5to 14 of Algorithm 3).8
Lets now turn our focus to the time complexity. We define
TP
to be the
expected number of random permutations until at least one of them distributes
the weight as desired. For each of these
TP
permutations we need to apply the
Gaussian elimination at a cost of
TG
as well as the computation of base lists,
three nearest neighbor computations and the weight check of elements of the
final list.
Note that in our formulation of the lists they only hold the respective candi-
dates
xi
to keep the notation comprehensible. In a practical application one might
also want to store the label
˜
Hxi
in
Li
for
i
= 1
,
2
,
3and respectively
˜
Hx4
+
˜
s
in
L4
to avoid their re-computation at later levels. While these labels can be naively
computed using matrix vector multiplication, a more sophisticated strategy enu-
merates the
xi
in the base lists such that
wt
(
xi
+
xi+1
) = 2. Then every label
can be computed from the previous one using only two vector additions, yielding
a total cost of roughly
p1
2
+ 2
L1
per base list. This is surpassed by the cost for
8For example we can randomize by adding a random r∈Fn−k
2to all labels in lists
L1and L3.
15
L1
x1˜
Hx1
0
p1
2
n−k
k
2
k
2
L2
x2˜
Hx2
0p1
2
n−k
k
2
k
2
./
L12
e1˜
He1
p1
2
p1
2ω11
`1
k
2
k
2n−k−`1
L3
x3˜
Hx3
0
p1
2
n−k
k
2
k
2
L4
x4˜
Hx4+˜
s
0p1
2
n−k
k
2
k
2
./
L34
e2˜
He2+˜
s
p1
2
p1
2ω11
`1
k
2
k
2n−k−`1
./
L1234
e0˜
He0+˜
s=e00
p
2
p
2ω1
`1
k
2
k
2`2`3
ω2
Fig. 1: Graphical representation of the computation tree used by the ISD framework.
the nearest neighbor search on the first level, which is why we neglect this term
in the analysis. Let us denote the cost for nearest neighbor search on two lists of
size
|L|
, for vectors of length
`
and weight
δ
as
NL,`,δ
. Finally observe, that the
computation of
L1234
comes at a much higher cost than the linear check of the
list, which is why we disregard the linear pass through the list in the analysis.
Hence, in total the time complexity becomes
T=TP
|{z}
permutations ·TG
|{z}
Gaussian
+ max 1,(R·q)−1
| {z }
representations
·2· N|L1|,`1,ω11 +N|L12|,`2,ω2
| {z }
tree computation .
(15)
Note that from a memory point of view one can implement the procedure in
a streaming manner rather than storing each list on every level, similar to the
ones described in [24,33]. In this way we only need space for two base lists as
well as one intermediate list, since the final list can be checked on-the-fly anyway.
Additionally we need to store the matrix, thus we have
M= 2 · |L1|+|L12 |+n−k .
Using the above framework we obtain several ISD algorithms by changing the
specific configuration. This includes improved and practical variants of all major
ISD improvements (restricted to depth 2) such as MMT,BJMM, May-Ozerov
as well as the latest improvement by Both and May.
Let us briefly sketch how to obtain these variants of known ISD algorithms
before analyzing them in more detail. Let us start with the MMT/BJMM
algorithm.
9
. Therefore let us instantiate our framework using the Meet-in-the-
9
Note that we do not differentiate between both algorithms in the following, since
the only difference of the BJMM algorithm is the larger choice of the weight of
base list elements as
p1> p/
2(and the increase of depth to three, which is not
relevant for our practical analysis). Hence, the bare optimization of
p1
determines
which algorithm is chosen.
16
Middle algorithm on both levels to directly obtain a variant of the MMT/
BJMM algorithm using disjoint weight distributions and resolving the shortcom-
ings outlined in the previous section. If we instead choose Meet-in-the-Middle
on the first but May-Ozerov nearest neighbor search on the second level, set
`2
=
n−k−`1
,
ω2
=
ω−p
and hence
`3
=
ω3
= 0 we obtain a variant of the
May-Ozerov ISD algorithm using a disjoint weight distribution on the lower level.
Observe that the choice of parameters ensures the nearest neighbor search on
the final level being performed on all remaining coordinates. And finally if we
choose the May-Ozerov nearest neighbor algorithm on both levels with the same
choice of
`2, `3, ω2, ω3
as for the May-Ozerov variant we obtain the ISD variant
of Both and May.
4.1 Concrete Practical Instantiations of the Framework
So let us start the analysis with a variant where we instantiate the nearest
neighbor routine by Indyk-Motwani. We credit this variant to Both and May,
who first used explicit nearest neighbor search on all levels, by simply calling the
variant Both-May in the following.
Remark 4.2
(Balanced weight distribution). As outlined in Section 2, the way
we construct the solution only allows to obtain
e0
with balanced weight, i.e.,
vectors having weight
p/
2on the upper and weight
p/
2on the lower half of
their coordinates. The amount of balanced vectors is a polynomial fraction of
all vectors with weight
p
and hence it is usually disregarded in the theoretical
analysis. However, for our practical estimates we account for this. Specifically this
influences the amount of representations
R
as well as the amount of necessary
permutations TP.
Both-May Algorithm. Recall that for the Both-May algorithm we choose
`2
=
n−k−`1
,
ω2
=
ω−p−ω1
and
`3
=
ω3
= 0. Thus the expected amount of
iterations until we draw a permutation that distributes the weight according to
Equation (13) (under consideration of Remark 4.2) becomes
TP=n
ω
`2
ω2`1
ω1k/2
p/22=n
ω
n−k−`1
ω−p−ω1`1
ω1k/2
p/22.
Further note, that the number of representations of one balanced vector
e0∈Fk
2
with weight pas a sum of two balanced vectors with weight p1is
R=p/2
p/42(k−p)/2
p1/2−p/42
.
Here the first factor counts the ones contributed to one half of
e0
from the first
addend. The remaining
p/
4ones are then contributed by the second addend.
The second factor counts the possibilities how the remaining
p
1
/
2
−p/
4ones
in one half can cancel out. Finally since every representation of the lower half
can be combined with any representation of the upper half to obtain a valid
representation of e0, we square the result.
17
The probability
q
of a representation (
e1,e2
)of
e0
fulfilling the restriction
imposed by L12 and L34 is
q:= Pr wt( ˜
H1e1) = wt( ˜
H1e2+˜
s1) = ω11 |e0=e1+e2
=ω1
ω1/2 `1−ω1
ω11−ω1/2
2`1
Therefore observe that for a representation (e1,e2)of e0it holds that
˜
H1e1+˜
H1e2+˜
s1=e00
1,where wt(e00
1) = ω1.
Now there are 2
`1
different combinations of values for
˜
H1e1,˜
H1e2
+
˜
s1
that satisfy
the above identity. Out of these pairs
ω1
ω1/2 `1−ω1
ω11−ω1/2
have the correct weight
ω11
. Now by the randomness of
˜
H1
the probability becomes the claimed fraction.
In the base lists we enumerate all vectors of length
k/
2and weight
p1/
2,
hence it holds
|L1|=k/2
p1/2.
The intermediate lists hold all elements of the Cartesian product of two base
lists which fulfill the weight restriction on `1coordinates, thus
|L12|=|L1|2`1
ω11
2`1
Eventually the running time
N|L1|,`1,ω11
for the nearest neighbor routine
on the first level and
N|L12|,n−k−`1,ω−p−ω1
for the second level are given by
Equation (2).
BJMM-dw:BJMM/MMT with disjoint weight distribution. In comparison to
our version of the Both-May algorithm the BJMM-dw algorithm uses Meet-in-
the-Middle for nearest neighbor search. Thus, we choose
`2< n −k−`1
and
ω2< ω −p−ω1
, which yields
`3, ω3>
0.
10
Accordingly the time complexity for
the nearest neighbor search on the first and second level, which are
N|L1|,`1,ω11
and
N|L12|,`2,ω2
are now given by Equation (1). Note that the choice of the meet-
in-the-middle approach only allows to find elements with balanced distances.
Thus, we also need the balanced property on the
`2
and
`1
windows. Hence, the
number of permutations and the probability of a representation matching the
restrictions change to
TP=n
ω
n−k−`1−`2
ω−ω1−ω2−p`2/2
ω2/22`1/2
ω1/22k/2
p/22and q=ω1/2
ω1/42`1/2−ω1/2
ω11/2−ω1/42
2`1.
The rest stays as in the analysis of the Both-May variant.
10
If we would perform the Meet-in-the-Middle on the full
n−k−`1
coordinates
as before, the blow-up due to the internal addition of the fixed Hamming weight
vectors would be to huge and render this approach inefficient.
18
4.2 Joint weight distributions
Since in practice
`1
is comparably (to the code length) small and the error weight
only sublinear, an optimization of parameters in some cases yields
ω11
= 0 and
hence
ω1
= 0. In these cases we find that a joint weight distribution on the
base level, meaning an enumeration of vectors of length
k+`1
2
rather than
k
2
,
as in the original algorithm by Dumer, can yield improvements. Recall that
asymptotically the joint weight case is subsumed by the disjoint weight case when
using proportional weight on both sides.
However, since our primary focus lies on the concrete hardness of cryptographic
parameter sets, which all use a sublinear error weight, we now describe a variant
of the framework using a joint weight distribution on the first level. Note that
this description is also closer to the original descriptions of the May-Ozerov,
BJMM and MMT algorithms, which all use joint weight distributions, the latter
even over multiple levels.
First assume that the weight on the solution
e
= (
e0,e00
1,e00
2,e00
3
)
∈Fk
2×F`1
2×
F`2
2×F`3
2distributes as
wt((e0,e00
1)) = p, wt(e00
2) = ω2and wt(e00
3) = ω3.(16)
Also we re-randomize the identity part of size
`1
by considering the parity check
matrix being of form
H=˜
H In−k−`1=
˜
H10 0
˜
H2I`20
˜
H30I`3
,
where
˜
H∈F(n−k)×(k+`1)
2
has random structure. This allows us to perform a
meet-in-the-middle on (
e0,e00
1
)without splitting both parts individually. Therefore
we change the definition of base lists to
Li=xi|xi= (y,0(k+`1)/2): y∈ B(k+`1)/2
p1/2for i= 1,3and
Li=xi|xi= (0(k+`1)/2,y): y∈ B(k+`1)/2
p1/2for i= 2,4.
Now we construct the lists L12 and L34 as
L12 := {x1+x2|(x1,x2)∈L1×L2∧˜
H1(x1+x2) = 0}
L34 := {x3+x4|(x3,x4)∈L3×L4∧˜
H1(x3+x4) = ˜
s1}.(17)
Finally list L1234 is constructed via nearest neighbor search, as before as
L1234 ← {x12 +x34 |(x12,x34 )∈L12 ×L34 ∧˜
H2(x12 +x34)≈ω2˜
s2}.
Adaptation of the analysis. While most of the analysis stays the same as for the
general nearest neighbor framework, our adaptations affect some of the details.
Precisely the probability
q
of a representation surviving the imposed restrictions
19
as well as the cost for the construction of
L12
and
L34
. First note that for lists
as defined in Equation (17) the probability qis defined as
q:= Pr ˜
H1e1=0∧˜
H1e2=˜
s1|(e0,e00
1) = e1+e2= 2−`1.
Since we already know that
˜
H1
(
e0,e00
1
) =
˜
s1
by randomness of
˜
H1
we have
q
=
Pr ˜
H1e1=0
= 2
−`1
. Now observe that the construction of
L12
(resp.
L34
) can be done in time
|L1|
+
|L2|
+
|L12|
as we only need to check for
equality. Thus, the runtime can still be expressed via Equation (15), where
N|L1|,`1,ω11
:=
|L1|
+
|L2|
+
|L12|
. Next we give two instantiations with joint
weight distribution on the base level. The first is a variant of the BJMM
algorithm using again Meet-in-the-Middle for the construction of
L1234
, while
the second uses Indyk-Motwani instead and can be seen as a variant of the
May-Ozerov algorithm.
BJMM-p-dw:BJMM/MMT algorithm with partially disjoint weight distri-
bution. The expected amount of permutations until we may expect a weight
distribution as given in Equation (16) under consideration of the balanced prop-
erty (see Remark 4.2) is
TP=n
ω
n−k−`1−`2
ω−ω1−ω2−p(k+`1)/2
p/22`2/2
ω2/22
Note that the balanced property on the
`2
windows stems from the fact that
the BJMM algorithm uses Meet-in-the-Middle for the construction of
L1234
.
The base lists are now of increased size
|L1|
=
(k+`1)/2
p1/2
while
|L12|
=
|L34|
=
|L1|2/
2
`1
since we perform an exact matching on
`1
coordinates. On the upside
we now have an increased amount of representations
R=p/2
p/42(k+`1−p)/2)
p1/2−p/42
.
The cost for the computation of
L1234
, namely
N|L12|,`2,ω2
, is given by Equa-
tion (1).
May-Ozerov The essential difference to the BJMM-p-dw lies in the usage of
the Indyk-Motwani for the computation of
L1234
. Also this variant chooses
`2
=
n−k−`1
and
ω2
=
ω−p
, which implies
`3
=
ω3
= 0. Then the complexity
of the final list computation
N|L12|,`2,ω2
is given by Equation (2). The rest stays
as in the analysis of the BJMM-p-dw.
For completeness and comparisons we also state the running time of the
original BJMM algorithm (in depth two). It uses a joint weight distribution over
both levels, hence the vectors are enumerated on (
k
+
`1
+
`2
)
/
2coordinates
in the base lists. This results in the final construction of list
L1234
coming at a
cost of
|L12|
+
|L34|
+
|L1234|
. Referring to Equation (15) this means we have
N|L12|,`2,ω2=|L12 |+|L34|+|L1234 |
20
BJMM: original BJMM algorithm. Let
`
=
`1
+
`2
. The base list size of the
BJMM algorithm is
|L1|
=
(k+`)/2
p1/2
. The matching is then performed again
on
`1
coordinates, which results in
|L12|
=
|L34|
=
|L1|2/
2
`1
. The amount of
representations is
R=p/2
p/42(k+`−p)/2
p1/2−p/42
.
Now the construction of list
L1234
is performed as a matching of
L12
and
L34
on
`−`1
=
`2
coordinates, thus we have
|L1234|
=
|L12|2/
2
`2
. The rest stays as in
the BJMM-p-dw algorithm.
5 Estimator
In this section we present our results on the bit security estimates for the
suggested parameters of code based cryptographic submissions to the NIST PQC
standardisation process, namely McEliece, BIKE and HQC.
A cautious note on concrete hardness estimates. Concrete hardness estimates
often give the impression of being highly accurate, not least because they are
usually given up to the second or even third decimal place. In particular, following
recent discussions (in the NIST PQC forum [31]), we want to emphasize that these
concrete security estimates should always be taken with care. They heavily rely
on implementation details, targeted platforms, possible hardware accelerations
and many more factors. Thus, many assumptions must be made to obtain these
estimates. The derived numbers should therefore be understood as indicative
rather than precise. Following this line of thought we give our estimates rounded
to the nearest integer and admit that they may inherit an inaccuracy of a few
bits.
Before we discuss the security estimations let us briefly address some method-
ology aspects. All advanced algorithms we consider require an exponential amount
of memory, which certainly slows down computations compared to memory-free
algorithms like Prange. In [3] it was suggested to use a logarithmic memory access
model, which accounts for the need of memory with an additive
log log memory
in the bit security estimate, where
memory
is the total memory consumed by the
algorithm. We follow this suggestion and consider besides the more conservative
constant memory access cost also this logarithmic model. Additionally, we con-
sider a cube-root memory access cost, which results in an additive
log 3
√memory
in the respective algorithms bit complexity, which was recently suggested by
Perlner [25].
Note that our estimator software also allows for a square-root access cost
model as well as user defined cost functions. However, we believe that the constant,
logarithmic and cube-root models already give a good overview.
The NIST defines five security categories, where most submissions focus on
parameters for the categories one, three and five. A parameter set for a proposal
is said to match the security level of category one, three or five if the scheme
instantiated with the corresponding parameters is as at least as hard to break as
21
Category n k ω
1 3488 2720 64
3 4608 3360 96
McEliece 5 6688 5024 128
5 6960 5413 119
5 8192 6528 128
1 24646 12323 134
BIKE (message) 3 49318 24659 199
5 81946 40973 264
1 24646 12323 142
BIKE (key) 3 49318 24659 206
5 81946 40973 274
1 35338 17669 132
HQC 3 71702 35851 200
5 115274 57637 262
Table 1: Parameter sets suggested by NIST PQC proposals.
AES-128, AES-192 or AES-256 respectively. In Table 1we list all corresponding
parameters of each submission and their respective security category.
Remark 5.1
(Up-to-date Estimates). Even though, we computed the presented
estimates with the utmost care, we would like to encourage the reader to use our
Syndrome Decoding Estimator rather than only relying on the estimates given in
this paper. This is because the tool offers a wide variety of customization to make
sure the estimates address the right setting. Also, we are constantly extending
and improving the Syndrome Decoding Estimator such that the results obtained
might slightly vary from the tables presented here.
Let us start with the Classic McEliece submission. Table 2shows the bit
complexity estimates for all suggested parameter sets. Besides the ISD vari-
ants obtained as instantiations of our framework we included the estimates for
Prange and Stern for comparisons. It can be observed that the time complexity
estimations for all advanced ISD algorithms, namely Both-May,May-Ozerov,
BJMM,BJMM-dw and BJMM-p-dw are comparable, where the variants bring
slight advantages over BJMM. However, the use of explicit nearest neighbor
search and disjoint weight distributions pays off when turning the focus to the
memory consumption. For the proposed parameter sets, our new BJMM variants
for instance allow to decrease the memory consumption of plain BJMM by up
to 30 bits. This partly stems form the advantage of not enumerating unnecessary
vectors in the base lists as outlined in Section 3. Recall that this reduced memory
consumption eventually also results in practical run time improvements when
considering different memory access models.
22
Category 1
(n= 3488)
Category 3
(n= 4608)
Category 5
(n=6688)
Category 5
(n= 6960)
Category 5
(n= 8192)
T MTMTMTMTM
Prange 173 22 217 23 296 24 297 24 334 24
Stern 151 50 193 60 268 80 268 90 303 109
Both-May 143 88 182 101 250 136 249 137 281 141
May-Ozerov 141 89 180 113 246 165 246 160 276 194
BJMM 142 97 183 121 248 160 248 163 278 189
BJMM-p-dw 143 86 183 100 249 160 248 161 279 166
BJMM-dw 144 97 183 100 250 130 250 160 282 164
M≤60 145 60 187 60 262 58 263 60 298 59
M≤80 143 74 183 77 258 76 258 74 293 77
log Maccess 147 89 187 113 253 165 253 160 283 194
3
√Maccess 156 25 199 26 275 36 276 36 312 47
Table 2: Bit security estimates for the suggested parameter sets of the Classic McEliece
scheme.
Additionally we provide in Table 2bit-security estimates where the available
memory is limited to 60 and 80 bits (still in the constant memory access model).
Under this memory restrictions the May-Ozerov algorithm performs best by
entirely providing the best estimates for those regimes. This is an effect of the
use of joined weight distributions on the lower level as well as memory-efficient
nearest neighbor search in form of Indyk-Motwani.
Also we state the best complexities obtained when considering the logarithmic
and cube-root memory access model.
11
For the logarithmic model it can be
observed that the optimization suggests the same parameters as in the constant
model. This results in all bit complexities being increased by a logarithm of the
memory usage in the constant setting. Contrary, the optimization in the cube-root
model avoids the use of memory almost completely, yielding significantly higher
bit complexities.
We also used our estimator to approximate the hardness of an already solved
McEliece instance reported online at
decodingchallenge.org
[2] and an instance
that was attacked by Bernstein, Lange and Peters in [6]. Recently, Esser, May and
Zweydinger reported the solution to an instance with parameters (
n
= 1284
, k
=
1028
, w
= 24) [2], for this instance our estimator yields a bit complexity of 65 bit.
For the instance (
n
= 1024
, k
= 525
, w
= 50) attacked in [6] by Bernstein et al.
we find a slightly lower bit complexity of 64 bit. Note that while these numbers
might occur high, usually attacks are performed with a register-width of 64 bit.
Thus, the actual operation count is reduced by six bit, yielding operation counts
11
Note that we take the number of necessary vector space elements that need to be
stored as a measure to derive the penalty.
23
Category 1
(n= 24646)
Category 3
(n= 49318)
Category 5
(n= 81946)
T M T M T M
message security
Prange 167 28 235 30 301 32
Stern 146 40 211 43 277 45
Both-May 147 38 212 41 276 63
May-Ozerov 146 55 211 57 276 61
BJMM 147 38 211 59 277 63
BJMM-p-dw 147 37 211 56 276 61
BJMM-dw 147 45 211 56 277 43
log Maccess 150 31 215 33 281 34
3
√Maccess 152 30 217 32 283 33
key security
Prange 169 28 234 30 304 32
Stern 147 40 211 43 279 45
Both-May 148 38 211 60 278 63
May-Ozerov 147 55 210 57 278 61
BJMM 147 54 211 59 279 63
BJMM-p-dw 147 55 211 56 278 61
BJMM-dw 147 55 211 56 279 43
log Maccess 151 31 215 33 283 34
3
√Maccess 153 30 217 32 285 33
Table 3: Bit security estimates for the suggested parameter sets of the BIKE scheme.
of 59 and 58 bits for those instances. These estimates seem to be coherent with
the reported computational efforts made to solve those instances.
Next we give the security estimates for the BIKE scheme. Note that BIKE uses
a quasi-cylic code allowing for polynomial speedups, which need to be considered
in the security estimates.
This is also the reason why we have to distinguish the message and key
security. Obtaining the message from a BIKE ciphertext requires the attacker
to solve a syndrome decoding problem for a syndrome usually not equal to the
zero vector. Opposed to that, attacking the secret key requires finding a low
weight codeword or equivalently solving the syndrome decoding problem, where
the syndrome is the zero vector. For these two cases different speed-ups can be
obtained due to the cyclic structure.
In terms of message security, the cyclicity allows to derive
n−k
=
k
syndrome
decoding instances from an initial input instance out of which a single one has to
be decoded to break the security of the system. This variant is known as decoding
one out of many (DOOM). It has been shown in [28] that Stern’s algorithm can
be sped up in this setting by a factor of roughly
√k
. Even though, it has not
been studied how to obtain this speed-up for advanced ISD algorithms, such as
24
Category 1
(n= 35338)
Category 3
(n= 71702)
Category 5
(n= 115274)
T M T M T M
Prange 166 29 237 31 300 33
Stern 145 41 213 44 276 46
Both-May 146 39 214 42 276 39
May-Ozerov 145 39 214 42 276 44
BJMM 146 39 214 42 276 44
BJMM-p-dw 146 39 214 42 276 43
BJMM-dw 146 39 214 42 276 40
log Maccess 150 32 218 34 280 36
3
√Maccess 151 31 220 33 282 35
Table 4: Bit security estimates for the suggested parameter sets of the HQC scheme.
BJMM, it is commonly assumed to be obtainable similar to the case of Stern’s
algorithm. Hence, we also deducted log k
2from all our bit security estimates.
Considering key security the quasi cyclic code contains all
k
cyclic shifts of the
searched codeword. Hence, without any adaptations the probability of choosing
a permutation that distributes the weight as desired is enhanced by a factor of
k
.
Thus, in this case we subtract log(k)from our bit security estimates.
Table 3states the bit security estimates for the BIKE scheme. Note that
BIKE in comparison to McEliece uses a decreased error weight of
ω
=
O
(
√n
)
rather than
ω
=
O
(
n
log n
). This reduced weight lets the advantage of enumeration
based algorithms deteriorate, with the result that advanced algorithms only offer
a slight advantage over basic Stern. However, when considering the logarithmic
or cube-root model still our May-Ozerov variant provides the best complexities.
For the BIKE setting we observe that already for a logarithmic penalty the
optimization suggests to use low-memory configurations.
Eventually we state in Table 4our bit security estimates for the HQC scheme.
Similar to the BIKE scheme HQC uses a cyclic structure allowing for a
√k
speedup. Also HQC builds on the same asymptotically small error weight of
ω
=
O
(
√n
), but in comparison to BIKE uses even smaller constants. Thus, as
the estimates show, the advantage of more involved procedures vanishes almost
completely. Here most variants degenerate to a version of Stern, by choosing
all intermediate weights equal to zero. Nevertheless, when considering memory
access costs again our May-Ozerov algorithm yields the best time complexity.
The biggest solved instance reported to
decodingchallenge.org
in the quasi-
cyclic setting has parameters (
n
= 2918
, k
= 1459
, w
= 54) [2]. We estimate
for this instance a bit complexity of 64 bit using our estimator tool, which
corresponds to roughly 258 necessary operations on a 64-bit architecture.
25
Interpretation of the security estimates. We observe that most bit security esti-
mates match the required classical gate counts of 143, 207 and 272, corresponding
to breaking AES-128, AES-192 and AES-256 according to NIST, surprisingly
well. Note that all submissions use the asymptotic complexity estimate of basic
Prange as foundation for parameter selection. Hence, the exact match comes
from the fact that the improvement due to advanced algorithms corresponds
quite exactly to Prange’s polynomial factors.
The McEliece submission team admits that advanced ISD algorithms yield a
lower complexity count then required in the constant memory access model [10],
which is confirmed by our estimates. However, they argue that the memory
access costs faced in the real world will make up for the difference. Our estimates
support this claim, when imposing a cube-root memory access cost.
Only the category three parameter set of the Classic McEliece scheme seems
to fail the given security level slightly. Here, even when imposing a cube-root
memory access cost it still deviates from the needed 207 bits by eight bits.
For BIKE and HQC the consideration of different memory access cost models
is less significant. This is because already in the constant memory access setting
the parameters do not allow advanced ISD techniques to leverage the use of
memory. However, both schemes already match their security levels in the more
conservative constant cost model. In the more realistic setting with logarithmic
or cub-root access cost both schemes’ parameter sets seem to inherit a slight
margin of five to fifteen bits.
5.1 Quantum Security
The metric for quantum security provided by NIST is based on a
maxdepth ∈
{
40
,
64
,
96
}
constraint, defining the maximum allowed depth of a quantum circuit
used to attack the corresponding instantiation. Here the
maxdepth
constraint
accounts for the difficulty of constructing large scale quantum computers.
A parameter set is said to match the quantum security definition of category
one, three or five, if it is at least as hard to break as AES-128, AES-192 or
AES-256 quantumly. Furthermore NIST defines the quantum security of AES as
–AES-128 corresponds to 2170−maxdepth quantum gates,
–AES-192 corresponds to 2233−maxdepth quantum gates,
–AES-256 corresponds to 2298−maxdepth quantum gates.
In terms of quantum attacks Bernstein showed, that the search for a correct
permutation in Prange’s algorithm can be asymptotically accelerated by a square-
root gain using a Grover search [5]. There has also been some research on how
to quantize advanced ISD algorithms [17,18]. While resulting in slightly better
asymptotic complexities than Bernstein’s quantum Prange, we agree with the
BIKE submission [1], that these procedures inherit huge overheads making them
for practical security estimates irrelevant.
In the following we analyze the quantum security of the proposed parameter
sets based on Bernstein’s quantum Prange in a very optimistic way, disregarding
any overhead caused by a real implementation. Nevertheless, even with our
analysis, which disregards a lot of the actual costs, we are able to show that
26
all parameter sets still match the quantum security definition of the respective
categories.
Quantum Prange under depth constraint. Let the Gaussian elimination circuit
require a depth of
DE
= (
n−k
)
ωM
, where
ωM∈J
2
,
3
K
. Now recall that the
probability of drawing a random permutation that distributes the weight as
desired (see Equation (4)) is
q:= n−k
ω
n
ω.
Hence, leveraging Grover search, finding a good permutation with one appli-
cation of a single quantum circuit would require a depth of
D=O(DEpq−1).
Since we are limited in depth, following Zalka [34] we need to partition
the search space in enough pieces such that the circuit performing a search on
each partition does not exceed the depth constraint. Then the circuit has to
be reapplied for each partition. Separating the search space in
N
equally large
partitions results in a necessary quantum circuit depth of
DN=O(DEp(qN )−1),
for performing the search on a single partition. Now setting
DN
= 2
maxdepth
results in
N=(DE)2·q−1
22·maxdepth .
Finally this gives a quantum circuit of depth 2
maxdepth
which has to be reapplied
Ntimes to find the solution. Hence, the total time complexity becomes
TQ=N·2maxdepth =(DE)2
q·2maxdepth .
In Table 5we present the quantum bit security estimates for the NIST PQC
schemes. Note that we do not state the security for every category and
maxdepth
combination. Rather we just state the difference of
log TQ
and the quantum
bit security of AES for the corresponding category, which is given in the above
listing. Observe that this difference does not depend on the
maxdepth
constraint
anymore. The table can now be read as the quantum bit security of breaking the
corresponding scheme is
x
bit higher than required, where
x
is the value given in
the column "quantum security margin". For obtaining these estimates we used
the more than optimistic matrix multiplication constant of ωM= 2.5.
The estimates confirm our prior finding, that the McEliece parameter set
for category three inherits a way smaller security margin compared to the other
proposed parameter sets.
27
Scheme Category nquantum
security margin
1 3488 21
3 4608 3
McEliece 5 6688 18
5 6960 18
5 8192 56
1 24646 41
BIKE (message) 3 49318 47
5 81946 53
1 24646 32
BIKE (key) 3 49318 40
5 81946 43
1 35338 33
HQC 3 71702 43
5 115274 44
Table 5: Quantum bit security margin of the corresponding schemes in comparison to
breaking AES quantumly.
References
1.
Aragon, N., Barreto, P., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C.,
Gaborit, P., Gueron, S., Guneysu, T., Melchor, C.A., et al.: BIKE: bit flipping key
encapsulation (2020)
2.
Aragon, N., Lavauzelle, J., Lequesne, M.: decodingchallenge.org (2019),
http:
//decodingchallenge.org
3.
Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: A finite regime
analysis of information set decoding algorithms. Algorithms 12(10), 209 (2019)
4.
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes
in 2
n/20
: How 1 + 1 = 0 improves information set decoding. In: Pointcheval,
D., Johansson, T. (eds.) Advances in Cryptology – EUROCRYPT 2012. Lecture
Notes in Computer Science, vol. 7237, pp. 520–536. Springer, Heidelberg, Germany,
Cambridge, UK (Apr 15–19, 2012). https://doi.org/10.1007/978-3-642-29011-4_31
5.
Bernstein, D.J.: Grover vs. McEliece. In: International Workshop on Post-Quantum
Cryptography. pp. 73–80. Springer (2010)
6.
Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the mceliece cryp-
tosystem. In: International Workshop on Post-Quantum Cryptography. pp. 31–46.
Springer (2008)
7.
Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: Ball-collision
decoding. In: Rogaway, P. (ed.) Advances in Cryptology – CRYPTO 2011. Lecture
Notes in Computer Science, vol. 6841, pp. 743–760. Springer, Heidelberg, Germany,
Santa Barbara, CA, USA (Aug 14–18, 2011). https://doi.org/10.1007/978-3-642-
22792-9_42
28
8.
Both, L., May, A.: Decoding linear codes with high error rate and its impact for lpn
security. In: International Conference on Post-Quantum Cryptography. pp. 25–46.
Springer (2018)
9.
Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words
in a linear code: Application to mceliece’s cryptosystem and to narrow-sense bch
codes of length 511. IEEE Transactions on Information Theory
44
(1), 367–378
(1998)
10.
Chou, T., Cid, C., UiB, S., Gilcher, J., Lange, T., Maram, V., Misoczki, R., Nieder-
hagen, R., Paterson, K.G., Persichetti, E., et al.: Classic McEliece: conservative
code-based cryptography 10 october 2020 (2020)
11.
Dumer, I.: On minimum distance decoding of linear codes. In: Proc. 5th Joint
Soviet-Swedish Int. Workshop Inform. Theory. pp. 50–52 (1991)
12.
Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.)
Advances in Cryptology – CRYPTO 2017, Part II. Lecture Notes in Computer
Science, vol. 10402, pp. 486–514. Springer, Heidelberg, Germany, Santa Barbara,
CA, USA (Aug 20–24, 2017). https://doi.org/10.1007/978-3-319-63715-0_17
13.
Esser, A., Kübler, R., Zweydinger, F.: A faster algorithm for finding closest pairs
in hamming metric. arXiv preprint arXiv:2102.02597 (2021)
14.
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems.
In: Matsui, M. (ed.) Advances in Cryptology – ASIACRYPT 2009. Lecture Notes
in Computer Science, vol. 5912, pp. 88–105. Springer, Heidelberg, Germany, Tokyo,
Japan (Dec 6–10, 2009). https://doi.org/10.1007/978-3-642-10366-7_6
15.
Hamdaoui, Y., Sendrier, N.: A non asymptotic analysis of information set decoding.
IACR Cryptol. ePrint Arch. 2013, 162 (2013)
16.
Indyk, P., Motwani, R.: Approximate nearest neighbors: towards removing the
curse of dimensionality. In: Proceedings of the thirtieth annual ACM symposium
on Theory of computing. pp. 604–613 (1998)
17.
Kachigar, G., Tillich, J.P.: Quantum information set decoding algorithms. In:
International Workshop on Post-Quantum Cryptography. pp. 69–89. Springer
(2017)
18.
Kirshanova, E.: Improved quantum information set decoding. In: International
Conference on Post-Quantum Cryptography. pp. 507–527. Springer (2018)
19.
Kirshanova, E., Laarhoven, T.: Lower bounds on lattice sieving and information
set decoding. To appear at CRYPTO 2021 (2021)
20.
Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key
cryptosystem. In: Günther, C.G. (ed.) Advances in Cryptology – EUROCRYPT’88.
Lecture Notes in Computer Science, vol. 330, pp. 275–280. Springer, Heidelberg,
Germany, Davos, Switzerland (May 25–27, 1988). https://doi.org/10.1007/3-540-
45961-8_25
21.
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in
˜
O
(2
0.054n
). In:
Lee, D.H., Wang, X. (eds.) Advances in Cryptology – ASIACRYPT 2011. Lecture
Notes in Computer Science, vol. 7073, pp. 107–124. Springer, Heidelberg, Germany,
Seoul, South Korea (Dec 4–8, 2011). https://doi.org/10.1007/978-3-642-25385-0_6
22.
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding
of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptol-
ogy – EUROCRYPT 2015, Part I. Lecture Notes in Computer Science, vol. 9056,
pp. 203–228. Springer, Heidelberg, Germany, Sofia, Bulgaria (Apr 26–30, 2015).
https://doi.org/10.1007/978-3-662-46800-5_9
23.
Melchor, C.A., Aragon, N., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C.,
Gaborit, P., Persichetti, E., Zémor, G., Bourges, I.: Hamming quasi-cyclic (HQC)
(2020)
29
24.
Naya-Plasencia, M., Schrottenloher, A.: Optimal merging in quantum k-xor and
k-sum algorithms. In: EUROCRYPT 2020-39th Annual International Conference
on the Theory and Applications of Cryptographic (2020)
25.
Perlner, R.: pqc-forum: Round 3 official comment: Classic mceliece (2021),
available at:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/
EiwxGnfQgec/m/xBky_FKFDgAJ
26.
Peters, C.: Information-set decoding for linear codes over f q. In: International
Workshop on Post-Quantum Cryptography. pp. 81–94. Springer (2010)
27.
Prange, E.: The use of information sets in decoding cyclic codes. IRE Transactions
on Information Theory 8(5), 5–9 (1962)
28.
Sendrier, N.: Decoding one out of many. In: International Workshop on Post-
Quantum Cryptography. pp. 51–67. Springer (2011)
29.
Stern, J.: A method for finding codewords of small weight. In: International Collo-
quium on Coding Theory and Applications. pp. 106–113. Springer (1988)
30.
Torres, R.C., Sendrier, N.: Analysis of information set decoding for a sub-linear
error weight. In: Post-Quantum Cryptography. pp. 144–161. Springer (2016)
31.
Various: pqc-forum: Round 3 official comment: Classic mceliece (2021), available at:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/EiwxGnfQgec
32.
Various: pqc-forum: Security strength categories for code based crypto (and trying
out crypto stack exchange) (2021), available at:
https://groups.google.com/a/
list.nist.gov/g/pqc-forum/c/6XbG66gI7v0
33.
Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) Advances in
Cryptology – CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp.
288–303. Springer, Heidelberg, Germany, Santa Barbara, CA, USA (Aug 18–22,
2002). https://doi.org/10.1007/3-540-45708-9_19
34.
Zalka, C.: Grover’s quantum searching algorithm is optimal. Physical Review A
60(4), 2746 (1999)
A Remark on the correctness of recently obtained
estimates
The recent analysis of the MMT and BJMM algorithm conducted in [3] contains
a subtle but essential flaw leading to significant underestimation of the respective
algorithmic costs. More precisely the authors suggest for the MMT algorithm to
choose the
`2
value (page 18 of [3]) as
log (k+l)/2
p/4
, where this value corresponds
to the amount of bits on which the matching in the first level is performed. But
since there exist only
p
p/2
representations of the solution, this results in an
expected amount of (k+l)/2
p/4
p
p/2
necessary randomized iterations of the algorithm to find a solution for any
permutation distributing the weight as desired. However, the authors disregard
this factor in the complexity analysis, leading to the mentioned underestimation.
Contrary, for the BJMM algorithm the authors choose the values for
`1
and
`2
correctly as the logarithm of the existing representations. However, since they
use a BJMM algorithm with a search tree of depth three, they need to account
for the first stage matching in the second level by only constraining on
`1−`2
instead of `1bits.
30
