Abstract
In this paper, we study the decoding failure rate (DFR) of non-binary QC-MDPC codes using theoretical tools, extending the results of previous binary QC-MDPC code studies. The theoretical estimates of the DFR are particularly significant for cryptographic applications of QC-MDPC codes. Specifically, in the binary case, it is established that exploiting decoding failures makes it possible to recover the secret key of a QC-MDPC cryptosystem. This implies that to attain the desired security level against adversaries in the CCA2 model, the decoding failure rate must be strictly upper-bounded to be negligibly small. In this paper, we observe that this attack can also be extended to the non–binary case as well, which underscores the importance of DFR estimation. Consequently, we study the guaranteed error–correction capability of non–binary QC–MDPC codes under one–step majority logic (OSML) decoder and provide a theoretical analysis of the 1–iteration parallel symbol flipping decoder and its combination with OSML decoder. Utilizing these results, we estimate the potential public-key sizes for QC-MDPC cryptosystems over \(\mathbb {F}_4\) for various security levels. We find that there is no advantage in reducing key sizes when compared to the binary case.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
With the advent of quantum computers, many traditional public–key cryptosystems based on number–theoretic or elliptic curves primitives are to become vulnerable to attacks using them [14, 42]. So, there is a strong need in developing post-quantum cryptographic protocols that will remain secure against adversaries equipped with quantum computers. One of the most prominent and well-established approach to post-quantum cryptography is cryptography based on error-correcting codes.
The first code–based cryptosystem was proposed in 1978 by R. McEliece [31]. The main idea of the McEliece cryptosystem is to mask a generator matrix of a fast–decodable code by permuting its columns and multiplying by a scrambling matrix on the left. The encryption is performed by encoding a message using the public generator matrix and adding an error. So, the security against message–recovery attacks is based on NP–hard syndrome decoding problem [13]. The original proposal of R. McEliece was based on binary Goppa codes, so the security against key–recovery attack relies on hardness of the problem of distinguishing permuted Goppa codes. It is worth mentioning that the original McEliece cryptosystem with several improvements is one of three Round 4 competitors in NIST-PQC [1]. Despite many advantages, the main drawback of McEliece cryptosystem is large public–key size. There were many attempts to overcome this by replacing Goppa codes with more efficient ones. The notable examples are Generalized Reed–Solomon codes [35], Reed–Muller codes [43], algebraic geometry codes [29], concatenated codes [40], rank–metric Gabidulin codes [22]. However, most of this modifications were proven unsecure [15, 17, 32, 38, 40, 44]. In addition, several modifications of protocol itself were proposed to avoid key–recovery attacks against McEliece–like cryptosystems based on efficient algebraic codes (e.g. [7, 12, 28, 48]), however most of them were also successfully cryptanalyzed [16, 18, 19, 30, 47, 50].
One of the most efficient approaches to reducing public-key size was proposed by P. Gaborit [23] and is based on using quasi-cyclic codes (QC-codes). A code C of length \(n = n'l\) is said to be quasi-cyclic of order \(n'\) and index l if its permutation automorphism group \({\text {PAut}}(C)\) has a cyclic subgroup of order \(n'\) that acts freely on coordinates. The quasi-cyclic structure implies the existence of generator and parity-check matrices of C that admit a block-circulant representation, i.e.
This representation allows storing only the first row of each circulant block \({\text {rot}}(h_{i,j})\), thereby reducing storage and communication costs. Therefore, the public key sizes of code-based encryption protocols that preserve quasi-cyclic structure can be significantly reduced. Note that many encryption protocols based on algebraic QC–codes (e.g. [12, 23]) have been successfully attacked [20, 36]. However, protocols based on random quasi–cyclic moderate density parity–check (QC–MDPC) codes [33], which have no algebraic structure except being quasi–cyclic, are still considered secure and efficient.
The concept of moderate-density parity-check (MDPC) codes extends the idea of low-density parity-check codes (LDPC codes) initially introduced by R. Gallager [24]. In Gallager’s seminal work [24], it was shown that efficient decoding of binary codes with a parity-check matrix containing a very small constant number of ones in each row is feasible using iterative algorithms such as bit-flipping and belief propagation, provided certain conditions are met (no two rows have two or more ones in the same positions). In 2000, C. Monico et al. [34] considered replacing Goppa codes in the McEliece cryptosystem with LDPC codes and pointed out that these codes can be easily distinguished due to the existence of very low–weight codewords in the dual code. The application of quasi-cyclic LDPC codes in constructing code-based cryptosystems was initially proposed in [11] and further developed in [8, 10]. To mitigate key-recovery attacks based on searching for low-weight dual codewords, it was suggested to replace the permutation matrix in the protocol with a sparse non–singular matrix of a specific form. However, this approach was found to introduce serious vulnerabilities [2, 36]. An alternative method to prevent key–recovery based on the search for low–weight codewords was proposed in [33], where it was suggested to use random QC–MDPC codes instead of LDPC. The difference between MDPC and LDPC codes lies in the slightly higher weight of the rows in the parity-check matrices, i.e., which is of order \(O(\sqrt{n})\) for MDPC codes and O(1) for LDPC.
We denote the finite field of size q as \(\mathbb {F}_q\). For a vector \(v \in \mathbb {F}_q^n\), the notation \({\text {supp}}(v) = \{ i \in \llbracket 1, n \rrbracket \mid v_i \ne 0 \}\) is used to represent the set of indices corresponding to the positions where v is nonzero. Here, \(\llbracket a, b \rrbracket = \left\{ a, a+1, \dots , b \right\} \) denotes set of all integers between a and b. The Hamming weight of vector v, denoted as \({\text {wt}}(v)\), is defined as the number of nonzero positions in v. A linear code \(C \in \mathbb {F}_q^n\) of length n and dimension k is refereed as \([n,k]_q\)–code. A generic description of a QC-MDPC cryptosystem [33] in the Niedderiter form [35] is as follows:
-
Key generation The secret key is the parity-check matrix H of a random QC-MDPC \([n=ln', (l-1)n']_q\)-code, represented as
$$\begin{aligned} H = \begin{pmatrix} H_1 \; | \; H_2 \; | \; \dots \; | \; H_{l-1} \; | \; H_l \end{pmatrix}. \end{aligned}$$(2)The matrix H consists of circulant \((n' \times n')\)–blocks \(H_i\), where each \(H_i\) has a row weight of \(\gamma \). Note that \(n'\) is usually chosen to be a prime number p. The public key is the systematic form of H, i.e.
$$ \tilde{H} = H_1^{-1} H = \begin{pmatrix} I_{n'} \; | \; H_1^{-1} H_2 \; | \; \dots \; | \; H_1^{-1} H_l, \end{pmatrix} $$which can be represented by the first rows of \(H_1^{-1} H_i\), where \(i \in \llbracket 2, l \rrbracket \), since the product of circulant matrices is also a circulant matrix.
-
Encryption The plaintext is an error vector \(e \in \mathbb {F}_q^n\) of weight t, and the ciphertext is its syndrome \(\tilde{s} = \tilde{H} e^\textsf{T}\).
-
Decryption To decrypt, the private syndrome \(s = H e^\textsf{T}= H_1 \tilde{s}^{\textsf{T}}\) is computed and used as input for the MDPC decoder (bit-flipping or symbol flipping).
Note that in NIST-PQC, the QC–MDPC approach is represented by BIKE (bit-flipping key encapsulation) protocol [3].
Due to probabilistic nature of decoding of LDPC and MDPC codes, there is a non–zero probability of decryption failure. In [26] it was shown that decryption failures can be used to recover the secret key in binary case. Hence in order to achieve indistinguishability against chosen ciphertext attacks, where an adversary has an access to a decryption oracle (IND–CCA2 security), the decoding failure rate (DFR) has to be negligibly small, i.e. of order \(2^{-\lambda }\), where \(\lambda \) is a security level. In [46], an experimental–based extrapolation framework for estimating DFR has been proposed. In this approach, the DFR curve is assumed to be concave, so estimates for high DFR (\(> 10^{-9}\)) can be obtained via numerical simulations and then extrapolated to low DFRs providing an upper bound. However, it is known that LDPC and MDPC codes exhibit error floor phenomenon, resulting in violation of concavity assumption (see e.g. [4, 6]). Hence DFR estimates obtained by extrapolation could possibly be overly optimistic (see Fig. 1). Another approach is to estimate DFR using only theoretical tools. In [45] J. P. Tillich studied guaranteed error–correction performance of binary QC–MDPC codes under one–step majority logic decoder (OSML). In addition, in [45] the DFR of two–iteraion decoder is studied under some reasonable assumptions, i.e. the probability that one iteration of parallel bit–flipping decoder reduces error weight enough to be corrected by OSML decoder is computed. In [39], the estimate of the number of errors correctable by OSML decoder was improved. Under the same assumptions as in [45], the worst–case plausibility analysis of one and two iteration randomized serial bit–flipping decoder was performed in [5]. In addition, in [5] a combination of one iteration of randomized serial bit-flipping and OSML was studied, and recommended design parameters for IND–CCA2 secure QC-MDPC cryptosystems were given.
In this paper, we study DFR of non–binary QC–MDPC codes using theoretical tools. Namely, we extend the results of [39, 45] to the non–binary case, i.e. we show that error–correcting performance of OSML decoder can also be estimated using similar methods of [39, 45]. In addition, we propose a parallel symbol flipping decoder. Under the same assumptions used in [5, 45], we give theoretical estimates of DFR for the parallel symbol–flipping decoder and its combination with the OSML decoder. We also note that the extension of the randomized serial approach, as considered in [5], in the non-binary case seems to yield unreliable results due to a observed discrepancy between the theoretical estimates and the worst-case simulations. Hence this approach is not included in this paper. In addition, we experimentally demonstrate that slightly modified attack of [26] can also recover secret key in non–binary case. Employing the obtained results, recommended parameters and corresponding key sizes for IND-CCA2–secure QC–MDPC cryptosystems over \(\mathbb {F}_q\) for various security levels are computed.
The paper is organized as follows. In Sect. 2, we present the basic principles of decoding non-binary QC-MDPC codes and study the guaranteed error-correction capability of the one-step majority logic decoder in an assumption-free setting. In Sect. 3, we provide a plausibility analysis of error counters distribution and flipping probability in the non-binary case. Subsequently, we propose a 1-iteration parallel symbol flipping decoder and theoretically estimate the probability of reducing the error weight to a certain value, allowing for further decoding by the OSML decoder. We also provide experimental validation of the theoretical model. Finally, in Sect. 4, we consider the reaction attack against non–binary QC–MDPC cryptosystems and find potential cryptosystem parameters and corresponding public-key sizes.
2 Analysis of Guaranteed Error–correction Capability of Non–binary QC-MDPC Codes
Recall that a code C with a parity–check matrix \(H \in \mathbb {F}_q^{m \times n}\) is said to be a moderate–density parity–check (MDPC) code if each row of the \(H=(h_{i,j})\) is of weight \(O(\sqrt{n})\). In addition, C is said to be \((\gamma , \delta )\)–regular if the weight of each column of H is \(\gamma \) and the weight of each row is \(\delta \). Unless otherwise specified, we will focus exclusively on regular MDPC codes.
Let \(z = c + e \in \mathbb {F}_{q}^n\), where \(c \in C\) and \({\text {wt}}(e) \le t\), be a noisy codeword. By \(s = Hz^{\textsf{T}} = He^{\textsf{T}}\) we denote the syndrome of e. One can easily note that since i–th position of s is computed as
Hence, by selecting \(\gamma \) row indices \(i_1, i_2, \dots , i_{\gamma }\) for which \(h_{i_1,j}, \dots , h_{i_1,j}\) are non-zero, we obtain the following \(\gamma \) equalities:
Since C is an MDPC code, the rows \(h_{i}\) of H are sparse. Considering sparsity of e, it follows that \(s_{i} h_{i,j}^{-1}\) equals \(e_j\) with high probability. Hence it is possible to use the values \(s_{i} h_{i,j}^{-1}\) for estimating e.
Let \(\mathbb {F}_q = \{ \alpha _0 = 0, \alpha _1=1, \alpha _2, \dots , \alpha _{q-1} \}\) be a enumeration of elements of \(\mathbb {F}_q\). Let us define
as the number of rows \(h_{w}\) containing the position j in \({\text {supp}}(h_w)\) and \(s_i h_{w,j}^{-1} = \alpha _i\). The values of \(\sigma _{j, i}\) will be referred to as error counters in position j. Clearly, \(\sigma _{j, i}\) indicates the likelihood that the error value \(e_j\) in position j is equal to \(\alpha _i\). In particular, a higher value of \(\sigma _{j,0}\) implies that position j is less likely to be corrupted, while higher values of \(\sigma _{j,i}\), \(i \ne 0\), indicate a greater likelihood that \(e_j = \alpha _i \ne 0\).
Therefore, several decoding strategies are possible. For instance, it is possible to choose an information set I of k positions with highest \(\sigma _{j, 0}\), indicating that these positions less likely to be erroneous, and then use this I for information set decoding (ordered statistics decoding [21] and statistical decoding [37]).
Another straightforward decoding algorithm that uses counters is as follows:
-
1.
compute the syndrome s and the counters \(\sigma _{j,i}\) for all \(j \in \llbracket 1, n \rrbracket \) and \(i \in \llbracket 0, q-1 \rrbracket \);
-
2.
update the position j of the received word z having the highest value of \(\sigma _{j}^* - \sigma _{j,0}\), where
$$\begin{aligned} \sigma _j^* = \max _{i \in \llbracket 1, q-1 \rrbracket } \sigma _{j,i}, \end{aligned}$$(5)to the new value \(z_j - \alpha _{i^*}\), where \(i^* = {\text {argmax}}_{i \in \llbracket 1, q-1 \rrbracket }\sigma _{j,i}\);
-
3.
repeat from step 1 until either \(s = 0\) or maximum number of iterations is reached.
Remark 1
One can easily note that the syndrome weight after step 2 is decreased by \(\sigma _{j}^{*} - \sigma _{j,0}\). Therefore, the error position and error value in step 2 are chosen to decrease the syndrome weight the most. In this formulation the decoding approach described above was proposed in [9] as a generalization of Gallager’s bit–flipping. In the binary case, the Gallagher’s decoder is also a greedy algorithm that reduces the syndrome weight the most in each step .
2.1 One–Step Majority Logic Decoding
In this subsection, we study guaranteed decoding performance of regular MDPC codes under the OSML decoder (Algorithm 1) which can be considered as single iteration version of parallel symbol flipping.
Remark 2
Note that in the decoder description, instead of recovering the corrected codeword \(c \in C\) from the noisy codeword \(z = c + e\) by iteratively subtracting the estimated error from z, we employ an equivalent formulation where we iteratively find the estimated error \(\tilde{e}\) itself.
Let \(X \in \mathbb {F}_q^{m \times n}\) be an \((m \times n)\)–matrix, and let \(I \subset \llbracket 1, m \rrbracket \) and \(J \subset \llbracket 1, n \rrbracket \) be sets of row and column indices, respectively. We denote the matrix composed of the elements of X with indices \((i,j) \in I \times J\) as \(X_{I, J} = (x_{i,j})_{i \in I, j \in J}\). For convenience, we use the notations \(X_{:, J}\) and \(X_{I, :}\) to represent \(X_{\llbracket 1, m \rrbracket , J}\) and \(X_{I, \llbracket 1, n \rrbracket }\), respectively.
Proposition 1
Let \(H = (h_{i,j}) \in \mathbb {F}_q^{m \times n}\) be a parity–check matrix of a MDPC code, and let \(e \in \mathbb {F}_q^n\) be an error of weight t. Define \(H^{(j)}\) as the matrix consisting of rows from the set
Let
If \(e_j = \alpha _i\), then \(\sigma _{j,i}\) can be lower bounded as follows
Proof
Using (3), we obtain that \(\sigma _{j,i}\) denotes the frequency of occurrence of \(\alpha _i\) in the vector
Hence if \(e_j = \alpha _i\) then \(\sigma _{j, i} = \gamma - {\text {wt}}(v')\). Since \(v'\) is a linear combination of \({\text {wt}}(e')\) columns of \(H^{(j)}\), its weight can be upper bounded by
This concludes the proof of the proposition.
Remark 3
Note that the weight \({\text {wt}}(H^{(j)}_{:, l})\) of l–th column \(H_{:, l}^{(j)}\) of \(H^{(j)}\) equals
Corollary 1
Let \({\text {wt}}(e) \le t\). If \(\mu (t) < th_j \le \gamma - \mu (t-1)\), then the OSML decoder correctly estimates the j–th position of e.
Proof
If \(e_j = 0\), then \(\sigma _{j,0} \ge \gamma - \mu (t)\) and hence \(\sigma _j^* \le \gamma - \sigma _{j,0} \le \mu (t)\). It follows that setting \(th_j > \mu (t)\) in Algorithm 1 will ensure that no non–erroneous position will be corrupted.
If \(e_j = \alpha _i \ne 0\), then \(\sigma _{j,i} \ge \gamma - \mu (t-1)\). Since \(\mu (t) < \gamma - \mu (t-1)\) and \(\mu (t) \ge \mu (t-1)\), it follows that \(\mu (t-1) < \gamma /2\) and thereby \(\sigma _{j,i} \ge \gamma - \mu (t-1) > \gamma /2\). This implies that a clear majority of equalities in (3) vote for \(\alpha _i\) and hence \(\sigma _j^* =\sigma _{j,i}\) (see (5)). Therefore, setting \(th_j < \gamma - \mu (t-1)\) will ensure that error value in a erroneous position will be estimated correctly.
Corollary 2
The guaranteed error–correction capability of OSML decoder is t if for all \(j \in \llbracket 1, n \rrbracket \) it is possible to choose \(th_j\) according to Corollary 1.
Note that OSML is a very simple yet effective decoder that is capable of correcting low–weight error patterns. However, it is particularly useful as a second decoding iteration because it does not rely on probabilistic assumptions. It can effectively decode errors of a certain weight that remain after previous iterations, even if they have a harder–to–decode structure that would make plausibility analysis based on probabilistic assumptions irrelevant.
3 Plausibility Analysis of 1–iteration Parallel Symbol Flipping Decoder
In this section, we provide an analysis of the single-iteration parallel symbol flipping algorithm. Namely, following the approach of [45], we estimate the probability of correcting an error using this decoder under several probabilistic assumptions. Furthermore, under the same assumptions, we estimate the probability of decreasing the error weight to a value that allows correction by the OSML decoder. This provides an upper bound on the decoding failure rate for the combination of a single iteration of parallel symbol flipping followed by the OSML decoder.
3.1 Distribution of Counters
Below we give necessary results on probabilistic distributions of syndrome values and counters \(\sigma _{j,i}\), \(j \in \llbracket 1, n \rrbracket \), \(i \in \llbracket 0, q-1 \rrbracket \), required for further analysis of decoding iteration of proposed parallel symbol–flipping decoder. Our analysis will rely on several assumptions that are analogous to those used in [5, 45].
Assumption 1
Let H be a parity–check of a random QC–MDPC code C in block–circulant form. It is assumed that each row of H is well modeled as a sample from uniform distribution over \(\mathbb {F}_q^n\).
Proposition 2
Let \(x \in \mathbb {F}_q^n\), \(y \in \mathbb {F}_q^n\) be uniformly sampled. Let
Then \(A_m\) can be found recursively using
Proof
Without loss of generality, we assume that \({\text {supp}}(x) \cap {\text {supp}}(y) = \{ 1, \dots , m \}\). It follows that
Theorem 1
Let \(H = (h_{i,j})\) be a parity–check matrix of \((\gamma , \delta )\)–regular QC-MDPC code C of length n. Let \(e \in \mathbb {F}_q^n\) be a random error of weight t, and \(s = eH^\textsf{T}\) be its syndrome. Then for any row \(h_i\) of H, such that \(j \in {\text {supp}}(h_i)\)
Proof
Since \(j \in {\text {supp}}(h_i)\), Eq. (3) implies that \( s_i h_{i,j}^{-1} = e_j + h_{i,j}^{-1} \langle e', h' \rangle , \) where
One can easily note that
Since \(s_i h_{i,j}^{-1} = e_j\) if and only if \(\langle h', e' \rangle = 0\), it follows that
So, using Assumption 1, we obtain
Substituting (10) into this formula, we obtain (6) and (7). In addition, when \(\langle e', h' \rangle \ne 0\), the product \(\langle e', h' \rangle \) can assume any non–zero element of \(\mathbb {F}_q\) with equal probabilities. Consequently, we obtain (8) and (9).
In the parallel symbol flipping decoder (see Algorithm 2), we propose the following flipping criterion based on counter values, using three decoding thresholds: \(th_0\), \(th_E\), and \(th_D\). Namely, the position j of the received noisy codeword \(z = c + e\) will be updated to \(z_j - \alpha _{i}\) if the following conditions are satisfied:
-
1.
\(\sigma _{j,i} > \sigma _{j, \omega }\) for all \(\omega \in \llbracket 0, q-1 \rrbracket \setminus \{ i \}\), and thus \(\sigma _{j}^* = \sigma _{j,i}\),
-
2.
\(\sigma _{j}^* \ge th_E\),
-
3.
\(\sigma _{j,0} < th_0\),
-
4.
\(\sigma _{j}^* - \sigma _{j,0} \ge th_D\).
Note that conditions 1–4 can be replaced by the single condition
where \(\varDelta _{th_0, th_E, th_D}(i)\) is defined as follows
In the following theorem, we will estimate the probability that the flipping criterion accurately determines the positions and values of errors.
Assumption 2
We assume that the probability \(\Pr [\sigma _{j} \in \varDelta (i)]\) to flip position j to value \(z_j-\alpha _i\) is a function only of error weight, i.e. it does not depend on error structure and the location j.
Theorem 2
Let H be a parity–check matrix of \((\gamma , \delta )\)–regular QC-MDPC code C of length n and dimension k. Let \(e \in \mathbb {F}_q^n\) be a random error of weight t. Define
Then the probability that non–zero error value will be estimated correctly is
and the probability of incorrect estimate in non–erroneous position is
where
Proof
From Assumption 2 it follows that the probability
can be modelled using multinomial distribution with parameters
Hence
which implies (11). By similar reasoning, we can also obtain (12).
3.2 Analysis of Parallel Symbol-Flipping Decoder
In this subsection, we employ results of previous subsection to give an plausibility analysis of the one–step parallel symbol flipping decoder (Algorithm 2) and its combination with OSML decoder (Algorithm 3).
Note that, after each iteration some error positions can be estimated correctly and some non–erroneous positions can be estimated to be erroneous incorrectly. In the following proposition, we provide an analysis of the probability that 1-iteration version of this decoder transforms a random error e of weight t into some new error \(e'\) of weight \(t'\).
Proposition 3
Let e be a random error of weight t, then after execution Algorithm 2
-
1.
the probability to correctly estimate u error positions from e is
$$ P_{correct}(t, u) = \left( {\begin{array}{c}t\\ u\end{array}}\right) \left( p_{e \rightarrow c}(t) \right) ^u \left( 1 - p_{e \rightarrow c}(t)\right) ^{t-u}, $$ -
2.
the probability to corrupt v non–erroneous positions is
$$ P_{corrupt}(t, v) = \left( {\begin{array}{c}n-t\\ v\end{array}}\right) \left( p_{c \rightarrow e}(t) \right) ^v \left( 1 - p_{c \rightarrow e} \right) ^{n-t-v}, $$ -
3.
the probability to transform e into an error \(e'\) of weight \(t'\) is
$$ {\text {Pr}}(t \rightarrow t') = \sum _{t-u+v = t'} P_{correct}(t, u) P_{corrupt}(t,v). $$
Proof
Assumption 2 implies that the flip decisions are statistically independent and depend solely on the error weight. It follows that \(P_{correct}(t, u)\) and \(P_{corrupt}(t, v)\) can be modeled as samples from binomial distributions with parameters \(p_{e \rightarrow c}(t)\) and \(p_{c \rightarrow e}(t)\) described in Theorem 2, respectively. The last claim trivially follows from the first two.
Corollary 3
The decoding failure rate of 1-iteration parallel symbol-flipping decoder can be estimated as follows
Note that the new error \(e'\) is not random anymore and, therefore, the same analysis for further iteration is not possible. However, it is possible to decode \(e'\) using OSML decoder, which rely on no probabilistic assumptions.
Thus, we obtain the following corollary:
Corollary 4
Let e be a random error of weight t, let \(\tau \) be the number of errors which can be corrected with certainty using OSML decoder. Then DFR of this combination is upper bounded by
In Figs. 2, 3, 4, we present the results of numerical simulations and compare them with the obtained theoretical estimates. Each experiment involved generating a random key and decoding a random error. For each error weight, the experiments were conducted until 100 decoding failures were detected or until \(10^8\) experiments were performed, whichever occurred first.
We observe that the theoretical estimates of \(DFR_1\) and \(DFR_2\) closely match the simulation results, substantiating the accuracy of the obtained theoretical model.
4 Choice of Cryptosystem Parameters
The choice of parameters of QC–MDPC cryptosystems is determined by the complexity of potential attacks on such cryptosystems. Specifically, the parameters of the cryptosystem should be chosen in such a way that the best key-recovery attacks and message-recovery attacks require a sufficiently large number of operations.
The most effective message–recovery attacks are a family of information set decoding (ISD) algorithms, designed for decoding random codes. This family includes the Prange algorithm, the Lee-Brickell algorithm, Stern algorithm, BJMM, ball–collision, etc. An overview of ISD–algorithms can be found in [49]. The average complexity of these algorithms can be directly estimated using a formula that depends on parameters such as the field size q, code length n, code dimension k, and the weight of the error w that needs to be found. For non–binary code direct complexity estimates for the Lee-Brickell and Stern algorithms can be found in [49], for BJMM in [25], and for ball-collision in [27].
It should be noted that for quasi-cyclic codes of order \(n'\), it has been shown [41] that the complexity of ISD attacks can be reduced by a factor of \(\sqrt{n'}\) compared to codes without any structure. One of the features of QC-MDPC cryptosystems is that for key-recovery attacks, which involve finding low-weight dual codewords, the best attacks are also based on ISD. This is because the same algorithms can easily be adapted to search for codewords of a given weight instead of finding an error of a given weight. For quasi-cyclic codes, in this case, it is also possible to reduce the complexity by a factor of \(n'\) compared to random codes.
Furthermore, we must consider the decoding failure rate since in [26], Q. Guo et al. proposed a reaction attack that allows the recovery of secret keys in cryptosystems based on binary QC-MDPC codes by exploiting decoding failures. The original description assumes that \(l = 2\), i.e., \(n = 2n'\), but it can be easily generalized to other cases. This attack is based on the observation that certain error patterns are more easily decodable than other ones. Namely, let \(\mathcal {E}_r\) be the set of error patterns of the following form:
Let \(\mathbf {h_1} \in \mathbb {F}_q^{n'}\) denote the first row of \(H_1\) (see (2)). Let \(\psi (r)\) denote the number of pairs of non-zero positions of \(\textbf{h}_1\) placed at distance d. The distance between i and j is computed as \(\min \left\{ (i-j) \, {\text {mod}} \, n', (j-i) \, {\text {mod}} \, n'\right\} \). The set of values \(\psi (i)\), \(i \in \llbracket 1, \lfloor n'/2 \rfloor \rrbracket \), is called the distance spectrum of \(\mathbf {h_1} \in \mathcal {R}_n\). In [26], it was shown that there is a correlation between the decoding failure rate on errors from \(\mathcal {E}_r\) and the value of \(\psi (r)\). Specifically, the larger \(\psi (r)\) is, the lower the DFR for errors from \(\mathcal {E}_r\).
Therefore, computing the DFR on errors from \(\mathcal {E}_r\) for different r allows for the recovery of the distance spectrum of \(\mathbf {h_1}\) and subsequently \(\mathbf {h_1}\) itself. Consequently, it becomes possible to reconstruct the secret key of binary QC-MDPC cryptosystems by exploiting the decoding failures. Below, we demonstrate how this attack can be applied to the non-binary case as well.
In our experiments, we observed a correlation between the DFR for errors from \(\tilde{\mathcal {E}r}\) and the values of \(\psi (r)\), where the set \(\tilde{\mathcal {E}_r}\) is defined as follows:
For instance, we conducted simulations to decode errors of weight \(t=84\) from \(\tilde{\mathcal {E}_r}\) using Algorithm 4 for random QC-MDPC codes over \(\mathbb {F}_4\) with parameters \(n' = 2339\), \(l=2\), and \(\gamma = 37\), which ensure a minimal cost of ISD-based key-recovery and message-recovery attacks of \(2^{80}\) bit operations [9]. The results obtained from these simulations are presented in Table 1. As shown in the table, a strong dependency between the distance spectrum and the DFR for errors of this specific form can still be observed.
Thus, it is possible to reconstruct the support of the secret vector \(\mathbf {h_1}\) (up to a cyclic shift) using the following steps:
-
1.
for each \(r \in \llbracket 1, \lfloor n'/2 \rfloor \rrbracket \) numerically estimate DFR for random errors from \(\tilde{\mathcal {E}_r}\), and then use the obtained results to recover the distance spectrum \(\psi \) of \(\mathbf {h_1}\);
-
2.
recover \({\text {supp}}(h_1)\) using the procedure described in [26] for finding positions of ones in \(\mathbf {h_1}\) for the binary case
Once \({\text {supp}}(\mathbf {h_1})\) is recovered, it is possible to recover the whole secret key \((\mathbf {h_1}, \mathbf {h_2})\) in the non-binary case as follows. Let I be an information set such that
then the matrix \(\tilde{H}_{:, I}^{-1} \tilde{H} = H_{:, I}^{-1} H\) contains the row \((\mathbf {h_1}, \mathbf {h_2})\) or its quasi–circular shift. When \({\text {supp}}(\mathbf {h_1})\) is known, I can be constructed of one element from \({\text {supp}}(\mathbf {h_1})\), \(n'-\gamma \) elements from \(\llbracket 1, n' \rrbracket \setminus {\text {supp}}(\mathbf {h_1})\), and randomly guessed \(\gamma -1\) elements from \(\llbracket n'+1, 2n' \rrbracket \). Therefore, the probability of finding a suitable I can be estimated as follows:
So, the method described above in our experiments allowed reconstruction of secret key with significantly lower complexity than claimed security level of \(2^{80}\) bit operations.
It follows that, when choosing the parameters of QC–MDPC cryptosystem that can be converted into IND–CCA2 secure KEM in non–binary case the design criteria are the complexity of ISD–based key–recovery, and message–recovery attacks and small enough decoding failure rate making reaction attacks infeasible. Table 2 provides potential parameters of QC-MDPC cryptosystems over \(\mathbb {F}_4\), with \(l = 2\) and \(n' = p\) being a prime such that the polynomial \(x^p-1\) has a low number of irreducible factors. These parameters are given for three different security levels: \(\lambda \in \{128, 192, 256\}\), which correspond to the complexity of breaking AES with the corresponding key sizes. All the proposed instances are designed to have \(DFR_2 \le 2^{-\lambda }\) (see Corollary 4). Note that the resulting public key sizes (\(pk_{size}\)) are slightly larger than in the binary case (28, 277, 52, 667, 83, 579 respectively [5]). Moreover, increasing the field size to \(q = 8\) with security level \(\lambda =128\) yields an estimated public key size of 36, 321 bits (\(p=12,107\), \(\gamma =69\), \(t=130\)). Thus, for a fixed security level, public key size grows with increasing field size. Indeed, to maintain the same or smaller \(pk_\text {size}\) when increasing q, one must consider shorter MDPC codes. However, due to the complexity of ISD-based key–recovery and message–recovery attacks, \(\gamma \) and t are nearly the same across various ranges of q, implying higher-density codes. Therefore, the increased field size does not appear to compensate for the negative impact of increased code density.
5 Conclusion
In this paper, we have studied the guaranteed error-correction capability of the one-step majority logic (OSML) decoder and provided a plausibility analysis of the 1-iteration parallel symbol flipping decoder for non-binary QC-MDPC codes. Through this analysis, we were able to estimate the decoding failure rate (DFR) of the combined use of these decoders, where parallel symbol flipping is employed to reduce the error weight to a level at which the OSML decoder can successfully correct any remaining errors. Consequently, we have obtained worst-case estimates of the DFR, considering some minimalistic and reasonable assumptions. The accuracy and validity of our theoretical model have been verified through numerical simulations.
Furthermore, we have demonstrated the importance of considering key-recovery reaction attacks when designing non-binary QC-MDPC cryptosystems. This implies that such cryptosystems need to be constructed with an extremely low DFR in order to achieve IND-CCA2 security with long-term keys. Finally, we have provided possible parameters for different NIST security levels of non-binary QC-MDPC cryptosystems, along with their theoretically estimated DFR.
It should be noted that the resulting key sizes are slightly larger than those in the binary case. Therefore, it appears that using non-binary QC-MDPC codes does not offer any benefits in terms of reducing the public-key sizes of IND-CCA2-secure cryptosystems considering the reaction attack. However, there is a possibility that replacing the quasi-cyclic structure with a more general (non-abelian) quasi-group structure, specifically replacing circulant matrices with matrices of multiplication operators in group algebras, could potentially hinder the reaction attack.
Additionally, by abandoning the requirement of key re-usage, it becomes possible to consider more sophisticated decoders for cryptosystems resistant against chosen plaintext attacks (CPA–secure). The study of such decoders can only be carried out through experimental methods and may provide benefits in terms of reducing key sizes, as previously explored in [9].
It is worth mentioning that the obtained in this paper theoretical models could potentially be useful for providing conservative estimates of the DFR of non-binary codes in telecommunications applications.
References
Alagic, G., et al.: Status report on the third round of the NIST post-quantum cryptography standardization process. US Department of Commerce, NIST (2022). https://doi.org/10.6028/NIST.IR.8413
Apon, D., Perlner, R., Robinson, A., Santini, P.: Cryptanalysis of LEDAcrypt. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part III. LNCS, vol. 12172, pp. 389–418. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_14
Aragon, N., et al.: Bike: bit flipping key encapsulation. bikesuite.org
Arpin, S., Billingsley, T.R., Hast, D.R., Lau, J.B., Perlner, R., Robinson, A.: A study of error floor behavior in QC-MDPC codes. In: Cheon, J.H., Johansson, T. (eds.) Post-Quantum Cryptography. Lecture Notes in Computer Science, vol. 13512, pp. 89–103. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17234-2_5
Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: Analysis of in-place randomized bit-flipping decoders for the design of LDPC and MDPC code-based cryptosystems. In: Obaidat, M.S., Ben-Othman, J. (eds.) ICETE 2020. CCIS, vol. 1484, pp. 151–174. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90428-9_7
Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: Performance bounds for QC-MDPC codes decoders. In: Wachter-Zeh, A., Bartz, H., Liva, G. (eds.) Code-Based Cryptography. Lecture Notes in Computer Science, vol. 13150, pp. 95–122. Springer International Publishing, Cham (2022). https://doi.org/10.1007/978-3-030-98365-9_6
Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. Cryptol. 29(1), 1–27 (2014). https://doi.org/10.1007/s00145-014-9187-8
Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 246–262. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85855-3_17
Baldi, M., Cancellieri, G., Chiaraluce, F., Persichetti, E., Santini, P.: Using non-binary LDPC and MDPC codes in the McEliece cryptosystem. In: 2019 AEIT International Annual Conference (AEIT), pp. 1–6. IEEE (2019)
Baldi, M., Chiaraluce, F.: Cryptanalysis of a new instance of McEliece cryptosystem based on QC-LDPC codes. In: 2007 IEEE International Symposium on Information Theory, pp. 2591–2595. IEEE (2007)
Baldi, M., Chiaraluce, F., Garello, R., Mininni, F.: Quasi-cyclic low-density parity-check codes in the McEliece cryptosystem. In: 2007 IEEE International Conference on Communications, pp. 951–956. IEEE (2007)
Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_6
Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24, 384–386 (1978). https://doi.org/10.1109/TIT.1978.1055873
Bernstein, D.J., Lange, T.: Post-quantum cryptography. Nature 549, 188–194 (2017). https://doi.org/10.1038/nature23461
Borodin, M.A., Chizhov, I.V.: Effective attack on the McEliece cryptosystem based on reed-muller codes. Discret. Math. Appl. 24(5), 273–280 (2014)
Couvreur, A., Lequesne, M., Tillich, J.-P.: Recovering short secret keys of RLCE in polynomial time. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 133–152. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_8
Couvreur, A., Márquez-Corbella, I., Pellikaan, R.: Cryptanalysis of public-key cryptosystems that use subcodes of algebraic geometry codes. In: Pinto, R., Malonek, P.R., Vettori, P. (eds.) Coding Theory and Applications. CSMS, vol. 3, pp. 133–140. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-17296-5_13
Couvreur, A., Otmani, A., Tillich, J.-P., Gauthier–Umaña, V.: A polynomial-time attack on the BBCRS scheme. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 175–193. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_8
Deundyak, V.M., Kosolapov, Y.V., Maystrenko, I.A.: On the decipherment of Sidel’nikov-type cryptosystems. In: Baldi, M., Persichetti, E., Santini, P. (eds.) CBCrypto 2020. LNCS, vol. 12087, pp. 20–40. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-54074-6_2
Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 279–298. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_14
Fossorier, M.P., Lin, S.: Soft-decision decoding of linear block codes based on ordered statistics. IEEE Trans. Inf. Theory 41(5), 1379–1396 (1995)
Gabidulin, E.M., Paramonov, A.V., Tretjakov, O.V.: Ideals over a non-commutative ring and their application in cryptology. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 482–489. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_41
Gaborit, P.: Shorter keys for code based cryptography. In: Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), pp. 81–91 (2005)
Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962)
Gueye, C.T., Klamti, J.B., Hirose, S.: Generalization of BJMM-ISD using may-Ozerov nearest neighbor algorithm over an arbitrary finite field \(\mathbb{F}_q\). In: El Hajji, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2017. LNCS, vol. 10194, pp. 96–109. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-55589-8_7
Guo, Q., Johansson, T., Wagner, P.S.: A key recovery reaction attack on QC-MDPC. IEEE Trans. Inf. Theory 65, 1845–1861 (2019). https://doi.org/10.1109/TIT.2018.2877458
Interlando, C., Khathuria, K., Rohrer, N., Rosenthal, J., Weger, V.: Generalization of the ball-collision algorithm. arXiv preprint: arXiv:1812.10955 (2018)
Ivanov, F., Krouk, E., Zyablov, V.: New code-based cryptosystem based on binary image of generalized reed-Solomon code. In: 2021 XVII International Symposium “Problems of Redundancy in Information and Control Systems”(REDUNDANCY), pp. 66–69. IEEE (2021)
Janwa, H., Moreno, O.: McEliece public key cryptosystems using algebraic-geometric codes. Des. Codes Crypt. 8(3), 293–307 (1996)
Kosolapov, Y., Lelyuk, A.: Cryptanalysis of the BBCRS system on reed-muller binary codes. Bull. South Ural State Univ. Ser. Math. Modell. Program. Comput. Softw. 14, 18–32 (2021). https://doi.org/10.14529/mmp210302
McEliece, R.J.: Public-key cryptosystem based on algebraic coding theory. PL Deep Space Netw. Prog. Report 42, 114–116 (1978)
Minder, L., Shokrollahi, A.: Cryptanalysis of the Sidelnikov cryptosystem. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 347–360. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_20
Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes, pp. 2069–2073. IEEE (2013). https://doi.org/10.1109/ISIT.2013.6620590
Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem, pp. 215. IEEE (2000). https://doi.org/10.1109/ISIT.2000.866513
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory 15, 159–166 (1986)
Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. Math. Comput. Sci. 3, 129–140 (2010). https://doi.org/10.1007/s11786-009-0015-8
Overbeck, R.: Statistical decoding revisited. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 283–294. Springer, Heidelberg (2006). https://doi.org/10.1007/11780656_24
Overbeck, R.: Structural attacks for public key cryptosystems based on Gabidulin codes. J. Cryptol. 21(2), 280–301 (2008)
Santini, P., Battaglioni, M., Baldi, M., Chiaraluce, F.: Analysis of the error correction capability of LDPC and MDPC codes under parallel bit-flipping decoding and application to cryptography. IEEE Trans. Commun. 68, 4648–4660 (2020). https://doi.org/10.1109/TCOMM.2020.2987898
Sendrier, N.: On the structure of randomly permuted concatenated code. Ph.D. thesis, INRIA (1995)
Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_4
Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings 35th Annual Symposium on Foundations of Computer Science, pp. 124–134. IEEE (1994)
Sidelnikov, V.M.: A public-key cryptosystem based on binary reed-muller codes. Discret. Math. Appl. 4(3), 191–208 (1994)
Sidelnikov, V.M., Shestakov, S.O.: On insecurity of cryptosystems based on generalized reed-solomon codes. Discrete Math. Appl. 2 (1992)
Tillich, J.P.: The decoding failure probability of MDPC codes, pp. 941–945. IEEE (2018). https://doi.org/10.1109/ISIT.2018.8437843
Vasseur, V.: Post-quantum cryptography: a study of the decoding of QC-MDPC codes. Ph.D. thesis, Université de Paris (2021)
Vedenev, K., Kosolapov, Y.: Cryptanalysis of Ivanov-Krouk-Zyablov cryptosystem. In: Deneuville, J.C. (ed.) Code-Based Cryptography. Lecture Notes in Computer Science, vol. 13839, pp. 137–153. Springer Nature Switzerland, Cham (2023). https://doi.org/10.1007/978-3-031-29689-5_8
Wang, Y.: Quantum resistant random linear code based public key encryption scheme RLCE. In: 2016 IEEE International Symposium on Information Theory (ISIT), pp. 2519–2523. IEEE (2016)
Weger, V.: Information set decoding in the lee metric and the local to global principle for densities. Ph.D. thesis, PhD thesis, University of Zurich (2020)
Wieschebrink, C.: Cryptanalysis of the Niederreiter public key scheme based on GRS subcodes. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 61–72. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_5
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Vedenev, K., Kosolapov, Y. (2023). Theoretical Analysis of Decoding Failure Rate of Non–binary QC–MDPC Codes. In: Esser, A., Santini, P. (eds) Code-Based Cryptography. CBCrypto 2023. Lecture Notes in Computer Science, vol 14311. Springer, Cham. https://doi.org/10.1007/978-3-031-46495-9_3
Download citation
DOI: https://doi.org/10.1007/978-3-031-46495-9_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-46494-2
Online ISBN: 978-3-031-46495-9
eBook Packages: Computer ScienceComputer Science (R0)