Abstract
The security of McEliece cryptosystem heavily relies on the hardness of decoding a random linear code. The best known generic decoding algorithms are derived from the Information-Set Decoding (ISD) algorithm. The ISD algorithm was proposed in 1962 by Prange and improved in 1989 by Stern and later in 1991 by Dumer. Since then, there have been numerous works improving and generalizing the ISD algorithm: Peters in 2009, May, Meurer and Thomae in 2011, Becker, Joux, May and Meurer in 2012, May and Ozerov in 2015, and Hirose in 2016. Among all these improvement and generalization only those ofPeters and Hirose are over \(\mathbb {F}_q\) with q an arbitrary prime power. In Hirose’s paper, he describes the May-Ozerov nearest-neighbor algorithm generalized to work for vectors over the finite field \(\mathbb {F}_q\) with arbitrary prime power q. He also applies the generalized algorithm to the decoding problem of random linear codes over \(\mathbb {F}_q\). And he observed by a numerical analysis of asymptotic time complexity that the May-Ozerov nearest-neighbor algorithm may not contribute to the performance improvement of Stern’s ISD algorithm over \(\mathbb {F}_q\) with \(q \ge 3\). In this paper, we will extend the Becker, Joux, May, and Meurer’s ISD using the May-Ozerov algorithm for Nearest-Neighbor problem over \(\mathbb {F}_q\) with q an arbitrary prime power. We analyze the impact of May-Ozerov algorithm for Nearest-Neighbor Problem over \(\mathbb {F}_q\) on the Becker, Joux, May and Meurer’s ISD.
Access provided by CONRICYT-eBooks. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Code-based cryptography introduced by McEliece [29] is one of the most promising solution for designing secure cryptosystems against quantum attacks. The McEliece public-key encryption scheme, based on binary Goppa codes, has so far successfully resisted all cryptanalysis efforts. But it is not used in real life because of the key length problem. In order to decrease the public-key size, some variants were proposed by concentrating on subclasses of alternant/Goppa codes which admit very compact public matrices, typically quasi-cyclic (QC), quasi-dyadic (QD), or quasi-monoidic (QM) matrices [2, 14, 18, 27, 28, 30, 36]. The security of the McEliece cryptosystem relies on the fact that the public key does not have any known structure. The attacker is faced with the problem of decoding a random code. A way to do this decoding is to use the Information-Set Decoding (ISD) algorithm. The ISD algorithm was introduced by Prange in 1962 [38]. Its principle is to find an information set where there are no errors positions. Its target is to answer to the Computational Syndrome Decoding (CSD) Problem.
In this paper, we will extend the best version of the ISD attack algorithm to arbitrary code over \(\mathbb {F}_q\) and analyze the security of such codes to this new improved version. It is important to note that Peters used the ISD attack to prove the security of arbitrary codes over \(\mathbb {F}_q\) [37], later Ayoub et al. introduced a polynomial attack against Wild McEliece over quadratic extensions and their attack is a structural attack [9]. Recently, Hirose applied the May-Ozerov algorithm for Nearest-Neighbor problem over \(\mathbb {F}_q\) to generalize Stern’s ISD version and he observed that the May-Ozerov algorithm for Nearest-Neighbor problem may not contribute to improve Stern’s ISD [19]. The contribution of our paper is the generalization of Becker, Joux, May, and Meurer’s ISD using the May-Ozerov algorithm for Nearest-Neighbor problem [32] over \(\mathbb {F}_q\) with q an arbitrary prime power. We analyze the contribution of the May-Ozerov algorithm for Nearest-Neighbor problem over an arbitrary finite field \(\mathbb {F}_q\) to the performance of Becker, Joux, May, and Meurer’s ISD. And we analyze the security over an arbitrary finite field \(\mathbb {F}_q\).
q -ary Computational Syndrome Decoding (CSD) Problem
Input: \(\mathbf {H}\in \mathbb {F}_{q}^{\left( n-k\right) \times n}\), \({\varvec{s}} \in \mathbb {F}_{q}^{n-k}\) and an integer \(\omega >0\).
Output: Find \({\varvec{e}} \in \mathbb {F}_{q}^{n}\) of weight \(\le \omega \) such that \( \mathbf {H}{\varvec{e}}^{T}={\varvec{s}}\)
Information-Set Decoding (ISD) Algorithm. The best known attacks against the classical McEliece code-based cryptosystem are generic decoding attacks that treat McEliece’s hidden binary Goppa codes as random linear codes. Introduced by Prange in 1962 (see [38]), the ISD algorithm is a generic decoding attack algorithm. Its target is to solve the CSD problem taking only as inputs a basis of the code and a noisy codeword. Improvements of this form of ISD were developed by Lee and Brickell [25], Stern [40], May, Meurer and Thomae [31], Becker, Joux, May and Meurer (BJMM-ISD) [4], later by May and Ozerov [32] used the nearest neighbor algorithm to improve the BJMM-ISD.
Organisation of Paper. The paper is organized as follows: in Sect. 2, we give some definitions and notations on coding theory, in Sect. 3 we give a summary of previous and recent results on ISD algorithm over an arbitrary finite fields \(\mathbb {F}_q\). In Sect. 4, we give the version of BJMM-ISD using the May-Ozerov Nearest Neighbor algorithm. And in Sect. 5, we give the asymptotic complexity of our algorithm.
2 Coding Theory Background
2.1 Definitions and Notations
Let \(\mathbb {F}_q\) be a finite field (\(q = p^m\), p is prime). A q-ary linear code \(\mathcal {C}\) of length n and dimension k over \(\mathbb {F}_q\) is a vectorial subspace of dimension k of the full vectorial space \(\mathbb {F}_q^n\). It can be specified by a full rank matrix \(\mathbf {G}\in \mathbb {F}_q^{k\times n}\) called generator matrix of \(\mathcal {C}\) whose rows span the code. Namely, \(C =\left\{ {\varvec{x}}\mathbf {G} \ \ such\ \ that \ \ {\varvec{x}}\in \mathbb {F}_q^{k}\right\} .\)
A linear code can be also defined by the right kernel of matrix \(\mathbf {H}\) called parity-check matrix of \(\mathcal {C}\) as follows:
The Hamming distance between two codewords is the number of positions (coordinates) where they differ. The minimal distance of a code is the minimal distance of all codewords. The weight of a word \({\varvec{x}}\in \mathbb {F}_q^n\) denote by \(wt\left( {\varvec{x}}\right) \) is the number of its nonzero positions. Then the minimal weight of a code \(\mathcal {C}\) is the minimal weight of all codewords. If a code \(\mathcal {C}\) is linear, the minimal distance is equal to the minimal weight of the code.
Let \(\mathcal {C}\) be a q-ary linear code of length n, dimension k and generator matrix \(\mathbf {G}=\left( {\varvec{g}}_0, {\varvec{g}}_1,...,{\varvec{g}}_{n-1} \right) \) with \({\varvec{g}}_i\in \mathbb {F}_q^n\) for all \(i\in \left\{ 0, 1,\ldots , n-1 \right\} \). Let \(I\subset \left\{ 0, 1,\ldots , n-1 \right\} \) with \(|I|=k\). We call I an information set if and only if the matrix \(\mathbf {G}_I=\left( {\varvec{g}}\right) _{i\in I} \) is inversible.
A vector \({\varvec{u}}\in \mathbb {F}_q^{\ell }\) is called a balanced vector if the number of its coordinates equal to x is \(\ell /q\) for all \(x \in \mathbb {F}_q\).
For \({\varvec{x}} = \left( x_1 ,...,x_n \right) \in \mathbb {F}_q^{n}\) and a non zero integer \(j < n\), let \(x_{[j]}= \left( x_1 ,...,x_j\right) \) and \({\varvec{x}}^{[j]} = \left( x_{n-j+1} ,...,x_n \right) \).
We denote the q-ary entropy function by:
For all integer n, let \([n]=\left\{ 1,\ldots , n \right\} \). If I is a subset of [n], for all vector \({\varvec{x}}=\left( x_1,..., x_n\right) \), let \({\varvec{x}}_I=\left( x_i\right) _{i\in I}\).
2.2 McEliece’s Cryptosystem
McEliece’s cryptosystem is a public-key encryption scheme introduced in 1978 by McEliece. The original version used the Goppa binary code remained unbroken. It can also be used with any class of codes which has an efficient decoding algorithm.
Secret keys: A matrix \(\mathbf {G}\in \mathbb {F}_{2}^{k\times n}\), \(\mathbf {S}\in \mathbb {F}_{2}^{k\times k}\) (an invertible matrix), \(\mathbf {P} \in \mathbb {F}_{2}^{n\times n}\) (a random permutation matrix).
Public keys: The matrix \(\tilde{\mathbf {G}}=\mathbf {S}\mathbf {G}\mathbf {P}\) and the corrector capacity t.
Encryption: Let \({\varvec{m}}\) be a plaintext then the ciphertext \({\varvec{c}}\) is given by:
with \({\varvec{e}}\) a q-ary vector of length n and weight t.
Decryption: Compute
and use the decoding algorithm to find \( \tilde{{\varvec{m}}}={\varvec{m}}\mathbf {S}\) and finally find \({\varvec{m}}\) by computing \({\varvec{m}}= \tilde{{\varvec{m}}}\mathbf {S}^{-1}\).
2.3 Nearest-Neighbor Problem
The nearest-neighbor (NN) problem over the binary field defined in [32] is generalized over other finite fields in [19].
Neartest Neighbor Problem over \(\mathbb {F}_q\) : Let q be a prime power. Let m be a positive integer. Let \(0<\gamma <1/2\) and \(0<\lambda <1\). Then (m, \(\gamma \), \(\lambda \))-NN problem is defined by:
Input: The constant \(\gamma \) and two lists \(U\subset \mathbb {F}_q^m\), \(V\subset \mathbb {F}_q^m\) of size \(\left| U\right| = \left| U\right| =q^{\lambda n}\) with uniform and pairwise independent vectors.
Output: \(\mathcal {C}\subset U\times V\) which has \(\left( {\varvec{u}}, {\varvec{v}}\right) \) such that \(wt({\varvec{u}}-{\varvec{v}})=\gamma m\) with \(wt\left( {\varvec{u}}-{\varvec{v}}\right) \) is the weight of \({\varvec{u}}-{\varvec{v}}\).
3 Preview Work on Information-Set Decoding over \(\mathbb {F}_q\)
We denote in the rest of the paper the concatenation of two vectors \({\varvec{x}}\) and \({\varvec{y}}\) (respectively of two matrices \(\mathbf {A}\) and \(\mathbf {B}\)) by \(\left( {\varvec{x}}|{\varvec{y}}\right) \) (respectively \(\left( \mathbf {A} |\mathbf {B}\right) \)).
In this section we give a survey of the generalization of ISD algorithm over an arbitrary finite field.
Peters: In 2009, Peters was the first to propose a generalization of the ISD algorithm over an arbitrary finite field \(\mathbb {F}_q\). In her paper [37], she proposed the generalization of Stern-ISD which all of the ISD improvements are based on.
Cayrel et al.: In 2010 just few months after Peters’s paper, Cayrel et al. [34] improved the performance of the ISD over an arbitrary finite field by giving a lower bound of ISD algorithm and they generalized the formula of the lower bound introduced by Finiasz et al. in [15].
Meurer: In 2012 just after their ISD algorithm in the binary case in [4, 31], Meurer proposed a new generalization of the ISD algorithm over an arbitrary finite field in his dissertation thesis [33] based on these two papers.
Hirose: In 2016 Hirose gave a generalization of the nearest-neighbor algorithm introduced by May-Ozerov [32] to generalize the Stern-ISD algorithm. And he analyzed the contribution of the May-Ozerov’s nearest-neighbor algorithm over an arbitrary finite field to the performance of Stern-ISD algorithm over an arbitrary finite field.
The following tables give us a summary complexity results on the ISD algorithm generalization previous work. We denote the ISD algorithm generalization given byPeters by q-Stern-ISD, Hirose’s generalization by q-Hirose-ISD. In Meurer’s dissertation thesis, he gave two variants of ISD algorithm generalization then we denote the basic variant by BReps and the extended variant by XBReps.
4 Becker, Joux, May and Meurer ISD Using May-Ozerov Nearest-Neighbor Algorithm over \(\mathbb {F}_q\)
The Becker, Joux, May and Meurer ISD using May-Ozerov Nearest-Neighbor algorithm over an arbitrary finite field \(\mathbb {F}_q\) is presented in Algorithm 1.
In this algorithm we construct Base Lists over \(\mathbb {F}_q\) like in [4]. For all \(j=0,\ 1\) we denote the Base Lists by \(\mathcal {B}_{j,1}^{\mathcal {L}_j}\), \(\mathcal {B}_{j,2}^{\mathcal {L}_j}\), \(\mathcal {B}_{j,1}^{\mathcal {R}_j}\) and \(\mathcal {B}_{j,2}^{\mathcal {R}_j}\). We define \(\mathcal {B}_{j,1}^{\mathcal {L}_j}\) as follows:
Let \(\mathcal {P}_{j,1}^{\mathcal {L}_j}\) and \(\mathcal {P}_{j,2}^{\mathcal {L}_j}\) be be a partition of \([k+\ell ]=\left\{ 1,...,k+\ell \right\} \) such that \(\left| \mathcal {P}_{j,1}^{\mathcal {L}_j}\right| =\left| \mathcal {P}_{j,2}^{\mathcal {L}_j}\right| =\dfrac{k+\ell }{2}\) then
Where p, \(\epsilon _1\) and \(\epsilon _2\) are the parameters of the algorithm such that \(0\le p<k+\ell \), \(0<\epsilon _1 < k+\ell -p\), \(0<\epsilon _2< k+\ell -\dfrac{p}{2}-\epsilon _1\). The construction of \( \mathcal {B}_{j,2}^{\mathcal {L}_j}\), \( \mathcal {B}_{j,1}^{\mathcal {R}_j}\) and \( \mathcal {B}_{j,2}^{\mathcal {R}_j}\) is similar.
We use these Base Lists to compute a vector \({\varvec{e}}\in \mathbb {F}_q^{k+\ell }\times \left\{ {\varvec{0}}^{n-k-\ell }\right\} \) such that \(wt\left( {\varvec{e}}_{[k+\ell ]}\right) =p\) and \({\varvec{e}}={\varvec{e}}_1-{\varvec{e}}_2\) with \({\varvec{e}}_1\), \({\varvec{e}}_2\in \mathbb {F}_q^{k+\ell }\times \left\{ {\varvec{0}}^{n-k-\ell }\right\} \) and \(wt\left( {\varvec{e}}_1\right) =wt({\varvec{e}}_2)=\dfrac{p}{2}+\epsilon _1\).
Proposition 1
[33]. Let \(0\le p\le k+\ell \) be an integer and \({\varvec{e}}\in \mathbb {F}_q^{k+\ell }\times \left\{ {\varvec{0}}^{n-k-\ell }\right\} \) be a vector such that \(wt\left( {\varvec{e}}\right) =p\). For all integer \(\epsilon \) such that \(0\le \epsilon <k+\ell -p\), denote \(\vartheta \left( k, \ell , \epsilon , p, q \right) \) the number of pairs \(\left( {\varvec{e}}_1, {\varvec{e}}_2\right) \) such that \({\varvec{e}}={\varvec{e}}_1-{\varvec{e}}_2\) with \({\varvec{e}}_1\), \({\varvec{e}}_2\in \mathbb {F}_q^{k+\ell }\times \left\{ {\varvec{0}}^{n-k-\ell }\right\} \) and \(wt\left( {\varvec{e}}_1\right) =wt({\varvec{e}}_2)=\dfrac{p}{2}+\epsilon \). It holds
Then \(\vartheta \left( k, \ell , \epsilon , p, q \right) \ge \left( {\begin{array}{c}p\\ \frac{p}{2}\end{array}}\right) \left( {\begin{array}{c}k+\ell -p\\ \epsilon \end{array}}\right) \left( q-1 \right) ^{\epsilon }\).
And asymtopticalLy by using the inequality \(\log _q2<H_q\left( \frac{1}{2}\right) \), we implicity lower bound \(\log _q \vartheta \left( k, \ell , \epsilon , p, q \right) \ge p\log _q2+\left( k+\ell -p\right) H_q\left( \frac{\epsilon }{k+\ell -p}\right) \) [33]. This brief analysis will allow us to give a constraint on some parameters of our algorithm.
The complexity the q-BJMM-MO is given by:
Theorem 1
Let \(\varepsilon >0\) be a real. The q-BJMM-MO algorithm solves the Syndrome Decoding problem of random [n, k]-linear code over \(\mathbb {F}_q\) with overwhelming probability in time
where
with
Proof
Recall that
where \(\mathbb {P}(\pi _{succ})\) is a the probability to have the good permutation (permutation allowing to have a success decoding) and \(\mathcal {C}_{in}\) is the cost of each iteration with:
Using the equality
with H the binary entropie function.
Let us examine the complexity of each iteration. First we construct Base Lists and the cardinality of each Base List is given by, for each \(i=1, 2\) and \(j=1, 2\)
Then by using the equality
the complexity to compute Base Lists is given by
Second we use Base Lists to make a filtering to compute \(\mathcal {L}_{i}\) and \(\mathcal {R}_{i}\) for each \(i=1, 2\) and the cost of this filtering is given by:
Third we compute the lists \(\mathcal {L}\) and \(\mathcal {R}\) with a filtering and the cost of this filtering is given by
Line 20 only gives the upper bound on \(|\mathcal {L}|=|\mathcal {R}|\).
And finally we make a last filtering using the May-Ozerov Nearest Neighbor algorithm and the cost of this filtering is given by:
We have \(|\mathcal {L}|=|\mathcal {R}|=q^{\mu n}\). Thus MO-NN is given an instance of \((m, \gamma , \lambda )\)-NN problem with:
and
According to Lemma 3 in [19] we must have
5 Numerical Analysis of Time Complexity
We give in this section a optimization numerical time complexity of our algorithm in the half distance decoding using the code’s parameters given in [19] and in the full distance decoding using the code’s parameters given in [33]. We give these complexities for \(q \ge 3\) because the case \(q = 2\) is already done in [4, 31,32,33]
6 Conclusion
The May-Ozerov’s Nearest Neighbor algoritm allows us to improve the generalization of BJMM-ISD. We show in the Tables 1 and 3 that our generalization is faster than Hirose’s generalization in the half distance decoding and in addition by comparing the Tables 2 and 4 we show that is faster than Meurer’s generalization.
References
Andoni, A., Indyk, P., Nguyen, H.L., Razenshteyn, I.: Beyond locality-sensitive hashing. In: SODA, pp. 1018–1028 (2014)
Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 77–97. Springer, Heidelberg (2009). doi:10.1007/978-3-642-02384-2_6
Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theor. 24(3), 384–386 (1978)
Becker, A., Joux, A., May, A., Meurer A.: Decoding random binary linear codes in \(2n, 20\): how \(1+1=0\) improves information set decoding. In: Eurocrypt 2012 (2012)
Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22792-9_42
Chabot, C., Legeay, M.: Using permutation group for decoding. In: Proceedings of Algebraic and Combinatorial Coding Theory 2010, pp. 86–92 (2010)
Coffey, J.T., Goodman, R.M.: The complexity of Information-Set Decoding (ISD). IEEE Trans. Inf. Theor. 36(5), 1031–1037 (1990)
Cohen, G., Wolfmann, J. (eds.): Coding Theory and Applications. LNCS, vol. 388. Springer, Heidelberg (1989)
Couvreur, A., Otmani, A., Tillich, J.-P.: Polynomial time attack on wild McEliece over quadratic extensions. Cryptology ePrint Archive 2014/112 (2014)
Dubiner, M.: Bucketing coding and information theory for the statistical high-dimensional nearest-neighbor problem. IEEE Trans. Inf. Theor. 56(8), 4166–4179 (2010)
Dumer, I.: On minimum distance decoding of linear codes. In: Proceedings 5th Joint Soviet-Swedish International Workshop Information Theory, Moscow, pp. 50–52 (1991)
Faugère, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 279–298. Springer, Heidelberg (2010)
Faugére, J.-C., Otmani, A., Perret, L., de Portzamparc, F., Tillich, J.-P.: Structural cryptanalysis of McEliece schemes with compact keys. Cryptology ePrint Archive: Report 2014/210 (2014)
Faugére, J.C., Otmani, A., Perret, L., de Portzamparc, F., Tillich, J.P.: Folding alternant and Goppa codes with non-nrivial automorphism groups. arXiv:1405.5101v1 [cs.IT], 20 May 2014
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)
Johansson, T., Löndahl, C.: An Improvement to Stern’s Algorithm
Heyse, S.: Implementation of McEliece based on quasi-dyadic goppa codes for embedded devices. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 143–162. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25405-5_10
Gaborit, P.: Shorter keys for code based cryptography. In: Proceedings of the 2005 International Workshop on Coding and Cryptography (WCC 2005), Bergen, Norway, pp. 81–91, March 2005
Hirose, S.: May-Ozerov algorithm for nearest-neighbor problem over \(\mathbb{F}_q\) and its application to information set decoding. Cryptology ePrint Archive: Report 2016/237 (2016)
Har-Peled, S., Indyk, P., Motwani, R.: Approximate nearest neighbor: towards removing the curse of dimensionality. Theor. Comput. 8(1), 321–350 (2012)
Howgrave-Graham, N., Joux, A.: New generic algorithms for hard knapsacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 235–256. Springer, Heidelberg (2010)
Kobara, K.: Flexible quasi-dyadic code-based public-key encryption and signature. Cryptology ePrint Archive, Report 2009/635 (2009)
Legeay, M.: Permutation decoding: towards an approach using algebraic properties of the \(\sigma \)-subcode. In: Augot, D., Canteaut, A. (eds.) WCC 2011, pp. 193–202 (2011)
Legeay, M.: Utilisation du groupe de permutations d’un code correcteur pour améliorer l’éfficacité du décodage. Université de Rennes 1, Année (2012)
Lee, P.J., Brickell, E.F.: An observation on the security of McEliece’s public-key cryptosystem. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 275–280. Springer, Heidelberg (1988). doi:10.1007/3-540-45961-8_25
Leon, J.S.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theor. 34, 1354–1359 (1988)
Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 376–392. Springer, Heidelberg (2009)
Misoczki, R., Tillich, J.P, Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: ISIT 2013, pp. 2069–2073 (2013)
McEliece, R.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep., Jet Propulsion Laboratory, California Institute of Technology, Pasadena, CA, pp. 114–116, January 1978
Barreto, P.S.L.M., Lindner, R., Misoczki, R.: Monoidic codes in cryptography. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 179–199. Springer, Heidelberg (2011)
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_6
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_9
Meurer, A.: A coding-theoretic approach to cryptanalysis. Dissertation thesis, Universität Bochum Ruhr, Novenber 2012
Niebuhr, R., Persichetti, E., Cayrel, P.-L., Bulygin, S., Buchmann, J.: On lower bounds for information set decoding over \(\mathbb{F}_q\) and on the effect of partial knowledge
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theor. 15, 159–166 (1986)
Persichetti, E.: Compact McEliece keys based on quasi-dyadic Srivastava codes. J. Math. Cryptology 6(2), 149–169 (2012)
Peters, C.: Information-set decoding for linear codes over \(\mathbb{F}_q\). Cryptology ePrint Archive 2009/589 (2009)
Prange, E.: The use of Information-Sets in decoding cyclic codes. IEEE Trans. IT–8, S5–S9 (1962)
Repka, M., Zajac, P.: Overview of the McEliece cryptosystem and its security. Tatra Mountains Math. Publ. 60, 57–83 (2014). doi:10.2478/tmmp-2014-0025
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). doi:10.1007/BFb0019850
Umana, V.G., Leander, G.: Practical key recovery attacks on two McEliece variants. In: International Conference on Symbolic Computation and Cryptography SCC 2010, vol. 2010, p. 62 (2010)
Acknowlegment
This work was carried out with financial support of CEA-MITIC for CBC project and financial support of the government of Senegal’s Ministry of Hight Education and Research for ISPQ project. The third author was supported in part by JSPS KAKENHI Grant Number JP16H02828.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
Nearest-Neighbor Algorithm over an Arbitrary Finite Field \(\mathbb {F}_q\)
We give in this section the May-Ozerov Nearest-Neighbor algorithm over \(\mathbb {F}_q\) proposed by Hirose in [19]
The complexity of May-Ozerov Nearest Neighbor algorithm is given by:
Theorem 2
[19]. Let q be a prime power. Let \(\gamma \), \(\beta \), \(\epsilon >0\) and \(\lambda \) be reals such that \(0<\gamma <\frac{1}{2}\), \(0<\beta <1\), \(\varepsilon >0\) and \(\lambda \le H_{q}(\beta )-\frac{1}{q}\sum \limits _{x\in \mathbb {F}_{q}}H_{q}(q \beta h_{x})\) with \(\sum \limits _{x\in \mathbb {F}_{q}}h_{x}=1\) and for each \(x\in \mathbb {F}_{q}\), \(\frac{\gamma }{q}< h_{x}<\frac{\gamma }{q} + \frac{1-\gamma }{q\beta }\).
Let \(y= (1-\gamma )\left( H_{q}(\beta ) -\frac{1}{q}\sum \limits _{x\in \mathbb {F}_{q}}H_{q}\left( \frac{qh_{x}-\gamma }{1-\gamma } \beta \right) \right) \). Then the MO-NN algorithm solves the \((m,\gamma , \lambda )NN\) problem over \(\mathbb {F}_{q}\) with overwhelming probability in time
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Gueye, C.T., Klamti, J.B., Hirose, S. (2017). Generalization of BJMM-ISD Using May-Ozerov Nearest Neighbor Algorithm over an Arbitrary Finite Field \(\mathbb {F}_q\) . In: El Hajji, S., Nitaj, A., Souidi, E. (eds) Codes, Cryptology and Information Security. C2SI 2017. Lecture Notes in Computer Science(), vol 10194. Springer, Cham. https://doi.org/10.1007/978-3-319-55589-8_7
Download citation
DOI: https://doi.org/10.1007/978-3-319-55589-8_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-55588-1
Online ISBN: 978-3-319-55589-8
eBook Packages: Computer ScienceComputer Science (R0)