
On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11505))

Abstract

Quasi-cyclic moderate density parity check codes [1] allow the design of McEliece-like public-key encryption schemes with compact keys and a security that provably reduces to hard decoding problems for quasi-cyclic codes.

In particular, QC-MDPC are among the most promising code-based key encapsulation mechanisms (KEM) that are proposed to the NIST call for standardization of quantum safe cryptography (two proposals, BIKE and QC-MDPC KEM).

The first generation of decoding algorithms suffers from a small, but not negligible, decoding failure rate (DFR in the order of \(10^{-7}\) to \(10^{-10}\)). This allows a key recovery attack that exploits a small correlation between the faulty message patterns and the secret key of the scheme [2], and limits the usage of the scheme to KEMs using ephemeral public keys. It does not impact the interactive establishment of secure communications (e.g. TLS), but the use of static public keys for asynchronous applications (e.g. email) is rendered dangerous.

Understanding and improving the decoding of QC-MDPC is thus of interest for cryptographic applications. In particular, finding parameters for which the failure rate is provably negligible (typically as low as \(2^{-64}\) or \(2^{-128}\)) would allow static keys and increase the applicability of the mentioned cryptosystems.

We study here a simple variant of bit-flipping decoding, which we call step-by-step decoding. It has a higher DFR but its evolution can be modelled by a Markov chain, within the theoretical framework of [3]. We study two other, more efficient, decoders. One is the textbook algorithm implemented as in [3]. The other is (close to) the BIKE decoder. For all those algorithms we provide simulation results, and, assuming an evolution similar to the step-by-step decoder, we extrapolate the value of the DFR as a function of the block length. This will give an indication of how much the code parameters must be increased to ensure resistance to the GJS attack.
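As an added illustration (not code from the paper, from BIKE or from any submission it mentions), the following toy Python model shows the objects the abstract talks about: a parity-check matrix H = [H0 | H1] built from two sparse circulant blocks, the textbook parallel bit-flipping decoder, a single-flip step-by-step variant, and a Monte Carlo estimate of the DFR. The step-by-step form used here (one position chosen at random among those above the threshold per step) and the fixed threshold (rather than BIKE's syndrome-weight-dependent rule) are assumptions, and all parameters, keys and error patterns are constructed and far below cryptographic size.

```python
import random
from functools import reduce

def column(h0, h1, j, r):                # support of column j of H = [H0 | H1], j in [0, 2r)
    return {(a + j) % r for a in (h0 if j < r else h1)}
def syndrome(h0, h1, e, r):
    """s = H e^T over GF(2): XOR (symmetric difference) of the columns indexed by e."""
    return reduce(set.__xor__, (column(h0, h1, j, r) for j in e), set())
def counters(h0, h1, s, r):              # unsatisfied parity checks touching each position
    return [len(column(h0, h1, j, r) & s) for j in range(2 * r)]

def bitflip_decode(h0, h1, s, r, threshold, max_iter=20):
    """Textbook (parallel) bit flipping: flip every position whose counter >= threshold."""
    e_hat, s = set(), set(s)
    for _ in range(max_iter):
        if not s:
            return e_hat, True
        for j, c in enumerate(counters(h0, h1, s, r)):   # counters from the old syndrome
            if c >= threshold:
                e_hat ^= {j}
                s ^= column(h0, h1, j, r)
    return e_hat, not s

def step_by_step_decode(h0, h1, s, r, threshold, max_steps, rng=random):
    """Step-by-step variant (assumed form): flip ONE random above-threshold position per step."""
    e_hat, s = set(), set(s)
    for _ in range(max_steps):
        if not s:
            return e_hat, True
        cands = [j for j, c in enumerate(counters(h0, h1, s, r)) if c >= threshold]
        if not cands:
            return e_hat, False           # nothing above threshold: the decoder stalls
        j = rng.choice(cands)
        e_hat ^= {j}
        s ^= column(h0, h1, j, r)         # syndrome updated after every single flip
    return e_hat, not s

def simulate_dfr(r, d, t, threshold, trials, seed=1, step_by_step=False):
    """Monte Carlo DFR estimate: fresh random key and weight-t error in every trial."""
    rng, failures = random.Random(seed), 0
    for _ in range(trials):
        h0, h1 = set(rng.sample(range(r), d)), set(rng.sample(range(r), d))
        e = set(rng.sample(range(2 * r), t))
        s = syndrome(h0, h1, e, r)
        e_hat, ok = (step_by_step_decode(h0, h1, s, r, threshold, 4 * r, rng)
                     if step_by_step else bitflip_decode(h0, h1, s, r, threshold))
        failures += not (ok and e_hat == e)   # wrong output counts as a failure too
    return failures / trials
```

A DFR of the order quoted in the abstract needs billions of trials, which is exactly why the paper resorts to modelling the step-by-step decoder as a Markov chain and extrapolating instead of simulating directly.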


Notes

  1. MDPC were previously defined, in a different context, by Ouzan and Be’ery in 2009, http://arxiv.org/abs/0911.3262.

  2. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography.

  3. All rows of \(\mathbf {H}\) have the same weight w, no condition on the column weight.

References

  1. Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: Proceedings of IEEE International Symposium on Information Theory (ISIT), pp. 2069–2073 (2013)

  2. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29

  3. Chaulet, J.: Étude de cryptosystèmes à clé publique basés sur les codes MDPC quasi-cycliques. Ph.D. thesis, University Pierre et Marie Curie, March 2017

  4. McEliece, R.J.: A Public-Key System Based on Algebraic Coding Theory, pp. 114–116. Jet Propulsion Lab (1978). DSN Progress Report 44

  5. Gallager, R.G.: Low Density Parity Check Codes. MIT Press, Cambridge (1963)

  6. Baldi, M., Santini, P., Chiaraluce, F.: Soft McEliece: MDPC code-based McEliece cryptosystems with very compact keys through real-valued intentional errors. In: Proceedings of IEEE International Symposium on Information Theory (ISIT), pp. 795–799. IEEE Press (2016)

  7. Heyse, S., von Maurich, I., Güneysu, T.: Smaller keys for code-based cryptography: QC-MDPC McEliece implementations on embedded devices. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 273–292. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_16

  8. Chou, T.: QcBits: constant-time small-key code-based cryptography. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 280–300. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_14

  9. Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: IEEE International Symposium on Information Theory (ISIT) 2016, pp. 1366–1370. IEEE Press (2016)

  10. Aguilar Melchor, C., et al.: BIKE: first round submission to the NIST post-quantum cryptography call, November 2017

  11. Nilsson, A., Johansson, T., Stankovski Wagner, P.: Error amplification in code-based cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(1), 238–258 (2018)

  12. Tillich, J.P.: The decoding failure probability of MDPC codes. In: 2018 IEEE International Symposium on Information Theory, ISIT 2018, 17–22 June 2018, Vail, CO, USA, pp. 941–945 (2018)

Author information

Corresponding author: Valentin Vasseur.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Sendrier, N., Vasseur, V. (2019). On the Decoding Failure Rate of QC-MDPC Bit-Flipping Decoders. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science(), vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_22

  • DOI: https://doi.org/10.1007/978-3-030-25510-7_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25509-1

  • Online ISBN: 978-3-030-25510-7
