Nothing Special   »   [go: up one dir, main page]

Next Article in Journal
Self-Improving Generative Artificial Neural Network for Pseudorehearsal Incremental Class Learning
Next Article in Special Issue
A New Coding Paradigm for the Primitive Relay Channel
Previous Article in Journal
Recommending Links to Control Elections via Social Influence
Previous Article in Special Issue
Coarsely Quantized Decoding and Construction of Polar Codes Using the Information Bottleneck Method
You seem to have javascript disabled. Please note that many of the page functionalities won't work as expected without javascript enabled.
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

A Finite Regime Analysis of Information Set Decoding Algorithms

1
Department of Information Engineering (DII), Università Politecnica delle Marche, 60131 Ancona, Italy
2
Department of Electronics, Information and Bioengineering (DEIB), Politecnico di Milano, 20133 Milano, Italy
*
Author to whom correspondence should be addressed.
Algorithms 2019, 12(10), 209; https://doi.org/10.3390/a12100209
Submission received: 20 June 2019 / Revised: 16 September 2019 / Accepted: 25 September 2019 / Published: 1 October 2019
(This article belongs to the Special Issue Coding Theory and Its Application)

Abstract

:
Decoding of random linear block codes has been long exploited as a computationally hard problem on which it is possible to build secure asymmetric cryptosystems. In particular, both correcting an error-affected codeword, and deriving the error vector corresponding to a given syndrome were proven to be equally difficult tasks. Since the pioneering work of Eugene Prange in the early 1960s, a significant research effort has been put into finding more efficient methods to solve the random code decoding problem through a family of algorithms known as information set decoding. The obtained improvements effectively reduce the overall complexity, which was shown to decrease asymptotically at each optimization, while remaining substantially exponential in the number of errors to be either found or corrected. In this work, we provide a comprehensive survey of the information set decoding techniques, providing finite regime temporal and spatial complexities for them. We exploit these formulas to assess the effectiveness of the asymptotic speedups obtained by the improved information set decoding techniques when working with code parameters relevant for cryptographic purposes. We also delineate computational complexities taking into account the achievable speedup via quantum computers and similarly assess such speedups in the finite regime. To provide practical grounding to the choice of cryptographically relevant parameters, we employ as our validation suite the ones chosen by cryptosystems admitted to the second round of the ongoing standardization initiative promoted by the US National Institute of Standards and Technology.

1. Introduction

Asymmetric cryptosystems are traditionally built on a mathematical function which is hard to compute unless the knowledge of a special parameter is available. Typically, such a function is known as a mathematical trapdoor, and the parameter acts as the private key of the asymmetric cryptosystem. Decoding a random linear block code was first proven to be equivalent to solve an instance of the three dimensional matching by Elwyn Berlekamp et al. in 1978 [1]. By contrast, efficient decoding algorithms for well structured codes have a long history of being available. Therefore, McEliece himself proposed to disguise an efficiently decodable code as a random code and employ the knowledge of the efficiently decodable representation as the private key of an asymmetric cryptosystem. In this way, a legitimate user of the cryptosystem would be able to employ an efficient decoder for the chosen hidden code, while an attacker would be forced to resort to decoding techniques for a generic linear code.
Since the original proposal, a significant amount of variants of the McEliece cryptosystem were proposed swapping the original decodable code choice (Goppa codes [2]) with other efficiently decodable codes with the intent of enhancing computational performances of reducing the key size. The first attempt in this direction was the Niederreiter cryptosystem [3] using generalized Reed–Solomon (GRS) codes. While the original proposal by Niederreiter was broken by Sidel’nikov and Shestakov in [4], replacing the hidden code with a Goppa code in Niederreiter’s proposal yields a cryptosystem which is currently unbroken. More recently, other families of structured codes have been considered in this framework, such as Quasi Cyclic (QC) codes [5], Low Density Parity Check (LDPC) codes [6], Quasi Dyadic (QD) codes [7], Quasi Cyclic Low Density Parity Check (QC-LDPC) codes [8] and Quasi Cyclic Moderate Density Parity Check (QC-MDPC) codes [9].
The significant push in the development of code-based cryptosystems was also accompanied by a comparably sized research effort in their cryptanalysis. In particular, the best attack technique that does not rely on the underlying hidden code structure, and thus is applicable to all the variants, is  known as Information Set Decoding (ISD). In a nutshell, ISD attempts at finding enough error-free locations in a codeword to be able to decode it regardless of the errors which affect the codeword itself. Such a technique was first proposed by Prange [10] as a more efficient alternative to decode  a  general linear block code, with respect to a straightforward guess on the error affected locations. Since  then, a significant amount of improvements to Prange’s original technique were proposed [11,12,13,14,15,16], effectively providing significant polynomial speedups on the exponential-time decoding task. In  addition  to the former works, where the focus is to propose an operational description of a general decoding technique based on information set decoding, the works by the authors of [17,18,19] provide a more general view on general decoding techniques, including split syndrome decoding and supercode decoding, and report proven bounds on the complexities of the said approaches. Finally, we  report the work of Bassalygo et al. [20] as the first tackling formally the complexity of decoding linear codes. For a more comprehensive survey of hard problems in coding theory, we refer the interested reader to [21,22,23].
The common praxis in the literature concerning ISD improvements is to evaluate the code parameters for the worst-case-scenario of the ISD, effectively binding together the code rate and number of corrected errors to the code length. Subsequently, the works analyze the asymptotic speedup as a function of the code length alone. While this approach is effective in showing an improvement in the running time of the ISD in principle, the practical relevance of the improvement when considering useful parameter sizes in cryptography may be less significant.
We note that, in addition to being the most efficient strategy to perform general random linear code decoding, ISD techniques can also be employed to recover the structure of the efficiently decodable code from its obfuscated version for the LDPC, QC-LDPC and QC-MDPC code families.
Recently, the National Institute of Standards and Technology (NIST) has started a selection process to standardize asymmetric cryptosystems resistant to attacks with quantum computers. Since decoding a random code is widely believed to require an exponential amount of time in the number of errors, even in presence of quantum computers, code-based cryptosystems are prominent candidate in the NIST selection process [24]. Hence, having accurate and shared expressions in the finite length regime, both in the classical and in the quantum computing setting, for the work factor of attacks targeting such schemes, it is important to define a common basis for their security assessment. A work sharing our intent is [25], where a non-asymptotic analysis of some ISD techniques is performed. However, a comprehensive source of this type is not available in the literature, to the best of our knowledge.

1.1. Contributions

In this work, we provide a survey of the existing ISD algorithms, with explicit finite regime expressions for their spatial and temporal complexities. We also detail which free parameters have to be optimized for each of the ISD algorithms, and provide a software tool implementing the said optimization procedure on a given set of code parameters in [26].

1.2. Paper Organization

This work is organized as follows. Section 2 states the required notation and recollects the code-based cryptography background required to understand ISD algorithms. Section 3 surveys the existing ISD algorithms, providing complexity estimates for both the space they require and their execution time. Section 4 contains a critical discussion of the results obtained in the finite regime in comparison to the ones available via asymptotic estimates, while Section 5 summarizes our conclusions.

2. Background on Computationally Intractable Coding Theory Problems

In this section, we introduce the notation and background on error correcting codes, and state which hard problems we focus on, for which best solvers are ISD algorithms.
In the following, we consider the case of binary linear block codes, denoting as C ( n , k , d ) a code of length n, dimension k and minimum distance d. This code is thus a subspace of { 0 , 1 } n containing 2 k distinct vectors, and can be represented by a k × n binary matrix G known as the code generator matrix. It is commonplace to indicate with r = n k the amount of redundant bits in an element of the code, i.e., a codeword. The minimum distance of a linear block code corresponds to the minimum weight of its codewords, apart from the null one (which, clearly, has null weight). An  alternative representation is the one provided by the so-called parity check matrix H, which is obtained through the algebraic constraint H G T = 0 r × k . The parity check is thus an r × n binary matrix for which it is easy to show that the product of a codeword c by H is a null r-bit-long vector. The  quantity obtained multiplying a generic n-bit vector c ˜ by H is called the syndrome s = H c ˜ T of c ˜ through H. Note that, if the binary vector c ˜ is not a codeword, the syndrome of c ˜ through H is not null; in other words, we can write c ˜ = c + e , with c being a codeword, and thus have s = H e T .
Decoding of c ˜ through C ( n , k , d ) consists in finding the codeword c whose distance from c ˜ is minimum. The procedure of finding a length-n binary vector e, with Hamming weight smaller than or equal to some integer t, given a non-null syndrome s and a parity matrix H is known as syndrome decoding. The name stems from the fact that decoding a given c ˜ becomes possible by computing the syndrome s of c ˜ , solving the syndrome decoding, and adding the obtained vector e to c ˜ , and corresponds to finding the codeword which is at minimum distance from c ˜ .
We can now recall the two decisional problems in coding theory which were proven to be NP-Complete by Berlekamp et al. in [1], and from which the main building blocks of the cryptographic trapdoors of code-based cryptosystems are derived.
Statement 1
(Coset weights problem). Given a random, r × n binary matrix H, an r bit vector s and a positive integer t, determine if an n bit vector e with w t ( e ) t , where w t ( · ) is the Hamming weight function, such that H e T = s exists.
The Coset weights problem is also known as the Decisional Syndrome Decoding Problem (DSDP).
Statement 2
(Subspace weights problem). Given a random, r × n binary matrix H, and a positive integer w, determine if an n bit vector c with w t ( c ) = t , where w t ( · ) is the Hamming weight function, such that H c T = 0 r × 1 exists.
The Subspace weights problem is also known as the Decisional Codeword Finding Problem (DCFP).
The typical hard problems which are employed to build code-based cryptographic trapdoors are the search variants of the aforementioned two problems. Specifically, the Syndrome Decoding Problem (SDP) asks to find an error vector of weight ≤t, while the Codeword Finding Problem (CFP) asks to find a codeword with a given weight w. A well known result in computational complexity theory (e.g., [27] Chap. 2.5) states that any decision problem belonging to the NP-Complete class has a search-to-decision reduction. In other words, it is possible to solve an instance of the search problem with a polynomial amount of calls to an oracle for the corresponding decision problem. This, in turn, states that the difficulty of Syndrome Decoding Problem (SDP) and Codeword Finding Problem (CFP) is the same of solving their decisional variants Decisional Syndrome Decoding Problem (DSDP) and Decisional Codeword Finding Problem (DCFP), i.e., they are as hard as an NP-Complete problem. We  note that, in the light of such a reduction, and despite it is a notation abuse, it is commonplace to state that Syndrome Decoding Problem (SDP) and Codeword Finding Problem (CFP) are NP-Complete, although only decisional problems belong to the NP-complete class.

2.1. Applications to Cryptography

The class of NP-Complete problems is of particular interest to design cryptosystems, as it is widely believed that problems contained in such a class cannot be solved in polynomial time by a quantum computer. Indeed, the best known approaches to solve both the Codeword Finding Problem (CFP) and the Syndrome Decoding Problem (SDP) have a computational complexity which is exponential in the weight of the codeword or error vector to be found. A notable example of code-based cryptosystem relying on the hardness of the Syndrome Decoding Problem (SDP) is the one proposed by Niederreiter in [3].
Niederreiter cryptosystem generates a public–private key-pair selecting as the private key an instance of a code from a family for which efficient decoding algorithms are available. The code is then represented by its parity check matrix H p r i v , which is multiplied by a rank-r random square binary matrix S obtaining the public key of the cryptosystem H p u b = S H p r i v . The assumption made by Niederreiter is that the multiplication by the random, full rank matrix S makes H p u b essentially indistinguishable from a random parity matrix. While the original choice to employ a Reed–Solomon code as private code was found to falsify this assumption and lead to a practical attack, other code families have proven to be good candidates (e.g., Goppa codes, Low/Medium Density Parity Check codes [28,29,30,31]). A message is encrypted in the Niederreiter cryptosystem encoding it as a fixed weight error vector e and computing its syndrome through H p u b , s = H p u b e T , which acts as the ciphertext. The  owner of the private key ( S , H p r i v ) is able to decipher the ciphertext through first obtaining s = S 1 s and subsequently performing the syndrome decoding of s employing H p r i v .
It is easy to note that, under the assumption that H p u b is indistinguishable from a random parity check matrix, an attacker willing to perform a Message Recovery Attack (MRA) must solve an instance of the Syndrome Decoding Problem (SDP). We note that, as proven by Niederreiter [3], the Syndrome Decoding Problem (SDP) is computationally equivalent to the problem of correcting a bounded amount of errors affecting a codeword, when given a random generator matrix of the code, G. Such  a problem goes by the name of Decoding Problem, and is the mainstay of the original cryptosystem proposal by McEliece [32]. In such a scheme, the ciphertext thus corresponds to the sum between a codeword of the public code, obtained as m G , with m being a length-k vector, and a vector e of weight t. The  message can either be encoded into e or into m; in the latter case, Message Recovery Attack (MRA) is performed by searching for the error vector e and, subsequently, by adding it to the intercepted ciphertext. We point out that this search can automatically turned into the formulation of Syndrome Decoding Problem (SDP), by first computing a valid H p u b from G and then by trying to solve Syndrome Decoding Problem (SDP) on the syndrome of the intercepted ciphertext through H p u b .
One of the most prominent cases where Codeword Finding Problem (CFP) appears in code-based cryptosystems is represented by a Key Recovery Attack (KRA) against Niederreiter cryptosystems where the private parity check matrix H p r i v contains rows with a known low weight w. Indeed, in such a case, considering H p u b as the generator matrix of the dual code, solving the Codeword Finding Problem (CFP) for such a code reveals the low weight rows of H p r i v . We note that such a Key Recovery Attack (KRA) is in the same computational complexity class as Syndrome Decoding Problem (SDP), assuming that the obfuscation of H p u b makes it indistinguishable from a random one.
Two notable cases where solving the Codeword Finding Problem (CFP) is the currently best known method to perform a Key Recovery Attack (KRA) are the LEDAcrypt [33] and BIKE [34] proposals to the mentioned NIST standardization effort for post-quantum cryptosystems. Since such a Codeword Finding Problem (CFP) can also be seen as the problem of finding a binary vector c with weight w such that H p u b c T = 0 , the problem is also known as the Homogeneous Syndrome Decoding Problem (SDP), as it implies the solution of a simultaneous set of linear equations similar to the Syndrome Decoding Problem (SDP), save for the syndrome being set to zero.

2.2. Strategies to Perform MRA

As described in the previous section, security of code-based cryptosystems relies on the hardness of solving Syndrome Decoding Problem (SDP) or Codeword Finding Problem (CFP) instances. In this section, we analyze the case of Syndrome Decoding Problem (SDP) and show that the optimal strategy to perform Message Recovery Attack (MRA) depends on the code parameters. The optimal strategy for solving Syndrome Decoding Problem (SDP) depends on the relation between the actual parameters of the instance under analysis. In particular, in the cases where t is above the Gilbert–Varshamov (GV) distance [35], Generalized Birthday Algorithm (GBA) is the best currently known algorithm for solving Syndrome Decoding Problem (SDP) [36,37]. However, for the cases we consider in this paper, practical values of t are significantly smaller than the GV distance; in such cases, the best known methods to solve Syndrome Decoding Problem (SDP) go by the name of Information Set Decoding (ISD) algorithms. Such algorithms are aimed at lessening the computational effort required in the guesswork of an exhaustive search for the unknown error vector e of weight t, given  a syndrome and a parity check matrix. We point out that it is also possible to adapt all Information Set Decoding (ISD) algorithms, save for the first one proposed by Prange [10], to solve the Codeword Finding Problem (CFP), as a consequence of the structural similarity of the two problems.
All Information Set Decoding (ISD) algorithms share a common structure where an attempt at retrieving the error vector corresponding to a given syndrome is repeated, for a number of times whose average value depends on the success probability of the single attempt itself. The complexity of all Information Set Decoding (ISD) variants can be expressed as the product between the complexity of each attempt, which we denote as C iter , and the average number of required attempts. In particular, such a value can be obtained as the reciprocal of the success probability of each attempt, which we denote as Pr succ ; thus, when considering a code with length n, redundancy r = n k and Hamming weight of the sought error bounded to t, we generically denote the time complexity of obtaining one solution of Syndrome Decoding Problem (SDP) employing the Information Set Decoding (ISD) variant at hand, i.e.,
C ISD ( n , r , t ) = C iter Pr succ .
As we show in the following, the work factor of a Message Recovery Attack (MRA) performed through Information Set Decoding (ISD) may actually depend on the system parameters; to  this end, we first exploit the following well-known result. Let C ( n , k , d ) be a linear binary code with length n, dimension k and minimum distance d, and let H be a parity-check matrix for C ( n , k , d ) . Let s be a length-r binary vector and t be an integer ≤n; then, if  t < d 2 , there is at maximum one vector e of weight t such that s = H e T .
Thus, when H p u b is the parity-check matrix of a code with minimum distance d > 2 t , then solving Syndrome Decoding Problem (SDP) guarantees that the found error vector corresponds to the one that was used to encrypt the message. In this case, the attack work factor corresponds to C ISD ( n , r , t ) .
However, when d 2 t , the time complexity of a Message Recovery Attack (MRA) needs to be derived through a different approach. Indeed, in such a case, the adversary has no guarantee that the output of Information Set Decoding (ISD) corresponds to the error vector that was actually used in the encryption phase. Thus, the work factor of a Message Recovery Attack (MRA) cannot be simply taken as the time complexity of the chosen Information Set Decoding (ISD) algorithm. Let  s be the syndrome corresponding to the intercepted ciphertext and e be the searched error vector, i.e.,  s = H p u b e T . We  define
N ( e ) = e F 2 n   s . t .   w t ( e ) = t   and   H p u b e T = s .
Clearly, N ( e ) corresponds to the number of valid outputs that Information Set Decoding (ISD) can produce, when applied on the syndrome s corresponding to e. In such a case, the probability that an Information Set Decoding (ISD) iteration will not find any valid error vector can be estimated as 1 Pr succ N ( e ) . Thus, in such a case, one attempt of Information Set Decoding (ISD) will succeed with probability Pr succ ( e ) = 1 1 Pr succ N ( e ) . In particular, the algorithm will randomly return a vector among the set of the N ( e ) admissible ones: thus, the probability that the obtained vector corresponds to e is 1 / N ( e ) .
To obtain a closed-form expression for the attack work factor, we can consider the average value of N ( e ) , which we obtain by averaging over all the possible vectors e of weight t and length n, and denote it with N. Then, the attack work factor can be computed as
W F MRA N C iter Pr succ = N C iter 1 1 Pr succ N .
In particular, it can be shown that N P 1 1 P N , so that
W F MRA = α C ISD ( n , k , t ) ,
with
α = N Pr succ 1 1 Pr succ N 1 .
We point out that, for the cases we analyze in this paper, we have N Pr succ 1 , so that α 1 . Thus, from now on, we assume α = 1 , i.e., that the time complexity of performing a Message Recovery Attack (MRA) is equal to that of running an Information Set Decoding (ISD) algorithm in the case in which a unique solution exists.

3. A Finite Regime Analysis of Information Set Decoding Techniques

In the following, we report an analysis of the best known variants of Information Set Decodings (ISDs) and their execution on a classical computer, namely the ones proposed by Prange [10], Lee  and Brickell [11], Leon [12], Stern [13], Finiasz and Sendrier [14], May, Meurer and Thomae [15], and Becker, Joux, May and Meurer [16]. For the sake of clarity, we describe the Information Set Decoding (ISD) algorithms in their syndrome decoding formulation, highlighting for the first variant amenable to dual-use, i.e., Lee  and Brickell’s, how to adapt the technique to the Codeword Finding Problem (CFP). For  all these algorithms, we provide finite-regime time complexities and space complexities, with the aim to analyze the actual computational effort and memory resources needed to solve both the Syndrome Decoding Problem (SDP) and the Codeword Finding Problem (CFP) on instances with cryptographically sized parameters. We also report lower bounds on the complexities of the execution of Prange, Lee and Brickell’s and Stern’s variants of the Information Set Decoding (ISD) on a quantum computer, allowing an evaluation of the corresponding computational efforts.
We provide the exact formulas for the time complexity of ISD variants as a function of the code length n, the code dimension k and the number of errors t. We note that the ISD algorithms having the best asymptotic time complexity are also characterized by an exponential space complexity, which  may significantly hinder their efficiency or make their implementation unpractical. In  particular, we  also analyze the computational cost of such algorithms with a logarithmic memory access cost criterion. Indeed, the logarithmic access cost criterion is the one which fits better scenarios where the spatial complexity of an algorithm is more than polynomial in its input size, therefore resulting in a non-negligible cost for the memory accesses.
In the reported formulas, we employ the O -notation simply to remove the need to specify the computing architecture- or implementation-dependant constants.

3.1. Prange

Prange’s algorithm [10] is the first known variant of ISD, based on the idea of guessing a set I of k error-free positions in the error vector e to be found in the Syndrome Decoding Problem (SDP). For  this purpose, the columns of H are permuted so that those indexed by I are packed to the left. This operation is equivalent to the multiplication of H by an appropriately sized permutation matrix P. The column-reordered matrix H ^ = H P is hence obtained, which can be put in Reduced Row Echelon Form (RREF), with the identity matrix I r placed to the right, i.e.,  [ V   I r ] = U H ^ . If turning H ^ in Reduced Row Echelon Form (RREF) is not possible as the r × r rightmost submatrix is not full-rank, a different permutation is picked. The same transformation U required to bring H in Reduced Row Echelon Form (RREF) is then applied to the single-bit rows of the column syndrome vector s, obtaining s ¯ = U s . If  the weight of the permuted error vector e ^ obtained as e ^ = e P = [ 0 1 × k   s ¯ T ] , where 0 1 × k is the all-zero error vector of length k, matches the expected error weight t, then the algorithm succeeds and the non-permuted error vector e ^ P T is returned. A pseudo-code description of Prange’s ISD algorithm is provided in Algorithm 1.
Algorithm 1: Syndrome decoding formulation of Prange’s ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               s ¯ an r-bit long binary column vector
              V: an r × k binary matrix V = [ v 0 , , v k 1 ]
1 
repeat
2 
      repeat
3 
             P RandomPermutationGen ( n )
4 
             H ^ H P                                     // the corresponding error vector is e ^ = e P
5 
               U ,   [ V | W ]   RedRowEchelonForm ( H ^ )                                     // U H = [ V | W r × r ]
6 
      until W I r
7 
       s ¯ U s
8 
       e ^ [ 0 1 × k   s ¯ T ]
9 
untilweight ( e ^ ) = t
10 
return e ^ P T
Proposition 1
(Computational complexity of Algorithm 1). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, the complexity for finding the row error vector e with length n and weight t such that s = H e T with Algorithm 1 can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–9 and the computational requirements of executing the loop body c iter . In particular, the time complexity is C ISD ( n , r , t ) = 1 Pr succ c iter = n t r t C IS ( n , r ) + n , with 
C IS ( n , r ) = 1 i = 1 r ( 1 2 i )   C RREF ( n , r ) + r 2 + n , C RREF ( n , r ) = O n r 2 2 + n r 2 r 3 6 + r 2 + r 6 1 .
The spatial complexity is S ISD ( n , r , t ) = O ( r n ) .
Proof. 
The loop body of Algorithm 1 is dominated by the cost of finding an information set and validating it through checking that the matrix W is indeed an identity, i.e., that the corresponding submatrix of H ^ indeed has full rank.
Note that, in an r × r binary matrix, the first row has a probability of 1 2 r of being linearly dependent from itself (i.e., zero); the second row has a probability of 2 2 r of being linearly dependent (i.e., zero or equal to the first). With an inductive argument, we obtain that the rth row has a probability of 2 r 1 2 r of being linearly dependent from the previous ones. We thus have that the probability of having all the rows independent from one another is i = 1 r ( 1 2 i 1 2 r ) = i = 1 r ( 1 1 2 i ) .
We thus have that the column permutation (Line 4), with computational complexity r n (which can be lowered to n keeping only the permuted column positions) and the Reduced Row Echelon Form (RREF) transformation (Line 5), with cost O n r 2 2 + n r 2 r 3 6 + r 2 + r 6 1 have to be repeated 1 i = 1 r ( 1 2 i ) times, yielding the first addend of the computational cost C IS ( n , r ) . The cost C RREF ( n , r ) is derived considering the Reduced Row Echelon Form (RREF) as an iterative algorithm performing as many iterations as the rank of the identity matrix in the result (i.e., r in this case). Each iteration 0 i r 2 proceeds to find a pivot, taking O ( r i ) , swaps it with the ( r i ) th row in O ( n ) and proceeds to add the pivot to all the remaining r i 1 rows which have a one in the ( n i ) th column. The total cost is
C RREF ( n , r ) = O i = 0 r 2 ( r i ) + r n + i = 0 r 2 ( r 1 i ) ( n i ) = O n r 2 2 + n r 2 r 3 6 + r 2 + r 6 1 .
The second addend of the cost C IS ( n , r ) is constituted by the computational complexity of computing s ¯ = U s , which is r 2 . The total cost of computing an iteration c iter is the sum of C IS ( n , r ) and the cost of building e ^ , i.e.,  O ( n ) .
Pr succ is obtained as the number of permuted error vectors with the error-affected positions such that they are fitting the hypotheses made by the algorithm, divided by the number of all the possible error vectors. This fact holds for all ISD algorithms. In the case of Prange’s ISD, the permuted error vectors admissible by the hypotheses are r t , as all the error-affected positions should be within the last r bits of the permuted error vectors, while the number of error vectors is n t . □
For the sake of clarity, from now on, we denote as ISextract ( H , s ) the procedure computing P , [ V   I r ] , s ¯ , performed on Lines 2–7 of Algorithm 1, with computational time complexity C IS ( n , r ) and space complexity O ( r n ) .

3.2. Lee–Brickell

The ISD algorithm introduced by Lee and Brickell in [11] starts with the same initial operations as in Prange’s, i.e., the computation of the Reduced Row Echelon Form (RREF) of H ^ and the derivation of the corresponding syndrome s ¯ . However, Lee and Brickell improved Prange’s original idea by allowing p positions in the k selected in the error vector to be error-affected. These p remaining error positions are guessed. To verify the guess, Lee and Brickell exploit the identity [ V   I r ]   e ^ T = s ¯ , where  e ^ is split in two parts, e ^ = [ e ^ 1 e ^ 2 ] , with  e ^ 1 being k bit long and with weight p, and  e ^ 2 being r bits long and with weight t p . The identity is rewritten as V e ^ 1 T + I r e ^ 2 T = V e ^ 1 T + e ^ 2 T = s ¯ , from which follows the fact that V e ^ 1 T + s ¯ = e ^ 2 T must have weight t p . Indeed, this condition is employed by the algorithm to check if the guess of p positions is correct. The procedure is summarized in Algorithm 2.
Algorithm 2: Syndrome decoding formulation of Lee and Brickell’s ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               e ^ = e P : the error vector permuted by P
              p: the weight of the first k bits of e ^ , 0 p t , p = 2 proven optimal
               s ¯ : an r-bit long binary column vector, equal to the syndrome of e through [ V   I r ]
              V: an r × k binary matrix V = [ v 0 , , v k 1 ]
1 
repeat
2 
       P , [ V   I r ] , s ¯ ISextract ( H , s )
3 
      for j 1 to k p do
4 
             I IntegerToCombination ( j ) // I is a set of p distinct integers in { 0 , , k 1 }
5 
            if weight ( s ¯ + i I v i ) = t p then
6 
                   e ^ [ 0 1 × k   ( s ¯ + i I v i ) T ]
7 
                  foreach i I do
8 
                         e ^ e ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
9 
                  break
10 
untilweight ( e ^ ) = t
11 
return e ^ P T
Proposition 2
(Computational complexity of Algorithm 2). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 2 requires an additional parameter 0 p t .
The time complexity of Algorithm 2 can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–10 and the computational requirements of executing the loop body c iter . In  particular, the time complexity is
C ISD ( n , r , t , p ) = 1 Pr succ c iter = n t k p r t p C IS ( n , r ) + k p ( C IntToComb + p r ) ,
where C IS ( n , r ) is as in Equation (6) and C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e, finding the corresponding combination among all the k p ones. The spatial complexity is S ISD ( r , n ) = O ( r n ) .
Proof. 
The probability of success of Lee and Brickell’s ISD is obtained following the same line of reasoning employed for Prange’s, thus dividing the number of admissible permuted error vectors, k p r t p by the number of the possible error vectors n t .
The cost of an iteration of Lee and Brickell’s algorithm can be obtained as the cost of adding together p + 1 bit vectors of length r, i.e.,  p r (Line 6), multiplied by the number of such additions, i.e.,  k p as they constitute the body of the loop at Lines 4–9. Note that, in a practical implementation where the value of p is fixed, it is possible to avoid C IntToComb altogether, specializing the algorithm with a p-deep loop nest to enumerate all the weight p, length k binary vectors. □

3.3. Adapting Lee and Brickell to Solve CFP

The structure of Lee and Brickell’s Information Set Decoding (ISD) allows employing substantially the same algorithm to solve the Codeword Finding Problem (CFP), given a parity matrix H as the representation of the code where a weight w codeword c should be found. The line of reasoning to employ Lee and Brickell’s Information Set Decoding (ISD) to solve the Codeword Finding Problem (CFP) is to note that, by definition, for any codeword c of the code represented by H we have that H c T = 0 1 × r , i.e., a codeword multiplied by the parity check matrix yields a null syndrome. As a consequence, we have that 0 1 × r = H c T = H P P T c T = H ^ P T c T = H ^ c ^ T = V c ^ 1 T + c ^ 2 T . This implies that V c ^ 1 T = c ^ 2 T , which can be exploited as an alternative stopping condition to the one of Algorithm 2, yielding in turn Algorithm 3. The only remaining difference between the Syndrome Decoding Problem (SDP) solving Lee and Brickell’s ISD and the Codeword Finding Problem (CFP) is represented by the ISextract primitive, which no longer needs to compute a transformed syndrome s ¯ = U s as it is null. We thus have a small reduction in C IS ( n , r ) , which becomes C IS ( n , r ) = 1 i = 1 r ( 1 2 i )   C RREF ( n , r ) + n , losing an additive r 2 term. We note that such a reduction is expected to have little impact in practice as the dominant portion of the ISextract function is represented by the Reduced Row Echelon Form (RREF) computation. This in turn implies that solving the Syndrome Decoding Problem (SDP) on a code C has practically the same complexity of finding a codeword with weight w = t in the same code. Therefore, finding low-weight codewords in the code defined by a Niederreiter cryptosystem public key H p u b has an effort comparable to the one of performing syndrome decoding assuming an error with the same weight as the codeword to be found. Two families of codes which may be vulnerable to such an attack unless the parameters are designed taking into account a Codeword Finding Problem (CFP) ISD are the Low Density Parity Check (LDPC) and Moderate Density Parity Check (MDPC) codes. Indeed, such code families can be represented with a parity check matrix with low-weight rows, and such a low-weight representation can be relied upon to perform efficient decoding, leading to an effective cryptosystem break. Indeed, we now show that, if a code C ( n , k , d ) can be represented by a low-weight parity matrix H p r i v , the code will contain low weight codewords. Without loss of generality, consider k > r . Moreover, consider H p r i v as split in three portions [ A l A r B ] of size r × ( k r ) , r × r and r × r , respectively, with B non-singular. We derive the corresponding generator matrix as
G = I ( k r ) × ( k r ) 0 ( k r ) × r ( B 1 A l ) T 0 r × ( k r ) I r × r ( B 1 A r ) T
and consider the bottom r rows [ 0 r × ( k r )   I r × r   ( B 1 A r ) T ] . Consider the product of such bottom rows by B T , yielding [ 0 r × ( k r )   I r × r   ( B 1 A r ) T ] B T = [ 0 r × ( k r )   B T   A r T ] and note that all the rows of this product are valid codewords, as they are the result of a linear combination of rows of the generator matrix G. Moreover, given that the private parity-check matrix H p r i v has low row and column weight by construction, we have that the aforementioned codewords, i.e., the rows of [ 0 r × ( k r )   B T   A r T ] , also have a low weight. This fact may thus allow an attacker to perform a Key Recovery Attack (KRA) retrieving the low-weight codewords and rebuilding H p r i v .
A different attack strategy for the same code families is to try and find codewords in the dual code with respect to the one represented by the parity check matrix H p r i v . Such a code, by definition, sees H p r i v as a valid generator matrix, and thus makes it possible to directly reconstruct H p r i v solving r instances of Codeword Finding Problem (CFP) to obtain the r instances of H p r i v . Solving the Codeword Finding Problem (CFP) on the dual code implies that Algorithm 3 is called considering the aforementioned G matrix as a parity check matrix. Thus, if we denote with C I S D ( n , r , w ) the complexity of solving Codeword Finding Problem (CFP) on the code described by H p r i v , solving the Codeword Finding Problem (CFP) on the dual code, will have a complexity of C I S D ( n , k , w ) , where w is the weight of the codeword of the dual code. Whether this strategy or the one of solving the Codeword Finding Problem (CFP) on the primal code is more advantageous depending on the code rate and the values of w and w .
Algorithm 3: Codeword finding formulation of Lee and Brickell’s ISD.
    Input: H: an r × n binary parity-check matrix
                w: the weight of the codeword to be found
    Output: c: an n-bit codeword with weight ( c ) = w
    Data: P: an n × n permutation matrix
               c ^ = c P : the error vector permuted by P
              p: the weight of the first k bits of c ^ , 0 p w ,
              V: an r × k binary matrix V = [ v 0 , , v k 1 ]
1 
repeat
2 
       P , [ V   I r ] ISextract ( H )
3 
      for j 1 to k p do
4 
             I IntegerToCombination ( j ) // I is a set of p distinct integers in { 0 , , k 1 }
5 
            if weight ( i I v i ) = w p then
6 
                   c ^ [ 0 1 × k   ( i I v i ) T ]
7 
                  foreach i I do
8 
                         c ^ c ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
9 
                  break
10 
untilweight ( c ^ ) = w
11 
return c ^ P T

3.4. Leon

The algorithm proposed by Leon in [12], reported in Algorithm 4, improves the Lee and Brickell’s Information Set Decoding (ISD) assuming that the contribution to the value of the first bits of the syndrome s ¯ , s ¯ up , comes only from columns in V, i.e., there is a run of zeroes of length leading the final r bits of the permuted error vector e ^ , i.e.,  e ^ = [ e ^ 1 0 1 × e ^ 2 ] , where e ^ 1 is k bits long and e ^ 2 is r bits long. We thus have that the expected situation after the permutation and RREF computation is
H ^ e ^ T = V up I up V down I down e ^ 1 T 0 1 × T e ^ down T = s ¯ up s ¯ down = s ¯
where e ^ down is assumed to have a run of zeroes in its first bits. Such an assumption will clearly reduce the success rate of an iteration, as not all the randomly chosen permutations will select columns having this property. However, making such an assumption allows performing a preliminary check of the value of the sum of the topmost bits only of each column of V. Indeed, such a sum should match the value of the corresponding topmost bits of s ¯ , s ¯ up , because the leading null bits in e ^ down in turn nullify the contribution of the columns in the topmost rows I up of the identity matrix. Such a check (Line 5 in Algorithm 4) allows discarding a selection of the p columns from the ones of V, earlier, saving  addition instructions with respect to a full column check. The length of the run of zeroes should be picked so that the trade-off between the reduction in success probability is compensated by the gain in the speed of a single iteration.
Algorithm 4: Syndrome decoding formulation of Leon’s ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               e ^ = e P : the error vector permuted by P
              p: the weight of the first k bits of e ^ , 0 p t ,
              : length of the run of zeroes in e ^ = [ e ^ 1 × k   0 1 ×   e ^ 1 × r ]
               s ¯ : an r-bit long binary column vector, equal to the syndrome of e through [ V   I r ] ,
               s ¯ = s ¯ up s ¯ down
              V: an r × k binary matrix
               V = v 0 v k 1 = V up V down = v up   0 v up   k 1 v down   0 v down   k 1
1 
repeat
2 
       P , [ V   I r ] , s ¯ ISextract ( H , s )
3 
      for j 1 to k p do
4 
             I IntegerToCombination ( j ) // I is a set of p distinct integers in { 0 , , k 1 }
5 
            if weight ( s ¯ up + i I v up   i ) = 0 then
6 
                  if weight ( s ¯ down + i I v down   i ) = t p then
7 
                         e ^ [ 0 1 × ( k + )   ( s ¯ down + i I v down   i ) T ]
8 
                        foreach i I do
9 
                               e ^ e ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
10 
                        break
11 
untilweight ( e ^ ) = t
12 
return e ^ P T
Proposition 3
(Computational complexity of Algorithm 4). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 4 requires two additional parameters 0 p t , 0 r . The time complexity of Algorithm 4 can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–11 and the computational requirements of executing the loop body c iter . In  particular, the time complexity is
C ISD ( n , r , t , p , ) = 1 Pr succ c iter = n t k p r t p C IS ( n , r ) + k p C IntToComb + p + k p 2 p ( r ) ,
where C IS ( n , r ) is as in Equation (6) and C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e., finding the corresponding combination among all the k p ones. Note that, if the value of p is fixed, it is possible to avoid C IntToComb , specializing the algorithm with a p-deep loop nest to generate the combinations. The spatial complexity is S ISD ( r , n ) = O ( r n ) .
Proof. 
The success probability of an iteration of Leon’s algorithm follows the same line of reasoning of Prange’s and Lee and Brickell’s, dividing the number of admissible permuted error vectors k p r t p by the total one n t . The complexity of a single iteration is obtained considering that the loop at Lines 4–10 will perform k p iterations, where p + 1 vectors of length are added together (complexity p ), and, if the result is zero, a further addition of p + 1 bit vectors, each one of length r has to be performed (complexity p ( r ) ). This further addition takes place with a probability of k p 2 , as all possible values for s ¯ up are 2 , and only k p attempts at hitting the correct one are made, thus yielding the correct complexity, under the assumption that the sums of bit vectors are independent and uniformly distributed over all the bit strings. □

3.5. Stern

Stern’s algorithm, introduced in [13], improves Leon’s (Algorithm 4) by employing a meet-in-the-middle strategy to find which set of size p, containing bit portions of columns of V, adds up to the first bits of the syndrome s ¯ . For the sake of clarity, consider V as V = V up V down = v up   0 v up   k 1 v down   0 v down   k 1 where v up   i are -bit column vectors, and  v down   i are ( r ) -bit column vectors, and the transformed syndrome s ¯ as s ¯ = s ¯ up s ¯ down .
Stern’s strategy splits the p-sized set I of indexes of the columns of V up , which should add up to s ¯ up , into two p 2 sized ones I and J ( I = I J ). Stern’s strategy mandates that all columns indexed by I should be within the leftmost k 2 ones of V, while the ones indexed by J should be within the rightmost k 2 ones. It then exploits the following equation
i I v up   i = s ¯ up s ¯ up = i I v up   i + j J v up   j s ¯ up + i I v up   i = j J v up   j
to precompute the value of s ¯ up + i I v up   i for all possible k / 2 p / 2 choices of I , and store them into a lookup table L , together with the corresponding choice of I . The algorithm then enumerates all possible p 2 sized sets of indexes J , computing for each one j J v up   j , and checking if the result is present in L . If this is the case, the algorithm has found a candidate pair ( I , J ) for which i I J v up   i = s ¯ up holds, and thus proceeds to check if i I J v down   i = s ¯ down . This strategy reduces the cost of computing an iteration quadratically at the price of increasing the number of iterations with respect to Lee and Brickell’s approach, and taking a significant amount of space to store the lookup table L which contains k / 2 p / 2 elements. We note that Stern’s variant of the ISD is the first one to exhibit non-polynomial memory requirements, due to the size of the set I , which should be memorized and looked up. Stern’s algorithm is summarized in Algorithm 5.
Algorithm 5: Syndrome decoding formulation of Stern’s ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               e ^ = e P : the error vector permuted by P
              p: the weight of the first k bits of e ^ , 0 p t ,
              : length of the run of zeroes in e ^ = [ e ^ 1 × k   0 1 ×   e ^ 1 × r ]
               s ¯ : an r-bit long binary column vector, equal to the syndrome of e through [ V   I r ] ,
               s ¯ = s ¯ up s ¯ down
              V: an r × k binary matrix
               V = v 0 v k 1 = V up V down = v up   0 v up   k 1 v down   0 v woenp   k 1
               L : list of pairs ( I , a I ) , with I a set of integer indexes between 0 and k 2 1 , and a I an
              -bit binary column vector
1
repeat
2
       P , [ V   I r ] , s ¯ ISextract ( H , s )
3
       L
4
      for j 1 to k / 2 p / 2 do
5
             I IntegerToCombination ( j ) // I is a set of p / 2 distinct integers in { 0 , , k 2 1 } (
6
             L L { ( I , s ¯ up + i I v up   i ) }
7
      for j 1 to k / 2 p / 2 do
8
             J IntegerToCombination ( j ) // J is a set of p / 2 distinct integers in { 0 , , k 2 1 } (
9
            if ( I , i J v up   i + k / 2 ) L then
10
                  if weight ( s ¯ down + i I J v down   i ) = t p then
11
                         e ^ [ 0 1 × ( k + )   ( s ¯ down + i I J v down   i ) T ]
12
                        foreach i I do
13
                               e ^ e ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
14
                        foreach i J do
15
                               e ^ e ^ + [ 0 1 × i + k / 2   1   0 1 × ( r + k / 2 1 i ) ]
16
                        break
17
untilweight ( e ^ ) = t
18
return e ^ P T
Proposition 4
(Computational complexity of Algorithm 5). As for Algorithm 4, given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 5 requires two additional parameters 0 p t , 0 ( k p ) .
The time complexity of Algorithm 5 can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–17 and the computational requirements of executing the loop body c iter . In  particular, the time complexity is
C ISD ( n , r , t , p , ) = 1 Pr succ c iter = n t k / 2 p / 2 2 r t p C IS ( n , r ) + k / 2 p / 2 p 2 + k / 2 p / 2 ( C IntToComb + p 2 + k / 2 p / 2 2 p ( r ) )
where C IS ( n , r ) is as in Equation (6) and C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e., finding the corresponding combination among all the k / 2 p / 2 ones. Note  that, if the value of p is fixed, it is possible to avoid C IntToComb , specializing the algorithm with a p-deep loop nest to generate the combinations. The spatial complexity is S ISD ( n , r , t , p , ) = O r n + k / 2 p / 2 ( p 2 log 2 ( k 2 ) + ) .
Proof. 
The success probability of an iteration of Stern’s algorithm follows the same line of reasoning of the previous ones, dividing the number of admissible permuted error vectors k / 2 p / 2 2 r t p by the total one n t . The complexity of a single iteration is obtained considering that the loop at Lines 5–7 will compute k / 2 p / 2 additions of p 2 + 1 vectors, each one bits in length (complexity k / 2 p / 2 p 2 ). The loop at Lines 8–16 performs k / 2 p / 2 iterations, where p 2 + 1 vectors of length are added together (complexity p ), and the result is looked up in table L . If the result is found, a further addition of p + 1 bit vectors, each one r bits long is performed (complexity p ( r ) ). This further addition takes place with a probability of k / 2 p / 2 2 , as all the possible values for the computed bit sum are 2 , and only k / 2 p / 2 are present in L .
The spatial complexity of Stern’s algorithm is the result of adding together the space required for the operations on the H matrix (i.e., r n ) with the amount of space required by the list L , which is k / 2 p / 2 elements long. Each element of the list takes p 2 log 2 ( k 2 ) bits to store the set of indexes, and bits to store the partial sum, yielding a total spatial cost for the list of k / 2 p / 2 ( p 2 log 2 ( k 2 ) + ) bits. □
The aforementioned temporal complexity is obtained assuming a constant memory access cost which, given the exponential amount of memory required is likely to be ignoring a non-negligible amount of time spent to perform memory accesses. Indeed, it is possible to take into account such a time employing a logarithmic memory access cost model. Recalling that the address decoding logic for an n element digital memory of any kind cannot have a circuit depth smaller than log 2 ( n ) , we consider that the operations involved in the computation of an iteration will require such an access, in turn obtaining a cost per iteration equal to c i t e r - l o g c o s t = c i t e r log 2 ( S ISD ( n , r , t , p , ) ) .

3.6. Finiasz–Sendrier

Finiasz and Sendrier in [14] proposed two improvements on Stern’s Information Set Decoding (ISD) algorithm, obtaining Algorithm 6. The first improvement is represented by removing the requirement for the presence of a run of zeroes in the permuted error vector e ^ and allowing the p error bits to be guessed to be present also in that region of e ^ . Such an approach raises the success probability of an iteration. Following the fact that the p positions which should be guessed are picked among the first k + ones of the error vector, Finiasz and Sendrier computed only a partial Reduced Row Echelon Form (RREF) transformation obtaining a smaller, ( r ) × ( r ) , identity matrix in the lower rightmost portion of U H ^ = V up 0 × ( r ) V down I r , and leaving a zero submatrix on top of the identity. As a consequence, the cost of computing such an Reduced Row Echelon Form (RREF) is reduced to
C RREF - FS ( n , r , ) = 3 3 2 n 2 + 2 r 2 3 2 2 3 n 2 + r 2 13 6 + n r 2 2 + n r 2 r 3 6 + r 2 + r 6 1 .
Algorithm 6: Syndrome decoding formulation of Finiasz–Sendrier ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               e ^ = e P : the error vector permuted by P
              p: the weight of the first k bits of e ^ , 0 p t ,
              : a free parameter 0 r ( t p )
               s ¯ : an r-bit long binary column vector, equal to the syndrome of e through V up 0 × ( r ) V down I r ,
               s ¯ = s ¯ up s ¯ down
              V: an r × (k + ) binary matrix
               V = v 0 v k 1 = V up V down = v up   0 v up   k 1 v down   0 v woenp   k 1
               L : list of pairs ( I , a I ) , with I a set of integer indexes between 0 and k + 2 1 , and a I an -bit
              binary column vector
1 
repeat
2 
       P , V up 0 × ( r ) V down I r , s ¯ ISextract - FS ( H , s , )
3 
       L
4 
      for j 1 to ( k + ) / 2 p / 2 do
5 
             I IntegerToCombination ( j ) // I is a set of p / 2 distinct int.s in { 0 , , k + 2 1 } (
6 
             L L { ( I , s ¯ up + i I v up   i ) }
7 
      for j 1 to ( k + ) / 2 p / 2 do
8 
             J IntegerToCombination ( j ) // J is a set of p / 2 distinct int.s in { 0 , , k + 2 1 } (
9 
            if ( I , i J v up   i + ( k + ) / 2 ) L then
10 
                  if weight ( s ¯ down + i I J v down   i ) = t p then
11 
                         e ^ [ 0 1 × ( k + )   ( s ¯ down + i I J v down   i ) T ]
12 
                        foreach i I do
13 
                               e ^ e ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
14 
                        foreach i J do
15 
                               e ^ e ^ + [ 0 1 × i + ( k + ) / 2   1   0 1 × ( r + ( k + ) / 2 1 i ) ]
16 
                        break
17 
untilweight ( e ^ ) = t
18 
return e ^ P T
Considering that the invertibility condition is required only for an ( r ) × ( r ) submatrix, we  have that
C IS - FS ( n , r , ) = 1 i = 1 r ( 1 2 i )   C RREF ( n , r , ) + r 2
for a use of the ISD to solve Syndrome Decoding Problem (SDP), while the last r 2 term is not present in case the method is employed to solve the Codeword Finding Problem (CFP).
Proposition 5
(Computational complexity of Algorithm 6). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 6 also requires two additional parameters 0 p t , 0 ( k p ) .
The time complexity of Algorithm 6 can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–17 and the computational requirements of executing the loop body c iter . In  particular, the time complexity is
C ISD ( n , r , t , p , ) = 1 Pr succ c iter   = n t ( k + ) / 2 p / 2 2 r t p C IS - FS ( n , r , )   + ( k + ) / 2 p / 2 p 2 + ( k + ) / 2 p / 2 C IntToComb + p 2 + ( k + ) / 2 p / 2 2 p ( r ) ) ,
where C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e., finding the corresponding combination among all the ( k + ) / 2 p / 2 ones. Note that, if the value of p is fixed, it is possible to avoid C IntToComb , specializing the algorithm with a p-deep loop nest to generate the combinations. The spatial complexity is S ISD ( n , r , t , p , ) = O r n + ( k + ) / 2 p / 2 ( p 2 log 2 ( k + l 2 ) + ) .
With a line of reasoning analogous to Stern’s ISD, we consider the complexity of Finiasz and Sendrier’s ISD with a logarithmic memory access cost, multiplying the cost of the iteration by the binary logarithm of the size of the required memory.

3.7. May–Meurer–Thomae

The variant of ISD proposed by May, Meurer and Thomae in [15] improves Finiasz and Sendrier’s variant by introducing two tweaks, resulting in Algorithm 7. The first tweak changes the way in which the p error positions in the permuted error vector e ^ are chosen. Instead of splitting them equally as p 2 in the leftmost k + 2 columns and p 2 in the subsequent k + 2 ones, the selection is made picking two disjoint sets of indexes I , J { 0 , , k + 1 } . Such an approach increases the number of possible permutations which respect this constraint.
The second tweak considers V up as logically split into two submatrices V up = V up 1 V up 2 dividing it row-wise into two parts, the first one with 1 rows and the second one with 2 = 1 rows. After performing the same partial RREF, as it is done in the Finiasz and Sendrier’s ISD, we obtain U H ^ = V up 1 0 1 × ( r ) V up 2 0 2 × ( r ) V down I r and the corresponding s ¯ = s ¯ up 1 s ¯ up 2 s ¯ down .
Such a subdivision is employed to further enhance the efficiency of the checks on the columns of V with respect to the idea of matching bit strings with a precomputed set introduced by Stern. To this end, the sets I and J are in turn obtained as the disjoint union of a pair subsets with cardinality p 4 . Let  I be I 1 I 2 and J be J 1 J 2 . For the sake of simplicity, the disjoint union is realized picking the elements of I 1 , J 1 in { 0 , , k + 2 1 } and the ones of I 2 , J 2 in { k + 2 , , k + 1 } .
The May–Meurer–Thomae (MMT) algorithm thus proceeds to exploit a time to memory trade-off deriving from the same equation employed by Stern, applying twice the precomputation strategy. The derivation from the test equality on the syndrome is done as follows
s ¯ up = i I v up   i + j J v up   j
s ¯ up 1 s ¯ up 2 = a up 1 s ¯ up 2 + b up 1 0 2 × 1 ,   a up 1 s ¯ up 2 = j J v up 1   j v ¯ up 2   j ,   b up 1 0 2 × 1 = i I v up 1   i v ¯ up 2   i .
May, Meurer and Thomae exploited the strategy described by Stern to derive candidate values for the elements of I and J , rewriting the last two equalities as
a up 1 s ¯ up 2 + j J 1 v up 1   j v ¯ up 2   j = j J 2 v up 1   j v ¯ up 2   j ,   b up 1 0 2 × 1 + i I 1 v up 1   i v ¯ up 2   i = i I 2 v up 1   i v ¯ up 2   i
and exploiting their form to build two lists of candidate values for I and J , I ¯ and J ¯ , such that for the elements of the first list, it holds that 0 2 × 1 + i I 1 ¯ v ¯ up 2   i = i I 2 v ¯ up 2   i , and for the elements of the second list it holds that s ¯ up 2 + j J 1 ¯ v ¯ up 2   j = j J ¯ 2 v ¯ up 2   j . We note that, through a straightforward implementation optimization, matching the one employed in Stern’s algorithm, only  the first list needs to be materialized (appearing as L in Algorithm 7).
The second observation made in the MMT algorithm relates to the possibility of reducing the size of the list involved in Stern’s algorithm to compute the value of the sought error vector via a meet-in-the-middle strategy. The observation relies on the fact that it is possible to obtain the first k + bits of the permuted error vector e ^ , e ^ [ k + ] as the sums of two k + long bit vectors, e ^ 1 , e ^ 2 with weight p 2 each. Stern’s algorithm limits the positions of the ones in e ^ 1 , e ^ 2 to be in the first half of the bits for e ^ 1 and in the second half for e ^ 2 , yielding a single valid pair e ^ 1 , e ^ 2 for a given e ^ . By contrast May–Meurer–Thomae does not constrain the positions of the two sets of p 2 positions to be picked from different halves of the k + region of the error vector, but instead it only constrains the choice to non-overlapping positions. In such a fashion, considering the correct guess of p positions, we have that they can be split into the two p 2 sets in p p / 2 possible valid ways, in turn increasing the likelihood of a correct guess. If this choice is made, it is possible to reduce the size of the lists employed to compute the man in the middle approach by a factor of p p / 2 , while retaining (on average), at least a solution. To this end, the authors suggested picking the value of l 2 as k + 2 p 4 , in a way to reduce the size of the lists by the proper factor.
Proposition 6
(Computational complexity of Algorithm 7). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 7 requires three additional parameters 0 p t , 1 and 2 such that 1 + 2 = , 0 ( k p ) .
The time complexity of May–Meurer–Thomae is
C ISD ( n , r , t , p , 1 , 2 ) = n t k + p r t p C IS FS ( n , r , ) + ( k + ) / 2 p / 4 p 4 2 + min ( k + ) / 2 p / 4 , ( k + ) / 2 p / 2 p p / 2 · p 4 2 + ( k + ) / 2 p / 4 2 2 p 2 1 + + ( k + ) / 2 p / 4 p 4 2 + ( k + ) / 2 p / 4 p 4 2 + ( k + ) / 2 p / 4 2 2 p 2 1 + ( k + ) p / 2 p p / 2 2 1 p ( r ) .
The spatial complexity of May–Meurer–Thomae is
S ISD ( n , r , t , p , ) = O r n + ( k + ) / 2 p / 4 ( p 4 log 2 ( k + l 2 ) + 2 ) + min ( k + ) / 2 p / 4 , ( k + ) / 2 p / 2 p p / 2 ( p 2 log 2 ( k + ) + ) .
Algorithm 7: Syndrome decoding formulation of May–Meurer–Thomae ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               e ^ = e P : the error vector permuted by P
              p: the weight of the first k bits of e ^ , 0 p t , p = 2 proven optimal
               1 , 2 : two parameters with 1 + 2 = , 0 r ( t p )
               s ¯ : an r-bit long binary column vector, equal to the syndrome of e through V up 1 0 1 × ( r ) V up 2 0 2 × ( r ) V down I r , s ¯ = s ¯ up 1 s ¯ up 2 s ¯ down
              V: an r × (k + ) binary matrix V = v 0 v k 1 = V up 1 V up 2 V down = v up 1   0 v up 1   k + 1 v up 2   0 v up 2   k + 1 v down   0 v down   k + 1
               L : list of pairs ( I , a I ) with I a set of integer indexes between 0 and k + − 1, and a I an -bit binary column vector; length of
               L is kept at most ( k + ) p / 2 / p p / 2
               L 1 , L 2 : list of pairs ( I 1 , a I 1 ) , and ( J 1 , a J 1 ) with I 1 , J 1 set of integer indexes between 0 and k + 2 1 , and a I 1 , a I 1 , 1 and 2
              bit binary column vectors
1 
repeat
2 
       P , V up 1 0 1 × ( r ) V up 2 0 2 × ( r ) V down I r , s ¯ ISextract- FS ( H , s , )
3 
       L 1
4 
      for j 1 to ( k + ) / 2 p / 4 do
5 
             I 1 IntegerToCombination ( j ) // I 1 is a set of p / 4 int.s in { 0 , , k + 2 1 }
6 
             L 1 L 1 { ( I 1 , s ¯ up 2 + i I 1 v up 2   i ) }
7 
       L
8 
      for i 1 to ( k + ) / 2 p / 4 do
9 
             I 2 IntegerToCombination ( i ) // I 2 is a set of p / 4 int.s in { 0 , , k + 2 1 }
10 
            if ( I 1 , i I 2 v up 2   i + ( k + ) / 2 ) L 1 then
11 
                   I I 1
12 
                  for j I 2 do
13 
                         I I { j + k + 2 }
14 
                   L L { ( I , i I v up 1   i ) }
15 
                  if | L | ( k + ) p / 2 / p p / 2 then
16 
                        break
      // L 1 is no longer needed from here onwards
17 
       L 2
18 
      for j 1 to ( k + ) / 2 p / 4 do
19 
             J 1 IntegerToCombination ( j ) // J 1 is a set of p / 4 int.s in { 0 , , k + 2 1 } (
20 
             L 2 L 2 { ( J 1 , i J 1 v up 2   i ) }
21 
      for a 1 to ( k + ) / 2 p / 4 do
22 
             ( J 2 IntegerToCombination ( a ) // J 2 is a set of p / 4 int.s in { 0 , , k + 2 1 } (
23 
            if ( J 1 , s ¯ up 2 + i J 2 v up 2   i + ( k + ) / 2 ) L 2 then
24 
                   J J 1
25 
                  for j J 2 do
26 
                         J J { j + k + 2 }
27 
                  if ( I , s ¯ up 1 + j J v up 1   j ) L then
28 
                        if weight ( s ¯ down + i I J v down   i ) = t p then
29 
                               e ^ 0 1 × ( k + )   ( s ¯ down + i I J v down   i ) T ]
30 
                              foreach i I J do
31 
                                     e ^ e ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
32 
                              break
33 
untilweight ( e ^ ) = t
34 
return e ^ P T
Proof. 
The computational complexity is derived considering the number of iterations of the loops in the algorithm, taking into account the probability of the checks being taken. The spatial complexity is obtained as the sum of the size of the matrix H, the size requirements of L 1 (as L 2 has the same size and can reuse its space) and the expected size of L considering how many pairs may survive the check performed when building it. □

3.8. Becker–Joux–May–Meurer

The Becker–Joux–May–Meurer (BJMM) algorithm introduced in [16] improves the MMT algorithm in two ways: the former is a recursive application of the list building strategy, and the latter is a change to the list element generation employed. We discuss the latter first, forsaking for the sake of clarity its recursive application at first. We then describe the adaptations needed to adopt the recursive splitting strategy without issues.
The BJMM algorithm considers that it is possible to represent a vector e of weight p, length k + , as the sum of two vectors e 1 , e 2 of weight p 2 + ε , and with the same length, under the assumption that the ε extra ones cancel out during the addition. We recall that the MMT approach demands that both e 1 and e 2 have weight strictly equal to p 2 . The BJMM algorithm thus raises the number of valid pairs e 1 , e 2 employed to represent e by a factor equal to k + p ε . Such an improvement is employed to further reduce the size of the lists of values which need to be computed to find e with a meet-in-the-middle approach on checking that the condition V e 1 + V e 2 = s ¯ up . Indeed, since R = p p 2 k + p ε pairs ( e 1 , e 2 ) which respect e = e 1 + e 2 exist, searching a 1 R fraction of the k + l p 2 + ϵ 2 exhaustively will yield (on average) a solution, assuming that the solution pairs are uniformly distributed over all the k + l p 2 + ϵ 2 ones.
Willing to employ a strategy to enumerate only a 1 R fraction of the pairs, while doing useful computation instead of a simple 1 R sub-sampling of the space of the pairs, the BJMM algorithm opts for performing a partial check of the V e 1 + V e 2 = s ¯ up equation, on a smaller number of bits than and discarding the pairs which do not pass the check.
Let us denote with V up [ ρ ] the first ρ rows of V up and with s ¯ up [ ρ ] the first ρ bits of the syndrome s ¯ up The BJMM algorithm thus employs the test V up [ ρ ] e 1 + V up [ ρ ] e 2 = s ¯ up [ ρ ] to obtain a twofold objective: discard a fraction of the ( e 1 , e 2 ) pairs, and select the portion to be kept among the pairs which at least have the first ρ bits of the sum of the columns of V up [ ρ ] matching the value of the corresponding syndrome bits. Such an approach has the advantage over a random sampling that the pairs which are selected have already been checked for compliance on a part of the V e 1 + V e 2 = s ¯ up equation, i.e., it performs a random subsampling while doing useful computation. The BJMM paper suggests that the value of ρ should be ρ log 2 ( R ) : under the assumption that the r bit sums being performed are made of random values, and that the sum should match a given r bit value, only a fraction equal to 1 2 ρ , i.e.,  1 R survives. Note that, regardless of the choice of ρ , a selection of the correct positions will always survive the preliminary checks on ρ bits, while wrong solutions are filtered out on the basis that they will not match on the first ρ bits. In the complete algorithm, the aforementioned line of reasoning is applied twice, as the list-building strategy is recursively applied, leading to two different reduction factors depending on the recursion depth itself.
We now come to the second improvement of the BJMM algorithm, the recursive application of the meet-in-the-middle strategy employed by all the ISDs since Stern’s. Stern’s meet-in-the-middle approach starts from rewriting V up [ l ] e 1 + V up [ l ] e 2 = s ¯ up as V up [ l ] e 1 = V up [ l ] e 2 + s ¯ up . The original BJMM proceeds to build two lists of pairs. The first list contains, for all possible e 1 , the pairs ( V up [ l ] e 1 , e 1 ) . The second list contains, for all possible e 2 , the pairs ( V up [ l ] e 2 + s ¯ up , e 2 ) . The BJMM algorithm sorts lexicographically the two lists on the first elements of the pairs and then checks for the matching pairs in essentially linear time in the length of the lists.
We note that a more efficient (memory saving) way of performing the same computation involves inserting in a (open hash) hashmap which employs as the key V up [ l ] e 1 for the value e 1 . Subsequently, computing on the fly V up [ l ] e 2 + s ¯ up , and looking it up in the hashmap, yields all the matching pairs for e 2 . Let N be the number of possible pairs and M the number of matching pairs, the original strategy requires O ( 2 N + 2 N log 2 2 N + M ) vector sized operations, while the modified one requires O ( N + N + M ) .
The BJMM algorithm employs the meet-in-the-middle strategy to generate the values for the candidate vectors e more than once. In particular, a candidate for e, e ( 0 ) , weight p, length k + , is  generated from two vectors e 1 ( 1 ) , e 2 ( 1 ) , weight p 1 = p 2 + ε 1 , length k + . The e 1 ( 1 ) , e 2 ( 1 ) vectors are in turn generated by pairs e 1 ( 2 ) , e 2 ( 2 ) and e 3 ( 2 ) , e 4 ( 2 ) , which all have weight p 2 = p 1 + ε 2 . Finally, e 1 ( 2 ) , e 2 ( 2 ) , e 3 ( 2 ) , e 4 ( 2 ) , are generated by pairs e 1 + 2 i ( 3 ) , e 2 + 2 i ( 3 ) , i { 0 , 1 , 2 , 3 } , which have length k + , and weight p 3 = p 2 2 + 0 , i.e., no extra ones which will cancel out are allowed when generating e ( 2 ) ’s.
In adopting this approach, two issues must be coped with: no overlapping positions for the ones should be present between any e 1 + 2 i ( 3 ) , e 2 + 2 i ( 3 ) pair, and the values all the V up [ l ] e i ( 1 ) , V up [ l ] e i ( 2 ) , V up [ l ] e ( 1 ) are matched against should be unrelated, so that the sampling of pairs during the merge action of two lists is indeed picking items independently from another list merger on the same level. This allows a list merger at a lower level to consider the elements from above to be picked at random. The first issue is solved picking the positions of the ones for a e 1 + 2 i ( 3 ) , e 2 + 2 i ( 3 ) pair from disjoint sets. Since the independence among the inputs of two level-3 list mergers should still hold, a pair of disjoint sets is generated for each level-3 list pair. In other words, for a given e 1 + 2 i ( 3 ) , e 2 + 2 i ( 3 ) pair, the position of the ones of e 1 + 2 i ( 3 ) , belong to a k + 2 sized set which has null intersection with the set of positions from which the ones of e 2 + 2 i ( 3 ) are picked. This constraint may cause a given target permuted error not to be representable as a combination of the aforementioned pairs. Indeed, consider the fact that the aforementioned strategy implies that there are possible k + 2 p 3 2 pairs, while the vectors to be represented are k + 2 p 3 .
The second issue is solved slightly modifying the matching equations as follows
V up [ ] e 1 ( 1 ) = V up [ ] e 2 ( 1 ) + s ¯ up [ ] no   change V up [ r 1 ] e 1 ( 2 ) = V up [ r 1 ] e 2 ( 2 ) + s ¯ up [ r 1 ] V up [ r 1 ] e 1 ( 2 ) = V up [ r 1 ] e 2 ( 2 ) + s ¯ up [ r 1 ] + rnd 1 V up [ r 1 ] e 3 ( 2 ) = V up [ r 1 ] e 4 ( 2 ) + 0 [ r 1 ] V up [ r 1 ] e 3 ( 2 ) = V up [ r 1 ] e 4 ( 2 ) + rnd 1 V up [ r 2 ] e 1 ( 3 ) = V up [ r 2 ] e 2 ( 3 ) + s ¯ up [ r 2 ] V up [ r 2 ] e 1 ( 3 ) = V up [ r 2 ] e 2 ( 3 ) + s ¯ up [ r 2 ] + rnd 1 + rnd 2 V up [ r 2 ] e 3 ( 3 ) = V up [ r 2 ] e 4 ( 3 ) + 0 r 2 V up [ r 2 ] e 3 ( 3 ) = V up [ r 2 ] e 4 ( 3 ) + rnd 2 V up [ r 2 ] e 5 ( 3 ) = V up [ r 2 ] e 6 ( 3 ) + 0 r 2 V up [ r 2 ] e 5 ( 3 ) = V up [ r 2 ] e 5 ( 3 ) + rnd 1 + rnd 2 V up [ r 2 ] e 7 ( 3 ) = V up [ r 2 ] e 8 ( 3 ) + 0 r 2 V up [ r 2 ] e 7 ( 3 ) = V up [ r 2 ] e 7 ( 3 ) + rnd 2
so that the checks at each level also act in such a fashion that the total sum over r 2 , r 1 , matches the syndrome already, while retaining the desired randomness.
Proposition 7
(Computational complexity of Algorithm 8). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 8 requires three additional parameters 0 p t , 1 and 2 such that 1 + 2 = , 0 ( k p ) .
The time complexity of the algorithm is
C ISD ( n , r , t , p , 1 , 2 ) = P s u c c e s s - B J M M 1 C i t e r
where the probability of an iteration to succeed, P s u c c e s s - B J M M , is equal to the one in May–Meurer–Thomae (i.e., n t k + p r t p ), multiplied by a factor which quantifies the fact that it is possible, picking the two disjoint sets over the subsets of p i positions from the error vector are selected may result in a set which does not contain enough positions. Such a factor, considered in all the splits in the BJMM is ( k + ) / 2 p 3 2 k + p 2 4 . The cost of an iteration of the loop at Lines 1–27 of the BJMM is as follows
4 k + + 2 k + 2 p 3 + 2 + k + 2 p 3 2 ( 2 p 3 2 ) + 2 p 1 p 1 / 2 k + p 1 ε 2 2 2 k + 2 p 3 2 2 ( 2 p 2 1 ) + p p / 2 k + p ε 1 2 1 p 1 p 1 / 2 k + p 1 ε 2 2 2 k + 2 p 3 2 2 2 ( 2 p 1 ) + p p / 2 k + p ε 1 2 1 p 1 p 1 / 2 k + p 1 ε 2 2 2 k + 2 p 3 2 2 2 2 ( p ( r ) ) .
The first line constitutes the cost of the loop at Lines 4–16, the second line is the cost of the loop at Lines 17–23, the third line is the cost of the loop at Lines 24–27 save for the portion related to the branch at Line 25 being taken. The last line is the cost of computing the body of the taken branch, multiplied by the probability of such a branch being taken.
The BJMM variant of the ISD shares with the Stern, Finiasz and Sendrier, and May–Meurer– Thomae ISDs the fact that the exponential memory requirements should be taken into account by a logarithmic access cost, instead of a constant one. We do so following the same method employed for the aforementioned variants, i.e., augmenting the cost of the iteration accordingly.

3.9. Speedups in ISD Algorithms Due to Quasi-Cyclic Codes

A common choice to reduce the size of the keys in a McEliece or Niederreiter cryptosystem is to employ a so-called quasi-cyclic code. Such a code is characterized by a parity-check matrix composed by circulant block matrices, i.e., matrices where all the rows are obtained as a cyclic shift of the first one.
It is possible to exploit such a structure to provide a polynomial speedup factor to both the solution of Codeword Finding Problem (CFP) and Syndrome Decoding Problem (SDP). The speedup in the solution of the Codeword Finding Problem (CFP) can be derived in a straightforward fashion observing that, in the case of both the Codeword Finding Problem (CFP) against the primal and the one against the dual code, for each codeword to be found in a quasi cyclic code with p sized circulant blocks, p 1 more codewords can be derived simply as a block-wise circulant shift of the first one. As  a consequence, for a given codeword with weight w sought by the algorithm, it is guaranteed that at least p many of them are present in the code. Thus, in this case. the success probability of each iteration can be obtained as 1 1 Pr succ p ; when p Pr succ 1 , this in turn implies that the probability of success approximately grows by a factor p, in turn speeding up any ISD by the same factor.
An analogous line of reasoning leads to exploit the Decoding One Out of Many (DOOM) algorithm proposed by Sendrier in [38] to speed up the solution of the Syndrome Decoding Problem (SDP). Decoding One Out of Many (DOOM) relies on the fact that a set of syndromes S through the same parity check matrix are provided to the attacker, and he attempts at decoding at least one of them. In  case of a quasi cyclic code, cyclically shifting the syndrome yields a different, valid syndrome, and a predictable cyclic shift on the corresponding (unknown) error vector. It is therefore possible for an attacker to derive p different syndromes, starting from one and, in case one of them is successfully decoded, no matter which one, he will be able to reconstruct the sought error vector. Essentially, Decoding One Out of Many (DOOM) performs multiple ISD instances, taking care of duplicating only the checks which involve the syndrome, thus pooling the considerable amount of effort required in the rest of the iteration. The overall speedup achieved by Decoding One Out of Many (DOOM) for a quasi cyclic code with block size p is p .
Algorithm 8: Syndrome decoding formulation of Becker–Joux–May–Meurer ISD.
    Input: s: an r-bit long syndrome (column vector)
                H: an r × n binary parity-check matrix
                t: the weight of the error vector to be recovered
    Output: e: an n-bit binary row error vector s.t. H e T = s , with weight ( e ) = t
    Data: P: an n × n permutation matrix
               e ^ = e P : the error vector permuted by P
              p: the weight of the first k bits of e ^ , 0 p t
              : a free parameter 0 r ( t p )
               s ¯ : an r-bit long binary column vector, equal to the syndrome of e through V up 0 × ( r ) V down I r , s = s ¯ up s ¯ down
              V: an r × (k + ) binary matrix V = v 0 v k 1 = V up V down = v up   0 v up   k 1 v down   0 v woenp   k 1
               L b ( a ) : list of set of indexes I ( a ) , at layer a, (root layer: a = 0, leaf layer a = 3)
               | I ( a ) | = p a = p a 1 / 2 + ε a , a 1 , 2 , 3 , p0 = p, ε3 = 0; the elements of I ( a ) are integers in {0,…,k + − 1}
               1,2: parameters respecting 0 ≤ 21, stated as optimized for l 1 log 2 p p / 2 k + l p ε 1 ,
               l 1 log 2 p 1 p 1 / 2 k + l p 1 ε 2
1 
repeat
2 
       P , V up 0 × ( r ) V down I r , s ¯ ISextract- FS ( H , s , )
3 
      for i 0 to 3 do
4 
             L 2 i ( 3 )
5 
             I 2 i RandomExtract ( k + )                         // populates I 2 i with k + 2 values in { 0 , , k + 1 } (
6 
             I 2 i + 1 { 0 , , k + 1 } I 2 i
7 
            for j 1 to ( k + ) / 2 p 3 do
8 
                   I EnumerateComb ( I 2 i , p 3 , j )             // Picks the jth comb. of p 3 items of I 2 i (
9 
                   L 2 i ( 3 ) L 2 i ( 3 ) { ( I , i I v up 2   i ) }
10 
      for i 0 to 1 do
11 
             x RandBitString ( 2 ) + s ¯ up 2
12 
             L 2 i ( 2 )
13 
            foreach j 1 to ( k + ) / 2 p 3 do
14 
                   J EnumerateComb ( I 2 i + 1 , p 3 , j )
15 
                   a x + j J v up 2   j
16 
                  if ( I , a ) L 4 i ( 3 ) then
17 
                         L 2 i ( 2 ) L 2 i ( 2 ) { ( I J , x + i I J v up 1   i ) }
18 
                  if | L 2 i ( 2 ) | > k + p 2 / p 1 p 1 / 2 k + l p 1 ϵ 2 then
19 
                        break
20 
      foreach ( I , J ) L 0 ( 1 ) × L 1 ( 1 ) do
21 
            if i I v up   i + j J v up   j = s ¯ [ ] then
22 
                  if weight ( s ¯ down + i I J v down   i ) = t p then
23 
                         e ^ [ 0 1 × ( k + )   ( s ¯ down + i I J v down   i ) T ]
24 
                        foreach i I J do
25 
                               e ^ e ^ + [ 0 1 × i   1   0 1 × ( r + k 1 i ) ]
26 
                        break
27 
untilweight ( e ^ ) = t
28 
return e ^ P T

3.10. Speedups from Quantum Computing

While there is no known polynomial time algorithm running on a quantum computer able to solve either Syndrome Decoding Problem (SDP) or Codeword Finding Problem (CFP), it is still possible to achieve a significant speedup in the attacks exploiting Grover’s zero-finding algorithm. Grover’s algorithm [39] finds a zero of an n-input Boolean function with a computational cost of 2 n function computations, instead of the 2 n required with a classical computer. The first instance of a proposed exploitation of Grover’s algorithm to speed up ISDs was made by Bernstein in [40], observing that one iteration of Prange’s algorithm can be rewritten as a Boolean function having a zero iff the iteration is successful in finding a valid error vector. The essence of the observation is that the Reduced Row Echelon Form (RREF) computation, and the weight check on the resulting syndrome can be expressed as Boolean functions, and it is straightforward to extend them so that a single bit output indicating the success of the iteration is added. Such an approach allows reducing the number of iterations to be performed to the square root of the one for the classical algorithm, since each iteration of Prange’s algorithm is essentially trying (exhaustively) to find a zero of the aforementioned Boolean function. We therefore rephrase the computational complexity of Prange’s algorithm on a quantum computer. For the sake of simplicity in the analysis, we forgo the overhead of implementing the Boolean function as a reversible circuit, obtaining a conservative estimate of the actual complexity.
Proposition 8
(Quantum computational complexity of Algorithm 1). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 1 running on a quantum computer can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–7 and the computational requirements of executing the loop body c iter . In particular, the time complexity is C ISD ( n , r , t ) = 1 Pr succ c iter = n t r t C IS ( n , r ) + O ( n ) , with 
C IS ( n , r ) = 1 i = 1 r ( 1 2 i )   C RREF ( n , r ) + r 2 ,
C RREF ( n , r ) = O n r 2 2 + n r 2 r 3 6 + r 2 + r 6 1 .
The spatial complexity is S ISD ( n , r , t ) = O ( r n ) .
Following an argument similar to the one for Prange, we note that there is essentially no difficulty in interpreting Lee and Brickell’s variant of the ISD as computing a slightly more complex Boolean function at each iteration, allowing to reformulate its complexity (Proposition 2) for the quantum case as follows.
Proposition 9
(Quantum computational complexity of Algorithm 2). Given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding the row error vector e with length n and weight t such that s = H e T with Algorithm 2 requires an additional parameter 0 p t .
The time complexity of Algorithm 2 running on a quantum computer can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–14 and the computational requirements of executing the loop body c iter . In particular, the time complexity is
C ISD ( n , r , t , p ) = 1 Pr succ c iter = n t k p r t p C IS ( n , r ) + k p ( C IntToComb + p r ) ,
where C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e., finding the corresponding combination among all the k p ones. The spatial complexity is S ISD ( r , n ) = O ( r n ) .
Similarly, we also reformulate Leon’s Algorithm 4 as follows.
Proposition 10
(Quantum computational complexity of Algorithm 4). Given H, an  r × n binary parity-check matrix, s, an r-bit long syndrome (column vector) obtained through H, and the two parameters 0 p t , 0 ( k p ) , the complexity of finding the row error vector e with length n and weight t such that s = H e T with Algorithm 4 running on a quantum computer can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–10 and the computational requirements of executing the loop body c iter . In particular, the time complexity is C ISD ( n , r , t , p , ) = 1 Pr succ c iter = n t k p r t p C IS ( n , r ) + k p C IntToComb + p + k p 2 p ( r ) , where  C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e., finding  the corresponding combination among all the k p ones. Note that, if the value of p is fixed, it is possible to avoid C IntToComb , specializing the algorithm with a p-deep loop nest to generate the combinations. The spatial complexity is S ISD ( r , n ) = O ( r n ) .
Finally, we tackle the reformulation of Stern’s ISD for the quantum case.
Proposition 11
(Quantum computational complexity of Algorithm 5). As for Algorithm 4, given H, an  r × n binary parity-check matrix and s, an r-bit long syndrome (column vector) obtained through H, finding  the row error vector e with length n and weight t such that s = H e T with Algorithm 5 requires two additional parameters 0 p t , 0 ( k p ) .
The time complexity of Algorithm 5 running on a quantum computer can be computed starting from the probability of success Pr succ of a single iteration of the loop at Lines 1–14 and the computational requirements of executing the loop body c iter . In particular, the time complexity is
C ISD ( n , r , t , p , ) = 1 Pr succ c iter = n t k / 2 p / 2 2 r t p C IS ( n , r ) + k / 2 p / 2 p 2 + k / 2 p / 2 ( C IntToComb + p 2 + k / 2 p / 2 2 p ( r ) )
where C IntToComb = O ( ( 2 k p ) ( log ( k p ) ) 2 ) is the cost of decoding an integer into its combinadics representation, i.e., finding the corresponding combination among all the k / 2 p / 2 ones. Note that, if the value of p is fixed, it is possible to avoid C IntToComb , specializing the algorithm with a p-deep loop nest to generate the combinations. The spatial complexity is S ISD ( n , r , t , p , ) = O r n + k / 2 p / 2 ( p 2 log 2 ( k 2 ) + ) .
Since advanced ISD algorithms reduce the overall complexity by reducing the number of iterations at the cost of an increased complexity per iteration, the speedup due to Grover’s algorithm is less evident for modern variants than for classical forms of ISD. Indeed, for all cases where the trade-off on a classical computer reduces by a factor α the number of iterations, at the cost of raising by α the cost of the iteration itself, we have that the trade-off turns out to be disadvantageous on a quantum computer where the speedup factor α is cut down to α by Grover, while the single iteration slowdown stays the same. This was already observed in [41], where it was found that the quantum variant of Stern’s algorithm does not achieve smaller work factors than the quantum variant of Lee and Brickell’s algorithm. Indeed, in the same work, it is noted that the complexity of the quantum-computer variant of Stern’s algorithm achieves a smaller complexity than the straightforward quantized version of the BJMM ISD. Finally, we note that the authors of [42] reported a re-elaboration of the MMT and BJMM ISDs for quantum computers which succeeds in effectively lowering their asymptotic complexities. We however do not take them into account in this work, as no finite regime complexity formulas are provided in [42] for the proposed algorithms. We report, in Table 1, a summary of all the computational complexities of the examined Information Set Decoding (ISD) algorithms, together with the parameters which should be optimized to achieve the best running time for each one of them.

4. Quantitative Assessment of ISD Complexities

In this section, we analyze the computational complexities to solve the Syndrome Decoding Problem (SDP) and the Codeword Finding Problem (CFP) for sets of code parameters relevant to post quantum cryptosystems. To this end, we select the proposals which were admitted to the second round of the NIST post quantum cryptography standardization effort [24] relying on a Niederreiter cryptosystem, or its McEliece variant.
In particular, we consider Classic McEliece [43] and NTS-KEM [44], which employ Goppa codes, and BIKE [34] and LEDAcrypt [31], which employ quasi cyclic codes, to assess our finite domain approach on both quasi-cyclic codes and non-quasi-cyclic codes. The parameters for the reported cryptosystems are designed to match the computation effort required to break them to the one required to break AES-128 (Category 1), AES-192 (Category-3), and AES-256 (Category 5). We report the code length n, code dimension k, number of errors to be corrected t and size of the circulant block p for all the aforementioned candidates in Table 2. Furthermore, for the cryptosystems relying on low- or moderate-density parity check codes, we also report the weight of the codeword to be found, w, in the case of a Codeword Finding Problem (CFP).
We implemented all the complexity formulas from Section 3 employing Victor Shoup’s NTL library, representing the intermediate values either as arbitrary precision integers, or as NTL::RR selectable precision floating point numbers. We chose to employ a 128 bit mantissa and the default 64  bit exponent for the selectable precision.
To minimize the error in computing a large amount of binomial coefficients, while retaining acceptable performance, we precompute the exact values for all the n k binomials for all pairs n , k up to 3 , 000 200 . Furthermore, to minimize the error of Stirling’s approximation whenever n k we also precompute all the exact values for the binomials up to 10 , 000 10 , and compute the exact value whenever k < 10 . To provide a fast approximated computation for all the binomials which do not fall in the aforementioned intervals, we compute the binomials employing the logarithm of Stirling’s series approximated to the fourth term.
We explored the parameter space of each algorithm considering the fact that the different parameters drive different trade-off points in each algorithm. To this end, we explored an appropriately sized region of the parameter space, which we report in Table 3. To determine the explored region, we started from a reasonable choice and enlarged the region until the value of the parameters minimizing the attack complexity was no longer on the region edge for all the involved parameters. We employed, for the choice of the 2 parameter in the MMT ISD variant and the 1 and 2 parameters in the BJMM variant, the choices which were advised in the respective works.
We took into account the advantage provided by a quasi cyclic code in both the Syndrome Decoding Problem (SDP) and the Codeword Finding Problem (CFP) solution complexity, reducing it by a factor equal to p , the square root of the cyclic block size for the Syndrome Decoding Problem (SDP), and p for the Codeword Finding Problem (CFP), in accordance with the point raised in Section 3.9.
Table 4 reports the computational costs of solving both Syndrome Decoding Problem (SDP) and Codeword Finding Problem (CFP) by means of the described variants of the Information Set Decoding (ISD). In addition to the computational complexities obtained, the value of a simple asymptotic cost criterion for the Information Set Decoding (ISD)s, described in [34], is reported. Such a criterion states that the asymptotic complexity of an ISD is 2 log 2 ( 1 k n ) t , for the case of the use in solving a Syndrome Decoding Problem (SDP). A noteworthy point to observe is that, considering the finite regime value of the complexities, the May–Meurer–Thomae algorithm attains a lower time complexity than the Becker–Joux–May–Meurer algorithm in most cases. Indeed, while the Becker–Joux–May–Meurer Information Set Decoding (ISD) variant has a lower asymptotic cost, considering a worst-case-scenario for the solution of the Syndrome Decoding Problem (SDP), i.e., code rate close to 0.5, and a large enough value for n, a finite regime estimate of its cost reports that employing the May–Meurer–Thomae approach should result in a faster computation. Concerning the space complexities of the approaches with exponential (in the code length n) space requirements, we report the obtained values in Table 5. We note that the Information Set Decoding (ISD) variants proposed by Stern and Finiasz and Sendrier have an overall lower memory consumption that their more advanced counterparts. In particular, the space complexities of the aforementioned variants start as low as 16 Gib for Category 1 parameters, and are thus amenable to an implementation which keeps the entire lists in main memory on a modern desktop. By contrast, the May–Meurer–Thomae and Becker–Joux–May–Meurer Information Set Decoding (ISD) variants require a significantly higher amount of memory, with the latter being less demanding than the former in all cases but the one of LEDAcrypt in its n 0 = 2 parameterization for extremely long term keys (LEDAcrypt-XT). In all cases, the space complexities of May–Meurer–Thomae and Becker–Joux–May–Meurer exceed 2 50 , pointing strongly to the need of a significant amount of mass storage to implement a practical attack. Such a requirement is even more stringent in the case of higher security levels, where the memory requirements exceed 2 100 for most parameter choices.

5. Conclusions

In this work, we survey the current approaches to solve efficiently the Information Set Decoding (ISD) problem, providing a complete procedural description of the algorithms at hand. We provide finite regime expressions to estimate both the computational demand and the space requirements of the different Information Set Decoding (ISD) alternatives. To provide insights on the effectiveness of asymptotic estimates for the Information Set Decoding (ISD) complexities, we evaluate them on a set of parameters chosen by code-based cryptosystems submitted to the current NIST standardization effort for post quantum cryptography. Our results show that the May–Meurer–Thomae variant of the Information Set Decoding (ISD) may be preferable in the case an actual attack is implemented against the cryptosystems at hand. Moreover, we also report that the simple approximation provided in [34] for the asymptotic cost of an Information Set Decoding (ISD) appears to be overestimating the complexity of the attack in the finite regime, by a small but significant amount. In light of the obtained results, we deem a practical evaluation of the complexities of the described algorithms on reduced security instances of the cryptosystems at hand an interesting topic for further investigation.

Author Contributions

Conceptualization, M.B., A.B., F.C., G.P. and P.S.; Writing – original draft, M.B., A.B., F.C., G.P. and P.S.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Berlekamp, E.R.; McEliece, R.J.; van Tilborg, H.C.A. On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 1978, 24, 384–386. [Google Scholar] [CrossRef]
  2. Goppa, V.D. A new class of linear correcting codes. Probl. Pered. Inf. 1970, 6, 24–30. [Google Scholar]
  3. Niederreiter, H. Knapsack-type cryptosystems and algebraic coding theory. Probl. Contr. Inf. Theory 1986, 15, 159–166. [Google Scholar]
  4. Sidel’nikov, V.M.; Shestakov, S. On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discret. Math. Appl. 1978, 2, 439–444. [Google Scholar] [CrossRef]
  5. Gaborit, P. Shorter Keys for Code Based Cryptography. In Proceedings of the International Workshop on Coding and Cryptography 2015, Bergen, Norway, 14–18 March 2005; pp. 81–90. [Google Scholar]
  6. Monico, C.; Rosenthal, J.; Shokrollahi, A. Using Low Density Parity Check Codes in the McEliece Cryptosystem. In Proceedings of the IEEE International Symposium on Information Theory (ISIT 2000), Sorrento, Italy, 25–30 June 2000; p. 215. [Google Scholar]
  7. Misoczki, R.; Barreto, P.S.L.M. Compact McEliece keys from Goppa codes. In Selected Areas in Cryptography; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5867, pp. 376–392. [Google Scholar]
  8. Baldi, M.; Bodrato, M.; Chiaraluce, F. A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In Security and Cryptography for Networks; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5229, pp. 246–262. [Google Scholar]
  9. Misoczki, R.; Tillich, J.P.; Sendrier, N.; Barreto, P.S.L.M. MDPC-McEliece: New McEliece Variants from Moderate Density Parity-Check Codes. In Proceedings of the IEEE International Symposium on Information Theory (ISIT 2013), Istanbul, Turkey, 7–12 July 2013; pp. 2069–2073. [Google Scholar]
  10. Prange, E. The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 1962, 8, 5–9. [Google Scholar] [CrossRef]
  11. Lee, P.J.; Brickell, E.F. An Observation on the Security of McEliece’s Public-Key Cryptosystem. In Proceedings of the Advances in Cryptology—EUROCRYPT ’88, Workshop on the Theory and Application of of Cryptographic Techniques, Davos, Switzerland, 25–27 May 1988; pp. 275–280. [Google Scholar]
  12. Leon, J.S. A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 1988, 34, 1354–1359. [Google Scholar] [CrossRef] [Green Version]
  13. Stern, J. A Method for Finding Codewords of Small Weight. In Proceedings of the Coding Theory and Applications, 3rd International Colloquium, Toulon, France, 2–4 November 1988; pp. 106–113. [Google Scholar]
  14. Finiasz, M.; Sendrier, N. Security Bounds for the Design of Code-Based Cryptosystems. In Proceedings of the Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009; pp. 88–105. [Google Scholar]
  15. May, A.; Meurer, A.; Thomae, E. Decoding random linear codes in Õ(20.054n). In Proceedings of the Advances in Cryptology—ASIACRYPT 2011—17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, Korea, 4–8 December 2011; pp. 107–124. [Google Scholar]
  16. Becker, A.; Joux, A.; May, A.; Meurer, A. Decoding Random Binary Linear Codes in 2n/20: How 1 + 1 = 0 Improves Information Set Decoding. In Proceedings of the Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; pp. 520–536. [Google Scholar]
  17. Coffey, J.T.; Goodman, R.M. The complexity of information set decoding. IEEE Trans. Inf. Theory 1990, 36, 1031–1037. [Google Scholar] [CrossRef] [Green Version]
  18. Kruk, E. Decoding complexity bound for linear block codes. Probl. Peredachi Inf. 1989, 25, 103–107. [Google Scholar]
  19. Barg, A.; Kruk, E.; van Tilborg, H. On the complexity of minimum distance decoding of long linear codes. IEEE Trans. Inf. Theory 1999, 45, 1392–1405. [Google Scholar] [CrossRef] [Green Version]
  20. Bassalygo, L.; Zyablov, V.; Pinsker, M. Problems of complexity in the theory of correcting codes. Probl. Peredachi Inf. 1977, 13, 5–17. [Google Scholar]
  21. Barg, A. Complexity Issues in Coding Theory. Electronic Colloquium on Computational Complexity (ECCC) - Reports Series 1997. 1997. TR97-096. Available online: https://eccc.weizmann.ac.il/eccc-reports/1997/TR97-046/Paper.pdf (accessed on 27 September 2019).
  22. Pless, V.S. (Ed.) Handbook of Coding Theory; Elsevier Science Inc.: New York, NY, USA, 1998. [Google Scholar]
  23. Kabatiansky, G.; Krouk, E.; Semenov, S. Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept; Wiley Inc.: New York, NY, USA, 2005. [Google Scholar]
  24. USA National Institute of Standards and Technology. Post-Quantum Crypto Project; USA National Institute of Standards and Technology: Gaithersburg, MA, USA, 2016.
  25. Hamdaoui, Y.; Sendrier, N. A non asymptotic analysis of information set decoding. IACR Cryptol. EPrint Arch. 2013, 2013, 162. [Google Scholar]
  26. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. LEDAtools. 2019. Available online: https://github.com/LEDAcrypt/LEDAtools (accessed on 27 September 2019).
  27. Arora, S.; Barak, B. Computational Complexity—A Modern Approach; Cambridge University Press: Cambridge, UK, 2009. [Google Scholar]
  28. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Rosenthal, J.; Santini, P.; Schipani, D. Design and implementation of a digital signature scheme based on low-density generator matrix codes. arXiv 2018, arXiv:1807.06127. [Google Scholar]
  29. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. LEDAkem: A post-quantum key encapsulation mechanism based on QC-LDPC codes. arXiv 2018, arXiv:1801.08867. [Google Scholar]
  30. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. LEDAkem: A Post-Quantum Key Encapsulation Mechanism Based on QC-LDPC Codes. In Proceedings of the Post-Quantum Cryptography—9th International Conference, PQCrypto 2018, Fort Lauderdale, FL, USA, 9–11 April 2018; Volume 10786, pp. 3–24. [Google Scholar]
  31. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. LEDAcrypt: QC-LDPC Code-Based Cryptosystems with Bounded Decryption Failure Rate. In Proceedings of the Code-Based Cryptography, 7th International Workshop, CBC 2019, Darmstadt, Germany, 18–19 May 2019. [Google Scholar]
  32. McEliece, R.J. A Public-Key Cryptosystem Based on Algebraic Coding Theory; DSN Progress Report; 1978; pp. 114–116. Available online: https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/19780016269.pdf (accessed on 27 September 2019).
  33. Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. LEDAcrypt Website. 2019. Available online: https://www.ledacrypt.org/ (accessed on 27 September 2019).
  34. Aragon, N.; Barreto, P.S.L.M.; Bettaieb, S.; Bidoux, L.; Blazy, O.; Deneuville, J.C.; Gaborit, P.; Gueron, S.; Guneysu, T.; Aguilar Melchor, C.; et al. BIKE: Bit Flipping Key Encapsulation, 2017. NIST Post-Quantum Cryptography Project: First Round Candidate Algorithms. Available online: https://bikesuite.org/ (accessed on 27 September 2019).
  35. MacKay, D.J.C. Information Theory, Inference and Learning Algorithms, 1st ed.; Cambridge University Press: Cambridge, UK, 2003. [Google Scholar]
  36. Kirchner, P. Improved generalized birthday attack. IACR Cryptol. EPrint Arch. 2011, 2011, 377. [Google Scholar]
  37. Niebuhr, R.; Cayrel, P.L.; Buchmann, J. Improving the Efficiency of Generalized Birthday Attacks against Certain Structured Cryptosystems. In Proceedings of the Workshop on Coding And Cryptography (WCC 2011), Paris, France, 11–15 April 2011; pp. 163–172. [Google Scholar]
  38. Sendrier, N. Decoding One Out of Many. In Proceedings of the Post-Quantum Cryptography—4th International Workshop, PQCrypto 2011, Taipei, Taiwan, 29 November–2 December 2011; pp. 51–67. [Google Scholar]
  39. Grover, L.K. A Fast Quantum Mechanical Algorithm for Database Search. In Proceedings of the 28th Annual ACM Symposium on the Theory of Computing, Philadephia, PA, USA, 22–24 May 1996; pp. 212–219. [Google Scholar]
  40. Bernstein, D.J. Grover vs. McEliece. In Post-Quantum Cryptography; Sendrier, N., Ed.; Springer: Berlin/ Heidelberg, Germany, 2010; pp. 73–80. [Google Scholar]
  41. De Vries, S. Achieving 128-Bit Security Against Quantum Attacks in OpenVPN. Master’s Thesis, University of Twente, Enschede, The Netherlands, 2016. [Google Scholar]
  42. Kachigar, G.; Tillich, J. Quantum Information Set Decoding Algorithms. In Proceedings of the Post-Quantum Cryptography—8th International Workshop, PQCrypto 2017, Utrecht, The Netherlands, 26–28 June 2017; Volume 10346, pp. 69–89. [Google Scholar]
  43. Bernstein, D.J.; Chou, T.; Lange, T.; Maurich, I.V.; Misoczki, R.; Niederhagen, R.; Persichetti, E.; Peters, C.; Schwabe, P.; Sendrier, N.; et al. Classic McEliece: Conservative Code-Based Cryptography, 2019. NIST Post-Quantum Cryptography Project: Second Round Candidate Algorithms. Available online: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-2-Submissions (accessed on 27 September 2019).
  44. Albrecht, M.; Cid, C.; Paterson, K.G.; Tjhai, C.J.; Tomlinson, M. NTS-KEM, 2019. NIST Post-Quantum Cryptography Project: Second Round Candidate Algorithms. Available online: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-2-Submissions (accessed on 27 September 2019).
Table 1. Overview of ISDs costs in terms of execution time complexities, considering a constant access memory cost model, expressed as: Cost = NumberOfIterations × Cost single   iteration .
Table 1. Overview of ISDs costs in terms of execution time complexities, considering a constant access memory cost model, expressed as: Cost = NumberOfIterations × Cost single   iteration .
NameNo.of Iterations
(i.e., 1 / Pr succ )
Parameters to Optimize
Prange [10] n t r t none
Lee–Brickell [11] n t k p r t p 0 p t ( p = 2 is asymp. optimal)
Leon [12] n t k p r t p 0 p t , 0 r ( t p )
Stern [13] n t k / 2 p / 2 2 r t p 0 p t , 0 r ( t p )
Finiasz–Sendrier [14] n t ( k + ) / 2 p / 2 2 r t p 0 p t , 0 r ( t p )
MMT [15] n t k + p r t p , 0 p t , 1 + 2 = , 0 r ( t p ) , 2 log 2 k + 2 p / 4
BJMM [16] n t k + p r t p k + 2 p 3 2 k + p 2 4 2 log 2 p 1 p 1 / 2 k + p 1 ϵ 2 , 1 log 2 p p / 2 k + p ϵ 1 ,   0 p t , 0 r ,   0 2 1 , 0 ϵ 1 t p ,   0 ϵ 2 t p 1 , p 3 = p 2 2 ,   p 2 = p 1 2 + ε 2 ,   p 1 = p 2 + ε 1
NameSingle Iteration Cost
Prange [10] C IS ( n , r ) + O ( n )
Lee–Brickell [11] C IS ( n , r ) + k p ( p r )
Leon [12] C IS ( n , r ) + k p ( p r )
Stern [13] C IS ( n , r ) + k p p + p 2 p ( r )
Finasz-Sendrier [14] C IS ( n , r ) + k / 2 p / 2 p + k / 2 p / 2 2 p ( r )
MMT [15] C IS FS ( n , r , ) + min ( k + ) / 2 p / 4 , ( k + ) / 2 p / 2 p p / 2 · p 4 2 + ( k + ) / 2 p / 4 2 2 p 2 1 + ( k + ) / 2 p / 4 p 2 2 + ( k + ) / 2 p / 4 p 4 2 + ( k + ) / 2 p / 4 2 2 p 2 1 + ( k + ) / 2 p / 4 k + p / 2 2 1 + 2 p p / 2 p ( r )
BJMM [16] C IS FS ( n , r , ) + 4 k + + 2 k + 2 p 3 + 2 + k + 2 p 3 2 ( 2 p 3 2 ) + 2 p 1 p 1 / 2 k + p 1 ε 2 2 2 k + 2 p 3 2 2 ( 2 p 2 1 ) + 1 2 1 p p / 2 k + p ε 1 1 2 2 p 1 p 1 / 2 k + p 1 ε 2 k + 2 p 3 2 2 2 ( 2 p 1 ) + 1 2 1 2 1 p p / 2 k + p ε 1 1 2 2 p 1 p 1 / 2 k + p 1 ε 2 k + 2 p 3 2 2 2 ( p ( r ) )
Table 2. Summary of the code parameters for the second round submissions: code length n, code redundancy n k = r , and number of errors expected to be corrected t.
Table 2. Summary of the code parameters for the second round submissions: code length n, code redundancy n k = r , and number of errors expected to be corrected t.
CategoryCipherVariantnktwp
1Classic McEliece 3488272064-1
NTS-KEM 4096332864-1
BIKE-2KEM-CPA20,32610,16313414210,163
KEM-CCA23,55811,77913414211,779
LEDAcryptKEM, n 0 = 2 29,87814,93913615414,939
KEM, n 0 = 3 24,80716,538862438269
KEM, n 0 = 4 30,18822,641693647547
KEM-LT, n 0 = 2 71,79835,89913615435,899
KEM-XT, n 0 = 2 104,29452,14713615452,147
3Classic McEliece 4608336096-1
NTS-KEM 8192715280-1
BIKE-2KEM-CPA39,70619,58319920619,583
KEM-CCA49,64224,82119920624,821
LEDAcryptKEM, n 0 = 2 51,38625,69319921025,693
KEM, n 0 = 3 48,20132,13412736316,067
KEM, n 0 = 4 57,36443,02310154014,341
KEM-LT, n 0 = 2 115,79857,89919921057,899
KEM-XT, n 0 = 2 192,44296,22119921096,221
5Classic McEliece n = 6688 66885024128-1
n = 6960 69605413119-1
n = 8192 81926528128-1
NTS-KEM 81926424136-1
BIKE-2KEM-CPA65,49832,74926427432,749
KEM-CCA81,19440,59726427440,597
LEDAcryptKEM, n 0 = 2 73,75436,87726728636,877
KEM, n 0 = 3 82,31154,87416949527,437
KEM, n 0 = 4 90,76468,07313467622,691
KEM-LT, n 0 = 2 178,10289,05126728689,051
KEM-XT, n 0 = 2 304,534152,267267286152,267
Table 3. Explored parameter range for the different ISD variants.
Table 3. Explored parameter range for the different ISD variants.
ISD VariantParameter Range
Prange [10]none
Lee–Brickell [11] 1 p 12 ( p = 2 is asymp. optimal)
Leon [12] 1 p 12 , 0 min ( 100 , r ( t p ) )
Stern [13] 2 p 18 , 0 min ( 100 , r ( t p ) )
Finasz-Sendrier [14] 2 p 18 , 0 min ( 100 , r ( t p ) )
MMT [15] 4 p 34 ,   110 min ( 350 , r ( t p ) ) 1 + 2 = , 2 = log 2 k + 2 p / 4
BJMM [16] 10 p 24 , 90 min ( 330 , r ( t p ) ) , 2 = log 2 ( p 1 p 1 / 2 k + p 1 ϵ 2 , 1 = log 2 ( p p / 2 k + p ϵ 1 , 0 ϵ 1 4 ,   0 ϵ 2 4 ,
Table 4. Computational costs expressed as log 2 ( bit _ operations ) , for each ISDs applied to NIST round-2 code-based cryptosystems. Information Set Decoding (ISD) variants are labeled as: Prange (Pr), Lee and Brickell (LB), Leon (Le), Stern (St), Finiasz and Sendrier (FS), May–Meurer–Thomae (MMT), and Becker–Joux–May–Meurer (BJMM); quantum accelerated variants prefixed by “Q-”. The quantum complexities are expressed in log 2 ( bit _ operations ) for the corresponding non-reversible circuit, and thus provide a lower bound on the actual quantum circuit complexity. The table also reports a simple approximation for the asymptotic cost of classical ISDs, log 2 ( 1 k n ) t , computed for all parameters
Table 4. Computational costs expressed as log 2 ( bit _ operations ) , for each ISDs applied to NIST round-2 code-based cryptosystems. Information Set Decoding (ISD) variants are labeled as: Prange (Pr), Lee and Brickell (LB), Leon (Le), Stern (St), Finiasz and Sendrier (FS), May–Meurer–Thomae (MMT), and Becker–Joux–May–Meurer (BJMM); quantum accelerated variants prefixed by “Q-”. The quantum complexities are expressed in log 2 ( bit _ operations ) for the corresponding non-reversible circuit, and thus provide a lower bound on the actual quantum circuit complexity. The table also reports a simple approximation for the asymptotic cost of classical ISDs, log 2 ( 1 k n ) t , computed for all parameters
Category 1—Security Level Equivalent to Break AES-128 on a Classical Machine
ProblemCipherVariantPrLBLeStFSMMTBJMMQ-LBQ-St log 2 ( 1 k n ) t
Codeword Finding Problem (CFP)BIKE-2CPA167.28156.31154.66146.56146.54123.92151.0192.2893.696142.00
CCA167.61156.65154.91146.84146.82124.29151.3892.6694.074142.00
LEDAcrypt n 0 = 2 180.25169.06167.24158.76158.75135.21163.7999.21100.62154.00
n 0 = 3 169.46157.89156.60147.79147.76126.45151.1294.0695.469142.15
n 0 = 4 179.86167.79165.69157.13157.10135.17160.3599.71101.12151.07
LT, n 0 = 2 182.44171.27169.16160.88160.88137.96169.02101.5102.98154.00
XT, n 0 = 2 183.44172.28170.09161.91161.91138.90172.14102.6104.02154.00
Syndrome Decoding Problem (SDP)Classic McEliece 170.82160.38160.43152.51152.46118.61149.9196.4197.15139.73
NTS-KEM 186.03175.33175.33166.76166.72127.52162.54104.11104.81154.56
BIKE-2CPA165.86155.06153.37145.60145.58123.78150.3694.9896.39134.00
CCA166.30155.51153.74146.00145.99124.28150.8695.4896.88134.00
LEDAcrypt n 0 = 2 169.05158.23156.35148.59148.57126.83154.3097.2698.67136.00
n 0 = 3 167.89157.53154.65147.82147.81123.66152.3196.3197.72136.31
n 0 = 4 169.62159.40155.86149.32149.31123.17155.4997.4798.22138.00
LT, n 0 = 2 171.95161.15159.00151.46151.45129.63160.32100.30101.70136.00
XT, n 0 = 2 173.24162.44160.23152.78152.78130.88163.75101.62103.02136.00
Category 3—Security Level Equivalent to Break AES-192 on a Classical Machine
ProblemCipherVariantPrLBLeStFSMMTBJMMQ-LBQ-St log 2 ( 1 k n ) t
Codeword Finding Problem (CFP)BIKE-2CPA229.29217.29215.52205.50205.49176.73210.18123.7125.17201.99
CCA233.76221.73219.83209.79209.78181.12215.22126.2127.68206.00
LEDAcrypt n 0 = 2 237.86225.78223.87213.72213.72184.67219.33128.3129.76210.00
n 0 = 3 241.70228.98227.03216.59216.57188.66220.93130.5131.96212.34
n 0 = 4 254.92241.73238.97228.80228.78200.04232.76137.6139.01224.12
LT, n 0 = 2 239.86227.79225.65215.68215.68188.81224.99130.5131.93210.00
XT, n 0 = 2 241.21229.15226.93217.08217.07190.88227.63131.9133.34210.00
Syndrome Decoding Problem (SDP)Classic McEliece 214.70203.45203.36194.36194.32155.09190.53118.71120.18180.91
NTS-KEM 272.34260.40259.95248.01247.91190.18240.63147.85148.46238.21
BIKE-2CPA229.50217.61215.82205.99205.98178.12210.87127.49128.89195.12
CCA234.01222.09220.17210.33210.32182.57215.95130.11131.51199.00
LEDAcrypt n 0 = 2 234.12222.20220.26210.43210.42182.79216.33130.23131.63199.00
n 0 = 3 235.32223.84220.82211.91211.90180.13217.56130.67132.07201.29
n 0 = 4 235.98224.66220.97212.39212.39177.94218.56131.26132.66202.00
LT, n 0 = 2 236.74224.83222.67213.02213.02187.02222.64133.01134.41199.00
XT, n 0 = 2 238.47226.57224.33214.80214.80189.40225.67134.79136.19199.00
Category 5—Security Level Equivalent to Break AES-256 on a Classical Machine
ProblemCipherVariantPrLBLeStFSMMTBJMMQ-LBQ-St log 2 ( 1 k n ) t
Codeword Finding Problem (CFP)BIKE-2CPA302.77289.92288.03276.41276.40239.96281.57160.7162.18274.00
CCA303.23290.38288.41276.83276.83241.65282.72161.3162.72274.00
LEDAcrypt n 0 = 2 315.08302.11300.19288.35288.34250.97293.22167.0168.44286.00
n 0 = 3 320.55306.93304.48292.78292.77257.64297.70170.3171.71289.56
n 0 = 4 312.68298.84295.66284.59284.58250.96289.06166.8168.22280.57
LT, n 0 = 2 317.16304.20302.03290.38290.37257.62299.52169.3170.76286.00
XT, n 0 = 2 318.57305.61303.37291.83291.83261.01302.47170.8172.24286.00
Syndrome Decoding Problem (SDP)Classic McEliece n = 6688 293.55281.32281.17270.46270.42219.80263.74158.38159.84256.89
Classic McEliece n = 6960 294.49282.29282.05271.18271.13218.79264.39158.87160.33258.18
Classic McEliece n = 8192 331.64319.08318.77306.63306.54249.74299.89177.55179.01294.34
NTS-KEM 338.58325.94325.68313.52313.44256.88306.72181.02182.48300.85
BIKE-2CPA300.21287.47285.56274.15274.15239.12279.52163.30164.70264.00
CCA300.83288.10286.11274.75274.74240.81280.84164.00165.40264.00
LEDAcrypt n 0 = 2 303.56290.79288.84277.40277.39242.63282.64165.18166.58267.00
n 0 = 3 303.84291.53288.42277.98277.98238.73284.34165.48166.88267.86
n 0 = 4 303.68291.54287.78277.67277.67234.66282.96165.52166.92268.00
LT, n 0 = 2 306.33293.58291.40280.14280.14249.21289.67168.16169.55267.00
XT, n 0 = 2 308.15295.39293.14282.00282.00252.61293.04170.03171.43267.00
Table 5. Memory costs expressed as log 2 ( memory _ size _ in _ bits ) , for each list-based ISDs (i.e., St [13], FS [14], MMT [15], and BJMM [16]) applied to NIST round-2 code-based cryptosystems. Information Set Decoding (ISD) variants are labeled as: Stern (ST), Finiasz and Sendrier (FS), May–Meurer–Thomae (MMT), and Becker–Joux–May–Meurer (BJMM)
Table 5. Memory costs expressed as log 2 ( memory _ size _ in _ bits ) , for each list-based ISDs (i.e., St [13], FS [14], MMT [15], and BJMM [16]) applied to NIST round-2 code-based cryptosystems. Information Set Decoding (ISD) variants are labeled as: Stern (ST), Finiasz and Sendrier (FS), May–Meurer–Thomae (MMT), and Becker–Joux–May–Meurer (BJMM)
Category 1—Security Level Equivalent to Break AES-128 on a Classical Machine
ProblemCipherVariantStFSMMTBJMM
Codeword Finding Problem (CFP)BIKE-2CPA40.7240.7453.4752.59
CCA41.3841.4054.3453.08
LEDAcrypt n 0 = 2 42.4642.4855.7455.48
n 0 = 3 39.8139.8352.2650.51
n 0 = 4 39.4039.4351.7350.59
LT, n 0 = 2 46.4046.4048.4161.44
XT, n 0 = 2 48.0648.0750.0864.26
Syndrome Decoding Problem (SDP)Classic McEliece 34.6834.7678.0368.19
NTS-KEM 35.6035.6580.2970.36
BIKE-2CPA40.7240.7453.4752.59
CCA41.3841.4054.3453.08
LEDAcrypt n 0 = 2 42.4642.4855.7455.48
n 0 = 3 42.8942.9156.3355.51
n 0 = 4 44.3144.3269.6358.72
LT, n 0 = 2 46.4046.4048.4161.44
XT, n 0 = 2 48.0648.0750.0864.26
Category 3—Security Level Equivalent to Break AES-192 on a Classical Machine
ProblemCipherVariantStFSMMTBJMM
Codeword Finding Problem (CFP)BIKE-2CPA43.6743.6879.5157.23
CCA44.7444.7581.5858.66
LEDAcrypt n 0 = 2 44.9044.9081.8959.01
n 0 = 3 42.8042.8177.7856.22
n 0 = 4 42.3042.3176.7955.07
LT, n 0 = 2 48.5448.5476.5465.32
XT, n 0 = 2 50.8150.8166.7468.52
Syndrome Decoding Problem (SDP)Classic McEliece 35.6635.7180.4170.51
NTS-KEM 77.6377.7488.9980.42
BIKE-2CPA43.6743.6879.5157.23
CCA44.7444.7581.5858.66
LEDAcrypt n 0 = 2 44.9044.9081.8959.01
n 0 = 3 45.8845.8983.8461.30
n 0 = 4 47.1847.1898.2063.29
LT, n 0 = 2 48.5448.5463.7465.32
XT, n 0 = 2 50.8150.8166.7468.52
Category 5—Security Level Equivalent to Break AES-256 on a Classical Machine
ProblemCipherVariantStFSMMTBJMM
Codeword Finding Problem (CFP)BIKE-2CPA45.9845.98106.6161.50
CCA46.9546.96109.1162.69
LEDAcrypt n 0 = 2 46.5146.52108.0061.71
n 0 = 3 45.2045.21104.5659.68
n 0 = 4 44.3544.36102.3658.74
LT, n 0 = 2 50.4650.4692.8068.73
XT, n 0 = 2 52.8652.8683.6472.22
Syndrome Decoding Problem (SDP)Classic McEliece n = 6688 37.4847.1884.9775.83
Classic McEliece n = 6960 47.5857.0285.8177.02
Classic McEliece n = 8192 67.6476.8287.9579.97
NTS-KEM 67.5067.5987.7779.72
BIKE-2CPA45.9845.98106.6261.50
CCA46.9546.9697.6262.69
LEDAcrypt n 0 = 2 46.5146.52108.0061.71
n 0 = 3 48.2748.28112.6264.77
n 0 = 4 49.2349.24115.1365.98
LT, n 0 = 2 50.4650.4692.8068.73
XT, n 0 = 2 52.8652.8683.6472.22

Share and Cite

MDPI and ACS Style

Baldi, M.; Barenghi, A.; Chiaraluce, F.; Pelosi, G.; Santini, P. A Finite Regime Analysis of Information Set Decoding Algorithms. Algorithms 2019, 12, 209. https://doi.org/10.3390/a12100209

AMA Style

Baldi M, Barenghi A, Chiaraluce F, Pelosi G, Santini P. A Finite Regime Analysis of Information Set Decoding Algorithms. Algorithms. 2019; 12(10):209. https://doi.org/10.3390/a12100209

Chicago/Turabian Style

Baldi, Marco, Alessandro Barenghi, Franco Chiaraluce, Gerardo Pelosi, and Paolo Santini. 2019. "A Finite Regime Analysis of Information Set Decoding Algorithms" Algorithms 12, no. 10: 209. https://doi.org/10.3390/a12100209

APA Style

Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., & Santini, P. (2019). A Finite Regime Analysis of Information Set Decoding Algorithms. Algorithms, 12(10), 209. https://doi.org/10.3390/a12100209

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop