Improved Information Set Decoding Decoding Random Linear Codes in O(20.054n)
Alexander May, Alexander Meurer, Enrico Thomae
ASIACRYPT 2011, Seoul
HORST GÖRTZ INSTITUTE FOR IT-SECURITY
FACULTY OF MATHEMATICS Department for IT-Security and Cryptology
Recap Binary Linear Codes
A binary linear code C is a k-dimensional subspace of F2n
n
●
Generator matrix
G =k
0/1
C = { xt·G : x 2 F2k }
n
●
Parity check matrix
H = n-k
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
0/1
C = { H·c = 0 : c 2 F2n }
Recap Binary Linear Codes
A binary linear code C is a k-dimensional subspace of F2n
n
●
Generator matrix
G =k
0/1
C = { xt·G : x 2 F2k }
n
●
Parity check matrix
H = n-k
0/1
C = { H·c = 0 : c 2 F2n }
·
Minimum distance d = minx≠y2C{ wt(x+y) }
C is called binary [n,k,d] code.
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
·
d
x
y
·
Recap Binary Linear Codes
n
A binary
linear
code
C
is
a
k-dimensional
subspace
of
F
2
●
● Running
Running time
time of
of decoding
decoding algorithms:
algorithms: T(n,k,d)
T(n,k,d)
n
In
this
talk:
Analysis
for
random
binary
linear
In
this
talk:
Analysis
for
random
binary
linear
k
0
/
1
Generator matrix
G =
C = { xt·G : x 2 F2k }
codes
codes with
with constant
constant rate
rate R=k/n
R=k/n
●
●
●
n
For
For n→∞,
n→∞, kk and
and dd are
are related
related via
via GilbertGilbertVarshamov
bound,
Varshamov
bound, thus
thus
Parity
check matrix
H = n-k 0 / 1
●
●
●
C = { H·c = 0 : c 2 F2n }
T(n,k,d)
T(n,k,d) == T(n,k)
T(n,k)
●
·
● We
We compare
compare algorithms
algorithms by
by their
their complexity
complexity
Minimum
distance
d i.e.
=i.e.minc2C{ wt(c) }
coeffcient
F(k),
coeffcient
F(k),
·
F(k)n
F(k)n
T(n,k)
== O(2
))
Such C is called binary
[n,k,d]
T(n,k)
O(2code.
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
d
x
y
·
Scenario (Bounded Distance Decoding)
4 5
d-1
·
Obtain x = c + e with c 2 C and w := wt(e) =
2
·
·
x
Goal: Find e and thus c = x + e
4 5
d-1
2
·
Consider syndrome s := s(x) = H·x = H·(c+e) = H·e
→ Find linear combination of w columns of H matching s
weight w
n
n-k
H
=
+
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
+
=
s
c
·
Scenario (Bounded Distance Decoding)
4 5
d-1
·
Obtain x = c + e with c 2 C and w := wt(e) =
2
·
·
x
Goal: Find e and thus c = x + e
4 5
d-1
2
c
·
·
Consider syndrome s := s(x) = H·x = H·(c+e) = H·e
→ Find linear combination of w columns of H matching s
weight w
n
n-k
H
Brute-Force
Brute-Force complexity
complexity
=
+
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
+
n
s
T(n,k,d)
T(n,k,d) == w
=
Scenario (Bounded Distance Decoding)
4 5
d-1
·
Obtain x = c + e with c 2 C and w := wt(e) =
2
·
·
x
Goal: Find e and thus c = x + e
4 5
d-1
2
·
Consider syndrome s := s(x) = H·x = H·(c+e) = H·e
→ Find linear combination of w columns of H matching s
weight w
n
n-k
H
Complexity
Complexity
=
+
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
s
F(k) ≤ 0.38677
+
=
c
·
Some very basic observations
Allowed (linear algebra) transformations
●
Permuting the columns of H does not change the problem
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations
Allowed (linear algebra) transformations
●
Permuting the columns of H does not change the problem
weight w
n
n-k
H
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
= s
Some very basic observations
Allowed (linear algebra) transformations
●
Permuting the columns of H does not change the problem
weight w
n
n-k
H
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
= s
Some very basic observations
Allowed (linear algebra) transformations
●
Permuting the columns of H does not change the problem
●
Elementary row operations on H do not change the problem
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations
Allowed (linear algebra) transformations
●
Permuting the columns of H does not change the problem
●
Elementary row operations on H do not change the problem
weight w
n
n-k
H
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
= s
Some very basic observations
Allowed (linear algebra) transformations
●
Permuting the columns of H does not change the problem
●
Elementary row operations on H do not change the problem
weight w
n
UG
n-k
H
Invertible (n-k)x(n-k) matrix
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
=
UG
s
Randomized systematic form
From now on, we work on a randomly column-permuted version
of H in systematic form
(n-k) x k matrix
UG
*
H
=
*
Q
In-k
UP
(n-k)-dimensional
idendity matrix
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Basic Information Set Decoding
''Reducing the brute-force search
space by linear algebra.''
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Basic Information Set Decoding
Fundamental principle:
●
Randomization: transform H into column-permuted
systematic form
H
●
→
Q
In-k
Search phase: Try to fnd solution e =
weight w
weight w
Q
●
In-k
= s
If no solution found: Rerandomize and try again!
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
, i.e.
Basic Information Set Decoding
Fundamental principle:
●
Randomization: transform H into column-permuted
systematic form
H
Q In-k
→
-1
T(n,k,d)
T(n,k,d) == Pr[“good”
Pr[“good” randomization]
randomization]-1 xx C[Search]
C[Search]
●
Search phase: Try to fnd solution e =
weight w
weight w
Q
●
In-k
= s
If no solution found: Rerandomize and try again!
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
, i.e.
Classical ISD variants
Lee-Brickel (1988)
p
w-p
k
n-k
Q
In-k
= s
●
Brute force on Q, i.e. search e'=
●
If so, fll up e''=
w-p
p
with wt(Qe'+s) = w-p
with remaining (w-p) 1's
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants
Lee-Brickel (1988)
p
w-p
e'
k
n-k
k
Q
In-k
= s
⇔
Q
+ s
= e''
wt(Qe'+s) = w-p
●
Brute force on Q, i.e. search e'=
●
If so, fll up e''=
w-p
p
with wt(Qe'+s) = w-p
with remaining (w-p) 1's
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants
Lee-Brickel (1988)
p
w-p
e'
k
n-k
k
Q
In-k
= s
⇔
Q
+ s
= e''
wt(Qe'+s) = w-p
●
●
-1
-1
T(n,k,d)
=
Pr[“good”
randomization]
xxwith
C[Brute
force]
T(n,k,d)
=
Pr[“good”
randomization]
C[Brute
force]= w-p
p
Brute force on Q, i.e. search e'= −1
wt(Qe'+s)
If so, fll up e''=
==
w-p
k n−k
p with
w− p remaining
n
w
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
w-p
xx 1's
k
p
Classical ISD variants
Lee-Brickel (1988)
p
w-p
e'
k
n-k
k
Q
In-k
= s
⇔
Q
+ s
= e''
wt(Qe'+s) = w-p
●
●
Complexity (bounded
distance
decoding)
(bounded
decoding)
p
Brute forceComplexity
on Q, i.e. search
e'= distance
with wt(Qe'+s) = w-p
If so, fll up e''=
remaining w-p 1's
F(k) ≤with
0.05751
w-p
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants
Stern (1989)
●
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
= s
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants
Stern (1989)
●
p/2
Find
with
Find e'=
e'= p/2
with
Qe'=s'
Qe'=s' on
on frst
frst ll coordinates,
coordinates, i.e.
i.e.
p/2
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
p/2
=
Q'
= s
s'
q1 , … , qk
*
:
*
via
via standard
standard sort
sort &
& match
match
∑ qi
i ∈I 1
k
I 1⊂[ 1, , ]
2
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
match
∑ qis '
i ∈I 2
k
I 2⊂[ 1,, k ]
2
Classical ISD variants
Stern (1989)
●
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
p/2
p/2
0
w-p
q1 , … , qk
= s
⇔
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Q'
+ s
=
In-k
Classical ISD variants
Stern (1989)
●
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
0
= s
⇔
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
w-p
s'
*
:
*
+ s
=
In-k
Classical ISD variants
Stern (1989)
●
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
0
= s
⇔
⇔
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
w-p
s'
*
:
*
+ s
=
0
*
:
*
= e''
In-k
Classical ISD variants
Stern (1989)
●
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
T(n,k,d)
T(n,k,d)
0
= s
==
==
s'
⇔
*
:
*
+ s
=
-1
Pr[“good”
randomization]
Pr[“good” randomization]-1 xx0C[MitM]
C[MitM]
[
⇔
2
k / 2 ⋅ n−k −l
p/ 2
w− p
n
w
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
w-p
]
−1
*
xx:
*
k=/2 e''
p/2
In-k
Classical ISD variants
Stern (1989)
●
Meet-in-the-middle on Q
p/2
p/2
0
w-p
k/2
k/2
l
n-k-l
q1 , … , qk
Q'
In-k
0
= s
⇔
s'
*
:
*
+ s
=
Complexity
Complexity (bounded
(bounded distance
distance decoding)
decoding)
0
F(k) ⇔
≤ 0.05563
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
w-p
*
:
*
= e''
In-k
Wrapping up so far
●
Different methods search for different error-distributions
●
Lee-Brickel (1988)
●
Stern (1989)
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
p
p/2
w-p
p/2
0
w-p
Wrapping up so far
●
●
Different methods search for different error-distributions
●
Lee-Brickel (1988)
●
Stern (1989)
p
p/2
w-p
p/2
0
w-p
Recently: Ball-collision decoding (CRYPTO11) by Bernstein et al.
●
Improving Pr[good rand.] by allowing q extra 1's within the
length l zero-window
●
F(k) ≤ 0.05558
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
p/2
p/2
q/2 q/2
w-p-q
Wrapping up so far
●
●
Different methods search for different error-distributions
●
Lee-Brickel (1988)
●
Stern (1989)
p/2
w-p
p/2
0
w-p
Recently: Ball-collision decoding (CRYPTO11) by Bernstein et al.
●
Improving Pr[good rand.] by allowing q extra 1's within the
length l zero-window
●
●
p
p/2
p/2
q/2 q/2
w-p-q
F(k) ≤ 0.05558
Both Stern and BallColl improve runtime at the cost of increased
space consumption (→ see paper for details)
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Wrapping up so far
Asymptotic complexity (Bounded Distance Decoding)
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Lee-Brickel
F(k) = 0.05751
Stern
F(k) = 0.05563
BallColl
F(k) = 0.05558
Our New Algorithm
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework
●
Starting point: Generalized ISD framework of Finiasz and
Sendrier (ASIACRYPT 2009)
●
Observation: Since frst l columns of In-k can not be used in
Stern's algorithm, we can simply „shift“ them to the Q-part
of H
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework
●
Starting point: Generalized ISD framework of Finiasz and
Sendrier (ASIACRYPT 2009)
●
Observation: Since frst l columns of In-k can not be used in
Stern's algorithm, we can simply „shift“ them to the Q-part
of H
k
H=
Q
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
n-k
In-k
Generalized ISD framework
●
Starting point: Generalized ISD framework of Finiasz and
Sendrier (ASIACRYPT 2009)
●
Observation: Since frst l columns of In-k can not be used in
Stern's algorithm, we can simply „shift“ them to the Q-part
of H
k+l
n-k-l
0
H=
Q
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
In-k-l
l rows
Generalized ISD framework
●
Major subproblem: Finding exactly p columns amongst
q1 , ..., qk+l matching s on it's frst l coordinates s'
k+l
n-k-l
q1 , ..., qk+l
0
Q'
In-k-l
H=
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
l rows
Generalized ISD framework
●
Major subproblem: Finding exactly p columns amongst
q1 , ..., qk+l matching s on it's frst l coordinates s'
●
Stern divides the qi into disjoint sets, i.e. searches index sets
kl
k l
q i qi =s '
I 1⊂[1, ,
] and I 2 ⊂[
1, , k l] with
2
2
i ∈I 1
i∈ I 2
∑
k+l
n-k-l
q1 , ..., qk+l
0
Q'
In-k-l
H=
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
l rows
∑
Our New Algorithm
●
Main contribution: More effcient non-disjoint matching
inspired by representation technique of Howgrave-Graham
and Joux (in the context of subset sum algorithms), i.e. pick
p
q i qi =s '
and
I 1, I 2⊂[1, , kl ] with ∣I j∣=
2
i ∈I 1
i∈ I 2
∑
k+l
n-k-l
q1 , ..., qk+l
0
Q'
In-k-l
H=
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
∑
l rows
The representation trick in detail
●
k+l
Aim: Find
such that
weight p
p
k+l
q1 , ..., qk+l
●
There are
=
ways of decomposing
p
p/2
p/2
p/2
,
→ It suffces to fnd one of them!
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
p/2
p/2
s1'
:
sl'
p
, ...
, e.g.
How can we proft from representations?
p
w-p
k+l
n-k-l
q1 , ..., qk+l
0
Q'
In-k-l
p
equivalent solutions
p/2
/ 2
k l
from k l
to
p/2
p/2
●
Advantage: Every solution expands into
●
Disadvantage: Search space grows
●
Goal: Find one solution via Divide & Conquer strategy
●
Rule of thumb: We get better if
k l
p/2
k l / 2
p
p/2
p/2
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
How can we proft from representations?
●
●
●
●
p
w-p
k+l
n-k-l
q1 , ..., qk+l
0
Q'
In-k-l
p
Advantage:
Every
solution
expands
into
equivalent
solutions
Complexity
0
p/2
Complexity
/ 2
k l
Disadvantage: Search space grows from k l
* to= e''
p/2
-1
-1 p / 2 :
T(n,k,d)
=
Pr[“good”
randomization]
x
C[RepTrick]
T(n,k,d) = Pr[“good” randomization] x C[RepTrick]
* attack (Wagner)
Goal: Find one solution via
Generalized
Birthday
k l
k l n−k −l
kl
==
p / 2 k l / 2 xx
Rule of thumb: We get better if
p
p/2
p / 2
⇔
[
]
−1
p
⋅
w−p
n
w
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
p/2
p
p/2
How can we proft from representations?
●
●
p
w-p
k+l
n-k-l
q1 , ..., qk+l
0
Q'
In-k-l
p
equivalent
solutions
0
p/2
k l / 2
k l
Disadvantage:
Search
space
grows
from
to
*
=
Complexity
(bounded
distance
decoding)
Complexity (bounded distance decoding)
p /e''
2
p/2
Advantage: Every solution expands into
⇔
●
Goal: Find one solution via Generalized
●
Rule of thumb: We get better if
:
Birthday*
k l
F(k) ≤ 0.05364
p/2
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
p
p/2
k l / 2
p/2
attack (Wagner)
Complexity comparison
Asymptotic complexitiy (Bounded Distance Decoding)
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Lee-Brickel
F(k) = 0.05751
BallColl
F(k) = 0.05558
MMT
F(k) = 0.05364
Summary
●
Asymptotically fastest generic decoding algorithm
●
Not a mere time-memory trade-off (→ see paper)
●
First application of HGJ representation trick to a different
scenario
Open questions
●
Precise analysis w.r.t. polynomial factors (e.g. linear algebra)
●
Transfer Bernstein's speed-up tricks for Stern's algorithm
●
What is the real break even point compared to other methods?
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Summary
●
Asymptotically fastest generic decoding algorithm
●
Not a mere time-memory trade-off (→ see paper)
●
First application of HGJ representation trick to a different
scenario
Thank you!
Open questions
●
Precise analysis w.r.t. polynomial factors (e.g. linear algebra)
●
Transfer Bernstein's speed-up tricks for Stern's algorithm
●
What is the real break even point compared to other methods?
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
© Copyright 2026 Paperzz