U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Presentation

Decoding failures and error floors

July 27, 2022

Presenters

Angela Robinson - NIST

Description

Abstract:

There is a class of public-key cryptography (PKC) based on linear error-correcting codes (ECC). Early code-based cryptosystems offered provable security but impractically large public keys. As such, over the past few decades, cryptographers have attempted to find more efficient code-based designs while maintaining sufficient security. The decoder used during error correction directly affects the security of a code-based cryptosystem because, often, the private key is used in the process of recovering a shared secret from a syndrome. Correlations between error patterns that lead to decoding failures and the private key of a scheme have been discovered, leading cryptographers to work diligently to minimize decoding failures.

We present experimental findings on the decoding failure rate (DFR) of BIKE, a fourth-round candidate in the NIST Post-Quantum Standardization process, at the 20-bit security level. We select parameters according to BIKE design principles and conduct a series of experiments. We directly compute the average DFR on a range of BIKE block sizes and identify both the waterfall and error floor regions of the DFR curve. We then study the influence on the average DFR of three sets C, N, and 2N of near-codewords — vectors of low weight that induce syndromes of low weight — defined by Vasseur in 2021. We find that error vectors leading to decoding failures have small maximum support intersection with elements of these sets; further, the distribution of intersections is quite similar to that of sampling random error vectors and counting the intersections with C, N, and 2N. Our results indicate that these three sets are not sufficient in classifying vectors expected to cause decoding failures. Finally, we study the role of syndrome weight on the decoding behavior and conclude that the set of error vectors that lead to decoding failures differ from random vectors by having low syndrome weight.

Presented at

Crypto Reading Club talk on 2022-Jul-27

Parent Project

See: Crypto Reading Club

Related Topics

Security and Privacy: cryptography

Created July 26, 2022