decoding linear codes with high error rate and its impact
play

Decoding Linear Codes with High Error Rate and its Impact for LPN - PowerPoint PPT Presentation

Jun 28, 2023 •198 likes •554 views

Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 , 09.-11.04.2018 Leif Both , Alexander May Horst Grtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics Our work

  1. Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 , 09.-11.04.2018 Leif Both , Alexander May Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics

  2. Our work ◮ Improved running times for decoding of random linear codes. State of the art Our algorithm 2 0 . 0953 n 2 0 . 0885 n Full Distance (FD) 2 0 . 0473 n 2 0 . 0465 n Half Distance (HD) ◮ Based on the BJMM algorithm (Becker, Joux, May, Meurer EC2012) and Nearest Neighbors (May, Ozerov EC2015). ◮ Works best for high error rates. ◮ Application: Hybrid algorithm for LPN (Esser, Kübler, May Crypto2017). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 2/24

  3. On Linear Codes Definition (Linear Code) A linear code C is a k -dimensional subspace of F n 2 . ◮ Alternative definition via Parity Check matrix P 2 | P c = 0 } , where P ∈ F ( n − k ) × n C = { c ∈ F n . 2 Definition (Distance) For a linear code C the distance is defined as c � = c ′ ∈ C { ∆( c , c ′ ) } . d = min Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 3/24

  4. The Decoding Problem Definition (Decoding Problem) Given: P , ω, x = c + e with c ∈ C , ∆( e ) = ω Find: e ( ⇒ c = x + e ) . ◮ Unique decoding of x if ω ≤ d − 1 2 . ◮ HD Decoding : ω = d − 1 2 . ◮ FD Decoding : ω = d . Definition (Syndrome) The Syndrome s of a vector x is defined as s := P x . ◮ s = P x = P c + P e ⇔ s = P e . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 4/24

  5. Compare Decoding Algorithms ◮ Running Time T ( n , k , d ). ◮ Use the Gilbert-Varshamov bound ⇒ d = f ( n , k ) ⇒ T ( n , k , d ) = T ( n , k ) . ◮ Worst case running time: T ( n ) = max k { T ( n , k ) } . ◮ Assumption: Exponential complexity of HD/FD decoding ⇒ T ( n ) = 2 c T n . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 5/24

  6. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  7. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  8. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  9. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  10. Prange: Basic Idea for Decoding (1962) Algorithm (Idea) 1. Bring P into systematic form. 2. Permute columns. 3. Enumerate all e 1 . 4. Check if ∆( H e 1 + ¯ s ) = ω − p . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  11. Advanced Ideas ◮ Exact matching on some coordinates (Stern 1989). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 7/24

  12. Advanced Ideas (Our work) ◮ No exact matching (Bernstein et al. Crypto2011). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 8/24

  13. Advanced Ideas (Our work) ◮ No exact matching (Bernstein et al. Crypto2011). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). ◮ Division into blocks of different weight (Our work). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 9/24

  14. Advanced Ideas (Our work) ◮ No exact matching (Bernstein et al. Crypto2011). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). ◮ Division into blocks of different weight (Our work). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 10/24

  15. Representations Techniques ◮ Split the error vector again. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 11/24

  16. Representations Techniques ◮ Split the error vector again. ◮ Many possible combinations create more solutions. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 11/24

  17. Division into Blocks ◮ Solve equation blockwise. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 12/24

  18. Division into Blocks ◮ Solve equation blockwise. Main Equations ”∆( H e 1 + H e 2 + ¯ s ) = ω 1 ” on the first block ”∆( H e 1 + H e 2 + ¯ s ) = ω 2 ” on the second block Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 12/24

  19. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 13/24

  20. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 14/24

  21. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 15/24

  22. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  23. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  24. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. 2. Nearest Neighbor search for weight ω 3 . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  25. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. 2. Nearest Neighbor search for weight ω 3 . 3. Nearest Neighbor search for weight ω 1 . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  26. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. 2. Nearest Neighbor search for weight ω 3 . 3. Nearest Neighbor search for weight ω 1 . 4. Filter for weight p , ω 2 . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  27. Our Algorithm ◮ Can be generalized for an arbitrary number of levels. ◮ Uses May Ozerov Nearest Neighbor search whenever possible. ◮ Comparison to BJMM: NNS on every level, no exact matching. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 17/24

  28. Results ◮ Comparison: Running time exponent c T for different code rates. Prange BJMM D3 BJMM+NN D3 Our D3 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 18/24

  29. Results ◮ Comparison: Running time exponent c T and memory exponent c M for different numbers of layers. BJMM-NN Our algorithm Layers c T c M c T c M 2 0.1003 0.0781 0.0982 0.0717 3 0.0967 0.0879 0.0926 0.0647 (FD) 4 0.0953 0.0915 0.0885 0.0736 2 0.0491 0.0309 0.0488 0.0290 3 0.0473 0.0363 0.0478 0.0290 (HD) 4 0.0473 0.0351 0.0465 0.0294 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 19/24

  30. Results ◮ Comparison: Running time exponent c T and memory exponent c M for different numbers of layers. BJMM-NN Our algorithm Layers c T c M c T c M 2 0.1003 0.0781 0.0982 0.0717 3 0.0967 0.0879 0.0926 0.0647 (FD) 4 0.0953 0.0915 0.0885 0.0736 2 0.0491 0.0309 0.0488 0.0290 3 0.0473 0.0363 0.0478 0.0290 (HD) 4 0.0473 0.0351 0.0465 0.0294 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 20/24

  31. Application: Hybrid Algorithm for LPN Definition (LPN k ,τ ) Given: Samples of the form ( a i , b i ) := ( a i , � a i , s � + e i ) , for i = 1 , 2 , . . . where a i ∈ R F k 2 and e i ∈ { 0 , 1 } with Pr[ e i = 1] = τ ∈ [0 , 1 2 ). Find: s ∈ F k 2 . ◮ Alternative form: Write n samples as ( A , b ) ∈ F n × k × F n satisfying b = A s + e . 2 2 ◮ Connection to Decoding: b is noisy codeword. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 21/24

  32. Application: Hybrid Algorithm for LPN ◮ Step 1: Use BKW algorithm to reduce dimension. ◮ Comes at cost of an increased error rate. LPN 512 , 1 4 → LPN 117 , 255 512 ◮ Step 2: Solve instance via decoding. ◮ Comparison: Running time exponents for a typical instance log( T ) log( M ) LPN 117 , 255 512 Prange 117 - BJMM-NN 117 64 Our algorithm 75 47 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 22/24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding Burst errors and interleaving 6.02 Fall 2012 Lecture 5, Slide #1 Matrix Notation for Linear Block Codes Task: given k-bit message, compute n-bit

417 views • 18 slides
Improved bounds on the word error probability of RA(2) codes with linear programming based

Improved bounds on the word error probability of RA(2) codes with linear programming based

Improved bounds on the word error probability of RA(2) codes with linear programming based decoding Nissim Halabi Tel-Aviv University Joint work with Guy Even Outline Turbo-like codes. classic Turbo codes & turbo-like

502 views • 34 slides
List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU

List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU

Contents List decoding of error-correcting codes Fast list decoding of ReedSolomon codes Fast list decoding of certain AG codes List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU Mathematics

1.33k views • 81 slides
Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear Codes Page 1 General Model message m Errors introduced by the noisy channel: coder changed fields in the codeword (e.g., a flipped bit)

307 views • 28 slides
Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Rohan Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of Correcting Codes Linear Error Correcting codes and Hadamard Codes Hamming Reed Solomon Code Definitions Basic Def An Error code is

291 views • 18 slides
Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary

Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary

Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary Wootters (Stanford) Gilles Zmor (Universit de Bordeaux) ISIT 2020 Linear-Time 3 Erasure List-Decoding of 1 Expander Codes 2 1. Erasure

559 views • 18 slides
List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael Fourquet , Grigory

675 views • 33 slides
Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th

Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th

Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th Haifa Workshop on Interdisciplinary Applications of Graph Theory , Combinatorics and Algorithms. May 2011 1 Error Correcting Codes Worst Case Vs.

305 views • 28 slides
Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May

Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May

Error-correcting codes Polynomial-based codes Efficient decoding of Reed-Muller codes Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May 30, 2016 John Kim, Swastik Kopparty Decoding Reed-Muller

429 views • 18 slides
Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante

Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante

Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante SPCoding School S.D. Cardell Decoding F q -linear codes over erasure channels Erasure channel We consider as model of errors the erasure channel

290 views • 9 slides
Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Srinidhi Varadarajan 02/14/2000 Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes (e.g. CRC, Send a duplicate copy of the Parity, Checksums) message Error Correction Codes (e.g. Problems

269 views • 5 slides
Decoding error-correcting codes with Grbner bases Stanislav Bulygin Ruud Pellikaan WIC, May

Decoding error-correcting codes with Grbner bases Stanislav Bulygin Ruud Pellikaan WIC, May

12 Decoding error-correcting codes with Grbner bases Stanislav Bulygin Ruud Pellikaan WIC, May 24, 2007 / department of mathematics and computer science 1/25 1/25 Outline

396 views • 25 slides
Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto Alexander May Horst Grtz Institute for IT-Security Faculty of Mathematics Ruhr-University of Bochum L ATTICE C ODING AND C RYPTO M EETING M AY 2017,

793 views • 32 slides
Some rece cent results on high rate local codes Shubhangi Saraf Rutgers Joint works with

Some rece cent results on high rate local codes Shubhangi Saraf Rutgers Joint works with

Some rece cent results on high rate local codes Shubhangi Saraf Rutgers Joint works with Sivakanth Gopi, Swastik Kopparty, Or Meir, Rafael Oliveira, Noga Ron- Zewi, Mary Wootters This talk Error-correcting codes with: low redundancy

905 views • 54 slides
Decoding error-correcting codes with Grbner bases Ruud Pellikaan joint work with Stanislav

Decoding error-correcting codes with Grbner bases Ruud Pellikaan joint work with Stanislav

12 Decoding error-correcting codes with Grbner bases Ruud Pellikaan joint work with Stanislav Bulygin EMS Joint Math Weekend, March 1, 2008 / department of mathematics and computer science 1/39 1/39

644 views • 39 slides
G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR CORRECTING PAIR I NTRODUCTION TO C ODING T HEORY MDS CODES A CHARACTERIZATION OF MDS CODES THAT GRS CODES HAVE AN ERROR CORRECTING PAIR ECP M OTIVATION O UR GOAL ARQUEZ -C ORBELLA 1 R. P ELLIKAAN

689 views • 19 slides
Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview

FSE 2011, February 14 -16, Lyngby, Denmark Fast correlation attacks on certain stream ciphers Willi Meier FHNW Switzerland 1 Overview A decoding problem LFSR-based stream ciphers Correlation attacks Fast correlation

908 views • 54 slides
Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET

Decoding One Out of Many Nicolas Sendrier INRIA Paris-Rocquencourt, equipe-projet SECRET Code-based Cryptography Workshop 11-12 May 2011, Eindhoven, The Netherlands Computational Syndrome Decoding Problem: Syndrome Decoding H { 0 , 1 }

882 views • 37 slides
Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome

Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome

Syndrome Decoding in the Non-Standard Cases Matthieu Finiasz Outline The Problem of Syndrome Decoding I The Cryptosystems of McEliece and Niederreiter II McEliece-Based Signatures III Provably Secure Syndrome-Based Hash Functions IV The

441 views • 32 slides
Quantum Information Set Decoding Algorithms Ghazal Kachigar Jean-Pierre Tillich Institut de

Quantum Information Set Decoding Algorithms Ghazal Kachigar Jean-Pierre Tillich Institut de

Quantum Information Set Decoding Algorithms Ghazal Kachigar Jean-Pierre Tillich Institut de Math ematiques de Bordeaux, Universit e de Bordeaux Inria, EPI SECRET PQCrypto, Utrecht - 27/06/2017 Ghazal Kachigar , Jean-Pierre Tillich

775 views • 24 slides
Code-based One Way Functions Nicolas Sendrier INRIA Rocquencourt, projet CODES Ecrypt Summer

Code-based One Way Functions Nicolas Sendrier INRIA Rocquencourt, projet CODES Ecrypt Summer

Code-based One Way Functions Nicolas Sendrier INRIA Rocquencourt, projet CODES Ecrypt Summer School Emerging Topics in Cryptographic Design and Cryptanalysis I. Introduction Binary linear code n the length C a ( n, k ) binary

501 views • 35 slides
Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this

Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this

Error-Correcting Codes G. Eric Moorhouse, UW Math Corrected copies of transparencies for this sem- inar series should soon be available at http://math.uwyo.edu/~moorhous/quantum/ References F.J. MacWilliams and N.J.A. Sloane, The North-

421 views • 20 slides
Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

445 views • 31 slides
Information Theory Lecture 6 Block Codes and Finite Fields Codes: Roth (R) 12, 4.14

Information Theory Lecture 6 Block Codes and Finite Fields Codes: Roth (R) 12, 4.14

Information Theory Lecture 6 Block Codes and Finite Fields Codes: Roth (R) 12, 4.14 codes, minimum distance, linear codes, G and H matrices, decoding, bounds, weight distribution,. . . Finite fields: R3 (R7) groups,

911 views • 9 slides

More recommend