decoding linear codes with high error rate and its impact
play

Decoding Linear Codes with High Error Rate and its Impact for LPN - PowerPoint PPT Presentation

Jun 28, 2023 •198 likes •554 views

Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 , 09.-11.04.2018 Leif Both , Alexander May Horst Grtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics Our work

  1. Decoding Linear Codes with High Error Rate and its Impact for LPN Security PQCrypto 2018 , 09.-11.04.2018 Leif Both , Alexander May Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics

  2. Our work ◮ Improved running times for decoding of random linear codes. State of the art Our algorithm 2 0 . 0953 n 2 0 . 0885 n Full Distance (FD) 2 0 . 0473 n 2 0 . 0465 n Half Distance (HD) ◮ Based on the BJMM algorithm (Becker, Joux, May, Meurer EC2012) and Nearest Neighbors (May, Ozerov EC2015). ◮ Works best for high error rates. ◮ Application: Hybrid algorithm for LPN (Esser, Kübler, May Crypto2017). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 2/24

  3. On Linear Codes Definition (Linear Code) A linear code C is a k -dimensional subspace of F n 2 . ◮ Alternative definition via Parity Check matrix P 2 | P c = 0 } , where P ∈ F ( n − k ) × n C = { c ∈ F n . 2 Definition (Distance) For a linear code C the distance is defined as c � = c ′ ∈ C { ∆( c , c ′ ) } . d = min Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 3/24

  4. The Decoding Problem Definition (Decoding Problem) Given: P , ω, x = c + e with c ∈ C , ∆( e ) = ω Find: e ( ⇒ c = x + e ) . ◮ Unique decoding of x if ω ≤ d − 1 2 . ◮ HD Decoding : ω = d − 1 2 . ◮ FD Decoding : ω = d . Definition (Syndrome) The Syndrome s of a vector x is defined as s := P x . ◮ s = P x = P c + P e ⇔ s = P e . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 4/24

  5. Compare Decoding Algorithms ◮ Running Time T ( n , k , d ). ◮ Use the Gilbert-Varshamov bound ⇒ d = f ( n , k ) ⇒ T ( n , k , d ) = T ( n , k ) . ◮ Worst case running time: T ( n ) = max k { T ( n , k ) } . ◮ Assumption: Exponential complexity of HD/FD decoding ⇒ T ( n ) = 2 c T n . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 5/24

  6. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  7. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  8. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  9. Prange: Basic Idea for Decoding (1962) Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  10. Prange: Basic Idea for Decoding (1962) Algorithm (Idea) 1. Bring P into systematic form. 2. Permute columns. 3. Enumerate all e 1 . 4. Check if ∆( H e 1 + ¯ s ) = ω − p . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 6/24

  11. Advanced Ideas ◮ Exact matching on some coordinates (Stern 1989). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 7/24

  12. Advanced Ideas (Our work) ◮ No exact matching (Bernstein et al. Crypto2011). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 8/24

  13. Advanced Ideas (Our work) ◮ No exact matching (Bernstein et al. Crypto2011). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). ◮ Division into blocks of different weight (Our work). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 9/24

  14. Advanced Ideas (Our work) ◮ No exact matching (Bernstein et al. Crypto2011). ◮ Meet in the middle (Stern 1989). ◮ Representations techniques (BJMM EC2012). ◮ Binary search tree (BJMM EC2012). ◮ Nearest Neighbors (May, Ozerov EC2015). ◮ Division into blocks of different weight (Our work). Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 10/24

  15. Representations Techniques ◮ Split the error vector again. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 11/24

  16. Representations Techniques ◮ Split the error vector again. ◮ Many possible combinations create more solutions. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 11/24

  17. Division into Blocks ◮ Solve equation blockwise. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 12/24

  18. Division into Blocks ◮ Solve equation blockwise. Main Equations ”∆( H e 1 + H e 2 + ¯ s ) = ω 1 ” on the first block ”∆( H e 1 + H e 2 + ¯ s ) = ω 2 ” on the second block Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 12/24

  19. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 13/24

  20. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 14/24

  21. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 15/24

  22. Our Algorithm Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  23. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  24. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. 2. Nearest Neighbor search for weight ω 3 . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  25. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. 2. Nearest Neighbor search for weight ω 3 . 3. Nearest Neighbor search for weight ω 1 . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  26. Our Algorithm Algorithm (Idea) 1. Enumerate all vectors of length k / 2 and weight p 1 / 2. 2. Nearest Neighbor search for weight ω 3 . 3. Nearest Neighbor search for weight ω 1 . 4. Filter for weight p , ω 2 . Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 16/24

  27. Our Algorithm ◮ Can be generalized for an arbitrary number of levels. ◮ Uses May Ozerov Nearest Neighbor search whenever possible. ◮ Comparison to BJMM: NNS on every level, no exact matching. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 17/24

  28. Results ◮ Comparison: Running time exponent c T for different code rates. Prange BJMM D3 BJMM+NN D3 Our D3 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 18/24

  29. Results ◮ Comparison: Running time exponent c T and memory exponent c M for different numbers of layers. BJMM-NN Our algorithm Layers c T c M c T c M 2 0.1003 0.0781 0.0982 0.0717 3 0.0967 0.0879 0.0926 0.0647 (FD) 4 0.0953 0.0915 0.0885 0.0736 2 0.0491 0.0309 0.0488 0.0290 3 0.0473 0.0363 0.0478 0.0290 (HD) 4 0.0473 0.0351 0.0465 0.0294 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 19/24

  30. Results ◮ Comparison: Running time exponent c T and memory exponent c M for different numbers of layers. BJMM-NN Our algorithm Layers c T c M c T c M 2 0.1003 0.0781 0.0982 0.0717 3 0.0967 0.0879 0.0926 0.0647 (FD) 4 0.0953 0.0915 0.0885 0.0736 2 0.0491 0.0309 0.0488 0.0290 3 0.0473 0.0363 0.0478 0.0290 (HD) 4 0.0473 0.0351 0.0465 0.0294 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 20/24

  31. Application: Hybrid Algorithm for LPN Definition (LPN k ,τ ) Given: Samples of the form ( a i , b i ) := ( a i , � a i , s � + e i ) , for i = 1 , 2 , . . . where a i ∈ R F k 2 and e i ∈ { 0 , 1 } with Pr[ e i = 1] = τ ∈ [0 , 1 2 ). Find: s ∈ F k 2 . ◮ Alternative form: Write n samples as ( A , b ) ∈ F n × k × F n satisfying b = A s + e . 2 2 ◮ Connection to Decoding: b is noisy codeword. Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 21/24

  32. Application: Hybrid Algorithm for LPN ◮ Step 1: Use BKW algorithm to reduce dimension. ◮ Comes at cost of an increased error rate. LPN 512 , 1 4 → LPN 117 , 255 512 ◮ Step 2: Solve instance via decoding. ◮ Comparison: Running time exponents for a typical instance log( T ) log( M ) LPN 117 , 255 512 Prange 117 - BJMM-NN 117 64 Our algorithm 75 47 Decoding Linear Codes with High Error Rate and its Impact for LPN Security|PQCrypto 2018|09.-11.04.2018 22/24

Recommend

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding

6.02 Fall 2012 Lecture #5 Error correction for linear block codes - Syndrome decoding Burst errors and interleaving 6.02 Fall 2012 Lecture 5, Slide #1 Matrix Notation for Linear Block Codes Task: given k-bit message, compute n-bit

417 views • 18 slides
Improved bounds on the word error probability of RA(2) codes with linear programming based

Improved bounds on the word error probability of RA(2) codes with linear programming based

Improved bounds on the word error probability of RA(2) codes with linear programming based decoding Nissim Halabi Tel-Aviv University Joint work with Guy Even Outline Turbo-like codes. classic Turbo codes & turbo-like

502 views • 34 slides
List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU

List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU

Contents List decoding of error-correcting codes Fast list decoding of ReedSolomon codes Fast list decoding of certain AG codes List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU Mathematics

1.33k views • 81 slides
Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear

Algorithms in the Real World Error Correcting Codes I Overview Hamming Codes Linear Codes Page 1 General Model message m Errors introduced by the noisy channel: coder changed fields in the codeword (e.g., a flipped bit)

307 views • 28 slides
Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of

Rohan Error Codes Correcting Gary Lecture 11 toolkit CMU Preliminaries Setting Error of Correcting Codes Linear Error Correcting codes and Hadamard Codes Hamming Reed Solomon Code Definitions Basic Def An Error code is

291 views • 18 slides
Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary

Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary

Linear-Time Erasure List-Decoding of Expander Codes Noga Ron-Zewi (University of Haifa) Mary Wootters (Stanford) Gilles Zmor (Universit de Bordeaux) ISIT 2020 Linear-Time 3 Erasure List-Decoding of 1 Expander Codes 2 1. Erasure

559 views • 18 slides
List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael Fourquet , Grigory

675 views • 33 slides
Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th

Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th

Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th Haifa Workshop on Interdisciplinary Applications of Graph Theory , Combinatorics and Algorithms. May 2011 1 Error Correcting Codes Worst Case Vs.

305 views • 28 slides
Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May

Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May

Error-correcting codes Polynomial-based codes Efficient decoding of Reed-Muller codes Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May 30, 2016 John Kim, Swastik Kopparty Decoding Reed-Muller

429 views • 18 slides
Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante

Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante

Decoding F q -linear codes over erasure channels Sara D. Cardell Universidad de Alicante SPCoding School S.D. Cardell Decoding F q -linear codes over erasure channels Erasure channel We consider as model of errors the erasure channel

290 views • 9 slides
Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes

Srinidhi Varadarajan 02/14/2000 Error Detection Codes Error Detection Two types Nave scheme Error Detection Codes (e.g. CRC, Send a duplicate copy of the Parity, Checksums) message Error Correction Codes (e.g. Problems

269 views • 5 slides
Decoding error-correcting codes with Grbner bases Stanislav Bulygin Ruud Pellikaan WIC, May

Decoding error-correcting codes with Grbner bases Stanislav Bulygin Ruud Pellikaan WIC, May

12 Decoding error-correcting codes with Grbner bases Stanislav Bulygin Ruud Pellikaan WIC, May 24, 2007 / department of mathematics and computer science 1/25 1/25 Outline

396 views • 25 slides
Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto Alexander May Horst Grtz Institute for IT-Security Faculty of Mathematics Ruhr-University of Bochum L ATTICE C ODING AND C RYPTO M EETING M AY 2017,

793 views • 32 slides
Some rece cent results on high rate local codes Shubhangi Saraf Rutgers Joint works with

Some rece cent results on high rate local codes Shubhangi Saraf Rutgers Joint works with

Some rece cent results on high rate local codes Shubhangi Saraf Rutgers Joint works with Sivakanth Gopi, Swastik Kopparty, Or Meir, Rafael Oliveira, Noga Ron- Zewi, Mary Wootters This talk Error-correcting codes with: low redundancy

905 views • 54 slides
Decoding error-correcting codes with Grbner bases Ruud Pellikaan joint work with Stanislav

Decoding error-correcting codes with Grbner bases Ruud Pellikaan joint work with Stanislav

12 Decoding error-correcting codes with Grbner bases Ruud Pellikaan joint work with Stanislav Bulygin EMS Joint Math Weekend, March 1, 2008 / department of mathematics and computer science 1/39 1/39

644 views • 39 slides
G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

G ENERALIZED R EED -S OLOMON CODES (GRS CODES ) A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR

A CHARACTERIZATION OF MDS CODES THAT HAVE AN ERROR CORRECTING PAIR I NTRODUCTION TO C ODING T HEORY MDS CODES A CHARACTERIZATION OF MDS CODES THAT GRS CODES HAVE AN ERROR CORRECTING PAIR ECP M OTIVATION O UR GOAL ARQUEZ -C ORBELLA 1 R. P ELLIKAAN

689 views • 19 slides
Linear-Programming Decoding of Tanner Codes with Local-Optimality Certificates Nissim Halabi Guy

Linear-Programming Decoding of Tanner Codes with Local-Optimality Certificates Nissim Halabi Guy

Linear-Programming Decoding of Tanner Codes with Local-Optimality Certificates Nissim Halabi Guy Even School of Electrical Engineering, Tel-Aviv University July 6, 2012 1/16 Communication Over a Noisy Channel u { 0 , 1 } k c C { 0

510 views • 16 slides
Decoding of Linear Codes Arman Fazeli Alexander Vardy Hanwen Yao afazelic@ucsd.edu

Decoding of Linear Codes Arman Fazeli Alexander Vardy Hanwen Yao afazelic@ucsd.edu

Hardness of Successive-Cancellation Decoding of Linear Codes Arman Fazeli Alexander Vardy Hanwen Yao afazelic@ucsd.edu avardy@ucsd.edu hwyao@ucsd.edu Virtual Presentation at International Symposium on Information Theory 2020 Outline

542 views • 31 slides
Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and

Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and

Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and RS) codes: R6 Reed-Solomon codes RS codes: R5.13 Mikael Skoglund, Information Theory 1/15 The BCH Bound Theorem : Let C be cyclic of

276 views • 8 slides
Closed formulas for the error locator polynomials of cyclic codes Dedicated to Tom Hholdt in

Closed formulas for the error locator polynomials of cyclic codes Dedicated to Tom Hholdt in

Closed formulas for the error locator polynomials of cyclic codes Dedicated to Tom Hholdt in honour of his 60-th birthday by Ruud Pellikaan Discrete Mathematics Technical University of Eindhoven June 2, 2005 Decoding cyclic codes beyond

441 views • 33 slides
Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html

Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html

Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html #simplelist D. J. Bernstein University of Illinois at Chicago Thanks to: Cisco University Research Program And thanks to: NIST grant 60NANB10D263

580 views • 20 slides
Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error

Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error

Error Detection Two types Error Detection Codes (e.g. CRC, Parity, Checksums) Error Correction Codes (e.g. Hamming, Reed Solomon) Basic Idea Add redundant information to determine if errors have been introduced Why

643 views • 25 slides
Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc),

Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc),

Turning error-reducing quantum turbo codes into error-correcting codes Mamdouh Abbara (MEc), Iryna Andriyanova (ENSEA), Jean-Pierre Tillich (INRIA) QEC14 December the 17th, 2014 introduction The 5 qubit code Probability of error after

382 views • 35 slides
Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi

Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi

Syndrome-Coupled Rate-Compatible Error-Correcting Codes for Flash Memories Pengfei Huang 1 , Yi Liu 1 , Xiaojie Zhang 2 , Paul H. Siegel 1 , Erich F. Haratsch 3 1 Center for Memory and Recording Research, UCSD 2 CNEX Labs, San Jose, CA 3 Seagate

687 views • 47 slides

More recommend