Information-Set Decoding with Hints

Abstract

This paper studies how to incorporate small information leakages (called “hints”) into information-set decoding (ISD) algorithms. In particular, the influence of these hints on solving the (n, k, t)-syndrome-decoding problem (SDP), i.e., generic syndrome decoding of a code of length n, dimension k, and an error of weight t, is analyzed. We motivate all hints by leakages obtainable through realistic side-channel attacks on code-based post-quantum cryptosystems. One class of studied hints consists of partial knowledge of the error or message, which allow to reduce the length, dimension, or error weight using a suitable transformation of the problem. As a second class of hints, we assume that the Hamming weights of sub-blocks of the error are known, which can be motivated by a template attack. We present adapted ISD algorithms for this type of leakage. For each third-round code-based NIST submission (Classic McEliece, BIKE, HQC), we show how many hints of each type are needed to reduce the work factor below the claimed security level. E.g., for Classic McEliece mceliece348864, the work factor is reduced below \(2^{128}\) for 9 known error locations, 650 known error-free positions or known Hamming weights of 29 sub-blocks of roughly equal size.

This work was supported by the German Research Foundation (Deutsche Forschungsgemeinschaft, DFG) under Grant No. WA3907/4-1 and SE2989/1-1 and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 801434). This work was partly done while S. Puchinger was with the Technical University of Denmark, Lyngby, Denmark, where he was supported by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement no. 713683.

A Framework for Birthday Decoding with Known Block Error Distribution

As an outlook for future work, we describe a general framework for generalized birthday decoders, for the case that we know the error distribution over prescribed blocks of the error vector. For this we will use the “Partial Gaussian Elimination (PGE) \(+\) Small SDP” setup. In the “Small SDP” step several versions of birthday decoding can be used, see e.g. [6, 21], however we will restrict ourselves to Wagner’s original idea from [41].

As in Sect. 4 consider an SDP instance with parity check matrix \(\boldsymbol{H}\in \mathbb F_2^{(n-k)\times n}\) and syndrome \(\boldsymbol{s}\in \mathbb F_2^{n-k}\). Assume we have a partition of \(\{1,\dots ,n\}\) into \(\mathcal {W}_1,\dots ,\mathcal {W}_\ell \) and \([t_1,\dots ,t_\ell ]\) such that \(t_i = \mathrm {wt}_\mathrm {H}(\boldsymbol{e}_{\mathcal {W}_i})\) and \(\sum _{i=1}^\ell t_i = t\).

We proceed as follows:

1. 1.

   Partial Gaussian Elimination:

   Choose some \(v\le n-k\) and subsets \(\mathcal {X}_i \subseteq \mathcal {W}_i\) such that for \(x_i:= |\mathcal {X}_i|\) we have \(\sum _i x_i = k+v\). Find an \(n\times n\) permutation matrix \(\boldsymbol{P}\) that moves the columns of \(\boldsymbol{H}\) indexed by the \(\mathcal {X}_i\) to the left³, and find and invertible \(\boldsymbol{U}\in \mathbb F_2^{(n-k)\times (n-k)}\) such that

   $$ \boldsymbol{UHP} = \begin{pmatrix} \boldsymbol{A} &{} \boldsymbol{I}_{n-k-v} \\ \boldsymbol{B} &{} \boldsymbol{0} \end{pmatrix} .$$

   Denote \([\boldsymbol{s}_1 \; \boldsymbol{s}_2] := \boldsymbol{sU^\top }\) and \(\boldsymbol{e}\boldsymbol{P} := [\boldsymbol{e}_1 \; \boldsymbol{e}_2] \), then the original syndrome equation \(\boldsymbol{e}\boldsymbol{H}^\top =\boldsymbol{s}\) is equivalent to \(\boldsymbol{eP(P^\top H^\top U^\top )} =\boldsymbol{s}\boldsymbol{U}^\top \) and splits into

   $$\begin{aligned} \boldsymbol{e}_1 \boldsymbol{A}^\top + \boldsymbol{e}_2&= \boldsymbol{s}_1 \\ \boldsymbol{e}_1 \boldsymbol{B}^\top&= \boldsymbol{s}_2 . \end{aligned}$$

   Prescribe an error weight \(p\le t\) for \(\boldsymbol{e}_1\), with which the second equation is now a smaller SDP instance, with possibly more than one solution. Find these solutions as explained in the step below, and for each of those check if the first equation above gives a valid solution, i.e., if \(\mathrm {wt}_\mathrm {H}(\boldsymbol{s}_1 - \boldsymbol{e}_1 \boldsymbol{A}^\top )=t-p\). If so, then this is a solution to the original SDP.

2. 2.

   Small SDP with Wagner:

   We choose a number b of levels for this step, and partition \(\mathcal {X}=\bigcup _{i=1}^\ell \mathcal {X}_i\) into \(2^b\) subsets of size \(v_i\), respectively, such that \(\sum _{i=1}^{2^b} v_i = \sum _{i=1}^\ell x_i = k+v\). Then we distribute the p errors over the corresponding entries of \(\boldsymbol{e}_1\), assuming that \(p_i\) errors happened in the i-th subset. Here the first open question arises, namely how to choose these sets and the error distribution. In the classical setup you can simply choose (random) subsets of the same size, and assume that each of the corresponding sets of coordinates in \(\boldsymbol{e}_1\) has weight \(\frac{p}{2^b}\). However, in our setting this is most likely a suboptimal choice, and the subsets should be chosen with respect to the block partition and the error distribution.

   In particular, if \(\ell =2^b\), then we can choose the \(2^b\) subsets equal to \(\mathcal {X}_1,\dots ,\mathcal {X}_\ell \), and assume that \(p_i \le t_i\) errors are spread over the coordinates of \(\boldsymbol{e}\) indexed by \(\mathcal {X}_i\), such that \(\sum _{i=1}^\ell p_i= p\).

   Next we build the initial lists of vectors in \(\mathbb F_2^{v_i}\) of weight \(p_i\), for \(i=1,\dots , 2^b\), respectively. Then we proceed with the merge-concatenate operation on the b levels as in the classical setting (where for each level, we can choose \(u_1<u_2<\dots <u_b=k+v\), which indicates how many coordinates we want to merge on), until we have a final list of candidates for \(\boldsymbol{e}_1\), solving the small SDP instance.

   As an example, if we consider the simplest case with \(b=1\) and \(\ell =2^b=2\), we construct two lists

   $$ \mathcal L_1^{(0)} := \{ \boldsymbol{v}\in \mathbb F_2^{x_1} \mid \mathrm {wt}_\mathrm {H}(\boldsymbol{v})= p_1\} $$
   $$ \mathcal L_2^{(0)} := \{\boldsymbol{v}\in \mathbb F_2^{x_2} \mid \mathrm {wt}_\mathrm {H}(\boldsymbol{v})= p_2\} $$

   such that \(x_1+x_2=k+v\) and \(p_1+p_2 = p\).⁴ Let us write \(\boldsymbol{B} = [ \boldsymbol{B}_1 \; \boldsymbol{B}_2]\), such that \(\boldsymbol{B}_i \in \mathbb F_2^{v\times x_i}\). Then we merge-concatenate to produce the final list

   $$ \mathcal L^{(1)} := \{ (\boldsymbol{v}_1, \boldsymbol{v}_2)\in \mathcal L_1^{(0)} \times \mathcal L_2^{(0)} \mid \boldsymbol{v}_1 \boldsymbol{B}_1^\top = \boldsymbol{s}_2-\boldsymbol{v}_2\boldsymbol{B}_2^\top \} ,$$

   which consists of solutions to the small SDP, i.e., candidates for \(\boldsymbol{e}_1\).

Finally, we will give some idea about the computational complexity of this algorithm:

1. 1.

   The success probability depends on the assumed error distribution and the choices of the free parameters. Similarly to the Lee-Brickell adaptation, it is

   $$ \sum _{\begin{array}{c} \boldsymbol{a}\in \mathbb {Z}^\ell \\ 0 \le a_i \le t_i \\ \sum _i a_i = p \end{array}} \prod _{i=1}^\ell \frac{\left( {\begin{array}{c}x_i\\ a_i\end{array}}\right) \left( {\begin{array}{c}\eta _i - x_i\\ t_i - a_i\end{array}}\right) }{\left( {\begin{array}{c}\eta _i\\ t_i\end{array}}\right) } \cdot P_\text {merge}(u_1,\dots ,u_{b-1}),$$

   where \(P_\text {merge}(u_1,\dots ,u_{b-1})\) is the probability that the sought-after solution has zeros in the coordinates prescribed by \(u_1,\dots ,u_{b-1}\).⁵

2. 2.

   Each iteration depends on the number of levels, the \(u_i\) and the size of the original lists, and is comparable to the cost of one iteration of the algorithm in the classical setting (assuming that the initial lists are of the same size).

The speed-up compared to not using the knowledge about the error distribution in the blocks of the error vector is hence mainly in the success probability. This is analogous to the algorithms studied in Sect. 4.