Decoding Random Binary Linear Codes in 2 n/20: How 1 + 1 = 0 Improves Information Set Decoding

Abstract: Decoding random linear codes is a well studied problem with many applications in complexity theory and cryptography. The security of almost all coding and LPN/LWE-based schemes relies on the assumption that it is hard to decode random linear codes. Recently, there has been progress in improving the running time of the best decoding algorithms for binary random codes. The ball collision technique of Bernstein, Lange and Peters lowered the complexity of Stern's information set decoding algorithm to 2 0.0556n. Us… Show more

“…(Experiments indicate that the probability is somewhat worse, although still inverse polynomial in n, if all R ij1 are chosen to be identical, even if this set is randomized as discussed in [17]. The idea of choosing independent sets appeared in [4] with credit to Bernstein. ) Overall the probability of I being decomposed in this way, i.e., of I being found by this algorithm, is inverse polynomial in n. As above, one expects a negligible failure probability after a polynomial number of repetitions of the algorithm.…”

“…to the exponents of other algorithms. One can reasonably speculate that analogous quantum speedups can also be applied to the algorithms of [24] and [4]. However, establishing this will require considerable extra work, similar to the extra work of [24] and [4] compared to [17] and [3] respectively.…”

“…However, the algorithmic techniques used to attack subset-sum problems are among the central algorithmic techniques used to attack lattice problems and decoding problems. For example, the best attack known against code-based cryptography, at least asymptotically, is a very recent decoding algorithm by Becker, Joux, May, and Meurer [4], improving upon a decoding algorithm by May, Meurer, and Thomae [24]; the algorithm of [4] is an adaptation of a subset-sum algorithm by Becker, Coron, and Joux [3], improving analogously upon a subset-sum algorithm by Howgrave-Graham and Joux [17].…”

Quantum Algorithms for the Subset-Sum Problem

“…(Experiments indicate that the probability is somewhat worse, although still inverse polynomial in n, if all R ij1 are chosen to be identical, even if this set is randomized as discussed in [17]. The idea of choosing independent sets appeared in [4] with credit to Bernstein. ) Overall the probability of I being decomposed in this way, i.e., of I being found by this algorithm, is inverse polynomial in n. As above, one expects a negligible failure probability after a polynomial number of repetitions of the algorithm.…”

“…to the exponents of other algorithms. One can reasonably speculate that analogous quantum speedups can also be applied to the algorithms of [24] and [4]. However, establishing this will require considerable extra work, similar to the extra work of [24] and [4] compared to [17] and [3] respectively.…”

“…However, the algorithmic techniques used to attack subset-sum problems are among the central algorithmic techniques used to attack lattice problems and decoding problems. For example, the best attack known against code-based cryptography, at least asymptotically, is a very recent decoding algorithm by Becker, Joux, May, and Meurer [4], improving upon a decoding algorithm by May, Meurer, and Thomae [24]; the algorithm of [4] is an adaptation of a subset-sum algorithm by Becker, Coron, and Joux [3], improving analogously upon a subset-sum algorithm by Howgrave-Graham and Joux [17].…”

Quantum Algorithms for the Subset-Sum Problem

“…Finally, a general lower-bound on the complexity of the information set decoding algorithm was derived by Finiasz and Sendrier [23] using idealized algorithms. However, it was shown in [9,45] and very recently in [4] that it is possible to do better than this bound.…”

HELEN: A Public-Key Cryptosystem Based on the LPN and the Decisional Minimal Distance Problems

“…Nowadays, there exists eight probabilistic algorithms to compute a solution to the SD problem : Lee and Brickell's algorithm [70], Leon's algorithm [71], Stern's algorithm [100], the toolbox of A. Canteaut and F. Chabaud [25], Johansson and Jönsonn's algorithm [69], the "ball-collision" decoding algorithm [18], the MMT algorithm [75] and the "1+1=0" decoding algorithm [10]. All these algorithms are devoted to search a word of small weight in a random code.…”

Code Based Cryptography and Steganography