Information Set Decoding in the Lee Metric
Violetta Weger
joint work with Franco Chiaraluce, Marco Baldi, Massimo Battaglioni, Anna-Lena Horlemann-Trautmann, Edoardo Persichetti and Paolo Santini
University of Zurich
CBCrypto 2020
9 May 2020
Violetta Weger Information Set Decoding in the Lee Metric
Motivation
Changing the Metric
The original McEliece cryptosystem using Goppa codes remains unbroken but suffers from large key sizes.
There have been many attempts to fix this issue by exchanging the family of codes.
Example: Niederreiter proposed to use GRS codes, which have the highest error correction capacity and hence promise low key sizes, but are vulnerable to algebraic attacks.
Among the 7 code-based cryptosystems in NIST round 2, the ones achieving the lowest key sizes are based on the rank metric.
Rank Metric
Definition (Rank Metric)
For $A, B \in \mathbb{F}_q^{m \times n}$ we define the rank weight to be $\mathrm{wt}_R(A) = \mathrm{rk}(A)$ and the rank distance between $A$ and $B$ to be $d_R(A, B) = \mathrm{wt}_R(A - B)$.
Definition ($\mathbb{F}_q$-linear Rank Metric Code)
$C$ is an $\mathbb{F}_q$-linear rank metric code of length $n$ and dimension $k$ if $C$ is a $k$-dimensional linear subspace of $\mathrm{Mat}_{m \times n}(\mathbb{F}_q)$ equipped with the rank metric.
Definition (Rank Metric)
For $x, y \in \mathbb{F}_{q^m}^n$ we define the rank weight to be $\mathrm{wt}_R(x) = \dim(\langle x_1, \ldots, x_n \rangle_{\mathbb{F}_q})$ and the distance between $x$ and $y$ to be $d_R(x, y) = \mathrm{wt}_R(x - y)$.
Definition ($\mathbb{F}_{q^m}$-linear Rank Metric Code)
$C$ is an $\mathbb{F}_{q^m}$-linear rank metric code of length $n$ and dimension $k$ if $C$ is a $k$-dimensional linear subspace of $\mathbb{F}_{q^m}^n$ equipped with the rank metric.
Note: all $\mathbb{F}_{q^m}$-linear rank metric codes are also $\mathbb{F}_q$-linear rank metric codes.
Difference between Rank and Hamming Metric
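Let $x \in \mathbb{F}_{q^m}^n$.
| | Hamming | Rank |
|---|---|---|
| Supp(x) | $\{1 \le i \le n \mid x_i \neq 0\}$ | $\langle x_1, \ldots, x_n \rangle_{\mathbb{F}_q}$ |
| wt(x) | $\lvert \mathrm{Supp}(x) \rvert$ | $\dim(\mathrm{Supp}(x))$ |
| Bruteforce cost | $\binom{n}{t}(q^m - 1)^t$ | $\begin{bmatrix} m \\ t \end{bmatrix}_q = \prod_{i=0}^{t-1} \frac{q^m - q^i}{q^t - q^i} \sim q^{(m-t)t}$ |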
| | Hamming | Rank |
|---|---|---|
| Advantages | NP-complete SDP; studied thoroughly | more costly; low key sizes |
| Disadvantages | large key sizes | not studied thoroughly; only randomized reduction |
Lee Metric
Properties
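Definition (Lee Weight)
Let $x \in \mathbb{Z}/m\mathbb{Z}$, then $\mathrm{wt}_L(x) = \min\{x, |m - x|\}$.
Example ($\mathbb{Z}/8\mathbb{Z}$)
$\mathrm{wt}_L(0) = 0$
$\mathrm{wt}_L(1) = \mathrm{wt}_L(7) = 1$
$\mathrm{wt}_L(2) = \mathrm{wt}_L(6) = 2$
$\mathrm{wt}_L(3) = \mathrm{wt}_L(5) = 3$
$\mathrm{wt}_L(4) = 4$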
Definition (Lee Metric)
Let $x, y \in (\mathbb{Z}/m\mathbb{Z})^n$, then the Lee weight is defined as $\mathrm{wt}_L(x) = \sum_{i=1}^{n} \mathrm{wt}_L(x_i)$ and the Lee distance between $x$ and $y$ is $d_L(x, y) = \mathrm{wt}_L(x - y)$.
Clearly: For all $x \in (\mathbb{Z}/m\mathbb{Z})^n$: $\mathrm{wt}_H(x) \le \mathrm{wt}_L(x)$.
Definition (Lee Metric Code)
$C$ is a linear Lee metric code of length $n$ and type $|C|$ if $C$ is an additive subgroup of $(\mathbb{Z}/m\mathbb{Z})^n$ equipped with the Lee metric.
Quaternary Codes
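Definition (Quaternary Code)
$C$ is a quaternary code of length $n$ and type $4^{k_1}2^{k_2}$ if $C$ is an additive subgroup of $(\mathbb{Z}/4\mathbb{Z})^n$ equipped with the Lee metric.
Definition (Gray Isometry)
$\varphi : (\mathbb{Z}/4\mathbb{Z}, \mathrm{wt}_L) \to (\mathbb{F}_2^2, \mathrm{wt}_H)$
$0 \mapsto (0, 0)$
$1 \mapsto (0, 1)$
$2 \mapsto (1, 1)$
$3 \mapsto (1, 0)$
We can extend $\varphi_n : (\mathbb{Z}/4\mathbb{Z})^n \to \mathbb{F}_2^{2n}$.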
Differences
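Let $C$ be a quaternary code of length $n$ and type $4^{k_1}2^{k_2}$, then the systematic form of the generator matrix is given by
$$G = \begin{pmatrix} \mathrm{Id}_{k_1} & A & B \\ 0 & 2\,\mathrm{Id}_{k_2} & 2C \end{pmatrix},$$
where $A \in \mathbb{Z}_2^{k_1 \times k_2}$, $B \in \mathbb{Z}_4^{k_1 \times (n-k_1-k_2)}$, $C \in \mathbb{Z}_2^{k_2 \times (n-k_1-k_2)}$.
The systematic form of the parity check matrix is given by
$$H = \begin{pmatrix} D & E & \mathrm{Id}_{n-k_1-k_2} \\ 2F & 2\,\mathrm{Id}_{k_2} & 0 \end{pmatrix},$$
where $D \in \mathbb{Z}_4^{(n-k_1-k_2) \times k_1}$, $E \in \mathbb{Z}_4^{(n-k_1-k_2) \times k_2}$, $F \in \mathbb{Z}_2^{k_2 \times k_1}$.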
ISD in the Lee Metric
ISD over the Hamming Metric
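Prange's algorithm:
Given: $H \in \mathbb{F}_q^{(n-k) \times n}$, $s \in \mathbb{F}_q^{n-k}$, $t \in \mathbb{N}$.
Find: $e \in \mathbb{F}_q^n$ such that $He^\top = s^\top$ and $\mathrm{wt}_H(e) = t$.
Main idea: Assume no error happens in the information set.
$$UHe^\top = \begin{pmatrix} A & \mathrm{Id}_{n-k} \end{pmatrix} \begin{pmatrix} 0 \\ e'^\top \end{pmatrix} = Us^\top.$$
Thus we get the condition $e'^\top = Us^\top$.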
Structure of ISD Algorithms
1. Choose an information set.
2. Bring the parity check matrix into systematic form and perform the same row operations on the syndrome.
3. By assuming a certain weight distribution of the error vector we get conditions on the error vector.
4. Go through all possible vectors and check if the conditions are satisfied; if they are, output the error vector.
5. If not, start over with a new information set.
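The five steps above, instantiated as Prange's algorithm over $\mathbb{F}_2$ in the Hamming metric (an added Python example, not code from the slides). The sample input is constructed here: the parity-check matrix of the [15, 11] binary Hamming code and a planted weight-2 error; `prange`, `syndrome` and `demo` are names chosen for illustration.

```python
import random

def prange(H, s, t, rng, max_iter=10_000):
    """Prange ISD over F_2: return e with H e^T = s^T and wt_H(e) = t, or None."""
    r, n = len(H), len(H[0])              # r = n - k parity checks
    k = n - r
    for _ in range(max_iter):
        perm = list(range(n))
        rng.shuffle(perm)                 # 1. first k permuted positions = information set
        # Augmented matrix [H P | s^T]; row operations on it apply U to both sides.
        M = [[row[j] for j in perm] + [s[i]] for i, row in enumerate(H)]
        reduced = True
        for i in range(r):                # 2. bring the last r columns to Id_{n-k}
            col = k + i
            piv = next((a for a in range(i, r) if M[a][col]), None)
            if piv is None:               # these columns are singular:
                reduced = False           # not an information set, draw again
                break
            M[i], M[piv] = M[piv], M[i]
            for a in range(r):
                if a != i and M[a][col]:
                    M[a] = [x ^ y for x, y in zip(M[a], M[i])]
        if not reduced:
            continue
        e_prime = [M[i][n] for i in range(r)]   # 3. no error in the information set: e' = U s
        if sum(e_prime) != t:             # 4./5. wrong weight, start over
            continue
        e = [0] * n
        for i in range(r):                # undo the column permutation
            e[perm[k + i]] = e_prime[i]
        return e
    return None

def syndrome(H, e):
    return [sum(h & x for h, x in zip(row, e)) % 2 for row in H]

# Constructed sample: column j of H is the binary expansion of j + 1.
H = [[(j + 1) >> b & 1 for j in range(15)] for b in range(4)]
planted = [1 if j in (2, 9) else 0 for j in range(15)]
s = syndrome(H, planted)

def demo(seed=1):
    return prange(H, s, 2, random.Random(seed))
```

The decoder returns some weight-2 solution for this syndrome, not necessarily the planted one, because weight 2 is beyond the unique decoding radius of this code.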
Cost of ISD Algorithms
The cost of an ISD algorithm is given by
number of iterations · cost of one iteration.
number of iterations = reciprocal of the success probability of one iteration.
Example: Prange in the Hamming metric has a success probability of
$$\binom{n-k}{t}\binom{n}{t}^{-1}.$$
Quaternary Prange
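Given: $H \in \mathbb{Z}_4^{(n-k_1) \times n}$, $s \in \mathbb{Z}_4^{n-k_1}$, $t \in \mathbb{N}$.
Find: $e \in \mathbb{Z}_4^n$ with $He^\top = s^\top$ and $\mathrm{wt}_L(e) = t$.
$$UHe^\top = \begin{pmatrix} A & \mathrm{Id}_{n-k_1-k_2} \\ 2C & 0 \end{pmatrix} \begin{pmatrix} 0 \\ e'^\top \end{pmatrix} = \begin{pmatrix} s_1^\top \\ 2s_2^\top \end{pmatrix}.$$
From this we get the conditions $e' = s_1$ and $s_2 = 0$.
New success probability:
$$\binom{2(n-k_1-k_2)}{t}\binom{2n}{t}^{-1}.$$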
Performance
GV - Bounds
Proposition (Gilbert-Varshamov Bound)
Let $n$ and $d$ be positive integers. There exists a linear binary code $C$ of length $n$ and minimum Hamming distance $d$, such that
$$|C| \ge \frac{2^n}{\sum_{j=0}^{d-1} \binom{n}{j}}.$$
Furthermore there exists a linear quaternary code $C$ of length $n$ and minimum Lee distance $d$, such that
$$|C| \ge \frac{4^n}{\left(\sum_{j=0}^{d-1} \binom{2n}{j} - 1\right) 3 + 1}.$$
Performance for theoretical Parameters
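In the Lee metric:
| n | k1 | k2 | dL | tL | cost Prange | Key Size |
|---|---|---|---|---|---|---|
| 101 | 5 | 90 | 25 | 12 | 83.42 | 1050 |
| 463 | 230 | 3 | 105 | 52 | 80.29 | 107180 |
| 173 | 9 | 154 | 41 | 20 | 129.96 | 3106 |
| 863 | 430 | 3 | 193 | 96 | 128.82 | 372380 |
| 375 | 20 | 334 | 85 | 42 | 256.03 | 14534 |
| 1943 | 970 | 3 | 431 | 215 | 256.33 | 1887620 |
In the Hamming metric:
| n | k | dH | tH | cost Prange | Key Size |
|---|---|---|---|---|---|
| 903 | 451 | 103 | 51 | 80.53 | 203852 |
| 1683 | 841 | 189 | 94 | 128.03 | 708122 |
| 3863 | 1931 | 429 | 214 | 256.68 | 3730692 |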
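An added Python check of the two tables above (not code from the slides), using the success probabilities stated earlier in the talk to get the expected number of Prange iterations as a base-2 logarithm. The slides do not break down the cost of one iteration, so the "cost Prange" column is not recomputed; the key-size formulas are an assumption made here (bits needed for the non-identity blocks of the systematic generator matrix).

```python
from math import comb, log2

# Rows of the tables above: (n, k1, k2, t_L, key size) and (n, k, t_H, key size).
LEE_ROWS = [(101, 5, 90, 12, 1050), (463, 230, 3, 52, 107180),
            (173, 9, 154, 20, 3106), (863, 430, 3, 96, 372380),
            (375, 20, 334, 42, 14534), (1943, 970, 3, 215, 1887620)]
HAMMING_ROWS = [(903, 451, 51, 203852), (1683, 841, 94, 708122),
                (3863, 1931, 214, 3730692)]

def log2_iterations(good, total, t):
    """log2 of the expected iteration count 1 / [C(good, t) / C(total, t)]."""
    if comb(good, t) == 0:
        return float("inf")   # t errors cannot fit outside the information set
    return log2(comb(total, t)) - log2(comb(good, t))

def iterations_hamming(n, k, t):
    return log2_iterations(n - k, n, t)

def iterations_lee(n, k1, k2, t):
    return log2_iterations(2 * (n - k1 - k2), 2 * n, t)

def key_bits_hamming(n, k):
    # Assumption: store the k x (n - k) non-identity block of G over F_2.
    return k * (n - k)

def key_bits_quaternary(n, k1, k2):
    # Assumption: store A and C with 1 bit per entry and B with 2 bits per
    # entry, for G = (Id A B; 0 2Id 2C) in systematic form.
    r = n - k1 - k2
    return k1 * k2 + 2 * k1 * r + k2 * r

def report():
    """Per row: (n, log2 of iterations rounded to 2 places, key size in bits)."""
    lee = [(n, round(iterations_lee(n, k1, k2, t), 2), key_bits_quaternary(n, k1, k2))
           for n, k1, k2, t, _ in LEE_ROWS]
    ham = [(n, round(iterations_hamming(n, k, t), 2), key_bits_hamming(n, k))
           for n, k, t, _ in HAMMING_ROWS]
    return lee, ham

if __name__ == "__main__":
    for table in report():
        for row in table:
            print(row)
```

Under these assumptions the computed key sizes agree with every row of the Key Size columns.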
Disclaimer
These are only theoretical parameters, since we are not actually proposing a code to be used within the quaternary McEliece cryptosystem!
Lee Metric over Zps
Difficulties of Generalizing
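Let $C$ be a linear Lee metric code over $\mathbb{Z}_{p^s}$ of length $n$ and type $(p^s)^{k_1}(p^{s-1})^{k_2} \cdots p^{k_s}$. Then the systematic form of the generator matrix is
$$G = \begin{pmatrix} \mathrm{Id}_{k_1} & A_{1,2} & \cdots & A_{1,s} & A_{1,s+1} \\ 0 & p\,\mathrm{Id}_{k_2} & \cdots & pA_{2,s} & pA_{2,s+1} \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ 0 & 0 & \cdots & p^{s-1}\mathrm{Id}_{k_s} & p^{s-1}A_{s,s+1} \end{pmatrix},$$
and the systematic form of the parity check matrix is
$$H = \begin{pmatrix} B_{1,1} & B_{1,2} & \cdots & B_{1,s} & \mathrm{Id}_{n-K} \\ pB_{2,1} & pB_{2,2} & \cdots & p\,\mathrm{Id}_{k_s} & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots \\ p^{s-1}B_{s,1} & p^{s-1}\mathrm{Id}_{k_2} & \cdots & 0 & 0 \end{pmatrix},$$
where $K = \sum_{i=1}^{s} k_i$.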
Simplification for ISD
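For the purpose of ISD algorithms we can choose the following form
$$G = \begin{pmatrix} \mathrm{Id}_{k_1} & A \\ 0 & pB \end{pmatrix}, \quad H = \begin{pmatrix} C & \mathrm{Id}_{n-K} \\ pD & 0 \end{pmatrix},$$
with $A \in \mathbb{Z}_{p^s}^{k_1 \times (n-k_1)}$, $B \in \mathbb{Z}_{p^{s-1}}^{(K-k_1) \times (n-k_1)}$, $C \in \mathbb{Z}_{p^s}^{(n-K) \times K}$ and $D \in \mathbb{Z}_{p^{s-1}}^{(K-k_1) \times K}$.
This way we are putting all the zero-divisors together, only considering $k_1$.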
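Example: Lee-Brickell
We assume that the error vector has weight $v$ in the information set and $t - v$ outside the information set.
$$UHe^\top = \begin{pmatrix} C & \mathrm{Id}_{n-K} \\ pD & 0 \end{pmatrix} \begin{pmatrix} e_1^\top \\ e_2^\top \end{pmatrix} = \begin{pmatrix} s_1^\top \\ ps_2^\top \end{pmatrix} = Us^\top.$$
From this we get the conditions
$$Ce_1^\top + e_2^\top = s_1^\top$$
$$pDe_1^\top = ps_2^\top$$
Note that the second condition is again a syndrome decoding problem, but over a smaller ring and of smaller size.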
Conclusion
Open Problems
Find a quaternary code with the properties from code-based cryptography: large error correction capacity, efficient decoding algorithm and a large family of codes.
Find applications of the Lee metric for code-based cryptography; ongoing work: identification scheme, signature scheme.
Computation of the cost of the iterative ISD algorithm.
Is there a faster way to solve the SDP using tools from lattice-based cryptography?
Thank you!