Improved Information Set Decoding - Decoding Random Linear ...
Improved Information Set Decoding - Decoding Random Linear ...
Improved Information Set Decoding - Decoding Random Linear ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Improved</strong> <strong>Information</strong> <strong>Set</strong> <strong>Decoding</strong> -<br />
<strong>Decoding</strong> <strong>Random</strong> <strong>Linear</strong> Codes in O(2 0.054n )<br />
Alexander May, Alexander Meurer, Enrico Thomae<br />
ASIACRYPT 2011, Seoul<br />
HORST GÖRTZ INSTITUTE FOR IT-SECURITY<br />
FACULTY OF MATHEMATICS Department for IT-Security and Cryptology
Recap Binary <strong>Linear</strong> Codes<br />
A binary linear code C is a k-dimensional subspace of F 2<br />
n<br />
0 / 1<br />
k<br />
● Generator matrix G = C = { x t·G k<br />
: x 2 F 2<br />
}<br />
n<br />
n-k<br />
● Parity check matrix H = 0 / 1<br />
n<br />
C = { H·c = 0 : c 2 F 2<br />
}<br />
n<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Recap Binary <strong>Linear</strong> Codes<br />
A binary linear code C is a k-dimensional subspace of F 2<br />
n<br />
k<br />
● Generator matrix G = C = { x t·G k<br />
: x 2 F 2<br />
}<br />
n<br />
0 / 1<br />
n-k<br />
● Parity check matrix H = 0 / 1<br />
n<br />
C = { H·c = 0 : c 2 F 2<br />
}<br />
n<br />
Minimum distance d = min x≠y2C<br />
{ wt(x+y) }<br />
C is called binary [n,k,d] code.<br />
·<br />
d<br />
x<br />
· ·<br />
y<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Recap Binary <strong>Linear</strong> Codes<br />
n<br />
A binary linear code C is a k-dimensional subspace of F<br />
●<br />
Running time of decoding algorithms: T(n,k,d)<br />
2<br />
●<br />
In<br />
● Generator this talk: Analysis<br />
matrix for random<br />
G k<br />
=<br />
0 binary / 1 linear<br />
C = { x t·G k<br />
: x 2 F 2<br />
}<br />
codes with constant rate R=k/n<br />
●<br />
For n→∞, k and d are related via Gilbert-<br />
n<br />
n-k<br />
n<br />
● Parity Varshamov check matrix bound, thus<br />
H = 0 / 1 C = { H·c = 0 : c 2 F 2<br />
}<br />
T(n,k,d) = T(n,k)<br />
●<br />
We compare algorithms by their complexity<br />
·<br />
y<br />
d<br />
Minimum coeffcient distance F(k), d i.e. = min c2C<br />
{ wt(c) }<br />
x<br />
· ·<br />
Such C is called binary T(n,k) [n,k,d] = O(2 code.<br />
F(k)n )<br />
n<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Scenario (Bounded Distance <strong>Decoding</strong>)<br />
Obtain x = c + e with c 2 C and w := wt(e) =<br />
Goal: Find e and thus c = x + e<br />
Consider syndrome s := s(x) = H·x = H·(c+e) = H·e<br />
→ Find linear combination of w columns of H matching s<br />
weight w<br />
n<br />
4 5<br />
d-1<br />
2<br />
·<br />
x·<br />
4 5<br />
d-1<br />
2<br />
c<br />
· ·<br />
·<br />
n-k<br />
H<br />
= + + = s<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Scenario (Bounded Distance <strong>Decoding</strong>)<br />
Obtain x = c + e with c 2 C and w := wt(e) =<br />
Goal: Find e and thus c = x + e<br />
Consider syndrome s := s(x) = H·x = H·(c+e) = H·e<br />
→ Find linear combination of w columns of H matching s<br />
weight w<br />
n<br />
4 5<br />
d-1<br />
2<br />
n-k<br />
H<br />
= + + =<br />
T(n,k,d)<br />
s<br />
= <br />
n<br />
·<br />
x·<br />
4 5<br />
d-1<br />
2<br />
c<br />
· ·<br />
Brute-Force complexity<br />
w<br />
·<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Scenario (Bounded Distance <strong>Decoding</strong>)<br />
Obtain x = c + e with c 2 C and w := wt(e) =<br />
Goal: Find e and thus c = x + e<br />
4 5<br />
d-1<br />
2<br />
Consider syndrome s := s(x) = H·x = H·(c+e) = H·e<br />
→ Find linear combination of w columns of H matching s<br />
·<br />
x·<br />
4 5<br />
d-1<br />
2<br />
c<br />
· ·<br />
·<br />
weight w<br />
n<br />
Complexity<br />
n-k<br />
H<br />
= + + = s<br />
F(k) ≤ 0.38677<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations<br />
Allowed (linear algebra) transformations<br />
●<br />
Permuting the columns of H does not change the problem<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations<br />
Allowed (linear algebra) transformations<br />
●<br />
Permuting the columns of H does not change the problem<br />
weight w<br />
n<br />
n-k<br />
H<br />
= s<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations<br />
Allowed (linear algebra) transformations<br />
●<br />
Permuting the columns of H does not change the problem<br />
weight w<br />
n<br />
n-k<br />
H<br />
= s<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations<br />
Allowed (linear algebra) transformations<br />
●<br />
●<br />
Permuting the columns of H does not change the problem<br />
Elementary row operations on H do not change the problem<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations<br />
Allowed (linear algebra) transformations<br />
●<br />
●<br />
Permuting the columns of H does not change the problem<br />
Elementary row operations on H do not change the problem<br />
weight w<br />
n<br />
n-k<br />
H<br />
=<br />
s<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Some very basic observations<br />
Allowed (linear algebra) transformations<br />
●<br />
●<br />
Permuting the columns of H does not change the problem<br />
Elementary row operations on H do not change the problem<br />
weight w<br />
n<br />
U G<br />
n-k<br />
H<br />
U G<br />
= s<br />
Invertible (n-k)x(n-k) matrix<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
<strong>Random</strong>ized systematic form<br />
From now on, we work on a randomly column-permuted version<br />
of H in systematic form<br />
(n-k) x k matrix<br />
U G *<br />
H *<br />
=<br />
Q<br />
I n-k<br />
U P<br />
(n-k)-dimensional<br />
idendity matrix<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Basic <strong>Information</strong> <strong>Set</strong> <strong>Decoding</strong><br />
''Reducing the brute-force search<br />
space by linear algebra.''<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Basic <strong>Information</strong> <strong>Set</strong> <strong>Decoding</strong><br />
Fundamental principle:<br />
●<br />
<strong>Random</strong>ization: transform H into column-permuted<br />
systematic form<br />
H<br />
→<br />
Q<br />
I n-k<br />
● Search phase: Try to fnd solution e = weight w , i.e.<br />
weight w<br />
Q<br />
I n-k<br />
=<br />
s<br />
●<br />
If no solution found: Rerandomize and try again!<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Basic <strong>Information</strong> <strong>Set</strong> <strong>Decoding</strong><br />
Fundamental principle:<br />
●<br />
<strong>Random</strong>ization: transform H into column-permuted<br />
systematic form<br />
H → Q<br />
T(n,k,d) = Pr[“good” randomization] -1 x C[Search]<br />
● Search phase: Try to fnd solution e = weight w , i.e.<br />
I n-k<br />
weight w<br />
Q<br />
I n-k<br />
=<br />
s<br />
●<br />
If no solution found: Rerandomize and try again!<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Lee-Brickel (1988)<br />
p<br />
k<br />
w - p<br />
n-k<br />
Q<br />
I n-k<br />
= s<br />
● Brute force on Q, i.e. search e'= p with wt(Qe'+s) = w-p<br />
● If so, fll up e''= w - p with remaining (w-p) 1's<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Lee-Brickel (1988)<br />
p<br />
w - p<br />
e'<br />
k<br />
n-k<br />
k<br />
Q<br />
I n-k<br />
= s<br />
⇔<br />
Q<br />
+ s = e''<br />
wt(Qe'+s) = w-p<br />
● Brute force on Q, i.e. search e'= p with wt(Qe'+s) = w-p<br />
● If so, fll up e''= w - p with remaining (w-p) 1's<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Lee-Brickel (1988)<br />
p<br />
k<br />
w - p<br />
n-k<br />
e'<br />
k<br />
Q<br />
I n-k<br />
= s<br />
⇔<br />
Q<br />
+ s = e''<br />
wt(Qe'+s) = w-p<br />
● Brute T(n,k,d) force = on Q, Pr[“good” i.e. search randomization] e'= p<br />
-1 x with C[Brute wt(Qe'+s) force]<br />
= w-p<br />
k p n−k<br />
w<br />
n<br />
w− p<br />
● If so, fll up e''= w - p<br />
= with remaining w-p x<br />
1's<br />
−1<br />
k p<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Lee-Brickel (1988)<br />
p<br />
k<br />
w - p<br />
n-k<br />
e'<br />
k<br />
Q<br />
I n-k<br />
= s<br />
⇔<br />
Q<br />
+ s = e''<br />
wt(Qe'+s) = w-p<br />
Complexity<br />
● Brute force (bounded on Q, i.e. search distance e'= decoding)<br />
p<br />
with wt(Qe'+s) = w-p<br />
F(k) ≤ 0.05751<br />
● If so, fll up e''= w - p with remaining w-p 1's<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
Find e'= p/2 p/2<br />
with<br />
Qe'=s' on frst l coordinates, i.e.<br />
p/2 p/2<br />
q 1<br />
, … , q k<br />
Q'<br />
via standard sort & match<br />
=<br />
s'<br />
*<br />
:<br />
*<br />
∑ q i<br />
i∈I 1<br />
match<br />
∑ q i s '<br />
i∈I 2<br />
I 1 ⊂[1, , k 2 ] I 2⊂[ k 2 1,, k ]<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
⇔<br />
p/2 p/2<br />
q 1<br />
, … , q k<br />
Q'<br />
+<br />
s<br />
=<br />
0<br />
I n-k<br />
w - p<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
⇔<br />
s'<br />
*<br />
:<br />
*<br />
+<br />
s<br />
=<br />
0<br />
I n-k<br />
w - p<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
⇔<br />
s'<br />
*<br />
:<br />
*<br />
+<br />
s<br />
=<br />
0<br />
I n-k<br />
w - p<br />
0<br />
⇔ *<br />
:<br />
*<br />
=<br />
e''<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
⇔<br />
s'<br />
*<br />
:<br />
*<br />
+<br />
s<br />
=<br />
0<br />
I n-k<br />
w - p<br />
T(n,k,d) = Pr[“good” randomization] -1 x 0C[MitM]<br />
⋅ <br />
n−k −l<br />
<br />
= e''<br />
= x k :<br />
p/2<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul<br />
[<br />
<br />
k /<br />
⇔<br />
2<br />
p/<br />
*<br />
22<br />
w− p<br />
n w<br />
]−1<br />
*
Classical ISD variants<br />
Stern (1989)<br />
●<br />
Meet-in-the-middle on Q<br />
p/2 p/2 0 w - p<br />
k/2 k/2 l n-k-l<br />
q 1<br />
, … , q k<br />
Q'<br />
I n-k<br />
= s<br />
⇔<br />
s'<br />
*<br />
:<br />
*<br />
+<br />
s<br />
=<br />
0<br />
I n-k<br />
w - p<br />
Complexity (bounded distance decoding)<br />
0<br />
⇔ *<br />
:<br />
*<br />
F(k) ≤ 0.05563<br />
=<br />
e''<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Wrapping up so far<br />
●<br />
Different methods search for different error-distributions<br />
● Lee-Brickel (1988)<br />
p/2 p/2 0 w-p<br />
● Stern (1989)<br />
p w-p<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Wrapping up so far<br />
●<br />
●<br />
Different methods search for different error-distributions<br />
● Lee-Brickel (1988)<br />
p w-p<br />
● Stern (1989)<br />
p/2 p/2 0 w-p<br />
Recently: Ball-collision decoding (CRYPTO11) by Bernstein et al.<br />
● Improving Pr[good rand.] by allowing q extra 1's within the<br />
length l zero-window<br />
p/2 p/2 q/2 q/2 w-p-q<br />
● F(k) ≤ 0.05558<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Wrapping up so far<br />
●<br />
Different methods search for different error-distributions<br />
● Lee-Brickel (1988)<br />
p<br />
w-p<br />
● Stern (1989)<br />
p/2 p/2 0 w-p<br />
●<br />
Recently: Ball-collision decoding (CRYPTO11) by Bernstein et al.<br />
●<br />
Improving Pr[good rand.] by allowing q extra 1's within the<br />
length l zero-window<br />
● F(k) ≤ 0.05558<br />
p/2 p/2 q/2 q/2 w-p-q<br />
●<br />
Both Stern and BallColl improve runtime at the cost of increased<br />
space consumption (→ see paper for details)<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Wrapping up so far<br />
Asymptotic complexity (Bounded Distance <strong>Decoding</strong>)<br />
Lee-Brickel F(k) = 0.05751<br />
Stern F(k) = 0.05563<br />
BallColl F(k) = 0.05558<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Our New Algorithm<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework<br />
●<br />
Starting point: Generalized ISD framework of Finiasz and<br />
Sendrier (ASIACRYPT 2009)<br />
●<br />
Observation: Since frst l columns of I n-k<br />
can not be used in<br />
Stern's algorithm, we can simply „shift“ them to the Q-part<br />
of H<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework<br />
●<br />
Starting point: Generalized ISD framework of Finiasz and<br />
Sendrier (ASIACRYPT 2009)<br />
●<br />
Observation: Since frst l columns of I n-k<br />
can not be used in<br />
Stern's algorithm, we can simply „shift“ them to the Q-part<br />
of H<br />
k<br />
n-k<br />
H =<br />
Q<br />
I n-k<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework<br />
●<br />
Starting point: Generalized ISD framework of Finiasz and<br />
Sendrier (ASIACRYPT 2009)<br />
●<br />
Observation: Since frst l columns of I n-k<br />
can not be used in<br />
Stern's algorithm, we can simply „shift“ them to the Q-part<br />
of H<br />
H =<br />
k+l<br />
Q<br />
n-k-l<br />
0<br />
I n-k-l<br />
l rows<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework<br />
●<br />
Major subproblem: Finding exactly p columns amongst<br />
q 1<br />
, ..., q k+l<br />
matching s on it's frst l coordinates s'<br />
k+l<br />
q 1<br />
, ..., q k+l<br />
n-k-l<br />
0<br />
l rows<br />
H =<br />
Q'<br />
I n-k-l<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Generalized ISD framework<br />
●<br />
Major subproblem: Finding exactly p columns amongst<br />
q 1<br />
, ..., q k+l<br />
matching s on it's frst l coordinates s'<br />
●<br />
Stern divides the q i<br />
into disjoint sets, i.e. searches index sets<br />
I 1 ⊂[1, , kl and<br />
2 ] I 2⊂[ k l 1,,k l]<br />
2<br />
with<br />
∑ q ∑ i q i =s '<br />
i∈I 1 i∈ I 2<br />
k+l<br />
q 1<br />
, ..., q k+l<br />
n-k-l<br />
0<br />
l rows<br />
H =<br />
Q'<br />
I n-k-l<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Our New Algorithm<br />
●<br />
Main contribution: More effcient non-disjoint matching<br />
inspired by representation technique of Howgrave-Graham<br />
and Joux (in the context of subset sum algorithms), i.e. pick<br />
I 1, I 2 ⊂[1,, kl ]<br />
with ∣I j ∣= p 2<br />
and<br />
∑ q ∑ i<br />
q i<br />
=s '<br />
i∈I 1 i∈ I 2<br />
k+l<br />
n-k-l<br />
q 1<br />
, ..., q k+l<br />
0<br />
l rows<br />
H =<br />
Q'<br />
I n-k-l<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
The representation trick in detail<br />
k+l<br />
● Aim: Find weight p such that<br />
p<br />
k+l<br />
q 1<br />
, ..., q k+l<br />
=<br />
s 1<br />
'<br />
:<br />
s l<br />
'<br />
<br />
p<br />
p/2<br />
● There are ways of decomposing p , e.g.<br />
p/2<br />
p/2<br />
, , ...<br />
p/2<br />
p/2<br />
→ It suffces to fnd one of them!<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
How can we proft from representations?<br />
p<br />
k+l<br />
q 1<br />
, ..., q k+l<br />
w-p<br />
n-k-l<br />
0<br />
Q'<br />
I n-k-l<br />
● Advantage: Every solution expands into <br />
p<br />
p/2 equivalent solutions<br />
● Disadvantage: Search space grows from kl/2<br />
to kl<br />
p/2 p/2<br />
● Goal: Find one solution via Divide & Conquer strategy<br />
kl<br />
p/2<br />
● Rule of thumb: We get better if<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul<br />
<br />
p<br />
p/2 kl/2<br />
p/2
How can we proft from representations?<br />
p<br />
k+l<br />
q 1<br />
, ..., q k+l<br />
w-p<br />
n-k-l<br />
0<br />
Q'<br />
I n-k-l<br />
● Advantage: Every solution expands into <br />
p<br />
Complexity<br />
p/2 equivalent 0 solutions<br />
● Disadvantage: Search space ⇔ grows from kl/2<br />
to *<br />
p/2<br />
=<br />
kl<br />
p/2 e''<br />
T(n,k,d) = Pr[“good” randomization] -1 x C[RepTrick]<br />
:<br />
● Goal: Find one solution via Generalized Birthday * attack (Wagner)<br />
kl<br />
p/2<br />
kl<br />
p<br />
= ⋅ n−k −l<br />
x<br />
p/2<br />
w− p ● Rule of thumb: We get better if<br />
[ kl<br />
n w<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul<br />
]−1<br />
<br />
p<br />
p/2 kl/2<br />
p/2<br />
<br />
p<br />
p/2
How can we proft from representations?<br />
p<br />
k+l<br />
q 1<br />
, ..., q k+l<br />
w-p<br />
n-k-l<br />
0<br />
Q'<br />
I n-k-l<br />
● Advantage: Every solution expands into <br />
p<br />
p/2 equivalent 0 solutions<br />
● Disadvantage: Complexity Search (bounded space ⇔ grows distance from decoding)<br />
kl/2<br />
to *<br />
p/2<br />
=<br />
kl<br />
p/2 e''<br />
:<br />
● Goal: Find one solution via Generalized Birthday * attack (Wagner)<br />
F(k) ≤ 0.05364<br />
kl<br />
p/2<br />
● Rule of thumb: We get better if<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul<br />
<br />
p<br />
p/2 kl/2<br />
p/2
Complexity comparison<br />
Asymptotic complexitiy (Bounded Distance <strong>Decoding</strong>)<br />
Lee-Brickel F(k) = 0.05751<br />
BallColl F(k) = 0.05558<br />
MMT F(k) = 0.05364<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Summary<br />
●<br />
●<br />
●<br />
Asymptotically fastest generic decoding algorithm<br />
Not a mere time-memory trade-off (→ see paper)<br />
First application of HGJ representation trick to a different<br />
scenario<br />
Open questions<br />
●<br />
●<br />
●<br />
Precise analysis w.r.t. polynomial factors (e.g. linear algebra)<br />
Transfer Bernstein's speed-up tricks for Stern's algorithm<br />
What is the real break even point compared to other methods?<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Summary<br />
●<br />
●<br />
●<br />
Asymptotically fastest generic decoding algorithm<br />
Not a mere time-memory trade-off (→ see paper)<br />
First application of HGJ representation trick to a different<br />
scenario<br />
Thank you!<br />
Open questions<br />
●<br />
●<br />
●<br />
Precise analysis w.r.t. polynomial factors (e.g. linear algebra)<br />
Transfer Bernstein's speed-up tricks for Stern's algorithm<br />
What is the real break even point compared to other methods?<br />
IMPROVED INFORMATION SET DECODING ASIACRYPT 2011 | December 2011, Seoul
Change language