5. If column j does not have a 1 on the i-th row, goto step 4. Otherwise goto step 6.
6. Let $P_{z+1}$ denote the permutation selected in the previous step, decompose the matrix $[I|A_z]$ into $S_{z+1}[I|A_{z+1}]P_{z+1}$, and calculate the corresponding $c_{z+1} = c_z P_{z+1}$. Increase $z$ by 1 and goto step 3.
7. Now $c_z$ is error-free in the first $k$ bits, and $c_z = c P_1 P_2 \cdots P_z$. Thus we know the corresponding error-free bits in the original $c$, and the plaintext $m$ can be obtained by information-set decoding.
3.1.4 Improvements of Decoding Attack
We propose two improvements in this section. We begin with an introduction to the first improvement, which aims to decrease the time consumption of the guess-verification stage.
The structure of McEliece's decoding algorithm can be described by two nested loops: an outer-loop and an inner-loop. The outer-loop repeatedly selects a different set of $k$ columns until the selection luckily has few error bits in the ciphertext. The inner-loop repeatedly guesses and then verifies the error vector hidden in the $k$ columns selected by the outer-loop, until a guess is verified to be correct or all possible $k$-vectors with weight below a threshold have been examined and found to be wrong guesses. In the analysis of McEliece's decoding algorithm with parameter $j$ (see Theorem 3.1.1), we use $T_j$ to denote the expected number of iterations of the outer-loop and $N_j$ to denote the expected number of iterations of the inner-loop. Note that the verification must be applied in each iteration of the inner-loop and its cost is non-negligible, thus we use $V_{n,k,t,j}$ to denote its bit-wise operations and take it into consideration in the further discussion. According to the analysis from Theorem 3.1.1, the bit-wise operations required by McEliece's decoding algorithm can be approximated by $T_j \times N_j \times V_{n,k,t,j}$. In the following sections, we propose an improvement that significantly reduces $V_{n,k,t,j}$ while only slightly increasing $T_j$, so the total number of bit-wise operations required is reduced. In this chapter we only show how to apply the improvement to McEliece's decoding algorithm, but the idea can in fact be applied to all other decoding algorithms with the same nested-loop structure.
Recall McEliece's decoding algorithm:
McEliece's Decoding Algorithm with parameter $j$
Input: A $k \times n$ generator matrix $G'$ and a received vector $c$ with length $n$.
Output: The vector $m$ such that $\mathrm{weight}(m \cdot G' \oplus c) \le t$.
1. Randomly select $k$ columns of $G'$, such that the selected columns are linearly independent.
2. Collect the selected columns to form a new $k \times k$ matrix $G'_k$.
3. Collect the corresponding $k$ bits of $c$ to form a new vector $c_k$.
4. Calculate $G'^{-1}_k \cdot G'$ and $c \oplus c_k(G'^{-1}_k \cdot G')$.
5. Choose an unused $k$-bit error pattern $e_k$ with $j$ or fewer ones.
If $(c \oplus c_k G'^{-1}_k G') \oplus e_k(G'^{-1}_k G')$ has weight $t$ or less, then stop and return $m = (c_k \oplus e_k) \cdot G'^{-1}_k$.
6. If there still exists an unused $k$-bit error pattern, goto step 5.
Otherwise goto step 1.
Steps 1-6 form the so-called outer-loop and steps 5-6 form the inner-loop. According to the analysis given by Theorem 3.1.1, the bit-wise operations required by the verification in each iteration of the inner-loop are approximately $V_{n,k,t,j} = j/2 \times (n-k)$. Our improvement introduces a probabilistic method for verification which makes the expected number of bit-wise operations required $p\,(j/2 \times (n-k)) + (1-p)\,(j/2 \times \,\cdot\,)$, where $p$ is a small probability and the dot stands for the number of positions checked, a parameter of the algorithm.
Observe that when we make a bad selection in step 1 (that is, there are more than $j$ errors in the selected columns), we still have to spend the whole inner-loop before finally realizing that the selection in step 1 was bad. If we could realize earlier that a bad selection has been made in step 1, a large amount of redundant checking could be skipped. The main idea of our improvement is that instead of checking whether the whole vector satisfies $\mathrm{weight}(c \oplus c_k G'^{-1}_k G' \oplus e_k G'^{-1}_k G') \le t$, we only calculate the vector $c \oplus c_k G'^{-1}_k G' \oplus e_k G'^{-1}_k G'$ on some randomly selected positions to form a shorter vector $D$, and apply the original check if and only if $D$ is a zero vector. The key point of this method is based on a conjecture [30]:
Modified McEliece's Decoding Algorithm with parameter $(j, \,\cdot\,)$ (the second parameter is the number of columns selected in step 6)
Input: A $k \times n$ generator matrix $G'$ and a received vector $c$ with length $n$.
Output: The vector $m$ such that $\mathrm{weight}(m \cdot G' \oplus c) \le t$.
1. Randomly select $k$ columns of $G'$, such that the selected columns are linearly independent.
2. Collect the selected columns to form a new $k \times k$ matrix $G'_k$.
3. Collect the corresponding $k$ bits of $c$ to form a new vector $c_k$.
4. Calculate $G'^{-1}_k \cdot G'$ and $c \oplus c_k(G'^{-1}_k \cdot G')$.
5. Choose an unused $k$-bit error pattern $e_k$ with $j$ or fewer ones.
6. Randomly select columns among the last $n-k$ columns of $G'^{-1}_k G'$; let $C$ denote the indexes of the selected columns.
7. Calculate $c \oplus (c_k G'^{-1}_k G') \oplus e_k(G'^{-1}_k G')$ bit-by-bit on the selected columns only, ignoring the unselected columns, to form a vector $D_C$ whose length is the number of selected columns.
8. If $D_C$ is a zero vector, then calculate $c \oplus (c_k G'^{-1}_k G') \oplus e_k(G'^{-1}_k G')$ on the unselected columns to form a vector $D_{\bar C}$ of length $n-k$ minus the number of selected columns.
Otherwise, if there still exists an unused $k$-bit error pattern, goto step 5.
Otherwise goto step 1.
9. If $\mathrm{weight}(D_{\bar C}) \le t - \mathrm{weight}(e_k)$ then stop and return $m = (c_k \oplus e_k) G'^{-1}_k$. Otherwise, if there still exists an unused $k$-bit error pattern, goto step 5.
Otherwise goto step 1.
Figure 3.1: Modified McEliece's Decoding Algorithm with parameter $(j, \,\cdot\,)$
Conjecture 3.1.1. [30] When the selection in step 1 is bad, the weight of $c \oplus c_k G'^{-1}_k G' \oplus e_k G'^{-1}_k G'$ is not only larger than $t$ but also has approximate weight density 0.5.
We apply the idea of the improvement to McEliece's decoding algorithm and propose a modified version of it; see Figure 3.1. An analysis of the algorithm is given by the following theorem.
Theorem 3.1.3. If Conjecture 3.1.1 holds, then the expected number of bit-wise operations required by the modified algorithm differs from the original requirement by a factor:
Proof. We discuss the effect caused by the modification.
Speed-up factor: The modification reduces the time spent on checking the weight of $c \oplus (c_k G'^{-1}_k G') \oplus e_k(G'^{-1}_k G')$. The original requirement is $j/2 \times (n-k)$. When the modification is applied, there is a conditional probability $\binom{(n-k)/2}{\,\cdot\,}\Big/\binom{n-k}{\,\cdot\,}$ (the dot stands for the number of columns selected in step 6) of the event that the selected columns result in a zero vector, under the condition of a bad selection in step 1. In these cases the original $j/2 \times (n-k)$ operations are needed; otherwise we need only $j/2$ times the number of selected columns. Compared with the original requirement, the left-hand side of the equation is obtained.
Slow-down factor: In the modified algorithm, the expected number of outer-loop iterations increases slightly. The outer-loop of the original algorithm halts if and only if a $k$-column-set with fewer than $j$ errors in it is selected, which occurs with a probability $\sum_{i=0}^{j}(\cdots)$. But in the modified algorithm, the outer-loop halts if and only if a $k$-column-set with fewer than $j$ errors in it is selected and we did not make an erroneous judgement in the partial checking of steps 6-8 when the actual error vector hidden in the selected columns is examined. There is a conditional probability upper bound $\sum_{i=1}\binom{t}{i}\binom{n-k-t}{\,\cdot\,-i}\Big/\binom{n-k}{\,\cdot\,}$ (the dot stands for the number of columns selected in step 6) of the event of an erroneous judgement, that is, the selected positions contain one or more errors, under the condition of a good selection in step 1. Thus we have a lower bound $1 - \sum_{i=1}\binom{t}{i}\binom{n-k-t}{\,\cdot\,-i}\Big/\binom{n-k}{\,\cdot\,}$ on the probability of a correct judgement, and the expected number of outer-loop iterations increases by a factor upper-bounded by $1\Big/\Big(1 - \sum_{i=1}\binom{t}{i}\binom{n-k-t}{\,\cdot\,-i}\Big/\binom{n-k}{\,\cdot\,}\Big)$.
Let $C_{orig}$ denote the expected number of bit-wise operations required by the original McEliece's decoding algorithm. The modified algorithm reduces the bit-wise operations requirement in the inner-loop by a factor of 0.2525 and increases the iterations of the outer-loop by a factor of 1.2348. Thus the overall bit-wise operation requirement is $0.311787 \times C_{orig}$.
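The cost model of the proof above carried through in code, as an added example that is not the thesis's own code: it evaluates the speed-up factor under Conjecture 3.1.1 and the slow-down upper bound exactly as the proof describes them, on constructed toy parameters; `ell` is my name for the number of positions checked in step 6, and an even `n-k` is assumed so that `(n-k)/2` is an integer.

```python
from fractions import Fraction
from math import comb


def zero_partial_prob(n, k, ell):
    """Probability, under Conjecture 3.1.1 (weight density 0.5 after a bad
    selection), that all ell randomly chosen positions among the last n-k
    are zero: C((n-k)/2, ell) / C(n-k, ell).  Assumes n-k is even."""
    r = n - k
    assert r % 2 == 0, "n-k assumed even so (n-k)/2 is an integer"
    return Fraction(comb(r // 2, ell), comb(r, ell))


def speedup_factor(n, k, j, ell):
    """Expected verification cost per inner-loop iteration of the modified
    algorithm, divided by the original cost j/2 * (n-k)."""
    p = zero_partial_prob(n, k, ell)
    orig = Fraction(j, 2) * (n - k)
    modified = p * orig + (1 - p) * Fraction(j, 2) * ell
    return modified / orig


def erroneous_judgement_bound(n, k, t, ell):
    """Upper bound on P[partial check rejects a good selection]: one or more
    of the (at most) t errors in the last n-k positions falls among the ell
    checked positions."""
    r = n - k
    return sum(Fraction(comb(t, i) * comb(r - t, ell - i), comb(r, ell))
               for i in range(1, min(t, ell) + 1))


def slowdown_factor(n, k, t, ell):
    """Upper bound on the growth of the expected outer-loop iterations."""
    return 1 / (1 - erroneous_judgement_bound(n, k, t, ell))


def overall_factor(n, k, t, j, ell):
    """Ratio of expected bit-wise operations, modified / original."""
    return speedup_factor(n, k, j, ell) * slowdown_factor(n, k, t, ell)


if __name__ == "__main__":
    # Constructed toy parameters, not the thesis's: n=16, k=8, t=2, j=1, ell=2
    n, k, t, j, ell = 16, 8, 2, 1, 2
    print("speed-up factor ", float(speedup_factor(n, k, j, ell)))
    print("slow-down factor", float(slowdown_factor(n, k, t, ell)))
    print("overall factor  ", float(overall_factor(n, k, t, j, ell)))
```

Exact fractions are used so the two factors can be compared directly, as the page does when it multiplies 0.2525 by 1.2348.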
Next, we introduce the second improvement, which aims to eliminate duplicate guesses of the nearly error-free locations.
Recall that in Tilburg's decoding algorithm, a random column-swap operation (in step 4) is needed in each iteration of the main loop. Randomly selecting two columns to swap may produce duplicate situations and hence redundant loop iterations. One could easily build a hash table to solve this problem, but the size of the hash table would have to be approximately $\binom{n}{k}$ bits, which is not practical in an implementation. We recommend swapping the columns according to a real-time generated Gray code for combinations instead of selecting randomly. We define the Gray code for combinations as follows.
Definition 3.1.1. [26] An $(n, k)$-Gray code for combinations is a sequence of all the $\binom{n}{k}$ combinations such that successive combinations differ by only one element.
Example 3.1.3. We show a (5, 3)-Gray code for combinations:
134 → 234 → 124 → 145 → 245 → 345 → 135 → 235 → 125 → 123
Following Example 3.1.3, to apply the Gray code for combinations in the algorithm, we may decompose $G' = S_1[I|A_1]P_1^{-1}$ such that $P_1$ permutes columns 1, 3, 4 to columns 1, 2, 3 in the first iteration of the loop, then decompose $G' = S_2[I|A_2]P_2^{-1}$ such that $P_2$ permutes columns 2, 3, 4 to columns 1, 2, 3 in the second iteration of the loop, and so on.
Clearly, if we follow the sequence of the Gray code for combinations, we traverse all $\binom{n}{k}$ possible combinations without missing one. Moreover, we swap only one column each time (since successive combinations differ by only one element), so Tilburg's second improvement idea can still be applied here to speed up the Gaussian elimination of $G'P_i$.
Several algorithms to construct the Gray code for combinations have been proposed; the most classical one is the revolving door algorithm [26]. However, this algorithm requires $O(n)$ time to generate the next combination. When applied in the decoding algorithm, an algorithm that generates each combination in constant time, such as [10] [9], is more suitable.
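An added example, not code from the thesis: the classical recursive revolving-door construction of an $(n,k)$-Gray code for combinations, a checker for the property of Definition 3.1.1, and the single (leaving, entering) column pair per step that the loop above applies before the next Gaussian elimination; the page's Example 3.1.3 is embedded as test data. For $(5,3)$ the recursion yields the page's sequence rotated by one position (it starts at 123 instead of ending there).

```python
from itertools import combinations


def gray_combinations(n, k):
    """Revolving-door Gray code for the k-subsets of {1, ..., n}: a list of
    sorted tuples in which successive subsets differ by exactly one element.
    Recursion: all k-subsets of {1..n-1}, then the (k-1)-subsets of {1..n-1}
    in reverse order with n appended (the junction differs by one element)."""
    if k == 0:
        return [()]
    if k == n:
        return [tuple(range(1, n + 1))]
    head = gray_combinations(n - 1, k)
    tail = [c + (n,) for c in reversed(gray_combinations(n - 1, k - 1))]
    return head + tail


def is_gray_code(seq, n, k):
    """True iff seq lists every k-subset of {1..n} exactly once and each
    successive pair differs by exactly one element (Definition 3.1.1)."""
    sets = [frozenset(c) for c in seq]
    expected = {frozenset(c) for c in combinations(range(1, n + 1), k)}
    if len(sets) != len(expected) or set(sets) != expected:
        return False
    return all(len(a ^ b) == 2 for a, b in zip(sets, sets[1:]))


def column_swaps(seq):
    """For each step of a Gray sequence, the (leaving, entering) column pair:
    the single swap applied to G' P_i before re-running the elimination."""
    swaps = []
    for a, b in zip(seq, seq[1:]):
        (out,) = set(a) - set(b)      # exactly one column leaves ...
        (into,) = set(b) - set(a)     # ... and exactly one enters
        swaps.append((out, into))
    return swaps


# Example 3.1.3 of the page, typed in as test data (column indexes 1..5).
EXAMPLE_5_3 = [(1, 3, 4), (2, 3, 4), (1, 2, 4), (1, 4, 5), (2, 4, 5),
               (3, 4, 5), (1, 3, 5), (2, 3, 5), (1, 2, 5), (1, 2, 3)]

if __name__ == "__main__":
    print(is_gray_code(EXAMPLE_5_3, 5, 3))
    print(gray_combinations(5, 3))
    print(column_swaps(EXAMPLE_5_3))
```

This recursion builds the whole list and is the $O(n)$-per-step classical order, not the constant-time generators of [10] [9]; it is here to show the property the decoding loop relies on.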