## Faster 2-regular information-set decoding

Citations: 2 (1 self)

### BibTeX

```bibtex
@MISC{Bernstein_faster2-regular,
  author = {Daniel J. Bernstein and Tanja Lange and Christiane Peters and Peter Schwabe},
  title = {Faster 2-regular information-set decoding},
  year = {}
}
```

### Abstract

Fix positive integers B and w. Let C be a linear code over F2 of length Bw. The 2-regular-decoding problem is to find a nonzero codeword consisting of w length-B blocks, each of which has Hamming weight 0 or 2. This problem appears in attacks on the FSB (fast syndrome-based) hash function and related proposals. This problem differs from the usual information-set-decoding problems in that (1) the target codeword is required to have a very regular structure and (2) the target weight can be rather high, so that there are many possible codewords of that weight. Augot, Finiasz, and Sendrier, in the paper that introduced FSB, presented a variant of information-set decoding tuned for 2-regular decoding. This paper improves the Augot–Finiasz–Sendrier algorithm in a way that is analogous to Stern’s improvement upon basic information-set decoding. The resulting algorithm achieves an exponential speedup over the previous algorithm.

Keywords: Information-set decoding, 2-regular decoding, FSB, binary codes.
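To make the problem statement concrete, here is an added example (not code from the paper or its authors) that solves a constructed toy instance of 2-regular decoding by exhaustive search: B = 4, w = 3 and a 5-row parity-check matrix H over F2 are all made up for illustration, and the brute force over (1 + C(B,2))^w block patterns is the baseline that the information-set-decoding variants discussed in the paper improve on, not the paper's algorithm.

```python
from itertools import combinations, product

# Constructed toy instance, not a parameter set from the paper: w = 3 blocks
# of length B = 4, so the code has length n = Bw = 12, and the parity-check
# matrix H has r = 5 rows over F2.  Each column is stored as a 5-bit integer
# (bit i set <=> H[i][j] = 1), so a syndrome H*x is just the XOR of the
# columns selected by x.
B, W = 4, 3
H_COLS = [1, 2, 4, 8,      # block 0: columns 0..3
          16, 6, 5, 9,     # block 1: columns 4..7
          18, 7, 10, 12]   # block 2: columns 8..11 (column 9 was chosen so
                           # that columns {0,1,4,5,8,9} XOR to zero)

def syndrome(cols, support):
    """H*x over F2 for the vector x with 1s exactly at the given positions."""
    s = 0
    for j in support:
        s ^= cols[j]
    return s

def is_2_regular(support, B, w):
    """True iff every length-B block of x contains 0 or 2 of x's 1-positions."""
    counts = [0] * w
    for j in support:
        counts[j // B] += 1
    return all(c in (0, 2) for c in counts)

def two_regular_codewords(cols, B, w):
    """Enumerate all nonzero 2-regular codewords of the code whose parity-check
    columns are `cols`: per block choose either the empty block or one of the
    C(B,2) weight-2 patterns, then keep the (1 + C(B,2))^w combinations with
    zero syndrome.  Exhaustive search is only feasible at toy sizes; the
    structure of the candidate set is what the decoding algorithms exploit."""
    per_block = [()] + list(combinations(range(B), 2))
    found = []
    for choice in product(per_block, repeat=w):
        support = tuple(b * B + i for b, pair in enumerate(choice) for i in pair)
        if support and syndrome(cols, support) == 0:   # skip the zero codeword
            found.append(support)
    return found

if __name__ == "__main__":
    for sup in two_regular_codewords(H_COLS, B, W):
        print(sup)
```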

### Citations

213 | A Public-Key Cryptosystem Based on Algebraic Coding Theory. DSN progress report 42(44 - McEliece - 1978
Citation Context: ...this is particularly obvious for the parameters n and k appearing in FSB. Plain information-set decoding. Information-set decoding was first suggested by Prange in [22] and was later used by McEliece [21] to estimate the security of code-based cryptography. One iteration of plain information-set decoding works as follows. Select a random set of r columns of the r × n parity check matrix H of the code...

91 | A New Algorithm for Finding Minimum Weight Words in a Linear Code: Application to McEliece’s Cryptosystem and to Narrow-Sense BCH Codes of Length 511 - Canteaut, Chabaud - 1998
Citation Context: ...ments for this guess: • In the usual context of low-weight decoding, the standard improvements are often viewed as rather small. For example, Augot, Finiasz, and Sendrier in [2, Section 4.1] say that [10], [18], and [24] merely “reduce the degree of the polynomial part” of the complexity of information-set decoding. • Plain information-set decoding and the Augot–Finiasz–Sendrier algorithm apply linear...

52 | An observation on the security of McEliece’s public-key cryptosystem - Lee, Brickell - 1988
Citation Context: ...e r×r submatrix of H′, allowing the submatrix to be non-invertible; this is the starting point for the algorithm of [2] discussed in the next section. The standard improvements. Lee and Brickell in [18] improved Prange’s method by choosing a small parameter p ≤ t and allowing p errors in the information set (together with ≤ t − p errors in the selected columns). This means...

51 | A method for finding codewords of small weight - Stern - 1989
Citation Context: ...d from an r-row sum to an ℓ-row sum (plus an (r − ℓ)-row sum with probability about 1/2^ℓ), at the cost of missing error vectors that have errors in the ℓ columns corresponding to Z. The next year, in [24], Stern suggested the same improvements together with a collision speedup. The information set is partitioned into two sets X and Y. The Lee–Brickell parameter p is required to be even and is split a...

50 | A probabilistic algorithm for computing minimum weights of large error-correcting codes - Leon - 1988
Citation Context: ...(n−k)×(n−k) identity matrix. Fig. 2.1. One check in Stern’s algorithm. ...checking (k choose p) combinations of columns but amortizes the costs of Gaussian elimination across those combinations. Leon in [19], independently of Lee and Brickell, suggested p errors in the information set together with ℓ-row early aborts. Instead of checking the weight of the sum of each set of p columns, this algorithm chec...

36 | Security Bounds for the Design of Code-based Cryptosystems - Finiasz, Sendrier - 2009
Citation Context: ...of columns in X and Y are handled; and in how the full test is done once a choice was successful on the ℓ positions. The most recent papers are [5], [16], and [6]; see those papers for surveys of previous work. 3 The Augot–Finiasz–Sendrier algorithm for 2-regular decoding. This section discusses the Augot–Finiasz–Sendrier algorithm [2, Section 4.2] for...

28 | Improved fast syndrome based cryptographic hash functions - Finiasz, Gaborit, et al. - 2007
Citation Context: ...istinct inputs that compress to the same output. Details about how the matrix is constructed and how the message blocks are chained can be found in the design document [1] and in the papers [2], [3], [15], and [14] describing preliminary FSB designs. In [7] we proposed a more efficient family of syndrome-based hash functions called RFSB (for “really fast syndrome-based” hashing); RFSB differs from FSB...

17 | A note on Wyner’s wiretap channel - Carleial, Hellman - 1977
Citation Context: ...l exclude the possibility of uselessly finding codeword 0. Use Gaussian elimination to see whether the r selected vectors are linearly independent. This occurs with probability approximately 29%; see [11]. If the vectors are dependent, start the iteration over with a new selection of r positions; even with this restarting, Gaussian elimination is not a bottleneck for large x. An alternative is to cons...

11 | The use of information sets in decoding cyclic codes - Prange - 1962
Citation Context: ...re smaller than generator matrices; this is particularly obvious for the parameters n and k appearing in FSB. Plain information-set decoding. Information-set decoding was first suggested by Prange in [22] and was later used by McEliece [21] to estimate the security of code-based cryptography. One iteration of plain information-set decoding works as follows. Select a random set of r columns of the r × ...

9 | A fast provably secure cryptographic hash function - Augot, Finiasz, et al. - 2003
Citation Context: ....e., two distinct inputs that compress to the same output. Details about how the matrix is constructed and how the message blocks are chained can be found in the design document [1] and in the papers [2], [3], [15], and [14] describing preliminary FSB designs. In [7] we proposed a more efficient family of syndrome-based hash functions called RFSB (for “really fast syndrome-based” hashing); RFSB differ...

9 | Attacking and defending the McEliece cryptosystem - Bernstein, Lange, Peters - 2008
Citation Context: ...ices of columns in X and Y are handled; and in how the full test is done once a choice was successful on the ℓ positions. The most recent papers are [5], [16], and [6]; see those papers for surveys of previous work. 3 The Augot–Finiasz–Sendrier algorithm for 2-regular decoding. This section discusses the Augot–Finiasz–Sendrier algorithm [2, Section 4....

8 | Post-quantum cryptography, second international workshop, PQCrypto 2008 - Buchmann, Ding (editors)

6 | FSBday: implementing Wagner’s generalized birthday attack against the - Bernstein, Lange, et al.
Citation Context: ... larger threat; the FSB submission [1, Table 4, “best attacks known”: “collision search” column] says that information-set decoding is a larger threat; both of the underlying analyses are disputed in [4]. We recommend continuing investigation of all of these approaches. 2 Low-weight information-set decoding. This section reviews several improvements in low-weight information-set decoding, as backgroun...

6 | Really Fast Syndrome-Based hashing - Bernstein, Lange, et al. - 2011
Citation Context: ...ls about how the matrix is constructed and how the message blocks are chained can be found in the design document [1] and in the papers [2], [3], [15], and [14] describing preliminary FSB designs. In [7] we proposed a more efficient family of syndrome-based hash functions called RFSB (for “really fast syndrome-based” hashing); RFSB differs from FSB in the parameter choices and in the way the matrix is...

5 | Coding theory and applications - Cohen, Wolfmann (editors) - 1989

3 | Explicit bounds for generic decoding algorithms for code-based cryptography - Bernstein, Lange, Peters, van Tilborg
Citation Context: ...rarguments. One can show that Stern’s speedup is superpolynomial when parameters are properly optimized, and that the cost of linear algebra inside Stern’s algorithm is asymptotically negligible. See [8]. For the same reasons, the cost of multiplying U by H is also negligible. To firmly settle the arguments we show that our new algorithm for 2-regular decoding is faster than the old algorithm by an e...

3 | Syndrome based collision resistant hashing - Finiasz
Citation Context: ...puts that compress to the same output. Details about how the matrix is constructed and how the message blocks are chained can be found in the design document [1] and in the papers [2], [3], [15], and [14] describing preliminary FSB designs. In [7] we proposed a more efficient family of syndrome-based hash functions called RFSB (for “really fast syndrome-based” hashing); RFSB differs from FSB in the par...

3 | Advances in cryptology — EUROCRYPT ’88, proceedings of the workshop on the theory and application of cryptographic techniques held - Günther - 1988

3 | A family of fast syndrome based cryptographic hash functions - Augot, Finiasz, Sendrier

1 | Ball-collision decoding - Bernstein, Lange, Peters - 2010
Citation Context: ... in X and Y are handled; and in how the full test is done once a choice was successful on the ℓ positions. The most recent papers are [5], [16], and [6]; see those papers for surveys of previous work. 3 The Augot–Finiasz–Sendrier algorithm for 2-regular decoding. This section discusses the Augot–Finiasz–Sendrier algorithm [2, Section 4.2] for 2-regula...