This page is dedicated to the syndrome decoding problem for random quasi-cyclic binary linear codes, in the range of parameters similar to the BIKE cryptosystem.
Quasi-cyclic Syndrome Decoding problem. Given integers \(n, k, w\) such that \(k \leq n\) and \( w \leq n\), an instance of the problem \(\mathrm{QCSD}(n,k,w)\) consists of a quasi-cyclic parity-check matrix \({\rm \bf H} \in \mathbb{F}_2^{(n-k) \times n}\) and a vector \({\rm \bf s} \in \mathbb{F}_2^{n-k}\) (called the syndrome). A solution to the problem is a vector \( {\rm \bf e} \in \mathbb{F}_2^n \) of Hamming weight \(\leq w\) such that \( {\rm \bf He^{\top}} = {\rm \bf s^{\top}} \).
The challenge. Here, we focus on instances with code rate \( R = 0.5 \), that is \( n = 2k \). First, an even weight \( w \) is set. Then, the length \( n = w^2 + 2 \) and the dimension \( k = n/2 \) are derived, so that \( w \simeq \sqrt{n} \). Notice that the block length \( k \) is an odd integer, preventing the following attack. With these choices of parameters, we expect the problem to be as close as possible to the problem (2,1)-QCSD on which rely the BIKE, HQC and LEDAcrypt cryptosystems proposed for the NIST standardization process.
Under these conditions, instances with cryptographic size are assumed to be out of reach, so we propose instances with increasing size to see how hard this problem is in practice.
Trapdoor. The matrix \( {\rm \bf H} \) is picked uniformly at random among all quasi-cyclic matrices but the syndrome \( {\rm \bf s} \) is generated using a trapdoor, to ensure that there exists a solution of weight \(w\). First a vector \( {\rm \bf e} \in \mathbb{F}_2^n \) is chosen uniformly at random* among all vectors of weight \(w\), then we compute the value of \(\rm \bf s\) such that \( {\rm \bf He^{\top}} = {\rm \bf s^{\top}} \). To ensure that the challenge is fair, we provide different versions of the challenge for each size, generated independently by people in different institutions.
How to participate?
Length | Weight | Authors | Details |
---|---|---|---|
3602 | 60 | Shintaro Narisada, Hiroki Okada, Shusaku Uemura, Yusuke Aikawa, Kazuhide Fukushima and Shinsaku Kiyomoto | See details |
3366 | 58 | Shintaro Narisada, Hiroki Okada, Shusaku Uemura, Yusuke Aikawa, Kazuhide Fukushima, and Shinsaku Kiyomoto | See details |
3138 | 56 | Andre Esser and Floyd Zweydinger | See details |
2918 | 54 | Andre Esser, Alexander May and Floyd Zweydinger | See details |
2706 | 52 | Andre Esser, Alexander May and Floyd Zweydinger | See details |
* Note on the source of randomness (6th Sept. 2019). We are grateful to Taylor Campbell for pointing out the weakness induced by using the standard Python PRNG. Challenges have been replaced by freshly generated ones, using urandom as source of randomness.
- lines 1, 3, 5, 7 are comments
- line 2 is the length \( n \)
- line 4 is the target weight \( w \)
- lines 6 is a vector \( {\rm \bf h} \) whose cyclic shifts form a square matrix \( {\rm \bf M} \), such that \( {\rm \bf H} = [ {\rm \bf I}_{0.5 n} | {\rm \bf M}^\top ] \) is the parity-check matrix of the challenge
- line 9 is the target syndrome
Details here.
A list of instances (indexed by error weight \(w\)) generated by:
Tooltips give an indication of complexity.