U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.


Decoding failures and error floors

July 27, 2022


Angela Robinson - NIST



There is a class of public-key cryptography (PKC) based on linear error-correcting codes (ECC). Early code-based cryptosystems offered provable security but impractically large public keys. As such, over the past few decades, cryptographers have attempted to find more efficient code-based designs while maintaining sufficient security. The decoder used during error correction directly affects the security of a code-based cryptosystem because, often, the private key is used in the process of recovering a shared secret from a syndrome. Correlations between error patterns that lead to decoding failures and the private key of a scheme have been discovered, leading cryptographers to work diligently to minimize decoding failures.

We present experimental findings on the decoding failure rate (DFR) of BIKE, a fourth-round candidate in the NIST Post-Quantum Standardization process, at the 20-bit security level. We select parameters according to BIKE design principles and conduct a series of experiments. We directly compute the average DFR on a range of BIKE block sizes and identify both the waterfall and error floor regions of the DFR curve. We then study the influence on the average DFR of three sets C, N, and 2N of near-codewords — vectors of low weight that induce syndromes of low weight — defined by Vasseur in 2021. We find that error vectors leading to decoding failures have small maximum support intersection with elements of these sets; further, the distribution of intersections is quite similar to that of sampling random error vectors and counting the intersections with C, N, and 2N. Our results indicate that these three sets are not sufficient in classifying vectors expected to cause decoding failures. Finally, we study the role of syndrome weight on the decoding behavior and conclude that the set of error vectors that lead to decoding failures differ from random vectors by having low syndrome weight.

Presented at

Crypto Reading Club talk on 2022-Jul-27

Parent Project

See: Crypto Reading Club

Related Topics

Security and Privacy: cryptography

Created July 26, 2022