
Estimating the Decoding Failure Rate of Binary Regular Codes Using Iterative Decoding

Alessandro Annechini, Alessandro Barenghi, Gerardo Pelosi

TL;DR

This work tackles the challenging problem of estimating the decoding failure rate (DFR) for a two-iteration parallel bit-flipping decoder applied to $(v,w)$-regular LDPC/MDPC codes used in post-quantum cryptosystems. The authors develop a three-part modeling framework: (i) a non-homogeneous Markov chain for the syndrome weight $\text{Pr}(\boldsymbol{\text{W}}_t=y)$, (ii) first-iteration flip statistics and the resulting discrepancies $\boldsymbol{\text{d}}_+$, $\boldsymbol{\text{d}}_-$, and (iii) second-iteration flip probabilities conditioned on four bit-class categories, enabling the computation of $\text{Pr}(\boldsymbol{\text{E}}_{(2)}=0)$. By aggregating these components via the law of total probability, they obtain a closed-form-like estimate of the two-iteration DFR and validate it against Monte Carlo simulations across both transmission- and cryptography-grade parameters. The method yields dramatically tighter DFR bounds than prior approaches, enabling substantial reductions in LEDAcrypt key and ciphertext sizes (e.g., improvements by factors of $2^{70}$ to achieve $2^{-128}$ security) while maintaining security, and it demonstrates potential applicability to BIKE to support IND-CCA$2$ guarantees. Overall, the work provides a practical, scalable framework for DFR estimation in cryptographic settings where direct simulation is infeasible.

Abstract

Providing closed form estimates of the decoding failure rate of iterative decoders for low- and moderate-density parity check codes has attracted significant interest in the research community over the years. This interest has risen recently due to the use of iterative decoders in post-quantum cryptosystems, where the desired decoding failure rates are impossible to estimate via Monte Carlo simulations. In this work, we propose a new technique to provide accurate estimates of the DFR of a two-iterations (parallel) bit flipping decoder, which is also employable for cryptographic purposes. In doing so, we successfully tackle the estimation of the bit flipping probabilities at the second decoder iteration, and provide a fitting estimate for the syndrome weight distribution at the first iteration. We numerically validate our results, providing comparisons of the modeled and simulated weight of the syndrome, incorrectly-guessed error bit distribution at the end of the first iteration, and two-iteration Decoding Failure Rates (DFR), both in the floor and waterfall regime for simulatable codes. Finally, we apply our method to estimate the DFR of LEDAcrypt parameters, showing improvements by factors larger than $2^{70}$ (for NIST category $1$) with respect to the previous estimation techniques. This allows for a $\approx 20$% shortening in public key and ciphertext sizes, at no security loss, making the smallest ciphertext for NIST category $1$ only $6$% larger than the one of BIKE. We note that the analyzed two-iterations decoder is applicable in BIKE, where swapping it with the current black-gray decoder (and adjusting the parameters) would provide strong IND-CCA$2$ guarantees.

Paper Structure (18 sections, 95 equations, 7 figures, 1 table, 2 algorithms)

Figures (7)

  • Figure 1: Bit flipping algorithm variables at the beginning of the decoding procedure (i.e., when the number of iterations equals zero, $\mathtt{iter} = 0$) for a toy code $C[n=14, k=7]$, where the parity check matrix has column weight $v=2$ and row weight $w=4$, with an error weight $t=2$. Rows corresponding to unsatisfied parity-check equations, and their corresponding syndrome bits, are highlighted in cyan. The unknown error vector is denoted as $e = [{e}_0, \ldots,{e}_{n-1}]$, the error vector estimate is denoted as $\bar{e}^{(0)} = [\bar{e}_0, \ldots, \bar{e}_{n-1}]$, while the sequence of discrepancies between the bits of the actual error vector and the corresponding bits in the error vector estimate just before the decoding computation is denoted as $e \oplus \bar{e}^{(0)}$. Note that the superscript of the coordinates of $\bar{e}$ is omitted for readability. At the end of each iteration of the decoding procedure the equality $s = H(e \oplus \bar{e}^{(\mathtt{iter})})^{\mathtt{T}}$ holds.
  • Figure 2: Numerical validation of the model of syndrome weight distribution, simulation on a $(v,w)$-regular code parity-check matrix, picking a communications-grade code parameter set (left) and a cryptography-grade code parameter set (right). Numerical results obtained with $10^9$ random syndrome samples.
  • Figure 3: Number of flips on $\bar{e}_j$ which took place when $e_j=0$ ($\mathrm{d}_+$) and number of flips not made on $\bar{e}_j$ when $e_j=1$ ($t-\mathrm{d}_-$) after the first iteration for the LEDAcrypt code with parameters $n_0=4, p=13397, n=n_0p, k=(n_0-1)p, v=83$. Results obtained with $10^5$ randomly generated error vectors of weight $t=95$ for each point.
  • Figure 4: Flipping probabilities for bits in $\mathbf{J}_{0,0}$, $\mathbf{J}_{0,1}$, $\mathbf{J}_{1,0}$ and $\mathbf{J}_{1,1}$ during the second iteration of a parallel decoder, with two different choices for $\mathtt{th1}$ and $\mathtt{th2}$. Code parameters matching the ones in the LEDAcrypt specifications (LEDA, Section $4.1$, Figure $4.1$): $n_0=2, p= 4801, n=n_0p, k=p, v=45$. Simulation data obtained from $10^5$ randomly generated error vectors of weight $t$.
  • Figure 5: Two iterations DFR values for $(v,2v)$-regular LDPC codes, $v \in\{9,11,13,15,17\}$, with rate $\frac{k}{n}=\frac{1}{2}$, $t=18$, parallel decoder employing majority thresholds, i.e., $\mathtt{th1}= \mathtt{th2}=\lceil \frac{v+1}{2}\rceil$. Each data point was obtained performing $10^8$ decoding actions, or a sufficient number to obtain $100$ decoding failures.
  • ...and 2 more figures
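
The two-iteration parallel bit-flipping decoder with majority thresholds from Figure 5, together with the invariant $s = H(e \oplus \bar{e}^{(\mathtt{iter})})^{\mathtt{T}}$ from Figure 1, can be exercised by direct Monte Carlo simulation on a toy code. The sketch below is an added example, not the authors' code: the quasi-cyclic construction with random circulant supports, the parameters `p=499`, `v=9`, and the definition of a failure as "estimate differs from the true error vector" are assumptions made here. Simulation of this kind only resolves failure rates down to roughly the inverse of the trial count, which is why the cryptographic targets discussed in the abstract need a model instead.

```python
import random

def qc_columns(p, v, n0, rng):
    """Row indices of the ones in every column of H = [H_0 | ... | H_{n0-1}],
    each H_b a p x p circulant with column weight v (constructed toy code)."""
    cols = []
    for _ in range(n0):
        support = rng.sample(range(p), v)
        cols += [[(j + s) % p for s in support] for j in range(p)]
    return cols

def syndrome(cols, p, vec):
    """s = H * vec^T over GF(2)."""
    s = [0] * p
    for j, bit in enumerate(vec):
        if bit:
            for i in cols[j]:
                s[i] ^= 1
    return s

def decode_two_iter(cols, s, th1, th2):
    """Two parallel bit-flipping iterations; returns (estimate, final syndrome)."""
    s, est = list(s), [0] * len(cols)
    for th in (th1, th2):
        # Parallel: every unsatisfied-parity-check counter is computed from
        # the same syndrome before any bit is flipped.
        upc = [sum(s[i] for i in col) for col in cols]
        for j, u in enumerate(upc):
            if u >= th:
                est[j] ^= 1
                for i in cols[j]:
                    s[i] ^= 1
    return est, s

def estimate_dfr(p, v, t, trials, seed=1):
    """Monte Carlo DFR of the two-iteration decoder on a (v, 2v)-regular code."""
    rng = random.Random(seed)
    cols = qc_columns(p, v, 2, rng)
    th = (v + 2) // 2  # majority threshold ceil((v+1)/2)
    failures = 0
    for _ in range(trials):
        e = [0] * (2 * p)
        for j in rng.sample(range(2 * p), t):
            e[j] = 1
        est, s = decode_two_iter(cols, syndrome(cols, p, e), th, th)
        diff = [a ^ b for a, b in zip(e, est)]
        assert s == syndrome(cols, p, diff)  # s = H (e xor e_bar)^T
        failures += any(diff)
    return failures / trials

if __name__ == "__main__":
    for t in (6, 12, 18):
        print(t, estimate_dfr(p=499, v=9, t=t, trials=200))
```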