On the minimum distance of elliptic curve codes

Computing the minimum distance of a linear code is one of the fundamental problems in algorithmic coding theory. Vardy [14] showed that it is an \np-hard problem for general linear codes. In practice, one often uses codes with additional mathematical structure, such as AG codes. For AG codes of genus $0$ (generalized Reed-Solomon codes), the minimum distance has a simple explicit formula. An interesting result of Cheng [3] says that the minimum distance problem is already \np-hard (under \rp-reduction) for general elliptic curve codes (ECAG codes, or AG codes of genus $1$). In this paper, we show that the minimum distance of ECAG codes also has a simple explicit formula if the evaluation set is suitably large (at least $2/3$ of the group order). Our method is purely combinatorial and based on a new sieving technique from the first two authors [8]. This method also proves a significantly stronger version of the MDS (maximum distance separable) conjecture for ECAG codes.Comment: 13 page

On Generalized First Fall Degree Assumptions

The first fall degree assumption provides a complexity approximation of Gröbner basis algorithms when the degree of regularity of a polynomial system cannot be precisely evaluated. Most importantly, this assumption was recently used by Petit and Quisquater\u27s to conjecture that the elliptic curve discrete logarithm problem can be solved in subexponential time for binary fields (binary ECDLP). The validity of the assumption may however depend on the systems in play. In this paper, we theoretically and experimentally study the first fall degree assumption for a class of polynomial systems including those considered in Petit and Quisquater\u27s analysis. In some cases, we show that the first fall degree assumption seems to hold and we deduce complexity improvements on previous binary ECDLP algorithms. On the other hand, we also show that the assumption is unlikely to hold in other cases where it would have very unexpected consequences. Our results shed light on a Gröbner basis assumption with major consequences on several cryptanalysis problems, including binary ECDLP

Stopping Sets of Algebraic Geometry Codes

Abstract — Stopping sets and stopping set distribution of a linear code play an important role in the performance analysis of iterative decoding for this linear code. Let C be an [n, k] linear code over Fq with parity-check matrix H, wheretherowsof H may be dependent. Let [n] ={1, 2,...,n} denote the set of column indices of H. Astopping set S of C with parity-check matrix H is a subset of [n] such that the restriction of H to S does not contain a row of weight 1. The stopping set distribution {Ti (H)} n i=0 enumerates the number of stopping sets with size i of C with parity-check matrix H. Denote H ∗ , the paritycheck matrix, consisting of all the nonzero codewords in the dual code C ⊥. In this paper, we study stopping sets and stopping set distributions of some residue algebraic geometry (AG) codes with parity-check matrix H ∗. First, we give two descriptions of stopping sets of residue AG codes. For the simplest AG codes, i.e., the generalized Reed–Solomon codes, it is easy to determine all the stopping sets. Then, we consider the AG codes from elliptic curves. We use the group structure of rational points of elliptic curves to present a complete characterization of stopping sets. Then, the stopping sets, the stopping set distribution, and the stopping distance of the AG code from an elliptic curve are reduced to the search, counting, and decision versions of the subset sum problem in the group of rational points of the elliptic curve, respectively. Finally, for some special cases, we determine the stopping set distributions of the AG codes from elliptic curves. Index Terms — Algebraic geometry codes, elliptic curves, stopping distance, stopping sets, stopping set distribution, subset sum problem. I

Computation of Trusted Short Weierstrass Elliptic Curves for Cryptography

Short Weierstrass's elliptic curves with underlying hard Elliptic Curve Discrete Logarithm Problems was widely used in Cryptographic applications. This paper introduces a new security notation 'trusted security' for computation methods of elliptic curves for cryptography. Three additional "trusted security acceptance criteria" is proposed to be met by the elliptic curves aimed for cryptography. Further, two cryptographically secure elliptic curves over 256 bit and 384 bit prime fields are demonstrated which are secure from ECDLP, ECC as well as trust perspectives. The proposed elliptic curves are successfully subjected to thorough security analysis and performance evaluation with respect to key generation and signing/verification and hence, proven for their cryptographic suitability and great feasibility for acceptance by the community.Comment: CYBERNETICS AND INFORMATION TECHNOLOGIES, Volume 21, No

Improved Lower Bounds for Approximating Parameterized Nearest Codeword and Related Problems under ETH

In this paper we present a new gap-creating randomized self-reduction for parameterized Maximum Likelihood Decoding problem over $\mathbb{F}_p$ ($k$-MLD$_p$). The reduction takes a $k$-MLD$_p$ instance with $k\cdot n$ vectors as input, runs in time $f(k)n^{O(1)}$ for some computable function $f$, outputs a $(3/2-\varepsilon)$-Gap-$k'$-MLD$_p$ instance for any $\varepsilon>0$, where $k'=O(k^2\log k)$. Using this reduction, we show that assuming the randomized Exponential Time Hypothesis (ETH), no algorithms can approximate $k$-MLD$_p$ (and therefore its dual problem $k$-NCP$_p$) within factor $(3/2-\varepsilon)$ in $f(k)\cdot n^{o(\sqrt{k/\log k})}$ time for any $\varepsilon>0$. We then use reduction by Bhattacharyya, Ghoshal, Karthik and Manurangsi (ICALP 2018) to amplify the $(3/2-\varepsilon)$-gap to any constant. As a result, we show that assuming ETH, no algorithms can approximate $k$-NCP$_p$ and $k$-MDP$_p$ within $\gamma$-factor in $f(k)n^{o(k^{\varepsilon_\gamma})}$ time for some constant $\varepsilon_\gamma>0$. Combining with the gap-preserving reduction by Bennett, Cheraghchi, Guruswami and Ribeiro (STOC 2023), we also obtain similar lower bounds for $k$-MDP$_p$, $k$-CVP$_p$ and $k$-SVP$_p$. These results improve upon the previous $f(k)n^{\Omega(\mathsf{poly} \log k)}$ lower bounds for these problems under ETH using reductions by Bhattacharyya et al. (J.ACM 2021) and Bennett et al. (STOC 2023).Comment: 32 pages, 3 figure

A Post-Quantum Digital Signature Scheme from QC-LDPC Codes

We propose a novel post-quantum code-based digital signature algorithm whose security is based on the difficulty of decoding Quasi-Cyclic codes in systematic form, and whose trapdoor relies on the knowledge of a hidden Quasi-Cyclic Low-Density-Parity-Check (QC-LDPC) code. The utilization of Quasi-Cyclic (QC) codes allows us to balance between security and key size, while the LDPC property lighten the encoding complexity, thus the signing algorithm complexity, significantly

Les codes algébriques principaux et leur décodage

National audienceLe premier exposé reprend les algorithmes classiques de décodage des codes géométriques, basés sur l'algorithme de Berlekamp-Massey et ses généralisations multivariées (Berlekamp-Massey-Sakata). Toutefois, avant de présenter ces algorithmes, je rappelerai les bases de la théorie des codes : codes linéaires, borne de Singleton, codes de Reed-Solomon, borne de Hamming. Ensuite, j'introduirai de manière motivée la famille des codes géométriques, comme généralisation des codes géométriques, après un bref rappel de la théorie des courbes algébriques sur les corps finis. La cadre sera alors en place pour introduire le décodage par syndrômes, qui est le décodage classique des codes géométriques. Le deuxième exposé est consacré aux progrès récents dans le domaine du codage algébrique, qui reposent sur le décodage par interpolation. Ces progrès sont dus à Guruswami-Sudan, et reposent sur une vision duale des codes de Reed-Solomon et des codes géométriques. Je présenterai dans l'ordre les algorithmes de Berlekamp-Welsh, Sudan et Guruswami-Sudan, dans le contexte des codes de Reed-Solomon et dans le contexte des codes géométriques. On verra finalement comment l'algorithme de Berlekamp-Massey-Sakata peut être recyclé dans ce contexte