186 research outputs found

    On the List-Decodability of Random Linear Rank-Metric Codes

    The list-decodability of random linear rank-metric codes is shown to match that of random rank-metric codes. Specifically, an $\mathbb{F}_q$-linear rank-metric code over $\mathbb{F}_q^{m \times n}$ of rate $R = (1-\rho)(1-\frac{n}{m}\rho)-\varepsilon$ is shown to be (with high probability) list-decodable up to fractional radius $\rho \in (0,1)$ with lists of size at most $\frac{C_{\rho,q}}{\varepsilon}$, where $C_{\rho,q}$ is a constant depending only on $\rho$ and $q$. This matches the bound for random rank-metric codes (up to constant factors). The proof adapts the approach of Guruswami, Håstad, Kopparty (STOC 2010), who established a similar result for the Hamming metric case, to the rank-metric setting.

    Improved List-Decodability of Random Linear Binary Codes


    Decodability Attack against the Fuzzy Commitment Scheme with Public Feature Transforms

    The fuzzy commitment scheme is a cryptographic primitive that can be used to store biometric templates, encoded as fixed-length feature vectors, in protected form. If multiple related records generated from the same biometric instance can be intercepted, their correspondence can be determined using the decodability attack. In 2011, Kelkboom et al. proposed to pass the feature vectors through a record-specific but public permutation process in order to prevent this attack. In this paper, it is shown that this countermeasure enables another attack, also analyzed by Simoens et al. in 2009, which can even make it easier for an adversary to fully break two related records. The attack may only be feasible if the protected feature vectors have a reasonably small Hamming distance; yet, implementations and security analyses must account for this risk. This paper furthermore discusses that by means of a public transformation, the attack cannot be prevented in a binary fuzzy commitment scheme based on linear codes. Fortunately, such transformations can be generated for the non-binary case. In order to still be able to protect binary feature vectors, one may consider using the improved fuzzy vault scheme by Dodis et al., which may be secured against linkability attacks using observations made by Merkle and Tams.

    Bounds on List Decoding of Rank-Metric Codes

    So far, there is no polynomial-time list decoding algorithm (beyond half the minimum distance) for Gabidulin codes. These codes can be seen as the rank-metric equivalent of Reed–Solomon codes. In this paper, we provide bounds on the list size of rank-metric codes in order to understand whether polynomial-time list decoding is possible or whether it works only with exponential time complexity. Three bounds on the list size are proven. The first one is a lower exponential bound for Gabidulin codes and shows that for these codes no polynomial-time list decoding beyond the Johnson radius exists. Second, an exponential upper bound is derived, which holds for any rank-metric code of length $n$ and minimum rank distance $d$. The third bound proves that there exists a rank-metric code over $\mathbb{F}_{q^m}$ of length $n \leq m$ such that the list size is exponential in the length for any radius greater than half the minimum rank distance. This implies that there cannot exist a polynomial upper bound depending only on $n$ and $d$ similar to the Johnson bound in Hamming metric. All three rank-metric bounds reveal significant differences to bounds for codes in Hamming metric. Comment: 10 pages, 2 figures, submitted to IEEE Transactions on Information Theory, short version presented at ISIT 201

    Generalized List Decoding

    This paper concerns itself with the question of list decoding for general adversarial channels, e.g., bit-flip ($\textsf{XOR}$) channels, erasure channels, $\textsf{AND}$ ($Z$-) channels, $\textsf{OR}$ channels, real adder channels, noisy typewriter channels, etc. We precisely characterize when exponential-sized (or positive rate) $(L-1)$-list decodable codes (where the list size $L$ is a universal constant) exist for such channels. Our criterion asserts that: "For any given general adversarial channel, it is possible to construct positive rate $(L-1)$-list decodable codes if and only if the set of completely positive tensors of order-$L$ with admissible marginals is not entirely contained in the order-$L$ confusability set associated to the channel." The sufficiency is shown via random code construction (combined with expurgation or time-sharing). The necessity is shown by 1. extracting equicoupled subcodes (generalization of equidistant code) from any large code sequence using hypergraph Ramsey's theorem, and 2. significantly extending the classic Plotkin bound in coding theory to list decoding for general channels using duality between the completely positive tensor cone and the copositive tensor cone. In the proof, we also obtain a new fact regarding asymmetry of joint distributions, which may be of independent interest. Other results include 1. List decoding capacity with asymptotically large $L$ for general adversarial channels; 2. A tight list size bound for most constant composition codes (generalization of constant weight codes); 3. Rederivation and demystification of Blinovsky's [Bli86] characterization of the list decoding Plotkin points (threshold at which large codes are impossible); 4. Evaluation of general bounds ([WBBJ]) for unique decoding in the error correction code setting.