The decoding failure probability of MDPC codes
Moderate Density Parity Check (MDPC) codes are defined here as codes which
have a parity-check matrix whose row weight is where is the
length of the code. They can be decoded like LDPC codes, but they decode
many fewer errors than LDPC codes: the number of errors they can decode in this
case is of order . Despite this fact they have been proved
very useful in cryptography for devising key exchange mechanisms. They have
also been proposed in McEliece type cryptosystems. However in this case, the
parameters that have been proposed in \cite{MTSB13} were broken in
\cite{GJS16}. This attack exploits the fact that the decoding failure
probability is non-negligible. We show here that this attack can be thwarted by
choosing the parameters in a more conservative way. We first show that such
codes can decode with a simple bit-flipping decoder any pattern of
errors. This avoids the
previous attack at the cost of significantly increasing the key size of the
scheme. We then show that under a very reasonable assumption the decoding
failure probability decays almost exponentially with the codelength with just
two iterations of bit-flipping. With an additional assumption it has even been
proved that it decays exponentially with an unbounded number of iterations and
we show that in this case the increase of the key size which is required for
resisting the attack of \cite{GJS16} is only moderate.
Magic state distillation with punctured polar codes
We present a scheme for magic state distillation using punctured polar codes.
Our results build on some recent work by Bardet et al. (ISIT, 2016) who
discovered that polar codes can be described algebraically as decreasing
monomial codes. Using this powerful framework, we construct tri-orthogonal
quantum codes (Bravyi et al., PRA, 2012) that can be used to distill magic
states for the gate. An advantage of these codes is that they permit the
use of the successive cancellation decoder whose time complexity scales as
. We supplement this with numerical simulations for the erasure
channel and dephasing channel. We obtain estimates for the dimensions and error
rates for the resulting codes for block sizes up to for the erasure
channel and for the dephasing channel. The dimension of the
triply-even codes we obtain is shown to scale like for the binary
erasure channel at noise rate and for the dephasing
channel at noise rate . The corresponding bit error rates drop to
roughly for the erasure channel and for
the dephasing channel respectively.
Comment: 18 pages, 4 figures
On a Low-Rate TLDPC Code Ensemble and the Necessary Condition on the Linear Minimum Distance for Sparse-Graph Codes
This paper addresses the issue of design of low-rate sparse-graph codes with
linear minimum distance in the blocklength. First, we define a necessary
condition which needs to be satisfied when the linear minimum distance is to be
ensured. The condition is formulated in terms of degree-1 and degree-2 variable
nodes and of low-weight codewords of the underlying code, and it generalizes
results known for turbo codes [8] and LDPC codes. Then, we present a new
ensemble of low-rate codes, which itself is a subclass of TLDPC codes [4], [5],
and which is designed under this necessary condition. The asymptotic analysis
of the ensemble shows that its iterative threshold is situated close to the
Shannon limit. In addition to the linear minimum distance property, it has a
simple structure and enjoys a low decoding complexity and a fast convergence.
Comment: submitted to IEEE Trans. on Communication
New algorithms for decoding in the rank metric and an attack on the LRPC cryptosystem
We consider the decoding problem or the problem of finding low weight
codewords for rank metric codes. We show how additional information about the
codeword we want to find, in the form of certain linear combinations of the
entries of the codeword leads to algorithms with a better complexity. This is
then used together with a folding technique for attacking a McEliece scheme
based on LRPC codes. It leads to a feasible attack on one of the parameters
suggested in \cite{GMRZ13}.
Comment: A shortened version of this paper will be published in the
proceedings of the IEEE International Symposium on Information Theory 2015
(ISIT 2015).
New Identities Relating Wild Goppa Codes
For a given support and a polynomial with no roots in , we prove equality
between the -ary Goppa codes where
denotes the norm of , that is In
particular, for , that is, for a quadratic extension, we get
. If has roots in
, then we do not necessarily have equality and we prove that
the difference of the dimensions of the two codes is bounded above by the
number of distinct roots of in . These identities provide
numerous code equivalences and improved designed parameters for some families
of classical Goppa codes.
Comment: 14 pages
New constructions of CSS codes obtained by moving to higher alphabets
We generalize a construction of non-binary quantum LDPC codes over \F_{2^m}
due to \cite{KHIS11a} and apply it in particular to toric codes. We obtain in
this way not only codes with better rates than toric codes but also improve
dramatically the performance of standard iterative decoding. Moreover, the new
codes obtained in this fashion inherit the distance properties of the
underlying toric codes and have therefore a minimum distance which grows as the
square root of the length of the code for fixed .
Comment: 9 pages, 9 figures, full version of a paper submitted to the IEEE
Symposium on Information Theory
A Distinguisher-Based Attack on a Variant of McEliece's Cryptosystem Based on Reed-Solomon Codes
Baldi et \textit{al.} proposed a variant of McEliece's cryptosystem. The main
idea is to replace its permutation matrix by adding to it a rank 1 matrix. The
motivation for this change is twofold: it would allow the use of codes that
were shown to be insecure in the original McEliece's cryptosystem, and it would
reduce the key size while keeping the same security against generic decoding
attacks. The authors suggest using generalized Reed-Solomon codes instead of
Goppa codes. The public code built with this method is no longer a
generalized Reed-Solomon code. On the other hand, it contains a very large
secret generalized Reed-Solomon code. In this paper we present an attack that
is built upon a distinguisher which is able to identify elements of this secret
code. The distinguisher is constructed by considering the code generated by
component-wise products of codewords of the public code (the so-called "square
code"). By using square-code dimension considerations, the initial generalized
Reed-Solomon code can be recovered, which makes it possible to decode any ciphertext. A
similar technique has already been successful for mounting an attack against a
homomorphic encryption scheme suggested by Bogdanov et \textit{al.}. This work
can be viewed as another illustration of how a distinguisher of Reed-Solomon
codes can be used to devise an attack on cryptosystems based on them.
Comment: arXiv admin note: substantial text overlap with arXiv:1203.668