An Algorithmic Reduction Theory for Binary Codes: LLL and More

In this article, we propose an adaptation of the algorithmic reduction theory of lattices to binary codes. This includes the celebrated LLL algorithm (Lenstra, Lenstra, Lovász, 1982), as well as adaptations of associated algorithms such as the Nearest Plane Algorithm of Babai (1986). Interestingly, the adaptation of LLL to binary codes can be interpreted as an algorithmic version of the bound of Griesmer (1960) on the minimal distance of a code. Using these algorithms, we demonstrate —both with a heuristic analysis and in practice— a small polynomial speed-up over the Information-Set Decoding algorithm of Lee and Brickell (1988) for random binary codes. This appears to be the first such speed-up that is not based on a time-memory trade-off. The above speed-up should be read as a very preliminary example of the potential of a reduction theory for codes, for example in cryptanalysis. In constructive cryptography, this algorithmic reduction theory could for example also be helpful for designing trapdoor functions from codes.
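The abstract measures its speed-up against the Lee and Brickell (1988) information-set decoder and relates the code analogue of LLL to the Griesmer (1960) bound. The following is an added illustration, written for this page and not code from the paper or its authors: a small pure-Python Lee-Brickell decoder over GF(2) (Prange's information-set step plus the "flip up to p information positions" refinement) and the Griesmer bound as a function. All function names, the [7, 4, 3] Hamming generator matrix and the random systematic code are constructed for this example.

```python
import itertools
import random

# Added example (not from the paper): Lee-Brickell ISD and the Griesmer
# bound over GF(2). Vectors are lists of 0/1 ints; names are constructed.


def vec_add(a, b):
    """Sum of two binary vectors (XOR = addition over GF(2))."""
    return [x ^ y for x, y in zip(a, b)]


def weight(v):
    """Hamming weight."""
    return sum(v)


def mat_vec(m, G):
    """Message m (length k) times generator matrix G (k rows of length n)."""
    out = [0] * len(G[0])
    for bit, row in zip(m, G):
        if bit:
            out = vec_add(out, row)
    return out


def gf2_rank(rows):
    """Rank over GF(2) of a list of binary row vectors (Gaussian elimination)."""
    rows = [r[:] for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = vec_add(rows[i], rows[rank])
        rank += 1
    return rank


def is_codeword(G, c):
    """c is in the row space of G iff appending it does not raise the rank."""
    return gf2_rank(G + [c]) == gf2_rank(G)


def systematic_form(G, info_set):
    """Row-reduce G so column info_set[r] holds the r-th unit vector.
    Returns (G', True), or (partial, False) if info_set is not an information
    set (its columns are linearly dependent)."""
    k = len(G)
    G = [row[:] for row in G]
    for r, col in enumerate(info_set):
        pivot = next((i for i in range(r, k) if G[i][col]), None)
        if pivot is None:
            return G, False
        G[r], G[pivot] = G[pivot], G[r]
        for i in range(k):
            if i != r and G[i][col]:
                G[i] = vec_add(G[i], G[r])
    return G, True


def lee_brickell_decode(G, y, w, p=2, max_iter=2000, seed=0):
    """Search for an error e of weight <= w such that y + e is a codeword of G.
    Each iteration draws a random information set I, puts G in systematic form
    on I, takes the codeword c0 agreeing with y on I (Prange), then also tries
    c0 plus every sum of at most p rows (Lee-Brickell: up to p errors inside I).
    Returns (codeword, error) or None if the iteration budget runs out."""
    rng = random.Random(seed)
    k, n = len(G), len(G[0])
    for _ in range(max_iter):
        info_set = rng.sample(range(n), k)
        Gs, ok = systematic_form(G, info_set)
        if not ok:
            continue
        c0 = mat_vec([y[col] for col in info_set], Gs)
        for t in range(p + 1):
            for rows in itertools.combinations(range(k), t):
                c = c0
                for r in rows:
                    c = vec_add(c, Gs[r])
                e = vec_add(y, c)
                if weight(e) <= w:
                    return c, e
    return None


def griesmer_bound(k, d):
    """Smallest n permitted by Griesmer's bound for a binary [n, k, d] code:
    n >= sum_{i=0}^{k-1} ceil(d / 2^i)."""
    return sum(-(-d // (1 << i)) for i in range(k))


# Constructed sample: the [7, 4, 3] Hamming code in systematic form.
HAMMING_G = [
    [1, 0, 0, 0, 0, 1, 1],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 1, 1, 0],
    [0, 0, 0, 1, 1, 1, 1],
]


def random_code(n, k, seed):
    """Constructed random [n, k] code in systematic form [I | A] (full rank)."""
    rng = random.Random(seed)
    return [[1 if j == i else 0 for j in range(k)]
            + [rng.randrange(2) for _ in range(n - k)] for i in range(k)]


if __name__ == "__main__":
    c = mat_vec([1, 0, 1, 1], HAMMING_G)
    y = vec_add(c, [0, 0, 0, 0, 0, 1, 0])   # one planted error
    print(lee_brickell_decode(HAMMING_G, y, w=1))
    print(griesmer_bound(4, 3))              # Hamming [7,4,3] meets the bound
```

Each iteration costs one Gaussian elimination plus about k^p candidate sums, and an iteration succeeds when at most p of the error positions land inside the chosen information set; the paper's point is that a reduced basis lets one do better than this random restart loop by a polynomial factor, without storing lists.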

[1] Enrico Thomae et al. Decoding Random Linear Codes in Õ(2^{0.054n}), 2012.

[2] Daniele Micciancio et al. A Deterministic Single Exponential Time Algorithm for Most Lattice Problems based on Voronoi Cell Computations (Extended Abstract), 2009.

[3] Ernest F. Brickell et al. An Observation on the Security of McEliece's Public-Key Cryptosystem, 1988, EUROCRYPT.

[4] Nicolas Gama et al. Rankin's Constant and Blockwise Lattice Reduction, 2006, CRYPTO.

[5] Irving S. Reed et al. A class of multiple-error-correcting codes and the decoding scheme, 1954, Trans. IRE Prof. Group Inf. Theory.

[6] Nicolas Sendrier. Code-Based Cryptography, 2011, Encyclopedia of Cryptography and Security.

[7] Thijs Laarhoven et al. Sieving for Shortest Vectors in Lattices Using Angular Locality-Sensitive Hashing, 2015, CRYPTO.

[8] James H. Griesmer et al. A Bound for Error-Correcting Codes, 1960, IBM J. Res. Dev.

[9] Yoshinori Aono et al. Random Sampling Revisited: Lattice Enumeration with Discrete Pruning, 2017, IACR Cryptol. ePrint Arch.

[10] Alexander Vardy et al. The intractability of computing the minimum distance of a code, 1997, IEEE Trans. Inf. Theory.

[11] Claus-Peter Schnorr et al. Lattice Basis Reduction: Improved Practical Algorithms and Solving Subset Sum Problems, 1991, FCT.

[12] Felix Fontein et al. PotLLL: a polynomial time version of LLL with deep insertions, 2012, Designs, Codes and Cryptography.

[13] Jacques Stern. A method for finding codewords of small weight, 1989, Coding Theory and Applications.

[15] Alain Couvreur et al. Polynomial Time Attack on Wild McEliece Over Quadratic Extensions, 2017, IEEE Transactions on Information Theory.

[16] O. Antoine et al. Theory of Error-correcting Codes, 2022.

[17] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[18] Eugene Prange. The use of information sets in decoding cyclic codes, 1962, IRE Trans. Inf. Theory.

[19] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[20] László Lovász et al. Factoring polynomials with rational coefficients, 1982.

[21] I. G. Núñez et al. Generalized Hamming Weights for Linear Codes, 2001.

[22] Martin R. Albrecht et al. On the complexity of the BKW algorithm on LWE, 2012, Des. Codes Cryptogr.

[23] Jean-Pierre Tillich et al. Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes, 2018, ASIACRYPT.

[24] C. P. Schnorr. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms, 1987, Theor. Comput. Sci.

[25] W. Cary Huffman et al. Fundamentals of Error-Correcting Codes, 1975.

[26] Michael I. Boguslavsky. Radon transforms and packings, 2001, Discret. Appl. Math.

[27] Ernst M. Gabidulin. Public-Key Cryptosystems Based on Linear Codes, 1995.

[28] Alexander May et al. On Computing Nearest Neighbors with Applications to Decoding of Binary Linear Codes, 2015, EUROCRYPT.

[29] Nicolas Gama et al. Lattice Enumeration Using Extreme Pruning, 2010, EUROCRYPT.

[30] Nicolas Gama et al. Finding short lattice vectors within Mordell's inequality, 2008, STOC.

[31] U. Fincke et al. Improved methods for calculating vectors of short length in a lattice, 1985.

[32] Michael A. Tsfasman et al. Geometric approach to higher weights, 1995, IEEE Trans. Inf. Theory.

[33] Chris Peikert. An Efficient and Parallel Gaussian Sampler for Lattices, 2010, CRYPTO.

[34] Claus-Peter Schnorr. Lattice Reduction by Random Sampling and Birthday Methods, 2003, STACS.

[35] David E. Muller. Application of Boolean algebra to switching circuit design and to error detection, 1954, Trans. IRE Prof. Group Electron. Comput.

[36] Phong Q. Nguyen et al. Approximating the densest sublattice from Rankin's inequality, 2014.

[37] Léo Ducas. Shortest Vector from Lattice Sieving: a Few Dimensions for Free, 2018, IACR Cryptol. ePrint Arch.

[38] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[39] Leif Both et al. Decoding Linear Codes with High Error Rate and its Impact for LPN Security, 2017, IACR Cryptol. ePrint Arch.

[40] László Babai. On Lovász' lattice reduction and the nearest lattice point problem, 1986, Comb.

[41] Thijs Laarhoven et al. Finding Closest Lattice Vectors Using Approximate Voronoi Cells, 2019, PQCrypto.

[42] Phong Q. Nguyen et al. BKZ 2.0: Better Lattice Security Estimates, 2011, ASIACRYPT.

[43] Antoine Joux et al. Decoding Random Binary Linear Codes in 2^{n/20}: How 1+1=0 Improves Information Set Decoding, 2012, IACR Cryptol. ePrint Arch.

[44] Daniel Dadush et al. Algorithms for the Densest Sub-Lattice Problem, 2013, SODA.