Improved information set decoding for code-based cryptosystems with constrained memory

Abstract

The decoding of random linear codes is one of the most fundamental problems in both computational complexity theory and algorithmic cryptanalysis. Specifically, the best attacks known against existing code-based cryptosystems, such as McEliece, are unstructural, i.e., these attacks directly use generic decoding algorithms that treat the hidden binary codes as random linear codes. This topic is also attracting increasing interest in a post-quantum context as this area becomes increasingly active. In an attempt to solve this problem, several algorithms and their variants have recently been proposed, with increasingly lower time complexities. However, their memory complexities, which are even more important in practice for real attacks, are neglected. In this paper, we consider the performance of information set decoding (ISD) algorithms for the problem of syndrome decoding for random binary linear codes with restricted memory. Using Finiasz and Sendrier’s standard framework for ISD algorithms, we propose an exact algorithm that performs better when the memory is constrained; also this improvement can be mathematically proven. From a practical standpoint, our approach can yield good time complexities for any given space bound, hence providing a good measure of the effectiveness of a cryptanalytic attack on code-based cryptosystems. Our method can also be seen as an extended application of the dissection technique proposed by Dinur et al. at CRYPTO 2012 [11].