Analysis of information set decoding for a sub-linear error weight

Abstract

The security of code-based cryptography is strongly related to the hardness of generic decoding of linear codes. The best known generic decoding algorithms all derive from the Information Set Decoding algorithm proposed by Prange in 1962. The ISD algorithm was later improved by Stern in 1989 (and Dumer in 1991). Those last few years, some significant improvements have occurred. First by May, Meurer, and Thomae at Asiacrypt 2011, then by Becker, Joux, May, and Meurer at Eurocrypt 2012, and finally by May and Ozerov at Eurocrypt 2015. With those methods, correcting w errors in a binary linear code of length n and dimension k has a cost 2cw(1+o(1)) when the length n grows, where c is a constant, depending of the code rate k/n and of the error rate w/n. The above ISD variants have all improved that constant c when they appeared. When the number of errors w is sub-linear, w = o(n), the cost of all ISD variants still has the form 2cw(1+o(1)). We prove here that the constant c only depends of the code rate k/n and is the same for all the known ISD variants mentioned above, including the fifty years old Prange algorithm. The most promising variants of McEliece encryption scheme use either Goppa codes, with w = O(n/ log(n)), or MDPC codes, with w = O(√n). Our result means that, in those cases, when we scale up the system parameters, the improvement of the latest variants of ISD become less and less significant. This fact has been observed already, we give here a formal proof of it. Moreover, our proof seems to indicate that any foreseeable variant of ISD should have the same asymptotic behavior.