International Association for Cryptologic Research

CryptoDB

Error floor prediction with Markov models for QC-MDPC codes

Authors:
Sarah Arpin, Virginia Polytechnic Institute and State University
Jun Bo Lau, KU Leuven
Antoine Mesnard, Inria de Paris
Ray Perlner, National Institute of Standards and Technology
Angela Robinson, National Institute of Standards and Technology
Jean-Pierre Tillich, Inria de Paris
Valentin Vasseur, Thales
Conference: CRYPTO 2025
Abstract: Quasi-cyclic moderate-density parity check (QC-MDPC) code-based encryption schemes under iterative decoders offer highly-competitive performance in quantum-resistant cryptography, but their IND-CCA2 security is an open question because the decoding failure rate (DFR) of these algorithms is not well-understood. The DFR decreases extremely rapidly as the blocklength increases, then decreases much more slowly in regimes known as the waterfall and error floor, respectively. The waterfall behavior is rather well predicted by a Markov model introduced by Sendrier and Vasseur \cite{SV19} but it does not capture the error floor behavior. Assessing precisely for which blocklength this error floor begins is crucial for the low DFRs sought in the context of cryptography. By enriching the Markov model \cite{SV19} with information about near codewords we are able to capture this error-floor behavior for a step-by-step decoder. This decoder displays worse decoding performance than the parallel decoders used in practice but is more amenable to a Markov chain analysis. We already capture the error floor with a simplified model. A refined model taking into account certain structural features of the secret key is even able to give accurate key dependent predictions both in the waterfall and error floor regimes. We show that the error floor behavior is governed by convergence to a near codeword when decoding fails. We ran this model for the BIKE cryptosystem with this simpler step by step decoder to better ascertain whether the DFR is low enough to achieve IND-CCA2 security. Our model gives a DFR below $2^{-131.2}$, using a block length $r=13477$ instead of the BIKE parameter $r=12323$. This paper gives some strong evidence that the IND-CCA2 requirement can be met at the cost of a modest increase of less than 10% in the key size.
BibTeX
@inproceedings{crypto-2025-35808,
  title={Error floor prediction with Markov models for QC-MDPC codes},
  publisher={Springer-Verlag},
  author={Sarah Arpin and Jun Bo Lau and Antoine Mesnard and Ray Perlner and Angela Robinson and Jean-Pierre Tillich and Valentin Vasseur},
  year=2025
}