Paper 2025/153

Error floor prediction with Markov models for QC-MDPC codes

Sarah Arpin, Virginia Polytechnic Institute and State University
Jun Bo Lau, KU Leuven
Antoine Mesnard, Inria
Ray Perlner, National Institute of Standards and Technology
Angela Robinson, National Institute of Standards and Technology
Jean-Pierre Tillich, Inria
Valentin Vasseur, Thales (France)
Abstract

Quasi-cyclic moderate-density parity check (QC-MDPC) code-based encryption schemes under iterative decoders offer highly-competitive performance in quantum-resistant cryptography, but their IND-CCA2 security is an open question because the decoding failure rate (DFR) of these algorithms is not well-understood. The DFR decreases extremely rapidly as the blocklength increases, then decreases much more slowly in regimes known as the waterfall and error floor, respectively. The waterfall behavior is rather well predicted by a Markov model introduced by Sendrier and Vasseur [SV19] but it does not capture the error floor behavior. Assessing precisely for which blocklength this error floor begins is crucial for the low DFRs sought the context of cryptography. By enriching the Markov model [SV19] with information about near codewords we are able to capture this error-floor behavior for a step-by-step decoder. This decoder displays worse decoding performance than the parallel decoders used in practice but is more amenable to a Markov chain analysis. We already capture the error floor with a simplified model. A refined model taking into account certain structural features of the secret key is even able to give accurate key dependent predictions both in the waterfall and error floor regimes. We show that error floor behavior is governed by convergence to a near codeword when decoding fails. We ran this model for the BIKE cryptosystem with this simpler step by step decoder to better ascertain whether the DFR is low enough to achieve IND-CCA2 security. Our model gives a DFR below $2^{-131.2}$, using a block length $r=13477$ instead of the BIKE parameter $r=12323$. This paper gives some strong evidence that the IND-CCA2 requirement can be met at the cost of a modest increase of less than 10% in the key size.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Code based cryptographyiterative decodingdecoding failure rateMarkov chain
Contact author(s)
sarpin @ vt edu
jblau @ ucsd edu
antoine mesnard @ inria fr
ray perlner @ nist gov
angela robinson @ nist gov
jean-pierre tillich @ inria fr
valentin vasseur @ thalesgroup com
History
2025-06-03: last of 2 revisions
2025-01-31: received
See all versions
Short URL
https://ia.cr/2025/153
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/153,
      author = {Sarah Arpin and Jun Bo Lau and Antoine Mesnard and Ray Perlner and Angela Robinson and Jean-Pierre Tillich and Valentin Vasseur},
      title = {Error floor prediction with Markov models for {QC}-{MDPC} codes},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/153},
      year = {2025},
      url = {https://eprint.iacr.org/2025/153}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.