Paper 2025/648

HQC Beyond the BSC: Towards Error Structure-Aware Decoding

Marco Baldi, Università Politecnica delle Marche, Ancona, Italy
Sebastian Bitzer, Technical University of Munich, Munich, Germany
Nicholas Lilla, Università Politecnica delle Marche, Ancona, Italy
Paolo Santini, Università Politecnica delle Marche, Ancona, Italy
Abstract

In Hamming Quasi-Cyclic (HQC), one of the finalists in the NIST competition for the standardization of post-quantum cryptography, decryption relies on decoding a noisy codeword through a public error-correcting code. The noise vector has a special form that depends on the secret key (a pair of sparse polynomials). However, the decoder, which is currently employed in HQC, is agnostic to the secret key, operating under the assumption that the error arises from a Binary Symmetric Channel (BSC). In this paper, we demonstrate that this special noise structure can instead be leveraged to develop more powerful decoding strategies. We first study the problem from a coding-theoretic perspective. The current code design, which admits a non-zero decryption failure rate, is close to optimal in the setting of a decoder that is agnostic to the error structure. We show that there are code-decoder pairs with a considerably shorter code length that can guarantee unique decoding by taking the error structure into account. This result is non-constructive, i.e., we do not provide an explicit code construction and it remains open whether efficient decoding is possible. Nevertheless, it highlights the potential that can be tapped by taking the error structure into account. We then argue that, in practice, the matter of decoding in HQC can be related to solving an instance of the noisy syndrome decoding problem, in which the parity-check matrix is constituted by the polynomials in the secret key. We show that, using decoders for Low-Density Parity-Check (LDPC) and Moderate-Density Parity-Check (MDPC) codes, one can significantly reduce the entity of the noise and, de facto, also the Decoding Failure Rate (DFR) of the HQC decoder. This preliminary study leaves some open questions and problems. While it shows that decoding in HQC can be improved, the modeling of the DFR gets more complicated: even for the basic decoder we propose in this paper, we have not been able to devise a reliable DFR model. This is likely due to the fact that the decoder structure resembles the iterative nature of LDPC/MDPC decoders, for which devising a reliable DFR estimation is a well-known difficult problem.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Proceedings of CBCrypto 2024
Keywords
HQCDecryption Failure RateNoisy Syndrome DecodingDecoderError Structure
Contact author(s)
m baldi @ univpm it
sebastian bitzer @ tum de
lilla nicholas @ gmail com
p santini @ univpm it
History
2025-04-14: revised
2025-04-09: received
See all versions
Short URL
https://ia.cr/2025/648
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/648,
      author = {Marco Baldi and Sebastian Bitzer and Nicholas Lilla and Paolo Santini},
      title = {{HQC} Beyond the {BSC}: Towards Error Structure-Aware Decoding},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/648},
      year = {2025},
      url = {https://eprint.iacr.org/2025/648}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.