1 Introduction
Devising efficient and robust post-quantum key encapsulation mechanisms (KEMs) is an important and urgent research target, as also witnessed by the recent NIST call for post-quantum cryptographic systems [32]. Code-based cryptosystems are among the most promising candidates to replace quantum-vulnerable primitives which still rely on the hardness of the integer factorization or discrete logarithm problems, such as the Diffie-Hellman key exchange and the Rivest-Shamir-Adleman (RSA) and ElGamal cryptosystems. Indeed, Shor's algorithm [41] can be used to solve both the integer factorization and the discrete logarithm problems in polynomial time with a quantum computer. One of the problems for which no known polynomial-time algorithm on a quantum computer exists is the decoding of a general linear code. Indeed, such a problem belongs to the class of nondeterministic-polynomial-complete (NP-complete) problems [11, 27], which is widely believed to contain problems having no polynomial-time solution on a quantum computer.
The first code-based public-key cryptosystem relying on the general linear code decoding problem was proposed by McEliece in 1978 [28], and used Goppa codes [18] to form the secret key. Such a choice yields large public keys, which is the main limitation of Goppa code-based systems. The Niederreiter cryptosystem [34] is a code-based cryptosystem exploiting the same trapdoor, but using syndromes and parity-check matrices instead of codewords and generator matrices as in McEliece. When the same family of codes is used, Niederreiter and McEliece are equivalent [25] and therefore achieve the same security levels.
Replacing Goppa codes with other families of more structured codes may reduce the public key size. However, this may also compromise the system security, as occurred with some early McEliece variants based on quasi-cyclic (QC) codes [17], low-density parity-check (LDPC) codes [31], quasi-cyclic low-density parity-check (QC-LDPC) codes [35], quasi-dyadic (QD) codes [30], convolutional codes [26], and some instances based on generalized Reed-Solomon (GRS) codes [7, 10]. Nevertheless, some variants exploiting QC-LDPC and quasi-cyclic moderate-density parity-check (QC-MDPC) codes [2, 3, 29] have been shown to be able to achieve very compact keys without endangering security.
Recently, new statistical attacks have been developed that exploit the information coming from decryption failures in QC-LDPC and QC-MDPC code-based systems to perform key recovery, thus forcing frequent key renewal in these systems [16, 20].
In this paper, we start from the QC-LDPC code-based system proposed in [2, 3] and we develop a new key encapsulation mechanism (KEM) based on the Niederreiter cryptosystem. We also introduce an improved decoding algorithm which exploits the correlation among the intentional errors seen by the private code. This way, the correction capability of the private code is exploited to the utmost, thus allowing significant reductions in the public key size. We call the new system LEDAkem and study its properties and security. We take into account the fact that Grover's algorithm running on a quantum computer may be exploited to speed up attacks based on information set decoding (ISD) [22, 43], and we propose some sets of parameters for LEDAkem achieving different security levels against attacks exploiting both classical and quantum computers. We also describe an optimized software implementation of the proposed system and provide and discuss some performance figures. LEDAkem is currently one of the first-round candidate algorithms of the NIST post-quantum cryptography standardization project [32], along with other code-based KEMs. In this work we will highlight the differences between our proposal and the closest one among the others, i.e., BIKE [1], which relies on QC-MDPC codes for its construction.
The organization of the paper is as follows. In Section 2 we describe LEDAkem. In Section 3 we present its security analysis and in Section 4 its peculiar features. In Section 5 we discuss some implementation issues and we show some numerical results. Finally, some conclusions are drawn in Section 6.
2 The LEDAkem cryptosystem
The LEDAkem cryptosystem is derived from the Niederreiter cryptosystem with the following main differences:
- Non-algebraic codes known as QC-LDPC codes are used as secret codes.
- The public code is neither coincident with nor equivalent to the private code.
- Suitably designed iterative non-bounded-distance decoding algorithms are used.
The motivation for using QC-LDPC codes as private codes is that such codes are known to achieve important reductions in the public key size when used in this context [2, 29]. Moreover, when LDPC codes are used as private codes, the public code cannot be either coincident with or equivalent to the private code. Indeed, in such a case, an attacker could search for low-weight codewords in the dual of the public code and find a sparse parity-check matrix of the private code which allows efficient decoding.
For this reason, following [2], LEDAkem uses a transformation matrix Q that hides the sparse parity-check matrix H of the private code into a denser parity-check matrix L = HQ of the public code. This also affects the error vector that must be corrected during decryption, which is obtained from the error vector used during encryption through multiplication by Q^T. In this work, we show how the knowledge of Q can be exploited to design an ad-hoc decoding algorithm achieving very good performance in terms of both decoding speed and decryption failure rate (DFR). In fact, a well-known feature of LDPC coding is that the decoding radius of iterative decoders is not sharp and cannot be estimated in a deterministic way. It follows that some residual DFR must be tolerated, and it must be estimated heuristically through Monte Carlo simulations. This is done for all the proposed instances of LEDAkem in order to guarantee that they achieve a sufficiently low DFR. Providing quantitative estimates of the DFR for the proposed instances of LEDAkem allows us to prevent attacks such as the ones described in [16, 20] by changing the key either at each round of the KEM, or before a sufficient amount of decoding failures can be observed by the attacker.

2.1 Coding background
A QC code is defined as a linear block code with dimension k and length n, in which each cyclic shift of a codeword by n0 symbols results in another valid codeword. It follows from their definition that QC codes have generator and parity-check matrices in "blocks circulant" form or, equivalently, in "circulants block" form. The latter is used in LEDAkem. A p x p circulant matrix A has the following form
        [ a_0      a_1      a_2    ...  a_{p-1} ]
        [ a_{p-1}  a_0      a_1    ...  a_{p-2} ]
    A = [ a_{p-2}  a_{p-1}  a_0    ...  a_{p-3} ]    (1)
        [   ...      ...      ...  ...    ...   ]
        [ a_1      a_2      a_3    ...  a_0     ]
According to its definition, any circulant matrix is regular, since all its rows and columns are cyclic shifts of the first row and column, respectively.
The set of p x p binary circulant matrices forms an algebraic ring under the standard operations of modulo-2 matrix addition and multiplication. The zero element is the all-zero matrix, and the identity element is the p x p identity matrix. The algebra of the polynomial ring GF(2)[x]/(x^p + 1) is isomorphic to the ring of p x p circulant matrices over GF(2) with the following map

    A <-> a(x) = sum_{i=0}^{p-1} a_i x^i.    (2)
According to (2), any binary circulant matrix is associated to a polynomial in the variable x having coefficients over GF(2) which coincide with the entries of the first row of the matrix:

    a(x) = a_0 + a_1 x + a_2 x^2 + ... + a_{p-1} x^{p-1}.    (3)

According to (2), the all-zero circulant matrix corresponds to the null polynomial and the identity matrix to the unitary polynomial. The ring of polynomials GF(2)[x]/(x^p + 1) includes elements that are zero divisors, which are mapped to singular circulant matrices over GF(2). Avoiding such matrices is important in some parts of LEDAkem, and smart ways exist to design non-singular circulant matrices. As will be described next, the main part of the secret key of LEDAkem is formed by a binary QC-LDPC code described through its parity-check matrix H. Let n denote the code length in bits and k denote the code dimension in bits; then H has size r x n, where r = n - k is the code redundancy.
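As a concrete illustration of the isomorphism in (2), the following sketch (a toy example with illustrative parameters, not LEDAkem code) checks that multiplying two binary circulant matrices is equivalent to multiplying their first-row polynomials modulo x^p + 1 over GF(2):

```python
# Toy illustration of the circulant/polynomial isomorphism in (2).
def circulant(row):
    """Build the p x p circulant matrix whose first row is `row`."""
    p = len(row)
    return [[row[(j - i) % p] for j in range(p)] for i in range(p)]

def mat_mul_gf2(A, B):
    """Binary matrix product (entries reduced modulo 2)."""
    p = len(A)
    return [[sum(A[i][k] & B[k][j] for k in range(p)) % 2 for j in range(p)]
            for i in range(p)]

def poly_mul_gf2(a, b):
    """Product of a(x) and b(x) modulo x^p + 1, coefficients over GF(2)."""
    p = len(a)
    c = [0] * p
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % p] ^= bj
    return c

a = [1, 0, 1, 0, 0]          # a(x) = 1 + x^2, with p = 5
b = [0, 1, 1, 0, 0]          # b(x) = x + x^2
# matrix product of circulants == circulant of the polynomial product
assert mat_mul_gf2(circulant(a), circulant(b)) == circulant(poly_mul_gf2(a, b))
```

This is why efficient implementations never materialize the p x p blocks: all block operations reduce to polynomial arithmetic on first rows.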
2.2 Description of the primitives
The main functions of LEDAkem are described next.
2.2.1 Key generation.
Both private and public keys consist of binary matrices. These matrices, in their turn, are formed by p x p circulant blocks, p being a properly chosen integer.
Secret key.
The key generation input is formed by:
- The circulant block size p (usually in the order of some thousands of bits).
- The integer n0 (usually between 2 and 4), representing the number of circulant blocks forming the matrix H.
- The integer dv, representing the row/column weight (usually between 15 and 25) of the circulant blocks forming the matrix H.
- The vector of integers [m_0, m_1, ..., m_{n0-1}], representing the row/column weights (each entry usually smaller than 10) of the circulant blocks forming the matrix Q (the structure of Q is clarified below).
Given these inputs, the secret key is obtained as follows.
First, n0 sparse circulant matrices of size p x p are generated at random. Each of them has row/column weight dv. We denote such matrices as H_0, H_1, ..., H_{n0-1}. The secret low-density parity-check matrix H is then obtained as
    H = [H_0 | H_1 | ... | H_{n0-1}].    (4)
The size of H is p x n0*p. Other n0^2 sparse circulant blocks are then randomly generated to form the secret sparse matrix Q:
        [ Q_{0,0}      Q_{0,1}     ...  Q_{0,n0-1}    ]
    Q = [ Q_{1,0}      Q_{1,1}     ...  Q_{1,n0-1}    ]    (5)
        [   ...          ...       ...      ...       ]
        [ Q_{n0-1,0}   Q_{n0-1,1}  ...  Q_{n0-1,n0-1} ]
The row/column weight of each block Q_{i,j} is fixed according to the following matrix of weights:

        [ m_0       m_1   ...  m_{n0-1} ]
    w = [ m_{n0-1}  m_0   ...  m_{n0-2} ]    (6)
        [   ...     ...   ...    ...    ]
        [ m_1       m_2   ...  m_0      ]

such that each row and each column of Q has weight m = m_0 + m_1 + ... + m_{n0-1}.
The choice of the weights m_i and of the size p of the circulant blocks composing Q is very important, since it determines whether Q is invertible or not. In particular, denoting by perm(.) the permanent of a matrix, the following theorem holds.
Theorem 2.1
Let Q be an n0 x n0 matrix of binary circulant blocks of size p x p, whose block weights follow the matrix w in (6). If perm(w) is odd, then Q is non-singular.
Proof.
Omitted for the sake of brevity. ∎
With this result, we can guarantee that, when the sequence m_0, m_1, ..., m_{n0-1} is properly chosen, the matrix Q is always non-singular, which is a necessary condition for the key generation process to be successful.
Definition 1
The secret key (SK) of LEDAkem is formed by the pair {H, Q}.
Since both H and Q are formed by sparse circulant blocks, it is convenient to represent each of these blocks through the indexes of the ones in their first row, i.e., to adopt a sparse representation for them. Each index of this type requires ceil(log2(p)) bits to be stored. If we consider that the circulant blocks in any block row of Q have overall weight m, the size of SK in bits is
    S_SK = n0 (dv + m) ceil(log2(p)).    (7)
In practice, the secret matrices are generated through a deterministic random bit generator (DRBG), seeded with a bit string extracted from a true random number generator (TRNG). In this case, to obtain H and Q it is sufficient to know the TRNG-extracted seed of the DRBG that has been used to generate the positions of their non-null coefficients, since this process is rather fast. This approach allows reducing the size of the secret key to the minimum required, as it is assumed that the TRNG output cannot be compressed. The extent of the reduction depends on the values of the parameters involved in (7).
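The seed-based generation just described can be sketched as follows; the SHAKE-based bit expansion and the rejection of duplicate positions are our own illustrative assumptions, not the reference LEDAkem DRBG:

```python
import hashlib

def sparse_support_from_seed(seed: bytes, p: int, dv: int):
    """Derive dv distinct one-positions in [0, p) for a circulant first row,
    deterministically from a DRBG seed (duplicates are rejected).
    Note: the modulo reduction is slightly biased; fine for a sketch."""
    positions, ctr = set(), 0
    while len(positions) < dv:
        block = hashlib.shake_256(seed + ctr.to_bytes(4, "little")).digest(4)
        positions.add(int.from_bytes(block, "little") % p)
        ctr += 1
    return sorted(positions)

# Regenerating with the same seed yields the same block, so only the seed
# needs to be stored as the secret key.
assert sparse_support_from_seed(b"seed", 37, 5) == sparse_support_from_seed(b"seed", 37, 5)
```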
Public key.
Starting from H and Q, the following binary matrices are computed. First of all, the matrix L is obtained as

    L = H Q = [L_0 | L_1 | ... | L_{n0-1}].    (8)

If both dv and m are odd, then L_{n0-1} has full rank. In fact, L_{n0-1} = sum_{j=0}^{n0-1} H_j Q_{j,n0-1} and has weight equal to dv*m - 2c (where c is the number of cancellations occurred in the product), which is odd when dv*m is odd. It is possible to demonstrate that, for the values of p used in LEDAkem, an odd-weight circulant block such as L_{n0-1} is non-singular.
After inverting L_{n0-1}, the following matrix is computed:

    M = L_{n0-1}^{-1} L = [M_0 | M_1 | ... | M_{n0-2} | I],    (9)

where I is the p x p identity matrix.
Definition 2
The public key (PK) of LEDAkem is formed by {M_0, M_1, ..., M_{n0-2}}; the last block of M, being the identity matrix, does not need to be stored.
Since the circulant blocks forming M are dense, it is convenient to store them through the binary representation of their first row (the other rows are then obtained as cyclic shifts of the first row). The bit-size of the PK hence is

    S_PK = (n0 - 1) p.    (10)
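Formulas (7) and (10) can be turned into a small helper to compare key sizes; the parameter values used below are purely illustrative, not an official LEDAkem parameter set:

```python
from math import ceil, log2

def sk_size_bits(n0, p, dv, m):
    # Sparse representation per (7): n0 blocks of H (weight dv each) plus one
    # block row of Q (overall weight m), one ceil(log2(p))-bit index per one.
    return n0 * (dv + m) * ceil(log2(p))

def pk_size_bits(n0, p):
    # Per (10): first rows of the n0 - 1 dense blocks M_0, ..., M_{n0-2}.
    return (n0 - 1) * p

# Illustrative numbers only: the sparse secret key is far smaller than the
# dense public key.
assert sk_size_bits(n0=2, p=27779, dv=17, m=7) == 2 * (17 + 7) * 15
assert pk_size_bits(n0=2, p=27779) == 27779
```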
2.2.2 Encryption.
The plaintext of LEDAkem is an ephemeral random secret generated by Bob, who is willing to share it with Alice. The encryption inputs are:
- The values of p and n0, from which n = n0*p is computed.
- The number of intentional errors t.
Bob generates a secret e in the form of a random binary vector with length of n bits and Hamming weight t. Given a key derivation function (KDF), the shared secret key k_s is generated from e as k_s = KDF(e). In order to encapsulate the shared secret, Bob fetches Alice's PK and computes s = e M^T, where ^T denotes matrix transposition. The p-bit syndrome vector s representing the encapsulated secret is then sent to Alice.
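The encapsulation step can be sketched as follows for n0 = 2, where the stored public key reduces to the single dense block M_0 (kept as its first row) and M = [M_0 | I]; the toy sizes and the SHA3-based KDF are illustrative assumptions:

```python
import hashlib, random

def cyclic_mul_gf2(a, b):
    """a(x) b(x) mod x^p + 1 over GF(2); vectors as coefficient lists."""
    p = len(a)
    c = [0] * p
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % p] ^= bj
    return c

def encaps(m0_row, p, t, rng):
    """Return (syndrome s, shared secret k_s) for public block M_0."""
    n = 2 * p
    e = [0] * n
    for pos in rng.sample(range(n), t):          # random error of weight t
        e[pos] = 1
    e0, e1 = e[:p], e[p:]
    # s = e M^T with M = [M0 | I]; the transpose of a circulant is the
    # circulant of its cyclically reversed first row.
    m0t_row = [m0_row[(-i) % p] for i in range(p)]
    s = [x ^ y for x, y in zip(cyclic_mul_gf2(e0, m0t_row), e1)]
    k_s = hashlib.sha3_256(bytes(e)).digest()    # shared secret k_s = KDF(e)
    return s, k_s

s, k_s = encaps([1, 0, 1, 1, 0], p=5, t=2, rng=random.Random(1))
assert len(s) == 5 and len(k_s) == 32
```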
2.2.3 Decryption.
In order to perform decryption, Alice must recover e from s. The latter can be written as s = e M^T = e L^T (L_{n0-1}^T)^{-1}. The first decryption step for Alice is computing s' = s L_{n0-1}^T = e L^T = e Q^T H^T. For this purpose, Alice needs to know L_{n0-1} which, according to (8), is the last circulant block of the matrix L = H Q. Hence, it can be easily computed from the SK, which contains both H and Q. If we define the expanded error vector as
    ê = e Q^T,    (11)
then we have s' = ê H^T. Hence, QC-LDPC decoding through H can be exploited for recovering ê from s'. QC-LDPC decoders are not bounded-distance decoders, and some DFR must be tolerated. However, the system parameters can be chosen such that the DFR is acceptably small. For this purpose, the average decoding radius of the private code must be sufficiently larger than the Hamming weight of ê, which is approximately equal to t*m (due to the sparsity of e and Q). Then, multiplication by (Q^T)^{-1} would be needed to obtain e from ê, that is,
    e = ê (Q^T)^{-1}.    (12)
However, by exploiting the efficient decoding algorithm described in Section 2.3, this last step can be avoided, which also allows avoiding the computation and storage of Q^{-1} as part of the secret key. In fact, the decoding algorithm described in Section 2.3 allows recovering e directly by performing decoding of ê through H, while taking into account the effect of the multiplication of e by Q^T. Then, the shared secret is recovered as k_s = KDF(e).
In case a decoding error occurs, the decryption procedure derives the shared secret by combining, through a KDF, the syndrome with a secret constant, which may be derived via a PRNG from the secret key material [38]. Alternatively, using a secret permutation of the syndrome as input to the KDF was noted to be effective in [21]. Such an approach is beneficial from the security standpoint in case of an accidental keypair reuse. More details concerning this aspect, which is related to the formal security of LEDAkem, will be given in Section 4. According to this approach, Bob will become aware of the decoding failure upon reception of the message sent by Alice encrypted with the incorrectly derived shared secret.
2.3 Efficient decoding
Classical bit flipping (BF) decoding works as follows. At each iteration, for each codeword bit position, the number of unsatisfied paritycheck equations is computed, and if this number equals or exceeds a given threshold, then that bit is flipped. The decision threshold can be chosen in many ways, affecting the decoder performance, and it can be fixed or it can vary during iterations. A choice that often turns out to be optimal is to fix the threshold, at each iteration, as the maximum number of unsatisfied paritycheck equations in which any codeword bit is involved. In fact, a codeword bit participating in a higher number of unsatisfied paritycheck equations can be considered less reliable than a codeword bit participating in a smaller number of unsatisfied paritycheck equations. So, if the threshold is chosen in this way, the bits that are flipped are those that are most likely affected by errors.
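The classical BF procedure just described can be sketched as follows (a toy dense implementation for readability; real decoders use sparse representations):

```python
# Toy bit-flipping (BF) decoder with the max-counter threshold rule: at each
# iteration, flip the bits involved in the largest number of unsatisfied
# parity-check equations.

def bf_decode(H, s, max_iters=20):
    """Recover e such that s = e H^T (mod 2); return None on failure."""
    r, n = len(H), len(H[0])
    s = s[:]                      # residual syndrome (row vector)
    e = [0] * n
    for _ in range(max_iters):
        if not any(s):
            return e              # zero syndrome: all checks satisfied
        # count unsatisfied parity checks per codeword bit position
        upc = [sum(s[i] & H[i][j] for i in range(r)) for j in range(n)]
        b = max(upc)              # adaptive threshold: the maximum counter
        for j in range(n):
            if upc[j] == b:
                e[j] ^= 1         # flip the least reliable bits
                for i in range(r):
                    if H[i][j]:
                        s[i] ^= 1 # update the residual syndrome
    return None
```

For example, with the tiny check matrix H = [[1,1,0,0],[0,1,1,0],[0,0,1,1]] and a single error in position 1, the syndrome [1,1,0] is corrected in one iteration.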
Starting from classical BF, we have developed an improved decoder that is specifically designed for LEDAkem, where the position of the ones in the expanded error vector ê to be corrected is influenced by the value of Q, as ê is equivalent to a random error vector e with weight t multiplied by Q^T. Since this improved decoder takes into account such a multiplication by the transpose of the matrix Q to estimate with greater efficiency the locations of the ones in the expanded error vector, we denote it as Q-decoder.
Inputs of the decoder are the syndrome s' and the matrices H and Q, according to (4) and (5), respectively. The output of the decoder is a vector e or a decoding failure, where e represents the decoder estimate of the error vector appearing in the equality s' = e Q^T H^T. The decoding process performs a maximum of l_max iterations, where the l-th iteration processes s^(l-1) and e^(l-1) (that is, the values at the previous iteration) and outputs s^(l) and e^(l). A threshold criterion is adopted to compute the positions in e^(l-1) that must be changed. The threshold values b^(l) can be chosen in different ways and affect the decoder performance. In the next section we describe a simple and effective procedure to design such values. The decoder initialization is performed by setting s^(0) = s' and e^(0) = 0_n, where 0_n is the length-n vector with all-zero entries. It is important to note that s' (and, by extension, s^(l)) is a row vector. Moreover, let us consider that all multiplications are binary, except those denoted with '*', which are performed in the integer domain. The l-th iteration of the Q-decoder performs the following operations:
i) Compute Sigma^(l) = s^(l-1) * H, resulting in a vector of integers having entries between 0 and dv.
ii) Compute R^(l) = Sigma^(l) * Q.
iii) Define Phi^(l) = { v : R_v^(l) >= b^(l) }.
iv) Update the error vector estimate as
    e^(l) = e^(l-1) + u_Phi,
where u_Phi is a length-n binary vector with all-zero entries, except those indexed by Phi^(l).
v) Update the syndrome as
    s^(l) = s^(l-1) + sum_{v in Phi^(l)} q_v H^T,
where q_v is the v-th row of Q^T.
vi) If the weight of s^(l) is zero, then stop decoding and return e^(l).
vii) If l < l_max, then increment l and go back to step i); otherwise stop decoding and return a decoding failure.
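Steps i)-vii) can be sketched as follows; for brevity this toy version uses dense 0/1 matrices and the max-correlation threshold rule of Section 2.4 in place of the lookup-table thresholds:

```python
def q_decode(H, Q, s_prime, max_iters=20):
    """Estimate e such that s_prime = e Q^T H^T (mod 2); None on failure."""
    r, n = len(H), len(H[0])
    s = s_prime[:]                      # residual syndrome (row vector)
    e = [0] * n
    for _ in range(max_iters):
        if not any(s):                  # vi) zero syndrome: success
            return e
        # i) integer counters of unsatisfied checks per expanded position
        sigma = [sum(s[i] & H[i][j] for i in range(r)) for j in range(n)]
        # ii) correlation with the rows of Q^T (i.e., the columns of Q)
        R = [sum(sigma[j] * Q[j][v] for j in range(n)) for v in range(n)]
        b = max(R)                      # iii) max-correlation threshold
        for v in [u for u in range(n) if R[u] == b]:
            e[v] ^= 1                   # iv) flip the selected error bits
            for i in range(r):          # v) add q_v H^T to the syndrome
                s[i] ^= sum(Q[j][v] & H[i][j] for j in range(n)) % 2
    return None                         # vii) iteration budget exhausted
```

As a usage example, with H = [[1,1,0,0],[0,1,1,0],[0,0,1,1]], Q the permutation swapping positions 0 and 1, and e = [0,1,0,0], the expanded error is ê = [1,0,0,0] and the syndrome s' = [1,0,0] is decoded back to e in a couple of iterations.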
As in classical BF, the first step of this algorithm computes the vector Sigma^(l). Each entry of this vector counts the number of unsatisfied parity-check equations corresponding to that bit position, and takes values in {0, 1, ..., dv}. This evaluates the likelihood that the binary element of ê at the same position is equal to one. Differently from classical BF, in step ii) the correlation between these likelihoods and the rows of Q^T is computed. In fact, the expanded error vector can be written as the sum of the rows of Q^T indexed by the support of e, that is, ê = sum_{v in S(e)} q_v, where S(e) denotes the support of e.
Since both e and Q are sparse (that is, t*m << n), cancellations between ones in the sum are very unlikely. When the correlation R_v between Sigma^(l) and a generic row q_v of Q^T is computed, two cases may occur:
- If v is not in S(e), then it is very likely that q_v has a very small number of common ones with all the rows of Q^T forming ê, hence the correlation R_v is small.
- If v is in S(e), then q_v is one of the rows of Q^T forming ê, hence the correlation R_v is large.
The main difference with classical BF is that, while in the latter all error positions are considered as independent, the Q-decoder exploits the correlation among expanded errors which is present in LEDAkem, since their positions are influenced by Q. This allows achieving important reductions in the number of decoding iterations. As a further advantage, this decoder allows recovering e, besides ê, without the need of computing and storing the inverse of the matrix Q. For this purpose, it is sufficient that, at each iteration, the Q-decoder flips the bits of the estimated error vector that correspond to correlation values exceeding the threshold.
2.4 Choice of the Qdecoder decision thresholds
One important aspect affecting the performance of the Q-decoder is the choice of the threshold values b^(l) against which the correlation is compared at each iteration. A natural choice is to set the threshold used at iteration l equal to the maximum value of the correlation R^(l), that is, b^(l) = max_v R_v^(l). This strategy ensures that only those few bits that have maximum likelihood of being affected by errors are flipped during each iteration, thus achieving the lowest DFR. However, such an approach has some drawbacks in terms of complexity, since the computation of the maximum correlation requires additional computations with respect to a fixed threshold.
Therefore, as in [14], we consider a different strategy, which allows computing the threshold values on the basis of the syndrome weight at each iteration. According to this approach, during an iteration it is sufficient to compute the syndrome weight and read the corresponding threshold value from a lookup table. This strategy still achieves a sufficiently low DFR, while employing a significantly smaller number of decoding iterations.
Let us consider the l-th iteration of the Q-decoder, and denote by t^(l) the weight of the error vector still to be corrected and by t'^(l) the weight of the corresponding expanded error vector. Let us introduce the following probabilities [6]:

    p_01(t'^(l)) = sum_{j odd, j <= min(n0 dv - 1, t'^(l))} C(n0 dv - 1, j) C(n - n0 dv, t'^(l) - j) / C(n - 1, t'^(l)),
    p_10(t'^(l)) = sum_{j even, j <= min(n0 dv - 1, t'^(l) - 1)} C(n0 dv - 1, j) C(n - n0 dv, t'^(l) - 1 - j) / C(n - 1, t'^(l) - 1),    (13)

where C(a, b) denotes the binomial coefficient, p_01(t'^(l)) is the probability that a codeword bit is error-free and a parity-check equation evaluates it to be incorrect, and p_10(t'^(l)) is the probability that a codeword bit is error-affected and a parity-check equation evaluates it to be correct. In both these cases, the corresponding syndrome bit is equal to 1. The probability that each syndrome bit is equal to 1 can therefore be computed as (1 - t'^(l)/n) p_01(t'^(l)) + (t'^(l)/n) p_10(t'^(l)), so the average syndrome weight at iteration l results in

    wt(s^(l)) = p [ (1 - t'^(l)/n) p_01(t'^(l)) + (t'^(l)/n) p_10(t'^(l)) ],    (14)

where wt(.) denotes the Hamming weight. Since both the parity-check matrix and the error vector are sparse, the probability of the actual syndrome weight being significantly different from (14) is negligible.
So, (14) allows predicting the average syndrome weight starting from t'^(l). In order to predict how the latter varies during iterations, let us consider the v-th codeword bit and the corresponding correlation value R_v^(l) at the l-th iteration. The probability that such a codeword bit is affected by an error can be written as

    P{ e_v = 1 | R_v^(l) = rho },    (15)

where e_v is the v-th bit of the error vector e used during encryption. After some calculations, we obtain

    P{ e_v = 1 | R_v^(l) = rho } = [ 1 + ((n - t^(l))/t^(l)) (p_01/p_10)^rho ((1 - p_01)/(1 - p_10))^(m dv - rho) ]^{-1},    (16)

where p_01 and p_10 are given in (13), with t'^(l) as argument.
Adding the v-th row of Q^T to the expanded error vector is the same as flipping the v-th bit of the error vector e. Hence, we can focus on the error vector and on how its weight changes during decoding iterations. The values of wt(s^(l)) can be estimated using (14), while, due to sparsity, those of t'^(l) can be estimated as t^(l) m.
The decision to flip the v-th codeword bit is taken when the following condition is fulfilled:

    P{ e_v = 1 | R_v^(l) = rho } > P{ e_v = 0 | R_v^(l) = rho } + Delta,    (17)

where Delta >= 0 represents a margin that must be chosen taking into account the DFR and the complexity: increasing Delta decreases the DFR but increases the number of decoding iterations. So, a trade-off value of Delta can be found that allows achieving a low DFR while avoiding unnecessarily large numbers of iterations.

Since P{ e_v = 0 | R_v^(l) = rho } = 1 - P{ e_v = 1 | R_v^(l) = rho }, (17) can be rewritten as

    P{ e_v = 1 | R_v^(l) = rho } > (1 + Delta)/2.    (18)

The left-hand side of (18) is an increasing function of rho, hence the minimum value of rho such that (18) is satisfied can be computed as

    b^(l) = min { rho : P{ e_v = 1 | R_v^(l) = rho } > (1 + Delta)/2 }    (19)

and used as the decision threshold at iteration l.
Based on the above considerations, the procedure to compute the decision threshold value for each iteration as a function of the syndrome weight can be summarized as follows:
- The syndrome weights corresponding to t' = 0, m, 2m, ..., t m (which are all the possible values of t'^(l), neglecting cancellations) are computed according to (14). These values are denoted as w_0, w_1, ..., w_t.
- At iteration l, given the syndrome weight wt(s^(l-1)), the integer j such that w_j is as close as possible to wt(s^(l-1)) is computed, and the corresponding threshold b^(l) is obtained through (16) and (19).
The above procedure can be implemented efficiently by populating a lookup table with the pairs {w_j, b_j}, sequentially ordered. During an iteration, it is enough to compute wt(s^(l-1)), search the largest w_j in the lookup table such that w_j <= wt(s^(l-1)), and set b^(l) = b_j.
We have observed that, moving from large to small values of the syndrome weight, the thresholds computed this way firstly exhibit a decreasing trend, and then start to increase. According to numerical simulations, neglecting the final increase is beneficial from the performance standpoint. Therefore, in the lookup table we replace the threshold values after the minimum with a constant value equal to the minimum itself.
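A sketch of the lookup-table construction follows, using the probability model of (13)-(14) as reconstructed here; the exact formulas in the reference design may differ, so treat this as an illustrative assumption:

```python
from math import comb

def p01(n, dc, t_hat):
    # P(check unsatisfied | designated bit error-free):
    # an odd number of errors among the other dc - 1 positions of the check.
    den = comb(n - 1, t_hat)
    return sum(comb(dc - 1, j) * comb(n - dc, t_hat - j)
               for j in range(1, min(dc - 1, t_hat) + 1, 2)) / den

def p10(n, dc, t_hat):
    # P(check unsatisfied | designated bit in error):
    # an even number of errors among the other dc - 1 positions.
    if t_hat == 0:
        return 0.0
    den = comb(n - 1, t_hat - 1)
    return sum(comb(dc - 1, j) * comb(n - dc, t_hat - 1 - j)
               for j in range(0, min(dc - 1, t_hat - 1) + 1, 2)) / den

def syndrome_weight_table(p, n0, dv, m, t_max):
    """Expected syndrome weights w_j for t' = j*m, j = 0..t_max, per (14)."""
    n, dc = n0 * p, n0 * dv
    table = []
    for t in range(t_max + 1):
        t_hat = t * m              # expanded weight, neglecting cancellations
        pr1 = ((n - t_hat) * p01(n, dc, t_hat)
               + t_hat * p10(n, dc, t_hat)) / n
        table.append(p * pr1)      # expected wt(s) per (14)
    return table
```

At run time, the observed syndrome weight is matched against this table to select the precomputed threshold, as described above.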
2.5 Relations with QCMDPC codebased systems
In LEDAkem, the public code is a QC-MDPC code that admits L = H Q as a valid parity-check matrix. However, differently from QC-MDPC code-based schemes, the private code is a QC-LDPC code, which facilitates decoding. In fact, directly decoding the public QC-MDPC code through classical BF decoders would be a possibility, but the approach we follow is different. By using the decoding algorithm described in Section 2.3, we decode the private QC-LDPC code, taking into account the correlation introduced in the private error vector due to the multiplication by Q^T. Since the private QC-LDPC matrix H is sparser than the QC-MDPC matrix L of the public code, this yields lower decoding complexity.
Besides working over different matrices, the main difference between these two decoding algorithms is in the use of integer multiplications in our decoder, while all multiplications are performed over GF(2) in classical BF decoders. In fact, in our decoder we perform the following operation to compute R^(l):

    R^(l) = Sigma^(l) * Q = (s^(l-1) * H) * Q = s^(l-1) * (H * Q) ≈ s^(l-1) * L,    (20)

where the last approximation comes from the fact that, for two sparse matrices H and Q, the integer product H * Q has the same support as the binary product H Q = L, up to the (rare) cancellations. So, if we consider classical BF decoding working over the matrix L, the counter vector is computed as

    Sigma'^(l) = s^(l-1) * L.    (21)
In the Q-decoder, the expanded error vector is updated by summing rows of Q^T, which is equivalent to flipping bits of the public error vector e.
Hence, there is a clear analogy between decoding of the private QCLDPC code through the Qdecoder and decoding of the public QCMDPC code through a classical BF decoder.
Through numerical simulations we have verified that the two approaches yield comparable performance in the waterfall region.
Performance in the error floor region is instead dominated by the minimum distance of the code over which decoding is performed.
Since QCLDPC codes have smaller minimum distance than QCMDPC codes, this reflects into a higher error floor when decoding is performed over the private QCLDPC code.
However, no error floor has been observed during simulations of LEDAkem with QC-LDPC decoding, down to the low DFR values targeted by the proposed instances.
Since this is the working point of the codes we use, in terms of DFR, we can say that the error floor effect, if present, is negligible from our scheme performance standpoint.
3 Security analysis
LEDAkem is constructed starting from the computational problem of syndrome decoding, i.e., obtaining a bounded-weight error vector from a given syndrome and a general linear code, which was shown to be NP-complete in [11]. The main difference from the statement of the general hard problem on which our proposal is built is the nature of the code employed, which is quasi-cyclic and admits a representation with a low-density parity-check matrix. To the best of our knowledge, there is no superpolynomial advantage in performing syndrome decoding on QC-LDPC codes, given our public code representation, either due to the quasi-cyclic form of the code or to the low density of its parity-check matrix. We point out that the same assumption on the lack of advantage due to the quasi-cyclic structure of a code has also been made in both the BIKE [1] and the BIG QUAKE [8] proposals. Under these assumptions, the security analysis of LEDAkem examines and quantifies the effectiveness of the best known attacks, detailing the efficiency of algorithms running on both classical and quantum computers and providing non-exponential speedups over an enumerative search for the correct error vector. We remark that currently no algorithm running on either a classical Turing Machine (TM) or a quantum TM provides an exponential speedup in solving the computational problem underlying LEDAkem compared to an exhaustive search approach.
3.1 Analysis of the algorithm with respect to known attacks
As mentioned in the previous sections, LEDAkem derives from QC-LDPC code-based cryptosystems already established in the literature [4, 6]. As proved in [16], in case long-term keys are used, these cryptosystems may be subject to reaction attacks that are able to recover the secret key by exploiting the inherent non-zero DFR they exhibit and Bob's reactions upon decryption failures. However, using ephemeral keys prevents the possibility to mount an attack of this kind, which requires long statistical evaluations. Nevertheless, the risks in case of an accidental keypair reuse must be considered, and this will be done in Section 4.
A first type of attacks that can be mounted against LEDAkem are decoding attacks (DAs), aimed at performing decoding through the public code representation, without knowing the private code representation. The most powerful algorithms that can be used for this purpose are ISD algorithms, which aim at decoding any linear block code by exploiting a general representation of it. ISD algorithms were introduced by Prange [37] and subsequently improved by Lee-Brickell [23], Leon [24] and Stern [42]. More recently, they have seen great advances through modern approaches, also exploiting the generalized birthday paradox [9, 12, 27, 33, 36]. It is possible to show that the general decoding problem is equivalent to the problem of finding low-weight codewords in a general (random-like) code. Therefore, algorithms for searching low-weight codewords can be used as ISD algorithms.
The availability of an efficient algorithm to search for low-weight codewords is also at the basis of key recovery attacks (KRAs). In LEDAkem the matrix L = H Q is a valid parity-check matrix for the public code. Since L is sparse, by knowing it an attacker could separate H from Q and recover the secret key. In order to discover L, an attacker must search for its rows in the dual of the public code. Due to the sparsity of H and Q, any of these rows has weight in the order of n0 dv m. The attack can be implemented by exploiting again an efficient algorithm for the search of low-weight codewords in linear block codes.
Another potential attack to systems based on QC-LDPC codes is that presented in [40]. This attack uses a special squaring technique and, by extracting the low-weight error vectors, finds low-weight codewords more efficiently than with a general ISD algorithm. This attack, however, is applicable if and only if the circulant block size p is even. Therefore, in order to increase the system security it is advisable to choose odd values of p. Choosing p as a prime is an even more conservative choice against cryptanalysis exploiting the factorization of x^p + 1. The value of p in LEDAkem is chosen in such a way to prevent these attacks.
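A sanity check for the block size can be sketched as follows: choose p prime (avoiding the even-p squaring attack) and, more conservatively, such that x^{p-1} + ... + x + 1 is irreducible over GF(2), which holds iff 2 is a primitive root modulo p. The primitive-root criterion is an assumption drawn from standard QC code design, not a quote of the LEDAkem specification:

```python
def is_prime(p):
    """Trial-division primality test (fine for a sketch)."""
    if p < 2:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True

def two_is_primitive_root(p):
    """True iff the multiplicative order of 2 modulo prime p is p - 1."""
    order, acc = 1, 2 % p
    while acc != 1:
        acc = (acc * 2) % p
        order += 1
    return order == p - 1

def acceptable_block_size(p):
    return p > 2 and is_prime(p) and two_is_primitive_root(p)

assert acceptable_block_size(13)      # ord_13(2) = 12
assert not acceptable_block_size(7)   # ord_7(2) = 3: x^6 + ... + 1 factors
```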
To estimate the complexity of DAs and KRAs exploiting ISD and low-weight codeword searching algorithms, let us define the work factor (WF) of an algorithm as the base-2 logarithm of the average number of binary operations it requires to complete its execution successfully. Let WF(n, k, w) denote the WF of the most efficient algorithm searching for codewords of weight w in a code having length n and dimension k. Such an algorithm can be used to perform ISD with the aim of decrypting a LEDAkem ciphertext without knowing the private key. In this case, we have n = n0 p, k = (n0 - 1) p and w = t. Moreover, due to the QC nature of the codes, a speedup in the order of sqrt(p) must be taken into account [39]. Hence, the security level against decoding attacks of this type can be computed as

    SL_DA = WF(n0 p, (n0 - 1) p, t) - log2(sqrt(p)).    (22)
Concerning KRAs, based on the above considerations we have a similar formula, but with different parameters, that is,

    SL_KRA = WF(n0 p, p, n0 dv m) - log2(p),    (23)

where the speedup factor p is due to the fact that recovering only one out of the p sparse rows of L is enough for the attacker (due to the QC structure of L).
According to [43], the most efficient ISD algorithm taking into account Grover's algorithm [19] running on a quantum computer is Stern's algorithm. Therefore, the post-quantum security levels have been estimated by considering the work factor of Stern's algorithm with quantum speedup according to [43]. Instead, with classical computers the most efficient ISD algorithm turns out to be the BJMM algorithm [9]. Therefore, the security levels against attackers provided with classical computers have been estimated by considering the work factor of BJMM in (22) and (23). We chose to employ the results provided in [43] to evaluate the computational effort of Stern's variant of ISD as they provide exact formulas instead of asymptotic bounds. However, we note that a recent work [22] provides improved asymptotic bounds on the computational complexity of quantum ISD for increasing values of the codeword length n. Deriving exact values for given parameter sets from this approach is worth investigating.
3.2 System parameters
The NIST call for Post-Quantum Cryptography Standardization [32] defines five security categories, numbered from 1 to 5 and characterized by increasing strength (see [32] for details). According to this classification, nine instances of LEDAkem are proposed, grouped in three classes corresponding to different security levels. The three instances in each class correspond to three values of n0 (namely, 2, 3 and 4), each one yielding a different balance between performance and public key size. The parameters of the nine instances of LEDAkem are reported in Table 1 for the security categories 1, 3 and 5, respectively. In the table, the superscript (pq) denotes that the attack work factor has been computed taking into account quantum speedups due to Grover's algorithm, while the superscript (cl) denotes that only classical computers have been considered.
For each security category and considered number of circulant blocks, we have fixed a value of the parity-check matrix row/column weight small enough to ensure a good error correction capability of the private QC-LDPC codes, and we have found the remaining code parameters that allow satisfying (23) for the target security level. In fact, the parameters must be chosen such that the dual of the public code, whose minimum distance is determined by the weights of the secret matrices, is robust against KRAs based on ISD. Once the parity-check weight is fixed, many parameter pairs satisfy this bound; among these, we have chosen the one having the lowest weight product, a metric affecting the error correction capability of the private code. Then, we have found the number of errors that allows satisfying (22), and checked whether that many errors can be corrected by the private code through Q-decoding with a sufficiently low DFR. Otherwise, we have increased the circulant block size, keeping all the other parameters fixed.
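The parameter search just described can be sketched as a simple loop; `keyrecovery_wf` stands in for the work-factor bound (23), whose exact formula is not reproduced here, and the toy model used in the example is purely hypothetical:

```python
def find_smallest_p(n0, dv, target_wf, keyrecovery_wf, p_candidates):
    """Return the smallest circulant size p (among the ordered candidates)
    for which the key-recovery attack work factor reaches the target
    security level. `keyrecovery_wf` is a caller-supplied stand-in for
    bound (23); the paper's actual formulas are not reproduced here."""
    for p in p_candidates:
        if keyrecovery_wf(n0, p, dv) >= target_wf:
            return p
    raise ValueError("no candidate circulant size reaches the target")

# Hypothetical monotone work-factor model, for illustration only.
toy_wf = lambda n0, p, dv: 0.02 * p
p_min = find_smallest_p(2, 17, 128, toy_wf, range(4001, 10001, 2))
```

The remaining steps of the procedure (choosing the error count via (22) and validating the DFR) would wrap this search in an outer loop that enlarges p whenever the DFR check fails.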
Concerning the estimation of the DFR, we have first exploited BF asymptotic thresholds [6], and then we have performed Monte Carlo simulations for each system instance in order to evaluate its DFR. In all Monte Carlo simulations, except the one for a single Category 1 parameter set, we encountered no errors, so the DFR can be approximately upper-bounded by the reciprocal of the number of simulated decryptions. For that Category 1 parameter set, we did observe failures over the simulated decoding computations, which provide a direct estimate of its DFR.
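The Monte Carlo bound used above (zero failures over N decryptions bound the DFR roughly by 1/N) can be sketched as follows; `decrypt_ok` is a hypothetical stand-in oracle for a full decryption:

```python
import random

def montecarlo_dfr(decrypt_ok, trials, rng):
    """Monte Carlo DFR estimation as described in the text: simulate
    `trials` decryptions (via the stand-in oracle `decrypt_ok`) and count
    failures. With zero observed failures the DFR cannot be measured,
    only upper-bounded: roughly by 1/trials (the classical 'rule of
    three' gives the tighter 95% confidence bound 3/trials)."""
    failures = sum(1 for _ in range(trials) if not decrypt_ok(rng))
    if failures == 0:
        return 0.0, 1.0 / trials       # point estimate, crude upper bound
    est = failures / trials
    return est, est
```

With a real decoder in place of the oracle, reaching a bound of 1e-9 requires on the order of a billion simulated decryptions, which is why threshold-based analysis is used first.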
In order to make a conservative design of the system, we have considered some margin in the complexity estimates of the attacks, such that the actual security level of these instances is larger than the target one. This also accounts for possible (though rare) cancellations occurring in the product of the secret matrices, which may yield a row weight slightly smaller than the nominal one. The circulant block size has been chosen large enough to avoid codes having too small minimum distances. In addition, the block weights are odd, to ensure that the circulant blocks forming the secret matrices have full rank. Moreover, the sets of positions defining the sparse blocks have been chosen in such a way as to guarantee that the product of the secret matrices has full rank. In fact, this product is a valid parity-check matrix for the public code: if one of the factors were singular, the rank of the product could be lower than the circulant size, leading to a code with a smaller codimension than intended. By choosing an invertible factor, we guarantee that this does not occur.
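The full-rank requirement above can be checked through the polynomial view of circulant blocks: a binary p x p circulant with first-row polynomial g(x) is invertible exactly when gcd(g(x), x^p + 1) = 1 over GF(2), and an odd weight guarantees g(1) = 1, ruling out the ever-present factor x + 1. A minimal sketch (bit-packed ints as binary polynomials, not the paper's implementation):

```python
def gf2_gcd(a: int, b: int) -> int:
    """gcd of GF(2)[x] polynomials packed as ints (bit i = coeff of x^i)."""
    while b:
        # Reduce a modulo b by repeatedly cancelling a's leading term.
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def circulant_is_invertible(g: int, p: int) -> bool:
    """A binary p x p circulant with first row g(x) is invertible
    iff gcd(g(x), x^p + 1) = 1 over GF(2)."""
    return gf2_gcd(g, (1 << p) | 1) == 1
```

For example, with p = 7 the weight-3 polynomial x^2 + x + 1 yields an invertible block, while the even-weight x + 1 does not, since x + 1 always divides x^p + 1.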
Table 1. System parameters of the nine proposed LEDAkem instances, for security categories 1, 2–3 and 4–5.
4 Properties of the proposed cryptosystem
The QC-LDPC code-based Niederreiter cryptosystem alone achieves only indistinguishability under chosen plaintext attack (IND-CPA), which is however sufficient when ephemeral keys are used. It is possible to convert a Niederreiter cryptosystem achieving only IND-CPA into one achieving indistinguishability under chosen ciphertext attack (IND-CCA), under the assumption that the DFR of the underlying code is zero. Such a conversion involves substituting the outcome of a decoding failure (due to an ill-formed ciphertext) with the outcome of a KDF taking as input either the public syndrome and a fixed secret bit sequence [21, 38], or a secret permutation of the syndrome itself [13]. We apply the conversion specified in [21] to our scheme, even though its DFR is not null, as it still proves beneficial in case of an accidental keypair reuse, against an attacker matching the IND-CCA model, whenever no decoding failures due to the QC-LDPC code structure take place. Furthermore, we note that LEDAkem ciphertexts are not malleable in a chosen plaintext scenario. Indeed, even if an attacker alters a ciphertext arbitrarily so that it decrypts to a valid error vector (e.g., discarding the ciphertext and forging a new one), the shared secret is derived via a hash-based KDF, which prevents the attacker from controlling the output of the decryption.
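The failure-handling step of such a conversion can be sketched as follows; the function names and the use of SHA3-256 as the KDF are illustrative assumptions of this sketch, not the exact construction of [21]:

```python
import hashlib

def decapsulate(ciphertext: bytes, secret_seed: bytes, decode):
    """Sketch of the decoding-failure handling described in the text
    (implicit rejection, in the spirit of the conversion of [21]): on
    failure, output the KDF of a fixed secret seed and the received
    syndrome, so that the returned key alone does not reveal whether
    decoding succeeded. `decode` is a stand-in for Q-decoding,
    returning the error vector bytes or None on failure."""
    error_vector = decode(ciphertext)
    if error_vector is None:
        material = secret_seed + ciphertext   # secret-dependent fallback
    else:
        material = error_vector
    return hashlib.sha3_256(material).digest()  # hash-based KDF
```

Note that the fallback key depends on both the secret seed and the ciphertext, so distinct malformed ciphertexts yield distinct, unpredictable keys.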
4.0.1 Relations with the security of QC-MDPC code-based systems.
Differently from QC-MDPC code-based systems, the public code in LEDAkem has a QC-MDPC parity-check matrix that can be factorized into two sparse matrices, and this might appear to yield lower security than a general QC-MDPC matrix. However, in order to attempt factorization of this matrix, the attacker should first recover it by searching for low-weight codewords in the dual of the public code. Once it has been recovered, trying to factorize it indeed becomes pointless, since the attacker could exploit it to perform direct decoding of the public QC-MDPC code. Alternatively, an attacker could try to perform decoding of the public code, which requires solving the syndrome decoding problem for the same code. The best known techniques for solving these two problems are based on ISD, and no method is known to facilitate their solution by exploiting the fact that the matrix can be factorized into sparse factors.
4.0.2 Risks in case of keypair reuse.
While LEDAkem uses ephemeral keys that are meant for single use, implementation accidents may lead to the same keypair being reused more than once. The main threat in case of keypair reuse is the reaction attack described in [16], where a correlation between the DFR and the private key is derived. However, for the attack to succeed, the attacker needs to reliably estimate the decoding failure rate for a set of carefully crafted or selected error vectors. Given the DFR for which LEDAkem was designed, obtaining a reliable estimate requires a number of decryptions with the same key in the order of billions. Since this evaluation should be obtained for all the possible distances between two set bits in the secret key, a conservative estimate of the total number of required decryptions is significantly larger, even in the weakest case among the proposed parameter sets. Therefore, the attack presented in [16] is not a practical threat to LEDAkem with the proposed parameters, unless a significant number of decryptions is performed with the same key. Moreover, even the chosen ciphertext attack (CCA) described in [13], where a ciphertext is crafted with a number of errors greater than the design value to artificially increase the DFR of the system, can be thwarted by checking the weight of the decoded error vector and reporting a decoding failure if it exceeds that value.
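The weight-check countermeasure against the CCA of [13] amounts to a single extra comparison after decoding; in this sketch `decode` and the 0/1-list error-vector representation are stand-ins:

```python
def checked_decode(syndrome, decode, t):
    """Countermeasure described in the text against the CCA of [13]:
    after decoding, reject any error vector whose Hamming weight exceeds
    the design value t, reporting it as a decoding failure. `decode` is
    a stand-in returning a 0/1 list or None on failure."""
    e = decode(syndrome)
    if e is None or sum(e) > t:   # weight check on the decoded vector
        return None               # over-weight results count as failures
    return e
```

This prevents an adversary from artificially inflating the observable DFR with over-weight error patterns.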
4.0.3 Protection against side-channel attacks.
The two most common side channels exploited to breach practical implementations of cryptosystems are the execution time of the primitive and the instantaneous power consumption during its computation. In particular, in [15] it was shown how a QC-LDPC code-based system can be broken by means of simple power analysis, exploiting the control-flow dependent differences of the decoding algorithm. We note that employing ephemeral keys provides natural resistance against non-profiled power consumption side channel attacks, as a significant number of measurements with the same key must be collected before the key is revealed.
Concerning execution time side channel leakage, the main portion of the LEDAkem decryption algorithm which is not characterized by a constant execution time is decoding. Indeed, the number of iterations made by the decoder depends on the values being processed. However, for the proposed parameters, we note that the number of iterations is between 3 and 5, with a significant bias towards 4. Hence, it is simple to achieve constant-time decoding by modifying the algorithm so that it always runs for the maximum number of iterations needed to achieve the desired DFR. Such a choice completely eliminates the timing leakage, at the cost of a performance penalty.
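The fixed-iteration strategy can be illustrated with a toy bit-flipping decoder (a plain majority-rule BF on a generic parity-check matrix, not the paper's Q-decoder):

```python
def bitflip_fixed_iters(H, s, iters=5):
    """Toy bit-flipping decoder illustrating the constant-time strategy
    described in the text: always run a fixed number of iterations (the
    maximum needed for the desired DFR) instead of exiting as soon as
    the syndrome becomes zero. H: parity-check matrix as a list of 0/1
    rows; s: syndrome as a 0/1 list."""
    n = len(H[0])
    colw = [sum(row[j] for row in H) for j in range(n)]
    e = [0] * n                    # current error estimate
    syn = list(s)
    for _ in range(iters):         # fixed trip count: no early exit
        # unsatisfied-parity-check count for every bit position
        upc = [sum(row[j] & sb for row, sb in zip(H, syn)) for j in range(n)]
        for j in range(n):
            if 2 * upc[j] > colw[j]:        # strict majority unsatisfied
                e[j] ^= 1                   # flip the estimated bit
                for i, row in enumerate(H): # keep the syndrome updated
                    syn[i] ^= row[j]
    return e, syn
```

The loop body still does data-dependent work per flip; a production constant-time implementation would also flatten those inner branches, but the iteration count alone removes the dominant timing signal discussed in the text.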
Table 2. Running times (ms) of key generation, encryption and decryption, and total CPU time of the ephemeral KEM, for each security category.
5 Implementation and numerical results
An effort has been made to realize a fast and efficient C99 implementation of LEDAkem without platform-dependent optimizations, which is publicly available in [5]. To this end, we represented each circulant block as a polynomial, thanks to the isomorphism described in Section 2.1. Consequently, all the involved block circulant matrices are represented as matrices of polynomials. The polynomials are materialized employing a bit-packed form of their binary coefficients in all the cases where the number of nonzero coefficients is high. When a polynomial has a low number of nonzero coefficients with respect to the maximum possible, i.e., the circulant matrix is sparse, we materialize only the positions of its nonzero coefficients as integers.
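The two polynomial representations can be sketched as follows; the reduction modulo x^p + 1 reflects the circulant/polynomial isomorphism recalled above, while the function names are illustrative:

```python
def polymul_mod(a: int, b: int, p: int) -> int:
    """Carry-less product of two binary polynomials (bit i of the int is
    the coefficient of x^i), reduced mod x^p + 1: the operation behind
    circulant-by-circulant products under the isomorphism of Section 2.1."""
    acc = 0
    while b:
        low = b & -b                        # lowest nonzero monomial of b
        acc ^= a << (low.bit_length() - 1)  # add a(x) * x^deg(low)
        b ^= low
    while acc >> p:                         # x^p = 1: fold the excess back
        acc = (acc & ((1 << p) - 1)) ^ (acc >> p)
    return acc

def sparse_to_dense(positions, p: int) -> int:
    """Sparse form (list of exponents of the set coefficients, as used
    for the sparse circulant blocks) to the bit-packed dense form."""
    dense = 0
    for j in positions:
        dense |= 1 << (j % p)
    return dense
```

For instance, with p = 7 the product (x + 1) * x^6 folds back to x^6 + 1, mirroring the cyclic wrap-around of a circulant row shift.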
We provide below the results of a set of execution time benchmarks. The results were obtained by measuring the time required for key generation, encryption (key encapsulation) and decryption (key decapsulation) as a function of the chosen security category and the number of circulant blocks. The reported measurements are averages over repeated executions of the reference implementation. The generated binaries were run on an AMD Ryzen 5 1600 CPU at 3.2 GHz, locking the frequency scaling to the top frequency.
Table 2 reports the running times in terms of CPU time taken by the process. As can be noticed, the most computationally demanding primitive is key generation, whose computation time is dominated by the execution of a single modular inverse required to obtain the public key. The encryption primitive is the fastest of all, and its computation time is almost entirely devoted to the polynomial multiplications performing the encryption. The decryption primitive is dominated by the Q-decoder computation, with a minimal portion taken by the modular multiplications which reconstruct the secret matrix and compute the private syndrome fed into the Q-decoder.
Considering the computational cost of performing a KEM with ephemeral keys, the most advantageous choice of the number of circulant blocks is the same at every security level, although the computational savings are more significant for high-security parameter choices (Categories 3 and 5).
Table 3. Sizes (B) of the private key (at rest and in memory), public key, shared secret and encapsulated secret, for each security category.
Table 3 reports the sizes of both the keypairs and the encapsulated secrets for LEDAkem. In particular, regarding the size of the private keys, we report both the size of the stored private key and the amount of main memory required to store the expanded key during the decryption phase. We note that, for a given security category, increasing the number of circulant blocks enlarges the public key. This increase in the size of the public key represents a tradeoff with the decrease in the size of the ciphertext to be transmitted, which amounts to a single circulant block and shrinks when a larger number of blocks is selected, for a fixed security category. The size of the derived encapsulated secret is at least 256 bits, in order to meet the requirement reported in [32]. The shared secret is derived employing a SHA-3 hash function with a 256-, 384- or 512-bit digest, in order to match the requirements of Categories 1, 3 and 5, respectively.
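As a rough illustration of the tradeoff, the following size model assumes a systematic public key of (n0 - 1) * p bits and a p-bit syndrome ciphertext, which is typical of QC Niederreiter schemes; these formulas are an assumption of this sketch, not a quotation of LEDAkem's exact expressions:

```python
def qc_sizes_bytes(n0: int, p: int):
    """Illustrative size model (an assumption, see lead-in) for a QC
    Niederreiter scheme with n0 circulant blocks of size p: a systematic
    public key of (n0 - 1) * p bits, a ciphertext of one p-bit syndrome."""
    pubkey = ((n0 - 1) * p + 7) // 8      # bits rounded up to bytes
    ciphertext = (p + 7) // 8
    return pubkey, ciphertext
```

Under this model, growing n0 at fixed p inflates only the public key; since a larger n0 also permits a smaller p at equal security, the ciphertext shrinks, matching the tradeoff described above.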
6 Conclusion
We have introduced a post-quantum KEM based on QC-LDPC codes with the following advantages: it is built on an NP-complete problem under reasonable assumptions; it exploits improved BF decoders which are faster than classical BF decoders; it requires compact keypairs (below 23 kiB), with minimum-size private keys; besides single-precision integer operations, it needs only binary polynomial addition and multiplication, and one modular inverse; and it lends itself particularly well to countermeasures against non-profiled power consumption side channel attacks. As regards implementation, no platform-specific optimizations have been exploited, thus we expect these results to be quite consistent across different platforms. On the other hand, starting from this platform-agnostic reference implementation, a number of optimizations can be applied to make LEDAkem faster.
Acknowledgments
Paolo Santini was partly funded by Namirial SpA.
References
 [1] Aragon, N., Barreto, P.S.L.M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C., Gaborit, P., Gueron, S., Güneysu, T., Melchor, C.A., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P., Zémor, G.: BIKE: Bit flipping key encapsulation (2017), http://bikesuite.org/files/BIKE.pdf
 [2] Baldi, M., Bianchi, M., Chiaraluce, F.: Optimization of the paritycheck matrix density in QCLDPC codebased McEliece cryptosystems. In: Proc. IEEE ICC 2013  Workshop on Information Security over Noisy and Lossy Communication Systems. Budapest, Hungary (Jun 2013)
 [3] Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QCLDPC codes. In: Security and Cryptography for Networks, LNCS, vol. 5229, pp. 246–262. Springer Verlag (2008)
 [4] Baldi, M.: QCLDPC CodeBased Cryptography. SpringerBriefs in Electrical and Computer Engineering, Springer International Publishing (2014)
 [5] Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: LEDAkem: Low dEnsity coDebAsed key encapsulation mechanism (2017), https://www.ledacrypt.org/
 [6] Baldi, M., Bianchi, M., Chiaraluce, F.: Security and complexity of the McEliece cryptosystem based on QCLDPC codes. IET Inf. Security 7(3), 212–220 (Sep 2012)
 [7] Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. of Cryptology 29(1), 1–27 (Jan 2016)
 [8] Bardet, M., Élise Barelli, Blazy, O., Torres, R.C., Couvreur, A., Gaborit, P., Otmani, A., Sendrier, N., Tillich, J.P.: BIG QUAKE: BInary Goppa QUAsicyclic Key Encapsulation (2017), https://bigquake.inria.fr/files/2017/12/proposal.pdf
 [9] Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2^(n/20): How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) Advances in Cryptology - EUROCRYPT 2012, LNCS, vol. 7237, pp. 520–536. Springer Verlag (2012)
 [10] Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography 35(1), 63–79 (Apr 2005)
 [11] Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (May 1978)
 [12] Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ballcollision decoding. In: CRYPTO 2011, LNCS, vol. 6841, pp. 743–760. Springer Verlag (2011)
 [13] Cayrel, P.L., Gueye, C.T., Mboup, E.H.M., Ndiaye, O., Persichetti, E.: Efficient Implementation of Hybrid Encryption from Coding Theory, pp. 254–264. Springer International Publishing, Cham (2017)
 [14] Chaulet, J., Sendrier, N.: Worst case QCMDPC decoder for McEliece cryptosystem. In: Proc. IEEE International Symposium on Information Theory (ISIT 2016). pp. 1366–1370. Barcelona, Spain (Jul 2016)
 [15] Fabšič, T., Gallo, O., Hromada, V.: Simple power analysis attack on the QCLDPC McEliece cryptosystem. Tatra Mountains Math. Pub. 67(1), 85–92 (Sep 2016)
 [16] Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QCLDPC McEliece cryptosystem. In: Lange, T., Takagi, T. (eds.) PostQuantum Cryptography: 8th International Workshop, PQCrypto 2017, pp. 51–68. Springer, Utrecht, The Netherlands (Jun 2017)
 [17] Gaborit, P.: Shorter keys for code based cryptography. In: Proc. Int. Workshop on Coding and Cryptography (WCC 2005). pp. 81–90. Bergen, Norway (Mar 2005)
 [18] Goppa, V.D.: A new class of linear correcting codes. Probl. Pered. Info. 6(3), 24–30 (1970)

 [19] Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proc. 28th Annual ACM Symposium on the Theory of Computing. pp. 212–219. Philadelphia, PA (May 1996)
 [20] Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, LNCS, vol. 10031, pp. 789–815. Springer Berlin Heidelberg (2016)
 [21] Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the FujisakiOkamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017), https://eprint.iacr.org/2017/604
 [22] Kachigar, G., Tillich, J.P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) PostQuantum Cryptography: 8th International Workshop, PQCrypto 2017, pp. 69–89. Springer, Utrecht, The Netherlands (Jun 2017)
 [23] Lee, P., Brickell, E.: An observation on the security of McEliece’s publickey cryptosystem. In: Advances in Cryptology  EUROCRYPT 88, vol. 330, pp. 275–280. Springer Verlag (1988)
 [24] Leon, J.: A probabilistic algorithm for computing minimum weights of large errorcorrecting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (Sep 1988)
 [25] Li, Y.X., Deng, R., Wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s publickey cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (Jan 1994)
 [26] Löndahl, C., Johansson, T.: A new version of McEliece PKC based on convolutional codes. In: Chim, T.W., Yuen, T.H. (eds.) Proc. ICICS 2012, pp. 461–470. No. 7618 in LNCS, Springer Berlin Heidelberg (2012)
 [27] May, A., Meurer, A., Thomae, E.: Decoding random linear codes in O~(2^(0.054n)). In: ASIACRYPT 2011, LNCS, vol. 7073, pp. 107–124. Springer Verlag (2011)
 [28] McEliece, R.J.: A publickey cryptosystem based on algebraic coding theory. DSN Progress Report pp. 114–116 (1978)
 [29] Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPCMcEliece: New McEliece variants from moderate density paritycheck codes. In: 2013 IEEE International Symposium on Information Theory. pp. 2069–2073 (July 2013)
 [30] Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Selected Areas in Cryptography, LNCS, vol. 5867, pp. 376–392. Springer (2009)
 [31] Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: Proc. IEEE International Symposium on Information Theory (ISIT 2000). p. 215. Sorrento, Italy (Jun 2000)
 [32] National Institute of Standards and Technology: Postquantum crypto project (Dec 2016), http://csrc.nist.gov/groups/ST/postquantumcrypto/
 [33] Niebuhr, R., Persichetti, E., Cayrel, P.L., Bulygin, S., Buchmann, J.: On lower bounds for information set decoding over F_q and on the effect of partial knowledge. Int. J. Inf. Coding Theory 4(1), 47–78 (Jan 2017)
 [34] Niederreiter, H.: Knapsacktype cryptosystems and algebraic coding theory. Probl. Contr. and Inf. Theory 15, 159–166 (1986)
 [35] Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasicyclic codes. In: Proc. First International Conference on Symbolic Computation and Cryptography (SCC 2008). Beijing, China (Apr 2008)
 [36] Peters, C.: Information-set decoding for linear codes over F_q. In: Post-Quantum Cryptography, LNCS, vol. 6061, pp. 81–94. Springer Verlag (2010)
 [37] Prange, E.: The use of information sets in decoding cyclic codes. IRE Transactions on Information Theory 8(5), 5–9 (Sep 1962)
 [38] Saito, T., Xagawa, K., Yamakawa, T.: Tightlysecure keyencapsulation mechanism in the quantum random oracle model. Cryptology ePrint Archive, Report 2017/1005 (2017), https://eprint.iacr.org/2017/1005
 [39] Sendrier, N.: Decoding one out of many. In: Yang, B.Y. (ed.) PostQuantum Cryptography, LNCS, vol. 7071, pp. 51–67. Springer Verlag (2011)
 [40] Shooshtari, M.K., AhmadianAttari, M., Johansson, T., Aref, M.R.: Cryptanalysis of McEliece cryptosystem variants based on quasicyclic lowdensity parity check codes. IET Information Security 10(4), 194–202 (Jun 2016)
 [41] Shor, P.W.: Polynomialtime algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (Oct 1997)
 [42] Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory and Applications, LNCS, vol. 388, pp. 106–113. Springer Verlag (1989)
 [43] de Vries, S.: Achieving 128bit Security against Quantum Attacks in OpenVPN. Master’s thesis, University of Twente (August 2016), http://essay.utwente.nl/70677/