LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes

01/26/2018 ∙ by Marco Baldi, et al. ∙ Politecnico di Milano UnivPM 0

This work presents a new code-based key encapsulation mechanism (KEM) called LEDAkem. It is built on the Niederreiter cryptosystem and relies on quasi-cyclic low-density parity-check codes as secret codes, providing high decoding speeds and compact keypairs. LEDAkem uses ephemeral keys to foil known statistical attacks, and takes advantage of a new decoding algorithm that provides faster decoding than the classical bit-flipping decoder commonly adopted in this kind of systems. The main attacks against LEDAkem are investigated, taking into account quantum speedups. Some instances of LEDAkem are designed to achieve different security levels against classical and quantum computers. Some performance figures obtained through an efficient C99 implementation of LEDAkem are provided.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Devising efficient and robust post-quantum key encapsulation mechanisms (KEMs) is an important and urgent research target, as also witnessed by the recent NIST call for post-quantum cryptographic systems [32]. Code-basedcryptosystems are among the most promising candidates to replace quantum-vulnerable primitives which are still relying on the hardness of the integer factorization or discrete logarithm problems, such as the Diffie-Hellman key exchange and the Rivest-Shamir-Adleman (RSA) and ElGamal cryptosystems. Indeed, Shor’s algorithm [41] can be used to solve both the integer factorization and the discrete logarithm problems in polynomial time with a quantum computer. One of the problems for which no known polynomial time algorithm on a quantum computer exists is the decoding of a general linear code. Indeed, such a problem belongs to the non deterministic-polynomial (NP)-complete computational equivalence class [11, 27], which is widely believed to contain problems which have no polynomial time solution on a quantum computer.

The first code-based public-key cryptosystem relying on the general linear code decoding problem was proposed by McEliece in 1978 [28], and used Goppa codes [18] to form the secret key. Such a choice yields large public keys, which is the main limitation of Goppa code-based systems. The Niederreiter cryptosystem [34] is a code-based cryptosystem exploiting the same trapdoor, but using syndromes and parity-check matrices instead of codewords and generator matrices as in McEliece. When the same family of codes is used, Niederreiter and McEliece are equivalent [25] and therefore they achieve the same security levels.

Replacing Goppa codes with other families of more structured codes may reduce the public key size. However, this may also compromise the system security, as it occurred with some first McEliece variants based on quasi-cyclic (QC) codes [17], low-density parity-check (LDPC) codes [31] and quasi-cyclic low-density parity-check (QC-LDPC) codes [35], quasi-dyadic (QD) codes [30], convolutional codes [26] and some instances based on generalized Reed-Solomon (GRS) codes [7, 10]. Nevertheless, some variants exploiting QC-LDPC and quasi-cyclic moderate-density parity-check (QC-MDPC) codes [2, 3, 29] have been shown to be able to achieve very compact keys without endangering security.

Recently, some new statistical attacks have been developed that exploit the information coming from decryption failures in QC-LDPC and QC-MDPC code-based systems to perform key recovery attacks, thus forcing to renew keys frequently in these systems [16, 20].

In this paper, we start from the QC-LDPC code-based system proposed in [3, 2] and we develop a new key encapsulation mechanism (KEM) based on the the Niederreiter cryptosystem. We also introduce an improved decoding algorithm which exploits correlation among intentional errors seen by the private code. This way, the correction capability of the private code is exploited to the utmost, thus allowing to achieve significant reductions in the public key size. We call the new system LEDAkem and study its properties and security. We take into account the fact that Grover’s algorithm running on a quantum computer may be exploited to speedup attacks based on information set decoding (ISD) [22, 43], and we propose some sets of parameters for LEDAkem achieving different security levels against attacks exploiting both classical and quantum computers. We also describe an optimized software implementation of the proposed system and provide and discuss some performance figures. LEDAkem currently is one of the first round candidate algorithms of the NIST post-quantum cryptography standardization project [32], along with other code-based KEMs. In this work we will highlight the differences between our proposal and the closest one among the others, i.e. BIKE [1], which relies on QC-MDPC codes for its construction.

The organization of the paper is as follows. In Section 2 we describe LEDAkem. In Section 3 we present its security analysis and in Section 4 its peculiar features. In Section 5 we discuss some implementation issues and we show some numerical results. Finally, some conclusions are drawn in Section 6.

2 The LEDAkem cryptosystem

The LEDAkem cryptosystem is derived from the Niederreiter cryptosystem with the following main differences:

  • Non-algebraic codes known as QC-LDPC codes are used as secret codes.

  • The public code is neither coincident with nor equivalent to the private code.

  • Suitably designed iterative non-bounded-distance decoding algorithms are used.

The motivation for using QC-LDPC codes as private codes is in the fact that these such codes are known to achieve important reductions in the public key size when used in this context [2, 29]. Moreover, when LDPC codes are used as private codes, the public code cannot be either coincident with or equivalent to the private code. Indeed, in such a case, an attacker could search for low weight codewords in the dual of the public code and find a sparse parity-check matrix of the private code which allows efficient decoding.

For this reason, following [2], LEDAkem uses a transformation matrix that hides the sparse parity-check matrix of the private code into a denser parity-check matrix

of the public code. This also affects the error vector that must be corrected during decryption, which is obtained from the error vector used during encryption through multiplication by

. In this work, we show how it is possible to exploit the knowledge of to design an ad-hoc decoding algorithm achieving very good performance in terms of both decoding speed and decryption failure rate (DFR).

In fact, a well-known feature of LDPC

coding is that the decoding radius of iterative decoders is not sharp and cannot be estimated in a deterministic way. It follows that some residual


must be tolerated, and it must be estimated heuristically through Montecarlo simulations. This is done for all the proposed instances of LEDAkem in order to guarantee that they achieve a sufficiently low

DFR. Providing quantitative estimates of the DFR for the proposed instances of LEDAkem allows us to prevent attacks such as the ones described in [16, 20] changing the key either at each round of the KEM, or before a sufficient amount of decoding failures are observed by the attacker.

2.1 Coding background

A QC code is defined as a linear block code with dimension and length , in which each cyclic shift of a codeword by symbols results in another valid codeword. It follows from their definition that QC codes have generator and parity-check matrices in “blocks circulant” form or, equivalently, in “circulants block” form. The latter is used in LEDAkem. A circulant matrix has the following form


According to its definition, any circulant matrix is regular, since all its rows and columns are cyclic shifts of the first row and column, respectively.

The set of binary circulant matrices forms an algebraic ring under the standard operations of modulo-

matrix addition and multiplication. The zero element is the all-zero matrix, and the identity element is the

identity matrix. The algebra of the polynomial ring is isomorphic to the ring of circulant matrices over with the following map


According to (2), any binary circulant matrix is associated to a polynomial in the variable having coefficients over which coincide with the entries of the first row of the matrix


According to (2), the all-zero circulant matrix corresponds to the null polynomial and the identity matrix to the unitary polynomial. The ring of polynomials includes elements that are zero divisors which are mapped to singular circulant matrices over . Avoiding such matrices is important in some parts of LEDAkem, and smart ways exist to design non-singular circulant matrices. As it will be described next, the main part of the secret key of LEDAkem is formed by a binary QC-LDPC code described through its parity-check matrix . Let denote the code length in bits and denote the code dimension in bits, then has size , where is the code redundancy.

2.2 Description of the primitives

The main functions of LEDAkem are described next.

2.2.1 Key generation.

Both private and public keys consist of binary matrices. These matrices, in their turn, are formed by circulant blocks, being an integer properly chosen.

Secret key.

The key generation input is formed by:

  • The circulant block size (usually in the order of some thousands bits).

  • The integer (usually between and ), representing the number of circulant blocks forming the matrix .

  • The integer , representing the row/column weight (usually between and ) of the circulant blocks forming the matrix .

  • The vector of integers , representing the row/column weights (each entry usually smaller than ) of the circulant blocks forming the matrix (the structure of is clarified below).

Given these inputs, the secret key is obtained as follows.

First, sparse circulant matrices with size are generated at random. Each of them has row/column weight . We denote such matrices as . The secret low-density parity-check matrix is then obtained as


The size of is . Other sparse circulant blocks are then randomly generated to form the secret sparse matrix


The row/column weight of each block is fixed according to the following matrix:


such that each row and each column of has weight .

The choice of the weights and the size of the circulant blocks composing it is very important since it allows to discern if is invertible or not. In particular, denoting with the permanent of a matrix, the following theorem holds.

Theorem 2.1

Let be a prime such that and be an matrix of elements in ; if

is odd and

, then is non singular.


Omitted for the sake of brevity.

With this result, we can guarantee that, when the sequence is properly chosen, the matrix is always non singular, which is a necessary condition for the key generation process to be successful.

Definition 1

The secret key (SK) of LEDAkem is formed by .

Since both and are formed by sparse circulant blocks, it is convenient to represent each of these blocks through the indexes of the symbols in their first row, i.e. adopt a sparse representation for them. Each index of this type requires bits to be stored. If we consider that the circulant blocks in any block row of have overall weight , the size of SK in bits is


In practice, the secret matrices are generated through a deterministic random bit generator (DRBG), seeded with a bit string extracted from a true random number generator (TRNG). In this case, to obtain and it is sufficient to know the TRNG extracted seed of the DRBG that has been used to generate the positions of their non-null coefficients, since this process is rather fast. This approach allows reducing the size of the secret key to the minimum required, as it is assumed that the TRNG output cannot be compressed. The entity of the reduction depends on the values of the parameters involved in (7).

Public key.

Starting from and , the following binary matrices are computed. First of all, the matrix is obtained as


If both and are odd, then has full-rank. In fact, and has weight equal to (where is the number of cancellations occurred in the product). It is possible to demonstrate that if is odd and then is non-singular.

After inverting , the following matrix is computed:

Definition 2

The public key (PK) of LEDAkem is formed by .

Since the circulant blocks forming are dense, it is convenient to store them through the binary representation of their first row (the other rows are then obtained as cyclic shifts of the first row). The bit-size of the PK hence is


2.2.2 Encryption.

The plaintext of LEDAkem is an ephemeral random secret generated by Bob who is willing to share it with Alice. The encryption inputs are:

  • The values of and , from which is computed.

  • The number of intentional errors .

Bob generates a secret in the form of a random binary vector with length of bits and Hamming weight . Given a key derivation function (KDF), the shared secret key is generated from as . In order to encapsulate the shared secret , Bob fetches Alice’s PK and computes where denotes matrix transposition. The syndrome vector representing the encapsulated secret is then sent to Alice.

2.2.3 Decryption.

In order to perform decryption, Alice must recover from . The latter can be written as The first decryption step for Alice is computing . For this purpose, Alice needs to know that, according to (8), is the last circulant block of the matrix . Hence, it can be easily computed from the SK which contains both and . If we define the expanded error vector as


then we have . Hence, QC-LDPC decoding through can be exploited for recovering from . QC-LDPC decoders are not bounded distance decoders, and some DFR must be tolerated. However, the system parameters can be chosen such that the DFR is acceptably small. For this purpose, the average decoding radius of the private code must be sufficiently larger than the Hamming weight of , which is approximately equal to (due to the sparsity of and ). Then, multiplication by would be needed to obtain from , that is,


However, by exploiting the efficient decoding algorithm described in Section 2.3, this last step can be avoided, which also allows avoiding the computation and storage of as part of the secret key. In fact, the decoding algorithm described in Section 2.3 allows recovering directly by performing decoding of through , while taking into account the effect of the multiplication of by . Then, the secret key is recovered as .

In case a decoding error occurs, the decryption procedure derives the shared secret combining with a KDF the syndrome with a secret constant, which may be derived via a PRNG from the secret key material [38]. Alternatively, using a secret permutation of the syndrome as input to the KDF was noted to be effective in [21]. Such an approach which is beneficial from the security standpoint in case of an accidental keypair reuse. More details concerning this aspect, which is related to formal security of LEDAkem, will be given in Section 4. According to this approach, Bob will become aware of the decoding failure upon reception of the message sent by Alice encrypted with the incorrectly derived shared secret.

2.3 Efficient decoding

Classical bit flipping (BF) decoding works as follows. At each iteration, for each codeword bit position, the number of unsatisfied parity-check equations is computed, and if this number equals or exceeds a given threshold, then that bit is flipped. The decision threshold can be chosen in many ways, affecting the decoder performance, and it can be fixed or it can vary during iterations. A choice that often turns out to be optimal is to fix the threshold, at each iteration, as the maximum number of unsatisfied parity-check equations in which any codeword bit is involved. In fact, a codeword bit participating in a higher number of unsatisfied parity-check equations can be considered less reliable than a codeword bit participating in a smaller number of unsatisfied parity-check equations. So, if the threshold is chosen in this way, the bits that are flipped are those that are most likely affected by errors.

Starting from classical BF, we have developed an improved decoder that is specifically designed for LEDAkem, where the position of the ones in the expanded error vector to be corrected is influenced by the value of , as is equivalent to a random error vector with weight multiplied by . Since this improved decoder takes into account such a multiplication by the transpose of matrix to estimate with greater efficiency the locations of the bits of the expanded error vector, we denote it as Q-decoder.

Inputs of the decoder are the syndrome and the matrices and according to (4) and (5), respectively. The output of the decoder is a vector or a decoding failure, where represents the decoder estimate of the error vector appearing in the equality . The decoding process performs a maximum of iterations, where the -th iteration processes and (that is the values at the previous iteration) and outputs and . A threshold criterion is adopted to compute the positions in that must be changed. The threshold values can be chosen in different ways and affect the decoder performance. In the next section we describe a simple and effective procedure to design such values. The decoder initialization is performed by setting and , where is the length- vector with all-zero entries. It is important to note that (and, by extension, ) is a row vector. Moreover, let us consider that all multiplications are binary, expect those denoted with ‘’, which are performed in the integer domain . The -th iteration of the Q-decoder performs the following operations:

  1. Compute , resulting in a vector of integers having entries between and .

  2. Compute .

  3. Define .

  4. Update as

    where is a length- binary vector with all-zero entries, except those indexed by .

  5. Update the syndrome as

    where is the -th row of .

  6. If the weight of is zero then stop decoding and return .

  7. If then increment and go back to step i), otherwise stop decoding and return a decoding failure.

As in classical BF, the first step of this algorithm computes the vector . Each entry of this vector counts the number of unsatisfied parity-check equations corresponding to that bit position, and takes values in . This evaluates the likelihood that the binary element of at the same position is equal to one. Differently from classical BF, in step ii) the correlation between these likelihoods and the rows of is computed. In fact, the expanded error vector can be written as the sum of the rows of indexed by the support of , that is where denotes the support of .

Since both and are sparse (that is, ), cancellations between ones in the sum are very unlikely. When the correlation between and a generic row of is computed, two cases may occur:

  • If , then it is very likely that has a very small number of common ones with all the rows of forming , hence the correlation is small.

  • If , then is one of the rows of forming , hence the correlation is large.

The main difference with classical BF is that, while in the latter all error positions are considered as independent, the Q-decoder exploits the correlation among expanded errors which is present in LEDAkem, since their positions are influenced by . This allows achieving important reductions in the number of decoding iterations. As a further advantage, this decoder allows recovering , besides , without the need of computing and storing the inverse of the matrix . For this purpose, it is sufficient that, at each iteration, the Q-decoder flips the bits of the estimated error vector that correspond to the correlations values overcoming the threshold.

2.4 Choice of the Q-decoder decision thresholds

One important aspect affecting performance of the Q-decoder is the choice of the threshold values against which the correlation is compared at each iteration. A natural choice is to set the threshold used at iteration equal to the maximum value of the correlation , that is . This strategy ensures that only those few bits that have maximum likelihood of being affected by errors are flipped during each iteration, thus achieving the lowest DFR. However, such an approach has some drawbacks in terms of complexity, since the computation of the maximum correlation requires additional computations with respect to a fixed threshold.

Therefore, as in [14], we consider a different strategy, which allows computing the threshold values on the basis of the syndrome weight at each iteration. According to this approach, during an iteration it is sufficient to compute the syndrome weight and read the corresponding threshold value from a look-up table. This strategy still allows to achieve a sufficiently low DFR, while employing a significantly smaller number of decoding iterations.

Let us consider the -th iteration of the Q-decoder, and denote by the weight of the error vector and with the weight of the corresponding expanded error vector

. Let us introduce the following probabilities



where is the probability that a codeword bit is error-free and a parity-check equation evaluates it to be incorrect, and is the probability that a codeword bit is error-affected and a parity-check equation evaluates it to be correct. In both these cases, the syndrome bit is equal to . The probability that each syndrome bit is equal to can be therefore computed as , so the average syndrome weight at iteration results in


where denotes the Hamming weight. Since both the parity-check matrix and the error vector are sparse, the probability of being significantly different from is negligible.

So, (14) allows predicting the average syndrome weight starting from . In order to predict how varies during iterations, let us consider the -th codeword bit and the corresponding correlation value at the -th iteration. The probability that such a codeword bit is affected by an error can be written as


where is the -th bit of the error vector used during encryption. After some calculations, we obtain


where and are given in (13), with as argument instead of .

Adding the -th row of to the expanded error vector is the same as flipping the -th bit of the error vector . Hence, we can focus on and on how its weight changes during decoding iterations. The values of can be estimated using (14), while, due to sparsity, those of can be estimated as .

The decision to flip the -th codeword bit is taken when the following condition is fulfilled


where represents a margin that must be chosen taking into account the DFR and complexity: increasing decreases the DFR but increases the number of decoding iterations. So, a trade-off value of can be found that allows achieving a low DFR while avoiding unnecessary large numbers of iterations.

Since , (17) can be rewritten as


is an increasing function of , hence the minimum value of such that (18) is satisfied can be computed as


and used as the decision threshold at iteration .

Based on the above considerations, the procedure to compute the decision threshold value per each iteration as a function of the syndrome weight can be summarized as follows:

  1. The syndrome weights corresponding to (which are all the possible values of neglecting cancellations) are computed according to (14). These values are denoted as .

  2. At iteration , given the syndrome weight , the integer such that is as close as possible to is computed.

  3. Consider and compute according to (19) and (16). The value of , so obtained, is used as the decoding threshold for iteration .

The above procedure can be implemented efficiently by populating a look-up table with the pairs , sequentially ordered. During an iteration, it is enough to compute , search the largest in the look-up table such that and set .

We have observed that, moving from large to smalle values of , the thresholds computed this way firstly exhibit a decreasing trend, then start to increase. According to numerical simulations, neglecting the final increase is beneficial from the performance standpoint. Therefore, in the look-up table we replace the threshold values after the minimum with a constant value equal to the minimum itself.

2.5 Relations with QC-MDPC code-based systems

In LEDAkem, the public code is a QC-MDPC code that admits as a valid parity-check matrix. However, differently from QC-MDPC code-based schemes, the private code is a QC-LDPC code, which facilitates decoding. In fact, decoding directly the public QC-MDPC code through classical BF decoders would be a possibility, but the approach we follow is different. By using the decoding algorithm described in Section 2.3, we decode the private QC-LDPC code, taking into account the correlation introduced in the private error vector due to multiplication by . Since the private QC-LDPC matrix is sparser than the QC-MDPC matrix of the public code, this yields lower decoding complexity.

Besides working over different matrices, the main difference between these two decoding algorithms is in the use of integer multiplications in our decoder, while all multiplications are performed over in classical BF decoders. In fact, in our decoder we perform the following operation to compute


where the last approximation comes from the fact that, for two sparse matrices and , we have . Thus, we can say that . So, if we consider classical BF decoding working over the matrix , the counter vector is computed as


In the Q-decoder, the error vector is updated by summing rows of , which is equivalent to flipping bits of the public error vector. Hence, there is a clear analogy between decoding of the private QC-LDPC code through the Q-decoder and decoding of the public QC-MDPC code through a classical BF decoder. Through numerical simulations we have verified that the two approaches yield comparable performance in the waterfall region. Performance in the error floor region is instead dominated by the minimum distance of the code over which decoding is performed. Since QC-LDPC codes have smaller minimum distance than QC-MDPC codes, this reflects into a higher error floor when decoding is performed over the private QC-LDPC code. However, no error floor has been observed during simulations of LEDAkem with QC-LDPC decoding, down to a DFR between and . Since this is the working point of the codes we use, in terms of DFR, we can say that the error floor effect, if present, is negligible from our scheme performance standpoint.

3 Security analysis

LEDAkem is constructed starting from the computational problem of syndrome decoding, i.e., obtaining a bounded weight error vector from a given syndrome and a general linear code, which was shown to be NP-complete in [11]. The main difference from the statement of the general hard problem on which our proposal is built is the nature of the code employed, which is quasi-cyclic and admits a representation with a low-density parity-check matrix. To best of our knowledge, there is no superpolynomial advantage in performing syndrome decoding on QC-LDPC, given our public code representation, either due to the quasi-cyclic form of the code or to the low density of its parity matrix. We point out that the same assumption on the lack of advantage due to the quasi-cyclic structure of a code has also been done in both the BIKE [1] and the BIG QUAKE [8]

proposals. With these statements standing, the security analysis of LEDAkem examines and quantifies the effectiveness of the best known attacks detailing the efficiency of algorithms running on both classical and quantum computers providing non-exponential speedups over an enumerative search for the correct error vector. We remark that currently no algorithm running on either a classical Turing Machine (TM) or a quantum TM provides an exponential speedup in solving the computational problem underlying LEDAkem compared to an exhaustive search approach.

3.1 Analysis of the algorithm with respect to known attacks

As mentioned in the previous sections, LEDAkem derives from QC-LDPC code-based cryptosystems already established in the literature [6, 4]. As proved in [16], in case of using long-term keys, these cryptosystems may be subject to reaction attacks that are able to recover the secret key by exploiting the inherent non-zero DFR they exhibit and Bob’s reactions upon decryption failures. However, using ephemeral keys prevents the possibility to mount an attack of this kind, which requires long statistical evaluations. Nevertheless, the risks in case of an accidental keypair reuse must be considered, and this will be done in Section 4.

A first type of attacks that can be mounted against LEDAkem are decoding attacks aimed at performing decoding through the public code representation, without knowing the private code representation. The most powerful algorithms that can be used for this purpose are ISD algorithms. These algorithms aim at performing decoding of any linear block code by exploiting a general representation of it. ISD algorithms have been introduced by Prange [37] and subsequently improved by Lee-Brickell [23], Leon [24] and Stern [42]. More recently, they have known great advances through modern approaches, also exploiting the generalized birthday paradox [27, 36, 12, 9, 33]. It is possible to show that the general decoding problem is equivalent to the problem of finding low-weight codewords in a general (random-like) code. Therefore, algorithms for searching low-weight codewords can be used as ISD algorithms.

The availability of an efficient algorithm to search for low-weight codewords is also at the basis of key recovery attacks. In LEDAkem the matrix is a valid parity-check matrix for the public code. Since is sparse, by knowing it an attacker could separate from and recover the secret key. In order to discover , an attacker must search for its rows in the dual of the public code. Due to the sparsity of and , any of these rows has weight in the order of . The attack can be implemented by exploiting again an efficient algorithm for the search of low-weight codewords in linear block codes.

Another potential attack to systems based on QC-LDPC codes is that presented in [40]. This attack uses a special squaring technique and, by extracting the low-weight error vectors, finds low-weight codewords more efficiently than with a general ISD algorithm. This attack, however, is applicable if and only if is even. Therefore, in order to increase the system security it is advisable to choose odd values of . Choosing as a prime is an even more conservative choice against cryptanalysis exploiting factorization of . The value of in LEDAkem is chosen in such a way to prevent these attacks.

To estimate complexity of DAs and KRAs exploiting ISD and low-weight codeword searching algorithms, let us define the work factor (WF) of an algorithm as the base-2 logarithm of the average number of binary operations it requires to complete its execution successfully. Let denote the WF of the most efficient algorithm searching for codewords of weight in a code having length and dimension . Such an algorithm can be used to perform ISD with the aim of decrypting a LEDAkem ciphertext without knowing the private key. In this case, we have , and . Moreover, due to the QC nature of the codes, a speedup in the order of must be taken into account [39]. Hence, the security level against decoding attacks of this type can be computed as


Concerning the KRAs attack, based on the above considerations we have a similar formula, but with different parameters, that is,


where the speedup factor is due to the fact that recovering only one out of sparse rows of , is enough for the attacker (due to the QC structure of ).

According to [43], the most efficient ISD algorithm taking into account Grover’s algorithm [19] running on a quantum computer is Stern’s algorithm. Therefore, the post-quantum security levels have been estimated by considering the work factor of Stern’s algorithm with quantum speedup according to [43]. Instead, with classical computers the most efficient ISD algorithm turns out to be the BJMM algorithm in [9]. Therefore, the security levels against attackers provided with classical computers have been estimated by considering the work factor of BJMM in (22) and (23). We chose to employ the results provided in [43] to evaluate the computational efforts of Stern’s variant of the ISD as they provide exact formulas instead of asymptotic bounds. However, we note that a recent work [22] provides improved asymptotic bounds on the computational complexity of quantum ISD for increasing values of the codeword length . Deriving from this approach exact values for given parameters set is worth investigating.

3.2 System parameters

The NIST call for Post-Quantum Cryptography Standardization [32] defines security categories, numbered from to and characterized by increasing strength (see [32] for details). According to this classification, nine instances of LEDAkem are proposed, grouped in three classes corresponding to different security levels. The three instances in each class correspond to three values of (), each one yielding a different balance between performance and public key size. The parameters of the nine instances of LEDAkem are reported in Table 1 for the security categories , and , respectively. In the table, the superscript (pq) denotes that the attack work factor has been computed taking into account quantum speedups due to Grover’s algorithm, while the superscript (cl) denotes that only classical computers have been considered.

For each security category and considered value of , we have fixed a value of the parity-check matrix row/column weight in the order of or less (that is advisable to have good error correcting capability of the private QC-LDPC codes), and we have found the values of and that allow satisfying (23) for the target security level. In fact, the value of must be chosen such that the dual of the public code, having minimum distance equal to , is robust against KRAs based on ISD. Once is fixed, we can find many pairs of values and which satisfy this bound; among these, we have chosen the one having the lowest product , which is a metric affecting the error correcting capability of the private code. Then, we have found the value of that allows satisfying (22) and checked whether errors can be corrected by the private code through Q-decoding with a sufficiently low DFR. Otherwise, we have increased the value of keeping all the other parameters fixed. Concerning the estimation of the DFR, we have first exploited BF asymptotic thresholds [6], and then we have performed Montecarlo simulations for each system instance in order to evaluate its DFR. In all Montecarlo simulations, except the one for the Category 1, parameter set, we have encountered no errors, so the DFR can be approximately bounded by the reciprocal of the number of simulated decryptions. Concerning the parameter set for Category 1, , we obtained failures on decoding computations, pointing to a DFR .
In order to make a conservative design of the system, we have considered some margin in the complexity estimates of the attacks, such that the actual security level for these instances is larger than the target one. This also accounts for possible (though rare) cancellations occurring in , which may yield a row weight slightly smaller than . The values of have been chosen greater than in order to avoid codes having too small minimum distances. In addition, they are odd to ensure that the circulant blocks forming and (and , in particular) have full rank. Also the values of are always odd, and the sets have been chosen in such a way to guarantee that has full rank. In fact, is a valid parity-check matrix for the public code: if is singular, it might happen that the rank of is lower than , leading to a code with a co-dimension lower than . With the choice of an invertible , we guarantee that this does not occur.

Table 1: Parameters for LEDAkem and estimated computational efforts to break a given instance as a function of the security category and number of circulant blocks

4 Properties of the proposed cryptosystem

The QC-LDPC code-based Niederreiter cryptosystem alone achieves only indistinguishability under chosen plaintext attack (IND-CPA), that however is sufficient in case of using ephemeral keys. It is possible to convert a Niederreiter cryptosystem achieving only IND-CPA into one achieving indistinguishability under chosen ciphertext attack (IND-CCA), under the assumption that the DFR of the underlying code is zero. Such a conversion involves substituting the outcome of a decoding failure (due to an ill-formed ciphertext) with the outcome of a KDF taking as input either the public syndrome and a fixed secret bit sequence [21, 38], or a secret permutation of the syndrome itself [13]. We apply the conversion specified in [21] to our scheme, despite its DFR is not null, as it still proves beneficial in case of an accidental keypair reuse, against an attacker matching the IND-CCA model whenever no decoding failures due to the QC-LDPC code structure takes place. Furthermore, we note that LEDAkem ciphertexts are not malleable in a chosen plaintext scenario. Indeed, even if an attacker alters arbitrarily a ciphertext so that it decrypts to a valid error vector (e.g., discarding the ciphertext and forging a new one), the shared secret is derived via a hash based KDF, which prevents him from controlling the output of the decryption.

4.0.1 Relations with the security of Qc-Mdpc code-based systems.

Differently from QC-MDPC code-based systems, the public code in LEDAkem has a QC-MDPC matrix that can be factorized into and , and this might appear to yielding lower security than a general QC-MDPC matrix. However, in order to attempt factorization of , the attacker should first recover it by searching for low-weight codewords in the dual of the public code. Once has been recovered, trying to factorize it into and indeed becomes pointless, since the attacker could exploit to perform direct decoding of the public QC-MDPC code. Alternatively, an attacker could try to perform decoding of the public code, which requires solving the syndrome decoding problem for the same code. The best known techniques for solving these two problems are based on ISD, and no method is known to facilitate their solution by exploiting the fact that can be factorized into and .

4.0.2 Risks in case of keypair reuse.

While LEDAkem uses ephemeral keys that are meant for single use, it is possible that implementation accidents lead to a reuse of the same keypair more than once. The main threat in case of keypair reuse is the reaction attack described in [16], where a correlation between the DFR and the private key is derived. However, for the attack to succeed, the attacker needs to reliably estimate the decoding failure rate for a set of carefully crafted or selected error vectors. Given the DFR for which LEDAkem was designed (), obtaining a reliable estimate requires a number of decryptions with the same key in the order of billions. Since the said evaluation should be obtained for all the possible distances between two set bits in the secret key, a conservative estimate of the number of decryption actions required is , which, considering the weakest case, corresponding to Category with , yields decryptions. Therefore, the attack presented in [16] is not a practical threat on LEDAkem with the proposed parameters, unless a significant amount of decryptions are performed with the same key. Moreover, even the chosen ciphertext attack (CCA) described in [13], where a ciphertext is crafted with a number of errors greater than to artificially increase the DFR of the system, can be thwarted through checking the weight of the decoded error vector and reporting a decoding failure if it exceeds .

4.0.3 Protection against side-channel attacks.

The two most common side channels exploited to breach practical implementations of cryptosystems are the execution time of the primitive and the instantaneous power consumption during its computation. In particular, in [15], it was shown how a QC-LDPC code-based system can be broken by means of simple power analysis, exploiting the control-flow dependent differences of the decoding algorithm. We note that employing ephemeral keys provides a natural resistance against non-profiled power consumption side channel attacks, as a significant amount of measurements with the same key () must be collected before the key is revealed.

Concerning execution time side channel information leakage, the main portion of the LEDAkem decryption algorithm which is not characterized by a constant execution time is decoding. Indeed, the number of iterations made by the decoder depends on the values being processed. However, for the proposed parameters, we note that the number of iterations is between 3 and 5, with a significant bias towards 4. Hence, it is simple to achieve a constant time decoding by modifying the algorithm so that it always runs for the maximum needed amount of iterations to achieve the desired DFR. Such a choice completely eliminates the timing leakage, albeit trading it off for a performance penalty.

Category KeyGen Encrypt Decrypt Total CPU time
(ms) (ms) (ms) Ephemeral KEM (ms)
1 () () ()
() () ()
() () ()
2–3 () () ()
() () ()
() () ()
4–5 () () ()
() () ()
() () ()
Table 2: Running times for key generation, encryption and decryption as a function of the category and the number of circulant blocks on an AMD Ryzen 5 1600 CPU.

5 Implementation and numerical results

An effort has been made to realize a fast and efficient C99 implementation of LEDAkem without platform-dependent optimizations, which is publicly available in [5]. To this end, we represented each circulant block as a polynomial in thanks to the isomorphism described in Section 2.1. Consequently, all the involved block circulant matrices are represented as matrices of polynomials in . The polynomials are materialized employing a bit-packed form of their binary coefficients in all the cases where the number of non null coefficients is high. In case a polynomial has a low number of non null coefficients with respect to the maximum possible, i.e., the circulant matrix is sparse, we materialize only the positions of its one coefficients as integers.

We provide below the results of a set of execution time benchmarks. The results were obtained measuring the required time for key generation, encryption (key encapsulation) and decryption (key decapsulation) as a function of the chosen security category and the number of circulant blocks . The measurements reported are obtained as the average of executions of the reference implementation. The generated binaries were run on an AMD Ryzen 5 1600 CPU at 3.2 GHz, locking the frequency scaling to the top frequency.

Table 2 reports the running times in terms of CPU time taken by the process. As it can be noticed, the most computationally demanding primitive is the key generation, which has more than % of its computation time taken by the execution of a single modular inverse in required to obtain the value of . The encryption primitive is the fastest among all, and its computation time is substantially entirely devoted () to the polynomial multiplications performing the encryption. The decryption primitive computation is dominated by the Q-decoder computation ( of the time), with a minimal portion taken by the modular multiplications which reconstruct and the one to compute the private syndrome fed into the Q-decoder.

Considering the computational cost of performing a KEM with ephemeral keys, the most advantageous choice is to pick for any security level, although the computational savings are more significant when considering high-security parameter choices (Category 3 and 5).

Category Private Key Size (B) Public Key Shared secret Enc secret
At rest In memory size (B) size (B) size (B)
Table 3: Sizes of the keypair and encapsulated shared secret as a function of the chosen category and number of circulant blocks .

Table 3 reports the sizes of both the keypairs and the encapsulated secrets for LEDAkem. In particular, regarding the size of the private keys we report both the size of the stored private key and the required amount of main memory to store the expanded key during the decryption phase. We note that, for a given security category, increasing the value of enlarges the public key, as it is constituted of bits. This increase in the size of the public key represents a tradeoff with the decrease of the size of the ciphertext to be transmitted since it is only bits long, and decreases if a larger number of blocks is selected, for a fixed security category. The size of the derived encapsulated secret is at least bits, in order to meet the requirement reported in [32]. The shared secret is derived employing the SHA- hash function with a , or bits digest, in order to match the requirements of Categories , , and , respectively.

6 Conclusion

We have introduced a post-quantum KEM based on QC-LDPC codes with the following advantages: it is built on an NP-complete problem under reasonable assumptions; it exploits improved BF decoders which are faster than classical BF decoders; it requires compact keypairs (below 23 kiB at most), with minimum size private keys; it needs only addition and multiplication over , and modular inverse over besides single-precision integer operations; it is particularly efficient in applying countermeasures against non-profiled power consumption side channel attacks. As regards implementation, no platform specific optimizations have been exploited, thus we expect these results to be quite consistent across different platforms. On the other hand, starting from this platform-agnostic reference implementation, a number of optimizations can be applied to make LEDAkem faster.


Paolo Santini was partly funded by Namirial SpA.


  • [1] Aragon, N., Barreto, P.S.L.M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C., Gaborit, P., Gueron, S., Güneysu, T., Melchor, C.A., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P., Zémor, G.: BIKE: Bit flipping key encapsulation (2017), http://bikesuite.org/files/BIKE.pdf
  • [2] Baldi, M., Bianchi, M., Chiaraluce, F.: Optimization of the parity-check matrix density in QC-LDPC code-based McEliece cryptosystems. In: Proc. IEEE ICC 2013 - Workshop on Information Security over Noisy and Lossy Communication Systems. Budapest, Hungary (Jun 2013)
  • [3] Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Security and Cryptography for Networks, LNCS, vol. 5229, pp. 246–262. Springer Verlag (2008)
  • [4] Baldi, M.: QC-LDPC Code-Based Cryptography. SpringerBriefs in Electrical and Computer Engineering, Springer International Publishing (2014)
  • [5] Baldi, M., Barenghi, A., Chiaraluce, F., Pelosi, G., Santini, P.: LEDAkem: Low dEnsity coDe-bAsed key encapsulation mechanism (2017), https://www.ledacrypt.org/
  • [6] Baldi, M., Bianchi, M., Chiaraluce, F.: Security and complexity of the McEliece cryptosystem based on QC-LDPC codes. IET Inf. Security 7(3), 212–220 (Sep 2012)
  • [7] Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Enhanced public key security for the McEliece cryptosystem. J. of Cryptology 29(1), 1–27 (Jan 2016)
  • [8] Bardet, M., Élise Barelli, Blazy, O., Torres, R.C., Couvreur, A., Gaborit, P., Otmani, A., Sendrier, N., Tillich, J.P.: BIG QUAKE: BInary Goppa QUAsi-cyclic Key Encapsulation (2017), https://bigquake.inria.fr/files/2017/12/proposal.pdf
  • [9] Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in : How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) Advances in Cryptology - EUROCRYPT 2012, LNCS, vol. 7237, pp. 520–536. Springer Verlag (2012)
  • [10] Berger, T.P., Loidreau, P.: How to mask the structure of codes for a cryptographic use. Designs, Codes and Cryptography 35(1), 63–79 (Apr 2005)
  • [11] Berlekamp, E., McEliece, R., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (May 1978)
  • [12] Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: CRYPTO 2011, LNCS, vol. 6841, pp. 743–760. Springer Verlag (2011)
  • [13] Cayrel, P.L., Gueye, C.T., Mboup, E.H.M., Ndiaye, O., Persichetti, E.: Efficient Implementation of Hybrid Encryption from Coding Theory, pp. 254–264. Springer International Publishing, Cham (2017)
  • [14] Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: Proc. IEEE International Symposium on Information Theory (ISIT 2016). pp. 1366–1370. Barcelona, Spain (Jul 2016)
  • [15] Fabšič, T., Gallo, O., Hromada, V.: Simple power analysis attack on the QC-LDPC McEliece cryptosystem. Tatra Mountains Math. Pub. 67(1), 85–92 (Sep 2016)
  • [16] Fabšič, T., Hromada, V., Stankovski, P., Zajac, P., Guo, Q., Johansson, T.: A reaction attack on the QC-LDPC McEliece cryptosystem. In: Lange, T., Takagi, T. (eds.) Post-Quantum Cryptography: 8th International Workshop, PQCrypto 2017, pp. 51–68. Springer, Utrecht, The Netherlands (Jun 2017)
  • [17] Gaborit, P.: Shorter keys for code based cryptography. In: Proc. Int. Workshop on Coding and Cryptography (WCC 2005). pp. 81–90. Bergen, Norway (Mar 2005)
  • [18] Goppa, V.D.: A new class of linear correcting codes. Probl. Pered. Info. 6(3), 24–30 (1970)
  • [19]

    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proc. 28th Annual ACM Symposium on the Theory of Computing. pp. 212–219. Philadephia, PA (May 1996)

  • [20] Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, LNCS, vol. 10031, pp. 789–815. Springer Berlin Heidelberg (2016)
  • [21] Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017), https://eprint.iacr.org/2017/604
  • [22] Kachigar, G., Tillich, J.P.: Quantum information set decoding algorithms. In: Lange, T., Takagi, T. (eds.) Post-Quantum Cryptography: 8th International Workshop, PQCrypto 2017, pp. 69–89. Springer, Utrecht, The Netherlands (Jun 2017)
  • [23] Lee, P., Brickell, E.: An observation on the security of McEliece’s public-key cryptosystem. In: Advances in Cryptology - EUROCRYPT 88, vol. 330, pp. 275–280. Springer Verlag (1988)
  • [24] Leon, J.: A probabilistic algorithm for computing minimum weights of large error-correcting codes. IEEE Trans. Inf. Theory 34(5), 1354–1359 (Sep 1988)
  • [25] Li, Y.X., Deng, R., Wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (Jan 1994)
  • [26] Löndahl, C., Johansson, T.: A new version of McEliece PKC based on convolutional codes. In: Chim, T.W., Yuen, T.H. (eds.) Proc. ICICS 2012, pp. 461–470. No. 7618 in LNCS, Springer Berlin Heidelberg (2012)
  • [27] May, A., Meurer, A., Thomae, E.: Decoding random linear codes in . In: ASIACRYPT 2011, LNCS, vol. 7073, pp. 107–124. Springer Verlag (2011)
  • [28] McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report pp. 114–116 (1978)
  • [29] Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: New McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory. pp. 2069–2073 (July 2013)
  • [30] Misoczki, R., Barreto, P.S.L.M.: Compact McEliece keys from Goppa codes. In: Selected Areas in Cryptography, LNCS, vol. 5867, pp. 376–392. Springer (2009)
  • [31] Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: Proc. IEEE International Symposium on Information Theory (ISIT 2000). p. 215. Sorrento, Italy (Jun 2000)
  • [32] National Institute of Standards and Technology: Post-quantum crypto project (Dec 2016), http://csrc.nist.gov/groups/ST/post-quantum-crypto/
  • [33] Niebuhr, R., Persichetti, E., Cayrel, P.L., Bulygin, S., Buchmann, J.: On lower bounds for information set decoding over and on the effect of partial knowledge. Int. J. Inf. Coding Theory 4(1), 47–78 (Jan 2017)
  • [34] Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Contr. and Inf. Theory 15, 159–166 (1986)
  • [35] Otmani, A., Tillich, J.P., Dallot, L.: Cryptanalysis of two McEliece cryptosystems based on quasi-cyclic codes. In: Proc. First International Conference on Symbolic Computation and Cryptography (SCC 2008). Beijing, China (Apr 2008)
  • [36] Peters, C.: Information-set decoding for linear codes over . In: Post-Quantum Cryptography, LNCS, vol. 6061, pp. 81–94. Springer Verlag (2010)
  • [37] Prange, E.: The use of information sets in decoding cyclic codes. IRE Transactions on Information Theory 8(5), 5–9 (Sep 1962)
  • [38] Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. Cryptology ePrint Archive, Report 2017/1005 (2017), https://eprint.iacr.org/2017/1005
  • [39] Sendrier, N.: Decoding one out of many. In: Yang, B.Y. (ed.) Post-Quantum Cryptography, LNCS, vol. 7071, pp. 51–67. Springer Verlag (2011)
  • [40] Shooshtari, M.K., Ahmadian-Attari, M., Johansson, T., Aref, M.R.: Cryptanalysis of McEliece cryptosystem variants based on quasi-cyclic low-density parity check codes. IET Information Security 10(4), 194–202 (Jun 2016)
  • [41] Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (Oct 1997)
  • [42] Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory and Applications, LNCS, vol. 388, pp. 106–113. Springer Verlag (1989)
  • [43] de Vries, S.: Achieving 128-bit Security against Quantum Attacks in OpenVPN. Master’s thesis, University of Twente (August 2016), http://essay.utwente.nl/70677/