Post-Quantum Cryptography - Codes

Lecture 1: An Intractable Problem Related to Codes, Decoding

Lecturer: Thomas Debris-Alazard

Introduction

In this course we will consider linear codes, but what are these mathematical objects known as a linear code?
It is a subspace of any n-dimensional space over some finite field. Linear codes were initially introduced
to preserve the quality of information stored on a physical device or transmitted across a noisy channel.
The key principle for achieving such task is extremely simple and natural: adding redundancy. A trivial
illustration is when we try to spell our name over the phone: S like Sophie, T like Terence, E like Emily, ...
In a digital environment the basic idea to mimic our example is as follows, let m be a message of k bits
that we would like to transmit over a noisy channel. Let us begin by fixing a linear code C (a subspace) of
dimension k over Fn2 (the words of n bits). By linearity it is easy to map (and to invert) any k-bits word to
some n-bits codeword. The task consisting in adding n − k bits of redundancy is commonly called encoding.
Once our message m to transmit is encoded into some codeword c, we send it across the noisy channel. The
receiver will therefore get a corrupted codeword c ⊕ e where some bits of c have been flipped. Receiver’s
challenge lies now in recovering c, and thus m, from C and c ⊕ e, a task called decoding. The situation is
described in the following picture.

Sender Encoding Noisy Channel Decoding

m c c⊕e c? m

Error e

A first, but quite simple, realistic and natural modelization for the noisy channel is the so-called binary
symmetric channel: each bit of c is independently flipped with some probability p ∈ [0, 1/2). In such a case,
given a received word y = (y1 , . . . , yn ), the probability that c = (c1 , . . . , cn ) was sent is given by:

P (c was sent | y is received) = pdH (c,y) (1 − p)n−dH (c,y)

def
where dH (c, y) = ♯ {i ∈ J1, nK : ci 6= yi } is known as the Hamming distance between c and y. Using this
probability, it is easily verified that any decoding candidate c ∈ C is even more likely as it is close to the
received message y for the Hamming distance. It explains why “decoding” has historically consisted, given an
input, to find the closest codeword for the Hamming distance (usually called maximum likelihood decoding).
Obviously, the naive procedure enumerating the ♯C = 2k codewords is to avoid. Coding theory aims at
proposing family of codes with an explicit and efficient decoding procedure. Until today two families
were roughly proposed: (i) codes derived from strong algebraic structures like Reed-Solomon codes
[MS86, Chapter 10] and their their natural generalization known as algebraic geometry codes [Gop81],
Goppa codes [MS86, Chapter 12] or (ii) those equipped with a probabilistic decoding algorithm like
convolutional codes [Eli55], LDPC codes [Gal63] or more recently polar codes [Arı09] (which are used in
the 5G). It has been necessary to introduce all these structures because (even after 70 years of research)
decoding a linear code without any “peculiar” structure is an intractable problem, topic of these lecture notes.

1
2

def
Basic notation. The notation x = y means that x is defined to be equal to y. Given a finite set E , we will
denote by ♯E its cardinality. We denote by Fq the finite field with q elements, Fnq will denote its n-dimensional
version for some n ∈ N. Vectors will be written with bold letters (such as e) and upper-case bold letters
are used to denote matrices (such as H). If e is a vector in Fnq , then its components are (e1 , . . . , en ). Let us
stress that vectors are in row notation.

1. Codes: Basic Definitions and Properties

The main objective of this section is to introduce the basic concept of a code and define some of its parameters.
Definition 1 (Linear code, length, dimension, rate, codewords). A linear code C of length n and dimension
k over Fq − for short, an [n, k]q -code − is a subspace of Fnq of dimension k. The rate of C is defined as k/n
and elements of C are called codewords.

Notice that the rate measures the amount of redundancy introduced by the code.
Remark 1. A code is more generally defined as a subset of Fnq . However in these lecture notes we will only
consider linear codes. It may happen that we confuse codes and linear codes but for us a code will always be
linear.
Exercise 1. Give the dimension of the following linear codes:
1. {(f (x1 ), . . . , f (xn )) : f ∈ Fq [X] and deg(f ) < k} where the xi ’s are distinct elements of Fq ,
2. {(u, u + v) : u ∈ U and v ∈ V } where U (resp. V ) is an [n, kU ]q -code (resp. [n, kV ]q -code).
def
Definition 2 (Inner product, dual code). The inner product between x, y ∈ Fnq is defined as x · y =
∑n ∗ def
{ ∗ ∗
}
i=1 xi yi ∈ Fq . The dual of a code C ⊆ Fq is defined as C = c ∈ Fq : ∀c ∈ C, c · c = 0 .
n n

The dual of an [n, k]q -code C is an [n, n − k]q -code. Although dim(C) + dim(C∗ ) = n, it may happen that
C and C∗ are not in direct sum. This is even more remarkable that coding theorists have given a name to
C ∩ C∗ : the hull of C.

Representation of a code. To represent an [n, k]q -code C we may take any basis of it, namely a set of k
linearly independent vectors g1 , . . . , gk ∈ C, and form the matrix G ∈ Fk×n
q whose rows are the gi ’s. Then
C can be written as
{ }
C = mG : m ∈ Fkq .
Conversely, any matrix G ∈ Fk×nq of rank k defines a code with the previous representation. Such matrix G
is usually called a generator matrix of C.
(n−k)×n
Another representation of C is by a so-called parity-check matrix. Let H ∈ Fq be such that its rows
form a basis of C∗ , the linear code C can be written as
{ ⊺ }
C = c ∈ Fnq : Hc = 0 .
(n−k)×n
Conversely, any matrix H ∈ Fq of rank n − k defines an [n, k]q -code with the previous representation.
We call H a parity-check matrix of C.
Notice now by basic linear algebra that for any non-singular matrix S of size k × k (resp. (n − k) × (n − k)),
SG (resp. SH) is still a generator (resp. parity-check) matrix of C. Therefore, left multiplication by an
invertible matrix “does not change the code”, it just gives another basis. This is not the case if we perform
some right multiplication. For instance if P denotes an n × n permutation matrix, then GP will be the
generator matrix of the code C permuted, namely {cP : c ∈ C}.
 3

(n−k)×n
Exercise 2. Let G ∈ Fk×n
q be a generator matrix of some code C. Let H ∈ Fq of rank n − k such
that GH⊺ = 0. Show that H is a parity-check matrix of C.

Among our two representations of a code, a natural question arises: are we able from one representation to
compute the other one? The answer is obviously yes. To see this let G ∈ Fk×n q be a generator matrix of
C. As G has rank k, by a Gaussian elimination we can put it into systematic form, namely to compute a
non-singular matrix S ∈ Fk×k
q such that SG = (1k | A) (up to a permutation of the columns). The matrix
SG is still a generator matrix of C. Now it is readily seen that H = (−A⊺ | 1n−k ) verifies GH⊺ = 0, has
def

rank n − k and therefore is a parity-check matrix of C.

Parity-check matrices may seem unnatural to represent a code when comparing to generator matrices.
However, even if both representations are equivalent, the parity-check representation is in many applications
more relevant (particularly in code-based cryptography). Let us give some illustration.

The Hamming code. Let CHam be the binary code of generator matrix:
 
1 0 0 0 0 1 1
def 0 1 0 0 1 0 1
G =  0

0 1 0 1 1 0
0 0 0 1 1 1 1
This code has length 7 and dimension 4. The following matrix:
 
0 0 0 1 1 1 1
H = 0 1 1 1
def
0 0 1
1 0 1 0 1 0 1
has rank 3 and verifies GH⊺ = 0. It is therefore a parity-check matrix of our code CHam . Notice that H has
a quite nice structure, its columns are the integers from 1 to 7 written in binary.
def
Suppose now that we would like to recover c ∈ CHam from y = c + ei where ei is the vector of all zeros
except a single 1 at the i’th position. It is not clear how to use G to recover c. However note that
Hy⊺ = Hc⊺ + He⊺i = He⊺i which is the i’thm column of H. Therefore the position i of the error is given by
the integer in the binary representation Hy⊺ .
The code CHam is in fact known as the Hamming code of length 7. It belongs to the family of Hamming
codes which are the [2r − 1, 2r − 1 − r]2 -codes built from the r × (2r − 1) parity-check matrix whose i-th
column is the binary representation of i. Hamming codes are the caricatural example of codes that are
better understood with their parity-check matrices. Furthermore we can easily correct one error by using
their parity-check matrix instead of their generator matrix.

Our example has shown the relevance of parity-check matrices to understand a code. In particular, we saw
how Hy⊺ could be a nice source of information when trying to decode y. This is even more remarkable that
we give a name to Hy⊺ .
. The syndrome of y with respect to H is defined as Hy⊺ .
(n−k)×n
Definition 3 (Syndrome). Let H ∈ Fq
Any element of Fn−k
q is called a syndrome.

Syndromes are a natural set of representatives of the code cosets:

Definition 4 (Coset). Let C be a linear code over Fq and a ∈ Fnq . The coset of a (relatively to C) is defined
as
def
C(a) = a + C.
4

(n−k)×n
Notice that any parity-check matrix H ∈ Fq of an [n, k]q -code C has rank n − k. Therefore for any
syndrome s ∈ Fn−k
q , there exists some as ∈ F n
q such that Ha⊺s = s⊺ .

Lemma 1. Let C be an [n, k]q -code of parity-check matrix H. Then for any a, b ∈ Fnq ,
⊺ ⊺
C(a) = C(b) ⇐⇒ Ha = Hb .

Proof. Notice that,

⊺ ⊺ ⊺
Ha = Hb ⇐⇒ H(a − b) = 0
⇐⇒ a − b ∈ C
which concludes the proof. □

Cosets play an important role in the geometry of a code. They partition the space Fnq according to C: they
are the representatives of the “torus” Fnq /C. Notice now that syndromes are a nice set of representatives
of Fnq /C via the isomorphism for some parity-check matrix of C: x ∈ Fnq /C 7→ Hx⊺ ∈ Fqn−k (which is well
defined and one to one by Lemma 1). In particular we can partition Fnq as follows
⊔
Fnq = (as + C )
s∈Fn
q

where as ∈ Fnq is such that Ha⊺s = s⊺ .

Minimum distance. Let us define now an important parameter for a code: its minimum distance. It
measures the quality of a code in terms of “decoding capacity”, namely how many errors has to be added
before a noisy codeword could be confused with another noisy codeword.
The minimum distance of a code relies on the definition of Hamming weight.

Definition 5 (Hamming weight, distance). The Hamming weight of x ∈ Fnq is defined as the number of its
non-zero coordinates,
def
|x| = ♯ {i ∈ J1, nK : xi 6= 0} .
The Hamming distance between x and y is defined as |x − y|.

Remark 2. Notice that the Hamming metric is a coarse metric which can only take n + 1 values. Further-
more, it does not distinguish “small” and “large” coefficients contrary to the Euclidean metric. For instance,
in F311 , vectors (5, 3, 0) and (1, 0, 1) have the same Hamming weight.

In what follows Fnq will always be embedded with the Hamming distance. However one may wonder if other
metrics could be interesting for telecommunication or cryptographic purposes. The answer is yes, we can
cite the Lee or rank metrics but this is out of the scope of these lecture notes.

Definition 6 (Minimum distance). The minimum distance of a linear code C is defined as the shortest
Hamming weight of non-zero codewords,
def
dmin (C) = min {|c| : c ∈ C\{0}} .

Exercise 3. Give the minimum distance of the following codes:

1. {(f (x1 ), . . . , f (xn )) : f ∈ Fq [X] and deg(f ) < k} where the xi ’s are distinct elements of Fq .
2. {(u, u + v) : u ∈ U and v ∈ V } where U (resp. V ) is a code of length n over Fq and minimum
distance dU (resp. dV ).
 5

3. The Hamming code of length 2r − 1.

Hint: A code has minimum distance d if and only if for some parity-check matrix H every (d − 1)-tuple
of columns are linearly independent and there is at least one linearly linked dtuple of columns.

The following elementary lemma asserts that for a code of minimum distance d, if a received word has less
than (d − 1)/2 errors (the error has an Hamming weight smaller than (d − 1)/2), then it can be successfully
decoded: the exhaustive search of the closest codeword will output the “right” codeword. We stress here
that this does not show the existence of an efficient decoding algorithm, which is far from being guaranteed.
Furthermore we will see later that for random codes of minimum distance d, balls centered at codewords and
with radius ≈ d typically do not intersect, showing that decoding can theoretically be done for these codes
up to distance ≈ d and not (d − 1)/2.
Lemma 2. Let C be a code of minimum distance d, then balls of radius d−1 2 centered at codewords are
disjoint, ( ) ( )
d−1 ∩ d−1
∀c, c′ ∈ C, c 6= c′ , B c, B c′ , =∅
2 2
where B(x, r) denotes the ball of radius r and center x for the Hamming distance.
( ) ( )
Proof. Let c, c′ ∈ C be two distinct codewords. Let us assume that there exists x ∈ B c, d−12 ∩ B c′ , d−1
2 .
By using the triangle inequality we obtain
|c − c′ | ≤ |c − x| + |x − c′ |
d−1 d−1
≤ +
2 2
=d−1
which contradicts the fact that C has minimum distance d. □
⊺
Exercise 4. Let H be a parity-check matrix of a code C of minimum distance d. Show that the He ’s are
distinct when |e| ≤ d−1
2 .

Exercise 5. Let C ⊆ Fn2 be a code of minimum distance d and t > n − d2 . Show that there exists at most
one codeword c ∈ C of weight t.

From this lemma we see that a code with a large minimum distance is a “good” code in terms of decoding
ability. However there is another parameter to take into account: the rate. A code of small rate asks
for adding a lot of redundancy when encoding a message to send, thing that we would like to avoid in
telecommunications (where the perfect situation corresponds to not adding any redundancy). Therefore we
would like to find a code with large minimum distance and large rate. As it might be expected these two
considerations are diametrically opposed to each other. There exists many bounds to quantify the relations
between the rate and the minimum distance but this is out of the scope of these lecture notes.
As we will see in lectures notes 2, a “random code” with a constant rate k/n ∈ (0, 1) has a very good
minimum distance, namely d ∼ Cn for some constant C > 0 (known as the relative Gilbert-Varshamov
bound) when n → +∞. However, while we expect a typical code to have a minimum distance linear in its
length given some rate, it is a hard problem to explicitly build linear codes with such minimum distance.

2. The Decoding Problem

Now that linear codes are defined we are ready to present more formally the decoding problem. Below are
presented two equivalent versions of this problem. The first presentation is natural when dealing with noisy
codewords (as we did until now) but we will mostly consider in these lecture notes the second one (with
6

syndromes) which is more suitable for cryptographic purposes. For each problem a code is given as input
but with a generator or parity-check representation.

Problem 1 (Noisy Codeword Decoding). Given G ∈ Fqk×n of rank k, t ∈ J0, nK, y ∈ Fnq where y = c + e
with c = mG for some m ∈ Fkq and |e| = t, find e.

of rank n − k, t ∈ J0, nK, s ∈ Fqn−k where He⊺ = s⊺

(n−k)×n
Problem 2 (Syndrome Decoding). Given H ∈ Fq
with |e| = t, find e.

Remark 3. Solving the decoding problem comes down to solve a linear system but with some non-linear
constraint on the solution (here its Hamming weight). Notice that without such constraint it would be easy
to solve the problem with a Gaussian elimination.

It turns out that these two (worst-case) problems are strictly equivalent, if we are able to solve one of them,
then we can turn our algorithm into another algorithm that solves the other one in the same running time
(up to some small polynomial time overhead).
Suppose that (i) we have an algorithm solving Problem 1 and (ii) we would like to solve Problem 2. To this
aim, let (H, s) be an input of Problem 2. First, as H has rank n − k we can compute a matrix G of rank
k such that GH⊺ = 0. It is equivalent to computing a generator matrix of the code C with parity-check
matrix H. This can be done in polynomial time (over n) by performing a Gaussian elimination. Then, by
solving a linear system (which also can be done in polynomial time) we can find y such that Hy⊺ = s⊺ .
⊺
Notice now that H(y − e) = 0 where He⊺ = s⊺ and |e| = t. Therefore y = c + e for some c ∈ C, namely
c = mG for some m ∈ Fkq . From this we can use our algorithm solving the noisy codeword version of the
decoding problem to recover the error e.

Exercise 6. Show that any solver of Problem 2 can be turned in polynomial time into an algorithm solving
Problem 1.

In what follows we will mainly consider the syndrome version of the decoding problem. Furthermore, we will
call decoding algorithm, any algorithm solving this problem (or its equivalent version with noisy codewords).

A little bit about the decoding problem hardness. Our aim in these lecture notes is to show that
decoding is hard
• in the worst case (NP–complete),
• in average (it will be defined in a precise manner later).
However, even though the decoding problem is hard in the “worst case” and in “average”, let us stress
that there are codes that we know how to decode efficiently (hopefully for telecommunications...). It may
seem counter-intuitive at first glance: is the decoding problem hard or not? All the subtlety lies in the
inputs that are given. Is the code given as input particular? How is the decoding distance t (for instance
with t = 1 we have an easy problem)? In fact the hardness of the decoding problem relies on how we
answer to these questions. There exists some codes and decoding distances for which the problem is easy to
solve. The NP–completeness shows that we cannot hope to solve the decoding problem in polynomial time
for all inputs while the average hardness ensures (for well chosen t) that for almost all code the problem
is intractable. Our aim in what follows is to show this. But we will first exhibit a family of codes with
associate decoding distances t for which decoding is easy. The existence of such codes is at the foundation
of code-based cryptography.
 7

Codes that we know to decode: Reed-Solomon codes. The family of ReedSolomon codes is of central
interest in coding theory: many algebraic constructions of codes that we know how to decode efficiently such
as BCH codes [MS86, Chapter 3], Goppa codes [MS86, Chapter 12] derive from this family. Reed-Solomon
codes are practically used for instance in compact discs, DVDs, BluRays, QR codes etc... They also play an
important role in code-based cryptography as we will see in lecture notes 4.

Definition 7 (Generalized Reed-Solomon Codes). Let z ∈ (F⋆q )n and x be an n-tuple of pairwise distinct
elements of Fq (in particular n ≤ q) and let k ≤ n. The code GRSk (x, z) is defined as
def
GRSk (x, z) = {(z1 f (x1 ), . . . , zn f (xn )) : f ∈ Fq [X] and deg(f ) < k} .

Generalized ReedSolomon codes GRSk (x, z) are [n, k]q -codes with many remarkable properties. Among
def
others, they are said “MDS”, i.e. their minimum distance equals d = n − k + 1 and there exists an efficient
decoding algorithm to correct any pattern of b d−1
2 c errors as we will see below. However, a major drawback
of Generalized Reed-Solomon codes is that their length is upper-bounded by the size of the alphabet Fq .

Exercise 7. Show that GRSk (x, z)∗ = GRSn−k (x, z′ ) where zi′ = zi ∏ 1(xi −xj ) . Deduce that GRSk (x, z) has
j̸=i
a parity-check matrix of the following form:
 
1 1 ··· 1  ′ 
z1 0
 x ··· 
 1 x2 xn   z2′ 
def   
(1) H =  x21 x22 ··· x2n   .. 
  . 
 ... ... ... ... 
′
xn−k−1 xn−k−1 · · · xn−k−1 0 zn
1 2 n

Furthermore, show that GRSk (x, z) has minimum distance n − k + 1.

Decoding Generalized Reed-Solomon codes at distance ≤ b n−k 2 c. Suppose that GRSk (x, z) is given
as input, namely that the xi ’s and zi ’s are known (or equivalently H given in Equation (1.1)). Let y be a
noisy codeword that we would like to decode:
def
y = c+e
where c = (z1 f (x1 ), · · · , zn f (xn )) ∈ GRSk (x, z) with f ∈ Fq [X] such that deg(f ) < k and e ∈ Fnq be an
error of Hamming weight t ≤ b n−k 2 c. Let us suppose without loss of generality that z1 = · · · = zn = 1 (for
the general case multiply each coordinate of y by zi−1 which does not change the weight of the error term).
Our aim is to recover f (or equivalently e). Let us introduce the following (unknown) polynomial:
def
∏
E(X) = (X − xi ).
i:ei ̸=0

Notice that deg(E) = t. The key ingredient of the decoding algorithm is the following fact

Fact 1.
(2) ∀i ∈ J1, nK, yi E(xi ) = f (xi )E(xi ).

Coordinates yi and xi are known while f and E are unknown. System (1.2) is not linear and the basic idea
to decode is to linearize it (to bring us to a pleasant case). Let,
def
N = Ef
Equation (1.2) can be rewritten as:
(3) ∀i ∈ J1, nK, yi E(xi ) = N (xi )
8

where coefficients of the polynomial N ∈ Fq [X] of degree < k + t and E ∈ Fq [X] of degree t are unknowns.
This system has a non-trivial solution: (E, Ef ) but it may have many other solutions. The following lemma
asserts that any other non-trivial solution enables to recover f .

Lemma 3. Let E1 , E2 ∈ Fq [X] of degree ≤ b n−k 2 c and N1 , N2 ∈ Fq [X] of degree < k + d 2 e such that
n−k

(E1 , N1 ) and (E2 , N2 ) are non-zero and solutions of Equation (1.3). Then,
N1 N2
= = f.
E1 E2

Proof. First, if Ei = 0 then Ni has n roots by Equation (1.3) while its degree is smaller than n. Therefore
def
we get that Ei 6= 0 as (Ei , Ni ) is non-zero. Let R = N1 E2 − N2 E1 , we have
⌊ ⌋ ⌈ ⌉
n−k n−k
deg(R) < k + + ≤ n.
2 2
By using now that (E1 , N1 ) and (E2 , N2 ) are solutions of Equation (1.3) we obtain for all i ∈ J1, nK,
R(xi ) = N1 (xi )E2 (xi ) − N2 (xi )E1 (xi )
= yi E1 (xi )E2 (xi ) − yi E2 (xi )E1 (xi )
=0
N1 N2
Therefore R has n roots while its degree is smaller than n. It shows that R = 0 and E1 = E2 . It concludes
the proof as (E, Ef ) is also a non-zero solution of Equation (1.3). □

The algorithm we just described to decode a generalized Reed-Solomon code up to the distance b n−k
2 c is
known as the Berlekamp-Welch algorithm.

2.1. Worst Case Hardness. The aim of this subsection is to show that the decoding problem is hard in the
worst case, namely NP–complete. We have to be careful with this kind of statement. First, NP–completeness
is designed for decisional problems: “is there a solution given some input?”. Furthermore, we need to be
very cautious with inputs that are being fed to our problem. The NP–completeness “only” shows (under the
assumption P 6= NP) that we cannot hope to have an algorithm solving our problem in polynomial time for
all inputs. The set of possible inputs is therefore important, it may happen that a problem is easy to solve
when its inputs are drawn from a set A while it becomes hard (NP–complete) when its inputs are taken from
some set B ⊋ A. This remark has to be carefully taken into consideration when using the NP–completeness
in cryptography as a safety guaranty. It is quite possible that the security of a cryptosystem relies on the
difficulty to solve an NP–complete problem but at the same time breaking the scheme amounts to solve the
problem on a subset of inputs for which it is easy. To summarize, the NP–completeness of a problem for a
cryptographic use is a nice property but it is not the panacea to ensure its hardness.
The foregoing discussion has shown that we have to rephrase the decoding problem as a decisional problem.
Furthermore, it will be important to have a careful look on the set of inputs.

Problem 3 (Decisional Decoding Problem).

(n−k)×n
• Input: H ∈ Fq , s ∈ Fn−k
q where n, k ∈ N with k ≤ n and an integer t ≤ n.
• Decision: it exists e ∈ Fnq of Hamming weight t such He⊺ = s⊺ .

Proposition 1 ([BMvT78]). Problem 3 for q = 2 is NP–complete.

The proof of this proposition relies on a reduction of the following combinatorial decision problem, which is
known to be NP–complete.
 9

Problem 4 (Three Dimensional Matching (3DM)).

• Input: a subset U ⊆ T × T × T where T is a finite set.
• Decision: it exists V ⊆ U such that ♯V = ♯T and for all (x1 , y1 , z1 ), (x2 , y2 , z2 ) ∈ V we have
x1 6= x2 , y1 6= y2 et z1 6= z2 .

The formalism of this problem may seem at first sight to be far away from the decoding problem. However
we can restate it with incidence matrices. We proceed as follows: first we take each first coordinate of
elements that belong to U , then we build an incidence matrix relatively to T of size ♯T × ♯U and similarly
for the two remaining coordinates. After that we vertically concatenate our three matrices. Therefore we
get in polynomial time a matrix of size 3♯T × ♯U , that we will call a 3DM-incidence matrix. But now, as
shown in the following lemma, we have a solution to the 3DM-problem associated to U and T if and only if
there are ♯T columns that sum up to the all one vector (which corresponds to our decoding problem). But
let us first give an example to illustrate this discussion.
Example 1. Let T = {1, 2, 3} and U = {u1 , u2 , u3 , u4 , u5 } such that:
u1 = (1, 1, 2), u2 = (2, 3, 1), u3 = (1, 2, 3)
u4 = (3, 1, 2) and u5 = (2, 2, 2).
The 3DM-incidence matrix associated to these sets is given by:
112 231 123 312 222
1 1 0 1 0 0
2 0 1 0 0 1
3 0 0 0 1 0

1 1 0 0 1 0
2 0 0 1 0 1
3 0 1 0 0 0

1 0 1 0 0 0
2 1 0 0 1 1
3 0 0 1 0 0
We obtain the all one vector by summing columns 2, 3 and 4. Therefore, V = {u2 , u3 , u4 } is a solution.
Lemma 4. Let T and U ⊆ T × T × T be an instance of 3DM and let H3DM ∈ F23 ♯T ×♯U be the associated
incidence matrix. We have
⊺ ⊺
There is a solution for the instance T, U ⇐⇒ ∃e ∈ F♯U
2 : |e| = ♯T and H3DM e = 1 (all one vector).

Proof. By definition, columns of H3DM have length 3♯T and Hamming weight 3. Therefore, ♯T columns sum
up to the all one vector if and only if their supports are pairwise distinct. □

We are now ready to prove Proposition 1.

Proof of Proposition 1. Let T, U be an instance of the three dimensional matching problem. We can build
in polynomial time the matrix H3DM . Now, by Lemma 4, there is a solution for T and U if and only if there
def
is a solution of the decoding problem for the input (H3DM , 1) and t = ♯T . □

We have just proven that decoding is an NP–complete problem but when is given as input a binary matrix
and a decoding distance. In other words, we cannot reasonably hope to find a polynomial time algorithm
to solve the decoding problem for all codes over F2 and for all decoding distances. But can we find a proof
10

that fits with a restricted set of inputs? The answer is yes. Below is presented an incomplete list of some
improvements. The decoding problem is still NP–complete if we restrict:
• the decoding distance at t = n/ log2 n [Fin09] or t = Cn for any constant C ∈ (0, 1) [Deb19].
• the input codes are restricted to Reed-Solomon codes [GV05]
• etc...
There are many other NP–complete problems related to codes. For instance, computing the minimum
distance of a code [Var97] or some codewords of weight w [BMvT78] are NP–complete.

2.2. Average Case Hardness. The decoding worst-case hardness makes it a suitable problem for
cryptographic applications. However we have to be careful when dealing with the decoding problem in
this context. Recall that the aim of any cryptosystem is to base its security on the “hardness” of solving
some problem. However to study and to ensure the hardness (thus the security) it would be preferable
first to define the problem exactly as it is stated when wanting to break the crypto-system. It leads
us to the following question: “how the decoding problem is used in cryptography?”. To answer this
question let us briefly present the McEliece public key encryption scheme [McE78] that was introduced just
few months after RSA. This scheme will motivate our definition of the “cryptographic” decoding in Problem 5.

McEliece encryption scheme. McEliece’s idea to build a public key encryption scheme based on codes
is as follows: Alice, the secret key owner, has a code C that she can efficiently decode up to some distance
t (some “quantity” that enables to decode is the secret). Alice publicly reveals a parity-check matrix of her
code, let us say H, as well as its associated decoding distance t. For obvious security reasons Alice does not
want H to reveal any information on how she decodes C. In that case, the perfect situation corresponds to a
matrix H which is uniformly distributed. Now Bob wants to send a message m to Alice. First he associates
with a public one to one mapping (in a sense to define) his message m to some vector e of Hamming weight
t. Then he computes He⊺ and sends it to Alice. Once again, for obvious security reasons, Bob does not
want e to share any information with m that could be used when observing He⊺ . The perfect situation
corresponds to a mapping such that e is uniformly distributed over words of Hamming weight t. Now Alice
who got He⊺ recovers e and m thanks to her decoding algorithm.
One may wonder why Bob has associated its message to some word of weight t and not ≤ t as Alice can
decode up to the distance t. The reason is that any malicious person looking at the discussion between Alice
and Bob observes He⊺ and to recover the message she/he has to find e. However, decoding is harder if |e|
is larger. Therefore it is preferable if e has a Hamming weight as large as possible, thus t.
Remark 4. McEliece encryption scheme relies on the use of generator matrices. We have actually presented
Niederreiter encryption scheme [Nie86]. The security of both schemes is the same. The only differences are
in term of efficiency, depending of the context.
Exercise 8. Describe how the encryption scheme works with generator matrices.

We are now ready to define the (average) decoding problem for cryptographic applications. In what follows
q will denote a fixed field size while R(n) and τ (n) will be functions taking their values in (0, 1). To simplify
notation, since n is clear here from the context, we will drop the dependency in n and simply write R and τ .
def def
Problem 5 (Decoding Problem - DP(n, q, R, τ )). Let k = bRnc and t = bτ nc.

• Input: (H, s = xH⊺ ) where H (resp. x) is uniformly distributed over Fq

def (n−k)×n
(resp. words of
Hamming weight t in Fnq ).
• Output: an error e ∈ Fnq of Hamming weight t such that eH⊺ = s.
 11

Remark 5. This problem really corresponds to decode a code of rate R and parity-check matrix H. We call
such a code a random code as its parity-check matrix is uniformly distributed (for more details see lecture
notes 2).

Remark 6. In our definition of DP, we ask given a code and a syndrome obtained via a vector x of weight
t, to find a vector e with the same weight that reaches the syndrome. In particular, we do not ask to recover
x. It may seem confusing when looking at the original definition of decoding problem in telecommunications
where it is requested to recover exactly x and thus the message that was sent. But such definition imposes
some constraints over t, for instance t smaller than the minimum distance of the code out of 2, which
ensures the uniqueness of the solution (see Lemma 2). However, in cryptography our constraints are not the
same. Sometimes we ask DP to have a unique solution given some instance (like in encryption schemes),
sometimes not (like in signatures). When thinking about the decoding problem in cryptography we have to
forget the “telecommunication context”. For now, our concern is the hardness of DP, whatever is the choice
of t, whatever is the number of solutions. We will further discuss this (important) remark in lecture notes 2
. As we will see, all the subtlety lies in the choice of t.

We could have defined DP without any distribution on its inputs. However we are interested in the algorithmic
hardness of this problem in the following way. Let us assume that we have a probabilistic algorithm A that
solves (sometimes) the decoding problem at distance t. Furthermore, let us suppose that a single run of
this algorithm costs a time T . Inputs of A are a parity-check matrix H and a syndrome s. We denote by
w ∈ {0, 1}ℓ the internal coins of A which tries to output some e of weight t that reaches the syndrome s
with respect to H. We are interested in its probability of success:
( ⊺ ⊺ )
ε = PH,x,w A (H, s = xH , w) = e s.t |e| = t and eH = s
where the probability is computed over the internal coins of A and H (resp. x) being uniformly distributed
(n−k)×n
over Fq (resp. words of Hamming weight t in Fnq ). This leads us to say that A solves the decoding
problem in average time
T /ε.
In lecture notes 3 we will study algorithms solving this problem and in each case their complexity will be
written as some T /ε.

Remark 7. We have spoken of “average time complexity”, it comes from the fact that ε is the average
success probability of A over all its possible inputs. By using the law of total probability it can be verified
that:
1 ∑ ( ⊺ ⊺ )
ε = (n−k)n ( n) Pw A (H, s = xH , w) = e s.t |e| = t and eH = s
q (q − 1) t
t
(n−k)×n
H∈Fq
|x|=t
( ( ⊺ ⊺ ))
= EH,x Pw A (H, s = xH , w) = e s.t |e| = t and eH = s
In particular we are interested in the probability to solve the decoding problem in average over all [n, k]q -codes.

DP is a problem parametrized by n and two functions of n: R and τ . In the overwhelming majority of

cryptographic applications the rate R ∈ (0, 1) is chosen as a constant. But it may be also interesting to
consider the case where R −→ 0. Actually this regime of parameters is basically the LPN problem that
n→+∞
will be discussed at the end of this subsection. Considering now the other parameter τ , that we will call the
relative decoding distance, many choices can be made but this greatly varies the difficulty DP. For instance,
when τ = O(log n/n), there is at most a polynomial number of errors of weight τ n and a simple enumeration
is enough to solve DP in polynomial time (over n). But surprisingly there are also many other non-trivial
12

regimes of parameters for which DP can be solved in polynomial[ time. We will see in lecture notes
] 3 that
DP(n, q, R, τ ) can be solved in polynomial time as soon as τ ∈ (1 − R) q−1
q , R + (1 − R) q−1
q . However,
despite many efforts, the best algorithms to solve DP (even after 70 years of research) are all exponential
in τ n for other relative distances τ , namely T /ε = 2nτ (α(q,R,τ )+o(1)) for some function α(q, R, τ ) which
n→+∞
depends of the used algorithm A , q, R and τ . Situation is depicted in Figure 1.1.

Hard Easy Hard

τ
0 (1 − R) q−1
q R + (1 − R) q−1
q 1

Figure 1. Hardness of DP(n, q, R, τ ) as function of τ .

DP(n, q, R, τ ) is hard in average but for well chosen relative distances τ . Therefore anyone who wants to
design a crypto-system whose security relies on the hardness of solving DP has to carefully choose τ (in
most cases the choice is constrained by the design itself). We list below some choices that have been made
according to the designed (asymmetric) primitive:
( )
• McEliece encryption [McE78]: τ = Θ log1 n ,
( )
• Encryption schemes [Ale03, MTSB13, AAB+ 17]: τ = Θ √1n ,
• Authentication protocol [Ste93]: τ = C for some constant C quite small,
• Signature [DST19]: τ = C for some constant C large, C ≈ 0.95.

The Learning Parity with Noise Problem. In the cryptographic literature, a problem closely related
to DP and referred to as Learning Parity with Noise (LPN) is sometimes considered. It is a problem where
is given as input an oracle that is function of some secret quantity. The aim is then to recover this secret
but with as many samples as wanted (outputs of the oracle).
Definition 8 (LPN-oracle). Let k ∈ N, τ ∈ [0, 1/2) and s ∈ Fk2 . We define the LPN(k, τ )-oracle Os,τ LPN
as
follows: on a call it outputs (a, hs, ai + e) where a ← F2 is uniformly distributed and e being distributed
k

according to a Bernoulli of parameter τ .

Problem 6 (Learning with Parity Noise Problem - LPN(k, τ )).
• Input: Os,τ
LPN
be an LPN(k, τ )-oracle parametrized by s ∈ Fk2 which has been chosen uniformly at
random.
• Output: s.

Let us stress that anyone who wants to solve this problem can ask as many samples (outputs of Os,τ LPN
) as he
wants. However, each call to the oracle costs one. All the game consists in finding efficient algorithms that
solves LPN(k, τ ) with as few queries as possible. Notice that the difficulty greatly varies with τ . The noise
parameter τ deeply affects the gain of information on s that we obtain with each sample.
When τ = 0, it is necessary to make at least k queries and then to solve a square linear system which has
a complexity roughly given by k 3 . On the other hand, when τ ∈ (0, 1) is some constant, best algorithms
[BKW03] have a sub-exponential time complexity 2O(k/ log2 k) and for them the number of queries is roughly
the running time.

LPN: a special case of DP. It turns out that solving LPN(k, τ ) with n samples basically corresponds to
solving DP(n, 2, R, τ ) where R = k/n. Therefore, as the number of samples n is a priori unlimited, LPN
really amounts to solve DP where the rate can be chosen arbitrarily close to 0.
 13

Suppose that an algorithm asks for n samples to solve LPN(k, τ ), here Os,τ
LPN
outputs the sequence:

s · a1 + e1 , . . . , s · an + en .
def
These n samples can be rewritten as sG + e where columns of G ∈ Fk×n 2 are the ai ’s and e = (e1 , . . . , en ).
Now notice that E(|e|) = τ n as each ei is a Bernoulli distribution of parameter τ . The algorithm that
( recovers )
s and thus e decodes at distance |e| the code of generator matrix G. It corresponds to solve DP n, q, nk , |e|
n

such that GH⊺ = 0 and the syndrome eH⊺ .

(n−k)×n
where is given as input a matrix H ∈ Fq

Remark 8. DPcould have been presented directly with generator matrix representation. For more details
see lecture notes 2, in particular Exercise 1.

2.3. Search to Decision Reduction. It is common in cryptography to consider for a same problem two
variants: search or decision/distinguish. Roughly speaking, for some one-way function f (easy to compute
but hard to invert) we ask in the search version given f (x) to recover x while in the decision version we ask
to distinguish between f (x) and a uniform string. Obviously, the decision version is easier and therefore to
rely a cryptosystem security on the hardness of some decision problem instead of its search counterpart is a
strongest assumption to make. It turns out that Diffie-Hellman [DH76] or El Gamal [ElG84] primitives rely
on this kind of assumption. But as we will see in this subsection, constructions based on codes do not suffer
from this flaw, it has been shown in [FS96], through a reduction that the decision and search versions of the
decoding problem are equivalent. The interesting direction has been to show that if there is an algorithm
solving the decision version, then there is an algorithm that solves (in essentially the same time) the search
part. We call such a result a search-to-decision reduction.
However it may be tempting to say that obtaining a search-to-decision reduction for the decoding
problem is “only interesting” but not crucial for any security guarantee. This is not true and to
see this let us present Alekhnovich scheme [Ale03], which is after McEliece scheme the second way of
building encryption schemes based on codes and the decoding problem (fore more details see lecture notes 4).

Alekhnovich encryption scheme. By contrast with McEliece’s idea, Alekhnovich did not seek to build
a public key encryption scheme based on the use of a decoding algorithm as a secret key. He proposed to
start from a code C of length n for which we do not necessarily have an efficient decoding algorithm. The
public key in Alekhnovich scheme is defined as (C, c + e) where c ∈ C and |e|  n while the secret key is e.
Now if someone wants to encrypt some bit b ∈ {0, 1} into Enc(b) he proceeds as follows:
def
• Enc(1) = u where u is a uniform vector,
def
• Enc(0) = c∗ + e′ where |e′ |  n and c∗ belongs to the dual of the code spanned by C and c + e.
Now to decrypt we just compute the inner product Enc(b) · e. The correction of this procedure relies on the
fact that
e · Enc(0) = e · (c∗ + e′ ) = e · e′ ,
where in the last equality we used that e belongs to the code spanned by C and c + e while c∗ is in its dual.
But now, with a high probability, e · e′ = 0 as both vectors have a very small hamming weight ( n). On
the other hand, e · Enc(1) = e · u will be a uniform bit. Therefore, to securely send a bit b, it is enough to
repeat this procedure a small amount of times and to choose the most likely input according to the most
probable outcome.
Notice now that a natural strategy for an adversary to decrypt is to distinguish between Enc(1) and Enc(0),
namely a uniform string and a noisy codeword. Therefore the security of Alekhnovich scheme critically
14

relies on the decision/distinguish version of the decoding problem.

Our aim now is to show how to obtain a search-to-decision reduction for the decoding problem. However
to explain how to get this result, let us come back to the viewpoint with one-way functions. Let A be an
algorithm that can distinguish between a random string u and f (x) be some one-way function f . Given
f (x0 ) we would like to use A to glean some information about x0 . A natural idea is to disturb a little bit
f (x0 ) and to feed A with it with the hope, when looking at its answer, to gain some information on x0 after
repeating a small amount of times the operation. Here the key is the meaning of “information”, we have
to be careful about this. For instance, does it make sense to have a direct proposition like: if given A and
f (x0 ) we can deduce a bit of x0 then we are able to invert f ? In fact not. Given f , the following function
g(b, x) = (b, f (x)) is also a one-way function but its first input bit is always revealed. In other words, to hope
to be able to invert f , we need to obtain another information than obtaining directly an input bit from A ,
but which information? A first answer to this question has been given in [Gol01, Proposition 2.5.4]. Roughly
speaking, it has been proven that if someone can extract from f (x) and a uniform string r the value x · r,
then one can invert f .

Proposition 2 ([GL89, Gol01]). Let f : {0, 1}∗ → {0, 1}∗ , A be a probabilistic algorithm running in time
T (n) and ε(n) ∈ (0, 1) be such that
1
P (A (f (xn ), rn ) = xn · rn ) =+ ε(n)
2
where the probability is computed over the internal coins of A , xn and rn that are uniformly distributed over
def ( )
{0, 1}n . Let ℓ(n) = log(1/ε(n)). Then, it exists an algorithm A ′ running in time O n2 ℓ(n)3 T (n) that
satisfies
( )
P (A ′ (f (xn ) = xn )) = Ω ε(n)2
where the probability is computed over the internal coins of A ′ and xn .

Proof. A nice proof of this proposition can be found here https://www.math.u-bordeaux.fr/~gzemor/

alekhnovich.pdf □

Remark 9. Interestingly, the proof of this proposition relies on the use of linear codes (and their associated
decoding algorithm) that are some Reed-Muller like codes of order one [MS86, Chapitre 13].

This proposition will be at the core of the search-to-decision reduction of the decoding problem. Let us start
by the formal definition of the decision decoding problem.
def def
Problem 7 (Decision Decoding Problem - DDP(n, q, R, τ )). Let k = bRnc and t = bτ nc.
• Distributions:
(n−k)×n
– D0 : (H, s) be uniformly distributed over Fq × Fn−k
q ,
– D1 : (H, xH⊺ ) where H (resp. x) being uniformly distributed over Fq
(n−k)×n
(resp. words of
Hamming weight t).
• Input: (H, s) distributed according to Db where b ∈ {0, 1} is uniform,
• Decision: b′ ∈ {0, 1}.

A first, but trivial, way to solve DDP would be to output a random bit b′ . It would give the right solution
with probability 1/2 which is not very interesting. The efficiency of an algorithm solving this problem is
measured by the difference between its probability of success and 1/2. This quantity is the right one to
consider and is defined as the advantage.
 15

Definition 9. The DDP(n, q, R, τ )-advantage of an algorithm A is defined as:

def 1
(4) Adv DDP(n,q,R,τ ) (A ) = (P (A (H, s) = 1 | b = 1) − P (A (H, s) = 1 | b = 0))
2
where the probabilities are computed over the internal randomness of A , a uniform b ∈ {0, 1} and inputs be
distributed according to Db which is defined in DDP(n, q, R, τ ) (Problem 7).

For the sake of simplicity we will omit the dependence in the parameters (n, q, R, τ ).
Exercise 9. Prove that when (H, s) is distributed according to Db (for a fixed b ∈ {0, 1}) we have:
1
P (A (H, s) = b) = + Adv DDP (A ).
2
Our aim now is to prove the following theorem which shows how an algorithm solving DDP can be turned
into an algorithm solving DP. More precisely, we will show how to turn A with advantage Adv DDP (A ) into
an algorithm that computes x · r with probability 1/2 + Adv DDP (A ) given as input xH⊺ and r. To conclude
it will simply remain to apply Proposition 2.
Theorem 1. Let A be a probabilistic algorithm running in time T (n) whose DDP(n, 2, R, τ )-advantage is
def
given by ε(n) and let ℓ(n) = log(1/ε(n)). Then it exists an algorithm A ′ that solves DDP(n, 2, R, τ ) in time
O(n2 ℓ(n)3 )T (n) and with probability Ω(ε(n)2 ).
Remark 10. Theorem 1 is stated for binary codes. However it can be extended to q-ary codes by using a
generalization of Proposition 2 proved in [GRS00].

Proof of Theorem 1. Let (H, s = xH⊺ ) be an instance of DP(n, q, R, τ ). In what follows, A ′ is an algorithm
def

such that on input (H, xH⊺ , r) it outputs x · r with probability 1/2 + ε. To end the proof it will be enough
to apply Proposition 2.
Algorithm A ′ :
(n−k)×n
Input : (H, s) ∈ F2 × Fn−k
2 and r ∈ Fn2 ,
1. u ∈ Fn−k
2 be uniformly distributed
2. H′ = H − u⊺ r
def

def
3. b = A (H′ , s)
Output : b
The matrix H is uniformly distributed by definition, therefore H′ is also uniformly distributed. Notice now,
⊺ ⊺
s = xH = xH′ + (x · r) u.
Let,
⊺
s′ = xH′ + u.
def

It is readily verified that s′ is uniformly distributed. Therefore, according to b = x · r ∈ {0, 1}, we obtain
distributions of DDP. The probability that A ′ outputs x · r is given by:
⊺ 1 ( ⊺ ) 1 ( ⊺ )
(5) P(A ′ (H, xH , r) = x · r) = P A ′ (H, xH , r) = 0 | r · x = 0 + P A ′ (H, xH , r) = 1 | r · x = 1
2 2
1( ( ′ ′⊺
)
′ ′
)
= P A (H , xH ) = 0 + P (A (H , s ) = 1)
2
1 1( ( ⊺
))
= + P (A (H′ , s′ ) = 1) − P A (H′ , xH′ ) = 1
2 2
1
(6) = +ε
2
16

where we used in (1.5) the fact that r is uniformly distributed and in (1.6) the DDP-advantage definition. □

References
[AAB+ 17] Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loïc Bidoux, Olivier Blazy, Jean-Christophe Deneuville,
Philippe Gaborit, Edoardo Persichetti, and Gilles Zémor. HQC, November 2017. NIST Round 1 submission for
Post-Quantum Cryptography.
[Ale03] Alekhnovich, Michael. More on Average Case vs Approximation Complexity. In 44th Symposium on Foundations of
Computer Science (FOCS 2003), 11-14 October 2003, Cambridge, MA, USA, Proceedings, pages 298–307. IEEE
Computer Society, 2003.
[Arı09] Erdal Arıkan. Channel polarization: a method for constructing capacity-achieving codes for symmetric binary-input
memoryless channels. IEEE Trans. Inform. Theory, 55(7):3051–3073, 2009.
[BKW03] Avrim Blum, Adam Kalai, and Hal Wasserman. Noise-tolerant learning, the parity problem, and the statistical query
model. Journal of the ACM (JACM), 50(4):506–519, 2003.
[BMvT78] Elwyn Berlekamp, Robert McEliece, and Henk van Tilborg. On the inherent intractability of certain coding problems.
IEEE Trans. Inform. Theory, 24(3):384–386, May 1978.
[Deb19] Thomas Debris-Alazard. Cryptographie fondée sur les codes : nouvelles approches pour constructions et preuves ;
contribution en cryptanalyse. (Code-based Cryptography: New Approaches for Design and Proof ; Contribution to
Cryptanalysis). PhD thesis, Pierre and Marie Curie University, Paris, France, 2019.
[DH76] Whitfield Diffie and Martin Hellman. New directions in cryptography. IEEE transactions on Information Theory,
22(6):644–654, 1976.
[DST19] Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich. Wave: A new family of trapdoor one-way preim-
age sampleable functions based on codes. In Advances in Cryptology - ASIACRYPT 2019, LNCS, Kobe, Japan,
December 2019. Springer.
[ElG84] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. 1984.
[Eli55] Peter Elias. oding for noisy channels. IRE conv. Rec., 3:37, 1955.
[Fin09] Matthieu Finiasz. NP-completeness of certain sub-classes of the syndrome decoding problem, 2009. arXiv:0912.0453.
[FS96] Jean-Bernard Fischer and Jacques Stern. An efficient pseudo-random generator provably as secure as syndrome
decoding. In Ueli Maurer, editor, Advances in Cryptology - EUROCRYPT’96, volume 1070 of LNCS, pages 245–
255. Springer, 1996.
[Gal63] Robert G. Gallager. Low Density Parity Check Codes. M.I.T. Press, Cambridge, Massachusetts, 1963.
[GL89] Oded Goldreich and Leonid A Levin. A hard-core predicate for all one-way functions. In Proceedings of the twenty-
first annual ACM symposium on Theory of computing, pages 25–32. ACM, 1989.
[Gol01] Oded Goldreich. The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press,
2001.
[Gop81] Valerii D. Goppa. Codes on algebraic curves. Dokl. Akad. Nauk SSSR, 259(6):1289–1290, 1981. In Russian.
[GRS00] Oded Goldreich, Ronitt Rubinfeld, and Madhu Sudan. Learning polynomials with queries: The highly noisy case.
SIAM J. Discrete Math., 13(4):535–570, 2000.
[GV05] Venkatesan Guruswami and Alexander Vardy. Maximum-likelihood decoding of reed-solomon codes is np-hard. IEEE
Trans. Inf. Theory, 51(7):2249–2256, 2005.
[McE78] Robert J. McEliece. A Public-Key System Based on Algebraic Coding Theory, pages 114–116. Jet Propulsion Lab,
1978. DSN Progress Report 44.
[MS86] Florence J. MacWilliams and Neil J. A. Sloane. The Theory of Error-Correcting Codes. North–Holland, Amsterdam,
fifth edition, 1986.
[MTSB13] Rafael Misoczki, Jean-Pierre Tillich, Nicolas Sendrier, and Paulo S. L. M. Barreto. MDPC-McEliece: New McEliece
variants from moderate density parity-check codes. In Proc. IEEE Int. Symposium Inf. Theory - ISIT, pages 2069–
2073, 2013.
[Nie86] Harald Niederreiter. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information
Theory, 15(2):159–166, 1986.
[Ste93] Jacques Stern. A new identification scheme based on syndrome decoding. In D.R. Stinson, editor, Advances in
Cryptology - CRYPTO’93, volume 773 of LNCS, pages 13–21. Springer, 1993.
[Var97] Alexander Vardy. The intractability of computing the minimum distance of a code. IEEE Trans. Inform. Theory,
43(6):1757–1766, November 1997.