Simplified High-Speed High-Distance List Decoding for Alternant Codes

Bernstein, Daniel J.

doi:10.1007/978-3-642-25405-5_13

Cited by 11 publications

(25 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally the part of this work which, beyond Hensel's lemma, addresses Coppersmith's technique, might have, up to slight modifications, some use in applications of the latter, for instance the list decoding algorithm for CRT-type codes, see [2,6], or for RS-codes already pointed out in Section 1.…”

Section: Discussionmentioning

confidence: 97%

Formally Verified Certificate Checkers for Hardest-to-Round Computation

et al. 2014

View full text Add to dashboard Cite

In order to derive efficient and robust floating-point implementations of a given function f , it is crucial to compute its hardest-to-round points, i.e. the floating-point numbers x such that f (x) is closest to the midpoint of two consecutive floating-point numbers. Depending on the floating-point format one is aiming at, this can be highly computationally intensive. In this paper, we show how certificates based on Hensel's lemma can be added to an algorithm using lattice basis reduction so that the result of a computation can be formally checked in the Coq proof assistant.

show abstract

Section: Discussionmentioning

confidence: 97%

Formally Verified Certificate Checkers for Hardest-to-Round Computation

et al. 2014

View full text Add to dashboard Cite

show abstract

“…First, as mentioned in Section 1, combinatorial list-decoding algorithms decode more errors, adding security for the same key size, by guessing a few error positions; in this case most decoding attempts fail (as in Section 7), and the analysis in [52] suggests that this makes Berlekamp's method faster than Patterson's method. Second, Berlekamp's method generalizes to algebraic list-decoding algorithms more easily than Patterson's method; see, e.g., [12]. Third, Berlekamp's method is of interest in a wider range of applications.…”

Section: A Complete Code-based Cryptosystemmentioning

confidence: 99%

“…We then find all roots of this polynomial and output the set of corresponding support positions as the signature. We split the root-finding problem into 256 separate 2 12 -point evaluation problems, again allowing fast constant-time bitsliced arithmetic for a single signature.…”

Section: New Speed Records For Cfs Signaturesmentioning

confidence: 99%

McBits: Fast Constant-Time Code-Based Cryptography

Bernstein

Chou

Schwabe

2013

Cryptographic Hardware and Embedded Systems - CHES 2013

Self Cite

View full text Add to dashboard Cite

Abstract. This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks. For example, at a 2 128 security level, this paper achieves a reciprocal decryption throughput of just 60493 cycles (plus cipher cost etc.) on a single Ivy Bridge core. These algorithms rely on an additive FFT for fast root computation, a transposed additive FFT for fast syndrome computation, and a sorting network to avoid cache-timing attacks.

show abstract

“…. . , x σ are pairwise distinct, the best known cost bound for computing a minimal basis is O˜(m ω σ) (Bernstein, 2011;Cohn and Heninger, 2015;Nielsen, 2014); the cost bound O˜(m ω−1 σ) was achieved in (Chowdhury et al, 2015) with a probabilistic algorithm which outputs only one interpolant satisfying the degree constraints.…”

Section: Introductionmentioning

confidence: 99%

Computing minimal interpolation bases

Jeannerod¹,

Neiger²,

Schost³

et al. 2017

Journal of Symbolic Computation

View full text Add to dashboard Cite

International audienceWe consider the problem of computing univariate polynomial matrices over afield that represent minimal solution bases for a general interpolationproblem, some forms of which are the vector M-Pad\'e approximation problem in[Van Barel and Bultheel, Numerical Algorithms 3, 1992] and the rationalinterpolation problem in [Beckermann and Labahn, SIAM J. Matrix Anal. Appl. 22,2000]. Particular instances of this problem include the bivariate interpolationsteps of Guruswami-Sudan hard-decision and K\"otter-Vardy soft-decisiondecodings of Reed-Solomon codes, the multivariate interpolation step oflist-decoding of folded Reed-Solomon codes, and Hermite-Pad\'e approximation. In the mentioned references, the problem is solved using iterative algorithmsbased on recurrence relations. Here, we discuss a fast, divide-and-conquerversion of this recurrence, taking advantage of fast matrix computations overthe scalars and over the polynomials. This new algorithm is deterministic, andfor computing shifted minimal bases of relations between $m$ vectors of size$\sigma$ it uses $O~( m^{\omega-1} (\sigma + |s|) )$ field operations, where$\omega$ is the exponent of matrix multiplication, and $|s|$ is the sum of theentries of the input shift $s$, with $\min(s) = 0$. This complexity boundimproves in particular on earlier algorithms in the case of bivariateinterpolation for soft decoding, while matching fastest existing algorithms forsimultaneous Hermite-Pad\'e approximation

show abstract

Simplified High-Speed High-Distance List Decoding for Alternant Codes

Cited by 11 publications

References 42 publications

Formally Verified Certificate Checkers for Hardest-to-Round Computation

Formally Verified Certificate Checkers for Hardest-to-Round Computation

McBits: Fast Constant-Time Code-Based Cryptography

Computing minimal interpolation bases

Contact Info

Product

Resources

About