
I am trying to understand how the parameters for HQC are chosen to achieve the desired security level. The security proof in the specification for IND-CPA shows that:

$Adv^{IND-CPA}_{HQC.PKE}(A)\leq2(Adv_{2-DQSCD-P}(B_1)+Adv_{3-DQSCD-PT}(B_2))$

where the advantages on the right side are decisional versions of some variants of the syndrome decoding problem. This means that if one can break the IND-CPA security of HQC, then one can solve one of the decisional syndrome decoding problems on the right efficiently. Thus, parameters for the scheme are chosen so that the syndrome decoding problem instances which the scheme reduces to are resistant against the best known information set decoding (ISD) attacks.

This is what is bothering me - the concrete security bound pertains to the decisional version, rather than the search version of the problem, hence shouldn't one be choosing parameters that target the decision problem? Now, I know that there exists a search-to-decision reduction for the syndrome decoding problem. However, this only says that if we can break decisional syndrome decoding in polytime, we can solve the search problem in polytime, but without any concrete estimates. How does one then justify the parameter choice?

I believe something similar is happening in ML-KEM as well - the security reduction seems to be to decisional LWE, but parameters are chosen to make the search version computationally intractable. Would be grateful if someone could shed some light on this matter.

Jan Lynn

1 Answer


This is because we know of no method to solve syndrome decoding distinguishability that is better than actual codeword recovery via search (which directly solves distinguishability).

This may feel like a shonky way to set parameters, but is typical of how things are done in public key cryptography. For example, in classical PKC, the IND-CPA security of ElGamal encryption is pretty much a direct conversion of the Decisional Diffie-Hellman (DDH) problem for the group being used. However, for those groups where we believe DDH is hard, we know of no attack that is more efficient than solving Computational Diffie-Hellman (CDH) and in fact nothing more efficient than solving discrete logarithms. Hence parameters for ElGamal encryption are set so that the discrete logarithm problem is believed to be harder than the security bound. There have been instances where new methods have reduced the known hardness of the discrete logarithm and parameters/key size recommendations have had to be commensurably updated. A similar point of view is used in setting parameters for lattice-based systems (IND-CCA2 dependent on decisional LWE; parameters based on CVP hardness). Although of questionable rigour, this approach has historically been accepted as the best way to bridge the gap between the desire of academic cryptographers for provable security and the desire of implementors for concrete parameters.

Daniel S
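The answer's central claim is that a search-problem solver directly yields a distinguisher for the decisional problem, so the decision advantage can never exceed what search gives. The following toy, added here and not part of the question or answer, makes that concrete for syndrome decoding: an exhaustive weight-t search (a stand-in for real ISD, feasible only at the tiny parameters used) is wrapped as a distinguisher between a genuine weight-t syndrome and a uniformly random one, and its empirical advantage is compared against the counting bound on how many syndromes a weight-t error can produce. Function names, parameters, and the binary GF(2) code are all constructed for this illustration.

```python
import itertools
import math
import random


def syndrome(H, e):
    """Compute H * e^T over GF(2). H is a list of rows (bit lists), e a bit list."""
    return tuple(sum(h[j] & e[j] for j in range(len(e))) % 2 for h in H)


def search_decode(H, s, t):
    """Search problem: find an error vector of weight exactly t with syndrome s.

    Exhaustive search over all supports of size t; this is a toy stand-in for
    information set decoding and only works for very small n.
    """
    n = len(H[0])
    for support in itertools.combinations(range(n), t):
        e = [0] * n
        for j in support:
            e[j] = 1
        if syndrome(H, e) == tuple(s):
            return e
    return None


def distinguish(H, s, t):
    """Decision problem solved via search: True iff some weight-t e has syndrome s."""
    return search_decode(H, s, t) is not None


def make_instance(n, k, t, real, rng):
    """Build a random (n-k) x n parity-check matrix and either a genuine
    weight-t syndrome (real=True) or a uniformly random syndrome (real=False)."""
    H = [[rng.randrange(2) for _ in range(n)] for _ in range(n - k)]
    if real:
        support = rng.sample(range(n), t)
        e = [1 if j in support else 0 for j in range(n)]
        s = syndrome(H, e)
    else:
        s = tuple(rng.randrange(2) for _ in range(n - k))
    return H, s


def max_false_positive_rate(n, k, t):
    """Counting bound: at most C(n,t) of the 2^(n-k) syndromes are reachable by a
    weight-t error, so a random syndrome fools the search-based distinguisher
    with probability at most C(n,t) / 2^(n-k)."""
    return min(1.0, math.comb(n, t) / 2 ** (n - k))


def estimate_advantage(n, k, t, trials, seed):
    """Empirical distinguishing advantage Pr[1 | real] - Pr[1 | random]."""
    rng = random.Random(seed)
    hits_real = sum(distinguish(*make_instance(n, k, t, True, rng), t) for _ in range(trials))
    hits_rand = sum(distinguish(*make_instance(n, k, t, False, rng), t) for _ in range(trials))
    return hits_real / trials - hits_rand / trials


if __name__ == "__main__":
    n, k, t = 30, 15, 2  # constructed toy parameters, far below anything cryptographic
    print("counting bound on false positives:", max_false_positive_rate(n, k, t))
    print("empirical advantage of search-based distinguisher:",
          estimate_advantage(n, k, t, trials=40, seed=1))
```

The real-instance branch always returns True because a weight-t preimage exists by construction, so the only loss in advantage comes from random syndromes that happen to be reachable; at real HQC sizes that fraction is negligible, which is why the cost of search is what parameter selection has to bound.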