Paper 2025/2218

The Syndrome Weight Distribution in Quasi-Cyclic Codes, Applications to BIKE and HQC

Antoine Mesnard, Inria
Jean-Pierre Tillich, Inria
Valentin Vasseur, Thales
Abstract

Many important code-based cryptographic schemes, such as the NIST post-quantum competition finalist BIKE and the to-be-standardized HQC scheme, rely on Quasi-Cyclic Moderate-Density Parity-Check (QC-MDPC) codes. A very important issue here is to accurately predict the Decoding Failure Rate (DFR). This DFR is intimately connected to the syndrome weight distribution of the QC-MDPC codes used in these schemes. This problem is treated in HQC by modeling the syndrome bits by Bernoulli variables, which is known to be inaccurate. The rationale is that it gives a pessimistic estimate of the DFR. In BIKE, the syndrome weight is modeled by the syndrome weight of a regular MDPC code, which is itself computed by a simplified model. The accuracy of this modeling is not well understood. NIST perceived that BIKE's DFR estimation lacked maturity. This led to its dismissal in the competition. The purpose of this paper is to advance on this difficult issue of understanding the syndrome weight distribution of quasi-cyclic codes. Our contribution here is threefold. First, we provide a rigorous tool for computing the syndrome weight of a regular code through a generating function and a saddle point approximation. We use this approach to show that the Markov chain model used for estimating the syndrome weight in [ABP24] is remarkably accurate. Second, we also prove that the regular model is not accurate for very low syndrome weights and provide a complete model of the syndrome weight distribution of a QC-MDPC code which can at the same time be computed quickly and fits the experiments remarkably well. We use this to show that for BIKE the probability of the events where the regular model differs from the QC-MDPC syndrome distribution is too low to be of concern. We also show that the variance of the syndrome weight distribution of a QC-MDPC code can be computed efficiently and is a handy tool for accurately estimating the syndrome weight distribution in the moderate deviation regime.
We use it to give an accurate prediction of the DFR for a given key of HQC. This gives compelling evidence that the DFR of a typical secret key of HQC is significantly below $2^{-\lambda}$, where $\lambda$ is the security parameter, and that weak keys for HQC are too rare to be of concern.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Code-based cryptography, QC-MDPC codes, Decoding Failure Rate
Contact author(s)
antoine mesnard @ inria fr
jean-pierre tillich @ inria fr
valentin vasseur @ thalesgroup com
History
2026-01-29: revised
2025-12-09: received
Short URL
https://ia.cr/2025/2218
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/2218,
      author = {Antoine Mesnard and Jean-Pierre Tillich and Valentin Vasseur},
      title = {The Syndrome Weight Distribution in Quasi-Cyclic Codes, Applications to {BIKE} and {HQC}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/2218},
      year = {2025},
      url = {https://eprint.iacr.org/2025/2218}
}