The decoding failure probability of MDPC codes

Author: Jean-Pierre Tillich
Affiliation: SECRET - Security, Cryptology and Transmissions - Inria de Paris - Inria - Institut National de Recherche en Informatique et en Automatique
Record: https://hal.inria.fr/hal-01957037
Document: https://hal.inria.fr/hal-01957037/document (application/pdf)
DOI: 10.1109/ISIT.2018.8437843
Source: HAL CCSD, 2018
Type: Conference papers
Language: en
Subjects: [INFO.INFO-IT] Computer Science [cs]/Information Theory [cs.IT]; [INFO.INFO-CR] Computer Science [cs]/Cryptography and Security [cs.CR]
Record dates: 2018-12-17 09:05:52; 2022-06-08 12:50:05; 2018-12-17 10:34:11

Abstract

Moderate Density Parity Check (MDPC) codes are defined here as codes which have a parity-check matrix whose row weight is of order the square root of the length n of the code. They can be decoded like LDPC codes, but they decode far fewer errors than LDPC codes: the number of errors they can decode in this case is of order the square root of n. Despite this fact, they have proved very useful in cryptography for devising key exchange mechanisms [BGG+17]. They have also been proposed in McEliece-type cryptosystems. However, in this case, the parameters that were proposed in [MTSB13] were broken in [GJS16]. This attack exploits the fact that the decoding failure probability is non-negligible. We show here that this attack can be thwarted by choosing the parameters in a more conservative way. We first show that such codes can decode, with a simple bit-flipping decoder, any pattern of $O\left(\frac{\sqrt{n}\,\log\log n}{\log n}\right)$ errors. This avoids the previous attack at the cost of significantly increasing the key size of the scheme. We then show that, under very reasonable assumptions, the error probability after decoding decays almost exponentially with the code length with just two iterations of bit-flipping. With an additional assumption, it has even been proved that it decays exponentially with an unbounded number of iterations, and we show that in this case the increase of the key size required to resist the [GJS16] attack is only moderate.