Estimating the Decoding Failure Rate of Binary Regular Codes Using Iterative Decoding

Providing closed-form estimates of the decoding failure rate of iterative decoders for low- and moderate-density binary parity-check codes has attracted significant interest in the research community. Recently, interest in this topic has increased due to the use of iterative decoders in post-quantum cryptosystems, where the desired decoding failure rates (DFRs) are less than or equal to $2^{-128}$ and impossible to estimate via Monte Carlo simulations. We propose a new technique that provides accurate DFR estimates for a two-iteration (parallel) bit-flipping decoder that can be used for cryptographic purposes. We estimate the bit-flipping probabilities at the second decoder iteration and the syndrome weight distribution before and after the first iteration as a function of the code parameters and error weight. We validate our results numerically by comparing the modelled and simulated syndrome weights, the incorrectly guessed error bit distribution at the end of the first iteration, and the DFR after two iterations in both the floor and waterfall regimes. Finally, we apply our method to estimate the DFR of the LEDAcrypt cryptographic system, a post-quantum key encapsulation method that employs a two-iteration bit-flipping decoder. We show that the DFR estimate resulting from the chosen code parameters can be improved by a factor larger than $2^{70}$ with respect to previous estimation techniques, when $128$-bit security is required. This allows for a $20$% reduction in public key and ciphertext sizes at no security loss. We note that our results can be applied to the post-quantum cryptosystem known as Bit Flipping Key Encapsulation (BIKE) replacing the current ``BIKE-flip decoder'' with the two-iteration decoder and consequently endowing BIKE with the property of indistinguishability under an adaptive chosen-ciphertext attack (IND-CCA$2$), provably.