International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

A Hybrid Algorithm for the Regular Syndrome Decoding Problem

Authors:
Tianrui Wang , Tsinghua University
Anyu Wang , Tsinghua University
Kang Yang , State Key Laboratory of Cryptology
Hanlin Liu , Northwestern University
Yu Yu , Shanghai Jiao Tong University
Jun Zhang , Capital Normal University
Xiaoyun Wang , Tsinghua University
Download:
Search ePrint
Search Google
Conference: ASIACRYPT 2025
Abstract: Regular Syndrome Decoding (RSD) is a variant of the traditional Syndrome Decoding (SD) problem, where the error vector is divided into consecutive, equal-length blocks, each containing exactly one nonzero element. Recently, RSD has gained significant attention due to its extensive applications in cryptographic constructions, including MPC, ZK protocols, and more. The computational complexity of RSD has primarily been analyzed using two methods: Information Set Decoding (ISD) approach and algebraic approach. In this paper, we introduce a new hybrid algorithm for solving the RSD problem. This algorithm can be viewed as replacing the meet-in-the-middle enumeration in ISD with a process that solves quadratic equations. Our new algorithm demonstrates superior performance across a wide range of concrete parameters compared to previous methods, including both ISD and algebraic approaches, for parameter sets over both large fields (q = 2^128) and binary fields (q = 2). For parameter sets used in prior works, our algorithm reduces the concrete security of RSD by up to 20 bits compared to the state-of-the-art algorithms. We also provide an asymptotic analysis, identifying a broader parameter region where RSD is solvable in polynomial time compared to ISD and algebraic methods over binary fields. Additionally, we apply our algorithm to evaluate the security of the ZK protocol Wolverine (IEEE S&P 2021) and the OT protocol Ferret (ACM CCS 2020). Our results reduce the security level of Wolverine, which targets a 128-bit security level, to about 111 bits, and also marginally lowers the security of Ferret below the targeted 128-bit level for the first time.
BibTeX
@inproceedings{asiacrypt-2025-35942,
  title={A Hybrid Algorithm for the Regular Syndrome Decoding Problem},
  publisher={Springer-Verlag},
  author={Tianrui Wang and Anyu Wang and Kang Yang and Hanlin Liu and Yu Yu and Jun Zhang and Xiaoyun Wang},
  year=2025
}