OK, thanks for the introduction. As Jean-Sébastien said, I will talk about a new decoding algorithm for random binary linear codes. This is joint work with Anja Becker and Antoine Joux, both from the University of Versailles, and Alexander May from the University of Bochum. As some of you might have recognized, there is a subtle hint in my title slide about the main trick we employ: the simple equation 1 + 1 = 0 modulo 2. The aim of my talk is to explain how this equation can be used.

Let's start with a very simple illustration that might still be helpful to get a high-level idea of our improvement. Assume you are given a very large haystack H, and there is a tiny needle hidden somewhere in this haystack. Your task is to find this particular needle. At Eurocrypt 2010, Howgrave-Graham and Antoine Joux presented a general strategy to solve such a problem, which I call the representation technique. It works as follows. Assume you have a way to expand the original haystack into an even larger one, and while you do this expansion, you implicitly introduce a certain number r of copies of the originally unique needle. This sounds weird, but it works. At the end, it might be sufficient to consider only a 1/r fraction of the expanded haystack, simply because you can hope that one of the copies is found in this particular fraction. From a technical point of view, there is always the same bottleneck in this technique: since we are only interested in a 1/r fraction of the expanded haystack, it would be good if we could construct this fraction without having to construct the complete expanded haystack beforehand. You will see at least a sketch of how this can work for decoding.

I should say that the basic idea of representations has already been used in the decoding scenario, in a paper at Asiacrypt 2011 by Alexander May, Enrico Thomae, and myself. But we only used representations in a suboptimal way, so this talk is about an optimized way of using them. This optimized way is not new either; it appeared last year at Eurocrypt, presented by Antoine, Anja, and Jean-Sébastien. The high-level idea of the optimization is as follows. I said our main task is to construct a 1/r fraction of the expanded haystack, so the efficiency seems to be determined by this fraction. It might therefore be a good idea to increase the number of representations while keeping the expansion of the haystack small. That is exactly what we do, and we can do so by exploiting the equation 1 + 1 = 0 modulo 2.

Since I will be talking about decoding algorithms, let me do a very short recap on binary codes. In the rest of this talk, C will always denote a random binary [n, k, d] code. That is, n is the code length, k is the code dimension, and d is the minimum distance. I will only study the following problem, called the bounded-distance decoding (BDD) problem. You start from a codeword c, then you add some error vector e whose Hamming weight w is fixed to the error-correction capability of the code. Given such a vector x = c + e, your aim is to recover the vector e, or, equivalently, the codeword c, which you obtain by adding e to x.
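To make this setup concrete, here is a minimal sketch of a toy BDD instance in Python, assuming numpy; the function name and parameters are mine, purely for illustration, and in practice w would be tied to the error-correction capability of the code.

```python
import numpy as np

rng = np.random.default_rng(0)

def bdd_instance(n, k, w):
    """Toy BDD instance: random binary [n, k] code, codeword c = mG,
    and a received word x = c + e with a weight-w error e (all mod 2)."""
    G = rng.integers(0, 2, size=(k, n))          # random generator matrix
    m = rng.integers(0, 2, size=k)               # random message
    c = (m @ G) % 2                              # codeword
    e = np.zeros(n, dtype=int)
    e[rng.choice(n, size=w, replace=False)] = 1  # error of Hamming weight w
    x = (c + e) % 2                              # the decoder only sees x (and G)
    return G, x, e

G, x, e = bdd_instance(n=24, k=12, w=2)          # e is what BDD must recover
```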
This problem is quite old, and it is somewhat related to crypto because, for example, message recovery for McEliece encryption is exactly this problem. There are other applications as well.

If I talk about decoding algorithms and want to compare them, I need a method that allows for comparison, and this method roughly goes as follows. The running time of decoding algorithms is a function of the three code parameters n, k, and d. In this talk, I will focus on codes with constant rate, that is, the ratio between the code dimension and the code length is a constant, or at least converges to a constant for very large n. Furthermore, for random binary codes it is well known that for large n you can relate the parameters k and d tightly via the Gilbert-Varshamov bound. Thus we can express the running time as a function of n and k only. Since we are interested in the asymptotic behavior of these essentially exponential-time algorithms, we only need to study the exponent. That is, we write the running time as 2^{f(k)·n} times some subexponential factor, and we are mainly interested in the size of the constant f(k) in the exponent, usually called the complexity coefficient. Our task is simply to minimize f(k).

As a warm-up, let's look at a method that probably all of you know, one of the simplest ways of solving BDD: syndrome decoding. You make use of a parity check matrix H of the code and compute the syndrome of the given vector x, that is, you multiply H by x. By definition of the parity check matrix, the codeword part of x cancels out, and all that remains is a vector that depends only on the vector e you are looking for: H·x = H·e = s. So I can rephrase the BDD problem as follows: find a linear combination of exactly w columns of the parity check matrix H that matches the syndrome s.

Since I am going to use a lot of illustrations in the rest of my talk, let me briefly explain how they are meant. Here you can see the parity check matrix, which has n − k rows and n columns, and on top of it I put the vector e that I am searching for. Because e is a binary vector, multiplying H by e is simply a prescription for picking a certain number of columns of H and adding them up. This picture is important for the rest of this talk.

Given the parity check matrix, we can now think about ways of solving the BDD problem. Obviously, the simplest one is to enumerate all possibilities for the vector e. Since e is a length-n vector containing exactly w ones, there are n choose w candidates to try. If you consider this expression for varying code dimensions k, you obtain a first, very rough upper bound on the complexity coefficient, which is roughly 0.4. I will now show some methods that improve this upper bound drastically. All the methods I am going to present fall into the class of information set decoding algorithms, and there are two observations, basically linear algebra transformations, that are used by all of them.
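As a baseline, the brute-force enumeration just described fits in a few lines (a sketch assuming numpy; it literally walks through all n choose w weight-w patterns, nothing more).

```python
import itertools
import numpy as np

def brute_force_decode(H, s, w):
    """Return the first weight-w error vector e with H*e = s (mod 2),
    by enumerating all n-choose-w column selections of H."""
    n = H.shape[1]
    for idx in itertools.combinations(range(n), w):
        if np.array_equal(H[:, list(idx)].sum(axis=1) % 2, s):
            e = np.zeros(n, dtype=int)
            e[list(idx)] = 1
            return e
    return None  # no weight-w solution (should not happen for a BDD instance)
```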
The first one: given a BDD input instance, we can always permute the columns of H. Why can we do this? Multiplying H by e means picking some columns, adding them up, and obtaining the syndrome s. Permuting the columns of H is equivalent to permuting the coordinates of e, and this does not change the difficulty of the problem. The second transformation that is always possible is to apply elementary row operations to the parity check matrix. This can also easily be seen from the following picture: we start with our input instance and multiply both sides of the equation by an invertible matrix U of dimension n − k. Then we simply consider the transformed input instance, that is, the transformed parity check matrix U·H and the transformed syndrome U·s.

Using these two transformations, we can always assume that our parity check matrix is in a specific form, which I will call a randomized version of the systematic form. This form, I think, first appeared in the generalized information set decoding framework introduced by Finiasz and Sendrier at Asiacrypt 2009. It consists of a permutation step, so H has randomly permuted columns, followed by Gaussian elimination with some additional structure. At the end, H should contain a left part with exactly k + l columns, and a right part with a zero block of l rows in the upper right corner and the identity matrix of dimension n − k − l below it.

Once we have this structured form of H, information set decoding tries to recover the vector e more efficiently than brute-force enumeration. Put differently, information set decoding is intuitively a way to reduce the brute-force search space by applying linear algebra transformations. How does this work, very roughly? As I said, H can be divided into two parts, and it seems to be a good idea to divide e into two parts as well: a left part e1 of k + l coordinates and a right part e2 of n − k − l coordinates. If we multiply the matrix by the vector e, we can do this part by part: we multiply e1 by the left part of H, multiply e2 by the right part of H, and sum the resulting vectors. Now look at the multiplication of e2 by the right part of H. Since there is a zero block in the matrix, you always obtain a vector whose first l coordinates are zero, whereas the left part gives you a somewhat random-looking vector. Since at the end you want to match the given syndrome s, there is a necessary condition on e1: if you multiply e1 by the left part of the matrix, you have to end up with a vector that matches the syndrome on the first l coordinates. This observation can be exploited because we can focus on those e1 that fulfill this restriction.

Usually, information set decoding algorithms now introduce a new parameter p that restricts the weight of the vector e1. So we are no longer looking at every possible candidate for e1; we restrict ourselves to e1 of Hamming weight p, simply because this decreases the computational effort of enumerating those e1. This idea has a drawback: the method will only recover particular error patterns.
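In symbols (my notation, reconstructing the sketch above), the structured form and the resulting condition on e1 look as follows.

```latex
% Randomized systematic form: column permutation P, row operations U.
\bar{H} = U H P =
\left(\begin{array}{c|c}
  H_1 & 0 \\
  H_2 & I_{n-k-l}
\end{array}\right),
\qquad
\bar{H}\,\bar{e} = \bar{s} = \begin{pmatrix} s_1 \\ s_2 \end{pmatrix}.

% Split \bar{e} = (e_1, e_2), with e_1 of length k+l and e_2 of length n-k-l:
H_1 e_1 = s_1,
  \quad\text{(the condition on the first $l$ coordinates)}
\qquad
H_2 e_1 + e_2 = s_2.
  \quad\text{(so $e_2$ is then determined by $e_1$)}
```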
That is, the error vector e has to contain exactly p ones in the first k + l coordinates and the remaining w − p ones in the last n − k − l coordinates. It is easy to compute the probability of getting such an error pattern, and even better, if we fail to find e1, we can simply re-randomize H, that is, permute the columns and the coordinates of e again, and hope to hit such a pattern.

For the rest of this talk we can now turn to the central part: finding such an e1 more efficiently using the equation 1 + 1 = 0. From now on I will only consider this subproblem, and I will switch from the vector notation of e1 to index sets, just because it simplifies the description of our idea. The problem can now be stated as follows: we are looking for a selection I of indices between 1 and k + l, this selection should have size p, and the corresponding column sum should match the syndrome on the first l coordinates.

Before presenting our method, let me briefly sketch two recent methods. The first one is only new in that it uses the generalized systematic form; otherwise it is known as Stern's algorithm, which is basically a meet-in-the-middle approach. What do we do? Essentially, we write the selection I as a disjoint partition into a left and a right half, as in the following picture. Assume that I has exactly half of its coordinates in the left half and half in the right half. Then, instead of enumerating all possible choices for I, it is a good idea to enumerate all possible left halves I1 and all possible right halves I2, and then find a way to match those candidates. The matching is pretty easy; it is a very standard meet-in-the-middle algorithm based on the following equation: if I start from the initial equation in the upper right corner and separate I1 and I2, I obtain the necessary condition that the column sum of the index set I1 has to match the column sum of the index set I2 plus the syndrome s. The meet-in-the-middle algorithm simply enumerates all I1 and I2, puts them into lists, and searches for pairs that satisfy this equation.

Let me now return to the initial picture I presented. What is the haystack and what is the needle in this first algorithm? The haystack can be seen as the set of all possible index sets I1, namely all vectors that contain exactly p/2 ones in the first (k + l)/2 coordinates. Since there is only one way of writing I in such a decomposition, there is only a unique needle in this haystack; essentially, no representations are used at all. Anyway, if you do the optimization and compute the complexity coefficient, you obtain, perhaps somewhat surprisingly, a coefficient that is asymptotically equivalent to a method presented at Crypto last year by Bernstein, Lange, and Peters, called ball-collision decoding. At first sight it looks a bit different, but asymptotically it is the same. If you compute the concrete upper bound, you obtain something like 0.0556.

Let me go one step further, to the method we proposed at Asiacrypt last year. This method already uses some representations, but in a suboptimal way.
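A Stern-style matching step can be sketched like this (assuming numpy; Hl plays the role of the l-row upper-left block, s1 the syndrome restricted to those l coordinates, and all names are mine).

```python
import itertools
import numpy as np
from collections import defaultdict

def stern_match(Hl, s1, p):
    """Meet-in-the-middle: enumerate weight-p/2 left halves I1 and right
    halves I2, and return all unions with sum(I1) = sum(I2) + s1 (mod 2)."""
    m = Hl.shape[1]
    half = m // 2
    buckets = defaultdict(list)
    for I1 in itertools.combinations(range(half), p // 2):
        key = tuple(Hl[:, list(I1)].sum(axis=1) % 2)
        buckets[key].append(I1)
    matches = []
    for I2 in itertools.combinations(range(half, m), p // 2):
        key = tuple((Hl[:, list(I2)].sum(axis=1) + s1) % 2)
        matches += [I1 + I2 for I1 in buckets[key]]
    return matches
```

The dictionary replaces the quadratic pair search by one linear pass over each list, which is the whole point of the meet-in-the-middle step.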
Compared to the method we have just seen, we still want to write I as a disjoint partition, but we now allow an arbitrary one. What do I mean by an arbitrary disjoint partition? Again, start from our initial picture. It is still allowed to pick the first coordinates of I and put them into I1 and to put the last coordinates into I2, but now it is also allowed to exchange coordinates between I1 and I2. For example, I could swap the third and the fourth coordinate, or the first and the last coordinate, and continue in many more ways. The essential question is: how many ways of writing I as such an arbitrary disjoint partition exist? This is an easy combinatorial question: we pick p/2 out of the p coordinates and put them into I1, and the remaining p/2 coordinates have to go into I2. So essentially we have p choose p/2 representations.

Once again, back to the initial picture: we have increased our haystack, because the haystack is the set of all I1, and those I1 now contain p/2 ones spread over the whole range of k + l coordinates. But fortunately we have also increased the number of copies of the unique solution, by exactly a factor of p choose p/2. As I mentioned in the introduction, the technical bottleneck is to compute an appropriate fraction of the expanded haystack without computing the whole haystack beforehand. This can be done by a three-level computation tree, and if you do so and compute the complexity, you can slightly decrease the complexity coefficient, to roughly 0.054.

Now it is time to explain how the equation 1 + 1 = 0 can actually be used, and the idea is pretty simple. The two methods before decomposed the index set I in a disjoint fashion; now the idea is simply to allow intersections. That is, we no longer force a disjoint partition; we write I as the symmetric difference of two index sets I1 and I2, and we fix those index sets to intersect in a certain number of positions. This number of positions is called epsilon, and it is an algorithm parameter that has to be optimized at the end. Just recall that the symmetric difference is the union of the two index sets minus their intersection. We can easily translate this into the picture we have seen before: again we start from the same selection I, and as before I could put the first coordinates into I1 and the last coordinates into I2, but now I require that I1 and I2 intersect in exactly epsilon positions. These intersections are represented here by the green column; so here epsilon is 1.

How does this relate to the equation 1 + 1 = 0? That is pretty simple. How do we search for such index sets I1 and I2? Essentially, we exploit the same equation as in the meet-in-the-middle attack: for a fixed I1 we compute the column sum, and then we search for an I2 such that the column sum of I1 plus the syndrome s matches the column sum of I2. Now, if I1 and I2 intersect, there will obviously be columns that appear on both sides of the equation. But due to 1 + 1 = 0, all those double columns cancel out; we could simply remove those coordinates from I1 and I2, and this exactly recovers the symmetric difference. So I hope the link to 1 + 1 = 0 is now clear.
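The cancellation itself is easy to check numerically; this little sketch (numpy again, with indices chosen by hand) verifies that overlapping columns drop out of the mod-2 sum, leaving exactly the symmetric difference.

```python
import numpy as np

rng = np.random.default_rng(1)
H = rng.integers(0, 2, size=(6, 12))   # toy l x (k+l) block

I1 = {0, 1, 2, 3}                      # overlaps I2 in {2, 3}, so epsilon = 2
I2 = {2, 3, 7, 9}

lhs = (H[:, list(I1)].sum(axis=1) + H[:, list(I2)].sum(axis=1)) % 2
sym = I1 ^ I2                          # symmetric difference: 1 + 1 = 0
rhs = H[:, sorted(sym)].sum(axis=1) % 2
assert np.array_equal(lhs, rhs)        # the double columns cancelled out
```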
Let's now see how we benefit from this situation. Obviously, introducing intersections gives more flexibility in writing I. For example, we could shift the green column among the right columns, or we could still exchange gray coordinates, or we could mix both of these transformations, and continue in many ways. The question is, again: how many ways are there? Essentially, as before, we first pick p/2 out of the p gray coordinates, but then we can combine each of these choices with picking the epsilon intersecting positions among the remaining k + l − p positions. So the number of needles in our enlarged haystack is now (p choose p/2) times (k + l − p choose epsilon). What happened? The haystack has increased slightly, because we now have to consider all I1 that contain p/2 + epsilon ones instead of only p/2. But, as I said, we have increased the number of needles by a factor of k + l − p choose epsilon, and this seems quite nice.

The remaining question is how to compute a corresponding fraction of the haystack. This is quite technical, and I am only going to sketch the main idea; for the details you should take a look at the paper. Recall that we basically use the meet-in-the-middle equation, and that this is a vectorial equation: on the left-hand side you get a sum of column vectors q_i, and on the right-hand side a sum of column vectors q_i plus the syndrome s. Since we work with random binary codes, the coordinates of those vectors are essentially uniform over {0, 1}. If you are interested in only one particular index set I1, or in a 1/r fraction of those index sets, it is a good idea to restrict the resulting vector on the left-hand side to a fixed value on a certain number of coordinates. If you think about it, since we want to keep only a 1/r fraction, we should fix roughly log r coordinates. That is exactly what you do: for example, you can fix the column sum corresponding to I1 to the zero vector on the first log r coordinates, and the column sum corresponding to I2 to the syndrome on the same log r coordinates. Now consider one of the copies we are trying to find: if it fulfills the restriction corresponding to I1, it implicitly fulfills the restriction corresponding to I2, because on these log r coordinates the combination has to match the syndrome s. At the end, since we keep a 1/r fraction and have a total of r copies, we can hope that one of these representations survives.

Of course, I am hiding some details here, because I would still have to explain how to compute the index sets I1 that fulfill this constraint without enumerating them all; otherwise I would not have gained anything. That is a technical problem, and as I said, the details can be found in the paper. But to give you slightly more detail: it is basically Wagner's generalized birthday algorithm from Crypto 2002, and it seems to be optimal to choose a binary computation tree of three layers. In the analysis, the main technicality is to exclude some badly distributed column sums q_i, but I will skip this; take a look at the full version to see how it works.
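The filtering condition itself is easy to state in code; the sketch below (my names, numpy) keeps exactly the candidates whose column sum hits a fixed target on the fixed coordinates. Note that it still enumerates everything, which is precisely what the layered generalized-birthday tree in the paper avoids.

```python
import itertools
import numpy as np

def filtered_fraction(Hl, target, coords, weight):
    """Yield index sets I of the given weight whose column sum agrees with
    `target` on the coordinates `coords`: roughly a 1/2^len(coords) fraction.
    For illustration only; the real algorithm constructs this fraction
    directly with a three-layer computation tree instead of filtering."""
    m = Hl.shape[1]
    for I in itertools.combinations(range(m), weight):
        if np.array_equal(Hl[np.ix_(coords, list(I))].sum(axis=1) % 2, target):
            yield I
```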
So, graphically, this is our main result: for the first time, we were able to reduce the complexity coefficient to something below 1/20. And if you compare the algorithms for varying code dimensions k, our method outperforms all well-known methods; the curve of our algorithm is the green one.

OK, last slide, a short summary. I roughly sketched how to use the equation 1 + 1 = 0 in order to increase the number of representations, and this results in the asymptotically fastest generic decoding algorithm. As I said, all the proofs are in the full version, which can be found on ePrint. To sketch some open problems, which should not be seen as hard open problems, since the solutions might be quite straightforward, but could be interesting anyway: obviously, if we could find even more representations, we could hope to improve the method further. This seems hard over F2, but it might be possible over Fq, and one could try to do this. And if you think about picking optimal or secure parameters for real-world code-based crypto applications, you would have to consider low-level optimizations of our algorithm to estimate its practical behavior; all our analysis is purely asymptotic and should be refined for this purpose.

OK, that's the end of my talk. Enjoy the next talk.

We have time for one question. No questions, so let's thank the speaker again.