Cryptography and Coding: 19th IMA International Conference, IMACC 2023, London, UK, December 12–14, 2023, Proceedings (Lecture Notes in Computer Science) 3031478177, 9783031478178

This book constitutes the proceedings of the 19th IMA International Conference, IMACC 2023, held in London, UK, during D


English Pages 296 [286] Year 2023


Table of contents:
Preface
Organization
Contents
Coding Theory
An Upper-Bound on the Decoding Failure Probability of the LRPC Decoder
1 Introduction
2 Preliminaries
2.1 Notation
2.2 Rank Metric
2.3 Auxiliary Results
3 Decoding of LRPC Codes
3.1 Description
3.2 Decoding Failure Probability
3.3 An Upper-Bound on P_I
3.4 An Upper-Bound on P_II
4 Asymptotic Analysis
5 Conclusion
References
Coset Leaders of the First Order Reed-Muller Codes in the Classes of Niho Functions and Threshold Functions
1 Introduction
2 Preliminaries
3 Coset Leaders in the Class of the Niho Functions
4 Coset Leaders in the Class of Threshold Functions
References
Revisiting Nearest-Neighbor-Based Information Set Decoding
1 Introduction
2 Preliminaries
3 The Both-May Algorithm
3.1 Depth-2 Variant
3.2 Depth-4 Variant
4 A Strategy for Future Improvements
4.1 Combining Nearest Neighbor Search and Filtering
4.2 Further Improving the Approach
A Details on flaw in original Both-May analysis
References
Symmetric Cryptography: Constructions and Attacks
Feistel Ciphers Based on a Single Primitive
1 Introduction
2 Preliminaries
2.1 Notation
2.2 (Tweakable) Block Cipher
2.3 Security Definitions
2.4 Coefficient-H Technique
3 Constructions
3.1 Block Ciphers
3.2 Cryptographic Permutations
4 Security of FeistelBC_r
4.1 Attack on FeistelBC_r, r = d+1
5 Security of FeistelCP_r
6 Indifferentiability of Feistel Cipher with Constants
7 Conclusions
A Security Proof of FeistelBC_d+1
References
Rectangle Attacks on Reduced Versions of the FBC Block Cipher
1 Introduction
2 Preliminaries
2.1 Notation
2.2 The FBC Block Cipher
2.3 Ren et al.'s Boomerang Attack on 13-Round FBC128-256
3 Rectangle Attacks on 14-Round FBC128-128 and 15-Round FBC128-256
3.1 A 12-Round Rectangle Distinguisher with Probability 2^-234 of FBC128
3.2 Attacking 14-Round FBC128-128
3.3 Attacking 15-Round FBC128-256
4 Rectangle Attack on 19-Round FBC256
4.1 A 16-Round Rectangle Distinguisher with Probability 2^-448 of FBC256
4.2 Attacking 19-Round FBC256
5 Conclusion
References
Zero-Knowledge Protocols
zk-SNARKs from Codes with Rank Metrics
1 Introduction
2 Preliminaries
2.1 Notations
2.2 Background on Code-Based Cryptography
2.3 Succinct Non-interactive Arguments
2.4 Encoding Schemes
2.5 Assumptions
2.6 Square Span Programs
3 Our Code-Based Encoding Scheme
3.1 Bound of Noise
3.2 Additive Homomorphism
4 Our Code-Based Zk-SNARK Scheme
5 Security Analysis of Our Zk-SNARK Scheme
5.1 Zero-Knowledge
5.2 Soundness
6 Efficiency and Parameters
6.1 Efficiency
6.2 Parameters
References
Zero-Knowledge Systems from MPC-in-the-Head and Oblivious Transfer
1 Introduction
1.1 Technical Overview
1.2 Comparison and Theoretical Value
2 Preliminaries
2.1 Notation
2.2 Zero-Knowledge Proof and Argument Systems
2.3 Oblivious Transfer Protocols
2.4 MPC
3 Zero-Knowledge from MPCitH and Oblivious Transfer
4 Suitable Oblivious Transfer Protocols
4.1 Generic MPCitH and 1-out-of-2 Oblivious Transfer
4.2 Broadcast MPCitH and 1-out-of-n Oblivious Transfer
4.3 Hypercube MPCitH and 1-out-of-2 Oblivious Transfer
A Constant-Round Zero-Knowledge
References
ZK-for-Z2K: MPC-in-the-Head Zero-Knowledge Proofs for Z2k
1 Introduction
1.1 Our Contribution
2 Preliminaries
2.1 Notation
2.2 Rings
2.3 Secret-Sharing Schemes Over Rings
2.4 MPC-in-the-Head via Linear Secret Sharing
3 Checking Multiplications Over Rings
3.1 Sacrifice Based Check
3.2 Inner Product Multiplication Check
3.3 Compressed Multiplication Check
4 Checking Base Ring Sharings
5 Protocol Communication Costs
5.1 Concrete Comparison of the Three MultCheck Subprotocols
References
Digital Signature Schemes and Extensions
Efficient Secure Two Party ECDSA
1 Introduction
1.1 Our Contribution
1.2 Paper Organization
2 Preliminaries
2.1 Hardness Assumptions
2.2 The ECDSA Scheme
2.3 Ideal Functionalities
3 Protocol
3.1 Cost Analysis
3.2 Implementation
4 Conclusion
A Proof of Theorem 1
B Proof of Theorem 2
B.1 Corrupted P1
B.2 Corrupted P2
References
Selective Delegation of Attributes in Mercurial Signature Credentials
1 Introduction
2 Preliminaries
2.1 Bilinear Maps
2.2 Zero-Knowledge Proofs of Knowledge
2.3 Anonymous Credentials
2.4 Delegatable Credentials
3 Previous Work
3.1 SPS-EQ Credentials
3.2 Randomisable Set Commitments
3.3 Mercurial Signatures
4 Providing Selective Disclosure
4.1 Selective Delegation
4.2 Construction of Mercurial Signature Credentials with Set Commitments
4.3 Security Analysis
5 Conclusion and Future Work
References
Advances in Post-Quantum Cryptography
Middle-Products of Skew Polynomials and Learning with Errors
1 Introduction
2 Preliminaries
3 Learning with Errors and Middle Products
4 Skew Polynomials
5 Cyclic Division Algebras and CLWE
6 The Middle Product for Skew Polynomials
7 Reduction from SPLWE to SMPLWE
8 Public Key Encryption Scheme
9 Conclusion
A Skew Polynomial Rings
B On the Equivalence of Embeddings for CLWE
References
Identity-Based Threshold Signatures from Isogenies
1 Introduction
2 Preliminaries
2.1 Isogeny-Based Cryptography
2.2 Identity-Based Signature Schemes
2.3 Identity-Based Threshold Signature Scheme
2.4 k-MT-GAIP Distributed Key Generation
2.5 Shamir Secret Sharing
3 Identity-Based Signatures from CSI-SharK
4 Identity-Based Threshold Signature with Abort
5 Robust Identity-Based Threshold Signature Scheme
6 Conclusion
References
Cryptography in Practice: Analyses and Constructions
Dynamic Security Aspects of Onion Routing
1 Introduction
2 Preliminaries
2.1 The Static Framework
3 A Dynamic Framework
4 Application of the Framework to Guard Nodes
4.1 Guard Nodes Policies
5 Analysis
5.1 Simplifications and Assumptions
5.2 Quantitative Formulas for Metrics
5.3 Simulation Program
5.4 Discussion: Relevant Parameter Ranges
5.5 Results
6 Conclusion
References
Practical and Efficient FHE-Based MPC
1 Introduction
1.1 Our Contribution
1.2 System Overview
1.3 Discussion
2 Homomorphic Building Blocks
2.1 Fully Homomorphic Encryption
2.2 Threshold-FHE
2.3 FHE Transciphering
2.4 Zero-Knowledge Proofs of Plaintext Knowledge
3 Ideal Functionality
4 The MPC-FHE Protocol
References
Author Index


LNCS 14421

Elizabeth A. Quaglia (Ed.)

Cryptography and Coding 19th IMA International Conference, IMACC 2023 London, UK, December 12–14, 2023 Proceedings

Lecture Notes in Computer Science

Founding Editors: Gerhard Goos, Juris Hartmanis

Editorial Board Members: Elisa Bertino, Purdue University, West Lafayette, IN, USA; Wen Gao, Peking University, Beijing, China; Bernhard Steffen, TU Dortmund University, Dortmund, Germany; Moti Yung, Columbia University, New York, NY, USA

The series Lecture Notes in Computer Science (LNCS), including its subseries Lecture Notes in Artificial Intelligence (LNAI) and Lecture Notes in Bioinformatics (LNBI), has established itself as a medium for the publication of new developments in computer science and information technology research, teaching, and education. LNCS enjoys close cooperation with the computer science R & D community, the series counts many renowned academics among its volume editors and paper authors, and collaborates with prestigious societies. Its mission is to serve this international community by providing an invaluable service, mainly focused on the publication of conference and workshop proceedings and postproceedings. LNCS commenced publication in 1973.


Editor: Elizabeth A. Quaglia, University of London, Egham, UK

ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-031-47817-8 ISBN 978-3-031-47818-5 (eBook) https://doi.org/10.1007/978-3-031-47818-5 © The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2024 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Paper in this product is recyclable.

Preface

The International Conference on Cryptography and Coding is the biennial conference of the Institute of Mathematics and its Applications (IMA) on cryptography and coding theory. The conference series was established in 1995 and its 19th edition was held on December 12–14, 2023, at Royal Holloway, University of London. The Program Committee for the conference, consisting of 21 international experts in cryptography and coding, selected 14 full papers from 36 submissions for presentation at the conference and inclusion in these proceedings.

The review process was double-blind and rigorous. Each submission was reviewed independently by at least two reviewers in an individual review phase, and subsequently considered by the Program Committee in a discussion phase. Feedback from the reviews and discussions was provided to the authors and their revised submissions are included in these proceedings.

The papers accepted at IMACC23, which appear in this book, present cutting-edge results in a variety of areas, including coding theory, symmetric cryptography, zero-knowledge protocols, digital signature schemes and extensions, post-quantum cryptography and cryptography in practice. The conference’s program included invited talks from prominent researchers in the area, namely Dario Fiore (IMDEA Software Institute) and Carla Ràfols (Pompeu Fabra University), as well as the presentation of posters showcasing recent advances in coding theory and cryptography.

It was a pleasure to chair IMACC23, and I would like to thank in particular the Organizing Committee for their support, the Program Committee for their time, energy and very helpful work, and the IMA for their help in running the conference.

December 2023

Elizabeth A. Quaglia

Organization

General Chair
Elizabeth A. Quaglia, Royal Holloway, University of London, UK

Steering Committee
Martin Albrecht, King’s College London, UK
Liqun Chen, University of Surrey, UK
Christopher Mitchell, Royal Holloway, University of London, UK
Máire O’Neill, Queen’s University Belfast, UK
Maura B. Paterson, Birkbeck, University of London, UK

Organizing Committee
Angelo De Caro, IBM, Switzerland
Christopher Mitchell, Royal Holloway, University of London, UK
Maura B. Paterson, Birkbeck, University of London, UK

Program Committee
Olivier Blazy, École polytechnique, France
Xavier Bultel, INSA CVL, France
Liqun Chen, University of Surrey, UK
Elizabeth Crites, University of Edinburgh, UK
Alex Davidson, Universidade Nova de Lisboa, Portugal
Gareth Davies, NXP, Belgium
Angelo De Caro, IBM, Switzerland
Jean Paul Degabriele, Technology Innovation Institute, UAE
Itai Dinur, Ben-Gurion University, Israel
Benjamin Dowling, University of Sheffield, UK
Ashley Fraser, University of Surrey, UK
Lydia Garms, Keyless Technologies Limited, UK
Aurore Guillevic, Inria, France
Christian Janson, TU Darmstadt, Germany
Siaw-Lynn Ng, Royal Holloway, University of London, UK
Martha Norberg Hovd, Simula UiB, Norway
Maura B. Paterson, Birkbeck, University of London, UK
Thomas Prest, PQShield Ltd., UK
Elizabeth A. Quaglia (Chair), Royal Holloway, University of London
Benjamin Smith, Inria and École polytechnique, France
Gaven J. Watson, Meta, USA

Additional Reviewers
Carsten Baum, Arghya Bhattacharjee, Gianluca Brian, Cyprien Delpech de Saint Guilhem, Scott Griffy, Jodie Knapp, Francois Morain, Christopher Newton, Morten Oygarden, Edoardo Persichetti, Wrenna Robson, Miruna Rosca, Yifan Song

Contents

Coding Theory
An Upper-Bound on the Decoding Failure Probability of the LRPC Decoder (Étienne Burle and Ayoub Otmani), p. 3
Coset Leaders of the First Order Reed-Muller Codes in the Classes of Niho Functions and Threshold Functions (Claude Carlet, Serge Feukoua, and Ana Sălăgean), p. 17
Revisiting Nearest-Neighbor-Based Information Set Decoding (Andre Esser), p. 34

Symmetric Cryptography: Constructions and Attacks
Feistel Ciphers Based on a Single Primitive (Kento Tsuji and Tetsu Iwata), p. 57
Rectangle Attacks on Reduced Versions of the FBC Block Cipher (Wenchang Zhou and Jiqiang Lu), p. 80

Zero-Knowledge Protocols
zk-SNARKs from Codes with Rank Metrics (Xuan-Thanh Do, Dang-Truong Mac, and Quoc-Huy Vu), p. 99
Zero-Knowledge Systems from MPC-in-the-Head and Oblivious Transfer (Cyprien Delpech de Saint Guilhem, Ehsan Ebrahimi, and Barry van Leeuwen), p. 120
ZK-for-Z2K: MPC-in-the-Head Zero-Knowledge Proofs for Z2k (Lennart Braun, Cyprien Delpech de Saint Guilhem, Robin Jadoul, Emmanuela Orsini, Nigel P. Smart, and Titouan Tanguy), p. 137

Digital Signature Schemes and Extensions
Efficient Secure Two Party ECDSA (Sermin Kocaman and Younes Talibi Alaoui), p. 161
Selective Delegation of Attributes in Mercurial Signature Credentials (Colin Putman and Keith M. Martin), p. 181

Advances in Post-Quantum Cryptography
Middle-Products of Skew Polynomials and Learning with Errors (Cong Ling and Andrew Mendelsohn), p. 199
Identity-Based Threshold Signatures from Isogenies (Shahla Atapoor), p. 220

Cryptography in Practice: Analyses and Constructions
Dynamic Security Aspects of Onion Routing (Alessandro Melloni, Martijn Stam, and Øyvind Ytrehus), p. 243
Practical and Efficient FHE-Based MPC (Nigel P. Smart), p. 263

Author Index, p. 285

Coding Theory

An Upper-Bound on the Decoding Failure Probability of the LRPC Decoder

Étienne Burle and Ayoub Otmani(B)
Univ Rouen Normandie, INSA Rouen Normandie, Université Le Havre Normandie, Normandie Univ, LITIS UR 4108, F-76000 Rouen, France
{Etienne.Burle,Ayoub.Otmani}@univ-rouen.fr

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024. E. A. Quaglia (Ed.): IMACC 2023, LNCS 14421, pp. 3–16, 2024. https://doi.org/10.1007/978-3-031-47818-5_1

Abstract. Low Rank Parity Check (LRPC) codes form a class of rank-metric error-correcting codes that was purposely introduced to design public-key encryption schemes. An LRPC code is defined from a parity check matrix whose entries belong to a relatively low dimensional vector subspace of a large finite field. This particular algebraic feature can then be exploited to correct rank errors with high probability when the parameters are appropriately chosen. In this paper, we present theoretical upper-bounds on the probability that the LRPC decoding algorithm fails.

Keywords: Rank metric · Decoding problem · LRPC code · Homogeneous matrix

1 Introduction

Rank-metric cryptography has attracted a relative interest over the last years, mainly thanks to the recent trend that appeared with the goal of standardizing quantum-safe public-key algorithms. ROLLO [3] and RQC [1] are two examples of rank-metric public-key encryption schemes that were submitted to the NIST call for standardizing quantum-resistant public-key cryptographic algorithms. The theory of codes endowed with the rank metric was first studied in [6], where a Singleton-type bound was proved and a class of codes reaching the bound was given. A few years later, Gabidulin constructed [7] the first example of rank-metric error-correcting codes, which can be seen as the counterparts of generalized Reed-Solomon (GRS) codes. The so-called Gabidulin codes are defined from the evaluation of non-commutative linearized polynomials [12]. They can be efficiently decoded by an equivalent of the Euclidean algorithm [13] while achieving the rank-Singleton upper-bound. Not long after, the first rank-metric public-key encryption scheme, called the GPT cryptosystem, appeared in [8]. It bore strong similarities with the famous McEliece cryptosystem [11]. The GPT scheme is indeed an analogue of the McEliece cryptosystem but based on Gabidulin codes. Not surprisingly, this strong resemblance to GRS codes is the reason why their use in the GPT cryptosystem has been subject to several attacks [9,10], as have the different repairs that were subsequently cryptanalysed [14–16]. These flaws in the design do not mean that the rank metric is not viable in cryptography. Indeed, the famous decoding problem naturally has its rank version, which is also believed to be intractable in both the classical and the quantum setting.

ROLLO replaces Gabidulin codes with the class of (Ideal) Low Rank Parity Check (LRPC) codes introduced in [4]. An LRPC code is defined by means of a homogeneous $(n-k) \times n$ parity-check matrix $H = (h_{i,j})$ where each entry $h_{i,j}$ lies in a linear subspace $W \subset \mathbb{F}_{q^m}$ over $\mathbb{F}_q$ of relatively low dimension $w$. This property can then be exploited to design a probabilistic decoding algorithm that can recover any error vector $e \in \mathbb{F}_{q^m}^n$ of rank weight $t \le (n-k)/w$. The principle behind the LRPC decoder [4] is to view the syndrome $s = eH^T$ as a sample of a uniformly distributed random variable taking values in $(E \cdot W)^{n-k}$, where $E \subset \mathbb{F}_{q^m}$ is the $t$-dimensional linear space generated over $\mathbb{F}_q$ by the coordinates of $e$. Under the assumption that the linear space over $\mathbb{F}_q$ spanned by the entries of $s$, denoted by $S \subset \mathbb{F}_{q^m}$, is equal to $E \cdot W$, the decoding algorithm first recovers a basis $\varepsilon_1, \dots, \varepsilon_t$ of $E$ by computing the intersection $\bigcap_{i=1}^{w} f_i^{-1} \cdot S$, where $\{f_1, \dots, f_w\}$ is an arbitrary (known) basis of $W$. The success of this step lies in the fact that with high probability this intersection is equal to $E$. The last step then consists in computing the coordinates $e_1, \dots, e_n$ of $e$ by writing $e_j = \sum_{d=1}^{t} x_{j,d}\,\varepsilon_d$, where each $x_{j,d} \in \mathbb{F}_q$ is unknown. One can then solve the linear system $s = eH^T$ and expect to find a unique solution when $w \ge n/(n-k)$, because in that case the number $nt$ of unknowns is at most the number $(n-k)wt$ of linear equations. Recently, an encryption scheme based on LRPC codes has been proposed in [2] where the decoder receives a matrix of syndromes $S = EH^T$, where $E$ is a homogeneous matrix, so that the probability that the entries of $S$ span $E \cdot W$ is increased.
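The three decoder steps just described, carried out on a toy instance as an added illustration (example code written for this page, not the authors' implementation): the field is $\mathbb{F}_{2^{20}}$, the constructed parameters are $n = 30$, $k = 15$, $w = 3$, $t = 2$, $H$ is homogeneous with entries in $W = \langle f_1, f_2, f_3 \rangle$, $e$ has rank weight $t$, and the decoder recovers $E$ as $\bigcap_i f_i^{-1} \cdot S$ before solving $s = eH^T$ over $\mathbb{F}_2$. The names `recover_E`, `lrpc_decode` and `make_instance` are this example's own, and the decoder returns `None` when either failure event the paper analyses (wrong intersection, rank-deficient system) occurs.

```python
import random
from functools import reduce
from operator import xor

# Constructed toy setting for this added example (not the paper's code): q = 2 and
# F_{2^m} with m = 20, built from the primitive trinomial x^20 + x^3 + 1.
M, POLY = 20, (1 << 20) | (1 << 3) | 1

def gf_mul(a, b):  # product in F_{2^m}; elements are the bit patterns of polynomials
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        if a >> M:
            a ^= POLY
    return r

def gf_inv(a):  # a^(2^m - 2) is the inverse of a nonzero element
    r, e = 1, (1 << M) - 2
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def reduce_by(v, basis):  # reduce v against a fully reduced F_2-basis; 0 iff v lies in its span
    for b in basis:
        v = min(v, v ^ b)
    return v

def span(vectors):  # unique fully reduced F_2-basis of <vectors>: equal lists <=> equal subspaces
    basis = []
    for v in vectors:
        v = reduce_by(v, basis)
        if v:
            basis = sorted([min(b, b ^ v) for b in basis] + [v])
    return basis

def recover_E(s, f_basis):  # decoder steps 1-2: S = <s>, then E = intersection of the f_i^{-1}.S
    spaces = [span([gf_mul(gf_inv(f), x) for x in span(s)]) for f in f_basis]
    elems = [0]  # enumerate the first space (2^(tw) elements at this toy size)
    for b in spaces[0]:
        elems += [x ^ b for x in elems]
    return span([x for x in elems if all(reduce_by(x, sp) == 0 for sp in spaces)])

def solve_gf2(rows, nvars):
    """Gauss-Jordan over F_2; row int: bit 0 = right-hand side, bit j+1 = unknown j.
    Returns the unique solution (bit j = unknown j), or None when the rank is not full."""
    pivots = {}
    for r in rows:
        for p, pr in pivots.items():
            r ^= pr if r >> p & 1 else 0
        if r >> 1:
            p = r.bit_length() - 1
            pivots = {q: pr ^ r if pr >> p & 1 else pr for q, pr in pivots.items()}
            pivots[p] = r
    return None if len(pivots) < nvars else sum((pr & 1) << (p - 1) for p, pr in pivots.items())

def lrpc_decode(H, s, f_basis, t):  # step 3: e_j = sum_d x_{j,d} eps_d, solve s = e H^T over F_2
    E, n = recover_E(s, f_basis), len(H[0])
    if len(E) != t:
        return None  # failure: the intersection is not the t-dimensional E
    rows = []
    for i, si in enumerate(s):  # one equation over F_{2^m} gives m equations over F_2
        prods = [(j * t + d + 1, gf_mul(H[i][j], eps)) for j in range(n) for d, eps in enumerate(E)]
        for b in range(M):
            rows.append(si >> b & 1 | sum(1 << var for var, pr in prods if pr >> b & 1))
    x = solve_gf2(rows, n * t)
    if x is None:
        return None  # failure: the linear system s = e H^T is not of full rank
    return [reduce(xor, (eps for d, eps in enumerate(E) if x >> (j * t + d) & 1), 0) for j in range(n)]

def make_instance(n, k, w, t, seed):  # constructed instance: H homogeneous over W, e with coordinates in E
    rng = random.Random(seed)
    f_basis = span([rng.getrandbits(M) for _ in range(w)])  # W = <f_1, ..., f_w>
    E = span([rng.getrandbits(M) for _ in range(t)])  # E of dimension t
    rand_in = lambda basis: reduce(xor, [b for b in basis if rng.getrandbits(1)], 0)
    H = [[rand_in(f_basis) for _ in range(n)] for _ in range(n - k)]
    e = [rand_in(E) for _ in range(n)]
    s = [reduce(xor, (gf_mul(h, ej) for h, ej in zip(row, e)), 0) for row in H]  # s = e H^T
    return H, s, f_basis, E, e
```

Running `make_instance` over many seeds and counting `None` results gives an empirical decoding failure rate to set against the bounds of Table 1.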
Another work [5] gives a new construction of error-correcting codes that can be decoded by the same techniques but relies on a generalization of the notion of homogeneous matrices. It introduces the concept of semi-homogeneous parity-check matrices, which are matrices such that the coordinates of each row span a different low-dimensional linear subspace of $\mathbb{F}_{q^m}$. This enables the authors to build a public-key encryption scheme where the public key is statistically close to a random matrix. Note that the security of ROLLO relies on the difficulty of the (Ideal) LRPC code indistinguishability problem, which asserts that it is computationally hard to distinguish a randomly drawn parity-check matrix of an Ideal LRPC code from a random parity-check matrix of an Ideal code.

All these schemes have to deal with the decryption failures that inherently come from the LRPC decoding algorithm. As an adversary could shatter the security of these schemes if he manages to exploit decryption failures, it is of paramount importance to lower the decoding failure probability below the desired security threshold. The best existing bounds on the decoding failure probability are given in [3,4]. It is stated in [4] that the decoding failure probability behaves essentially as $q^{-(n-k)+tw}$, which comes from an approximation of the probability that the entries of the syndrome vector $s$ do not span $E \cdot W$. Another analysis is given in [3], resulting in the expression $q^{-(n-k)+tw-1} + q^{-(w-1)(m-tw-t)}$. The first term corresponds to a tighter approximation of the one given in [4], and the quantity $q^{-(w-1)(m-tw-t)}$ reflects the probability that the intersection of random linear subspaces $R_1, \dots, R_w$ all containing $E$ is different from $E$. Several works [2–4] assumed that $f_i^{-1} \cdot S$ behaves as a random linear space $R_i$ containing $E$. But this hypothesis cannot be realistic because of the existence of the elements $f_1, \dots, f_w$ in $\mathbb{F}_{q^m}$ such that $f_i \cdot R_i = f_j \cdot R_j$ for every $i \neq j$ when $R_i = f_i^{-1} \cdot S$. Although the validity of the approximation $q^{-(w-1)(m-tw-t)}$ is verified by simulations in [3], it does not necessarily predict the asymptotic behavior.

Our Contribution and Main Results. We revisit the analysis of the LRPC decoder with the main goal of establishing provable theoretical bounds. Although we do not reach the best existing heuristic approximations, our work manages to close a little further the gap between the theoretical bounds and the practical approximations. We provide in Table 1 a comparison between existing bounds and the bounds we obtain in this work.

As we have seen, there are several reasons that make the LRPC decoder fail. The first one comes from the fact that the entries of $s$ might not span $E \cdot W$. In [4, Proposition 4.3], the authors state that the coordinates of $s$ are independently and uniformly distributed over $E \cdot W$, leading them to upper-bound the probability¹ by $q^{-(n-k)+tw}$. We provide in Proposition 1 a simple argument that explains why the coordinates of $s$ are independent and uniform random variables over the random choices of $H$ and $e$. This enables us to use the closed-form expression of the probability that random vectors belonging to the same linear subspace span it. We apply this result to the coordinates of the syndrome vector $s$ and we show in Proposition 5 that this probability is lower than $q^{-(n-k)+tw}/(q-1)$. We notice that when $\dim(E \cdot W) = tw$ the probability is equivalent to this term (see Remark 2). As a consequence, the upper-bound $q^{-(n-k)+tw-1}$ given in [3] cannot hold.

Next, the second reason why the LRPC decoder might not decode correctly comes from the fact that we do not obtain $E$ when computing $\bigcap_{i=1}^{w} f_i^{-1} \cdot S$. In the literature there exist essentially two ways to upper-bound the probability of occurrence of this event. One approach is described in [4], where two upper-bounds are given: in [4, Proposition 3.5] the probability is at most $t\,q^{tw(w+1)/2-m}$ and in [4, Proposition 3.8] it is at most $t\,q^{(2w-1)t-m}$. The other path, followed in [3, Proposition 2.4.2] and [2, Proposition 3], consists in assuming, as explained previously, that $f_i^{-1} \cdot S$ behaves as a random linear space $R_i$ containing $E$. This enables the authors to prove that the probability is at most $q^{-(w-1)(m-tw-t)}$. In this work, we depart from this assumption and we prove in Theorem 2 that this probability is at most $q^{(2w-1)t}/(q^m - q^{t-1})$. Although our bound is less interesting than $q^{-(w-1)(m-tw-t)}$, it is however better than the theoretical ones given in [4].

Finally, the last situation that induces a decoding failure is when the unknown coordinates of $e$ cannot be recovered because the linear system inferred from $s = eH^T$ is not of full rank. This happens when the dimension of $E \cdot W$ is strictly less than $\dim_{\mathbb{F}_q} E \cdot \dim_{\mathbb{F}_q} W = tw$. The paper [4] shows in Proposition 3.3 that this case happens with probability at most $t\,q^{tw-m}$ over the random choice of $E$ and for a given set $W$. In Proposition 4 we improve this bound by showing that this probability is at most $q^{tw}/(q^m - q^{t-1})$. Theorem 1 summarizes all our theoretical analysis, which allows us to prove that when $tw\,q^{-(n-k)+tw} \ll 1$, $tw = \omega(1)$ and $k = \Theta(n)$, we obtain an upper-bound asymptotically equivalent to $q^{-(n-k)+tw}/(q-1) + q^{2tw-m}$ as $n$ tends to $+\infty$ (Corollary 1).

¹ We can also get this result by using directly Theorem 2 from [2].

Table 1. Comparison with previous theoretical bounds

Case of error: $P\big(\langle eH^T \rangle_{\mathbb{F}_q} \neq E \cdot W\big)$; previous bound [4]: $q^{-(n-k)+tw}$; our bound: $1 - \prod_{i=0}^{tw-1} \big(1 - q^{i-(n-k)}\big)$
Case of error: $P\big(E \neq \bigcap_{i=1}^{w} f_i^{-1} \cdot W \cdot E\big)$; previous bound [4]: $t\,q^{(2w-1)t-m}$; our bound: $q^{(2w-1)t}/(q^m - q^{t-1})$
Case of error: $P\big(\dim E \cdot W \neq tw\big)$; previous bound [4]: $t\,q^{tw-m}$; our bound: $q^{tw}/(q^m - q^{t-1})$

2 Preliminaries

2.1 Notation