Appendix: Code problems

A quick primer to essential notions useful in post-quantum cryptography. While this aims to be precise, it cannot and will not be exhaustive; please check out the wealth of resources available to students of cryptography¹ ².

Decoding problem

Informally, a code \(C\) maps message vectors \(m\) of length \(k\) into code words \(c\) of a greater length \(n\). If transmission over a noisy channel³ modifies received messages \(b = c + e\) by a sufficiently small error vector \(e\), for appropriately chosen \(C\), these errors can be corrected by an efficient decoding algorithm.

Linear code

An \(\lbrack n,k,d\rbrack_q\) linear code of length \(n\) and dimension \(k\) is a subspace \(C\) of the vector space \(\mathbb {F}_{q}^{n}\), where \(\mathbb {F} _{q}\) is the finite field with \(q\) elements.

\(C\) can be represented by

the row space of a generating matrix \(G \in \mathbb{F}^{k\times n}\) \(\begin{align*} C &= \lbrace mG \mid m \in \mathbb{F}^k \rbrace\end{align*}\)
the kernel space of a parity-check matrix \(H \in \mathbb{F}^{(n-k)\times n}\) \(\begin{align*} C &= \lbrace c \mid Hc^T=0, c \in \mathbb{F}^n \rbrace\end{align*}\)

If \(q = 2\), the code is called binary.

The size of a code is the number of codewords: \(|C|=q^k.\)
The Hamming weight of a codeword is the number of its non-zero elements: \(w(c)=\left| \lbrace j \mid c(j)\neq 0 \rbrace \right|.\)
The Hamming distance between two codewords is the number of elements in which they differ: \(d(c_1,c_2)=\left|\lbrace j \mid c_1(j) \neq c_2(j) \rbrace \right|.\)
The distance of a code is, equivalently:
- the minimum weight of its non-zero codewords;
- the distance between the non-zero codeword with smallest Hamming weight, and the zero codeword;
- the minimum distance between any two distinct codewords \(d(C)=\min \lbrace d(c_1,c_2) \mid c_1,c_2 \in C, c_1 \neq c_2 \rbrace.\)
The rows of \(G\) are codewords forming a basis of \(C\).

Decoding problem

Given

\(x\in \mathbb{F}^n\),

find the closest codeword \(c\in C\) to \(x\).

For specific code families and known codes, efficient decoding algorithms exist. In general, the problem is considered hard.

Equivalence: syndrome decoding

Syndrome decoding problem

The syndrome of \(b\) is \(s=Hb\), for a parity check matrix \(H\). Note that \(Hb=H(c+e)=He\).

Given \(s\), compute \(e\) such that \(He=s\), and \(w(e)\) is sufficiently small.

This is equivalent to the decoding problem because, computed \(e\), \(c=b-e\).

References

Lange, T. (2019). Code-based cryptography. Executive school on post-quantum cryptography. https://www.hyperelliptic.org/tanja/talks.html. https://pqcschool.org/slides/20190702-exec.pdf ↩︎
Menezes, A. J. (2024). Cryptography 101. https://cryptography101.ca/. ↩︎
Shannon, C. E. (1948). A mathematical theory of communication. The Bell System Technical Journal, 27(3), 379–423. https://doi.org/10.1002/j.1538-7305.1948.tb01338.x ↩︎

Last updated on August 3, 2025