Providing closed-form estimates of the decoding failure rate of iterative decoders for low- and moderate-density binary parity-check codes has attracted significant interest in the research community. Recently, interest in this topic has increased due to the use of iterative decoders in post-quantum cryptosystems, where the desired decoding failure rates (DFRs) are less than or equal to $2^{-128}$ and impossible to estimate via Monte Carlo simulations. We propose a new technique that provides accurate DFR estimates for a two-iteration (parallel) bit-flipping decoder that can be used for cryptographic purposes. We estimate the bit-flipping probabilities at the second decoder iteration and the syndrome weight distribution before and after the first iteration as a function of the code parameters and error weight. We validate our results numerically by comparing the modelled and simulated syndrome weights, the incorrectly guessed error bit distribution at the end of the first iteration, and the DFR after two iterations in both the floor and waterfall regimes. Finally, we apply our method to estimate the DFR of the LEDAcrypt cryptographic system, a post-quantum key encapsulation method that employs a two-iteration bit-flipping decoder. We show that the DFR estimate resulting from the chosen code parameters can be improved by a factor larger than $2^{70}$ with respect to previous estimation techniques, when $128$-bit security is required. This allows for a $20$% reduction in public key and ciphertext sizes at no security loss. We note that our results can be applied to the post-quantum cryptosystem known as Bit Flipping Key Encapsulation (BIKE) by replacing the current "BIKE-flip decoder" with the two-iteration decoder, consequently endowing BIKE, provably, with the property of indistinguishability under an adaptive chosen-ciphertext attack (IND-CCA$2$).