decoding random codes asymptotics benchmarks challenges
play

Decoding random codes: asymptotics, benchmarks, challenges, and - PDF document

Jun 13, 2023 •448 likes •1.17k views

Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J. Bernstein University of Illinois at Chicago Assume that were using the McEliece cryptosystem (or Neiderreiter or ) to encrypt a plaintext.

  1. Decoding random codes: asymptotics, benchmarks, challenges, and implementations D. J. Bernstein University of Illinois at Chicago

  2. Assume that we’re using the McEliece cryptosystem (or Neiderreiter or ✿ ✿ ✿ ) to encrypt a plaintext. Usual standard for high security: Choose cryptosystem parameters so that the attacker cannot decrypt the ciphertext.

  3. Assume that we’re using the McEliece cryptosystem (or Neiderreiter or ✿ ✿ ✿ ) to encrypt a plaintext. Usual standard for high security: Choose cryptosystem parameters so that the attacker cannot decrypt the ciphertext. has negligible chance of distinguishing this ciphertext from the ciphertext for another plaintext.

  4. Assume that we’re using the McEliece cryptosystem (or Neiderreiter or ✿ ✿ ✿ ) to encrypt a plaintext. Usual standard for high security: Choose cryptosystem parameters so that the attacker cannot decrypt the ciphertext. has negligible chance of distinguishing this ciphertext from the ciphertext for another plaintext. (Maybe better to account for multi-target; see previous talk.)

  5. Attacker’s success chance increases with more computation, eventually reaching ✙ 1. Public-key cryptography is never information-theoretically secure!

  6. Attacker’s success chance increases with more computation, eventually reaching ✙ 1. Public-key cryptography is never information-theoretically secure! But real-world attackers do not have unlimited computation. The usual standard, quantified: Choose cryptosystem parameters so that attacker has success chance at most ✎ after 2 ❝ computations.

  7. These parameters depend on ❝ and ✎ .

  8. These parameters depend on ❝ and ✎ . Some people assume ❝ ❁ 80.

  9. These parameters depend on ❝ and ✎ . Some people assume ❝ ❁ 80. The ECC2K-130 project will reach 2 77 computations; future projects will break 2 80 . Some people assume ❝ = 128.

  10. These parameters depend on ❝ and ✎ . Some people assume ❝ ❁ 80. The ECC2K-130 project will reach 2 77 computations; future projects will break 2 80 . Some people assume ❝ = 128. Some people count #atoms in universe. Assume ❝ = 384?

  11. These parameters depend on ❝ and ✎ . Some people assume ❝ ❁ 80. The ECC2K-130 project will reach 2 77 computations; future projects will break 2 80 . Some people assume ❝ = 128. Some people count #atoms in universe. Assume ❝ = 384? Less discussion of ✎ . Is it okay for attacker to have 1% success chance? 1/1000? 1/1000000?

  12. How do we handle this variability in ( ❝❀ ✎ )? Strategy 1: A. Convince big community to focus on one ( ❝❀ ✎ ), eliminating the variability. B. Choose parameters.

  13. How do we handle this variability in ( ❝❀ ✎ )? Strategy 1: A. Convince big community to focus on one ( ❝❀ ✎ ), eliminating the variability. B. Choose parameters. Strategy 2—including this talk: A. Accept the variability. B. Choose parameters as functions of ( ❝❀ ✎ ).

  14. How do we handle this variability in ( ❝❀ ✎ )? Strategy 1: A. Convince big community to focus on one ( ❝❀ ✎ ), eliminating the variability. B. Choose parameters. Strategy 2—including this talk: A. Accept the variability. B. Choose parameters as functions of ( ❝❀ ✎ ). 1A more complicated than 2A.

  15. How do we handle this variability in ( ❝❀ ✎ )? Strategy 1: A. Convince big community to focus on one ( ❝❀ ✎ ), eliminating the variability. B. Choose parameters. Strategy 2—including this talk: A. Accept the variability. B. Choose parameters as functions of ( ❝❀ ✎ ). 1A more complicated than 2A. 2B more complicated than 1B.

  16. Helpful simplification for code-based cryptography: All of our best attacks consist of many iterations. Each iteration: small cost 2 ❝ , small success probability ✎ . Separate iterations are almost exactly independent: 2 ❝ ✵ � ❝ iterations cost 2 ❝ ✵ , have success probability almost exactly 1 � (1 � ✎ ) 2 ❝ ✵� ❝ . So parameters are really just functions of 2 ❝ ❂ log(1 ❂ (1 � ✎ )).

  17. Is this simplification correct? Objection 1: Is 2 ❝ ✵ � ❝ an integer?

  18. Is this simplification correct? Objection 1: Is 2 ❝ ✵ � ❝ an integer? Response: Use ❜ 2 ❝ ✵ � ❝ ❝ . Iteration success probability is so small that we care only about ❝ ✵ ✢ ❝ .

  19. Is this simplification correct? Objection 1: Is 2 ❝ ✵ � ❝ an integer? Response: Use ❜ 2 ❝ ✵ � ❝ ❝ . Iteration success probability is so small that we care only about ❝ ✵ ✢ ❝ . Objection 2: “Reusing pivots” makes our best attacks faster but loses some independence.

  20. Is this simplification correct? Objection 1: Is 2 ❝ ✵ � ❝ an integer? Response: Use ❜ 2 ❝ ✵ � ❝ ❝ . Iteration success probability is so small that we care only about ❝ ✵ ✢ ❝ . Objection 2: “Reusing pivots” makes our best attacks faster but loses some independence. Response: Yes, must replace ✎ by result of Markov-chain analysis.

  21. Is this simplification correct? Objection 1: Is 2 ❝ ✵ � ❝ an integer? Response: Use ❜ 2 ❝ ✵ � ❝ ❝ . Iteration success probability is so small that we care only about ❝ ✵ ✢ ❝ . Objection 2: “Reusing pivots” makes our best attacks faster but loses some independence. Response: Yes, must replace ✎ by result of Markov-chain analysis. But can still merge ( ❝❀ ✎ ) into 2 ❝ ❂ log(1 ❂ (1 � ✎ )).

  22. Attacker’s 2 ❝ ❂ log(1 ❂ (1 � ✎ )) depends not only on parameters but also on attack algorithm. Maybe attacker has found a much faster algorithm than anything we know!

  23. Attacker’s 2 ❝ ❂ log(1 ❂ (1 � ✎ )) depends not only on parameters but also on attack algorithm. Maybe attacker has found a much faster algorithm than anything we know! All public-key cryptosystems share this risk.

  24. Attacker’s 2 ❝ ❂ log(1 ❂ (1 � ✎ )) depends not only on parameters but also on attack algorithm. Maybe attacker has found a much faster algorithm than anything we know! All public-key cryptosystems share this risk. Responses to this risk: a huge amount of snake oil, and one standard approach that seems to be effective.

  25. The standard approach: Encourage many smart people to search for speedups. Monitor their progress: big speedup, big speedup, small speedup, big speedup, small, small, tiny, big, small, tiny, small, small, tiny, tiny, small, tiny, tiny, small, tiny, tiny, tiny, tiny. Eventually progress stops. After years, build confidence that optimal algorithm is known.

  26. The standard approach: Encourage many smart people to search for speedups. Monitor their progress: big speedup, big speedup, small speedup, big speedup, small, small, tiny, big, small, tiny, small, small, tiny, tiny, small, tiny, tiny, small, tiny, tiny, tiny, tiny. Eventually progress stops. After years, build confidence that optimal algorithm is known. ✿ ✿ ✿ or is it?

  27. Consider cost of multiplying two ♥ -coeff polys in R [ ① ], where cost means # adds and mults in R . Fast Fourier transform (Gauss): (15 + ♦ (1)) ♥ lg ♥ .

  28. Consider cost of multiplying two ♥ -coeff polys in R [ ① ], where cost means # adds and mults in R . Fast Fourier transform (Gauss): (15 + ♦ (1)) ♥ lg ♥ . Huge interest starting 1965. Split-radix FFT (1968 Yavne): (12 + ♦ (1)) ♥ lg ♥ . Many descriptions, analyses, implementations, followups; 12 was believed optimal.

  29. Consider cost of multiplying two ♥ -coeff polys in R [ ① ], where cost means # adds and mults in R . Fast Fourier transform (Gauss): (15 + ♦ (1)) ♥ lg ♥ . Huge interest starting 1965. Split-radix FFT (1968 Yavne): (12 + ♦ (1)) ♥ lg ♥ . Many descriptions, analyses, implementations, followups; 12 was believed optimal. Tangent FFT (2004 van Buskirk): (34 ❂ 3 + ♦ (1)) ♥ lg ♥ .

  30. Consider cost of multiplying two ♥ -coeff polys in F 2 [ ① ], where cost means # adds and mults in F 2 . Standard schoolbook method: 2 ♥ 2 � 2 ♥ + 1; e.g., 61 for ♥ = 6.

  31. Consider cost of multiplying two ♥ -coeff polys in F 2 [ ① ], where cost means # adds and mults in F 2 . Standard schoolbook method: 2 ♥ 2 � 2 ♥ + 1; e.g., 61 for ♥ = 6. 1963 Karatsuba method: e.g., 59 for ♥ = 6. Many descriptions, analyses, implementations, followups. Improved for large ♥ , but was believed optimal for small ♥ .

  32. Consider cost of multiplying two ♥ -coeff polys in F 2 [ ① ], where cost means # adds and mults in F 2 . Standard schoolbook method: 2 ♥ 2 � 2 ♥ + 1; e.g., 61 for ♥ = 6. 1963 Karatsuba method: e.g., 59 for ♥ = 6. Many descriptions, analyses, implementations, followups. Improved for large ♥ , but was believed optimal for small ♥ . 2000 Bernstein: e.g., 57 for ♥ = 6.

  33. Consider cost of multiplying two ♥ -bit integers in Z , where cost means # NAND gates. Schoolbook: ❖ ( ♥ 2 ).

  34. Consider cost of multiplying two ♥ -bit integers in Z , where cost means # NAND gates. Schoolbook: ❖ ( ♥ 2 ). Intense work after Karatsuba. 1971 Sch¨ onhage–Strassen: ❖ ( ♥ lg ♥ lg lg ♥ ). Used in many theorems. Was believed optimal.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto

Recent Advances in Decoding Random Binary Linear Codes and Their Implications to Crypto Alexander May Horst Grtz Institute for IT-Security Faculty of Mathematics Ruhr-University of Bochum L ATTICE C ODING AND C RYPTO M EETING M AY 2017,

793 views • 32 slides
Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and

Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and

Information Theory Lecture 8 BCH codes BCH codes: R8.45 (R5.6) Decoding BCH (and RS) codes: R6 Reed-Solomon codes RS codes: R5.13 Mikael Skoglund, Information Theory 1/15 The BCH Bound Theorem : Let C be cyclic of

276 views • 8 slides
List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU

List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU

Contents List decoding of error-correcting codes Fast list decoding of ReedSolomon codes Fast list decoding of certain AG codes List Decoding of Algebraic Codes Peter Beelen, Kristian Brander and Johan S.R. Nielsen DTU Mathematics

1.33k views • 81 slides
Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May

Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May

Error-correcting codes Polynomial-based codes Efficient decoding of Reed-Muller codes Decoding Reed-Muller codes over product sets John Kim, Swastik Kopparty Rutgers University May 30, 2016 John Kim, Swastik Kopparty Decoding Reed-Muller

429 views • 18 slides
Introduction to rank-based cryptography Philippe Gaborit University of Limoges, France ASCRYPTO

Introduction to rank-based cryptography Philippe Gaborit University of Limoges, France ASCRYPTO

Rank codes : definitions and basic properties Decoding in rank metric Complexity issues : decoding random rank codes Encryption Authentication and signature Introduction to rank-based cryptography Philippe Gaborit University of Limoges,

1.56k views • 115 slides
Decoding the Path Integral: Resurgent Asymptotics and Extreme QFT Gerald Dunne University of

Decoding the Path Integral: Resurgent Asymptotics and Extreme QFT Gerald Dunne University of

Decoding the Path Integral: Resurgent Asymptotics and Extreme QFT Gerald Dunne University of Connecticut Theoretical Physics Colloquium, Arizona State, October 28, 2020 Physical Motivation 300 250 Temperature (MeV) Quark-Gluon Plasma 200

801 views • 59 slides
Deletion Decoding Codes from GRS Codes L McAven, R Safavi-Naini, Y Wang CIS- UoW AUSTRALIA

Deletion Decoding Codes from GRS Codes L McAven, R Safavi-Naini, Y Wang CIS- UoW AUSTRALIA

Deletion Decoding Codes from GRS Codes L McAven, R Safavi-Naini, Y Wang CIS- UoW AUSTRALIA Motivation 1 2 3 4 4 1 2 3 2 1 3 4 Tracing shortened fingerprints Deletion Correction Codewords, of length n A received word has n-r

542 views • 8 slides
Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th

Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th

Local Optimality Certificates for LP Decoding of Tanner Codes Nissim Halabi Guy Even 1 1 th Haifa Workshop on Interdisciplinary Applications of Graph Theory , Combinatorics and Algorithms. May 2011 1 Error Correcting Codes Worst Case Vs.

305 views • 28 slides
6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics

6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics

6.02 Fall 2012 Lecture #7 Viterbi decoding of convolutional codes Path and branch metrics Hard-decision & soft-decision decoding Performance issues: decoder complexity, post- decoding BER, free distance concept 6.02 Fall 2012

488 views • 20 slides
On List Decoding of Alternant Codes in the Hamming and Lee metrics Ido Tal Ron M. Roth Computer

On List Decoding of Alternant Codes in the Hamming and Lee metrics Ido Tal Ron M. Roth Computer

On List Decoding of Alternant Codes in the Hamming and Lee metrics Ido Tal Ron M. Roth Computer Science Department, Technion, Haifa 32000, Israel. 1 Previous Work Berlekamp, 1968: Negacyclic codes for the Lee metric. Roth and Siegel, 1994:

850 views • 19 slides
LP Decoding of Regular LDPC Codes in Memoryless Channels Nissim Halabi Guy Even ISIT 2010 1

LP Decoding of Regular LDPC Codes in Memoryless Channels Nissim Halabi Guy Even ISIT 2010 1

LP Decoding of Regular LDPC Codes in Memoryless Channels Nissim Halabi Guy Even ISIT 2010 1 Low-Density Parity-Check Codes Factor graph representation of LDPC codes: Code C ( G ) and codewords x : x 1 x ( ) ( ) 2 =

580 views • 22 slides
Permutation-based decoding of Reed-Muller codes in binary erasure channel Kirill Ivanov, R

Permutation-based decoding of Reed-Muller codes in binary erasure channel Kirill Ivanov, R

Permutation-based decoding of Reed-Muller codes in binary erasure channel Kirill Ivanov, R udiger Urbanke Ecole Polytechnique F ed erale de Lausanne, Switzerland July 12, 2018 kirill.ivanov@epfl.ch (EPFL) Decoding of RM codes in

235 views • 6 slides
Successive Cancellation Decoding of Single Parity-Check Product Codes: Analysis and Improved

Successive Cancellation Decoding of Single Parity-Check Product Codes: Analysis and Improved

Institute for Communications Engineering Technische Universit at M unchen Successive Cancellation Decoding of Single Parity-Check Product Codes: Analysis and Improved Decoding Algorithms skun 1 , 2 Mustafa Cemil Co Joint work with

299 views • 17 slides
Practical Design and Decoding of Polar Codes Vera Miloslavskaya Saint-Petersburg State

Practical Design and Decoding of Polar Codes Vera Miloslavskaya Saint-Petersburg State

Practical Design and Decoding of Polar Codes Vera Miloslavskaya Saint-Petersburg State Polytechnic University veram@dcn.icc.spbstu.ru January 2015 Polar Codes Polar codes can achieve the capacity of 1 0 0 0 0 0 0 0 an arbitrary

323 views • 4 slides
List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael

List decoding of the First order Reed-Muller codes Application to cryptanalysis PA Attacks overview Ideal Countermeasure MLPA List decoding of RM(1,m) codes and Multi-linear Power Analysis attacks (MLPA) Ilya Dumer , Rafael Fourquet , Grigory

675 views • 33 slides
Decoding of Block Turbo Codes Mathematical Methods for Cryptography Dedicated to Celebrate Prof.

Decoding of Block Turbo Codes Mathematical Methods for Cryptography Dedicated to Celebrate Prof.

Decoding of Block Turbo Codes Mathematical Methods for Cryptography Dedicated to Celebrate Prof. Tor Helleseths 70 th Birthday September 4-8, 2017 Kyeongcheol Yang Pohang University of Science and Technology 1/35 Outline Product codes

601 views • 35 slides
3. Examples Show Correctness, Recursion and Recurrences [References to literatur at the examples]

3. Examples Show Correctness, Recursion and Recurrences [References to literatur at the examples]

3. Examples Show Correctness, Recursion and Recurrences [References to literatur at the examples] 41 3.1 Ancient Egyptian Multiplication Ancient Egyptian Multiplication Example on how to show correctness of algorithms. 42 Ancient Egyptian

923 views • 60 slides
15-251 Great Theoretical Ideas in Computer Science Lecture 10: Power of Algorithms February

15-251 Great Theoretical Ideas in Computer Science Lecture 10: Power of Algorithms February

15-251 Great Theoretical Ideas in Computer Science Lecture 10: Power of Algorithms February 16th, 2017 Computable cousins of uncomputable problems Halting Problem Input: Description of a TM M and an input x Question: Does M ( x ) halt? This is

502 views • 47 slides
CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication

CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication

CS 401 Integer Multiplication / Matrix Multiplication Xiaorui Sun 1 Integer Multiplication Integer Arithmetic 1 1 1 1 1 1 0 1 Add: Given two ! -bit integers 1 1 0 1 0 1 0 1 " and # , compute " + # . Add + 0 1 1 1

468 views • 19 slides
Basic Algorithms in Number Theory Francesco Pappalardi Algorithmic Complexity & more. July 19

Basic Algorithms in Number Theory Francesco Pappalardi Algorithmic Complexity & more. July 19

Algorithmic Complexity ... 1 Basic Algorithms in Number Theory Basic Algorithms in Number Theory Francesco Pappalardi Algorithmic Complexity & more. July 19 th 2010 Algorithmic Complexity ... 2 Basic Algorithms in Number Theory

416 views • 26 slides
tt tr rs r

tt tr rs r

tt tr rs r r s s t r t r s

848 views • 52 slides
Basic Algorithms in Number Theory Francesco Pappalardi #1 - Algorithmic Complexity & more.

Basic Algorithms in Number Theory Francesco Pappalardi #1 - Algorithmic Complexity & more.

Algorithmic Complexity ... 1 Basic Algorithms in Number Theory Basic Algorithms in Number Theory Francesco Pappalardi #1 - Algorithmic Complexity & more. August 31 st 2015 SEAMS School 2015 Number Theory and Applications in Cryptography

723 views • 27 slides
Two Fast Parallel GCD Algorithms of Many Integers Sidi Mohamed SEDJELMACI Laboratoire

Two Fast Parallel GCD Algorithms of Many Integers Sidi Mohamed SEDJELMACI Laboratoire

Two Fast Parallel GCD Algorithms of Many Integers Sidi Mohamed SEDJELMACI Laboratoire dInformatique Paris Nord, France . ISSAC 2017, Kaiserslautern, 24-28 July 2017 . 1 Motivations GCD of two integers : Used in CAS as a low operation,

701 views • 33 slides
Computing Nearest Gcd with Certification G. Chze, A. Galligo, B. Mourrain, J.-C. Yakoubsohn

Computing Nearest Gcd with Certification G. Chze, A. Galligo, B. Mourrain, J.-C. Yakoubsohn

Computing Nearest Gcd with Certification G. Chze, A. Galligo, B. Mourrain, J.-C. Yakoubsohn Institut de Mathmatiques de Toulouse, Universit de Nice, Inria. RAIM 2011 G. Chze (IMT) Computing Nearest Gcd with Certification 1 / 31

616 views • 32 slides

More recommend