Dissection-BKW CRYPTO 2018, Santa Barbara , August 20th 2018 Andre Esser , Felix Heuer, Robert Kübler, Alexander May, Christian Sohler Horst Görtz Institute for IT Security Ruhr University Bochum
What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13
What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 • Cryptographic applications [HB01, Ale03, HKL + 12, DV13] Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13
What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 • Cryptographic applications [HB01, Ale03, HKL + 12, DV13] • Solve LPN: BKW algorithm [BKW00] ◦ Time = Memory = Samples , slightly subexponential ◦ only small experiments [BTV16, EKM17] Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13
What is LPN? Learning Parity with Noise (LPN) Problem $ ← F k 2 , Pr [ e i = 1] = τ < 1 Given: ( a i , � a i , s � + e i ) , a i 2 Find: s ∈ F k 2 • Cryptographic applications [HB01, Ale03, HKL + 12, DV13] • Solve LPN: BKW algorithm [BKW00] ◦ Time = Memory = Samples , slightly subexponential ◦ only small experiments [BTV16, EKM17] • Goal: BKW-variant applicable for any given memory Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 2/13
Illustration of “BKW” ( a 1 , � a 1 , s � + e 1 ) ( a 2 , � a 2 , s � + e 2 ) Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” ( a 1 , � a 1 , s � + e 1 ) + ( a 2 , � a 2 , s � + e 2 ) = ( a 1 + a 2 , � a 1 + a 2 , s � + e 1 + e 2 ) a ′ � a ′ , s � e ′ ( , + ) Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” $ 0101 0101 $ stripe Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 0000 $ $ 0101 + 0101 $ stripe Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 0000 $ $ 0101 1111 $ 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 0000 $ $ 0101 $ 0000 1111 $ + 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 0000 $ $ 0101 $ 0000 $ 0000 1111 $ 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 0000 $ $ 0101 $ 0000 $ 0000 1111 0000 $ $ 0101 $ $ 1111 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 0000 $ $ 0101 $ 0000 $ 0000 1111 0000 $ $ 0101 $ . . . . . . . . . $ 1111 0000 $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” $ $ $ $ . . . . . . . . . $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” $ $ $ $ $ $ $ $ → . . . . . . . . . . . . . . . . . . $ $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 1 $ $ $ $ 1 $ $ 1 1 $ $ → → . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 $ $ Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
Illustration of “BKW” 1 $ $ $ $ 1 $ $ 1 1 $ $ → → . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 $ $ • a i = (1 , 0 , 0 , . . . , 0) ⇒ ( a i , � a i , s � + e i ) = ( a i , s 1 + e i ) • Majority vote! BKW Theorem [BKW00, LF06] BKW solves LPN in time, memory and sample complexity 2 k/ log k . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 3/13
c -sum Observation $ 0000 0101 $ + $ 0101 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 $ 0101 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) ! � N � / 2 b ≥ N c c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) N ≥ 2 b/ ( c − 1) c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) N = 2 b/ ( c − 1) c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
c -sum Observation $ 0000 0101 $ + $ 0000 number of c -sums increases exponentially in c $ 0101 ⇒ much smaller list (save Memory & Samples) N = 2 b/ ( c − 1) Main Idea: solve c - SP repeatedly on stripes c -sum-Problem ( c - SP ) Given a list L of N uniformly distributed elements from F b 2 . Find N combinations of c elements from L that each add up to 0 b . Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 4/13
■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0101 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0101 → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0101 sum of A = 2 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0000 $ 0101 sum of A = 2 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0000 $ 0101 sum of A = 2 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s Not just a memory reduction technique $ 0101 $ + $ 0000 $ 0101 sum of B = 3 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 sum of B = 3 # ■t❡r❛t✐♦♥s samples → → → $ $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 sum of A samples → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
■t❡r❛t✐♦♥s ■t❡r❛t✐♦♥s Not just a memory reduction technique $ 1010101 $ + $ 1110000 $ 0100101 sum of A samples → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 5/13
❛♥❞ → → $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13
❛♥❞ → → N $ $ 1 Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13
❛♥❞ → → N $ $ 1 solve c - SP Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13
❛♥❞ → → N $ $ 1 solve c - SP Memory Dissection-BKW|CRYPTO 2018, Santa Barbara|August 20th 2018 6/13
Recommend
More recommend
