Grow & Cut - Using Representations in Cryptanalysis Alexander - - PowerPoint PPT Presentation

Grow & Cut - Using Representations in Cryptanalysis

Alexander Meurer, Ruhr-Universität Bochum ECRYPT Summer School on Tools, Mykonos, 2012

Motivation Motivation

• Generic technique for combinatorial problems
• Simple (no complicated math needed)
• Powerful (3x Eurocrypt, 1x Asiacrypt)
• Versatile (fnd more applications!)

Motivation Motivation

• Generic technique for combinatorial problems
• Simple (no complicated math needed)
• Powerful (3x Eurocrypt, 1x Asiacrypt)
• Versatile (fnd more applications!)

Motivation Motivation

• Generic technique for combinatorial problems
• Simple (no complicated math needed)
• Powerful (3x Eurocrypt, 1x Asiacrypt)
• Versatile (fnd more applications!)

Motivation Motivation

• Generic technique for combinatorial problems
• Simple (no complicated math needed)
• Powerful (3x Eurocrypt, 1x Asiacrypt)
• Versatile (fnd more applications!)

Motivation Motivation

• Generic technique for combinatorial problems
• Simple (no complicated math needed)
• Powerful (3x Eurocrypt, 1x Asiacrypt)
• Versatile (fnd more applications!)

This talk:

• High-level introduction
• Spotlight low-level pitfalls

Motivation Motivation

• Generic technique for combinatorial problems
• Simple (no complicated math needed)
• Powerful (3x Eurocrypt, 1x Asiacrypt)
• Versatile (fnd more applications!)

This talk:

• High-level introduction
• Spotlight low-level pitfalls

Corresponding slides marked with

Outline Outline

1 1

Knapsack problem

2 2

Basic representation technique

3 3

Information Set Decoding

4 4

Extended representation technique

5 5

Conclusion & open questions

The Knapsack Problem The Knapsack Problem

Knapsack Problem Knapsack Problem

• Given positive integers S and a1 , … , an consider

equation

• Decisional knapsack problem

Is there a {0,1} solution?

• Computational knapsack problem: Find it!

Knapsack Problem Knapsack Problem

• Given positive integers S and a1 , … , an consider

equation

• Decisional knapsack problem

Is there a {0,1} solution?

• Computational knapsack problem: Find it!

Simplifying Assumptions:

• Hamming weight wt(x) of x=( x1 , … , xn ) is known
• wt(x) = n / 2 (hardest case)

Basic Facts Basic Facts

• Decisional version is NP-complete
• Computational version is NP-hard
• Crucial parameter: Density
• There are a lot of easy knapsacks ( e.g. low

density d<0.94 or structured ai )

Basic Facts Basic Facts

• Decisional version is NP-complete
• Computational version is NP-hard
• Crucial parameter: Density
• There are a lot of easy knapsacks ( e.g. low

density d<0.94 or structured ai )

We will consider random knapsacks

• f density d ≈ 1, i.e. ai ←R {1,...,2n}

Elementary Algorithms Elementary Algorithms

• Brute-Force: Time O(2n) and Space O(1)
• Meet-in-the-Middle algorithm based on

yields Time O(2n/2) and Space O(2n/2)

Elementary Algorithms Elementary Algorithms

• Brute-Force: Time O(2n) and Space O(1)
• Meet-in-the-Middle algorithm based on

yields Time O(2n/2) and Space O(2n/2)

Schroeppel-Shamir Algorithm Schroeppel-Shamir Algorithm

• To run the MitM algorithm, it suffces to

enumerate the sets

• n-the-fy in increasing order
• Can be done with less memory
• Time O(2n/2) and Space O(2n/4)

Schroeppel-Shamir Algorithm Schroeppel-Shamir Algorithm

• To run the MitM algorithm, it suffces to

enumerate the sets

• n-the-fy in increasing order
• Can be done with less memory
• Time O(2n/2) and Space O(2n/4)

So far: All algorithms deterministic!

The Representation Technique The Representation Technique

The Representation Technique [HGJ10] The Representation Technique [HGJ10]

How to fnd a needle N in a haystack H

The Representation Technique [HGJ10] The Representation Technique [HGJ10]

...or how to fnd a grain of rice among sand...

The Representation Technique [HGJ10] The Representation Technique [HGJ10]

• Expand H into larger stack H'
• Expanding H' introduces r many representations

N1 , … , Nr

• Examine a 1/r – fraction of H' to fnd one Ni

The Representation Technique [HGJ10] The Representation Technique [HGJ10]

• Expand H into larger stack H'
• Expanding H' introduces r many representations

N1 , … , Nr

• Examine a 1/r – fraction of H' to fnd one Ni

Technicality: Find a way to examine a 1/r – fraction

• f H' without completely

constructing it beforehand Technicality: Find a way to examine a 1/r – fraction

• f H' without completely

constructing it beforehand

Building Block: Merging Lists Building Block: Merging Lists

• Given: two sorted lists of labeled elements

Building Block: Merging Lists Building Block: Merging Lists

• Given: two sorted lists of labeled elements
• Labeling function ¸
• Maps x onto totally
• rdered set ( ¤ , ≤ )
• Assigns „uniformly dis-

tributed“ labels

Building Block: Merging Lists Building Block: Merging Lists

• Given: two sorted lists of labeled elements
• Compute all ( xL , xR ) with ¸L(xL) = ¸R(xR)

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

Both lists sorted according to those labels

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 1 j = 1

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 1 j = 1

If ¸L(xL

i) < ¸R(xR j) then i++

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 2 j = 1

If ¸L(xL

i) < ¸R(xR j) then i++

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 2 j = 1

If ¸L(xL

i) > ¸R(xR j) then j++

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 2 j = 2

If ¸L(xL

i) > ¸R(xR j) then j++

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 2 j = 2

If ¸L(xL

i) = ¸R(xR j) then

• Find minimal i* with ¸L(xL

i) < ¸L(xL i*)

• Find minimal j* with ¸R(xR

j) < ¸R(xR j*)

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 2 j = 2 i* = 6 j* = 4

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i* = 6 j* = 4

Output all ( xL

I , xR J ) for i ≤ I < i* and j ≤ J < j*

i = 2 j = 2

Building Block: Merging Lists Building Block: Merging Lists

xL

1 , ¸L(xL 1)

xL

2 , ¸L(xL 2)

. . . . . . xL

m , ¸L(xL m)

xR

1 , ¸R(xR 1)

xR

2 , ¸R(xR 2)

. . . . . . xR

n , ¸R(xR n)

i = 6 j = 4

Continue with i := i* and j := j* until end

• f one list reached

Building Block: Merging Lists Building Block: Merging Lists

• Denote C the number of collisions
• Complexity at most
• Expected number of collisions C

since ¸ assigns uniform labels

Building Block: Merging Lists Building Block: Merging Lists

• Given: two sorted lists of labeled elements
• Compute all ( xL , xR ) with ¸L(xL) = ¸R(xR) that

fulfll a predicate ∏( xL , xR ) = 1

• Given: two sorted lists of labeled elements
• Compute all ( xL , xR ) with ¸L(xL) = ¸R(xR) that

fulfll a predicate ∏( xL , xR ) = 1 e.g. wt( xL + xR ) = w for some appropriately chosen parameter w

Building Block: Merging Lists Building Block: Merging Lists

• Given: two sorted lists of labeled elements
• Compute all ( xL , xR ) with ¸L(xL) = ¸R(xR) that

fulfll a predicate ∏( xL , xR ) = 1

Size of merged lists might be smaller than number of collisions C!

Building Block: Merging Lists Building Block: Merging Lists

e.g. wt( xL + xR ) = w for some appropriately chosen parameter w

Knapsack Representation Technique Knapsack Representation Technique

Expand H into larger stack H'

Expanding the Knapsack Haystack Expanding the Knapsack Haystack

• Recall: Classical MitM haystack

H = {0,1}n/2 x {0}n/2

• f size 2n/2

Expanding the Knapsack Haystack Expanding the Knapsack Haystack

• Recall: Classical MitM haystack

H = {0,1}n/2 x {0}n/2

• f size 2n/2

Contains unique Needle ( x1 , … , xn/2 )

Expanding the Knapsack Haystack Expanding the Knapsack Haystack

• Recall: Classical MitM haystack

H = {0,1}n/2 x {0}n/2

• f size 2n/2
• New expanded haystack

H' = { x 2 {0,1}n : wt(x) = n/4 }

Expanding the Knapsack Haystack Expanding the Knapsack Haystack

• Recall: Classical MitM haystack

H = {0,1}n/2 x {0}n/2

• f size 2n/2
• New expanded haystack

H' = { x 2 {0,1}n : wt(x) = n/4 }

Knapsack Representation Technique Knapsack Representation Technique

Expanding H' introduces r many representations N1 , … , Nr

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 )

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 ) We can choose 2 out of 4 of the 1-entries, so many representations

Number of Knapsack Representations Number of Knapsack Representations

• Example (n=8)
• Denote x* = ( 1 0 1 1 0 0 1 0) the solution
• x* can be represented as

( 1 0 1 0 0 0 0 0 ) + ( 0 0 0 1 0 0 1 0 ) ( 1 0 0 1 0 0 0 0 ) + ( 0 0 1 0 0 0 1 0 ) ( 1 0 0 0 0 0 1 0 ) + ( 0 0 1 1 0 0 0 0 ) ( 0 0 1 1 0 0 0 0 ) + ( 1 0 0 0 0 0 1 0 ) ( 0 0 1 0 0 0 1 0 ) + ( 1 0 0 1 0 0 0 0 ) ( 0 0 0 1 0 0 1 0 ) + ( 1 0 1 0 0 0 0 0 ) We can choose 2 out of 4 of the 1-entries, so many representations In general: many representations

Knapsack Representation Technique Knapsack Representation Technique

Examine a 1/r – fraction of H' to fnd one Ni

The Cutting Phase The Cutting Phase

• We need to flter out a 2-n/2 fraction of

H' = { x 2 {0,1}n : wt(x) = n/4 }

• For

compute two lists

• Find one (x,y) with
• ver

The Cutting Phase The Cutting Phase

• We need to flter out a 2-n/2 fraction of

H' = { x 2 {0,1}n : wt(x) = n/4 }

• For

compute two lists

• Find one (x,y) with
• ver

The Cutting Phase The Cutting Phase

• We need to flter out a 2-n/2 fraction of

H' = { x 2 {0,1}n : wt(x) = n/4 }

• For

compute two lists

• Find one (x,y) with
• ver

The Cutting Phase The Cutting Phase

• We need to flter out a 2-n/2 fraction of

H' = { x 2 {0,1}n : wt(x) = n/4 }

• For

compute two lists

• Find one (x,y) with
• ver

Complexity

The Cutting Phase The Cutting Phase

• We need to flter out a 2-n/2 fraction of

H' = { x 2 {0,1}n : wt(x) = n/4 }

• For

compute two lists

• Find one (x,y) with
• ver

Complexity Computing the is in fact more expensive!

Computing Computing L L1

1 - 1

• 1st

st Attempt

Attempt

• Idea: Do it in a Meet-in-the-Middle way
• Choose a (random) partition
• Merge the lists

Computing Computing L L1

1 - 1

• 1st

st Attempt

Attempt

• Idea: Do it in a Meet-in-the-Middle way
• Choose a (random) partition
• Merge the lists

Computing Computing L L1

1 - 1

• 1st

st Attempt

Attempt

• Idea: Do it in a Meet-in-the-Middle way
• Choose a (random) partition
• Merge the lists

Choose labels

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

List sizes

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

List sizes

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

List sizes

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

List sizes

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

x

List sizes

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

x

List sizes

Complexity* = Max = 20.4057n

Complexity Analysis: 1 Complexity Analysis: 1st

st Attempt

Attempt

x

List sizes

Complexity* = Max = 20.4057n

If assign uniform labels

¸ ¸L

L and

and ¸

¸R

R are almost always good

are almost always good

• Recall
• Example: Good and bad distributed labels (n=20)

random ai ai = 0 for i=1,...,n/2

• Recall
• Example: Good and bad distributed labels (n=20)

random ai ai = 0 for i=1,...,n/2

One can show: Fraction of bad knapsacks (a1, … , an) is exponentially small!

¸ ¸L

L and

and ¸

¸R

R are almost always good

are almost always good

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

• Aim: Compute 2-n/2 fraction of

H' = { x 2 2 {0,1}n : wt(x) = n/4 }

• Idea: Use representations again!
• Decompose x2H' as x = y+z where y,z 2

2 H'' and H'' = { y 2 2 {0,1}n : wt(y) = n/8 } → Every x has representations (y,z)

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

• Aim: Compute 2-n/2 fraction of

H' = { x 2 2 {0,1}n : wt(x) = n/4 }

• Idea: Use representations again!
• Decompose x2H' as x = y+z where y,z 2

2 H'' and H'' = { y 2 2 {0,1}n : wt(y) = n/8 } → Every x has representations (y,z)

• Choose coprime M(1) and M(2) of size 20.25n
• Choose random target values (of size 20.25n)

with with

• Compute lists
• Merge into

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

• Choose coprime M(1) and M(2) of size 20.25n
• Choose random target values (of size 20.25n)

with with

• Compute lists
• Merge into

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

• Choose coprime M(1) and M(2) of size 20.25n
• Choose random target values (of size 20.25n)

with with

• Compute lists
• Merge into

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

• Choose coprime M(1) and M(2) of size 20.25n
• Choose random target values (of size 20.25n)

with with

• Compute lists
• Merge into

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

Can be computed as before by a MitM approach!

• Choose coprime M(1) and M(2) of size 20.25n
• Choose random target values (of size 20.25n)

with with

• Compute lists
• Merge into

Computing Computing L L1

1 - 2

• 2nd

nd Attempt

Attempt

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists

List sizes

Randomly partioned base lists

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists

List sizes Two modular constraints:

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists x

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists x

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Complexity = Max = 20.3113n Lower bound achieved?

Randomly partioned base lists x

List sizes

No! Forgot merge costs!

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Randomly partioned base lists x

List sizes

Complexity Analysis: 2 Complexity Analysis: 2nd

nd Attempt

Attempt

Summary (so far) Summary (so far)

• Represenation Technique gives fastest

(randomized) algorithm for random hard knapsacks Time Space Brute-Force 2n 1 MitM 2n/2 2n/2 Schroeppel-Shamir 2n/2 2n/4 Representations 20.3373n 20.2936n

Generic Decoding of Random Generic Decoding of Random Binary Linear Codes Binary Linear Codes

Recap Binary Linear Codes Recap Binary Linear Codes

• C = random binary [n,k,d] code
• n = length / k = dimension / d = minimum

distance

• Given x = c+e with c C

and w := wt(e) =

• Find e and thus c = x+e

2

4 5 d-1 2 · · · ·

c 4 5 d-1 2 x·

Bounded Distance Decoding (BDD) Bounded Distance Decoding (BDD)

Why do we care about BDD? Why do we care about BDD?

• BDD is connected to
• Message Recovery for classical McEliece

c = m*G + e

• Key recovery for Stern's identifcation scheme

id = H*s

• Hardness of the LPN problem (Learning

Parities with noise)

Comparing Running Times Comparing Running Times

How to compare performance of decoding algorithms

• Running time T(n,k,d)
• Fixed code rate R = k/n
• For n→∞, k and d are related via Gilbert-Varshamov

bound, thus T(n,k,d) = T(n,k) = T(n,R)

• Compare algorithms by complexity coeffcient F(R), i.e.

T(n,R) = 2F(R) • n + o(n)

How to compare performance of decoding algorithms

• Running time T(n,k,d)
• Fixed code rate R = k/n
• For n→∞, k and d are related via Gilbert-Varshamov

bound, thus T(n,k,d) = T(n,k) = T(n,R)

• Compare algorithms by complexity coeffcient F(R), i.e.

T(n,R) = 2F(R) • n + o(n) Minimize F(R)! Minimize F(R)!

Comparing Running Times Comparing Running Times

Syndrome Decoding Syndrome Decoding

• H = parity check matrix
• Consider syndrome s := s(x) = H·x = H·(c+e) = H·e

→ Find linear combination of w columns of H matching s

H

weight w n n-k

= + + =

s

(BDD) Given x = c+e with c C and wt(e)=w, fnd e!

2

Syndrome Decoding Syndrome Decoding

• H = parity check matrix
• Consider syndrome s := s(x) = H·x = H·(c+e) = H·e

→ Find linear combination of w columns of H matching s

H

weight w n n-k

= + + =

s

(BDD) Given x = c+e with c C and wt(e)=w, fnd e!

2

Brute-Force complexity T(n,k,d) = Brute-Force complexity T(n,k,d) =

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(R)

0,3868 0,06 0,05

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(R)

0,3868 0,06 0,05 0,0576 Prange

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(R)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(R)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern 0,0556 Ball-Collision

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

= s

weight w

H

n-k n

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

= s

weight w

H

n-k n

= s

weight w

H

n-k n

= s

weight w

H

n-k n

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

• Elementary row operations on H do not change the

problem

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

• Elementary row operations on H do not change the

problem

=

weight w

H

n-k n

s

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

• Elementary row operations on H do not change the

problem

=

weight w

H

n-k n

s = s

weight w

H

n-k n

UG

Invertible (n-k)x(n-k) matrix

UG

Randomized quasi-systematic form Randomized quasi-systematic form

• Work on randomly column-permuted version of H
• Transform H into quasi-systematic form

First used in generalized ISD framework of [FS09]

In-k-l In-k-l

l rows

Q' q1 , ..., qk+l

k+l n-k-l

H =

Information Set Decoding Information Set Decoding

''Reducing the brute-force search space by linear algebra.''

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

k+l n-k-l

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

Focus on e1 matching s on frst l coordinates Focus on e1 matching s on frst l coordinates

The ISD Principle The ISD Principle

• Structure of H allows to divide e = e1

e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

Find all e1 of weight p matching s on frst l coordinates

The ISD Principle The ISD Principle

• Structure of H allows to divide e = e1

e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

Find all e1 of weight p matching s on frst l coordinates

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

= =

• Method only recovers

particular error patterns

• If no solution found:

→ Rerandomize H

k+l n-k-l p w-p

e1 e2

The ISD Principle The ISD Principle

• 1st step (randomization): Compute „fresh“ random quasi-

systematic form of H

• 2nd step (search): Try to fnd a solution e amongst all

q1 , ..., qk+l

e1

=

s

H

k+l n-k-l p w-p

e1 e2

with

The ISD Principle The ISD Principle

• 1st step (randomization): Compute „fresh“ random quasi-

systematic form of H

• 2nd step (search): Try to fnd a solution e amongst all

q1 , ..., qk+l

e1

=

s

H

k+l n-k-l p w-p

e1 e2

with

T = Pr[„good rand.“]-1 * T[search]

Link to the Representation Technique Link to the Representation Technique

Find vector

• f weight p with

e1

q1 , ..., qk+l

e1

=

s

Link to the Representation Technique Link to the Representation Technique

Find vector

• f weight p with

e1

q1 , ..., qk+l

e1

=

s

This is exactly a binary coordinate-wise knapsack instance!

Link to the Representation Technique Link to the Representation Technique

Find vector

• f weight p with

e1

q1 , ..., qk+l

e1

=

s

Thus using representations improves T[search] !

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(R)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern 0,0556 Ball-Collision 0,0537 MMT

Extended Representation Extended Representation Technique Technique

Extended Representation Technique Extended Representation Technique

• Expand H into larger stack H'
• Expanding H' introduces r many representations

N1 , … , Nr

• Examine a 1/r – fraction of H' to find one Ni

Extended Representation Technique Extended Representation Technique

• Expand H into larger stack H'
• Expanding H' introduces r many representations

N1 , … , Nr

• Examine a 1/r – fraction of H' to find one Ni
• Ratio |H'|/r determines

effciency

• Idea: Increase r while

keeping |H'| small

Extended Reps for knapsacks Extended Reps for knapsacks

• Recall: Basic representation technique allows

to write 1 = 1+0 = 0+1, i.e. x* = ( 1 0 1 1 0 0 1 0) has many reps

Extended Reps for knapsacks Extended Reps for knapsacks

• Recall: Basic representation technique allows

to write 1 = 1+0 = 0+1, i.e. x* = ( 1 0 1 1 0 0 1 0) has many reps

• Artifcially introduce ∆ many -1's and extra 1's

in each part y,z of x* = y + z

Extended Reps for knapsacks Extended Reps for knapsacks

• Recall: Basic representation technique allows

to write 1 = 1+0 = 0+1, i.e. x* = ( 1 0 1 1 0 0 1 0) has many reps

• Artifcially introduce ∆ many -1's and extra 1's

in each part y,z of x* = y + z

• This allows to represent 2∆ many 0's in x* as

0 = 1+(-1) = (-1)+1

Extended Reps for knapsacks Extended Reps for knapsacks

• Recall: Basic representation technique allows

to write 1 = 1+0 = 0+1, i.e. x* = ( 1 0 1 1 0 0 1 0) has many reps

• Artifcially introduce ∆ many -1's and extra 1's

in each part y,z of x* = y + z

• This allows to represent 2∆ many 0's in x* as

0 = 1+(-1) = (-1)+1 Size of expanded haystack

Number of Extended Representations Number of Extended Representations

• Example (n=8, ∆=1) for x* = ( 1 0 1 1 0 0 1 0)

( 1 -1 1 0 0 0 0 1 ) + ( 0 1 0 1 0 0 1 -1 ) ( 1 -1 0 1 0 0 0 1 ) + ( 0 1 1 0 0 0 1 -1 ) ( 1 0 0 1 -1 0 0 1 ) + ( 0 0 1 0 1 0 1 -1 ) . . .

Number of Extended Representations Number of Extended Representations

• Example (n=8, ∆=1) for x* = ( 1 0 1 1 0 0 1 0)

( 1 -1 1 0 0 0 0 1 ) + ( 0 1 0 1 0 0 1 -1 ) ( 1 -1 0 1 0 0 0 1 ) + ( 0 1 1 0 0 0 1 -1 ) ( 1 0 0 1 -1 0 0 1 ) + ( 0 0 1 0 1 0 1 -1 ) . . .

Number of Extended Representations Number of Extended Representations

• Example (n=8, ∆=1) for x* = ( 1 0 1 1 0 0 1 0)

( 1 -1 1 0 0 0 0 1 ) + ( 0 1 0 1 0 0 1 -1 ) ( 1 -1 0 1 0 0 0 1 ) + ( 0 1 1 0 0 0 1 -1 ) ( 1 0 0 1 -1 0 0 1 ) + ( 0 0 1 0 1 0 1 -1 ) . . .

Number of Extended Representations Number of Extended Representations

• Example (n=8, ∆=1) for x* = ( 1 0 1 1 0 0 1 0)

( 1 -1 1 0 0 0 0 1 ) + ( 0 1 0 1 0 0 1 -1 ) ( 1 -1 0 1 0 0 0 1 ) + ( 0 1 1 0 0 0 1 -1 ) ( 1 0 0 1 -1 0 0 1 ) + ( 0 0 1 0 1 0 1 -1 ) . . . Choose 2 (=n/4) out of 4 (=n/2) positions for 1 and (∆=) 1 positions for -1 and 1 amongst the Remaining 4 (=n/2) free 0-positions

Number of Extended Representations Number of Extended Representations

• Example (n=8, ∆=1) for x* = ( 1 0 1 1 0 0 1 0)

( 1 -1 1 0 0 0 0 1 ) + ( 0 1 0 1 0 0 1 -1 ) ( 1 -1 0 1 0 0 0 1 ) + ( 0 1 1 0 0 0 1 -1 ) ( 1 0 0 1 -1 0 0 1 ) + ( 0 0 1 0 1 0 1 -1 ) . . . representations

Number of Extended Representations Number of Extended Representations

• Example (n=8, ∆=1) for x* = ( 1 0 1 1 0 0 1 0)

( 1 -1 1 0 0 0 0 1 ) + ( 0 1 0 1 0 0 1 -1 ) ( 1 -1 0 1 0 0 0 1 ) + ( 0 1 1 0 0 0 1 -1 ) ( 1 0 0 1 -1 0 0 1 ) + ( 0 0 1 0 1 0 1 -1 ) . . . In general: representations

Lower Bound and Actual Complexity Lower Bound and Actual Complexity

• Minimizing |H'|/r yields optimal ∆=0.05677n and

complexity 20.173n

Lower Bound and Actual Complexity Lower Bound and Actual Complexity

• Minimizing |H'|/r yields optimal ∆=0.05677n and

complexity 20.173n

• Actual complexity is higher (due to all the

) Time Space Brute-Force 2n 1 MitM 2n/2 2n/2 Schroeppel-Shamir 2n/2 2n/4 Representations 20.3373n 20.2936n Extended Reps 20.291n 20.291n

Extended Reps for ISD Extended Reps for ISD

• The same trick applies to Information Set

Decoding

• Write ∆ many 0's as 0=1+1 mod 2
• Has large impact since usually error vectors are

very sparse (i.e. decomposing 0's introduces many new representations)

Main Result for ISD: F(R) Main Result for ISD: F(R) ≤ ≤ 0.0494 0.0494

Brute-Force

F(R)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern 0,0556 Ball-Collision 0,0537 MMT BJMM 0,0494

Main Result for ISD: F(R) Main Result for ISD: F(R) ≤ ≤ 0.0494 0.0494

F(R) R

• - - Ball-Collisions

MMT BJMM

In Practical terms... In Practical terms...

• 256-Bit security for McEliece revisited

→ [n,k,d] = [6624,5129,117]

• Exact complexity analysis (using tricks from

[BLP08]) → Stern ≈ 2256 → Ball-Collisions ≈ 2254 → Our Algorithm ≈ 2239

Conclusion & Open Questions Conclusion & Open Questions

Wrapping up... Wrapping up...

• Representation technique gives asymptotically

fastest algorithms for

• Random knapsacks
• Decoding random binary linear codes
• Practical impact on parameter choice for code-

based crypto (high security levels)

Some Open Questions Some Open Questions

• For knapsacks:
• How far can we go? Use even more reps by

writing 1=(-1)+2=2+(-1) and so on...

• Tight lower bound?

Some Open Questions Some Open Questions

• For ISD:
• Generalization to non-binary codes?
• Does it work for multiple syndromes?

Some Open Questions Some Open Questions

• For ISD:
• Generalization to non-binary codes?
• Does it work for multiple syndromes?
• Are there further applications? (works also for

NTRU)

Some Open Questions Some Open Questions

• For ISD:
• Generalization to non-binary codes?
• Does it work for multiple syndromes?
• Are there further applications? (works also for

NTRU)

Thank you!