How to (Correctly) Invoke Wagner Sonia Bogos; Serge Vaudenay EPFL - - PowerPoint PPT Presentation

Rump Session 2016

How to (Correctly) Invoke Wagner

Sonia Bogos; Serge Vaudenay

EPFL

How to (Correctly) Invoke Mozart Wagner

New Results on LPN Solvers Sonia Bogos and Serge Vaudenay

ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

http://lasec.epfl.ch/

SV 2016 invoking Mozart Wagner Eurocrypt 16 1 / 8

The Zero Four-Sum Problem

L1,L2,L3,L4: set of n ℓ-bit strings; look for s solutions

= ∈ = ∈ = ∈ = ∈ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = = = = = = = = =

x1 x2 x3 x4 L1 L2 L3 L4 need n = s

1 4 2

ℓ

4 SV 2016 invoking Mozart Wagner Eurocrypt 16 2 / 8

The Collision Algorithm (Mozart)

L1,L2,L3,L4: set of n ℓ-bit strings; look for s solutions

= ∈ = ∈ = ∈ = ∈ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = = = = = = = = =

x1 x2 x3 x4 L1 L2 L3 L4 Algorithm 1: make list of all x1 ⊕ x2 and x3 ⊕ x4 and look for collisions; comp = O(n2 + s) n = s

1 4 2

ℓ

4 , comp = O(s 1 2 2

ℓ

2 ) SV 2016 invoking Mozart Wagner Eurocrypt 16 3 / 8

The Wagner Algorithm

L1,L2,L3,L4: set of n ℓ-bit strings; look for s solutions

= ∈ = ∈ = ∈ = ∈ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ = = = = = = = = = = = = =

x1 x2 x3 x4 L1 L2 L3 L4

• b

Algorithm 2: same with list of XORs starting with b zero bits n = s

1 4 2 b+ℓ 4 , comp = O(n + n22−b + s)

bopt = ℓ+log2 s

3

, n = s

1 3 2

ℓ

3 , comp = O(s 1 3 2

ℓ

3 ) SV 2016 invoking Mozart Wagner Eurocrypt 16 4 / 8

[ZJW16] Invoking Mozart Wagner

Faster Algorithms for Solving LPN, Zhang, Jiao, Wang, EUROCRYPT 2016 In the algorithm to solve LPN(512,1/8): LF(4) algorithm with s = 254, ℓ = 156 [ZJW16] Mozart Wagner n s

1 4 2

ℓ

4 = 253

s

1 4 2

ℓ

4 = 253

s

1 3 2

ℓ

3 = 270

comp s

1 3 2

ℓ

3 = 270

s

1 2 2

ℓ

2 = 2105

s

1 3 2

ℓ

3 = 270

(Table 7, p.192; n ← n[1], s ← n[2], ℓ ← b)

SV 2016 invoking Mozart Wagner Eurocrypt 16 5 / 8

Strange Complexities in [ZJW16]

x1 ⊕···⊕ xa Bit complexity to XOR a = 10 u-bit strings (bytes: u = 8) naive approach: O(au) bit operations, too expensive (must be done 271 times for LPN(512,1/8)) [ZJW16] approach: O(1) using a table lookup just read T(x1∥···∥xa) BUT: cost of concatenation is neglected!

→ complexity results must be multiplied by 26

SV 2016 invoking Mozart Wagner Eurocrypt 16 6 / 8

Corrected Complexity Table

LPN instance

(512,1/8) (532,1/8) (592,1/8)

[GJL14] paper 279.9 281.82 288.07 (corrected) 289.04 290.43 297.87 [GJL14] talk 279.7 (corrected) 289.04 [ZJW16] 274.732 276.902 283.843 (corrected) 280.45 282.53 289.46

• ur results

(breaking news!) 278.85 281.90 288.16 algorithms as greedy as a raccoon

SV 2016 invoking Mozart Wagner Eurocrypt 16 7 / 8

Conclusion “My IQ is one of the highest — and you all know it! Please don’t feel so stupid or insecure; it’s not your fault.”

Donald Trump

Bogos, Vaudenay: Observations on the LPN Solving Algorithm from Eurocrypt’16, eprint 2016/451

SV 2016 invoking Mozart Wagner Eurocrypt 16 8 / 8