improved low memory subset sum and lpn algorithms via
play

Improved Low-Memory Subset Sum and LPN Algorithms via Multiple - PowerPoint PPT Presentation

Oct 08, 2023 •128 likes •1.12k views

Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy Claire Delaplace, Andre Esser and Alexander May About Me Claire Delaplace: Postdoc researcher Ruhr University Bochum, Germany Team: Cryptology

  1. Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy Claire Delaplace, Andre Esser and Alexander May

  2. About Me Claire Delaplace: Postdoc researcher • Ruhr University Bochum, Germany • Team: Cryptology and IT-Security • Scientific supervisor: Alexander May 2

  3. About Me Claire Delaplace: Postdoc researcher • Ruhr University Bochum, Germany • Team: Cryptology and IT-Security • Scientific supervisor: Alexander May Before that... • University of Rennes, IRISA. Team EMSEC • University of Lille, CRIStAL. Team CFHP • PhD supervisors: Pierre-Alain Fouque & Charles Bouillaguet • Thesis: Linear Algebra Algorithm for Cryptography 2

  4. Research Topic Attacking Underlying Cryptographic Problems 3

  5. Research Topic Attacking Underlying Cryptographic Problems • Generalised Birthday Problem ([B D F2018] + 2 in submission) • ECDLP ([ D M19] + 1 in submission) • LWE variants ([B D FK17,B D EFT18]) • Sparse Linear Algebra ([B D 16,B D V17]) • Subset Sum & LPN ([ D EM19]) 3

  6. Research Topic Attacking Underlying Cryptographic Problems • Generalised Birthday Problem ([B D F2018] + 2 in submission) • ECDLP ([ D M19] + 1 in submission) • LWE variants ([B D FK17,B D EFT18]) • Sparse Linear Algebra ([B D 16,B D V17]) • Subset Sum & LPN ([ D EM19]) 3

  7. Motivations Post-Quantum Cryptography • Popular families of schemes: Lattices & Codes based • Subset-sum & LPN related to Lattices & Codes ? • Better algo for subset-sum & LPN = ⇒ Better algo for Lattices & Codes 4

  8. Motivations Post-Quantum Cryptography • Popular families of schemes: Lattices & Codes based • Subset-sum & LPN related to Lattices & Codes ? • Better algo for subset-sum & LPN = ⇒ Better algo for Lattices & Codes Main drawback HUGE amount of memory these attacks require ⇒ Need for time-memory trade-offs 4

  9. Motivations Post-Quantum Cryptography • Popular families of schemes: Lattices & Codes based • Subset-sum & LPN related to Lattices & Codes ? • Better algo for subset-sum & LPN = ⇒ Better algo for Lattices & Codes Main drawback HUGE amount of memory these attacks require ⇒ Need for time-memory trade-offs This work New time-memory trade-offs for subset-sum & LPN Main tool: Parallel Collision Search algorithm [vOW99] 4

  10. Collisions Search Given: F, G : F n 2 → F n 2 with uniformly random outputs Goal: Find x, y ∈ F n 2 s.t. F ( x ) = G ( y ) x F Birthday Paradox F ( x ) = G ( y ) Recovering one collision: n � 2 � Time: O 2 y G 5

  11. Collisions Search Given: F, G : F n 2 → F n 2 with uniformly random outputs Goal: Find x, y ∈ F n 2 s.t. F ( x ) = G ( y ) x F Birthday Paradox F ( x ) = G ( y ) Recovering one collision: n � 2 � Time: O 2 y G Searching for 2 m collisions • 2 m Birthday method: Time O 2 m + n � 2 � � � • Parallel Collision Search [vOW99]: Time ˜ m + n O 2 2 5

  12. PCS: High level Idea F Collision F F Collision F Search for cycle 6

  13. PCS: High level Idea F F Collision F F F F Collision F F F Search for cycle 6

  14. PCS: High level Idea F Collision F F Collision F Search for cycle 6

  15. PCS: High level Idea F Collision Collision F F Collision Collision F Search for cycle Search for cycle 6

  16. PCS: High level Idea Collision F Collision Search for cycle Search for cycle 6

  17. PCS in a Nutshell Given: F, G : F n 2 → F n 2 with uniformly random outputs Goal: Find 2 m ( x, y ) ∈ ( F n 2 ) 2 s.t. F ( x ) = G ( y ) F 2 m ( x, y ) F ( x ) = G ( y ) PCS G � � n + m T = ˜ M = ˜ O (2 m ) O 2 2 7

  18. 1 Application 1: Random Subset-Sum Problem 2 Application 2: LPN 8

  19. 1 Application 1: Random Subset-Sum Problem 2 Application 2: LPN 9

  20. Random Subset-Sum (RSS) Problem Definition • a = ( a 1 . . . a n ) ∈ ( Z 2 n ) n • e = ( e 1 . . . e n ) ∈ { 0 , 1 } n wt ( e ) = n unknown 2 • t = � a , e � mod 2 n GOAL: Given ( a , t ) find e ∈ { 0 , 1 } n such that � a , e � = t 10

  21. Random Subset-Sum (RSS) Problem Definition • a = ( a 1 . . . a n ) ∈ ( Z 2 n ) n • e = ( e 1 . . . e n ) ∈ { 0 , 1 } n wt ( e ) = n unknown 2 • t = � a , e � mod 2 n GOAL: Given ( a , t ) find e ∈ { 0 , 1 } n such that � a , e � = t Our Work Two new algorithms • SS-PCS Better than previous work for M < 2 0 . 02 n • SS-PCS 4 Better than previous work for 2 0 . 13 n < M < 2 0 . 2 n 10

  22. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 11

  23. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 11

  24. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 • [H-GJ10] Representation Technique. T = M ≃ 2 0 . 337 n 11

  25. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 • [H-GJ10] Representation Technique. T = M ≃ 2 0 . 337 n • [BCJ11] ◦ Improvement of [H-GJ10]: T = M ≃ 2 0 . 291 n ◦ Memoryless algorithm: T ≃ 2 0 . 71 n 11

  26. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 • [H-GJ10] Representation Technique. T = M ≃ 2 0 . 337 n • [BCJ11] ◦ Improvement of [H-GJ10]: T = M ≃ 2 0 . 291 n ◦ Memoryless algorithm: T ≃ 2 0 . 71 n • [DDKS12] Best 2 0 . 01 n ≤ M < 2 0 . 17 n 11

  27. MitM Algorithm Goal: Find e s.t. � a , e � = t e = e 1 e 2 + � a , e 1 � t − � a , e 2 � 2 n/ 2 2 n/ 2 Collision ⇒ � a , e 1 + e 2 � = t 12

  28. Schroeppel-Shamir [SS81] Goal: Find e s.t. � a , e � = t e = + + + 13

  29. Schroeppel-Shamir [SS81] Goal: Find e s.t. � a , e � = t e = + + + 2 n/ 4 � a , e 1 � � a , e 2 � � a , e 3 � � a , e 4 � 2 n/ 4 13

  30. Schroeppel-Shamir [SS81] Goal: Find e s.t. � a , e � = t e = + + + 2 n/ 4 � a , e 1 � � a , e 2 � � a , e 3 � � a , e 4 � 2 n/ 4 t 1 ∈ L 1 , . . . t 4 ∈ L 4 s.t. � ⇒ � a , e 1 + · · · + e 4 � = t i t i = t 13

  31. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 14

  32. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 n/ 4 14

  33. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 Collision ⇒ n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 � i t i = t n/ 4 14

  34. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 Collision ⇒ n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 ∀ R ∈ Z 2 n/ 4 � i t i = t n/ 4 14

  35. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 Collision ⇒ n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 ∀ R ∈ Z 2 n/ 4 � i t i = t � 2 n/ 2 � T = O � 2 n/ 4 � M = O n/ 4 14

  36. Representations � e i = e n Representation of e : ( e 1 . . . e k ) wt ( e i ) = 2 k ∀ i Example e 1 = (10001000) e ′ 1 = (10000001) e 2 = (01000001) e ′ 2 = (01001000) ( e 1 , e 2 ) and ( e ′ 1 , e ′ 2 ) : representations of e = (11001001) 15

  37. Representations � e i = e n Representation of e : ( e 1 . . . e k ) wt ( e i ) = 2 k ∀ i Example e 1 = (10001000) e ′ 1 = (10000001) e 2 = (01000001) e ′ 2 = (01001000) ( e 1 , e 2 ) and ( e ′ 1 , e ′ 2 ) : representations of e = (11001001) Important remark e ∈ { 0 , 1 } n , wt ( e ) = n/ 2 ≈ 2 n/ 2 representations ( e 1 , e 2 ) of e � n/ 2 � There are n/ 4 15

  38. Representation Technique: Needles and Haystack Subset-sum Find e ∈ { 0 , 1 } n s.t. � a , e � = t mod 2 n 16

  39. Representation Technique: Needles and Haystack Representation Technique [H-GJ10] Find ( e 1 , e 2 ) ∈ { 0 , 1 } n × { 0 , 1 } n s.t. � a , e 1 + e 2 � = t mod 2 n 16

  40. Representation Technique: Needles and Haystack Representation Technique [H-GJ10] Find ( e 1 , e 2 ) ∈ { 0 , 1 } n × { 0 , 1 } n s.t. � a , e 1 + e 2 � = t mod 2 n With Rep. Without Rep. � n � 2 ≈ 2 1 . 623 n � n # search space: � ≈ 2 n � # search space: n/ 4 n/ 2 � n/ 2 � ≈ 2 n/ 2 # solutions: 1 # solutions: � n/ 4 16

  41. BCJ Memoryless Algorithm [BCJ11] • wt ( x ) = n 4 � n 2 r ≈ • g ( x ) = � a , x � mod 2 r , � n/ 4 • g t ( x ) = t − g ( x ) mod 2 r 17

  42. BCJ Memoryless Algorithm [BCJ11] g ( x ) = g t ( y ) • wt ( x ) = n 4 � n 2 r ≈ � • g ( x ) = � a , x � mod 2 r , � n/ 4 � a , x + y � = t mod 2 r • g t ( x ) = t − g ( x ) mod 2 r 17

  43. BCJ Memoryless Algorithm [BCJ11] g ( x ) = g t ( y ) • wt ( x ) = n 4 � n 2 r ≈ � • g ( x ) = � a , x � mod 2 r , � n/ 4 � a , x + y � = t mod 2 r • g t ( x ) = t − g ( x ) mod 2 r BCJ Memoryless Algorithm • Search a collision between g x g and g t • If x + y ∈ { 0 , 1 } n and � a , x + y � = t mod 2 n re- g ( x ) = g t ( y ) turn x + y • Else restart y g t 17

  44. BCJ Memoryless Algorithm [BCJ11] g ( x ) = g t ( y ) • wt ( x ) = n 4 � n 2 r ≈ � • g ( x ) = � a , x � mod 2 r , � n/ 4 � a , x + y � = t mod 2 r • g t ( x ) = t − g ( x ) mod 2 r BCJ Memoryless Algorithm • Search a collision between g x g and g t • If x + y ∈ { 0 , 1 } n and � a , x + y � = t mod 2 n re- g ( x ) = g t ( y ) turn x + y • Else restart # coll. y g t # rep. ≈ 2 r − n/ 2 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99 Given a sequence of integers a 1 , . . . , a n and a parameter k , NP-completeness of Subset Sum, Partition, Minimum Bin Packing. Decide

214 views • 3 slides
Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

NEW CS 473: Theory II, Fall 2015 Subset Sum Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer positive num- bers, t - target number Question: subset of X s.t. sum of its elements is t ? Lecture 10

200 views • 8 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
CS4102 Algorithms Summer 2020 Warm up Why is an algorithms space complexity (how much memory

CS4102 Algorithms Summer 2020 Warm up Why is an algorithms space complexity (how much memory

CS4102 Algorithms Summer 2020 Warm up Why is an algorithms space complexity (how much memory it uses) important? Why might a memory- intensive algorithm be a bad one? 1 Why lots of memory is bad 2 Greedy Algorithms Require

1.05k views • 70 slides
EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine

EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine

EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine Learning Department, Carnegie Mellon University 1 COLUMN SUBSET SELECTION M R n 1 n 2 C R n 1 s | C | s k M CC M k F min 2

385 views • 15 slides
Virtual Memory - II Least Recently Used (LRU) LRU Approximations Counting Algorithms

Virtual Memory - II Least Recently Used (LRU) LRU Approximations Counting Algorithms

CSE 421/521 - Operating Systems Roadmap Fall 2011 Virtual Memory Lecture - XVI Page Replacement Algorithms Optimal Algorithm Virtual Memory - II Least Recently Used (LRU) LRU Approximations Counting Algorithms

158 views • 5 slides
CPU Organization Scope We will build a CPU to implement our subset of the MIPS ISA Memory

CPU Organization Scope We will build a CPU to implement our subset of the MIPS ISA Memory

5.1 5.2 CPU Organization Scope We will build a CPU to implement our subset of the MIPS ISA Memory Reference Instructions: Load Word (LW) EE 457 Unit 5 Store Word (SW) Arithmetic and Logic Instructions: ADD, SUB, AND, OR,

274 views • 9 slides
Part 2: External Memory and Cache Oblivious Algorithms CR10: Data Aware Algorithms September 25,

Part 2: External Memory and Cache Oblivious Algorithms CR10: Data Aware Algorithms September 25,

Part 2: External Memory and Cache Oblivious Algorithms CR10: Data Aware Algorithms September 25, 2019 Outline Ideal Cache Model External Memory Algorithms and Data Structures External Memory Model Merge Sort Lower Bound on Sorting

575 views • 33 slides
Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and Permutation Graphs Charis Papadopoulos Spyridon Tzimas 21st International Symposium on Fundamentals of Computation Theory - FCT 2017 Bordeaux, France,

1.5k views • 103 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische

1.2k views • 98 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic memory management n Swapping n Virtual memory n Page replacement algorithms n Modeling page replacement algorithms n Design issues for paging systems n

817 views • 35 slides
Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of numbers S. and a target number t. We have to determine of the exists a subset of S such that the summation of the numbers present in the subset is

353 views • 11 slides
Improved Algorithms for Amplitude- and Phase-Scin9lla9on

Improved Algorithms for Amplitude- and Phase-Scin9lla9on

Improved Algorithms for Amplitude- and Phase-Scin9lla9on Indices of GPS Signals Abram Farley-Kalamazoo College ASTRA Mentors: Irfan Azeem and Adam

555 views • 26 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic memory management Swapping Virtual memory Page replacement algorithms Modeling page replacement algorithms Design issues for paging

950 views • 69 slides
Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

4/10/2016 Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating Systems Principles 5C. Advanced Allocation Techniques Memory Management 5D. Segment Relocation 5E. Garbage Collection Mark Kampe

711 views • 9 slides
Near optimal finite time identification of arbitrary linear dynamical systems Tuhin Sarkar &amp;

Near optimal finite time identification of arbitrary linear dynamical systems Tuhin Sarkar &amp;

Problem Definition Analysis and Techniques Results Main Results Poster Details Near optimal finite time identification of arbitrary linear dynamical systems Tuhin Sarkar &amp; Alexander Rakhlin Massachusetts Institute of Technology June 12,

516 views • 18 slides
VMM Emulation of Intel Hardware Transactional Memory Maciej Swiech, Kyle Hale, Peter Dinda

VMM Emulation of Intel Hardware Transactional Memory Maciej Swiech, Kyle Hale, Peter Dinda

VMM Emulation of Intel Hardware Transactional Memory Maciej Swiech, Kyle Hale, Peter Dinda Northwestern University V3VEE Project www.v3vee.org Hobbes Project 1 What will we talk about? We added the capability to run Intel HTM code on a

742 views • 63 slides
Ontology Learning: Framework, Techniques and a Software Environment MEANING WS Presentation, San

Ontology Learning: Framework, Techniques and a Software Environment MEANING WS Presentation, San

Ontology Learning: Framework, Techniques and a Software Environment MEANING WS Presentation, San Sebastian Alexander Maedche Forschungszentrum Informatik an der Universitt Karlsruhe Forschungsbereich Wissensmanagement (WIM)

527 views • 42 slides
Apache Ignite as MPP Accelerator Alexander Ermakov, CTO Agenda About us Why do

Apache Ignite as MPP Accelerator Alexander Ermakov, CTO Agenda About us Why do

Apache Ignite as MPP Accelerator Alexander Ermakov, CTO Agenda About us Why do traditional DWH needs in-memory grid? Real Time Analytics for Telco Cases Integrating Apache Ignite with Arenadata DB Using the power of

810 views • 47 slides
Transitioning to an Anatomic Diagnosis in Ischemic Stroke Alexander A. Khalessi MD MS Director

Transitioning to an Anatomic Diagnosis in Ischemic Stroke Alexander A. Khalessi MD MS Director

Stroke Clinical Trials Update Transitioning to an Anatomic Diagnosis in Ischemic Stroke Alexander A. Khalessi MD MS Director of Endovascular Neurosurgery Surgical Director of NeuroCritical Care University of California, San Diego Disclosure

425 views • 40 slides
Object-Oriented Programming In Mechatronic Systems Summer School 2018 Module 1 Introduction to

Object-Oriented Programming In Mechatronic Systems Summer School 2018 Module 1 Introduction to

Object-Oriented Programming In Mechatronic Systems Summer School 2018 Module 1 Introduction to Programming Aachen, Germany Cybernetics Lab IMA &amp; IfU Faculty of Mechanical Engineering RWTH Aachen University Organization 2

621 views • 46 slides
No Please, After You: Detecting Fraud in Affiliate Marketing Networks Peter Snyder

No Please, After You: Detecting Fraud in Affiliate Marketing Networks Peter Snyder

No Please, After You: Detecting Fraud in Affiliate Marketing Networks Peter Snyder &lt;psnyde2@uic.edu&gt; and Chris Kanich &lt;ckanich@uic.edu&gt; University of Illinois at Chicago Overview 1. Problem Area: affiliate marketing 2. Data Set :

671 views • 37 slides
Self-testing of qutrit systems Jdrzej Kaniewski QMATH, Department of Mathematical Sciences

Self-testing of qutrit systems Jdrzej Kaniewski QMATH, Department of Mathematical Sciences

Self-testing of qutrit systems Jdrzej Kaniewski QMATH, Department of Mathematical Sciences University of Copenhagen, Denmark joint work with Antonio Acn, Remigiusz Augusiak, Flavio Baccari, Alexia Salavrakos, Ivan upi, Jordi Tura

1.25k views • 72 slides

More recommend