Smaller decoding exponents: ball-collision decoding. D. J. Bernstein (slides, PDF).
  1. Smaller decoding exponents: ball-collision decoding. D. J. Bernstein, University of Illinois at Chicago. Joint work with: Tanja Lange, Technische Universiteit Eindhoven; Christiane Peters, University of Illinois at Chicago.

  6. Context: speed. What is the fastest public-key encryption system? RSA-1024 is quite fast. RSA-512 is faster. RSA-256 is even faster. This question is stupid.

  11. Context: speed. What is the fastest public-key encryption system with security level $\approx 2^b$? Plausible-sounding definition, refined step by step: breaking costs $\approx 2^b$; breaking with probability 1 costs $\approx 2^b$; for each $\epsilon > 0$, breaking with probability $\approx \epsilon$ costs $\approx 2^b \epsilon$; for each $\epsilon > 2^{-b/2}$, breaking with probability $\approx \epsilon$ costs $\approx 2^b \epsilon$.

  12. Context: speed. What is the fastest public-key encryption system with security level $\approx 2^b$? How to evaluate candidates: encryption systems → (analyze attack algorithms) → systems with security $\approx 2^b$ → (analyze encryption algorithms) → fastest systems with security $\approx 2^b$.

  13. Example of speed analysis. RSA (with small exponent, reasonable padding, etc.): factoring $N$ costs $2^{(\lg N)^{1/3+o(1)}}$ by the number-field sieve. Conjecture: this is the optimal attack against RSA. Key size: can take $\lg N \in b^{3+o(1)}$, ensuring $2^{(\lg N)^{1/3+o(1)}} \approx 2^b$. Encryption: fast exponentiation costs $(\lg N)^{1+o(1)}$ bit operations. Summary: RSA costs $b^{3+o(1)}$.

  14. ECC (with strong curve over $\mathbf{F}_q$, reasonable padding, etc.): ECDL costs $2^{(1/2+o(1))\lg q}$ by Pollard's rho method. Conjecture: this is the optimal attack against ECC. Can take $\lg q \in (2+o(1))\,b$. Encryption: fast scalar multiplication costs $(\lg q)^{2+o(1)} = b^{2+o(1)}$. Summary: ECC costs $b^{2+o(1)}$. Asymptotically faster than RSA. Bonus: also $b^{2+o(1)}$ decryption.

  15. 1978 McEliece system (with length-$n$ classical Goppa codes, reasonable padding, etc.): Conjecture: fastest attacks cost $2^{(\beta+o(1))\,n/\lg n}$. Can take $n \in (1/\beta+o(1))\,b \lg b$. Encryption: matrix multiplication costs $n^{2+o(1)} = b^{2+o(1)}$. Summary: McEliece costs $b^{2+o(1)}$. Is this faster than ECC? Need more detailed analysis.

  16. ECC encryption: $\Theta(\lg q)$ operations in $\mathbf{F}_q$. Each operation in $\mathbf{F}_q$ costs $\Theta(\lg q \,\lg\lg q \,\lg\lg\lg q)$. Total $\Theta(b^2 \lg b \,\lg\lg b)$. McEliece encryption, with 1986 Niederreiter speedup: $\Theta(n/\lg n)$ additions in $\mathbf{F}_2^n$, each costing $\Theta(n)$. Total $\Theta(b^2 \lg b)$. McEliece is asymptotically faster. Bonus: much faster decryption. Another bonus: post-quantum.

  19. Algorithmic advances can change this picture. Examples: 1. Speed up ECC: can reduce $\lg\lg b$ using 2007 Fürer; maybe someday eliminate $\lg\lg b$? 2. This paper: asymptotically faster attack on McEliece, "ball-collision decoding." Need larger McEliece key sizes. 3. Ongoing: we're optimizing the "subfield AG" variant of McEliece. Conjecture: fastest attacks cost $2^{(\alpha+o(1))n}$; encryption costs $\Theta(b^2)$.

  20. Generic decoding algorithms. Some history: 1962 Prange; 1981 Clark (crediting Omura); 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 B.–L.–P.; 2009 Finiasz–Sendrier; 2010 P.; 2011 B.–L.–P., this paper.

  22. A typical decoding problem. Input: a 500-bit vector s, and a 900 × 500 matrix of bits. Goal: find 50 rows with xor s.
      r_1    ⋯11001⋯
      r_2    ⋯10111⋯
      r_3    ⋯10101⋯
      ⋮
      r_900  ⋯01011⋯
      s      ⋯01010⋯   = r_2 ⊕ r_7 ⊕ r_34 ⊕ ⋯

  24. Row randomization. Can arbitrarily permute rows without changing the problem. Goal: find 50 rows with xor s. After swapping r_1 and r_2:
      r_1    ⋯10111⋯
      r_2    ⋯11001⋯
      r_3    ⋯10101⋯
      ⋮
      r_900  ⋯01011⋯
      s      ⋯01010⋯   = r_1 ⊕ r_7 ⊕ r_34 ⊕ ⋯

  26. Column normalization. Can also permute columns without changing the problem. Goal: find 50 rows with xor s. After swapping the first two displayed columns:
      r_1    ⋯01111⋯
      r_2    ⋯11001⋯
      r_3    ⋯01101⋯
      ⋮
      r_900  ⋯10011⋯
      s      ⋯10010⋯   = r_1 ⊕ r_7 ⊕ r_34 ⊕ ⋯

  27. Systematic form. Can add one column to another. ⇒ Build an identity matrix. Goal: find 50 rows with xor s.
      r_1    1000⋯0000
      r_2    0100⋯0000
      r_3    0010⋯0000
      ⋮
      r_500  0000⋯0001
      r_501  1010⋯1100
      ⋮
      r_900  1101⋯0111
      s      0110⋯0000   = r_2 ⊕ r_3 ⊕ r_18 ⊕ ⋯

  29. 1962 Prange, basic information-set decoding: maybe the xor involves none of the last 400 rows. If so, immediately see that s has weight 50. Done! If not, re-randomize and restart. 1988 Lee–Brickell: more likely that the xor involves exactly 2 of the last 400 rows. Check for each i, j whether s ⊕ r_i ⊕ r_j has weight 48.

  30. [Figure: weight layout for Lee–Brickell: 48 ones among the 500 identity rows, plus 2 rows r_i, r_j among the last 400; s.]

  32. 1989 Leon, 1989 Krouk: check for each i, j whether s ⊕ r_i ⊕ r_j has weight 48 with the first 10 bits all zero. Much faster to test, not much loss in success chance. 1989 Stern, collision decoding: √ speedup! Find collisions between the first 10 bits of s ⊕ r_i and the first 10 bits of r_j. For each collision, check whether s ⊕ r_i ⊕ r_j has weight 48.

  33. [Figure: weight layout for Leon/Krouk/Stern: 0 ones in the first 10 columns, 48 among the other 490 identity rows, plus 2 rows r_i, r_j among the last 400; s.]

  34. [Figure: Stern with p = 2: 0 ones in the first 10 columns, 46 among the other 490 identity rows, plus 4 rows r_{i_1}, r_{i_2}, r_{j_1}, r_{j_2} among the last 400; s.] Or s ⊕ r_{i_1} ⊕ ⋯ ⊕ r_{i_p} and r_{j_1} ⊕ ⋯ ⊕ r_{j_p}. Optimize choice of p. Of course, also optimize 10 etc.
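Added worked example (my own code, not the authors' reference software from cr.yp.to/ballcoll.html): a toy version of the problem on slides 22 to 32, with row randomization, systematic form and the 1989 Stern collision step (p = 1 on each side, Leon's first-ℓ-bits-zero filter) on 40 rows of 20 bits and w = 4 instead of 900 × 500 and w = 50; the ball-collision extension of slide 35 is not included. Function names, parameters and the sample instance are my choices.

```python
import random
from functools import reduce

def systematic_form(rows, s, r):
    # Row-permute and column-reduce (slides 23-27) until rows 0..r-1 are the unit vectors
    # e_0..e_{r-1}; every column operation is applied to s too, so the problem is unchanged.
    vecs, idx = list(rows) + [s], list(range(len(rows)))
    for t in range(r):
        piv = next((i for i in range(t, len(rows)) if vecs[i] >> t), None)
        if piv is None:
            return None                      # rows >= t lie in the span of rows < t: restart
        vecs[t], vecs[piv], idx[t], idx[piv] = vecs[piv], vecs[t], idx[piv], idx[t]
        c = (vecs[t] >> t).bit_length() - 1 + t          # a column >= t that is set in row t
        if c != t:                                       # swap columns c and t everywhere
            vecs = [v ^ ((((v >> c) ^ (v >> t)) & 1) * ((1 << c) | (1 << t))) for v in vecs]
        for c in range(r):                               # add column t to every other column set in row t
            if c != t and (vecs[t] >> c) & 1:
                vecs = [v ^ (((v >> t) & 1) << c) for v in vecs]
    return vecs[:-1], vecs[-1], idx

def stern_decode(rows, s, r, w, ell, rng, max_iters=20000):
    # Stern collision decoding with p = 1 per side (slide 32): identity rows absorb any pattern, so we
    # need r_i, r_j among the other rows with s ^ r_i ^ r_j of weight w-2 and first ell bits zero (slide 31).
    n, mask = len(rows), (1 << ell) - 1
    for _ in range(max_iters):
        perm = list(range(n)); rng.shuffle(perm)                  # row randomization (slide 23)
        sf = systematic_form([rows[p] for p in perm], s, r)
        if sf is None: continue                                   # dependent rows: re-randomize
        vecs, s2, idx = sf
        mid, table = (r + n) // 2, {}
        for j in range(mid, n):                                   # index second half by low ell bits
            table.setdefault(vecs[j] & mask, []).append(j)
        for i in range(r, mid):                                   # look up collisions for s ^ r_i
            e_i = s2 ^ vecs[i]
            for j in table.get(e_i & mask, ()):
                e = e_i ^ vecs[j]                                 # remainder must be w-2 identity rows
                if bin(e).count("1") == w - 2:
                    chosen = [idx[t] for t in range(r) if (e >> t) & 1] + [idx[i], idx[j]]
                    return sorted(perm[x] for x in chosen)        # back to original row numbers
    return None

def xor_rows(rows, subset):
    return reduce(lambda acc, i: acc ^ rows[i], subset, 0)

def demo(seed=1, n=40, r=20, w=4, ell=3):
    # Constructed sample instance (slides use 900 x 500, w = 50): random rows, s planted as an xor of w rows.
    rng = random.Random(seed)
    rows = [rng.getrandbits(r) for _ in range(n)]
    s = xor_rows(rows, rng.sample(range(n), w))
    return rows, s, stern_decode(rows, s, r, w, ell, rng)
```

Each iteration costs about n table operations instead of the k² pair checks of Lee–Brickell, which is the square-root saving the slides credit to Stern.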

  35. New, ball-collision decoding: find collisions between (e.g.) the weight-1 Hamming ball around the first 10 bits of s ⊕ r_{i_1} ⊕ r_{i_2} and the weight-1 Hamming ball around the first 10 bits of r_{j_1} ⊕ r_{j_2}. [Figure: 2 ones in the first 10 columns, 44 among the other 490 identity rows, plus 4 rows r_{i_1}, r_{i_2}, r_{j_1}, r_{j_2} among the last 400; s.]

  36. Our main theorem: for $w$ rows of an $n \times (n-k)$ matrix, constant $w/n$, $k/n$ as $n \to \infty$, under standard assumptions, optimized collision decoding costs $2^{(\alpha+o(1))n}$ and optimized ball-collision decoding costs $2^{(\alpha'+o(1))n}$ with $\alpha' < \alpha$. See cr.yp.to/ballcoll.html: proof of smaller exponents; conservative lower bounds; complete reference software.
