
The k-sum Problem: Solutions and Applications. Christiane Peters. PowerPoint presentation (slide text).



1. The k-sum Problem: Solutions and Applications. Christiane Peters. Ice Break – June 8, 2013

2. Talk outline
1. Motivation
2. Information-set decoding
3. Linearization
4. Generalized birthday attacks
5. Outlook
1/42

3. Section 1: Motivation (outline slide)

4. The k-sum problem
◮ Given k lists L_1, ..., L_k containing bit strings of length n.
◮ Find elements x_1 ∈ L_1, ..., x_k ∈ L_k with x_1 ⊕ ... ⊕ x_k = 0.
[figure: k bit strings xored together giving the all-zero string]
◮ Examples in this talk: k = 2, k = w, k = 2w, k = something related to n, k, w, etc.

5. The k-sum problem is well-studied
Appears in many different fields in cryptanalysis:
◮ birthday attacks
◮ meet-in-the-middle attacks on multiple encryption
◮ multi-collisions
◮ solving knapsacks
◮ syndrome decoding
◮ attacking the learning-parity-with-noise problem (LPN)
◮ ...
Selected literature: Yuval (1978); Hellman–Merkle (1981); Coppersmith (1985); Camion–Patarin (1991); Coppersmith (1992); van Oorschot–Wiener (1996); Micciancio–Bellare (1997); Wagner (2002); Augot–Finiasz–Sendrier (2003); Saarinen (2007, 2009); Joux–Lucks (2009); Howgrave-Graham–Joux (2010); Bernstein–Lange–P.–Schwabe (2011); Becker–Coron–Joux (2011); Dinur–Dunkelman–Keller–Shamir (2012)

6. Applications in this talk
Bellare–Micciancio (1997): "incrementable" hash function
$\mathrm{XHASH}(f, m) = \bigoplus_{i=1}^{w} f(m_i)$
Finiasz et al. (2003, 2007, 2008): fast syndrome-based hash function
$\mathrm{FSB}(H, m) = \bigoplus_{i=1}^{w} H_i[m_i]$
◮ Use as compression function in a Merkle–Damgård construction.
◮ Plus: fast, incrementable, parallelizable, ...
◮ Minus: large matrix of random constants (fix: quasi-cyclic structure).

7. A simple compression function
◮ Consider inputs of length w·b: m = (m_1, m_2, ..., m_w), each m_i having b bits.
◮ Take an n × w·2^b binary (pseudo-)random matrix, consisting of w blocks with 2^b columns each: H = (H_1, H_2, ..., H_w).
[figure: H drawn as n rows, split into blocks H_1, H_2, H_3, ..., H_{w-1}, H_w of 2^b columns each]
◮ Regard the m_i as b-bit indices and define FSB(H, m) = H_1[m_1] ⊕ H_2[m_2] ⊕ ... ⊕ H_w[m_w].

8. Mini example: compression function
    sage: n=8; w=4; b=2
    sage: set_random_seed(314)
    sage: # compression matrix
    sage: H=random_matrix(GF(2), n, w*2^b); print H
    [1 1 1 0 1 0 1 0 1 1 1 1 0 1 1 0]
    [1 1 1 0 1 1 0 0 1 0 1 0 1 1 0 0]
    [1 1 0 1 0 1 0 0 0 1 0 0 1 0 1 0]
    [0 0 0 0 0 1 0 0 0 1 0 0 1 1 0 0]
    [1 0 1 0 0 0 0 1 1 1 0 1 0 0 0 1]
    [0 1 0 0 0 0 0 1 1 0 1 0 0 0 1 1]
    [1 1 1 0 1 1 1 1 1 0 1 1 0 0 0 0]
    [1 1 0 0 1 0 0 1 1 1 1 1 0 0 0 0]
    sage: # message m=(m[1],..,m[w]), m[i] in [0,..,2^b-1]
    sage: m=random_vector(IntegerModRing(2^b),w); print m
    (2, 3, 3, 0)
    sage: # hash
    sage: x=sum([H.column(i*2^b+m[i]) for i in range(w)]); print x
    (0, 0, 1, 0, 0, 0, 0, 1)
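The compression function of slides 7 and 8 in plain Python, as an added example (this is not the speaker's Sage code, and because it uses Python's own generator the matrix and outputs do not match the Sage transcript). Columns are held as n-bit integers, so FSB(H, m) is a few xors. It also runs the obvious brute-force collision search on the toy size, which makes concrete what a collision of the compression function is: two index vectors whose selected columns, two per block where the vectors differ, xor to zero. The parameters, seed and message are constructed for the example.

```python
import random

# Toy parameters, the same as the mini example: n = 8, w = 4, b = 2 (constructed).
N_BITS, W_BLOCKS, B_BITS = 8, 4, 2

def make_compression_matrix(n, w, b, seed):
    """Constructed sample: an n x (w * 2^b) (pseudo-)random binary matrix H,
    stored as w blocks of 2^b columns, each column an n-bit integer."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(1 << b)] for _ in range(w)]

def fsb_compress(H, m):
    """FSB(H, m) = H_1[m_1] xor ... xor H_w[m_w]; m_i is a b-bit index into block i."""
    assert len(m) == len(H), "one index per block"
    x = 0
    for block, mi in zip(H, m):
        x ^= block[mi]
    return x

def is_collision(H, m1, m2):
    """True if m1 != m2 and the columns they select xor to zero. Blocks where
    m1_i == m2_i contribute nothing; every other block contributes two columns."""
    if m1 == m2:
        return False
    total = 0
    for block, a, c in zip(H, m1, m2):
        if a != c:
            total ^= block[a] ^ block[c]
    return total == 0

def find_collision_by_brute_force(H, b):
    """Hashes every message, remembering output -> message; the first repeated
    output is a collision. Only feasible at toy size (2^(w*b) messages)."""
    w = len(H)
    mask = (1 << b) - 1
    seen = {}
    for code in range(1 << (w * b)):
        m = tuple((code >> (b * i)) & mask for i in range(w))
        x = fsb_compress(H, m)
        if x in seen:
            return seen[x], m
        seen[x] = m
    return None

if __name__ == "__main__":
    H = make_compression_matrix(N_BITS, W_BLOCKS, B_BITS, seed=314)
    m = (2, 3, 3, 0)
    print("FSB(H, m) =", format(fsb_compress(H, m), "08b"))
    pair = find_collision_by_brute_force(H, B_BITS)
    print("collision:", pair, "verified:", is_collision(H, *pair))
```

With n = 8 there are only 256 possible outputs for 256 messages, so the brute-force search is all but guaranteed to hit a repeat; at the real parameters the same search is the 2^n-sized problem that the decoding and birthday methods of the later slides are designed to beat.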

9–10. (R)FSB parameters for 128-bit security
FSB-256:
◮ FSB was a SHA-3 round-1 candidate; parameters: b = 14, w = 128, n = 1024.
◮ FSB didn't make it to round 2.
◮ Too slow? No, sloppy security analysis. Parameters not tight. Loss in speed.
[figure: H = (H_1, H_2, H_3, ..., H_127, H_128), 1024 rows, 128 · 16384 = 2097152 columns]
RFSB-509 (really fast syndrome-based):
◮ RFSB is the fast version of FSB by Bernstein et al.
◮ Parameters: b = 8, w = 112, n = 509.
◮ Fast software implementation by Bernstein and Schwabe in SUPERCOP.
[figure: H = (H_1, H_2, H_3, ..., H_111, H_112), 509 rows, 112 · 256 = 28672 columns]

11. Preimages
◮ A preimage of x ∈ {0,1}^n is given by w columns, exactly one per block, which add up to x.
◮ Note the abuse of notation: ultimately we're interested in the indices of those columns, not the columns themselves.
◮ A preimage here is in fact a pseudo-preimage for the actual hash function.
◮ In this talk we're only interested in the compression function.
[figure: H with n rows and w blocks of 2^b columns; one column per block highlighted]

12. Collisions
◮ A collision is given by 2w columns, exactly two per block, which add up to 0.
◮ Again abuse of notation: ultimately we're interested in the column indices.
◮ Collisions are in fact pseudo-collisions for the actual hash function.
◮ In this talk we're only interested in the compression function.
[figure: H with n rows and w blocks of 2^b columns; two columns per block highlighted]

13. Parameters
Security obviously depends on b, w, and n.
◮ Larger n makes it harder to find collisions (but reduces the compression factor).
◮ Smaller w or b makes it harder to find collisions (but reduces the compression factor).
[figure: H = (H_1, H_2, H_3, ..., H_{w-1}, H_w), n rows, w blocks of 2^b columns]

14. Finding collisions and preimages
◮ Information-set decoding to find regular low-weight codewords (Augot–Finiasz–Sendrier, Bernstein–Lange–P.–Schwabe).
◮ Linearization (Bellare–Micciancio, Saarinen).
◮ Generalized birthday attacks (Camion–Patarin, Wagner).
[figure: H = (H_1, H_2, H_3, ..., H_{w-1}, H_w), n rows, w blocks of 2^b columns]

15. Section 2: Information-set decoding (outline slide)

16–18. Information-set decoding
Finding a preimage of x ∈ {0,1}^n means finding w columns with xor x.
◮ Forget the block structure of H for a moment.
◮ "Unstructured w-sum problem"
◮ Pick a set of n linearly independent columns.
◮ Apply elementary row operations to H and x to bring H into a form H' = [I_n | Q] with respect to the selected columns.
◮ If x' has weight w, it is the sum of w columns from the identity submatrix. Done.
◮ If not, start with a fresh set of n columns (iterative algorithm).
[figure: H' = [I_n | Q] with the identity on the selected columns, beside the transformed target x']

19. Cost of information-set decoding
Very rough cost: Cost_GaussElim / Prob_success, where
$\mathrm{Prob}_{\mathrm{success}} = \frac{\binom{n}{w}}{\binom{2^b w}{w}} \cdot \frac{\binom{2^b w}{w}}{2^n} = \frac{\binom{n}{w}}{2^n}.$
◮ E.g., n = 1024, w = 128, b = 14: Prob_success ≈ 2^{−472}.
Much better algorithms:
◮ Stern's collision decoding (birthday paradox), ball-collision decoding, etc.
[figure: H' = [I_n | Q] beside x'; unstructured w-sum problem, block structure of H ignored]

20–21. Regular information-set decoding
Finding a preimage of x ∈ {0,1}^n means finding w columns, exactly one per block, with xor x.
◮ Don't forget the block structure of H.
◮ w-sum problem
◮ Pick a set of n linearly independent columns, spread over the blocks.
◮ Apply elementary row operations to H and x to bring H into a form H' = ["I_n" | Q], where "I_n" is spread over the w blocks.
◮ If x' has weight w, it is the sum of w columns from the identity submatrix. Done.
◮ If not, start with a fresh set of n columns.
[figure: H' = ["I_n" | Q] with the identity columns spread over the w blocks, beside x']
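Both variants of slides 16 to 21, plain and regular information-set decoding, as an added example in Python (not the speaker's code). It holds H as a flat list of n-bit column integers, does the Gaussian elimination over GF(2) on [H | x], retries on a linearly dependent selection, and for the regular variant draws n/w columns from each block and, an explicit check assumed here that the slides leave implicit, accepts a weight-w x' only when its ones fall in w distinct blocks. The toy instance (n = 12, w = 3, b = 3) and the target x, built from one column per block so that a regular preimage exists, are constructed.

```python
import random

def make_columns(n, w, b, rng):
    """Constructed sample H: a flat list of w * 2^b columns, each an n-bit int.
    Column j belongs to block j // 2^b (block i holds columns i*2^b .. (i+1)*2^b - 1)."""
    return [rng.getrandbits(n) for _ in range(w * (1 << b))]

def xor_columns(H, indices):
    """xor of the selected columns of H."""
    acc = 0
    for j in indices:
        acc ^= H[j]
    return acc

def transform_with_selected(H, x, selected, n):
    """Elementary row operations on [H | x] that turn the n selected columns into a
    row permutation of I_n. Returns {column j: bit of x' in the pivot row of j}, or
    None when the selected columns are linearly dependent (no pivot available)."""
    N = len(H)
    rows = []                          # one int per row r: bit j = H[r, j], bit N = x[r]
    for r in range(n):
        v = 0
        for j in range(N):
            v |= ((H[j] >> r) & 1) << j
        v |= ((x >> r) & 1) << N
        rows.append(v)
    pivot_of = {}
    unused = [True] * n
    for j in selected:
        p = next((r for r in range(n) if unused[r] and (rows[r] >> j) & 1), None)
        if p is None:
            return None
        unused[p] = False
        pivot_of[j] = p
        for r in range(n):             # clear column j everywhere except the pivot row
            if r != p and (rows[r] >> j) & 1:
                rows[r] ^= rows[p]
    return {j: (rows[p] >> N) & 1 for j, p in pivot_of.items()}

def isd_preimage(H, x, n, w, b, regular, rng, max_iters=200000):
    """Iterative information-set decoding for a w-column preimage of x.
    regular=False: unstructured w-sum, n random columns, block structure ignored.
    regular=True:  n/w columns per block; a weight-w x' is accepted only if it uses
                   exactly one column per block (our explicit check).
    Returns (sorted column indices, iterations used) or None."""
    N = len(H)
    size = 1 << b
    for it in range(1, max_iters + 1):
        if regular:
            selected = []
            for i in range(w):
                selected += rng.sample(range(i * size, (i + 1) * size), n // w)
        else:
            selected = rng.sample(range(N), n)
        xprime = transform_with_selected(H, x, selected, n)
        if xprime is None:
            continue                   # dependent columns: fresh information set
        ones = [j for j, bit in xprime.items() if bit]
        if len(ones) != w:
            continue                   # x' not of weight w: fresh information set
        if regular and len({j // size for j in ones}) != w:
            continue                   # weight w, but two columns in one block
        assert xor_columns(H, ones) == x   # row operations preserve the relation
        return sorted(ones), it
    return None

def demo(seed=2013):
    """Constructed toy instance: n = 12, w = 3, b = 3 (24 columns in 3 blocks);
    x is the xor of one column per block, so both variants have a solution."""
    n, w, b = 12, 3, 3
    rng = random.Random(seed)
    H = make_columns(n, w, b, rng)
    x = xor_columns(H, [2, 8 + 5, 16 + 1])
    plain = isd_preimage(H, x, n, w, b, regular=False, rng=rng)
    reg = isd_preimage(H, x, n, w, b, regular=True, rng=rng)
    return H, x, plain, reg

if __name__ == "__main__":
    H, x, plain, reg = demo()
    print("target x =", format(x, "012b"))
    print("unstructured ISD (columns, iterations):", plain)
    print("regular ISD      (columns, iterations):", reg)
```

The iteration counts returned by demo() show the gap the next slides quantify: the unstructured search accepts any weight-w x', while the regular search additionally needs the ones of x' to spread over all w blocks, so it succeeds in a smaller fraction of information sets.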

22. Cost of regular information-set decoding
Finding a preimage of x ∈ {0,1}^n means finding w columns, exactly one per block, with xor x.
Augot et al. (2003):
◮ The probability of finding a preimage is roughly
$\mathrm{Prob}_{\mathrm{success}} \approx \frac{(n/w)^w}{2^n}.$
◮ This probability is much smaller than for the classical decoding problem (which is already NP-hard).
◮ Ratio w! / w^w.
◮ E.g., n = 1024, w = 128, b = 14: Prob_success ≈ 2^{−640}.
[figure: H' = ["I_n" | Q] beside x'; w-sum problem, block structure of H kept]
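The cost estimates of slides 19 and 22 carried through numerically, as an added example (not from the slides) that reproduces the quoted 2^{−472} and 2^{−640}. Binomials are evaluated in the log domain with log-gamma, since C(2^14 · 128, 128) has thousands of bits; the two factors of slide 19 are kept separate so their cancellation to C(n, w)/2^n is visible, and the w!/w^w ratio of slide 22 is computed alongside. Parameter values are the FSB-256 ones from slide 9.

```python
from math import lgamma, log, log2

LN2 = log(2)

def log2_binom(n, k):
    """log2 C(n, k) via log-gamma; accurate to far below one bit at these sizes."""
    return (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)) / LN2

def plain_isd_prob_log2(n, w, b):
    """Slide 19, unstructured w-sum. Returns (log2 product, log2 factor 1, log2 factor 2):
    factor 1: all w columns of a preimage lie in the chosen n of the 2^b w columns,
    factor 2: expected number of w-column preimages of a fixed x,
    product:  C(n, w) / 2^n, since C(2^b w, w) cancels."""
    N = (1 << b) * w
    in_set = log2_binom(n, w) - log2_binom(N, w)
    n_preimages = log2_binom(N, w) - n
    return in_set + n_preimages, in_set, n_preimages

def regular_isd_prob_log2(n, w):
    """Slide 22 (Augot et al.), one column per block: (n/w)^w / 2^n, as log2."""
    return w * log2(n / w) - n

def regular_penalty_log2(w):
    """log2 of w! / w^w, the ratio between the regular and the unstructured count
    (C(n, w) ~ n^w / w! against (n/w)^w = n^w / w^w)."""
    return lgamma(w + 1) / LN2 - w * log2(w)

def expected_gauss_eliminations_log2(prob_log2):
    """Rough cost model of slide 19: cost = Cost_GaussElim / Prob_success, so the
    expected number of eliminations is 2^(-log2 Prob)."""
    return -prob_log2

if __name__ == "__main__":
    n, w, b = 1024, 128, 14            # FSB-256 parameters (slide 9)
    p, f1, f2 = plain_isd_prob_log2(n, w, b)
    print(f"unstructured: log2 Prob = {p:.2f}  (factors {f1:.2f} and {f2:.2f})")
    print(f"  -> about 2^{expected_gauss_eliminations_log2(p):.0f} Gaussian eliminations")
    print(f"regular:      log2 Prob = {regular_isd_prob_log2(n, w):.2f}")
    print(f"log2(w!/w^w) for w = {w}: {regular_penalty_log2(w):.2f}")
    n, w, b = 509, 112, 8              # RFSB-509 parameters (slide 10), same formulas
    print(f"RFSB-509: unstructured {plain_isd_prob_log2(n, w, b)[0]:.2f}, "
          f"regular {regular_isd_prob_log2(n, w):.2f}")
```

Note that the gap between the two FSB-256 figures (168 bits) is smaller than the 180-bit w!/w^w ratio, because C(n, w) is itself somewhat below n^w/w! when w is not negligible against n; the slide's ratio is the leading-order term.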

23. Cost of 2-regular information-set decoding
Find collisions, i.e., two columns per block with xor 0.
◮ Don't forget the block structure of H.
◮ 2w-sum problem
Augot et al. (2003):
◮ The expected number of iterations of the 2-regular syndrome-decoding algorithm is
$\min\left\{ \left\lceil \frac{2^n}{\binom{\lfloor n/w_0 \rfloor + 1}{2}^{w_0}} \right\rceil : w_0 \in \{1, 2, \ldots, w\} \right\}.$
Bernstein et al. (2011):
◮ 2-regular syndrome decoding using the birthday paradox.
◮ Faster, much more complicated.
[figure: H' = ["I_n" | Q] beside x']

24. Section 3: Linearization (outline slide)
