Decoding Random Binary Linear Codes in 2n/20 How 1+1=0 Improves Information Set Decoding

Transcription

1 Decoding Random Binary Linear Codes in 2n/20 How 1+1=0 Improves Information Set Decoding A. Becker, A. Joux, A. May, A. Meurer EUROCRYPT 2012, Cambridge

2 The Representation Technique [HGJ10] How to fnd a needle N in a haystack H... Expand H into larger stack H' Expanding H' introduces r many representations N1,, N r Examine a 1/r fraction of H' to fnd one Ni

3 The Representation Technique [HGJ10] How to fnd a needle N in a haystack H... Expand H into larger stack H' Expanding H' introduces r many representations N1,, N r Examine a 1/r fraction of H' to fnd one Ni Technicality: Technicality: Find Find aa way way to to examine examine aa 1/r 1/r fraction fraction of of H' H' without without completely completely constructing constructing itit beforehand beforehand

4 The Representation Technique [HGJ10] How to fnd a needle N in a haystack H... Expand H into larger stack H' Expanding H' introduces r many representations N1,, N r Technicality: Technicality: Find Find aa way way to to examine examine aa 1/r 1/r fraction fraction of of H' H' without without completely completely constructing constructing itit beforehand beforehand Examine a 1/r fraction of H' to fnd one Ni Has been used in [MMT11] to improve Information Set Decoding

5 The Representation Technique Optimizing the Representation Technique [BCJ11] r = number of needles H' = size of expanded haystack Ratio H' / r determines effciency Increase r while keeping H' small

6 The Representation Technique Optimizing the Representation Technique [BCJ11] r = number of needles H' = size of expanded haystack Ratio H' / r determines effciency Increase r while keeping H' small Can we use 1+1 = 0 to increase r?

7 Recap Binary Linear Codes C = random binary [n,k,d] code n = length / k = dimension / d = minimum distance Bounded Distance Decoding (BDD) Given x = c+e with c 2 C 4 5 and w := wt(e) = d-1 2 Find e and thus c = x+e x 4 5 d-1 2 c

8 Comparing Running Times How to compare performance of decoding algorithms Running time T(n,k,d) Fixed code rate R = k/n For n, k and d are related via Gilbert-Varshamov bound, thus T(n,k,d) = T(n,k) Compare algorithms by complexity coeffcient F(k), i.e. T(n,k) = 2 F(k) n + o(n)

9 Comparing Running Times How to compare performance of decoding algorithms Running time T(n,k,d) Fixed code rate R = k/n Minimize F(k)! For n, k and d are related via Gilbert-Varshamov bound, thus T(n,k,d) = T(n,k) Compare algorithms by complexity coeffcient F(k), i.e. T(n,k) = 2 F(k) n + o(n)

10 Syndrome Decoding (BDD) Given x = c+e with c 2 C and wt(e)=w, fnd e! H = parity check matrix Consider syndrome s := s(x) = H x = H (c+e) = H e Find linear combination of w columns of H matching s weight w n n-k H = + + = s

11 Syndrome Decoding (BDD) Given x = c+e with c 2 C and wt(e)=w, fnd e! H = parity check matrix Consider syndrome s := s(x) = H x = H (c+e) = H e Find linear combination of w columns of H matching s weight w n n-k H Brute-Force Brute-Force complexity = + + = s T(n,k,d) T(n,k,d) ==

12 Syndrome Decoding (BDD) Given x = c+e with c 2 C and wt(e)=w, fnd e! H = parity check matrix Consider syndrome s := s(x) = H x = H (c+e) = H e Find linear combination of w columns of H matching s weight w n n-k H = F(k) = s

13 Some Basic Observations for BDD Allowed (linear algebra) transformations Permuting the columns of H does not change the problem

14 Some Basic Observations for BDD Allowed (linear algebra) transformations Permuting the columns of H does not change the problem weight w n n-k H = s

15 Some Basic Observations for BDD Allowed (linear algebra) transformations Permuting the columns of H does not change the problem weight w n n-k H = s

16 Some Basic Observations for BDD Allowed (linear algebra) transformations Permuting the columns of H does not change the problem Elementary row operations on H do not change the problem

17 Some Basic Observations for BDD Allowed (linear algebra) transformations Permuting the columns of H does not change the problem Elementary row operations on H do not change the problem weight w n n-k H = s

18 Some Basic Observations for BDD Allowed (linear algebra) transformations Permuting the columns of H does not change the problem Elementary row operations on H do not change the problem weight w n UG n-k H Invertible (n-k)x(n-k) matrix = UG s

19 Randomized quasi-systematic form Work on randomly column-permuted version of H Transform H into quasi-systematic form H= n-k-l q1,..., q 0 Q' In-k-l l rows First used in generalized ISD framework of [FS09]

20 Information Set Decoding ''Reducing the brute-force search space by linear algebra.''

21 The ISD Principle Structure of H allows to divide e = e1 e2 q1,..., q 0 Q' In-k-l e1 n-k-l e2

22 The ISD Principle Structure of H allows to divide e = e1 e2 e1 e2 e1 e2 q1,..., q 0 q1,..., q 0 Q' In-k-l = Q' + In-k-l

23 The ISD Principle Structure of H allows to divide e = e1 e2 e1 e2 e1 e2 q1,..., q 0 q1,..., q 0 Q' In-k-l = = + Q' * * * + 0 * *! = In-k-l l coordinates s

24 The ISD Principle Structure of H allows to divide e = e1 e2 e1 e2 e1 e2 q1,..., q 0 q1,..., q 0 Q' In-k-l Focus Focus on on ee11 matching matching ss on on frst frst ll coordinates coordinates = = + Q' * * * + 0 * *! = In-k-l l coordinates s

25 The ISD Principle Structure e Find all e1 ofofweight p matching H allows to divide es=on frste l coordinates 1 2 e1 e2 e1 e2 q1,..., q 0 q1,..., q 0 Q' In-k-l = = + Q' * * * + 0 * *! = In-k-l l coordinates s

26 The ISD Principle Structure e Find all e1 ofofweight p matching H allows to divide es=on frste l coordinates 1 e1 e2 e1 e2 q1,..., q 0 q1,..., q 0 = Method only recovers I Q' n-k-l particular error patterns p 2 + Q' In-k-l n-k-l w-p If we fail to fnd e1 : Rerandomize H = * * * + 0 * *! = l coordinates s

27 The ISD Principle e We exploitof 1+1=0 fnd ee1=more eeffciently! Structure H allowsto to divide 1 2 e1 e2 e1 e2 q1,..., q 0 q1,..., q 0 Q' In-k-l = = + Q' * * * + 0 * *! = In-k-l l coordinates s

28 A Meet-in-the-Middle Approach Find a selection with Disjoint partition into left and right half () p () / 2 p/2 p/2 () / 2

29 A Meet-in-the-Middle Approach Find a selection To fnd with run a Meet-in-the-Middle algorithm based on Haystack = set of all () / 2 p/2 () / 2 p/2 () / 2 0 () / 2 0 Needle = unique Same F(k) as recent Ball-Collision decoding [BLP11] as shown in [MMT11]

30 A Meet-in-the-Middle Approach Find a selection To fnd with run a Meet-in-the-Middle algorithm based on Haystack = set of all () / 2 p/2 () / 2 p/2 () / 2 0 F(k) () / 2 0 Needle = unique Same F(k) as recent Ball-Collision decoding [BLP11] as shown in [MMT11]

31 Using Representations [MMT11] Find a selection with Basic representation technique Arbitrary disjoint partition p

32 Using Representations [MMT11] Find a selection with Basic representation technique Arbitrary disjoint partition p p/2 p/2

33 Using Representations [MMT11] Find a selection with Basic representation technique Arbitrary disjoint partition p p/2 p/2

34 Using Representations [MMT11] Find a selection with Basic representation technique Arbitrary disjoint partition p p/2 p/2

35 Using Representations [MMT11] Find a selection with Basic representation technique Arbitrary disjoint partition p p/2 and so on... p/2

36 Using Representations [MMT11] Find a selection with Basic representation technique Arbitrary disjoint partition p p/2 and so on... p/2 representations representations

37 Using Representations [MMT11] Find a selection with Haystack = set of all Needles = p/2 representations Bottleneck: Effcient computation of a - fraction of the haystack p/2 p/2,,...

38 Using Representations [MMT11] Find a selection with Haystack = set of all Needles = p/2 representations p/2 p/2,,... Bottleneck: Effcient computation of a - fraction of the haystack F(k)

39 Using = 0

40 How to use = 0 Write as the symmetric difference of intersecting sets

41 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² p/2+²

42 How to use = 0 Write as the symmetric difference of intersecting sets p/2+² p/2+²

43 How to use = 0 Write as the symmetric difference of intersecting sets Double columns cancel out p due to 1+1=0! p/2+² p/2+²

44 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² p/2+²

45 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² p/2+²

46 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² p/2+²

47 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² p/2+²

48 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² and so on... p/2+²

49 How to use = 0 Write as the symmetric difference of intersecting sets p p/2+² and so on... p/2+² representations representations

50 How to use = 0 Write as the symmetric difference of intersecting sets Haystack = set of all p/2+² Needles = representations p/2+² p/2+² How can we compute a 1/R fraction of the haystack?,,...

51 How to use = 0 How can we compute a 1/R fraction of the haystack? Want to fnd one needle (and suitable q1 + q3 + q4 + q11 = q2 + q4 + q7 + q12 + s ) with

52 How to use = 0 How can we compute a 1/R fraction of the haystack? Want to fnd one needle Uniform 0/1 coordinates (and suitable q1 + q3 + q4 + q11 = q2 + q4 + q7 + q12 + s ) with

53 How to use = 0 How can we compute a 1/R fraction of the haystack? Want to fnd one needle Uniform 0/1 coordinates (and suitable q1 + q3 + q4 + q11 = q2 + q4 + q7 + q12 + s Fix to 0 and ) with log(r) coordinates to s on log(r) coordinates Expect one needle to fulfll the extra constraint!

54 Some More Details The actual search for the needle à la Wagner's Generalized Birthday Algorithm Three-layered binary computation tree Some technicalities Need to exclude "badly distributed q1,, q Method introduces extra inverse-polynomial failure probability

55 Main Result F(k) < 1/20 F(k) Ball-Collisions MMT Our Algorithm k

56 Wrapping up... Summary Using 1+1=0 introduces extra representations Asymptotically fastest generic decoding algorithm Full Version eprint 2012/026 Open Questions More representations? Over Fq? (Low level) optimizations

57 Wrapping up... Summary Using 1+1=0 introduces extra representations Asymptotically fastest generic decoding algorithm Full Version eprint 2012/026 Open Questions Thank you! More representations? Over Fq? (Low level) optimizations