Improved Information Set Decoding Decoding Random Linear Codes in O(20.054n)

Transcription

1 Imroved Information Set Decoding Decoding Random Linear Codes in O(2.54n) Alexander May, Alexander Meurer, Enrico Thomae ASIACRYPT 211, Seoul HORST GÖRTZ INSTITUTE FOR IT-SECURITY FACULTY OF MATHEMATICS Deartment for IT-Security and Crytology

2 Reca Binary Linear Codes A binary linear code C is a k-dimensional subsace of F2n n Generator matrix G =k /1 C = { xt G : x 2 F2k } n Parity check matrix H = n-k /1 C = { H c = : c 2 F2n }

3 Reca Binary Linear Codes A binary linear code C is a k-dimensional subsace of F2n n Generator matrix G =k /1 C = { xt G : x 2 F2k } n Parity check matrix H = n-k /1 C = { H c = : c 2 F2n } Minimum distance d = minx y2c{ wt(x+y) } C is called binary [n,k,d] code. d x y

4 Reca Binary Linear Codes n A binary linear code C is a k-dimensional subsace of F 2 Running Running time time of of decoding decoding algorithms: algorithms: T(n,k,d) T(n,k,d) n In this talk: Analysis for random binary linear In this talk: Analysis for random binary linear k / 1 Generator matrix G = C = { xt G : x 2 F2k } codes codes with with constant constant rate rate R=k/n R=k/n n For For n, n, kk and and dd are are related related via via GilbertGilbertVarshamov bound, Varshamov bound, thus thus Parity check matrix H = n-k / 1 C = { H c = : c 2 F2n } T(n,k,d) T(n,k,d) == T(n,k) T(n,k) We We comare comare algorithms algorithms by by their their comlexity comlexity Minimum distance d i.e. =i.e.minc2c{ wt(c) } coeffcient F(k), coeffcient F(k), F(k)n F(k)n T(n,k) == O(2 )) Such C is called binary [n,k,d] T(n,k) O(2code. d x y

5 Scenario (Bounded Distance Decoding) 4 5 d-1 Obtain x = c + e with c 2 C and w := wt(e) = 2 x Goal: Find e and thus c = x + e 4 5 d-1 2 Consider syndrome s := s(x) = H x = H (c+e) = H e Find linear combination of w columns of H matching s weight w n n-k H = + + = s c

6 Scenario (Bounded Distance Decoding) 4 5 d-1 Obtain x = c + e with c 2 C and w := wt(e) = 2 x Goal: Find e and thus c = x + e 4 5 d-1 2 c Consider syndrome s := s(x) = H x = H (c+e) = H e Find linear combination of w columns of H matching s weight w n n-k H Brute-Force Brute-Force comlexity comlexity = + + n s T(n,k,d) T(n,k,d) == w =

7 Scenario (Bounded Distance Decoding) 4 5 d-1 Obtain x = c + e with c 2 C and w := wt(e) = 2 x Goal: Find e and thus c = x + e 4 5 d-1 2 Consider syndrome s := s(x) = H x = H (c+e) = H e Find linear combination of w columns of H matching s weight w n n-k H Comlexity Comlexity = + s F(k) = c

8 Some very basic observations Allowed (linear algebra) transformations Permuting the columns of H does not change the roblem

9 Some very basic observations Allowed (linear algebra) transformations Permuting the columns of H does not change the roblem weight w n n-k H = s

10 Some very basic observations Allowed (linear algebra) transformations Permuting the columns of H does not change the roblem weight w n n-k H = s

11 Some very basic observations Allowed (linear algebra) transformations Permuting the columns of H does not change the roblem Elementary row oerations on H do not change the roblem

12 Some very basic observations Allowed (linear algebra) transformations Permuting the columns of H does not change the roblem Elementary row oerations on H do not change the roblem weight w n n-k H = s

13 Some very basic observations Allowed (linear algebra) transformations Permuting the columns of H does not change the roblem Elementary row oerations on H do not change the roblem weight w n UG n-k H Invertible (n-k)x(n-k) matrix = UG s

14 Randomized systematic form From now on, we work on a randomly column-ermuted version of H in systematic form (n-k) x k matrix UG * H = * Q In-k UP (n-k)-dimensional idendity matrix

15 Basic Information Set Decoding ''Reducing the brute-force search sace by linear algebra.''

16 Basic Information Set Decoding Fundamental rincile: Randomization: transform H into column-ermuted systematic form H Q In-k Search hase: Try to fnd solution e = weight w weight w Q In-k = s If no solution found: Rerandomize and try again!, i.e.

17 Basic Information Set Decoding Fundamental rincile: Randomization: transform H into column-ermuted systematic form H Q In-k -1 T(n,k,d) T(n,k,d) == Pr[ good Pr[ good randomization] randomization]-1 xx C[Search] C[Search] Search hase: Try to fnd solution e = weight w weight w Q In-k = s If no solution found: Rerandomize and try again!, i.e.

18 Classical ISD variants Lee-Brickel (1988) w- k n-k Q In-k = s Brute force on Q, i.e. search e'= If so, fll u e''= w- with wt(qe'+s) = w- with remaining (w-) 1's

19 Classical ISD variants Lee-Brickel (1988) w- e' k n-k k Q In-k = s Q + s = e'' wt(qe'+s) = w- Brute force on Q, i.e. search e'= If so, fll u e''= w- with wt(qe'+s) = w- with remaining (w-) 1's

20 Classical ISD variants Lee-Brickel (1988) w- e' k n-k k Q In-k = s Q + s = e'' wt(qe'+s) = w T(n,k,d) = Pr[ good randomization] xxwith C[Brute force] T(n,k,d) = Pr[ good randomization] C[Brute force]= w- Brute force on Q, i.e. search e'= 1 wt(qe'+s) If so, fll u e''= == w- k n k with w remaining n w w- xx 1's k

21 Classical ISD variants Lee-Brickel (1988) w- e' k n-k k Q In-k = s Q + s = e'' wt(qe'+s) = w- Comlexity (bounded distance decoding) (bounded decoding) Brute forcecomlexity on Q, i.e. search e'= distance with wt(qe'+s) = w- If so, fll u e''= remaining w- 1's F(k) with.5751 w-

22 Classical ISD variants Stern (1989) Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k = s

23 Classical ISD variants Stern (1989) /2 Find with Find e'= e'= /2 with Qe'=s' Qe'=s' on on frst frst ll coordinates, coordinates, i.e. i.e. /2 Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k /2 = Q' = s s' q1,, qk * : * via via standard standard sort sort & & match match qi i I 1 k I 1 [ 1,, ] 2 match qi s ' i I 2 k I 2 [ 1,, k ] 2

24 Classical ISD variants Stern (1989) Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k /2 /2 w- q1,, qk = s Q' + s = In-k

25 Classical ISD variants Stern (1989) Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k = s w- s' * : * + s = In-k

26 Classical ISD variants Stern (1989) Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k = s w- s' * : * + s = * : * = e'' In-k

27 Classical ISD variants Stern (1989) Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k T(n,k,d) T(n,k,d) = s == == s' * : * + s = -1 Pr[ good randomization] Pr[ good randomization]-1 xxc[mitm] C[MitM] [ 2 k / 2 n k l / 2 w n w w- ] 1 * xx: * k=/2 e'' /2 In-k

28 Classical ISD variants Stern (1989) Meet-in-the-middle on Q /2 /2 w- k/2 k/2 l n-k-l q1,, qk Q' In-k = s s' * : * + s = Comlexity Comlexity (bounded (bounded distance distance decoding) decoding) F(k).5563 w- * : * = e'' In-k

29 Wraing u so far Different methods search for different error-distributions Lee-Brickel (1988) Stern (1989) /2 w- /2 w-

30 Wraing u so far Different methods search for different error-distributions Lee-Brickel (1988) Stern (1989) /2 w- /2 w- Recently: Ball-collision decoding (CRYPTO11) by Bernstein et al. Imroving Pr[good rand.] by allowing q extra 1's within the length l zero-window F(k).5558 /2 /2 q/2 q/2 w--q

31 Wraing u so far Different methods search for different error-distributions Lee-Brickel (1988) Stern (1989) /2 w- /2 w- Recently: Ball-collision decoding (CRYPTO11) by Bernstein et al. Imroving Pr[good rand.] by allowing q extra 1's within the length l zero-window /2 /2 q/2 q/2 w--q F(k).5558 Both Stern and BallColl imrove runtime at the cost of increased sace consumtion ( see aer for details)

32 Wraing u so far Asymtotic comlexity (Bounded Distance Decoding) Lee-Brickel F(k) =.5751 Stern F(k) =.5563 BallColl F(k) =.5558

33 Our New Algorithm

34 Generalized ISD framework Starting oint: Generalized ISD framework of Finiasz and Sendrier (ASIACRYPT 29) Observation: Since frst l columns of In-k can not be used in Stern's algorithm, we can simly shift them to the Q-art of H

35 Generalized ISD framework Starting oint: Generalized ISD framework of Finiasz and Sendrier (ASIACRYPT 29) Observation: Since frst l columns of In-k can not be used in Stern's algorithm, we can simly shift them to the Q-art of H k H= Q n-k In-k

36 Generalized ISD framework Starting oint: Generalized ISD framework of Finiasz and Sendrier (ASIACRYPT 29) Observation: Since frst l columns of In-k can not be used in Stern's algorithm, we can simly shift them to the Q-art of H k+l n-k-l H= Q In-k-l l rows

37 Generalized ISD framework Major subroblem: Finding exactly columns amongst q1,..., qk+l matching s on it's frst l coordinates s' k+l n-k-l q1,..., qk+l Q' In-k-l H= l rows

38 Generalized ISD framework Major subroblem: Finding exactly columns amongst q1,..., qk+l matching s on it's frst l coordinates s' Stern divides the qi into disjoint sets, i.e. searches index sets k l k l q i qi =s ' I 1 [1,, ] and I 2 [ 1,, k l] with 2 2 i I 1 i I 2 k+l n-k-l q1,..., qk+l Q' In-k-l H= l rows

39 Our New Algorithm Main contribution: More effcient non-disjoint matching insired by reresentation technique of Howgrave-Graham and Joux (in the context of subset sum algorithms), i.e. ick q i qi =s ' and I 1, I 2 [1,, k l ] with I j = 2 i I 1 i I 2 k+l n-k-l q1,..., qk+l Q' In-k-l H= l rows

40 The reresentation trick in detail k+l Aim: Find such that weight k+l q1,..., qk+l There are = ways of decomosing /2 /2 /2, It suffces to fnd one of them! /2 /2 s1' : sl',..., e.g.

41 How can we roft from reresentations? w- k+l n-k-l q1,..., qk+l Q' In-k-l equivalent solutions /2 / 2 k l from k l to /2 /2 Advantage: Every solution exands into Disadvantage: Search sace grows Goal: Find one solution via Divide & Conquer strategy Rule of thumb: We get better if k l /2 k l / 2 /2 /2

42 How can we roft from reresentations? w- k+l n-k-l q1,..., qk+l Q' In-k-l Advantage: Every solution exands into equivalent solutions Comlexity /2 Comlexity / 2 k l Disadvantage: Search sace grows from k l * to= e'' / / 2 : T(n,k,d) = Pr[ good randomization] x C[ReTrick] T(n,k,d) = Pr[ good randomization] x C[ReTrick] * attack (Wagner) Goal: Find one solution via Generalized Birthday k l k l n k l k l == / 2 k l / 2 xx Rule of thumb: We get better if /2 / 2 [ ] 1 w n w /2 /2

43 How can we roft from reresentations? w- k+l n-k-l q1,..., qk+l Q' In-k-l equivalent solutions /2 k l / 2 k l Disadvantage: Search sace grows from to * = Comlexity (bounded distance decoding) Comlexity (bounded distance decoding) /e'' 2 /2 Advantage: Every solution exands into Goal: Find one solution via Generalized Rule of thumb: We get better if : Birthday* k l F(k).5364 /2 /2 k l / 2 /2 attack (Wagner)

44 Comlexity comarison Asymtotic comlexitiy (Bounded Distance Decoding) Lee-Brickel F(k) =.5751 BallColl F(k) =.5558 MMT F(k) =.5364

45 Summary Asymtotically fastest generic decoding algorithm Not a mere time-memory trade-off ( see aer) First alication of HGJ reresentation trick to a different scenario Oen questions Precise analysis w.r.t. olynomial factors (e.g. linear algebra) Transfer Bernstein's seed-u tricks for Stern's algorithm What is the real break even oint comared to other methods?

46 Summary Asymtotically fastest generic decoding algorithm Not a mere time-memory trade-off ( see aer) First alication of HGJ reresentation trick to a different scenario Thank you! Oen questions Precise analysis w.r.t. olynomial factors (e.g. linear algebra) Transfer Bernstein's seed-u tricks for Stern's algorithm What is the real break even oint comared to other methods?