How to improve information set decoding exploiting that = 0 mod 2

Transcription

1 How to improve information set decoding exploiting that = 0 mod 2 Anja Becker Postdoc at EPFL Seminar CCA January 11, 2013, Paris

2 Representation Find unique solution to hard problem in cryptography Apply new algorithmic technique

3 Setting Problems in cryptography in focus Syndrome decoding problem in a random binary code Knapsack problem Difficulty for random codes and knapsack NP-hard Hard on average Generic algorithms We designed exponential algorithms O(2 α n ), α < 1 Goal: reduce α 2

4 Part I Subset sum problem over the integers Part II Distance decoding problem for binary linear codes

5 Subset Problem Knapsack problem Given n integers a i and a target integer value S, find {0,1}-values ε i: n a i ε i = S. i=1 NP-hard [Karp, 72] Density: D = n/ log 2 (a max) Random knapsack a i U [ 1, 2 n/d ] and ε U {0, 1} n n log 2 (a max) Few solutions of weight n/2 4

6 History In the past encryption cryptosystems were proposed Merkle-Hellman ( 78), Chor-Rivest ( 84),... Attacks exploit Disguised structure of the knapsack or Reduce problem to search of short vector Solvable for density < 0.94 via lattice oracle [LO, 85,.., CJLOSS 92] Solution found in polynomial time for reasonable parameters n log 2 (a max) non unique solution Most difficult case: density 1 leads to exponential complexity 5

7 Standard approach Split the sum n 2 a i ε i = S i=1 n i= n 2 +1 a i ε i 1. Create two lists of length = 2 n/2 n/2 L 1 = x, a ix i, L2 = y, S x i, y i {0, 1} i=1 n i= n/2 +1 a iy i, 2. Search for collision between elements in L 1 and L 2 Hash-join costs: L 1 + L 2 Time and memory: O(n 2 n 2 ) 6

8 Observations Solves all instances Solution found as concatenation: x y = ε Complexity dominated by size of lists and cost for join. Shamir-Schroeppel 81: Can split into 4 lists and keep same time Õ(2n/2 ) but reduce memory to Õ(2n/4 ) Wagner 02: Solves 4-list problem in time Õ(2n/3 ) for many solutions and large lists Õ(.) neglects polynomial factors in n 7

9 Transform problem to search of one-out-of-many...

10 Representation Write ε = x + y where len(x ) = len(y ) = len(ε) = n wt(x ) = wt(y ) N = ( n/2 n/4) = Õ(2 n/2 ) representations 9

11 Algorithm 1. Create L 1 = 2. Create L 2 = { { x of weight n/4, } n a i x i i=1 y of weight n/4, S } n a i y i 3. Search collision over the integers and check weight n a i (x i + y i) = S and wt(x + y) = wt(ε) i=1 ( ) n L = 2 H(1/4) n n n/4 Find solution N times i=1 10

12 Algorithm 1. Create L 1 = 2. Create L 2 = { { x of weight n/4, } n a i x i i=1 y of weight n/4, S } n a i y i 3. Search collision over the integers and check weight n a i (x i + y i) = S and wt(x + y) = wt(ε) i=1 i=1 i=1 n n a ix i + a i yi S mod M i=1 For N M representations: R a x mod M S R a y mod M 10

13 Algorithm 1. Create L 1 = 2. Create L 2 = { { x of weight n/4 y of weight n/4 } n a i x i R mod M i=1 } n a i y i S R mod M 3. Search collision over the integers and check weight n a i (x i + y i) = S and wt(x + y) = wt(ε) i=1 i=1 i=1 n n a ix i + a i yi S mod M i=1 For N M representations: R a x mod M S R a y mod M L i = ( n n/4) M, N M 10

14 Dominating cost 1. Shorter lists E( L ) = #x N 2. Collisions E(C) = L 2 2 n /N = (#x)2 N 2 n 3. Cost to create lists: Apply technique recursively 11

15 Subknapsacks a (x (1) + x (2) + x (3) + x (4) ) = S a (x (1) + x (2) ) M1 R a (x (3) + x (4) ) M1 S R a x (1) M2 R 1 a x (2) M2 R R 1 a x (3) M2 R 2 a x (4) M2 S R R 2 Join to match modular constraint Check weight 12

16 Subknapsacks a (x (1) + x (2) + x (3) + x (4) ) = S a (x (1) + x (2) ) M1 R a (x (3) + x (4) ) M1 S R a x (1) M2 R 1 a x (2) M2 R R 1 a x (3) M2 R 2 a x (4) M2 S R R 2 Solve random instances in time Õ(20.337n ) and memory Õ(20.311n ) Howgrave-Graham, Joux, 10 13

17 Increase number of representations Write solution ε = x + y Write 1 in ε as (1, 0) or (0, 1) in (x, y ) Write 0 in ε as (0, 0) 14

18 Increase number of representations Write solution ε = x + y Write 1 in ε as (1, 0) or (0, 1) in (x, y ) Write 0 in ε as (0, 0) or ( 1, 1) or (1, 1) N = ( ) ( ) n/2 n/4 n/2 c,c,n/2 2c Choose c to find minimal running time Recurse 14

19 Algorithms for hard knapsack problem Algorithms that find solution ε {0, 1} n for a given hard subset sums Time Memory Best known algorithm for all instances, Õ(2 n 2 ) Õ(2 n 4 ) Shamir-Schroeppel, 1979, 1981 For random instances, Õ( n ) Õ( n ) Howgrave-Graham, Joux, 2010 For random instances, B., Coron, Joux, 2011 Õ( n ) Õ( n ) Õ(.) neglects linear/logarithmic factors 15

20 Time-Memory 0.75 Disection Represent. Shamir-Schroeppel Cycle-finding Represent. Time Memory Representation technique: M T = n Dinur, Dunkelmann, Keller, Shamir, 12: Reduce M T down to n

21 Time-Memory 0.75 Disection Represent. Shamir-Schroeppel Cycle-finding Represent. Time Memory Representation technique: M T = n Dinur, Dunkelmann, Keller, Shamir, 12: Reduce M T down to n

22 Application to linear codes Decoding Problem

23 Vectorial subset sum Given random matrix H, random target vector s over F 2, find vector e of weight ω:... He = a 1 a 2 a n... e = s. 19

24 Binary linear codes Defined by a parity check matrix H 0 F n k n 2 Length n and dimension k Codeword c F n 2 : H 0c = 0 Shortest codeword minimal distance d McEliece/Niederreiter-encryption ( 78, 86) CFS-signature (CFS 01, F 10), special signatures (DV 09,MCGL11), zero-knowledge IDE schemes (S 77,MGS 11), hash functions (AF05) 20

25 Underlying computational problem Bounded distance decoding problem Given a linear code C and a random vector y F n 2, an integer ω, find a vector e of weight ω: y + e C. Weight ω d/2 > Unique decoding c+e c O 21

26 Underlying computational problem Bounded distance decoding problem Given a linear code C, a random vector y F n 2, an integer ω, find a vector e of weight ω: y + e C. Syndrome s: Hy = H(c + e) = He = s Comp. syndrome decoding problem Given H, s, an integer ω, find a vector e of weight ω such that He = s. Equivalent problems [LDW 94] NP-hard for binary linear codes [Berlekamp et al. 78] 22

27 Information Set Decoding (ISD) Most efficient method for random code Lee-Brickel 88,.., Finiasz, Sendrier 09 He = UH 0P e = s A 0 1 A... 1 e e [ = A e A e e ] = [ s up s low ] Given e, compute e = A e s low k + l n k l e = p e = ω p 23

28 Probability k + l n k l e = p e = ω p Probability of right weight structure P = ( k+l )( n k l p ω p ( n ω) ) p, l are optimization parameters 24

29 Information Set Decoding Repeat 1. Obtain systematic form by random permutation & Gaussian elimination 2. Search e of weight p where A e = s up. 3. Compute e candidate as A e s low, check weight for ω p 4. Apply inverse initial transformations to solve original problem 25

30 Information Set Decoding Repeat 1. Obtain systematic form by random permutation & Gaussian elimination 2. Search e of weight p where A e = s up. 3. Compute e candidate as A e s low, check weight for ω p 4. Apply inverse initial transformations to solve original problem 26

31 Classical algorithm Find e s.t. A e = s. Split columns: A = A 1 A 2 1. Compute all columns sums {A 1e 1}, {s A 2e 2} of p/2 columns 2. Search for collisions: A 1e 1 = s A 2e 2 p/2 p/2 27

32 Observation Find e in unique way: e 1 e 2 Stern, Barg, 89, Canteau-Chabanne,-Chabaud 94, 98,., BLP 08, Ball-collision ( 10) Amelioration in different phases of ISD What about the representation idea? 28

33 Method based on representations Construct e as e 1 e 2 k + l n k l e = p e = ω p e 1 = p/2 + c e 2 = p/2 + c c = 0 Finiasz, Sendrier 09, May, Meurer, Thomae 11, Johansson, Loendahl 11 c > 0, B., Joux, May, Meurer ( 11) 0,1,-1 integer case 29

34 Representation wt(e i ) = p/2 + c and wt(e 1 e 2) = p N = ( )( p m p ) p/2 c representations Constraint A e 1 = s A e 2 Some representations share same value on some bits t = [A e 1] r = [s A e 2] r for random t F r 2 We expect N/2 r representations for almost every t. 2 r N Algorithm Expect to find one (e 1, e 2) within all collisions: Verify wt(e 1 e 2) = p {e 1, [A 1e 1] r = t} and { e 2, [s A 2e 2] r = t }

35 Asymptotic time complexity Decoding problem for code C = [n, k, d] R := k/n, D := d/n Gilbert-Varshamov bound: R 1 H(D) W := ω/n Half distance decoding: W = D/2 Full distance decoding: W = D Can express complexity in terms of n, R: Time T (n, R) = 2 T (R)n+o(n)

36 Asymptotic time complexity Time T (n, R) = 2 T (R)n+o(n) Half-distance decoding FS-Stern Repres. MMT Leon 0.04 T(R) R:=k/n Almost same worst case information rate

37 Asymptotic worst-case in time Half distance decoding (W = D/2) memory time Stern Ball MMT Now % time 8% time Full distance decoding (W = D) memory time time Stern Ball MMT Now memory limited:

38 Comments and summary Algorithmic tweaks Can reduce memory by choosing slightly larger modulus and repeating Efficient join routine Probabilistic algorithm for random instances For a small fraction of instances and a proportion of targets, the algorithm will not succeed Choice of targets influences the outcome Large lists, many collisions Small number of repetitions 34

39 Experiments Optimal parameters are very small for feasible n Knapsack (n = 80) # 1s at first level: c 1 = 2, c 2 = 1, c 3 = random knapsacks 3 mins per repetition 5.47 repetitions on average (Intel Xeon X5560 at 2.80 GHz) Codes [n, k, ω, p, l] = [1024, 524, 50, 8, 46] (c 1, r 1) = (2, 23), (c 2, r 2) = (1, 13) 1000 instances 50% solved instances per repetition Increase restrictions: r 2 = 14, half time, memory, success Expected size of lists and number of collisions is as expected No special cases 35

40 Bibliography Improved Generic Algorithms for Hard Knapsacks Anja Becker, Antoine Joux, Jean-Sébastien Coron Eurocrypt 2011 eprint.iacr.org/2011/474 Decoding Random Binary Linear Codes in 2 n/20 : How = 0 Improves Information Set Decoding Anja Becker, Antoine Joux, Alexander May, Alexander Meurer Eurocrypt 2012 eprint.iacr.org/2012/026 36

41 Perspectives Possible generalization to other groups Allowing arbitrary coefficients Apply to other problems 37

42 Thank you