improved low memory subset sum and lpn algorithms via
play

Improved Low-Memory Subset Sum and LPN Algorithms via Multiple - PowerPoint PPT Presentation

Oct 08, 2023 •128 likes •1.12k views

Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy Claire Delaplace, Andre Esser and Alexander May About Me Claire Delaplace: Postdoc researcher Ruhr University Bochum, Germany Team: Cryptology

  1. Improved Low-Memory Subset Sum and LPN Algorithms via Multiple Collision January 2019 , Nancy Claire Delaplace, Andre Esser and Alexander May

  2. About Me Claire Delaplace: Postdoc researcher • Ruhr University Bochum, Germany • Team: Cryptology and IT-Security • Scientific supervisor: Alexander May 2

  3. About Me Claire Delaplace: Postdoc researcher • Ruhr University Bochum, Germany • Team: Cryptology and IT-Security • Scientific supervisor: Alexander May Before that... • University of Rennes, IRISA. Team EMSEC • University of Lille, CRIStAL. Team CFHP • PhD supervisors: Pierre-Alain Fouque & Charles Bouillaguet • Thesis: Linear Algebra Algorithm for Cryptography 2

  4. Research Topic Attacking Underlying Cryptographic Problems 3

  5. Research Topic Attacking Underlying Cryptographic Problems • Generalised Birthday Problem ([B D F2018] + 2 in submission) • ECDLP ([ D M19] + 1 in submission) • LWE variants ([B D FK17,B D EFT18]) • Sparse Linear Algebra ([B D 16,B D V17]) • Subset Sum & LPN ([ D EM19]) 3

  6. Research Topic Attacking Underlying Cryptographic Problems • Generalised Birthday Problem ([B D F2018] + 2 in submission) • ECDLP ([ D M19] + 1 in submission) • LWE variants ([B D FK17,B D EFT18]) • Sparse Linear Algebra ([B D 16,B D V17]) • Subset Sum & LPN ([ D EM19]) 3

  7. Motivations Post-Quantum Cryptography • Popular families of schemes: Lattices & Codes based • Subset-sum & LPN related to Lattices & Codes ? • Better algo for subset-sum & LPN = ⇒ Better algo for Lattices & Codes 4

  8. Motivations Post-Quantum Cryptography • Popular families of schemes: Lattices & Codes based • Subset-sum & LPN related to Lattices & Codes ? • Better algo for subset-sum & LPN = ⇒ Better algo for Lattices & Codes Main drawback HUGE amount of memory these attacks require ⇒ Need for time-memory trade-offs 4

  9. Motivations Post-Quantum Cryptography • Popular families of schemes: Lattices & Codes based • Subset-sum & LPN related to Lattices & Codes ? • Better algo for subset-sum & LPN = ⇒ Better algo for Lattices & Codes Main drawback HUGE amount of memory these attacks require ⇒ Need for time-memory trade-offs This work New time-memory trade-offs for subset-sum & LPN Main tool: Parallel Collision Search algorithm [vOW99] 4

  10. Collisions Search Given: F, G : F n 2 → F n 2 with uniformly random outputs Goal: Find x, y ∈ F n 2 s.t. F ( x ) = G ( y ) x F Birthday Paradox F ( x ) = G ( y ) Recovering one collision: n � 2 � Time: O 2 y G 5

  11. Collisions Search Given: F, G : F n 2 → F n 2 with uniformly random outputs Goal: Find x, y ∈ F n 2 s.t. F ( x ) = G ( y ) x F Birthday Paradox F ( x ) = G ( y ) Recovering one collision: n � 2 � Time: O 2 y G Searching for 2 m collisions • 2 m Birthday method: Time O 2 m + n � 2 � � � • Parallel Collision Search [vOW99]: Time ˜ m + n O 2 2 5

  12. PCS: High level Idea F Collision F F Collision F Search for cycle 6

  13. PCS: High level Idea F F Collision F F F F Collision F F F Search for cycle 6

  14. PCS: High level Idea F Collision F F Collision F Search for cycle 6

  15. PCS: High level Idea F Collision Collision F F Collision Collision F Search for cycle Search for cycle 6

  16. PCS: High level Idea Collision F Collision Search for cycle Search for cycle 6

  17. PCS in a Nutshell Given: F, G : F n 2 → F n 2 with uniformly random outputs Goal: Find 2 m ( x, y ) ∈ ( F n 2 ) 2 s.t. F ( x ) = G ( y ) F 2 m ( x, y ) F ( x ) = G ( y ) PCS G � � n + m T = ˜ M = ˜ O (2 m ) O 2 2 7

  18. 1 Application 1: Random Subset-Sum Problem 2 Application 2: LPN 8

  19. 1 Application 1: Random Subset-Sum Problem 2 Application 2: LPN 9

  20. Random Subset-Sum (RSS) Problem Definition • a = ( a 1 . . . a n ) ∈ ( Z 2 n ) n • e = ( e 1 . . . e n ) ∈ { 0 , 1 } n wt ( e ) = n unknown 2 • t = � a , e � mod 2 n GOAL: Given ( a , t ) find e ∈ { 0 , 1 } n such that � a , e � = t 10

  21. Random Subset-Sum (RSS) Problem Definition • a = ( a 1 . . . a n ) ∈ ( Z 2 n ) n • e = ( e 1 . . . e n ) ∈ { 0 , 1 } n wt ( e ) = n unknown 2 • t = � a , e � mod 2 n GOAL: Given ( a , t ) find e ∈ { 0 , 1 } n such that � a , e � = t Our Work Two new algorithms • SS-PCS Better than previous work for M < 2 0 . 02 n • SS-PCS 4 Better than previous work for 2 0 . 13 n < M < 2 0 . 2 n 10

  22. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 11

  23. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 11

  24. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 • [H-GJ10] Representation Technique. T = M ≃ 2 0 . 337 n 11

  25. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 • [H-GJ10] Representation Technique. T = M ≃ 2 0 . 337 n • [BCJ11] ◦ Improvement of [H-GJ10]: T = M ≃ 2 0 . 291 n ◦ Memoryless algorithm: T ≃ 2 0 . 71 n 11

  26. Previous Work n • MitM (Folklore algorithm): T = M = 2 2 n n 2 , M = 2 • [SS81] Schroeppel-Shamir 4-list Algorithm: T = 2 4 • [H-GJ10] Representation Technique. T = M ≃ 2 0 . 337 n • [BCJ11] ◦ Improvement of [H-GJ10]: T = M ≃ 2 0 . 291 n ◦ Memoryless algorithm: T ≃ 2 0 . 71 n • [DDKS12] Best 2 0 . 01 n ≤ M < 2 0 . 17 n 11

  27. MitM Algorithm Goal: Find e s.t. � a , e � = t e = e 1 e 2 + � a , e 1 � t − � a , e 2 � 2 n/ 2 2 n/ 2 Collision ⇒ � a , e 1 + e 2 � = t 12

  28. Schroeppel-Shamir [SS81] Goal: Find e s.t. � a , e � = t e = + + + 13

  29. Schroeppel-Shamir [SS81] Goal: Find e s.t. � a , e � = t e = + + + 2 n/ 4 � a , e 1 � � a , e 2 � � a , e 3 � � a , e 4 � 2 n/ 4 13

  30. Schroeppel-Shamir [SS81] Goal: Find e s.t. � a , e � = t e = + + + 2 n/ 4 � a , e 1 � � a , e 2 � � a , e 3 � � a , e 4 � 2 n/ 4 t 1 ∈ L 1 , . . . t 4 ∈ L 4 s.t. � ⇒ � a , e 1 + · · · + e 4 � = t i t i = t 13

  31. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 14

  32. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 n/ 4 14

  33. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 Collision ⇒ n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 � i t i = t n/ 4 14

  34. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 Collision ⇒ n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 ∀ R ∈ Z 2 n/ 4 � i t i = t n/ 4 14

  35. Schroeppel-Shamir 4 -list Algorithm 2 n/ 4 Collision ⇒ n 2 n/ 4 R R ′ = t − R mod 2 R ′ 4 ∀ R ∈ Z 2 n/ 4 � i t i = t � 2 n/ 2 � T = O � 2 n/ 4 � M = O n/ 4 14

  36. Representations � e i = e n Representation of e : ( e 1 . . . e k ) wt ( e i ) = 2 k ∀ i Example e 1 = (10001000) e ′ 1 = (10000001) e 2 = (01000001) e ′ 2 = (01001000) ( e 1 , e 2 ) and ( e ′ 1 , e ′ 2 ) : representations of e = (11001001) 15

  37. Representations � e i = e n Representation of e : ( e 1 . . . e k ) wt ( e i ) = 2 k ∀ i Example e 1 = (10001000) e ′ 1 = (10000001) e 2 = (01000001) e ′ 2 = (01001000) ( e 1 , e 2 ) and ( e ′ 1 , e ′ 2 ) : representations of e = (11001001) Important remark e ∈ { 0 , 1 } n , wt ( e ) = n/ 2 ≈ 2 n/ 2 representations ( e 1 , e 2 ) of e � n/ 2 � There are n/ 4 15

  38. Representation Technique: Needles and Haystack Subset-sum Find e ∈ { 0 , 1 } n s.t. � a , e � = t mod 2 n 16

  39. Representation Technique: Needles and Haystack Representation Technique [H-GJ10] Find ( e 1 , e 2 ) ∈ { 0 , 1 } n × { 0 , 1 } n s.t. � a , e 1 + e 2 � = t mod 2 n 16

  40. Representation Technique: Needles and Haystack Representation Technique [H-GJ10] Find ( e 1 , e 2 ) ∈ { 0 , 1 } n × { 0 , 1 } n s.t. � a , e 1 + e 2 � = t mod 2 n With Rep. Without Rep. � n � 2 ≈ 2 1 . 623 n � n # search space: � ≈ 2 n � # search space: n/ 4 n/ 2 � n/ 2 � ≈ 2 n/ 2 # solutions: 1 # solutions: � n/ 4 16

  41. BCJ Memoryless Algorithm [BCJ11] • wt ( x ) = n 4 � n 2 r ≈ • g ( x ) = � a , x � mod 2 r , � n/ 4 • g t ( x ) = t − g ( x ) mod 2 r 17

  42. BCJ Memoryless Algorithm [BCJ11] g ( x ) = g t ( y ) • wt ( x ) = n 4 � n 2 r ≈ � • g ( x ) = � a , x � mod 2 r , � n/ 4 � a , x + y � = t mod 2 r • g t ( x ) = t − g ( x ) mod 2 r 17

  43. BCJ Memoryless Algorithm [BCJ11] g ( x ) = g t ( y ) • wt ( x ) = n 4 � n 2 r ≈ � • g ( x ) = � a , x � mod 2 r , � n/ 4 � a , x + y � = t mod 2 r • g t ( x ) = t − g ( x ) mod 2 r BCJ Memoryless Algorithm • Search a collision between g x g and g t • If x + y ∈ { 0 , 1 } n and � a , x + y � = t mod 2 n re- g ( x ) = g t ( y ) turn x + y • Else restart y g t 17

  44. BCJ Memoryless Algorithm [BCJ11] g ( x ) = g t ( y ) • wt ( x ) = n 4 � n 2 r ≈ � • g ( x ) = � a , x � mod 2 r , � n/ 4 � a , x + y � = t mod 2 r • g t ( x ) = t − g ( x ) mod 2 r BCJ Memoryless Algorithm • Search a collision between g x g and g t • If x + y ∈ { 0 , 1 } n and � a , x + y � = t mod 2 n re- g ( x ) = g t ( y ) turn x + y • Else restart # coll. y g t # rep. ≈ 2 r − n/ 2 17

Recommend

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99 Given a sequence of integers a 1 , . . . , a n and a parameter k , NP-completeness of Subset Sum, Partition, Minimum Bin Packing. Decide

214 views • 3 slides
Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

NEW CS 473: Theory II, Fall 2015 Subset Sum Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer positive num- bers, t - target number Question: subset of X s.t. sum of its elements is t ? Lecture 10

200 views • 8 slides
Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 ,

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

464 views • 23 slides
CS4102 Algorithms Summer 2020 Warm up Why is an algorithms space complexity (how much memory

CS4102 Algorithms Summer 2020 Warm up Why is an algorithms space complexity (how much memory

CS4102 Algorithms Summer 2020 Warm up Why is an algorithms space complexity (how much memory it uses) important? Why might a memory- intensive algorithm be a bad one? 1 Why lots of memory is bad 2 Greedy Algorithms Require

1.05k views • 70 slides
EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine

EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine

EMPIRICAL COMPARISON OF COLUMN SUBSET SELECTION ALGORITHMS Yining Wang , Aarti Singh Machine Learning Department, Carnegie Mellon University 1 COLUMN SUBSET SELECTION M R n 1 n 2 C R n 1 s | C | s k M CC M k F min 2

385 views • 15 slides
Virtual Memory - II Least Recently Used (LRU) LRU Approximations Counting Algorithms

Virtual Memory - II Least Recently Used (LRU) LRU Approximations Counting Algorithms

CSE 421/521 - Operating Systems Roadmap Fall 2011 Virtual Memory Lecture - XVI Page Replacement Algorithms Optimal Algorithm Virtual Memory - II Least Recently Used (LRU) LRU Approximations Counting Algorithms

158 views • 5 slides
CPU Organization Scope We will build a CPU to implement our subset of the MIPS ISA Memory

CPU Organization Scope We will build a CPU to implement our subset of the MIPS ISA Memory

5.1 5.2 CPU Organization Scope We will build a CPU to implement our subset of the MIPS ISA Memory Reference Instructions: Load Word (LW) EE 457 Unit 5 Store Word (SW) Arithmetic and Logic Instructions: ADD, SUB, AND, OR,

274 views • 9 slides
Part 2: External Memory and Cache Oblivious Algorithms CR10: Data Aware Algorithms September 25,

Part 2: External Memory and Cache Oblivious Algorithms CR10: Data Aware Algorithms September 25,

Part 2: External Memory and Cache Oblivious Algorithms CR10: Data Aware Algorithms September 25, 2019 Outline Ideal Cache Model External Memory Algorithms and Data Structures External Memory Model Merge Sort Lower Bound on Sorting

575 views • 33 slides
Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and Permutation Graphs Charis Papadopoulos Spyridon Tzimas 21st International Symposium on Fundamentals of Computation Theory - FCT 2017 Bordeaux, France,

1.5k views • 103 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven cr.yp.to/qsubsetsum.html Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische

1.2k views • 98 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management n Basic memory management n Swapping n Virtual memory n Page replacement algorithms n Modeling page replacement algorithms n Design issues for paging systems n

817 views • 35 slides
Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of numbers S. and a target number t. We have to determine of the exists a subset of S such that the summation of the numbers present in the subset is

353 views • 11 slides
Improved Algorithms for Amplitude- and Phase-Scin9lla9on

Improved Algorithms for Amplitude- and Phase-Scin9lla9on

Improved Algorithms for Amplitude- and Phase-Scin9lla9on Indices of GPS Signals Abram Farley-Kalamazoo College ASTRA Mentors: Irfan Azeem and Adam

555 views • 26 slides
Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic

Chapter 4: Memory Management Part 1: Mechanisms for Managing Memory Memory management Basic memory management Swapping Virtual memory Page replacement algorithms Modeling page replacement algorithms Design issues for paging

950 views • 69 slides
Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating

4/10/2016 Memory Management 5A. Memory Management and Address Spaces 5B. Allocation Algorithms Operating Systems Principles 5C. Advanced Allocation Techniques Memory Management 5D. Segment Relocation 5E. Garbage Collection Mark Kampe

711 views • 9 slides
Emerging memory technologies for improved energy efficiency Martin Wenzel Advanced Seminar

Emerging memory technologies for improved energy efficiency Martin Wenzel Advanced Seminar

Emerging memory technologies for improved energy efficiency Martin Wenzel Advanced Seminar WS2015 Memory Bandwidth Technology BW GB/s DDR3-1333 2GB 10,66 DDR4-2667 4GB 21,34 Hennessy, Patterson, Computer Architecture, A quantitative

445 views • 21 slides
General Cache Mechanics CPU Block: unit of data in cache and memory. (a.k.a. line) Memory

General Cache Mechanics CPU Block: unit of data in cache and memory. (a.k.a. line) Memory

General Cache Mechanics CPU Block: unit of data in cache and memory. (a.k.a. line) Memory Hierarchy: Cache Smaller, faster, more expensive. Cache 8 9 14 3 Stores subset of memory blocks . (lines) Data is moved in block units Memory

467 views • 8 slides
Memory Managing Algorithms on Distributed Systems Katie Becker and David Rodgers 1 External

Memory Managing Algorithms on Distributed Systems Katie Becker and David Rodgers 1 External

Memory Managing Algorithms on Distributed Systems Katie Becker and David Rodgers 1 External Memory Algorithms using a Coarse Grained Paradigm Written by Jens Gustedt, March 2004 Main idea: Present a framework that allows for

533 views • 26 slides
Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago

Quantum algorithms for the subset-sum problem D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Joint work with: Stacey Jeffery University of Waterloo Tanja Lange Technische Universiteit Eindhoven

1.2k views • 89 slides
More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

csci 210: Data Structures More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an array that sum up to a given target Permute: finding all permutations of a given string Subset: finding all

436 views • 15 slides
ECE 2574: Data Structures and Algorithms - Memory Management C. L. Wyatt Today we will review

ECE 2574: Data Structures and Algorithms - Memory Management C. L. Wyatt Today we will review

ECE 2574: Data Structures and Algorithms - Memory Management C. L. Wyatt Today we will review memory management in C++ and extend your toolbox for dealing with it. Warmup Allocation using new Freeing memory using delete RAII

171 views • 14 slides
Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Subset Sum Subset Sum Instance : X = { x 1 , . . . , x n } n integer positive num- Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ? Subset Sum SolveSubsetSum ( X , t , M ) b [ 0 . . . Mn ] -

260 views • 5 slides
What You Must Know about Memory, Caches, and Shared Memory Kenjiro Taura 1 / 105 Contents 1

What You Must Know about Memory, Caches, and Shared Memory Kenjiro Taura 1 / 105 Contents 1

What You Must Know about Memory, Caches, and Shared Memory Kenjiro Taura 1 / 105 Contents 1 Introduction 2 Many algorithms are bounded by memory not CPU 3 Organization of processors, caches, and memory 4 So how costly is it to access data?

1.81k views • 166 slides

More recommend