low weight discrete logarithms and subset sum in 2 0 65 n
play

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with - PowerPoint PPT Presentation

Sep 15, 2023 •218 likes •464 views

Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Grtz Institute for IT Security Ruhr University Bochum Subset Sum Subset Sum Problem 0

  1. Low Weight Discrete Logarithms and Subset Sum in 2 0 . 65 n with Polynomial Memory EUROCRYPT 2020 , May 11.-15. 2020 Andre Esser and Alexander May Horst Görtz Institute for IT Security Ruhr University Bochum

  2. Subset Sum Subset Sum Problem � 0 , 1 Given: ( a 1 , . . . , a n , t, ω ) , where a i , t ∈ Z 2 n and ω ∈ � 2 Find: e ∈ { 0 , 1 } n : � e i a i = t mod 2 n and ✇t ( e ) = ωn • Random instance: a i ∈ R Z 2 n • Cryptanalytic applications (Decoding, LPN, SIS, DLP) • a := ( a 1 , . . . , a n ) Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 2/18

  3. A memoryless Meet-in-the-Middle n x : 0 4 = + e : n/ 2 n y : 0 4 n 2 search for collision n n f ( x ) := � a , x � mod 2 g ( y ) := t − � a , y � mod 2 2 2 n � a , x � = t − � a , y � mod 2 collision: 2 n t = � a , x + y � mod 2 2 Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 3/18

  4. Folklore Algorithm 1. search for collision g f collision ( x , y ): � a , x + y � mod 2 n T = 2 0 . 75 n t $ 2a. n 2 2. repeat ? = t 2b. yes no out: x + y Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 4/18

  5. The Representation Technique x n/ 4 f : x 0 + n/ 4 y 0 = n/ 2 e g : e y Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 5/18

  6. The Representation Technique x 2 x 1 n/ 4 f : x + n/ 4 y = y 2 n/ 2 e g : e many representations y 1 Goal: increase domain and #useful collisions Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 5/18

  7. The memoryless BCJ Algorithm n/ 4 n/ 4 increased size ⇒ increased modulus more collisions many good � − 1 � #good Colls T = · T C collisions #all Colls = 2 0 . 72 n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 6/18

  8. Folklore vs. BCJ 0 . 75 0.72 0 . 5 log T Folklore n BCJ 0 . 25 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 7/18

  9. Discrete Logarithms (low weight) DLP Given: group G with | G | ≈ 2 n generated by g , β ∈ G and ω ∈ � 0 , 1 � 2 Find: α = ❞❧♦❣ g β satisfying g α = β and wt ( α ) = ωn � (MitM) �� n • Time lower bound ωn • ω = 1 2 usual case • Pollard Rho ( T = 2 0 . 5 n , M = poly) Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 8/18

  10. low-weight DLP Landscape 0 . 75 0.72 0 . 5 log T n Folklore 0 . 25 BCJ Pollard Lowerbound 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 9/18

  11. Use of Carry Bits search for collision f 2 ( y ) := βg − y f 1 ( x ) := g x collision: g x + y = β = g α ωn x 2 + ωn y 2 = ωn e Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 10/18

  12. Use of Carry Bits search for collision f 2 ( y ) := βg − y f 1 ( x ) := g x collision: g x + y = β = g α ωn 2 + ε x x + y computed + over Z (mod | G | ) ωn y 2 + ε = α ωn Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 10/18

  13. Increase the Weight wt ( x ) = wt ( y ) = ωn 2 + ε = φ ( ω ) n 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 φ ( ω ) 0 ω/ 2 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 11/18

  14. The new Algorithm search for collision f 1 ( x ) f 2 ( y ) φ ( ω ) n x increased domainsize φ ( ω ) n y ⇒ more Representations � − 1 � #good Colls T = · T C #all Colls = 2 ( H ( ω ) − H ( φ ) / 2) n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 12/18

  15. Updated low-weight DLP Landscape 0 . 75 0.72 0 . 5 log T n Folklore BCJ 0 . 25 New Alg. Pollard Lowerbound 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 13/18

  16. A new Time-Memory-Tradeoff search for collision f 1 ( x ) f 2 ( y ) φ ( ω ) n x increased domain size φ ( ω ) n y ⇒ more representations � − 1 � #good Colls T = · T C #all Colls = 2 ( H ( ω ) − H ( φ ) / 2) n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 14/18

  17. A new Time-Memory-Tradeoff search for collision f 1 ( x ) f 2 ( y ) φ ( ω ) n x increased domain size φ ( ω ) n y ⇒ more representations �� #good Colls � − 1 � − 1 � #good Colls M = T = · T C #all Colls #all Colls H ( ω ) n = 2 2 Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 14/18

  18. Achieving the Square-Root Bound 0 . 5 time / memory exponent BCJ time BCJ memory 0 . 25 New time New memory 0 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 weight ω Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 15/18

  19. Back to Subset Sum search for 1. collision g f collision ( x , y ): � a , x + y � mod 2 n $ t 2a. repeat ? = t 2b. yes out: x + y no Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18

  20. Back to Subset Sum h 1 ( s ) search for 1. s collision s g f collision ( x , y ): � a , x + y � mod 2 n v t v Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18

  21. Back to Subset Sum h 1 ( s ) h 2 ( s ) search for 1. search for s s collision collision g 1 g 2 f 1 f 2 � a , x 1 + y 1 � mod 2 n � a , x 2 + y 2 � mod 2 n collision: v t v ’ 0 v t − v ′ search for 2. collision coll. ⇒ � a , x 1 + y 1 + x 2 + y 2 � = t mod 2 n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 16/18

  22. Nested Rhos � − 1 � #good Colls T = · T C #all Colls = 2 0 . 65 n Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 17/18

  23. Results Folklore Group Subset Sum BCJ (low-weight) DLP Subset Sum Improved Algorithms improved poly memory Nested Collision Search 2 0 . 65 n , poly memory reduced MitM memory Subset Sum and low-weight DLP|EUROCRYPT 2020|May 11.-15. 2020 18/18

Recommend

Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Private key versus Public Key Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms

Elliptic curves over F q Reviews on PKC DH ElGamal Massey Omura Discrete Logarithms DL Attacks BSGS PohlihHellmann DL records Square roots E LLIPTIC CURVES C RYPTOGRAPHY Reminder from Yesterday Points of finite order Important

664 views • 30 slides
Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la

Algorithms for integer factorization and discrete logarithms computation Algorithmes pour la factorisation dentiers et le calcul de logarithme discret Cyril Bouvier CARAMEL project-team, LORIA Universit de Lorraine / CNRS / Inria

470 views • 42 slides
Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in

Index Calculus Method Small char Finite Fields 9234 bits Impact on Pairings Breaking 128 bit Secure Supersingular Binary Curves (or how to solve Discrete Logarithms in F 2 4 1223 and F 2 12 367 ) Jens Zumbr agel Institute of

367 views • 32 slides
I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A

Kolmogorov Complexity Need for Approximate . . . I-Complexity Good Properties of I- . . . I-Complexity and Discrete Towards Precise . . . Derivative of Logarithms: Our Result Proof A Group-Theoretic Acknowledgments References Explanation

481 views • 12 slides
Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze

Complexity news: Also somewhat related: discrete logarithms in Im starting to analyze multiplicative groups of cost of NFS + CVP small-characteristic finite fields for class groups, unit groups, the algorithm of Barbulescu, short

912 views • 80 slides
Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms

Logarithms 2-1 Definition of Logarithms If x = b y then y = log b x where x and b are positive numbers and b 1 log b x is read as logarithm of x to the base of b . 2 - 2

318 views • 9 slides
Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving

Solving Discrete Logarithms in Smooth-Order Groups with CUDA Ryan Henry Ian Goldberg Solving Discrete Logarithms in Smooth-Order Groups with CUDA Definition Let G be a cyclic group of order q and let g G be a generator. Given G , the

468 views • 44 slides
DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN

ECC 2019: 23rd Workshop on DISCRETE LOGARITHMS Elliptic Curve Cryptography December 2019 Bochum, Germany IN QUASI-POLYNOMIAL TIME Based on a joint work with Thorsten Kleinjung IN FINITE FIELDS OF SMALL CHARACTERISTIC Benjamin Wesolowski

700 views • 47 slides
Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto

Quantum algorithms for computing short discrete logarithms and factoring RSA integers PQCrypto 2017, 8th International Workshop, Utrecht, June 26-28, 2017 Martin Eker 1 , 2 Johan Hstad 1 1 KTH Royal Institute of Technology, SE-100 44

728 views • 31 slides
Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group

ANTS IX, Nancy, France Fixed points for discrete logarithms Carl Pomerance , Dartmouth College Suppose that G is a group and g G has finite order m . Then for each t g the integers n with g n = t form a residue class mod m . Denote

585 views • 40 slides
JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common

JUST THE MATHS SLIDES NUMBER 1.4 ALGEBRA 4 (Logarithms) by A.J.Hobson 1.4.1 Common logarithms 1.4.2 Logarithms in general 1.4.3 Useful Results 1.4.4 Properties of logarithms 1.4.5 Natural logarithms 1.4.6 Graphs of logarithmic and

397 views • 13 slides
Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms

Cryptography Number Theory Divisibility and Primes Modular Number Theory Arithmetic Fermats and Eulers Theorems Discrete Cryptography Logarithms Computationally Hard Problems School of Engineering and Technology CQUniversity

964 views • 67 slides
Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world

Asymmetric cryptography from discrete logarithms Benjamin Smith Summer school on real-world crypto and privacy Sibenik, Croatia // June 17 2019 Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Asymmetric crypto settings

1.17k views • 86 slides
Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier

Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier

Background Function Field Sieve Galois Invariant Smoothness Basis Conclusion Discrete Logarithms and Galois Invariant Smoothness Basis (with J.-M. Couveignes) R. Lercier DGA/CELAR & University of Rennes France Reynald.Lercier (at)

650 views • 38 slides
Rules for logarithms We review the properties of logarithms from the previous lecture. In that

Rules for logarithms We review the properties of logarithms from the previous lecture. In that

Rules for logarithms We review the properties of logarithms from the previous lecture. In that lecture, we developed the following identities. The Product Property is an identity involving the logarithm of product: Elementary Functions log

93 views • 6 slides
Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve

Discrete Logs for Hyperelliptic Curves Summer School on Elliptic and Hyperelliptic Curve Cryptography Nicolas Thriault ntheriau@fields.utoronto.ca Fields Institute Discrete Logarithms Suppose that G = a , an additive group of order

230 views • 21 slides
Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of

Theorem 7.56 SUBSET-SUM is NP Complete ANSHUMAN MOHANTY SUBSET-SUM Problem Consider a set of numbers S. and a target number t. We have to determine of the exists a subset of S such that the summation of the numbers present in the subset is

353 views • 11 slides
W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99

W4231: Analysis of Algorithms Subset Sum The Subset Sum problem is defined as follows: 11/30/99 Given a sequence of integers a 1 , . . . , a n and a parameter k , NP-completeness of Subset Sum, Partition, Minimum Bin Packing. Decide

214 views • 3 slides
Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499

Quantum algorithms Subset-sum example: for the subset-sum problem Is there a subsequence of (499 852 1927 2535 3596 3608 D. J. Bernstein 4688 5989 6385 7353 7650 9413) University of Illinois at

2.02k views • 163 slides
Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer

NEW CS 473: Theory II, Fall 2015 Subset Sum Approximation Algorithms Subset Sum III Instance : X = { x 1 , . . . , x n } n integer positive num- bers, t - target number Question: subset of X s.t. sum of its elements is t ? Lecture 10

200 views • 8 slides
More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an

csci 210: Data Structures More Recursion Summary Topics: more recursion Subset sum: finding if a subset of an array that sum up to a given target Permute: finding all permutations of a given string Subset: finding all

436 views • 15 slides
/k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight

/k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight

On defining the generalized rank weight Ruud Pellikaan joint work with Relinde Jurrius Autonomous University Barcelona, 6 November 2014 /k Content 2/15 1. Introduction 2. Hamming weight 3. Rank weight 4. Extended rank weight enumerator

165 views • 15 slides
Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ?

Subset Sum Subset Sum Instance : X = { x 1 , . . . , x n } n integer positive num- Part I bers, t - target number Question: Is there a subset of X such the sum of its elements is t ? Subset Sum SolveSubsetSum ( X , t , M ) b [ 0 . . . Mn ] -

260 views • 5 slides
MATH 12002 - CALCULUS I 5.2: Laws of Logarithms Professor Donald L. White Department of

MATH 12002 - CALCULUS I 5.2: Laws of Logarithms Professor Donald L. White Department of

MATH 12002 - CALCULUS I 5.2: Laws of Logarithms Professor Donald L. White Department of Mathematical Sciences Kent State University D.L. White (Kent State University) 1 / 4 Laws of Logarithms The familiar Laws of Logarithms all follow

223 views • 4 slides

More recommend