Smaller decoding exponents: ball-collision decoding. D. J. Bernstein (slides, PDF)

  1. Smaller decoding exponents: ball-collision decoding. D. J. Bernstein, University of Illinois at Chicago. Joint work with: Tanja Lange, Technische Universiteit Eindhoven; Christiane Peters, University of Illinois at Chicago.

  6. Context: speed. What is the fastest public-key encryption system? RSA-1024 is quite fast. RSA-512 is faster. RSA-256 is even faster. This question is stupid.

  11. Context: speed. What is the fastest public-key encryption system with security level $\approx 2^b$? (Plausible-sounding definition: for each $\epsilon \ge 2^{-b/2}$, breaking with probability $\approx \epsilon$ costs $\approx 2^b \epsilon$.)

  12. Context: speed. What is the fastest public-key encryption system with security level $\approx 2^b$? How to evaluate candidates: Encryption systems → (analyze attack algorithms) → Systems with security $\approx 2^b$ → (analyze encryption algorithms) → Fastest systems with security $\approx 2^b$.

  13. Example of speed analysis. RSA (with small exponent, reasonable padding, etc.): Factoring $n$ costs $2^{(\lg n)^{1/3+o(1)}}$ by the number-field sieve. Conjecture: this is the optimal attack against RSA. Key size: Can take $\lg n \in b^{3+o(1)}$, ensuring $2^{(\lg n)^{1/3+o(1)}} \approx 2^b$. Encryption: Fast exp costs $(\lg n)^{1+o(1)}$ bit operations. Summary: RSA costs $b^{3+o(1)}$.

  14. ECC (with strong curve/$\mathbf{F}_q$, reasonable padding, etc.): ECDL costs $2^{(1/2+o(1))\lg q}$ by Pollard's rho method. Conjecture: this is the optimal attack against ECC. Can take $\lg q \in (2+o(1))b$. Encryption: Fast scalar mult costs $(\lg q)^{2+o(1)} = b^{2+o(1)}$. Summary: ECC costs $b^{2+o(1)}$. Asymptotically faster than RSA. Bonus: also $b^{2+o(1)}$ decryption.

  15. 1978 McEliece system (with length-$n$ classical Goppa codes, reasonable padding, etc.): Conjecture: Fastest attacks cost $2^{(c+o(1))n/\lg n}$. Can take $n \in (1/c+o(1))\, b \lg b$. Encryption: Matrix mult costs $n^{2+o(1)} = b^{2+o(1)}$. Summary: McEliece costs $b^{2+o(1)}$. Is this faster than ECC? Need more detailed analysis.

  16. ECC encryption: $\Theta(\lg q)$ operations in $\mathbf{F}_q$. Each operation in $\mathbf{F}_q$ costs $\Theta(\lg q \lg\lg q \lg\lg\lg q)$. Total $\Theta(b^2 \lg b \lg\lg b)$. McEliece encryption, with 1986 Niederreiter speedup: $\Theta(n/\lg n)$ additions in $\mathbf{F}_2^n$, each costing $\Theta(n)$. Total $\Theta(b^2 \lg b)$. McEliece is asymptotically faster. Bonus: Much faster decryption. Another bonus: Post-quantum.

  19. Algorithmic advances can change this picture. Examples: 1. Speed up ECC: can reduce $\lg\lg b$ using 2007 Fürer; maybe someday eliminate $\lg\lg b$? 2. This paper: asymptotically faster attack on McEliece. "Ball-collision decoding." Need larger McEliece key sizes. 3. Ongoing: we're optimizing "subfield AG" variant of McEliece. Conjecture: Fastest attacks cost $2^{(\alpha+o(1))n}$; encryption costs $\Theta(b^2)$.

  20. Generic decoding algorithms. Some history: 1962 Prange; 1981 Clark (crediting Omura); 1988 Lee–Brickell; 1988 Leon; 1989 Krouk; 1989 Stern; 1989 Dumer; 1990 Coffey–Goodman; 1990 van Tilburg; 1991 Dumer; 1991 Coffey–Goodman–Farrell; 1993 Chabanne–Courteau; 1993 Chabaud; 1994 van Tilburg; 1994 Canteaut–Chabanne; 1998 Canteaut–Chabaud; 1998 Canteaut–Sendrier; 2008 B.–L.–P.; 2009 Finiasz–Sendrier; 2010 P.; 2011 B.–L.–P., this paper.

  22. A typical decoding problem. Input: 500-bit vector $s$; and a $900 \times 500$ matrix of bits. Goal: Find 50 rows with xor $s$. [Figure: rows $r_1 = \cdots 11001 \cdots$, $r_2 = \cdots 10111 \cdots$, $r_3 = \cdots 10101 \cdots$, ..., $r_{900} = \cdots 01011 \cdots$; $s = \cdots 01010 \cdots = r_2 \oplus r_7 \oplus r_{34} \oplus \cdots$.]

  24. Row randomization. Can arbitrarily permute rows without changing problem. Goal: Find 50 rows with xor $s$. [Figure, rows 1 and 2 swapped: $r_1 = \cdots 10111 \cdots$, $r_2 = \cdots 11001 \cdots$, $r_3 = \cdots 10101 \cdots$, ..., $r_{900} = \cdots 01011 \cdots$; $s = \cdots 01010 \cdots = r_1 \oplus r_7 \oplus r_{34} \oplus \cdots$.]

  26. Column normalization. Can also permute columns without changing problem. Goal: Find 50 rows with xor $s$. [Figure, columns permuted: $r_1 = \cdots 01111 \cdots$, $r_2 = \cdots 11001 \cdots$, $r_3 = \cdots 01101 \cdots$, ..., $r_{900} = \cdots 10011 \cdots$; $s = \cdots 10010 \cdots = r_1 \oplus r_7 \oplus r_{34} \oplus \cdots$.]

  27. Systematic form. Can add one column to another. ⇒ Build an identity matrix. Goal: Find 50 rows with xor $s$. [Figure: $r_1 = 1000 \cdots 0000$, $r_2 = 0100 \cdots 0000$, $r_3 = 0010 \cdots 0000$, ..., $r_{500} = 0000 \cdots 0001$, $r_{501} = 1010 \cdots 1100$, ..., $r_{900} = 1101 \cdots 0111$; $s = 0110 \cdots 0000 = r_2 \oplus r_3 \oplus r_{18} \oplus \cdots$.]

  29. 1962 Prange, basic information-set decoding: Maybe xor involves none of last 400 rows. If so, immediately see that $s$ has weight 50. Done! If not, re-randomize and restart. 1988 Lee–Brickell: More likely that xor involves exactly 2 of last 400 rows. Check for each $i, j$ whether $s \oplus r_i \oplus r_j$ has weight 48.

  30. [Figure: weight pattern targeted by Lee–Brickell: 48 of the first 500 (identity) rows and 2 of the last 400 rows ($r_i$, $r_j$) xor to $s$.]
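As an added illustration (not code from the talk or from the reference software it points to), here is the procedure of slides 22 to 29 scaled down to a constructed instance of 40 rows of 24 bits with $w = 4$: shuffle the rows, turn the first 24 rows into the identity by column operations applied to every row and to $s$ alike, then test Prange's condition ($p = 0$) or Lee–Brickell's ($p = 2$).

```python
import random
from functools import reduce
from itertools import combinations

# Constructed toy instance in the slides' shape: N rows of M bits (40 x 24
# instead of 900 x 500), s = xor of W = 4 secret rows.
N, M, W = 40, 24, 4

def xor_rows(rows, idx):
    return reduce(lambda acc, k: acc ^ rows[k], idx, 0)

def make_instance(seed=1):
    rng = random.Random(seed)
    rows = [rng.getrandbits(M) for _ in range(N)]
    secret = sorted(rng.sample(range(N), W))
    return rows, xor_rows(rows, secret), secret

def swap_cols(v, a, b):            # column permutation, applied to one vector
    return v ^ ((1 << a) | (1 << b)) if (v >> a & 1) != (v >> b & 1) else v

def systematic_form(rows, s):
    """Column swaps/additions on every row and on s alike (problem unchanged)
    until rows 0..M-1 are the identity; None if those rows are singular."""
    rows = list(rows)
    for i in range(M):
        c = next((c for c in range(i, M) if rows[i] >> c & 1), None)
        if c is None:
            return None
        rows, s = [swap_cols(v, c, i) for v in rows], swap_cols(s, c, i)
        mask = rows[i] & ~(1 << i)   # columns that get column i added to them
        rows = [v ^ mask if v >> i & 1 else v for v in rows]  # row i -> e_i
        s = s ^ mask if s >> i & 1 else s
    return rows, s

def lee_brickell(rows, s, p=2, seed=0, max_iter=100000):
    """p=0: Prange (s must have weight W).  p=2: Lee-Brickell (s^r_i^r_j must
    have weight W-2).  Returns (original row indices, randomizations used)."""
    rng, order = random.Random(seed), list(range(N))
    for it in range(1, max_iter + 1):
        rng.shuffle(order)                          # row randomization
        sf = systematic_form([rows[k] for k in order], s)
        if sf is None:
            continue
        r, s2 = sf
        for extra in combinations(range(M, N), p):
            t = s2 ^ xor_rows(r, extra)
            if bin(t).count("1") == W - p:          # rest are identity rows
                ident = [order[b] for b in range(M) if t >> b & 1]
                return sorted(ident + [order[j] for j in extra]), it
    return None
```

Because every column operation is applied to $s$ and to all rows at once, any xor relation found in the transformed coordinates holds for the original rows too.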

  32. 1989 Leon, 1989 Krouk: Check for each $i, j$ whether $s \oplus r_i \oplus r_j$ has weight 48 with first 10 bits all zero. Much faster to test, not much loss in success chance. 1989 Stern, collision decoding: $\sqrt{\phantom{x}}$ speedup! Find collisions between first 10 bits of $s \oplus r_i$ and first 10 bits of $r_j$. For each collision, check whether $s \oplus r_i \oplus r_j$ has weight 48.

  33. [Figure: weight pattern targeted by Leon/Krouk and Stern: 0 of the first 10 identity rows, 48 of the next 490, 2 of the last 400 ($r_i$, $r_j$).]

  34. [Figure: 0 of the first 10 identity rows, 46 of the next 490, 4 of the last 400 ($r_{i_1}, r_{i_2}, r_{j_1}, r_{j_2}$).] Or $s \oplus r_{i_1} \oplus \cdots \oplus r_{i_p}$ and $r_{j_1} \oplus \cdots \oplus r_{j_p}$. Optimize choice of $p$. Of course, also optimize 10 etc.

  35. New, ball-collision decoding: Find collisions between (e.g.) weight-1 Hamming ball around first 10 bits of $s \oplus r_{i_1} \oplus r_{i_2}$ and weight-1 Hamming ball around first 10 bits of $r_{j_1} \oplus r_{j_2}$. [Figure: 2 of the first 10 identity rows, 44 of the next 490, 4 of the last 400 ($r_{i_1}, r_{i_2}, r_{j_1}, r_{j_2}$).]
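An added example (not the talk's code or its reference software) of the collision step of slides 32 to 35 on a constructed instance that is already in systematic form (68 rows of 48 bits, $\ell = 8$ prefix bits, $w = 8$, $p = 2$); the secret xor deliberately uses 2 of the first $\ell$ identity rows, the "2 rows/10" pattern of slide 35, so a plain Stern pass (exact prefix match) misses it while the same pass with weight-1 balls on both sides finds it.

```python
import random
from functools import reduce
from itertools import combinations

# Constructed toy instance already in the slides' systematic form: rows
# 0..M-1 are the identity, rows M..N-1 random; s is the xor of W = 8
# secret rows, placed so that 2 fall among the first L identity rows.
N, M, L, W, P = 68, 48, 8, 8, 2
HALF = M + (N - M) // 2       # non-identity rows split into two halves

def xor_rows(rows, idx):
    return reduce(lambda acc, k: acc ^ rows[k], idx, 0)

def make_instance(seed=7):
    rng = random.Random(seed)
    rows = [1 << b for b in range(M)] + [rng.getrandbits(M) for _ in range(N - M)]
    secret = (rng.sample(range(L), 2) + rng.sample(range(L, M), W - 2 - 2 * P)
              + rng.sample(range(M, HALF), P) + rng.sample(range(HALF, N), P))
    return rows, xor_rows(rows, secret), sorted(secret)

def ball(prefix, q):
    """Hamming ball of radius q (0 or 1) around an L-bit prefix."""
    yield prefix
    for t in range(L if q else 0):
        yield prefix ^ (1 << t)

def collision_decode(rows, s, q):
    """q=0: Stern's collision decoding (exact prefix match).  q=1: ball-
    collision decoding with weight-1 balls on both sides.  One pass over
    the given (already randomized, systematic-form) instance."""
    mask = (1 << L) - 1
    table = {}                # prefix in right ball -> (right pair, full xor)
    for right in combinations(range(HALF, N), P):
        v = xor_rows(rows, right)
        for key in ball(v & mask, q):
            table.setdefault(key, []).append((right, v))
    for left in combinations(range(M, HALF), P):
        u = s ^ xor_rows(rows, left)
        for key in ball(u & mask, q):
            for right, v in table.get(key, ()):
                t = u ^ v     # on a collision the rest must be W-2P identity rows
                if bin(t).count("1") == W - 2 * P:
                    ident = [b for b in range(M) if t >> b & 1]
                    return sorted(ident + list(left + right))
    return None
```

The price of the ball is visible in the table: each right pair is stored under $\ell + 1$ keys instead of one, and each left pair makes $\ell + 1$ lookups, which is the memory/time trade-off the talk optimizes.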

  36. Our main theorem: For $w$ rows of an $n \times (n-k)$ matrix, constant $w/n$, $k/n$ as $n \to \infty$, under standard assumptions, optimized collision decoding costs $2^{(\alpha+o(1))n}$ and optimized ball-collision decoding costs $2^{(\alpha'+o(1))n}$ with $\alpha' < \alpha$. See cr.yp.to/ballcoll.html: proof of smaller exponents; conservative lower bounds; complete reference software.
