
The k-sum Problem: Solutions and Applications. Christiane Peters. PowerPoint PPT presentation (slide transcript).



  1. The k-sum Problem: Solutions and Applications. Christiane Peters. Ice Break, June 8, 2013.

  2. Talk outline: 1. Motivation; 2. Information-set decoding; 3. Linearization; 4. Generalized birthday attacks; 5. Outlook.

  3. Section 1: Motivation (outline slide).

  4. The k-sum problem
  ◮ Given k lists L_1, ..., L_k containing bit strings of length n.
  ◮ Find elements x_1 ∈ L_1, ..., x_k ∈ L_k with x_1 ⊕ ... ⊕ x_k = 0.
  [figure: k bit-string columns xored together to give 0]
  ◮ Examples in this talk: k = 2, k = w, k = 2w, k = something related to n, k, w, etc.

  5. The k-sum problem is well-studied
  Appears in many different fields in cryptanalysis:
  ◮ birthday attacks
  ◮ meet-in-the-middle attacks on multiple encryption
  ◮ multi-collisions
  ◮ solving knapsacks
  ◮ syndrome decoding
  ◮ attacking the learning-parity-with-noise problem (LPN)
  ◮ ...
  Selected literature: Yuval (1978); Hellman–Merkle (1981); Coppersmith (1985); Camion–Patarin (1991); Coppersmith (1992); van Oorschot–Wiener (1996); Micciancio–Bellare (1997); Wagner (2002); Augot–Finiasz–Sendrier (2003); Saarinen (2007, 2009); Joux–Lucks (2009); Howgrave-Graham–Joux (2010); Bernstein–Lange–P.–Schwabe (2011); Becker–Coron–Joux (2011); Dinur–Dunkelman–Keller–Shamir (2012).

  6. Applications in this talk
  Bellare–Micciancio (1997): “incrementable” hash function
  $\mathrm{XHASH}(f, m) = \bigoplus_{i=1}^{w} f(m_i)$
  Finiasz et al. (2003, 2007, 2008): fast syndrome-based hash function
  $\mathrm{FSB}(H, m) = \bigoplus_{i=1}^{w} H_i[m_i]$
  ◮ Use as compression function in a Merkle–Damgård construction.
  ◮ Plus: fast, incrementable, parallelizable, ...
  ◮ Minus: large matrix of random constants (fix: quasi-cyclic structure).

  7. A simple compression function
  ◮ Consider inputs of length w·b: m = (m_1, m_2, ..., m_w), each m_i having b bits.
  ◮ Take an n × w2^b binary (pseudo-)random matrix consisting of w blocks with 2^b columns each: H = (H_1, H_2, ..., H_w).
  [figure: H drawn as n rows split into blocks H_1, H_2, H_3, ..., H_{w-1}, H_w of 2^b columns each]
  ◮ Regard the m_i as b-bit indices and define
  $\mathrm{FSB}(H, m) = H_1[m_1] \oplus H_2[m_2] \oplus \dots \oplus H_w[m_w]$.

  8. Mini example: compression function

```sage
sage: n=8; w=4; b=2
sage: set_random_seed(314)
sage: # compression matrix
sage: H=random_matrix(GF(2), n, w*2^b); print H
[1 1 1 0 1 0 1 0 1 1 1 1 0 1 1 0]
[1 1 1 0 1 1 0 0 1 0 1 0 1 1 0 0]
[1 1 0 1 0 1 0 0 0 1 0 0 1 0 1 0]
[0 0 0 0 0 1 0 0 0 1 0 0 1 1 0 0]
[1 0 1 0 0 0 0 1 1 1 0 1 0 0 0 1]
[0 1 0 0 0 0 0 1 1 0 1 0 0 0 1 1]
[1 1 1 0 1 1 1 1 1 0 1 1 0 0 0 0]
[1 1 0 0 1 0 0 1 1 1 1 1 0 0 0 0]
sage: # message m=(m[1],..,m[w]), m[i] in [0,..,2^b-1]
sage: m=random_vector(IntegerModRing(2^b),w); print m
(2, 3, 3, 0)
sage: # hash: the column index i*2^b+m[i] must be an ordinary integer.
sage: # Adding the IntegerMod m[i] directly reduces the index mod 2^b, so the
sage: # slide's printed result (0, 0, 1, 0, 0, 0, 0, 1) is column 0 + column 2
sage: # of H rather than columns 2, 7, 11, 12.
sage: x=sum([H.column(i*2^b+int(m[i])) for i in range(w)]); print x
(0, 0, 1, 1, 1, 1, 1, 0)
```
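The same compression function in plain Python, as an added example that is not part of the slides: it packs the slide's 8 × 16 matrix (copied into H_ROWS) into column integers, recomputes FSB(H, m) for m = (2, 3, 3, 0) using absolute column indices i·2^b + m_i, and then runs a birthday-style search over all 2^{wb} messages of the toy instance to exhibit a pseudo-collision, i.e. 2w columns, two per block, that xor to 0. All function names and the helper for fresh random matrices are this example's own.

```python
"""FSB compression function and a birthday collision search (added example)."""
from itertools import product
import random

# The 8 x 16 matrix printed on the slide (n = 8, w = 4, b = 2), row by row.
H_ROWS = [
    [1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0],
    [1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0],
    [1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0],
    [0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0],
    [1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1],
    [0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1],
    [1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0],
    [1, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0],
]


def columns_from_rows(rows):
    """Pack each column into an int; row r becomes bit r of the column."""
    n, total = len(rows), len(rows[0])
    return [sum(rows[r][c] << r for r in range(n)) for c in range(total)]


def random_columns(n, w, b, seed):
    """A fresh pseudo-random n x (w*2^b) matrix, already column-packed."""
    rng = random.Random(seed)
    return [rng.getrandbits(n) for _ in range(w * 2 ** b)]


def column_index(i, m_i, b):
    """Absolute index of column m_i inside block H_{i+1} (blocks are 2^b wide)."""
    return i * 2 ** b + m_i


def fsb_compress(cols, w, b, m):
    """FSB(H, m) = H_1[m_1] xor ... xor H_w[m_w], each m_i a b-bit index."""
    assert len(m) == w and all(0 <= m_i < 2 ** b for m_i in m)
    x = 0
    for i, m_i in enumerate(m):
        x ^= cols[column_index(i, m_i, b)]
    return x


def to_bits(x, n):
    """Unpack to the (row 0, ..., row n-1) tuple that the Sage print shows."""
    return tuple((x >> r) & 1 for r in range(n))


def xor_columns(cols, idx):
    """Xor of the listed columns (a repeated index cancels itself)."""
    acc = 0
    for j in idx:
        acc ^= cols[j]
    return acc


def collision_columns(m1, m2, b):
    """The 2w column indices behind a collision: two per block. Where the two
    messages agree the same column appears twice and cancels in the xor."""
    return [column_index(i, v, b) for i in range(len(m1)) for v in (m1[i], m2[i])]


def find_collision(cols, w, b):
    """Birthday search: tabulate outputs until two distinct messages agree.
    Exhaustive on this toy size (2^(w*b) messages); None only if H is injective."""
    seen = {}
    for m in product(range(2 ** b), repeat=w):
        x = fsb_compress(cols, w, b, m)
        if x in seen:
            return seen[x], m
        seen[x] = m
    return None


if __name__ == "__main__":
    cols = columns_from_rows(H_ROWS)
    print("FSB(H, (2,3,3,0)) =", to_bits(fsb_compress(cols, 4, 2, (2, 3, 3, 0)), 8))
    m1, m2 = find_collision(cols, 4, 2)
    print("collision:", m1, m2, "columns:", collision_columns(m1, m2, 2))
```

Running it on the slide's matrix gives (0, 0, 1, 1, 1, 1, 1, 0) for m = (2, 3, 3, 0); the value the slide printed, (0, 0, 1, 0, 0, 0, 0, 1), is what you get from columns 0 and 2 alone, i.e. from indices reduced modulo 2^b. The messages (1, 2, 0, 0) and (2, 3, 0, 1) are one pseudo-collision of this H: block 3 contributes the same column twice and drops out, the other three blocks contribute pairs whose differences xor to 0.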

  10. (R)FSB parameters for 128-bit security
  FSB-256 (matrix with 128 · 16384 = 2097152 columns and 1024 rows):
  ◮ FSB was a SHA-3 round-1 candidate; parameters b = 14, w = 128, n = 1024.
  ◮ FSB didn't make it to round 2.
  ◮ Too slow? No, sloppy security analysis. Parameters not tight. Loss in speed.
  RFSB-509 (really fast syndrome-based; matrix with 112 · 256 = 28672 columns and 509 rows):
  ◮ RFSB is the fast version of FSB by Bernstein et al.; parameters b = 8, w = 112, n = 509.
  ◮ Fast software implementation by Bernstein and Schwabe in SUPERCOP.

  11. Preimages
  ◮ A preimage of x ∈ {0,1}^n is given by w columns, exactly one per block, which add up to x.
  ◮ Note the abuse of notation: ultimately we're interested in the indices of those columns, not the columns themselves.
  ◮ A preimage here is in fact a pseudo-preimage for the actual hash function.
  ◮ In this talk we're only interested in the compression function.

  12. Collisions
  ◮ A collision is given by 2w columns, exactly two per block, which add up to 0.
  ◮ Again abuse of notation: ultimately we're interested in the column indices.
  ◮ Collisions are in fact pseudo-collisions for the actual hash function.
  ◮ In this talk we're only interested in the compression function.

  13. Parameters
  Security obviously depends on b, w, and n.
  ◮ Larger n makes it harder to find collisions (but reduces the compression factor).
  ◮ Smaller w or b makes it harder to find collisions (but reduces the compression factor).

  14. Finding collisions and preimages
  ◮ Information-set decoding to find regular low-weight codewords (Augot–Finiasz–Sendrier, Bernstein–Lange–P.–Schwabe).
  ◮ Linearization (Bellare–Micciancio, Saarinen).
  ◮ Generalized birthday attacks (Camion–Patarin, Wagner).

  15. Section 2: Information-set decoding (outline slide).

  18. Information-set decoding
  Finding a preimage of x ∈ {0,1}^n means finding w columns with xor x.
  ◮ Forget the block structure of H for a moment.
  ◮ “Unstructured w-sum problem”
  ◮ Pick a set of n linearly independent columns.
  ◮ Apply elementary row operations to H and x to bring H into the form H' = [I_n | Q] with respect to the selected columns.
  [figure: H' = [I_n | Q] next to the transformed target x']
  ◮ If x' has weight w, it is the sum of w columns from the identity submatrix. Done.
  ◮ If not, start with a fresh set of n columns (iterative algorithm).

  19. Cost of information-set decoding
  Very rough cost: Cost(Gaussian elimination) / Prob(success), where
  $$\Pr[\text{success}] = \frac{\binom{n}{w}}{\binom{2^b w}{w}} \cdot \frac{\binom{2^b w}{w}}{2^n} = \frac{\binom{n}{w}}{2^n}.$$
  (The first factor is the probability that a given w-sum equal to x lies entirely inside the n selected columns; the second is the expected number of w-sums equal to x.)
  ◮ E.g., n = 1024, w = 128, b = 14: Prob success ≈ 2^{-472}.
  Much better algorithms: Stern's collision decoding (birthday paradox), ball-collision decoding, etc.

  21. Regular information-set decoding
  Finding a preimage of x ∈ {0,1}^n means finding w columns, exactly one per block, with xor x.
  ◮ Don't forget the block structure of H.
  ◮ w-sum problem
  ◮ Pick a set of n linearly independent columns, n/w from each block.
  ◮ Apply elementary row operations to H and x to bring H into the form H' = [“I_n” | Q], where “I_n” is spread over the w blocks.
  [figure: H' with the identity columns spread over the blocks, next to x']
  ◮ If x' has weight w with exactly one 1 in each block, it is the sum of w columns from the identity submatrix, one per block. Done.
  ◮ If not, start with a fresh set of n columns.

  22. Cost of regular information-set decoding
  Finding a preimage of x ∈ {0,1}^n means finding w columns, exactly one per block, with xor x.
  Augot et al. (2003):
  ◮ The probability of finding a preimage in one iteration is roughly
  $$\frac{(n/w)^w}{2^n}.$$
  ◮ This probability is much smaller than for the classical decoding problem (which is already NP-hard). Ratio w!/w^w.
  ◮ E.g., n = 1024, w = 128, b = 14: Prob success ≈ 2^{-640}.
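Both decoders on a toy instance, as an added example that is not from the slides nor from the Augot et al. or Bernstein et al. implementations: the unstructured iteration of slides 18 and 19 (random information set of n columns, Gaussian elimination, accept when x' has weight w) and the regular variant of slides 21 and 22 (n/w columns taken from every block, accept when x' has exactly one 1 per block). Columns are packed into Python ints, so elimination is a pivot-tracking reduction over GF(2). The parameters n = 12, w = 3, b = 3, the seeds, and all function names are this example's own; the target x is built from a planted regular preimage so that a solution is guaranteed to exist. The two log2 helpers evaluate the slides' success probabilities, including at the FSB-256 parameters.

```python
"""Prange-style information-set decoding, plain and regular (added example)."""
import math
import random


def solve_gf2(cols, x):
    """Express x as an xor of the given column vectors (ints, one bit per row).
    Returns a bitmask y with bit i set iff cols[i] is used, or None when the
    columns are dependent (no information set) or x is outside their span."""
    basis = {}                        # pivot bit -> (reduced vector, combination mask)
    for i, v in enumerate(cols):
        comb = 1 << i
        while v:
            p = v.bit_length() - 1
            if p not in basis:
                basis[p] = (v, comb)
                break
            bv, bc = basis[p]
            v ^= bv
            comb ^= bc
        else:
            return None               # v reduced to 0: dependent column
    comb = 0
    while x:
        p = x.bit_length() - 1
        if p not in basis:
            return None
        bv, bc = basis[p]
        x ^= bv
        comb ^= bc
    return comb


def xor_columns(cols, idx):
    acc = 0
    for j in idx:
        acc ^= cols[j]
    return acc


def build_instance(n, w, b, seed):
    """Random n x (w*2^b) matrix and a target x with a planted regular preimage."""
    rng = random.Random(seed)
    cols = [rng.getrandbits(n) for _ in range(w * 2 ** b)]
    secret = [i * 2 ** b + rng.randrange(2 ** b) for i in range(w)]
    return cols, secret, xor_columns(cols, secret)


def prange_isd(cols, n, w, x, seed, max_iter=200000):
    """Unstructured w-sum: random information set of n columns, eliminate,
    accept when x' has weight w. Returns (iterations, column indices) or None."""
    rng = random.Random(seed)
    for it in range(1, max_iter + 1):
        info = rng.sample(range(len(cols)), n)
        y = solve_gf2([cols[j] for j in info], x)
        if y is not None and bin(y).count("1") == w:
            return it, [info[i] for i in range(n) if (y >> i) & 1]
    return None


def regular_isd(cols, n, w, b, x, seed, max_iter=200000):
    """Regular w-sum: n/w columns from every block form the information set
    (needs w | n); accept when x' has exactly one 1 in each block's slice."""
    assert n % w == 0
    k, full = n // w, (1 << (n // w)) - 1
    rng = random.Random(seed)
    for it in range(1, max_iter + 1):
        info = []
        for i in range(w):                # slice i of y corresponds to block i
            info += rng.sample(range(i * 2 ** b, (i + 1) * 2 ** b), k)
        y = solve_gf2([cols[j] for j in info], x)
        if y is None:
            continue
        if all(bin((y >> (i * k)) & full).count("1") == 1 for i in range(w)):
            return it, [info[i] for i in range(n) if (y >> i) & 1]
    return None


def log2_prange_success(n, w):
    """log2 of C(n, w) / 2^n, the per-iteration success probability on slide 19."""
    return math.log2(math.comb(n, w)) - n


def log2_regular_success(n, w):
    """log2 of (n/w)^w / 2^n, the per-iteration success probability on slide 22."""
    return w * math.log2(n // w) - n


if __name__ == "__main__":
    n, w, b = 12, 3, 3
    cols, secret, x = build_instance(n, w, b, seed=2013)
    print("planted regular preimage:", secret)
    print("plain   :", prange_isd(cols, n, w, x, seed=1))
    print("regular :", regular_isd(cols, n, w, b, x, seed=2))
    print("FSB-256 : 2^%.0f (plain), 2^%.0f (regular)"
          % (log2_prange_success(1024, 128), log2_regular_success(1024, 128)))
```

Dependent column sets (about 71% of random draws in dimension 12) are simply rejected and counted as an iteration; the plain decoder may return any weight-w xor of columns, not necessarily one per block, which is exactly the gap between the unstructured and the regular problem. At n = 1024, w = 128 the helpers return about -472 and exactly -640, the two exponents quoted on the slides.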

  23. Cost of 2-regular information-set decoding
  Find collisions, i.e., two columns per block with xor 0.
  Augot et al. (2003):
  ◮ The expected number of iterations of the 2-regular syndrome-decoding algorithm is
  $$\min\left\{ \frac{2^n}{\left(\binom{n/w_0}{2} + 1\right)^{w_0}} : w_0 \in \{1, 2, \dots, w\} \right\}.$$
  ◮ Don't forget the block structure of H.
  ◮ 2w-sum problem
  Bernstein et al. (2011):
  ◮ 2-regular syndrome decoding using the birthday paradox.
  ◮ Faster, much more complicated.

  24. Section 3: Linearization (outline slide).
