Embed Size (px)
Citation preview
3. Message Attack (ISD)1. From Generic Decoding to Syndrome Decoding2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding3. Information Set Decoding: the Power of Linear Algebra4. Complexity Analysis5. Lee and Brickell Algorithm6. Stern/Dumer Algorithm7. May, Meurer, and Thomae Algorithm8. Becker, Joux, May, and Meurer Algorithm9. Generalized Birthday Algorithm for Decoding
10. Decoding One Out of Many
0Nicolas Sendrier CODE-BASED CRYPTOGRAPHY
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
1
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
1
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w :
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Total cost is at most w(
nw
)column additions and
(nw
)tests
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Total cost is at most w(
nw
)column additions
������
��and
(nw
)tests
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Total cost is about w(
nw
)column operations
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w :[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Instead, we may keep track of partial sums
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2 (= s + hj1 + hj2 )
. . .for jw from jw−1 + 1 to n
w :[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Instead, we may keep track of partial sums
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw (= s + hj1 + hj2 + · · ·+ hjw )
[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Instead, we may keep track of partial sums
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Line i is executed about(
ni
)times
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Line i is executed about(
ni
)times
→ total of about(
n1
)+
(n2
)+ · · ·+
(nw
)column additions
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Line i is executed about(
ni
)times
→ total of about(
n1
)+
(n2
)+ · · ·+
(nw
)column additions
dominated by(
nw
)when w is not too large Back
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
Requires about(
nw
)column operations
Note that we obtain all solutions
1
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
Requires about(
nw
)column operations
Note that we obtain all solutions
1
Birthday Decoding
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
Answer: Split H into two equal parts and enumerate the two following sets
L1 ={
e1HT1 | wt(e1) =
w2
}and L2 =
{s + e2HT
2 | wt(e2) =w2
}If L1 ∩ L2 6= ∅, we have solution(s): s + e1HT
1 + e2HT2 = 0
Algorithm
2
Birthday Decoding
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
Answer: Split H into two equal parts and enumerate the two following sets
L1 ={
e1HT1 | wt(e1) =
w2
}and L2 =
{s + e2HT
2 | wt(e2) =w2
}If L1 ∩ L2 6= ∅, we have solution(s): s + e1HT
1 + e2HT2 = 0
Algorithm
2
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)|L1|
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)+(n/2
w/2
)|L1| |L2|
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}for all e2 of weight w/2
x ← s + e2HT2
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)+(n/2
w/2
)+
(n/2w/2
)2
2n−k
|L1| |L2| |L1|·|L2|2n−k
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}for all e2 of weight w/2
x ← s + e2HT2
for all e1 ∈ T [x ]I ← I ∪ {(e1,e2)}
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)+(n/2
w/2
)+
(n/2w/2
)2
2n−k
|L1| |L2| |L1|·|L2|2n−k
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}for all e2 of weight w/2
x ← s + e2HT2
for all e1 ∈ T [x ]I ← I ∪ {(e1,e2)}
return I
Back
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
Birthday Decoding
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
Answer: Split H into two equal parts and enumerate the two following sets
L1 ={
e1HT1 | wt(e1) =
w2
}and L2 =
{s + e2HT
2 | wt(e2) =w2
}If L1 ∩ L2 6= ∅, we have solution(s): s + e1HT
1 + e2HT2 = 0
Algorithm
Requires about 2(n/2
w/2
)+
(n/2w/2
)2
2n−k column operations
Can also be written 2L + L2/2n−k where L = |L1| = |L2|2
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)One particular error of Hamming weight w splits evenly with probability
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)One particular error of Hamming weight w splits evenly with probability
We may have to repeat with H divided in several different ways
or more generally by picking the two halves randomly
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain all solutions:
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Total cost2(n/2
w/2
)+(n/2
w/2
)2/2n−k
P=
2(n
w
)(n/2w/2
) + (nw
)2n−k operations
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Total cost2(n/2
w/2
)+(n/2
w/2
)2/2n−k
P=
2(n
w
)(n/2w/2
) + (nw
)2n−k operations
≈ 4√
8πw√(n
w
)+#Solutions
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2+εw/2
)2(nw
)-�-�
n/2 + εn/2 + ε
To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Relaxation: allow overlapping→ H1 and H2 are wider by ε
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2+εw/2
)2(nw
) ≈ 1
-�-�n/2 + εn/2 + ε
To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Relaxation: allow overlapping→ H1 and H2 are wider by ε
We choose ε such that(n/2+ε
w/2
)≈√(n
w
)→ single repetition
3
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2+εw/2
)2(nw
) ≈ 1
-�-�n/2 + εn/2 + ε
To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Relaxation: allow overlapping→ H1 and H2 are wider by ε
We choose ε such that(n/2+ε
w/2
)≈√(n
w
)→ single repetition
Total cost: 2√(n
w
)+(n
w
)/2n−k = 2L + L2/2n−k with L =
√(nw
)(up to a small constant factor)
3
3. Message Attack (ISD)1. From Generic Decoding to Syndrome Decoding2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding3. Information Set Decoding: the Power of Linear Algebra4. Complexity Analysis5. Lee and Brickell Algorithm6. Stern/Dumer Algorithm7. May, Meurer, and Thomae Algorithm8. Becker, Joux, May, and Meurer Algorithm9. Generalized Birthday Algorithm for Decoding
10. Decoding One Out of Many
Nicolas Sendrier CODE-BASED CRYPTOGRAPHY
