Top

Designs, Codes and Cryptography

Published in:

17-12-2018

An algorithmic framework for the generalized birthday problem

Author: Itai Dinur

Published in: Designs, Codes and Cryptography | Issue 8/2019

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The generalized birthday problem (GBP) was introduced by Wagner in 2002 and has shown to have many applications in cryptanalysis. In its typical variant, we are given access to a function \(H:\{0,1\}^{\ell } \rightarrow \{0,1\}^n\) (whose specification depends on the underlying problem) and an integer \(K>0\). The goal is to find K distinct inputs to H (denoted by \(\{x_i\}_{i=1}^{K}\)) such that \(\sum _{i=1}^{K}H(x_i) = 0\). Wagner’s K-tree algorithm solves the problem in time and memory complexities of about \(N^{1/(\lfloor \log K \rfloor + 1)}\) (where \(N= 2^n\)). In this paper, we improve the best known GBP time-memory tradeoff curve (published independently by Nikolić and Sasaki and also by Biryukov and Khovratovich) for all \(K \ge 8\) from \(T^2M^{\lfloor \log K \rfloor -1} = N\) to \(T^{\lceil (\log K)/2 \rceil + 1 }M^{\lfloor (\log K)/2 \rfloor } = N\), applicable for a large range of parameters. We further consider values of K which are not powers of 2 and show that in many cases even more efficient time-memory tradeoff curves can be obtained. Finally, we optimize our techniques for several concrete GBP instances and show how to solve some of them with improved time and memory complexities compared to the state-of-the-art. Our results are obtained using a framework that combines several algorithmic techniques such as variants of the Schroeppel–Shamir algorithm for solving knapsack problems (devised in works by Howgrave-Graham and Joux and by Becker, Coron and Joux) and dissection algorithms (published by Dinur, Dunkelman, Keller and Shamir).

previous article Uniqueness of codes using semidefinite programming

next article At most three-weight binary linear codes from generalized Moisio’s exponential sums

GBP formally requires that \(\sum _{i=1}^{K}H(x_i) = 0\), but it is typically easy to tweak GBP algorithms to output \(\{x_i\}_{i=1}^{K}\), such that \(\sum _{i=1}^{K}H(x_i) = s\) for any fixed \(s \in \{0,1\}^n\).

In a sub-linear time-memory tradeoff, the exponent of T is larger than the exponent of M.

This definition does not capture algorithms (such as Minder and Sinclair’s algorithm [11]) that merge the initial lists into larger ones. However, the restriction typically does not result in loss of generality, as an initial merge can be considered as a preparation phase algorithm by defining the function H appropriately.

When the number of expected solutions to the list sum problem is S, then \(A_{K,S}\) typically coincides with \(A_{K}\). The more interesting case is when the number of expected solutions is greater than S and \(A_{K,S}\) could potentially be more efficient than \(A_{K}\).

Our algorithms will also assume that the number of solutions has low variance, hence such constraints have to be set carefully for this to hold.

We note that [1] extended this algorithm to a time-memory tradeoff. However, as it uses memory larger than \(2^m\) (the size of the input lists), we do not consider it in this paper.

We could try to fix additional intermediate target values that the algorithm \(A_{i}\) iterates over internally. However, this generally results in a less efficient tradeoff compared to \(TM^i = N\).

Note that in this section we rename the parameter of basic algorithms from K to P.

Note that the evaluation is performed at K / 2 rather than K.

These algorithms are not optimal for a very small domain size close to \(2^{n/K}\), which is the minimal value required for a solution to exist with high probability. In such cases it is more efficient to apply a final layer of random-walk collision search (as done in [4, 7]). However, the practical relevance of these algorithms is relatively limited and they are beyond the scope of this paper (as we focus on practical tradeoffs for GBP instances with limited domain sizes).

Becker A., Coron J., Joux A.: Improved generic algorithms for hard knapsacks. In: Paterson K.G. (ed) Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011. Lecture Notes in Computer Science, vol. 6632, pp. 364–385. Springer, New York (2011).

Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^{n/20}\): how \(1 + 1 = 0\) improves information set decoding. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012—31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Lecture Notes in Computer Science, vol. 7237, pp. 520–536. Springer, New York (2012).

Bernstein D.J.: Better price-performance ratios for generalized birthday attacks. In: SHARCS07: Special-Purpose Hardware for Attacking Cryptographic Systems (2007).

Bernstein D.J., Lange T., Niederhagen R., Peters C., Schwabe P.: FSBday. In: Roy B.K., Sendrier N. (eds.) Progress in Cryptology—INDOCRYPT 2009, 10th International Conference on Cryptology in India, New Delhi, India, December 13–16, 2009. Lecture Notes in Computer Science, vol. 5922, pp. 18–38. Springer, New York (2009).

Biryukov A., Khovratovich D.: Equihash: asymmetric proof-of-work based on the generalized birthday problem. In: 23nd Annual Network and Distributed System Security Symposium, NDSS 2016, San Diego, California, USA, February 21–24, 2016. The Internet Society (2016).

Canteaut A., Trabbia M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel B. (ed.) Advances in Cryptology—EUROCRYPT 2000, International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14–18, 2000. Lecture Notes in Computer Science, vol. 1807, pp. 573–588. Springer, New York (2000).

Dinur I., Dunkelman O., Keller N., Shamir A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology—CRYPTO 2012—32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2012. Lecture Notes in Computer Science, vol. 7417, pp. 719–740. Springer, New York (2012).

Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Matsui M. (ed.) Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6–10, 2009. Lecture Notes in Computer Science, vol. 5912, pp. 88–105. Springer, New York (2009).

Howgrave-Graham N., Joux A.: New generic algorithms for hard knapsacks. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010. Lecture Notes in Computer Science, vol. 6110, pp. 235–256. Springer, New York(2010).

10.

Meier W., Staffelbach O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1989).MathSciNetCrossRefMATH

11.

Minder L., Sinclair A.: The extended k-tree algorithm. J. Cryptol. 25(2), 349–382 (2012).MathSciNetCrossRefMATH

12.

Nikolic I., Sasaki Y.: Refinements of the k-tree algorithm for the generalized birthday problem. In: Iwata T., Cheon J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015. Lecture Notes in Computer Science, Part II, vol. 9453, pp. 683–703. Springer, New York (2015).

13.

Schroeppel R., Shamir A.: \(\text{ A } \text{ T }=\text{ O }(2^{n/2})\), \(\text{ S }=\text{ O }(2^{n/4})\) algorithm for certain NP-complete problems. SIAM J. Comput. 10(3), 456–464 (1981).MathSciNetCrossRefMATH

14.

van Oorschot P.C., Wiener M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999).MathSciNetCrossRefMATH

15.

Wagner D.A.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology—CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18–22, 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–303. Springer, New York(2002).

Title: An algorithmic framework for the generalized birthday problem
Author: Itai Dinur
Publication date: 17-12-2018
Publisher: Springer US
Published in: Designs, Codes and Cryptography / Issue 8/2019
Print ISSN: 0925-1022
Electronic ISSN: 1573-7586
DOI: https://doi.org/10.1007/s10623-018-00594-6

Springer Professional

An algorithmic framework for the generalized birthday problem

Abstract

Premium Partner

Springer Professional

Abstract

Please log in to get access to your license.

Other articles of this Issue 8/2019

Optimal binary constant weight codes and affine linear groups over finite fields

At most three-weight binary linear codes from generalized Moisio’s exponential sums

Correction to: Improved Singleton bound on frequency hopping sequences and optimal constructions

Codes with the rank metric and matroids

Additive perfect codes in Doob graphs

Polynomial time bounded distance decoding near Minkowski’s bound in discrete logarithm lattices

Premium Partner