3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to...
Transcript of 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to...
![Page 1: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/1.jpg)
3. Message Attack (ISD)1. From Generic Decoding to Syndrome Decoding2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding3. Information Set Decoding: the Power of Linear Algebra4. Complexity Analysis5. Lee and Brickell Algorithm6. Stern/Dumer Algorithm7. May, Meurer, and Thomae Algorithm8. Becker, Joux, May, and Meurer Algorithm9. Generalized Birthday Algorithm for Decoding
10. Decoding One Out of Many
0Nicolas Sendrier CODE-BASED CRYPTOGRAPHY
![Page 2: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/2.jpg)
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
1
![Page 3: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/3.jpg)
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
1
![Page 4: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/4.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 5: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/5.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 6: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/6.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 7: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/7.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w :
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 8: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/8.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 9: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/9.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 10: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/10.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Total cost is at most w(
nw
)column additions and
(nw
)tests
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 11: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/11.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Total cost is at most w(
nw
)column additions
������
��and
(nw
)tests
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 12: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/12.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1:
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w : sw ← s + hj1 + hj2 + · · ·+ hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Total cost is about w(
nw
)column operations
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 13: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/13.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2:
. . .for jw from jw−1 + 1 to n
w :[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Instead, we may keep track of partial sums
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 14: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/14.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2 (= s + hj1 + hj2 )
. . .for jw from jw−1 + 1 to n
w :[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Instead, we may keep track of partial sums
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 15: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/15.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw (= s + hj1 + hj2 + · · ·+ hjw )
[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Instead, we may keep track of partial sums
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 16: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/16.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Line i is executed about(
ni
)times
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 17: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/17.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Line i is executed about(
ni
)times
→ total of about(
n1
)+
(n2
)+ · · ·+
(nw
)column additions
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 18: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/18.jpg)
H = h1 h2 · · · hn s
-� n
6
?
n − k
Enumerate {s + eHT | wt(e) = w} = {s + hj1 + · · · + hjw | 1 ≤ j1 < . . . < jw ≤ n}
for j1 from 1 to n1: s1 ← s + hj1
for j2 from j1 + 1 to n2: s2 ← s1 + hj2
. . .for jw from jw−1 + 1 to n
w : sw ← sw−1 + hjw[if sw = 0 then return (j1, j2, . . . , jw )] or [store(sw , (j1, j2, . . . , jw ))]
Line i is executed about(
ni
)times
→ total of about(
n1
)+
(n2
)+ · · ·+
(nw
)column additions
dominated by(
nw
)when w is not too large Back
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
1.0
![Page 19: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/19.jpg)
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
Requires about(
nw
)column operations
Note that we obtain all solutions
1
![Page 20: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/20.jpg)
Exhaustive Search
Problem: find w columns ofH adding to s (modulo 2) H = h1 h2 · · · hn s =
-� n
6
?
n − k
Answer: enumerate all w-tuples (j1, j2, · · · , jw ) such that 1 ≤ j1 < j2 < . . . < jw ≤ nand check whether s + hj1 + hj2 · · · + hjw = 0
How to enumerate nicely
Requires about(
nw
)column operations
Note that we obtain all solutions
1
![Page 21: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/21.jpg)
Birthday Decoding
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
Answer: Split H into two equal parts and enumerate the two following sets
L1 ={
e1HT1 | wt(e1) =
w2
}and L2 =
{s + e2HT
2 | wt(e2) =w2
}If L1 ∩ L2 6= ∅, we have solution(s): s + e1HT
1 + e2HT2 = 0
Algorithm
2
![Page 22: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/22.jpg)
Birthday Decoding
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
Answer: Split H into two equal parts and enumerate the two following sets
L1 ={
e1HT1 | wt(e1) =
w2
}and L2 =
{s + e2HT
2 | wt(e2) =w2
}If L1 ∩ L2 6= ∅, we have solution(s): s + e1HT
1 + e2HT2 = 0
Algorithm
2
![Page 23: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/23.jpg)
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
![Page 24: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/24.jpg)
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)|L1|
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
![Page 25: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/25.jpg)
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)+(n/2
w/2
)|L1| |L2|
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}for all e2 of weight w/2
x ← s + e2HT2
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
![Page 26: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/26.jpg)
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)+(n/2
w/2
)+
(n/2w/2
)2
2n−k
|L1| |L2| |L1|·|L2|2n−k
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}for all e2 of weight w/2
x ← s + e2HT2
for all e1 ∈ T [x ]I ← I ∪ {(e1,e2)}
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
![Page 27: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/27.jpg)
Compute L1 ∩ L2 ={
e1HT1 | wt(e1) =
w2
}∩{
s + e2HT2 | wt(e2) =
w2
}
H = H1 H2
-� n
s6
?
n − k
Total cost:(n/2
w/2
)+(n/2
w/2
)+
(n/2w/2
)2
2n−k
|L1| |L2| |L1|·|L2|2n−k
for all e1 of weight w/2x ← e1HT
1 ; T [x ]← T [x ] ∪ {e1}for all e2 of weight w/2
x ← s + e2HT2
for all e1 ∈ T [x ]I ← I ∪ {(e1,e2)}
return I
Back
proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof proof
2.0
![Page 28: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/28.jpg)
Birthday Decoding
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
Answer: Split H into two equal parts and enumerate the two following sets
L1 ={
e1HT1 | wt(e1) =
w2
}and L2 =
{s + e2HT
2 | wt(e2) =w2
}If L1 ∩ L2 6= ∅, we have solution(s): s + e1HT
1 + e2HT2 = 0
Algorithm
Requires about 2(n/2
w/2
)+
(n/2w/2
)2
2n−k column operations
Can also be written 2L + L2/2n−k where L = |L1| = |L2|2
![Page 29: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/29.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
3
![Page 30: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/30.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)One particular error of Hamming weight w splits evenly with probability
3
![Page 31: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/31.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)One particular error of Hamming weight w splits evenly with probability
We may have to repeat with H divided in several different ways
or more generally by picking the two halves randomly
3
![Page 32: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/32.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain all solutions:
3
![Page 33: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/33.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
3
![Page 34: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/34.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Total cost2(n/2
w/2
)+(n/2
w/2
)2/2n−k
P=
2(n
w
)(n/2w/2
) + (nw
)2n−k operations
3
![Page 35: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/35.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2w/2
)2(nw
)To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Total cost2(n/2
w/2
)+(n/2
w/2
)2/2n−k
P=
2(n
w
)(n/2w/2
) + (nw
)2n−k operations
≈ 4√
8πw√(n
w
)+#Solutions
3
![Page 36: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/36.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2+εw/2
)2(nw
)-�-�
n/2 + εn/2 + ε
To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Relaxation: allow overlapping→ H1 and H2 are wider by ε
3
![Page 37: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/37.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2+εw/2
)2(nw
) ≈ 1
-�-�n/2 + εn/2 + ε
To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Relaxation: allow overlapping→ H1 and H2 are wider by ε
We choose ε such that(n/2+ε
w/2
)≈√(n
w
)→ single repetition
3
![Page 38: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/38.jpg)
Birthday Decoding – Complexity
Problem: find w columns ofH adding to s (modulo 2) H = H1 H2 s =
-� n
6
?
n − k
P =
(n/2+εw/2
)2(nw
) ≈ 1
-�-�n/2 + εn/2 + ε
To obtain��all most solutions:
repeat with ≈ 1P
different splitting:{
1. compute L1 and L22. compute L1 ∩ L2
Relaxation: allow overlapping→ H1 and H2 are wider by ε
We choose ε such that(n/2+ε
w/2
)≈√(n
w
)→ single repetition
Total cost: 2√(n
w
)+(n
w
)/2n−k = 2L + L2/2n−k with L =
√(nw
)(up to a small constant factor)
3
![Page 39: 3. Message Attack (ISD) - fun-mooc.fr · 3. Message Attack (ISD) 1.From Generic Decoding to Syndrome Decoding 2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding 3.Information](https://reader030.fdocuments.us/reader030/viewer/2022040220/5e1e9c894ee4743950757763/html5/thumbnails/39.jpg)
3. Message Attack (ISD)1. From Generic Decoding to Syndrome Decoding2. Combinatorial Solutions: Exhaustive Search and Birthday Decoding3. Information Set Decoding: the Power of Linear Algebra4. Complexity Analysis5. Lee and Brickell Algorithm6. Stern/Dumer Algorithm7. May, Meurer, and Thomae Algorithm8. Becker, Joux, May, and Meurer Algorithm9. Generalized Birthday Algorithm for Decoding
10. Decoding One Out of Many
Nicolas Sendrier CODE-BASED CRYPTOGRAPHY