Improved Information Set Decoding Alexander Meurer , Ruhr-Universitt - - PowerPoint PPT Presentation

Improved Information Set Decoding

Alexander Meurer, Ruhr-Universität Bochum CBC Workshop 2012, Lyngby

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices naive 3 2

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices naive 3 2,808 Strassen 2

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices naive 3 2,808 Strassen 2 2,376 CW

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices naive 3 2,808 Strassen 2 2,376 CW 2,3727 Williams

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices

• Strassen still performs best in practice (for reasonable n)

naive 3 2,808 Strassen 2 2,376 CW 2,3727 Williams

The Asymptotic Playground The Asymptotic Playground

• We are interested in asymptotically fastest algorithms
• Prominent example: Matrix multiplication
• Measure runtime as

for n x n - matrices

• Strassen still performs best in practice (for reasonable n)

naive 3 2,808 Strassen 2 2,376 CW 2,3727 Williams

This talk: recent (asymptotic) progress in ISD.

Recap Binary Linear Codes Recap Binary Linear Codes

• C = random binary [n,k,d] code
• n = length / k = dimension / d = minimum distance
• Given x = c+e with c C

and w := wt(e) =

• Find e and thus c = x+e

2

4 5 d-1 2 · · · ·

c 4 5 d-1 2 x·

Bounded Distance Decoding (BDD) Bounded Distance Decoding (BDD)

Comparing Running Times Comparing Running Times

How to compare performance of decoding algorithms

• Running time T(n,k,d)
• Fixed code rate R = k/n
• For n→∞, k and d are related via Gilbert-Varshamov

bound, thus T(n,k,d) = T(n,k)

• Compare algorithms by complexity coeffcient F(k), i.e.

T(n,k) = 2F(k) • n + o(n)

Comparing Running Times Comparing Running Times

How to compare performance of decoding algorithms

• Running time T(n,k,d)
• Fixed code rate R = k/n
• For n→∞, k and d are related via Gilbert-Varshamov

bound, thus T(n,k,d) = T(n,k)

• Compare algorithms by complexity coeffcient F(k), i.e.

T(n,k) = 2F(k) • n + o(n) Minimize F(k)! Minimize F(k)!

Syndrome Decoding Syndrome Decoding

• H = parity check matrix
• Consider syndrome s := s(x) = H·x = H·(c+e) = H·e

→ Find linear combination of w columns of H matching s

H

weight w n n-k

= + + =

s

(BDD) Given x = c+e with c C and wt(e)=w, fnd e!

2

Syndrome Decoding Syndrome Decoding

• H = parity check matrix
• Consider syndrome s := s(x) = H·x = H·(c+e) = H·e

→ Find linear combination of w columns of H matching s

H

weight w n n-k

= + + =

s

(BDD) Given x = c+e with c C and wt(e)=w, fnd e!

2

Brute-Force complexity T(n,k,d) = Brute-Force complexity T(n,k,d) =

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(k)

0,3868 0,06 0,05

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(k)

0,3868 0,06 0,05 0,0576 Prange

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(k)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

= s

weight w

H

n-k n

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

= s

weight w

H

n-k n

= s

weight w

H

n-k n

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

• Elementary row operations on H do not change the

problem

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

• Elementary row operations on H do not change the

problem

=

weight w

H

n-k n

s

Some Basic Observations for BDD Some Basic Observations for BDD

Allowed (linear algebra) transformations

• Permuting the columns of H does not change the

problem

• Elementary row operations on H do not change the

problem

= s

weight w

H

n-k n

UG

Invertible (n-k)x(n-k) matrix

UG

Randomized quasi-systematic form Randomized quasi-systematic form

• Work on randomly column-permuted version of H
• Transform H into quasi-systematic form

First used in generalized ISD framework of [FS09]

In-k-l In-k-l

l rows

Q' q1 , ..., qk+l

k+l n-k-l

H =

Information Set Decoding Information Set Decoding

''Reducing the brute-force search space by linear algebra.''

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

k+l n-k-l

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

Focus on e1 matching s on frst l coordinates Focus on e1 matching s on frst l coordinates

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

Find all e1 of weight p matching s on frst l coordinates

The ISD Principle The ISD Principle

• Structure of H allows to divide e =

e1 e2

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

=

Q' q1 , ..., qk+l

e1

In-k-l In-k-l

e2

+

* *

= +

* * *

= !

s

l coordinates

Find all e1 of weight p matching s on frst l coordinates

In-k-l In-k-l Q' q1 , ..., qk+l

e1 e2

= =

• Method only recovers

particular error patterns

• If no solution found:

→ Rerandomize H

k+l n-k-l p w-p

e1 e2

The ISD Principle The ISD Principle

• 1st step (randomization): Compute „fresh“ random quasi-

systematic form of H

• 2nd step (search): Try to fnd a solution e amongst all

q1 , ..., qk+l

e1

=

s

H

k+l n-k-l p w-p

e1 e2

with

The ISD Principle The ISD Principle

• 1st step (randomization): Compute „fresh“ random quasi-

systematic form of H

• 2nd step (search): Try to fnd a solution e amongst all

q1 , ..., qk+l

e1

=

s

H

k+l n-k-l p w-p

e1 e2

with

T = Pr[„good rand.“]-1 * T[search]

The ISD Search Step (Notation) The ISD Search Step (Notation)

• Find vector
• f weight p with

e1

q1 , ..., qk+l

e1

=

s

The ISD Search Step (Notation) The ISD Search Step (Notation)

• Find vector
• f weight p with
• Find selection

with

e1

q1 , ..., qk+l

e1

=

s

The ISD Search Step (Notation) The ISD Search Step (Notation)

• Find vector
• f weight p with
• Find selection

with

e1

q1 , ..., qk+l

e1

=

s

We exploit 1+1=0 to fnd e1 more effciently!

A Meet-in-the-Middle Approach A Meet-in-the-Middle Approach

• Disjoint partition

into left and right half Find a selection with

p / 2

(k+l) / 2

p / 2

(k+l) / 2

p

(k+l)

A Meet-in-the-Middle Approach A Meet-in-the-Middle Approach

• To fnd

run a Meet-in-the-Middle algorithm based on

• Same F(k) as recent Ball-Collision decoding [BLP11]

as shown in [MMT11] Find a selection with

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(k)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern 0,0556 Ball-Collision

The Representation Technique [HGJ10] The Representation Technique [HGJ10]

• Expand H into larger

stack H'

• Expanding H' introduces

r many representations N1 , … , Nr

• Examine a 1/r – fraction
• f H' to fnd one Ni

How to fnd a needle N in a haystack H...

The Representation Technique [HGJ10] The Representation Technique [HGJ10]

• Expand H into larger

stack H'

• Expanding H' introduces

r many representations N1 , … , Nr

• Examine a 1/r – fraction
• f H' to fnd one Ni

How to fnd a needle N in a haystack H... Technicality: Find a way to examine a 1/r – fraction

• f H' without completely

constructing it beforehand Technicality: Find a way to examine a 1/r – fraction

• f H' without completely

constructing it beforehand

Back to the MitM Approach Back to the MitM Approach

• The disjoint partition forces a unique solution
• Needle = unique
• Haystack = all vectors

p / 2 (k+l) / 2 (k+l) / 2 p / 2 (k+l) / 2 (k+l) / 2

Using Representations [MMT11] Using Representations [MMT11]

• Basic representation technique
• Arbitrary disjoint partition

Find a selection with

p

k+l

Using Representations [MMT11] Using Representations [MMT11]

• Basic representation technique
• Arbitrary disjoint partition

Find a selection with

p / 2

k+l

p / 2

k+l

p

k+l

Using Representations [MMT11] Using Representations [MMT11]

• Basic representation technique
• Arbitrary disjoint partition

Find a selection with

p / 2

k+l k+l

p

k+l

p / 2

Using Representations [MMT11] Using Representations [MMT11]

• Basic representation technique
• Arbitrary disjoint partition

Find a selection with

p / 2

k+l k+l

p

k+l

p / 2

Using Representations [MMT11] Using Representations [MMT11]

• Basic representation technique
• Arbitrary disjoint partition

Find a selection with

p / 2

k+l k+l

p

k+l

p / 2

… and so on ...

Using Representations [MMT11] Using Representations [MMT11]

• Basic representation technique
• Arbitrary disjoint partition

Find a selection with

p / 2

k+l k+l

p

k+l

p / 2

… and so on ...

representations representations

Using Representations [MMT11] Using Representations [MMT11]

• Haystack = set of all
• Needles =

representations

• Bottleneck: Effcient computation of a
• fraction of the haystack

Find a selection with

p / 2 k+l p / 2 k+l p / 2 p / 2 k+l p / 2

, , ...

Complexity Coeffcients (BDD) Complexity Coeffcients (BDD)

Brute-Force

F(k)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern 0,0556 Ball-Collision 0,0537 MMT

The Representation Technique The Representation Technique

• r = number of needles
• |H'| = size of expanded haystack
• Ratio |H'| / r determines effciency

→ Increase r while keeping |H'| small Optimizing the Representation Technique [BCJ11]

The Representation Technique The Representation Technique

• r = number of needles
• |H'| = size of expanded haystack
• Ratio |H'| / r determines effciency

→ Increase r while keeping |H'| small Optimizing the Representation Technique [BCJ11]

Can we use 1+1 = 0 to increase r ?

Using 1 + 1 = 0 Using 1 + 1 = 0

''Decoding Random Binary Linear Codes in 2n/20: How 1 + 1 = 0 Improves Information Set Decoding.'' joint work with A.Becker, A.Joux & A.May (EUROCRYPT'12)

How to use How to use 1 1 + + 1 1 = 0 = 0

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l

p / 2 + ²

k+l

p / 2 + ²

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

k+l

p / 2 + ²

k+l

p / 2 + ²

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l

p / 2 + ²

k+l

p / 2 + ²

Write as the symmetric difference of intersecting sets Double columns cancel out due to 1+1=0 !

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l

p / 2 + ²

k+l

p / 2 + ²

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l

p / 2 + ²

k+l

p / 2 + ²

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l k+l

p / 2 + ² p / 2 + ²

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l k+l

p / 2 + ² p / 2 + ²

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l k+l

p / 2 + ² p / 2 + ²

… and so on ...

Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

p

k+l k+l k+l

p / 2 + ² p / 2 + ²

… and so on ...

representations representations Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

• Haystack = set of all
• Needles =

representations

p / 2 + ² k+l k+l k+l

, , ...

p / 2 + ² p / 2 + ²

How can we compute a 1/R – fraction of the haystack ? Write as the symmetric difference of intersecting sets

How to use How to use 1 1 + + 1 1 = 0 = 0

How can we compute a 1/R – fraction of the haystack ?

q1 q3 + q4 + q11 + = q2 q4 + q7 + q12 + s +

• Want to fnd one needle (and suitable ) with

How to use How to use 1 1 + + 1 1 = 0 = 0

How can we compute a 1/R – fraction of the haystack ?

q1 q3 + q4 + q11 + = q2 q4 + q7 + q12 + s +

• Want to fnd one needle (and suitable ) with

Uniform 0/1 - coordinates

How to use How to use 1 1 + + 1 1 = 0 = 0

• Fix

to r and to s+r on log(R) coordinates → Expect one needle to fulfll the extra constraint! How can we compute a 1/R – fraction of the haystack ?

q1 q3 + q4 + q11 + = q2 q4 + q7 + q12 + s +

• Want to fnd one needle (and suitable ) with

Uniform 0/1 - coordinates

log(R) coordinates

How to use How to use 1 1 + + 1 1 = 0 = 0

• Fix

to r and to s+r on log(R) coordinates → Expect one needle to fulfll the extra constraint! How can we compute a 1/R – fraction of the haystack ?

q1 q3 + q4 + q11 + = q2 q4 + q7 + q12 + s +

• Want to fnd one needle (and suitable ) with

Uniform 0/1 - coordinates

log(R) coordinates

But how do we compute those restricted and ?

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute

On log(R) coordinates!

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute
• Choose random partition

with On log(R) coordinates!

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute
• Choose random partition

with

• Compute base lists

On log(R) coordinates!

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute
• Choose random partition

with

• Compute base lists

On log(R) coordinates!

Merge and into !

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute
• Choose random partition

with

• Compute base lists

On log(R) coordinates!

Merge and into ! Can be improved! Use representations again!

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute

where

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute

where

• Write

with and

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute

where

• Write

with and

• Introduces

reps for each

How to Fix log(R) Coordinates How to Fix log(R) Coordinates

• We want to compute

where

• Write

with and

• Introduces

reps for each Compute two lists containing a 1/R2-fraction

• f those !

The Complete Computation Tree The Complete Computation Tree

Randomly partioned base lists and

The Complete Computation Tree The Complete Computation Tree

Randomly partioned base lists and log(R2) coordi- nates fxed

The Complete Computation Tree The Complete Computation Tree

Randomly partioned base lists and log(R1) coordi- nates fxed

The Complete Computation Tree The Complete Computation Tree

Randomly partioned base lists and

Warning! Inconsistencies (i.e. matchings

• f false weight) have to be sorted out!

The Complete Computation Tree The Complete Computation Tree

Randomly partioned base lists and Candidate solutions l coordi- nates fxed

Some Technicalities Some Technicalities

• Need to exclude "badly distributed“ q1 , … , qk+l

→ intermediate lists become too large (abort) → solution get's lost w.h.p.

Some Technicalities Some Technicalities

• Need to exclude "badly distributed“ q1 , … , qk+l

→ intermediate lists become too large (abort) → solution get's lost w.h.p.

• Method introduces extra inverse-polynomial failure

probability (due to disjoint partitions on bottom level) Can be avoided in implementations! Do non-disjoint base lists!

Some Technicalities Some Technicalities

• Need to exclude "badly distributed“ q1 , … , qk+l

→ intermediate lists become too large (abort) → solution get's lost w.h.p.

• Method introduces extra inverse-polynomial failure

probability (due to disjoint partitions on bottom level)

• We only fx parameters to guarantee

E[# surviving reps] ≥ 1

Some Technicalities Some Technicalities

• Need to exclude "badly distributed“ q1 , … , qk+l

→ intermediate lists become too large (abort) → solution get's lost w.h.p.

• Method introduces extra inverse-polynomial failure

probability (due to disjoint partitions on bottom level)

• We only fx parameters to guarantee

E[# surviving reps] ≥ 1

Main Result F(k) Main Result F(k) ≤ ≤ 0.0494 0.0494

Brute-Force

F(k)

0,3868 0,06 0,05 0,0576 Prange 0,0557 Stern 0,0556 Ball-Collision 0,0537 MMT BJMM 0,0494

Main Result F(k) Main Result F(k) ≤ ≤ 0.0494 0.0494

F(k) k

• - - Ball-Collisions

MMT BJMM

In Practical terms... In Practical terms...

• 256-Bit security for McEliece revisited

→ [n,k,d] = [6624,5129,117]

• Exact complexity analysis (using tricks from [BLP08])

→ Stern ≈ 2256 → Ball-Collisions ≈ 2254 → Our Algorithm ≈ 2239

• Parameters: l = 286 p = 44 ²1 = 12 ²2 = 1

In Practical terms... In Practical terms...

• 256-Bit security for McEliece revisited

→ [n,k,d] = [6624,5129,117]

• Exact complexity analysis (using tricks from [BLP08])

→ Stern ≈ 2256 → Ball-Collisions ≈ 2254 → Our Algorithm ≈ 2239

• Parameters: l = 286 p = 44 ²1 = 12 ²2 = 1

Toolkit for optimal para- meter choices will be available soon (includes all ISD algorithms up-to- date)

Wrapping up... Wrapping up...

Summary

• Using 1+1=0 introduces extra representations
• Asymptotically fastest generic decoding algorithm
• Even practical impact (e.g. for high security levels of

McEliece)

• Full Version ePrint 2012/026

Wrapping up... Wrapping up...

Summary

• Using 1+1=0 introduces extra representations
• Asymptotically fastest generic decoding algorithm
• Even practical impact (e.g. for high security levels of

McEliece)

• Full Version ePrint 2012/026

Thank you!