An algorithmic framework for the generalized birthday problem

Bibliographic Details
Published in: Designs, codes, and cryptography Vol. 87; no. 8; pp. 1897-1926
Main Author: Dinur, Itai
Format: Journal Article
Language: English
Published: New York Springer US 15-08-2019
Springer Nature B.V
Description
Summary: The generalized birthday problem (GBP) was introduced by Wagner in 2002 and has been shown to have many applications in cryptanalysis. In its typical variant, we are given access to a function $H : \{0,1\}^{\ell} \to \{0,1\}^{n}$ (whose specification depends on the underlying problem) and an integer $K > 0$. The goal is to find $K$ distinct inputs to $H$ (denoted by $\{x_i\}_{i=1}^{K}$) such that $\sum_{i=1}^{K} H(x_i) = 0$. Wagner’s K-tree algorithm solves the problem in time and memory complexities of about $N^{1/(\lfloor \log K \rfloor + 1)}$ (where $N = 2^{n}$). In this paper, we improve the best known GBP time-memory tradeoff curve (published independently by Nikolić and Sasaki and also by Biryukov and Khovratovich) for all $K \ge 8$ from $T^{2} M^{\lfloor \log K \rfloor - 1} = N$ to $T^{\lceil (\log K)/2 \rceil + 1} M^{\lfloor (\log K)/2 \rfloor} = N$, applicable for a large range of parameters. We further consider values of $K$ which are not powers of 2 and show that in many cases even more efficient time-memory tradeoff curves can be obtained. Finally, we optimize our techniques for several concrete GBP instances and show how to solve some of them with improved time and memory complexities compared to the state-of-the-art. Our results are obtained using a framework that combines several algorithmic techniques such as variants of the Schroeppel–Shamir algorithm for solving knapsack problems (devised in works by Howgrave-Graham and Joux and by Becker, Coron and Joux) and dissection algorithms (published by Dinur, Dunkelman, Keller and Shamir).
ISSN: 0925-1022, 1573-7586
DOI: 10.1007/s10623-018-00594-6