An algorithmic framework for the generalized birthday problem

Abstract

The generalized birthday problem (GBP) was introduced by Wagner in 2002 and has shown to have many applications in cryptanalysis. In its typical variant, we are given access to a function $$H:\{0,1\}^{\ell } \rightarrow \{0,1\}^n$$ (whose specification depends on the underlying problem) and an integer $$K>0$$ . The goal is to find K distinct inputs to H (denoted by $$\{x_i\}_{i=1}^{K}$$ ) such that $$\sum _{i=1}^{K}H(x_i) = 0$$ . Wagner’s K-tree algorithm solves the problem in time and memory complexities of about $$N^{1/(\lfloor \log K \rfloor + 1)}$$ (where $$N= 2^n$$ ). In this paper, we improve the best known GBP time-memory tradeoff curve (published independently by Nikolic and Sasaki and also by Biryukov and Khovratovich) for all $$K \ge 8$$ from $$T^2M^{\lfloor \log K \rfloor -1} = N$$ to $$T^{\lceil (\log K)/2 \rceil + 1 }M^{\lfloor (\log K)/2 \rfloor } = N$$ , applicable for a large range of parameters. We further consider values of K which are not powers of 2 and show that in many cases even more efficient time-memory tradeoff curves can be obtained. Finally, we optimize our techniques for several concrete GBP instances and show how to solve some of them with improved time and memory complexities compared to the state-of-the-art. Our results are obtained using a framework that combines several algorithmic techniques such as variants of the Schroeppel–Shamir algorithm for solving knapsack problems (devised in works by Howgrave-Graham and Joux and by Becker, Coron and Joux) and dissection algorithms (published by Dinur, Dunkelman, Keller and Shamir).