Abstract

We study a generalization of the k-list problem, also known as the Generalized Birthday problem. In the k-list problem, one starts with k lists of binary vectors and has to find a set of vectors – one from each list – that sum to the all-zero target vector. In our generalized Approximate k-list problem, one has to find a set of vectors that sum to a vector of small Hamming weight ω. Thus, we relax the condition on the target vector and allow for some error positions. This in turn helps us to significantly reduce the size of the starting lists, which determines the memory consumption, and the running time as a function of ω. For ω = 0, our algorithm achieves the original k-list run-time/memory consumption, whereas for ω = n/2 it has polynomial complexity. As in the k-list case, our Approximate k-list algorithm is defined for all k = 2^m, m > 1. Surprisingly, we also find an Approximate 3-list algorithm that improves in the runtime exponent compared to its 2-list counterpart for all 0 < ω < n/2. To the best of our knowledge this is the first such improvement of some variant of the notoriously hard 3-list problem. As an application of our algorithm we compute small weight multiples of a given polynomial with more flexible degree than with Wagner’s algorithm from Crypto 2002 and with smaller time/memory consumption than with Minder and Sinclair’s algorithm from SODA 2009.
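The problem statement for k = 2, as an added example that is not code from the paper: a quadratic baseline beside a simple match-then-filter search that matches exactly on the ell low-order bits and filters the surviving pairs by Hamming weight. The function names, the parameter ell and the constructed sample lists are assumptions of this sketch, which only finds solutions whose error positions lie outside the matched bits and does not reproduce the paper's algorithm or parameter choices.

```python
import random
from collections import defaultdict

def weight(x):
    """Hamming weight of a bit vector stored as an int."""
    return bin(x).count("1")

def brute_force(L1, L2, omega):
    """Quadratic baseline: every pair whose XOR has weight <= omega."""
    return {(a, b) for a in L1 for b in L2 if weight(a ^ b) <= omega}

def match_and_filter(L1, L2, omega, ell):
    """Match exactly on the ell low bits, then filter by total weight.

    Only finds solutions whose error positions avoid the matched bits.
    """
    mask = (1 << ell) - 1
    buckets = defaultdict(list)
    for a in L1:
        buckets[a & mask].append(a)
    found = set()
    for b in L2:
        for a in buckets.get(b & mask, ()):
            if weight(a ^ b) <= omega:
                found.add((a, b))
    return found

def constructed_lists(n=24, size=256, seed=1):
    """Constructed sample input: random lists plus one planted solution."""
    rng = random.Random(seed)
    L1 = [rng.getrandbits(n) for _ in range(size)]
    L2 = [rng.getrandbits(n) for _ in range(size)]
    a = rng.getrandbits(n)
    err = 0b111 << (n - 3)          # weight-3 error in the top bits
    L1.append(a)
    L2.append(a ^ err)
    return L1, L2, (a, a ^ err)

if __name__ == "__main__":
    L1, L2, planted = constructed_lists()
    exact = brute_force(L1, L2, omega=3)
    fast = match_and_filter(L1, L2, omega=3, ell=10)
    print(len(exact), "solutions by brute force,", len(fast), "by match-and-filter")
    print("planted pair found:", planted in fast)
```

Setting ell = 0 makes the bucketed search degenerate to the quadratic baseline, while larger ell shrinks the buckets at the cost of missing solutions with errors in the matched bits.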

Highlights

  • Birthday-type attacks and their generalization by Wagner in 2002 [Wag02] to the so-called k-list algorithm are one of the most fundamental tools in cryptanalysis, and of invaluable importance for assessing secure instantiations of cryptographic problems. Wagner’s algorithm and its variations found numerous applications, e.g. for attacking problems like hash function constructions [CJ04], LPN [LF06, GJL14, ZJW16], codes [MO15, BJMM12, MMT11], lattices [AKS01, KS01] and subset sum [Lyu05, BCJ11, HGJ10].

  • As an application of our approximate k-list problem, we show how to compute small weight multiples of a given polynomial P(x) ∈ F[x] of degree n.

  • Our approximate k-list algorithm can be used to find near collisions for those hash functions.


Summary

Introduction

Birthday-type attacks and their generalization by Wagner in 2002 [Wag02] to the so-called k-list algorithm are one of the most fundamental tools in cryptanalysis, and of invaluable importance for assessing secure instantiations of cryptographic problems. This belief is directly linked to the famous 3SUM-problem in complexity theory [KPP14], where it is conjectured that any algorithm for the 3-list problem requires running time at least quadratic in the list sizes. This means that every algorithm basically has to look at every pair of L1 × L2 and compare with the elements in L3. We first give a non-optimized version of our algorithm that allows for explicitly stating the original list sizes |Li| and the run-time/memory consumption as a closed formula of the parameters (n, k, ω). Such a closed formula is certainly useful for direct application by cryptanalysts – our formula is somewhat less handy than Wagner’s formula for the k-list problem.

Solving the Approximate k-list Problem
An Algorithm for the Approximate 2-list Problem
An Algorithm for the Approximate 3-list Problem
The Approximate k-List Algorithm
Practical Optimizations
Match-and-Filter algorithm
Applications
Solving the Parity Check Problem