Improved algorithms for finding low-weight polynomial multiples in \(\mathbb {F}_{2}^{}[x]\) and some cryptographic applications

Abstract

In this paper we present an improved algorithm for finding low-weight multiples of polynomials over the binary field using coding theoretic methods. The associated code defined by the given polynomial has a cyclic structure, allowing an algorithm to search for shifts of the sought minimum-weight codeword. Therefore, a code with higher dimension is constructed, having a larger number of low-weight codewords and through some additional processing also reduced minimum distance. Applying an algorithm for finding low-weight codewords in the constructed code yields a lower complexity for finding low-weight polynomial multiples compared to previous approaches. As an application, we show a key-recovery attack against  that has a lower complexity than the chosen security level indicate. Using similar ideas we also present a new probabilistic algorithm for finding a multiple of weight 4, which is faster than previous approaches. For example, this is relevant in correlation attacks on stream ciphers.

Appendix: Proof of Proposition 1

The complexity function \(C^*\) refers to the expected complexity of running Algorithm 1 with an instance where we have one single solution, i.e., only one codeword of weight \(w\) exists in the code, whereas in the case of LWPMb, there will exist several weight \(w\) codewords. Having \(y+1\) possible solutions instead of one suggests that finding at least one is roughly \(y+1\) times more likely. However, for this to be true, the probability \(\xi \) of finding one single codeword in one iteration must be small. In particular, we require that \(y\xi \ll 1\). Secondly, we require the events of finding the shifted low-weight codewords to be independent of each other.

Let the set of solutions, i.e., the set of shifts of \(K(x)\) represented as vectors, be the rows of the matrix

$$\begin{aligned} \mathbf{{K}} =\left[ \begin{array}{lllllllllll} 1 &{} k_1 &{} k_2 &{} \cdots &{} \cdots &{}\cdots &{} k_{d-1} &{} 1\\ &{} 1 &{} k_1 &{} k_2 &{} \cdots &{} \cdots &{} \cdots &{} k_{d-1} &{} 1\\ &{} &{} \ddots &{} \ddots &{} \ddots &{} &{} &{} &{} \ddots &{} \ddots \\ &{} &{} &{} 1 &{} k_1 &{} k_2 &{} \cdots &{}\cdots &{} \cdots &{} k_{d-1} &{} 1 \end{array}\right] . \end{aligned}$$

The weight reduction using of the expanded generator matrix \(\mathbf{{G}}_y\) will result in a new codeword matrix, which we write as

$$\begin{aligned} \mathbf{{K}} \mathbf {\Gamma } = \left[ \begin{array}{llllllll} 0 &{} k_1 &{} k_2 &{} \cdots &{} \cdots &{} \cdots &{}\cdots &{} k_{d-1}\\ k_{d-1} &{} 0 &{} k_1 &{} k_2 &{} \cdots &{} \cdots &{} \cdots &{} k_{d-2}\\ \vdots &{} &{} \ddots &{} \ddots &{} \ddots &{} &{} &{} \vdots \\ k_{d-y} &{} \cdots &{} k_{d-1} &{} 0 &{} k_1 &{} k_2 &{} \cdots &{} k_{d-y-1} \end{array}\right] . \end{aligned}$$

The column permutation \(\pi \) acting on \(\mathbf{\mathbf{{G}}_y \mathbf {\Gamma }}\) (used in Algorithm 1) permutes all codewords accordingly, thus permuting the columns of \(\mathbf{{K}}\). Let \(r=d-d_P\). For a set of arbitrary indices \(\{i_1,i_2,\ldots ,i_{r}\} \subset \{0,1,\ldots ,d-1\}\), the resulting permutation of \(\mathbf{{K}} \mathbf{{\Gamma }}\) is

$$\begin{aligned} \pi (\mathbf{{K}} \mathbf {\Gamma }) = \left[ \begin{array}{llll} k_{i_1} &{} k_{i_2} &{} \cdots &{} k_{i_{r}}\\ k_{i_1-1} &{} k_{i_2-1} &{} \cdots &{} k_{i_{r}-1} \\ \vdots &{} \vdots &{} &{} \vdots \\ k_{i_1-y} &{} k_{{i_2}-y} &{} \cdots &{} k_{{i_{r}}-y} \end{array}\cdots \right] . \end{aligned}$$

Now, assume that the two vectors

$$\begin{aligned} \mathbf{{k}} = \begin{array}{llll} k_{i_1}&k_{i_2}&\cdots&k_{i_{r}} \end{array} \hbox { and } \mathbf{{k}}' = \begin{array}{llll} k_{i_1-j}&k_{i_2-j}&\cdots&k_{i_{r}-j} \end{array} \end{aligned}$$

constitute two rows of the first \(r\) columns of \(\pi (\mathbf{{K}} \mathbf{{\Gamma }})\) for some \(j\) such that \(1 \le j \le y\) and where each \(k_i\) is an i.i.d. random variable. Note that the indices are taken modulo \(d\). For a codeword \(\mathbf{{k}}\) to be considered as a possible solution in one iteration of Algorithm 1, a necessary but not sufficient condition is that \(\mathbf{{k}}\) can have at most \(2p\) nonzero elements in the first \(r\) columns. We want to show that these two events are approximately independent. We provide some informal argument. A more formal derivation would require quite some space, which we avoid.

The set of indices \(\{i_1, i_2,\ldots , i_{r}\}\) are chosen uniformly in the permutation. As a consequence, there is a non-zero probability that \(\{i_1, i_2,\ldots , i_r\}\cap \{i_{1}-j, i_{2}-j,..., i_{r}-j\}\ne \emptyset \), meaning that one or several random variables in \(\mathbf{{k}}\) and \(\mathbf{{k}}'\) are identical. More specifically, we have

$$\begin{aligned} \mu \mathop {=}\limits ^{{ \tiny def }}\mathbf{{E}}\left[ |\{i_1, i_2,\ldots , i_{r}\} \cap \{i_{1}-j, i_{2}-j,\ldots , i_{r}-j\}|\right] \end{aligned}$$

common indices in \(\{i_1, i_2,\ldots , i_{r}\}\) and \(\{i_{1}-j, i_{2}-j,..., i_{r}-j\}\) on average. The probability of having \(i\) overlapping variables describes the probability function of a hypergeometric distribution, i.e.,

$$\begin{aligned} \mathbf {Pr}\left[ j \hbox { overlapping variables}\right] = \frac{{r \atopwithdelims ()j}{d-r\atopwithdelims ()r-j}}{{d \atopwithdelims ()j}} \end{aligned}$$

and thus,

$$\begin{aligned} \mu = \frac{r^2}{d}. \end{aligned}$$

Let \({A_{0}}\) denote the sum of random variables in positions \({i_1}, {i_2}, \ldots , {i_r}\) and \(A_1\) the sum of random variables in positions \(\{i_{1}-j, i_{2}-j,..., i_{r}-j\}\) respectively. Moreover, let B denote the sum of the intersecting variables in positions \(\{i_1, i_2,\ldots , i_r\}\cap \{i_{1}-j, i_{2}-j,..., i_{r}-j\}\). The expected intersection is \(\mu \), so \(B\) is sum of \(\mu \) random variables. By assuming the worst-case \(A_0 = 2p\), we obtain the following

$$\begin{aligned} \mathbf{{E}}\left[ {A}_1 | A_0 = 2p\right] =&\mathbf{{E}}\left[ B | A_0 = 2p\right] + \mathbf{{E}}\left[ A_1-B | A_0 = 2p\right] \\ =&2p \frac{\mu }{r} + (w-2p) \frac{r-\mu }{d-r}= 2p \frac{r}{d}+(w-2p) \frac{r-\frac{r^2}{d}}{d-r}\\ =&2p \left( \frac{r(d-r) - d\left( r-\frac{r^2}{d}\right) }{d(d-r)}\right) +w \frac{r \left( 1-\frac{r}{d}\right) }{d\left( 1-\frac{r}{d}\right) }= w\frac{r}{d}\\ =&w \left( 1-\frac{d_P}{d}\right) . \end{aligned}$$

Hence, if \(w \left( 1-\frac{d_P}{d}\right) \gg 2p\) then the expected value is significantly larger than \(2p\). If so, \(A_1\) is very unlikely to take a value below or equal to \(2p\) and, thus, we argue that the events of finding the shifted codewords are approximately independent.

Under the two conditions \(y \xi \ll 1\) and \(w \left( 1-\frac{d_P}{d}\right) \gg 2p\), we can conclude that the probability of finding at least one out of \(y+1\) codewords is \(1-(1-\xi )^{y+1} \approx (y+1) \xi \), since all codewords are equally likely to be found. Moreover, the complexity \(C^*\) is \(\mathcal {O}\left( \xi ^{-1}\right) \) and therefore Algorithm 2 has complexity \(\mathcal {O}\left( (y+1)^{-1}\xi ^{-1}\right) \). This concludes the proof of Proposition 1.