# Improved algorithms for finding low-weight polynomial multiples in \(\mathbb {F}_{2}^{}[x]\) and some cryptographic applications

- 244 Downloads
- 2 Citations

## Abstract

In this paper we present an improved algorithm for finding low-weight multiples of polynomials over the binary field using coding theoretic methods. The associated code defined by the given polynomial has a cyclic structure, allowing an algorithm to search for shifts of the sought minimum-weight codeword. Therefore, a code with higher dimension is constructed, having a larger number of low-weight codewords and through some additional processing also reduced minimum distance. Applying an algorithm for finding low-weight codewords in the constructed code yields a lower complexity for finding low-weight polynomial multiples compared to previous approaches. As an application, we show a key-recovery attack against Open image in new window that has a lower complexity than the chosen security level indicate. Using similar ideas we also present a new probabilistic algorithm for finding a multiple of weight 4, which is faster than previous approaches. For example, this is relevant in correlation attacks on stream ciphers.

## Keywords

Low-weight polynomial multiple Low-weight codeword Information-set decoding Public-key cryptography Open image in new window Correlation attacks## Mathematics Subject Classification

11T71 11T06## Notes

### Acknowledgments

We would like to thank the anonymous reviewers in the submission to DCC and WCC for their valuable and insightful comments that helped improve the manuscript. We also want to thank Martin Ågren for helping out with the initial implementation of the algorithm described in Sect. 6. This research was funded by a grant (621-2009-4646) from the Swedish Research Council.

## References

- 1.Ågren M., Hell M., Johansson T., Löndahl C.: Improved message passing techniques in fast correlation attacks on stream ciphers. In: 7th International Symposium on Turbo Codes & Iterative Information Processing (2012).Google Scholar
- 2.Aumasson J., Finiasz M., Meier W., Vaudenay S.: TCHo: a hardware-oriented trapdoor cipher. In: Pieprzyk J., Ghodosi H., Dawson E. (eds.) ACISP. Lecture Notes in Computer Science, vol. 4586, pp. 184–199. Springer, Berlin (2007).Google Scholar
- 3.Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^n/20\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012. Lecture Notes in Computer Science, vol. 7237, pp. 520–536. Springer, Berlin (2012).Google Scholar
- 4.Bernstein D.J.: Introduction to post-quantum cryptography. In: Bernstein D.J., Buchmann J., Dahmen E. (eds.) Post-Quantum Cryptography, pp. 1–14. Springer, Berlin (2009).Google Scholar
- 5.Bernstein D.J., Lange T., Peters C.: Attacking and defending the McEliece cryptosystem. In: PQCrypto 2008, pp. 31–46 (2008).Google Scholar
- 6.Bernstein D.J., Lange T., Peters C.: Smaller decoding exponents: ball collision decoding. In: Rogway P. (ed.) Advances in Cryptology—CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 743–760. Springer, Berlin (2011).Google Scholar
- 7.Canteaut A., Chabaud F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theory
**44**, 367–378 (1998).Google Scholar - 8.Canteaut A., Trabbia M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel B. (ed.) Advances in Cryptology–EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 573–588. Springer, Berlin (2000).Google Scholar
- 9.Chose P., Joux A., Mitton M.: Fast correlation attacks: an algorithmic point of view. In: Boneh D. (ed.) Advances in Cryptology–EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 209–221. Springer, Berlin (2002).Google Scholar
- 10.Didier F., Laigle-Chapuy Y.: Finding low-weight polynomial multiples using discrete logarithm. In: Goldsmith A., Shokrollahi A., Medard M., Zamir R. (eds.) International Symposium on Information Theory–ISIT 2007. IEEE, CCSd (2007).Google Scholar
- 11.El Aimani L., von zur Gathen J.: Finding low weight polynomial multiples using lattices. In: Cryptology ePrint Archive, Report 2007/423 (2007).Google Scholar
- 12.Finiasz M., Vaudenay S.: When stream cipher analysis meets public-key cryptography. In: Biham E., Youssef A.M. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 4356 , pp. 266–284. Springer, Berlin (2006).Google Scholar
- 13.Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Matsui M. (ed.) Advances in Cryptology—ASIACRYPT 2009. Lecture Notes in Computer Science, vol. 4586, pp. 88–105. Springer, Berlin (2009).Google Scholar
- 14.Golić, J.D.: Computation of low-weight parity-check polynomials. Electron. Lett.
**32**(21), 1981–1982 (1996).Google Scholar - 15.Herrmann M., Leander G.: A practical key recovery attack on basic. In: Jarecki S., Tsudik G. (eds) Public Key Cryptography—PKC 2009. Lecture Notes in Computer Science, vol. 5443, pp. 411–424. Springer, Berlin (2009).Google Scholar
- 16.Johansson T., Löndahl C.: An improvement to Stern’s algorithm. Internal Report. http://lup.lub.lu.se/record/2204753 (2011). Accessed 20 Aug 2013.
- 17.Joux A.: Algorithmic Cryptanalysis. Chapman & Hall/CRC, Boco Raton (2009).Google Scholar
- 18.May A., Meurer A., Thomae E.: Decoding random linear codes in \(\tilde{\cal O}{2^{0.054n}}\). In: Lee D.-H., Wang X. (eds.) Advances in Cryptology–ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 107–124. Springer, Berlin (2011).Google Scholar
- 19.McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42–44, pp. 114–116 (1978).Google Scholar
- 20.Meier W., Staffelbach O.: Fast correlation attacks on certain stream ciphers. J. Cryptol.
**1**(3), 159–176 (1989).Google Scholar - 21.Shor P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, 20–22 Nov 1994, Santa Fe, NM, pp. 124–134. IEEE Press, Washington (1994).Google Scholar
- 22.Stern J.: A method for finding codewords of small weight. In: Wolfmann J., Cohen G.D. (eds.) Coding Theory and Applications. Lecture Notes in Computer Science, vol. 388, pp. 106–113. Springer, Berlin (1989).Google Scholar
- 23.Wagner D.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–303. Springer, Berlin (2002).Google Scholar