Designs, Codes and Cryptography

, Volume 73, Issue 2, pp 625–640 | Cite as

Improved algorithms for finding low-weight polynomial multiples in \(\mathbb {F}_{2}^{}[x]\) and some cryptographic applications

  • Carl Löndahl
  • Thomas Johansson


In this paper we present an improved algorithm for finding low-weight multiples of polynomials over the binary field using coding theoretic methods. The associated code defined by the given polynomial has a cyclic structure, allowing an algorithm to search for shifts of the sought minimum-weight codeword. Therefore, a code with higher dimension is constructed, having a larger number of low-weight codewords and through some additional processing also reduced minimum distance. Applying an algorithm for finding low-weight codewords in the constructed code yields a lower complexity for finding low-weight polynomial multiples compared to previous approaches. As an application, we show a key-recovery attack against Open image in new window  that has a lower complexity than the chosen security level indicate. Using similar ideas we also present a new probabilistic algorithm for finding a multiple of weight 4, which is faster than previous approaches. For example, this is relevant in correlation attacks on stream ciphers.


Low-weight polynomial multiple Low-weight codeword Information-set decoding Public-key cryptography Open image in new window Correlation attacks 

Mathematics Subject Classification

11T71 11T06 



We would like to thank the anonymous reviewers in the submission to DCC and WCC for their valuable and insightful comments that helped improve the manuscript. We also want to thank Martin Ågren for helping out with the initial implementation of the algorithm described in Sect. 6. This research was funded by a grant (621-2009-4646) from the Swedish Research Council.


  1. 1.
    Ågren M., Hell M., Johansson T., Löndahl C.: Improved message passing techniques in fast correlation attacks on stream ciphers. In: 7th International Symposium on Turbo Codes & Iterative Information Processing (2012).Google Scholar
  2. 2.
    Aumasson J., Finiasz M., Meier W., Vaudenay S.: TCHo: a hardware-oriented trapdoor cipher. In: Pieprzyk J., Ghodosi H., Dawson E. (eds.) ACISP. Lecture Notes in Computer Science, vol. 4586, pp. 184–199. Springer, Berlin (2007).Google Scholar
  3. 3.
    Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^n/20\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012. Lecture Notes in Computer Science, vol. 7237, pp. 520–536. Springer, Berlin (2012).Google Scholar
  4. 4.
    Bernstein D.J.: Introduction to post-quantum cryptography. In: Bernstein D.J., Buchmann J., Dahmen E. (eds.) Post-Quantum Cryptography, pp. 1–14. Springer, Berlin (2009).Google Scholar
  5. 5.
    Bernstein D.J., Lange T., Peters C.: Attacking and defending the McEliece cryptosystem. In: PQCrypto 2008, pp. 31–46 (2008).Google Scholar
  6. 6.
    Bernstein D.J., Lange T., Peters C.: Smaller decoding exponents: ball collision decoding. In: Rogway P. (ed.) Advances in Cryptology—CRYPTO 2011. Lecture Notes in Computer Science, vol. 6841, pp. 743–760. Springer, Berlin (2011).Google Scholar
  7. 7.
    Canteaut A., Chabaud F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theory 44, 367–378 (1998).Google Scholar
  8. 8.
    Canteaut A., Trabbia M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel B. (ed.) Advances in Cryptology–EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 573–588. Springer, Berlin (2000).Google Scholar
  9. 9.
    Chose P., Joux A., Mitton M.: Fast correlation attacks: an algorithmic point of view. In: Boneh D. (ed.) Advances in Cryptology–EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 209–221. Springer, Berlin (2002).Google Scholar
  10. 10.
    Didier F., Laigle-Chapuy Y.: Finding low-weight polynomial multiples using discrete logarithm. In: Goldsmith A., Shokrollahi A., Medard M., Zamir R. (eds.) International Symposium on Information Theory–ISIT 2007. IEEE, CCSd (2007).Google Scholar
  11. 11.
    El Aimani L., von zur Gathen J.: Finding low weight polynomial multiples using lattices. In: Cryptology ePrint Archive, Report 2007/423 (2007).Google Scholar
  12. 12.
    Finiasz M., Vaudenay S.: When stream cipher analysis meets public-key cryptography. In: Biham E., Youssef A.M. (eds.) Selected Areas in Cryptography. Lecture Notes in Computer Science, vol. 4356 , pp. 266–284. Springer, Berlin (2006).Google Scholar
  13. 13.
    Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Matsui M. (ed.) Advances in Cryptology—ASIACRYPT 2009. Lecture Notes in Computer Science, vol. 4586, pp. 88–105. Springer, Berlin (2009).Google Scholar
  14. 14.
    Golić, J.D.: Computation of low-weight parity-check polynomials. Electron. Lett. 32(21), 1981–1982 (1996).Google Scholar
  15. 15.
    Herrmann M., Leander G.: A practical key recovery attack on basic. In: Jarecki S., Tsudik G. (eds) Public Key Cryptography—PKC 2009. Lecture Notes in Computer Science, vol. 5443, pp. 411–424. Springer, Berlin (2009).Google Scholar
  16. 16.
    Johansson T., Löndahl C.: An improvement to Stern’s algorithm. Internal Report. (2011). Accessed 20 Aug 2013.
  17. 17.
    Joux A.: Algorithmic Cryptanalysis. Chapman & Hall/CRC, Boco Raton (2009).Google Scholar
  18. 18.
    May A., Meurer A., Thomae E.: Decoding random linear codes in \(\tilde{\cal O}{2^{0.054n}}\). In: Lee D.-H., Wang X. (eds.) Advances in Cryptology–ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 107–124. Springer, Berlin (2011).Google Scholar
  19. 19.
    McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42–44, pp. 114–116 (1978).Google Scholar
  20. 20.
    Meier W., Staffelbach O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1989).Google Scholar
  21. 21.
    Shor P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, 20–22 Nov 1994, Santa Fe, NM, pp. 124–134. IEEE Press, Washington (1994).Google Scholar
  22. 22.
    Stern J.: A method for finding codewords of small weight. In: Wolfmann J., Cohen G.D. (eds.) Coding Theory and Applications. Lecture Notes in Computer Science, vol. 388, pp. 106–113. Springer, Berlin (1989).Google Scholar
  23. 23.
    Wagner D.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology—CRYPTO 2002. Lecture Notes in Computer Science, vol. 2442, pp. 288–303. Springer, Berlin (2002).Google Scholar

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.Department of Electrical and Information TechnologyLund UniversityLundSweden

Personalised recommendations