Abstract
Consider the following problem: Given \(k=2^{q}\) random lists of \(n\)-bit vectors, \(L_{1},\ldots,L_{k}\), each of length \(m\), find \(x_{1}\in L_{1},\ldots,x_{k}\in L_{k}\) such that \(x_{1}+\cdots+x_{k}=0\), where \(+\) is the XOR operation. This problem has applications in a number of areas, including cryptanalysis, coding theory, finding shortest lattice vectors, and learning theory. The so-called k-tree algorithm, due to Wagner, solves this problem in \(\tilde{O}(2^{q+n/(q+1)})\) expected time provided the length \(m\) of the lists is large enough, specifically if \(m\geq 2^{n/(q+1)}\).
In many applications, however, it is necessary to work with lists of smaller length, where the above algorithm breaks down. In this paper we generalize the algorithm to work for significantly smaller values of the list length m, all the way down to the threshold value for which a solution exists with reasonable probability. Our algorithm exhibits a tradeoff between the value of m and the running time. We also provide the first rigorous bounds on the failure probability of both our algorithm and that of Wagner.
As a third contribution, we give an extension of this algorithm to the case where the vectors are not binary, but defined over an arbitrary finite field \(\mathbb{F}_{r}\), and a solution to \(\lambda_{1}x_{1}+\cdots+\lambda_{k}x_{k}=0\) with \(\lambda_{i}\in\mathbb{F}_{r}^{*}\) and \(x_{i}\in L_{i}\) is sought.
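As an added illustration (not code from the paper), the following Python implements Wagner's original k-tree algorithm for the XOR problem stated above: at each of the \(q\) levels adjacent lists are merged on the next \(n/(q+1)\)-bit chunk, so list sizes stay near \(m\) when \(m\) is a small constant above the threshold \(2^{n/(q+1)}\). It assumes \(n\) is divisible by \(q+1\) and runs on constructed random lists; the paper's extension to shorter lists is not implemented here.

```python
import random
from collections import defaultdict

def ktree(lists, n, q):
    """Wagner's k-tree algorithm for k = 2**q lists of n-bit integers.

    Level j (j = 0..q-1) merges adjacent pairs of lists, keeping only XOR
    sums that are zero on the next l = n // (q + 1) low bits; the last
    level demands a full n-bit match, i.e. an XOR sum equal to zero.
    Returns a tuple of k indices (one per input list) or None.
    """
    k = 1 << q
    assert len(lists) == k and n % (q + 1) == 0   # assumption: chunks divide evenly
    l = n // (q + 1)
    full = (1 << n) - 1
    # Each candidate is (partial XOR, tuple of contributing indices).
    level = [[(v, (i,)) for i, v in enumerate(L)] for L in lists]
    for j in range(q):
        # Low j*l bits are already zero; match on the next l bits (all bits at the last level).
        mask = full if j == q - 1 else (1 << ((j + 1) * l)) - 1
        nxt = []
        for a in range(0, len(level), 2):
            table = defaultdict(list)
            for v, idx in level[a]:
                table[v & mask].append((v, idx))
            merged = [(u ^ v, idx + jdx)
                      for v, jdx in level[a + 1]
                      for u, idx in table.get(v & mask, ())]
            nxt.append(merged)
        level = nxt
    for v, idx in level[0]:
        if v == 0:
            return idx
    return None

def xor_of(lists, idx):
    """XOR of the chosen elements; 0 means idx is a valid solution."""
    acc = 0
    for L, i in zip(lists, idx):
        acc ^= L[i]
    return acc

def random_lists(k, m, n, seed=0):
    """k constructed lists of m uniformly random n-bit values (sample input)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(n) for _ in range(m)] for _ in range(k)]
```

With n = 24 and q = 2 (four lists), m = 4 * 2^8 = 1024 keeps every intermediate list a few thousand entries long and yields hundreds of expected solutions, whereas m = 2^8 exactly gives only about one expected solution, which is the regime the paper's extension addresses.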
References
M. Ajtai, R. Kumar, D. Sivakumar, A sieve algorithm for the shortest lattice vector problem, in Proceedings of the 31st Annual ACM Symposium on Theory of Computing (2001), pp. 601–610
D. Augot, M. Finiasz, N. Sendrier, A family of fast syndrome based cryptographic hash functions, in Proceedings of Mycrypt 2005. LNCS, vol. 3715 (Springer, Berlin, 2005), pp. 64–83
M. Bellare, D. Micciancio, A new paradigm for collision-free hashing: incrementality at reduced cost, in Proceedings of Eurocrypt ’97. LNCS, vol. 1233 (Springer, Berlin, 1997), pp. 163–192
D.J. Bernstein, T. Lange, R. Niederhagen, C. Peters, P. Schwabe, FSBday: Implementing Wagner’s generalized birthday attack against the SHA-3 round-1 candidate FSB, in INDOCRYPT 2009. LNCS, vol. 5922 (Springer, Berlin, 2009), pp. 18–38
A. Blum, A.T. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)
A. Brown, A. Shokrollahi, Algebraic-geometric codes over the erasure channel, in Proceedings of the IEEE International Symposium on Information Theory (2004), p. 77
P. Camion, J. Patarin, The knapsack hash function proposed at Crypto’89 can be broken, in Proceedings of Eurocrypt ’91. LNCS, vol. 547 (Springer, Berlin, 1991), pp. 39–53
P. Chose, A. Joux, M. Mitton, Fast correlation attacks: an algorithmic point of view, in Proceedings of Eurocrypt ’02. LNCS, vol. 2332 (Springer, Berlin, 2002), pp. 209–221
J.-S. Coron, A. Joux, Cryptanalysis of a provably secure cryptographic hash function, Cryptology ePrint Archive Report 2004/013, 2004. http://eprint.iacr.org/2004/013
R. Kumar, D. Sivakumar, On polynomial approximation to the shortest lattice vector length, in Proceedings of the 12th Annual ACM-SIAM Symposium on Discrete Algorithms (2001), pp. 126–127
V. Lyubashevsky, The parity problem in the presence of noise, decoding random linear codes, and the subset sum problem, in Proceedings of APPROX-RANDOM 2005. LNCS, vol. 3624 (Springer, Berlin, 2005), pp. 378–389
V. Lyubashevsky, D. Micciancio, C. Peikert, A. Rosen, SWIFFT: A modest proposal for FFT hashing, in Proceedings of Fast Software Encryption 2008. LNCS, vol. 8086 (Springer, Berlin, 2008), pp. 54–72
L. Minder, A. Sinclair, The extended k-tree algorithm, in Proceedings of the 19th Annual ACM-SIAM Symposium on Discrete Algorithms (2009), pp. 586–595
A. Shallue, An improved multi-set algorithm for the dense subset sum problem, in Proceedings of Algorithmic Number Theory Symposium, ANTS VIII. LNCS, vol. 5011 (Springer, Berlin, 2008), pp. 416–429
D. Wagner, A generalized birthday problem, in Proceedings of CRYPTO 2002. LNCS, vol. 2442 (Springer, Berlin, 2002), pp. 288–303
Additional information
Communicated by Ronald Cramer
A preliminary version of this paper appeared as [13].
L. Minder supported by grant PBEL2–120932 from the Swiss National Science Foundation, and by NSF grants 0528488 and 0635153.
A. Sinclair supported in part by NSF grant 0635153 and by a UC Berkeley Chancellor’s Professorship.
Rights and permissions
Open Access This is an open access article distributed under the terms of the Creative Commons Attribution Noncommercial License (https://creativecommons.org/licenses/by-nc/2.0), which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.
About this article
Cite this article
Minder, L., Sinclair, A. The Extended k-tree Algorithm. J Cryptol 25, 349–382 (2012). https://doi.org/10.1007/s00145-011-9097-y