Abstract
The generalized birthday problem (GBP) was introduced by Wagner in 2002 and has been shown to have many applications in cryptanalysis. In its typical variant, we are given access to a function $H: \{0,1\}^{\ell} \to \{0,1\}^{n}$ (whose specification depends on the underlying problem) and an integer $K > 0$. The goal is to find $K$ distinct inputs to $H$ (denoted by $\{x_i\}_{i=1}^{K}$) such that $\sum_{i=1}^{K} H(x_i) = 0$. Wagner's K-tree algorithm solves the problem in time and memory complexities of about $N^{1/(\lfloor \log K \rfloor + 1)}$ (where $N = 2^n$). In this paper, we improve the best known GBP time-memory tradeoff curve (published independently by Nikolić and Sasaki and also by Biryukov and Khovratovich) for all $K \geq 8$ from $T^2 M^{\lfloor \log K \rfloor - 1} = N$ to $T^{\lceil (\log K)/2 \rceil + 1} M^{\lfloor (\log K)/2 \rfloor} = N$, applicable for a large range of parameters. We further consider values of $K$ which are not powers of 2 and show that in many cases even more efficient time-memory tradeoff curves can be obtained. Finally, we optimize our techniques for several concrete GBP instances and show how to solve some of them with improved time and memory complexities compared to the state-of-the-art. Our results are obtained using a framework that combines several algorithmic techniques such as variants of the Schroeppel–Shamir algorithm for solving knapsack problems (devised in works by Howgrave-Graham and Joux and by Becker, Coron and Joux) and dissection algorithms (published by Dinur, Dunkelman, Keller and Shamir).
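The baseline the abstract refers to, Wagner's K-tree algorithm, shown for $K = 4$ as an added example (not code from the paper). Assumptions: the sum is XOR, `H` is a truncated SHA-256 stand-in, and the toy parameters are $n = 24$ with lists four times the $2^{n/3}$ size so that a solution exists with overwhelming probability.

```python
import hashlib

N_BITS = 24                       # output size n (constructed toy parameter)
LOW_BITS = N_BITS // 3            # bits cancelled at the first tree level
LIST_SIZE = 1 << (LOW_BITS + 2)   # 4x Wagner's 2^(n/3); assumption, see lead-in

def H(x: int) -> int:
    """Stand-in for the problem's H: SHA-256 truncated to N_BITS (assumption)."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << N_BITS) - 1)

def merge(left, right, mask):
    """Join two lists of (value, inputs) on the masked bits; emit XORed pairs."""
    index = {}
    for value, inputs in left:
        index.setdefault(value & mask, []).append((value, inputs))
    out = []
    for value, inputs in right:
        for lvalue, linputs in index.get(value & mask, ()):
            out.append((lvalue ^ value, linputs + inputs))
    return out

def four_tree():
    """Return all 4-tuples (x1, x2, x3, x4) the tree finds with XOR of H(xi) = 0."""
    # Disjoint input ranges per list keep the four inputs distinct.
    lists = [[(H(x), (x,)) for x in range(j * LIST_SIZE, (j + 1) * LIST_SIZE)]
             for j in range(4)]
    low = (1 << LOW_BITS) - 1
    full = (1 << N_BITS) - 1
    # Level 1: keep only pairs whose XOR is zero on the low n/3 bits.
    l12 = merge(lists[0], lists[1], low)
    l34 = merge(lists[2], lists[3], low)
    # Level 2: equal partial sums mean the XOR of all four values is zero.
    return [inputs for _, inputs in merge(l12, l34, full)]

if __name__ == "__main__":
    solutions = four_tree()
    print(len(solutions), "solutions, first:", solutions[0])
```

Each level only ever stores lists of roughly the input size, which is where the $N^{1/3}$ time and memory figure for $K = 4$ comes from; the tree finds only those solutions whose pairwise partial sums vanish on the low bits.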
Original language | English |
---|---|
Pages (from-to) | 1897-1926 |
Number of pages | 30 |
Journal | Designs, Codes, and Cryptography |
Volume | 87 |
Issue number | 8 |
State | Published - 15 Aug 2019 |
Keywords
- Cryptanalysis
- Generalized birthday problem
- K-tree algorithm
- Time-memory tradeoff
ASJC Scopus subject areas
- Theoretical Computer Science
- Computer Science Applications
- Discrete Mathematics and Combinatorics
- Applied Mathematics