TY - GEN

T1 - Fine-Grained Cryptanalysis

T2 - 62nd IEEE Annual Symposium on Foundations of Computer Science, FOCS 2021

AU - Dinur, Itai

AU - Keller, Nathan

AU - Klein, Ohad

N1 - Publisher Copyright:
© 2022 IEEE.

PY - 2022/1/1

Y1 - 2022/1/1

N2 - An average-case variant of the k-SUM conjecture asserts that finding k numbers that sum to 0 in a list of r random numbers, each of the order r k, cannot be done in much less than r\lceil k/2\rceil time. On the other hand, in the dense regime of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner's k-tree algorithm. Such algorithms for k-SUM in the dense regime have many applications, notably in cryptanalysis. In this paper, assuming the average-case k-SUM conjecture, we prove that known algorithms are essentially optimal for k=3,4,5. For k > 5, we prove the optimality of the k-tree algorithm for a limited range of parameters. We also prove similar results for k-XOR, where the sum is replaced with exclusive or. Our results are obtained by a self-reduction that, given an instance of k-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense k-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle's solutions, even though its inputs are highly correlated.

AB - An average-case variant of the k-SUM conjecture asserts that finding k numbers that sum to 0 in a list of r random numbers, each of the order r k, cannot be done in much less than r\lceil k/2\rceil time. On the other hand, in the dense regime of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner's k-tree algorithm. Such algorithms for k-SUM in the dense regime have many applications, notably in cryptanalysis. In this paper, assuming the average-case k-SUM conjecture, we prove that known algorithms are essentially optimal for k=3,4,5. For k > 5, we prove the optimality of the k-tree algorithm for a limited range of parameters. We also prove similar results for k-XOR, where the sum is replaced with exclusive or. Our results are obtained by a self-reduction that, given an instance of k-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense k-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle's solutions, even though its inputs are highly correlated.

KW - Computational complexity

UR - http://www.scopus.com/inward/record.url?scp=85127111256&partnerID=8YFLogxK

U2 - 10.1109/FOCS52979.2021.00017

DO - 10.1109/FOCS52979.2021.00017

M3 - Conference contribution

AN - SCOPUS:85127111256

T3 - Proceedings - Annual IEEE Symposium on Foundations of Computer Science, FOCS

SP - 80

EP - 91

BT - Proceedings - 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science, FOCS 2021

PB - Institute of Electrical and Electronics Engineers

Y2 - 7 February 2022 through 10 February 2022

ER -