{"title":"Fine-Grained Cryptanalysis: Tight Conditional Bounds for Dense k-SUM and k-XOR","authors":"Itai Dinur, Nathan Keller, Ohad Klein","doi":"10.1145/3653014","DOIUrl":null,"url":null,"abstract":"<p>An average-case variant of the <i>k</i>-SUM conjecture asserts that finding <i>k</i> numbers that sum to 0 in a list of <i>r</i> random numbers, each of the order <i>r<sup>k</sup></i>, cannot be done in much less than <i>r</i><sup>⌈<i>k</i>/2⌉</sup> time. On the other hand, in the <i>dense regime</i> of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner’s <i>k</i>-tree algorithm. Such algorithms for <i>k</i>-SUM in the dense regime have many applications, notably in cryptanalysis. </p><p>In this paper, assuming the average-case <i>k</i>-SUM conjecture, we prove that known algorithms are essentially optimal for <i>k</i> = 3, 4, 5. For <i>k</i> > 5, we prove the optimality of the <i>k</i>-tree algorithm for a limited range of parameters. We also prove similar results for <i>k</i>-XOR, where the sum is replaced with exclusive or. </p><p>Our results are obtained by a self-reduction that, given an instance of <i>k</i>-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense <i>k</i>-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle’s solutions, even though its inputs are highly correlated.</p>","PeriodicalId":50022,"journal":{"name":"Journal of the ACM","volume":"13 26 1","pages":""},"PeriodicalIF":2.3000,"publicationDate":"2024-03-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of the ACM","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1145/3653014","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
引用次数: 0
Abstract
An average-case variant of the k-SUM conjecture asserts that finding k numbers that sum to 0 in a list of r random numbers, each of the order rk, cannot be done in much less than r⌈k/2⌉ time. On the other hand, in the dense regime of parameters, where the list contains more numbers and many solutions exist, the complexity of finding one of them can be significantly improved by Wagner’s k-tree algorithm. Such algorithms for k-SUM in the dense regime have many applications, notably in cryptanalysis.
In this paper, assuming the average-case k-SUM conjecture, we prove that known algorithms are essentially optimal for k = 3, 4, 5. For k > 5, we prove the optimality of the k-tree algorithm for a limited range of parameters. We also prove similar results for k-XOR, where the sum is replaced with exclusive or.
Our results are obtained by a self-reduction that, given an instance of k-SUM which has a few solutions, produces from it many instances in the dense regime. We solve each of these instances using the dense k-SUM oracle, and hope that a solution to a dense instance also solves the original problem. We deal with potentially malicious oracles (that repeatedly output correlated useless solutions) by an obfuscation process that adds noise to the dense instances. Using discrete Fourier analysis, we show that the obfuscation eliminates correlations among the oracle’s solutions, even though its inputs are highly correlated.
k-SUM 猜想的一个平均情况变体断言,在一个由 r 个随机数(每个随机数的阶数为 rk)组成的列表中,找到总和为 0 的 k 个数所需的时间不可能少于 r⌈k/2⌉。另一方面,在参数密集的情况下,即列表包含更多数字且存在许多解时,利用瓦格纳的 k 树算法可以显著提高找到其中一个解的复杂度。这种密集机制下的 k-SUM 算法有很多应用,特别是在密码分析中。在本文中,假设存在平均情况下的 k-SUM 猜想,我们证明已知算法在 k = 3、4、5 时基本上是最优的。对于 k > 5,我们证明了 k 树算法在有限参数范围内的最优性。对于 k-XOR,我们也证明了类似的结果,其中的和用排他或代替。我们的结果是通过自还原法获得的,给定一个有少量解的 k-SUM 实例,就能从中产生许多密集机制中的实例。我们使用密集 k-SUM 算法求解每个实例,并希望密集实例的解也能解决原始问题。我们通过在密集实例中添加噪音的混淆过程来处理潜在的恶意神谕(重复输出相关的无用解)。通过离散傅立叶分析,我们证明了混淆过程可以消除神谕解之间的相关性,即使其输入是高度相关的。
期刊介绍:
The best indicator of the scope of the journal is provided by the areas covered by its Editorial Board. These areas change from time to time, as the field evolves. The following areas are currently covered by a member of the Editorial Board: Algorithms and Combinatorial Optimization; Algorithms and Data Structures; Algorithms, Combinatorial Optimization, and Games; Artificial Intelligence; Complexity Theory; Computational Biology; Computational Geometry; Computer Graphics and Computer Vision; Computer-Aided Verification; Cryptography and Security; Cyber-Physical, Embedded, and Real-Time Systems; Database Systems and Theory; Distributed Computing; Economics and Computation; Information Theory; Logic and Computation; Logic, Algorithms, and Complexity; Machine Learning and Computational Learning Theory; Networking; Parallel Computing and Architecture; Programming Languages; Quantum Computing; Randomized Algorithms and Probabilistic Analysis of Algorithms; Scientific Computing and High Performance Computing; Software Engineering; Web Algorithms and Data Mining