Decoding random linear codes is a well-studied problem with many applications in complexity theory and cryptography. The security of almost all coding and LPN/LWE-based schemes relies on the assumption that it is hard to decode random linear codes. Recently, there has been progress in improving the running time of the best decoding algorithms for binary random codes. The ball collision technique of Bernstein, Lange and Peters lowered the complexity of Stern's information set decoding algorithm to 2^{0.0556n}. Using representations this bound was improved to 2^{0.0537n} by May, Meurer and Thomae. We show how to further increase the number of representations and propose a new information set decoding algorithm with running time 2^{0.0494n}.
Decoding random linear codes is a fundamental problem in complexity theory and lies at the heart of almost all code-based cryptography. The best attacks on the most prominent code-based cryptosystems such as McEliece directly use decoding algorithms for linear codes. The asymptotically best decoding algorithm for random linear codes of length n was for a long time Stern's variant of information-set decoding running in time Õ(2^{0.05563n}). Recently, Bernstein, Lange and Peters proposed a new technique called Ball-collision decoding which offers a speed-up over Stern's algorithm by improving the running time to Õ(2^{0.05558n}). In this paper, we present a new algorithm for decoding linear codes that is inspired by a representation technique due to Howgrave-Graham and Joux in the context of subset sum algorithms. Our decoding algorithm offers a rigorous complexity analysis for random linear codes and brings the time complexity down to Õ(2^{0.05363n}).
Abstract. Let pk = (N, e) be an RSA public key with corresponding secret key sk = (p, q, d, d_p, d_q, q_p^{-1}). Assume that we obtain partial error-free information of sk, e.g., assume that we obtain half of the most significant bits of p. Then there are well-known algorithms to recover the full secret key. As opposed to these algorithms that allow for correcting erasures of the key sk, we present for the first time a heuristic probabilistic algorithm that is capable of correcting errors in sk provided that e is small. That is, on input of a full but error-prone secret key we reconstruct the original sk by correcting the faults. More precisely, consider an error rate of δ ∈ [0,), where we flip each bit in sk with probability δ, resulting in an erroneous key. Our Las-Vegas type algorithm recovers sk from the erroneous key in expected time polynomial in log N with success probability close to 1, provided that δ < 0.237. We also obtain a polynomial time Las-Vegas factorization algorithm for recovering the factorization (p, q) from an erroneous version with error rate δ < 0.084.
Abstract. We address the problem of polynomial time factoring RSA moduli N_1 = p_1 q_1 with the help of an oracle. As opposed to other approaches that require an oracle that explicitly outputs bits of p_1, we use an oracle that gives only implicit information about p_1. Namely, our oracle outputs a different N_2 = p_2 q_2 such that p_1 and p_2 share the t least significant bits. Surprisingly, this implicit information is already sufficient to efficiently factor N_1, N_2 provided that t is large enough. We then generalize this approach to more than one oracle query.
We propose a new decoding algorithm for random binary linear codes. The so-called information set decoding algorithm of Prange (1962) achieves worst-case complexity 2^{0.121n}. In the late 80s, Stern proposed a sort-and-match version of Prange's algorithm, on which all variants of the currently best known decoding algorithms are built. The fastest algorithm of Becker, Joux, May and Meurer (2012) achieves running time 2^{0.102n} in the full distance decoding setting and 2^{0.0494n} with half (bounded) distance decoding. In this work we point out that the sort-and-match routine in Stern's algorithm is carried out in a non-optimal way, since the matching is done in a two-step manner to realize an approximate matching up to a small number of error coordinates. Our observation is that such an approximate matching can be done by a variant of the so-called High Dimensional Nearest Neighbor Problem. Namely, out of two lists with entries from F_2^m we have to find a pair with closest Hamming distance. We develop a new algorithm for this problem with sub-quadratic complexity which might be of independent interest in other contexts. Using our algorithm for full distance decoding improves Stern's complexity from 2^{0.117n} to 2^{0.114n}. Since the techniques of Becker et al. apply to our algorithm as well, we eventually obtain the fastest decoding algorithm for binary linear codes with complexity 2^{0.097n}. In the half distance decoding scenario, we obtain a complexity of 2^{0.0473n}.
We present several attacks on RSA that factor the modulus in polynomial time under the condition that a fraction of the most significant bits or least significant bits of the private exponent is available to the attacker. Our new attacks on RSA are the first attacks of this type that work up to full size public or private exponent.