Hi everyone! This is a presentation for PKC 2022. I'm Charlotte Lefevre, this is joint work with Pierre Karpman, and the paper is named "Time-Memory Tradeoffs for Large-Weight Syndrome Decoding in Ternary Codes". I will first start with a few definitions and the motivation of our work. In this work we are always in a ternary setting and consider linear codes, where n denotes the code length and k the dimension. We study a particular instance of the fixed-weight syndrome decoding problem. This problem takes as input a full-rank rectangular matrix H, also called the parity-check matrix, a vector s called the syndrome, and an integer w called the weight. The aim is to solve the linear system He = s under a constraint on the Hamming weight of the solution, namely that it equals w (a toy check of such an instance is sketched just after this part). We restrict ourselves to the case where the parity-check matrix and the syndrome are both assumed to be sampled uniformly at random, and the code rate and weight rate are both fixed. In particular, we are in a setting where there are many solutions to this problem, exponentially many in the code length, yet the search space is comparatively huge, which makes the problem hard.

The main motivation of our work is the Wave signature scheme, introduced by Debris-Alazard et al. in 2018. Its high-level view is quite classical in code-based crypto: the private key is a structured parity-check matrix, and the public key is a random obfuscation of the latter, making it indistinguishable from a random parity-check matrix. The signature of a message then consists of solving a syndrome decoding instance where the parity-check matrix is the public key, the syndrome is the hash of the message, and the relative weight is fixed by the scheme; in particular we are in the high-weight regime. The knowledge of the private key provides a trapdoor that makes the syndrome decoding problem much easier. On the other side, we must ensure that anyone with access only to the public key cannot produce valid signatures; therefore one needs to ensure that the underlying syndrome decoding problem is computationally intractable.

To give a global picture of the state of the art with respect to the syndrome decoding problem: this problem is easy for a certain weight range, in other words a polynomial-time algorithm in the code length was found by Prange. Outside of this interval no polynomial-time algorithm is known, so the problem is believed to be hard; in particular, the weight used in the Wave signature scheme is in the hard zone, but far away from the Gilbert-Varshamov bound.
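To make the problem statement concrete, here is a small toy sketch (my own illustration, not from the talk or the paper) that checks a candidate solution of a ternary fixed-weight syndrome decoding instance; the parameter names follow the definitions above and the tiny sizes are arbitrary.

```python
# Toy illustration (not from the talk): checking a candidate solution of a
# fixed-weight syndrome decoding instance over F_3.
import numpy as np

def is_solution(H, s, e, w, q=3):
    """Return True iff H @ e == s (mod q) and the Hamming weight of e is exactly w."""
    return np.array_equal(H @ e % q, s % q) and np.count_nonzero(e) == w

# Tiny random instance: n = 8, n - k = 4, so H is a 4 x 8 matrix over F_3.
rng = np.random.default_rng(0)
H = rng.integers(0, 3, size=(4, 8))
e = np.array([1, 2, 0, 1, 2, 1, 0, 2])   # candidate of Hamming weight 6
s = H @ e % 3                             # syndrome built from e
print(is_solution(H, s, e, w=6))          # True by construction
```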
Now, to ensure that the syndrome decoding problem in the Wave signature scheme is intractable for an adversary, one needs to know the best possible attacks at this particular weight. This has been studied by Bricout et al. in 2019: they use the PGE+SS framework instantiated with a combination of the k-tree algorithm and the representation technique, and the cost that they derived is given here. However, this cost is both in time and in memory, which makes it unattractive in some applications. That is why we propose in this work to study the time-memory tradeoffs for this problem.

To do this, we start the same way as Bricout et al. and use the PGE+SS framework, which stands for partial Gaussian elimination plus subset sum. This framework has been formalized by them and is a modular description of what most ISD-based algorithms do. Here we won't present the framework in all its generality, since we fix some parameters. The first step of the framework consists of doing a partial Gaussian elimination on some rows of the parity-check matrix, where the number of rows is parameterized by a quantity called l; this is an input to the framework. We then split the syndrome and the candidate solution according to this division. The next step is to solve a smaller problem, which is a sort of syndrome decoding problem where the parity-check matrix is given by H2 and the syndrome by s2; in particular, s2 has l coordinates and the solution e2 has k + l coordinates. We require that e2 is full weight, and one important difference with the syndrome decoding problem is that here we ask for many solutions. The idea is that for every solution e2 of this sub-problem, there exists a unique vector e1 such that the concatenation of both vectors gives a solution to the linear system (a schematic of this decomposition follows after this part). In particular, we solve the syndrome decoding problem if and only if the Hamming weight of the concatenation is w, which translates into a condition on the Hamming weight of e1. The desired number of solutions for step number two is then the inverse of the probability that e1 gets the right Hamming weight.

So this framework allows us to transform the problem into a slightly different one: find many solutions to a smaller sub-syndrome-decoding problem. As pointed out by Bricout et al., this problem reduces in reality to a subset sum problem. Moreover, asking for many solutions opens the way to several optimizations, and in particular we can require that solutions are returned in constant amortized time.

To come back to this l parameter, it is quite important. From now on we denote by S_l the desired number of solutions to the small sub-problem. What is interesting is that when l increases, the size of s2 increases, so the sub-problem becomes harder; but on the other side, the requirement on the Hamming weight of e1 becomes much easier to satisfy, so concretely the desired number of solutions decreases. This is what we see on the first part of this curve, which plots the logarithm of S_l as a function of l. This l parameter will be central in our tradeoffs, since one l parameter plus a fixed algorithm to solve the smaller problem provides one tradeoff, and usually the memory consumption increases along with the l parameter. This particular plot was done by fixing the code length in the Wave regime. Note that l = 0 corresponds to Prange's algorithm, which is memoryless, and Bricout et al. chose the l parameter shown here, for which their algorithm was able to provide the solutions in constant amortized time.
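To recap the decomposition just described, here is a schematic rendering in standard notation (my own transcription of the step above; the block shapes follow the usual presentation of partial Gaussian elimination and are not quoted from the paper):

```latex
% Schematic of the PGE+SS decomposition described above.
\[
  \begin{pmatrix} I_{n-k-l} & H_1 \\ 0 & H_2 \end{pmatrix}
  \begin{pmatrix} e_1 \\ e_2 \end{pmatrix}
  =
  \begin{pmatrix} s_1 \\ s_2 \end{pmatrix},
  \qquad
  \begin{aligned}
    & H_2 e_2 = s_2, \quad e_2 \in \mathbb{F}_3^{\,k+l} \text{ full weight},\\
    & e_1 = s_1 - H_1 e_2 \in \mathbb{F}_3^{\,n-k-l},\\
    & \text{success} \iff \operatorname{wt}(e_1) = w - (k+l).
  \end{aligned}
\]
```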
In our case, we are going to explore the l parameters between these two values.

We will now see how to transform the sub-problem into a list-sum problem. From now on I drop the index-2 notation, so that we now want to solve He = s with e full weight. We are going to use algorithms solving the list-sum problem, also called the generalized birthday problem. This problem takes as input r lists, each containing vectors, and the aim is to find one element in each list such that the sum of all of these elements gives the null vector. The syndrome decoding problem can be transformed into this problem as follows: first we split the parity-check matrix columns evenly into r slices, we do the same for the candidate solution, and the linear system He = s can then be rewritten accordingly. The list Li contains full-weight linear combinations of columns of Hi, except for the last list, which also has the syndrome subtracted (a toy sketch of this construction follows after this part). This is quite a classical approach and was for instance used by Bricout et al. in their work.

Here, even despite the partial Gaussian elimination done within the PGE+SS framework, we are still in a setting where the desired number of solutions is smaller than the total expected number of solutions to the sub-syndrome-decoding problem. Therefore we are not obliged to consider all possible full-weight linear combinations in each list, so we have some freedom on the size of the lists. On the other side, we cannot make the lists as large as we want, because each list contains full-weight linear combinations of (k + l)/r columns of a matrix, and this is exactly what this constraint translates to.

To solve the underlying list-sum problem, we use algorithms which all enumerate smartly a fraction of the solutions. We have some freedom on the number of lists, the size of the syndrome, and to a certain extent the size of the lists. Here are the algorithms that we consider: the dissection and the k-tree algorithm can be seen as improvements of the meet-in-the-middle algorithm, and it is also possible to hybridize them into what we call here the dissection in tree; this is the algorithm that provides our best instances. The algorithms presented here are able to return solutions to the list-sum problem in constant amortized time. With respect to the time cost we could first think that this is optimal; however, sometimes an algorithm returns too many solutions compared to the number of solutions that we want. The amortized-cost regime works only when we require at least a certain number of solutions, and if this is not satisfied, this yields a loss. That is why we introduce the notion of granularity, which will help us to assess whether an algorithm is adapted with respect to this quantity. The granularity is simply the smallest number of solutions that an algorithm can return without changing its amortized cost. Looking ahead, the dissection is a very memory-friendly algorithm, but its granularity is not adapted for many l parameters; concretely, it only gives interesting instances for small l parameters, which correspond to quite extreme tradeoffs. In this work we spent a significant amount of time trying to lower the granularity of some of these algorithms when it is too coarse.
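Going back to the list construction described above, here is a minimal toy sketch of it (my own code, under the assumption that r divides k + l and with the lists built exhaustively; the real algorithms only enumerate a fraction of these combinations and use freely chosen list sizes).

```python
# Toy sketch of the r-list reduction described above: split the columns of H2
# into r slices and fill each list with full-weight linear combinations of the
# columns of its slice; the last list also absorbs the syndrome.
import itertools
import numpy as np

def build_lists(H2, s2, r, q=3):
    k_plus_l = H2.shape[1]
    slice_width = k_plus_l // r                     # assumes r divides k + l
    lists = []
    for i in range(r):
        Hi = H2[:, i * slice_width:(i + 1) * slice_width]
        Li = []
        # Full weight: every coefficient is non-zero, i.e. in {1, 2} over F_3.
        for coeffs in itertools.product([1, 2], repeat=slice_width):
            v = Hi @ np.array(coeffs) % q
            if i == r - 1:                          # last list: subtract the syndrome
                v = (v - s2) % q
            Li.append((tuple(v), coeffs))
        lists.append(Li)
    return lists
```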
Now I am going to present the different algorithms, and we start with the k-tree. The k-tree algorithm was introduced by Wagner in 2002. For simplicity we require that the number of lists is a power of two, 2^a, where a denotes the number of levels. Here is the example of a k-tree with r = 8, so that the number of levels is three. The target is split evenly into three slices, and at each level a meet-in-the-middle step is applied with one slice of the target (a sketch of one such merge follows after this part). In our case the tree is balanced, so that the number of returned solutions after each merging is expected to be equal to the initial list size. We can see that a solution returned by this tree is highly structured, since we require for instance that the first two elements in L1 and L2 sum to zero on l/3 coordinates. By construction, the k-tree therefore decimates the solutions, but this is not a problem in our case, since once again we do not want all of the solutions; it is even an advantage, and better than that, because decimating the solutions gives an algorithm with a fine granularity, and if we want more solutions we can simply iterate this tree using different intermediate targets. For example, here we can take an arbitrary vector t instead of the zero target and replace this zero by minus t.

Given the constraint that we want solutions in constant amortized time, for fixed l and a parameters there exists an optimal choice of list size, in the sense that it minimizes both the granularity and the memory consumption, and both quantities are asymptotically equal to 3^{l/a}. Therefore, for a fixed l, one wants a number of levels as large as possible, but this quantity is limited by the constraint on the list size mentioned earlier; it limits the maximal number of levels that we can use for a given l parameter.

Here are the tradeoffs offered by the k-tree algorithm: on the y-axis is the logarithm of the time cost divided by the code length, and on the x-axis the same for the memory cost. The diamond point is the cost that Bricout et al. found; in particular, they use the smooth k-tree algorithm, which I will mention in a later slide, combined with the representation technique, which I won't present here. Going back to the k-tree graph, one point represents the application of the k-tree with one l parameter, and the values of l increase from left to right. Noteworthy is that this graph is made out of several lines: one line represents the k-tree with one fixed number of levels. Take for example the orange line: it corresponds to six levels, and the rightmost point is the largest l parameter such that we can use the k-tree with six levels. For any larger l parameter this constraint is no longer satisfied, so the number of levels needs to be decreased. Since in our case decreasing the number of levels leads to a larger memory consumption, this explains why we have some gaps in memory consumption when we change the number of levels. In fact, there exists a way to obtain a smooth graph with slightly better tradeoffs: the extended k-tree algorithm presented by Minder and Sinclair and adapted to the ternary setting by Bricout et al. I won't go into the details, but the rough idea is that the merging at the first level is unbalanced and partially dedicated to increasing the list size; concretely, it allows to add one more level than what the constraint on the list size dictated. As we can see on this graph, it provides a smooth curve with better results than the plain k-tree.
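As a toy illustration of one merging level of the k-tree (my own sketch, not the authors' code): two lists are joined so that the pairwise sums vanish, or hit an intermediate target t, on one slice of coordinates; the same routine is applied at every level of the tree with a different slice.

```python
# One merge level of a k-tree: keep pairs whose sum equals t (default 0)
# on the coordinate slice [lo, hi), and return the summed vectors.
from collections import defaultdict
import numpy as np

def merge_on_slice(L1, L2, lo, hi, t=None, q=3):
    t = np.zeros(hi - lo, dtype=int) if t is None else np.asarray(t)
    index = defaultdict(list)
    for x in L1:
        index[tuple(x[lo:hi] % q)].append(x)        # hash L1 by its slice value
    merged = []
    for y in L2:
        need = tuple((t - y[lo:hi]) % q)            # slice value x must have
        for x in index.get(need, []):
            merged.append((x + y) % q)              # sum equals t on [lo, hi)
    return merged
```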
Now I will mention the dissection framework, which we also explored in this work. It was introduced by Dinur et al. in 2012 and is another generalization of the meet-in-the-middle algorithm. I won't present the inner workings of the dissection but rather the key ideas. It is a memory-friendly family of algorithms that was initially designed to be exhaustive, that is, to return all of the possible solutions; it is still possible not to return them all and to adapt the granularity slightly, but the overall granularity remains somewhat coarse. Some tradeoffs are possible with the choice of the initial list size, but only a few choices provide solutions in constant amortized time. Contrary to the k-tree, where the problem is split in a symmetric way, the dissection decomposes the list-sum problem into a small one and a large one: the smaller problem has its solutions stored in memory, while the larger one has its solutions returned on the fly (see the sketch after this part), and this decomposition can be done recursively within the dissection framework.

Now I will present the possible tradeoffs. On this plot, the red points represent the tradeoffs offered by the r-dissection with r smaller than 400; we did not increase r any further, as it would only add more points in this zone of the graph, which corresponds to quite extreme tradeoffs. This graph was drawn using a single l parameter, fixed to 0.04 times n. The gray horizontal line represents the desired number of solutions for this particular l, and the dissection curve does not reach it; this means that it cannot return the desired number of solutions in constant amortized time, and the reason is that the dissection has a granularity which is not adapted here. This is true for a quite large range of l parameters: in general, the dissection matches the desired number of solutions only for very small l values. We therefore tried to lower the granularity of the dissection, which gives the following black dots, but it yields only a very small improvement. One last remark on this graph: after a certain point, there is little interest in increasing the memory further, because it would only give a small gain in the time cost.

Now that this is said, we would like to extract the best tradeoffs by varying the l parameter, and this gives the following plot, where each color represents the dissection plot for one l parameter. To keep only the interesting points we can extract the outline of the curves, obtaining this figure, and we can now compare the dissection tradeoffs to those of the k-tree. The dissection outperforms the k-tree algorithm for small memories; this is meaningful since in this zone the dissection granularity usually matches the desired number of solutions, so we can benefit from the memory-friendliness of the dissection. On the contrary, the k-tree is less memory-efficient, yet its granularity is not limiting up to large l values.

So far we have seen two generalizations of the meet-in-the-middle which are by essence very different. One possibility is then to consider a hybrid version that combines the ideas of both algorithms, which we will call here the dissection in tree. It is an algorithm presented by Dinur in 2019, and the idea is that the lists are merged in a tree structure just like with the k-tree, but instead of applying the meet-in-the-middle on pairs of lists, a dissection is now applied on larger tuples of lists.
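To illustrate the asymmetric idea just mentioned, here is a very rough sketch (my own code, and not the actual recursive dissection): the small side is stored and indexed, the large side is streamed, and matching sums are emitted on the fly, so memory is governed by the small side only.

```python
# Store-small / stream-large join: an illustration of the memory split used
# by the dissection, NOT the full recursive dissection algorithm.
from collections import defaultdict
import numpy as np

def asymmetric_join(small_list, large_iter, target, q=3):
    index = defaultdict(list)
    for x in small_list:                  # memory cost ~ |small_list|
        index[tuple(x % q)].append(x)
    for y in large_iter:                  # time cost ~ number of streamed items
        need = tuple((target - y) % q)    # value x must have so that x + y = target
        for x in index.get(need, []):
            yield (x + y) % q             # solutions returned on the fly
```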
Here is the example of the dissection in tree that gave us our best results: it is a tree with three levels, and each dissection used is the 4-dissection. For the moment we impose that every dissection is exhaustive, we still require that solutions are returned in constant amortized time, and we must not forget the constraint on the initial list size. In fact, I didn't mention this before, but the 4-dissection is the base case in the dissection framework and the only one which is symmetric; in particular, it is just an exhaustive variant of the k-tree. Therefore, if we unfold in this tree what happens within each 4-dissection, we obtain a tree with exactly the same structure as that of a k-tree with six levels. So we might wonder what the difference between these two algorithms is. One of the main differences lies in the merging strategy: the k-tree decimates solutions in a somewhat steady way, while the dissection in tree is locally exhaustive.

On this plot, the round points represent the tradeoffs of the dissection in tree and the square ones those of the k-tree. Additionally, there is a color scale that represents the value of the underlying l parameter used for every point, except for a particular part of the curve that I will mention in a moment. One horizontal line gives two points with the same l value, and in particular the same target size and the same time cost. Now it is clear that the dissection in tree outperforms the k-tree, since it has a smaller memory consumption. One possible explanation is that the 4-dissection returns much less structured solutions, so it can explore a larger quantity of solutions within the lists; on the other side, for amortized-cost reasons, the dissection in tree also returns many more solutions than the k-tree, yet in this case the memory consumption is still better. And because the memory consumption is lower, there are more l values for which we can apply this dissection in tree, since the constraint on the list size limits the memory up to this particular value.

One downside of the dissection in tree is that it has a coarser granularity: with the k-tree the granularity was given by the initial list size, while for the dissection in tree the granularity is the square of the list size (summarized after this part). We can see that granularity problems appear exactly at the tradeoff point where T = M², and from this point on, one iteration of the dissection tree returns too many solutions, so the curve rebounds. The bottleneck was the granularity of the dissection itself, so to solve these granularity problems we consider non-exhaustive dissections, so that the granularity matches exactly the number of desired solutions. By doing so we decimate the solutions quite rapidly, so the memory efficiency decreases; this gives us the extra points in brown, and we see the loss in the slope of the curve in the case of the 4-dissection in tree with three levels. By doing that, we gradually go back to what a classical k-tree does when we increase the memory consumption, but in this case what stops the curve is the constraint on the list size. One natural idea to extend the plot is then to apply the smoothing technique on top of that, which gives us the following green points. Unsurprisingly, the rightmost point corresponds in fact to the smooth k-tree with six levels: at this particular point the 4-dissection is just a 4-tree without any repetition of the tree with intermediate targets.
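To summarize the granularity comparison above in one line (my own condensed restatement of the talk's definitions, with M the list size, g the granularity, and S_l the desired number of solutions):

```latex
\[
  g_{k\text{-tree}} \approx M,
  \qquad
  g_{\text{dissection in tree}} \approx M^{2},
  \qquad
  \text{the amortized-cost regime applies only when } S_l \ge g .
\]
```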
Now let's see a summary of our results. This is a table with the asymptotic costs given by several tradeoffs; the first line corresponds to the cost found by Bricout et al., with time equal to memory. We can see that when the memory consumption relative to the time decreases, it becomes more interesting to consider larger dissections. Noteworthy is that the product memory times time, which can be a helpful tool to compare different tradeoffs, is smaller with all our tradeoffs. We can see all of the results plotted on this graph: it is clear that the dissection in gray and the k-tree in black are outperformed by the dissections in tree. For small memories, what works best globally is the dissection in tree with two levels, while for larger memories we should rather use a 4-dissection in tree with three or four levels.

In this plot the cost computed is asymptotic, and many quantities were not taken into account: for example, the constant factors when doing operations in F_3^n and the polynomial factors in the cost estimates were omitted. So we refined the cost estimate by taking these quantities into account; the idea is to have a sort of intermediate cost between the asymptotic one and a full and accurate modeling of the attack. Here is the plot that we derived using the Wave signature scheme parameters. In particular, a lot of curves disappeared here because these factors made them uninteresting to use; for example, the 4-dissection in tree with four levels always becomes less interesting than the one with three levels.

Now to conclude: in this work we investigated time-memory tradeoffs for the particular instance of the syndrome decoding problem underlying the security of the Wave signature scheme. To do so, we used the PGE+SS framework and instantiated it with the k-tree, the dissection, and the dissection in tree. We spent a significant amount of time trying to decrease the granularity of the building blocks so that it matches the desired number of solutions in our case. This is all for this presentation, I hope that you enjoyed it, and I wish you a nice day.