How to Sequentialize Independent Parallel Attacks? - Biased Distributions Have a Phase Transition

We assume a scenario where an attacker can mount several independent attacks on a single CPU. Each attack can be run several times in independent ways, and each attack can succeed after a given number of steps with some given and known probability. A natural question is what the optimal strategy is for running the steps of the attacks in sequence. In this paper, we develop a formalism to tackle this problem. When the number of attacks is infinite, we show that there is a magic number of steps $m$ such that the optimal strategy is to run an attack for $m$ steps and then to try again with another attack, until one succeeds. We also study the case of a finite number of attacks. We describe this problem when the attacks are exhaustive key searches, but the result is more general. We apply our result to the learning parity with noise ($\mathsf{LPN}$) problem and to the password search problem. Although the optimal $m$ decreases as the distribution becomes more biased, we observe a phase transition in all cases: the decrease is very abrupt, from the $m$ corresponding to exhaustive search on a single target down to $m=1$, which corresponds to running a single step of the attack on each target. For all practical biased examples, we show that the best strategy is to use $m=1$. For $\mathsf{LPN}$, this means guessing that the noise vector is 0 and solving for the secret by Gaussian elimination. This is actually better than all variants of the Blum-Kalai-Wasserman ($\mathsf{BKW}$) algorithm.
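The following is an added worked example, not code from the paper: it evaluates the "run $m$ steps, then switch to a fresh target" strategy from the abstract and searches for the optimal $m$, so that the phase transition can be seen numerically. The model is constructed here: one attack is described by success probabilities $p_1 \ge p_2 \ge \dots \ge p_N$ (probability that the attack succeeds exactly at step $i$), and with unboundedly many independent targets the expected total cost of strategy $m$ follows from Wald's identity as $E(m) = (S_m + m(1-P_m))/P_m$ with $P_m = \sum_{i \le m} p_i$ and $S_m = \sum_{i \le m} i\,p_i$ (this derivation is the example's own, not quoted from the paper). The $\mathsf{LPN}$ instance is likewise a simplified, constructed model: an attack guesses noise vectors of length `n` in order of decreasing likelihood (increasing Hamming weight for noise rate `tau <= 0.5`), so $m=1$ is exactly "guess the noise vector is 0 and solve by Gaussian elimination"; the names `lpn_noise_distribution`, `expected_costs`, `optimal_m` and the parameters `n`, `tau` are assumptions of this example.

```python
from math import comb


def lpn_noise_distribution(n, tau):
    """Constructed LPN attack model: step i guesses the i-th most likely noise
    vector for n fresh samples. With noise rate tau <= 0.5, vectors of lower
    Hamming weight are more likely, so ordering by weight w gives
    p_1 >= p_2 >= ... >= p_N with N = 2^n and p = tau^w (1-tau)^(n-w)."""
    probs = []
    for w in range(n + 1):
        probs.extend([tau ** w * (1 - tau) ** (n - w)] * comb(n, w))
    return probs


def expected_costs(p):
    """E(m) for every m = 1..N, where E(m) is the expected total number of
    steps of the strategy 'run m steps on a target, then move to a fresh one'.
    Each trial costs step i on success at step i, or m on failure; by Wald's
    identity E(m) = (S_m + m (1 - P_m)) / P_m with running sums P_m, S_m."""
    costs = []
    P = S = 0.0
    for i, pi in enumerate(p, start=1):
        P += pi          # P_i = probability of success within i steps
        S += i * pi      # S_i = contribution of successful trials
        costs.append((S + i * (1 - P)) / P)
    return costs


def expected_cost(p, m):
    """Expected cost of the fixed strategy m (1 <= m <= N)."""
    return expected_costs(p)[m - 1]


def optimal_m(p):
    """The 'magic number' m minimizing E(m); m = N is exhaustive search on a
    single target, m = 1 is one step per target."""
    costs = expected_costs(p)
    return 1 + min(range(len(costs)), key=lambda k: costs[k])


def phase_transition(n, taus):
    """Optimal m for each noise rate, to observe the jump from m = N to m = 1."""
    return {tau: optimal_m(lpn_noise_distribution(n, tau)) for tau in taus}


if __name__ == "__main__":
    n = 8
    for tau in (0.05, 0.1, 0.2, 0.3, 0.4, 0.45, 0.49, 0.5):
        p = lpn_noise_distribution(n, tau)
        costs = expected_costs(p)
        print(f"tau={tau:.2f}  E(1)={costs[0]:8.2f}  "
              f"E(N)={costs[-1]:8.2f}  optimal m={optimal_m(p)}")
```

For the uniform case (`tau = 0.5`) the formula reduces to $E(m) = N - (m-1)/2$, so exhaustive search ($m=N$) is optimal; as soon as the noise is noticeably biased, $E(1) = 1/p_1 = (1-\tau)^{-n}$ drops below $E(N)$ and the optimal $m$ jumps to 1, which is the abrupt transition the abstract describes.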
