Finding Low Weight Polynomial Multiples Using Lattices

The low weight polynomial multiple problem arises in the context of stream ciphers cryptanalysis and of efficient finite field arithmetic, and is believed to be difficult. It can be formulated as follows: given a polynomial f ∈ F2[X] of degree d, and a bound n, the task is to find a low weight multiple of f of degree at most n. The best algorithm known so far to solve this problem is based on a time memory trade-off and runs in time O(n) using O(n) of memory, where w is the estimated minimal weight. In this paper, we propose a new technique to find low weight multiples using lattice basis reduction. Our algorithm runs in time O(n) and uses O(nd) of memory. This improves the space needed and gives a better theoretical time estimate when w ≥ 12 . Such a situation is plausible when the bound n, which represents the available keystream, is small. We run our experiments using the NTL library on some known polynomials in cryptanalysis and we confirm our analysis.