Improved Algorithms for the Permuted Kernel Problem

In 1989, Adi Shamir published a new asymmetric identification scheme, based on the intractability of the Permuted Kernel Problem (PKP) [3]. In 1992, an algorithm to solve the P K P problem was suggested by J. Georgiades [Z], and also in 1992 T. Baritaud, M. Campana, P. Chauvaud and H. Gilbert [l] have independently found another algorithm for this problem. These algorithms still need huge amount of time and/or memory in order to solve the PKP problem with the values suggested by A. Slianiir. In this paper, we will see that i t is possible to solve the P K P problem using less time that which was needed in (11 and (21, and much less memory than that needed in 111, First we will investigate how the ideas of [l] and [2] can be combined. This will enable us to obtain a little reduction in the time needed. Then, some new ideas will enable us to obtain a considerable reduction in the memory required, and another small reduction in time. Since o u r new algorithms are quicker and inore practical than previous algorithms they confirm the idea stated i n [I] that for strong security requirements, the smallest values ( n = 32, m = 16, p = 251) mentioned in [3] are not recommended. 1 Recall of the algorithms of [l]. In this section, we will briefly recall the attack given i n [l] for the PKP Problem (see [l] for more details). Then in the nest sections, we will study how to improve these algorithms. The PKP problem is the following : Given : a prime nuliiber p , a ??I x n matrix A = ( u , ~ ) , i = 1.. , n7, J = I . . . n, over Z,, a n-vector I/ = (IS), j = I . . . ? I . over Z, a permutation r over (1,. . . , n) such that A * V, = 0, where V , = (V,,j,), j = 1,. . . , n. Find : D.R. Stlnson (Ed.): Advances in Cryptology CRYPT0 '93, LNCS 773, pp. 391-402, 1994. 0 Spnnger-Verlag Berlln Heidelberg 1994