TY - JOUR AU - Bouillaguet, Charles AU - Delaplace, Claire AU - Fouque, Pierre-Alain PY - 2018/03/01 Y2 - 2024/03/28 TI - Revisiting and Improving Algorithms for the 3XOR Problem JF - IACR Transactions on Symmetric Cryptology JA - ToSC VL - 2018 IS - 1 SE - Articles DO - 10.13154/tosc.v2018.i1.254-276 UR - https://tosc.iacr.org/index.php/ToSC/article/view/851 SP - 254-276 AB - <p>The 3SUM problem is a well-known problem in computer science and many geometric problems have been reduced to it. We study the 3XOR variant which is more cryptologically relevant. In this problem, the attacker is given black-box access to three random functions <em>F</em>,<em>G</em> and <em>H</em> and she has to find three inputs <em>x</em>, <em>y</em> and <em>z</em> such that <em>F</em>(<em>x</em>) ⊕ <em>G</em>(<em>y</em>) ⊕ <em>H</em>(<em>z</em>) = 0. The 3XOR problem is a difficult case of the more-general <em>k</em>-list birthday problem. Wagner’s celebrated <em>k</em>-list birthday algorithm, and the ones inspired by it, work by querying the functions more than strictly necessary from an information-theoretic point of view. This gives some leeway to target a solution of a specific form, at the expense of processing a huge amount of data. However, to handle such a huge amount of data can be very difficult in practice. This is why we first restricted our attention to solving the 3XOR problem for which the total number of queries to <em>F</em>, <em>G</em> and <em>H</em> is minimal. If they are <em>n</em>-bit random functions, it is possible to solve the problem with roughly</p> ER -