Algebraic attacks using SAT-solvers (original) (raw)
Related papers
An Improvement of Linearization-Based Algebraic Attacks
Lecture Notes in Computer Science, 2011
In an algebraic attack on a cipher, one expresses the encryption function as a system (usually overdefined) of multivariate polynomial equations in the bits of the plaintext, the ciphertext and the key, and subsequently solves the system for the unknown key bits from the knowledge of one or more plaintext/ciphertext pairs. The standard eXtended Linearization algorithm (XL) expands the initial system of equations by monomial multiplications. The expanded system is treated as a linear system in the monomials. For most block ciphers (like the Advanced Encryption Standard (AES)), the size of the linearized system turns out to be very large, and consequently, the complexity to solve the system often exceeds the complexity of brute-force search. In this paper, we propose a heuristic strategy XL SGE to reduce the number of linearized equations. This reduction is achieved by applying structured Gaussian elimination before each stage of monomial multiplication. Experimentation on small random systems indicates that XL SGE has the potential to improve the performance of the XL algorithm in terms of the size of the final solvable system. This performance gain is exhibited by our heuristic also in the case of a toy version of AES.
Comparative Study of Algebraic Attacks
IARJSET, 2016
Cryptographic schemes have an algebraic structure and can be described as multivariate polynomial equations. Even though algebra is the default tool in the cryptanalysis of asymmetric cryptosystems, there has been recently an increase in interest in the use of algebraic cryptanalysis techniques in the analysis of symmetric cryptosystems. The basic idea behind the algebraic attack is to express the whole cryptosystem as a large system of multivariate polynomial equations, then considers methods for solving the system to recover the key. Solving multivariate polynomial systems is a typical problem studied in Algebraic Geometry and Computational Algebra. Computing Grobner basis is the best well known method to solve this problem. Finding grobner bases is a difficult task which requires lots of computational resources. This paper discusses and explains in depth different algorithms to compute grobner bases using examples. This paper also, compares these algorithms from the point of views of accuracy and efficiency (the required resources: time and effort) to get the accurate results. Finally, the worthiness of these algorithms to be applied to cryptanalysis has been discussed.
Groups – Complexity – Cryptology, 2009
This is the first in a two-part survey of current techniques in algebraic cryptanalysis. After introducing the basic setup of algebraic attacks and discussing several attack scenarios for symmetric cryptosystems, public key cryptosystems, and stream ciphers, we discuss a number of individual methods. The XL, XSL, and MutantXL attacks are based on linearization techniques for multivariate polynomial systems. Then we look at Gröbner basis and border bases methods. In the last section we introduce attacks based on integer programming techniques and try them in some concrete cases.
Extending SAT Solvers to Cryptographic Problems
2009
Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers. To optimize a SAT solver for cryptographic problems, we extended the solver’s input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations. The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 26 times faster than was previously possible.
Improvements of Algebraic Attacks Based on Structured Gaussian Elimination
Algebraic attacks are studied as a potential cryptanalytic procedure for various types of ciphers. The XL SGE algorithm has been recently proposed to improve the complexity of the XL attack. XL SGE uses structured Gaussian elimination (SGE) during the expansion phase of XL. In this paper, we establish that XL SGE suffers from some serious drawbacks that impair the effectiveness of SGE-based reduction at all multiplication stages except the first. In order to avoid this problem, we propose several improvements of XL SGE. Our modifications are based upon partial monomial multiplication and handling of columns of weight two. Our modified algorithms have been experimentally verified to be substantially superior to XL SGE.
On selection of samples in algebraic attacks and a new technique to find hidden low degree equations
International Journal of Information Security, 2015
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reducedround KATAN32, LBlock and SIMON. For each case, we present a practical attack on reduced round version which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using cube attack and ElimLin which was presented at FSE'12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts which break smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore, can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows
Guess-and-Determine Attack and Algebraic Attack
2010
Recently, algebraic attacks on cryptosystems as a method that tries to solve a system of multivariate polynomial equations, has gained a lot of attention. In this approach, we must do two phases, one phase is to find a system of multivariate polynomial equations and second phase is to solve the system of equations. There are many methods for solving a system of multivariate polynomial equations, such as XL and Gröbner basis algorithms, but these algorithms have a high complexity for a system with many numbers of variables and equations. On the other hand, usually the system of equations, obtained from a cryptosystems, has a high total degree. So one way for reducing the complexity of solving such a system by current algorithms is reducing the total degree of the system and one way for reducing the total degree of the system can be guessing some unknowns in the system. As a contribution, we consider the effect of guessing some unknowns within reducing the total degree of the system of multivariate polynomial equations on the complexity of solving the system by XL and Gröbner basis algorithms.
SAT as a programming environment for linear algebra and cryptanalysis
2007
In this paper we present an application of the propositional SATisfiability environment to computing some simple orthogonal matrices and some interesting tasks in the area of cryptanalysis. We show how one can code a search for some kind of desired objects as a propositional formulae in such a way that their satisfying valuations code such objects. Some encouraging (and not very encouraging) experimental results are reported for the proposed propositional search procedures using the currently best SAT solvers.
system
The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have a low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Gröbner-bases techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involve dense, not sparse systems, at least until linearization by XL or a similar algorithm. No polynomial-system-solving algorithm we are aware of, demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if over-defined) can be solved much faster than by exhaustive search if β ≤ 1/100. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.
Reducing hard SAT instances to polynomial ones
2007 IEEE International Conference on Information Reuse and Integration, 2007
This last decade, propositional reasoning and search has been one of the hottest topics of research in the A.I. community, as the Boolean framework has been recognized as a powerful setting for many reasoning paradigms thanks to dramatic improvements of the efficiency of satisfiability checking procedures. SAT, namely checking whether a set of propositional clauses is satisfiable or not, is the technical core of this framework. In the paper, a new linear-time pre-treatment of SAT instances is introduced. Interestingly, it allows us to discover a new polynomial-time fragment of SAT that can be recognized in linear-time, and show that some benchmarks from international SAT competitions that were believed to be difficult ones, are actually polynomialtime and thus easy-to-solve ones.