Introduction
• This type of attack applies to both stream ciphers and block ciphers: the cipher is rewritten as a system of multivariate equations.
• Solving the system of equations yields the unknowns.
• In short, an algebraic attack consists of two steps:
  • Set up a system of equations in the key bits and output bits
  • Solve it
Algebraic equations of LFSR with combiner function
• Using the direct algebraic approach, we can derive equations in the key bits k0, k1, …, kn-1 as
Algebraic equations of LFSR with combiner function
• In general, we cannot expect to find an efficient solver for all kinds of systems of equations.
• But the situation changes if the system is over-defined.
• In these cases linearization is used. This method has the advantage of solving an over-defined system of nonlinear equations in polynomial time if enough linearly independent equations are given.
• The principle of the linearization algorithm is:
  • Use an over-defined system of equations
  • Replace each monomial with a new variable
  • Solve as a linear system
Linearization Example
Solve the following system of quadratic equations over GF(7):
x^2 + 4y^2 + z^2 + 5xy + 2xz + 6yz + 5x + 3y + 5z + 1 = 0
3x^2 + 2y^2 + 3z^2 + 4xy + 6xz + 2yz + 6x + 4y + 3z + 2 = 0
2x^2 + 3y^2 + 2z^2 + 5xy + 2yz + 4x + y + z + 4 = 0
6x^2 + 3y^2 + 3z^2 + 5xz + yz + 5y + 2z + 2 = 0
Linearization
A = x^2, B = y^2, C = z^2, D = xy, E = xz, F = yz
A + 4B + C + 5D + 2E + 6F + 5x + 3y + 5z + 1 = 0
3A + 2B + 3C + 4D + 6E + 2F + 6x + 4y + 3z + 2 = 0
2A + 3B + 2C + 5D + 2F + 4x + y + z + 4 = 0
6A + 3B + 3C + 5E + F + 5y + 2z + 2 = 0
Add Extra Equations
• #{variables} >> #{equations}: there are too many solutions to the system of linear equations.
• Add relations between the new variables to reduce the number of solutions. For example:
  • Dz = Ey = Fx [since (xy)z = (xz)y = (yz)x]
  • Ay = Dx, ... [since (x^2)y = (xy)x, ...]
  • DE = AF, ... [since (xy)(xz) = (x^2)(yz), ...]
Relinearization
• Consider each quadratic monomial as a new variable and linearize again.
• In general, with more variables:
  • (ab)(cd) = (ac)(bd) = (ad)(bc)
  • (ab)(cd)(ef) = (ad)(cf)(eb) = …
• This idea was used by: Kipnis and Shamir, Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization, Crypto '99, LNCS 1666, pp. 19-30.
• Relinearization is not as efficient as expected.
XL: EXtended Linearization
• Previous system of quadratic equations:
  l1: x^2 + 4y^2 + z^2 + 5xy + 2xz + 6yz + 5x + 3y + 5z + 1 = 0
  l2: 3x^2 + 2y^2 + 3z^2 + 4xy + 6xz + 2yz + 6x + 4y + 3z + 2 = 0
  l3: 2x^2 + 3y^2 + 2z^2 + 5xy + 2yz + 4x + y + z + 4 = 0
  l4: 6x^2 + 3y^2 + 3z^2 + 5xz + yz + 5y + 2z + 2 = 0
• Try degree D = 3:
  • Multiply each li by x, y, z respectively.
  • Linearize: consider all monomials as variables.
• How many equations now? 4 × 4 = 16
• Number of variables = 20
Matrix of Coefficients
x^2y x^2z xy^2 xyz  xz^2 y^2z yz^2 xy   xz   yz   x^3  x^2  x    y^3  y^2  y    z^3  z^2  z    1
0    0    0    0    0    0    0    5    2    6    0    1    5    0    4    3    0    1    5    1
0    0    0    0    0    0    0    4    6    2    0    3    6    0    2    4    0    3    3    2
0    0    0    0    0    0    0    5    0    2    0    2    4    0    3    1    0    2    1    4
0    0    0    0    0    0    0    0    5    1    0    6    0    0    3    5    0    3    2    2
5    2    4    6    1    0    0    3    5    0    1    5    1    0    0    0    0    0    0    0
1    0    5    2    0    6    1    5    0    5    0    0    0    4    3    1    0    0    0    0
0    1    0    5    2    4    6    0    5    3    0    0    0    0    0    0    1    5    1    0
4    6    2    2    3    0    0    4    3    0    3    6    2    0    0    0    0    0    0    0
3    0    4    6    0    2    3    6    0    3    0    0    0    2    4    2    0    0    0    0
0    3    0    4    6    2    2    0    6    4    0    0    0    0    0    0    3    3    2    0
5    0    3    2    2    0    0    1    1    0    2    4    4    0    0    0    0    0    0    0
2    0    5    0    0    2    2    4    0    1    0    0    0    3    1    4    0    0    0    0
0    2    0    5    0    3    2    0    4    1    0    0    0    0    0    0    2    1    4    0
0    5    3    1    3    0    0    5    2    0    6    0    2    0    0    0    0    0    0    0
6    0    0    5    0    1    3    0    0    2    0    0    0    3    5    2    0    0    0    0
0    6    0    0    5    3    1    0    0    5    0    0    0    0    0    0    3    2    2    0
Gaussian Elimination
x^2y x^2z xy^2 xyz  xz^2 y^2z yz^2 xy   xz   yz   x^3  x^2  x    y^3  y^2  y    z^3  z^2  z    1
5    2    4    6    1    0    0    3    5    0    1    5    1    0    0    0    0    0    0    0
0    1    0    5    4    6    1    3    6    5    4    6    4    4    3    1    0    0    0    0
0    0    3    6    0    3    4    1    2    6    0    5    6    2    5    4    0    0    0    0
0    0    0    1    0    2    3    4    5    3    0    2    1    2    4    2    0    0    0    0
0    0    0    0    5    5    5    4    6    5    3    1    3    3    4    6    1    5    1    0
0    0    0    0    0    5    3    2    4    0    0    1    4    1    2    1    0    2    6    0
0    0    0    0    0    0    6    4    2    0    5    1    5    6    5    6    1    0    0    0
0    0    0    0    0    0    0    5    0    2    0    2    4    0    3    1    0    2    1    4
0    0    0    0    0    0    0    0    5    1    0    6    0    0    3    5    0    3    2    2
0    0    0    0    0    0    0    0    0    2    0    4    0    0    3    0    0    2    4    2
0    0    0    0    0    0    0    0    0    0    6    0    6    3    1    0    4    1    6    1
0    0    0    0    0    0    0    0    0    0    0    2    1    0    0    0    0    4    3    1
0    0    0    0    0    0    0    0    0    0    0    0    3    1    2    4    2    0    1    0
0    0    0    0    0    0    0    0    0    0    0    0    0    1    4    6    0    0    1    5
0    0    0    0    0    0    0    0    0    0    0    0    0    0    6    3    6    1    5    5
0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    5    2    1    6
XL Algorithm
• The last row in the previous matrix represents 5z^3 + 2z^2 + z + 6 = 0. Its solutions in GF(7) are z = 1, z = 2, and z = 5.
• Solve for the remaining variables recursively:
  • Second row from the bottom: 6y^2 + 3y + 6z^3 + z^2 + 5z + 5 = 0
  • Fourth row from the bottom: 3x + y^3 + 2y^2 + 4y + 2z^3 + z = 0
• Use the other equations to eliminate all extraneous solutions.
• This system has a unique solution: x = 1, y = 3, and z = 5.
XL Algorithm
• The complexity of the algorithm mainly depends on the time it takes to row reduce the final matrix. Therefore the number of equations and distinct monomials in the expanded system will determine the complexity.
• The authors of XL claimed that their algorithm solves a randomly generated system of polynomial equations in sub-exponential time when the number of equations slightly exceeds the number of variables. These claims are still impractical but better than the theoretical worst case.
Algebraic Attacks
• If we can set up a true system of lower degree r < d, the complexity becomes smaller.
• So the need is to decrease the degree of the system.
Annihilators of a function
• Let f(x1, x2, x3) = x1x2 + x2x3 + x3
• Let and