A Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1

Transcription

1 MM Research Preprints, KLMM, AMSS, Academia Sinica Vol. 25, December 2006 A Characteristic Set Method for Equation Solving in F 2 and Applications in Cryptanalysis of Stream Ciphers 1 Xiao-Shan Gao, Fengjuan Chai, and Chunming Yuan Key Laboratory of Mathematics Mechanization Institute of Systems Science, AMSS, Academia Sinica Beijing, , China Abstract. In this paper, we present a characteristic set method to solve polynomial equation systems in the finite field F 2. Due to the special property of F 2, the given characteristic set methods are much more efficient and simpler than the general characteristic set method. We also use our methods to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. Keywords. Characteristic set method, polynomial equation system, finite field F 2, cryptanalysis, stream ciphers. 1. Introduction The characteristic set (CS) method is a tool for studying systems of polynomial or algebraic differential equations [9, 11]. The idea of the method is to reduce equation systems in general form to equation systems in a special triangular form, also called ascending chains. The zero-set of any finitely generated polynomial or algebraic differential polynomial systems of equations may be decomposed into the union of the zero-sets of ascending chains. With this method, solving an equation system can be reduced to solving univariate equations. We can also use the method to determine the dimension, the degree, and the order for a finitely generated polynomial or differential polynomial systems, to solve the radical ideal membership problem, and to prove theorems from elementary and differential geometries. Existing CS methods always consider the zeros of polynomial equations in an algebraically closed field which is an infinite field. No CS methods were proposed to take into the account of the special property of finite fields. In this paper, we extend the CS method to solve equations in the finite field F 2. More precisely, we consider polynomials in the ring R 2 = F 2 [x 1,..., x n ]/(H) where H = {x x 1,..., x 2 n + x n }. A polynomial in R 2 could be treated as a Boolean function. Therefore, solving a system of equations in R 2 can be considered as solving a system of Boolean function equations. Due to the special property of F 2, the proposed CS methods are much more efficient and simpler than the general CS method. Comparing to the general CS method, our CS method in R 2 has the following major improvements. 1) Partially supported by a National Key Basic Research Project of China.

2 Characteristic Set Method in F 2 43 We could decompose the zero set of a polynomial equation system in R 2 as the disjoint union of the zero sets of ascending chains consisting of monic polynomials. As a consequence, we could give an explicit formula for the number of solutions of the equation system. The well-ordering principle is a basic step of the CS method, which can be used to compute a so called characteristic set for a polynomial system. If the CS is nontrivial, it provides at least one solution to the original equation system. We prove that in R 2 the well-ordering principle can be executed in a polynomial number of steps. Equation solving in F 2 has many important applications in the cryptanalysis of ciphers [3, 4, 5], hardware verification [7], and SAT problem solution [6]. It is known that the problem of deciding whether an equation system in R 2 has a solution in F 2 is a NP-complete problem [10]. We use our methods to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. Extensive experiments have been done for equation systems with variables ranging from 40 to 128. The purpose of the experiments are two folds: to compare different variants of our algorithms and to show that our algorithm could provide an effective tool for solving equations over F 2. The rest of this paper is organized as follows. In Section 2, we introduce the notations and give some preliminary results. In Section 3, we present the CS methods. In Section 4, we present a direct algorithm to decompose the zero set of a polynomial system into the zero sets of monic ascending chains. In Section 5, our methods are used to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. In Section 6, conclusions are given. 2. Notations and Preliminary Results Let F 2 be the field consisting of 0 and 1. We will consider the problem of solving a set of algebraic equations over F 2. Let X = {x 1,..., x n } be a set of indeterminants and where R 2 = F 2 [X]/(H) H = {x x 1,..., x 2 n + x n }. (1) Then R 2 is a ring with zero divisors. For instance, x i and x i +1 are zero divisors. An element P in R 2 has the following canonical representation: P = M s + + M 0 (2) where M i is a product of several distinct variables. To obtain such a canonical representation for a P Z[X], we will replace the sign by the + sign, replace an integer coefficients n by n mod 2, and replace x d i by x i. For instance, x 1 x 2 2 x can be represented as x 1 x 2 + x We still call an element in R 2 a polynomial. Let P be a set of polynomials in R 2. We use Zero(P) to denote the common zeros of the polynomials in P in the affine space F n 2, that is, Zero(P) = {(a 1,..., a n ), a i F 2, s.t. P P, P (a 1,..., a n ) = 0}.

3 44 X.S. Gao, F. Chai, and C. Yuan Let D be a polynomial in R 2. We define a quasi variety to be Zero(P/D) = Zero(P) \ Zero(D). Let P be a set of polynomials in F 2 [X]. Denote the zeros of P in an algebraically closed extension of F 2 as Zero(P). We use P to denote the image of P under the natural ring homomorphism: F 2 [X] R 2. Lemma 2.1 Use the notations just introduced. We have Zero(P H) = Zero(P), where H is defined in (1). Proof: Let P P. By the definition, we have P = P + i B i(x 2 i + x i), where B i are some polynomials. Note that any zero in Zero(P) is also a zero of x i (x i + 1). Then the formula to be proved is a direct consequence of the above relation between P and P. From Lemma 2.1, to solve a set of equations over F 2, we need only consider polynomials in R 2. In the rest of this paper, when we say polynomials, we mean an element of R 2 with the canonical representation (2). We will give some preliminary results about the polynomials in R 2. Lemmas 2.2 and 2.3 are known results [5]. We give proofs for them to the selfcontentness of the paper. Lemma 2.2 Let P R 2 and s an integer. Then P s = P. Proof: Since x 2 i = x i, we have x s i = x i. If m is a monomial in R 2, then m s = m. Let P = i m i where m i are monomials. We have P 2 = ( i m i) 2 = i m2 i = i m i = P. By induction on s, it is easy to prove that P s = P. Lemma 2.3 Let I be a polynomial ideal in R 2. (1) I = (x 0 + a 0,..., x n + a n ) if and only if (a 0,..., a n ) is the only solution of I. (2) I = (1) if any only I has no solutions. Proof: If I = (x 0 + a 0,..., x n + a n ), it is easy to see that (a 0,..., a n ) is the only solution of I. Conversely, let (a 0,..., a n ) be the only solution of I. By Lemma 2.1, we have x i + a i = 0 on Zero(I H) in F 2 [X], where H is defined in (1). By Hilbert s Nullstellensatz, there is an integer s such that (x i + a i ) s is in the ideal generated by I H. By Lemma 2.2, (x i + a i ) s = x i + a i I. This prove (1). For (2), if I has no solution, we have Zero(I H) =. By Hilbert s Nullstellensatz, 1 (I H). That is, 1 I. Lemma 2.4 Let U, V, and D be polynomials in R 2. We have Zero(UV ) = Zero(U) Zero(V ). (3) Zero( /D) = Zero(D + 1). (4) Zero(UV + 1) = Zero({U + 1, V + 1}). (5) Zero(UV + U + V ) = Zero({U, V }). (6) Zero(P) = Zero(P {U}) Zero(P {U + 1}). (7)

4 Characteristic Set Method in F 2 45 Proof: Since F 2 is a field, (3) is obviously true. For any element α F n 2, D(α) 0 implies D(α) = 1. This proves (4). For any element α F n 2, U(α)V (α) = 1 implies U(α) = 1 and V (α) = 1. This proves (5). To prove (6), let us note that f = UV + U + V = (V + 1)U + V. Thus if V = 0, f = 0 becomes U = 0. If V = 1, f = 1. This means f = 0 if and only if U = V = 0. This proves (6). Note that U(U + 1) 0. Then (7) is a consequence of (3). 3. A Characteristic Set Method in R 2 The existing CS methods are for infinite fields and do not take into account of the special property of finite fields. In our case, the polynomials are in R 2 and hence are much simpler than the case of characteristic zero. These conditions enable us to give a much simpler and more efficient algorithm to compute the characteristic set than in the case of characteristic zero Triangular Sets Let P R 2. The class of P, denoted by class(p ), is the least c such that x c occurs in P. If P F 2, we set class(p ) = 0. If class(p ) = c, we called x c the leading variable of P, denoted as lvar(p ). The leading coefficient of P as a univariate polynomial in lvar(p ) is called the initial of P, and is denoted as init(p ). If class(p ) = c, P can also be represented uniquely as the following form: P = Ix c + U (8) where I = init(p ) and U is polynomials with class less than c. A polynomial P 1 has higher ordering than a polynomial P 2, denoted as P 2 P 1, if class(p 1 ) > class(p 2 ). If class(p 1 ) = class(p 2 ), they are said to have the same ordering, denoted as P 1 P 2. It is easy to see that is a partial order on the polynomials in R 2. A sequence of nonzero polynomials A : A 1, A 2,..., A r (9) is a triangular set if either r = 1 and A 1 0 or class(a 1 ) < < class(a r ). A trivial triangulated set is a polynomial set consisting of 1. For a triangular A, we denote I A as the product of the initials of the polynomials in A. Let A : A 1, A 2,..., A r and A : A 1, A 2,..., A r be two triangular sets. A is said to be of lower ordering than A, denoted as A A, if either there is some k such that A 1 A 1,..., A k 1 A k 1, while A k A k ; or r > r and A 1 A 1,..., A r A r. We have the following basic property for triangular sets. Lemma 3.1 A sequence of triangular sets steadily lower in ordering is finite. More precisely, let A 1 A 2 A m be a strictly decreasing sequence of triangular sets in R 2. Then m 2 n 1. Proof: Since we only consider the ordering of the triangular sets, we may assume that the triangular sets consists of variables. We call the class of the first polynomial in a triangular set to be the class of that triangular set. The triangular set with the highest ordering is C 1 = x n. The next two triangular sets are C 2 = x n 1, C 3 = x n 1, x n. Following these triangular sets are the triangular sets with x n 2 as the first polynomial: C 4 = x n 2, C 5 = x n 2, x n, C 6 =

5 46 X.S. Gao, F. Chai, and C. Yuan x n 2, x n 1, C 7 = x n 2, x n 1, x n. Let C 1 C ak be the triangular sets with class k. Then the triangular sets with class k 1 are x n k+1, {x n k+1 } C 1,..., {x n k+1 } C ak. As a consequence, we have a k 1 = 2a k + 1 and a 1 = 2a = 2 2 a = a 3 a = 2 n = 2 n 1. Let A 1 A 2 A m be a strictly decreasing sequence of triangular sets and B i the triangular set obtained from A i by replacing a polynomial in A i by its leading variable. Then B 1 B 2 B m is also a strictly decreasing sequence of triangular sets. This sequence must be a sub-sequence of C 1 C 2 n 1. Hence, m 2 n 1. Let P be given in (8) with c > 0. For another polynomial Q, write Q as a polynomial in x c : Q = I 1 x c + U 1. Then the pseudo-remainder of Q wrt P is defined as prem(q, P ) = IQ + I 1 P = IU 1 + I 1 U. If P = 1, define prem(q, P ) = 0. For a triangular set A defined in (9), the pseudo-remainder of Q wrt A is defined recursively as prem(q, A) = prem(prem(q, A r ), A 1,..., A r 1 ) and prem(q, ) = Q. Let R = prem(q, A). By Lemma 2.2, we have I A G = i Q i A i + R (10) for some polynomials Q i. The above formula is called the remainder formula. A polynomial Q is reduced wrt P 0 if class(p ) = c > 0 and x c does not occur in Q. A polynomial Q is reduced wrt a triangular set A if P is reduced wrt to all the polynomials in A. It is clear that the pseudo-remainder of any polynomial wrt A is reduced wrt A. A triangulated set A is called monic if the initial of each polynomial in A is 1. A monic triangular set can be written as the following form: A 1 = x k1 + U 1 (U) A = (11) A p = x kp + U p (U) where U = {x i i k j } is called the parameter set of A. Let q = U. It is clear that p+q = n. The dimension of A is defined to be dim(a) = q = n A. We have Lemma 3.2 Let A be a monic triangular set. Then Zero(A) = 2 dim(a). Proof: The dimension of A is the number of parameters of A, that is, dim(a) = U. For any x i U, we assign x i values 0 and 1. Then, there are 2 dim(a) parametric values for U. For each of these parametric value, A = 0 has exactly one solution since A is monic. This proves the lemma. A triangular set is called conflict if prem(i A, A) = 0. Lemma 3.3 Let A be a non-conflict triangular set. Then Zero(A/I A ).

6 Characteristic Set Method in F 2 47 Proof: If I A = 1, A is a monic triangular set. By Lemma 3.2, Zero(A/I A ) = Zero(A). Otherwise, let A = A 1,..., A p and A i = I i x ni + U i. Denote B i = x ni + U i. By (10), I = prem(i A, A) = I 2 A + i Q ia i = I A + i Q ia i = I A + i R ib i + i R i(i i + 1) 0. Represent I as the standard form (8): I = I 0 x s + V. By (4) and (5), Zero(A/I A ) = Zero({A 1,..., A p, I A + 1}) = Zero({A 1,..., A p, I 1 + 1,..., I p + 1}) = Zero({B 1,..., B p, I 1 + 1,..., I p + 1}) = Zero({B 1,..., B p, I A + 1}) = Zero({B 1,..., B p, I + 1}) = Zero({B 1,..., B p, I 0 x s + V + 1}/I 0 ) Zero({B 1,..., B p, I 0, V + 1}). Since I is reduced wrt A, x s is not a leading variable of any A i. Then I 0 x s + V + 1, B 1,..., B p is also a triangular set. Note that I 0 is reduced wrt A. Repeat the above procedure for Zero({I 0 x s + V + 1, B 1,..., B p }/I 0 ), we will obtain a monic triangular set D such that Zero(D) Zero(A/I A ). By Lemma 3.2, we have Zero(A) Zero(D) Well-Ordering Principles A triangular set A in (9) is called an ascending chain, or simply a chain, if A j is reduced wrt A i for i < j. A basic set of a polynomial set P is any chain of lowest ordering contained in P. It is evident that any two basic sets of a polynomial set are of the same ordering. We have the following basic property for the basic set[9, 11]. Lemma 3.4 Let A be a basic set of a polynomial set P. If P is reduced wrt A, then the basic set of P {P } is of lower ordering than that of P. Let P be a polynomial set. We set P 0 = P and choose a basic set B 0 of P 0. Let R 0 be the nonzero remainders of polynomials in P 0 \ B 0 wrt B 0. Suppose that R 0. Then we form a new polynomial set P 1 = P B 0 R 0. Choose now an arbitrary basic set B 1 of P 1. By Lemma 3.4, B 1 is of lower ordering than B 0. Continuing in this way, we will obtain successively P i, B i, R i, i = 1, 2,..., for which B 0 B 1 B 2. By Lemma 3.1, the sequence can only be a finite one so that up to a certain stage m we should have R m =. The above procedure can be exhibited in the form of the scheme (12) below: P = P 0 P 1 P i P m B 0 B 1 B i B m = C (12) R 0 R 1 R i R m = where P i = P i 1 R i 1 (13) B i is a basic set of P i, and R i is the set of nonzero remainders of the polynomials in P i wrt B i.

7 48 X.S. Gao, F. Chai, and C. Yuan In scheme (12), the corresponding basic set B m = C verifies prem(p, C) = {0} and Zero(P) Zero(C). (14) Any chain C obtained from a polynomial set P by means of some procedures in accordance to the scheme (12) is called a characteristic set (CS) of P. More generally, any chain C verifying the property (14) is called a CS of the P. As a consequence of the remainder formula (10), we have the following key properties of the CS. Theorem 3.5 (Well-ordering principle) Let C be a CS of a polynomial set P. Then we have Zero(P) = Zero(C/I C ) p i=1 Zero(P C {I i}) (15) = Zero(C {I 1 + 1,..., I p + 1}) p i=1 Zero(P C {I i}) (16) = Zero(C {I 1 + 1,..., I p + 1}) p i=1 Zero(P C {I 1 + 1,..., I i 1 + 1, I i }) (17) where I i, i = 1,..., p are the initials of the polynomials in C. When i < 0, I i is assumed not occurring in the formula. This result is significant because it represents the zero set for a general polynomial set as the zero set of an ascending chain. By Lemma 3.3, if the CS is non-conflict, then Zero(P). In procedure (12), the size of P i could increase very fast. We may adopt the following way to compute P i and Theorem 3.5 is still valid. P i = P B i 1 R i 1 (18) A more drastic way to reduce the size of P i is give below. In [13], Wu proposed that instead of (18), we use the the following way to compute P i P i = B i 1 + R i 1. (19) Then P i is always less than or equal to P. In the case of characteristic zero, Wu proved the following theorem. Theorem 3.6 ([13]) Let C be a CS of a polynomials et P using scheme (12) and (19). Then Zero(P) = Zero(C/K m ) m k=0 Zero(P {J k}/k k 1 ). where J i is the product of initials of polynomials in B i, and K i = i j=0 J i. In R 2, the above theorem may fail because some of the J i or K j may become zero. This problem could be solved by modifying the formula as the following form.

8 Characteristic Set Method in F 2 49 Theorem 3.7 (Modified well-ordering principle) Let C be a chain computed from a polynomial set P with procedures (12) and (19), I j, j = 1,..., s the initials of the polynomials in B m,..., B 0 (note that the initials of polynomials in A m appear first in the sequence), and K m the product for all the I j. Then, we have Zero(P) = Zero(C/K m ) s i=1zero(p C {I 1 + 1,..., I i 1 + 1, I i }) (20) = Zero(C {I 1 + 1,..., I s + 1}) s i=1zero(p C {I 1 + 1,..., I i 1 + 1, I i }) (21) When i < 0, I i will not appear in the formula Zero Decomposition Theorems in R 2 We can now give the zero decomposition theorems. Theorem 3.8 (Zero Decomposition Theorem) There is an algorithm which permits to determine for a given polynomial set P in a finite number of steps non-conflict chains A j, j = 1,..., s such that Zero(P) = s j=1zero(a j /I Aj ). Proof: By Theorem 3.5, we obtain (15). If C is conflict, we have Zero(C/I C ) =. Otherwise, let A 1 = C. Since I i is reduced wrt C and C is a basic set of P C, by Lemma 3.4, the basic set of P = P C {I i } is of lower ordering than that of C. Repeat the well-ordering principle for P, we obtain a CS A 2 which has lower ordering than A 1. By Lemma 3.1, the procedure will terminate and gives the zero decomposition. In R 2, we may give the following simpler form of zero decomposition theorem. Theorem 3.9 (Monic Zero Decomposition Theorem) There is an algorithm which permits to determine for a given polynomial set P in a finite number of steps moninc chains A j, j = 1,..., t such that Zero(P) = t j=1zero(a j ). Proof: By Theorem 3.5, we have (16). One may repeat the procedure (12) for each C {I 1 1,..., I p 1} and P C {I i }. Since I i is reduced wrt C, according to Lemma 3.4, the new chains obtained in this way will be of lower ordering than that of C. By Lemma 3.1, the procedure will end in a finite number of steps. Note that we could also use (21) to obtain the decomposition. In (21), since the initials of C are always in the sets {I 1 + 1,..., I s + 1} and {I 1 + 1,..., I i 1 + 1, I i }, there exists a polynomial P in P = C {I 1 + 1,..., I s + 1} or P = P C {I 1 + 1,..., I i 1 + 1, I i } which is reduced wrt C. By Lemma 3.4, a basic set of P or P must be of lower ordering than that of C. Hence, when repeating the procedure (12) for P and P, the process will terminate in a finite number of steps. Example 3.10 Let P = x 1 x 2 x 3 1. By Theorem 3.8, we have Zero(P ) = Zero(P/x 1 x 2 ). By Theorem 3.9, or (16), Zero(P ) = Zero(x 1 + 1, x 2 + 1, P ) Zero(x 1, P ) Zero(x 2, P ) = Zero(x 1 +1, x 2 +1, x 3 +1). Of course, we can use Lemma 2.4 (4) to obtain the result directly. The following theorem gives a refined zero decomposition theorem which allows to compute the number of solutions for a finite set of polynomials.

9 50 X.S. Gao, F. Chai, and C. Yuan Theorem 3.11 (Disjoint Zero Decomposition Theorem) For a finite polynomial set P, we can find moninc chains A j, j = 1,..., s such that Zero(P) = s i=1zero(a i ) and Zero(A i ) Zero(A j ) = for i j. As a consequence, we have Zero(P) = s 2 dim(ai). i=1 Proof: The proof is similar to that of Theorem 3.9. We just need to use (17) instead of (16). Since the components are disjoint, by Lemma 3.2, the number of solutions are s i=1 2dim(Ai). Similar to Theorem 3.8, we could also use (21) to obtain the decomposition. Example 3.12 Let P = {x 1 x 2 +x 2 +x 1 +1}. Then By Theorem 3.11, Zero(P) = Zero(A 1 ) Zero(A 2 ), where A 1 = x 1, x 2 + 1; A 2 = x Then, Zero(P) = = Complexity Analysis of the Modified Well-ordering Principle We will show that the key step of the zero decomposition, the modified well-ordering principle, can be done in a polynomial number of steps and with a polynomial number of polynomial multiplications. This result shows that the CS method could be a potentially fast and feasible method for solving polynomial equations in F 2. For two polynomials in R 2, we call their multiplicity is a meta-operator. We will estimate the number of meta-operators needed in the modified well-ordering principle (Theorem 3.7). Note that to do a pseudo-remainder needs two polynomial multiplications. We repeat the modified well-ordering principle here. P = P 0 P 1 P i P m B 0 B 1 B i B m = C R 0 R 1 R i R m = where P i = B i 1 R i 1, B i is a basic set of P i, and R i is the set of nonzero remainders of the polynomials in P i wrt B i. The following lemma gives a bound for the length of procedure (22). Lemma 3.13 Let B 0 B 1 B m be the sequence of chains in procedure (22). Then m n. Proof: We denote by X (i) the set of the leading variables of polynomials occurring in B 0,..., B i. We will prove that X (0) < X (1) < < X (m 1) = X (m). Since there are at most n leading variables, the above formula implies that m n. Essentially, we need to prove that if X (i) = X (i+1) then R i+1 = and the procedure will end. First let us note that P i+1 = B i R i, and for x k X (i) there exists at most one polynomial in P i+1 with x k as the leading variable. If X (i) = X (i+1), we will show that the leading variables of (22)

10 Characteristic Set Method in F 2 51 the polynomials in R i are in X (i 1). Otherwise, let P be a polynomial with leading variable x i0 which is the one with the smallest order and not in X (i 1). We consider two cases: (1) x i0 x for x X (i). Then P is a polynomial in P S i+1 with smallest order and should be in the basic set B i+1, which contradicts to the fact X (i) = X (i+1). (2) B i = B 1,..., B s and x i0 B t B t 1 B 1. Take t to be the largest to satisfy the above condition. Since P i+1 = B i R i, when select a basic set for Pi + 1, B 1,..., B t could be first selected. Since P R i, it must be reduced wrt B i. Hence, the next polynomial to be selected is P and P will be in the basic set of P i+1, which again contradicts to X (i) = X (i+1). We have proved that if X (i) = X (i+1) then the leading variables of the polynomials in R i are in X (i 1). As mentioned before, for each x k X (i 1), there is at most one polynomial in P i involving x k. So R i is a chain. For the same reason, B i R i is also a chain which should be B i+1. Hence R i+1 = and we proved the result. Theorem 3.14 Let l = P. The modified well-ordering principle, or procedure (22), will stop for at most n iterations and needs O(n 2 l) polynomial multiplications. Proof: By Lemma 3.13, in procedure (22), m n. That is, the procedure will stop at most n + 1 iterations. To compute R i, since P i l, we need to do at most 2 R i B i 2nl multiplications. So the total number of multiplications is at most m (n + 1)l = 2n(n + 1)l Implementation of the Algorithms We implemented the zero decomposition algorithms reported in this paper with the C language. A triangular set A defined in (9) is said to be a Wu chain if init(a i ) is reduced wrt A i 1. A is called a weak chain if prem(init(a i ), A i 1 ) 0. Wu chain is defined in [12]. Weak chain is defined in [2]. Similar to [12] and [2], we can develop the zero decomposition theorems for these types of chains. The purpose of using these chains is to reduce the size of the polynomials that might occur in the algorithm. We have three ways to generate new polynomial sets in the well-ordering principle: (13), (18), and (19) and three types of chains. Therefore, we have nine types of combinations to do zero decomposition. We will compare these approaches in Section A Direct Algorithm for Monic Zero Decomposition In the preceding section, the zero decomposition for a polynomial set P repeatedly uses the well-ordering principle to P and to the enlarged set of polynomials obtained by adding the initials of the CS to P to obtain their CSs. In this section, we will give a more direct algorithm to obtain a monic zero decomposition. The algorithm is given as Algorithm DMZDA. Theorem 4.1 Algorithm DMZDA is correct and to obtain each chain of P, we need O(nl) polynomial arithmetic operations where l = P. Proof. We consider a set Q of polynomials. Q 1 Q is the set of polynomials with the highest class and Q Q 1 a polynomial whose initial is of the lowest ordering. Let c = class(q) and

11 52 X.S. Gao, F. Chai, and C. Yuan Algorithm 1 DMZDA(P) Input: A finite set of polynomials P. Output: A sequence of monic chains A i such that Zero(P) = i Zero(A i ). Set P = {P}, A =. While P do Choose a Q from P. Set A =. While Q do Let Q 1 Q be the polynomials with the highest class. Let Q Q 1 be a polynomial whose initial is of the lowest ordering. If Q = 1, Zero(QS) =. Set A = and skip this loop for Q. Let Q = Ix c + U such that class(q) = c, init(q) = I. If I = 1, do A = A {Q}. Q := (Q \ Q 1 ) {prem(p, Q) 0 P Q 1 }. Else, do Let Q 1 = x c + U, Q 2 = Q 1 \ {Q}. A = A {Q 1 }. Q := (Q \ Q 1 ) {I + 1} {prem(p, Q 1 ) 0 P Q 2 }. P 1 = (Q \ {Q}) {I, U}. P := P {P 1 }. If A =, do Set A := A {A}. Return A I = init(q). If I = 1, then for P = I 1 x c + U 1 Q 1 we have P 1 = prem(p, Q) = P + I 1 Q. As a consequence, Zero({Q, P }) = Zero({Q, P 1 }). Therefore, we have Zero(Q) = Zero((Q \ Q 1 ) {Q} {prem(p, Q) 0 P Q 1 }). If I 1 and Q = Ix c + U, by (4), we can split the zero set of Q as two parts: Zero(Q) = Zero(Q {I + 1}) Zero(Q {I}) = Zero((Q \ {Q}) {Q 1 }) Zero((Q \ {Q}) {I, U}). The first part can be treated similarly to the case of I = 1 and the second case will be treated recursively with algorithm DMZDA. This proves that if A i, i = 1,..., s are the output of the algorithm, then Zero(P) = i Zero(A i ). The termination of the algorithm can be proved in two steps. First, we will show the termination for the inner loop, that is, for each finite polynomial set Q, the algorithm will construct a chain. After each iteration of the loop, the polynomial Q will be added to A and the highest class of the polynomials in Q will be reduced. Hence, this loop will end and give a chain A. Second, we need to show the termination for the outer loop. For a polynomial set

12 Characteristic Set Method in F 2 53 P, we assign an index (c n,..., c 1 ) where c i is the number of polynomials in P and with class i. In the algorithm, there are essentially two cases where new polynomial sets are generated. In the first case, we replace Q with Q = (Q \ Q 1 ) {Q} {prem(p, Q) 0 P Q 1 }. In the second case, we add Q = (Q \ {Q}) {I, U} to P, where Q = Ix c + U. It is clear that the index of Q if less than the index of Q in the lexicographical ordering in both cases. It is easy to show that a strictly decreasing sequence of indexes must be finite. This proves the termination of the algorithm. Finally, we will analyze the complexity of the inner loop of the algorithm, that is, the complexity to obtain a chain from Q. After each iteration, the highest class of the polynomials in Q will be reduced at least by one. Then, this loop will execute at most n times. In each iteration, we need to select the polynomials with the highest class and the polynomials with lowest initials. These operations need O(n) comparison of integers. Let l = Q. If I = 1, then the new Q contains at most l 1 polynomials. If I 1, the new Q contains at most l polynomials. Then, after each iteration, the new Q contains at most l polynomials. In each iteration, we also need to compute at most l 1 pseudo-remainders. Since each pseudo-remainder takes at most three polynomial arithmetic operations, we need to do 3l polynomial arithmetic operations in each iteration. In all, the algorithm needs O(nl) polynomial arithmetic operations and O(n 2 ) comparison of integers. 5. Cryptanalysis of Stream Ciphers with the CS Method 5.1. Nonlinear Filter Generators Stream ciphers are an important class of encryption algorithms [8]. In this paper we consider stream ciphers based on the linear feedback shift register (LFSR). An LFSR of length L can be simply considered to be L numbers (c 1, c 2,..., c L ) from F 2 such that c L 0. For an initial state S 0 = (s 0, s 1,..., s L 1 ) F L 2, we can use the given LFSR to produce an infinite sequence satisfying s i = c 1 s i 1 + c 2 s i 2 + c L s i L, i = L, L + 1,. (23) A key property of an LFSR is that if the related feedback polynomial P (x) = c L x L + c L 1 x L c 1 X 1 is primitive, then the sequence (23) has period 2 L 1. Let m 0, m 1,... be the plaintext digits. We may use the sequence (23) as keystrems to generate the ciphertext digits: c i = m i s i, i = 0, 1,... where is the XOR function. Decryption is defined by m i = c i s i. For a given sequence s j of sufficient length, the Berlekamp-Massey algorithm may be used to recover the c i in polynomial time [8]. Then, to use s j as key-streams is not secure. An often used technique to enhance the security of an LFSR is to add a nonlinear filter to the LFSR. Let f(x 1,..., x m ) be a polynomial in R 2 with m variables. We assume that m L. Then we can use f and the sequence (23) to generate a new sequence as follows z i = f(s i m,..., s i 1 ), i = m, m + 1,. (24)

13 54 X.S. Gao, F. Chai, and C. Yuan L= chain time(s) #sols wuchain time(s) (13) #sols wchain time(s) * #sols chain time(s) x #sols x wuchain time(s) (18) #sols wchain time(s) #sols chain time(s) * #sols wuchain time(s) * (19) #sols wchain time(s) #sols Table 1. Cryptanalysis of Nonlinear Filter Generator based on Ganfil 6. A combination of an LFSR and a nonlinear polynomial f is called a nonlinear filter generator. The sequence (24) could be used as the key-streams. Since the sequence (23) has a period 2 L 1, the sequence (24) also has a period less than or equal to 2 L Algebraic Attack of Nonlinear Filter Generators with CS Method An algebraic attack of the nonlinear filter generator is to recover the initial state of the LFSR from a certain number of key-streams from (24). Equivalently, we need to solve the following equations for S 0 = (s 0, s 1,..., s L 1 ) with the c i, z i, and f given z i = f(s i m,..., s i 1 ), i = m,, m + k (25) where k is a positive integer and s i satisfy (23). Successful attacks on many kinds of stream ciphers were reported using the XL method [3, 4] and the Gröbner basis method [5]. We use the software packages based on the zero decomposition algorithms developed in this paper to solve the equation system (25). The statistic results are given in Tables 1 and 2. In these tables, L is the length of the LFSR. The running time is given in seconds. The parameter #sols is the number of solutions for the corresponding equation system. In Table 1, the parameters chain, wuchain, and wchain mean that we use the chain, the wu chain, and the weak chain in the computation respectively. The parameter in the first column means that we use (13), (18), or (19) in the well-ordering principle respectively. In some cases, the timing is marked with a. This means that the program is stopped after running one hour and the number of solutions found is given. In Table 2, the parameters in the first column gives the filter functions used in the computation.

14 Characteristic Set Method in F 2 55 n time(s) x x x x CanFil1 #sols x x x x #cs x x x x time(s) x x x CanFil2 #sols x x x #cs x x x time(s) x x x x x CanFil3 #sols x x x x x #cs x x x x x time(s) x x x x CanFil4 #sols x x x x #cs x x x x time(s) 26.6 x CanFil5 #sols 8 x #cs 1302 x time(s) CanFil6 #sols #cs time(s) 0.7 x x x 94.6 CanFil7 #sols 2 x 2 5 x x 20 #cs 40 x x x 568 time(s) x x CanFil8 #sols x x 20 #cs x x Table 2. Cryptanalysis of Nonlinear Filter Generators with DMZDA. In the experiments, we always set k = L 1 in (25). For such a system, the number of equations and the number of variables are the same. In our experiments, we use the equations generated with the original filter f. The methods introduced in [3, 4, 5] to generate lower degree equations are not used. The experiments were done on a PC with a 3.19G CPU and 2G memory. The filter functions are from [1, 5]: CanFil 1, x 1 x 2 x 3 + x 1 x 4 + x 2 x 5 + x 3 CanFil 2, x 1 x 2 x 3 + x 1 x 2 x 4 + x 1 x 2 x 5 + x 1 x 4 + x 2 x 5 + x 3 + x 4 + x 5 CanFil 3, x 2 x 3 x 4 x 5 + x 1 x 2 x 3 + x 2 x 4 + x 3 x 5 + x 4 + x 5 CanFil 4, x 1 x 2 x 3 + x 1 x 4 x 5 + x 2 x 3 + x 1 CanFil 5, x 2 x 3 x 4 x 5 + x 2 x 3 + x 1 CanFil 6, x 1 x 2 x 3 x 5 + x 2 x 3 + x 4 CanFil 7, x 1 x 2 x 3 + x 2 x 3 x 4 + x 2 x 3 x 5 + x 1 + x 2 + x 3

15 56 X.S. Gao, F. Chai, and C. Yuan CanFil 8, x 1 x 2 x 3 + x 2 x 3 x 6 + x 1 x 2 + x 3 x 4 + x 5 x 6 + x 4 + x 5 These are preliminary experimental results. Further experiments will be done later. 6. Conclusions In this paper, we present several methods to solve nonlinear equation systems over the finite field F 2 based on the idea of CSs. Due to the special property of F 2, the given CS methods are much more efficient and simpler than the general CS method. In particular, the well-ordering principle can be executed in a polynomial number of steps. We use our methods to solve equations raised from cryptanalysis of stream ciphers based on nonlinear filter generators. Extensive experiments have been done for equation systems with variables ranging from 40 to 128. The purpose of the experiments is two folds: to compare different variants of our algorithms and to show that our algorithm could provide an effective tool for solving equations over F 2. References [1] A. Canteaut and E. Filiol, Ciphertext only Reconstruction of Stream Ciphers Based on Combination Generators, Fast Software Encryption, LNCS 1978, , [2] S.C. Chou and X.S. Gao, Ritt-Wu s Decomposition Algorithm and Geometry Theorem Proving, Proc. of CADE-10, LNAI 449, , Springer, [3] N. Courtois, Higher Order Correlation Attacks, XL Algorithm, and Cryptanalysis of Toyocrypt, ICISC, LNCS 2587, , Springer, [4] N. Courtois, Algebraic Attacks on Stream Ciphers with Linear Feedback, EUROCRPYT 2003, LNCS 2656, , Springer, [5] J.C. Faugère and G. Ars, An Algebraic Cryptanalysis of Nonlinear Filter Generators Using Gröbner Bases, TR No. 4739, INRIA, [6] S. He and B. Zhang, Solving SAT by Algorithm Transform of Wu s Method, J. Comput. Sci. and Technnol., 14, , [7] W. Mao and J. Wu, Application of Wu s Method to Symbolic Model Checking, , Proc. ISSAC 05, ACM Press, New York, [8] A. Menezes, P. van Ooschot, and S. Vanstone, Hanndbook of Applied Cryptography, CRC Press, [9] J.F. Ritt, Differential Algebra, Amer. Math. Soc. Colloquium, [10] S. Smale, Mathematical Problems for The Next Century, Math. Intelligencer, 20, 7-15, [11] W.T. Wu, Basic Principle of Mechanical Theorem Proving in Geometries, (in Chinese) Science Press, Beijing, 1984; English translation, Springer, Wien, [12] W.T. Wu, On Zeros of Algebraic Equations - An Application of Ritt Principle, Chinese Science Bulletin, 31, 1-5, [13] W.T. Wu, Some Remarks on Characeteristic-Set Formation, MM-Preprints, Vol. 3, 27-29, 1989.