New Gröbner Bases for formal verification and cryptography

Transcription

1 New Gröbner Bases for formal verification and cryptography Gert-Martin Greuel Diamant/Eidma Symposium November 29th - November 30th November 29th, 2007

2 Introduction Focus of this talk New developements for Gröbner bases Gröbner bases in polynomial rings over general rings Gröbner bases in Boolean rings Implementations and Applications Formal verification of hardware Algebraic attacks on block ciphers

3 Introduction Contributors Michael Brickenstein (PhD student) Stanislav Bulygin (PhD student) Alexander Dreyer (Fraunhofer ITWM) Oliver Wienand (PhD student) Cooperation Joint project with Prof. Kunz, Dept. of Electrical Engineering and Information Technology, University of Kaiserslautern Sponsored by the Deutsche Forschungsgemeinschaft

4 Outline 1 Introduction 2 Formal verification of hardware 3 Standard Bases over Rings 4 Standard Bases over Weak Factorial Rings 5 A Polynomial Framework for Boolean Rings 6 Gröbner Bases on Top of PolyBoRi 7 Cryptography 8 Conclusion

5 Formal verification of hardware Property checking Motivation Limitations in hardware design are imposed by the scope of the designer. Automated tools help to extend the abilities of the designer. Already standard in a later part of the production process. Key Ideas of Property Checking Design the circuit and develop easy properties which the circuit should fulfill. Try to cover all possible behaviors. Use automated tools to prove all properties given the circuit design.

6 Formal verification of hardware Production flow

7 Formal verification of hardware Problem A set of axioms M representing the circuit with variables V. A set of statements P representing the property. Does the circuit M fulfill the property P. Reformulation Assume M is consistent, i.e. there is no contradiction. Example If M P is contradictable, then M implies P. M be a multiplication unit. P the property, that after one cycle the output of M is the multiplication of the inputs of M.

8 Formal verification of hardware Example: Formulation Equations in Z/ 2 n, n {8, 16, 32, 64} number of bits System M M = {b + c d, a d e} Property P P = {b, a c f } M P M P {f e 0} (not closed) f e iff s : s(f e) = 2 n 1 (in Z/ 2 n!)

9 Formal verification of hardware Proving a property with SAT

10 Formal verification of hardware Example: Encoding b+c=d, ad=e Encoding in Z/ 2 = Z 2 (bit level) Display every number trough bits: a = ( a 0 + a a n 1 2 n 1) Rewrite equations in a i, b i, c i, d i, e i, f i. The polynomial for e 5 contains the variables a 0, a 1, a 2, a 3, a 4, a 5, b 0, b 1, b 2, b 3, b 4, b 5. For every equation n (number of bits) equations are created. Add (1 f i + e i ) (= 0 f e) Gather all polynomials in I. Is V Z2 ( I ) =? Encoding in Z/ 2 n = Z 2 n (word level) I = M P {s(e f ) 2 n 1 } V Z2 n ( I ) = M satisfies P.

11 Formal verification of hardware Example for n = 4: p = a b a = a 0 + 2a a a 3 b = b 0 + 2b b b 3 p = p 0 + 2p p p 3 p 3 = a 3 b 0 + a 2 b 1 + a 1 b 2 + a 0 b 3 + a 2 a 1 a 0 b 1 b 0 + a 2 a 1 b 1 b 0 + a 2 a 0 b 2 b 0 + a 1 a 0 b 2 b 1 b 0 + a 1 a 0 b 2 b 1 + a 1 a 0 b 1 b 0 p 2 = a 2 b 0 + a 1 b 1 + a 0 b 2 + a 1 a 0 b 1 b 0 p 1 = a 1 b 0 + a 0 b 1 p 0 = a 0 b 0

12 Formal verification of hardware Solving in Z 2 Let I 0 be the ideal of vanishing polynomials in Z 2 [x], i.e. generated by x 2 i x i for every variable x i. Compute a Gröbner basis of I in the ring Z 2 [x]/i 0. In this ring every ideal is a principal ideal. Moreover, I = 1 V ( I ) = property P holds (since we added the field equations). Solving in Z 2 n Let I 0 be the ideal of vanishing polynomials in Z 2 n[x]. This ideal has more structure than in the field case and even its Gröbner basis can become huge. Compute a Gröbner basis of I in the ring Z 2 n[x]/i 0. There is no theorem similar to the Nullstellensatz.

13 Modeling advantages and disadvantages Utilizing Z 2 Bit-level modeling is always possible disadvantage: Huge number of variables and equations Utilizing Z 2 n Word-level modeling not always possible (more functions than polynomial functions) The ring Z 2 n has zero-divisors advantage: Requires less variables and equations

14 Modeling advantages and disadvantages Functions versus polynomials functions: Z k m Z m Theorem: Gröbner basis for the ideal of vanishing polynomials There exists a Gröbner basis G 0 of I 0 independent of the global ordering and it can be stated explicitly. Polynomial functions Functions, k=1 There are a lot more functions than polynomial functions in the case of Z/ m = Z m, where m is not prime. m = 2 2 F R R[x]/I 0 m = 2 8 F R R[x]/I 0 m = 2 16 F R R[x]/I 0 m = 2 32 F R R[x]/I 0

15 Standard Bases over Rings Assumption: Let R be a noetherian ring with 1. Assume that linear equations are solvable in R (we allow zero-divisors). Then we can compute standard bases and syzygies. Standard bases theory For arbitrary monomials orders there exists a weak normal form algorithm and a variant of Buchberger s algorithm. Hence standard bases are computable for arbitrary orders, given that linear equations are solvable. Note that linear equations are solvable includes the computations of syzygy generators in the coefficient ring.

16 Standard Bases over Rings Monomial order < monomial order (global, local or mixed) LT (f ), LM (f ), LC (f ) leading term, monomial, coefficient L (I ) ideal of the leading terms R[x 1,..., x n ] < = { f g } f R[x], LT (g) R. Definition of Standard Bases I R[x 1,..., x n ] < an ideal. G is a standard basis of I G I, L (G) = L (I ). G is a strong standard basis of I f I \{0} g G : LT (g) LT (f ).

17 Standard Bases over Weak Factorial Rings Let R be a noetherian ring with 1 and R the multiplicative subgroups of its units. Definition A map ν = (ν p ) p P : R (N) P, ν p : C N, P R\R is an element factorization for R, if ν(a) < for all a R and If further for any a, b R n R : a = n p νp(a) = n p ν(a). p P a b ν(a) ν(b), we call R weak factorial w.r.t. (ν, P). Note that we allow zero divisors.

18 Standard Bases over Weak Factorial Rings Problem in rings with zero-divisors: Z 12 : 6 = 3 6 = =... (no finite decomposition into irreducible elements) Element factorization In the case of Z/ m with m = p e 1 1 pen n, we define ν as ν i (a) = min{ν Z p i (a), e i }, with P = {p 1,..., p n } i.e. it is ν 3 (9) = 1 in Z/ = 3 3 but also 9 = 7 3. (nice weak factorial) Example: Noetherian weak factorial principal rings Examples: The ring of integers Z, the quotient rings Z m and for every prime ideal P Z the local ring (Z\P) 1 Z. Also the finite product of such rings is noetherian weak factorial and principal.

19 Standard Bases over Weak Factorial Rings Theorem: Buchberger algorithm over weak factorial principal rings Example There exists an algorithm to compute a weak normal form for any ordering, similar to the classical one. New type of s-poly due to zero divisors as leading coefficients Take leading terms instead of leading monomials Buchberger criterion and syzygy basis theorem are valid (same formulation but with new s-polynomials) 2x + y I Z/ 12 [x, y] = 6y I, (a single polynomial need not be a Gröbner basis) NF (x {2x, 3x}) = 0, but NF (x {2x}) = x and NF (x {3x}) = x

20 Standard Bases over Weak Factorial Rings The 1-factorial case (Z/ p n ) Normal form No solving of linear equations necessary, only divisibility tests. Similar running time as for finite fields. Buchberger algorithm Extra s-polynomials for every polynomial f with p LC (f ). More possibilities for the leading ideal, since coefficients matter. Further chain-like criterium due to new s-polynomials Gröbner bases in the ring of polynomial functions (I 0 added) Possible, but computational difficult due to very large G 0. Even if only the needed elements of G 0 are generated on the fly.

21 Benchmarks: Gröbner bases in Z 2 10[x] #mons. #vars. #polys. maxdeg #polys. #GB Singular Magma s s s s s time out after 1h s s s time out after 1h s s s time out after 1h s s s time out after 1h s s s time out after 1h s time out after 1h s time out after 1h Table: Computation of a Gröbner basis in Z 2 10 with degree reverse lexicographical ordering. Randomly generated examples on an AMD Dual Opteron 2.2 GHz, 16 GB RAM.

22 Standard Bases over Weak Factorial Rings The general case (Z/ m ) Problem In the normal form computation solving of linear equations is necessary. Idea Compute a strong standard basis. How? Generate extra gcd-polynomials, as we generated s-polynomials to compute classic standard bases.

23 Standard Bases over Weak Factorial Rings gcd-polynomials The general case (Z/ m ) Let g, f R[x] with g = c g x g +... and f = c f x f Now compute d g c g + d f c f = gcd (c g, c f ) and add gcd poly(g, f ) = d g g + d f f = gcd (c g, c f ) lcm (x g, x f ) +... to the critical pair set. Benefits No solving of linear equations in every step of the normal form algorithm. Reduce the coefficient growth in infinite rings.

24 A Polynomial Framework for Boolean Rings Boolean Functions and Polynomials B n := {f : Z n 2 > Z 2} is the ring of Boolean functions. R n := the ring of Boolean polynomials, consists of polynomials of the form p = a 1 x ν x ν 1n n a m x ν m xn νmn under the restrictions: a i {0, 1} (coefficients in Z 2 ) ν ij 1 (degree bound due to constraints x 2 i = x i )

25 A Polynomial Framework for Boolean Rings Boolean Rings R n Z 2 [x 1,..., x n ] is given a ring structure via the canonical bijection to the quotient ring Q n := Z 2 [x 1,, x n ]/ x 2 1 x 1,, x 2 n x n. Since Z 2 is a field, B n, R n and Q n can be canonically identified. We call any of them a Boolean ring. Note that they have a quite different representation.

26 Ideals and Varieties over Boolean Rings One to one correspondences Boolean polynomials Boolean functions (interpolation) sets algebraic sets in Z n 2 (indicator functions) algebraic sets Boolean ideals (Boolean ideals are radical) Boolean polynomials ideals containing field polynomials reduced Gröbner bases (Boolean ideals are principal) In the case of Z m none of these correspondences survives.

27 Boolean Polynomials as Sets Set Representation of Boolean polynomials A Boolean monomial can be considered as a subset s of {x 1,, x n } and any Boolean polynomial p as a subset S p of the set of all monomials, such that p = s S p ( x ν s x ν). Example: x y + x + z = {{x, y}, {x}, {z}} Addition in Set Representation Let p = s S p ( x x ) ( ν s ν, q = s S q x x ν s ν) be Boolean polynomials, then addition is given as p + q = s S p+q ( x x ν s ν), for the set S p+q = (S p S q )\(S p S q ).

28 Binary Decision Diagrams A Binary Decision Diagram (BDD) is a rooted tree with terminal nodes {0, 1} decision nodes, two edges per node (corresponding to x i := true or x i := false) A BDD is ordered if the variable order is constant over all paths f = xy + x + z

29 Zero-suppressed Binary Decision Diagrams A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by Merging of equal subgraphs Node elimination rule: remove node, if its then-edge 0 f = xy + x + z

30 Zero-suppressed Binary Decision Diagrams A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by Merging of equal subgraphs Node elimination rule: remove node, if its then-edge 0 f = xy + x + z

31 Zero-suppressed Binary Decision Diagrams A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by Merging of equal subgraphs Node elimination rule: remove node, if its then-edge 0 f = xy + x + z

32 Zero-suppressed Binary Decision Diagrams A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by Merging of equal subgraphs Node elimination rule: remove node, if its then-edge 0 f = xy + x + z

33 Zero-suppressed Binary Decision Diagrams A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by Merging of equal subgraphs Node elimination rule: remove node, if its then-edge 0 f = xy + x + z

34 Boolean Polynomials as ZDDs Use ZDDs to store the term structure represented as sparse sets, not the Boolean function behind! Advantages Compact data structure, suitable for sparse subsets S p of the power set over the variables. Polynomial structure still recognizable Properties Polynomial arithmetic can be done using set operations Valid paths (to 1-terminal) correspond to polynomial terms Natural path sequence is in lexicographical order Ordering-dependent functionality possible for degree and product orderings with reasonable effort (trivial for lex.)

35 C++Library PolyBoRi Internal data structure based on ZDDs High-level data types for Boolean polynomials, monomials, and exponent vectors hide ZDD management from the user Implements polynomial arithmetic and basic functionality Ordering-dependent procedures for leading terms, monomial comparisions, iterating over terms... Singular interface is scheduled Python Interface Parsing of complex polynomial systems, interactive use as command line tool (via ipython) Extensive testsuite for periodic checks during development (mainly satisfiability examples; some from cryptography) Sophisticated and extendable strategies for Gröbner bases

36 Gröbner Bases on Top of PolyBoRi Task: Algorithm and Implementation Design and implement a Gröbner Basis algorithm of an ideal in a Boolean ring generated by Boolean ploynomials. Proposed Method: symmgbf2 ( = slimgb + symmetry) Use slimgb which introduced new concepts into GB calculation Use symmetry, i.e. special structure of ideals in boolean rings Many examples from practice are highly symmetric Cryptography (AES) Electrical engineering (integrated circuits) Invariant theory Avoid multiple computations for similar patterns

37 PolyBoRi Benchmarks - Formal Verification PolyBoRi FGb via Maple Magma Singular Example Vars./Eqs. s MB s MB s MB s MB mult4x mult5x mult6x failed mult8x mult10x Table: Timings and memory usage for benchmark examples. The symbols in time and memory columns mark timeout after 1 hour and out of memory at 15 GB.

38 TITLE Example Vars./Eqs. Order. PolyBoRi Magma uuf lp 8.76 s MB 9.77 s MB dlex 8.98 s MB s MB dp asc 8.14 s MB 8.40 s MB uuf lp s MB s MB dlex s MB s MB dp asc s MB s MB uuf lp s MB dlex s MB dp asc s MB Table: Timings and memory usage for Gröbner basis computations w. r. t. various orderings. The symbols means timeout after 2 days, failed stopped with error message, and dp asc denotes dp with reversed variable order.

39 TITLE Vars./Eqs. PolyBoRi MiniSat hole s MB 0.30 s 2.08 MB hole s MB 2.31 s 2.35 MB hole s MB s 3.24 MB hole s MB s 7.19 MB hole s MB s MB mult4x s MB 0.00 s 1.95 MB mult5x s MB 0.01 s 1.95 MB mult6x s MB 0.03 s 1.95 MB mult8x s MB 0.96 s 2.21 MB mult10x s MB s 3.61 MB Table: Deciding satisfiability with PolyBoRi using Gröbner basis computations in comparison with MiniSat, a state-of-the-art SAT solver.

40 PolyBoRi - Cryptography Cryptography: CTC and AES final goal: attack AES (Advanced Encryption Standard since 2001) originally encodes 128-bit blocks with 128-bit keys (4 by 4 arrays of bytes), 10 rounds: AES test algorithms on easier, but similar ciphers Small Scale Variants of AES-n-r-c-e variable number of rounds (n) (1 10) rows (r), columns (c) in the arrays (1,2, or 4) size of a bit vector e (4 or 8) Courtois Toy Cipher, 2006 similarly designed, but more scalable than AES designed for testing algebraic attacks

41 PolyBoRi - Cryptography Cryptography: Scaled AES description Perform some prescribed sets of operations n times (rounds) Plaintext (known), ciphertext (known), key (unknown), and all intermediate states are vectors of length r c e bits, and are seen as arrays with r rows and c columns. For example, if r = 2, c = 4, e = 8: P 1 P 3 P 5 P 7 P 2 P 4 P 6 P 8 So the vector p = (p 1,..., p 64 ) is seen as array above with entries P 1 = (p 1,..., p 8 ), P 2 = (p 9,..., p 16 ),... Initial AES has n = 10, r = c = 4, e = 8 (there are keys)

42 PolyBoRi - Cryptography Cryptography: Scaled AES description Cyphertext c is created from plaintext p and key k 0 as follows: Initial componentwise key addition: w 0 := p + k 0. w 0 is an array with entries w 0,1,..., w 0,r c. For i = 1,..., rc perform a nonlinear transformation: SBOX (w 0,i ), where w 0,i is seen as an element of GF (2 e ). SBOX (a) is defined as: 1 a b, where { a 1 a 0 b = 0 a = 0 2 b is seen as a vector from GF (2) e, then b c = L SBOX (b), where L SBOX is an affine transformation defined over GF (2) e. Result is an array x 1 with entries x 1,1,..., x 1,r c, where x 1,i = SBOX (w 0,i ).

43 PolyBoRi - Cryptography Cryptography: Scaled AES description The array x 1 is then processed with two linear transformations, namely: 1 ShiftRows: i-th row of the array x 1 is cyclically shifted by (i 1) positions to the right, so an array x 1 is obtained 2 MixColumns: denote the columns of x 1 by α 1,..., α c. They are considered as vectors from GF (2 e ) r. There is a prescribed matrix M using which β i = Mα i, i = 1,..., c are calculated. 3 The result ˆx 1 has β 1,..., β c as its columns.

44 PolyBoRi - Cryptography Cryptography: Scaled AES description In parallel to the above, a similar procedure (called key schedule) is performed to obtain k 1 from the initial key k 0 key addition: w 1 = ˆx 1 + k 1 repeat the whole procedure above (n 1) rounds more. The c = w n is a resulting ciphertext It is possible to write a corresponding polynomial system defined over GF (2). It is possible to rewrite a round in such a way that SBOX transformation only does inversion and a composition of three maps (one affine and two linear) is done next on the whole array.

45 PolyBoRi - Cryptography Cryptography: Structure of equations Structure of equations for AES and CTC is similar System for AES can be seen as iterative blocks of equations, where output variables of one block are input variables for the next block (system S). So blocks only intersect on a frontier. every block has similar structure and equations therein are of two types: quadratic equations correspond to Substitution Box (nonlinear operation) linear equations correspond to the Diffusion Layer

46 PolyBoRi - Cryptography Cryptography: Ideas Schematically: at the beginning we have the system S of the form w 0 = p + k 0, SBOX (x i, w i 1 ) = 0, i = 1,..., n, w i = L(x i ) + k i, i = 1,..., n 1, SBOX K (s i, k i 1 ) = 0, i = 1,..., n, k i = L K (s i ), i = 1,..., n, c = L(x n ) + k n, together with the field equations. Here SBOX, SBOX K are quadratic S-Box transformations for the encryption and the key schedule resp.; L, L K are affine transformations.

47 PolyBoRi - Cryptography Cryptography: Ideas Rewrite equations in the S-Boxes so that every output variable could be expressed via input variables of the S-Box (by a GB computation w.r.t. some block ordering) + It is easier to see how every variable depends on preceding variables - Degree of equations rises from 2 to 3 (for e = 4) or to 7 (for e = 8) Get system S 1 by writing equations in such a way. The major part of this system S 1 is already a Gröbner basis w.r.t to some degree ordering Get system S 2 by doing normal form computation of the remaining equations modulo the major part. S 2 is a system in the initial key variables only

48 PolyBoRi - Cryptography Cryptography: Ideas Rewriting S-Boxes yields the system S 1 : w 0 = p + k 0, x i = sbox(w i 1 ), i = 1,..., n, w i = L(x i ) + k i, i = 1,..., n 1, s i = sbox K (k i 1 ), i = 1,..., n, k i = L K (s i ), i = 1,..., n, c = L(x n ) + k n, which are satisfied with high probability. Here sbox, sbox K are higher degree S-Box transformations for the encryption and the key schedule resp.

49 PolyBoRi - Cryptography Cryptography: Ideas An example on how an S-Box changes for e = 4 follows. A quadratic S-Box from the system S (from ab = 1): x 2 w 3 + x 1 w 3 + x 3 w 2 + x 2 w 2 + x 3 w 1 + x 0 w = 0, x 3 w 3 + x 1 w 3 + x 2 w 2 + x 3 w 1 + x 0 w 1 + x 1 w 0 = 0, x 1 w 3 + x 2 w 2 + x 0 w 2 + x 3 w 1 + x 1 w 1 + x 2 w 0 = 0, x 1 w 3 + x 0 w 3 + x 2 w 2 + x 1 w 2 + x 3 w 1 + x 2 w 1 + x 3 w 0 = 0. A cubic S-Box from the system S 1 (rewrite b = f (a)): x 0 = w 3 w 2 w 1 + w 2 w 1 w 0 + w 2 w 1 + w 2 w 0 + w 3 + w 2 + w 1 + w 0, x 1 = w 3 w 1 w 0 + w 3 w 1 + w 2 w 1 + w 2 w 0 + w 1 w 0 + w 3, x 2 = w 3 w 2 w 0 + w 3 w 0 + w 2 w 0 + w 1 w 0 + w 3 + w 2, x 3 = w 3 w 2 w 1 + w 3 w 2 + w 3 w 1 + w 3 w 0 + w 3 + w 2 + w 1.

50 PolyBoRi - Cryptography Example (S 1 ) var eq PolyBoRi Singular ctc s 49 MB 32 s 69 MB ctc s 52 MB 117 s 154 MB ctc s 69 MB 748 s 379 MB aes pp s 0.25 s aes pp s 50 MB 18 s aes pp s 51 MB 1080 s 694 MB Example (S 1 ) var eq Magma Maple ctc s 64 MB > 1800 s ctc s 335 MB ctc > 3000 s > 570 MB aes pp s 9.25 MB > 1000 s aes pp s 211 MB aes pp s 477 MB > 70 h

51 Cryptography Cryptography: Ideas The method of S 2 system gives an opportunity to use many plaintext/ciphertext pairs, it was not possible if working with the systems S or S 1 We could attack keys of weight up to 4 in the small scale cipher of 3 rounds, dimensions 2 2, e = 4: aes in 250 sec with SINGULAR using 100 pairs Drawback: high degree (r c e) dense equations (every term appears practically with probability 1/2) in the resulting system S 2 composed of only key variables.

52 Cryptography Cryptography: Cutting technique Let f i (x 1,..., x n ) = 0, i = 1,..., m be a polynomial system over GF (2). If a GF (2) n is a solution: f i (a) = 0 i, such that weight(a) := #{i a i 0} = s, then a is also a solution of f i (x 1,..., x n ) = 0, i = 1,..., m. Here f i is obtained from f i by dropping out the monomials of degree > s So, if we are looking for solutions of low weight in a system composed of high degree polynomials, it is sufficient to consider low-degree parts of every polynomial in the system.

53 Cryptography Cryptography: Cutting technique Let supp(a) = {i a i 0} and weight(a) = s. Perform a coordinate change x i x i + 1 for i I supp(a) on the initial system f i (x 1,..., x n ) = 0, i = 1,..., m Let s = s I, then there is a solution a for the system f i (x 1,..., x n ) = 0, i = 1,..., m, where each f i is obtained from f i by dropping out the monomials of degree > s By doing x i x i + 1 for i I again we are able to find the solution a of weight s > s, working with a system composed of polynomials of degree s Thus, by doing coordinate change x i x i + 1 for several i s on the initial system S 1 and working with linear (or quadratic) parts of equations we reduce the problem of finding a key to solving many simple linear (or quadratic) systems instead of one large S 2

54 Cryptography Cryptography: Cutting technique Using this cutting technique even with a naive Python script half of the key space of - aes can be scanned in < 3 min - aes can be scanned in < 30 min - negligible memory consumption Exhaustive search turns out to be a particular case of the above, if we consider only constant terms in the system every time; coordinate change corresponds to a trial key selection. It is faster, than linear or quadratic analogue Further analysis may reveal benefits of the linear (or quadratic) cutting technique

55 Conclusion More problems in mathematics, science and engineering wait for new, perhaps specialized, applications of Gröbner bases We considered real life challenges coming from formal verification (in collaboration with electrical engineers) crypto systems We considered improvements for GB computations over weak factorial rings (new s-polys, new criteria) by special data structures (PolyBoRi) by specialized algorithms (using symmetry) By using this we showed that Gröbner bases are comparable to state-of-the-art SAT solvers in verification can be used to rewrite crypto systems in the key variables only for better algebraic attacks to AES