Gröbner Bases. Applications in Cryptology

Size: px

Start display at page:

Download "Gröbner Bases. Applications in Cryptology"

Alan Perkins
5 years ago
Views:

1 Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS with partial support of Celar/DGA FSE Luxembourg E cient

2 Goal: how Gröbner bases can be used to break (block) ciphers? 1. Basic Properties of Gröbner Bases E cient

3 Goal: how Gröbner bases can be used to break (block) ciphers? 1. Basic Properties of Gröbner Bases 2. Use the same benchmark during the talk: non-trivial iterated block ciphers from "Block Ciphers Sensitive to Gröbner Basis Attacks", J. Buchmann, A. Pyshkin and R.-P. Weinmann, CT-RSA 2006 E cient

4 Goal: how Gröbner bases can be used to break (block) ciphers? 1. Basic Properties of Gröbner Bases 2. Use the same benchmark during the talk: non-trivial iterated block ciphers from "Block Ciphers Sensitive to Gröbner Basis Attacks", J. Buchmann, A. Pyshkin and R.-P. Weinmann, CT-RSA E cient algorithms for computing Gröbner Bases E cient

5 Goal: how Gröbner bases can be used to break (block) ciphers? 1. Basic Properties of Gröbner Bases 2. Use the same benchmark during the talk: non-trivial iterated block ciphers from "Block Ciphers Sensitive to Gröbner Basis Attacks", J. Buchmann, A. Pyshkin and R.-P. Weinmann, CT-RSA E cient algorithms for computing Gröbner Bases 4. Test di erent algorithms and strategies: Direct, Substitution of some s, several plaintexts/ciphertexts. E cient

6 Properties of Gröbner bases I K a eld, K[x 1,..., x n ] polynomials in n s. 8 < : Linear systems l 1 (x 1,..., x n ) = 0 l m (x 1,..., x n ) = 0 V = Vect K (l 1,..., l m ) Triangular/diagonal basis of V 8 Polynomial equations < f 1 (x 1,..., x n ) = 0 : f m (x 1,..., x n ) = 0 Ideal generated by f i : I = Id(f 1,..., f m ) Gröbner basis of I De nition (Buchberger) < admissible ordering (lexicographical, total degree, DRL) G K[x 1,..., x n ] is a Gröbner basis of an ideal I if E cient 8f 2 I, exists g 2 G such that LT < (g) j LT < (f )

7 Properties of Gröbner bases II Solving algebraic systems: Computing the algebraic variety: K L (for instance L=K the algebraic closure) V L = f(z 1,..., z n ) 2 L n j f i (z 1,..., z n ) = 0, i = 1,..., mg Solutions in nite elds: We compute the Gröbner basis of G F2 of [f 1,..., f m, x1 2 x 1,..., xn 2 x n ], in F 2 [x 1,..., x n ]. It is a description of all the solutions of V F2. E cient

8 Properties of Gröbner bases III Theorem I V F2 = ( no solution) i G F2 = [1]. I V F2 has exactly one solution i G F2 = [x 1 a 1,..., x n a n ] where (a 1,..., a n ) 2 F n 2. Shape position: If m n and the number of solutions is nite ( #V K < ), then in general the shape of a lexicographical Gröbner basis: x 1 > > x n : 8 >< Shape Position >: h n (x n )(= 0) x n 1 h n 1 (x n )(= 0). x 1 h 1 (x n )(= 0) E cient

9 I Flurry(k, t, r, f, D) the parameters used are: I k size of the nite eld K. I t is the size of the message/secret key and m = t 2 the half size. I r the number of rounds. I f a non-linear mapping giving the S-Box of the round function. In practice: f (x) = f p (x) = x p or f (x) = f inv (x) = x k 2. I D a m m matrix describing the linear di usion mapping of the round function (coe cients in K). E cient

10 II We set L = [l 1,..., l m ] 2 K m and R = [r 1,..., r m ] the left/right side of the current state. and K = [k 1,..., k m ] the secret key. We de ne the round function ρ : K m K m K m! K m K m as ρ(l, R, K ) = (R, D. T [f (r 1 + k 1 ),..., f (r m + k m )]) The key schedule. from an initial secret key [K 0, K 1 ] (size t = 2 m) we compute subsequent round keys for 2 i r + 1 as follows: E cient K i = D. T K i 1 + K i 2 + v i, i = 2, 3,..., (r + 1) where v i are round constants.

11 III A plaintext [L 0, R 0 ] (size t) is encrypted into a ciphertext (L r, R r ) by iterating the round function ρ over r rounds: (L i, R i ) = ρ(l i 1, R i 1, K i 1 ) for i = 1, 2,..., (r 1) (L r, R r ) = ρ(l r 1, R r 1, K r 1 ) + (0, K r +1 ) and L i = R i 1. E cient

12 algebraic attack. I Algebraic attack: The encryption process can be described by very simple polynomial equations: introduce s for each round L j = [x 1,j,..., x m,j ], R j = [x m+1,j,..., x t,j ] and K j = [k 1,j,..., k m,j ]! F algebraic set of equations. for plaintex: ~p = L 0 [ R 0 ciphertext: ~c = L r +1 [ R r +1 secret key: ~ k = K0 [ K 1 of size t equations: S ~k (~p,~c) is the corresponding algebraic system In the following: if ~p is explicitly known then we note ~p ; hence we obtain S ~k (~p,~c ) E cient

13 algebraic attack. II Theorem [Buchmann, Pyshkin, Weinmann]. If f (x) = x p, for an appropriate order x i,j, k i,j then S ~k (~p,~c ) is already a Gröbner basis for a total degree ordering. Main problem: we are computing V K and not V K! and many solutions: p m r E cient

14 I : for computing Gröbner bases. I Buchberger (1965,1979,1985) I F 4 using linear algebra (1999) (strategies) I F 5 no reduction to zero (2002) Linear Algebra and Matrices Trivial link: Linear Algebra $ Polynomials De nition: F = (f 1,..., f m ), < ordering. A Matrix representation M F of F is such that T F = M F. T X where X all the terms (sorted for <) occurring in F : E cient M F = m 1 > m 2 > m f 1... f A f 3...

15 II Linear Algebra and Matrices Trivial link: Linear Algebra $ Polynomials If Y is a vector of monomials, M a matrix then its polynomial representation is T [f 1,..., f m ] = M Ṭ Y method bound (for homogeneous polynomials): D = 1 + m i=1 (deg(f i ) 1) E cient

16 III We compute the matrix representation of ftf i, deg(t) D deg(f i ), i = 1,..., mg, < DRL M Mac = m 1 > m 2 > m 3 > > m r 0 1 t 1 f 1... t 1 0 f 1... t 0 2 f 2 B... C t 2 f A t 3 f 3... Let M Mac be the result of Gaussian elimination. Theorem (Lazard 83) If F is regular then the polynomial representation of M Mac is a Gröbner basis. E cient

17 E cient F 4 (1999) linear algebra E cient

18 E cient F 4 (1999) linear algebra Small subset of rows: F 5 (2002) full rank matrix E cient

19 E cient F 4 (1999) linear algebra Small subset of rows: F 5 (2002) full rank matrix F 5 /2 (2002) full rank matrix GF(2) (includes Frobenius h 2 = h) A d = momoms degree d in x 1,..., x n 0 1 monom f i1... monom f A monom f i3... E cient

20 F 5 the idea I We consider the following example: (b parameter): S b 8 < : f 3 = x xy + 19 y xz + 5 yz + 7 z 2 f 2 = 3 x 2 + (7 + b) x y + 22 x z + 11 yz + 22 z y 2 f 1 = 6 x xy + 4 y xz + 9 yz + 7 z 2 With Buchberger x > y > z: I I 5 useless reductions 5 useful pairs E cient

21 F 5 the idea II We proceed degree by degree. A 2 = fa 2 = x 2 x y y 2 x z y z z 2 f f f x 2 x y y 2 x z y z z 2 f f f new polynomials f 4 = xy + 4 yz + 2 xz + 3 y 2 f 5 = y 2 11 xz 3 yz 5 z 2 z 2 and E cient

22 F 5 the idea III f 3 = x xy + 19 y xz + 5 yz + 7 z 2 f 2 = 3 x 2 + 7x y + 22 x z + 11 yz + 22 z y 2 f 1 = 6 x xy + 4 y xz + 9 yz + 7 z 2 f 4 = xy + 4 yz + 2 xz + 3 y 2 z 2 f 5 = y 2 11 xz 3 yz 5 z 2 f 2! f 4 f 1! f 5 E cient

23 Degree 3 I x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f E cient

24 Degree 3 II x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f E cient

25 Degree 3 III A 3 = x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f E cient

26 Degree 3 IV f 2 f 4 f 1 f 5 x 3 x 2 y xy2 y 3 x 2 z z f y f x f z f y f x f z f y f x f E cient

27 Degree 3 V x 3 x 2 y xy2 y 3 x 2 z xyz y2z xz2 yz 2 z 3 z f y f x f z f y f fa 3 = x f z f y f x f We have constructed 3 new polynomials f 6 = y y 2 z + xz yz z 3 f 7 = xz yz z 3 f 8 = yz z 3 E cient We have the linear equivalences: x f 2 $ x f 4 $ f 6 and f 4! f 2

28 Degree 4: reduction to 0! The matrix whose rows are is not full rank! x 2 f i, x yf i, y 2 f i, x zf i, y zf i, z 2 f i, i = 1, 2, 3 E cient

29 Why? 6 3 = 18 rows but only x 4, x 3 y,..., y z 3, z 4 15 columns Simple linear algebra theorem: 3 useless row (which ones?) E cient

30 Trivial relations can be rewritten f 2 f 3 f 3 f 2 = 0 3 x 2 f 3 + (7 + b) xy f y 2 f xz f yz f z 2 f 3 x 2 f 2 18 xy f 2 19 y 2 f 2 8 xz f 2 5 yz f 2 7 z 2 f 2 = 0 We can remove the row x 2 f 2 same way f 1 f 3 f 3 f 1 = 0! remove x 2 f 1 but f 1 f 2 f 2 f 1 = 0! remove x 2 f 1!??? E cient

31 Combining trivial relations 0 = (f 2 f 1 f 1 f 2 ) 3(f 3 f 1 f 1 f 3 ) 0 = (f 2 3f 3 )f 1 f 1 f 2 + 3f 1 f 3 0 = f 4 f 1 f 1 f 2 + 3f 1 f 3 0 = (1 b)xy + 4 yz + 2 xz + 3 y 2 z 2 f 1 (6x 2 + )f 2 + 3(6x 2 + )f 3 I if b 6= 1 remove x y f 1 I if b = 1 remove y z f 1 Need some computation E cient

32 New Criterion Any combination of the trivial relations f i f j = f j f i can always be written: u(f 2 f 1 f 1 f 2 ) + v(f 3 f 1 f 1 f 3 ) + w(f 2 f 3 f 3 f 2 ) where u, v, w are arbitrary polynomials. (u f 2 + v f 3 ) f 1 uf 1 f 2 vf 1 f 3 + wf 2 f 3 wf 3 f 2 (trivial) relation hf 1 + = 0 $ h 2 Id(f 2, f 3 ) Compute a Gröbner basis of (f 2, f 3 )! G prev. E cient Remove line h f 1 i LT(h) top reducible by G prev

33 Degree 4 I y 2 f 1, x zf 1, y zf 1, z 2 f 1, x yf 2, y 2 f 2, x zf 2, y zf 2, z 2 f 2, x 2 f 3, x yf 3, y 2 f 3, x zf 3, y zf 3, z 2 f 3 In order to use previous computations (degree 2 and 3): xf 2! f 6 f 2! f 4 xf 1! f 8 yf 1! f 7 f 1! f 5 yf 7, zf 8, zf 7, z 2 f 5, yf 6, y 2 f 4, zf 6, y zf 4, z 2 f 4, x 2 f 3, x yf 3, y 2 f 3, x zf 3, y zf 3, z 2 f 3, E cient

34 Degree 4 II E cient

35 Degree 4 III Sub matrix: xyz 2 y 2 z 2 xz yz 3 z z 2 f 4 2 z 2 f 5 8 z f 7 3 z f 8 8 y f E cient

36 New algorithm I I I Incremental algorithm (f ) + G old Incremental degree by degree Give a unique name to each row E cient Remove h f 1 + if LT(h) 2 LT(G old ) LT(h) signature/index of the row

37 F 5 matrix Special/Simpler version of F 5 for dense/generic polynomials. the maximal degree D is a parameter of the algorithm. degree d m = 2, deg(f i ) = 2 homogeneous quadratic polynomials, degree d: We may assume that we have already computed: G i,d Gröbner basis [f 1,..., f i ] up do degree d E cient

38 In degree d m 1 m 2 m 3 m 4 m 5 u 1 f 1 1 x x x x u 2 f x x x u 3 f x x v 1 f x v 2 f w 1 f w 2 f with deg(u i ) = deg(v i ) = deg(w i ) = d 2 E cient

39 From degree d to d + 1 I Select a row in degree d: m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f E cient

40 From degree d to d + 1 II m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f if w 1 x1 1 x j j t 1 t 2 t 3 t 4 t 5. w 1 x j f x x x w 1 x j 1 f x x w 1 x n f x. E cient

41 From degree d to d + 1 III m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f if w 1 x1 1 x j j t 1 t 2 t 3 t 4 t 5. w 1x j f x x x w 1 x j 1 f x x w 1 x n f x. Keep w 1 x i f 3 iff w 1 x i LT f 1 f 2 E cient

42 From degree d to d + 1 IV m 1 m 2 m 3 m 4 m x x x v 1 f x v 2 f w 1 f w 2 f if w 1 x1 1 x j j t 1 t 2 t 3 t 4 t 5. w 1 x j f x x x w 1x j 1 f x x w 1 x n f x. Keep w 1 x i f 3 iff w i x i not reducible by LT G 2 d 2 E cient

43 F 5 Full version of F 5 : D the maximal degree is not given. Theorem If F = [f 1,..., f m ] is a (semi) regular sequence then all the matrices are full rank. I I I I Easy to adapt for the special case of F 2 (new trivial syzygy: fi 2 = f i ). Incremental in degree/equations (swap 2 loops) Fast in general (but not always) F 5 matrix: easy to implement, used in applications (HFE). E cient

44 : rst step Magma 2.11 Magma 2.13 FGb Flurry dim(i ) F 4 F 4 F 5 t=2 r=4 x s 0s 0s t,r,x p p r 2 t 0s 0s 0s t=4 r=4 x s 0s 0s t=2 r=10 x s 10.7 s 0.8 s t=2 r=12 x s 9.1 s t=4 r=5 x s 14.3 s 1.2 s t=4 r=6 x s 46.9 s t=6 r=4 x s 12.2s Rand 20, s CPU Time: Gröbner DRL E cient

45 Solving zero-dimensional system When dim(i ) = 0 ( nite number of solutions); in general: I It is easier to compute a Gröbner Basis of I for a total degree (< DRL ) ordering I Triangular structure of Gb valid only for a lex. ordering: 8 >< Shape Position >: h n (x n ) = 0 x n 1 = h n 1 (x n ). x 1 = h 1 (x n ) Dedicated Algorithm: e ciently change the ordering E cient FGLM, Gröbner Walk, LLL,...

46 FGLM Dedicated Algorithm: e ciently change the ordering FGLM = use only linear algebra. Theorem (FGLM) If dim(i ) = 0 and D=deg(I ). Assume that G a Gröbner basis of I is already computed, then G new a Gröbner basis for the same ideal I and a new ordering < new can be computed in O(n D 3 ). E cient

47 Initial System Gröbner Basis DRL order Gröbner Basis Lexico order E cient RUR Factorization Real Roots isolation

48 Solving Magma 2.11 Magma 2.13 FGb Flurry Dim FGLM FGLM FGLM t=2 r=4 x s 6.9s 0.6 s t=2 r=5 x s 0.57s 0.07s t=2 r=6 x s 14.5s 1.5s t=2 r=7 x Out of memory Out of memory 34.2s t=4 r=4 x Out of memory Out of memory 991s t=2 r=10x s 10.7 s 1.1 s t=2 r=12x s 15.1 s t=4 r=5 x s 21.8 s 2.0 s t=4 r=6 x m 35 1 m 21 t=6 r=4 x s 26.8s Untractable systems for large t, r E cient For x 7! x p the complexity is O p 3 2 m r, #K and β 9.

49 Compute a Gröbner basis of I + hx n αi for some α 2 K ( nite eld). Now we have an overdetermined algebraic system and only 1 or 0 solution! DRL + FGLM?! (#K) (CPU overdetermined) E cient

50 Magma 2.13 FGb Flurry dim(i ) F 4 F 5 t=4 r=4 x s 0.21 s t=4 r=6 x s 0.39 s t=6 r=4 x s 0.10 s CPU Time: Gröbner overdetermined to be compared with: Magma 2.13 FGb Flurry Dim FGLM FGLM t=4 r=4 x Out of memory 991s t=4 r=6 x m 35 1 m 21 t=6 r=4 x s 26.8s CPU Time: Gröbner DRL + FGLM E cient

51 FGb FGb Flurry dim(i ) FGLM F 5 t=4 r=4 x s 0.21 s t=4 r=6 x m s t=6 r=4 x s 0.10 s CPU Time: Gröbner overdetermined Hence the second method is more e cient if #K for FGb if #K for Magma the complexity is O (#K) 2 E cient

52 I We choose randomly several plaintexts: ~p 1,...,~p N and we assume that we known the corresponding ciphertex: ~c i We obtain an algebraic system: S N = N[ i=1 S ~k (~p i,~c i ) It is much more di cult to compute the Gröbner basis: N Nb of plain/cipher text CPU 0.43 s 25.8s 16m42s Nb of solutions K = GF (2 7 ), t = 4, f = f inv E cient Same behavior if we x k 1 0 (1 component of the secret key):

53 II N Nb of plain/cipher text CPU 0.01s 0.09s 2.3s 99.5sc Nb of solutions K = GF (2 7 ), t = 4, f = f inv, substitution of 1 E cient

54 Chosen plaintexts Notation: ~e i = [..., 0, 1, 0,...] canonical basis of K t. From an initial message: ~p 0 = [p 0,1,..., p 0,t ] we can construct a new set of messages; for instance for i = 2 to N: ~p i = ~p j +~e k with j < i, 1 k t We obtain an algebraic system: E cient S N = N[ i=1 S ~k (~p i,~c i )

55 Experimental results: up to 6 rounds N FGb CPU 137 s 0.08 sec Nb of solutions K = GF (65521), t = 6, f = f inv, r = 4. N FGb CPU 502 s 8.9s 5.2s 12.2s Nb of sols K = GF (2 7 ), t = 6, f = f inv, r = 5. N FGb CPU > 2 h s Nb of solutions? K = GF (65521), t = 6, f = f inv, r = 6. Degree in Gb computation bounded: complexity O (t r) β? E cient

56 And after 7 rounds? N Nb of solutions F 4 CPU 0 s 980.9s 152s 208.4s 175.9s K = GF (2 7 ), t = 2, f = x 3, r = 8. But does not work for the inverse function! N Nb of sols D max F 4 CPU 0.07s 3.9s > 293s > 6527s K = GF (65521), t = 2, f = x 1, r = 7. The attack fails for the inverse function! E cient

57 I One test example: Flurry(k, m, r, f, D) Buchmann, Pyshkin, Weinmann I Several e cient algorithms for computing Gröbner Bases: F 4, F 5, FGLM I Several implementations: Magma, FGb, Singular,... I Di erent strategies: Direct, Substution of some s, chosen plaintexts I Direct computation: Gb + FGLM O p 2 3 m r, #K I Chosen plaintexts: I I Flurry broken (?) when f = x 3 and chosen plaintexts, complexity O (t r ) β, #K and β 9. The attack does not work for f = x 1 (or too big) E cient

Gröbner Bases. Applications in Cryptology

Gröbner - Crypto J.-C. Faugère Plan Gröbner bases: properties Gröbner Bases. Applications in Cryptology Jean-Charles Faugère INRIA, Université Paris 6, CNRS Zero dim solve Algorithms Buchberger and Macaulay