New Gröbner Bases for formal verification and cryptography

New Gröbner Bases for formal verification and cryptography. Gert-Martin Greuel. Diamant/Eidma Symposium, November 29th - November 30th, 2007 (talk given November 29th, 2007).

Introduction. Focus of this talk: new developments for Gröbner bases, namely
- Gröbner bases in polynomial rings over general rings
- Gröbner bases in Boolean rings
and their implementations and applications:
- formal verification of hardware
- algebraic attacks on block ciphers

Introduction. Contributors: Michael Brickenstein (PhD student), Stanislav Bulygin (PhD student), Alexander Dreyer (Fraunhofer ITWM), Oliver Wienand (PhD student). Cooperation: joint project with Prof. Kunz, Dept. of Electrical Engineering and Information Technology, University of Kaiserslautern. Sponsored by the Deutsche Forschungsgemeinschaft.

Outline
1 Introduction
2 Formal verification of hardware
3 Standard Bases over Rings
4 Standard Bases over Weak Factorial Rings
5 A Polynomial Framework for Boolean Rings
6 Gröbner Bases on Top of PolyBoRi
7 Cryptography
8 Conclusion

Formal verification of hardware: Property checking. Motivation: the limitations of a hardware design are imposed by what the designer can oversee; automated tools extend the designer's reach and are already standard in the later stages of the production process. Key ideas of property checking: design the circuit and formulate simple properties the circuit should fulfil, trying to cover all possible behaviours; then use automated tools to prove every property from the circuit design.

Formal verification of hardware Production flow

Formal verification of hardware: Problem. Given a set of axioms $M$ representing the circuit, with variables $V$, and a set of statements $P$ representing the property: does the circuit $M$ fulfil the property $P$? Reformulation: assume $M$ is consistent, i.e. free of contradictions. If $M \cup \{\neg P\}$ is contradictory, then $M$ implies $P$. Example: $M$ is a multiplication unit and $P$ the property that after one cycle the output of $M$ is the product of the inputs of $M$.

Formal verification of hardware: Example, formulation. Equations in $\mathbb{Z}/2^n$, $n \in \{8, 16, 32, 64\}$ the number of bits. System $M = \{\, b + c = d,\ a \cdot d = e \,\}$. Property $P = \{\, a \cdot b + a \cdot c = f \,\}$ (reconstructed reading: the slide shows only the variables $b$, $a$, $c$, $f$; the property is that the reference value $f$ equals the circuit output $e$). $M \cup P \cup \{ f - e \ne 0 \}$ is not a closed (algebraic) condition, but in $\mathbb{Z}/2^n$ one has $f \ne e \iff \exists s : s \cdot (f - e) = 2^{n-1}$.

Formal verification of hardware Proving a property with SAT

Formal verification of hardware: Example, encoding $b + c = d$, $a \cdot d = e$.
Encoding in $\mathbb{Z}/2 = \mathbb{Z}_2$ (bit level): display every number through its bits, $a = a_0 + a_1 \cdot 2 + \dots + a_{n-1} \cdot 2^{n-1}$, and rewrite the equations in the bit variables $a_i, b_i, c_i, d_i, e_i, f_i$. The polynomial for $e_5$ contains the variables $a_0, \dots, a_5, b_0, \dots, b_5$. Every word-level equation yields $n$ (number of bits) bit-level equations. For a bit position $i$ add $1 + f_i + e_i$ (which is $0$ iff $f_i \ne e_i$; over $\mathbb{Z}_2$ we have $-f_i = f_i$). Gather all polynomials in $I$. Is $V_{\mathbb{Z}_2}(I) = \emptyset$?
Encoding in $\mathbb{Z}/2^n = \mathbb{Z}_{2^n}$ (word level): $I = M \cup P \cup \{ s \cdot (e - f) - 2^{n-1} \}$, and $V_{\mathbb{Z}_{2^n}}(I) = \emptyset \iff M$ satisfies $P$.

Formal verification of hardware: Example for $n = 4$, $p = a \cdot b$ with
$a = a_0 + 2 a_1 + 2^2 a_2 + 2^3 a_3$, $b = b_0 + 2 b_1 + 2^2 b_2 + 2^3 b_3$, $p = p_0 + 2 p_1 + 2^2 p_2 + 2^3 p_3$:
$p_0 = a_0 b_0$
$p_1 = a_1 b_0 + a_0 b_1$
$p_2 = a_2 b_0 + a_1 b_1 + a_0 b_2 + a_1 a_0 b_1 b_0$
$p_3 = a_3 b_0 + a_2 b_1 + a_1 b_2 + a_0 b_3 + a_2 a_1 a_0 b_1 b_0 + a_2 a_1 b_1 b_0 + a_2 a_0 b_2 b_0 + a_1 a_0 b_2 b_1 b_0 + a_1 a_0 b_2 b_1 + a_1 a_0 b_1 b_0$
(the terms of degree above two are the carries).
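The bit-level encoding of the two slides above, carried out in code. This is an added example and not part of the slides or of PolyBoRi: a Boolean polynomial is stored as a set of monomials and a monomial as a frozenset of variable names (the set representation introduced later in the talk), addition is symmetric difference and $x_i^2 = x_i$ is built into the product. The ripple-carry adder, the shift-and-add multiplier and the variable names a0, ..., a3 (bit 0 least significant) are this example's own choices, and the property is taken as $f = ab + ac$ versus $e = a(b + c)$ as reconstructed above. Besides reproducing $p_0, \dots, p_3$ for $n = 4$, it checks the property by comparing the canonical polynomials of $e_i$ and $f_i$: equal term sets mean equal functions, so no assignment satisfies $1 + f_i + e_i = 0$ and $V_{\mathbb{Z}_2}(I)$ is empty.

```python
"""Bit-level (Z_2) encoding of word-level arithmetic (added example, not the slides' code).

A Boolean polynomial is a frozenset of monomials, a monomial a frozenset of variable
names; + is symmetric difference and x_i^2 = x_i is built into the product.
Variable names like "a0" (bit 0 least significant) are this example's own convention.
"""
from itertools import product

ZERO = frozenset()                      # the zero polynomial: no terms
ONE = frozenset({frozenset()})          # the constant 1: the empty monomial


def var(name):
    return frozenset({frozenset({name})})


def add(p, q):
    return p ^ q                        # S_{p+q} = (S_p u S_q) \ (S_p n S_q)


def mul(p, q):
    r = set()
    for s in p:
        for t in q:
            r ^= {s | t}                # product of monomials = union of variable sets
    return frozenset(r)


def bits(name, n):
    return [var(f"{name}{i}") for i in range(n)]


def ripple_add(x, y):
    """Sum mod 2^n of two n-bit words given as bit polynomials (ripple-carry adder)."""
    n = len(x)
    s, carry = [], ZERO
    for i in range(n):
        t = add(x[i], y[i])
        s.append(add(t, carry))
        if i + 1 < n:                   # the carry out of the top bit is dropped (mod 2^n)
            carry = add(mul(x[i], y[i]), mul(carry, t))   # c_out = x y + c_in (x + y)
    return s


def multiply(x, y):
    """Product mod 2^n by shift-and-add of the partial products x_i y_j."""
    n = len(x)
    acc = [ZERO] * n
    for j in range(n):
        partial = [ZERO] * j + [mul(x[i], y[j]) for i in range(n - j)]
        acc = ripple_add(acc, partial)
    return acc


def evaluate(p, env):
    """Value of p at the 0/1 assignment env (dict variable name -> bit)."""
    return sum(all(env[v] for v in m) for m in p) % 2


def word(bit_polys, env):
    return sum(evaluate(b, env) << i for i, b in enumerate(bit_polys))


def assignment(n, **values):
    env = {}
    for name, value in values.items():
        env.update({f"{name}{i}": (value >> i) & 1 for i in range(n)})
    return env


def multiplier_is_correct(n):
    """Exhaustive check: the symbolic bits of a*b agree with integer arithmetic mod 2^n."""
    p = multiply(bits("a", n), bits("b", n))
    return all(word(p, assignment(n, a=av, b=bv)) == (av * bv) % 2 ** n
               for av, bv in product(range(2 ** n), repeat=2))


def product_bit_terms(n, k):
    """Monomials of p_k of the n-bit multiplier, each as its sorted variable names."""
    return {"".join(sorted(m)) for m in multiply(bits("a", n), bits("b", n))[k]}


def distributivity_holds(n):
    """Property P at bit level: e = a(b + c) against f = ab + ac.
    Canonical Boolean polynomials are in bijection with Boolean functions, so
    e_i == f_i as term sets proves e_i = f_i for every input, i.e. the system
    with 1 + f_i + e_i added has no solution."""
    a, b, c = bits("a", n), bits("b", n), bits("c", n)
    e = multiply(a, ripple_add(b, c))
    f = ripple_add(multiply(a, b), multiply(a, c))
    return all(ei == fi for ei, fi in zip(e, f))
```

For $n = 4$ the term set returned by product_bit_terms(4, 3) is exactly the ten monomials of $p_3$ on the slide; the canonical form is unique, so there is nothing to normalise before comparing.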

Formal verification of hardware: Solving in $\mathbb{Z}_2$. Let $I_0$ be the ideal of vanishing polynomials in $\mathbb{Z}_2[x]$, i.e. the ideal generated by $x_i^2 - x_i$ for every variable $x_i$. Compute a Gröbner basis of $I$ in the ring $\mathbb{Z}_2[x]/I_0$. In this ring every ideal is principal. Moreover $I = \langle 1 \rangle \iff V(I) = \emptyset \iff$ property $P$ holds (since we added the field equations). Solving in $\mathbb{Z}_{2^n}$: let $I_0$ be the ideal of vanishing polynomials in $\mathbb{Z}_{2^n}[x]$. This ideal has more structure than in the field case, and even its Gröbner basis can become huge. Compute a Gröbner basis of $I$ in the ring $\mathbb{Z}_{2^n}[x]/I_0$. There is no theorem similar to the Nullstellensatz.

Modeling advantages and disadvantages. Using $\mathbb{Z}_2$: bit-level modeling is always possible; disadvantage: a huge number of variables and equations. Using $\mathbb{Z}_{2^n}$: word-level modeling is not always possible (there are more functions than polynomial functions), and the ring $\mathbb{Z}_{2^n}$ has zero-divisors; advantage: it requires fewer variables and equations.

Modeling advantages and disadvantages: functions versus polynomials, functions $\mathbb{Z}_m^k \to \mathbb{Z}_m$. Theorem (Gröbner basis for the ideal of vanishing polynomials): there exists a Gröbner basis $G_0$ of $I_0$ that is independent of the global ordering, and it can be stated explicitly. For $k = 1$ there are many more functions $F$ on $\mathbb{Z}/m = \mathbb{Z}_m$ than polynomial functions $R[x]/I_0$ when $m$ is not prime:
m = 2^2:  |F| = 256,                |R[x]/I_0| = 64
m = 2^8:  |F| ~ 10^616,             |R[x]/I_0| ~ 10^16
m = 2^16: |F| ~ 10^315652,          |R[x]/I_0| ~ 10^52
m = 2^32: |F| ~ 10^41373247567,     |R[x]/I_0| ~ 10^184

Standard Bases over Rings. Assumption: let $R$ be a noetherian ring with $1$ in which linear equations are solvable (zero-divisors are allowed). Then standard bases and syzygies can be computed. Standard bases theory: for arbitrary monomial orderings there is a weak normal form algorithm and a variant of Buchberger's algorithm, hence standard bases are computable for arbitrary orderings provided linear equations are solvable. Note that "linear equations are solvable" includes the computation of syzygy generators in the coefficient ring.

Standard Bases over Rings: notation. $<$ a monomial ordering (global, local or mixed); $LT(f)$, $LM(f)$, $LC(f)$ the leading term, leading monomial and leading coefficient; $L(I)$ the ideal of leading terms; $R[x_1, \dots, x_n]_< = \{\, f/g \mid f \in R[x],\ LT(g) \in R^* \,\}$. Definition (standard bases): let $I \subseteq R[x_1, \dots, x_n]_<$ be an ideal. $G$ is a standard basis of $I$ if $G \subseteq I$ and $L(G) = L(I)$. $G$ is a strong standard basis of $I$ if for every $f \in I \setminus \{0\}$ there is $g \in G$ with $LT(g) \mid LT(f)$.

Standard Bases over Weak Factorial Rings. Let $R$ be a noetherian ring with $1$ and $R^*$ the multiplicative group of its units. Definition: a map $\nu = (\nu_p)_{p \in P} : R \to \mathbb{N}^{(P)}$, $\nu_p : R \to \mathbb{N}$, with $P \subseteq R \setminus R^*$, is an element factorization for $R$ if $|\nu(a)| < \infty$ (only finitely many $\nu_p(a)$ are nonzero) for all $a \in R$ and for every $a \in R$ there is a unit $n \in R^*$ with $a = n \prod_{p \in P} p^{\nu_p(a)} =: n\, p^{\nu(a)}$. If moreover $a \mid b \Rightarrow \nu(a) \le \nu(b)$ for all $a, b \in R$, we call $R$ weak factorial w.r.t. $(\nu, P)$. Note that zero-divisors are allowed.

Standard Bases over Weak Factorial Rings. Problem in rings with zero-divisors: in $\mathbb{Z}_{12}$, $6 = 3 \cdot 6 = 3 \cdot 3 \cdot 6 = \dots$, so there is no finite decomposition into irreducible elements. Element factorization: for $\mathbb{Z}/m$ with $m = p_1^{e_1} \cdots p_n^{e_n}$ define $\nu_i(a) = \min\{\nu^{\mathbb{Z}}_{p_i}(a),\ e_i\}$ with $P = \{p_1, \dots, p_n\}$; e.g. $\nu_3(9) = 1$ in $\mathbb{Z}/(2^2 \cdot 3^1)$: $9 = 3 \cdot 3$, but also $9 = 7 \cdot 3$ with the unit $7$ (nice weak factorial). Examples of noetherian weak factorial principal rings: the integers $\mathbb{Z}$, the quotient rings $\mathbb{Z}_m$, and for every prime ideal $P \subset \mathbb{Z}$ the local ring $(\mathbb{Z} \setminus P)^{-1} \mathbb{Z}$; a finite product of such rings is again noetherian, weak factorial and principal.

Standard Bases over Weak Factorial Rings. Theorem (Buchberger algorithm over weak factorial principal rings): there is an algorithm computing a weak normal form for any ordering, similar to the classical one; a new type of s-polynomial is needed because zero-divisors can occur as leading coefficients; leading terms are taken instead of leading monomials; Buchberger's criterion and the syzygy basis theorem remain valid (same formulation, but with the new s-polynomials). Example: $2x + y \in I \subseteq \mathbb{Z}/12[x, y]$ implies $6y = 6 \cdot (2x + y) \in I$, so a single polynomial need not be a Gröbner basis. $NF(x \mid \{2x, 3x\}) = 0$ because $x = 3x - 2x$, but $NF(x \mid \{2x\}) = x$ and $NF(x \mid \{3x\}) = x$, since neither $2$ nor $3$ divides $1$ in $\mathbb{Z}/12$.

Standard Bases over Weak Factorial Rings: the 1-factorial case ($\mathbb{Z}/p^n$). Normal form: no solving of linear equations is necessary, only divisibility tests; the running time is similar to the finite field case. Buchberger algorithm: extra s-polynomials for every polynomial $f$ with $p \mid LC(f)$; more possibilities for the leading ideal, since coefficients matter; a further chain-like criterion due to the new s-polynomials. Gröbner bases in the ring of polynomial functions ($I_0$ added): possible, but computationally difficult because $G_0$ is very large, even if only the needed elements of $G_0$ are generated on the fly.

Benchmarks: Gröbner bases in $\mathbb{Z}_{2^{10}}[x]$. Table: computation of a Gröbner basis in $\mathbb{Z}_{2^{10}}$ with degree reverse lexicographical ordering; randomly generated examples on an AMD Dual Opteron 2.2 GHz, 16 GB RAM.
#mons  #vars  #polys  maxdeg  #polys in GB  Singular   Magma
2      5      15      69.2    3             0.40 s     68.16 s
3      3      10      6.7     254           8.50 s     1287.80 s
3      3      15      7.4     599           204.82 s   timeout after 1 h
4      4      10      2.8     120           0.04 s     10.68 s
4      4      10      3.0     361           20.36 s    timeout after 1 h
5      5      10      2.4     584           0.15 s     455.35 s
5      5      10      2.8     1043          1.11 s     timeout after 1 h
7      5      10      2.0     614           0.14 s     40.06 s
7      5      10      2.2     2547          2.23 s     timeout after 1 h
10     10     4       1.9     436           0.11 s     92.45 s
10     10     4       3.0     11734         963.39 s   timeout after 1 h
12     10     3       2.3     5536          18.40 s    timeout after 1 h
12     10     3       3.0     1940          3.69 s     timeout after 1 h

Standard Bases over Weak Factorial Rings: the general case ($\mathbb{Z}/m$). Problem: the normal form computation requires solving linear equations. Idea: compute a strong standard basis. How: generate extra gcd-polynomials, in the same way as s-polynomials are generated to compute classical standard bases.

Standard Bases over Weak Factorial Rings: gcd-polynomials, the general case ($\mathbb{Z}/m$). Let $g, f \in R[x]$ with $g = c_g x^{\alpha_g} + \dots$ and $f = c_f x^{\alpha_f} + \dots$. Compute $d_g c_g + d_f c_f = \gcd(c_g, c_f)$ and add
$\mathrm{gcdpoly}(g, f) = d_g\, m_g\, g + d_f\, m_f\, f = \gcd(c_g, c_f) \cdot \mathrm{lcm}(x^{\alpha_g}, x^{\alpha_f}) + \dots$
to the critical pair set, where $m_g, m_f$ are the monomials with $m_g x^{\alpha_g} = m_f x^{\alpha_f} = \mathrm{lcm}(x^{\alpha_g}, x^{\alpha_f})$. Benefits: no solving of linear equations in every step of the normal form algorithm; reduced coefficient growth in infinite rings.

A Polynomial Framework for Boolean Rings: Boolean functions and polynomials. $B_n := \{ f : \mathbb{Z}_2^n \to \mathbb{Z}_2 \}$ is the ring of Boolean functions. $R_n$, the ring of Boolean polynomials, consists of the polynomials of the form $p = a_1 x_1^{\nu_{11}} \cdots x_n^{\nu_{1n}} + \dots + a_m x_1^{\nu_{m1}} \cdots x_n^{\nu_{mn}}$ under the restrictions $a_i \in \{0, 1\}$ (coefficients in $\mathbb{Z}_2$) and $\nu_{ij} \le 1$ (degree bound due to the constraints $x_i^2 = x_i$).

A Polynomial Framework for Boolean Rings: Boolean rings. $R_n \subseteq \mathbb{Z}_2[x_1, \dots, x_n]$ is given a ring structure via the canonical bijection to the quotient ring $Q_n := \mathbb{Z}_2[x_1, \dots, x_n] / \langle x_1^2 - x_1, \dots, x_n^2 - x_n \rangle$. Since $\mathbb{Z}_2$ is a field, $B_n$, $R_n$ and $Q_n$ can be canonically identified; we call any of them a Boolean ring. Note that their representations are quite different.

Ideals and Varieties over Boolean Rings: one-to-one correspondences.
- Boolean polynomials <-> Boolean functions (interpolation)
- sets <-> algebraic sets in $\mathbb{Z}_2^n$ (indicator functions)
- algebraic sets <-> Boolean ideals (Boolean ideals are radical)
- Boolean polynomials <-> ideals containing the field polynomials <-> reduced Gröbner bases (Boolean ideals are principal)
In the case of $\mathbb{Z}_m$ none of these correspondences survives.

Boolean Polynomials as Sets. Set representation of Boolean polynomials: a Boolean monomial can be considered as a subset $s$ of $\{x_1, \dots, x_n\}$ and any Boolean polynomial $p$ as a subset $S_p$ of the set of all monomials, such that $p = \sum_{s \in S_p} \prod_{x_\nu \in s} x_\nu$. Example: $xy + x + z = \{\{x, y\}, \{x\}, \{z\}\}$. Addition in set representation: let $p = \sum_{s \in S_p} \prod_{x_\nu \in s} x_\nu$ and $q = \sum_{s \in S_q} \prod_{x_\nu \in s} x_\nu$ be Boolean polynomials; then $p + q = \sum_{s \in S_{p+q}} \prod_{x_\nu \in s} x_\nu$ for the set $S_{p+q} = (S_p \cup S_q) \setminus (S_p \cap S_q)$.

Binary Decision Diagrams. A Binary Decision Diagram (BDD) is a rooted tree with terminal nodes $\{0, 1\}$ and decision nodes with two edges per node (corresponding to $x_i :=$ true or $x_i :=$ false). A BDD is ordered if the variable order is the same on all paths. Figure: the BDD of $f = xy + x + z$.

Zero-suppressed Binary Decision Diagrams. A Zero-suppressed BDD (ZDD) is an ordered BDD reduced by merging equal subgraphs and by the node elimination rule: remove a node if its then-edge points to the 0-terminal. Figure, shown in several animation steps: the ZDD of $f = xy + x + z$.

Boolean Polynomials as ZDDs. Use ZDDs to store the term structure, represented as sparse sets, not the Boolean function behind it! Advantages: a compact data structure, suitable for sparse subsets $S_p$ of the power set of the variables; the polynomial structure is still recognizable. Properties: polynomial arithmetic can be done using set operations; valid paths (to the 1-terminal) correspond to polynomial terms; the natural path sequence is in lexicographical order; ordering-dependent functionality is possible for degree and product orderings with reasonable effort (trivial for lex).

C++ library PolyBoRi. Internal data structure based on ZDDs. High-level data types for Boolean polynomials, monomials and exponent vectors hide the ZDD management from the user. Implements polynomial arithmetic and basic functionality, and ordering-dependent procedures for leading terms, monomial comparisons, iterating over terms, ... A Singular interface is scheduled. Python interface: parsing of complex polynomial systems, interactive use as a command line tool (via ipython); an extensive test suite for periodic checks during development (mainly satisfiability examples, some from cryptography); sophisticated and extendable strategies for Gröbner bases.

Gröbner Bases on Top of PolyBoRi. Task (algorithm and implementation): design and implement a Gröbner basis algorithm for ideals in a Boolean ring generated by Boolean polynomials. Proposed method: symmgbf2 (= slimgb + symmetry). Use slimgb, which introduced new concepts into GB calculation, and use symmetry, i.e. the special structure of ideals in Boolean rings: many examples from practice are highly symmetric (cryptography (AES), electrical engineering (integrated circuits), invariant theory), so multiple computations for similar patterns can be avoided.

PolyBoRi Benchmarks - Formal Verification. Table: timings and memory usage for benchmark examples; "-" marks a timeout after 1 hour or out of memory at 15 GB.
Example    Vars./Eqs.  PolyBoRi           FGb via Maple      Magma              Singular
mult4x4    55/48       0.00 s, 54.54 MB   1.76 s, 5.50 MB    0.91 s, 10.48 MB   0.02 s, 0.66 MB
mult5x5    83/74       0.01 s, 54.66 MB   219.09 s, 6.37 MB  31.28 s, 46.05 MB  0.01 s, 1.67 MB
mult6x6    117/106     0.03 s, 54.92 MB   failed             one of Magma/Singular: 4.28 s, 21.19 MB; the other: -
mult8x8    203/188     0.40 s, 55.43 MB   -                  -                  -
mult10x10  313/294     18.11 s, 85.91 MB  -                  -                  -

PolyBoRi Benchmarks - Satisfiability. Table: timings and memory usage for Gröbner basis computations w.r.t. various orderings; "-" means timeout after 2 days or stopped with an error message; dp asc denotes dp with reversed variable order.
Example    Vars./Eqs.  Ordering  PolyBoRi                 Magma
uuf50-10   50/218      lp        8.76 s, 71.98 MB         9.77 s, 28.21 MB
                       dlex      8.98 s, 72.53 MB         10.35 s, 32.71 MB
                       dp asc    8.14 s, 72.24 MB         8.40 s, 27.42 MB
uuf75-8    75/325      lp        843.38 s, 819.80 MB      14015.21 s, 1633.62 MB
                       dlex      553.43 s, 490.86 MB      14291.45 s, 2439.53 MB
                       dp asc    448.53 s, 472.04 MB      13679.42 s, 2539.24 MB
uuf100-01  100/430     lp        44779.77 s, 12309.79 MB  -
                       dlex      11961.86 s, 6101.43 MB   -
                       dp asc    10635.72 s, 6146.47 MB   -

PolyBoRi Benchmarks - Satisfiability. Table: deciding satisfiability with PolyBoRi using Gröbner basis computations, in comparison with MiniSat, a state-of-the-art SAT solver.
Example    Vars./Eqs.  PolyBoRi               MiniSat
hole8      72/297      1.88 s, 56.59 MB       0.30 s, 2.08 MB
hole9      90/415      8.01 s, 84.04 MB       2.31 s, 2.35 MB
hole10     110/561     44.40 s, 97.68 MB      25.20 s, 3.24 MB
hole11     132/738     643.14 s, 130.83 MB    782.65 s, 7.19 MB
hole12     156/949     10264.92 s, 338.66 MB  22920.20 s, 17.13 MB
mult4x4    55/48       0.00 s, 54.54 MB       0.00 s, 1.95 MB
mult5x5    83/74       0.01 s, 54.66 MB       0.01 s, 1.95 MB
mult6x6    117/106     0.03 s, 54.92 MB       0.03 s, 1.95 MB
mult8x8    203/188     0.40 s, 55.43 MB       0.96 s, 2.21 MB
mult10x10  313/294     18.11 s, 85.91 MB      22.85 s, 3.61 MB
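A Gröbner basis computation in the Boolean ring used as the SAT decision procedure of the table above and of the "Solving in $\mathbb{Z}_2$" slide. This is an added example, not the slides' or PolyBoRi's code: PolyBoRi stores polynomials as ZDDs and uses the slimgb strategies, whereas this uses plain Python sets and a textbook Buchberger loop, which is enough for small instances. It shows the normal form with the field equations built in, the extra S-polynomials with $x_i^2 + x_i$, the clause-to-polynomial encoding, and the pigeonhole family hole_k of the benchmark table at a size the naive loop handles (hole2: three pigeons, two holes). The variable numbering and function names are this example's own.

```python
"""SAT by Gröbner bases in the Boolean ring Z_2[x_0..x_{n-1}] / <x_i^2 + x_i>
(added example, not the slides' or PolyBoRi's code).

Set representation of the talk: a polynomial is a frozenset of monomials, a monomial
a frozenset of variable indices; + is symmetric difference and x_i^2 = x_i is built
into the product. A CNF is unsatisfiable exactly when the ideal generated by its
clause polynomials and the field equations is the whole ring, i.e. the Gröbner
basis contains 1.
"""
from itertools import combinations

ONE = frozenset({frozenset()})


def mul(p, q):
    r = set()
    for s in p:
        for t in q:
            r ^= {s | t}                        # product of monomials = union (x_i^2 = x_i)
    return frozenset(r)


def lm(p, n):
    """Leading monomial for lex with x_0 > x_1 > ... > x_{n-1}."""
    return max(p, key=lambda m: tuple(i in m for i in range(n)))


def normal_form(p, G, n):
    """Reduce p modulo G. The largest term m divisible by some LM(g) (subset test)
    is cancelled by (m / LM(g)) * g, which only introduces terms smaller than m, so
    the loop terminates; the field equations act through the idempotent product."""
    p, r = set(p), set()
    while p:
        m = lm(p, n)
        for g in G:
            l = lm(g, n)
            if l <= m:
                p ^= mul(frozenset({m - l}), g)
                break
        else:
            p.remove(m)
            r.add(m)
    return frozenset(r)


def groebner(F, n):
    """Buchberger's algorithm in the Boolean ring. Besides the S-polynomials of pairs
    in G, every g is paired with the field polynomial x_i^2 + x_i for each x_i in
    LM(g); that S-polynomial equals x_i * g computed with x_i^2 = x_i. Pairs with
    coprime leading monomials are skipped (Buchberger's product criterion)."""
    G = [f for f in F if f]
    pairs = [(i, j) for i in range(len(G)) for j in range(i)]
    field = [(i, x) for i, g in enumerate(G) for x in lm(g, n)]
    while pairs or field:
        if pairs:
            i, j = pairs.pop()
            li, lj = lm(G[i], n), lm(G[j], n)
            if not li & lj:
                continue
            L = li | lj
            s = mul(frozenset({L - li}), G[i]) ^ mul(frozenset({L - lj}), G[j])
        else:
            i, x = field.pop()
            s = mul(frozenset({frozenset({x})}), G[i])
        h = normal_form(s, G, n)
        if h:
            k = len(G)
            G.append(h)
            pairs.extend((k, j) for j in range(k))
            field.extend((k, x) for x in lm(h, n))
    return G


def clause_poly(clause):
    """A clause l_1 v ... v l_k, literals as (variable, positive?), is violated exactly
    when prod_j (1 + [l_j]) = 1, so the constraint is prod_j (1 + [l_j]) = 0: the
    factor is 1 + x for a positive literal and x for a negative one."""
    p = ONE
    for v, positive in clause:
        x = frozenset({frozenset({v})})
        p = mul(p, x ^ ONE if positive else x)
    return p


def is_satisfiable(cnf, n):
    return ONE not in groebner([clause_poly(c) for c in cnf], n)


def pigeonhole_cnf(pigeons, holes):
    """hole_k of the benchmark table is pigeonhole_cnf(k + 1, k): every pigeon gets a
    hole and no hole holds two pigeons. Variable for (pigeon i, hole h): i*holes + h."""
    cnf = [[(i * holes + h, True) for h in range(holes)] for i in range(pigeons)]
    for h in range(holes):
        for i, j in combinations(range(pigeons), 2):
            cnf.append([(i * holes + h, False), (j * holes + h, False)])
    return cnf
```

The basis returned by groebner is not interreduced; for deciding satisfiability only the membership of 1 matters, and once some normal form is the constant 1 every later reduction is zero.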

PolyBoRi - Cryptography: CTC and AES. Final goal: attack AES (the Advanced Encryption Standard since 2001). The original cipher encrypts 128-bit blocks with 128-bit keys (4 by 4 arrays of bytes) in 10 rounds: AES-10-4-4-8. Test the algorithms on easier but similar ciphers. Small scale variants AES-n-r-c-e: a variable number of rounds $n$ (1 to 10), rows $r$ and columns $c$ of the arrays (1, 2 or 4), and the size $e$ of a bit vector (4 or 8). Courtois Toy Cipher (CTC, 2006): similarly designed but more scalable than AES, designed for testing algebraic attacks.

PolyBoRi - Cryptography: Scaled AES description. Perform a prescribed set of operations $n$ times (rounds). Plaintext (known), ciphertext (known), key (unknown) and all intermediate states are vectors of length $r \cdot c \cdot e$ bits, seen as arrays with $r$ rows and $c$ columns. For example, with $r = 2$, $c = 4$, $e = 8$ the vector $p = (p_1, \dots, p_{64})$ is seen as the array
$P_1\ P_3\ P_5\ P_7$
$P_2\ P_4\ P_6\ P_8$
with entries $P_1 = (p_1, \dots, p_8)$, $P_2 = (p_9, \dots, p_{16})$, ... The original AES has $n = 10$, $r = c = 4$, $e = 8$ (there are $2^{128}$ keys).

PolyBoRi - Cryptography: Scaled AES description. The ciphertext $c$ is created from the plaintext $p$ and the key $k_0$ as follows. Initial componentwise key addition: $w_0 := p + k_0$; $w_0$ is an array with entries $w_{0,1}, \dots, w_{0,rc}$. For $i = 1, \dots, rc$ perform the nonlinear transformation $\mathrm{SBOX}(w_{0,i})$, where $w_{0,i}$ is seen as an element of $GF(2^e)$. $\mathrm{SBOX}(a)$ is defined as: (1) $a \mapsto b$ with $b = a^{-1}$ if $a \ne 0$ and $b = 0$ if $a = 0$; (2) $b$ is seen as a vector in $GF(2)^e$ and $b \mapsto c = L_{\mathrm{SBOX}}(b)$, where $L_{\mathrm{SBOX}}$ is an affine transformation defined over $GF(2)^e$. The result is an array $x_1$ with entries $x_{1,1}, \dots, x_{1,rc}$, where $x_{1,i} = \mathrm{SBOX}(w_{0,i})$.

PolyBoRi - Cryptography: Scaled AES description. The array $x_1$ is then processed by two linear transformations: (1) ShiftRows: the $i$-th row of $x_1$ is cyclically shifted by $i - 1$ positions to the right, giving an array $x_1'$; (2) MixColumns: denote the columns of $x_1'$ by $\alpha_1, \dots, \alpha_c$, considered as vectors in $GF(2^e)^r$; with a prescribed matrix $M$ the columns $\beta_i = M \alpha_i$, $i = 1, \dots, c$, are calculated. (3) The result $\hat{x}_1$ has $\beta_1, \dots, \beta_c$ as its columns.

PolyBoRi - Cryptography: Scaled AES description. In parallel, a similar procedure (the key schedule) produces $k_1$ from the initial key $k_0$. Key addition: $w_1 = \hat{x}_1 + k_1$. Repeat the whole procedure for $n - 1$ more rounds; $c = w_n$ is the resulting ciphertext. It is possible to write a corresponding polynomial system over $GF(2)$, and it is possible to rewrite a round so that the SBOX transformation only performs the inversion and the composition of three maps (one affine and two linear) is applied afterwards to the whole array.

PolyBoRi - Cryptography: Structure of equations. The structure of the equations for AES and CTC is similar. The system for AES can be seen as iterative blocks of equations, where the output variables of one block are the input variables of the next block (system $S$); blocks only intersect on a frontier. Every block has a similar structure, and the equations in it are of two types: quadratic equations corresponding to the substitution box (the nonlinear operation) and linear equations corresponding to the diffusion layer.

PolyBoRi - Cryptography: Ideas. Schematically, at the beginning we have the system $S$ of the form
$w_0 = p + k_0$,
$\mathrm{SBOX}(x_i, w_{i-1}) = 0,\quad i = 1, \dots, n$,
$w_i = L(x_i) + k_i,\quad i = 1, \dots, n - 1$,
$\mathrm{SBOX}_K(s_i, k_{i-1}) = 0,\quad i = 1, \dots, n$,
$k_i = L_K(s_i),\quad i = 1, \dots, n$,
$c = L(x_n) + k_n$,
together with the field equations. Here $\mathrm{SBOX}$, $\mathrm{SBOX}_K$ are the quadratic S-box transformations for the encryption and the key schedule respectively; $L$, $L_K$ are affine transformations.

PolyBoRi - Cryptography: Ideas. Rewrite the equations of the S-boxes so that every output variable is expressed via the input variables of the S-box (by a GB computation w.r.t. some block ordering). Plus: it is easier to see how every variable depends on the preceding variables. Minus: the degree of the equations rises from 2 to 3 (for $e = 4$) or to 7 (for $e = 8$). Writing the equations this way gives the system $S_1$. The major part of $S_1$ is already a Gröbner basis w.r.t. some degree ordering. The system $S_2$ is obtained by a normal form computation of the remaining equations modulo that major part; $S_2$ is a system in the initial key variables only.

PolyBoRi - Cryptography: Ideas. Rewriting the S-boxes yields the system $S_1$:
$w_0 = p + k_0$,
$x_i = \mathrm{sbox}(w_{i-1}),\quad i = 1, \dots, n$,
$w_i = L(x_i) + k_i,\quad i = 1, \dots, n - 1$,
$s_i = \mathrm{sbox}_K(k_{i-1}),\quad i = 1, \dots, n$,
$k_i = L_K(s_i),\quad i = 1, \dots, n$,
$c = L(x_n) + k_n$,
which are satisfied with high probability. Here $\mathrm{sbox}$, $\mathrm{sbox}_K$ are the higher-degree S-box transformations for the encryption and the key schedule respectively.

PolyBoRi - Cryptography: Ideas. An example of how an S-box changes for $e = 4$. The quadratic S-box from the system $S$ (from $ab = 1$):
$x_2 w_3 + x_1 w_3 + x_3 w_2 + x_2 w_2 + x_3 w_1 + x_0 w_0 + 1 = 0$,
$x_3 w_3 + x_1 w_3 + x_2 w_2 + x_3 w_1 + x_0 w_1 + x_1 w_0 = 0$,
$x_1 w_3 + x_2 w_2 + x_0 w_2 + x_3 w_1 + x_1 w_1 + x_2 w_0 = 0$,
$x_1 w_3 + x_0 w_3 + x_2 w_2 + x_1 w_2 + x_3 w_1 + x_2 w_1 + x_3 w_0 = 0$.
The cubic S-box from the system $S_1$ (rewrite $b = f(a)$):
$x_0 = w_3 w_2 w_1 + w_2 w_1 w_0 + w_2 w_1 + w_2 w_0 + w_3 + w_2 + w_1 + w_0$,
$x_1 = w_3 w_1 w_0 + w_3 w_1 + w_2 w_1 + w_2 w_0 + w_1 w_0 + w_3$,
$x_2 = w_3 w_2 w_0 + w_3 w_0 + w_2 w_0 + w_1 w_0 + w_3 + w_2$,
$x_3 = w_3 w_2 w_1 + w_3 w_2 + w_3 w_1 + w_3 w_0 + w_3 + w_2 + w_1$.
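Where the degree jump of the S-box rewriting comes from, computed directly. This is an added example and not part of the slides: it models only the inversion $w \mapsto w^{-1}$ (the slides note that the affine layer $L_{\mathrm{SBOX}}$ can be moved into the linear part of the round), checks the bilinear relations $x \cdot w = 1$ behind system $S$, and computes the algebraic normal form of every output bit as a polynomial in the input bits, which is the explicit form used in $S_1$. Assumptions: $GF(2^4)$ is built with $x^4 + x + 1$ and $GF(2^8)$ with the AES polynomial $x^8 + x^4 + x^3 + x + 1$, and bit $i$ of an integer is the coefficient of $x^i$; the slide's bit numbering and affine map are not reproduced, so the individual polynomials differ from the slide while the degrees (3 for $e = 4$, 7 for $e = 8$) are the same.

```python
"""Algebraic degree of the inversion S-box over GF(2^e) (added example, not the slides').

Assumed field polynomials: x^4 + x + 1 for e = 4 and the AES polynomial
x^8 + x^4 + x^3 + x + 1 for e = 8; bit i of an integer is the coefficient of x^i.
"""

SR_POLY = 0b10011          # x^4 + x + 1 (assumption for the small scale variants)
AES_POLY = 0b100011011     # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b, e, poly):
    """Multiply in GF(2^e) = GF(2)[x]/(poly); poly has its degree-e bit set."""
    r = 0
    for _ in range(e):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> e:
            a ^= poly
    return r


def gf_inv(a, e, poly):
    """a^(2^e - 2), i.e. a^(-1) for a != 0; 0 is mapped to 0 as in the AES S-box."""
    if a == 0:
        return 0
    r, k = 1, (1 << e) - 2
    while k:
        if k & 1:
            r = gf_mul(r, a, e, poly)
        a = gf_mul(a, a, e, poly)
        k >>= 1
    return r


def anf(truth):
    """Möbius transform: truth table (index = input bits) -> ANF coefficients
    (index = bit mask of the variables in the monomial)."""
    c = list(truth)
    n = len(c).bit_length() - 1
    for i in range(n):
        for u in range(len(c)):
            if u >> i & 1:
                c[u] ^= c[u ^ (1 << i)]
    return c


def sbox_output_bit_anf(e, poly, bit):
    """Monomials (tuples of input bit indices) of output bit `bit` of w -> w^(-1),
    i.e. the explicit equation x_bit = sbox(w) of system S_1 for this field."""
    table = [(gf_inv(w, e, poly) >> bit) & 1 for w in range(1 << e)]
    coeff = anf(table)
    return [tuple(i for i in range(e) if u >> i & 1) for u in range(1 << e) if coeff[u]]


def sbox_degrees(e, poly):
    """Degree of every output bit of the inversion as a polynomial in the input bits."""
    return [max(len(m) for m in sbox_output_bit_anf(e, poly, b)) for b in range(e)]


def bilinear_relations_hold(e, poly):
    """System S: for every w != 0 and x = w^(-1), x * w = 1 in GF(2^e)."""
    return all(gf_mul(w, gf_inv(w, e, poly), e, poly) == 1 for w in range(1, 1 << e))
```

The relation $x \cdot w = 1$ is bilinear in the bits of $x$ and $w$, which is why system $S$ is quadratic, whereas $x = w^{-1} = w^{2^e - 2}$ has algebraic degree $e - 1$ in the bits of $w$; every nonzero component of the inversion reaches that degree, as sbox_degrees shows for both field sizes.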

PolyBoRi - Cryptography: timings for the systems $S_1$ ("-": not given).
Example (S_1)    var  eq    PolyBoRi          Singular          Magma                Maple
ctc-5-3          190  354   3.04 s, 49 MB     32 s, 69 MB       83 s, 64 MB          > 1800 s
ctc-8-3          298  561   4.8 s, 52 MB      117 s, 154 MB     817 s, 335 MB        -
ctc-15-3         550  1044  8.04 s, 69 MB     748 s, 379 MB     > 3000 s, > 570 MB   -
aes-10-1-1-4pp   170  184   0.14 s            0.25 s            0.92 s, 9.25 MB      > 1000 s
aes-7-1-2-4pp    210  255   3.24 s, 50 MB     18 s              366 s, 211 MB        -
aes-10-1-2-4pp   288  318   6.7 s, 51 MB      1080 s, 694 MB    978 s, 477 MB        > 70 h

Cryptography: Ideas. The $S_2$ method makes it possible to use many plaintext/ciphertext pairs, which was not possible when working with the systems $S$ or $S_1$. We could attack keys of weight up to 4 in the small scale cipher with 3 rounds, dimensions $2 \times 2$, $e = 4$ (aes-3-2-2-4) in 250 s with SINGULAR using 100 pairs. Drawback: the resulting system $S_2$, in the key variables only, consists of dense equations of high degree ($r \cdot c \cdot e$); practically every term appears with probability 1/2.

Cryptography: Cutting technique. Let $f_i(x_1, \dots, x_n) = 0$, $i = 1, \dots, m$, be a polynomial system over $GF(2)$. If $a \in GF(2)^n$ is a solution, $f_i(a) = 0$ for all $i$, with $\mathrm{weight}(a) := \#\{ i \mid a_i \ne 0 \} = s$, then $a$ is also a solution of $\tilde{f}_i(x_1, \dots, x_n) = 0$, $i = 1, \dots, m$, where $\tilde{f}_i$ is obtained from $f_i$ by dropping the monomials of degree $> s$: every such monomial contains a variable outside the support of $a$ and therefore vanishes at $a$. So, if we look for solutions of low weight in a system of high-degree polynomials, it is sufficient to consider the low-degree parts of every polynomial in the system.

Cryptography: Cutting technique. Let $\mathrm{supp}(a) = \{ i \mid a_i \ne 0 \}$ and $\mathrm{weight}(a) = s$. Perform the coordinate change $x_i \mapsto x_i + 1$ for $i \in I \subseteq \mathrm{supp}(a)$ on the initial system $f_i(x_1, \dots, x_n) = 0$, $i = 1, \dots, m$. With $s' = s - |I|$ there is a solution $a'$ of weight $s'$ of the system $\tilde{f}_i'(x_1, \dots, x_n) = 0$, $i = 1, \dots, m$, where $\tilde{f}_i'$ is obtained from the changed $f_i$ by dropping the monomials of degree $> s'$. Applying $x_i \mapsto x_i + 1$ for $i \in I$ once more recovers the solution $a$ of weight $s > s'$, while only a system of degree $s'$ had to be solved. Thus, by applying the coordinate change $x_i \mapsto x_i + 1$ for several choices of $i$ to the initial system $S_1$ and working only with the linear (or quadratic) parts of the equations, finding a key is reduced to solving many simple linear (or quadratic) systems instead of one large $S_2$.

Cryptography: Cutting technique. Using this cutting technique, even with a naive Python script, half of the key space of aes-10-2-2-4 can be scanned in under 3 min and half of the key space of aes-10-1-2-8 in under 30 min, with negligible memory consumption. Exhaustive search turns out to be the special case in which only the constant terms of the system are kept each time; the coordinate change then corresponds to a trial key selection. It is faster than the linear or quadratic analogue; further analysis may reveal benefits of the linear (or quadratic) cutting technique.
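The cutting technique of the three slides above, run end to end on a constructed system. This is an added example and not the slides' Python script: it implements the degree cut, the coordinate change $x_i \mapsto x_i + 1$ on a guessed subset $I$ of the support, Gaussian elimination over $GF(2)$ for the linear cut ($|I| = s - 1$), and the constant-only cut ($|I| = s$), which is the exhaustive search over weight-$s$ keys. The system is constructed here (it is not one of the slides' cipher systems): dense polynomials in 8 variables in which every monomial appears with probability 1/2, as the slides describe $S_2$, with the constant terms fixed so that a planted key of weight 3 is a solution.

```python
"""Cutting technique: a low-weight GF(2) solution from the low-degree parts of a system
(added example with a constructed test system, not the slides' script).

Polynomials are frozensets of monomials, a monomial a frozenset of variable indices.
"""
from itertools import combinations
import random

ONE = frozenset({frozenset()})


def evaluate(p, a):
    return sum(all(a[i] for i in m) for m in p) % 2


def satisfies(system, a):
    return all(evaluate(p, a) == 0 for p in system)


def cut(p, s):
    """Drop every monomial of degree > s: at a point of weight <= s such a monomial
    contains a variable equal to 0, so the value at that point is unchanged."""
    return frozenset(m for m in p if len(m) <= s)


def shift(p, I):
    """Coordinate change x_i -> x_i + 1 for i in I. The monomial x_m turns into
    prod_{i in m \ I} x_i * prod_{i in m n I} (x_i + 1) = sum_{T subset of m n I} x_{m \ T}."""
    r = set()
    for m in p:
        hit = sorted(m & I)
        for k in range(len(hit) + 1):
            for T in combinations(hit, k):
                r ^= {m - frozenset(T)}
    return frozenset(r)


def linear_solutions(polys, n):
    """All GF(2) solutions of a system of polynomials of degree <= 1: Gaussian
    elimination to reduced row echelon form, then enumeration of the free variables."""
    pivots = {}                                 # pivot column -> (row bit mask, constant)
    for p in polys:
        mask = sum(1 << next(iter(m)) for m in p if m)
        const = int(frozenset() in p)
        for col, (pm, pc) in pivots.items():
            if mask >> col & 1:
                mask ^= pm
                const ^= pc
        if mask == 0:
            if const:                           # 1 = 0: the cut system is inconsistent
                return
            continue
        col = mask.bit_length() - 1
        for c2, (pm, pc) in list(pivots.items()):
            if pm >> col & 1:
                pivots[c2] = (pm ^ mask, pc ^ const)
        pivots[col] = (mask, const)
    free = [i for i in range(n) if i not in pivots]
    for choice in range(1 << len(free)):
        x = [0] * n
        for k, i in enumerate(free):
            x[i] = choice >> k & 1
        fm = sum(x[i] << i for i in free)
        for col, (pm, pc) in pivots.items():
            x[col] = pc ^ (bin(pm & fm).count("1") & 1)
        yield x


def cut_attack(system, n, s, guess):
    """Guess `guess` positions of the support of a weight-s solution, move them to 0 by
    x_i -> x_i + 1, keep only the degree <= s - guess part and verify every candidate
    against the full system. guess = s keeps only the constants (exhaustive search over
    weight-s keys); guess = s - 1 leaves a linear system."""
    if s - guess not in (0, 1):
        raise ValueError("only the constant and the linear cut are implemented here")
    for I in combinations(range(n), guess):
        Iset = frozenset(I)
        cut_system = [cut(shift(p, Iset), s - guess) for p in system]
        if s - guess == 0:
            candidates = [[0] * n] if not any(cut_system) else []
        else:
            candidates = linear_solutions(cut_system, n)
        for b in candidates:
            a = [bi ^ int(i in Iset) for i, bi in enumerate(b)]   # undo the shift
            if satisfies(system, a):
                return a
    return None


def build_system(n, m, key, seed=2007):
    """Constructed dense system (every monomial with probability 1/2) with `key` planted
    as a solution by fixing each constant term."""
    rng = random.Random(seed)
    monomials = [frozenset(i for i in range(n) if u >> i & 1) for u in range(1, 1 << n)]
    system = []
    for _ in range(m):
        p = frozenset(mo for mo in monomials if rng.random() < 0.5)
        if evaluate(p, key):
            p = p ^ ONE
        system.append(p)
    return system
```

With guess = 2 the work per guess is one Gaussian elimination on the linear parts, and with guess = 3 it is a test of the constant terms only; both return a solution of the full system, and the constant-only variant is exactly the trial-key search of the slide.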

Conclusion. More problems in mathematics, science and engineering wait for new, perhaps specialized, applications of Gröbner bases. We considered real-life challenges coming from formal verification (in collaboration with electrical engineers) and from crypto systems. We considered improvements for GB computations over weak factorial rings (new s-polynomials, new criteria), by special data structures (PolyBoRi) and by specialized algorithms (using symmetry). By using these we showed that Gröbner bases are comparable to state-of-the-art SAT solvers in verification, and that they can be used to rewrite crypto systems in the key variables only, for better algebraic attacks on AES.