Solving Non-Linear Random Sparse Equations over Finite Fields

Size: px

Start display at page:

Download "Solving Non-Linear Random Sparse Equations over Finite Fields"

Shauna Hart
7 years ago
Views:

1 Solving Non-Linear Random Sparse Equations over Finite Fields Thorsten Schilling UiB May 6, 2009 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

2 Motivation Algebraic Cryptanalysis Algebraic Cryptanalysis Express cipher as system of equations Well known examples: AES, DES, Trivium etc. Obtaining solution to systems might break cipher Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

3 Motivation Algebraic Cryptanalysis l-sparse Equation System f 1 (X 1 ) = 0, f 2 (X 2 ) = 0,..., f m (X m ) = 0 X i X X i l Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

4 Motivation Example Example Trivium 80 bits IV, 80 bits key 288 bits internal state Output bit is linear combination of state bits Overall very simple design Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

5 Motivation Example Example Trivium (2) Expressed as equation system a i = c i 66 + c i c i 110 c i a i 69 b i = a i 66 + a i 93 + a i 92 a i 91 + b i 78 c i = b i 69 + b i 84 + b i 83 b i 82 + c i 87 Output bit z i z i = c i 66 + c i a i 66 + a i 93 + b i 69 + b i 84 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

6 Motivation Example Example Trivium (2) Expressed as equation system a i = c i 66 + c i c i 110 c i a i 69 b i = a i 66 + a i 93 + a i 92 a i 91 + b i 78 c i = b i 69 + b i 84 + b i 83 b i 82 + c i 87 Output bit z i z i = c i 66 + c i a i 66 + a i 93 + b i 69 + b i 84 For state recovery solve system: 6-sparse 951 variables 663 quadric equations, 288 linear Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

7 Solving Strategies Introduction Solving Strategies Linearization Gröbner Basis Algorithms Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

8 Solving Strategies Introduction Solving Strategies Linearization Gröbner Basis Algorithms SAT-Solving Is φ = (x i x j... x k )... (x u x v... x w ) SAT? Theoretical worst case bounds [Iwama,04]: sparsity worst case n n n n Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

9 Solving Strategies Introduction Solving Strategies Linearization Gröbner Basis Algorithms SAT-Solving Is φ = (x i x j... x k )... (x u x v... x w ) SAT? Theoretical worst case bounds [Iwama,04]: sparsity worst case n n n n Gluing & Agreeing [Raddum, Semaev] Expected Running Times: sparsity Gluing[Semaev,WCC 07] n n n n Agr.-Gluing[Semaev,ACCT 08] n n n n Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

10 Solving Strategies SAT-solving SAT-solving - DPLL/Davis-Putnam-Logemann-Loveland General structure of the algorithm (input φ in CNF): Extend a partial guess Propagate information Clause Resolution Backtrack if a conflict was detected Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

11 Solving Strategies SAT-solving Past Major Enhancements Algorithmic [Silvia, Sakallah 1996] Non-chronological backtracking Conflict clauses Technical Watched literals [Moskewicz et. al. 2001] Instance specific Guessing heuristics Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

12 Gluing & Agreeing Introduction A New Approach Generalization of a backtracking solving method for sparse non-linear equation systems over finite fields CNF-instances are specialization Exploit sparsity of equations Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

13 Gluing & Agreeing Representation Equation as Symbol f (X i ) = 0 as pair of sets S i = (X i, V i ) X i variables in which the equation is defined V i its satisfying vectors/assignments Random equation over F 2 expected V i = 2 X i 1 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

14 Gluing & Agreeing Representation Equation as Symbol f (X i ) = 0 as pair of sets S i = (X i, V i ) X i variables in which the equation is defined V i its satisfying vectors/assignments Random equation over F 2 expected V i = 2 X i 1 Example: becomes f e (x 1, x 2, x 3 ) = x 1 x 2 x 3 = 0 S e x 1 x 2 x 3 a a a a Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

15 Gluing & Agreeing Fundamental Operations Gluing Create new symbol S 1 S 2 = (X 1 X 2, U) from two symbols S 1, S 2 where U = {(a 1, b, a 2 ) (a 1, b) V 1 and (b, a 2 ) V 2 } Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

16 Gluing & Agreeing Fundamental Operations Gluing Create new symbol S 1 S 2 = (X 1 X 2, U) from two symbols S 1, S 2 where Example: U = {(a 1, b, a 2 ) (a 1, b) V 1 and (b, a 2 ) V 2 } S a a a a S b b b = S 0 S c c c Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

17 Gluing & Agreeing Fundamental Operations Agreeing Delete from symbols S 1, S 2 vectors whose projections do not match in their common variables X 1 X 2. If symbol gets empty contradiction. Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

18 Gluing & Agreeing Fundamental Operations Agreeing Delete from symbols S 1, S 2 vectors whose projections do not match in their common variables X 1 X 2. If symbol gets empty contradiction. Example: S a a a a , S b b b become S a , S b b b Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

19 Gluing & Agreeing Fundamental Operations Gluing-Agreeing Algorithm Glue intermediate symbol with another symbol, then agree the intermediate equation system. Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

20 Gluing & Agreeing Agreeing2 Agreeing2 Aim: Reduce number of steps for Agreeing Addresses of common projections stored as tuples S a a a a , S b b b b {a 0, a 1, a 2 ; b 0 }, {a 3 ; b 1, b 2, b 3 } Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

21 Gluing & Agreeing Agreeing2 Mark groups of common projections Example: a 0, a 1, a 3 marked b 1, b 2, b 3 marked {a 0, a 1, a 2 ; b 0 }, {a 3 ; b 1, b 2, b 3 } S a a a a , S b b b b { a 0, a 1, a 2 ; b 0 }, { a 3 ; b 1, b 2, b 3 } S a , S b Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

22 Gluing & Agreeing Agreeing2 Agreeing2 Advantages Information propagation through tuples Asymptotically faster Overhead for reading and writing decreases Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

23 Dynamic Gluing Continuos Implicit Agreeing Continous Implicit Agreeing Tree search through possible Gluings Works only on tuple markings Keep obtained knowledge Persistent marking Flexible in the Gluing order Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

24 Dynamic Gluing Continuos Implicit Agreeing General Algorithm 1 Pick symbol 2 Mark all yet unmarked assignments, except one Guess assignment 3 Run Agreeing2 4 Backtrack on contradiction Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

25 Dynamic Gluing Guessing Heuristics vs. Sorting Guessing Heuristics Which symbol keeps search tree narrow Gluing complexity roughly 2 max i X (i) i sort and keep X (i) i = X 0 X 1... X i i low Better: choose symbol with smallest V i (only unmarked assignments) Other heuristics possible, e.g. maximum X i / V i etc. Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

26 Results Example Result n = m = 150, l = 5 MiniSAT dynglue Decisions 6844 Guesses 1549 Conflicts 5046 Contradictions 280 Propagations Tuple Propagations Time 0.15s Time 0.08s Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

27 Open Questions Open Questions Conflict handling Learning Dynamic Static Heuristics Random systems Equation systems from ciphers Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, / 21

Satisfiability Checking

Satisfiability Checking SAT-Solving Prof. Dr. Erika Ábrahám Theory of Hybrid Systems Informatik 2 WS 10/11 Prof. Dr. Erika Ábrahám - Satisfiability Checking 1 / 40 A basic SAT algorithm Assume the CNF