Solving Non-Linear Random Sparse Equations over Finite Fields

Similar documents
Satisfiability Checking

APP INVENTOR. Test Review

University of Potsdam Faculty of Computer Science. Clause Learning in SAT Seminar Automatic Problem Solving WS 2005/06

Design of LDPC codes

CS510 Software Engineering

npsolver A SAT Based Solver for Optimization Problems

Heuristics for Dynamically Adapting Constraint Propagation in Constraint Programming

COLLEGE ALGEBRA 10 TH EDITION LIAL HORNSBY SCHNEIDER 1.1-1

Block Ciphers that are Easier to Mask: How Far Can we Go?

Common Patterns and Pitfalls for Implementing Algorithms in Spark. Hossein

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

A Numerical Study on the Wiretap Network with a Simple Network Topology

Closest Pair Problem

Data Structure [Question Bank]

Discuss the size of the instance for the minimum spanning tree problem.

Load Balancing. Load Balancing 1 / 24

Integer Factorization using the Quadratic Sieve

Improved Differential Fault Attack on MICKEY 2.0

Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT

Logic in general. Inference rules and theorem proving

Linear Equations in One Variable

B-Trees. Algorithms and data structures for external memory as opposed to the main memory B-Trees. B -trees

11 Multivariate Polynomials

Chapter 13: Query Processing. Basic Steps in Query Processing

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

CS Introduction to Data Mining Instructor: Abdullah Mueen

Previous Lectures. B-Trees. External storage. Two types of memory. B-trees. Main principles

MPBO A Distributed Pseudo-Boolean Optimization Solver

Optimizing Description Logic Subsumption

Physical Data Organization

Cpt S 223. School of EECS, WSU

Questions 1 through 25 are worth 2 points each. Choose one best answer for each.

Y. Xiang, Constraint Satisfaction Problems

Practical Survey on Hash Tables. Aurelian Țuțuianu

Between Restarts and Backjumps

Regression Verification: Status Report

Lecture 2: Universality

DATA ANALYSIS II. Matrix Algorithms

Short Programs for functions on Curves

Search Taxonomy. Web Search. Search Engine Optimization. Information Retrieval

A hybrid approach for solving real-world nurse rostering problems

Arithmetic Coding: Introduction

1. The memory address of the first element of an array is called A. floor address B. foundation addressc. first address D.

Adaptive Tolerance Algorithm for Distributed Top-K Monitoring with Bandwidth Constraints

Computer Science MS Course Descriptions

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Bounded Treewidth in Knowledge Representation and Reasoning 1

Table of Contents. Bibliografische Informationen digitalisiert durch

7. LU factorization. factor-solve method. LU factorization. solving Ax = b with A nonsingular. the inverse of a nonsingular matrix

Lecture 3: Finding integer solutions to systems of linear equations

Solutions to Problem Set 1

Nonlinear Iterative Partial Least Squares Method

Rethinking SIMD Vectorization for In-Memory Databases

MAC. SKE in Practice. Lecture 5

SkyRecon Cryptographic Module (SCM)

Conjugating data mood and tenses: Simple past, infinite present, fast continuous, simpler imperative, conditional future perfect

Randomized algorithms

Memory Efficient All-Solutions SAT Solver and Its Application for Reachability Analysis

Linear Codes. Chapter Basics

Chapter 6: Episode discovery process

5. A full binary tree with n leaves contains [A] n nodes. [B] log n 2 nodes. [C] 2n 1 nodes. [D] n 2 nodes.

Programming Exercise 3: Multi-class Classification and Neural Networks

On Boolean Ideals and Varieties with Application to Algebraic Attacks

Theoretical Computer Science (Bridging Course) Complexity

The Geometry of Polynomial Division and Elimination

Efficient Recovery of Secrets

Chapter 6 Quantum Computing Based Software Testing Strategy (QCSTS)

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

A Tool for Generating Partition Schedules of Multiprocessor Systems

1 Data Encryption Algorithm

10/27/14. Streaming & Sampling. Tackling the Challenges of Big Data Big Data Analytics. Piotr Indyk

How To Model A System

Unit 7 Quadratic Relations of the Form y = ax 2 + bx + c

Solving simultaneous equations using the inverse matrix

The Bi-Objective Pareto Constraint

Complexity Theory. IE 661: Scheduling Theory Fall 2003 Satyaki Ghosh Dastidar

Guessing Game: NP-Complete?

Genetic Algorithms commonly used selection, replacement, and variation operators Fernando Lobo University of Algarve

Probability Using Dice

Healthcare data analytics. Da-Wei Wang Institute of Information Science

Application of cube attack to block and stream ciphers

Information, Entropy, and Coding

DATABASE DESIGN - 1DL400

IMPROVING PERFORMANCE OF RANDOMIZED SIGNATURE SORT USING HASHING AND BITWISE OPERATORS

Removing Partial Inconsistency in Valuation- Based Systems*

LDPC Codes: An Introduction

Abstract Data Type. EECS 281: Data Structures and Algorithms. The Foundation: Data Structures and Abstract Data Types

How to make the computer understand? Lecture 15: Putting it all together. Example (Output assembly code) Example (input program) Anatomy of a Computer

BOĞAZİÇİ UNIVERSITY COMPUTER ENGINEERING

Performance Test of Local Search Algorithms Using New Types of

Chapter 7: Functional Programming Languages

CSE 326: Data Structures B-Trees and B+ Trees

Searching Algorithms

Improving SAT-Based Weighted MaxSAT Solvers CP 2012 (Quebec)

1 Review of Newton Polynomials

GRASP: A Search Algorithm for Propositional Satisfiability

Network coding for security and robustness

Fast Contextual Preference Scoring of Database Tuples

Lecture Note 8 ATTACKS ON CRYPTOSYSTEMS I. Sourav Mukhopadhyay

Transcription:

Solving Non-Linear Random Sparse Equations over Finite Fields Thorsten Schilling UiB May 6, 2009 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 1 / 21

Motivation Algebraic Cryptanalysis Algebraic Cryptanalysis Express cipher as system of equations Well known examples: AES, DES, Trivium etc. Obtaining solution to systems might break cipher Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 2 / 21

Motivation Algebraic Cryptanalysis l-sparse Equation System f 1 (X 1 ) = 0, f 2 (X 2 ) = 0,..., f m (X m ) = 0 X i X X i l Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 3 / 21

Motivation Example Example Trivium 80 bits IV, 80 bits key 288 bits internal state Output bit is linear combination of state bits Overall very simple design Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 4 / 21

Motivation Example Example Trivium (2) Expressed as equation system a i = c i 66 + c i 111 + c i 110 c i 109 + a i 69 b i = a i 66 + a i 93 + a i 92 a i 91 + b i 78 c i = b i 69 + b i 84 + b i 83 b i 82 + c i 87 Output bit z i z i = c i 66 + c i 111 + a i 66 + a i 93 + b i 69 + b i 84 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 5 / 21

Motivation Example Example Trivium (2) Expressed as equation system a i = c i 66 + c i 111 + c i 110 c i 109 + a i 69 b i = a i 66 + a i 93 + a i 92 a i 91 + b i 78 c i = b i 69 + b i 84 + b i 83 b i 82 + c i 87 Output bit z i z i = c i 66 + c i 111 + a i 66 + a i 93 + b i 69 + b i 84 For state recovery solve system: 6-sparse 951 variables 663 quadric equations, 288 linear Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 5 / 21

Solving Strategies Introduction Solving Strategies Linearization Gröbner Basis Algorithms Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 6 / 21

Solving Strategies Introduction Solving Strategies Linearization Gröbner Basis Algorithms SAT-Solving Is φ = (x i x j... x k )... (x u x v... x w ) SAT? Theoretical worst case bounds [Iwama,04]: sparsity 3 4 5 6 worst case 1.324 n 1.474 n 1.569 n 1.637 n Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 6 / 21

Solving Strategies Introduction Solving Strategies Linearization Gröbner Basis Algorithms SAT-Solving Is φ = (x i x j... x k )... (x u x v... x w ) SAT? Theoretical worst case bounds [Iwama,04]: sparsity 3 4 5 6 worst case 1.324 n 1.474 n 1.569 n 1.637 n Gluing & Agreeing [Raddum, Semaev] Expected Running Times: sparsity 3 4 5 6 Gluing[Semaev,WCC 07] 1.262 n 1.355 n 1.425 n 1.479 n Agr.-Gluing[Semaev,ACCT 08] 1.113 n 1.205 n 1.276 n 1.334 n Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 6 / 21

Solving Strategies SAT-solving SAT-solving - DPLL/Davis-Putnam-Logemann-Loveland General structure of the algorithm (input φ in CNF): Extend a partial guess Propagate information Clause Resolution Backtrack if a conflict was detected Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 7 / 21

Solving Strategies SAT-solving Past Major Enhancements Algorithmic [Silvia, Sakallah 1996] Non-chronological backtracking Conflict clauses Technical Watched literals [Moskewicz et. al. 2001] Instance specific Guessing heuristics Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 8 / 21

Gluing & Agreeing Introduction A New Approach Generalization of a backtracking solving method for sparse non-linear equation systems over finite fields CNF-instances are specialization Exploit sparsity of equations Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 9 / 21

Gluing & Agreeing Representation Equation as Symbol f (X i ) = 0 as pair of sets S i = (X i, V i ) X i variables in which the equation is defined V i its satisfying vectors/assignments Random equation over F 2 expected V i = 2 X i 1 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 10 / 21

Gluing & Agreeing Representation Equation as Symbol f (X i ) = 0 as pair of sets S i = (X i, V i ) X i variables in which the equation is defined V i its satisfying vectors/assignments Random equation over F 2 expected V i = 2 X i 1 Example: becomes f e (x 1, x 2, x 3 ) = x 1 x 2 x 3 = 0 S e x 1 x 2 x 3 a 0 0 0 0 a 1 0 1 0 a 2 1 0 0 a 3 1 1 1 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 10 / 21

Gluing & Agreeing Fundamental Operations Gluing Create new symbol S 1 S 2 = (X 1 X 2, U) from two symbols S 1, S 2 where U = {(a 1, b, a 2 ) (a 1, b) V 1 and (b, a 2 ) V 2 } Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 11 / 21

Gluing & Agreeing Fundamental Operations Gluing Create new symbol S 1 S 2 = (X 1 X 2, U) from two symbols S 1, S 2 where Example: U = {(a 1, b, a 2 ) (a 1, b) V 1 and (b, a 2 ) V 2 } S 0 1 2 3 a 0 0 0 0 a 1 0 1 0 a 2 1 0 0 a 3 1 1 1 S 1 3 4 5 b 0 1 0 0 b 1 1 0 1 b 2 1 1 1 = S 0 S 1 1 2 3 4 5 c 1 1 1 1 0 0 c 2 1 1 1 0 1 c 3 1 1 1 1 1 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 11 / 21

Gluing & Agreeing Fundamental Operations Agreeing Delete from symbols S 1, S 2 vectors whose projections do not match in their common variables X 1 X 2. If symbol gets empty contradiction. Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 12 / 21

Gluing & Agreeing Fundamental Operations Agreeing Delete from symbols S 1, S 2 vectors whose projections do not match in their common variables X 1 X 2. If symbol gets empty contradiction. Example: S 0 1 2 3 a 0 0 0 0 a 1 0 1 0 a 2 1 0 0 a 3 1 1 1, S 1 3 4 5 b 0 1 0 0 b 1 1 0 1 b 2 1 1 1 become S 0 1 2 3 a 3 1 1 1, S 1 3 4 5 b 0 1 0 0 b 1 1 0 1 b 2 1 1 1 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 12 / 21

Gluing & Agreeing Fundamental Operations Gluing-Agreeing Algorithm Glue intermediate symbol with another symbol, then agree the intermediate equation system. Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 13 / 21

Gluing & Agreeing Agreeing2 Agreeing2 Aim: Reduce number of steps for Agreeing Addresses of common projections stored as tuples S 0 1 2 3 a 0 0 0 0 a 1 0 1 0 a 2 1 0 0 a 3 1 1 1, S 1 3 4 5 b 0 0 0 0 b 1 1 0 0 b 2 1 0 1 b 3 1 1 1 {a 0, a 1, a 2 ; b 0 }, {a 3 ; b 1, b 2, b 3 } Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 14 / 21

Gluing & Agreeing Agreeing2 Mark groups of common projections Example: a 0, a 1, a 3 marked b 1, b 2, b 3 marked {a 0, a 1, a 2 ; b 0 }, {a 3 ; b 1, b 2, b 3 } S 0 1 2 3 a 0 0 0 0 a 1 0 1 0 a 2 1 0 0 a 3 1 1 1, S 1 3 4 5 b 0 0 0 0 b 1 1 0 0 b 2 1 0 1 b 3 1 1 1 { a 0, a 1, a 2 ; b 0 }, { a 3 ; b 1, b 2, b 3 } S 0 1 2 3 a 2 1 0 0, S 1 3 4 5 b 0 0 0 0 Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 15 / 21

Gluing & Agreeing Agreeing2 Agreeing2 Advantages Information propagation through tuples Asymptotically faster Overhead for reading and writing decreases Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 16 / 21

Dynamic Gluing Continuos Implicit Agreeing Continous Implicit Agreeing Tree search through possible Gluings Works only on tuple markings Keep obtained knowledge Persistent marking Flexible in the Gluing order Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 17 / 21

Dynamic Gluing Continuos Implicit Agreeing General Algorithm 1 Pick symbol 2 Mark all yet unmarked assignments, except one Guess assignment 3 Run Agreeing2 4 Backtrack on contradiction Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 18 / 21

Dynamic Gluing Guessing Heuristics vs. Sorting Guessing Heuristics Which symbol keeps search tree narrow Gluing complexity roughly 2 max i X (i) i sort and keep X (i) i = X 0 X 1... X i i low Better: choose symbol with smallest V i (only unmarked assignments) Other heuristics possible, e.g. maximum X i / V i etc. Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 19 / 21

Results Example Result n = m = 150, l = 5 MiniSAT dynglue Decisions 6844 Guesses 1549 Conflicts 5046 Contradictions 280 Propagations 120239 Tuple Propagations 541128 Time 0.15s Time 0.08s Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 20 / 21

Open Questions Open Questions Conflict handling Learning Dynamic Static Heuristics Random systems Equation systems from ciphers Thorsten Schilling (UiB) Solving Equations over Finite Fields May 6, 2009 21 / 21

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information