Introduction
description
Transcript of Introduction
Algebraic Attack on Stream Ciphers
MSIS 7 IS department MCS NUST
In this type of attack which is applicable both to stream ciphers and block ciphers, ciphers are rewritten to systems of multivariate equations
Solving the system of equations will give unknown
Thus in short An algebraic attack consists of these two steps:◦ Set up system of equations in key bits and
output bits◦ Solve it
Introduction
Algebraic equations of LFSR
Algebraic equations of LFSR
Algebraic equations of LFSR
Algebraic equations of LFSR with combiner function
Algebraic equations of LFSR with combiner function
Using direct algebraic approach we can derive equations in key bits k0, k1,…. kn-1 as
Algebraic equations of LFSR with combiner function
In general we cannot expect to find an efficient solver for all kinds of systems of equations.
But the situation changes if the system is over defined.
In these cases the linearization is used. This method has the advantage of solving an over-defined system of nonlinear equations in polynomial time if enough linearly independent equations are given. Principle for the Linearization algorithm is:◦ Use an over-defined equation◦ Replace each monomial with a new variable◦ Solve as linear system
Algebraic equations of LFSR with combiner function
In general we cannot expect to find an efficient solver for all kinds of systems of equations.
But the situation changes if the system is over defined.
In these cases the linearization is used. This method has the advantage of solving an over-defined system of nonlinear equations in polynomial time if enough linearly independent equations are given. Principle for the Linearization algorithm is:◦ Use an over-defined equation◦ Replace each monomial with a new variable◦ Solve as linear system
LinearizationExample Solve following quadratic equation of
GF(7)
x2 +4y2 + z2 +5xy +2xz +6yz +5x +3y +5z +1 = 03x2 +2y2 +3z2 +4xy +6xz +2yz +6x +4y +3z +2 = 02x2 +3y2 +2z2 +5xy +2yz + 4x + y + z + 4 = 06x2 +3y2 +3z2 +5xz + yz + 5y + 2z + 2 = 0
Linearizationx2 y2 z2 xy xz yz A B C D E F A +4B + C +5D +2E +6F +5x +3y +5z +1 = 03A +2B +3C +4D +6E +2F +6x +4y +3z +2 = 02A +3B +2C +5D +2F + 4x + y + z + 4 = 06A +3B +3C +5E + F + 5y + 2z + 2 = 0
Add Extra Equations # {variables} >> # {equations}
There are too many solutions to the system of linear equations.
Add relations of new variables to reduce the number of solutions. For example, Dz = Ey = Fx [since (xy)z = (xz)y = (yz)x] Ay = Dx , ... [since (x2)y = (xy)x, ...] DE = AF , ... [since (xy)(xz) = (x2)(yz), ...]
Relinearization Consider each quadratic monomial as a new
variable and linearize again. In general, with more variables: (ab)(cd ) = (ac)(bd ) = (ad )(bc) (ab)(cd )(ef ) = (ad )(cf )(eb) = … This idea was used by: Kipnis and Shamir,
Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization, Crypto '99, LNCS 1666, pp. 19-30.
Relinearization is not as efficient as expected.
XL EXtended Linearization Previous system of quadratic equations:
l1 : x2 +4y2 + z2 +5xy +2xz +6yz +5x +3y +5z +1 = 0l2 : 3x2 +2y2 +3z2 +4xy +6xz +2yz +6x +4y +3z +2 = 0l3 : 2x2 +3y2 +2z2 +5xy +2yz + 4x + y + z + 4 = 0l4 : 6x2 +3y2 +3z2 +5xz + yz + 5y + 2z + 2 = 0
Try degree D = 3: Multiply each li by x, y, z respectively. Linearize: Consider all monomials as variables.
How many equations now? 44 = 16 And Number of variables = 20
Matrix of Coefficientsx2y x2z xy2 xyz xz2 y2z yz2 xy xz yz x3 x2 x y3 y2 y z3 z2 z 1 0 0 0 0 0 0 0 5 2 6 0 1 5 0 4 3 0 1 5 1 0 0 0 0 0 0 0 4 6 2 0 3 6 0 2 4 0 3 3 2 0 0 0 0 0 0 0 5 0 2 0 2 4 0 3 1 0 2 1 4 0 0 0 0 0 0 0 0 5 1 0 6 0 0 3 5 0 3 2 2 5 2 4 6 1 0 0 3 5 0 1 5 1 0 0 0 0 0 0 0 1 0 5 2 0 6 1 5 0 5 0 0 0 4 3 1 0 0 0 0 0 1 0 5 2 4 6 0 5 3 0 0 0 0 0 0 1 5 1 0 4 6 2 2 3 0 0 4 3 0 3 6 2 0 0 0 0 0 0 0 3 0 4 6 0 2 3 6 0 3 0 0 0 2 4 2 0 0 0 0 0 3 0 4 6 2 2 0 6 4 0 0 0 0 0 0 3 3 2 0 5 0 3 2 2 0 0 1 1 0 2 4 4 0 0 0 0 0 0 0 2 0 5 0 0 2 2 4 0 1 0 0 0 3 1 4 0 0 0 0 0 2 0 5 0 3 2 0 4 1 0 0 0 0 0 0 2 1 4 0 0 5 3 1 3 0 0 5 2 0 6 0 2 0 0 0 0 0 0 0 6 0 0 5 0 1 3 0 0 2 0 0 0 3 5 2 0 0 0 0 0 6 0 0 5 3 1 0 0 5 0 0 0 0 0 0 3 2 2 0
Gaussian Elimination x2y x2z xy2 xyz xz2 y2z yz2 xy xz yz x3 x2 x y3 y2 y z3 z2 z 1 5 2 4 6 1 0 0 3 5 0 1 5 1 0 0 0 0 0 0 0 0 1 0 5 4 6 1 3 6 5 4 6 4 4 3 1 0 0 0 0 0 0 3 6 0 3 4 1 2 6 0 5 6 2 5 4 0 0 0 0 0 0 0 1 0 2 3 4 5 3 0 2 1 2 4 2 0 0 0 0 0 0 0 0 5 5 5 4 6 5 3 1 3 3 4 6 1 5 1 0 0 0 0 0 0 5 3 2 4 0 0 1 4 1 2 1 0 2 6 0 0 0 0 0 0 0 6 4 2 0 5 1 5 6 5 6 1 0 0 0 0 0 0 0 0 0 0 5 0 2 0 2 4 0 3 1 0 2 1 4 0 0 0 0 0 0 0 0 5 1 0 6 0 0 3 5 0 3 2 2 0 0 0 0 0 0 0 0 0 2 0 4 0 0 3 0 0 2 4 2 0 0 0 0 0 0 0 0 0 0 6 0 6 3 1 0 4 1 6 1 0 0 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 4 3 1 0 0 0 0 0 0 0 0 0 0 0 0 3 1 2 4 2 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 4 6 0 0 1 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 3 6 1 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 5 2 1 6
XL Algorithm The last row in the previous matrix represents 5z3 +
2z2 + z + 6 = 0. Its solutions in GF(7) are z = 1, z = 2, and z = 5.
Solve the remaining variables recursively: 2 row: 6y2 + 3y + 6z3 + z2 + 5z + 5 = 0 4 row: 3x + y3 + 2y2 + 4y + 2z3 + z = 0
Use other equations to erase all extraneous solutions.
This system has a unique solution: x = 1 , y = 3 , and z = 5.
Gaussian Elimination
XL Algorithm The complexity of the algorithm mainly depends on the
time it takes to row reduce the final matrix. Therefore the number of equations and distinct monomials in the expanded system will determine the complexity.
The authors of XL claimed that their algorithm solves a randomly generated system of polynomial equations in sub-exponential time when the number of equations slightly exceeds the number of variables. These claims are still impractical but better than the theoretical worst case.
Complexity of the attack
Algebraic Attacks If we can set up a true system of lower degree
r < d complexity becomes smaller,
So need is to decrease the degree of the system
Annihilators of a function Let f(x1; x2; x3) = x1x2 +x2x3 +x3
Let and
0.,,, gfiffofrannihilatoisgthenfunctionsBooleanbeBgf n
}0.|{)( gfBgfAn n
Attack using Annihilators
Attack using Annihilators
A=
Fast algebraic attacks: reducing thedegree