ALGORITHMS FOR SOLVING LINEAR AND POLYNOMIAL ...

More documents

Recommendations

Info

Table of ContentsList of TablesList of FiguresList of Abbreviationsxvxviixix1 Summary 1I Polynomial Systems 52 An Extended Example: The Block-Cipher Keeloq 62.1 Special Acknowledgment of Joint Work . . . . . . . . . . . . . . . . . 72.2 Notational Conventions and Terminology . . . . . . . . . . . . . . . . 72.3 The Formulation of Keeloq . . . . . . . . . . . . . . . . . . . . . . . . 82.3.1 What is Algebraic Cryptanalysis? . . . . . . . . . . . . . . . . 82.3.2 The CSP Model . . . . . . . . . . . . . . . . . . . . . . . . . . 82.3.3 The Keeloq Specification . . . . . . . . . . . . . . . . . . . . . 92.3.4 Modeling the Non-linear Function . . . . . . . . . . . . . . . . 102.3.5 I/O Relations and the NLF . . . . . . . . . . . . . . . . . . . 112.3.6 Disposing of the Secret Key Shift-Register . . . . . . . . . . . 122.3.7 Describing the Plaintext Shift-Register . . . . . . . . . . . . . 122.3.8 The Polynomial System of Equations . . . . . . . . . . . . . . 132.3.9 Variable and Equation Count . . . . . . . . . . . . . . . . . . 142.3.10 Dropping the Degree to Quadratic . . . . . . . . . . . . . . . 142.3.11 Fixing or Guessing Bits in Advance . . . . . . . . . . . . . . . 162.3.12 The Failure of a Frontal Assault . . . . . . . . . . . . . . . . . 162.4 Our Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.4.1 A Particular Two Function Representation . . . . . . . . . . . 182.4.2 Acquiring an f (8)k-oracle . . . . . . . . . . . . . . . . . . . . . 182.4.3 The Consequences of Fixed Points . . . . . . . . . . . . . . . . 192.4.4 How to Find Fixed Points . . . . . . . . . . . . . . . . . . . . 202.4.5 How far must we search? . . . . . . . . . . . . . . . . . . . . . 222.4.6 Fraction of Plainspace Required . . . . . . . . . . . . . . . . . 232.4.7 Comparison to Brute Force . . . . . . . . . . . . . . . . . . . 252.4.8 Some Lemmas . . . . . . . . . . . . . . . . . . . . . . . . . . . 262.4.9 Cycle Lengths in a Random Permutation . . . . . . . . . . . . 292.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322.6 A Note about Keeloq’s Utilization . . . . . . . . . . . . . . . . . . . . 34xi
3 Converting MQ to CNF-SAT 353.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353.2 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363.2.1 Application to Cryptanalysis . . . . . . . . . . . . . . . . . . . 373.3 Notation and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 393.4 Converting MQ to SAT . . . . . . . . . . . . . . . . . . . . . . . . . . 403.4.1 The Conversion . . . . . . . . . . . . . . . . . . . . . . . . . . 403.4.1.1 Minor Technicality . . . . . . . . . . . . . . . . . . . 403.4.2 Measures of Efficiency . . . . . . . . . . . . . . . . . . . . . . 433.4.3 Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . 453.4.4 Fixing Variables in Advance . . . . . . . . . . . . . . . . . . . 463.4.4.1 Parallelization . . . . . . . . . . . . . . . . . . . . . 483.4.5 SAT-Solver Used . . . . . . . . . . . . . . . . . . . . . . . . . 483.4.5.1 Note About Randomness . . . . . . . . . . . . . . . 483.5 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . . . . . 493.5.1 The Source of the Equations . . . . . . . . . . . . . . . . . . . 503.5.2 The Log-Normal Distribution of Running Times . . . . . . . . 503.5.3 The Optimal Cutting Number . . . . . . . . . . . . . . . . . . 523.5.4 Comparison with MAGMA, Singular . . . . . . . . . . . . . . 553.6 Previous Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573.8 Cubic Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573.9 NP-Completeness of MQ . . . . . . . . . . . . . . . . . . . . . . . . . 604 How do SAT-Solvers Operate? 624.1 The Problem Itself . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624.1.1 Conjunctive Normal Form . . . . . . . . . . . . . . . . . . . . 634.2 Chaff and its Descendants . . . . . . . . . . . . . . . . . . . . . . . . 644.2.1 Variable Management . . . . . . . . . . . . . . . . . . . . . . . 644.2.2 The Method of Watched Literals . . . . . . . . . . . . . . . . 664.2.3 How to Actually Make This Happen . . . . . . . . . . . . . . 664.2.4 Back-Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . 684.3 Enhancements to Chaff . . . . . . . . . . . . . . . . . . . . . . . . . . 704.3.1 Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704.3.2 The Alarm Clock . . . . . . . . . . . . . . . . . . . . . . . . . 714.3.3 The Third Finger . . . . . . . . . . . . . . . . . . . . . . . . . 714.4 Walk-SAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724.5 Economic Motivations . . . . . . . . . . . . . . . . . . . . . . . . . . 72II Linear Systems 745 The Method of Four Russians 755.1 Origins and Previous Work . . . . . . . . . . . . . . . . . . . . . . . . 765.1.1 Strassen’s Algorithm . . . . . . . . . . . . . . . . . . . . . . . 77xii
Page 1 and 2: ABSTRACTTitle of dissertation:ALGOR
Page 3 and 4: ALGORITHMS FOR SOLVING LINEAR AND P
Page 5 and 6: PrefacePigmaei gigantum humeris imp
Page 7 and 8: ForewordThe ignoraunte multitude do
Page 9 and 10: AcknowledgmentsI am deeply indebted
Page 11 and 12: NSF grant for the Sage project [sag
Page 13: for many years and taught me matric
Page 17 and 18: 6.4.4 The Conservative Algorithm .
Page 19 and 20: B.1 Algorithms and Performance, for
Page 21 and 22: List of Algorithms1 Method of Four
Page 23 and 24: Chapter 1SummaryGenerally speaking,
Page 25 and 26: adopted the author’s software lib
Page 27 and 28: Part IPolynomial Systems5
Page 29 and 30: 2.1 Special Acknowledgment of Joint
Page 31 and 32: Figure 2.1: The Keeloq Circuit Diag
Page 33 and 34: around regions of ones of size 32,
Page 35 and 36: the bit generated in the 528th and
Page 37 and 38: β = aeSince the non-linear functio
Page 39 and 40: were an obvious failure, and so we
Page 41 and 42: 2.4.3 The Consequences of Fixed Poi
Page 43 and 44: points. If it is the case that f k
Page 45 and 46: 2.4.6 Fraction of Plainspace Requir
Page 47 and 48: Then we can apply the probability d
Page 49 and 50: e the case for all block ciphers. T
Page 51 and 52: Thus h has p fixed points with prob
Page 53 and 54: expected points. Since we require f
Page 55 and 56: too long, we may elect to “guess
Page 57 and 58: Chapter 3Converting MQ to CNF-SAT3.
Page 59 and 60: Another NP-hard problem is finding
Page 61 and 62: 3.3 Notation and DefinitionsAn inst
Page 63 and 64: Step One: From a Polynomial System
Page 65 and 66:
x 1 + x 2 + x 3 + y 1 = 0y 1 + x 6
Page 67 and 68:
Table 3.1 CNF Expression Difficulty
Page 69 and 70:
that a satisfying solution is found
Page 71 and 72:
andomness is seeded from a hash of
Page 73 and 74:
Figure 3.1: The Distribution of Run
Page 75 and 76:
takes only a few seconds. Furthermo
Page 77 and 78:
3.5.4 Comparison with MAGMA, Singul
Page 79 and 80:
systems of equations over finite fi
Page 81 and 82:
Table 3.4 CNF Expression Difficulty
Page 83 and 84:
polynomial equation. The number of
Page 85 and 86:
of variables, and the operators fro
Page 87 and 88:
variables). However, the original v
Page 89 and 90:
of variables that it contains.When
Page 91 and 92:
If the contradiction stack becomes
Page 93 and 94:
enough to produce a contradiction.I
Page 95 and 96:
those two simple examples).Over the
Page 97 and 98:
Chapter 5The Method of Four Russian
Page 99 and 100:
matrix without calculating the othe
Page 101 and 102:
exactly one bit in one position fro
Page 103 and 104:
5.3.1 Role of the Gray CodeThe Gray
Page 105 and 106:
Then substitute k = γ log n and ob
Page 107 and 108:
and putting matrix A in unit upper
Page 109 and 110:
(see Section 5.5 on page 92) that s
Page 111 and 112:
= (1 − 2 −n )(1 − 2 −n+1 )
Page 113 and 114:
Table 5.3 Probabilities of a Fair-C
Page 115 and 116:
time was trivially perturbed if the
Page 117 and 118:
Table 5.6 Percentage Error for Offs
Page 119 and 120:
so there may be no work to perform
Page 121 and 122:
calculation proceeds exactly as in
Page 123 and 124:
ank is 1 − l −2c . Since there
Page 125 and 126:
ond, 10, 000 × 10, 000, where M4RI
Page 127 and 128:
algorithm (the 18 matrix additions,
Page 129 and 130:
⎡⎤⎡⎤A =⎢⎣1 0 0 01 0 1 0
Page 131 and 132:
and P can be kept invertible. The d
Page 133 and 134:
Table 5.9 Trials between M4RI and G
Page 135 and 136:
Chapter 6An Impractical Method of A
Page 137 and 138:
6.2 The Algorithm over a Finite Rin
Page 139 and 140:
c(n/b) ω multiplies in the ring M
Page 141 and 142:
which is to be compared with∼ 4cn
Page 143 and 144:
yielding a time requirement of[ (ω
Page 145 and 146:
kind. (The all zero matrix has been
Page 147 and 148:
(∼ (1 + log 2 n)n 2 1 + o(1) )log
Page 149 and 150:
Table 6.2 Memory Required (in bits)
Page 151 and 152:
While the cases of matrix rings, fi
Page 153 and 154:
Appendix ASome Basic Facts about Li
Page 155 and 156:
not orthogonal. Thus the algorithm
Page 157 and 158:
Appendix BA Model for the Complexit
Page 159 and 160:
B.1.3Success and FailureThe model d
Page 161 and 162:
example, in a matrix multiplication
Page 163 and 164:
listed in Algorithm 10 on page 142,
Page 165 and 166:
allowing one to calculate, for a la
Page 167 and 168:
Appendix COn the Exponent of Certai
Page 169 and 170:
C.2.1Figure C.1: The Relationship o
Page 171 and 172:
If the original matrix is unit lowe
Page 173 and 174:
we can write[ ] [ ] [ ] [ ]Im/2 0 I
Page 175 and 176:
Proof: If A = LUP then det(A) = det
Page 177 and 178:
[BH74]J. Bunch and J. Hopcroft. Tri
Page 179 and 180:
[FMM03]C. Fiorini, E. Martinelli, a
Page 181:
[Rys57][sag][San79][Sch81]H. J. Rys
show all

ALGORITHMS FOR SOLVING LINEAR AND POLYNOMIAL ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?