ALGORITHMS FOR SOLVING LINEAR AND POLYNOMIAL ...

More documents

Recommendations

Info

with probability 3/4 for a random function GF(2) 5 → GF(2), and a random input.Heuristically, relations that are valid with low probability for a random functionand random input produce a more rapid narrowing of the keyspace in the sense ofa Constraint Satisfaction Problem or CSP. We are unaware of any attack on Keeloqthat uses this fact to its advantage.An example of the possibility of using I/O degree to take cryptanalytic advantageis the attack from the author’s joint paper on DES, with Nicolas T. Courtois,where the S-Boxes have I/O degree 2 but their actual closed-form formulas are ofhigher degree [CB06].2.3.6 Disposing of the Secret Key Shift-RegisterThe 64-bit shift-register containing the secret key rotates by one bit per round.Only one bit per round (the rightmost) is used during the encryption process. Furthermore,the key is not modified as it rotates. Therefore the key bit being used isthe same in round t, t + 64, t + 128, t + 192, . . .Therefore we can dispose of the key shift-register entirely. Denote k 63 , . . . , k 0the original secret key. The key bit used during round t is merely k t−1 mod 64 .2.3.7 Describing the Plaintext Shift-RegisterDenote as the initial condition of this shift-register as L 31 , . . . , L 0 . This correspondsto the plaintext P 31 , . . . , P 0 . Then in round 1, the values will move one placeto the right, and a new value will enter in the first bit. Call this new bit L 32 . Thus12
the bit generated in the 528th and thus last round will be L 559 . The ciphertext isthe final condition of this shift-register, which is L 559 , . . . , L 528 = C 31 , . . . , C 0 .A subtle change of index is useful here. The computation of L i , for 32 ≤ i ≤559, occurs during the round numbered t = i − 31. Thus the key bit used duringthe computation of L i is k i−32 mod . 642.3.8 The Polynomial System of EquationsThis now gives rise to the following system of equations.L i = P i ∀i ∈ [0, 31]L i = k i−32 mod 64 ⊕ L i−32 ⊕ L i−16 ⊕ NLF (L i−1 , L i−6 , L i−12 , L i−23 , L i−30 ) ∀i ∈ [32, 559]C i = L i−528 ∀i ∈ [528, 559]Note, some descriptions of the cipher omit the L i−16 . This should have noimpact on the attack at all. The specification given by the company [Daw] includesthe L i−16 .Since the NLF is actually a cubic function this is a cubic system of equations.Substituting, we obtainL i = P i ∀i ∈ [0, 31]L i = k i−32 mod 64 ⊕ L i−32 ⊕ L i−16 ⊕ L i−23 ⊕ L i−30 ⊕ L i−1 L i−12 ⊕ L i−1 L i−30⊕L i−6 L i−12 ⊕ L i−6 L i−30 ⊕ L i−12 L i−23 ⊕ L i−23 L i−30⊕L i−1 L i−23 L i−30 ⊕ L i−1 L i−12 L i−30 ⊕ L i−1 L i−6 L i−23 ⊕ L i−1 L i−6 L i−12 ∀i ∈ [32, 559]C i = L i−528 ∀i ∈ [528, 559]13
Page 1 and 2: ABSTRACTTitle of dissertation:ALGOR
Page 3 and 4: ALGORITHMS FOR SOLVING LINEAR AND P
Page 5 and 6: PrefacePigmaei gigantum humeris imp
Page 7 and 8: ForewordThe ignoraunte multitude do
Page 9 and 10: AcknowledgmentsI am deeply indebted
Page 11 and 12: NSF grant for the Sage project [sag
Page 13 and 14: for many years and taught me matric
Page 15 and 16: 3 Converting MQ to CNF-SAT 353.1 Su
Page 17 and 18: 6.4.4 The Conservative Algorithm .
Page 19 and 20: B.1 Algorithms and Performance, for
Page 21 and 22: List of Algorithms1 Method of Four
Page 23 and 24: Chapter 1SummaryGenerally speaking,
Page 25 and 26: adopted the author’s software lib
Page 27 and 28: Part IPolynomial Systems5
Page 29 and 30: 2.1 Special Acknowledgment of Joint
Page 31 and 32: Figure 2.1: The Keeloq Circuit Diag
Page 33: around regions of ones of size 32,
Page 37 and 38: β = aeSince the non-linear functio
Page 39 and 40: were an obvious failure, and so we
Page 41 and 42: 2.4.3 The Consequences of Fixed Poi
Page 43 and 44: points. If it is the case that f k
Page 45 and 46: 2.4.6 Fraction of Plainspace Requir
Page 47 and 48: Then we can apply the probability d
Page 49 and 50: e the case for all block ciphers. T
Page 51 and 52: Thus h has p fixed points with prob
Page 53 and 54: expected points. Since we require f
Page 55 and 56: too long, we may elect to “guess
Page 57 and 58: Chapter 3Converting MQ to CNF-SAT3.
Page 59 and 60: Another NP-hard problem is finding
Page 61 and 62: 3.3 Notation and DefinitionsAn inst
Page 63 and 64: Step One: From a Polynomial System
Page 65 and 66: x 1 + x 2 + x 3 + y 1 = 0y 1 + x 6
Page 67 and 68: Table 3.1 CNF Expression Difficulty
Page 69 and 70: that a satisfying solution is found
Page 71 and 72: andomness is seeded from a hash of
Page 73 and 74: Figure 3.1: The Distribution of Run
Page 75 and 76: takes only a few seconds. Furthermo
Page 77 and 78: 3.5.4 Comparison with MAGMA, Singul
Page 79 and 80: systems of equations over finite fi
Page 81 and 82: Table 3.4 CNF Expression Difficulty
Page 83 and 84: polynomial equation. The number of
Page 85 and 86:
of variables, and the operators fro
Page 87 and 88:
variables). However, the original v
Page 89 and 90:
of variables that it contains.When
Page 91 and 92:
If the contradiction stack becomes
Page 93 and 94:
enough to produce a contradiction.I
Page 95 and 96:
those two simple examples).Over the
Page 97 and 98:
Chapter 5The Method of Four Russian
Page 99 and 100:
matrix without calculating the othe
Page 101 and 102:
exactly one bit in one position fro
Page 103 and 104:
5.3.1 Role of the Gray CodeThe Gray
Page 105 and 106:
Then substitute k = γ log n and ob
Page 107 and 108:
and putting matrix A in unit upper
Page 109 and 110:
(see Section 5.5 on page 92) that s
Page 111 and 112:
= (1 − 2 −n )(1 − 2 −n+1 )
Page 113 and 114:
Table 5.3 Probabilities of a Fair-C
Page 115 and 116:
time was trivially perturbed if the
Page 117 and 118:
Table 5.6 Percentage Error for Offs
Page 119 and 120:
so there may be no work to perform
Page 121 and 122:
calculation proceeds exactly as in
Page 123 and 124:
ank is 1 − l −2c . Since there
Page 125 and 126:
ond, 10, 000 × 10, 000, where M4RI
Page 127 and 128:
algorithm (the 18 matrix additions,
Page 129 and 130:
⎡⎤⎡⎤A =⎢⎣1 0 0 01 0 1 0
Page 131 and 132:
and P can be kept invertible. The d
Page 133 and 134:
Table 5.9 Trials between M4RI and G
Page 135 and 136:
Chapter 6An Impractical Method of A
Page 137 and 138:
6.2 The Algorithm over a Finite Rin
Page 139 and 140:
c(n/b) ω multiplies in the ring M
Page 141 and 142:
which is to be compared with∼ 4cn
Page 143 and 144:
yielding a time requirement of[ (ω
Page 145 and 146:
kind. (The all zero matrix has been
Page 147 and 148:
(∼ (1 + log 2 n)n 2 1 + o(1) )log
Page 149 and 150:
Table 6.2 Memory Required (in bits)
Page 151 and 152:
While the cases of matrix rings, fi
Page 153 and 154:
Appendix ASome Basic Facts about Li
Page 155 and 156:
not orthogonal. Thus the algorithm
Page 157 and 158:
Appendix BA Model for the Complexit
Page 159 and 160:
B.1.3Success and FailureThe model d
Page 161 and 162:
example, in a matrix multiplication
Page 163 and 164:
listed in Algorithm 10 on page 142,
Page 165 and 166:
allowing one to calculate, for a la
Page 167 and 168:
Appendix COn the Exponent of Certai
Page 169 and 170:
C.2.1Figure C.1: The Relationship o
Page 171 and 172:
If the original matrix is unit lowe
Page 173 and 174:
we can write[ ] [ ] [ ] [ ]Im/2 0 I
Page 175 and 176:
Proof: If A = LUP then det(A) = det
Page 177 and 178:
[BH74]J. Bunch and J. Hopcroft. Tri
Page 179 and 180:
[FMM03]C. Fiorini, E. Martinelli, a
Page 181:
[Rys57][sag][San79][Sch81]H. J. Rys
show all

ALGORITHMS FOR SOLVING LINEAR AND POLYNOMIAL ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?