Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers

The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have a low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Grobner-bases techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involve dense, not sparse systems, at least until linearization by XL or a similar algorithm. No polynomial-system-solving algorithm we are aware of, demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if over-defined) can be solved much faster than by exhaustive search if β ≤ 1/100. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.

[1]  Fabio Massacci Towards the Formal Verification of Ciphers: Logical Cryptanalysis of DES , 1999 .

[2]  Claude E. Shannon,et al.  Communication theory of secrecy systems , 1949, Bell Syst. Tech. J..

[3]  Laurent Simon,et al.  Preface to the Special Volume on the SAT 2005 Competitions and Evaluations , 2006, J. Satisf. Boolean Model. Comput..

[4]  Ilya Mironov,et al.  Applications of SAT Solvers to Cryptanalysis of Hash Functions , 2006, SAT.

[5]  Timothy A. Davis,et al.  Direct methods for sparse linear systems , 2006, Fundamentals of algorithms.

[6]  Fabio Massacci,et al.  Logical Cryptanalysis as a SAT Problem ? Encoding and Analysis of the U.S. Data Encryption Standard , 2000 .

[7]  Jean Charles Faugère,et al.  A new efficient algorithm for computing Gröbner bases without reduction to zero (F5) , 2002, ISSAC '02.

[8]  Ilkka Niemelä,et al.  DES: a Challenge Problem for Nonmonotonic Reasoning Systems , 2000, ArXiv.

[9]  J. Faugère A new efficient algorithm for computing Gröbner bases (F4) , 1999 .

[10]  Fabio Massacci,et al.  Using Walk-SAT and Rel-Sat for Cryptographic Key Search , 1999, IJCAI.

[11]  Thomas Jakobson,et al.  Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations of Low Degree , 1998, CRYPTO.

[12]  Josef Pieprzyk,et al.  Cryptanalysis of Block Ciphers with Overdefined Systems of Equations , 2002, ASIACRYPT.

[13]  Adi Shamir,et al.  Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations , 2000, EUROCRYPT.

[14]  Jacques Patarin,et al.  QUAD: A Practical Stream Cipher with Provable Security , 2006, EUROCRYPT.

[15]  Sharad Malik,et al.  Chaff: engineering an efficient SAT solver , 2001, Proceedings of the 38th Design Automation Conference (IEEE Cat. No.01CH37232).

[16]  Fabio Massacci,et al.  How to fake an RSA signature by encoding modular root finding as a SAT problem , 2003, Discret. Appl. Math..

[17]  Nadia Creignou,et al.  Satisfiability Threshold for Random XOR-CNF Formulas , 1999, Discret. Appl. Math..

[18]  Gregory V. Bard Achieving a log(n) Speed Up for Boolean Matrix Operations and Calculating the Complexity of the Dense Linear Algebra step of Algebraic Stream Cipher Attacks and of Integer Factorization Methods , 2006, IACR Cryptol. ePrint Arch..

[19]  Gregory V. Bard,et al.  Algebraic Cryptanalysis of the Data Encryption Standard , 2007, IMACC.

[20]  Matthew J. B. Robshaw,et al.  Essential Algebraic Structure within the AES , 2002, CRYPTO.

[21]  Predrag Janicic,et al.  Logical Analysis of Hash Functions , 2005, FroCoS.