Mengce Zheng,Zhigang Chen,Yaohui Wu

DOI: https://doi.org/10.1109/access.2023.3264590

IF: 3.9

2023-04-14

IEEE Access

Abstract:In this paper, we propose two improved theorems for addressing generalized bivariate integer equations using the lattice-based method. We examine the application of these theorems to the problem of factoring general RSA (Rivest–Shamir–Adleman) moduli of the form where and are prime numbers. These moduli, which are commonly used in the RSA cryptosystem and its variants, have previously been subjected to attacks primarily through the solution of univariate modular equations. In contrast, we investigate the possibility of factoring using leaked most significant bits (MSBs) or least significant bits (LSBs) of the prime numbers by solving generalized bivariate integer equations. We determine the minimum amount of known bits required for implementing the proposed factoring attacks and establish a unifying attack strategy. Furthermore, our results are verified through numerical computer experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wansu Bao,Heliang Huang

DOI: https://doi.org/10.48550/arXiv.1507.03480

2015-07-13

Abstract:Algebraic cryptanalysis usually requires to recover the secret key by solving polynomial equations. Grobner bases algorithm is a well-known method to solve this problem. However, a serious drawback exists in the Grobner bases based algebraic attacks, namely, any information won't be got if we couldn't work out the Grobner bases of the polynomial equations system. In this paper, firstly, a generalized model of Grobner basis algorithms is presented, which provides us a platform to analyze and solve common problems of the algorithms. Secondly, we give and prove the degree bound of the polynomials appeared during the computation of Grobner basis after field polynomials is added. Finally, by detecting the temporary basis during the computation of Grobner bases and then extracting the univariate polynomials contained unique solution in the temporary basis, a heuristic strategy named Middle-Solving is presented to solve these polynomials at each iteration of the algorithm. Farther, two specific application mode of Middle-Solving strategy for the incremental and non-incremental Grobner bases algorithms are presented respectively. By using the Middle-Solving strategy, even though we couldn't work out the final Grobner bases, some information of the variables still leak during the computational process.

Cryptography and Security,Symbolic Computation

HaiJian Zhou,Ping Luo,DaoShun Wang,YiQi Dai

DOI: https://doi.org/10.1007/s11432-009-0159-9

2009-01-01

Science in China Series F Information Sciences

Abstract:Finding the solution to a general multivariate modular linear equation plays an important role in cryptanalysis field. Earlier results show that obtaining a relatively short solution is possible in polynomial time. However, one problem arises here that if the equation has a short solution in given bounded range, the results outputted by earlier algorithms are often not the ones we are interested in. In this paper, we present a probability method based on lattice basis reduction to solve the problem. For a general multivariate modular linear equation with short solution in the given bounded range, the new method outputs this short solution in polynomial time, with a high probability. When the number of unknowns is not too large (smaller than 68), the probability is approximating 1. Experimental results show that Knapsack systems and Lu-Lee type systems are easily broken in polynomial time with this new method.

Johannes Buchmann,Daniel Cabarcas,Jintai Ding,Mohamed Saied Emam Mohamed

DOI: https://doi.org/10.1007/978-3-642-12678-9_5

2010-01-01

Abstract:Recent developments in multivariate polynomial solving algorithms have made algebraic cryptanalysis a plausible threat to many cryptosystems. However, theoretical complexity estimates have shown this kind of attack unfeasible for most realistic applications. In this paper we present a strategy for computing Gröbner basis that challenges those complexity estimates. It uses a flexible partial enlargement technique together with reduced row echelon forms to generate lower degree elements–mutants. This new strategy surpasses old boundaries and obligates us to think of new paradigms for estimating complexity of Gröbner basis computation. The new proposed algorithm computed a Gröbner basis of a degree 2 random system with 32 variables and 32 equations using 30 GB which was never done before by any known Gröbner bases solver.

Roberto La Scala,Federico Pintore,Sharwan K. Tiwari,Andrea Visconti

2024-06-05

Abstract:In this paper we introduce a multistep generalization of the guess-and-determine or hybrid strategy for solving a system of multivariate polynomial equations over a finite field. In particular, we propose performing the exhaustive evaluation of a subset of variables stepwise, that is, by incrementing the size of such subset each time that an evaluation leads to a polynomial system which is possibly unfeasible to solve. The decision about which evaluation to extend is based on a preprocessing consisting in computing an incomplete Grobner basis after the current evaluation, which possibly generates linear polynomials that are used to eliminate further variables. If the number of remaining variables in the system is deemed still too high, the evaluation is extended and the preprocessing is iterated. Otherwise, we solve the system by a complete Grobner basis computation. Having in mind cryptanalytic applications, we present an implementation of this strategy in an algorithm called MultiSolve which is designed for polynomial systems having at most one solution. We prove explicit formulas for its complexity which are based on probability distributions that can be easily estimated by performing the proposed preprocessing on a testset of evaluations for different subsets of variables. We prove that an optimal complexity of MultiSolve is achieved by using a full multistep strategy with a maximum number of steps and in turn the standard guess-and-determine strategy, which essentially is a strategy consisting of a single step, is the worst choice. Finally, we extensively study the behaviour of MultiSolve when performing an algebraic attack on the well-known stream cipher Trivium.

Symbolic Computation,Cryptography and Security,Commutative Algebra

Xiaoyan Zhang,Qichun Wang,Bin Wang,Haibin Kan

DOI: https://doi.org/10.1587/transfun.e94.a.2059

2011-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:In algebraic attack on stream ciphers based on LFSRs, the secret key is found by solving an overdefined system of multivariate equations. There are many known algorithms from different point of view to solve the problem, such as linearization, relinearization, XL and Grobner Basis. The simplest method, linearization, treats each monomial of different degrees as a new variable, and consists of $\\sum_{i=1}^{d}{n \\choose i}$ variables (the degree of the system of equations is denoted by d). Thus it needs at least $\\sum_{i=1}^{d}{n \\choose i}$ equations, i.e. keystream bits to recover the secret key by Gaussian reduction or other. In this paper we firstly propose a concept, called equivalence of LFSRs. On the basis of it, we present a constructive method that can solve an overdefined system of multivariate equations with less keystream bits by extending the primitive polynomial.

Matthias Johann Steiner

DOI: https://doi.org/10.46586/tosc.v2024.i1.357-411

2024-03-04

Abstract:For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata \& Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and henceforth by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.

Cryptography and Security,Commutative Algebra

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Jiaxin Song,Hongfei Fu,Charles Zhang

2024-02-26

Abstract:Bit-vectors, which are integers in a finite number of bits, are ubiquitous in software and hardware systems. In this work, we consider the satisfiability modulo theories (SMT) of bit-vectors. Unlike normal integers, the arithmetics of bit-vectors are modular upon integer overflow. Therefore, the SMT solving of bit-vectors needs to resolve the underlying modular arithmetics. In the literature, two prominent approaches for SMT solving are bit-blasting (that transforms the SMT problem into boolean satisfiability) and integer solving (that transforms the SMT problem into integer properties). Both approaches ignore the algebraic properties of the modular arithmetics and hence could not utilize these properties to improve the efficiency of SMT solving. In this work, we consider the equational theory of bit-vectors and capture the algebraic properties behind them via strong Gr\"obner bases. First, we apply strong Gr\"obner bases to the quantifier-free equational theory of bit-vectors and propose a novel algorithmic improvement in the key computation of multiplicative inverse modulo a power of two. Second, we resolve the important case of invariant generation in quantified equational bit-vector properties via strong Gr\"obner bases and linear congruence solving. Experimental results over an extensive range of benchmarks show that our approach outperforms existing methods in both time efficiency and memory consumption.

Programming Languages,Logic in Computer Science

Alain Couvreur,Rocco Mora,Jean-Pierre Tillich

2023-08-24

Abstract:We bring in here a novel algebraic approach for attacking the McEliece cryptosystem. It consists in introducing a subspace of matrices representing quadratic forms. Those are associated with quadratic relationships for the component-wise product in the dual of the code used in the cryptosystem. Depending on the characteristic of the code field, this space of matrices consists only of symmetric matrices or skew-symmetric matrices. This matrix space is shown to contain unusually low-rank matrices (rank $2$ or $3$ depending on the characteristic) which reveal the secret polynomial structure of the code. Finding such matrices can then be used to recover the secret key of the scheme. We devise a dedicated approach in characteristic $2$ consisting in using a Gröbner basis modeling that a skew-symmetric matrix is of rank $2$. This allows to analyze the complexity of solving the corresponding algebraic system with Gröbner bases techniques. This computation behaves differently when applied to the skew-symmetric matrix space associated with a random code rather than with a Goppa or an alternant code. This gives a distinguisher of the latter code family. We give a bound on its complexity which turns out to interpolate nicely between polynomial and exponential depending on the code parameters. A distinguisher for alternant/Goppa codes was already known [FGO+11]. It is of polynomial complexity but works only in a narrow parameter regime. This new distinguisher is also polynomial for the parameter regime necessary for [FGO+11] but contrarily to the previous one is able to operate for virtually all code parameters relevant to cryptography. Moreover, we use this matrix space to find a polynomial time attack of the McEliece cryptosystem provided that the Goppa code is distinguishable by the method of [FGO+11] and its degree is less than $q-1$, where $q$ is the alphabet size of the code.

Cryptography and Security

Morten Øygarden,Patrick Felke,Håvard Raddum

DOI: https://doi.org/10.1007/s00145-024-09501-w

2024-04-20

Journal of Cryptology

Abstract:A common strategy for constructing multivariate encryption schemes is to use a central map that is easy to invert over an extension field, along with a small number of modifications to thwart potential attacks. In this work, we study the effectiveness of these modifications, by deriving estimates for the number of degree fall polynomials. After developing the necessary tools, we focus on encryption schemes using the and Dobbertin central maps, with the internal perturbation ( ip ), and modifications. For these constructions, we are able to accurately predict the number of degree fall polynomials produced in a Gröbner basis attack, up to and including degree 5 for the Dob encryption scheme and four for . The predictions remain accurate even when fixing variables. Based on this new theory, we design a novel attack on Dob, which completely recovers the secret key for the parameters suggested by its designers. Due to the generality of the presented techniques, we also believe that they are of interest to the analysis of other big-field schemes.

computer science, theory & methods,engineering, electrical & electronic,mathematics, applied

Gregory V. Bard,Nicolas T. Courtois,Jorge Nakahara Jr,Pouyan Sepehrdad,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-17401-8_14

2010-01-01

Abstract:This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations representation of all KATAN ciphers. We introduced a novel pre-processing stage on the equations system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48, KATAN64, respectively. We show how to perform side channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed up of the algebraic attack.

Roberto La Scala,Sharwan K. Tiwari

DOI: https://doi.org/10.1016/j.jsc.2021.09.001

IF: 0.97

2022-03-01

Journal of Symbolic Computation

Abstract:In this paper we model a class of stream and block ciphers as systems of (ordinary) explicit difference equations over a finite field. We call this class "difference ciphers" and we show that ciphers of application interest, as for example systems of LFSRs with a combiner, Trivium and KeeLoq, belong to the class. By using Difference Algebra, that is, the formal theory of difference equations, we can properly define and study important properties of these ciphers, such as their invertibility and periodicity. We describe then general cryptanalytic methods for difference ciphers that follow from these properties and are useful to assess the security. We illustrate such algebraic attacks in practice by means of the ciphers Bivium and KeeLoq.

mathematics, applied,computer science, theory & methods

Jintai Ding,Ai Ren,Chengdong Tao

DOI: https://doi.org/10.1007/978-3-642-38519-3_9

2012-01-01

Abstract:Let X = (x 1,.;x n ) and Y = (y 1,.;y m ) be a pair of corresponding plaintext and ciphertext for a cryptosystem. We define an embedded surface of this cryptosystem as any polynomial equation: which is satisfied by all such pairs. In this paper, we present a new attack on the multivariate public key cryptosystems from Diophantine equations developed by Gao and Heindl by using the embedded surfaces associated to this family of multivariate cryptosystems. © 2013 Springer-Verlag Berlin Heidelberg.

Monika Trimoska,Sorina Ionica,Gilles Dequen

DOI: https://doi.org/10.48550/arXiv.2001.11229

2020-01-30

Cryptography and Security

Abstract:Cryptographic problems can often be reduced to solving Boolean polynomial systems, whose equivalent logical formulas can be treated using SAT solvers. Given the algebraic nature of the problem, the use of the logical XOR operator is common in SAT-based cryptanalysis. Recent works have focused on advanced techniques for handling parity (XOR) constraints, such as the Gaussian Elimination technique. First, we propose an original XOR-reasoning SAT solver, named WDSat (Weil Descent SAT solving), dedicated to a specific cryptographic problem. Secondly, we show that in some cases Gaussian Elimination on SAT instances does not work as well as Gaussian Elimination on algebraic systems. We demonstrate how this oversight is fixed in our solver, which is adapted to read instances in algebraic normal form (ANF). Finally, we propose a novel preprocessing technique based on the Minimal Vertex Cover Problem in graph theory. This preprocessing technique is, within the framework of multivariate Boolean polynomial systems, used as a DLL branching selection rule that leads to quick linearization of the underlying algebraic system. Our benchmarks use a model obtained from cryptographic instances for which a significant speedup is achieved using the findings in this paper. We further explain how our preprocessing technique can be used as an assessment of the security of a cryptographic system.

Haijian Zhou,Ping Luo,Daoshun Wang,Yiqi Dai

DOI: https://doi.org/10.1007/978-3-540-79499-8_32

2008-01-01

Abstract:The Lu-Lee public key cryptosystem and Adiga-Shankar's modification are considered to be insecure with cryptanalysis by integer linear programing, since only 2 or 3 unknown message blocks are used in the modular linear equation for encryption procedure. Unfortunately integer linear programming algorithms falls in trouble with more unknowns. In this paper we present a probabilistic algorithm for cryptanalysis of general Lu-Lee type systems with nmessage blocks. The new algorithm is base on lattice reduction and succeeds to break Lu-Lee type systems with up to 68 message blocks.

Mohamed Saied Emam Mohamed,Jintai Ding,Johannes Buchmann,Fabian Werner

DOI: https://doi.org/10.1007/978-3-642-10433-6_26

2009-01-01

Abstract:In this paper, we present an efficient attack on the multivariate Quadratic Quasigroups (MQQ) public key cryptosystem. Our cryptanalysis breaks the MQQ cryptosystem by solving a system of multivariate quadratic polynomial equations using both the MutantXL algorithm and the F4 algorithm. We present the experimental results that show that MQQ systems is broken up to size n equal to 300. Based on these results we show also that MutantXL solves MQQ systems with much less memory than the F4 algorithm implemented in Magma.

Jintai Ding,John Wagner

DOI: https://doi.org/10.1007/978-3-540-88403-3_9

2008-01-01

Abstract:In 1989, Tsujii, Fujioka, and Hirayama proposed a family of multivariate public key cryptosystems, where the public key is given as a set of multivariate rational functions of degree 4. These cryptosystems are constructed via composition of two quadratic rational maps. In this paper, we present the cryptanalysis of this family of cryptosystems. The key point of our attack is to transform a problem of decomposition of two rational maps into a problem of decomposition of two polynomial maps. We develop a new improved 2R decomposition method and other new techniques, which allows us to find an equivalent decomposition of the rational maps to break the system completely. For the example suggested for practical applications, it is very fast to derive an equivalent private key, and it requires only a few seconds on a standard PC.

Matthias Johann Steiner

2024-05-08

Abstract:Ciminion and Hydra are two recently introduced symmetric key Pseudo-Random Functions for Multi-Party Computation applications. For efficiency both primitives utilize quadratic permutations at round level. Therefore, polynomial system solving-based attacks pose a serious threat to these primitives. For Ciminion we construct a quadratic degree reverse lexicographic (DRL) Gröbner basis for the iterated polynomial model via affine transformations. For Hydra we provide a computer-aided proof in SageMath that a quadratic DRL Gröbner basis is already contained within the iterated polynomial system for the Hydra heads after affine transformations and a linear change of coordinates.

Cryptography and Security

Riddhi Ghosal

DOI: https://doi.org/10.48550/arXiv.1708.04495

2017-06-14

Abstract:In the present day, AES is one the most widely used and most secure Encryption Systems prevailing. So, naturally lots of research work is going on to mount a significant attack on AES. Many different forms of Linear and differential cryptanalysis have been performed on AES. Of late, an active area of research has been Algebraic Cryptanalysis of AES, where although fast progress is being made, there are still numerous scopes for research and improvement. One of the major reasons behind this being that algebraic cryptanalysis mainly depends on I/O relations of the AES S- Box (a major component of the AES). As, already known, that the key recovery algorithm of AES can be broken down as an MQ problem which is itself considered hard. Solving these equations depends on our ability reduce them into linear forms which are easily solvable under our current computational prowess. The lower the degree of these equations, the easier it is for us to linearlize hence the attack complexity reduces. The aim of this paper is to analyze the various relations involving small number of monomials of the AES S- Box and to answer the question whether it is actually possible to have such monomial equations for the S- Box if we restrict the degree of the monomials. In other words this paper aims to study such equations and see if they can be applicable for AES.

Cryptography and Security