Bernhard Andraschko,Julian Danner,Martin Kreuzer

2024-09-26

Abstract:This paper introduces the XOR-OR-AND normal form (XNF) for logical formulas. It is a generalization of the well-known Conjunctive Normal Form (CNF) where literals are replaced by XORs of literals. As a first theoretic result, we show that every CNF formula is equisatisfiable to a formula in 2-XNF, i.e., a formula in XNF where each clause involves at most two XORs of literals. Subsequently, we present an algorithm which converts Boolean polynomials efficiently from their Algebraic Normal Form (ANF) to formulas in 2-XNF. Experiments with the cipher ASCON-128 show that cryptographic problems, which by design are based strongly on XOR-operations, can be represented using far fewer variables and clauses in 2-XNF than in CNF. In order to take advantage of this compact representation, new SAT solvers based on input formulas in 2-XNF need to be designed. By taking inspiration from graph-based 2-CNF SAT solving, we devise a new DPLL-based SAT solver for formulas in 2-XNF. Among others, we present advanced pre- and in-processing techniques. Finally, we give timings for random 2-XNF instances and instances related to key recovery attacks on round reduced ASCON-128, where our solver outperforms state-of-the-art alternative solving approaches.

Logic in Computer Science,Commutative Algebra,Logic

Jakob Rath,Clemens Eisenhofer,Daniela Kaufmann,Nikolaj Bjørner,Laura Kovács

2024-06-07

Abstract:PolySAT is a word-level decision procedure supporting bit-precise SMT reasoning over polynomial arithmetic with large bit-vector operations. The PolySAT calculus extends conflict-driven clause learning modulo theories with two key components: (i) a bit-vector plugin to the equality graph, and (ii) a theory solver for bit-vector arithmetic with non-linear polynomials. PolySAT implements dedicated procedures to extract bit-vector intervals from polynomial inequalities. For the purpose of conflict analysis and resolution, PolySAT comes with on-demand lemma generation over non-linear bit-vector arithmetic. PolySAT is integrated into the SMT solver Z3 and has potential applications in model checking and smart contract verification where bit-blasting techniques on multipliers/divisions do not scale.

Logic in Computer Science

Matthew Gwynne,Oliver Kullmann

DOI: https://doi.org/10.1007/978-3-319-04921-2_33

2013-12-19

Abstract:We study the representation of systems S of linear equations over the two-element field (aka xor- or parity-constraints) via conjunctive normal forms F (boolean clause-sets). First we consider the problem of finding an "arc-consistent" representation ("AC"), meaning that unit-clause propagation will fix all forced assignments for all possible instantiations of the xor-variables. Our main negative result is that there is no polysize AC-representation in general. On the positive side we show that finding such an AC-representation is fixed-parameter tractable (fpt) in the number of equations. Then we turn to a stronger criterion of representation, namely propagation completeness ("PC") --- while AC only covers the variables of S, now all the variables in F (the variables in S plus auxiliary variables) are considered for PC. We show that the standard translation actually yields a PC representation for one equation, but fails so for two equations (in fact arbitrarily badly). We show that with a more intelligent translation we can also easily compute a translation to PC for two equations. We conjecture that computing a representation in PC is fpt in the number of equations.

Computational Complexity,Artificial Intelligence

Thomas Hader,Daniela Kaufmann,Laura Kovács

DOI: https://doi.org/10.29007/4n6w

2023-05-15

Abstract:Non-linear polynomial systems over finite fields are used to model functional behavior of cryptosystems, with applications in system security, computer cryptography, and post-quantum cryptography. Solving polynomial systems is also one of the most difficult problems in mathematics. In this paper, we propose an automated reasoning procedure for deciding the satisfiability of a system of non-linear equations over finite fields. We introduce zero decomposition techniques to prove that polynomial constraints over finite fields yield finite basis explanation functions. We use these explanation functions in model constructing satisfiability solving, allowing us to equip a CDCL-style search procedure with tailored theory reasoning in SMT solving over finite fields. We implemented our approach and provide a novel and effective reasoning prototype for non-linear arithmetic over finite fields.

Logic in Computer Science

Muhammad Yasin,Bodhisatwa Mazumdar,Ozgur Sinanoglu,Jeyavijayan Rajendran

DOI: https://doi.org/10.1109/aspdac.2017.7858346

2017-01-01

Abstract:Logic encryption protects integrated circuits (ICs) against intellectual property (IP) piracy and overbuilding attacks by encrypting the IC with a key. A Boolean satisfiability (SAT) based attack breaks all existing logic encryption technique within few hours. Recently, a defense mechanism known as Anti-SAT was presented that protects against SAT attack, by rendering the SAT-attack effort exponential in terms of the number of key gates. In this paper, we highlight the vulnerabilities of Anti-SAT and propose signal probability skew (SPS) attack against Anti-SAT block. SPS attack leverages the structural traces in Anti-SAT block to identify and isolate Anti-SAT block. The attack is 100% successful on all variants of Anti-SAT block. SPS attack is scalable to large circuits, as it breaks circuits with up to 22K gates within two minutes.

Matthew Gwynne,Oliver Kullmann

DOI: https://doi.org/10.48550/arXiv.1406.7398

2014-08-05

Abstract:We present a general framework for good CNF-representations of boolean constraints, to be used for translating decision problems into SAT problems (i.e., deciding satisfiability for conjunctive normal forms). We apply it to the representation of systems of XOR-constraints, also known as systems of linear equations over the two-element field, or systems of parity constraints. The general framework defines the notion of "representation", and provides several methods to measure the quality of the representation by the complexity ("hardness") needed for making implicit "knowledge" of the representation explicit (to a SAT-solving mechanism). We obtain general upper and lower bounds. Applied to systems of XOR-constraints, we show a super-polynomial lower bound on "good" representations under very general circumstances. A corresponding upper bound shows fixed-parameter tractability in the number of constraints. The measurement underlying this upper bound ignores the auxiliary variables needed for shorter representations of XOR-constraints. Improved upper bounds (for special cases) take them into account, and a rich picture begins to emerge, under the various hardness measurements.

Computational Complexity

Leroy Chew,Alexis de Colnet,Friedrich Slivovsky,Stefan Szeider

2024-02-01

Abstract:Parity reasoning is challenging for Conflict-Driven Clause Learning (CDCL) SAT solvers. This has been observed even for simple formulas encoding two contradictory parity constraints with different variable orders (Chew and Heule 2020). We provide an analytical explanation for their hardness by showing that they require exponential resolution refutations with high probability when the variable order is chosen at random. We obtain this result by proving that these formulas, which are known to be Tseitin formulas, have Tseitin graphs of linear treewidth with high probability. Since such Tseitin formulas require exponential resolution proofs, our result follows. We generalize this argument to a new class of formulas that capture a basic form of parity reasoning involving a sum of two random parity constraints with random orders. Even when the variable order for the sum is chosen favorably, these formulas remain hard for resolution. In contrast, we prove that they have short DRAT refutations. We show experimentally that the running time of CDCL SAT solvers on both classes of formulas grows exponentially with their treewidth.

Computational Complexity

Mate Soos,Kuldeep S. Meel

DOI: https://doi.org/10.24963/kr.2021/55

2021-09-01

Abstract:Given a set of constraints F and a weight function W over the assignments, the problem of MaxSAT is to compute a maximum weighted solution of F. MaxSAT is a fundamental problem with applications in numerous areas. The success of MaxSAT solvers has prompted researchers in AI and formal methods communities to develop algorithms that can use MaxSAT solver as oracle. One such problem that stands to benefit from advances in MaxSAT solving is discrete integration. Recently, Ermon et al. achieved a significant breakthrough by reducing the problem of integration to polynomially many queries to an optimization oracle where $F$ is conjuncted with randomly chosen XOR constraints. Unlike approximate model counting, where hashing-based approaches have been able to achieve scalability as well as rigorous formal guarantees, the practical evaluation of Ermon et al's approach, called WISH, often sacrifice theoretical guarantees, largely due to lack of existing MaxSAT solvers with native XOR support. The primary contribution of this paper is a new MaxSAT solver, GaussMaxHS, with built-in XOR support. The architecture of GaussMaxHS is inspired by CryptoMiniSAT, which has been the workhorse of hashing-based approximate model counting techniques. The resulting solver, GaussMaxHS, outperforms MaxHS over 9628 benchmarks arising from spin glass models and network reliability domains. In particular, with a timeout of 5000 seconds, MaxHS could solve only 5473 benchmarks while GaussMaxHS could solve 6120 benchmarks.

Matthias Johann Steiner

DOI: https://doi.org/10.46586/tosc.v2024.i1.357-411

2024-03-04

Abstract:For Arithmetization-Oriented ciphers and hash functions Gröbner basis attacks are generally considered as the most competitive attack vector. Unfortunately, the complexity of Gröbner basis algorithms is only understood for special cases, and it is needless to say that these cases do not apply to most cryptographic polynomial systems. Therefore, cryptographers have to resort to experiments, extrapolations and hypotheses to assess the security of their designs. One established measure to quantify the complexity of linear algebra-based Gröbner basis algorithms is the so-called solving degree. Caminata \& Gorla revealed that under a certain genericity condition on a polynomial system the solving degree is always upper bounded by the Castelnuovo-Mumford regularity and henceforth by the Macaulay bound, which only takes the degrees and number of variables of the input polynomials into account. In this paper we extend their framework to iterated polynomial systems, the standard polynomial model for symmetric ciphers and hash functions. In particular, we prove solving degree bounds for various attacks on MiMC, Feistel-MiMC, Feistel-MiMC-Hash, Hades and GMiMC. Our bounds fall in line with the hypothesized complexity of Gröbner basis attacks on these designs, and to the best of our knowledge this is the first time that a mathematical proof for these complexities is provided. Moreover, by studying polynomials with degree falls we can prove lower bounds on the Castelnuovo-Mumford regularity for attacks on MiMC, Feistel-MiMC and Feistel-MiMC-Hash provided that only a few solutions of the corresponding iterated polynomial system originate from the base field. Hence, regularity-based solving degree estimations can never surpass a certain threshold, a desirable property for cryptographic polynomial systems.

Cryptography and Security,Commutative Algebra

Roberto Civino,Valerio Fedele

2024-04-15

Abstract:In a XOR-based alternating block cipher the plaintext is masked by a sequence of layers each performing distinct actions: a highly nonlinear permutation, a linear transformation, and the bitwise key addition. When assessing resistance against classical differential attacks (where differences are computed with respect to XOR), the cryptanalysts must only take into account differential probabilities introduced by the nonlinear layer, this being the only one whose differential transitions are not deterministic. The temptation of computing differentials with respect to another difference operation runs into the difficulty of understanding how differentials propagate through the XOR-affine levels of the cipher. In this paper we introduce a special family of braces that enable the derivation of a set of differences whose interaction with every layer of an XOR-based alternating block cipher can be understood. We show that such braces can be described also in terms of alternating binary algebras of nilpotency class two. Additionally, we present a method to compute the automorphism group of these structures through an equivalence between bilinear maps. By doing so, we characterise the XOR-linear permutations for which the differential transitions with respect to the new difference are deterministic, facilitating an alternative differential attack.

Group Theory,Cryptography and Security,Rings and Algebras

Gregory Morse,Tamás Kozsik,Oskar Mencer,Peter Rakyta

2024-09-11

Abstract:We aim to advance the state-of-the-art in Quadratic Unconstrained Binary Optimization formulation with a focus on cryptography algorithms. As the minimal QUBO encoding of the linear constraints of optimization problems emerges as the solution of integer linear programming (ILP) problems, by solving special boolean logic formulas (like ANF and DNF) for their integer coefficients it is straightforward to handle any normal form, or any substitution for multi-input AND, OR or XOR operations in a QUBO form. To showcase the efficiency of the proposed approach we considered the most widespread cryptography algorithms including AES-128/192/256, MD5, SHA1 and SHA256. For each of these, we achieved QUBO instances reduced by thousands of logical variables compared to previously published results, while keeping the QUBO matrix sparse and the magnitude of the coefficients low. In the particular case of AES-256 cryptography function we obtained more than 8x reduction in variable count compared to previous results. The demonstrated reduction in QUBO sizes notably increases the vulnerability of cryptography algorithms against future quantum annealers, capable of embedding around $30$ thousands of logical variables.

Cryptography and Security,Mathematical Physics,Quantum Physics

Kaveh Shamsi,Meng Li,Travis Meade,Zheng Zhao,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3060403.3060458

2017-01-01

Abstract:Logic locking and IC camouflaging are proactive circuit obfuscation methods that if proven secure can thwart hardware attacks such as reverse engineering and IP theft. However, the security of both these schemes is called into question by recent SAT based attacks. While a number of methods have been proposed in literature that exponentially increase the running time of such attacks, they are vulnerable to \"findand-remove\" attacks, and only slightly hide the circuit functionality. In this paper, we present a novel approach towards creating SAT attack resiliency based on creating densely cyclic obfuscated circuit topologies by adding dummy paths to the circuit. Our methodology is applicable to both IC camouflaging and logic locking. We demonstrate that cyclic logic locking creates SAT resilient circuits with 40% less area and 20% less delay compared to an insecure XOR/XNOR-obfuscation with the same key length. Furthermore, we show that cyclic IC camouflaging can be implemented at the layout level with no substrate area overhead and little delay and power overhead with respect to the original circuit.

Yang Xie,Ankur Srivastava

DOI: https://doi.org/10.1109/tcad.2018.2801220

2019-02-01

Abstract:Logic locking is a technique that is proposed to protect outsourced IC designs from piracy and counterfeiting by untrusted foundries. A locked IC preserves the correct functionality only when a correct key is provided. Recently, the security of logic locking is threatened by a new attack called SAT attack, which can decipher the correct key of most logic locking techniques within a few hours even for a reasonably large key-size. This attack iteratively solves SAT formulas which progressively eliminate the incorrect keys till the circuit is unlocked. In this paper, we present a circuit block (referred to as Anti-SAT block) to enhance the security of existing logic locking techniques against the SAT attack. We show using a mathematical proof that the number of SAT attack iterations to reveal the correct key in a circuit comprising an Anti-SAT block is an exponential function of the key-size thereby making the SAT attack computationally infeasible. Besides, we address the vulnerability of the Anti-SAT block to various removal attacks and investigate obfuscation techniques to prevent these removal attacks. More importantly, we provide a proof showing that these obfuscation techniques for making Anti-SAT un-removable would not weaken the Anti-SAT block’s resistance to SAT attack. Through our experiments, we illustrate the effectiveness of our approach to securing modern chips fabricated in untrusted foundries.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Isaac McDaniel,Michael Zuzak,Ankur Srivastava

DOI: https://doi.org/10.1145/3674903

IF: 1.447

2024-07-09

ACM Transactions on Design Automation of Electronic Systems

Abstract:Logic obfuscation is a prominent approach to protect intellectual property within integrated circuits during fabrication. Many attacks on logic locking have been proposed, particularly in the Boolean satifiability (SAT) attack family, leading to the development of stronger obfuscation techniques. Some obfuscation techniques, including Full-Lock and InterLock, resist SAT attacks by inserting SAT-hard instances into the design, making the SAT attack infeasible. In this work, we observe that this class of obfuscation leaves most of the original design topology visible to an attacker, who can reverse-engineer the original design given the functionality of the SAT-hard instance. We show that an attacker can expose the SAT-hard instance functionality of Full-Lock or InterLock with a polynomial number of queries of its inputs and outputs. We then develop a mathematical framework showing how the functionality can be inferred using only a black-box oracle, as is commonly used in attacks in the literature. Using this framework, we develop a novel attack that allows a SAT-capable attacker to efficiently unlock designs obfuscated with Full-Lock. Our attack recovers the intellectual property from these obfuscation techniques that were previously thought secure. We empirically demonstrate the potency of our novel sensitization attack against benchmark circuits obfuscated with Full-Lock.

computer science, software engineering, hardware & architecture

Kaveh Shamsi,Meng Li,David Z. Pan,Yier Jin

DOI: https://doi.org/10.23919/DATE.2019.8715053

2019-01-01

Abstract:Logic locking and IC camouflaging are two promising techniques for thwarting an array of supply chain threats. Logic locking can hide the design from the foundry as well as end-users and IC camouflaging can thwart IC reverse engineering by end-users. Oracle-guided SAT-based deobfuscation attacks against these schemes have made it more and more difficult to securely implement them with low overhead. Almost all of the literature on SAT attacks is focused on combinational circuits. A recent first implementation of oracle-guided attacks on sequential circuits showed a drastic increase in deobfuscation time versus combinational circuits. In this paper we show that integrating the sequential SAT-attack with incremental bounded-model-checking, and dynamic simplification of key-conditions (Key-Condition Crunching or KC2), we are able to reduce the runtime of sequential SAT-attacks by two orders of magnitude across benchmark circuits, significantly reducing the gap between sequential and combinational deobfuscation. These techniques are applicable to combinational deobfuscation as well and thus represent a generic improvement to deobfuscation procedures and help better understand the complexity of deobfuscation for designing secure locking/camouflaging schemes.

Markus Anders,Pascal Schweitzer,Mate Soos

2024-01-01

Abstract:Dedicated treatment of symmetries in satisfiability problems (SAT) is indispensable for solving various classes of instances arising in practice. However, the exploitation of symmetries usually takes a black box approach. Typically, off-the-shelf external, general-purpose symmetry detection tools are invoked to compute symmetry groups of a formula. The groups thus generated are a set of permutations passed to a separate tool to perform further analyzes to understand the structure of the groups. The result of this second computation is in turn used for tasks such as static symmetry breaking or dynamic pruning of the search space. Within this pipeline of tools, the detection and analysis of symmetries typically incurs the majority of the time overhead for symmetry exploitation. In this paper we advocate for a more holistic view of what we call the SAT-symmetry interface. We formulate a computational setting, centered around a new concept of joint graph/group pairs, to analyze and improve the detection and analysis of symmetries. Using our methods, no information is lost performing computational tasks lying on the SAT-symmetry interface. Having access to the entire input allows for simpler, yet efficient algorithms. Specifically, we devise algorithms and heuristics for computing finest direct disjoint decompositions, finding equivalent orbits, and finding natural symmetric group actions. Our algorithms run in what we call instance-quasi-linear time, i.e., almost linear time in terms of the input size of the original formula and the description length of the symmetry group returned by symmetry detection tools. Our algorithms improve over both heuristics used in state-of-the-art symmetry exploitation tools, as well as theoretical general-purpose algorithms.

Data Structures and Algorithms

Florian Frohn,Jürgen Giesl

2024-06-06

Abstract:SMT solvers use sophisticated techniques for polynomial (linear or non-linear) integer arithmetic. In contrast, non-polynomial integer arithmetic has mostly been neglected so far. However, in the context of program verification, polynomials are often insufficient to capture the behavior of the analyzed system without resorting to approximations. In the last years, incremental linearization has been applied successfully to satisfiability modulo real arithmetic with transcendental functions. We adapt this approach to an extension of polynomial integer arithmetic with exponential functions. Here, the key challenge is to compute suitable lemmas that eliminate the current model from the search space if it violates the semantics of exponentiation. An empirical evaluation of our implementation shows that our approach is highly effective in practice.

Logic in Computer Science

Kaveh Shamsi,Meng Li,Travis Meade,Zheng Zhao,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1109/HST.2017.7951805

2017-01-01

Abstract:In today's diversified semiconductor supply-chain, protecting intellectual property (IP) and maintaining manufacturing integrity are important concerns. Circuit obfuscation techniques such as logic encryption and IC camouflaging can potentially defend against a majority of supply-chain threats such as stealthy malicious design modification, IP theft, overproduction, and cloning.Recently, a Boolean Satisfiability (SAT) based attack, namely the SAT attack has been able to deobfuscate almost all traditional circuit obfuscation schemes, and as a result, a number of defense solutions have been proposed in literature. All these defenses are based on the implicit assumption that the attacker needs a perfect deobfuscation accuracy which may not be true in many practical cases. Therefore, in this paper by relaxing the exactness constraint on deobfuscation, we propose the AppSAT attack, an approximate deobfuscation algorithm based on the SAT attack and random testing. We show how the AppSAT attack can deobfuscate 68 out of the 71 benchmark circuits that were obfuscated with state-of-the-art SAT attack defenses with an accuracy of 1/n, n being the number of inputs. AppSAT shows that with current SAT attack defenses there will be a trade-off between exact-attack resiliency and approximation resiliency.

Yameen Ajani,Curtis Bright

2024-06-29

Abstract:The difficulty of factoring large integers into primes is the basis for cryptosystems such as RSA. Due to the widespread popularity of RSA, there have been many proposed attacks on the factorization problem such as side-channel attacks where some bits of the prime factors are available. When enough bits of the prime factors are known, two methods that are effective at solving the factorization problem are satisfiability (SAT) solvers and Coppersmith's method. The SAT approach reduces the factorization problem to a Boolean satisfiability problem, while Coppersmith's approach uses lattice basis reduction. Both methods have their advantages, but they also have their limitations: Coppersmith's method does not apply when the known bit positions are randomized, while SAT-based methods can take advantage of known bits in arbitrary locations, but have no knowledge of the algebraic structure exploited by Coppersmith's method. In this paper we describe a new hybrid SAT and computer algebra approach to efficiently solve random leaked-bit factorization problems. Specifically, Coppersmith's method is invoked by a SAT solver to determine whether a partial bit assignment can be extended to a complete assignment. Our hybrid implementation solves random leaked-bit factorization problems significantly faster than either a pure SAT or pure computer algebra approach.

Cryptography and Security,Discrete Mathematics,Logic in Computer Science,Symbolic Computation

Nicolas T. Courtois,Marios Georgiou

DOI: https://doi.org/10.48550/arXiv.1902.02748

2019-02-08

Abstract:One of the major open problems in symmetric cryptanalysis is to discover new specif i c types of invariant properties which can hold for a larger number of rounds of a block cipher. We have Generalised Linear Cryptanalysis (GLC) and Partitioning Cryptanalysis (PC). Due to double-exponential combinatorial explosion of the number of possible invariant properties systematic exploration is not possible and extremely few positive working examples of GLC are known. Our answer is to work with polynomial algebraic invariants which makes partitions more intelligible. We have developed a constructive algebraic approach which is about making sure that a certain combination of polynomial equations is zero. We work with an old block cipher from 1980s which has particularly large hardware complexity compared to modern ciphers e.g. AES. However all this complexity is not that useful if we are able to construct powerful non-linear invariants which work for any number of rounds. A key feature of our invariant attacks is that we are able to completely eliminate numerous state and key bits. We also construct invariants for the (presumably stronger) KT1 keys. Some of these lead to powerful ciphertext-only correlation attacks.

Cryptography and Security,Algebraic Geometry,Combinatorics,Group Theory,Rings and Algebras