Algebraic Attack on Stream Ciphers

MSIS 7 IS department MCS NUST

Introduction

In this type of attack, which is applicable to both stream ciphers and block ciphers, the cipher is rewritten as a system of multivariate equations.

Solving the system of equations will give unknown

Thus, in short, an algebraic attack consists of these two steps:
◦ Set up a system of equations in key bits and output bits
◦ Solve it

Algebraic equations of LFSR

Algebraic equations of LFSR with combiner function

Using the direct algebraic approach, we can derive equations in the key bits $k_0, k_1, \ldots, k_{n-1}$ as

In general, we cannot expect to find an efficient solver for all kinds of systems of equations.

But the situation changes if the system is over-defined.

In these cases, linearization is used. This method can solve an over-defined system of nonlinear equations in polynomial time if enough linearly independent equations are given. The principle of the linearization algorithm is:
◦ Use an over-defined system of equations
◦ Replace each monomial with a new variable
◦ Solve as a linear system

Linearization Example

Solve the following system of quadratic equations over GF(7):

$x^2 + 4y^2 + z^2 + 5xy + 2xz + 6yz + 5x + 3y + 5z + 1 = 0$
$3x^2 + 2y^2 + 3z^2 + 4xy + 6xz + 2yz + 6x + 4y + 3z + 2 = 0$
$2x^2 + 3y^2 + 2z^2 + 5xy + 2yz + 4x + y + z + 4 = 0$
$6x^2 + 3y^2 + 3z^2 + 5xz + yz + 5y + 2z + 2 = 0$

Linearization

$x^2 \to A,\quad y^2 \to B,\quad z^2 \to C,\quad xy \to D,\quad xz \to E,\quad yz \to F$

$A + 4B + C + 5D + 2E + 6F + 5x + 3y + 5z + 1 = 0$
$3A + 2B + 3C + 4D + 6E + 2F + 6x + 4y + 3z + 2 = 0$
$2A + 3B + 2C + 5D + 2F + 4x + y + z + 4 = 0$
$6A + 3B + 3C + 5E + F + 5y + 2z + 2 = 0$

Add Extra Equations

#{variables} >> #{equations}

There are too many solutions to the system of linear equations.

Add relations between the new variables to reduce the number of solutions. For example:
◦ $Dz = Ey = Fx$ [since $(xy)z = (xz)y = (yz)x$]
◦ $Ay = Dx, \ldots$ [since $(x^2)y = (xy)x, \ldots$]
◦ $DE = AF, \ldots$ [since $(xy)(xz) = (x^2)(yz), \ldots$]

Relinearization

Consider each quadratic monomial as a new variable and linearize again. In general, with more variables:

$(ab)(cd) = (ac)(bd) = (ad)(bc)$
$(ab)(cd)(ef) = (ad)(cf)(eb) = \ldots$

This idea was used by Kipnis and Shamir, "Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization", Crypto '99, LNCS 1666, pp. 19-30.

Relinearization is not as efficient as expected.

XL: EXtended Linearization

Previous system of quadratic equations:

$l_1: x^2 + 4y^2 + z^2 + 5xy + 2xz + 6yz + 5x + 3y + 5z + 1 = 0$
$l_2: 3x^2 + 2y^2 + 3z^2 + 4xy + 6xz + 2yz + 6x + 4y + 3z + 2 = 0$
$l_3: 2x^2 + 3y^2 + 2z^2 + 5xy + 2yz + 4x + y + z + 4 = 0$
$l_4: 6x^2 + 3y^2 + 3z^2 + 5xz + yz + 5y + 2z + 2 = 0$

Try degree D = 3: multiply each $l_i$ by x, y, z respectively. Linearize: consider all monomials as variables.

How many equations now? 4 × 4 = 16. Number of variables = 20.

Matrix of Coefficients

x^2y x^2z xy^2 xyz  xz^2 y^2z yz^2 xy   xz   yz   x^3  x^2  x    y^3  y^2  y    z^3  z^2  z    1
0    0    0    0    0    0    0    5    2    6    0    1    5    0    4    3    0    1    5    1
0    0    0    0    0    0    0    4    6    2    0    3    6    0    2    4    0    3    3    2
0    0    0    0    0    0    0    5    0    2    0    2    4    0    3    1    0    2    1    4
0    0    0    0    0    0    0    0    5    1    0    6    0    0    3    5    0    3    2    2
5    2    4    6    1    0    0    3    5    0    1    5    1    0    0    0    0    0    0    0
1    0    5    2    0    6    1    5    0    5    0    0    0    4    3    1    0    0    0    0
0    1    0    5    2    4    6    0    5    3    0    0    0    0    0    0    1    5    1    0
4    6    2    2    3    0    0    4    3    0    3    6    2    0    0    0    0    0    0    0
3    0    4    6    0    2    3    6    0    3    0    0    0    2    4    2    0    0    0    0
0    3    0    4    6    2    2    0    6    4    0    0    0    0    0    0    3    3    2    0
5    0    3    2    2    0    0    1    1    0    2    4    4    0    0    0    0    0    0    0
2    0    5    0    0    2    2    4    0    1    0    0    0    3    1    4    0    0    0    0
0    2    0    5    0    3    2    0    4    1    0    0    0    0    0    0    2    1    4    0
0    5    3    1    3    0    0    5    2    0    6    0    2    0    0    0    0    0    0    0
6    0    0    5    0    1    3    0    0    2    0    0    0    3    5    2    0    0    0    0
0    6    0    0    5    3    1    0    0    5    0    0    0    0    0    0    3    2    2    0

Gaussian Elimination

x^2y x^2z xy^2 xyz  xz^2 y^2z yz^2 xy   xz   yz   x^3  x^2  x    y^3  y^2  y    z^3  z^2  z    1
5    2    4    6    1    0    0    3    5    0    1    5    1    0    0    0    0    0    0    0
0    1    0    5    4    6    1    3    6    5    4    6    4    4    3    1    0    0    0    0
0    0    3    6    0    3    4    1    2    6    0    5    6    2    5    4    0    0    0    0
0    0    0    1    0    2    3    4    5    3    0    2    1    2    4    2    0    0    0    0
0    0    0    0    5    5    5    4    6    5    3    1    3    3    4    6    1    5    1    0
0    0    0    0    0    5    3    2    4    0    0    1    4    1    2    1    0    2    6    0
0    0    0    0    0    0    6    4    2    0    5    1    5    6    5    6    1    0    0    0
0    0    0    0    0    0    0    5    0    2    0    2    4    0    3    1    0    2    1    4
0    0    0    0    0    0    0    0    5    1    0    6    0    0    3    5    0    3    2    2
0    0    0    0    0    0    0    0    0    2    0    4    0    0    3    0    0    2    4    2
0    0    0    0    0    0    0    0    0    0    6    0    6    3    1    0    4    1    6    1
0    0    0    0    0    0    0    0    0    0    0    2    1    0    0    0    0    4    3    1
0    0    0    0    0    0    0    0    0    0    0    0    3    1    2    4    2    0    1    0
0    0    0    0    0    0    0    0    0    0    0    0    0    1    4    6    0    0    1    5
0    0    0    0    0    0    0    0    0    0    0    0    0    0    6    3    6    1    5    5
0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    5    2    1    6

XL Algorithm

The last row in the previous matrix represents $5z^3 + 2z^2 + z + 6 = 0$. Its solutions in GF(7) are z = 1, z = 2, and z = 5.

Solve the remaining variables recursively:
◦ 2nd row from the bottom: $6y^2 + 3y + 6z^3 + z^2 + 5z + 5 = 0$
◦ 4th row from the bottom: $3x + y^3 + 2y^2 + 4y + 2z^3 + z = 0$

Use other equations to erase all extraneous solutions.

This system has a unique solution: x = 1, y = 3, and z = 5.
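The degree-3 XL run above can be reproduced mechanically. The Python below is an added example, not code from the original slides: it rebuilds the 16 × 20 matrix from l1 to l4 in the slides' column order, row-reduces it over GF(7), and reads the univariate polynomial in z off the last row. As a simplification it finds x and y by searching GF(7) for each root of z and filtering with the original equations, instead of back-substituting through the reduced rows; all function names are this example's own.

```python
from itertools import product

P = 7  # GF(7), the field of the slides' example
KEYS = [(2,0,0),(0,2,0),(0,0,2),(1,1,0),(1,0,1),(0,1,1),(1,0,0),(0,1,0),(0,0,1),(0,0,0)]
# l1..l4 from the slides: coefficients of x^2 y^2 z^2 xy xz yz x y z 1
COEFFS = [(1,4,1,5,2,6,5,3,5,1), (3,2,3,4,6,2,6,4,3,2),
          (2,3,2,5,0,2,4,1,1,4), (6,3,3,0,5,1,0,5,2,2)]
SYSTEM = [dict(zip(KEYS, c)) for c in COEFFS]  # (ex, ey, ez) -> coefficient
# Column order of the slides' matrix; the pure-z monomials z^3 z^2 z 1 come last
COLS = [(2,1,0),(2,0,1),(1,2,0),(1,1,1),(1,0,2),(0,2,1),(0,1,2),(1,1,0),(1,0,1),
        (0,1,1),(3,0,0),(2,0,0),(1,0,0),(0,3,0),(0,2,0),(0,1,0),(0,0,3),(0,0,2),
        (0,0,1),(0,0,0)]

def shift(poly, m):  # multiply poly by the monomial with exponent tuple m
    return {tuple(a + b for a, b in zip(k, m)): c for k, c in poly.items()}

def xl_matrix():
    """Degree-3 XL expansion: rows l_i, then x*l_i, y*l_i, z*l_i for each i."""
    polys = SYSTEM + [shift(p, m) for p in SYSTEM for m in KEYS[6:9]]  # x, y, z
    return [[p.get(c, 0) for c in COLS] for p in polys]

def rref(rows):
    """Reduced row echelon form over GF(P); returns only the nonzero rows."""
    rows, rank = [r[:] for r in rows], 0
    for col in range(len(COLS)):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, P)  # modular inverse (Python 3.8+)
        rows[rank] = [v * inv % P for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rows[:rank]

def evaluate(poly, pt):
    return sum(c * pt[0]**k[0] * pt[1]**k[1] * pt[2]**k[2] for k, c in poly.items()) % P

def xl_solve():
    reduced = rref(xl_matrix())
    head, uni = reduced[-1][:16], reduced[-1][16:]  # uni: z^3, z^2, z, 1 (monic)
    if any(head):
        raise ValueError("degree 3 gave no univariate polynomial in z")
    z_roots = [z for z in range(P) if evaluate(dict(zip(COLS[16:], uni)), (0, 0, z)) == 0]
    sols = [(x, y, z) for z in z_roots for x, y in product(range(P), repeat=2)
            if all(evaluate(p, (x, y, z)) == 0 for p in SYSTEM)]
    return len(reduced), uni, z_roots, sols
```

`xl_solve()` returns the rank, the last row's polynomial scaled to be monic (the slides' 5z^3 + 2z^2 + z + 6 multiplied by 5^-1 = 3), the candidate roots for z, and the solutions that survive the check against l1 to l4.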

The complexity of the algorithm mainly depends on the time it takes to row reduce the final matrix. Therefore the number of equations and distinct monomials in the expanded system will determine the complexity.

The authors of XL claimed that their algorithm solves a randomly generated system of polynomial equations in sub-exponential time when the number of equations slightly exceeds the number of variables. These claims are still impractical but better than the theoretical worst case.

Complexity of the attack

Algebraic Attacks

If we can set up a true system of lower degree r < d, the complexity becomes smaller.

So the need is to decrease the degree of the system.

Annihilators of a function

Let $f(x_1, x_2, x_3) = x_1 x_2 + x_2 x_3 + x_3$.

Let $f, g \in B_n$ be Boolean functions; then $g$ is an annihilator of $f$ iff $f \cdot g = 0$, and

$\mathrm{An}(f) = \{\, g \in B_n \mid f \cdot g = 0 \,\}$
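As an added illustration (not part of the original slides), the Python below enumerates An(f) for the f given above: a function g satisfies f·g = 0 exactly when it is zero wherever f = 1, so the annihilators are built by choosing g freely on the zeros of f. The Möbius transform then gives each annihilator's algebraic normal form and degree. Function names are this example's own.

```python
from itertools import product

N = 3
POINTS = list(product((0, 1), repeat=N))  # (x1, x2, x3); index = 4*x1 + 2*x2 + x3

def truth_table(func):
    return [func(*p) for p in POINTS]

F = truth_table(lambda x1, x2, x3: (x1 & x2) ^ (x2 & x3) ^ x3)  # f from the slides

def anf(tt):
    """Binary Moebius transform: truth table -> ANF coefficient per monomial mask."""
    a = list(tt)
    for i in range(N):
        for j in range(len(a)):
            if j >> i & 1:
                a[j] ^= a[j ^ (1 << i)]
    return a

def degree(tt):
    """Algebraic degree: largest number of variables in any ANF monomial."""
    return max((bin(m).count("1") for m, c in enumerate(anf(tt)) if c), default=-1)

def anf_str(tt):
    names = ["x1", "x2", "x3"]
    terms = ["".join(n for k, n in enumerate(names) if m >> (N - 1 - k) & 1) or "1"
             for m, c in enumerate(anf(tt)) if c]
    return " + ".join(terms) or "0"

def annihilators(tt):
    """All nonzero g with f*g = 0: g is free where f = 0, forced to 0 where f = 1."""
    free = [i for i, v in enumerate(tt) if v == 0]
    result = []
    for bits in product((0, 1), repeat=len(free)):
        g = [0] * len(tt)
        for i, b in zip(free, bits):
            g[i] = b
        if any(g):
            result.append(g)
    return result

def lowest_degree_annihilators(tt):
    ann = annihilators(tt)
    d = min(degree(g) for g in ann)
    return d, [g for g in ann if degree(g) == d]

if __name__ == "__main__":
    d, gs = lowest_degree_annihilators(F)
    print("f =", anf_str(F), "| lowest annihilator degree:", d)
    for g in gs:
        print("  g =", anf_str(g))
```

For this f the lowest annihilator degree equals the degree of f itself, and f + 1 is one of the lowest-degree annihilators.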

Attack using Annihilators

A=

Fast algebraic attacks: reducing the degree
