Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Solving...

Ruhr-Ruhr-UniversitätUniversitätBochumBochumFakultät für MathematikFakultät für Mathematik

Informationssicherheit und KryptologieInformationssicherheit und Kryptologie

Solving Systems of Equations Solving Systems of Equations

with Incompatible Operationswith Incompatible Operations

CITS – Cryptology and Information SecurityCITS – Cryptology and Information Security

Fakultät für MathematikFakultät für Mathematik

Ruhr-Universität BochumRuhr-Universität Bochum

Magnus Daum

1.12.2004 Daum - Solving Systems of Equations with Incompatible Operations 3

Systems of EquationsSystems of Equations

• Cryptanalysis often uses systems of equations, e.g.– linear equations– quadratic equations (e.g. algebraic attack)

• But many cryptosystems include different, mathematically incompatible kinds of operations:– integer operations modulo 2n

– bitwise defined functions– bitrotations / -shifts

• could be also represented by polynomial equations• better to have tools for directly solving equations

involving such different operations

Motivation/ApplicationMotivation/Application

• Dobbertin‘s attacks on hash functions:– e.g. solve

where f is a bitwise defined function

– Idea: Xk,…,0 solution for least significant k+1 bit) Xk-1,…,0 solution for least significant k bit

– Solve „from right to left“

• T-functions (Klimov/Shamir):– f T-function , k-th output bit of f depends only on

least significant k-1 input bits– solvable „from right to left“

Dobbertin‘s AlgorithmDobbertin‘s Algorithm

tree of solutions

Dobbertin‘s AlgorithmDobbertin‘s Algorithm

tree of solutions

• Often possible to stop early• Faster than exhaustive search• For each solution there exists

a leaf in the tree• Complexity directly related to

the number of solutions• Problem: We are mainly

interested in equations with many solutions.

Improvement:Improvement: Exploiting RedundancyExploiting Redundancy

• Idea:Combine redundant subtrees

• Problem:Detect redundancy during the construction of the graph

• Only the carrybit is relevant for the solution for the third bit

• Labeling the vertices with the carrybits makes it possible to detect redundancies on the fly tree of solutions

ExampleExample

Tree of solutions fromDobbertin‘s algorithm

ExampleExample

solution graph

1100 1001

solution graph

ExampleExample

• Compact representation of the set of solutions

• Can be simplified even more

Solution GraphsSolution Graphs

• One root and one sink• Labelling of the edges describes

solutions:Each path from the root to the sink represents a solution (and vice versa)

• Also possible to consider equations with more than one variable:

– E.g. label edges with XiYiZi instead of only Xi

Size of Solution GraphsSize of Solution Graphs

• possible to minimize size:– delete „dead-ends“– merge equivalent vertices

• Size is hardly predictable in general• worst-Case: exponential size• here: upper bounds

– because of labelling with carrybits– T-functions: narrowness gives upper

bound on possible labels

Algorithms for Solution GraphsAlgorithms for Solution Graphs

• Solution graphs are closely related to binary decision diagrams (BDDs)

• Further efficient algorithms from the theory of BDDs deriveable:– computing the number of solutions– choosing random solutions– combining solution graphs

(e.g. intersecting two sets of solutions)

ConclusionConclusion

• presented a new data structure, a solution graph• closely related to BDDs• allows efficient computation and representation

of special systems of equations with incompatible operations

• especially for T-functions with small narrowness

Thank you!Thank you!

Questions???Questions???

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Solving...

Documents

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Cryptanalysis of Hash Functions of the MD4-Family CITS – Cryptology

Kryptologie für Jedermannund -Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken der SAP AG ... schriftlichen Fibel-Version. 10. 2 Kryptologie in

Úvod do kryptologie Historie a klasické šifry

CITS Construe Solutions 2013

VDA Whitepaper Risikomanagement in der Informationssicherheit · Whitepaper „Risikomanagement in der Informationssicherheit“ Schutzziele: Vertraulichkeit, Integrität, Verfügbarkeit

CITS 2021 - nstijamshedpur.dgt.gov.in

Informationssicherheit im Übersetzungsprozess

CITS Presentation IPDEletron · CITS | IPD ELETRON SOBRE NÓS CITS– CentroInternacionaldeTecnologia deSoftware Rua do#Semeador,#702,#Parque de#Software Curitiba/PR#> Brasil

Civil disobedience cits

Kapitel 9: Informationssicherheit und Datenschutz · 2020. 6. 17. · Kapitel 9: Informationssicherheit und Datenschutz. Lehrbuch WIRTSCHAFTSINFORMATIK 9. Informationssicherheit und

Kryptologie - informatik.bildung-rp.de · Kryptographie: Nicht die Nachricht als Ganzes, sondern nur ihr Inhalt ist verborgen Bsp. 15 Wegweiser durch die Kryptologie Verfahrensarten

Komplexit atstheorie & Kryptologie Computational ... - CCC

Kryptologie und Datensicherheit - Uni Tübingen :: WSI ...dm.inf.uni-tuebingen.de/skripte/Kryptologie/Kryptologie_WS0809.pdf · Universit¨at T ¨ubingen Wilhelm-Schickard-Institut

CITS - Company Profile UPDATED

Kryptologie Klaus Becker 2014. 2 Kryptologie An: b@ob.de Von: a@lice.de Hallo Bob!

CITS Strategic Plan

Kryptologie – von einer Geheimwissenschaft zu einer Wissenschaft

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Which Hash Functions will survive? Xiaoyun Wang Xuejia Lai Magnus

Facharbeit Mathematik - · PDF fileFacharbeit Mathematik Thorsten Ferres Kryptologie Kryptologie - Was ist das für eine Wissenschaft? Die Kryptologie ist, wie ich schon in der Überschrift

Datenschutz Informationssicherheit Urheberrecht …homepage.bildungsserver.com/spaw21/uploads/105/images/... · 2017. 10. 6. · IT-Recht Datenschutz Informationssicherheit Urheberrecht