Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Solving Systems of Equations with Incompatible Operations CITS

Ruhr-Ruhr-UniversitätUniversitätBochumBochumFakultät für MathematikFakultät für Mathematik

Informationssicherheit und KryptologieInformationssicherheit und Kryptologie

Solving Systems of Equations Solving Systems of Equations

with Incompatible Operationswith Incompatible Operations

CITS – Cryptology and Information SecurityCITS – Cryptology and Information Security

Fakultät für MathematikFakultät für Mathematik

Ruhr-Universität BochumRuhr-Universität Bochum

Magnus Daum

1.12.2004 Daum - Solving Systems of Equations with Incompatible Operations 3



Systems of EquationsSystems of Equations

• Cryptanalysis often uses systems of equations, e.g.– linear equations– quadratic equations (e.g. algebraic attack)

• But many cryptosystems include different, mathematically incompatible kinds of operations:– integer operations modulo 2n

– bitwise defined functions– bitrotations / -shifts

• could be also represented by polynomial equations• better to have tools for directly solving equations

involving such different operations




Motivation/ApplicationMotivation/Application

• Dobbertin‘s attacks on hash functions:– e.g. solve

where f is a bitwise defined function

– Idea: Xk,…,0 solution for least significant k+1 bit) Xk-1,…,0 solution for least significant k bit

– Solve „from right to left“

• T-functions (Klimov/Shamir):– f T-function , k-th output bit of f depends only on

least significant k-1 input bits– solvable „from right to left“




Dobbertin‘s AlgorithmDobbertin‘s Algorithm

x

x

x

x

tree of solutions




Dobbertin‘s AlgorithmDobbertin‘s Algorithm

x

x

x

x

tree of solutions

• Often possible to stop early• Faster than exhaustive search• For each solution there exists

a leaf in the tree• Complexity directly related to

the number of solutions• Problem: We are mainly

interested in equations with many solutions.




Improvement:Improvement: Exploiting RedundancyExploiting Redundancy

x

x

x

x

• Idea:Combine redundant subtrees

• Problem:Detect redundancy during the construction of the graph

• Only the carrybit is relevant for the solution for the third bit

• Labeling the vertices with the carrybits makes it possible to detect redundancies on the fly tree of solutions




ExampleExample

x

x

x

x

Tree of solutions fromDobbertin‘s algorithm




x

ExampleExample

xx

x

x

solution graph

1100 1001

1100 1001

1100 1001

00

x

x

x




solution graph

ExampleExample

x

x

x

x

• Compact representation of the set of solutions

• Can be simplified even more




Solution GraphsSolution Graphs

• One root and one sink• Labelling of the edges describes

solutions:Each path from the root to the sink represents a solution (and vice versa)

• Also possible to consider equations with more than one variable:

– E.g. label edges with XiYiZi instead of only Xi

sink

root




Size of Solution GraphsSize of Solution Graphs

x

x

x

x

• possible to minimize size:– delete „dead-ends“– merge equivalent vertices

• Size is hardly predictable in general• worst-Case: exponential size• here: upper bounds

– because of labelling with carrybits– T-functions: narrowness gives upper

bound on possible labels




Algorithms for Solution GraphsAlgorithms for Solution Graphs

• Solution graphs are closely related to binary decision diagrams (BDDs)

• Further efficient algorithms from the theory of BDDs deriveable:– computing the number of solutions– choosing random solutions– combining solution graphs

(e.g. intersecting two sets of solutions)




ConclusionConclusion

• presented a new data structure, a solution graph• closely related to BDDs• allows efficient computation and representation

of special systems of equations with incompatible operations

• especially for T-functions with small narrowness




Thank you!Thank you!

Questions???Questions???

Documents

Ruhr- Universität Bochum Fakultät für Mathematik Informationssicherheit und Kryptologie Solving Systems of Equations with Incompatible Operations CITS