html5
1 / 14

Solving Systems of Equations with Incompatible Operations

Solving Systems of Equations with Incompatible Operations. CITS – Cryptology and Information Security Fakultät für Mathematik Ruhr-Universität Bochum. Magnus Daum. Systems of Equations. Cryptanalysis often uses systems of equations, e.g. linear equations

otto-sexton
Download Presentation

Solving Systems of Equations with Incompatible Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Solving Systems of Equations with Incompatible Operations CITS – Cryptology and Information Security Fakultät für Mathematik Ruhr-Universität Bochum Magnus Daum

  2. Systems of Equations • Cryptanalysis often uses systems of equations, e.g. • linear equations • quadratic equations (e.g. algebraic attack) • But many cryptosystems include different, mathematically incompatible kinds of operations: • integer operations modulo 2n • bitwise defined functions • bitrotations / -shifts • could be also represented by polynomial equations • better to have tools for directly solving equations involving such different operations Daum - Solving Systems of Equations with Incompatible Operations

  3. Motivation/Application • Dobbertin‘s attacks on hash functions: • e.g. solve where f is a bitwise defined function • Idea: Xk,…,0 solution for least significant k+1 bit)Xk-1,…,0 solution for least significant k bit • Solve „from right to left“ • T-functions (Klimov/Shamir): • f T-function , k-th output bit of f depends only on least significant k-1 input bits • solvable „from right to left“ Daum - Solving Systems of Equations with Incompatible Operations

  4. Dobbertin‘s Algorithm tree of solutions Daum - Solving Systems of Equations with Incompatible Operations

  5. Dobbertin‘s Algorithm tree of solutions • Often possible to stop early • Faster than exhaustive search • For each solution there exists a leaf in the tree • Complexity directly related to the number of solutions • Problem: We are mainly interested in equations with many solutions. Daum - Solving Systems of Equations with Incompatible Operations

  6. Improvement:Exploiting Redundancy • Idea:Combine redundant subtrees • Problem:Detect redundancy during the construction of the graph • Only the carrybit is relevant for the solution for the third bit • Labeling the vertices with the carrybits makes it possible to detect redundancies on the fly tree of solutions Daum - Solving Systems of Equations with Incompatible Operations

  7. Example Tree of solutions fromDobbertin‘s algorithm Daum - Solving Systems of Equations with Incompatible Operations

  8. Example solution graph 00 01 10 11 00 01 10 11 00 01 10 11 00 Daum - Solving Systems of Equations with Incompatible Operations

  9. Example • Compact representation of the set of solutions • Can be simplified even more solution graph Daum - Solving Systems of Equations with Incompatible Operations

  10. Solution Graphs • One root and one sink • Labelling of the edges describes solutions:Each path from the root to the sink represents a solution (and vice versa) • Also possible to consider equations with more than one variable: • E.g. label edges with XiYiZi instead of only Xi sink root Daum - Solving Systems of Equations with Incompatible Operations

  11. Size of Solution Graphs • possible to minimize size: • delete „dead-ends“ • merge equivalent vertices • Size is hardly predictable in general • worst-Case: exponential size • here: upper bounds • because of labelling with carrybits • T-functions: narrowness gives upper bound on possible labels Daum - Solving Systems of Equations with Incompatible Operations

  12. Algorithms for Solution Graphs • Solution graphs are closely related to binary decision diagrams (BDDs) • Further efficient algorithms from the theory of BDDs deriveable: • computing the number of solutions • choosing random solutions • combining solution graphs (e.g. intersecting two sets of solutions) Daum - Solving Systems of Equations with Incompatible Operations

  13. Conclusion • presented a new data structure, a solution graph • closely related to BDDs • allows efficient computation and representation of special systems of equations with incompatible operations • especially for T-functions with small narrowness Daum - Solving Systems of Equations with Incompatible Operations

  14. Thank you!Questions??? Daum - Solving Systems of Equations with Incompatible Operations

More Related