Solving Systems of Equations with Incompatible Operations
DESCRIPTION
Solving Systems of Equations with Incompatible Operations. CITS – Cryptology and Information Security, Fakultät für Mathematik, Ruhr-Universität Bochum. Magnus Daum. Systems of Equations. Cryptanalysis often uses systems of equations, e.g. linear equations.
TRANSCRIPT
Slide 1
Ruhr-Universität Bochum, Fakultät für Mathematik
Informationssicherheit und Kryptologie
Solving Systems of Equations with Incompatible Operations
CITS – Cryptology and Information Security
Fakultät für Mathematik
Ruhr-Universität Bochum
Magnus Daum
Slide 2
1.12.2004 Daum - Solving Systems of Equations with Incompatible Operations 3
Systems of Equations
• Cryptanalysis often uses systems of equations, e.g.
  – linear equations
  – quadratic equations (e.g. algebraic attack)
• But many cryptosystems include different, mathematically incompatible kinds of operations:
  – integer operations modulo 2^n
  – bitwise defined functions
  – bit rotations / shifts
• These could also be represented by polynomial equations
• Better to have tools for directly solving equations involving such different operations
Slide 3
Motivation/Application
• Dobbertin's attacks on hash functions:
  – e.g. solve
    where f is a bitwise defined function
  – Idea: X_{k,…,0} is a solution for the least significant k+1 bits ⇒ X_{k-1,…,0} is a solution for the least significant k bits
  – Solve "from right to left"
• T-functions (Klimov/Shamir):
  – f is a T-function: the k-th output bit of f depends only on the least significant k-1 input bits
  – solvable "from right to left"
Slide 4
Dobbertin's Algorithm
[Figure: tree of solutions]
Slide 5
Dobbertin's Algorithm
[Figure: tree of solutions]
• Often possible to stop early
• Faster than exhaustive search
• For each solution there exists a leaf in the tree
• Complexity directly related to the number of solutions
• Problem: We are mainly interested in equations with many solutions.
Slide 6
Improvement: Exploiting Redundancy
[Figure: tree of solutions]
• Idea: Combine redundant subtrees
• Problem: Detect redundancy during the construction of the graph
• Only the carry bit is relevant for the solution for the third bit
• Labeling the vertices with the carry bits makes it possible to detect redundancies on the fly
Slide 7
Example
[Figure: tree of solutions from Dobbertin's algorithm]
Slide 8
Example
[Figure: solution graph]
Slide 9
Example
[Figure: solution graph]
• Compact representation of the set of solutions
• Can be simplified even more
Slide 10
Solution Graphs
• One root and one sink
• Labelling of the edges describes the solutions: each path from the root to the sink represents a solution (and vice versa)
• Also possible to consider equations with more than one variable:
  – E.g. label edges with X_i Y_i Z_i instead of only X_i
[Figure: solution graph with root and sink]
Slide 11
Size of Solution Graphs
[Figure: solution graph]
• Possible to minimize the size:
  – delete "dead ends"
  – merge equivalent vertices
• Size is hardly predictable in general
• Worst case: exponential size
• Here: upper bounds
  – because of the labelling with carry bits
  – T-functions: narrowness gives an upper bound on the possible labels
Slide 12
Algorithms for Solution Graphs
• Solution graphs are closely related to binary decision diagrams (BDDs)
• Further efficient algorithms from the theory of BDDs are derivable:
  – computing the number of solutions
  – choosing random solutions
  – combining solution graphs (e.g. intersecting two sets of solutions)
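As an added Python example (not code from the talk), the three ideas above put together: Dobbertin's bit-by-bit solver, the same search with vertices labelled by carry bits so that redundant subtrees are merged into a solution graph, and BDD-style counting of the solutions on that graph. The equation (x + A) ^ (x + B) = C mod 2^N and the constants N, A, B are constructed for illustration and are not taken from the talk.

```python
from collections import defaultdict
# Constructed example (not from the talk): (x + A) ^ (x + B) == C mod 2^N; C = A ^ B makes x = 0 a solution.
N, A, B = 8, 0x5B, 0xA7
C, MASK = A ^ B, (1 << N) - 1

def f(x):
    """T-function whose zeros we want: bit k of f(x) depends only on bits 0..k of x."""
    return (((x + A) & MASK) ^ ((x + B) & MASK)) ^ C

def dobbertin_tree(n, func):
    """Dobbertin's algorithm: extend each partial solution of the low k bits by bit k and
    keep it iff bit k of func vanishes.  Returns the solutions and the tree nodes visited."""
    partial, nodes = [0], 1
    for k in range(n):
        nxt = []
        for x in partial:
            for bit in (0, 1):
                y, nodes = x | (bit << k), nodes + 1
                if (func(y) >> k) & 1 == 0:
                    nxt.append(y)
        partial = nxt
    return partial, nodes

def solution_graph(n, a, b, c):
    """Same search, but a level-k vertex is labelled by the carry bits of x+a and x+b, so
    partial solutions with equal carries share one subtree.  Per level: edges[(carry_in, x_k)] = carry_out."""
    levels, layer = [], {(0, 0)}
    for k in range(n):
        ak, bk, ck = (a >> k) & 1, (b >> k) & 1, (c >> k) & 1
        edges, nxt = {}, set()
        for (ca, cb) in layer:
            for xk in (0, 1):
                sa, sb = xk + ak + ca, xk + bk + cb
                if (sa ^ sb) & 1 == ck:            # bit k of the equation holds
                    edges[((ca, cb), xk)] = (sa >> 1, sb >> 1)
                    nxt.add((sa >> 1, sb >> 1))
        levels.append(edges)
        layer = nxt
    return levels

def count_solutions(levels):
    """BDD-style counting of root-to-sink paths, backwards level by level; every last-level
    vertex is the sink, and dead ends (no path to the sink) contribute 0 automatically."""
    ways = defaultdict(lambda: 1)
    for edges in reversed(levels):
        prev = defaultdict(int)
        for (src, _), dst in edges.items():
            prev[src] += ways[dst]
        ways = prev
    return ways[(0, 0)]
```

For these constants the tree visits 95 nodes while the solution graph has 23 vertices (at most 4 per level, one per carry pair), both describing the same 8 solutions.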
Slide 13
Conclusion
• Presented a new data structure, the solution graph
• Closely related to BDDs
• Allows efficient computation and representation of special systems of equations with incompatible operations
• Especially for T-functions with small narrowness
Slide 14
Thank you!
Questions???