Boolean Polynomials, BDDs and CRHS Equations - Connecting the Dots with CryptaPath

  • Conference paper
  • Selected Areas in Cryptography (SAC 2020)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12804)

Abstract

When new symmetric-key ciphers and hash functions are proposed, they are expected to document resilience against a number of known attacks. Good, easy-to-use tools may help designers in this process and give improved cryptanalysis. In this paper we introduce CryptaPath, a tool for algebraic cryptanalysis that uses Compressed Right-Hand Side (CRHS) equations to attack SPN ciphers and sponge constructions. It requires no previous knowledge of CRHS equations to be used, only a reference implementation of a primitive.

The connections between CRHS equations, binary decision diagrams and Boolean polynomials have not been described earlier in the literature. A comprehensive treatment of these relationships is given before we explain how CryptaPath works. We then describe the process of solving CRHS equation systems while introducing a new operation, dropping variables.

Corresponding author

Correspondence to Håvard Raddum.

A Overview of the Code and Usage of CryptaPath

The code base of CryptaPath is broken into two parts:

  • The Crush library, which provides an implementation of CRHS equations and systems of CRHS equations (SOCs) along with several APIs for the operations that can be performed on them (swap, add, absorb, drop and more). An interface (a Rust trait) for constructing solvers, with default implementations for several methods, is also provided.

  • The CryptaPath tool, which uses the Crush library. The tool itself is composed of a simple command line interface (CLI), a set of generic methods for building the specification of a SOC from an implementation of a cipher, and several example ciphers that we implemented for analysis. It also provides a generic solver, built from the interface of the Crush library.

We decided to make this separation in the belief that the usage of CRHS equations can be explored outside of cryptanalysis, in which case the Crush library on its own will be sufficient. However, when used for cryptanalysis, the main obstacle for researchers would be generating the SOC for every cipher and variant they want to analyze. The goal of CryptaPath is to simplify this task: given an implementation that respects the provided interface, the tool generates the SOC from the Rust source code.

While we provide several implementations of primitives (reduced versions of AES, LowMC, Skinny, Prince, Present, DES and Keccak), we encourage users to add their own if they want to analyze them. To facilitate any future implementation job we provide several helper functions that make it possible to run an implementation against test vectors to ensure its correctness. As already mentioned, we provide a good general solving algorithm that works out of the box for any SPN cipher or sponge construction implemented in Rust. As a user gets familiar with the tool, tailor-made solvers can be created and tested.

A.1 Usage

Simple usage of the tool is possible through the provided CLI. A user can generate a SOC for any of the primitives implemented in CryptaPath, for any number of rounds, and run the solver on it. The user can provide a specific plaintext/ciphertext pair and solve for the key. The user may also fix arbitrary bits of the key to see how much easier solving becomes with a partially guessed key. If no plaintext/ciphertext pair is provided, CryptaPath will generate a random plaintext and a random key respecting any fixed bits, and compute the corresponding ciphertext at runtime. Any solution found is validated by encrypting the plaintext and checking that the result matches the ciphertext. The system of CRHS equations can be output as a .bdd file for study and fed back into CryptaPath later.

As specified earlier, it is possible and encouraged to add new ciphers to CryptaPath. For that purpose we provide a Cipher trait which a reference implementation has to follow. Existing ciphers can be used as examples of how to make an implementation.

We provide two similar solvers which we believe to be a good general fit for all algorithms. The main difference between them is the use of the drop operation, which as noted earlier can either increase or decrease the complexity.

In the solver that uses dropping of variables, we consider variables that can be dropped without any joining of CRHS equations, and compare the cost of dropping them against the cost of absorbing the cheapest dependency found. The cost of resolving a dependency or dropping a variable is estimated by summing the number of nodes in the levels that have to be swapped or added to resolve it. There are many heuristics that could be explored to improve the solving, and in particular we expect a tailor-made solver to outperform ours when targeting a specific algorithm. A new solver can be implemented using the traits we provide with a minimal amount of code to rewrite.
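As an added illustration of the cost heuristic just described (this is not code from CryptaPath or the Crush library), the following Rust sketch models a single CRHS equation as a list of BDD levels, each carrying a linear combination of variables and a node count, finds the linear dependencies among the levels by Gaussian elimination over GF(2), and compares the estimated absorb cost with a drop cost. Two simplifications are assumed here: absorbing a dependency touches every level between its lowest and highest level, and dropping a variable costs the nodes of the levels whose combination contains it.

```rust
/// Simplified model of one CRHS equation: a BDD whose levels each carry a linear
/// combination of variables (bitmask over at most 64 variables) and a node count.
pub struct Level {
    pub lin: u64,     // bit i set means variable x_i occurs in this level's combination
    pub nodes: usize, // number of BDD nodes on this level
}
#[derive(Debug, PartialEq)]
pub enum Step { Drop, Absorb(u64), Done }
/// All linear dependencies among the levels over GF(2): an XOR basis keyed on the
/// highest set bit, tracking which original levels each reduced row is built from.
/// A dependency is returned as a bitmask of level indices that XOR to zero.
pub fn dependencies(levels: &[Level]) -> Vec<u64> {
    let mut pivot: [Option<(u64, u64)>; 64] = [None; 64];
    let mut deps = Vec::new();
    'outer: for (i, lvl) in levels.iter().enumerate() {
        let (mut v, mut comb) = (lvl.lin, 1u64 << i);
        for bit in (0..64).rev() {
            if v >> bit & 1 == 0 { continue; }
            let cur = pivot[bit];
            if let Some((row, row_comb)) = cur { v ^= row; comb ^= row_comb; }
            else { pivot[bit] = Some((v, comb)); continue 'outer; } // new independent row
        }
        deps.push(comb); // v reduced to zero: these levels are linearly dependent
    }
    deps
}
/// Absorb cost as in the appendix: nodes of every level that must be swapped or added,
/// assumed here to be all levels between the dependency's lowest and highest level.
pub fn absorb_cost(levels: &[Level], dep: u64) -> usize {
    let (lo, hi) = (dep.trailing_zeros() as usize, 63 - dep.leading_zeros() as usize);
    levels[lo..=hi].iter().map(|l| l.nodes).sum()
}
pub fn cheapest_dependency(levels: &[Level]) -> Option<(u64, usize)> {
    dependencies(levels).into_iter().map(|d| (d, absorb_cost(levels, d))).min_by_key(|&(_, c)| c)
}
/// Assumed drop-cost estimate: nodes in the levels whose combination contains x_var.
pub fn drop_cost(levels: &[Level], var: u32) -> Option<usize> {
    let hit: Vec<usize> = levels.iter().filter(|l| l.lin >> var & 1 == 1).map(|l| l.nodes).collect();
    if hit.is_empty() { None } else { Some(hit.iter().sum()) }
}
/// One solver decision: drop x_var when that is cheaper than the cheapest absorption.
pub fn choose_step(levels: &[Level], var: u32) -> Step {
    match (drop_cost(levels, var), cheapest_dependency(levels)) {
        (Some(d), Some((_, a))) if d < a => Step::Drop,
        (_, Some((dep, _))) => Step::Absorb(dep),
        (Some(_), None) => Step::Drop,
        (None, None) => Step::Done,
    }
}
```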

A specific part of the solver which we encourage users to tweak is the feedback function. This function is called by the solver every time it completes an operation on the system and is used to provide feedback to the user. Its role is to allow gathering data from the SOC during the solving process. Our default implementation prints several metrics to the terminal, such as the number of individual CRHS equations left in the system, the maximal number of nodes reached and the number of absorbed dependencies.

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Indrøy, J.P., Costes, N., Raddum, H. (2021). Boolean Polynomials, BDDs and CRHS Equations - Connecting the Dots with CryptaPath. In: Dunkelman, O., Jacobson, Jr., M.J., O'Flynn, C. (eds) Selected Areas in Cryptography. SAC 2020. Lecture Notes in Computer Science, vol 12804. Springer, Cham. https://doi.org/10.1007/978-3-030-81652-0_9

  • DOI: https://doi.org/10.1007/978-3-030-81652-0_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81651-3

  • Online ISBN: 978-3-030-81652-0
