Improved Algebraic Cryptanalysis of QUAD, Bivium and Trivium via Graph Partitioning on Equation Systems

Transcription

1 Improved Algebraic of QUAD, Bivium and Trivium via on Equation Systems Kenneth Koon-Ho Wong 1, Gregory V. Bard 2 1 Information Security Institute Queensland University of Technology, Brisbane, Australia 2 Mathematics Department Fordham University, The Bronx, NY, USA 5 July 2010, Algebraic, QUAD, Trivium

2 Acknowledgements Ed Dawson Information Security Institute Queensland University of Technology, Brisbane, Australia Gary Carter Information Security Institute Queensland University of Technology, Brisbane, Australia, Algebraic, QUAD, Trivium

3 Algebraic Attacks Our Contribution Equations Partitioning Partitioning Experiments QUAD Trivium, Algebraic, QUAD, Trivium

4 Algebraic Attacks Our Contribution Algebraic Attacks Algebraic attacks are a method of cryptanalysis primarily on symmetric ciphers Courtois and Meier (2003) The cipher is described as a system of equations relating its keys or internal states and its outputs Solving the system of equations means recovering the keys or internal states Very little keystream required compared to other attacks Solving the equations generated is the main bottleneck, Algebraic, QUAD, Trivium

5 Algebraic Attacks Our Contribution Algebraic Attacks Building Equations Multivariate polynomial equations Usually over GF(2) for stream ciphers Tradeoff between degree and number of variables via relabelling Example: {x 1 x 2 x 3 = 1} {x 4 = x 1 x 2, x 3 x 4 = 1} Solving Equations Time complexity is exponential in number of variables and maximum degree for general systems Linearisation, Gröbner basis, XL SAT, AIDA, Raddum-Samaev, Triangulation, Algebraic, QUAD, Trivium

6 Algebraic Attacks Our Contribution Our Contribution We develop a method of preprocessing systems of multivariate equations to reduce time spent in solving equation systems Introduce the concept of variable-sharing graphs Split equations and varaiables using these graphs into independent ones The resulting equations systems can be much easier to solve than the original Exponential reduction in time complexity with less variables Applications to algebraic cryptanalysis are presented Exploit weak parameters in QUAD under this technique Significantly improve partial key guess attacks for Trivium, Algebraic, QUAD, Trivium

7 Algebraic Attacks Our Contribution Variable-Sharing Graphs Converts an equation system in n variables to graph representation A vertex for each variable An edge between two vertices if both variables appear in an equation f 1 (x 0, x 1,..., x n 1 ) = 0 f 2 (x 0, x 1,..., x n 1 ) = 0. f m (x 0, x 1,..., x n 1 ) = 0 Graph represents links among variables in the equation system, Algebraic, QUAD, Trivium

8 Algebraic Attacks Our Contribution Variable-Sharing Graphs Example: x 1 x 3 + x 1 + x 5 = 1 x 2 x 4 + x 4 x 5 = 0 x 1 x 5 + x 3 x 5 = 1 x 2 x 5 + x 2 + x 4 = 0 x 2 + x 4 x 5 = 1 No equations involving the following pairs of variables v 1, v 2 v 1, v 4 v 2, v 3 v 3, v 4, Algebraic, QUAD, Trivium

9 Algebraic Attacks Our Contribution Variable-Sharing Graphs If the graph has disjoint subgraphs, the equation system can also be separated into individual ones which can be solved separately g 1 (y 0, y 1,..., y r 1 ) = 0 g m1 (y r, y r+1,..., y n 1 ) = 0. h 1 (y r, y r+1,..., y n 1 ) = 0 h m2 (y r, y r+1,..., y n 1 ) = 0., Algebraic, QUAD, Trivium

10 Algebraic Attacks Our Contribution Variable-Sharing Graphs Example: x 1 x 3 + x 1 = 0 x 2 x 4 + x 4 = 0 x 1 + x 3 = 1 x 2 + x 4 = 1 The variable-sharing graph can identify independent equation subsystems Some parallels to matrix row and column reordering on linear systems, Algebraic, QUAD, Trivium

11 Algebraic Attacks Our Contribution Partitioning Graphs and Separating Equations In reality, graphs from algebraic cryptanalysis do not usually have disjoint subgraphs All variables are often related to each other in a good cipher However, these equations are often sparse. Disjoint subgraphs could be obtained by removing a small number of vertices This is equivalent to guessing the values of the corresponding variables to eliminate them from the equation system Our aim is to find these sets of variables through graph theory techniques, Algebraic, QUAD, Trivium

12 Equations Partitioning Partitioning Experiments Graph Connectivity Let G = (V, E) be a graph with vertex set V and edge set E Definition A graph is connected if there is a path from a vertex to all other vertices. Otherwise, the graph is disconnected. Definition The vertex connectivity of κ of G is the minimum number of vertices that must be removed to disconnect G The complete graph K n with n vertices has vertex connectivity (n 1) A disconnected graph has zero vertex connectivity, Algebraic, QUAD, Trivium

13 Equations Partitioning Partitioning Experiments A graph can be made disconnected by removing certain vertices or edges This process is called vertex partitioning or edge partitioning Definition A vertex partition (V 1, C, V 2 ) of G is a partition of V into sets V 1, C, V 2 where V 1, V 2 are non-empty, and no edges exist between vertices in V 1 and vertices in V 2. The removal of C from V causes G to disconnect into subgraphs G 1, G 2 with vertex sets V 1, V 2 respectively The set C is called the vertex separator The size of C is at least κ(g), Algebraic, QUAD, Trivium

14 Equations Partitioning Partitioning Experiments Example: All non-trivial graphs can be partitioned by removing all connections to a single vertex This is not useful for solving equations A balanced vertex separator is needed where the resulting disjoint subgraphs have similar sizes, Algebraic, QUAD, Trivium

15 Equations Partitioning Partitioning Experiments Balanced Define the balance β of a vertex partition (V 1, C, V 2 ) of G as β = max( V 1, V 2 ) V 1 + V 2 = max( V 1, V 2 ) V C A balanced vertex partition is such that β 0.5, Algebraic, QUAD, Trivium

16 Equations Partitioning Partitioning Experiments Equation Systems Partitioning Definition Let F be the polynomial system {f 1 ( x) = 0, f 2 ( x) = 0,..., f m ( x) = 0} of m polynomial equations in the variables x 1, x 2,..., x n. The variable-sharing graph G = (V, E) of F is obtained by creating a vertex v i V for each variable x i, and creating an edge (v i, v j ) E if two variables x i, x j appear together in any polynomial f k. A vertex partition can then be computed from the graph The corresponding equation subsystems can be solved independently by guessing variables corresponding to vertices in the separator, Algebraic, QUAD, Trivium

17 Equations Partitioning Partitioning Experiments Partitioning Example Quadratic system in 5 variables x i GF(2) Balanced vertex partition with C = 1 x 1 x 3 + x 1 + x 5 = 1 x 2 x 4 + x 4 x 5 = 0 x 1 x 5 + x 3 x 5 = 1 x 2 x 5 + x 2 + x 4 = 0 x 2 + x 4 x 5 = 1, Algebraic, QUAD, Trivium

18 Equations Partitioning Partitioning Experiments Partitioning Example Split the original system into two with x 5 as the common variable x 1 x 3 + x 1 + x 5 = 1 x 2 x 4 + x 4 x 5 = 0 x 1 x 5 + x 3 x 5 = 1 x 2 x 5 + x 2 + x 4 = 0 x 2 + x 4 x 5 = 1 Guess each possible value of x 5 and compute solutions x 5 = 0 no solution x 5 = 1 (x 1, x 3 ) = (0, 1), (x 2, x 4 ) = (1, 0) x = (0, 1, 1, 0, 1) Same result as solving the full system, Algebraic, QUAD, Trivium

19 Equations Partitioning Partitioning Experiments Balanced Partitioning Algorithms Balanced graph partitioning is NP-hard Nevertheless, heuristic algorithms are very efficient Balanced edge partitioning is widely used Applications includes circuit design, matrix computations, finite element analysis Software packages includes Metis, Chaco, LINK, Goblin, SCOTCH, PARTY, JOSTLE Balanced vertex partitioning software is not readily available In this work, Metis is used with an algorithm to convert edge partitions into vertex partitions, Algebraic, QUAD, Trivium

20 Equations Partitioning Partitioning Experiments Experiments Vertex partitioning experiments was run to test the feasibility of this technique Random graphs of prescribed number of vertices, edges and average degree were generated Vertex partitions are computed using the Meshpart interface to the Metis partitioning software Experiments were run under a laptop on a Pentium M 1.4 GHz CPU with 1GB RAM running Windows XP SP2, Algebraic, QUAD, Trivium

21 Equations Partitioning Partitioning Experiments Vertex Partitioning Experiments V E density deg C V 1 V 2 β Time ms ms ms ms ms ms ms ms Balanced vertex partitions can be obtained very efficiently Balance parameter β roughly proportional to the average degree of graph, Algebraic, QUAD, Trivium

22 QUAD Trivium QUAD QUAD is a family of provably secure stream ciphers Berbain, Gilbert and Patarin (2006) Security is based on the Multivariate Quadratic (MQ) problem. The MQ equations form maps for state transition and keystream generation Solving these equations means key recovery Malicious host can generate weak systems with effective graph partitions Appears to be secure as a full system Check needs to be made for low vertex connectivity, Algebraic, QUAD, Trivium

23 QUAD Trivium Trivium Trivium is a bit-based stream cipher in the estream project hardware portfolio Cannière and Preneel (2007) 80 bit key, 80 bit initialisation vector, 288 bit internal state The cipher is secure against basic algebraic attacks 288 dense polynomial equations in 288 variables Raddum (2006) gave an alternative algebraic analysis with relabelling Obtained sparse quadratic system for Trivium Bivium-A and Bivium-B developed as reduced versions, Algebraic, QUAD, Trivium

24 QUAD Trivium Trivium Algebraic analysis with relabelling Trivium described as 954 quadratic equations in 954 variables Bivium-A and Bivium-B described as 399 equations in 399 variables Trivium Adjacency Matrix, Algebraic, QUAD, Trivium

25 QUAD Trivium Partitioning Bivium and Trivium Equations State Number of Cipher Size Variables C V 1 V 2 β Bivium-A Bivium-B Trivium Balanced partitions are obtained with reasonable vertex separators Guessing all bits in C is not useful as the cost is the same as exhaustive key search Guessing a subset of bits in C could yield a more effective attack, Algebraic, QUAD, Trivium

26 QUAD Trivium Partial Key Guessing with Vertex Separator All Guesses Number of Number of Cipher in C Guesses Equations Time Memory Bivium-A No s 843 MB Bivium-A Yes s 1200 MB Bivium-B No s 1044 MB Bivium-B Yes s 1569 MB Trivium No s 80 MB Trivium No s 554 MB Trivium No s 1569 MB Trivium Yes s 596 MB Trivium Yes s 1875 MB Trivium Yes s 3150 MB, Algebraic, QUAD, Trivium

27 QUAD Trivium Algebraic Attacks on Bivium and Trivium Choosing guesses entirely within vertex separators gives a significant efficiency gain in partial key guessing attacks Feasible attacks could be made against Bivium-A (14-bit guess) and Bivium-B (62-bit guess) Let T be the time required to solve a reduced system of Trivium The vertex separator technique roughly reduces the attack complexity from T to T A reduction in time complexity is achieved Best bits to guess are identified for Trivium, Algebraic, QUAD, Trivium

28 Summary and s Variable-sharing graphs can aid in solving multivariate equation systems Vertex partitions on the graph yield split equation systems that can be solved individually Significant efficiency gain over solving full systems Algebraic cryptanalysis can be improved using this technique Weak equations for QUAD can be tailored and need to be checked Partial key guess attacks on Trivium can be made much more efficient, Algebraic, QUAD, Trivium

29 Future Directions and Open Problems A new design criteria for ciphers? The graph partitioning technique is most effective on sparse equations whose graphs have very low vertex connectivity Graphs who are near complete provide maximum security against this technique The effects of relabelling in algebraic analysis on equation systems are unknown Most likely sparsity would increase and vertex connectivity would decrease Methods of ensuring high connectivity under relabelling may be developed, Algebraic, QUAD, Trivium

30 Thank You, Algebraic, QUAD, Trivium