Solving Systems of Equations with Incompatible Operations - PowerPoint PPT Presentation


1
Solving Systems of Equations with Incompatible
Operations
Magnus Daum
  • CITS Cryptology and Information Security
  • Fakultät für Mathematik
  • Ruhr-Universität Bochum

2
Overview
  • Motivation
  • Dobbertin's Algorithm
  • Solution Graphs
  • Algorithms for Solution Graphs
  • Conclusions

3
Systems of Equations
  • Cryptanalysis often uses systems of equations,
    e.g.
  • linear equations
  • quadratic equations (e.g. algebraic attack)
  • But many cryptosystems include different,
    mathematically incompatible kinds of operations
  • integer operations modulo 2^n
  • bitwise defined functions
  • bit rotations / shifts
  • could also be represented by polynomial equations
  • better to have tools for directly solving
    equations involving such different operations

4
Motivation/Application
  • Dobbertin's attacks on hash functions
  • e.g. solve where f is a bitwise defined function
  • Idea: (X_k,...,X_0) solution for the least significant k+1
    bits ⇒ (X_{k-1},...,X_0) solution for the least significant k
    bits
  • Solve from right to left
  • T-functions (Klimov/Shamir)
  • f is a T-function ⇔ the k-th output bit of f depends only
    on the least significant k-1 input bits
  • solvable from right to left

5
Dobbertin's Algorithm
  • tree of solutions

6
Dobbertin's Algorithm
  • Often possible to stop early
  • Faster than exhaustive search
  • For each solution there exists a leaf in the tree
  • Complexity directly related to the number of
    solutions
  • Problem: We are mainly interested in equations
    with many solutions.
  • tree of solutions

7
Improvement Exploiting Redundancy
  • Idea: Combine redundant subtrees
  • Problem: Detect redundancy during the
    construction of the graph
  • Only the carry bit is relevant for the solution
    for the third bit
  • Labeling the vertices with the carry bits makes it
    possible to detect redundancies on the fly

tree of solutions
8
Example
Tree of solutions from Dobbertin's algorithm
9
Example
[Figure: solution graph whose vertices are labeled with the carry bits 00, 01, 10 and 11]
  • solution graph

10
Example
  • Compact representation of the set of solutions
  • Can be simplified even more

solution graph
11
Solution Graphs
  • One root and one sink
  • Labelling of the edges describes solutions: Each
    path from the root to the sink represents a
    solution (and vice versa)
  • Also possible to consider equations with more
    than one variable
  • E.g. label edges with X_i Y_i Z_i instead of only X_i

sink
root
12
Size of Solution Graphs
  • possible to minimize size
  • delete dead-ends
  • merge equivalent vertices
  • Size is hardly predictable in general
  • worst case: exponential size
  • here: upper bounds
  • because of labelling with carry bits
  • T-functions: narrowness gives an upper bound on
    the possible labels

13
T-functions Narrowness
  • general T-function
  • w-narrow T-function

14
Algorithms for Solution Graphs
  • Solution graphs are closely related to binary
    decision diagrams (BDDs)
  • Further efficient algorithms can be derived from
    the theory of BDDs
  • computing the number of solutions
  • choosing random solutions
  • combining solution graphs (e.g. intersecting two
    sets of solutions)

15
Computing the Number of Solutions
  • Counting the number of ways to reach the sink
    from each of the vertices
  • Complexity linear in the size of the graph
  • allows choosing solutions uniformly at random

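[Figure: solution graph with each vertex annotated by its number of paths to the sink: 1, 1, 1+1=2, 1, 1+2=3, 2, 2+3=5, 4, 4+5=9 solutions]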
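The following Python sketch is an added example, not code from the slides. It builds a solution graph from right to left with vertices labeled by carry bits, counts paths to the sink, and samples a solution uniformly. The equation ((x + a) XOR (x + b)) = c mod 2^n and all function names are assumptions, since the slides' own example equation is not preserved in this transcript.

```python
import random

def build_graph(a, b, c, n):
    """Layered solution graph for ((x + a) ^ (x + b)) == c (mod 2**n).
    layers[k] maps a vertex (carry pair entering bit k) to its outgoing
    edges [(x_k, next carry pair)]. Equal carry pairs are one vertex, so
    redundant subtrees of the solution tree are merged on the fly."""
    layers, frontier = [], {(0, 0)}            # root: no carries into bit 0
    for k in range(n):
        ak, bk, ck = (a >> k) & 1, (b >> k) & 1, (c >> k) & 1
        layer = {}
        for c1, c2 in frontier:
            edges = []
            for xk in (0, 1):
                s1, s2 = xk + ak + c1, xk + bk + c2
                if ((s1 ^ s2) & 1) == ck:      # bit k of the equation holds
                    edges.append((xk, (s1 >> 1, s2 >> 1)))
            layer[(c1, c2)] = edges            # no edges: a dead end
        layers.append(layer)
        frontier = {w for edges in layer.values() for _, w in edges}
    return layers

def path_counts(layers):
    """counts[k][v] = number of paths from vertex v in layer k to the sink."""
    counts, nxt = [None] * len(layers), None   # nxt None: next layer is the sink
    for k in range(len(layers) - 1, -1, -1):
        counts[k] = {v: sum(1 if nxt is None else nxt[w] for _, w in edges)
                     for v, edges in layers[k].items()}
        nxt = counts[k]
    return counts

def count_solutions(layers):
    return path_counts(layers)[0][(0, 0)]

def random_solution(layers, rng=random):
    """Walk root -> sink, picking each edge with probability proportional
    to the number of paths below it: uniform over all solutions."""
    counts, v, x = path_counts(layers), (0, 0), 0
    for k, layer in enumerate(layers):
        edges = layer[v]
        last = k + 1 == len(layers)
        weights = [1 if last else counts[k + 1][w] for _, w in edges]
        xk, v = rng.choices(edges, weights=weights)[0]
        x |= xk << k
    return x
```

Each layer holds at most four vertices (the possible carry pairs), so the graph stays linear in n even when the equation has 2^n solutions; `random_solution` raises `ValueError` if the equation has no solution.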
16
Intersection
  • Complexity roughly quadratic in the sizes

17
Generalized Solution Graphs
  • Use variables which are not represented
    explicitly in the graph (allows representing
    ∃Y ...-like statements)

18
Generalized Solution Graphs
  • Use variables which are not represented
    explicitly in the graph (allows representing
    ∃Y ...-like statements)
  • Allow similar, but more sophisticated algorithms
  • right bit shifts and bit rotations can be
    integrated

19
Conclusion
  • presented a new data structure, a solution graph
  • closely related to BDDs
  • allows efficient computation and representation
    of special systems of equations with incompatible
    operations
  • especially for T-functions with small narrowness

20
Thank you! Questions?