extending sat solvers to cryptographic problems · m. soos, k. nohl, c. castelluccia extending sat...
Post on 17-Feb-2021
1 Views
Preview:
TRANSCRIPT
-
Extending SAT Solvers to Cryptographic Problems
Mate Soos, Karsten Nohl, Claude Castelluccia
INRIA Rhône-Alpes, University of Virginia
July 1, 2009
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 1 / 22
-
Table of Contents
1 BackgroundDPLL-based SAT solversStream ciphers
2 Adapting the SAT solverXOR-supportGaussian eliminationDynamic behaviour analysis
3 Adapting the cipher representationLogical circuit representationRepresentation of non-linear functions
4 Implemented attacksCrypto-1 and HiTag2Bivium
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 2 / 22
-
Outline
1 BackgroundDPLL-based SAT solversStream ciphers
2 Adapting the SAT solverXOR-supportGaussian eliminationDynamic behaviour analysis
3 Adapting the cipher representationLogical circuit representationRepresentation of non-linear functions
4 Implemented attacksCrypto-1 and HiTag2Bivium
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 3 / 22
-
DPLL-based SAT solvers
A tool to solve a problem given in clauses (’and’ of ’or’-s)
Performs unit propagation
Picks a variable to branch on, works on the two sub-problems
Optimisations:
learningnon-chronological backjumpingrestartingvariable choiceimplementation details
We used MiniSat2
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 4 / 22
-
Stream ciphers
Uses a set of shift registers
Shift registers’ feedback function is either linear or non-linear
Uses a filter function to generate 1 secret bit from the state
Working: clock-filter-clock-filter. . . = feedback-filter-feedback-filter. . .
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 5 / 22
-
Outline
1 BackgroundDPLL-based SAT solversStream ciphers
2 Adapting the SAT solverXOR-supportGaussian eliminationDynamic behaviour analysis
3 Adapting the cipher representationLogical circuit representationRepresentation of non-linear functions
4 Implemented attacksCrypto-1 and HiTag2Bivium
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 6 / 22
-
Problem with XOR-s
The trutha⊕ b⊕ c
must be put into the solver as
a ∨ b ∨ c (1) a ∨ b ∨ c (2)a ∨ b ∨ c (3) a ∨ b ∨ c (4)
So, it takes 2n−1 clauses to model an n-long XOR
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 7 / 22
-
Problem with XOR-s
To model the truth
x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ x8
the following truths are put into the SAT solver (cutting)
y1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4y2 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ x8 y1 ⊕ y2
Problems: still too long, extra vars
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 8 / 22
-
Solution to XOR-s
Xor-clauses [Massacci00Taming]:
a⊕ b⊕ c
represents all the regular clauses
a ∨ b ∨ c (1) a ∨ b ∨ c (2)a ∨ b ∨ c (3) a ∨ b ∨ c (4)
and changes appearance to match the regular clause that is the mostpertinent to the situation. Gives this changed appearance to theanalyze() method
Uses a watched variable scheme instead of a watched literal scheme
Gain:
2.2x in speed
order of magnitude in memory
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 9 / 22
-
Gaussian elimination
Gaussian elimination is an efficient algorithm for solving systems oflinear equations
XOR-clause is a linear equation → use Gauss elim. to solve thesystem of XORs-clauses
xor-clauseswith v8 assigned to true
v10 v8 v9 v12 const1 − 1 1 10 − 1 1 10 − 0 1 00 − 0 0 0
actual xor-clauses
v10 v8 v9 v12 const1 1 1 1 00 0 1 1 10 1 0 1 10 1 0 0 1
make temp. XOR-clause out of the interesting clauses found
given prop. row 3, save temp. XOR-clause for a short while
given a conflict, give it to analyze() and delete it
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 10 / 22
-
Gaussian elimination results
300600900
12001500
0 3 6 9 12 15 18
Tim
e(s)
Gaussian elimination until depth
04e+088e+08
1.2e+091.6e+09
0 3 6 9 12 15 18
No.
ofpr
opag
atio
ns
(∼se
arch
spac
e)
Gaussian elimination until depth
Search space reduced by up to 87%However, takes more time to run the algo than the benefits it bringsPossible to improve the implementation
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 11 / 22
-
Visual representation
It’s hard to follow how a solver operates. So we implemented dynamicbehaviour analysis
Figure: Graphviz visualisation of an example search for the Crypto-1 cipher’sstates. The tree is read from left to right, top to bottom: the left- andbottommost pentagon is the first conflict clause, the right- and bottommost circleis the satisfying assignment.
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 12 / 22
-
Detailed statistics
Statistics generated:
No. times variable branched upon
Number of conflicts made by clause groups
Propagation depth order of clause groups
Avg. conflict depth order of clause groups
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 13 / 22
-
Outline
1 BackgroundDPLL-based SAT solversStream ciphers
2 Adapting the SAT solverXOR-supportGaussian eliminationDynamic behaviour analysis
3 Adapting the cipher representationLogical circuit representationRepresentation of non-linear functions
4 Implemented attacksCrypto-1 and HiTag2Bivium
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 14 / 22
-
Logical circuit representation
Best to look at the cipher as a logical circuit inside the solver. The logicalcircuit has variables (boxes), functions (hexagons) and the knownkeystream.
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 15 / 22
-
Measures of the logical circuit representation
Measures of this logical circuit representation:
Depth of each keystream bit is the number of functions traversedfrom the reference state
Reference state dependency numbers: no. bits each keystream bitdepends on. A large part of these must be guessed before evaluationcan take place
Function difficulty. When traversed, these must be calculated
Goal: minimise all of these
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 16 / 22
-
Generate logical circuit from CNF
We wrote an extension to MiniSat to visualise the logical circuit. ExampleHiTag2 logical circuit:
feed
back
func
. 48
stat
e 48
fa [3
6,45
,46,
48]
stat
e 47
feed
back
func
. 50
feed
back
func
. 51
feed
back
func
. 52
fa [3
5,44
,45,
47]
fa [3
7,46
,47,
49]
stat
e 46
feed
back
func
. 49
fa [3
4,43
,44,
46]
stat
e 43
fa [3
3,42
,43,
45]
stat
e 42
stat
e 41
stat
e 30
fb [2
7,28
,30,
32]
fb [2
9,30
,32,
34]
fb [3
0,31
,33,
35]
stat
e 26
fb [1
7,21
,23,
26]
fb [2
0,24
,26,
29]
stat
e 23
fb [1
9,23
,25,
28]
stat
e 22
fb [1
6,20
,22,
25]
fb [1
8,22
,24,
27]
stat
e 16
fb [9
,13,
15,1
6]
fb [1
0,14
,16,
17]
stat
e 8
fb [8
,12,
14,1
5]
fa [4
,5,7
,8]
fa [5
,6,8
,9]
stat
e 7
fb [7
,11,
13,1
4]
fa [3
,4,6
,7]
stat
e 6
fa [2
,3,5
,6]
stat
e 3
stat
e 2
fa [1
,2,4
,5]
stat
e 0
stat
e 49
stat
e 44
stat
e 31
fb [2
8,29
,31,
33]
fb [3
1,32
,34,
36]
stat
e 27
stat
e 24
stat
e 17
fb [1
1,15
,17,
18]
stat
e 9
stat
e 4
stat
e 1
stat
e 50
stat
e 45
stat
e 32
stat
e 28
stat
e 25
stat
e 18
stat
e 10
stat
e 5
stat
e 51
stat
e 33
stat
e 29
stat
e 19
stat
e 11
stat
e 52
stat
e 34
stat
e 20
stat
e 12
stat
e 13
stat
e 14
stat
e 15
stat
e 21
stat
e 35
stat
e 36
stat
e 37
fa [1
,2,4
,5]
inte
rnal
var
fcou
tput
0
fb [7
,11,
13,1
4]
inte
rnal
var
fb [1
6,20
,22,
25]
inte
rnal
var
fb [2
7,28
,30,
32]
inte
rnal
var
fa [3
3,42
,43,
45]
inte
rnal
var
fa [2
,3,5
,6]
inte
rnal
var
fcou
tput
1
fb [8
,12,
14,1
5]
inte
rnal
var
fb [1
7,21
,23,
26]
inte
rnal
var
fb [2
8,29
,31,
33]
inte
rnal
var
fa [3
4,43
,44,
46]
inte
rnal
var
fa [3
,4,6
,7]
inte
rnal
var
fcou
tput
2
fb [9
,13,
15,1
6]
inte
rnal
var
fb [1
8,22
,24,
27]
inte
rnal
var
fb [2
9,30
,32,
34]
inte
rnal
var
fa [3
5,44
,45,
47]
inte
rnal
var
fa [4
,5,7
,8]
inte
rnal
var
fcou
tput
3
fb [1
0,14
,16,
17]
inte
rnal
var
fb [1
9,23
,25,
28]
inte
rnal
var
fb [3
0,31
,33,
35]
inte
rnal
var
fa [3
6,45
,46,
48]
inte
rnal
var
fa [5
,6,8
,9]
inte
rnal
var
fcou
tput
4
fb [1
1,15
,17,
18]
inte
rnal
var
fb [2
0,24
,26,
29]
inte
rnal
var
fb [3
1,32
,34,
36]
inte
rnal
var
fa [3
7,46
,47,
49]
inte
rnal
var
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 17 / 22
-
Optimising representation of non-linear functions
Simple GF(2) polynomial
x1 + x1x2 + x2x3 + x1x3
It is usually represented with each non-single monomial expressed as a setof clauses, setting additional variables i1 . . . i3. The polynomial thenbecomes
x1 + i1 + i2 + i3
With this representation, no. of clauses is 3× 3 regular + 1 xor-clause,avg. clause length 4.14. Three extra variables also needed
However, representation using a Karnaugh table is
x̄1 ∨ x̄3 x̄2 ∨ x3 x̄1 ∨ x̄2
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 18 / 22
-
Outline
1 BackgroundDPLL-based SAT solversStream ciphers
2 Adapting the SAT solverXOR-supportGaussian eliminationDynamic behaviour analysis
3 Adapting the cipher representationLogical circuit representationRepresentation of non-linear functions
4 Implemented attacksCrypto-1 and HiTag2Bivium
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 19 / 22
-
Crypto-1&HiTag2
Crypto-1
Best attack with SAT-solvers[Courtois08Algebraic]: 200 seconds, butthis uses mathematical means to bring down the complexity (simple,as Crypto-1 uses only an LFSR)
We break it in 40 seconds.
HiTag2
Without our optimisation: 221 s to breakTakes 214.5 s to break with our technique
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 20 / 22
-
Bivium
Bivium is a simplified version of Trivium. Best attack against it takes 243 s.
100
1000
10000
100000
1e+06
42 44 46 48 50 52 54 56
Tim
e(s
)
No. of randomly guessed bits
We break it in 236.5 s.
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 21 / 22
-
Thank you for your time
Thank you for your time!
M. Soos, K. Nohl, C. Castelluccia () Extending SAT Solvers to Crypto July 1, 2009 22 / 22
BackgroundDPLL-based SAT solversStream ciphers
Adapting the SAT solverXOR-supportGaussian eliminationDynamic behaviour analysis
Adapting the cipher representationLogical circuit representationRepresentation of non-linear functions
Implemented attacksCrypto-1 and HiTag2Bivium
top related