SAT as a Programming Environment for Linear Algebra and Cryptanalysis

Authors

  • Marian Srebrny
  • Mateusz Srebrny
  • Lidia Stepien
Abstract

In this paper we present an application of the propositional SATisfiability environment to computing some simple orthogonal matrices and to some interesting tasks in the area of cryptanalysis. We show how one can encode a search for a desired kind of object as a propositional formula in such a way that its satisfying valuations encode such objects. Some encouraging (and some not very encouraging) experimental results are reported for the proposed propositional search procedures using the currently best SAT solvers.

In this paper we pursue a propositional programming paradigm. To solve your problem: (1) translate the problem to SAT, in such a way that a satisfying valuation represents a solution to the problem; (2) run the currently best SAT checker to solve it for you. The propositional encoding formula can be thought of as a declarative program. The hope of getting a solution relatively fast rests on the fact that SAT solving is one of the most heavily optimized algorithms in existence.

A SAT solving algorithm decides whether a given propositional (Boolean) formula has a satisfying valuation. SAT was the first known NP-complete problem, as proved by Stephen Cook in 1971. No polynomial-time algorithm for finding a satisfying valuation is known, and the problem is believed to be infeasible in general, but many SAT instances can be solved surprisingly efficiently. There are many competing algorithms for it and many implementations; most of them were developed over the last two decades as highly optimized versions of the DPLL procedure of (Davis & Putnam 1960) and (Davis, Logemann & Loveland 1962).

In the area of cryptanalysis we apply that idea to try out the power of the SAT solvers on two of the currently most exciting challenges: RSA and SHA-1. Although our experimental results have not turned out to be a success in breaking those cryptosystems, they seem interesting in their own right as reasonable testing benchmarks for the SAT solvers.
Similarly, some formulae encoding a search for orthogonal matrices in some linear spaces over the Galois field $F_2$ are presented below.

Copyright © 2007, authors listed above. All rights reserved.

In the next section we present an overview of our propositional translation of the RSA (factorization) problem and our experimental results on the performance of the best SAT solvers on the RSA propositional formula. Section 2 is devoted to another currently most challenging cryptosystem, SHA-1, our translation of it into propositional calculus and our experiments with the SAT solvers on it. In section 3 we run the MiniSat solver on a propositional formula encoding orthogonality of square matrices over the Galois field $F_2$. The last section contains some conclusions and open problems.

1 RSA (factorization) and SAT

For the story of RSA, the best known cipher, we refer the interested reader to (Menezes, van Oorschot & Vanstone 2001) and (RSA labs 2007). For the sake of the next sections, we only recall here that breaking RSA (recovering the private key) amounts to integer factorization of a given positive integer $n$ of the form $n = p \cdot q$ with unknown prime factors $p$ and $q$. The usual requirements are: $n$ large, $p$ and $q$ of similar bit length, $p$ and $q$ cryptographically strong (see (Menezes, van Oorschot & Vanstone 2001)). No polynomial-time factorization algorithm is known, and the known super-polynomial algorithms are not feasible for such $n$. In other terms, performing over 2 instructions is considered infeasible for today.

We implement RSA as a propositional formula, rsasat: given $n$, we generate a propositional formula whose satisfying valuations encode two integer factors $p$ and $q$ of $n$.

We represent an $l$-bit integer $p$ as $l$ propositional variables $P_0, \ldots, P_{l-1}$, with $P_0$ the least significant bit. E.g., $13 = (1101)_2$ is represented by the formula $P = 13$: $P_3 \wedge P_2 \wedge \neg P_1 \wedge P_0$. The formula $R = P$ represents the equality $r = p$:
$$\bigwedge_{i=0}^{l-1} \big( (R_i \wedge P_i) \vee (\neg R_i \wedge \neg P_i) \big).$$
Its conjunctive normal form (CNF) is
$$\bigwedge_{i=0}^{l-1} (R_i \vee \neg P_i) \wedge (\neg R_i \vee P_i).$$
$R = 2P$ represents $r = 2p$:
$$\neg R_0 \wedge \bigwedge_{i=1}^{l-1} \big( (R_i \wedge P_{i-1}) \vee (\neg R_i \wedge \neg P_{i-1}) \big)$$
(the top bit $P_{l-1}$ is shifted out).

We write $R = P + Q$ to represent $r = p + q$, with $C_0, C_1, \ldots, C_l$ representing the carry bits; $C_i$ is the carry into bit position $i$, so $C_0 = 0$, and $C_l = 0$ forbids overflow. For $1 \le i \le l$ we need
$$\big( C_i \wedge ((C_{i-1} \wedge P_{i-1}) \vee (C_{i-1} \wedge Q_{i-1}) \vee (P_{i-1} \wedge Q_{i-1})) \big) \vee \big( \neg C_i \wedge ((\neg C_{i-1} \wedge \neg P_{i-1}) \vee (\neg C_{i-1} \wedge \neg Q_{i-1}) \vee (\neg P_{i-1} \wedge \neg Q_{i-1})) \big).$$
Its CNF is
$$(\neg C_i \vee P_{i-1} \vee C_{i-1}) \wedge (\neg C_i \vee P_{i-1} \vee Q_{i-1}) \wedge (\neg C_i \vee Q_{i-1} \vee C_{i-1}) \wedge (C_i \vee \neg P_{i-1} \vee \neg C_{i-1}) \wedge (C_i \vee \neg P_{i-1} \vee \neg Q_{i-1}) \wedge (C_i \vee \neg Q_{i-1} \vee \neg C_{i-1}).$$
The result bit $R_i$ of $R = P + Q$, for $0 \le i \le l-1$, is given by
$$\big( R_i \wedge ((C_i \wedge \neg P_i \wedge \neg Q_i) \vee (\neg C_i \wedge P_i \wedge \neg Q_i) \vee (\neg C_i \wedge \neg P_i \wedge Q_i) \vee (C_i \wedge P_i \wedge Q_i)) \big) \vee \big( \neg R_i \wedge ((C_i \wedge P_i \wedge \neg Q_i) \vee (\neg C_i \wedge P_i \wedge Q_i) \vee (C_i \wedge \neg P_i \wedge Q_i) \vee (\neg C_i \wedge \neg P_i \wedge \neg Q_i)) \big).$$
Its CNF is
$$(R_i \vee Q_i \vee P_i \vee \neg C_i) \wedge (R_i \vee Q_i \vee \neg P_i \vee C_i) \wedge (R_i \vee \neg Q_i \vee P_i \vee C_i) \wedge (R_i \vee \neg Q_i \vee \neg P_i \vee \neg C_i) \wedge (\neg R_i \vee Q_i \vee P_i \vee C_i) \wedge (\neg R_i \vee Q_i \vee \neg P_i \vee \neg C_i) \wedge (\neg R_i \vee \neg Q_i \vee P_i \vee \neg C_i) \wedge (\neg R_i \vee \neg Q_i \vee \neg P_i \vee C_i).$$
The whole of $R = P + Q$ can now be written in conjunctive normal form as
$$\neg C_0 \wedge \neg C_l \wedge \bigwedge_{i=1}^{l} \Big( (\neg C_i \vee P_{i-1} \vee C_{i-1}) \wedge (\neg C_i \vee P_{i-1} \vee Q_{i-1}) \wedge (\neg C_i \vee Q_{i-1} \vee C_{i-1}) \wedge (C_i \vee \neg P_{i-1} \vee \neg C_{i-1}) \wedge (C_i \vee \neg P_{i-1} \vee \neg Q_{i-1}) \wedge (C_i \vee \neg Q_{i-1} \vee \neg C_{i-1}) \Big)$$
$$\wedge \bigwedge_{i=0}^{l-1} \Big( (R_i \vee Q_i \vee P_i \vee \neg C_i) \wedge (R_i \vee Q_i \vee \neg P_i \vee C_i) \wedge (R_i \vee \neg Q_i \vee P_i \vee C_i) \wedge (R_i \vee \neg Q_i \vee \neg P_i \vee \neg C_i) \wedge (\neg R_i \vee Q_i \vee P_i \vee C_i) \wedge (\neg R_i \vee Q_i \vee \neg P_i \vee \neg C_i) \wedge (\neg R_i \vee \neg Q_i \vee P_i \vee \neg C_i) \wedge (\neg R_i \vee \neg Q_i \vee \neg P_i \vee C_i) \Big).$$

Similarly, we write $N = PQ$ to represent $n = pq$ via bit operations. Since
$$pq = q_0 p + q_1 2p + q_2 2^2 p + \ldots + q_{l-1} 2^{l-1} p,$$
we eventually get
$$(S^0 = P) \wedge \bigwedge_{i=1}^{l-1} (S^i = 2 S^{i-1}) \wedge \bigwedge_{i=0}^{l-1} (M^i = Q_i S^i) \wedge (R^0 = M^0) \wedge \bigwedge_{i=1}^{l-1} (R^i = R^{i-1} + M^i) \wedge (R^{l-1} = N),$$
where $S^i$, $M^i$ and $R^i$ are $l$-bit registers: $S^i$ holds $2^i p$, $M^i = Q_i S^i$ is the bitwise AND of the single bit $Q_i$ with $S^i$, and $R^i$ is the $i$-th partial sum. For $n$ of bit length $l$, the resulting factorization formula has $4l^2 + 2l$ propositional variables and $19l^2 - 13l - 1$ clauses. One can optimize it to $l^2 + O(l)$ variables.

Our experiments with the SAT solver zChaff (zChaff 2007) were carried out on a 2 GHz, 2 GB RAM IBM PC:

  • 32-bit n: factored in 15 seconds;
  • 46-bit: 3 hours;
  • 47-bit: 3 days were not enough;
  • 48-bit: 33 hours;
  • 49-bit: 3 days were not enough;
  • 212-bit n chosen at random: 10 seconds (one of the factors was 11).

This should be compared with the currently largest RSA number factored in the ongoing RSA Factoring Challenge, the 640-bit RSA-640, factored in November 2005 in an effort of about 30 2.2 GHz Opteron CPU-years over five months of calendar time; see (RSA labs 2007). Taken together, our experimental results show that breaking RSA is unattainable by this method (without modifications). But one can use the rsasat formula to test what can be done on the computers available today, as an interesting benchmark for the performance of the computers and of the SAT solvers.




Journal:
  • Fundam. Inform.

Volume 102  Issue 

Pages  -

Publication date 2008