Preprints and early-stage research may not have been peer reviewed yet.
To read the file of this research, you can request a copy directly from the authors.


Models for cryptographic problems are often expressed as boolean polynomial systems, whose equivalent logical formulas can be treated using SAT solvers. Given the algebraic nature of the problem, the use of the logical XOR operator is common in SAT-based cryptanalysis. Recent works have focused on advanced techniques for handling parity (XOR) constraints, such as the Gaussian Elimination technique. First, we propose an original XOR-reasoning SAT solver, named WDSat, dedicated to a specific cryptographic problem. Secondly, we show that in some cases Gaussian Elimination on SAT instances does not work as well as Gaussian Elimination on algebraic systems. We demonstrate how this oversight is fixed in our solver, which is adapted to read instances in algebraic normal form (ANF). Finally, we propose a novel preprocessing technique based on the Minimal Vertex Cover Problem in graph theory. Our benchmarks use a model obtained from cryptographic instances for which a significant speedup is achieved using the findings in this paper. We further explain how our preprocessing technique can be used as an assessment of the security of a cryptographic system.

No file available

Request Full-text Paper PDF

To read the file of this research,
you can request a copy directly from the authors.

ResearchGate has not been able to resolve any citations for this publication.
Full-text available
The Advanced Encryption Standard (AES) is one of the most studied symmetric encryption schemes. During the last years, several attacks have been discovered in different adversarial models. In this paper, we focus on related-key differential attacks, where the adversary may introduce differences in plaintext pairs and also in keys. We show that Constraint Programming (CP) can be used to model these attacks, and that it allows us to efficiently find all optimal related-key differential characteristics for AES-128, AES-192 and AES-256. In particular, we improve the best related-key differential for the whole AES-256 and give the best related-key differential on 10 rounds of AES-192, which is the differential trail with the longest path. Those results allow us to improve existing related-key distinguishers, basic related-key attacks and q-multicollisions on AES-256.
Full-text available
In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV, . . .). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resists to our method are also explicitly given. Our work permits to refine the parameters to be choosen for multivariate schemes.
Full-text available
The aim of the paper is the construction of the index calculus algorithm for the discrete logarithm problem on elliptic curves. The construction presented here is based on the problem of finding bounded solutions to some explicit modular multivariate polynomial equations. These equations arise from the elliptic curve summation polynomials introduced here and may be computed easily. Roughly speaking, we show that given the algorithm for solving such equations, which works in polynomial or low exponential time in the size of the input, one finds discrete logarithms faster than by means of Pollard's methods.
Modern conflict-driven clause learning (CDCL) SAT solvers are very good in solving conjunctive normal form (CNF) formulas. However, some application problems involve lots of parity (xor) constraints which are not necessarily efficiently handled if translated into CNF. This paper studies solving CNF formulas augmented with xor-clauses in the DPLL(XOR) framework where a CDCL SAT solver is coupled with a separate xor-reasoning module. New techniques for analyzing xor-reasoning derivations are developed, allowing one to obtain smaller CNF clausal explanations for xor-implied literals and also to derive and learn new xor-clauses. It is proven that these new techniques allow very short unsatisfiability proofs for some formulas whose CNF translations do not have polynomial size resolution proofs, even when a very simple xor-reasoning module capable only of unit propagation is applied. The efficiency of the proposed techniques is evaluated on a set of challenging logical cryptanalysis instances.
Conference Paper
Recent research on Boolean satisfiability (SAT) reveals modern solvers' inability to handle formulae in the abundance of parity (xor) constraints. Although xor-handling in SAT solving has attracted much attention, challenges remain to completely deduce xor-inferred implications and conflicts, to effectively reduce expensive overhead, and to directly generate compact interpolants. This paper integrates SAT solving tightly with Gaussian elimination in the style of Dantzig's simplex method. It yields a powerful tool overcoming these challenges. Experiments show promising performance improvements and efficient derivation of compact interpolants, which are otherwise unobtainable.
This paper introduces a new efficient algorithm for computin g Grobner bases. To avoid as much as possible intermediate computation, the algorithm computes successive truncated Grobner bases and it replaces the classical polynomial reduction found in the Buchberger algorithm by the simultaneous reduction of several polynomials. This powerful reduction mechanism is achieved by means of a symbolic precomputation and by extensive use of sparse linear algebra methods. Current techniques in linear algebra used in Computer Al- gebra are reviewed together with other methods coming from the numerical field. Some previously untractable problems (Cyclic 9) are presented as well as an empirical comparison of a first implementation of this algorithm with other well kn own programs. This compari- son pays careful attention to methodology issues. All the benchmarks and CPU times used in this paper are frequently updated and available on a Web page. Even though the new algorithm does not improve the worst case complexity it is several times faster than previous implementations both for integers and modulo computations.
We study the elliptic curve discrete logarithm problem over finite extension fields. We show that for any sequences of prime powers (q i)i∈ℕ and natural numbers (ni) i∈ℕ with ni → ∞ and ni/log (qi) → 0 for i → ∞, the elliptic curve discrete logarithm problem restricted to curves over the fields Fqini can be solved in subexponential expected time (qini)o(1). We also show that there exists a sequence of prime powers (qi)i∞ℕ such that the problem restricted to curves over Fqi can be solved in an expected time of eO(log (qi)2/3).
We propose an index calculus algorithm for the discrete logarithm problem on general abelian varieties of small dimension. The main difference with the previous approaches is that we do not make use of any embedding into the Jacobian of a well-suited curve. We apply this algorithm to the Weil restriction of elliptic curves and hyperelliptic curves over small degree extension fields. In particular, our attack can solve an elliptic curve discrete logarithm problem defined over Fq3 in heuristic asymptotic running time ; and an elliptic problem over Fq4 or a genus 2 problem over Fq2 in heuristic asymptotic running time .
Conference Paper
In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems to have a number of desirable cryptographic properties.
Conference Paper
Beside impressive progresses made by SAT solvers over the last ten years, only few works tried to un- derstand why Conflict Directed Clause Learning algorithms (CDCL) are so strong and efficient on most industrial applications. We report in this work a key observation of CDCL solvers behavior on this family of benchmarks and explain it by an unsus- pected side effect of their particular Clause Learn- ing scheme. This new paradigm allows us to solve an important, still open, question: How to design- ing a fast, static, accurate, and predictive measure of new learnt clauses pertinence. Our paper is fol- lowed by empirical evidences that show how our new learning scheme improves state-of-the art re- sults by an order of magnitude on both SAT and UNSAT industrial problems.
In the rst of two papers on Magma, a new system for computational algebra, we present the Magma language, outline the design principles and theoretical background, and indicate its scope and use. Particular attention is given to the constructors for structures, maps, and sets. c 1997 Academic Press Limited Magma is a new software system for computational algebra, the design of which is based on the twin concepts of algebraic structure and morphism. The design is intended to provide a mathematically rigorous environment for computing with algebraic struc- tures (groups, rings, elds, modules and algebras), geometric structures (varieties, special curves) and combinatorial structures (graphs, designs and codes). The philosophy underlying the design of Magma is based on concepts from Universal Algebra and Category Theory. Key ideas from these two areas provide the basis for a gen- eral scheme for the specication and representation of mathematical structures. The user language includes three important groups of constructors that realize the philosophy in syntactic terms: structure constructors, map constructors and set constructors. The util- ity of Magma as a mathematical tool derives from the combination of its language with an extensive kernel of highly ecient C implementations of the fundamental algorithms for most branches of computational algebra. In this paper we outline the philosophy of the Magma design and show how it may be used to develop an algebraic programming paradigm for language design. In a second paper we will show how our design philoso- phy allows us to realize natural computational \environments" for dierent branches of algebra. An early discussion of the design of Magma may be found in Butler and Cannon (1989, 1990). A terse overview of the language together with a discussion of some of the implementation issues may be found in Bosma et al. (1994).
The programming of a proof procedure is discussed in connection with trial runs and possible improvements.
Cryptographic key length recommendation
  • Bluekrypt
BlueKrypt. Cryptographic key length recommendation., 2018. Accessed: 2019-11-15.
An extensible satsolver
  • Niklas Eén
  • Niklas Sörensson
Niklas Eén and Niklas Sörensson. An extensible satsolver. In Enrico Giunchiglia and Armando Tacchella, editors, Theory and Applications of Satisfiability Testing, pages 502-518, Berlin, Heidelberg, 2004. Springer Berlin Heidelberg.
Improving the Complexity of Index Calculus Algorithms in Elliptic Curves over Binary Fields
  • Jean-Charles Faugère
  • Ludovic Perret
  • Christophe Petit
  • Guénaël Renault
Jean-Charles Faugère, Ludovic Perret, Christophe Petit, and Guénaël Renault. Improving the Complexity of Index Calculus Algorithms in Elliptic Curves over Binary Fields. In Advances in Cryptology -EUROCRYPT 2012 -31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, pages 27-44, 2012.
Summation polynomial algorithms for elliptic curves in characteristic two
  • D Steven
  • Shishay W Galbraith
  • Gebregiyorgis
Steven D. Galbraith and Shishay W. Gebregiyorgis. Summation polynomial algorithms for elliptic curves in characteristic two. In Willi Meier and Debdeep Mukhopadhyay, editors, Progress in Cryptology -IN-DOCRYPT 2014 -15th International Conference on Cryptology in India, volume 8885 of Lecture Notes in Computer Science, pages 409-427. Springer, 2014.
On Polynomial Systems Arising from a Weil Descent
  • Christophe Petit
  • Jean-Jacques Quisquater
Christophe Petit and Jean-Jacques Quisquater. On Polynomial Systems Arising from a Weil Descent. In Advances in Cryptology -ASIACRYPT 2012 -18th International Conference on the Theory and Application of Cryptology and Information Security, volume 7658 of Lecture Notes in Computer Science, pages 451-466. Springer, 2012.
Extending SAT Solvers to Cryptographic Problems
  • Mate Soos
  • Karsten Nohl
  • Claude Castelluccia
Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT Solvers to Cryptographic Problems. In SAT, volume 5584 of Lecture Notes in Computer Science, pages 244-257. Springer, 2009.