# Parity (XOR) Reasoning for the Index Calculus Attack

ResearchGate has not been able to resolve any citations for this publication.

The Advanced Encryption Standard (AES) is one of the most studied symmetric encryption schemes. During the last years, several attacks have been discovered in different adversarial models. In this paper, we focus on related-key differential attacks, where the adversary may introduce differences in plaintext pairs and also in keys. We show that Constraint Programming (CP) can be used to model these attacks, and that it allows us to efficiently find all optimal related-key differential characteristics for AES-128, AES-192 and AES-256. In particular, we improve the best related-key differential for the whole AES-256 and give the best related-key differential on 10 rounds of AES-192, which is the differential trail with the longest path. Those results allow us to improve existing related-key distinguishers, basic related-key attacks and q-multicollisions on AES-256.

Non-Chronological Backtracking (NCB) has been implemented in every modern CDCL SAT solver since the original CDCL solver GRASP. NCB’s importance has never been questioned. This paper argues that NCB is not always helpful. We show how one can implement the alternative to NCB–Chronological Backtracking (CB)–in a modern SAT solver. We demonstrate that CB improves the performance of the winner of the latest SAT Competition, Maple_LCM_Dist, and the winner of the latest MaxSAT Evaluation Open-WBO.

In the last two decades, many computational problems arising in cryptography have been successfully reduced to various systems of polynomial equations. In this paper, we revisit a class of polynomial systems introduced by Faugère, Perret, Petit and Renault. Based on new experimental results and heuristic evidence, we conjecture that their degrees of regularity are only slightly larger than the original degrees of the equations, resulting in a very low complexity compared to generic systems. We then revisit the application of these systems to the elliptic curve discrete logarithm problem (ECDLP) for binary curves. Our heuristic analysis suggests that an index calculus variant due to Diem requires a subexponential number of bit operations $(O2^{c\,n^{2/3}\log n})$ over the binary field ${\mathbb F}{2^n}$, where c is a constant smaller than 2. According to our estimations, generic discrete logarithm methods are outperformed for any n>N where N≈2000, but elliptic curves of currently recommended key sizes (n≈160) are not immediately threatened. The analysis can be easily generalized to other extension fields.

We analyze how fast we can solve general systems of multivariate equations of various low degrees over \({\mathbb{F}_{2}}\); this is a well known hard problem which is important both in itself and as part of many types of algebraic cryptanalysis. Compared to the standard exhaustive search technique, our improved approach is more efficient both asymptotically and practically. We implemented several optimized versions of our techniques on CPUs and GPUs. Our technique runs more than 10 times faster on modern graphic cards than on the most powerful CPU available. Today, we can solve 48+ quadratic equations in 48 binary variables on a 500-dollar NVIDIA GTX 295 graphics card in 21 minutes. With this level of performance, solving systems of equations supposed to ensure a security level of 64 bits turns out to be feasible in practice with a modest budget. This is a clear demonstration of the computational power of GPUs in solving many types of combinatorial and cryptanalytic problems.

In this paper, we present an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and Gröbner bases techniques. We give theoretical evidences that our method brings a significant improvement in a very large context and we clearly define its limitations. The efficiency depends on the choice of the tradeoff. Our analysis gives an explicit way to choose the best tradeoff as well as an approximation. From our analysis, we present a new general algorithm to solve multivariate polynomial systems. Our theoretical results are experimentally supported by successful cryptanalysis of several multivariate schemes (TRMS, UOV, . . .). As a proof of concept, we were able to break the proposed parameters assumed to be secure until now. Parameters that resists to our method are also explicitly given. Our work permits to refine the parameters to be choosen for multivariate schemes.

The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a purely algebraic problem consisting in finding solutions to a multivariate polynomial f(x
1,…,x
m
) = 0 such that x
1,…,x
m
all belong to some vector subspace of \(\mathbb{F}_{2^n}/\mathbb{F}_2\). Our main contribution is the identification of particular structures inherent to such polynomial systems and a dedicated method for tackling this problem. We solve it by means of Gröbner basis techniques and analyze its complexity using the multi-homogeneous structure of the equations. A direct consequence of our results is an index calculus algorithm solving ECDLP over any binary field \(\mathbb{F}_{2^n}\) in time O(2ω
t
) , with t ≈ n/2 (provided that a certain heuristic assumption holds). This has to be compared with Diem’s [14] index calculus based approach for solving ECDLP over \(\mathbb{F}_{q^n}\) which has complexity \(\mathrm{exp}\big({O(n\log(n)^{{1}/{2}})}\big)\) for q = 2 and n a prime (but this holds without any heuristic assumption). We emphasize that the complexity obtained here is very conservative in comparison to experimental results. We hope the new ideas provided here may lead to efficient index calculus based methods for solving ECDLP in theory and practice.

Cryptography ensures the confidentiality and authenticity of information but often relies on unproven assumptions. SAT solvers are a powerful tool to test the hardness of certain problems and have successfully been used to test hardness assumptions. This paper extends a SAT solver to efficiently work on cryptographic problems. The paper further illustrates how SAT solvers process cryptographic functions using automatically generated visualizations, introduces techniques for simplifying the solving process by modifying cipher representations, and demonstrates the feasibility of the approach by solving three stream ciphers.
To optimize a SAT solver for cryptographic problems, we extended the solver’s input language to support the XOR operation that is common in cryptography. To better understand the inner workings of the adapted solver and to identify bottlenecks, we visualize its execution. Finally, to improve the solving time significantly, we remove these bottlenecks by altering the function representation and by pre-parsing the resulting system of equations.
The main contribution of this paper is a new approach to solving cryptographic problems by adapting both the problem description and the solver synchronously instead of tweaking just one of them. Using these techniques, we were able to solve a well-researched stream cipher 26 times faster than was previously possible.

The aim of the paper is the construction of the index calculus algorithm for the discrete logarithm problem on elliptic curves. The construction presented here is based on the problem of finding bounded solutions to some explicit modular multivariate polynomial equations. These equations arise from the elliptic curve summation polynomials introduced here and may be computed easily. Roughly speaking, we show that given the algorithm for solving such equations, which works in polynomial or low exponential time in the size of the input, one finds discrete logarithms faster than by means of Pollard's methods.

Cryptanalysis aims at testing the properties of encryption processes, and this usually implies solving hard optimization problems. In this paper, we focus on related-key differential attacks for the Advanced Encryption Standard (AES), which is the encryption standard for block ciphers. To mount these attacks, cryptanalysts need to solve the optimal related-key differential characteristic problem. Dedicated approaches do not scale well for this problem, and need weeks to solve its hardest instances.
In this paper, we improve existing Constraint Programming (CP) approaches for computing optimal related-key differential characteristics: we add new constraints that detect inconsistencies sooner, and we introduce a new decomposition of the problem in two steps. These improvements allow us to compute all optimal related-key differential characteristics for AES-128, AES-192 and AES-256 in a few hours.

AES is a mainstream block cipher used in many protocols and whose resilience against attack is essential for cybersecurity. In [14], Oren and Wool discuss a Tolerant Algebraic Side-Channel Analysis (TASCA) and show how to use optimization technology to exploit side-channel information and mount a computational attack against AES. This paper revisits the results and posits that Constraint Programming is a strong contender and a potent optimization solution. It extends bit-vector solving as introduced in [8], develops a CP and an IP model and compares them with the original Pseudo-Boolean formulation. The empirical results establish that CP can deliver solutions with orders of magnitude improvement in both run time and memory usage, traits that are essential to potential adoption by cryptographers.

We describe Constraint Programming (CP) models to solve a cryptanalytic problem: the chosen key differential attack against the standard block cipher AES. We show that CP solvers are able to solve these problems quicker than dedicated cryptanalysis tools, and we prove that a solution claimed to be optimal in two recent cryptanalysis papers is not optimal by providing a better solution.

The paper is about the discrete logarithm problem for elliptic curves over characteristic 2 finite fields \({\mathbb {F}}_{2^n}\) of prime degree \(n\). We consider practical issues about index calculus attacks using summation polynomials in this setting. The contributions of the paper include: a new choice of variables for binary Edwards curves (invariant under the action of a relatively large group) to lower the degree of the summation polynomials; a choice of factor base that “breaks symmetry” and increases the probability of finding a relation; an experimental investigation of the use of SAT solvers rather than Gröbner basis methods for solving multivariate polynomial equations over \({\mathbb {F}}_2\).
We show that our new choice of variables gives a significant improvement to previous work in this case. The symmetry-breaking factor base and use of SAT solvers seem to give some benefits in practice, but our experimental results are not conclusive. Our work indicates that Pollard rho is still much faster than index calculus algorithms for the ECDLP over prime extension fields \({\mathbb {F}}_{2^n}\) of reasonable size.

This paper introduces a new efficient algorithm for computing Gröbner bases. We replace the Buchberger criteria by an optimal criteria. We give a proof that the resulting algorithm (called F5) generates no useless critical pairs if the input is a regular sequence. This a new result by itself but a first implementation of the algorithm F5 shows that it is also very efficient in practice: for instance previously untractable problems can be solved (cyclic 10). In practice for most examples there is no reduction to zero. We illustrate this algorithm by one detailed example.

We study the elliptic curve discrete logarithm problem over finite extension fields. We show that for any sequences of prime powers (q i)i∈ℕ and natural numbers (ni) i∈ℕ with ni → ∞ and ni/log (qi) → 0 for i → ∞, the elliptic curve discrete logarithm problem restricted to curves over the fields Fqini can be solved in subexponential expected time (qini)o(1). We also show that there exists a sequence of prime powers (qi)i∞ℕ such that the problem restricted to curves over Fqi can be solved in an expected time of eO(log (qi)2/3).

We propose an index calculus algorithm for the discrete logarithm problem on general abelian varieties of small dimension. The main difference with the previous approaches is that we do not make use of any embedding into the Jacobian of a well-suited curve. We apply this algorithm to the Weil restriction of elliptic curves and hyperelliptic curves over small degree extension fields. In particular, our attack can solve an elliptic curve discrete logarithm problem defined over Fq3 in heuristic asymptotic running time ; and an elliptic problem over Fq4 or a genus 2 problem over Fq2 in heuristic asymptotic running time .

In this paper, we propose a new stream cipher construction based on block cipher design principles. The main idea is to replace
the building blocks used in block ciphers by equivalent stream cipher components. In order to illustrate this approach, we
construct a very simple synchronous stream cipher which provides a lot of flexibility for hardware implementations, and seems
to have a number of desirable cryptographic properties.

Beside impressive progresses made by SAT solvers over the last ten years, only few works tried to un- derstand why Conflict Directed Clause Learning algorithms (CDCL) are so strong and efficient on most industrial applications. We report in this work a key observation of CDCL solvers behavior on this family of benchmarks and explain it by an unsus- pected side effect of their particular Clause Learn- ing scheme. This new paradigm allows us to solve an important, still open, question: How to design- ing a fast, static, accurate, and predictive measure of new learnt clauses pertinence. Our paper is fol- lowed by empirical evidences that show how our new learning scheme improves state-of-the art re- sults by an order of magnitude on both SAT and UNSAT industrial problems.

In the rst of two papers on Magma, a new system for computational algebra, we present the Magma language, outline the design principles and theoretical background, and indicate its scope and use. Particular attention is given to the constructors for structures, maps, and sets. c 1997 Academic Press Limited Magma is a new software system for computational algebra, the design of which is based on the twin concepts of algebraic structure and morphism. The design is intended to provide a mathematically rigorous environment for computing with algebraic struc- tures (groups, rings, elds, modules and algebras), geometric structures (varieties, special curves) and combinatorial structures (graphs, designs and codes). The philosophy underlying the design of Magma is based on concepts from Universal Algebra and Category Theory. Key ideas from these two areas provide the basis for a gen- eral scheme for the specication and representation of mathematical structures. The user language includes three important groups of constructors that realize the philosophy in syntactic terms: structure constructors, map constructors and set constructors. The util- ity of Magma as a mathematical tool derives from the combination of its language with an extensive kernel of highly ecient C implementations of the fundamental algorithms for most branches of computational algebra. In this paper we outline the philosophy of the Magma design and show how it may be used to develop an algebraic programming paradigm for language design. In a second paper we will show how our design philoso- phy allows us to realize natural computational \environments" for dierent branches of algebra. An early discussion of the design of Magma may be found in Butler and Cannon (1989, 1990). A terse overview of the language together with a discussion of some of the implementation issues may be found in Bosma et al. (1994).

The programming of a proof procedure is discussed in connection with trial runs and possible improvements.

CaDiCaL Simplified Satisfiability Solver

- A Biere

Biere, A.: CaDiCaL Simplified Satisfiability Solver. http://fmv.jku.at/cadical/, accessed: 2020-05-27

Cryptographic key length recommendation

- Bluekrypt

BlueKrypt: Cryptographic key length recommendation. https://www.keylength.
com (2018), accessed: 2020-05-27

Grain of Salt -an Automated Way to Test Stream Ciphers through SAT Solvers

- M Soos

Soos, M.: Grain of Salt -an Automated Way to Test Stream Ciphers through
SAT Solvers. In: Tools'10: the Workshop on Tools for Cryptanalysis 2010. pp.
131-144. London, United Kingdom (Jun 2010), https://hal.archives-ouvertes.fr/
hal-01288922

EC Index Calculus Benchmarks

- M Trimoska
- S Ionica
- G Dequen

Trimoska, M., Ionica, S., Dequen, G.: EC Index Calculus Benchmarks. https://
github.com/mtrimoska/EC-Index-Calculus-Benchmarks (2020)