
A SAT-Based Approach for Index Calculus on Binary Elliptic Curves - PowerPoint PPT Presentation



  1. A SAT-Based Approach for Index Calculus on Binary Elliptic Curves
     Monika Trimoska, Sorina Ionica, Gilles Dequen
     MIS Laboratory, University of Picardie Jules Verne
     AfricaCrypt 2020
     (slide footer: Monika Trimoska, Sorina Ionica, Gilles Dequen, A SAT-Based Approach for Index Calculus, 1/19)

  2. Discrete log
     Defining discrete log: given a finite cyclic group $(G, +)$ and two elements $g, h \in G$, find $x \in \mathbb{Z}$ such that $h = x \cdot g$.
     Generic attacks: Pollard rho, Baby-step Giant-step, Kangaroo.
     Index calculus attack: subexponential in $((\mathbb{Z}/p\mathbb{Z})^{*}, \cdot)$.

  3. Index calculus on elliptic curves
     Let $\mathbb{F}_{2^n}$ be a finite field and $E$ be an elliptic curve defined by $E : y^2 + xy = x^3 + ax^2 + b$ with $a, b \in \mathbb{F}_{2^n}$.
     Discrete log: find $x$ such that $xP = Q$, where $P, Q \in E(\mathbb{F}_{2^n})$.
     Point decomposition phase of the index calculus algorithm: find $P_1, \ldots, P_{m-1} \in E(\mathbb{F}_{2^n})$ such that $P_m = P_1 + \ldots + P_{m-1}$.

  4. Point Decomposition Problem (PDP)
     Semaev's summation polynomials (2004):
     $S_2(X_1, X_2) = X_1 + X_2$,
     $S_3(X_1, X_2, X_3) = X_1^2 X_2^2 + X_1^2 X_3^2 + X_1 X_2 X_3 + X_2^2 X_3^2 + b$,
     and for $m \ge 4$
     $S_m(X_1, \ldots, X_m) = \mathrm{Res}_X\big(S_{m-k}(X_1, \ldots, X_{m-k-1}, X),\; S_{k+2}(X_{m-k}, \ldots, X_m, X)\big)$.
     For $P_1, \ldots, P_m \in E(\mathbb{F}_{2^n})$:
     $P_1 + \ldots + P_m = O \iff S_m(x_{P_1}, \ldots, x_{P_m}) = 0$.

  5. Gaudry and Diem (2008 and 2009)
     Weil descent: rewrite the equation $S_m(X_1, \ldots, X_m) = 0$ as a system of $n$ equations over $\mathbb{F}_2$.
     Example (trivial case of $m = 2$):
     $S_2(X_1, X_2) = 0$
     $X_1 + X_2 = 0$
     $(a_{1,0} + a_{1,1} t + \ldots + a_{1,n-1} t^{n-1}) + (a_{2,0} + a_{2,1} t + \ldots + a_{2,n-1} t^{n-1}) = 0$
     $(a_{1,0} + a_{2,0}) + (a_{1,1} + a_{2,1}) t + \ldots + (a_{1,n-1} + a_{2,n-1}) t^{n-1} = 0$
     which gives the system
     $\begin{cases} a_{1,0} + a_{2,0} = 0 \\ a_{1,1} + a_{2,1} = 0 \\ \;\;\vdots \\ a_{1,n-1} + a_{2,n-1} = 0 \end{cases}$

  6. Gaudry and Diem (2008 and 2009)
     Symmetrization: rewrite $S_m$ in terms of the elementary symmetric polynomials
     $e_1 = \sum_{1 \le i_1 \le m} X_{i_1}$,
     $e_2 = \sum_{1 \le i_1 < i_2 \le m} X_{i_1} X_{i_2}$,
     $\;\;\vdots$
     $e_m = \prod_{1 \le i \le m} X_i$.

  7. PDP algebraic model
     Choice of a factor base: an $l$-dimensional vector subspace $V$ of $\mathbb{F}_{2^n} / \mathbb{F}_2$. When $l \sim n/m$ the system has a reasonable chance of having a solution.
     $X_i$-variables:
     $X_1 = a_{1,0} + \ldots + a_{1,l-1} t^{l-1}$
     $X_2 = a_{2,0} + \ldots + a_{2,l-1} t^{l-1}$
     $\;\;\vdots$
     $X_m = a_{m,0} + \ldots + a_{m,l-1} t^{l-1}$
     $e_i$-variables:
     $e_1 = e_{1,0} + \ldots + e_{1,l-1} t^{l-1}$
     $e_2 = e_{2,0} + \ldots + e_{2,2l-2} t^{2l-2}$
     $\;\;\vdots$
     $e_m = e_{m,0} + \ldots + e_{m,m(l-1)} t^{m(l-1)}$

  8. PDP algebraic model
     Two sets of equations.
     Equations defining the symmetric polynomials:
     $e_{1,0} = a_{1,0} + \ldots + a_{m,0}$
     $e_{1,1} = a_{1,1} + \ldots + a_{m,1}$
     $\;\;\vdots$
     $e_{m,m(l-1)} = a_{1,l-1} \cdot \ldots \cdot a_{m,l-1}$.
     Equations derived from the Weil descent.
     The system is commonly solved using Gröbner basis methods.

  9. Algebraic model to SAT-reasoning model
     Using SAT solvers as a cryptanalytic tool requires expressing the cryptographic problem as a Boolean formula in conjunctive normal form (CNF): a conjunction ($\wedge$) of OR-clauses.
     Example: $(\neg x_1 \vee x_2) \wedge (\neg x_2 \vee x_4 \vee \neg x_5) \wedge (x_5 \vee x_6)$

  10. Algebraic model to SAT-reasoning model
     XOR-enabled SAT solvers are adapted to read a formula in CNF-XOR form: a conjunction ($\wedge$) of OR-clauses and XOR-clauses.
     Example: $(\neg x_1 \vee x_2) \wedge (\neg x_2 \vee x_4 \vee \neg x_5) \wedge (x_1 \oplus x_5 \oplus x_6)$

  11. Algebraic model to CNF-XOR model
     Variables in $\mathbb{F}_2$: $x_1, x_2, x_3, x_4, x_5, x_6$. Propositional variables: $x_1, x_2, x_3, x_4, x_5, x_6$ with truth values in $\{\mathrm{true}, \mathrm{false}\}$.
     Algebraic system over $\mathbb{F}_2$ (left) and the corresponding XOR-formula (right):
     $x_1 + x_2 \cdot x_4 + x_5 \cdot x_6 + 1 = 0$ $\quad\longrightarrow\quad$ $(x_1 \oplus (x_2 \wedge x_4) \oplus (x_5 \wedge x_6))$
     $x_1 + x_2 + x_4 + x_5 + 1 = 0$ $\quad\longrightarrow\quad$ $(x_1 \oplus x_2 \oplus x_4 \oplus x_5)$
     $x_3 + x_4 + x_2 \cdot x_4 + 1 = 0$ $\quad\longrightarrow\quad$ $(x_3 \oplus x_4 \oplus (x_2 \wedge x_4))$
     $x_2 + x_5 + x_2 \cdot x_4 + x_5 \cdot x_6 + 1 = 0$ $\quad\longrightarrow\quad$ $(x_2 \oplus x_5 \oplus (x_2 \wedge x_4) \oplus (x_5 \wedge x_6))$
     $x_3 + x_4 + x_6 + 1 = 0$ $\quad\longrightarrow\quad$ $(x_3 \oplus x_4 \oplus x_6)$
     The five formulas on the right are joined by $\wedge$. Multiplication in $\mathbb{F}_2$ ($\cdot$) becomes the logical AND operation ($\wedge$) and addition in $\mathbb{F}_2$ ($+$) becomes the logical XOR ($\oplus$).

  12. Algebraic model to CNF-XOR model
     Add a new variable $x_7$ to substitute the conjunction $x_2 \wedge x_4$. We have that
     $x_7 \Leftrightarrow (x_2 \wedge x_4)$
     $(x_7 \Rightarrow (x_2 \wedge x_4)) \wedge ((x_2 \wedge x_4) \Rightarrow x_7)$
     Left implication: $\neg x_7 \vee (x_2 \wedge x_4)$, i.e. $(\neg x_7 \vee x_2) \wedge (\neg x_7 \vee x_4)$.
     Right implication: $\neg (x_2 \wedge x_4) \vee x_7$, i.e. $\neg x_2 \vee \neg x_4 \vee x_7$.

  13. Algebraic model to CNF-XOR model
     Propositional variables: $x_1, x_2, x_3, x_4, x_5, x_6$ with truth values in $\{\mathrm{true}, \mathrm{false}\}$ (with $x_7$ substituting $x_2 \wedge x_4$ and $x_8$ substituting $x_5 \wedge x_6$).
     Formula with conjunctions:
     $(x_1 \oplus (x_2 \wedge x_4) \oplus (x_5 \wedge x_6)) \wedge (x_1 \oplus x_2 \oplus x_4 \oplus x_5) \wedge (x_3 \oplus x_4 \oplus (x_2 \wedge x_4)) \wedge (x_2 \oplus x_5 \oplus (x_2 \wedge x_4) \oplus (x_5 \wedge x_6)) \wedge (x_3 \oplus x_4 \oplus x_6)$
     Resulting CNF-XOR formula:
     $(\neg x_7 \vee x_2) \wedge (\neg x_7 \vee x_4) \wedge (\neg x_2 \vee \neg x_4 \vee x_7) \wedge (\neg x_8 \vee x_5) \wedge (\neg x_8 \vee x_6) \wedge (\neg x_5 \vee \neg x_6 \vee x_8) \wedge (x_1 \oplus x_7 \oplus x_8) \wedge (x_1 \oplus x_2 \oplus x_4 \oplus x_5) \wedge (x_3 \oplus x_4 \oplus x_7) \wedge (x_2 \oplus x_5 \oplus x_7 \oplus x_8) \wedge (x_3 \oplus x_4 \oplus x_6)$
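As an added example (not code from the slides or from the authors' solver), the following Python carries out the substitution of slides 11 to 13 on exactly that system: every product gets a fresh variable tied to the conjunction by OR-clauses, each equation becomes one XOR-clause, and a brute-force check confirms that the CNF-XOR formula has the same solutions on $x_1, \ldots, x_6$ as the algebraic system. The DIMACS sign convention for literals (negative integer = negation) is my choice.

```python
from itertools import product

# Slide 11's system over F2.  Each equation is (monomials, c) meaning
# sum(monomials) + c = 0; a monomial is a tuple of 1-based variable indices.
SYSTEM = [
    ([(1,), (2, 4), (5, 6)], 1),         # x1 + x2*x4 + x5*x6 + 1 = 0
    ([(1,), (2,), (4,), (5,)], 1),       # x1 + x2 + x4 + x5 + 1 = 0
    ([(3,), (4,), (2, 4)], 1),           # x3 + x4 + x2*x4 + 1 = 0
    ([(2,), (5,), (2, 4), (5, 6)], 1),   # x2 + x5 + x2*x4 + x5*x6 + 1 = 0
    ([(3,), (4,), (6,)], 1),             # x3 + x4 + x6 + 1 = 0
]
NVARS = 6

def anf_to_cnf_xor(system, nvars):
    """Replace each product x_i*x_j by a fresh variable y with y <=> (x_i AND x_j)
    encoded as OR-clauses (slide 12); each equation becomes one XOR-clause whose
    parity must equal c (c = 1 means the XOR-formula is asserted true)."""
    clauses, xors, aux = [], [], {}
    for monos, c in system:
        lits = []
        for m in monos:
            if len(m) == 1:
                lits.append(m[0])
                continue
            if m not in aux:                       # first time we see this product
                nvars += 1
                aux[m] = y = nvars
                clauses.extend([[-y, v] for v in m])   # y => x_i  for each factor
                clauses.append([-v for v in m] + [y])  # (AND of x_i) => y
            lits.append(aux[m])
        xors.append((lits, c))
    return clauses, xors, nvars

def anf_solutions(system, nvars):
    """Brute-force the algebraic system directly over F2 (small instance only)."""
    sols = set()
    for bits in product((0, 1), repeat=nvars):
        x = (None,) + bits
        if all((sum(all(x[v] for v in m) for m in monos) + c) % 2 == 0
               for monos, c in system):
            sols.add(bits)
    return sols

def cnf_xor_solutions(clauses, xors, nvars_total, nvars_orig):
    """Brute-force the CNF-XOR formula and project solutions onto the original variables."""
    sols = set()
    for bits in product((0, 1), repeat=nvars_total):
        x = (None,) + bits
        lit = lambda l: x[l] if l > 0 else 1 - x[-l]
        if all(any(lit(l) for l in cl) for cl in clauses) and \
           all(sum(x[v] for v in vs) % 2 == c for vs, c in xors):
            sols.add(bits[:nvars_orig])
    return sols
```

The projection step matters: the auxiliary variables $x_7, x_8$ are fully determined by $x_2, x_4, x_5, x_6$, so the encoding adds no spurious solutions, which is what the equivalence check verifies.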

  14. WDSat algorithm
     Based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm. Recursively builds a binary search tree of height equivalent (at worst) to the number of variables.
     [Figure: binary search tree branching on $x_1$, $x_2$, $x_3$, $x_4$ with F/T edges; leaves marked X (conflict) or OK (solution found).]

  15. WDSat - Three reasoning modules
     cnf module: performs unit propagation on CNF-clauses.
     xorset module: performs unit propagation on the parity constraints. When all but one literal of an XOR-clause are assigned, the truth value of the last literal is inferred by parity reasoning.
     xorgauss module: performs Gaussian elimination on the XOR system.

  16. WDSat - breaking symmetry
     Exploiting the symmetry of Semaev's summation polynomials: when $X_1, \ldots, X_m$ is a solution, all permutations of this set are a solution as well.
     Establish the following constraint: $X_1 \le X_2 \le \ldots \le X_m$.
     Implement the constraint in the solver using a tree-pruning-like technique.
     Optimizes the complexity by a factor of $m!$.

  17. Experimental results

     Approach         l   n      satisfiable                      unsatisfiable
                                Runtime   #Conflicts  Memory     Runtime   #Conflicts  Memory
     Gröbner basis    6   17     207.220   NA          3601       142.119   NA          3291
                      6   19     215.187   NA          3940       155.765   NA          4091
                      7   19    3854.708   NA          38763     2650.696   NA          38408
                      7   23    3128.844   NA          35203     2286.136   NA          35162
     CryptoMiniSat    6   17      15.673   61812       34.5        62.396   260843      39.3
                      6   19      14.128   53767       33.2        64.563   259688      42.1
                      7   19     176.463   484098      41.5       843.367   2077747     72.3
                      7   23     300.021   638152      48.9      1012.412   2070190     73.6
     WDSat            6   17       0.601   49117       1.4          3.851   254686      1.4
                      6   19       0.470   38137       1.4          3.913   255491      1.4
                      7   19       9.643   534867      16.7        44.107   2073089     16.7
                      7   23       9.303   477632      16.7        47.347   2067168     16.7
     WDSat + br-sym   6   17       0.220   17792       1.4          0.605   43875       1.4
                      6   19       0.243   19166       1.4          0.639   44034       1.4
                      7   19       2.205   130062      1.4          6.859   351353      1.4
                      7   23       3.555   189940      1.4          7.478   350257      1.4

     Table: Comparing Gröbner basis and SAT-based approaches for solving the PDP. Running times are in seconds and memory is in MB.
