Logical Cryptanalysis as a SAT Problem
 Fabio Massacci,
 Laura Marraro
 … show all 2 hide
Purchase on Springer.com
$39.95 / €34.95 / £29.95*
Rent the article at a discount
Rent now* Final gross prices may vary according to local VAT.
Abstract
Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength.
In this paper, we claim that one can feasibly encode the lowlevel properties of stateoftheart cryptographic algorithms as SAT problems and then use efficient automated theoremproving systems and SATsolvers for reasoning about them. We call this approach logical cryptanalysis.
In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “realworld” problems and randomly generated problems.
Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties.
We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and relSAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance.
A discussion of open problems and future research concludes the paper.
 Abadi, M. and Needham, R.: Prudent engineering practice for cryptographic protocols, IEEE Trans. Software Engng. 22(1) (1996), 6–15.
 Anderson, R. and Needham, R.: Programming Satan's computer, in Computer Science TodayRecent Trends and Developments, Lecture Notes in Comput. Sci. 1000, SpringerVerlag, 1996, pp. 426–440.
 Andleman, D. and Reeds, J.: On the cryptanalysis of rotor machines and substitutionpermutations networks, IEEE Trans. Inform. Theory 28(4) (1982), 578–584.
 Ascione, M.: Validazione e benchmarking dei BDD per la criptanalisi del data encryption standard, Master's thesis, Facoltà di Ingegneria, Univ. di Roma I “La Sapienza”, March 1999. In Italian.
 Bayardo, R. and Schrag, R.: Using CSP lookback techniques to solve realworld SAT instances, in Proc. of the 14th Nat. (US) Conf. on Artificial Intelligence (AAAI97), AAAI Press/The MIT Press, 1997, pp. 203–208.
 Biham, E. and Biryukov, A.: An improvement of Davies' attack on DES, in Advances in CryptologyEurocrypt 94, Lecture Notes in Comput. Sci., SpringerVerlag, 1994.
 Biham, E. and Shamir, A.: Differential cryptanalysis of DESlike cryptosystems, J. Cryptology 4(1) (1991), 3–72.
 Bryant, R.: Graphbased algorithms for Boolean function manipulation, IEEE Trans. Computers 35(8) (1986), 677–691.
 Büning, H., Karpinski, M. and Flögel, A.: Resolution for quantified Boolean formulas, Inform. Comput. 117(1) (1995), 12–18.
 Burrows, M., Abadi, M. and Needham, R.: A logic for authentication, ACM Trans. Comput. Systems 8(1) (1990), 18–36.
 Cadoli, M., Giovanardi, A. and Schaerf, M.: An algorithm to evaluate quantified Boolean formulae, in Proc. of the 15th (US) Nat. Conf. on Artificial Intelligence (AAAI98), AAAI Press/The MIT Press, 1998, pp. 262–267.
 Campbell, K. and Weiner, M.: DES is not a group, in Proc. of Advances in Cryptography (CRYPTO92), Lecture Notes in Comput. Sci., SpringerVerlag, 1992, pp. 512–520.
 Claesen, L. (ed.): Formal VLSI Correctness Verification: VLSI Design Methods, Vol. II, Elsevier Science Publishers, NorthHolland, 1990.
 Cook, S. and Mitchel, D.: Finding hard instances of the satisfiability problem: A survey, in Satisfiability Problem: Theory and Applications, Vol. 35, DIMACS Series in Discrete Math. Theoret. Comput. Sci. Amer. Math. Soc., 1997, pp. 1–17.
 Crawford, J. and Auton, L.: Experimental results on the crossover point in random 3SAT, Artif. Intell. 81(1–2) (1996), 31–57.
 Cryptography Research Inc. DES key search project information, Technical report, Cryptography Research Inc., 1998. Available on the web at http://www.cryptography.com/des/.
 Davis, M., Longemann, G. and Loveland, D.: A machine program for theoremproving, Comm. ACM 5(7) (1962), 394–397.
 Davis, M. and Putnam, H.: A computing procedure for quantificational theory, J. ACM 7(3) (1960), 201–215.
 De Millo, R., Lynch, L. and Merrit, M.: Cryptographic protocols, in Proc. of the 14th ACM SIGACT Symposium on Theory of Computing (STOC82), 1982, pp. 383–400.
 Feistel, H., Notz, W. and Smith, L.: Some cryptographic techniques for machinetomachine data communication, Proc. of the IEEE 63(11) (1975), 1545–1554.
 Gomes, C. and Selman, B.: Problem structure in the presence of perturbation, in Proc. of the 14th Nat. (US) Conf. on Artificial Intelligence (AAAI97), AAAI Press/The MIT Press, 1997.
 Gomes, C., Selman, B. and Crato, N.: Heavytailed distributions in combinatorial search, in Third Internal. Conf. on Principles and Practice of Constraint Programming (CP97), Lecture Notes in Comput. Sci. 1330, SpringerVerlag, 1997, pp. 121–135.
 Group of Experts on Information Security and Privacy. Inventory of controls on cryptography technologies, OLIS DSTI/ICCP/REG(98)4/REV3, Organization for Economic Cooperation and Development, Paris, Sep. 1998.
 Harrison, J.: Stalmarck's algorithm as a HOL derived rule, in Proc. of the 9th Internal. Conf. on Theorem Proving in Higher Order Logics (TPHOLs'96), Lecture Notes in Comput. Sci. 1125, SpringerVerlag, 1996, pp. 221–234.
 Johnson, D. and Trick, M. (eds): Cliques, Coloring, Satisfiability: The Second DIMACS Implementation Challenge, AMS Series in Discrete Math. and Theoret. Comput. Sci. 26, Amer. Math. Soc., 1996.
 Kaliski, B., Rivest, R. and Sherman, A.: Is the Data Encryption Standard a group? (preliminary abstract), in Advances in CryptologyEurocrypt 85, Lecture Notes in Comput. Sci. 219, SpringerVerlag, 1985, pp. 81–95.
 Liberatore, P.: Algorithms and experiments on finding minimal models, Technical Report 09–99, Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”, 1999.
 Lowe, G.: Breaking and fixing the NeedhamSchroeder publickey protocol using CSP and FDR, in Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Comput. Sci. 1055, SpringerVerlag, 1996, pp. 147–166.
 Marraro, L.: Analisi crittografica del DES mediante logica booleana, Master's thesis, Facolta di Ingegneria, Univ. di Roma I “La Sapienza”, December 1998. In Italian.
 Marraro, L. and Massacci, F.: A new challenge for automated reasoning: Verification and cryptanalysis of cryptographic algorithms, Technical Report 05–99, Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”, 1999.
 Massacci, F.: Using walkSAT and relSAT for cryptographic key search, in Proc. of the 16th Internat. Joint Conf. on Artificial Intelligence (IJCAI99), Morgan Kaufmann, 1999, pp. 290–295.
 Matsui, M.: The first experimental cryptanalysis of the Data Encryption Standard, in Proc. of Advances in Cryptography (CRYPTO94), Lecture Notes in Comput. Sci. 839, SpringerVerlag, 1994, pp. 1–11.
 Matsui, M.: Linear cryptanalysis method for DES cipher, in Advances in CryptologyEwocrypt 93, Lecture Notes in Comput. Sci. 765, SpringerVerlag, 1994, pp. 368–397.
 Mitchell, J., Mitchell, M. and Stern, U.: Automated analysis of cryptographic protocols using Murphi, in Proc. of the 16th IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 1997, pp. 141–151.
 Organization for Economic Cooperation and Development OECD emerging market economy forum (EMEF): Report of the ministerial workshop on cryptography policy, OLIS SG/EMEF/ICCP(98)1, Organization for Economic Cooperation and Development, Paris, Feb. 1998.
 National Institute of Standards and Technology. Data encryption standard. Federal Information Processing Standards Publications FIPS PUB 46–2, National (U.S.) Bureau of Standards, Dec. 1997. Supersedes FIPS PUB 46–1 of Jan. 1988.
 National Institute of Standards and Technology. Request for comments on candidate algorithms for the advanced encryption standard (AES), (U.S.) Federal Register 63(177), September 1998.
 Committee on Payment, Settlement Systems, and the Group of Computer Experts of the central banks of the Group of Ten countries, Security of Electronic Money, Banks for International Settlements, Basle, August 1996.
 Paulson, L.: The inductive approach to verifying cryptographic protocols, J. Comput. Security (1998).
 Rivest, R.: The RC5 encryption algorithm, in Proc. of the Fast Software Encryption Workshop (FSE95), Lecture Notes in Comput. Sci. 1008, SpringerVeriag, 1995, pp. 86–96.
 Rudell, R.: Espresso 1OCTTOOLS, January 1988.
 Rudell, R. and SangiovanniVincentelli, A.: Multiple valued minimization for PLA optimization, IEEE Trans. Comput. Aided Design. 6(5) (1987), 727–750.
 Ryan, P. and Schneider, S.: An attack on a recurive authentication protocol: A cautionary tale, Inform. Process. Lett. 65(15) (1998), 7–16.
 Schaefer, T.: The complexity of satisfiability problems, in Proc. of the 10th ACM Symposium on Theory of Computing (STOC78), ACM Press and Addison Wesley, 1978, pp. 216–226.
 Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C, Wiley, 1994.
 Selman, B. and Kautz, H.: Knowledge compilation and theory approximation, J. ACM 43(2) (1996), 193–224.
 Selman, B., Kautz, H. and McAllester, D.: Ten challenges in propositional resoning and search, in Proc. of the 15th Internat. Joint Conf. on Artificial Intelligence (IJCAI97), Morgan Kaufmann, Los Altos, 1997.
 Selman, B., Mitchell, D. and Levesque, H.: Generating hard satisfiability problems, Artif. Intell. 81(1–2) (1996), 17–29.
 Shannon, C.: Communication theory of secrecy systems, Bell System Technical J. 28 (1949), 656–715.
 Suttner, C. and Sutcliffe, G.: The CADE14 ATP system competition, J. Automated Reasoning 21(1) (1998), 99–134.
 Zhang, H.: SATO: An efficient propositional prover, in Proc. of the 14th Internat. Conf. on Automated Deduction (CADE97), Lecture Notes in Comput. Sci., 1997.
 Zhang, H.: Personal communication, Nov. 1998.
 Zhang, H. and Stickel, M.: An efficient algorithm for unitpropagation, in Proc. of the 4th Internat. Symposium on AI and Mathematics, 1996.
 Title
 Logical Cryptanalysis as a SAT Problem
 Journal

Journal of Automated Reasoning
Volume 24, Issue 12 , pp 165203
 Cover Date
 20000201
 DOI
 10.1023/A:1006326723002
 Print ISSN
 01687433
 Online ISSN
 15730670
 Publisher
 Kluwer Academic Publishers
 Additional Links
 Topics
 Keywords

 cipher verification
 Data Encryption Standard
 logical cryptanalysis
 propositional satisfiability
 quantified boolean formulae
 SAT benchmarks
 Industry Sectors
 Authors