Logical Cryptanalysis as a SAT Problem
Abstract
Cryptographic algorithms play a key role in computer security, and the formal analysis of their robustness is of utmost importance. Yet logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one often cannot get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength.
In this paper, we claim that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them. We call this approach
In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “real-world” problems and randomly generated problems.
Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties.
We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and rel-SAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance.
A discussion of open problems and future research concludes the paper.
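As an added illustration of the abstract's claim that finding a model of the formula encoding a cipher is the same as finding a key (example code written for this page, not the paper's DES encoding or any of the cited solvers): a constructed 4-bit toy cipher is compiled gate by gate into CNF with Tseitin variables, the known plaintext and ciphertext bits are pinned as unit clauses, and a small Davis-Putnam-Logemann-Loveland search returns the key, while an unsatisfiable instance means no key is consistent with the observations. The cipher, the key 1011 and the plaintext/ciphertext pairs are all constructed assumptions.

```python
class CNF:  # clause list plus Tseitin gate encoders; variables are positive ints, literals signed
    def __init__(self): self.clauses, self.n = [], 0
    def var(self): self.n += 1; return self.n
    def const(self, v, bit): self.clauses.append([v] if bit else [-v])  # pin a known bit
    def xor(self, a, b):  # z <-> a XOR b, as four clauses
        z = self.var(); self.clauses += [[-a, -b, -z], [a, b, -z], [a, -b, z], [-a, b, z]]
        return z
    def and_(self, a, b):  # z <-> a AND b, as three clauses
        z = self.var(); self.clauses += [[-a, -b, z], [a, -z], [b, -z]]
        return z

def toy_encrypt(p, k):
    """Constructed 4-bit toy cipher: key XOR, then a chi-style nonlinear layer."""
    x = [p[i] ^ k[i] for i in range(4)]
    return [x[i] ^ (x[(i + 1) % 4] & x[(i + 2) % 4]) for i in range(4)]

def encode_encrypt(cnf, p, k):
    """The same cipher over CNF variables: every gate becomes a few clauses."""
    x = [cnf.xor(p[i], k[i]) for i in range(4)]
    return [cnf.xor(x[i], cnf.and_(x[(i + 1) % 4], x[(i + 2) % 4])) for i in range(4)]

def dpll(clauses, assign):
    """DPLL search: unit propagation to a fixpoint, then branch on the lowest free variable."""
    while True:
        units = []
        for cl in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in cl): continue  # satisfied
            free = [l for l in cl if abs(l) not in assign]
            if not free: return None  # every literal false: conflict
            if len(free) == 1: units.append(free[0])
        if not units: break
        for l in units: assign[abs(l)] = l > 0  # clashing units surface as a conflict next round
    free_vars = {abs(l) for cl in clauses for l in cl} - assign.keys()
    if not free_vars: return assign  # complete model
    v = min(free_vars)  # key variables were numbered first, so the search branches on them
    return dpll(clauses, {**assign, v: True}) or dpll(clauses, {**assign, v: False})

def recover_key(pairs):
    """Known-plaintext key search as SAT: any model of the formula is a consistent key."""
    cnf = CNF()
    k = [cnf.var() for _ in range(4)]
    for p, c in pairs:
        pv = [cnf.var() for _ in range(4)]
        for v, bit in zip(pv + encode_encrypt(cnf, pv, k), p + c):
            cnf.const(v, bit)  # constrain the observed plaintext and ciphertext bits
    model = dpll(cnf.clauses, {})
    return None if model is None else [int(model[v]) for v in k]

# Constructed sample: two plaintext/ciphertext pairs produced under the key 1011.
PAIRS = [([0, 0, 0, 0], [1, 1, 0, 1]), ([1, 1, 0, 0], [1, 0, 1, 1])]
```

With one pair the formula has two models (two keys fit), with both pairs only 1011 remains, and a ciphertext outside the cipher's image makes the formula unsatisfiable.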
Keywords: cipher verification, Data Encryption Standard, logical cryptanalysis, propositional satisfiability, quantified boolean formulae, SAT benchmarks
References
Abadi, M. and Needham, R.: Prudent engineering practice for cryptographic protocols, IEEE Trans. Software Engng. (1) (1996), 6–15.
Anderson, R. and Needham, R.: Programming Satan's computer, in Computer Science Today: Recent Trends and Developments, Lecture Notes in Comput. Sci. 1000, Springer-Verlag, 1996, pp. 426–440.
Andelman, D. and Reeds, J.: On the cryptanalysis of rotor machines and substitution-permutation networks, IEEE Trans. Inform. Theory (4) (1982), 578–584.
Ascione, M.: Validazione e benchmarking dei BDD per la criptanalisi del data encryption standard, Master's thesis, Facoltà di Ingegneria, Univ. di Roma I “La Sapienza”, March 1999. In Italian.
Bayardo, R. and Schrag, R.: Using CSP look-back techniques to solve real-world SAT instances, in Proc. of the 14th Nat. Conf. on Artificial Intelligence, AAAI Press/The MIT Press, 1997, pp. 203–208.
Biham, E. and Biryukov, A.: An improvement of Davies' attack on DES, in Advances in Cryptology: Eurocrypt 94, Lecture Notes in Comput. Sci., Springer-Verlag, 1994.
Biham, E. and Shamir, A.: Differential cryptanalysis of DES-like cryptosystems, (1) (1991), 3–72.
Bryant, R.: Graph-based algorithms for Boolean function manipulation, IEEE Trans. Computers (8) (1986), 677–691.
Büning, H., Karpinski, M. and Flögel, A.: Resolution for quantified Boolean formulas, (1) (1995), 12–18.
Burrows, M., Abadi, M. and Needham, R.: A logic for authentication, ACM Trans. Comput. Systems (1) (1990), 18–36.
Cadoli, M., Giovanardi, A. and Schaerf, M.: An algorithm to evaluate quantified Boolean formulae, in Proc. of the 15th Nat. Conf. on Artificial Intelligence, AAAI Press/The MIT Press, 1998, pp. 262–267.
Campbell, K. and Wiener, M.: DES is not a group, in Proc. of Advances in Cryptography, Lecture Notes in Comput. Sci., Springer-Verlag, 1992, pp. 512–520.
Claesen, L. (ed.): Formal VLSI Correctness Verification: VLSI Design Methods, Vol. II, Elsevier Science Publishers, North-Holland, 1990.
Cook, S. and Mitchell, D.: Finding hard instances of the satisfiability problem: A survey, in Satisfiability Problem: Theory and Applications, Vol. 35, DIMACS Series in Discrete Math. Theoret. Comput. Sci., Amer. Math. Soc., 1997, pp. 1–17.
Crawford, J. and Auton, L.: Experimental results on the crossover point in random 3SAT, (1–2) (1996), 31–57.
Cryptography Research Inc.: DES key search project information, Technical report, Cryptography Research Inc., 1998. Available on the web at http://www.cryptography.com/des/.
Davis, M., Logemann, G. and Loveland, D.: A machine program for theorem-proving, (7) (1962), 394–397.
Davis, M. and Putnam, H.: A computing procedure for quantificational theory, (3) (1960), 201–215.
De Millo, R., Lynch, L. and Merritt, M.: Cryptographic protocols, in Proc. of the 14th ACM SIGACT Symposium on Theory of Computing, 1982, pp. 383–400.
Feistel, H., Notz, W. and Smith, L.: Some cryptographic techniques for machine-to-machine data communication, Proc. of the IEEE (11) (1975), 1545–1554.
Gomes, C. and Selman, B.: Problem structure in the presence of perturbation, in Proc. of the 14th Nat. Conf. on Artificial Intelligence, AAAI Press/The MIT Press, 1997.
Gomes, C., Selman, B. and Crato, N.: Heavy-tailed distributions in combinatorial search, in Third Internat. Conf. on Principles and Practice of Constraint Programming, Lecture Notes in Comput. Sci. 1330, Springer-Verlag, 1997, pp. 121–135.
Group of Experts on Information Security and Privacy: Inventory of controls on cryptography technologies, OLIS DSTI/ICCP/REG(98)4/REV3, Organization for Economic Co-operation and Development, Paris, Sep. 1998.
Harrison, J.: Stålmarck's algorithm as a HOL derived rule, in Proc. of the 9th Internat. Conf. on Theorem Proving in Higher Order Logics '96, Lecture Notes in Comput. Sci. 1125, Springer-Verlag, 1996, pp. 221–234.
Johnson, D. and Trick, M. (eds): Cliques, Coloring, Satisfiability: The Second DIMACS Implementation Challenge, AMS Series in Discrete Math. and Theoret. Comput. Sci. 26, Amer. Math. Soc., 1996.
Kaliski, B., Rivest, R. and Sherman, A.: Is the Data Encryption Standard a group? (preliminary abstract), in Advances in Cryptology: Eurocrypt 85, Lecture Notes in Comput. Sci. 219, Springer-Verlag, 1985, pp. 81–95.
Liberatore, P.: Algorithms and experiments on finding minimal models, Technical Report 09–99, Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”, 1999.
Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR, in Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Comput. Sci. 1055, Springer-Verlag, 1996, pp. 147–166.
Marraro, L.: Analisi crittografica del DES mediante logica booleana, Master's thesis, Facoltà di Ingegneria, Univ. di Roma I “La Sapienza”, December 1998. In Italian.
Marraro, L. and Massacci, F.: A new challenge for automated reasoning: Verification and cryptanalysis of cryptographic algorithms, Technical Report 05–99, Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”, 1999.
Massacci, F.: Using walk-SAT and rel-SAT for cryptographic key search, in Proc. of the 16th Internat. Joint Conf. on Artificial Intelligence, Morgan Kaufmann, 1999, pp. 290–295.
Matsui, M.: The first experimental cryptanalysis of the Data Encryption Standard, in Proc. of Advances in Cryptography, Lecture Notes in Comput. Sci. 839, Springer-Verlag, 1994, pp. 1–11.
Matsui, M.: Linear cryptanalysis method for DES cipher, in Advances in Cryptology: Eurocrypt 93, Lecture Notes in Comput. Sci. 765, Springer-Verlag, 1994, pp. 368–397.
Mitchell, J., Mitchell, M. and Stern, U.: Automated analysis of cryptographic protocols using Murphi, in Proc. of the 16th IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 1997, pp. 141–151.
Organization for Economic Co-operation and Development, OECD Emerging Market Economy Forum (EMEF): Report of the ministerial workshop on cryptography policy, OLIS SG/EMEF/ICCP(98)1, Organization for Economic Co-operation and Development, Paris, Feb. 1998.
National Institute of Standards and Technology: Data encryption standard, Federal Information Processing Standards Publication FIPS PUB 46–2, National (U.S.) Bureau of Standards, Dec. 1997. Supersedes FIPS PUB 46–1 of Jan. 1988.
National Institute of Standards and Technology: Request for comments on candidate algorithms for the advanced encryption standard (AES), (U.S.) Federal Register 63(177), September 1998.
Committee on Payment and Settlement Systems and the Group of Computer Experts of the central banks of the Group of Ten countries: Security of Electronic Money, Bank for International Settlements, Basle, August 1996.
Paulson, L.: The inductive approach to verifying cryptographic protocols, J. Comput. Security.
Rivest, R.: The RC5 encryption algorithm, in Proc. of the Fast Software Encryption Workshop, Lecture Notes in Comput. Sci. 1008, Springer-Verlag, 1995, pp. 86–96.
Rudell, R.: Espresso 1OCTTOOLS, January 1988.
Rudell, R. and Sangiovanni-Vincentelli, A.: Multiple valued minimization for PLA optimization, IEEE Trans. Comput. Aided Design (5) (1987), 727–750.
Ryan, P. and Schneider, S.: An attack on a recursive authentication protocol: A cautionary tale, Inform. Process. Lett. (15) (1998), 7–16.
Schaefer, T.: The complexity of satisfiability problems, in Proc. of the 10th ACM Symposium on Theory of Computing, ACM Press and Addison Wesley, 1978, pp. 216–226.
Applied Cryptography: Protocols, Algorithms, and Source Code in C, Wiley, 1994.
Selman, B. and Kautz, H.: Knowledge compilation and theory approximation, (2) (1996), 193–224.
Selman, B., Kautz, H. and McAllester, D.: Ten challenges in propositional reasoning and search, in Proc. of the 15th Internat. Joint Conf. on Artificial Intelligence, Morgan Kaufmann, Los Altos, 1997.
Selman, B., Mitchell, D. and Levesque, H.: Generating hard satisfiability problems, (1–2) (1996), 17–29.
Shannon, C.: Communication theory of secrecy systems, Bell System Technical J.
Suttner, C. and Sutcliffe, G.: The CADE-14 ATP system competition, J. Automated Reasoning (1) (1998), 99–134.
Zhang, H.: SATO: An efficient propositional prover, in Proc. of the 14th Internat. Conf. on Automated Deduction, Lecture Notes in Comput. Sci., 1997.
Zhang, H.: Personal communication, Nov. 1998.
Zhang, H. and Stickel, M.: An efficient algorithm for unit-propagation, in Proc. of the 4th Internat. Symposium on AI and Mathematics.
© Kluwer Academic Publishers 2000