Skip to main content

Logical Cryptanalysis as a SAT Problem

Journal of Automated Reasoning volume 24pages 165–203 (2000)Cite this article

Abstract

Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength.

In this paper, we claim that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them. We call this approach logical cryptanalysis.

In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “real-world” problems and randomly generated problems.

Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties.

We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and rel-SAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance.

A discussion of open problems and future research concludes the paper.

This is a preview of subscription content, access via your institution.

Access options

Buy single article

Instant access to the full article PDF.

USD 39.95

Price includes VAT (USA)
Tax calculation will be finalised during checkout.

References

  1. Abadi, M. and Needham, R.: Prudent engineering practice for cryptographic protocols, IEEE Trans. Software Engng. 22(1) (1996), 6–15.

    Google Scholar 

  2. Anderson, R. and Needham, R.: Programming Satan's computer, in Computer Science Today-Recent Trends and Developments, Lecture Notes in Comput. Sci. 1000, Springer-Verlag, 1996, pp. 426–440.

  3. Andleman, D. and Reeds, J.: On the cryptanalysis of rotor machines and substitution-permutations networks, IEEE Trans. Inform. Theory 28(4) (1982), 578–584.

    Google Scholar 

  4. Ascione, M.: Validazione e benchmarking dei BDD per la criptanalisi del data encryption standard, Master's thesis, Facoltà di Ingegneria, Univ. di Roma I “La Sapienza”, March 1999. In Italian.

  5. Bayardo, R. and Schrag, R.: Using CSP look-back techniques to solve real-world SAT instances, in Proc. of the 14th Nat. (US) Conf. on Artificial Intelligence (AAAI-97), AAAI Press/The MIT Press, 1997, pp. 203–208.

  6. Biham, E. and Biryukov, A.: An improvement of Davies' attack on DES, in Advances in Cryptology-Eurocrypt 94, Lecture Notes in Comput. Sci., Springer-Verlag, 1994.

  7. Biham, E. and Shamir, A.: Differential cryptanalysis of DES-like cryptosystems, J. Cryptology 4(1) (1991), 3–72.

    Google Scholar 

  8. Bryant, R.: Graph-based algorithms for Boolean function manipulation, IEEE Trans. Computers 35(8) (1986), 677–691.

    Google Scholar 

  9. Büning, H., Karpinski, M. and Flögel, A.: Resolution for quantified Boolean formulas, Inform. Comput. 117(1) (1995), 12–18.

    Google Scholar 

  10. Burrows, M., Abadi, M. and Needham, R.: A logic for authentication, ACM Trans. Comput. Systems 8(1) (1990), 18–36.

    Google Scholar 

  11. Cadoli, M., Giovanardi, A. and Schaerf, M.: An algorithm to evaluate quantified Boolean formulae, in Proc. of the 15th (US) Nat. Conf. on Artificial Intelligence (AAAI-98), AAAI Press/The MIT Press, 1998, pp. 262–267.

  12. Campbell, K. and Weiner, M.: DES is not a group, in Proc. of Advances in Cryptography (CRYPTO-92), Lecture Notes in Comput. Sci., Springer-Verlag, 1992, pp. 512–520.

  13. Claesen, L. (ed.): Formal VLSI Correctness Verification: VLSI Design Methods, Vol. II, Elsevier Science Publishers, North-Holland, 1990.

    Google Scholar 

  14. Cook, S. and Mitchel, D.: Finding hard instances of the satisfiability problem: A survey, in Satisfiability Problem: Theory and Applications, Vol. 35, DIMACS Series in Discrete Math. Theoret. Comput. Sci. Amer. Math. Soc., 1997, pp. 1–17.

    Google Scholar 

  15. Crawford, J. and Auton, L.: Experimental results on the crossover point in random 3SAT, Artif. Intell. 81(1–2) (1996), 31–57.

    Google Scholar 

  16. Cryptography Research Inc. DES key search project information, Technical report, Cryptography Research Inc., 1998. Available on the web at http://www.cryptography.com/des/.

  17. Davis, M., Longemann, G. and Loveland, D.: A machine program for theorem-proving, Comm. ACM 5(7) (1962), 394–397.

    Google Scholar 

  18. Davis, M. and Putnam, H.: A computing procedure for quantificational theory, J. ACM 7(3) (1960), 201–215.

    Google Scholar 

  19. De Millo, R., Lynch, L. and Merrit, M.: Cryptographic protocols, in Proc. of the 14th ACM SIGACT Symposium on Theory of Computing (STOC-82), 1982, pp. 383–400.

  20. Feistel, H., Notz, W. and Smith, L.: Some cryptographic techniques for machine-to-machine data communication, Proc. of the IEEE 63(11) (1975), 1545–1554.

    Google Scholar 

  21. Gomes, C. and Selman, B.: Problem structure in the presence of perturbation, in Proc. of the 14th Nat. (US) Conf. on Artificial Intelligence (AAAI-97), AAAI Press/The MIT Press, 1997.

  22. Gomes, C., Selman, B. and Crato, N.: Heavy-tailed distributions in combinatorial search, in Third Internal. Conf. on Principles and Practice of Constraint Programming (CP-97), Lecture Notes in Comput. Sci. 1330, Springer-Verlag, 1997, pp. 121–135.

  23. Group of Experts on Information Security and Privacy. Inventory of controls on cryptography technologies, OLIS DSTI/ICCP/REG(98)4/REV3, Organization for Economic Co-operation and Development, Paris, Sep. 1998.

    Google Scholar 

  24. Harrison, J.: Stalmarck's algorithm as a HOL derived rule, in Proc. of the 9th Internal. Conf. on Theorem Proving in Higher Order Logics (TPHOLs'96), Lecture Notes in Comput. Sci. 1125, Springer-Verlag, 1996, pp. 221–234.

  25. Johnson, D. and Trick, M. (eds): Cliques, Coloring, Satisfiability: The Second DIMACS Implementation Challenge, AMS Series in Discrete Math. and Theoret. Comput. Sci. 26, Amer. Math. Soc., 1996.

  26. Kaliski, B., Rivest, R. and Sherman, A.: Is the Data Encryption Standard a group? (preliminary abstract), in Advances in Cryptology-Eurocrypt 85, Lecture Notes in Comput. Sci. 219, Springer-Verlag, 1985, pp. 81–95.

  27. Liberatore, P.: Algorithms and experiments on finding minimal models, Technical Report 09–99, Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”, 1999.

  28. Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR, in Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Comput. Sci. 1055, Springer-Verlag, 1996, pp. 147–166.

  29. Marraro, L.: Analisi crittografica del DES mediante logica booleana, Master's thesis, Facolta di Ingegneria, Univ. di Roma I “La Sapienza”, December 1998. In Italian.

  30. Marraro, L. and Massacci, F.: A new challenge for automated reasoning: Verification and cryptanalysis of cryptographic algorithms, Technical Report 05–99, Dipartimento di Informatica e Sistemistica, Università di Roma “La Sapienza”, 1999.

  31. Massacci, F.: Using walk-SAT and rel-SAT for cryptographic key search, in Proc. of the 16th Internat. Joint Conf. on Artificial Intelligence (IJCAI-99), Morgan Kaufmann, 1999, pp. 290–295.

  32. Matsui, M.: The first experimental cryptanalysis of the Data Encryption Standard, in Proc. of Advances in Cryptography (CRYPTO-94), Lecture Notes in Comput. Sci. 839, Springer-Verlag, 1994, pp. 1–11.

  33. Matsui, M.: Linear cryptanalysis method for DES cipher, in Advances in Cryptology-Ewocrypt 93, Lecture Notes in Comput. Sci. 765, Springer-Verlag, 1994, pp. 368–397.

  34. Mitchell, J., Mitchell, M. and Stern, U.: Automated analysis of cryptographic protocols using Murphi, in Proc. of the 16th IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 1997, pp. 141–151.

  35. Organization for Economic Co-operation and Development OECD emerging market economy forum (EMEF): Report of the ministerial workshop on cryptography policy, OLIS SG/EMEF/ICCP(98)1, Organization for Economic Co-operation and Development, Paris, Feb. 1998.

    Google Scholar 

  36. National Institute of Standards and Technology. Data encryption standard. Federal Information Processing Standards Publications FIPS PUB 46–2, National (U.S.) Bureau of Standards, Dec. 1997. Supersedes FIPS PUB 46–1 of Jan. 1988.

  37. National Institute of Standards and Technology. Request for comments on candidate algorithms for the advanced encryption standard (AES), (U.S.) Federal Register 63(177), September 1998.

  38. Committee on Payment, Settlement Systems, and the Group of Computer Experts of the central banks of the Group of Ten countries, Security of Electronic Money, Banks for International Settlements, Basle, August 1996.

  39. Paulson, L.: The inductive approach to verifying cryptographic protocols, J. Comput. Security (1998).

  40. Rivest, R.: The RC5 encryption algorithm, in Proc. of the Fast Software Encryption Workshop (FSE-95), Lecture Notes in Comput. Sci. 1008, Springer-Veriag, 1995, pp. 86–96.

  41. Rudell, R.: Espresso 1OCTTOOLS, January 1988.

  42. Rudell, R. and Sangiovanni-Vincentelli, A.: Multiple valued minimization for PLA optimization, IEEE Trans. Comput. Aided Design. 6(5) (1987), 727–750.

    Google Scholar 

  43. Ryan, P. and Schneider, S.: An attack on a recurive authentication protocol: A cautionary tale, Inform. Process. Lett. 65(15) (1998), 7–16.

    Google Scholar 

  44. Schaefer, T.: The complexity of satisfiability problems, in Proc. of the 10th ACM Symposium on Theory of Computing (STOC-78), ACM Press and Addison Wesley, 1978, pp. 216–226.

  45. Schneier, B.: Applied Cryptography: Protocols, Algorithms, and Source Code in C, Wiley, 1994.

  46. Selman, B. and Kautz, H.: Knowledge compilation and theory approximation, J. ACM 43(2) (1996), 193–224.

    Google Scholar 

  47. Selman, B., Kautz, H. and McAllester, D.: Ten challenges in propositional resoning and search, in Proc. of the 15th Internat. Joint Conf. on Artificial Intelligence (IJCAI-97), Morgan Kaufmann, Los Altos, 1997.

  48. Selman, B., Mitchell, D. and Levesque, H.: Generating hard satisfiability problems, Artif. Intell. 81(1–2) (1996), 17–29.

    Google Scholar 

  49. Shannon, C.: Communication theory of secrecy systems, Bell System Technical J. 28 (1949), 656–715.

    Google Scholar 

  50. Suttner, C. and Sutcliffe, G.: The CADE-14 ATP system competition, J. Automated Reasoning 21(1) (1998), 99–134.

    Google Scholar 

  51. Zhang, H.: SATO: An efficient propositional prover, in Proc. of the 14th Internat. Conf. on Automated Deduction (CADE-97), Lecture Notes in Comput. Sci., 1997.

  52. Zhang, H.: Personal communication, Nov. 1998.

  53. Zhang, H. and Stickel, M.: An efficient algorithm for unit-propagation, in Proc. of the 4th Internat. Symposium on AI and Mathematics, 1996.

Download references

Authors
  1. Fabio Massacci
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Laura Marraro
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Massacci, F., Marraro, L. Logical Cryptanalysis as a SAT Problem. Journal of Automated Reasoning 24, 165–203 (2000). https://doi.org/10.1023/A:1006326723002

Download citation

  • Issue Date:

  • DOI: https://doi.org/10.1023/A:1006326723002

  • cipher verification
  • Data Encryption Standard
  • logical cryptanalysis
  • propositional satisfiability
  • quantified boolean formulae
  • SAT benchmarks