Journal of Automated Reasoning, Volume 24, Issue 1–2, pp 165–203

Logical Cryptanalysis as a SAT Problem

  • Fabio Massacci
  • Laura Marraro


Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength.

In this paper, we claim that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them. We call this approach logical cryptanalysis.

In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “real-world” problems and randomly generated problems.

Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties.

We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and rel-SAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance.

A discussion of open problems and future research concludes the paper.
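The abstract's central reduction (a model of the formula encoding the cipher is a key) can be seen on a constructed toy cipher rather than DES. This is an added example, not code from the paper: a 2-round Feistel network is encoded gate by gate into CNF, known plaintext/ciphertext pairs are fixed as unit clauses, and a minimal DPLL procedure returns a model whose key bits are consistent with every pair. The cipher and the names `feistel`, `encode`, `solve` and `recover_key` are illustrative assumptions.

```python
from itertools import count

def feistel(pt, key, xor, and_):  # constructed toy cipher: 2-round Feistel, 4-bit block and key
    l, r = list(pt[:2]), list(pt[2:])
    for rk in (key[:2], key[2:]):
        t = [xor(r[0], rk[0]), xor(r[1], rk[1])]
        f = [and_(t[0], t[1]), xor(t[0], t[1])]      # nonlinear round function
        l, r = r, [xor(l[0], f[0]), xor(l[1], f[1])]
    return l + r

def encrypt(pt, key):  # concrete evaluation on 0/1 bits
    return feistel(pt, key, lambda a, b: a ^ b, lambda a, b: a & b)

def encode(pairs):
    """CNF over key variables 1..4, satisfiable iff one key maps every pt to its ct."""
    fresh, cnf = count(5), []
    def xor(a, b):  # Tseitin clauses for z = a XOR b
        z = next(fresh)
        cnf.extend([[-a, -b, -z], [a, b, -z], [a, -b, z], [-a, b, z]])
        return z
    def and_(a, b):  # Tseitin clauses for z = a AND b
        z = next(fresh)
        cnf.extend([[-z, a], [-z, b], [z, -a, -b]])
        return z
    for pt, ct in pairs:
        pv = [next(fresh) for _ in pt]
        out = feistel(pv, [1, 2, 3, 4], xor, and_)   # same circuit on symbolic wires
        cnf.extend([v if bit else -v] for v, bit in zip(pv + out, pt + ct))
    return cnf

def solve(cnf, model=()):  # minimal DPLL: {var: bool} model, or None if unsatisfiable
    model = dict(model)
    cnf = [[x for x in c if abs(x) not in model] for c in cnf
           if not any(model.get(abs(x)) == (x > 0) for x in c)]
    if [] in cnf:
        return None                                  # empty clause: conflict
    if not cnf:
        return model
    lit = next((c[0] for c in cnf if len(c) == 1), cnf[0][0])  # unit literal first
    return solve(cnf, {**model, abs(lit): lit > 0}) or solve(cnf, {**model, abs(lit): lit < 0})

def recover_key(pairs):  # key bits read off a model; None if no key fits the pairs
    model = solve(encode(pairs))
    return None if model is None else [int(model.get(k, False)) for k in (1, 2, 3, 4)]

SECRET = [1, 0, 1, 1]  # constructed sample key, used only to generate the known pairs
PAIRS = [(pt, encrypt(pt, SECRET)) for pt in ([0, 0, 0, 1], [1, 0, 1, 0], [0, 1, 1, 1])]
```

The recovered key need not equal `SECRET`; any model yields a key that reproduces every known pair, and an unsatisfiable formula proves that no key does.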

Keywords: cipher verification, Data Encryption Standard, logical cryptanalysis, propositional satisfiability, quantified boolean formulae, SAT benchmarks





Copyright information

© Kluwer Academic Publishers 2000
