DISSERTATION Algebraic and Logic Solving Methods for Cryptanalysis Submitted to the Faculty of Computer Science and Mathematics of the University of Passau in Partial Fulfillment of the Requirements for the Degree of Doctor of Natural Sciences Jan Hor´aˇcek Advisor: Prof. Dr. Martin Kreuzer Chair of Symbolic Computation, University of Passau External Referee: Prof. Dr. Armin Biere Institute for Formal Models and Verification, Johannes Kepler University Linz Passau, June 2019 Abstract Algebraic solving of polynomial systems and satisfiability of propositional logic for- mulas are not two completely separate research areas, as it may appear at first sight. In fact, many problems coming from cryptanalysis, such as algebraic fault attacks, can be rephrased as solving a set of Boolean polynomials or as deciding the satisfiability of a propositional logic formula. Thus one can analyze the security of cryptosystems by ap- plying standard solving methods from computer algebra and SAT solving. This doctoral thesis is dedicated to studying solvers that are based on logic and algebra separately as well as integrating them into one such that the combined solvers become more powerful tools for cryptanalysis. This disseration is divided into three parts. In this first part, we recall some theory and basic techniques for algebraic and logic solving. We focus mainly on DPLL-based SAT solving and techniques that are related to border bases and Gr¨obnerbases. In particular, we describe in detail the Border Basis Algorithm and discuss its specialized version for Boolean polynomials called the Boolean Border Basis Algorithm. In the second part of the thesis, we deal with connecting solvers based on algebra and logic. The ultimate goal is to combine the strength of different solvers into one. Namely, we fuse the XOR reasoning from algebraic solvers with the light, efficient design of SAT solvers. As a first step in this direction, we design various conversions from sets of clauses to sets of Boolean polynomials, and vice versa, such that solutions and models are preserved via the conversions. In particular, based on a block-building mechanism, we design a new blockwise algorithm for the CNF to ANF conversion which is geared towards producing fewer and lower degree polynomials. The above conversions allow us to integrate both solvers via a communication interface. To reach an even tighter integration, we consider proof systems that combine resolu- tion and polynomial calculus, i.e. the two most used proof systems in logic and algebraic solving. Based on such a proof system, which we call SRES, we introduce new types of solving algorithms that demostrate the synergy between Gr¨obner-like and DPLL-like solving. At the end of the second part of the dissertation, we provide some experiments based on a new benchmark which illustrate that the our new method based on DPLL has the potential to outperform CDCL SAT solvers. In the third part of the thesis, we focus on practical attacks on various cryptograhic primitives. For instance, we apply SAT solvers in the case of algebraic fault attacks on the symmetric ciphers LED and derivatives of the block cipher AES. The main goal there is to derive so-called fault equations automatically from the hardware description of the cryptosystem and thus automatizate the attack. To give some extra power to a SAT solver that inverts the hash functions SHA-1 and SHA-2, we describe how to tweak the SAT solver using a programmatic interface such that the propagation of the solver and thus the attack itself is improved. Keywords: Boolean polynomial, border basis, SAT solving, combined proof system, algebraic normal form, conjunctive normal form, algebraic fault attack Acknowledgements First of all, I would like to thank my advisor Martin Kreuzer for supporting me on the path of academic research, for proofreading this text, and for continuously inspiring me to learn new things. He also accepted me to the DFG project \Algebraic Fault Attacks" [KR 1907/6-1(2)] where I was able to work with Jan Burchard, Ma¨elGay, Tobias Paxian, Ange-Salom´eMesseng Ekossono, Bernd Becker, Tobias Schubert, Martin Kreuzer and Ilia Polian in a very productive atmosphere. My special thanks go to Matthew England for introducing me to the EU project \SC-square" [H2020-FETOPEN-2015-CSA] such that I was able to meet many top re- searchers interested in combining computer algebra systems and SAT solving. I want to express my deep appreciation to Vijay Ganesh and his team who invited me twice to col- laborate with University of Waterloo. Besides the names mentioned above, I would like to thank the following persons for many fruitful discussions over the years: Ilias Kot- sireas, Saeed Nejati, Michael Brickenstein, Alexander Dreyer, Anna M. Bigatti, John Abbott, Lorenzo Robbiano, Mate Soos, Manuel Kauers, Martin Albrecht, Armin Biere, Bruno Buchberger, Christopher W. Brown, Daniel Lichtblau, Thomas Sturm, Stephen Forrest, Philipp Jovanovic, Jan Kraj´ıˇcek,Mikol´aˇsJanota and many others. I would also like to thank Armin Biere for accepting to be the external referee for this thesis. Moreover, I would like thank my colleagues and the staff at the University of Passau, in particular, our secretary, Nathalie Vollst¨adt,for advising me in organizational matters and our assistant at the chair, Florian Walsh, for helping me to implement some test scripts. Finally, I deeply appreciate the care and the support from my mom, my dad, and my brother Jaroslav, who always motivate me to go on. I wish I could adequately express how much love and positive energy I have got from my girlfriend Marie. Unfortunately, there would be no space left for the thesis itself. Contents List of Symbols ..................................... v 1 Introduction ..................................... 1 1.1 Motivation . 1 1.2 The State-of-the-Art and the Contributions of This Dissertation . 3 1.3 Structure and Content . 6 2 Background ...................................... 9 2.1 Some Algebra Fundamentals . 9 2.2 Some Logic Fundamentals . 16 2.3 Algebraic Solvers . 19 2.4 SAT Solvers . 23 2.5 SMT and Programmatic SAT . 31 2.6 An Overview of Other Solving Techniques . 34 2.7 Block Ciphers and Hash Functions . 35 2.8 Cryptanalysis and Fault Attacks . 38 3 The Boolean Border Basis Algorithm ....................... 41 3.1 Border Bases . 42 3.2 The Border Basis Algorithms . 44 3.3 Squarefree Terms and Their Order Ideals . 46 3.4 Linear Interreduction for Boolean Polynomials . 49 3.5 Implementation of Boolean Polynomials and Linear Interreduction . 52 3.6 The BBBA Refined . 55 3.7 Improvements of the BBBA . 59 3.8 Experiments . 60 4 Integrating Algebraic and SAT Solving ...................... 65 4.1 Preliminaries . 66 4.2 Conversions from ANF to CNF . 67 4.3 The Standard Conversion from CNF to ANF . 68 4.4 A Blockwise Conversion from CNF to ANF . 69 4.5 Conversion to Linear Polynomials . 74 4.6 Some Applications of the Conversion Algorithms . 77 4.7 The Integration of the BBBA with a SAT Solver . 78 iii Contents 4.8 Design of the Communication . 81 4.9 Modifications of the SAT Solver . 82 4.10 Experiments . 83 5 Proof Systems and SRES .............................. 89 5.1 Preliminaries . 90 5.2 An Algebraic Extension of Resolution . 96 5.3 Completeness of SRES .............................101 5.4 Some Example Proofs Using SRES . 103 5.5 SRES Closure Algorithms . 108 5.6 SRES Refutation Using DPLL Techniques . 115 5.7 Experiments . 118 6 Attacking AES and LED ..............................123 6.1 Description of AES ...............................124 6.2 Description of LED ...............................125 6.3 An Automatic Construction of AFA . 126 6.4 Experiments . 127 7 Attacking SHA using Programmatic SAT Solvers ................133 7.1 Preliminaries . 134 7.2 Description of SHA-1 . 134 7.3 Description of SHA-256 . 135 7.4 Algebraic Fault Attacks on SHA . 136 7.5 Experiments . 137 Bibliography .......................................143 Publications .......................................153 iv List of Symbols # the cardinality of a finite set N the natural numbers including 0 N+ the natural numbers excluding 0 Z the ring of integers F2 the field of two elements K a field σ a term ordering n T the set of terms in the indeterminates x1; : : : ; xn n S the set of squarefree terms in the indeterminates x1; : : : ; xn n O an order ideal in T hT iOI the order ideal cogenerated by T @O the border of O P a polynomial ring K[x1; : : : ; xn] I an ideal in P LTσ(f) the leading term of f w.r.t. σ deg(f) the degree of f Supp(f) the support of f Var(f) the set of all indeterminates (variables) appearing in f hSi the ideal generated by S hSiK the K-linear subspace generated by S CMσ(S) the coefficient matrix of S w.r.t. σ S sf the squarefree subset of S Bn the ring of Boolean polynomials Z(S) the set of F2-rational zeros of S S(C) the set of models of C ¯, ^, _, ⊕ logical NOT, AND, OR, and XOR v Chapter 1 Introduction 1.1 Motivation The theory and techniques described in this doctoral thesis are motivated by solving hard problems coming from cryptology. Cryptography is a research field whose main goals are to study and design cryptographic primitives (i.e. low-level, basic cryptographic algorithms) such as block ciphers, stream ciphers, one-way functions, hash functions, etc., as well as to integrate several cryptographic primitives into cryptographic protocols such as key agreement methods, digital cash, secure multiparty computation, e-voting, etc. Cryptanalysis is a research area whose main objectives are to analyze and conduct attacks on cryptographic algorithms. Typically, an attacker wants to recover the secret key or an inner state of the cryptosystem. Both fields can be seen as one discipline, cryptology, because cryptographers must have a good overview of attacks when designing new protocols, and cryptanalysts set new standards for cryptography by new attack techniques.