Mixed Integer Programming: Algorithms and Applications
advertisement
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Mixed Integer Programming: Algorithms and
Applications
Julia Borghoff
Mykonos May 2012
1 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Outline
1
Motivation
2
Mixed Integer Programming
Definition
Basic algorithms for integer optimization
3
Application in Cryptanalysis
Conversion Methods
Other MIP parameters
Features
4
Example A2U2
The Cipher
Attack
5
Conclusion
References
2 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Motivation for using optimization in cryptography
Cryptographic site
cryptographic problems can often be described as a set of
non-linear Boolean equations
⇒ algebraic attacks
solver for non-linear Boolean equations (algebraic attacks)
often not successful
⇒ need for new solvers
Optimization
of great industrial interest ⇒ many well-develop
algorithms/solver available
additional feature such as
use of probabilistic equations
use of inequalities
possibility of minimizing distances
etc.
3 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Which approach to use?
Optimization is a big field
meta-heuristics
simulated annealing
tabu search
etc.
evolutionary/genetic algorithms
constrained programming
linear programming
mixed-integer linear programming
non-linear optimization
non-smooth optimization
4 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Which approach to use?
Optimization is a big field
meta-heuristics
simulated annealing
tabu search
etc.
evolutionary/genetic algorithms
constrained programming
linear programming
mixed-integer linear programming
non-linear optimization
non-smooth optimization
4 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Outline
1
Motivation
2
Mixed Integer Programming
Definition
Basic algorithms for integer optimization
3
Application in Cryptanalysis
Conversion Methods
Other MIP parameters
Features
4
Example A2U2
The Cipher
Attack
5
Conclusion
References
5 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Definition
What is a constrained optimization problem?
Given:
a set of variables
an objective function
a set of constraints
Find the best solution for the objective function in the set of
solution that satisfy the constraints.
Constraints can be e.g.:
equations
inequalities
linear or non-linear
restrictions on the type of a variable
6 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Definition
Mixed Integer Linear Programming Problem (MILP/MIP)
A linear mixed-integer linear programming problem
(MILP/MIP) is a problem of the form
min cx
x
subject to
Ax ≤ b
where x ∈ Zn × Rp
Important:
objective function and all constraints are linear
some variables are integers, some variables are continuous
7 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Definition
Special cases
Linear programming problem (LP): all variables are
continuous
=⇒ efficiently solvable
Integer programming problem (IP): all variables are
restricted to be integer.
0-1 Integer programming problem (BIP): all variables are
restricted to be binary.
8 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Definition
Feasible Solution
The set S of all x ∈ Zn × Rp which satisfy the linear constraints
Ax ≤ b
S = {x ∈ Zn × Rp , Ax ≤ b}
is called feasible set.
An element x ∈ S is called feasible solution.
9 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Definition
Problem types
Optimization Problem
Find a solution in the feasible set that yields the best objective
value.
Feasibility Problem
Find an element that satisfies all constraints and restrictions,i.e.,
find an element in the feasible set.
10 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Three different approaches
Branch and Bound
Cutting Plane
=⇒ optimal solution
Feasibility Pump
=⇒ feasible solution
11 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
LP-relaxation
LP constraints form a polytope
IP feasible set is given by set of all
integer-valued points within the
polytope
=⇒ feasible set of IP⊂ feasible set of LP
12 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
LP-relaxation
LP constraints form a polytope
IP feasible set is given by set of all
integer-valued points within the
polytope
=⇒ feasible set of IP⊂ feasible set of LP
Definition (LP-relaxation)
The LP-relaxation of a MIP or IP is obtain by removing the integer
constraints on all variables.
e.g. in the binary case
replace x ∈ {0, 1}
by 0 ≤ x ≤ 1
12 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
The branch-and-bound algorithm
Tree search where the tree is built using three main steps
Branch Pick a variable and divide the problem in two
subproblems at this variable. (e.g. if x ∈ {0, 1} solve
the problem with x = 0 and the problem x = 1)
Bound Solve the LP-relaxation to determine the best
possible objective value for the node
Prune Prune the branch of the tree (i.e. the tree will not be
develop any further in this node) if
the subproblem is infeasible
the best achievable objective value is worse than
a known optimum
13 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Branch-and-bound - a binary example
min −x1 + x2 − 2x3 + x4 − x5
-3.1
subject to
x1 + x2
≤
1
x1 − 5x2 + x3
≤
2
2x3 + 2x4 − 4x5
≤
1
x2 − 2x4 + x5
≤
0
x
∈
{0, 1}5
solve the linear problem
14 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Branch-and-bound - a binary example
min −x1 + x2 − 2x3 + x4 − x5
-3.1
0
x2
-1
subject to
1
-2.5
x1 + x2
≤
1
x1 − 5x2 + x3
≤
2
2x3 + 2x4 − 4x5
≤
1
x2 − 2x4 + x5
≤
0
x
∈
{0, 1}5
solve the linear problem
pick a variable for which
the solution violates the
binary constraint. Branch
14 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Branch-and-bound - a binary example
min −x1 + x2 − 2x3 + x4 − x5
-3.1
0
x2
-1
subject to
1
-2.5
x1 + x2
≤
1
x1 − 5x2 + x3
≤
2
2x3 + 2x4 − 4x5
≤
1
x2 − 2x4 + x5
≤
0
x
∈
{0, 1}5
Fathoming: the best
solution is already a
feasible solution in an early
state of the tree
Incumbent:best feasible
solution found so far
14 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Branch-and-bound - a binary example
min −x1 + x2 − 2x3 + x4 − x5
-3.1
subject to
0
x2
1
-1
-2.5
0
x3
-1.5
1
-2.5
x1 + x2
≤
1
x1 − 5x2 + x3
≤
2
2x3 + 2x4 − 4x5
≤
1
x2 − 2x4 + x5
≤
0
x
∈
{0, 1}5
choose the most promising
node
14 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Branch-and-bound - a binary example
min −x1 + x2 − 2x3 + x4 − x5
-3.1
subject to
0
x2
1
-1
-2.5
0
x3
1
-1.5
-2.5
0
x4
1
-2
x1 + x2
≤
1
x1 − 5x2 + x3
≤
2
2x3 + 2x4 − 4x5
≤
1
x2 − 2x4 + x5
≤
0
x
∈
{0, 1}5
node can be pruned if it
won’t yield a better
solution than the
incumbent or if it violates
a constraint
14 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Branch-and-bound - a binary example
min −x1 + x2 − 2x3 + x4 − x5
-3.1
subject to
0
x2
1
-1
-2.5
0
x3
1
-1.5
x4
≤
1
≤
2
2x3 + 2x4 − 4x5
≤
1
x2 − 2x4 + x5
≤
0
x
∈
{0, 1}5
the optimal solution is
found when tree cannot
grow further
-2.5
0
x1 + x2
x1 − 5x2 + x3
1
-2
14 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Cutting plane algorithm
Idea: iterative reduction of the feasible region
solve LP-relaxation and obtain fractional solution
add a new constraint (cut) that removes the fractional
solution from the feasible set of the LP-relaxation
15 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Cutting plane - an example
Two dimensional example
linear constraints
both variables are
integers
16 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Cutting plane - an example
The green area is the
feasible set of the LPrelaxation
16 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Cutting plane - an example
The green dots are the
feasible set of the IP
16 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Cutting plane - an example
Solving the LP yields a
fractional solution
16 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Cutting plane - an example
Add a constraint (cut)
such that
every feasible
integer solution is
feasible for the cut
the current
fractional solution is
not feasible for the
cut
16 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Feasibility pump (1/2)
algorithm for finding feasible solution
maintains to solution
x ∗ satisfies linear constraints
x̃ satisfies integer requirements
idea: ”pump” integrality of x̃ into x ∗
both solution are iteratively updated until they are the same
17 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Feasibility pump (2/2)
Problem: Find feasible solution of {Ax ≤ b, x ∈ Z}
1:
2:
3:
4:
5:
6:
7:
initialize x ∗ as solution of {x : Ax ≤ b}
repeatPumping cycle
Round continuous solution x̃ = [x ∗ ] P
Update objective function ∆(x, x̃) = |xi − x̃i |
Solve LP x ∗ = min{∆(x, x̃) : Ax ≤ b}
until ∆(x ∗ , x̃) = 0
return x ∗
18 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Basic algorithms for integer optimization
Feasibility pump (2/2)
Problem: Find feasible solution of {Ax ≤ b, x ∈ Z}
1:
2:
3:
4:
5:
6:
7:
initialize x ∗ as solution of {x : Ax ≤ b}
repeatPumping cycle
Round continuous solution x̃ = [x ∗ ] P
Update objective function ∆(x, x̃) = |xi − x̃i |
Solve LP x ∗ = min{∆(x, x̃) : Ax ≤ b}
until ∆(x ∗ , x̃) = 0
return x ∗
limit on running time
random flips to avoid stalling if x ∗ = x̃
perturbation to avoid cycling
18 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Outline
1
Motivation
2
Mixed Integer Programming
Definition
Basic algorithms for integer optimization
3
Application in Cryptanalysis
Conversion Methods
Other MIP parameters
Features
4
Example A2U2
The Cipher
Attack
5
Conclusion
References
19 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Possible application of MIPs in cryptanalysis
solving Boolean equation systems e.g. key recovery attack
finding preimages/second preimages/collisions/nearcollisions
search for differentials etc
every situation in cryptanalysis where one considers a system
of (in)equalities and preferable can optimize something.
20 / 46
Motivation
Mixed Integer Programming
Cryptographic problem
Application in Cryptanalysis
Example A2U2
Conclusion
MIP
Boolean space
(modular arithmetic)
reals with integer/binary
restrictions
non-linear equations
linear constraints/linear
objective function
not necessarily
objective function
objective function (usually)
needed
I Boolean equation system → set of constraints
I conversion of Boolean equations to equations over the reals
I linearization of higher order terms
I integer restrictions
I objective function
21 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Conversion methods
every solution for Boolean equation must be solution for real
equation
additional fractional solutions do not matter
convert either
each operator
or
the entire equation at once
I Standard Conversion Method
I Integer Adapted Standard Conversion Method
22 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Standard Conversion Method (SCM)
s1 , s2 ∈ {false, true}
false → 0
true → 1
¬s1 → −x1
s1 ∧ s2 → x1 x2
s1 ∨ s2 → x1 + x2 − x1 x2
s1 ⊕ s2 → x1 + x2 − 2x1 x2
where xi = 0 if si = false and xi = 1 if si = true.
23 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Observations (SCM)
For converting a Boolean polynomial in ANF using the Standard
Conversion methods holds:
degree of polynomial equals number of variables in Boolean
polynomial (assuming: xi2 = xi )
monomial degree of polynomial is 2m − 1 where m is
monomial degree of Boolean polynomial.
24 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Conversion trick (SCM)
These two equations have the same set of solutions.
x ⊕y ⊕z ⊕v =0
x ⊕y =z ⊕v
25 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Conversion trick (SCM)
These two equations have the same set of solutions.
x ⊕y ⊕z ⊕v =0
After Conversion:
Degree: 4
# monomials: 24 − 1 = 15
x ⊕y =z ⊕v
After Conversion:
Degree: 2
# monomials: 2 · (22 − 1) = 6
25 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Conversion trick (SCM)
These two equations have the same set of solutions.
x ⊕y ⊕z ⊕v =0
After Conversion:
Degree: 4
# monomials: 24 − 1 = 15
x ⊕y =z ⊕v
After Conversion:
Degree: 2
# monomials: 2 · (22 − 1) = 6
To keep real-valued equation sparse and of low degree
1
rewrite the equations s.t each side contains the same number
of variables
2
convert each side
3
subtract the results
25 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Integer adapted standard conversion
Boolean equations in ANF
converts the entire equation at once
uses integer restriction
consider as a polynomial over the reals
replace
AND by multiplication
XOR by addition
subtract a factor of 2
26 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conversion Methods
Integer adapted standard conversion - an example
maps {false, true} → {0, 1} (as standard conversion)
Let e.g.
s1 ∧ s2 ⊕ s3 ⊕ s4 ⊕ s5 ∧ s6 = 0
evaluate the real polynomial for solution of Boolean equation
let u be minimum and l be maximum value
Corresponding equations over reals
x1 x2 + x3 + x4 + x5 x6 − 2y = 0
with u/2 ≤ y ≤ l/2, y integer
27 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Other MIP parameters
Linearization
Recall:
linear constraints
not necessarily only equalities
replace quadratic term xi xj by new variable y
add constraints :
y ≤ xi
(1)
y ≤ xj
(2)
xi + xj − 1 ≤ y
(3)
28 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Other MIP parameters
Linearization
Recall:
linear constraints
not necessarily only equalities
replace cubic term xi xj xk by new variable y
add constraints :
y ≤ xi
(1)
y ≤ xj
(2)
y ≤ xk
(3)
xi + xj + xk − 2 ≤ y
(4)
28 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Other MIP parameters
Integer/Binary vs Continuous
# binary/integer variables influences complexity significantly
(WC: enumeration of all possible configurations)
all variables continuous ⇒ fractional solution
IASC requires integer restrictions
dependencies between variables ⇒ not all variables∈ Z
e.g. y = x1 x2 : if x1 , x2 ∈ {0, 1} then y will be binary.
Conclusion Find minimal number of binary/integer variables
Disclaimer
number of binary/integer variables not solely determines
complexity
all variables binary/integer might be beneficial in some cases
29 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Other MIP parameters
Objective function
MIPs work best if
optimization rather than feasibility problem
several feasible solution
if a good but not optimal solution is already useful
Finding objective function
deductible from the problem
e.g. near-collision: objective function is distance between two
hash values
arbitrary choice
e.g. key recovery attack
important for performance: choose objective function that
leads to solution
e.g. sum of all variables, if know that HW of solution is
different from HW of a random point
30 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Other MIP parameters
Objective function
If you find an objective function that works well, don’t ask
questions, just keep it!
30 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Features
Probabilistic Equations
Sometimes additional probabilistic equations are available e.g.
side channel attacks
S-box equations that do not hold for all inputs
noisy keystream
How to handle those?
1
add probabilistic equations to equation system
if probabilistic equations hold, solution will be found
if probabilistic equations do not hold, problem not solvable
2
partial Max-PoSSo: split equation into two sets
hard set H: all equation have to be satisfied
soft set S: maximize number of equation that are satisfied
31 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Features
Max-PoSSo as MIP
Hard set H: transform as usual
Soft set S
1
2
3
transform into constraints
add slack variables to constraint
minimize over slack variables
Example
Constraint: x1 + x2 + 2x3 − x4 = 2
Introduce to slack variable
sp ≥ 0 for a positive deviation
sn ≥ 0 for a negative deviation
Constraints with slack variables: x1 + x2 + 2x3 − x4 +sp − sn = 2
Minimize sp + sn
32 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Outline
1
Motivation
2
Mixed Integer Programming
Definition
Basic algorithms for integer optimization
3
Application in Cryptanalysis
Conversion Methods
Other MIP parameters
Features
4
Example A2U2
The Cipher
Attack
5
Conclusion
References
33 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
The Cipher
The Cipher A2U2
stream cipher presented at IEEE RFID
less than 300 GE (estimate)
key = 56 bit master key + 5 bit counter key
master key: state initialization and update
counter key: varying number of initialization rounds
plaintext
Counter LFSR C
NFSR A
Key bit
mechanism
output
generator
NFSR B
ciphertext
secret key
34 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
The Cipher
State update
C[6]
A
16 15 14 13 12 11 10
B
8
9 8 A
7
NFSR
6
5
4
3
2
1
0
ht
7
6
5NFSR
4 A
3
2
1
0
Key bit
mechanism
state: two interconnected NFSRs (17+9 bits)
state update: state, key and counter bits are used
guessing state no sufficient
35 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
The Cipher
Output generation
A[0]
C[0]
MUX2to1
B[0]
Y
P
output starts when counter is all-ones
Yt = MUXAt (Bt ⊕ Ct , Bt ⊕ Pσ(t) )
plaintext bits have to “wait” until At = 1 before being
encrypted.
ciphertext is about twice as long as plaintext
36 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
The Cipher
Output generation
At
Ct
MUX2to1
Bt
Yt
Pσ(t)
output starts when counter is all-ones
Yt = MUXAt (Bt ⊕ Ct , Bt ⊕ Pσ(t) )
plaintext bits have to “wait” until At = 1 before being
encrypted.
ciphertext is about twice as long as plaintext
36 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
The Cipher
Cipher Equations
Key register: rotation register K t = (k5t , k5t+1 , . . . , k5t+55 )
Buffer: S t = (S0t , . . . , S4t ) = (k5t , . . . , k5t+4 )
Subkey bit ht :
ht = MUXCt−5 (S0t , S1t )·MUXCt−1 (S4t , At−2 )⊕MUXCt−3 (S2t , S3t )+1
Updating NFSRs: At = (At , . . . , At−16 ) and B t = (Bt , . . . , Bt−8 )
Bt
= At−17 ⊕ At−15 At−14 ⊕ At−12 ⊕ At−10 Ct−7
⊕At−7 At−6 At−5 ⊕ At−4 At−2
At
= Bt−9 ⊕ Bt−8 Bt−7 ⊕ Bt−6 ⊕ Bt−3 ⊕ ht ⊕ 1
Ciphertext
Yt =
Bt ⊕ Ct
if
Bt ⊕ Pσ(t) if
At = 0
At = 1
37 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
Idea
Useful properties
known counter: outputs start when counter has all-one state
chosen plaintext/ciphertext attacks possible
Bt = Yt + Ct holds with probability
3
4
Attack idea:
1
noisy sequence Bt : calculate Et = Yt + Ct
2
set up an equation system
3
add probabilistic equation Bt = Et
38 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
Idea
Useful properties
known counter: outputs start when counter has all-one state
chosen plaintext/ciphertext attacks possible
Bt = Yt + Ct holds with probability
3
4
Attack idea:
1
noisy sequence Bt : calculate Et = Yt + Ct
2
set up an equation system
3
add probabilistic equation Bt = Et
Partial Max-PoSSo as MIP
38 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
Boolean Equation system
Variables
introduce variables for state bits At , Bt and key bits ki
counter bits Ct known
in each clocking introduce 3 new variables
one for updating register A
one for updating register B
one for the subkey bit ht
Equations
hard set H: 3 non-linear equations
updating B: cubic equation in bits of A
updating A: quadratic equation in bits of B and ht
ht : quadratic equation in key bits depending on counter
soft set S: 1 probablistic equation Et = Bt
39 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
MIP-Model
Hard Set H:
convert using IASC
linearize (replace non-linear terms and add
corresp. inequalities)
Example
At = Bt−9 ⊕ Bt−8 Bt−7 ⊕ Bt−6 ⊕ Bt−3 ⊕ ht ⊕ 1
Corresponding constraints:
At + Bt−9 + Q(t,1) + Bt−6 + Bt−3 + ht − 2I(t,1) = 1,
Q(t,1) − Bt−8 ≤ 0,
Q(t,1) − Bt−7 ≤ 0,
Bt−8 + Bt−7 − Q(t,1) ≤ 1,
I(t,1) ∈ {0, 1, 2, 3}
40 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
MIP-Model
Hard Set H:
convert using IASC
linearize (replace non-linear terms and add
corresp. inequalities)
Soft Set S:
add Bt + st = 1 if Et = 1
add Bt − st = 0 if Et = 0
where st ≥ 0 is the slack variable.
40 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
MIP-Model
Hard Set H:
convert using IASC
linearize (replace non-linear terms and add
corresp. inequalities)
Soft Set S:
add Bt + st = 1 if Et = 1
add Bt − st = 0 if Et = 0
where st ≥ 0 is the slack variable.
Objective function:
minimize
X
si
40 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Attack
Results
Simplify the problem:
chosen Plaintext attack with 1 chosen plaintext: all zeros
⇒ if Ct = 0: Bt ⊕ Et = 0 with prob 1
⇒ move to hard set
guess ht for the first 35 clockings
Results:
Cplex yields 1-3 solution
success probability 90%
average solution time 116 seconds
total complexity: 242 seconds
41 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Outline
1
Motivation
2
Mixed Integer Programming
Definition
Basic algorithms for integer optimization
3
Application in Cryptanalysis
Conversion Methods
Other MIP parameters
Features
4
Example A2U2
The Cipher
Attack
5
Conclusion
References
42 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conclusion
MIP is a promising technique in cryptanalysis for
attacking primitives
proving/arguing security bounds (see next talk)
it is NOT the ultimate solver
offers a lot of flexibility when modeling the problem
small attack success but no big kill yet
43 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
Conclusion
MIP is a promising technique in cryptanalysis for
attacking primitives
proving/arguing security bounds (see next talk)
it is NOT the ultimate solver
offers a lot of flexibility when modeling the problem
small attack success but no big kill yet
⇒ there is still lots of work to do
Thanks for your attention
43 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
References
Solvers
This list is far away from begin complete
IBM ILOG Cplex (available under academic license)
Gurobi (avaiable under academic license)
SCIP (open source)
···
44 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
References
References I
M. A. Abdelraheem, J. B., E. Zenner, and M. David.
Cryptanalysis of the light-weight cipher a2u2.
In IMA Cryptography and Coding, volume 7089 of LNCS,
pages 375–390. Springer, 2011.
M. Albrecht and C. Cid.
Cold boot key recovery by solving polynomial systems with
noise.
In ACNS 2011,, volume 6715 of LNCS, pages 57–72. Springer,
2011.
J. B., L. R. Knudsen, and M. Stolpe.
Bivium as a mixed-integer linear programming problem.
In IMA Cryptography and Coding,, volume 5921 of LNCS,
pages 133–152. Springer, 2009.
45 / 46
Motivation
Mixed Integer Programming
Application in Cryptanalysis
Example A2U2
Conclusion
References
References II
N. Mouha, Q. Wang, G. Gu, and B. Preneel.
Differential and linear cryptanalysis using mixed-integer linear
programming.
In Inscrypt 2011, LNCS. Springer, 2011.
C. H. Papadimitriou and K. Steiglitz.
Combinatorial Optimization.
Prentice-Hall, Inc., 1982.
L. A. Wolsey and G. L. Nemhauser.
Integer and Combinatorial Optimization.
Wiley-Interscience, November 1999.
46 / 46
