Algebraic attack

Algebraic attacks can be used for a variety of cryptosystems which is the encryption scheme consisting of five tuples which are^[1]

• Set of plaintext units denoted as ${\displaystyle {\mathcal {P}}}$
• Set of ciphertext units denoted as ${\displaystyle {\mathcal {C}}}$
• Set called key space denoted as ${\displaystyle {\mathcal {K}}}$
• Encryption function for every ${\displaystyle k\in K}$ where ${\displaystyle E_{k}:{\mathcal {P}}\rightarrow {\mathcal {C}}}$
• Decryption function for every ${\displaystyle k\in K}$ where ${\displaystyle D_{k}:{\mathcal {C}}\rightarrow {\mathcal {P}}}$

A map between ${\displaystyle E_{k(1)}}$ and ${\displaystyle D_{k(2)}}$ exists such that ${\displaystyle E_{k(1)}\circ D_{k(2)}=id_{k}}$ for every ${\displaystyle k\in K}$. Thus the pair ${\displaystyle (k(1),k(2))}$ becomes key pair.

The most basic process of describing encryption and decryption in cryptography using XOR cipher is as follows with an example :

• ${\displaystyle {\mathcal {P}}}$ (10011) XOR ${\displaystyle {\mathcal {K}}}$ (10110) = ${\displaystyle {\mathcal {C}}}$ (00101)
• ${\displaystyle {\mathcal {C}}}$ (00101) XOR ${\displaystyle {\mathcal {K}}}$ (10110) = ${\displaystyle {\mathcal {P}}}$ (10011)

The cryptosystem becomes symmetric when ${\displaystyle k(2)}$ can be computed efficiently from ${\displaystyle E_{k(1)}}$ and ${\displaystyle k}$ else if not then it is a public key cryptosystem. In block cipher, the plaintext is broken into plaintext units and encrypted by fixed key ${\displaystyle k}$ meanwhile in stream cipher, a Boolean function is used to generate a set of keys or keystream ${\displaystyle k_{1},k_{2},\ldots }$ from an initial key ${\displaystyle k}$ and then this keystream is used to encrypt the plaintext units individually.^[1]

Assuming ${\displaystyle {\mathcal {P}}}$ and ${\displaystyle {\mathcal {C}}}$ as subsets of finite vector spaces of characteristic 2 where the field is ${\displaystyle K=F_{q}}$ and ${\displaystyle q=2^{e}}$ or ${\displaystyle p^{e}}$ where ${\displaystyle p}$ is the characteristic and

every map ${\displaystyle \phi :K^{n}\rightarrow K^{m}}$ is a polynomial such that

${\displaystyle \phi (a_{1},\ldots ,a_{n})=(f_{1}(a_{1},\ldots ,a_{n}),\ldots ,f_{m}(a_{1},\ldots ,a_{n}))}$

The main criteria for deciding to algebraic attack a stream or a block cipher is algebraic immunity ${\displaystyle AI}$.

For a set of all Boolean functions ${\displaystyle B_{n}}$ of n input variables with mapping of strings to values as ${\displaystyle \{0,1\}^{n}\rightarrow {0,1}}$ then each Boolean function ${\displaystyle f}$ can be represented as a multivariate polynomial over GF(2) which is called the algebraic normal form (ANF).^[2]

${\displaystyle f(x_{1},\ldots ,x_{n})=a_{0}+\sum _{1\leqslant i\leqslant n}a_{i}x_{i}+\sum _{1\leqslant i\leqslant j\leqslant n}a_{i,j}x_{i}x_{j}+\ldots +a_{1,2,\ldots ,n}x_{1}x_{2}\ldots x_{n},}$

where the coefficients ${\displaystyle a_{0},a_{i},a_{i,j},\ldots ,a_{1,2,\ldots ,n}\in \{0,1\}}$ and ${\displaystyle deg(f)}$ is the algebraic degree or number of variables in highest order term with non zero coefficient.

Also ${\displaystyle g\in B_{n}}$ is annihilator of ${\displaystyle f\in B_{n}}$ if ${\displaystyle f\cdot g=0}$

Given ${\displaystyle f\in B_{n}}$, algebraic immunity ${\displaystyle AI(f)}$ is defined as minimum degree of all annihilators of ${\displaystyle f}$ or ${\displaystyle 1+f}$.^[2]

${\displaystyle AI(f)=(f\oplus 1)\cdot g=0}$

This annihilator is exactly located at ${\displaystyle \left\lceil {\frac {N}{2}}\right\rceil }$ therefore,^[2]

${\displaystyle AI(f)\leqslant \left\lceil {\frac {N}{2}}\right\rceil }$

Early algorithms

edit

Algebraic attack has many ways of decrypting an encrypted message using well developed cryptanalysis algorithms. The overall one-size-fits-all approach is breaking the stream or block cipher as a system of multivariate polynomial equations using a GF(2) binary field. The unknowns in the equations are what we need to solve for as they are the keys. If it is solved the key is recovered.^[3]

One of the approaches to achieve this is the attack on stream cipher done with the help of an over defined system of algebraic equations. Thus the ${\displaystyle 2^{92}}$ toyocrypt (TOYOCRYPT-HRI) stream cipher^[4] can be attacked in ${\displaystyle 2^{49}}$ CPU clocks with only 20 KB of keystream which is the fastest attack to break this encryption. LILI-128 can be broken with an algebraic attack in ${\displaystyle 2^{57}}$ CPU clocks. If the stream cipher will at most use 10 Linear Feedback Shift Registers (LFSR) and a Boolean function ${\displaystyle f}$, the cipher can be broken with a general algebraic attack.^[5]

If the cipher is having non linear equation system the attacker can try to replace the non linear terms with variables thus exceeding the variable count than in the original non linear equation. If the new equation system is solvable, they put the variable solution thus making the original equation linear. Common algebraic equation can be used then to solve the system.

To make good approximation for the key value pairs in the cipher sent using linear cryptanalysis is another method of solving the cipher. One can use ${\displaystyle 2^{21}}$ known plaintexts to break the 8 round Data Encryption Standard (DES) and ${\displaystyle 2^{47}}$ plaintexts to break the 16 round DES in this method which is also one of the first practically described use case of algebraic attack using linear cryptanalysis.^[6]

Cube attacks later developed are one of the algebraic attack sub method by which the Bluetooth E0 encryption can be converted into the plaintext in fraction of a second. This was further improvement from the precomputation algorithms that were the fastest known to break the Bluetooth cipher.^[7]

Modern algorithms

edit

SAT solvers are widely used standard of doing algebraic attacks.^[3][8] It is similar to how we solve NP-complete problems which are the hardest problems to solve in the NP class and easy to verify in polynomial time. SAT solvers take up the logical formula and return the Boolean true or false value depending on whether the solution exists for the problem or not.

Gröbner basis attack uses Gröbner basis of an ideal which is a polynomial equation system with same variety (or solutions) and is easier to solve but computationally expensive. The reduced Gröbner basis generating the zero dimensional ideal has a univariate form and can be solved with factorization. On a 3 round pure cipher, a 96 bit key is found under a second and uses very less (plaintext, ciphertext) pairs. Thus this is a lot faster than using exhaustive search of key space using Gröbner basis.^[9] This algorithm is directly based from Bruno Buchberger as he had computed the Gröbner basis of an ideal.^[10]

Preventive techniques

edit

There has been research work for strengthening the Crypto-1 stream cipher by causing the attackers to use too high CPU time and too high memory in the modified version of Crypto-1. This is one of the demonstrated ways to protect encryption from algebraic attack in RFID systems.^[11]

S-box technique^[12] is used for securing image transfer so that the information enclosed within the image cannot be decrypted.^[8] It has thus been used in satellite image encryption using Fredkin logic.^[13]

Keeloq remote access to car and door alarms with an experimental attack was successfully broken in 2007. Given ${\displaystyle 2^{16}}$ known plaintexts, a slide-algebraic attack that uses a SAT solver can break ${\displaystyle 2^{53}}$ Keeloq encryptions in ${\displaystyle 2^{64}}$ CPU clocks. It is also the first time that a real life full round cipher has been broken using an algebraic attack.^[14]

Bluetooth stream cipher E0 is decoded easily by many attacks including algebraic and hence are removed from 4.0 versions which used the AES-CCM encryption standard. For E0's four LFSR system its initial value can be found using an algebraic attack that has a realistic space complexity of ${\displaystyle 2^{83}}$ (84MB RAM) and time complexity of ${\displaystyle 2^{87}}$ CPU clocks.^[15]

Data Encryption Standard (DES) although robust from complete break was last widely used in 2001 for banking services and government websites as a result of vulnerability to algebraic attacks. One of the algebraic attacks on 6 round DES can be done with just a single plaintext.^[16]

Reduced round version of Data Encryption Standard (DES) and KeeLoq remote car locking ciphers were broken by SAT solvers which outperformed the Gröbner basis technique which is used when the keystream is extremely small. It was shown that the Hitag2 ciphers commonly used in automobiles can be broken in few hours using the same SAT solvers and algebraic attack with conversion.^[17]

Modern cryptography algorithms such as Post Quantum Cryptography are trying to prevent algebraic attacks made by hackers using quantum computer in future. One such algorithm is Cryptographic Suite for Crystal Lattices (CRYSTALS). ^[18][19]

• Benny Applebaum and Shachar Lovett. 2016. Algebraic attacks against random local functions and their countermeasures. In Proceedings of the forty-eighth annual ACM symposium on Theory of Computing (STOC '16). Association for Computing Machinery, New York, NY, USA, 1087–1100. https://doi.org/10.1145/2897518.2897554
• Méaux, P., & Wang, Q. (2024). Extreme Algebraic Attacks. https://eprint.iacr.org/2024/064
• Liu, F., Mahzoun, M., Øygarden, M., & Meier, W. (2023). Algebraic Attacks on RAIN and AIM Using Equivalent Representations. IACR Transactions on Symmetric Cryptology, 2023(4), 166-186. https://doi.org/10.46586/tosc.v2023.i4.166-186