Estimations of cryptographic resistance of ciphers in the trivium family to sat-based cryptanalysis | Applied Discrete Mathematics. Supplement. 2016. № 9.

Estimations of cryptographic resistance of ciphers in the trivium family to sat-based cryptanalysis

Here we present the cryptanalysis results for three stream ciphers in the Trivium family: Bivium, Trivium toy, and Bivium toy. The crypt-analysis was performed via reducing the inversion problems for corresponding discrete functions to Boolean satisfiability problem (SAT). This approach made it possible to perform the cryptanalysis of Bivium toy cipher using common sequential SAT solvers. On average, to solve one cryptanalysis instance for Bivium toy on one core of AMD Opteron 6276 processor, it took about two minutes. For cryptanalysis of Bivium, we designed a variant of "guess-and-determine" attack, in which it is assumed that the values of the last 9 cells at the end of the second Bivium register are known. Thus, the problem is to find values of 168 remaining cells of Bivium registers (the total length of two registers used in Bivium is 177 bits). For this purpose, we analyze 200 bits of keystream. To solve one corresponding cryptanalysis instance, it took about two weeks of work of volunteer computing project SAT@home. The Trivium toy cipher, in its non-weakened form, turned out to be highly resistant to SAT-based cryptanalysis. It proves once more that the general design of the Trivium cipher is very good. We considered the recovery problem for values of registers in Trivium toy based on 100 bits of keystream. At the current stage, we only managed to perform in a reasonable time the variant of "guess-and-determine" attack, in which we know the initial values of the first 16 cells of the second register. Thus, in the corresponding cryptanalysis instances, we need to find values of remaining 80 out of 96 cells. Using the computing cluster of Irkutsk Supercomputer center SB RAS, we managed to solve several instances of Trivium toy cryptanalysis. For this purpose, we used the PD-SAT parallel solver developed in ISDCT SB RAS. On average, to solve one instance using 320 cores of AMD Opteron 6276, it took about one day.

Download file

Counter downloads: 249

Keywords

stream cipher, Trivium, Bivium, cryptanalysis, Boolean satisfiability problem, поточный шифр, шифр Trivium, шифр Bivium, криптоанализ, задача о булевой выполнимости

Authors

Name	Organization	E-mail
Zaikin O.S.	Institute for System Dynamics and Control Theory SB RAS	zaikin.icc@gmail.com
Otpuschennikov I. V.	Institute for System Dynamics and Control Theory SB RAS	otilya@yandex.ru
Semenov A. A.	Institute for System Dynamics and Control Theory SB RAS	biclop.rambler@yandex.ru

Всего: 3

References

Canniere C. D. Trivium: A stream cipher construction inspired by block cipher design principles // LNCS. 2006. V.4176. P. 171-186.

Maximov A. and Biryukov A. Two trivial attacks on Trivium // SAC'07. LNCS. 2007. V. 4876. P. 36-55.

Mcdonald C., Charnes C., and Pieprzyk J. Attacking Bivium with MiniSat. Technical Report 2007/040. ECRYPT Stream Cipher Project, 2007.

Eibach T., Pilz E., and Volkel G. Attacking Bivium using SAT solvers // LNCS. 2008. V. 4996. P. 63-76.

Soos M., NohlK., and Castelluccia C. Extending SAT solvers to cryptographic problems // LNCS. 2009. V. 5584. P. 244-257.

Заикин О. С., Семенов А. А. Применение метода Монте-Карло к прогнозированию времени параллельного решения проблемы булевой выполнимости // Вычислительные методы и программирование: новые вычислительные технологии. 2014. Т. 15. №1. С. 22-35.

Semenov A. A. and Zaikin O. S. Using Monte Carlo method for searching partitionings of hard variants of Boolean satisfiability problem // LNCS. 2015. V.9251. P. 222-230.

Lechtaler A. C., Cipriano M., Garcia E., et al. Model design for a reduced variant of a Trivium type stream cipher //J. Computer Science & Technology. 2014. V. 14. No. 1. P. 55-58.

Отпущенников И. В., Семeнов А. А. Технология трансляции комбинаторных проблем в булевы уравнения // Прикладная дискретная математика. 2011. №1. С. 96-115.

Otpuschennikov I. V., Semenov A. A., and Kochemazov S. E. Transalg: a tool for translating procedural descriptions of discrete functions to SAT // Proc. 5th Intern. Workshop on Computer Science and Engineering: Information Processing and Control Engineering (WCSE 2015-IPCE). 2015. P. 289-294.

Bard G. V. Algebraic Cryptanalysis. Springer, 2009.