2.3.1 Algebraic Attacks

Cryptography is the study of methods of sending messages in disguised form so that only the intended recipients can remove the disguise and read the message. The message we want to send is called the plaintext, and the disguised message is called the ciphertext.

The process of converting a plaintext to a ciphertext is called enciphering or encryption, and the reverse process is called deciphering or decryption. The plaintext and ciphertext are broken up into message units. We refer to [114] for a detailed study of the subject.

In the following, we follow [117] to describe some important applications.

Definition 2.3.1. A cryptosystem, also called a cipher or encryption scheme, has the following basic components:

1. A set of plaintext units P which is also called the message space.

2. A set of ciphertext units C which is also called the ciphertext space.

3. A set K called the key space.

4. An encryption map, εk: P −→ C, for every element k ∈ K.

5. A decryption map, δk : C −→ P, for every element k ∈ K.

6. Finally, a map η : K −→ K such that δη(k) ◦ εk = idP for every element k ∈ K, i.e. decrypting with η(k) undoes encrypting with k.

For every element k ∈ K the pair (k, η(k)) is called a key pair.

As is well known, the two major kinds of cryptosystem used in modern cryptography are symmetric and asymmetric cryptosystems. If η(k) can be computed efficiently from the knowledge of the key k and the encryption map εk, the cryptosystem is called symmetric; otherwise it is called asymmetric. If the cryptosystem is symmetric, the way the key k is used depends on whether the cipher is a block cipher, such as AES or DES, or a stream cipher. In a block cipher, after breaking the plaintext into plaintext units, every unit is encrypted using the same fixed key k. In a stream cipher, we generate a sequence k1, k2, . . . of keys called the key stream; the key stream is generated by some chosen function, and then k1, k2, . . . are used for the encryption of the individual plaintext units.

Many cryptographic protocols that play an essential role in modern life are built on cryptosystems. In his seminal paper [160], C.E. Shannon, who is also known as the father of information theory, remarked:

Thus, if we could show that solving a certain system requires at least as much work as solving a system of simultaneous equations in a large number of unknowns, of a complex type, then we would have a lower bound of sorts for the work characteristic.

In the following, let p be a prime number, let q = p^e for some e > 0, and let K = Fq be the finite field with q elements.

Definition 2.3.2. A polynomial map is a map f : K^n −→ K^m such that for all points (x1, . . . , xn) ∈ K^n,

f(x1, . . . , xn) = (f1(x1, . . . , xn), . . . , fm(x1, . . . , xn)), for suitable polynomials f1, . . . , fm ∈ K[x1, . . . , xn].

The set of all zeros of f is precisely the set of all solutions of the simultaneous equations f1 = · · · = fm = 0. Polynomial maps can also be defined on any non-empty subset of K^n. In what follows we consider the case where P and C are (subsets of) finite-dimensional vector spaces over a finite field, usually of characteristic 2.

Remark 2.3.3. Over the finite field K, for every map f : K^n −→ K^m there exist polynomials f1, . . . , fm ∈ K[x1, . . . , xn] such that

f(x1, . . . , xn) = (f1(x1, . . . , xn), . . . , fm(x1, . . . , xn)),

for all (x1, . . . , xn) ∈ K^n; in other words, every map f : K^n −→ K^m is a polynomial map. The polynomials fi are not uniquely determined. Since we are interested in finding K-rational solutions, we consider K^n as a finite point set and may modify the polynomials fi by adding elements of the vanishing ideal I(K^n), also called the field ideal, which is generated by the field polynomials x1^q − x1, . . . , xn^q − xn. Every time we represent an encryption map (or a family of encryption maps) via polynomials f1, . . . , fm, we reduce them modulo the field polynomials.

In [117], we have the following example which gives us a non-standard look at the RSA cryptosystem.

Example 2.3.4. Consider the RSA cryptosystem. Choose the two prime numbers p = 3 and q = 5, so that n = p · q = 15. Knowing the factorization of n, we can easily compute ϕ(n) = (p − 1)(q − 1) = n + 1 − p − q = 8. Next we choose an integer e = 5, the public exponent, between 1 and ϕ(n) which is coprime to ϕ(n). The secret exponent is d = 5, since d · e = 25 ≡ 1 (mod 8) with 8 = ϕ(n).

We represent the plaintext and ciphertext units as tuples (a0, a1, a2, a3) ∈ F_2^4 corresponding to the elements a0 + 2a1 + 4a2 + 8a3 ∈ Z/(15) (the tuple (1, 1, 1, 1) corresponds to 15 ≡ 0). By a straightforward calculation we can represent ε5(a0, a1, a2, a3) = (a0 + 2a1 + 4a2 + 8a3)^5 by the tuple (c0(a0, a1, a2, a3), . . . , c3(a0, a1, a2, a3)) ∈ F_2^4 where

c0 = a0a1a2a3 + a0

c1 = a0a1a2a3 + a1

c2 = a0a1a2a3 + a2

c3 = a0a1a2a3 + a3

(reduced modulo the field polynomials ai^2 − ai). These polynomials are so simple because 5 ≡ 1 (mod 4) with 4 = lcm(p − 1, q − 1), hence x^5 ≡ x (mod 15) for every x: ε5 fixes every unit except (1, 1, 1, 1), which it maps to (0, 0, 0, 0).

Now consider the ciphertext (1, 1, 0, 0). We can recover the plaintext from this ciphertext by solving the polynomial system c0 − 1 = 0, c1 − 1 = 0, c2 = 0, c3 = 0 for F2-rational solutions. The most obvious way to solve this system is to compute a Gröbner basis.

The reduced Gröbner basis of the ideal I = ⟨c0 − 1, c1 − 1, c2, c3, a0^2 − a0, . . . , a3^2 − a3⟩ is {a0 − 1, a1 − 1, a2, a3}; therefore the plaintext unit was (1, 1, 0, 0), which agrees with 3^5 ≡ 3 (mod 15).
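The following Python script is added here as a worked illustration of Example 2.3.4; it is not part of the original example or of [117]. It recomputes the polynomials c0, . . . , c3 from the map x ↦ x^5 mod 15 by interpolation over the point set F_2^4 (the Möbius transform, which is the F_2 case of reducing the fi modulo the field polynomials as in Remark 2.3.3), and then solves the system c0 − 1 = c1 − 1 = c2 = c3 = 0 for the ciphertext (1, 1, 0, 0). Exhaustive search over the 16 points stands in for the Gröbner basis computation, which is only viable because the toy is this small. The function names, the helper `anf`, and the additional run with public exponent e = 3 (where ε3 is not the identity) are my own choices.

```python
from itertools import product

# Parameters of Example 2.3.4: RSA modulus n = 3 * 5, public exponent e = 5
# (d = 5 as well, since 5 * 5 = 25 = 1 mod phi(15) = 8).  Plaintext and
# ciphertext units are tuples (a0, a1, a2, a3) in F_2^4.
N = 15
E = 5
NBITS = 4


def to_int(bits):
    """(a0, a1, a2, a3) -> a0 + 2*a1 + 4*a2 + 8*a3, the encoding of the example."""
    return sum(b << i for i, b in enumerate(bits))


def to_bits(x, nbits=NBITS):
    """Inverse of to_int for 0 <= x < 2**nbits."""
    return tuple((x >> i) & 1 for i in range(nbits))


def rsa_encrypt(bits, e=E, n=N):
    """epsilon_e on one unit: (a0 + 2a1 + 4a2 + 8a3)^e mod n, re-encoded as bits.
    (1,1,1,1) encodes 15 = 0 in Z/(15) and is therefore sent to (0,0,0,0)."""
    return to_bits(pow(to_int(bits), e, n))


def anf(truth):
    """Reduced polynomial (algebraic normal form) of a Boolean function given by
    its full truth table {point: value} on F_2^n.  Returns the set of monomials
    with coefficient 1, each as a sorted tuple of variable indices (() is 1).
    Reduction modulo the field polynomials a_i^2 - a_i makes the representation
    unique; it is computed by the Moebius transform, i.e. interpolation over the
    point set F_2^n."""
    n = len(next(iter(truth)))
    coeffs = dict(truth)
    for i in range(n):
        for u in coeffs:                      # values change, keys do not
            if u[i]:
                coeffs[u] ^= coeffs[u[:i] + (0,) + u[i + 1:]]
    return {tuple(i for i in range(n) if u[i]) for u, c in coeffs.items() if c}


def encryption_polynomials(e=E, n=N, nbits=NBITS):
    """The polynomials c_0, ..., c_{nbits-1} in F_2[a_0, ..., a_{nbits-1}] that
    represent epsilon_e on F_2^nbits, one per output bit."""
    points = list(product((0, 1), repeat=nbits))
    table = {pt: rsa_encrypt(pt, e, n) for pt in points}
    return [anf({pt: table[pt][j] for pt in points}) for j in range(nbits)]


def evaluate(poly, pt):
    """Evaluate a polynomial (set of monomials) at a point of F_2^n."""
    return sum(all(pt[i] for i in m) for m in poly) % 2


def poly_str(poly):
    """Render a polynomial in the notation of the example, e.g. 'a0a1a2a3 + a0'."""
    mons = sorted(poly, key=lambda m: (-len(m), m))
    return " + ".join("".join(f"a{i}" for i in m) or "1" for m in mons) or "0"


def solve_for_plaintext(polys, ciphertext):
    """All F_2-rational solutions of c_j - y_j = 0 for a ciphertext y.
    Exhaustive search over the 2^nbits points stands in for the Groebner-basis
    computation of the example; that is only feasible for a toy of this size."""
    nbits = len(polys)
    return [pt for pt in product((0, 1), repeat=nbits)
            if all(evaluate(p, pt) == y for p, y in zip(polys, ciphertext))]


if __name__ == "__main__":
    polys = encryption_polynomials()
    for j, p in enumerate(polys):
        print(f"c{j} = {poly_str(p)}")
    print("plaintext(s) for (1,1,0,0):", solve_for_plaintext(polys, (1, 1, 0, 0)))
    # Extra run (my addition): with e = 3 (d = 3, since 9 = 1 mod 8) the map
    # x -> x^3 mod 15 is no longer the identity and the polynomials are denser.
    polys3 = encryption_polynomials(e=3)
    for j, p in enumerate(polys3):
        print(f"e=3: c{j} = {poly_str(p)}")
    print("e=3 plaintext(s) for 3 = (1,1,0,0):",
          solve_for_plaintext(polys3, (1, 1, 0, 0)))
```

For e = 5 the script prints exactly the four polynomials of the example and the single solution (1, 1, 0, 0); for e = 3 it recovers the plaintext 12 = (0, 0, 1, 1), since 12^3 ≡ 3 (mod 15). The same `anf` routine is the special case over F_2 of what the Buchberger–Möller algorithm of Remark 2.3.5 delivers for an arbitrary finite point set.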

Remark 2.3.5. We do not know a standard way to express the RSA cryptosystem and many others as systems of polynomial equations. Therefore, a natural question is how to construct the polynomials f1, . . . , fm which represent the encryption map εk. The encryption map εk carries some specific structure with it which is exploited while constructing the polynomials f1, . . . , fm. This suggests that the polynomials f1, . . . , fm have to be constructed on a case-by-case basis. For instance, for the construction of the polynomials f1, . . . , fm for the so-called Courtois Toy Cipher (CTC) see [57].

A partial answer to the above question is to use the Buchberger–Möller algorithm (see [121], Theorem 6.3.10 and Corollary 6.3.11 for the general setting and [117], Proposition 3.1 for the cryptanalytic setting), which yields all polynomials that model the encryption map εk for the given plaintext units and keys. But this is possible in practice only if the space of plaintext units P (and possibly the key space) is not too large. For large real-world cryptosystems, we instead generate polynomial relations between the plaintext and key bit tuples and the ciphertext tuple.

Furthermore, for more details and a description of several attack scenarios using the algebraic representation of the encryption map εk and the decryption map δk, we refer to the article “Algebraic Attacks Galore!” [117] by M. Kreuzer. We can summarize the discussion above as follows. The main task in a successful algebraic attack on a cipher (or in examining the security of a cipher) is to solve a multivariate polynomial system over a finite field. Therefore, in this thesis we develop new techniques that can be used in the context of polynomial systems derived from algebraic attacks to examine the security of different ciphers.