
Motivation Mixed Integer Programming Application in Cryptanalysis Example A2U2 Conclusion

Mixed Integer Programming: Algorithms and Applications

Julia Borghoff Mykonos May 2012


Outline

1 Motivation

2 Mixed Integer Programming
  • Definition
  • Basic algorithms for integer optimization

3 Application in Cryptanalysis
  • Conversion Methods
  • Other MIP parameters
  • Features

4 Example A2U2
  • The Cipher
  • Attack

5 Conclusion
  • References


Motivation for using optimization in cryptography

Cryptographic side

  • cryptographic problems can often be described as a set of non-linear Boolean equations ⇒ algebraic attacks
  • solvers for non-linear Boolean equations (algebraic attacks) are often not successful
  ⇒ need for new solvers

Optimization

  • of great industrial interest ⇒ many well-developed algorithms/solvers available
  • additional features such as
      • use of probabilistic equations
      • use of inequalities
      • possibility of minimizing distances etc.


Which approach to use?

Optimization is a big field:

  • meta-heuristics
      • simulated annealing
      • tabu search
      • etc.
  • evolutionary/genetic algorithms
  • constrained programming
  • linear programming
  • mixed-integer linear programming
  • non-linear optimization
  • non-smooth optimization


What is a constrained optimization problem?

Given:

  • a set of variables
  • an objective function
  • a set of constraints

Find the best solution for the objective function in the set of solutions that satisfy the constraints.

Constraints can be e.g.:

  • equations
  • inequalities
  • linear or non-linear
  • restrictions on the type of a variable


Mixed Integer Linear Programming Problem (MILP/MIP)

A mixed-integer linear programming problem (MILP/MIP) is a problem of the form

$$\min_x \; cx \quad \text{subject to} \quad Ax \le b, \quad \text{where } x \in \mathbb{Z}^n \times \mathbb{R}^p$$

Important:

  • objective function and all constraints are linear
  • some variables are integers, some variables are continuous


Special cases

  • Linear programming problem (LP): all variables are continuous ⇒ efficiently solvable
  • Integer programming problem (IP): all variables are restricted to be integer.
  • 0-1 Integer programming problem (BIP): all variables are restricted to be binary.


Feasible Solution

The set $S$ of all $x \in \mathbb{Z}^n \times \mathbb{R}^p$ which satisfy the linear constraints $Ax \le b$,

$$S = \{x \in \mathbb{Z}^n \times \mathbb{R}^p : Ax \le b\}$$

is called the feasible set. An element $x \in S$ is called a feasible solution.


Problem types

Optimization Problem: Find a solution in the feasible set that yields the best objective value.

Feasibility Problem: Find an element that satisfies all constraints and restrictions, i.e., find an element in the feasible set.


Three different approaches

  • Branch and Bound, Cutting Plane ⇒ optimal solution
  • Feasibility Pump ⇒ feasible solution


LP-relaxation

  • LP constraints form a polytope
  • IP feasible set is given by the set of all integer-valued points within the polytope
  ⇒ feasible set of IP ⊂ feasible set of LP

Definition (LP-relaxation): The LP-relaxation of a MIP or IP is obtained by removing the integer constraints on all variables, e.g. in the binary case replace $x \in \{0, 1\}$ by $0 \le x \le 1$.


The branch-and-bound algorithm

Tree search where the tree is built using three main steps:

  • Branch: Pick a variable and divide the problem into two subproblems at this variable (e.g. if $x \in \{0, 1\}$, solve the problem with $x = 0$ and the problem with $x = 1$).
  • Bound: Solve the LP-relaxation to determine the best possible objective value for the node.
  • Prune: Prune the branch of the tree (i.e. the tree will not be developed any further in this node) if
      • the subproblem is infeasible
      • the best achievable objective value is worse than a known optimum


Branch-and-bound - a binary example

$$\begin{aligned}
\min \quad & -x_1 + x_2 - 2x_3 + x_4 - x_5 \\
\text{subject to} \quad & x_1 + x_2 \le 1 \\
& x_1 - 5x_2 + x_3 \le 2 \\
& 2x_3 + 2x_4 - 4x_5 \le 1 \\
& x_2 - 2x_4 + x_5 \le \\
& x \in \{0, 1\}^5
\end{aligned}$$

[Figure: branch-and-bound tree, branching on x2, x3 and x4, with a value at each node]

  • solve the linear problem
  • pick a variable for which the solution violates the binary constraint. Branch
  • Fathoming: the best solution is already a feasible solution in an early state of the tree
  • Incumbent: best feasible solution found so far
  • choose the most promising node
  • a node can be pruned if it won't yield a better solution than the incumbent or if it violates a constraint
  • the optimal solution is found when the tree cannot grow further


Cutting plane algorithm

Idea: iterative reduction of the feasible region

  • solve the LP-relaxation and obtain a fractional solution
  • add a new constraint (cut) that removes the fractional solution from the feasible set of the LP-relaxation


Cutting plane - an example

[Figure: two-dimensional feasible region with its integer points]

  • Two-dimensional example
      • linear constraints
      • both variables are integers
  • The green area is the feasible set of the LP-relaxation
  • The green dots are the feasible set of the IP
  • Solving the LP yields a fractional solution
  • Add a constraint (cut) such that
      • every feasible integer solution is feasible for the cut
      • the current fractional solution is not feasible for the cut


Feasibility pump (1/2)

  • algorithm for finding a feasible solution
  • maintains two solutions
      • $x^*$ satisfies the linear constraints
      • $\tilde{x}$ satisfies the integer requirements
  • idea: "pump" integrality of $\tilde{x}$ into $x^*$
  • both solutions are iteratively updated until they are the same


Feasibility pump (2/2)

Problem: Find a feasible solution of $\{Ax \le b,\ x \in \mathbb{Z}\}$

  1: initialize $x^*$ as solution of $\{x : Ax \le b\}$
  2: repeat (pumping cycle)
  3:     Round continuous solution $\tilde{x} = [x^*]$
  4:     Update objective function $\Delta(x, \tilde{x}) = \sum_i |x_i - \tilde{x}_i|$
  5:     Solve LP $x^* = \min\{\Delta(x, \tilde{x}) : Ax \le b\}$
  6: until $\Delta(x^*, \tilde{x}) = 0$
  7: return $x^*$

  • limit on running time
  • random flips to avoid stalling if $x^* = \tilde{x}$
  • perturbation to avoid cycling


Possible application of MIPs in cryptanalysis

  • solving Boolean equation systems, e.g. key recovery attack
  • finding preimages/second preimages/collisions/near-collisions
  • search for differentials
  • etc.

Every situation in cryptanalysis where one considers a system of (in)equalities and preferably can optimize something.


Cryptographic problem:

  • Boolean space (modular arithmetic)
  • non-linear equations
  • not necessarily objective function

MIP:

  • reals with integer/binary restrictions
  • linear constraints/linear objective function
  • objective function (usually) needed

  ◮ Boolean equation system → set of constraints
  ◮ conversion of Boolean equations to equations over the reals
  ◮ linearization of higher order terms
  ◮ integer restrictions
  ◮ objective function


Conversion methods

  • every solution of the Boolean equation must be a solution of the real equation
  • additional fractional solutions do not matter
  • convert either
      • each operator
      or
      • the entire equation at once

  ◮ Standard Conversion Method
  ◮ Integer Adapted Standard Conversion Method


Standard Conversion Method (SCM)

$s_1, s_2 \in \{\text{false}, \text{true}\}$

  false → $0$
  true → $1$
  $\neg s_1$ → $1 - x_1$
  $s_1 \wedge s_2$ → $x_1 x_2$
  $s_1 \vee s_2$ → $x_1 + x_2 - x_1 x_2$
  $s_1 \oplus s_2$ → $x_1 + x_2 - 2 x_1 x_2$

where $x_i = 0$ if $s_i$ = false and $x_i = 1$ if $s_i$ = true.


Observations (SCM)

For converting a Boolean polynomial in ANF using the Standard Conversion Method, the following holds:

  • degree of polynomial equals number of variables in Boolean polynomial (assuming $x_i^2 = x_i$)
  • monomial degree of polynomial is $2^m - 1$ where $m$ is monomial degree of Boolean polynomial.


Conversion trick (SCM)

These two equations have the same set of solutions:

  • $x \oplus y \oplus z \oplus v = 0$
    After conversion: degree 4, number of monomials $2^4 - 1 = 15$
  • $x \oplus y = z \oplus v$
    After conversion: degree 2, number of monomials $2 \cdot (2^2 - 1) = 6$

To keep the real-valued equation sparse and of low degree:

  1 rewrite the equations such that each side contains the same number of variables
  2 convert each side
  3 subtract the results
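
The degree and monomial counts above can be checked mechanically. The following is an added example, not part of the original slides: it applies the SCM XOR rule to multilinear real polynomials and compares the direct conversion of x ⊕ y ⊕ z ⊕ v = 0 with the balanced form. The dictionary representation and all function names are assumptions made for this illustration.

```python
from itertools import product

# A real multilinear polynomial is a dict {frozenset(variables): coefficient}.
# Squares collapse (x_i * x_i = x_i), the assumption stated for 0/1 variables.

def var(name):
    return {frozenset([name]): 1}

def add(p, q, factor=1):
    """Return p + factor * q with zero coefficients removed."""
    out = dict(p)
    for mono, coeff in q.items():
        out[mono] = out.get(mono, 0) + factor * coeff
    return {m: c for m, c in out.items() if c != 0}

def mul(p, q):
    out = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        mono = m1 | m2                      # union of variables: x * x -> x
        out[mono] = out.get(mono, 0) + c1 * c2
    return {m: c for m, c in out.items() if c != 0}

def scm_xor(p, q):
    """SCM rule: s1 XOR s2 -> x1 + x2 - 2*x1*x2."""
    return add(add(p, q), mul(p, q), -2)

def scm_xor_chain(names):
    """Convert s1 XOR s2 XOR ... by applying the XOR rule operator by operator."""
    poly = var(names[0])
    for name in names[1:]:
        poly = scm_xor(poly, var(name))
    return poly

def degree(p):
    return max((len(m) for m in p), default=0)

def evaluate(p, values):
    total = 0
    for mono, coeff in p.items():
        term = coeff
        for v in mono:
            term *= values[v]
        total += term
    return total

def zero_set(p, names):
    """All 0/1 assignments (as tuples) on which the polynomial evaluates to 0."""
    return {bits for bits in product((0, 1), repeat=len(names))
            if evaluate(p, dict(zip(names, bits))) == 0}

NAMES = ("x", "y", "z", "v")
# Direct conversion of x ^ y ^ z ^ v = 0.
direct = scm_xor_chain(NAMES)
# Conversion trick: convert x ^ y and z ^ v separately, then subtract.
balanced = add(scm_xor_chain(("x", "y")), scm_xor_chain(("z", "v")), -1)
# Reference: the Boolean solution set, computed with XOR directly.
boolean_solutions = {b for b in product((0, 1), repeat=4)
                     if b[0] ^ b[1] ^ b[2] ^ b[3] == 0}

if __name__ == "__main__":
    for label, poly in (("direct", direct), ("balanced", balanced)):
        print(label, "degree", degree(poly), "monomials", len(poly),
              "same solutions:", zero_set(poly, NAMES) == boolean_solutions)
```
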


Integer adapted standard conversion

  • Boolean equations in ANF
  • converts the entire equation at once
  • uses integer restrictions
  • consider the equation as a polynomial over the reals: replace
      • AND by multiplication
      • XOR by addition
  • subtract a factor of 2


Integer adapted standard conversion - an example

  • maps {false, true} → {0, 1} (as standard conversion)
  • Let e.g. $s_1 \wedge s_2 \oplus s_3 \oplus s_4 \oplus s_5 \wedge s_6 = 0$
  • evaluate the real polynomial for the solutions of the Boolean equation
  • let $u$ be the minimum and $l$ be the maximum value

Corresponding equation over the reals:

$$x_1 x_2 + x_3 + x_4 + x_5 x_6 - 2y = 0 \quad \text{with } u/2 \le y \le l/2,\ y \text{ integer}$$


Linearization

Recall: linear constraints are not necessarily only equalities.

Replace the quadratic term $x_i x_j$ by a new variable $y$ and add the constraints:

  $y \le x_i$  (1)
  $y \le x_j$  (2)
  $x_i + x_j - 1 \le y$  (3)

Replace the cubic term $x_i x_j x_k$ by a new variable $y$ and add the constraints:

  $y \le x_i$  (1)
  $y \le x_j$  (2)
  $y \le x_k$  (3)
  $x_i + x_j + x_k - 2 \le y$  (4)


Integer/Binary vs Continuous

  • the number of binary/integer variables influences complexity significantly (worst case: enumeration of all possible configurations)
  • all variables continuous ⇒ fractional solution
  • IASC requires integer restrictions
  • dependencies between variables ⇒ not all variables $\in \mathbb{Z}$, e.g. $y = x_1 x_2$: if $x_1, x_2 \in \{0, 1\}$ then $y$ will be binary.

Conclusion: Find the minimal number of binary/integer variables.

Disclaimer:

  • the number of binary/integer variables does not solely determine complexity
  • all variables binary/integer might be beneficial in some cases


Objective function

MIPs work best if

  • optimization rather than feasibility problem
  • several feasible solutions
  • a good but not optimal solution is already useful

Finding an objective function:

  • deducible from the problem, e.g. near-collision: objective function is the distance between two hash values
  • arbitrary choice, e.g. key recovery attack
  • important for performance: choose an objective function that leads to the solution, e.g. the sum of all variables, if it is known that the HW of the solution is different from the HW of a random point

If you find an objective function that works well, don’t ask questions, just keep it!


Probabilistic Equations

Sometimes additional probabilistic equations are available, e.g.

  • side channel attacks
  • S-box equations that do not hold for all inputs
  • noisy keystream

How to handle those?

  1 add probabilistic equations to the equation system
      • if the probabilistic equations hold, a solution will be found
      • if the probabilistic equations do not hold, the problem is not solvable
  2 partial Max-PoSSo: split the equations into two sets
      • hard set H: all equations have to be satisfied
      • soft set S: maximize the number of equations that are satisfied


Max-PoSSo as MIP

Hard set H: transform as usual

Soft set S:

  1 transform into constraints
  2 add slack variables to the constraints
  3 minimize over the slack variables

Example

Constraint: $x_1 + x_2 + 2x_3 - x_4 = 2$

Introduce two slack variables:

  • $s_p \ge 0$ for a positive deviation
  • $s_n \ge 0$ for a negative deviation

Constraint with slack variables: $x_1 + x_2 + 2x_3 - x_4 + s_p - s_n = 2$

Minimize $s_p + s_n$


The Cipher A2U2

  • stream cipher presented at IEEE RFID
  • less than 300 GE (estimate)
  • key = 56 bit master key + 5 bit counter key
  • master key: state initialization and update
  • counter key: varying number of initialization rounds

[Figure: block diagram with NFSR A, NFSR B, counter LFSR C, key bit mechanism and output generator; plaintext and secret key go in, ciphertext comes out]


State update

[Figure: state update of the two NFSRs, cells 16 to 0 and cells 8 to 0, with C[6] and the output h_t of the key bit mechanism]

  • state: two interconnected NFSRs (17+9 bits)
  • state update: state, key and counter bits are used
  • guessing the state is not sufficient


Output generation

[Figure: MUX2to1 with the signals C_t, P_σ(t), B_t, A_t and Y_t]

  • output starts when the counter is all-ones
  • $Y_t = \mathrm{MUX}_{A_t}(B_t \oplus C_t,\ B_t \oplus P_{\sigma(t)})$
  • plaintext bits have to "wait" until $A_t = 1$ before being encrypted
  • ciphertext is about twice as long as plaintext


Cipher Equations

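Key register: rotation register $K^t = (k_{5t}, k_{5t+1}, \dots, k_{5t+55})$

Buffer: $S^t = (S^t_0, \dots, S^t_4) = (k_{5t}, \dots, k_{5t+4})$

Subkey bit $h_t$:

$$h_t = \mathrm{MUX}_{C_{t-5}}(S^t_0, S^t_1) \cdot \mathrm{MUX}_{C_{t-1}}(S^t_4, A_{t-2}) \oplus \mathrm{MUX}_{C_{t-3}}(S^t_2, S^t_3) + 1$$

Updating NFSRs: $A^t = (A_t, \dots, A_{t-16})$ and $B^t = (B_t, \dots, B_{t-8})$

$$B_t = A_{t-17} \oplus A_{t-15}A_{t-14} \oplus A_{t-12} \oplus A_{t-10}C_{t-7} \oplus A_{t-7}A_{t-6}A_{t-5} \oplus A_{t-4}A_{t-2}$$

$$A_t = B_{t-9} \oplus B_{t-8}B_{t-7} \oplus B_{t-6} \oplus B_{t-3} \oplus h_t \oplus 1$$

Ciphertext:

$$Y_t = \begin{cases} B_t \oplus C_t & \text{if } A_t = 0 \\ B_t \oplus P_{\sigma(t)} & \text{if } A_t = 1 \end{cases}$$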


Idea

Useful properties:

  • known counter: outputs start when the counter has all-one state
  • chosen plaintext/ciphertext attacks possible
  • $B_t = Y_t + C_t$ holds with probability $3/4$

Attack idea:

  1 noisy sequence $B_t$: calculate $E_t = Y_t + C_t$
  2 set up an equation system
  3 add probabilistic equation $B_t = E_t$

Partial Max-PoSSo as MIP


Boolean Equation system

Variables

  • introduce variables for state bits $A_t$, $B_t$ and key bits $k_i$
  • counter bits $C_t$ known
  • in each clocking introduce 3 new variables
      • one for updating register A
      • one for updating register B
      • one for the subkey bit $h_t$

Equations

  • hard set H: 3 non-linear equations
      • updating B: cubic equation in bits of A
      • updating A: quadratic equation in bits of B and $h_t$
      • $h_t$: quadratic equation in key bits depending on counter
  • soft set S: 1 probabilistic equation $E_t = B_t$


MIP-Model

Hard Set H:

  • convert using IASC
  • linearize (replace non-linear terms and add corresp. inequalities)

Example: $A_t = B_{t-9} \oplus B_{t-8}B_{t-7} \oplus B_{t-6} \oplus B_{t-3} \oplus h_t \oplus 1$

Corresponding constraints:

$$\begin{aligned}
A_t + B_{t-9} + Q_{(t,1)} + B_{t-6} + B_{t-3} + h_t - 2I_{(t,1)} &= 1, \\
Q_{(t,1)} - B_{t-8} &\le 0, \\
Q_{(t,1)} - B_{t-7} &\le 0, \\
B_{t-8} + B_{t-7} - Q_{(t,1)} &\le 1, \\
I_{(t,1)} &\in \{0, 1, 2, 3\}
\end{aligned}$$

Soft Set S:

  • add $B_t + s_t = 1$ if $E_t = 1$
  • add $B_t - s_t = 0$ if $E_t = 0$

where $s_t \ge 0$ is the slack variable.

Objective function: minimize $\sum s_i$
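
A conversion like this is easy to get subtly wrong, so it is worth checking exhaustively before handing the model to a solver. The following is an added example, not part of the original slides: it builds the IASC and linearization rows for the update equation of A_t (the same rule also covers the cubic linearization) and confirms that the 0/1 assignments feasible for the rows are exactly the solutions of the Boolean equation, and that this fails once the linking inequalities are dropped. The function names, the name Q1, and the sampled grid standing in for a continuous Q in [0, 1] are assumptions.

```python
from fractions import Fraction
from itertools import product

def build_model(monomials, constant):
    """IASC plus linearization for  XOR(monomials) XOR constant = 0.

    monomials: tuples of variable names; a tuple longer than 1 is an AND.
    Rows are (coefficients, rhs); inequality rows mean  lhs <= rhs.
    """
    equality, inequalities, products = {}, [], {}
    for mono in monomials:
        if len(mono) == 1:
            name = mono[0]
        else:
            name = "Q%d" % (len(products) + 1)       # new variable for the product
            products[name] = mono
            for v in mono:
                inequalities.append(({name: 1, v: -1}, 0))        # Q <= v
            row = {v: 1 for v in mono}
            row[name] = -1
            inequalities.append((row, len(mono) - 1))             # sum(v) - Q <= d - 1
        equality[name] = 1
    equality["I"] = -2                               # integer variable added by IASC
    return {"eq": (equality, constant), "ineqs": inequalities,
            "products": products, "i_max": len(monomials) // 2}

def lhs(row, values):
    return sum(coeff * values[v] for v, coeff in row.items())

def mip_feasible(model, assignment, q_grid):
    """Can the 0/1 assignment be extended by Q values from q_grid and an integer I?"""
    (eq_row, eq_rhs), names = model["eq"], list(model["products"])
    for qs in product(q_grid, repeat=len(names)):
        values = dict(assignment)
        values.update(zip(names, qs))
        if any(lhs(row, values) > rhs for row, rhs in model["ineqs"]):
            continue
        for i in range(model["i_max"] + 1):
            values["I"] = i
            if lhs(eq_row, values) == eq_rhs:
                return True
    return False

def boolean_holds(monomials, constant, assignment):
    acc = constant
    for mono in monomials:
        acc ^= int(all(assignment[v] for v in mono))
    return acc == 0

def mismatches(monomials, constant, model, q_grid):
    """Number of 0/1 assignments on which Boolean equation and MIP rows disagree."""
    names = sorted({v for mono in monomials for v in mono})
    count = 0
    for bits in product((0, 1), repeat=len(names)):
        assignment = dict(zip(names, bits))
        if boolean_holds(monomials, constant, assignment) != \
                mip_feasible(model, assignment, q_grid):
            count += 1
    return count

# A_t = B_{t-9} ^ B_{t-8}B_{t-7} ^ B_{t-6} ^ B_{t-3} ^ h_t ^ 1, with A_t moved across.
A2U2_UPDATE = [("A_t",), ("B_t-9",), ("B_t-8", "B_t-7"),
               ("B_t-6",), ("B_t-3",), ("h_t",)]
Q_GRID = [Fraction(k, 4) for k in range(5)]   # assumption: Q continuous in [0, 1], sampled
MODEL = build_model(A2U2_UPDATE, 1)
NO_LINKS = dict(MODEL, ineqs=[])              # same rows without the linking inequalities

if __name__ == "__main__":
    print("with linking inequalities:", mismatches(A2U2_UPDATE, 1, MODEL, Q_GRID))
    print("without them:", mismatches(A2U2_UPDATE, 1, NO_LINKS, Q_GRID))
```
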


Results

Simplify the problem:

  • chosen plaintext attack with 1 chosen plaintext: all zeros ⇒ if $C_t = 0$: $B_t \oplus E_t = 0$ with prob. 1 ⇒ move to hard set
  • guess $h_t$ for the first 35 clockings

Results:

  • Cplex yields 1-3 solutions
  • success probability 90%
  • average solution time 116 seconds
  • total complexity: $2^{42}$ seconds
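
Added example, not part of the original slides: it enumerates the output multiplexer to confirm the probability 3/4 from the attack idea and the probability-1 case under an all-zero plaintext with C_t = 0, then splits observed bits into hard equations and soft rows with a slack variable. The random sequences are constructed stand-ins for register contents, not output of the cipher, and all function names are assumptions.

```python
import random
from fractions import Fraction
from itertools import product

def output_bit(a, b, c, p):
    """Y_t = MUX_{A_t}(B_t ^ C_t, B_t ^ P): counter bit if A_t = 0, plaintext bit if A_t = 1."""
    return b ^ (p if a else c)

def agreement(fixed=None):
    """Fraction of (A, B, C, P) combinations with B = Y ^ C; `fixed` pins some bits."""
    fixed = fixed or {}
    cases = [dict(zip("abcp", bits)) for bits in product((0, 1), repeat=4)]
    cases = [s for s in cases if all(s[k] == v for k, v in fixed.items())]
    hits = sum(1 for s in cases if s["b"] == output_bit(**s) ^ s["c"])
    return Fraction(hits, len(cases))

def split_equations(ys, cs):
    """All-zero plaintext: E_t = Y_t ^ C_t.

    C_t = 0 gives the hard equation B_t = E_t (stored as (t, E_t)).
    C_t = 1 gives the soft row  B_t + sign * s_t = E_t  with s_t >= 0,
    stored as (t, sign, E_t): sign = +1 if E_t = 1, sign = -1 if E_t = 0.
    """
    hard, soft = [], []
    for t, (y, c) in enumerate(zip(ys, cs)):
        e = y ^ c
        if c == 0:
            hard.append((t, e))
        else:
            soft.append((t, 1 if e == 1 else -1, e))
    return hard, soft

def slack_cost(bs, soft):
    """Smallest sum of slacks s_t that makes every soft row hold for the sequence bs."""
    return sum((rhs - bs[t]) * sign for t, sign, rhs in soft)

# Constructed sample: seeded random bits stand in for A_t, B_t and C_t.
rng = random.Random(2012)
N = 64
A = [rng.randint(0, 1) for _ in range(N)]
B = [rng.randint(0, 1) for _ in range(N)]
C = [rng.randint(0, 1) for _ in range(N)]
Y = [output_bit(a, b, c, 0) for a, b, c in zip(A, B, C)]   # plaintext bits all zero
HARD, SOFT = split_equations(Y, C)

if __name__ == "__main__":
    print("P[B = Y ^ C], everything unknown:", agreement())
    print("P[B = Y ^ C], P = 0 and C = 0:   ", agreement({"p": 0, "c": 0}))
    print("P[B = Y ^ C], P = 0 and C = 1:   ", agreement({"p": 0, "c": 1}))
    print("hard:", len(HARD), "soft:", len(SOFT),
          "objective at the true B:", slack_cost(B, SOFT))
```

The objective value at the true sequence counts exactly the clocks with C_t = 1 and A_t = 1, which is the noise the soft set has to absorb.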


Conclusion

  • MIP is a promising technique in cryptanalysis for
      • attacking primitives
      • proving/arguing security bounds (see next talk)
  • it is NOT the ultimate solver
  • offers a lot of flexibility when modeling the problem
  • small attack success but no big kill yet

⇒ there is still lots of work to do

Thanks for your attention


Solvers

This list is far from being complete:

  • IBM ILOG Cplex (available under academic license)
  • Gurobi (available under academic license)
  • SCIP (open source)
  • ...
