Sparse Boolean equations and circuit lattices
Igor Semaev
Des. Codes Cryptogr., DOI 10.1007/s10623-010-9465-x
Received: 10 February 2009 / Revised: 17 April 2009 / Accepted: 1 August 2010
© The Author(s) 2010. This article is published with open access at Springerlink.com
Abstract A system of Boolean equations is called sparse if each equation depends on a small number of variables. Efficiently finding the solutions of such a system is an underlying hard problem in the cryptanalysis of modern ciphers. In this paper we study new properties of the Agreeing Algorithm, which was earlier designed to solve such equations. Then we show that the mathematical description of the Algorithm translates directly into the language of electric wires and switches. Applications to the DES and the Triple DES are discussed. The new approach, at least theoretically, allows faster key rejection in a brute-force search than COPACOBANA.
Keywords Sparse Boolean equations · Equation graph · Electrical circuits · Switches
Mathematics Subject Classification (2000) 94A60 · 68Q25 · 94C15 · 94C10
1 Introduction
Let X = {x1, x2, . . . , xn} be a set of Boolean variables. By Xi, 1 ≤ i ≤ m, we denote subsets of X of size li ≤ l. The system of equations
f1(X1) = 0, . . . , fm(Xm) = 0 (1)
is considered, where the fi are Boolean functions (polynomials in algebraic normal form) that depend only on the variables Xi. Such equations are called l-sparse. We look for the set of all 0, 1-solutions to (1). Obviously, the equation fi(Xi) = 0 is determined by the pair Ei = (Xi, Vi), where Vi is the set of 0, 1-vectors in variables Xi, also called Xi-vectors, on which fi is zero. In other words, Vi is the set of all solutions to fi = 0. The function fi is uniquely defined by Vi. Given fi, the set Vi is computed with 2^li trials.
I. Semaev (B)
Department of Informatics, University of Bergen, Bergen, Norway
e-mail: igor@ii.uib.no; igor.semaev@ii.uib.no
Table 1 Algorithms' running time

l                                   3         4         5         6
The worst case [12]                 1.324^n   1.474^n   1.569^n   1.637^n
Gluing1, expectation [18]           1.262^n   1.355^n   1.425^n   1.479^n
Gluing2, expectation [18]           1.238^n   1.326^n   1.393^n   1.446^n
Agreeing-Gluing1, expectation [19]  1.113^n   1.205^n   1.276^n   1.334^n
Weak IAG, expectation [20]          1.029^n   1.107^n   1.182^n   1.239^n
In [15] the Agreeing and Gluing procedures were described. Then they were combined with variable guessing to solve (1). See also the related earlier work [23]. Assume a uniform distribution on instances of (1). Table 1 summarizes expected complexity estimates for simple combinations of Agreeing and Gluing in the case m = n and a variety of l. Each instance of (1) may be encoded by a CNF formula with clause length l in the same variables, so l-SAT solving algorithms provide worst-case complexity estimates. The table data suggests that Agreeing-Gluing based methods should be very fast in practice. This is the reason why a hardware implementation of the Agreeing Algorithm is proposed here. In spite of the relatively high worst-case bound on l-SAT problem complexity, there exist a number of efficient l-SAT solvers. They have become useful tools in cryptanalysis [4,5]. However, an efficient hardware version of the approach is still unknown.
Conjectured asymptotic bounds on the complexity of the popular Gröbner Basis Algorithm and its variants such as XL, see [3,8], are found in [1,21]. They are far worse than the estimates for the brute force approach except for quadratic and very over-defined equation systems. It was found in [16] that a linear algebra variant (called MRHS) of Agreeing-Gluing significantly outperforms (on AES-type Boolean equations in around 50 variables) the F4 method, a Gröbner Basis Algorithm implemented in MAGMA.
We first study here a new property of the Agreeing Algorithm. This algorithm implements
pairwise simplification to the initial equations after some suitable guess. We will show that
the result only depends on a smaller subset of equation pairs. This significantly reduces
memory requirements for the Agreeing Algorithm. For example, for DES instead of 3,545
pairs, the algorithm should only run through 1,404 of them with the same output. In case of
the Triple DES the figure is 3,929 instead of 16,831, see Table 2.
Then we suggest implementing the Agreeing Algorithm in hardware. The main features of the related device, called Circuit Lattice (CL), are:
– No memory locations are necessary, as no bit is stored by the device in the usual sense. Solutions to particular equations are circuits with two types of switches, and the whole system is a network of connections between them represented as a circuit lattice. See Fig. 6 for instance.
– Voltage is induced by guessing variables. Its expansion is then directed by switches
implemented as electronic relays or transistors on a semiconductor chip. The potential
difference detected in some particular circuits indicates the system is inconsistent after
the guess.
– The number of input contacts is essentially 2s, where s is the number of variables guessed during the solution of the system; that is at most 2n anyway. Some power contacts and one output contact that sends out a signal when the system is found inconsistent should be added.
– The speed of the device is determined by the time of switching, where lots of switches
turn simultaneously. Switches are not necessarily synchronized, so the device does not
work as a conventional computer.
It is very unlikely that the system can be solved by Agreeing alone, so some guesses on the variable values should be made. The system is then checked for consistency with the Agreeing Algorithm. As most of the guesses will be incorrect, it is important to have an efficient way to check the system's inconsistency. The suggested Circuit Lattice is designed to achieve this goal. Implementing the equations of a cipher, it may be used for a brute force attack: when trying the current key, one introduces the guess into the device and checks whether the system is inconsistent.
Common approaches to the key search [2,6,7,13,14,17,22] are based on the parallelization of the job over many special purpose chips, which efficiently implement the encryption. The best reported speed for one DES encryption with COPACOBANA is about 0.1 GHz per chip, [13]. Approximately the same speed per each of its SPUs is achieved by the Cell Processor, see [14]. This results in about 0.034 GHz for the Triple DES. This is the key rejecting rate. In contrast, our idea is not to implement any encryption at all. If constructed, the Circuit Lattice might achieve a higher key rejecting rate, see the discussion in Sect. 7. Moreover, depending on the equation system from the cipher, the number of key bits necessary to guess before solving or observing an inconsistency may vary. For instance, in [15] it was reported that 37–38 key variables out of 56 are guessed and the rest of the system from 6 rounds of the DES is solved by the Agreeing Algorithm alone. So it is sometimes not necessary to guess all key bits. There may exist many equation systems describing one particular cipher, produced, for instance, with the Gluing procedure. Our approach therefore has more flexibility.
It was also reported in [16] that, admitting up to 2^s right hand sides (produced with Gluing during system solution) in MRHS equations for the AES-128, one should only guess 128 − s of the key bits before the system is solved. A fast way, based on some physical principle, of checking the system's inconsistency after the guess might result in breaking a real world cipher. Two principles may be in use here: electric potential expansion and the expansion of light. We will presently follow the first principle.
This proposal is different from an independent work by Geiselmann et al., which describes
a hardware implementation of main MRHS routines, see [11].
2 Agreeing procedure
For equations E1 = (X1, V1) and E2 = (X2, V2), let X1,2 = X1 ∩ X2. Then let V1,2 be the set of X1,2-subvectors of V1, that is the set of projections of V1 to the variables X1,2. Similarly, the set V2,1 of X1,2-subvectors of V2 is defined. We say the equations E1 and E2 agree if V1,2 = V2,1. Otherwise, we apply the procedure called Agreeing. All vectors whose X1,2-subvectors are not in V2,1 ∩ V1,2 are deleted from V1 and V2. Obviously, we delete Vi-vectors which can't be part of any common solution to the equations. Then we put Ei ← (Xi, V′i), where V′i ⊆ Vi consists of the surviving vectors.
2.1 Agreeing algorithm
The goal of the Agreeing Algorithm is to identify wrong solutions to equations Ei and remove them from Vi by pairwise application of the Agreeing Procedure. The output doesn't depend on the order of pairwise agreeings, see [16]. Application of the procedure to Ei and Ej where Xi ∩ Xj = ∅ can be avoided. We will show that some pairs Ei, Ej can be avoided too even if Xi ∩ Xj ≠ ∅. This significantly optimizes the memory requirement of the Agreeing Algorithm and the hardware implementation described in Sect. 3.
The equations E1, . . . , Em are vertices in an equation graph G. Vertices Ei and Ej are connected by the edge (Ei, Ej) labeled with Xi,j = Xi ∩ Xj ≠ ∅. Different edges may carry the same label. The Agreeing Procedure, being applied to Ei and Ej, implements a kind of information exchange between them through the edge (Ei, Ej). That is, for Y ⊆ Xi,j the information Y = a for some binary string a is transmitted from Ei to Ej or backwards. For simplicity, the same symbol Y also denotes an ordered string of the variables Y. We will now show that some of the edges in the graph G are obsolete in this respect.
A subgraph Gm of G is called minimal if it is on the same vertices and
1. For any (Ei, Ej) in G, there exists a sequence of vertices
Ei, Ek, El, . . . , Er, Ej, (2)
where (Ei, Ek), (Ek, El), . . . , (Er, Ej) are in Gm and Xi,j is a subset of each label Xi,k, Xk,l, . . . , Xr,j.
2. Gm has the minimal number of edges among the subgraphs that satisfy property 1.
This definition is well-posed as G itself satisfies property 1. It also implies that all minimal subgraphs have the same number of edges. Therefore our goal is to find such a subgraph, see the Algorithm and Lemma 2 below. In particular, the second statement of the Lemma says that any subgraph of G that satisfies property 1 has at least as many edges as the algorithm's output graph. The edges of a minimal subgraph are called maximal and denoted A for some fixed Gm. Minimal subgraphs are not uniquely defined.
Lemma 1 The Agreeing Algorithm output doesn't depend on whether the Agreeing procedure runs through all edges of G or only through maximal edges.
Proof Let Y ⊆ Xi,j for the equations Ei and Ej. Assume we learn, from the equation Ei, that Y = a for some string a. The Agreeing procedure expands Y = a from Ei to Ej. That is, all vectors in Vj whose projection to Y is a are wrong and should be removed from Vj. There exists a path (2) in the minimal graph Gm, where
Y ⊆ Xi,j ⊆ Xi, Xk, Xl, . . . , Xr, Xj.
So Y = a is expanded from Ei to Ej through the path (2) by first agreeing pairwise Ei, Ek. That is, one removes all vectors in Vk whose projection to Y is a. Then one agrees Ek, El, . . . , and finally Er, Ej. All Vj-vectors whose projection to Y is a are found wrong and removed. We therefore see that the results produced by agreeing through (Ei, Ej) and through the path (2) in Gm are the same. This proves the Lemma. □
We now formulate the algorithm to compute a minimal subgraph of G:
1. For every label Y ⊆ X find all edges (Es, Er ) in G such that Y ⊆ Xs,r . Denote a
subgraph of G with all such edges (Es, Er ) and related vertices by GY . We remark that
GY is a complete graph.
2. Find the set VY of edges (Es, Er ) in GY , where Xs,r = Y . Find a subset WY ⊆ VY such
that GY is still connected after removing the edges WY and WY has the largest number
of edges. We remark that WY is not uniquely defined, and taking different WY produces
different minimal subgraphs.
3. Remove the edges WY from G for all Y and get Gm .
Lemma 2 Let Gm be the algorithm's output graph.
1. Then Gm satisfies property 1 from the minimal subgraph definition.
2. Any subgraph of G that satisfies property 1 has at least as many edges as Gm.
Therefore Gm is minimal.
Proof We prove that for any edge (Ei, Ej) in G there is a path (2) in Gm. That will imply the first claim of the Lemma. Let Y = Xi,j. If (Ei, Ej) is not in WY, then there is nothing to prove as (Ei, Ej) is in Gm. Assume (Ei, Ej) ∈ WY. Then there is a path in GY from Ei to Ej through edges (Er, Es) ∉ WY with Y ⊆ Xr,s. This is because GY remains connected after removing WY. If all such (Er, Es) ∉ WXr,s, then the required path is found, as all these edges are in Gm.
Otherwise, assume some (Er, Es) ∈ WZ, where Z = Xr,s. Therefore Y ⊊ Z and the edge (Er, Es) was removed from G. Then there is a path in GZ from Er to Es through edges (Ek, El) ∉ WZ. This is because GZ is still connected after removing the edges WZ. Moreover, Y ⊊ Z ⊆ Xk,l for (Ek, El). If all such (Ek, El) ∉ WXk,l, then the required path is found, as all these edges are in Gm.
Otherwise, we continue in the same way and stop at some point, as the sequence of graphs GY ⊋ GZ ⊋ . . . is strictly decreasing.
Let G′ be any subgraph that satisfies property 1 from the minimal subgraph definition. The subgraph G′ is produced by removing some edges W′Y from every VY, where Y is a label in G. We claim that GY should be connected after removing the edges W′Y. Otherwise, there are two vertices Ei and Ej disconnected in GY, where Xi,j = Y and the edge (Ei, Ej) was removed. Therefore the path (2) in G′ does not exist for Ei and Ej. This contradicts the definition of G′. Therefore |WY| ≥ |W′Y| for every label Y, as WY is the largest subset of edges in VY such that GY remains connected after removing WY. One concludes that G′ has at least as many edges as Gm. The Lemma is proved. □
Example. Let there be five Boolean equations in five variables, where X1 = {x1, x2, x4},
X2 = {x1, x2, x3}, X3 = {x2, x3, x5}, X4 = {x3, x4, x5} and X5 = {x1, x4, x5}. The equa-
tion graph G has 5 vertices and 10 edges: (E1, E2) labeled with X1,2 = {x1, x2}, (E2, E3)
labeled with X2,3 = {x2, x3}, and so on. Five edges
(E1, E3), (E1, E4), (E2, E4), (E2, E5), (E3, E5)
are to be removed as they are obsolete for the Agreeing Algorithm; see Fig. 1.
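As an added example (not part of the paper), the following Python code runs the three-step algorithm on the five equations of the example and confirms that exactly the five edges listed above are removed. The choice of WY is made with a spanning-forest rule: an edge labeled exactly Y is kept only when the edges of GY that carry a strictly larger label do not already connect its endpoints; the UnionFind helper and the property-1 checker are my additions.

```python
from collections import deque
from itertools import combinations

# Constructed input: the variable sets X_1..X_5 of the example (solution sets
# play no role in choosing the minimal subgraph, so they are omitted).
EXAMPLE_X = {
    1: {"x1", "x2", "x4"},
    2: {"x1", "x2", "x3"},
    3: {"x2", "x3", "x5"},
    4: {"x3", "x4", "x5"},
    5: {"x1", "x4", "x5"},
}


def equation_graph(X):
    """Edges (i, j), i < j, of the equation graph G, labeled X_{i,j} = X_i ∩ X_j ≠ ∅."""
    return {(i, j): frozenset(X[i] & X[j])
            for i, j in combinations(sorted(X), 2) if X[i] & X[j]}


class UnionFind:
    """Minimal disjoint-set structure used to track connectivity of G_Y."""

    def __init__(self):
        self.parent = {}

    def find(self, v):
        self.parent.setdefault(v, v)
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]
            v = self.parent[v]
        return v

    def union(self, u, v):
        self.parent[self.find(u)] = self.find(v)


def minimal_subgraph(X):
    """Return (G_m, W) where W is the union of the removed edge sets W_Y."""
    G = equation_graph(X)
    removed = set()
    for Y in set(G.values()):
        # Step 1: G_Y consists of all edges whose label contains Y.
        GY = {e: lab for e, lab in G.items() if Y <= lab}
        # Edges with a label strictly larger than Y are never in W_Y; they
        # already connect some vertices of G_Y before any V_Y edge is considered.
        uf = UnionFind()
        for (s, r), lab in GY.items():
            if lab != Y:
                uf.union(s, r)
        # Step 2: among the edges labeled exactly Y (the set V_Y), keep one only
        # when it joins two components that are still separate; every other
        # V_Y edge is redundant for connectivity and goes into W_Y.
        for (s, r) in sorted(e for e, lab in GY.items() if lab == Y):
            if uf.find(s) == uf.find(r):
                removed.add((s, r))
            else:
                uf.union(s, r)
    # Step 3: remove all W_Y at once.
    Gm = {e: lab for e, lab in G.items() if e not in removed}
    return Gm, removed


def has_property_1(G, Gm):
    """Property 1: every edge (E_i, E_j) of G has a path in G_m all of whose
    edge labels contain X_{i,j}."""
    for (i, j), Y in G.items():
        # Breadth-first search in G_m restricted to edges whose label contains Y.
        seen, queue = {i}, deque([i])
        while queue:
            v = queue.popleft()
            for (s, r), lab in Gm.items():
                if v in (s, r) and Y <= lab:
                    w = r if v == s else s
                    if w not in seen:
                        seen.add(w)
                        queue.append(w)
        if j not in seen:
            return False
    return True


if __name__ == "__main__":
    G = equation_graph(EXAMPLE_X)
    Gm, W = minimal_subgraph(EXAMPLE_X)
    print(f"{len(G)} edges in G, {len(Gm)} in G_m; removed {sorted(W)}")
    print("property 1 holds:", has_property_1(G, Gm))
```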
2.2 Agreeing2 algorithm
This is an asymptotically faster variant of the Agreeing Algorithm, see [16].
(Precomputation.) For each maximal edge (Ei , E j ) find the set Xi, j and the number
r = |Xi, j |. For each r -bit address b the unordered tuple of lists
{Vi, j (b); Vj,i (b)} (3)
is precomputed. The lists Vi, j (b) and Vj,i (b) consist of vectors from
Vi and respectively Vj whose projection to variables Xi, j is b. The
list of tuples is sorted using some linear order. The algorithm marks
vectors, which are wrong solutions, in tuples (3). Then all marked
vectors are deleted from Vi . We say list Vi, j (b) empty if it does not
contain any entries or all its entries are marked.
Fig. 1 Edges removing
(Agreeing.) The Algorithm starts with the first tuple {Vi, j (b); Vj,i (b)}, where
just one of two lists is empty. If no such tuples are found, then a
variable guess is necessary to produce some initial marking in tuples
(see example below). Another option is to glue, see [18], some of
the equations and recompute tuples. The Algorithm follows the rules:
1. Let the current tuple be {Vi, j (b); Vj,i (b)}, where Vi, j (b) is
empty, while Vj,i (b) is not.
2. For every unmarked a in Vj,i (b) do: mark a in Vj,i (b), for every
maximal edge (E j , Ek) do: compute the projection d of a to
variables X j,k , mark a in Vj,k(d), the tuple {Vj,k(d); Vk, j (d)} is
now current.
3. If just one of Vj,k(d) or Vk,j(d) is found empty, then apply step 1. If not, then take another maximal edge (Ej, Ek) or another unmarked a in Vj,i(b). If Vj,i(b) is already empty, then backtrack to the tuple that preceded {Vi,j(b); Vj,i(b)} in the walk. If {Vi,j(b); Vj,i(b)} was the starting tuple, then start a new walk with the next tuple where just one of the lists is empty, or terminate walking.
4. All vectors that have been earlier marked in the tuples are now
deleted from Vi .
We see that for each starting tuple the algorithm walks through a search tree with backtrack-
ing. If new markings do not occur in the current tree, then the next tuple, where just one list
is empty, is taken. The algorithm stops when in all tuples {Vi, j (b); Vj,i (b)} the lists both are
empty or both non-empty.
We remark that each tuple {a1, . . . , ar; b1, . . . , bs} implements two implications. First, marking all of {a1, . . . , ar} implies marking all of {b1, . . . , bs}, which can be denoted ā1, . . . , ār ⇒ b̄1, . . . , b̄s, and vice versa b̄1, . . . , b̄s ⇒ ā1, . . . , ār. The Agreeing2 Algorithm simply expands marking through these implications.
Lemma 3 The equations (1) are pairwise agreed if and only if in all {Vi,j(b); Vj,i(b)} defined for maximal edges (Ei, Ej) the lists are both empty or both non-empty.
Lemma 4 Let for at least one edge (Ei, Ej) the lists Vi,j(b) be empty for all b. Then the system is inconsistent.
Fig. 2 The marking expansion
2.3 Example
Let three Boolean equations E1, E2, E3 be given in algebraic normal form:
1 + x3 + x1x2 + x1x3 + x1x2x3 = 0,
1 + x1 + x4 = 0,
1 + x3 + x2x4 + x3x4 + x2x3x4 = 0.
Represent them as lists of solutions:

      x1 x2 x3          x1 x4          x2 x3 x4
a1     0  0  1     b1    0  1     c1    0  1  0
a2     0  1  1     b2    1  0     c2    1  0  1
a3     1  1  0                    c3    1  1  0      (4)

The list of tuples: P = {a1, a2; b1}, Q = {a3; b2}, R = {b1; c2}, T = {b2; c1, c3}, U = {a1; c1}, V = {a2; c3}, W = {a3; c2}. As there are no tuples with just one list empty, a guess is necessary to start marking. We mark with a bar.
Assume x4 = 0. So b1 should be marked. We now have two tuples where just one of the lists is empty: {b̄1; a1, a2} and {b̄1; c2}. According to the algorithm, take the first of the two. Then a1 gets marked in {b̄1; a1, a2} and in {a1; c1}. Therefore, c1 gets marked in {ā1; c1} and then in {c1, c3; b2}. Now backtrack and mark a2 in {b̄1; ā1, a2} and in {a2; c3}, and so on. The sequence of markings is represented in Fig. 2. All entries in all tuples have been marked, so the guess was wrong. Alternatively, we could add a new tuple {b1; ∅} to the tuple list and start marking. Similarly, all tuple lists become empty in case x4 = 1. The system has no solution.
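The marking walk above, as an added Python example that is not from the paper: it precomputes the tuples (3) for the equations (4), expands markings through the two implications of each tuple until nothing changes (the same propagation the circuit lattice of Sect. 3 performs with voltage), and reports inconsistency once some Vi is entirely marked. The vector names a1, b1, c1 and the function names are my own; the guess is introduced into E2, as in the text.

```python
from itertools import combinations

# Constructed input: the three equations of (4) as (ordered variables, named solution vectors).
EQUATIONS = {
    1: (("x1", "x2", "x3"), {"a1": (0, 0, 1), "a2": (0, 1, 1), "a3": (1, 1, 0)}),
    2: (("x1", "x4"), {"b1": (0, 1), "b2": (1, 0)}),
    3: (("x2", "x3", "x4"), {"c1": (0, 1, 0), "c2": (1, 0, 1), "c3": (1, 1, 0)}),
}


def project(vec, variables, onto):
    """Projection of an X_i-vector to the variables `onto` (in their given order)."""
    return tuple(vec[variables.index(v)] for v in onto)


def build_tuples(eqs):
    """Precomputation: for every edge with a non-empty label X_{i,j} (all three edges
    of (4) are maximal, so none is skipped here) and every address b, the tuple
    {V_{i,j}(b); V_{j,i}(b)} as a pair of lists of vector names."""
    tuples = []
    for i, j in combinations(sorted(eqs), 2):
        (Xi, Vi), (Xj, Vj) = eqs[i], eqs[j]
        common = tuple(v for v in Xi if v in Xj)
        if not common:
            continue
        by_address = {}
        for name, vec in Vi.items():
            by_address.setdefault(project(vec, Xi, common), ([], []))[0].append(name)
        for name, vec in Vj.items():
            by_address.setdefault(project(vec, Xj, common), ([], []))[1].append(name)
        tuples.extend(by_address.values())
    return tuples


def guess_marks(eqs, eq_index, var, value):
    """Marking induced by guessing var = value inside equation E_{eq_index}:
    every vector of that equation disagreeing with the guess is wrong."""
    Xi, Vi = eqs[eq_index]
    return {name for name, vec in Vi.items() if vec[Xi.index(var)] != value}


def agreeing2(tuples, initial=frozenset()):
    """Expand markings through the two implications of every tuple
    (ā1..ār ⇒ b̄1..b̄s and b̄1..b̄s ⇒ ā1..ār) until nothing changes.
    A list is 'empty' when it has no entries or all its entries are marked."""
    marked = set(initial)
    changed = True
    while changed:
        changed = False
        for left, right in tuples:
            for src, dst in ((left, right), (right, left)):
                if all(a in marked for a in src):      # src is empty
                    newly = set(dst) - marked
                    if newly:
                        marked |= newly
                        changed = True
    return marked


def inconsistent(eqs, marked):
    """Lemma 4/5: the system is inconsistent once some V_i is entirely marked."""
    return any(set(Vi) <= marked for _, Vi in eqs.values())


def check_guess(eqs, eq_index, var, value):
    """Run Agreeing2 after the guess; return (inconsistent?, marked vectors)."""
    tuples = build_tuples(eqs)
    marked = agreeing2(tuples, guess_marks(eqs, eq_index, var, value))
    return inconsistent(eqs, marked), marked


if __name__ == "__main__":
    print(len(build_tuples(EQUATIONS)), "tuples")           # the seven tuples P..W
    for value in (0, 1):
        bad, marked = check_guess(EQUATIONS, 2, "x4", value)
        print(f"x4 = {value}: inconsistent={bad}, marked={sorted(marked)}")
```

Both guesses mark all eight vectors, so the system is inconsistent, exactly as the walk in the text concludes.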
3 Agreeing with a circuit lattice
Switches. A circuit lattice is a combination of switches and wires. There are two types of switches, as in Fig. 3. A type 1 switch (1-switch) controls vertical circuits connected in parallel and powered by the same battery, and is itself controlled by any of the horizontal circuits, also connected in parallel and powered by another battery: voltage detected in at least one horizontal circuit makes the switch close. That may induce voltage in all vertical circuits simultaneously. Similarly, a type 2 switch (2-switch) controls horizontal circuits connected in parallel and is controlled by any of the vertical circuits; voltage detected in a vertical circuit makes the switch close. That may induce voltage in all horizontal circuits. Only switches with one vertical and one horizontal input circuit are used in this Section to construct the Circuit Lattice. Later, in Sect. 4, we will see that using switches with multiple horizontal and vertical input circuits enables constructing Reduced Circuit Lattices with a much lower number of switches.
Fig. 3 The type 1 and 2 switches
Fig. 4 The horizontal circuit for a particular solution a
Circuit lattice construction. Assume the list of tuples (3) is precomputed. The device is a lattice of horizontal and vertical circuits with intersections at switches of two types, as in Fig. 6. The horizontal circuits are in one-to-one correspondence with solutions a ∈ Vi to the equations Ei in (1). So
1. each a ∈ Vi defines the horizontal circuit labeled a, as in Fig. 4. The 1-switches on the horizontal circuit a are connected either in series or in parallel; we choose here the series connection. The 2-switches should be connected in parallel.
2. each tuple {a1, . . . , ar; b1, . . . , bs} defines two vertical circuits, see Fig. 5. They implement the two related implications. The left one crosses the horizontal circuits a1, . . . , ar at switches of type 1 and b1, . . . , bs at switches of type 2. Therefore it implements the implication ā1, . . . , ār ⇒ b̄1, . . . , b̄s. That means potential in all horizontal circuits a1, . . . , ar implies potential in all horizontal circuits b1, . . . , bs simultaneously. Similarly, the right circuit in Fig. 5 implements the other implication b̄1, . . . , b̄s ⇒ ā1, . . . , ār. Also see Fig. 6, which represents the circuit lattice for Eq. 4.
The number of 1-switches equals the number of 2-switches on each horizontal circuit; this is the number of tuples (3) in which a occurs. As the horizontal circuits are labeled by vectors a ∈ Vi, there are Σi |Vi| horizontal circuits. Assume voltage (potential) is detected in a horizontal circuit. That is due to one of the 2-switches on that circuit being closed. Then all 1-switches on this circuit get closed too. This may imply voltage in vertical circuits, e.g. in circuits P1 and T1 in Fig. 4. That happens if all other 1-switches on these vertical circuits (e.g. on P1 and T1) are closed. Then their 2-switches get closed. That affects new horizontal circuits and voltage expands, and so on. We remark that all horizontal circuits consume power from the same battery. All vertical circuits may be powered from another battery.
Solving. Solving starts with inducing potential into the circuit lattice. The potential may appear due to the tuples with just one of the lists empty. That is similar to the Agreeing2 method explained before, as we start the algorithm with such tuples. So potential appears in one of the two vertical circuits constructed from {∅; b1, . . . , bs} as soon as the battery is switched on. This induces voltage in the horizontal circuits b1, . . . , bs. Voltage may then be induced in some new vertical and horizontal circuits, and so on. One easily sees that potential is detected in a horizontal circuit labeled a if and only if a is marked by the Agreeing2 algorithm. That is, a can't be a part of any common solution to Eq. 1. Therefore, the following statement is obvious.
Fig. 5 The vertical circuits defined by {a1, . . . , ar; b1, . . . , bs}
Lemma 5 Assume that after inducing potential in the circuit lattice, it is detected in each horizontal circuit aj ∈ Vi for at least one Vi. Then the system is inconsistent.
If there are no tuples with just one empty list, then the device won't start. So variable guesses are to be introduced to start voltage expansion. Assume we are to guess the value of x ∈ Xi for some equation Ei. Let a1, . . . , at be all vectors in Vi where x = 0, and at+1, . . . , ar all vectors in Vi where x = 1. Each horizontal circuit a ∈ Vi is provided with one additional 2-switch, connected in parallel with the other 2-switches. Two vertical circuits S1 and S2 are constructed by connecting the new 2-switches on the horizontal circuits at+1, . . . , ar and a1, . . . , at respectively. It is not necessary to use 1-switches here as they won't play any role. To guess x = 0 one switches on the vertical circuit S1, while S2 is off. To guess x = 1 one switches on the other vertical circuit S2, while S1 is off. See Fig. 6 for an example. Note that S1 and S2 are there constructed for guessing the value of x4 in E2.
Example. The circuit lattice for Eq. 4 is represented in Fig. 6. The two vertical circuits related to each tuple P, Q, . . . are denoted P1, P2, Q1, Q2, . . . . So for the tuple P = {a1, a2; b1} we define two circuits, where P1 implements the implication ā1, ā2 ⇒ b̄1 and P2 implements the implication b̄1 ⇒ ā1, ā2. Similarly for the remaining tuples. There are two additional circuits S1 and S2 used for introducing guesses on x4. Each of these two circuits incorporates one additional 2-switch. So the device is composed of 34 switches in all. In order to check x4 = 0, one turns the circuit S1 on, while S2 is off. This results in the 2-switch on the circuit S1 getting closed, and voltage appears in the horizontal circuit b1. The two 1-switches on b1 get closed and therefore voltage appears in the two vertical circuits R2 and P2. All 2-switches on them become closed and voltage expands to the horizontal circuits a1, a2, c2, and so on. Finally, after a number of simultaneous switch turns, voltage is detected in all horizontal circuits. The guess was wrong. Similarly, the circuit S2 is switched on, with S1 off, in order to check x4 = 1. All horizontal circuits get voltage. This guess was wrong too. The system is therefore inconsistent.
The number of switches. The main characteristic of the device is the number of switches. This is twice the number of vectors in all tuples (3) for maximal edges and is computed by the formula

$$2 \sum_{(E_i, E_j) \in A} \sum_{b} \bigl(|V_{i,j}(b)| + |V_{j,i}(b)|\bigr) = 2 \sum_{(E_i, E_j) \in A} \bigl(|V_i| + |V_j|\bigr). \qquad (5)$$

Fig. 6 The circuit lattice for Eq. 4
The external sum is over all maximal edges (Ei , E j ) ∈ A in G. For guessing s variables
x1 ∈ Xi1 , . . . , xs ∈ Xis there should be also |Vi1 | + · · · + |Vis | additional switches.
The number of wires. We also count the number of wires necessary to connect the switches in the circuit lattice. The number of wires in all vertical circuits is obviously the number of lattice switches (5) plus the number of vertical circuits themselves; the latter value equals twice the number of tuples. In a horizontal circuit the type 2 switches are connected in parallel, so the number of wires is the number of type 1 switches plus twice the number of type 2 switches plus two. Therefore, the number of wires in all horizontal circuits is $3 \sum_{A} (|V_i| + |V_j|) + 2 \sum_{i} |V_i|$. So the total number of wires should be

$$5 \sum_{(E_i, E_j) \in A} \bigl(|V_i| + |V_j|\bigr) + 2 \sum_{i} |V_i| + 2 \sum_{\text{tuples}} 1. \qquad (6)$$

For guessing s variables x1 ∈ Xi1, . . . , xs ∈ Xis there should also be |Vi1| + · · · + |Vis| + 2s additional wires.
4 Reduced circuit lattices
In this section we briefly discuss how to reduce the parameters of the device (the number of switches and wires) by using switches that control several circuits connected in parallel, and are themselves controlled by any of several parallel circuits, see Fig. 3.
Fig. 7 The reduced horizontal circuit for a particular solution a
Fig. 8 The reduced vertical circuits defined by {a1, . . . , ar; b1, . . . , bs}
First, we modify each horizontal circuit so that it now comprises only one 1-switch and one 2-switch. The same 1-switch now controls all vertical circuits that passed via 1-switches on that horizontal circuit in the above Circuit Lattice (CL). Then the same 2-switch controls that horizontal circuit by any of the vertical circuits passing via its 2-switches in CL. So the horizontal circuit in Fig. 4 now transforms into that in Fig. 7. We keep all vertical circuits intact. The number of switches becomes $2 \sum_i |V_i|$, while the number of wires is essentially $2 \sum_{A} (|V_i| + |V_j|)$. We call the described device Reduced Circuit Lattice 1 (RCL1). It operates similarly to CL.
We will further reduce the device parameters by observing that one 2-switch can control several horizontal circuits. We keep one type 1 switch on each horizontal circuit as above. Particular a ∈ Vi are in one-to-one correspondence with 1-switches. So we say there is voltage in the horizontal circuit a if the related 1-switch is closed. However, the connections in the vertical circuits related to a tuple are now as in Fig. 8; compare with those in Fig. 5. The number of switches now becomes $\sum_i |V_i| + 2 \sum_{\text{tuples}} 1$, while the number of wires is essentially $2 \sum_{A} (|V_i| + |V_j|)$. We call the described device Reduced Circuit Lattice 2 (RCL2).
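Formulas (5) and (6) of Sect. 3 and the two reduced counts above, carried through on equations (4) as an added Python example (not the paper's own code): the numbers of maximal edges, tuples and vectors are computed from the solution lists, and the CL count with the guess on x4 in E2 reproduces the 34 switches of the Sect. 3 example. It assumes that only addresses b occurring in Vi or Vj count as tuples, and that guess switches and wires are added to CL only, as the text describes them there.

```python
from itertools import combinations

# Constructed input: the equations of (4); only the sizes |V_i| and the projections matter.
EQUATIONS = {
    1: (("x1", "x2", "x3"), [(0, 0, 1), (0, 1, 1), (1, 1, 0)]),
    2: (("x1", "x4"), [(0, 1), (1, 0)]),
    3: (("x2", "x3", "x4"), [(0, 1, 0), (1, 0, 1), (1, 1, 0)]),
}


def maximal_edges(eqs):
    """Edges with a non-empty label. For (4) the three labels {x1}, {x4}, {x2, x3}
    are pairwise incomparable, so every edge is maximal; a general system would
    first run the minimal-subgraph algorithm of Sect. 2.1."""
    return [(i, j) for i, j in combinations(sorted(eqs), 2)
            if set(eqs[i][0]) & set(eqs[j][0])]


def tuple_count(eqs, edges):
    """Number of tuples (3): one per edge and per address b occurring on either side
    (assumption: addresses absent from both V_i and V_j are not counted)."""
    total = 0
    for i, j in edges:
        (Xi, Vi), (Xj, Vj) = eqs[i], eqs[j]
        common = [v for v in Xi if v in Xj]
        addresses = {tuple(vec[Xi.index(v)] for v in common) for vec in Vi}
        addresses |= {tuple(vec[Xj.index(v)] for v in common) for vec in Vj}
        total += len(addresses)
    return total


def lattice_parameters(eqs, guessed=()):
    """Switch and wire counts of CL (formulas (5), (6)), RCL1 and RCL2 (Sect. 4).
    `guessed` lists the equations E_i in which a variable is guessed; each adds
    |V_i| switches and |V_i| + 2 wires to CL, as stated after (5) and (6)."""
    edges = maximal_edges(eqs)
    sum_A = sum(len(eqs[i][1]) + len(eqs[j][1]) for i, j in edges)  # Σ_A (|V_i| + |V_j|)
    sum_V = sum(len(Vi) for _, Vi in eqs.values())                   # Σ_i |V_i|
    tuples = tuple_count(eqs, edges)
    guess_sw = sum(len(eqs[i][1]) for i in guessed)
    guess_wires = guess_sw + 2 * len(guessed)
    return {
        "CL":   {"switches": 2 * sum_A + guess_sw,
                 "wires": 5 * sum_A + 2 * sum_V + 2 * tuples + guess_wires},
        "RCL1": {"switches": 2 * sum_V, "wires": 2 * sum_A},
        "RCL2": {"switches": sum_V + 2 * tuples, "wires": 2 * sum_A},
    }


if __name__ == "__main__":
    # Guess on x4 introduced in E2, as in the Sect. 3 example.
    for device, p in lattice_parameters(EQUATIONS, guessed=(2,)).items():
        print(f"{device:5s} switches={p['switches']:4d} wires={p['wires']:4d}")
```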
5 Guessing the variable values
Equations from a cipher. The number of key variables is commonly very small compared with the total number of system variables. Guessing all key variables results in the whole system collapsing under any of the Agreeing Algorithms. This is a variant of the brute force attack. If Agreeing works faster than the cipher encryption, then an advantage over the common brute force attack is observed. It might well be that only a proper subset of the key variables needs to be guessed before the system is solved with Agreeing, see the Introduction, where the issue is briefly discussed.
Random equations. Generally, s-variable guesses result in 2^s trials (Agreeing runs). However, in randomly generated sparse equations there is a more efficient approach based on Gluing [15]. Assume that an s-bit guess is enough for solving (1) or finding it inconsistent with Agreeing. Look at the gluing of some t equations:
(X(t), Ut) = (Xi1, Vi1) ◦ (Xi2, Vi2) ◦ · · · ◦ (Xit, Vit),
where s = |X(t)| and X(t) = Xi1 ∪ Xi2 ∪ . . . ∪ Xit. In other words, Ut is the set of all common solutions to the equations Ei1, . . . , Eit. The number of vectors in Ut is 2^{s−t} on average, see Lemma 4 in [18]. The vectors of Ut are produced one after the other as in [18] with the cost per vector proportional to t. So it is not necessary to keep the whole set Ut. This is true for t smaller than some critical value α0nl, where

$$\alpha_0 = 2^{1/l} \ln\left(\frac{1 - 1/2}{1 - (1/2)^{1/l}}\right),$$

see [18]. So the total complexity of solving is roughly proportional to 2^{s−t} Agreeing runs.
6 DES and triple DES equations
The DES and the Triple DES equation systems are constructed in the Appendix, where the input/output 64-bit blocks are considered variables too. So each equation comprises 20 variables and admits 2^16 solutions. Table 2 provides the equation system parameters: the number of equations, the number of variables, the number of edges of the adjacent graph with nonempty labels, the number of maximal edges and the number of tuples (3). Any of the Circuit Lattices may be used to compute the key for any given plain-texts and related cipher-texts. These are introduced into a Circuit Lattice similarly to the guessed key-bits. However, plain-text and cipher-text bits do not change during the whole computation. So any CL should have 2 × 56 + 2 × 128 = 368 input contacts for the DES and 2 × 112 + 2 × 128 = 480 input contacts for the Triple DES.
Tables 3 and 4 show the main characteristics of the Circuit Lattices for DES and Triple DES: the number of necessary switches, wires and input contacts, which are computed by formulas (5) and (6) and in Sect. 4.
Table 2 DES and triple DES equations

       Number of equations   Variables   Edges    Maximal edges   Tuples
DES    128                   632         3,545    1,409           16,636
TDES   384                   1,712       16,831   3,929           71,320

Table 3 DES circuit lattice implementations

       Number of switches   Wires        Input contacts
CL     3.9 × 10^8           9.5 × 10^8   368
RCL1   1.7 × 10^7           3.9 × 10^8   368
RCL2   8.5 × 10^6           3.9 × 10^8   368

Table 4 TDES circuit lattice implementations

       Number of switches   Wires        Input contacts
CL     1.1 × 10^9           2.7 × 10^9   480
RCL1   5.1 × 10^7           1.1 × 10^9   480
RCL2   2.6 × 10^7           1.1 × 10^9   480

Two plain-text, cipher-text 64-bit blocks uniquely define the 112-bit key in the Triple DES. So for the key search there should be two of the above described devices working in parallel. The speed of computation is determined by the time that a switch takes to turn. However, how many switch turns are necessary before the system is found inconsistent is generally difficult to estimate; this is an open problem. Voltage expands in a highly parallel manner through several circuits which affect each other, and many switches turn simultaneously. Fortunately, the estimate is easy for round ciphers like DES or Triple DES. Assume all key variables are guessed at once. Then all type 1 switches in tuples related to pairs of equations in subsequent rounds turn simultaneously when voltage expands from one round to the next. That makes the related type 2 switches turn too. This is so even if the Agreeing only runs through maximal edges of the adjacent graph. Therefore the time, measured in switch turns, that the solver takes to agree all equations pairwise is twice the number of rounds. In particular, to reject one wrong key in the Triple DES takes at most 2 × 48 switch turns.
7 Conclusion, open problems and discussion
The paper describes a hardware implementation of the Agreeing Algorithm aimed at finding
solutions to a system of sparse Boolean equations, e.g. coming from ciphers. A guess on some
variables is introduced into the device, which signals if the system is inconsistent after that
guess. The device architecture, implemented with a lattice of circuits, is transparent. However,
it is an open problem whether the circuit lattice for a real world cipher like DES or Triple
DES is implementable within the current technology of the computer industry.
There are several related problems:
1. The number of switches is the most important parameter of the solver. The data in Tables 3 and 4
show that the equation systems for the DES and the Triple DES require a number of
switches which is within the number of transistors now available on one semiconductor
crystal. For instance, Intel announced a Dual-Core Itanium 2 processor with more than 1.7
billion transistors, see [9]. Obviously, a transistor is able to work as a switch.
2. Special-purpose hardware that supplies guesses on the fixed variables one after another is to be
devised. Its speed should be comparable with that of the solver. The device is similarly
constructed from wires and switches and controlled by the output signal from the solver. We
do not discuss this in detail as its construction is rather obvious. It is easy to see
that its cost should be only 2 switch turns on average.
3. The transistor speed (the speed of a turn) is constantly increasing. E.g., the historical 17%
per year performance improvement is also predicted in [24] for the next decade. Then a new
speed record for the world's fastest transistor, at more than 1 THz (1,000 GHz), was reported, see
[10]. However, to be on the safe side we assume available transistors with a
speed of about 100 GHz. Assume it is feasible to integrate one billion or so such transistors
on one semiconductor chip as a Triple DES Circuit Lattice. We remark that Reduced
Circuit Lattices require a much lower number of transistors; see Table 4. Then the average
time for producing a guess on 112 key variables and finding the system's inconsistency
is approximately 2 × 48 + 2 = 98 switch turns. So the key-rejecting rate is approx-
imately 1 GHz in this case. This compares favorably with what is currently achieved,
about 0.034 GHz.
Acknowledgments The author is grateful to Håvard Raddum and Valerij Kutuzov for useful discussions,
Thorsten Schilling for indicating a flaw in the first version of Lemma 2, and anonymous referees from WCC'09 and
"Designs, Codes and Cryptography" for thoroughly reading the paper and numerous suggestions on improving
the presentation. The author was partially supported by the grant NIL-I-004 from Iceland, Liechtenstein and
Norway through the EEA Financial Mechanism and the Norwegian Financial Mechanism.
Open Access This article is distributed under the terms of the Creative Commons Attribution Noncommer-
cial License which permits any noncommercial use, distribution, and reproduction in any medium, provided
the original author(s) and source are credited.
8 Appendix
In this Appendix we describe how to build the equation system from the DES algorithm.
Similar equations are constructed for the Triple DES. The applications of the permutation IP
at the input and output are ignored, as is the final swap between 32-bit sub-blocks. The
64-bit internal state of the cipher after the i-th round is denoted by $(R_{i-1}, R_i)$. In particular,
$(R_{-1}, R_0)$ denotes the 64-bit plain-text block and $(R_{15}, R_{16})$ is the related cipher-text block.
All these 128 bits are generally considered known constants. But we write them as variables,
so that when the Agreeing algorithm is run these 128 variables are substituted by con-
stants as if they were guessed. Therefore, the 576 state variables are the bits of $R_{-1}, R_0, R_1, \ldots, R_{15}, R_{16}$.
They are numbered $-63, -62, \ldots, 512$. The 56 key variables are numbered $512 + j$, where
$1 \le j \le 64$ and $j \ne 8, 16, \ldots, 64$.
At every round $i = 1, 2, \ldots, 16$, the sub-blocks $R_i$ are related as
$$R_i \oplus R_{i-2} = P\,S(\bar R_{i-1} \oplus K_i), \qquad (7)$$
where $\bar R_{i-1}$ is the 48-bit expansion of the 32-bit $R_{i-1}$ and $K_i$ is the round key. $P$ denotes the
fixed permutation on 32 symbols and $S$ is the transform implemented by the 8 S-boxes. Eq. (7)
is equivalent to 8 equations, one for each of the S-boxes $S_j$:
$$(P^{-1}(R_i))_j \oplus (P^{-1}(R_{i-2}))_j = S_j\big((\bar R_{i-1})_j \oplus K_{i,j}\big), \qquad (8)$$
where $R_{i,j}$ is a 4-bit sub-block of $R_i$, $K_{i,j}$ is a 6-bit sub-block of $K_i$, and $(T)_j$ denotes a
6 (or 4)-bit sub-block of $T$. Eq. (8) is denoted by $E_{i,j} = E_{j+8(i-1)}$. The full system of the
DES equations consists of 128 equations $E_t$, $t = 1, 2, \ldots, 128$. One equation incorporates
20 variables. For instance, $E_{8,4} = E_{60}$ depends on the 20 variables
$$(P^{-1}(R_6))_4 = (x_{161}, x_{170}, x_{180}, x_{186}),$$
$$(\bar R_7)_4 = (x_{204}, x_{205}, x_{206}, x_{207}, x_{208}, x_{209}),$$
$$(P^{-1}(R_8))_4 = (x_{225}, x_{234}, x_{244}, x_{250}),$$
$$K_{8,4} = (x_{514}, x_{529}, x_{538}, x_{539}, x_{556}, x_{561}).$$
These variables compose the set $X_{60}$. For any values of the following 16 variables,
$$x_{204}, x_{205}, x_{206}, x_{207}, x_{208}, x_{209}, x_{225}, x_{234},$$
$$x_{244}, x_{250}, x_{514}, x_{529}, x_{538}, x_{539}, x_{556}, x_{561},$$
the values of $x_{161}, x_{170}, x_{180}, x_{186}$ are uniquely defined by (8). So $2^{16}$ vectors of length 20
compose the list $V_{60}$. That is, all equations have $2^{16}$ solutions. Let $m \mapsto E_K(m)$ denote
the encryption function on plain-text blocks with the DES algorithm. Then the Triple DES
implements the mapping
$$m \mapsto E_{K_1}(E_{K_2}(E_{K_1}(m))).$$
Therefore the Triple DES equations are determined similarly to those for the DES.
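The construction above, carried out in code as an added example (this is not the paper's own code): it numbers the state and key variables as the Appendix does, builds the 20-variable set $X_t$ of every equation $E_{i,j} = E_{j+8(i-1)}$ from the DES expansion, permutation and key-schedule tables, and enumerates the solution list $V_{60}$ of $E_{8,4}$ as the pair $(X_{60}, V_{60})$ from Sect. 1. The DES tables (E, P, PC-1, PC-2, the shift schedule and S-box S4) are transcribed from the DES standard and are not on the page; the E, P, PC-1, PC-2 and shift tables are checked by reproducing the paper's listing of $E_{8,4}$, while S4 is only assumed correct (any error in it changes the vectors of $V_{60}$, not their number).

```python
# Added example, not from the paper: variable sets X_t of the 128 DES equations
# E_{i,j} = E_{j+8(i-1)} with the Appendix numbering, and the solution list V_60
# of E_{8,4} = E_60.  The DES tables below are transcribed from the DES standard
# (FIPS 46-3); the test checks E, P, PC-1, PC-2 and SHIFTS against the paper's
# own listing of E_{8,4}, S4 is assumed correct.
from itertools import product

E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
           12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2,
       59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6,
       61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
S4 = [[7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
      [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
      [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
      [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]]


def state_var(i, k):
    """Number of bit k (1..32) of R_i, i = -1..16: R_{-1} is -63..-32, R_i is 32(i-1)+1..32i."""
    return 32 * (i - 1) + k


def key_var(j):
    """Number of DES key bit j (1..64, j not a multiple of 8): 512 + j."""
    assert 1 <= j <= 64 and j % 8 != 0
    return 512 + j


def round_key_bits(i):
    """Key-bit numbers (1..64) that make up the 48-bit round key K_i, in K_i order."""
    c, d = PC1[:28], PC1[28:]
    for s in SHIFTS[:i]:          # cumulative left rotations of C and D up to round i
        c, d = c[s:] + c[:s], d[s:] + d[:s]
    cd = c + d
    return [cd[p - 1] for p in PC2]


def equation_groups(i, j):
    """The four variable groups of E_{i,j}, each in S-box bit order:
    (P^-1(R_{i-2}))_j, (R-bar_{i-1})_j, (P^-1(R_i))_j and K_{i,j}."""
    # output bit b of S-box j lands at the position k of P with P[k] = 4(j-1)+b
    out_pos = [P_TABLE.index(4 * (j - 1) + b) + 1 for b in range(1, 5)]
    left = [state_var(i - 2, k) for k in out_pos]
    sbox_in = [state_var(i - 1, E_TABLE[6 * (j - 1) + u]) for u in range(6)]
    right = [state_var(i, k) for k in out_pos]
    key = [key_var(b) for b in round_key_bits(i)[6 * (j - 1):6 * j]]
    return left, sbox_in, right, key


def equation_index(i, j):
    """t such that E_{i,j} = E_t."""
    return j + 8 * (i - 1)


def equation_vars(i, j):
    """X_t for E_{i,j}, sorted: the 20 variables the equation depends on."""
    return sorted(v for g in equation_groups(i, j) for v in g)


def sbox4(bits):
    """S4 on a 6-bit tuple (b1..b6): row is b1b6, column is b2..b5; returns (o1..o4)."""
    row = 2 * bits[0] + bits[5]
    col = 8 * bits[1] + 4 * bits[2] + 2 * bits[3] + bits[4]
    return tuple((S4[row][col] >> (3 - b)) & 1 for b in range(4))


def solutions_e84():
    """(X_60, V_60): V_60 is the set of X_60-vectors, in sorted-variable order,
    satisfying (8) for i = 8, j = 4.  The 16 bits of (R-bar_7)_4, (P^-1(R_8))_4
    and K_{8,4} are free; the 4 bits of (P^-1(R_6))_4 are then determined."""
    left, sbox_in, right, key = equation_groups(8, 4)
    xs = equation_vars(8, 4)
    vs = set()
    bits6, bits4 = list(product((0, 1), repeat=6)), list(product((0, 1), repeat=4))
    for inp, rb, kb in product(bits6, bits4, bits6):
        out = sbox4(tuple(a ^ b for a, b in zip(inp, kb)))   # S_4((R-bar_7)_4 xor K_{8,4})
        lb = tuple(a ^ b for a, b in zip(out, rb))            # (P^-1(R_6))_4 = out xor (P^-1(R_8))_4
        val = dict(zip(left, lb))
        val.update(zip(sbox_in, inp))
        val.update(zip(right, rb))
        val.update(zip(key, kb))
        vs.add(tuple(val[x] for x in xs))
    return xs, vs


def all_variables():
    """Union of X_t over all 128 DES equations (576 state + 56 key variables)."""
    return {v for i in range(1, 17) for j in range(1, 9) for v in equation_vars(i, j)}
```

Running `equation_vars(8, 4)` reproduces the 20 variable numbers the Appendix lists for $E_{60}$, which is the check that the transcribed tables and the numbering agree with the paper; `len(all_variables())` gives the 632 variables of Table 2, and `solutions_e84()` returns $2^{16}$ vectors because each assignment of the 16 free bits fixes the remaining 4 through the S-box.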
References
1. Bardet M., Faugère J.-C., Salvy B.: Complexity of Gröbner basis computation for semi-regular overdetermined sequences over F2 with solutions in F2. Research report RR-5049, INRIA (2003).
2. Clayton R., Bond M.: Experience using a low-cost FPGA design to crack DES keys. In: CHES 2002, LNCS 2523, pp. 579–592. Springer-Verlag (2002).
3. Courtois N., Klimov A., Patarin J., Shamir A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Eurocrypt 2000, LNCS 1807, pp. 392–407. Springer-Verlag (2000).
4. Courtois N.T., Bard G.V.: Algebraic cryptanalysis of the Data Encryption Standard. Cryptology ePrint Archive, Report 2006/402.
5. Courtois N.T., Bard G.V., Wagner D.: Algebraic and slide attacks on KeeLoq. Cryptology ePrint Archive, Report 2007/062.
6. Diffie W., Hellman M.: Exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer 10(6), 74–84 (1977).
7. Electronic Frontier Foundation: Cracking DES: Secrets of Encryption Research, Wiretap Politics and Chip Design. O'Reilly and Associates Inc. (1998).
8. Faugère J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Proc. of ISSAC 2002, pp. 75–83. ACM Press (2002).
9. http://www.intel.com.
10. http://www.semiconductor.net/article/CA6514491.html.
11. Geiselmann W., Matheis K., Steinwandt R.: PET SNAKE: a special purpose architecture to implement an algebraic attack in hardware. Cryptology ePrint Archive, Report 2009/222.
12. Iwama K.: Worst-case upper bounds for kSAT. The Bulletin of the EATCS 82, 61–71 (2004).
13. Kumar S., Paar C., Pelzl J., Pfeiffer G., Schimmler M.: Breaking ciphers with COPACOBANA - a cost-optimized parallel code breaker. In: CHES 2006, LNCS 4249, pp. 101–118. Springer-Verlag (2006).
14. Osvik D.A., Tromer E.: Cryptologic applications of the Playstation 3: Cell SPEED. http://www.hyperelliptic.org/SPEED/slides/Osvik_cell-speed.pdf.
15. Raddum H., Semaev I.: New technique for solving sparse equation systems. Cryptology ePrint Archive, Report 2006/475.
16. Raddum H., Semaev I.: Solving multiple right hand sides linear equations. Designs, Codes and Cryptography 49, 147–160 (2008); extended abstract in Proceedings of WCC'07, 16–20 April 2007, Versailles, France, INRIA (2007).
17. Rouvroy G., Standaert F.-X., Quisquater J.-J., Legat J.-D.: Design strategies and modified descriptions to optimize cipher FPGA implementations: fast and compact results for DES and Triple-DES. In: FPL 2003, LNCS 2778, pp. 181–193. Springer-Verlag (2003).
18. Semaev I.: On solving sparse algebraic equations over finite fields. Designs, Codes and Cryptography 49, 47–60 (2008); extended abstract in Proceedings of WCC'07, 16–20 April 2007, Versailles, France, INRIA (2007).
19. Semaev I.: Sparse algebraic equations over finite fields. SIAM J. Comput. 39, 388–409 (2009).
20. Semaev I.: Improved Agreeing-Gluing algorithm. In: Proceedings of SCC'10, 23–25 June 2010, Royal Holloway, University of London, UK, pp. 73–88.
21. Yang B.-Y., Chen J.-M., Courtois N.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: ICICS 2004, LNCS 3269, pp. 401–413. Springer-Verlag (2004).
22. Wiener M.J.: Efficient DES key search. In: Stallings W.R. (ed.) Practical Cryptography for Data Internetworks, pp. 31–79. IEEE Computer Society Press (1996).
23. Zakrevskij A., Vasilkova I.: Reducing large systems of Boolean equations. In: 4th Int. Workshop on Boolean Problems, Freiberg University, September 2000, pp. 21–22 (2000).
24. Zeitzoff P.: 2007 International Technology Roadmap: MOSFET scaling challenges. Solid State Technology Magazine, February (2008).
