PageRenderTime 46ms CodeModel.GetById 18ms RepoModel.GetById 1ms app.codeStats 0ms

/Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/general.hpp

https://github.com/exp04shy/oklibrary
C++ Header | 271 lines | 0 code | 1 blank | 270 comment | 0 complexity | f6ff16b8f13efdd51a16ec3d35012468 MD5 | raw file
    

  1. // Matthew Gwynne, 2.1.2011 (Swansea)
    2. 

  2. /* Copyright 2011 Oliver Kullmann
    3. 

  3. This file is part of the OKlibrary. OKlibrary is free software; you can redistribute
    4. 

  4. it and/or modify it under the terms of the GNU General Public License as published by
    5. 

  5. the Free Software Foundation and included in this library; either version 3 of the
    6. 

  6. License, or any later version. */
    7. 

  7. 

  8. /*!
    9. 

  9.   \file Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/general.hpp
    10. 

  10.   \brief Investigations into representations for components of the AES related to the SAT 2011 paper
    11. 

    12. 

    13. 

  13.   \todo Connections
    14. 

  14.   <ul>
    15. 

  15.    <li> See
    16. 

  16.    ComputerAlgebra/Satisfiability/Lisp/LinearConditions/plans/general.hpp for
    17. 

  17.    the handling of linear constraints in general. </li>
    18. 

  18.   </ul>
    19. 

    20. 

    21. 

  21.   \todo Considering output bits on their own
    22. 

  22.   <ul>
    23. 

  23.    <li> For better comparison with the DES-paper (see
    24. 

  24.    Cryptography/AdvancedEncryptionStandard/plans/general.hpp), we also need
    25. 

  25.    to consider the treatment of the boxes as 8 boolean functions (one for each
    26. 

  26.    output bit). </li>
    27. 

  27.    <li> In this way at least encryption by just UCP is ensured. </li>
    28. 

  28.    <li> We need to compare it with our standard approach, considering the
    29. 

  29.    whole boolean function. </li>
    30. 

  30.    <li> This needs to be done for all approaches (minimum, canonical, and
    31. 

  31.    bases). </li>
    32. 

  32.   </ul>
    33. 

    34. 

    35. 

  35.   \todo Overview
    36. 

  36.   <ul>
    37. 

  37.    <li> One needs to systematically explore CNF representations, with and
    38. 

  38.    without new variables. </li>
    39. 

  39.    <li> We consider methods for computing the following representations
    40. 

  40.    for the AES boxes:
    41. 

  41.    <ul>
    42. 

  42.     <li> the prime implicates.
    43. 

  43.     <li> minimum CNF representations. </li>
    44. 

  44.     <li> small (minimal) CNF representations 
    45. 

  45.     (in cases where minimum representations are infeasible). </li>
    46. 

  46.    </ul>
    47. 

  47.    These are described in 
    48. 

  48.    Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Methods.hpp .
    49. 

  49.    </li>
    50. 

  50.    <li> There are currently open investigations in the following files:
    51. 

  51.    <ul>
    52. 

  52.     <li> 8-bit Sbox:
    53. 

  53.     Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Sbox_8.hpp </li>
    54. 

  54.     <li> 8-bit Multiplication by 3:
    55. 

  55.     Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Mul_3_8.hpp </li>
    56. 

  56.     <li> 8-bit Multiplication by 9:
    57. 

  57.     Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Mul_9_8.hpp </li>
    58. 

  58.     <li> 8-bit Multiplication by 11:
    59. 

  59.     Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Mul_11_8.hpp </li>
    60. 

  60.     <li> 8-bit Multiplication by 13:
    61. 

  61.     Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Mul_13_8.hpp </li>
    62. 

  62.     <li> 8-bit Multiplication by 14:
    63. 

  63.     Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Mul_14_8.hpp </li>
    64. 

  64.    </ul>
    65. 

  65.    </li>
    66. 

  66.    <li> For R-based representations see "R-based representations". </li>
    67. 

  67.   </ul>
    68. 

    69. 

    70. 

  70.   \todo Combining linear components
    71. 

  71.   <ul>
    72. 

  72.    <li> A full description of all of the possibilities for recombining
    73. 

  73.    AES and small scale linear components (from the Sbox and MixColumns)
    74. 

  74.    needs to be provided. </li>
    75. 

  75.    <li> The idea here is that, due to the linearity of the Sbox's affine
    76. 

  76.    transformation, and the MixColumns operations, as well as the
    77. 

  77.    fact the Shiftrows simply permutes bytes, the linear aspects of the Sbox
    78. 

  78.    can be moved out, and seperated (in the case of the affine addition),
    79. 

  79.    or merged into the boxes for the MixColumn. </li>
    80. 

  80.    <li> For the Sbox, we have 3 possibilities:
    81. 

  81.     <ul>
    82. 

  82.      <li> Full Sbox (M . s^(-1) + A) . </li>
    83. 

  83.      <li> Sbox minus addition of the affine constant (M . s^(-1)). </li>
    84. 

  84.      <li> Sbox minus affine transform entirely (s^(-1)). </li>
    85. 

  85.     </ul>
    86. 

  86.    </li>
    87. 

  87.    <li> For the MixColumn multiplications, we have 2 possibilities:
    88. 

  88.    <ul>
    89. 

  89.     <li> Standard byte-field multiplications. </li>
    90. 

  90.     <li> Sbox linear component (M) and Standard byte-field multiplications
    91. 

  91.     together. </li>
    92. 

  92.    </ul>
    93. 

  93.    </li>
    94. 

  94.    <li> A description of how to generate such translation is needed. </li>
    95. 

  95.    <li> See also "Rearranging linear components of Sbox and MixColumns" in
    96. 

  96.    ComputerAlgebra/Cryptology/Lisp/Cryptanalysis/Rijndael/plans/Translations.hpp. 
    97. 

  97.    </li>
    98. 

  98.   </ul>
    99. 

    100. 

  100.   
    101. 

  101.   \todo Scripts for generating statistics on random boxes
    102. 

  102.   <ul>
    103. 

  103.    <li> We currently wish to investigate various types of random 
    104. 

  104.    boxes to see how they compare with the standard AES components. </li>
    105. 

  105.    <li> Therefore, we need scripts to generate and almalgamate this data.
    106. 

  106.    </li>
    107. 

  107.    <li> We can generate the various random boxes using:
    108. 

  108.    <ul>
    109. 

  109.     <li> Random boolean function - random_full_fcs in 
    110. 

  110.     ComputerAlgebra/Satisfiability/Lisp/Generators/RandomClauseSets.mac .
    111. 

  111.     </li>
    112. 

  112.     <li> Random linear maps - ss_sbox_linmap_gen_cnfp in
    113. 

  113.     ComputerAlgebra/Cryptology/Lisp/Cryptanalysis/Rijndael/SboxAnalysis.mac .
    114. 

  114.     </li>
    115. 

  115.     <li> Random permutations - random_permutation and perm2cnffcs in
    116. 

  116.     ComputerAlgebra/Satisfiability/Lisp/FiniteFunctions/Permutations.mac .
    117. 

  117.     </li>
    118. 

  118.    </ul>
    119. 

  119.    </li>
    120. 

  120.    <li> We also need scripts to investigate the small scale multiplications,
    121. 

  121.    as well as the multiplications combined with the Sbox linear map (see
    122. 

  122.    ComputerAlgebra/Cryptology/Lisp/Cryptanalysis/Rijndael/FieldOperationsAnalysis.mac).
    123. 

  123.    </li>
    124. 

  124.   </ul>
    125. 

    126. 

    127. 

  127.   \todo Find "best" solver(s) and local search algorithms for minimisation
    128. 

  128.   <ul>
    129. 

  129.    <li> There are currently a considerable number of problems in our
    130. 

  130.    investigation which require the solving of minimisation problems 
    131. 

  131.    and finding transversals of subsumption hypergraphs when looking for 
    132. 

  132.    minimum CNF representations
    133. 

  133.    (see 
    134. 

  134.    Experimentation/Investigations/Cryptography/AdvancedEncryptionStandard/plans/SAT2011/Representations/Methods.hpp)
    135. 

  135.    </li>
    136. 

  136.    <li> We need a survey of the various solvers and local search algorithms
    137. 

  137.    that we can use with these problems, along with their performance on
    138. 

  138.    small instances, so that we can apply the best methods we have given
    139. 

  139.    limited resources. </li>
    140. 

  140.   </ul>
    141. 

    142. 

    143. 

  143.   \todo Standard naming scheme for experiment files
    144. 

  144.   <ul>
    145. 

  145.    <li> We need to think of a naming scheme for the AES boxes so
    146. 

  146.    we can create the hpp files discussing them in this directory. </li>
    147. 

  147.    <li> We have the following boxes to investigate:
    148. 

  148.    <ul>
    149. 

  149.     <li> Sboxes with the following variants and parameters:
    150. 

  150.     <ul>
    151. 

  151.      <li> Sboxes with exponent / number of bits ranging from 1-8. </li>
    152. 

  152.      <li> Sboxes without and without the affine constant addition
    153. 

  153.      and linear multiplication (see "Combining linear components"). </li>
    154. 

  154.      <li> random permutations for the Sbox. </li>
    155. 

  155.      <li> random linear maps inside and outside the Sbox. </li>
    156. 

  156.     </ul>
    157. 

  157.     At the simplest level we vary the exponent (as in the 
    158. 

  158.     [Small Scale Variants of the AES; Cid, Murphy, Robshaw]) and
    159. 

  159.     keep the rest as defaults.
    160. 

  160.     </li>
    161. 

  161.     <li> Multiplication within the field with following variants:
    162. 

  162.     <ul>
    163. 

  163.      <li> the field element to multiply by. </li>
    164. 

  164.      <li> the exponent / number of bits ranging from 1-8. </li>
    165. 

  165.      <li> multiplications with and without the combination of
    166. 

  166.      the Sbox linear map (see "Combining linear components").
    167. 

  167.     </ul>
    168. 

  168.     </li>
    169. 

  169.    </ul>
    170. 

  170.    </li>
    171. 

  171.    <li> For now, we name:
    172. 

  172.    <ul>
    173. 

  173.     <li> the small scale Sboxes: Sbox_${e}.cnf , where ${e} is
    174. 

  174.     the field of the Sbox is a GF(2^e) finite field. </li>
    175. 

  175.     <li> the small scale multiplications by element "a", in the
    176. 

  176.     default field with exponent e: Mul_${a}_${e}.cnf . </li>
    177. 

  177.    </ul>
    178. 

  178.   </ul>
    179. 

    180. 

    181. 

  181.   \todo R-based representations
    182. 

  182.   <ul>
    183. 

  183.    <li> r-bases for r in {r_1,r_2}? (see rand_rbase_cs(F,r) in
    184. 

  184.    ComputerAlgebra/Satisfiability/Lisp/Reductions/RBases.mac.) </li>
    185. 

  185.    <li> One could consider certain prime implicates more important than others;
    186. 

  186.    for example ensuring that at least given a full input and/or a full output
    187. 

  187.    to one permutation the output resp. input can be inferred.
    188. 

  188.     <ol>
    189. 

  189.      <li> Can one formulate (relatively efficiently) the minimisation target
    190. 

  190.      that these inferences are "easily" available while otherwise using the
    191. 

  191.      smallest representation? </li>
    192. 

  192.      <li> We could generalise the notion of r-base w.r.t. specific clauses
    193. 

  193.      which have to be deducible via r, while all (other) removed clauses just
    194. 

  194.      need to follow logically, or perhaps using some stronger reduction. </li>
    195. 

  195.     </ol>
    196. 

  196.    </li>
    197. 

  197.    <li> When investigations begin fully in this area, this todo should be
    198. 

  198.    moved to a new file, and most likely a new sub-module. </li>
    199. 

  199.   </ul>
    200. 

    201. 

    202. 

  202.   \todo The square of the Sbox
    203. 

  203.   <ul>
    204. 

  204.    <li> As a start into the consideration of mergers within the AES-"circuit"
    205. 

  205.    we consider the square of the sbox. </li>
    206. 

  206.    <li> As a Maxima boolean-function this is obtained by
    207. 

  207.    \verbatim
    208. 

  208. s2 : square_bf(rijn_sbox_bf);
    209. 

  209.    \endverbatim
    210. 

  210.    </li>
    211. 

  211.    <li> The full CNF representation is then obtained by
    212. 

  212.    \verbatim
    213. 

  213. F2 : bf2relation_fullcnf_fcs(s2,8)$
    214. 

  214.    \endverbatim
    215. 

  215.    </li>
    216. 

  216.    <li> A DIMACS file is created via
    217. 

  217.    \verbatim
    218. 

  218. output_fcs(
    219. 

  219.     sconcat("The squared AES Sbox in full CNF representation."),
    220. 

  220.     F2,
    221. 

  221.     "AES_Sbox2_full.cnf")$
    222. 

  222.    \verbatim
    223. 

  223.    </li>
    224. 

  224.    <li> Prime clauses:
    225. 

  225.    \verbatim
    226. 

  226. > QuineMcCluskey-n16-O3-DNDEBUG AES_Sbox2_full.cnf > AES_PK2.cnf
    227. 

  227. > cat AES_PK2.cnf | ExtendedDimacsFullStatistics-O3-DNDEBUG 
    228. 

  228.  n non_taut_c red_l taut_c orig_l comment_count finished_bool
    229. 

  229. 16 137185 1007214 0 1007214 1 1
    230. 

  230.  length count
    231. 

  231. 5 5
    232. 

  232. 6 3898
    233. 

  233. 7 83267
    234. 

  234. 8 49203
    235. 

  235. 9 812
    236. 

  236.    \endverbatim
    237. 

  237.    </li>
    238. 

  238.    <li> This doesn't look much different from the Sbox itself; one needs to
    239. 

  239.    consider further properties. </li>
    240. 

  240.   </ul>
    241. 

    242. 

    243. 

  243.   \todo Understanding prime implicates after any partial assignment
    244. 

  244.   <ul>
    245. 

  245.    <li> To consider the AES boxes as an "active clause", we want to first be 
    246. 

  246.    able, given a partial assignment, to infer as many forced assignments
    247. 

  247.    as possible. This can be done simply with the DNF representation. </li>
    248. 

  248.    <li> However, secondly one needs, given a partial assignment, to be able to
    249. 

  249.    determine various measures for heuristics. </li>
    250. 

  250.    <li> Therefore, investigating several statistics (most notably the number of
    251. 

  251.    clauses for a given variable) of the prime implicates of the clause-set, 
    252. 

  252.    formed after taking the Sbox and applying each partial assignment, is 
    253. 

  253.    necessary to try and discern a pattern. </li>
    254. 

  254.    <li> If such patterns can be deduced for particular clause-set measures,
    255. 

  255.    then the active clause can use this pattern, given a partial assignment, 
    256. 

  256.    to return reasonable values for these measures which can be used for 
    257. 

  257.    statistics. </li>
    258. 

  258.    <li> A C++ implementation of such a system whereby the set of prime 
    259. 

  259.    implicates is taken as input, and each partial assignment along with
    260. 

  260.    the relevant statistics is returned is necessary. </li>
    261. 

  261.    <li> Such a C++ implementation would need to be able to apply a partial
    262. 

  262.    assignment to a clause-set and then compute various statistics on the 
    263. 

  263.    result. This would need to be done for every partial assignment. </li>
    264. 

  264.    <li> After applying the partial assignment, to gain the prime implicates
    265. 

  265.    of the new boolean function, one must simply apply subsumption elimination
    266. 

  266.    to the new clause-set (which is just result of applying a partial assignment
    267. 

  267.    to the prime implicates of the original function). This can be done using 
    268. 

  268.    functionality already in the library (MG: Where?). </li>
    269. 

  269.   </ul>
    270. 

    271. 

  271. */
    272. 

  272.