[Applied Algebra] Solving MQ problems with an SMT solver



SAT solving has become one of the main approaches to the MQ problem, but the number of variables it needs grows large, so I turned to SMT solvers, whose theories have far stronger descriptive power, and give a preliminary implementation here.


The MQ problem

The one-wayness of a multivariate polynomial map lies in the difficulty of computing a solution of a system of multivariate polynomial equations (the MP problem). In particular, if all the polynomials in the MP instance are quadratic, the problem is called the MQ problem (for the many MQ instances that are equivalent to cryptographic protocols, the coefficients and the solution can further be restricted to $\mathbb{F}_2$):

$$
\begin{aligned}
f_{1}(x_{1}, \ldots, x_{n}) &= \sum_{1 \leq i \leq j \leq n} a_{ij}^{(1)} x_i x_j + \sum_{1 \leq i \leq n} b_i^{(1)} x_i + c^{(1)} = d_1, \\
f_{2}(x_{1}, \ldots, x_{n}) &= \sum_{1 \leq i \leq j \leq n} a_{ij}^{(2)} x_i x_j + \sum_{1 \leq i \leq n} b_i^{(2)} x_i + c^{(2)} = d_2, \\
&\ \vdots \\
f_{m}(x_{1}, \ldots, x_{n}) &= \sum_{1 \leq i \leq j \leq n} a_{ij}^{(m)} x_i x_j + \sum_{1 \leq i \leq n} b_i^{(m)} x_i + c^{(m)} = d_m.
\end{aligned}
$$

Why solving MQ matters: multivariate public-key cryptography (MPKC), whose security rests on the hardness of the MQ (multivariate quadratic) problem, is considered faster than many of its competitors and has therefore become a research focus in post-quantum cryptography. The main idea of an algebraic attack is to describe the internal encryption activity of a cryptosystem as a system of multivariate equations between the input (the key) and the output, and then to recover the key by solving a low-degree overdetermined or sparse system, i.e. by solving an MQ instance; this has to cope with the computational difficulty of solving large, low-degree, overdetermined, sparse multivariate systems. Because this algebraic description of cryptographic protocols is very general, research on methods for solving MQ is of great value to cryptanalysis.


SMT solvers

We gave a first introduction to SMT solvers in the post "Introduction to SMT".

The SMT (Satisfiability Modulo Theories) problem is based on first-order logic formulas, which extend propositional logic with terms and quantifiers; the function and predicate symbols in a formula are interpreted by a corresponding background theory. Usually an SMT formula is a quantifier-free first-order formula (it contains no $\exists$ or $\forall$), and the problem of deciding whether such a formula is satisfiable is called the SMT problem. In short, SMT can be viewed as SAT "strengthened" with first-order logic: its expressiveness and solving power increase greatly, and of course the complexity of the problem rises with them.

From the algorithm of the classic SMT solver $\mathcal{T}$-DPLL one can see that an SMT solver is the combination of a SAT solver and a theory solver. The theory solver analyses the conflicts and relations between logical clauses in order to derive a contradiction or learn new clauses, which improves solving efficiency; what makes this possible is the introduction of first-order logic, and that is the biggest difference between an SMT solver and a SAT solver.


Solving the MQ problem with SMT

Suppose the MQ system to be solved is the following:

# ---------------- EQUATIONS ------------------------------
t1*t7 + t2*t8 + t2*t9 + t7*t11 + t4*t12 + t10*t13 + t6*t14 + t11*t14 + t10*t15 + t11*t15 + t1*t16 + t11*t16 + t3 + t6 + t9 + t14 = 0;
t2*t6 + t1*t7 + t4*t7 + t3*t10 + t9*t10 + t9*t11 + t2*t12 + t1*t14 + t9*t14 + t9*t15 + t10*t15 + t4*t16 + t13 + 1 = 0;
t1*t4 + t1*t6 + t5*t6 + t1*t8 + t7*t9 + t2*t10 + t6*t10 + t8*t10 + t1*t11 + t4*t11 + t2*t12 + t9*t12 + t15*t16 = 0;
t1*t6 + t3*t6 + t5*t6 + t4*t8 + t4*t9 + t5*t10 + t7*t10 + t7*t11 + t4*t13 + t11*t14 + t3*t15 + t6*t15 + t7*t15 + t10*t16 + t15*t16 + t8 = 0;
t1*t2 + t5*t7 + t3*t8 + t4*t8 + t6*t8 + t2*t9 + t5*t9 + t9*t14 + t4*t15 + t13*t15 + t5*t16 + t15*t16 + t3 + t5 + t9 + t15 = 0;
t1*t4 + t4*t15 + t6*t16 + t12*t16 + t14*t16 = 0;
t1*t4 + t2*t5 + t2*t7 + t1*t8 + t2*t8 + t3*t9 + t5*t9 + t7*t9 + t8*t12 + t3*t13 + t4*t13 + t10*t13 + t13*t14 + t1*t15 + t12*t15 + t1 + t6 + 1 = 0;
t6*t8 + t5*t10 + t7*t10 + t2*t12 + t6*t12 + t9*t12 + t11*t13 + t8*t14 + t10*t14 + t4*t15 + t11*t16 = 0;
t1*t2 + t1*t4 + t3*t6 + t1*t7 + t2*t9 + t1*t10 + t9*t10 + t3*t13 + t8*t13 + t11*t15 + t1*t16 + t12*t16 + t2 + t10 + t16 = 0;
t1*t6 + t2*t6 + t4*t6 + t6*t7 + t3*t8 + t7*t9 + t6*t10 + t3*t12 + t8*t14 + t4*t16 + t7*t16 + t5 + t9 + t12 + t15 = 0;
t5*t6 + t2*t7 + t6*t8 + t7*t8 + t8*t12 + t5*t14 + t13*t14 + t4*t15 + t10 = 0;
t3*t4 + t2*t6 + t6*t7 + t2*t8 + t5*t9 + t2*t11 + t8*t13 + t9*t13 + t13*t15 + t4*t16 + t9*t16 + t3 + t11 = 0;
t5*t7 + t7*t10 + t2*t11 + t7*t11 + t3*t13 + t10*t13 + t11*t13 + t8*t14 + t1*t15 + t9*t15 + t14*t15 + t1*t16 + t2*t16 + t6*t16 + t2 + t8 + t12 + 1 = 0;
t1*t3 + t1*t5 + t2*t8 + t7*t9 + t1*t10 + t3*t10 + t4*t10 + t5*t14 + t14*t15 + t5*t16 + t6*t16 + t14*t16 + t12 + 1 = 0;
t2*t4 + t8*t9 + t2*t11 + t9*t11 + t9*t12 + t6*t13 + t4*t15 + t5*t15 + t13*t15 + t7*t16 + t13*t16 + t3 + t4 = 0;
t2*t3 + t5*t8 + t8*t9 + t2*t10 + t2*t11 + t2*t13 + t12*t13 + t5*t14 + t10*t14 + t7*t15 + t2*t16 + t5*t16 + t10*t16 + t11*t16 + 1 = 0;
t1*t4 + t4*t6 + t6*t9 + t5*t11 + t8*t12 + t1*t15 + t5*t15 + t6*t16 + t7 + t8 + t13 = 0;
t2*t5 + t2*t6 + t5*t6 + t2*t9 + t2*t11 + t7*t13 + t1*t14 + t1*t15 + t5*t15 + t8*t15 + t12*t15 + t1*t16 + t7*t16 + t7 + t10 + t11 + t13 = 0;
t3*t7 + t4*t10 + t3*t13 + t10*t13 + t1*t14 + t5*t14 + t13*t14 + t10*t16 + t12 = 0;
t1*t4 + t1*t7 + t7*t9 + t4*t10 + t6*t11 + t8*t11 + t8*t12 + t9*t13 + t10*t13 + t6*t14 + t10*t14 + t1*t15 + t2*t16 + t10*t16 = 0;
t4*t5 + t4*t8 + t5*t9 + t6*t11 + t4*t12 + t5*t13 + t9*t13 + t3*t14 + t8*t16 + t1 + t6 + 1 = 0;
t1*t2 + t4*t7 + t7*t8 + t2*t11 + t8*t12 + t12*t13 + t6*t14 + t7*t14 + t9*t14 + t13*t14 + t3*t15 + t7*t15 + t4*t16 + t6 + t7 = 0;
t1*t4 + t2*t7 + t4*t7 + t1*t8 + t10*t12 + t11*t16 + t6 = 0;
t3*t6 + t4*t6 + t1*t8 + t6*t8 + t3*t9 + t4*t10 + t2*t11 + t8*t11 + t9*t11 + t2*t12 + t3*t12 + t6*t12 + t2*t13 + t10*t13 + t6*t15 + t1*t16 + t8*t16 = 0;
t4*t5 + t9*t10 + t3*t11 + t5*t12 + t9*t15 + t6*t16 + t7 + t11 + t14 = 0;
t1*t3 + t3*t7 + t5*t7 + t6*t7 + t7*t9 + t1*t10 + t7*t11 + t3*t12 + t4*t13 + t7*t13 + t5*t15 + t13*t16 + t16 + 1 = 0;
t3*t4 + t3*t6 + t1*t8 + t4*t8 + t6*t8 + t8*t9 + t5*t10 + t10*t11 + t2*t12 + t11*t13 + t2*t14 + t13*t14 + t2*t15 + t10*t15 + t3*t16 + t15*t16 + t9 + t16 + 1 = 0;
t2*t5 + t6*t7 + t4*t10 + t5*t11 + t6*t11 + t9*t11 + t1*t12 + t9*t12 + t4*t15 + t10*t15 + t12*t15 + t14 + t15 = 0;
t1*t3 + t3*t4 + t2*t5 + t3*t9 + t3*t12 + t6*t12 + t9*t13 + t3*t15 + t12*t15 + t15 = 0;
t1*t2 + t6*t8 + t3*t9 + t8*t9 + t6*t10 + t7*t10 + t8*t10 + t1*t11 + t2*t11 + t4*t12 + t7*t12 + t8*t12 + t6*t13 + t9*t13 + t10*t13 + t12*t13 + t13*t15 + t12*t16 + t15*t16 + t2 = 0;
t1*t5 + t4*t5 + t6*t7 + t6*t8 + t8*t9 + t6*t12 + t11*t13 + t3*t14 + t8*t14 + t13*t14 + t6*t15 + t12*t15 + t3 + t10 + t13 = 0;
t6*t8 + t2*t10 + t3*t10 + t3*t11 + t4*t13 + t3*t14 + t2*t15 + t3 + t10 = 0;

The solution of this system is:

{t1: 0, t2: 0, t3: 1, t4: 0, t5: 1, t6: 1, t7: 1, t8: 0, t9: 1, t10: 1, t11: 1, t12: 1, t13: 0, t14: 0, t15: 1, t16: 0}

Applying the $\mathcal{LA}(\mathbb{Z})$ theory (see "SMT Solvers - Theory and Practice" [Clark Barrett] for details), the clauses actually fed to the SMT solver are as follows (here we rename the original variables $t_1, \ldots, t_{16}$ to $c_0, \ldots, c_{15}$):

$\forall c_i,\ 0 \le c_i \le 1,\ c_i \in \mathbb{N}$

and the constraint clause for each equation is:

$\exists c_0, \ldots, c_{15},\ f_j(c_0, \ldots, c_{15}) \equiv 0 \pmod 2$

Then solve it with the z3-solver package under Python 3.6:

... ... # imports and the function that reads the equation system ...
from z3 import Solver  # z3-solver package

SMT_SOLVER = Solver()
MAX_USED_VARS = 16
ITEMS_VAR_USED = ITEMS_ALL[0:MAX_USED_VARS]  # the z3 Int variables c0 .. c15
# read the coefficient file and build one integer polynomial per equation
EQUATIONS_MQ = mq_coeff_2_poly("mq20.coeff", MAX_USED_VARS, ITEMS_VAR_USED)

# domain constraint: every variable is an integer in {0, 1}
for MONOMIAL in ITEMS_VAR_USED:
    SMT_SOLVER.add(MONOMIAL <= 1)
    SMT_SOLVER.add(MONOMIAL >= 0)

# each equation must vanish modulo 2, i.e. hold over F_2
for EQUATION in EQUATIONS_MQ:
    SMT_SOLVER.add(EQUATION % 2 == 0)

print(SMT_SOLVER.check())
print(SMT_SOLVER.model())

Result:

sat
[c9 = 1,c15 = 0,c10 = 1,c3 = 0,c6 = 1,c5 = 1,c14 = 1,c0 = 0,c13 = 0,c4 = 1,c7 = 0,c8 = 1,c1 = 0,c11 = 1,c2 = 1,c12 = 0]
[Finished in 1.6s]
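A self-contained check of the encoding above, added here and not part of the original post: it parses equations written in the page's own `t1*t7 + ... + 1 = 0;` syntax, evaluates them over $\mathbb{F}_2$ against the printed solution, and builds the same $\mathcal{LA}(\mathbb{Z})$ constraints ($0 \le c_i \le 1$, $f_j \bmod 2 = 0$) with z3py. Four of the 32 equations are embedded so the block runs offline; `z3_constraints` assumes the z3-solver package is installed and is the only part that needs it.

```python
from typing import Dict, List, Tuple

# Four equations copied from the system above, in the page's syntax.
EQUATIONS = """
t1*t7 + t2*t8 + t2*t9 + t7*t11 + t4*t12 + t10*t13 + t6*t14 + t11*t14 + t10*t15 + t11*t15 + t1*t16 + t11*t16 + t3 + t6 + t9 + t14 = 0;
t2*t6 + t1*t7 + t4*t7 + t3*t10 + t9*t10 + t9*t11 + t2*t12 + t1*t14 + t9*t14 + t9*t15 + t10*t15 + t4*t16 + t13 + 1 = 0;
t1*t4 + t4*t15 + t6*t16 + t12*t16 + t14*t16 = 0;
t1*t4 + t2*t5 + t2*t7 + t1*t8 + t2*t8 + t3*t9 + t5*t9 + t7*t9 + t8*t12 + t3*t13 + t4*t13 + t10*t13 + t13*t14 + t1*t15 + t12*t15 + t1 + t6 + 1 = 0;
"""
# The solution printed on the page (t_i -> value).
SOLUTION = {1: 0, 2: 0, 3: 1, 4: 0, 5: 1, 6: 1, 7: 1, 8: 0, 9: 1, 10: 1,
            11: 1, 12: 1, 13: 0, 14: 0, 15: 1, 16: 0}

Monomial = Tuple[int, ...]  # () is the constant 1, (i,) is t_i, (i, j) is t_i*t_j

def parse_equation(line: str) -> List[Monomial]:
    """Parse 'm1 + m2 + ... = 0;' into a list of monomials (variable indices)."""
    lhs = line.strip().rstrip(";").split("=")[0]
    monos: List[Monomial] = []
    for term in lhs.split("+"):
        term = term.strip()
        monos.append(() if term == "1" else tuple(int(v[1:]) for v in term.split("*")))
    return monos

def parse_system(text: str) -> List[List[Monomial]]:
    return [parse_equation(l) for l in text.strip().splitlines() if l.strip()]

def evaluate(poly: List[Monomial], assignment: Dict[int, int]) -> int:
    """Evaluate one polynomial over F_2: AND inside each monomial, XOR across monomials."""
    total = 0
    for mono in poly:
        prod = 1
        for i in mono:
            prod &= assignment[i]
        total ^= prod
    return total

def check_solution(system: List[List[Monomial]], assignment: Dict[int, int]) -> bool:
    return all(evaluate(p, assignment) == 0 for p in system)

def z3_constraints(system: List[List[Monomial]], n: int):
    """Build the LA(Z) encoding from the post; c_{i-1} stands for t_i (needs z3-solver)."""
    from z3 import Int, IntVal, Sum, Solver
    c = [Int(f"c{i}") for i in range(n)]
    s = Solver()
    for v in c:
        s.add(v >= 0, v <= 1)            # every variable is an integer in {0, 1}
    for poly in system:
        terms = []
        for mono in poly:
            t = IntVal(1)
            for i in mono:
                t = t * c[i - 1]         # integer product of the monomial's variables
            terms.append(t)
        s.add(Sum(terms) % 2 == 0)       # the equation holds over F_2
    return s
```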

I also found that once the number of variables exceeds $n > 16$ the solver stalls; I am still thinking about the exact reason and need more experiments to explain this phenomenon.


Reposted from blog.csdn.net/hanss2/article/details/122225153