Solving underdetermined system of quadratic equations over GF(2)

asked 2018-07-05 10:21:25 -0500

Chewie gravatar image

updated 2018-07-05 16:06:36 -0500

tmonteil gravatar image

Hi folks!

All of the following operations are done over GF(2).

I want introduce you to my problem with a little example: I have two algebraic expressions of the keystream bits Z0 and Z1 of a stream cipher. The algebraic expressions just consist of key bits (key bits are named with X). For example:

Z0=X56+X43+X31+X10+X4+X2+X1

Z1=X57+X44+X32+X11+X5+X3+X2

In this little example we have, m = 2 = number_of_equations and n = 13 = number_of_unknown_variables. If I would now have konwledge about the Z0 and Z1 bit (e.g. Z0 = Z1 = 0), it must be possible to gain knowledge about key bits again by solving these underdetermined system of equations. My normal approach would be guessing 11 of the 13 and try to solve equation system for the unknown 2. If the system has a solution I know that could be the right answer.

At the moment my sage script says the following:

F=GF(2) //Define the Galois Field

M=Matrix(F, [[0, 1, 0, 1, 0,    1, 0, 1, 0, 1, 0, 1, 1],  [1,0, 1, 0, 1,0, 1, 0, 1, 0, 1, 1, 0]]) //Define the equation system

v = vector(F, (0,0)) //Define vector for solve_right()

M.solve_right(v)

My abstract algorithm is the following to make it more clear:

for all 2^13 possible values:

  1. Guess variables till m = n.
  2. Try to solve the system. If system has a solution, save it.

How would get the guessing of the variables realized in a smart way (matrice syntax or symbolic syntax?), that automatically all possible values of the variables will be guessed and what would be the normal approach for that problem?

A little syntax example will be appreciated!

Greetings Chewie

edit retag flag offensive close merge delete

Comments

Could you please provide the actual equtions, not the toy one, which are linear ?

tmonteil gravatar imagetmonteil ( 2018-07-05 17:03:09 -0500 )edit

Hi, these are the real first 17 keystream bit equations,

m: 17 n_s (Number variables single occurences): 38 n_m (Number variables multiple occurences): 31 n_o (Number of variables overall): 69

Z0=X56+X43+X31+X10+X4+X2+X1 Z1=X57+X44+X32+X11+X5+X3+X2 Z2=X58+X45+X33+X12+X6+X4+X3 Z3=X59+X46+X34+X13+X7+X5+X4 Z4=X60+X47+X35+X14+X8+X6+X5 Z5=X61+X48+X36+X15+X9+X7+X6 Z6=X62+X49+X37+X16+X10+X8+X7 Z7=X63+X50+X38+X17+X11+X9+X8 Z8=X64+X51+X39+X18+X12+X10+X9 Z9=X65+X52+X40+X19+X13+X11+X10 Z10=X66+X53+X41+X20+X14+X12+X11 Z11=X67+X54+X42+X21+X15+X13+X12 Z12=X68+X55+X43+X22+X16+X14+X13 Z13=X69+X56+X44+X23+X17+X15+X14 Z14=X70+X57+X45+X24+X18+X16+X15 ...(more)

Chewie gravatar imageChewie ( 2018-07-06 03:35:38 -0500 )edit

I just wanted to make it as simple as it could be at first with just two linear equations. If that works, it shouldn't be that hard to expand the working example. That was the reason, why I just posted the first two linear equations of the system. With my guessing approach, I think it should be also possible to find a possible solution but just considering the first two equations.

Greetings Chewie

Chewie gravatar imageChewie ( 2018-07-06 03:49:00 -0500 )edit