# Algebraic Cryptanalysis with MRHS Equations

## Abstract

**:**

## 1. Introduction

## 2. What Is a MRHS Equation System?

- Symbol $\mathbb{F}$ denotes a finite field, $\mathbb{Z}$ denotes a ring of integers, $\mathbb{N}$ denotes natural numbers.
- We are using row vectors, denoted by bold lowercase letters: $\mathbf{v}\in {\mathbb{F}}^{n}$.
- Matrices are denoted by bold uppercase letters: $\mathbf{M}\in {\mathbb{F}}^{n\times k}$.
- Standard sets are denoted by uppercase slanted letters: $S\subset {\mathbb{F}}^{n}$. The size of the set S is denoted by $\left|S\right|$. When S is a set of vectors, $\mathbf{S}$ denotes a matrix with $\left|S\right|$ rows, where each row is in S. By $S\xb7\mathbf{A}$ we denote a set of vectors ${S}^{\prime}=\{\mathbf{v}\xb7\mathbf{A};\mathbf{v}\in S\}$.
- Special sets are denoted by calligraphic font: $\mathcal{M}$.

**Definition**

**1.**

**Definition**

**2.**

**Definition**

**3.**

**Example**

**1.**

## 3. Algorithms for Solving MRHS Equations

#### 3.1. Solving MRHS Systems with Linear Algebra

**Column operations.**Let $\mathbf{B}$ be an invertible diagonal matrix$$\mathbf{B}=\left(\begin{array}{cccc}{\mathbf{B}}_{1}& \mathbf{0}& \cdots & \mathbf{0}\\ \mathbf{0}& {\mathbf{B}}_{2}& \cdots & \mathbf{0}\\ \vdots & \vdots & \ddots & \vdots \\ \mathbf{0}& \mathbf{0}& \cdots & {\mathbf{B}}_{m}\end{array}\right)$$$$\mathbf{x}\xb7\mathbf{M}\xb7\mathbf{B}\in {S}_{1}\xb7{\mathbf{B}}_{1}\times \cdots \times {S}_{m}\xb7{\mathbf{B}}_{m}$$

**Row operations.**Let $\mathbf{A}$ be an invertible $n\times n$ matrix. Vector $\mathbf{x}$ is a solution of $\mathcal{M}$ if and only if vector $\mathbf{y}$ is a solution of$$\mathbf{y}\xb7(\mathbf{A}\xb7\mathbf{M})\in {S}_{1}\times \cdots \times {S}_{m}$$**RHS joining.**Vector $\mathbf{x}$ is a solution of $\mathcal{M}$ if and only if it is a solution of the equivalent MRHS system$$\mathbf{x}\xb7\mathbf{M}\in {S}_{1}\times \cdots \times {S}_{m-2}\times {S}_{m-1}^{\prime}$$**RHS compression.**Let rank $\left({\mathbf{M}}_{i}\right)<{l}_{i}$ for some i. We can use**column operations**with matrix ${\mathbf{B}}_{i}$ to change the first column of ${\mathbf{M}}_{i}$ to all zeroes. The vector $\mathbf{x}$ is a solution of $\mathcal{M}$ if and only if it is a solution of$$\mathbf{x}\xb7\mathbf{M}\in {S}_{1}\xb7\times \cdots {S}_{i}^{\prime}\xb7\times \cdots {S}_{m}$$

#### 3.2. Solving MRHS Systems with Local Reduction

#### 3.3. Solving MRHS Systems in Dual Code

#### 3.4. Solving MRHS Systems with Heuristic Search

## 4. Using MRHS Systems in Algebraic Cryptanalysis

**Example**

**2.**

## 5. Experimental MRHS Cryptanalysis

## 6. Conclusions

## Funding

## Data Availability Statement

## Conflicts of Interest

## Abbreviations

AES | Advanced Encryption Standard |

CRHS | Compressed Right-Hand Sides |

MQ | Multivariate Quadratic |

MRHS | Multiple Right-Hand Sides |

RHS | Right-Hand Side |

SPN | Substitution-Permutation Network |

## References

- Shannon, C.E. Communication theory of secrecy systems. Bell Syst. Tech. J.
**1949**, 28, 656–715. [Google Scholar] [CrossRef] - Bard, G. Algebraic Cryptanalysis; Springer: Berlin/Heidelberg, Germany, 2009. [Google Scholar]
- Semaev, I.; Mikuš, M. Methods to solve algebraic equations in cryptanalysis. Tatra Mt. Math. Publ.
**2010**, 45, 107–136. [Google Scholar] [CrossRef] - Faugere, J.C.; Joux, A. Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In Proceedings of the Advances in Cryptology-CRYPTO 2003: 23rd Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2003; Springer: Berlin/Heidelberg, Germany, 2003; pp. 44–60. [Google Scholar]
- Courtois, N.; Klimov, A.; Patarin, J.; Shamir, A. Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In Proceedings of the Advances in Cryptology—EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; Springer: Berlin/Heidelberg, Germany, 2000; pp. 392–407. [Google Scholar]
- Courtois, N.T.; Pieprzyk, J. Cryptanalysis of block ciphers with overdefined systems of equations. In Proceedings of the Advances in Cryptology—ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, 1–5 December 2002; Springer: Berlin/Heidelberg, Germany, 2002; pp. 267–287. [Google Scholar]
- Courtois, N.T. Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In Proceedings of the Information Security and Cryptology—ICISC 2002: 5th International Conference, Seoul, South Korea, 28–29 November 2002; Springer: Berlin/Heidelberg, Germany, 2003; pp. 182–199. [Google Scholar]
- Cho, J.Y.; Pieprzyk, J. Algebraic Attacks on SOBER-t32 and SOBER-t16 without Stuttering. In Proceedings of the Fast Software Encryption, New Delhi, India, 5–7 February 2004; Roy, B., Meier, W., Eds.; Springer: Berlin/Heidelberg, Germany, 2004; pp. 49–64. [Google Scholar]
- Courtois, N.T.; Bard, G.V. Algebraic cryptanalysis of the data encryption standard. In Proceedings of the Cryptography and Coding: 11th IMA International Conference, Cirencester, UK, 18–20 December 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 152–169. [Google Scholar]
- Courtois, N.T. Algebraic complexity reduction and cryptanalysis of GOST. Cryptology ePrint Archive, Paper 2011/626. 2011. Available online: https://eprint.iacr.org/2011/626 (accessed on 1 March 2023).
- Cook, S.A.; Mitchell, D.G. Finding hard instances of the satisfiability problem: A survey. Satisf. Probl. Theory Appl.
**1997**, 35, 1–17. [Google Scholar] - Massacci, F. Using Walk-SAT and Rel-SAT for cryptographic key search. In Proceedings of the IJCAI, Stockholm, Sweden, 31 July–6 August 1999; Volume 99, pp. 290–295. [Google Scholar]
- McDonald, C.; Charnes, C.; Pieprzyk, J. An algebraic analysis of trivium ciphers based on the boolean satisfiability problem. In Proceedings of the 4th International Workshop on Boolean Functions: Cryptography and Applications, Paris, France, 3 June 2008; Laboratoire d’Informatique Algorithmique: Fondements et Applications: Paris, France, 2008; pp. 173–184. [Google Scholar]
- Dwivedi, A.D.; Klouček, M.; Morawiecki, P.; Nikolic, I.; Pieprzyk, J.; Wöjtowicz, S. SAT-based Cryptanalysis of Authenticated Ciphers from the CAESAR Competition. Cryptology ePrint Archive, Paper 2016/1053. 2016. Available online: https://eprint.iacr.org/2016/1053 (accessed on 1 March 2023).
- Andrzejczak, M.; Dudzic, W. SAT Attacks on ARX Ciphers with Automated Equations Generation. Infocommunications
**2019**, 9, 2–7. [Google Scholar] [CrossRef] - Hromada, V.; Öllős, L.; Zajac, P. Using SAT solvers in large scale distributed algebraic attacks against low entropy keys. Tatra Mt. Math. Publ.
**2015**, 64, 187–203. [Google Scholar] [CrossRef] [Green Version] - Albrecht, M.; Cid, C. Algebraic techniques in differential cryptanalysis. In Proceedings of the International Workshop on Fast Software Encryption, Leuven, Belgium, 22–25 February 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 193–208. [Google Scholar]
- Faugère, J.C.; Perret, L.; Spaenlehauer, P.J. Algebraic-differential cryptanalysis of DES. In Proceedings of the Western European Workshop on Research in Cryptology-WEWoRC, Graz, Austria, 7–9 July2009; pp. 1–5. [Google Scholar]
- Wang, M.; Sun, Y.; Mouha, N.; Preneel, B. Algebraic techniques in differential cryptanalysis revisited. In Proceedings of the Australasian Conference on Information Security and Privacy, Melbourne, VI, Australia, 11–13 July 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 120–141. [Google Scholar]
- Bednáriková, A.; Zajac, P. A new representation of S-boxes for algebraic differential cryptanalysis. Rad Hrvat. Akad. Znan. Umjet. Mat. Znan.
**2021**, 25, 33–49. [Google Scholar] [CrossRef] - Renauld, M.; Standaert, F.X. Algebraic side-channel attacks. In Proceedings of the Information Security and Cryptology: 5th International Conference, Inscrypt 2009, Beijing, China, 12–15 December 2009; Springer: Berlin/Heidelberg, Germany, 2010; pp. 393–410. [Google Scholar]
- Carlet, C.; Faugere, J.C.; Goyet, C.; Renault, G. Analysis of the algebraic side channel attack. J. Cryptogr. Eng.
**2012**, 2, 45–62. [Google Scholar] [CrossRef] [Green Version] - Oren, Y.; Kirschbaum, M.; Popp, T.; Wool, A. Algebraic side-channel analysis in the presence of errors. In Proceedings of the Cryptographic Hardware and Embedded Systems, CHES 2010: 12th International Workshop, Santa Barbara, CA, USA, 17–20 August 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 428–442. [Google Scholar]
- Raddum, H. MRHS equation systems. In Proceedings of the Selected Areas in Cryptography: 14th International Workshop, SAC 2007, Ottawa, ON, Canada, 16–17 August 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 232–245. [Google Scholar]
- Zajac, P. MRHS equation systems that can be solved in polynomial time. Tatra Mt. Math. Publ.
**2016**, 67, 205–219. [Google Scholar] [CrossRef] [Green Version] - Zajac, P. Using Local Reduction for the Experimental Evaluation of the Cipher Security. Comput. Inform.
**2018**, 37, 349–366. [Google Scholar] [CrossRef] - Zakrevskij, A.; Vasilkova, I. Reducing large systems of Boolean equations. In Proceedings of the 4th Internationl Workshop on Boolean Problems, San Jose, CA, USA, 20–22 March 2000. [Google Scholar]
- Raddum, H.; Semaev, I. New Technique for Solving Sparse Equation Systems. Cryptology ePrint Archive, Paper 2006/475. 2006. Available online: https://eprint.iacr.org/2006/475 (accessed on 1 March 2023).
- Semaev, I. Sparse algebraic equations over finite fields. SIAM J. Comput.
**2009**, 39, 388–409. [Google Scholar] [CrossRef] - Raddum, H.; Semaev, I. Solving multiple right hand sides linear equations. Des. Codes Cryptogr.
**2008**, 49, 147–160. [Google Scholar] [CrossRef] - Zajac, P. Connecting the Complexity of MQ-and Code-Based Cryptosystems. Tatra Mt. Math. Publ.
**2017**, 70, 163–177. [Google Scholar] [CrossRef] [Green Version] - Schilling, T.E.; Raddum, H. Analysis of trivium using compressed right hand side equations. In Proceedings of the Information Security and Cryptology-ICISC 2011: 14th International Conference, Seoul, South Korea, 30 November–2 December 2011; Springer: Berlin/Heidelberg, Germany, 2012; pp. 18–32. [Google Scholar]
- Schilling, T.E.; Raddum, H. Solving compressed right hand side equation systems with linear absorption. In Proceedings of the International Conference on Sequences and Their Applications, Waterloo, ON, Canada, 4–8 June 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 291–302. [Google Scholar]
- Raddum, H.; Zajac, P. MRHS solver based on linear algebra and exhaustive search. J. Math. Cryptol.
**2018**, 12, 143–157. [Google Scholar] [CrossRef] - Semaev, I. Sparse Boolean equations and circuit lattices. Des. Codes Cryptogr.
**2011**, 59, 349–364. [Google Scholar] [CrossRef] [Green Version] - Geiselmann, W.; Matheis, K.; Steinwandt, R. PET SNAKE: A Special Purpose Architecture to Implement an Algebraic Attack in Hardware. In Transactions on Computational Science X; Springer: Berlin/Heidelberg, Germany, 2010; pp. 298–328. [Google Scholar]
- Schilling, T.; Zajac, P. Phase transition in a system of random sparse Boolean equations. Tatra Mt. Math. Publ.
**2010**, 45, 93–105. [Google Scholar] [CrossRef] [Green Version] - Davis, M.; Putnam, H. A computing procedure for quantification theory. J. ACM (JACM)
**1960**, 7, 201–215. [Google Scholar] [CrossRef] - Schilling, T.E.; Raddum, H. Solving equation systems by agreeing and learning. In Proceedings of the International Workshop on the Arithmetic of Finite Fields, Istanbul, Turkey, 27–30 June 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 151–165. [Google Scholar]
- Semaev, I. Improved agreeing-gluing algorithm. Math. Comput. Sci.
**2013**, 7, 321–339. [Google Scholar] [CrossRef] [Green Version] - Horak, P.; Semaev, I.; Tuza, Z. An application of Combinatorics in Cryptography. Electron. Notes Discret. Math.
**2015**, 49, 31–35. [Google Scholar] [CrossRef] - Semaev, I. MaxMinMax problem and sparse equations over finite fields. Des. Codes Cryptogr.
**2016**, 79, 383–404. [Google Scholar] [CrossRef] - Horak, P.; Semaev, I.; Tuza, Z. A combinatorial problem related to sparse systems of equations. Des. Codes Cryptogr.
**2017**, 85, 129–144. [Google Scholar] [CrossRef] [Green Version] - Zajac, P. A new method to solve MRHS equation systems and its connection to group factorization. J. Math. Cryptol.
**2013**, 7, 367–381. [Google Scholar] [CrossRef] - Zajac, P. Upper bounds on the complexity of algebraic cryptanalysis of ciphers with a low multiplicative complexity. Des. Codes Cryptogr.
**2017**, 82, 43–56. [Google Scholar] [CrossRef] - Zajac, P. On solving sparse MRHS equations with bit-flipping. Publ. Math. Debrecen
**2022**, 100 (Suppl. S8), 683–700. [Google Scholar] [CrossRef] - Smičík, M.; Zajac, P. MRHS cryptanalysis of Ascon. In Proceedings of Central European Conference on Cryptology—CECC’22, Smolenice, Slovakia, 26–29 June 2022; Mathematical Institute, Slovak Academy of Sciences: Bratislava, Slovakia, 2022; pp. 87–89. [Google Scholar]
- Tito-Corrioso, O.; Borges-Quintana, M.; Borges-Trenard, M.A. Improving search of solutions of MRHS systems using the Genetic Algorithm. Rev. Cuba. Cienc. Inform.
**2023**, 17, 38–52. [Google Scholar] - Zajac, P.; Spacek, P. A New Type of Signature Scheme Derived from a MRHS Representation of a Symmetric Cipher. Infocommunications J.
**2019**, 11, 23–30. [Google Scholar] [CrossRef] - Biryukov, A.; De Cannière, C. Data encryption standard (DES). In Encyclopedia of Cryptography and Security; Springer: Berlin/Heidelberg, Germany, 2011; pp. 295–301. [Google Scholar]
- Zajac, P.; Čagala, R. Local reduction and the algebraic cryptanalysis of the block cipher GOST. Period. Math. Hung.
**2012**, 65, 239–255. [Google Scholar] [CrossRef] - Courtois, N.T. Security evaluation of GOST 28147-89 in view of international standardisation. Cryptologia
**2012**, 36, 2–13. [Google Scholar] [CrossRef] - Wu, H. The hash function JH. Submission to NIST (Round 3). 2011. Available online: https://www3.ntu.edu.sg/home/wuhj/research/jh/jh_round3.pdf (accessed on 1 March 2023).
- Bertoni, G.; Daemen, J.; Peeters, M.; Van Assche, G. Keccak. In Proceedings of the Advances in Cryptology—EUROCRYPT 2013: 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, 26–30 May 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 313–314. [Google Scholar]
- Adamček, P.; Loderer, M.; Zajac, P. A comparison of local reduction and SAT-solver based algebraic cryptanalysis of JH and Keccak. Tatra Mt. Math. Publ.
**2012**, 53, 1–20. [Google Scholar] [CrossRef] [Green Version] - Zajac, P. Solving Trivium-based Boolean Equations Using the Method of Syllogisms. Fundam. Informaticae
**2012**, 114, 359–373. [Google Scholar] [CrossRef] - De Canniere, C.; Preneel, B. Trivium. New Stream Cipher Designs: The eSTREAM Finalists; Springer: Berlin/Heidelberg, Germany, 2008; pp. 244–266. [Google Scholar]
- Lacko-Bartošová, L. Algebraic cryptanalysis of Present based on the method of syllogisms. Tatra Mt. Math. Publ.
**2012**, 53, 201–212. [Google Scholar] [CrossRef] - Bogdanov, A.; Knudsen, L.R.; Leander, G.; Paar, C.; Poschmann, A.; Robshaw, M.J.; Seurin, Y.; Vikkelsoe, C. PRESENT: An ultra-lightweight block cipher. In Proceedings of the Cryptographic Hardware and Embedded Systems-CHES 2007: 9th International Workshop, Vienna, Austria, 10–13 September 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 450–466. [Google Scholar]
- Poschmann, A.; Leander, G.; Schramm, K.; Paar, C. A family of light-weight block ciphers based on DES suited for RFID applications. In Proceedings of the Workshop on RFID Security–RFIDSec, Graz, Austria, 12–14 July 2006; Volume 6. [Google Scholar]
- Matheis, K.; Steinwandt, R.; Suárez Corona, A. Algebraic Properties of the Block Cipher DESL. Symmetry
**2019**, 11, 1411. [Google Scholar] [CrossRef] [Green Version] - Raddum, H.; Kazymyrov, O. Algebraic attacks using binary decision diagrams. In Proceedings of the International Conference on Cryptography and Information Security in the Balkans, Istanbul, Turkey, 16–17 October 2014; Springer: Berlin/Heidelberg, Germany, 2014; pp. 40–54. [Google Scholar]
- Daemen, J.; Rijmen, V. The Design of Rijndael; Springer: Berlin/Heidelberg, Germany, 2002. [Google Scholar]
- Indrøy, J.P. Algebraic Attack on Small Scale Variants of AES using Compressed Right Hand Sides. Master’s Thesis, The University of Bergen, Bergen, Norway, 2018. [Google Scholar]
- Raddum, H.; Varadharajan, S. Factorization using binary decision diagrams. Cryptogr. Commun.
**2019**, 11, 443–460. [Google Scholar] [CrossRef] - Indrøy, J.P.; Costes, N.; Raddum, H. Boolean Polynomials, BDDs and CRHS Equations-Connecting the Dots with CryptaPath. In Proceedings of the International Conference on Selected Areas in Cryptography, Kingston, ON, Canada, 11–12 August 2020; Springer: Berlin/Heidelberg, Germany, 2020; pp. 229–251. [Google Scholar]
- Albrecht, M.R.; Rechberger, C.; Schneider, T.; Tiessen, T.; Zohner, M. Ciphers for MPC and FHE. In Proceedings of the Advances in Cryptology–EUROCRYPT 2015: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 26–30 April 2015; Springer: Berlin/Heidelberg, Germany, 2015; pp. 430–454. [Google Scholar]
- Grassi, L.; Kales, D.; Rechberger, C.; Schofnegger, M. Survey of Key-Recovery Attacks on LowMC in a Single Plaintext/Ciphertext Scenario. 2020. Available online: https://raw.githubusercontent.com/lowmcchallenge/lowmcchallenge-material/master/docs/survey.pdf (accessed on 1 March 2023).
- Dobraunig, C.; Eichlseder, M.; Mendel, F.; Schläffer, M. Ascon v1. 2. Submiss. CAESAR Compet.
**2016**, 5, 7. [Google Scholar] - Semaev, I. New results in the linear cryptanalysis of DES. Cryptology ePrint Archive, Paper 2014/361. 2006. Available online: https://eprint.iacr.org/2014/361 (accessed on 1 March 2023).
- Fauskanger, S.; Semaev, I. Separable statistics and multidimensional linear cryptanalysis. IACR Trans. Symmetric Cryptol.
**2018**, 2, 79–110. [Google Scholar] [CrossRef]

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2023 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Zajac, P.
Algebraic Cryptanalysis with MRHS Equations. *Cryptography* **2023**, *7*, 19.
https://doi.org/10.3390/cryptography7020019

**AMA Style**

Zajac P.
Algebraic Cryptanalysis with MRHS Equations. *Cryptography*. 2023; 7(2):19.
https://doi.org/10.3390/cryptography7020019

**Chicago/Turabian Style**

Zajac, Pavol.
2023. "Algebraic Cryptanalysis with MRHS Equations" *Cryptography* 7, no. 2: 19.
https://doi.org/10.3390/cryptography7020019