I know that
In cryptography, the linearization attack is a method of cryptanalysis for block ciphers
I am looking for an example of a linearization attack but couldn't find one online.
Could anyone please explain it with an example?
A cryptosystem can be represented by multivariate equations and the analyzer tries to solve these equations efficiently in order to mount the algebraic attack. It is known that this is an NP-hard problem.
Linearization is a method for solving these where the degree of monomials is at most two. It first appears in Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization by Kipnis and Shamir. It is simply renaming the variables and solving the new system and then determining the real solutions to the original problem.
Linearization is well written in Bard's book
Given a quadratic system of $m$ equations in $n$ variables;
\begin{align*} x_1 + x_2 x_3 &= 1\\ x_1 x_2 + x_1 x_3 + x_1 & = 0\\ x_2 x_3 + x_2 & = 0\\ x_1 x_2 + x_1 + x_3 + x_2 & = 0\\ x_1 + x_1 x_2 + x_3 & = 0\\ x_2 x_3 + x_1 + x_2 &=1 \end{align*}
we are renaming the total ${n \choose 2}$ quadratic monomials and $n$ linear monomials. With renaming (linearization);
\begin{align*} x_1 &= y_1\\ x_2 &= y_2\\ x_3 &= y_3\\ x_1 x_2 &= y_4\\ x_1 x_3 &= y_5\\ x_2 x_3 &=y_6 \end{align*}
we get a linear system;
\begin{align*} y_1 + y_6 &= 1 \\ y_4 + y_5 + y_1 &= 0\\ y_6 + y_2 &= 0\\ y_4 + y_1 + y_3 + y_2 &= 0\\ y_1 + y_4 + y_3 &= 0\\ y_6 + y_1 + y_2 &= 1 \end{align*}
Now one can perform Gaussian elimination to get;
\begin{align*} y_1 & = 1\\ y_2 & = 0\\ y_3 & = y_5\\ y_4 & = y_5 + 1\\ y_5 & = \text{free}\\ y_6 & = 0 \end{align*}
This gives two solutions, $(1, 0, 0, 1, 0, 0)$ and $(1, 0, 1, 0, 1, 0)$. One is valid and one is not (left to the reader). This is due to the fact that linearization destroys information. Therefore;
What is the benefit of the linearization?
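The system worked through in the answer above, as an added example that is not part of the original post: it renames the monomials, runs Gaussian elimination over GF(2), and tests each candidate against the renaming $y_4 = y_1 y_2$, $y_5 = y_1 y_3$, $y_6 = y_2 y_3$. The function and constant names are chosen here for illustration.

```python
from itertools import combinations, product

# Renaming order from the answer: x1, x2, x3, x1x2, x1x3, x2x3 -> y1..y6
MONOMIALS = [(i,) for i in (1, 2, 3)] + list(combinations((1, 2, 3), 2))
COL = {m: j for j, m in enumerate(MONOMIALS)}
# The six equations over GF(2): (monomials on the left, right-hand side)
SYSTEM = [
    ([(1,), (2, 3)], 1),
    ([(1, 2), (1, 3), (1,)], 0),
    ([(2, 3), (2,)], 0),
    ([(1, 2), (1,), (3,), (2,)], 0),
    ([(1,), (1, 2), (3,)], 0),
    ([(2, 3), (1,), (2,)], 1),
]

def linearize(system):
    """One augmented GF(2) row per equation: columns y1..y6, then the constant."""
    return [[int(m in monos) for m in MONOMIALS] + [rhs] for monos, rhs in system]

def solve_gf2(rows):
    """Gauss-Jordan elimination over GF(2); returns every solution of the linear system."""
    rows, ncols, pivots = [r[:] for r in rows], len(rows[0]) - 1, []
    for c in range(ncols):
        r = len(pivots)  # index of the next pivot row
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue  # no pivot in this column: it is a free variable
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    if any(row[-1] for row in rows[len(pivots):]):
        return []  # a row reads 0 = 1: the linear system has no solution
    free = [c for c in range(ncols) if c not in pivots]
    sols = []
    for vals in product((0, 1), repeat=len(free)):
        y = dict(zip(free, vals))  # choose the free variables, derive the rest
        for i, c in enumerate(pivots):
            y[c] = rows[i][-1] ^ (sum(rows[i][f] & y[f] for f in free) & 1)
        sols.append(tuple(y[c] for c in range(ncols)))
    return sols

def is_consistent(y):
    """Keep a candidate only if each renamed product equals the product of its factors."""
    return all(y[COL[a, b]] == (y[a - 1] & y[b - 1]) for a, b in MONOMIALS[3:])

if __name__ == "__main__":
    for y in solve_gf2(linearize(SYSTEM)):
        print(y, "consistent" if is_consistent(y) else "spurious")
```

The consistency check is the step that recovers the information the renaming threw away: a candidate that fails it solves the linear system but not the original quadratic one.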
You need to read the Wikipedia page on the theoretical XSL attack: https://en.wikipedia.org/wiki/XSL_attack
...which, in theory, implements a linearization attack against block ciphers. Take note, however: while this was proposed, it's never been shown to work. And the theory behind it suggests it's as computationally intensive (work factor) as a plain brute force of the key space anyway.