Adaptive Restart and CEGAR-Based Solver for Inverting Cryptographic Hash Functions

Saeed Nejati, Jia Hui Liang, Catherine Gebotys, Krzysztof Czarnecki, Vijay Ganesh

University of Waterloo, Waterloo, Canada


 

Abstract

 

SAT solvers are increasingly being used for cryptanalysis of hash functions and symmetric encryption schemes. Inspired by this trend, we present MapleCrypt, a SAT-solver-based cryptanalysis tool for inverting hash functions.

We reduce the hash function inversion problem for fixed targets into the satisfiability problem for Boolean logic, and use MapleCrypt to construct preimages for these targets. MapleCrypt has two key features, namely, a multi-armed bandit based adaptive restart (MABR) policy and a counterexample-guided abstraction refinement (CEGAR) technique.

The MABR technique uses reinforcement learning to adaptively choose between different restart policies during the run of the solver.

The CEGAR technique abstracts away certain steps of the input hash function, replacing them with the identity function, and verifies whether the solution constructed by MapleCrypt indeed hashes to the previously fixed targets.

If it is determined that the solution produced is spurious, the abstraction is refined until a correct inversion to the input hash target is produced. We show that the resultant system is faster for inverting the SHA-1 hash function than state-of-the-art inversion tools.

   

 

1 Introduction

 

2 Background on Cryptographic Hash Functions

 

3 Architecture of MapleCrypt

 

The adaptive restart does not deal directly with the structure of the hash function and could therefore be used in solving other SAT instances as well.

   
 

3.2 CEGAR Loop Design

 

The intuition behind this procedure is that, first, 20 steps are very easy to solve, and 20 is the largest number of steps for which we are better off solving directly rather than through an abstraction.

Secondly, the first few intermediate variables have the most degrees of freedom when searching for a preimage or collision.

 

Lastly, blocking a subset of intermediate values, although it might block some legitimate solutions, also blocks many spurious solutions. We can divide our main procedure into two main functions, listed in Algorithm 1.

   
 

3.3 Multi-armed Bandit Restart

 

Many restart policies have been proposed in the SAT literature [45634]; in particular, we focus on the uniform, linear, Luby, and geometric restart policies [10]. For a given preimage attack instance, we cannot know a priori which of the 4 restart policies will perform the best.

To compensate for this, we use multi-armed bandits (MAB) [50], a special case of reinforcement learning, to switch between the 4 policies dynamically during the run of the solver.

We chose to use the discounted UCB algorithm [24] from the MAB literature, as it accounts for the non-stationary environment of the CDCL solver, in particular changes in the learnt clause database over time.

Discounted UCB has 4 actions to choose from, corresponding to the uniform, linear, Luby, and geometric restart policies.

Once the action is selected, the solver will proceed to perform the CDCL backtracking search until the chosen restart policy decides to restart.

The algorithm computes the average LBD (Literals Block Distance [3]) of the learnt clauses generated since the action was selected, and the reciprocal of the average is the reward given to the selected action.

 

Intuitively, a restart policy which generates small LBDs will receive larger rewards, and UCB will increase the probability of selecting that restart policy in the future.

Over time, this will bias UCB towards restart policies that generate small LBDs.
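The MABR loop described above, written out as an added example (this is not MapleCrypt's code): a discounted UCB bandit with the four restart policies as arms, rewarded with the reciprocal of the mean LBD of clauses learnt since the arm was chosen. The discount gamma, the exploration constant c, and the per-policy LBD lists that stand in for the solver are all constructed values.

```python
import math

# The four arms: the restart policies MapleCrypt switches between.
POLICIES = ("uniform", "linear", "luby", "geometric")

class DiscountedUCB:
    """Discounted UCB: pull counts and reward sums decay by gamma every round,
    so recent rewards dominate, matching the non-stationary CDCL state."""
    def __init__(self, arms, gamma=0.9, c=0.1):   # gamma and c are assumed tuning values
        self.arms = list(arms)
        self.gamma, self.c = gamma, c
        self.counts = [0.0] * len(arms)   # discounted number of pulls per arm
        self.sums = [0.0] * len(arms)     # discounted reward total per arm

    def select(self):
        for i, n in enumerate(self.counts):   # try every policy once first
            if n == 0:
                return i
        total = sum(self.counts)
        def index(i):   # discounted mean reward + exploration bonus
            return self.sums[i] / self.counts[i] + self.c * math.sqrt(math.log(total) / self.counts[i])
        return max(range(len(self.arms)), key=index)

    def update(self, arm, reward):
        for i in range(len(self.arms)):       # age all statistics
            self.counts[i] *= self.gamma
            self.sums[i] *= self.gamma
        self.counts[arm] += 1
        self.sums[arm] += reward

def lbd_reward(lbds):
    """Reward = reciprocal of the mean LBD of clauses learnt since the arm was chosen."""
    return len(lbds) / sum(lbds) if lbds else 0.0

# Constructed stand-in for the solver: LBDs of clauses "learnt" under each policy
# between two restarts. A real solver would report these from its CDCL loop.
SIMULATED_LBDS = {"uniform": [7, 9, 8], "linear": [5, 6, 7],
                  "luby": [3, 4, 5], "geometric": [10, 9, 11]}

def simulate(rounds, lbds=SIMULATED_LBDS):
    """Run the MAB restart loop for `rounds` restarts; return how often each policy was chosen."""
    bandit = DiscountedUCB(POLICIES)
    chosen = {p: 0 for p in POLICIES}
    for _ in range(rounds):
        arm = bandit.select()
        policy = POLICIES[arm]
        chosen[policy] += 1
        # the solver searches until `policy` triggers a restart, then reports its LBDs
        bandit.update(arm, lbd_reward(lbds[policy]))
    return chosen
```

With the constructed LBDs, the Luby arm produces the smallest clauses, earns the largest reward, and ends up selected most often.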

   

5 Related Work

 

Adaptive Restarts. Armin Biere proposed monitoring variable assignment flips in PicoSAT, and delayed restarts when the weighted average of flips is below a predetermined threshold [5].

 

Audemard and Simon proposed monitoring the LBD of learnt clauses, and a restart is triggered if the short-term LBD average exceeds the long-term LBD average by a constant factor [4].

 

Haim and Walsh used machine learning to train a classifier to select from a portfolio of restart policies [25]. Gagliolo and Schmidhuber used bandits to select between the Luby and uniform restart heuristics [23].

posted on 2020-12-19 19:42 by 海阔凭鱼跃越