Article
Peer-Review Record

Converting of Boolean Expression to Linear Equations, Inequalities and QUBO Penalties for Cryptanalysis

Algorithms 2022, 15(2), 33; https://doi.org/10.3390/a15020033
by Aleksey I. Pakhomchik, Vladimir V. Voloshinov, Valerii M. Vinokur * and Gordey B. Lesovik
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Submission received: 21 December 2021 / Revised: 8 January 2022 / Accepted: 19 January 2022 / Published: 21 January 2022
(This article belongs to the Section Analysis of Algorithms and Complexity Theory)

Round 1

Reviewer 1 Report

Constraint satisfaction problems (CSPs) have an essential role in many fields of computer science. In cryptography, CSPs are important because certain structures can be converted to CSPs. Obviously, conversion does not mean that the corresponding cryptographic primitives have vulnerabilities. Finding an efficient, exact or approximate method of solving CSPs remains. It is known that MAX-SAT problems are APX-complete, which means that not even polynomial approximate algorithms exist for these problems.

In this paper, the authors propose two methods for transforming Boolean expressions into linear equations and inequalities to apply specific SAT-solver techniques. The proposed methods are more or less known, even if they were not explicitly published in any paper. They are then applied to two hash functions, MD5 and SHA-256. I do not consider the innovative part of this paper too convincing, but the fact that it shows how the method works for these cryptographic primitives is a positive aspect.

Nicolas Courtois has repeatedly shown how AES can be specified as a system of quadratic equations. Can the authors of this paper apply their results in this case?

Author Response

Reviewer: Constraint satisfaction problems (CSPs) have an essential role in many fields of computer science. In cryptography, CSPs are important because certain structures can be converted to CSPs. Obviously, conversion does not mean that the corresponding cryptographic primitives have vulnerabilities. Finding an efficient, exact or approximate method of solving CSPs remains. It is known that MAX-SAT problems are APX-complete, which means that not even polynomial approximate algorithms exist for these problems.

In this paper, the authors propose two methods for transforming Boolean expressions into linear equations and inequalities to apply specific SAT-solver techniques. The proposed methods are more or less known, even if they were not explicitly published in any paper. They are then applied to two hash functions, MD5 and SHA-256. I do not consider the innovative part of this paper too convincing, but the fact that it shows how the method works for these cryptographic primitives is a positive aspect.

Reply: We are happy that the Reviewer positively evaluated the significance of our demonstration for the MD5 and SHA-256 hash functions.

Reviewer: Nicolas Courtois has repeatedly shown how AES can be specified as a system of quadratic equations. Can the authors of this paper apply their results in this case?

Reply: We are grateful to the Reviewer for this reference. Following this guidance, we have added an additional section for this cryptographic cipher. The Reviewer’s reference suggests an additional area for the application of our approach. This is certainly a deserving project in itself, which we, thanks to the Reviewer, are going to undertake. We feel, however, that the corresponding detailed research would overload the present manuscript and, therefore, we leave it for a forthcoming publication, having added only a rough estimate of the number of bits/qubits required for AES and the proper reference to N. Courtois' works.

Reviewer 2 Report

The manuscript 1541771 "Converting of Boolean Expression to Linear Equations, Inequalities and QUBO penalties for Cryptanalysis" by Alexey Pakhomchik, Vladimir Voloshinov, Valerii Vinokur, and Gordey Lesovik presents two general approaches to rewriting a boolean function [e.g., entering a constraint programming (CP) problem] as a single equation combining the original binary variables and ancillary variables, or as a set of inequalities, with only one additional variable. The former approach gives an exact representation of the original problem as a quadratic unconstrained binary optimization (QUBO) problem, which allows a solution with the help of a quantum annealer.

While the manuscript is reasonably well structured, I had some difficulty reading the text due to a large number of grammatical mistakes and cases of awkward phrasing (please see some examples at the end of the report). While the results (rather, the improvement compared with the naive methods given in the introduction) look impressive, it would be nice to somehow quantify the complexity. Specifically, given a binary function with n variables (or its circuit representation with m gates), what are the complexities of the suggested algorithms to construct an equation, or a set of inequalities? How many auxiliary variables (respectively, constraint conditions) would be required? Does sparsity of the graph associated with the function matter?

Second, as far as I know, the D-Wave machines have limited connectivity between the variables (each processor is characterized by a certain connectivity graph). Given this limitation, can any problem be solved by such a machine in principle (assuming a sufficiently large number of available variables)? If yes, what is the scaling of the required number of variables in a processor with that in the QUBO problem?

The following comments are on notations and grammar: 

1. The integer range notation a:b is not conventional and should be defined. I would suggest instead to use a more commonly used notation [n]\equiv {1,2,...,n} (which should also be defined).

line 18: "which are solved either by the generic MILP solvers." I think "either" and "the" should be dropped.

line 172, below: replace "less" with "fewer" (and in a few other places)

below 176: "let we know " -> "let us assume that we know"

line 196: replace "as me" with "as in this work"
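Reviewer 2's summary above distinguishes the two encodings the manuscript works with: a Boolean function written as a single penalty equation over the original and ancillary binary variables (a QUBO penalty, zero exactly on satisfying assignments), or as a set of linear inequalities feasible exactly on those assignments. The Python below is an added example, not code from the paper or its authors, and the gate encodings it uses (the standard QUBO penalty for AND, an XOR penalty built from one ancilla, and the usual MILP inequalities for AND and XOR) are textbook linearizations assumed here, not the manuscript's own construction. It checks each encoding exhaustively against the gate's truth table, minimizing over the ancilla as an annealer would, reports the penalty gap between satisfying and violating assignments, and shows the check rejecting a naive ancilla-free XOR penalty.

```python
"""Exhaustive exactness check for Boolean-gate encodings as QUBO penalties
or as linear inequalities. Added example: the encodings are textbook
linearizations, assumed here rather than taken from the manuscript."""
from itertools import product

BITS = (0, 1)


def and_truth(x, y):
    return x & y


def xor_truth(x, y):
    return x ^ y


def and_penalty(x, y, z):
    # Standard QUBO penalty for z = x AND y, no ancilla needed:
    # it is 0 exactly when z == x*y and at least 1 otherwise.
    return x * y - 2 * x * z - 2 * y * z + 3 * z


def xor_penalty(x, y, z, a):
    # XOR has no ancilla-free quadratic penalty, so an ancilla a is forced
    # to x AND y by the AND penalty; then x + y - 2a equals x XOR y and the
    # squared residual expands to a quadratic over binary variables.
    return (x + y - 2 * a - z) ** 2 + and_penalty(x, y, a)


def naive_xor_penalty(x, y, z):
    # Deliberately wrong: (x + y - z)^2 is 4, not 0, at x = y = 1, z = 0.
    return (x + y - z) ** 2


# Linear-inequality encodings; each list is a conjunction of constraints.
AND_INEQ = [
    lambda x, y, z: z <= x,
    lambda x, y, z: z <= y,
    lambda x, y, z: z >= x + y - 1,
]
XOR_INEQ = [
    lambda x, y, z: z <= x + y,
    lambda x, y, z: z >= x - y,
    lambda x, y, z: z >= y - x,
    lambda x, y, z: z <= 2 - x - y,
]


def min_over_ancilla(penalty, x, y, z, n_ancilla):
    # The annealer also minimizes over ancillas, so the encoded value of an
    # (x, y, z) assignment is the best achievable over all ancilla settings.
    return min(penalty(x, y, z, *a) for a in product(BITS, repeat=n_ancilla))


def penalty_is_exact(penalty, truth, n_ancilla=0):
    """True iff the minimized penalty is 0 precisely on the gate's truth table."""
    for x, y, z in product(BITS, repeat=3):
        best = min_over_ancilla(penalty, x, y, z, n_ancilla)
        if (best == 0) != (z == truth(x, y)):
            return False
    return True


def penalty_gap(penalty, truth, n_ancilla=0):
    """Smallest minimized penalty over assignments that violate the gate;
    a larger gap makes wrong assignments easier for an annealer to reject."""
    return min(
        min_over_ancilla(penalty, x, y, z, n_ancilla)
        for x, y, z in product(BITS, repeat=3)
        if z != truth(x, y)
    )


def inequalities_are_exact(ineqs, truth):
    """True iff the inequality set is feasible precisely on the truth table."""
    for x, y, z in product(BITS, repeat=3):
        feasible = all(c(x, y, z) for c in ineqs)
        if feasible != (z == truth(x, y)):
            return False
    return True


if __name__ == "__main__":
    print("AND penalty exact:", penalty_is_exact(and_penalty, and_truth),
          "gap:", penalty_gap(and_penalty, and_truth))
    print("XOR penalty (1 ancilla) exact:", penalty_is_exact(xor_penalty, xor_truth, 1),
          "gap:", penalty_gap(xor_penalty, xor_truth, 1))
    print("naive XOR penalty exact:", penalty_is_exact(naive_xor_penalty, xor_truth))
    print("AND inequalities exact:", inequalities_are_exact(AND_INEQ, and_truth))
    print("XOR inequalities exact:", inequalities_are_exact(XOR_INEQ, xor_truth))
```

The same brute-force check scales to any small gate or lookup table by replacing the truth function and widening the product over inputs; it is the kind of unit test worth running on every gadget before a circuit of thousands of them is assembled into one QUBO or MILP, since a single inexact gadget silently admits spurious solutions.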


Author Response

Reviewer: The manuscript 1541771 "Converting of Boolean Expression to Linear Equations, Inequalities and QUBO penalties for Cryptanalysis" by Alexey Pakhomchik, Vladimir Voloshinov, Valerii Vinokur, and Gordey Lesovik presents two general approaches to rewriting a boolean function [e.g., entering a constraint programming (CP) problem] as a single equation combining the original binary variables and ancillary variables, or as a set of inequalities, with only one additional variable. The former approach gives an exact representation of the original problem as a quadratic unconstrained binary optimization (QUBO) problem, which allows a solution with the help of a quantum annealer.

Reply: We thank the Reviewer for the nice evaluation of our work and constructive comments.

Reviewer: While the results (rather, the improvement compared with the naive methods given in the introduction) look impressive, it would be nice to somehow quantify the complexity. Specifically, given a binary function with n variables (or its circuit representation with m gates), what are the complexities of the suggested algorithms to construct an equation, or a set of inequalities? How many auxiliary variables (respectively, constraint conditions) would be required? Does sparsity of the graph associated with the function matter?

Reply: At this point, it is still hard to estimate the complexities of the suggested algorithms since we used numerical methods, but did not construct analytical approaches for converting the binary functions. We developed our methods keeping in mind their application to the current hash functions and found out that indeed they work pretty well. The success is based on the fact that the current hash functions do not require a large Boolean function with a lot of variables, as one can see in the given examples (MD5, SHA-256). The required estimates will appear in our future detailed research. This future research will accordingly provide answers concerning the number of auxiliary variables and the graph’s sparsity.

Reviewer: Second, as far as I know, the D-Wave machines have limited connectivity between the variables (each processor is characterized by a certain connectivity graph).  Given this limitation, can any problem be solved by such a machine in principle (assuming a sufficiently large number of available variables)?  If yes, what is the scaling of the required number of variables in a processor with that in the QUBO problem?

Reply: We would like to thank the Reviewer for this thoughtful question. Indeed, we found a suitable embedding for one round of both mentioned hash functions (MD5, SHA-256), which indicates that the D-Wave is, in principle, capable of solving any problem of this kind. To accomplish the task to the end, we have to merge similar embeddings with a small number of overlapping qubits. Unfortunately, the whole QUBO requires more qubits than are provided by current quantum devices.

When this task is completed on a D-Wave machine with a larger qubit number, the reliable determination of the scaling of the number of variables will be accomplished.

Reviewer: The following comments are on notations and grammar: 

1. The integer range notation a:b is not conventional and should be defined. I would suggest instead to use a more commonly used notation [n]\equiv {1,2,...,n} (which should also be defined).

line 18: "which are solved either by the generic MILP solvers." I think "either" and "the" should be dropped.

line 172, below: replace "less" with "fewer" (and in a few other places)

below 176: "let we know " -> "let us assume that we know"

line 196: replace "as me" with "as in this work"

Reply: We thank the Reviewer for the attentiveness. We took care of the indicated grammar typos and carefully checked the revised version of our manuscript.

Round 2

Reviewer 2 Report

The resubmitted manuscript 1541771 "Converting of Boolean Expression to Linear Equations, Inequalities and QUBO penalties for Cryptanalysis" by Alexey Pakhomchik, Vladimir Voloshinov, Valerii Vinokur, and Gordey Lesovik.

The authors partially addressed my questions. Although no general expressions on complexity are given, the authors comment that such estimates are hard, and extended their range of examples by adding the analysis of the AES family of cryptographic algorithms. The examples do help to understand the complexities involved. The authors also addressed the issue of node connectivity in D-Wave systems by demonstrating that required embeddings can be found and that the overheads required are reasonable, at least for two of the cryptosystems considered.

Overall, I am happy with the changes. The map to the Pegasus graph demonstrates that the attacks on MD5 and SHA-256 are feasible already on the current generation of D-Wave machines, even though it is not clear how long it would take to solve. I strongly recommend this work for publication in Algorithms.
