Advanced Encryption Standard – AES

Volume 3373 of the series Lecture Notes in Computer Science pp 170-188

The Inverse S-Box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers

  • Nicolas T. Courtois, affiliated with Axalto Cryptographic Research & Advanced Security


This paper is motivated by the design of AES. We consider the broader question of cryptanalysis of block ciphers that have very good non-linearity and diffusion. Can we nevertheless expect to attack such ciphers, which are clearly designed to render the main classical attacks hopeless? Recently a lot of attention has been drawn to the existence of multivariate algebraic relations for AES (and other) S-boxes. If the XSL-type algebraic attacks on block ciphers [10] are shown to work well, the answer would be positive. In this paper we show that the answer is certainly positive for many other constructions of ciphers. This is not due to an algebraic attack, but to new types of generalised linear cryptanalysis, highly non-linear in flavour. We present several constructions of somewhat special practical block ciphers that seemingly satisfy all the design criteria of AES and use similar S-boxes, and yet are extremely weak. They can be generalised, and evolve into general attacks that can be applied, potentially, to any block cipher.


Block ciphers, AES, Rijndael, interpolation attack on block ciphers, fractional transformations, homographic functions, multivariate equations, Feistel ciphers, generalised linear cryptanalysis, bi-linear cryptanalysis