Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
 Nicolas T. Courtois,
 Josef Pieprzyk
 … show all 2 hide
Abstract
Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small Sboxes interconnected by linear keydependent layers. Their security relies on the fact, that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds N _{ r } r.
In this paper we study the security of such ciphers under an additional hypothesis: the Sbox can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of Sboxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt’00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure.
The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations is seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in N _{ r> }, with a huge constant that is doubleexponential in the size of the Sbox. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives always more than the exhaustive search for Rijndael, it seems to (marginally) break 256bit Serpent. We suggest a new criterion for design of Sboxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.
 Ross Anderson, Eli Biham and Lars Knudsen: Serpent: A Proposal for the Advanced Encryption Standard. Available from http://www.cl.cam.ac.uk/~rja14/serpent.html
 Anne Canteaut, Marion Videau: Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis; Eurocrypt 2002, LNCS 2332, Springer. CrossRef
 Don Coppersmith, Shmuel Winograd: “Matrix multiplication via arithmetic progressions”; J. Symbolic Computation (1990), 9, pp. 251–280. CrossRef
 Joan Daemen, Vincent Rijmen: AES proposal: Rijndael; The latest revised version of the proposal is available on the internet, http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
 Nicolas Courtois, Louis Goubin, Willi Meier, JeanDaniel Tacier: Solving Underdefined Systems of Multivariate Quadratic Equations; PKC 2002, LNCS 2254, Springer, pp. 211–225.
 Nicolas Courtois: The security of Hidden Field Equations (HFE); Cryptographers’ Track Rsa Conference 2001, San Francisco 8–12 April 2001, LNCS 2020, SpringerVerlag, pp. 266–281. CrossRef
 Horst Feistel: Cryptography and computer privacy; Scientific American, vol. 228, No. 5, pp. 15–23, May 1973. CrossRef
 Niels Ferguson, Richard Schroeppel and Doug Whiting: A simple algebraic representation of Rijndael; SAC’01, page 103, LNCS 2259, Springer.
 Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, Doug Whiting: Improved Cryptanalysis of Rijndael, FSE 2000, Springer.
 J.B. Kam and G.I. Davida: Structured design of substitutionpermutation encryption networks; IEEE Trans. on Computers, Vol. C28, 1979, pp. 747–753. CrossRef
 Lars R. Knudsen, Vincent Rijmen: On the Decorrelated Fast Cipher (DFC) and its Theory; FSE’99, Springer, LNCS 1636, pp. 81–94.
 Michael Luby, Charles W. Rackoff, How to construct pseudorandom permutations from pseudorandom functions; SIAM Journal on Computing, vol. 17, n. 2, pp. 373–386, April 1988. CrossRef
 T.T. Moh: On The Method of XL and Its Inefficiency Against TTM, available at http://eprint.iacr.org/2001/047/.
 S. Murphy, M. Robshaw: Essential Algebraic Structure within the AES, Crypto 2002, Springer.
 Moni Naor and Omer Reingold: On the construction of pseudorandom permutations: LubyRackoff revisited; Journal of Cryptology, vol 12, 1999, pp. 29–66. CrossRef
 Kaisa Nyberg: Differentially Uniform Mappings for Cryptography; Eurocrypt’93, LNCS 765, Springer, pp. 55–64.
 Jacques Patarin: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt’88; Crypto’95, SpringerVerlag, pp. 248–261.
 Jacques Patarin: Generic Attacks on Feistel Schemes; Asiacrypt 2001, LNCS 2248, Springer, pp. 222–238. CrossRef
 Jacques Patarin: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymmetric Algorithms; in Eurocrypt’96, Springer Verlag, pp. 33–48.
 Jacques Patarin, Nicolas Courtois, Louis Goubin: Improved Algorithms for Isomorphism of Polynomials; Eurocrypt 1998, SpringerVerlag.
 Adi Shamir, Alex Biryukov: Structural Cryptanalysis of SASAS; Eurocrypt 2001, LNCS 2045, Springer, pp. 394–405.
 Adi Shamir, Aviad Kipnis: Cryptanalysis of the HFE Public Key Cryptosystem; In Advances in Cryptology, Proceedings of Crypto’99, SpringerVerlag, LNCS.
 Adi Shamir, Jacques Patarin, Nicolas Courtois, Alexander Klimov, Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations, Eurocrypt’2000, LNCS 1807, Springer, pp. 392–407.
 Robert D. Silverman: A CostBased Security Analysis of Symmetric and Asymmetric Key Lengths; RSA Lab. report, http://www.rsasecurity.com/rsalabs/bulletins/bulletin13.html.
 Claude Elwood Shannon: Communication theory of secrecy systems; Bell System Technical Journal 28 (1949), see in patricular page 704.
 Serge Vaudenay: Provable Security for Block Ciphers by Decorrelation; Technical Report LIENS988, ENS, France, available at http://lasecwww.epfl.ch/query.msql?ref=Vau98b.
 Serge Vaudenay, Shiho Moriai: On the Pseudorandomness of TopLevel Schemes of Block Ciphers; Asiacrypt 2000, LNCS 1976, Springer, pp. 289–302.
 Title
 Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
 Book Title
 Advances in Cryptology — ASIACRYPT 2002
 Book Subtitle
 8th International Conference on the Theory and Application of Cryptology and Information Security Queenstown, New Zealand, December 1–5, 2002 Proceedings
 Pages
 pp 267287
 Copyright
 2002
 DOI
 10.1007/3540361782_17
 Print ISBN
 9783540001713
 Online ISBN
 9783540361787
 Series Title
 Lecture Notes in Computer Science
 Series Volume
 2501
 Series ISSN
 03029743
 Publisher
 Springer Berlin Heidelberg
 Copyright Holder
 SpringerVerlag Berlin Heidelberg
 Additional Links
 Topics
 Keywords

 Block ciphers
 AES
 Rijndael
 Square
 Serpent
 Camellia
 multivariate quadratic equations
 MQ problem
 overdefined systems of multivariate equations
 XL algorithm
 Gröbner bases
 sparse multivariate polynomials
 Multivariate Cryptanalysis
 Industry Sectors
 eBook Packages
 Editors

 Yuliang Zheng ^{(4)}
 Editor Affiliations

 4. Department of Software and Information Systems, University of North Carolina at Charlotte
 Authors

 Nicolas T. Courtois ^{(5)}
 Josef Pieprzyk ^{(6)}
 Author Affiliations

 5. CP8 Crypto Lab, SchlumbergerSema, 3638, rue de la Princesse, BP 45, 78430, Louveciennes Cedex, France
 6. Center for Advanced Computing  Algorithms and Cryptography, Department of Computing, Macquarie University, Sydney, NSW, 2109, Australia
Continue reading...
To view the rest of this content please follow the download PDF link above.