Advances in Cryptology — ASIACRYPT 2002
Volume 2501 of the series Lecture Notes in Computer Science pp 267287
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
 Nicolas T. CourtoisAffiliated withCP8 Crypto Lab, SchlumbergerSema
 , Josef PieprzykAffiliated withCenter for Advanced Computing  Algorithms and Cryptography, Department of Computing, Macquarie University
Abstract
Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small Sboxes interconnected by linear keydependent layers. Their security relies on the fact, that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds N _{ r } r.
In this paper we study the security of such ciphers under an additional hypothesis: the Sbox can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of Sboxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt’00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure.
The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations is seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in N _{ r> }, with a huge constant that is doubleexponential in the size of the Sbox. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives always more than the exhaustive search for Rijndael, it seems to (marginally) break 256bit Serpent. We suggest a new criterion for design of Sboxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.
Key Words
Block ciphers AES Rijndael Square Serpent Camellia multivariate quadratic equations MQ problem overdefined systems of multivariate equations XL algorithm Gröbner bases sparse multivariate polynomials Multivariate Cryptanalysis Title
 Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
 Book Title
 Advances in Cryptology — ASIACRYPT 2002
 Book Subtitle
 8th International Conference on the Theory and Application of Cryptology and Information Security Queenstown, New Zealand, December 1–5, 2002 Proceedings
 Pages
 pp 267287
 Copyright
 2002
 DOI
 10.1007/3540361782_17
 Print ISBN
 9783540001713
 Online ISBN
 9783540361787
 Series Title
 Lecture Notes in Computer Science
 Series Volume
 2501
 Series ISSN
 03029743
 Publisher
 Springer Berlin Heidelberg
 Copyright Holder
 SpringerVerlag Berlin Heidelberg
 Additional Links
 Topics
 Keywords

 Block ciphers
 AES
 Rijndael
 Square
 Serpent
 Camellia
 multivariate quadratic equations
 MQ problem
 overdefined systems of multivariate equations
 XL algorithm
 Gröbner bases
 sparse multivariate polynomials
 Multivariate Cryptanalysis
 Industry Sectors
 eBook Packages
 Editors

 Yuliang Zheng ^{(4)}
 Editor Affiliations

 4. Department of Software and Information Systems, University of North Carolina at Charlotte
 Authors

 Nicolas T. Courtois ^{(5)}
 Josef Pieprzyk ^{(6)}
 Author Affiliations

 5. CP8 Crypto Lab, SchlumbergerSema, 3638, rue de la Princesse, BP 45, 78430, Louveciennes Cedex, France
 6. Center for Advanced Computing  Algorithms and Cryptography, Department of Computing, Macquarie University, Sydney, NSW, 2109, Australia
Continue reading...
To view the rest of this content please follow the download PDF link above.