Specific S-Box Criteria in Algebraic Attacks on Block Ciphers with Several Known Plaintexts
- Cite this paper as:
- Courtois N.T., Debraize B. (2008) Specific S-Box Criteria in Algebraic Attacks on Block Ciphers with Several Known Plaintexts. In: Lucks S., Sadeghi AR., Wolf C. (eds) Research in Cryptology. WEWoRC 2007. Lecture Notes in Computer Science, vol 4945. Springer, Berlin, Heidelberg
In this paper we study algebraic attacks on block ciphers that exploit several (i.e. more than 2) plaintext-ciphertext pairs. We show that this considerably lowers the maximum degree of polynomials that appear in the attack, which allows much faster attacks, some of which can actually be handled experimentally. We point out a theoretical reason why such attacks are more efficient, lying in certain types of multivariate equations that do exist for some S-boxes. Then we show that when the S-box is on 3 bits, such equations do always exist. For S-boxes on 4 bits, the existence of these equations is no longer systematic. We apply our attacks to a toy version of Serpent, a toy version of Rijndael, and a reduced round version of Present, a recently proposed lightweight block cipher. It turns out that some S-boxes are much stronger than others against our attack.
Keywordsalgebraic attacks on block ciphers Rijndael Serpent multivariate equations Gröbner bases design of S-boxes algebraic immunity
Unable to display preview. Download preview PDF.