On selection of samples in algebraic attacks and a new technique to find hidden low degree equations

  • Special Issue Paper
  • International Journal of Information Security

The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN32, LBlock and SIMON. For each case, we present a practical attack on a reduced-round version which outperforms previous attempts at algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using the cube attack and ElimLin, which was presented at FSE’12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts, which break a smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows the discovery of linear equations that are not found by ElimLin.


  1. We assume that our equations are sound in the sense of being fully “Describing” equations [15] for each component of the encryption process.

  2. Since \({\mathcal {S}}_{{\chi }, \star , {\kappa }}\) is a maximal ideal, the reduction modulo it is in \(\mathbf {F}_2\). Equivalently, the ideal reduction is equivalent to the evaluation of the polynomial.


  1. Albrecht, M.R., Cid, C., Faugère, J.-C., Perret, L.: On the relation between the mutant strategy and the normal selection strategy in Gröbner basis algorithms. IACR Cryptol. ePrint Arch. 2011, 164 (2011)

  2. Albrecht, M.R., Cid, C., Faugère, J.-C., Perret, L.: On the relation between the MXL family of algorithms and Gröbner basis algorithms. J. Symb. Comput. 47(8), 926–941 (2012)

  3. Al-Hinai, S., Dawson, E., Henricksen, M., Simpson, L.-R.: On the security of the LILI family of stream ciphers against algebraic attacks. In: Josef, P., Hossein, G., Dawson, E. (eds.) ACISP 07, vol. 4586 of LNCS, pp. 11–28, Townsville, Australia, July 2–4. Springer, Berlin (2007)

  4. Ars, G., Faugère, J.-C., Imai, H., Kawazoe, M., Sugita, M.: Comparison between XL and Gröbner basis algorithms. In: Pil Joong, L. (ed.) ASIACRYPT 2004, vol. 3329 of LNCS, pp. 338–353, Jeju Island, Korea, December 5–9. Springer, Berlin (2004)

  5. Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube testers and key recovery attacks on reduced-round MD6 and Trivium. In: Orr, D. (ed.) FSE 2009, vol. 5665 of LNCS, pp. 1–22, Leuven, Belgium, February 22–25. Springer, Berlin (2009)

  6. Bard, G.-V., Courtois, N., Nakahara, J., Sepehrdad, P., Zhang, B.: Algebraic, AIDA/cube and side channel analysis of KATAN family of block ciphers. In: Guang, G., Kishan-Chand G. (eds.) INDOCRYPT 2010, vol. 6498 of LNCS, pp. 176–196, Hyderabad, India, December 12–15. Springer, Berlin (2010)

  7. Bardet, M., Faugère, J.-C., Salvy, B., Yang, B.-Y.: Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. In: MEGA’05, 2005. Eighth International Symposium on Effective Methods in Algebraic Geometry, Porto Conte, Alghero, Sardinia (Italy), May 27th – June 1st

  8. Bardet, M., Faugère, J.-C., Salvy, B., Spaenlehauer, P.-J.: On the complexity of solving quadratic boolean systems. J. Complex. 29(1), 53–75 (2013)

  9. Cannière, C.T.: A stream cipher construction inspired by block cipher design principles. In: Sokratis, K.K., Javier, L., Michael, B., Stefanos, G., Bart P. (eds.) Information Security, vol. 4176 of Lecture Notes in Computer Science, pp. 171–186. Springer, Berlin Heidelberg (2006)

  10. Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Solving quadratic equations with XL on parallel architectures. In: Emmanuel, P., Patrick, S. (eds.) CHES 2012, vol. 7428 of LNCS, pp. 356–373, Leuven, Belgium, September 9–12. Springer, Berlin (2012)

  11. Choy, J., Yap, H., Khoo, K.: An analysis of the compact XSL attack on BES and embedded SMS4. In: Juan, A.G., Atsuko, M., Akira, O. (eds.) CANS 09, vol. 5888 of LNCS, pp. 103–118, Kanazawa, Japan, December 12–14. Springer, Berlin (2009)

  12. Cid, C., Leurent, G.: An analysis of the XSL algorithm. In: Bimal, K.R. (ed.) ASIACRYPT 2005, vol. 3788 of LNCS, pp. 333–352, Chennai, India, December 4–8. Springer, Berlin (2005)

  13. Courtois, N., Bard, G.-V., Wagner, D.: Algebraic and slide attacks on KeeLoq. In: Kaisa, N. (ed.) FSE 2008, vol. 5086 of LNCS, pp. 97–115, Lausanne, Switzerland, February 10–13. Springer, Berlin (2008)

  14. Courtois, N., Bard, G.-V.: Algebraic cryptanalysis of the data encryption standard. In: Steven, D.G. (eds.) 11th IMA International Conference on Cryptography and Coding, vol. 4887 of LNCS, pp. 152–169, Cirencester, UK, December 18–20. Springer, Berlin (2007)

  15. Courtois, N., Debraize, B.: Algebraic description and simultaneous linear approximations of addition in Snow 2.0. In: Liqun, C., Mark-Dermot, R., Guilin, W. (eds.) ICICS 08, vol. 5308 of LNCS, pp. 328–344, Birmingham, UK, October 20–22. Springer, Berlin (2008)

  16. Courtois, N., Mourouzis, T., Song, G., Sepehrdad, P., Susil, P.: Combined algebraic and truncated differential cryptanalysis on reduced-round simon. In: Mohammad, S.O., Andreas, H., Pierangela, S. (eds.) SECRYPT 2014—Proceedings of the 11th International Conference on Security and Cryptography, Vienna, Austria, 28-30 August, 2014, pp. 399–404. SciTePress (2014)

  17. Courtois, N., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Yuliang, Z., (eds.) ASIACRYPT 2002, vol. 2501 of LNCS, pp. 267–287. Queenstown, New Zealand, December 1–5. Springer, Berlin (2002)

  18. Courtois, N.-T., Pouyan, S., Petr S., Serge V.: ElimLin algorithm revisited. In: Anne, C. (ed.) FSE 2012, vol. 7549 of LNCS, pp. 306–325, Washington, DC, USA, March 19–21. Springer, Berlin (2012)

  19. Courtois, N.-T.: A New Frontier in Symmetric Cryptanalysis. Invited talk, Indocrypt, (2008).

  20. Courtois, N.: Algebraic attacks over GF\((2^{k})\), application to HFE challenge 2 and Sflash-v2. In: Feng, B., Robert, D., Jianying Z. (eds.) PKC 2004, vol. 2947 of LNCS, pp. 201–217, Singapore, March 1–4. Springer, Berlin (2004)

  21. Courtois, N.: Higher order correlation attacks, XL algorithm and cryptanalysis of toyocrypt. In: Pil-Joong, L., Chae-Hoon, L. (eds.) ICISC 02, vol. 2587 of LNCS, pp. 182–199, Seoul, Korea, November 28–29. Springer, Berlin (2002)

  22. De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN - a family of small and efficient hardware-oriented block ciphers. In: Christophe, C., Kris, G. (eds.) CHES 2009, vol. 5747 of LNCS, pp. 272–288, Lausanne, Switzerland, September 6–9. Springer, Berlin (2009)

  23. Dinur, I., Shamir, A.: Breaking grain-128 with dynamic cube attacks. In: Antoine, J. (ed.) FSE 2011, vol. 6733 of LNCS, pp. 167–187, Lyngby, Denmark, February 13–16. Springer, Berlin (2011)

  24. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Antoine, J. (ed.) EUROCRYPT 2009, vol. 5479 of LNCS, pp. 278–299, Cologne, Germany, April 26–30. Springer, Berlin (2009)

  25. Dinur, I., Shamir, A.: Side channel cube attacks on block ciphers. IACR Cryptol. ePrint Arch. 2009, 127 (2009)

  26. Dinur, I., Shamir, A.: Applying cube attacks to stream ciphers in realistic scenarios. Cryptogr. Commun. 4(3–4), 217–232 (2012)

  27. Erickson, J., Ding, J., Christensen, C.: Algebraic cryptanalysis of SMS4: Gröbner basis attack and SAT attack compared. In: Donghoon, L., Seokhie, H. (eds.) ICISC 09, vol. 5984 of LNCS, pp. 73–86, Seoul, Korea, December 2–4. Springer, Berlin (2009)

  28. Faugère, J.-C., Perret, L.: Algebraic cryptanalysis of curry and flurry using correlated messages. In: Bao, F., Yung, M., Lin, D., Jing, J. (eds.) Information Security and Cryptology. Lecture Notes in Computer Science, vol. 6151, pp. 266–277. Springer, Berlin Heidelberg (2010)

  29. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC 02: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, pp. 75–83 (2002)

  30. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebr. 139(1–3), 61–88 (1999)

  31. Fouque, P.A., Vannet, T.: Improving Key Recovery to 784 and 799 rounds of Trivium using Optimized Cube Attacks. FSE2013

  32. Hell, M., Johansson, T., Meier, W.: Grain: a stream cipher for constrained environments. Int. J. Wire. Mob. Comput. 2(1), 86–93 (2007)

  33. Hodges, Ti., Christophe P., Jacob S.: Degree of regularity for systems arising from weil descent. In: YAC2012—Yet Another Conference in Cryptography, vol. 9 (2012)

  34. Isobe, T., Sasaki, Y., Chen, J.: Related-key boomerang attacks on KATAN32/48/64. In: Colin, B., Leonie, S (eds.) ACISP 13, vol. 7959 of LNCS, pp. 268–285. Brisbane, Australia, July 1–3. Springer, Berlin (2013)

  35. Knellwolf, S., Meier, W., Naya-Plasencia, M.: Conditional differential cryptanalysis of Trivium and KATAN. In: Ali, M., Serge, V. (eds.) SAC 2011, vol. 7118 of LNCS, pp. 200–212. Toronto, Ontario, Canada, August 11–12. Springer, Berlin (2011)

  36. Knudsen, L.-R.: Truncated and higher order differentials. In: Bart, P. (eds.) FSE’94, vol. 1008 of LNCS, pp. 196–211, Leuven, Belgium, December 14–16. Springer, Berlin (1994)

  37. Lim, C.-W., Khoo, K.: An analysis of XSL applied to BES. In: Alex, B. (ed.) FSE 2007, vol. 4593 of LNCS, pp. 242–253, Luxembourg, Luxembourg, March 26–28. Springer, Berlin (2007)

  38. Lipton, R.-J., Viglas, A.: On the complexity of SAT. In: 40th FOCS, pp. 459–464, New York, New York, USA, October 17–19. IEEE Computer Society Press (1999)

  39. Mohamed, M.S.-E., Cabarcas, D., Ding, J., Buchmann, J., Bulygin, S.: MXL3: an efficient algorithm for computing Gröbner bases of zero-dimensional ideals. In: Donghoon, L., Seokhie, H. (eds.) ICISC 09, vol. 5984 of LNCS, pp. 87–100. Seoul, Korea, December 2–4. Springer, Berlin (2009)

  40. Mohamed, M.-S., Mohamed, W.-S., Ding, J., Buchmann, J.: MXL2: solving polynomial equations over GF(2) using an improved mutant strategy. In: Proceedings of the 2nd International Workshop on Post-Quantum Cryptography, PQCrypto ’08, pp. 203–215, Springer, Berlin, Heidelberg (2008)

  41. Rostovtsev, A., Mizyukin, A.: On boolean ideals and varieties with application to algebraic attacks. IACR Cryptol. ePrint Arch. 2012, 151 (2012). informal publication

  42. Song, L., Hu, L.: Improved algebraic and differential fault attacks on the katan block cipher. In: Robert, H.D., Tao, F. (eds.) Information Security Practice and Experience, vol. 7863 of Lecture Notes in Computer Science, pp. 372–386. Springer, Berlin Heidelberg (2013)

  43. Soos, M.: Cryptominisat 2.5.0. In: SAT Race Competitive Event Booklet (2010)

  44. Stegers, T.: Faugère’s F5 algorithm revisited. Cryptol. ePrint Arch. Rep. 2006/404, (2006).

  45. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Javier, L., Gene, T. (eds.) ACNS 11, vol. 6715 of LNCS, pp. 327–344, Nerja, Spain, June 7–10. Springer, Berlin (2011)

  46. Yang, B.-Y., Chen, J.-M., Courtois, N.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: Javier, L., Sihan, Q., Eiji, O. (eds.) ICICS 04, vol. 3269 of LNCS, pp. 401–413, Malaga, Spain, October 27–29. Springer, Berlin (2004)

Author information

Corresponding author

Correspondence to Petr Sušil.

Additional information

Supported by a grant of the Swiss National Science Foundation, 200021_134860/1.

Appendix: Additional proofs

Proof of Theorem 13

$$\begin{aligned}
&\sum_{x \in C_{m,t}} f(x, k) \\
&\quad = \sum_{x \in C_{m,t}} \sum_{IJ} a_{IJ} \prod_{i \in I} x_i \prod_{j \in J} k_j \\
&\quad = \sum_{IJ} a_{IJ} \left( \sum_{x \in C_{m,t}} \prod_{i \in I} x_i \right) \prod_{j \in J} k_j \\
&\quad = \sum_{IJ} a_{IJ} \left( \left( \sum_{x \in C_{m,t}} \prod_{i \in I \cap I_m} x_i \right) \prod_{i \in I \setminus I_m} t_i \right) \prod_{j \in J} k_j \\
&\quad \overset{\star}{=} \sum_{IJ} a_{IJ} \left( 1_{I_m \subseteq I} \prod_{i \in I \setminus I_m} t_i \right) \prod_{j \in J} k_j \\
&\quad = \sum_{\begin{array}{c} J, \\ I : I_m \subseteq I \end{array}} a_{IJ} \prod_{i \in I} t_i \prod_{j \in J} k_j \\
&\quad = \sum_{J} \left( \sum_{I : I_m \subseteq I} a_{IJ} \prod_{i \in I} t_i \right) \prod_{j \in J} k_j \\
&\quad = \sum_{J} a_J' \prod_{j \in J} k_j
\end{aligned}$$

The equality \(\star \) is satisfied, since

$$\begin{aligned}
\sum_{x \in C_{m,t}} \prod_{i \in I \cap I_m} x_i = \left\{ \begin{array}{ll} 0 & \quad \text{if } I \not\subseteq I_m \\ 1 & \quad \text{if } I \supseteq I_m \end{array} \right.
\end{aligned}$$

since \(\prod \) appears twice for every \(i \in I\setminus I_m\). \(\square \)
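The cube-sum identity derived above can be checked exhaustively on a small polynomial. The following Python sketch is an added example, not code from the paper: the toy polynomial `F`, its sizes and all function names are constructed for illustration, and every listed monomial has coefficient \(a_{IJ} = 1\).

```python
from itertools import product

# Constructed toy polynomial over GF(2): each entry (I, J) is the monomial
# prod_{i in I} x_i * prod_{j in J} k_j with coefficient a_IJ = 1.
F = [({0, 1, 2}, {0}), ({0, 1}, {1, 2}), ({0, 1, 3}, set()),
     ({1, 2}, {0}), ({0}, {2}), (set(), {0, 1})]
N_X, N_K = 4, 3  # number of plaintext bits x and key bits k (assumed)

def evaluate(poly, x, k):
    """f(x, k) over GF(2)."""
    return sum(all(x[i] for i in I) and all(k[j] for j in J)
               for I, J in poly) % 2

def cube_sum(poly, I_m, t, k):
    """Left-hand side: sum of f over the cube C_{m,t}.
    Positions in I_m take every value in {0,1}; the rest are fixed to t."""
    idx = sorted(I_m)
    total = 0
    for bits in product((0, 1), repeat=len(idx)):
        x = list(t)
        for i, b in zip(idx, bits):
            x[i] = b
        total ^= evaluate(poly, x, k)
    return total

def superpoly(poly, I_m, t):
    """Right-hand side: the key monomials J with a'_J = 1.
    Only monomials with I_m a subset of I survive the summation; each one
    contributes the product of t_i over i in I minus I_m."""
    coeff = {}
    for I, J in poly:
        if I_m <= I and all(t[i] for i in I - I_m):
            key = frozenset(J)
            coeff[key] = coeff.get(key, 0) ^ 1
    return {J for J, a in coeff.items() if a}

def eval_superpoly(sp, k):
    """Evaluate sum_J a'_J prod_{j in J} k_j at a concrete key."""
    return sum(all(k[j] for j in J) for J in sp) % 2

def identity_holds(poly, I_m, n_x=N_X, n_k=N_K):
    """Compare both sides for every fixed part t and every key k."""
    return all(
        cube_sum(poly, I_m, t, k) == eval_superpoly(superpoly(poly, I_m, t), k)
        for t in product((0, 1), repeat=n_x)
        for k in product((0, 1), repeat=n_k))
```

For the cube \(I_m = \{0, 1\}\) with the remaining plaintext bits fixed to 1, the sum over four plaintexts reduces to \(1 + k_0 + k_1 k_2\), a polynomial in the key bits only.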

Cite this article

Sušil, P., Sepehrdad, P., Vaudenay, S. et al. On selection of samples in algebraic attacks and a new technique to find hidden low degree equations. Int. J. Inf. Secur. 15, 51–65 (2016).
