The Inverse S-Box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers

  • Nicolas T. Courtois
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3373)


This paper is motivated by the design of AES. We consider a broader question of cryptanalysis of block ciphers having very good non-linearity and diffusion. Can we expect anyway, to attacks such ciphers, clearly designed to render hopeless the main classical attacks ? Recently a lot of attention have been drawn to the existence of multivariate algebraic relations for AES (and other) S-boxes. Then, if the XSL-type algebraic attacks on block ciphers [10] are shown to work well, the answer would be positive. In this paper we show that the answer is certainly positive for many other constructions of ciphers. This is not due to an algebraic attack, but to new types of generalised linear cryptanalysis, highly-nonlinear in flavour. We present several constructions of somewhat special practical block ciphers, seemingly satisfying all the design criteria of AES and using similar S-boxes, and yet being extremely weak. They can be generalised, and evolve into general attacks that can be applied – potentially- to any block cipher.


Block ciphers AES Rijndael interpolation attack on block ciphers fractional transformations homographic functions multivariate equations Feistel ciphers generalised linear cryptanalysis bi-linear cryptanalysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armknecht, F., Krause, M.: Algebraic Atacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–176. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Aoki, K., Vaudenay, S.: On the Use of GF-Inversion as a Cryptographic Primitive. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 234–247. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Anderson, R., Biham, E., Knudsen, L.: Serpent: A Proposal for the Advanced Encryption StandardGoogle Scholar
  4. 4.
    Canteaut, A., Videau, M.: Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 518. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Campbell, K.W., Wiener, M.J.: Proof that DES is not a group. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 512–520. Springer, Heidelberg (1993)Google Scholar
  6. 6.
    Courtois, N.: Feistel Schemes and Bi-Linear Cryptanalysis. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 15–19. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Courtois, N.: Algebraic Attacks on Combiners with Memory and Several Outputs (June 23, 2003), Available on,
  9. 9.
    Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002); a preprint with a different version of the attack is available at, CrossRefGoogle Scholar
  11. 11.
    Courtois, N.: Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003); An extended version is available at, CrossRefGoogle Scholar
  13. 13.
    Courtois, N., Daum, M., Felke, P.: On the Security of HFE, HFEv- and Quartz. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 337–350. Springer, Heidelberg (2002); The extended version can be found at, CrossRefGoogle Scholar
  14. 14.
    Daemen, J., Rijmen, V.: AES proposal: Rijndael,
  15. 15.
    Daemen, J., Rijmen, V.: The Design of Rijndael. AES - The Advanced Encryption Standard. Springer, Berlin (2002) ISBN 3-540-42580-2zbMATHGoogle Scholar
  16. 16.
    Daemen, J., Rijmen, V., Preneel, B., Bosselaers, A., De Win, E.: The Cipher SHARK. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)Google Scholar
  17. 17.
    Ferguson, N., Schroeppel, R., Whiting, D.: A simple algebraic representation of Rijndael. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, p. 103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  18. 18.
    Knudsen, L.: Block Ciphers - Analysis, Design and Applications, PhD thesis, Aarhus University, Denmark (1994)Google Scholar
  19. 19.
    Harpes, C., Kramer, G., Massey, J.: A Generalization of Linear Cryptanalysis and the Applicability of Matsui’s Piling-up Lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995), Google Scholar
  20. 20.
    Jakobsen, T., Knudsen, L.: Attacks on Block Ciphers of Low Algebraic Degree. Journal of Cryptology 14(3), 197–210 (2001)zbMATHMathSciNetGoogle Scholar
  21. 21.
    Jakobsen, T.: Higher-Order Cryptanalysis of Block Ciphers. Ph.D. thesis, Dept. of Math., Technical University of Denmark (1999)Google Scholar
  22. 22.
    Jakobsen, T.: Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 212–222. Springer, Heidelberg (1998)Google Scholar
  23. 23.
    Jakobsen, T., Knudsen, L.R.: The Interpolation Attack on Block Ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  24. 24.
    Joux, A., Faugère, J.-C.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)Google Scholar
  25. 25.
    Lidl, R., Niederreiter, H.: Finite Fields. In: Encyclopedia of Mathematics and its applications, vol. 20. Cambridge University Press, CambridgeGoogle Scholar
  26. 26.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  27. 27.
    Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 1. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  28. 28.
    Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)Google Scholar
  29. 29.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymm. Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  30. 30.
    Shamir, A., Patarin, J., Courtois, N., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  31. 31.
    Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28 (1949)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  1. 1.Axalto Cryptographic Research & Advanced SecurityLouveciennes CedexFrance

Personalised recommendations