General Principles of Algebraic Attacks and New Design Criteria for Cipher Components

  • Nicolas T. Courtois
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3373)


This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks focusing on their common fundamental principles and on how to avoid them. From this we derive new very general design criteria, applicable for very different cryptographic components. These amount to avoiding (if possible) the existence of, in some sense “too simple” algebraic relations. Though many ciphers that do not satisfy this new paradigm probably still remain secure, the design of ciphers will never be the same again.


algebraic attacks polynomial relations multivariate equations finite fields design of cryptographic primitives generalised linear cryptanalysis multivariate public key encryption and signature schemes HFE Quartz Sflash stream ciphers Boolean functions combiners with memory block ciphers AES Rijndael Serpent elimination methods Gröbner bases 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armknecht, F.: Improving Fast Algebraic Attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 65–82. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  2. 2.
    Armknecht, F., Krause, M.: Algebraic Atacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–176. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Aoki, K., Vaudenay, S.: On the Use of GF-Inversion as a Cryptographic Primitive. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 234–247. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Anderson, R., Biham, E., Knudsen, L.: Serpent: A Proposal for the Advanced Encryption Standard Google Scholar
  5. 5.
    Canteaut, A., Videau, M.: Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 518. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Cho, J.Y., Pieprzyk, J.: Algebraic Attacks on SOBER-t32 and SOBER-128. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 49–64. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Coppersmith, D., Winograd, S.: Matrix multiplication via arithmetic progressions. J. Symbolic Computation 9, 251–280 (1990)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Courtois, N.: Feistel Schemes and Bi-Linear Cryptanalysis. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 23–40. Springer, Heidelberg (2004)Google Scholar
  9. 9.
    Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Courtois, N.: Algebraic Attacks on Combiners with Memory and Several Outputs (June 23, 2003), Available on,
  11. 11.
    Courtois, N.: La sécurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE, PhD thesis, Paris 6 University (September 2001), in French, (available at),
  12. 12.
    Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 177–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Courtois, N.: The Inverse S-box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 170–188. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  14. 14.
    Courtois, N., Patarin, J.: About the XL Algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002); a preprint with a different version of the attack is available at, CrossRefGoogle Scholar
  16. 16.
    Courtois, N.: Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003); An extended version is available at, CrossRefGoogle Scholar
  18. 18.
    Courtois, N., Daum, M., Felke, P.: On the Security of HFE, HFEv- and Quartz. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 337–350. Springer, Heidelberg (2002); The extended version can be found at, CrossRefGoogle Scholar
  19. 19.
    Daemen, J., Rijmen, V.: AES proposal: Rijndael,
  20. 20.
    Daemen, J., Rijmen, V.: The Design of Rijndael. In: AES - The Advanced Encryption Standard. Springer, Berlin (2002) ISBN 3-540-42580-2Google Scholar
  21. 21.
    Daemen, J., Rijmen, V., Preneel, B., Bosselaers, A., De Win, E.: The Cipher SHARK. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039. Springer, Heidelberg (1996)Google Scholar
  22. 22.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999), See, zbMATHCrossRefMathSciNetGoogle Scholar
  23. 23.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Workshop on Applications of Commutative Algebra, Catania, Italy, April 3-6. ACM Press, New York (2002)Google Scholar
  24. 24.
    Ferguson, N., Schroeppel, R., Whiting, D.: A simple algebraic representation of Rijndael. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, p. 103. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  25. 25.
    Golic, J.D.: On the Security of Nonlinear Filter Generators. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 173–188. Springer, Heidelberg (1996)Google Scholar
  26. 26.
    Harpes, C., Kramer, G., Massey, J.: A Generalization of Linear Cryptanalysis and the Applicability of Matsui’s Piling-up Lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995), Google Scholar
  27. 27.
    Hawkes, P., Rose, G.: Rewriting Variables: the Complexity of Fast Algebraic Attacks on Stream Ciphers. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 390–406. Springer, Heidelberg (2004), Google Scholar
  28. 28.
    Jakobsen, T., Knudsen, L.: Attacks on Block Ciphers of Low Algebraic Degree. Journal of Cryptology 14(3), 197–210 (2001)zbMATHMathSciNetGoogle Scholar
  29. 29.
    Thomas Jakobsen: Higher-Order Cryptanalysis of Block Ciphers. Ph.D. thesis, Dept. of Math., Technical University of Denmark (1999)Google Scholar
  30. 30.
    Jakobsen, T.: Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 212–222. Springer, Heidelberg (1998)Google Scholar
  31. 31.
    Joux, A., Faugère, J.-C.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)Google Scholar
  32. 32.
    Knudsen, L.R., Robshaw, M.J.B.: Non-Linear Characteristics in Linear Cryptoanalysis. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Heidelberg (1996)Google Scholar
  33. 33.
    Lee, D.H., Kim, J., Hong, J., Han, J.W., Moon, D.: Algebraic Attacks on Summation Generators. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 34–48. Springer, Heidelberg (2004) (to appear), CrossRefGoogle Scholar
  34. 34.
    Lidl, R., Niederreiter, H.: Finite Fields. In: Encyclopedia of Mathematics and its applications, vol. 20. University Press, CambridgeGoogle Scholar
  35. 35.
    Menezes, A.J., van Oorschot, P.C., Scott, A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  36. 36.
    Matsumoto, T., Imai, H.: Public Quadratic Polynomial-tuples for efficient signature-verification and message-encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)Google Scholar
  37. 37.
    Meier, W., Pasalic, E., Carlet, C.: Algebraic Attacks and Decomposition of Boolean Functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  38. 38.
    Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 1. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  39. 39.
    Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)Google Scholar
  40. 40.
    Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)Google Scholar
  41. 41.
    Patarin, J.: Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of Asymm. Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 33–48. Springer, Heidelberg (1996)Google Scholar
  42. 42.
    Shamir, A., Kipnis, A.: Cryptanalysis of the HFE Public Key Cryptosystem. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, p. 19. Springer, Heidelberg (1999); The paper can be found at, Google Scholar
  43. 43.
    Shamir, A., Patarin, J., Courtois, N., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  44. 44.
    Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28, 704 (1949)Google Scholar
  45. 45.
    Wang, D.: Elimination Methods. In: Texts and Monographs in Symbolic Computation, p. XIII. Springer, Heidelberg (2001) ISBN 3-211-83241-6Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  1. 1.Axalto Cryptographic Research & Advanced SecurityLouveciennes CedexFrance

Personalised recommendations