Essential Algebraic Structure within the AES

  • Sean Murphy
  • Matthew J.B. Robshaw
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2442)


One difficulty in the cryptanalysis of the Advanced Encryption Standard AES is the tension between operations in the two fields GF(2^8) and GF(2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF(2^8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF(2^8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF(2^8), whose solution would recover an AES key.
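The two-field tension is visible in the AES S-box, which inverts in GF(2^8) and then applies a bitwise GF(2) affine map. The following added example (not code from the paper; all function names are this example's own) interpolates that GF(2)-linear map as a sum of field conjugates y^(2^k) with GF(2^8) coefficients and checks that the resulting single-field S-box agrees with the usual one on every byte.

```python
# Added illustration; function names are this example's own, not the paper's notation.
POLY = 0x11B  # Rijndael polynomial x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the Rijndael polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1  # square-and-multiply in GF(2^8); gf_pow(0, e) is 0 for e > 0
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf2_linear(y):
    """Linear part of the S-box affine map, as the bit-level GF(2) operation."""
    rot = lambda n: ((y << n) | (y >> (8 - n))) & 0xFF
    return y ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4)

def conjugate_coefficients():
    """Find lambda_k such that gf2_linear(y) = XOR over k of lambda_k * y^(2^k).
    Uses the interpolation formula: coefficient of X^i is sum_c f(c) * c^(255-i)."""
    lams = []
    for k in range(8):
        acc = 0
        for c in range(256):
            acc ^= gf_mul(gf2_linear(c), gf_pow(c, 255 - (1 << k)))
        lams.append(acc)
    return lams

def sbox_bitwise(x):
    """S-box as usually specified: GF(2^8) inversion (x^254), then GF(2) affine map."""
    return gf2_linear(gf_pow(x, 254)) ^ 0x63

def sbox_field_only(x, lams):
    """S-box using only GF(2^8) operations: inversion, conjugates, constants."""
    y, acc = gf_pow(x, 254), 0x63
    for k, lam in enumerate(lams):
        acc ^= gf_mul(lam, gf_pow(y, 1 << k))
    return acc
```
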


Advanced Encryption Standard, AES, Rijndael, BES, Algebraic Structure, (Finite) Galois Field, (Field) Conjugate, Multivariate Quadratic (MQ) Equations



Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Sean Murphy (1)
  • Matthew J.B. Robshaw (1)
  1. Information Security Group, University of London, Egham, UK
