Specific S-Box Criteria in Algebraic Attacks on Block Ciphers with Several Known Plaintexts

  • Nicolas T. Courtois
  • Blandine Debraize
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4945)


In this paper we study algebraic attacks on block ciphers that exploit several (i.e. more than 2) plaintext-ciphertext pairs. We show that this considerably lowers the maximum degree of polynomials that appear in the attack, which allows much faster attacks, some of which can actually be handled experimentally. We point out a theoretical reason why such attacks are more efficient, lying in certain types of multivariate equations that do exist for some S-boxes. Then we show that when the S-box is on 3 bits, such equations do always exist. For S-boxes on 4 bits, the existence of these equations is no longer systematic. We apply our attacks to a toy version of Serpent, a toy version of Rijndael, and a reduced round version of Present, a recently proposed lightweight block cipher. It turns out that some S-boxes are much stronger than others against our attack.


algebraic attacks on block ciphers Rijndael Serpent multivariate equations Gröbner bases design of S-boxes algebraic immunity 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R., Biham, E., Knudsen, L.: Serpent, a flexible Block Cipher With Maximum Assurance First AES Candidate Conference, Ventura California (1998),
  2. 2.
    Ars, G., Faugère, J.-C., Sugita, M., Kawazoe, M., Imai, H.: Comparison between XL and Gröbner Basis Algorithms. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 338–353. Springer, Heidelberg (2004)Google Scholar
  3. 3.
    Courtois, N.: The Inverse S-box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 170–188. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Courtois, N., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq, preprint (2007),
  5. 5.
    Courtois, N. Bard G.V.: Algebraic Cryptanalysis of the Data Encryption Standard. In: Cryptography and Coding, 11-th IMA Conference, Cirencester, UK (December 18-20, 2007) (to appear),; Also presented at ECRYPT workshop Tools for Cryptanalysis, Krakow (September 24-25, 2007)
  6. 6.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501. pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Courtois, N., Shamir, A., Patarin, J., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807. pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Courtois, N.T. : How Fast can be Algebraic Attacks on Block Ciphers? In: Biham, E., Handschuh, H. Lucks, S. Rijmen, V. (eds.) Proceedings of Dagstuhl Seminar 07021, Symmetric Cryptography (January 2007),, ISSN 1862 - 4405
  9. 9.
    Courtois, N.: CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited,
  10. 10.
    Dunkelman, O., Keller, N.: Linear Cryptanalysis of CTC,
  11. 11.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999), zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Workshop on Applications of Commutative Algebra, Catania, Italy, April, 3-6. ACM Press, New York (2002)Google Scholar
  13. 13.
    MAGMA, High performance software for Algebra, Number Theory, and Geometry, — a large commercial software package,
  14. 14.
    Buchberger, B., Winkler, F.: Gröbner Bases and Application. London Mathematical Society, vol. 251. Cambridge University Press, CambridgeGoogle Scholar
  15. 15.
    Cid, C., Murphy, S., Robshaw, M.J.B.: Small Scale Variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557. pp. 145–162. Springer, Heidelberg (2005)Google Scholar
  16. 16.
  17. 17.
    Cid, C., Leurent, G.: An Analysis of the XSL Algorithm. In: Roy, B. (ed.), ASIACRYPT 2005. LNCS, vol. 3788, pp. 333–352. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Buchmann, J., Pyshkin, A., Weinmann, R.-P.: Block Ciphers Sensitive to Gröbner Basis Attacks. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860. pp. 313–331. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Lim, C.-W., Khoo, K.: Detailed Analysis on XSL Applied to BES. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593. pp. 242–253. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poshmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727. pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Debraize, B.: Versailles University, France, PhD Thesis, (to be published, 2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  • Blandine Debraize
    • 2
    • 3
  1. 1.University College of LondonLondonUK
  2. 2.Gemalto, MeudonFrance
  3. 3.University of VersaillesFrance

Personalised recommendations