Specific S-Box Criteria in Algebraic Attacks on Block Ciphers with Several Known Plaintexts

  • Nicolas T. Courtois
  • Blandine Debraize
Conference paper

DOI: 10.1007/978-3-540-88353-1_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4945)
Cite this paper as:
Courtois N.T., Debraize B. (2008) Specific S-Box Criteria in Algebraic Attacks on Block Ciphers with Several Known Plaintexts. In: Lucks S., Sadeghi AR., Wolf C. (eds) Research in Cryptology. WEWoRC 2007. Lecture Notes in Computer Science, vol 4945. Springer, Berlin, Heidelberg


In this paper we study algebraic attacks on block ciphers that exploit several (i.e. more than 2) plaintext-ciphertext pairs. We show that this considerably lowers the maximum degree of polynomials that appear in the attack, which allows much faster attacks, some of which can actually be handled experimentally. We point out a theoretical reason why such attacks are more efficient, lying in certain types of multivariate equations that do exist for some S-boxes. Then we show that when the S-box is on 3 bits, such equations do always exist. For S-boxes on 4 bits, the existence of these equations is no longer systematic. We apply our attacks to a toy version of Serpent, a toy version of Rijndael, and a reduced round version of Present, a recently proposed lightweight block cipher. It turns out that some S-boxes are much stronger than others against our attack.


algebraic attacks on block ciphers Rijndael Serpent multivariate equations Gröbner bases design of S-boxes algebraic immunity 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  • Blandine Debraize
    • 2
    • 3
  1. 1.University College of LondonLondonUK
  2. 2.Gemalto, MeudonFrance
  3. 3.University of VersaillesFrance

Personalised recommendations