Block Ciphers: Algebraic Cryptanalysis and Gröbner Bases

  • Carlos CidEmail author
  • Ralf-Philipp Weinmann


Block ciphers are one of the most important classes of cryptographic algorithms in current use. Commonly used to provide confidentiality for transmission and storage of information, they encrypt and decrypt blocks of data according to a secret key. Several recently proposed block ciphers (in particular the AES (Daemen and Rijmen in The Design of Rijndael, Springer, Berlin, 2002)) exhibit a highly algebraic structure: their round transformations are based on simple algebraic operations over a finite field of characteristic 2. This has caused an increasing amount of cryptanalytic attention to be directed to the algebraic properties of these ciphers. Of particular interest is the proposal of the so-called algebraic attacks against block ciphers. In these attacks, a cryptanalyst describes the encryption operation as a large set of multivariate polynomial equations, which—once solved—can be used to recover the secret key. Thus the difficulty of solving these systems of equations is directly related to the cipher’s security. As a result computational algebra is becoming an important tool for the cryptanalysis of block ciphers. In this paper we give an overview of block ciphers design and recall some of the work that has been developed in the area of algebraic cryptanalysis. We also consider a few computational and algebraic techniques that could be used in the analysis of block ciphers and discuss possible directions for future work.


Boolean Function Block Cipher Advance Encryption Standard Polynomial System Stream Cipher 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. S. B. Akers, Binary decision diagrams, IEEE Trans. on Computers 27 (1978), no. 6, 509–516. zbMATHCrossRefGoogle Scholar
  2. M. Albrecht, Algebraic attacks on the Courtois Toy Cipher, Master’s thesis, Diplomarbeit—Universität Bremen, 2007. Google Scholar
  3. M. Albrecht and C. Cid, Algebraic techniques in differential cryptanalysis, Crypto. ePrint Arch., Rep. 2008/177, 2008,
  4. F. Armknecht and G. Ars, Algebraic attacks on stream ciphers with Gröbner bases, this volume, 2009, pp. 329–348. Google Scholar
  5. G. Ars, Applications of Gröbner bases to cryptography, Ph.D. thesis, University of Rennes I, 2005. Google Scholar
  6. G. Ars, J. C. Faugère, H. Imai, M. Kawazoe, and M. Sugita, Comparison between XL and Gröbner basis algorithms, Proc. of Asiacrypt 2004 (P. J. Lee, ed.), LNCS, vol. 3329, Springer, Berlin, 2004, pp. 338–353. Google Scholar
  7. O. Billet and J. Ding, Overview of cryptanalysis techniques in multivariate public key cryptography, this volume, 2009, pp. 263–283. Google Scholar
  8. A. Biryukov, Methods of cryptanalysis, Ph.D. thesis, Technion, 1999. Google Scholar
  9. A.A. Biryukov and C. De Cannière, Block ciphers and systems of quadratic equations, Proc. of FSE 2003, LNCS, vol. 2887, Springer, Berlin, 2003, pp. 274–289. Google Scholar
  10. A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe, PRESENT: An ultra-lightweight block cipher, Proc. of CHES 2007, LNCS, vol. 7427, Springer, Berlin, 2007, pp. 450–466. Google Scholar
  11. M. Brickenstein, Gröbner bases with slim polynomials, Reports in Comp. Alg. 35, Univ. Kaiserslautern, Kaiserslautern, 2005,
  12. M. Brickenstein and A. Dreyer, PolyBoRi: A framework for Gröbner basis computations with Boolean polynomials, Elec. Proc. of MEGA 2007, 2007,
  13. B. Buchberger, Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal, Ph.D. thesis, Innsbruck, 1965. Google Scholar
  14. B. Buchberger, Gröbner-bases: An algorithmic method in polynomial ideal theory, Multidimensional systems theory, Reidel, Dordrecht, 1985, pp. 184–232. CrossRefGoogle Scholar
  15. B. Buchberger, Bruno Buchberger’s PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal, J. Symb. Comput. 41 (2006), nos. 3–4, 475–511. MathSciNetzbMATHCrossRefGoogle Scholar
  16. J. Buchmann, A. Pyshkin, and R. P. Weinmann, A zero-dimensional Gröbner basis for AES-128, Proc. of FSE 2006, LNCS, vol. 4047, Springer, Berlin, 2006a, pp. 78–88. Google Scholar
  17. J. Buchmann, A. Pyshkin, and R. P. Weinmann, Block ciphers sensitive to Gröbner basis attacks, Proc. of CT-RSA 2006, LNCS, vol. 3860, Springer, Berlin, 2006b, pp. 313–331. Google Scholar
  18. C. Carlet, Boolean methods and models, ch. Boolean Functions for Cryptography and Error Correcting Codes, Cambridge University Press, 2009, to appear, Google Scholar
  19. C. Cid and G. Leurent, An analysis of the XSL algorithm, Proc. of ASIACRYPT 2005, LNCS, vol. 3788, Springer, Berlin, 2005, pp. 333–352. Google Scholar
  20. C. Cid, S. Murphy, and M. J. B. Robshaw, An algebraic framework for cipher embeddings, Proc. of 10th IMA International Conference on Coding and Cryptography, LNCS, vol. 3796, Springer, Berlin, 2005a, pp. 278–289. Google Scholar
  21. C. Cid, S. Murphy, and M. J. B. Robshaw, Small scale variants of the AES, Proc. of FSE 2005, LNCS, vol. 3557, Springer, Berlin, 2005b, pp. 145–162. Google Scholar
  22. C. Cid, S. Murphy, and M. J. B. Robshaw, Algebraic aspects of the Advanced Encryption Standard, Springer, Berlin, 2007. Google Scholar
  23. N. T. Courtois, How fast can be algebraic attacks on block ciphers? Tech. Report Rep. 2006/168, Crypto. ePrint Arch., 2006,
  24. N. T. Courtois, CTC2 and fast algebraic attacks on block ciphers revisited, Tech. Report Rep. 2007/152, Crypto. ePrint Arch., 2007,
  25. N. T. Courtois and G. V. Bard, Algebraic cryptanalysis of the data encryption standard, Cryptography and Coding, LNCS, vol. 4887, Springer, Berlin, 2007, pp. 152–169. CrossRefGoogle Scholar
  26. N. Courtois and J. Pieprzyk, Cryptanalysis of block ciphers with overdefined systems of equations, Cryptology ePrint Archive 2002/044, 2002a,
  27. N. Courtois and J. Pieprzyk, Cryptanalysis of block ciphers with overdefined systems of equations, Proc. of ASIACRYPT 2002, LNCS, vol. 2501, Springer, Berlin, 2002b, pp. 267–287. Google Scholar
  28. N. Courtois, A. Klimov, J. Patarin, and A. Shamir, Efficient algorithms for solving overdefined systems of multivariate polynomial equations, Proc. of EUROCRYPT 2000, LNCS, vol. 1807, Springer, Berlin, 2000, pp. 392–407. Google Scholar
  29. N. Courtois, G. V. Bard, and D. Wagner, Algebraic and slide attacks on KeeLoq, Proc. of FSE 2008, LNCS, vol. 5086, Springer, Berlin, 2008, pp. 97–115. Google Scholar
  30. J. Daemen and V. Rijmen, The design of Rijndael, Springer, Berlin, 2002. zbMATHGoogle Scholar
  31. O. Dunkelman and N. Keller, Linear cryptanalysis of CTC, Tech. Report Rep. 2006/250, Crypto. ePrint Arch., 2006,
  32. N. Een and N. Sorensson, MiniSat—a SAT solver with conflict-clause minimization, 2006,
  33. J. C. Faugére, A new efficient algorithm for computing Gröbner bases (F 4), J. Pure Appl. Algebra 139 (1999), nos. 1–3, 61–88. MathSciNetzbMATHCrossRefGoogle Scholar
  34. J. C. Faugère, Gröbner bases. Applications in cryptology, Talk at FSE 2007, 2007. Google Scholar
  35. J. C. Faugère, P. Gianni, D. Lazard, and T. Mora, Efficient computation of zero-dimensional Gröbner bases by change of ordering, J. Symbolic Comput. 16 (1993), no. 4, 329–344. MathSciNetzbMATHCrossRefGoogle Scholar
  36. H. Feistel, Cryptography and computer privacy, Scientific American 228 (1973), no. 5, 15–23. CrossRefGoogle Scholar
  37. T. Jakobsen and L. R. Knudsen, The interpolation attack on block ciphers, Proc. of FSE 1997, LNCS, vol. 1267, Springer, Berlin, 1997, pp. 28–40. Google Scholar
  38. A. Kerckhoffs, La cryptographie militaire, Journal des Sciences Militaires (1883a), 161–191. Google Scholar
  39. A. Kerckhoffs, La cryptographie militaire, Journal des sciences militaires IX (1883b), 3–72. Google Scholar
  40. C. Y. Lee, Representation of switching circuits by binary-decision programs, Bell System Technical Journal 38 (1959), 985–999. MathSciNetGoogle Scholar
  41. C. W. Lim and K. Khoo, Detailed analysis on XSL applied to BES, Proc. of FSE 2007, LNCS, vol. 4593, Springer, Berlin, 2007, pp. 242–253. Google Scholar
  42. MAGMA, J. J. Cannon, W. Bosma (eds.), Handbook of MAGMA functions, edition 2.15, 2008. Google Scholar
  43. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of applied cryptography, CRC press series on discrete mathematics and its applications, CRC Press, Boca Raton, 1997. zbMATHGoogle Scholar
  44. S. Murphy and M. J. B. Robshaw, Essential algebraic structure within the AES, Proc. of CRYPTO 2002, LNCS, vol. 2442, Springer, Berlin, 2002, pp. 1–16. Google Scholar
  45. M. A. Musa, E. F. Schaefer, and S. Wedig, A simplified AES algorithm and its linear and differential cryptanalysis, Cryptologia XXVII (2003), no. 2, 148–177. CrossRefGoogle Scholar
  46. National Bureau of Standards, The Data Encryption Standard, Federal Information Processing Standards Publication (FIPS) 46, 1977. Google Scholar
  47. National Institute of Standards and Technology, The Advanced Encryption Standard, Federal Information Processing Standards Publication (FIPS) 197, 2001. Google Scholar
  48. K. Nyberg, Differentially uniform mappings for cryptography, Proc. of EUROCRYPT 1993, LNCS, vol. 765, Springer, Berlin, 1994, pp. 55–64. Google Scholar
  49. R. C. W. Phan, Mini Advanced Encryption Standard (Mini-AES): A testbed for cryptanalysis students, Cryptologia XXVI (2002), no. 4, 283–306. CrossRefGoogle Scholar
  50. H. Raddum and I. Semaev, New technique for solving sparse equation systems, Cryptology ePrint Archive, Report 2006/475, 2006,
  51. H. Raddum and I. Semaev, Solving MRHS linear equations, Proc. of WCC 2007, INRIA, 2007, pp. 323–332. Google Scholar
  52. B. Schneier, The Blowfish encryption algorithm, Dr. Dobb’s Journal (1994), 38–40. Google Scholar
  53. C. E. Shannon, Communication theory of secrecy systems, Bell System Tech. J. 28 (1949), 656–715. MathSciNetzbMATHGoogle Scholar
  54. T. Shimoyama and T. Kaneko, Quadratic relation of S-box and its application to the linear attack of full round DES, Proc. of CRYPTO 1998, LNCS, vol. 1462, Springer, Berlin, 1998, pp. 200–211. Google Scholar
  55. W. Stein, Sage: Open Source Mathematical Software (Version 2.8.5), The Sage Group, 2008,
  56. S. Stéphane Collart, M. Kalkbrener, and D. Mall, Converting bases with the Gröbner Walk, J. of Symbolic Comput. 24 (1997), nos. 3–4, 465–469. CrossRefGoogle Scholar
  57. I. Toli and A. Zanoni, An algebraic interpretation of AES-128, Proc. of AES 2004, LNCS, vol. 3373, Springer, Berlin, 2005, pp. 84–97. Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  1. 1.Information Security Group, Royal HollowayUniversity of LondonLondonUK
  2. 2.University of LuxembourgLuxembourg CityLuxembourg

Personalised recommendations