ElimLin Algorithm Revisited

  • Nicolas T. Courtois
  • Pouyan Sepehrdad
  • Petr Sušil
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7549)


ElimLin is a simple algorithm for solving polynomial systems of multivariate equations over small finite fields. It was initially proposed as a single tool by Courtois to attack DES. It can reveal some hidden linear equations existing in the ideal generated by the system. We report a number of key theorems on ElimLin. Our main result is to characterize ElimLin in terms of a sequence of intersections of vector spaces. It implies that the linear space generated by ElimLin is invariant with respect to any variable ordering during elimination and substitution. This can be seen as surprising given the fact that it eliminates variables. On the contrary, monomial ordering is a crucial factor in Gröbner basis algorithms such as F4. Moreover, we prove that the result of ElimLin is invariant with respect to any affine bijective variable change. Analyzing an overdefined dense system of equations, we argue that to obtain more linear equations in the succeeding iteration in ElimLin some restrictions should be satisfied. Finally, we compare the security of LBlock and MIBS block ciphers with respect to algebraic attacks and propose several attacks on Courtois Toy Cipher version 2 (CTC2) with distinct parameters using ElimLin.


block ciphers algebraic cryptanalysis systems of sparse polynomial equations of low degree 


  1. 1.
    Armknecht, F., Ars, G.: Algebraic Attacks on Stream Ciphers with Gröbner Bases. In: Gröbner Bases, Coding, and Cryptography, pp. 329–348 (2009)Google Scholar
  2. 2.
    Aumasson, J.-P., Henzen, L., Meier, W., Naya-Plasencia, M.: Quark: A Lightweight Hash. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  3. 3.
    Bard, G., Courtois, N., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers. Presented at ECRYPT Workshop Tools for Cryptanalysis (2007),
  4. 4.
    Bard, G.V.: Algebraic Cryptanalysis. Springer (2009)Google Scholar
  5. 5.
    Bay, A., Nakahara Jr., J., Vaudenay, S.: Cryptanalysis of Reduced-Round MIBS Block Cipher. In: Heng, S.-H., Wright, R.N., Goi, B.-M. (eds.) CANS 2010. LNCS, vol. 6467, pp. 1–19. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  6. 6.
    Bogdanov, A., Knežević, M., Leander, G., Toz, D., Varıcı, K., Verbauwhede, I.: spongent: A Lightweight Hash Function. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 312–325. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Brickenstein, M., Dreyer, A.: PolyBoRi: A framework for Gröbner basis computations with Boolean polynomials. In: Electronic Proceedings of MEGA 2007 (2007),
  9. 9.
    Buchberger, B.: Bruno Buchberger’s PhD thesis 1965: An algorithm for finding the basis elements of the residue class ring of a zero dimensional polynomial ideal. Journal of Symbolic Computation 41(3-4), 475–511 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Courtois, N.T.: Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Courtois, N.T.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Courtois, N.: CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited. In: Cryptology ePrint Archive (2007),
  13. 13.
    Courtois, N.: How Fast can be Algebraic Attacks on Block Ciphers? In: Symmetric Cryptography. Dagstuhl Seminar Proceedings, vol. 07021 (2007)Google Scholar
  14. 14.
    Courtois, N.: The Dark Side of Security by Obscurity - and Cloning MiFare Classic Rail and Building Passes, Anywhere, Anytime. In: SECRYPT, pp. 331–338 (2009)Google Scholar
  15. 15.
    Courtois, N.: Algebraic Complexity Reduction and Cryptanalysis of GOST. In: Cryptology ePrint Archive (2011),
  16. 16.
    Courtois, N.T., Bard, G.V.: Algebraic Cryptanalysis of the Data Encryption Standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  17. 17.
    Courtois, N.T., Debraize, B.: Algebraic Description and Simultaneous Linear Approximations of Addition in Snow 2.0. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 328–344. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Courtois, N.T., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Courtois, N.T., O’Neil, S., Quisquater, J.-J.: Practical Algebraic Attacks on the Hitag2 Stream Cipher. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 167–176. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    Courtois, N.T., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  21. 21.
    Courtois, N.T., Klimov, A.B., Patarin, J., Shamir, A.: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  22. 22.
    De Cannière, C., Dunkelman, O., Knežević, M.: KATAN and KTANTAN — A Family of Small and Efficient Hardware-Oriented Block Ciphers. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 272–288. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  23. 23.
    Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  24. 24.
    Dinur, I., Shamir, A.: Breaking Grain-128 with Dynamic Cube Attacks. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 167–187. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  25. 25.
    Dunkelman, O., Keller, N.: Linear Cryptanalysis of CTC. In: Cryptology ePrint Archive (2006),
  26. 26.
    Dunkelman, O., Keller, N.: Cryptanalysis of CTC2. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 226–239. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  27. 27.
    Eén, N., Sörensson, N.: MiniSat 2.0. An open-source SAT solver package,
  28. 28.
    Een, N., Sorensson, N.: Minisat - A SAT Solver with Conflict-Clause Minimization. In: Theory and Applications of Satisfiability Testing (2005)Google Scholar
  29. 29.
    Engels, D., Saarinen, M.-J.O., Schweitzer, P., Smith, E.M.: The Hummingbird-2 Lightweight Authenticated Encryption Algorithm. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 19–31. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  30. 30.
    Faugère, J.: A new effcient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139(1-3), 61–88 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Faugère, J.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Symbolic and Algebraic Computation - ISSAC, pp. 75–83 (2002)Google Scholar
  32. 32.
    Fusco, G., Bach, E.: Phase transition of multivariate polynomial systems. Journal of Mathematical Structures in Computer Science 19(1) (2009)Google Scholar
  33. 33.
    Ghasemzadeh, M.: A New Algorithm for the Quantified Satisfiability Problem, Based on Zero-suppressed Binary Decision Diagrams and Memoization. PhD thesis, University of Potsdam, Germany (2005)Google Scholar
  34. 34.
    Gong, Z., Nikova, S., Law, Y.W.: KLEIN: A New Family of Lightweight Block Ciphers. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 1–18. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  35. 35.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  36. 36.
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  37. 37.
    Indesteege, S., Keller, N., Dunkelman, O., Biham, E., Preneel, B.: A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  38. 38.
    Izadi, M., Sadeghiyan, B., Sadeghian, S., Arabnezhad, H.: MIBS: A New Lightweight Block Cipher. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 334–348. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  39. 39.
    Knudsen, L., Leander, G., Poschmann, A., Robshaw, M.J.B.: PRINTcipher: A Block Cipher for IC-Printing. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 16–32. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  40. 40.
    Magma, software package,
  41. 41.
    Mroczkowski, P., Szmidt, J.: The Cube Attack on Courtois Toy Cipher. In: Cryptology ePrint Archive (2009),
  42. 42.
    Murphy, S., Robshaw, M.J.B.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 1–16. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  43. 43.
    Nakahara Jr., J., Sepehrdad, P., Zhang, B., Wang, M.: Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 58–75. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  44. 44.
    Raddum, H., Semaev, I.: Solving Multiple Right Hand Sides linear equations. Journal of Designs, Codes and Cryptography 49(1-3), 147–160 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  45. 45.
    Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28 (1949)Google Scholar
  46. 46.
    Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: An Ultra-Lightweight Blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  47. 47.
    Vielhaber, M.: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack. In: Cryptology ePrint Archive (2007),
  48. 48.
    Weinmann, R.: Evaluating Algebraic Attacks on the AES. Master’s thesis, Technische Universität Darmstadt (2003)Google Scholar
  49. 49.
    Wu, W., Zhang, L.: LBlock: A Lightweight Block Cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  • Pouyan Sepehrdad
    • 2
  • Petr Sušil
    • 2
  • Serge Vaudenay
    • 2
  1. 1.University College LondonUK
  2. 2.EPFLLausanneSwitzerland

Personalised recommendations