Optimized Interpolation Attacks on LowMC

  • Itai Dinur
  • Yunwen Liu
  • Willi Meier
  • Qingju Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9453)


LowMC is a collection of block cipher families introduced at Eurocrypt 2015 by Albrecht et al. Its design is optimized for instantiations of multi-party computation, fully homomorphic encryption, and zero-knowledge proofs. A unique feature of LowMC is that its internal affine layers are chosen at random, and thus each block cipher family contains a huge number of instances. The Eurocrypt paper proposed two specific block cipher families of LowMC, having 80-bit and 128-bit keys.

In this paper, we mount interpolation attacks (algebraic attacks introduced by Jakobsen and Knudsen) on LowMC, and show that a practically significant fraction of \(2^{-38}\) of its 80-bit key instances could be broken \(2^{23}\) times faster than exhaustive search. Moreover, essentially all instances that are claimed to provide 128-bit security could be broken about 1000 times faster. In order to obtain these results we optimize the interpolation attack using several new techniques. In particular, we present an algorithm that combines two main variants of the interpolation attack, and results in an attack which is more efficient than each one.


Block cipher LowMC High-order differentialcryptanalysis Interpolation attack 


  1. 1.
    Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015) Google Scholar
  2. 2.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  3. 3.
    Hell, M., Johansson, T., Maximov, A., Meier, W.: The grain family of stream ciphers. In: Robshaw, M., Billet, O. (eds.) New Stream Cipher Designs. LNCS, vol. 4986, pp. 179–190. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  4. 4.
    Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 28–40. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  5. 5.
    Joux, A.: Algorithmic Cryptanalysis, 1st edn. Chapman & Hall/CRC, Boca Raton (2009) zbMATHCrossRefGoogle Scholar
  6. 6.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) Fast Software Encryption. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  7. 7.
    Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography. SLSECS, vol. 276, pp. 227–233. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  8. 8.
    Shimoyama, T., Moriai, S., Kaneko, T.: Improving the higher order differential attack and cryptanalysis of the KN cipher. In: Okamoto, E., Davida, G., Mambo, M. (eds.) Information Security. LNCS, vol. 1396, pp. 32–42. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  9. 9.
    Strassen, V.: Gaussian elimination is not optimal. Numerische Mathematik 13, 354–356 (1969)zbMATHMathSciNetCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologc Research 2015

Authors and Affiliations

  • Itai Dinur
    • 1
  • Yunwen Liu
    • 2
  • Willi Meier
    • 3
  • Qingju Wang
    • 2
    • 4
  1. 1.Département d’InformatiqueÉcole Normale SupérieureParisFrance
  2. 2. Department of Electrical Engineering, ESAT/COSICKU Leuven and iMindsLeuvenBelgium
  3. 3.FHNWWindischSwitzerland
  4. 4. Department of Computer Science and EngineeringShanghai Jiao Tong UniversityShanghaiChina

Personalised recommendations