The interpolation attack on block ciphers

  • Thomas Jakobsen
  • Lars R. Knudsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1267)


In this paper we introduce a new method of attacks on block ciphers, the interpolation attack. This new method is useful for attacking ciphers using simple algebraic functions (in particular quadratic functions) as S-boxes. Also, ciphers of low non-linear order are vulnerable to attacks based on higher order differentials. Recently, Knudsen and Nyberg presented a 6-round prototype cipher which is provably secure against ordinary differential cryptanalysis. We show how to attack the cipher by using higher order differentials and a variant of the cipher by the interpolation attack. It is possible to successfully cryptanalyse up to 32 rounds of the variant using about $2^{32}$ chosen plaintexts with a running time less than $2^{64}$. Using higher order differentials, a new design concept for block ciphers by Kiefer is also shown to be insecure. Rijmen et al. presented a design strategy for block ciphers and the cipher SHARK. We show that there exist ciphers constructed according to this design strategy which can be broken faster than claimed. In particular, we cryptanalyse 5 rounds of a variant of SHARK, which deviates only slightly from the proposed SHARK.


  1. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993.
  2. P.M. Cohn. Algebra, Volume 1. John Wiley & Sons, 1982.
  3. K. Kiefer. A New Design Concept for Building Secure Block Ciphers. In J. Pribyl, editor, Proceedings of the 1st International Conference on the Theory and Applications of Cryptology, PRAGOCRYPT’96, Prague, Czech Republic, pages 30–41. CTU Publishing House, 1996.
  4. L.R. Knudsen. Block Ciphers — Analysis, Design and Applications. PhD thesis, Aarhus University, Denmark, 1994.
  5. L.R. Knudsen. Truncated and higher order differentials. In B. Preneel, editor, Fast Software Encryption — Second International Workshop, Leuven, Belgium, LNCS 1008, pages 196–211. Springer Verlag, 1995.
  6. X. Lai. Higher order derivatives and differential cryptanalysis. In Proc. "Symposium on Communication, Coding and Cryptography", in honor of James L. Massey on the occasion of his 60’th birthday, Feb. 10–13, 1994, Monte-Verita, Ascona, Switzerland, 1994.
  7. M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology — Proc. Eurocrypt’93, LNCS 765, pages 386–397. Springer Verlag, 1993.
  8. K. Nyberg. Differentially uniform mappings for cryptography. In T. Helleseth, editor, Advances in Cryptology — Proc. Eurocrypt’93, LNCS 765, pages 55–64. Springer Verlag, 1993.
  9. K. Nyberg. Linear approximations of block ciphers. In A. De Santis, editor, Advances in Cryptology — Proc. Eurocrypt’94, LNCS 950, pages 439–444. Springer Verlag, 1994.
  10. K. Nyberg and L.R. Knudsen. Provable security against a differential attack. The Journal of Cryptology, 8(1):27–38, 1995.
  11. V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers, and E. De Win. The cipher SHARK. In D. Gollmann, editor, Fast Software Encryption, Third International Workshop, Cambridge, U.K., February 1996, LNCS 1039, pages 99–112. Springer Verlag, 1996.

Copyright information

© Springer-Verlag 1997

Authors and Affiliations

  • Thomas Jakobsen (1)
  • Lars R. Knudsen (2)
  1. Department of Mathematics, Building 303, Technical University of Denmark, Lyngby, Denmark
  2. Dept. Electrical Engineering-ESAT, Katholieke Universiteit Leuven, Heverlee, Belgium
