Skip to main content

Can a Differential Attack Work for an Arbitrarily Large Number of Rounds?

  • Conference paper
  • First Online:
Information Security and Cryptology – ICISC 2020 (ICISC 2020)


Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively, little research, on how block cipher wiring can be very special or abnormal. In this article we show a strong type of anomaly: where the complexity of a differential attack does not grow exponentially as the number of rounds increases. It will grow initially, and later will be lower bounded by a constant. At the end of the day the vulnerability is an ordinary single differential attack on the full state. It occurs due to the existence of a hidden polynomial invariant. We conjecture that this type of anomaly is not easily detectable if the attacker has limited resources.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. 1.

    This happens with probability at least \(2^{-8}\) for any Boolean function, see Appendix A.

  2. 2.

    This function is used twice as W and as Y for 2 disjoints sets of 6 inputs.

  3. 3.

    For example if one input A is b the other must be e.


  1. Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and slide attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008).

    Chapter  Google Scholar 

  2. Courtois, N.T., Bard, G.V.: Random permutation statistics and an improved slide-determine attack on KeeLoq. In: Naccache, D. (ed.) Cryptography and Security: From Theory to Applications. LNCS, vol. 6805, pp. 35–54. Springer, Heidelberg (2012).

    Chapter  MATH  Google Scholar 

  3. Bard, G.V., Courtois, N.T., Nakahara, J., Sepehrdad, P., Zhang, B.: Algebraic, AIDA/Cube and side channel analysis of KATAN family of block ciphers. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 176–196. Springer, Heidelberg (2010).

    Chapter  Google Scholar 

  4. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4, 3–72 (1991).

    Article  MathSciNet  MATH  Google Scholar 

  5. Brown, L., Seberry, J.: On the design of permutation P in des type cryptosystems. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 696–705. Springer, Heidelberg (1990).

    Chapter  Google Scholar 

  6. Çalık, Ç., Sönmez Turan, M., Peralta, R.: The multiplicative complexity of 6-variable Boolean functions. Cryptogr. Commun. 11(1), 93–107 (2018).

    Article  MathSciNet  MATH  Google Scholar 

  7. Charpin, P.: Normal Boolean functions. J. Complex. 20(2–3), 245–265 (2004)

    Article  MathSciNet  Google Scholar 

  8. Courtois, N.T.: The dark side of security by obscurity and cloning MiFare classic rail and building passes anywhere, anytime. In: SECRYPT 2009, pp. 331–338. INSTICC Press (2009). ISBN 978-989-674-005-4

    Google Scholar 

  9. Courtois, N.T., Mourouzis, T.: Propagation of truncated differentials in GOST. In: SECURWARE (2013).

  10. Courtois, N.T.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph study on GOST cipher, 224 p.

  11. Courtois, N., Gawinecki, J.A., Song, G.: Contradiction immunity and guess-then-determine attacks on GOST. In: CECC 2912, Tatra Mt. Math. Publ. vol. 53, no. 3, pp. 65–79 (2012).

  12. Courtois, N.T., Georgiou, M.: Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310. Cryptologia 44(1), 20–38 (2020).

    Article  Google Scholar 

  13. Courtois, N.T., Patrick, A., Abbondati, M.: Construction of a polynomial invariant annihilation attack of degree 7 for T-310. Cryptologia 44(4), 289–314 (2020)

    Article  Google Scholar 

  14. Courtois, N.T.: On the existence of non-linear invariants and algebraic polynomial constructive approach to backdoors in block ciphers. Accessed 27 Mar 2019

  15. Courtois, N.T., Patrick, A.: Lack of unique factorization as a tool in block cipher cryptanalysis. Accessed 12 May 2019

  16. Courtois, N.T.: Structural nonlinear invariant attacks on T-310: attacking arbitrary Boolean functions. Accessed 12 Sept 2019

  17. Courtois, N.T.: A nonlinear invariant attack on T-310 with the original Boolean function. Cryptologia, 23 Apr 2020. to appear also in paper version in 2020

  18. Courtois, N.T.: Invariant hopping attacks on block ciphers. In: Presented at WCC 2019, Abbaye de Saint-Jacut de la Mer, France, 31 March–5 April 2019. Accessed 8 Feb 2020

  19. Courtois, N.T., Abbondati, M., Ratoanina, H., Grajek, M.: Systematic construction of nonlinear product attacks on block ciphers. In: Seo, J.H. (ed.) ICISC 2019. LNCS, vol. 11975, pp. 20–51. Springer, Cham (2020).

    Chapter  Google Scholar 

  20. Courtois, N.T.: Feistel schemes and bi-linear cryptanalysis. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 23–40. Springer, Heidelberg (2004).

    Chapter  Google Scholar 

  21. Courtois, N.T., et al.: Cryptographic security analysis of T-310. Monography study on the T-310 block cipher, 132 p. 20 May 2017. Accessed 29 June 2018

  22. Courtois, N.T., Oprisanu, M.-B.: Ciphertext-only attacks and weak long-term keys in T-310. Cryptologia, 42(4), 316–336 (2018).

  23. Courtois, N., Drobick, J., Schmeh, K.: Feistel ciphers in East Germany in the communist era. Cryptologia 42(6), 427–444 (2018)

    Article  Google Scholar 

  24. Courtois, N.T.: Block ciphers: lessons from the cold war. In: Slides presented at 2019 biennial Symposium on Cryptologic History, Laurel, Maryland, US, October 2019.

  25. Courtois, N.T.: The inverse S-Box, non-linear polynomial relations and cryptanalysis of block ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 170–188. Springer, Heidelberg (2005).

  26. Courtois, N.: The inverse S-box and two paradoxes of whitening. Long extended version of the Crypto 2004 rump session presentation, Whitening the AES S-box.

  27. Courtois, N., Oprisanu, M.-B., Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s. Cryptologia (2018).

  28. Courtois, N.: The best differential characteristics and subtleties of the Biham-Shamir attacks on DES.

  29. Courtois, N.T.: An improved differential attack on full GOST. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 282–303. Springer, Heidelberg (2016).

    Chapter  Google Scholar 

  30. Courtois, N.: An improved differential attack on full GOST. Cryptology ePrint Archive, Report 2012/138, 15 March 2012. Accessed Dec 2015

  31. Courtois, N., Misztal, M.: Aggregated differentials and cryptanalysis of PP-1 and GOST. Periodica Mathematica Hungarica 65(2), 11–26 (2012). In CECC 2011, 11th Central European Conference on Cryptology

    Article  MathSciNet  MATH  Google Scholar 

  32. Courtois, N.T., Mourouzis, T., Misztal, M., Quisquater, J.J., Song, G.: Can GOST be made secure against differential cryptanalysis? Cryptologia 39(2), 145–156 (2015)

    Article  Google Scholar 

  33. Courtois, N.: On multiple symmetric fixed points in GOST. Cryptologia 39(4), 322–334 (2015)

    Article  Google Scholar 

  34. Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995).

    Chapter  Google Scholar 

  35. Dubuc, S.: Etude des propriétés de dégénérescence et de normalité des fonctions booléennes et construction de fonctions q-aires parfaitement non-linéaires, Ph.D. thesis, Université de Caen (2001)

    Google Scholar 

  36. Feistel, H., Notz, W.A., Smith, J.L.: Cryptographic techniques for machine to machine data communications, 27 Dec 1971, Report RC-3663, IBM T. J. Watson Research (1971)

    Google Scholar 

  37. Golić, J.D.: Cryptanalytic attacks on MIFARE classic protocol. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 239–258. Springer, Heidelberg (2013).

    Chapter  Google Scholar 

  38. Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s Piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995).

    Chapter  Google Scholar 

  39. Harpes, C., Massey, J.L.: Partitioning cryptanalysis. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 13–27. Springer, Heidelberg (1997).

    Chapter  Google Scholar 

  40. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995).

    Chapter  Google Scholar 

  41. Kovalchuk, L.V.: Generalized Markov ciphers: evaluation of practical security against differential cryptanalysis. In: Proceedings of 5th All-Russian Scientific Conference MaBIT-06, 25–27 Oct 2006, MGU, Moscow, pp. 595–599 (2006). (in Russian)

    Google Scholar 

  42. Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991).

    Chapter  Google Scholar 

  43. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011).

    Chapter  Google Scholar 

  44. Knudsen, L.R., Robshaw, M.J.B.: Non-Linear Characteristics in Linear Cryptoanalysis. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Heidelberg (1996)

    Google Scholar 

  45. Maiorana, J.A.: A classification of the cosets of the Reed-Muller code R(1,6). Math. Comput. 57(195), 403–414 (1991)

    MathSciNet  MATH  Google Scholar 

  46. John Nash, handwritten letters and documents relating to their evaluation, available at NSA crypto museum, January-March 1955. declassified in 2012

  47. Nyberg, K., Knudsen, L.R.: Provable security against differential cryptanalysis. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 566–574. Springer, Heidelberg (1993).

    Chapter  Google Scholar 

  48. Peyrin, T., Wang, H.: The MALICIOUS framework: embedding backdoors into tweakable block ciphers. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 249–278. Springer, Cham (2020).

    Chapter  Google Scholar 

  49. Referat 11: Kryptologische Analyse des Chiffriergerätes T-310/50. Central Cipher Organ, Ministry of State Security of the GDR, document referenced as ‘ZCO 402/80’, a.k.a. MfS-Abt-XI-594, Berlin, 123 p. (1980)

    Google Scholar 

  50. Schmeh, K.: The East German encryption machine T-310 and the algorithm it used. Cryptologia 30(3), 251–257 (2006)

    Article  Google Scholar 

  51. Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM and Midori 64. J. Cryptol. 32, 1–40 (2018)

    MATH  Google Scholar 

  52. Vielhaber, M.: AIDA Breaks BIVIUM (A&B) in 1 Minute Dual Core CPU Time.

  53. Winter, R., Salagean, A., Phan, R.C.-W.: Comparison of cube attacks over different vector spaces. In: Groth, J. (ed.) IMACC 2015. LNCS, vol. 9496, pp. 225–238. Springer, Cham (2015).

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Nicolas T. Courtois .

Editor information

Editors and Affiliations


Appendix A On Boolean Function Vulnerability

It is possible to see that a Boolean function chosen at random will satisfy our exact property \(Z({a+d})({b+e})({c+f})=0\) with probability \(2^{-8}\), cf. Section 5 in [13] and/or Appendix C in [16]. The result is the same as long as we have three linear factors which are linearly independent. In general, Boolean functions which are constant over large affine spaces are not an exception, it is systematic. 100% of Boolean functions in 6 variables are 3-normal and can be annihilated by a product of 3 affine polynomials. cf. Section 5 in [19] and [35]. We use another method to obtain the same result. It is sufficient to check all the 150357 classes of Boolean functions based on a database of Boolean functions of [6] based on earlier work by Maiorana [45].

Moreover, our experience shows that typically (when the Boolean function is balanced) both Z or \(Z+1\) will admit numerous solutions of this type, some of which could work with an attack such as described in this paper.

Table 3. Classes of Boolean Functions with 6 Variables w.r.t. k-normality
Table 4. Classes of Boolean Functions with 6 Variables w.r.t. k-weak-normality

No Boolean function whatsoever should be assumed to be secure against the attacks such as described in this paper. For example with the original Boolean function used in T-310 we have \(Zc(b+d)f=0\) and \(Z(a+b)c(1+e)=0\) and many other relations of this type. From here it is possible to construct a product invariant attack on demand, using exactly one single relation like this, see [17]. In other words, just one such annihilation equation, which was not chosen by the attacker, can lead to an attack on T-310 working for any number of rounds. This is already for an invariant attack at order 1. Properties which involve two encryptions like in our Theorem 5.1.1 and the existence of multiple ways to annihilate polynomials further increase the freedom for the attacker.

Appendix B The Key Recovery Question

There exists multiple ways in which non-linear invariant attacks can be exploited in cryptanalysis in order to decrypt actual encrypted communications. This question was already studied in Section 9 in [16] and Section 6 in [12] and Section 6 in [13] and there are several distinct ways to approach this problem. Some invariants (not all) introduce pervasive biases made of higher order correlation properties which do not degrade as the number of rounds increases. Other invariants do directly involve some key bits. In some sense we expect that most invariants are NOT suitable for actual attacks, in the sense that other invariants are more suitable for various technical reasons.

1.1 Appendix B.1 New Ways to Exploit Polynomial Invariants

In this paper we discover a possibility to convert a non-linear invariant attack into a differential attack. This opens new possibilities for key recovery in 3 steps as follows. First, we guess some key bits, then, determine some internal values, finally, confirm through a statistical distinguisher. It is important to note that the question of which key bits should be guessed and which ones are determined, is a major practical combinatorial optimization problem in cryptanalysis. It leads to interesting security “metric” notions such as SAT immunity and UNSAT immunity, cf. [11].

1.2 Appendix B.2 Multiple Simultaneous Differentials and Cube Attacks

A more advanced method to enable key recovery would be to explore the rich world of cube attacks which is a form of a higher order differential attack. This type of discrete differential properties is much older than it is usually assumed, it was studied since at least 1976, cf. [24], and there are many flavours of cube attacks [52, 53]. It is quite rare that several differential properties can work simultaneously and that the overall combined probability remains very high. One example of this is with MiFare classic in [8, 37], and it happens again here. Our attack has 8 differences which form a linear space and could be used simultaneously in a variety of combined differential, invariant or/and cube attacks. An interesting question is then how quickly the complexity of such attacks increases as the number of rounds grows. Here we need to look at a new type of conditional cube attack: when a certain product of polynomials is at 1. We need to focus on cube properties which involve key bits, which cannot be taken for granted in general, cf. Section 4.1. in [3]. The space of possible attacks is enormous and we leave this for future research.

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Courtois, N.T., Quisquater, JJ. (2021). Can a Differential Attack Work for an Arbitrarily Large Number of Rounds?. In: Hong, D. (eds) Information Security and Cryptology – ICISC 2020. ICISC 2020. Lecture Notes in Computer Science(), vol 12593. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-68889-9

  • Online ISBN: 978-3-030-68890-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics