Two Philosophies for Solving Non-linear Equations in Algebraic Cryptanalysis

  • Nicolas T. CourtoisEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10311)


Algebraic Cryptanalysis [45] is concerned with solving of particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in cryptanalytic literature: XL and XSL method, Gröbner bases, SAT solvers, as well as many other. In this paper we survey these methods and point out that the main working principle in all of them is essentially the same. One quantity grows faster than another quantity which leads to a “phase transition” and the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis.

In this paper we point out that there exists a second (more) general way of formulating algebraic attacks through dedicated coding techniques which involve redundancy with addition of new variables. This opens numerous new possibilities for the attackers and leads to interesting optimization problems where the existence of interesting equations may be somewhat deliberately engineered by the attacker.


Algebraic cryptanalysis Overdefined systems of equations NP-hard problems Phase transitions XL algorithm Gröbner bases XSL algorithm ElimLin Degree falls Error correcting codes Algebraic codes Elliptic curves ECDL problem Semaev polynomials Block ciphers DES GOST Simon 



I would like to thank the following people who have either inspired and motivated me for writing this paper, or who provided me with some valuable feedback: Moti Yung, David Naccache, Raphael Phan, Christophe Petit, Steven Galbraith, Jacques Patarin, Louis Goubin, Daniel Augot, Jonathan Bootle and Mary Maller.


  1. 1.
    Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: ICPSS, Paris, France, pp. 71–75 (2004)Google Scholar
  2. 2.
    Boyar, J., Peralta, R.: A new combinational logic minimization technique with applications to cryptology. In: Festa, P. (ed.) SEA 2010. LNCS, vol. 6049, pp. 178–189. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13193-6_16. An early version was published in 2009 Accessed 13 Mar 2010CrossRefGoogle Scholar
  3. 3.
    Boyar, J., Find, M., Peralta, R.: Four measures of nonlinearity. In: Spirakis, P.G., Serna, M. (eds.) CIAC 2013. LNCS, vol. 7878, pp. 61–72. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38233-8_6 CrossRefGoogle Scholar
  4. 4.
    Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-30191-2_31 CrossRefGoogle Scholar
  5. 5.
    Courtois, N.T.: The security of hidden field equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001). doi: 10.1007/3-540-45353-9_20 CrossRefGoogle Scholar
  6. 6.
    Courtois, N.T., Bard, G.V.: Algebraic cryptanalysis of the data encryption standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-77272-9_10 CrossRefGoogle Scholar
  7. 7.
    Courtois, N.T., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). doi: 10.1007/3-540-45539-6_27 CrossRefGoogle Scholar
  8. 8.
    Courtois, N.T., Patarin, J.: About the XL algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003). doi: 10.1007/3-540-36563-X_10 CrossRefGoogle Scholar
  9. 9.
    Courtois, N.T.: How fast can be algebraic attacks on block ciphers? In: Biham, E., Handschuh, H., Lucks, S., Rijmen, V. (eds.) Online Proceedings of Dagstuhl Seminar 07021, Symmetric Cryptography 07–12 January 2007 (2007)., ISSN 1862 - 4405
  10. 10.
    Courtois, N.T.: CTC2 and fast algebraic attacks on block ciphers revisited.
  11. 11.
    Courtois, N.T.: Some algebraic cryptanalysis software.
  12. 12.
    Courtois, N.T., Papapanagiotakis-Bousy, I., Sepehrdad, P., Song, G.: Predicting outcomes of ElimLin attack on lightweight block cipher simon. In: Secrypt 2016 Proceedings (2016)Google Scholar
  13. 13.
    Courtois, N.T., Debraize, B.: Specific S-box criteria in algebraic attacks on block ciphers with several known plaintexts. In: Lucks, S., Sadeghi, A.-R., Wolf, C. (eds.) WEWoRC 2007. LNCS, vol. 4945, pp. 100–113. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88353-1_9 CrossRefGoogle Scholar
  14. 14.
    Courtois, N.T.: Algebraic attacks on combiners with memory and several outputs. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 3–20. Springer, Heidelberg (2005). doi: 10.1007/11496618_3. CrossRefGoogle Scholar
  15. 15.
    Courtois, N.T.: Security evaluation of GOST 28147-89 in view of international standardisation. Cryptologia 36(1), 2–13 (2012)CrossRefGoogle Scholar
  16. 16.
    Courtois, N.T.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph Study of Security of GOST, 2010–2014.
  17. 17.
    Courtois, N.T., Sepehrdad, P., Sušil, P., Vaudenay, S.: ElimLin algorithm revisited. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 306–325. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34047-5_18 CrossRefGoogle Scholar
  18. 18.
    Courtois, N.T., Hulme, D., Mourouzis, T.: Solving circuit optimisation problems in cryptography and cryptanalysis. In: SHARCS 2012, pp. 179–191 (2012).
  19. 19.
    Courtois, N.T., Hulme, D., Mourouzis, T.: Multiplicative complexity and solving generalized Brent equations with SAT solvers. In: COMPUTATION TOOLS 2012, pp. 22–27 (2012)Google Scholar
  20. 20.
    Courtois, N.T., Gawinecki, J.A., Song, G.: Contradiction immunity and guess-then-determine attacks on GOST. Tatra Mt. Math. Publ. 53(3), 65–79 (2012). MathSciNetzbMATHGoogle Scholar
  21. 21.
    Courtois, N.T., Mourouzis, T., Misztal, M., Quisquater, J.-J., Song, G.: Can GOST be made secure against differential cryptanalysis? Cryptologia 39(2), 145–156 (2015)CrossRefGoogle Scholar
  22. 22.
    Courtois, N.T.: New frontier in symmetric cryptanalysis, invited Talk at Indocrypt 2008, 14–17 December 2008 (2008).
  23. 23.
    Courtois, N.T., Debraize, B.: Algebraic description and simultaneous linear approximations of addition in snow 2.0. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 328–344. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88625-9_22 CrossRefGoogle Scholar
  24. 24.
    Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_11 CrossRefGoogle Scholar
  25. 25.
    Courtois, N.T.: General principles of algebraic attacks and new design criteria for cipher components. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 67–83. Springer, Heidelberg (2005). doi: 10.1007/11506447_7 CrossRefGoogle Scholar
  26. 26.
    Courtois, N.T.: Algebraic attacks vs. design of block and stream ciphers. Slides Used in GA18 Course Cryptanalysis taught at University College London, 2014–2016.
  27. 27.
    Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002). doi: 10.1007/3-540-36178-2_17 CrossRefGoogle Scholar
  28. 28.
    Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. Contains two different (earlier) versions of the XSL attack, see also [27]
  29. 29.
    Courtois, N.T.: High Saturation Complete Graph Approach for EC Point Decomposition and ECDL Problem, preprint July–September 2016 (2016).
  30. 30.
    Susil, P., Sepehrdad, P., Vaudenay, S., Courtois, N.: On selection of samples in algebraic attacksand a new technique to find hidden low degree equations. Int. J. Inf. Secur. 15(1), 51–65 (2016). SpringerCrossRefGoogle Scholar
  31. 31.
    Diem, C.: On the discrete logarithm problem in elliptic curves. Compos. Math. 147, 75–104 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  32. 32.
    Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem, preprint, 22 October 2015 (2015).
  33. 33.
    Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003). doi: 10.1007/978-3-540-45146-4_3 CrossRefGoogle Scholar
  34. 34.
    Minder, L.: Cryptography based on error correcting codes. Ph.D. thesis 3846 (2007). EPFL, 27 July 2007.
  35. 35.
    Huang, M.-D.A., Kosters, M., Yeo, S.L.: Last fall degree, HFE, and weil descent attacks on ECDLP. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 581–600. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47989-6_28 CrossRefGoogle Scholar
  36. 36.
    Mourouzis, T.: Optimizations in algebraic and differential cryptanalysis. Ph.D. thesis, under superivsion of Dr. Nicolas T. Courtois, University College London, January 2015.
  37. 37.
    Patarin, J.: Cryptanalysis of the matsumoto and imai public key scheme of Eurocrypt’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995). doi: 10.1007/3-540-44750-4_20 Google Scholar
  38. 38.
    Perret, L.: Gröbner bases techniques in cryptography.
  39. 39.
    Petit, C., Kosters, M., Messeng, A.: Algebraic approaches for the elliptic curve discrete logarithm problem over prime fields. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 3–18. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49387-8_1 CrossRefGoogle Scholar
  40. 40.
    Petit, C., Quisquater, J.-J.: On polynomial systems arising from a weil descent. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 451–466. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-34961-4_28 CrossRefGoogle Scholar
  41. 41.
    Arabnezhad-Khanoki, H., Sadeghiyan, B., Pieprzyk, J.: Algebraic attack efficiency versus S-box representation.
  42. 42.
    Raddum, H.: Algebraic analysis of the simon block cipher family. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 157–169. Springer, Cham (2015). doi: 10.1007/978-3-319-22174-8_9. CrossRefGoogle Scholar
  43. 43.
    Semaev, I.: New algorithm for the discrete logarithm problem on elliptic curves. Preprint 10 April 2015.
  44. 44.
    Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. Preprint.
  45. 45.
    Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949). See in particular p. 704MathSciNetCrossRefzbMATHGoogle Scholar
  46. 46.
    Song, G.: Optimization and guess-then-solve attacks in cryptanalysis. Ph.D. thesis, will be presented at University College London in 2017 (2017)Google Scholar
  47. 47.
    Stoffelen, K.: Optimizing S-box implementations for several criteria using SAT solvers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 140–160. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-52993-5_8. CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Computer ScienceUniversity College LondonLondonUK

Personalised recommendations