Abstract
Algebraic Cryptanalysis [45] is concerned with solving particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in the cryptanalytic literature: the XL and XSL methods, Gröbner bases, SAT solvers, as well as many others. In this paper we survey these methods and point out that the main working principle in all of them is essentially the same: one quantity grows faster than another quantity, which leads to a “phase transition” after which the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis.
In this paper we also point out that there exists a second, more general way of formulating algebraic attacks, through dedicated coding techniques which introduce redundancy by adding new variables. This opens numerous new possibilities for the attacker and leads to interesting optimization problems in which the existence of useful equations may be deliberately engineered by the attacker.
Notes
1. Identical monomials are generated many times; for example \(x_1x_2x_3\) will be obtained 3 times, when multiplying \(x_1x_3\) by \(x_2\), etc. Cf. also slide 80 of [26].
2. A situation where R grows faster than T permanently must be an illusion. Let \(F\le R\) be the number of linearly independent equations. These equations belong to the linear space of dimension T. Thus \(F\le T\) and very frequently \(F\le T-1\), cf. [8].
3.
4. Interestingly, one could repair the linearization technique by some form of decimation (erasing a subset of equations) in which the redundancies are removed.
5. A related concept is the “Algebraic Complexity Reduction” of [16], which has been a great success in the restricted case of block ciphers with a lot of high-level self-similarity, and which is different and stronger. In [16] the attacker also makes well-chosen guesses on special combinations of variables.
6. This happens for example in the cryptanalysis of multivariate public-key cryptosystems with the discovery of so-called “implicit equations” [5, 37], which we call “I/O relations” in our Definition 4.1.1; see also [5, 33, 35]. Similarly, some quite unexpected equations can be shown to always exist (worst-case results) in algebraic attacks on stream ciphers [14, 24, 25]. We also have a closely related notion of so-called “degree falls”, sometimes also called “mutants”, which are for example observed in ElimLin attacks [6, 12, 17, 42].
7.
8. In terms of algebraic degree, sparsity, multiplicative complexity, etc.
9. See Part 1, slides 56 and 58, in [26].
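The counting argument behind the abstract and behind Notes 1 and 2 (R equations versus T monomials, and the rank F that is bounded by T-1) can be made concrete on a toy system. The following is an added example written for this page; it is not code from the paper or from the author's software [11]. It assumes an XL-style expansion as in [7]: every quadratic equation over GF(2) is multiplied by all monomials of degree at most D-2, and the resulting R equations are viewed as vectors in the space of the T multilinear monomials of degree at most D. The quadratic system is random with a planted root (a constructed sample, not a cipher), so it is guaranteed to be consistent; the function and variable names are this example's own.

```python
# Added example (not from the paper): a small XL-style experiment over GF(2)
# that makes the counting in the abstract and in Notes 1 and 2 concrete.
# R = number of equations after multiplying, T = number of monomials,
# F = number of linearly independent equations (GF(2) rank).
import itertools
import random
from math import comb

# A monomial is a sorted tuple of variable indices (x_i^2 = x_i over GF(2));
# the constant 1 is the empty tuple. A polynomial is a set of monomials and
# addition over GF(2) is symmetric difference of those sets.

def monomials(n, d):
    """All multilinear monomials in n variables of degree <= d."""
    return [c for k in range(d + 1) for c in itertools.combinations(range(n), k)]

def num_monomials(n, d):
    """T for degree bound d: sum of binomial(n, k) for k <= d."""
    return sum(comb(n, k) for k in range(d + 1))

def mul(poly, mono):
    """Multiply a polynomial by a monomial; x_i * x_i = x_i, so indices are unioned."""
    out = set()
    for m in poly:
        out ^= {tuple(sorted(set(m) | set(mono)))}
    return out

def evaluate(poly, point):
    """Evaluate a polynomial at a 0/1 point (the empty monomial evaluates to 1)."""
    return sum(all(point[i] for i in mo) for mo in poly) % 2

def random_quadratic_system(n, m, rng):
    """m random quadratic polynomials with a planted common root (constructed, consistent)."""
    root = [rng.randrange(2) for _ in range(n)]
    system = []
    for _ in range(m):
        poly = {mo for mo in monomials(n, 2) if rng.randrange(2)}
        if evaluate(poly, root):      # flip the constant term so the root is a zero
            poly ^= {()}
        system.append(poly)
    return system, root

def gf2_rank(rows):
    """Gaussian elimination over GF(2); each row is a bit mask over the T monomials."""
    rank = 0
    rows = [r for r in rows if r]
    while rows:
        pivot = rows.pop()
        rank += 1
        high = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> high) & 1 else r for r in rows]
        rows = [r for r in rows if r]
    return rank

def xl_rank(system, n, D):
    """XL step at degree D: returns (R, T, F) for the expanded system."""
    cols = {mo: i for i, mo in enumerate(monomials(n, D))}
    rows = []
    for poly in system:
        for mo in monomials(n, D - 2):
            bits = 0
            for mm in mul(poly, mo):
                bits |= 1 << cols[mm]
            rows.append(bits)
    return len(rows), len(cols), gf2_rank(rows)

def xl_experiment(n, m, D, seed=1):
    """Build a random consistent quadratic system and run xl_rank on it."""
    rng = random.Random(seed)
    system, root = random_quadratic_system(n, m, rng)
    assert all(evaluate(p, root) == 0 for p in system)
    return xl_rank(system, n, D)

def first_degree_where_R_exceeds_T(n, m, max_D=12):
    """Smallest D with R >= T - 1 by counting alone (the usual XL heuristic);
    Note 2 explains why the real rank F still satisfies F <= T - 1."""
    for D in range(2, max_D + 1):
        if m * num_monomials(n, D - 2) >= num_monomials(n, D) - 1:
            return D
    return None

def generation_multiplicity(n, D):
    """How often each degree-D monomial arises as (degree-2 monomial) x (degree D-2
    monomial), cf. Note 1: x1 x2 x3 arises 3 times for D = 3."""
    counts = {}
    for a in itertools.combinations(range(n), 2):
        for b in itertools.combinations(range(n), D - 2):
            if set(a) & set(b):
                continue              # overlapping variables give a lower-degree monomial
            mo = tuple(sorted(a + b))
            counts[mo] = counts.get(mo, 0) + 1
    return counts

if __name__ == "__main__":
    n, m = 6, 9
    for D in (2, 3, 4):
        R, T, F = xl_experiment(n, m, D)
        print(f"D={D}: R={R} T={T} F={F}  (F <= T-1 holds: {F <= T - 1})")
```

With n = 6 variables and m = 9 equations, counting alone predicts R >= T - 1 already at D = 3 (R = 63 rows against T = 42 monomials), yet the rank F of those 63 rows can never exceed 41: the vector of monomial values at the planted root is orthogonal to every row and is non-zero, which is exactly the F <= T - 1 bound of Note 2. The duplicate-generation count of Note 1 is visible in generation_multiplicity, which reports 3 for x1x2x3 at D = 3 and, in general, binomial(D, 2) for any degree-D monomial.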
References
[1] Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: ICPSS, Paris, France, pp. 71–75 (2004)
[2] Boyar, J., Peralta, R.: A new combinational logic minimization technique with applications to cryptology. In: Festa, P. (ed.) SEA 2010. LNCS, vol. 6049, pp. 178–189. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13193-6_16. An early version was published in 2009: http://eprint.iacr.org/2009/191. Accessed 13 Mar 2010
[3] Boyar, J., Find, M., Peralta, R.: Four measures of nonlinearity. In: Spirakis, P.G., Serna, M. (eds.) CIAC 2013. LNCS, vol. 7878, pp. 61–72. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38233-8_6
[4] Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30191-2_31
[5] Courtois, N.T.: The security of hidden field equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001). doi:10.1007/3-540-45353-9_20
[6] Courtois, N.T., Bard, G.V.: Algebraic cryptanalysis of the data encryption standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007). doi:10.1007/978-3-540-77272-9_10
[7] Courtois, N.T., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). doi:10.1007/3-540-45539-6_27
[8] Courtois, N.T., Patarin, J.: About the XL algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003). doi:10.1007/3-540-36563-X_10
[9] Courtois, N.T.: How fast can be algebraic attacks on block ciphers? In: Biham, E., Handschuh, H., Lucks, S., Rijmen, V. (eds.) Online Proceedings of Dagstuhl Seminar 07021, Symmetric Cryptography, 07–12 January 2007 (2007). http://drops.dagstuhl.de/portals/index.php?semnr=07021. http://eprint.iacr.org/2006/168/, ISSN 1862-4405
[10] Courtois, N.T.: CTC2 and fast algebraic attacks on block ciphers revisited. http://eprint.iacr.org/2007/152/
[11] Courtois, N.T.: Some algebraic cryptanalysis software. http://www.cryptosystem.net/aes/tools.html
[12] Courtois, N.T., Papapanagiotakis-Bousy, I., Sepehrdad, P., Song, G.: Predicting outcomes of ElimLin attack on lightweight block cipher SIMON. In: Secrypt 2016 Proceedings (2016)
[13] Courtois, N.T., Debraize, B.: Specific S-box criteria in algebraic attacks on block ciphers with several known plaintexts. In: Lucks, S., Sadeghi, A.-R., Wolf, C. (eds.) WEWoRC 2007. LNCS, vol. 4945, pp. 100–113. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88353-1_9
[14] Courtois, N.T.: Algebraic attacks on combiners with memory and several outputs. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 3–20. Springer, Heidelberg (2005). doi:10.1007/11496618_3. http://eprint.iacr.org/2003/125/
[15] Courtois, N.T.: Security evaluation of GOST 28147-89 in view of international standardisation. Cryptologia 36(1), 2–13 (2012)
[16] Courtois, N.T.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph Study of Security of GOST, 2010–2014. http://eprint.iacr.org/2011/626
[17] Courtois, N.T., Sepehrdad, P., Sušil, P., Vaudenay, S.: ElimLin algorithm revisited. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 306–325. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34047-5_18
[18] Courtois, N.T., Hulme, D., Mourouzis, T.: Solving circuit optimisation problems in cryptography and cryptanalysis. In: SHARCS 2012, pp. 179–191 (2012). http://2012.sharcs.org/record.pdf
[19] Courtois, N.T., Hulme, D., Mourouzis, T.: Multiplicative complexity and solving generalized Brent equations with SAT solvers. In: COMPUTATION TOOLS 2012, pp. 22–27 (2012)
[20] Courtois, N.T., Gawinecki, J.A., Song, G.: Contradiction immunity and guess-then-determine attacks on GOST. Tatra Mt. Math. Publ. 53(3), 65–79 (2012). http://www.sav.sk/journals/uploads/0114113604CuGaSo.pdf
[21] Courtois, N.T., Mourouzis, T., Misztal, M., Quisquater, J.-J., Song, G.: Can GOST be made secure against differential cryptanalysis? Cryptologia 39(2), 145–156 (2015)
[22] Courtois, N.T.: New frontier in symmetric cryptanalysis. Invited talk at Indocrypt 2008, 14–17 December 2008 (2008). http://www.nicolascourtois.com/papers/front_indocrypt08.pdf
[23] Courtois, N.T., Debraize, B.: Algebraic description and simultaneous linear approximations of addition in SNOW 2.0. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 328–344. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88625-9_22
[24] Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_11
[25] Courtois, N.T.: General principles of algebraic attacks and new design criteria for cipher components. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 67–83. Springer, Heidelberg (2005). doi:10.1007/11506447_7
[26] Courtois, N.T.: Algebraic attacks vs. design of block and stream ciphers. Slides used in the GA18 course Cryptanalysis taught at University College London, 2014–2016. http://www.nicolascourtois.com/papers/algat_all_teach_2015.pdf
[27] Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002). doi:10.1007/3-540-36178-2_17
[28] Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. http://eprint.iacr.org/2002/044/. Contains two different (earlier) versions of the XSL attack; see also [27]
[29] Courtois, N.T.: High Saturation Complete Graph Approach for EC Point Decomposition and ECDL Problem. Preprint, July–September 2016 (2016). http://eprint.iacr.org/2016/704.pdf
[30] Sušil, P., Sepehrdad, P., Vaudenay, S., Courtois, N.: On selection of samples in algebraic attacks and a new technique to find hidden low degree equations. Int. J. Inf. Secur. 15(1), 51–65 (2016). Springer
[31] Diem, C.: On the discrete logarithm problem in elliptic curves. Compos. Math. 147, 75–104 (2011)
[32] Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem. Preprint, 22 October 2015 (2015). https://eprint.iacr.org/2015/1022.pdf
[33] Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_3
[34] Minder, L.: Cryptography based on error correcting codes. Ph.D. thesis 3846, EPFL, 27 July 2007 (2007). http://algo.epfl.ch/_media/en/projects/lorenz_thesis.pdf
[35] Huang, M.-D.A., Kosters, M., Yeo, S.L.: Last fall degree, HFE, and Weil descent attacks on ECDLP. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 581–600. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_28
[36] Mourouzis, T.: Optimizations in algebraic and differential cryptanalysis. Ph.D. thesis, under supervision of Dr. Nicolas T. Courtois, University College London, January 2015. http://discovery.ucl.ac.uk/1462141/2/PhD_Thesis_Theodosis_Mourouzis.pdf
[37] Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995). doi:10.1007/3-540-44750-4_20
[38] Perret, L.: Gröbner bases techniques in cryptography. http://web.stevens.edu/algebraic/Files/SCPQ/SCPQ-2011-03-30-talk-Perret.pdf
[39] Petit, C., Kosters, M., Messeng, A.: Algebraic approaches for the elliptic curve discrete logarithm problem over prime fields. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 3–18. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49387-8_1
[40] Petit, C., Quisquater, J.-J.: On polynomial systems arising from a Weil descent. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 451–466. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_28
[41] Arabnezhad-Khanoki, H., Sadeghiyan, B., Pieprzyk, J.: Algebraic attack efficiency versus S-box representation. eprint.iacr.org/2017/007.pdf
[42] Raddum, H.: Algebraic analysis of the SIMON block cipher family. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 157–169. Springer, Cham (2015). doi:10.1007/978-3-319-22174-8_9. https://www.simula.no/file/simonpaperrevisedpdf/download
[43] Semaev, I.: New algorithm for the discrete logarithm problem on elliptic curves. Preprint, 10 April 2015. eprint.iacr.org/2015/310/
[44] Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. Preprint. eprint.iacr.org/2004/031/
[45] Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949). See in particular p. 704
[46] Song, G.: Optimization and guess-then-solve attacks in cryptanalysis. Ph.D. thesis, to be presented at University College London in 2017 (2017)
[47] Stoffelen, K.: Optimizing S-box implementations for several criteria using SAT solvers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 140–160. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_8. https://eprint.iacr.org/2016/198
Acknowledgments
I would like to thank the following people, who have either inspired and motivated me to write this paper or provided me with valuable feedback: Moti Yung, David Naccache, Raphael Phan, Christophe Petit, Steven Galbraith, Jacques Patarin, Louis Goubin, Daniel Augot, Jonathan Bootle and Mary Maller.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Courtois, N.T. (2017). Two Philosophies for Solving Non-linear Equations in Algebraic Cryptanalysis. In: Phan, R.W., Yung, M. (eds.) Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology. Mycrypt 2016. Lecture Notes in Computer Science, vol. 10311. Springer, Cham. https://doi.org/10.1007/978-3-319-61273-7_27
DOI: https://doi.org/10.1007/978-3-319-61273-7_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-61272-0
Online ISBN: 978-3-319-61273-7
eBook Packages: Computer Science (R0)