Two Philosophies for Solving Non-linear Equations in Algebraic Cryptanalysis

Conference paper in: Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology (Mycrypt 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10311))

Abstract

Algebraic Cryptanalysis [45] is concerned with solving particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in the cryptanalytic literature: the XL and XSL methods, Gröbner bases, SAT solvers, as well as many others. In this paper we survey these methods and point out that the main working principle in all of them is essentially the same: one quantity grows faster than another quantity, which leads to a “phase transition” after which the problem becomes efficiently solvable. We illustrate this with examples from both symmetric and asymmetric cryptanalysis.

In this paper we point out that there exists a second, more general way of formulating algebraic attacks through dedicated coding techniques which introduce redundancy by adding new variables. This opens numerous new possibilities for the attacker and leads to interesting optimization problems in which the existence of useful equations may be, to some extent, deliberately engineered by the attacker.

Notes

  1. Identical monomials are generated many times; for example \(x_1x_2x_3\) will be obtained 3 times, e.g. when multiplying \(x_1x_3\) by \(x_2\). Cf. also slide 80 of [26].

  2. A situation where R grows faster than T permanently must be an illusion. Let \(F\le R\) be the number of linearly independent equations. These equations belong to a linear space of dimension T, so \(F\le T\), and very frequently \(F\le T-1\), cf. [8].

  3. Such software methods are sometimes called “plug and pray” attacks, cf. [29]. The main point in this paper and in [29] is that we would like to develop a richer galaxy of attacks in which the attacker plays a more active role.

  4. Interestingly, one could repair the linearization technique by some form of decimation (erasing a subset of equations) so that the redundancies are removed.

  5. A related concept is “Algebraic Complexity Reduction” [16], which has been a great success in the restricted case of block ciphers with a lot of high-level self-similarity, and which is different and stronger. In [16] the attacker also makes well-chosen guesses on special combinations of variables.

  6. This happens for example in the cryptanalysis of multivariate public-key cryptosystems with the discovery of so-called “implicit equations” [5, 37], which we call “I/O relations” in our Definition 4.1.1; see also [5, 33, 35]. Similarly, some quite unexpected equations can be shown to always exist (worst-case results) in algebraic attacks on stream ciphers [14, 24, 25]. We also have the closely related notion of so-called “degree falls”, sometimes also called “mutants”, which are for example observed in ElimLin attacks [6, 12, 17, 42].

  7. One (older) example showing that the number of equations grows faster than linearly as a function of the data complexity K in ElimLin can be found on slide 153 of [26]; this example is from 2006–2007 and originally comes from [13].

  8. In terms of algebraic degree, sparsity, multiplicative complexity, etc.

  9. See Part 1, slides 56 and 58, in [26].
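The counting argument behind the abstract's “one quantity grows faster than another” and behind notes 1 and 2 can be made concrete for XL-style linearization over GF(2). The following Python is an added example written for this page, not code from the paper or its author. It counts T (monomials of degree at most D in n variables, with \(x_i^2 = x_i\)) against R (equations obtained by multiplying each of m quadratic equations by every monomial of degree at most D-2), reports the first degree D at which R catches up with T, and counts how many times a given degree-3 monomial is produced when degree-2 monomials are multiplied by single variables (the duplication of note 1). The function names, the stopping rule R ≥ T-1 (chosen from note 2's bound F ≤ T-1) and the sample parameters n = m = 10 are this example's own assumptions.

```python
from itertools import combinations
from math import comb


def num_monomials(n, d):
    """Number of monomials of degree <= d in n variables over GF(2).
    Since x_i^2 = x_i, a monomial is just a subset of the variables,
    so the count is sum_{k=0..d} C(n, k)."""
    return sum(comb(n, k) for k in range(d + 1))


def xl_counts(n, m, D, eq_degree=2):
    """T = monomials of degree <= D (columns of the linearized system);
    R = equations obtained by multiplying each of the m original equations
    of degree eq_degree by every monomial of degree <= D - eq_degree.
    R counts generated equations before any linear dependencies are removed."""
    T = num_monomials(n, D)
    R = m * num_monomials(n, D - eq_degree)
    return T, R


def xl_phase_transition(n, m, eq_degree=2, max_D=20):
    """Smallest D at which R >= T - 1 (assumed stopping rule: note 2 says
    at most T - 1 equations can be independent, so R must at least reach
    that level for linearization to have any hope). Returns (D, T, R) or None."""
    for D in range(eq_degree, max_D + 1):
        T, R = xl_counts(n, m, D, eq_degree)
        if R >= T - 1:
            return D, T, R
    return None


def generation_multiplicity(n, target, D):
    """Count how many times the monomial `target` (a frozenset of variable
    indices) is produced when every monomial of degree D-1 is multiplied by
    every single variable. Over GF(2) multiplying by a variable already
    present leaves the monomial unchanged, which the set union captures."""
    count = 0
    for mono in combinations(range(n), D - 1):
        for v in range(n):
            if frozenset(mono) | {v} == target:
                count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: 10 variables, 10 quadratic equations.
    for D in range(2, 6):
        T, R = xl_counts(10, 10, D)
        print(f"D={D}: T={T} monomials, R={R} generated equations")
    print("first D with R >= T-1:", xl_phase_transition(10, 10))
    # Note 1: x1x2x3 arises 3 times from degree-2 monomials times a variable.
    print("x1x2x3 generated", generation_multiplicity(3, frozenset({0, 1, 2}), 3), "times")
```

The crossing point printed here is only a necessary condition: R counts equations with all their redundancies, and note 2 warns that at most T-1 of them can be linearly independent, so whether the phase transition actually occurs depends on the rank F, which this count does not compute.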

References

  1. Bardet, M., Faugère, J.-C., Salvy, B.: On the complexity of Gröbner basis computation of semi-regular overdetermined algebraic equations. In: ICPSS, Paris, France, pp. 71–75 (2004)

  2. Boyar, J., Peralta, R.: A new combinational logic minimization technique with applications to cryptology. In: Festa, P. (ed.) SEA 2010. LNCS, vol. 6049, pp. 178–189. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13193-6_16. An early version was published in 2009 http://eprint.iacr.org/2009/191. Accessed 13 Mar 2010

  3. Boyar, J., Find, M., Peralta, R.: Four measures of nonlinearity. In: Spirakis, P.G., Serna, M. (eds.) CIAC 2013. LNCS, vol. 7878, pp. 61–72. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38233-8_6

  4. Yang, B.-Y., Chen, J.-M., Courtois, N.T.: On asymptotic security estimates in XL and Gröbner bases-related algebraic cryptanalysis. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 401–413. Springer, Heidelberg (2004). doi:10.1007/978-3-540-30191-2_31

  5. Courtois, N.T.: The security of hidden field equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001). doi:10.1007/3-540-45353-9_20

  6. Courtois, N.T., Bard, G.V.: Algebraic cryptanalysis of the data encryption standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007). doi:10.1007/978-3-540-77272-9_10

  7. Courtois, N.T., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). doi:10.1007/3-540-45539-6_27

  8. Courtois, N.T., Patarin, J.: About the XL algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003). doi:10.1007/3-540-36563-X_10

  9. Courtois, N.T.: How fast can be algebraic attacks on block ciphers? In: Biham, E., Handschuh, H., Lucks, S., Rijmen, V. (eds.) Online Proceedings of Dagstuhl Seminar 07021, Symmetric Cryptography 07–12 January 2007 (2007). http://drops.dagstuhl.de/portals/index.php?semnr=07021. http://eprint.iacr.org/2006/168/, ISSN 1862 - 4405

  10. Courtois, N.T.: CTC2 and fast algebraic attacks on block ciphers revisited. http://eprint.iacr.org/2007/152/

  11. Courtois, N.T.: Some algebraic cryptanalysis software. http://www.cryptosystem.net/aes/tools.html

  12. Courtois, N.T., Papapanagiotakis-Bousy, I., Sepehrdad, P., Song, G.: Predicting outcomes of ElimLin attack on lightweight block cipher simon. In: Secrypt 2016 Proceedings (2016)

  13. Courtois, N.T., Debraize, B.: Specific S-box criteria in algebraic attacks on block ciphers with several known plaintexts. In: Lucks, S., Sadeghi, A.-R., Wolf, C. (eds.) WEWoRC 2007. LNCS, vol. 4945, pp. 100–113. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88353-1_9

  14. Courtois, N.T.: Algebraic attacks on combiners with memory and several outputs. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 3–20. Springer, Heidelberg (2005). doi:10.1007/11496618_3. http://eprint.iacr.org/2003/125/

  15. Courtois, N.T.: Security evaluation of GOST 28147-89 in view of international standardisation. Cryptologia 36(1), 2–13 (2012)

  16. Courtois, N.T.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph Study of Security of GOST, 2010–2014. http://eprint.iacr.org/2011/626

  17. Courtois, N.T., Sepehrdad, P., Sušil, P., Vaudenay, S.: ElimLin algorithm revisited. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 306–325. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34047-5_18

  18. Courtois, N.T., Hulme, D., Mourouzis, T.: Solving circuit optimisation problems in cryptography and cryptanalysis. In: SHARCS 2012, pp. 179–191 (2012). http://2012.sharcs.org/record.pdf

  19. Courtois, N.T., Hulme, D., Mourouzis, T.: Multiplicative complexity and solving generalized Brent equations with SAT solvers. In: COMPUTATION TOOLS 2012, pp. 22–27 (2012)

  20. Courtois, N.T., Gawinecki, J.A., Song, G.: Contradiction immunity and guess-then-determine attacks on GOST. Tatra Mt. Math. Publ. 53(3), 65–79 (2012). http://www.sav.sk/journals/uploads/0114113604CuGaSo.pdf

  21. Courtois, N.T., Mourouzis, T., Misztal, M., Quisquater, J.-J., Song, G.: Can GOST be made secure against differential cryptanalysis? Cryptologia 39(2), 145–156 (2015)

  22. Courtois, N.T.: New frontier in symmetric cryptanalysis, invited Talk at Indocrypt 2008, 14–17 December 2008 (2008). http://www.nicolascourtois.com/papers/front_indocrypt08.pdf

  23. Courtois, N.T., Debraize, B.: Algebraic description and simultaneous linear approximations of addition in snow 2.0. In: Chen, L., Ryan, M.D., Wang, G. (eds.) ICICS 2008. LNCS, vol. 5308, pp. 328–344. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88625-9_22

  24. Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_11

  25. Courtois, N.T.: General principles of algebraic attacks and new design criteria for cipher components. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2004. LNCS, vol. 3373, pp. 67–83. Springer, Heidelberg (2005). doi:10.1007/11506447_7

  26. Courtois, N.T.: Algebraic attacks vs. design of block and stream ciphers. Slides Used in GA18 Course Cryptanalysis taught at University College London, 2014–2016. http://www.nicolascourtois.com/papers/algat_all_teach_2015.pdf

  27. Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002). doi:10.1007/3-540-36178-2_17

  28. Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. http://eprint.iacr.org/2002/044/. Contains two different (earlier) versions of the XSL attack, see also [27]

  29. Courtois, N.T.: High Saturation Complete Graph Approach for EC Point Decomposition and ECDL Problem, preprint July–September 2016 (2016). http://eprint.iacr.org/2016/704.pdf

  30. Susil, P., Sepehrdad, P., Vaudenay, S., Courtois, N.: On selection of samples in algebraic attacks and a new technique to find hidden low degree equations. Int. J. Inf. Secur. 15(1), 51–65 (2016). Springer

  31. Diem, C.: On the discrete logarithm problem in elliptic curves. Compos. Math. 147, 75–104 (2011)

  32. Galbraith, S.D., Gaudry, P.: Recent progress on the elliptic curve discrete logarithm problem, preprint, 22 October 2015 (2015). https://eprint.iacr.org/2015/1022.pdf

  33. Faugère, J.-C., Joux, A.: Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems using Gröbner bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_3

  34. Minder, L.: Cryptography based on error correcting codes. Ph.D. thesis 3846 (2007). EPFL, 27 July 2007. http://algo.epfl.ch/_media/en/projects/lorenz_thesis.pdf

  35. Huang, M.-D.A., Kosters, M., Yeo, S.L.: Last fall degree, HFE, and weil descent attacks on ECDLP. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 581–600. Springer, Heidelberg (2015). doi:10.1007/978-3-662-47989-6_28

  36. Mourouzis, T.: Optimizations in algebraic and differential cryptanalysis. Ph.D. thesis, under supervision of Dr. Nicolas T. Courtois, University College London, January 2015. http://discovery.ucl.ac.uk/1462141/2/PhD_Thesis_Theodosis_Mourouzis.pdf

  37. Patarin, J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995). doi:10.1007/3-540-44750-4_20

  38. Perret, L.: Gröbner bases techniques in cryptography. http://web.stevens.edu/algebraic/Files/SCPQ/SCPQ-2011-03-30-talk-Perret.pdf

  39. Petit, C., Kosters, M., Messeng, A.: Algebraic approaches for the elliptic curve discrete logarithm problem over prime fields. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 3–18. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49387-8_1

  40. Petit, C., Quisquater, J.-J.: On polynomial systems arising from a weil descent. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 451–466. Springer, Heidelberg (2012). doi:10.1007/978-3-642-34961-4_28

  41. Arabnezhad-Khanoki, H., Sadeghiyan, B., Pieprzyk, J.: Algebraic attack efficiency versus S-box representation. eprint.iacr.org/2017/007.pdf

  42. Raddum, H.: Algebraic analysis of the simon block cipher family. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 157–169. Springer, Cham (2015). doi:10.1007/978-3-319-22174-8_9. https://www.simula.no/file/simonpaperrevisedpdf/download

  43. Semaev, I.: New algorithm for the discrete logarithm problem on elliptic curves. Preprint 10 April 2015. eprint.iacr.org/2015/310/

  44. Semaev, I.: Summation polynomials and the discrete logarithm problem on elliptic curves. Preprint. eprint.iacr.org/2004/031/

  45. Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949). See in particular p. 704

  46. Song, G.: Optimization and guess-then-solve attacks in cryptanalysis. Ph.D. thesis, will be presented at University College London in 2017 (2017)

  47. Stoffelen, K.: Optimizing S-box implementations for several criteria using SAT solvers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 140–160. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_8. https://eprint.iacr.org/2016/198

Acknowledgments

I would like to thank the following people who have either inspired and motivated me for writing this paper, or who provided me with some valuable feedback: Moti Yung, David Naccache, Raphael Phan, Christophe Petit, Steven Galbraith, Jacques Patarin, Louis Goubin, Daniel Augot, Jonathan Bootle and Mary Maller.

Corresponding author: Nicolas T. Courtois

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Courtois, N.T. (2017). Two Philosophies for Solving Non-linear Equations in Algebraic Cryptanalysis. In: Phan, RW., Yung, M. (eds) Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology. Mycrypt 2016. Lecture Notes in Computer Science(), vol 10311. Springer, Cham. https://doi.org/10.1007/978-3-319-61273-7_27

  • DOI: https://doi.org/10.1007/978-3-319-61273-7_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-61272-0

  • Online ISBN: 978-3-319-61273-7
