Cryptanalysis of block ciphers with probabilistic non-linear relations of low degree

  • Thomas Jakobsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


Using recent results from coding theory, it is shown how to break block ciphers operating on GF(q) where the ciphertext is expressible as evaluations of an unknown univariate polynomial of low degree m over the plaintext with a typically low but non-negligible probability μ. The method employed is essentially Sudan's algorithm for decoding Reed-Solomon codes beyond the error-correction diameter. The known-plaintext attack needs n = 2m/μ² plaintext/ciphertext pairs and the running time is polynomial in n. Furthermore, it is shown how to discover more general non-linear relations p(x, y) = 0 between plaintext x and ciphertext y that hold with small probability μ. The second attack needs access to n = (2m/μ)² plaintext/ciphertext pairs, where m = deg p, and its running time is also polynomial in n. As a demonstration, we break up to 10 rounds of a cipher constructed by Nyberg and Knudsen that is provably secure against differential and linear cryptanalysis.
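The attack setting of the abstract, as an added example that is not from the paper: a constructed toy cipher over GF(1009) that agrees with a hidden cubic (m = 3) on one plaintext in five (μ = 0.2), and a known-plaintext recovery of that cubic from n = 2m/μ² = 150 pairs. The field, the hidden polynomial HIDDEN and the cipher are assumptions, and the recovery step uses consensus sampling (interpolate m+1 random pairs, keep the candidate with most agreements) as a stand-in for Sudan's list decoder, so it costs about μ^-(m+1) trials where the paper's method is polynomial.

```python
import random
from functools import reduce

P = 1009                # prime field GF(1009); toy size, constructed for this example
M = 3                   # degree m of the hidden polynomial relation
HIDDEN = [17, 5, 0, 1]  # constructed "key" relation y = x^3 + 5x + 17 (low degree first)

def poly_mul(a, b):
    """Product of two coefficient lists over GF(P)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out
def poly_eval(coeffs, x):
    """Horner evaluation over GF(P)."""
    return reduce(lambda y, c: (y * x + c) % P, reversed(coeffs), 0)
def interpolate(points):
    """Lagrange interpolation over GF(P): the unique polynomial of degree
    < len(points) through the given (x, y) pairs with distinct x."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])  # times (x - xj)
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P        # yi / den
        for k, c in enumerate(num):
            coeffs[k] = (coeffs[k] + scale * c) % P
    return coeffs
def toy_cipher(x):
    """Constructed cipher: HIDDEN(x) on one plaintext in five (mu = 0.2), otherwise
    1/(x+7), which is a polynomial of degree P-2 and so has no low-degree relation."""
    return poly_eval(HIDDEN, x) if x % 5 == 0 else pow(x + 7, P - 2, P)
def recover_relation(pairs, m, trials, seed=1):
    """Consensus sampling as a stand-in for Sudan's list decoder: interpolate m+1
    random pairs, keep the candidate agreeing with most pairs (cost ~ mu^-(m+1) trials)."""
    rng = random.Random(seed)
    best, best_agree = None, 0
    for _ in range(trials):
        cand = interpolate(rng.sample(pairs, m + 1))
        agree = sum(poly_eval(cand, x) == y for x, y in pairs)
        if agree > best_agree:
            best, best_agree = cand, agree
    return best, best_agree
def attack(n=150, trials=6000):
    """Known-plaintext attack with n = 2m/mu^2 = 150 pairs for m = 3, mu = 0.2."""
    pairs = [(x, toy_cipher(x)) for x in range(n)]
    return recover_relation(pairs, M, trials)
```

Because 1/(x+7) has degree P-2, no cubic other than HIDDEN can agree with more than 7 of the 150 pairs, so the recovered relation is unambiguous once a single all-good sample is drawn.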

Key words

Cryptanalysis, block cipher, interpolation attack, non-linear relations, Reed-Solomon codes, Sudan's algorithm



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Thomas Jakobsen, Department of Mathematics, Building 303, Technical University of Denmark, Lyngby, Denmark
