
“Algebraic” Attacks vs. Design of Block and Stream Ciphers

Nicolas T. Courtois - University College London
A New Frontier in Symmetric Cryptanalysis

Modern Symmetric Cryptanalysis:

• number of ciphers “broken w.r.t. claims”: O(effort).
• number of ciphers “broken in practice”: o(effort).

DES, AES etc.: never really broken…

2 Courtois, Indocrypt 2008


2 Small Remarks

Winston Churchill used to say:
“the truth is so precious that she should always be attended by a bodyguard of lies”

Cryptanalysis is not very popular: the number of papers at major crypto conferences has decreased each year… for some reason… in the last 15 years.


Alternative Title:
A New Frontier in Symmetric Cryptanalysis?
(e.g. low-data complexity attacks)
Algebraic Attacks on Block, Stream Ciphers

0. Intro…

5 2001-2015
Instead of a Summary

• How to design secure ciphers? Nobody knows; a complex question.
  Remark: there exist provably secure stream ciphers (QUAD); NO good candidates exist for block ciphers…
• What components to choose? (bottom-up)
• Most of the current cipher design paradigms can be expressed in terms of “good” Boolean functions / “good” vectorial functions (S-boxes).
• What else? Good diffusion: WTS (later slides), avalanche.

Boolean Functions, ANF

Any function GF(2)^n → GF(2).

The Tale of “Good” Boolean Functions..

• “Good” Boolean functions,
• “Good” S-boxes,
=> High non-linearity…
=> Provably prevents correlation / differential / linear / GLC attacks….

A “Good” Boolean function…
Magical objects that make ciphers secure?

Avoiding Simple Boolean Functions…
=> Not enough!

Main claim / result:
One should rather think about avoiding Boolean / Algebraic Relations!

Central Criterion for Designing Cryptographic Components

[Courtois 1999; PhD Thesis]:
Non-existence of low-degree / small-size multivariate relations between the input bits and the output bits.

Special Case: I/O Degree

A “good” cipher should use at least some components with high I/O degree.

Claim / Proposal

This criterion is proposed (and can be necessary) for the security of:
• S-boxes in Block Ciphers
• Combiners in Stream Ciphers
• Trapdoor Functions (PK crypto, HFE).

Why?
• no proof
• some devastating attacks on some ciphers
• many ciphers not broken in the slightest
• overall, just another super-paranoid security criterion which is probably not always necessary
  – frequent in crypto research

Another Interpretation of I/O

I = Inside the block/stream cipher
O = Outside of your block/stream cipher

Multivariate Cryptography:
Cryptosystems using polynomials with several variables over a finite field…

Multivariate Cryptanalysis, or Algebraic Cryptanalysis:
Cryptographic attacks using polynomials with several variables over a finite field…

Roadmap: Multivariate/Algebraic Cryptanalysis

• Guess Then Determine: MITM; SAT/UNSAT strategy, or mixed with many steps.
• Software / SAT Solvers; ElimLin: amazingly powerful.
• XL, Gröbner Basis, F4, F5: for dense systems of equations; inappropriate tools in most other cases.
• Cube Attacks [Vielhaber, Dinur, Shamir ’08].
• Other combination tools.
• Attacks: Truncated Differentials (DC); Higher Order Differentials (”every cipher of low degree poly can be broken”); multiple-points DC; Higher Order DC.

GOST, Self-Similarity and Cryptanalysis of Block Ciphers - My Favourite Groups

17 © Nicolas T. Courtois, 2006-2013

Different Types of Cryptanalysis

• The “approximation” approach:
  – Linear, differential, high-order differential, impossible differential, Jakobsen-Knudsen approximation attacks, etc. All are based on probabilistic characteristics, true with some probability.
  – Consequently, the security grows exponentially with the number of rounds, and so does the number of required plaintexts in the attacks (the main limitation in practice).
• The “exact algebraic” approach:
  – Write equations to solve, true with probability 1.
  – Very small number of known plaintexts required.

Exact/Algebraic/Multivariate Cryptanalysis:

Breaking a « good » cipher should require:
“as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type”
[Shannon, 1949]

Common belief: large systems of equations become intractable very easily.

**However…

However, what makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials:
– The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [F5/2 by Jean-Charles Faugère], [Old papers by Lazard]…
– The XSL variant: [Courtois, Pieprzyk, Asiacrypt 2002]

Consequence: systems that are overdefined, sparse, or both, turn out to be much easier to solve than expected.

Problem 1: Overdefined Systems

Most cryptographic security relies on the hardness of largely overdefined problems: much more information than necessary is available: a great many plaintexts, message and signature pairs, etc.
• Public key cryptography: the solution is provable security: each utilization of the cryptographic scheme does not leak useful information.
• Secret key cryptography: yet little provable security. And yet it is here that the problems become the most overdefined: huge amounts of data encrypted with one key, fast hardware, etc.

Problem 2: Algebraic Sparsity

Many cryptographic schemes (for practical reasons) have a simple algebraic description. This usually leads to a sparse system of equations.
• In software, large tables might be used…
• In hardware, the number of gates should be small, which gives a simple description with simple Boolean polynomials.

Problem 3: Linear Components

Linearity is commonly used for diffusion, sequence generation (LFSR), etc. Still believed OK.
• Problem: it preserves the degree of algebraic equations!!

The Role of Finite Fields, e.g. GF(2)

They allow us to encode any cryptographic problem as a problem of solving Boolean equations.
Multiplicative Complexity

MC = Definition
• Every function can be represented as a number of multiplications + linear functions over a finite field/ring.
• We call MC (Multiplicative Complexity) the minimum number of multiplications needed.
Home reading: set of slides multcomp.pdf on Moodle.

25 ©Nicolas T. Courtois 2012

**The Role of NP-hard Problems

Guarantee “hardness” in the worst case.
Many are not that hard in practice…
• Many concrete problems can be solved.
• Multiple reductions allow algorithms that solve one problem to be used to solve another.

Algebraization:
Theorem: Every function over a finite field is a polynomial function.
[can be proven as a corollary of Lagrange’s interpolation formula]

False over rings! E.g. false for T-functions.

Problem 4: Low Degree/Low Complexity

Bottom line:
“Every cipher which can be expressed by low degree polynomials is broken.”

Cf. Xuejia Lai paper:
• "Higher order derivatives and differential cryptanalysis" [1992]

Problem 4: Low Degree/Low Complexity

Bottom line:
“Every cipher which can be expressed by low degree polynomials is broken.”

Remark for LFSR-based stream ciphers: later we will see how to substantially LOWER the degree… I/O Relations, Algebraic Immunity, Annihilators, Courtois-Meier attack, etc…

Lai Essential Result

=> so we can decrease the non-linear degree by summing different polynomials
=> “every cipher which can be expressed by low degree polynomials is broken.”

Cube Attacks
[Vielhaber, Dinur, Shamir ’08]

“Trivial – ε Attacks”

Cube attacks are highly sophisticated, highly technical attacks BUT they achieve NOTHING more than breaking XX – ε rounds of a cipher, where XX – ε rounds is already broken by an attack which the crypto community considers excessively trivial.

Step By Step

A cube attack is about summing COMPLEX multivariate polynomials.
– most polynomials are never written down.
• Online phase, CPA => several concrete values are added: 0+1+…
• Their sum polynomial depends on the key in a very simple way.
=> Gives simple equations on the key.
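The three slides above (ANF of a Boolean function, Lai's degree-lowering by summation, and the cube "step by step") are one computation. The following Python is an added illustration, not code from the slides or from any cube-attack tool: it computes the ANF of a Boolean function with the Möbius transform, its algebraic degree, and the sum of a function over a "cube" of input variables (its higher-order derivative), which has degree at most deg f − |cube| and is identically 0 once |cube| exceeds the degree. The polynomial f_toy, its split into public variables x0..x2 and key variables k0..k2, and the cube {x0, x1} are all constructed for this example; they describe no real cipher.

```python
from itertools import product

# Added example, not from the slides. f_toy is a constructed toy polynomial.

def truth_table(f, n):
    """Truth table of f: GF(2)^n -> GF(2). Input index i encodes x_j = bit j of i."""
    return [f(tuple((i >> j) & 1 for j in range(n))) & 1 for i in range(1 << n)]

def anf(tt):
    """Möbius transform: coefficients a with f(x) = XOR over u of a[u] * x^u,
    where x^u is the product of the x_j for which bit j of u is set."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for j in range(n):
        step = 1 << j
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
    return a

def monomials(a):
    """Indices u of the monomials present in an ANF coefficient vector."""
    return [u for u, c in enumerate(a) if c]

def degree(a):
    """Algebraic degree: largest weight of a monomial index present (-1 for f = 0)."""
    return max((bin(u).count("1") for u in monomials(a)), default=-1)

def cube_sum(f, n, cube, base):
    """XOR of f over all 2^|cube| assignments of the variables listed in `cube`,
    the other variables fixed to their values in `base`: the |cube|-th order
    derivative of f (Lai). For deg f = d its degree is <= d - |cube|, and it is
    identically 0 when |cube| > d."""
    acc = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = list(base)
        for idx, b in zip(cube, bits):
            v[idx] = b
        acc ^= f(tuple(v)) & 1
    return acc

# Constructed toy: public variables x0,x1,x2 (indices 0..2), key bits k0,k1,k2 (3..5).
# ANF: x0x1k0 + x0x1x2 + x0k1 + x1x2k2 + x2k0k1 + 1, degree 3.
def f_toy(v):
    x0, x1, x2, k0, k1, k2 = v
    return (x0 & x1 & (k0 ^ x2)) ^ (x0 & k1) ^ (x1 & x2 & k2) ^ (k0 & k1 & x2) ^ 1

def superpoly_x0x1(rest):
    """The cube {x0, x1} summed out of f_toy, as a function of (x2, k0, k1, k2).
    Only the terms divisible by x0*x1 survive, so the result is x2 + k0:
    linear in the key, which is the 'simple equation on the key' of the slide."""
    x2, k0, k1, k2 = rest
    return cube_sum(f_toy, 6, (0, 1), (0, 0, x2, k0, k1, k2))

if __name__ == "__main__":
    a = anf(truth_table(f_toy, 6))
    print("f_toy monomials:", monomials(a), "degree:", degree(a))
    s = anf(truth_table(superpoly_x0x1, 4))
    print("superpoly of cube {x0,x1}:", monomials(s), "degree:", degree(s))
    print("4th-order derivative of a degree-3 function:",
          cube_sum(f_toy, 6, (0, 1, 2, 3), (0, 0, 0, 0, 1, 1)))
```

Summing over a cube is exactly Lai's higher-order derivative, so the same routine is a designer's check: if a component's output summed over some small cube of inputs is a low-degree function of the remaining inputs, its algebraic degree is lower than it looks.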

Cube Attacks Controversies [1]

Dan Bernstein: http://cr.yp.to/cubeattacks.html
• “Why haven't cube attacks broken anything?”
  – actually it broke a VERY large number of rounds of Trivium
• “Cube attacks work well for random polynomials of small degree.
  – Real-world ciphers, when viewed as polynomials, don't have small degree.
  – Lai 1992 explains how to break every small-degree cipher;
  – It seems to me that "cube attacks" are simply a reinvention of Lai's HO DC attack; if Dinur and Shamir had cited Lai's paper […] then they would have been forced to drop essentially all of their advertising.”

*Cube Controversy [2]

Plagiarism:
– Dinur and Shamir DO/DID NOT credit Michael Vielhaber's "Algebraic IV Differential Attack" (AIDA) as a precursor of the Cube attack.
– Dinur stated at Eurocrypt 2009 that Cube generalises and improves upon AIDA.
– However, Vielhaber contends that the cube attack is no more than his attack under another name.

1. Finite Fields, Block Ciphers and AES
(2 separate files)

1.1. Block Ciphers and Algebraic Relations

How do We Attack AES?

– Very ambitious…
• AES pushes the classical design principles (= high non-linearity) to their limits, to optimality.
• Explore these limits. Look for pitfalls!

What About Block Ciphers?

Q: Do these polynomial relations MATTER AT ALL for Block Ciphers (e.g. AES)?

Remark: they break a lot of stream ciphers very badly.

YES!

Q: Do these polynomial relations MATTER AT ALL for Block Ciphers?

YES, (at least for some of them…)

This Cipher is Broken for 1 M rounds!

F: Inverse in GF(2^n).
[Jakobsen-Knudsen FSE’97, Courtois AES’4]

***Bi-linear Cryptanalysis [Courtois Crypto’04]

***2. Weak Cipher Number 2:

Round function:
Very secure against all known attacks on block ciphers…, but broken for 1 M rounds!

***3. Another Insecure Cipher

64-bit Feistel cipher, 32-bit round function:
Looks very secure… Etc.
Broken for up to 2^16 rounds!
[Courtois AES’4]

****4. Insecure Unbalanced Feistel Networks (e.g. SHA-x)

This one again looks very secure:
Again, broken for up to 2^16 rounds!

AES Structure and Design Nicolas T. Courtois

Wide Trail Strategy (WTS):

Assures very good diffusion; proposed by the designers of AES.

• The “approximation” attacks:
  – Deadly. Forces to approximate a great many S-boxes at the same time. AES is very secure against LC/DC.
  – WTS probably kills all these insecure ciphers that are very special…
• The “exact algebraic” approach:
  – Combine relations true with probability 1.
  – The wide trail strategy still plays a huge role in practice/theory.

46 October 2006

*AES Under Attack

Controversial Paper [Asiacrypt’02 / eprint]

Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
Nicolas T. Courtois, Advanced Crypto Research, Axalto Smart Cards, France
Josef Pieprzyk, Center for Advanced Computing - Algorithms and Cryptography, ICS, Macquarie University, Australia

Echoes in the Press

Bruce Schneier, Cryptogram [the world’s No. 1 crypto/security newsletter]:
“AES News
AES may have been broken […], there's no need to panic. Yet. But there might be soon […]
[…] These are amazing results. […]
Many cryptographers who previously felt good about AES are having second thoughts […]”

*Echoes in the Press

New Scientist (world’s largest circulated scientific magazine), 27 Sept. 2002:

*Cover Page of New Scientist:

XSL Ciphers
(diagram: K_i; X S L)

The so-called “XSL Attack” and AES
not a very efficient attack, a sort of scientific research programme…

“XSL is not an attack, it is a dream“
Vincent Rijmen, AES designer

XSL Attacks - Summary

Algebraic attacks on block ciphers work in 3 stages:
1. Write good equations – overdefined, sparse or both.
2. Expand – to obtain a very overdefined system.
3. Final "in place" elimination method – completely solve.

Two Versions of the Courtois-Pieprzyk paper:
• The original paper is on eprint.iacr.org/2002/044 (archive, not updated anymore): “First XSL attack”, “Second XSL attack” => the most powerful versions.
• Asiacrypt’02: “Compact Version of the First XSL Attack” => the most general, least powerful, simpler and easier to study.

**Reinvent it in 2015:
Algebraic attacks on block ciphers today:
1. Write good equations – overdefined, sparse or both.
   • LESS TRIVIAL than expected [new tricks: higher degree, add variables, etc.].
2. Expand – avoid / minimise the impact of…
3. Final "in place" deduction / inference / elimination method.
   • ElimLin alone and the T’ method. Amazingly powerful.
   • New tools [SAT solvers]. Amazingly powerful.

Part 1.
1. Find good equations, such that:

   equations / monomials = 1/4 or so..

Part 2.
2. Expand to a very overdefined system, close to saturation:

   free eqs. / monomials = close to 1

Part 3.
3. Final step – achieve complete saturation giving the key bits.

   free eqs. / monomials = exactly 1

AES

• Won the 2000 NIST vote.
• Serpent was second.

Unbelievable Security

Most people think: it is easy to achieve 2^256. Just mix sufficiently many strange functions…. Security grows exponentially in the number of rounds..

Our claim: it is hard to achieve the security level of 2^256.

Moore’s Law

The computing power of 2^256 will not be available before year 2200. Until then, so much higher mathematics and so much better methods of cryptanalysis will be found…

Guess: all cryptosystems that claim today the security level of 2^256 will be broken by then.

Part 1.
1. Find good equations, such that:

   equations / monomials = 1/4 or so..

MQ Problem

Find a solution to a system of m quadratic equations with n variables over a field/ring.

MQ Problem
Find a solution (at least one), i.e. find (x_0, ..., x_{n-1}) such that:

Known applications of MQ

Multivariate schemes such as UOV, HFE, Quartz and Sflash are based on MQ.
• In usual applications, nobody is using these new schemes. But:
• About the only solutions known for specific applications: very short signatures with Quartz, the fastest signatures in the world with Sflash [cf. PKC 2003].

Who cares about MQ?

Surprising applications of MQ

Claim: 90 % of all applied cryptography is based on MQ.
1. RSA is based on MQ with m=1 and n=2: factoring N <=> solving x^2 = y^2 mod N.
2. Rijndael is based on MQ?

Rijndael S-boxes
(y_1, …, y_8) = S(x_1, ..., x_8).

Theorem: For each S-box there are r=39 quadratic equations with 16 variables x_i and y_i that are true with probability 1.

Overdefined MQ system, 39 >> 8.

Origin of the equations
(cf. cryptanalysis of Matsumoto-Imai by J. Patarin, Crypto’95)

bi-linear (23 in total):
  x ≠ 0 => 1 = x·y          7 equations
  x = x^2·y                  8 equations
  y = y^2·x                  8 equations
quadratic:
  x^3 = x^4·y                8 equations
  y^3 = y^4·x                8 equations
                             39 equations in total
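The counts on the two slides above (7+8+8 bi-linear, 8+8 quadratic, r=39 in total) can be checked directly by linear algebra over GF(2): evaluate every monomial of degree at most 2 in the 16 bits (x, y=S(x)) at all 256 inputs and take the nullity of that evaluation matrix. The Python below is an added example, not code from the slides or from the Courtois-Pieprzyk paper; the S-box is built from the AES definition (inversion in GF(2^8) modulo x^8+x^4+x^3+x+1, then the affine map with constant 0x63), and the monomial counts 137 (full quadratic) and 81 (bi-affine: 1, x_i, y_j, x_i·y_j) are computed, not taken from the slides.

```python
from itertools import combinations

# Added example, not from the slides: count the linearly independent quadratic
# relations of the AES S-box by a rank computation over GF(2).

def gf256_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
    return r

def gf256_inv(a):
    """a^254 = a^(-1) for a != 0; yields 0 for a = 0, as AES defines it."""
    r = 1
    for _ in range(254):
        r = gf256_mul(r, a)
    return r

def aes_sbox(x):
    """AES S-box: inversion in GF(2^8) followed by the AES affine map."""
    a = gf256_inv(x)
    y = 0
    for i in range(8):
        bit = (a >> i) ^ (a >> (i + 4) % 8) ^ (a >> (i + 5) % 8) \
            ^ (a >> (i + 6) % 8) ^ (a >> (i + 7) % 8)
        y |= (bit & 1) << i
    return y ^ 0x63

def gf2_rank(rows):
    """Rank over GF(2) of rows given as bit masks (incremental Gaussian elimination)."""
    pivots = {}                    # pivot bit -> row whose lowest set bit is that pivot
    for row in rows:
        for c in sorted(pivots):   # increasing pivot bit keeps already-cleared bits clear
            if row >> c & 1:
                row ^= pivots[c]
        if row:
            pivots[(row & -row).bit_length() - 1] = row
    return len(pivots)

def quadratic_equation_count(sbox, n, bi_affine_only=False):
    """Number of linearly independent relations of degree <= 2 between x and
    y = sbox(x) that hold for every x: (#monomials) minus the rank of the matrix
    whose rows are the monomial values at each of the 2^n inputs."""
    rows = []
    for x in range(1 << n):
        xb = [x >> i & 1 for i in range(n)]
        yb = [sbox(x) >> i & 1 for i in range(n)]
        vals = [1] + xb + yb                                  # 1, x_i, y_i
        vals += [xi * yj for xi in xb for yj in yb]           # x_i * y_j
        if not bi_affine_only:
            vals += [p * q for p, q in combinations(xb, 2)]   # x_i * x_j
            vals += [p * q for p, q in combinations(yb, 2)]   # y_i * y_j
        rows.append(sum(v << k for k, v in enumerate(vals)))
    return len(vals) - gf2_rank(rows)

if __name__ == "__main__":
    print("bi-affine (81 monomials):", quadratic_equation_count(aes_sbox, 8, True))
    print("all quadratic (137 monomials):", quadratic_equation_count(aes_sbox, 8))
```

The same function, fed a random 8-bit permutation, returns a much smaller number; this is the "r" of the later XSL slides, and the ratio of terms to equations is what the attack's cost depends on.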

Optimal S-boxes?
[Anne Canteaut, Marion Videau, Eurocrypt 2002]: optimal for linear, differential and high-order differential attacks.

We do not know any worse S-box in terms of r.

Power (x^d)          -1    3    5    7
Equations / S-box r= 39   39   34   24

Reduction Rijndael -> MQ

Rijndael 128 bit: recovering the secret key can be rewritten as MQ:
8000 quadratic equations, 1600 variables in GF(2).

But how to solve it?

Part 2.
2. Expand to a very overdefined system, close to saturation:

   free eqs. / monomials = close to 1

Simple Explanation of How the XL Algorithm Works

How to expand? The XL idea:
Multiplying the equations by one or several variables.

XL means…
• eXtended Linearisation
• Multiply (X) and Linearise
• eXpansion in the ideaL spanned by the equations..
• doing things like x_1 * l_3
• etc…

XL Algorithm, F4, F5, etc…

• [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000]
• [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [J.M. Chen and Bo-Yin Yang papers]
• [Old papers by Lazard], [Buchberger algorithm and Gröbner bases], [F4, F5, F5/2 by Faugère] etc… [Magali Bardet and Gwenolé Ars work], etc…
• Asiacrypt 2004: [Claus Diem], [Gwenolé Ars, Jean-Charles Faugère, Makoto Sugita, Mitsuru Kawazoe, Hideki Imai].

XL is about the best general attack we know for MQ. Designed for systems that are overdefined.
For 128-bit Rijndael: 2^330

The principle of XL:

Multiply the initial equations by low-degree monomials:
… becomes: … (degree 3 now).

The idea of XL:

Multiply equations by low-degree monomials.
• Count new equations: R
• Count new monomials present: T
One term can be obtained in many different ways, => T grows slower than R.

How XL works:
Initial system: m equations and n^2/2 terms.
Multiply each equation by a product of any D-2 variables:
• Equations: R = …
• Terms: T = …
Idea: one term can be obtained in many different ways, so T grows more slowly than R.
Necessary condition: R/T > 1 gives … and thus D …
If sufficient, the complexity of XL would be about … Sub-exponential? Not true!

XL will always work

Theorem: Over any small finite field, when D > q and the field equations x_i^q = x_i can be included, XL always does work, for ANY SYSTEM OF EQUATIONS (worst case).
See: Jacques Patarin and Nicolas Courtois: About the XL algorithm over GF(2), in CT-RSA 2003, April 2003, San Francisco.
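The XL steps of the last few slides (multiply each equation by all monomials of degree ≤ D−2, count R equations and T monomials, linearise, and stop when the rank reaches T−1, the saturation of "Part 3": rank T would mean a contradictory system) are shown here on a small system over GF(2). This is an added example, not code from the slides or from any XL implementation: polynomials are sets of monomials with x_i^2 = x_i built in, the 6-equation system TOY in 4 variables is constructed for the example and has the single solution (1, 0, 1, 1), and solve_with_xl raises D until the linearised system saturates (at D = n+2 every multiplier is used, so for a system with one solution it always terminates).

```python
from itertools import combinations, product

# Added example, not from the slides: XL over GF(2) on a constructed toy system.
# A polynomial is a frozenset of monomials; a monomial is a frozenset of variable
# indices, so x_i * x_i = x_i automatically (the field equations are built in).

def mono(*idx):
    return frozenset(idx)

def multiply(p, m):
    """Multiply polynomial p by monomial m; terms that collide cancel (mod 2)."""
    out = set()
    for t in p:
        out ^= {t | m}
    return frozenset(out)

def all_monomials(n, max_deg):
    return [frozenset(c) for d in range(max_deg + 1) for c in combinations(range(n), d)]

def evaluate(p, x):
    return sum(all(x[i] for i in t) for t in p) & 1

def brute_force(equations, n):
    """All solutions by exhaustive search (reference for the tiny example only)."""
    return [x for x in product((0, 1), repeat=n) if all(evaluate(e, x) == 0 for e in equations)]

def gf2_rref(rows):
    """Reduced row echelon form over GF(2). Rows are bit masks; returns
    {pivot column: row}, each pivot row having 0 in every other pivot column."""
    piv = {}
    for row in rows:
        for c, prow in piv.items():
            if row >> c & 1:
                row ^= prow
        if row:
            c = (row & -row).bit_length() - 1
            for c2 in piv:
                if piv[c2] >> c & 1:
                    piv[c2] ^= row
            piv[c] = row
    return piv

def xl(equations, n, D):
    """One XL round at degree D: multiply every equation by every monomial of degree
    <= D-2, treat each monomial of degree <= D as an unknown, row-reduce.
    Returns (R, T, rank, solution); solution is None unless rank == T-1."""
    cols = all_monomials(n, D)
    idx = {m: i for i, m in enumerate(cols)}
    expanded = [multiply(e, m) for m in all_monomials(n, D - 2) for e in equations]
    piv = gf2_rref(sum(1 << idx[t] for t in p) for p in expanded)
    R, T, rank = len(expanded), len(cols), len(piv)
    if rank != T - 1:
        return R, T, rank, None
    free = next(c for c in range(T) if c not in piv)
    value = {free: 1}        # the 1-dimensional null space = the true monomial values
    for c, prow in piv.items():
        value[c] = prow >> free & 1
    return R, T, rank, tuple(value[idx[mono(i)]] for i in range(n))

def solve_with_xl(equations, n):
    """Raise D until saturation. At D = n+2 all multipliers are used, so the span is
    the whole ideal and rank = T-1 is reached for any system with a unique solution."""
    for D in range(2, n + 3):
        R, T, rank, sol = xl(equations, n, D)
        print(f"D={D}: R={R} equations, T={T} monomials, rank={rank}, R/T={R / T:.2f}")
        if sol is not None:
            return D, sol
    return None, None

# Constructed system in x0..x3, each polynomial "= 0"; unique solution (1, 0, 1, 1).
TOY = [
    frozenset({mono(0, 1), mono(2), mono(3)}),                   # x0x1 + x2 + x3
    frozenset({mono(0, 2), mono(1), mono()}),                    # x0x2 + x1 + 1
    frozenset({mono(1, 3), mono(0), mono()}),                    # x1x3 + x0 + 1
    frozenset({mono(2, 3), mono(1), mono(0)}),                   # x2x3 + x1 + x0
    frozenset({mono(0, 3), mono(1, 2), mono(0)}),                # x0x3 + x1x2 + x0
    frozenset({mono(1, 2), mono(2), mono(3), mono(0), mono()}),  # x1x2 + x2 + x3 + x0 + 1
]

if __name__ == "__main__":
    print("brute force:", brute_force(TOY, 4))
    print("XL:", solve_with_xl(TOY, 4))
```

At D=2 there are only 6 rows for 11 monomials, so nothing can be read off; the printed R/T per degree is the quantity the "How XL works" slide reasons about, and XL can never return a wrong answer, because the vector of true monomial values always lies in the null space.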

XL works quite well

The behaviour of XL
It is possible to predict the exact number of linearly independent equations in XL.

Applying XL to Rijndael
1. Makes little sense: XL is a tool for dense systems of equations…
Except if there are “degree falls”: some combinations of unusually low degree, cf. HFE attacks…

Known attacks on AES

1. Combinatorial attacks: Square attack [Rijmen-Daemen], Multiset attacks [Shamir, Biryukov] – only for a few rounds...
2. Approximation attacks: Differential/linear, interpolation attack, etc… The security grows exponentially with the number of rounds Nr! (and so does the required number of plaintexts).

From XL to “XSL”

“XSL is not an attack, it is a dream“
Vincent Rijmen, AES designer

Pure theory?
XL: astronomical complexity

Remark: our system of 8000 quadratic equations with 1600 variables is not a general MQ system. It is sparse, => there must be a better method!!!

The XL idea:
Multiplying the equations by one or several variables.

The XSL variant:
Multiplying the equations by one or several monomials (out of the monomials present).

XSL Algorithm
Main idea: in a sparse system R/T at the beginning is already much bigger than in a random system.

Step 1: Optimise sparsity: one variable for each input and each output bit of each S-box.

Step 2: Multiply by selected monomials: if we multiply by products of existing terms, each resulting term will be obtained several times, thus R/T will be the biggest possible.

Naive XSL Attack (on block ciphers)

Each S-box: r equations, t terms.
Multiply by P-1 terms for other S-boxes.
S = number of S-boxes in the cipher
• Equations: mainly …
• Terms: …
Result: R/T ≈ P · r/t
R/T ≥ 1 => P ≥ t/r

The Complexity of the Naive XSL Attack

w * (Block size)^O(t/r) * (Nb. of rounds)^O(t/r)
Polynomial with a huge constant, equal to (t/s)^(t/r), depending only on the S-box parameters.
• For a random S-box, this constant is double-exponential in s.
• For the Rijndael S-box, it is simply exponential in s.

Less Naive XSL Attack

Over-counting Problem:
It can be shown that an important part of the equations in R are not linearly independent. Only at most R = (t^P – (t-r)^P) of these equations are linearly independent. Probably a bit less, but not much less.

Saturation Problem:
Simulations show that the number Free of linearly independent equations is never very close to T, and for P=2, as the number of rounds Nr grows, we have Free ≈ 96.59 % T.

How to solve the system when T - Free is big?

Part 3.
3. Final step – achieve complete saturation giving the key bits.

   free eqs. / monomials = exactly 1

The T’ Method [Courtois 2002]:

Let x1 be a variable.
Let T’ = number of terms that can be multiplied by x1 and still belong to the set of terms in T.
Claim: if Free > T-T’ then the system can be solved in about T^w:
• Each term in T is expressed as a linear combination of terms only in T’.
• We obtain one or more equations containing only the terms of T’.
• We do the same with respect to x2 (2 variables are probably enough).
• Multiply the exceeding equations of the first system by x1.
• We obtain new linearly independent equations, the rank grows!
• Early simulations show that this heuristic works very well.
• Transfer the new equations to the other system(s), i.e. eliminate all terms that can be multiplied by x2.
• After at most T’ steps we expect to achieve Free = T-1 or so…
• It seems that the complexity of the whole is essentially T^w.

An Example of the T’ Method:

Let n=5 variables; therefore T=16 and T'=10.
We start with a random system that has exactly one solution, with Free > T-T' and with 2 “exceeding” equations, i.e. Free = T-T'+2.
Here is a system in which T' is defined with respect to x1:

T’ Method contd.
Here is the same system in which T' is defined for x2:

The two systems allow us to “transfer” an “exceeding” equation from one representation to the other in T’^2 operations.
A kind of iterative decoding…

T’ Method contd.
Back to the first system in which T' is defined for x1:
We have rank=8.
Multiply the 2 “exceeding” equations of the first version by x1.
Miracle: we have rank=10. New linearly independent equations!

T’ Method contd.
Now we have 4 “exceeding” equations (two old and two new). Transfer them to the second system.
Then multiply them by x2:
We are not lucky, the second equation is invariant.
Still we get 3 new linearly independent equations and rank=13.

T’ Method contd.
We rewrite the 3 new equations with terms that can be multiplied by x1.
Still rank=13. We multiply them by x1:
We have rank=14, one more linearly independent equation.
We rewrite the first equation with terms that can be multiplied by x2.

T’ Method contd.
We still have rank=14. Then we multiply the new equation by x2.
We get another new linearly independent equation.
We have rank=15. The rank is the maximum that can be achieved: there are 15 non-zero monomials here, and rank=16 can only be achieved for a system that is contradictory.

We expect that the number of additional equations in the T' method grows quickly.

Remarks on the T’ Method

Theorem [Coppersmith 2002, never published]:
The T’ method cannot work with only a few “special variables”.
=> Use all of them!

Remarks on the T’ Method

Even in this case, the complexity is multiplied only by n, a small factor compared to T^w. For example n=2^11 and T^w=2^87. Moderate increase; AES would still be broken.

My simulations show that the T’ method works very well… Which is in fact very surprising…!

Application of the T’ trick:

If Free > T-T’ then the system can be solved in about T^w.
For AES-256 bits, we obtain for P=5: R/(T-T’) = 1.0005
Then T = 2^96 and T’ = 2^90.
Consequence: if Free > 99.4 % T, then AES-256 bits is broken in about 2^203.

Current simulations on a toy cipher give rather Free ≈ 96.59 % T, apparently a size-independent constant!
Different constant for Rijndael? To be seen.
For example when P=7, we have R/(T-T’) = 1.004, but then XSL gives 2^278, more than the exhaustive search.

CTC = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes.
• Diffusion: permuting wires (as the DES P-box!).
• 1, 2, 4, 8, … S-boxes per round.
• 1, 2, 3, …, 10, …, 30, … rounds.
• Key size == Block size.
• Simple key schedule: bit permutation (as in DES!)
Equations – From a Real Example

1. Quadratic (for each S-box)

S-box with inputs X[0][1..3] and outputs Z[0][1..3]:
X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1
X[0][1]*X[0][3]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][1]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][2]+Z[0][2]+Z[0][1]+X[0][3]
X[0][2]*X[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][1]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]
X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1
X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]
X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]
X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]
Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]

S-box with inputs X[1][1..3] and outputs Z[1][1..3]:
X[1][1]*X[1][2]+Z[1][1]+X[1][3]+X[1][2]+X[1][1]+1
X[1][1]*X[1][3]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][1]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][2]+Z[1][2]+Z[1][1]+X[1][3]
X[1][2]*X[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][1]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]
X[1][2]*Z[1][2]+X[1][1]*Z[1][3]+X[1][1]
X[1][2]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][1]+X[1][3]+X[1][2]
X[1][3]*Z[1][1]+X[1][1]*Z[1][3]+Z[1][3]+Z[1][1]
X[1][3]*Z[1][2]+Z[1][3]+Z[1][1]+X[1][3]+X[1][1]
X[1][3]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][2]+X[1][2]+X[1][1]
Z[1][1]*Z[1][2]+Z[1][3]+X[1][1]
Z[1][1]*Z[1][3]+Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1
Z[1][2]*Z[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][3]+X[1][1]

2. Linear (connecting S-boxes via key vars)

1+X[0][1]=k_0
1+X[0][2]=k_1
1+X[0][3]=k_2
1+X[1][1]=k_3
1+X[1][2]=k_4
1+X[1][3]=k_5
Z[0][3]+X[2][1]=k_1
Z[1][1]+X[2][2]=k_2
Z[1][2]+X[2][3]=k_3
Z[1][3]+X[3][1]=k_4
Z[0][1]+X[3][2]=k_5
Z[0][2]+X[3][3]=k_0
Z[2][3]+1=k_2
Z[3][1]+1=k_3
Z[3][2]+1=k_4
Z[3][3]+1=k_5
Z[2][1]+0=k_0
Z[2][2]+1=k_1
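The equation listing above is enough to reconstruct the toy instance it came from, which is a useful sanity check on what "equations true with probability 1" mean. The Python below is an added example, not the slides' own equation generator: it parses the 14 quadratic equations of the first S-box exactly as printed, brute-forces the 3-bit output that satisfies all of them for each input (the S-box table falls out, and it is a permutation), then models the two-round, 6-bit, 4-S-box instance described by the linear equations and enumerates the 64 keys consistent with the printed plaintext/ciphertext pair. Conventions that are assumptions of this example: bit 1 of an S-box value is its least significant bit, state wire i (0..5) is X[i // 3][i % 3 + 1], and the round structure (wire i fed from output wire (i+2) mod 6 with key bit k_{(i+1) mod 6} in round 2, key bits k_i added before round 1 and after round 2) is read off the linear equations as printed.

```python
# Added example, not the slides' tooling: from the printed equations to the toy
# cipher instance they describe. Equation strings are copied from the slide.

SBOX_EQUATIONS = """
X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1
X[0][1]*X[0][3]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][1]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][2]+Z[0][2]+Z[0][1]+X[0][3]
X[0][2]*X[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][1]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]
X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1
X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]
X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]
X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]
Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]
""".split()

def parse(equation):
    """'A*B+C+1' -> list of terms; a term is a tuple of variable names, () is the constant 1."""
    return [tuple(f for f in term.split("*") if f != "1") for term in equation.split("+")]

def vanishes(terms, env):
    """True if the polynomial (sum of products over GF(2)) is 0 under the assignment env."""
    return sum(all(env[v] for v in term) for term in terms) % 2 == 0

def recover_sbox(equations):
    """For each 3-bit input, the outputs compatible with every equation. The equations
    hold with probability 1 on the S-box, so exactly one output survives per input."""
    polys = [parse(e) for e in equations]
    table = []
    for x in range(8):
        env = {f"X[0][{j + 1}]": x >> j & 1 for j in range(3)}   # bit 1 = LSB (assumption)
        outs = []
        for z in range(8):
            env.update({f"Z[0][{j + 1}]": z >> j & 1 for j in range(3)})
            if all(vanishes(p, env) for p in polys):
                outs.append(z)
        if len(outs) != 1:
            raise ValueError(f"input {x}: {len(outs)} compatible outputs")
        table.append(outs[0])
    return table

def sbox_layer(state, sbox):
    """Two parallel 3-bit S-boxes on a 6-bit state (wires 0..2 and 3..5)."""
    return sbox[state & 7] | sbox[state >> 3] << 3

def encrypt(p, key, sbox):
    """Two-round instance read off the slide's linear equations (bit i = wire i = k_i):
    round 1: X = P xor K, Z = S(X);
    round 2: X[i] = Z[(i+2) mod 6] xor k_((i+1) mod 6), Z = S(X);  (wire + key-bit permutation)
    output:  C = Z xor K."""
    k = [key >> i & 1 for i in range(6)]
    z1 = sbox_layer(p ^ key, sbox)
    x2 = 0
    for i in range(6):
        x2 |= ((z1 >> (i + 2) % 6 & 1) ^ k[(i + 1) % 6]) << i
    return sbox_layer(x2, sbox) ^ key

def recover_keys(p, c, sbox):
    """All keys mapping p to c; key size == block size == 6 bits, so 64 trials."""
    return [key for key in range(64) if encrypt(p, key, sbox) == c]

P_SLIDE = 0b111111   # 1+X[0][1]=k_0, ... : every plaintext bit is 1
C_SLIDE = 0b111110   # Z[2][1]+0=k_0, Z[2][2]+1=k_1, ... : c_0 = 0, c_1..c_5 = 1

if __name__ == "__main__":
    S = recover_sbox(SBOX_EQUATIONS)
    print("S-box recovered from the 14 equations:", S)
    keys = recover_keys(P_SLIDE, C_SLIDE, S)
    print("keys (k_0..k_5) consistent with the slide's pair:", [f"{k:06b}"[::-1] for k in keys])
```

For this instance a single plaintext/ciphertext pair already pins the 6-bit key down; that is the "unique solution found" situation of the T' slide that follows, reproduced by exhaustion because the toy is small enough, whereas the algebraic route is the one that is meant to scale.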

More Equations: XSL expansion

3. Part R (each S-box equation * some existing monomial)
If L1 denotes X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1, we have:
L1*1
L1*X[1][1]
L1*X[1][2]
L1*X[1][3]
L1*Z[1][1]
L1*Z[1][2]
L1*Z[1][3]
L1*X[1][1]*Z[1][1]
L1*X[1][1]*Z[1][2]
L1*X[1][1]*Z[1][3]
L1*X[1][2]*Z[1][1]
L1*X[1][2]*Z[1][2]
L1*X[1][2]*Z[1][3]
•••
L56*k_0
L56*k_1
L56*k_2
L56*k_3
L56*k_4
L56*k_5

4. Part R’ (linear equation * some existing monomial)
If L57 denotes 1+X[0][1]=k_0, we have:
L57*1
L57*X[0][1]
L57*X[0][2]
L57*X[0][3]
L57*Z[0][1]
L57*Z[0][2]
L57*Z[0][3]
L57*X[0][1]*Z[0][1]
L57*X[0][1]*Z[0][2]
L57*X[0][1]*Z[0][3]
•••
L57*k_1
L57*k_2
L57*k_3
L57*k_4
L57*k_5

How to finish?
• Initial proposal: T’ method.
  – Works very well in practice, but requires to be run many times (each time the rank increases).
• Alternatives:
  – use Gröbner bases.
  – better alternatives: SAT solvers, ElimLin.

5. New Equations: The T’ method


Example of how the rank grows:
(4 S-boxes).

7329 + 28
7329 + 52
7329 + 56
7329 + 96
7329 + 147
7329 + 165
7329 + 172
7329 + 173
7329 + 174

A unique solution found.


249.7 seconds


***Will the T’ method suffice ?

Maybe…

Free/(T-T’) - XSL expected to work for up to 16 rounds.


****Less Naive XSL Attack

• Over-counting Problem:
Now assume: R = t^P – (t–r)^P

• Saturation Problem:
Use the T’ method.


Complexity of the Less Naive XSL

Very surprisingly, the more realistic formulas give
very similar results to the naïve version:
w * (Block size)^O(t/r) * (Nb. of rounds)^O(t/r)

Is XSL polynomial with a huge constant ?

Not sure at all. Simulations show that
P will rather increase (slowly) with Nr.


Summary:
XSL takes advantage of the fact that the
equations are overdefined and sparse.
Expected (at least) to work better than XL.

For 128-bit Rijndael the XSL claimed complexity
was at least 2^230.


Is AES 256 bits broken ?

For AES-256, XSL
seems to give 2^203
(the version on eprint, with cubic equations).

Not proven,
based on heuristic assumptions:


Remark 1

People naively believe that
XSL does not work well…
The truth: nobody knows !


Remark 2:

We know MUCH BETTER
algebraic attacks on block
ciphers today.


Murphy and Robshaw Variant

[Murphy, Robshaw, Crypto 2002, see
Section 6, added after they read our paper].

They write an equivalent system of MQ
equations, but over GF(2^8).
Much more sparse than over GF(2).
For AES 128 bits, it seems that XSL could
solve such a system in as little as 2^100…

AES-128 broken in 2^88 ?

Gwenolé Ars PhD thesis
[June 2005]:
The author presents an
attack in 2^88 that might
“maybe” work… (?????)


Papers on XSL and AES

• The original paper (archive, not updated anymore)
is available on eprint.iacr.org/2002/044 :
“First XSL attack”,
“Second XSL attack”: the most powerful version.
• Asiacrypt 2002: the so called
“Compact Version of the First XSL Attack”
=> The most general version of the XSL attack, least
powerful, simpler and easier to study.

Some software and tools:
Do check: www.cryptosystem.net/aes/
Algebraic Attacks on Block Ciphers

Fast Algebraic Attacks


On Block Ciphers

121 © Nicolas T. Courtois, 2006-2011



Fast Algebraic Attacks on Block Ciphers


Definition [informal on purpose]: methods to lower the degree of equations
that appear throughout the computations… [e.g. max deg in F4]
(more generally, need to substantially lower the memory requirements of algebraic attacks compared to their running time).

=> Very rich galaxy of attacks to be studied in the next 20 years…

How to lower the degree ?
• by having several P/C pairs (bigger yet much easier !)
• by CPA, CPCA, etc…
• by fixing internal variables (Guess-then-Algebraic).
• by finding [approximate] equations on bigger blocks (cumulative effect !!!)
  – by interpolation [cf. W. Meier’s talk]
  – by guessing equations that have strong bias
    • Linear-Algebraic or Bi-Linear-Algebraic Cryptanalysis
    • Differential-Algebraic.
• by clever choice of representation
• by introducing new variables (oh yes !)
• by having a larger key
• new tricks to be invented ?


How to Evaluate the Quality of Alg. Attacks


Compare ONLY to other similar attacks:
• Straightforward algebraic approach. Write + solve.
• Other attacks that work given VERY SMALL quantity of
plaintexts.

• NEVER compare to DC/LC etc. Doesn’t make sense. Two
independent areas of research that have no intersection.
– Both allow us to write 100s of papers but do not expect to break
3DES or AES tomorrow morning.


Solving Methods
Solver Software


Fact

In 2005-2006 huge progress has been made.

• Up to 510 S-boxes broken on a laptop:
Fast Algebraic attacks on block ciphers <= Cumulative effect
of improvements in many directions.


What’s New
The biggest discoveries in
Science are the simplest.


3.3. ElimLin – The Most Surprising


Complete description:
• Find linear equations in the linear span.
• Substitute, and repeat.

Amazingly powerful. (Surprisingly)
VERY HARD TO IMPLEMENT:
• Heuristics to preserve sparsity. Local optimization.
• Data Representation and Memory Management vs. Speed.
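To make the two-line description concrete, here is a small working ElimLin in Python. It is an added example, not the author's implementation (which, as the slide says, needs sparsity heuristics and memory management that this toy code ignores): polynomials over GF(2) are sets of monomials, one round of Gaussian elimination on the monomial matrix exposes every linear equation in the linear span, each one is substituted into the whole system, and the process repeats until no new linear equation appears. The system TOY_SYSTEM and its solution are constructed for this example.

```python
# Polynomials over GF(2) are sets of monomials; a monomial is a frozenset of
# variable indices and the empty frozenset is the constant 1.
ONE = frozenset()


def poly_mul_monomial(p, m):
    """Multiply polynomial p by monomial m (x_i^2 = x_i; equal monomials cancel)."""
    out = set()
    for q in p:
        out ^= {q | m}
    return out


def substitute(p, var, value):
    """Replace the variable var by the polynomial value inside p."""
    out = set()
    for m in p:
        if var in m:
            out ^= poly_mul_monomial(value, m - {var})
        else:
            out ^= {m}
    return out


def linear_equations_in_span(polys):
    """Gaussian elimination over GF(2) on the monomial matrix, pivoting on the
    highest-degree monomials first: every pivot row whose leading monomial has
    degree <= 1 is a linear equation lying in the linear span of the system."""
    monos = sorted({m for p in polys for m in p}, key=lambda m: (-len(m), sorted(m)))
    nbits = len(monos)
    col = {m: nbits - 1 - i for i, m in enumerate(monos)}  # high bits = high degree
    pivots = {}
    for p in polys:
        r = 0
        for m in p:
            r |= 1 << col[m]
        while r:
            lead = r.bit_length() - 1
            if lead in pivots:
                r ^= pivots[lead]
            else:
                pivots[lead] = r
                break
    linear = []
    for lead, r in pivots.items():
        if len(monos[nbits - 1 - lead]) <= 1:
            linear.append({monos[nbits - 1 - b] for b in range(nbits) if r >> b & 1})
    return linear


def evaluate_linear(p, assignment):
    """Value of a linear polynomial under a 0/1 assignment (None if a variable is free)."""
    total = 0
    for m in p:
        if m == ONE:
            total ^= 1
        else:
            (v,) = m
            if v not in assignment:
                return None
            total ^= assignment[v]
    return total


def elimlin(system):
    """ElimLin: find the linear equations in the span, substitute them, repeat.
    Returns (assignment, remaining equations); assignment is None when 1 = 0 appears."""
    polys = [set(p) for p in system]
    order, solved = [], {}           # eliminated variables, and what each was replaced by
    while True:
        linear = linear_equations_in_span(polys)
        if not linear:
            break
        for eq in linear:
            for v in order:          # apply the substitutions already made this round
                eq = substitute(eq, v, solved[v])
            if eq == {ONE}:
                return None, polys   # contradiction: no solution
            if not eq:
                continue
            var = max(next(iter(m)) for m in eq if m)
            solved[var] = eq ^ {frozenset([var])}   # var = (rest of the equation)
            order.append(var)
            polys = [substitute(p, var, solved[var]) for p in polys]
        polys = [p for p in polys if p]
    assignment = {}
    for var in reversed(order):      # back-substitute, last eliminated first
        assignment[var] = evaluate_linear(solved[var], assignment)
    return dict(sorted(assignment.items())), polys


def x(*idx):
    return frozenset(idx)


# Constructed toy system in x0..x3; its only solution is (x0, x1, x2, x3) = (1, 0, 1, 1).
TOY_SYSTEM = [
    {x(0, 1), x(2), ONE},              # x0*x1 + x2 + 1 = 0
    {x(0, 1), x(3), ONE},              # x0*x1 + x3 + 1 = 0  (sum with the first: x2 + x3 = 0)
    {x(1, 2), x(0), x(1), ONE},        # x1*x2 + x0 + x1 + 1 = 0
    {x(1, 2), x(1, 3), x(1)},          # x1*x2 + x1*x3 + x1 = 0
    {x(0, 3), x(1), ONE},              # x0*x3 + x1 + 1 = 0
    {x(2, 3), x(0), x(1), x(3), ONE},  # x2*x3 + x0 + x1 + x3 + 1 = 0
]

if __name__ == "__main__":
    print(elimlin(TOY_SYSTEM))         # ({0: 1, 1: 0, 2: 1, 3: 1}, [])
```

On TOY_SYSTEM the first round finds only x2 + x3 (no single equation is linear, but a sum of two is); substituting x3 = x2 turns the fourth equation into x1 = 0, and two more rounds finish the job. That is the whole point of the method: the linear equations are in the span, not in the original equations.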


3.3. ElimLin – Remark:


In a way it is:
An ultra-light and super-simplified
version of F4 operating
at “degree 1.05” or “2.01”
(makes sense: relatively small number of higher-degree
monomials, and certain types of monomials much
more likely to ever appear).


3.4. ANF-to-CNF - The Outsider


Before we did try,
we actually never believed it could work…

Convert MQ to a SAT problem.
(both are NP-hard problems)


3.4. ANF-to-CNF - The Outsider


Principle 1:
each monomial = one dummy variable.

d+1 clauses for each degree d monomial


Also
Principle 2:
Handling XORs – Not obvious. Long XORs
known to be hard problems for SAT solvers.

• Split longer XORs in several shorter ones with
more dummy variables.
• About 4h clauses for a XOR of size h.
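The two principles above written out as a runnable converter, added here as an example; it is not one of the tools from www.cryptosystem.net/aes/. Principle 1 is the memoised dummy variable per monomial with its d+1 clauses; Principle 2 cuts every XOR into pieces of at most four variables joined by linking variables, which is what gives the roughly 4h clauses for an XOR of size h quoted on the slide. The class name AnfToCnf, the DIMACS output and the brute-force checkers are mine, and TOY_SYSTEM is constructed for this example; the checkers confirm that the CNF has exactly the solutions of the ANF system once the dummy variables are projected away.

```python
from itertools import product

ONE = frozenset()  # the constant monomial 1; other monomials are frozensets of variables 1..n


class AnfToCnf:
    """ANF -> CNF following the two principles on the slides: one dummy variable per
    monomial (d+1 clauses for a degree-d monomial) and long XORs cut into short ones
    with linking dummy variables."""

    def __init__(self, n_vars, cutting_number=4):
        self.n_vars = n_vars           # original variables are 1..n_vars (DIMACS numbering)
        self.next_var = n_vars + 1
        self.cut = cutting_number      # variables per sub-XOR; 4 gives about 4h clauses for size h
        self.monomial_var = {}         # Principle 1: the dummy variable of each monomial
        self.clauses = []              # each clause is a list of signed DIMACS literals

    def new_var(self):
        v = self.next_var
        self.next_var += 1
        return v

    def var_for_monomial(self, mono):
        if mono not in self.monomial_var:
            t = self.new_var()
            self.monomial_var[mono] = t
            for v in mono:                                    # t -> v, one clause per factor
                self.clauses.append([-t, v])
            self.clauses.append([t] + [-v for v in mono])     # all factors -> t
        return self.monomial_var[mono]

    def xor_clauses(self, vs, rhs):
        """XOR(vs) = rhs written directly: forbid each of the 2^(k-1) wrong parities."""
        if not vs:
            if rhs:
                self.clauses.append([])                       # empty clause: 0 = 1
            return
        for bits in product((0, 1), repeat=len(vs)):
            if sum(bits) % 2 != rhs:
                self.clauses.append([-v if b else v for v, b in zip(vs, bits)])

    def add_equation(self, poly):
        """Add the equation poly = 0; poly is a set of monomials."""
        rhs, vs = 0, []
        for mono in poly:
            if len(mono) == 0:
                rhs ^= 1
            elif len(mono) == 1:
                vs.extend(mono)
            else:
                vs.append(self.var_for_monomial(mono))
        while len(vs) > self.cut:                             # Principle 2: cut the long XOR
            link = self.new_var()
            self.xor_clauses(vs[:self.cut - 1] + [link], 0)
            vs = [link] + vs[self.cut - 1:]
        self.xor_clauses(vs, rhs)

    def dimacs(self):
        lines = [f"p cnf {self.next_var - 1} {len(self.clauses)}"]
        lines += [" ".join(map(str, c)) + " 0" for c in self.clauses]
        return "\n".join(lines)


def convert(system, n_vars):
    conv = AnfToCnf(n_vars)
    for p in system:
        conv.add_equation(p)
    return conv


def anf_solutions(polys, n_vars):
    """Assignments of x1..xn satisfying every poly = 0, by exhaustive search (for checking)."""
    sols = set()
    for bits in product((0, 1), repeat=n_vars):
        val = dict(enumerate(bits, start=1))
        if all(sum(all(val[v] for v in m) for m in p) % 2 == 0 for p in polys):
            sols.add(bits)
    return sols


def cnf_solutions_projected(clauses, n_orig, n_total):
    """Satisfying assignments of the CNF, projected onto the original variables."""
    sols = set()
    for bits in product((0, 1), repeat=n_total):
        if all(any(bits[l - 1] if l > 0 else 1 - bits[-l - 1] for l in c) for c in clauses):
            sols.add(bits[:n_orig])
    return sols


def m(*vs):
    return frozenset(vs)


# Constructed toy system in x1..x5 whose only solution is (0, 0, 1, 1, 1).
TOY_SYSTEM = [
    {m(1, 2, 3), m(4), ONE},              # x1x2x3 + x4 + 1 = 0
    {m(1), m(2), m(3), m(4), m(5), ONE},  # x1 + x2 + x3 + x4 + x5 + 1 = 0 (5-term XOR, gets cut)
    {m(1, 2), m(3, 4), m(5)},             # x1x2 + x3x4 + x5 = 0
    {m(2, 3), m(1), m(5), ONE},           # x2x3 + x1 + x5 + 1 = 0
]

if __name__ == "__main__":
    conv = convert(TOY_SYSTEM, 5)
    print(conv.dimacs())                  # 10 variables, 35 clauses
```

The cutting number is the knob the Bard-Courtois-Jefferson paper cited on the next slide tunes: a direct encoding of a 5-term XOR needs 16 clauses, the cut version 8 + 4 with one extra variable, and the gap widens exponentially with the XOR length.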

ANF-to-CNF
This description is enough to produce a
working version.

Space for non-trivial optimisations. See:
Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson:
“Efficient Methods for Conversion and Solution of Sparse
Systems of Low-Degree Multivariate Polynomials over
GF(2) via SAT-Solvers”.


Ready Software
Several ready programs to perform this
conversion are made available on this web
page:

www.cryptosystem.net/aes/tools.html


Solving SAT
What are SAT solvers?
Heuristic algorithms for solving SAT problems.
• Guess some variables.
• Examine consequences.
• If a contradiction is found, I can add a new clause saying “in
this set of constraints one is false”.

Very advanced area of research.

Introduction for “dummies”:
Gregory Bard PhD thesis.

MiniSat 2.0.
Winner of SAT-Race 2006 competition.

An open-source SAT solver package,
by Niklas Eén, Niklas Sörensson.

Later improved A LOT by Mate Soos
=> CryptoMiniSat 2.9.X


Ready Software for Windows


Several ready programs to solve SAT
problems are also available on the same
web page:

www.cryptosystem.net/aes/tools.html


ANF-to-CNF + MiniSat 2.0.


Gives amazing results in algebraic cryptanalysis of
just any (not too complex/not too many rounds)
cipher, cf. (VSH). Also for random sparse MQ.
• Certain VERY large systems solved in seconds
on a PC (thousands of variables !).
• Few take a couple of hours/days…
• Then infeasible, sharp increase.

Jump from 0 to ∞.


What Are the Limitations of Algebraic Attacks ?


• When the number of rounds grows:
complexity jumps from 0 to ∞.

• With new attacks and new “tricks” being
proposed: some systems are suddenly
broken with no effort.
=> jumps from ∞ to nearly 0 !


**What Can Be Done with SAT Solvers ?


• Clearly it is not the size of the system but the nature of it.
• Sometimes more powerful than GB, sometimes less.

Paradoxes:
• If you guess some variables, it can become much slower.
• Great variability in results (hard to compute an average
running time, better to look at the 20 % faster timings).
• Memory:
– For many cases tiny: 9 Mbytes while Magma hangs at > 2 Gbytes
for the same system.
– For some working cases: 1.5 Gbytes and substantial time. Then
terminates with the solution as well.


***Toy Ciphers…


CTC/CT2 = “Courtois Toy Cipher” [eprint]

• 3-bit S-boxes.
• Diffusion D: permuting wires (as DES P-box !).
• 1,2,4,8,… S-boxes per round.
• 1,2,3,…,10,…,30,… rounds.
• Key size == Block size.
• Simple key schedule: bit permutation (as in DES !)

*CTC2 – more recent variant

• Virtually no difference
– Different D-box but difference only at 1 bit position (!).
– Changes everything w.r.t. linear cryptanalysis.
– Changes nothing w.r.t. algebraic cryptanalysis.
• In both cases 6 rounds are broken, 7 rounds maybe this year…


**CTC vs. CTC2

CTC2: Just remove one “weak” bit:

No other difference. Same for “99 % of positions”.



CTC2 S-box:
Random on 3 bits without linear equations.
Theorem [Courtois]: 14 MQ Equations:


ToyRijndael and ToySerpent:


Basically a 4-bit version of CTC…


ToyRijndael S-box [4 bits]


Inv+Affine as in AES, borrowed from Carlos Cid.
Theorem [Courtois]: 21 MQ equations.

ToySerpent S-box [4 bits]


Sbox number 2 [chosen at random] stolen from
Serpent [without permission from the authors].
Theorem [Courtois]: 21 MQ equations.


ToySerpent vs. ToyRijndael:


Both cases: 21 MQ equations.
Same degree, same number, yet TOTALLY DIFFERENT
results (and we can explain why!).

Bad news for the idea (IOH) that I/O degree implies the
existence of algebraic attacks.
• For some equations – good attacks [for 5 rounds].
• For some equations – little hope.

Rijndael S-box shows unexpected resistance w.r.t. our fast
algebraic attack on block ciphers [ElimLin].


Weakness in Serpent S-box 2:


4 / 21 equations are of the types:
• 2 are “Linear + X^2”.
• 2 are “Linear + Y^2”.

0 / 21 such equations for the 4-bit Rijndael S-box !


Combined Effect of These:


They allow to “avoid” / “lower the relative rank of” the set of
higher degree monomials in the xi in algebraic equations
that can be written for several rounds.
In other words, some quadratic monomials / some linear
combinations of monomials can be systematically
eliminated:

Claim: Will greatly help to compute Gröbner bases at a lower
degree !
Now we will test the most optimistic version of this claim:
Replace F4 by ElimLin, how many linear equations can
we generate ?


Interesting and WEIRD Question


KPA. How many linear equations true with Pr=1:

[Figure: three known pairs P1 -> C1, P2 -> C2, P3 -> C3, each passing through “0-few rounds” and then “more rounds”.]

Very Surprising and Powerful


Answer 1: They don’t exist (cf. LC).
Answer 2: They DO exist when the Pi are fixed !
• Can be recovered by interpolation ? I did program this.
Some toy examples take ages… Most relevant cases =>
infeasible ! Too large matrices.
• Fact: I have found a method to compute these equations
VERY EFFICIENTLY given the set of plaintexts
Pi. Arbitrary = a KPA.
Remark: A whole (big) part of the algebraic attack that is
done for a truncated cipher, i.e. without knowing the
ciphertext - pre-computation possible given the spec. of the
cipher (Pb. to use: only easy with CPA).


When the Pi are fixed, how many equations ?


Nb. of linear equations found, 5 rounds x 3 S-boxes, KPA
truncated (unknown ciphertext) ToySerpent & ToyRijndael.

Equations with rounds 0-5.
Some totally avoid the first 2 rounds. Rounds 3-5.
More powerful with full cipher (the ciphertexts are known =>
WORKS FROM both directions !!!! ElimLin even easier !


Combinatorial Explosion
Nb. of new linear equations grows FASTER than LINEAR!!!
Nb. of variables grows linearly in K.

Unstoppable force of an asymptotic…

See our lab:
http://www.nicolascourtois.com/papers/ga18/AC_Lab1_ElimLin_Simon_CTC2.pdf

What About…
Real Life Ciphers?


DES
At a first glance,
DES seems to be a very poor target:

there is (apparently)
no strong algebraic structure
of any kind in DES


What’s Left ?
Idea 1: (IOH)
Algebraic I/O relations.
Theorem [Courtois-Pieprzyk]:
Every S-box has a low I/O degree.
=> 3 for DES.

Idea 2: (VSH)
DES has been designed to be implemented in
hardware.
=> Very-sparse quadratic equations at the price of
adding some 40 new variables per S-box.

Results ?
Both Idea 1 (IOH) and Idea 2 (VSH)
(and some 20 others I have tried…)
can be exploited in working
key recovery attacks.


S-boxes S1-S4 [Matthew Kwan]


S-boxes S5-S8 [Matthew Kwan]


I / O Degree

A “good” cipher should use at least some
components with high I/O degree.

Theorem


Corollary
Cubic Equations and DES

Exactly 112 for all DES S-boxes.
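The counting behind this corollary, and behind the 21 MQ equations quoted earlier for the ToySerpent and ToyRijndael S-boxes, as an added Python example (not the author's code). The number of linearly independent I/O relations of degree at most d is the number of monomials of degree at most d in the input and output bits minus the GF(2) rank of the matrix that evaluates every monomial at every (x, S(x)); since that matrix has 2^(n_in) rows, there are always at least (#monomials - 2^n_in) relations, and the S-boxes below happen to reach that bound exactly. The DES S-box S1 is taken from FIPS 46 and Serpent's S-box 2 from the Serpent specification; inversion in GF(2^4) stands in for the ToyRijndael S-box, whose affine output layer cannot change the count (it maps degree-2 relations to degree-2 relations bijectively).

```python
from itertools import combinations

# DES S-box S1 as specified in FIPS 46 (row = outer input bits b1 b6, column = b2 b3 b4 b5).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_s1(x):
    """6-bit input (b1 = most significant bit) -> 4-bit output."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    return DES_S1[row][(x >> 1) & 0xF]


# Serpent S-box 2, the S-box the slides call ToySerpent.
SERPENT_S2 = [8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2]


def gf16_mul(a, b):
    """Multiplication in GF(2^4) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r


def gf16_inverse(x):
    """x^-1 in GF(2^4) with 0 -> 0: the core of a 4-bit Rijndael-style S-box."""
    return next((y for y in range(16) if gf16_mul(x, y) == 1), 0)


def gf2_rank(rows):
    """Rank over GF(2); each row is a Python int used as a bit vector."""
    pivots = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead in pivots:
                r ^= pivots[lead]
            else:
                pivots[lead] = r
                break
    return len(pivots)


def count_io_relations(sbox, n_in, n_out, max_deg):
    """Number of linearly independent polynomials P(x, y) of degree <= max_deg with
    P(x, S(x)) = 0 for every input x. One row per input, one column per monomial in
    the n_in + n_out bits, so the answer is #monomials - rank >= #monomials - 2^n_in."""
    n = n_in + n_out
    monos = [c for d in range(max_deg + 1) for c in combinations(range(n), d)]
    rows = []
    for x in range(1 << n_in):
        y = sbox(x)
        point = [(x >> i) & 1 for i in range(n_in)] + [(y >> i) & 1 for i in range(n_out)]
        r = 0
        for j, mono in enumerate(monos):
            if all(point[i] for i in mono):
                r |= 1 << j
        rows.append(r)
    return len(monos) - gf2_rank(rows)


if __name__ == "__main__":
    print("DES S1, cubic:", count_io_relations(des_s1, 6, 4, 3))                       # 112
    print("Serpent S2, quadratic:", count_io_relations(SERPENT_S2.__getitem__, 4, 4, 2))  # 21
    print("GF(2^4) inversion, quadratic:", count_io_relations(gf16_inverse, 4, 4, 2))     # 21
```

For DES S1 there are 176 monomials of degree at most 3 in the 10 input/output bits and 64 inputs, hence 176 - 64 = 112 cubic relations; for a 4-bit S-box there are 37 monomials of degree at most 2 and 16 inputs, hence 21. As the ToySerpent/ToyRijndael slides stress, the count alone says nothing about which relations are there, which is what decides how far ElimLin gets.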



5. Selected Results:
Some Successful Attacks


Results on CTC
Nicolas T. Courtois:
“How Fast can be Algebraic Attacks on Block
Ciphers ?”. eprint.iacr.org/2006/168/

6 rounds broken: 255-bit key, 510 S-boxes.


ElimLin: 80 hours after 210/255 bits are
guessed. 64 CP. About 10 times (slightly)
faster than exhaustive search…


Results on CTC2
Much more resistant to LC
[cf. Orr Dunkelman and Nathan Keller :
Linear Cryptanalysis of CTC,
eprint.iacr.org/2006/250/].

ElimLin still breaks 6 rounds in the same way
(no visible difference).

10 rounds broken if block=96, key=256.



Results on ToySerpent
ToySerpent, 5 rounds, 32 S-boxes * 4 bits.
84 first key bits guessed, 44 remain unknown.
4 CP => broken in 32 hours by ElimLin.

6 rounds should be feasible for 256-bit version.


Work in progress.


Results on ToyRijndael
Unexpectedly strong,
the only difference is the S-box:
0/21 “Linear+X2“ equations...


Results on DES

Nicolas T. Courtois and Gregory V. Bard:
Algebraic Cryptanalysis of the D.E.S.
In IMA conference 2007, pp. 152-169,
LNCS 4887, Springer.

See also:
eprint.iacr.org/2006/402/


What Can Be Done ?


Idea 1 (Cubic IOH) + ElimLin:
We recover the key of 5-round DES with
3 KP faster than brute force.
• When 23 variables fixed, takes 173 s.
• Magma crashes > 2 Gb of RAM.
Idea 2 (VSH40) + ANF-to-CNF + MiniSat 2.0.:
Key recovery for 6-round DES. Only 1 KP (!).
• Fix 20 variables takes 68 s.
• Magma crashes with > 2 Gb.

What Else Can We Do ?


Claim: Algebraic Cryptanalysis is an excellent tool TO STUDY
block and stream ciphers. For all properties that hold:
• With probability 1 or close.
• For 3,4,5,6 rounds.. (already a lot, very complex to
analyse by hand).

Proposed Application [probably feasible for many ciphers]:
• Find a 4-round differential that holds with probability 1.
• Show that there isn’t any (unsatisfiable/contradictory
system of equations).


Example:
Looking for another special property of DES.
An attack with a known key (glass-box).
Motivation:
educational, study differential cryptanalysis.

I present this one because it works on a laptop
PC for 12 full rounds of DES (which is the
best result I have for now).

DC
example


What We Can Do:

Given a key, find a plaintext with difference
(`00196000',`00000000') that carries over 12
rounds.

Naïve method (exhaustive search): requires
2^48 trial encryptions ≈ 3 CPU years.

Idea 2 (VSH40) + MiniSat 2.0:
Only 6 hours.

This Was Easy !


Why ?
Reason:
There are many solutions (about 2^16).

Conclusion:
Algebraic attacks with SAT are easier when there
are many solutions.
=> Algebraic cryptanalysis should be a very good tool
for breaking hash functions [as shown by
Mironov-Zhang, Crypto 2006 Rump Session].


Conclusion:

Keys and special properties of block
ciphers CAN be computed in
practice with algebraic attacks,
and this with little [human] effort.


Back to Bigger Picture


Unified view of Algebraic Attacks


Algebraic Security Criterion
[Courtois 1999]:
Non-existence of low-degree/small
size multivariate relations between
the input bits and the output bits.


Avoid Algebraic Relations…


…between inputs/outputs.
• Applies to multivariate public key
cryptosystems: Sflash, Quartz
• Applies to the non-linear part of a
stream cipher, even if stateful.
• Applies to the S-boxes
of a block cipher.

Claim
This criterion is necessary for
the security of all these ciphers.

No proof.
A precaution.
Many ciphers still secure.


2. Algebraic Attacks
on HFE
and Other PKCs
Based on Multivariate
Polynomials


Security of HFE
Special case: Matsumoto-Imai
cryptosystem [Eurocrypt'88]

A power function
(as in Rijndael S-box)
x -> x^3

Attack on Matsumoto-Imai
x -> x^3
Inverse function gives Boolean functions of
very high degree

Attack: there are many multivariate bilinear
relations that allow to break the cipher in no
time.

[Jacques Patarin, Crypto’95]



Attack on HFE
x -> Polynomial of degree d
Again multivariate relations,
attack in
n^(3/2 log d).
[Nicolas Courtois PhD thesis 1998,
published in CT-RSA 2001]
New paper about this: [Faugère, Joux, Crypto 2003].
Same attack, but explains the origin of these equations !
Forgot to acknowledge 4 previously published papers.
[Patarin, Courtois, Shamir-Kipnis, Courtois-Daum-Felke].

3. Algebraic Attacks
on Stream Ciphers
with Linear Feedback
(e.g. LFSR-based)


Main Problem: Linear Feedback


Great many stream ciphers have a linear
feedback (e.g. LFSRs)

state =
multivariate linear function (prev. state)

So what ?

Linear Feedback is Dangerous


It preserves the degree of the equations.

My claim: If one can relate state bits and output bits
by only one multivariate equation of low degree
without extra variables then:
• the cipher is broken in polynomial time,
• hard to find the right equations,
mix of insight and experimental results, but…
• such attacks may be surprisingly fast, e.g. 2^31.


One I/O Equation => Broken∈P


[Figure: a linear component with memory feeding a combiner with memory; input I, output O.]

Common Opinions
on Stream Ciphers
“Most real life designs centre around LFSRs
combined by a non-linear Boolean function.”
“State of the art in generic stream ciphers
cryptanalysis can be summarized as follows:
correlation and fast correlation attacks.“
[Eric Filiol, Decimation Attack of Stream Ciphers,
eprint.iacr.org, 2000]


Common belief:
Ciphers with linear
feedback (LFSR, etc…)
can be made secure using
highly non-linear Boolean
functions.

The Tale of “Good”
Boolean Functions..
• “Good” Boolean functions
• “Good” S-boxes etc…

=> Prevent correlation and
other classical attacks.
A “Good” Boolean function…

There are other attacks!


Some Remarks ! (no comments)


“We can strongly affirm that a very consequent
theory of stream encryption exists…”
“Block ciphers are not secure, one should use
stream ciphers instead…”
“It is impossible to hide a trapdoor in a stream
cipher …“

[Eric Filiol, Plaintext-Dependent Repetition Codes …
the AES case, eprint.iacr.org, 2003]


The Tale of “Good”


Boolean Functions..
Naïve belief that ciphers built out of
such components would be secure.
In fact this approach fails, sometimes quite
miserably, to produce secure ciphers:
• Algebraic attacks on AES and Serpent
[Courtois-Pieprzyk, AsiaCrypt 2002].

• Stream ciphers: much worse.
[For some ciphers, there are no “good” Boolean functions !]


Popular stream ciphers:
Linear sequence generator +
a stateless combiner.

Example: One/several LFSRs
+ a Boolean function.

[Figure: linear feedback over the state, feeding a non-linear filter.]
Notations
• Initial key k ∈ GF(2)^n:
n bits k0, k1, k2, …, k_{n-1}
• The state s ∈ GF(2)^n:
first s = k,
then s = L(s) etc..
• Output bits: apply f(s):
b_i = f(L^i(k))

Given: some of the b_i.
Find: the secret key k.

[Figure: linear feedback over the state bits s0, s1, …, s_{n-1}.]

Direct Algebraic Attack Approach:

Solve this system of equations.
Extremely overdefined even for a moderate
quantity of keystream, e.g. 20 Kbytes.

Example:
Toyocrypt, n=128, d=63.

What if the degree d is too big ?

1) Find a low degree approximation – not today, see
Nicolas Courtois: Higher Order Correlation Attacks, XL algorithm and
Cryptanalysis of Toyocrypt, ICISC 2002 or eprint.iacr.org
2) Better attacks – today.


Problem:
The degree is usually high…
(even AFTER taking a lower degree approximation)

As for HFE and Rijndael S-box,
consider multivariate relations
instead of equations…

Solution (the same as usual):


Relations instead of equations…
I/O equations = implicit eqs.

Their degree
turns out to be
much lower !

Toyocrypt
One of the only two stream
ciphers accepted to the
second phase of
CRYPTREC
(for the Japanese
government).

The design of Toyocrypt


• A bent function
• add s_127 to make it balanced.


Fact: Toyocrypt
There is a multivariate relation being of degree
3 in the 128 key bits and involving 1
consecutive output bit.

Nicolas Courtois, Willi Meier:
Algebraic Attacks on Stream Ciphers with
Linear Feedback, Eurocrypt 2003.


LILI-128

One of the NESSIE candidates,
claimed very secure,
rejected

(all the other stream ciphers were
rejected too !)

Fact: LILI-128
There is a multivariate relation being of degree
4 in the 89 key bits and involving 1
consecutive output bit.

Nicolas Courtois, Willi Meier: Algebraic Attacks
on Stream Ciphers with Linear Feedback,
Eurocrypt 2003.

E0

stream cipher used in
the wireless interface
Bluetooth

Fact: E0
There is a multivariate relation being of degree
4 in the 128 key bits and involving 4
consecutive output bits.

Matthias Krause, Frederik Armknecht:
Algebraic Attacks on Combiners with
Memory, Crypto 2003.

So what ?
One equation is enough to break all these !

Due to the
• Recursive structure of the cipher
• Linear feedback (e.g. in LFSRs) preserves
the degree,
We may generate as many equations as we
want.

So what ?
One equation is enough to break all these !
• Given keystream bits -
• Using bits of memory -
• The secret key can be recovered
in .
• Verified experimentally.
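The attack of the Notations slide (b_i = f(L^i(k))) and of the two “So what ?” slides, as an added Python example that is not the author's code: an 8-bit LFSR with a quadratic filter f, both constructed here, stands in for the 89- to 128-bit registers of the real ciphers. Because L is linear, every keystream bit is an equation of degree 2 in the key bits, whatever i is; treating each monomial k_i or k_i k_j as one unknown (linearization) turns a long enough keystream into a linear system over GF(2), and Gaussian elimination kept in reduced form reads the key bits off the rows of the form k_i = constant. The feedback taps, the filter and KEY are constructed for this example.

```python
from itertools import combinations

# Constructed toy parameters: an 8-bit LFSR with the primitive feedback polynomial
# x^8 + x^4 + x^3 + x^2 + 1 and a quadratic filter f. Real ciphers use 89-128 bits.
N = 8
TAPS = (0, 2, 3, 4)                 # s[t+8] = s[t] + s[t+2] + s[t+3] + s[t+4]
FILTER_QUAD = ((0, 3), (2, 5))      # f(s) = s0*s3 + s2*s5 + s1 + s7
FILTER_LIN = (1, 7)


def lfsr_step(state):
    """One clock; works on concrete bits and on linear forms in the key (Python ints
    used as bit vectors over k0..k7) alike, since only XOR is needed."""
    fb = 0
    for t in TAPS:
        fb ^= state[t]
    return state[1:] + [fb]


def filter_f(state):
    out = 0
    for a, b in FILTER_QUAD:
        out ^= state[a] & state[b]
    for a in FILTER_LIN:
        out ^= state[a]
    return out


def keystream(key, length):
    """b_i = f(L^i(k)): the generator exactly as the attacker models it."""
    state = list(key)
    out = []
    for _ in range(length):
        out.append(filter_f(state))
        state = lfsr_step(state)
    return out


def symbolic_equation(state):
    """Expand f(L^i(k)) into a set of monomials (tuples of key-bit indices). Because L
    is linear the result has degree 2 for every i: linear feedback preserves the degree."""
    poly = set()
    for a, b in FILTER_QUAD:
        for i in range(N):
            if state[a] >> i & 1:
                for j in range(N):
                    if state[b] >> j & 1:
                        poly ^= {tuple(sorted({i, j}))}   # k_i*k_i = k_i
    for a in FILTER_LIN:
        for i in range(N):
            if state[a] >> i & 1:
                poly ^= {(i,)}
    return poly


MONOMIALS = [(i,) for i in range(N)] + list(combinations(range(N), 2))   # 8 + 28 unknowns
COL = {mono: j for j, mono in enumerate(MONOMIALS)}


def recover_key(bits):
    """Linearization attack: one affine equation per keystream bit, every monomial one
    unknown, Gaussian elimination over GF(2) kept in reduced form. A key bit is known
    once its column's pivot row has become k_i = constant; None if the keystream is too
    short to pin every bit (or is not from this generator)."""
    M = len(MONOMIALS)
    mask = (1 << M) - 1
    state = [1 << i for i in range(N)]          # s = k, symbolically
    pivots = {}                                 # pivot column -> row; bit M is the right-hand side
    for b in bits:
        r = b << M
        for mono in symbolic_equation(state):
            r |= 1 << COL[mono]
        state = lfsr_step(state)
        for lead, pr in pivots.items():         # reduce by the rows already in the basis
            if r >> lead & 1:
                r ^= pr
        coeff = r & mask
        if coeff == 0:
            if r:
                return None                     # 0 = 1: keystream inconsistent with the model
            continue
        lead = coeff.bit_length() - 1
        for l2 in pivots:                       # keep every other row clear of the new pivot
            if pivots[l2] >> lead & 1:
                pivots[l2] ^= r
        pivots[lead] = r
    key = []
    for i in range(N):
        c = COL[(i,)]
        if c not in pivots or (pivots[c] & mask) != (1 << c):
            return None
        key.append(pivots[c] >> M & 1)
    return key


# Constructed secret key for the demonstration.
KEY = [1, 0, 1, 1, 0, 0, 1, 0]

if __name__ == "__main__":
    print("recovered:", recover_key(keystream(KEY, 80)), "true:", KEY)
```

With N = 8 there are 36 unknowns, so a few dozen keystream bits suffice; for an n-bit register and a degree-d relation the same computation has about n^d unknowns, which is the “polynomial in n” of the later slides, and the lower the degree of the single I/O relation one finds, the fewer keystream bits and the less linear algebra the attack needs.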

Results

• Toyocrypt – Cryptrec submission => 2^49
Verified, works perfectly well in practice.
• LILI-128 – Nessie submission => 2^57
[Courtois, Meier, Eurocrypt 2003]

• E0 – Bluetooth keystream generator => 2^70
[Armknecht, Krause, Crypto 2003]

Can We Do Better ?
If the keystream bits are consecutive;
Yes, much better !

Nicolas Courtois: “Fast Algebraic Attacks
on Stream Ciphers with Linear
Feedback”.
Crypto 2003.
Studied in more detail by Armknecht,
and [Hawkes-Rose Crypto’04].

Improved Results

Gives the best attack known so far for
3 well known stream ciphers:
• Toyocrypt – Cryptrec submission => 2^25
• LILI-128 – Nessie submission => 2^31
• E0 – Bluetooth keystream generator => 2^49


Broken at the First Glance…


In 2005 Braeken, Lano, Mentens,
Preneel and Verbauwhede have
invented a new stream cipher:
• SFINKS – ECRYPT submission => 2^71
Nicolas Courtois: Cryptanalysis of Sfinks.
eprint.iacr.org/2005/243
Simply broken once you take the time to examine the (already known) algebraic attack –
BUT one needs to run many computer simulations to determine if there exist suitable
equations; there is no theoretical method to predict the result...


Scary Algebraic Equations..


Goal: design an LFSR-based stream cipher
with security 2^128.

Problem: How to make sure that there is no
algebraic relation of size 2^100 that relates
key bits and output bits?

Example: Linear complexity may be 2^100.
I cannot check if relations exist...


Scary Algebraic Equations..


Problem: How to make sure that there is no algebraic
relation of size 2^100 ?

Crypto’03 paper clearly demonstrates that in MANY
interesting cases you cannot be sure unless you
can do about 2^100 computations.

Also works for linear complexity
(many ciphers will be broken in a time being
about the linear complexity).
Murphy course: should be 2^40. Not enough !!!
Many other relations may exist…

Conclusion – Stream Ciphers


Good Boolean functions are by far
not enough to get secure ciphers.
LFSR-based stream ciphers cannot
claim security UNLESS they are
PROVABLY secure against
algebraic attacks.
How ? OPEN PROBLEM.

More on Stream Ciphers:
Linear sequence
generator +
a combiner
with memory,
may be
key-dependent

[Figure: linear feedback over the state, feeding a combiner with memory.]

All Stream Ciphers Broken ?


It depends what we mean by
“BROKEN”…
• Fixed size filter/combiner and an LFSR
with n bits.
• Polynomial in n vs. non-polynomial in n.
• In this sense many of them are broken.


All Stream Ciphers Broken ?


1. An LFSR + Boolean function (fixed
number of inputs). => POLYNOMIAL.
Nicolas Courtois, Willi Meier: Algebraic Attacks on
Stream Ciphers with Linear Feedback, Eurocrypt
2003.


Stream Ciphers Broken in Poly…


2. An LFSR + Any Combiner with Memory
=> POLYNOMIAL.
• Matthias Krause, Frederik Armknecht: Algebraic Attacks on
Combiners with Memory, Crypto 2003.
• Nicolas Courtois: Algebraic Attacks on Combiners with
Memory and Several Outputs. ICISC’04, available on
eprint.iacr.org/2003/125.
Different proof of the same Theorem, greatly improving the
result for combiners with several outputs.


More Ciphers Broken in Poly…


3. An LFSR + Secret or Key-Dependent
Boolean Function.
=> POLYNOMIAL.
• - - work in progress - -
• Nicolas Courtois, Philip Hawkes: Fast Algebraic Attacks on
Stream Ciphers and the Discrete Fourier Transform,
Greg Rose, Philip Hawkes: Rewriting Variables: the
Complexity of Fast Algebraic Attacks on Stream Ciphers
In Crypto 2004.


More Ciphers Broken in P time…


4. An LFSR + Any Secret or Key-Dependent
Combiner with Memory.
Conjecture [Meier-Courtois 2003]
=> POLYNOMIAL.
• Nicolas Courtois, Philip Hawkes, Willi Meier: Algebraic
Attacks on Stream Ciphers with Unknown or Key-Dependent
Components,
Work in progress…
Not sure about the result…
