Carlos Cid
For m-bit blocks and n-bit keys, we can describe a block cipher as the map
$E : \mathbb{F}^m \times \mathbb{F}^n \to \mathbb{F}^m$, $(P, K) \mapsto C$.
This approach was proposed in 2003 against the AES (Courtois and
Pieprzyk), and attracted a lot of attention from the cryptographic
community.
The system for the AES was presented, together with a dedicated
method for solving the system.
The AES S-box (the only source of non-linearity) gives rise to several
quadratic equations: instead of $y = x^{254}$, use $xy = 1$, $x^2 y = x$ and $xy^2 = y$.
It was claimed that this was a particularly bad feature, and that the
proposed methods could exploit this fact.
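The following is an added example, not part of the slides: it implements inversion in GF(2^8) with the AES field polynomial, checks for all 256 inputs which of the three quadratic relations above hold, and confirms that the relations survive the GF(2)-affine output layer of the S-box (the affine constants 0x63 and 0x05 and the rotation pattern are taken from FIPS-197; the function names are my own).

```python
# Added example (not from the slides): the AES S-box is inversion in GF(2^8)
# followed by a GF(2)-affine map.  This checks the low-degree relations
# xy = 1, x^2 y = x, xy^2 = y that replace y = x^254, and shows which of
# them fails at x = 0.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8), reducing modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def sbox_inverse_part(x: int) -> int:
    """y = x^254, i.e. the multiplicative inverse, with 0 mapped to 0."""
    return gf_pow(x, 254)


def rotl8(v: int, k: int) -> int:
    """Rotate an 8-bit value left by k (1 <= k <= 7)."""
    return ((v << k) | (v >> (8 - k))) & 0xFF


def affine(y: int) -> int:
    """The GF(2)-affine layer of the AES S-box (FIPS-197, section 5.1.1)."""
    return y ^ rotl8(y, 1) ^ rotl8(y, 2) ^ rotl8(y, 3) ^ rotl8(y, 4) ^ 0x63


def affine_inverse(s: int) -> int:
    """Inverse of affine(); GF(2)-linear, so it does not raise the degree."""
    return rotl8(s, 1) ^ rotl8(s, 3) ^ rotl8(s, 6) ^ 0x05


def sbox(x: int) -> int:
    """Full AES S-box: inversion followed by the affine layer."""
    return affine(sbox_inverse_part(x))


def check_relations() -> dict:
    """For how many of the 256 inputs does each quadratic relation hold?"""
    counts = {"xy=1": 0, "x^2y=x": 0, "xy^2=y": 0}
    for x in range(256):
        y = sbox_inverse_part(x)
        if gf_mul(x, y) == 1:
            counts["xy=1"] += 1
        if gf_mul(gf_mul(x, x), y) == x:
            counts["x^2y=x"] += 1
        if gf_mul(x, gf_mul(y, y)) == y:
            counts["xy^2=y"] += 1
    return counts


def relations_hold_through_affine_layer() -> bool:
    """The same relations hold between x and affine_inverse(S(x)), because
    the affine layer is invertible and linear over GF(2)."""
    return all(
        gf_mul(gf_mul(x, x), affine_inverse(sbox(x))) == x for x in range(256)
    )


if __name__ == "__main__":
    print(check_relations())  # xy=1 fails only for x = 0
    print(relations_hold_through_affine_layer())
```

The output makes the usual caveat concrete: $xy = 1$ is only a probabilistic equation (true for 255 of 256 inputs, failing at $x = 0$), while $x^2 y = x$ and $xy^2 = y$ hold unconditionally. Because the output layer is GF(2)-linear, substituting $y = A^{-1}(S(x))$ keeps every relation quadratic in the bits of $x$ and $S(x)$, which is what lets the whole cipher be written as a quadratic system.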
Two tasks:
1. How to construct the system of equations.
   over GF(2): 8000 equations and 1600 variables.
   over GF(2^8): 8576 equations, 4288 variables (derived from BES).
2. How to solve the resulting system (or obtain some insight into the
   cipher).
   XSL (eXtended Sparse Linearisation): based on linearisation, but
   attempting to exploit the sparsity and specific structure of the equation
   system.
   Gröbner basis algorithms, SAT-solvers, etc.
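As an added example (my own code, not from the slides or from the XSL paper), here is the base step that XSL builds on: plain linearisation of a small quadratic system over GF(2). Each product $x_i x_j$ is renamed to a fresh unknown, the system is solved by Gaussian elimination over GF(2), and the example shows that the method fails as soon as the equations do not span all monomials. The sample system is constructed from a hidden solution with a seeded generator; the variable count and seed are arbitrary choices.

```python
# Added example (not from the slides): plain linearisation of a small
# quadratic system over GF(2).  Every monomial x_i x_j is renamed to a new
# variable, the system becomes linear, and Gaussian elimination over GF(2)
# solves it -- but only if the equations span all monomials.  XSL adds
# tricks for generating extra equations; this block shows only the base step.
import itertools
import random


def monomials(n):
    """Ordered monomials: the linear x_i, then x_i x_j for i < j
    (x_i^2 = x_i over GF(2), so no squares are needed)."""
    return [(i,) for i in range(n)] + list(itertools.combinations(range(n), 2))


def eval_monomial(mono, x):
    """Evaluate a monomial (tuple of variable indices) at a 0/1 vector x."""
    v = 1
    for i in mono:
        v &= x[i]
    return v


def random_system(n, n_eqs, solution, rng):
    """Constructed quadratic equations satisfied by `solution`.
    Each equation is (coefficients over monomials(n), right-hand side)."""
    mons = monomials(n)
    eqs = []
    for _ in range(n_eqs):
        coeffs = [rng.randrange(2) for _ in mons]
        rhs = sum(c & eval_monomial(m, solution) for c, m in zip(coeffs, mons)) % 2
        eqs.append((coeffs, rhs))
    return eqs


def rref_gf2(rows, ncols):
    """Reduced row echelon form over GF(2); returns (pivot columns, rows)."""
    rows = [(list(c), r) for c, r in rows]
    pivots, r = [], 0
    for col in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][0][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][0][col]:
                rows[i] = ([a ^ b for a, b in zip(rows[i][0], rows[r][0])],
                           rows[i][1] ^ rows[r][1])
        pivots.append(col)
        r += 1
        if r == len(rows):
            break
    return pivots, rows


def linearise_and_solve(n, eqs):
    """Treat each monomial as an independent unknown and solve.
    Returns the recovered x, or None when the linearised system is
    inconsistent or underdetermined (rank below the number of monomials)."""
    mons = monomials(n)
    pivots, rows = rref_gf2(eqs, len(mons))
    if any(not any(c) and rhs for c, rhs in rows):
        return None                      # 0 = 1: no solution
    if len(pivots) < len(mons):
        return None                      # too few independent equations
    value = {mons[col]: rows[k][1] for k, col in enumerate(pivots)}
    x = [value[(i,)] for i in range(n)]
    # The renamed product variables must agree with the recovered x.
    assert all(value[m] == eval_monomial(m, x) for m in mons)
    return x


def demo(n=4, solution=(1, 0, 1, 1), seed=1):
    """Fewer equations than monomials must fail; three per monomial succeed."""
    rng = random.Random(seed)
    k = len(monomials(n))
    few = linearise_and_solve(n, random_system(n, k - 1, solution, rng))
    enough = linearise_and_solve(n, random_system(n, 3 * k, solution, rng))
    return {"monomials": k, "few": few, "enough": enough}


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the gap between equations and monomials: with 1600 variables over GF(2) there are about 1.28 million distinct quadratic monomials, so the 8000 equations of the AES system are nowhere near enough for linearisation on its own. XSL's contribution was a way of generating additional equations by multiplying the existing sparse ones by monomials while trying to keep the resulting system structured; the later results cited on this page concern whether that extension actually delivers the claimed rank.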
AES may have been broken. Serpent, too. Or maybe not. In either case, there’s no need to panic. Yet. But
there might be soon. Maybe.
...
Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and
then using an innovative technique to treat the terms of those polynomials as individual variables. ... There are
a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier.
(This is a gross oversimplification of the paper; read it for more detail.).
...
These are amazing results.
...
There was some buzz about the paper in the academic community, but it quickly died down. I believe the
problem was that the paper was dense and hard to understand. The attack technique, something called XSL,
was brand new.
...
In any case, there’s no cause for alarm yet. These attacks can be no more implemented in the field than they
can be tested in a lab. ... There’s so much security margin in these ciphers that the attacks are irrelevant.
But there is call for worry. If the attack really works, it can only get better. My fear is that we could see
optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things start to get dicey
about ten years from now...
The work is fascinating...
...
We’re starting to see the new attack tools that work against some of the AES finalists. It’s an open question as
to how long the tools will remain theoretical. But many cryptographers who previously felt good about AES are
having second thoughts.
I can say with certainty that no one knows for certain if XSL can break Rijndael or
Serpent or anything else. Actually, I can say something stronger: no one has
produced an actual demonstration of XSL breaking even a simplified version of
Rijndael or Serpent or anything else. This makes a lot of people skeptical.
Demonstrations are important....
...
The XSL techniques have not been demonstrated yet. A number of respectable
cryptographers, whose opinions I value highly, don’t think the techniques work. Don
Coppersmith has published a note on the topic. And T. Moh has a Web page about
this...
...
I know that several groups are working on the techniques, and if they work one of
those groups should be able to demonstrate something, on something, soon. I’ll
provide additional information when I learn of it.
The XSL method was certainly a valid attempt to exploit the particular
structure of the AES system; it was however shown (Asiacrypt 05 and FSE
07) that the algorithm did not work as expected (in particular, it is not an
efficient method for solving the system arising from the AES).
Other attempts: neat tricks (e.g. Meet-in-the-Middle) and known solving methods
(e.g. Gröbner bases, SAT-solvers) do not seem to have provided much success
either.
Note that much early work assumed that the existing method of generating the system of
equations was the best approach, and concentrated on studying and proposing methods for
solving the system.
Maybe we have to concentrate instead on finding new ways of generating the polynomial
systems.
Some promising approaches.
Combining statistical and algebraic cryptanalysis (Albrecht and Cid, 2009): use
probabilistic methods to simplify the system of equations; use the algebraic
structure to help distinguish non-random patterns.
Study algebraically the behaviour of the encryption operation on structured input (e.g.
Albrecht et al., 2010; Cube Attacks – Dinur and Shamir, 2009).
These gave rise to interesting results, but so far no significant progress or breakthrough in
this area (in particular, not against the AES).
The AES features a particularly strong diffusion layer (it is one of its main
features against conventional cryptanalysis).
Conjecture: the AES is a particularly strong cipher against
(polynomial system-solving) algebraic cryptanalysis (despite low
degree S-Boxes).
Ideally we would be able to quantify the protection provided by the
diffusion layer (it seems however very difficult to achieve).
Thank you!