Algebraic Analysis of AES

Carlos Cid

Information Security Group,


Royal Holloway, University of London

ECRYPT II AES Day


18 Oct 2012

Algebraic Analysis of AES Carlos Cid


Algebraic Analysis of AES

AES is an algorithm with a simple and very elegant design.


it has been designed to offer strong resistance against known attacks,
in particular differential and linear cryptanalysis, while enabling
efficient implementation on different platforms.
given its careful design criteria, it has always seemed unlikely that its
security can be affected by conventional methods of cryptanalysis.

Algebraic Analysis of AES

The AES also has a highly algebraic structure.


Fundamental component: the byte, as an element of K = GF(2^8).
SubBytes: inversion + linearised polynomial in K[x] + addition in K.
ShiftRows + MixColumns: linear operation on K^16.
AddRoundKey: addition in K.
The selection of AES led to a growing interest in the study of algebraic
properties of block ciphers, and applications in cryptanalysis.

Algebraic Techniques in Cryptanalysis

Algebra is the default tool in the analysis of asymmetric


cryptosystems (RSA, ECC, Lattice-based, MPKC, etc).
For symmetric cryptography (block and stream ciphers), the most
commonly used techniques are statistical in nature:
block ciphers: in linear and differential cryptanalysis (and variants), the
attacker attempts to construct statistical patterns that propagate through the
many iterations (rounds) of the cipher.
stream ciphers: linear/differential, correlation attacks, distinguishing
attacks, etc.
The selection of AES (and proposal of algebraic attacks against stream
ciphers) led to an increasing interest in the use of algebraic techniques in
the analysis of symmetric cryptosystems in the past 10 years.

Algebraic Structure of AES

The algebraic properties of Rijndael were not really explored in detail


during the AES selection process.
focus mostly on the proposal of dedicated attacks, eg square and
bottleneck attacks.
There were however some early observations, eg:
moving the F_2-affine S-Box operation into an augmented linear layer (and
key schedule). (Murphy and Robshaw)
description of AES encryption using a form of continued fractions (the
fully expanded expression for the full 10-round AES encryption would
have around 2^50 terms). (Ferguson et al.)

Big Encryption System - BES

Due to Murphy and Robshaw (2002), BES operated on 128-byte blocks


with 128-byte keys, with very simple algebraic structure:
S-Box Layer: inversion in GF(2^8);
Linear Diffusion Layer: GF(2^8)-linear transformation;
Subkey Layer: addition of round subkey.
The AES can be embedded into the BES via a vector conjugate mapping

φ(a) = (a, a^2, a^4, ..., a^128)

BES restricted to a subspace provides an alternative description of AES.

Polynomial Representation

In principle, one can always attempt to represent a cipher as a system of


polynomial equations (over F_2), and study its security based on the
properties of this system.
we can therefore consider polynomial system solving as a
cryptanalytic technique.
this has recently become an increasingly common technique to try to
analyse symmetric-key encryption algorithms.

Polynomial System Solving in Symmetric-Key Cryptanalysis

In the context of (symmetric-key) cryptanalysis, solving systems of


polynomial equations is typically associated with the technique called
Algebraic Attacks.
Algebraic Attacks: set up and solve a system of equations arising
from a stream cipher or block cipher, to recover the encryption key
(or other secret information, eg stream cipher secret state).
More generally, Algebraic Cryptanalysis: study algebraic systems to
obtain some non-trivial insight into the algorithm.
A form of analysis with several attractive features.

Algebraic Cryptanalysis

Two well-defined tasks/challenges for the cryptanalyst:


1 How to construct the system of equations.
2 How to solve the resulting system (or obtain some insight into the
cipher).
Both areas have attracted much attention of researchers.

Block Ciphers

For m-bit blocks and n-bit keys, we can describe a block cipher as

E : F^m × F^n → F^m
(P, K) ↦ C

Block cipher encryption gives rise to a natural polynomial system:


for a known pair (P, C), the encryption C = E(P, K) provides, at the bit
level, m equations in n variables (the key bits).
furthermore, we can add more equations to our system by using other
plaintext-ciphertext pairs.
as the encryption operation is by design a complex function, we
expect these polynomials to be very dense and of very high degree.
This form of attack is obviously impractical, and was never really
considered a threat.

Block Cipher Structure

However block ciphers are in practice designed with a very particular


structure:
most block ciphers present an iterated structure.
they are built in blocks, using low-cost simple operations, which are
repeated for several rounds.
this allows more efficient implementation and better study of the
security of the cipher.

Algebraic Attack against Block Ciphers: second attempt

We can consider a different way to generate a system of equations for a


block cipher.
rather than one very complex equation for each ciphertext bit, we
obtain simpler polynomials (low degree and sparse) for the
round/layer functions.
This approach gives rise to very large systems.
we need to add new variables for the intermediate unknown values.
encrypting more data does not seem to help (more equations, but
more variables).

Algebraic Attack against AES

This approach was proposed in 2002 against the AES (Courtois and
Pieprzyk), and attracted a lot of attention from the cryptographic
community.
The system for the AES was presented, together with a dedicated
method for solving the system.
the AES S-box (the only source of non-linearity) gives rise to several
quadratic equations.
instead of y = x^254, use xy = 1, x^2 y = x and xy^2 = y.
it was claimed that this was a particularly bad feature, and that the
proposed method could exploit this fact.
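The algebraic description of SubBytes given earlier (inversion + linearised polynomial in K[x] + addition in K), the BES conjugate map φ(a) = (a, a^2, ..., a^128), and the quadratic relations xy = 1, x^2 y = x, xy^2 = y on this slide can all be checked mechanically. The following Python is an added example for this page, not code from the slides or from the Murphy-Robshaw or Courtois-Pieprzyk papers. It assumes the FIPS-197 definition of the S-box (inversion modulo x^8 + x^4 + x^3 + x + 1, with 0 mapped to 0, followed by the fixed F_2-affine map with constant 0x63); all function names are the example's own.

```python
# Added example (not from Cid's slides): SubBytes over K = GF(2^8) as
# inversion + linearised polynomial + constant, the BES conjugate map phi,
# and a count of the bi-affine equations satisfied by y = x^254.
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial

def gf_mul(a, b):
    """Multiplication in K, reducing modulo AES_POLY."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in K."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def gf_inv(x):
    """The SubBytes 'inversion' y = x^254, so that 0 maps to 0."""
    return gf_pow(x, 254)

def affine(y):
    """F2-affine part of SubBytes (FIPS-197): y + rotl(y,1) + ... + rotl(y,4) + 0x63."""
    rotl = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

def sbox(x):
    """The full AES S-box: inversion followed by the F2-affine map."""
    return affine(gf_inv(x))

def conjugates(a):
    """BES vector conjugate map phi(a) = (a, a^2, a^4, ..., a^128)."""
    return [gf_pow(a, 1 << i) for i in range(8)]

def solve_over_k(m, v):
    """Gauss-Jordan elimination over K for the square system m * c = v."""
    n = len(v)
    a = [row + [v[i]] for i, row in enumerate(m)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col])
        a[col], a[piv] = a[piv], a[col]
        inv = gf_inv(a[col][col])
        a[col] = [gf_mul(inv, t) for t in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [s ^ gf_mul(f, t) for s, t in zip(a[r], a[col])]
    return [a[i][n] for i in range(n)]

def linearised_coeffs():
    """c_0..c_7 in K with affine(y) + 0x63 = sum_i c_i * y^(2^i) for all y.
    An F2-linear map of K is a linearised polynomial; its coefficients come
    from the 8x8 Moore system on the basis 1, x, ..., x^7 (bytes 1, 2, ..., 128).
    The same vector c is the K-linear row that acts on phi(y) inside BES."""
    basis = [1 << j for j in range(8)]
    return solve_over_k([conjugates(b) for b in basis],
                        [affine(b) ^ 0x63 for b in basis])

def sbox_via_conjugates(x, c):
    """S(x) = 0x63 + <c, phi(x^254)>: the slides' algebraic form of SubBytes."""
    acc = 0x63
    for ci, yi in zip(c, conjugates(gf_inv(x))):
        acc ^= gf_mul(ci, yi)
    return acc

def gf2_rank(rows):
    """Rank over GF(2) of rows encoded as Python ints (bit k = column k)."""
    rank, rows = 0, list(rows)
    while rows:
        r = rows.pop()
        if r:
            rank += 1
            low = r & -r
            rows = [v ^ r if v & low else v for v in rows]
    return rank

def biaffine_equation_count():
    """Number of independent equations sum a_ij x_i y_j + sum b_i x_i + sum c_j y_j + d = 0
    holding for every (x, y = x^254): the nullity of the 256 x 81 evaluation matrix."""
    rows = []
    for x in range(256):
        xb = [(x >> i) & 1 for i in range(8)]
        yb = [(gf_inv(x) >> j) & 1 for j in range(8)]
        monos = [1] + xb + yb + [xi & yj for xi in xb for yj in yb]
        rows.append(sum(m << k for k, m in enumerate(monos)))
    return 81 - gf2_rank(rows)

def slide_relations_hold():
    """xy = 1 (x != 0), x^2 y = x and x y^2 = y (all x), as on the slide."""
    for x in range(256):
        y = gf_inv(x)
        if (x and gf_mul(x, y) != 1) or gf_mul(gf_mul(x, x), y) != x \
                or gf_mul(x, gf_mul(y, y)) != y:
            return False
    return True
```

linearised_coeffs() recovers the eight coefficients c_i in K with L(y) = Σ c_i y^(2^i) by interpolation alone, and sbox_via_conjugates reassembles S(x) from them; this is exactly why the F_2-affine part of the S-box becomes a K-linear map once the state is embedded in BES via φ. biaffine_equation_count() returns 23: the seven bit-equations of xy = 1 that survive x = 0 (the bit-0 equation reads 0 = 1 there, since the S-box maps 0 to 0), plus eight each from x^2 y = x and xy^2 = y, which hold for every x. Any further bi-affine relation would, after substituting y = x^254, have to vanish on all of K*, and the exponents 1 - 2^j for j = 2..6 fall in cyclotomic cosets distinct from those of 1 and 254, so no such relation exists: the three families on the slide are the whole story for bi-affine equations.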

Algebraic Analysis of AES

Two tasks:
1 How to construct the system of equations.
over GF(2): 8000 equations and 1600 variables.
over GF(2^8): 8576 equations, 4288 variables (derived from BES).
2 How to solve the resulting system (or obtain some insight into the
cipher).
XSL (eXtended Sparse Linearisation): based on linearization, but
attempting to exploit the sparsity and specific structure of the equation
system.
Gröbner Basis algorithms, SAT-solvers, etc.

XSL against AES

The claim was that with XSL one could:


mount a (at least theoretical) successful attack against the AES with
256-bit keys (using the system over GF(2));
mount a (at least theoretical) successful attack against the AES with
128-bit keys (using the system over GF(28 )).
This initial work spurred frantic activity (and much speculation) in the
area of algebraic cryptanalysis of block ciphers (and AES in particular).

AES news (Crypto-Gram Newsletter - Sep 15, 2002)

AES may have been broken. Serpent, too. Or maybe not. In either case, there’s no need to panic. Yet. But
there might be soon. Maybe.
...
Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and
then using an innovative technique to treat the terms of those polynomials as individual variables. ... There are
a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier.
(This is a gross oversimplification of the paper; read it for more detail.)
...
These are amazing results.
...
There was some buzz about the paper in the academic community, but it quickly died down. I believe the
problem was that the paper was dense and hard to understand. The attack technique, something called XSL,
was brand new.
...
In any case, there’s no cause for alarm yet. These attacks can be no more implemented in the field than they
can be tested in a lab....There’s so much security margin in these ciphers that the attacks are irrelevant.
But there is call for worry. If the attack really works, it can only get better. My fear is that we could see
optimizations of the XSL attack breaking AES with a 2^80-ish complexity, in which case things start to get dicey
about ten years from now...
The work is fascinating...
...
We’re starting to see the new attack tools that work against some of the AES finalists. It’s an open question as
to how long the tools will remain theoretical. But many cryptographers who previously felt good about AES are
having second thoughts.

More on AES Cryptanalysis (Crypto-Gram Newsletter - Oct 15, 2002)

I can say with certainty that no one knows for certain if XSL can break Rijndael or
Serpent or anything else. Actually, I can say something stronger: no one has
produced an actual demonstration of XSL breaking even a simplified version of
Rijndael or Serpent or anything else. This makes a lot of people skeptical.
Demonstrations are important....
...
The XSL techniques have not been demonstrated yet. A number of respectable
cryptographers, whose opinions I value highly, don’t think the techniques work. Don
Coppersmith has published a note on the topic. And T. Moh has a Web page about
this...
...
I know that several groups are working on the techniques, and if they work one of
those groups should be able to demonstrate something, on something, soon. I’ll
provide additional information when I learn of it.

XSL against AES

The XSL method was certainly a valid attempt to exploit the particular
structure of the AES system; it was however shown (Asiacrypt 05 and FSE
07) that the algorithm did not work as expected (in particular, it is not an
efficient method for solving the system arising from the AES).
Other attempts: neat tricks (eg Meet-in-the-Middle) and known methods
of solving (eg Gröbner bases, SAT-solvers) do not seem to have provided much
success either.

Algebraic Attacks: New Approaches to Generate the
System

Note that much early work assumed that the method of generating the system of
equations was the best approach, and concentrated on studying/proposing methods for
solving the system.
Maybe we have to concentrate on finding new ways of generating the polynomial
systems.
Some promising approaches.
Combining statistical and algebraic cryptanalysis (Albrecht and Cid, 2009): use
probabilistic methods to simplify the system of equations; use the algebraic
structure to help distinguish non-random patterns.
Study algebraically the behaviour of the encryption operation on structured input (eg
Albrecht et al., 2010; Cube Attacks – Dinur and Shamir, 2009).
These gave rise to interesting results, but as yet no significant progress or breakthrough in
this area (in particular, not against the AES).

Algebraic Attacks: Limitations

In fact, despite early inflated hopes, results have been somewhat


disappointing.
it is safe to say that no known (serious) block cipher has been broken
using pure algebraic techniques faster than with other techniques.
early work concentrated on solving methods; more recently we have
considered how to generate more tractable systems and/or combine
these with other techniques.

Algebraic Attacks: Limitations

One reason the success of these attacks was overestimated may be a flaw


in the approach.
One considers the several layers separately.
The S-box is the only source of non-linearity, so (the reasoning goes) we
do not need to worry about the linear layer: it is linear!
Modern ciphers have, however, well-chosen linear layers that provide
very strong diffusion (put in place to protect against conventional
statistical attacks).
This same mechanism may provide more protection against algebraic
cryptanalysis than originally thought, by providing strong symbol
mixing between layers.

Algebraic Attacks against AES

The AES features a particularly strong diffusion layer (it is one of its main
features against conventional cryptanalysis).
Conjecture: the AES is a particularly strong cipher against
(polynomial system-solving) algebraic cryptanalysis (despite low
degree S-Boxes).
Ideally we would be able to quantify the protection provided by the
diffusion layer (it seems however very difficult to achieve).

Conclusions

AES has a very elegant algebraic structure.


It provides an interesting platform for study.
despite early buzz, algebraic attacks have had limited practical
success so far against block ciphers; no progress against AES!
in fact, AES may be particularly strong against system-solving attacks.
One could however try to go beyond solving the system (Algebraic
Analysis: obtain non-trivial information within cipher operation).
This is an interesting and active area of research... new ideas needed.

Thank you!
