Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
ASIACRYPT '02 Proceedings of the 8th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
PRESENT: An Ultra-Lightweight Block Cipher
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
Efficient algorithms for solving overdefined systems of multivariate polynomial equations
EUROCRYPT'00 Proceedings of the 19th international conference on Theory and application of cryptographic techniques
Algebraic cryptanalysis of the data encryption standard
Cryptography and Coding'07 Proceedings of the 11th IMA international conference on Cryptography and coding
An analysis of the XSL algorithm
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
Small scale variants of the AES
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Block ciphers sensitive to gröbner basis attacks
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
The inverse s-box, non-linear polynomial relations and cryptanalysis of block ciphers
AES'04 Proceedings of the 4th international conference on Advanced Encryption Standard
An analysis of XSL Applied to BES
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Linear (Hull) and Algebraic Cryptanalysis of the Block Cipher PRESENT
CANS '09 Proceedings of the 8th International Conference on Cryptology and Network Security
Side Channel Cube Attack on PRESENT
CANS '09 Proceedings of the 8th International Conference on Cryptology and Network Security
Algebraic techniques in differential cryptanalysis revisited
ACISP'11 Proceedings of the 16th Australasian conference on Information security and privacy
| Hi-index | 0.00 |
In this paper we study algebraic attacks on block ciphers that exploit several (i.e. more than 2) plaintext-ciphertext pairs. We show that this considerably lowers the maximum degree of polynomials that appear in the attack, which allows much faster attacks, some of which can actually be handled experimentally. We point out a theoretical reason why such attacks are more efficient, lying in certain types of multivariate equations that do exist for some S-boxes. Then we show that when the S-box is on 3 bits, such equations do always exist. For S-boxes on 4 bits, the existence of these equations is no longer systematic. We apply our attacks to a toy version of Serpent, a toy version of Rijndael, and a reduced round version of Present, a recently proposed lightweight block cipher. It turns out that some S-boxes are much stronger than others against our attack.