Toward A More Efficient Gröbner-based Algebraic Cryptanalysis
Related papers
Algebraic Precomputations in Differential and Integral Cryptanalysis
Lecture Notes in Computer Science, 2011
Algebraic cryptanalysis is a general tool which permits one to assess the security of a wide range of cryptographic schemes. Algebraic techniques have been successfully applied against a number of multivariate schemes and stream ciphers. Yet, their feasibility against block ciphers remains the source of much speculation. In this context, algebraic techniques have mainly been deployed in order to solve a system of equations arising from the cipher, so far with limited success. In this work we propose a different approach: to use Gröbner basis techniques to compute structural features of block ciphers, which may then be used to improve "classical" differential and integral attacks. We illustrate our techniques against the block ciphers Present and Ktantan32.
Comparative Study of Algebraic Attacks
IARJSET, 2016
Cryptographic schemes have an algebraic structure and can be described as multivariate polynomial equations. Even though algebra is the default tool in the cryptanalysis of asymmetric cryptosystems, there has recently been an increase in interest in the use of algebraic cryptanalysis techniques in the analysis of symmetric cryptosystems. The basic idea behind the algebraic attack is to express the whole cryptosystem as a large system of multivariate polynomial equations, then consider methods for solving the system to recover the key. Solving multivariate polynomial systems is a typical problem studied in Algebraic Geometry and Computational Algebra. Computing a Gröbner basis is the best-known method to solve this problem. Finding Gröbner bases is a difficult task which requires lots of computational resources. This paper discusses and explains in depth different algorithms to compute Gröbner bases using examples. This paper also compares these algorithms from the points of view of accuracy and efficiency (the required resources: time and effort) to get accurate results. Finally, the worthiness of these algorithms to be applied to cryptanalysis is discussed.
Algebraic Attacks From a Groebner Basis Perspective
International Journal of …, 2010
In this paper we propose a new algorithm for computing Groebner basis for a system of multivariate polynomial equations describing a cryptosystem. The objective for designing this algorithm is to reduce the degree and number of polynomials resulting in a Groebner basis, which appears in the output of the algorithm. To attain this goal, a new division algorithm is proposed. The proposed algorithm, improved Buchberger and F4 algorithm have been applied to the system of algebraic equations extracted from the Courtois Toy Cipher and their efficiencies have been compared. The results show that the proposed algorithm has advantages over improved Buchberger and F4 algorithms from the view point of the number of polynomials within the obtained Groebner basis and computational (time) complexity.
Algebraic Attack Efficiency versus S-box Representation
IACR Cryptol. ePrint Arch., 2017
Algebraic analysis of block ciphers aims at finding the secret key by solving a collection of polynomial equations that describe the internal structure of a cipher for chosen observations of plaintext/ciphertext pairs. Although algebraic attacks are addressed for cryptanalysis of block and stream ciphers, there is a lack of understanding of the impact of the algebraic representation of the cipher on the efficiency of solving the resulting collection of equations. The work investigates different S-box representations and their effect on the complexity of algebraic attacks. In particular, we observe that an S-box representation defined in the work as ForwardBackward (FWBW) leads to a collection of equations that can be solved efficiently. We show that the SR(10, 2, 1, 4) cipher can be broken using the standard algebra software Singular and FGb. This is the best result achieved so far. The effect of the description of S-boxes for some light-weight block ciphers is investigated. A by-product of this result ...
New Directions in Cryptanalysis of Block Ciphers
Journal of Computer Science, 2009
Problem statement: The algebraic expression of the Advanced Encryption Standard (AES) RIJNDAEL S-box involved only 9 terms. The selected mapping for the RIJNDAEL S-box has a simple algebraic expression. This enables algebraic manipulations which can be used to mount an interpolation attack. Approach: The interpolation attack was introduced as a cryptanalytic attack against block ciphers. This attack is useful for cryptanalysis of ciphers using simple algebraic functions as S-boxes. Results: In this study, we presented an improved AES S-box with good properties to improve the complexity of the AES S-box algebraic expression, with the number of terms increasing to 255. Conclusion: The improved S-box is resistant against the interpolation attack. We can develop derivatives of the interpolation attack using estimations of S-boxes with less nonlinearity.
The Inverse S-Box, Non-Linear Polynomial Relations and Cryptanalysis of Block Ciphers
Advanced Encryption Standard - AES, 2005
This paper is motivated by the design of AES. We consider a broader question of cryptanalysis of block ciphers having very good non-linearity and diffusion. Can we expect, anyway, to attack such ciphers, clearly designed to render hopeless the main classical attacks? Recently a lot of attention has been drawn to the existence of multivariate algebraic relations for AES (and other) S-boxes. Then, if the XSL-type algebraic attacks on block ciphers [11] are shown to work well, the answer would be positive. In this paper we show that the answer is certainly positive for many other constructions of ciphers. This is not due to an algebraic attack, but to new types of generalised linear cryptanalysis, highly non-linear in flavour. We present several constructions of somewhat special practical block ciphers, seemingly satisfying all the design criteria of AES and using similar S-boxes, and yet being extremely weak. They can be generalised, and evolve into general attacks that can be applied, potentially, to any block cipher.
Combining Algebraic and Side-Channel Cryptanalysis against Block Ciphers
2009
This paper introduces a new type of cryptanalysis against block ciphers, denoted as algebraic side-channel attacks. In these attacks, we first write the target block cipher as a system of low degree equations. But since directly solving this system is generally hard, we additionally provide it with physical information. As a consequence, the algebraic cryptanalysis that was previously conjectured can be experimented and turns out to be very efficient to break block ciphers in practice. The proposed attacks differ from most previously known side-channel attacks in a number of interesting aspects. Namely they have a significantly reduced data complexity, the possibility to exploit the information of all the cipher rounds in an unknown plaintext/ciphertext scenario and different requirements for countermeasures. As an illustration, we apply them to the implementations of two block ciphers using a single leakage trace and discuss their specificities.
On selection of samples in algebraic attacks and a new technique to find hidden low degree equations
International Journal of Information Security, 2015
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN32, LBlock and SIMON. For each case, we present a practical attack on a reduced-round version which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using the cube attack and ElimLin, which was presented at FSE'12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts which break a smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations
Lecture Notes in Computer Science, 2002
Several recently proposed ciphers are built with layers of small S-boxes, interconnected by linear key-dependent layers. Their security relies on the fact that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this hypothesis is true for both Serpent (due to the small size of its S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt'00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack has a parameter P, and in theory we show that P should be a constant. The XSL attack would then be polynomial in Nr, with a huge constant that is double-exponential in the size of the S-box. We demonstrated by computer simulations that the XSL attack works well enough on a toy cipher. It seems however that P will rather increase very slowly with Nr. More simulations are needed for bigger ciphers. Our optimistic evaluation shows that the XSL attack might be able to break Rijndael 256 bits and Serpent for key lengths 192 and 256 bits. However, if P is increased by only 2 (respectively 4), the XSL attack on Rijndael (respectively Serpent) would become slower than exhaustive search. At any rate, it seems that the security of these ciphers does not grow exponentially with the number of rounds.
On Asymptotic Security Estimates In Xl and Gröbner Bases-Related Algebraic Cryptanalysis
Information and Communications …, 2004
"Algebraic Cryptanalysis" against a cryptosystem often comprises finding enough relations that are generally or probabilistically valid, then solving the resultant system. The security of many schemes (the most important being AES) thus depends on the difficulty of solving multivariate polynomial equations. Generically, this is NP-hard. The related methods of XL (eXtended Linearization), Gröbner Bases, and their variants (of which a large number have been proposed) form a unified approach to solving equations and thus affect our assessment and understanding of many cryptosystems. Building on prior theory, we analyze these XL variants and derive asymptotic formulas giving better security estimates under XL-related algebraic attacks; through this examination we have hopefully improved our understanding of such variants. In particular, guessing a portion of the variables is a good idea for both XL and Gröbner Bases methods.