Papers by Nicolas T. Courtois

arXiv (Cornell University), Feb 7, 2019
One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties which can hold for a larger number of rounds of a block cipher. We have Generalised Linear Cryptanalysis (GLC) and Partitioning Cryptanalysis (PC). Due to the double-exponential combinatorial explosion of the number of possible invariant properties, systematic exploration is not possible and extremely few positive working examples of GLC are known. Our answer is to work with polynomial algebraic invariants, which makes partitions more intelligible. We have developed a constructive algebraic approach which is about making sure that a certain combination of polynomial equations is zero. We work with an old block cipher from the 1980s which has a particularly large hardware complexity compared to modern ciphers, e.g. AES. However, all this complexity is not that useful if we are able to construct powerful non-linear invariants which work for any number of rounds. A key feature of our invariant attacks is that we are able to completely eliminate numerous state and key bits. We also construct invariants for the (presumably stronger) KT1 keys. Some of these lead to powerful ciphertext-only correlation attacks.
IACR Cryptol. ePrint Arch., 2017
T-310/50 is an important Cold War cipher [76]. It was the principal encryption algorithm used to protect various state communication lines in Eastern Germany throughout the 1980s. The cipher seems to be quite robust, and until now, no cryptography researcher has proposed an attack on T-310. In this paper we provide a detailed analysis of T-310 in the context of modern cryptography research and other important or similar ciphers developed in the same period. We introduce new notations which show the peculiar internal structure of this cipher in a new light. We point out a number of significant strong and weak properties of this cipher. Finally we propose several new attacks on T-310.

Cryptologia, 2019
One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties for block ciphers. In this paper we study non-linear polynomial invariant attacks. The number of such attacks grows as 2^(2^n) and systematic exploration is not possible. The main question is HOW do we find such attacks? We have developed a constructive algebraic approach which is about making sure that a certain combination of polynomial equations is zero. We work by progressive elimination of specific variables in polynomial spaces and we show that one can totally eliminate big chunks of the cipher circuit. As an application we present several new attacks on the historical T-310 block cipher, which has a particularly large hardware complexity and a very large number of rounds compared to modern ciphers, e.g. AES. However, all this complexity is not that useful if we are able to construct new types of polynomial invariant attacks which work for any number of rounds.

Cryptologia, 2018
Linear Cryptanalysis (LC) is an important code-breaking method which became popular in the 1990s and has roots in earlier research [Shamir, Davies] in the 1980s. In this article we show evidence that Linear Cryptanalysis is even older. According to documents from the former Eastern German cipher authority ZCO, systematic study of linear characteristics for non-linear Boolean functions was routinely performed already in the 1970s. In the same period Eastern German cryptologists produced an excessively complex set of requirements known as KT1, which the long-term keys are required to satisfy, and keys of this type were in widespread use to encrypt communications in the 1980s. An interesting question is then to see if KT1 keys offer some level of protection against linear cryptanalysis. In this article we demonstrate that (strangely) not really. This is demonstrated by constructing specific counterexamples of pathologically weak keys which satisfy all the requirements of KT1. However, as T-310 is used in a stream cipher mode that uses only a tiny part of the internal state for actual encryption, it remains unclear whether this type of weak keys could lead to key recovery attacks on T-310.

Proceedings of the 13th International Joint Conference on e-Business and Telecommunications, 2016
There are two major families of cryptanalytic attacks on symmetric ciphers: statistical attacks and algebraic attacks. In this position paper we argue that algebraic cryptanalysis has not yet been developed properly due to the weakness of the theory, which has substantial difficulty proving the most basic results on the number of linearly independent equations in algebraic attacks. Consequently most authors present a restricted range of attacks which are shown experimentally to work on their computer but refrain from claiming results which would work on a larger computer but have not yet been tested. For example, in the recent 2015 work of Raddum we discover that (experimentally) the ElimLin attack breaks up to 16 rounds of the Simon block cipher; however, it is hard to know what happens for 17 rounds. In this paper we argue that one CAN predict and model the behavior of such attacks and evaluate the complexity of attacks which we cannot yet execute. To the best of our knowledge this has never been done before.

International Journal of Information Security, 2015
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN32, LBlock and SIMON. For each case, we present a practical attack on a reduced-round version which outperforms previous attempts at algebraic cryptanalysis, whose complexities were close to exhaustive search. The attack is based on the selection of samples using the cube attack and ElimLin, which was presented at FSE'12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts, which break a smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows
Lecture Notes in Computer Science, 2008
In this paper we analyse the algebraic properties over the field GF(2) of addition modulo 2^n. We look at implicit quadratic equations describing this operation, and at probabilistic conditional linear equations. We show that addition modulo 2^n can be partly or totally linearized when the output is fixed, and this for a large family of outputs. We apply these results to analyse the resistance of the stream cipher Snow 2.0 against algebraic attacks.

Progress in Cryptology - INDOCRYPT 2010, 2010
This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on a variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic-equation representation of all KATAN ciphers. We introduce a novel pre-processing stage on the equation system before feeding it to the SAT solver. This way, we could break 79, 64 and 60 rounds of KATAN32, KATAN48 and KATAN64, respectively. We show how to perform side-channel attacks on the full 254-round KATAN32 with one-bit information leakage from the internal state by cube attacks. Finally, we show how to reduce the attack complexity by combining the cube attack with the algebraic attack to recover the full 80-bit key. Further contributions include new phenomena observed in cube, algebraic and side-channel attacks on the KATAN ciphers. For the cube attacks, we observed that the same maxterms suggested more than one cube equation, thus reducing the overall data and time complexities. For the algebraic attacks, a novel pre-processing step led to a speed-up of the SAT solver program. For the side-channel attacks, 29 linearly independent cube equations were recovered after 40-round KATAN32. Finally, in the combined algebraic and cube attack, a leakage of key bits after 71 rounds led to a speed-up of the algebraic attack.
Decim is a new stream cipher designed for hardware applications with restricted resources. The design of the cipher is based on both a nonlinear filter LFSR and an irregular decimation mechanism recently introduced and called the ABSG. Apart from the security aspects, the design goal is to produce a stream cipher with a compact hardware implementation and operating at high

Lecture Notes in Computer Science, 2006
The central question in constructing a secure and efficient masking method for AES is to address the interaction between additive masking and the inverse S-box of Rijndael. All recently proposed methods to protect AES against power attacks try to avoid this problem and work by decomposing the inverse in terms of simpler operations that are more easily protected against DPA by generic methods. In this paper, for the first time, we look at the problem in the face, and show that this interaction is not as intricate as it seems. In fact, any operation, even complex, can be directly protected against DPA of any given order, if it can be embedded in a group that has a compact representation. We show that a secure computation of a whole masked inverse can be done directly in this way, using the group of homographic transformations over the projective space (but not exactly, with some non-trivial technicalities). This is used to propose a general high-level algebraic method to protect AES against power attacks of any given order.

The DES encryption standard resisted rather well some 20 years of massive worldwide cryptanalysis effort. DES S-boxes also have no obvious algebraic structure that could lead to algebraic attacks. For all these reasons, DES is not only very widely implemented and used today, but triple DES and other derived schemes will probably still be around in ten or twenty years from now. We suggest that, if an algorithm is so widely used, its security should still be under scrutiny, and not taken for granted. In this paper we study the S-boxes of DES. Many properties of these are already known, yet usually they concern one particular S-box. This comes from the known design criteria on DES, which strongly suggest that S-boxes have been chosen independently of each other. On the contrary, we are interested in properties of DES S-boxes that concern a subset of two or more DES S-boxes. For example, we study the properties related to Davies-Murphy attacks on DES, recall the known uniformity criteria to resist this attack, and discuss a stronger criterion that would allow resisting a larger class of attacks. More generally we study many different properties, in particular related to linear cryptanalysis and algebraic attacks. The interesting question is to know if there are any interesting properties that hold for subsets of S-boxes bigger than 2. Such a property has already been shown by Shamir at Crypto'85 (and independently discovered by Franklin), but Coppersmith et al. explained that it was rather due to the known S-box design criteria. Our simulations confirm this, but not totally. We also present several new properties of similar flavour. These properties come from a new type of algebraic attack on block ciphers that we introduce. What we find is not easily explained by the known S-box design criteria, and the question should be asked whether the S-boxes of DES are related to each other, or whether they follow some yet unknown criteria. Similarly, we also found that the s5DES S-boxes have an unexpected common structure that can be exploited in a certain type of generalised linear attack. This fact substantially decreases the credibility of s5DES as a DES replacement. This paper has probably no implications whatsoever on the security of DES.
AES 4 Conference, Bonn May 10-12 2004, LNCS 3373, 2005
This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks ...

Public Key Cryptography - PKC 2004, 2004
The problem MQ of solving a system of multivariate quadratic equations over a finite field is relevant to the security of AES and of several public key cryptosystems. For example Sflash, the fastest known signature scheme (cf. [1]), is based on MQ equations over GF(2^7), and Patarin's 500$ HFE Challenge 2 is over GF(2^4). Similarly, the fastest alleged algebraic attack on AES due to Courtois, Pieprzyk, Murphy and Robshaw uses an MQ system over GF(2^8). At present very little is known about the practical solvability of such systems of equations over GF(2^k). The XL algorithm from Eurocrypt 2000 was initially studied over GF(p), and only recently, in two papers presented at CT-RSA'02 and ICISC'02, was the behaviour of XL studied for systems of equations over GF(2). In this paper we show (as expected) that XL over GF(2^k), k > 1 (never studied so far) does not always work very well. The reason is the existence of additional roots to the system in the extension field, which is closely related to the remark made by Moh, claiming that the XSL attack on AES cannot work. However, we explain that the specific set of equations proposed by Murphy and Robshaw already contains a structure that removes the problem. From this, we deduce a method to modify XL so that it works much better over GF(2^k). In addition we show how to break the signature scheme Sflash-v2, recently selected by the European consortium Nessie, by three different methods derived from XL. Our fastest attack is in 2^58. All three attacks apply also to HFE Challenge 2, and our best attack is in 2^63.
Feistel Schemes and Bi-Linear Cryptanalysis
Advances in Cryptology - CRYPTO 2004, 2004
The Inverse S-Box, Non-Linear Polynomial Relations and Cryptanalysis of Block Ciphers
Advanced Encryption Standard - AES, 2005
Information Security and Privacy, 2006
In this paper we are interested in the algebraic immunity of several well known highly-nonlinear vectorial Boolean functions (or S-boxes), designed for block and stream ciphers. Unfortunately, ciphers that use such S-boxes may still be vulnerable to so called ...
New, third version of Sflash specification (Sflash …
Note: SFLASH v2 is one of the three asymmetric signature schemes recommended by the Nessie European consortium for low-cost smart cards [21, 16]. The latest implementation report shows that SFLASH v2 is the fastest signature scheme known, see [1] for details. This document ...
online proceedings of Dagstuhl Seminar

Information and Communications …, 2004
"Algebraic Cryptanalysis" against a cryptosystem often comprises finding enough relations that are generally or probabilistically valid, then solving the resultant system. The security of many schemes (the most important being AES) thus depends on the difficulty of solving multivariate polynomial equations. Generically, this is NP-hard. The related methods of XL (eXtended Linearization), Gröbner Bases, and their variants (of which a large number have been proposed) form a unified approach to solving equations and thus affect our assessment and understanding of many cryptosystems. Building on prior theory, we analyze these XL variants and derive asymptotic formulas giving better security estimates under XL-related algebraic attacks; through this examination we have hopefully improved our understanding of such variants. In particular, guessing a portion of the variables is a good idea for both XL and Gröbner Bases methods.

Proceedings of the 11th IMA international …, 2007
In spite of the growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. Triple DES is believed very secure, is widely used, especially in the financial sector, and should remain so for many, many years to come. In addition, some doubts have been raised whether its replacement AES is secure, given the extreme level of "algebraic vulnerability" of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations). Is DES secure from the point of view of algebraic cryptanalysis, a new, very fast-growing area of research? We do not really hope to break it, but just to advance the field of cryptanalysis. At first glance, DES seems to be a very poor target, as there is (apparently) no strong algebraic structure of any kind in DES. However, in [14] it was shown that "small" S-boxes always have a low I/O degree (cubic for DES, as we show below). In addition, due to their low gate count requirements, by introducing additional variables we can always get an extremely sparse system of quadratic equations. Assessing the algebraic vulnerabilities is the easy part, and may appear unproductive. In this paper we demonstrate that in this way several interesting attacks on a real-life "industrial" block cipher can be found. One of our attacks is the fastest known algebraic attack on 6 rounds of DES. Yet it requires only one single known plaintext (instead of a very large quantity), which is quite interesting in itself. Though (on a PC) we recover the key for only six rounds, in a much weaker sense we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. They can be applied to DES with modified S-boxes and potentially other reduced-round block ciphers.