2004
Since being officially selected as the new Advanced Encryption Standard (AES), Rijndael has continued to receive great attention and has had its security continuously evaluated by the cryptographic community. Rijndael is a cipher with a simple, elegant and highly algebraic structure. Its selection as the AES has led to a growing interest in the study of algebraic properties of block ciphers, and in particular algebraic techniques that can be used in their cryptanalysis. In these notes we will examine some algebraic aspects of the AES and consider a number of algebraic techniques that could be used in the analysis of the cipher. In particular, we will focus on the large, though surprisingly simple, systems of multivariate quadratic equations derived from the encryption operation, and consider some approaches that could be used when attempting to solve these systems. These notes refer to an invited talk given at the Fourth Conference on the Advanced Encryption Standard (AES4) in May 2004, and are largely based on [4].
The new Advanced Encryption Standard (AES) has been recently selected by the US government to replace the old Data Encryption Standard (DES) for protecting sensitive official information. Due to its simplicity and elegant algebraic structure, the choice of the AES algorithm has motivated the study of a new approach to the analysis of block ciphers. While conventional methods of cryptanalysis (e.g. differential and linear cryptanalysis) are usually based on a "statistical" approach, where an attacker attempts to construct statistical patterns through many interactions of the cipher, the so-called algebraic attacks exploit the intrinsic algebraic structure of a cipher. More specifically, the attacker expresses the encryption transformation as a set of multivariate polynomial equations and attempts to recover the encryption key by solving the system. In this paper we consider a number of algebraic aspects of the AES, and examine a few computational and algebraic techniques that could be used in the cryptanalysis of the cipher. We show how one can express the cipher as a very large, though surprisingly simple, system of multivariate quadratic equations over the finite field GF(2^8), and consider some approaches that can be used to solve this system.
Advanced Encryption Standard - AES, 2005
This paper is motivated by the design of AES. We consider a broader question of cryptanalysis of block ciphers having very good non-linearity and diffusion. Can we nevertheless expect to attack such ciphers, which are clearly designed to render the main classical attacks hopeless? Recently a lot of attention has been drawn to the existence of multivariate algebraic relations for AES (and other) S-boxes. Then, if the XSL-type algebraic attacks on block ciphers [11] are shown to work well, the answer would be positive. In this paper we show that the answer is certainly positive for many other constructions of ciphers. This is not due to an algebraic attack, but to new types of generalised linear cryptanalysis, highly non-linear in flavour. We present several constructions of somewhat special practical block ciphers, seemingly satisfying all the design criteria of AES and using similar S-boxes, and yet being extremely weak. They can be generalised, and evolve into general attacks that can be applied, potentially, to any block cipher.
Cryptologia, 2009
Simplified AES was developed in 2003 as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. There have been some claims that AES is threatened by algebraic cryptanalysis. We will use algebraic cryptanalysis to attack simplified AES.
International Journal of Information Security, 2010
This paper is about counting linearly independent equations for so-called algebraic attacks on block ciphers. The basic idea behind many of these approaches, e.g., XL, is to generate a large set of equations from an initial set of equations by multiplication of existing equations by the variables in the system. One of the most difficult tasks is to determine the exact number of linearly independent equations one obtains in the attacks. In this paper, it is shown that by splitting the equations defined over a block cipher (an SP-network) into two sets, one can determine the exact number of linearly independent equations of a certain degree which can be generated in algebraic attacks within each of these sets. While this does not give us a direct formula for the success of algebraic attacks on block ciphers, it gives some interesting bounds on the number of equations one can obtain from a given block cipher. Our results are applied to the AES and to a variant of the AES, and the exact numbers of linearly independent equations in the two sets that one can generate by multiplication of an initial set of equations are given. Our results also indicate, in a novel way, that the AES is not vulnerable to the algebraic attacks as defined here.
2002
One difficulty in the cryptanalysis of the Advanced Encryption Standard (AES) is the tension between operations in the two fields GF(2^8) and GF(2). This paper outlines a new approach that avoids this conflict. We define a new block cipher, the BES, that uses only simple algebraic operations in GF(2^8). Yet the AES can be regarded as being identical to the BES with a restricted message space and key space, thus enabling the AES to be realised solely using simple algebraic operations in one field GF(2^8). This permits the exploration of the AES within a broad and rich setting. One consequence is that AES encryption can be described by an extremely sparse overdetermined multivariate quadratic system over GF(2^8), whose solution would recover an AES key.
Journal of Computer Science, 2009
Problem statement: The algebraic expression of the Advanced Encryption Standard (AES) RIJNDAEL S-box involves only 9 terms. The selected mapping for the RIJNDAEL S-box has a simple algebraic expression. This enables algebraic manipulations which can be used to mount an interpolation attack. Approach: The interpolation attack was introduced as a cryptanalytic attack against block ciphers. This attack is useful for the cryptanalysis of ciphers using simple algebraic functions as S-boxes. Results: In this study, we present an improved AES S-box with good properties that raises the complexity of the S-box algebraic expression, with the number of terms increasing to 255. Conclusion: The improved S-box is resistant against the interpolation attack. We can develop derivatives of the interpolation attack using approximations of S-boxes with less nonlinearity.
Proceedings of the 11th IMA international …, 2007
In spite of the growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. Triple DES is believed to be very secure, is widely used, especially in the financial sector, and should remain so for many years to come. In addition, some doubts have been raised whether its replacement AES is secure, given the extreme level of "algebraic vulnerability" of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations). Is DES secure from the point of view of algebraic cryptanalysis, a new and very fast-growing area of research? We do not really hope to break it, but just to advance the field of cryptanalysis. At first glance, DES seems to be a very poor target, as there is (apparently) no strong algebraic structure of any kind in DES. However, in [14] it was shown that "small" S-boxes always have a low I/O degree (cubic for DES, as we show below). In addition, due to their low gate count requirements, by introducing additional variables we can always get an extremely sparse system of quadratic equations. Assessing the algebraic vulnerabilities is the easy part, and may appear unproductive. In this paper we demonstrate that in this way, several interesting attacks on a real-life "industrial" block cipher can be found. One of our attacks is the fastest known algebraic attack on 6 rounds of DES. Yet, it requires only one single known plaintext (instead of a very large quantity), which is quite interesting in itself. Though (on a PC) we recover the key for only six rounds, in a much weaker sense we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. They can be applied to DES with modified S-boxes and potentially to other reduced-round block ciphers.
Lecture Notes in Computer Science, 2002
Several recently proposed ciphers are built with layers of small S-boxes, interconnected by linear key-dependent layers. Their security relies on the fact that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this hypothesis is true for both Serpent (due to the small size of its S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt'00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack has a parameter P, and in theory we show that P should be a constant. The XSL attack would then be polynomial in Nr, with a huge constant that is double-exponential in the size of the S-box. We demonstrated by computer simulations that the XSL attack works well enough on a toy cipher. It seems however that P will rather increase very slowly with Nr. More simulations are needed for bigger ciphers. Our optimistic evaluation shows that the XSL attack might be able to break Rijndael with 256-bit keys and Serpent for key lengths 192 and 256 bits. However, if P is increased by only 2 (respectively 4) the XSL attack on Rijndael (respectively Serpent) would become slower than exhaustive search. At any rate, it seems that the security of these ciphers does not grow exponentially with the number of rounds.
Advanced Encryption Standard - AES (AES 4 Conference, Bonn, May 10-12 2004), LNCS 3373, 2005
This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks focusing on their common fundamental principles and on how to avoid them. From this we derive new very general design criteria, applicable for very different cryptographic components. These amount to avoiding (if possible) the existence of, in some sense "too simple" algebraic relations. Though many ciphers that do not satisfy this new paradigm probably still remain secure, the design of ciphers will never be the same again.
2012
The design and analysis of lightweight block ciphers is gaining increasing popularity due to the general assumption that in the future extensive use will be made of block ciphers in ubiquitous devices. In this PhD thesis we address cryptanalysis of several lightweight block ciphers using algebraic and side channel attacks. In the first part of the thesis, we investigate the security of the NOEKEON block cipher. We provide the first result of side channel attack on NOEKEON using side channel cube attack. In the second part of this thesis, we improve the original cube attack by Dinur and Shamir in EUROCRYPT 2009 by introducing an efficient method called extended cube for extracting low-degree nonlinear equations. We apply our extended cube method on PRESENT-80 and PRESENT-128. We show that using our extended cube method, we have been able to improve the previous side channel cube attack on PRESENT-80 from CANS 2009. However our attack on PRESENT-128 was the first attack in the side ch...
Communications in Computer and Information Science, 2010
In the literature, there are several proposed block ciphers like AES, Square, Shark and Hierocrypt which use S-boxes that are based on the inversion mapping over a finite field. Because of the simple algebraic structure of S-boxes generated in this way, these ciphers usually apply a bitwise affine transformation after the inversion mapping. In some ciphers like Camellia, an additional affine transformation is used before the input of the S-box as well. In this paper, we study algebraic expressions of S-boxes based on power mappings with the aid of finite field theory and show that the number of terms in the algebraic expression of an S-box based on a power mapping changes according to the place where an affine transformation is added. Moreover, a new method is presented to derive the algebraic expression of S-boxes like the AES S-box for each of the three probable cases.
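The abstracts above make three concrete, checkable claims about the AES S-box: it is inversion in GF(2^8) followed by a bitwise affine map, its univariate polynomial has only 9 terms, and it satisfies an overdefined set of quadratic equations over GF(2) that hold with probability 1 (the "exceptionally large number of quadratic I/O equations" behind the XSL and BES papers). The following script is an added example written for this page, not code from any of the papers listed; it builds the S-box from scratch, recovers its polynomial by interpolation, and counts the linearly independent bi-affine and fully quadratic equations by a GF(2) rank computation. The "affine, then inversion" variant is a constructed illustration of the placement point made in the last abstract: it reuses the AES affine map on the input side rather than the actual Camellia maps, so its term count is computed here, not asserted. All names (EXP, LOG, gmul, interpolate, count_equations, ...) are the example's own.

```python
"""Algebraic view of the AES S-box: its polynomial over GF(2^8) and the number
of quadratic input/output equations over GF(2).  Added example, not paper code."""

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b); log/antilog
# tables built from 0x03, a generator of the multiplicative group.
EXP, LOG, _g = [0] * 510, [0] * 256, 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _g
    LOG[_g] = _i
    _g ^= (_g << 1) ^ (0x11B if _g & 0x80 else 0)   # _g *= 0x03

def gmul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gpow(a, e):                       # a^e with the convention 0^0 = 1
    if e == 0:
        return 1
    return 0 if a == 0 else EXP[(LOG[a] * e) % 255]

def aes_affine(x):                    # AES output affine map: x ^ rotl1..rotl4(x) ^ 0x63
    y = x
    for _ in range(4):
        x = ((x << 1) | (x >> 7)) & 0xFF
        y ^= x
    return y ^ 0x63

INVERSION = [gpow(x, 254) for x in range(256)]                 # x -> x^-1 (0 -> 0)
AES_SBOX = [aes_affine(INVERSION[x]) for x in range(256)]      # inversion, then affine
AFFINE_FIRST = [INVERSION[aes_affine(x)] for x in range(256)]  # constructed variant: affine, then inversion

def interpolate(f):
    """Coefficients c[0..255] of the unique polynomial of degree <= 255 over GF(2^8)
    with f[x] = sum_e c[e] x^e.  Over GF(2^8)*, sum_x x^m is 1 iff 255 divides m, so
    c[e] = sum_{x!=0} f[x] x^-e for 1 <= e <= 254, and sum_{x!=0} f[x] = c[0] + c[255]."""
    c = [f[0]] + [0] * 255
    for e in range(1, 255):
        for x in range(1, 256):
            c[e] ^= gmul(f[x], EXP[(-LOG[x] * e) % 255])
    for x in range(1, 256):
        c[255] ^= f[x]
    c[255] ^= c[0]
    return c

def evaluate(c, x):
    y = 0
    for e, ce in enumerate(c):
        if ce:
            y ^= gmul(ce, gpow(x, e))
    return y

def nonzero_terms(c):
    return {e: ce for e, ce in enumerate(c) if ce}

def gf2_rank(rows):                   # rows are ints, bit k = column k
    basis = {}
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in basis:
                basis[h] = r
                break
            r ^= basis[h]
    return len(basis)

def count_equations(sbox, full_quadratic):
    """Linearly independent equations sum_m a_m m(x, y) = 0 holding for every
    (x, y = sbox[x]); m ranges over 1, the input bits x_i, the output bits y_j and
    x_i y_j (81 bi-affine monomials), plus x_i x_j and y_i y_j for i < j when
    full_quadratic (137 monomials).  Count = #monomials - GF(2) rank of the
    256 x #monomials evaluation matrix."""
    if full_quadratic:
        pairs = [(i, j) for i in range(16) for j in range(i + 1, 16)]
    else:
        pairs = [(i, j) for i in range(8) for j in range(8, 16)]
    rows = []
    for x in range(256):
        b = [(x >> i) & 1 for i in range(8)] + [(sbox[x] >> j) & 1 for j in range(8)]
        mono = [1] + b + [b[i] & b[j] for i, j in pairs]
        rows.append(sum(bit << k for k, bit in enumerate(mono)))
    return 1 + 16 + len(pairs) - gf2_rank(rows)

def inversion_relations_hold():
    """Field relations behind the bi-affine equations, y = x^-1 (0 -> 0):
    x*y = 1 for x != 0, and x^2*y = x, x*y^2 = y for every x."""
    for x in range(256):
        y = INVERSION[x]
        if (x and gmul(x, y) != 1) or gmul(gmul(x, x), y) != x or gmul(x, gmul(y, y)) != y:
            return False
    return True

if __name__ == "__main__":
    for name, box in (("inversion only", INVERSION), ("AES: inversion then affine", AES_SBOX),
                      ("affine then inversion", AFFINE_FIRST)):
        terms = nonzero_terms(interpolate(box))
        print(f"{name}: {len(terms)} terms, exponents {sorted(terms)}")   # AES: 9 terms
    print("bi-affine equations:", count_equations(AES_SBOX, False))      # 23
    print("quadratic equations:", count_equations(AES_SBOX, True))       # 39
    print("inversion relations hold:", inversion_relations_hold())      # True
```

The exponents of the 9 AES terms are 254·2^k mod 255 for k = 0..7 (the affine map is a linearized polynomial applied to x^254) plus the constant 0x63; the 23 bi-affine equations are exactly the GF(2) shadow of x·y = 1, x^2·y = x and x·y^2 = y, and the count is unchanged for pure inversion because the affine map only changes the basis of the output bits. Counting by rank rather than by hand is the check to keep when evaluating a proposed "hardened" S-box: the last abstract's point about affine placement shows up as a change in the term count, but the quadratic equation count is what an XL/XSL-style attacker cares about.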
International Journal of Communication Networks and Security
In this paper, a pair of symmetric block ciphers has been developed for the encryption and decryption of text files. The characters in the file are represented by their ASCII codes. A substitution table and a reverse substitution table are formed using a key. Encryption and decryption are carried out using linear algebraic equations. Cryptanalysis is also discussed to establish the strength of the algorithm. Results and analysis show that the algorithm works well and is more secure against attempts to break the cipher.
Journal of Cryptology, 2001
In this paper an attack on block ciphers is introduced, the interpolation attack. This method is useful for attacking ciphers that use simple algebraic functions (in particular quadratic functions) as S-boxes. Also, attacks based on higher-order differentials are introduced. They are special and important cases of the interpolation attacks. The attacks are applied to several block ciphers, the six-round prototype cipher by Nyberg and Knudsen, which is provably secure against ordinary differential cryptanalysis, a modified version of the block cipher SHARK, and a block cipher suggested by Kiefer.
Lecture Notes in Computer Science, 2011
Algebraic cryptanalysis is a general tool which permits one to assess the security of a wide range of cryptographic schemes. Algebraic techniques have been successfully applied against a number of multivariate schemes and stream ciphers. Yet, their feasibility against block ciphers remains the source of much speculation. In this context, algebraic techniques have mainly been deployed in order to solve a system of equations arising from the cipher, so far with limited success. In this work we propose a different approach: to use Gröbner basis techniques to compute structural features of block ciphers, which may then be used to improve "classical" differential and integral attacks. We illustrate our techniques against the block ciphers Present and Ktantan32.
Abstract: The Rijndael encryption algorithm is proposed by the United States government as the Advanced Encryption Standard (AES) for the protection of computerized information in the next few decades. Given the potential large-scale uses of AES, it is important to analyze thoroughly its strengths and weaknesses in various settings.
Mathematics in Computer Science, 2010
This work is devoted to attacking the small scale variants of the Advanced Encryption Standard (AES) via systems that contain only the initial key variables. To this end, we introduce a system of equations that naturally arises in the AES, and then eliminate all the intermediate variables via normal form reductions. The resulting system, in key variables only, is then solved. We also consider the possibility of applying our method in the meet-in-the-middle scenario, especially with several plaintext/ciphertext pairs. We elaborate on the method further by looking for subsystems which contain fewer variables and are overdetermined, thus facilitating the solution of the large system.
IACR Cryptol. ePrint Arch., 2018
In this paper we study cryptanalysis with non-linear polynomials (cf. Eurocrypt'95; adapted to Feistel ciphers at Crypto 2004). Previously researchers had serious difficulties in making such attacks work. Even though this is less general than a general space partitioning attack (FSE'97), a polynomial algebraic approach has enormous advantages. Properties are more intelligible, and algebraic computational methods can be applied in order to discover or construct the suitable properties. In this paper we show how round invariants can be found for more or less any block cipher, by solving a certain surprisingly simple single algebraic equation (or two). Then if our equation has solutions, which is far from being obvious, it will guarantee that some polynomial invariant will work for an arbitrarily large number of encryption rounds. This paper is a proof of concept showing that it IS possible, for at least one specific quite complex real-life cipher, to construct in a systematic way a non-...
2010
Stream ciphers are quite well known for providing security in communication. Due to their efficient implementation they have received the attention of many cipher designers in previous years. Many new designs have been proposed and extensively analyzed in the form of the NESSIE and eSTREAM projects. In general a new proposed design has to ensure, at least, that it is resistant to the existing attacks. Algebraic attack is now quite a familiar threat for stream ciphers. Therefore, identifying the design components that can strengthen a cipher against algebraic cryptanalysis must also be of interest to stream cipher designers. Algebraic cryptanalysis, in its general form, aims at recovering the internal secret state bits of the registers of the cipher by solving non-linear algebraic equations. That is why it is considered not to be applicable to stream ciphers where registers are updated non-linearly, since in this case the degree of the algebraic equations relating the internal state to key-stream bits increases with each clock. However, different designs with non-linear update may offer disparate levels of resistance. In this thesis, we analyze some structures of stream ciphers with non-linear update and identify the level of resistance their design shows against the recovery of secret internal states. Our objective is to analyze and compare the design of the key generating mechanism and not the cipher along with its initialization mechanism. Thus, we concentrate on the key generating part and compare the ciphers on the basis of how many of their internal state bits can be recovered by solving non-linear algebraic equations, using a guess and determine approach. Because the degree of the equations rises with each clock, some of the internal state bits have to be guessed to recover the remaining ones. Our analysis reveals that, with some careful guessing, more internal state bits can be recovered than would otherwise be possible.
However, some structures are resistant to giving up secret state bits by solving algebraic equations, even after guessing a large number of bits. The aim of this thesis is to identify such structures. The ciphers considered for this work are A5/1, A5/2, Trivium, Grain and Mickey. The significance of this work also lies in the fact that we have analyzed those ciphers which have been selected for the final portfolio of the completed eSTREAM project. Based on our analysis, we also propose some modifications to the design of Grain-v1 to strengthen it against initial state recovery attacks, without any increase in the number of secret state bits. Some modifications to the design of Trivium are also suggested so that the same structure can be used with a larger key space.

Praise to Allah, the Almighty, for blessing me with the strength and patience to go through this difficult part of my career. Without His will and help I would never have managed to even start this journey. Throughout the years of my PhD, numerous people have supported me in different ways. I would like to take this opportunity to gratefully acknowledge their essential contribution. First of all I wish to thank my supervisor Dr. Ashraf Masood for his continuous support and encouragement. I am indebted to him not only for all kinds of guidance and advice in my work but also for his help in some difficult times during these years. I would also like to thank Dr. Akbar, Dr. Noman Jafri and Dr. Shamim Baig, the members of the PhD guidance committee, for their valuable time. This research was financially supported by the Higher Education Commission of Pakistan (HEC) and I am grateful to HEC for giving me this opportunity. I am also grateful to all those researchers in Cryptography whose works have inspired me and guided me throughout my thesis. I would like to thank the National University of Sciences and Technology for giving me the opportunity to join the PhD program.

I would also like to give credit to all the helpful people, faculty and staff at NUST, especially at the Information Security department, for their administrative and practical support. I also wish to thank all my friends and colleagues in the department, especially Firdous Kausar, Liaqat, Nazir, Ahmad Cheema, Imtiaz Ali Khokhar and Dr. Arif Wahla, for their help and support. Throughout these years there was a life besides my studies as well. I would like to extend my gratitude to my friends Rubeena, Shahida and Rabia for giving me encouragement as well as an enjoyable time. Finally many thanks to my ammi and my sisters for giving me unending support and blessings. There were times when I really doubted whether my work would ever be finished. In all such moments my family and my friends were a constant source of comfort and encouragement for me. I would also like to say thank you to my father, for so many things in my life; although he is no longer with me, my achievement would comfort and solace his soul.
IET Information Security, 2010
In this paper we analyse, with respect to algebraic attacks, a small-scale version of the stream cipher Lex. We base it on a small-scale version of the block cipher AES with a 16-bit state and 16-bit key. We represent the small-scale Lex and its key schedule in two alternative ways: as a system of cubic boolean equations and as a system of quadratic boolean equations. We use Gröbner bases to solve the two systems for different numbers of rounds and sizes of the leak. We obtain the best results for the quadratic representation of the cipher. For this case we are able to recover the secret key in less than 2 minutes by solving a system of 374 quadratic boolean equations in 208 unknowns resulting from 5 rounds of the cipher.