Cryptanalysis of block ciphers with overdefined systems of equations, 2002
Cited by 253 (22 self)
Abstract. Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small S-boxes interconnected by linear key-dependent layers. Their security relies on the fact that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt'00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations it seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in Nr, with a huge constant that is double-exponential in the size of the S-box. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives more than the exhaustive search for Rijndael, it seems to (marginally) break 256-bit Serpent. We suggest a new criterion for design of S-boxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.
Survey and Benchmark of Block Ciphers for Wireless Sensor Networks
ACM Transactions on Sensor Networks, 2004
Cited by 89 (1 self)
Choosing the most storage- and energy-efficient block cipher specifically for wireless sensor networks (WSNs) is not as straightforward as it seems. To our knowledge so far, there is no systematic evaluation framework for the purpose. In this paper, we have identified the candidates of block ciphers suitable for WSNs based on existing literature.
Algebraic Cryptanalysis of the Data Encryption Standard
In preparation. See IACR ePrint, 2006
Cited by 56 (14 self)
In spite of the growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. The triple
Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers, 2007
Cited by 41 (13 self)
The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware, and have low gate counts, resulting in a sparse system of equations, which in turn renders such attacks feasible. On one hand, numerous recent papers on the XL algorithm and more sophisticated Gröbner-bases techniques [5, 7, 13, 14] demonstrate that systems of equations are efficiently solvable when they are sufficiently overdetermined or have a hidden internal algebraic structure that implies the existence of some useful algebraic relations. On the other hand, most of this work, as well as most successful algebraic attacks, involve dense, not sparse systems, at least until linearization by XL or a similar algorithm. No polynomial-system-solving algorithm we are aware of demonstrates that a significant benefit is obtained from the extreme sparsity of some systems of equations. In this paper, we study methods for efficiently converting systems of low-degree sparse multivariate equations into a conjunctive normal form satisfiability (CNF-SAT) problem, for which excellent heuristic algorithms have been developed in recent years. A direct application of this method gives very efficient results: we show that sparse multivariate quadratic systems (especially if overdefined) can be solved much faster than by exhaustive search if β ≤ 1/100. In particular, our method requires no additional memory beyond that required to store the problem, and so often terminates with an answer for problems that cause Magma and Singular to crash. On the other hand, if Magma or Singular do not crash, then they tend to be faster than our method, but this case includes only the smallest sample problems.
Algebraic Techniques in Differential Cryptanalysis
Proceedings of the First International Conference on Symbolic Computation and Cryptography, SCC 2008, 2008
Cited by 34 (7 self)
Abstract. In this paper we propose a new cryptanalytic method against block ciphers, which combines both algebraic and statistical techniques. More specifically, we show how to use algebraic relations arising from differential characteristics to speed up and improve key-recovery differential attacks against block ciphers. To illustrate the new technique, we apply algebraic techniques to mount differential attacks against round-reduced variants of Present-128.
SFLASHv3 - A Fast Asymmetric Signature Scheme - Revised Specification of SFLASH, version 3.0, 2003
"... this paper, see [27] ..."
A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms
Proceedings of Eurocrypt 2003, 2003
Cited by 22 (2 self)
This paper presents two algorithms for solving the linear and the affine equivalence problem for arbitrary permutations (S-boxes). For a pair of n × n-bit permutations the complexity of the linear equivalence algorithm (LE) is O(n^3 2^n). The affine equivalence algorithm (AE) has complexity O(n^3 2^(2n)). The algorithms are efficient and allow one to study linear and affine equivalences for bijective S-boxes of all popular sizes (LE is efficient up to n ≤ 32). Using these tools new equivalent representations are found for a variety of ciphers: Rijndael, DES, Camellia, Serpent, Misty, Kasumi, Khazad, etc. The algorithms are furthermore extended for the case of non-bijective n-to-m-bit S-boxes with a small value of n − m, and for the case of almost equivalent S-boxes. The algorithms also provide new attacks on a generalized Even-Mansour scheme. Finally, the paper defines a new problem of S-box decomposition in terms of Substitution Permutation Networks (SPN) with layers of smaller S-boxes. Simple information-theoretic bounds are proved for such decompositions.
An Analysis of the XSL Algorithm
Proceedings of Asiacrypt 2005, LNCS, 2005
Cited by 21 (4 self)
Abstract. The XSL "algorithm" is a method for solving systems of multivariate polynomial equations based on the linearization method. It was proposed in 2002 as a dedicated method for exploiting the structure of some types of block ciphers, for example the AES and Serpent. Since its proposal, the potential for algebraic attacks against the AES has been the source of much speculation. Although it has attracted a lot of attention from the cryptographic community, currently very little is known about the effectiveness of the XSL algorithm. In this paper we present an analysis of the XSL algorithm, by giving a more concise description of the method and studying it from a more systematic point of view. We present strong evidence that, in its current form, the XSL algorithm does not provide an efficient method for solving the AES system of equations. Keywords: XSL algorithm, T' method, Linearization, AES.
Small Scale Variants of the AES
Proceedings of FSE 2005, LNCS, 2005
Cited by 17 (4 self)
Abstract. In this paper we define small scale variants of the AES. These variants inherit the design features of the AES and provide a suitable framework for comparing different cryptanalytic methods. In particular, we provide some preliminary results and insights when using off-the-shelf computational algebra techniques to solve the systems of equations arising from these small scale variants.
Block Ciphers and Systems of Quadratic Equations
In the proceedings of FSE 2003, Lecture Notes in Computer Science, 2003
Cited by 15 (1 self)
In this paper we compare systems of multivariate polynomials, which completely define the block ciphers Khazad, Misty1, Kasumi, Camellia, Rijndael and Serpent, in view of a potential danger of an algebraic relinearization attack.