# Cryptanalysis of block ciphers with overdefined systems of equations

Courtois, Nicolas T. & Pieprzyk, Josef
(2002)
Cryptanalysis of block ciphers with overdefined systems of equations.
*Advances in Cryptology — ASIACRYPT 2002*, *2501*, pp. 267-287.

## Abstract

Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small S-boxes interconnected by linear key-dependent layers. Their security relies on the fact, that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds N r r.

In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt’00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure.

The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations is seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in N r> , with a huge constant that is double-exponential in the size of the S-box. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives always more than the exhaustive search for Rijndael, it seems to (marginally) break 256-bit Serpent. We suggest a new criterion for design of S-boxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.

Impact and interest:

**Citation counts** are sourced monthly from **Scopus** and **Web of Science®** citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the **Google Scholar™** indexing service can be viewed at the linked Google Scholar™ search.

ID Code: | 73365 |
---|---|

Item Type: | Journal Article |

Refereed: | Yes |

Additional Information: | An issue of Lecture Notes in Computer Science |

DOI: | 10.1007/3-540-36178-2_17 |

ISBN: | 978-3-540-00171-3 |

ISSN: | 0302-9743 |

Divisions: | Current > QUT Faculties and Divisions > Science & Engineering Faculty |

Deposited On: | 04 Jul 2014 00:44 |

Last Modified: | 04 Jul 2014 00:44 |

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page