Algebraic Attacks vs. Design of Block and Stream Ciphers. Nicolas T. Courtois - University College London


1 Algebraic Attacks vs. Design of Block and Stream Ciphers Nicolas T. Courtois - University College London

2 A New Frontier in Symmetric Cryptanalysis. Modern symmetric cryptanalysis: the number of ciphers broken with respect to their security claims is O(effort); the number of ciphers broken in practice is o(effort). DES, AES etc. have never really been broken. (Courtois, Indocrypt 2008)

3 A New Frontier in Symmetric Cryptanalysis: 2 Small Remarks. Winston Churchill used to say: the truth is so precious that she should always be attended by a bodyguard of lies. Cryptanalysis is not very popular: the number of papers at major crypto conferences has decreased each year, for some reason, in the last 15 years.

4 Alternative Title: A New Frontier in Symmetric Cryptanalysis? (e.g. low-data complexity attacks)

5 0. Intro

6 Instead of a Summary. How to design secure ciphers? Nobody knows; it is a complex question. Remark: there exist provably secure stream ciphers (QUAD), but NO good candidates for provably secure block ciphers. What components to choose (bottom-up)? Most of the current cipher design paradigms can be expressed in terms of good Boolean functions / good vectorial functions (S-boxes). What else? Good diffusion: the Wide Trail Strategy (WTS, later slides), avalanche.

7 Boolean Functions, ANF. Any function GF(2)^n → GF(2) can be written uniquely as a multivariate polynomial over GF(2) of degree at most 1 in each variable: its Algebraic Normal Form (ANF).

8 The Tale of Good Boolean Functions. Good Boolean functions, good S-boxes ⇒ high non-linearity ⇒ provably prevents correlation / differential / linear / GLC attacks. Magical objects that make ciphers secure? [figure: a good Boolean function]

9 Avoiding Simple Boolean Functions. Not enough! Main claim / result: one should rather think about avoiding Boolean / algebraic relations!

10 Central Criterion for Designing Cryptographic Components [Courtois 1999, PhD thesis]: non-existence of low-degree / small-size multivariate relations between the input bits and the output bits.

11 Special Case: I/O Degree. A good cipher should use at least some components with high I/O degree.

12 Claim / Proposal. This criterion is proposed (it can be necessary) for the security of: S-boxes in block ciphers; combiners in stream ciphers; trapdoor functions (PK crypto, HFE).

13 Why? No proof. Some devastating attacks on some ciphers; many ciphers not broken in the slightest. Overall, just another super-paranoid security criterion, which is probably not always necessary, as is frequent in crypto research.

14 Another Interpretation of I/O: I = Inside the block/stream cipher, O = Outside of your block/stream cipher.

15 Multivariate Cryptography: cryptosystems using polynomials with several variables over a finite field. Multivariate Cryptanalysis, or Algebraic Cryptanalysis: cryptographic attacks using polynomials with several variables over a finite field.

16 A New Frontier in Symmetric Cryptanalysis: Roadmap.
- Multivariate / algebraic cryptanalysis.
- Guess-then-determine: SAT/UNSAT strategy, or mixed with many steps; MITM.
- Software / SAT solvers.
- Cube attacks [Vielhaber, Dinur, Shamir 08].
- Higher-order differentials: every cipher of low polynomial degree can be broken.
- ElimLin: amazingly powerful.
- XL, Gröbner bases, F4, F5: for dense systems of equations; inappropriate tools in most other cases.
- Combination attacks.
- Other tools: truncated differentials (DC), multiple-point DC, higher-order DC.

17 GOST, Self-Similarity and Cryptanalysis of Block Ciphers - My Favourite Groups (Nicolas T. Courtois)

18 Different Types of Cryptanalysis. The approximation approach: linear, differential, higher-order differential, impossible differential, Jakobsen-Knudsen approximation attacks, etc. All are based on probabilistic characteristics, true with some probability. Consequently the security grows exponentially with the number of rounds, and so does the number of required plaintexts in the attacks (the main limitation in practice). The exact algebraic approach: write equations to solve, true with probability 1. A very small number of known plaintexts is required.

19 Exact / Algebraic / Multivariate Cryptanalysis. Breaking a "good" cipher should require "as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type" [Shannon, 1949]. Common belief: large systems of equations become intractable very easily.

20 **However. What makes the problem hard is not the number of variables, but the balance between the number of equations and the number of monomials. The XL algorithm and Gröbner bases techniques: [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [F5/2 by Jean-Charles Faugère], [old papers by Lazard]. The XSL variant: [Courtois, Pieprzyk, Asiacrypt 02]. Consequence: systems that are overdefined, sparse, or both, turn out to be much easier to solve than expected.

21 Problem 1: Overdefined Systems. Most cryptographic security relies on the hardness of largely overdefined problems: much more information than necessary (a great many plaintexts, message/signature pairs, etc.). Public key cryptography: the solution is provable security: each use of the cryptographic scheme does not leak useful information. Secret key cryptography: still little provable security, and yet it is here that the problems become the most overdefined: huge amounts of data encrypted with one key, fast hardware, etc.

22 Problem 2: Algebraic Sparsity. Many cryptographic schemes (for practical reasons) have a simple algebraic description, which usually leads to a sparse system of equations. In software, large tables might be used; in hardware, the number of gates should be small, which gives a simple description with simple Boolean polynomials.

23 Problem 3: Linear Components. Linearity is commonly used for diffusion, sequence generation (LFSRs), etc. Still believed OK. Problem: it preserves the degree of algebraic equations!

24 A New Frontier in Symmetric Cryptanalysis: The Role of Finite Fields, e.g. GF(2). They allow one to encode any cryptographic problem as a problem of solving Boolean equations.

25 Multiplicative Complexity (MC). Definition: every function can be represented as a number of multiplications plus linear functions over a finite field/ring. We call MC (Multiplicative Complexity) the minimum number of multiplications needed. Home reading: the set of slides multcomp.pdf on Moodle. (Nicolas T. Courtois 2012)

26 **The Role of NP-hard Problems. They guarantee hardness in the worst case; many are not that hard in practice, and many concrete instances can be solved. Multiple reductions allow one to use algorithms that solve one problem to solve another.

27 Theorem (Algebraization): every function over a finite field is a polynomial function [can be proven as a corollary of Lagrange's interpolation formula]. False over rings! E.g. false for T-functions.

28 Problem 4: Low Degree / Low Complexity. Bottom line: every cipher which can be expressed by low-degree polynomials is broken. Cf. Xuejia Lai, "Higher order derivatives and differential cryptanalysis" [1992].

29 Problem 4: Low Degree / Low Complexity. Bottom line: every cipher which can be expressed by low-degree polynomials is broken. Remark for LFSR-based stream ciphers: later we will see how to substantially LOWER the degree: I/O relations, algebraic immunity, annihilators, the Courtois-Meier attack, etc.

30 Lai's Essential Result: summing a polynomial over all values of some of its inputs (taking a higher-order derivative) lowers its degree, so we can decrease the non-linear degree by summing different polynomials ⇒ every cipher which can be expressed by low-degree polynomials is broken.

31 Cube Attacks [Vielhaber, Dinur,Shamir 08]

32 Trivial ε Attacks. Cube attacks are highly sophisticated, highly technical attacks, BUT they achieve NOTHING more than breaking XX+ε rounds of a cipher where XX rounds is already broken by an attack which the crypto community considers excessively trivial.

33 Step By Step. A cube attack is about summing COMPLEX multivariate polynomials (most of which are never written down). Online phase, CPA: several concrete values are added, 0+1+... Their sum polynomial depends on the key in a very simple way ⇒ this gives simple equations on the key.
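As an added illustration that is not part of the slides, here is the mechanism of slides 30-33 on a constructed toy: a degree-3 polynomial f in three key bits and three IV bits, invented for this example. Summing f over a cube of IV bits is a higher-order derivative, so the offline phase can find cubes whose superpoly is linear in the key, and the online phase recovers the key from chosen-IV queries only. The secret key and the polynomial are the only assumptions.

```python
"""Cube attack on a constructed low-degree 'cipher' (added example, not from
the slides; the polynomial f is invented so that every cube sum can be checked
by hand). Summing f over all values of a set I of IV bits (the cube) is the
|I|-th order derivative of slide 30: only terms divisible by the cube monomial
survive, and what is left is the superpoly p_I. The offline phase (chosen key
and IV) finds cubes whose superpoly is linear in the key; the online phase
(chosen IV only) evaluates those sums under the secret key and solves."""
from itertools import combinations, product

KEY_BITS, IV_BITS = 3, 3


def f(k, v):
    """The 'cipher': v0 v1 k0 + v0 v1 v2 + v0 v2 k2 + v1 k1 + k0 k1 + v2 over GF(2)."""
    return ((v[0] & v[1] & k[0]) ^ (v[0] & v[1] & v[2]) ^ (v[0] & v[2] & k[2])
            ^ (v[1] & k[1]) ^ (k[0] & k[1]) ^ v[2])


def cube_sum(k, cube):
    """XOR of f over all 2^|cube| values of the cube bits; other IV bits are 0."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * IV_BITS
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= f(k, v)
    return total


def linear_superpoly(cube):
    """Offline phase: read p_I(k) = c + sum_j a_j k_j off the all-zero key and the
    unit keys, then verify linearity on every key (a real attack uses randomised
    BLR tests because the key space is not enumerable). None if not linear."""
    zero = [0] * KEY_BITS
    c = cube_sum(zero, cube)
    coeffs = []
    for j in range(KEY_BITS):
        unit = zero[:]
        unit[j] = 1
        coeffs.append(cube_sum(unit, cube) ^ c)
    for k in product((0, 1), repeat=KEY_BITS):
        predicted = c ^ (sum(a & kj for a, kj in zip(coeffs, k)) % 2)
        if predicted != cube_sum(list(k), cube):
            return None
    return c, coeffs


def find_useful_cubes():
    """All cubes whose superpoly is linear and actually involves the key."""
    found = {}
    for size in range(1, IV_BITS + 1):
        for cube in combinations(range(IV_BITS), size):
            sp = linear_superpoly(cube)
            if sp is not None and any(sp[1]):
                found[cube] = sp
    return found


def online_attack(cubes, oracle):
    """Query each cube sum under the secret key (oracle(cube)) and solve the
    linear system sum_j a_j k_j = observed + c by Gaussian elimination over GF(2).
    Rows are ints: coefficient bits 0..KEY_BITS-1, right-hand side at bit KEY_BITS."""
    low = (1 << KEY_BITS) - 1
    pivots = {}
    for cube, (c, coeffs) in cubes.items():
        v = sum(a << j for j, a in enumerate(coeffs)) | ((oracle(cube) ^ c) << KEY_BITS)
        while v & low:
            lead = (v & low).bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    for lead in sorted(pivots):                   # back-substitution
        for other in pivots:
            if other != lead and (pivots[other] >> lead) & 1:
                pivots[other] ^= pivots[lead]
    key = [None] * KEY_BITS
    for lead, v in pivots.items():
        if v & low == 1 << lead:                  # row is exactly k_lead = rhs
            key[lead] = v >> KEY_BITS
    return key


SECRET_KEY = [1, 0, 1]   # constructed secret; the attacker only sees cube sums under it
```

On this f the cubes {v0,v1}, {v0,v2} and {v1} have the superpolys k0, k2 and k1, so three chosen-IV cube sums recover the whole key; the cube {v2} is rejected because its superpoly is the constant 1, which says nothing about the key. That is exactly Lai's higher-order differential with the cube variables as the differentiation directions, which is the point of the controversy on the following slides.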

34 Cube Attacks Controversies [1]. Dan Bernstein: "Why haven't cube attacks broken anything? Cube attacks work well for random polynomials of small degree. Real-world ciphers, when viewed as polynomials, don't have small degree. Lai 1992 explains how to break every small-degree cipher; actually it broke a VERY large number of rounds of Trivium. It seems to me that "cube attacks" are simply a reinvention of Lai's HO DC attack; if Dinur and Shamir had cited Lai's paper [...] then they would have been forced to drop essentially all of their advertising."

35 Plagiarism: *Cube Controversy [2]. Dinur and Shamir DO/DID NOT credit Michael Vielhaber's "Algebraic IV Differential Attack" (AIDA) as a precursor of the cube attack. Dinur stated at Eurocrypt 2009 that Cube generalises and improves upon AIDA. However, Vielhaber contends that the cube attack is no more than his attack under another name.

36 1. Finite Fields, Block Ciphers and AES (2 separate files)

37 1.1. Block Ciphers and Algebraic Relations

38 How do We Attack AES? Very ambitious. AES pushes the classical design principles (= high non-linearity) to their limits, to optimality. Explore these limits. Look for pitfalls!

39 What About Block Ciphers? Q: Do these polynomial relations MATTER AT ALL for block ciphers (e.g. AES)? Remark: they break a lot of stream ciphers very badly.

40 YES! Q: Do these polynomial relations MATTER AT ALL for block ciphers? YES (at least for some of them).

41 This Cipher is Broken for 1 M Rounds! F: inverse in GF(2^n). [Jakobsen-Knudsen FSE 97, Courtois AES 4]

42 ***Bi-linear Cryptanalysis [Courtois, Crypto 04]

43 ***2. Weak Cipher Number 2. Round function: [figure on the slide]. Very secure against all known attacks on block ciphers, but broken for 1 M rounds!

44 ***3. Another Insecure Cipher. 64-bit Feistel cipher, 32-bit round function: [figure on the slide]. Looks very secure, etc. Broken for up to 2^16 rounds! [Courtois AES 4]

45 ****4. Insecure Unbalanced Feistel Networks (e.g. SHA-x). This one again looks very secure. Again, broken for up to 2^16 rounds!

46 AES Structure and Design (Nicolas T. Courtois, October 2006). Wide Trail Strategy (WTS): assures very good diffusion; proposed by the designers of AES. The approximation attacks: deadly; WTS forces one to approximate a great many S-boxes at the same time, so AES is very secure against LC/DC. WTS probably kills all these insecure ciphers that are very special. The exact algebraic approach: combine relations true with probability 1. The wide trail strategy still plays a huge role in practice/theory.

47 *AES Under Attack

48 Controversial Paper [Asiacrypt 02 / eprint] Cryptanalysis of Block Ciphers with Overdefined Systems of Equations Nicolas T. Courtois Advanced Crypto Research, Axalto Smart Cards, France Josef Pieprzyk Center for Advanced Computing - Algorithms and Cryptography, ICS, Macquarie University, Australia

49 Echoes in the Press. Bruce Schneier, Crypto-Gram [the world's No. 1 crypto/security newsletter]: "AES News: AES may have been broken [...], there's no need to panic. Yet. But there might be soon [...] These are amazing results. [...] Many cryptographers who previously felt good about AES are having second thoughts [...]"

50 *Echoes in the Press (the world's largest-circulation science magazine), 27 Sept. 2002:

51 *Cover Page of New Scientist:


54 XSL Ciphers: [diagram on the slide: in each round the round key K_i is XORed in (X), an S-box layer is applied (S), then a linear diffusion layer (L)]

55 The so-called XSL Attack and AES: not a very efficient attack, a sort of scientific research programme. "XSL is not an attack, it is a dream" (Vincent Rijmen, AES designer).

56 XSL Attacks - Summary. Algebraic attacks on block ciphers work in 3 stages:
1. Write good equations: overdefined, sparse, or both.
2. Expand, to obtain a very overdefined system.
3. A final "in place" elimination method that completely solves the system.
Two versions of the Courtois-Pieprzyk paper: the original paper is on eprint.iacr.org/2002/044 (archive, not updated any more): the First XSL attack and the Second XSL attack, the most powerful versions. Asiacrypt 02: the Compact Version of the First XSL Attack, the most general, least powerful, simpler and easier to study.

57 **Reinvent it in 2015: algebraic attacks on block ciphers today:
1. Write good equations, overdefined, sparse or both: LESS TRIVIAL than expected [new tricks: higher degree, add variables, etc.].
2. Expand: avoid this step, or minimise its impact.
3. A final "in place" deduction / inference / elimination method: ElimLin alone and the T' method, amazingly powerful; new tools [SAT solvers], amazingly powerful.

58 Part 1: Find good equations, such that equations / monomials = 1/4 or so.

59 Part 2: Expand to a very overdefined system, close to saturation: free equations / monomials close to 1.

60 Part 3: Final step, achieve complete saturation, giving the key bits: free equations / monomials = exactly 1.

61 AES Won 2000 NIST vote. Serpent was second

62 Unbelievable Security. Most people think it is easy to achieve 2^256: just mix sufficiently many strange functions, and security grows exponentially in the number of rounds. Our claim: it is hard to achieve the security level of 2^256.

63 Moore's Law. The computing power of 2^256 will not be available before year … Until then, so much higher mathematics and so many better methods of cryptanalysis will be found. Guess: all cryptosystems that claim today the security level of 2^256 will be broken by then.

64 Part 1: Find good equations, such that equations / monomials = 1/4 or so.

65 MQ Problem: find a solution to a system of m quadratic equations in n variables over a field/ring.

66 MQ Problem: find a solution (at least one), i.e. find (x_0, ..., x_{n-1}) such that the m quadratic equations hold.

67 Known applications of MQ. Multivariate schemes such as UOV, HFE, Quartz and Sflash are based on MQ. In usual applications nobody is using these new schemes. But they are about the only known solutions for some specific applications: very short signatures with Quartz, the fastest signatures in the world with Sflash [cf. PKC 2003]. Who cares about MQ?

68 Surprising applications of MQ. Claim: 90% of all applied cryptography is based on MQ. 1. RSA is based on MQ with m=1 and n=2: factoring N ⇔ solving x^2 = y^2 mod N. 2. Rijndael is based on MQ?

69 Rijndael S-boxes: (y_1, ..., y_8) = S(x_1, ..., x_8). Theorem: for each S-box there are r = 39 quadratic equations in the 16 variables x_i, y_i that are true with probability 1. An overdefined MQ system: 39 equations in 16 variables.

70 Origin of the equations (cf. the cryptanalysis of Matsumoto-Imai by J. Patarin, Crypto 95). For the inversion y = x^{-1} in GF(2^8) (the Rijndael S-box before its affine layer): x·y = 1 for x ≠ 0 gives 8 bi-linear equations, 7 of which still hold at x = 0 (only the coordinate carrying the constant 1 fails there): 7 equations true with probability 1. x^2·y = x: 8 equations. x·y^2 = y: 8 equations. Together: 23 bi-linear quadratic equations. x^3 = x^4·y: 8 equations, and y^3 = y^4·x: 8 equations; these are still quadratic (x^2 and x^4 are linear over GF(2)) but no longer bi-linear. Total: r = 39.

71 Optimal S-boxes? [Anne Canteaut, Marion Videau, Eurocrypt 2002]: optimal for linear, differential and higher-order differential attacks. We do not know any worse S-box in terms of r. [table on the slide: power, number of equations r, per S-box]

72 Reduction Rijndael → MQ. Rijndael-128: recovering the secret key can be rewritten as an MQ system of 8000 quadratic equations in 1600 variables over GF(2). But how to solve it?
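The S-box count on slide 69 (r = 39 quadratic equations) and the I/O-relation criterion of slides 10-11 and 29 can be checked mechanically. The following Python is an added example, not the authors' code: for any S-box given as a lookup table it computes the number r of linearly independent quadratic equations among the t monomials of degree ≤ 2 in its input and output bits (the kernel of the evaluation matrix over all inputs), and for a single Boolean function its ANF, degree and algebraic immunity. The AES S-box is rebuilt from its definition, the 3-bit S-box is the one whose ANF appears on slide 107, and the majority function is a constructed test input.

```python
"""Algebraic relations of cryptographic components over GF(2): an added example,
not the authors' code. Three measurements from the slides: the ANF and degree of
a Boolean function, its algebraic immunity (least degree of a non-zero g with
f*g = 0 or (f+1)*g = 0, the quantity the Courtois-Meier attacks exploit), and the
number r of independent quadratic I/O relations of an S-box among t monomials
(r = 39, t = 137 for the AES S-box; r = 14, t = 22 for the 3-bit S-box of slide 107)."""
from itertools import combinations


def gf2_rank(rows):
    """Rank over GF(2) of bit vectors stored as Python ints (row echelon form)."""
    pivots = {}
    for v in rows:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)


def anf(truth_table):
    """Fast Moebius transform: truth table (index = input word) -> ANF coefficients,
    a[m] = 1 iff the product of the variables in the set bits of m occurs."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    for i in range(n):
        for x in range(len(a)):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return a


def degree(truth_table):
    return max((bin(m).count("1") for m, c in enumerate(anf(truth_table)) if c), default=0)


def var_columns(bit_source, n, npoints):
    """Truth table, as an int over npoints inputs, of bit i of bit_source(x), for each i."""
    return [sum(((bit_source(x) >> i) & 1) << x for x in range(npoints)) for i in range(n)]


def monomial_columns(var_cols, d, npoints):
    """Truth tables of all monomials of degree <= d: a product of variables is the
    bitwise AND of their truth tables, the constant 1 is all ones."""
    out = []
    for k in range(d + 1):
        for c in combinations(range(len(var_cols)), k):
            col = (1 << npoints) - 1
            for i in c:
                col &= var_cols[i]
            out.append(col)
    return out


def algebraic_immunity(truth_table):
    """Least d with a non-zero g of degree <= d vanishing on supp(f) or supp(f+1):
    the monomial columns restricted to that support then have a non-trivial kernel."""
    n = len(truth_table).bit_length() - 1
    npoints = 1 << n
    f = sum(b << x for x, b in enumerate(truth_table))
    xs = var_columns(lambda x: x, n, npoints)
    for d in range(n + 1):
        monos = monomial_columns(xs, d, npoints)
        for support in (f, f ^ ((1 << npoints) - 1)):
            if gf2_rank([m & support for m in monos]) < len(monos):
                return d
    return n


def quadratic_relations(sbox, n):
    """(r, t): independent quadratic equations between the n input bits and the
    n output bits of sbox, and the number t of monomials of degree <= 2."""
    npoints = 1 << n
    cols = var_columns(lambda x: x, n, npoints) + var_columns(lambda x: sbox[x], n, npoints)
    monos = monomial_columns(cols, 2, npoints)
    return len(monos) - gf2_rank(monos), len(monos)


# The AES S-box rebuilt from its definition: inversion in GF(2^8), then the affine map.
def gf256_mul(a, b):
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B                     # reduce by x^8 + x^4 + x^3 + x + 1
        b >>= 1
    return r


def gf256_inv(a):
    """a^254, which also maps 0 to 0 as AES requires."""
    r, p = 1, a
    for bit in range(8):
        if (254 >> bit) & 1:
            r = gf256_mul(r, p)
        p = gf256_mul(p, p)
    return r


def aes_sbox_entry(x):
    v = gf256_inv(x)
    y = 0
    for i in range(8):                      # b_i = a_i + a_{i+4} + a_{i+5} + a_{i+6} + a_{i+7} + c_i
        bit = (v >> i) ^ (v >> ((i + 4) % 8)) ^ (v >> ((i + 5) % 8)) \
            ^ (v >> ((i + 6) % 8)) ^ (v >> ((i + 7) % 8)) ^ (0x63 >> i)
        y |= (bit & 1) << i
    return y


AES_SBOX = [aes_sbox_entry(x) for x in range(256)]
CTC_SBOX = [7, 6, 0, 4, 2, 5, 1, 3]   # 3-bit S-box, bit 0 = X[.][1]; its ANF is on slide 107
MAJ3 = [0, 0, 0, 1, 0, 1, 1, 1]       # majority of 3 bits (constructed), index = x1 + 2*x2 + 4*x3
```

For the AES S-box the 256 × 137 evaluation matrix has rank 98, so r = 137 − 98 = 39; for the 3-bit S-box of slide 107 the 8 × 22 matrix has full rank 8, so r = 22 − 8 = 14, which is exactly the number of quadratic equations listed per S-box on that slide. The same routine applied to degree ≤ 3 monomials measures the "small-size relations" of slide 10 for any component.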

73 Part Expand to a very overdefined system, close to saturation: free eqs. = close to 1 monomials

74 A New Frontier in Symmetric Cryptanalysis: Simple Explanation of How the XL Algorithm Works

76 How to expand? The XL idea: multiply the equations by one or several variables.

77 XL means eXtended Linearisation: multiply (X) and linearise (L), an expansion in the ideal spanned by the equations, doing things like x_1 · l_3 etc.

78 XL Algorithm, F4, F5, etc. [Shamir, Patarin, Courtois, Klimov, Eurocrypt 2000], [Courtois, ICISC 2002], [Courtois, Patarin, CT-RSA 2003], [J.M. Chen and Bo-Yin Yang papers], [old papers by Lazard], [Buchberger's algorithm and Gröbner bases], [F4, F5, F5/2 by Faugère], etc. [Magali Bardet and Gwenolé Ars' work], etc. Asiacrypt 2004: [Claus Diem], [Gwenolé Ars, Jean-Charles Faugère, Makoto Sugita, Mitsuru Kawazoe, Hideki Imai]. XL is about the best general attack we know for MQ. Designed for systems that are overdefined. For 128-bit Rijndael XL gives an astronomical complexity (slide 88).

79 The principle of XL: multiply the initial equations by low-degree monomials; a quadratic equation multiplied by a variable becomes an equation of degree 3.

80 The idea of XL: multiply equations by low-degree monomials. Count the new equations: R. Count the new monomials present: T. One term can be obtained in many different ways, so T grows more slowly than R.

81 How XL works. Initial system: m equations in about n^2/2 terms. Multiply each equation by every product of D−2 variables: this gives R equations in T terms. Idea: one term can be obtained in many different ways, so T grows more slowly than R. Necessary condition: R/T > 1, which fixes the degree D at which XL can work. If this condition were sufficient, the complexity of XL would be about T^ω for that D. Sub-exponential? Not true!

82 XL will always work. Theorem: over any small finite field, when D > q and the field equations x_i^q = x_i can be included, XL always works, for ANY system of equations (worst case). See: Jacques Patarin and Nicolas Courtois: About the XL algorithm over GF(2), CT-RSA 2003, April 2003, San Francisco.

83 XL works quite well

84 The behaviour of XL: it is possible to predict the exact number of linearly independent equations in XL.

85 Applying XL to Rijndael. 1. Makes little sense: XL is a tool for dense systems of equations. 2. Except if there are degree falls: some combinations of unusually low degree, cf. the HFE attacks.

86 Known attacks on AES. 1. Combinatorial attacks: the Square attack [Rijmen-Daemen], multiset attacks [Shamir, Biryukov]: only for a few rounds. 2. Approximation attacks: differential/linear, the interpolation attack, etc.: the security grows exponentially with the number of rounds N_r (and so does the required number of plaintexts).

87 A New Frontier in Symmetric Cryptanalysis: From XL to XSL. "XSL is not an attack, it is a dream" (Vincent Rijmen, AES designer).

88 Pure theory? XL: astronomical complexity. Remark: our system of 8000 quadratic equations in 1600 variables is not a general MQ system. It is sparse; there must be a better method!

89 The XL idea: multiply the equations by one or several variables.

90 The XSL variant: multiply the equations by one or several monomials (out of the monomials present).

91 XSL Algorithm. Main idea: in a sparse system, R/T at the beginning is already much bigger than in a random system. Step 1: optimise sparsity: one variable for each input and each output bit of each S-box. Step 2: multiply by selected monomials: if we multiply by products of existing terms, each resulting term will be obtained several times, thus R/T will be the biggest possible.

92 Naive XSL Attack (on block ciphers). Each S-box: r equations, t terms. Multiply each equation by P−1 terms taken from other S-boxes. S = number of S-boxes in the cipher. Counting the resulting equations R (mainly) and terms T gives R/T ≈ P·r/t, so R/T ≥ 1 requires P ≥ t/r.

93 The Complexity of the Naive XSL Attack: about ((Block size) · (Nb. of rounds))^{ω·O(t/r)}, i.e. polynomial in the block size and the number of rounds, with a huge constant Γ = (t/s)^{t/r} depending only on the S-box parameters (s = S-box size). For a random S-box, Γ is double-exponential in s. For the Rijndael S-box, Γ is simply exponential in s.

94 Less Naive XSL Attack. Over-counting problem: it can be shown that an important part of the equations in R are not linearly independent; only at most R' = t^P − (t−r)^P of these equations are linearly independent, probably a bit less, but not much less. Saturation problem: simulations show that the number Free of linearly independent equations is never very close to T, and for P = 2, when the number of rounds N_r grows, Free stays at a fixed fraction (… %) of T. How to solve the system when T − Free is big?

95 Part 3: Final step, achieve complete saturation, giving the key bits: free equations / monomials = exactly 1.

96 The T' Method [Courtois 2002]. Let x_1 be a variable. Let T' = the number of terms that can be multiplied by x_1 and still belong to the set of T terms. Claim: if Free > T − T', then the system can be solved in about T^ω. Each term outside T' is expressed as a linear combination of terms in T' only; we obtain one or more equations containing only the terms of T'. We do the same with respect to x_2 (2 variables are probably enough). Multiply the exceeding equations of the first system by x_1: we obtain new linearly independent equations, the rank grows! Early simulations show that this heuristic works very well. Transfer the new equations to the other system(s), i.e. rewrite them using only terms that can be multiplied by x_2. After at most T steps we expect to achieve Free = T − 1 or so. It seems that the complexity of the whole is essentially T^ω.

97 An Example of the T' Method. Let n = 5 variables; therefore T = 16 and T' = 10. We start with a random system that has exactly one solution, with Free > T − T' and with 2 exceeding equations, i.e. Free = T − T' + 2. Here is a system in which T' is defined with respect to x_1: [system shown on the slide]

98 T' Method contd. Here is the same system in which T' is defined for x_2: [system shown on the slide]. The two systems allow one to transfer an exceeding equation from one representation to the other in T^2 operations. A kind of iterative decoding.

99 T' Method contd. Back to the first system, in which T' is defined for x_1: we have rank = 8. Multiply the 2 exceeding equations of the first version by x_1. Miracle: we have rank = 10. New linearly independent equations!

100 T' Method contd. Now we have 4 exceeding equations (two old and two new). Transfer them to the second system, then multiply them by x_2: we are not lucky, the second equation is invariant. Still we get 3 new linearly independent equations and rank = 13.

101 T' Method contd. We rewrite the 3 new equations with terms that can be multiplied by x_1. Still rank = 13. We multiply them by x_1: we have rank = 14, one more linearly independent equation. We rewrite the first equation with terms that can be multiplied by x_2.

102 T' Method contd. We still have rank = 14. Then we multiply the new equation by x_2. We get another new linearly independent equation: rank = 15. This rank is the maximum that can be achieved: there are 15 non-zero monomials here, and rank = 16 can only be achieved for a contradictory system. We expect that the number of additional equations in the T' method grows quickly.

103 Remarks on the T' Method. Theorem [Coppersmith 2002, never published]: the T' method cannot work with only a few special variables. Use all of them! *

104 Remarks on the T' Method. Even in this case, the complexity is multiplied only by n, a small factor compared to T^ω. For example n = 2^11 and T^ω = 2^87: a moderate increase, AES would still be broken. My simulations show that the T' method works very well, which is in fact very surprising!

105 Application of the T' trick. If Free > T − T', then the system can be solved in about T^ω. For AES-256 we obtain, for P = 5: R/(T − T') = … Then T = 2^96 and T^ω = 2^… Consequence: if Free > 99.4% of T, then AES-256 is broken in about 2^… Current simulations on a toy cipher give rather Free ≈ … % of T, apparently a size-independent constant! A different constant for Rijndael? To be seen. For example, when P = 7 we have R/(T − T') = 1.004, but then XSL gives 2^278, more than exhaustive search.

106 CTC = Courtois Toy Cipher [eprint]. 3-bit S-boxes. Diffusion: permuting wires (as the DES P-box!). 1, 2, 4, 8, … S-boxes per round. 1, 2, 3, …, 10, …, 30, … rounds. Key size == block size. Simple key schedule: a bit permutation (as in DES!).

107 Equations From a Real Example
1. Quadratic (for each S-box):
X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1
X[0][1]*X[0][3]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][1]+Z[0][2]+X[0][2]+1
X[0][1]*Z[0][2]+Z[0][2]+Z[0][1]+X[0][3]
X[0][2]*X[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][1]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][2]+X[0][1]+1
X[0][2]*Z[0][2]+X[0][1]*Z[0][3]+X[0][1]
X[0][2]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][1]+X[0][3]+X[0][2]+1
X[0][3]*Z[0][1]+X[0][1]*Z[0][3]+Z[0][3]+Z[0][1]
X[0][3]*Z[0][2]+Z[0][3]+Z[0][1]+X[0][3]+X[0][1]
X[0][3]*Z[0][3]+X[0][1]*Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][1]*Z[0][2]+Z[0][3]+X[0][1]
Z[0][1]*Z[0][3]+Z[0][3]+Z[0][2]+X[0][2]+X[0][1]+1
Z[0][2]*Z[0][3]+Z[0][3]+Z[0][2]+Z[0][1]+X[0][3]+X[0][1]
X[1][1]*X[1][2]+Z[1][1]+X[1][3]+X[1][2]+X[1][1]+1
X[1][1]*X[1][3]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][1]+Z[1][2]+X[1][2]+1
X[1][1]*Z[1][2]+Z[1][2]+Z[1][1]+X[1][3]
X[1][2]*X[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]+1
X[1][2]*Z[1][1]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][2]+X[1][1]+1
X[1][2]*Z[1][2]+X[1][1]*Z[1][3]+X[1][1]
X[1][2]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][1]+X[1][3]+X[1][2]+1
X[1][3]*Z[1][1]+X[1][1]*Z[1][3]+Z[1][3]+Z[1][1]
X[1][3]*Z[1][2]+Z[1][3]+Z[1][1]+X[1][3]+X[1][1]
X[1][3]*Z[1][3]+X[1][1]*Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1
Z[1][1]*Z[1][2]+Z[1][3]+X[1][1]
Z[1][1]*Z[1][3]+Z[1][3]+Z[1][2]+X[1][2]+X[1][1]+1
Z[1][2]*Z[1][3]+Z[1][3]+Z[1][2]+Z[1][1]+X[1][3]+X[1][1]
(the same S-box gives the same 14 equations in both positions; the constant +1 terms are identical in both sets)
2. Linear (connecting S-boxes via the key variables):
1+X[0][1]=k_0
1+X[0][2]=k_1
1+X[0][3]=k_2
1+X[1][1]=k_3
1+X[1][2]=k_4
1+X[1][3]=k_5
Z[0][3]+X[2][1]=k_1
Z[1][1]+X[2][2]=k_2
Z[1][2]+X[2][3]=k_3
Z[1][3]+X[3][1]=k_4
Z[0][1]+X[3][2]=k_5
Z[0][2]+X[3][3]=k_0
Z[2][3]+1=k_2
Z[3][1]+1=k_3
Z[3][2]+1=k_4
Z[3][3]+1=k_5
Z[2][1]+0=k_0
Z[2][2]+1=k_1

108 3. Part R (each S-box equation × some existing monomial): more equations, the XSL expansion. If L1 denotes X[0][1]*X[0][2]+Z[0][1]+X[0][3]+X[0][2]+X[0][1]+1, we have: L1*1, L1*X[1][1], L1*X[1][2], L1*X[1][3], L1*Z[1][1], L1*Z[1][2], L1*Z[1][3], L1*X[1][1]*Z[1][1], L1*X[1][1]*Z[1][2], L1*X[1][1]*Z[1][3], L1*X[1][2]*Z[1][1], L1*X[1][2]*Z[1][2], L1*X[1][2]*Z[1][3], ..., L56*k_0, L56*k_1, L56*k_2, L56*k_3, L56*k_4, L56*k_5.
4. Part R (linear equation × some existing monomial): if L57 denotes 1+X[0][1]=k_0, we have: L57*1, L57*X[0][1], L57*X[0][2], L57*X[0][3], L57*Z[0][1], L57*Z[0][2], L57*Z[0][3], L57*X[0][1]*Z[0][1], L57*X[0][1]*Z[0][2], L57*X[0][1]*Z[0][3], ..., L57*k_1, L57*k_2, L57*k_3, L57*k_4, L57*k_5.

109 How to finish? Initial proposal: the T' method. Works very well in practice, but it must be run many times (each time the rank increases). Alternatives: use Gröbner bases. Better alternatives: SAT solvers, ElimLin.

110 5. New Equations: the T' method. Example of how the rank grows (4 S-boxes): [plot on the slide]. A unique solution is found in (time on the slide) seconds.

111 ***Will the T' method suffice? Maybe. Free/(T − T') … XSL expected to work for up to 16 rounds.

112 ****Less Naive XSL Attack. Over-counting problem: now assume R' = t^P − (t−r)^P. Saturation problem: use the T' method.

113 Complexity of the Less Naive XSL. Very surprisingly, the more realistic formulas give very similar results to the naive version: about ((Block size) · (Nb. of rounds))^{ω·O(t/r)}. Is XSL polynomial with a huge constant? Not sure at all. Simulations show that P will rather increase (slowly) with N_r.

114 Summary: XSL takes advantage of the fact that the equations are overdefined and sparse. Expected (at least) to work better than XL. For 128-bit Rijndael the claimed XSL complexity was at least 2^…

115 Is AES-256 broken? For AES-256, XSL seems to give 2^… (the version on eprint, with cubic equations). Not proven; based on heuristic assumptions.

116 Remark 1: people naively believe that XSL does not work well. The truth: nobody knows!

117 Remark 2: we know MUCH BETTER algebraic attacks on block ciphers today.

118 Murphy and Robshaw Variant [Murphy, Robshaw, Crypto 2002, see Section 6, added after they read our paper]. They write an equivalent system of MQ equations, but over GF(2^8), much sparser than over GF(2). For AES-128, it seems that XSL could solve such a system in as little as 2^100.

119 AES-128 broken in 2^88? Gwenolé Ars' PhD thesis [June 2005]: the author presents an attack in 2^88 that might maybe work (?????)

120 Papers on XSL and AES. The original paper (archive, not updated any more) is available on eprint.iacr.org/2002/044: the First XSL attack and the Second XSL attack, the most powerful versions. Asiacrypt 2002: the so-called Compact Version of the First XSL Attack, the most general version of the XSL attack, least powerful, simpler and easier to study. Some software and tools: (links on the original slide).

121 Algebraic Attacks on Block Ciphers: Fast Algebraic Attacks on Block Ciphers (Nicolas T. Courtois)

122 Fast Algebraic Attacks on Block Ciphers. Definition [informal on purpose]: methods to lower the degree of the equations that appear throughout the computations [e.g. the maximum degree in F4] (more generally: to substantially lower the memory requirements of algebraic attacks compared to their running time). A very rich galaxy of attacks, to be studied in the next 20 years. How to lower the degree?
- by having several P/C pairs (bigger, yet much easier!), by CPA, CPCA, etc.
- by fixing internal variables (Guess-then-Algebraic)
- by finding [approximate] equations on bigger blocks, by interpolation [cf. W. Meier's talk]
- by guessing equations that have a strong bias: Linear-Algebraic or Bi-Linear-Algebraic Cryptanalysis, Differential-Algebraic
- by a clever choice of representation
- by introducing new variables (oh yes!)
- by having a larger key
- new tricks to be invented?
Cumulative effect!!!

123 How to Evaluate the Quality of Algebraic Attacks. Compare ONLY to other similar attacks: the straightforward algebraic approach (write + solve), and other attacks that work given a VERY SMALL quantity of plaintexts. NEVER compare to DC/LC etc.: it doesn't make sense. They are two independent areas of research that have no intersection. Both allow us to write 100s of papers, but do not expect to break 3DES or AES tomorrow morning.

124 Solving Methods: Solver Software

125 Fact: in recent years huge progress has been made. Up to 510 S-boxes broken on a laptop: fast algebraic attacks on block ciphers ⇐ the cumulative effect of improvements in many directions.

126 What's New. The biggest discoveries in science are the simplest.

127 3.3. ElimLin: The Most Surprising. Complete description: find linear equations in the linear span; substitute, and repeat. Amazingly powerful. (Surprisingly) VERY HARD TO IMPLEMENT: heuristics to preserve sparsity, local optimisation, data representation and memory management vs. speed.

128 3.3. ElimLin. Remark: in a way it is an ultra-light and super-simplified version of F4 operating at degree 1.05 or 2.01 (this makes sense: there is a relatively small number of higher-degree monomials, and certain types of monomials are much more likely to ever appear).
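To make the XL expansion of slides 76-81 and the ElimLin loop of slides 127-128 concrete, the following Python (an added example, not the authors' ElimLin implementation or XL software) runs both on a constructed 3-variable, 4-equation quadratic system over GF(2). XL at D = 2 (plain linearisation) only finds x_1 = 0; at D = 3, after multiplying every equation by every variable, the linearised system contains a linear equation for each variable. ElimLin solves the same system without raising the degree at all, by substituting each linear equation it finds and looking again. The system, the variable numbering and the monomial ordering are this example's own choices.

```python
"""XL and ElimLin over GF(2) on a tiny constructed system: an added example,
not the authors' software. xl() is the expansion of slides 76-81: multiply
every equation by all monomials of degree <= D-2, treat each monomial as a new
unknown, eliminate, and keep the rows that involve only degree <= 1 monomials.
elimlin() is the loop of slides 127-128: find linear equations in the linear
span, substitute, repeat. demo_system() was chosen so that both runs can be
followed by hand (R = m * #monomials of degree <= D-2, T = #monomials of degree <= D)."""
from itertools import combinations

Mono = frozenset   # a monomial is the set of variables it multiplies (x_i^2 = x_i)


def mul(p, m):
    """Multiply polynomial p (a set of monomials) by monomial m."""
    out = set()
    for q in p:
        out ^= {q | m}          # symmetric difference = addition mod 2
    return out


def substitute(p, var, expr):
    """Replace x_var in p by the polynomial expr (which must not contain x_var)."""
    out = set()
    for m in p:
        out ^= mul(expr, m - {var}) if var in m else {m}
    return out


def monomials_up_to(n, d):
    return [Mono(c) for k in range(d + 1) for c in combinations(range(n), k)]


def echelon(polys, n, D):
    """Linearize polys over all monomials of degree <= D (bit 0 = constant,
    bit i+1 = x_i, higher degrees above) and row-reduce; returns {leading bit: row}."""
    index = {m: i for i, m in enumerate(monomials_up_to(n, D))}
    pivots = {}
    for f in polys:
        v = sum(1 << index[m] for m in f)
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return pivots, len(index)


def row_to_poly(v, n):
    """Back from the linearization, for rows of degree <= 1 only."""
    p = {Mono([i]) for i in range(n) if (v >> (i + 1)) & 1}
    if v & 1:
        p.add(Mono())
    return p


def xl(equations, n, D):
    """One XL step at degree D: returns (R, T, rank, linear polynomials found)."""
    expanded = [mul(f, m) for f in equations for m in monomials_up_to(n, D - 2)]
    pivots, T = echelon(expanded, n, D)
    linear = [row_to_poly(v, n) for lead, v in pivots.items() if lead <= n]
    return len(expanded), T, len(pivots), linear


def elimlin(equations, n):
    """ElimLin. Returns {variable: 0/1 when determined, else its expression}."""
    eqs = [set(f) for f in equations]
    known = {}
    while True:
        D = max((len(m) for f in eqs for m in f), default=0)
        pivots, _ = echelon(eqs, n, D)
        linear = [v for lead, v in pivots.items() if 1 <= lead <= n]
        if not linear:
            break
        v = linear[0]
        var = v.bit_length() - 2                      # leading variable of the row
        expr = row_to_poly(v ^ (1 << (var + 1)), n)   # x_var = rest of the row
        eqs = [g for g in (substitute(f, var, expr) for f in eqs) if g]
        known = {k: substitute(e, var, expr) for k, e in known.items()}
        known[var] = expr
    return {k: (1 if Mono() in e else 0) if e <= {Mono()} else e for k, e in known.items()}


def xl_solve(equations, n):
    """Raise D until the linear rows found by XL determine every variable."""
    for D in range(2, n + 1):
        sol = elimlin(xl(equations, n, D)[3], n)
        if len(sol) == n and all(isinstance(val, int) for val in sol.values()):
            return D, sol
    return None


def demo_system():
    """Constructed system in x_0, x_1, x_2 with the unique solution (1, 0, 1)."""
    M = lambda *v: Mono(v)
    return [{M(0, 1), M(2), M()},              # x0*x1 + x2 + 1
            {M(1, 2), M(0), M()},              # x1*x2 + x0 + 1
            {M(0, 2), M(1), M()},              # x0*x2 + x1 + 1
            {M(0, 1), M(1), M(2), M()}]        # x0*x1 + x1 + x2 + 1
```

At D = 2 the four rows live in T = 7 monomials and the only linear combination of degree ≤ 1 is the sum of the first and fourth equations, x_1; at D = 3 there are R = 16 rows in T = 8 monomials and, because x_0·x_1 and x_1·x_2 are now in the span, x_0 + 1 and x_2 + 1 appear as well. ElimLin reaches the same answer in three substitution rounds (x_1 = 0, then x_2 = 1, then x_0 = 1) with no row ever exceeding degree 2, which is the "degree 1.05 or 2.01" remark of slide 128 in miniature.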

129 3.4. ANF-to-CNF: The Outsider. Before we tried, we actually never believed it could work. Convert MQ to a SAT problem (both are NP-hard problems).

130 3.4. ANF-to-CNF: The Outsider. Principle 1: each monomial = one dummy variable; d+1 clauses for each degree-d monomial.

131 Also Principle 2: handling XORs. Not obvious: long XORs are known to be hard problems for SAT solvers. Split longer XORs into several shorter ones with more dummy variables: about 4h clauses for a XOR of size h.

132 ANF-to-CNF. This description is enough to produce a working version. There is space for non-trivial optimisations. See: Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers.
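The two principles above are enough to write a converter. The following Python is an added example, not the Bard-Courtois-Jefferson tool: it turns a system of ANF polynomials over GF(2) into DIMACS-style clauses, with one dummy variable and d+1 clauses per non-linear monomial, and XOR chains cut to at most 3 literals (4 clauses per cut, the origin of the "about 4h" count). A brute-force check on a constructed 4-variable system confirms the clause counts and that the CNF has exactly the ANF system's solution. The cut length and the sample system are this example's assumptions.

```python
"""ANF-to-CNF conversion following slides 130-131 (added example, not the
authors' tool). Principle 1: every non-linear monomial becomes a dummy variable
with d+1 clauses for degree d. Principle 2: each polynomial is a XOR; long XORs
are cut into pieces of at most `cut` literals with more dummy variables, which
costs about 4h clauses for a XOR of h terms. Variables are DIMACS-style
positive integers, a clause is a list of signed integers."""
from itertools import product


class AnfToCnf:
    def __init__(self, n_vars, cut=3):
        self.n = n_vars
        self.next_var = n_vars + 1
        self.cut = cut
        self.clauses = []
        self.monomial_var = {}

    def fresh(self):
        v = self.next_var
        self.next_var += 1
        return v

    def monomial(self, m):
        """Principle 1: dummy a <-> AND of the variables in m (d + 1 clauses)."""
        if len(m) == 1:
            return next(iter(m))
        if m not in self.monomial_var:
            a = self.fresh()
            self.monomial_var[m] = a
            for x in m:
                self.clauses.append([-a, x])              # a -> x
            self.clauses.append([a] + [-x for x in m])    # all x -> a
        return self.monomial_var[m]

    def xor(self, lits, parity):
        """Principle 2: XOR(lits) == parity, cut with a = l0 ^ l1 while too long."""
        lits = list(lits)
        while len(lits) > self.cut:
            a = self.fresh()
            self.direct_xor([lits[0], lits[1], a], 0)     # l0 ^ l1 ^ a = 0 (4 clauses)
            lits = [a] + lits[2:]
        self.direct_xor(lits, parity)

    def direct_xor(self, lits, parity):
        """Forbid every assignment whose XOR is wrong: 2^(h-1) clauses for h literals."""
        if not lits:
            if parity:
                self.clauses.append([])                   # empty clause: unsatisfiable
            return
        for bits in product((0, 1), repeat=len(lits)):
            if sum(bits) % 2 != parity:
                self.clauses.append([-l if b else l for l, b in zip(lits, bits)])

    def add_polynomial(self, poly):
        """poly == 0, where poly is a set of monomials (frozensets of variables);
        frozenset() stands for the constant 1."""
        const = 1 if frozenset() in poly else 0
        self.xor([self.monomial(m) for m in poly if m], const)


def original_solutions(conv):
    """Brute-force the CNF (tiny instances only) and project onto x_1..x_n:
    the result must equal the solution set of the ANF system."""
    total = conv.next_var - 1
    found = set()
    for bits in product((0, 1), repeat=total):
        value = {i + 1: b for i, b in enumerate(bits)}
        if all(any(value[abs(l)] == (l > 0) for l in clause) for clause in conv.clauses):
            found.add(bits[:conv.n])
    return found


def demo():
    """Constructed 4-variable system with the unique solution x1=0, x2=0, x3=1, x4=0."""
    x = lambda *vs: frozenset(vs)
    conv = AnfToCnf(4)
    conv.add_polynomial({x(1, 2), x(3), x()})            # x1*x2 + x3 + 1 = 0
    conv.add_polynomial({x(1, 2, 3), x(4)})              # x1*x2*x3 + x4 = 0
    conv.add_polynomial({x(1), x(2), x(3), x(4), x()})   # x1 + x2 + x3 + x4 + 1 = 0
    return conv
```

The demo produces 19 clauses over 7 variables: 3 for the monomial x1·x2, 4 for x1·x2·x3, 2 for each of the two short XORs, and 8 for the 4-term XOR after one cut. A 10-term linear equation costs 7 cuts plus the final 3-XOR, i.e. 4·(10−3)+4 = 32 clauses, which is the "about 4h" of slide 131; without cutting it would need 2^9 = 512. The clause list can be written out in DIMACS format and handed to MiniSat or CryptoMiniSat as on the following slides.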

133 Algebraic Attacks on Block Ciphers Ready Software Several ready programs to perform this conversion are made available on this web page: Nicolas T. Courtois,

134 Algebraic Attacks on Block Ciphers What are SAT solvers? Solving SAT Heuristic algorithms for solving SAT problems. Guess some variables. Examine consequences. If a contradiction found, I can add a new clause saying In this set of constraints one is false. Very advanced area of research. Introduction for dummies : Gregory Bard PhD thesis. 134 Nicolas T. Courtois,

135 Algebraic Attacks on Block Ciphers MiniSat 2.0. Winner of SAT-Race 2006 competition. An open-source SAT solver package, by Niklas Eén, Niklas Sörensson, Later improved A LOT by Mate Soos => CryptoMiniSat 2.9.X 135 Nicolas T. Courtois,

136 Algebraic Attacks on Block Ciphers Ready Software for Windows Several ready programs to solve SAT problems are also available on the same web page: Nicolas T. Courtois,

137 Algebraic Attacks on Block Ciphers ANF-to-CNF + MiniSat 2.0. Gives amazing results in algebraic cryptanalysis of just any (not too complex/not too many rounds) cipher, cf. (VSH). Also for random sparse MQ. Certain VERY large systems solved in seconds on PC (thousands of variables!). Few take a couple hours/days Then infeasible, sharp increase. Jump from 0 to. 137 Nicolas T. Courtois,

138 Algebraic Attacks on Block Ciphers What Are the Limitations of Algebraic Attacks? When the number of rounds grows: complexity jumps from 0 to. With new attacks and new tricks being proposed: some systems are suddenly broken with no effort. => jumps from to nearly 0! 138 Nicolas T. Courtois,

139 Algebraic Attacks on Block Ciphers **What Can Be Done with SAT Solvers? Clearly it is not the size of the system but the nature of it. Sometimes more powerful than GB, sometimes less. Paradoxes: If you guess some variables, can become much slower. Great variability in results (hard to compute an average running time, better to look at 20 % faster timings). Memory: For many cases tiny: 9 Mbytes while Magma hangs at > 2Gbytes for the same system. For some working cases: 1.5 Gbytes and substantial time. Then terminates with the solution as well. 139 Nicolas T. Courtois,

140 ***Toy Ciphers

141 CTC/CTC2 = Courtois Toy Cipher [eprint]. 3-bit S-boxes. Diffusion D: permuting wires (as the DES P-box!). 1, 2, 4, 8, ... S-boxes per round. 1, 2, 3, ..., 10, ..., 30, ... rounds. Key size == block size. Simple key schedule: bit permutation (as in DES!)

142 *CTC2, a more recent variant. Virtually no difference: a different D-box, but the difference is at 1 bit position only (!). Changes everything w.r.t. linear cryptanalysis. Changes nothing w.r.t. algebraic cryptanalysis. In both cases 6 rounds are broken, 7 rounds maybe this year.

143 **CTC vs. CTC2. CTC2: just remove one weak bit. No other difference. Same for 99% of positions.

144 CTC2 S-box: random on 3 bits without linear equations. Theorem [Courtois]: 14 MQ equations:

145 ToyRijndael and ToySerpent: basically a 4-bit version of CTC.

146 ToyRijndael S-box [4 bits]: Inv + Affine as in AES, borrowed from Carlos Cid. Theorem [Courtois]: 21 MQ equations. ToySerpent S-box [4 bits]: S-box number 2 [chosen at random] stolen from Serpent [without permission from the authors]. Theorem [Courtois]: 21 MQ equations.

147 ToySerpent vs. ToyRijndael: both cases: 21 MQ equations. Same degree, same number, yet TOTALLY DIFFERENT results (and we can explain why!). Bad news for the idea (IOH) that I/O degree implies the existence of algebraic attacks. For some equations good attacks [for 5 rounds]. For some equations little hope. The Rijndael S-box shows unexpected resistance w.r.t. our fast algebraic attack on block ciphers [ElimLin].

148 Weakness in Serpent S-box 2: 4 / 21 equations are of the types: 2 are Linear + X², 2 are Linear + Y². 0 / 21 such equations for the 4-bit Rijndael S-box!

149 Combined Effect of These: they allow to avoid / lower the relative rank of the set of higher-degree monomials in the x_i in algebraic equations that can be written for several rounds. In other words, some quadratic monomials / some linear combinations of monomials can be systematically eliminated. Claim: this will greatly help to compute Gröbner bases at a lower degree! Now we will test the most optimistic version of this claim: replace F4 by ElimLin; how many linear equations can we generate?

150 Interesting and WEIRD Question. KPA. How many linear equations are true with Pr=1? [figure: P_1, P_2, P_3 -> 0-few rounds -> more rounds -> C_1, C_2, C_3]

151 Very Surprising and Powerful. Answer 1: they don't exist (cf. LC). Answer 2: they DO exist when the P_i are fixed! Can they be recovered by interpolation? I did program this. Some toy examples take ages. Most relevant cases => infeasible! Too large matrices. Fact: I have found a method to compute these equations VERY EFFICIENTLY given the set of plaintexts P_i. Arbitrary = a KPA. Remark: a whole (big) part of the algebraic attack is done for a truncated cipher, i.e. without knowing the ciphertext; pre-computation is possible given the spec. of the cipher (problem to use it: only easy with CPA).

152 When the P_i are fixed, how many equations? Nb. of linear equations found, 5 rounds x 3 S-boxes, KPA truncated (unknown ciphertext), ToySerpent & ToyRijndael. Equations with rounds 0-5. Some totally avoid the first 2 rounds: rounds 3-5. More powerful with the full cipher (the ciphertexts are known => WORKS FROM both directions!!!!). ElimLin even easier!

153 Combinatorial Explosion. Nb. of new linear equations grows FASTER than LINEAR!!! Nb. of variables grows linearly in K. Unstoppable force of an asymptotic. See our lab: mlin_simon_ctc2.pdf

154 What About Real Life Ciphers?

155 DES. At a first glance, DES seems to be a very poor target: there is (apparently) no strong algebraic structure of any kind in DES.

156 What's Left? Idea 1: (IOH) algebraic I/O relations. Theorem [Courtois-Pieprzyk]: every S-box has a low I/O degree => 3 for DES. Idea 2: (VSH) DES has been designed to be implemented in hardware => very sparse quadratic equations at the price of adding some 40 new variables per S-box.

157 Results? Both Idea 1 (IOH) and Idea 2 (VSH) (and some 20 others I have tried) can be exploited in working key recovery attacks.

158 S-boxes S1-S4 [Matthew Kwan]

159 S-boxes S5-S8 [Matthew Kwan]

160 I/O Degree. A good cipher should use at least some components with high I/O degree.

161 Theorem

162 Corollary: cubic equations and DES: exactly 112 for all DES S-boxes.

163 5. Selected Results: Some Successful Attacks

164 Results on CTC. Nicolas T. Courtois: How Fast can be Algebraic Attacks on Block Ciphers?, eprint.iacr.org/2006/168/. 6 rounds broken: 255-bit key, 510 S-boxes. ElimLin: 80 hours after 210/255 bits are guessed. 64 CP. About 10 times (slightly) faster than exhaustive search.

165 Results on CTC2. Much more resistant to LC [cf. Orr Dunkelman and Nathan Keller: Linear Cryptanalysis of CTC, eprint.iacr.org/2006/250/]. ElimLin still breaks 6 rounds in the same way (no visible difference). 10 rounds broken if block=96, key=

166 Results on ToySerpent. ToySerpent, 5 rounds, 32 S-boxes * 4 bits. 84 first key bits guessed, 44 remain unknown. 4 CP => broken in 32 hours by ElimLin. 6 rounds should be feasible for the 256-bit version. Work in progress.

167 Results on ToyRijndael. Unexpectedly strong; the only difference is the S-box: 0/21 Linear + X² equations.

168 Results on DES. Nicolas T. Courtois and Gregory V. Bard: Algebraic Cryptanalysis of the D.E.S. In IMA conference 2007, LNCS 4887, Springer. See also: eprint.iacr.org/2006/402/

169 What Can Be Done? Idea 1 (Cubic IOH) + ElimLin: we recover the key of 5-round DES with 3 KP faster than brute force. When 23 variables are fixed, it takes 173 s. Magma crashes at > 2 Gb of RAM. Idea 2 (VSH_40) + ANF-to-CNF + MiniSat 2.0: key recovery for 6-round DES, only 1 KP (!). Fix 20 variables: takes 68 s. Magma crashes with > 2 Gb.

170 What Else Can We Do? Claim: algebraic cryptanalysis is an excellent tool TO STUDY block and stream ciphers. For all properties that hold with probability 1 or close, for 3, 4, 5, 6 rounds (already a lot, very complex to analyse by hand). Proposed application [probably feasible for many ciphers]: find a 4-round differential that holds with probability 1, or show that there isn't any (unsatisfiable/contradictory system of equations).

171 Example: looking for another special property of DES. An attack with a known key (glass-box). Motivation: educational, study differential cryptanalysis. I present this one because it works on a laptop PC for 12 full rounds of DES (which is the best result I have for now).

172 DC example

173 What We Can Do: given a key, find a plaintext with difference (` ',` ') that carries over 12 rounds. Naïve method (exhaustive search): requires 2^48 trial encryptions, about 3 CPU years. Idea 2 (VSH_40) + MiniSat 2.0: only 6 hours.

174 This Was Easy! Why? Reason: there are many solutions (about 2^16). Conclusion: algebraic attacks with SAT are easier when there are many solutions => algebraic cryptanalysis should be a very good tool for breaking hash functions [as shown by Mironov-Zhang, Crypto 2006 Rump Session].

175 Conclusion: keys and special properties of block ciphers CAN be computed in practice with algebraic attacks, and this with little [human] effort.

176 Back to Bigger Picture

177 Unified view of Algebraic Attacks. Algebraic Security Criterion [Courtois 1999]: non-existence of low-degree/small-size multivariate relations between the input bits and the output bits.

178 Avoid Algebraic Relations between inputs/outputs. Applies to multivariate public key cryptosystems: Sflash, Quartz. Applies to the non-linear part of a stream cipher, even if stateful. Applies to the S-boxes of a block cipher.

179 Claim: this criterion is necessary for the security of all these ciphers. No proof. A precaution. Many ciphers still secure.

180 2. Algebraic Attacks on HFE and Other PKCs Based on Multivariate Polynomials

181 Security of HFE. Special case: Matsumoto-Imai cryptosystem [Eurocrypt'88]. A power function (as in the Rijndael S-box) x -> x

182 Attack on Matsumoto-Imai x -> x^3. The inverse function gives Boolean functions of very high degree. Attack: there are many multivariate bilinear relations that allow to break the cipher in no time [Jacques Patarin, Crypto 95].

183 Attack on HFE x -> polynomial of degree d. Again multivariate relations; attack in n^(3/2 log d) [Nicolas Courtois PhD thesis 1998, published in CT-RSA 2001]. New paper about this: [Faugère, Joux, Crypto 2003]. Same attack, but it explains the origin of these equations! Forgot to acknowledge 4 previously published papers [Patarin, Courtois, Shamir-Kipnis, Courtois-Daum-Felke].

184 3. Algebraic Attacks on Stream Ciphers with Linear Feedback (e.g. LFSR-based)

185 Main Problem: Linear Feedback. A great many stream ciphers have a linear feedback (e.g. LFSRs): state = multivariate linear function (prev. state). So what?

186 Linear Feedback is Dangerous. It preserves the degree of the equations. My claim: if one can relate state bits and output bits by only one multivariate equation of low degree without extra variables, then the cipher is broken in polynomial time. Hard to find the right equations, a mix of insight and experimental results, but such attacks may be surprisingly fast, e.g.

187 One I/O Equation => Broken. [figure: P -> linear component -> I -> combiner with memory -> O]

188 Common Opinions on Stream Ciphers. "Most real life designs centre around LFSRs combined by a non-linear Boolean function. State of the art in generic stream cipher cryptanalysis can be summarized as follows: correlation and fast correlation attacks." [Éric Filiol, Decimation Attack of Stream Ciphers, eprint.iacr.org, 2000]

189 Common belief: ciphers with linear feedback (LFSR, etc.) can be made secure using highly non-linear Boolean functions.

190 The Tale of Good Boolean Functions. Good Boolean functions, good S-boxes, etc. prevent correlation and other classical attacks. There are other attacks! [figure: a Good Boolean function]

191 Some Remarks! (no comments) "We can strongly affirm that a very consequent theory of stream encryption exists." "Block ciphers are not secure, one should use stream ciphers instead." "It is impossible to hide a trapdoor in a stream cipher." [Éric Filiol, Plaintext-Dependent Repetition Codes: the AES case, eprint.iacr.org, 2003]

192 The Tale of Good Boolean Functions. Naïve belief that ciphers built out of such components would be secure. In fact this approach fails, sometimes quite miserably, to produce secure ciphers: algebraic attacks on AES and Serpent [Courtois-Pieprzyk, AsiaCrypt 2002]. Stream ciphers: much worse. [For some ciphers, there are no good Boolean functions!]

193 Popular stream ciphers: linear sequence generator + non-linear filter (a stateless combiner). Example: one/several LFSRs + a Boolean function. [figure: state with linear feedback]

194 Notations. Initial key k ∈ GF(2)^n, n bits k_0, k_1, k_2, ..., k_{n-1}. The state s ∈ GF(2)^n: first s = k, then s = L(s), etc. Output bits: apply f(s): b_i = f(L^i(k)). Given: some of the b_i. Find: the secret key k. [figure: LFSR state s_0 s_1 ... s_{n-1} with linear feedback]

195 Direct Algebraic Attack. Approach: solve this system of equations. Extremely overdefined even for a moderate quantity of keystream, e.g. 20 Kbytes.

196 Example: Toyocrypt, n=128, d=63. What if the degree d is too big? 1) Find a low degree approximation: not today, see Nicolas Courtois: Higher Order Correlation Attacks, XL algorithm and Cryptanalysis of Toyocrypt, ICISC 2002 or eprint.iacr.org. 2) Better attacks today.

197 Problem: the degree is usually high (even AFTER taking a lower degree approximation). As for HFE and the Rijndael S-box, consider multivariate relations instead of equations.

198 Solution (the same as usual): relations instead of equations. I/O equations = implicit equations. Their degree turns out to be much lower!

199 Toyocrypt: one of the only two stream ciphers accepted to the second phase of CRYPTREC (for the Japanese government).

200 The design of Toyocrypt. A bent function, add s to make it balanced.

201 Fact: Toyocrypt. There is a multivariate relation of degree 3 in the 128 key bits involving 1 consecutive output bit. Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

202 LILI-128: one of the NESSIE candidates, claimed very secure, rejected (all the other stream ciphers were rejected too!)

203 Fact: LILI-128. There is a multivariate relation of degree 4 in the 89 key bits involving 1 consecutive output bit. Nicolas Courtois, Willi Meier: Algebraic Attacks on Stream Ciphers with Linear Feedback, Eurocrypt 2003.

204 E0: stream cipher used in the wireless interface Bluetooth.

205 Fact: E0. There is a multivariate relation of degree 4 in the 128 key bits involving 4 consecutive output bits. Matthias Krause, Frederik Armknecht: Algebraic Attacks on Combiners with Memory, Crypto 2003.

206 So what? One equation is enough to break all these! Due to the recursive structure of the cipher: linear feedback (e.g. in LFSRs) preserves the degree, so we may generate as many equations as we want.

207 So what? One equation is enough to break all these! Given keystream bits - Using bits of memory - The secret key can be recovered in. Verified experimentally
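The direct algebraic attack of slides 193-195 and 206-207, with the ElimLin procedure of slides 127-128 as the solver, as an added example (constructed here, not code from the talk): a 10-bit LFSR with feedback x^10 + x^3 + 1 filtered by f = s0·s3 + s1 + s7 (both constructed), the keystream equations b_t = f(L^t(k)) written as degree-2 polynomials in the key bits, and ElimLin recovering the key from 70 keystream bits (55 monomials of degree at most 2 in 10 unknowns).

```python
N = 10                           # key / LFSR state size in bits
ONE = frozenset([frozenset()])   # the polynomial "1" (monomial with no variables)

def poly_mul(a, b):
    """Product of two GF(2) polynomials given as sets of frozenset monomials."""
    out = set()
    for ma in a:
        for mb in b:
            out ^= {ma | mb}     # x*x = x, and equal monomials cancel
    return frozenset(out)

def substitute(poly, var, expr):
    """Replace variable `var` by the polynomial `expr` everywhere in `poly`."""
    out = set()
    for mono in poly:
        if var not in mono:
            out ^= {mono}
        else:
            for m2 in expr:
                out ^= {(mono - {var}) | m2}
    return frozenset(out)

def evaluate(poly, bits):
    return sum(all(bits[i] for i in m) for m in poly) % 2

def symbolic_state_bits(nbits):
    """s_t as linear polynomials in the key bits: s_t = k_t for t < N,
    then s_{t+10} = s_t + s_{t+3} (constructed feedback x^10 + x^3 + 1)."""
    seq = [frozenset([frozenset([i])]) for i in range(N)]
    while len(seq) < nbits + N:
        t = len(seq) - N
        seq.append(seq[t] ^ seq[t + 3])
    return seq

def keystream_polynomials(nbits):
    """b_t = f(L^t(k)) with f = s0*s3 + s1 + s7: linear feedback keeps degree 2."""
    s = symbolic_state_bits(nbits)
    return [poly_mul(s[t], s[t + 3]) ^ s[t + 1] ^ s[t + 7] for t in range(nbits)]

def keystream(key, nbits):
    """Bit-level simulation of the same generator; produces the attack's input."""
    state, out = list(key), []
    for _ in range(nbits):
        out.append((state[0] & state[3]) ^ state[1] ^ state[7])
        state.append(state[0] ^ state[3])
        state.pop(0)
    return out

def monomial_key(m):
    return (len(m), sorted(m))

def echelon(polys):
    """Gaussian elimination with monomials as columns, highest degree first:
    a row whose leading monomial is linear then contains only linear terms."""
    pivots = {}                  # leading monomial -> row
    for p in polys:
        p = set(p)
        while p:
            lm = max(p, key=monomial_key)
            if lm in pivots:
                p ^= pivots[lm]
            else:
                pivots[lm] = frozenset(p)
                break
    return pivots

def elimlin(polys):
    """ElimLin: find a linear equation in the linear span, substitute it into
    every equation, repeat. Returns (solved, leftover) with solved[var] = poly."""
    polys = [frozenset(p) for p in polys]
    solved = {}
    while True:
        rows = echelon(polys)
        if frozenset() in rows:           # a row reduced to the constant 1
            raise ValueError("inconsistent system")
        lead = next((lm for lm in rows if len(lm) == 1), None)
        if lead is None:
            return solved, list(rows.values())
        (var,) = lead
        expr = rows[lead] - {lead}        # the row says  x_var = expr
        polys = [q for q in (substitute(p, var, expr) for p in rows.values()) if q]
        solved = {v: substitute(e, var, expr) for v, e in solved.items()}
        solved[var] = expr

def recover_key(bits):
    """Direct algebraic attack: b_t + f(L^t(k)) = 0 for every known bit, then ElimLin."""
    eqs = keystream_polynomials(len(bits))
    system = [p ^ ONE if b else p for p, b in zip(eqs, bits)]
    solved, _ = elimlin(system)
    if len(solved) < N:
        return None                       # not enough keystream to pin down every k_i
    return [1 if solved[i] == ONE else 0 for i in range(N)]

if __name__ == "__main__":
    KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]  # constructed secret key
    bits = keystream(KEY, 70)             # 70 keystream bits vs. 55 monomials
    print("recovered:", recover_key(bits), "correct:", recover_key(bits) == KEY)
```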


More information

Enhancing the Signal to Noise Ratio

Enhancing the Signal to Noise Ratio Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline

More information

Cryptanalysis of Achterbahn

Cryptanalysis of Achterbahn Cryptanalysis of Achterbahn Thomas Johansson 1, Willi Meier 2, and Frédéric Muller 3 1 Department of Information Technology, Lund University P.O. Box 118, 221 00 Lund, Sweden thomas@it.lth.se 2 FH Aargau,

More information

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis

MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis MutantXL: Solving Multivariate Polynomial Equations for Cryptanalysis Johannes Buchmann 1, Jintai Ding 2, Mohamed Saied Emam Mohamed 1, and Wael Said Abd Elmageed Mohamed 1 1 TU Darmstadt, FB Informatik

More information

Subspace Trail Cryptanalysis and its Applications to AES

Subspace Trail Cryptanalysis and its Applications to AES Subspace Trail Cryptanalysis and its Applications to AES Lorenzo Grassi, Christian Rechberger and Sondre Rønjom March, 2017 1 / 28 Introduction In the case of AES, several alternative representations (algebraic

More information

Finding good differential patterns for attacks on SHA-1

Finding good differential patterns for attacks on SHA-1 Finding good differential patterns for attacks on SHA-1 Krystian Matusiewicz and Josef Pieprzyk Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University,

More information

Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany

Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany Advanced Algebraic Attack on Trivium November 26, 2015 Frank-M. Quedenfeld 1 and Christopher Wolf 2 1 University of Technology Braunschweig, Germany frank.quedenfeld@googlemail.com 2 Research center Jülich,

More information

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD Paul D. Yacoumis Supervisor: Dr. Robert Clarke November 2005 Thesis submitted for the degree of Honours in Pure Mathematics Contents 1 Introduction

More information

Quadratic Equations from APN Power Functions

Quadratic Equations from APN Power Functions IEICE TRANS. FUNDAMENTALS, VOL.E89 A, NO.1 JANUARY 2006 1 PAPER Special Section on Cryptography and Information Security Quadratic Equations from APN Power Functions Jung Hee CHEON, Member and Dong Hoon

More information

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions

Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Characterizations on Algebraic Immunity for Multi-Output Boolean Functions Xiao Zhong 1, and Mingsheng Wang 3 1. Institute of Software, Chinese Academy of Sciences, Beijing 100190, China. Graduate School

More information

Algebraic Cryptanalysis of Symmetric Primitives

Algebraic Cryptanalysis of Symmetric Primitives Algebraic Cryptanalysis of Symmetric Primitives Editor Carlos Cid (RHUL) Contributors Martin Albrecht (RHUL), Daniel Augot (INRIA), Anne Canteaut (INRIA), Ralf-Philipp Weinmann (TU Darmstadt) 18 July 2008

More information

Inoculating Multivariate Schemes Against Differential Attacks

Inoculating Multivariate Schemes Against Differential Attacks Inoculating Multivariate Schemes Against Differential Attacks Jintai Ding and Jason E. Gower Department of Mathematical Sciences University of Cincinnati Cincinnati, OH 45221-0025 USA Email: ding@math.uc.edu,

More information

On the Existence of Non-Linear Invariants and Algebraic Polynomial Constructive Approach to Backdoors in Block Ciphers

On the Existence of Non-Linear Invariants and Algebraic Polynomial Constructive Approach to Backdoors in Block Ciphers On the Existence of Non-Linear Invariants and Algebraic Polynomial Constructive Approach to Backdoors in Block Ciphers Nicolas T. Courtois University College London, Gower Street, London, UK Abstract.

More information

On the Security of NOEKEON against Side Channel Cube Attacks

On the Security of NOEKEON against Side Channel Cube Attacks On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security

More information

Algebraic Techniques in Differential Cryptanalysis

Algebraic Techniques in Differential Cryptanalysis Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London FSE 2009, Leuven, 24.02.2009 Martin Albrecht and Carlos

More information

Optimized Interpolation Attacks on LowMC

Optimized Interpolation Attacks on LowMC Optimized Interpolation Attacks on LowMC Itai Dinur 1, Yunwen Liu 2, Willi Meier 3, and Qingju Wang 2,4 1 Département d Informatique, École Normale Supérieure, Paris, France 2 Dept. Electrical Engineering

More information

Owen (Chia-Hsin) Chen, National Taiwan University

Owen (Chia-Hsin) Chen, National Taiwan University Analysis of QUAD Owen (Chia-Hsin) Chen, National Taiwan University March 27, FSE 2007, Luxembourg Work at Academia Sinica supervised by Dr. Bo-Yin Yang Jointly with Drs. Dan Bernstein and Jiun-Ming Chen

More information

Block Cipher Cryptanalysis: An Overview

Block Cipher Cryptanalysis: An Overview 0/52 Block Cipher Cryptanalysis: An Overview Subhabrata Samajder Indian Statistical Institute, Kolkata 17 th May, 2017 0/52 Outline Iterated Block Cipher 1 Iterated Block Cipher 2 S-Boxes 3 A Basic Substitution

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

On the Design of Trivium

On the Design of Trivium On the Design of Trivium Yun Tian, Gongliang Chen, Jianhua Li School of Information Security Engineering, Shanghai Jiaotong University, China ruth tian@sjtu.edu.cn, chengl@sjtu.edu.cn, lijh888@sjtu.edu.cn

More information

Differential Attack on Five Rounds of the SC2000 Block Cipher

Differential Attack on Five Rounds of the SC2000 Block Cipher Differential Attack on Five Rounds of the SC2 Block Cipher Jiqiang Lu Department of Mathematics and Computer Science, Eindhoven University of Technology, 56 MB Eindhoven, The Netherlands lvjiqiang@hotmail.com

More information

The Shortest Signatures Ever

The Shortest Signatures Ever The Shortest Signatures Ever Mohamed Saied Emam Mohamed 1, Albrecht Petzoldt 2 1 Technische Universität Darmstadt, Germany 2 Kyushu University, Fukuoka, Japan mohamed@cdc.informatik.tu-darmstadt.de, petzoldt@imi.kyushu-u.ac.jp

More information

Algebraic Attacks and Stream Ciphers

Algebraic Attacks and Stream Ciphers November 25 th, 24 Algebraic Attacks and Stream Ciphers Helsinki University of Technology mkivihar@cc.hut.fi Overview Stream ciphers and the most common attacks Algebraic attacks (on LSFR-based ciphers)

More information

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor Wuqiang Shen and Shaohua Tang School of Computer Science & Engineering, South China University of Technology, Guangzhou 510006,

More information

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations J.H. Silverman 1, N.P. Smart 2, and F. Vercauteren 2 1 Mathematics Department, Box 1917, Brown

More information

The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function

The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function The ANF of the Composition of Addition and Multiplication mod 2 n with a Boolean Function An Braeken 1 and Igor Semaev 2 1 Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven,

More information

On Stream Ciphers with Small State

On Stream Ciphers with Small State ESC 2017, Canach, January 16. On Stream Ciphers with Small State Willi Meier joint work with Matthias Hamann, Matthias Krause (University of Mannheim) Bin Zhang (Chinese Academy of Sciences, Beijing) 1

More information

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers 1 Improved characteristics for differential cryptanalysis of hash functions based on block ciphers Vincent Rijmen Bart Preneel Katholieke Universiteit Leuven ESAT-COSIC K. Mercierlaan 94, B-3001 Heverlee,

More information

SAT-Solvers: propositional logic in action

SAT-Solvers: propositional logic in action SAT-Solvers: propositional logic in action Russell Impagliazzo, with assistence from Cameron Held October 22, 2013 1 Personal Information A reminder that my office is 4248 CSE, my office hours for CSE

More information

ASYMMETRIC ENCRYPTION

ASYMMETRIC ENCRYPTION ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall

More information

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher

MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher MILP-based Cube Attack on the Reduced-Round WG-5 Lightweight Stream Cipher Raghvendra Rohit, Riham AlTawy, & Guang Gong Department of Electrical and Computer Engineering, University of Waterloo Waterloo,

More information

Multivariate Quadratic Public-Key Cryptography Part 1: Basics

Multivariate Quadratic Public-Key Cryptography Part 1: Basics Multivariate Quadratic Public-Key Cryptography Part 1: Basics Bo-Yin Yang Academia Sinica PQCrypto Executive Summer School 2017 Eindhoven, the Netherlands Friday, 23.06.2017 B.-Y. Yang (Academia Sinica)

More information

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &

More information

An Improved Affine Equivalence Algorithm for Random Permutations

An Improved Affine Equivalence Algorithm for Random Permutations An Improved Affine Equivalence Algorithm for Random Permutations Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. In this paper we study the affine equivalence problem,

More information

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version Mohamed Ahmed Abdelraheem, Julia Borghoff, Erik Zenner Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark {M.A.Abdelraheem,J.Borghoff,E.Zenner}@mat.dtu.dk

More information

Breaking Symmetric Cryptosystems Using Quantum Algorithms

Breaking Symmetric Cryptosystems Using Quantum Algorithms Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking

More information

Public key cryptography using Permutation P-Polynomials over Finite Fields

Public key cryptography using Permutation P-Polynomials over Finite Fields Public key cryptography using Permutation P-Polynomials over Finite Fields Rajesh P Singh 1 B. K. Sarma 2 A. Saikia 3 Department of Mathematics Indian Institute of Technology Guwahati Guwahati 781039,

More information

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version)

Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Cube Attacks on Non-Blackbox Polynomials Based on Division Property (Full Version) Yosuke Todo 1, Takanori Isobe 2, Yonglin Hao 3, and Willi Meier 4 1 NTT Secure Platform Laboratories, Tokyo 180-8585,

More information

Solving Quadratic Equations with XL on Parallel Architectures

Solving Quadratic Equations with XL on Parallel Architectures Solving Quadratic Equations with XL on Parallel Architectures Cheng Chen-Mou 1, Chou Tung 2, Ni Ru-Ben 2, Yang Bo-Yin 2 1 National Taiwan University 2 Academia Sinica Taipei, Taiwan Leuven, Sept. 11, 2012

More information

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis

Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis Another View on Cube Attack, Cube Tester, AIDA and Higher Order Differential Cryptanalysis Bo Zhu 1, Guang Gong 1, Xuejia Lai 2 and Kefei Chen 2 1 Department of Electrical and Computer Engineering, University

More information

Provable Security Against Differential and Linear Cryptanalysis

Provable Security Against Differential and Linear Cryptanalysis Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University Introduction CRADIC Linear Hull SPN and Two Strategies Highly

More information

Cube attack in finite fields of higher order

Cube attack in finite fields of higher order Cube attack in finite fields of higher order Andrea Agnesse 1 Marco Pedicini 2 1 Dipartimento di Matematica, Università Roma Tre Largo San Leonardo Murialdo 1, Rome, Italy 2 Istituto per le Applicazioni

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

New candidates for multivariate trapdoor functions

New candidates for multivariate trapdoor functions New candidates for multivariate trapdoor functions Jaiberth Porras 1, John B. Baena 1, Jintai Ding 2,B 1 Universidad Nacional de Colombia, Medellín, Colombia 2 University of Cincinnati, Cincinnati, OH,

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Appendix A: Symmetric Techniques Block Ciphers A block cipher f of block-size

More information

The Hash Function JH 1

The Hash Function JH 1 The Hash Function JH 1 16 January, 2011 Hongjun Wu 2,3 wuhongjun@gmail.com 1 The design of JH is tweaked in this report. The round number of JH is changed from 35.5 to 42. This new version may be referred

More information

Invariant Hopping Attacks on Block Ciphers

Invariant Hopping Attacks on Block Ciphers Invariant Hopping Attacks on Block Ciphers attack 3 attack 4 strong Bool + high degree invariant + high success proba attack 1 2x linear attack 2 1x linear Nicolas T. Courtois University College London,

More information

Computers and Mathematics with Applications

Computers and Mathematics with Applications Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Algebraic analysis of Trivium-like ciphers (Poster)

Algebraic analysis of Trivium-like ciphers (Poster) Algebraic analysis of Trivium-like ciphers (Poster) Sui-Guan Teo 1 Kenneth Koon-Ho Wong 1 Harry Bartlett 2 Leonie Simpson 2 Ed Dawson 1 1 Institute for Future Environments 2 Science and Engineering Faculty

More information