Systematic Construction of Nonlinear Product Attacks on Block Ciphers

  • Nicolas T. CourtoisEmail author
  • Matteo AbbondatiEmail author
  • Hamy Ratoanina
  • Marek Grajek
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11975)


A major open problem in block cipher cryptanalysis is discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310 or for DES with modified S-boxes. Until now such attacks are hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract the attack from any particular block cipher. We study these attacks in terms of transformations on multivariate polynomials. We shall demonstrate how numerous variables including key variables may sometimes be eliminated and at the end two very complex Boolean polynomials will become equal. We present a general construction of an attack where multiply all the polynomials lying on one or several cycles. Then under suitable conditions the non-linear functions involved will be eliminated totally. We obtain a periodic invariant property holding for any number of rounds. A major difficulty with invariant attacks is that they typically work only for some keys. In T-310 our attack works for any key and also in spite of the presence of round constants.


Block ciphers Boolean functions Feistel ciphers Weak keys DES Generalized linear cryptanalysis Polynomial invariants Multivariate polynomials Annihilator space Algebraic cryptanalysis Polynomial rings Invariant theory 

Supplementary material


  1. 1.
    Bannier, A., Bodin, N., Filiol, E.: Partition-Based Trapdoor Ciphers.
  2. 2.
    Boyar, J., Find, M., Peralta, R.: Four measures of nonlinearity. In: Spirakis, P.G., Serna, M. (eds.) CIAC 2013. LNCS, vol. 7878, pp. 61–72. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  3. 3.
    Beierle, C., Canteaut, A., Leander, G., Rotella, Y.: Proving resistance against invariant attacks: how to choose the round constants. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 647–678. Springer, Cham (2017). Scholar
  4. 4.
    Beyne, T.: Block cipher invariants as eigenvectors of correlation matrices. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 3–31. Springer, Cham (2018). Scholar
  5. 5.
    Coppersmith, D.: The development of DES, Invited Talk, Crypto 2000, August 2000Google Scholar
  6. 6.
    Calderini, M.: A note on some algebraic trapdoors for block ciphers. Accessed 17 May 2018
  7. 7.
    Calik, C., Sonmez Turan, M., Peralta, R.: The multiplicative complexity of 6-variable Boolean functions. Cryptogr. Commun. 11, 93–107 (2019).
  8. 8.
    Charpin, P.: Normal Boolean functions. J. Complex. 20(2–3), 245–265 (2004)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). Scholar
  10. 10.
    Courtois, N., Mourouzis, T., Grocholewska-Czurylo, A., Quisquater, J.-J.: On optimal size in truncated differential attacks. In: CECC 2014, Post-Proceedings in Studia Scientiarum Mathematicarum Hungarica, vol. 52, no. 2, pp. 246–254 (2015)Google Scholar
  11. 11.
    Courtois, N.T., Patrick, A.: Lack of unique factorization as a tool in block cipher cryptanalysis, Preprint, 12 May 2019.
  12. 12.
    Courtois, N.T.: Invariant Hopping Attacks on Block Ciphers, accepted at WCC 2019, Abbaye de Saint-Jacut de la Mer, France, 31 March–5 April 2019Google Scholar
  13. 13.
    Courtois, N.T., Georgiou, M.: Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310. Cryptologia (2019).
  14. 14.
    Courtois, N.T., Georgiou, M.: Constructive non-linear polynomial cryptanalysis of a historical block cipher.
  15. 15.
    Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003). Scholar
  16. 16.
    Courtois, N.T.: Algebraic attacks on combiners with memory and several outputs. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 3–20. Springer, Heidelberg (2005). Extended version available on Scholar
  17. 17.
    Courtois, N.T.: On the existence of non-linear invariants and algebraic polynomial constructive approach to backdoors in block ciphers. Accessed 27 Mar 2019
  18. 18.
    Courtois, N.T.: Structural nonlinear invariant attacks on T-310: attacking arbitrary boolean functions, Accessed 12 Sept 2019
  19. 19.
    Courtois, N.T.: Feistel schemes and bi-linear cryptanalysis. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 23–40. Springer, Heidelberg (2004). Scholar
  20. 20.
    Courtois, N.T., Castagnos, G., Goubin, L.: What do DES S-boxes say to each other? (2003).
  21. 21.
    Courtois, N.T.: An improved differential attack on full GOST. In: Ryan, P.Y.A., Naccache, D., Quisquater, J.-J. (eds.) The New Codebreakers. LNCS, vol. 9100, pp. 282–303. Springer, Heidelberg (2016). Scholar
  22. 22.
    Courtois, N.: An improved differential attack on full GOST. Cryptology ePrint Archive, Report 2012/138, 15 March 2012, December 2015.
  23. 23.
    Courtois, N.T., et al.: Cryptographic security analysis of T-310, monography study on the T-310 block cipher, 132 p., 20 May 2017. Accessed 29 June 2018
  24. 24.
    Courtois, N.T., Oprisanu, M.-B.: Ciphertext-only attacks and weak long-term keys in T-310. Cryptologia 42(4), 316–336 (2018).
  25. 25.
    Courtois, N.T., Oprisanu, M.-B., Schmeh, K.: Linear cryptanalysis and block cipher design in East Germany in the 1970s. Cryptologia (2018).
  26. 26.
    Courtois, N., Drobick, J., Schmeh, K.: Feistel ciphers in East Germany in the communist era. Cryptologia 42(6), 427–444 (2018)CrossRefGoogle Scholar
  27. 27.
    Courtois, N.: Algebraic complexity reduction and cryptanalysis of GOST. Monograph study on GOST cipher, 2010–2014, 224 p.
  28. 28.
    Dobbertin, H.: Construction of bent functions and balanced Boolean functions with high nonlinearity. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 61–74. Springer, Heidelberg (1995). Scholar
  29. 29.
    Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 24–38. Springer, Heidelberg (1995). Scholar
  30. 30.
    Knudsen, L.R., Robshaw, M.J.B.: Non-linear approximations in linear cryptanalysis. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Heidelberg (1996). Scholar
  31. 31.
    Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 206–221. Springer, Heidelberg (2011). Scholar
  32. 32.
    Lipton, R.J., Regan, K.W.: Nicolas Courtois: the linearization method. In: People, Problems, and Proofs, pp. 259–262. Springer, Heidelberg (2013).
  33. 33.
    De Meyer, L., Vaudenay, S.: DES S-box generator. Cryptologia 41(2), 153–171 (2017). Scholar
  34. 34.
    Kim, K., Lee, S., Park, S., Lee, D.: Securing DES S-boxes against three robust cryptanalysis. In: SAC 1995, vol. 2595, pp. 145–157 (1995)Google Scholar
  35. 35.
    Schmeh, K.: The East German encryption machine T-310 and the algorithm it used. Cryptologia 30(3), 251–257 (2006)Google Scholar
  36. 36.
    Shamir, A.: On the security of DES. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 280–281. Springer, Heidelberg (1986). Scholar
  37. 37.
    Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM and Midori 64. J. Cryptol. 32, 1–40 (2018)Google Scholar
  38. 38.
    Wei, Y., Ye, T., Wenling, W., Pasalic, E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Trans. Symmetric Cryptol. 4, 62–79 (2018). Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.University College LondonLondonUK
  2. 2.Independent Maths TeacherLondonUK
  3. 3.Independent Crypto History ExpertGrodzisk MazowieckiPoland

Personalised recommendations