Block Ciphers Sensitive to Gröbner Basis Attacks

  • Johannes Buchmann
  • Andrei Pyshkin
  • Ralf-Philipp Weinmann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3860)


We construct and analyze Feistel and SPN ciphers that have a sound design strategy against linear and differential attacks but for which the encryption process can be described by very simple polynomial equations. For a block and key size of 128 bits, we present ciphers for which practical Gröbner basis attacks can recover the full cipher key requiring only a minimal number of plaintext/ciphertext pairs. We show how Gröbner bases for a subset of these ciphers can be constructed with negligible computational effort. This reduces the key-recovery problem to a Gröbner basis conversion problem. By bounding the running time of a Gröbner basis conversion algorithm, FGLM, we demonstrate the existence of block ciphers resistant against differential and linear cryptanalysis but vulnerable against Gröbner basis attacks.







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Johannes Buchmann (1)
  • Andrei Pyshkin (1)
  • Ralf-Philipp Weinmann (1)

  1. Fachbereich Informatik, Technische Universität Darmstadt, Darmstadt, Germany
