An Enhanced Binary Characteristic Set Algorithm and Its Applications to Algebraic Cryptanalysis

  • Sze Ling Yeo
  • Zhen Li
  • Khoongming Khoo
  • Yu Bin Low
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10355)


Efficient methods to solve Boolean polynomial systems underlie the effectiveness of algebraic attacks on cryptographic ciphers and the security of multivariate cryptosystems. Amongst various polynomial solving algorithms, the binary characteristic set algorithm was recently proposed to solve Boolean polynomial systems, including those arising from ciphers. In this paper, we propose some novel techniques to enhance the existing characteristic set solver. Specifically, we incorporate the ElimLin procedure and apply basic statistical learning techniques to improve the performance of the characteristic set algorithm. Our experiments show that our enhanced solver EBCSA performs better than existing algebraic methods on some ciphers, including the CANFIL and PRESENT ciphers. We also perform the first algebraic cryptanalysis of the PRINCE cipher and an algebraic attack on Toyocrypt in a more practical/realistic setting compared to previous attacks.


Characteristic set algorithm; Algebraic cryptanalysis; ElimLin; Statistical learning



We are grateful to Dr. Matt Henricksen, Dr. Yap Wun She, Dr. Lee Hian Kiat and Ms. Ivana Thng for their helpful contributions throughout the project.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Sze Ling Yeo (1)
  • Zhen Li (1)
  • Khoongming Khoo (2)
  • Yu Bin Low (2)
  1. Infocomm Security Department, Institute for Infocomm Research, Singapore, Singapore
  2. DSO National Laboratories, Singapore, Singapore