STUDY SPACE
Cryptanalysis of Block Ciphers with Overdefined Systems of Equations

Cryptanalysis of Block Ciphers with Overdefined Systems of Equations

2002 | Nicolas T. Courtois, Josef Pieprzyk
This paper presents an algebraic attack on block ciphers, specifically targeting Rijndael and Serpent. The attack, called XSL (eXtended Sparse Linearization), exploits the algebraic structure of the S-boxes in these ciphers. The S-boxes of Rijndael and Serpent can be described by overdefined systems of quadratic equations, which are true with probability 1. The XSL attack uses the sparsity and structure of these equations to reduce the complexity of solving the system. Unlike traditional cryptanalytic methods that rely on probabilistic characteristics, the XSL attack uses only relations that are true with probability 1, making its complexity grow polynomially (or subexponentially) with the number of rounds. The attack has a parameter P, which is expected to be a constant or grow very slowly with the number of rounds. The complexity of the XSL attack is double-exponential in the size of the S-box. The paper shows that the XSL attack can marginally break 256-bit Serpent, but not Rijndael. The authors suggest that S-boxes in block ciphers should not be describable by a system of polynomial equations that is too small or too overdefined. The paper also discusses the implications of the XSL attack for the design of block ciphers, emphasizing the need for S-boxes with high algebraic complexity.This paper presents an algebraic attack on block ciphers, specifically targeting Rijndael and Serpent. The attack, called XSL (eXtended Sparse Linearization), exploits the algebraic structure of the S-boxes in these ciphers. The S-boxes of Rijndael and Serpent can be described by overdefined systems of quadratic equations, which are true with probability 1. The XSL attack uses the sparsity and structure of these equations to reduce the complexity of solving the system. Unlike traditional cryptanalytic methods that rely on probabilistic characteristics, the XSL attack uses only relations that are true with probability 1, making its complexity grow polynomially (or subexponentially) with the number of rounds. The attack has a parameter P, which is expected to be a constant or grow very slowly with the number of rounds. The complexity of the XSL attack is double-exponential in the size of the S-box. The paper shows that the XSL attack can marginally break 256-bit Serpent, but not Rijndael. The authors suggest that S-boxes in block ciphers should not be describable by a system of polynomial equations that is too small or too overdefined. The paper also discusses the implications of the XSL attack for the design of block ciphers, emphasizing the need for S-boxes with high algebraic complexity.
Terms of Service
Privacy Policy
Reach us at info@futurestudyspace.com