Analysis of the XSL Attack
In this paper, we examine the algebraic XSL attack on the Advanced Encryption Standard (AES). We begin with a brief introduction and an overview of AES; then, in Section 3, we present the algebraic attack on ciphers like AES, followed by the XL and XSL algorithms in Section 4 and Section 5. We then present the first and second XSL attacks, as well as their applicability to BES. We see how and whether the algorithm has been improved since it first appeared. We conclude with Section 10.
Matrix Power S-Box Construction
A new symmetric cipher S-box construction based on a matrix power function is presented. The matrix consisting of plain data bit strings is combined with three round key matrices using arithmetical addition and exponent operations. The matrix power means a matrix raised to the power of another matrix. The left and right side matrix powers are introduced. This operation is linked with two sound one-way functions: the discrete logarithm problem and the decomposition problem. The latter is used in public key cryptosystems based on infinite non-commutative groups. It is shown that the generic S-box equations are not transferable to multivariate polynomial equations with respect to the input and key variables, and hence the algebraic attack to determine the key variables cannot be applied in this case. The mathematical description of the proposed S-box by its nature possesses good "confusion and diffusion" properties and contains variables "of a complex type", as formulated by Shannon. Some comparative simulation results are presented.
Performance evaluation of eXtended sparse linearization in GF(2) and GF(2^8)
XSL (eXtended Sparse Linearization) is a recent algebraic attack aimed at the Advanced Encryption Standard. In order to shed some light on the behavior of the algorithm, which is largely unknown, we have studied XSL on equation systems with variables interpreted either as bits or as bytes. The algorithm solves byte-systems much faster than it does bit-systems, which prompts us to suggest that if a more compact representation of equation systems can be found, such as one where the variables are 8-byte blocks, or even a more generalized form of 8n-byte blocks, it may be possible to increase the speed of XSL dramatically.
On Selection of Samples in Algebraic Attacks and a New Technique to Find Hidden Low Degree Equations
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN32 and LBlock. In both cases, we present a practical attack which outperforms previous attempts at algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using the cube attack and ElimLin, which was presented at FSE’12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts, which break a smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows discovering linear equations that are not found by ElimLin.
Algebraic Attack Efficiency versus S-box Representation
Algebraic analysis of block ciphers aims at finding the secret key by solving a collection of polynomial equations that describe the internal structure of a cipher for chosen observations of plaintext/ciphertext pairs. Although algebraic attacks are applied to the cryptanalysis of block and stream ciphers, there is a lack of understanding of the impact of the algebraic representation of the cipher on the efficiency of solving the resulting collection of equations. This work investigates different S-box representations and their effect on the complexity of algebraic attacks. In particular, we observe that an S-box representation defined in this work as Forward-Backward (FWBW) leads to a collection of equations that can be solved efficiently. We show that the cipher can be broken using the standard algebra software Singular and FGb. This is the best result achieved so far. The effect of the description of S-boxes for some light-weight block ciphers is investigated. A by-product of this result is that we have achieved some improvements on the algebraic cryptanalysis of the LBlock, PRESENT and MIBS light-weight block ciphers. Our study and experiments confirm a counter-intuitive conclusion: that algebraic attacks work best for the FWBW S-box representation. This contradicts a common belief that algebraic attacks are more efficient for the quadratic S-box representation.
Obtaining and solving systems of equations in key variables only for the small variants of AES
This work is devoted to attacking the small scale variants of the Advanced Encryption Standard (AES) via systems that contain only the initial key variables. To this end, we introduce a system of equations that naturally arises in the AES, and then eliminate all the intermediate variables via normal form reductions. The resulting system, in key variables only, is then solved. We also consider the possibility of applying our method in the meet-in-the-middle scenario, especially with several plaintext/ciphertext pairs. We elaborate on the method further by looking for subsystems which contain fewer variables and are overdetermined, thus facilitating solving the large system.
Cryptographic Properties and Application of a Generalized Unbalanced Feistel Network Structure (Revised Version)
In this paper, we study GF-NLFSR, a Generalized Unbalanced Feistel Network (GUFN) which can be considered as an extension of the outer function FO of the KASUMI block cipher. We show that the differential and linear probabilities of any n + 1 rounds of an n-cell GF-NLFSR are both bounded by p^2, where the corresponding probability of the round function is p. Besides analyzing security against differential and linear cryptanalysis, we provide a frequency distribution for upper bounds on the true differential and linear hull probabilities. From the frequency distribution, we deduce that the proportion of input-output differences/mask values with probability bounded by p^n is close to 1, whereas only a negligible proportion has probability bounded by p^2. We also recall an n^2-round integral attack distinguisher and an (n^2+n-2)-round impossible differential distinguisher on the n-cell GF-NLFSR by Li et al. and Wu et al. As an application, we design a new 30-round block cipher Four-Cell+ based on a 4-cell GF-NLFSR. We prove the security of Four-Cell+ against differential, linear, and boomerang attacks. Four-Cell+ also resists existing key recovery attacks based on the 16-round integral attack distinguisher and the 18-round impossible differential distinguisher. Furthermore, Four-Cell+ can be shown to be secure against other attacks such as the higher order differential attack, cube attack, interpolation attack, XSL attack and slide attack.
Variable Elimination - a Tool for Algebraic Cryptanalysis
Techniques for eliminating variables from a system of nonlinear equations are used to find solutions of the system. We discuss how these methods can be used to attack certain types of symmetric block ciphers, by solving sets of equations arising from known-plaintext attacks. The systems of equations corresponding to these block ciphers have the characteristics that the solution is determined by a small subset of the variables (i.e., the secret key), and also that it is known that there always exists at least one solution (again corresponding to the key which is actually used in the encryption). It turns out that some toy ciphers can be solved more simply than anticipated by this method, and that the method can take advantage of overdetermined systems.
We discuss how these methods can be used to attack certain types of symmetric block ciphers, by solving sets of equations arising from known plain text attacks. The systems of equations corresponding to these block ciphers have the characteristics that the solution is determined by a small subset of the variables (i.e., the secret key), and also that it is known that there always exists at least one solution (again corresponding to the key which is actually used in the encryption). It turns out that some toy ciphers can be solved simpler than anticipated by this method, and that the method can take advantage of overdetermined systems