8 research outputs found

    Variable elimination strategies and construction of nonlinear polynomial invariant attacks on T-310

    One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties for block ciphers. In this article, we study nonlinear polynomial invariant attacks. The number of such attacks grows as $2^{2^n}$ and systematic exploration is not possible. The main question is HOW do we find such attacks? We have developed a constructive algebraic approach that is about making sure that a certain combination of polynomial equations is zero. We work by progressive elimination of specific variables in polynomial spaces and we show that one can totally eliminate big chunks of the cipher circuit. As an application, we present several new attacks on the historical T-310 block cipher that has particularly large hardware complexity and a very large number of rounds compared with modern ciphers, e.g., AES. However, all this complexity is not that useful if we are able to construct new types of polynomial invariant attacks that work for any number of rounds

    Construction of a polynomial invariant annihilation attack of degree 7 for T-310

    Cryptographic attacks are typically constructed by black-box methods and combinations of simpler properties, for example in [Generalised] Linear Cryptanalysis. In this article, we work with a more recent white-box algebraic-constructive methodology. Polynomial invariant attacks on a block cipher are constructed explicitly through the study of the space of Boolean polynomials which does not have a unique factorisation and solving the so-called Fundamental Equation (FE). Some recent invariant attacks are quite symmetric and exhibit some sort of clear structure, or work only when the Boolean function is degenerate. As a proof of concept, we construct an attack where a highly irregular product of seven polynomials is an invariant for any number of rounds for T-310 under certain conditions on the long term key and for any key and any IV. A key feature of our attack is that it works for any Boolean function which satisfies a specific annihilation property. We evaluate very precisely the probability that our attack works when the Boolean function is chosen uniformly at random

    Slide attacks and LC-weak keys in T-310

    T-310 is an important Cold War cipher (Cryptologia 2006). In a recent article (Cryptologia 2018), researchers show that, in spite of specifying numerous very technical requirements, the designers do not protect the cipher against linear cryptanalysis and some 3% of the keys are very weak. However, such a weakness does not necessarily allow breaking the cipher because it is extremely complex and extremely few bits from the internal state are used for the actual encryption. In this article, we finally show a method that allows recovering a part of the secret key for about half of such weak keys in a quasi-realistic setting. For this purpose, we revisit another recent article from Cryptologia from 2018 and introduce a new peculiar variant of the decryption oracle slide attack with d = 0