Abstract
In spite of the growing importance of the Advanced Encryption Standard (AES), the Data Encryption Standard (DES) is by no means obsolete. DES has never been broken from the practical point of view. The variant “triple DES” is believed very secure, is widely used, especially in the financial sector, and should remain so for many years to come. In addition, some doubts have been raised whether its replacement AES is secure, given the extreme level of “algebraic vulnerability” of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations).
Is DES secure from the point of view of algebraic cryptanalysis? We do not really hope to break it, but just to advance the field of cryptanalysis. At a first glance, DES seems to be a very poor target — as there is (apparently) no strong algebraic structure of any kind in DES. However, in [5] it was shown that “small” S-boxes always have a low I/O degree (cubic for DES, as we show below). In addition, due to their low gate count requirements, by introducing additional variables we can always get an extremely sparse system of quadratic equations.
To assess the algebraic vulnerabilities of DES is the easy part, that may appear unproductive. In this paper we demonstrate that in this way, several interesting attacks on a real-life “industrial” block cipher can be found. One of our attacks is the fastest known algebraic attack on 6 rounds of DES. It requires only one single known plaintext (instead of a very large quantity) which is quite interesting in itself.
Our attacks will recover the key using an ordinary PC, for only six rounds. Furthermore, in a much weaker sense, we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. We discuss how they can be applied to DES with modified S-boxes, and potentially other reduced-round block ciphers.
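The “cubic I/O degree” claim above rests on a counting argument: a DES S-box has 6 input and 4 output bits, so there are 176 monomials of degree at most 3 in those 10 variables but only 64 input/output pairs, and by rank-nullity over GF(2) at least 176 − 64 = 112 linearly independent cubic equations P(x, y) = 0 must exist. The example below is added for this page (it is not code from the paper or its authors); it computes the number of independent I/O equations of degree 1, 2 and 3 for S1, the first DES S-box as tabulated in FIPS PUB 46-3, and all function names are my own.

```python
from itertools import combinations

# DES S-box S1 as tabulated in FIPS PUB 46-3 (row = outer bits b1,b6; column = b2..b5).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """S1 on a 6-bit input x; bit 5 of x is b1 and bit 0 of x is b6."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]

def monomials(nvars, degree):
    """All monomials of degree <= degree in nvars variables, as tuples of variable indices."""
    return [m for d in range(degree + 1) for m in combinations(range(nvars), d)]

def gf2_rank(rows):
    """Rank over GF(2) of rows given as integer bitmasks (xor-basis elimination)."""
    basis = {}  # leading bit position -> basis row with that leading bit
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in basis:
                basis[lead] = r
                break
            r ^= basis[lead]
    return len(basis)

def io_equation_count(degree):
    """Number of linearly independent I/O equations P(x, y) = 0 of degree <= degree
    satisfied by all 64 pairs (x, y = S1(x)): #monomials minus the rank of the
    64 x #monomials evaluation matrix (rank-nullity over GF(2))."""
    monos = monomials(10, degree)  # variables 0..5 are input bits, 6..9 output bits
    rows = []
    for x in range(64):
        bits = [(x >> i) & 1 for i in range(6)] + [(sbox(x) >> j) & 1 for j in range(4)]
        row = 0
        for k, m in enumerate(monos):
            if all(bits[i] for i in m):  # the empty monomial is the constant 1
                row |= 1 << k
        rows.append(row)
    return len(monos) - gf2_rank(rows)

if __name__ == "__main__":
    for d in (1, 2, 3):
        print(f"degree <= {d}: {len(monomials(10, d))} monomials, "
              f"{io_equation_count(d)} independent I/O equations for S1")
```

The degree-3 count confirms the lower bound of 112, while the degree-1 count is zero, as it must be for any S-box with no probability-1 linear approximation; the degree-2 count shows how many quadratic relations the raw S-box table yields, which is the reason the paper introduces additional variables to obtain a sparse quadratic system.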
References
Bard, G.: Algorithms for Solving Linear and Polynomial Systems of Equations over Finite Fields with Applications to Cryptanalysis. PhD Thesis, University of Maryland at College Park (April 30, 2007)
Bard, G.V., Courtois, N.T., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers, http://eprint.iacr.org/2007/024/
Augot, D., Biryukov, A., Canteaut, A., Cid, C., Courtois, N., Cannière, C.D., Gilbert, H., Lauradoux, C., Parker, M., Preneel, B., Robshaw, M., Seurin, Y.: AES Security Report, D.STVL.2 report, IST-2002-507932 ECRYPT European Network of Excellence in Cryptology, www.ecrypt.eu.org/documents/D.STVL.2-1.0.pdf
Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology (IACR) 4, 3–72 (1991)
Chaum, D., Evertse, J.-H.: Cryptanalysis of DES with a Reduced Number of Rounds. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 192–211. Springer, Heidelberg (1986)
Tardy-Corfdir, A., Gilbert, H.: A Known Plaintext Attack of FEAL-4 and FEAL-6. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 172–181. Springer, Heidelberg (1992)
Coppersmith, D.: The development of DES, Invited Talk. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, Springer, Heidelberg (2000)
Courtois, N.: Examples of equations generated for experiments with algebraic cryptanalysis of DES, http://www.cryptosystem.net/aes/toyciphers.html
Courtois, N.: General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 67–83. Springer, Heidelberg (2005)
Courtois, N.T.: How Fast can be Algebraic Attacks on Block Ciphers? In: Biham, E., Handschuh, H., Lucks, S., Rijmen, V. (eds.) Symmetric Cryptography (January 07-12, 2007) http://drops.dagstuhl.de/portals/index.php?semnr=07021
Courtois, N., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq, (preprint) http://eprint.iacr.org/2007/062/
Courtois, N., Shamir, A., Patarin, J., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)
Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)
Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)
Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations, http://eprint.iacr.org/2002/044/
Courtois, N.: The Best Differential Characteristics and Subtleties of the Biham-Shamir Attacks on DES, http://eprint.iacr.org/2005/202
Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) Eurocrypt 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)
Courtois, N., Castagnos, G., Goubin, L.: What do DES S-boxes Say to Each Other? http://eprint.iacr.org/2003/184/
Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 177–194. Springer, Heidelberg (2003)
Courtois, N.: Algebraic Attacks on Combiners with Memory and Several Outputs. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, Springer, Heidelberg (2005), http://eprint.iacr.org/2003/125/
Courtois, N.: The Inverse S-box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 4 Conference, Bonn. LNCS, vol. 3373, pp. 170–188. Springer, Heidelberg (2005)
Courtois, N., Patarin, J.: About the XL Algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)
Davio, M., Desmedt, Y., Fosseprez, M., Govaerts, R., Hulsbosch, J., Neutjens, P., Piret, P., Quisquater, J.-J., Vandewalle, J., Wouters, P.: Analytical Characteristics of the DES. In: Crypto 1983, pp. 171–202. Plenum Press, New York (1984)
Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Workshop on Applications of Commutative Algebra, Catania, Italy, 3-6 April 2002, ACM Press, New York (2002)
Data Encryption Standard (DES), Federal Information Processing Standards Publication (FIPS PUB) 46-3, National Bureau of Standards, Gaithersburg, MD (1999), http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
Hulsbosch, J.: Analyse van de zwakheden van het DES-algoritme door middel van formele codering, Master thesis, K. U. Leuven, Belgium (1982)
Joux, A., Faugère, J.-C.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)
Jakobsen, T.: Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 212–222. Springer, Heidelberg (1998)
Kim, K., Lee, S., Park, S., Lee, D.: Securing DES S-boxes against Three Robust Cryptanalysis. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 145–157. Springer, Heidelberg (2003)
Kwan, M.: Reducing the Gate Count of Bitslice DES, http://eprint.iacr.org/2000/051, equations: http://www.darkside.com.au/bitslice/nonstd.c
MAGMA, High performance software for Algebra, Number Theory, and Geometry, a large commercial software package: http://magma.maths.usyd.edu.au/
Massacci, F.: Using Walk-SAT and Rel-SAT for Cryptographic Key Search. In: IJCAI 1999. International Joint Conference on Artificial Intelligence, pp. 290–295 (1999)
Massacci, F., Marraro, L.: Logical cryptanalysis as a SAT-problem: Encoding and analysis of the U.S. Data Encryption Standard. Journal of Automated Reasoning 24, 165–203 (2000). And In: Gent, J., van Maaren, H., Walsh, T. (eds.) The proceedings of SAT-2000 conference, Highlights of Satisfiability Research at the Year 2000, pp. 343–376. IOS Press, Amsterdam (2000)
Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
Eén, N., Sörensson, N.: MiniSat 2.0. An open-source SAT solver package, http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/
Mironov, I., Zhang, L.: Applications of SAT Solvers to Cryptanalysis of Hash Functions. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 102–115. Springer, Heidelberg (2006), http://eprint.iacr.org/2006/254
Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, Springer, Heidelberg (2002)
Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)
Raddum, H., Semaev, I.: New Technique for Solving Sparse Equation Systems, ECRYPT STVL, http://eprint.iacr.org/2006/475/
Raddum, H., Semaev, I.: Solving MRHS linear equations. In: ECRYPT Tools for Cryptanalysis workshop, Kraków, Poland (September 24-25, 2007) (accepted)
Singular: A Free Computer Algebra System for polynomial computations. http://www.singular.uni-kl.de/
Shamir, A.: On the security of DES. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 280–281. Springer, Heidelberg (1986)
Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28, 704 (1949)
Schaumuller-Bichl, I.: Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding. In: Beth, T. (ed.) Cryptography. LNCS, vol. 149, Springer, Heidelberg (1983)
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Courtois, N.T., Bard, G.V. (2007). Algebraic Cryptanalysis of the Data Encryption Standard. In: Galbraith, S.D. (eds) Cryptography and Coding. Cryptography and Coding 2007. Lecture Notes in Computer Science, vol 4887. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77272-9_10
DOI: https://doi.org/10.1007/978-3-540-77272-9_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77271-2
Online ISBN: 978-3-540-77272-9