Algebraic Cryptanalysis of the Data Encryption Standard

Conference paper, Cryptography and Coding 2007

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4887)

Abstract

In spite of the growing importance of the Advanced Encryption Standard (AES), the Data Encryption Standard (DES) is by no means obsolete. DES has never been broken from a practical point of view. The variant “triple DES” is believed to be very secure, is widely used, especially in the financial sector, and should remain so for many years to come. In addition, some doubts have been raised about whether its replacement AES is secure, given the extreme level of “algebraic vulnerability” of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations).

Is DES secure from the point of view of algebraic cryptanalysis? We do not really hope to break it, but rather to advance the field of cryptanalysis. At first glance, DES seems to be a very poor target, as there is (apparently) no strong algebraic structure of any kind in DES. However, in [5] it was shown that “small” S-boxes always have a low I/O degree (cubic for DES, as we show below). In addition, because of their low gate count, by introducing additional variables we can always obtain an extremely sparse system of quadratic equations.
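To make the notion of I/O degree concrete, the following is an added example (it is not code from the paper or its authors) that measures, for the first DES S-box S1 as published in FIPS 46-3, how many linearly independent GF(2) equations of each degree relate the 6 input bits x1..x6 and the 4 output bits y1..y4. It evaluates every monomial of degree at most d on all 64 inputs and takes the dimension of the kernel of that evaluation matrix; the helper names (sbox_lookup, monomials, gf2_rank, count_io_equations, io_degree) are my own and the function works for any small S-box table, not only S1.

```python
from itertools import combinations

# DES S-box S1, copied from FIPS 46-3 (4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(table, x):
    """Evaluate a DES-style 6->4 S-box: the outer bits b1,b6 pick the row,
    the inner bits b2..b5 pick the column (FIPS 46-3 convention)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def monomials(nvars, max_degree):
    """All monomials of degree <= max_degree in nvars GF(2) variables; a
    monomial is the tuple of variable indices it multiplies (() is the constant 1)."""
    return [m for d in range(max_degree + 1) for m in combinations(range(nvars), d)]


def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are Python ints (bit c = column c),
    using xor-basis elimination keyed on each row's leading bit."""
    basis = {}
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead in basis:
                r ^= basis[lead]
            else:
                basis[lead] = r
                break
    return len(basis)


def count_io_equations(table, degree, nin=6, nout=4):
    """Number of linearly independent GF(2) equations of degree <= `degree`
    in the input bits x1..xnin and output bits y1..ynout that hold for every input.

    Build the 2^nin x (#monomials) evaluation matrix; an equation is a set of
    monomials whose columns sum to zero, so the count is #monomials - rank."""
    mons = monomials(nin + nout, degree)
    rows = []
    for x in range(1 << nin):
        y = sbox_lookup(table, x)
        bits = [(x >> (nin - 1 - i)) & 1 for i in range(nin)]     # x1..xnin, MSB first
        bits += [(y >> (nout - 1 - j)) & 1 for j in range(nout)]  # y1..ynout, MSB first
        row = 0
        for c, m in enumerate(mons):
            if all(bits[v] for v in m):      # empty product is the constant 1
                row |= 1 << c
        rows.append(row)
    return len(mons) - gf2_rank(rows)


def io_degree(table, nin=6, nout=4):
    """Smallest degree for which the S-box admits at least one I/O equation."""
    d = 0
    while count_io_equations(table, d, nin, nout) == 0:
        d += 1
    return d


if __name__ == "__main__":
    for d in range(4):
        print(f"degree <= {d}: {len(monomials(10, d))} monomials, "
              f"{count_io_equations(S1, d)} independent equations")
    print("I/O degree of S1:", io_degree(S1))
```

The counting argument the abstract relies on is visible in the numbers: there are 176 monomials of degree at most 3 in the 10 variables but only 64 inputs, so the evaluation matrix has rank at most 64 and at least 112 independent cubic I/O equations must exist for any 6-to-4 S-box whatsoever; at degree 2 there are only 56 monomials, so a well-chosen S-box can avoid quadratic equations entirely, which is why the abstract speaks of cubic equations and of adding variables to get back to a quadratic system.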

Assessing the algebraic vulnerabilities of DES is the easy part, and may appear unproductive. In this paper we demonstrate that, in this way, several interesting attacks on a real-life “industrial” block cipher can be found. One of our attacks is the fastest known algebraic attack on 6 rounds of DES. It requires only a single known plaintext (instead of a very large quantity), which is quite interesting in itself.

Our attacks recover the key using an ordinary PC, but only for six rounds. Furthermore, in a much weaker sense, we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. We discuss how they can be applied to DES with modified S-boxes, and potentially to other reduced-round block ciphers.

References

  1. Bard, G.: Algorithms for Solving Linear and Polynomial Systems of Equations over Finite Fields with Applications to Cryptanalysis. PhD Thesis, University of Maryland at College Park (April 30, 2007)

  2. Bard, G.V., Courtois, N.T., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers, http://eprint.iacr.org/2007/024/

  3. Augot, D., Biryukov, A., Canteaut, A., Cid, C., Courtois, N., Cannière, C.D., Gilbert, H., Lauradoux, C., Parker, M., Preneel, B., Robshaw, M., Seurin, Y.: AES Security Report, D.STVL.2 report, IST-2002-507932 ECRYPT European Network of Excellence in Cryptology, www.ecrypt.eu.org/documents/D.STVL.2-1.0.pdf

  4. Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology (IACR) 4, 3–72 (1991)

  5. Chaum, D., Evertse, J.-H.: Cryptanalysis of DES with a Reduced Number of Rounds. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 192–211. Springer, Heidelberg (1986)

  6. Tardy-Corfdir, A., Gilbert, H.: A Known Plaintext Attack of FEAL-4 and FEAL-6. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 172–181. Springer, Heidelberg (1992)

  7. Coppersmith, D.: The development of DES, Invited Talk. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, Springer, Heidelberg (2000)

  8. Courtois, N.: Examples of equations generated for experiments with algebraic cryptanalysis of DES, http://www.cryptosystem.net/aes/toyciphers.html

  9. Courtois, N.: General Principles of Algebraic Attacks and New Design Criteria for Components of Symmetric Ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 2005. LNCS, vol. 3373, pp. 67–83. Springer, Heidelberg (2005)

  10. Courtois, N.T.: How Fast can be Algebraic Attacks on Block Ciphers? In: Biham, E., Handschuh, H., Lucks, S., Rijmen, V. (eds.) Symmetric Cryptography (January 07-12, 2007) http://drops.dagstuhl.de/portals/index.php?semnr=07021

  11. Courtois, N., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq, (preprint) http://eprint.iacr.org/2007/062/

  12. Courtois, N., Shamir, A., Patarin, J., Klimov, A.: Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000)

  13. Courtois, N.: The security of Hidden Field Equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)

  14. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)

  15. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations, http://eprint.iacr.org/2002/044/

  16. Courtois, N.: The Best Differential Characteristics and Subtleties of the Biham-Shamir Attacks on DES, http://eprint.iacr.org/2005/202

  17. Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) Eurocrypt 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)

  18. Courtois, N., Castagnos, G., Goubin, L.: What do DES S-boxes Say to Each Other? http://eprint.iacr.org/2003/184/

  19. Courtois, N.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 177–194. Springer, Heidelberg (2003)

  20. Courtois, N.: Algebraic Attacks on Combiners with Memory and Several Outputs. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, Springer, Heidelberg (2005), http://eprint.iacr.org/2003/125/

  21. Courtois, N.: The Inverse S-box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers. In: Dobbertin, H., Rijmen, V., Sowa, A. (eds.) AES 4 Conference, Bonn. LNCS, vol. 3373, pp. 170–188. Springer, Heidelberg (2005)

  22. Courtois, N., Patarin, J.: About the XL Algorithm over GF(2). In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 141–157. Springer, Heidelberg (2003)

  23. Davio, M., Desmedt, Y., Fosseprez, M., Govaerts, R., Hulsbosch, J., Neutjens, P., Piret, P., Quisquater, J.-J., Vandewalle, J., Wouters, P.: Analytical Characteristics of the DES. In: Crypto 1983, pp. 171–202. Plenum Press, New York (1984)

  24. Faugère, J.C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: Workshop on Applications of Commutative Algebra, Catania, Italy, 3-6 April 2002, ACM Press, New York (2002)

  25. Data Encryption Standard (DES), Federal Information Processing Standards Publication (FIPS PUB) 46-3, National Bureau of Standards, Gaithersburg, MD (1999), http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

  26. Hulsbosch, J.: Analyse van de zwakheden van het DES-algoritme door middel van formele codering, Master thesis, K. U. Leuven, Belgium (1982)

  27. Joux, A., Faugère, J.-C.: Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 44–60. Springer, Heidelberg (2003)

  28. Jakobsen, T.: Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 212–222. Springer, Heidelberg (1998)

  29. Kim, K., Lee, S., Park, S., Lee, D.: Securing DES S-boxes against Three Robust Cryptanalysis. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 145–157. Springer, Heidelberg (2003)

  30. Kwan, M.: Reducing the Gate Count of Bitslice DES, http://eprint.iacr.org/2000/051; equations: http://www.darkside.com.au/bitslice/nonstd.c

  31. MAGMA, High performance software for Algebra, Number Theory, and Geometry (a large commercial software package), http://magma.maths.usyd.edu.au/

  32. Massacci, F.: Using Walk-SAT and Rel-SAT for Cryptographic Key Search. In: IJCAI 1999. International Joint Conference on Artificial Intelligence, pp. 290–295 (1999)

  33. Massacci, F., Marraro, L.: Logical cryptanalysis as a SAT-problem: Encoding and analysis of the U.S. Data Encryption Standard. Journal of Automated Reasoning 24, 165–203 (2000). Also in: Gent, I., van Maaren, H., Walsh, T. (eds.) The proceedings of the SAT-2000 conference, Highlights of Satisfiability Research at the Year 2000, pp. 343–376. IOS Press, Amsterdam (2000)

  34. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)

  35. Eén, N., Sörensson, N.: MiniSat 2.0. An open-source SAT solver package, http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/

  36. Mironov, I., Zhang, L.: Applications of SAT Solvers to Cryptanalysis of Hash Functions. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 102–115. Springer, Heidelberg (2006), http://eprint.iacr.org/2006/254

  37. Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, Springer, Heidelberg (2002)

  38. Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt 1988. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)

  39. Raddum, H., Semaev, I.: New Technique for Solving Sparse Equation Systems, ECRYPT STVL, http://eprint.iacr.org/2006/475/

  40. Raddum, H., Semaev, I.: Solving MRHS linear equations. In: ECRYPT Tools for Cryptanalysis workshop, Kraków, Poland (September 24-25, 2007) (accepted)

  41. Singular: A Free Computer Algebra System for polynomial computations. http://www.singular.uni-kl.de/

  42. Shamir, A.: On the security of DES. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 280–281. Springer, Heidelberg (1986)

  43. Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28, 704 (1949)

  44. Schaumuller-Bichl, I.: Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding. In: Beth, T. (ed.) Cryptography. LNCS, vol. 149, Springer, Heidelberg (1983)

Editor information

Steven D. Galbraith

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Courtois, N.T., Bard, G.V. (2007). Algebraic Cryptanalysis of the Data Encryption Standard. In: Galbraith, S.D. (eds) Cryptography and Coding. Cryptography and Coding 2007. Lecture Notes in Computer Science, vol 4887. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77272-9_10

  • DOI: https://doi.org/10.1007/978-3-540-77272-9_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77271-2

  • Online ISBN: 978-3-540-77272-9

  • eBook Packages: Computer Science (R0)
