The Inverse S-Box, Non-linear Polynomial Relations and Cryptanalysis of Block Ciphers

Abstract: Abstract. This paper is motivated by the design of AES. We consider a broader question of cryptanalysis of block ciphers having very good non-linearity and diffusion. Can we expect anyway, to attacks such ciphers, clearly designed to render hopeless the main classical attacks ? Recently a lot of attention have been drawn to the existence of multivariate algebraic relations for AES (and other) S-boxes. Then, if the XSL-type algebraic attacks on block ciphers [11] are shown to work well, the answer would be posi… Show more

“…However, as we show below, the set of such transformations generates the symmetric group on F. This leads us to consider the nature of what exactly is meant by "the group generated by a cipher", and we conclude the Section with some comments on this issue. We note that some similar ideas were discussed in [7].…”

“…However, the group we consider, S F , is generated by transformations closer to AES transformations than "inversion" and subkey addition considered separately. Moreover, Theorem 4.3.1 of [7], the analogous result to our Theorem 1, is incorrect.…”

“…The relevant proofs are given in Appendix A. We note that the related group x → x (−1) , x → x + k was discussed in [7]. However, the group we consider, S F , is generated by transformations closer to AES transformations than "inversion" and subkey addition considered separately.…”

“…However, PGL(2, F) is a sharply triply transitive group ( [23], Theorem 4.5.4), so if we know only three plaintextciphertext pairs (with no 0-inversion), then we can identify the unique element of PGL(2, F) corresponding to the encryption transformation. This should enable us to break the block cipher with three such pairs, though it has been stated that four such pairs are needed [14,13,1,7].…”

Projective aspects of the AES inversion

“…However, as we show below, the set of such transformations generates the symmetric group on F. This leads us to consider the nature of what exactly is meant by "the group generated by a cipher", and we conclude the Section with some comments on this issue. We note that some similar ideas were discussed in [7].…”

“…However, the group we consider, S F , is generated by transformations closer to AES transformations than "inversion" and subkey addition considered separately. Moreover, Theorem 4.3.1 of [7], the analogous result to our Theorem 1, is incorrect.…”

“…The relevant proofs are given in Appendix A. We note that the related group x → x (−1) , x → x + k was discussed in [7]. However, the group we consider, S F , is generated by transformations closer to AES transformations than "inversion" and subkey addition considered separately.…”

“…However, PGL(2, F) is a sharply triply transitive group ( [23], Theorem 4.5.4), so if we know only three plaintextciphertext pairs (with no 0-inversion), then we can identify the unique element of PGL(2, F) corresponding to the encryption transformation. This should enable us to break the block cipher with three such pairs, though it has been stated that four such pairs are needed [14,13,1,7].…”

Projective aspects of the AES inversion

“…Another important mode is a so called 'hopping' or 'rolling' method described in [4,33]. In this case 16 bits of the plaintext are permanently fixed on both sides, and the attacker cannot hope get more than 2 16 known plaintexts. More information can be found in [4,5,6].…”

Algebraic and Slide Attacks on KeeLoq

Algebraic Attacks on Combiners with Memory and Several Outputs