Improvements of Linearization-based Algebraic Attacks on Block Ciphers

Algebraic attacks are studied as a potential cryptanalytic procedure for several cryptographic primitives. In an algebraic attack on a cipher, one expresses the encryption function as a system (usually overdefined) of multivariate polynomial equations in the bits of the plaintext, the ciphertext and the key, and subsequently solves the system for the unknown key bits from the knowledge of one or more plaintext/ciphertext pairs. The systems of equations arising from ciphers are typically multivariate polynomial equations over finite fields (usually, GF (2)). Algebraic techniques have been practically applied for solving systems available from some block ciphers, stream ciphers and public-key cryptosystems. However, the general complexity of algebraic attacks is poor—indeed poorer than exhaustive key search. In 2000, eXtended Linearization (XL) was introduced as a tool for solving systems of multivariate polynomial equations. The standard XL algorithm expands the initial system of equations by monomial multiplications. The expanded system is treated as a linear system in the monomials. Linear-algebra techniques are then used to solve for the monomials, and in particular, the unknown variables standing for the key. However, for most block ciphers (including the Advanced Encryption Standard (AES)), the monomial-multiplication phase yields linearized systems, solving which demands more effort than exhaustive key search. In this thesis, we first propose a heuristic strategy XL SGE to reduce the count of linearized equations in the expanded system. This reduction is achieved by decomposing the expansion stage of XL into a sequence of variable-multiplication stages, and applying structured Gaussian elimination (SGE) before each stage of variable multiplication. This first proposal XL SGE suffers from some drawbacks that impair the effectiveness of SGE-based reduction at all multiplication stages except the first. In order to avoid this problem, we propose three improved variants of XL SGE. XL SGE-2 uses a partial monomial-multiplication strategy to curb the generation of linearized equations in a random (but controlled) fashion. We also handle a variant of SGE in which xiv columns of weight two are eliminated without increasing the weight of the coefficient matrix (we call this variant XL SGE). In our third modification XL SGE-3, we use intelligent strategies to identify and remove many redundant equations before each variable-multiplication stage. In short, the key contribution of this thesis is the proposal of using SGE during the expansion phase of XL. (The subsequent linear-algebra phase is naturally expected to exploit SGE, anyway.) All of our modified algorithms have been experimentally verified to be substantially superior to XL SGE. Experimentation on small random systems indicates that the proposed XL SGE family has the potential to significantly improve upon the performance of XL in terms of the size of the final solvable system. We also experimented with a toy version of AES, and noticed significant performance gains achieved by XL SGE variants over XL. A theoretical analysis of the superiority of XL SGE over XL continues to remain an open area of research.