On the Interpolation Attacks on Block Ciphers 111

Home , Interpolation attack, Square (cipher)

On the Interp olation Attacks on Blo ck Ciphers

A.M. Youssef and G. Gong

Center for Applied Cryptographic Research

Department of Combinatorics and Optimization

UniversityofWaterlo o, Waterlo o, ON N2L 3G1

fa2youssef, [email protected] o.ca

Abstract. The complexityofinterp olation attacks on blo ck ciphers de-

p ends on the degree of the p olynomial approximation and/or on the

numb er of terms in the p olynomial approximation expression. In some

situations, the round function or the S-b oxes of the blo ck cipher are

expressed explicitly in terms of algebraic function, yet in many other

o ccasions the S-b oxes are expressed in terms of their Bo olean function

representation. In this case, the cryptanalyst has to evaluate the algebraic

description of the S-b oxes or the round function using the Lagrange in-

terp olation formula. A natural question is what is the e ect of the choice

of the irreducible p olynomial used to construct the nite eld on the

degree of the resulting p olynomial . Another question is whether or not

there exists a simple linear transformation on the input or output bits of

the S-b oxes (or the round function) such that the resulting p olynomial

has a less degree or smaller numb er of non-zero co ecients. In this pap er

we give an answer to these questions. We also present an explicit relation

between the Lagrange interp olation formula and the Galois Field Fourier

Transform.

Keywords: Blo ck cipher, cryptanalysis, interp olation attack, nite elds, Ga-

lois Field Fourier Transform

1 Intro duction

Gong and Golomb[7]intro duced a new criterion for the S-b ox design. Because

many blo ck ciphers can b e viewed as a Non Linear Feedback Shift Register

(NLFSR) with input then the S-b oxes should not b e approximated by a mono-

mial. The reason is that the trace functions Tr( X ) and Tr(X )have the

same linear span. From the view p ointof m-sequences [10], b oth of the sequences

id i n

fTr( )g and fTr( )g are m-sequences of p erio d 2 1. The former

i0 i0

can b e obtained from the later by decimation d. Gong and Golomb showed that

the distance of DES S-b oxes approximated by monomial functions has the same

distribution as for the S-b oxes approximated by linear functions.

In [3] Jakobsen and Knudsen intro duced a new attack on blo ck ciphers. This

attack is useful for attacking ciphers using simple algebraic functions as S-b oxes.

The attack is based on the well known Lagrange interp olation formula. Let R be

B. Schneier (Ed.): FSE 2000, LNCS 1978, pp. 109−120, 2001.  Springer-Verlag Berlin Heidelberg 2001

110 A.M. Youssef and G. Gong

a eld. Given 2n elements x ;:::;x ;y ;:::;y 2 R; where the x s are distinct.

1 n 1 n i

De ne

X Y

x x

: (1) f (x)= y

x x

i j

i=1

1j n;j 6=i

Then f (x) is the only p olynomial over R of degree at most n 1 such that

f (x )= y for i =1;:::;n. The main result in [3] is that for an iterated blo ck

i i

cipher with blo ck size m, if the cipher-text is expressed as a p olynomial with

n 2 co ecients of the plain-text, then there exists an interp olation attack

of time complexity n requiring n known plain-texts encrypted with a secret key

K , which nds an algorithm equivalent to encryption (or decryption) with K .

This attack can also b e extended to a key recovery attack.

In [4] Jakobsen extended this cryptanalysis metho d to attack blo ck ciphers

with probabilistic nonlinear relation of low degree. Using recent results from

co ding theory (Sudan's algorithm for deco ding Reed-Solomon co des b eyond the

error correction parameter[6]), Jakobsen showed how to break ciphers where the

cipher-text is expressible as evaluations of unknown univariate p olynomial of low

degree m with a typically low probability . The known plain-text attack requires

n =2m= plain-text/cipher-text pairs. In the same pap er, Jakobsen also pre-

sented a second attack that needs access to n =(2m=) plain-text/cipher-text

pairs and its running time is p olynomial in n.

It is clear that the complexity of such cryptanalytic attacks dep ends on the

degree of the p olynomial approximation or on the numb er of terms in the p oly-

nomial approximation expression. In some situations, the round function or the

S-b oxes of the blo ck cipher are expressed explicitly in terms of algebraic function

(For example see [8]),yet in many other o ccasions the S-b oxes are expressed in

terms of their Bo olean function representation. In this case, the cryptanalyst has

to evaluate the algebraic description of the S-b oxes or the round function using

the Lagrange interp olation formula. A natural question is what is the e ect of the

choice of the irreducible p olynomial used to construct the nite eld on the de-

gree of the resulting p olynomial. Another question is whether or not there exists

a simple linear transformation on the input or output bits of the S-b oxes (or the

round function) such that the resulting p olynomial has a less degree or smaller

numb er of co ecients. In this pap er we give explicit answer to these questions.

4 4

To illustrate the idea, consider the binary mapping from GF (2) to GF (2)

given in the Table 1. If the Lagrange interp olation formula is applied to GF (2 )

4 4 3

where GF (2 ) is de ned by the irreducible p olynomial X + X + 1 then wehave

2 3 4 5 6 8 9 10 12

F (X )=X + X +7X +15X +5X +14X +14X +2X +7X +9X ;X 2

4 4

GF (2 ). However, if we use the irreducible p olynomial X + X + 1 to de ne

4 3 4

GF (2 ) then wehave F (X )=X ;X 2 GF (2 ) whichisobviously a simpler

description.

An interesting observation follows when applying the Lagrange interp olation

formula to the DES S-b oxes. In this case we consider the DES S-b oxes output

On the Interpolation Attacks on Block Ciphers 111

x 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

f (x) 0 1 8 15 12 10 1 1 10 15 15 12 8 10 8 12

Table 1.

co ordinates as a mapping from GF (2 )toGF (2). Let f b e the Bo olean function

resulting from XORing all the output co ordinates of the DES S-b oxnumber

6 6 5

four. When we de ne GF (2 ) using the irreducible p olynomial X + X +1,

the p olynomial resulting from applying the Lagrange interp olation formula to

f has only 39 nonzero co ecient. The Hamming weight of all the exp onents

corresp onding to the nonzero co ecients was 3. It should b e noted that the

exp ected value of the numb er of nonzero co ecients for a randomly selected

function over GF (2 ) is 63. While this observation do esn't have a cryptanalytic

signi cance, it shows the e ect of changing the irreducible p olynomial when

trying to search for a p olynomial representation for cipher functions.

2 Mathematical background and de nitions

For a background ab out the general theory of nite elds, the reader is referred

to [1] and for a background ab out nite elds of charachteristic 2, the reader is

referred to [2].

Most of the results in this pap er can b e extended in a straightforward way

n n

from GF (2 )toGF (q ). Throughout this pap er, we use integer lab els to present

4 i

nite eld elements. I.e., for any element X 2 GF (2 ), X = x ;x 2

i+1 i

i=0

GF (2) where is a ro ot of the irreducible p olynomial which de nes GF (2 ), we

i n

represent X by x 2 as an integer in the range [0; 2 1]. The asso ciated

i+1

i=0

addition and multiplication op erations of these lab els are de ned by the nite

eld structure and have no resemblance to mo dular integer arithmetic.

De nition 1. A p olynomial having the sp ecial form

L(X )= X (2)

i=0

n n

with co ecients from GF (2 ) is called a linearized p olynomial over GF (2 ).

De nition 2. A cyclotomic coset mo d N that contains an integer s is the set

C = fs;sq;:::;sq g (mo d N ) (3)

where m is the smallest p ositiveinteger such that sq s (mo d N ).

112 A.M. Youssef and G. Gong

n n

Lemma 3. Let A be a linear mapping over GF (2 ), then A(X );X 2 GF (2 )

can be expressed in terms of a linearizedpolynomial over GF (2 ). I.e., we can

express A(X ) as

A(X )= X (4)

i=0

Lemma 4. Let ; ;:::; be elements in GF (2 ). Then

1 2 t

k k k k

2 2 2 2

( + + ::: + ) = + + ::: + (5)

1 2 t

Lemma 5. The number of ways of choosing a basis of GF (2 ) over GF (2) is

n i

(2 2 ) (6)

i=0

3 Lagrange co ecients, Galois Field Fourier Transform

and Bo olean functions

3.1 Relation b etween the Galois Field Fourier Transform and the

Lagrange co ecients

In this section we give an explicit formula for the relation b etween the Lagrange

Interp olation of F and the Galois Field Fourier Transform of its corresp onding

sequence. Besides its theoretical interest, the cryptographic signi cance of this

relation stems from the view p oint of Gong and Golomb [7] where they mo del

many blo ck ciphers as a Non Linear Feedback Shift Register (NLFSR) with

input.

Let v =(v ;v ;:::;v )beavector over GF (q ) whose length l divides

0 1 l1

m m

q 1 for some integer p ositive m. Let b e an element of order l in GF (q ).

The Galois eld Fourier transform (GFFT) [11]ofv is the vector F (v )= V

=(V ;V ;:::;V ) where fV g are computed as follows.

0 1 l1 j

V = v ;j =0; 1;:::;l 1: (7)

j i

i=0

The inverse transform is given by

V ;i =0; 1;:::;l 1: (8) v =

j i

j =0

In the literature, and are swapp ed in the equations ab ove. Since and

have the same order, wemay use the form presented here. We use this form

in order to make it easy to compare with the p olynomial representation. For the

purp ose of our discussion, we will consider the case with q =2 , m = 1 and

l =2 1. For a detailed discussion of the general case relation b etween the

Lagrange Interp olation formula and the GFFT, the reader is referred to [13].

On the Interpolation Attacks on Block Ciphers 113

2 1

i n

b X be a function in GF (2 ) with the corre- Theorem 6. Let F (X )=

i=0

i n

sponding sequence v =(v ;v ;:::;v ) where v = F ( );i =0; 1;:::;2 2

0 1 2 2 i

n n

and 2 GF (2 ) has order 2 1.If F (0) = 0 then we have

0 if i =0

V if 0

b = (9)

V if i =2 1;

Pro of: For functions in GF (2 ), the Lagrange interp olation formula can b e

rewritten as

2 1

X X

i 2 1

F (X )= b X = F ( )(1 + (X + ) ); (10)

i=0

2GF (2 )

where

F (0) if i =0;

b = (11)

i n

F ( ) if 1 i 2 1

2GF (2 )

Equation (7) can b e written as

n n

2 2 2 2

X X X

ij ij j i

V = v = F ( )= F ( ); (12)

i j

j =0 j =0

2GF

n t

where GF = GF (2 ) f0g. With the convention 0 = 1 for anyinteger t,if

F (0) = 0, then

X X

i i

F ( )= F ( ): (13)

2GF

2GF (2 )

From Equation (11) and (12) we get

b = V ; 0

i i

The result for i =2 1 follows by noting that

V = F ( ); (15)

2GF

and

X X

(2 1)

b = F ( ) = F ( )= V (16)

2 1 0

n n

2GF (2 ) 2GF (2 )

which completes the pro of.

If F (0) 6= 0, then we can compute its p olynomial representation by rst

computing the p olynomial representation of the function G, where G(X )=0

2 1

for X = 0 and G(X )=F (X ) otherwise. If we assume that F (X )= d X

i=0

2 1

and G(X )= b X and by noting that we can express F (X )as

i=0

2 1

F (X )=G(X )+F (0)(1 + X ); (17)

then wehave

F (0) if i =0;

d = b if 0

i i

b + F (0) if i =2 1;

2 1

114 A.M. Youssef and G. Gong

3.2 Relation b etween Bo olean functions and its Galois led

p olynomial representation

(n)

Let F = GF (2) and F = fx ;:::;x jx 2 F g. Let f (x ;:::;x ) b e a func-

1 n i 2 1 n 2

(n)

tion from F to F . Then f (x ;:::;x ) can b e written as f (x ;:::;x )=

1 n 1 n

(y ;:::;y ), where y is a Bo olean function in n variables, i.e., y = y (x ;:::;x ).

1 n j j j 1 n

(n)

is isomorphic to GF (2 ), then f (x ;:::;x ) can b e regarded as a Since F

1 n

n n

function F from GF (2 )toGF (2 ).

It is well known that applying a linear transformation to a function f do esn't

change its nonlinear degree. It is also known that the nonlinear degree of the

function f (X )=X is wt(d). The following theorem illustrates the e ect of

applying a linear transformation to the output co ordinates of f on the co ecients

of its corresp onding p olynomial.

d n

Theorem 7. Let F (X )=X be a function of GF (2 ) which corresponds to

(n)

the Boolean mapping f (x ;:::;x )=(f (x);:::;f (x)) over F . Then the

1 n 1 n

function G(X ) corresponding to the Boolean mapping obtained by applying a

linear transformation to the output coordinates of f (x ;:::;x ) can be expressed

1 n

2 1

as G(X )= b X , where b =08i 62 C and C is the cyclotomic coset

i i d d

i=0

(mo d 2 1) .

Pro of: Using Lemma 3, G(X ) can b e expressed as

n1 n1 n1

X X X

i i i i

2 d2 d 2 2

a X : (19) (a X ) = (a F (X )) = G(X )=

i i

i=0 i=0 i=0

i i n

d2 (d2 )mod(2 1)

The Theorem follows directly by noting that X = X for X 2

GF (2 ).

P P

i j

Similarly, one can show that if F (X )= a X , then G(X )= b X

i j

i2I j 2J

where J is the set of cyclotomic cosets mo dulo 2 1 corresp onding to the set

I .

Example 1. Consider the Bo olean mapping f (x) in the Table 2. Assuming GF (2 )

x 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

f (x) 0 1 4 5 9 8 13 12 15 14 11 10 6 7 2 3

g (x) 0 2 4 6 10 8 14 12 15 13 11 9 5 7 1 3

Table 2.

4 3 2

is constructed using the irreducible p olynomial X + X +1, wehave F (X )=X .

Let g (x) b e the function obtained from f (x)byswapping the least signi cant

bits of the output. I.e., g (x ;x ;x ;x )= (f (x);f (x);f (x);f (x)), then we

1 2 3 4 1 2 4 3

2 4 8

have G(X )=2X +10X +6X +12X .

On the Interpolation Attacks on Block Ciphers 115

The following theorem illustrates the e ect of applying a linear transforma-

tion to the input co ordinates of a given Bo olean function on the co ecients of

its corresp onding p olynomial.

d n

Theorem 8. Let F (X )=X be a function of GF (2 ) which corresponds to the

(n)

Boolean mapping f (x ;:::;x )= (f (x);:::;f (x)) over F .Let G(x) be the

1 n 1 n

function which corresponds to the Boolean mapping obtained by applying a linear

transformation to the input coordinates of x ;:::;x while xing f (x ;:::;x ).

1 n 1 n

2 1

b X , b =0 for wt(i) >wt(d), Then G(X ) can be expressedasG(X )=

i i

i=0

where wt(d) denotes the Hamming weight of d.

Pro of: Using Lemma 3, G(X ) can b e expressed as

2 d

c X ) (20) G(X )=(

i=0

Let d = d 2 and let J denote the set fj ;:::;j g;s = wt(d), for which

j 1 s

j =0

d = 1. Then wehave

X Y

i+j

) (21) c X ( G(X )=

i=0

j 2J

n1 n1 n1

X X X

i +j i +j i +j

2 2 1 1 1

2 2 2

) (22) c X c X c X ) :::( =( )(

i i i

1 2 s

i =0 i =0 i =0

2 1 1

i +j i +j i +j

s s

1 1 2 2

2 +2 +:::+2

(23) = c c :::c X

i i i

1 2 s

i ;i ;:::;i

1 2 s

i +j i +j

1 1 s s

The Theorem follows by noting that wt(2 + ::: +2 )=s wt(d).

Let W = max wt(i). Then one can show that if F (X )= a X , then

i2I i

i2I

G(X )= b X where J is the set of elements with Hamming weight W .

j 2J

The following theorem illustrates the e ect of changing the irreducible p oly-

nomial used to construct the nite eld on the co ecients resulting p olynomial.

Theorem 9. Let F (X ) be a function of GF (2 ) which corresponds to the Boolean

(n)

mapping f (x ;:::;x )=(f (x);:::;f (x)) over F using irreducible R . Then

1 n 1 n 1

the function G(x) which corresponds to the boolean mapping f (x ;:::;x ) and

1 n

constructed using a di erent irreducible polynomial R 6= R can be expressedas

2 1

G(X )=L(F (L (X ))); (24)

where L is an invertible linear transformation over GF (2 ).

116 A.M. Youssef and G. Gong

Pro of: Consider the nite eld generated by an irreducible p olynomial R (X ). In

i n

c X jc 2 F g where the multipli- this case, GF (2 )=F [X ]=(R (X )) = f

i i 2 2 1

i=0

cation is p erformed by mo dulus R (X ). Then every element in the eld can b e

expressed as a where a 2 GF (2) and isarootofR (X ). Similarly,

i i 1

i=0

if the eld was generated using an irreducible p olynomial R (X ). In this case,

i n

c X jc 2 F g where the multiplicationis GF (2 )=F [X ]=(R (X )) = f

i i 2 2 2

i=0

p erformed by mo dulus R (X ). In this case, every element in the eld can b e

expressed as b ;b 2 GF (2) where is a ro ot of R (x). However, we can

i i 2

i=0

express as

i j

= a ;a 2 GF (2); 0 i

j j

j =0

This means that we can write G(X )=L(F (L (X )) where L(:) is the linear

transformation used to convert b etween the and the basis.

From the theorem ab ovechanging the irreducible p olynomial is equivalentto

applying a linear transformation to b oth the input and the output co ordinates,

and hence wehave the following corollary

i n

Corollary 10. Let F (X )= a X be a function of GF (2 ) which corre-

i2I

(n)

sponds to the Boolean mapping f (x ;:::;x )=(f (x);:::;f (x)) over F

1 n 1 n

using irreducible R .Let the W = max wt(i). Then the function G(x) cor-

1 i2I

responds to the boolean mapping f (x ;:::;x ) and constructed using a di erent

1 n

irreducible polynomial R 6= R can be expressedas

2 1

G(X )= b X ; (26)

j 2J

where J is the set of elements with Hamming weight W .

Example 2. Consider the Bo olean function describ ed in Table 3.

x 0 1 2 3 4 5 6 7

f (x) 0 1 3 4 5 6 7 2

Table 3.

3 2

Using the irreducible p olynomial X + X + 1 with ro ot ,wehave F (X )=

2 3 4 5 6

2X +2X +3X +4X + X +7X .Now, consider the irreducible p olynomial

3 3

X + X + 1 with ro ot . One can prove that = .Thus wehave the following

linear transformation

1 0 2 3 0 1

1 10 0 1

@ 4 5 @ A A

11 0 (27) =

2 2

10 1

On the Interpolation Attacks on Block Ciphers 117

Applying this linear transformation to b oth the input and the output of the truth

table we get L (x)andL(f (x)) in Table 4. Interp olating the relation b etween

1 1 3

L (x) and L(f (x)), we get L(F (X ))=(L (X )) .

x 0 1 2 3 4 5 6 7

L (x) 0 1 3 2 5 4 6 7

f (x) 0 1 3 4 5 6 7 2

L(f (x)) 0 1 2 5 4 6 7 3

Table 4.

To summarize the results in this section, a linear transformation on the out-

put co ordinates a ects only the co ecients of the exp onents that b elong to the

same cyclotomic cosets of the exp onent in the original function representation.

A linear transformation on the input co ordinates or changing the irreducible

p olynomial a ect only the co ecients of the exp onents with Hamming weight

less than or equal to the maximum Hamming weight of the exp onents in original

function representation.

4 Checking algebraic expressions for trap do ors

In [5] the authors presented a metho d to construct trap do or blo ck ciphers which

contains some hidden structures known only to the cipher designers. The sam-

ple trap do or cipher in [5]was broken [12] and designing practical trap e do or

S-b oxes is still an intersting topic. In this section we discuss howtocheck if the

S-b oxes or the round function has a simple algebraic structure. In particular, we

consider the case where we can represent the round function or the S-b oxes bya

monomial. The numberofinvertible linear transformations grows exp onentially

with n. Using exhaustive searchtocheck if applying an invertible linear trans-

formation to the output and/or the input co ordinates of the Bo olean function

f (x ;:::;x )=(f (x);:::;f (x)) leads to a simpler p olynomial representation

1 n 1 n

b ecomes computationally infeasible even for small values of n. In this section we

showhowtocheck for the existence of such simple description. Note that we only

consider the case of p olynomialsover GF (2 ). S-b oxes with a complex algebraic

expression over GF (2 )mayhave a simpler description over other elds.

4.1 Undoing the e ect of a linear transformation on the output

co ordinates

First, we will consider the case of a function G(X ) obtained by applying a

linear transformation of the output co ordinates of a monomial function X . The

118 A.M. Youssef and G. Gong

algebraic description of such a function will have nonzero co ecients only for

exp onents 2 C (mo d 2 1). Thus G(X ) is expressed as

2 1

2 d

G(X )= b X ; (28)

i=0

b =0 if i=2 C . A linear transformation of the output co ordinates of G(X ) can

i d

b e expressed as

n1 2 1

X X

i j

2 d 2

L(G(X )) = a ( b X ) (29)

j i

j =0 i=0

n1 2 1

X X

i+j

(2 )d

= a b X (30)

j i

j =0 i=0

By equating the co ecients of X to zero except for i = d, the ab ove equation

0 n

forms a system of n n linear equations (with unknowns a s 2 GF (2 ) ) which

can b e checked for the existence of a solution using simple linear algebra.

2 4 8 4

Example 3. Let G(X )=2X +10X +6X +12X ;X 2 GF (2 ) constructed

4 3

using the irreducible p olynomial X + X + 1, Supp ose wewanttocheck if there

exists a linear transformation on the output co ordinates of G(X );L(G(X )) such

that the resulting p olynomial has only one term with degree 2. Using the theorem

ab ove, form the set of 4 4 linear equations over GF (2 )we get:

3 2 0 1 0 1

2 4 8

b b b b a 0

0 0

3 2 1

2 4 8

7 6 B C B C

b b b b a 1

1 1

0 3 2

7 6 B C B C

= ; (31)

2 4 8

5 4 @ A @ A

b b b b a 0

2 2

1 0 3

2 4 8

b b b b a 0

3 3

2 1 0

For G(X )abovewehave b =2;b =10;b =6;b = 12. Thus

0 1 2 3

2 3 0 0 1 1

26711 0 a

6 B C 7 B C

1041312 1 a

6 7 B B C C

(32) =

@ A 4 5 @ A

6119 7 0 a

12 13 10 14 0 a

Solving for a 's we get

1 0 1 0

a 10

C B C B

6 a

C B C B

(33) =

A @ A @

12 a

2 a

2 4 8 2

and L(G(X )) = 10G(X )+6G(X ) +12G(X ) +2G(X ) = X

On the Interpolation Attacks on Block Ciphers 119

4.2 Undoing the e ect of a linear transformation on the input

co ordinates

Consider a function G(X ) obtained by applying a linear transformation to the

input co ordinates of a monomial function X . The algebraic description of such

a function will have zero co ecients for all exp onents with Hamming weight >d.

Thus G(X ) is expressed as

2 1

G(X )= b X ; (34)

i=0

b =0 if wt(i) >d

A linear transformation of the input co ordinates of G(X ) can b e expressed

2 1 n1

X X

2 i

b (a X ) (35) L(G(X )) =

i j

i=0 j =0

If one tries to evaluate the ab ove expression and equate the co ecients to the

co ecients of a monomial, then one has to solve a set of non linear equations

with unknowns a ;j =0; 1;:::;n 1.

Toovercome this problem, we will reduce the problem of undoing the e ect

of a linear transformation on the input co ordinates to undoing the e ect of a

linear transformation on the output co ordinates.

Consider G(X ) obtained by a linear transformation on the input co ordinates

1 1 1

of F (X ). Then G(X )= F (L(X )). Thus wehave G (X )=L (F (X )). If

F (X ) is a monomial, then F (X ) is also a monomial and our problem is reduced

1 1

to nding the linear transformation L on the output co ordinates of F (X )

which is equivalent to solving a system of linear equations in n variables.

2 3 4 5 6

Example 4. Consider the function G(X )=8X +9X + X +11X +14X +

7 8 9 10 11 12 13 14 4

X +12X +2X +9X +4X +11X +14X +14X 2 GF (2 ) where

4 4 3

GF (2 ) is constructed using the irreducible p olynomial X + X + 1. In this

1 7 11 13 14

case, wehave G(X ) =5X +5X +11X +15X . In this case, wehave

60 linear transformations on the output co ordinates of G (X ) that will map

it to a monomial of exp onent with weight 3. Out of these 60 transformations,

1 13 4

wehave 15 linear transformations such that L(G (X )) = aX ;a 2 GF (2 ).

2 4 8

In particular, the linear mapping L(X )=X +14X +9X +14X on the

1 1 13 1 13

output bits of G (X ) reduces G (X )toX , i.e., L(G (X )) = X and

hence G(X )=(L(X )) .

Undoing the e ect of changing the irreducible p olynomial corresp onds to undoing

the e ect of a linear transformation on b oth the input and the output co ordinates

which seems to b e a hard problem. The numb er of irreducible p olynomials of

degree n over a nite eld with q elements is given by

n=d

(d)q ; (36) I =

djn

120 A.M. Youssef and G. Gong

where (d) is de ned by

1 if d =1;

(37) (d)=

(1) if d is the pro duct of k distinct primes;

0 if d is divisible by the square of a prime:

Since the dominant term in I o ccurs for d =1,we get the estimate

I (38)

Thus for typical S-b ox sizes, exhaustive search through all the set of (2 =n)

irreducible p olynomials seems to b e a feasible task.

References

1. R. Lidl and H. Niederreiter, Finite Fields (Encyclopedia of Mathematics and its

Applications) , Addison Wesley. Reading, MA. 1983.

2. R. J. McEliece, Finite Fields For Computer Scientists and Engineers , Kluwer

Academic Publishers. Dordrecht. 1987.

3. T. Jakobsen and L. Knudsen, The Interpolation Attack on Block Ciphers, LNCS

1267,Fast Software Encryption. pp. 28-40. 1997.

4. T. Jakobsen, Cryptanalysis of Block Ciphers with Probabilistic Non-linear Relations

of Low Degree, Pro ceedings of Crypto'99. LNCS 1462. pp. 213-222. 1999.

5. V. Rijmen and B. Preneel, A family of trapdoor ciphers, Pro ceedings of Fast Soft-

ware Encryption. LNCS 1267. pp. 139-148. 1997.

6. M. Sudan, Decoding Reed Solomon Codes beyond the error-correction bound, Jour-

nal of Complexity.Vol. 13. no 1. pp180-193. March, 1997.

7. G. Gong and S. W. Golomb, Transform Domain Analysis of DES, IEEE transac-

tions on Information Theory.Vol. 45. no. 6. pp. 2065-2073. Septemb er, 1999.

8. K. Nyb erg and L. Knudsen, Provable Security Against a Di erential Attack, Jour-

nal of Cryptology.Vol. 8. no. 1. 1995.

9. K. Aoki, Ecient Evaluation of Security against Generalized Interpolation Attack,

Sixth Annual Workshop on Selected Areas in cryptographySAC'99. Workshop

record. pp. 154-165. 1999.

10. S.W. Golomb,Shift Register Sequences, Aegean Park Press. Laguna Hills, Califor-

nia. 1982.

11. R.E. Blahut, Theory and Practice of Error Control Codes, Addison-Wesley. Read-

ing, MA. 1990.

12. H. Wu, F. Bao, R. Deng and Q. Ye Cryptanalysis of Rijmen-Preneel Trapdoor

Ciphers, LNCS 1514, Asiacrypt'98. pp. 126-132. 1998.

13. G. Gong and A.M. Youssef, Lagrange Interpolation Formula and Discrete Fourier

Transform ,Technical Rep ort. Center for Applied Cryptographic Research. Uni-

versityofWaterlo o. 1999.