On the Interpolation Attacks on Block Ciphers
A.M. Youssef and G. Gong
Center for Applied Cryptographic Research
Department of Combinatorics and Optimization
University of Waterloo, Waterloo, ON N2L 3G1
{a2youssef, [email protected]}
Abstract. The complexity of interpolation attacks on block ciphers depends on the degree of the polynomial approximation and/or on the number of terms in the polynomial approximation expression. In some situations, the round function or the S-boxes of the block cipher are expressed explicitly in terms of an algebraic function, yet on many other occasions the S-boxes are expressed in terms of their Boolean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-boxes or the round function using the Lagrange interpolation formula. A natural question is what effect the choice of the irreducible polynomial used to construct the finite field has on the degree of the resulting polynomial. Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-boxes (or the round function) such that the resulting polynomial has a lower degree or a smaller number of non-zero coefficients. In this paper we give an answer to these questions. We also present an explicit relation between the Lagrange interpolation formula and the Galois Field Fourier Transform.
Keywords: Block cipher, cryptanalysis, interpolation attack, finite fields, Galois Field Fourier Transform
1 Introduction
Gong and Golomb [7] introduced a new criterion for S-box design. Because many block ciphers can be viewed as a Non Linear Feedback Shift Register (NLFSR) with input, the S-boxes should not be approximated by a monomial. The reason is that the trace functions $Tr(X^d)$ and $Tr(X)$ have the same linear span. From the viewpoint of m-sequences [10], both of the sequences $\{Tr(\alpha^{id})\}_{i \ge 0}$ and $\{Tr(\alpha^{i})\}_{i \ge 0}$ are m-sequences of period $2^n - 1$ (here $\alpha$ is a primitive element of $GF(2^n)$ and the decimation $d$ is coprime to $2^n - 1$). The former can be obtained from the latter by decimation by $d$. Gong and Golomb showed that the distance of the DES S-boxes from their best monomial approximations has the same distribution as their distance from their best linear approximations.
In [3] Jakobsen and Knudsen introduced a new attack on block ciphers. This attack is useful for attacking ciphers using simple algebraic functions as S-boxes. The attack is based on the well-known Lagrange interpolation formula. Let $R$ be a field. Given $2n$ elements $x_1, \ldots, x_n, y_1, \ldots, y_n \in R$, where the $x_i$'s are distinct, define

$$f(x) = \sum_{i=1}^{n} y_i \prod_{1 \le j \le n,\ j \ne i} \frac{x - x_j}{x_i - x_j}. \qquad (1)$$

Then $f(x)$ is the only polynomial over $R$ of degree at most $n - 1$ such that $f(x_i) = y_i$ for $i = 1, \ldots, n$. The main result in [3] is that for an iterated block cipher with block size $m$, if the cipher-text is expressed as a polynomial with $n \le 2^m$ coefficients of the plain-text, then there exists an interpolation attack of time complexity $n$ requiring $n$ known plain-texts encrypted with a secret key $K$, which finds an algorithm equivalent to encryption (or decryption) with $K$. This attack can also be extended to a key recovery attack.

B. Schneier (Ed.): FSE 2000, LNCS 1978, pp. 109-120, 2001. Springer-Verlag Berlin Heidelberg 2001
In [4] Jakobsen extended this cryptanalysis method to attack block ciphers with probabilistic nonlinear relations of low degree. Using recent results from coding theory (Sudan's algorithm for decoding Reed-Solomon codes beyond the error correction parameter [6]), Jakobsen showed how to break ciphers where the cipher-text is expressible as evaluations of an unknown univariate polynomial of low degree $m$ with a typically low probability $\epsilon$. The known plain-text attack requires $n = 2m/\epsilon^2$ plain-text/cipher-text pairs. In the same paper, Jakobsen also presented a second attack that needs access to $n = (2m/\epsilon)^2$ plain-text/cipher-text pairs and whose running time is polynomial in $n$.
It is clear that the complexity of such cryptanalytic attacks depends on the degree of the polynomial approximation or on the number of terms in the polynomial approximation expression. In some situations, the round function or the S-boxes of the block cipher are expressed explicitly in terms of an algebraic function (for example see [8]), yet on many other occasions the S-boxes are expressed in terms of their Boolean function representation. In this case, the cryptanalyst has to evaluate the algebraic description of the S-boxes or the round function using the Lagrange interpolation formula. A natural question is what effect the choice of the irreducible polynomial used to construct the finite field has on the degree of the resulting polynomial. Another question is whether or not there exists a simple linear transformation on the input or output bits of the S-boxes (or the round function) such that the resulting polynomial has a lower degree or a smaller number of coefficients. In this paper we give explicit answers to these questions.
To illustrate the idea, consider the binary mapping from $GF(2)^4$ to $GF(2)^4$ given in Table 1. If the Lagrange interpolation formula is applied over $GF(2^4)$, where $GF(2^4)$ is defined by the irreducible polynomial $X^4 + X^3 + 1$, then we have (coefficients written as the integer labels of Section 2)

$$F(X) = X + X^2 + 7X^3 + 15X^4 + 5X^5 + 14X^6 + 14X^8 + 2X^9 + 7X^{10} + 9X^{12}, \quad X \in GF(2^4).$$

However, if we use the irreducible polynomial $X^4 + X + 1$ to define $GF(2^4)$, then we have $F(X) = X^3$, $X \in GF(2^4)$, which is obviously a simpler description.
Table 1.

x      0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
f(x)   0  1  8 15 12 10  1  1 10 15 15 12  8 10  8 12

An interesting observation follows when applying the Lagrange interpolation formula to the DES S-boxes. In this case we consider the DES S-box output coordinates as mappings from $GF(2^6)$ to $GF(2)$. Let $f$ be the Boolean function resulting from XORing all the output coordinates of DES S-box number four. When we define $GF(2^6)$ using the irreducible polynomial $X^6 + X^5 + 1$, the polynomial resulting from applying the Lagrange interpolation formula to $f$ has only 39 nonzero coefficients. The Hamming weight of every exponent corresponding to a nonzero coefficient was at most 3. It should be noted that the expected number of nonzero coefficients for a randomly selected function over $GF(2^6)$ is 63. While this observation has no cryptanalytic significance, it shows the effect of changing the irreducible polynomial when searching for a polynomial representation of cipher functions.
2 Mathematical background and definitions

For a background on the general theory of finite fields, the reader is referred to [1], and for a background on finite fields of characteristic 2, the reader is referred to [2].
Most of the results in this paper can be extended in a straightforward way from $GF(2^n)$ to $GF(q^n)$. Throughout this paper, we use integer labels to represent finite field elements. I.e., for any element $X \in GF(2^n)$, $X = \sum_{i=0}^{n-1} x_{i+1} \alpha^i$, $x_i \in GF(2)$, where $\alpha$ is a root of the irreducible polynomial which defines $GF(2^n)$, we represent $X$ by $\sum_{i=0}^{n-1} x_{i+1} 2^i$ as an integer in the range $[0, 2^n - 1]$. The associated addition and multiplication operations on these labels are defined by the finite field structure and have no resemblance to modular integer arithmetic.
Definition 1. A polynomial having the special form

$$L(X) = \sum_{i=0}^{t} \beta_i X^{2^i} \qquad (2)$$

with coefficients $\beta_i$ from $GF(2^n)$ is called a linearized polynomial over $GF(2^n)$.

Definition 2. A cyclotomic coset mod $N$ that contains an integer $s$ is the set

$$C_s = \{s, sq, \ldots, sq^{m-1}\} \pmod{N} \qquad (3)$$

where $m$ is the smallest positive integer such that $sq^m \equiv s \pmod{N}$.
Lemma 3. Let $A$ be a linear mapping over $GF(2^n)$ (i.e., linear over $GF(2)$). Then $A(X)$, $X \in GF(2^n)$, can be expressed in terms of a linearized polynomial over $GF(2^n)$. I.e., we can express $A(X)$ as

$$A(X) = \sum_{i=0}^{n-1} \beta_i X^{2^i}. \qquad (4)$$

Lemma 4. Let $\beta_1, \beta_2, \ldots, \beta_t$ be elements in $GF(2^n)$. Then

$$(\beta_1 + \beta_2 + \cdots + \beta_t)^{2^k} = \beta_1^{2^k} + \beta_2^{2^k} + \cdots + \beta_t^{2^k}. \qquad (5)$$

Lemma 5. The number of ways of choosing an (ordered) basis of $GF(2^n)$ over $GF(2)$ is

$$\prod_{i=0}^{n-1} (2^n - 2^i). \qquad (6)$$
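The following Python script is an added example and is not part of the paper. It reproduces the Table 1 computation of Section 1 (the same 16-entry table interpolated over $GF(2^4)$ once under $X^4 + X^3 + 1$ and once under $X^4 + X + 1$) and illustrates Lemma 3 by extracting the linearized-polynomial coefficients of a $GF(2)$-linear map. Instead of evaluating formula (1) term by term, the coefficients are obtained through the Fourier-transform route that Section 3 makes explicit: for $1 \le k \le 2^n - 2$, $a_k = \sum_{x \ne 0} F(x)\, x^{-k}$, which is the GFFT of the value sequence $(F(\alpha^i))$ at index $-k$, while $a_0 = F(0)$ and $a_{2^n-1} = \sum_x F(x)$. Field elements are the integer labels of Section 2; the $4 \times 4$ binary matrix used for Lemma 3 and all function names are this example's own choices, not the paper's.

```python
"""Added example (not from the paper): univariate polynomial representation
of a function on GF(2^n) under two irreducible polynomials, and the
linearized-polynomial form of a GF(2)-linear map (Lemma 3).
Field elements use the integer labels of Section 2 (bit i = x_{i+1})."""


def gf_mul(a, b, poly, n):
    """Multiply labels a, b in GF(2^n) defined by `poly`, an integer bitmask
    of the irreducible polynomial (X^4 + X + 1 -> 0b10011)."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:          # reduce X^n back into the field
            a ^= poly
    return r


def gf_pow(a, e, poly, n):
    """a^e in GF(2^n) for a != 0; e may be negative (a^-k = a^(2^n-1-k))."""
    e %= (1 << n) - 1
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly, n)
        a = gf_mul(a, a, poly, n)
        e >>= 1
    return r


def poly_coeffs(table, poly, n):
    """Coefficients a_0..a_{2^n-1} of the unique polynomial F of degree
    < 2^n over GF(2^n) with F(x) = table[x] for every label x.
    For 1 <= k <= 2^n-2:  a_k = sum_{x != 0} F(x) * x^{-k}   (GFFT form);
    a_0 = F(0) and a_{2^n-1} = sum over all x of F(x)."""
    q = 1 << n
    a = [0] * q
    a[0] = table[0]
    for k in range(1, q - 1):
        acc = 0
        for x in range(1, q):
            acc ^= gf_mul(table[x], gf_pow(x, -k, poly, n), poly, n)
        a[k] = acc
    total = 0
    for y in table:
        total ^= y
    a[q - 1] = total
    return a


def poly_eval(coeffs, x, poly, n):
    """Evaluate sum_k a_k x^k at label x (0^0 = 1, so x = 0 gives a_0)."""
    r, xp = coeffs[0], 1
    for k in range(1, len(coeffs)):
        xp = gf_mul(xp, x, poly, n)
        r ^= gf_mul(coeffs[k], xp, poly, n)
    return r


def nonzero_terms(coeffs):
    """{exponent: coefficient} for the nonzero terms."""
    return {k: c for k, c in enumerate(coeffs) if c}


def max_exponent_weight(coeffs):
    """Largest Hamming weight among exponents of nonzero terms."""
    return max((bin(k).count("1") for k in nonzero_terms(coeffs)), default=0)


# Table 1 of the paper: f(x) for labels x = 0..15.
TABLE1 = [0, 1, 8, 15, 12, 10, 1, 1, 10, 15, 15, 12, 8, 10, 8, 12]
P_X4_X3_1 = 0b11001   # X^4 + X^3 + 1
P_X4_X_1 = 0b10011    # X^4 + X + 1


def table1_polynomial(poly):
    """Nonzero terms of the polynomial interpolating Table 1 over GF(2^4)
    defined by `poly`, after checking that it reproduces every entry."""
    a = poly_coeffs(TABLE1, poly, 4)
    assert all(poly_eval(a, x, poly, 4) == TABLE1[x] for x in range(16))
    return nonzero_terms(a)


# Lemma 3 demo: an invertible GF(2)-linear map chosen for this example
# (lower-triangular matrix, y_i = x_1 + ... + x_{i+1}) must come out as a
# linearized polynomial, i.e. only exponents 1, 2, 4, 8 may occur.
MATRIX_ROWS = [0b0001, 0b0011, 0b0111, 0b1111]


def apply_matrix(rows, x):
    """Multiply the coordinate vector of label x by the binary matrix `rows`."""
    y = 0
    for i, row in enumerate(rows):
        if bin(row & x).count("1") & 1:
            y |= 1 << i
    return y


def linear_map_polynomial(rows, poly, n):
    """Nonzero terms of the polynomial of x -> rows * x over GF(2^n)."""
    table = [apply_matrix(rows, x) for x in range(1 << n)]
    return nonzero_terms(poly_coeffs(table, poly, n))


def composed_weights(table, rows, poly, n):
    """Max exponent weight of x -> rows*F(x) and of x -> F(rows*x): a linear
    transformation of the output or input bits cannot raise it."""
    q = 1 << n
    out_t = [apply_matrix(rows, table[x]) for x in range(q)]
    in_t = [table[apply_matrix(rows, x)] for x in range(q)]
    return (max_exponent_weight(poly_coeffs(out_t, poly, n)),
            max_exponent_weight(poly_coeffs(in_t, poly, n)))


if __name__ == "__main__":
    print("X^4+X^3+1:", table1_polynomial(P_X4_X3_1))
    print("X^4+X+1:  ", table1_polynomial(P_X4_X_1))
    print("Lemma 3:  ", linear_map_polynomial(MATRIX_ROWS, P_X4_X_1, 4))
    print("weights after linear transforms:",
          composed_weights(TABLE1, MATRIX_ROWS, P_X4_X3_1, 4))
```

Running the script prints the ten-term polynomial of Section 1 for $X^4 + X^3 + 1$ and the single term $\{3: 1\}$, i.e. $X^3$, for $X^4 + X + 1$; the Lemma 3 map yields only exponents from $\{1, 2, 4, 8\}$, and composing Table 1 with the linear map on either side leaves the maximum exponent weight at 2, which is the mechanism behind the paper's second question.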
3 Lagrange coefficients, Galois Field Fourier Transform and Boolean functions

3.1 Relation between the Galois Field Fourier Transform and the Lagrange coefficients
In this section we give an explicit formula for the relation between the Lagrange interpolation of $F$ and the Galois Field Fourier Transform of its corresponding sequence. Besides its theoretical interest, the cryptographic significance of this relation stems from the viewpoint of Gong and Golomb [7], where they model many block ciphers as a Non Linear Feedback Shift Register (NLFSR) with input.
Let $v = (v_0, v_1, \ldots, v_{l-1})$ be a vector over $GF(q)$ whose length $l$ divides $q^m - 1$ for some positive integer $m$. Let $\alpha$ be an element of order $l$ in $GF(q^m)$. The Galois field Fourier transform (GFFT) [11] of $v$ is the vector $F(v) = V = (V_0, V_1, \ldots, V_{l-1})$ where the $\{V_j\}$ are computed as follows.

$$\sum_{i=0}^{l-1}$$