No subject

Paweł Krawczyk kravietz at
Mon Apr 15 10:50:34 EDT 2002

,,Cryptanalysis of Block Ciphers with Overdefined Systems of Equations''
Nicolas Courtois and Josef Pieprzyk

Abstract: Several recently proposed ciphers are built with layers of
small S-boxes, interconnected by linear key-dependent layers. Their
security relies on the fact, that the classical methods of
cryptanalysis (e.g. linear or differential attacks) are based on
probabilistic characteristics, which makes their security grow
exponentially with the number of rounds Nr.

In this paper we study the security of such ciphers under an
additional hypothesis: the S-box can be described by an overdefined
system of algebraic equations (true with probability 1). We show that
this hypothesis is true for both Serpent (due to a small size of
S-boxes) and Rijndael (due to unexpected algebraic properties).

Paweł Krawczyk *
Krakow, Poland *

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list