Cryptanalysis of block ciphers with overdefined systems of equations
, 2002
Cited by 153 (17 self)
Abstract. Several recently proposed ciphers, for example Rijndael and Serpent, are built with layers of small S-boxes interconnected by linear key-dependent layers. Their security relies on the fact that the classical methods of cryptanalysis (e.g. linear or differential attacks) are based on probabilistic characteristics, which makes their security grow exponentially with the number of rounds Nr. In this paper we study the security of such ciphers under an additional hypothesis: the S-box can be described by an overdefined system of algebraic equations (true with probability 1). We show that this is true for both Serpent (due to a small size of S-boxes) and Rijndael (due to unexpected algebraic properties). We study general methods known for solving overdefined systems of equations, such as XL from Eurocrypt’00, and show their inefficiency. Then we introduce a new method called XSL that uses the sparsity of the equations and their specific structure. The XSL attack uses only relations true with probability 1, and thus the security does not have to grow exponentially in the number of rounds. XSL has a parameter P, and from our estimations it seems that P should be a constant or grow very slowly with the number of rounds. The XSL attack would then be polynomial (or subexponential) in Nr, with a huge constant that is double-exponential in the size of the S-box. The exact complexity of such attacks is not known due to the redundant equations. Though the presented version of the XSL attack always gives more than the exhaustive search for Rijndael, it seems to (marginally) break 256-bit Serpent. We suggest a new criterion for design of S-boxes in block ciphers: they should not be describable by a system of polynomial equations that is too small or too overdefined.
Generic Attacks on Feistel Schemes
- Advances in Cryptology – ASIACRYPT 2001
, 2001
Cited by 5 (1 self)
Abstract. Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A: 1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(7n/4)) computations with O(2^(7n/4)) random plaintext/ciphertext pairs. 2. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(3n/2)) computations with O(2^(3n/2)) chosen plaintexts. Since the complexities are smaller than the number 2^(2n) of possible inputs, they show that some generic attacks always exist on Feistel schemes with 5 rounds. Therefore we recommend in Cryptography to use Feistel schemes with at least 6 rounds in the design of pseudo-random permutations. We will also show in this paper that it is possible to distinguish most 6-round Feistel permutation generators from a truly random permutation generator by using a few (i.e. O(1)) permutations of the generator and by using a total number of O(2^(2n)) queries and a total of O(2^(2n)) computations. This result is not really useful to attack a single 6-round Feistel permutation, but it shows that when we have to generate several pseudorandom permutations on a small number of bits we recommend to use more than 6 rounds. We also show that it is possible to extend these results to any number of rounds, however with an even larger complexity.
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
Cited by 1 (0 self)
Abstract. Unbalanced Feistel schemes with expanding functions are used to construct pseudo-random permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F^d_k, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the result of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, Block ciphers.
Some thoughts on the AES process
, 1999
In this note, it is argued that the Advanced Encryption Standard (AES) should be chosen with a large safety margin. The history of block ciphers shows that the security levels decrease as a function of the man-years spent in the analysis. Also, we recommend what we think are the candidates best suited for the AES.
1 Security levels and overhead
The AES proposals are required to support at least a block size of 128 bits, and three key sizes of 128, 192, and 256 bits. The hope of NIST is that the end result is a block cipher "with a strength equal to or better than that of Triple-DES and significantly improved efficiency." With the minimum requirements for the key sizes it is clear that an exhaustive key search will be infeasible for many years. Also, with a block size of 128 bits the matching-ciphertext attack requires a huge number of about 2^64 ciphertext blocks to come into play. The submitters of most of the algorithms claim a very high level of security. An exhaustive s...
Status Report on the First Round of the Development of the Advanced Encryption Standard
this report. The five finalists will be the subject of further study before the selection of one or more of these algorithms for inclusion in the Advanced Encryption Standard. Key words: Advanced Encryption Standard (AES); cryptography; cryptanalysis; cryptographic algorithms; encryption. Accepted: August 11, 1999. Available online: http://www.nist.gov/jres
Contents
1. Overview of the Development Process for the Advanced Encryption Standard and Summary of Round 1 Evaluations ... 436
1.1 Evaluation Criteria ... 436
1.2 Results From Round 1 ... 437
1.3 Selection Process Prior to Round 2 ... 437
1.4 Round 2 Finalists ... 438
1.5 Next Steps ... 438
2. Technical Details of the Round 1 Analysis ... 439
2.1 Abbreviations ...
DFCv2
, 2000
The development process of the Advanced Encryption Standard (AES) was launched in 1997 by the US government through NIST. The Decorrelated Fast Cipher (DFC) was the CNRS proposal for the AES, among 14 other candidates in 1998. It was based on the recent decorrelation theory, to obtain certain security proofs covering linear and differential cryptanalysis. DFC received numerous comments. In particular, Coppersmith discovered a weakness in the key schedule. We address this weakness by a slight modification on DFC. This paper presents the specifications and rationales of DFC version 2, and discusses issues raised during the AES process.
Generic attacks on Alternating Unbalanced Feistel Schemes
Abstract. Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in [12], [4], [15], [16]. In this paper we study schemes where we use alternatively contracting random functions and expanding random functions. We name these schemes “Alternating Unbalanced Feistel Schemes”. They allow constructing pseudo-random permutations from kn bits to kn bits where k ≥ 3. At each round, we use either a random function from n bits to (k−1)n bits or a random function from (k−1)n bits to n bits. We describe the best generic attacks we have found. We present “known plaintext attacks” (KPA) and “non-adaptive chosen plaintext attacks” (CPA-1). Let d be the number of rounds. We show that if d ≤ k, there are CPA-1 with 2 messages and KPA with m the number of messages about 2^((d−1)n/4). For d ≥ k + 1 we have to distinguish k even and k odd. For k even, we have m = 2 in CPA-1 and m ≃ 2^(kn/4) in KPA. When k is odd, we show that there exist CPA-1 for d ≤ 2k − 1 and KPA for d ≤ 2k + 3 with less than 2^(kn) messages and computations. Beyond these values, we give KPA against generators of permutations.
Generic Attacks on Feistel Schemes -Extended Version-
- IACR EPRINT
, 2008
This paper is the extended version of the paper with the same title published at Asiacrypt’2001 and we have also included here the cryptanalysis results of the paper “Security of Random Feistel Schemes with 5 or more Rounds” published at Crypto’2004. Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A: 1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^n) computations with O(2^n) non-adaptive chosen plaintexts. 2. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(3n/2)) computations with O(2^(3n/2)) random plaintext/ciphertext pairs. Since the complexities are smaller than the number 2^(2n) of possible inputs, they show that some generic attacks always exist on Feistel schemes with 5 rounds. Therefore we recommend in Cryptography to use Feistel schemes with at least 6 rounds in the design of pseudo-random permutations. We will also show in this paper that it is possible to distinguish most 6-round Feistel permutation generators from a truly random permutation generator by using a few (i.e. O(1)) permutations of the generator and by using a total number of O(2^(2n)) queries and a total of O(2^(2n)) computations. This result is not really useful to attack a single 6-round Feistel permutation, but it shows that when we have to generate several pseudo-random permutations on a small number of bits we recommend to use more than 6 rounds. We also show that it is possible to extend these results to any number of rounds, however with an even larger complexity. Key words: Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, Luby-Rackoff theory.

