Journal of Electrical and Computer Engineering

Volume 2017 (2017), Article ID 9828967, 9 pages

https://doi.org/10.1155/2017/9828967

## Algebraic Cryptanalysis Scheme of AES-256 Using Gröbner Basis

^{1}Department of Computer Science and Technology, Henan Institute of Technology, Xinxiang 453003, China^{2}School of Computer Science and Technology, Anhui University, Hefei 230039, China

Correspondence should be addressed to Jie Cui; nc.ude.ctsu.liam@eijiuc

Received 22 October 2016; Accepted 22 January 2017; Published 23 February 2017

Academic Editor: Jucheng Yang

Copyright © 2017 Kaixin Zhao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The zero-dimensional Gröbner basis construction is a crucial step in Gröbner basis cryptanalysis on AES-256. In this paper, after performing an in-depth study on the linear transformation and the system of multivariate polynomial equations of AES-256, the zero-dimensional Gröbner basis construction method is proposed by choosing suitable term order and variable order. After giving a detailed construction process of the zero-dimensional Gröbner basis, the necessary theoretical proof is presented. Based on this, an algebraic cryptanalysis scheme of AES-256 using Gröbner basis is proposed. Analysis shows that the complexity of our scheme is lower than that of the exhaustive attack.

#### 1. Introduction

On October 2, 2000, the Rijndael algorithm, which was designed by Daemen and Rijmen, was determined by the National Institute of Standards and Technology (NIST) for the Advanced Encryption Standard (AES) [1]. It has been of concern to the cryptographic community since the Rijndael algorithm was proposed, and there have been many attack methods. However, there is no successful attack on the full Rijndael algorithm up to now [2, 3].

Cryptanalysis and cryptography not only are mutually antagonistic, but also promote each other. Because of the great advantages of algebraic cryptanalysis technology, it has become a hot research topic in recent years. Algebraic attack is mainly composed of two steps: the first step is to establish a system of algebraic equations to describe the relationship among the plaintext, the ciphertext, and the key in cryptographic algorithm; the second step is to solve the system of equations to obtain the key by some of the known plaintext-ciphertext pairs. The first step has already obtained some research results, and many scholars have proposed many kinds of equation systems of AES algorithm [4, 5]. In the second step, the multivariate equation system is still a problem to be solved. Although solving the multivariate equation system is an NP-hard problem, the complexity of solving a sparse overdetermined system of equations is far lower than that of the NP-hard problem.

At present, the methods of solving the high order multivariate equation system mainly include XL, XSL, and Gröbner basis. Since the algebraic expression of AES algorithm is sparse and structured, it is inefficient to apply XL attacks directly. In 2002, Courtois et al. proposed an XSL attack method and claimed to break the key length of 256-bit AES algorithm in theory. However, the number of linear independent equations generated by XSL attacks in the academic field is disputed, and the validity of the attack is questioned [6, 7]. Gröbner basis is an effective method for solving the high order multivariate equation system, which is proposed by Buchberger. Its essence is to set up a set of arbitrary ideals in polynomial rings, describe and compute a set of generators with good properties, and then study the ideal structure and carry out the ideal computation [3].

Gröbner basis is a standard representation method of polynomial ideals, which has some useful properties [8]. Gröbner basis exists in any ideal, and the Gröbner basis of any ideal can be computed by the Buchberger algorithm or F4 or F5 algorithm [6]. Lexicographic order is a commonly used elimination order. The coefficient matrix of the basis is triangular when using lexicographical Gröbner basis in the computation, and the last row solves single-variable equations. This is the reason why lexicographical Gröbner basis can solve the equation system. But the direct computation of lexicographic Gröbner basis will produce excessive coefficients.

Common practice is to compute the total degree order Gröbner basis of the ideal firstly and then convert the total degree order Gröbner basis to lexicographical Gröbner basis using Gröbner basis conversion algorithm. Gröbner basis conversion algorithms include the Gröbner Walk [7] and the FGLM algorithm [6]. Compared with the Gröbner Walk, FGLM algorithm is simple and efficient, but the FGLM algorithm only works for zero-dimensional ideals [9, 10]. Therefore, constructing the zero-dimensional Gröbner basis of AES algorithm is crucial to implement Gröbner basis cryptanalysis. In 2013, the zero-dimensional Gröbner basis construction method of Rijndael-192 was proposed [11]. However, how to construct the zero-dimensional Gröbner basis of AES-256 and how to apply Gröbner basis cryptanalysis to AES-256 are still open questions. In this paper, the authors perform some particular studies on the linear transformation and the system of multivariate polynomial equations of AES-256 and propose its zero-dimensional Gröbner basis construction method through choosing suitable term order and variable order. After presenting the construction method of the Gröbner basis, the authors give the necessary theoretical proof. Moreover, the authors propose an algebraic cryptanalysis of AES-256 using Gröbner basis. Analysis suggests that the complexity of our scheme is lower than the exhaustive attack. The main contributions are given as follows:(1)The zero-dimensional Gröbner basis construction method is proposed by choosing suitable term order and variable order.(2)The necessary theoretical proof is given, and it shows that the set of polynomials is a zero-dimensional Gröbner basis.(3)The effective algebraic cryptanalysis scheme of AES-256 using Gröbner basis is proposed.

The rest of this paper is formed as follows. The mathematical model of AES-256 is shown in Section 2. Section 3 demonstrates the Gröbner basis theory. The equation system of AES-256 is given in Section 4. In Section 5, the Gröbner basis construction method of AES-256 and the algebraic cryptanalysis scheme of AES-256 are proposed. Finally, the paper is concluded in Section 6.

#### 2. Mathematical Model of AES-256

The block length and key length of AES can be specified independently as 128 bits, 192 bits, or 256 bits, and the corresponding round time is 10, 12, or 14. Each round consists of 4 transformations: the* S*-box substitution (ByteSub), ShiftRow, MixColumn, and AddRoundKey. With AES starting from the AddRoundKey, with 13 rounds of iteration, the final round is equal to the round with the MixColumn step removed. AES is an iterated block cipher with a variable block length and a variable key length. In this paper, both the block length and the key length are specified to 256 bits.

##### 2.1. *S*-Box Substitution

The* S*-box transformation is a nonlinear byte substitution, operating on each of the state bytes independently. The* S*-box is invertible and is constructed by the composition of two transformations:(1)Seeking the inverse operation of multiplication in field, that is, input and output , to meetthen(2)Let element components of in be ; the affine transformations are as follows:

The selection of constant “63” is to ensure the* S*-box is not a fixed point and an opposite fixed point .* S*-box has the ability to resist linear attacks and differential attacks [1].

##### 2.2. ShiftRow and MixColumn Transformations

The 4 × 8-byte matrix is obtained by* S*-box substitution, where is the byte in the th row and the th column, , . SR (ShiftRow) shift bytes to the left for the th row of the matrix:

MC (MixColumn) transforms the independent operation of each column for the purpose of causing confusion. Each byte in each column is mapped to the new value; this value is 4 bytes in the column with the function obtained. Transformation is as follows:where

For mathematical convenience, we use a column vector instead of the original matrix to represent intermediate states and keys. The mapping relationship between the elements in column vector and the elements in the original matrix is as follows:

The finite field is denoted as in this paper. Introducing a 0-1 transformation matrix , the SR transform is equivalent to left multiplication by the matrix . There is only one element in each column and each row of the matrix is 1 and all the others are 0. Similarly, by introducing a new transformation matrix , the MC transform is equivalent to left multiplication by the matrix . The construction principle of is , where denotes tensor product and denotes 8-order identity matrix. The composite transformation of the SR transform and the MC transform is denoted as , and then . It is easy to get

Thus, the linear transformation consisting of the SR transform and the MC transform can be expressed as

##### 2.3. AddRoundKey

In this operation, a round key is applied to the state by a simple bitwise EXOR. The round key is derived from the cipher key by means of the key schedule. It can be denoted as , where is the round key.

##### 2.4. Key Schedule Algorithm

Key schedule consists of two modules: key expansion and round key selection. The block length and key length are denoted as and , respectively, and the unit is a 4-byte word. That is, = block length/32 and = key length/32. The number of rounds is denoted by .

For AES-256, , , and . The key expansion of AES-256 is to extend eight 4-byte key words into 90 4-byte words , where is the cipher key. The expansion algorithm is as shown in Algorithm 1.