Advanced Information Technology Convergence 2017View this Special Issue
Research Article | Open Access
Kaixin Zhao, Jie Cui, Zhiqiang Xie, "Algebraic Cryptanalysis Scheme of AES-256 Using Gröbner Basis", Journal of Electrical and Computer Engineering, vol. 2017, Article ID 9828967, 9 pages, 2017. https://doi.org/10.1155/2017/9828967
Algebraic Cryptanalysis Scheme of AES-256 Using Gröbner Basis
The zero-dimensional Gröbner basis construction is a crucial step in Gröbner basis cryptanalysis on AES-256. In this paper, after performing an in-depth study on the linear transformation and the system of multivariate polynomial equations of AES-256, the zero-dimensional Gröbner basis construction method is proposed by choosing suitable term order and variable order. After giving a detailed construction process of the zero-dimensional Gröbner basis, the necessary theoretical proof is presented. Based on this, an algebraic cryptanalysis scheme of AES-256 using Gröbner basis is proposed. Analysis shows that the complexity of our scheme is lower than that of the exhaustive attack.
On October 2, 2000, the Rijndael algorithm, which was designed by Daemen and Rijmen, was determined by the National Institute of Standards and Technology (NIST) for the Advanced Encryption Standard (AES) . It has been of concern to the cryptographic community since the Rijndael algorithm was proposed, and there have been many attack methods. However, there is no successful attack on the full Rijndael algorithm up to now [2, 3].
Cryptanalysis and cryptography not only are mutually antagonistic, but also promote each other. Because of the great advantages of algebraic cryptanalysis technology, it has become a hot research topic in recent years. Algebraic attack is mainly composed of two steps: the first step is to establish a system of algebraic equations to describe the relationship among the plaintext, the ciphertext, and the key in cryptographic algorithm; the second step is to solve the system of equations to obtain the key by some of the known plaintext-ciphertext pairs. The first step has already obtained some research results, and many scholars have proposed many kinds of equation systems of AES algorithm [4, 5]. In the second step, the multivariate equation system is still a problem to be solved. Although solving the multivariate equation system is an NP-hard problem, the complexity of solving a sparse overdetermined system of equations is far lower than that of the NP-hard problem.
At present, the methods of solving the high order multivariate equation system mainly include XL, XSL, and Gröbner basis. Since the algebraic expression of AES algorithm is sparse and structured, it is inefficient to apply XL attacks directly. In 2002, Courtois et al. proposed an XSL attack method and claimed to break the key length of 256-bit AES algorithm in theory. However, the number of linear independent equations generated by XSL attacks in the academic field is disputed, and the validity of the attack is questioned [6, 7]. Gröbner basis is an effective method for solving the high order multivariate equation system, which is proposed by Buchberger. Its essence is to set up a set of arbitrary ideals in polynomial rings, describe and compute a set of generators with good properties, and then study the ideal structure and carry out the ideal computation .
Gröbner basis is a standard representation method of polynomial ideals, which has some useful properties . Gröbner basis exists in any ideal, and the Gröbner basis of any ideal can be computed by the Buchberger algorithm or F4 or F5 algorithm . Lexicographic order is a commonly used elimination order. The coefficient matrix of the basis is triangular when using lexicographical Gröbner basis in the computation, and the last row solves single-variable equations. This is the reason why lexicographical Gröbner basis can solve the equation system. But the direct computation of lexicographic Gröbner basis will produce excessive coefficients.
Common practice is to compute the total degree order Gröbner basis of the ideal firstly and then convert the total degree order Gröbner basis to lexicographical Gröbner basis using Gröbner basis conversion algorithm. Gröbner basis conversion algorithms include the Gröbner Walk  and the FGLM algorithm . Compared with the Gröbner Walk, FGLM algorithm is simple and efficient, but the FGLM algorithm only works for zero-dimensional ideals [9, 10]. Therefore, constructing the zero-dimensional Gröbner basis of AES algorithm is crucial to implement Gröbner basis cryptanalysis. In 2013, the zero-dimensional Gröbner basis construction method of Rijndael-192 was proposed . However, how to construct the zero-dimensional Gröbner basis of AES-256 and how to apply Gröbner basis cryptanalysis to AES-256 are still open questions. In this paper, the authors perform some particular studies on the linear transformation and the system of multivariate polynomial equations of AES-256 and propose its zero-dimensional Gröbner basis construction method through choosing suitable term order and variable order. After presenting the construction method of the Gröbner basis, the authors give the necessary theoretical proof. Moreover, the authors propose an algebraic cryptanalysis of AES-256 using Gröbner basis. Analysis suggests that the complexity of our scheme is lower than the exhaustive attack. The main contributions are given as follows:(1)The zero-dimensional Gröbner basis construction method is proposed by choosing suitable term order and variable order.(2)The necessary theoretical proof is given, and it shows that the set of polynomials is a zero-dimensional Gröbner basis.(3)The effective algebraic cryptanalysis scheme of AES-256 using Gröbner basis is proposed.
The rest of this paper is formed as follows. The mathematical model of AES-256 is shown in Section 2. Section 3 demonstrates the Gröbner basis theory. The equation system of AES-256 is given in Section 4. In Section 5, the Gröbner basis construction method of AES-256 and the algebraic cryptanalysis scheme of AES-256 are proposed. Finally, the paper is concluded in Section 6.
2. Mathematical Model of AES-256
The block length and key length of AES can be specified independently as 128 bits, 192 bits, or 256 bits, and the corresponding round time is 10, 12, or 14. Each round consists of 4 transformations: the S-box substitution (ByteSub), ShiftRow, MixColumn, and AddRoundKey. With AES starting from the AddRoundKey, with 13 rounds of iteration, the final round is equal to the round with the MixColumn step removed. AES is an iterated block cipher with a variable block length and a variable key length. In this paper, both the block length and the key length are specified to 256 bits.
2.1. S-Box Substitution
The S-box transformation is a nonlinear byte substitution, operating on each of the state bytes independently. The S-box is invertible and is constructed by the composition of two transformations:(1)Seeking the inverse operation of multiplication in field, that is, input and output , to meetthen(2)Let element components of in be ; the affine transformations are as follows:
The selection of constant “63” is to ensure the S-box is not a fixed point and an opposite fixed point . S-box has the ability to resist linear attacks and differential attacks .
2.2. ShiftRow and MixColumn Transformations
The 4 × 8-byte matrix is obtained by S-box substitution, where is the byte in the th row and the th column, , . SR (ShiftRow) shift bytes to the left for the th row of the matrix:
MC (MixColumn) transforms the independent operation of each column for the purpose of causing confusion. Each byte in each column is mapped to the new value; this value is 4 bytes in the column with the function obtained. Transformation is as follows:where
For mathematical convenience, we use a column vector instead of the original matrix to represent intermediate states and keys. The mapping relationship between the elements in column vector and the elements in the original matrix is as follows:
The finite field is denoted as in this paper. Introducing a 0-1 transformation matrix , the SR transform is equivalent to left multiplication by the matrix . There is only one element in each column and each row of the matrix is 1 and all the others are 0. Similarly, by introducing a new transformation matrix , the MC transform is equivalent to left multiplication by the matrix . The construction principle of is , where denotes tensor product and denotes 8-order identity matrix. The composite transformation of the SR transform and the MC transform is denoted as , and then . It is easy to get
Thus, the linear transformation consisting of the SR transform and the MC transform can be expressed as
In this operation, a round key is applied to the state by a simple bitwise EXOR. The round key is derived from the cipher key by means of the key schedule. It can be denoted as , where is the round key.
2.4. Key Schedule Algorithm
Key schedule consists of two modules: key expansion and round key selection. The block length and key length are denoted as and , respectively, and the unit is a 4-byte word. That is, = block length/32 and = key length/32. The number of rounds is denoted by .
For AES-256, , , and . The key expansion of AES-256 is to extend eight 4-byte key words into 90 4-byte words , where is the cipher key. The expansion algorithm is as shown in Algorithm 1.
3. Gröbner Basis Theory
Definition 1. Order on a set is called term order, if and only if is a linear order, and satisfies two properties:(1)For all , .(2)For any , if , then .In a term order , the largest element of a polynomial is called the head term of , denoted as .
The set of natural numbers is , and is a given positive integer, and are variables in ring . Let the set of terms beThat is, is the power product set of variables. The degree of term is denoted as . Let ; then, the definitions of three common term orders will be given below.
Definition 2. on lexicographical order, denoted as , is defined as follows.
For , , then let , and , where .
Definition 3. on degree lexicographical order, denoted as , is defined as follows.
For , , then
Definition 4. on degree reverse lexicographical order, denoted as , is defined as follows.
For , , then
Definition 5. Let be a ring and let be one nonzero ideal in , . is called the Gröbner basis of ideal if and only ifThe Gröbner basis of any nonzero ideal can be obtained by using the Buchberger algorithm . In the implementation of the Buchberger algorithm, the Buchberger rule can be used to eliminate unnecessary polynomials [12, 14]. Based on the Buchberger rule, the following conclusions can be obtained.
Theorem 6. Let be a set of polynomials, ; if all elements in are pairwise prime, then is a Gröbner basis.
Proof. See .
A zero-dimensional ideal is an ideal that has a finite number of solutions over the closure of the field. It usually is advantageous to have this property for Gröbner basis computations. By using Corollary 6.56 of , we can determine whether an ideal is zero-dimensional. Below we state a reduced version of this corollary.
Theorem 7. Let be a Gröbner basis of the ideal ; then, if and only if, for any , there exists a polynomial , so that .
4. Equation System of AES-256
Let be a known pair of plaintext and ciphertext in this paper. We call the th element of the output of the AddRoundKey in the th round transformation. We denote by the th element of the th round key. It is easy to see that denotes the cipher key, . The equation system on consists of the following four parts:(1)Initial round (round 0) equations and the cipher equations:(2)The equations of intermediate rounds, that is, the encryption equation of the th round, :(3)The equations of the final round:(4)Key scheduling equations:where is a round constant.
5. Algebraic Cryptanalysis Scheme of AES-256
Definition 8. Denote the finite domain as ; the multivariate polynomial ring on , is defined asTo construct AES-256 Gröbner basis, the multivariate equation system obtained in Section 4 must be improved to meet the requirements of Gröbner basis; that is, the head terms of the polynomial on the left-hand side of the equation are pairwise prime.
5.1. The Gröbner Basis Construction Method of AES-256
The Gröbner basis of AES-256 is constructed as follows.
Step 1. The purpose of this step is to construct the polynomial set of the S-box and the inverse S-box. In this step, we make use of the algebraic expression of the S-box and the inverse S-box.
AES S-box is constructed based on evident mathematical theory, so it can be written in the form of an algebraic expression. The sparse algebraic expression of the S-box in is as follows: The nonsparse algebraic expression of the inverse S-box contains 255 terms. The coefficients of the algebraic expression of AES inverse S-box are shown in Table 1. The abbreviated form of the algebraic expression of AES inverse S-box can be expressed as follows:where is the coefficient of the term with degree .
Step 2. The purpose of this step is to construct the polynomial set of linear transformations (i.e., ShiftRow and MixColumn). In this step, we use the equation system given in Section 4.
By (14), the plaintext equations, that is, the initial round equation system, can be obtained as (21), and the ciphertext equations can be obtained as (22). Hence,Since and have the same degree, the head term of polynomials in (21) is or . If the selected term order is , then the head term of polynomial is , . For (22), the head term of polynomial is , .
It is needed to improve (15) and (16) to meet the requirements of Gröbner basis. From (15), it is easy to get 24 polynomial equations of round as shown inSimilarly, from (16), the 32 polynomial equations of the final round can be obtained as shown inFor degree lexicographical order, the head term of polynomial in (23) and (24) is , , . It is easy to see that the head term has no nontrivial common factor; that is, the greatest common factor is 1.
Step 3. The purpose of this step is to construct the polynomial set of the key schedule algorithm. In this step, we also use the equation system given in Section 4.
In order to get the polynomial Gröbner basis of the whole encryption algorithm, the equation system of the key schedule algorithm needs to be improved. It is easy to deduce (25) from (17). Hence,In order to ensure that the head terms of key schedule polynomials are pairwise prime, applying the inverse S-box transformation to (25) is needed. The transformation results are shown inAccording to the algebraic expression of the inverse S-box, all the equations included in (26) can be obtained. If the selected term order is where , then the set of polynomial head terms of the key schedule equation (26) isIt is easy to see that the elements of the head term set have no nontrivial common factor.
Step 4. The purpose of this step is the reasonable selection of term order and variable order. If we choose a degree lexicographical order over reasonable variable order, we can make the polynomial head terms of the whole encryption algorithm pairwise prime.
The left-hand sides of (21), (22), (23), (24), and (26) constitute a set of polynomials denoted as , and the degree lexicographical order over the following variable order makes the head terms of polynomials in pairwise prime. Hence,After these four steps, the polynomial set in the term order is a Gröbner basis of the ideal in ring . The following will give the relevant properties and their theoretical proof.
5.2. The Properties of AES-256 Gröbner Basis
Gröbner basis is the standard notation of polynomial ideal, and there are two useful properties: (1) given a Gröbner basis of an ideal, it is effective to determine whether a polynomial belongs to the ideal; (2) for reasonable term order, the ideal type can be calculated effectively, and the polynomial equation systems deduced from these ideals can be solved. The polynomial set contains 720 polynomials, where 384 polynomials are with the degree 254 and 336 are linear polynomials that contain 720 variables . For polynomial set , there are the following conclusions.
Theorem 9. The set of polynomials is a Gröbner basis relative to degree lexicographical order .
Proof. Relative to the term order , the head term set of polynomials in (21) is , the head term set of polynomials in (22) is , the head term set of polynomials in (23) and (24) is , and the head term set of polynomials in (26) is , so the head term set of polynomials is . Since, , elements in are pairwise prime. According to Theorem 6, it can be obtained that the set of polynomials is a Gröbner basis relative to term order .
Theorem 9 indicates that the set of polynomials is a Gröbner basis of ideal in ring . This provides the possibility of carrying out the ideal calculation of AES-256.
Theorem 10. The ideal generated by Gröbner basis of AES-256 is zero-dimensional.
Proof. The variable set of the AES-256 equation system is , so the number of variables is . It can be seen from the proof process of Theorem 9 that the head term set of polynomials set is . , there exists satisfying ; that is, all variables are in the form of a certain number of times in . Based on this, for any variable , there exists a polynomial , so that . According to Theorem 7, it is obvious that ; that is, the ideal generated by the Gröbner basis is zero-dimensional.
Theorem 10 points out that the Gröbner basis constructed by this paper is zero-dimensional. Due to the term order conversion algorithm FGLM can convert any term order Gröbner basis of zero-dimensional ideal into lexicographical Gröbner basis, so the FGLM algorithm can convert degree lexicographical Gröbner basis into lexicographical Gröbner basis. The construction of zero-dimensional Gröbner basis is helpful to simplify Gröbner basis calculation, which makes it possible to reduce the complexity of solving multivariate equation system.
5.3. The Algebraic Cryptanalysis Scheme and Its Complexity
The algebraic cryptanalysis algorithm of AES-256 is shown in Algorithm 2.
The maximum degree when computing the Gröbner basis is no more than , where is the number of the unknown variables in the equation system, so the upper bound of complexity of computing Gröbner basis is . Since the upper bound of the complexity of our scheme depends on the complexity of the Gröbner basis computation, the upper bound of the complexity of our scheme is . It can be seen from  that the complexity of exhaustively solving the equation system is . It is obvious that the complexity of our scheme is less than the complexity of exhaustive attack, which indicates that our scheme is a successful attack scheme. Moreover, taking into account the sparse and overdefined features of AES-256 equation system, the actual complexity will be far less than the exhaustive attack.
Not all equations are always true in the equation system. For an S-box, there is an equation whose true probability is 255/256. For the full AES-256, the true probability of this kind of equation is 1/9. It needs 9 plaintext and ciphertext pairs to conduct computation 9 times in Step 3, and the equation system will have a finite set of solutions.
Based on the characteristics of the round transformation in AES-256, the ShiftRow and MixColumn transformations are merged into left multiplication by a matrix , making it in the form of linear transformation. In further research on AES-256, the linear transformation and multivariate equation system of AES-256 are further studied. The Gröbner basis is proposed and constructed by choosing reasonable term order and variable order. At the same time, we point out and prove that the Gröbner basis is zero-dimensional. Based on this, the Gröbner basis attack scheme is proposed, and the attack complexity is far lower than the brute force attack. Taking into account the fact that the complexity of our scheme is very high, our research results have a theoretical value. However, the discovery of the zero-dimensional Gröbner basis of AES-256 has guiding significance for further study on efficient Gröbner based attack scheme. The complexity of FGLM and the effectiveness of Gröbner basis attack still need to be further studied.
The authors declare that they have no competing interests.
This work was supported by the National Natural Science Foundation of China (no. 61502008), the Key Scientific Research Project of Henan Higher Education (no. 16A520084), the Natural Science Foundation of Anhui Province (no. 1508085QF132), and the Doctoral Research Start-Up Funds Project of Anhui University.
- J. Daemen and V. Rijmen, The Design of Rijndael: AES—The Advanced Encryption Standard, Springer Science & Business Media, 2013.
- A. Hashemi and D. Lazard, “Sharper complexity bounds for zero-dimensional Gröbner bases and polynomial system solving,” International Journal of Algebra and Computation, vol. 21, no. 5, pp. 703–713, 2011.
- M. Bardet, J.-C. Faugère, and B. Salvy, “On the complexity of the F5 Gröbner basis algorithm,” Journal of Symbolic Computation, vol. 70, pp. 49–70, 2015.
- A. Bogdanov and V. Rijmen, “Linear hulls with correlation zero and linear cryptanalysis of block ciphers,” Designs, Codes and Cryptography, vol. 70, no. 3, pp. 369–383, 2014.
- Y. Sasaki, “Known-key attacks on rijndael with large blocks and strengthening shiftrow parameter,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 95, no. 1, pp. 21–28, 2012.
- C. Cid and G. Leurent, “An Analysis of the XSL Algorithm,” in Advances in cryptology—ASIACRYPT 2005, vol. 3788 of Lecture Notes in Comput. Sci., pp. 333–352, Springer, Berlin, Germany, 2005.
- S. Murphy and M. Robshaw, “Comments on the security of the AES and the XSL technique,” Electronic Letters, vol. 39, no. 1, pp. 36–38, 2003.
- J. Buchmann, A. Pyshkin, and R.-P. Weinmann, “A zero-dimensional Gröbner basis for AES-128,” Lecture Notes in Computer Science, vol. 4047, pp. 78–88, 2006.
- S. Ghosh and A. Das, “An improvement of linearization-based algebraic attacks,” in Security Aspects in Information Technology, vol. 7011 of Lecture Notes in Computer Science, pp. 157–167, Springer, 2011.
- M. R. Z'Aba, K. Wong, E. Dawson, and L. Simpson, “Algebraic analysis of small scale LEX-BES,” in Proceedings of the 2nd International Cryptology Conference: Curve is an Art, Cryptology is a Science (Cryptology '10), pp. 77–82, Universiti Teknikal Malaysia Melaka, Melaka, Malaysia, July 2010.
- J. Cui, L. Huang, H. Zhong, and W. Yang, “Algebraic attack on Rijndael-192 based on Grobner basis,” Acta Electronica Sinica, vol. 41, no. 5, pp. 833–839, 2013.
- S. N. Ahmad and N. Aris, “The Gröbner package in Maple and computer algebra system for solving multivariate polynomial equations,” Academic Journal UiTM Johor, vol. 10, pp. 156–174, 2011.
- M. Bardet, J. C. Faugere, and B. Salvy, “On the complexity of the F5 Gröbner basis algorithm,” Journal of Symbolic Computation, vol. 70, pp. 49–70, 2015.
- V. Gerdt and R. La Scala, “Noetherian quotients of the algebra of partial difference polynomials and Gröbner bases of symmetric ideals,” Journal of Algebra, vol. 423, pp. 1233–1261, 2015.
- J. Buchmann, A. Pyshkin, and R.-P. Weinmann, “Block ciphers sensitive to Gröbner basis attacks,” in Topics in Cryptology—CT-RSA 2006, vol. 3860 of Lecture Notes in Comput. Sci., pp. 313–331, Springer, Berlin, Germany, 2006.
- D.-M. Li, J.-W. Liu, and W.-J. Liu, “W-Gröbner basis and monomial ideals under polynomial composition,” Applied Mathematics A, vol. 26, no. 3, pp. 287–294, 2011.
- J.-C. Faugère and A. Joux, “Algebraic cryptanalysis of Hidden Field Equation (HFE) cryptosystems using Gröbner bases,” in Proceedings of the Annual International Cryptology Conference (CRYPTO '03), vol. 2729 of Lecture Notes in Computer Science LNCS, pp. 44–60, Springer, Santa Barbara, Calif, USA, 2003.
Copyright © 2017 Kaixin Zhao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.