# Nicolas Courtois, University College London | UCL · Department of Computer Science

Nicolas Courtois

PhD

## About

150 Publications

72,828 Reads


8,246 Citations

Additional affiliations

September 2006 - present

## Publications

Publications (150)

This paper provides an overview of how crypto currency and blockchain engineering interacts with law enforcement. We point out that a large proportion of crypto users are amateur investors and that the dominant and largest segment of crypto crime is simply investment scams (!). We look at various questions of criminal use and misuse of technolo...

Differential cryptanalysis is one of the oldest attacks on block ciphers. Can anything new be discovered on this topic? A related question is that of backdoors and hidden properties. There is a substantial amount of research on how Boolean functions affect the security of ciphers, and comparatively little research on how block cipher wiring can be...

There are numerous results on nonlinear invariant attacks on T-310. In all such attacks found so far, both the Boolean functions and the cipher wiring were contrived and chosen by the attacker. In this article, we show how to construct an invariant attack with the original Boolean function that was used to encrypt government communications in the 1...

Cryptographic attacks are typically constructed by black-box methods and combinations of simpler properties, for example in [Generalised] Linear Cryptanalysis. In this article, we work with a more recent white-box algebraic-constructive methodology. Polynomial invariant attacks on a block cipher are constructed explicitly through the study of the s...

A major open problem in block cipher cryptanalysis is discovery of new invariant properties of complex type. Recent papers show that this can be achieved for SCREAM, Midori64, MANTIS-4, T-310 or for DES with modified S-boxes. Until now such attacks are hard to find and seem to happen by some sort of incredible coincidence. In this paper we abstract...

Block ciphers have been in widespread use since the 1970s. Their iterated structure is prone to numerous round invariant attacks, for example in Linear Cryptanalysis (LC). The next step is to look at non-linear polynomial invariants, cf. Eurocrypt'95. Until recently, researchers had found extremely few such attacks, with some impossibility results. Eventu...

One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties for block ciphers. In this article, we study nonlinear polynomial invariant attacks. The number of such attacks grows as 2^(2^n) and systematic exploration is not possible. The main question is HOW do we find such attacks? We have develop...

T-310 is an important Cold War cipher. The cipher is extremely complex and it outputs extremely few bits from the internal state. A recent paper [Courtois, N. T.: Decryption oracle slide attacks on T-310, Cryptologia, 42 (2018), no. 3, 191–204] shows an example of a highly anomalous key such that T-310 can be broken by a slide attack with a decrypt...

Linear (or differential) cryptanalysis may seem a dull topic for a mathematician: they are about super simple invariants characterized by, say, a word on n=64 bits with very few bits at 1; the space of possible attacks is small, and the basic principles are trivial. In contrast, mathematics offers an infinitely rich world of possibilities. If so, why is th...

T-310 is an important Cold War cipher (Cryptologia 2006). In a recent article (Cryptologia 2018), researchers show that, in spite of specifying numerous very technical requirements, the designers do not protect the cipher against linear cryptanalysis and some 3% of the keys are very weak. However, such a weakness does not necessarily allow breaking...

One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties which can hold for a larger number of rounds of a block cipher. We have Generalised Linear Cryptanalysis (GLC) and Partitioning Cryptanalysis (PC). Due to double-exponential combinatorial explosion of the number of possible invarian...

Distributed ledger and blockchain systems are expected to make financial systems easier to audit, reduce counter-party risk and transfer assets seamlessly. The key concept is a token controlled by a cryptographic private key for spending, and represented by a public key for receiving and audit purposes. Ownership transfers are authorized with digit...

Linear cryptanalysis (LC) is an important codebreaking method that became popular in the 1990s and has roots in the earlier research of Shamir in the 1980s. In this article we show evidence that linear cryptanalysis is even older. According to documents from the former East Germany cipher authority ZCO, the systematic study of linear characteristic...

The use of blockchains is growing every day, and their utility has greatly expanded from sending and receiving crypto-coins to smart-contracts and decentralized autonomous organizations. Modern blockchains underpin a variety of applications: from designing a global identity to improving satellite connectivity. In our research we look at the ability...

Feistel ciphers (balanced and unbalanced) represent the most popular symmetric cipher type in modern cryptography. The invention of Feistel ciphers is usually credited to IBM’s Horst Feistel, who co-created the first publicly known encryption algorithm of this type, Lucifer, in the early 1970s. In this publication, the authors will show that Feiste...

T-310 is an important Cold War cipher (Schmeh, K. 2006. The East German encryption machine T-310 and the algorithm it used. Cryptologia, 30(3):251–257). It was the principal encryption algorithm used to protect various state communication lines in Eastern Germany in the 1980s. The cipher is qui...

T-310 is an important Cold War cipher (Schmeh, K. 2006. The East German encryption machine T-310 and the algorithm it used. Cryptologia 30(3):251–257). It was the principal encryption algorithm used to protect various state communication lines in Eastern Germany throughout the 1980s. The ciphe...

In this paper we study the Rowhammer side-channel attack and evaluate its feasibility in practical exploitation scenarios on Linux. Currently, all the released implementations capable of performing the Rowhammer attack require elevated privileges. This is a very strong requirement which, in a sense, puts this attack into the theoretical spectrum. T...

Algebraic Cryptanalysis [45] is concerned with solving particular systems of multivariate non-linear equations which occur in cryptanalysis. Many different methods for solving such problems have been proposed in the cryptanalytic literature: the XL and XSL methods, Gröbner bases, SAT solvers, as well as many others. In this paper we survey these methods a...

Bitcoin is an open source payment system with a market capitalization of about 15 G$. Over the years several key management solutions have been proposed to enhance bitcoin. The common characteristic of these techniques is that they allow one to derive public keys independently of the private keys, and that these keys match. In this paper we overview...

In this paper, we study and give the first detailed benchmarks on existing implementations of the secp256k1 elliptic curve used by at least hundreds of thousands of users in Bitcoin and other cryptocurrencies. Our implementation improves the state of the art by a factor of 2.5 with a focus on the cases, where side channel attacks are not a concern...

Bitcoin has a number of features and properties which are sometimes presented as interesting and positive. In fact they are closer to engineering mistakes. Serious problems are programmed into the DNA (the source code) of the great majority of crypto currencies. Small details in the source code can make a very big difference. In this chapter seven major ‘s...

Distinguishing distributions is a major part of the cryptanalysis of symmetric block ciphers. The goal of the cryptanalyst is to distinguish two distributions: one that characterizes the number of certain events which occur totally at random, and another one that characterizes the same type of events but due to propagation inside the cipher. This can be...

There are two major families in cryptanalytic attacks on symmetric ciphers: statistical attacks and algebraic attacks. In this position paper we argue that algebraic cryptanalysis has not yet been developed properly due to the weakness of the theory which has substantial difficulty to prove most basic results on the number of linearly independent e...

GOST 28147-89 is a well-known block cipher. Its large key size of 256 bits and incredibly low implementation cost make it a plausible alternative for AES-256 and triple DES. Until 2010, “despite considerable cryptanalytic efforts spent in the past 20 years”, GOST was not broken, see [30]. Accordingly, in 2010 GOST was submitted to ISO 18033 to become...

The GOST block cipher, defined in the GOST 28147-89 standard, is a well-known 256-bit symmetric cipher that operates on 64-bit blocks. The 256-bit level of security can be increased even further by keeping the specifications of the S-boxes secret. GOST is implemented in many standard libraries such as OpenSSL and it has extremely low implementation cost and...

Differential Cryptanalysis (DC) is one of the oldest known attacks on block ciphers. DC is based on tracking of changes in the differences between two messages as they pass through the consecutive rounds of encryption. However DC remains very poorly understood. In his textbook written in the late 1990s Schneier wrote that against differential crypt...

In this article the author revisits the oldest attack on GOST known, the Kara Reflection attack, and another totally unrelated truncated differential attack by Courtois and Misztal. It is hard to imagine that there could be any relationship between two so remote attacks which have nothing in common. However, there is one: Very surprisingly, both pr...

GOST is a well-known Russian government standard block cipher which was submitted to ISO in 2010 to become an international standard. A number of advanced differential attacks on GOST have been proposed including the best known single-key attack on GOST to date in 2^179 [14]. This attack, however, was designed for the oldest known set of GOST S-boxe...

Lightweight cryptography is a rapidly evolving area of research and it has great impact especially on the new computing environment called the Internet of Things (IoT) or the Smart Object networks (Holler et al., 2014), where lots of constrained devices are connected on the Internet and exchange information on a daily basis. Every year there are ma...

GOST is a well-known Russian encryption standard. Until 2010, no researcher found a single-key attack on GOST. In 2010, GOST was submitted to ISO 18033 to become a worldwide industrial encryption standard. Since 2011, many attacks on GOST faster than brute force have been found [3, 4, 5, 10, 12]. By default, GOST has 256-bit keys. However, in many a...

Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography. It implements a particular type of peer-to-peer payment system. Bitcoin depends on well-known cryptographic standards such as SHA-256. In this paper we revisit the cryptographic process which allows one to make money by producing new bitcoins. We reform...

Could Bitcoin Transactions Be 100x Faster? Decentralized Markets. In theory bitcoin has nothing to do with stock markets? On second thoughts: markets are decentralized, especially in the United States. Bitcoin is a decentralized peer to peer currency and payment system. The secu...

In this paper we revisit some major orthodoxies which lie at the heart of the bitcoin crypto currency and its numerous clones. In particular we look at The Longest Chain Rule, the monetary supply policies and the exact mechanisms which implement them. We claim that these built-in properties are not as brilliant as they are sometimes claimed. A clos...

Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography. The Bitcoin economy grows at an incredibly fast rate and is now worth some 10 billion dollars. Bitcoin mining is an activity which consists of creating (minting) the new coins which are later put into circulation. Miners spend electricity on solving cry...

Recently, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes (Beaulieu et al., 2013). They are designed to offer excellent performance for hardware and software implementations (Beaulieu et al., 2013; Aysu et al., 2014). In this paper, we study the resistance of SIMON-64/12...

Bitcoin is a crypto currency, a distributed peer-to-peer financial system. Well, actually it is an electronic system which manages the provisional ownership of a strictly fixed supply of abstract fungible units, which really works as a distributed property register or a digital notary service. This is not so different from managing the ownership of...

GOST 28147-89 is a well-known 256-bit block cipher. In 2010 GOST was submitted to ISO, to become an international standard. Then many academic attacks which allow one to break full GOST faster than brute force have been found. The fastest known single-key attack on GOST for 2^64 of data is 2^179 of [the author, “An improved differential attack on full GO...

Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography which has recently gained excessive popularity. Scientific research on bitcoin is less abundant. A paper at the Financial Cryptography 2012 conference explains that it is a system which "uses no fancy cryptography", and is "by no means perfect". It depends o...

In this paper we study the randomness of some random numbers found in real-life smart card products. We have studied a number of symmetric keys, codes and random nonces in the most prominent contactless smart cards used in buildings, small payments and public transportation used by hundreds of millions of people every day. Furthermore we investigat...

GOST is a well-known Russian government block cipher. Until 2010, there was no attack on GOST used in encryption, cf. [9]. More recently, quite a few distinct key recovery attacks on full GOST have been found: [1-4, 6, 7]. Most of these attacks work by so-called “complexity reduction” [1]; they reduce the problem of breaking the full 32-round GOST...

GOST 28147-89 is a well-known block cipher with 256-bit keys. Its excessively low implementation cost makes it a plausible alternative for major industrial cryptographic algorithms such as 3-DES and AES-256. In 2010, GOST was submitted to ISO to become a part of the international encryption standard ISO/IEC 18033-3. This stimulated intense research...

GOST is a well-known block cipher implemented in standard libraries such as OpenSSL, it has extremely low implementation cost and nothing seemed to threaten its high 256-bit security [CHES 2010]. In 2010 it was submitted to ISO to become a worldwide industrial standard. Then many new attacks on GOST have been found in particular some advanced diffe...

In this paper we look at the security of two block ciphers which were both claimed in the published literature to be secure against differential crypt-analysis (DC). However, a more careful examination shows that none of these ciphers is very secure against... differential cryptanalysis, in particular if we consider attacks with sets of differentia...

GOST is a well-known government standard cipher. Since 2011 several academic attacks on GOST have been found. Most of these attacks start by a so called “Complexity Reduction” step [Courtois Cryptologia 2012] the purpose of which is to reduce the problem of breaking the full 32-round GOST to a low-data complexity attack on a reduced-round GOST. The...

ElimLin is a simple algorithm for solving polynomial systems of multivariate equations over small finite fields. It was initially proposed as a single tool by Courtois to attack DES. It can reveal some hidden linear equations existing in the ideal generated by the system. We report a number of key theorems on ElimLin. Our main result is to characte...

GOST 28147-89 is a well-known 256-bit block cipher that is a plausible alternative for AES-256 and triple DES, which, however, has a much lower implementation cost. GOST is implemented in standard crypto libraries, such as OpenSSL and Crypto++, and is increasingly popular and is used also outside of its country of origin and on the Internet. In 201...

KeeLoq is a lightweight block cipher which is extensively used in the automotive industry [7,8,14,15]. Its periodic structure and overall simplicity make it vulnerable to many different attacks. Only certain attacks are considered as really “practical” attacks on KeeLoq: the brute force, and several other attacks which require up to 2^16 known pla...

KeeLoq is a lightweight cipher that is widely used in car locks. The fastest known attack on KeeLoq is a Slide-Determine attack by Bard, Courtois and Wagner with a complexity of 2^28 KeeLoq computations [11]. However this attack requires the knowledge of the whole code-book of 2^32 known plaintexts, which is totally unrealistic. The first attack on K...

RSA cryptosystem (Rivest et al., 1978) is the most widely deployed public-key cryptosystem for both encryption and digital signatures. Since its invention, lots of cryptanalytic efforts have been made which helped us to improve it, especially in the area of key selection. The security of RSA relies on the computational hardness of factoring large i...

GOST 28147-89 is a well-known block cipher and the official encryption standard of the Russian Federation. A 256-bit block cipher considered as an alternative for AES-256 and triple DES, having an amazingly low implementation cost and thus increasingly popular and used [12,15,13,20]. Until 2010 researchers have written that: “despite considerable c...

Secure and reliable authentication is an essential prerequisite for many online systems, yet achieving this in a way which is acceptable to customers remains a challenge. GrIDsure, a one-time PIN scheme using random grids and personal patterns, has been proposed as a way to overcome some of these challenges. We present an analytical study which dem...

One of the most famous conjectures in computer algebra is that matrix multiplication might be feasible in not much more than quadratic time. The best known exponent is 2.376, due to Coppersmith and Winograd. Many attempts to solve this problem in the literature work by solving fixed-size problems and then applying the solution recursively. This lead...

One of the hardest problems in computer science is the problem of gate-efficient implementation. Such optimizations are particularly important in industrial hardware implementations of standard cryptographic algorithms [13, 17, 7, 22]. In this paper we focus on optimizing some small circuits such as S-boxes in cryptographic algorithms. We consider...

The GOST hash function and more precisely GOST 34.11-94 is a cryptographic hash function and the official government standard of the Russian Federation. It is a key component in the national Russian digital signature standard. The GOST hash function is a 256-bit iterated hash function with an additional checksum computed over all input message bloc...

KeeLoq is a lightweight block cipher which is extensively used in the automotive industry. Its periodic structure and overall simplicity make it vulnerable to many different attacks. Only certain attacks are considered as really "practical" attacks on KeeLoq: the brute force, and several other attacks which require up to 2^16 known plaintexts and...

Decim-128 is the adaptation example to 128-bit-security of the eSTREAM candidate Decim v2, whose aim is to prove that the Decim v2 design can easily be adapted to different security parameters. This erratum is submitted in order to correct an error in the tap sequence of the filtering function in Decim-128 specifications. 1 Erratum to the Decim-128...

This paper presents the first results on AIDA/cube, algebraic and side-channel attacks on variable number of rounds of all members of the KATAN family of block ciphers. Our cube attacks reach 60, 40 and 30 rounds of KATAN32, KATAN48 and KATAN64, respectively. In our algebraic attacks, we use SAT solvers as a tool to solve the quadratic equations re...

Presentation given at eSmart 2010. -Fault attacks on inner rounds of DES with protected implementation - How to adapt (recent) algebraic attacks DES with too few faulty ciphertexts - A new DFA attack on inner rounds faster than brute force.

Hitag2 is a stream cipher that is widely used in RFID car locks in the automobile industry. It can be seen as a (much) more secure version of the [in]famous Crypto-1 cipher that is used in MiFare Classic RFID products [14,20,15]. Recently, a specification of Hitag2 was circulated on the Internet [29]. Is this cipher secure w.r.t. the recent algebra...

A block cipher is intended to be computationally indistinguishable from a random permutation of appropriate domain and range. But what are the properties of a random permutation? With the aid of exponential and ordinary generating functions, we derive a series of corollaries of interest to the cryptographic community. These follow from the Strong Cyc...

MiFare Classic is the most popular contactless smart card with about 200 million copies in circulation worldwide. At Esorics 2008 Dutch researchers showed that the underlying cipher Crypto-1 can be cracked in as little as 0.1 seconds if the attacker can access or eavesdrop on the RF communications with the (genuine) reader. We discovered that a MiF...

Talk given at eSmart 2010. How to attack the Hitag2 cipher in RFID transponders.

Sosemanuk is a new synchronous software-oriented stream cipher, corresponding to Profile 1 of the ECRYPT call for stream cipher primitives. Its key length is variable between 128 and 256 bits. It accommodates a 128-bit initial value. Any key length is claimed to achieve 128-bit security. The Sosemanuk cipher uses both some basic design principles...

In this paper we analyse the algebraic properties over the field GF(2) of the addition modulo 2^n. We look at implicit quadratic equations describing this operation, and at probabilistic conditional linear equations. We show that the addition modulo 2^n can be partly or totally linearized when the output is fixed, and this for a large family of outp...

In this paper, we present Decimv2, a hardware-oriented stream cipher selected for phase 3 of the ECRYPT stream cipher project eSTREAM. As required by the initial call for hardware-oriented stream cipher contributions, Decimv2 manages 80-bit secret keys and 64-bit public initialization vectors. The design of Decimv2 combines two filtering mechan...

Disclaimer: this paper is an early announcement of research in progress. MiFare Crypto 1 is a lightweight stream cipher used in London's Oyster card, the Netherlands' OV-Chipcard, Boston's CharlieCard in the US, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm...

KeeLoq is a lightweight block cipher that is massively used in the automobile industry [12, 13, 31, 32]. KeeLoq has two remarkable properties: it is periodic and has a very short block size (32 bits). Many different attacks on KeeLoq have been published in recent years [8, 15, 9, 10, 5]. In this paper we study a unique way of attacking KeeLoq, in w...

In this paper we study algebraic attacks on block ciphers that exploit several (i.e. more than 2) plaintext-ciphertext pairs. We show that this considerably lowers the maximum degree of polynomials that appear in the attack, which allows much faster attacks, some of which can actually be handled experimentally. We point out a theoretical reason why...

The cipher CTC (Courtois Toy Cipher) described in (4) has been designed to demonstrate that it is possible to break on a PC a block cipher with good diffusion and a very small number of known (or chosen) plaintexts. It has however never been designed to withstand all known attacks on block ciphers, and Dunkelman and Keller have shown (13) that a few bit...

KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc [8,9,33,34]. KeeLoq is inexpensive to implement and economical in gate count, yet according to Microchip [33] it should have “a level of security comparable to DES”. In...

The computational hardness of solving large systems of sparse and low-degree multivariate equations is a necessary condition for the security of most modern symmetric cryptographic schemes. Notably, most cryptosystems can be implemented with inexpensive hardware and have low gate counts, resulting in a sparse system of equations, which in turn r...

In spite of growing importance of the Advanced Encryption Standard (AES), the Data Encryption Standard (DES) is by no means obsolete. DES has never been broken from the practical point of view. The variant "triple DES" is believed very secure, is widely used, especially in the financial sector, and should remain so for many many years to come. In a...

In my talk I overview the area of algebraic attacks on block ciphers, explain what fast algebraic attacks on block ciphers are, and what results can already be achieved. This covers a vast amount of work (several papers, most of them not published) that I cannot include here in totality due to the lack of space.

In this paper we are interested in algebraic immunity of several well known highly-nonlinear vectorial Boolean functions (or S-boxes), designed for block and stream ciphers. Unfortunately, ciphers that use such S-boxes may still be vulnerable to so called “algebraic attacks” proposed recently by Courtois, Pieprzyk, Meier, Armknecht, et al. These at...

Decim is a hardware oriented stream cipher with 80-bit key and 64-bit IV which was submitted to the ECRYPT stream cipher project. The design of Decim is based on both a nonlinear filter LFSR and an irregular decimation mechanism called the ABSG. As a consequence, Decim is of low hardware complexity. Recently, Hongjun Wu and Bart Preneel pointed out...

The central question in constructing a secure and efficient masking method for AES is to address the interaction between additive masking and the inverse S-box of Rijndael. All recently proposed methods to protect AES against power attacks try to avoid this problem and work by decomposing the inverse in terms of simpler operations that are more easi...

Sfinks is an LFSR-based stream cipher submitted to the ECRYPT call for stream ciphers by Braeken, Lano, Preneel et al. The designers of Sfinks do not include any protection against algebraic attacks. They rely on the so called "Algebraic Immunity", which relates to the complexity of a simple algebraic attack and ignores other algebraic attacks. As a...

Algebraic attacks on stream ciphers apply (at least theoretically) to all LFSR-based stream ciphers that are clocked in a simple and/or easily predictable way. One interesting approach to help resist such attacks is to add a component that de-synchronizes the output bits of the cipher from the clock of the LFSR. The Bit-search generator, recently p...

In about every book about cryptography, we learn that the plaintext complexity of differential cryptanalysis on DES is 2^47, as reported by Biham and Shamir in (2). Yet few people realise that in a typical setting this estimation is not exact and too optimistic. In this note we show that the two "best" differentials

This paper is about the design of multivariate public key schemes, as well as block and stream ciphers, in relation to recent attacks that exploit various types of multivariate algebraic relations. We survey these attacks focusing on their common fundamental principles and on how to avoid them. From this we derive new very general design criteria,...