**How Fast can be Algebraic Attacks on Block Ciphers ?**

*Nicolas T. Courtois*

**Abstract: **In this paper we give a specification of a new block cipher
that can be called the Courtois Toy Cipher (CTC).
It is quite simple, and yet very much like any other known block cipher. If the parameters are large enough, it should evidently be
secure against all known attack methods.
However, we are not proposing a new method for encrypting sensitive data, but rather a research tool that should allow us (and other researchers) to experiment with algebraic attacks on block ciphers
and obtain interesting results using a PC with reasonable quantity of RAM. For this reason the S-box of this cipher has only 3-bits,
which is quite small.
Ciphers with very small S-boxes are believed quite secure,
for example the Serpent S-box has only 4 bits,
and in DES all the S-boxes have 4 output bits.
The AES S-box is not quite as small but can be described
(in many ways) by a very small systems of equations
with only a few monomials (and this fact can also be exploited in algebraic cryptanalysis).
We believe that results on algebraic cryptanalysis of this cipher
will have very deep implications for the security of ciphers in general.

**Category / Keywords: **secret-key cryptography / algebraic cryptanalysis, AES, Serpent, solving systems of sparse multivariate polynomial equations.

**Date: **received 13 May 2006, last revised 18 May 2006

**Contact author: **courtois at minrank org

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

**Note: **Work in progress. To summarize the main results: it is the first time in the history, that a block cipher with no special algebraic structure and with a (very) large number of S-boxes
is being broken in practice by an algebraic attack.

**Version: **20060518:092545 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]