Paper 2007/152

CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited

Nicolas T. Courtois


The cipher CTC (Courtois Toy Cipher) has been designed to demonstrate that it is possible to break on a PC a block cipher with good diffusion and very small number of known (or chosen) plaintexts. It has however never been designed to withstand all known attacks on block ciphers and Dunkelman and Keller have shown that a few bits of the key can be recovered by Linear Cryptanalysis (LC) - which cannot however compromise the security of a large key. This weakness can easily be avoided: in this paper we give a specification of CTC2, a tweaked version of CTC. The new cipher is MUCH more secure than CTC against LC and the key scheduling of CTC has been extended to use any key size, independently from the block size. Otherwise, there is little difference between CTC and CTC2. We will show that up to 10 rounds of CTC2 can be broken by simple algebraic attacks.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
block cipherstoy ciphersalgebraic attacksSAT solversElimLinGröbner basesexperimental cryptanalysis of block ciphers
Contact author(s)
courtois @ minrank org
2007-05-08: revised
2007-04-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nicolas T.  Courtois},
      title = {CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited},
      howpublished = {Cryptology ePrint Archive, Paper 2007/152},
      year = {2007},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.