Int. J. Inf. Secur. (2010) 9:127–135
DOI 10.1007/s10207-009-0099-9

REGULAR CONTRIBUTION

Counting equations in algebraic attacks on block ciphers

Lars R. Knudsen · Charlotte V. Miolane

L. R. Knudsen (✉) · C. V. Miolane
Department of Mathematics, Technical University of Denmark, Kgs. Lyngby, Denmark
e-mail: lars.r.knudsen@mat.dtu.dk

Published online: 15 December 2009
© Springer-Verlag 2009

Abstract This paper is about counting linearly independent equations for so-called algebraic attacks on block ciphers. The basic idea behind many of these approaches, e.g., XL, is to generate a large set of equations from an initial set of equations by multiplication of existing equations by the variables in the system. One of the most difficult tasks is to determine the exact number of linearly independent equations one obtains in the attacks. In this paper, it is shown that by splitting the equations defined over a block cipher (an SP-network) into two sets, one can determine the exact number of linearly independent equations of a certain degree which can be generated in algebraic attacks within each of these sets. While this does not give us a direct formula for the success of algebraic attacks on block ciphers, it gives some interesting bounds on the number of equations one can obtain from a given block cipher. Our results are applied to the AES and to a variant of the AES, and the exact numbers of linearly independent equations in the two sets that one can generate by multiplication of an initial set of equations are given. Our results also indicate, in a novel way, that the AES is not vulnerable to the algebraic attacks as defined here.

Keywords Cryptology · Block ciphers · Algebraic attacks · XL · AES

1 Introduction

In recent years, so-called algebraic attacks on symmetric-key ciphers have received much attention. These attacks have already had great impact in the area of stream ciphers due to the discovery of powerful attacks on certain ciphers [5].
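The counting question posed in the abstract can be tried at toy scale. The following Python code is an added example, not code from the paper: the three-variable system and the names `times`, `gf2_rank` and `xl_count` are constructed for illustration, and monomials are reduced with x_i^2 = x_i, an assumption made here for arithmetic over GF(2).

```python
from itertools import combinations
from math import comb

# A polynomial over GF(2) with x_i^2 = x_i is a set of monomials; a monomial is
# a frozenset of variable indices, and frozenset() is the constant 1.
ONE = frozenset()

def times(poly, m):
    """Multiply poly by monomial m; equal terms cancel in characteristic 2."""
    out = set()
    for t in poly:
        out ^= {t | m}
    return frozenset(out)

def gf2_rank(rows):
    """Rank over GF(2) of rows encoded as integer bitmasks."""
    basis = {}                                  # leading bit -> reduced row
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top not in basis:
                basis[top] = r
                break
            r ^= basis[top]
    return len(basis)

def xl_count(system, n, D):
    """Return (generated, independent, unknowns) when multiplying up to degree D."""
    generated = [times(f, frozenset(m))
                 for f in system
                 for k in range(D - max(len(t) for t in f) + 1)
                 for m in combinations(range(n), k)]
    col = {}                                    # monomial -> column (linearization)
    rows = [sum(1 << col.setdefault(t, len(col)) for t in p) for p in generated]
    # Unknowns after linearization: all non-constant monomials of degree <= D.
    unknowns = sum(comb(n, k) for k in range(1, min(D, n) + 1))
    return len(generated), gf2_rank(rows), unknowns

# Constructed toy system in x0, x1, x2 with the single solution (1, 0, 1):
#   x0*x1 + x2 + 1 = 0,   x1*x2 + x0 + 1 = 0,   x0*x2 + 1 = 0
SYSTEM = [frozenset({frozenset({0, 1}), frozenset({2}), ONE}),
          frozenset({frozenset({1, 2}), frozenset({0}), ONE}),
          frozenset({frozenset({0, 2}), ONE})]

if __name__ == "__main__":
    for D in (2, 3, 5):
        g, r, u = xl_count(SYSTEM, 3, D)
        print(f"D={D}: generated={g} independent={r} unknown monomials={u}")
```

At D = 3 the 12 generated equations have rank 7, equal to the 7 non-constant monomials, so linearization succeeds while 5 of the generated equations are redundant. Raising D to 5 doubles the generated set to 24 without adding a single independent equation, which is why the raw count of generated equations says little about the rank.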
The attacks can in principle be applied to (iterated) block ciphers, but most results until now suggest that this does not lead to very effective attacks.

Although it is possible to establish a set of low-degree equations in the secret key (bits) for many block ciphers, solving these equations efficiently is far from trivial. It is well known that Buchberger's algorithm can be used to do this [2]; however, the exact complexity is unknown, and it seems that the memory requirement is the main obstacle in this approach on block ciphers [4]. In the XL method, one multiplies all equations in the set up to some predetermined degree, then uses linearization to solve the equations [6]. One considers all monomials in the system as independent variables and tries to solve the system of equations using techniques from linear algebra; we shall refer to the latter as the multivariate extension of Gaussian elimination. A variant of the XL method is the XSL method, but there are strong indications that this method does not work [3, 11].

The main problem of XL-like methods is to determine exactly how many linearly independent equations one can obtain by multiplication of an initial set of equations. Therefore, it is hard to determine the degree d for which linearization will succeed, and some results suggest that d may be large for modern block ciphers. Diem [10] proves upper bounds on the dimensions of the spaces of equations in the XL-algorithm. The results of [10] also prove that the running time of the XL-algorithm is not subexponential in the number of variables, contrary to what was claimed in [6].

In this paper, we consider a set of equations over GF(2) for a block cipher. This set is divided into two subsets, one set L consisting of equations from the linear layers and one set S consisting of equations from the nonlinear layers. Let T be the set of all variables (monomials of degree one) in the