Algebraic Cryptanalysis of Simplified AES

Simplified AES was developed in 2003 as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. There have been some claims that AES is threatened by algebraic cryptanalysis. We will use algebraic cryptanalysis to attack simplified AES. In his 1949 paper, “Communication Theory of Secrecy Systems [8],” Claude Shannon asked the question “How can we ever be sure that a [crypto]system which is not ideal ... will require a large amount of work to break with every method of analysis?” [[8], 704] Shannon suggested two approaches to that problem: (1) We can study the possible methods of solution available to the cryptanalyst and attempt to describe them in sufficiently general terms to cover any of the methods he might use. We then construct our system to resist this “general” method of solution. (2) We may construct our cipher in such a way that breaking it is equivalent to (or requires at some point in the process) the solution of some problem known to be laborious. Thus, if we could show that solving a certain system requires at least as much work as solving a system of simultaneous equations in a large number of unknowns, of a complex type, then we would have a lower bound of sorts for the work characteristic. [[8], 704] It is the second approach – in reverse – that is the basis of algebraic cryptanalysis. To do algebraic cryptanalysis, the cryptanalyst models the cryptosystem as a system of polynomial equations and then attempts to solve that system. The cryptanalyst’s success is determined by whether or not it is possible to solve the resulting system. The technique of linear cryptanalysis, which has been known since the mid-1990s, attempts to find “approximately” linear relationships and solve the resulting system of linear equations, which is easy to do. Algebraic cryptanalysis determines exact (probably nonlinear) polynomial models of the cryptosystem, but then it depends on using powerful software and “tricks of the trade” to solve the