Algebraic-Differential Cryptanalysis of DES

Algebraic cryptanalysis is as a general framework that permits to assess the security of a wide range of cryptographic schemes. However, the feasibility of algebraic cryptanalysis against block ciphers remains the source of speculation and especially in targeting modern block ciphers. The main problem is that the size of the corresponding algebraic system is so huge (thousand of variables and equations) that nobody is able to predict correctly the complexity of solving such polynomial systems. To make algebraic attacks efficient it seems clear that new ideas are required. One possible room for improvement is related to the modeling. A new trend in this area is to combine statistical and algebraic attacks. In this paper, we will present an attack against round-reduced version on DES mixing algebraic and differential techniques. The use of differential permits to ease the solving step; whilst algebraic techniques allows to decrease the numbers of pairs required for a classical differential cryptanalysis. In particular, we have reduced the minimum numbers of pairs required for 6, 7 and 8 rounds of DES. On the other hand, the cost of the attack is higher than a standard usual differential cryptanalysis (but remaining at a reasonable level). For instance, for 6 rounds of DES we have reduced the number of pairs to 32 and the cost is 3000 seconds (to be compared with 240 pairs for the original attack of Biham and Shamir).