Abstract

This paper studies the mathematical foundation of the SQUARE attack using an algebraic method. We point out that a SQUARE distinguisher exists if and only if the degree of the polynomial function between the n-bit input, which is active, and the n-bit output, which is balanced, is ⩽ 2^n − 2. The algebraic method can also be used to determine the property of a balanced set after it has passed through a nonlinear S-box, by which in some cases we can find a SQUARE distinguisher covering more rounds. The validity of the SQUARE attack and the influence of the choice of S-box are also studied. If the round function of a Feistel cipher has a low algebraic degree, a SQUARE attack cannot recover the right keys in some special cases. However, the SQUARE attack on SPN ciphers always holds. The relations between the SQUARE attack and some other cryptanalytic methods are studied, showing that if a cipher is breakable by the SQUARE attack, then it is also breakable by the interpolation attack.
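An added example (not from the paper) that checks the degree criterion on a small field: over GF(2^4), every polynomial of degree at most 2^4 − 2 = 14 XOR-sums to zero over an active input, while a polynomial of degree 15 sums to its leading coefficient. The field size, the reduction polynomial x^4 + x + 1 and all function names are assumptions made for the illustration.

```python
import random

N = 4                  # assumed word size for the illustration
MOD = 0b10011          # x^4 + x + 1, irreducible over GF(2) (assumed choice)
SIZE = 1 << N

def gf_mul(a, b):
    """Multiply in GF(2^N): carry-less multiply with reduction by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MOD
    return r

def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[i] is the coefficient of x^i."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def xor_sum(coeffs):
    """XOR of f(x) over an active input: x takes every field value once."""
    s = 0
    for x in range(SIZE):
        s ^= poly_eval(coeffs, x)
    return s

def is_balanced(coeffs):
    return xor_sum(coeffs) == 0

def random_poly(degree, rng):
    """Random polynomial of exactly the given degree (nonzero leading term)."""
    return [rng.randrange(SIZE) for _ in range(degree)] + [rng.randrange(1, SIZE)]

def demo(trials=200, seed=1):
    rng = random.Random(seed)
    # Degree 0..14: the output set must always be balanced.
    low = all(is_balanced(random_poly(rng.randrange(SIZE - 1), rng))
              for _ in range(trials))
    # Degree 15: the XOR sum equals the leading coefficient, so never zero.
    top = [random_poly(SIZE - 1, rng) for _ in range(trials)]
    high = all(xor_sum(p) == p[-1] for p in top)
    return low, high
```

Field inversion, x^14 in this field, has degree 14 and therefore keeps an active input balanced, which is the S-box case the criterion is usually applied to.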
