Generating and Exploring S-Box Multivariate Quadratic Equation Systems with SageMath

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

A new method to derive Multivariate Quadratic equation systems (MQ) for the input and output bit variables of a cryptographic S-box from its algebraic expressions with the aid of the computer mathematics software system SageMath is presented. We consolidate the deficiency of previously presented MQ metrics, supposed to quantify the resistance of S-boxes against algebraic attacks.


💡 Research Summary

The paper presents a systematic method for automatically deriving multivariate quadratic (MQ) equation systems for cryptographic S‑boxes, focusing on the Rijndael (AES) S‑box and a newly proposed Affine‑Inverse‑Affine (AIA) variant, using the open‑source computer algebra system SageMath. The authors first recap the algebraic definition of the Rijndael S‑box: an 8‑bit input byte x is represented as a polynomial x = ∑_{i=0}^{7} x_i t^i over GF(2); the inverse transformation I(x) = x^{254} mod m(t), with the irreducible m(t) = t^8 + t^4 + t^3 + t + 1, is applied, followed by the affine map A(x) = a·x + b (a = 0x1F, b = 0x63) to obtain the output byte z = A(I(x)).
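The two algebraic steps just described, implemented in plain Python as an added example (this is not code from the paper, which works in SageMath rings). It assumes, as the standard AES definition does, that the product a·x in the affine map is taken modulo t^8 + 1, so that each t^i·x is a cyclic rotation of x; the function names and the spot checks against published AES S-box values are mine, not the paper's.

```python
# Added example, not the paper's SageMath code: the Rijndael S-box computed
# from its algebraic definition, z = A(I(x)) with I(x) = x^254 mod m(t) and
# A(x) = a*x + b.  Assumption: the product a*x of the affine map is taken
# modulo t^8 + 1 (each t^i * x is then a cyclic rotation of x by i bits),
# which is the standard AES reading of that step.

M_T = 0x11B      # m(t) = t^8 + t^4 + t^3 + t + 1
A_COEFF = 0x1F   # a = 1 + t + t^2 + t^3 + t^4
B_CONST = 0x63   # b


def gf_mul(a, b):
    """Product of two GF(2)[t] polynomials (ints) reduced modulo m(t)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:     # degree reached 8: subtract (xor) m(t)
            a ^= M_T
    return r


def gf_inverse(x):
    """I(x) = x^254 in GF(2^8) by square-and-multiply; yields 0 for x = 0."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def mul_mod_t8_plus_1(a, x):
    """a(t) * x(t) mod t^8 + 1: since t^8 = 1, t^i * x is x rotated left by i."""
    r = 0
    for i in range(8):
        if (a >> i) & 1:
            r ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return r


def affine(y):
    """A(y) = a*y + b."""
    return mul_mod_t8_plus_1(A_COEFF, y) ^ B_CONST


def sbox(x):
    """Rijndael S-box: z = A(I(x))."""
    return affine(gf_inverse(x))


def sbox_table():
    return [sbox(x) for x in range(256)]


if __name__ == "__main__":
    for x in (0x00, 0x01, 0x53):
        print(f"S({x:02x}) = {sbox(x):02x}")
    print("bijective:", len(set(sbox_table())) == 256)
```

Running it reproduces the familiar values S(00) = 63, S(01) = 7c and S(53) = ed, which is a quick way to confirm that the two constants a and b together with the choice of modulus for the affine product really describe the AES S-box before any equation system is derived from them.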

The authors then reconstruct the MQ derivation originally described by Cui et al. and Courtois‑Pieprzyk, but implement it entirely in SageMath. They create a Boolean polynomial ring for the coefficient variables, extend it to a multivariate polynomial ring, and finally form a quotient ring “Byte” that implements arithmetic modulo the AES irreducible polynomial. By enforcing the relation x·y = 1 (mod m(t)), where y = I(x), they obtain eight quadratic equations. Substituting the affine transformation yields an additional sixteen equations, for a total of twenty‑four equations; however, one of them holds only with probability 255/256 and is discarded, leaving a system of 23 equations (mq1) that contains 81 distinct monomials.
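The first stage of that derivation, the eight quadratic equations that follow from x·y = 1 (mod m(t)), as an added example in plain Python rather than the paper's SageMath rings. The Boolean-polynomial representation (frozensets of monomials), the function names and the brute-force recovery of the inverse table from the equations are my additions and not the paper's; the last part also illustrates the point made further on that a system of this kind on its own determines the S-box table.

```python
# Added example, not the paper's SageMath code: the eight quadratic equations
# obtained from x*y = 1 mod m(t), y = I(x), built with a minimal Boolean
# polynomial representation (my own stand-in for Sage's BooleanPolynomialRing).
# A polynomial is a frozenset of monomials, a monomial a frozenset of variables
# ('x', i) or ('y', j); addition is symmetric difference, so coefficients are
# reduced mod 2 automatically and x_i^2 = x_i holds because sets ignore repeats.

X = [frozenset({frozenset({('x', i)})}) for i in range(8)]   # bits of x(t)
Y = [frozenset({frozenset({('y', j)})}) for j in range(8)]   # bits of y(t)
ONE = frozenset({frozenset()})   # the constant monomial 1
ZERO = frozenset()


def padd(p, q):
    return p ^ q


def pmul(p, q):
    r = set()
    for m1 in p:
        for m2 in q:
            r ^= {m1 | m2}
    return frozenset(r)


def product_mod_m(xs, ys):
    """Coefficients c_0..c_7 of x(t)*y(t) mod m(t), m(t) = t^8+t^4+t^3+t+1,
    as Boolean polynomials in the x_i and y_j."""
    c = [ZERO] * 15
    for i in range(8):
        for j in range(8):
            c[i + j] = padd(c[i + j], pmul(xs[i], ys[j]))
    # reduce t^k (k >= 8) via t^8 = t^4 + t^3 + t + 1, highest degree first
    for k in range(14, 7, -1):
        high, c[k] = c[k], ZERO
        for e in (4, 3, 1, 0):
            c[k - 8 + e] = padd(c[k - 8 + e], high)
    return c[:8]


def inverse_equations():
    """The 8 equations p = 0 of x*y = 1: constant term 1, all other terms 0."""
    c = product_mod_m(X, Y)
    return [padd(c[0], ONE)] + c[1:]


def degree(p):
    return max(len(m) for m in p)


def monomials(eqs):
    """Distinct non-constant monomials of the system."""
    return {m for p in eqs for m in p if m}


def evaluate(p, x, y):
    """Value of p at concrete bytes x, y (bit i of x is x_i)."""
    val = 0
    for m in p:
        bit = 1
        for name, i in m:
            bit &= ((x if name == 'x' else y) >> i) & 1
        val ^= bit
    return val


def solve_inverse_table(eqs):
    """For every x, the list of y in 0..255 satisfying all equations; this
    recovers the inverse table from the MQ system alone by enumeration."""
    return {x: [y for y in range(256) if all(evaluate(p, x, y) == 0 for p in eqs)]
            for x in range(256)}


if __name__ == "__main__":
    eqs = inverse_equations()
    print(len(eqs), "equations of degree", {degree(p) for p in eqs},
          "over", len(monomials(eqs)), "monomials")
    table = solve_inverse_table(eqs)
    print("x=0 has", len(table[0]), "solutions; I(0x53) =",
          [hex(y) for y in table[0x53]])
```

Two things are visible directly from the output. First, the system consists of 8 equations of degree 2 over all 64 products x_i·y_j, and every non-zero x has exactly one satisfying y, so enumeration recovers the inverse table without ever computing x^254. Second, at x = 0 the product is identically zero, so the equation carrying the constant term reduces to 1 = 0 while the other seven still hold; that single equation is the one the summary describes as true only with probability 255/256 and dropped from the final system.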

The paper demonstrates how SageMath’s list and dictionary facilities can automatically extract coefficients, substitute variables, and generate the full MQ without manual transcription errors. The authors then solve the MQ using two approaches: (1) a SAT solver provided by SageMath’s SAT module, and (2) Gröbner basis computation. The SAT solver solves the 23‑equation system in roughly 0.6 seconds on a modest 2.8 GHz machine, while Gröbner basis computation takes about 14 seconds and produces an 8‑equation basis of degree 7 with 263 monomials. Remarkably, the reduced 16‑equation subsystem (mq2) is sufficient to recover the full S‑box table, and its SAT solving time (≈0.7 s) is comparable to that of the larger system, contradicting the claim that more equations automatically imply higher algebraic resistance.

Next, the authors apply the same automated pipeline to the AIA S‑box, which applies an affine map, then the inverse, then another affine map (A ∘ I ∘ A). They model the AIA transformation with 253 intermediate variables y₀…y₂₅₂ and the output z. The polynomial coefficients of the AIA mapping are entered as hexadecimal strings; SageMath converts them into Boolean variables and constructs the full MQ. Despite the dramatic increase in the number of equations and variables, the SAT solver again solves the system in a time comparable to the original Rijndael MQ, indicating that sheer equation count does not translate into practical hardness.

The paper critically examines two previously proposed metrics for resistance against algebraic attacks (RAA): the Cheon‑Lee metric Γ = ⌈(t−r)/n⌉·2^{d(t−r)/n} and the Courtois‑Pieprzyk metric Γ_CP = ⌈t/n⌉·2^{d·t/r}, where r is the number of equations, t the total number of monomials, n the field size, and d the maximal degree. Using the counted values (e.g., for Rijndael: r=23, t=81, d=2, n=8) the authors compute Γ≈2^{22} and Γ_CP≈2^{13}. For the reduced 16‑equation system the metrics explode to Γ≈2^{27} and Γ_CP≈2^{20}, yet the empirical SAT solving time does not reflect such a dramatic increase. The same discrepancy appears for the AIA S‑box, leading the authors to conclude that these metrics severely over‑estimate actual algebraic difficulty and are therefore unsuitable for evaluating S‑box security.

Finally, the authors emphasize the practical benefits of SageMath: it provides a free, reproducible environment where researchers can define Boolean rings, construct quotient rings, generate MQs automatically, and invoke SAT or Gröbner solvers with a few lines of code. This transparency allowed the authors to spot typographical errors and incorrect coefficient tables in the original Cui et al. publications. They argue that SageMath should become a standard tool for S‑box design and algebraic cryptanalysis, enabling rapid verification of claimed security properties and facilitating the exploration of more sophisticated algebraic structures. The paper thus contributes both a concrete methodological framework and a critical perspective on existing algebraic‑resistance metrics.

