**Deterministic Differential Properties of the BMW Compression Function**

This tool can be used to demonstrate non-randomness in the Blue Midnight Wish compression function. The implementation of the compression function is taken from the submission to the second round by the design team.

This website contains a collection of tools related to cryptography. See the overview page for a list of all tools. The about page contains more information on this initiative, and instructions for submitting your own tool. Recently added tools are listed below.

**A Fully Symbolic Polynomial System Generator for AES-128**

SYMAES is a software tool that generates a system of polynomials in GF(2), corresponding to the round transformation and key schedule of the block cipher AES-128. Test vectors were added in v1.1.

**Tools for the algebraic cryptanalysis of cryptographic primitives**

Algebraic cryptanalysis of cryptographic primitives such as block ciphers, stream ciphers and hash functions usually proceeds in two steps. (A) The algorithm is expressed as a system of multi-variate equations F over some field (usually F_{2}). (B) The system F is solved using some technique such as Grëbner basis algorithms, SAT solvers or mixed integer programming solvers. We provide scripts and tools for the mathematics software Sage to construct polynomial systems of equations for various block ciphers and conversion routines from algebraic normal form (ANF) to conjunctive normal form (CNF) and mixed integer programmes.

**Hybrid Approach for Solving Multivariate Polynomial Systems over Finite Fields**

The Hybrid Approach is an improved approach to solve multivariate systems over finite fields. Our approach is a tradeoff between exhaustive search and GrÃ¶bner bases Techniques. The efficiency depends on the choice of the tradeoff. Typically, our work permits to refine the parameters to be chosen for multivariate schemes. We present here an implementation of the hybrid approach, and the tools to compute its complexity.

**An automated way to test stream ciphers through SAT solvers**

Grain of Salt is a tool developed to automatically test stream ciphers against standard SAT solver-based attacks. The tool takes as input a set of configuration options and the definition of each filter and feedback function of the stream cipher. It outputs a problem in the language of SAT solvers describing the cipher. The tool can automatically generate SAT problem instances for Crypto-1, HiTag2, Grain, Bivium-B and Trivium. In addition, through a simple text-based interface it can be extended to generate problems for any stream cipher that employs shift registers, feedback and filter functions to carry out its work.

**Free open-source mathematics software system, also containing many modules for cryptography**

Sage is a free open-source mathematics software system licensed under the GPL. It combines the power of many existing open-source packages into a common Python-based interface. It also contains modules to perform both basic and more advanced computations in cryptography and cryptanalysis.

**Tool for cryptanalysis based on coding theory**

The CodingTool library is a new collection of tools to use techniques from coding theory in cryptanalysis. It is completely independent from other libraries and can be used on Unix and Windows platforms. It benefits from the 64-bit architecture in terms of speed. The core part is an implementation of a probabilistic algorithm to search for code words with low Hamming weight. Additional functionalities like shortening and puncturing of a linear code or adding a weight to each bit of a code word are implemented. Furthermore, the library provides data structures to assist the user in creating a linear code for a specific problem. An easy to use interface to the provided algorithms, powerful data structures and a command line parser reduces the implementation work of a cryptanalyst to a minimum.

**Simulating Algebraic Side-Channel Attacks (ASCA)**

ASCAtoCNF is a tool that provides the user with a quick way to simulate an ASCA with a data complexity of 1 to 9. The user specifies the target block cipher (PRESENT or the AES), the plaintext and secret key used. To simulate the side-channel recovery phase, the user chooses which operations of the block cipher are leaking information (for example: all the substitution operations from round 5 to 9). The side-channel recovery phase is assumed to be perfect (all recovered side-channel information is correct), but the user can make the attack harder by reducing the quantity of available side- channel information. The leakage model is the Hamming weight model on 8 bits: the adversary is assumed to recover the Hamming weight values of the data processed by the device during the specified leaking operations. The generated SAT problem can then be solved by a SAT solver like MiniSAT. With this tool, one can easily try various configurations of known leakages and study the impact of these configurations on the time complexity of the ASCA.