Observations on the Cryptologic Properties of the AES Algorithm
A thesis submitted in fulfillment of the
requirements for the award of the degree
Doctor of Philosophy
from
UNIVERSITY OF WOLLONGONG
by
Beomsik Song
School of Information Technology and Computer Science
April 2004
Certification
This is to certify that the work reported in this thesis was done
by the author, unless specified otherwise, and that no part of
it has been submitted in a thesis to any other university or
similar institution.
Beomsik Song, April 5, 2004
Abstract
The AES algorithm is a symmetric block cipher, which will replace DES for the next few
decades. This cipher has been reputed to be secure against conventional cryptanalytic
methods, such as DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), but
the simple algebraic structure of the cipher has led to some commentators’ concerns
about its security.
The purpose of this study is to observe the cryptologic properties of the AES algorithm
from a new point of view, and to examine the security of this cipher on the basis of
these observations.
Some well-known research studies on the security of the AES algorithm are reviewed
first, classified into four categories. We then discuss the cyclic properties and
consistent differential patterns of this cipher using our own observations, which have been
introduced in [7, 8, 9].
In terms of the cyclic properties of the AES algorithm, we have observed that every
function used in the AES algorithm has a very short period, and that each layer has a
short period as well. But we note that although the maximal periods of both the non-
linear layer and the linear layer are short, the maximal period is dramatically increased
when these two layers are combined. However, more importantly, we have observed
that the AES algorithm still has a very unusual cyclic property for certain types of
input blocks even in the combined layer, so that input blocks having short periods have
simple hidden algebraic relations with their corresponding output blocks.
In conjunction with the consistent differential patterns of the AES algorithm, we note
that the AES structure is very well designed to be secure against DC and LC, as has
previously been known. But we have also observed that it leads to some consistent
differential patterns after certain rounds, which can be used for its cryptanalysis.
Acknowledgements
First of all, I sincerely and deeply thank Professor Jennifer Seberry, my supervisor.
She has always helped me whenever I was in difficulty. I shall never forget her
constant affection towards students. I hope that I will have an opportunity to requite her
kindness some day.
I also cordially acknowledge those who allowed me to do my Ph.D study and who
reserved my position at work during my period of study. Without their help, I would
not have been able to study. I will always remember their support.
I would also like to thank Ken Finlayson for his cordial assistance during my studies.
I do not know how to thank him for his kindness.
Finally, my thanks go to Professor Reihaneh Safavi-Naini, Doctor Yejing Wang, and
Doctor Tianbing Xia as well for the various ways in which they have supported me.
List of Publications
The author has published some papers in this area. The papers are listed below and
show how much work the author did in the preparation of this thesis.
• B. Song, H. Wang, and J. Seberry, “A New Cryptanalytic Method Using the
Distribution Characteristics of Substitution Distances”, Proceedings of ICISC
2001, Lecture Notes In Computer Science Vol.2288, pp.18-31, Springer-Verlag,
Berlin, 2002.
• B. Song and J. Seberry, “Consistent Differential Patterns of Rijndael”,
Proceedings of ICISC 2002, Lecture Notes In Computer Science Vol.2587, pp.149-163,
Springer-Verlag, Berlin, 2003.
• B. Song and J. Seberry, “Further Observations on the Structure of the AES
Algorithm”, Proceedings of FSE 2003, Lecture Notes In Computer Science Vol.2887,
pp.223-234, Springer-Verlag, Berlin, 2003.
• B. Song, J. Seberry and T. Xia, “Design Concept of a Plaintext-Dependent Block
Cipher” (submitted).
Contents
Abstract v
Acknowledgements vi
List of Publications vii
1 Introduction 1
2 Description of the AES Algorithm 5
2.1 Basic mathematics operations 5
2.2 Outline of the structure 7
2.3 Specification of the functions 8
2.4 Expansion of the Cipher Key 12
2.5 Inverse cipher 14
3 Cryptologic Properties of the AES Algorithm 16
3.1 Immunity against DC and LC 16
3.2 Distinctive output properties of the structure 19
3.3 Cryptologic properties of the key schedule 25
3.4 Algebraic properties of the algorithm 29
4 Cyclic Properties of the AES Algorithm 39
4.1 Cyclic properties of each function 40
4.1.1 Cyclic properties of the SubBytes transformation 41
4.1.2 Cyclic properties of the ShiftRows transformation 43
4.1.3 Cyclic properties of the MixColumns transformation 43
4.2 Cyclic properties of combined functions 46
4.2.1 Cyclic properties of the linear layer 46
4.2.2 Cyclic properties of the combined layer 48
4.3 Comparison with DES 51
5 Security Impact of the Cyclic Property 54
5.1 Cyclic properties of the elementary structure 54
5.2 Cryptologic impact 56
5.3 Interim conclusion 59
6 Distinctive Output Properties of the AES Algorithm 61
6.1 Differential properties of the S-box 62
6.1.1 Distribution of output differences 62
6.1.2 Relationship between the S-box and the keys 64
6.1.3 Relationship between the ES-box and the keys 65
6.1.4 Relationship between the elementary structure and the keys 66
6.2 Distinctive output properties of MixColumn 67
6.3 Consistent differential patterns of the AES algorithm 68
6.3.1 Concept of the consistent differential pattern 69
6.3.2 Second-round consistent differential patterns 69
6.3.3 223rd-round consistent differential patterns 72
6.3.4 Third-round consistent differential pattern 73
6.3.5 Fourth-round consistent differential patterns 75
6.3.6 Fifth-round consistent differential pattern 78
7 Security Impact of the Consistent Differential Pattern 81
7.1 Three rounds 81
7.2 Four rounds 83
7.3 Five rounds 85
7.4 Six rounds 87
7.5 Seven-round extension 91
8 Conclusion 92
A Classifying the substitution values in the ES-box 94
B Distribution of output differences 101
C Implementation results of the five-round cryptanalysis 105
Bibliography 109
List of Figures
1.1 Elementary structure of the SPN structure block cipher 2
2.1 Outline of the AES algorithm 7
2.2 Mixing of four bytes in a column 11
2.3 Illustration of the InvShiftRows transformation 14
2.4 Mixing of four bytes in the InvMixColumns transformation 15
3.1 Illustration of the third-round balanced property 20
3.2 Fourth-round collision distinguisher of the AES algorithm 23
3.3 Correlations between the bytes of the expanded key 28
3.4 Re-grouping of the functions in the elementary structure 30
4.1 Elementary structure of the AES algorithm 40
4.2 Illustration of the ShiftRows transformation 43
4.3 Re-ordering of SubBytes and ShiftRows 50
5.1 Simple plaintext-ciphertext algebraic relationship in the cipher itself 58
6.1 Example of the distribution of output differences in the S-box 63
6.2 Substitution in the S-box 64
6.3 Substitution in the composition of the S-box and MixColumn 66
6.4 Elementary structure surrounded by round keys 67
6.5 Second-round consistent differential patterns 1 71
6.6 Second-round consistent differential patterns 2 71
6.7 223rd-round consistent differential patterns 73
6.8 Third-round consistent differential pattern 74
7.1 Checking the fourth-round consistent differential pattern 88
List of Tables
1.1 Fifteen candidates for the Advanced Encryption Standard 1
2.1 S-box of the AES algorithm 9
2.2 S-box^-1 of the AES algorithm 14
3.1 Complexities of the Square attack against the AES algorithm 21
3.2 Complexities of the IDC against the AES algorithm 22
4.1 Classifying the substitution values in the S-box 41
4.2 ES-box 49
4.3 Classifying the substitution values in the ES-box 51
4.4 P-box of DES 52
Chapter 1
Introduction
In 1997, the NIST (National Institute of Standards and Technology) initiated an open
call to develop the AES (Advanced Encryption Standard) algorithm to replace DES
(Data Encryption Standard) for the next few decades [60]. Fifteen cipher algorithms
summarised in Table 1.1 were announced as candidates at the first AES Candidate
Conference in August 1998 [61], and then five algorithms were selected as the finalists
in August 1999, after the second AES Candidate Conference [62]. These are MARS
[11], RC6TM [66], Rijndael [28], Serpent [65], and Twofish [3].
Algorithm   Origin                   Structure (Rounds)
CRYPTON     Korea                    SPN structure (12)
CAST-256    Canada                   Modified Feistel structure (48)
DEAL        Canada and Norway        Feistel structure (6)
DFC         France                   Feistel structure (8)
E2          Japan                    Feistel structure (12)
FROG        Costa Rica               (8)
HPC         USA                      Modified Feistel structure (8)
LOKI97      Australia                Feistel structure (16)
MAGENTA     Germany                  Feistel structure (6)
MARS        USA                      Modified Feistel structure (32)
RC6         USA                      Modified Feistel structure (20)
RIJNDAEL    Belgium                  SPN structure (10)
SAFER+      USA                      SPN structure (8)
SERPENT     UK, Norway and Israel    SPN structure (32)
TWOFISH     USA                      Feistel structure (16)
Table 1.1: Fifteen candidates for the Advanced Encryption Standard
Then a well-designed SPN (Substitution Permutation Network) structure block cipher,
Rijndael [28] was adopted (26th November 2001) as the AES algorithm (FIPS PUB
197) [63].
Note: As is well known, together with the Feistel structure [3, 39, 43,
59], the SPN structure [12, 27, 34, 65] is the most commonly used block
cipher structure. One round usually consists of two layers: a non-linear
substitution layer and a linear transformation layer as described in Figure
1.1. The non-linear layer takes charge of obscuring the relationship between
the plaintext and the ciphertext (confusion), and the linear layer has the
role of dissipating the redundancy of the plaintext by spreading it over
the ciphertext (diffusion) [4, 5]. These kinds of block ciphers ensure their
security by the repetitions of the elementary structure.
Figure 1.1: Elementary structure of the SPN structure block cipher (input bytes I0, I1, ..., In-1 → S-box substitution S(I0), S(I1), ..., S(In-1) → linear transformation → ⊕ round key)
The AES algorithm (Rijndael) has been reputed to be secure against conventional
cryptanalytic methods [28, 52], such as DC (Differential Cryptanalysis) [19] and LC
(Linear Cryptanalysis) [50], and throughout the AES selection process its security
was examined with considerable cryptanalytic methods [22, 25, 28, 58, 68]. Also, the
designers have stated that the AES algorithm was designed to be secure against some
other known cryptanalytic methods, such as truncated differential cryptanalysis [46, 47],
related key attack [23, 33], and interpolation attack [75]. However, despite the novelty
[29] and advantages [62, 64] of the AES algorithm, the simple algebraic structure of
this cipher has led to some commentators’ concerns about the security of this cipher
[48, 57, 67, 69, 70]. In particular, S. Murphy and M.J.B. Robshaw [69, 70] have modified
the original structure of the AES algorithm so that the affine transformation, which is
one of the functions used for generating the S-box (non-linear layer), moves to the linear
layer, and have shown that any input to the modified linear layer of the AES algorithm
is mapped to itself after 16 iterations of the modified linear transformation (the
maximal period of the modified linear layer is 16) [69, 70]. Based on these observations,
they have noted that the linear layer of the AES algorithm is surprisingly ineffective at
“mixing data” (definition in Chapter 3), contrary to what might have been expected.
They have also remarked that the unusual properties of the linear layer could imply
considerable algebraic weaknesses of the AES algorithm from a cryptanalytic point of
view. However, this research has led to an immediate refutation by the designers of
the AES algorithm [29] due to the fact that their observations have been restricted to
the linear layer, and that they have not shown practical connections between the short
period of the modified linear layer and cryptological weaknesses of this cipher. More
recently, through the proposal of the XSL attack, N. Courtois and J. Pieprzyk have
shown that the AES algorithm has unexpected algebraic properties, and that the AES
algorithm can be described by a system of overdefined and sparse quadratic equations
[55, 56]. They have also noted that the security of the AES algorithm is equivalent to
the difficulty of solving this system. From their observations, they have remarked that
“the security of Rijndael does not grow exponentially with the number of rounds”, and
have commented that “in order to prevent such attacks, at least a few S-boxes in a
cipher should not be described by a small system of overdefined multivariate equations”.
S. Murphy and M.J.B. Robshaw have also supported this idea in [71, 72]. However,
in spite of this significant progress in the cryptanalysis of the AES algorithm, it seems
to be still arguable whether the AES algorithm is seriously weak from a cryptological
point of view. Considering that the AES algorithm is a representative SPN structure
block cipher, and will be used for the next few decades, it is worth analysing the
cryptologic properties of the AES algorithm in further depth. If we understand which
part of the AES algorithm causes weakness from a cryptologic perspective, then it can
be considered in the design of other SPN structure block ciphers.
In this thesis, we introduce our further studies on the cryptologic properties of the
AES algorithm. In Chapter 2, we first describe the structure of the AES algorithm,
which we will study in this thesis. In Chapter 3, we then review some of the
cryptologic properties of the AES algorithm which have been observed since Rijndael was
proposed for the process of the AES selection. For the review, we classify the
previous observations into four categories: the immunity of the AES algorithm against DC
and LC, distinctive output properties of the AES structure, cryptologic properties of
the key schedule, and algebraic properties of the algorithm. From Chapter 4 on, we
discuss our own observations on the cryptologic properties of the AES algorithm. In
Chapter 4, we study the cyclic properties of the AES algorithm. We observe that every
function used in the AES algorithm has a very short period, and that each layer has a
short period as well. But we note that although the maximal periods of both the non-
linear layer and the linear layer are short, the maximal period is dramatically increased
when these two layers are combined. In Chapter 5, we discuss the impact of the cyclic
properties on the security of the AES algorithm. We find that the AES algorithm has
a very unusual cyclic property for certain types of input blocks. We show that input
blocks with short periods could have relatively simple hidden algebraic relationships
with their corresponding output blocks. In Chapter 6, we observe some distinctive
output properties of the AES algorithm. We first discuss the differential properties of
the S-box used in the non-linear layer. We then find some distinctive output properties
of the matrix multiplication used in the linear layer. After this, we discuss consistent
differential patterns of the AES algorithm. We show that the AES algorithm is very
well designed to be secure against DC (the S-box yields well-distributed output
differences for any input difference), but that it leads to some consistent differential patterns
after certain rounds. Before discussing the consistent differential patterns of the AES
algorithm, we define the concept of the consistent differential pattern. In Chapter 7,
we show the impact of the consistent differential patterns on the security of the AES
algorithm. Finally, in Chapter 8, we summarise our observations.
Chapter 2
Description of the AES Algorithm
In this chapter, we describe the structure of the AES algorithm. We first specify the
basic mathematics operations used in the algorithm: addition and multiplication. We
then explain the outline of the structure, followed by the role of each function. Finally,
we describe the procedures of the key expansion and the inverse cipher. Although the
structure of Rijndael [28] is the same as that of the AES algorithm, we have used the
Standard [63] itself for the basis of our discussion and study. When we refer to the non-
standard part (for example, 192 or 256-bit data blocks), we will use the representation
of Rijndael.
2.1 Basic mathematics operations
All the bytes in the algorithm are interpreted as finite field elements using a polynomial
representation, as described below:
$$b_7 x^7 + b_6 x^6 + b_5 x^5 + b_4 x^4 + b_3 x^3 + b_2 x^2 + b_1 x + b_0 = \sum_{i=0}^{7} b_i x^i.$$
For example, the byte ‘e7′=(11100111) identifies the specific finite field element x7 +
x6 + x5 + x2 + x + 1. Throughout the algorithm, all the input bytes are added and
multiplied as outlined below; that is, the algorithm uses the following mathematical
concepts for addition and multiplication.
Addition
In the polynomial representation, the addition of two elements in a finite field is the
sum modulo 2 of the coefficients for the corresponding powers in the polynomials for
the two elements. That is, the addition is performed with the bitwise XOR (denoted
by ⊕) at the byte level. For example, the addition of ‘57′ and ‘83′ can be described as
(x6 + x4 + x2 + x + 1) + (x7 + x + 1) = x7 + x6 + x4 + x2
in the polynomial notation and as
(01010111) ⊕ (10000011) = (11010100)
in the binary notation, so the result is ‘d4′ in the hexadecimal notation.
Multiplication
In the polynomial representation, the multiplication (denoted by ·) in GF(2^8) of two
elements is achieved by the multiplication of polynomials modulo an irreducible
polynomial of degree 8. For the AES algorithm, this irreducible polynomial is given by
m(x) = x8 + x4 + x3 + x + 1.
For example, ‘57′ · ‘83′ = ‘c1′ due to the following polynomial computations:
(x6 + x4 + x2 + x + 1)(x7 + x + 1) =
x13 + x11 + x9 + x8 + x7 + x7 + x5 + x3 + x2 + x + x6 + x4 + x2 + x + 1 =
x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1
and
x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1 mod x8 + x4 + x3 + x + 1 =
x7 + x6 + 1 = (11000001) = ‘c1′.
The modular reduction by the irreducible polynomial m(x) ensures that the result
will be a binary polynomial of degree less than 8. The multiplication defined above
is associative and there exists a multiplicative identity ‘01′. For any non-zero binary
polynomial b(x) of degree less than 8, the multiplicative inverse, b−1(x), can be found
as follows: the extended Euclidean algorithm [1] can be used to compute polynomials
a(x) and c(x) such that
b(x)a(x) + m(x)c(x) = 1.
Hence, a(x) · b(x) mod m(x) = 1, and
b−1(x) = a(x) mod m(x).
2.2 Outline of the structure
The AES algorithm is an SPN structure block cipher that can process data blocks
of 128 bits with variable-length Cipher Keys (128, 192, and 256 bits) [63]. Although
Rijndael, the origin of the AES algorithm, was designed to handle additional block
sizes (192 and 256 bits) [28], these block sizes are not considered as the Standard.
Therefore, following the Standard, we refer to the algorithm as “AES-128”, “AES-
192”, and “AES-256” according to the key sizes.
Figure 2.1: Outline of the AES algorithm (AES-128): Input (16 bytes) → ⊕ RK0 → [SB → SR → MC → ⊕ RKp] for rounds p = 1, ..., 9 → SB → SR → ⊕ RK10 → Output (16 bytes). SB: SubBytes transformation, SR: ShiftRows transformation, MC: MixColumns transformation, RKp: pth round key.
As shown in Figure 2.1, the elementary structure (one round) of the AES algorithm
consists of two layers: a non-linear layer (SubBytes transformation) and a linear layer
(ShiftRows transformation and MixColumns transformation). Each byte in an input
block is bytewise substituted by the SubBytes transformation using a substitution table
(S-box) described in Table 2.1, and then every byte in each row is cyclically shifted by
a certain value by the ShiftRows transformation (bytes in row #0: 0, bytes in row
#1: 1, bytes in row #2: 2, bytes in row #3: 3) as illustrated in (2.1). After this,
all four bytes in each column are mixed by the matrix formula in Figure 2.2 through
the MixColumns transformation. After these operations, a 128-bit round key extended
from the Cipher Key is XORed in the last part of each round. The MixColumns
transformation is omitted in the last round (AES-128: 10th round, AES-192: 12th
round, AES-256: 14th round), but before the first round a 128-bit initial round key,
which is actually the same as the Cipher Key, is XORed to the plaintext through the
initial round key addition routine. The decryption is the reverse order of the encryption,
and the inverses of each operation are used, namely the InvSubBytes transformation,
InvShiftRows transformation and InvMixColumns transformation.
2.3 Specification of the functions
As previously mentioned in the outline of the structure, the elementary structure of the
AES algorithm consists of three functions: the SubBytes transformation, the ShiftRows
transformation, and the MixColumns transformation. The SubBytes transformation,
which is the non-linear layer of the algorithm, takes charge of confusion, and the
ShiftRows transformation and MixColumns transformation, which belong to the linear
layer, are used for diffusion.
SubBytes transformation
The SubBytes transformation is a non-linear byte substitution that operates
independently on each byte of the input block. The core of this operation is the S-box with 256
substitution paths as described in Table 2.1, and this invertible S-box is constructed
from the composition of the following two functions:
1. For any input byte, take a multiplicative inverse in the finite field GF(2^8), as
described in Section 2.1. The value ‘00′ is mapped to itself.
2. Apply an affine transformation over GF(2) defined by:
$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$
for 0 ≤ i < 8, where b_i is the ith bit of the byte, and c_i is the ith bit of a fixed
value ‘63′ = (01100011). This can be expressed in the following matrix form:
$$\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix} =
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} +
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.$$
    0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
0  63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
1  ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
2  b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
3  04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
4  09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
5  53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
6  d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
7  51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
8  cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
9  60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a  e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b  e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c  ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d  70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e  e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f  8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
(row: high nibble of the input byte, column: low nibble)
e.g. input value: 0x65 → output value: 0x4d
Table 2.1: S-box of the AES algorithm
It is noted that we will sometimes use the notation SubBytes for the mathematical
representation of the SubBytes transformation. When the SubBytes transformation is
applied to just one byte, we use the notation SubByte without an ‘s’. The following
is an example of the SubBytes transformation (Sin is an input block and Sout is the
corresponding output block):
Sin : 26 17 66 f0
10 69 ab 01
63 09 cd 65
03 11 ef 00
−→
Sout : f7 f0 33 8c
ca f9 62 7c
fb 01 bd 4d
7b 82 df 63
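As an added worked example (my own code, not the thesis's), the following Python implements the finite-field arithmetic of Section 2.1 and the two-step S-box construction above, and applies the resulting SubBytes transformation to the example block Sin just shown. The function names are my own; the constants m(x) and ‘63′ are those of the Standard.

```python
# Added example: GF(2^8) arithmetic (Section 2.1), S-box construction and the
# SubBytes transformation (Section 2.3).  Function names are my own.
M_X = 0x11B      # m(x) = x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial
C_AFFINE = 0x63  # the constant '63' = (01100011) of the affine transformation


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^8): coefficients added mod 2, i.e. bitwise XOR."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Carry-less product of two binary polynomials (no reduction)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return product


def poly_divmod(a: int, b: int) -> tuple:
    """Long division of binary polynomials: returns (quotient, remainder)."""
    quotient = 0
    while b and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        quotient ^= 1 << shift
        a ^= b << shift
    return quotient, a


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8): polynomial product reduced modulo m(x)."""
    return poly_divmod(poly_mul(a, b), M_X)[1]


def gf_inv(b: int) -> int:
    """Multiplicative inverse by the extended Euclidean algorithm: find a(x)
    with b(x)a(x) + m(x)c(x) = 1, so that b^-1(x) = a(x) mod m(x).  As in the
    S-box definition, '00' (which has no inverse) is mapped to itself."""
    if b == 0:
        return 0
    r0, r1 = M_X, b   # remainder sequence, starting from m(x) and b(x)
    s0, s1 = 0, 1     # invariant: s_k * b == r_k  (mod m(x))
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    return poly_divmod(s1, M_X)[1]


def affine(b: int) -> int:
    """b'_i = b_i + b_(i+4) + b_(i+5) + b_(i+6) + b_(i+7) + c_i over GF(2),
    indices taken mod 8: the second step of the S-box construction."""
    out = 0
    for i in range(8):
        bit = (C_AFFINE >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        out |= bit << i
    return out


def sub_byte(b: int) -> int:
    """The S-box: multiplicative inverse followed by the affine transformation."""
    return affine(gf_inv(b))


def build_sbox() -> bytes:
    """The full 256-entry S-box of Table 2.1, generated rather than typed in."""
    return bytes(sub_byte(b) for b in range(256))


def sub_bytes(block: bytes) -> bytes:
    """SubBytes: bytewise substitution of a 16-byte block (any byte order)."""
    return bytes(sub_byte(b) for b in block)


# Check data taken from the Sin / Sout example of Section 2.3, row by row.
S_IN = bytes.fromhex("261766f01069ab016309cd650311ef00")
S_OUT = bytes.fromhex("f7f0338ccaf9627cfb01bd4d7b82df63")

if __name__ == "__main__":
    assert gf_mul(0x57, 0x83) == 0xC1 and gf_add(0x57, 0x83) == 0xD4
    assert all(gf_mul(b, gf_inv(b)) == 1 for b in range(1, 256))
    assert sub_bytes(S_IN) == S_OUT
    print("S(0x65) = 0x%02x" % sub_byte(0x65))  # 0x4d, as in Table 2.1
```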
ShiftRows transformation
The ShiftRows transformation is one of the two functions constructing the linear layer
of the algorithm. In the ShiftRows transformation, every byte in each row is cyclically
shifted to the left by a certain offset, as illustrated in (2.1) (bytes in row #0: 0 (no
shift), bytes in row #1: 1, bytes in row #2: 2, bytes in row #3: 3). This has the effect
of moving the bytes to lower positions in the row, and the designers mention that
this operation is used for enhancing resistance against some attacks using truncated
differentials [46].
Sin : b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 b1,2 b1,3
b2,0 b2,1 b2,2 b2,3
b3,0 b3,1 b3,2 b3,3
−→
Sout : b0,0 b0,1 b0,2 b0,3
b1,1 b1,2 b1,3 b1,0
b2,2 b2,3 b2,0 b2,1
b3,3 b3,0 b3,1 b3,2
(2.1)
MixColumns transformation
In the MixColumns transformation, each column in an input block is considered as a
four-term polynomial over GF(2^8), and multiplied modulo x^4 + 1 with a fixed
polynomial
f(x) = ‘03′x3 + ‘01′x2 + ‘01′x + ‘02′.
For more detail, let us suppose that a certain column in an input block of the
MixColumns transformation is a four-byte word (b0, b1, b2, b3). Then this column is denoted
as
$$b(x) = b_3 x^3 + b_2 x^2 + b_1 x + b_0$$
in a four-term polynomial. If the polynomial b(x) is multiplied with f(x), then
$$h(x) = h_6 x^6 + h_5 x^5 + h_4 x^4 + h_3 x^3 + h_2 x^2 + h_1 x + h_0$$
where
h0 = ‘02′ · b0
h1 = ‘01′ · b0 ⊕ ‘02′ · b1
h2 = ‘01′ · b0 ⊕ ‘01′ · b1 ⊕ ‘02′ · b2
h3 = ‘03′ · b0 ⊕ ‘01′ · b1 ⊕ ‘01′ · b2 ⊕ ‘02′ · b3
h4 = ‘03′ · b1 ⊕ ‘01′ · b2 ⊕ ‘01′ · b3
h5 = ‘03′ · b2 ⊕ ‘01′ · b3
h6 = ‘03′ · b3.
At this stage, h(x) does not represent a four-byte word. Now, if we reduce h(x) modulo
the polynomial x^4 + 1, which has the property
$$x^i \bmod (x^4 + 1) = x^{i \bmod 4},$$
then the result is a polynomial of degree less than 4. The modular
product of f(x) and b(x) is given by the four-term polynomial
$$d(x) = d_3 x^3 + d_2 x^2 + d_1 x + d_0 \qquad (2.2)$$
where
d0 = (‘02′ · b0) ⊕ (‘03′ · b1) ⊕ (‘01′ · b2) ⊕ (‘01′ · b3)
d1 = (‘01′ · b0) ⊕ (‘02′ · b1) ⊕ (‘03′ · b2) ⊕ (‘01′ · b3)
d2 = (‘01′ · b0) ⊕ (‘01′ · b1) ⊕ (‘02′ · b2) ⊕ (‘03′ · b3)
d3 = (‘03′ · b0) ⊕ (‘01′ · b1) ⊕ (‘01′ · b2) ⊕ (‘02′ · b3).
If we now express (2.2) as a matrix multiplication, then we see the matrix formula
in Figure 2.2. That is, the MixColumns transformation takes charge of mixing four
bytes in each column with the matrix formula in Figure 2.2. It is noted that we will
sometimes use the notation MixColumns for the mathematical representation of the
MixColumns transformation. When the MixColumns transformation is applied to just
one column, we use the notation MixColumn without an ‘s’.
$$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} =
\begin{pmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$
Figure 2.2: Mixing of four bytes in a column
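As an added example (my own code, not from the thesis), the following Python computes a MixColumn in the two ways just described, as the product b(x)·f(x) reduced modulo x^4 + 1 through the coefficients h_0, ..., h_6, and as the matrix product of Figure 2.2, and checks both against each other and against the InvMixColumns matrix of Figure 2.4 (Section 2.5). Multiplication by the small constants is done by repeated multiplication by x (xtime) rather than with a general GF(2^8) multiplier; the check column is one I constructed and verified by hand.

```python
# Added example: MixColumns (Section 2.3) as a polynomial product modulo
# x^4 + 1 and as the matrix of Figure 2.2, plus InvMixColumns (Figure 2.4).
from typing import List, Sequence

M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1

# f(x) = '03'x^3 + '01'x^2 + '01'x + '02', stored lowest degree first.
F_X = (0x02, 0x01, 0x01, 0x03)

MIX_MATRIX = (               # Figure 2.2
    (0x02, 0x03, 0x01, 0x01),
    (0x01, 0x02, 0x03, 0x01),
    (0x01, 0x01, 0x02, 0x03),
    (0x03, 0x01, 0x01, 0x02),
)
INV_MIX_MATRIX = (           # Figure 2.4
    (0x0E, 0x0B, 0x0D, 0x09),
    (0x09, 0x0E, 0x0B, 0x0D),
    (0x0D, 0x09, 0x0E, 0x0B),
    (0x0B, 0x0D, 0x09, 0x0E),
)


def xtime(b: int) -> int:
    """Multiply a byte by x (= '02') in GF(2^8): shift, then reduce by m(x)."""
    b <<= 1
    return (b ^ M_X) if b & 0x100 else b


def mul_small(b: int, c: int) -> int:
    """Multiply b by a constant c <= '0f' by decomposing c into powers of x,
    e.g. '0b' . b = x^3 . b + x . b + b.  Enough for both matrices above."""
    result, power = 0, b  # power runs through b, x.b, x^2.b, x^3.b
    for k in range(4):
        if (c >> k) & 1:
            result ^= power
        power = xtime(power)
    return result


def mix_column_poly(col: Sequence[int]) -> List[int]:
    """d(x) = b(x) . f(x) mod (x^4 + 1): first the seven coefficients h_0..h_6
    of the raw product, then fold them using x^i mod (x^4 + 1) = x^(i mod 4)."""
    h = [0] * 7
    for i, b_i in enumerate(col):       # b(x) = b_3 x^3 + ... + b_0
        for j, f_j in enumerate(F_X):   # f(x) coefficients
            h[i + j] ^= mul_small(b_i, f_j)
    d = [0] * 4
    for i, h_i in enumerate(h):
        d[i % 4] ^= h_i
    return d


def apply_matrix(matrix, col: Sequence[int]) -> List[int]:
    """Matrix-vector product over GF(2^8) (Figure 2.2 or Figure 2.4)."""
    out = []
    for row in matrix:
        acc = 0
        for coef, b in zip(row, col):
            acc ^= mul_small(b, coef)
        out.append(acc)
    return out


def mix_column(col: Sequence[int]) -> List[int]:
    return apply_matrix(MIX_MATRIX, col)


def inv_mix_column(col: Sequence[int]) -> List[int]:
    return apply_matrix(INV_MIX_MATRIX, col)


def mix_columns(state: Sequence[Sequence[int]]) -> List[List[int]]:
    """MixColumns on a 4x4 state given as four columns of four bytes each."""
    return [mix_column(col) for col in state]


# Constructed check column and its MixColumn image (verified by hand).
CHECK_IN = [0xDB, 0x13, 0x53, 0x45]
CHECK_OUT = [0x8E, 0x4D, 0xA1, 0xBC]

if __name__ == "__main__":
    assert mix_column_poly(CHECK_IN) == mix_column(CHECK_IN) == CHECK_OUT
    assert inv_mix_column(CHECK_OUT) == CHECK_IN
    print("MixColumn", [hex(b) for b in CHECK_IN], "->", [hex(b) for b in CHECK_OUT])
```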
2.4 Expansion of the Cipher Key
The AES algorithm takes the Cipher Key, K, and generates Round Keys from the
Cipher Key, performing a Key Expansion routine. Let us denote the number of rounds
of the AES algorithm by Nr, the number of columns in the Cipher Key by Nk, and
the index of each column in the Cipher Key by
Cl0, Cl1, . . . , ClNk−1.
Then the total number of columns for all the round keys, which is required for the
whole round encryption, is
4 × (Nr + 1),
considering that the number of columns in a data block is four, and that there is an
initial round key addition routine before the first round. Now, if we index, in order,
all the columns in the round keys by
Rl0, Rl1, Rl2, . . . , Rln, . . . , Rl4(Nr+1)−1,
then the columns are generated in the following manner:
• if Nk = 4 or 6 (AES-128 or AES-192), then
Rl_0 = Cl_0, Rl_1 = Cl_1, . . . , Rl_{Nk−1} = Cl_{Nk−1}
Rl_n = Rl_{n−Nk} ⊕ SubBytes(RotBytes(Rl_{n−1})) ⊕ Rcon[n/Nk]   if n mod Nk = 0
Rl_n = Rl_{n−Nk} ⊕ Rl_{n−1}   otherwise
• if Nk = 8 (AES-256), then
Rl_0 = Cl_0, Rl_1 = Cl_1, . . . , Rl_{Nk−1} = Cl_{Nk−1}
Rl_n = Rl_{n−Nk} ⊕ SubBytes(RotBytes(Rl_{n−1})) ⊕ Rcon[n/Nk]   if n mod Nk = 0
Rl_n = Rl_{n−Nk} ⊕ SubBytes(Rl_{n−1}) ⊕ Rcon[n/Nk]   else if n mod Nk = 4
Rl_n = Rl_{n−Nk} ⊕ Rl_{n−1}   otherwise
Here, we note that SubBytes is the byte substitution by the S-box, and that RotBytes
is the rotation of bytes by
RotBytes(b0, b1, b2, b3) −→ (b1, b2, b3, b0).
The round constants are defined by
Rcon[i] = (x^{i−1}, 0x00, 0x00, 0x00)
with x^{i−1} being the (i−1)th power of x (= ‘02′) in GF(2^8).
The following shows the round constants obtained from the above concept:
Rcon[1] = (0x01, 0x00, 0x00, 0x00),
Rcon[2] = (0x02, 0x00, 0x00, 0x00),
Rcon[3] = (0x04, 0x00, 0x00, 0x00),
Rcon[4] = (0x08, 0x00, 0x00, 0x00),
Rcon[5] = (0x10, 0x00, 0x00, 0x00),
Rcon[6] = (0x20, 0x00, 0x00, 0x00),
Rcon[7] = (0x40, 0x00, 0x00, 0x00),
Rcon[8] = (0x80, 0x00, 0x00, 0x00),
Rcon[9] = (0x1b, 0x00, 0x00, 0x00),
Rcon[10] = (0x36, 0x00, 0x00, 0x00).
Rcon[1] to Rcon[7] are used for AES-256, Rcon[1] to Rcon[8] for AES-192, and Rcon[1] to Rcon[10] for AES-128.
Finally, the columns generated by the above key expansion routine are allocated to
each round key by four columns, as shown below:
RK_i = Rl_{4×i} to Rl_{4×i+3}
The following shows an example of the round key allocation in the case of AES-128
(Nk = 4).
RK0 = (Rl0, Rl1, Rl2, Rl3),
RK1 = (Rl4, Rl5, Rl6, Rl7),
RK2 = (Rl8, Rl9, Rl10, Rl11),
RK3 = (Rl12, Rl13, Rl14, Rl15),
RK4 = (Rl16, Rl17, Rl18, Rl19),
RK5 = (Rl20, Rl21, Rl22, Rl23),
RK6 = (Rl24, Rl25, Rl26, Rl27),
RK7 = (Rl28, Rl29, Rl30, Rl31),
RK8 = (Rl32, Rl33, Rl34, Rl35),
RK9 = (Rl36, Rl37, Rl38, Rl39),
RK10 = (Rl40, Rl41, Rl42, Rl43).
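As an added example (my own code; the thesis gives no implementation), the following Python carries out the Key Expansion routine above for Nk = 4, 6 and 8 and allocates the resulting columns Rl_n to round keys RK_i; the S-box of Table 2.1 is embedded as data and the round constants are generated as successive powers of x. Note that in the n mod Nk = 4 step of AES-256, FIPS PUB 197 [63] applies SubBytes only, with no round constant; the code follows the Standard, and the FIPS-197 example keys used as check values depend on that.

```python
# Added example: Key Expansion (Section 2.4) for AES-128/192/256 and the
# allocation of the expanded columns Rl_n into round keys RK_i.
from typing import List, Tuple

Word = Tuple[int, int, int, int]  # one column: four bytes

# S-box of Table 2.1, row by row (row = high nibble, column = low nibble).
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)


def xtime(b: int) -> int:
    """Multiply by x (= '02') in GF(2^8), reducing modulo m(x) = 0x11B."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def rcon(i: int) -> Word:
    """Rcon[i] = (x^(i-1), 00, 00, 00), e.g. Rcon[9] = (1b, 00, 00, 00)."""
    v = 0x01
    for _ in range(i - 1):
        v = xtime(v)
    return (v, 0, 0, 0)


def rot_bytes(w: Word) -> Word:
    """RotBytes(b0, b1, b2, b3) -> (b1, b2, b3, b0)."""
    return (w[1], w[2], w[3], w[0])


def sub_bytes_word(w: Word) -> Word:
    return tuple(SBOX[b] for b in w)


def xor_words(a: Word, b: Word) -> Word:
    return tuple(x ^ y for x, y in zip(a, b))


def key_expansion(cipher_key: bytes) -> List[Word]:
    """Return the 4(Nr+1) columns Rl_0 .. Rl_{4(Nr+1)-1} from the Cipher Key."""
    nk = len(cipher_key) // 4
    if len(cipher_key) % 4 or nk not in (4, 6, 8):
        raise ValueError("Cipher Key must be 128, 192 or 256 bits")
    nr = nk + 6  # 10, 12 or 14 rounds
    # Rl_0 .. Rl_{Nk-1} are the Cipher Key columns Cl_0 .. Cl_{Nk-1}.
    rl: List[Word] = [tuple(cipher_key[4 * i: 4 * i + 4]) for i in range(nk)]
    for n in range(nk, 4 * (nr + 1)):
        temp = rl[n - 1]
        if n % nk == 0:
            temp = xor_words(sub_bytes_word(rot_bytes(temp)), rcon(n // nk))
        elif nk == 8 and n % nk == 4:
            # AES-256 only: SubBytes alone; the Standard adds no Rcon here.
            temp = sub_bytes_word(temp)
        rl.append(xor_words(rl[n - nk], temp))
    return rl


def round_keys(rl: List[Word]) -> List[List[Word]]:
    """RK_i = (Rl_{4i}, Rl_{4i+1}, Rl_{4i+2}, Rl_{4i+3})."""
    return [rl[4 * i: 4 * i + 4] for i in range(len(rl) // 4)]


# Check keys: the AES-128 and AES-256 Cipher Keys of the FIPS-197 examples.
KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_256 = bytes.fromhex("603deb1015ca71be2b73aef0857d7781"
                        "1f352c073b6108d72d9810a30914dff4")

if __name__ == "__main__":
    rks = round_keys(key_expansion(KEY_128))
    print(len(rks), "round keys; RK1 =", [bytes(w).hex() for w in rks[1]])
```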
2.5 Inverse cipher
Unlike most Feistel structure block ciphers, the AES algorithm, which is a typical SPN
structure block cipher, requires a separate inverse cipher for decryption. Decryption is the reverse order
of the encryption, and the inverse of each function is used in the decryption cipher.
The InvSubBytes transformation, InvShiftRows transformation and InvMixColumns
transformation in the decryption cipher correspond to the SubBytes transformation,
ShiftRows transformation and MixColumns transformation respectively.
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0  52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
 1  7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
 2  54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
 3  08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
 4  72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
 5  6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
 6  90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
 7  d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
 8  3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
 9  96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
 a  47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
 b  fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
 c  1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
 d  60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
 e  a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
 f  17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
e.g. input value 0x4d (row 4, column d) → output value 0x65
Table 2.2: S-box$^{-1}$ of the AES algorithm (the row is the high nibble and the column the low nibble of the input byte)
input state               output state (row r rotated to the right by r bytes)
b00 b01 b02 b03           b00 b01 b02 b03
b10 b11 b12 b13    →      b13 b10 b11 b12
b20 b21 b22 b23           b22 b23 b20 b21
b30 b31 b32 b33           b31 b32 b33 b30
Figure 2.3: Illustration of the InvShiftRows transformation
Table 2.2 is the substitution table (S-box$^{-1}$) used in the InvSubBytes transformation, and Figure 2.3 and Figure 2.4 represent the functions of the InvShiftRows transformation and InvMixColumns transformation respectively.
$$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} =
\begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$
Figure 2.4: Mixing of four bytes in the InvMixColumns transformation (the matrix entries are hexadecimal elements of GF($2^8$))
Chapter 3
Cryptologic Properties of the AES Algorithm
In this chapter, we review a large body of previous research studies relating to the
cryptologic properties of the AES algorithm, which have been performed since Rijndael
was proposed for the process of the AES selection. In this review, those research
studies are classified into four fields according to the following research areas: immunity
against DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), distinctive
output properties of the structure, cryptologic properties of the key schedule, and
algebraic properties of the algorithm. We note that since the purpose of this chapter
is to review the cryptologic properties of the AES algorithm, we shall concentrate
on the cryptologic properties themselves rather than cryptanalytic methods using the
properties. We first discuss the cryptologic immunity of the AES algorithm against
two conventional cryptanalytic methods, DC and LC.
3.1 Immunity against DC and LC
DC [19, 20, 21] and LC [50, 51] have been regarded as the most powerful cryptanalytic methods against block ciphers since these methods theoretically succeeded in attacking DES (Data Encryption Standard) [59]. For this reason, it has been considered essential in the design of block ciphers to prove their resistance to these cryptanalytic methods. In the case of the AES algorithm, several research studies have proved that it is strong enough against DC and LC. These studies have shown that the AES algorithm provides sufficiently low differential and linear probabilities, each of which has been considered a reliable measure of the strength of block ciphers against DC and LC. For future reference, we first define some basic concepts.
Definition 3.1 (DP and LP [73, 74]) For any S-box S with m-bit inputs and outputs, the Differential Probability $DP^S(\delta x, \delta y)$ and the Linear Probability $LP^S(\Gamma\delta x, \Gamma\delta y)$ are defined by
$$DP^S(\delta x, \delta y) = \frac{|\{x \in GF(2^m) \mid S(x) \oplus S(x \oplus \delta x) = \delta y\}|}{2^m}$$
and
$$LP^S(\Gamma\delta x, \Gamma\delta y) = \left( \frac{|\{x \in GF(2^m) \mid \Gamma\delta x \cdot x = \Gamma\delta y \cdot S(x)\}|}{2^{m-1}} - 1 \right)^2$$
respectively. Here δx, δy, Γδx, and Γδy denote an input difference, an output difference, an input mask value, and an output mask value respectively. x · y denotes the parity (0 or 1) of the bitwise product of x and y.
Definition 3.2 (MDP and MLP [73, 74]) Under Definition 3.1, the Maximal Differential Probability p and the Maximal Linear Probability q are defined by
$$p = \max_{\delta x \neq 0,\ \delta y} DP^S(\delta x, \delta y)$$
and
$$q = \max_{\Gamma\delta x,\ \Gamma\delta y \neq 0} LP^S(\Gamma\delta x, \Gamma\delta y).$$
Definition 3.3 (Branch number) Let F be a linear function, and Ω(X) be the number of non-zero bytes in a byte vector X. Then the branch number $B_n$ of the function F is defined by
$$B_n = \min_{X \neq 0} [\Omega(X) + \Omega(F(X))].$$
The strength of the AES algorithm against DC and LC has already been computed by the designers in the AES proposal [28]. From the fact that the branch number of MixColumns, used in the linear transformation, is 5, the designers have shown that the number of differentially active S-boxes over any four rounds is at least 25. Based on this observation, they have proven that the probability P of any four-round differential characteristic of the AES algorithm is bounded by
$$P \le p^{25} = (2^{-6})^{25} = 2^{-150}$$ (p is the MDP of the S-box).
This means that no differential characteristic with a probability greater than $2^{-150}$ exists for a DC attack on the four-round AES algorithm [28]. In terms of LC, the designers have also shown that there is no four-round linear trail with a correlation above $2^{-75}$ [28].
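To make Definitions 3.1 to 3.3 concrete, we add the following Python script, which is not part of the thesis or of the AES proposal [28]: it rebuilds the S-box from its definition (multiplicative inverse in GF($2^8$) followed by the affine map), computes p and q of Definition 3.2 exhaustively (the linear counts for all input masks at once through a Walsh-Hadamard transform), and computes the branch number of MixColumns by Definition 3.3 with the matrices of Figures 2.2 and 2.4. The function names and the search shortcut used for the branch number (explained in its docstring) are this example's own, and the column (db, 13, 53, 45) used in the check is a constructed input.

```python
# Added example (not from the thesis or from [28]): Definitions 3.1-3.3 evaluated on
# the real AES components. The S-box is rebuilt from its definition (inverse in
# GF(2^8), then the affine map) rather than copied from a table.
import math


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return p


def gf_inv(a):
    """a^254, i.e. a^-1 for a != 0 and 0 for a = 0, by square-and-multiply."""
    r, t = 1, a
    for i in range(8):
        if i:
            r = gf_mul(r, t)
        t = gf_mul(t, t)
    return r


def affine(b):
    """The affine map of the S-box: b + b<<<1 + b<<<2 + b<<<3 + b<<<4 + 0x63 over GF(2)."""
    r = b
    for s in range(1, 5):
        r ^= ((b << s) | (b >> (8 - s))) & 0xff
    return r ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]


def max_differential_probability(sbox):
    """p of Definition 3.2: max over dx != 0 and dy of DP(dx, dy) of Definition 3.1."""
    best = 0
    for dx in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best / 256


def max_linear_probability(sbox):
    """q of Definition 3.2. For each output mask, a Walsh-Hadamard transform of
    x -> parity(mask_out & S(x)) yields for every input mask at once
    w = 2 * #{x : mask_in.x = mask_out.S(x)} - 256, so LP = (w / 256)^2."""
    parity = [bin(v).count("1") & 1 for v in range(256)]
    best = 0
    for mask_out in range(1, 256):
        w = [1 - 2 * parity[mask_out & sbox[x]] for x in range(256)]
        h = 1
        while h < 256:
            for i in range(0, 256, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in w))
    return (best / 256) ** 2


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]                  # Figure 2.2
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]  # Figure 2.4


def mat_vec(m, col):
    """One 4-byte column through a GF(2^8) matrix, i.e. (Inv)MixColumns on a column."""
    out = []
    for row in m:
        acc = 0
        for coef, byte in zip(row, col):
            acc ^= gf_mul(coef, byte)
        out.append(acc)
    return out


def weight(col):
    """Omega(X) of Definition 3.3: the number of non-zero bytes."""
    return sum(1 for b in col if b)


def branch_number(m, m_inv):
    """B_n of Definition 3.3 by exhaustive search. Omega does not change when X is
    multiplied by a non-zero scalar of GF(2^8), so weight-2 inputs are normalised to
    (1, c); and an input of weight >= 3 with an output of weight <= 2 is the same pair
    seen through the inverse map, so weight 1 and 2 inputs of F and of F^-1 cover every
    candidate sum below 6 (a weight-1 input already gives a sum of at most 5)."""
    best = 8
    for f in (m, m_inv):
        for i in range(4):
            col = [0] * 4
            col[i] = 1
            best = min(best, 1 + weight(mat_vec(f, col)))
            for j in range(i + 1, 4):
                for c in range(1, 256):
                    col = [0] * 4
                    col[i], col[j] = 1, c
                    best = min(best, 2 + weight(mat_vec(f, col)))
    return best


if __name__ == "__main__":
    p, q = max_differential_probability(SBOX), max_linear_probability(SBOX)
    print("S(0x53) = %02x, S^-1(0x4d) = %02x" % (SBOX[0x53], SBOX.index(0x4d)))
    print("MDP p = 2^%d, MLP q = 2^%d" % (math.log2(p), math.log2(q)))
    print("branch number of MixColumns = %d" % branch_number(MIX, INV_MIX))
    print("four-round bound p^25 = 2^%d" % (25 * math.log2(p)))
```

Run as a script, it reports p = q = $2^{-6}$ and a branch number of 5, which are exactly the inputs of the designers' bound $p^{25} = 2^{-150}$ above; the S-box line reproduces the example of Table 2.2 (input 0x4d of the inverse S-box gives 0x65).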
Also, on the basis of the fact that the strength of the block ciphers against DC
and LC depends on the maximal differential probability and the maximal linear hull
probability respectively [40, 41, 44, 45, 73] (the strength is inversely proportional to
the values of these probabilities), some other research studies have shown that the AES
algorithm is sufficiently secure against DC and LC.
In [52], although the authors have noted that a more accurate proof would be necessary, they have commented, on the basis of the following computation results, that in all probability six rounds of the AES algorithm are secure against DC.
Property 3.1 The maximal average differential probability of four rounds of the AES algorithm is upper bounded by $1.065 \times 2^{-128}$.
Property 3.2 The maximal average differential probability of five rounds of the AES algorithm is upper bounded by $1.0007 \times 2^{-128}$.
More recently, several research studies have presented improved methods for upper bounding the maximal differential probability and the maximal linear hull probability of SPN block ciphers, and have re-evaluated the strength of the AES algorithm with their methods. These studies have proven that the maximal differential probability and the maximal linear hull probability of the AES algorithm are bounded by the values below.
Property 3.3 [73] The maximal differential probability of four rounds of the AES algorithm is approximately bounded by $1.06 \times 2^{-96}$.
Property 3.4 [74] The maximal differential probability and the maximal linear hull probability of four rounds of the AES algorithm are approximately bounded by $1.144 \times 2^{-111}$ and $1.075 \times 2^{-106}$ respectively.
Summing up the research studies reviewed above, the AES algorithm can be said to be well designed against DC and LC. In fact, from the fact that the AES algorithm uses MixColumns, whose branch number is five, as its linear transformation, and that the number of active S-boxes over four rounds is at least 25, we can see that the AES algorithm was designed to offer enough immunity against DC and LC. This is because the maximal differential probability is closely related to the number of differentially active S-boxes, and the maximal linear hull probability depends strongly on the number of linearly active S-boxes: the greater the number of differentially active S-boxes, the lower the maximal differential probability becomes, and similarly, the greater the number of linearly active S-boxes, the lower the maximal linear hull probability becomes.
3.2 Distinctive output properties of the structure
While some research studies have shown that the AES algorithm provides enough
resistance against DC and LC, some others have observed that the AES structure yields
some distinctive output properties for a certain set of plaintexts, in a few rounds. In
this section, we review those distinctive output properties of the AES algorithm to
which cryptologists have paid attention. We first examine the third round balanced
property observed by the designers of the AES algorithm.
Third-round balanced property
As previously mentioned in Section 3.1, the branch number of MixColumn is five (if
one byte is changed for an input of the matrix formula in Figure 2.2, then all bytes are
changed in the output). This means that the change of one byte for an input block
of the MixColumns transformation leads to the change of one column (four bytes) in
the output block. Tracing the encryption procedures, and taking into consideration
the above property, the designers of the AES algorithm have observed the following
property.
Property 3.5 Any two plaintexts X and X’, which differ by only one byte in the same
byte position lead to second-round intermediate texts Y and Y’ which are different from
each other in all bytes. That is,
if X ≠ X′ in only one byte, then Y ≠ Y′ in all bytes.
Based on this property, tracing one more round, they have also observed that any set
of 256 chosen plaintexts (Λset) defined below leads to an interesting output property
after the third round (- they call this property the balanced property).
Definition 3.4 (Λset) For the AES algorithm, Λset is defined by a set of 256 plaintexts
which vary in only one byte (and are the same in the other bytes).
Property 3.6 (Third-round balanced property) For any Λset, the XOR of all the
third-round intermediate texts is ‘00’ in all bytes.
Figure 3.1 illustrates an example of Λset and the third-round balanced property caused
by the set (this property has been called an “integral property” in [49], because it is
caused by the summation of a certain set of output values).
[Figure 3.1: Illustration of the third-round balanced property. The Λset shown consists of 256 plaintexts that agree in 15 bytes (the rows 72 00 94, 11 6d 19, d3 5a 47, 68 11 b2 and the bytes 78, 2f, 7c of the remaining column) while the remaining byte runs through all 256 values (01, 02, 03, …, ff in the figure); the XOR of the corresponding third-round intermediate texts is 00 in every byte.]
Based on this property, the Square attack was introduced by the designers of the AES algorithm (Rijndael). This attack was originally applied to the block cipher Square [27], on which Rijndael is based. Since Rijndael inherited many basic functions from Square, it has the same balanced property as Square, and thus the attack is applicable to the AES algorithm as well. We summarise here how the balanced property has been applied to the cryptanalysis of the AES algorithm. The designers have used two Λsets for the attack on the AES algorithm reduced to four rounds. We first use Λset#1.
1. First, we assume one byte in the fourth-round key. Then, decrypt the corre-
sponding bytes in the 256 ciphertexts (we recall that the fourth round does not
have the MixColumns transformation because the fourth round is the last round
in this case).
2. If the assumption is correct, then the XOR of the corresponding bytes in the 256
third-round intermediate texts must be equal to ‘00′. If the XOR is equal to ‘00′,
then the assumed value is taken for the byte. If not, return to step 1 assuming
another value for the key byte.
3. If the above two steps are applied to all key bytes, all eligible components for the
fourth round key are obtained.
* Step 2 must be applied to the other set, Λset#2, to avoid the selection of wrong
keys, because wrong keys may satisfy the balanced property by chance with the
probability of 1/256 if only one Λset is considered.
The designers have extended this method up to six rounds, adding one round at the
beginning of the four rounds and one round at the end. Later, this method has been
developed to seven rounds using partial-sum techniques [58, 68]. Table 3.1 shows the
complexity of the Square attack against some reduced rounds of the AES algorithm.
Attack        Number of rounds   Chosen plaintexts     Time complexity
Square        4                  $2^{9}$               $2^{9}$
Square        5                  $2^{11}$              $2^{40}$
Square        6                  $2^{32}$              $2^{72}$
Partial sum   6                  $6 \times 2^{32}$     $2^{44}$
Partial sum   7                  $2^{128} - 2^{119}$   $2^{120}$
Table 3.1: Complexities of the Square attack against the AES algorithm
Fourth-round impossible differentials
While the designers of the AES algorithm have found, from Property 3.5, a third-round
distinguisher (balanced property), which Λset leads to with probability 1, E. Biham and
N. Keller have found, in [22], a fourth-round distinguisher, which a pair of plaintexts
referred to in Property 3.5 leads to with probability 0. That is, E. Biham and N. Keller
have observed impossible differentials [17, 18] of the four rounds of the AES algorithm
(differentials that never appear in the four rounds). Let us consider a pair of plaintexts
which differ by only one byte. Then, we imagine the corresponding intermediate texts
after the fourth-round ShiftRows transformation as described below:
itext a:   b#0  b#4  b#8   b#12          itext b:   b′#0  b′#4  b′#8   b′#12
           b#1  b#5  b#9   b#13                     b′#1  b′#5  b′#9   b′#13
           b#2  b#6  b#10  b#14                     b′#2  b′#6  b′#10  b′#14
           b#3  b#7  b#11  b#15                     b′#3  b′#7  b′#11  b′#15
Now, let us suppose that the combination (b#0, b#7, b#10, b#13) in itext a is equal to the combination (b′#0, b′#7, b′#10, b′#13) in itext b. Then, after the third-round MixColumns transformation the data is equal in the first column, and thus after the second-round MixColumns transformation the data is equal in (byte#0, byte#5, byte#10, byte#15). This is a contradiction because the pair of plaintexts being considered differ from each other in only one byte, and such a plaintext pair must lead to second-round intermediate texts which differ from each other in all bytes. Taking this contradiction into account, we can deduce that if a pair of plaintexts differ by only one byte, then the intermediate texts after the fourth-round ShiftRows transformation cannot be equal in (0,7,10,13). If we consider the other bytes, then we see the following property.
Property 3.7 (Impossible differentials) If a pair of plaintexts differ by only one
byte, then the intermediate texts after the fourth-round ShiftRows transformation can-
not be equal in any of the following combinations of bytes:
(0,7,10,13), (1,4,11,14), (2,5,8,15) or (3,6,9,12),
when the byte positions of the text block are described by
byte#0 byte#4 byte#8 byte#12
byte#1 byte#5 byte#9 byte#13
byte#2 byte#6 byte#10 byte#14
byte#3 byte#7 byte#11 byte#15.
Based on this property, E. Biham and N. Keller have proposed an impossible differential cryptanalysis (IDC) to attack five rounds of the AES algorithm [22]. The main idea of this attack is to eliminate wrong first-round keys: a guessed first-round key under which some plaintext pair would produce the impossible differential in the last four rounds cannot be the right one. This method requires $2^{29.5}$ chosen plaintexts and $2^{31}$ time complexity for the attack on five rounds of the AES algorithm. Later, this attack has been extended to six rounds [26], assuming not only the first-round key but also the last-round key, although this extension requires a much higher complexity. Table 3.2 shows the complexities of the impossible differential cryptanalysis against the AES algorithm.
Number of rounds   Chosen plaintexts   Time complexity
5                  $2^{29.5}$          $2^{31}$
6                  $2^{91.5}$          $2^{122}$
Table 3.2: Complexities of the IDC against the AES algorithm
Fourth-round collision distinguisher
In [25], H. Gilbert and M. Minier have constructed an efficient fourth-round distinguisher of the AES algorithm, by exploiting the existence of collisions between some partial functions induced by the cipher. They have first observed that the AES algorithm has a partial third-round collision property in which several bytes are involved. Then, from the relationship between the third round and the fourth round, they have found the fourth-round distinguisher. Before discussing the fourth-round collision distinguisher in more detail, we define the concept of collision for future reference as outlined below.
Definition 3.5 (Collision) For any given function h and messages M and M ′, if
h(M) = h(M′) when M ≠ M′,
then we say that h(M) and h(M ′) collide.
Next, we discuss the third-round collision property followed by the fourth-round dis-
tinguisher of the AES algorithm. Let us consider a set of the first-round input blocks
(after the initial round key addition) of the AES algorithm, which vary in the first
column (the other bytes are all the same), as shown in Figure 3.2.
[Figure 3.2: Fourth-round collision distinguisher of the AES algorithm. Two first-round input blocks (after the initial round key addition) share the byte y and differ in the triplet c = (c0, c1, c2) resp. c′ = (c′0, c′1, c′2) of the first column, the other bytes being equal; s resp. s′ is the byte of the third-round intermediate text that is compared for a collision, and t0, t1, t2, t3 resp. t′0, t′1, t′2, t′3 are the four bytes of the fourth-round intermediate text from which the collision is tested.]
Then, $2^{24}$ triplets c = (c0, c1, c2) can be considered for each value of y. Considering two arbitrary triplets c and c′, H. Gilbert and M. Minier have constructed the concept of a partial third-round collision of the AES algorithm. Specifically,
• they have observed that for any y ∈ {0, …, 255} in a plaintext, s (s′) is entirely determined by a surprisingly small number of unknown bytes, which either depend only on the key or depend on both the key and the value of c (c′);
• then, based on the above observation, they have found the following third-round collision property, taking into account the well-known birthday paradox [15, 38].
Property 3.8 [25] In a given set C of about $2^{16}$ c triplets (the number of all possible triplets is actually $2^{24}$), there exist, with non-negligible probability, c and c′ (c ≠ c′) which lead to
s = s′ for all y ∈ {0, …, 255}.
Now, let us consider the relationship between the third round and the fourth round of the AES algorithm: if we invert the matrix formula described in Figure 2.2 (that is, apply the InvMixColumns matrix of Figure 2.4), we see that
$$s = S^{-1}(0e \cdot t_0 + 0b \cdot t_1 + 0d \cdot t_2 + 09 \cdot t_3) + k^{4}_{\#0},$$
where $S^{-1}$ and $k^{4}_{\#0}$ denote the inverse S-box and the first byte of the fourth-round key respectively. In other words, we see that
$$0e \cdot t_0 + 0b \cdot t_1 + 0d \cdot t_2 + 09 \cdot t_3$$
is a one-to-one function of s. If we put this concept and the third-round collision property together, we find the following property to test the third-round collision with $t_0, t_1, t_2, t_3$ in the fourth-round intermediate texts.
Property 3.9 [25] c and c′ collide if and only if for all y ∈ {0, …, 255},
$$0e \cdot t_0 + 0b \cdot t_1 + 0d \cdot t_2 + 09 \cdot t_3 = 0e \cdot t'_0 + 0b \cdot t'_1 + 0d \cdot t'_2 + 09 \cdot t'_3.$$
This property means that the third-round collision can be tested with the fourth-round intermediate texts corresponding to c and c′ for any y. So, H. Gilbert and M. Minier regard this property as a fourth-round distinguisher. They have noted, based on their experiments, that it is sufficient to check the equality in Property 3.9 on 16 values of y in order to test the collision between c and c′. Therefore, testing the fourth-round distinguisher requires $2^{20}$ plaintexts ($2^{16}$ values of the c triplet × $2^4$ values of y).
Based on the above observations, they have suggested a collision attack against the seven-round AES algorithm, which has the initial round and one additional round before the four-round structure of Figure 3.2, and one additional round and the final round behind it; in this case, the distinguisher is considered to be between the second round and the fifth round. Their method is basically an exhaustive search of some key bytes of the initial round and the two final rounds, in order to check the distinguisher. They have noted that this attack requires $2^{32}$ chosen plaintexts, and is faster than exhaustive key search on seven rounds of AES-192 and AES-256 (complexity: $2^{140}$) and marginally faster on seven rounds of AES-128.
3.3 Cryptologic properties of the key schedule
The designers of the AES algorithm have stated [28] that the key schedule of the AES
algorithm was designed to provide resistance against cryptanalytic methods using the
weakness of the key schedule, such as related key attacks [23, 32, 33]. They have
mentioned that, from the security point of view, the following design criteria have been
applied to the key expansion:
C1. to put the diffusion of Cipher Key differences into the Round Keys,
C2. to guarantee enough non-linearity to prohibit the full determination of Round
Key differences from Cipher Key differences,
C3. to use an invertible transformation, that is, knowledge of any Nk (the number of columns of the Cipher Key) consecutive columns of the expanded key allows one to regenerate all the Round Keys,
C4. not to allow calculation of many other Round Key bits from knowledge of a part
of the Cipher Key or Round Key bits,
C5. to eliminate symmetry of the inner rounds.
Definition 3.6 [28] If a certain cipher treats all bytes of a state in very much the
same way in the round transformation, then it is said to have symmetry in the round
transformation.
Definition 3.7 [28] If the round transformation is the same for all rounds in a certain
cipher, then it is said to have symmetry between the rounds.
They have also mentioned that the high diffusion and non-linearity of the AES key
schedule makes it very improbable for the AES algorithm to be attacked by these
types of attacks.
However, some of the research studies that have carefully evaluated the security of the AES key schedule claim that although no serious weaknesses have been found, the AES key schedule does not live up to the designers' expectations. Although it is not closely related to a weakness of the AES key schedule, E. Biham and N. Keller have shown, in [22], that if the key schedule of the AES algorithm were reversed, the complexity of the Square attack would be reduced by a factor of $2^8$. G. Carter, E. Dawson and L. Nielsen have confirmed [24] that in the AES key schedule all the Round Keys (and the Cipher Key) can be regenerated from any Nk consecutive columns of the expanded key, as the designers of the AES algorithm have stated in the design criteria of the key schedule. As well as these observations, S. Lucks has examined the AES key expansion procedure in reverse order, and has noted the following two properties of the AES key schedule [68].
Property 3.10 If all four columns in the seventh-round key of AES-256 are known,
then three columns (Columns 1, 2, and 3) in the fifth-round key can be generated.
Property 3.11 If all four columns in the seventh-round key of AES-192 are known,
then two columns (Columns 0 and 1) in the sixth-round key and one column (Column
3) in the fifth-round key can be generated.
Based on these observations, he has presented, in the same paper, a modified Square attack that reduces the number of key assumptions for the cryptanalysis of seven rounds of AES-192 and AES-256. He has recomputed the complexity of the Square attack, and has shown with his calculation that the Square attack requires $2^{80}$ basic operations to attack six rounds of the AES algorithm. If all possible seventh-round keys are additionally assumed, then the seven-round attack requires $2^{208}$ basic operations. (Note: in his calculation, one basic operation means five byte-wise XORs, five applications of the inverse S-box and one application of MixColumns.) However, using the above properties of the key schedule, he reduced the amount of computation (the number of key assumptions) for AES-192 and AES-256 by factors of $2^{24}$ and $2^8$ respectively. As a consequence, he has noted that attacking seven rounds of AES-192 and AES-256 requires $2^{184}$ and $2^{200}$ basic operations respectively, with $2^{32}$ chosen plaintexts.
More importantly, N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting have noted in [58] that the key schedule of the AES algorithm does not achieve its stated design criteria. In other words, they have claimed that the key schedule of the AES algorithm has several unexpected properties that seem to violate the published design criteria. First, they have pointed out, with an example of the key expansion of AES-256, that the AES key schedule does not achieve Criterion 4 described above, based on the following observations. Let us look at Figure 3.3, taking into account the key expansion routine described in Section 2.4.
1. If the values of the seven bytes indicated by ♠ (the byte at (row #i=3, column #7) of each expanded block) are known (or assumed), then the values of the 21 bytes indicated by @ are known as well (the value of i is variable, although the case i=3 is considered here), because
$Rl_n = Rl_{n-Nk} \oplus Rl_{n-1}$,
where the number of columns in the Cipher Key, and the index of each column of the expanded key, are denoted by Nk = 8 and $Rl_n$ respectively. In other words, if the seven bytes at (row #i=3, column #7) of each expanded block are known, then we learn 28 (7+21) bytes of the expanded key.
2. Now, let us assume that the values of the eight bytes indicated by ♣ are additionally known (the eight bytes of row #(i−1 mod 4) in the first expanded block, which is actually the Cipher Key). Then, if we consider
$Rl_n = Rl_{n-Nk} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1})) \oplus Rcon[n/Nk]$,
we additionally learn the 52 bytes indicated by % in row #(i−1 mod 4) of the other expanded blocks (RotBytes moves row #i of $Rl_{n-1}$ to row #(i−1 mod 4) before the substitution, and the round constant is public). That is, we learn 60 (8+52) bytes of the expanded key from the eight additionally known bytes.
3. Summing up, we see that if 15 (7+8) bytes of the round keys are known, then 88 bytes are revealed in all.
4. If this idea is extended further, that is, if 16 more bytes in row #(i−2 mod 4) and row #(i−3 mod 4) of the first expanded block are known in step 2, then we see that 120 bytes are additionally revealed.
5. All in all, if 31 (7+8+8+8) bytes are known in the round keys, then 208 (28+60+60+60) bytes are found.
They have also remarked, with the observation below, that the AES key schedule does
not provide a high level of diffusion, contrary to the designers’ statement that “the key
schedule of Rijndael, with its high diffusion and non-linearity, makes it very improbable
that related-key attacks can be successful for Rijndael” [28].
[Figure 3.3: Correlations between the bytes of the expanded key of AES-256, drawn as expanded blocks of eight columns (RK0 RK1, RK2 RK3, …, RK12 RK13, and RK14 followed by the bytes that are not used). ♠ marks the seven bytes at (row #3, column #7) of each block, ♣ the eight bytes of row #2 of the first block (the Cipher Key), @ the 21 bytes determined by the ♠ bytes, and % the 52 bytes determined by the ♣ bytes.]
Property 3.12 [58] The AES key schedule takes many cycles before a low-weight difference starts to affect a significant number of other bytes.
For example, these authors have observed that "if the key schedule runs backwards, then each byte affects two other bytes that are (almost) a full cycle further back" [58]. Based on this observation, they have claimed that an attack on the AES algorithm using a kind of related-key attack is more probable than the designers expected. Indeed, they have presented a related-key attack applicable to nine rounds of AES-256 (AES-256 originally consists of 14 rounds), although this attack is basically a variant of the Square attack. This attack requires $2^{77}$ chosen plaintexts under 256 related keys (total: $2^{85}$ plaintexts) and has a time complexity of $2^{224}$.
Throughout this section, we have reviewed some research studies relating to the key schedule of the AES algorithm. We observe that not many research studies have been performed on the key schedule of the AES algorithm, and that no critical weakness of the key schedule has been found so far. In addition, most of the detected properties have been used to reduce the complexities of previously known cryptanalytic methods. For this reason, we could say that although the AES key schedule has minor weaknesses from the cryptologic point of view, it does not have critical problems.
3.4 Algebraic properties of the algorithm
Despite the novelty of the AES algorithm, the simple algebraic structure of this cipher
has led to some concerns about its security. In particular, some commentators have
pointed out that the AES algorithm could be vulnerable to what is known as alge-
braic attacks [57], which recover the Cipher Key from formulating algebraic equations
between plaintexts and ciphertexts. In this section, we discuss the research studies
that have observed the algebraic properties of the AES algorithm. We first review two
papers whose findings are contrary to each other on the security of the elementary
structure of the AES algorithm.
Simplicity of the linear layer
As previously mentioned, some research studies have concentrated on examining the
simplicity of the AES algorithm. Among these research studies, S. Murphy and M.
Robshaw have found that the linear layer of the AES algorithm has short periods
[69, 70]. They first found that the affine transformation, which is one of the two
functions used for generating the S-box (non-linear layer), can be separated from the
non-linear layer and moved into the linear layer, as illustrated in Figure 3.4. In this
modified structure, they have found that the maximal period of the modified linear
layer is 16, with the following observations:
1. Since the entirety of the modified linear layer is a GF(2)-linear map, its action can be represented by a 128 × 128 binary matrix, M.
2. In this case, the characteristic polynomial $c(x) = \det(M + xI)$ and the minimal polynomial $m(x)$ (the polynomial of smallest degree such that $m(M) = 0$) of M are
$$c(x) = (x + 1)^{128} = x^{128} + 1 \quad \text{and} \quad m(x) = (x + 1)^{15}.$$
3. Since $m(M) = 0$ and $x^{16} + 1 = (x + 1)^{16} = (x + 1) \cdot m(x)$,
$$M^{16} = I.$$
4. As a consequence, 16 iterations of the modified linear transformation (M) give
the identity mapping, which means that any 128-bit input of this transformation
is mapped to itself after 16 repeated applications.
[Figure 3.4: Re-grouping of the functions in the elementary structure.
Functions in the elementary structure: non-linear layer = SubBytes transformation (S-box), i.e. the multiplicative inverse in GF($2^8$) followed by the affine transformation over GF(2)$^8$; linear layer = ShiftRows transformation, MixColumns transformation.
Re-grouping of the functions: non-linear layer = multiplicative inverse in GF($2^8$); linear layer = affine transformation over GF(2)$^8$, ShiftRows transformation, MixColumns transformation.]
Also, from further observations on the matrix M of the modified linear layer, they
have found that there are inputs of the modified layer which are fixed over a very small
number of iterations of the linear transformation:
• $2^{16}$ inputs are fixed over one modified linear layer.
• $2^{30}$ inputs are fixed over two iterations of the modified linear layer.
• $2^{58}$ inputs are fixed over four iterations of the modified linear layer.
• $2^{96}$ inputs are fixed over eight iterations of the modified linear layer.
Based on this observation, they have remarked that the linear diffusion layer of the AES
algorithm may not be so effective at mixing data, and that there may be considerable
inner structure within the diffusion layer. At this stage, to make the concept of “mixing
data” clear, we briefly define the effect of mixing data, which Murphy and Robshaw
considered, although they have used the concept of “mixing data” without definition.
We note that the following definitions are also valid in other chapters of this thesis.
Definition 3.8 (Period) In a set K consisting of n elements, if an input $I \in K$ of
a function F is mapped to itself after p iterations of F, then the period of F is p for I.
Definition 3.9 (Effect of mixing data) In a set K consisting of n elements, if the
period of F is p for a certain input I, then the effect of mixing data of F, for I, is
defined by $e = p/n$.
They have also mentioned that “someone may find a more novel way to combine the
rich structure in the diffusion layer of Rijndael with the highly structured inverse
map”. However, despite the novelty of these observations, the designers of the AES
algorithm counter-argued, with the following comments, that these observations do
not sufficiently examine the security of the AES algorithm [29]. They have pointed out
that
• these observations have been restricted to only the linear layer.
• these observations have not shown the substantial impact of the cyclic properties
on the cryptologic weakness of the AES algorithm.
While the designers have defended the AES algorithm, other research studies have
been undertaken that have made significant progress in exposing the algebraic weak-
nesses caused by the simple structure of the AES algorithm.
Simple algebraic representation
N. Ferguson, R. Schroeppel, and D. Whiting have observed [57] that there is a very
straightforward closed algebraic formula for the AES algorithm, and have remarked
that it is highly structured and much simpler than algebraic formulations of any other
block ciphers. Tracing the input-output relation of each basic function, they have
initially derived a fairly simple algebraic expression for a single round of the AES
algorithm, that is
$b^{(r+1)}_{i,j} = k^{(r)}_{i,j} + \sum_{e_r \in E,\ d_r \in D} w_{i,e_r,d_r} \left(b^{(r)}_{e_r,\,e_r+j}\right)^{2^{d_r}}$ (3.1)
where the variables are denoted by the following:
$b^{(r)}_{i,j}$: the byte on (row #i, column #j) in the input of round r.
$k^{(r)}_{i,j}$: the byte on (row #i, column #j) in the rth round key.
r: certain rounds.
w: certain constants.
E: the range 0, . . . , 3.
D: the range 0, 1, . . . , 7.
⋆ all coordinates are reduced modulo 4 so that, for example, $b^{(r)}_{8,4} = b^{(r)}_{0,0}$.
Then, applying the actual value r = 2 to (3.1), they have shown that any byte of the
third-round input block can be expressed by
$b^{(3)}_{i,j} = k^{(2)}_{i,j} + \sum_{e_2 \in E,\ d_2 \in D} w_{i,e_2,d_2} \left(b^{(2)}_{e_2,\,e_2+j}\right)^{2^{d_2}}$ (3.2)
$= k^{(2)}_{i,j} + \sum_{e_2 \in E,\ d_2 \in D} w_{i,e_2,d_2} \left( \left(k^{(1)}_{e_2,\,e_2+j}\right)^{2^{d_2}} + \sum_{e_1 \in E,\ d_1 \in D} w^{2^{d_2}}_{e_2,e_1,d_1} \left(b^{(1)}_{e_1,\,e_1+e_2+j}\right)^{2^{d_1+d_2}} \right).$ (3.3)
Also, using the fact that all subscripts and exponents are known and are independent of
the key or plaintext, they have simplified equation (3.3) to a somewhat casual notation
which clarifies the structure, taking into account that $b^{(1)}_{i,j} = p_{i,j} + k^{(0)}_{i,j}$ where $p_{i,j}$ is a
plaintext byte. As a consequence, they have derived equation (3.4) for two rounds of
the AES algorithm followed by equation (3.5) for five rounds:
$b^{(3)}_{i,j} = K + \sum_{e_2 \in E,\ d_2 \in D} \frac{C_2}{K^* + \sum_{e_1 \in E,\ d_1 \in D} \frac{C_1}{K^* + p_{**}}}$ (3.4)
$b^{(6)}_{i,j} = K + \sum \frac{C_5}{K^* + \sum \frac{C_4}{K^* + \sum \frac{C_3}{K^* + \sum \frac{C_2}{K^* + \sum \frac{C_1}{K^* + p_{**}}}}}}$ (3.5)
where K, $C_i$, and ∗ denote an expanded key byte, a known constant, and known ex-
ponents or subscripts respectively (although these values depend on the summation
variables that enclose the symbol). Following the same idea, they have also considered
another nearly identical algebraic formula, which expresses any byte in the fifth-round
intermediate text with the cipher text (not plaintext) and the expanded key. Consid-
ering that these two values must agree, the expanded key could be found if the two
equations were considered together. To break AES-128, which consists of ten rounds,
these kinds of pairs of equations could be applied to each byte in the fifth-round inter-
mediate text. The first equation would express each byte in the fifth-round intermediate
text as the function of the plaintext bytes (this equation covers rounds 1 to 5), and
the other equation would express the same byte as the function of the ciphertext bytes
(this equation covers rounds 6 to 10). Here, considering that each summation symbol
covers 32 ($2^5$) terms, a fully expanded version of equation (3.1) has $2^{25}$ terms (as there
are five summations in the equation) if the equation is described without summation
symbols. So, combining two equations would lead to an equation with $2^{26}$ unknowns.
They have remarked from a purely information-theoretical standpoint that this merged
equation may be computable if at least $2^{22}$ ($2^{26}/16$) known plaintext-ciphertext pairs are
given. However, they have not suggested a practical method to solve these kinds of
equations. They have left solving these kinds of equations as an open problem, expect-
ing that “there might very well exist techniques for handling this type of formula that
we are unaware of, or somebody might develop them in the next 20 years or so”.
They have finally commented that adding more rounds to the AES algorithm does not
help improve security much in solving these kinds of equations, because each extra
round adds a factor of $2^5$ to the size of the fully expanded equation. Indeed, consider-
ing that one summation symbol consists of 32 ($2^5$) terms in (3.1), we see the following
extension, as they have commented:
• the full ten rounds of AES-128 could be represented by an equation with $2^{50}$
terms (as ten rounds consist of ten summation symbols).
• the full 14 rounds of AES-256 could be represented by an equation with $2^{70}$ terms
(a seven-round equation has $2^{35}$ terms).
Overdefined system of quadratic equations
N. Courtois and J. Pieprzyk have observed in [55, 56] that the S-box of the AES
algorithm can be described by an overdefined system of algebraic equations, and have
presented XSL (eXtended Sparse Linearization) attack, which is a new method more
efficient in solving the overdefined system than previously known general methods.
They have first observed that the S-box can be described by a number of implicit
quadratic Boolean equations. Let the input bits and output bits of the S-box be
denoted by $x = (x_1, \ldots, x_{s=8})$ and $z = (z_1, \ldots, z_{s=8})$. Then, there exist equations of the
form $P(x_1, \ldots, x_{s=8}, z_1, \ldots, z_{s=8})$, where the algebraic degree d is equal to two (d = 2).
In principle, eight equations of the above form are (approximately) sufficient to fully
describe the S-box. However, they have observed that more quadratic equations of
this type can be constructed (this is the concept of “overdefined”, that is, r ≫ s (r is
the actual number of such equations in the above form)). They have first obtained 7
quadratic equations (8 if 0 is not considered for x) from the following steps:
• Let us consider the multiplicative-inverse function (non-linear function) used for
generating the S-box. Then, from the definition that
$\forall x \neq 0,\quad 1 = x \cdot y,$ (3.6)
we see that
$x \cdot y = (x_7 \cdot X^7 + \cdots + x_0) \cdot (y_7 \cdot X^7 + \cdots + y_0) = (0, 0, 0, 0, 0, 0, 0, 1)$
where the input of the function is denoted by $x = (x_7, \ldots, x_0)$ and the corre-
sponding output by $y = (y_7, \ldots, y_0)$.
• Given that the equation in connection with the least significant bit is true if, and
only if, $x \neq 0$, we see that there exist 7 equations that are true with probability
1 (8 if 0 is not considered for x).
• The above property remains even after the affine transformation, which is the
linear function used for generating the S-box.
Then, they have observed that
$\forall x \in GF(2^8),\quad x = x^2 \cdot y$ (3.7)
and that this equation gives 8 additional quadratic equations. Equation (3.7) is sym-
metric with respect to the exchange of x and y, so $y = y^2 \cdot x$, which provides another
8 additional quadratic equations. They have also noted that another 16 equations can
be obtained from the two equations below for the same reason:
$x^3 = x^4 \cdot y$ (3.8)
$y^3 = y^4 \cdot x.$ (3.9)
All in all they have observed that 39 quadratic equations (40 if 0 is not considered for
x) which are true with probability 1, can be obtained for the AES S-box, and that
these equations are all linearly independent.
Based on the above observations, deriving the following formulas, they have shown
that the whole round of AES-128 can be described as a system of 8000 quadratic
equations with 1600 variables, and that the whole round of the 256-bit Rijndael with
256-bit key provides 22400 quadratic equations with 4480 variables.
$m = 4 \times r \times N_b \times N_r + r(L_k - H_k)/s$
$n = 4 \times s \times (N_r - 1) \times N_b + L_k.$
where the variables are denoted by the following:
m: the number of quadratic equations for a full round.
n: the number of variables in the equations.
r: the number of quadratic equations obtained from the S-box.
s: the input-output size of the S-box (8 bits).
$N_b$: the number of columns (or words) for the input block.
$N_r$: the number of rounds.
$H_k$: the number of bits of the cipher key.
$L_k$: the number of true key variables (448 for AES-128, 1152 for AES-256).
They have noted that the problem of recovering the cipher key of the AES algorithm
is the same as solving the overdefined system of the quadratic equations, as those
kinds of overdefined systems of multivariate equations have already been used for the
cryptanalysis of some asymmetric cryptosystems [2, 37, 53, 54]. Indeed, they have
observed that the system for AES-128 can be solved with a complexity of $2^{330}$ by
the XL (eXtended Linearization) algorithm [53], which is prohibitively high. However,
presenting the XSL algorithm, they have also shown that the system for AES-128 can
be solved with a complexity of $2^{230}$, and that the AES-256 key can be broken with a
complexity of $2^{255}$. In addition, they have noted that if cubic equations are considered
with the AES S-box, the complexity is about $2^{203}$ in the best case. Finally, they have
concluded that the AES algorithm can be described as a system of overdefined and
sparse quadratic equations over GF (2), and that the security of the AES algorithm
does not grow exponentially with the number of rounds, according to their method of
solving the system of overdefined equations. Although there are some concerns about
the accuracy of this observation [13, 72, 76] (for example, the correctness of counting
the number of linearly independent equations), it seems certain that they have made
a great achievement in the design and cryptanalysis of block ciphers, as referred to in
[6] as well. The research study reviewed next shows that the complexity of the XSL
attack would drop even more in GF (28).
Single field description
The conflict between operations in the two fields, $GF(2^8)$ and $GF(2)$, is one of the
factors that leads to difficulty in the cryptanalysis of the AES algorithm. However,
simplifying the linear layer described in Figure 3.4 into a single matrix multiplication
M in $GF(2^8)$, S. Murphy and M. Robshaw have recently defined a block cipher, BES
(Big Encryption System) [71], which operates on data blocks of 128 bytes, in which all of
the operations are entirely described in $GF(2^8)$ only, and in which the AES algorithm can be
embedded:
$R(B, K) = M \cdot B^{(-1)} + K$
where R, B, and K denote the round function, a plaintext, and a round key respectively.
The inversion is the same as that used in the AES algorithm. That is, they have shown
that the AES algorithm can be described with simpler algebraic operations in a
single field, $GF(2^8)$. In addition, from observations of the BES algorithm, they have
found that the AES encryption can be described by an extremely sparse overdefined
multivariate quadratic system over $GF(2^8)$, and have noted that breaking the AES
algorithm is equivalent to solving this system. We outline the main frame of their
work below:
• They have first described a state vector A of the AES algorithm as a column
vector:
$A = \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} = (a_{00}, a_{10}, a_{20}, a_{30}, a_{01}, a_{11}, a_{21}, a_{31}, \ldots, a_{33})^T.$
• Then they have defined the BES algorithm, which has the following relationship
with the AES algorithm:
$AES(A, K) = \phi^{-1}(BES(\phi(A), \phi(K)))$
where A and K denote the plaintext and the cipher key respectively. Here, we
note that a state vector B of the BES algorithm is described by a column vector
$B = (b_{000}, \ldots, b_{007}, b_{100}, \ldots, b_{107}, \ldots, b_{330}, \ldots, b_{337})^T$
and the map $\phi$ is the vector conjugate map,
$\phi(a_{ij}) = (b_{ij0}, \ldots, b_{ij7}).$
• With the AES encryption embedded in the BES framework, they have found that
the AES algorithm can be expressed as a system of extremely sparse multivariate
quadratic equations. Specifically, they have observed that the encryption of the
AES algorithm can be described as an overdefined multivariate quadratic system
consisting of 5248 equations over $GF(2^8)$, and that 3840 of these are extremely
sparse quadratic equations and 1408 are linear equations. These equations consist
of 7808 terms, made from 2560 state variables and 1408 key variables.
Based on these observations, they have noted that if the XSL algorithm is applied
to the above system, then the complexity could be much lower (about $2^{100}$) than if the
XSL algorithm is directly applied to the $GF(2)$ system, which is the one that N.
Courtois and J. Pieprzyk have considered. They have also commented that “it is clear
that many aspects of the AES representation over $GF(2^8)$ remain to be investigated”.
Some other observations
As well as the significant observations on the AES algorithm referred to above, some
other research studies have also made considerable progress in examining the algebraic
properties of the AES algorithm.
Among them, J. Fuller and W. Millan have observed a linear redundancy of the
S-box [30, 31]. Specifically, they have noted that “all the output functions of the AES
S-box can be mapped to each other using affine transformations, and hence they are
all in the same affine equivalence class” [30]. They have shown that there exist a
non-singular matrix $D_{ij}$ and a binary constant $c_{ij}$ which lead to
$b_j(x) = b_i(D_{ij}x) \oplus c_{ij}$
where $b_i(x)$ and $b_j(x)$ denote two distinct outputs (bits) from the AES S-box ($b_1$ is
the least significant bit). The following is an example of the AES S-box equivalence
relationships that they have demonstrated:
$b_2(x) = b_1(D_{12}x)$
$b_3(x) = b_1(D_{13}x) \oplus 1$
$b_4(x) = b_1(D_{14}x) \oplus 1$
$b_5(x) = b_1(D_{15}x) \oplus 1$
$b_6(x) = b_1(D_{16}x)$
$b_7(x) = b_1(D_{17}x)$
$b_8(x) = b_1(D_{18}x) \oplus 1.$
Here, each of $D_{12}, \ldots, D_{18}$ represents an affine transformation using an 8 × 8 matrix over
$GF(2)$. For example,
$D_{12} = \begin{pmatrix} 1 & 0 & 1 & 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 0 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 1 & 1 & 0 & 1 \end{pmatrix}.$
Based on these observations, they have mentioned that this equivalence property may
lead to new attacks on the AES algorithm, although they have not suggested a practical
cryptanalytic method. In addition, they have suggested a non-redundant S-box to
replace the original S-box in the AES algorithm [31].
E. Barkan and E. Biham have shown that there exist dual ciphers for the AES
algorithm [16]. They have first defined the concept of dual ciphers by saying that if
two ciphers E and E′ are isomorphic, that is, if there exist invertible transformations
f(·), g(·), and h(·) such that
$\forall P, K:\quad f(E_K(P)) = E'_{g(K)}(h(P)),$
where P and K denote the plaintext and the cipher key respectively, then they are
called Dual ciphers. From this concept, they have observed that the AES algorithm
has dual ciphers that are equivalent to the original cipher in all aspects. For the AES
algorithm, these dual ciphers can produce the same cipher text for a given plaintext
and a given key by the following equation:
$\forall P, K:\quad AES_K(P) = f^{-1}(DUAL_{g(K)}(h(P))).$
Indeed, they have shown in [16] that hundreds of dual ciphers can be described for
the AES algorithm, replacing the irreducible polynomial, the coefficients of the Mix-
Columns transformation, and the affine transformation used for generating the S-box.
Based on their observations, they have concluded that “the irreducible polynomial of
Rijndael is chosen arbitrarily, and that it is possible to replace the irreducible poly-
nomial of Rijndael by any other irreducible or primitive polynomial without changing
the strength of cipher, and even without changing the cipher itself”.
Chapter 4
Cyclic Properties of the AES Algorithm
From this chapter on, we present our further observations on the cryptologic properties
of the AES algorithm. In this chapter, we discuss the algebraic properties of the AES
algorithm, focusing on the cyclic properties, which have so far been considered mainly
for stream ciphers. We examine the cyclic properties of the AES algorithm via each
function in the original structure. We first observe, in Section 4.1, the cyclic properties
of each function used in the AES algorithm. Then, the cyclic properties of combined
functions are considered in Section 4.2. We show that the AES algorithm consists of
functions having very short periods, and that these short periods are not improved in
the linear layer. We note, however, that when the non-linear layer and the linear layer
are combined, the period is dramatically increased.
In terms of the cyclic properties of each function, we have found that:
• any input data block of the SubBytes transformation (non-linear layer) returns
to the initial state after 277182 (≈ $2^{18}$) repeated applications of the SubBytes
transformation; that is, the maximal period of the SubBytes transformation is
277182.
• any input data block of the ShiftRows transformation returns to the initial state
after four repeated applications of the operation; that is, the maximal period of
the ShiftRows transformation is four.
• any input data block of the MixColumns transformation maps to itself after four
repeated applications of the operation. In other words, the maximal period of
the MixColumns transformation is four.
In connection with the cyclic properties of combined functions, we have found that:
• when the ShiftRows transformation and MixColumns transformation in the linear
layer are considered together, the maximal period is eight; that is, the maximal
period of the linear layer is eight.
• when the SubBytes transformation (non-linear layer) and the ShiftRows trans-
formation (in the linear layer) are considered together, the maximal period is
554364 (≈ $2^{19}$).
• more importantly, the maximal period of the composition of the SubBytes trans-
formation (non-linear layer) and the MixColumns transformation (in the linear
layer) is 1,440,607,416,177,321,097,705,832,170,004,940 (≈ $2^{110}$), which indicates
that although the maximal periods of both the non-linear layer and the linear
layer are short, combining these two layers increases the maximal period
enormously.
We note that this chapter is based on the paper [9] published by B. Song and J.
Seberry. For future reference, we define $f^n(I) = f \circ f \circ \cdots \circ f(I)$ (n applications of f).
[Figure 4.1: the input state ($i_{00}, \ldots, i_{33}$) passes through SubBytes (the non-linear layer), then ShiftRows and MixColumns (the linear layer), and is finally XORed (⊕) with the round key to give the output state ($O_{00}, \ldots, O_{33}$).]
Figure 4.1: Elementary structure of the AES algorithm
4.1 Cyclic properties of each function
As previously mentioned, the non-linear layer of the AES algorithm is the SubBytes
transformation (S-box), whilst the linear layer consists of two functions, the Mix-
Columns transformation and the ShiftRows transformation. In this section, we ob-
serve the maximal period and minimal period of each transformation. We first present
a technical method to find the maximal and minimal period of the non-linear layer.
This method could also be applicable to other block ciphers if they have byte-oriented
non-linear layers.
4.1.1 Cyclic properties of the SubBytes transformation
To obtain the cyclic properties of the non-linear layer of the AES algorithm, we first
classify the 256 possible input values of the S-box into five small groups, in each of
which every element consecutively maps to another.
Group #1 (maximal period: 87):
f2, 89, a7, 5c, 4a, d6, f6, 42, 2c, 71, a3, 0a, 67, 85, 97, 88, c4, 1c, 9c, de, 1d, a4, 49, 3b, e2, 98, 46, 5a, be, ae, e4, 69, f9, 99, ee, 28, 34, 18, ad, 95, 2a, e5, d9, 35, 96, 90, 60, d0, 70, 51, d1, 3e, b2, 37, 9a, b8, 6c, 50, 53, ed, 55, fc, b0, e7, 94, 22, 93, dc, 86, 44, 1b, af, 79, b6, 4e, 2f, 15, 59, cb, 1f, c0, ba, f4, bf, 08, 30, 04
Group #2 (maximal period: 81):
7c, 10, ca, 74, 92, 4f, 84, 5f, cf, 8a, 7e, f3, 0d, d7, 0e, ab, 62, aa, ac, 91, 81, 0c, fe, bb, ea, 87, 17, f0, 8c, 64, 43, 1a, a2, 3a, 80, cd, bd, 7a, da, 57, 5b, 39, 12, c9, dd, c1, 78, bc, 65, 4d, e3, 11, 82, 13, 7d, ff, 16, 47, a0, e0, e1, f8, 41, 83, ec, ce, 8b, 3d, 27, cc, 4b, b3, 6d, 3c, eb, e9, 1e, 72, 40, 09, 01
Group #3 (maximal period: 59):
00, 63, fb, 0f, 76, 38, 07, c5, a6, 24, 36, 05, 6b, 7f, d2, b5, d5, 03, 7b, 21, fd, 54, 20, b7, a9, d3, 66, 33, c3, 2e, 31, c7, c6, b4, 8d, 5d, 4c, 29, a5, 06, 6f, a8, c2, 25, 3f, 75, 9d, 5e, 58, 6a, 02, 77, f5, e6, 8e, 19, d4, 48, 52
Group #4 (maximal period: 27):
ef, df, 9e, 0b, 2b, f1, a1, 32, 23, 26, f7, 68, 45, 6e, 9f, db, b9, 56, b1, c8, e8, 9b, 14, fa, 2d, d8, 61
Group #5 (maximal period: 2):
73, 8f
* Each value in each group is followed by its substitution value.
Table 4.1: Classifying the substitution values in the S-box
Property 4.1 Every input of the S-box returns to the initial value after some t repeated
applications of the substitution. In other words, for any input p of the S-box S,
$S^t(p) = p$.
Property 4.2 In Property 4.1, the 256 possible input values of the S-box can be clas-
sified into five small groups, as in Table 4.1, according to the values of t. The values
of t (the periods of each group) are 87, 81, 59, 27, and 2 respectively.
In Table 4.1, each value in each group is mapped to the value next to it. For example
‘f2’ → ‘89’ → ‘a7’ → · · · → ‘04’ → ‘f2’, and ‘73’ → ‘8f’ → ‘73’. From Properties
4.1 and 4.2, we now expect that although the SubBytes transformation is a non-linear
operation, every input block of the SubBytes transformation is mapped to itself after
some repeated applications. From Property 4.2, if we consider the L.C.M (Least Com-
mon Multiple) of 87, 81, 59, 27, and 2, we then find the following cyclic properties of
the SubBytes transformation.
Property 4.3 For any input block I of the SubBytes transformation,
$SubBytes^{277182}(I) = I.$
That is, the maximal period of the SubBytes transformation is 277182.
Property 4.4 For any input block I of the SubBytes transformation, if each byte of I
is ‘8f’ or ‘73’, then
$SubBytes^{2}(I) = I.$
In other words, the minimal period of the SubBytes transformation is two when each
byte in the input block I is ‘8f ’ or ‘73’.
Indeed, we see that an input block of the SubBytes transformation,
state0 : f2 71 00 ef
89 10 63 df
a7 ca fb 73
5c 74 0f 8f
returns to the initial state after 277182 iterations of the SubBytes transformation, and
that if each byte in an input block is ‘8f’ or ‘73’ (in group 5) like
state0 : 73 8f 8f 8f
8f 8f 73 8f
8f 73 73 8f
73 8f 73 73,
then this block returns to the initial state after just two iterations of the SubBytes trans-
formation. At this stage we present another property which is immediately obtained
from Property 4.3. The following property shows an algebraic relationship between
the SubBytes transformation in the encryption procedures and its inverse used in the
decryption procedures.
Property 4.5 For any input block I of the SubBytes transformation,
$SubBytes^{-1}(I) = SubBytes^{277181}(I).$
4.1.2 Cyclic properties of the ShiftRows transformation
If we consider the shift value (row #0: 0, row #1: 1, row #2: 2, row #3: 3) of each
row, as described in Figure 4.2, the maximal period of the ShiftRows transformation
is immediately found.
[Figure 4.2: a 4 × 4 state drawn with one symbol per row (♣, ♦, ♥, ♠) before and after ShiftRows; row #0 is unchanged and rows #1, #2 and #3 are rotated by 1, 2 and 3 positions respectively.]
Figure 4.2: Illustration of the ShiftRows transformation
Property 4.6 For any input block I of the ShiftRows transformation,
ShiftRows(ShiftRows(ShiftRows(ShiftRows(I))))=I.
In other words, the maximal period of the ShiftRows transformation is four.
Property 4.7 The minimal period of the ShiftRows transformation is one when all
bytes in an input block I are the same.
Property 4.6 instantly leads to an algebraic relationship between the ShiftRows trans-
formation in the encryption process and its inverse used in the decryption process.
Property 4.8 For any input block I of the ShiftRows transformation,
$ShiftRows^{-1}(I) = ShiftRows^{3}(I).$
4.1.3 Cyclic properties of the MixColumns transformation
In terms of the MixColumns transformation, we have found that the maximal period
of this function is 4, and that this function does not affect the data transformation
for certain types of input blocks. Let us look once again at the algebraic structure of
the MixColumns transformation described in Chapter 2. As previously described, each
input column $I_c$ (four bytes) is considered as a polynomial over $GF(2^8)$ and multiplied
modulo $x^4 + 1$ with the fixed polynomial
$f(x) = 03 \cdot x^3 + 01 \cdot x^2 + 01 \cdot x + 02.$
This can be written as a matrix function (matrix multiplication)
$MixColumn(I_c) = M(I_c) = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \cdot \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$ (4.1)
where $I_c = (b_0, b_1, b_2, b_3)^T$.
Here, if we look carefully at the matrix M in equation (4.1), we see that
$M(M) = \begin{pmatrix} 05 & 00 & 04 & 00 \\ 00 & 05 & 00 & 04 \\ 04 & 00 & 05 & 00 \\ 00 & 04 & 00 & 05 \end{pmatrix},$
$M(M(M)) = \begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}$
and
$M(M(M(M))) = \begin{pmatrix} 01 & 00 & 00 & 00 \\ 00 & 01 & 00 & 00 \\ 00 & 00 & 01 & 00 \\ 00 & 00 & 00 & 01 \end{pmatrix}.$
As a consequence we see that for any Ic
$M(M(M(M(I_c)))) = I_c.$ (4.2)
If we now consider equation (4.2) for all four columns in an input block of the Mix-
Columns transformation, then we finally find the following two properties.
Property 4.9 For any input block I (16 bytes) of the MixColumns transformation,
MixColumns(MixColumns(MixColumns(MixColumns(I)))) = I.
In other words, the maximal period of the MixColumns transformation is four.
Indeed, from a randomly chosen example below, we see that the initial state (state0)
of the MixColumns transformation is mapped to itself after four iterations of the Mix-
Columns transformation. In the following example, stater denotes the state after r
iterations of the MixColumns transformation:
state0 : 26 17 66 f0
10 69 ab 01
63 09 cd 65
03 11 ef 00
state1 : 1c 8d 08 9d
a0 cf 88 5d
f5 5f 66 3b
1f 7b 09 6f
state2 : 29 6f fc 92
5c 92 a0 05
6c 71 57 07
4f ea e4 04
state3 : 95 e8 ab 33
6a 29 ba 95
7c 3a c5 95
d5 9d 3b a7
state4 : 26 17 66 f0
10 69 ab 01
63 09 cd 65
03 11 ef 00.
From equation (4.1), we also note the somewhat surprising property that if all four
bytes of $I_c$ are the same, that is, $b_0 = b_1 = b_2 = b_3$, then the matrix multiplication does
not influence the data transformation (every row of M sums to 02 ⊕ 03 ⊕ 01 ⊕ 01 = 01); that is,
$M(I_c) = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \cdot \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = I_c.$ (4.3)
This means that if we consider equation (4.3) for all four columns in an input block of
the MixColumns transformation, then we see the following property.
Property 4.10 The minimal period of the MixColumns transformation is one when
the bytes are the same in each column.
For example, if an input block of the MixColumns transformation is
state0 : 26 10 ab de
26 10 ab de
26 10 ab de
26 10 ab de,
then we see that the state after the MixColumns transformation is also
state1 : 26 10 ab de
26 10 ab de
26 10 ab de
26 10 ab de.
Property 4.10 includes the fact that if all bytes in an input block of the MixColumns
transformation are the same, then the MixColumns transformation does not affect
the data transformation. From Property 4.9, we also immediately find an algebraic
relationship between the MixColumns transformation in the encryption process and its
inverse used in the decryption process.
Property 4.11 For any input block I of the MixColumns transformation,
$MixColumns^{-1}(I) = MixColumns^{3}(I).$
4.2 Cyclic properties of combined functions
We now observe the cyclic properties when the above functions are combined. We first
observe the cyclic properties of the linear layer. Then we discuss the cyclic properties
when the linear layer and the non-linear layer are combined.
4.2.1 Cyclic properties of the linear layer
The cyclic properties of the linear layer are observed when the ShiftRows transforma-
tion and the MixColumns transformation are considered together. Considering that the
maximal period of the ShiftRows transformation is four, and the maximal period of the
MixColumns transformation is also four, we obtain the following property concerning
the maximal period of the linear layer.
Property 4.12 Any input block I of the linear layer is mapped to itself after eight
repeated applications of the linear layer. In other words, the maximal period of the
linear layer is eight.
In this case, we note that the maximal period of the linear layer is the sum of the
maximal period of the ShiftRows transformation and that of the MixColumns transfor-
mation. This is because every byte in each row returns to the initial position after four
iterations of the ShiftRows transformation, without change in value by the ShiftRows
transformation itself. Property 4.12 has also been verified by our implementation, and
the following is a randomly chosen example of this property. In the following example,
state0 denotes the initial state of the linear transformation, and stater denotes the state
after r iterations of the linear transformation.
state0 : 26 17 66 f0
10 69 ab 01
63 09 cd 65
03 11 ef 00
state1 : 3a ae bd 2d
b8 f6 d0 24
ce 73 92 d8
ce f1 ea d7
state2 : 30 3a 32 10
b7 a8 4d 39
91 9c 16 56
9f 66 cf 73
state3 : e6 6a d8 b1
32 c5 8e 15
21 61 98 ce
08 70 32 9e
state4 : 85 9b c5 7c
5a 2c e1 44
b1 7b 1f 17
4b ee a7 ff
state5 : 85 49 02 ca
03 30 6b e2
8d 89 d1 22
42 d6 66 f0
state6 : 60 4f 62 65
7d bb 87 2a
07 a0 80 6a
8e 16 de 03
state7 : 95 e8 ab 33
95 6a 29 ba
c5 95 7c 3a
9d 3b a7 d5
state8 : 26 17 66 f0
10 69 ab 01
63 09 cd 65
03 11 ef 00
Now, looking at the minimal periods of the ShiftRows transformation and the Mix-
Columns transformation together, we also see the following property, which shows the
minimal period of the linear layer.
Property 4.13 Any input block I of the linear layer, in which all bytes are the same,
is mapped to itself after one application of the linear layer. That is, the minimal period
of the linear layer is one.
This property means that if all bytes in the input block are the same, then the linear
layer does not affect the data transformation at all.
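As an added example (not code from the thesis), the following Python script regenerates the AES S-box, recovers the cycle structure of Table 4.1 and the maximal period of the SubBytes transformation (Properties 4.2 to 4.4), and checks Properties 4.6, 4.9, 4.10, 4.12 and 4.13 by iterating ShiftRows, MixColumns and the linear layer on the example states quoted in Sections 4.1.1, 4.1.3 and 4.2.1. The $GF(2^8)$ arithmetic and the row/column state layout follow the AES specification; the function names are my own.

```python
"""Cyclic properties of the AES functions (Chapter 4): S-box cycles and the
periods of SubBytes, ShiftRows, MixColumns and the linear layer.
Added example; not code from the thesis."""
from functools import reduce
from math import gcd
from typing import Callable, List

State = List[List[int]]  # 4 rows x 4 columns of bytes, state[row][col]

def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def sbox_value(a: int) -> int:
    """S(a): inverse a^254 in GF(2^8) (0 -> 0), then the affine map over GF(2)."""
    x = reduce(gf_mul, [a] * 254, 1)
    s = x
    for _ in range(4):  # s = x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
        x = ((x << 1) | (x >> 7)) & 0xFF
        s ^= x
    return s ^ 0x63

SBOX = [sbox_value(a) for a in range(256)]

def sbox_cycles() -> List[List[int]]:
    """Cycles of the S-box as a permutation of {0,...,255} (Table 4.1), longest
    first; within a cycle each value is followed by its substitution value."""
    seen, cycles = set(), []
    for start in range(256):
        if start in seen:
            continue
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = SBOX[x]
        cycles.append(cyc)
    return sorted(cycles, key=len, reverse=True)

CYCLE_LEN = {v: len(cyc) for cyc in sbox_cycles() for v in cyc}  # byte -> its period

def lcm(*values: int) -> int:
    return reduce(lambda a, b: a * b // gcd(a, b), values, 1)

def sub_bytes(s: State) -> State:
    return [[SBOX[b] for b in row] for row in s]

def shift_rows(s: State) -> State:
    return [row[i:] + row[:i] for i, row in enumerate(s)]  # row i rotated left by i

MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # the matrix M of (4.1)

def mix_columns(s: State) -> State:
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            for k in range(4):
                out[r][c] ^= gf_mul(MC[r][k], s[k][c])
    return out

def linear_layer(s: State) -> State:
    """ShiftRows followed by MixColumns, the linear layer of Figure 4.1."""
    return mix_columns(shift_rows(s))

def period(f: Callable[[State], State], state: State, limit: int) -> int:
    """Smallest p <= limit with f^p(state) == state, or 0 if there is none."""
    cur = state
    for p in range(1, limit + 1):
        cur = f(cur)
        if cur == state:
            return p
    return 0

def sub_bytes_period(s: State) -> int:
    """Period of SubBytes on a block: the l.c.m. of the S-box cycle lengths of its
    bytes (Properties 4.3 and 4.4), found without iterating 277182 times."""
    return lcm(*(CYCLE_LEN[b] for row in s for b in row))

def parse_state(text: str) -> State:
    """Read a state written row by row in hex, as the thesis prints them."""
    return [[int(b, 16) for b in line.split()] for line in text.strip().splitlines()]

# Example states quoted from Sections 4.1.1, 4.1.3 and 4.2.1 of the thesis.
STATE0 = parse_state("26 17 66 f0\n10 69 ab 01\n63 09 cd 65\n03 11 ef 00")
MC_STATE1 = parse_state("1c 8d 08 9d\na0 cf 88 5d\nf5 5f 66 3b\n1f 7b 09 6f")
LL_STATE1 = parse_state("3a ae bd 2d\nb8 f6 d0 24\nce 73 92 d8\nce f1 ea d7")
SB_STATE = parse_state("f2 71 00 ef\n89 10 63 df\na7 ca fb 73\n5c 74 0f 8f")
SB_SHORT = parse_state("73 8f 8f 8f\n8f 8f 73 8f\n8f 73 73 8f\n73 8f 73 73")
CONST_COLS = parse_state("26 10 ab de\n" * 4)  # every column has four equal bytes
```

Calling `period(linear_layer, STATE0, 16)` returns 8 and `sub_bytes_period(SB_STATE)` returns 277182, matching Properties 4.12 and 4.3 for these states.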
4.2.2 Cyclic properties of the combined layer
When the SubBytes transformation (non-linear layer) and the ShiftRows transforma-
tion (in the linear layer) are combined, we obtain the following cyclic property from
the L.C.M of the two maximal periods.
Property 4.14 Any input block I of the composition of the SubBytes transformation
and the ShiftRows transformation is mapped to itself after 554364 repeated applications
of the composition. In other words, the maximal period of the composition of the
SubBytes transformation and the ShiftRows transformation is 554364.
If we consider the minimal periods of these two operations, then we also find the
following property.
Property 4.15 For any input block I of the composition of the SubBytes transforma-
tion and the ShiftRows transformation, if all bytes in the input block I are the same and
are either ‘73’ or ‘8f ’, then this block is mapped to itself after two repeated applications
of the composition. That is, the minimal period of the composition of the SubBytes
transformation and the ShiftRows transformation is two.
At this stage, we realise that the short periods of the AES functions are not improved even in the compositions which we have considered up until now. But, more importantly, we now show that although the maximal periods of both the non-linear layer and the linear layer are short as previously shown, the maximal period is dramatically increased when the non-linear layer and the MixColumns transformation in the linear layer are considered together. To do this, we first change the order of the SubBytes transformation and the ShiftRows transformation, as shown in Figure 4.3 (b) (the order of these two functions is changeable).
We then consider the S-box and the MixColumns transformation together. As a result, we obtain an extended S-box, the ES-box, which consists of $2^{32}$ non-linear substitution paths, as shown in Figure 4.3 (c) and Table 4.2.
x     : 0x00000000  0x00000001  ...  0xabcdef12  ...  0xffffffff
ES(x) : 0x63636363  0x7c7c425d  ...  0x0eb03a4d  ...  0x16161616
Table 4.2: ES-box
Now, using the same concept as was used to obtain Property 4.2, we classify the $2^{32}$ four-byte input values of the ES-box into 52 small groups according to their periods. Table 4.3 shows the classification of all substitution values in the ES-box, which has been obtained from our analysis (see Appendix A for more details).
[Figure 4.3: Re-ordering of SubBytes and ShiftRows. Three diagrams map the input block (i00 ... i33) to the output block (O00 ... O33): (a) the S-box, ShiftRows and MixColumns with the round-key addition (⊕) in the original order; (b) the same functions with the S-box and ShiftRows exchanged; (c) the S-box and MixColumns merged into the ES-box, together with ShiftRows.]
The number of values in each group (the period of each group) is 1,088,297,796 ($\approx 2^{30}$), 637,481,159 ($\approx 2^{29}$), 129,021,490 ($\approx 2^{27}$), 64,376,666 ($\approx 2^{26}$), and so on. From these values we finally find the following property.
Property 4.16 The maximal period of the composition of the SubBytes transformation (non-linear layer) and the MixColumns transformation (in the linear layer) is 1,440,607,416,177,321,097,705,832,170,004,940 ($\approx 2^{110}$).
Here, we note that the maximal period of this composition is the largest L.C.M of any
four values in Table 4.3. This is because one input block consists of four columns.
In very rare cases, where each column in an input block I is ‘73737373’, ‘8f8f8f8f’,
‘5da35da3’, ‘c086c086’, ‘a35da35d’ or ‘86c086c0’ (each of these values is mapped to
itself after two iterations of ES-box: see Appendix A), for example,
state0 : 8f c0 73 5d
8f 86 73 a3
8f c0 73 5d
8f 86 73 a3,
the period of the composition of the SubBytes transformation and the MixColumns transformation is two (this is the minimal period of the composition of the non-linear layer and the MixColumns transformation in the linear layer).

Table 4.3: Classifying the substitution values in the ES-box. The periods of the 52 groups are:
1088297796, 637481159, 637481159, 637481159, 637481159, 129021490,
129021490, 129021490, 129021490, 64376666, 64376666, 11782972, 39488,
16934, 13548, 13548, 10756, 7582, 5640, 5640, 3560, 1902, 1902, 548, 548,
136, 90, 90, 87, 81, 59, 47, 47, 47, 47, 40, 36, 36, 27, 24, 21, 21, 15,
15, 12, 8, 4, 4, 4, 2, 2, 2
e.g. Period of group #1 : 1088297796, Period of group #2 : 637481159,
Period of group #6 : 129021490, Period of group #12 : 11782972.

If all bytes in an input block I of the composition of the SubBytes transformation and the MixColumns transformation are the same, then we find the following property, because this block leads to an output block in which all bytes are the same.
Property 4.17 For any input block I of the composition of the SubBytes transforma-
tion and the MixColumns transformation, if all bytes in I are the same, then the period
of this composition is the same as the period of the S-box.
For example, if the bytes in an input block I of the combined function of the SubBytes
transformation and the MixColumns transformation are all ‘f2’, then this block is
mapped to itself after 87 iterations of this combined function, because the MixColumns
transformation does not affect the data transformation (see Group #1 in Table 4.1 and
Period 87 in Appendix A). If all the bytes in an input block I of the combined function
of the SubBytes transformation and the MixColumns transformation are ‘8f’, then this
block is mapped to itself after two repeated applications of this combined function.
4.3 Comparison with DES
Although the cryptographic structure of the AES algorithm is different from that of DES, we can compare the cyclic properties of these two algorithms. Among several research studies on the cyclic properties of DES [10, 14, 35, 36, 69, 70], we first refer to the following observations on the linear diffusion layer (the 32-bit permutation of Table 4.4 applied at the end of each round), made by S. Murphy and M. Robshaw [69, 70]:
• the minimal polynomial of the linear diffusion layer of DES has degree 56, that is
$m(x) = (1 + x + x^2)^4 (1 + x + x^2 + x^3 + x^4)^4 (1 + x + x^2 + x^4 + x^6 + x^7 + x^8)^4$;
• the minimal period of the linear diffusion layer of DES is 1020.
Comparing the above properties with Property 4.12, we see that the linear diffusion layer of the AES algorithm has a much shorter period than that of DES. From the viewpoint of the data mixing effect (recall Definition 3.9), we also see that the AES linear layer ($\frac{2^3}{2^{128}} = \frac{1}{2^{123}}$) is worse than the DES linear layer ($\frac{1020}{2^{32}} \approx \frac{1}{2^{21}}$).
16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25
Table 4.4: P-box of DES
We now refer to the cyclic property of the whole structure of DES, discussed in [14, 35]. In terms of the cyclic structure of DES, B. Kaliski, R. L. Rivest and A. Sherman announced that a small cycle had been found when alternately encrypting with the all-zeroes and the all-ones key. Specifically, they showed that when a 64-bit input is alternately encrypted with the all-zeroes key and the all-ones key, the input is reproduced after about $2^{33}$ iterations [14]. Motivated by this observation, J. H. Moore and G. J. Simmons did further studies on the cyclic structure of DES, using weak and semi-weak keys [35, 36]. Indeed, they presented some more weak keys which cause the DES structure to have a cycle of $2^{32}$. The following are two examples of the weak keys disclosed by their observations:
00000001 00000001 00000001 00000001
00000001 00000001 00000001 00000001
11111110 11111110 11111110 11111110
11111110 11111110 11111110 11111110
At this stage, we note in advance that the AES structure has a much shorter cycle than DES if the AES key schedule has a weakness. We discuss the short period of the AES structure in more detail in the next chapter.
In this chapter, we have discussed the cyclic properties of the AES algorithm. We
have shown that the functions used in the AES algorithm have short periods and these
short periods are not improved even in the linear layer. However, we have also shown
that when the non-linear layer and the linear layer are combined, the composition
brings remarkable synergy effects in increasing the maximal period. In the next chapter,
we discuss the impact of the cyclic properties on the security of the AES algorithm,
focussing more on the data blocks which cause the AES functions to have the minimal
periods.
Chapter 5
Security Impact of the Cyclic Property
In this chapter, we discuss the impact of the cyclic properties on the security of the AES algorithm. We show that in the AES algorithm, data blocks for which the elementary structure (the whole composition of the SubBytes transformation, the ShiftRows transformation, and the MixColumns transformation) has short periods are apt to have a hidden simple algebraic relationship with their corresponding output blocks. To do this, we first find the input blocks for which the elementary structure has the shortest periods. As outlined in the previous chapter, the composition of the non-linear layer and the linear layer brings huge synergy effects in improving the periods, but the elementary structure has very short periods for certain types of input blocks. We then show that there is a simple algebraic relationship, which must be unusual and undesirable from the cryptologic point of view, between those input blocks and their corresponding output blocks. We have found that:
• any input block of the elementary structure of the AES algorithm in which all
the bytes are the same always leads to an output block in which all the bytes are
the same.
• in this case, the ShiftRows transformation and the MixColumns transformation
do not affect the data transformation, and so the effect of mixing data (see
Definition 3.9) depends on only the S-box.
We note that this chapter is based on the paper [9] published by B. Song and J. Seberry.
5.1 Cyclic properties of the elementary structure
We first discuss the cyclic properties in the whole composition of the non-linear layer and the linear layer. Summing up the previous observations, we find some considerable cyclic properties in the fully combined layer, which may reveal that the AES algorithm has some undesirable weaknesses in its algebraic structure. At this stage, we recall in more detail the concept of the effect of mixing data, defined in Definition 3.9, with an example. Let us consider a primitive polynomial
$f(x) = x^n + c_{n-1}x^{n-1} + c_{n-2}x^{n-2} + \cdots + c_2x^2 + c_1x + 1$
over $GF(2)$. The number of possible states of the LFSR (Linear Feedback Shift Register) generated by $f(x)$ is $2^n - 1$ (excluding the all-zero state), and the maximal period of this LFSR is $2^n - 1$. This means that every state returns to the initial state after $2^n - 1$ repeated actions of the LFSR. If $f(x)$ is not a primitive polynomial, then the maximal period of the LFSR will never be $2^n - 1$. In other words, not all possible states of the LFSR can appear, and some states are always missed. If the state of the LFSR returns to the initial state after $n$ iterations, then $2^n - 1 - n$ states do not appear among all $2^n - 1$ possible states. In this case we say that the effect of mixing data is $\frac{n}{2^n - 1}$. We have just briefly connected the cyclic property to the effect of mixing data.
We now observe the cyclic property (and so the effect of mixing data) in the elementary structure of the AES algorithm, taking into account that the number of possible block states of the AES algorithm is $2^{128}$.
Property 5.1 For any input block I of the whole composition of the non-linear layer
and the linear layer (the SubBytes transformation, the ShiftRows transformation and
the MixColumns transformation), if all bytes in I are the same, then all bytes in the
output block are also the same.
In the case above, the whole composition of the non-linear layer and the linear layer is equivalent to a single active S-box (substitution path) in its effect on the data transformation, because the ShiftRows transformation and the MixColumns transformation do not contribute to the data transformation. For example, if an input block is
state0 : d2 d2 d2 d2
d2 d2 d2 d2
d2 d2 d2 d2
d2 d2 d2 d2,
then the output block of the entire layer is
state1 : b5 b5 b5 b5
b5 b5 b5 b5
b5 b5 b5 b5
b5 b5 b5 b5.
Property 5.2 For any input block I of the whole composition of the non-linear layer
and the linear layer, if all bytes in I are equal to i (any value), then the period of the
whole composition for this input block is the same as the period of the S-box for i.
For example, if the bytes in an input block I of the whole composition of the non-linear layer and the linear layer are all ‘ef’, then this input block is mapped to itself after 27 iterations of the composition. This means that the effect of mixing data in the composition is $e = \frac{27}{2^{128}}$ ($2^{128}$ is the number of all possible blocks represented by 128 bits), and that this effect depends only on the S-box (the period of the S-box for ‘ef’ is 27, as shown in Table 4.1).
Property 5.3 For any input block I of the whole composition of the non-linear layer and the linear layer, if all bytes in I are the same and are either ‘73’ or ‘8f’, then I is mapped to itself after two iterations of the composition. In other words, the minimal period of the whole composition of the non-linear layer and the linear layer is two (and so the minimal effect of mixing data is $e = \frac{2}{2^{128}}$).
5.2 Cryptologic impact
Given the above properties, we can see that the elementary structure of the AES
algorithm has unusual cryptologic properties for the input blocks in which all bytes are
the same. We now see that the AES algorithm may have considerable weaknesses in
the cipher itself for the plaintexts in which all bytes are the same. We discuss AES-128
here because the result is the same in the other cases. Let us assume that the AES key
expansion routine has the same property as the cipher part (data processing part) of
the AES algorithm. That is, let us assume that contrary to the original key schedule
of the AES algorithm, for a Cipher Key in which all bytes are the same, the AES key
expansion routine generates the Round Keys in which each round key has all its bytes
the same; this does not actually appear in the original key schedule. For example, as illustrated in Figure 5.1, suppose that the initial Round Key consists of all ‘26’, that the first Round Key consists of all ‘10’, . . . , and that the tenth Round Key consists of all ‘bd’. Then, if we consider the encryption procedure, we see that, regardless of the number of rounds, any plaintext in which all bytes are the same leads to a ciphertext in which all bytes are the same. That is, in Figure 5.1, if the plaintext
P : 6b 6b 6b 6b
6b 6b 6b 6b
6b 6b 6b 6b
6b 6b 6b 6b
is encrypted with the above Round Keys, then this plaintext leads to a ciphertext in
which all bytes are the same:
C : 11 11 11 11
11 11 11 11
11 11 11 11
11 11 11 11
This means that if anyone uses, for encryption, a Cipher Key in which all bytes are
the same, then attackers will easily become aware of this fact, with a chosen plaintext
in which all bytes are the same. As long as the attackers realise this fact, it will be
easy to find the Cipher Key. In this case, the effect of the whole encryption is the
same as the effect of only 10 (the number of rounds) active s-boxes. However, we note
that this scenario does not occur with the original key schedule of the AES algorithm
because plaintexts having short periods are not able to keep up the short periods with
the original key schedule. For example, let us consider the simplest case in which a
plaintext, in which all bytes are ‘8f’, is encrypted with a Cipher Key in which all bytes
are ‘00’. In this case, as is shown in Property 5.3, the period of the whole composition
of the SubBytes transformation, the ShiftRows transformation and the MixColumns
transformation is two for the intermediate text
Int0 : 73 73 73 73
73 73 73 73
73 73 73 73
73 73 73 73
after the initial round key addition. However, we have observed that the period of
the composition of the SubBytes transformation and the MixColumns transformation
becomes 1,088,297,796 ($\approx 2^{30}$) for the intermediate text
Int1 : ed ed ed ed
ec ec ec ec
ec ec ec ec
ec ec ec ec
after the first round key addition. From these observations, we see that for certain
types of data blocks, the AES algorithm has algebraic weaknesses in the cipher itself,
but that the key schedule covers these weaknesses.
[Figure 5.1: Simple plaintext-ciphertext algebraic relationship in the cipher itself. Every block in the figure is a 4×4 state whose bytes are all equal: the Plaintext (all 6b) XORed with RK 0 (all 26) gives all 4d; after the first round and RK 1 (all 10) the state is all f3; . . . ; the state all 80 becomes all aa after the ninth round and RK 9 (all 67); and the tenth round with RK 10 (all bd) gives the Ciphertext (all 11).]
5.3 Interim conclusion
Until now, we have summarised our further observations on the cyclic properties
of the AES algorithm and the impact on its security. Specifically, we have shown that
the maximal period of each function used in the AES algorithm is short (the effect
of mixing data is very small), and that the maximal period of the composition of
the functions in the linear layer is short as well. However, we have also shown that
the composition of the non-linear layer and the linear layer brings remarkable synergy
effects in raising the maximal period. This means that although the functions used
in the AES algorithm are mathematically simple and ineffective in mixing data, this
cipher is much more complicated when all the functions are combined. But we have
also observed that for some data blocks, which cause the AES elementary structure
to have the shortest periods, the AES algorithm has considerable weaknesses in the
cipher itself: input blocks in which all bytes are the same always lead to output blocks
in which all bytes are the same. Summing up our observations, we see that in the AES
structure
• the composition of the non-linear layer and the linear layer has extremely long
periods for most data blocks, so this structure yields a complicated algebraic
relationship between the input blocks and the output blocks.
• but even this composition has short periods for some data blocks, so this structure
causes a very simple algebraic relationship between the input blocks and their
corresponding output blocks.
We summarise here why some data blocks (the data blocks in which all bytes are the
same) are obliged to have such a simple relationship with their corresponding output
blocks even in the whole composition of the non-linear layer and the linear layer. Let
us look at the matrix function MixColumn used in the MixColumns transformation
once again. The branch number of this function is five, so this function leads to 25 active S-boxes over four rounds of the AES algorithm for a one-non-zero-byte input difference. This property makes the four-round characteristic probability P of the AES algorithm $2^{-150}$. If the branch number of the function MixColumn were four, then the number of active S-boxes after the fourth round would be 20 at most, and the four-round characteristic probability would be $P = 2^{-120}$. From the
above, we see that the function MixColumn has admirable advantages over Differential
Cryptanalysis. However, from the stream cipher point of view, this function has such a
short period that it can provide a simple algebraic relationship between an input state
and the corresponding output state. Let us recall Section 4.1.3. The maximal period of
MixColumn is four, so the effect of mixing data is $\frac{4}{2^{32}}$. Given that the maximal period of a 32-degree LFSR (Linear Feedback Shift Register) is $2^{32} - 1$, we see that this period
of MixColumn is very short. As previously shown, this function does not influence the
data transformation for the inputs in which all bytes are the same, and so the outputs
are the same as the inputs. As a result, this property of MixColumn makes the data
blocks in which all bytes are the same lead to output blocks in which all bytes are the
same, even in the whole composition of the non-linear layer and the linear layer. In
this case, the data transformation is dependent just on a single active s-box, because
the ShiftRows transformation does not affect the data transformation either. From
our observations, we see that the function MixColumn enables the AES algorithm to
be secure against DC, as previously known; but, at the same time, the fact that this
function does not affect the data transformation for the input in which all bytes are
the same, leads the AES algorithm to have an unusual property in the cipher itself for
the input blocks in which all bytes are the same.
Chapter 6
Distinctive Output Properties of the AES Algorithm
In this chapter, we discuss our observations on distinctive output properties of the AES
algorithm. We first observe some differential properties of the AES S-box. We then find
some distinctive output properties of the matrix multiplication, MixColumn. Finally,
we discuss consistent differential patterns of the AES algorithm. Before discussing the
consistent differential patterns of the AES algorithm, we first define the concept of the
consistent differential pattern of the block cipher. In terms of the consistent differential
patterns of the AES algorithm, we have found that
• if two plaintexts of this cipher differ by only one byte, then there are always four
pairs of bytes in the second-round output difference, with each pair having the
same value (this pattern is consistent as long as the two plaintexts differ by only
one byte).
• if two plaintexts of this cipher differ by up to four bytes in certain positions, then
the above pattern appears in the second-round output difference as well.
• for any $2^{8n}$ plaintexts which vary in certain n bytes, if one of these plaintexts is paired with each of the other plaintexts, then any output difference is equal to the XOR of the other output differences after the third round.
• for any $2^{32}$ plaintexts which vary in certain four bytes and are the same in the other bytes, there exist some consistent differential patterns between the fourth-round intermediate texts.
• for any set of $2^{32}$ plaintexts considered above, there exists a consistent differential pattern between the fifth-round intermediate texts.
This chapter is organised as follows: some differential properties of the S-box are ob-
served in Section 6.1; then some distinctive output properties of MixColumn (the ma-
trix multiplication used in the MixColumns transformation) are considered in Section
6.2; and finally the consistent differential patterns of the AES algorithm are discussed
in Section 6.3.
We note that this chapter is based on the papers [7] published by B. Song, H. Wang and J. Seberry, and [8] published by B. Song and J. Seberry.
6.1 Differential properties of the S-box
We now discuss our further observations on the differential properties of the AES S-box. As mentioned in Section 2.3, the AES S-box, which is the non-linear operation consisting of 256 substitution paths, is generated by two functions, the function $f(x) = x^{-1}$ in $GF(2^8)$ (‘00’ is mapped onto itself) and an affine transformation over $GF(2)$. Given that this kind of function $f(x) = x^{-1}$ in $GF(2^n)$, where $f(x) = 0$ for $x = 0$, is differentially 2-uniform for odd n and differentially 4-uniform for even n (the highest probability of a non-trivial one-round differential is $\frac{2}{2^n}$ and $\frac{4}{2^n}$ respectively) [42], we can expect that the AES S-box has uniform differential characteristics.
6.1.1 Distribution of output differences
We first discuss some distinctive output properties of the AES S-box observed from
our exhaustive computer search. The following property proves that the AES S-box
yields well-distributed output differences for any input difference.
Property 6.1 For any input difference ∆x of the AES S-box, a certain output difference ∆y always appears twice while the other output differences appear just once.
The following data shows the output differences which appear twice for each input
difference. For example, for the input difference ‘01’, the value ‘1f’ (in bold) appears
twice in the output differences; and for the input difference ‘ff’, the value ‘75’ appears
twice in the output differences (see also Figure 6.1 in which an example of Property
6.1 is illustrated in the case of ∆x = ‘ff’).
01:1f, 02:14, 03:18, 04:91, 05:08, 06:0c, 07:a6, 08:53, 09:62, 0a:04,
0b:48, 0c:9d, 0d:b4, 0e:c8, 0f:15, 10:a9, 11:e1, 12:aa, 13:1e, 14:99,
15:3a, 16:24, 17:93, 18:ce, 19:b7, 1a:c1, 1b:cc, 1c:ff, 1d:c7, 1e:11,
1f:a3, 20:d4, 21:9e, 22:f0, 23:45, 24:55, 25:5c, 26:94, 27:af, 28:57,
29:c6, 2a:86, 2b:92, 2c:12, 2d:bb, 2e:52, 2f:76, 30:67, 31:a4, 32:40,
33:a0, 34:7b, 35:f5, 36:66, 37:f9, 38:64, 39:71, 3a:e3, 3b:81, 3c:88,
3d:44, 3e:d1, 3f:16, 40:6a, 41:e0, 42:4f, 43:79, 44:78, 45:0d, 46:39,
47:c3, 48:31, 49:58, 4a:b5, 4b:d0, 4c:4a, 4d:80, 4e:4c, 4f:e7, 50:30,
51:b2, 52:63, 53:8e, 54:43, 55:9f, 56:d2, 57:38, 58:09, 59:a8, 5a:dd,
5b:5a, 5c:29, 5d:2f, 5e:3b, 5f:ac, 60:b3, 61:8c, 62:c9, 63:98, 64:20,
65:2e, 66:50, 67:e6, 68:26, 69:9a, 6a:61, 6b:1c, 6c:33, 6d:5f, 6e:fc,
6f:cb, 70:32, 71:c0, 72:23, 73:ec, 74:f1, 75:fe, 76:5b, 77:96, 78:df,
79:d5, 7a:b9, 7b:42, 7c:73, 7d:9c, 7e:90, 7f:b1, 80:ae, 81:6f, 82:70,
83:8f, 84:3c, 85:f4, 86:27, 87:74, 88:a7, 89:c4, 8a:1d, 8b:5e, 8c:07,
8d:3e, 8e:7a, 8f:10, 90:03, 91:e2, 92:2c, 93:bf, 94:41, 95:49, 96:f3,
97:eb, 98:25, 99:8d, 9a:db, 9b:77, 9c:bd, 9d:3d, 9e:68, 9f:b8, a0:83,
a1:51, a2:59, a3:69, a4:2a, a5:65, a6:47, a7:3f, a8:a1, a9:b0, aa:cf,
ab:01, ac:f2, ad:f6, ae:87, af:1a, b0:84, b1:ab, b2:54, b3:0e, b4:ee,
b5:b6, b6:2d, b7:ca, b8:0f, b9:35, ba:97, bb:89, bc:06, bd:19,
be:cd, bf:6b, c0:d9, c1:1b, c2:46, c3:4d, c4:7f, c5:c5, c6:d7, c7:a5,
c8:8b, c9:be, ca:17, cb:7c, cc:28, cd:de, ce:e8, cf:e9, d0:13, d1:5d,
d2:d6, d3:05, d4:2b, d5:60, d6:95, d7:6d, d8:02, d9:56, da:34,
db:da, dc:e5, dd:a2, de:7e, df:fd, e0:82, e1:9b, e2:fb, e3:72, e4:0a,
e5:ba, e6:ed, e7:f7, e8:f8, e9:7d, ea:e4, eb:8a, ec:ad, ed:36, ee:4b,
ef:bc, f0:ef, f1:c2, f2:ea, f3:6e, f4:dc, f5:85, f6:21, f7:0b, f8:22, f9:fa,
fa:4e, fb:6c, fc:d3, fd:37, fe:d8, ff:75.
[Figure 6.1: Example of the distribution of output differences in the S-box, for ∆x = ‘ff’. The inputs 0x00, 0x01, 0x02, ..., 0x49, ..., 0xb6, ..., 0xfd, 0xfe, 0xff are mapped by the S-box to 0x63, 0x7c, 0x77, ..., 0x3b, ..., 0x4e, ..., 0x54, 0xbb, 0x16, and the pairs of inputs differing by ‘ff’ give the output differences ∆y: ‘75’, ‘c7’, ‘23’, ‘75’, ..., so ‘75’ appears twice (for the pairs (0x00, 0xff) and (0x49, 0xb6)).]
From Property 6.1, we also see the following property, which shows that in the AES S-
box the number of possible output differences is fixed regardless of the input difference
(see Appendix B for examples).
Property 6.2 For any input difference ∆x of the AES S-box, the number of possible
output differences is always 127.
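As an added example (this is not code from the thesis), the following Python model of the AES round functions re-derives several of the observations above by direct computation: the cycle lengths of the S-box (the groups of Table 4.1), the fact that ShiftRows and MixColumns leave a block with all bytes equal unchanged (Properties 4.13 and 5.1), the periods of the elementary structure and of the ES-box on such blocks (Properties 4.17, 5.2 and 5.3, including the ES-box two-cycle ‘5da35da3’ ↔ ‘c086c086’), and the S-box difference distribution of Properties 6.1 and 6.2. The field arithmetic, S-box construction and MixColumn matrix are the standard AES definitions; the function names, the state layout and the sample values are my own choices, taken from the thesis's examples.

```python
"""Added example, not code from the thesis: a minimal model of the AES round
functions used to re-check the cyclic observations (Properties 4.13, 4.17,
5.1-5.3) and the S-box difference distribution (Properties 6.1, 6.2).
Constants are the standard AES ones; the sample states are constructed."""
from collections import Counter


def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p


def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) (0 -> 0), then the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gmul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for v in inv:
        y = v                      # y = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4) ^ 0x63
        for s in range(1, 5):
            y ^= ((v << s) | (v >> (8 - s))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox


SBOX = build_sbox()

# A state is a list of 16 bytes in AES order: byte (row r, column c) sits at
# index 4*c + r, so the thesis's 4x4 displays are read column by column.

def sub_bytes(state):
    return [SBOX[b] for b in state]


def shift_rows(state):
    """Row r is rotated left by r positions: new (r, c) <- old (r, (c + r) mod 4)."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_column(col):
    a0, a1, a2, a3 = col
    return [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
            gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]


def mix_columns(state):
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4])]


def linear_layer(state):
    """ShiftRows followed by MixColumns (the thesis's linear layer)."""
    return mix_columns(shift_rows(state))


def elementary(state):
    """The elementary structure: SubBytes, ShiftRows, MixColumns, no key."""
    return mix_columns(shift_rows(sub_bytes(state)))


def es_box(col):
    """ES-box of Table 4.2: S-box on each byte of a column, then MixColumn."""
    return mix_column([SBOX[b] for b in col])


def period(f, x, limit=1 << 16):
    """Smallest k >= 1 with f^k(x) == x, or None if not found within limit."""
    y = f(x)
    for k in range(1, limit + 1):
        if y == x:
            return k
        y = f(y)
    return None


def sbox_cycle_lengths():
    """Lengths of the S-box's cycles as a permutation of 0..255 (Table 4.1)."""
    seen, lengths = set(), []
    for x in range(256):
        if x not in seen:
            n, y = 0, x
            while y not in seen:
                seen.add(y)
                y, n = SBOX[y], n + 1
            lengths.append(n)
    return sorted(lengths)


def difference_distribution(dx):
    """Output differences S(x) ^ S(x ^ dx) over the 128 unordered pairs {x, x ^ dx}."""
    return Counter(SBOX[x] ^ SBOX[x ^ dx] for x in range(256) if x < x ^ dx)


def doubled_difference(dx):
    """The single output difference that occurs twice for dx (Property 6.1)."""
    [dy] = [dy for dy, n in difference_distribution(dx).items() if n == 2]
    return dy


if __name__ == "__main__":
    print("S-box cycle lengths:", sbox_cycle_lengths())
    print("elementary structure on all-'ef': period", period(elementary, [0xEF] * 16))
    print("ES-box on 5da35da3:", [hex(b) for b in es_box([0x5D, 0xA3, 0x5D, 0xA3])])
    print("doubled dy for dx=ff:", hex(doubled_difference(0xFF)))
```

period() accepts any state, so a block whose columns are not all-equal can be tried as well; for most such blocks the search limit is reached long before the period, which is what Table 4.3's group sizes predict.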
6.1.2 Relationship between the S-box and the keys
We now discuss some correlations between the S-box and the keys. Let us consider two inputs x and x′ of the S-box-alone structure, as described in Figure 6.2. If these two inputs pass through the S-box after being XORed with a certain key, then the corresponding output difference ∆y is obtained from the two outputs y and y′. Taking into account Property 6.1, that for any input difference of the S-box the same value appears at most twice in the output differences, we see that at most four keys (two keys for one output difference) can make the same output difference for these two inputs x and x′. From our computer search, we have found that if we consider five inputs (that is, four input differences: pairing one of the five inputs with each of the other inputs), then each key yields a unique combination of four output differences. For example, let us suppose that five inputs ‘00’, ‘ff’, ‘26’, ‘66’, and ‘bb’ are encrypted with a key ‘00’ in this structure. We then see five corresponding outputs ‘63’, ‘16’, ‘f7’, ‘33’ and ‘ea’. If we pair the first input ‘00’ with the other four inputs, then we see four input differences ‘ff’, ‘26’, ‘66’, and ‘bb’. In this case, the corresponding four output differences are ‘75’, ‘94’, ‘50’ and ‘89’, and no other key yields these four output differences for the five inputs (note: if we consider only the first two inputs ‘00’ and ‘ff’, then we see that another three keys ‘ff’, ‘49’, and ‘b6’ also yield the same output difference ‘75’).
[Figure 6.2: Substitution in the S-box. Two inputs x and x′ (input difference ∆x) are each XORed with the key and passed through the S-box (0x00 → 0x63, 0x01 → 0x7c, 0x02 → 0x77, 0x03 → 0x7b, 0x04 → 0xf2, 0x05 → 0x6b, 0x06 → 0x6f, ..., 0xff → 0x16), giving outputs y and y′ with output difference ∆y.]
6.1.3 Relationship between the ES-box and the keys
The differential properties of the S-box observed in the previous section still remain
even in the composition of the S-box and MixColumn because MixColumn is a linear
function. To look into the differential properties of the composition, we consider the
ES-box described in Table 4.2. If we consider the ES-box instead of the S-box in the
structure of Figure 6.2, then we see that for any input difference ∆x (four bytes), 256
(4× 4× 4× 4) keys at most lead to the same output difference (16 (2× 2× 2× 2) keys
at least make the same output difference). Of course, even in this structure, each key
yields a unique combination of four output differences for any five inputs. This means
that in the structure of Figure 6.3, if five input-output pairs are known, then only one
pair of key0 and key1 is determined. The following is a randomly chosen example:
1. Let us suppose that a pair, input x and output y, is known for the structure of
Figure 6.3. That is, x=(32 5a 98 34) and y=(a4 9c 7f f2).
2. To find the key pair of key0 and key1 used for the encryption, if we run through all the substitution paths in the ES-box, then we find $2^{32}$ possible key pairs.
3. Now, let us consider another input-output pair of x′=(25 b5 ae 79) and y′=(83 5f 87 68) (∆x = (17 ef 36 4d), ∆y = (27 c3 f8 9a)). If we apply step 2 to this input-output pair, then we also see another $2^{32}$ possible key pairs.
4. If we select the key pairs overlapped in step 2 and step 3, then one of these key
pairs will be the key pair actually used. At this stage, there remain 16 key pairs
of key0 and key1, which are
(3c41153c, 6ea59186), (2b41153c, 90daee07),
(3cae153c, 5e858196), (2bae153c, a0fafe17),
(3c41233c, d967e431), (2b41233c, 27189bb0),
(3cae233c, e947f421), (2bae233c, 17388ba0),
(3c411571, 30fb733a), (2b411571, ce840cbb),
(3cae1571, 00db632a), (2bae1571, fea41cab),
(3c412371, 8739068d), (2b412371, 7946790c),
(3cae2371, b719169d), (2bae2371, 4966691c).
5. Finally, if one more input-output pair of x′′=(14 66 f2 24) and y′′=(50 4e bc b5)
is considered, then a single pair of key0=(2b ae 15 3c) and key1=(a0 fa fe 17)
remains in the end. This key pair is the key pair actually used.
In this example, the key pair of key0 and key1 actually used is determined by three
input-output pairs. This example shows a general case. We note once again that in
any case, at most five input-output pairs determine the key pair of key0 and key1 in
the structure of Figure 6.3.
[Figure 6.3: Substitution in the composition of the S-box and MixColumn. Two inputs x and x′ (input difference ∆x) are XORed with key 0, passed through the ES-box (S-box + MixColumn: 0x00000000 → 0x63636363, 0x00000001 → 0x7c7c425d, ..., 0xabcdef12 → 0x0eb03a4d, ..., 0xffffffff → 0x16161616) and XORed with key 1, giving outputs y and y′ with output difference ∆y.]
6.1.4 Relationship between the elementary structure and the keys
Based on the above observations, if we now additionally consider the ShiftRows transformation, then we finally see the relationship between the AES elementary structure and the round keys. In the following property, the shift values of the ShiftRows transformation are considered for each row in the input block.
Property 6.3 For the AES elementary structure surrounded by the round keys, as
described in Figure 6.4, if five input-output pairs are known and the inputs are different
from each other in each of the four-byte combinations
(byte#0, byte#5, byte#10, byte#15),
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
and
(byte#1, byte#6, byte#11, byte#12),
then only one key pair of Key0 and Key1 is determined in any case. That is, in the
structure of Figure 6.4, if five chosen plaintexts are given, then the round key pair
(Key0, Key1) used for the encryption is found in any case.
Figure 6.4: Elementary structure surrounded by round keys. The input block b0, ..., b15 (arranged
column-wise: b0 b4 b8 b12 / b1 b5 b9 b13 / b2 b6 b10 b14 / b3 b7 b11 b15) is XORed with Key 0,
passed through SubBytes, ShiftRows and MixColumns, and XORed with Key 1 to give the output block
c0, ..., c15 in the same arrangement.
6.2 Distinctive output properties of MixColumn
Here we discuss some distinctive output properties of the function MixColumn used
for the MixColumns transformation. Property 6.4 follows immediately from the fact
that MixColumn is linear with respect to XOR. Although Property 6.4 (which is in
effect the definition of XOR-linearity) looks very simple, it is useful for finding
consistent patterns in the difference between two chosen plaintexts.
Property 6.4 Let $I_c = (b_0, b_1, b_2, b_3)$ and $I'_c = (b'_0, b'_1, b'_2, b'_3)$ be any two inputs of
MixColumn, and $\Delta I_c$ be the input difference between these two inputs. Then the
output difference between the two corresponding outputs is equal to the MixColumn of
the input difference. That is
$$\mathrm{MixColumn}(I_c) \oplus \mathrm{MixColumn}(I'_c) = \mathrm{MixColumn}(\Delta I_c = I_c \oplus I'_c).$$
While the designers of the AES algorithm have noted that changing one byte in the
input of MixColumn leads to all bytes in the output of MixColumn changing [28],
we have found the following property.
Property 6.5 For any four-byte input of MixColumn, if the value of a certain byte
is $\alpha$ and the other three bytes are all $\beta$ ($\alpha \neq \beta$), then the value $\alpha$ appears in two
bytes of the output of MixColumn. In other words, if the inputs of MixColumn are
$I_c = (\alpha, \beta, \beta, \beta)$, $I'_c = (\beta, \alpha, \beta, \beta)$, $I''_c = (\beta, \beta, \alpha, \beta)$, or $I'''_c = (\beta, \beta, \beta, \alpha)$, then
$$\begin{aligned}
\mathrm{MixColumn}(I_c) &= (\gamma, \alpha, \alpha, \delta),\\
\mathrm{MixColumn}(I'_c) &= (\delta, \gamma, \alpha, \alpha),\\
\mathrm{MixColumn}(I''_c) &= (\alpha, \delta, \gamma, \alpha),\\
\mathrm{MixColumn}(I'''_c) &= (\alpha, \alpha, \delta, \gamma),\\
\gamma \oplus \delta &= \alpha \oplus \beta.
\end{aligned}$$
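As an added check that is not part of the original text, Property 6.5 can be read off the MixColumn matrix directly. For $I_c = (\alpha, \beta, \beta, \beta)$,
$$\begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}
\begin{pmatrix} \alpha \\ \beta \\ \beta \\ \beta \end{pmatrix}
= \begin{pmatrix} 02\alpha \oplus (03 \oplus 01 \oplus 01)\beta \\ 01\alpha \oplus (02 \oplus 03 \oplus 01)\beta \\ 01\alpha \oplus (01 \oplus 02 \oplus 03)\beta \\ 03\alpha \oplus (01 \oplus 01 \oplus 02)\beta \end{pmatrix}
= \begin{pmatrix} 02\alpha \oplus 03\beta \\ \alpha \\ \alpha \\ 03\alpha \oplus 02\beta \end{pmatrix},$$
because $01 \oplus 02 \oplus 03 = 00$ in $GF(2^8)$. Hence $\gamma = 02\alpha \oplus 03\beta$, $\delta = 03\alpha \oplus 02\beta$ and
$$\gamma \oplus \delta = (02 \oplus 03)\alpha \oplus (03 \oplus 02)\beta = \alpha \oplus \beta.$$
The other three cases are the same computation with the columns of the circulant matrix shifted, which moves $\gamma, \alpha, \alpha, \delta$ cyclically as stated in the property.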
In Property 6.5, if the value of β is ‘00’, then we immediately find Property 6.6.
Property 6.6 is a special case of Property 6.5. Property 6.6 will be used to find some
consistent differential patterns of the AES algorithm.
Property 6.6 For any four-byte input of MixColumn, if the value of a certain byte
is $\alpha$ and the other three bytes are all '00', then the value $\alpha$ appears in two bytes of the
output of MixColumn and the XOR of the other two bytes of the output is $\alpha$. That
is, if the inputs of MixColumn are $I_c = (\alpha, 00, 00, 00)$, $I'_c = (00, \alpha, 00, 00)$,
$I''_c = (00, 00, \alpha, 00)$, or $I'''_c = (00, 00, 00, \alpha)$, then
$$\begin{aligned}
\mathrm{MixColumn}(I_c) &= (\gamma, \alpha, \alpha, \delta),\\
\mathrm{MixColumn}(I'_c) &= (\delta, \gamma, \alpha, \alpha),\\
\mathrm{MixColumn}(I''_c) &= (\alpha, \delta, \gamma, \alpha),\\
\mathrm{MixColumn}(I'''_c) &= (\alpha, \alpha, \delta, \gamma),\\
\gamma \oplus \delta &= \alpha.
\end{aligned}$$
We note that Properties 6.5 and 6.6 are satisfied for the difference between two inputs
as well, because of the linear property (Property 6.4) of the function MixColumn.
6.3 Consistent differential patterns of the AES algorithm
In this section, we observe some consistent differential patterns of the AES algorithm.
We discuss how the AES algorithm tends to yield some differential patterns with prob-
ability 1 after several rounds, although this cipher is probably secure against DC and
LC as outlined in Chapter 3. For future reference, we first define the concept of con-
sistent differential pattern in more detail before discussing the consistent differential
patterns of the AES algorithm.
6.3.1 Concept of the consistent differential pattern
Let us consider an input difference and the corresponding possible output differences for
a certain S-box used in a certain cipher algorithm. From the Differential-Cryptanalysis
point of view, it has been considered very important to make the possible output
differences well distributed for any input difference. This is because a cryptanalyst
can find clues for a DC attack from the biased distribution of the output differences.
Therefore, in the design of the block cipher, designers have made efforts to make the
output differences as uniformly distributed as possible. However, there may be some
hidden patterns in the output differences of the cipher, even in a case where the S-box
has a uniform distribution. Let us suppose that for a certain type of input difference
a certain function always leads to an output difference with a certain pattern. That
is, for a certain function, there always appears a fixed pattern in the output difference
for a certain type of input difference. This pattern may then influence the output
difference even after a few rounds of this cipher, if the mathematical structure of the
cipher is not very complicated. These kinds of patterns could appear not only in an
output difference itself, but also in the relationship between several or more outputs.
So, we define the consistent differential pattern as any kind of pattern which always
appears (probability 1) in an output difference or in the relationship between several
outputs. If a certain consistent differential pattern appears after t rounds of a certain
cipher algorithm, then we call this differential pattern a t-th round consistent differential
pattern. Given that the concept of the consistent differential pattern includes byte
or bit patterns existing in the output difference itself, we can say that the consistent
differential pattern includes the concept of the truncated differentials [46].
6.3.2 Second-round consistent differential patterns
Let us first consider two plaintexts in which only the values of the first bytes (byte#0)
are different from each other. The input difference is then
row #0: (p, 00, 00, 00),
row #1: (00, 00, 00, 00),
row #2: (00, 00, 00, 00),
row #3: (00, 00, 00, 00).
Because the round key addition does not affect the difference, this pattern still remains
in the difference after the first-round SubBytes transformation (only the value of the
first byte changes, p → q, where p and q are non-zero byte values). After the
ShiftRows transformation of the first round, each byte maintains the same value in the
difference. However, the first-round MixColumns transformation leads to a change in
the value of the first byte in each row. The result, according to Property 6.6, is
(r, 00, 00, 00),
(q, 00, 00, 00),
(q, 00, 00, 00),
(s, 00, 00, 00).
(Since MixColumn is a linear function, Property 6.6 is applicable to the difference.)
As the round key addition does not affect the difference, the data is unchanged after the
first round key addition. However, after the second-round SubBytes transformation,
the value of the first byte in each row is changed to
(α, 00, 00, 00),
(δ, 00, 00, 00),
(γ, 00, 00, 00),
(β, 00, 00, 00).
After this, the second-round ShiftRows transformation leads to
(α, 00, 00, 00),
(00, 00, 00, δ),
(00, 00, γ, 00),
(00, β, 00, 00).
Here, the second-round MixColumns transformation causes, according to Property 6.6,
a particular differential pattern in the output difference, such as (a) in Figure 6.5. This
pattern remains after the second-round key addition, because the round key addition
does not affect the difference. Therefore, we finally find a particular output pattern in
the second round output difference
byte#1 = byte#2 = byte#0 ⊕ byte#3,
byte#4 = byte#5 = byte#6 ⊕ byte#7,
byte#8 = byte#11 = byte#9 ⊕ byte#10,
byte#14 = byte#15 = byte#12 ⊕ byte#13.
This pattern is consistent provided only the values of the first bytes in the two plaintexts
are different from each other. So we call this property the consistent differential pattern
of the second round. If the byte having the different values between the two plaintexts
is moved, then the consistent differential pattern appears in other positions such as
(b), (c), and (d) in Figure 6.5.

Figure 6.5: Second-round consistent differential patterns 1. Input differences (a)–(d): the two
plaintexts differ in a single byte p, at byte#0 in (a) and at byte#8 in (c) (the position used for
Set #2 in Section 7.1), all other bytes being 00. Output differences: in each column of the
second-round difference two bytes are equal (α, β, γ or δ) and the other two bytes XOR to that
same value, in the positions given by the byte relations above.
Let us now consider two plaintexts which are different from each other by up to
four bytes in the circled positions, as described in (a), (b), (c) or (d) of Figure 6.6.
Figure 6.6: Second-round consistent differential patterns 2. Input differences (a)–(d): the two
plaintexts differ in up to four circled bytes, (byte#0, byte#5, byte#10, byte#15) in (a) and
(byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13) or (byte#1, byte#6, byte#11,
byte#12) in the others, all remaining bytes being 00. Output differences: the same patterns (a)–(d)
as in Figure 6.5, two equal bytes per column (α, β, γ or δ) with the other two bytes XORing to that value.
If we apply the above steps to any pair of plaintexts whose input difference is one of those
in Figure 6.6, then we find that this pair also produces, after the second round, one of the
same consistent differential patterns as in Figure 6.5. The consistent differential patterns
after the second round are described in Figure 6.6 for two plaintexts which differ by up to
four bytes. Here, we note that unless the circled bytes in an input difference are all equal
to '00' at the same time, the differential pattern always appears in the second-round output
difference.
6.3.3 2⅔-round consistent differential patterns
Although it is a little more complicated, some consistent differential patterns after the
third-round ShiftRows transformation can be found from the second-round consistent
differential patterns and Property 6.2. To clarify this, we use an example of how to find
the consistent differential patterns after the third-round ShiftRows transformation. Let
us consider any two plaintexts which differ by only the first byte, as illustrated in Figure
6.5 (a), and apply the third-round SubBytes transformation to byte#1 and byte#2 in
the second-round output difference, with the assumption that byte#1 = byte#2 = 'ff'
(byte#1 and byte#2 must be the same according to the property of the second-round
consistent differential patterns 1 (a)). We then see that according to Property 6.2, both
values of byte#1 and byte#2 in the output difference, after the third-round SubBytes
transformation, belong to the following set of 127 possible output differences caused
by the input difference 'ff'. We call this kind of set a differential set; see Appendix B
to find the differential sets for other input differences. For example, from the following
set we see that if the value of byte#1 in the output difference after the third-round
SubBytes transformation is '26', then '27' is not able to appear on byte#2.
01, 02, 03, 07, 0a, 0b, 0c, 0f, 13, 15, 17, 1d, 1e, 1f, 21, 22, 23, 25, 26, 28,
29, 2a, 2d, 2f, 31, 35, 36, 39, 3a, 3c, 3e, 40, 42, 43, 44, 46, 4c, 4d, 50, 52,
53, 56, 57, 58, 59, 5a, 5d, 5e, 62, 63, 65, 68, 69, 6a, 6b, 6d, 70, 72, 73, 75,
76, 7b, 7c, 7e, 7f, 81, 84, 88, 8a, 8c, 8d, 8e, 8f, 94, 95, 99, 9a, 9c, 9e, 9f, a0,
a6, aa, ab, ad, af, b3, b8, b9, ba, c1, c2, c3, c5, c6, c7, c8, ca, cb, cc, cd, cf,
d4, d8, dd, de, e0, e2, e3, e4, e6, e7, eb, ec, ef, f1, f2, f3, f4, f5, f6, fa, fb, fc,
fd, fe, ff.
If we now consider the third-round ShiftRows transformation, we see that both values
of byte#10 and byte#13 in the output difference after this operation are obliged to
belong to the above set. Similarly, if we apply the above idea to other byte pairs
in the second-round output difference, namely (byte#4,byte#5), (byte#8,byte#11) and
(byte#14,byte#15), then we finally find the following consistent differential pattern which
appears in the output difference after the third-round ShiftRows transformation: if
two plaintexts differ by only the first byte, then there are always four pairs of bytes in
the output difference after the third-round ShiftRows transformation, with each pair
belonging to the same differential set, as illustrated in Figure 6.7 (a). Here we note
that any pair of two plaintexts described in Figure 6.5 and Figure 6.6 leads to the
same sorts of consistent differential patterns for the same reason. Figure 6.7 shows
the correspondence between an input difference and the consistent differential pattern
appearing in the output difference after the third-round ShiftRows transformation. In
Figure 6.7, the values on the same mark belong to the same differential set.
Figure 6.7: 2⅔-round consistent differential patterns. For each of the input differences (a)–(d)
of Figures 6.5 and 6.6 (a single byte p, or up to four bytes in the circled positions), the output
difference after the third-round ShiftRows transformation contains four byte pairs marked ♦, ♠, ♥
and ♣; the two bytes carrying the same mark belong to the same differential set. For (a) the pairs
are (byte#10, byte#13), (byte#4, byte#1), (byte#8, byte#15) and (byte#6, byte#3), the ShiftRows
images of the second-round pairs (byte#1, byte#2), (byte#4, byte#5), (byte#8, byte#11) and
(byte#14, byte#15).
6.3.4 Third-round consistent differential pattern
A third-round consistent differential pattern exists in the relationship between the
third-round intermediate texts caused by more plaintexts. This third-round consistent
differential pattern could be regarded as the generalisation of the third-round balanced
property referred to in Section 3.2. Let us consider a group of $2^{8n}$ plaintexts that vary
in n bytes and are the same in the other bytes. This group of plaintexts can then be
divided into $2^{8(n-1)}$ small sets of $2^8$ plaintexts that vary in only one byte. In other
words, $2^{8(n-1)}$ small sets of $2^8$ plaintexts exist in the group, and the plaintexts in each
small set are different from each other in only one byte. Given that the XOR of all the
third-round intermediate texts for each small set is '00' in all bytes (balanced property),
we see that the XOR of all the third-round intermediate texts for the above group of
$2^{8n}$ plaintexts is also '00' in all bytes. That is, we see that
$$\bigoplus_{t=0}^{2^{8n}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.1)$$
when each of the third-round intermediate texts is denoted by $C_t$.
Figure 6.8: Third-round consistent differential pattern. The $2^{8n}$ plaintexts variable in n bytes
give the third-round intermediate texts $C_0, C_1, C_2, \ldots, C_{2^{8n}-1}$; pairing $C_0$ with each of
the others gives the differences $D_1, D_2, \ldots, D_{2^{8n}-1}$, and every difference is the XOR of all
the others:
$$D_1 = D_2 \oplus D_3 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1},\quad
D_2 = D_1 \oplus D_3 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1},\quad
D_3 = D_1 \oplus D_2 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1},\quad \ldots,\quad
D_{2^{8n}-1} = D_1 \oplus D_2 \oplus D_3 \oplus \cdots \oplus D_{2^{8n}-2}.$$
Now, if we pair any of these $2^{8n}$ third-round intermediate texts with each of the other
intermediate texts, as shown in Figure 6.8, then we can obtain $2^{8n}-1$ third-round output
differences and we see that any of these differences is equal to the XOR of the other
differences in all bytes. More visually, we see that
$$\bigoplus_{t=1}^{2^{8n}-1} D_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix}, \qquad (6.2)$$
and that
$$D_r = \bigoplus_{t=1,\; t \neq r}^{2^{8n}-1} D_t, \qquad (6.3)$$
where $D_r$ denotes any of the third-round intermediate differences.
6.3.5 Fourth-round consistent differential patterns
Fourth-round consistent differential pattern 1
We now find a fourth-round consistent differential pattern from the third-round con-
sistent differential pattern. Of the groups of plaintexts that lead to the third-round
consistent differential pattern, let us consider a group of $2^{32}$ plaintexts that vary in
the first column (four bytes). If we imagine that these plaintexts are decrypted by one
round with any round key, then we see that the decrypted texts vary in
(byte#0, byte#5, byte#10, byte#15).
That is, the $2^{32}$ decrypted texts are different from each other in the circled bytes
described in Figure 6.6 (a). This means that any $2^{32}$ plaintexts that vary in
(byte#0, byte#5, byte#10, byte#15)
lead, after one round, to intermediate texts varying in the first column, and that
if one of these plaintexts is paired with each of the other plaintexts, then after the
fourth round, any of the $2^{32}-1$ intermediate differences is equal to the XOR of the other
intermediate differences. That is,
$$D_r = \bigoplus_{t=1,\; t \neq r}^{2^{32}-1} D_t, \qquad (6.4)$$
where $D_r$ denotes any of the fourth-round intermediate differences. This concept is
also applicable to the other three columns, and we obtain the following fourth-round
consistent differential pattern. That is, for any $2^{32}$ plaintexts that vary in either
(byte#0, byte#5, byte#10, byte#15),
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12)
as illustrated in Figure 6.6, if one of these plaintexts is paired with each of the other
plaintexts, then after the fourth round, any of the $2^{32}-1$ intermediate differences is
equal to the XOR of the other intermediate differences.
Fourth-round consistent differential pattern 2
We now simplify the fourth-round consistent differential pattern 1 so that fewer in-
termediate texts are involved. In fact, the above fourth-round consistent differential
pattern 1 can be said to be caused by this property. Let us once again consider $2^{32}$
plaintexts that vary in
(byte#0, byte#5, byte#10, byte#15).
The first-round intermediate texts for these plaintexts then vary in the first column.
Therefore, if we consider three more rounds, we then see, according to (6.1), that
$$\bigoplus_{t=0}^{2^{32}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.5)$$
where each of the fourth-round intermediate texts is denoted by $C_t$. In (6.5), if we just
consider the values on a certain byte position k, then we see that
$$'00' = \bigoplus_{t=0}^{2^{32}-1} \mathrm{byte\#k}_t \qquad (6.6)$$
where $\mathrm{byte\#k}_t$ denotes the k-th byte in the intermediate text $C_t$. Let us pay more careful
attention to the values that appear on byte#k. If a certain value appears an even
number of times, then this value does not affect (6.6). We realise, therefore, that only
the values that appear an odd number of times are involved in (6.6), and we see that
$$'00' = \bigoplus_p \mathrm{value}_p \qquad (6.7)$$
where $\mathrm{value}_p$ denotes each of the values that appears an odd number of times on the
byte position k in the fourth-round intermediate texts. As a consequence, we find that
the plaintexts considered above lead to the fourth-round intermediate texts, which have
the following consistent differential pattern on every byte position, such that
$$\mathrm{value}_r = \bigoplus_{p \neq r} \mathrm{value}_p \qquad (6.8)$$
where $\mathrm{value}_r$ is any of the values that appear an odd number of times. We recall that
all other sets of $2^{32}$ plaintexts that vary in either
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12)
also bring the same differential pattern.
Fourth-round consistent differential pattern 3
We now generalise the fourth-round consistent differential pattern 2. Let us consider
any set of $2^{32}$ plaintexts that vary in either
(byte#0, byte#5, byte#10, byte#15),
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12)
and their corresponding fourth-round intermediate texts. Then, as previously estab-
lished, we see that
$$\bigoplus_{t=0}^{2^{32}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.9)$$
where $C_t$ denotes each of the fourth-round intermediate texts. Here, let us consider
the values for a certain combination of n bytes in the fourth-round intermediate texts.
If n < 4 (4 is the number of bytes that vary in the plaintexts), then there must be
some values that appear more than once in the combination of n bytes. For example,
if n = 3, then the total number of possible values for the combination of three bytes
is $2^{24}$, so most values must appear more than once in the combination, because the
number of the fourth-round intermediate texts is $2^{32}$. Even in the case of n = 4, there
will be some values which appear more than once in the combination of four bytes,
unless every value for the combination appears just once. Now let us look at (6.9). As
long as the plaintexts vary in either
(byte#0, byte#5, byte#10, byte#15),
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12),
the fourth-round intermediate texts always satisfy (6.9). Since the values that appear an
even number of times cancel in the XOR, this means that the XOR of the values that appear
an odd number of times in the combination of n bytes must be 0 for the fourth-round
intermediate texts. Otherwise the fourth-round intermediate texts cannot satisfy (6.9). As
a consequence, we see the following fourth-round consistent differential pattern 3: the
XOR of the values that appear an odd number of times in the combination of n bytes is 0
for the fourth-round intermediate texts, caused by the plaintexts that vary in either
(byte#0, byte#5, byte#10, byte#15),
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12).
6.3.6 Fifth-round consistent differential pattern
We now discuss a fifth-round consistent differential pattern of the AES algorithm. In
fact, this pattern is not a pattern that directly appears in fifth-round intermediate
texts, but a pattern existing in the relationship between fourth-round intermediate
texts and fifth-round intermediate texts. This pattern is also caused by the sets of $2^{32}$
plaintexts that have been referred to in the fourth-round consistent differential patterns
1, 2 and 3. Let us recall any set of plaintexts that have been considered for the fourth-
round consistent differential pattern 3. As mentioned in the fourth-round consistent
differential pattern 3, the XOR of the values that appear an odd number of times in
the combination of n bytes is 0 for the $2^{32}$ corresponding fourth-round intermediate
texts. Next, let us consider the four-byte combination
(byte#0, byte#5, byte#10, byte#15)
in the fourth-round intermediate texts which moves to the first column in the fifth-
round intermediate texts. As previously shown in the fourth-round consistent differ-
ential pattern 3, the XOR of the values which appear an odd number of times in this
combination must be '00000000'. Given that the bytes in this combination move to the
first column in the fifth-round intermediate texts, we see that
$$'00000000' = \bigoplus_p \mathrm{SubBytes}^{-1}\!\left(\mathrm{ShiftRows}^{-1}\!\left(\mathrm{MixColumn}^{-1}\!\left(RK_5(I_p)\right)\right)\right) \qquad (6.10)$$
where $I_p$ is a value that appears an odd number of times in the first column of the fifth-
round intermediate texts, and $RK_5$ denotes the addition of (the corresponding column of)
the fifth round key. Also, if we change the order of SubBytes and ShiftRows, and combine
SubBytes and MixColumns, then we can simplify (6.10) to (6.11) using the ES-box in Table
4.2 (ShiftRows can be omitted because it does not influence byte values, only their positions):
$$'00000000' = \bigoplus_p \mathrm{ES\text{-}box}^{-1}\!\left(RK_5(I_p)\right). \qquad (6.11)$$
If we now apply the above concept to some other four-byte combinations in the fourth-
round intermediate texts, each of which is either
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12),
then we see that (6.10) and (6.11) also hold for the other three columns in the fifth-
round intermediate texts. So, we call this property a fifth-round consistent differential
pattern. We note that any $2^{32}$ plaintexts that vary in either
(byte#0, byte#5, byte#10, byte#15),
(byte#3, byte#4, byte#9, byte#14),
(byte#2, byte#7, byte#8, byte#13),
or
(byte#1, byte#6, byte#11, byte#12)
lead to the fifth-round consistent differential pattern above.
In this chapter, we have observed some distinctive output properties of the AES
algorithm: some differential properties of the S-box used in the non-linear layer; some
distinctive output properties of the matrix multiplication MixColumn used in the
linear layer; and some consistent differential patterns existing in the partial rounds
of the AES algorithm. In the next chapter, we discuss the impact of the consistent
differential patterns on the security of the AES algorithm.
Chapter 7
Security Impact of the Consistent Differential Pattern
In this chapter, we discuss the impact of the consistent differential patterns on the se-
curity of the AES algorithm. We show that the consistent differential patterns observed
in Chapter 6 can be used for the cryptanalysis of the reduced-round AES algorithm,
independently or cooperatively with others. The cryptanalytic methods introduced in
this chapter are not much more powerful, in the number of rounds, than other crypt-
analytic methods previously proposed, but have some advantages in the requirements
of the methods, such as the number of plaintexts and the complexity. We note that the
purpose of proposing these cryptanalytic methods is to show that consistent differential
patterns of a block cipher are directly related to its security. In discussing the cryptan-
alytic methods, we consider AES-128, although the methods are applicable to AES-192
and AES-256 as well. We note that the last rounds of the AES structures discussed
here do not include the MixColumns transformation, just as the original structure does
not. We note that this chapter is based on the paper [8] published by B. Song and
J. Seberry.
7.1 Three rounds
We use two sets of five chosen plaintexts for the cryptanalysis of three rounds. One set
(Set #1) consists of five plaintexts, which are different from each other only in the first
byte (byte#0) as illustrated in Figure 6.5 (a). The other set (Set #2) consists of five
plaintexts, which are different from each other only in the ninth byte (byte#8) as illus-
trated in Figure 6.5 (c). We first use Set #1 to find half (8 bytes) of the third round
key. Let us now pair any of the five ciphertexts with each of the other ciphertexts.
Then we will obtain four pairs of ciphertexts. If these pairs of ciphertexts are decrypted
with the correct third round key, then the second-round consistent differential pattern
illustrated in Figure 6.5 (a) must appear in the four corresponding second-round in-
termediate differences, because the plaintexts are different from each other only in the
first byte. That is,
byte#1=byte#2,
byte#4=byte#5,
byte#8=byte#11,
byte#14=byte#15
in all the four second-round intermediate differences. Based on this concept, we find
(byte#13, byte#10),
(byte#4, byte#1),
(byte#8, byte#15),
(byte#6, byte#3)
of the third round key using the following steps.
1. We first find byte#13 and byte#10 of the third round key from the fact that
byte#1=byte#2 in the second-round intermediate differences. Let us decrypt each
byte#13 in a pair of the ciphertexts with all $2^8$ possible values for byte#13 of the
third round key, considering ShiftRows$^{-1}$ and SubBytes$^{-1}$. Then, according to
Property 6.2, 127 values will appear for byte#1 in the second-round intermediate
difference. Now, let us decrypt each byte#10 in the same pair of ciphertexts with
all $2^8$ possible values for byte#10 of the third round key. Then, for the same
reason, 127 values will appear for byte#2 in the second-round intermediate dif-
ference. Here, if we select the values for (byte#13, byte#10) which make byte#1
equal to byte#2 in the second-round intermediate difference, then those values
are candidates for (byte#13, byte#10) of the third round key.
2. Now, if we decrypt each (byte#13, byte#10) in another pair of ciphertexts with
those candidates for (byte#13, byte#10) of the third round key, and check whether
byte#1 is equal to byte#2 in the second-round intermediate difference, then fewer
candidates will remain for (byte#13, byte#10) of the third round key. If we apply
this step to the remaining two pairs of ciphertexts, then a single pair of values will
remain for (byte#13, byte#10) at the end, due to the differential property referred
to in Section 6.1.2. This pair, byte#13 and byte#10, are the components of the
third round key.
3. With the same principle, if we consider the other byte relations in the second-
round intermediate differences, that is,
byte#4=byte#5,
byte#8=byte#11,
byte#14=byte#15,
then we can obtain
(byte#4, byte#1),
(byte#8, byte#15),
(byte#6, byte#3)
of the third round key.
Now, using the other set of five plaintexts (Set #2), which are different from each other
only in the ninth byte (byte#8), we can find the rest of the third round key, which is
(byte#0, byte#7),
(byte#2, byte#5),
(byte#9, byte#12),
(byte#11, byte#14)
In summary, if we have 10 chosen plaintexts, we can find the Cipher Key for the
three-round AES algorithm. The time complexity of this method is about $2^8$.
7.2 Four rounds
We now present a cryptanalytic method for the four-round AES algorithm, based on the
third-round consistent differential pattern. We use one set of $2^8$ chosen plaintexts which
vary in byte#0 as illustrated in Figure 6.5 (a). This method is similar to the Square
attack, given that the Square attack is based on the third-round balanced property.
While the Square attack uses two sets of $2^8$ chosen plaintexts, however, we use just one
set, with the help of the second-round consistent differential patterns.
Basic concept
Let us suppose that a set of $2^8$ chosen plaintexts, which differ by only one byte, is given.
If these plaintexts are encrypted, then (6.1) or (6.2) will appear for the third-round
intermediate texts. This means that if the corresponding $2^8$ fourth-round ciphertexts
are decrypted with the correct fourth round key, then the third-round consistent differ-
ential pattern ((6.1) or (6.2)) will appear for the third-round intermediate texts. Based
on this idea, we first find all the possible fourth round keys. Then using the property
of a second-round consistent differential pattern, we select the key actually used from
those possible keys.
Finding possible keys
We first find the first byte (byte#0) of the fourth round key, taking into account the
decryption procedures. Let us assume a value for the first byte of the fourth round key.
If we decrypt (actually S-box$^{-1}$) the corresponding bytes in the $2^8$ ciphertexts with
this assumed value, then we can obtain $2^8$ first bytes in the third-round intermediate
texts. If these values satisfy the third-round consistent differential pattern on byte#0
(check (6.1) or (6.2)), then the value initially assumed for byte#0 is eligible for the first
byte of the fourth round key. If not, then the assumption is wrong, so another value
is assumed for the first key byte. The probability that a wrong key will satisfy the
third-round consistent differential pattern on byte#0 is $1/2^8$, so on average about one
wrong key survives in addition to the correct one. If we apply the above steps to the
other 15 bytes of the fourth round key, considering the ShiftRows transformation (the
MixColumns transformation does not exist in the last round), then we can obtain all
eligible values for each byte of the fourth round key. At this stage, about two values are
expected to remain for each key byte, so the number of possible fourth round keys will
be about $2^{16}$ (16 is the number of bytes in the round key).
Selecting the key actually used
Next, we select the fourth round key actually used from the above possible keys. In-
stead of using another set of 2^8 chosen plaintexts, we use the second-round consistent
differential pattern 1 (a) illustrated in Figure 6.5 (a). We first randomly choose two
ciphertexts from the 2^8 ciphertexts. If we decrypt them with a possible fourth round
key and the corresponding third round key (this third round key can be obtained from
the key schedule if a possible fourth-round key is given), we obtain two second-round
intermediate texts and their second-round intermediate difference. We now check
the second-round consistent differential pattern 1 (a) for the second-round intermedi-
ate difference. If the second-round consistent differential pattern 1 (a) appears in the
intermediate difference, then the possible key is the fourth round key actually used.
7.3. Five rounds 85
This is because the probability that the second-round consistent differential pattern
1 (a) appears by chance in one second-round intermediate difference is 1/2^32 unless
the possible fourth round key is the key actually used. At this stage, since the num-
ber of possible fourth round keys we must consider is about 2^16 on average, it is
good enough to check the second-round consistent differential pattern 1 (a) for just
one second-round intermediate difference.
Complexity
For this method, we must assume 2^8 values for each key byte of the fourth round
key, and look up S-box^-1 2^8 times (the number of ciphertexts) for each assumed key
value. Given that the round key block consists of 16 bytes, this task must be done
16 times during the process of finding possible keys. So, we must look up S-box^-1 2^20
times. Also, during the process of selecting the key actually used, we must decrypt
two ciphertexts for two rounds with each of the 2^16 possible keys. This step requires 2^16 × 4
one-round decryptions. Considering the amount of computation, the complexity of
this method is not greater than 2^17 full encryptions of the four-round AES algorithm.
7.3 Five rounds
The cryptanalytic method which we present for the five-round AES algorithm is based
on the fourth-round consistent differential pattern 2. For this method, we use a set
of 2^32 chosen plaintexts that vary in (byte#0, byte#5, byte#10, byte#15) as described in
Figure 6.6 (a).
Basic concept
Let us consider any set of 2^32 plaintexts of the kind outlined for the consistent
differential pattern 2. As previously shown, these plaintexts lead to the fourth-round
intermediate texts, between which the fourth-round consistent differential pattern 2
appears. This means that if the corresponding ciphertexts are decrypted for one round
with the correct fifth round key, then the consistent differential pattern 2 appears
between the decrypted texts. Based on this concept, the fifth round key is found.
Finding possible keys
We first find all possible values for the first byte (byte#0) of the fifth round key, taking
into account the decryption procedures.
1. We first count the occurrences of each value of byte#0 in the 2^32 ciphertexts. For exam-
ple, '00': 16,777,217, '01': 16,002,912, '02': 16,725,365, . . . , 'fd': 16,865,401, 'fe':
16,643,202, 'ff': 16,763,202. Then, we note the values which appear an odd
number of times. (We are not interested in the values which appear an even num-
ber of times.) On average, the number of values which appear an odd number
of times will be 128. Although we are using 2^32 chosen plaintexts, the number
of values we have to consider now is just 128 on average; for example, '00', '02',
. . . , 'fd'. In fact, this counting can be done at the same time as collecting the
ciphertexts, so this step does not add any extra cost to the cryptanalysis.
2. Next, we assume a value for byte#0 of the fifth round key. If we decrypt (actually
apply S-box^-1 to) the values which appear an odd number of times in step 1 with this
assumed key value, then we obtain the corresponding fourth-round values. If the
assumed key value is correct, then the XOR of these values in the fourth-round
intermediate texts will be '00'. If the XOR of these values is '00', then we keep the
assumed key value for byte#0 of the fifth round key. Otherwise, the assumption is
wrong, so we assume another value for byte#0 of the fifth round key. Given that
one wrong value may be chosen by chance, about two values will be chosen for byte#0 of
the fifth round key.
3. Now, we apply steps 1 and 2 to the other 15 bytes of the fifth round key, taking
into account the ShiftRows transformation (the MixColumns transformation does
not exist in the last round). Finally, about two values for each key byte will be chosen,
so the number of possible fifth-round keys will be about 2^16.
Selecting the key actually used
We now select the fifth round key actually used from the above possible keys. At
this stage, we use the second-round consistent differential pattern 2 (a) illustrated
in Figure 6.6 (a). We randomly choose two plaintexts from the 2^32 plaintexts, and
decrypt the corresponding two ciphertexts with a possible fifth round key and the
corresponding fourth and third round keys (these fourth and third round keys can
be obtained from the key schedule if a possible fifth-round key is given). Then, we
check the second-round consistent differential pattern 2 (a) for the second-round
intermediate difference. Finally, only one fifth round key will remain, for the same
reason outlined in the cryptanalysis of four rounds.
Complexity
For this method, no encryption or decryption is actually done in the process of finding
possible keys. All we have to do is assume 256 values for each fifth-round key byte,
and look up S-box^-1 128 times (the number of values which appear an odd number
of times in the fifth-round intermediate texts) for each assumed key value. Given that
the round key block consists of 16 bytes, this task must be done 16 times in the process
of finding possible keys. So, we must look up S-box^-1 2^19 (2^8 × 2^7 × 2^4) times on
average. Also, in the process of selecting the key actually used, we must decrypt two
ciphertexts for three rounds with each of the 2^16 possible keys. This step requires 2^16 × 6 one-
round decryptions. Considering the volume of the computation, the complexity of this
method is about the same as 2^17 full encryptions of the five-round AES algorithm.
We have implemented this method and applied it in practice to find the
Cipher Key presented as a data example in FIPS 197 (Announcing
the Advanced Encryption Standard) [63]. Appendix C shows the result. The results
of our implementation show that if a set of 2^32 plaintexts is given, so that we know
the values which appear an odd number of times on each byte, then the Cipher Key
of the five-round AES algorithm can be found in a few seconds. Another test result of
our implementation is shown in Appendix C.
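As an added illustration of the parity-counting key test of steps 1 and 2 above (this is example code written for this page, not the implementation of Appendix C), the following Python builds a reduced-round AES-128 from scratch and runs the same procedure on it. It uses 2^8 chosen plaintexts varying in byte#0 only, i.e. the 2^(8n) structure of Chapter 6 with n = 1, so that the balanced pattern (XOR of all values equal to 00) holds after three full rounds and the test recovers the last round key of a four-round cipher; the 2^32 diagonal set of this section applies the same test one round deeper and is too large to run here. The parity counting of step 1, the candidate filtering of step 2 with its roughly one-wrong-value-per-byte rate, the intersection over further chosen-plaintext sets, and the recovery of the Cipher Key from a round key through the key schedule are all shown. The function names, the toy key and the base plaintexts are this example's own choices.

```python
# Added example, not code from the thesis: the "odd count" key-byte test of
# Section 7.3 (steps 1-2) on a reduced-round AES-128 with 2^8 chosen plaintexts
# varying in byte#0.  All names below are this example's own.
from functools import reduce
from operator import xor

def gmul(a, b):                      # multiplication in GF(2^8), AES polynomial 0x11b
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a, b = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF, b >> 1
    return p

def _build_sbox():
    inv = [0] * 256                  # multiplicative inverses, with 0 -> 0
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gmul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for v in inv:                    # affine map: v ^ rotl(v,1..4) ^ 0x63
        s = v
        for i in range(1, 5):
            s ^= ((v << i) | (v >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def shift_rows(s):                   # state is column-major: byte#i = row i%4, column i//4
    return [s[i % 4 + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
                for r in range(4)]
    return out

def expand_key(key, rounds):         # AES-128 schedule cut at `rounds`: round keys RK0..RKrounds
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 4 * rounds + 4):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gmul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def encrypt(block, round_keys):      # reduced-round AES; the last round omits MixColumns
    last = len(round_keys) - 1
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, last + 1):
        s = shift_rows([SBOX[b] for b in s])
        if r != last:
            s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, round_keys[r])]
    return s

def odd_count_values(ciphertexts, pos):   # step 1: values of byte#pos seen an odd number of times
    parity = [0] * 256
    for c in ciphertexts:
        parity[c[pos]] ^= 1
    return [v for v in range(256) if parity[v]]

def surviving_key_bytes(ciphertexts, pos, guesses):
    # step 2: keep a guess k only if the XOR of S-box^-1(v ^ k) over the odd-count values is 00
    odd = odd_count_values(ciphertexts, pos)
    return [k for k in guesses if not reduce(xor, (INV_SBOX[v ^ k] for v in odd), 0)]

def chosen_plaintexts(base):         # 2^8 texts equal to `base` except byte#0, which takes every value
    return [[v] + list(base[1:]) for v in range(256)]

def recover_last_round_key(round_keys, bases):
    # per key byte, the guesses surviving every chosen-plaintext set (a wrong value
    # passes one set with probability about 1/2^8, so a few sets leave only the true byte)
    cands = [range(256)] * 16
    for base in bases:
        cts = [encrypt(p, round_keys) for p in chosen_plaintexts(base)]
        cands = [surviving_key_bytes(cts, pos, cands[pos]) for pos in range(16)]
    return cands

def cipher_key_from_round_key(rk, r):     # walk the AES-128 schedule back from RKr to the Cipher Key
    w = [list(rk[4 * i:4 * i + 4]) for i in range(4)]
    for j in range(r, 0, -1):
        rcon = reduce(gmul, [2] * (j - 1), 1)
        w3, w2, w1 = ([x ^ y for x, y in zip(w[a], w[a - 1])] for a in (3, 2, 1))
        t = [SBOX[b] for b in w3[1:] + w3[:1]]
        t[0] ^= rcon
        w = [[x ^ y for x, y in zip(w[0], t)], w1, w2, w3]
    return sum(w, [])

if __name__ == "__main__":
    rks = expand_key(bytes(range(16)), 4)                       # toy 4-round key
    bases = [bytes((17 * i + 3 * n) & 0xFF for i in range(16)) for n in range(4)]
    print(recover_last_round_key(rks, bases) == [[b] for b in rks[4]])
```

Running the block as a script recovers all 16 bytes of the toy cipher's fourth round key from four chosen-plaintext sets and prints True; `cipher_key_from_round_key` then turns that round key into the Cipher Key, which is the last step the thesis applies to RK6 in Section 7.4. The full ten-round schedule and encryption can be checked against the FIPS 197 data example (key 00 01 .. 0f, plaintext 00 11 .. ff).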
7.4 Six rounds
Here we describe a cryptanalytic method for the six-round AES algorithm, which is
based on the fifth-round consistent differential pattern and the fourth-round consistent
differential pattern 2. We use two sets of 2^32 chosen plaintexts that vary in (byte#0,
byte#5, byte#10, byte#15). We slightly change the original structure of the six-round
AES algorithm to that of Figure 7.1, so as to reduce the number of key assumptions. In the
structure of Figure 7.1, we find RK'5 and RK6. RK'5 in Figure 7.1 and RK5 in the
original six-round AES algorithm have the relationship
MixColumns(RK'5) = RK5.
But RK6 in Figure 7.1 is the same as RK6 in the original six-round AES algorithm.
Therefore, we can use the structure of Figure 7.1 to find the Cipher Key of the original
structure of the six-round AES algorithm, because we will find the Cipher Key from
RK6.
Figure 7.1: Checking the fourth-round consistent differential pattern (diagram not
reproduced: 2^32 chosen plaintexts pass through the SB, SR and MC layers with RK4,
RK'5 and RK6 added, and the bytes followed through the intermediate texts are
(byte#0, byte#5, byte#10, byte#15), (byte#0, byte#1, byte#2, byte#3) and
(byte#0, byte#7, byte#10, byte#13)). SB: SubBytes, SR: ShiftRows, MC: MixColumns.
Finding possible key components
We first find (byte#0, byte#7, byte#10, byte#13) in RK6 using the following steps.
1. We first select the values which appear an odd number of times in the combination
of (byte#0, byte#7, byte#10, byte#13) in a set of the ciphertexts (on average, there
are 2^31 such values in the combination).
2. We now assume a value for the combination of (byte#0, byte#7, byte#10, byte#13) in
RK6. If the values selected in step 1 are decrypted for one round with the assumed
four-byte key, then the corresponding values are placed in the first column of the
fifth-round intermediate texts (see Figure 7.1) and each value for the first column
naturally appears an odd number of times (when we decrypt, we also count the
values according to each byte). These values for the first column must satisfy
the fifth-round consistent differential pattern if the assumed key value is correct;
that is, these values must satisfy the fourth-round consistent differential pattern
2 after ShiftRows^-1 and S-box^-1 in Figure 7.1. We now check whether the
values in the first column satisfy the fourth-round consistent differential pattern
2 after ShiftRows^-1 and S-box^-1.
3. This process is the same as the process of Finding Possible Keys in the cryptanal-
ysis of five rounds. We select the values which appear an odd number of times
on byte#0 in the fifth-round intermediate texts (we already know these values
from step 2; we are not interested in the values which appear an even number
of times). If we decrypt (actually apply S-box^-1 to) these values with a value assumed
for byte#0 of RK'5, then we obtain the corresponding values on byte#0
in the fourth-round intermediate texts. If the assumed key value is correct, then
the XOR of these corresponding values will be '00'. If the XOR of these values
is '00', then we keep the assumed key value for byte#0 of RK'5. Otherwise, the
assumption is wrong, so we return to the beginning of step 3 with another value
assumed for byte#0 of RK'5. If the four-byte key initially assumed for RK6 in
step 2 is correct, then two values for byte#0 of RK'5 will be chosen, including one
wrong value which may be chosen by chance. Step 3 is also applied to the other
three bytes of RK'5, which are byte#1, byte#2 and byte#3. We can then check the
fourth-round consistent differential pattern 2 for byte#5, byte#10 and byte#15 in
the fourth-round intermediate texts as well.
4. Now, we check whether the above values for (byte#0, byte#7, byte#10, byte#13) of
RK6 and for (byte#0, byte#1, byte#2, byte#3) of RK'5 are really eligible as
components of each round key. To do this, we use the other set of chosen
plaintexts. With the key components we have just found, we decrypt the values
which appear an odd number of times in the combination of (byte#0, byte#7,
byte#10, byte#13) in the new set of ciphertexts. If any values for (byte#0, byte#7,
byte#10, byte#13) of RK6 and for (byte#0, byte#1, byte#2, byte#3) of RK'5 satisfy
the fourth-round consistent differential pattern 2 on byte#0, byte#5, byte#10 and
byte#15 in the fourth-round intermediate texts, then those values are really eligible
as key components of RK6 and RK'5. This is because the probability that
this event occurs by chance is 1/2^32 (the probability is 1/256 for each byte). At
this stage the number of key combinations we have to consider is 2^4 on average. If
the key components which have been found in steps 2 and 3 pass this step, we
keep the value initially assumed for (byte#0, byte#7, byte#10, byte#13) of RK6 (we
do not keep the components of RK'5). Otherwise, we return to the beginning of
step 2.
5. Using the same concept, if we apply steps 1 to 4 to the other bytes in the cipher-
texts, then we can find the other components of RK6, which are
(byte#1, byte#4, byte#11, byte#14),
(byte#2, byte#5, byte#8, byte#15),
(byte#3, byte#6, byte#9, byte#12).
Selecting the key actually used
Now, we finally check, in order to be certain, whether the key components are all
correct. Using the key schedule, we obtain the fifth, fourth, and third round keys from
the sixth round key. Then we decrypt two ciphertexts with the original structure of the
six-round AES algorithm (not the structure in Figure 7.1). As a consequence, we will
check the second-round consistent differential pattern 2 (a). In fact, this step requires,
if anything, only a small amount of computation, because wrong key components hardly
ever pass step 4.
Complexity
For this method, we must consider four key bytes together when assuming the sixth round
key. In step 2, for each assumption of the four-byte key, we decrypt, on average,
2^31 corresponding four-byte words for one round. Then, in step 3, we look up
S-box^-1 2^17 (2^8 × 2^7 × 4) times on average. After this, in step 4, we decrypt 2^31 four-
byte words for one round, and look up S-box^-1 2^10 (2^7 × 8) times to check whether
the assumed key components of the sixth round key can coexist with the obtained
key components of the fifth round key. These operations must be done 2^32 × 4 times,
because the number of possible values for the four-byte key combination is 2^32 and
the round-key block consists of 16 bytes (four columns). For this reason, this method
requires 2^32 × 2^32 × 4 one-round decryptions of four bytes and (2^17 + 2^10) × 2^32 ×
4 S-box^-1 lookups. That is, 2^64 one-round decryptions of a ciphertext block and 2^51
+ 2^44 S-box^-1 lookups are needed to find the sixth round key. In addition,
some more operations are required to count values in step 1 (step 1 must be done
8 times). However, these operations do not require as much computation as the
others. Considering the volume of the computation, the complexity of this method is
not greater than 2^62 full encryptions of the six-round AES algorithm, even in the worst
case.
7.5 Seven-round extension
The cryptanalytic method for the six-round AES algorithm can be extended to seven
rounds. We simply assume all the components (16 bytes) of the seventh round key.
If we naively assume all the possible values for the seventh-round key, this adds
128 bits to the key assumption, so the complexity will be about 2^190. Given this
level of complexity, we see that this method is faster than an exhaustive key search for
seven rounds of AES-192 and AES-256. For AES-128, however, this method requires more
computation than an exhaustive key search does.
In this chapter we have discussed the impact of the consistent differential pattern
on the security of the AES algorithm. We have shown that the consistent differential
patterns observed in Chapter 6 can be used for the cryptanalysis of the AES algorithm,
independently or in combination with other methods. Judging from the case of the AES
algorithm, we can say that a block cipher whose structure is very mathematical, statistical,
and therefore rather uniform, is apt to have consistent differential patterns.
Chapter 8
Conclusion
In this thesis, we have discussed our further studies on the cryptologic properties of the
AES algorithm. In the preceding chapters, we have studied some algebraic properties of
the AES algorithm. In particular, we have devoted much space to the cyclic properties
and the distinctive output properties of this cipher. In terms of the cyclic properties
of the AES algorithm we have found that
• every function used in the AES algorithm has a very short period and these short
periods are not increased in the linear layer;
• when the non-linear layer and the linear layer are combined, the period is dra-
matically increased; and
• the combination of the non-linear layer and linear layer nevertheless still has short
periods for certain types of input blocks, and causes the AES elementary structure
to have an unusual algebraic property: input blocks in which all bytes are the
same always lead to output blocks in which all bytes are the same. This property
is mainly caused by the fact that the matrix multiplication, MixColumn, does
not influence the data transformation for the inputs in which all bytes are the
same.
Summing up our observations on the cyclic properties of the AES algorithm, we can
say that the unusual property of the matrix multiplication MixColumn used in the
MixColumns transformation causes the AES algorithm to have an undesirable crypto-
logic property in the cipher part itself. However, the round key addition covers these
weaknesses, as previously shown.
In conjunction with the distinctive output properties of the AES algorithm, we have
observed that the AES algorithm has the S-box, which provides uniformly distributed
output differentials, and which enables the AES algorithm to be strong against con-
ventional cryptanalytic methods, such as DC and LC. We have also observed, however,
that there are some consistent differential patterns in the AES structure:
• any two plaintexts that differ by only one byte cause a second-round consistent
differential pattern; any two plaintexts that differ by up to four bytes in certain
positions also cause a second-round consistent differential pattern;
• any two plaintexts referred to above lead to a 223rd-round consistent differential
pattern;
• any 2^(8n) plaintexts that vary in certain n bytes lead to a third-round consistent
differential pattern;
• any 2^32 plaintexts that vary in four of the bytes cause some fourth-round consis-
tent differential patterns; and
• any 2^32 plaintexts that vary in four of the bytes cause a fifth-round consistent
differential pattern.
Summing up all our observations on the distinctive output properties of the AES
algorithm, we note that the AES algorithm is very well designed to provide uniformly-
distributed differentials in statistics, but that at the same time the structure also yields
some undesirable consistent differential patterns.
At the moment, we do not claim that the AES algorithm is not good enough as
the standard algorithm for the next few decades. Rather, we believe that the AES
algorithm is a well-designed block cipher that holds up well against conventional
cryptanalytic methods. It is also true, however, as shown in this thesis, that there are
some unusual hidden cryptologic properties in the AES algorithm. These properties
are related to both the functions used in the algorithm and the structure of the cipher.
We believe that the cryptologic properties we have observed in the AES algorithm
should also be considered in the design of other block ciphers.
Appendix A
Classifying the substitution values in the ES-box
Elements in a period of 1088297796:
00000003, 7b7b4b53, 7f405130, 71ac6ebd, 105a9904, 4a76beea, d6c83be2,
ae987220, ee1fe044, f1901c6f, cd76014f, d1cdea8b, 1af0d102, 9994cba1,
8cb9a470, 2a425311, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 4487de39, 00000003.
Elements in a period of 637481159:
00000002, 77775f4b, 89fd4b43, 00dba021, 0bcc1d1d, 8beec4c1, 6631a583,
de40d757, 7446e596, 98c6ca15, 66f0f1b8, 24a452a0, 574444c8, 68a85526,
dc326604, b367ce7e, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3943ffc4, 00000002.
Elements in a period of 637481159:
00000004, f2f2cb5a, 281fe771, 04ab3955, b7fcab9e, eb7fc024, 28b50e24,
9155f64e, 6b8b8878, c1ee0e1b, 8c61f74e, a5362a75, 7ba56ecb, c88823c4,
a60d44f9, a8257589, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , a6284276, 00000004.
Elements in a period of 637481159:
00000006, 6f6f777b, 7cc692fc, 1802f1b0, 9e5cb1ef, df03b03a, cddaab3e,
4807e396, 71601e19, 905af0ef, 4a57a737, 9c1e8049, c74d60b0, 9e97acb7,
ad015a4d, e857b0bb, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ., 24c3a2a6, 00000006.
Elements in a period of 637481159:
00000008, 303096c5, 3201cacf, 3ccd3262, 9845f5f7, b0c34792, 480f4322,
b703bea7, 36ea718d, 66b33891, 5761c826, 834a7d1f, 9d81849d, a9f90e0d,
71cb65e9, 2f540490, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , d4f75ed0, 00000008.
Elements in a period of 129021490:
00000001, 7c7c425d, 70088c94, b4bfcfe3, 8209b92c, 029a2d80, 28a22878,
aea0b931, 7902fa14, 39d58e74, aaad8e13, 83cb8c99, 68901293, 3f19d3c5,
4dca9c7a, 45a8453b, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 40f39ed7, 00000001.
Elements in a period of 129021490:
00000007, c5c59234, f138b628, 2a4966d9, 9af3e756, 59b44e33, ed784679,
996e9c6e, 3c2d6c4d, 0d53ad73, 833d811f, 6676889f, 31cfee04, ca42100f,
201f4d96, 5d8201da, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 25322e95, 00000007.
Elements in a period of 129021490:
00000009, 0101c5a7, 8629b3e6, 9f2cb203, 721b49c6, e5fc5e27, f686961b,
77ced757, 22b18f37, 9717083a, b0a38358, 4db69000, 0cbcc8d6, 56e15163,
40c9e60c, 1edfcaaf, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , f8bc508a, 00000009.
Elements in a period of 129021490:
00000010, caca832a, 7d56f7d5, 463d9bc5, 6f8ea48a, 573fa14f, 9f63ddb9,
2c3843e0, 10b07a57, 3c316fce, bc16e144, e0e3e426, 748f20b5, c863f0d8,
30ebb396, d5ea9cb3, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 9660fca0, 00000010.
Elements in a period of 64376666:
00000016, 47470f2b, 2790e4d4, 02ffa6d6, 06c1285c, 2889a169, 51cee720,
1cccab02, ebdb8a78, dbbe7384, 502bf34f, 27392f1a, 02750917, a3a5e3fe,
b48ef864, 283fd352, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c50ccf88, 00000016.
Elements in a period of 64376666:
00000142, 330d8ce2, 03426fc6, 9e74db7a, d83e8599, 7652cf41, 793ea9df,
f7390087, 92fe85e7, 4b1466ce, d082a90a, 615f779e, 7165cc06, ae8bc926,
be157a22, e5faf657, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , e401999a, 00000142.
Elements in a period of 11782972:
000000ea, 878754b0, d0be72db, f04e8e17, 9b099a42, bfe90add, 945c80f8,
16bb2a63, b5476a2b, b979793f, ae950810, 572aeba2, 51903995, 210deb4e,
4547927c, 78f4607d, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 638a2857, 000000ea.
Elements in a period of 39488:
00020002, 4b5f4b5f, 4b374b37, e1c8e1c8, d8c8d8c8, 68e168e1, 24992499,
9d459d45, 3e0e3e0e, 80998099, 8ba88ba8, d827d827, 208d208d, 78927892,
41b241b2, f044f044, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ., 30a530a5, 00020002.
Elements in a period of 16934:
00010001, 5d425d42, 8cec8cec, 2b812b81, 10ed10ed, ef70ef70, d856d856,
da0ada0a, 37073707, 247b247b, 180f180f, 00db00db, cc16cc16, 535f535f,
a98ba98b, 14fa14fa, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 6ad56ad5, 00010001.
Elements in a period of 13548:
00023af9, 468fbf7b, 08855ad7, 72d2d265, bcb8535a, 2d2f1149, 2d549f92,
5fa18416, cb0d8aa9, f1fb5a35, 60f0687e, 82efd85f, f2da440e, 40a10e81,
e387629a, 09629ae5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 6b5493f6, 00023af9.
Elements in a period of 13548:
0005fde6, a1c7299d, ce0f4789, 903b5405, b6b47fb4, 4faff08c, 709d52aa,
ec41e0ee, d0c3ec7b, 7d44ba32, 1fed72b3, 49c7a294, 3fc0eff5, 06865b2d,
f3742a67, d783da71, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 8bf1558a, 0005fde6.
Elements in a period of 10756:
001004ad, e474f2ac, 67475a99, bae96b4d, 4daa2abb, 3d7ebbb8, c693afa8,
b75ec7fd, 331c9ad6, 6cc5358d, 9afb267a, 577e3784, 7d4c663a, 2d782b1b,
2a1c777b, bae3eb1f, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 245557ee, 001004ad.
Elements in a period of 7582:
00070007, 34923492, b6e1b6e1, 398f398f, d0b1d0b1, 1ba31ba3, fe5bfe5b,
a426a426, 2e902e90, 93c293c2, 35cc35cc, 37ea37ea, a0bda0bd, cf55cf55,
66106610, da23da23, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , d740d740, 00070007.
Elements in a period of 5640:
00022db0, 60198ddf, 1f1a07c5, 056d026b, 9af53808, 6d560052, d3e04b96,
d7e151c3, f0a33d67, bf745cb3, 9a84b91a, 7e5eb685, cc06952d, d5330333,
e0d06820, bb79d978, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , feb74bd1, 00022db0.
Elements in a period of 5640:
0015e186, 91861d8c, 159a3ab0, 064ec806, 287d3aa8, 30888dbc, 6715d55f,
36fd904b, 25be5f46, 0268fa94, 2ea80eb5, 419dda8b, 95fb34ed, 0849eac3,
84fa6cb0, 7e12e049, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 5d50a4a6, 0015e186.
Elements in a period of 3560:
00094090, ac1ad06d, 88629702, 897ffc9b, 9cc732b8, b940ea44, 2bcd6742,
8c282968, 74bdceb7, 93490515, dc4eda9d, 6f7fe555, 039bcc0b, aaa58484,
491ef508, 36deceb9, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , f6110e3e, 00094090.
Elements in a period of 1902:
0000c22b, b73b421a, faa0ee71, ea2d63e2, 05a2019a, 5c237a90, 441363e2,
d26f3880, 583a5fea, 07bcfde4, 039ab3b7, e10ef911, 1687e73e, 917cae35,
5b00e35b, fff5334b, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 07a9ec2e, 0000c22b.
Elements in a period of 1902:
0021e4f9, 2aa0fc18, f7589225, 1e52dde3, 343bd875, f1f9848a, c81704c2,
173b886b, 7d0700d3, b4ad5670, 4525920a, b5a6660c, 10368e94, bbc99b1d,
03d3e8bf, cf092860, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 76a21d37, 0021e4f9.
Elements in a period of 548:
00b800b8, 7d727d72, 9a259a25, ad2aad2a, 75057505, 6a9c6a9c, a17da17d,
b37eb37e, 4ad44ad4, f16ff16f, b3bab3ba, 44dd44dd, b46eb46e, a9bba9bb,
a198a198, daaedaae, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 05a905a9, 00b800b8.
Elements in a period of 548:
00c600c6, d601d601, f973f973, b5a3b5a3, 70af70af, 01290129, d50cd50c,
e21fe21f, 28702870, fe9bfe9b, fe51fe51, 6f056f05, 35f635f6, 25f125f1,
18861886, 648d648d, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 85708570, 00c600c6.
Elements in a period of 136:
01d266c5, a9fe5e55, cfaac76e, b9070bca, a7ce59fc, 45a791df, 27d09248,
0eafd4d4, c6c99a47, 1766f9f9, aebf5a88, b1e9dc12, e6ac8152, a3a30714,
35b0843e, e8100266, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , f554d80d, 01d266c5.
Elements in a period of 90:
02338d7f, 3fdf63b8, c428b222, c0bee81a, bfe9c4bf, 2618360a, 7bdef964,
bfe8d061, 395a5936, 33362e49, 98a1e91c, 589cf7c5, 63d3955f, a28683df,
ca0304c1, eff778e5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3c0c694e, 02338d7f.
Elements in a period of 90:
0304c1ca, f778e5ef, 09a40778, a07b06ec, 19dd56f2, d30cec1e, 69ba897e,
ba0b56be, 91c44fda, ee7977ae, 80bf58e8, 68f8a703, 6e583124, 6a2f3a7b,
9a926fd1, 2cfbfe48, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 8683dfa2, 0304c1ca.
Elements in a period of 87:
f2f2f2f2, 89898989, a7a7a7a7, 5c5c5c5c, 4a4a4a4a, d6d6d6d6, f6f6f6f6,
42424242, 2c2c2c2c, 71717171, a3a3a3a3, 0a0a0a0a, 67676767, 85858585,
97979797, 88888888, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 04040404, f2f2f2f2.
Elements in a period of 81:
7c7c7c7c, 10101010, cacacaca, 74747474, 92929292, 4f4f4f4f, 84848484,
5f5f5f5f, cfcfcfcf, 8a8a8a8a, 7e7e7e7e, f3f3f3f3, 0d0d0d0d, d7d7d7d7,
0e0e0e0e, abababab, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 01010101, 7c7c7c7c.
Elements in a period of 59:
00000000, 63636363, fbfbfbfb, 0f0f0f0f, 76767676, 38383838, 07070707,
c5c5c5c5, a6a6a6a6, 24242424, 36363636, 05050505, 6b6b6b6b, 7f7f7f7f,
d2d2d2d2, b5b5b5b5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 52525252, 00000000.
Elements in a period of 47:
0112dc34, 267c8afb, b45a0a72, ff033dd5, 858a2660, 90b97790, afa867c3,
045cd890, 20a5dae6, a6cc9694, 273b32f3, 907b7f94, 536d9817, 33af56ad,
326c67a7, 6f4b8608, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c406421d, 0112dc34.
Elements in a period of 47:
018b9ded, b4b1024d, d67c95ee, c580ca6b, 10c402b6, 9225eab2, 6f943c07,
030f13bb, fbfad249, e7aa1eff, b857e655, 47af2f82, d67ec6b1, 850435cd,
13748ea7, 123539b4, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 32926cc7, 018b9ded.
Elements in a period of 47:
03c975a2, 2d5cc9b9, fe66c948, b7f3df9c, 1ed4fad4, 59ddb863, 421dc406,
dc340112, 8afb267c, 0a72b45a, 3dd5ff03, 2660858a, 779090b9, 67c3afa8,
d890045c, dae620a5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c0c8d6db, 03c975a2.
Elements in a period of 40:
0aff4adf, bcb47f4e, bb2626ae, def9dff6, 56cf65a4, f8207a9d, c41fbb12,
406b5387, 69cc8ea7, 711864fa, df0aff4a, 4ebcb47f, aebb2626, f6def9df,
a456cf65, 9df8207a, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 1864fa71, 0aff4adf.
Elements in a period of 36:
03d603d6, 7af77af7, a517a517, f107f107, 690d690d, a58ba58b, 704b704b,
8e6c8e6c, 8bc28bc2, 0d150d15, d05ed05e, 20082008, a225a225, 30353035,
3ba93ba9, 80b180b1, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3e0a3e0a, 03d603d6.
Elements in a period of 36:
07f107f1, 0d690d69, 8ba58ba5, 4b704b70, 6c8e6c8e, c28bc28b, 150d150d,
5ed05ed0, 08200820, 25a225a2, 35303530, a93ba93b, b180b180, c2c7c2c7,
f81bf81b, 86688668, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 17a517a5, 07f107f1.
Elements in a period of 27:
efefefef, dfdfdfdf, 9e9e9e9e, 0b0b0b0b, 2b2b2b2b, f1f1f1f1, a1a1a1a1,
32323232, 23232323, 26262626, f7f7f7f7, 68686868, 45454545, 6e6e6e6e,
9f9f9f9f, dbdbdbdb, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 61616161, efefefef.
Elements in a period of 24:
03d503d5, 8bf38bf3, 5d6d5d6d, acdcacdc, bfa8bfa8, 874d874d, e410e410,
34973497, 23b323b3, b0fbb0fb, 2cc42cc4, abc6abc6, d503d503, f38bf38b,
6d5d6d5d, dcacdcac, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c6abc6ab, 03d503d5.
Elements in a period of 21:
050f050f, 514c514c, 3ac23ac2, d174d174, 7dd17dd1, 66a766a7, ed82ed82,
d99fd99f, f21cf21c, a3b6a3b6, 82c682c6, 46e146e1, 05a705a7, 05320532,
fbb3fbb3, cba9cba9, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , e344e344, 050f050f.
Elements in a period of 21:
0f050f05, 4c514c51, c23ac23a, 74d174d1, d17dd17d, a766a766, 82ed82ed,
9fd99fd9, 1cf21cf2, b6a3b6a3, c682c682, e146e146, a705a705, 32053205,
b3fbb3fb, a9cba9cb, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 44e344e3, 0f050f05.
Elements in a period of 15:
0e6e0e6e, c3f7c3f7, a2e4a2e4, 9ccf9ccf, 76227622, 75de75de, 86068606,
12391239, 64bf64bf, d59ed59e, 131b131b, c210c210, e00fe00f, d443d443,
ecbeecbe, 0e6e0e6e.
Elements in a period of 15:
6e0e6e0e, f7c3f7c3, e4a2e4a2, cf9ccf9c, 22762276, de75de75, 06860686,
39123912, bf64bf64, 9ed59ed5, 1b131b13, 10c210c2, 0fe00fe0, 43d443d4,
beecbeec, 6e0e6e0e.
Elements in a period of 12:
0327266c, 1eaab216, 7b2f7983, 27266c03, aab2161e, 2f79837b, 266c0327,
b2161eaa, 79837b2f, 6c032726, 161eaab2, 837b2f79, 0327266c.
Elements in a period of 8:
cac4cac4, a4cca4cc, 4d4f4d4f, 2d4a2d4a, c4cac4ca, cca4cca4, 4f4d4f4d,
4a2d4a2d, cac4cac4.
Elements in a period of 4:
01828fc8, 5627aa2f, 8fc80182, aa2f5627, 01828fc8.
Elements in a period of 4:
27aa2f56, c801828f, 2f5627aa, 828fc801, 27aa2f56.
Elements in a period of 4:
a37dadf5, 7dadf5a3, adf5a37d, f5a37dad, a37dadf5.
Elements in a period of 2:
5da35da3, c086c086, 5da35da3.
Elements in a period of 2:
a35da35d, 86c086c0, a35da35d.
Elements in a period of 2:
73737373, 8f8f8f8f, 73737373.
Appendix B
Distribution of output differences
Output differences for an input difference 01:
01, 04, 06, 08, 09, 0a, 0b, 0c, 0d, 0e, 0f, 11, 14, 15, 18, 19, 1a, 1e, 1f, 21, 22, 24,
29, 2a, 2d, 2f, 30, 31, 35, 36, 37, 38, 39, 3a, 3b, 3f, 43, 47, 48, 4a, 4b, 4c, 4e, 4f,
51, 53, 54, 58, 59, 5a, 62, 63, 65, 69, 6a, 6b, 6c, 6e, 72, 75, 78, 79, 7d, 80, 82, 83,
84, 85, 87, 89, 8a, 8e, 91, 93, 97, 99, 9b, 9d, 9f, a1, a3, a6, a8, a9, aa, ab, ac, ad,
b0, b2, b4, b5, b6, b7, ba, bc, c1, c2, c3, c7, c8, ca, cc, cd, ce, cf, d0, d2, d3, d8,
dc, dd, e0, e1, e4, e7, ea, ed, ee, ef, f2, f6, f7, f8, fa, fb, ff.
Output differences for an input difference 02:
03, 04, 05, 06, 07, 0b, 0c, 0d, 0f, 11, 12, 14, 1b, 1c, 1d, 24, 25, 27, 2a, 2c, 2d, 2e,
2f, 36, 37, 38, 3c, 40, 41, 42, 47, 4d, 52, 53, 54, 55, 56, 57, 58, 59, 5a, 5d, 5f, 60,
64, 66, 67, 68, 6c, 6d, 6e, 70, 72, 75, 79, 7a, 7b, 7c, 7d, 80, 83, 84, 85, 86, 87, 88,
8a, 8c, 8e, 91, 94, 96, 97, 98, 99, 9a, 9b, 9c, 9d, 9f, a1, a2, a5, a7, a8, a9, aa, ac,
ae, b1, b2, ba, bc, bd, be, c0, c1, c2, c3, c5, c8, cb, cd, ce, cf, d0, d1, d4, d5, da,
db, de, e0, e3, e6, e7, e9, ec, ee, f0, f2, f3, f7, fa, fd, fe, ff.
Output differences for an input difference 03:
02, 04, 05, 08, 0a, 0b, 0c, 11, 12, 13, 14, 15, 16, 17, 18, 1b, 1e, 1f, 21, 22, 24, 28,
2b, 34, 36, 37, 3a, 40, 44, 45, 46, 48, 4b, 4d, 4e, 52, 53, 55, 56, 57, 5c, 5d, 60, 62,
64, 66, 67, 6c, 6d, 6e, 71, 72, 75, 76, 7b, 7c, 7d, 7e, 7f, 81, 82, 85, 86, 88, 8a, 8b,
91, 92, 93, 94, 95, 99, 9b, 9d, 9e, a0, a2, a3, a4, a5, a6, a9, aa, ad, af, b4, b7, ba,
bb, bc, be, c1, c2, c5, c6, c7, c8, cc, ce, d1, d3, d4, d6, d7, d8, d9, da, dc, de, e1,
e3, e4, e5, e8, e9, ea, ed, ef, f0, f5, f7, f8, f9, fa, fb, fd, ff.
Output differences for an input difference 04:
09, 12, 15, 16, 17, 18, 19, 1b, 1c, 1d, 1e, 20, 21, 26, 27, 29, 2c, 2d, 30, 31, 32, 33,
34, 35, 36, 37, 38, 3d, 3e, 42, 43, 45, 46, 47, 48, 49, 4a, 4b, 4e, 51, 53, 54, 55, 56,
57, 59, 5a, 5d, 60, 64, 65, 67, 68, 6a, 6f, 70, 73, 76, 78, 79, 7a, 7b, 7d, 7e, 81, 85,
87, 88, 8d, 8e, 91, 92, 93, 95, 96, 97, 98, 99, 9b, 9d, a0, a2, a3, a6, a9, ab, ac, af,
b0, b1, b3, b6, ba, be, c2, c3, c4, c5, cb, cc, cd, ce, cf, d0, d4, d6, d7, d8, db, de,
df, e2, e4, e6, e7, e8, ea, ec, ed, f1, f3, f4, f6, f9, fa, fb, ff.
Output differences for an input difference 05:
04, 08, 09, 0c, 0d, 11, 12, 14, 15, 16, 18, 1c, 1e, 1f, 20, 23, 24, 26, 29, 2e, 2f, 30,
31, 32, 33, 38, 39, 3a, 3b, 40, 42, 43, 44, 45, 48, 4a, 4c, 4f, 50, 52, 53, 55, 57, 58,
5a, 5b, 5c, 5f, 61, 62, 63, 64, 66, 67, 6a, 71, 73, 76, 78, 79, 7b, 80, 81, 86, 88, 8c,
8e, 90, 91, 92, 93, 94, 96, 98, 99, 9a, 9c, 9d, 9e, 9f, a0, a3, a4, a6, a8, a9, aa, ac,
af, b1, b2, b3, b4, b5, b7, b9, bb, c0, c1, c3, c6, c7, c8, c9, cb, cc, ce, d0, d1, d2,
d4, d5, dd, df, e0, e1, e3, e6, e7, ec, f0, f1, f5, f9, fc, fe, ff.
Output differences for an input difference 06:
01, 04, 05, 09, 0b, 0c, 0e, 10, 11, 12, 14, 19, 1a, 1b, 20, 23, 24, 26, 29, 30, 31, 32,
33, 35, 36, 37, 39, 3b, 3d, 3e, 3f, 40, 43, 49, 4a, 4c, 4d, 4f, 50, 51, 52, 53, 55, 56,
57, 5b, 5d, 5e, 60, 61, 63, 64, 65, 66, 67, 69, 6a, 6b, 6c, 6d, 6e, 6f, 72, 73, 74, 75,
77, 78, 7b, 7c, 7d, 85, 86, 88, 89, 8a, 8d, 8f, 90, 91, 94, 99, 9b, 9d, a2, a5, a9, aa,
ab, b0, b3, b5, b6, b8, b9, ba, bc, be, bf, c1, c2, c4, c5, c8, c9, ca, ce, d1, d2, d4,
da, dd, de, df, e2, e3, e9, eb, f0, f1, f4, f6, f7, fa, fc, fd, ff.
Output differences for an input difference 07:
01, 06, 08, 09, 0a, 10, 11, 13, 14, 16, 1c, 1d, 21, 22, 23, 25, 27, 28, 2e, 2f, 31, 32,
33, 35, 36, 37, 39, 3a, 3c, 3d, 3e, 3f, 41, 42, 43, 44, 45, 46, 48, 4e, 54, 55, 56, 57,
59, 60, 62, 64, 65, 66, 6d, 6e, 6f, 72, 73, 75, 76, 78, 79, 7b, 7c, 7e, 80, 83, 84, 86,
87, 89, 8e, 8f, 90, 93, 94, 96, 9a, 9b, 9d, 9e, a0, a4, a5, a6, a7, a9, aa, ac, b0, b2,
b3, b5, b6, b7, b8, bb, bc, be, bf, c2, c5, c8, c9, ca, cc, cd, d2, d5, d6, d9, da, db,
dc, dd, e0, e2, e3, e4, e5, e6, e7, e8, ed, f2, f3, f8, fc, fe, ff.
Output differences for an input difference 08:
02, 03, 09, 0b, 0c, 0f, 10, 11, 13, 15, 16, 1a, 1b, 1f, 21, 22, 24, 25, 26, 27, 2d, 30,
31, 32, 35, 38, 39, 3b, 3f, 47, 4b, 4c, 50, 51, 52, 53, 56, 57, 58, 5b, 5d, 62, 64, 66,
67, 68, 6a, 6b, 6d, 6f, 71, 74, 75, 76, 7a, 7d, 7e, 82, 83, 84, 87, 8b, 8c, 8d, 90, 93,
94, 95, 96, 9a, 9b, 9e, a1, a3, a4, a5, a6, a7, a8, a9, ab, ac, ae, af, b0, b1, b2, b3,
b7, b8, bc, be, c0, c2, c3, c4, c6, c8, ca, cb, cd, ce, d1, d2, d4, d5, d7, d8, d9, df,
e0, e1, e2, e6, e7, e8, e9, eb, ed, ef, f3, f7, f8, f9, fa, fc, fd.
Output differences for an input difference 09:
02, 03, 06, 07, 0c, 0e, 12, 13, 15, 16, 17, 19, 1a, 1c, 1d, 1e, 1f, 20, 25, 28, 29, 2e,
2f, 31, 32, 33, 37, 39, 3a, 3c, 3e, 3f, 43, 45, 46, 47, 4b, 4c, 4d, 4e, 51, 53, 54, 55,
56, 58, 5a, 5b, 5c, 5d, 5e, 5f, 61, 62, 63, 64, 66, 67, 68, 6a, 6c, 6d, 6e, 70, 71, 7c,
7d, 7e, 7f, 82, 83, 85, 86, 87, 89, 8d, 8e, 8f, 90, 92, 95, 96, 97, 98, 99, 9b, 9f, a1,
a4, a6, aa, b0, b1, b6, b8, bb, bc, c0, c1, c3, c5, c7, c8, c9, cc, d1, d3, d5, dc, dd,
de, df, e0, e2, e7, ea, eb, ed, ee, f0, f3, f4, f7, f8, f9, fd, ff.
Output differences for an input difference 0a:
02, 03, 04, 06, 07, 09, 0a, 0c, 0f, 11, 12, 13, 14, 17, 1d, 20, 21, 22, 23, 24, 25, 26,
27, 28, 29, 2a, 2b, 2c, 2d, 30, 31, 32, 33, 34, 39, 3b, 3c, 40, 41, 43, 46, 47, 4a, 4b,
4c, 4e, 4f, 50, 52, 53, 54, 55, 57, 59, 5b, 61, 63, 64, 66, 67, 68, 6a, 70, 73, 78, 7a,
7b, 7e, 7f, 82, 83, 84, 86, 87, 88, 8b, 90, 91, 94, 95, 97, 99, 9d, a1, a7, a9, aa, ad,
ae, b3, b5, b9, bd, c1, c8, c9, cd, ce, cf, d1, d2, d3, d4, d6, d7, d8, d9, db, dc,
dd, df, e3, e4, e5, e8, ea, ed, ee, ef, f0, f1, f2, f3, f8, fb, fc, ff.
Output differences for an input difference 0b:
01, 07, 08, 09, 0c, 0d, 0e, 0f, 10, 11, 12, 16, 17, 18, 19, 1b, 1d, 1e, 20, 21, 22, 23,
24, 28, 2b, 2c, 2d, 2f, 30, 31, 33, 34, 36, 37, 39, 3a, 3b, 3c, 40, 41, 46, 47, 48, 4b,
4c, 53, 55, 56, 5a, 5d, 61, 65, 69, 6a, 6c, 6d, 6e, 6f, 70, 71, 72, 73, 74, 76, 79, 7b,
7f, 80, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8c, 8d, 8e, 96, 9a, 9e, 9f, a1, a4, a5, a9,
af, b1, b4, b6, b8, b9, ba, bd, be, c0, c4, c6, c7, c8, c9, cb, cc, cd, ce, d0, d2, d5,
d6, d8, db, e2, e3, e5, e6, e9, eb, ed, ef, f0, f1, f6, f8, f9, fd.
Output differences for an input difference 0c:
02, 03, 06, 07, 08, 09, 0a, 0d, 0f, 12, 13, 19, 1b, 1f, 20, 22, 25, 26, 28, 29, 2a, 2b,
2e, 2f, 30, 31, 32, 33, 35, 36, 37, 3a, 3c, 3d, 3e, 41, 43, 44, 49, 4a, 51, 53, 55, 56,
57, 58, 5c, 5d, 5f, 60, 62, 64, 65, 67, 6a, 6f, 71, 73, 78, 7b, 7d, 7f, 80, 82, 83, 84,
85, 88, 8b, 8c, 8d, 91, 99, 9a, 9b, 9c, 9d, 9e, 9f, a1, a2, a4, a7, a8, a9, ab, ad, ae,
b0, b2, b3, b4, b6, b7, ba, bb, bd, be, c0, c2, c4, c5, c6, c7, ce, d3, d4, d5, d9,
dc, de, df, e0, e1, e2, e5, ee, ef, f1, f2, f4, f5, f6, f8, fa, fe, ff.
Output differences for an input difference 0d:
01, 02, 06, 07, 08, 09, 0a, 0b, 0f, 11, 13, 17, 19, 1a, 1e, 1f, 20, 21, 23, 24, 26, 29,
2b, 2c, 2e, 2f, 30, 33, 35, 36, 39, 3c, 3e, 3f, 42, 43, 44, 45, 46, 47, 4c, 4d, 4e, 4f,
52, 53, 56, 59, 5b, 5d, 5f, 60, 62, 64, 67, 68, 69, 6c, 6e, 6f, 71, 75, 76, 77, 79, 7b,
7c, 7d, 82, 84, 86, 87, 88, 8c, 90, 91, 92, 93, 94, 96, 9a, 9b, 9d, 9f, a2, a3, a4, a5,
a7, a8, aa, ab, ad, ae, af, b1, b2, b3, b4, b5, b6, b8, b9, ba, bf, c1, c3, c4, cc, cf,
d0, d7, d8, db, e5, e7, e8, e9, ea, eb, ec, ee, f0, f3, f4, f5, f8.
Output differences for an input difference 0e:
02, 03, 04, 05, 07, 08, 0a, 0b, 15, 17, 1b, 1e, 1f, 21, 22, 24, 26, 27, 30, 31, 32, 33,
37, 39, 3b, 3e, 3f, 40, 41, 42, 43, 44, 47, 48, 49, 4a, 4b, 4f, 50, 52, 55, 56, 58, 59,
5a, 5c, 5f, 64, 66, 68, 69, 6b, 6d, 6e, 70, 71, 74, 76, 77, 79, 7c, 7f, 80, 82, 84, 86,
88, 89, 8a, 8f, 90, 91, 92, 93, 95, 97, 98, 9a, 9b, 9e, 9f, a0, a1, a2, a7, aa, ab, ac,
b0, b1, b2, b6, b7, b8, b9, ba, bc, c0, c3, c4, c5, c7, c8, c9, cd, ce, d3, d4, d6, d9,
db, dd, e2, e4, e5, e6, e8, e9, ea, ee, f1, f2, f6, f9, fa, fe, ff.
Output differences for an input difference 0f:
02, 03, 04, 08, 0a, 0c, 0f, 11, 15, 16, 17, 18, 19, 1a, 21, 23, 28, 29, 2b, 2e, 30, 31,
33, 36, 3c, 3e, 42, 47, 49, 4b, 4c, 4d, 4e, 4f, 50, 52, 54, 55, 57, 5d, 5e, 61, 62, 65,
66, 67, 69, 6d, 6e, 6f, 70, 71, 74, 75, 78, 7a, 7e, 80, 83, 85, 88, 89, 8a, 8d, 8e, 90,
92, 93, 96, 98, 99, 9a, 9b, 9c, 9d, 9e, 9f, a0, a2, a7, a8, aa, ab, ac, af, b0, b3, b8,
bb, bd, be, bf, c0, c3, c5, c7, ca, cb, cc, cd, ce, cf, d0, d2, d3, d6, d7, d9, da, db,
dd, df, e0, e1, e3, e9, ee, ef, f0, f1, f2, f3, f5, f7, f8, fa, fb.
...
...
Output differences for an input difference fe:
03, 04, 07, 08, 09, 0d, 13, 15, 1c, 1e, 1f, 20, 23, 24, 27, 28, 29, 2b, 2e, 2f, 34, 36,
38, 3e, 3f, 40, 41, 44, 46, 47, 48, 49, 4c, 4d, 4e, 52, 55, 59, 5b, 5c, 5d, 60, 61, 63,
64, 66, 68, 69, 6a, 6b, 6c, 70, 71, 72, 73, 74, 75, 76, 77, 78, 7d, 7e, 84, 85, 86, 88,
89, 8b, 8c, 8e, 8f, 91, 92, 93, 96, 97, 9c, 9e, a0, a1, a5, a7, a8, aa, ab, ad, b0, b3,
b5, b6, b7, b8, be, c2, c4, c7, c8, cb, cd, ce, d0, d2, d4, d5, d7, d8, da, db, dc,
de, df, e0, e2, e7, ec, ed, ee, ef, f2, f6, f7, f8, f9, fb, fc, fd, ff.
Output differences for an input difference ff:
01, 02, 03, 07, 0a, 0b, 0c, 0f, 13, 15, 17, 1d, 1e, 1f, 21, 22, 23, 25, 26, 28, 29, 2a,
2d, 2f, 31, 35, 36, 39, 3a, 3c, 3e, 40, 42, 43, 44, 46, 4c, 4d, 50, 52, 53, 56, 57, 58,
59, 5a, 5d, 5e, 62, 63, 65, 68, 69, 6a, 6b, 6d, 70, 72, 73, 75, 76, 7b, 7c, 7e, 7f, 81,
84, 88, 8a, 8c, 8d, 8e, 8f, 94, 95, 99, 9a, 9c, 9e, 9f, a0, a6, aa, ab, ad, af, b3, b8,
b9, ba, c1, c2, c3, c5, c6, c7, c8, ca, cb, cc, cd, cf, d4, d8, dd, de, e0, e2, e3, e4,
e6, e7, eb, ec, ef, f1, f2, f3, f4, f5, f6, fa, fb, fc, fd, fe, ff.
Appendix C
Implementation results of the five-round cryptanalysis
Test Result #1
1.1 A set of 2^32 chosen plaintexts
2^32 plaintexts
43 00 31 37
f6 30 00 07
a8 8d a2 00
00 88 31 e0

43 00 31 37
f6 30 00 07
a8 8d a2 01
00 88 31 e0

43 00 31 37
f6 30 00 07
a8 8d a2 02
00 88 31 e0

43 00 31 37
f6 30 00 07
a8 8d a2 03
00 88 31 e0

• • •

43 ff 31 37
f6 30 ff 07
a8 8d a2 ff
ff 88 31 e0
2^32 ciphertexts
• • •
49 b8 2a 64
de 63 f9 10
ea b8 4b fa
f0 bb dd 4e

c3 30 b8 4d
91 0d 91 37
40 55 bc 26
b5 c2 ba 1a

b8 1b 7e 15
45 5c 57 e8
d1 b3 c3 fe
7b af d8 82

d1 ae d6 1e
8b 8e 00 57
34 4f ee 57
68 83 58 ca

98 37 0d db
50 b5 3c 6a
92 3d fd 36
66 08 92 8a
1.2 Result of Finding Possible Keys
Eligible components for the fifth round key (RK5) :
byte #0 : 11, d4
byte #1 : d1, d3
byte #2 : 16, 6b, c6, ca
byte #3 : 4a, f8
byte #4 : 7c, ab
byte #5 : 80, 83
byte #6 : 7a, 9a, 9d, b6, b9, cd
byte #7 : 57, 87
byte #8 : ca, cf
byte #9 : 06, f2
byte #10 : 8e, a0, b8
byte #11 : bc
byte #12 : 11, 7b
byte #13 : d4, f9
byte #14 : 15
byte #15 : 52, bc
1.3 Result of Selecting the Key Actually Used
RK5 : d4 d1 c6 f8 7c 83 9d 87 ca f2 b8 bc 11 f9 15 bc
RK4 : ef 44 a5 41 a8 52 5b 7f b6 71 25 3b db 0b ad 00
RK3 : 3d 80 47 7d 47 16 fe 3e 1e 23 7e 44 6d 7a 88 3b
RK2 : f2 c2 95 f2 7a 96 b9 43 59 35 80 7a 73 59 f6 7f
RK1 : a0 fa fe 17 88 54 2c b1 23 a3 39 39 2a 6c 76 05
RK0 : 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
Cipher Key : 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
Test Result #2
2.1 A set of 2^32 chosen plaintexts
2^32 plaintexts
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00

00 00 00 00
00 00 00 00
00 00 00 01
00 00 00 00

00 00 00 00
00 00 00 00
00 00 00 02
00 00 00 00

00 00 00 00
00 00 00 00
00 00 00 03
00 00 00 00

• • •

00 ff 00 00
00 00 ff 00
00 00 00 ff
ff 00 00 00
2^32 ciphertexts
• • •
6f 5f 56 69
45 99 7c 73
89 31 d8 21
bb 0f 74 5a

9d c7 99 82
f1 a8 86 96
bd d3 50 99
5e d9 a6 1a

83 f4 a9 d6
36 36 1a 76
53 49 97 09
e7 9d a4 17

93 9d fa 72
48 cc cd bf
6d 44 9d 59
aa 78 8d 1c

10 1e 58 c2
9d fa 6d 75
aa 2e 7a fe
38 9e 84 cd
2.2 Result of Finding Possible Keys
Eligible components for the fifth round key (RK5) :
byte #0 : 8e
byte #1 : 18, 63, b0
byte #2 : 49
byte #3 : 2a, 86
byte #4 : 39
byte #5 : 40, a7, ab
byte #6 : 38, 46
byte #7 : 1d
byte #8 : d9
byte #9 : 70
byte #10 : 10
byte #11 : 34, ad
byte #12 : 64, 8f
byte #13 : 67
byte #14 : 3d
byte #15 : 49, e3
2.3 Result of Selecting the Key Actually Used
RK5 : 8e b0 49 86 39 40 38 1d d9 70 10 ad 8f 67 3d e3
RK4 : 6e 68 66 37 b7 f0 71 9b e0 30 28 b0 56 17 2d 4e
RK3 : aa 03 dd 79 d9 98 17 ac 57 c0 59 2b b6 27 05 fe
RK2 : 3a 49 de 81 73 9b ca d5 8e 58 4e 87 e1 e7 5c d5
RK1 : 30 80 de 29 49 d2 14 54 fd c3 84 52 6f bf 12 52
RK0 : 21 10 bd 66 79 52 ca 7d b4 11 90 06 92 7c 96 00
Cipher Key : 21 10 bd 66 79 52 ca 7d b4 11 90 06 92 7c 96 00
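The output-difference distribution of Appendix B and the round-key-to-cipher-key step (1.3 and 2.3) of Appendix C, as one added Python example that is not part of the thesis: the S-box is built from its FIPS 197 definition rather than tabulated, all function names are mine, and the only page value it carries is RK5 from Test Result #1. The key-schedule inversion is written for any AES-128 round key, not only RK5, which is the general point behind step 1.3: one recovered round key yields the cipher key.

```python
# Added example (not from the thesis): builds the AES S-box from its FIPS 197
# definition and uses it for two computations shown in the appendices:
#  - Appendix B: which output differences the S-box can produce for a given
#    input difference (one row of its difference distribution table);
#  - Appendix C, step 1.3: walking the AES-128 key schedule backwards from a
#    recovered fifth round key (RK5) to the cipher key.
from collections import Counter

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0

def sbox(x: int) -> int:
    """AES SubBytes: GF(2^8) inversion followed by the affine transformation."""
    b = gf_inv(x)
    s = b
    for i in range(1, 5):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63

def ddt_row(d_in: int) -> Counter:
    """Count how often each output difference occurs for input difference d_in."""
    return Counter(sbox(x) ^ sbox(x ^ d_in) for x in range(256))

def output_differences(d_in: int) -> list:
    """Sorted output differences that occur at all, as listed in Appendix B."""
    return sorted(ddt_row(d_in))

def format_appendix_b_row(d_in: int) -> str:
    """Render one row in the appendix's own style."""
    return (f"Output differences for an input difference {d_in:02x}: "
            + ", ".join(f"{d:02x}" for d in output_differences(d_in)) + ".")

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def previous_round_key(rk: bytes, round_no: int) -> bytes:
    """Invert one AES-128 key-schedule step: RK<round_no> -> RK<round_no-1>."""
    w = [rk[4 * j:4 * j + 4] for j in range(4)]
    p3 = _xor(w[3], w[2])  # forward: w[4i+3] = w[4i+2] ^ w[4i-1]
    p2 = _xor(w[2], w[1])
    p1 = _xor(w[1], w[0])
    t = bytes(sbox(b) for b in p3[1:] + p3[:1])  # SubWord(RotWord(w[4i-1]))
    t = bytes([t[0] ^ RCON[round_no - 1]]) + t[1:]
    p0 = _xor(w[0], t)  # forward: w[4i] = w[4i-4] ^ t
    return p0 + p1 + p2 + p3

def recover_cipher_key(round_key: bytes, round_no: int) -> bytes:
    """Walk RK<round_no> back to RK0, which for AES-128 is the cipher key."""
    for r in range(round_no, 0, -1):
        round_key = previous_round_key(round_key, r)
    return round_key

# RK5 as selected in Test Result #1 above (value taken from the thesis).
RK5_TEST1 = bytes.fromhex("d4d1c6f87c839d87caf2b8bc11f915bc")

if __name__ == "__main__":
    print(format_appendix_b_row(0x01))
    print("Cipher Key :", recover_cipher_key(RK5_TEST1, 5).hex())
```

Running it prints the Appendix B row for input difference 01 and the cipher key of Test Result #1; the same call with the RK5 of Test Result #2 returns that test's cipher key.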