On the Internal Structure of the Advanced Encryption Standard and Two AES-Based Cryptographic Constructions Jianyong Huang University of Wollongong

University of Wollongong Research Online

University of Wollongong Thesis Collection University of Wollongong Thesis Collections

2012 On the internal structure of the advanced encryption standard and two AES-based cryptographic constructions Jianyong Huang University of Wollongong

Recommended Citation Huang, Jianyong, On the internal structure of the advanced encryption standard and two AES-based cryptographic constructions, Doctor of Philosophy thesis, School of Computer Science and Software Engineering, University of Wollongong, 2012. http://ro.uow.edu.au/theses/3517

Research Online is the open access institutional repository for the University of Wollongong. For further information contact Manager Repository Services: [email protected].

NIVERSITY U OF WOLLONGONG

On the Internal Structure of the Advanced Encryption Standard and Two AES-Based Cryptographic Constructions

A thesis submitted in fulﬁlment of the requirements for the award of the degree

Doctor of Philosophy

from

UNIVERSITY OF WOLLONGONG

Jianyong Huang

ii Dedicated to My Family

iii Declaration

This is to certify that the work reported in this thesis was done by the author, unless speciﬁed otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution.

Jianyong Huang May 7, 2012

iv Abstract

The Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government in 2000. It is one of the most popular algorithms used in symmetric key cryptography nowadays. In this thesis, we study the internal structure of the AES algorithm and two AES-based cryptographic primitives: the ALPHA-MAC message authentication code and the LEX stream cipher. In the analysis of the AES internal structure, we focus on two areas: the internal algebraic properties and the key schedule of the AES algorithm. This thesis makes the following four contributions. First, we ask the question what happens if we change the values of some bytes of some intermediate results during an AES encryption. We aim to investigate the impact of these changes on the output of the encryption, and study the feasibility of cancelling out the effects of such changes. By using the structural features of the AES round transformation, we propose a five-round algebraic property which shows that if one carries out four extra exclusive or operations on four fixed-position bytes in some round, five consecutive rounds of such operations will cancel out all changes made to the intermediate results and, consequently, the final output of the encryption will not be affected by these changes. Second, we use the proposed five-round algebraic property of the AES cipher to study the construction of the ALPHA-MAC. We introduce two methods: the Backwards-aNd-Backwards search algorithm and the Backwards-aNd-Forwards search algorithm. By combining these two methods, one can find second preimages of the ALPHA-MAC, given an intermediate value. In addition, we demonstrate that the second-preimage search algorithm can also be used to generate internal collisions for the ALPHA-MAC if an intermediate value is known. Third, we carry out further investigations on the key schedule of the AES cipher, and our research identifies some repeated differential properties in the AES-128 and AES-256 key schedules. In the case of AES-128, if the difference of two secret keys has a special pattern, which we call repeated differential pattern, the propagation of the difference via the key schedule will produce at least seven zero differences in each round, and the same pattern repeats every four rounds. In the case of AES-256, we

v show that two secret keys with a double-sized repeated diﬀerential pattern generate similar repeated features in the resultant subkeys. Fourth, we describe a diﬀerential fault analysis of the LEX stream cipher. The attack exploits computational errors during keystream generation to recover secret keys of the cipher. In our analysis, the cipher is assumed to have random faults in its states and typically, there is one random faulty bit injected during each computation. In the proposed attack, the adversary can extract the secret key of LEX by analysing the output keystream generated by 40 faults.

vi Acknowledgements

The road to my doctoral degree has been a long but rewarding journey. I would like to thank the following people and organisations. Without their help and support, this thesis would not have been possible. I am grateful to my principal supervisor, Professor Jennifer Seberry, for her guidance and suggestions throughout this thesis. I am especially thankful for her kindness and patience over the past few years. It has been a pleasure to study under her supervision. Her knowledge and academic experience have been invaluable to me. I wish to express my sincere gratitude to my co-supervisor, Professor Willy Susilo, who has supervised me with his knowledge and patience while giving me the freedom to work in my own way. I appreciate all his contributions of time and ideas to make my research experience productive and stimulating. I specially want to thank him for offering many helpful opinions and lots of administrative support. I am thankful to Professor Eli Biham for many fruitful and interesting discussions during his visit to University of Wollongong in 2004. During his three-month stay in Wollongong, I was able to learn how he approached and solved problems, which helped me to develop the capability to carry out independent research. I thank the Centre for Computer and Information Security Research (CCISR) for organising regular research seminars, which gave me the opportunity to hear presenta- tions and to converse with other researchers. I also thank the Research Student Centre for allowing me to take a long leave of absence. I would like to acknowledge the generous financial support of the University Post- graduate Award, funded by University of Wollongong. I thank the School of Computer Science and Software Engineering, and CCISR for sponsoring me to attend research conferences. Finally, I am grateful to Zhen Luo for always being the first person to discuss my undeveloped thoughts with, and for constantly providing support when needed. Last but not least, I would like to thank my parents, Yulan Zhao and Xinmin Huang, for continually encouraging me to complete the doctoral degree.

vii Publications

During my PhD studies, I have published the following papers. Please note that the contributions of Paper 6 and Paper 7 are not included in this thesis in order to maintain content consistency.

1. Jianyong Huang, Willy Susilo, and Jennifer Seberry. Repeated diﬀerential properties of the AES-128 and AES-256 key schedules. In Huaimin Wang, Stephen R. Tate, and Yang Xiang, editors, the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications - IEEE TrustCom 2011, Changsha, China, November 16-18, 2011, Proceedings, 2011, to appear.

2. Jianyong Huang, Willy Susilo, and Jennifer Seberry. Diﬀerential fault analysis of LEX. In Juan A. Garay and Roberto De Prisco, editors, Security and Cryptog- raphy for Networks, the 7th International Conference, SCN 2010, Amalﬁ, Italy, September 13-15, 2010, Proceedings, Lecture Notes in Computer Science volume 6280, pages 55-72. Springer, Heidelberg, 2010.

3. Jianyong Huang, Jennifer Seberry, and Willy Susilo. A ﬁve-round algebraic property of AES and its application to the ALPHA-MAC. International Journal of Applied Cryptography (IJACT), volume 1, number 4, pages 264-289, 2009.

4. Jianyong Huang, Jennifer Seberry, and Willy Susilo. A ﬁve-round algebraic property of the Advanced Encryption Standard. In Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, and Der-Tsai Lee, editors, Information Security, the 11th Inter- national Conference, ISC 2008, Taipei, Taiwan, September 15-18, 2008, Proceed- ings, Lecture Notes in Computer Science volume 5222, pages 316-330. Springer, Heidelberg, 2008.

5. Jianyong Huang, Jennifer Seberry, and Willy Susilo. On the internal structure of ALPHA-MAC. In Phong Q. Nguyen, editor, Progress in Cryptology - VI- ETCRYPT 2006, the First International Conference on Cryptology in Vietnam, Hanoi, Vietnam, September 25-28, 2006, Proceedings, Lecture Notes in Com- puter Science volume 4341, pages 271-285. Springer, Heidelberg, 2006.

viii 6. Jianyong Huang, Jennifer Seberry, Willy Susilo, and Martin W. Bunder. Secu- rity analysis of Michael: the IEEE 802.11i message integrity code. In Tomoya Enokido, Lu Yan, Bin Xiao, Daeyoung Kim, Yuan-Shun Dai, and Laurence Tian- ruo Yang, editors, Embedded and Ubiquitous Computing - EUC 2005 Workshops, Nagasaki, Japan, December 6-9, 2005, Proceedings, Lecture Notes in Computer Science volume 3823, pages 423-432. Springer, Heidelberg, 2005.

7. Jianyong Huang, Willy Susilo, and Jennifer Seberry. Observations on the message integrity code in IEEE802.11 wireless LANs. In Tadeusz Wysocki, editor, the 3rd Workshop on the Internet, Telecommunications and Signal Processing - WITSP 2004, Adelaide, Australia, 20-22 December 2004, Proceedings, pages 328- 332, CD-ROM, 2004.

ix Contents

Abstract v

Acknowledgements vii

Publications viii

1 Introduction 1 1.1 TheDevelopmentofAES ...... 3 1.2 MotivationsandObjectives ...... 3 1.3 Contributions ...... 5 1.4 ThesisStructure...... 6

2 A Description of AES 8 2.1 Encryption ...... 9 2.1.1 TheSubBytesTransformation ...... 9 2.1.2 TheShiftRowsTransformation ...... 10 2.1.3 TheMixColumnsTransformation ...... 11 2.1.4 TheAddRoundKeyTransformation ...... 12 2.2 Decryption...... 12 2.2.1 TheInvSubBytesTransformation ...... 13 2.2.2 TheInvShiftRowsTransformation...... 13 2.2.3 TheInvMixColumnsTransformation ...... 14 2.2.4 The Inverse of the AddRoundKey Transformation ...... 15 2.3 TheKeySchedule...... 15 2.3.1 TheAES-128KeySchedule ...... 17 2.3.2 TheAES-192KeySchedule ...... 18 2.3.3 TheAES-256KeySchedule ...... 19

3 Cryptanalysis of AES 21 3.1 ABriefDescriptionofDES ...... 22

x 3.2 DifferentialCryptanalysis ...... 23 3.3 LinearCryptanalysis ...... 26 3.4 Security of AES against Differential and Linear Cryptanalysis . . . .. 27 3.5 SquareAttack...... 28 3.6 CollisionAttacks ...... 29 3.7 BoomerangAttacks...... 31 3.7.1 AmplifiedBoomerangAttack ...... 33 3.7.2 RectangleAttack ...... 33 3.8 Impossible Differential Cryptanalysis ...... 34 3.9 DualCiphers ...... 35 3.10AlgebraicAttacks...... 36 3.11Related-KeyAttacks ...... 36 3.12 Biclique Cryptanalysis ...... 39 3.13 SummaryofAESCryptanalysis ...... 40

4 A Five-Round Algebraic Property of AES 42 4.1 TheFive-RoundProperty ...... 42 4.2 The δ Algorithm ...... 43 ′ ′ ′ ′ 4.2.1 Deciding M0, M2, M8 and M10 ...... 45 ′ ′ ′ ′ 4.2.2 Computing R0, R2, R8 and R10 ...... 48 ′ ′ ′ ′ 4.2.3 Calculating V0 ,V2 ,V8 and V10 ...... 50 ′ ′ ′ ′ 4.2.4 Determining Z0,Z2,Z8 and Z10 ...... 52 4.2.5 Variants of Algorithm δ ...... 53 4.3 Summary ...... 54

5 On the Internal Structure of ALPHA-MAC 55 5.1 DescriptionoftheALPHA-MAC ...... 55 5.2 Applying the Five-Round Algebraic Property to the ALPHA-MAC . . 56 5.2.1 TheSecond-PreimageSearchAlgorithm ...... 57 5.2.2 The Collision Search Algorithm ...... 69 5.3 RelatedWork ...... 69 5.4 Summary ...... 70

6 Repeated Differential Properties of the AES-128 and AES-256 Key Schedules 71 6.1 Repeated Differential Properties of the AES-128 Key Schedule . .... 72 6.2 Repeated Differential Properties of the AES-256 Key Schedule . .... 75 6.3 Summary ...... 82

xi 7 Diﬀerential Fault Analysis of LEX 83 7.1 TheLEXStreamCipher ...... 84 7.2 The Diﬀerential Fault Analysis ...... 85 7.2.1 The Fault Position Determination Method ...... 86 7.2.2 Recovering 4 Key Bytes of Round i +2...... 89 7.2.3 Retrieving 16 Key Bytes in Round i − 1, i, i + 1 and i +3 ... 96 7.2.4 Deducing 10 more Key Bytes in Round i +2...... 99 7.3 DiscussionandRelatedWork ...... 102 7.4 Summary ...... 102

8 Conclusions and Future Work 103 8.1 OurContributions ...... 103 8.2 FutureWork...... 104

Bibliography 106

A The Computation from Round 5 to Round 10 in Theorem 6.1.1 121

xii List of Tables

1.1 TheﬁfteenAEScandidatealgorithms...... 4 1.2 Structureofthethesis ...... 6

2.1 Theblock-key-roundparameters...... 8 2.2 The substitution table of the AES algorithm ...... 11 2.3 TheinverseS-Box...... 15

3.1 SummaryofAES-128cryptanalysis ...... 40 3.2 Summary of AES-192 and AES-256 cryptanalysis ...... 41

5.1 Second-preimage search = BNB search + BNF search ...... 68 5.2 Theresultsofthesearchalgorithm ...... 69

7.1 Fourgroupsofthefaultpositions ...... 88 7.2 Threegroupsoffaultpositions...... 89

xiii List of Figures

2.1 TheAESencryption ...... 10 2.2 TheShiftRowsfunction...... 11 2.3 TheAddRoundKeyoperation ...... 12 2.4 TheAESdecryption ...... 14 2.5 TheInvShiftRowstransformation ...... 14 2.6 TheRotWordtransformation ...... 16 2.7 TheSubWordoperation ...... 16 2.8 TheAES-128keyschedule ...... 17 2.9 TheAES-192keyschedule ...... 18 2.10 TheAES-256keyschedule ...... 19

3.1 TheFeistelstructureofDES...... 22 3.2 The F -functionofDES...... 23 3.3 TheevolutionofaΛ-setin3roundsofAES ...... 29 3.4 Afour-rounddistinguisherofAES...... 30 3.5 A pictorial illustration of the boomerang attack ...... 32 3.6 The depiction of a local collision ...... 38 3.7 The biclique cryptanalysis with the meet-in-the-middle attack . . . .. 40

4.1 Thetwentybytes ...... 43 4.2 TheintermediatevaluesofAES-128...... 44 4.3 The intermediate values of AES-128 with 20 extra XOR operations .. 45 4.4 Diﬀerentlocationsofthetwentybytes ...... 54

5.1 ALPHA-MACconstruction ...... 56 5.2 The ﬁve-block collisions ...... 59 5.3 Thesecond-preimagesearch ...... 68

6.1 The 10-round R diﬀerentialpattern ...... 76 6.2 The 14-round R diﬀerentialpattern ...... 77

xiv 7.1 Initialisation and stream generation ...... 85 7.2 The leak positions in the even and odd rounds ...... 85 7.3 Thethree-rounddiagram...... 86

7.4 Computing the values of ∆l1,3, ∆l3,3, ∆q1,2 and ∆q3,0 ...... 91

7.5 Deducing the actual values of q1,2 and q3,0 ...... 92 7.6 Recovering4keybytes ...... 96 7.7 Therecoveredkeybytes ...... 97 7.8 Theseven-rounddiagram...... 98 7.9 Thededucedkeybytes ...... 99

xv Chapter 1

Introduction

Symmetric-key cryptography is an important area of study in modern cryptography. In symmetric-key ciphers, the encryption of plaintext and decryption of ciphertext use the same key (or, less commonly, the encryption key is diﬀerent from the decryption key, but there is a simple transformation between these two keys). Block ciphers and stream ciphers are two fundamental primitives of the symmetric-key ciphers. A block cipher is an algorithm which maps ﬁxed-length plaintext blocks to same- length ciphertext blocks by using a key-dependent transformation [82]. A block cipher contains two functions: the encryption function E and the decryption function E−1. The encryption function E takes a plaintext P and a key K as the inputs and generates the corresponding ciphertext C as the output, written as C = EK (P ). The decryption function E−1 accepts two parameters: a ciphertext C and a key K, and outputs the −1 corresponding plaintext P , represented as P = EK (C). The length of a plaintext and its corresponding ciphertext is called block size. For example, if a block cipher maps n-bit plaintext blocks to n-bit ciphertext blocks, the block size is n bits. The key size of a block cipher is the bit-string length of the key. Stream ciphers are a set of algorithms that use a time-vary transformation to encrypt individual units (usually bits) of a plaintext one at a time [82]. Synchronous stream ciphers and self-synchronising (or asynchronous) stream ciphers are two major types of stream ciphers. In addition, some stream ciphers (for example, the stream cipher Phelix [99]) are neither synchronous nor self-synchronising. In a synchronous stream cipher, the generation of the keystream is independent of the plaintext and ciphertext. The encryption process is carried out by combining the keystream with the plaintext while the decryption process is accomplished by combining the keystream with the ciphertext. Let k, σi, zi, pi and ci denote the key, internal state at time i, keystream, plaintext and ciphertext, respectively. The encryption function of a synchronous stream cipher can be represented by three equations: σi+1 = f(σi,k), zi = g(σi,k) and ci = h(zi,pi), where σ0 is the initial state, f is the next-state function, g is the function used to generate the keystream zi, and h is output function that

1 2

combines zi and pi to produce ciphertext ci. In a self-synchronising stream cipher, the keystream is produced as a function of the key and a fixed number of previous ciphertext bits. Let k, σi, zi, pi and ci represent the key, internal state at time i, keystream, plaintext and ciphertext, respectively. The encryption process of a self-synchronising stream cipher can be denoted by equations: σi = (ci−t,ci−t+1, ,ci−1), zi = g(σi,k) and ci = h(zi,pi), where σ0 is the initial state, g is the function employed to produce the keystream zi, and h is output function that combines zi and pi to produce ciphertext ci. Hash functions play a significant role in the field of cryptography and can be divided into two types: unkeyed hash functions and keyed hash functions. An unkeyed hash function takes an arbitrary-length input, known as the message, and generates a fixed- length output called hash value. Let h be a hash function (hash function implies an unkeyed hash function in this thesis), and as a minimum requirement [82], h should have the following four properties: 1) ease of computation: given h and an input x, h(x) is easy to compute; 2) preimage resistance: given a hash value x, it should be computationally infeasible to find any message m such that x = h(m); 3) second- preimage resistance: given an input m1, it should be computationally infeasible to find another input m2, where m2 = m1, such that h(m1)= h(m2); 4) collision resistance: it should be computationally infeasible to find two distinct messages m1 and m2 such that h(m1)= h(m2). Keyed hash functions accepts two inputs: an arbitrary-length message and a secret key, and produces an output, the hash value. Message authentication codes (MACs) are a subclass of keyed hash functions. One important usage of message authentication codes is to protect data integrity and authenticity of a message. The sender of a message uses a MAC algorithm to generate a MAC value, appends the MAC to the message and transmits the message together with the MAC to the receiver. The receiver calculates the MAC again and compares it with the received one. If these two values are equal, the receiver will assume that the integrity of the information was not compromised, and therefore will accept the message as authentic. There are various ways to create MAC algorithms, and one possible approach is to construct MACs from other cryptographic primitives, such as block ciphers or hash functions. Since block ciphers are well studied and are the most scrutinised cryptographic primitive, they are normally used as the underlying building block in the constructions of other cryptographic algorithms. One of such applications is building message authentication codes based on block ciphers. Another application is using block ciphers as the underlying tool to design stream ciphers. These two approaches have been popular as they reduce the design and evaluation effort of creating new cryptographic primitives. In this thesis, we study the internal structure of the Advanced Encryption 1.1. The Development of AES 3

Standard (AES) [88], which is a widely used block cipher today, and we also analyse the constructions of two AES-based cryptographic primitives: the ALPHA-MAC message authentication code [38] and the LEX stream cipher [19]. The rest of this chapter is organised as follows. Section 1.1 outlines the development of the Advanced Encryption Standard. Section 1.2 describes the motivations and objectives of this thesis. The contributions of this thesis are presented in Section 1.3. Section 1.4 describes the structure of this thesis.

1.1 The Development of AES

The Data Encryption Standard (DES) [86] is a block cipher designed by a team from IBM in the 1970s, and later the algorithm was adopted as a federal standard by the U.S. National Bureau of Standards. The standard was used to provide a method for protecting sensitive commercial and unclassified data. After DES became a national standard in 1977, it was widely used to encrypt government and commercial data. Nowadays, DES is considered to be insecure for many applications because it has a short key size, which is only 56 bits. For example, in the DES Challenge III, which was one of the series of brute force attack contests organised by RSA Security, the secret key of DES was recovered in 22 hours 15 minutes in January 1999 [95]. The U.S. National Institute of Standards and Technology (NIST), which was previously known as the National Bureau of Standards, made a call for new algorithms to develop the Advanced Encryption Standard to replace DES in 1997. During the world- wide competition, cryptographers from twelve different countries worked on developing the new standard. In August 1998, fifteen algorithms were selected by NIST as candidates at the First AES Candidate Conference. The fifteen candidate algorithms and their corresponding details are listed in alphabetical order in Table 1.1 In August 1999, NIST announced that the five finalist algorithms, selected from the fifteen candidates, were MARS, RC6, Rijndael, Serpent and Twofish. On 2 October 2000, Rijndael was selected as the winner of the AES competition and became the proposed AES [87]. AES was published by NIST as US Federal Information Processing Standards Publication 197 (FIPS PUB 197) on 26 November 2001 [88].

1.2 Motivations and Objectives

The five finalist algorithms of the AES competition were evaluated by NIST with the assistance from the international cryptographic community. The primary concern in evaluating the five candidates was security. In addition, factors such as speed and 1.2. Motivations and Objectives 4

Algorithm Submitted by Country Reference CAST-256 Entrust Canada [1] CRYPTON Future Systems Korea [75] DEAL Outerbridge and Knudsen Canada and Norway [70] DFC CNRS France [49] E2 NTT Japan [62] FROG TecApro Costa Rica [48] HPC Schroeppel USA [94] LOKI97 Brown, Seberry and Pieprzyk Australia [27] MAGENTA Deutsche Telekom Germany [61] MARS IBM USA [28] RC6 RSA USA [92] Rijndael Daemen and Rijmen Belgium [36] SAFER+ Cylink USA [79] Serpent Anderson, Biham and Knudsen UK, Israel and Norway [2] Twoﬁsh Counterpane USA [93]

Table 1.1: The fifteen AES candidate algorithms versatility were also taken into consideration. The winning algorithm must be able to run securely and efficiently on a variety of computer platforms, which include large computers, desktop computers and even small devices such as smart cards. Rijndael was selected as the winner because it had the best combination of security, performance, efficiency, implementability and flexibility [87]. No security attacks on the full versions of Rijndael were reported when it was selected as the AES. There was some criticism on Rijndael during the AES competition, and the concern was that its mathematical structure may lead to attacks. Some attacks against reduced versions of Rijndael were published during the evaluation process. However, it is hard to evaluate the impact of these attacks since reduced-round variants are different algorithms from the original full-round algorithm. Attacks on reduced- round variants do not indicate any flaw of the original cipher because a cipher could be secure with n rounds even if it were vulnerable with n−1 rounds. Many researchers have been working on the cryptanalysis of the AES by using different techniques since 2000. However, all of the attacks on AES, reported before 2009, are against the reduced-round variants. A recent breakthrough in AES cryptanalysis was the distinguishers and related- key attacks on the full 14-round AES-256 proposed by Biryukov, Khovratovich and Ivica [22] in 2009. In the same year, Biryukov and Khovratovich [21] published the first related-key cryptanalysis on the full AES-192 and improved the attacks on the full AES-256. In 2011, Bogdanov, Khovratovich and Rechberger [24] reported the first key-recovery attacks on the full-round AES-128, AES-192 and AES-256. Without any 1.3. Contributions 5 doubt, the results and techniques presented in [24], [22] and [21] will inspire future research in the cryptanalysis of the AES. Also, since Rijndael became the AES, the design rationale of Rijndael has inspired many cryptographic constructions, which include the construction of the ALPHA-MAC and the design of the stream cipher LEX. The reason AES was chosen as the underlying block cipher of the ALPHA-MAC is that it has withstood intense public scrutiny since it became a standard. In the LEX construction, the AES round transformation is used to generate the key stream. Investigating the properties of these AES-based cryptographic constructions is a non-trivial task. In this thesis, we are interested at investigating the internal properties of AES, and its applications to the constructions of AES-based primitives. To be more precise, we would like to 1) understand whether there exists an algebraic property of AES which also can be applied to an AES-based primitive; 2) know whether there exists undiscovered properties of the AES key schedule; and 3) find out whether the algebraic properties and structural features of the AES round transformation can be used to carry out security analysis of AES-based constructions. To address these issues, this thesis has two main objectives. The first objective is to study the internal algebraic properties and the key schedule of the AES algorithm. The second objective is to analyse the constructions of two AES-based primitives: the ALPHA-MAC message authentication code and the LEX stream cipher.

1.3 Contributions

This dissertation makes four main contributions whose details are provided as follows. In the first contribution, we present a five-round algebraic property of the AES algorithm. The proposed property shows that it is possible to replace twenty bytes’ values at some fixed locations in five consecutive rounds without changing the output of an AES encryption/decryption. We develop a method called δ to identify the twenty bytes required in the property. Our research reveals that the δ algorithm has 20 variants for AES-128. In the second contribution, we extend the application of the five-round algebraic property, and develop techniques based on this property to analyse the construction of the ALPHA-MAC. We aim to answer the question “given an intermediate value, what is the minimum number of message blocks needed by a second preimage”. Our results demonstrate that the minimum number of message blocks needed by a second preimage is five, and one can find a second preimage of the ALPHA-MAC by solving eight groups of linear functions. Moreover, we show that the second preimage search 1.4. Thesis Structure 6 algorithm can also be used to produce internal collisions under the same condition. In the third contribution, we utilise the related-key model to analyse the key schedule of the AES algorithm, and define two concepts: repeated differential pattern and double-sized repeated differential pattern. Our observations show that two related 128- bit keys, whose difference contains the repeated differential pattern, generate at least seven identical bytes in each subkey and the difference pattern has strong repeated features. If the difference of two 256-bit keys has the double-sized repeated differential pattern, similar results can be found in the subkeys. In the fourth contribution, we employ the approach of fault analysis to investigate the construction of the LEX stream cipher. In our fault model, the adversary is allowed to inject a random-bit fault into the internal state of the cipher, without having the control of the location of the induced fault. A fault position determination algorithm is provided to identify the locations of injected faults. The attacker can recover the secret key of LEX with 216 time complexity and 40 faults.

1.4 Thesis Structure

This thesis is organised into eight chapters, and the thesis structure is illustrated in Table 1.2. The contents of each chapter are described below.

Chapter 1 Introduction Chapter 2 A Description of AES Background Knowledge Chapter 3 Cryptanalysis of AES Chapter 4 A Five-Round Algebraic Property of AES Chapter 5 On the Internal Structure of ALPHA-MAC Our Contributions Chapter 6 Repeated Diﬀerential Properties of the AES-128 and AES-256 Key Schedules Chapter 7 Diﬀerential Fault Analysis of LEX Chapter 8 Conclusions and Future Work

Table 1.2: Structure of the thesis

This chapter provides readers with the introduction of this thesis and addresses the motivation of this dissertation. Also, this chapter highlights the contributions of this thesis, and describes the thesis structure. Chapter 2 presents a detailed description of the Advanced Encryption Standard. The encryption and decryption of the AES algorithm are described in details. The mathematical descriptions of the transformations used in the round function are also provided. Moreover, this chapter describes and illustrates the key schedule used in the 1.4. Thesis Structure 7

AES algorithm. Chapter 3 provides an overview of the cryptanalysis of AES. There have been many publications produced by different researchers since Rijndael was adopted as the Advanced Encryption Standard. This chapter provides a brief summary of AES cryptanalysis. Chapter 4, 5, 6 and 7 present the contributions of this thesis. Chapter 4 focuses on the algebraic properties of the AES round transformation, and describes a five-round property of this cipher. Chapter 5 uses the five-round algebraic property of AES described in Chapter4to analyse the internal structure of ALPHA-MAC. This chapter introduces two approaches which can be used to find second preimages and internal collisions of ALPHA-MAC, given an intermediate value. Chapter 6 studies the key schedule of the AES algorithm and presents some repeated differential properties of the AES-128 and AES-256 key schedules. Chapter 7 provides a differential fault analysis of the stream cipher LEX whose underlying block cipher is AES. Chapter 8 summarises the contributions of this thesis and discusses directions for future work. Chapter 2

A Description of AES

This chapter provides a description of the AES algorithm, and the complete details of the standard can be found in [37]. The Advanced Encryption Standard is a block cipher whose design principle is known as a substitution permutation network. The cipher supports three key sizes: 128, 192 and 256 bits. The AES algorithms with 128- bit, 192-bit and 256-bit keys are usually referred to as AES-128, AES-192 and AES-256 respectively. The key length is denoted by Nk, which represents the number of 32-bit words in the key, and thus is equal to 4, 6 or 8 in this standard. The input block, the output block and the intermediate cipher result all have the same length of 128 bits. The block size is represented by Nb, which reﬂects the number of 32-bit words in the block. The number of AES rounds is denoted by Nr, and is determined by the key size: 10 rounds for AES-128, 12 rounds for AES-192, and 14 rounds for AES-256. The combinations of the block size, key length and number of rounds are illustrated in Table 2.1.

Variants Block Size Key Length Number of Rounds (Nb Words) (Nk Words) (Nr) AES-128 4 4 10 AES-192 4 6 12 AES-256 4 8 14

Table 2.1: The block-key-round parameters

This chapter is organised as follows. The encryption of the cipher and the descriptions of the SubBytes, ShiftRows, MixColumns and AddRoundKey transformations are provided in Section 2.1. The decryption of the cipher and the descriptions of the InvSubBytes, InvShiftRows and InvMixColumns transformations are demonstrated in Section 2.2. The details of the key schedule are shown in Section 2.3.

8 2.1. Encryption 9 2.1 Encryption

For encryption, the cipher takes a plaintext and a key as input and outputs a ciphertext. The plaintext is represented as a byte matrix with 4 rows and 4 columns. The intermediate cipher result is called the state. After an initial round key addition, the state is transformed by implementing a round function 10, 12, or 14 times for 128- bit, 192-bit or 256-bit keys, respectively. Each round function, except the final round, contains four transformations which are SubBytes (SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (ARK). The final round is slightly different from the first Nr − 1 rounds as it does not include the MixColumns operation. The encryption process is described in pseudo code in Procedure 2.1 [88] below. The encryption routine is illustrated in Figure 2.1.

Procedure 2.1 [88] Cipher(byte in[4 ∗ Nb], byte out[4 ∗ Nb], word w[Nb ∗ (Nr + 1)]) 1: byte s[4, Nb] 2: s = in 3: AddRoundKey(s,w[0, Nb − 1]) 4: for round =1 to Nr − 1 do 5: SubBytes(s) 6: ShiftRows(s) 7: MixColumns(s) 8: AddRoundKey(s,w[round ∗ Nb, (round + 1) ∗ Nb − 1]) 9: end for 10: SubBytes(s) 11: ShiftRows(s) 12: AddRoundKey(s,w[Nr ∗ Nb, (Nr + 1) ∗ Nb − 1]) 13: out = s

2.1.1 The SubBytes Transformation

The SubBytes transformation uses a substitution table (S-box) to provide the non- linear byte substitution. To meet the non-linearity requirement, the S-box is constructed by combining two transformations which include an inverse function and an invertible affine transformation. In the first transformation, the elements of GF(28) are represented as polynomials which have degrees less than eight, with coefficients in GF(2). Multiplications are carried out modulo the irreducible polynomial x8 + x4 + x3 + x + 1, and the multiplicative inverses are defined accordingly. The element {00} is mapped to itself. As the first transformation has a simple algebraic expression, which may lead to attacks such as algebraic attacks, it is essential to apply the second transformation to the construction. The second transformation is an affine transformation 2.1. Encryption 10

Plaintext Cipher Key ? AddRoundKey RoundKey[0] ? SubBytes ? ShiftRows ? MixColumns ? ? AddRoundKey RoundKey[i] Key Schedule ? No Final Round?

Yes ? SubBytes ? ShiftRows ? AddRoundKey RoundKey[Nr] ? Ciphertext

Figure 2.1: The AES encryption

(over GF(2)), which can be expressed in the following matrix form:

b7 11111000 a7 0         b6 01111100 a6 1                  b5   00111110   a5   1                   b     a     4   00011111   4   0    =     +   . (2.1)          b3   10001111   a3   0                           b2   11000111   a2   0                   b   11100011   a   1   1     1                     b0   11110001   a0   1                  The substitution table is shown in Table 2.2 [37], with all elements in hexadecimal form. For example, if the input to the SubBytes transformation is {6f}, the output would be {a8}.

2.1.2 The ShiftRows Transformation

In the ShiftRows transformation, the bytes of each row in the state are cyclically shifted over different numbers of offsets. The design criteria for the offsets include optimal diffusion and other diffusion effects. The optimal diffusion is essential to provide resistance 2.1. Encryption 11

y 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 1 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 2 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 3 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75 4 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 5 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf 6 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 7 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 x 8 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 9 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db a e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79 b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a d 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df f 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16 Table 2.2: The substitution table of the AES algorithm against attacks like linear and differential cryptanalysis. Other diffusion effects such as resistance against truncated differential attacks and saturation attacks also need to be taken into consideration. The designers set the offsets to 0, 1, 2 and 3 for the first, second, third and fourth row respectively. As a result, the first row is unchanged, and row i is shifted to the left i byte(s) cyclicly, where i = 1, 2, or 3. The effect of the ShiftRows transformation on the state is shown in Figure 2.2.

0 b0,0 b0,1 b0,2 b0,3 −→ b0,0 b0,1 b0,2 b0,3 1 b1,0 b1,1 b1,2 b1,3 −→ b1,1 b1,2 b1,3 b1,0 2 b2,0 b2,1 b2,2 b2,3 −→ b2,2 b2,3 b2,0 b2,1 3 b3,0 b3,1 b3,2 b3,3 −→ b3,3 b3,0 b3,1 b3,2

Figure 2.2: The ShiftRows function

2.1.3 The MixColumns Transformation

The MixColumns function applies a linear transformation to the state, and it operates on the matrix column by column. Each column is treated as a polynomial over GF(28) and multiplied modulo x4 + 1 with a ﬁxed polynomial a(x), which is expressed as:

c(x)= {03}x3 + {01}x2 + {01}x + {02}. (2.2) 2.2. Decryption 12

A matrix multiplication can be used to represent the modular multiplication with a ﬁxed polynomial. Let b(x)= c(x) a(x):

b0 02 03 01 01 a0       b1 01 02 03 01 a1   =   ×   (2.3)        b2   01 01 02 03   a2               b   03 01 01 02   a   3     3        To ensure good performance, the multiplication operation is implemented as: multiplication with the value 01 means no change, multiplication with the value 02 is handled as shifting byte to the left, and multiplication with the value 03 is treated as multiplication with 02 then performing an additional XOR operation with the operand.

2.1.4 The AddRoundKey Transformation

The AddRoundKey transformation adds a round key to the state by using a simple bitwise XOR operation. Each round key used in this transformation is derived from the secret key by employing the key schedule which is described in Section 2.3. Each round key has the same size as the state. Figure 2.3 depicts the eﬀect of the AddRoundKey operation on the state.

a0,0 a0,1 a0,2 a0,3 k0,0 k0,1 k0,2 k0,3 b0,0 b0,1 b0,2 b0,3

a1,0 a1,1 a1,2 a1,3 k1,0 k1,1 k1,2 k1,3 b1,0 b1,1 b1,2 b1,3 ⊕ = a2,0 a2,1 a2,2 a2,3 k2,0 k2,1 k2,2 k2,3 b2,0 b2,1 b2,2 b2,3

a3,0 a3,1 a3,2 a3,3 k3,0 k3,1 k3,2 k3,3 b3,0 b3,1 b3,2 b3,3

Figure 2.3: The AddRoundKey operation

2.2 Decryption

For decryption, the cipher takes a ciphertext and a key as two input parameters and outputs the corresponding plaintext. The four transformations: SubBytes, ShiftRows, MixColumns and AddRoundKey, can be inverted in reverse order to provide the decryption of the cipher. The decryption algorithm is expressed in pseudo code in Pro- cedure 2.2 [88]. The decryption process is depicted in Figure 2.4. The inverse operations of SubBytes, ShiftRows and MixColumns are represented as InvShiftRows, InvSubBytes and InvMixColumns, respectively. Note that the inverse function of AddRoundKey is itself. The four inverse transformations are described as follows. 2.2. Decryption 13

Procedure 2.2 [88] InvCipher(byte in[4∗Nb], byte out[4∗Nb], word w[Nb∗(Nr+1)]) 1: byte s[4, Nb] 2: s = in 3: AddRoundKey(s,w[Nr ∗ Nb, (Nr + 1) ∗ Nb − 1]) 4: InvShiftRows(s) 5: InvSubBytes(s) 6: for round = Nr − 1 to 1 do 7: InvShiftRows(s) 8: InvSubBytes(s) 9: AddRoundKey(s,w[round ∗ Nb, (round + 1) ∗ Nb − 1]) 10: InvMixColumns(s) 11: end for 12: AddRoundKey(s,w[0, Nb − 1]) 13: out = s

2.2.1 The InvSubBytes Transformation

The InvSubBytes function applies the inverse S-box to each byte of the state. The operation is carried out by inverting the affine transformation defined in Equation (2.1) and then taking the multiplicative inverse in GF(28). The inverse of Equation (2.1) is defined in Equation (2.4). The inverse S-box is shown in Table 2.3 [37].

y7 01010010 x7 0         y6 00101001 x6 0                  y5   10010100   x5   0                   y4   01001010   x4   0            =     +   . (2.4)          y3   00100101   x3   0                   y2   10010010   x2   1                   y   01001001   x   0   1     1                     y0   10100100   x0   1                 

2.2.2 The InvShiftRows Transformation

In the InvShiftRows operation, the ﬁrst row is unchanged, and row i is shifted to the right i byte(s) cyclicly, where i = 1, 2, or 3. The eﬀect of the InvShiftRows function on the state is depicted in Figure 2.5. 2.2. Decryption 14

Ciphertext Cipher Key ? AddRoundKey RoundKey[Nr] ? InvShiftRows ? InvSubBytes ? AddRoundKey ? ? InvMixColumns RoundKey[i] Key Schedule ? InvShiftRows ? InvSubBytes ? No Nr − 1 Times Repeated?

Yes ? AddRoundKey RoundKey[0] ? Plaintext

Figure 2.4: The AES decryption

0 b0,0 b0,1 b0,2 b0,3 −→ b0,0 b0,1 b0,2 b0,3 1 b1,0 b1,1 b1,2 b1,3 −→ b1,3 b1,0 b1,1 b1,2 2 b2,0 b2,1 b2,2 b2,3 −→ b2,2 b2,3 b2,0 b2,1 3 b3,0 b3,1 b3,2 b3,3 −→ b3,1 b3,2 b3,3 b3,0

Figure 2.5: The InvShiftRows transformation

2.2.3 The InvMixColumns Transformation

The InvMixColumns transformation is the inverse of the MixColumns operation. Each column of the state is multiplied modulo x4 +1 with a ﬁxed polynomial d(x), deﬁned as:

d(x)= {0b}x3 + {0d}x2 + {09}x + {0e}. (2.5)

The modular multiplication with the ﬁxed polynomial can be represented by a matrix multiplication. Let b(x)= d(x) a(x): b0 0e 0b 0d 09 a0       b1 09 0e 0b 0d a1   =   ×   . (2.6)        b2   0d 09 0e 0b   a2               b3   0b 0d 09 0e   a3              2.3. The Key Schedule 15

y 0 1 2 3 4 5 6 7 8 9 a b c d e f 0 52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 1 7c e3 39 82 9b 2f ﬀ 87 34 8e 43 44 c4 de e9 cb 2 54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 3 08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 4 72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 5 6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 6 90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 7 d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b x 8 3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 9 96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e a 47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b b fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4 c 1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f d 60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef e a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 f 17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d Table 2.3: The inverse S-Box

2.2.4 The Inverse of the AddRoundKey Transformation

The AddRoundKey transformation is its own inverse as it only involves the XOR operation.

2.3 The Key Schedule

The AES algorithm uses the key schedule to expand the cipher key into the round keys. The total number of words in the round keys generated by the key schedule is equal to Nb ∗ (Nr + 1) since the algorithm requires a block of Nb words for the initial key addition, and each of the Nr rounds needs Nb words of key data. The round keys are represented as a linear array of 4-byte words, denoted by W [i], with i in the range 0 ≤ i

[b1, b2, b3, b0]. SubWord (SW) is a transformation that takes a word as input, and uses the SubBytes operation described in Section 2.1.1 to substitute each byte of the input. The SubWord operation is depicted in Figure 2.7. Rcon[i] is a word array that contains the round constants. The constants are values given by [xi−1, 00, 00, 00] with xi−1 being 2.3. The Key Schedule 16

Procedure 2.3 [88] KeyExpansion(byte key[4 ∗ Nk], word W [Nb ∗ (Nr + 1)], Nk) 1: word temp 2: i = 0 3: while (i 6 and i mod Nk = 4) then 13: temp = SubWord(temp) 14: end if 15: W [i]= W [i − Nk] xor temp 16: i = i +1 17: end while powers of x (x is denoted as {02}) in the ﬁeld GF(28). Note that i begins with 1, not 0.

b0 b1

b1 RotWord b2 −→ b2 b3

b3 b0

Figure 2.6: The RotWord transformation

b0 SB(b0)

b1 SubWord SB(b1) −→ b2 SB(b2)

b3 SB(b3)

Figure 2.7: The SubWord operation

It is demonstrated in Procedure 2.3 that the cipher key is copied to the ﬁrst Nk words of the array W . The calculation of every following word, W [i], is carried out by XORing the previous word, W [i−1], with the word Nk positions earlier, W [i−Nk]. For words in positions that are a multiple of Nk, the key schedule ﬁrst applies the RotWord and SubWord transformation to W [i − 1], and then XORs the resulting W [i − 1] with W [i − Nk] and a round constant, Rcon[i]. 2.3. The Key Schedule 17

2.3.1 The AES-128 Key Schedule

Key (128 bits) ? ? ? ? ? - W [0] W [1] W [2] W [3] RW ? - ? Rcon[1] SW ? ? ? ? - W [4]- - W [5]- - W [6]- - W [7] RW ? - ? Rcon[2] SW ? ? ? ? - W [8]- - W [9]- - W [10]- - W [11] RW ? - ? Rcon[3] SW ? ? ? ? - W [12]- - W [13]- - W [14]- - W [15] RW ? - ? Rcon[4] SW ? ? ? ? - W [16]- - W [17]- - W [18]- - W [19] RW ? - ? Rcon[5] SW ? ? ? ? - W [20]- - W [21]- - W [22]- - W [23] RW ? - ? Rcon[6] SW ? ? ? ? - W [24]- - W [25]- - W [26]- - W [27] RW ? - ? Rcon[7] SW ? ? ? ? - W [28]- - W [29]- - W [30]- - W [31] RW ? - ? Rcon[8] SW ? ? ? ? - W [32]- - W [33]- - W [34]- - W [35] RW ? - ? Rcon[9] SW ? ? ? ? - W [36]- - W [37]- - W [38]- - W [39] RW ? - ? Rcon[10] SW ? W [40]- -? W [41]- -? W [42]- -? W [43]

Figure 2.8: The AES-128 key schedule

Let K be a 128-bit secret key, and it is denoted by four words: K =(K0,K1,K2,K3), where Ki is a four-byte word. The expanded round keys are contained in a four-byte word array W [i], 0 ≤ i ≤ 43. In the key schedule of AES-128, W [i] is deﬁned by the following method:

Ki, 0 ≤ i< 4; W [i]=  W [i − 4] ⊕ W [i − 1], 4 ≤ i ≤ 43 and i mod 4 = 0;   W [i − 4] ⊕ f(W [i − 1]), 4 ≤ i ≤ 43 and i mod 4 = 0;   2.3. The Key Schedule 18 where f(W [i − 1]) = SubWord(RotWord(W [i − 1])) ⊕ Rcon[i/4]. Figure 2.8 gives a diagrammatic representation of the AES-128 key schedule.

2.3.2 The AES-192 Key Schedule

Key (192 bits) ? ? ? ? ? ? ? - W [0] W [1] W [2] W [3] W [4] W [5] RW ? - ? Rcon[1] SW ? ? ? ? ? ? - W [6]- - W [7]- - W [8]- - W [9]- - W [10]- - W [11] RW ? - ? Rcon[2] SW ? ? ? ? ? ? - W [12]- - W [13]- - W [14]- - W [15]- - W [16]- - W [17] RW ? - ? Rcon[3] SW ? ? ? ? ? ? - W [18]- - W [19]- - W [20]- - W [21]- - W [22]- - W [23] RW ? - ? Rcon[4] SW ? ? ? ? ? ? - W [24]- - W [25]- - W [26]- - W [27]- - W [28]- - W [29] RW ? - ? Rcon[5] SW ? ? ? ? ? ? - W [30]- - W [31]- - W [32]- - W [33]- - W [34]- - W [35] RW ? - ? Rcon[6] SW ? ? ? ? ? ? - W [36]- - W [37]- - W [38]- - W [39]- - W [40]- - W [41] RW ? - ? Rcon[7] SW ? ? ? ? ? ? - W [42]- - W [43]- - W [44]- - W [45]- - W [46]- - W [47] RW ? - ? Rcon[8] SW ? W [48]- -? W [49]- -? W [50]- -? W [51]

Figure 2.9: The AES-192 key schedule

We represent a 192-bit cipher key K as 6 four-byte words: K =(K0,K1,K2,K3,K4,K5), where Ki is a four-byte word. A four-byte word array W [i], 0 ≤ i ≤ 51, is used to store the expanded round keys. The key schedule of AES-192 employs the following formula to calculate W [i]:

Ki, 0 ≤ i< 6; W [i]=  W [i − 6] ⊕ W [i − 1], 6 ≤ i ≤ 51 and i mod 6 = 0;   W [i − 6] ⊕ f(W [i − 1]), 6 ≤ i ≤ 51 and i mod 6 = 0;  where f(W [i − 1]) = SubWord(RotWord(W [i − 1])) ⊕ Rcon[i/6]. The AES-192 key schedule is illustrated in Figure 2.9, which was presented in [42]. 2.3. The Key Schedule 19

2.3.3 The AES-256 Key Schedule

Key (256 bits) ? ? ? ? ? ? ? ? ? - W [0] W [1] W [2] W [3] W [4] W [5] W [6] W [7] RW ? - ? Rcon[1] SW ? ? ? ? ? ? ? ? - W [8] - - W [9] - - W [10]- - W [11]-SW- - W [12]- - W [13]- - W [14]- - W [15] RW ? - ? Rcon[2] SW ? ? ? ? ? ? ? ? - W [16]- - W [17]- - W [18]- - W [19]-SW- - W [20]- - W [21]- - W [22]- - W [23] RW ? - ? Rcon[3] SW ? ? ? ? ? ? ? ? - W [24]- - W [25]- - W [26]- - W [27]-SW- - W [28]- - W [29]- - W [30]- - W [31] RW ? - ? Rcon[4] SW ? ? ? ? ? ? ? ? - W [32]- - W [33]- - W [34]- - W [35]-SW- - W [36]- - W [37]- - W [38]- - W [39] RW ? - ? Rcon[5] SW ? ? ? ? ? ? ? ? - W [40]- - W [41]- - W [42]- - W [43]-SW- - W [44]- - W [45]- - W [46]- - W [47] RW ? - ? Rcon[6] SW ? ? ? ? ? ? ? ? - W [48]- - W [49]- - W [50]- - W [51]-SW- - W [52]- - W [53]- - W [54]- - W [55] RW ? - ? Rcon[7] SW ? ? ? ? W [56]- - W [57]- - W [58]- - W [59]

Figure 2.10: The AES-256 key schedule

Assume that K is a 256-bit secret key, and it is expressed as 8 four-byte words: K =

(K0,K1, ,K7), where Ki is a four-byte word. The resultant round keys are contained in a four-byte word array W [i], 0 ≤ i ≤ 59. In the key schedule of AES-256, the calculation of W [i] is determined by the following routine:

Ki, 0 ≤ i< 8;  W [i − 8] ⊕ W [i − 1], 8 ≤ i ≤ 59 and i mod 8 ∈{/ 0, 4}; W [i]=   W [i − 8] ⊕ f(W [i − 1]), 8 ≤ i ≤ 59 and i mod 8 = 0;  W [i − 8] ⊕ g(W [i − 1]), 8 ≤ i ≤ 59 and i mod 8 = 4;   where f(W [i − 1]) and g(W [i − 1]) are deﬁned as follows:

f(W [i − 1]) = SubWord(RotWord(W [i − 1])) ⊕ Rcon[i/8], g(W [i − 1]) = SubWord(W [i − 1]).

The AES-256 key schedule is demonstrated in Figure 2.10. The AES-256 key schedule (Nk = 8) is slightly diﬀerent from the AES-128 and AES-192 key schedules. If 2.3. The Key Schedule 20

Nk = 8 and i − 4 is a multiple of Nk, an extra SubWord operation is applied to W [i−1] prior to the XOR operation. For instance, if i = 12, the AES-256 key schedule carries out an extra SubWord operation on W [11] before XORing it with W [4] (see Figure 2.10). Chapter 3

Cryptanalysis of AES

Rijndael has a simple, elegant and efficient design. It was designed to resist all known attacks, which include two classic cryptanalytic methods: differential cryptanalysis [16] and linear cryptanalysis [80]. Linear cryptanalysis and differential cryptanalysis are two powerful techniques in block cipher cryptanalysis. These two attacks need to be taken into account when designing any new cipher. Resistance against differential and linear cryptanalysis are the most important criteria in the design of Rijndael. The designers of Rijndael, Joan Daemen and Vincent Rijmen, provided justification with the belief that Rijndael is secure against differential and linear cryptanalysis in [37]. On the other hand, cryptanalysis of AES has been a hot research topic since Rijndael was selected as the standard. Since 2000, there have been many research efforts aiming to find weaknesses in this cipher and exploit potential vulnerabilities to attack this cryptographic algorithm. This chapter provides a brief overview of the cryptanalysis of AES. While some techniques described in this chapter were already used to attack reduced rounds or full rounds of AES, others are only ideas and observations, which have not led to any attack so far. This chapter is organised as follows. In order to describe the ideas of differential cryptanalysis and linear cryptanalysis in details, we start with a short description of the Data Encryption Standard (DES) in Section 3.1. Then, we outline the technique of differential cryptanalysis in Section 3.2, and highlight the main idea of linear cryptanalysis in Section 3.3. Section 3.4 demonstrates the resistance of AES against differential and linear cryptanalysis. Section 3.5 presents the square attack, and Sec- tion 3.6 outlines the collision attack. In Section 3.7, we describe the boomerang attack together with the amplified boomerang attack and the rectangle attack. In Section 3.8, we provide a description of impossible differential cryptanalysis. We explain the concept of dual cipher in Section 3.9, and provide a sketch of the algebraic attacks in Section 3.10. Section 3.11 presents the idea of related-key attacks, and some recent results of related-key cryptanalysis of AES. Section 3.12 describes the technique of biclique cryptanalysis, and demonstrates how this cryptanalytic tool is united with the

21 3.1. A Brief Description of DES 22 approach of meet-in-the-middle attack to carry out key recover attacks on full versions of AES. Section 3.13 provides a brief summary of the attacks described in this chapter.

3.1 A Brief Description of DES

The DES [86] algorithm was designed to encrypt blocks of data containing 64 bits under control of a 56-bit key. DES is considered as the successor of the Lucifer [45] cipher, which was developed by Horst Feistel and his colleagues at IBM in 1970s. DES consists of 16 iterations of a round function, which is named F -function, and an initial permutation (IP) and a ﬁnal permutation (FP). The sketch of the DES encryption is given in Figure 3.1, where K1,K2, ,K16 are subkeys. Note that the subkeys are derived from the 56-bit secret key by the key scheduling algorithm.

Plaintext ? IP 1 ? ? K F

2 ? ? K F

16 rounds 15 ? ? K F

16 ? ? K F ? ? FP ? Ciphertext

Figure 3.1: The Feistel structure of DES

The F -function of DES is illustrated in Figure 3.2. In each round, the block is divided into two 32-bit halves: the left half L and the right half R. The F -function accepts R and subkey Ki as its inputs, uses expansion E to expand R from 32 bits to 48 bits, and XORs the result with the 48-bit Ki. The result of the XOR operation is substituted by employing eight s-boxes. Each S-box accepts a 6-bit input and generates a 4-bit output. The Permutation P is used to permute the 32-bit result of the S-box operation. The output of the F -function, denoted by F (R,Ki), is XORed with the left 3.2. Diﬀerential Cryptanalysis 23 half L, and then the left and right halves are interchanged. The complete speciﬁcation of the DES cipher can be found in [86].

Input (32 bits) ? E ? 48 bits Subkey (48 bits)

S1 S2 S3 S4 S5 S6 S7 S8

? P

? Output (32 bits)

Figure 3.2: The F -function of DES

3.2 Diﬀerential Cryptanalysis

Differential cryptanalysis, proposed by Biham and Shamir [16] in 1990, is a chosen- plaintext attack. The basic idea is to analyse the relations between the differences of plaintext pairs and the differences of the resultant ciphertext pairs, which are the results of the encryptions under the same secret key. These differences are used to assign probabilities to the possible keys and to identify the most probable one. The difference used in the attack is usually the eXclusive OR (XOR) of two plaintexts. As long as the plaintext pairs satisfy the difference condition, they can be chosen at random, and the adversary does not need to know their values. In differential cryptanalysis, one important step is to find a characteristic, which holds for n − 1 rounds with non-trivial probability. The definition of a characteristic is provided in Definition 3.2.1. The attacker encrypts a large number of plaintext pairs with the same specific difference and collects the resultant ciphertext pairs. The difference between two inputs of the n-th round, the difference of the two corresponding ciphertexts, and the two ciphertexts can be used to create a simple equation. Since the subkey of the n-th round contained in this equation is an unknown parameter, it is possible for the adversary to deduce the subkey of the n-th round by solving one or several such equations. 3.2. Differential Cryptanalysis 24

Deﬁnition 3.2.1 [16] Associated with any pair of encryptions are the XOR value of its two plaintexts, the XOR of its ciphertexts, the XORs of the inputs of each round in the two executions, and the XORs of the outputs of the each round in the two executions. These XOR values form an n-round characteristic. A characteristic has a probability, which is the probability that a random pair with the chosen plaintext XOR has the round and ciphertext XORs speciﬁed in the characteristic.

Lai and Massey [74] emphasised the difference between a characteristic and a differential, whose definition is provided in Definition 3.2.2. A differential is a difference propagation from an input difference pattern to an output difference pattern while a characteristic is a series of differences between the round inputs in the encryption of two plaintexts with a given difference. It was shown in [74] that the most probable differential will have in general a probability higher than that of the most probable characteristic (although the two probabilities are roughly the same for DES with small number of rounds).

Definition 3.2.2 [74] An n-round differential is a pair (α, β), where α is the difference of two distinct plaintexts X and X∗, and β is a possible difference of the resultant n- th round outputs Y (i) and Y ∗(i). The probability of an n-round differential (α, β) is the conditional probability that β is the difference ∆Y (i) of the ciphertext pair after n rounds given that the plaintext pair (X,X∗) has difference ∆X = α when the plaintext X and the subkeys Z(1),Z(2), ,Z(n) are independent and uniformly random.

Diﬀerential cryptanalysis is a powerful tool which was ﬁrst used to attack the DES cipher. It makes use of the fact that most transformations in DES are linear with respect to the XOR operation. The F -function contains four operations, which are the E expansion, the P permutation, the key mixing operation and the substitution, and three out of these four transformations are linear:

E(X) ⊕ E(X∗)= E(X ⊕ X∗), (3.1) (X ⊕ K) ⊕ (X∗ ⊕ K)= X ⊕ X∗, (3.2) P (X) ⊕ P (X∗)= P (X ⊕ X∗). (3.3)

The substitution is the only non-linear operation in the F -function, and therefore the following equation does not hold:

S(X) ⊕ S(X∗)= S(X ⊕ X∗). (3.4)

In the DES algorithm, there are 64 64 possible input pairs for an S-box, but there are only 64 16 possible tuples of input and output XORs. However, not all tuples exist for 3.2. Differential Cryptanalysis 25 every possible input XOR, and the existing ones are not uniformly distributed. Based on these facts, the difference distribution of an S-box is defined in Definition 3.2.3 below:

Deﬁnition 3.2.3 [16] A table that shows the distribution of the input XORs and output XORs of all the possible pairs of an S-box is called the diﬀerence distribution table of the S-box. In this table, each row corresponds to a particular input XOR, each column corresponds to a particular output XOR and the entries themselves count the number of possible pairs with such an input XOR and an output XOR.

In addition, the deﬁnition of a right pair with respect to an n-round characteristic is provided in the following Deﬁnition 3.2.4.

Deﬁnition 3.2.4 [16] A right pair with respect to an n-round characteristic Ω = ′ (ΩP , ΩΛ, ΩT ) and an independent key K is a pair for which P = ΩP and for the ﬁrst n rounds of the encryption of the pair using the independent key K the input XOR th i i of the i round equals λI and the output XOR of the F function equals λO. Every pair which is not a right pair with respect to the characteristic and the independent key is called a wrong pair with respect to the characteristic and the independent key.

By using the ideas described above, the attack works as follows. Given a characteristic of the cipher, each pair suggests a pool of candidates for the last round key. If a pair is wrong, the subkey value suggested by this pair is usually wrong. Right pairs suggest not only the correct subkey value but also a number of wrong subkey values. However, the correct key value should result from all the right pairs which occur approximately with the probability of the characteristic. In order to find the key, the adversary need to count the number of occurrences of all suggested keys. The key value that occurs most often is considered as the correct key. In differential cryptanalysis, it is essential to compute the so-called signal-to-noise ratio (denoted by S/N ratio), which is the ratio between the number of right pairs and the average count in a counting scheme. It was observed experimentally in [16] that about 20-40 occurrences of right pairs are enough for a ratio of 1-2. For higher ratios, even 3-4 right pairs are sufficient. Other methods for the estimation of the success rate of differential cryptanalysis have been developed over the years as the S/N ratio gives false results when there are either very few candidate keys (when the S/N ratio suggests the need of too much data) or many candidate keys (when the S/N ratio suggests too little data to actually allow the attack to work). The most notable of these methods is the work by Sel¸cuk [96] in which an analytical calculation of the success probability of the differential cryptanalysis was presented. It was shown in [96] that for large S/N ratio, the results of [96] are 3.3. Linear Cryptanalysis 26 very similar to the observations of [16], and for small S/N ratio, the 20-40 right pairs suggested in [16] give a good success rate only for a < 20, where a is the number of key bits the adversary targets to recover. To have a good success rate for larger values of a, 80 or more right pairs may be needed.

3.3 Linear Cryptanalysis

Linear cryptanalysis is a known-plaintext attack and it was discovered by Matsui [80] in 1993. In linear cryptanalysis, the adversary studies the linear approximation of the plaintext, ciphertext and key bits to recover the secret key. In general, a large amount of plaintext-ciphertext pairs are used in the attack to determine the cipher key. To carry out linear cryptanalysis on a block cipher, the attacker needs to ﬁnd eﬀective linear expressions for the cipher. Assume that A[i] is the i-th bit of A, and the bitwise XOR sum of all bits of A is denoted by A[i1, i2, , in], namely,

A[i1, i2, , in]= A[i1] ⊕ A[i2] ⊕⊕ A[in]. (3.5)

Let P denote a random plaintext, C represent the corresponding ciphertext and K denote the ﬁxed secret key K. The following linear expression becomes useful if it holds with probability p =1 /2:

P [i1, i2, , ia] ⊕ C[j1, j2, , jb]= K[k1,k2, ,kc] (3.6) where i1, i2, , ia, j1, j2, , jb and k1,k2, ,kc are ﬁxed bit locations. The eﬀec- tiveness of this linear expression is represented by |p − 1/2|, which is known as the bias.

After the linear expression is found, we can deduce one single key bit K[k1,k2, ,kc] of the secret key by using the following algorithm, which is called Algorithm 1 in [80].

1. Let T be the number of plaintexts such that the left side of Equation (3.6) is equal to zero.

2. If T >N/2 (N is the number of plaintexts),

then guess K[k1,k2, ,kc] = 0 (when p> 1/2) or 1 (when p< 1/2),

else guess K[k1,k2, ,kc] = 1 (when p> 1/2) or 0 (when p< 1/2). Matsui [80] introduced another algorithm, called Algorithm 2, to extract one or both of the outermost subkeys. This algorithm uses the following expression, which holds with the best probability of (n − 1)-round DES cipher.

P [i1, i2, , ia] ⊕ C[j1, j2, , jb] ⊕ Fn(CL,Kn)[l1,l2, ,ld]= K[k1,k2, ,kc], (3.7) where Fn is the F-function. The steps of Algorithm 2 are described as follows: 3.4. Security of AES against Diﬀerential and Linear Cryptanalysis 27

(i) 1. For each candidate Kn (i = 1, 2, ) of Kn, let Ti be the number of plaintexts such that the left side of Equation (3.7) is equal to zero.

, 2. Let Tmax be the maximal value and Tmin be the minimal value of all Ti s.

• If |Tmax − N/2| > |Tmin − N/2|, then adopt the key candidate corresponding

to Tmax and guess K[k1,k2, ,kc] = 0 (when p> 1/2) or 1 (when p< 1/2).

• If |Tmax − N/2| < |Tmin − N/2|, then adopt the key candidate corresponding

to Tmin and guess K[k1,k2, ,kc] = 1 (when p> 1/2) or 0 (when p< 1/2).

3.4 Security of AES against Diﬀerential and Linear Cryptanalysis

Since differential and linear cryptanalysis are the most important methods for attack- ing block ciphers, a new cipher will not be considered serious without a comprehensive analysis of the security of the algorithm against at least linear and differential cryptanalysis. To address this issue, Daemen and Rijmen, the inventors of the AES algorithm, proved that AES is secure against differential and linear cryptanalysis in [37]. To apply differential cryptanalysis to a block cipher, the adversary needs to know the propagation from the input difference pattern to the output difference pattern over r rounds of the cipher, with a probability that is significantly greater than 21−n, where n is the block size. In the case of the AES algorithm, it was demonstrated in [37] that there are no 4-round differential characteristics with a probability larger than 2−150, and there are no 8-round characteristics with a probability greater than 2−300. The probability of a differential characteristic is the relative amount of all input pairs that produce the output difference for the given input difference. The probability can be approximately represented as the product of the probabilities of its active S- boxes [34]. Keliher and Sui [63] used a pruning search algorithm to show that the upper bound on the maximum expected differential probability of the AES is approximately 1.881 × 2−114 for 4 or more rounds. In linear cryptanalysis, the cryptanalyst needs to find input-output biases over r rounds of the cipher with a probability that is significantly larger than 2n/2. The bias of a linear approximation can be approximately expressed as the product of input- output biases of its active S-boxes [34]. The design principle of the AES guarantees that the number of active S-boxes in any 4-round differential or linear approximation is lower bounded by 25. For the AES cipher, it was proven in [37] that there are no 4-round linear approximations with a bias greater than 2−75, and there are no 8-round 3.5. Square Attack 28 approximations with a bias greater than 2−150. Keliher and Sui [63] proved that the upper bound on the maximum expected linear probability of the AES is approximately 1.802 × 2−110 for 4 or more rounds.

3.5 Square Attack

The Square attack, discovered by Daemen, Knudsen and Rijmen [35], is a dedicated attack which makes use of the structural features of the cipher. It was ﬁrst used to attack the block cipher Square [35], the predecessor of Rijndael, and consequently the attack is named “Square”. The attack is also applicable to Rijndael and can break reduced variants of Rijndael faster than exhaustive search since Square and Rijndael share many common properties. This type of attack has several other names. Lucks [77] generalised the attack and used the name saturation attack. Biryukov and Shamir [23] called these attacks structural attacks. Knudsen and Wagner [71] summarised previous work and proposed the name integral cryptanalysis. The Square attack is a chosen-plaintext attack, and is based on a three-round distinguishing property of the AES algorithm. A Λ-set is a set of 256 plaintexts that take all 256 possible values of one byte (which is called the active byte) and constant values for the other ﬁfteen bytes (which are called the passive bytes). The three-round distinguishing property is described in the following Property 3.5.1.

Property 3.5.1 [37] Encrypt a Λ-set through three AES rounds under the same key. At the end of the second round, the states take all 256 values in all sixteen bytes, and at the end of the third round, the sum of all these 256 values at each position is zero.

The development of all bytes in this Λ-set in three AES rounds is illustrated in Fig- ure 3.3, where α represents an active byte, β denotes a passive byte and π stands for a balanced byte (a byte is considered balanced if the XOR sum of the 256 values of this byte is zero). This property is destroyed by the byte substitution operation in the fourth round. This three-round property can be used to break 4 rounds of Rijndael. The attacker simply guesses a key byte in the fourth round, and goes backwards to check whether the guess is right or wrong. If the guessed value is correct, the sum of the corresponding 256 values should be zero. If the guessed value is wrong, with a high probability, the sum of the corresponding 256 values is not zero (note that for a wrong key guess, this sum is a random variable that can take 0 as a value, with the same probability as any other values between 0 and 255). The adversary can use this approach to eliminate all wrong key bytes until the correct one is identiﬁed. Similarly, 3.6. Collision Attacks 29

K0 α β β β α β β β α β β β

β β β β ◦ β β β β α β β β ? SB−→SR −→MC - - β β β β β β β β α β β β ARK β β β β β β β β α β β β K1 α β β β α β β β α α α α

α β β β ◦ β β β α α α α α ? SB−→SR −→MC - - α β β β β β α β α α α α ARK α β β β β α β β α α α α K2 α α α α α α α α π π π π π π π π

α α α α ◦ α α α α π π π π ? π π π π SB−→SR −→MC - - α α α α α α α α π π π π π π π π ARK α α α α α α α α π π π π π π π π

Figure 3.3: The evolution of a Λ-set in 3 rounds of AES the attacker can recover the other ﬁfteen key bytes by using the same idea. The Square property used in the attacks on AES is a 4-round extension of Property 3.5.1. Daemen and Rijmen [36] extended the 4-round attack to a 5-round attack on AES by adding an additional round to the end of the 4-round attack. In the 5-round attack, 240 key values must be tested, and this process needs to be repeated 4 times. The cipher key can be identiﬁed with overwhelming probability with only 5 Λ-sets. It was shown in [36] that by adding an additional round at the beginning and at the end, the 4-round attack can be extended to a 6-round attack on AES. The work factor can be estimated at 270 six-round AES executions. Ferguson, Kelsey, Lucks, Schneier, Stay, Wagner and Whiting [46] presented the partial sum technique that can further reduce the complexity of the attacks on 6- round AES. This technique was used to attack 7 rounds of Rijndael for all key sizes, and 8 rounds of Rijndael for 192-bit and 256-bit key sizes. The attacks against 7- round Rijndael with 128-bit keys and 8-round Rijndael with 192-bit and 256-bit keys require nearly the entire Rijndael codebook and therefore they are not very practical. Compared with the square attack, the partial sum technique reduces the work factor of the attack, but recovers less key bits.

3.6 Collision Attacks

Gilbert and Minier [50] described a 4-round distinguisher of the AES and used the distinguishing property to attack reduced variants of the AES algorithm. Figure 3.4 represents 4 rounds of AES. Let Y , Z, R and S be the inputs of these four rounds, and T be the output of the fourth round. Note that y = Y0,0, c0 = Y1,0, c1 = Y2,0, c3 = Y3,0, c = (c0,c1,c2), z0 = Z0,0, z1 = Z1,0, z2 = Z2,0, z3 = Z3,0 and so on. The 3.6. Collision Attacks 30

y z0 r0 s t0 c0 z1 r1 t1 c1 z2 r2 t2 c2 z3 r3 t3

Figure 3.4: A four-round distinguisher of AES

4-round distinguisher is based on Property 3.6.1 and Property 3.6.2.

Property 3.6.1 [50] Consider a set of 256 plaintexts, which contains one active byte (byte y) and ﬁfteen passive bytes. Encrypt this set of plaintexts with three AES rounds. The function that maps the active byte (byte y) to its corresponding resultant byte (byte s) is entirely determined by 9 bytes, which contain 4 key-dependent and c-dependent constants and 5 c-independent and key-dependent constants.

Property 3.6.2 [50] Consider a set of 256 plaintexts, which contains one active byte (byte y) and ﬁfteen passive bytes. Encrypt this set of plaintexts with four AES rounds. Let p−1 denote the inverse of the S-box operation. The s byte can be represented as −1 4 s = p [(0E t0 +0B t1 +0D t2 +09t3)+k0,0]. Namely, 0E t0 +0B t1 +0D t2 +09t3 4 is a one-to-one function of s, which is fully determined by one single key byte k0,0.

Therefore, 0E t0 +0B t1 +0D t2 +09 t3 is a function of y that is entirely determined by 6 unknown bytes which only depend on the key and 4 extra unknown bytes which depend on the key and c.

Gilbert and Minier [50] proposed an attack against 7 rounds of AES-192 and AES- 256 which requires 232 chosen plaintexts and a complexity of 2140. The same approach can be used to attack 7 rounds of AES-128 with 232 chosen plaintexts, and the complexity is marginally faster than exhaustive search. The method is a combination of the 4-round distinguisher and an exhaustive search of combinations of keybytes of the initial and the two final rounds. Demirci and Sel¸cuk [39] described a 5-round distinguisher of the AES, which relates a table entry of the fifth round to a table entry of the first round using 25 parameters that remain unchanged throughout the attack. The 5-round distinguisher can be used to mount meet-in-the-middle attacks on 7 rounds of AES-192 and 8 rounds of AES-256. Dunkelman, Keller and Shamir [41] extended the work of [50] and [39], and introduced three techniques, which are multiset tabulation, differential enumeration and key bridging technique. These three techniques can be used to attack 8-round AES-192 and AES-256. 3.7. Boomerang Attacks 31 3.7 Boomerang Attacks

The boomerang attack, introduced by Wagner [98], is a cryptanalytic method that is based on differential cryptanalysis. It is an adaptive chosen plaintext and ciphertext attack, and the attack aims to produce a quartet structure at a point halfway through the cipher. Assume that E() is the encryption operation of the cipher and E can be divided into two operations: E0 and E1, namely, E = E1 ◦E0. The attack considers high probability differentials in each half of the cipher rather than high probability differentials in the entire cipher. The reason for this is that it is normally easier for the attacker to find short differentials with high probabilities than to find a long differential with a reasonable high probability in many block ciphers. Suppose we have two differential ∗ ∗ characteristics, ∆ → ∆ for E0 with probability p and ∇→∇ for E1 with probability q. The attack works as follows.

1. Generate a pair of plaintexts (P , P ′ = P ⊕ ∆).

2. Ask for the encryptions of (P , P ′) to get the corresponding ciphertexts (C = E(P ), C′ = E(P ′)), by making two chosen-plaintext queries.

3. Generate a new pair of ciphertexts (D = C ⊕∇, D′ = C′ ⊕∇).

4. Ask for the decryptions of (D, D′) to get the corresponding plaintexts (Q = E−1(D), Q′ = E−1(D′)), by making two adaptive chosen-ciphertext queries.

5. Check whether the following equation holds:

Q ⊕ Q′ = ∆. (3.8)

Next, we will find out what is the probability that Q ⊕ Q′ is equal to ∆. The ′ ∗ −1 −1 difference E0(P )⊕E0(P ) is ∆ with probability p. The difference E1 (C)⊕E1 (D) is ∗ −1 ′ −1 ′ ∗ ∇ , and the difference E1 (C )⊕E1 (D ) is ∇ , both with probability q. If the previous ′ ∗ 2 three characteristics hold, the difference E0(Q) ⊕ E0(Q ) is ∆ with probability pq as

′ ′ ′ ′ E0(Q) ⊕ E0(Q ) = E0(P ) ⊕ E0(P ) ⊕ E0(P ) ⊕ E0(Q) ⊕ E0(P ) ⊕ E0(Q ) ′ −1 −1 −1 ′ −1 ′ = E0(P ) ⊕ E0(P ) ⊕ E1 (C) ⊕ E1 (D) ⊕ E1 (C ) ⊕ E1 (D ) = ∆∗ ⊕∇∗ ⊕∇∗ = ∆∗.

−1 −1 ′ Since the diﬀerence E0 (Q) ⊕ E0 (Q ) is ∆ with probability q, the overall probability that equation Q⊕Q′ = ∆ holds is p2q2. For a random permutation, equation Q⊕Q′ = ∆ holds with probability 2−n, where n is the bit number of the block size. Thus, if the 3.7. Boomerang Attacks 32 quartet of plaintexts and ciphertexts are the right boomerang pairs, we can distinguish the cipher from a random permutation. Figure 3.5 provides a schematic representation of the boomerang attack.

′ ′ Q E0 E1 D

∆ ∆∗ ∇∗ ∇

′ ′ P E0 E1 C ∆ ∆∗

Q E0 E1 D

∇∗ ∇

P E0 E1 C

Figure 3.5: A pictorial illustration of the boomerang attack

The attack can be carried out for all possible ∆∗ and ∇ under the condition that ∗ 2 2 ∆ = ∇. The probability of ﬁnding a right quartet for E is no less than p1q1, where p1 and q1 are deﬁned as follows:

2 ∗ p1 = Pr [∆ → ∆ ], (3.9) ∆∗ and 2 ∗ q1 = Pr [∇→∇ ]. (3.10) ∇ Biryukov [18] described a generic method which employs a boomerang distinguisher to attack five and six round substitution-permutation networks (SPNs), and used this idea to present boomerang attacks on 5 and 6 rounds of AES-128. It was mentioned that one can find many truncated differentials with probability 1 for three rounds of the AES, but they are expensive in the sense of probability when trying to extend them at either end of the boomerang distinguisher. The overall complexity of the 5-round attack is 238 chosen plaintext/adaptive chosen ciphertext queries, 238 time complexity and 232 blocks of memory. The 6-round attack requires 239 chosen plaintexts, 271 adaptively chosen ciphertexts, 271 time complexity and 237 blocks of memory. 3.7. Boomerang Attacks 33

3.7.1 Ampliﬁed Boomerang Attack

The amplified boomerang attack was proposed by Kelsey, Kohno and Schneier [64]. Compared with the original boomerang attack, the amplified variant is a chosen plaintext attack, and it does not require adaptive chosen-ciphertext queries. The amplifier- boomerang approach uses the birthday paradox techniques to remove the adaptive constraint in the boomerang attack. The attack first encrypts many plaintext pairs with input difference ∆, and then searches for quartets that conform to the requirements of the boomerang process. Two pairs of plaintexts (P,P ′ = P ⊕ ∆) and (Q, Q′ = Q ⊕ ∆), whose corresponding ciphertext pairs are (C,C′) and (D,D′), are called a right quartet if the following three requirements are met.

′ ∗ ′ 1. E0(P ) ⊕ E0(P ) = ∆ = E0(Q) ⊕ E0(Q ).

2. E0(P ) ⊕ E0(Q)= ∇. If this condition and the previous one are satisﬁed, we have ′ ′ E0(P ) ⊕ E0(Q )= ∇.

3. C ⊕ D = ∇∗ = C′ ⊕ D′.

It was shown in [64] that out of N plaintext pairs, we can expect that the number of correct quartets is N 22−(n+1)p2q2.

3.7.2 Rectangle Attack

The amplified boomerang attack was later extended to the rectangle attack by Biham, Dunkelman and Keller [12]. The boomerang-amplifier attack transfers the boomerang attack to a chosen plaintext attack at the cost of a higher data complexity since the boomerang amplifiers require more queries than the boomerangs. In the amplified boomerang attack, we have to encrypt many plaintext pairs with input difference ∆, and then search for a quartet such that C ⊕ D = C′ ⊕ D′ = ∇∗ when P ⊕ P ′ = Q ⊕ Q′ = ∆. The resultant quartet is a correct quartet with probability 2−(n+1)/2pq, if ∗ ∗ the differential ∆ → ∆ for E0 holds with probability p, and the differential ∇→∇ for E1 holds with probability q. The low probability comes from the fact that it is hard to guarantee that we always obtain the ∇ difference in the attack progress. The low probability issue of the boomerang-amplifier technique introduces a problem of identifying the correct quartets. In the boomerang attack, we know that the plaintext pair we need to check is (Q, Q′) while in the amplified boomerang variant, we have no idea which quartets we should check and thus we have to search all possible quartets for the correct ones. 3.8. Impossible Differential Cryptanalysis 34

The rectangle attack improves the boomerang-amplifier attack by using a better mechanism. Three improvements were made to the amplified boomerang attack to improve the attack [12]. These improvements show that it is possible to increase the probability of a quartet to be a right quartet, and consequently we can expect that on 2 −n 2 2 average, N plaintext pairs with input difference ∆ will generate (N /2)2 p1q1 right quartets, where p1 and q1 are as defined in Equation (3.9) and (3.10). Wagner described in [98] the technique of considering multiple differentials, which is essentially how the rectangle attack improves on the amplified boomerang attack. Murphy [84] raised the question concerning the probability of a boomerang return- ing by giving counterexamples based on the two most important block ciphers, the DES and the AES. It was concluded in [84] that “we have given counterexamples that clearly demonstrate that the justification for the boomerang analysis given by [98] is highly questionable such counterexamples can also be adapted to show that the jus- tifications for derived analyses, such as the amplified boomerang analysis [64] and the rectangle analysis [12], are also highly questionable”. The answer to the question raised in [84] can be found in [68].

3.8 Impossible Diﬀerential Cryptanalysis

Impossible differential cryptanalysis is a variant of differential cryptanalysis. In 1998, Knudsen [70] described a form of this attack in a technical report where the design of block cipher DEAL was released. Later, Biham, Biryukov and Shamir [10] used this technique to attack 31 rounds of the Skipjack block cipher. In differential cryptanalysis, the adversary usually exploits differential characteristics with high probabilities and uses them to distinguish the cipher from a random permutation. In impossible differential cryptanalysis, the attacker considers differential characteristics that occur with probability zero. Based on the fact that impossible events will never happen, the decryption of a pair of ciphertexts under the correct key should not generate any impossible difference. In other words, if we use a candidate key to decrypt a pair of ciphertexts and obtain an impossible difference, the candidate key must not be the correct key. By using this technique, the attacker can eliminate those wrong keys until finding the correct ones. To construct impossible differential distinguishers, one needs to combine truncated differentials with the miss-in-the-middle technique [11]. Biham and Keller [15] presented an impossible differential attack on AES-128 up to 5 rounds and the attack requires 229.5 chosen plaintexts and 231 encryptions. In [15] a four-round impossible differential property of the AES was described which has been used in the subsequent impossible differential attacks on the AES. Cheon, Kim, Kim, 3.9. Dual Ciphers 35

Lee and Kang [30] extended the attack in [15] to 6 rounds of AES-128 with 291.5 chosen plaintexts and 2122 encryptions. Phan [89] used the impossible differential approach to attack 7 rounds of AES-192 and AES-256. Bahrak and Aref [5] proposed a new 7-round impossible differential attack on AES-128 which requires 2117.5 chosen plaintexts and 2121 encryptions. Zhang, Wu and Feng [103] improved previous results and described impossible differential attacks on 7-round AES-128 and AES-192, and 8-round AES- 256. Lu, Dunkelman, Keller and Kim [76] improved previous work and presented attacks on three variants of AES up to 7 rounds, and demonstrated an attack on AES- 256 up to 8 rounds. Mala, Dakhilalian, Rijmen and Modarres-Hashemi [78] used a 4-round impossible differential of AES to propose an attack on 7-round AES-128. In order to reduce the size of the target key space, the attack described in [78] changes the order of the two linear transformations MixColumns and AddRoundKey in the 6th round, and a combination of previously known techniques were used to reduce the complexity of the attack.

3.9 Dual Ciphers

The concept of dual ciphers was introduced by Barkan and Biham [6]. It was shown that the replacements of the constants in the AES algorithm (including the replacement of the irreducible polynomial, the coefficients of the MixColumns operation, the affine transformation in the S-box, etc) can create new dual ciphers. The dual cipher is equivalent to the original cipher in the sense that it generates the same ciphertext for a given plaintext and a given key, although its intermediate values during encryption are different from the original ones. The definition of a dual cipher is given below.

Deﬁnition 3.9.1 [6] Two ciphers E and E′ are called Dual Ciphers if there exist invertible transformations f, g and h such that

′ ∀P,K f(EK(P )) = Eg(K)(h(P )).

The irreducible polynomial used in the AES to construct GF (28) is x8+x4+x3+x+1. Since there are 30 irreducible polynomials of degree 8 over GF (2), we can therefore deﬁne 240 dual ciphers for the AES algorithm. Raddum [91] presented 9120 other representations of GF (28), and thus increased the number of dual ciphers of the AES from 240 to 9360. However, no weaknesses of these dual ciphers have been found. 3.10. Algebraic Attacks 36 3.10 Algebraic Attacks

In algebraic attacks, the attacker exploits the algebraic structure of a cipher and ex- presses the cipher as a set of algebraic equations with a number of variables. Normally, these variables include the bits (or bytes) from the plaintext, ciphertext and the secret key. By accepting enough plaintext/ciphertext pairs as the data input, the attacker tries to solve the algebraic equations to recover the unknown secret key of the cipher. The most challenging part of the algebraic attacks is that the attacker must be able to solve the algebraic equations based on the known plaintext/ciphertext pairs. It is well known that solving multivariate quadratic equations over a finite set of numbers is an NP-hard problem. In 2002, Courtois and Pieprzyk [33] showed that the S-Box used in the AES can be described by an overdefined system of algebraic equations. It was stated that the cipher can be represented as a system of overdefined and sparse quadratic equations over GF (2), and in the case of 128-bit key size, AES can be expressed as a system of 8000 quadratic equations with 1600 variables. An algorithm named XSL (which stands for eXtended Sparse Linearisation) was introduced to attack block ciphers like AES and Serpent. As mentioned in [33], the complexity of the XSL attack is difficult to estimate due to the redundant equations. However, some cryptographers doubted the correctness of the XSL attack. For example, Cid and Leurent [31] published a paper and claimed that the XSL attack could not succeed. The XSL algorithm is derived from the XL [32] (eXtended Linearisation) algorithm, which can be considered as a combination of bounded degree Gröbner bases and linearisation. Murphy and Robshaw [85] described an approach which can be used to avoid the conflict between the operations in the two fields of GF (28) and GF (2) used in the AES. They defined a new block cipher, named BES, which uses only simple algebraic operations in GF (28). By following the BES approach, Toli and Zanoni [97] provided further observations on the algebraic representation of the AES as a system of polynomial equations.

3.11 Related-Key Attacks

Related-key attacks were first introduced by Biham [9] and independently by Knud- sen [69]. Kelsey, Schneier and Wagner presented related-key differential attacks in [65]. Related-key cryptanalysis assumes that the attacker can choose relations between pairs of unknown keys, and learns the encryptions of plaintexts under these keys. The target of the attacker is to recover the keys. Since the attacks exploit the weaknesses of key 3.11. Related-Key Attacks 37 schedules, a cipher with a weak key scheduling algorithm may be vulnerable to these attacks. In 2009, Biryukov, Khovratovich and Nikolić[22] published the first related-key attack on the full 14-round AES-256. They introduced the notion of differential q- multicollision, whose definition is provided as follows.

Deﬁnition 3.11.1 [22] A set of two diﬀerences and q pairs

{∆K, ∆P ;(P1,K1), (P2,K2), ..., (Pq,Kq)} is called a diﬀerential q-multicollision for a cipher EK() if

EK1(P1) ⊕ EK1⊕∆K (P1 ⊕ ∆P ) = EK2(P2) ⊕ EK2⊕∆K (P2 ⊕ ∆P ) = =

EKq(Pq) ⊕ EKq⊕∆K (Pq ⊕ ∆P ).

A differential q-multicollision can be also viewed as a set of q right pairs with respect to the related-key differential, where the key is not fixed.

It was showed that the q-multicollisions can be constructed in time q 267 for AES-256, and in contrast, the time complexity of constructing the q-multicollisions for an ideal q−1 128 cipher of the same block size is at least O(q 2 q+1 ). The q-pseudo collisions for AES- 256 can be constructed with the same complexity in Davies-Meyer mode. Davies-Meyer construction, whose description can be found in [82], is widely used in the design of hash functions, and the security of this construction in the ideal cipher model was proved in [100]. The results of [22] revealed that AES-256 can not be used as an ideal cipher in Davies-Meyer construction. The slow diffusion of the AES key schedule in backward direction allows the attacker to generate a local collision (see Figure 3.6) and eventually produce a differential trail. In addition, it was demonstrated that an adversary is able to construct a related-key distinguisher which works for one out of every 235 keys with 2120 data and time complexity and negligible memory. The distinguisher can be used to mount a key-recovery attack against AES-256 with 2131 time complexity and 265 memory. Biryukov and Khovratovich [21] presented two related-key attacks on the full AES- 192 and AES-256, and the attack on AES-192 is the first cryptanalysis of the full 12- round AES-192. For AES-256, the attack published in [22] was further improved, and a key recovery attack, which works for all keys and has 299.5 time and data complexity, was proposed. Both attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle. Biryukov, Dunkelman, Keller, Khovratovich and Shamir [20] proposed attacks on reduced-round variants of AES-256 up to 10 rounds with practical complexity. One of 3.11. Related-Key Attacks 38

Key schedule round ?

? ? Key schedule round

- ?SB ◦ SR- MC- - ?- ARK ARK

Figure 3.6: The depiction of a local collision these attacks uses only two related keys and 239 time complexity to recover the complete 256-bit key of a 9-round version of AES-256. Another attack, shown in [20], can break a 10-round version of AES-256 with 245 time complexity, but it uses a stronger type of related subkey attack. Other previous related-key attacks on the AES are briefly described as follows. Ferguson, Kelsey, Lucks, Schneier, Stay, Wagner and Whiting [46] described a related- key attack on nine rounds of AES-256 with 285 chosen plaintexts and 5 2224 time complexity, under 256 keys. Jakimoski and Desmedt [60] used impossible related-key differentials to attack seven rounds of AES-192 with 2111 plaintext/ciphertext pairs and 2116 computational complexity , and to break eight rounds of AES-192 with 288 plaintext/ciphertext pairs and 2183 time complexity. Biham, Dunkelman and Keller [13] presented a related-key rectangle attack on 9-round AES-192 with data complexity of 287 chosen plaintexts and time complexity of 2125 encryptions, and the attack was applied to 10-round AES-256 with 2114.9 related-key chosen plaintexts (encrypted under 256 related keys) and 2171.8 time complexity. Hong, Kim, Lee and Preneel [55] employed four related keys to propose related-key rectangle attack on eight rounds of AES- 192 with 286.5 data complexity and about 286.5 AES encryptions. Biham, Dunkelman and Keller [14] improved the attacks described in [60], and presented four related-key impossible differential attacks on 7-round and 8-round AES-192, whose data and time complexities are provided in Table 3.2. Kim, Hong and Preneel [67] exploited the slow difference propagations of the AES-192 and AES-256 key schedules to present related- key rectangle attacks on 8-round AES-192 with 2 related keys, 10-round AES-192 with 64 or 256 related keys and 9-round AES-256 with 4 related keys. 3.12. Biclique Cryptanalysis 39 3.12 Biclique Cryptanalysis

In 2011, Bogdanov, Khovratovich and Rechberger [24] presented a cryptanalytic technique called bicliques, and combined this technique with the approach of meet-in-the- middle attacks to carry out the ﬁrst key recovery attacks on the full rounds of AES-128, AES-192 and AES-256. The proposed attacks use the single-key model, which is more practical than the related-key model used in the results of [22], [21] and [20]. The biclique concept was introduced by Khovratovich, Rechberger and Savelieva [66] for hash function cryptanalysis, and it is derived from the so-called splice-and-cut technique [4, 3, 53]. The deﬁnition of a biclique is given below:

Deﬁnition 3.12.1 [24] Let f be a subcipher that maps an internal state S to the d d ciphertext C: fK (S) = C. f connects 2 internal states {Sj} to 2 ciphertexts {Ci} with 22d keys {K[i, j]}:

K[0, 0] K[0, 1] K[0, 22d−1] {K[i, j]} =   . − − − −  K[22d 1, 0] K[22d 1, 1] K[22d 1, 22d 1]      The 3-tuple [{Ci}, {Sj}, {K[i, j]}] is called a d-dimensional biclique, if

d Ci = fK[i,j](Sj) for all i, j ∈{0, , 2 − 1}.

Two distinct methods, both employing the biclique properties, were proposed in [24] for key recovery attacks. Assume that there exists an i-round meet-in-the-middle attack on the n-round cipher. In the first method, known as the long-biclique technique, the attacker targets to establish a biclique for the rest n − i rounds of the cipher. One can establish small-dimension bicliques by using various tools derived from differential cryptanalysis, such as rebound attacks [81] and local collisions [29]. The main computational cost of this method comes from the construction of the bicliques. In the second method, which is known as the independent-biclique technique, the adversary attempts to establish high-dimension bicliques for smaller number of rounds and use the idea of matching with precomputations to process the rest rounds of the cipher. Compared with the first method described above, it is easier for the adversary to construct bicliques in this approach, and therefore the primary computational cost of this method is from the matching computation. Figure 3.7 illustrates the effect of the combination of the biclique technique with the meet-in-the-middle attack. The biclique cryptanalysis can be used to attack 10-round AES-128, 12-round AES-192 and 14-round AES-256, with time complexity of 2126.18, 2189.74 and 2254.42, respectively. 3.13. Summary of AES Cryptanalysis 40

Plaintext

Meet-in- the-middle attack Key

Ciphertext

Figure 3.7: The biclique cryptanalysis with the meet-in-the-middle attack

3.13 Summary of AES Cryptanalysis

Previous results of AES cryptanalysis are summarised in Table 3.1 and Table 3.2. The entries of these tables are sorted by the number of rounds to which the attacks are applicable, and if two attacks are applicable to the same number of rounds of the AES, the corresponding entries are further sorted by publication date.

KS RD Data Time Memory Attack Type Ref 128 5 211 240 211 Square [36] 128 5 229.5 231 238 Impossible Differential [15] 128 5 239 239 233 Boomerang [18] 128 6 232 272 232 Square [36] 128 6 234.6 244 232 Partial Sum [46] 128 6 291.5 2122 289 Impossible Differential [30] 128 6 271 271 233 Boomerang [18] 128 7 2128 − 2119 2120 264 Partial Sum [46] 128 7 232 2128 280 Collision [50] 128 7 2115.5 2119 245 Impossible Differential [103] 128 7 2117.5 2123 2109 Impossible Differential [5] 128 7 2106.2 2110.2 294.2 Impossible Differential [78] 128 7 2103+n 2103−n 2129−n Square [41] 128 8 2112.2 2117.2 2112.2 Impossible Differential [76] 128 10 288 2126.18 28 Biclique Attack [24] KS - Key Size, RD - Rounds, Ref - Reference Table 3.1: Summary of AES-128 cryptanalysis 3.13. Summary of AES Cryptanalysis 41

KS RD Data Time Memory Attack Type Ref 192 7 232 2140 280 Collision Attack [50] 192 7 2111 2116 Related-Key Impossible [60] 192 7 292 2186 2153 Impossible Differential [89] 192 7 292 2162 2153 Impossible Differential [103] 192 7 256 294 269 Related-Key Impossible [14] 192 7 246+n 294+n 2192−n Meet in the Middle [39] 192 7 2103+n 2103−n 2129−n Square [41] 192 8 2128 − 2119 2188 2127.997 Partial Sum [46] 192 8 288 2183 Related-Key Impossible [60] 192 8 286.5 286.5 290.83 Related-Key Rectangle [55] 192 8 2116 2134 Related-Key Impossible [14] 192 8 292 2159 Related-Key Impossible [14] 192 8 268.5 2184 269 Related-Key Impossible [14] 192 8 294 2120 Related-Key Rectangle [67] 192 8 2113.8 2118.8 2113.8 Impossible Differential [76] 192 8 2113+n 2172+n 2129−n Square [41] 192 9 287 2125 Related-Key Rectangle [13] 192 9 285 2182 Related-Key Rectangle [67] 192 10 2125 2182 Related-Key Rectangle [67] 192 10 2124 2183 Related-Key Rectangle [67] 192 12 2123 2176 2152 Related-Key Amp. Boomerang [21] 192 12 280 2189.74 28 Biclique Attack [24] 256 7 232 2140 280 Collision Attack [50] 256 7 292.5 2250.5 2153 Impossible Differential [89] 256 7 234+n 282+n 2204−n Meet in the Middle [39] 256 7 2103+n 2103−n 2129−n Square [41] 256 8 2128 − 2119 2204 2127.997 Partial Sum [46] 256 8 2116.5 2247.5 245 Impossible Differential [103] 256 8 234+n 2205.6+n 2206−n Meet in the Middle [39] 256 8 289.1 2229.7 2101 Impossible Differential [76] 256 8 2113+n 2196+n 2129−n Square [41] 256 9 285 2226 232 Partial Sum [46] 256 9 299 2120 Related-Key Rectangle [67] 256 9 238 239 232 Related-Key Differential [20] 256 10 2114.9 2171.8 Related-Key Rectangle [13] 256 10 2113.9 2172.8 Related-Key Rectangle [67] 256 10 244 245 233 Related Subkey Attack [20] 256 14 2131 2131 265 Related-Key Differential [22] 256 14 299.5 299.5 277 Related-Key Boomerang [21] 256 14 240 2254.42 28 Biclique Attack [24] KS - Key Size, RD - Rounds, Ref - Reference, Amp. - Amplified Table 3.2: Summary of AES-192 and AES-256 cryptanalysis Chapter 4

A Five-Round Algebraic Property of AES

In this chapter, we describe a five-round algebraic property of the Advanced Encryption Standard. The results of this chapter were published in [56] and [57]. The round transformation of AES was carefully designed, and it was shown in [37] that two rounds of operations provide a full diffusion. Therefore, if a byte is changed at the beginning of a round, the change will affect all bytes of the state after two rounds. We ask the question what happens if we modify a few (say X ) bytes of the state in several (say N ) consecutive rounds simultaneously during the encryption/decryption process, where X and N are integers, 0

4.1 The Five-Round Property

To address the question mentioned above, we show that if X = 4, N = 5, and the modifications are carried out by performing four extra XOR operations at the end of each round (i.e., after the ARK transformation), these modifications do not change the result of the computation when the values of the modified bytes are chosen correctly. In this property, each of these five rounds contains SB, SR, MC and ARK transformations. Figure 4.1, Figure 4.2 and Figure 4.3 are used to describe this five-round property. The layout of the twenty bytes in the five intermediate values is shown in Figure 4.1, and ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ the twenty bytes are G0, G2, G8, G10, M0, M2, M8, M10, R0, R2, R8, R10, V0 , V2 , V8 , V10, ′ ′ ′ ′ Z0, Z2, Z8, and Z10. In Figure 4.1, a zero occupied byte means that there is no change in that byte, and a variable occupied byte indicates that there is a modification in that

42 4.2. The δ Algorithm 43 byte. In Figure 4.2, all intermediate values are listed when using the AES algorithm to encrypt a plaintext P under a 128-bit key K , and all bytes of the intermediate values are denoted by plain variables. Correspondingly, Figure 4.3 enumerates all intermediate values of the AES with 20 extra XOR operations. The twenty-byte modifications take place in Round 1, 2, 3, 4 and 5, and after ARK transformation in each of these five rounds, we perform XOR operations on Bytes 0, 2, 8 and 10. We show that the twenty- byte modifications do not change the input to Round 6, i.e., both the AES and the AES with 20 extra XOR operations generate the same input to Round 6. In Figure 4.3, a variable marked by a asterisk indicates that the value at that location has been affected by the twenty-byte modifications, and a plain variable shows that the value at that location is not affected by the twenty-byte modifications. For example, after ARK in ′ Round 1 in Figure 4.3, Byte Gi is XORed with Byte Gi, and after SB, we have four ∗ modified bytes Hi , i ∈{0, 2, 8, 10}, and twelve unchanged bytes: H1, H3, H4, H5, H6,

H7, H9, H11, H12, H13, H14, and H15.

′ ′ G0 0 G8 0 0 0 0 0 ′ ′ G2 0 G10 0 0 0 0 0 ′ ′ M0 0 M8 0 0 0 0 0 ′ ′ M2 0 M10 0 0 0 0 0 ′ ′ R0 0 R8 0 0 0 0 0 ′ ′ R2 0 R10 0 0 0 0 0 ′ ′ V0 0 V8 0 0 0 0 0 ′ ′ V2 0 V10 0 0 0 0 0 ′ ′ Z0 0 Z8 0 0 0 0 0 ′ ′ Z2 0 Z10 0 0 0 0 0 Figure 4.1: The twenty bytes

4.2 The δ Algorithm

′ ′ We introduce an algorithm named δ to decide the values of the twenty bytes: Gi, Mi , ′ ′ ′ Ri, Vi and Zi, i ∈ {0, 2, 8, 10}. For any plaintext P and any key K used in the AES algorithm, the δ algorithm accepts P and K as two inputs, and generates an output which contains the twenty bytes required in the ﬁve-round property. The δ algorithm contains the following seven steps:

1. Process the ﬁrst ﬁve rounds of the AES algorithm by taking the plaintext P and 4.2. The δ Algorithm 44

P0 P4 P8 P12 A0 A4 A8 A12

P1 P5 P9 P13 ARK A1 A5 A9 A13 Initial Round Plaintext P −→ P2 P6 P10 P14 A2 A6 A10 A14

P3 P7 P11 P15 A3 A7 A11 A15

B0 B4 B8 B12 D0 D4 D8 D12 F0 F4 F8 F12 G0 G4 G8 G12 B B B B D D D D F F F F G G G G SB 1 5 9 13 SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 1 −→ −→ −→ −→ B2 B6 B10 B14 D2 D6 D10 D14 F2 F6 F10 F14 G2 G6 G10 G14

B3 B7 B11 B15 D3 D7 D11 D15 F3 F7 F11 F15 G3 G7 G11 G15

H0 H4 H8 H12 J0 J4 J8 J12 L0 L4 L8 L12 M0 M4 M8 M12 H H H H J J J J L L L L M M M M SB 1 5 9 13 SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 2 −→ −→ −→ −→ H2 H6 H10 H14 J2 J6 J10 J14 L2 L6 L10 L14 M2 M6 M10 M14

H3 H7 H11 H15 J3 J7 J11 J15 L3 L7 L11 L15 M3 M7 M11 M15

N0 N4 N8 N12 O0 O4 O8 O12 Q0 Q4 Q8 Q12 R0 R4 R8 R12 N N N N O O O O Q Q Q Q R R R R SB 1 5 9 13 SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 3 −→ −→ −→ −→ N2 N6 N10 N14 O2 O6 O10 O14 Q2 Q6 Q10 Q14 R2 R6 R10 R14 N3 N7 N11 N15 O3 O7 O11 O15 Q3 Q7 Q11 Q15 R3 R7 R11 R15

S0 S4 S8 S12 T0 T4 T8 T12 U0 U4 U8 U12 V0 V4 V8 V12 S S S S T T T T U U U U V V V V SB 1 5 9 13 SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 4 −→ −→ −→ −→ S2 S6 S10 S14 T2 T6 T10 T14 U2 U6 U10 U14 V2 V6 V10 V14 S3 S7 S11 S15 T3 T7 T11 T15 U3 U7 U11 U15 V3 V7 V11 V15

W0 W4 W8 W12 X0 X4 X8 X12 Y0 Y4 Y8 Y12 Z0 Z4 Z8 Z12 W W W W X X X X Y Y Y Y Z Z Z Z SB 1 5 9 13 SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 5 −→ −→ −→ −→ W2 W6 W10 W14 X2 X6 X10 X14 Y2 Y6 Y10 Y14 Z2 Z6 Z10 Z14 W3 W7 W11 W15 X3 X7 X11 X15 Y3 Y7 Y11 Y15 Z3 Z7 Z11 Z15

Figure 4.2: The intermediate values of AES-128

the key K as the inputs, i.e., start with the initial round, and process Round 1, 2, 3, 4 and 5 of the AES. Therefore, we know all intermediate values in Figure 4.2, from initial round to Round 5.

′ ′ ′ ′ ′ 2. Initialise Gi, Mi , Ri, Vi and Zi to zero, i ∈{0, 2, 8, 10}.

′ ′ ′ ′ 3. Choose G0,G2,G8 and G10 freely. The only requirement is that at least one of ′ ′ ′ ′ these four bytes is not equal to zero, namely, G0,G2,G8 and G10 cannot be all ′ ′ ′ ′ zeros. If G0,G2,G8 and G10 are all zeros, the δ algorithm outputs twenty zero ′ ′ ′ ′ bytes. Once G0,G2,G8 and G10 are decided, the remaining 16 bytes will be computed by the procedures described in Section 4.2.1, Section 4.2.2, Section 4.2.3 and Section 4.2.4.

′ ′ ′ ′ 4. Compute M0, M2, M8 and M10.

′ ′ ′ ′ 5. Calculate R0, R2, R8 and R10.

′ ′ ′ ′ 6. Decide V0 ,V2 ,V8 and V10.

′ ′ ′ ′ 7. Determine Z0,Z2,Z8 and Z10.

32 ′ ′ ′ ′ Remark 1. There are 2 − 1 combinations of {G0,G2,G8,G10} because each byte can have 28 possible values. 4.2. The δ Algorithm 45

P0 P4 P8 P12 A0 A4 A8 A12

P1 P5 P9 P13 ARK A1 A5 A9 A13 Initial Round Plaintext P −→ P2 P6 P10 P14 A2 A6 A10 A14 P3 P7 P11 P15 A3 A7 A11 A15 ′ ′ B0 B4 B8 B12 D0 D4 D8 D12 F0 F4 F8 F12 G0 G4 G8 G12 G0 0 G8 0

SB B1 B5 B9 B13 SR D1 D5 D9 D13 MC F1 F5 F9 F13 ARK G1 G5 G9 G13 0 0 0 0 1 −→ −→ −→ −→ ⊕ ′ ′ → B2 B6 B10 B14 D2 D6 D10 D14 F2 F6 F10 F14 G2 G6 G10 G14 G2 0 G10 0 B3 B7 B11 B15 D3 D7 D11 D15 F3 F7 F11 F15 G3 G7 G11 G15 0 0 0 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ′ ′ H0 H4 H8 H12 J0 J4 J8 J12 L0 L4 L8 L12 M0 M4 M8 M12 M0 0 M8 0 ∗ ∗ ∗ ∗ L L M M SB H1 H5 H9 H13 SR J1 J5 J9 J13 MC 1 L5 9 L13 ARK 1 M5 9 M13 0 0 0 0 2 −→ ∗ ∗ −→ ∗ ∗ −→ ∗ ∗ −→ ∗ ∗ ⊕ ′ ′ → H2 H6 H10 H14 J2 J6 J10 J14 L2 L6 L10 L14 M2 M6 M10M14 M2 0 M10 0 ∗ ∗ ∗ ∗ H3 H7 H11 H15 J3 J7 J11 J15 L3 L7 L11 L15 M3 M7 M11M15 0 0 0 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ′ ′ N0 N4 N8 N12 O0 O4 O8 O12 Q0 Q4 Q8 Q12 R0 R4 R8 R12 R0 0 R8 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ SB N1 N5 N9 N13 SR O1 O5 O9 O13 MC Q1 Q5 Q9 Q13 ARK R1 R5 R9 R13 0 0 0 0 3 −→ ∗ ∗ −→ ∗ ∗ −→ ∗ ∗ ∗ ∗ −→ ∗ ∗ ∗ ∗ ⊕ ′ ′ → N2 N6 N10 N14 O2 O6 O10 O14 Q2 Q6 Q10 Q14 R2 R6 R10 R14 R2 0 R10 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ N3 N7 N11 N15 O3 O7 O11 O15 Q3 Q7 Q11 Q15 R3 R7 R11 R15 0 0 0 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ′ ′ S0 S4 S8 S12 T0 T4 T8 T12 U0 U4 U8 U12 V0 V4 V8 V12 V0 0 V8 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ SB S1 S5 S9 S13 SR T1 T5 T9 T13 MC U1 U5 U9 U13 ARK V1 V5 V9 V13 0 0 0 0 4 −→ ∗ ∗ ∗ ∗ −→ ∗ ∗ ∗ ∗ −→ ∗ ∗ −→ ∗ ∗ ⊕ ′ ′ → S2 S6 S10 S14 T2 T6 T10 T14 U2 U6 U10 U14 V2 V6 V10 V14 V2 0 V10 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ S3 S7 S11 S15 T3 T7 T11 T15 U3 U7 U11 U15 V3 V7 V11 V15 0 0 0 0 ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ′ ′ W0 W4 W8 W12 X0 X4 X8 X12 Y0 Y4 Y8 Y12 Z0 Z4 Z8 Z12 Z0 0 Z8 0 ∗ ∗ ∗ ∗ W W X X SB W1 5 W9 13 SR 1 X5 9 X13 MC Y1 Y5 Y9 Y13 ARK Z1 Z5 Z9 Z13 0 0 0 0 5 −→ ∗ ∗ −→ ∗ ∗ −→ ∗ ∗ −→ ∗ ∗ ⊕ ′ ′ → W2 W6 W10W14 X2 X6 X10 X14 Y2 Y6 Y10 Y14 Z2 Z6 Z10 Z14 Z2 0 Z10 0 ∗ ∗ ∗ ∗ W3 W7 W11W15 X3 X7 X11 X15 Y3 Y7 Y11 Y15 Z3 Z7 Z11 Z15 0 0 0 0

Figure 4.3: The intermediate values of AES-128 with 20 extra XOR operations

′ ′ ′ ′ 4.2.1 Deciding M0, M2, M8 and M10

′ ′ ′ ′ After we have decided the values of G0,G2,G8 and G10, we carry out a four-round computation (of the AES with extra 12 XOR operations), called Routine Computation One, which starts with the initial round and ends with MC in Round 4 (see Figure 4.3).

Routine Computation One Initial round : ARK−→ ⊕ Round 1 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 2 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 3 : −→SB −→SR −→MC ARK−→ −→ Round 4 : −→SB −→SR −→MC .

All intermediate values from the computation of this time are stored in array called Buﬀer One (note that Routine Computation One produces 19 intermediate values). We denote the input and output of MC in Round 4 by

∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ T0 T4 T8 T12 U0 U4 U8 U12  T ∗ T ∗ T ∗ T ∗   U ∗ U ∗ U ∗ U ∗  1 5 9 13 MC 1 5 9 13   −→   .  ∗ ∗ ∗ ∗   ∗ ∗ ∗ ∗   T2 T6 T10 T14   U2 U6 U10 U14           T ∗ T ∗ T ∗ T ∗   U ∗ U ∗ U ∗ U ∗   3 7 11 15   3 7 11 15      4.2. The δ Algorithm 46

′ ′ ′ Next, we will show that there is an algebraic relation between Bytes {M0, M2, M8, ′ ∗ ∗ ∗ ∗ M10} and Bytes {U4 , U6 , U12, U14}. Based on this relationship, we can change the ∗ ∗ ∗ ∗ values of {U4 , U6 , U12, U14} to the values of {U4, U6, U12, U14} by setting the values ′ ′ ′ ′ ′ ′ ′ ′ of {M0, M2, M8, M10}. After we have decided the values of {M0, M2, M8, M10}, we aim to have an intermediate value after MC in Round 4 in the format of

∗ ∗ U0 U4 U8 U12  ∗ ∗ ∗ ∗  U1 U5 U9 U13   .  ∗ ∗   U2 U6 U10 U14       U ∗ U ∗ U ∗ U ∗   3 7 11 15    ′ ′ ′ ′ The steps of deciding {M0, M2, M8, M10} are listed as follows:

′ ′ ′ ′ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ {M0, M2, M8, M10} ← {N0 ,N2 ,N8 ,N10} ← {O0, O2, O8, O10}

∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ← {Q1,Q3,Q9,Q11} ← {R1,R3,R9,R11} ← {S1 ,S3 ,S9 ,S11}

∗ ∗ ∗ ∗ ← {T5 , T7 , T13, T15} ← {U4,U6,U12,U14}.

∗ ∗ ∗ ∗ After we change the values of {U4 , U6 , U12, U14} to the values of {U4, U6, U12, U14}, the input and output of MC in Round 4 become

∗ ∗ ∗ ∗ ∗ ∗ T0 T4 T8 T12 U0 U4 U8 U12  T ∗ T ∗ T ∗ T ∗   U ∗ U ∗ U ∗ U ∗  1 5 9 13 MC 1 5 9 13   −→   .  ∗ ∗ ∗ ∗   ∗ ∗   T2 T6 T10 T14   U2 U6 U10 U14           T ∗ T ∗ T ∗ T ∗   U ∗ U ∗ U ∗ U ∗   3 7 11 15   3 7 11 15      ∗ ∗ ∗ ∗ Our next target is to modify the values of {T5 , T7 , T13, T15} according to the values of

{U4, U6, U12, U14}. From the MC transformation, we have the following formula:

∗ ∗ ∗ ∗ ∗ ∗ U0 U4 U8 U12 02 03 01 01 T0 T4 T8 T12  ∗ ∗ ∗ ∗     ∗ ∗ ∗ ∗  U1 U5 U9 U13 01 02 03 01 T1 T5 T9 T13   =     .  ∗ ∗     ∗ ∗ ∗ ∗   U2 U6 U10 U14   01 01 02 03   T2 T6 T10 T14               U ∗ U ∗ U ∗ U ∗   03 01 01 02   T ∗ T ∗ T ∗ T ∗   3 7 11 15     3 7 11 15        ∗ ∗ ∗ ∗ To ﬁnd out the values of {T5 , T7 , T13, T15}, we need to solve the following two groups of linear functions, which are marked by (4.1) and (4.2). 4.2. The δ Algorithm 47

∗   T4     ∗    T    5   02 03 01 01   = U4      T ∗    6          ∗    T7   (4.1)  ∗  T4      ∗    T5      01 01 02 03   = U6   ∗    T    6          T ∗    7   ∗   T12     ∗    T    13   02 03 01 01   = U12      T ∗    14          ∗    T15   (4.2)  ∗  T12      ∗    T13      01 01 02 03   = U14   ∗    T    14          T ∗    15   ∗ ∗ In (4.1), there are two linear equations with two unknown variables T5 and T7 , and ∗ ∗1 our idea is to solve (4.1) to obtain the values of T5 and T7 . Similarly, we can solve ∗ ∗ ∗ ∗ (4.2) with two unknown variables T13 and T15 to get the values of T13 and T15. ∗ ∗ ∗ ∗ −1 −1 After having T5 , T7 , T13 and T15, we perform SR (inverse ShiftRows) and SB ∗ ∗ ∗ ∗ (inverse SubBytes), and obtain the values of R1, R3, R9 and R11 after ARK in Round ∗ ∗ ∗ ∗ 3. Apply the ARK transformation to R1, R3, R9 and R11, and we have the values of ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ Q1, Q3, Q9 and Q11. Our next task is to modify the values of O0, O2, O8 and O10. In Round 3, the input and output of MC are as follows:

∗ ∗ ∗ ∗ ∗ ∗ Q0 Q4 Q8 Q12 02 03 01 01 O0 O4 O8 O12  ∗ ∗ ∗ ∗     ∗ ∗  Q1 Q5 Q9 Q13 01 02 03 01 O1 O5 O9 O13   =     .  ∗ ∗ ∗ ∗     ∗ ∗   Q2 Q6 Q10 Q14   01 01 02 03   O2 O6 O10 O14               Q∗ Q∗ Q∗ Q∗   03 01 01 02   O O∗ O O∗   3 7 11 15     3 7 11 15        We can form two groups of linear equations, which are named (4.3) and (4.4), and ∗ ∗ ∗ ∗ solve them to decide O0, O2, O8 and O10. Namely, we solve (4.3) with two unknown ∗ ∗ ∗ ∗ variables O0 and O2 to get the values of O0 and O2, and solve (4.4) with two unknown ∗ ∗ ∗ ∗ variables O8 and O10 to obtain O8 and O10. 1Note that not any set of two equations with two unknowns variables has a single solution. Some sets have none and some have more than one solution. In the case of the problems discussed in the chapter, the number of solutions is indeed 1. 4.2. The δ Algorithm 48

∗   O0        O1     ∗  01 02 03 01   = Q    1   O∗    2             O3   (4.3)  ∗  O0         O1     ∗  03 01 01 02   = Q3   ∗    O    2          O    3   ∗   O8        O9     ∗  01 02 03 01   = Q    9   O∗    10             O11   (4.4)  ∗  O8         O9     ∗  03 01 01 02   = Q11   ∗    O    10          O    11   ∗ ∗ ∗ ∗ −1 Once knowing the values of O0, O2, O8 and O10, we perform SR and thus we get ∗ ∗ ∗ ∗ ′ ′ ′ ′ Bytes N0 , N2 , N8 and N10 after SB in Round 3. Finally, Bytes M0, M2, M8 and M10 ∗ ∗ ∗ ∗ are decided by the following computations (M0 , M2 , M8 and M10 are obtained from Buﬀer One): ′ ∗ −1 ∗ ′ ∗ −1 ∗ M0 = M0 ⊕ SB (N0 ), M2 = M2 ⊕ SB (N2 ),

′ ∗ −1 ∗ ′ ∗ −1 ∗ M8 = M8 ⊕ SB (N8 ), M10 = M10 ⊕ SB (N10).

′ ′ ′ ′ ′ At this stage, we have decided the values of {Gi, Mi }, and {Ri,Vi ,Zi} are not yet decided (i.e., they are still initialised to zero), i ∈{0, 2, 8, 10}.

′ ′ ′ ′ 4.2.2 Computing R0, R2, R8 and R10 Perform Routine Computation One second time, and all intermediate values from the computation of this time are stored in an array called Buﬀer Two. The intermediate value after MC in Round 4 is

∗ ∗ U0 U4 U8 U12  ∗ ∗ ∗ ∗  U1 U5 U9 U13   .  ∗ ∗   U2 U6 U10 U14       U ∗ U ∗ U ∗ U ∗   3 7 11 15    4.2. The δ Algorithm 49

′ ′ ′ We will demonstrate that there is an algebraic relation between Bytes {R0, R2, R8, ′ ∗ ∗ ∗ ∗ R10} and Bytes {U1 , U3 , U9 , U11}. By employing this relationship, we are able to ∗ ∗ ∗ ∗ change the values of {U1 , U3 , U9 , U11} to the values of {U1, U3, U9, U11} by choosing ′ ′ ′ ′ ′ ′ the values of {R0, R2, R8, R10}. After we have determined the values of {R0, R2, ′ ′ R8, R10} and perform Routine Computation One second time, our target is that the intermediate value after MC in Round 4 is

∗ ∗ U0 U4 U8 U12  ∗ ∗  U1 U5 U9 U13   .  ∗ ∗   U2 U6 U10 U14       U U ∗ U U ∗   3 7 11 15    ′ ′ ′ ′ The moves of determining the values of {R0, R2, R8, R10} are shown below:

′ ′ ′ ′ ∗ ∗ ∗ ∗ {R0,R2,R8,R10} ← {S0 ,S2 ,S8 ,S10}

∗ ∗ ∗ ∗ ← {T0 , T2 , T8 , T10} ← {U1,U3,U9,U11}.

∗ ∗ ∗ ∗ After we replace the values of {U1 , U3 , U9 , U11} with the values of {U1, U3, U9, U11}, the input and output of MC in Round 4 are

∗ ∗ ∗ ∗ ∗ ∗ T0 T4 T8 T12 U0 U4 U8 U12  T ∗ T ∗ T ∗ T ∗   U U ∗ U U ∗  1 5 9 13 MC 1 5 9 13   −→   .  ∗ ∗ ∗ ∗   ∗ ∗   T2 T6 T10 T14   U2 U6 U10 U14           T ∗ T ∗ T ∗ T ∗   U U ∗ U U ∗   3 7 11 15   3 7 11 15      ∗ ∗ ∗ ∗ We need to modify the values of {T0 , T2 , T8 , T10} according to the values of {U1, U3,

U9, U11}. We can form two groups of linear equations, which are named (4.5) and (4.6). ∗ ∗ We can solve (4.5) to get the values of T0 and T2 , and solve (4.6) to obtain the values ∗ ∗ of T8 and T10.

∗   T0     ∗    T    1   01 02 03 01   = U1      T ∗    2          ∗    T3   (4.5)  ∗  T0      ∗    T1      03 01 01 02   = U3   ∗    T    2          T ∗    3   4.2. The δ Algorithm 50

∗   T8     ∗    T    9   01 02 03 01   = U9      T ∗    10          ∗    T11   (4.6)  ∗  T8      ∗    T9      03 01 01 02   = U11   ∗    T    10          T ∗    11   ∗ ∗ ∗ ∗ −1 After knowing the values of {T0 , T2 , T8 , T10}, we perform SR and have four corre- ∗ ∗ ∗ ∗ ′ ′ ′ ′ sponding values {S0 ,S2 ,S8 ,S10} after SB in Round 4. Bytes R0, R2, R8 and R10 are ∗ ∗ ∗ ∗ computed as follows: (R0, R2, R8 and R10 are obtained from Buﬀer Two):

′ ∗ −1 ∗ ′ ∗ −1 ∗ R0 = R0 ⊕ SB (S0 ), R2 = R2 ⊕ SB (S2 ),

′ ∗ −1 ∗ ′ ∗ −1 ∗ R8 = R8 ⊕ SB (S8 ), R10 = R10 ⊕ SB (S10).

′ ′ ′ ′ ′ At this moment, we have decided the values of {Gi, Mi , Ri}, and {Vi ,Zi} are not determined and they are still equal to their initial values, i ∈{0, 2, 8, 10}.

′ ′ ′ ′ 4.2.3 Calculating V0 , V2 , V8 and V10

′ ′ ′ ′ After having the values of R0, R2, R8 and R10, we carry out a ﬁve-round computation of the AES with 16 extra XOR operations, called Routine Computation Two, which begins with the initial round and ends with MC in Round 5 (See Figure 4.3). All intermediate values from the computation of this time are stored in an array named Buﬀer Three (note that Routine Computation Two generates 24 intermediate values).

Routine Computation Two Initial round : ARK−→ ⊕ Round 1 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 2 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 3 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 4 : −→SB −→SR −→MC ARK−→ −→ Round 5 : −→SB −→SR −→MC . 4.2. The δ Algorithm 51

After MC in Round 5, we will have an intermediate value in the following format:

∗ ∗ Y0 Y4 Y8 Y12  ∗ ∗  Y1 Y5 Y9 Y13   .  ∗ ∗   Y2 Y6 Y10 Y14       Y ∗ Y Y ∗ Y   3 7 11 15    ′ ′ ′ ′ ∗ ∗ ∗ There is an algebraic relation between Bytes {V0 , V2 , V8 , V10} and Bytes {Y1 , Y3 , Y9 , ∗ ∗ ∗ ∗ ∗ Y11}, and we can change the values of {Y1 , Y3 , Y9 , Y11} to the values of {Y1, Y3, Y9, ′ ′ ′ ′ Y11} by setting the values of {V0 , V2 , V8 , V10}. The steps of determining the values of ′ ′ ′ ′ {V0 , V2 , V8 , V10} are shown below:

′ ′ ′ ′ ∗ ∗ ∗ ∗ {V0 ,V2,V8 ,V10} ← {W0 ,W2 ,W8 ,W10}

∗ ∗ ∗ ∗ ← {X0 , X2 , X8 , X10} ← {Y1,Y3,Y9,Y11}.

∗ ∗ ∗ ∗ We replace Bytes {Y1 , Y3 , Y9 , Y11} with Bytes {Y1, Y3, Y9, Y11}, and the input and output of MC in Round 5 are

∗ ∗ ∗ ∗ X0 X4 X8 X12 Y0 Y4 Y8 Y12  X∗ X X∗ X   Y Y Y Y  1 5 9 13 MC 1 5 9 13   −→   .  ∗ ∗   ∗ ∗   X2 X6 X10 X14   Y2 Y6 Y10 Y14           X∗ X X∗ X   Y Y Y Y   3 7 11 15   3 7 11 15      We form two groups of linear functions, marked by (4.7) and (4.8). Next, we will solve ∗ ∗ ∗ (4.7) to get the values of X0 and X2 , and solve (4.8) to obtain the values of X8 and ∗ X10.

∗   X0     ∗    X    1   01 02 03 01   = Y1      X∗    2          ∗    X3   (4.7)  ∗  X0      ∗    X1      03 01 01 02   = Y3   ∗    X    2          X∗    3   4.2. The δ Algorithm 52

∗   X8     ∗    X    9   01 02 03 01   = Y9      X∗    10          ∗    X11   (4.8)  ∗  X8      ∗    X9      03 01 01 02   = Y11   ∗    X    10          X∗    11   ∗ ∗ ∗ ∗ −1 After deciding the values of {X0 ,X2 ,X8 ,X10}, we perform SR and have four cor- ∗ ∗ ∗ ∗ ′ ′ ′ ′ responding values {W0 , W2 , W8 , W10} after SB in Round 5. Bytes V0 , V2 , V8 and V10 ∗ ∗ ∗ ∗ are computed as follows: (V0 , V2 , V8 and V10 are obtained from Buﬀer Three):

′ ∗ −1 ∗ ′ ∗ −1 ∗ V0 = V0 ⊕ SB (W0 ), V2 = V2 ⊕ SB (W2 ),

′ ∗ −1 ∗ ′ ∗ −1 ∗ V8 = V8 ⊕ SB (W8 ), V10 = V10 ⊕ SB (W10).

′ ′ ′ ′ ′ At this stage, we have decided the values of {Gi, Mi , Ri,Vi }, and Zi is not determined and it is equal to the initial value, i ∈{0, 2, 8, 10}.

′ ′ ′ ′ 4.2.4 Determining Z0, Z2, Z8 and Z10 Perform Routine Computation Two second time, and the intermediate value after MC in Round 5 is ∗ ∗ Y0 Y4 Y8 Y12   Y1 Y5 Y9 Y13   .  ∗ ∗   Y2 Y6 Y10 Y14       Y Y Y Y   3 7 11 15  Apply ARK to the intermediate value above, we have

∗ ∗ Z0 Z4 Z8 Z12   Z1 Z5 Z9 Z13   .  ∗ ∗   Z2 Z6 Z10 Z14       Z Z Z Z   3 7 11 15    ′ ′ ′ ′ Bytes Z0, Z2, Z8 and Z10 are computed as follows: (Z0, Z2, Z8 and Z10 are obtained from the computation in which the AES algorithm is used to encrypt the plaintext P under the key K (see Round 5 in Figure 4.2)):

′ ∗ ′ ∗ Z0 = Z0 ⊕ Z0, Z2 = Z2 ⊕ Z2, 4.2. The δ Algorithm 53

′ ∗ ′ ∗ Z8 = Z8 ⊕ Z8, Z10 = Z10 ⊕ Z10. ′ ′ ′ ′ ′ Finally, we have decided all values of {Gi, Mi , Ri,Vi ,Zi}, i ∈ {0, 2, 8, 10}. Now, we carry out a ﬁve-round computation of the AES with extra 20 XOR operations, called ′ ′ ′ ′ ′ ′ ′ ′ ′ Routine Computation Three, by using Bytes G0, G2, G8, G10, M0, M2, M8, M10, R0, ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ R2, R8, R10, V0 , V2 , V8 , V10, Z0, Z2, Z8, and Z10, and we will get the same input to Round 6 as the AES algorithm. Routine Computation Three Initial round : ARK−→ ⊕ Round 1 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 2 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 3 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 4 : −→SB −→SR −→MC ARK−→ −→ ⊕ Round 5 : −→SB −→SR −→MC ARK−→ −→ .

Remark 2. The most important part of the δ algorithm is solving those eight groups of linear equations: (4.1), (4.2), (4.3), (4.4), (4.5), (4.6), (4.7) and (4.8). There is one question needs to be answered. The question is: are these eight groups of linear equations independent? The answer to this question is choosing diﬀerent values of Bytes ′ ′ ′ ′ ′ ′ G0, G2, G8, G10 if we encounter such situations. Among the twenty bytes: G0, G2, ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ G8, G10, M0, M2, M8, M10, R0, R2, R8, R10, V0 , V2 , V8 , V10, Z0, Z2, Z8, and Z10, we ′ ′ ′ ′ can select the values of G0, G2, G8 and G10 freely. As we showed in Remark 1, there are 232 − 1 combinations of these four bytes, and correspondingly, we can have 232 − 1 intermediate values in Figure 4.3, starting with SB in Round 2 and ending with ARK in Round 10. We carried out experiments with large random samples and have not met any dependent equations in these experiments.

Remark 3. From Remark 1, we note that there is more than one combination of the twenty output bytes of Algorithm δ for a given pair of (P,K).

Remark 4. For distinct plaintext and cipher key pairs (P,K), Algorithm δ needs to perform individual computations to decide the values of the twenty bytes.

4.2.5 Variants of Algorithm δ

We show that there are other variants of the δ algorithm. In section 4.2, the locations of the twenty bytes are {0, 2, 8, 10}, and there are three other combinations, which are 4.3. Summary 54

′ ′ 0 0 0 0 0 G4 0 G12 0 0 0 0 ′ ′ ′ ′ G1 0 G9 0 0 0 0 0 0 G5 0 G13 ′ ′ 0 0 0 0 0 G6 0 G14 0 0 0 0 ′ ′ ′ ′ G3 0 G11 0 0 0 0 0 0 G7 0 G15 ′ ′ 0 0 0 0 0 M4 0 M12 0 0 0 0 ′ ′ ′ ′ 0 M5 0 M13 0 0 0 0 M1 0 M9 0 ′ ′ 0 0 0 0 0 M6 0 M14 0 0 0 0 ′ ′ ′ ′ 0 M7 0 M15 0 0 0 0 M3 0 M11 0 ′ ′ 0 0 0 0 0 R4 0 R12 0 0 0 0 ′ ′ ′ ′ R1 0 R9 0 0 0 0 0 0 R5 0 R13 ′ ′ 0 0 0 0 0 R6 0 R14 0 0 0 0 ′ ′ ′ ′ R3 0 R11 0 0 0 0 0 0 R7 0 R15 ′ ′ 0 0 0 0 0 V4 0 V12 0 0 0 0 ′ ′ ′ ′ 0 V5 0 V13 0 0 0 0 V1 0 V9 0 ′ ′ 0 0 0 0 0 V6 0 V14 0 0 0 0 ′ ′ ′ ′ 0 V7 0 V15 0 0 0 0 V3 0 V11 0 ′ ′ 0 0 0 0 0 Z4 0 Z12 0 0 0 0 ′ ′ ′ ′ Z1 0 Z9 0 0 0 0 0 0 Z5 0 Z13 ′ ′ 0 0 0 0 0 Z6 0 Z14 0 0 0 0 ′ ′ ′ ′ Z3 0 Z11 0 0 0 0 0 0 Z7 0 Z15 Figure 4.4: Diﬀerent locations of the twenty bytes

{1, 3, 9, 11}, {4, 6, 12, 14} and {5, 7, 13, 15}. Figure 4.4 illustrates different locations of ′ ′ ′ ′ ′ the twenty bytes. In Figure 4.3, {Gi, Mi , Ri,Vi ,Zi} operate in Round {1, 2, 3, 4, 5}, and they can also operate in Round {2, 3, 4, 5, 6}, {3, 4, 5, 6, 7}, {4, 5, 6, 7, 8}, or Round {5, 6, 7, 8, 9}. Therefore, there are 4 different combinations for the byte locations, and there are 5 different combinations for the round numbers in AES-128. In total, there are 20 (= 4 × 5) variants of the δ algorithm for AES-128.

4.3 Summary

We defined an algorithm called δ which generates twenty output bytes by taking a plaintext and a key of the AES algorithm as two inputs. By using these twenty bytes, we proposed a five-round algebraic property of the Advanced Encryption Standard. It was shown in the presented property that the replacements of twenty bytes at some fixed locations in five consecutive rounds do not change the output of the computation. Chapter 5

On the Internal Structure of ALPHA-MAC

In this chapter, we use the five-round algebraic property presented in Chapter 4 to analyse the internal structure of ALPHA-MAC [38] whose underlying block cipher is AES. We provide a method to find second preimages of the ALPHA-MAC based on the assumption that an intermediate value is known. We show that our idea can also be used to find internal collisions of the ALPHA-MAC under the same assumption. Parts of this chapter were presented in [56] and [57].

5.1 Description of the ALPHA-MAC

ALPHA-MAC is a MAC function which uses the building blocks of the AES. Similarly to AES, ALPHA-MAC supports keys of 128, 192 and 256 bits. The word length is 32 bits, and the injection layout places the 4 bytes of each message word [m0, m1, m2, m3] into a 4 × 4 array. The format of the injection layout is shown as follows:

m0 0 m1 0  0 0 0 0  .  m 0 m 0   2 3     0 0 0 0      Like AES, the ALPHA-MAC round function contains SubBytes, ShiftRows, Mix- Columns and AddRoundKey transformations, and the output of each injection layout acts as the corresponding 128-bit round key. The message padding method appends a single 1 followed by the minimum number of 0 bits such that the length of the result is a multiple of 32. In the initialisation, the state is set to all zeros and the full AES encryption is applied to the state. For every message word, the chaining method carries out an iteration, and each iteration maps the bits of the message word to an injection input. After that, a sequence of AES round functions are applied to the state, with the round keys replaced by the injection input. In the final transformation, apply the full AES encryption to the state. The MAC tag is the first lm bits of the resulting final

55 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 56

state. The length of lm may have any value less than or equal to 128. The construction of the ALPHA-MAC is illustrated in Figure 5.1.

0 ? key - AES ? Round ? Injection Layout M1 ? Round ? Injection Layout M2 ? ? Round ? Injection Layout Msize ? - AES ? Truncation ? Tag Figure 5.1: ALPHA-MAC construction

5.2 Applying the Five-Round Algebraic Property to the ALPHA-MAC

To facilitate further discussions, three basic properties of MAC functions are listed below (the MAC function is represented as H(K, M), where K is the key and M is the message).

• Preimage resistance: given a MAC value V , it is computationally infeasible to ﬁnd any message M such that V = H(M,K).

• Second-preimage resistance: for any message M, it is computationally infeasible to ﬁnd another message M˜ such that H(K, M˜ )= H(K, M).

• Collision resistance: it is computationally infeasible to ﬁnd any two distinct messages M and M˜ which generate the same MAC value under the same key K, i.e., H(K, M˜ )= H(K, M).

In this chapter, we study the internal structure of the ALPHA-MAC by employing the proposed five-round algebraic property of the AES, which is described in Chapter 4. First, we present a method to find second preimages of the ALPHA-MAC by solving 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 57 eight groups of linear functions, based on the assumption that an intermediate value of this MAC is known. Each of these eight groups of linear functions contains two equations. The second-preimage search algorithm is divided into two steps: the Backwards- aNd-Forwards (BNF) search and the Backwards-aNd-Backwards (BNB) search. The BNF search provides an idea for extending 32-bit collisions to 128-bit collisions1 by solving four groups of linear functions. Given an intermediate value and one four-block message, the BNB search can generate another four-block message such that these two messages produce 32-bit collisions, which are a prerequisite for the BNF search. To carry out the BNB search, we need to solve another four groups of linear functions. By combining the BNB search with the BNF search, one can find second preimages of the ALPHA-MAC. Second, we show that the second-preimage finding method can also be used to generate internal collisions. The proposed collision search method can find two five-block messages such that they produce 128-bit collisions under a selected intermediate value. The second-preimage search algorithm and the collision search algorithm are motivated by a theorem presented in [38], and the details of the theorem are described below.

Theorem 5.2.1 [38] An extinguishing diﬀerential in ALPHA-MAC spans at least 5 message words.

Theorem 5.2.1 shows that the minimum length of the message blocks required by an extinguishing differential in the ALPHA-MAC is five. The results of the proposed second-preimage search algorithm and the collision search algorithm demonstrate that one can use exact five message blocks to generate an extinguishing differential of the ALPHA-MAC.

5.2.1 The Second-Preimage Search Algorithm

The second-preimage search algorithm aims to find a five-block second-preimage M˜ for a selected five-block message M, under a selected intermediate value. This search algorithm assumes that two values are known: a selected intermediate value and a selected five-block message M. The result of the search is that M and M˜ generate the same 128-bit value after five rounds of ALPHA-MAC iterations, under the selected intermediate value. The second-preimage search algorithm is based on the idea used in the δ algorithm described in Chapter 4.2. Figure 5.2 illustrates the second-preimage search, and it depicts five consecutive rounds of the ALPHA-MAC for two different five-block messages M and M˜ . We 1Here and in the rest of this chapter “collisions” stands for “internal collisions” 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 58 assume that we are able to select an intermediate value of the round functions in some round (e.g., in Round y − 3), and select five consecutive message blocks M(My−3, My−2,

My−1, My, My+1). Then we can ﬁnd another ﬁve-block message M˜ (M˜ y−3, M˜ y−2, M˜ y−1,

M˜y, M˜ y+1) such that these two ﬁve-block messages collide on 128 bits in Round y +1 after the ARK operation. Note that the intermediate value for message M in the beginning of Round y − 3 is:

a0 a4 a8 a12 a a a a  1 5 9 13  .  a2 a6 a10 a14     a a a a   3 7 11 15    In Figure 5.2, after the ARK operation in each round, those four bytes marked by ∗ are the bytes whose values are changed by the injection layout (for example, Bytes ∗ ∗ ∗ ∗ d0, d2, d8 and d10 in Round y − 3). The second-preimage search algorithm has the following form.

The second-preimage search algorithm Input: 1. A selected intermediate value

2. A selected ﬁve-block message M(My−3, My−2, My−1, My, My+1)

Output: Another ﬁve-block message M˜ (M˜ y−3, M˜ y−2, M˜ y−1, M˜ y, M˜ y+1) such that M and M˜ collide on 128 bits after ARK in Round y +1 Method: Solve eight groups of linear functions, named (5.1), (5.2), (5.3), (5.4), (5.5), (5.6), (5.7) and (5.8) in this section

The second-preimage search algorithm consists of two steps: the Backwards-aNd- Forwards search and the Backwards-aNd-Backwards search. The BNF search can extend 32-bit collisions to 128-bit collisions, given two messages M and M˜ which collide on 32 bits, namely Bytes s4, s12, s6 and s14, after MC in round y (see Figure 5.2). Given an intermediate value and one four-block message, the BNB search is able to

ﬁnd another four-block message such that these two messages collide on Bytes s4, s12, s6 and s14 after MC in Round y. The BNB search generates those 32-bit collisions which are required for the BNF search. By merging the BNB search with the BNF search, we can ﬁnd second preimages of the ALPHA-MAC.

5.2.1.1 The Backwards-aNd-Forwards Search

The Backwards-aNd-Forwards search algorithm assumes that we are able to ﬁnd two messages M and M˜ , which collide on Bytes s4, s12, s6 and s14 after MC in round y. Based on the algebraic property of the MixColumns transformation and the structure 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 59

Round y − 3: ∗ ∗ a0 a4 a8 a12 b0 b4 b8 b12 d0 d4 d8 d12 d0 d4 d8 d12 (My−3) a1 a5 a9 a13 b b b b d d d d d d d d SB◦SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 −→ −→ −→ ∗ ∗ a2 a6 a10 a14 b2 b6 b10 b14 d2 d6 d10 d14 d2 d6 d10 d14 a3 a7 a11 a15 b3 b7 b11 b15 d3 d7 d11 d15 d3 d7 d11 d15 ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜∗ ˜ ˜∗ ˜ a˜0 a˜4 a˜8 a˜12 b0 b4 b8 b12 d0 d4 d8 d12 d0 d4 d8 d12 (M˜ y−3) a a a a ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜1 ˜5 ˜9 ˜13 SB◦SR b1 b5 b9 b13 MC d1 d5 d9 d13 ARK d1 d5 d9 d13 −→ −→ −→ ˜∗ ˜∗ a˜2 a˜6 a˜10 a˜14 ˜b2 ˜b6 ˜b10 ˜b14 d˜2 d˜6 d˜10 d˜14 d2 d˜6 d10 d˜14 a˜3 a˜7 a˜11 a˜15 ˜b3 ˜b7 ˜b11 ˜b15 d˜3 d˜7 d˜11 d˜15 d˜3 d˜7 d˜11 d˜15 Round y − 2: ∗ ∗ ∗ ∗ d0 d4 d8 d12 f0 f4 f8 f12 g0 g4 g8 g12 g0 g4 g8 g12 (My−2) d d d d f f f f g1 g5 g9 g13 g1 g5 g9 g13 1 5 9 13 SB◦SR 1 5 9 13 MC ARK ∗ ∗ −→ −→ −→ ∗ ∗ d2 d6 d10 d14 f2 f6 f10 f14 g2 g6 g10 g14 g2 g6 g10 g14 d3 d7 d11 d15 f3 f7 f11 f15 g3 g7 g11 g15 g3 g7 g11 g15 ˜∗ ˜∗ ∗ ∗ d0 d˜4 d8 d˜12 f˜0 f˜4 f˜8 f˜12 g˜0 g˜4 g˜8 g˜12 g˜0 g˜4 g˜8 g˜12 (M˜ y−2) ˜ ˜ ˜ ˜ ˜ ˜ ˜ ˜ g g g g g g g g d1 d5 d9 d13 SB◦SR f1 f5 f9 f13 MC ˜1 ˜5 ˜9 ˜13 ARK ˜1 ˜5 ˜9 ˜13 ˜∗ ˜∗ −→ −→ −→ ∗ ∗ d2 d˜6 d10 d˜14 f˜2 f˜6 f˜10 f˜14 g˜2 g˜6 g˜10 g˜14 g˜2 g˜6 g˜10 g˜14 d˜3 d˜7 d˜11 d˜15 f˜3 f˜7 f˜11 f˜15 g˜3 g˜7 g˜11 g˜15 g˜3 g˜7 g˜11 g˜15 Round y − 1: ∗ ∗ ∗ ∗ g0 g4 g8 g12 h0 h4 h8 h12 i0 i4 i8 i12 i0 i4 i8 i12 (My−1) g1 g5 g9 g13 h h h h i i i i i i i i SB◦SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 ∗ ∗ −→ −→ −→ ∗ ∗ g2 g6 g10 g14 h2 h6 h10 h14 i2 i6 i10 i14 i2 i6 i10 i14 g3 g7 g11 g15 h3 h7 h11 h15 i3 i7 i11 i15 i3 i7 i11 i15 ∗ ∗ ˜∗ ˜∗ g˜0 g˜4 g˜8 g˜12 h˜0 h˜4 h˜8 h˜12 ˜i0 ˜i4 ˜i8 ˜i12 i0 ˜i4 i8 ˜i12 (M˜ y−1) g˜1 g˜5 g˜9 g˜13 ◦ h˜1 h˜5 h˜9 h˜13 ˜i1 ˜i5 ˜i9 ˜i13 ˜i1 ˜i5 ˜i9 ˜i13 SB−→SR MC−→ ARK−→ ∗ ∗ ˜∗ ˜∗ g˜2 g˜6 g˜10 g˜14 h˜2 h˜6 h˜10 h˜14 ˜i2 ˜i6 ˜i10 ˜i14 i2 ˜i6 i10 ˜i14 g˜3 g˜7 g˜11 g˜15 h˜3 h˜7 h˜11 h˜15 ˜i3 ˜i7 ˜i11 ˜i15 ˜i3 ˜i7 ˜i11 ˜i15 Round y: ∗ ∗ ∗ ∗ i0 i4 i8 i12 j0 j4 j8 j12 s0 s4 s8 s12 s0 s4 s8 s12 (My ) i i i i j j j j s s s s s s s s 1 5 9 13 SB◦SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 ∗ ∗ −→ −→ −→ ∗ ∗ i2 i6 i10 i14 j2 j6 j10 j14 s2 s6 s10 s14 s2 s6 s10 s14 i3 i7 i11 i15 j3 j7 j11 j15 s3 s7 s11 s15 s3 s7 s11 s15 ˜∗ ˜∗ ∗ ∗ i0 ˜i4 i8 ˜i12 ˜j0 ˜j4 ˜j8 ˜j12 s˜0 s˜4 s˜8 s˜12 s˜0 s˜4 s˜8 s˜12 (M˜ y ) ˜i1 ˜i5 ˜i9 ˜i13 ◦ ˜j1 ˜j5 ˜j9 ˜j13 s˜1 s˜5 s˜9 s˜13 s˜1 s˜5 s˜9 s˜13 SB−→SR MC−→ ARK−→ ˜∗ ˜∗ ∗ ∗ i2 ˜i6 i10 ˜i14 ˜j2 ˜j6 ˜j10 ˜j14 s˜2 s˜6 s˜10 s˜14 s˜2 s˜6 s˜10 s˜14 ˜i3 ˜i7 ˜i11 ˜i15 ˜j3 ˜j7 ˜j11 ˜j15 s˜3 s˜7 s˜11 s˜15 s˜3 s˜7 s˜11 s˜15 Round y + 1: ∗ ∗ ∗ ∗ s0 s4 s8 s12 n0 n4 n8 n12 w0 w4 w8 w12 w0 w4 w8 w12 (M ) s s s s n n n n w w w w y+1 w w w w 1 5 9 13 SB◦SR 1 5 9 13 MC 1 5 9 13 ARK 1 5 9 13 ∗ ∗ −→ −→ −→ ∗ ∗ s2 s6 s10 s14 n2 n6 n10 n14 w2 w6 w10 w14 w2 w6 w10 w14 s3 s7 s11 s15 n3 n7 n11 n15 w3 w7 w11 w15 w3 w7 w11 w15 ∗ ∗ ∗ ∗ s˜0 s˜4 s˜8 s˜12 n˜0 n˜4 n˜8 n˜12 w˜0 w˜4 w˜8 w˜12 w˜0 w˜4 w˜8 w˜12 (M˜ y+1) s s s s n n n n w w w w w w w w ˜1 ˜5 ˜9 ˜13 SB◦SR ˜1 ˜5 ˜9 ˜13 MC ˜1 ˜5 ˜9 ˜13 ARK ˜1 ˜5 ˜9 ˜13 ∗ ∗ −→ −→ −→ ∗ ∗ s˜2 s˜6 s˜10 s˜14 n˜2 n˜6 n˜10 n˜14 w˜2 w˜6 w˜10 w˜14 w˜2 w˜6 w˜10 w˜14 s˜3 s˜7 s˜11 s˜15 n˜3 n˜7 n˜11 n˜15 w˜3 w˜7 w˜11 w˜15 w˜3 w˜7 w˜11 w˜15

Figure 5.2: The ﬁve-block collisions 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 60 of the ALPHA-MAC, we can extend these 32-bit collisions to 128-bit collisions within three rounds by solving four groups of linear equations. The routine of the BNF search method is provided as follows.

The BNF search algorithm Input: 1. A selected intermediate value

2. Two four-block messages M(My−3, My−2, My−1, My) and M˜ (M˜ y−3,

M˜ y−2, M˜ y−1, M˜ y) colliding on 32 bits (Bytes s4, s12, s6 and s14) after MC in Round y Output: 128-bit collisions in Round y +1 Method: Solve four groups of linear functions, named (5.1), (5.2), (5.3) and (5.4)

5.2.1.2 Extending 32-bit Collisions to 64-bit Collisions

This approach uses the diﬀerential XOR property before and after the MixColumns transformation. In Round y before MC, by XORing those two intermediate values, we get the following result:

j˜0 ⊕ j0 j˜4 ⊕ j4 j˜8 ⊕ j8 ˜j12 ⊕ j12 ? 0 ? 0

 j˜ ⊕ j j˜ ⊕ j j˜ ⊕ j ˜j ⊕ j   0s ˜ ⊕ s 0s ˜ ⊕ s  1 1 5 5 9 9 13 13 MC 5 5 13 13   −→   .  ˜ ˜ ˜ ˜     j2 ⊕ j2 j6 ⊕ j6 j10 ⊕ j10 j14 ⊕ j14   ? 0 ? 0           j˜ ⊕ j j˜ ⊕ j ˜j ⊕ j ˜j ⊕ j   0s ˜ ⊕ s 0s ˜ ⊕ s   3 3 7 7 11 11 15 15   7 7 15 15      Here, we use R (to replace ˜j0 ⊕ j0), S (to replace ˜j8 ⊕ j8), T (to replace ˜j2 ⊕ j2) and U (to replace ˜j10 ⊕ j10) so that after the MC transformation in Round y, Bytes s˜1 ⊕ s1,s ˜3 ⊕ s3,s ˜9 ⊕ s9 ands ˜11 ⊕ s11 become zero. Now the question is “how to decide R, S, T and U”. From the information we have collected, the answer to this question is provided below.

• There exists one and only one pair of (R, T ) such that after MC, Bytess ˜1 ⊕ s1

ands ˜3 ⊕ s3 are both zero.

• There exists one and only one pair of (S, U) such that after MC, Bytess ˜9 ⊕ s9

ands ˜11 ⊕ s11 are both zero.

According to the MC transformation, we have the following formula:

R ˜j4 ⊕ j4 S ˜j12 ⊕ j12 ? 0 ? 0

 ˜j ⊕ j ˜j ⊕ j ˜j ⊕ j ˜j ⊕ j   0s ˜ ⊕ s 0s ˜ ⊕ s  1 1 5 5 9 9 13 13 MC 5 5 13 13   −→   .  ˜ ˜     T j6 ⊕ j6 U j14 ⊕ j14   ? 0 ? 0           ˜j ⊕ j ˜j ⊕ j ˜j ⊕ j ˜j ⊕ j   0s ˜ ⊕ s 0s ˜ ⊕ s   3 3 7 7 11 11 15 15   7 7 15 15      5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 61

To ﬁnd out the values of (R, T ) and (S, U), we need to solve the following two groups of equations.

  R      ˜    j1 ⊕ j1      01 02 03 01   = 0      T             ˜j ⊕ j    3 3   (5.1)  R      ˜    j1 ⊕ j1      03 01 01 02   = 0      T             ˜j ⊕ j    3 3     S      ˜    j9 ⊕ j9      01 02 03 01   = 0      U             ˜j ⊕ j    11 11   (5.2)  S      ˜    j9 ⊕ j9      03 01 01 02   = 0      U             ˜j ⊕ j    11 11   In the two equations in (5.1), there are two variables R and T , and therefore there exists one and only one pair of (R, T ) to make these two equations hold simultaneously. Similarly, we can decide the values of S and U by solving the two equations in (5.2).

Once the values of R, S, T and U are decided, message block M˜ y−1 can be constructed as follows.

ñew ñew ñew ñew ñew ñew 1. Set the values of j0 , j8 , j2 and j10 as follows: j0 = j0 ⊕R, j8 = j8 ⊕S, ñew ñew ñew ˜ ñew ˜ ñew j2 = j2 ⊕ T , and j10 = j10 ⊕ U. Use j0 to replace j0, j8 to replace j8, j2 ˜ ñew ˜ to replace j2, and j10 to replace j10.

2. Perform SR−1 (inverse ShiftRows) and SB−1 (inverse SubBytes). As SR−1 and SB−1 are permutation and substitution, they do not change the properties we have found. Now we have the outputs of ARK in Round y − 1.

˜ new 3. Compute the value of My−1 as follows: ˜ new ñew ˜ ñew ˜ ñew ˜ ñew ˜ My−1 = (j0 ⊕ i0)||(j8 ⊕ i8)||(j10 ⊕ i2)||(j2 ⊕ i10). ˜ new ˜ Use My−1 to replace My−1. ˜ ˜ ˜ new At this stage, two messages (My−3, My−2, My−1) and (My−3, My−2, My−1 ) collide on

64 bits (Bytes s4, s12, s6, s14, s1, s9, s3 and s11) in Round y after MC. 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 62

5.2.1.3 Extending 64-bit Collisions to 96-bit Collisions

We only need to focus on Round y and Round y + 1 to extend 64-bit collisions to

96-bit collisions. The idea is to choose message block M˜y to cancel out the diﬀerences between Bytes (s5, s13, s7, s15) and Bytes (˜s5,s ˜13,s ˜7,s ˜15) in Round y. The method of choosing M˜ y is exactly same as the method for constructing M˜ y−1 in Section 5.2.1.2. By taking the outputs of ARK in Round y, we perform the SB and SR operations, and then XOR the results after SB and SR:

n0 n4 n8 n12 n˜0 n4 n˜8 n12     n1 n5 n9 n13 n˜1 n5 n˜9 n13   ⊕   =      n2 n6 n10 n14   n˜2 n6 n˜10 n14           n n n n   n˜ n n˜ n   3 7 11 15   3 7 11 15     

n0 ⊕ n˜0 0 n8 ⊕ n˜8 0 ?0 ?0

 n ⊕ n˜ 0 n ⊕ n˜ 0   000 0  1 1 9 9 MC   −→   .      n2 ⊕ n˜2 0 n10 ⊕ n˜10 0   ?0 ?0           n ⊕ n˜ 0 n ⊕ n˜ 0   000 0   3 3 11 11        Here we use π to replace n0 ⊕ n˜0, ρ to replace n8 ⊕ n˜8, φ to replace n2 ⊕ n˜2 and ω to replace n10 ⊕ n˜10 so that after MixColumns in Round y + 1, Bytes w1 ⊕ w˜1, w9 ⊕ w˜9, w3 ⊕ w˜3 and w11 ⊕ w˜11 are zero:

π 0 ρ 0 ?0 ?0

 n ⊕ n˜ 0 n ⊕ n˜ 0   000 0  1 1 9 9 MC   −→   .      φ 0 ω 0   ?0 ?0           n ⊕ n˜ 0 n ⊕ n˜ 0   000 0   3 3 11 11        Now the question is “how to decide π, ρ, φ and ω”. The solution is provided below.

• There exists one and only one pair of (π, φ) such that after MC, Bytes w1 ⊕ w˜1

and w3 ⊕ w˜3 are both zero. The values of (π, φ) can be decided by solving (5.3).

• There exists one and only one pair of (ρ, ω) such that after MC, Bytes w9 ⊕ w˜9

and w11 ⊕ w˜11 are both zero. By solving (5.4), we get the values of (ρ, ω). 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 63

  π         n1 ⊕ n˜1      01 02 03 01   = 0      φ             n ⊕ n˜    3 3   (5.3)  π         n1 ⊕ n˜1      03 01 01 02   = 0      φ             n ⊕ n˜    3 3  

  ρ         n9 ⊕ n˜9      01 02 03 01   = 0      ω             n ⊕ n˜    11 11   (5.4)  ρ         n9 ⊕ n˜9      03 01 01 02   = 0      ω             n ⊕ n˜    11 11   After the values of π, φ, ρ and ω are determined, message block M˜y can be chosen as follows.

new new new new new new 1. Set the values ofn ˜0 ,n ˜8 ,n ˜2 andn ˜10 as follows:n ˜0 = n0 ⊕ π,n ˜8 = new new new new n8 ⊕ρ,n ˜2 = n2 ⊕φ, andn ˜10 = n10 ⊕ω. Usen ˜0 to replacen ˜0,n ˜8 to replace new new n˜8,n ˜2 to replacen ˜2, andn ˜10 to replacen ˜10.

2. Perform SR−1 and SB−1. Since SR−1 and SB−1 are permutation and substitution, they do not aﬀect the properties we have found. Now we have the outputs of ARK in Round y.

3. Compute the value of M˜ y as follows:

˜ new new My = (ñ0 ⊕ s˜0)||(ñ8 ⊕ s˜8) new new ||(ñ10 ⊕ s˜2)||(ñ2 ⊕ s˜10).

˜ ˜ ˜ new ˜ So far, two messages (My−3, My−2, My−1, My) and (My−3, My−2, My−1 , My) collide on 96 bits (i.e., Bytes w1, w3, w4, w5, w6, w7, w9, w11, w12, w13, w14 and w15) in Round y + 1 after MC transformation. 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 64

5.2.1.4 Extending 96-bit Collisions to 128-bit Collisions

This step is straightforward as we can select message My+1 arbitrarily, and construct message M˜ y+1 to cancel the diﬀerences between Bytes w0, w8, w2 and w10. The construction is provided as follows:

M˜ y+1 = ((w0 ⊕ w˜0)||(w8 ⊕ w˜8)||(w2 ⊕ w˜2)||(w10 ⊕ w˜10)) ⊕ My+1.

5.2.1.5 The Backwards-aNd-Backwards Search

We propose a method to ﬁnd 32-bit collisions on Bytes s4, s12, s6 and s14 (see Figure 5.2) by solving four groups of linear functions. This search method assumes that for a selected intermediate value and a selected four-block message (My−3, My−2, My−1,

My), one can generate another four-block message (M˜ y−3, M˜ y−2, M˜y−1, M˜ y) such that these two messages collide on Bytes s4, s12, s6 and s14 after MC in Round y. The method used by the BNB search is similar to the idea employed by the BNF search, but works only in one direction (i.e., only backwards). The Backwards-aNd-Backwards search algorithm has the following format.

The BNB search algorithm Input: 1. A selected intermediate value

2. One selected four-block message M(My−3, My−2, My−1, My)

Output: Another four-block message M˜ (M˜ y−3, M˜ y−2, M˜ y−1, M˜ y) such that M and

M˜ collide on 32 bits (Bytes s4, s12, s6 and s14) after MC in Round y Method: Solve four groups of linear functions, named (5.5), (5.6), (5.7) and (5.8)

5.2.1.6 Deciding Four Values (˜j5, ˜j7, ˜j13 and ˜j15)

In the beginning, (M˜ y−3, M˜ y−2, M˜ y−1, M˜ y) are chosen randomly. Assume that the input and the output of MC in Round y are listed as follows:

˜j0 ˜j4 ˜j8 ˜j12 s˜0 s˜4 s˜8 s˜12

 ˜j ˜jold ˜j ˜jold   s˜ s˜ s˜ s˜  1 5 9 13 MC 1 5 9 13   −→   .  ˜ ˜ ˜ ˜     j2 j6 j10 j14   s˜2 s˜6 s˜10 s˜14           ˜j ˜jold ˜j ˜jold   s˜ s˜ s˜ s˜   3 7 11 15   3 7 11 15      õld õld õld õld ˜ Now we do not use the values of j5 , j7 , j13 or j15 . Instead, we use j5 (to replace õld ˜ õld ˜ õld ˜ õld j5 ), j7 (to replace j7 ), j13 (to replace j13 ), and j15 (to replace j15 ) such that we get values s4, s12, s6, and s14 on Bytess ˜4,s ˜12,s ˜6, ands ˜14, respectively (illustrated as 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 65 follows):

˜j0 ˜j4 ˜j8 ˜j12 s˜0 s4 s˜8 s12

 ˜j ˜j ˜j ˜j   s˜ s˜ s˜ s˜  1 5 9 13 MC 1 5 9 13   −→   .  ˜ ˜ ˜ ˜     j2 j6 j10 j14   s˜2 s6 s˜10 s14           ˜j ˜j ˜j ˜j   s˜ s˜ s˜ s˜   3 7 11 15   3 7 11 15      Now the question is “how can we make this happen”. Our answer is to solve two groups of linear functions. For the values of s4 and s6, there are two linear equations in (5.5) with only two unknown variables (˜j5 and ˜j7). Therefore, we can solve (5.5) to obtain the values of ˜j5 and ˜j7.

˜   j4        ˜j5      02 03 01 01   = s4      ˜j    6          ˜    j7   (5.5)  ˜  j4      ˜    j5      01 01 02 03   = s6      ˜j6             ˜j    7   ˜   j12        ˜j13      02 03 01 01   = s12      ˜j    14          ˜    j15   (5.6)  ˜  j12      ˜    j13      01 01 02 03   = s14      ˜j14             ˜j    15   Similarly, for the values of s12 and s14, there are two linear functions in (5.6) with two unknown variables (˜j13 and ˜j15). We can solve (5.6) to decide the values of ˜j13 and −1 ˜j15. After getting four values (˜j5, ˜j7, ˜j13, and ˜j15) decided, we perform the SR and −1 −1 −1 SB transformations. As SR is permutation and SB is substitution, ˜j5, ˜j7, ˜j13, and ˜j15 are ﬁrst relocated then substituted by another four values ˜i9, ˜i3, ˜i1, and ˜i11, respectively. As the message injection layout does not change the values of ˜i9, ˜i3, ˜i1, and ˜i11, these four values are not changed after we do ARK. So, we get four known values (˜i9, ˜i3, ˜i1, and ˜i11) after MC in Round y − 1. Our next target is to modify message block M˜ y−2 so that we get those four values ˜i9, ˜i3, ˜i1, and ˜i11 after MC in Round y − 1. 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 66

5.2.1.7 Modifying Message Block M˜ y−2

Suppose by using the original message block M˜ y−2, we have the following states in Round y − 1:

∗old ∗old õld ˜ õld ˜ ˜ ˜ g˜0 g˜4 g˜8 g˜12 h0 h4 h8 h12 ? i4 ? i12  g˜ g˜ g˜ g˜   h˜ h˜ h˜ h˜   ? ˜i ? ˜i  1 5 9 13 SB◦SR 1 5 9 13 MC 5 13   −→   −→   .  ∗old ∗old   õld ˜ õld ˜   ˜ ˜   g˜2 g˜6 g˜10 g˜14   h2 h6 h10 h14   ? i6 ? i14               g˜ g˜ g˜ g˜   h˜ h˜ h˜ h˜   ? ˜i ? ˜i   3 7 11 15   3 7 11 15   7 15        õld õld õld õld ˜ ˜ ˜ ˜ Now we replace values (h0 , h2 , h8 , h10 ) with (h0, h2, h8, h10) and then we get those four values (˜i9, ˜i3, ˜i1, and ˜i11) located as follows:

∗ ∗ ˜ ˜ ˜ ˜ ˜ ˜ g˜0 g˜4 g˜8 g˜12 h0 h4 h8 h12 ? i4 ? i12  g˜ g˜ g˜ g˜   h˜ h˜ h˜ h˜   ˜i ˜i ˜i ˜i  1 5 9 13 SB◦SR 1 5 9 13 MC 1 5 9 13   −→   −→   .  ∗ ∗   ˜ ˜ ˜ ˜   ˜ ˜   g˜2 g˜6 g˜10 g˜14   h2 h6 h10 h14   ? i6 ? i14               g˜ g˜ g˜ g˜   h˜ h˜ h˜ h˜   ˜i ˜i ˜i ˜i   3 7 11 15   3 7 11 15   3 7 11 15        Based on the property of MC transformation, we can form the following two groups of linear functions.

˜   h0     ˜    h1        = ˜i  01 02 03 01   1   h˜    2          ˜    h3      (5.7)  ˜  h0      ˜    h1        = ˜i  03 01 01 02   3   h˜2             h˜    3      ˜   h8     ˜    h9        = ˜i  01 02 03 01   9   h˜    10          ˜    h11      (5.8)  ˜  h8      h˜    9      03 01 01 02   = ˜i11   ˜    h10             h˜    11      5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 67

˜ ˜ ˜ ˜ The values of h1, h3, h9 and h11 are known from the original message block M˜ y−2.

We can get the values of (h˜0, h˜2) by solving (5.7), and get the values of (h˜8, h˜10) by ˜ ˜ ˜ ˜ −1 −1 solving (5.8). After ﬁnding the values of (h0, h2, h8, h10), we perform SR and SB , ∗ ∗ ∗ ∗ ∗ ∗ and obtain the corresponding four values (˜g0,g ˜2,g ˜8,g ˜10). Once the values of (˜g0,g ˜2, ∗ ∗ ˜ ˜ new ˜ new g˜8,g ˜10) have been decided, we replace My−2 with My−2 . My−2 is constructed as follows

(˜g0, g˜8, g˜2 andg ˜10 are known from the message block M˜ y−3 in Round y − 3):

˜ new ∗ ∗ ∗ ∗ My−2 = (˜g0 ⊕ g˜0)||(˜g8 ⊕ g˜8)||(˜g2 ⊕ g˜2)||(˜g10 ⊕ g˜10).

5.2.1.8 Combining the BNB Search with the BNF Search

The second-preimage search algorithm combines the BNB search with the BNF search. To search for a second preimage of the ALPHA-MAC, we perform the following steps.

1. Select an intermediate value.

2. Select a ﬁve-block message M(My−3, My−2, My−1, My, My+1).

3. Generate the message M˜ (M˜ y−3, M˜ y−2, M˜ y−1, M˜ y, M˜ y+1) randomly. We need to

guarantee that M˜ y−3 is not equal to My−3.

4. Perform the BNB search to generate 32-bit collisions. The BNB search is done

by modifying message block M˜ y−2.

5. Use the BNF search to extend those 32-bit collisions to 128-bit collisions. The

BNF search is carried out by modifying the values of M˜ y−1, M˜ y, and M˜ y+1. Mes-

sage M˜ (M˜ y−3, M˜ y−2, M˜ y−1, M˜ y, M˜y+1) is a second preimage of message M(My−3,

My−2, My−1, My, My+1) under the selected intermediate value.

The steps of finding second preimages are shown in Table 5.1, and Figure 5.3 illustrates the effect of this search algorithm. The name of the backwards-and-backwards search comes from the fact that searching for M˜ y−2 is carried out by starting in Round y, then moving backwards to Round y − 1 and again moving backwards to Round y − 2 (see Table 5.1). Similarly, the backwards-and-forwards search gets its name from the fact that searching for M˜ y−1, M˜ y and M˜ y+1 is performed by starting in Round y, moving backwards to Round y − 1, then moving forwards to Round y and again moving forwards to Round y + 1 (see Table 5.1). A personal computer takes about 1 second to find a second preimage of the ALPHA-MAC, given a selected intermediate value and a selected five-block message. For example, for a selected intermediate value X and a selected five-block message M, the second-preimage search algorithm outputs a five-block message M˜ (see Table 5.2). The 128-bit colliding value is also provided in Table 5.2 (these two messages are listed after the injection layout). 5.2. Applying the Five-Round Algebraic Property to the ALPHA-MAC 68

Search St Round y − 2 Di Round y − 1 Di Round y

BNB 1 ⇐ s˜4 → s4,s ˜12 → s12, s˜6 → s6,s ˜14 → s14 õld ˜ õld ˜ 2 ⇐ h0 → h0, h2 → h2, õld ˜ õld ˜ h8 → h8, h10 → h10 ˜ ˜ new 3 My−2 → My−2 Round y − 1 Di Round y Di Round y + 1

BNF 4 modify M˜ y−1 ⇐ collisions on s4, s12, s6 and s14

5 ⇒ collisions on s4, s12, s6, s14, s1, s9, s3 and s11

6 modify M˜ y ⇒ 96-bit collisions

7 modify M˜ y+1 to get 128-bit collisions Di - Direction, St - Step, ⇐ - Backwards, ⇒ - Forwards

Table 5.1: Second-preimage search = BNB search + BNF search

? Intermediate value ? Round ? Injection Layout My−3 (M˜ y−3) ? Round ? Injection Layout My−2 (M˜ y−2) ? Round ? Injection Layout My−1 (M˜ y−1) ? Round ? Injection Layout My (M˜ y) ? Round ? Injection Layout My+1 (M˜ y+1) ? Collisions ? Figure 5.3: The second-preimage search 5.3. Related Work 69

The selected intermediate value X 83 55 2d 81 88 2c 05 67 c1 63 be c2 2a a2 52 a4 M (the selected message) My−3 My−2 My−1 My My+1 c4 0 8c 0 e6 0 2a 0 77 0 fd 0 ef 0 a1 0 81 0 9f 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 94 0 f3 0 95 0 04 0 4c 0 37 0 68 0 09 0 25 0 2c 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 M˜ (the found second preimage) M˜ y−3 M˜ y−2 M˜ y−1 M˜ y M˜ y+1 1d 0 43 0 22 0 04 0 e4 0 83 0 2f 0 e5 0 69 0 06 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1c 0 0d 0 2f 0 30 0 2f 0 9b 0 d4 0 30 0 f4 0 3a 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 The 128-bit collisions 7d 69 88 d7 02 cb 1f af b9 d8 7b 5e 0e 10 79 21 Table 5.2: The results of the search algorithm

5.2.2 The Collision Search Algorithm

In the second-preimage search, the first five-block message is chosen arbitrarily, and once it has been decided, it will not be changed. All we need to do is modify the second five-block message so that 128-bit collisions happen. Therefore, the second-preimage search method can also be used to find two colliding five-block messages under a selected intermediate value. The details of the search algorithm are listed below.

The Collision Search Algorithm Input: A selected intermediate value Output: Two ﬁve-block messages M and M˜ such that they collide under the selected intermediate value Method: Employ the second-preimage search algorithm

5.3 Related Work

The rebound attack proposed by Mendel, Rechberger, Schläffer and Thomsen [81] is a technique for the cryptanalysis of hash functions. The rebound approach uses the available degrees of freedom in the internal state to efficiently fulfill the low probability parts in the middle of a differential characteristic. The rebound attack consists of two phases: the inbound phase and the outbound phase. The inbound phase employs the meet-in-the-middle approach, which exploits the available degrees of freedom in the 5.4. Summary 70 middle of a differential path. The outbound phase uses truncated differentials with high probabilities in both forward and backward directions to obtain desired collisions or near-collisions. The rebound attack can be applied to both permutation based and block cipher based constructions, especially AES-based hash functions. In [81], the rebound attack was applied to the cryptanalysis of the reduced versions of Whirlpool [7] and Grøstl [47]. The Super-Sbox cryptanalysis presented by Gilbert and Peyrin [51] considers two consecutive rounds of an AES-like permutation as a layer of big Sboxes preceded and followed by simple affine transformations. Instead of using the original 8-bit AES Sboxes, the proposed technique considers 32-bit Sboxes, each of which comprises two AES Sbox layers surrounding one MixColumns and one AddConstant transformation. The big Sboxes used in this alternative representation are called Super-Sboxes. The main idea of the Super-Sbox cryptanalysis is the same as the one in the rebound attacks since the cryptanalyst aims to find a pair of internal state values in the middle of a carefully chosen truncated differential path such that the path is verified for as many possible rounds as possible backward and forward. It was shown in [51] that the Super- Sbox technique can be applied to the AES block cipher and two SHA-3 candidates: Grøstl [47] and ECHO [8].

5.4 Summary

In this chapter, we employed the ﬁve-round algebraic property of the AES, described in Chapter 4, to analyse the internal structure of the ALPHA-MAC, an AES-based MAC function. We presented a second-preimage search algorithm which is used to ﬁnd second preimages of the ALPHA-MAC, given a selected intermediate value. The second-preimage search algorithm also can be used to generate internal collisions for the ALPHA-MAC under the same condition. Chapter 6

Repeated Diﬀerential Properties of the AES-128 and AES-256 Key Schedules

The key schedule algorithm is an important part of a block cipher. In this chapter, we study the key schedule in the AES algorithm and present some repeated differential properties of the AES-128 and AES-256 key schedules. The results of this chapter appeared in [59]. We define the concept of repeated differential pattern for the AES-128 key schedule, and the notion of double-sized repeated differential pattern for the AES-256 key schedule. We show that if the key schedule is used to expand two 128-bit (or 256-bit) secret keys with the repeated differential pattern (or double-sized repeated differential pattern), the resultant 10-round (or 14-round) subkeys have a large number of bytes in common and the differential pattern has strong repeated features. The contributions of this part are motivated by the work of [22] as searching for useful related-key patterns of the key schedule is an important step in the related-key cryptanalysis of the AES cipher.

Notations in this chapter. An AES intermediate state, as well as an AES round key, is represented as a four-by-four array of bytes. A byte of an intermediate state is written as ai,j, where i is the row index and j is the column index, 0 ≤ i, j ≤ 3. ′ The diﬀerence of two intermediate bytes, ai,j and ai,j, is denoted by ∆ai,j. A secret key is represented by K (in uppercase), a byte of the secret key K is written as ki,j n (in lowercase), and a subkey byte of K in Round n is denoted by ki,j (in lowercase), where i is the row index and j is the column index. The diﬀerence of two key bytes in n ′n n Round n, ki,j and ki,j, is represented as ∆ki,j.

71 6.1. Repeated Diﬀerential Properties of the AES-128 Key Schedule 72 6.1 Repeated Diﬀerential Properties of the AES- 128 Key Schedule

In this section we show some repeated differential properties of the AES-128 key schedule. If two different keys start with a special difference pattern, the propagation of the difference generates at least seven identical round key bytes in each round.

Definition 6.1.1 A difference of two 128-bit keys is called an R differential pattern if the difference has the format x 0 x 0  y y 0 0  ,  z 0 0 0       v v v v    where x is an integer between 1 and 255, and y, z and v are integers between 0 and 255.

Definition 6.1.2 A difference of two expanded 10-round subkeys is called a 10-round R differential pattern (whose format is shown in Figure 6.1) if the difference of the two 128-bit secret keys has the R differential pattern, where x is an integer between 1 and 255, and y, z, v, u, λ, φ, β, γ, α, t, d, w and q are integers between 0 and 255.

In Figure 6.1, the leftmost part contains all bytes of K and its subkeys, the middle part lists all bytes of K′ and its subkeys, and the rightmost part depicts the byte diﬀerences of K and K′ and their subkeys.

Theorem 6.1.1 For every 128-bit secret key K, there exist 255 × 2563 different keys, K′, such that the difference of K and K′ has the R differential pattern, and the difference of the expanded 10-round subkeys has the 10-round R differential pattern with probability 1.

Proof: Suppose two 128-bit secret keys, K and K′, have the R differential pattern. We start with the difference of these two secret keys in Round 0, and analyse the propagation of the difference from Round 1 to Round 10 (see Figure 6.1 for the details of the differential pattern).

• Round 0.

k0,0 k0,1 k0,2 k0,3 k0,0 ⊕ x k0,1 k0,2 ⊕ x k0,3

 k1,0 k1,1 k1,2 k1,3   k1,0 ⊕ y k1,1 ⊕ y k1,2 k1,3  K = , K′ = ,  k k k k   k ⊕ z k k k   2,0 2,1 2,2 2,3   2,0 2,1 2,2 2,3       k3,0 k3,1 k3,2 k3,3   k3,0 ⊕ v k3,1 ⊕ v k3,2 ⊕ v k3,3 ⊕ v          6.1. Repeated Diﬀerential Properties of the AES-128 Key Schedule 73

x 0 x 0  y y 0 0  K ⊕ K′ = .  z 0 0 0       v v v v      • Round 1. Let u = SB(k3,3) ⊕ z ⊕ SB(k3,3 ⊕ v), each byte diﬀerence is calculated as follows:

1 ′1 1 ′1 1 ′1 1 ′1 k0,0 ⊕ k0,0 = x, k1,0 ⊕ k1,0 = y, k2,0 ⊕ k2,0 = u, k3,0 ⊕ k3,0 = v, 1 ′1 1 ′1 1 ′1 1 ′1 k0,1 ⊕ k0,1 = x, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = u, k3,1 ⊕ k3,1 =0, 1 ′1 1 ′1 1 ′1 1 ′1 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = u, k3,2 ⊕ k3,2 = v, 1 ′1 1 ′1 1 ′1 1 ′1 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = u, k3,3 ⊕ k3,3 =0.

• Round 2. Let

2 Ω0 = SB(k1,3 ⊕ k1,2 ⊕ k1,1 ⊕ k1,0 ⊕ SB(k2,3)) ⊕ Rcon[2], 2 Ω1 = SB(k2,3 ⊕ k2,2 ⊕ k2,1 ⊕ k2,0 ⊕ SB(k3,3)), 2 Ω2 = SB(k3,3 ⊕ k3,2 ⊕ k3,1 ⊕ k3,0 ⊕ SB(k0,3)), and 2 Ω3 = SB(k0,3 ⊕ k0,2 ⊕ k0,1 ⊕ k0,0 ⊕ SB(k1,3) ⊕ Rcon[1]).

i ′2 Ωj is a variable used in Row j of Round i of K. Let Ω1 = SB(k2,3 ⊕ k2,2 ⊕ k2,1 ⊕ ′i ′ k2,0 ⊕ z ⊕ SB(k3,3 ⊕ v)). Ωj is a variable used in Row j of Round i of K . We i ′i 2 ′2 use Ωj and Ωj to avoid long expressions in our proof. Let λ = Ω1 ⊕ y ⊕ Ω1 , the key byte diﬀerences are listed below:

2 ′2 2 ′2 2 ′2 2 ′2 k0,0 ⊕ k0,0 = x, k1,0 ⊕ k1,0 = λ, k2,0 ⊕ k2,0 = u, k3,0 ⊕ k3,0 = v. 2 ′2 2 ′2 2 ′2 2 ′2 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = λ, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 = v, 2 ′2 2 ′2 2 ′2 2 ′2 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 = λ, k2,2 ⊕ k2,2 = u, k3,2 ⊕ k3,2 =0, 2 ′2 2 ′2 2 ′2 2 ′2 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 = λ, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

• Round 3. Let

3 2 Ω0 = SB(k1,3 ⊕ k1,1 ⊕ Ω1) ⊕ Rcon[3], 3 2 Ω1 = SB(k2,3 ⊕ k2,1 ⊕ Ω2), 3 2 Ω2 = SB(k3,3 ⊕ k3,1 ⊕ Ω3), and 3 2 Ω3 = SB(k0,3 ⊕ k0,1 ⊕ Ω0). 6.1. Repeated Diﬀerential Properties of the AES-128 Key Schedule 74

′3 ′2 3 ′3 Let Ω0 = SB(k1,3 ⊕ k1,1 ⊕ y ⊕ Ω1 ) ⊕ Rcon[3], and φ = Ω0 ⊕ x ⊕ Ω0 . The byte diﬀerences are represented as:

3 ′3 3 ′3 3 ′3 3 ′3 k0,0 ⊕ k0,0 = φ, k1,0 ⊕ k1,0 = λ, k2,0 ⊕ k2,0 = u, k3,0 ⊕ k3,0 = v, 3 ′3 3 ′3 3 ′3 3 ′3 k0,1 ⊕ k0,1 = φ, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = u, k3,1 ⊕ k3,1 =0, 3 ′3 3 ′3 3 ′3 3 ′3 k0,2 ⊕ k0,2 = φ, k1,2 ⊕ k1,2 = λ, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =0, 3 ′3 3 ′3 3 ′3 3 ′3 k0,3 ⊕ k0,3 = φ, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

• Round 4. Let

4 3 Ω0 = SB(k1,3 ⊕ k1,2 ⊕ Ω1) ⊕ Rcon[4], 4 3 Ω1 = SB(k2,3 ⊕ k2,2 ⊕ Ω2), 4 3 Ω2 = SB(k3,3 ⊕ k3,2 ⊕ Ω3), and 4 3 Ω3 = SB(k0,3 ⊕ k0,2 ⊕ Ω0).

′4 ′3 4 ′4 Let Ω3 = SB(k0,3 ⊕ k0,2 ⊕ x ⊕ Ω0 ), and β = Ω3 ⊕ v ⊕ Ω3 , the key byte diﬀerences are computed as follows:

4 ′4 4 ′4 4 ′4 4 ′4 k0,0 ⊕ k0,0 = φ, k1,0 ⊕ k1,0 = λ, k2,0 ⊕ k2,0 = u, k3,0 ⊕ k3,0 = β, 4 ′4 4 ′4 4 ′4 4 ′4 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = λ, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 = β, 4 ′4 4 ′4 4 ′4 4 ′4 k0,2 ⊕ k0,2 = φ, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 = β, 4 ′4 4 ′4 4 ′4 4 ′4 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 = β.

• From Round 5 to Round 10. Since the pattern repeats itself after four rounds, we do not provide the full computation from Round 5 to Round 10 here, and the details can be found in Appendix A.

• The number of diﬀerent keys. Since there is no constraint on choosing the values of x, y, z, and v, we can choose 255 possible values for x, 256 possible values for y, 256 possible values for z, and 256 possible values for v. Therefore, for any secret key K, there exist 255 × 2563 possible values for K′. ⋄

We would like to emphasise that the 10-round R diﬀerential pattern has the following interesting features (see Figure 6.1).

1. The same differential pattern repeats every 4 rounds. The differential pattern includes the byte positions and the values of the differences. For instance, we consider the differential pattern of Round 1 is same as the differential pattern of Round 5. 6.2. Repeated Differential Properties of the AES-256 Key Schedule 75

2. There are (at least) 7 zero differences in each round. For example, in Round 2, there are 3 zero differences in the first row, 2 zero differences in the third row, and 2 zero differences in the fourth row.

3. There are 4 character variables in each round, and these 4 variables appear in 9 diﬀerent locations. For example, in Round 1, x appears twice in the ﬁrst row, y appears once in the second row, u appears four times in the third row and v appears twice in the fourth row.

4. The differences, denoted by character variables, are identical in each row. For example, in the second row of Round 2, the differences denoted by character variables are all equal to λ, and in the third row of Round 2, the differences denoted by character variables are equal to u.

5. The key schedule introduces a new diﬀerence value in each round. For instance, there are four character variables in Round 3 (φ, λ, u and v), and a new diﬀerence value, β, is introduced to Round 4.

6.2 Repeated Diﬀerential Properties of the AES- 256 Key Schedule

Definition 6.2.1 A difference of two 256-bit keys is called a double-sized R differential pattern if the difference has the format

X 0 X 0 0000  Y Y 0 00000  ,  Z 0 0 00000       VVVV 0 00 0    where X is an integer between 1 and 255, and Y , Z andV are integers between 0 and 255.

Definition 6.2.2 A difference of two expanded 14-round subkeys is called a 14-round R differential pattern (whose format is shown in Figure 6.2) if the difference of the two 256-bit secret keys has the double-sized R differential pattern, where X is an integer between 1 and 255, and Y , Z, V , U, Λ, Φ, Γ, Θ, Ψ, Υ, T , D, S, Q and J are integers between 0 and 255.

In Figure 6.2, the leftmost part shows all bytes of K and its expanded subkeys, the middle part holds all bytes of K′ and its expanded subkeys, and the rightmost part contains the byte diﬀerences of K and K′ and their subkeys. 6.2. Repeated Diﬀerential Properties of the AES-256 Key Schedule 76

′ ′ K K K ⊕ K

k0,0 k0,1 k0,2 k0,3 k0,0 ⊕ x k0,1 k0,2 ⊕ x k0,3 x 0 x 0

k1,0 k1,1 k1,2 k1,3 k1,0 ⊕ y k1,1 ⊕ y k1,2 k1,3 y y 0 0 0 k2,0 k2,1 k2,2 k2,3 k2,0 ⊕ z k2,1 k2,2 k2,3 z 0 0 0

k3,0 k3,1 k3,2 k3,3 k3,0 ⊕ v k3,1 ⊕ v k3,2 ⊕ v k3,3 ⊕ v v v v v

1 1 1 1 ′1 ′1 ′1 ′1 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 x x 0 0 1 1 1 1 ′1 ′1 ′1 ′1 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 y 0 0 0 1 1 1 1 1 ′1 ′1 ′1 ′1 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 u u u u 1 1 1 1 ′1 ′1 ′1 ′1 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 v 0 v 0

2 2 2 2 ′2 ′2 ′2 ′2 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 x 0 0 0 2 2 2 2 ′2 ′2 ′2 ′2 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 λ λ λ λ 2 2 2 2 2 ′2 ′2 ′2 ′2 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 u 0 u 0 2 2 2 2 ′2 ′2 ′2 ′2 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 v v 0 0

3 3 3 3 ′3 ′3 ′3 ′3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 φ φ φ φ 3 3 3 3 ′3 ′3 ′3 ′3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 λ 0 λ 0 3 3 3 3 3 ′3 ′3 ′3 ′3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 u u 0 0 3 3 3 3 ′3 ′3 ′3 ′3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 v 0 0 0

4 4 4 4 ′4 ′4 ′4 ′4 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 φ 0 φ 0 4 4 4 4 ′4 ′4 ′4 ′4 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 λ λ 0 0 4 4 4 4 4 ′4 ′4 ′4 ′4 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 u 0 0 0 4 4 4 4 ′4 ′4 ′4 ′4 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 β β β β

5 5 5 5 ′5 ′5 ′5 ′5 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 φ φ 0 0 5 5 5 5 ′5 ′5 ′5 ′5 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 λ 0 0 0 5 5 5 5 5 ′5 ′5 ′5 ′5 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 γ γ γ γ 5 5 5 5 ′5 ′5 ′5 ′5 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 β 0 β 0

6 6 6 6 ′6 ′6 ′6 ′6 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 φ 0 0 0 6 6 6 6 ′6 ′6 ′6 ′6 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 α α α α 6 6 6 6 6 ′6 ′6 ′6 ′6 γ γ k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 0 0 6 6 6 6 ′6 ′6 ′6 ′6 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 β β 0 0

7 7 7 7 ′7 ′7 ′7 ′7 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 t t t t 7 7 7 7 ′7 ′7 ′7 ′7 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 α 0 α 0 7 7 7 7 7 ′7 ′7 ′7 ′7 γ γ k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 0 0 7 7 7 7 ′7 ′7 ′7 ′7 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 β 0 0 0

8 8 8 8 ′8 ′8 ′8 ′8 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 t 0 t 0 8 8 8 8 ′8 ′8 ′8 ′8 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 α α 0 0 8 8 8 8 8 ′8 ′8 ′8 ′8 γ k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 0 0 0 8 8 8 8 ′8 ′8 ′8 ′8 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 d d d d

9 9 9 9 ′9 ′9 ′9 ′9 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 t t 0 0 9 9 9 9 ′9 ′9 ′9 ′9 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 α 0 0 0 9 9 9 9 9 ′9 ′9 ′9 ′9 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 w w w w 9 9 9 9 ′9 ′9 ′9 ′9 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 d 0 d 0

10 10 10 10 ′10 ′10 ′10 ′10 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 t 0 0 0 10 10 10 10 ′10 ′10 ′10 ′10 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 q q q q 10 10 10 10 10 ′10 ′10 ′10 ′10 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 w 0 w 0 10 10 10 10 ′10 ′10 ′10 ′10 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 d d 0 0 Figure 6.1: The 10-round R diﬀerential pattern 6.2. Repeated Diﬀerential Properties of the AES-256 Key Schedule 77

′ ′ K K K ⊕ K

1 1 1 1 ′ ′ ′ ′ ′1 ′1 ′1 ′1 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 X 0 X 0 0 0 0 0 1 1 1 1 ′ ′ ′ ′ ′1 ′1 ′1 ′1 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 Y Y 0 0 0 0 0 0 1 1 1 1 ′ ′ ′ ′ ′1 ′1 ′1 ′1 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 Z 0 0 0 0 0 0 0 1 1 1 1 ′ ′ ′ ′ ′1 ′1 ′1 ′1 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 V V V V 0 0 0 0 0 1 0 1 0 1

2 2 2 2 3 3 3 3 ′2 ′2 ′2 ′2 ′3 ′3 ′3 ′3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 X X 0 0 0 0 0 0 2 2 2 2 3 3 3 3 ′2 ′2 ′2 ′2 ′3 ′3 ′3 ′3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 Y 0 0 0 0 0 0 0 2 2 2 2 3 3 3 3 ′2 ′2 ′2 ′2 ′3 ′3 ′3 ′3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 Z Z Z Z U U U U 2 2 2 2 3 3 3 3 ′2 ′2 ′2 ′2 ′3 ′3 ′3 ′3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 V 0 V 0 0 0 0 0 2 3 2 3 2 3

4 4 4 4 5 5 5 5 ′4 ′4 ′4 ′4 ′5 ′5 ′5 ′5 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 X 0 0 0 0 0 0 0 4 4 4 4 5 5 5 5 ′4 ′4 ′4 ′4 ′5 ′5 ′5 ′5 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 Λ Λ Λ Λ Φ Φ Φ Φ 4 4 4 4 5 5 5 5 ′4 ′4 ′4 ′4 ′5 ′5 ′5 ′5 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 Z 0 Z 0 U 0 U 0 4 4 4 4 5 5 5 5 ′4 ′4 ′4 ′4 ′5 ′5 ′5 ′5 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 V V 0 0 0 0 0 0 4 5 4 5 4 5

6 6 6 6 7 7 7 7 ′6 ′6 ′6 ′6 ′7 ′7 ′7 ′7 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 Γ Γ Γ Γ Θ Θ Θ Θ 6 6 6 6 7 7 7 7 ′6 ′6 ′6 ′6 ′7 ′7 ′7 ′7 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 Λ 0 Λ 0 Φ 0 Φ 0 6 6 6 6 7 7 7 7 ′6 ′6 ′6 ′6 ′7 ′7 ′7 ′7 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 Z Z 0 0 U U 0 0 6 6 6 6 7 7 7 7 ′6 ′6 ′6 ′6 ′7 ′7 ′7 ′7 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 V 0 0 0 0 0 0 0 6 7 6 7 6 7

8 8 8 8 9 9 9 9 ′8 ′8 ′8 ′8 ′9 ′9 ′9 ′9 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 Γ 0 Γ 0 Θ 0 Θ 0 8 8 8 8 9 9 9 9 ′8 ′8 ′8 ′8 ′9 ′9 ′9 ′9 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 Λ Λ 0 0 Φ Φ 0 0 8 8 8 8 9 9 9 9 ′8 ′8 ′8 ′8 ′9 ′9 ′9 ′9 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 Z 0 0 0 U 0 0 0 8 8 8 8 9 9 9 9 ′8 ′8 ′8 ′8 ′9 ′9 ′9 ′9 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 Ψ Ψ Ψ Ψ Υ Υ Υ Υ 8 9 8 9 8 9

10 10 10 10 11 11 11 11 ′10 ′10 ′10 ′10 ′11 ′11 ′11 ′11 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 Γ Γ 0 0 Θ Θ 0 0 10 10 10 10 11 11 11 11 ′10 ′10 ′10 ′10 ′11 ′11 ′11 ′11 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 Λ 0 0 0 Φ 0 0 0 10 10 10 10 11 11 11 11 ′10 ′10 ′10 ′10 ′11 ′11 ′11 ′11 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 T T T T D D D D 10 10 10 10 11 11 11 11 ′10 ′10 ′10 ′10 ′11 ′11 ′11 ′11 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 Ψ 0 Ψ 0 Υ 0 Υ 0 10 11 10 11 10 11

12 12 12 12 13 13 13 13 ′12 ′12 ′12 ′12 ′13 ′13 ′13 ′13 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 Γ 0 0 0 Θ 0 0 0 12 12 12 12 13 13 13 13 ′12 ′12 ′12 ′12 ′13 ′13 ′13 ′13 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 S S S S Q Q Q Q 12 12 12 12 13 13 13 13 ′12 ′12 ′12 ′12 ′13 ′13 ′13 ′13 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 T 0 T 0 D 0 D 0 12 12 12 12 13 13 13 13 ′12 ′12 ′12 ′12 ′13 ′13 ′13 ′13 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 Ψ Ψ 0 0 Υ Υ 0 0 12 13 12 13 12 13

14 14 14 14 ′14 ′14 ′14 ′14 k0,0 k0,1 k0,2 k0,3 k0,0 k0,1 k0,2 k0,3 J J J J 14 14 14 14 ′14 ′14 ′14 ′14 k1,0 k1,1 k1,2 k1,3 k1,0 k1,1 k1,2 k1,3 S 0 S 0 14 14 14 14 ′14 ′14 ′14 ′14 k2,0 k2,1 k2,2 k2,3 k2,0 k2,1 k2,2 k2,3 T T 0 0 14 14 14 14 ′14 ′14 ′14 ′14 k3,0 k3,1 k3,2 k3,3 k3,0 k3,1 k3,2 k3,3 Ψ 0 0 0 14 14 14

Figure 6.2: The 14-round R diﬀerential pattern 6.2. Repeated Diﬀerential Properties of the AES-256 Key Schedule 78

Theorem 6.2.1 For every 256-bit secret key K, there exist 255 × 2563 different keys, K′, such that the difference of K and K′ has the double-sized R differential pattern, and the difference of the two expanded 14-round subkeys has the 14-round R differential pattern with probability 1.

Proof: Assume that two 256-bit secret keys, K and K′, have the double-sized R differential pattern. We begin with the difference of these two keys in Round 0 and 1, and trace the propagation of the difference from Round 2 to Round 14.

• Round 0 and 1. We have the following equations:

k0,0 k0,1 k0,2 k0,3 k0,4 k0,5 k0,6 k0,7

 k1,0 k1,1 k1,2 k1,3 k1,4 k1,5 k1,6 k1,7  K = ,  k k k k k k k k   2,0 2,1 2,2 2,3 2,4 2,5 2,6 2,7     k3,0 k3,1 k3,2 k3,3 k3,4 k3,5 k3,6 k3,7      k0,0 ⊕ X k0,1 k0,2 ⊕ X k0,3 k0,4 k0,5 k0,6 k0,7

 k1,0 ⊕ Y k1,1 ⊕ Y k1,2 k1,3 k1,4 k1,5 k1,6 k1,7  ′ K =  k2,0 ⊕ Z k2,1 k2,2 k2,3 k2,4 k2,5 k2,6 k2,7  ,          k ⊕ V k ⊕ V k ⊕ V k ⊕ V k k k k   3,0 3,1 3,2 3,3 3,4 3,5 3,6 3,7    X 0 X 0 0000  Y Y 0 00000  K ⊕ K′ = .  Z 0 0 00000       VVVV 00 00      • Round 2. The byte diﬀerences are computed as follows:

2 ′2 2 ′2 2 ′2 2 ′2 k0,0 ⊕ k0,0 = X, k1,0 ⊕ k1,0 = Y, k2,0 ⊕ k2,0 = Z, k3,0 ⊕ k3,0 = V, 2 ′2 2 ′2 2 ′2 2 ′2 k0,1 ⊕ k0,1 = X, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = Z, k3,1 ⊕ k3,1 =0, 2 ′2 2 ′2 2 ′2 2 ′2 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = Z, k3,2 ⊕ k3,2 = V, 2 ′2 2 ′2 2 ′2 2 ′2 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = Z, k3,3 ⊕ k3,3 =0.

2 ′2 • Round 3. Let U = SB(k2,3) ⊕ SB(k2,3), the byte diﬀerences are listed below:

3 ′3 3 ′3 3 ′3 3 ′3 k0,0 ⊕ k0,0 =0, k1,0 ⊕ k1,0 =0, k2,0 ⊕ k2,0 = U, k3,0 ⊕ k3,0 =0, 3 ′3 3 ′3 3 ′3 3 ′3 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = U, k3,1 ⊕ k3,1 =0, 3 ′3 3 ′3 3 ′3 3 ′3 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = U, k3,2 ⊕ k3,2 =0, 3 ′3 3 ′3 3 ′3 3 ′3 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = U, k3,3 ⊕ k3,3 =0. 6.2. Repeated Diﬀerential Properties of the AES-256 Key Schedule 79

2 3 ′2 ′3 • Round 4. Let Λ = k1,0 ⊕ SB(k2,3) ⊕ k1,0 ⊕ SB(k2,3), all byte diﬀerences are provided below.

4 ′4 4 ′4 4 ′4 4 ′4 k0,0 ⊕ k0,0 = X, k1,0 ⊕ k1,0 =Λ, k2,0 ⊕ k2,0 = Z, k3,0 ⊕ k3,0 = V, 4 ′4 4 ′4 4 ′4 4 ′4 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 =Λ, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 = V, 4 ′4 4 ′4 4 ′4 4 ′4 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =Λ, k2,2 ⊕ k2,2 = Z, k3,2 ⊕ k3,2 =0, 4 ′4 4 ′4 4 ′4 4 ′4 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =Λ, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

4 ′4 • Round 5. Let Φ = SB(k1,3) ⊕ SB(k1,3), the byte diﬀerences can be represented as:

5 ′5 5 ′5 5 ′5 5 ′5 k0,0 ⊕ k0,0 =0, k1,0 ⊕ k1,0 = Φ, k2,0 ⊕ k2,0 = U, k3,0 ⊕ k3,0 =0, 5 ′5 5 ′5 5 ′5 5 ′5 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = Φ, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 =0, 5 ′5 5 ′5 5 ′5 5 ′5 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 = Φ, k2,2 ⊕ k2,2 = U, k3,2 ⊕ k3,2 =0, 5 ′5 5 ′5 5 ′5 5 ′5 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 = Φ, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

4 5 ′4 ′5 • Round 6. Let Γ = k0,0 ⊕SB(k1,3)⊕k0,0 ⊕SB(k1,3), the byte diﬀerences are shown below:

6 ′6 6 ′6 6 ′6 6 ′6 k0,0 ⊕ k0,0 =Γ, k1,0 ⊕ k1,0 =Λ, k2,0 ⊕ k2,0 = Z, k3,0 ⊕ k3,0 = V, 6 ′6 6 ′6 6 ′6 6 ′6 k0,1 ⊕ k0,1 =Γ, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = Z, k3,1 ⊕ k3,1 =0, 6 ′6 6 ′6 6 ′6 6 ′6 k0,2 ⊕ k0,2 =Γ, k1,2 ⊕ k1,2 =Λ, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =0, 6 ′6 6 ′6 6 ′6 6 ′6 k0,3 ⊕ k0,3 =Γ, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

6 5 ′6 ′5 • Round 7. Let Θ = SB(k0,3) ⊕ k0,0 ⊕ SB(k0,3) ⊕ k0,0, the byte diﬀerences are calculated as follows:

7 ′7 7 ′7 7 ′7 7 ′7 k0,0 ⊕ k0,0 =Θ, k1,0 ⊕ k1,0 = Φ, k2,0 ⊕ k2,0 = U, k3,0 ⊕ k3,0 =0, 7 ′7 7 ′7 7 ′7 7 ′7 k0,1 ⊕ k0,1 =Θ, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = U, k3,1 ⊕ k3,1 =0, 7 ′7 7 ′7 7 ′7 7 ′7 k0,2 ⊕ k0,2 =Θ, k1,2 ⊕ k1,2 = Φ, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =0, 7 ′7 7 ′7 7 ′7 7 ′7 k0,3 ⊕ k0,3 =Θ, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

6 7 ′6 ′7 • Round 8. Let Ψ = k3,0 ⊕SB(k0,3)⊕k3,0 ⊕SB(k0,3), the byte diﬀerences are listed below:

8 ′8 8 ′8 8 ′8 8 ′8 k0,0 ⊕ k0,0 =Γ, k1,0 ⊕ k1,0 =Λ, k2,0 ⊕ k2,0 = Z, k3,0 ⊕ k3,0 =Ψ, 8 ′8 8 ′8 8 ′8 8 ′8 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 =Λ, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 =Ψ, 8 ′8 8 ′8 8 ′8 8 ′8 k0,2 ⊕ k0,2 =Γ, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =Ψ, 8 ′8 8 ′8 8 ′8 8 ′8 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =Ψ. 6.2. Repeated Diﬀerential Properties of the AES-256 Key Schedule 80

8 7 ′8 ′7 • Round 9. Let Υ = SB(k3,3) ⊕ k3,0 ⊕ SB(k3,3) ⊕ k3,0, the byte diﬀerences are represented as:

9 ′9 9 ′9 9 ′9 9 ′9 k0,0 ⊕ k0,0 =Θ, k1,0 ⊕ k1,0 = Φ, k2,0 ⊕ k2,0 = U, k3,0 ⊕ k3,0 =Υ, 9 ′9 9 ′9 9 ′9 9 ′9 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = Φ, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 =Υ, 9 ′9 9 ′9 9 ′9 9 ′9 k0,2 ⊕ k0,2 =Θ, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =Υ, 9 ′9 9 ′9 9 ′9 8 ′9 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =Υ.

8 9 ′8 ′9 • Round 10. Let T = k2,0 ⊕ SB(k3,3) ⊕ k2,0 ⊕ SB(k3,3), the byte diﬀerences are listed below:

10 ′10 10 ′10 10 ′10 10 ′10 k0,0 ⊕ k0,0 =Γ, k1,0 ⊕ k1,0 =Λ, k2,0 ⊕ k2,0 = T, k3,0 ⊕ k3,0 =Ψ, 10 ′10 10 ′10 10 ′10 10 ′10 k0,1 ⊕ k0,1 =Γ, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = T, k3,1 ⊕ k3,1 =0, 10 ′10 10 ′10 10 ′10 10 ′10 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = T, k3,2 ⊕ k3,2 =Ψ, 10 ′10 10 ′10 10 ′10 10 ′10 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = T, k3,3 ⊕ k3,3 =0.

10 9 ′10 ′9 • Round 11. Let D = SB(k2,3) ⊕ k2,0 ⊕ SB(k2,3) ⊕ k2,0, we have:

11 ′11 11 ′11 11 ′11 11 ′11 k0,0 ⊕ k0,0 =Θ, k1,0 ⊕ k1,0 = Φ, k2,0 ⊕ k2,0 = D, k3,0 ⊕ k3,0 =Υ, 11 ′11 11 ′11 11 ′11 11 ′11 k0,1 ⊕ k0,1 =Θ, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = D, k3,1 ⊕ k3,1 =0, 11 ′11 11 ′11 11 ′11 11 ′11 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = D, k3,2 ⊕ k3,2 =Υ, 11 ′11 11 ′11 11 ′11 11 ′11 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = D, k3,3 ⊕ k3,3 =0.

10 11 ′10 ′11 • Round 12. Let S = k1,0 ⊕ SB(k2,3) ⊕ k1,0 ⊕ SB(k2,3), the byte diﬀerences are provided below:

12 ′12 12 ′12 12 ′12 12 ′12 k0,0 ⊕ k0,0 =Γ, k1,0 ⊕ k1,0 = S, k2,0 ⊕ k2,0 = T, k3,0 ⊕ k3,0 =Ψ, 12 ′12 12 ′12 12 ′12 12 ′12 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = S, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 =Ψ, 12 ′12 12 ′12 12 ′12 12 ′12 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 = S, k2,2 ⊕ k2,2 = T, k3,2 ⊕ k3,2 =0, 12 ′12 12 ′12 12 ′12 12 ′12 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 = S, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

12 11 ′12 ′11 • Round 13. Let Q = SB(k1,3) ⊕ k1,0 ⊕ SB(k1,3) ⊕ k1,0, the byte diﬀerences are represented as:

13 ′13 13 ′13 13 ′13 13 ′13 k0,0 ⊕ k0,0 =Θ, k1,0 ⊕ k1,0 = Q, k2,0 ⊕ k2,0 = D, k3,0 ⊕ k3,0 =Υ, 13 ′13 13 ′13 13 ′13 13 ′13 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = Q, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 =Υ, 13 ′13 13 ′13 13 ′13 13 ′13 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 = Q, k2,2 ⊕ k2,2 = D, k3,2 ⊕ k3,2 =0, 13 ′13 13 ′13 13 ′13 13 ′13 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 = Q, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0. 6.2. Repeated Diﬀerential Properties of the AES-256 Key Schedule 81

12 13 ′12 ′13 • Round 14. Let J = k0,0 ⊕ SB(k1,3) ⊕ k0,0 ⊕ SB(k1,3), the byte diﬀerences are computed as follows:

14 ′14 14 ′14 14 ′14 14 ′14 k0,0 ⊕ k0,0 = J, k1,0 ⊕ k1,0 = S, k2,0 ⊕ k2,0 = T, k3,0 ⊕ k3,0 =Ψ, 14 ′14 14 ′14 14 ′14 14 ′14 k0,1 ⊕ k0,1 = J, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = T, k3,1 ⊕ k3,1 =0, 14 ′14 14 ′14 14 ′14 14 ′14 k0,2 ⊕ k0,2 = J, k1,2 ⊕ k1,2 = S, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =0, 14 ′14 14 ′14 14 ′14 14 ′14 k0,3 ⊕ k0,3 = J, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

• Since there is no limit on choosing X, Y , Z, and V , we can choose 255 possible values for X, 256 possible values for Y , 256 possible values for Z, and 256 possible values for V . Thus, for any 256-bit secret key K, there exist 255 × 2563 possible values for K′.

⋄

The 14-round R diﬀerential pattern has some repeated features, which are described below.

1. The layout of the left half 16 bytes of the double-sized R differential is same as the layout of the 16 bytes of the R differential defined in Section 6.1, and the right half 16 bytes of the double-sized R differential are all equal to zero.

2. The differential patterns of Round 2, 4, 6, 8, 10, 12 and 14 in the 14-round R differential pattern are same as the differential patterns of Round 1, 2, 3, 4, 5, 6 and 7 in the 10-round R differential pattern, respectively.

3. There are (at least) 7 zero differences in Round 0, 2, 4, 6, 8, 9, 10, 11, 12, 13 and 14. Round 1 has 16 zero differences, and Round 3 contains (at least) 12 zero differences. There are (at least) 10 zero differences in Round 5, and (at least) 8 zero differences in Round 7.

Discussion. We presented the repeated diﬀerential pattern of the AES-128 key schedule in Section 6.1 and the double-sized repeated diﬀerential pattern of the AES-256 key schedule in Section 6.2. As the AES-192 key schedule applies the non-linear SubWord() transformation once every six words (see Figure 2.9) while the AES-128 and AES-256 key schedules apply the non-linear SubWord() operation once every four words (see Figure 2.8 and Figure 2.10), we have not found any similar repeated patterns in the AES-192 key schedule so far. 6.3. Summary 82 6.3 Summary

We described some repeated differential patterns of the AES-128 and AES-256 key schedules in this chapter. The Rijndael submission document (Section 7.5, Page 28) [36] states that “A necessary condition for resistance against related-key attacks is that there should not be two different cipher keys that have a large set of round keys in common”. The presented properties show that the AES-128 and AES-256 key schedules are not ideal because when two different cipher keys with a special differential pattern are expanded, the resultant round keys contain a large number of identical bytes. Since the proposed properties are only concerning the key schedule of the AES cipher, the observations of this chapter has no real-life implications at this moment. Chapter 7

Diﬀerential Fault Analysis of LEX

In this chapter, we present a differential fault attack on the stream cipher LEX [19]. The results of this chapter were published in [58]. To identify new stream ciphers suitable for widespread adoption, the eSTREAM project released its call for primitives in November 2004. The project originally received 34 submissions and the competition was completed in April 2008. After a multi-year evaluation, seven ciphers were selected in the eSTREAM portfolio. LEX was one of the candidates of the eSTREAM final phase evaluation. LEX is a stream cipher which is based on a design principle known as a leak extraction from a block cipher. In this construction, the output key stream is extracted from parts of the internal state of a block cipher at certain rounds (possibly after passing an additional filter function). The extracted parts of the internal state need to be selected carefully because leaking the wrong part of the state may endanger the security of the cipher. The underlying block cipher of LEX is AES, and the key stream is generated by extracting 32 bits from each round of AES in the Output Feedback (OFB) mode. Cryptanalysis is the art of breaking a cryptosystem and gaining access to encrypted information without knowing the key. Cryptanalysis of cryptosystems can be divided into two main categories. In the first category, the cryptanalyst focuses on mathematical analysis of the cryptographic algorithm and targets to exploit theoretical weaknesses in the algorithm. Examples of this category include differential cryptanalysis [16] and linear cryptanalysis [80]. In the second category, the cryptanalyst aims to exploit weaknesses in physical implementation of the cryptosystem and targets to break the system by making use of the gained information. The attacks of the second category are usually referred to as side channel attacks. Instances of this category include timing attacks [72], power attacks [73] and fault attacks [25]. The concept of fault analysis was first introduced by Boneh, DeMillo and Lipton [25] in 1996, and the attack was used to target certain implementations of RSA and Rabin signatures by taking advantage of hardware faults. Differential fault analysis on block ciphers was first introduced by

83 7.1. The LEX Stream Cipher 84

Biham and Shamir [17] to attack DES. It was presented by Hoch and Shamir [54] that fault analysis is a powerful cryptanalytic tool which can be employed to attack stream ciphers as well. After LEX was submitted to the eSTREAM project, a few attacks against this cipher have been proposed. Wu and Preneel [101] showed that the resynchronisation of LEX is vulnerable to a slide attack, which needs 260.8 random IVs and 20,000 keystream bytes generated from each IV. A generic attack, which requires 265.7 resynchronisations, was published by Englund, Hell and Johansson [44]. Dunkelman and Keller [40] presented a differential attack that can recover the secret key of LEX in time of 2112 operations by using 236.3 bytes of key stream produced by the same key (possibly under many different IVs). Mondal and Mukhopadhyay [83] proposed a related key attack on LEX with 254.3 keystream bytes and 2102 operations. Z’aba, Raddum, Simp- son, Dawson, Henricksen and Wong [102] described an algebraic analysis of LEX and demonstrated that LEX can be represented by a system of 21 equations with 17 variables. Bouillaguet, Derbez and Fouque [26] presented a key-recovery attack against LEX with 250 data and 280 time complexity. We describe a differential fault analysis of LEX in this chapter. The fault model assumes that the attacker can flip a random bit of the internal state of the cipher, and also can carry out the operation many times for the same internal state. However, the attacker is not supposed to know the exact location of the flipped bit. The proposed attack requires 40 faults and recovers the secret key of LEX with 216 operations. This chapter is organised as follows. Section 7.1 describes the LEX stream cipher. Section 7.2 presents the details of the differential fault analysis of LEX. Section 7.3 provides the discussion and related work, and Section 7.4 summarises this chapter.

7.1 The LEX Stream Cipher

LEX employs the design rationale of the AES to generate the key stream. First, a standard AES key schedule for a secret 128-bit key K is performed. Then, a given

128-bit IV is encrypted by a single AES encryption, denoted by S = AESK(IV ). The 128-bit result S and the secret key K comprise a 256-bit secret state of the stream cipher. Under the key K, S is repeatedly encrypted in the OFB mode. Figure 7.1 [19] illustrates how AES is used in the keystream generation. In each round of the encryption, 32 bits are extracted from the intermediate state to form the key stream. The positions of the extracted 32 bits are shown in Figure 7.2. The IV is replaced after 500 encryptions and the secret key is changed after 232 diﬀerent IVs are used. 7.2. The Diﬀerential Fault Analysis 85

128-bit 128-bit 128-bit 128-bit K K K K

? ? ? ? IV - AES - AES - AES - AES - 128-bit

????? ????? ????? 320-bit 320-bit 320-bit Output stream

Figure 7.1: Initialisation and stream generation

b0,0 b0,1 b0,2 b0,3 b0,0 b0,1 b0,2 b0,3 b0,0 b0,1 b0,2 b0,3

b1,0 b1,1 b1,2 b1,3 b1,0 b1,1 b1,2 b1,3 b1,0 b1,1 b1,2 b1,3

b2,0 b2,1 b2,2 b2,3 b2,0 b2,1 b2,2 b2,3 b2,0 b2,1 b2,2 b2,3

b3,0 b3,1 b3,2 b3,3 b3,0 b3,1 b3,2 b3,3 b3,0 b3,1 b3,2 b3,3

Odd Round Even Round

Figure 7.2: The leak positions in the even and odd rounds

Notations. An AES intermediate state, as well as an AES round key, is represented as a four-by-four array of bytes. A byte of an intermediate state is written as bi,j, the ′ ′ corresponding faulty byte is denoted by bi,j, and the diﬀerence of bi,j and bi,j is repre- x sented as ∆bi,j, 0 ≤ i, j ≤ 3. A key byte of Round x is denoted by Ki,j, 0 ≤ i, j ≤ 3. The symbol ? stands for an unknown byte. In all ﬁgures, a keystream byte of LEX is surrounded by a circle.

7.2 The Diﬀerential Fault Analysis

The fault model assumes that the attacker can flip a random bit of the internal state of the cipher during the keystream generation and obtain the corresponding faulty key stream. Another assumption is that the adversary can reset the state back to its original status and repeat the fault injection process many times (we consider this assumption is reasonable as it was used in many previous attacks [54]). However, the attacker is not supposed to know the exact location of the injected fault. Based on the fault model, we first describe a method to determine the fault position and then we show that the attacker can recover the secret key of LEX by analysing the original and faulty key stream. 7.2. The Differential Fault Analysis 86

7.2.1 The Fault Position Determination Method

Since the attacker does not know the exact fault position in our fault model, we need to determine the fault location first. The idea is that it is possible to find out the fault position by observing the changes of the key stream after the fault is injected. We show that we can identify into which byte the random bit fault is injected. All possible cases are divided into two categories. In the first category, the fault is injected into the state after the MC or ARK transformation, and in the second category, the fault is injected into the state after the SB or SR transformation. We analyse the keystream generation in three consecutive rounds, and use Figure 7.3 to describe the position determination method. Suppose the three-round diagram starts with an odd round, i.e., i is an odd number (we can also do the analysis by using the same idea if i is an even number). The keystream bytes are g0,0, g0,2, g2,0 and g2,2 in

Round i, l0,1, l0,3, l2,1 and l2,3 in Round i + 1, and s0,0, s0,2, s2,0 and s2,2 in Round i + 2.

d0,0 d0,1 d0,2 d0,3 e0,0 e0,1 e0,2 e0,3 f0,0 f0,1 f0,2 f0,3 g0,0 g0,1 g0,2 g0,3

e1,0 e1,1 e1,2 e1,3 g1,0 g1,1 g1,2 g1,3 SB d1,0 d1,1 d1,2 d1,3 SR MC f1,0 f1,1 f1,2 f1,3 ARK → → → → d2,0 d2,1 d2,2 d2,3 e2,0 e2,1 e2,2 e2,3 f2,0 f2,1 f2,2 f2,3 g2,0 g2,1 g2,2 g2,3

d3,0 d3,1 d3,2 d3,3 e3,0 e3,1 e3,2 e3,3 f3,0 f3,1 f3,2 f3,3 g3,0 g3,1 g3,2 g3,3 Round i

h0,0h0,1 h0,2 h0,3 y0,0 y0,1 y0,2 y0,3 j0,0 j0,1 j0,2 j0,3 l0,0 l0,1 l0,2 l0,3

y1,0 y1,1 y1,2 y1,3 SB h1,0h1,1 h1,2 h1,3 SR MC j1,0 j1,1 j1,2 j1,3 ARK l1,0 l1,1 l1,2 l1,3 → → → → h2,0h2,1 h2,2 h2,3 y2,0 y2,1 y2,2 y2,3 j2,0 j2,1 j2,2 j2,3 l2,0 l2,1 l2,2 l2,3

h3,0h3,1 h3,2 h3,3 y3,0 y3,1 y3,2 y3,3 j3,0 j3,1 j3,2 j3,3 l3,0 l3,1 l3,2 l3,3 Round i +1

o0,0 o0,1 o0,2 o0,3 q0,0 q0,1 q0,2 q0,3 r0,0 r0,1 r0,2 r0,3 s0,0 s0,1 s0,2 s0,3

o1 0 o1 1 o1 2 o1 3 q1 0 q1 1 q1 2 q1 3 r1 0 r1 1 r1 2 r1 3 s1 0 s1 1 s1 2 s1 3 SB , , , , SR , , , , MC , , , , ARK , , , , → → → → o2,0 o2,1 o2,2 o2,3 q2,0 q2,1 q2,2 q2,3 r2,0 r2,1 r2,2 r2,3 s2,0 s2,1 s2,2 s2,3

o3,0 o3,1 o3,2 o3,3 q3,0 q3,1 q3,2 q3,3 r3,0 r3,1 r3,2 r3,3 s3,0 s3,1 s3,2 s3,3 Round i +2 Figure 7.3: The three-round diagram

1. Category 1. The fault is injected into the state after the MC or ARK transformation. We only focus on cases where the fault is injected into the state after the MC transformation, and the same idea can be used to analyse cases where the fault is injected into the state after the ARK operation. Suppose the fault is induced to the state after the MC transformation in Round i. We further divide all possible cases of this category into four groups and each group contains four 7.2. The Diﬀerential Fault Analysis 87

bytes.

• Group 1. This group includes four bytes: f0,0, f2,0, f0,2 and f2,2.

• Group 2. This group has four bytes: f1,0, f2,1, f3,2 and f0,3.

• Group 3. This group comprises four bytes: f3,0, f0,1, f1,2 and f2,3.

• Group 4. This group consists of four bytes: f1,1, f3,1, f1,3 and f3,3.

The relation between the fault position and the changes of the keystream bytes

is summarised in Table 7.1. For example, if a fault is induced to f0,0 (see the ﬁrst

entry of Group 1 in Table 7.1) in Figure 7.3, we can see the change of g0,0 from

the key stream in Round i. Since g0,0 is changed, h0,0, y0,0, j0,0, j1,0, j2,0, j3,0, l0,0,

l1,0, l2,0, l3,0 are changed in Round i + 1. However, we cannot see the changes from the key stream in Round i + 1 because the keystream bytes of this round

are l0,1, l0,3, l2,1 and l2,3. In Round i + 2, all 16 bytes are changed after the MC

transformation and we can see that all four keystream bytes s0,0, s0,2, s2,0 and

s2,2 are changed. The diﬀerence among Group 1, Group 2, Group 3 and Group 4 is that the changes of the keystream bytes in Round i and Round i + 1 take place at diﬀerent positions.

2. Category 2. The fault is injected into the state after the SB or SR transformation. We only concentrate on cases where the fault is injected into the state after the SR transformation, and we can use the same idea to analyse cases where the fault is injected into the state after the SB transformation. Assume that the fault is induced to the state after the SR transformation in Round i. We split all possible cases of this category into three groups.

• Group 5. This group has four bytes: e0,0, e1,0, e2,0 and e3,0.

• Group 6. This group is made up of four bytes: e0,2, e1,2, e2,2 and e3,2.

• Group 7. This group contains eight bytes: e0,1, e1,1, e2,1, e3,1, e0,3, e1,3, e2,3

and e3,3.

The relation between the fault position and the changes of the keystream bytes

is described in Table 7.2. For instance, if a fault is injected into byte e0,0 (see

the ﬁrst entry of Group 5 in Table 7.2) in Figure 7.3, g0,0, g1,0, g2,0 and g3,0 are

changed and we can observe the changes of g0,0 and g2,0 from the key stream in Round i. In Round i + 1, all 16 bytes are changed after the MC transformation

and the changes of l0,1, l0,3, l2,1 and l2,3 can be observed from the key stream. Similarly, all 16 bytes are changed starting from the SB operation in Round i+2,

and we can see the changes of s0,0, s0,2, s2,0 and s2,2 from the key stream. 7.2. The Diﬀerential Fault Analysis 88

Group 1 Fault i i +1 f0,0 g0,0 None f2,0 g2,0 None f0,2 g0,2 None f2,2 g2,2 None

Group 2 Fault i i +1 f1,0 None l0,3, l2,3 f2,1 None l0,3, l2,3 f3,2 None l0,3, l2,3 f0,3 None l0,3, l2,3

Group 3 Fault i i +1 f3,0 None l0,1, l2,1 f0,1 None l0,1, l2,1 f1,2 None l0,1, l2,1 f2,3 None l0,1, l2,1

Group 4 Fault i i +1 f1,1 None None f3,1 None None f1,3 None None f3,3 None None

Table 7.1: Four groups of the fault positions

The proposed method makes use of the fact that one can observe the differences between faulty and original keystream bytes from the output keystream. Therefore, we are able to identify the fault position by watching the changes of the keystream bytes caused by the injected fault from Table 7.1 and Table 7.2. As discussed in this subsection, all possible cases of fault positions are divided into two categories. For the sake of simplicity, in this thesis we only focus on cases where a fault is injected into a byte which belongs to the first category, i.e., a byte is listed in Table 7.1 (this is reasonable since we assume that the fault injection process can be repeated many times as the adversary wishes). 7.2. The Differential Fault Analysis 89

Group 5 Fault i i +1 e0,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 e1,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 e2,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3 e3,0 g0,0, g2,0 l0,1, l0,3, l2,1, l2,3

Group 6 Fault i i +1 e0,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 e1,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 e2,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3 e3,2 g0,2, g2,2 l0,1, l0,3, l2,1, l2,3

Group 7 Fault i i +1 e0,1 None l0,1, l0,3, l2,1, l2,3 e1,1 None l0,1, l0,3, l2,1, l2,3 e2,1 None l0,1, l0,3, l2,1, l2,3 e3,1 None l0,1, l0,3, l2,1, l2,3 e0,3 None l0,1, l0,3, l2,1, l2,3 e1,3 None l0,1, l0,3, l2,1, l2,3 e2,3 None l0,1, l0,3, l2,1, l2,3 e3,3 None l0,1, l0,3, l2,1, l2,3

Table 7.2: Three groups of fault positions

7.2.2 Recovering 4 Key Bytes of Round i +2

We ﬁrst show that we are able to recover the actual values of 12 bytes after the SR transformation in Round i+2 by using 8 faults. Then, we describe the idea of recovering 4 key bytes of Round i + 2 by using the 12 known values. We provide an observation which is used to identify the position of a faulty byte in the MC transformation.

Observation 7.2.1 In the MixColumns transformation, for each 0 ≤ i ≤ 3, if we know three out of four input differences (∆y0,i, ∆y1,i, ∆y2,i and ∆y3,i) are zero and one input difference is non-zero and we also know two output differences (∆j0,i and

∆j2,i), the two unknown output differences (∆j1,i and ∆j3,i) and the position and the 7.2. The Differential Fault Analysis 90 difference of the non-zero input can be uniquely determined.

∆y0,i ∆j0,i     ∆y1,i MC ∆j1,i   −→   .      ∆y2,i   ∆j2,i           ∆y3,i   ∆j3,i          Suppose a fault is injected into a byte which is f0,3, f1,0, f2,1 or f3,2 (Group 2 in Table 7.1). We use Figure 7.4 to demonstrate the progress. We establish a formula, Formula (7.1), by using the input and out diﬀerences of the MC operation in Round i + 1. Note that in Formula (7.1), one byte of ∆y0,3, ∆y1,3, ∆y2,3 and ∆y3,3 is non- zero (although we do not know which one is non-zero at this moment), and the other three bytes are zero as we assume that the faulty byte is f0,3, f1,0, f2,1 or f3,2. We create another formula, Formula (7.2), with the input and out diﬀerences of the MC transformation in Round i + 2.

000∆y0,3 000∆j0,3     000∆y1,3 MC 000∆j1,3   −→   (7.1)      000∆y2,3   000∆j2,3           000∆y3,3   000∆j3,3          0 0 0∆q0,3 ∆r0,0 ∆r0,1 ∆r0,2 ∆r0,3     0 0 ∆q1,2 0 MC ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3   −→   (7.2)      0 ∆q2,1 0 0   ∆r2,0 ∆r2,1 ∆r2,2 ∆r2,3           ∆q3,0 0 0 0   ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3          1. We use Formula (7.1) to decide the values of ∆l1,3 and ∆l3,3 by performing the

following steps. Since ∆j0,3 is equal to ∆l0,3 and ∆j2,3 is equal to ∆l2,3 (∆l0,3 and

∆l2,3 can be calculated from the key stream), we know the values of ∆j0,3 and

∆j2,3. In the fourth columns of the input and output, there are 5 known bytes (3

zero bytes, ∆j0,3 and ∆j2,3) and 3 unknown bytes (the non-zero input byte, ∆j1,3

and ∆j3,3). Although we know that there are three zero inputs and one non-zero input, we do not know the exact layout of the four input bytes. We can determine

the 2 unknown output bytes (∆j1,3 and ∆j3,3) and the position and the diﬀerence of the non-zero input byte by using Observation 7.2.1. In Figure 7.4, we assume

the faulty byte is f1,0. As ∆l1,3 is equal to ∆j1,3 and ∆l3,3 is equal to ∆j3,3, and

we know the values of ∆l1,3 and ∆l3,3. The time complexity of this step is O(1), i.e., constant time, as we use Observation 7.2.1 to ﬁnd the solutions. 7.2. The Diﬀerential Fault Analysis 91

2. We employ Formula (7.2) to deduce ∆q3,0 and ∆q1,2 and the steps are as follows.

(a) Because ∆r0,0 is equal to ∆s0,0 and ∆r2,0 is equal to ∆s2,0 (∆s0,0 and ∆s2,0

can be computed from the key stream), we know the values of ∆r0,0 and

∆r2,0. In the ﬁrst columns of the input and output, there are 5 known

bytes (3 zero bytes, ∆r0,0 and ∆r2,0) and 3 unknown bytes (∆q3,0, ∆r1,0 and

∆r3,0). Here we know the positions of the three zero inputs and the non-zero input (see the ﬁrst column of the input in Formula (7.2)). The 3 unknown bytes can be deduced from the 5 known bytes.

(b) Similarly, there are 5 known bytes (3 zero bytes, ∆r0,2 and ∆r2,2) and 3

unknown bytes (∆q1,2, ∆r1,2 and ∆r3,2) in the third columns of the input and output. The values of 3 unknown bytes can be computed by making use of the 5 known bytes.

d0,0 d0,1 d0,2 d0,3 e0,0 e0,1 e0,2 e0,3 f0,0 f0,1 f0,2 f0,3 g0,0 g0,1 g0,2 g0,3

′ ′ d1,0 d1,1 d1,2 d1,3 e1,0 e1,1 e1,2 e1,3 f1,0 f1,1 f1,2 f1,3 g1,0 g1,1 g1,2 g1,3 SB→ SR→ MC→ ARK→ d2,0 d2,1 d2,2 d2,3 e2,0 e2,1 e2,2 e2,3 f2,0 f2,1 f2,2 f2,3 g2,0 g2,1 g2,2 g2,3

d3,0 d3,1 d3,2 d3,3 e3,0 e3,1 e3,2 e3,3 f3,0 f3,1 f3,2 f3,3 g3,0 g3,1 g3,2 g3,3

Round i ′ ′ h0,0 h0,1 h0,2 h0,3 y0,0 y0,1 y0,2 y0,3 j0,0 j0,1 j0,2 j0,3 l0,0 l0,1 l0,2 l0,3 ′ ′ ′ ′ h1,0 h1,1 h1,2 h1,3 y1,0 y1,1 y1,2 y1,3 j1,0 j1,1 j1,2 j1,3 l1,0 l1,1 l1,2 l1,3 SB→ SR→ MC→ ARK→ ′ ′ h2,0 h2,1 h2,2 h2,3 y2,0 y2,1 y2,2 y2,3 j2,0 j2,1 j2,2 j2,3 l2,0 l2,1 l2,2 l2,3 ′ ′ h3,0 h3,1 h3,2 h3,3 y3,0 y3,1 y3,2 y3,3 j3,0 j3,1 j3,2 j3,3 l3,0 l3,1 l3,2 l3,3

Round i + 1 ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ o0,0 o0,1 o0,2 o0,3 q0,0 q0,1 q0,2 q0,3 r0,0 r0,1 r0,2 r0,3 s0,0 s0,1 s0,2 s0,3 ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ o1,0 o1,1 o1,2 o1,3 q1,0 q1,1 q1,2 q1,3 r1,0 r1,1 r1,2 r1,3 s1,0 s1,1 s1,2 s1,3 SB→ SR→ MC→ ARK→ ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ o2,0 o2,1 o2,2 o2,3 q2,0 q2,1 q2,2 q2,3 r2,0 r2,1 r2,2 r2,3 s2,0 s2,1 s2,2 s2,3 ′ ′ ′ ′ ′ ′ ′ ′ ′ ′ o3,0 o3,1 o3,2 o3,3 q3,0 q3,1 q3,2 q3,3 r3,0 r3,1 r3,2 r3,3 s3,0 s3,1 s3,2 s3,3

Round i + 2

Figure 7.4: Computing the values of ∆l1,3, ∆l3,3, ∆q1,2 and ∆q3,0

In Figure 7.5, we know the values of ∆o1,3 and ∆o3,3 since we know ∆q1,2 and ∆q3,0 and the SR operation is just a permutation. Now we know the input diﬀerences (∆l1,3,

∆l3,3) and the corresponding output differences (∆o1,3, ∆o3,3) to the SB operation, and ′ ′ we can deduce 4 actual values for o1,3, o1,3, o3,3 and o3,3 by using a lookup table, which contains all possible input differences and their corresponding output differences of the SB operation. Here we encounter a 1-in-2 situation: although we already have 4 actual ′ ′ values for o1,3, o1,3, o3,3 and o3,3, we cannot distinguish the correct values (o1,3 and o3,3) ′ ′ from the faulty ones (o1,3 and o3,3). To address this problem, we need one more fault 7.2. The Differential Fault Analysis 92

injected into f1,0 and repeat the above steps since the correct values will appear twice ′ ′ in both keystream processing. After getting the actual values of o1,3, o1,3, o3,3 and o3,3, ′ ′ we know the actual values of q1,2, q1,2, q3,0 and q3,0 after the SR operation. As the actual values of l0,1, l0,3, l2,1 and l2,3 are known from the key stream, we get the actual values of q0,1, q0,3, q2,1 and q2,3 after the SB and SR operations. So far, we have the actual values of 6 bytes, q1,2, q3,0, q0,1, q0,3, q2,1 and q2,3, after the SR transformation in Round i + 2: ? q0,1 ? q0,3   ? ? q1,2 ?   .    ? q2,1 ? q2,3       q3,0 ? ? ?     

∆l1,3 ∆o1,3 ∆q1,2 ARK−→ −→SB −→SR

∆l3,3 ∆o3,3 ∆q3,0

Round i + 1 Round i + 2 Round i + 2

Figure 7.5: Deducing the actual values of q1,2 and q3,0

The same idea can be used to recover the actual values of q0,0, q2,2, q1,0, q3,2, q2,0 and q0,2. The details are listed as follows.

1. We are able to obtain the actual values of q0,0 and q2,2 by using 2 faults which

are injected into f0,0, or f2,2. The procedure is shown in Section 7.2.2.1.

2. We can recover the actual values of q1,0 and q3,2 by using 2 faults which are

induced on f0,1, f1,2, f2,3 or f3,0. The steps are described in Section 7.2.2.2.

3. We can get the actual values of q2,0 and q0,2 by using 2 faults which are injected

into f0,2 or f2,0. The details are presented in Section 7.2.2.3.

7.2.2.1 Calculating the Actual Values of q0,0 and q2,2

Assume a fault is induced on f0,0 or f2,2 (Group 1 in Table 7.1), and suppose the faulty byte is f0,0. We create a formula, Formula (7.3), by employing the input and output diﬀerences of the MC operation in Round i + 1. We build another formula, Formula 7.2. The Diﬀerential Fault Analysis 93

(7.4), with the input and out diﬀerences of the MC transformation in Round i + 2.

∆y0,0 0 0 0 ∆j0,0 0 0 0     0 000 MC ∆j1,0 0 0 0   −→   (7.3)      0 000   ∆j2,0 0 0 0           0 000   ∆j3,0 0 0 0          ∆q0,0 0 0 0 ∆r0,0 ∆r0,1 ∆r0,2 ∆r0,3     0 0 0∆q1,3 MC ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3   −→   (7.4)      0 0 ∆q2,2 0   ∆r2,0 ∆r2,1 ∆r2,2 ∆r2,3           0 ∆q3,1 0 0   ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3          1. In Formula (7.3), ∆y0,0 can be computed from the key stream of Round i by ′ using the values of g0,0 and g0,0. In the ﬁrst columns of the input and output,

there are 4 known bytes (∆y0,0 and 3 zero bytes) and 4 unknown bytes (∆j0,0,

∆j1,0, ∆j2,0 and ∆j3,0). The 4 unknown bytes can be decided by using the 4

known bytes. After ∆j0,0, ∆j1,0, ∆j2,0 and ∆j3,0 are decided, we know the values

of ∆l0,0, ∆l1,0, ∆l2,0 and ∆l3,0.

2. In Formula (7.4), ∆r0,0 can be computed from the key stream of Round i + 2 by ′ using the values of s0,0 and s0,0. Similarly, we get the value of ∆r2,0. In the ﬁrst

columns of the input and output, there are 5 known bytes (∆r0,0, ∆r2,0 and 3

zero bytes) and 3 unknown bytes (∆q0,0, ∆r1,0 and ∆r3,0). We have the values of

∆q0,0, ∆r1,0 and ∆r3,0 by using the 5 known bytes. By using the same method to analyse the third columns of the input and output, we can deduce the values of

∆q2,2, ∆r1,2 and ∆r3,2 by employing the 5 known bytes (∆r0,2, ∆r2,2 and 3 zero bytes).

3. We get the values of ∆o0,0 and ∆o2,0 from the fact that ∆q0,0 is equal to ∆o0,0

and ∆q2,2 is equal to ∆o2,0. Once knowing the input diﬀerences (∆l0,0, ∆l2,0)

and the corresponding output diﬀerences (∆o0,0, ∆o2,0) to the SB operation, we ′ ′ can deduce 4 actual values for o0,0, o0,0, o2,0 and o2,0. Although we have 4 actual ′ ′ values for o0,0, o0,0, o2,0 and o2,0, we are not able to separate the correct values ′ ′ (o0,0 and o2,0) from the faulty ones (o0,0 and o2,0). To overcome this problem,

we need one more fault induced on f0,0 and repeat the steps mentioned above to

make the correct values emerge twice. After knowing the actual values of o0,0, ′ ′ ′ ′ o0,0, o2,0 and o2,0, we obtain the actual values of q0,0, q0,0, q2,2 and q2,2 after the SR operation. 7.2. The Diﬀerential Fault Analysis 94

7.2.2.2 Computing the Actual Values of q1,0 and q3,2

Suppose a fault is induced on a byte which is f0,1, f1,2, f2,3 or f3,0 (Group 3 in Table 7.1). By using the input and output diﬀerences of the MC operation in Round i + 1, we establish a formula, Formula (7.5). By employing the input and out diﬀerences of the MC transformation in Round i + 2, we build another formula, Formula (7.6).

0 ∆y0,1 0 0 0 ∆j0,1 0 0     0 ∆y1,1 0 0 MC 0 ∆j1,1 0 0   −→   (7.5)      0 ∆y2,1 0 0   0 ∆j2,1 0 0           0 ∆y3,1 0 0   0 ∆j3,1 0 0          0 ∆q0,1 0 0 ∆r0,0 ∆r0,1 ∆r0,2 ∆r0,3     ∆q1,0 0 0 0 MC ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3   −→   (7.6)      0 0 0∆q2,3   ∆r2,0 ∆r2,1 ∆r2,2 ∆r2,3           0 0 ∆q3,2 0   ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3          1. In Formula (7.5), ∆j0,1 can be computed from the key stream of Round i + 1 by ′ using the values of l0,1 and l0,1, and ∆j2,1 can be computed from the key stream ′ of Round i + 1 by using the values of l2,1 and l2,1. In the second columns of the

input and output, we employ Observation 7.2.1 and use the 5 known bytes (∆j0,1,

∆j2,1 and 3 zero input bytes) to decide the 2 unknown output bytes (∆j1,1 and

∆j3,1) and the position and the diﬀerence of the non-zero input byte. Assume

the recovered non-zero input byte is ∆y2,1.

2. In Formula (7.6), ∆r0,0 can be computed from the key stream of Round i +2 ′ by using the values of s0,0 and s0,0. Similarly, we get the value of ∆r2,0. In the

ﬁrst columns of the input and output, the 5 known bytes (∆r0,0, ∆r2,0 and 3 zero

bytes) are used to decide the 3 unknown bytes (∆q1,0, ∆r1,0 and ∆r3,0). By using the same method to analyse the third columns of the input and output, we can

deduce the values of 3 unknown bytes (∆q3,2, ∆r1,2 and ∆r3,2) by employing the

5 known bytes (∆r0,2, ∆r2,2 and 3 zero bytes).

3. We have the values of ∆o1,1 and ∆o3,1 since ∆q1,0 is equal to ∆o1,1 and ∆q3,2 is

equal to ∆o3,1. After knowing the input diﬀerences (∆l1,1, ∆l3,1) and the corre-

sponding output diﬀerences (∆o1,1, ∆o3,1) to the SB operation, we can deduce 4 ′ ′ actual values for o1,1, o1,1, o3,1 and o3,1. Although we have 4 actual values for o1,1, ′ ′ o1,1, o3,1 and o3,1, we cannot distinguish the correct values (o1,1 and o3,1) from the 7.2. The Diﬀerential Fault Analysis 95

′ ′ faulty ones (o1,1 and o3,1). To address this issue, we need one more fault injected

into f2,3 and repeat the above steps to make the correct values appear twice in ′ both keystream processing. After knowing the actual values of o1,1, o1,1, o3,1 and ′ ′ ′ o3,1, we know the actual values of q1,0, q1,0, q3,2 and q3,2 after the SR operation.

7.2.2.3 Deducing the Actual Values of q2,0 and q0,2

Assume a fault is injected into a byte which is f0,2 or f2,0 (Group 1 in Table 7.1), and assume the faulty byte is f2,0. We create a formula, Formula (7.7), with the input and output diﬀerences of the MC operation in Round i + 1. We establish another formula, Formula (7.8), by employing the input and output diﬀerences of the MC transformation in Round i + 2.

00 0 0 0 0 ∆j0,2 0     00 0 0 MC 0 0 ∆j1,2 0   −→   (7.7)      0 0 ∆y2,2 0   0 0 ∆j2,2 0           00 0 0   0 0 ∆j3,2 0          0 0 ∆q0,2 0 ∆r0,0 ∆r0,1 ∆r0,2 ∆r0,3     0 ∆q1,1 0 0 MC ∆r1,0 ∆r1,1 ∆r1,2 ∆r1,3   −→   (7.8)      ∆q2,0 0 0 0   ∆r2,0 ∆r2,1 ∆r2,2 ∆r2,3           0 0 0∆q3,3   ∆r3,0 ∆r3,1 ∆r3,2 ∆r3,3          1. In Formula (7.7), ∆y2,2 can be computed from the key stream of Round i by using ′ the values of g2,0 and g2,0. In the third columns of the input and output, we use

4 known bytes (∆y2,2 and 3 zero bytes) to decide 4 unknown bytes (∆j0,2, ∆j1,2,

∆j2,2 and ∆j3,2). The values of ∆l0,2, ∆l1,2, ∆l2,2 and ∆l3,2 are also decided.

2. In Formula (7.8), ∆r0,0 can be computed from the key stream of Round i + 2 by ′ using the values of s0,0 and s0,0. Similarly, we get the value of ∆r2,0 by using the ′ values of ∆s2,0 and ∆s2,0. In the ﬁrst columns of the input and output, we can

use the 5 known bytes (∆r0,0, ∆r2,0 and 3 zero bytes) to decide the 3 unknown

bytes (∆q2,0, ∆r1,0 and ∆r3,0). Similarly, we can use the 5 known bytes (∆r0,2,

∆r2,2 and 3 zero bytes) to decide the 3 unknown bytes (∆q0,2, ∆r1,2 and ∆r3,2) in the third columns of the input and output.

3. We know ∆o0,2 and ∆o2,2 from the fact that ∆q0,2 is equal to ∆o0,2 and ∆q2,0

is equal to ∆o2,2. We now know the input diﬀerences (∆l0,2, ∆l2,2) and the 7.2. The Diﬀerential Fault Analysis 96

corresponding output diﬀerences (∆o0,2, ∆o2,2) to the SB operation, and we can ′ ′ deduce 4 actual values for o0,2, o0,2, o2,2 and o2,2. Although we have 4 actual ′ ′ values for o0,2, o0,2, o2,2 and o2,2, we cannot separate the correct values (o0,2 and ′ ′ o2,2) from the faulty ones (o0,2 and o2,2). To overcome this obstacle, we need one

more fault injected into f2,0 and repeat the above steps because the correct values will emerge twice in both keystream processing. After knowing the actual values ′ ′ ′ ′ of o0,2, o0,2, o2,2 and o2,2, we know the actual values of q0,2, q0,2, q2,0 and q2,0 after the SR operation.

q0,0 q0,1 q0,2 q0,3 r0,0 ? r0,2 ? s0,0 ? s0,2 ?

q1,0 ? q1,2 ? r1,0 ? r1,2 ? ? ? ? ? −→SR −→MC ARK−→ q2,0 q2,1 q2,2 q2,3 r2,0 ? r2,2 ? s2,0 ? s2,2 ?

q3,0 ? q3,2 ? r3,0 ? r3,2 ? ? ? ? ?

i+2 i+2 K0,0 K0,2

i+2 i+2 K2,0 K2,2

Round i + 2 Figure 7.6: Recovering 4 key bytes

Since we now know the actual values of the 12 bytes after the SR transformation in

Round i + 2 in Figure 7.6, we can compute the actual values of the ﬁrst column (r0,0, r1,0, r2,0 and r3,0) and third column (r0,2, r1,2, r2,2 and r3,2) of the MC transformation.

By XORing (r0,0, r0,2, r2,0, r2,2) with (s0,0, s0,2, s2,0, s2,2), we ﬁnally recover 4 round i+2 i+2 i+2 i+2 key bytes: K0,0 , K0,2 , K2,0 and K2,2 .

7.2.3 Retrieving 16 Key Bytes in Round i − 1, i, i +1 and i +3

i−1 By using the same techniques as described in Section 7.2.2, we can recover 16 (K0,1 , i−1 i−1 i−1 i i i i i+1 i+1 i+1 i+1 i+3 i+3 i+3 K0,3 , K2,1 , K2,3 , K0,0, K0,2, K2,0, K2,2, K0,1 , K0,3 , K2,1 , K2,3 , K0,1 , K0,3 , K2,1 i+3 and K2,3 ) more key bytes in Round i − 1, i, i + 1 and i + 3 (see Figure 7.7) with 32 faults. The details of recovering these 16 key bytes are provided as follows. Figure 7.8 illustrates the complete details.

i−1 i−1 i−1 i−1 7.2.3.1 Computing K0,1 , K0,3 , K2,1 and K2,3

1. Inject 2 faults into θ0,1 or θ2,3, and use these 2 faulty bytes to determine the

actual values of z0,1 and z2,3. 7.2. The Diﬀerential Fault Analysis 97

i−1 i−1 i i i+1 i+1 i+2 i+2 i+3 i+3 K0,1 K0,3 K0,0 K0,2 K0,1 K0,3 K0,0 K0,2 K0,1 K0,3

i−1 i−1 i i i+1 i+1 i+2 i+2 i+3 i+3 K2,1 K2,3 K2,0 K2,2 K2,1 K2,3 K2,0 K2,2 K2,1 K2,3

Round i − 1 Round i Round i + 1 Round i + 2 Round i + 3 Figure 7.7: The recovered key bytes

2. Induce 2 faults on θ0,2 or θ2,1, and employ these 2 faulty values to calculate the

actual values of z0,3 and z2,1.

3. Inject 2 faults into θ0,0, θ1,1, θ2,2 or θ3,3, and use these 2 faulty bytes to decide

the actual values of z1,3 and z3,1.

4. Induce 2 faults on θ0,2, θ1,3, θ2,0 or θ3,1, and employ these 2 faulty values to ﬁnd

out the actual values of z1,1 and z3,3.

5. Apply the MC operation to (z0,1, z1,1, z2,1, z3,1) and (z0,3, z1,3, z2,3, z3,3) to get

the actual values of β0,1, β1,1, β2,1, β3,1, β0,3, β1,3, β2,3 and β3,3. XOR β0,1 with i−1 i−1 i−1 λ0,1, β0,3 with λ0,3, β2,1 with λ2,1, and β2,3 with λ2,3 to recover K0,1 , K0,3 , K2,1 i−1 and K2,3 .

i i i i 7.2.3.2 Determining K0,0, K0,2, K2,0 and K2,2

1. Induce 2 faults on φ0,0 or φ2,2, and employ these 2 faulty values to compute the

actual values of e0,0 and e2,2.

2. Inject 2 faults into φ0,2 or φ2,0, and use these 2 faulty values to calculate the

actual values of e0,2 and e2,0.

3. Induce 2 faults on φ0,3, φ1,0, φ2,1 or φ3,2, and use these 2 faulty values to decide

the actual values of e1,2 and e3,0.

4. Inject 2 faults into φ0,1, φ1,2, φ2,3 or φ3,0, and employ these 2 faulty bytes to

determine the actual values of e1,0 and e3,2.

5. Apply the MC operation to (e0,0, e1,0, e2,0, e3,0) and (e0,2, e1,2, e2,2, e3,2) to get

the actual values of f0,0, f1,0, f2,0, f3,0, f0,2, f1,2, f2,2 and f3,2. XOR f0,0 with g0,0, i f0,2 with g0,2, f2,0 with g2,0, and f2,2 with g2,2 to retrieve the actual values of K0,0, i i i K0,2, K2,0 and K2,2. 7.2. The Diﬀerential Fault Analysis 98

σ0,0 σ0,1 σ0,2 σ0,3 η0,0 η0,1 η0,2 η0,3 θ0,0 θ0,1 θ0,2 θ0,3 µ0,0 µ0,1 µ0,2 µ0,3

σ1,0 σ1,1 σ1,2 σ1,3 η1,0 η1,1 η1,2 η1,3 θ1,0 θ1,1 θ1,2 θ1,3 µ1,0 µ1,1 µ1,2 µ1,3 SB→ SR→ MC→ ARK→ i − 3 σ2,0 σ2,1 σ2,2 σ2,3 η2,0 η2,1 η2,2 η2,3 θ2,0 θ2,1 θ2,2 θ2,3 µ2,0 µ2,1 µ2,2 µ2,3

σ3,0 σ3,1 σ3,2 σ3,3 η3,0 η3,1 η3,2 η3,3 θ3,0 θ3,1 θ3,2 θ3,3 µ3,0 µ3,1 µ3,2 µ3,3

ρ0,0 ρ0,1 ρ0,2 ρ0,3 α0,0 α0,1α0,2 α0,3 φ0,0 φ0,1 φ0,2 φ0,3 ψ0,0ψ0,1ψ0,2ψ0,3

ρ1,0 ρ1,1 ρ1,2 ρ1,3 α1,0 α1,1α1,2 α1,3 φ1,0 φ1,1 φ1,2 φ1,3 ψ1,0ψ1,1ψ1,2ψ1,3 SB→ SR→ MC→ ARK→ i − 2 ρ2,0 ρ2,1 ρ2,2 ρ2,3 α2,0 α2,1α2,2 α2,3 φ2,0 φ2,1 φ2,2 φ2,3 ψ2,0ψ2,1ψ2,2ψ2,3

ρ3,0 ρ3,1 ρ3,2 ρ3,3 α3,0 α3,1α3,2 α3,3 φ3,0 φ3,1 φ3,2 φ3,3 ψ3,0ψ3,1ψ3,2ψ3,3

a0,0 a0,1 a0,2 a0,3 z0,0 z0,1 z0,2 z0,3 β0,0 β0,1 β0,2 β0,3 λ0,0 λ0,1 λ0,2 λ0,3

a1,0 a1,1 a1,2 a1,3 z1,0 z1,1 z1,2 z1,3 β1,0 β1,1 β1,2 β1,3 λ1,0 λ1,1 λ1,2 λ1,3 SB→ SR→ MC→ ARK→ i − 1 a2,0 a2,1 a2,2 a2,3 z2,0 z2,1 z2,2 z2,3 β2,0 β2,1 β2,2 β2,3 λ2,0 λ2,1 λ2,2 λ2,3

a3,0 a3,1 a3,2 a3,3 z3,0 z3,1 z3,2 z3,3 β3,0 β3,1 β3,2 β3,3 λ3,0 λ3,1 λ3,2 λ3,3

d0,0 d0,1 d0,2 d0,3 e0,0 e0,1 e0,2 e0,3 f0,0 f0,1 f0,2 f0,3 g0,0 g0,1 g0,2 g0,3

d1,0 d1,1 d1,2 d1,3 e1,0 e1,1 e1,2 e1,3 f1,0 f1,1 f1,2 f1,3 g1,0 g1,1 g1,2 g1,3 SB SR MC ARK → → → → i d2,0 d2,1 d2,2 d2,3 e2,0 e2,1 e2,2 e2,3 f2,0 f2,1 f2,2 f2,3 g2,0 g2,1 g2,2 g2,3

d3,0 d3,1 d3,2 d3,3 e3,0 e3,1 e3,2 e3,3 f3,0 f3,1 f3,2 f3,3 g3,0 g3,1 g3,2 g3,3

h0,0 h0,1 h0,2 h0,3 y0,0 y0,1 y0,2 y0,3 j0,0 j0,1 j0,2 j0,3 l0,0 l0,1 l0,2 l0,3

h1,0 h1,1 h1,2 h1,3 y1,0 y1,1 y1,2 y1,3 j1,0 j1,1 j1,2 j1,3 l1,0 l1,1 l1,2 l1,3 SB→ SR→ MC→ ARK→ i + 1 h2,0 h2,1 h2,2 h2,3 y2,0 y2,1 y2,2 y2,3 j2,0 j2,1 j2,2 j2,3 l2,0 l2,1 l2,2 l2,3

h3,0 h3,1 h3,2 h3,3 y3,0 y3,1 y3,2 y3,3 j3,0 j3,1 j3,2 j3,3 l3,0 l3,1 l3,2 l3,3

o0,0 o0,1 o0,2 o0,3 q0,0 q0,1 q0,2 q0,3 r0,0 r0,1 r0,2 r0,3 s0,0 s0,1 s0,2 s0,3

o1,0 o1,1 o1,2 o1,3 q1,0 q1,1 q1,2 q1,3 r1,0 r1,1 r1,2 r1,3 s1,0 s1,1 s1,2 s1,3 SB→ SR→ MC→ ARK→ i + 2 o2,0 o2,1 o2,2 o2,3 q2,0 q2,1 q2,2 q2,3 r2,0 r2,1 r2,2 r2,3 s2,0 s2,1 s2,2 s2,3

o3,0 o3,1 o3,2 o3,3 q3,0 q3,1 q3,2 q3,3 r3,0 r3,1 r3,2 r3,3 s3,0 s3,1 s3,2 s3,3

t0,0 t0,1 t0,2 t0,3 u0,0 u0,1 u0,2 u0,3 v0,0 v0,1 v0,2 v0,3 γ0,0 γ0,1 γ0,2 γ0,3

t1,0 t1,1 t1,2 t1,3 u1,0 u1,1 u1,2 u1,3 v1,0 v1,1 v1,2 v1,3 γ1,0 γ1,1 γ1,2 γ1,3 SB→ SR→ MC→ ARK→ i + 3 t2,0 t2,1 t2,2 t2,3 u2,0 u2,1 u2,2 u2,3 v2,0 v2,1 v2,2 v2,3 γ2,0 γ2,1 γ2,2 γ2,3

t3,0 t3,1 t3,2 t3,3 u3,0 u3,1 u3,2 u3,3 v3,0 v3,1 v3,2 v3,3 γ3,0 γ3,1 γ3,2 γ3,3

Figure 7.8: The seven-round diagram

i+1 i+1 i+1 i+1 7.2.3.3 Calculating K0,1 , K0,3 , K2,1 and K2,3

1. Inject 2 faults into β0,1 or β2,3, and use these 2 faulty bytes to decide the actual

values of y0,1 and y2,3.

2. Induce 2 faults on β0,3 or β2,1, and employ these 2 faulty bytes to compute the

actual values of y0,3 and y2,1.

3. Inject 2 faults into β0,0, β1,1, β2,2 or β3,3 and use these 2 faulty bytes to determine

the actual values of y1,3 and y3,1.

4. Induce 2 faults on β0,2, β1,3, β2,0 or β3,1, and employ these 2 faulty bytes to

calculate the actual values of y1,1 and y3,3.

5. Apply the MC transformation to (y0,1, y1,1, y2,1, y3,1) and (y0,3, y1,3, y2,3, y3,3) to 7.2. The Diﬀerential Fault Analysis 99

i−1 i−1 i i i+1 i+1 i+2 i+2 i+3 i+3 K0,1 K0,3 K0,0 K0,2 K0,1 K0,3 K0,0 K0,2 K0,1 K0,3

i−1 i−1 i i i+1 i+1 i+2 i+2 i+3 i+3 K2,1 K2,3 K2,0 K2,2 K2,1 K2,3 K2,0 K2,2 K2,1 K2,3

Round i − 1 Round i Round i + 1 Round i + 2 Round i + 3 ⇓

i i i+2 i+2 K0,1 K0,3 K0,1 K0,3

i i+1 i+2 i+2 i+2 K1,3 K1,3 ? K1,1 K1,2 K1,3

i i i+2 i+2 K2,1 K2,3 K2,1 K2,3

i i+1 i+2 i+2 i+2 K3,3 K3,3 ? K3,1 K3,2 K3,3

Round i Round i + 1 Round i + 2 Figure 7.9: The deduced key bytes

obtain the actual values of j0,1, j1,1, j2,1, j3,1, j0,3, j1,3, j2,3 and j3,3. XOR j0,1 with i+1 i+1 i+1 l0,1, j0,3 with l0,3, j2,1 with l2,1, and j2,3 with l2,3 to recover K0,1 , K0,3 , K2,1 and i+1 K2,3 .

i+3 i+3 i+3 i+3 7.2.3.4 Recovering K0,1 , K0,3 , K2,1 and K2,3

1. Use 2 faulty bytes which are j0,1 or j2,3 to determine the actual values of u0,1 and

u2,3.

2. Employ 2 faulty bytes which are j0,3 or j2,1 to retrieve the actual values of u0,3

and u2,1.

3. Make use of 2 faulty bytes which are j0,0, j1,1, j2,2 or j3,3 to calculate the actual

values of u1,3 and u3,1.

4. Employ 2 faulty bytes which are j0,2, j1,3, j2,0 or j3,1 to compute the actual values

of u1,1 and u3,3.

5. Apply the MC operation to (u0,1,u1,1,u2,1,u3,1) and (u0,3,u1,3,u2,3,u3,3) to get

the actual values of v0,1, v1,1, v2,1, v3,1, v0,3, v1,3, v2,3 and v3,3. We can retrieve i+3 i+3 i+3 i+3 K0,1 , K0,3 , K2,1 and K2,3 (see Figure 7.7) by XORing v0,1 with γ0,1, v0,3 with

γ0,3, v2,1 with γ2,1, and v2,3 with γ2,3.

7.2.4 Deducing 10 more Key Bytes in Round i +2

To carry out the computations in this subsection, we use the following observation on the AES key schedule presented in [40] (this observation was also described in [46]). 7.2. The Diﬀerential Fault Analysis 100

Observation 7.2.2 [40] For each 0 ≤ i ≤ 3, the subkeys of AES satisfy the relations:

r+2 r+2 r Ki,0 ⊕ Ki,2 = Ki,2, r+2 r+2 r Ki,1 ⊕ Ki,3 = Ki,3.

By employing the deﬁnition of the AES key schedule and Observation 7.2.2, we can use the 20 recovered key bytes to deduce 10 more key bytes in Round i+2 (see Figure 7.9). The steps of deducing these 10 key bytes are listed as follows, where SB−1 is the inverse of the byte substitution transformation and Rconi represents the round constant used to generate round key Ki.

i+2 i+2 i+2 i+2 1. Deduce K0,1 , K2,1 , K0,3 and K2,3 .

i+2 i+1 i+2 K0,1 = K0,1 ⊕ K0,0 , (7.9) i+2 i+1 i+2 K2,1 = K2,1 ⊕ K2,0 , (7.10) i+2 i+1 i+2 K0,3 = K0,3 ⊕ K0,2 , (7.11) i+2 i+1 i+2 K2,3 = K2,3 ⊕ K2,2 . (7.12)

The four equations above are derived directly from the deﬁnition of the AES key schedule.

i+2 i+2 2. Calculate K3,3 and K1,3 .

i+3 i+3 i+2 i+2 i+3 i+2 i+2 K2,1 = K2,0 ⊕ K2,1 = SB(K3,3 ) ⊕ RCON (2) ⊕ K2,0 ⊕ K2,1 i+2 i+3 i+1 = SB(K3,3 ) ⊕ Rcon (2) ⊕ K2,1 , (7.13) i+2 −1 i+3 i+3 i+1 K3,3 = SB (K2,1 ⊕ Rcon (2) ⊕ K2,1 ), (7.14) i+3 i+3 i+2 i+2 i+3 i+2 i+2 K0,1 = K0,0 ⊕ K0,1 = SB(K1,3 ) ⊕ Rcon (0) ⊕ K0,0 ⊕ K0,1 i+2 i+3 i+1 = SB(K1,3 ) ⊕ Rcon (0) ⊕ K0,1 , (7.15) i+2 −1 i+3 i+3 i+1 K1,3 = SB (K0,1 ⊕ Rcon (0) ⊕ K0,1 ). (7.16)

Equations (7.13) and (7.15) are obtained directly from the deﬁnition of the AES key schedule. Then, we apply the inverse SubBytes transformation on Equa- tion (7.13) to get Equation (7.14), and apply the inverse SubBytes operation on Equation (7.15) to obtain Equation (7.16). 7.2. The Diﬀerential Fault Analysis 101

i+2 i+2 3. Determine K3,1 and K1,1 .

i i−1 i K0,3 = K0,3 ⊕ K0,2, (7.17) i i−1 i K2,3 = K2,3 ⊕ K2,2, (7.18) i+1 i+1 i i i+1 i i K2,1 = K2,0 ⊕ K2,1 = SB(K3,3) ⊕ Rcon (2) ⊕ K2,0 ⊕ K2,1 i i+1 i i i−1 = SB(K3,3) ⊕ Rcon (2) ⊕ K2,0 ⊕ K2,0 ⊕ K2,1 i i+1 i−1 = SB(K3,3) ⊕ Rcon (2) ⊕ K2,1 , (7.19) i −1 i+1 i+1 i−1 K3,3 = SB (K2,1 ⊕ Rcon (2) ⊕ K2,1 ), (7.20) i+2 i i+2 K3,1 = K3,3 ⊕ K3,3 , (7.21) i+1 i+1 i i i+1 i i K0,1 = K0,0 ⊕ K0,1 = SB(K1,3) ⊕ Rcon (0) ⊕ K0,0 ⊕ K0,1 i i+1 i−1 = SB(K1,3) ⊕ Rcon (0) ⊕ K0,1 , (7.22) i −1 i+1 i+1 i−1 K1,3 = SB (K0,1 ⊕ Rcon (0) ⊕ K0,1 ), (7.23) i+2 i i+2 K1,1 = K1,3 ⊕ K1,3 . (7.24)

Equations (7.17), (7.18), (7.19) and (7.22) are obtained from the AES key schedule deﬁnition. We apply the inverse SubBytes transformation on Equations (7.19) and (7.22) to get Equations (7.20) and (7.23), respectively. Equations (7.21) and (7.24) are based on Observation 7.2.2.

i+2 i+2 4. Decide K3,2 and K1,2 .

i i−1 i K0,1 = K0,1 ⊕ K0,0, (7.25) i i−1 i K2,1 = K2,1 ⊕ K2,0, (7.26) i+2 i+2 i+1 i+1 i+2 i+1 i+1 K2,1 = K2,0 ⊕ K2,1 = SB(K3,3 ) ⊕ Rcon (2) ⊕ K2,0 ⊕ K2,1 i+1 i+2 i = SB(K3,3 ) ⊕ Rcon (2) ⊕ K2,1, (7.27) i+1 −1 i+2 i+2 i K3,3 = SB (K2,1 ⊕ Rcon (2) ⊕ K2,1), (7.28) i+2 i+1 i+2 K3,2 = K3,3 ⊕ K3,3 , (7.29) i+2 i+2 i+1 i+1 i+2 i+1 i+1 K0,1 = K0,0 ⊕ K0,1 = SB(K1,3 ) ⊕ Rcon (0) ⊕ K0,0 ⊕ K0,1 i+1 i+2 i = SB(K1,3 ) ⊕ Rcon (0) ⊕ K0,1, (7.30) i+1 −1 i+2 i+2 i K1,3 = SB (K0,1 ⊕ Rcon (0) ⊕ K0,1), (7.31) i+2 i+1 i+2 K1,2 = K1,3 ⊕ K1,3 . (7.32)

Equations (7.25), (7.26), (7.27), (7.29), (7.30) and (7.32) are derived from the AES key schedule deﬁnition. We apply the inverse SubBytes operation on Equa- tions (7.27) and (7.30) to have Equations (7.28) and (7.31), respectively.

In summary, we recover 14 key bytes of Round i + 2, and the 2 unknown key bytes i+2 i+2 (K1,0 and K3,0 , represented by a question mark) can be determined by exhaustive 7.3. Discussion and Related Work 102 search with 216 operations.

7.3 Discussion and Related Work

In this chapter, we use the model in which the faults are injected into the internal state during the keystream generation. There exist other fault models, for example, one may consider injecting faults into the secret key part of LEX. Some previous differential fault attacks against the AES include [43], [52] and [90]. Dusart, Letourneux and Vivolo [43] carried out a differential fault analysis on the AES, based on a fault model in which byte faults occur after the ShiftRows layer of the 9th round. The idea is to use the particular form of the MixColumns operation and of the AES S-box to establish and then solve a system of equations in which the unknown value is the byte difference affected by the fault. Giraud [52] described two differential fault attacks on the AES. The first attack uses a fault model that induces a fault on only one bit of an intermediate result, and requires 50 faulty ciphertexts to find the key of the AES-128. The second attack assumes that the attacker can induce a fault on a whole byte, and requires less than 250 faulty ciphertexts to obtain the key of the AES-128. Piret and Quisquater [90] presented a fault attack to break AES-128 with only 2 faulty ciphertexts, assuming random faults are injected into bytes and the faults occur between the antepenultimate and the penultimate MixColumns.

7.4 Summary

We described a diﬀerential fault attack on LEX in this chapter. We presented a method to decide the fault position by observing the changes of the keystream after a fault is injected. The attack makes use of the structural features of the leak positions of LEX, the diﬀerential properties of the AES round transformation and the properties of the AES key schedule, especially the relationships between consecutive round keys. The proposed attack needs 40 faults and recovers the secret key of LEX with 216 time complexity. Chapter 8

Conclusions and Future Work

This chapter reviews the objectives of this dissertation, summarises the contributions, and provides directions for future work. Block ciphers play a crucial role in cryptology, and researchers from cryptographic community have spent, and are still spending a great deal of effort on designing and analysing block ciphers. Meanwhile, many cryptographic constructions, such as message authentication codes and stream ciphers, are built from block ciphers and therefore the security of the underlying block ciphers has a significant impact on the security of these primitives. As presented in Chapter 1, this thesis has two objectives. The first objective is to study the internal structure of AES since it is one of the most popular cryptographic algorithms. We aim to extend our knowledge of the internal structure of this standard. The second objective is to analyse the constructions of AES-based cryptographic primitives. The analysis of these constructions may further improve our understanding of the underlying block cipher. Section 8.1 below summarises the contributions of this dissertation, and shows how these contributions meet the thesis objectives.

8.1 Our Contributions

In Chapter 4, we introduced a five-round algebraic property of the AES algorithm. It is well known that if a byte of an intermediate state is changed before the MixColumns operation during an AES encryption/decryption, all sixteen bytes of the state are changed after two full rounds of operations. The presented property showed that if twenty bytes at some predefined locations in five continuous rounds are changed, the effects of these changes can be counteracted in the sense of generating the same output. We defined an algorithm called δ to produce the twenty bytes by taking a plaintext and a key as the inputs. We showed that the δ algorithm has 20 variants for AES-128.

103 8.2. Future Work 104

In Chapter 5, the five-round algebraic property described in Chapter 4 was employed to analyse the construction of the ALPHA-MAC, which is a message authentication code built from the AES block cipher. We utilised the structural features of the construction and the algebraic properties of the underlying AES cipher to design two algorithms: the second-preimage search algorithm and the collision search algorithm, for a given intermediate value. In Chapter 6, the key schedule of the AES algorithm was further studied. We introduced the concepts of repeated differential pattern and double-sized repeated differential pattern. Our results showed that for two 128-bit keys, whose difference has the repeated differential pattern, there are at least seven identical bytes in each round of the resultant 10-round subkeys and the same pattern repeats every four rounds. If the difference of two 256-bit keys has the double-sized repeated differential pattern, the differential pattern of the 14-round subkeys is very similar to the one which appears in the 10-round subkeys of the AES-128. In Chapter 7, we presented a differential fault analysis on the LEX stream cipher, which uses the AES algorithm as the underlying building block. Our analysis showed that the secret key of LEX can be recovered if an adversary is allowed to inject a random fault into the internal state of the cipher, and to perform this operation as many times as needed. A fault position determination algorithm was provided to detect the locations of the injected faults. The proposed attack requires 40 faults and 216 time complexity. The five-round algebraic property described in Chapter 4 and the repeated differential properties presented in Chapter 6 are the outcomes of the investigations on the internal structure of the AES algorithm, and therefore the contributions of these two chapters meet the first objective of the thesis. The techniques and algorithms provided in Chapter 5 and the differential fault analysis on LEX proposed in Chapter 7 are the results of the investigations on the constructions of AES-based cryptographic primitives, and thus the contributions of these two chapters meet the second objective of this dissertation.

8.2 Future Work

There are two potential applications of the repeated differential properties which were described in Chapter 6. The first possible direction is to propose related-key attacks by employing the repeated differential properties. Related-key cryptanalysis assumes that the adversary can choose two (or even several) keys with certain relationship, and obtain the encryptions of some plaintexts under these keys. A cipher with a weak key 8.2. Future Work 105 scheduling algorithm may be vulnerable to related-key attacks. Although related-key attacks against full AES-192 and AES-256 were recently reported in [22] and [21], and biclique cryptanalysis of the full AES was presented in [24], related-key cryptanalysis of full AES-128 has not been published yet. This seems to be an interesting area for future research. The second possible direction is to generate collisions for AES-based hash functions. It was shown in [22] that AES-256 cannot be used as an ideal cipher in the well known Davies-Meyer construction. Pseudo collisions of the AES-256 based hash function in Davies-Meyer mode were presented in [22]. However, collisions of the AES-128 based hash function in Davies-Meyer mode have not be found yet. This seems to be another interesting area for future research. In the presented differential fault analysis of LEX in Chapter 7, one may consider injecting faults into the secret key part of LEX as in our model the faults are injected into the internal state during the keystream generation. In addition, it can be beneficial to run simulations concerning the success rate of the proposed fault analysis on LEX. Bibliography

[1] Carlisle Adams, Staﬀord Tavares, Howard Heys, and Michael Wiener. CAST- 256 - A submission for the Advanced Encryption Standard. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[2] Ross Anderson, Eli Biham, and Lars R. Knudsen. Serpent: A proposal for the Advanced Encryption Standard. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[3] Kazumaro Aoki and Yu Sasaki. Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, the 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009, Proceedings, Lecture Notes in Computer Science volume 5677, pages 70-89. Springer, Heidelberg, 2009.

[4] Kazumaro Aoki and Yu Sasaki. Preimage attacks on one-block MD4, 63-step MD5 and more. In Roberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, Selected Areas in Cryptography, the 15th International Workshop, SAC 2008, Sackville, New Brunswick, Canada, August 14-15, 2009, Proceedings, Lec- ture Notes in Computer Science volume 5381, pages 103-119. Springer, Heidel- berg, 2009.

[5] Behnam Bahrak and Mohammad Reza Aref. A novel impossible diﬀerential cryptanalysis of AES. In Stefan Lucks, Ahmad-Reza Sadeghi, and Christopher Wolf, editors, Research in Cryptology, Second Western European Workshop, WE- WoRC 2007, Bochum, Germany, July 4-6, 2007, Lecture Notes in Computer Science volume 4945, pages 152-156. Springer, Heidelberg, 2007.

106 BIBLIOGRAPHY 107

[6] Elad Barkan and Eli Biham. In how many ways can you write Rijndael? In Yuliang Zheng, editor, Advances in Cryptology - ASIACRYPT 2002, the 8th In- ternational Conference on the Theory and Application of Cryptology and Infor- mation Security, Queenstown, New Zealand, December 1-5, 2002, Lecture Notes in Computer Science volume 2501, pages 160-175. Springer, Heidelberg, 2002.

[7] Paulo S. L. M. Barreto and Vincent Rijmen. The Whirlpool hashing function. Submitted to NESSIE (September 2000) (Revised May 2003). Available at http: //www.larc.usp.br/~pbarreto/WhirlpoolPage.html, 11 December 2008.

[8] Ryad Benadjila, Olivier Billet, Henri Gilbert, Gilles Macario-Rat, Thomas Peyrin, Matt Robshaw, and Yannick Seurin. SHA-3 proposal: ECHO. Sub- mission to NIST. Available at http://crypto.rd.francetelecom.com/echo/, 2008.

[9] Eli Biham. New types of cryptoanalytic attacks using related keys (extended abstract). In Tor Helleseth, editor, Advances in Cryptology - EURO- CRYPT’93, Workshop on the Theory and Application of of Cryptographic Tech- niques, Lofthus, Norway, May 23-27, 1993, Proceedings, Lecture Notes in Com- puter Science volume 765, pages 398-409. Springer, Heidelberg, 1994.

[10] Eli Biham, Alex Biryukov, and Adi Shamir. Cryptanalysis of Skipjack reduced to 31 rounds using impossible diﬀerentials. In Jacques Stern, editor, Ad- vances in Cryptology - EUROCRYPT’99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2-6, 1999, Proceeding, Lecture Notes in Computer Science volume 1592, pages 12-23. Springer, Heidelberg, 1999.

[11] Eli Biham, Alex Biryukov, and Adi Shamir. Miss in the middle attacks on IDEA and Khufu. In Lars R. Knudsen, editor, Fast Software Encryption, the 6th In- ternational Workshop, FSE’99, Rome, Italy, March 24-26, 1999, Proceedings, Lecture Notes in Computer Science volume 1636, pages 124-138. Springer, Hei- delberg, 1999.

[12] Eli Biham, Orr Dunkelman, and Nathan Keller. The rectangle attack - rectan- gling the Serpent. In Birgit Pﬁtzmann, editor, Advances in Cryptology - EURO- CRYPT 2001, International Conference on the Theory and Application of Cryp- tographic Techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, Lecture Notes in Computer Science volume 2045, pages 340-357. Springer, Heidelberg, 2001. BIBLIOGRAPHY 108

[13] Eli Biham, Orr Dunkelman, and Nathan Keller. Related-key boomerang and rectangle attacks. In Ronald Cramer, editor, Advances in Cryptology - EU- ROCRYPT 2005, the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, Lecture Notes in Computer Science volume 3494, pages 507-525. Springer, Heidelberg, 2005.

[14] Eli Biham, Orr Dunkelman, and Nathan Keller. Related-key impossible differential attacks on 8-round AES-192. In David Pointcheval, editor, Topics in Cryptology - CT-RSA 2006, The Cryptographers’ Track at the RSA Conference 2006, San Jose, CA, USA, February 13-17, 2006, Proceedings, Lecture Notes in Computer Science volume 3860, pages 21-33. Springer, Heidelberg, 2006.

[15] Eli Biham and Nathan Keller. Cryptanalysis of reduced variants of Rijndael. The Third Advanced Encryption Standard Candidate Conference, New York, NY, USA, April 13-14, 2000, National Institute of Standards and Technology, US Department of Commerce. Available at http://csrc.nist.gov/archive/aes/ round2/conf3/aes3papers.html.

[16] Eli Biham and Adi Shamir. Diﬀerential cryptanalysis of the data encryption standard. Springer, Heidelberg, 1993.

[17] Eli Biham and Adi Shamir. Diﬀerential fault analysis of secret key cryptosystems. In Burton S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO’97, the 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 1997, Proceedings, Lecture Notes in Computer Science volume 1294, pages 513-525. Springer, Heidelberg, 1997.

[18] Alex Biryukov. The boomerang attack on 5 and 6-round reduced AES. In Hans Dobbertin, Vincent Rijmen, and Aleksandra Sowa, editors, Advanced Encryption Standard - AES, the 4th International Conference, AES 2004, Bonn, Germany, May 10-12, 2004, Proceedings, Lecture Notes in Computer Science volume 3373, pages 11-15. Springer, Heidelberg, 2005.

[19] Alex Biryukov. The design of a stream cipher LEX. In Eli Biham and Amr M. Youssef, editors, Selected Areas in Cryptography, the 13th International Work- shop, SAC 2006, Montreal, Canada, August 17-18, 2006, Proceedings, Lecture Notes in Computer Science volume 4356, pages 67-75. Springer, Heidelberg, 2006.

[20] Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir. Key recovery attacks of practical complexity on AES-256 variants with BIBLIOGRAPHY 109

up to 10 rounds. In Henri Gilbert, editor, Advances in Cryptology - EUROCRYPT 2010, the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 - June 3, 2010, Proceed- ings, Lecture Notes in Computer Science volume 6110, pages 299-319. Springer, Heidelberg, 2010.

[21] Alex Biryukov and Dmitry Khovratovich. Related-key cryptanalysis of the full AES-192 and AES-256. In Mitsuru Matsui, editor, Advances in Cryptology - ASIACRYPT 2009, the 15th International Conference on the Theory and Ap- plication of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009, Proceedings, Lecture Notes in Computer Science volume 5912, pages 1-18. Springer, Heidelberg, 2009.

[22] Alex Biryukov, Dmitry Khovratovich, and Ivica Nikoli´c. Distinguisher and related-key attack on the full AES-256. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, the 29th Annual International Cryptology Confer- ence, Santa Barbara, CA, USA, August 16-20, 2009, Proceedings, Lecture Notes in Computer Science volume 5677, pages 231-249. Springer, Heidelberg, 2009.

[23] Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. In Birgit Pﬁtzmann, editor, Advances in Cryptology - EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Inns- bruck, Austria, May 6-10, 2001, Proceeding, Lecture Notes in Computer Science volume 2045, pages 394-405. Springer, Heidelberg, 2001.

[24] Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Biclique cryptanalysis of the full AES. In Dong Hoon Lee and Xiaoyun Wang, editors, Advances in Cryptology - ASIACRYPT 2011, the 17th International Conference on Theory and Application of Cryptology and Information Security, Seoul, Korea, December 4-8, 2011, Proceedings, Lecture Notes in Computer Science. Springer, Heidelberg, 2011, to appear.

[25] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the importance of checking cryptographic protocols for faults (extended abstract). In Walter Fumy, editor, Advances in Cryptology - EUROCRYPT’97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11-15, 1997, Proceeding, Lecture Notes in Computer Science volume 1233, pages 37-51. Springer, Heidelberg, 1997. BIBLIOGRAPHY 110

[26] Charles Bouillaguet, Patrick Derbez, and Pierre-Alain Fouque. Automatic search of attacks on round-reduced AES and applications. In Phillip Rogaway, editor, Advances in Cryptology - CRYPTO 2011, the 31st Annual International Cryp- tology Conference, Santa Barbara, CA, USA, August 14-18, 2011, Proceedings, Lecture Notes in Computer Science volume 6841, pages 169-187. Springer, Hei- delberg, 2011.

[27] Lawrie Brown and Josef Pieprzyk. Introducing the new LOKI97 block cipher. Technical Report No. CS02/98, Australian Defence Force Academy, Australia. Available at http://www.unsw.adfa.edu.au/~lpb/research/loki97/, 1998.

[28] Carolynn Burwick, Don Coppersmith, Edward D’Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O’Connor, Moham- mad Peyravian, David Saﬀord, and Nevenko Zunic. MARS - a candidate cipher for AES. The First Advanced Encryption Standard (AES) Candidate Confer- ence, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[29] Florent Chabaud and Antoine Joux. Diﬀerential collisions in SHA-0. In Hugo Krawczyk, editor, Advances in Cryptology - CRYPTO’98, the 18th Annual Inter- national Cryptology Conference, Santa Barbara, California, USA, August 23-27, 1998, Proceedings, Lecture Notes in Computer Science volume 1462, pages 56-71. Springer, Heidelberg, 1998.

[30] Jung Hee Cheon, MunJu Kim, Kwangjo Kim, Jung-Yeun Lee, and SungWoo Kang. Improved impossible diﬀerential cryptanalysis of Rijndael and Crypton. In Kwangjo Kim, editor, Information Security and Cryptology - ICISC 2001, the 4th International Conference Seoul, Korea, December 6-7, 2001, Proceedings, Lecture Notes in Computer Science volume 2288, pages 39-49. Springer, Heidelberg, 2002.

[31] Carlos Cid and Ga¨etan Leurent. An analysis of the XSL algorithm. In Bimal K. Roy, editor, Advances in Cryptology - ASIACRYPT 2005, the 11th International Conference on the Theory and Application of Cryptology and Information Secu- rity, Chennai, India, December 4-8, 2005, Proceedings, Lecture Notes in Com- puter Science volume 3788, pages 333-352. Springer, Heidelberg, 2005.

[32] Nicolas Courtois, Alexander Klimov, Jacques Patarin, and Adi Shamir. Eﬃcient algorithms for solving overdeﬁned systems of multivariate polynomial equations. In Bart Preneel, editor, Advances in Cryptology - EUROCRYPT 2000, Interna- tional Conference on the Theory and Application of Cryptographic Techniques, BIBLIOGRAPHY 111

Bruges, Belgium, May 14-18, 2000, Proceeding, Lecture Notes in Computer Sci- ence volume 1807, pages 392-407. Springer, Heidelberg, 2000.

[33] Nicolas Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overde- ﬁned systems of equations. In Yuliang Zheng, editor, Advances in Cryptology - ASIACRYPT 2002, the 8th International Conference on the Theory and Applica- tion of Cryptology and Information Security, Queenstown, New Zealand, Decem- ber 1-5, 2002, Lecture Notes in Computer Science volume 2501, pages 267-287. Springer, Heidelberg, 2002.

[34] Joan Daemen. Cipher and hash function design strategies based on linear and diﬀerential cryptanalysis. Doctoral Dissertation, Katholieke Universiteit Leuven, Belgium, 1995.

[35] Joan Daemen, Lars R. Knudsen, and Vincent Rijmen. The block cipher Square. In Eli Biham, editor, Fast Software Encryption, the 4th International Workshop, FSE’97, Haifa, Israel, January 20-22, 1997, Proceedings, Lecture Notes in Com- puter Science volume 1267, pages 149-165. Springer, Heidelberg, 1997.

[36] Joan Daemen and Vincent Rijmen. AES proposal: Rijndael. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[37] Joan Daemen and Vincent Rijmen. The design of Rijndael: AES - the Advanced Encryption Standard. Springer, Heidelberg, 2002.

[38] Joan Daemen and Vincent Rijmen. A new MAC construction ALRED and a speciﬁc instance ALPHA-MAC. In Henri Gilbert and Helena Handschuh, editors, Fast Software Encryption: 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Proceedings, Lecture Notes in Computer Science volume 3557 , pages 1-17. Springer, Heidelberg, 2005.

[39] H¨useyin Demirci and Ali Aydin Sel¸cuk. A meet-in-the-middle attack on 8-round AES. In Kaisa Nyberg, editor, Fast Software Encryption, the 15th International Workshop, FSE 2008, Lausanne, Switzerland, February 10-13, 2008, Proceed- ings, Lecture Notes in Computer Science volume 5086, pages 116-126. Springer, Heidelberg, 2008.

[40] Orr Dunkelman and Nathan Keller. A new attack on the LEX stream cipher. In Josef Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008, the 14th BIBLIOGRAPHY 112

International Conference on the Theory and Application of Cryptology and Infor- mation Security, Melbourne, Australia, December 7-11, 2008, Proceedings, Lec- ture Notes in Computer Science volume 5350, pages 539-556. Springer, Heidel- berg, 2008.

[41] Orr Dunkelman, Nathan Keller, and Adi Shamir. Improved single-key attacks on 8-round AES-192 and AES-256. In Masayuki Abe, editor, Advances in Cryp- tology - ASIACRYPT 2010, the 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5-9, 2010, Proceedings, Lecture Notes in Computer Science volume 6477, pages 158-176. Springer, Heidelberg, 2010.

[42] Orr Dunkelman, Nathan Keller, and Adi Shamir. Improved single-key attacks on 8-round AES-192 and AES-256. International Association for Cryptologic Research. Cryptology ePrint Archive. Available at http://eprint.iacr.org/ 2010/322.pdf, 31 May 2010.

[43] Pierre Dusart, Gilles Letourneux, and Olivier Vivolo. Diﬀerential Fault Anal- ysis on A.E.S. International Association for Cryptologic Research. Cryptology ePrint Archive. Available at http://eprint.iacr.org/2003/010.pdf, 20 Jan- uary 2003.

[44] H˚akan Englund, Martin Hell, and Thomas Johansson. A note on distinguishing attacks. In Thomas Johansson, editor, State of the Art of Stream Ciphers Work- shop - SASC 2007, Ruhr University Bochum, Germany, January 31 - February 1, 2007, Proceedings, pages 73-78, 2007.

[45] Horst Feistel. Cryptography and computer privacy. Scientiﬁc American, volume 228, number 5, pages 15-23, 1973.

[46] Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Michael Stay, David Wagner, and Doug Whiting. Improved cryptanalysis of Rijndael. In Bruce Schneier, editor, Fast Software Encryption, the 7th International Workshop, FSE 2000, New York, NY, USA, April 10-12, 2000, Proceedings, Lecture Notes in Computer Science volume 1978, pages 213-230. Springer, Heidelberg, 2001.

[47] Praveen Gauravaram, Lars Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schl¨aﬀer, and Søren S. Thomsen. Grøstl − a SHA-3 candidate. Available at http://www.groestl.info/, 2008. BIBLIOGRAPHY 113

[48] Dianelos Georgoudis, Damian Leroux, and Billy Sim´on Chaves. The FROG encryption algorithm. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Stan- dards and Technology, US Department of Commerce, 1998.

[49] Henri Gilbert, Marc Girault, Philippe Hoogvorst, Fabrice Noilhan, Thomas Pornin, Guillaume Poupard, Jacques Stern, and Serge Vaudenay. Decorrelated Fast Cipher: an AES candidate. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Insti- tute of Standards and Technology, US Department of Commerce, 1998.

[50] Henri Gilbert and Marine Minier. A collision attack on 7 rounds of Rijndael. In the Third Advanced Encryption Standard Candidate Conference, New York, NY, USA, April 13-14, 2000, Proceedings, pages 230-241. National Institute of Standards and Technology, US Department of Commerce, 2000.

[51] Henri Gilbert and Thomas Peyrin. Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In Seokhie Hong and Tetsu Iwata, editors, Fast Soft- ware Encryption, the 17th International Workshop, FSE 2010, Seoul, Korea, February 7-10, 2010, Proceedings, Lecture Notes in Computer Science volume 6147, pages 365-383. Springer, Heidelberg, 2010.

[52] Christophe Giraud. DFA on AES. In Hans Dobbertin, Vincent Rijmen, and Aleksandra Sowa, editors, Advanced Encryption Standard - AES, the 4th Inter- national Conference, AES 2004, Bonn, Germany, May 10-12, 2004, Proceedings, Lecture Notes in Computer Science volume 3373, pages 27-41. Springer, Heidel- berg, 2004.

[53] Jian Guo, San Ling, Christian Rechberger, and Huaxiong Wang. Advanced meet- in-the-middle preimage attacks: ﬁrst results on full Tiger, and improved results on MD4 and SHA-2. In Masayuki Abe, editor, Advances in Cryptology - ASI- ACRYPT 2010, the 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5-9, 2010, Proceed- ings, Lecture Notes in Computer Science volume 6477, pages 56-75. Springer, Heidelberg, 2010.

[54] Jonathan J. Hoch and Adi Shamir. Fault analysis of stream ciphers. In Marc Joye and Jean-Jacques Quisquater, editors, Cryptographic Hardware and Embedded Systems - CHES 2004, the 6th International Workshop, Cambridge, MA, USA, BIBLIOGRAPHY 114

August 11-13, 2004, Proceedings, Lecture Notes in Computer Science volume 3156, pages 240-253. Springer, Heidelberg, 2004.

[55] Seokhie Hong, Jongsung Kim, Sangjin Lee, and Bart Preneel. Related-key rectangle attacks on reduced versions of SHACAL-1 and AES-192. In Henri Gilbert and Helena Handschuh, editors, Fast Software Encryption, the 12th International Workshop, FSE 2005, Paris, France, February 21-23, 2005, Proceedings, Lecture Notes in Computer Science volume 3557, pages 368-383. Springer, Heidelberg, 2005.

[56] Jianyong Huang, Jennifer Seberry, and Willy Susilo. A ﬁve-round algebraic property of the Advanced Encryption Standard. In Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, and Der-Tsai Lee, editors, Information Security, the 11th Inter- national Conference, ISC 2008, Taipei, Taiwan, September 15-18, 2008, Proceed- ings, Lecture Notes in Computer Science volume 5222, pages 316-330. Springer, Heidelberg, 2008.

[57] Jianyong Huang, Jennifer Seberry, and Willy Susilo. A ﬁve-round algebraic property of AES and its application to the ALPHA-MAC. International Journal of Applied Cryptography (IJACT), volume 1, number 4, pages 264-289, 2009.

[58] Jianyong Huang, Willy Susilo, and Jennifer Seberry. Diﬀerential fault analysis of LEX. In Juan A. Garay and Roberto De Prisco, editors, Security and Cryptog- raphy for Networks, the 7th International Conference, SCN 2010, Amalﬁ, Italy, September 13-15, 2010, Proceedings, Lecture Notes in Computer Science volume 6280, pages 55-72. Springer, Heidelberg, 2010.

[59] Jianyong Huang, Willy Susilo, and Jennifer Seberry. Repeated diﬀerential properties of the AES-128 and AES-256 key schedules. In Huaimin Wang, Stephen R. Tate, and Yang Xiang, editors, the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications - IEEE TrustCom 2011, Changsha, China, November 16-18, 2011, Proceedings, 2011, to appear.

[60] Goce Jakimoski and Yvo Desmedt. Related-key diﬀerential cryptanalysis of 192- bit key AES variants. In Mitsuru Matsui and Robert J. Zuccherato, editors, Selected Areas in Cryptography, the 10th Annual International Workshop, SAC 2003, Ottawa, Canada, August 14-15, 2003, Proceedings, Lecture Notes in Com- puter Science volume 3006, pages 208-221. Springer, Heidelberg, 2004.

[61] Michael Jacobson Jr. and Klaus Huber. The MAGENTA block cipher algorithm. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, BIBLIOGRAPHY 115

CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[62] Masayuki Kanda, Shiho Moriai, Kazumaro Aoki, Hiroki Ueda, Miyako Ohkubo, Youichi Takashima, Kazuo Ohta, and Tsutomu Matsumoto. E2 - A candidate cipher for AES. The First Advanced Encryption Standard (AES) Candidate Con- ference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[63] Liam Keliher and Jiayuan Sui. Exact maximum expected diﬀerential and linear probability for 2-round Advanced Encryption Standard (AES). International Association for Cryptologic Research. Cryptology ePrint Archive. Available at http://eprint.iacr.org/2005/321.pdf, 10 September 2005.

[64] John Kelsey, Tadayoshi Kohno, and Bruce Schneier. Ampliﬁed boomerang attacks against reduced-round MARS and Serpent. In Bruce Schneier, editor, Fast Software Encryption, the 7th International Workshop, FSE 2000, New York, NY, USA, April 10-12, 2000, Proceedings, Lecture Notes in Computer Science volume 1978, pages 75-93. Springer, Heidelberg, 2001.

[65] John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Neal Koblitz, editor, Advances in Cryptology - CRYPTO’96, the 16th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 1996, Proceedings, Lecture Notes in Computer Science volume 1109, pages 237-251. Springer, Heidelberg, 1996.

[66] Dmitry Khovratovich, Christian Rechberger, and Alexandra Savelieva. Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. International As- sociation for Cryptologic Research. Cryptology ePrint Archive. Available at http://eprint.iacr.org/2011/286.pdf, 31 May 2011.

[67] Jongsung Kim, Seokhie Hong, and Bart Preneel. Related-key rectangle attacks on reduced AES-192 and AES-256. In Alex Biryukov, editor, Fast Software En- cryption, the 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, March 26-28, 2007, Proceedings, Lecture Notes in Computer Science volume 4593, pages 225-241. Springer, Heidelberg, 2007.

[68] Jongsung Kim, Seokhie Hong, Bart Preneel, Eli Biham, Orr Dunkelman, and Nathan Keller. Related-key boomerang and rectangle attacks. International BIBLIOGRAPHY 116

Association for Cryptologic Research. Cryptology ePrint Archive. Available at http://eprint.iacr.org/2010/019.pdf, 12 January 2010.

[69] Lars R. Knudsen. Cryptanalysis of LOKI91. In Jennifer Seberry and Yuliang Zheng, editors, Advances in Cryptology - AUSCRYPT’92, Workshop on the The- ory and Application of Cryptographic Techniques, Gold Coast, Queensland, Aus- tralia, December 13-16, 1992, Proceedings, Lecture Notes in Computer Science volume 718, pages 196-208. Springer, Heidelberg, 1993.

[70] Lars R. Knudsen. DEAL - A 128-bit block cipher. Technical Report No. 151, Department of Informatics, University of Bergen, Norway. Available at http: //www2.mat.dtu.dk/people/Lars.R.Knudsen/newblock.html, 1998.

[71] Lars R. Knudsen and David Wagner. Integral cryptanalysis. In Joan Daemen and Vincent Rijmen, editors, Fast Software Encryption, the 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Proceedings, Lecture Notes in Computer Science volume 2365, pages 112-127. Springer, Heidelberg, 2002.

[72] Paul C. Kocher. Timing attacks on implementations of Diﬃe-Hellman. In Neal Koblitz, editor, Advances in Cryptology - CRYPTO’96, the 16th Annual Inter- national Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 1996, Proceedings, Lecture Notes in Computer Science volume 1109, pages 104-113. Springer, Heidelberg, 1996.

[73] Paul C. Kocher, Joshua Jaﬀe, and Benjamin Jun. Diﬀerential power analysis. In Michael J. Wiener, editor, Advances in Cryptology - CRYPTO’99, the 19th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 1999, Proceedings, Lecture Notes in Computer Science volume 1666, pages 388-397. Springer, Heidelberg, 1999.

[74] Xuejia Lai and James L. Massey. Markov ciphers and diﬀerentail cryptanalysis. In Donald W. Davies, editor, Advances in Cryptology - EUROCRYPT’91, Workshop on the Theory and Application of of Cryptographic Techniques, Brighton, UK, April 8-11, 1991, Proceedings, Lecture Notes in Computer Science volume 547, pages 17-38. Springer, Heidelberg, 1991.

[75] Chae Hoon Lim. CRYPTON: A new 128-bit block cipher. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998. BIBLIOGRAPHY 117

[76] Jiqiang Lu, Orr Dunkelman, Nathan Keller, and Jongsung Kim. New impossible diﬀerential attacks on AES. In Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, editors, Progress in Cryptology - INDOCRYPT 2008, the 9th International Conference on Cryptology in India, Kharagpur, India, December 14-17, 2008, Proceedings, Lecture Notes in Computer Science volume 5365, pages 279-293. Springer, Heidelberg, 2008.

[77] Stefan Lucks. The saturation attack - a bait for Twoﬁsh. In Mitsuru Matsui, editor, Fast Software Encryption, the 8th International Workshop, FSE 2001 Yokohama, Japan, April 2-4, 2001, Proceedings, Lecture Notes in Computer Sci- ence volume 2355, pages 1-15. Springer, Heidelberg, 2002.

[78] Hamid Mala, Mohammad Dakhilalian, Vincent Rijmen, and Mahmoud Modarres-Hashemi. Improved impossible diﬀerential cryptanalysis of 7-Round AES-128. In Guang Gong and Kishan Chand Gupta, editors, Progress in Cryp- tology - INDOCRYPT 2010, the 11th International Conference on Cryptology in India, Hyderabad, India, December 12-15, 2010, Proceedings, Lecture Notes in Computer Science volume 6498, pages 282-29. Springer, Heidelberg, 2010.

[79] James Massey, Gurgen Khachatrian, and Melsik Kuregian. Nomination of SAFER+ as candidate algorithm for the Advanced Encryption Standard (AES). The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[80] Mitsuru Matsui. Linear cryptoanalysis method for DES cipher. In Tor Helleseth, editor, Advances in Cryptology - EUROCRYPT’93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, Lecture Notes in Computer Science volume 765, pages 386- 397. Springer, Heidelberg, 1994.

[81] Florian Mendel, Christian Rechberger, Martin Schl¨aﬀer, and Søren S. Thomsen. The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, Fast Software Encryption, the 16th International Workshop, FSE 2009, Leuven, Belgium, February 22-25, 2009, Proceedings, Lecture Notes in Computer Science volume 5665, pages 260-276. Springer, Heidelberg, 2009.

[82] Alfred J. Menezes, Scott A. Vanstone, and Paul C. Van Oorschot. Handbook of Applied Cryptography. CRC Press, Boca Raton, FL, USA, 1996. BIBLIOGRAPHY 118

[83] Mainack Mondal and Debdeep Mukhopadhyay. Related key cryptanalysis of the LEX stream cipher. International Association for Cryptologic Research. Cryptol- ogy ePrint Archive. Available at http://eprint.iacr.org/2010/011, 10 Jan- uary 2010.

[84] Sean Murphy. The return of the cryptographic boomerang. IEEE Transactions on Information Theory, volume 57, number 4, pages 2517-2521, 2011.

[85] Sean Murphy and Matthew J. B. Robshaw. Essential algebraic structure within the AES. In Moti Yung, editor, Advances in Cryptology - CRYPTO 2002, the 22nd Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2002, Proceedings, Lecture Notes in Computer Science volume 2442, pages 1-16. Springer, Heidelberg, 2002.

[86] National Bureau of Standards, Data Encryption Standard (DES), US Depart- ment of Commerce. Federal Information Processing Standards Publication 46 (FIPS PUB 46), 15 January 1977.

[87] National Institute of Standards and Technology, US Department of Com- merce. Commerce Department Announces Winner of Global Information Security Competition. Available at http://www.nist.gov/public_affairs/releases/ g00-176.cfm, 2 October 2000.

[88] National Institute of Standards and Technology, US Department of Commerce. Federal Information Processing Standards Publication 197 (FIPS PUB 197). Available at http://csrc.nist.gov/publications/fips/fips197/fips-197. pdf, 26 November 2001.

[89] Raphael Chung-Wei Phan. Impossible diﬀerential cryptanalysis of 7-round Ad- vanced Encryption Standard (AES). Information Processing Letters, volume 91, number 1, pages 33-38, 2004.

[90] Gilles Piret and Jean-Jacques Quisquater. A diﬀerential fault attack technique against SPN structures, with application to the AES and KHAZAD. In Colin D. Walter, C¸etin Kaya Ko¸c, and Christof Paar, editors, Cryptographic Hardware and Embedded Systems - CHES 2003, the 5th International Workshop, Cologne, Germany, September 8-10, 2003, Proceedings, Lecture Notes in Computer Science volume 2779, pages 77-88. Springer, Heidelberg, 2003. BIBLIOGRAPHY 119

[91] H˚avard Raddum. More dual Rijndaels. In Hans Dobbertin, Vincent Rijmen, and Aleksandra Sowa, editors, Advanced Encryption Standard - AES, the 4th Inter- national Conference, AES 2004, Bonn, Germany, May 10-12, 2004, Proceedings, Lecture Notes in Computer Science volume 3373, pages 142-147. Springer, Hei- delberg, 2005.

[92] Ron Rivest, Matt Robshaw, Ray Sidney, and Yiqun Lisa Yin. The RC6TM block cipher. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[93] Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. Twoﬁsh: A 128-bit block cipher. The First Advanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Department of Commerce, 1998.

[94] Richard Schroeppel. An overview of the Hasty Pudding Cipher. The First Ad- vanced Encryption Standard (AES) Candidate Conference, Ventura, CA, USA, August 20-22, 1998, National Institute of Standards and Technology, US Depart- ment of Commerce, 1998.

[95] RSA Security. RSA’s DES Challenge III is solved in record time. Available at http://www.rsa.com/rsalabs/node.asp?id=2108, 18 January 1999.

[96] Ali Aydin Sel¸cuk. On probability of success in linear and diﬀerential cryptanalysis. Journal of Cryptology, volume 21, number 1, pages 131-147. Springer, Heidelberg, 2008.

[97] Ilia Toli and Alberto Zanoni. An algebraic interpretation of AES-128. In Hans Dobbertin, Vincent Rijmen, and Aleksandra Sowa, editors, Advanced Encryption Standard - AES, the 4th International Conference, AES 2004, Bonn, Germany, May 10-12, 2004, Proceedings, Lecture Notes in Computer Science volume 3373, pages 84-97. Springer, Heidelberg, 2005.

[98] David Wagner. The boomerang attack. In Lars R. Knudsen, editor, Fast Software Encryption, the 6th International Workshop, FSE’99, Rome, Italy, March 24-26, 1999, Proceedings, Lecture Notes in Computer Science volume 1636, pages 156- 170. Springer, Heidelberg, 1999. BIBLIOGRAPHY 120

[99] Doug Whiting, Bruce Schneier, Stephan Lucks, and Fr´ed´eric Muller. Phelix - fast encryption and authentication in a single cryptographic primitive. ECRYPT stream cipher project report 2005/020. Available at http://www.ecrypt.eu. org/stream, 2005.

[100] Robert S. Winternitz. A secure one-way hash function built from DES. In the IEEE Symposium on Security and Privacy, Oakland, California, USA, April 1984, Proceedings, pages 88-90. IEEE Computer Society Press, 1984.

[101] Hongjun Wu and Bart Preneel. Resynchronization attacks on WG and LEX. In Matthew J. B. Robshaw, editor, Fast Software Encryption, the 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, Proceedings, Lecture Notes in Computer Science volume 4047, pages 422-432. Springer, Heidelberg, 2006.

[102] Muhammad Reza Z’aba, H˚avard Raddum, Leonie Simpson, Ed Dawson, Matt Henricksen, and Kenneth Wong. Algebraic analysis of LEX. In Ljiljana Brankovic and Willy Susilo, editors, The Seventh Australasian Information Security Con- ference (AISC 2009), Wellington, New Zealand, Conferences in Research and Practice in Information Technology (CRPIT) volume 98, pages 33-45. Australian Computer Society, 2009.

[103] Wentao Zhang, Wenling Wu, and Dengguo Feng. New results on impossible differential cryptanalysis of reduced AES. In Kil-Hyun Nam and Gwangsoo Rhee, editors, Information Security and Cryptology - ICISC 2007, the 10th Interna- tional Conference, Seoul, Korea, November 29-30, 2007, Proceedings, Lecture Notes in Computer Science volume 4817, pages 239-250. Springer, Heidelberg, 2007. Appendix A

The Computation from Round 5 to Round 10 in Theorem 6.1.1

• Round 5. Let

5 4 Ω0 = SB(k1,3 ⊕ Ω1) ⊕ Rcon[5], 5 4 Ω1 = SB(k2,3 ⊕ Ω2), 5 4 Ω2 = SB(k3,3 ⊕ Ω3), and 5 4 Ω3 = SB(k0,3 ⊕ Ω0).

′5 ′4 5 ′5 Let Ω2 = SB(k3,3 ⊕ v ⊕ Ω3 ), and γ = Ω2 ⊕ u ⊕ Ω2 , the key byte diﬀerences are provided below:

5 ′5 5 ′5 5 ′5 5 ′5 k0,0 ⊕ k0,0 = φ, k1,0 ⊕ k1,0 = λ, k2,0 ⊕ k2,0 = γ, k3,0 ⊕ k3,0 = β, 5 ′5 5 ′5 5 ′5 5 ′5 k0,1 ⊕ k0,1 = φ, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = γ, k3,1 ⊕ k3,1 =0, 5 ′5 5 ′5 5 ′5 5 ′5 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = γ, k3,2 ⊕ k3,2 = β, 5 ′5 5 ′5 5 ′5 5 ′5 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = γ, k3,3 ⊕ k3,3 =0.

• Round 6. Let

6 5 Ω0 = SB(k1,3 ⊕ k1,2 ⊕ k1,1 ⊕ k1,0 ⊕ SB(k2,3) ⊕ Ω1) ⊕ Rcon[6], 6 5 Ω1 = SB(k2,3 ⊕ k2,2 ⊕ k2,1 ⊕ k2,0 ⊕ SB(k3,3) ⊕ Ω2), 6 5 Ω2 = SB(k3,3 ⊕ k3,2 ⊕ k3,1 ⊕ k3,0 ⊕ SB(k0,3) ⊕ Ω3), and 6 5 Ω3 = SB(k0,3 ⊕ k0,2 ⊕ k0,1 ⊕ k0,0 ⊕ SB(k1,3) ⊕ Rcon[1] ⊕ Ω0).

′6 ′5 6 ′6 Let Ω1 = SB(k2,3 ⊕k2,2 ⊕k2,1 ⊕k2,0 ⊕z⊕SB(k3,3 ⊕v)⊕Ω2 ), and α = Ω1 ⊕λ⊕Ω1 , we have the following byte diﬀerences:

6 ′6 6 ′6 6 ′6 6 ′6 k0,0 ⊕ k0,0 = φ, k1,0 ⊕ k1,0 = α, k2,0 ⊕ k2,0 = γ, k3,0 ⊕ k3,0 = β, 6 ′6 6 ′6 6 ′6 6 ′6 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = α, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 = β, 6 ′6 6 ′6 6 ′6 6 ′6 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 = α, k2,2 ⊕ k2,2 = γ, k3,2 ⊕ k3,2 =0, 6 ′6 6 ′6 6 ′6 6 ′6 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 = α, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

121 122

• Round 7. Let

7 2 6 Ω0 = SB(k1,3 ⊕ k1,1 ⊕ Ω1 ⊕ Ω1) ⊕ Rcon[7], 7 2 6 Ω1 = SB(k2,3 ⊕ k2,1 ⊕ Ω2 ⊕ Ω2), 7 2 6 Ω2 = SB(k3,3 ⊕ k3,1 ⊕ Ω3 ⊕ Ω3), and 7 2 6 Ω3 = SB(k0,3 ⊕ k0,1 ⊕ Ω0 ⊕ Ω0).

′7 ′2 ′6 7 ′7 Let Ω0 = SB(k1,3 ⊕ k1,1 ⊕ y ⊕ Ω1 ⊕ Ω1 ) ⊕ Rcon[7], and t = Ω0 ⊕ φ ⊕ Ω0 , the byte diﬀerences are calculated as follows:

7 ′7 7 ′7 7 ′7 7 ′7 k0,0 ⊕ k0,0 = t, k1,0 ⊕ k1,0 = α, k2,0 ⊕ k2,0 = γ, k3,0 ⊕ k3,0 = β. 7 ′7 7 ′7 7 ′7 7 ′7 k0,1 ⊕ k0,1 = t, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = γ, k3,1 ⊕ k3,1 =0, 7 ′7 7 ′7 7 ′7 7 ′7 k0,2 ⊕ k0,2 = t, k1,2 ⊕ k1,2 = α, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 =0, 7 ′7 7 ′7 7 ′7 7 ′7 k0,3 ⊕ k0,3 = t, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.

• Round 8. Let

8 3 7 Ω0 = SB(k1,3 ⊕ k1,2 ⊕ Ω1 ⊕ Ω1) ⊕ Rcon[8], 8 3 7 Ω1 = SB(k2,3 ⊕ k2,2 ⊕ Ω2 ⊕ Ω2), 8 3 7 Ω2 = SB(k3,3 ⊕ k3,2 ⊕ Ω3 ⊕ Ω3), and 8 3 7 Ω3 = SB(k0,3 ⊕ k0,2 ⊕ Ω0 ⊕ Ω0).

′8 ′3 ′7 8 ′8 Let Ω3 = SB(k0,3 ⊕k0,2 ⊕x⊕Ω0 ⊕Ω0 ), and d = Ω3 ⊕β ⊕Ω3 , the byte diﬀerences are listed below:

8 ′8 8 ′8 8 ′8 8 ′8 k0,0 ⊕ k0,0 = t, k1,0 ⊕ k1,0 = α, k2,0 ⊕ k2,0 = γ, k3,0 ⊕ k3,0 = d, 8 ′8 8 ′8 8 ′8 8 ′8 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = α, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 = d, 8 ′8 8 ′8 8 ′8 8 ′8 k0,2 ⊕ k0,2 = t, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 =0, k3,2 ⊕ k3,2 = d, 8 ′8 8 ′8 8 ′8 8 ′8 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 = d.

• Round 9. Let

9 4 8 Ω0 = SB(k1,3 ⊕ Ω1 ⊕ Ω1) ⊕ Rcon[9], 9 4 8 Ω1 = SB(k2,3 ⊕ Ω2 ⊕ Ω2), 9 4 8 Ω2 = SB(k3,3 ⊕ Ω3 ⊕ Ω3), and 9 4 8 Ω3 = SB(k0,3 ⊕ Ω0 ⊕ Ω0). 123

′9 ′4 ′8 9 ′9 Let Ω2 = SB(k3,3 ⊕ v ⊕ Ω3 ⊕ Ω3 ), and w = Ω2 ⊕ γ ⊕ Ω2 , each byte diﬀerence can be computed as:

9 ′9 9 ′9 9 ′9 9 ′9 k0,0 ⊕ k0,0 = t, k1,0 ⊕ k1,0 = α, k2,0 ⊕ k2,0 = w, k3,0 ⊕ k3,0 = d. 9 ′9 9 ′9 9 ′9 9 ′9 k0,1 ⊕ k0,1 = t, k1,1 ⊕ k1,1 =0, k2,1 ⊕ k2,1 = w, k3,1 ⊕ k3,1 =0, 9 ′9 9 ′9 9 ′9 9 ′9 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 =0, k2,2 ⊕ k2,2 = w, k3,2 ⊕ k3,2 = d, 9 ′9 9 ′9 9 ′9 8 ′9 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 =0, k2,3 ⊕ k2,3 = w, k3,3 ⊕ k3,3 =0.

• Round 10. Let

10 5 9 Ω0 = SB(k1,3 ⊕ k1,2 ⊕ k1,1 ⊕ k1,0 ⊕ SB(k2,3) ⊕ Ω1 ⊕ Ω1) ⊕ Rcon[10], 10 5 9 Ω1 = SB(k2,3 ⊕ k2,2 ⊕ k2,1 ⊕ k2,0 ⊕ SB(k3,3) ⊕ Ω2 ⊕ Ω2), 10 5 9 Ω2 = SB(k3,3 ⊕ k3,2 ⊕ k3,1 ⊕ k3,0 ⊕ SB(k0,3) ⊕ Ω3 ⊕ Ω3), and 10 5 9 Ω3 = SB(k0,3 ⊕ k0,2 ⊕ k0,1 ⊕ k0,0 ⊕ SB(k1,3) ⊕ Rcon[1] ⊕ Ω0 ⊕ Ω0).

′10 ′5 ′9 Let Ω1 = SB(k2,3 ⊕ k2,2 ⊕ k2,1 ⊕ k2,0 ⊕ z ⊕ SB(k3,3 ⊕ v) ⊕ Ω2 ⊕ Ω2 ), and 10 ′10 q = Ω1 ⊕ α ⊕ Ω1 , the byte diﬀerences are shown below:

10 ′10 10 ′10 10 ′10 10 ′10 k0,0 ⊕ k0,0 = t, k1,0 ⊕ k1,0 = q, k2,0 ⊕ k2,0 = w, k3,0 ⊕ k3,0 = d. 10 ′10 10 ′10 10 ′10 10 ′10 k0,1 ⊕ k0,1 =0, k1,1 ⊕ k1,1 = q, k2,1 ⊕ k2,1 =0, k3,1 ⊕ k3,1 = d, 10 ′10 10 ′10 10 ′10 10 ′10 k0,2 ⊕ k0,2 =0, k1,2 ⊕ k1,2 = q, k2,2 ⊕ k2,2 = w, k3,2 ⊕ k3,2 =0, 10 ′10 10 ′10 10 ′10 10 ′10 k0,3 ⊕ k0,3 =0, k1,3 ⊕ k1,3 = q, k2,3 ⊕ k2,3 =0, k3,3 ⊕ k3,3 =0.