Recommended citation: Huang, Jianyong, On the internal structure of the advanced encryption standard and two AES-based cryptographic constructions, Doctor of Philosophy thesis, School of Computer Science and Software Engineering, University of Wollongong, 2012. http://ro.uow.edu.au/theses/3517
On the Internal Structure of the Advanced Encryption Standard and Two AES-Based Cryptographic Constructions
A thesis submitted in fulfilment of the requirements for the award of the degree
Doctor of Philosophy
from
UNIVERSITY OF WOLLONGONG
by
Jianyong Huang
School of Computer Science and Software Engineering
May 2012

© Copyright 2012 by Jianyong Huang
All Rights Reserved
Dedicated to My Family

Declaration
This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution.
Jianyong Huang May 7, 2012
Abstract

The Advanced Encryption Standard (AES) is a symmetric-key encryption standard: the Rijndael cipher was selected by the U.S. government in 2000 and published as FIPS 197 in 2001. It is one of the most widely used algorithms in symmetric-key cryptography today. In this thesis, we study the internal structure of the AES algorithm and two AES-based cryptographic primitives: the ALPHA-MAC message authentication code and the LEX stream cipher. In the analysis of the AES internal structure, we focus on two areas: the internal algebraic properties and the key schedule of the AES algorithm. This thesis makes the following four contributions.

First, we ask what happens if we change the values of some bytes of some intermediate results during an AES encryption. We aim to investigate the impact of these changes on the output of the encryption, and study the feasibility of cancelling out the effects of such changes. By using the structural features of the AES round transformation, we propose a five-round algebraic property which shows that if one carries out four extra exclusive-or operations on four fixed-position bytes in some round, five consecutive rounds of such operations will cancel out all changes made to the intermediate results and, consequently, the final output of the encryption will not be affected by these changes.

Second, we use the proposed five-round algebraic property of the AES cipher to study the construction of the ALPHA-MAC. We introduce two methods: the Backwards-aNd-Backwards search algorithm and the Backwards-aNd-Forwards search algorithm. By combining these two methods, one can find second preimages of the ALPHA-MAC, given an intermediate value. In addition, we demonstrate that the second-preimage search algorithm can also be used to generate internal collisions for the ALPHA-MAC if an intermediate value is known.

Third, we carry out further investigations on the key schedule of the AES cipher, and our research identifies some repeated differential properties in the AES-128 and AES-256 key schedules. In the case of AES-128, if the difference of two secret keys has a special pattern, which we call a repeated differential pattern, the propagation of the difference via the key schedule will produce at least seven zero differences in each round, and the same pattern repeats every four rounds. In the case of AES-256, we show that two secret keys with a double-sized repeated differential pattern generate similar repeated features in the resultant subkeys.

Fourth, we describe a differential fault analysis of the LEX stream cipher. The attack exploits computational errors during keystream generation to recover secret keys of the cipher. In our analysis, the cipher is assumed to have random faults in its states and, typically, there is one random faulty bit injected during each computation. In the proposed attack, the adversary can extract the secret key of LEX by analysing the output keystream generated by 40 faults.
Acknowledgements

The road to my doctoral degree has been a long but rewarding journey. I would like to thank the following people and organisations. Without their help and support, this thesis would not have been possible.

I am grateful to my principal supervisor, Professor Jennifer Seberry, for her guidance and suggestions throughout this thesis. I am especially thankful for her kindness and patience over the past few years. It has been a pleasure to study under her supervision. Her knowledge and academic experience have been invaluable to me.

I wish to express my sincere gratitude to my co-supervisor, Professor Willy Susilo, who has supervised me with his knowledge and patience while giving me the freedom to work in my own way. I appreciate all his contributions of time and ideas to make my research experience productive and stimulating. I specially want to thank him for offering many helpful opinions and lots of administrative support.

I am thankful to Professor Eli Biham for many fruitful and interesting discussions during his visit to the University of Wollongong in 2004. During his three-month stay in Wollongong, I was able to learn how he approached and solved problems, which helped me to develop the capability to carry out independent research.

I thank the Centre for Computer and Information Security Research (CCISR) for organising regular research seminars, which gave me the opportunity to hear presentations and to converse with other researchers. I also thank the Research Student Centre for allowing me to take a long leave of absence.

I would like to acknowledge the generous financial support of the University Postgraduate Award, funded by the University of Wollongong. I thank the School of Computer Science and Software Engineering, and CCISR, for sponsoring me to attend research conferences.

Finally, I am grateful to Zhen Luo for always being the first person to discuss my undeveloped thoughts with, and for constantly providing support when needed. Last but not least, I would like to thank my parents, Yulan Zhao and Xinmin Huang, for continually encouraging me to complete the doctoral degree.
Publications

During my PhD studies, I have published the following papers. Please note that the contributions of Paper 6 and Paper 7 are not included in this thesis in order to maintain content consistency.

1. Jianyong Huang, Willy Susilo, and Jennifer Seberry. Repeated differential properties of the AES-128 and AES-256 key schedules. In Huaimin Wang, Stephen R. Tate, and Yang Xiang, editors, the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications - IEEE TrustCom 2011, Changsha, China, November 16-18, 2011, Proceedings, 2011, to appear.

2. Jianyong Huang, Willy Susilo, and Jennifer Seberry. Differential fault analysis of LEX. In Juan A. Garay and Roberto De Prisco, editors, Security and Cryptography for Networks, the 7th International Conference, SCN 2010, Amalfi, Italy, September 13-15, 2010, Proceedings, Lecture Notes in Computer Science volume 6280, pages 55-72. Springer, Heidelberg, 2010.

3. Jianyong Huang, Jennifer Seberry, and Willy Susilo. A five-round algebraic property of AES and its application to the ALPHA-MAC. International Journal of Applied Cryptography (IJACT), volume 1, number 4, pages 264-289, 2009.

4. Jianyong Huang, Jennifer Seberry, and Willy Susilo. A five-round algebraic property of the Advanced Encryption Standard. In Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, and Der-Tsai Lee, editors, Information Security, the 11th International Conference, ISC 2008, Taipei, Taiwan, September 15-18, 2008, Proceedings, Lecture Notes in Computer Science volume 5222, pages 316-330. Springer, Heidelberg, 2008.

5. Jianyong Huang, Jennifer Seberry, and Willy Susilo. On the internal structure of ALPHA-MAC. In Phong Q. Nguyen, editor, Progress in Cryptology - VIETCRYPT 2006, the First International Conference on Cryptology in Vietnam, Hanoi, Vietnam, September 25-28, 2006, Proceedings, Lecture Notes in Computer Science volume 4341, pages 271-285. Springer, Heidelberg, 2006.

6. Jianyong Huang, Jennifer Seberry, Willy Susilo, and Martin W. Bunder. Security analysis of Michael: the IEEE 802.11i message integrity code. In Tomoya Enokido, Lu Yan, Bin Xiao, Daeyoung Kim, Yuan-Shun Dai, and Laurence Tianruo Yang, editors, Embedded and Ubiquitous Computing - EUC 2005 Workshops, Nagasaki, Japan, December 6-9, 2005, Proceedings, Lecture Notes in Computer Science volume 3823, pages 423-432. Springer, Heidelberg, 2005.

7. Jianyong Huang, Willy Susilo, and Jennifer Seberry. Observations on the message integrity code in IEEE 802.11 wireless LANs. In Tadeusz Wysocki, editor, the 3rd Workshop on the Internet, Telecommunications and Signal Processing - WITSP 2004, Adelaide, Australia, 20-22 December 2004, Proceedings, pages 328-332, CD-ROM, 2004.
Contents

Abstract
Acknowledgements
Publications

1 Introduction
  1.1 The Development of AES
  1.2 Motivations and Objectives
  1.3 Contributions
  1.4 Thesis Structure

2 A Description of AES
  2.1 Encryption
    2.1.1 The SubBytes Transformation
    2.1.2 The ShiftRows Transformation
    2.1.3 The MixColumns Transformation
    2.1.4 The AddRoundKey Transformation
  2.2 Decryption
    2.2.1 The InvSubBytes Transformation
    2.2.2 The InvShiftRows Transformation
    2.2.3 The InvMixColumns Transformation
    2.2.4 The Inverse of the AddRoundKey Transformation
  2.3 The Key Schedule
    2.3.1 The AES-128 Key Schedule
    2.3.2 The AES-192 Key Schedule
    2.3.3 The AES-256 Key Schedule

3 Cryptanalysis of AES
  3.1 A Brief Description of DES
  3.2 Differential Cryptanalysis
  3.3 Linear Cryptanalysis
  3.4 Security of AES against Differential and Linear Cryptanalysis
  3.5 Square Attack
  3.6 Collision Attacks
  3.7 Boomerang Attacks
    3.7.1 Amplified Boomerang Attack
    3.7.2 Rectangle Attack
  3.8 Impossible Differential Cryptanalysis
  3.9 Dual Ciphers
  3.10 Algebraic Attacks
  3.11 Related-Key Attacks
  3.12 Biclique Cryptanalysis
  3.13 Summary of AES Cryptanalysis

4 A Five-Round Algebraic Property of AES
  4.1 The Five-Round Property
  4.2 The δ Algorithm
    4.2.1 Deciding M'_0, M'_2, M'_8 and M'_10
    4.2.2 Computing R'_0, R'_2, R'_8 and R'_10
    4.2.3 Calculating V'_0, V'_2, V'_8 and V'_10
    4.2.4 Determining Z'_0, Z'_2, Z'_8 and Z'_10
    4.2.5 Variants of Algorithm δ
  4.3 Summary

5 On the Internal Structure of ALPHA-MAC
  5.1 Description of the ALPHA-MAC
  5.2 Applying the Five-Round Algebraic Property to the ALPHA-MAC
    5.2.1 The Second-Preimage Search Algorithm
    5.2.2 The Collision Search Algorithm
  5.3 Related Work
  5.4 Summary

6 Repeated Differential Properties of the AES-128 and AES-256 Key Schedules
  6.1 Repeated Differential Properties of the AES-128 Key Schedule
  6.2 Repeated Differential Properties of the AES-256 Key Schedule
  6.3 Summary

7 Differential Fault Analysis of LEX
  7.1 The LEX Stream Cipher
  7.2 The Differential Fault Analysis
    7.2.1 The Fault Position Determination Method
    7.2.2 Recovering 4 Key Bytes of Round i + 2
    7.2.3 Retrieving 16 Key Bytes in Rounds i − 1, i, i + 1 and i + 3
    7.2.4 Deducing 10 more Key Bytes in Round i + 2
  7.3 Discussion and Related Work
  7.4 Summary

8 Conclusions and Future Work
  8.1 Our Contributions
  8.2 Future Work

Bibliography

A The Computation from Round 5 to Round 10 in Theorem 6.1.1
List of Tables

1.1 The fifteen AES candidate algorithms
1.2 Structure of the thesis
2.1 The block-key-round parameters
2.2 The substitution table of the AES algorithm
2.3 The inverse S-Box
3.1 Summary of AES-128 cryptanalysis
3.2 Summary of AES-192 and AES-256 cryptanalysis
5.1 Second-preimage search = BNB search + BNF search
5.2 The results of the search algorithm
7.1 Four groups of the fault positions
7.2 Three groups of fault positions
List of Figures

2.1 The AES encryption
2.2 The ShiftRows function
2.3 The AddRoundKey operation
2.4 The AES decryption
2.5 The InvShiftRows transformation
2.6 The RotWord transformation
2.7 The SubWord operation
2.8 The AES-128 key schedule
2.9 The AES-192 key schedule
2.10 The AES-256 key schedule
3.1 The Feistel structure of DES
3.2 The F-function of DES
3.3 The evolution of a Λ-set in 3 rounds of AES
3.4 A four-round distinguisher of AES
3.5 A pictorial illustration of the boomerang attack
3.6 The depiction of a local collision
3.7 The biclique cryptanalysis with the meet-in-the-middle attack
4.1 The twenty bytes
4.2 The intermediate values of AES-128
4.3 The intermediate values of AES-128 with 20 extra XOR operations
4.4 Different locations of the twenty bytes
5.1 ALPHA-MAC construction
5.2 The five-block collisions
5.3 The second-preimage search
6.1 The 10-round R differential pattern
6.2 The 14-round R differential pattern
7.1 Initialisation and stream generation
7.2 The leak positions in the even and odd rounds
7.3 The three-round diagram
7.4 Computing the values of Δl_{1,3}, Δl_{3,3}, Δq_{1,2} and Δq_{3,0}
7.5 Deducing the actual values of q_{1,2} and q_{3,0}
7.6 Recovering 4 key bytes
7.7 The recovered key bytes
7.8 The seven-round diagram
7.9 The deduced key bytes
Chapter 1
Introduction
Symmetric-key cryptography is an important area of study in modern cryptography. In symmetric-key ciphers, the encryption of plaintext and the decryption of ciphertext use the same key (or, less commonly, the encryption key is different from the decryption key, but there is a simple transformation between the two keys). Block ciphers and stream ciphers are the two fundamental primitives of symmetric-key cryptography.

A block cipher is an algorithm which maps fixed-length plaintext blocks to same-length ciphertext blocks by using a key-dependent transformation [82]. A block cipher contains two functions: the encryption function $E$ and the decryption function $E^{-1}$. The encryption function $E$ takes a plaintext $P$ and a key $K$ as inputs and generates the corresponding ciphertext $C$ as output, written as $C = E_K(P)$. The decryption function $E^{-1}$ accepts two parameters, a ciphertext $C$ and a key $K$, and outputs the corresponding plaintext $P$, represented as $P = E_K^{-1}(C)$. The length of a plaintext block and its corresponding ciphertext block is called the block size. For example, if a block cipher maps $n$-bit plaintext blocks to $n$-bit ciphertext blocks, the block size is $n$ bits. The key size of a block cipher is the bit length of the key.

Stream ciphers are a set of algorithms that use a time-varying transformation to encrypt individual units (usually bits) of a plaintext one at a time [82]. Synchronous stream ciphers and self-synchronising (or asynchronous) stream ciphers are the two major types of stream ciphers. In addition, some stream ciphers (for example, the stream cipher Phelix [99]) are neither synchronous nor self-synchronising. In a synchronous stream cipher, the generation of the keystream is independent of the plaintext and ciphertext. The encryption process is carried out by combining the keystream with the plaintext, while the decryption process is accomplished by combining the keystream with the ciphertext.
Let $k$, $\sigma_i$, $z_i$, $p_i$ and $c_i$ denote the key, the internal state at time $i$, the keystream, the plaintext and the ciphertext, respectively. The encryption function of a synchronous stream cipher can be represented by three equations: $\sigma_{i+1} = f(\sigma_i, k)$, $z_i = g(\sigma_i, k)$ and $c_i = h(z_i, p_i)$, where $\sigma_0$ is the initial state, $f$ is the next-state function, $g$ is the function used to generate the keystream $z_i$, and $h$ is the output function that combines $z_i$ and $p_i$ to produce the ciphertext $c_i$. In a self-synchronising stream cipher, the keystream is produced as a function of the key and a fixed number of previous ciphertext bits. With $k$, $\sigma_i$, $z_i$, $p_i$ and $c_i$ as above, the encryption process of a self-synchronising stream cipher can be denoted by the equations $\sigma_i = (c_{i-t}, c_{i-t+1}, \ldots, c_{i-1})$, $z_i = g(\sigma_i, k)$ and $c_i = h(z_i, p_i)$, where $\sigma_0$ is the initial state, $g$ is the function employed to produce the keystream $z_i$, and $h$ is the output function that combines $z_i$ and $p_i$ to produce the ciphertext $c_i$. The practical difference between the two types is what happens when ciphertext units are lost in transit: a synchronous receiver stays out of step from that point on, whereas a self-synchronising receiver is back in step once $t$ correct ciphertext units have arrived.

Hash functions play a significant role in the field of cryptography and can be divided into two types: unkeyed hash functions and keyed hash functions. An unkeyed hash function takes an arbitrary-length input, known as the message, and generates a fixed-length output called the hash value. Let $h$ be a hash function (hash function implies an unkeyed hash function in this thesis); as a minimum requirement [82], $h$ should have the following four properties: 1) ease of computation: given $h$ and an input $x$, $h(x)$ is easy to compute; 2) preimage resistance: given a hash value $y$, it should be computationally infeasible to find any message $m$ such that $y = h(m)$; 3) second-preimage resistance: given an input $m_1$, it should be computationally infeasible to find another input $m_2 \neq m_1$ such that $h(m_1) = h(m_2)$; 4) collision resistance: it should be computationally infeasible to find two distinct messages $m_1$ and $m_2$ such that $h(m_1) = h(m_2)$. Keyed hash functions accept two inputs, an arbitrary-length message and a secret key, and produce an output, the hash value. Message authentication codes (MACs) are a subclass of keyed hash functions. One important usage of message authentication codes is to protect the integrity and authenticity of a message.
The sender of a message uses a MAC algorithm to generate a MAC value, appends the MAC to the message and transmits the message together with the MAC to the receiver. The receiver calculates the MAC again and compares it with the received one. If the two values are equal, the receiver assumes that the integrity of the information was not compromised and therefore accepts the message as authentic. (In an implementation, that comparison must not leak, through its timing, how many leading bytes of the two tags agree, or an attacker can forge a tag byte by byte.) There are various ways to create MAC algorithms, and one possible approach is to construct MACs from other cryptographic primitives, such as block ciphers or hash functions.

Since block ciphers are well studied and are the most scrutinised cryptographic primitive, they are normally used as the underlying building block in the construction of other cryptographic algorithms. One such application is building message authentication codes based on block ciphers. Another application is using block ciphers as the underlying tool to design stream ciphers. These two approaches have been popular as they reduce the design and evaluation effort of creating new cryptographic primitives. In this thesis, we study the internal structure of the Advanced Encryption Standard (AES) [88], which is a widely used block cipher today, and we also analyse the constructions of two AES-based cryptographic primitives: the ALPHA-MAC message authentication code [38] and the LEX stream cipher [19].

The rest of this chapter is organised as follows. Section 1.1 outlines the development of the Advanced Encryption Standard. Section 1.2 describes the motivations and objectives of this thesis. The contributions of this thesis are presented in Section 1.3. Section 1.4 describes the structure of this thesis.
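The synchronous and self-synchronising stream cipher equations given earlier in this chapter, instantiated as an added example (this is not the thesis author's code and not LEX or AES). The keyed functions f and g are stood in for by HMAC-SHA256, an assumption made so that the block runs from the standard library alone; the key, IV and message are constructed for the demonstration. The last function exhibits the property that separates the two types: after one ciphertext byte is lost in transit, the synchronous receiver never recovers, while the self-synchronising receiver is back in step after t = T bytes.

```python
import hmac
import hashlib

# Added example (not from the thesis): the two stream cipher types built on a
# keyed PRF. Assumption: HMAC-SHA256 plays the roles of f and g. Teaching model
# only; it is neither AES, nor LEX, nor any standardised cipher.

T = 4  # self-synchronising variant: keystream depends on the t = 4 previous ciphertext bytes


def g(key: bytes, sigma: bytes) -> int:
    """Keystream byte z_i = g(sigma_i, k): one PRF output byte for the current state."""
    return hmac.new(key, b"g" + sigma, hashlib.sha256).digest()[0]


def f(key: bytes, sigma: bytes) -> bytes:
    """Next-state function sigma_{i+1} = f(sigma_i, k) of the synchronous cipher."""
    return hmac.new(key, b"f" + sigma, hashlib.sha256).digest()


def sync_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Synchronous cipher: the state runs from sigma_0 = iv under the key alone, so the
    keystream never depends on plaintext or ciphertext. c_i = h(z_i, p_i) = z_i XOR p_i;
    decryption is the same function because XOR is an involution."""
    sigma, out = iv, bytearray()
    for byte in data:
        out.append(byte ^ g(key, sigma))
        sigma = f(key, sigma)
    return bytes(out)


def selfsync_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Self-synchronising cipher: sigma_i = (c_{i-t}, ..., c_{i-1}). The IV supplies
    the t ciphertext bytes assumed to precede c_0."""
    window, out = bytearray(iv[:T]), bytearray()
    for p in plaintext:
        c = p ^ g(key, bytes(window))
        out.append(c)
        window = window[1:] + bytes([c])   # slide the ciphertext window forward
    return bytes(out)


def selfsync_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """The receiver rebuilds sigma_i from the ciphertext it has already received."""
    window, out = bytearray(iv[:T]), bytearray()
    for c in ciphertext:
        out.append(c ^ g(key, bytes(window)))
        window = window[1:] + bytes([c])
    return bytes(out)


def decrypt_after_dropped_byte(key: bytes, iv: bytes, msg: bytes, drop_at: int):
    """Deliver the ciphertext with byte drop_at deleted and decrypt with both schemes.
    Returns (sync_tail, selfsync_tail): the synchronous receiver is out of step from
    drop_at onwards, whereas the self-synchronising receiver is correct again once T
    more ciphertext bytes have arrived, so selfsync_tail equals msg[drop_at + T + 1:]."""
    c_sync = sync_crypt(key, iv, msg)
    c_self = selfsync_encrypt(key, iv, msg)
    damaged_sync = c_sync[:drop_at] + c_sync[drop_at + 1:]
    damaged_self = c_self[:drop_at] + c_self[drop_at + 1:]
    sync_tail = sync_crypt(key, iv, damaged_sync)[drop_at:]
    selfsync_tail = selfsync_decrypt(key, iv, damaged_self)[drop_at + T:]
    return sync_tail, selfsync_tail


if __name__ == "__main__":
    key = b"0123456789abcdef"                        # constructed demo key
    iv = bytes(range(16))                            # constructed demo IV (sigma_0)
    msg = b"attack at dawn, then resynchronise the link"   # constructed plaintext
    sync_tail, selfsync_tail = decrypt_after_dropped_byte(key, iv, msg, 5)
    print("synchronous tail correct:     ", sync_tail == msg[6:])
    print("self-synchronising tail correct:", selfsync_tail == msg[10:])
```

The self-synchronising receiver pays for its resilience with error propagation in the other direction: a single flipped ciphertext byte corrupts the next T plaintext bytes as well, which is why such ciphers are paired with a MAC rather than relied on for integrity.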
1.1 The Development of AES
The Data Encryption Standard (DES) [86] is a block cipher designed by a team from IBM in the 1970s, and the algorithm was later adopted as a federal standard by the U.S. National Bureau of Standards. The standard was used to provide a method for protecting sensitive commercial and unclassified data. After DES became a national standard in 1977, it was widely used to encrypt government and commercial data. Nowadays, DES is considered insecure for many applications because of its short key size, which is only 56 bits. For example, in the DES Challenge III, one of a series of brute-force attack contests organised by RSA Security, the secret key of DES was recovered in 22 hours 15 minutes in January 1999 [95].

The U.S. National Institute of Standards and Technology (NIST), previously known as the National Bureau of Standards, made a call for new algorithms to develop the Advanced Encryption Standard to replace DES in 1997. During the worldwide competition, cryptographers from twelve different countries worked on developing the new standard. In August 1998, fifteen algorithms were selected by NIST as candidates at the First AES Candidate Conference. The fifteen candidate algorithms and their corresponding details are listed in alphabetical order in Table 1.1. In August 1999, NIST announced that the five finalist algorithms, selected from the fifteen candidates, were MARS, RC6, Rijndael, Serpent and Twofish. On 2 October 2000, Rijndael was selected as the winner of the AES competition and became the proposed AES [87]. AES was published by NIST as U.S. Federal Information Processing Standards Publication 197 (FIPS PUB 197) on 26 November 2001 [88].
1.2 Motivations and Objectives
Algorithm   Submitted by                   Country                 Reference
CAST-256    Entrust                        Canada                  [1]
CRYPTON     Future Systems                 Korea                   [75]
DEAL        Outerbridge and Knudsen        Canada and Norway       [70]
DFC         CNRS                           France                  [49]
E2          NTT                            Japan                   [62]
FROG        TecApro                        Costa Rica              [48]
HPC         Schroeppel                     USA                     [94]
LOKI97      Brown, Seberry and Pieprzyk    Australia               [27]
MAGENTA     Deutsche Telekom               Germany                 [61]
MARS        IBM                            USA                     [28]
RC6         RSA                            USA                     [92]
Rijndael    Daemen and Rijmen              Belgium                 [36]
SAFER+      Cylink                         USA                     [79]
Serpent     Anderson, Biham and Knudsen    UK, Israel and Norway   [2]
Twofish     Counterpane                    USA                     [93]

Table 1.1: The fifteen AES candidate algorithms

The five finalist algorithms of the AES competition were evaluated by NIST with the assistance of the international cryptographic community. The primary concern in evaluating the five candidates was security. In addition, factors such as speed and versatility were also taken into consideration. The winning algorithm had to run securely and efficiently on a variety of computer platforms, including large computers, desktop computers and even small devices such as smart cards. Rijndael was selected as the winner because it had the best combination of security, performance, efficiency, implementability and flexibility [87].

No attacks on the full version of Rijndael were reported when it was selected as the AES. There was some criticism of Rijndael during the AES competition; the concern was that its mathematical structure might lead to attacks. Some attacks against reduced versions of Rijndael were published during the evaluation process. However, it is hard to evaluate the impact of such attacks, since reduced-round variants are different algorithms from the original full-round algorithm. Attacks on reduced-round variants do not by themselves demonstrate a flaw in the original cipher, because a cipher could be secure with n rounds even if it were vulnerable with n − 1 rounds; what they measure is the security margin, that is, how many of the specified rounds an attack reaches. Many researchers have worked on the cryptanalysis of the AES using different techniques since 2000. However, all of the attacks on AES reported before 2009 are against reduced-round variants. A recent breakthrough in AES cryptanalysis was the distinguishers and related-key attacks on the full 14-round AES-256 proposed by Biryukov, Khovratovich and Nikolić [22] in 2009. In the same year, Biryukov and Khovratovich [21] published the first related-key cryptanalysis of the full AES-192 and improved the attacks on the full AES-256. In 2011, Bogdanov, Khovratovich and Rechberger [24] reported the first key-recovery attacks on the full-round AES-128, AES-192 and AES-256 in the single-key setting (biclique cryptanalysis), with time complexity only marginally below exhaustive search. Without any doubt, the results and techniques presented in [24], [22] and [21] will inspire future research in the cryptanalysis of the AES.
Also, since Rijndael became the AES, the design rationale of Rijndael has inspired many cryptographic constructions, including the ALPHA-MAC and the stream cipher LEX. The reason AES was chosen as the underlying block cipher of the ALPHA-MAC is that it has withstood intense public scrutiny since it became a standard. In the LEX construction, the AES round transformation is used to generate the keystream. Investigating the properties of these AES-based cryptographic constructions is a non-trivial task. In this thesis, we are interested in investigating the internal properties of AES and their application to the constructions of AES-based primitives. To be more precise, we would like to 1) understand whether there exists an algebraic property of AES which can also be applied to an AES-based primitive; 2) know whether there exist undiscovered properties of the AES key schedule; and 3) find out whether the algebraic properties and structural features of the AES round transformation can be used to carry out security analysis of AES-based constructions. To address these issues, this thesis has two main objectives. The first objective is to study the internal algebraic properties and the key schedule of the AES algorithm. The second objective is to analyse the constructions of two AES-based primitives: the ALPHA-MAC message authentication code and the LEX stream cipher.
1.3 Contributions
This dissertation makes four main contributions, whose details are as follows.

In the first contribution, we present a five-round algebraic property of the AES algorithm. The proposed property shows that it is possible to replace the values of twenty bytes at some fixed locations in five consecutive rounds without changing the output of an AES encryption/decryption. We develop a method called δ to identify the twenty bytes required by the property. Our research reveals that the δ algorithm has 20 variants for AES-128.

In the second contribution, we extend the application of the five-round algebraic property and develop techniques based on this property to analyse the construction of the ALPHA-MAC. We aim to answer the question "given an intermediate value, what is the minimum number of message blocks needed by a second preimage?". Our results demonstrate that the minimum number of message blocks needed by a second preimage is five, and that one can find a second preimage of the ALPHA-MAC by solving eight systems of linear equations. Moreover, we show that the second-preimage search algorithm can also be used to produce internal collisions under the same condition.

In the third contribution, we utilise the related-key model to analyse the key schedule of the AES algorithm, and define two concepts: the repeated differential pattern and the double-sized repeated differential pattern. Our observations show that two related 128-bit keys whose difference contains the repeated differential pattern generate at least seven identical bytes in each subkey, and that the difference pattern has strong repeated features. If the difference of two 256-bit keys has the double-sized repeated differential pattern, similar results can be found in the subkeys.

In the fourth contribution, we employ fault analysis to investigate the construction of the LEX stream cipher. In our fault model, the adversary is allowed to inject a random single-bit fault into the internal state of the cipher, without control over the location of the induced fault. A fault position determination algorithm is provided to identify the locations of the injected faults. The attacker can recover the secret key of LEX with 2^16 time complexity and 40 faults.
1.4 Thesis Structure
This thesis is organised into eight chapters, and the thesis structure is illustrated in Table 1.2. The contents of each chapter are described below.
Background Knowledge
  Chapter 1  Introduction
  Chapter 2  A Description of AES
  Chapter 3  Cryptanalysis of AES
Our Contributions
  Chapter 4  A Five-Round Algebraic Property of AES
  Chapter 5  On the Internal Structure of ALPHA-MAC
  Chapter 6  Repeated Differential Properties of the AES-128 and AES-256 Key Schedules
  Chapter 7  Differential Fault Analysis of LEX
Chapter 8  Conclusions and Future Work

Table 1.2: Structure of the thesis
This chapter provides readers with an introduction to this thesis and addresses the motivation of this dissertation. It also highlights the contributions of this thesis and describes the thesis structure. Chapter 2 presents a detailed description of the Advanced Encryption Standard. The encryption and decryption of the AES algorithm are described in detail. The mathematical descriptions of the transformations used in the round function are also provided. Moreover, this chapter describes and illustrates the key schedule used in the AES algorithm. Chapter 3 provides an overview of the cryptanalysis of AES. There have been many publications produced by different researchers since Rijndael was adopted as the Advanced Encryption Standard, and this chapter provides a brief summary of AES cryptanalysis. Chapters 4, 5, 6 and 7 present the contributions of this thesis. Chapter 4 focuses on the algebraic properties of the AES round transformation, and describes a five-round property of this cipher. Chapter 5 uses the five-round algebraic property of AES described in Chapter 4 to analyse the internal structure of ALPHA-MAC. This chapter introduces two approaches which can be used to find second preimages and internal collisions of ALPHA-MAC, given an intermediate value. Chapter 6 studies the key schedule of the AES algorithm and presents some repeated differential properties of the AES-128 and AES-256 key schedules. Chapter 7 provides a differential fault analysis of the stream cipher LEX, whose underlying block cipher is AES. Chapter 8 summarises the contributions of this thesis and discusses directions for future work.

Chapter 2

A Description of AES
This chapter provides a description of the AES algorithm; the complete details of the standard can be found in [37]. The Advanced Encryption Standard is a block cipher whose design principle is known as a substitution-permutation network. The cipher supports three key sizes: 128, 192 and 256 bits. The AES algorithms with 128-bit, 192-bit and 256-bit keys are usually referred to as AES-128, AES-192 and AES-256 respectively. The key length is denoted by Nk, which represents the number of 32-bit words in the key, and is thus equal to 4, 6 or 8 in this standard. The input block, the output block and the intermediate cipher result all have the same length of 128 bits. The block size is represented by Nb, which reflects the number of 32-bit words in the block. The number of AES rounds is denoted by Nr and is determined by the key size: 10 rounds for AES-128, 12 rounds for AES-192, and 14 rounds for AES-256. The combinations of block size, key length and number of rounds are illustrated in Table 2.1.
Variants   Block Size (Nb words)   Key Length (Nk words)   Number of Rounds (Nr)
AES-128    4                       4                       10
AES-192    4                       6                       12
AES-256    4                       8                       14

Table 2.1: The block-key-round parameters
This chapter is organised as follows. The encryption of the cipher and the descriptions of the SubBytes, ShiftRows, MixColumns and AddRoundKey transformations are provided in Section 2.1. The decryption of the cipher and the descriptions of the InvSubBytes, InvShiftRows and InvMixColumns transformations are demonstrated in Section 2.2. The details of the key schedule are shown in Section 2.3.
2.1 Encryption
For encryption, the cipher takes a plaintext and a key as input and outputs a ciphertext. The plaintext is represented as a byte matrix with 4 rows and 4 columns. The intermediate cipher result is called the state. After an initial round key addition, the state is transformed by applying a round function 10, 12 or 14 times for 128-bit, 192-bit or 256-bit keys, respectively. Each round function, except the final round, contains four transformations: SubBytes (SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (ARK). The final round is slightly different from the first Nr − 1 rounds as it does not include the MixColumns operation. The encryption process is described in pseudocode in Procedure 2.1 [88] below. The encryption routine is illustrated in Figure 2.1.
Procedure 2.1 [88] Cipher(byte in[4 ∗ Nb], byte out[4 ∗ Nb], word w[Nb ∗ (Nr + 1)])
    byte s[4, Nb]
    s = in
    AddRoundKey(s, w[0, Nb − 1])
    for round = 1 to Nr − 1 do
        SubBytes(s)
        ShiftRows(s)
        MixColumns(s)
        AddRoundKey(s, w[round ∗ Nb, (round + 1) ∗ Nb − 1])
    end for
    SubBytes(s)
    ShiftRows(s)
    AddRoundKey(s, w[Nr ∗ Nb, (Nr + 1) ∗ Nb − 1])
    out = s
Figure 2.1: The AES encryption (flowchart: Plaintext → AddRoundKey with RoundKey[0]; then SubBytes → ShiftRows → MixColumns → AddRoundKey with RoundKey[i] supplied by the Key Schedule, repeated until the final round; final round SubBytes → ShiftRows → AddRoundKey with RoundKey[Nr] → Ciphertext)
2.1.1 The SubBytes Transformation
The SubBytes transformation uses a substitution table (S-box) to provide the non-linear byte substitution. To meet the non-linearity requirement, the S-box is constructed by combining two transformations: an inverse function and an invertible affine transformation. In the first transformation, the elements of GF(2^8) are represented as polynomials of degree less than eight, with coefficients in GF(2). Multiplications are carried out modulo the irreducible polynomial x^8 + x^4 + x^3 + x + 1, and the multiplicative inverses are defined accordingly. The element {00} is mapped to itself. As the first transformation has a simple algebraic expression, which may lead to attacks such as algebraic attacks, it is essential to apply the second transformation to the construction. The second transformation is an affine transformation (over GF(2)), which can be expressed in the following matrix form:

$$
\begin{pmatrix} b_7 \\ b_6 \\ b_5 \\ b_4 \\ b_3 \\ b_2 \\ b_1 \\ b_0 \end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{pmatrix}
\begin{pmatrix} a_7 \\ a_6 \\ a_5 \\ a_4 \\ a_3 \\ a_2 \\ a_1 \\ a_0 \end{pmatrix}
+
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}.
\qquad (2.1)
$$

The substitution table is shown in Table 2.2 [37], with all elements in hexadecimal form. For example, if the input to the SubBytes transformation is {6f}, the output is {a8}.
x\y  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0  63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
 1  ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
 2  b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
 3  04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
 4  09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
 5  53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
 6  d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
 7  51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
 8  cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
 9  60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
 a  e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
 b  e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
 c  ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
 d  70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
 e  e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
 f  8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
Table 2.2: The substitution table of the AES algorithm (the input byte {xy} is looked up at row x, column y)
2.1.2 The ShiftRows Transformation
In the ShiftRows transformation, the bytes of each row in the state are cyclically shifted over different numbers of offsets. The design criteria for the offsets include optimal diffusion and other diffusion effects. The optimal diffusion is essential to provide resistance against attacks like linear and differential cryptanalysis. Other diffusion effects, such as resistance against truncated differential attacks and saturation attacks, also need to be taken into consideration. The designers set the offsets to 0, 1, 2 and 3 for the first, second, third and fourth row respectively. As a result, the first row is unchanged, and row i is cyclically shifted i byte(s) to the left, where i = 1, 2 or 3. The effect of the ShiftRows transformation on the state is shown in Figure 2.2.
row 0:  b0,0 b0,1 b0,2 b0,3  −→  b0,0 b0,1 b0,2 b0,3
row 1:  b1,0 b1,1 b1,2 b1,3  −→  b1,1 b1,2 b1,3 b1,0
row 2:  b2,0 b2,1 b2,2 b2,3  −→  b2,2 b2,3 b2,0 b2,1
row 3:  b3,0 b3,1 b3,2 b3,3  −→  b3,3 b3,0 b3,1 b3,2
Figure 2.2: The ShiftRows function
2.1.3 The MixColumns Transformation
The MixColumns function applies a linear transformation to the state, and it operates on the matrix column by column. Each column is treated as a polynomial over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial c(x), which is expressed as:

$$
c(x) = \{03\}x^3 + \{01\}x^2 + \{01\}x + \{02\}. \qquad (2.2)
$$

A matrix multiplication can be used to represent the modular multiplication with a fixed polynomial. Let b(x) = c(x) ⊗ a(x), where ⊗ denotes multiplication modulo x^4 + 1:

$$
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}
=
\begin{pmatrix}
02 & 03 & 01 & 01 \\
01 & 02 & 03 & 01 \\
01 & 01 & 02 & 03 \\
03 & 01 & 01 & 02
\end{pmatrix}
\times
\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}.
\qquad (2.3)
$$

To ensure good performance, the multiplication operation is implemented as follows: multiplication by the value 01 leaves the byte unchanged, multiplication by the value 02 is handled as shifting the byte to the left, and multiplication by the value 03 is treated as multiplication by 02 followed by an additional XOR operation with the operand.
2.1.4 The AddRoundKey Transformation
The AddRoundKey transformation adds a round key to the state by using a simple bitwise XOR operation. Each round key used in this transformation is derived from the secret key by employing the key schedule which is described in Section 2.3. Each round key has the same size as the state. Figure 2.3 depicts the effect of the AddRoundKey operation on the state.
a0,0 a0,1 a0,2 a0,3     k0,0 k0,1 k0,2 k0,3     b0,0 b0,1 b0,2 b0,3
a1,0 a1,1 a1,2 a1,3  ⊕  k1,0 k1,1 k1,2 k1,3  =  b1,0 b1,1 b1,2 b1,3
a2,0 a2,1 a2,2 a2,3     k2,0 k2,1 k2,2 k2,3     b2,0 b2,1 b2,2 b2,3
a3,0 a3,1 a3,2 a3,3     k3,0 k3,1 k3,2 k3,3     b3,0 b3,1 b3,2 b3,3
Figure 2.3: The AddRoundKey operation
2.2 Decryption
For decryption, the cipher takes a ciphertext and a key as two input parameters and outputs the corresponding plaintext. The four transformations, SubBytes, ShiftRows, MixColumns and AddRoundKey, can be inverted and applied in reverse order to provide the decryption of the cipher. The decryption algorithm is expressed in pseudocode in Procedure 2.2 [88]. The decryption process is depicted in Figure 2.4. The inverse operations of SubBytes, ShiftRows and MixColumns are denoted InvSubBytes, InvShiftRows and InvMixColumns, respectively. Note that the inverse of AddRoundKey is AddRoundKey itself. The four inverse transformations are described as follows.
Procedure 2.2 [88] InvCipher(byte in[4 ∗ Nb], byte out[4 ∗ Nb], word w[Nb ∗ (Nr + 1)])
    byte s[4, Nb]
    s = in
    AddRoundKey(s, w[Nr ∗ Nb, (Nr + 1) ∗ Nb − 1])
    for round = Nr − 1 downto 1 do
        InvShiftRows(s)
        InvSubBytes(s)
        AddRoundKey(s, w[round ∗ Nb, (round + 1) ∗ Nb − 1])
        InvMixColumns(s)
    end for
    InvShiftRows(s)
    InvSubBytes(s)
    AddRoundKey(s, w[0, Nb − 1])
    out = s
2.2.1 The InvSubBytes Transformation
The InvSubBytes function applies the inverse S-box to each byte of the state. The operation is carried out by inverting the affine transformation defined in Equation (2.1) and then taking the multiplicative inverse in GF(2^8). The inverse of Equation (2.1) is defined in Equation (2.4). The inverse S-box is shown in Table 2.3 [37].

$$
\begin{pmatrix} y_7 \\ y_6 \\ y_5 \\ y_4 \\ y_3 \\ y_2 \\ y_1 \\ y_0 \end{pmatrix}
=
\begin{pmatrix}
0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 0 & 1 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\
1 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 \\
1 & 0 & 1 & 0 & 0 & 1 & 0 & 0
\end{pmatrix}
\begin{pmatrix} x_7 \\ x_6 \\ x_5 \\ x_4 \\ x_3 \\ x_2 \\ x_1 \\ x_0 \end{pmatrix}
+
\begin{pmatrix} 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 1 \\ 0 \\ 1 \end{pmatrix}.
\qquad (2.4)
$$
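The following is an added example, not part of the thesis: it builds the AES S-box from the two steps of Section 2.1.1 (inversion in GF(2^8) under x^8 + x^4 + x^3 + x + 1, then the affine map of Equation (2.1)) and undoes it in the order of Section 2.2.1 (Equation (2.4), then field inversion), checking the result against the first row of Table 2.2. Function names are my own.

```python
# Added example (not from the thesis): the AES S-box and inverse S-box computed
# from their definitions rather than read from Tables 2.2 and 2.3.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8), reducing modulo AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); {00} is mapped to itself."""
    if a == 0:
        return 0
    # In a field with 2^8 elements, a^(2^8 - 2) = a^254 is the inverse of a.
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def affine(a: int) -> int:
    """Equation (2.1): b_i = a_i + a_(i+4) + a_(i+5) + a_(i+6) + a_(i+7) + c_i, c = {63}."""
    b = 0
    for i in range(8):
        bit = 0
        for k in (0, 4, 5, 6, 7):
            bit ^= (a >> ((i + k) % 8)) & 1
        b |= bit << i
    return b ^ 0x63


def inv_affine(b: int) -> int:
    """Equation (2.4): a_i = b_(i+2) + b_(i+5) + b_(i+7) + d_i, d = {05}."""
    a = 0
    for i in range(8):
        bit = 0
        for k in (2, 5, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        a |= bit << i
    return a ^ 0x05


def sbox(x: int) -> int:
    """SubBytes on one byte: field inverse first, then the affine map."""
    return affine(gf_inv(x))


def inv_sbox(y: int) -> int:
    """InvSubBytes on one byte: inverse affine map first, then field inverse."""
    return gf_inv(inv_affine(y))


# Row 0 of Table 2.2 (inputs {00} .. {0f}), copied from the thesis for checking.
TABLE_2_2_ROW_0 = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                   0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76]


def construction_matches_table() -> bool:
    """True if the computed S-box reproduces the printed row and inv_sbox undoes it."""
    row_ok = [sbox(x) for x in range(16)] == TABLE_2_2_ROW_0
    return row_ok and all(inv_sbox(sbox(x)) == x for x in range(256))
```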
2.2.2 The InvShiftRows Transformation
In the InvShiftRows operation, the first row is unchanged, and row i is cyclically shifted i byte(s) to the right, where i = 1, 2 or 3. The effect of the InvShiftRows function on the state is depicted in Figure 2.5.
Figure 2.4: The AES decryption (flowchart: Ciphertext → AddRoundKey with RoundKey[Nr]; then InvShiftRows → InvSubBytes → AddRoundKey with RoundKey[i] supplied by the Key Schedule → InvMixColumns, repeated Nr − 1 times; then InvShiftRows → InvSubBytes → AddRoundKey with RoundKey[0] → Plaintext)
row 0:  b0,0 b0,1 b0,2 b0,3  −→  b0,0 b0,1 b0,2 b0,3
row 1:  b1,0 b1,1 b1,2 b1,3  −→  b1,3 b1,0 b1,1 b1,2
row 2:  b2,0 b2,1 b2,2 b2,3  −→  b2,2 b2,3 b2,0 b2,1
row 3:  b3,0 b3,1 b3,2 b3,3  −→  b3,1 b3,2 b3,3 b3,0
Figure 2.5: The InvShiftRows transformation
2.2.3 The InvMixColumns Transformation
The InvMixColumns transformation is the inverse of the MixColumns operation. Each column of the state is multiplied modulo x^4 + 1 with a fixed polynomial d(x), defined as:

$$
d(x) = \{0b\}x^3 + \{0d\}x^2 + \{09\}x + \{0e\}. \qquad (2.5)
$$

The modular multiplication with the fixed polynomial can be represented by a matrix multiplication. Let b(x) = d(x) ⊗ a(x):

$$
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}
=
\begin{pmatrix}
0e & 0b & 0d & 09 \\
09 & 0e & 0b & 0d \\
0d & 09 & 0e & 0b \\
0b & 0d & 09 & 0e
\end{pmatrix}
\times
\begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix}.
\qquad (2.6)
$$
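An added example (my own code, not from the thesis) of the column operations of Sections 2.1.3 and 2.2.3: multiplication by {02} as the left shift described in Section 2.1.3, with the reduction by x^8 + x^4 + x^3 + x + 1 that the shift needs when a bit is carried out, and the matrices of Equations (2.3) and (2.6) applied to one column. Function names are my own.

```python
# Added example (not from the thesis): MixColumns and InvMixColumns on a column
# using the shift-based multiplication of Section 2.1.3.

def xtime(a: int) -> int:
    """Multiply by {02}: shift the byte left one bit; if a bit is carried out of
    the byte, reduce modulo x^8 + x^4 + x^3 + x + 1 (i.e. XOR with {1b})."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def mul(a: int, c: int) -> int:
    """Multiply a by a small constant c by combining xtime() results,
    e.g. {03}·a = {02}·a ^ a and {0e}·a = {08}·a ^ {04}·a ^ {02}·a."""
    result, power = 0, a
    while c:
        if c & 1:
            result ^= power
        power = xtime(power)
        c >>= 1
    return result


def mix_column(col):
    """Equation (2.3): multiply the column [a0, a1, a2, a3] by the matrix of c(x)."""
    a0, a1, a2, a3 = col
    return [mul(a0, 2) ^ mul(a1, 3) ^ a2 ^ a3,
            a0 ^ mul(a1, 2) ^ mul(a2, 3) ^ a3,
            a0 ^ a1 ^ mul(a2, 2) ^ mul(a3, 3),
            mul(a0, 3) ^ a1 ^ a2 ^ mul(a3, 2)]


def inv_mix_column(col):
    """Equation (2.6): multiply the column by the matrix of d(x)."""
    a0, a1, a2, a3 = col
    return [mul(a0, 0xe) ^ mul(a1, 0xb) ^ mul(a2, 0xd) ^ mul(a3, 0x9),
            mul(a0, 0x9) ^ mul(a1, 0xe) ^ mul(a2, 0xb) ^ mul(a3, 0xd),
            mul(a0, 0xd) ^ mul(a1, 0x9) ^ mul(a2, 0xe) ^ mul(a3, 0xb),
            mul(a0, 0xb) ^ mul(a1, 0xd) ^ mul(a2, 0x9) ^ mul(a3, 0xe)]


def mix_columns(state):
    """MixColumns on a state given as a list of four columns."""
    return [mix_column(col) for col in state]


def inv_mix_columns(state):
    """InvMixColumns on a state given as a list of four columns."""
    return [inv_mix_column(col) for col in state]
```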
x\y  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0  52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
 1  7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
 2  54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
 3  08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
 4  72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
 5  6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
 6  90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
 7  d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
 8  3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
 9  96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
 a  47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
 b  fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
 c  1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
 d  60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
 e  a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
 f  17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d
Table 2.3: The inverse S-box (the input byte {xy} is looked up at row x, column y)
2.2.4 The Inverse of the AddRoundKey Transformation
The AddRoundKey transformation is its own inverse as it only involves the XOR operation.
2.3 The Key Schedule
The AES algorithm uses the key schedule to expand the cipher key into the round keys. The total number of words in the round keys generated by the key schedule is equal to Nb ∗ (Nr + 1), since the algorithm requires a block of Nb words for the initial key addition, and each of the Nr rounds needs Nb words of key data. The round keys are represented as a linear array of 4-byte words, denoted by W[i], with i in the range 0 ≤ i < Nb ∗ (Nr + 1). The key expansion is described in pseudocode in Procedure 2.3 [88]. RotWord (RW) is a transformation that takes a four-byte word [b0, b1, b2, b3] as input and cyclically rotates it by one byte, returning the word [b1, b2, b3, b0]; it is depicted in Figure 2.6. SubWord (SW) is a transformation that takes a word as input, and uses the SubBytes operation described in Section 2.1.1 to substitute each byte of the input. The SubWord operation is depicted in Figure 2.7. Rcon[i] is a word array that contains the round constants. The constants are values given by [x^{i−1}, 00, 00, 00] with x^{i−1} being
Procedure 2.3 [88] KeyExpansion(byte key[4 ∗ Nk], word W[Nb ∗ (Nr + 1)], Nk)
    word temp
    i = 0
    while (i < Nk) do
        W[i] = word(key[4 ∗ i], key[4 ∗ i + 1], key[4 ∗ i + 2], key[4 ∗ i + 3])
        i = i + 1
    end while
    i = Nk
    while (i < Nb ∗ (Nr + 1)) do
        temp = W[i − 1]
        if (i mod Nk = 0) then
            temp = SubWord(RotWord(temp)) ⊕ Rcon[i/Nk]
        else if (Nk = 8 and i mod Nk = 4) then
            temp = SubWord(temp)
        end if
        W[i] = W[i − Nk] ⊕ temp
        i = i + 1
    end while
RotWord:  [b0, b1, b2, b3]  −→  [b1, b2, b3, b0]
Figure 2.6: The RotWord transformation
SubWord:  [b0, b1, b2, b3]  −→  [SB(b0), SB(b1), SB(b2), SB(b3)]
Figure 2.7: The SubWord operation
It is demonstrated in Procedure 2.3 that the cipher key is copied to the first Nk words of the array W. The calculation of every following word, W[i], is carried out by XORing the previous word, W[i − 1], with the word Nk positions earlier, W[i − Nk]. For words in positions that are a multiple of Nk, the key schedule first applies the RotWord and SubWord transformations to W[i − 1], and then XORs the resulting W[i − 1] with W[i − Nk] and a round constant, Rcon[i].
2.3.1 The AES-128 Key Schedule
Figure 2.8: The AES-128 key schedule (diagram: the 128-bit key fills W[0] to W[3]; each following group W[4j] to W[4j + 3], j = 1, …, 10, is derived from the previous group, with RW, SW and Rcon[j] applied on the path to W[4j])
Let K be a 128-bit secret key, denoted by four words: K = (K0, K1, K2, K3), where Ki is a four-byte word. The expanded round keys are contained in a four-byte word array W[i], 0 ≤ i ≤ 43. In the key schedule of AES-128, W[i] is defined by the following method:

$$
W[i] =
\begin{cases}
K_i, & 0 \le i < 4; \\
W[i-4] \oplus W[i-1], & 4 \le i \le 43 \text{ and } i \bmod 4 \neq 0; \\
W[i-4] \oplus f(W[i-1]), & 4 \le i \le 43 \text{ and } i \bmod 4 = 0;
\end{cases}
$$

where f(W[i − 1]) = SubWord(RotWord(W[i − 1])) ⊕ Rcon[i/4]. Figure 2.8 gives a diagrammatic representation of the AES-128 key schedule.
2.3.2 The AES-192 Key Schedule
Figure 2.9: The AES-192 key schedule (diagram: the 192-bit key fills W[0] to W[5]; each following group W[6j] to W[6j + 5], j = 1, …, 8, is derived from the previous group, with RW, SW and Rcon[j] applied on the path to W[6j]; the last group ends at W[51])
We represent a 192-bit cipher key K as 6 four-byte words: K = (K0, K1, K2, K3, K4, K5), where Ki is a four-byte word. A four-byte word array W[i], 0 ≤ i ≤ 51, is used to store the expanded round keys. The key schedule of AES-192 employs the following formula to calculate W[i]:

$$
W[i] =
\begin{cases}
K_i, & 0 \le i < 6; \\
W[i-6] \oplus W[i-1], & 6 \le i \le 51 \text{ and } i \bmod 6 \neq 0; \\
W[i-6] \oplus f(W[i-1]), & 6 \le i \le 51 \text{ and } i \bmod 6 = 0;
\end{cases}
$$

where f(W[i − 1]) = SubWord(RotWord(W[i − 1])) ⊕ Rcon[i/6]. The AES-192 key schedule is illustrated in Figure 2.9, which was presented in [42].
2.3.3 The AES-256 Key Schedule
Figure 2.10: The AES-256 key schedule (diagram: the 256-bit key fills W[0] to W[7]; each following group W[8j] to W[8j + 7], j = 1, …, 7, is derived from the previous group, with RW, SW and Rcon[j] applied on the path to W[8j] and an extra SW on the path to W[8j + 4]; the last group ends at W[59])
Assume that K is a 256-bit secret key, expressed as 8 four-byte words: K = (K0, K1, …, K7), where Ki is a four-byte word. The resultant round keys are contained in a four-byte word array W[i], 0 ≤ i ≤ 59. In the key schedule of AES-256, the calculation of W[i] is determined by the following routine:

$$
W[i] =
\begin{cases}
K_i, & 0 \le i < 8; \\
W[i-8] \oplus W[i-1], & 8 \le i \le 59 \text{ and } i \bmod 8 \notin \{0, 4\}; \\
W[i-8] \oplus f(W[i-1]), & 8 \le i \le 59 \text{ and } i \bmod 8 = 0; \\
W[i-8] \oplus g(W[i-1]), & 8 \le i \le 59 \text{ and } i \bmod 8 = 4;
\end{cases}
$$

where f(W[i − 1]) and g(W[i − 1]) are defined as follows: f(W[i − 1]) = SubWord(RotWord(W[i − 1])) ⊕ Rcon[i/8], g(W[i − 1]) = SubWord(W[i − 1]).
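The key expansion of Sections 2.3.1 to 2.3.3 in one routine parameterised by Nk, as an added example that is my own code, not the thesis's or the standard's: RotWord, SubWord and Rcon are built as described above, the S-box is Table 2.2 written out as a flat 256-byte string, and the Nk = 8 branch applies the extra SubWord at i mod 8 = 4. Function names are my own.

```python
# Added example (not from the thesis): AES key expansion for Nk = 4, 6 and 8.
# SBOX is Table 2.2 of the thesis, rows 0 to f, as a flat 256-byte lookup table.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)


def rot_word(w):
    """RotWord: [b0, b1, b2, b3] -> [b1, b2, b3, b0] (Figure 2.6)."""
    return w[1:] + w[:1]


def sub_word(w):
    """SubWord: apply the S-box to each byte of the word (Figure 2.7)."""
    return [SBOX[b] for b in w]


def rcon(i):
    """Rcon[i] = [x^(i-1), 00, 00, 00], with x^(i-1) computed in GF(2^8)."""
    c = 1
    for _ in range(i - 1):
        c = (c << 1) ^ (0x11B if c & 0x80 else 0)  # multiply by x, reduce if needed
    return [c, 0, 0, 0]


def key_expansion(key: bytes):
    """Return the Nb*(Nr+1) round-key words W[i] for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4
    nr = {4: 10, 6: 12, 8: 14}[nk]          # Table 2.1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]  # W[0..Nk-1] = the key
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            # f(W[i-1]) = SubWord(RotWord(W[i-1])) xor Rcon[i/Nk]
            temp = [a ^ b for a, b in zip(sub_word(rot_word(temp)), rcon(i // nk))]
        elif nk == 8 and i % nk == 4:
            temp = sub_word(temp)            # g(W[i-1]): AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return w


def round_key_hex(w, r):
    """Round key r as a hex string, i.e. words W[4r] .. W[4r+3]."""
    return bytes(sum(w[4 * r:4 * r + 4], [])).hex()
```

The FIPS-197 appendix key expansion vectors can be used to check the routine: for the AES-128 key 2b7e151628aed2a6abf7158809cf4f3c the first derived word W[4] is a0fafe17, and for the AES-256 key 603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4 the extra-SubWord word W[12] is a8b09c1a.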
The AES-256 key schedule is demonstrated in Figure 2.10. The AES-256 key schedule (Nk = 8) is slightly different from the AES-128 and AES-192 key schedules. If Nk = 8 and i − 4 is a multiple of Nk, an extra SubWord operation is applied to W[i − 1] prior to the XOR operation. For instance, if i = 12, the AES-256 key schedule carries out an extra SubWord operation on W[11] before XORing it with W[4] (see Figure 2.10).
Chapter 3
Cryptanalysis of AES
Rijndael has a simple, elegant and efficient design. It was designed to resist all known attacks, which include two classic cryptanalytic methods: differential cryptanalysis [16] and linear cryptanalysis [80]. Linear cryptanalysis and differential cryptanalysis are two powerful techniques in block cipher cryptanalysis, and both need to be taken into account when designing any new cipher. Resistance against differential and linear cryptanalysis was the most important criterion in the design of Rijndael. The designers of Rijndael, Joan Daemen and Vincent Rijmen, provided justification in [37] for the belief that Rijndael is secure against differential and linear cryptanalysis. On the other hand, cryptanalysis of AES has been a hot research topic since Rijndael was selected as the standard. Since 2000, there have been many research efforts aiming to find weaknesses in this cipher and exploit potential vulnerabilities to attack this cryptographic algorithm. This chapter provides a brief overview of the cryptanalysis of AES. While some techniques described in this chapter have already been used to attack reduced-round or full-round AES, others are only ideas and observations, which have not led to any attack so far.
This chapter is organised as follows. In order to describe the ideas of differential cryptanalysis and linear cryptanalysis in detail, we start with a short description of the Data Encryption Standard (DES) in Section 3.1. Then, we outline the technique of differential cryptanalysis in Section 3.2, and highlight the main idea of linear cryptanalysis in Section 3.3. Section 3.4 demonstrates the resistance of AES against differential and linear cryptanalysis. Section 3.5 presents the square attack, and Section 3.6 outlines the collision attack. In Section 3.7, we describe the boomerang attack together with the amplified boomerang attack and the rectangle attack. In Section 3.8, we provide a description of impossible differential cryptanalysis. We explain the concept of dual ciphers in Section 3.9, and provide a sketch of the algebraic attacks in Section 3.10. Section 3.11 presents the idea of related-key attacks, and some recent results of related-key cryptanalysis of AES. Section 3.12 describes the technique of biclique cryptanalysis, and demonstrates how this cryptanalytic tool is combined with the meet-in-the-middle approach to carry out key recovery attacks on full versions of AES. Section 3.13 provides a brief summary of the attacks described in this chapter.
3.1 A Brief Description of DES
The DES [86] algorithm was designed to encrypt blocks of data containing 64 bits under the control of a 56-bit key. DES is considered the successor of the Lucifer [45] cipher, which was developed by Horst Feistel and his colleagues at IBM in the 1970s. DES consists of 16 iterations of a round function, named the F-function, together with an initial permutation (IP) and a final permutation (FP). A sketch of the DES encryption is given in Figure 3.1, where K1, K2, …, K16 are the subkeys. Note that the subkeys are derived from the 56-bit secret key by the key scheduling algorithm.
Figure 3.1: Sketch of the DES encryption (Plaintext → IP → round 1 of the F-function with subkey K1 → round 2 with subkey K2 → …)