UNIVERSITY OF WOLLONGONG

Observations on the Cryptologic Properties of the AES Algorithm

A thesis submitted in fulfillment of the requirements for the award of the degree

Doctor of Philosophy

from

UNIVERSITY OF WOLLONGONG

by

Beomsik Song

School of Information Technology and Computer Science

April 2004

© Copyright 2004

by

Beomsik Song

All Rights Reserved

Dedicated to my mother, father, daughter, son and wife

Certification

This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution.

Beomsik Song April 5, 2004

Abstract

The AES algorithm is a symmetric block cipher, which will replace DES for the next few decades. This cipher has been reputed to be secure against conventional cryptanalytic methods, such as DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), but the simple algebraic structure of the cipher has led to some commentators’ concerns about its security. The purpose of this study is to observe the cryptologic properties of the AES algorithm from a new point of view, and to examine the security of this cipher on the basis of these observations. Some well-known research studies on the security of the AES algorithm are reviewed first, classified into four categories. We then discuss the cyclic properties and consistent differential patterns of this cipher using our own observations, which have been introduced in [7, 8, 9]. In terms of the cyclic properties of the AES algorithm, we have observed that every function used in the AES algorithm has a very short period, and that each layer has a short period as well. But we note that although the maximal periods of both the non-linear layer and the linear layer are short, the maximal period is dramatically increased when these two layers are combined. However, more importantly, we have observed that the AES algorithm still has a very unusual cyclic property for certain types of input blocks even in the combined layer, so that input blocks having short periods have simple hidden algebraic relations with their corresponding output blocks. In conjunction with the consistent differential patterns of the AES algorithm, we note that the AES structure is very well designed to be secure against DC and LC, as has previously been known. But we have also observed that it leads to some consistent differential patterns after certain rounds, which can be used for its cryptanalysis.

Acknowledgements

First of all, I sincerely and deeply thank Professor Jennifer Seberry, my supervisor. She has always helped me whenever I was in difficulty. I shall never forget her constant affection towards students. I hope that I will have an opportunity to requite her kindness some day.

I also cordially acknowledge those who allowed me to do my Ph.D study and who reserved my position at work during my period of study. Without their help, I would not have been able to study. I will always remember their support.

I would also like to thank Ken Finlayson for his cordial assistance during my studies. I do not know how to thank him for his kindness.

Finally, my thanks go to Professor Reihaneh Safavi-Naini, Doctor Yejing Wang, and Doctor Tianbing Xia as well for the various ways in which they have supported me.

List of Publications

The author has published some papers in this area. The papers are listed below and indicate the work done by the author in the preparation of this thesis.

• B. Song, H. Wang, and J. Seberry, “A New Cryptanalytic Method Using the Distribution Characteristics of Substitution Distances”, Proceedings of ICISC 2001, Lecture Notes In Computer Science Vol.2288, pp.18-31, Springer-Verlag, Berlin, 2002.

• B. Song and J. Seberry, “Consistent Differential Patterns of Rijndael”, Proceedings of ICISC 2002, Lecture Notes In Computer Science Vol.2587, pp.149-163, Springer-Verlag, Berlin, 2003.

• B. Song and J. Seberry, “Further Observations on the Structure of the AES Algorithm”, Proceedings of FSE 2003, Lecture Notes In Computer Science Vol.2887, pp.223-234, Springer-Verlag, Berlin, 2003.

• B. Song, J. Seberry and T. Xia, “Design Concept of a -Dependent ” (submitted).

Contents

Abstract v

Acknowledgements vi

List of Publications vii

1 Introduction 1

2 Description of the AES Algorithm ...... 5
2.1 Basic mathematics operations ...... 5
2.2 Outline of the structure ...... 7
2.3 Specification of the functions ...... 8
2.4 Expansion of the Cipher Key ...... 12
2.5 Inverse cipher ...... 14

3 Cryptologic Properties of the AES Algorithm ...... 16
3.1 Immunity against DC and LC ...... 16
3.2 Distinctive output properties of the structure ...... 19
3.3 Cryptologic properties of the key schedule ...... 25
3.4 Algebraic properties of the algorithm ...... 29

4 Cyclic Properties of the AES Algorithm ...... 39
4.1 Cyclic properties of each function ...... 40
4.1.1 Cyclic properties of the SubBytes transformation ...... 41
4.1.2 Cyclic properties of the ShiftRows transformation ...... 43
4.1.3 Cyclic properties of the MixColumns transformation ...... 43
4.2 Cyclic properties of combined functions ...... 46
4.2.1 Cyclic properties of the linear layer ...... 46
4.2.2 Cyclic properties of the combined layer ...... 48
4.3 Comparison with DES ...... 51

5 Security Impact of the Cyclic Property ...... 54
5.1 Cyclic properties of the elementary structure ...... 54
5.2 Cryptologic impact ...... 56
5.3 Interim conclusion ...... 59

6 Distinctive Output Properties of the AES Algorithm ...... 61
6.1 Differential properties of the S-box ...... 62
6.1.1 Distribution of output differences ...... 62
6.1.2 Relationship between the S-box and the keys ...... 64
6.1.3 Relationship between the ES-box and the keys ...... 65
6.1.4 Relationship between the elementary structure and the keys ...... 66
6.2 Distinctive output properties of MixColumn ...... 67
6.3 Consistent differential patterns of the AES algorithm ...... 68
6.3.1 Concept of the consistent differential pattern ...... 69
6.3.2 Second-round consistent differential patterns ...... 69
6.3.3 2 2/3rd-round consistent differential patterns ...... 72
6.3.4 Third-round consistent differential pattern ...... 73
6.3.5 Fourth-round consistent differential patterns ...... 75
6.3.6 Fifth-round consistent differential pattern ...... 78

7 Security Impact of the Consistent Differential Pattern ...... 81
7.1 Three rounds ...... 81
7.2 Four rounds ...... 83
7.3 Five rounds ...... 85
7.4 Six rounds ...... 87
7.5 Seven-round extension ...... 91

8 Conclusion 92

A Classifying the substitution values in the ES-box 94

B Distribution of output differences 101

C Implementation results of the five-round cryptanalysis 105

Bibliography 109

List of Figures

1.1 Elementary structure of the SPN structure block cipher ...... 2

2.1 Outline of the AES algorithm ...... 7
2.2 Mixing of four bytes in a column ...... 11
2.3 Illustration of the InvShiftRows transformation ...... 14
2.4 Mixing of four bytes in the InvMixColumns transformation ...... 15

3.1 Illustration of the third-round balanced property ...... 20
3.2 Fourth-round collision distinguisher of the AES algorithm ...... 23
3.3 Correlations between the bytes of the expanded key ...... 28
3.4 Re-grouping of the functions in the elementary structure ...... 30

4.1 Elementary structure of the AES algorithm ...... 40
4.2 Illustration of the ShiftRows transformation ...... 43
4.3 Re-ordering of SubBytes and ShiftRows ...... 50

5.1 Simple plaintext-ciphertext algebraic relationship in the cipher itself ...... 58

6.1 Example of the distribution of output differences in the S-box ...... 63
6.2 Substitution in the S-box ...... 64
6.3 Substitution in the composition of the S-box and MixColumn ...... 66
6.4 Elementary structure surrounded by round keys ...... 67
6.5 Second-round consistent differential patterns 1 ...... 71
6.6 Second-round consistent differential patterns 2 ...... 71
6.7 2 2/3rd-round consistent differential patterns ...... 73
6.8 Third-round consistent differential pattern ...... 74

7.1 Checking the fourth-round consistent differential pattern ...... 88

List of Tables

1.1 Fifteen candidates for the Advanced Encryption Standard ...... 1

2.1 S-box of the AES algorithm ...... 9
2.2 S-box^-1 of the AES algorithm ...... 14

3.1 Complexities of the attack against the AES algorithm ...... 21
3.2 Complexities of the IDC against the AES algorithm ...... 22

4.1 Classifying the substitution values in the S-box ...... 41
4.2 ES-box ...... 49
4.3 Classifying the substitution values in the ES-box ...... 51
4.4 P-box of DES ...... 52

Chapter 1

Introduction

In 1997, the NIST (National Institute of Standards and Technology) initiated an open call to develop the AES (Advanced Encryption Standard) algorithm to replace DES (Data Encryption Standard) for the next few decades [60]. Fifteen cipher algorithms summarised in Table 1.1 were announced as candidates at the first AES Candidate Conference in August 1998 [61], and then five algorithms were selected as the finalists in August 1999, after the second AES Candidate Conference [62]. These are MARS [11], RC6 [66], Rijndael [28], Serpent [65], and Twofish [3].

Algorithm   Origin                    Structure (Rounds)
CRYPTON     Korea                     SPN structure (12)
CAST-256    Canada                    Modified Feistel structure (48)
DEAL        Canada and Norway         Feistel structure (6)
DFC                                   Feistel structure (8)
E2          Japan                     Feistel structure (12)
FROG        Costa Rica                (8)
HPC         USA                       Modified Feistel structure (8)
LOKI97      Australia                 Feistel structure (16)
MAGENTA                               Feistel structure (6)
MARS        USA                       Modified Feistel structure (32)
RC6         USA                       Modified Feistel structure (20)
RIJNDAEL    Belgium                   SPN structure (10)
SAFER+      USA                       SPN structure (8)
SERPENT     UK, Norway and Israel     SPN structure (32)
TWOFISH     USA                       Feistel structure (16)

Table 1.1: Fifteen candidates for the Advanced Encryption Standard

Then Rijndael [28], a well-designed SPN (Substitution Permutation Network) structure block cipher, was adopted (26th November 2001) as the AES algorithm (FIPS PUB 197) [63].

Note: As is well known, together with the Feistel structure [3, 39, 43, 59], the SPN structure [12, 27, 34, 65] is the most commonly used block cipher structure. One round usually consists of two layers: a non-linear substitution layer and a linear transformation layer, as described in Figure 1.1. The non-linear layer takes charge of obscuring the relationship between the plaintext and the ciphertext (confusion), and the linear layer has the role of dissipating the redundancy of the plaintext by spreading it over the ciphertext (diffusion) [4, 5]. These kinds of block ciphers ensure their security by the repetition of the elementary structure.

[Figure 1.1 (diagram): inputs X and X′ are XORed with the round key; the bytes I_0, I_1, I_2, I_3, …, I_p, …, I_q, …, I_{n-1} pass through the S-box, giving S(I_0), S(I_1), …, S(I_{n-1}); a linear transformation then produces the outputs Y and Y′.]

Figure 1.1: Elementary structure of the SPN structure block cipher

The AES algorithm (Rijndael) has been reputed to be secure against conventional cryptanalytic methods [28, 52], such as DC (Differential Cryptanalysis) [19] and LC (Linear Cryptanalysis) [50], and throughout the AES selection process its security was examined with considerable cryptanalytic methods [22, 25, 28, 58, 68]. Also, the designers have stated that the AES algorithm was designed to be secure against some other known cryptanalytic methods, such as truncated differential cryptanalysis [46, 47], related key attack [23, 33], and [75]. However, despite the novelty [29] and advantages [62, 64] of the AES algorithm, the simple algebraic structure of this cipher has led to some commentators’ concerns about the security of this cipher [48, 57, 67, 69, 70]. In particular, S. Murphy and M.J.B. Robshaw [69, 70] have modified the original structure of the AES algorithm so that the affine transformation, which is one of the functions used for generating the S-box (non-linear layer), moves to the linear layer, and have shown that any input to the modified linear layer of the AES algorithm is mapped to itself after 16 iterations of the modified linear transformation (that is, the maximal period of the modified linear layer is 16) [69, 70]. Based on these observations, they have noted that the linear layer of the AES algorithm is surprisingly ineffective at “mixing data” (definition in Chapter 3), contrary to what might have been expected. They have also remarked that the unusual properties of the linear layer could imply considerable algebraic weaknesses of the AES algorithm from a cryptanalytic point of view. However, this research has led to an immediate refutation by the designers of the AES algorithm [29], because their observations have been restricted to the linear layer, and because they have not shown practical connections between the short period of the modified linear layer and cryptological weaknesses of this cipher. More recently, through the proposal of the XSL attack, N. Courtois and J. Pieprzyk have shown that the AES algorithm has unexpected algebraic properties, and that the AES algorithm can be described by a system of overdefined and sparse quadratic equations [55, 56]. They have also noted that the security of the AES algorithm is equivalent to the difficulty of solving this system. From their observations, they have remarked that “the security of Rijndael does not grow exponentially with the number of rounds”, and have commented that “in order to prevent such attacks, at least a few S-boxes in a cipher should not be described by a small system of overdefined multivariate equations”. S. Murphy and M.J.B. Robshaw have also supported this idea in [71, 72].

However, in spite of this significant progress in the cryptanalysis of the AES algorithm, it is still arguable whether the AES algorithm is seriously weak from a cryptological point of view. Considering that the AES algorithm is a representative SPN structure block cipher, and will be used for the next few decades, it is worth analysing the cryptologic properties of the AES algorithm in further depth. If we understand which part of the AES algorithm causes weakness from a cryptologic perspective, then it can be considered in the design of other SPN structure block ciphers.

In this thesis, we introduce our further studies on the cryptologic properties of the AES algorithm. In Chapter 2, we first describe the structure of the AES algorithm, which we will study in this thesis. In Chapter 3, we then review some of the cryptologic properties of the AES algorithm which have been observed since Rijndael was proposed for the process of the AES selection. For the review, we classify the previous observations into four categories: the immunity of the AES algorithm against DC and LC, distinctive output properties of the AES structure, cryptologic properties of the key schedule, and algebraic properties of the algorithm. From Chapter 4 on, we discuss our own observations on the cryptologic properties of the AES algorithm. In Chapter 4, we study the cyclic properties of the AES algorithm. We observe that every function used in the AES algorithm has a very short period, and that each layer has a short period as well. But we note that although the maximal periods of both the non-linear layer and the linear layer are short, the maximal period is dramatically increased when these two layers are combined. In Chapter 5, we discuss the impact of the cyclic properties on the security of the AES algorithm. We find that the AES algorithm has a very unusual cyclic property for certain types of input blocks. We show that input blocks with short periods could have relatively simple hidden algebraic relationships with their corresponding output blocks. In Chapter 6, we observe some distinctive output properties of the AES algorithm. We first discuss the differential properties of the S-box used in the non-linear layer. We then find some distinctive output properties of the matrix multiplication used in the linear layer. After this, we discuss consistent differential patterns of the AES algorithm. We show that the AES algorithm is very well designed to be secure against DC (the S-box yields well-distributed output differences for any input difference), but that it leads to some consistent differential patterns after certain rounds. Before discussing the consistent differential patterns of the AES algorithm, we define the concept of the consistent differential pattern. In Chapter 7, we show the impact of the consistent differential patterns on the security of the AES algorithm. Finally, in Chapter 8, we summarise our observations.

Chapter 2

Description of the AES Algorithm

In this chapter, we describe the structure of the AES algorithm. We first specify the basic mathematics operations used in the algorithm: addition and multiplication. We then explain the outline of the structure, followed by the role of each function. Finally, we describe the procedures of the key expansion and the inverse cipher. Although the structure of Rijndael [28] is the same as that of the AES algorithm, we have used the Standard [63] itself for the basis of our discussion and study. When we refer to the non-standard part (for example, 192 or 256-bit data blocks), we will use the representation of Rijndael.

2.1 Basic mathematics operations

All the bytes in the algorithm are interpreted as finite field elements using a polynomial representation, as described below:

$$b_7x^7 + b_6x^6 + b_5x^5 + b_4x^4 + b_3x^3 + b_2x^2 + b_1x + b_0 = \sum_{i=0}^{7} b_i x^i.$$

For example, the byte ‘e7′ = (11100111) identifies the specific finite field element $x^7 + x^6 + x^5 + x^2 + x + 1$. Throughout the algorithm, all the input bytes are added and multiplied as outlined below; that is, the algorithm uses the following mathematical concepts for addition and multiplication.

Addition

In the polynomial representation, the addition of two elements in a finite field is the sum modulo 2 of the coefficients for the corresponding powers in the polynomials for the two elements. That is, the addition is performed with the bitwise XOR (denoted by ⊕) at the byte level. For example, the addition of ‘57′ and ‘83′ can be described as

$$(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2$$

in the polynomial notation and as

$$(01010111) \oplus (10000011) = (11010100)$$

in the binary notation, so the result is ‘d4′ in the hexadecimal notation.

Multiplication

In the polynomial representation, the multiplication (denoted by ·) in $GF(2^8)$ of two elements is achieved by the multiplication of polynomials modulo an irreducible polynomial of degree 8. For the AES algorithm, this irreducible polynomial is given by

$$m(x) = x^8 + x^4 + x^3 + x + 1.$$

For example, ‘57′ · ‘83′ = ‘c1′ due to the following polynomial computations:

$$(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^{13} + x^{11} + x^9 + x^8 + x^7 + x^7 + x^5 + x^3 + x^2 + x + x^6 + x^4 + x^2 + x + 1 = x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1$$

and

$$(x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) \bmod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1 = (11000001) = \text{‘c1′}.$$

The modular reduction by the irreducible polynomial $m(x)$ ensures that the result will be a binary polynomial of degree less than 8. The multiplication defined above is associative and there exists a multiplicative identity ‘01′. For any non-zero binary polynomial $b(x)$ of degree less than 8, the multiplicative inverse, $b^{-1}(x)$, can be found as follows: the extended Euclidean algorithm [1] can be used to compute polynomials $a(x)$ and $c(x)$ such that

$$b(x)a(x) + m(x)c(x) = 1.$$

Hence, $a(x) \cdot b(x) \bmod m(x) = 1$, and

$$b^{-1}(x) = a(x) \bmod m(x).$$
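As an added example (not code from the thesis), the following Python implements the addition, the polynomial multiplication with reduction by m(x), and the extended-Euclidean inverse described above, and checks them against the ‘57′ + ‘83′ = ‘d4′ and ‘57′ · ‘83′ = ‘c1′ computations; the function names are my own.

```python
M = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1; bit i of an int is the coefficient of x^i


def poly_mul(a, b):
    """Carry-less product of two binary polynomials (no reduction yet)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Quotient and remainder of a(x) / b(x) over GF(2), by long division."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_add(a, b):
    """Addition is coefficient-wise modulo 2, i.e. a bytewise XOR."""
    return a ^ b


def gf_mul(a, b):
    """Product in GF(2^8): multiply as polynomials, then reduce modulo m(x)."""
    return poly_divmod(poly_mul(a, b), M)[1]


def gf_inv(b):
    """Extended Euclidean algorithm: find a(x), c(x) with b(x)a(x) + m(x)c(x) = 1,
    so b^-1(x) = a(x) mod m(x). '00' has no inverse and is returned unchanged."""
    if b == 0:
        return 0
    r0, r1 = M, b        # remainders; the invariant r_i = a_i * b (mod m) holds throughout
    a0, a1 = 0, 1
    while r1 != 1:       # gcd(b, m) = 1 because m(x) is irreducible, so this terminates
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        a0, a1 = a1, a0 ^ poly_mul(q, a1)
    return poly_divmod(a1, M)[1]


if __name__ == "__main__":
    print(hex(gf_add(0x57, 0x83)), hex(gf_mul(0x57, 0x83)), hex(gf_inv(0x57)))
```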

2.2 Outline of the structure

The AES algorithm is an SPN structure block cipher that can process data blocks of 128 bits with variable-length Cipher Keys (128, 192, and 256 bits) [63]. Although Rijndael, the origin of the AES algorithm, was designed to handle additional block sizes (192 and 256 bits) [28], these block sizes are not considered as the Standard. Therefore, following the Standard, we refer to the algorithm as “AES-128”, “AES-192”, and “AES-256” according to the key sizes.

[Figure 2.1 (diagram): the 16-byte input is XORed with RK_0; each of rounds 1 to 9 applies SB, SR, MC and an XOR with the round key RK_1, …, RK_9; the last round applies SB and SR and an XOR with RK_10, giving the 16-byte output.]

Legend: SB: SubBytes transformation; SR: ShiftRows transformation; MC: MixColumns transformation; RK_p: p-th round key.

Figure 2.1: Outline of the AES algorithm

As shown in Figure 2.1, the elementary structure (one round) of the AES algorithm consists of two layers: a non-linear layer (SubBytes transformation) and a linear layer (ShiftRows transformation and MixColumns transformation). Each byte in an input block is bytewise substituted by the SubBytes transformation using a substitution table (S-box) described in Table 2.1, and then every byte in each row is cyclically shifted by a certain value by the ShiftRows transformation (bytes in row #0: 0, bytes in row #1: 1, bytes in row #2: 2, bytes in row #3: 3) as illustrated in (2.1). After this, all four bytes in each column are mixed by the matrix formula in Figure 2.2 through the MixColumns transformation. After these operations, a 128-bit round key extended from the Cipher Key is XORed in the last part of each round. The MixColumns transformation is omitted in the last round (AES-128: 10th round, AES-192: 12th round, AES-256: 14th round), but before the first round a 128-bit initial round key, which is actually the same as the Cipher Key, is XORed with the plaintext through the initial round key addition routine. The decryption is the reverse order of the encryption, and the inverses of each operation are used, namely the InvSubBytes transformation, InvShiftRows transformation and InvMixColumns transformation.

2.3 Specification of the functions

As previously mentioned in the outline of the structure, the elementary structure of the AES algorithm consists of three functions: the SubBytes transformation, the ShiftRows transformation, and the MixColumns transformation. The SubBytes transformation, which is the non-linear layer of the algorithm, takes charge of confusion, and the ShiftRows transformation and MixColumns transformation, which belong to the linear layer, are used for diffusion.

SubBytes transformation

The SubBytes transformation is a non-linear byte substitution that operates independently on each byte of the input block. The core of this operation is the S-box with 256 substitution paths as described in Table 2.1, and this invertible S-box is constructed from the composition of the following two functions:

1. For any input byte, take the multiplicative inverse in the finite field $GF(2^8)$, as described in Section 2.1. The value ‘00′ is mapped to itself.

2. Apply an affine transformation over GF(2) defined by:

$$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$$

for $0 \le i < 8$, where $b_i$ is the $i$-th bit of the byte, and $c_i$ is the $i$-th bit of a fixed value ‘63′ = (01100011). This can be expressed in the following matrix form:

$$\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix} =
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} +
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.$$

      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0  63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
  1  ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
  2  b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
  3  04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
  4  09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
  5  53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
  6  d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
  7  51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
  8  cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
  9  60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
  a  e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
  b  e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
  c  ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
  d  70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
  e  e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
  f  8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

e.g. input value: 0x65 → output value: 0x4d (row 6, column 5)

Table 2.1: S-box of the AES algorithm

It is noted that we will sometimes use the notation SubBytes for the mathematical representation of the SubBytes transformation. When the SubBytes transformation is applied to just one byte, we use the notation SubByte without an ‘s’. The following is an example of the SubBytes transformation ($S_{in}$ is an input block and $S_{out}$ is the corresponding output block):

S_in:  26 17 66 f0         S_out:  f7 f0 33 8c
       10 69 ab 01   -->           ca f9 62 7c
       63 09 cd 65                 fb 01 bd 4d
       03 11 ef 00                 7b 82 df 63

ShiftRows transformation

The ShiftRows transformation is one of the two functions constructing the linear layer of the algorithm. In the ShiftRows transformation, every byte in each row is cyclically shifted to the left by a certain offset, as illustrated in (2.1) (bytes in row #0: 0 (no shift), bytes in row #1: 1, bytes in row #2: 2, bytes in row #3: 3). This has the effect of moving the bytes to lower positions in the row, and the designers mention that this operation is used for enhancing resistance against some attacks using truncated differentials [46].

S_in:  b0,0 b0,1 b0,2 b0,3         S_out:  b0,0 b0,1 b0,2 b0,3
       b1,0 b1,1 b1,2 b1,3   -->           b1,1 b1,2 b1,3 b1,0        (2.1)
       b2,0 b2,1 b2,2 b2,3                 b2,2 b2,3 b2,0 b2,1
       b3,0 b3,1 b3,2 b3,3                 b3,3 b3,0 b3,1 b3,2

MixColumns transformation

In the MixColumns transformation, each column in an input block is considered as a four-term polynomial over $GF(2^8)$, and multiplied modulo $x^4 + 1$ with a fixed polynomial

$$f(x) = \mathtt{03}\,x^3 + \mathtt{01}\,x^2 + \mathtt{01}\,x + \mathtt{02}.$$

For more detail, let us suppose that a certain column in an input block of the MixColumns transformation is a four-byte word $(b_0, b_1, b_2, b_3)$. Then this column is denoted as

$$b(x) = b_3x^3 + b_2x^2 + b_1x + b_0$$

in a four-term polynomial. If the polynomial $b(x)$ is multiplied with $f(x)$, then

$$h(x) = h_6x^6 + h_5x^5 + h_4x^4 + h_3x^3 + h_2x^2 + h_1x + h_0$$

where

$$\begin{aligned}
h_0 &= \mathtt{02} \cdot b_0 \\
h_1 &= \mathtt{01} \cdot b_0 \oplus \mathtt{02} \cdot b_1 \\
h_2 &= \mathtt{01} \cdot b_0 \oplus \mathtt{01} \cdot b_1 \oplus \mathtt{02} \cdot b_2 \\
h_3 &= \mathtt{03} \cdot b_0 \oplus \mathtt{01} \cdot b_1 \oplus \mathtt{01} \cdot b_2 \oplus \mathtt{02} \cdot b_3 \\
h_4 &= \mathtt{03} \cdot b_1 \oplus \mathtt{01} \cdot b_2 \oplus \mathtt{01} \cdot b_3 \\
h_5 &= \mathtt{03} \cdot b_2 \oplus \mathtt{01} \cdot b_3 \\
h_6 &= \mathtt{03} \cdot b_3.
\end{aligned}$$

At this stage, $h(x)$ does not represent a four-byte word. Now, if we reduce $h(x)$ modulo the polynomial $x^4 + 1$, which has the property

$$x^i \bmod (x^4 + 1) = x^{i \bmod 4},$$

then the result can be reduced to a polynomial of degree less than 4. The modular product of $f(x)$ and $b(x)$ is given by the four-term polynomial

$$d(x) = d_3x^3 + d_2x^2 + d_1x + d_0 \qquad (2.2)$$

where

$$\begin{aligned}
d_0 &= (\mathtt{02} \cdot b_0) \oplus (\mathtt{03} \cdot b_1) \oplus (\mathtt{01} \cdot b_2) \oplus (\mathtt{01} \cdot b_3) \\
d_1 &= (\mathtt{01} \cdot b_0) \oplus (\mathtt{02} \cdot b_1) \oplus (\mathtt{03} \cdot b_2) \oplus (\mathtt{01} \cdot b_3) \\
d_2 &= (\mathtt{01} \cdot b_0) \oplus (\mathtt{01} \cdot b_1) \oplus (\mathtt{02} \cdot b_2) \oplus (\mathtt{03} \cdot b_3) \\
d_3 &= (\mathtt{03} \cdot b_0) \oplus (\mathtt{01} \cdot b_1) \oplus (\mathtt{01} \cdot b_2) \oplus (\mathtt{02} \cdot b_3).
\end{aligned}$$

If we now express (2.2) as a matrix multiplication, then we see the matrix formula in Figure 2.2. That is, the MixColumns transformation takes charge of mixing four bytes in each column with the matrix formula in Figure 2.2. It is noted that we will sometimes use the notation MixColumns for the mathematical representation of the MixColumns transformation. When the MixColumns transformation is applied to just one column, we use the notation MixColumn without an ‘s’.

$$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} =
\begin{pmatrix}
\mathtt{02} & \mathtt{03} & \mathtt{01} & \mathtt{01} \\
\mathtt{01} & \mathtt{02} & \mathtt{03} & \mathtt{01} \\
\mathtt{01} & \mathtt{01} & \mathtt{02} & \mathtt{03} \\
\mathtt{03} & \mathtt{01} & \mathtt{01} & \mathtt{02}
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$

Figure 2.2: Mixing of four bytes in a column

2.4 Expansion of the Cipher Key

The AES algorithm takes the Cipher Key, $K$, and generates Round Keys from the Cipher Key, performing a Key Expansion routine. Let us denote the number of rounds of the AES algorithm by $Nr$, the number of columns in the Cipher Key by $Nk$, and the index of each column in the Cipher Key by

$$Cl_0, Cl_1, \ldots, Cl_{Nk-1}.$$
</gr_repl
ace>

<gr_replace lines="365-369" cat="reformat" orig="Then the total number of columns">
Then the total number of columns for all the round keys, which is required for the whole round encryption, is

$$4 \times (Nr + 1),$$

considering that the number of columns in a data block is four, and that there is an initial round key addition routine before the first round. Now, if we index, in order, all the columns in the round keys by

$$Rl_0, Rl_1, Rl_2, \ldots, Rl_n, \ldots, Rl_{4(Nr+1)-1},$$

then the columns are generated in the following manner:

Then the total number of columns for all the round keys, which is required for the whole round encryption, is

4 × (Nr + 1), considering that the number of columns in a data block is four, and that there is an initial round key addition routine before the first round. Now, if we index, in order, all the columns in the round keys by

Rl0, Rl1, Rl2, . . . , Rln, . . . , Rl4(Nr+1)−1, then the columns are generated in the following manner:

• if $Nk = 4$ or $6$ (AES-128 or AES-192), then

$$Rl_0 = Cl_0,\; Rl_1 = Cl_1,\; \ldots,\; Rl_{Nk-1} = Cl_{Nk-1}$$

$$Rl_n = \begin{cases}
Rl_{n-Nk} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1})) \oplus Rcon[n/Nk] & \text{if } n \bmod Nk = 0 \\
Rl_{n-Nk} \oplus Rl_{n-1} & \text{otherwise}
\end{cases}$$

• if $Nk = 8$ (AES-256), then

$$Rl_0 = Cl_0,\; Rl_1 = Cl_1,\; \ldots,\; Rl_{Nk-1} = Cl_{Nk-1}$$

$$Rl_n = \begin{cases}
Rl_{n-Nk} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1})) \oplus Rcon[n/Nk] & \text{if } n \bmod Nk = 0 \\
Rl_{n-Nk} \oplus \mathrm{SubBytes}(Rl_{n-1}) & \text{if } n \bmod Nk = 4 \\
Rl_{n-Nk} \oplus Rl_{n-1} & \text{otherwise}
\end{cases}$$

Here, we note that SubBytes is the byte substitution by the S-box, and that RotBytes is the rotation of bytes by

$$\mathrm{RotBytes}(b_0, b_1, b_2, b_3) \longrightarrow (b_1, b_2, b_3, b_0).$$

The round constants are defined by

$$Rcon[i] = (x^{i-1}, \mathtt{00}, \mathtt{00}, \mathtt{00})$$

with $x^{i-1}$ being powers of $x$ (= ‘02′). The following shows the round constants obtained from the above concept (AES-256 needs Rcon[1] to Rcon[7], AES-192 Rcon[1] to Rcon[8], and AES-128 Rcon[1] to Rcon[10]):

Rcon[1] = (0x01, 0x00, 0x00, 0x00),
Rcon[2] = (0x02, 0x00, 0x00, 0x00),
Rcon[3] = (0x04, 0x00, 0x00, 0x00),
Rcon[4] = (0x08, 0x00, 0x00, 0x00),
Rcon[5] = (0x10, 0x00, 0x00, 0x00),
Rcon[6] = (0x20, 0x00, 0x00, 0x00),
Rcon[7] = (0x40, 0x00, 0x00, 0x00),   for AES-256
Rcon[8] = (0x80, 0x00, 0x00, 0x00),   for AES-192
Rcon[9] = (0x1b, 0x00, 0x00, 0x00),
Rcon[10] = (0x36, 0x00, 0x00, 0x00)   for AES-128.

Finally, the columns generated by the above key expansion routine are allocated to each round key by four columns, as shown below:

$$RK_i = Rl_{4 \times i} \text{ to } Rl_{4 \times i + 3}.$$

The following shows an example of the round key allocation in the case of AES-128 (Nk = 4).

RK0 = (Rl0, Rl1, Rl2, Rl3),

RK1 = (Rl4, Rl5, Rl6, Rl7),

RK2 = (Rl8, Rl9, Rl10, Rl11),

RK3 = (Rl12, Rl13, Rl14, Rl15),

RK4 = (Rl16, Rl17, Rl18, Rl19),

RK5 = (Rl20, Rl21, Rl22, Rl23),

RK6 = (Rl24, Rl25, Rl26, Rl27),

RK7 = (Rl28, Rl29, Rl30, Rl31),

RK8 = (Rl32, Rl33, Rl34, Rl35),

RK9 = (Rl36, Rl37, Rl38, Rl39),

RK10 = (Rl40, Rl41, Rl42, Rl43).

2.5 Inverse cipher

Unlike most Feistel structure block ciphers, the AES algorithm, which is a typical SPN structure block cipher, has a separate inverse cipher for decryption. Decryption is the reverse order of the encryption, and the inverse of each function is used in the decryption cipher. The InvSubBytes transformation, InvShiftRows transformation and InvMixColumns transformation in the decryption cipher correspond to the SubBytes transformation, ShiftRows transformation and MixColumns transformation respectively.

      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0  52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
  1  7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
  2  54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
  3  08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
  4  72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
  5  6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
  6  90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
  7  d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
  8  3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
  9  96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
  a  47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
  b  fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
  c  1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
  d  60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
  e  a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
  f  17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

e.g. input value: 0x4d → output value: 0x65 (row 4, column d)

Table 2.2: S-box^-1 of the AES algorithm

b0,0 b0,1 b0,2 b0,3                      b0,0 b0,1 b0,2 b0,3
b1,0 b1,1 b1,2 b1,3   InvShiftRows       b1,3 b1,0 b1,1 b1,2
b2,0 b2,1 b2,2 b2,3   ------------->     b2,2 b2,3 b2,0 b2,1
b3,0 b3,1 b3,2 b3,3                      b3,1 b3,2 b3,3 b3,0

Figure 2.3: Illustration of the InvShiftRows transformation

Table 2.2 is the substitution table (S-box^-1) used in the InvSubBytes transformation, and Figure 2.3 and Figure 2.4 represent the functions of the InvShiftRows transformation and InvMixColumns transformation respectively.

$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} \mathtt{0e} & \mathtt{0b} & \mathtt{0d} & \mathtt{09} \\ \mathtt{09} & \mathtt{0e} & \mathtt{0b} & \mathtt{0d} \\ \mathtt{0d} & \mathtt{09} & \mathtt{0e} & \mathtt{0b} \\ \mathtt{0b} & \mathtt{0d} & \mathtt{09} & \mathtt{0e} \end{pmatrix} \begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix}$$

Figure 2.4: Mixing of four bytes in the InvMixColumns transformation

Chapter 3

Cryptologic Properties of the AES Algorithm

In this chapter, we review a large body of previous research studies relating to the cryptologic properties of the AES algorithm, which have been performed since Rijndael was proposed for the process of the AES selection. In this review, those research studies are classified into four fields according to the following research areas: immunity against DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), distinctive output properties of the structure, cryptologic properties of the key schedule, and algebraic properties of the algorithm. We note that since the purpose of this chapter is to review the cryptologic properties of the AES algorithm, we shall concentrate on the cryptologic properties themselves rather than cryptanalytic methods using the properties. We first discuss the cryptologic immunity of the AES algorithm against two conventional cryptanalytic methods, DC and LC.

3.1 Immunity against DC and LC

DC [19, 20, 21] and LC [50, 51] have been regarded as the most powerful cryptan- alytic methods against block ciphers since these cryptanalytic methods theoretically succeeded in the attack on DES (Data Encryption Standard) [59]. For this reason, it has been considered as essential in the design of block ciphers to prove their invulner- ability against these cryptanalytic methods. In the case of the AES algorithm, it has been proved by some research studies that the AES algorithm is strong enough against DC and LC. These research studies have shown that the AES algorithm provides a sufficiently low differential probability and linear probability, each of which has been considered as a reliable measure to evaluate the strength of block ciphers against DC and LC. For future reference, we first define some basic concepts.


Definition 3.1 (DP and LP [73, 74]) For any S-box $S$ with $m$-bit inputs and outputs, the differential probability $DP^S(\delta x, \delta y)$ and the linear probability $LP^S(\Gamma\delta x, \Gamma\delta y)$ are defined by

$$DP^S(\delta x, \delta y) = \frac{\left|\{x \in GF(2^m) \mid S(x) \oplus S(x \oplus \delta x) = \delta y\}\right|}{2^m}$$

and

$$LP^S(\Gamma\delta x, \Gamma\delta y) = \left( \frac{\left|\{x \in GF(2^m) \mid \Gamma\delta x \cdot x = \Gamma\delta y \cdot S(x)\}\right|}{2^{m-1}} - 1 \right)^2$$

respectively. Here $\delta x$, $\delta y$, $\Gamma\delta x$ and $\Gamma\delta y$ denote an input difference, an output difference, an input mask value and an output mask value respectively, and $x \cdot y$ denotes the parity (0 or 1) of the bitwise product of $x$ and $y$.

Definition 3.2 (MDP and MLP [73, 74]) Under Definition 3.1, the maximal differential probability $p$ and the maximal linear probability $q$ are defined by

$$p = \max_{\delta x \neq 0,\ \delta y} DP^S(\delta x, \delta y)$$

and

$$q = \max_{\Gamma\delta x,\ \Gamma\delta y \neq 0} LP^S(\Gamma\delta x, \Gamma\delta y).$$

Definition 3.3 (Branch number) Let $F$ be a linear function, and let $\Omega(X)$ be the number of non-zero bytes in a byte vector $X$. Then the branch number $B_n$ of the function $F$ is defined by

$$B_n = \min_{X \neq 0} \left[\Omega(X) + \Omega(F(X))\right].$$

The strength of the AES algorithm against DC and LC was already computed by the designers in the AES proposal [28]. From the fact that the branch number of MixColumn, used in the linear transformation, is 5, the designers have shown that any four-round differential trail has at least 25 differentially active S-boxes. Based on this observation, they have proven that the four-round characteristic probability $P$ of the AES algorithm is bounded by

$$P \le p^{25} = (2^{-6})^{25} = 2^{-150} \quad (p \text{ is the MDP of the S-box}).$$

This means that no differential characteristic with a probability greater than $2^{-150}$ exists for a DC attack on four rounds of the AES algorithm [28]. In terms of LC, the designers have also shown that there are no four-round linear trails with a correlation above $2^{-75}$ [28].

Also, on the basis of the fact that the strength of the block ciphers against DC and LC depends on the maximal differential probability and the maximal linear hull probability respectively [40, 41, 44, 45, 73] (the strength is inversely proportional to the values of these probabilities), some other research studies have shown that the AES algorithm is sufficiently secure against DC and LC. In [52], although the authors have premised that a more accurate proof would be necessary, they have commented, based on the following computation results, that in probability the AES algorithm is secure against DC with six rounds.

Property 3.1 The maximal average differential probability of four rounds of the AES algorithm is upper bounded by $1.065 \times 2^{-128}$.

Property 3.2 The maximal average differential probability of five rounds of the AES algorithm is upper bounded by $1.0007 \times 2^{-128}$.

More recently, several research studies have presented improved methods for upper bounding the maximal differential probability and the maximal linear hull probability of SPN-structure block ciphers, and have re-evaluated the strength of the AES algorithm with these methods. They have proven that the maximal differential probability and the maximal linear hull probability of the AES algorithm are bounded by the values below.

Property 3.3 [73] The maximal differential probability for four rounds of the AES algorithm is approximately bounded by $1.06 \times 2^{-96}$.

Property 3.4 [74] The maximal differential probability and the maximal linear hull probability for four rounds of the AES algorithm are approximately bounded by $1.144 \times 2^{-111}$ and $1.075 \times 2^{-106}$ respectively.

Summing up the research studies reviewed above, the AES algorithm can be said to be well designed against DC and LC. The MixColumn function used in the linear transformation has branch number five, so that every four-round trail of this cipher has at least 25 active S-boxes, and from this alone we can see that the AES algorithm was designed to offer enough immunity against DC and LC: the maximal differential probability is closely tied to the number of differentially active S-boxes, and the maximal linear hull probability to the number of linearly active S-boxes. It is generally understood that the greater the number of differentially active S-boxes, the lower the maximal differential probability, and similarly that the greater the number of linearly active S-boxes, the lower the maximal linear hull probability.

3.2 Distinctive output properties of the structure

While some research studies have shown that the AES algorithm provides enough resistance against DC and LC, others have observed that the AES structure yields distinctive output properties for certain sets of plaintexts within a few rounds. In this section, we review those distinctive output properties of the AES algorithm to which cryptologists have paid attention. We first examine the third-round balanced property observed by the designers of the AES algorithm.

Third-round balanced property

As previously mentioned in Section 3.1, the branch number of MixColumn is five: if one input byte of the matrix formula in Figure 2.2 is changed, then all four output bytes of that column change. This means that a change of one byte in the input block of the MixColumns transformation leads to a change of one column (four bytes) in the output block. Tracing the encryption procedure with this property in mind, the designers of the AES algorithm have observed the following property.

Property 3.5 Any two plaintexts $X$ and $X'$ which differ in only one byte (in the same byte position) lead to second-round intermediate texts $Y$ and $Y'$ which differ from each other in all bytes. That is,

if $X \neq X'$ in only one byte, then $Y \neq Y'$ in all bytes.

Based on this property, and tracing one more round, they have also observed that any set of 256 chosen plaintexts (a Λset, defined below) leads to an interesting output property after the third round, which they call the balanced property.

Definition 3.4 (Λset) For the AES algorithm, Λset is defined by a set of 256 plaintexts which vary in only one byte (and are the same in the other bytes).

Property 3.6 (Third-round balanced property) For any Λset, the XOR of all the third-round intermediate texts is ‘00’ in all bytes.

Figure 3.1 illustrates an example of Λset and the third-round balanced property caused by the set (this property has been called an “integral property” in [49], because it is caused by the summation of a certain set of output values).

Λset (256 plaintexts identical except in byte 0, which takes every value from 00 to ff):

    01 72 00 94    02 72 00 94    03 72 00 94           ff 72 00 94
    78 11 6d 19    78 11 6d 19    78 11 6d 19    ...    78 11 6d 19
    2f d3 5a 47    2f d3 5a 47    2f d3 5a 47           2f d3 5a 47
    7c 68 11 b2    7c 68 11 b2    7c 68 11 b2           7c 68 11 b2

third-round intermediate texts: 256 blocks whose bytes (**) are unknown

XOR of all 256 third-round intermediate texts:

    00 00 00 00
    00 00 00 00
    00 00 00 00
    00 00 00 00

Figure 3.1: Illustration of the third-round balanced property

Based on this property, the Square attack was first introduced by the designers of the AES algorithm (Rijndael). This attack was originally applied to the block cipher Square [27], which is the basis of Rijndael. Since Rijndael inherited many basic functions from Square, it has the same balanced property, and the attack therefore applies to the AES algorithm as well. We summarise here how the balanced property has been applied to the cryptanalysis of the AES algorithm. The designers have used two Λsets for the attack on the AES algorithm reduced to four rounds. We first use Λset#1.

1. First, we assume one byte of the fourth-round key. Then, decrypt the corresponding byte of each of the 256 ciphertexts through the last round (we recall that the fourth round does not have the MixColumns transformation, because the fourth round is the last round in this case).

2. If the assumption is correct, then the XOR of the corresponding bytes in the 256 third-round intermediate texts must be equal to ‘00’. If the XOR is equal to ‘00’, the assumed value is kept as a candidate for the byte. If not, return to step 1 and assume another value for the key byte.

3. When the above two steps have been applied to all key bytes, all candidate values for the fourth-round key are obtained.

* Step 2 must be repeated with the other set, Λset#2, to eliminate wrong keys, because a wrong key byte satisfies the balanced property by chance with probability 1/256 if only one Λset is considered.
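The inverse cipher of Section 2.5 and the four-round Square attack of steps 1 to 3 above, as an added worked example in Python (this is not code from the thesis or from the AES designers). The script is a small AES-128 in which state bytes are stored column by column (index = row + 4·column, matching the byte numbering used later in this section), the round keys come from the AES-128 key schedule, and `encrypt(..., rounds=4)` is the chosen-plaintext oracle; the key is the FIPS-197 Appendix C.1 test key and the Λset constants are constructed for the demo. Because a wrong key byte passes one Λset with probability 1/256, `square_attack` keeps consuming Λsets until every byte position has a single candidate, which is the role of Λset#2 in the text:

```python
# Added example (not code from the thesis or the AES designers): compact AES-128
# in pure Python to (1) check that the inverse cipher of Section 2.5 undoes
# encryption and (2) run the Square attack of steps 1-3 on 4-round AES-128.
# State bytes are column-major, index = row + 4*column.
from functools import reduce
from operator import xor

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):
    """GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box: multiplicative inverse (0 -> 0), then the affine map over GF(2)."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        rot = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in (1, 2, 3, 4)]
        box.append(reduce(xor, rot, inv) ^ 0x63)
    return box

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]          # Table 2.2
MIX, INV_MIX = (2, 3, 1, 1), (0x0E, 0x0B, 0x0D, 0x09)   # first rows of Fig. 2.2 / Fig. 2.4

def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]
def add_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def shift_rows(s, inverse=False):
    """Row r rotates left by r positions (right for InvShiftRows, Figure 2.3)."""
    d = -1 if inverse else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s, coef=MIX):
    """Multiply every column by the circulant matrix whose first row is coef."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(reduce(xor, (gmul(coef[i], col[(r + i) % 4]) for i in range(4))))
    return out

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each, column-major."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                                   # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt(pt, rks, rounds=10):
    """Initial key addition, rounds-1 full rounds, final round without MixColumns."""
    s = add_key(pt, rks[0])
    for r in range(1, rounds):
        s = add_key(mix_columns(shift_rows(sub_bytes(s))), rks[r])
    return add_key(shift_rows(sub_bytes(s)), rks[rounds])

def decrypt(ct, rks, rounds=10):
    """Inverse cipher (Section 2.5): the inverse transformations in reverse order."""
    s = sub_bytes(shift_rows(add_key(ct, rks[rounds]), True), INV_SBOX)
    for r in range(rounds - 1, 0, -1):
        s = mix_columns(add_key(s, rks[r]), INV_MIX)
        s = sub_bytes(shift_rows(s, True), INV_SBOX)
    return add_key(s, rks[0])

def square_attack(oracle, max_sets=8):
    """Recover round key 4 of 4-round AES-128; oracle(pt) returns the ciphertext.
    A guess for a key byte is kept if, after undoing AddRoundKey and InvSubBytes
    (InvShiftRows only relocates bytes), the 256 third-round bytes XOR to 0."""
    cands = [list(range(256)) for _ in range(16)]
    for seed in range(max_sets):
        const = [(31 * seed + 7 * i + 3) & 0xFF for i in range(16)]   # constructed
        cts = [oracle([x] + const[1:]) for x in range(256)]            # Lambda-set, Def. 3.4
        for pos in range(16):
            cands[pos] = [g for g in cands[pos]
                          if reduce(xor, (INV_SBOX[ct[pos] ^ g] for ct in cts), 0) == 0]
        if all(len(c) == 1 for c in cands):      # a wrong guess passes one set w.p. 1/256
            break
    return [c[0] if len(c) == 1 else None for c in cands]

KEY = bytes(range(16))               # 000102...0f, the FIPS-197 Appendix C.1 test key
RKS = expand_key(KEY)

def demo():
    """(ciphertext hex, inverse cipher round-trips, attack recovered RK4)."""
    pt = list(bytes.fromhex("00112233445566778899aabbccddeeff"))   # FIPS-197 C.1 plaintext
    ct = encrypt(pt, RKS)
    recovered = square_attack(lambda p: encrypt(p, RKS, rounds=4))
    return bytes(ct).hex(), decrypt(ct, RKS) == pt, recovered == RKS[4]
```

`demo()` returns the FIPS-197 ciphertext `69c4e0d86a7b0430d8cdb78070b4c55a`, confirms that `decrypt` undoes `encrypt`, and confirms that the attack returns exactly `RKS[4]`; in practice two or three Λsets suffice, which matches the $2^9$ chosen plaintexts quoted for the four-round attack in Table 3.1.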

The designers have extended this method up to six rounds, adding one round at the beginning of the four rounds and one round at the end. Later, this method has been developed to seven rounds using partial-sum techniques [58, 68]. Table 3.1 shows the complexity of the Square attack against some reduced rounds of the AES algorithm.

    Attack        Number of rounds   Chosen plaintexts   Time complexity
    Square        4                  2^9                 2^9
                  5                  2^11                2^40
                  6                  2^32                2^72
    Partial sum   6                  6 × 2^32            2^44
                  7                  2^128 − 2^119       2^120

Table 3.1: Complexities of the Square attack against the AES algorithm

Fourth-round impossible differentials

While the designers of the AES algorithm have found, from Property 3.5, a third-round distinguisher (the balanced property) to which a Λset leads with probability 1, E. Biham and N. Keller have found, in [22], a fourth-round distinguisher to which a pair of plaintexts as in Property 3.5 leads with probability 0. That is, E. Biham and N. Keller have observed impossible differentials [17, 18] of four rounds of the AES algorithm (differentials that never appear in the four rounds). Let us consider a pair of plaintexts which differ in only one byte, and write the corresponding intermediate texts after the fourth-round ShiftRows transformation as follows:

    itext a:                           itext b:
    b#0   b#4   b#8   b#12             b'#0   b'#4   b'#8   b'#12
    b#1   b#5   b#9   b#13             b'#1   b'#5   b'#9   b'#13
    b#2   b#6   b#10  b#14             b'#2   b'#6   b'#10  b'#14
    b#3   b#7   b#11  b#15             b'#3   b'#7   b'#11  b'#15

Now, let us suppose that the combination (b#0, b#7, b#10, b#13) in itext a is equal to the combination (b′#0, b′#7, b′#10, b′#13) in itext b. These four bytes all come from the first column before the fourth-round ShiftRows, so after the third-round MixColumns transformation the data is equal in the first column; MixColumns acts on one column at a time and is invertible, so the data is equal in the first column before it as well, and undoing the third-round ShiftRows shows that after the second-round MixColumns transformation the data is equal in (byte#0, byte#5, byte#10, byte#15). This is a contradiction, because the pair of plaintexts being considered differ in only one byte, and by Property 3.5 such a pair leads to second-round intermediate texts which differ in all bytes. Taking this contradiction into account, we can deduce that if a pair of plaintexts differ in only one byte, then the intermediate texts after the fourth-round ShiftRows transformation cannot be equal in (0,7,10,13). Considering the other columns in the same way, we obtain the following property.

Property 3.7 (Impossible differentials) If a pair of plaintexts differ by only one byte, then the intermediate texts after the fourth-round ShiftRows transformation can- not be equal in any of the following combinations of bytes:

(0,7,10,13), (1,4,11,14), (2,5,8,15) or (3,6,9,12), when the byte positions of the text block are numbered column by column as

    byte#0  byte#4  byte#8   byte#12
    byte#1  byte#5  byte#9   byte#13
    byte#2  byte#6  byte#10  byte#14
    byte#3  byte#7  byte#11  byte#15

(each combination is the image of one column under the fourth-round ShiftRows transformation).

Based on this property, E. Biham and N. Keller have proposed an impossible differential cryptanalysis of five rounds of the AES algorithm [22]. The main idea of this attack is to eliminate wrong first-round keys by showing that the impossible property would hold in the last four rounds if these keys were used. This method requires $2^{29.5}$ chosen plaintexts and $2^{31}$ time complexity for the attack on five rounds of the AES algorithm. Later, this attack has been extended to six rounds [26], guessing not only the first-round key but also the last-round key, although this extension requires a much higher complexity. Table 3.2 shows the complexities of the impossible differential cryptanalysis against the AES algorithm.

    Number of rounds   Chosen plaintexts   Time complexity
    5                  2^29.5              2^31
    6                  2^91.5              2^122

Table 3.2: Complexities of the IDC (impossible differential cryptanalysis) against the AES algorithm

Fourth-round collision distinguisher

In [25], H. Gilbert and M. Minier have constructed an efficient fourth-round distinguisher of the AES algorithm by exploiting the existence of collisions between some partial functions induced by the cipher. They have first observed that the AES algorithm has a partial third-round collision property in which several bytes are involved. Then, from the relationship between the third round and the fourth round, they have found the fourth-round distinguisher. Before discussing the fourth-round collision distinguisher in more detail, we define the concept of a collision for future reference.

Definition 3.5 (Collision) For any given function h and messages M and M ′, if

h(M) = h(M ′) when M =6 M ′, then we say that h(M) and h(M ′) collide.

Next, we discuss the third-round collision property followed by the fourth-round dis- tinguisher of the AES algorithm. Let us consider a set of the first-round input blocks (after the initial round key addition) of the AES algorithm, which vary in the first column (the other bytes are all the same), as shown in Figure 3.2.

    1st-round input blocks              3rd-round intermediate texts    4th-round intermediate texts
    (first column y, c0, c1, c2;
     the other bytes are fixed)

    [ y  c0  c1  c2  | ... ]   ---->    [ s  ... ]             ---->    [ t0  t1  t2  t3  | ... ]
    [ y  c0' c1' c2' | ... ]   ---->    [ s' ... ]             ---->    [ t0' t1' t2' t3' | ... ]
                                ...

Figure 3.2: Fourth-round collision distinguisher of the AES algorithm ($y, c_0, c_1, c_2$ are the bytes of the first column of the first-round input block, $s$ is the first byte of the third-round intermediate text, and $t_0, \dots, t_3$ the first column of the fourth-round intermediate text)

Then, $2^{24}$ triplets $c = (c_0, c_1, c_2)$ can be considered for each value of $y$. By considering two arbitrary triplets $c$ and $c'$, H. Gilbert and M. Minier have constructed the concept of a partial third-round collision of the AES algorithm. Specifically,

• they have observed that for any y ∈ {0....255} in a plaintext, s (s′) is entirely determined by a surprisingly small number of unknown bytes, which either only depend on the key or depend on both the key and the value of c (c′),

• then, based on the above observation, they have found the following third-round collision property, taking into account the well-known birthday paradox [15, 38].

Property 3.8 [25] In a given set $C$ of about $2^{16}$ triplets $c$ (the number of all possible triplets is $2^{24}$), there exist, with non-negligible probability, $c$ and $c'$ ($c \neq c'$) which lead to

$s = s'$ for all $y \in \{0, \dots, 255\}$.

Now, let us consider the relationship between the third round and the fourth round of the AES algorithm: from the matrix formula of Figure 2.2 (inverted as in Figure 2.4), we see that

$$s = S^{-1}\left\{(\mathtt{0e} \cdot t_0 + \mathtt{0b} \cdot t_1 + \mathtt{0d} \cdot t_2 + \mathtt{09} \cdot t_3) + k_4^{\#0}\right\},$$

where $S^{-1}$ and $k_4^{\#0}$ denote the inverse S-box and the first byte of the fourth-round key respectively. In other words, we see that

$$\mathtt{0e} \cdot t_0 + \mathtt{0b} \cdot t_1 + \mathtt{0d} \cdot t_2 + \mathtt{09} \cdot t_3$$

is a one-to-one function of $s$. Putting this together with the third-round collision property, we obtain the following property, which tests the third-round collision using $t_0, t_1, t_2, t_3$ in the fourth-round intermediate texts.

Property 3.9 [25] $c$ and $c'$ collide if and only if, for all $y \in \{0, \dots, 255\}$,

$$\mathtt{0e} \cdot t_0 + \mathtt{0b} \cdot t_1 + \mathtt{0d} \cdot t_2 + \mathtt{09} \cdot t_3 = \mathtt{0e} \cdot t_0' + \mathtt{0b} \cdot t_1' + \mathtt{0d} \cdot t_2' + \mathtt{09} \cdot t_3'.$$

This property means that the third-round collision can be tested with the fourth-round intermediate texts corresponding to $c$ and $c'$ for any $y$, so H. Gilbert and M. Minier regard this property as a fourth-round distinguisher. They have noted, based on their experiments, that it is sufficient to check the equality of Property 3.9 for 16 values of $y$ in order to test the collision between $c$ and $c'$. Therefore, $2^{20}$ plaintexts ($2^{16}$ values of the triplet $c$ × $2^4$ values of $y$) are required to test the fourth-round distinguisher. Based on the above observations, they have suggested a collision attack against the seven-round AES algorithm, which has the initial round and one additional round before the four-round structure of Figure 3.2, and one additional round and the final round after it; in this case, the distinguisher covers the second round to the fifth round. Their method is basically an exhaustive search over some key bytes of the initial round and of the two final rounds, in order to check the distinguisher. They have noted that this attack requires $2^{32}$ chosen plaintexts, and is faster than exhaustive key search on seven rounds of AES-192 and AES-256 (complexity: $2^{140}$) and marginally faster on seven rounds of AES-128.

3.3 Cryptologic properties of the key schedule

The designers of the AES algorithm have stated [28] that the key schedule of the AES algorithm was designed to provide resistance against cryptanalytic methods using the weakness of the key schedule, such as related key attacks [23, 32, 33]. They have mentioned that, from the security point of view, the following design criteria have been applied to the key expansion:

C1. to put the diffusion of Cipher Key differences into the Round Keys,

C2. to guarantee enough non-linearity to prohibit the full determination of Round Key differences from Cipher Key differences,

C3. to use an invertible transformation, that is, knowledge of any Nk (the number of columns of the Cipher Key) consecutive columns of the expanded key allows to regenerate all the Round Keys,

C4. not to allow calculation of many other Round Key bits from knowledge of a part of the Cipher Key or Round Key bits,

C5. to eliminate symmetry of the inner rounds.

Definition 3.6 [28] If a certain cipher treats all bytes of a state in very much the same way in the round transformation, then it is said to have symmetry in the round transformation.

Definition 3.7 [28] If the round transformation is the same for all rounds in a certain cipher, then it is said to have symmetry between the rounds.

They have also mentioned that the high diffusion and non-linearity of the AES key schedule make it very improbable that the AES algorithm can be attacked by these types of attacks.

However, some of the research studies that have carefully evaluated the security of the AES key schedule claim that, although no serious weaknesses have been found, the AES key schedule does not live up to the designers’ expectations. Although it is not directly a weakness of the AES key schedule, E. Biham and N. Keller have shown, in [22], that if the key schedule of the AES algorithm were reversed, the complexity of the Square attack would be reduced by a factor of $2^8$. G. Carter, E. Dawson and L. Nielsen have confirmed that in the AES key schedule all the Round Keys (and the Cipher Key) can be regenerated from any $N_k$ consecutive columns of the expanded key [24], as the designers of the AES algorithm have stated in the design criteria of the key schedule. In addition to these observations, S. Lucks has examined the AES key expansion procedure in reverse order, and has noted the following two properties of the AES key schedule [68].

Property 3.10 If all four columns in the seventh-round key of AES-256 are known, then three columns (Columns 1, 2, and 3) in the fifth-round key can be generated.

Property 3.11 If all four columns in the seventh-round key of AES-192 are known, then two columns (Columns 0 and 1) in the sixth-round key and one column (Column 3) in the fifth-round key can be generated.

Based on these observations, he has presented, in the same paper, a modified Square attack which reduces the number of key assumptions for the cryptanalysis of seven rounds of AES-192 and AES-256. He has recomputed the complexity of the Square attack, and has shown with his calculation that the Square attack requires $2^{80}$ basic operations to attack six rounds of the AES algorithm. If all possible seventh-round keys are additionally guessed, then the seven-round attack requires $2^{208}$ basic operations. (Note: in his calculation, one basic operation means five byte-wise XORs, five executions of S-box$^{-1}$ and one execution of MixColumn.) However, using the above properties of the key schedule, he reduced the amount of computation (the number of key assumptions) for AES-192 and AES-256 by factors of $2^{24}$ and $2^{8}$ respectively. As a consequence, he has noted that attacking seven rounds of AES-192 and AES-256 requires $2^{184}$ and $2^{200}$ basic operations respectively, with $2^{32}$ chosen plaintexts. More importantly, N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner and D. Whiting have noted in [58] that the key schedule of the AES algorithm does not achieve its stated design criteria. In other words, they have claimed that the key schedule of the AES algorithm has several unexpected properties that seem to violate the published design criteria. First, they have pointed out, with an example of the key expansion of AES-256, that the AES key schedule does not achieve Criterion C4 above, based on the following observations. Let us look at Figure 3.3, taking into account the key expansion routine described in Section 2.4.

1. If the values of the seven bytes indicated by ♠ (the bytes at (row#$i$=3, column#7) of each eight-column expanded block) are known (or assumed), then the values of the 21 bytes indicated by @ are known as well (the value of $i$ is variable, although the case $i$=3 is considered here), because

$$Rl_n = Rl_{n-N_k} \oplus Rl_{n-1}$$

for every column whose index is not a multiple of 4, where $N_k = 8$ denotes the number of columns of the Cipher Key and $Rl_n$ the $n$th column of the expanded key. In other words, if the seven bytes at (row#$i$=3, column#7) of each expanded block are known, then we learn 28 (7+21) bytes of the expanded key.

2. Now, let us assume that the values of the eight bytes indicated by ♣ are additionally known (the eight bytes of row#($i$−1 mod 4) of the first expanded block, which is actually the Cipher Key). Then, if we consider

$$Rl_n = Rl_{n-N_k} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1}))$$

for the columns whose index is a multiple of $N_k$ (the round constant, which is only added to row 0, is omitted here; RotBytes moves the row#$i$ byte of $Rl_{n-1}$ into row#($i$−1 mod 4)), we additionally learn the 52 bytes indicated by % in row#($i$−1 mod 4) of the other expanded blocks. That is, we learn 60 (8+52) bytes of the expanded key from the eight additionally known bytes.

3. Summing up, we see that if 15 (7+8) bytes of the round keys are known, then 88 bytes are revealed in all.

4. If this idea is extended further, that is, if 16 more bytes in row#($i$−2 mod 4) and row#($i$−3 mod 4) of the first expanded block are known in step 2, then 120 bytes are additionally revealed.

5. All in all, if 31 (7+8+8+8) bytes of the round keys are known, then 208 (28+60+60+60) bytes are found.

They have also remarked, with the observation below, that the AES key schedule does not provide a high level of diffusion, contrary to the designers’ statement that “the key schedule of Rijndael, with its high diffusion and non-linearity, makes it very improbable that related-key attacks can be successful for Rijndael” [28].

[Figure 3.3 is a grid of the AES-256 expanded key drawn as the round keys RK0 to RK14 (plus the unused remainder of the last eight-column block), marking: ♠ the seven known bytes at (row#3, column#7) of each eight-column block; @ the 21 bytes derived from them; ♣ the eight known bytes of row#2 of the Cipher Key (RK0 and RK1); % the 52 bytes of row#2 derived from those. The grid layout itself is not recoverable from the text.]

Figure 3.3: Correlations between the bytes of the expanded key

Property 3.12 [58] The AES key schedule takes many cycles before a low-weight difference starts to affect a significant number of other bytes.

For example, these authors have observed that “if the key schedule runs backwards, then each byte affects two other bytes that are (almost) a full cycle further back” [58]. Based on this observation, they have claimed that an attack on the AES algorithm by some kind of related-key attack is more probable than the designers expected. Indeed, they have presented a related-key attack applicable to nine rounds of AES-256 (AES-256 consists of 14 rounds), although this attack is basically a variant of the Square attack. It requires $2^{77}$ chosen plaintexts under each of 256 related keys (total: $2^{85}$ plaintexts) and has a complexity of $2^{224}$. Throughout this section, we have reviewed research studies relating to the key schedule of the AES algorithm. We observe that not many research studies have been performed on the key schedule of the AES algorithm, and that no critical weakness of the key schedule has been found so far. In addition, most of the detected properties have been used only to reduce the complexities of previously known cryptanalytic methods. For this reason, we could say that although the AES key schedule has minor weaknesses from the cryptologic point of view, it does not have critical problems.

3.4 Algebraic properties of the algorithm

Despite the novelty of the AES algorithm, the simple algebraic structure of this cipher has led to some concerns about its security. In particular, some commentators have pointed out that the AES algorithm could be vulnerable to what is known as alge- braic attacks [57], which recover the Cipher Key from formulating algebraic equations between plaintexts and ciphertexts. In this section, we discuss the research studies that have observed the algebraic properties of the AES algorithm. We first review two papers whose findings are contrary to each other on the security of the elementary structure of the AES algorithm.

Simplicity of the linear layer

As previously mentioned, some research studies have concentrated on examining the simplicity of the AES algorithm. Among these research studies, S. Murphy and M. Robshaw have found that the linear layer of the AES algorithm has short periods [69, 70]. They first found that the affine transformation, which is one of the two functions used for generating the S-box (non-linear layer), can be separated from the non-linear layer and moved into the linear layer, as illustrated in Figure 3.4. In this modified structure, they have found that the maximal period of the modified linear layer is 16, with the following observations:

1. Since the entirety of the modified linear layer is a $GF(2)$-linear map, its action can be represented by a $128 \times 128$ binary matrix $M$.

2. In this case, the characteristic polynomial $c(x) = \det(M + xI)$ and the minimal polynomial $m(x)$ (the polynomial of smallest degree such that $m(M) = 0$) of $M$ are $c(x) = (x+1)^{128} = x^{128} + 1$ and $m(x) = (x+1)^{15}$.

3. Since $m(M) = 0$ and $x^{16} + 1 = (x+1) \times m(x)$,

$$M^{16} = I.$$

4. As a consequence, 16 iterations of the modified linear transformation $M$ give the identity mapping, which means that any 128-bit input of this transformation is mapped to itself after 16 repeated applications.

    Functions in the elementary structure           Re-grouping of the functions
    --------------------------------------          ----------------------------------------
    Non-linear layer                                Non-linear layer
      SubBytes transformation (S-box) =               Multiplicative inverse in GF(2^8)
        multiplicative inverse in GF(2^8),
        then affine transformation over GF(2)^8     Linear layer
    Linear layer                                      Affine transformation over GF(2)^8
      ShiftRows transformation                        ShiftRows transformation
      MixColumns transformation                       MixColumns transformation

Figure 3.4: Re-grouping of the functions in the elementary structure

Also, from further observations on the matrix M of the modified linear layer, they have found that there are inputs of the modified layer which are fixed over a very small number of iterations of the linear transformation:

• $2^{16}$ inputs are fixed over one application of the modified linear layer.

• $2^{30}$ inputs are fixed over two iterations of the modified linear layer.

• $2^{58}$ inputs are fixed over four iterations of the modified linear layer.

• $2^{96}$ inputs are fixed over eight iterations of the modified linear layer.

Based on this observation, they have remarked that the linear diffusion layer of the AES algorithm may not be so effective at mixing data, and that there may be considerable inner structure within the diffusion layer. At this stage, to make the concept of “mixing data” clear, we briefly define the effect of mixing data, which Murphy and Robshaw considered, although they have used the concept of “mixing data” without definition. We note that the following definitions are also valid in other chapters of this thesis.

Definition 3.8 (Period) In a set $K$ consisting of $n$ elements, if an input $I \in K$ of a function $F$ is mapped to itself after $p$ iterations of $F$, and after no smaller number of iterations, then the period of $F$ for $I$ is $p$.

Definition 3.9 (Effect of mixing data) In a set $K$ consisting of $n$ elements, if the period of $F$ for a certain input $I$ is $p$, then the effect of mixing data of $F$ for $I$ is defined by $e = p / n$.
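Murphy and Robshaw's observations on the re-grouped linear layer, as an added example (this is not code from their papers or from the thesis): the script below builds the $128 \times 128$ matrix $M$ over $GF(2)$ of the modified linear layer of Figure 3.4 (the affine part of the S-box, then ShiftRows, then MixColumns) column by column from the images of the unit vectors, checks $M^{16} = I$ and $M^8 \neq I$, and computes $\log_2$ of the number of inputs fixed by $k$ iterations as $\dim \ker(M^k + I)$, the quantity behind the four counts listed above. The byte order of the state and the bit layout are the script's own choices; since any re-ordering, or any cyclic reordering of the three functions, only conjugates $M$, the period and the kernel dimensions are unaffected. The constant 0x63 of the affine map is dropped because it adds a fixed vector that can be folded into the round key, as the text's regrouping assumes.

```python
# Added example (not code from Murphy and Robshaw or from the thesis): build the
# 128x128 GF(2) matrix M of the re-grouped linear layer of Figure 3.4 (affine
# part of the S-box, then ShiftRows, then MixColumns) and check its period and
# its fixed-point counts.  State bytes are column-major, index = row + 4*column;
# bit 8*i + t of a 128-bit integer is bit t of state byte i.  The S-box constant
# 0x63 is dropped: it only adds a fixed vector, which can be folded into the key.

def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def affine_linear(b):
    """GF(2)-linear part of the S-box affine map: b XOR its rotations by 1..4."""
    out = b
    for k in (1, 2, 3, 4):
        out ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return out

def modified_linear_layer(state):
    """Affine map on every byte, then ShiftRows, then MixColumns."""
    s = [affine_linear(b) for b in state]
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            b1, b2, b3, b4 = (col[(r + i) % 4] for i in range(4))
            out.append(xtime(b1) ^ xtime(b2) ^ b2 ^ b3 ^ b4)   # 02*b1 + 03*b2 + b3 + b4
    return out

def to_int(state):
    return sum(b << (8 * i) for i, b in enumerate(state))

def to_state(v):
    return [(v >> (8 * i)) & 0xFF for i in range(16)]

IDENTITY = [1 << j for j in range(128)]

def build_matrix():
    """Column j of M is the image of the unit vector e_j (the layer is linear)."""
    return [to_int(modified_linear_layer(to_state(e))) for e in IDENTITY]

def apply(m, v):
    """M*v: XOR the columns of M selected by the bits of v."""
    out, j = 0, 0
    while v:
        if v & 1:
            out ^= m[j]
        v, j = v >> 1, j + 1
    return out

def matmul(a, b):
    return [apply(a, col) for col in b]

def matpow(m, e):
    result, base = IDENTITY, m
    while e:
        if e & 1:
            result = matmul(base, result)
        base, e = matmul(base, base), e >> 1
    return result

def rank_gf2(cols):
    """Rank over GF(2): reduce each column against pivots keyed by leading bit."""
    pivots = {}
    for v in cols:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return len(pivots)

def log2_fixed_points(m, k):
    """log2 of #{x : M^k x = x} = dim ker(M^k + I): the inputs whose period
    (Definition 3.8) under the layer divides k."""
    mk = matpow(m, k)
    return 128 - rank_gf2([col ^ e for col, e in zip(mk, IDENTITY)])

def analyse():
    m = build_matrix()
    sample = [(17 * i + 5) & 0xFF for i in range(16)]      # constructed check state
    consistent = apply(m, to_int(sample)) == to_int(modified_linear_layer(sample))
    return {"matrix_matches_layer": consistent,
            "M^16 == I": matpow(m, 16) == IDENTITY,
            "M^8 == I": matpow(m, 8) == IDENTITY,
            "log2_fixed_points": {k: log2_fixed_points(m, k) for k in (1, 2, 4, 8, 16)}}
```

`analyse()["log2_fixed_points"]` gives, for $k = 1, 2, 4, 8, 16$, the base-2 logarithm of the number of inputs fixed by $k$ iterations, for direct comparison with the four counts quoted above; the value for $k = 16$ is 128 because $M^{16} = I$ fixes every input.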

They have also mentioned that “someone may find a more novel way to combine the rich structure in the diffusion layer of Rijndael with the highly structured inverse map”. However, despite the novelty of these observations, the designers of the AES algorithm counter-argued, with the following comments, that these observations do not sufficiently examine the security of the AES algorithm [29]. They have pointed out that

• these observations have been restricted to only the linear layer.

• these observations have not shown the substantial impact of the cyclic properties on the cryptologic weakness of the AES algorithm.

While the designers have defended the AES algorithm, other research studies have been undertaken that have made significant progress in exposing the algebraic weak- nesses caused by the simple structure of the AES algorithm.

Simple algebraic representation

N. Ferguson, R. Schroeppel, and D. Whiting have observed [57] that there is a very straightforward closed algebraic formula for the AES algorithm, and have remarked that it is highly structured and much simpler than algebraic formulations of any other block ciphers. Tracing the input-output relation of each basic function, they have initially derived a fairly simple algebraic expression for a single round of the AES algorithm, that is

$$b^{(r+1)}_{i,j} = k^{(r)}_{i,j} + \sum_{e_r \in E,\; d_r \in D} \frac{w_{i,e_r,d_r}}{\left(b^{(r)}_{e_r,\,e_r+j}\right)^{2^{d_r}}} \qquad (3.1)$$

where the variables are denoted by the following:

• $b^{(r)}_{i,j}$: the byte on (row #i, column #j) in the input of round r.

• $k^{(r)}_{i,j}$: the byte on (row #i, column #j) in the r-th round key.

• r: certain rounds.

• w: certain constants.

• E: the range {0, ..., 3}.

• D: the range {0, 1, ..., 7}.

• ⋆ all coordinates are reduced modulo 4 so that, for example, $b^{(r)}_{8,4} = b^{(r)}_{0,0}$.

Then, applying an actual value r=2 to (3.1), they have shown that any byte of the third-round input block can be expressed by

$$b^{(3)}_{i,j} = k^{(2)}_{i,j} + \sum_{e_2 \in E,\; d_2 \in D} \frac{w_{i,e_2,d_2}}{\left(b^{(2)}_{e_2,\,e_2+j}\right)^{2^{d_2}}} \qquad (3.2)$$

$$\phantom{b^{(3)}_{i,j}} = k^{(2)}_{i,j} + \sum_{e_2 \in E,\; d_2 \in D} \frac{w_{i,e_2,d_2}}{\left(k^{(1)}_{e_2,\,e_2+j}\right)^{2^{d_2}} + \displaystyle\sum_{e_1 \in E,\; d_1 \in D} \frac{w^{2^{d_2}}_{e_2,e_1,d_1}}{\left(b^{(1)}_{e_1,\,e_1+e_2+j}\right)^{2^{d_1+d_2}}}} \qquad (3.3)$$

Also, using the fact that all subscripts and exponents are known and are independent of the key or plaintext, they have simplified equation (3.3) to a somewhat casual notation which clarifies the structure, taking into account that $b^{(1)}_{i,j} = p_{i,j} + k^{(0)}_{i,j}$, where $p_{i,j}$ is a plaintext byte. As a consequence, they have derived equation (3.4) for two rounds of the AES algorithm followed by equation (3.5) for five rounds:

$$b^{(3)}_{i,j} = K + \sum_{e_2 \in E,\; d_2 \in D} \frac{C_2}{K^{*} + \displaystyle\sum_{e_1 \in E,\; d_1 \in D} \frac{C_1}{K^{*} + p^{*}}} \qquad (3.4)$$

$$b^{(6)}_{i,j} = K + \sum \frac{C_5}{K^{*} + \displaystyle\sum \frac{C_4}{K^{*} + \displaystyle\sum \frac{C_3}{K^{*} + \displaystyle\sum \frac{C_2}{K^{*} + \displaystyle\sum \frac{C_1}{K^{*} + p^{*}}}}}} \qquad (3.5)$$

where K, $C_i$, and ∗ denote an expanded key byte, a known constant, and known exponents or subscripts respectively (although these values depend on the summation variables that enclose the symbol), and each summation in (3.5) runs over $e_i \in E$, $d_i \in D$. Following the same idea, they have also considered another nearly identical algebraic formula, which expresses any byte in the fifth-round intermediate text with the ciphertext (not plaintext) and the expanded key. Considering that these two values must agree, the expanded key could be found if the two equations were considered together. To break AES-128, which consists of ten rounds, these kinds of pairs of equations could be applied to each byte in the fifth-round intermediate text. The first equation would express each byte in the fifth-round intermediate text as the function of the plaintext bytes (this equation covers rounds 1 to 5), and the other equation would express the same byte as the function of the ciphertext bytes (this equation covers rounds 6 to 10). Here, considering that each summation symbol covers 32 ($2^5$) terms, a fully expanded version of equation (3.1) has $2^{25}$ terms (as there are five summations in the equation) if the equation is described without summation symbols. So, combining two equations would lead to an equation with $2^{26}$ unknowns. They have remarked from a purely information-theoretical standpoint that this merged equation may be computable if at least $2^{22}$ ($= 2^{26}/16$) known plaintext-ciphertext pairs are given. However, they have not suggested a practical method to solve these kinds of equations. They have left solving these kinds of equations as an open problem, expecting that “there might very well exist techniques for handling this type of formula that we are unaware of, or somebody might develop them in the next 20 years or so”.
They have finally commented that adding more rounds to the AES algorithm does not help improve security much in solving these kinds of equations, because each extra round adds a factor of $2^5$ to the size of the fully expanded equation. Indeed, considering that one summation symbol consists of 32 ($2^5$) terms in (3.1), we see the following extension, as they have commented:

• the full ten rounds of AES-128 could be represented by an equation with $2^{50}$ terms (as ten rounds consist of ten summation symbols).

• the full 14 rounds of AES-256 could be represented by an equation with $2^{70}$ terms (the seven-round equation has $2^{35}$ terms).

Overdefined system of quadratic equations

N. Courtois and J. Pieprzyk have observed in [55, 56] that the S-box of the AES algorithm can be described by an overdefined system of algebraic equations, and have presented the XSL (eXtended Sparse Linearization) attack, which is a new method more efficient in solving the overdefined system than previously known general methods. They have first observed that the S-box can be described by a number of implicit quadratic Boolean equations. Let the input bits and output bits of the S-box be denoted by $x = (x_1, \ldots, x_s)$ and $z = (z_1, \ldots, z_s)$ with $s = 8$. Then, there exist equations of the form $P(x_1, \ldots, x_s, z_1, \ldots, z_s) = 0$, where the algebraic degree d is equal to two (d = 2). In principle, eight equations of the above form are (approximately) sufficient to fully describe the S-box. However, they have observed that more quadratic equations of this type can be constructed (this is the concept of “overdefined”, that is, r ≫ s, where r is the actual number of such equations in the above form). They have first obtained 7 quadratic equations (8 if 0 is not considered for x) from the following steps:

• Let us consider the multiplicative-inverse function (non-linear function) used for generating the S-box. Then, from the definition that

$$\forall x \neq 0,\quad 1 = x y, \qquad (3.6)$$

we see that

$$x \cdot y = (x_7 \cdot X^7 + \cdots + x_0) \cdot (y_7 \cdot X^7 + \cdots + y_0) = (0, 0, 0, 0, 0, 0, 0, 1)$$

where the input of the function is denoted by $x = (x_7, \ldots, x_0)$ and the corresponding output by $y = (y_7, \ldots, y_0)$.

• Given that the equation in connection with the least significant bit is true if, and only if, x ≠ 0, we see that there exist 7 equations that are true with probability 1 (8 if 0 is not considered for x).

• The above property remains even after the affine transformation, which is the linear function used for generating the S-box.

Then, they have observed that

$$\forall x \in GF(2^8),\quad x = x^2 \cdot y \qquad (3.7)$$

and that this equation gives 8 additional quadratic equations. Equation (3.7) is symmetric with respect to the exchange of x and y, so $y = y^2 \cdot x$, which provides another 8 additional quadratic equations. They have also noted that another 16 equations can be obtained from the two equations below for the same reason:

$$x^3 = x^4 \cdot y \qquad (3.8)$$
$$y^3 = y^4 \cdot x. \qquad (3.9)$$

All in all, they have observed that 39 quadratic equations (40 if 0 is not considered for x) which are true with probability 1 can be obtained for the AES S-box, and that these equations are all linearly independent. Based on the above observations, deriving the following formulas, they have shown that the full AES-128 can be described as a system of 8000 quadratic equations with 1600 variables, and that the full 256-bit Rijndael with a 256-bit key provides 22400 quadratic equations with 4480 variables:

$$m = 4 \times r \times N_b \times N_r + r(L_k - H_k)/s$$

$$n = 4 \times s \times (N_r - 1) \times N_b + L_k,$$

where the variables are denoted by the following:

• m: the number of quadratic equations for the full cipher.

• n: the number of variables in the equations.

• r: the number of quadratic equations obtained from the S-box.

• s: the input-output size of the S-box (8 bits).

• $N_b$: the number of columns (or words) for the input block.

• $N_r$: the number of rounds.

• $H_k$: the number of bits of the cipher key.

• $L_k$: the number of true key variables (448 for AES-128, 1152 for AES-256).
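As an added illustration of the equation count above (example code written for this review, not code from the thesis or from Courtois and Pieprzyk), the following Python builds the AES S-box from its definition and then counts, by Gaussian elimination over GF(2), the linearly independent polynomials of degree at most two in the 16 input and output bits that vanish on all 256 (x, S(x)) pairs; the function and monomial names are my own.

```python
"""Count the quadratic equations satisfied by the AES S-box.

Added example, not code from the thesis.  The S-box is rebuilt from its
definition (inversion in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1, then the
fixed affine map).  The number of linearly independent polynomials of
degree <= 2 in the 16 input/output bits that vanish on every (x, S(x))
pair is the nullity of the GF(2) matrix that evaluates all monomials at
the 256 points.  Standard library only."""
from itertools import combinations

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse via a^254 = a^-1 (a^255 = 1); AES maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def affine(b):
    """The AES affine map: b + rotl(b,1) + rotl(b,2) + rotl(b,3) + rotl(b,4) + 0x63."""
    def rotl(v, n):
        return ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63


SBOX = [affine(gf_inv(x)) for x in range(256)]


def monomials(bi_affine=False):
    """Degree <= 2 monomials over v0..v15 (v0..v7 = x bits, v8..v15 = z bits)
    as index tuples; None stands for the constant 1.  With bi_affine=True
    only 1, x_i, z_j and x_i*z_j are kept (81 terms, the shape of the
    xy = 1 and x = x^2 y relations); otherwise all 137 monomials."""
    mons = [None] + [(i,) for i in range(16)]
    for i, j in combinations(range(16), 2):
        if not bi_affine or (i < 8) != (j < 8):
            mons.append((i, j))
    return mons


def eval_row(x, z, mons):
    """Evaluate every monomial at the point (x, z), packed as a bit vector."""
    v = [(x >> i) & 1 for i in range(8)] + [(z >> j) & 1 for j in range(8)]
    row = 0
    for k, m in enumerate(mons):
        if m is None or all(v[i] for i in m):
            row |= 1 << k
    return row


def gf2_rank(rows):
    """Rank over GF(2) of bit-vector rows by elimination on leading bits."""
    pivots = {}
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top not in pivots:
                pivots[top] = r
                break
            r ^= pivots[top]
    return len(pivots)


def count_quadratic_equations(sbox=SBOX, bi_affine=False, skip_zero=False):
    """Linearly independent degree <= 2 relations holding on {(x, sbox[x])}.
    skip_zero=True drops the point x = 0, which is what makes the eighth
    equation of (3.6) hold as well (39 versus 40 in the text above)."""
    mons = monomials(bi_affine)
    rows = [eval_row(x, sbox[x], mons)
            for x in range(256) if not (skip_zero and x == 0)]
    return len(mons) - gf2_rank(rows)
```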

They have noted that the problem of recovering the cipher key of the AES algorithm is the same as solving the overdefined system of quadratic equations, as those kinds of overdefined systems of multivariate equations have already been used for the cryptanalysis of some asymmetric ciphers [2, 37, 53, 54]. Indeed, they have observed that the system for AES-128 can be solved with a complexity of $2^{330}$ by the XL (eXtended Linearization) algorithm [53]; this complexity is, however, far too high to be practical. Presenting the XSL algorithm, they have also shown that the system for AES-128 can be solved with a complexity of $2^{230}$, and that an AES-256 key can be broken with a complexity of $2^{255}$. In addition, they have noted that if cubic equations are considered with the AES S-box, the complexity is about $2^{203}$ in the best case. Finally, they have concluded that the AES algorithm can be described as a system of overdefined and sparse quadratic equations over GF(2), and that the security of the AES algorithm does not grow exponentially with the number of rounds, according to their method of solving the system of overdefined equations. Although there are some concerns about the accuracy of this observation [13, 72, 76] (for example, the correctness of counting the number of linearly independent equations), it seems certain that they have made a great achievement in the design and cryptanalysis of block ciphers, as referred to in [6] as well. The research study reviewed next shows that the complexity of the XSL attack would drop even more in GF($2^8$).

Single field description

The conflict between operations in the two fields, GF($2^8$) and GF(2), is one of the factors that makes the cryptanalysis of the AES algorithm difficult. However, simplifying the linear layer described in Figure 3.4 into a single matrix multiplication M over GF($2^8$), S. Murphy and M. Robshaw have recently defined a block cipher, BES (Big Encryption System) [71], which operates on data blocks of 128 bytes, whose operations are all described in GF($2^8$) only, and in which the AES algorithm can be embedded:

$$R(B, K) = M \cdot B^{(-1)} + K$$

where R, B, and K denote the round function, a plaintext, and a round key respectively. The inversion is the same as that used in the AES algorithm. That is, they have shown that the AES algorithm can be described with simpler algebraic operations in a single field, GF($2^8$). In addition, from observations of the BES algorithm, they have found that the AES encryption can be described by an extremely sparse overdefined multivariate quadratic system over GF($2^8$), and have noted that breaking the AES algorithm is equivalent to solving this system. We outline the main frame of their work below:

• They have first described a state vector A of the AES algorithm as a column vector:

$$A = \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} = (a_{00}, a_{10}, a_{20}, a_{30}, a_{01}, a_{11}, a_{21}, a_{31}, \ldots, a_{33})^T.$$

• Then they have defined the BES algorithm, which has the following relationship with the AES algorithm:

$$AES(A, K) = \varphi^{-1}(BES(\varphi(A), \varphi(K)))$$

where A and K denote the plaintext and the cipher key respectively. Here, we note that a state vector B of the BES algorithm is described by a column vector

$$B = (b_{000}, \ldots, b_{007}, b_{100}, \ldots, b_{107}, \ldots, b_{330}, \ldots, b_{337})^T$$

and the map φ means a vector conjugate,

$$\varphi(a_{ij}) = (b_{ij0}, \ldots, b_{ij7}).$$

• With the AES encryption embedded in the BES framework, they have found that the AES algorithm can be expressed as a system of extremely sparse multivariate quadratic equations. Specifically, they have observed that the encryption of the AES algorithm can be described as an overdefined multivariate quadratic system consisting of 5248 equations over GF($2^8$), and that 3840 of these are extremely sparse quadratic equations and 1408 are linear equations. These equations consist of 7808 terms, made from 2560 state variables and 1408 key variables.

Based on these observations, they have noted that if the XSL algorithm is applied to the above system, then the complexity could be much lower (about $2^{100}$) than if the XSL algorithm is directly applied to the GF(2) system, which is the one that N. Courtois and J. Pieprzyk have considered. They have also commented that “it is clear that many aspects of the AES representation over GF($2^8$) remain to be investigated”.

Some other observations

As well as the significant observations on the AES algorithm referred to above, some other research studies have also made considerable progress in examining the algebraic properties of the AES algorithm. Among them, J. Fuller and W. Millan have observed a linear redundancy of the S-box [30, 31]. Specifically, they have noted that “all the output functions of the AES S-box can be mapped to each other using affine transformations, and hence they are all in the same affine equivalence class” [30]. They have shown that there exist a non-singular matrix $D_{ij}$ and a binary constant $c_{ij}$ which lead to

$$b_j(x) = b_i(D_{ij}\, x) \oplus c_{ij}$$

where $b_i(x)$ and $b_j(x)$ denote two distinct outputs (bits) from the AES S-box ($b_1$ is the least significant bit). The following is an example of the AES S-box equivalence relationships that they have demonstrated:

$$b_2(x) = b_1(D_{12}\, x)$$

$$b_3(x) = b_1(D_{13}\, x) \oplus 1$$

$$b_4(x) = b_1(D_{14}\, x) \oplus 1$$

$$b_5(x) = b_1(D_{15}\, x) \oplus 1$$

$$b_6(x) = b_1(D_{16}\, x)$$

$$b_7(x) = b_1(D_{17}\, x)$$

$$b_8(x) = b_1(D_{18}\, x) \oplus 1.$$

Here, each of $D_{12}, \ldots, D_{18}$ represents an affine transformation using an 8 × 8 matrix over GF(2). For example,

$$D_{12} = \begin{pmatrix} 1&0&1&1&0&0&1&0 \\ 0&1&0&1&0&1&1&0 \\ 0&0&0&1&0&0&1&0 \\ 1&0&0&1&1&0&0&0 \\ 0&1&0&1&1&1&0&0 \\ 1&0&0&0&1&1&1&0 \\ 1&1&0&1&0&0&0&0 \\ 1&0&0&0&1&1&0&1 \end{pmatrix}.$$

Based on these observations, they have mentioned that this equivalence property may lead to new attacks on the AES algorithm, although they have not suggested a practical cryptanalytic method. In addition, they have suggested a non-redundant S-box to replace the original S-box in the AES algorithm [31]. E. Barkan and E. Biham have shown that there exist dual ciphers for the AES algorithm [16]. They have first defined the concept of dual ciphers by saying that if two ciphers E and E′ are isomorphic, that is, if there exist invertible transformations f(·), g(·), and h(·) such that

$$\forall P, K:\quad f(E_K(P)) = E'_{g(K)}(h(P)),$$

where P and K denote the plaintext and the cipher key respectively, then they are called dual ciphers. From this concept, they have observed that the AES algorithm has dual ciphers that are equivalent to the original cipher in all aspects. For the AES algorithm, these dual ciphers can produce the same ciphertext for a given plaintext and a given key by the following equation:

$$\forall P, K:\quad AES_K(P) = f^{-1}\left(DUAL_{g(K)}(h(P))\right).$$

Indeed, they have shown in [16] that hundreds of dual ciphers can be described for the AES algorithm, replacing the irreducible polynomial, the coefficients of the MixColumns transformation, and the affine transformation used for generating the S-box. Based on their observations, they have concluded that “the irreducible polynomial of Rijndael is chosen arbitrarily, and that it is possible to replace the irreducible polynomial of Rijndael by any other irreducible or primitive polynomial without changing the strength of cipher, and even without changing the cipher itself”.

Chapter 4

Cyclic Properties of the AES Algorithm

From this chapter on, we present our further observations on the cryptologic properties of the AES algorithm. In this chapter, we discuss the algebraic properties of the AES algorithm, focusing on the cyclic properties, which have been considered mainly just for the . We examine the cyclic properties of the AES algorithm via each function in the original structure. We first observe, in Section 4.1, the cyclic properties of each function used in the AES algorithm. Then, the cyclic properties of combined functions are considered in Section 4.2. We show that the AES algorithm consists of functions having very short periods, and that these short periods are not improved in the linear layer. We note, however, that when the non-linear layer and the linear layer are combined, the period is dramatically increased. In terms of the cyclic properties of each function, we have found that:

• any input data block of the SubBytes transformation (non-linear layer) returns to the initial state after 277182 (≈ $2^{18}$) repeated applications of the SubBytes transformation; that is, the maximal period of the SubBytes transformation is 277182.

• any input data block of the ShiftRows transformation returns to the initial state after four repeated applications of the operation; that is, the maximal period of the ShiftRows transformation is four.

• any input data block of the MixColumns transformation maps to itself after four repeated applications of the operation. In other words, the maximal period of the MixColumns transformation is four.

In connection with the cyclic properties of combined functions, we have found that:

• when the ShiftRows transformation and MixColumns transformation in the linear layer are considered together, the maximal period is eight; that is, the maximal period of the linear layer is eight.


• when the SubBytes transformation (non-linear layer) and the ShiftRows transformation (in the linear layer) are considered together, the maximal period is 554364 (≈ $2^{19}$).

• more importantly, the maximal period of the composition of the SubBytes transformation (non-linear layer) and the MixColumns transformation (in the linear layer) is 1,440,607,416,177,321,097,705,832,170,004,940 (≈ $2^{110}$), which indicates that although the maximal periods of both the non-linear layer and the linear layer are short, the combination of these two layers brings huge synergy effects in the maximal period.

We note that this chapter is based on the paper [9] published by B. Song and J. Seberry. For future reference, we define $f^n(I) = f \circ f \circ f \circ \cdots \circ f(I)$, the n-fold application of f.

[Figure 4.1 shows one round: the input block $i_{00} \ldots i_{33}$ passes through SubBytes (non-linear layer), then ShiftRows and MixColumns (linear layer), then ⊕ with the RoundKey, giving the output block $O_{00} \ldots O_{33}$.]

Figure 4.1: Elementary structure of the AES algorithm

4.1 Cyclic properties of each function

As previously mentioned, the non-linear layer of the AES algorithm is the SubBytes transformation (S-box), whilst the linear layer consists of two functions, the MixColumns transformation and the ShiftRows transformation. In this section, we observe the maximal period and minimal period of each transformation. We first present a technical method to find the maximal and minimal period of the non-linear layer. This method could also be applicable to other block ciphers if they have byte-oriented non-linear layers.

4.1.1 Cyclic properties of the SubBytes transformation

To obtain the cyclic properties of the non-linear layer of the AES algorithm, we first classify the 256 possible input values of the S-box into five small groups, in each of which every element consecutively maps to another.

Group #1 (maximal period: 87)
f2, 89, a7, 5c, 4a, d6, f6, 42, 2c, 71, a3, 0a, 67, 85, 97, 88, c4, 1c, 9c, de, 1d, a4, 49, 3b, e2, 98, 46, 5a, be, ae, e4, 69, f9, 99, ee, 28, 34, 18, ad, 95, 2a, e5, d9, 35, 96, 90, 60, d0, 70, 51, d1, 3e, b2, 37, 9a, b8, 6c, 50, 53, ed, 55, fc, b0, e7, 94, 22, 93, dc, 86, 44, 1b, af, 79, b6, 4e, 2f, 15, 59, cb, 1f, c0, ba, f4, bf, 08, 30, 04

Group #2 (maximal period: 81)
7c, 10, ca, 74, 92, 4f, 84, 5f, cf, 8a, 7e, f3, 0d, d7, 0e, ab, 62, aa, ac, 91, 81, 0c, fe, bb, ea, 87, 17, f0, 8c, 64, 43, 1a, a2, 3a, 80, cd, bd, 7a, da, 57, 5b, 39, 12, c9, dd, c1, 78, bc, 65, 4d, e3, 11, 82, 13, 7d, ff, 16, 47, a0, e0, e1, f8, 41, 83, ec, ce, 8b, 3d, 27, cc, 4b, b3, 6d, 3c, eb, e9, 1e, 72, 40, 09, 01

Group #3 (maximal period: 59)
00, 63, fb, 0f, 76, 38, 07, c5, a6, 24, 36, 05, 6b, 7f, d2, b5, d5, 03, 7b, 21, fd, 54, 20, b7, a9, d3, 66, 33, c3, 2e, 31, c7, c6, b4, 8d, 5d, 4c, 29, a5, 06, 6f, a8, c2, 25, 3f, 75, 9d, 5e, 58, 6a, 02, 77, f5, e6, 8e, 19, d4, 48, 52

Group #4 (maximal period: 27)
ef, df, 9e, 0b, 2b, f1, a1, 32, 23, 26, f7, 68, 45, 6e, 9f, db, b9, 56, b1, c8, e8, 9b, 14, fa, 2d, d8, 61

Group #5 (maximal period: 2)
73, 8f

* Each value in each group is followed by its substitution value.

Table 4.1: Classifying the substitution values in the S-box

Property 4.1 Every input of the S-box returns to the initial value after some t repeated applications of the substitution. In other words, for any input p of the S-box S,

$$S^t(p) = p.$$

Property 4.2 In Property 4.1, the 256 possible input values of the S-box can be clas- sified into five small groups, as in Table 4.1, according to the values of t. The values of t (the periods of each group) are 87, 81, 59, 27, and 2 respectively.

In Table 4.1, each value in each group is mapped to the value next to it. For example, ‘f2’ → ‘89’ → ‘a7’ → ··· → ‘04’ → ‘f2’, and ‘73’ → ‘8f’ → ‘73’. From Properties 4.1 and 4.2, we now expect that although the SubBytes transformation is a non-linear operation, every input block of the SubBytes transformation is mapped to itself after some repeated applications. From Property 4.2, if we consider the L.C.M (Least Common Multiple) of 87, 81, 59, 27, and 2, we then find the following cyclic properties of the SubBytes transformation.

Property 4.3 For any input block I of the SubBytes transformation,

$$SubBytes^{277182}(I) = I.$$

That is, the maximal period of the SubBytes transformation is 277182.

Property 4.4 For any input block I of the SubBytes transformation, if each byte of I is ‘8f’ or ‘73’, then

$$SubBytes^{2}(I) = I.$$

In other words, the minimal period of the SubBytes transformation is two when each byte in the input block I is ‘8f’ or ‘73’.

Indeed, we see that an input block of the SubBytes transformation,

state0 : f2 71 00 ef 89 10 63 df a7 ca fb 73 5c 74 0f 8f returns to the initial state after 277182 iterations of the SubBytes transformation, and that if each byte in an input block is ‘8f’ or ‘73’ (in group 5) like

state0 : 73 8f 8f 8f 8f 8f 73 8f 8f 73 73 8f 73 8f 73 73,

then this block returns to the initial state after just two iterations of the SubBytes transformation. At this stage we present another property which is immediately obtained from Property 4.3. The following property shows an algebraic relationship between the SubBytes transformation in the encryption procedures and its inverse used in the decryption procedures.

Property 4.5 For any input block I of the SubBytes transformation,

$$SubBytes^{-1}(I) = SubBytes^{277181}(I).$$
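The cycle structure behind Properties 4.1 to 4.5, as an added example (not code from the thesis): it decomposes the FIPS-197 S-box table into the cycles of Table 4.1, takes their least common multiple, computes the period of a given block without iterating 277182 times, and checks Property 4.5; the function names are my own.

```python
"""Cycle structure of the AES S-box and the periods of SubBytes.

Added example, not code from the thesis.  Python 3.9+ (math.lcm)."""
from math import lcm

# The AES S-box as published in FIPS-197; row r holds S(r0) ... S(rf).
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)


def sbox_cycles(sbox=SBOX):
    """Disjoint cycles of the S-box permutation (the groups of Table 4.1),
    longest first; each cycle lists the values in substitution order."""
    seen = [False] * 256
    cycles = []
    for start in range(256):
        if seen[start]:
            continue
        cycle, x = [], start
        while not seen[x]:
            seen[x] = True
            cycle.append(x)
            x = sbox[x]
        cycles.append(cycle)
    return sorted(cycles, key=len, reverse=True)


def byte_periods(sbox=SBOX):
    """Map each byte value to the length of the cycle it lies on."""
    return {x: len(c) for c in sbox_cycles(sbox) for x in c}


def subbytes_max_period(sbox=SBOX):
    """Property 4.3: the L.C.M of all cycle lengths (277182 for AES)."""
    return lcm(*(len(c) for c in sbox_cycles(sbox)))


def block_period(state, sbox=SBOX):
    """Smallest n with SubBytes^n(state) == state: the L.C.M of the cycle
    lengths of the bytes present, since SubBytes acts bytewise."""
    per = byte_periods(sbox)
    return lcm(*(per[b] for b in state))


def subbytes_power(state, n, sbox=SBOX):
    """SubBytes^n(state), reducing n modulo each byte's own cycle length
    so that even n = 277181 costs at most 86 lookups per byte."""
    per = byte_periods(sbox)
    out = bytearray()
    for b in state:
        for _ in range(n % per[b]):
            b = sbox[b]
        out.append(b)
    return bytes(out)


def inverse_sbox_from_period(sbox=SBOX):
    """Property 4.5: S^-1 = S^(T-1) with T the maximal period; the result
    table maps each value x to S^-1(x)."""
    t = subbytes_max_period(sbox)
    return bytes(subbytes_power(bytes([x]), t - 1, sbox)[0] for x in range(256))
```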

4.1.2 Cyclic properties of the ShiftRows transformation

If we consider the shift value (row #0: 0, row #1: 1, row #2: 2, row #3: 3) of each row, as described in Figure 4.2, the maximal period of the ShiftRows transformation is immediately found.

[Figure 4.2 shows a state whose rows each read ♣ ♦ ♥ ♠; after ShiftRows, row 0 is unchanged, row 1 reads ♦ ♥ ♠ ♣, row 2 reads ♥ ♠ ♣ ♦, and row 3 reads ♠ ♣ ♦ ♥.]

Figure 4.2: Illustration of the ShiftRows transformation

Property 4.6 For any input block I of the ShiftRows transformation,

ShiftRows(ShiftRows(ShiftRows(ShiftRows(I))))=I.

In other words, the maximal period of the ShiftRows transformation is four.

Property 4.7 The minimal period of the ShiftRows transformation is one when all bytes in an input block I are the same.

Property 4.6 instantly leads to an algebraic relationship between the ShiftRows trans- formation in the encryption process and its inverse used in the decryption process.

Property 4.8 For any input block I of the ShiftRows transformation,

$$ShiftRows^{-1}(I) = ShiftRows^{3}(I).$$

4.1.3 Cyclic properties of the MixColumns transformation

In terms of the MixColumns transformation, we have found that the maximal period of this function is 4, and that this function does not affect the data transformation for certain types of input blocks. Let us look once again at the algebraic structure of the MixColumns transformation described in Chapter 2. As previously described, each input column $I_c$ (four bytes) is considered as a polynomial over GF($2^8$) and multiplied modulo $x^4 + 1$ with a fixed polynomial

$$f(x) = 03 \cdot x^3 + 01 \cdot x^2 + 01 \cdot x + 02.$$

This can be written as a matrix function (matrix multiplication)

$$MixColumn(I_c) = M(I_c) = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \cdot \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} \qquad (4.1)$$

where

$$I_c = \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}.$$

Here, if we look carefully at the matrix M in equation (4.1), we see that

$$M(M) = \begin{pmatrix} 05 & 00 & 04 & 00 \\ 00 & 05 & 00 & 04 \\ 04 & 00 & 05 & 00 \\ 00 & 04 & 00 & 05 \end{pmatrix}, \qquad M(M(M)) = \begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}$$

and

$$M(M(M(M))) = \begin{pmatrix} 01 & 00 & 00 & 00 \\ 00 & 01 & 00 & 00 \\ 00 & 00 & 01 & 00 \\ 00 & 00 & 00 & 01 \end{pmatrix}.$$

As a consequence we see that for any $I_c$

$$M(M(M(M(I_c)))) = I_c. \qquad (4.2)$$

If we now consider equation (4.2) for all four columns in an input block of the MixColumns transformation, then we finally find the following two properties.

Property 4.9 For any input block I (16 bytes) of the MixColumns transformation,

MixColumns(MixColumns(MixColumns(MixColumns(I)))) = I.

In other words, the maximal period of the MixColumns transformation is four.

Indeed, from a randomly chosen example below, we see that the initial state (state0) of the MixColumns transformation is mapped to itself after four iterations of the MixColumns transformation. In the following example, stater denotes the state after r iterations of the MixColumns transformation:

state0 : 26 17 66 f0 10 69 ab 01 63 09 cd 65 03 11 ef 00

state1 : 1c 8d 08 9d a0 cf 88 5d f5 5f 66 3b 1f 7b 09 6f

state2 : 29 6f fc 92 5c 92 a0 05 6c 71 57 07 4f ea e4 04

state3 : 95 e8 ab 33 6a 29 ba 95 7c 3a c5 95 d5 9d 3b a7

state4 : 26 17 66 f0 10 69 ab 01 63 09 cd 65 03 11 ef 00.

From equation (4.1), we also note the somewhat surprising property that if all four bytes of $I_c$ are the same, that is, $b_0 = b_1 = b_2 = b_3$, then the matrix multiplication does not influence the data transformation; that is,

$$M(I_c) = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \cdot \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = I_c. \qquad (4.3)$$

This means that if we consider equation (4.3) for all four columns in an input block of the MixColumns transformation, then we see the following property.

Property 4.10 The minimal period of the MixColumns transformation is one when the bytes are the same in each column.

For example, if an input block of the MixColumns transformation is

state0 : 26 10 ab de 26 10 ab de 26 10 ab de 26 10 ab de, then we see that the state after the MixColumns transformation is also

state1 : 26 10 ab de 26 10 ab de 26 10 ab de 26 10 ab de.

Property 4.10 includes the fact that if all bytes in an input block of the MixColumns transformation are the same, then the MixColumns transformation does not affect the data transformation. From Property 4.9, we also immediately find an algebraic relationship between the MixColumns transformation in the encryption process and its inverse used in the decryption process.

Property 4.11 For any input block I of the MixColumns transformation,

$$MixColumns^{-1}(I) = MixColumns^{3}(I).$$

4.2 Cyclic properties of combined functions

We now observe the cyclic properties when the above functions are combined. We first observe the cyclic properties of the linear layer. Then we discuss the cyclic properties when the linear layer and the non-linear layer are combined.

4.2.1 Cyclic properties of the linear layer

The cyclic properties of the linear layer are observed when the ShiftRows transformation and the MixColumns transformation are considered together. Considering that the maximal period of the ShiftRows transformation is four, and the maximal period of the MixColumns transformation is also four, we obtain the following property concerning the maximal period of the linear layer.

Property 4.12 Any input block I of the linear layer is mapped to itself after eight repeated applications of the linear layer. In other words, the maximal period of the linear layer is eight.

In this case, we note that the maximal period of the linear layer is the addition of the maximal period of the ShiftRows transformation and that of the MixColumns transformation. This is because every byte in each row returns to the initial position after four iterations of the ShiftRows transformation, without change in value by the ShiftRows transformation itself. Property 4.12 has also been verified by our implementation, and the following is a randomly chosen example of this property. In the following example, state0 denotes the initial state of the linear transformation, and stater denotes the state after r iterations of the linear transformation.

state0 : 26 17 66 f0 10 69 ab 01 63 09 cd 65 03 11 ef 00

state1 : 3a ae bd 2d b8 f6 d0 24 ce 73 92 d8 ce f1 ea d7

state2 : 30 3a 32 10 b7 a8 4d 39 91 9c 16 56 9f 66 cf 73

state3 : e6 6a d8 b1 32 c5 8e 15 21 61 98 ce 08 70 32 9e

state4 : 85 9b c5 7c 5a 2c e1 44 b1 7b 1f 17 4b ee a7 ff

state5 : 85 49 02 ca 03 30 6b e2 8d 89 d1 22 42 d6 66 f0

state6 : 60 4f 62 65 7d bb 87 2a 07 a0 80 6a 8e 16 de 03

state7 : 95 e8 ab 33 95 6a 29 ba c5 95 7c 3a 9d 3b a7 d5

state8 : 26 17 66 f0 10 69 ab 01 63 09 cd 65 03 11 ef 00

Now, looking at the minimal periods of the ShiftRows transformation and the Mix- Columns transformation together, we also see the following property, which shows the minimal period of the linear layer.

Property 4.13 Any input block I of the linear layer, in which all bytes are the same, is mapped to itself after one application of the linear layer. That is, the minimal period of the linear layer is one.

This property means that if all bytes in the input block are the same, then the linear layer does not affect the data transformation at all.
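Properties 4.9 to 4.13 checked on the states printed above, as an added example (not the implementation the thesis refers to): the powers of the MixColumns matrix M of equation (4.1) are reproduced, the states are read row by row exactly as printed, and the period of each map is measured directly; the function names are my own.

```python
"""Periods of MixColumns, ShiftRows and the AES linear layer.

Added example, not code from the thesis.  A 16-byte state is held in the
row-by-row order printed in the thesis, i.e. index 4*i + j is row i,
column j.  Standard library only."""
POLY = 0x11B  # AES field polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


# The MixColumns matrix M of equation (4.1) and the 4x4 identity.
M = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]


def mat_mul(a, b):
    """Product of two 4x4 matrices over GF(2^8)."""
    out = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for j in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(a[i][k], b[k][j])
            out[i][j] = acc
    return out


def mat_power(a, n):
    """a^n over GF(2^8); mat_power(M, 2) and mat_power(M, 3) are M(M) and M(M(M))."""
    r = IDENTITY
    for _ in range(n):
        r = mat_mul(r, a)
    return r


def mix_columns(state):
    """MixColumns: column j is (state[j], state[4+j], state[8+j], state[12+j])."""
    out = bytearray(16)
    for j in range(4):
        col = [state[4 * i + j] for i in range(4)]
        for i in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(M[i][k], col[k])
            out[4 * i + j] = acc
    return bytes(out)


def shift_rows(state):
    """ShiftRows: row i is rotated left by i positions (Figure 4.2)."""
    out = bytearray(16)
    for i in range(4):
        for j in range(4):
            out[4 * i + j] = state[4 * i + (j + i) % 4]
    return bytes(out)


def linear_layer(state):
    """The linear layer of Figure 4.1: ShiftRows followed by MixColumns."""
    return mix_columns(shift_rows(state))


def period(f, state, limit=64):
    """Smallest n >= 1 with f^n(state) == state, or None if not found within limit."""
    s = state
    for n in range(1, limit + 1):
        s = f(s)
        if s == state:
            return n
    return None


# state0 of the MixColumns and linear-layer walks printed in the thesis.
STATE0 = bytes.fromhex("261766f01069ab016309cd650311ef00")
```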

4.2.2 Cyclic properties of the combined layer

When the SubBytes transformation (non-linear layer) and the ShiftRows transformation (in the linear layer) are combined, we obtain the following cyclic property from the L.C.M of the two maximal periods.

Property 4.14 Any input block I of the composition of the SubBytes transformation and the ShiftRows transformation is mapped to itself after 554364 repeated applications of the composition. In other words, the maximal period of the composition of the SubBytes transformation and the ShiftRows transformation is 554364.

If we consider the minimal periods of these two operations, then we also find the following property.

Property 4.15 For any input block I of the composition of the SubBytes transformation and the ShiftRows transformation, if all bytes in the input block I are the same and are either ‘73’ or ‘8f’, then this block is mapped to itself after two repeated applications of the composition. That is, the minimal period of the composition of the SubBytes transformation and the ShiftRows transformation is two.

At this stage, we realise that the short periods of the AES functions are not improved even in the compositions which we have considered up until now. But, more importantly, we now show that although the maximal periods of both the non-linear layer and the linear layer are short as previously shown, the maximal period is dramatically increased when the non-linear layer and the MixColumns transformation in the linear layer are considered together. To do this, we first change the order of the SubBytes transformation and the ShiftRows transformation, as shown in Figure 4.3 (b) (the order of these two functions is changeable). We then consider the S-box and the MixColumns transformation together. As a result, we obtain an extended S-box, ES-box, which consists of $2^{32}$ non-linear substitution paths, as shown in Figure 4.3 (c) and Table 4.2.

x     : 0x00000000  0x00000001  ···  0xabcdef12  ···  0xffffffff
        ↓           ↓                 ↓                ↓
ES(x) : 0x63636363  0x7c7c425d  ···  0x0eb03a4d  ···  0x16161616

Table 4.2: ES-box

Now, using the same concept as was used to obtain Property 4.2, we classify the $2^{32}$ four-byte input values of the ES-box into 52 small groups according to their periods. Table 4.3 shows the classification of all substitution values in the ES-box, which has been obtained from our analysis (see Appendix A for more details).

[Figure 4.3 shows three round diagrams on the input block $i_{00} \ldots i_{33}$, each ending with ⊕ of the round key and the output block $O_{00} \ldots O_{33}$: (a) the original order S-box → ShiftRows → MixColumns; (b) the re-ordered round ShiftRows → S-box → MixColumns; (c) ShiftRows → ES-box, where the ES-box merges the S-box and MixColumns.]

Figure 4.3: Re-ordering of SubBytes and ShiftRows

The number of values in each group (which is the period of every value in that group) is 1,088,297,796 ($\approx 2^{30}$), 637,481,159 ($\approx 2^{29}$), 129,021,490 ($\approx 2^{27}$), 64,376,666 ($\approx 2^{26}$), and so on. From these values we finally find the following property.

Property 4.16 The maximal period of the composition of the SubBytes transformation (non-linear layer) and the MixColumns transformation (in the linear layer) is 1,440,607,416,177,321,097,705,832,170,004,940 ($\approx 2^{110}$).

Here, we note that the maximal period of this composition is the largest L.C.M. of any four values in Table 4.3, because one input block consists of four columns and each column is substituted by the ES-box independently of the others. In very rare cases, where every column of an input block I is one of ‘73737373’, ‘8f8f8f8f’, ‘5da35da3’, ‘c086c086’, ‘a35da35d’ or ‘86c086c0’ (each of these values is mapped to itself after two iterations of the ES-box: see Appendix A), for example the block (written row by row, so that its four columns are 8f8f8f8f, c086c086, 73737373 and 5da35da3)

state0 : 8f c0 73 5d 8f 86 73 a3 8f c0 73 5d 8f 86 73 a3,

the period of the composition of the SubBytes transformation and the MixColumns transformation is two (this is the minimal period of the composition of the non-linear layer and the MixColumns transformation in the linear layer).

Table 4.3: Classifying the substitution values in the ES-box (the number of values in each of the 52 groups, which is also the period of the values in that group)

1088297796, 637481159, 637481159, 637481159, 637481159, 129021490, 129021490, 129021490, 129021490, 64376666, 64376666, 11782972, 39488, 16934, 13548, 13548, 10756, 7582, 5640, 5640, 3560, 1902, 1902, 548, 548, 136, 90, 90, 87, 81, 59, 47, 47, 47, 47, 40, 36, 36, 27, 24, 21, 21, 15, 15, 12, 8, 4, 4, 4, 2, 2, 2

e.g. period of group #1: 1088297796; period of group #2: 637481159; period of group #6: 129021490; period of group #12: 11782972.

If all bytes in an input block I of the composition of the SubBytes transformation and the MixColumns transformation are the same, then we find the following property, because this block leads to an output block in which all bytes are the same.

Property 4.17 For any input block I of the composition of the SubBytes transformation and the MixColumns transformation, if all bytes in I are the same, then the period of this composition is the same as the period of the S-box.

For example, if the bytes in an input block I of the combined function of the SubBytes transformation and the MixColumns transformation are all ‘f2’, then this block is mapped to itself after 87 iterations of this combined function, because the MixColumns transformation does not affect the data transformation (see Group #1 in Table 4.1 and Period 87 in Appendix A). If all the bytes in an input block I of the combined function of the SubBytes transformation and the MixColumns transformation are ‘8f’, then this block is mapped to itself after two repeated applications of this combined function.

4.3 Comparison with DES

Although the cryptographic structure of the AES algorithm is different from that of DES, we can compare the cyclic properties of these two algorithms. Among several research studies on the cyclic properties of DES [10, 14, 35, 36, 69, 70], we first refer to the following observations on the linear diffusion layer (the 32-bit permutation of Table 4.4, applied at the end of each round), made by S. Murphy and M. Robshaw [69, 70]:

• the minimal polynomial of the linear diffusion layer of DES has degree 56, namely

$$m(x) = (1 + x + x^2)^4 \,(1 + x + x^2 + x^3 + x^4)^4 \,(1 + x + x^2 + x^4 + x^6 + x^7 + x^8)^4 ;$$

• the minimal period of the linear diffusion layer of DES is 1020.

Comparing the above properties with Property 4.12, we see that the linear diffusion layer of the AES algorithm has a much shorter period than that of DES. From the viewpoint of the data mixing effect (recall Definition 3.9), we also see that the AES linear layer ($2^{3}/2^{128}$) is worse than the DES linear layer ($1020/2^{32}$).

Table 4.4: P-box of DES (the 32-bit permutation applied at the end of each round; output bit i is taken from input bit P[i])

    16   7  20  21  29  12  28  17
     1  15  23  26   5  18  31  10
     2   8  24  14  32  27   3   9
    19  13  30   6  22  11   4  25

We now refer to the cyclic property of the whole structure of DES, discussed in [14, 35]. In terms of the cyclic structure of DES, B. Kaliski, R.L. Rivest and A. Sherman announced that a small cycle had been found when alternately encrypting with the all-zeroes and the all-ones key. Specifically, they showed that when a 64-bit input is alternately encrypted with the all-zeroes key and the all-ones key, the input is reproduced after about $2^{33}$ iterations [14]. Motivated by this observation, J.H. Moore and G.J. Simmons did further studies on the cyclic structure of DES, using weak and semi-weak keys [35, 36]. Indeed, they presented further weak keys which cause the DES structure to have a cycle of $2^{32}$. The following are two examples of the weak keys disclosed by their observations (written in binary, one byte per group):

00000001 00000001 00000001 00000001 00000001 00000001 00000001 00000001 (hex 01 01 01 01 01 01 01 01)

11111110 11111110 11111110 11111110 11111110 11111110 11111110 11111110 (hex fe fe fe fe fe fe fe fe)

At this stage, we note in advance that the AES structure would have a much shorter cycle than DES if the AES key schedule had a weakness. We discuss the short period of the AES structure in more detail in the next chapter.

In this chapter, we have discussed the cyclic properties of the AES algorithm. We have shown that the functions used in the AES algorithm have short periods and that these short periods are not improved even in the linear layer. However, we have also shown that when the non-linear layer and the linear layer are combined, the composition brings remarkable synergy effects in increasing the maximal period. In the next chapter, we discuss the impact of the cyclic properties on the security of the AES algorithm, focussing more on the data blocks which cause the AES functions to have the minimal periods.

Chapter 5

Security Impact of the Cyclic Property

In this chapter, we discuss the impact of the cyclic properties on the security of the AES algorithm. We show that in the AES algorithm, data blocks for which the elementary structure (the whole composition of the SubBytes transformation, the ShiftRows transformation, and the MixColumns transformation) has short periods are apt to have a hidden simple algebraic relationship with their corresponding output blocks. To do this, we first find the input blocks for which the elementary structure has the shortest periods. As outlined in the previous chapter, the composition of the non-linear layer and the linear layer brings huge synergy effects in improving the periods, but the elementary structure has very short periods for certain types of input blocks. We then show that there are simple algebraic relationships, which are unusual and undesirable from the cryptologic point of view, between those input blocks and their corresponding output blocks. We have found that:

• any input block of the elementary structure of the AES algorithm in which all the bytes are the same always leads to an output block in which all the bytes are the same.

• in this case, the ShiftRows transformation and the MixColumns transformation do not affect the data transformation, and so the effect of mixing data (see Definition 3.9) depends on only the S-box.

This chapter is based on the paper [9] published by B. Song and J. Seberry.

5.1 Cyclic properties of the elementary structure

We first discuss the cyclic properties in the whole composition of the non-linear layer and the linear layer. Summing up the previous observations, we find some considerable cyclic properties in the entirely combined layer, which may reveal that the AES algorithm has some undesirable weaknesses in its algebraic structure. At this stage, we recall in more detail the concept of the effect of mixing data, defined in Definition 3.9, with an example. Let us consider a primitive polynomial

$$f(x) = x^n + c_{n-1}x^{n-1} + c_{n-2}x^{n-2} + \cdots + c_2 x^2 + c_1 x + 1$$

over $GF(2)$. The number of possible states of the LFSR (Linear Feedback Shift Register) generated by $f(x)$ is $2^n - 1$ (excluding the all-zero state), and the maximal period of this LFSR is $2^n - 1$. This means that every state returns to the initial state after $2^n - 1$ repeated actions of the LFSR, and that every non-zero state is visited on the way. If $f(x)$ is not a primitive polynomial, then the maximal period of the LFSR is never $2^n - 1$. In other words, not all possible states of the LFSR can appear, and some states are always missed. If the state of the LFSR returns to the initial state after $p$ iterations, then $2^n - 1 - p$ states do not appear among all $2^n - 1$ possible states. In this case we say that the effect of mixing data is $p/(2^n - 1)$. We have just briefly connected the cyclic property to the effect of mixing data. We now observe the cyclic property (and so the effect of mixing data) in the elementary structure of the AES algorithm, taking into account that the number of possible block states of the AES algorithm is $2^{128}$.

Property 5.1 For any input block I of the whole composition of the non-linear layer and the linear layer (the SubBytes transformation, the ShiftRows transformation and the MixColumns transformation), if all bytes in I are the same, then all bytes in the output block are also the same.

In the case above, the whole composition of the non-linear layer and the linear layer is equivalent to a single active s-box (substitution path) in its effect on the data transformation, because the ShiftRows transformation and the MixColumns transformation do not contribute to the data transformation. For example, if an input block is

state0 : d2 d2 d2 d2 d2 d2 d2 d2 d2 d2 d2 d2 d2 d2 d2 d2,

then the output block of the entire layer is

state1 : b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5.

Property 5.2 For any input block I of the whole composition of the non-linear layer and the linear layer, if all bytes in I are equal to i (any value), then the period of the whole composition for this input block is the same as the period of the S-box for i.

For example, if the bytes in an input block I of the whole composition of the non-linear layer and the linear layer are all ‘ef’, then this input block is mapped to itself after 27 iterations of the composition. This means that the effect of mixing data in the composition is $e = 27/2^{128}$ ($2^{128}$ is the number of all possible blocks presented by 128 bits), and that this effect depends only on the S-box (the period of the S-box for ‘ef’ is 27, as shown in Table 4.1).

Property 5.3 For any input block I of the whole composition of the non-linear layer and the linear layer, if all bytes in I are the same and are either ‘73’ or ‘8f’, then I is mapped to itself after two iterations of the composition. In other words, the minimal period of the whole composition of the non-linear layer and the linear layer is two (and so the minimal effect of mixing data is $e = 2/2^{128}$).

5.2 Cryptologic impact

Given the above properties, we can see that the elementary structure of the AES algorithm has unusual cryptologic properties for the input blocks in which all bytes are the same. We now show that the AES algorithm would have considerable weaknesses in the cipher itself for the plaintexts in which all bytes are the same, if the key schedule did not break the pattern. We discuss AES-128 here because the result is the same in the other cases. Let us assume that the AES key expansion routine had the same property as the cipher part (data processing part) of the AES algorithm. That is, let us assume, contrary to the original key schedule of the AES algorithm, that for a Cipher Key in which all bytes are the same the key expansion routine generated Round Keys in which each round key has all its bytes the same (this does not actually happen in the original key schedule). For example, as illustrated in Figure 5.1, suppose that the initial Round Key consists of all ‘26’, that the first Round Key consists of all ‘10’, ......, and that the tenth Round Key consists of all ‘bd’. Then, if we consider the encryption procedure, we see that, regardless of the number of rounds, any plaintext in which all bytes are the same leads to a ciphertext in which all bytes are the same. That is, in Figure 5.1, if the plaintext

P : 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

is encrypted with the above Round Keys, then this plaintext leads to a ciphertext in which all bytes are the same:

C : 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11

This means that if anyone used, for encryption, a Cipher Key in which all bytes are the same under such a key schedule, then attackers would easily become aware of this fact with a chosen plaintext in which all bytes are the same, and once they realised it, it would be easy to find the Cipher Key: the effect of the whole encryption would be the same as the effect of only 10 (the number of rounds) active s-boxes. However, we note that this scenario does not occur with the original key schedule of the AES algorithm, because plaintexts having short periods are not able to keep their short periods under the original key schedule. For example, let us consider the simplest case, in which a plaintext in which all bytes are ‘73’ is encrypted with a Cipher Key in which all bytes are ‘00’. In this case, as shown in Property 5.3, the period of the whole composition of the SubBytes transformation, the ShiftRows transformation and the MixColumns transformation is two for the intermediate text

Int0 : 73 73 73 73 73 73 73 73 73 73 73 73 73 73 73 73

after the initial round key addition. However, we have observed that the period of the composition of the SubBytes transformation and the MixColumns transformation becomes 1,088,297,796 ($\approx 2^{30}$) for the intermediate text

Int1 : ed ed ed ed ec ec ec ec ec ec ec ec ec ec ec ec

after the first round key addition (the first Round Key derived from the all-‘00’ Cipher Key is no longer a block of equal bytes). From these observations, we see that for certain types of data blocks the AES algorithm has algebraic weaknesses in the cipher itself, but that the key schedule covers these weaknesses.

Figure 5.1: Simple plaintext-ciphertext algebraic relationship in the cipher itself. Every state in the figure has all 16 bytes equal, so each state is written as a single byte: plaintext 6b; ⊕ RK0 (26) gives 4d; round 1 with RK1 (10) gives f3; ...; the input to round 9 is 80, which after SubBytes and ⊕ RK9 (67) gives aa; round 10 with RK10 (bd) gives the ciphertext 11.

5.3 Interim conclusion

So far, we have summarised our further observations on the cyclic properties of the AES algorithm and their impact on its security. Specifically, we have shown that the maximal period of each function used in the AES algorithm is short (the effect of mixing data is very small), and that the maximal period of the composition of the functions in the linear layer is short as well. However, we have also shown that the composition of the non-linear layer and the linear layer brings remarkable synergy effects in raising the maximal period. This means that although the functions used in the AES algorithm are mathematically simple and ineffective in mixing data, this cipher is much more complicated when all the functions are combined. But we have also observed that for some data blocks, which cause the AES elementary structure to have the shortest periods, the AES algorithm has considerable weaknesses in the cipher itself: input blocks in which all bytes are the same always lead to output blocks in which all bytes are the same. Summing up our observations, we see that in the AES structure

• the composition of the non-linear layer and the linear layer has extremely long periods for most data blocks, so this structure yields a complicated algebraic relationship between the input blocks and the output blocks.

• but even this composition has short periods for some data blocks, so this structure causes a very simple algebraic relationship between the input blocks and their corresponding output blocks.

We summarise here why some data blocks (the data blocks in which all bytes are the same) are obliged to have such a simple relationship with their corresponding output blocks even in the whole composition of the non-linear layer and the linear layer. Let us look at the matrix function MixColumn used in the MixColumns transformation once again. The branch number of this function is five, so this function leads to 25 active s-boxes over four rounds of the AES algorithm for a one-non-zero-byte input difference. This property makes the four-round characteristic probability $P$ of the AES algorithm at most $2^{-150}$. If the branch number of the function MixColumn were four, then the number of active s-boxes after the fourth round would be 20 at most, and the four-round characteristic probability would be $P = 2^{-120}$. From the above, we see that the function MixColumn has admirable advantages against Differential Cryptanalysis. However, from the stream cipher point of view, this function has such a short period that it can provide a simple algebraic relationship between an input state and the corresponding output state. Let us recall Section 4.1.3. The maximal period of MixColumn is four, so the effect of mixing data is $4/2^{32}$. Given that the maximal period of a 32-degree LFSR (Linear Feedback Shift Register) is $2^{32} - 1$, we see that this period of MixColumn is very short. As previously shown, this function does not influence the data transformation for the inputs in which all bytes are the same, and so the outputs are the same as the inputs. As a result, this property of MixColumn makes the data blocks in which all bytes are the same lead to output blocks in which all bytes are the same, even in the whole composition of the non-linear layer and the linear layer. In this case, the data transformation depends on just a single active s-box, because the ShiftRows transformation does not affect the data transformation either.

From our observations, we see that the function MixColumn enables the AES algorithm to be secure against DC, as previously known; but, at the same time, the fact that this function does not affect the data transformation for the input in which all bytes are the same leads the AES algorithm to have an unusual property in the cipher itself for the input blocks in which all bytes are the same.

Chapter 6

Distinctive Output Properties of the AES Algorithm

In this chapter, we discuss our observations on distinctive output properties of the AES algorithm. We first observe some differential properties of the AES S-box. We then find some distinctive output properties of the matrix multiplication, MixColumn. Finally, we discuss consistent differential patterns of the AES algorithm. Before discussing the consistent differential patterns of the AES algorithm, we first define the concept of the consistent differential pattern of the block cipher. In terms of the consistent differential patterns of the AES algorithm, we have found that

• if two plaintexts of this cipher differ by only one byte, then there are always four pairs of bytes in the second-round output difference, with each pair having the same value (this pattern is consistent as long as the two plaintexts differ by only one byte).

• if two plaintexts of this cipher differ by up to four bytes in certain positions, then the above pattern appears in the second-round output difference as well.

• for any $2^{8n}$ plaintexts which vary in certain $n$ bytes, if one of these plaintexts is paired with each of the other plaintexts, then any output difference is equal to the XOR of the other output differences after the third round.

• for any $2^{32}$ plaintexts which vary in certain four bytes and are the same in the other bytes, there exist some consistent differential patterns between the fourth-round intermediate texts.

• for any set of $2^{32}$ plaintexts considered above, there exists a consistent differential pattern between the fifth-round intermediate texts.


This chapter is organised as follows: some differential properties of the S-box are observed in Section 6.1; then some distinctive output properties of MixColumn (the matrix multiplication used in the MixColumns transformation) are considered in Section 6.2; and finally the consistent differential patterns of the AES algorithm are discussed in Section 6.3. This chapter is based on the papers [7], published by B. Song, H. Wang and J. Seberry, and [8], published by B. Song and J. Seberry.

6.1 Differential properties of the S-box

We now discuss our further observations on the differential properties of the AES S-box. As mentioned in Section 2.3, the AES S-box, which is the non-linear operation consisting of 256 substitution paths, is generated by two functions, the inversion $f(x) = x^{-1}$ in $GF(2^8)$ (with ‘00’ mapped onto itself) and an affine transformation over $GF(2)$. Given that this kind of function $f(x) = x^{-1}$ in $GF(2^n)$, with $f(0) = 0$, is differentially 2-uniform for odd $n$ and differentially 4-uniform for even $n$ (the highest probability of a non-trivial one-round differential is $2/2^n$ and $4/2^n$ respectively) [42], we can expect the AES S-box to have uniform differential characteristics.

6.1.1 Distribution of output differences

We first discuss some distinctive output properties of the AES S-box observed from our exhaustive computer search. The following property shows that the AES S-box yields well-distributed output differences for any input difference.

Property 6.1 For any input difference ∆x of the AES S-box, a certain output differ- ence ∆y always appears twice while the other output differences appear just once.

The following data shows, for each input difference, the output difference which appears twice. For example, for the input difference ‘01’, the value ‘1f’ appears twice in the output differences; and for the input difference ‘ff’, the value ‘75’ appears twice in the output differences (see also Figure 6.1, in which an example of Property 6.1 is illustrated for ∆x = ‘ff’).

01:1f, 02:14, 03:18, 04:91, 05:08, 06:0c, 07:a6, 08:53, 09:62, 0a:04, 0b:48, 0c:9d, 0d:b4, 0e:c8, 0f:15, 10:a9, 11:e1, 12:aa, 13:1e, 14:99, 15:3a, 16:24, 17:93, 18:ce, 19:b7, 1a:c1, 1b:cc, 1c:ff, 1d:c7, 1e:11,

1f:a3, 20:d4, 21:9e, 22:f0, 23:45, 24:55, 25:5c, 26:94, 27:af, 28:57, 29:c6, 2a:86, 2b:92, 2c:12, 2d:bb, 2e:52, 2f:76, 30:67, 31:a4, 32:40, 33:a0, 34:7b, 35:f5, 36:66, 37:f9, 38:64, 39:71, 3a:e3, 3b:81, 3c:88, 3d:44, 3e:d1, 3f:16, 40:6a, 41:e0, 42:4f, 43:79, 44:78, 45:0d, 46:39, 47:c3, 48:31, 49:58, 4a:b5, 4b:d0, 4c:4a, 4d:80, 4e:4c, 4f:e7, 50:30, 51:b2, 52:63, 53:8e, 54:43, 55:9f, 56:d2, 57:38, 58:09, 59:a8, 5a:dd, 5b:5a, 5c:29, 5d:2f, 5e:3b, 5f:ac, 60:b3, 61:8c, 62:c9, 63:98, 64:20, 65:2e, 66:50, 67:e6, 68:26, 69:9a, 6a:61, 6b:1c, 6c:33, 6d:5f, 6e:fc, 6f:cb, 70:32, 71:c0, 72:23, 73:ec, 74:f1, 75:fe, 76:5b, 77:96, 78:df, 79:d5, 7a:b9, 7b:42, 7c:73, 7d:9c, 7e:90, 7f:b1, 80:ae, 81:6f, 82:70, 83:8f, 84:3c, 85:f4, 86:27, 87:74, 88:a7, 89:c4, 8a:1d, 8b:5e, 8c:07, 8d:3e, 8e:7a, 8f:10, 90:03, 91:e2, 92:2c, 93:bf, 94:41, 95:49, 96:f3, 97:eb, 98:25, 99:8d, 9a:db, 9b:77, 9c:bd, 9d:3d, 9e:68, 9f:b8, a0:83, a1:51, a2:59, a3:69, a4:2a, a5:65, a6:47, a7:3f, a8:a1, a9:b0, aa:cf, ab:01, ac:f2, ad:f6, ae:87, af:1a, b0:84, b1:ab, b2:54, b3:0e, b4:ee, b5:b6, b6:2d, b7:ca, b8:0f, b9:35, ba:97, bb:89, bc:06, bd:19, be:cd, bf:6b, c0:d9, c1:1b, c2:46, c3:4d, c4:7f, c5:c5, c6:d7, c7:a5, c8:8b, c9:be, ca:17, cb:7c, cc:28, cd:de, ce:e8, cf:e9, d0:13, d1:5d, d2:d6, d3:05, d4:2b, d5:60, d6:95, d7:6d, d8:02, d9:56, da:34, db:da, dc:e5, dd:a2, de:7e, df:fd, e0:82, e1:9b, e2:fb, e3:72, e4:0a, e5:ba, e6:ed, e7:f7, e8:f8, e9:7d, ea:e4, eb:8a, ec:ad, ed:36, ee:4b, ef:bc, f0:ef, f1:c2, f2:ea, f3:6e, f4:dc, f5:85, f6:21, f7:0b, f8:22, f9:fa, fa:4e, fb:6c, fc:d3, fd:37, fe:d8, ff:75.

Figure 6.1: Example of the distribution of output differences in the S-box, for ∆x = ‘ff’. The S-box maps 0x00→0x63, 0x01→0x7c, 0x02→0x77, ..., 0x49→0x3b, ..., 0xb6→0x4e, ..., 0xfd→0x54, 0xfe→0xbb, 0xff→0x16; the input pairs (0x00, 0xff) and (0x49, 0xb6) both give ∆y = ‘75’, whereas (0x01, 0xfe) gives ‘c7’ and (0x02, 0xfd) gives ‘23’.

From Property 6.1, we also see the following property, which shows that in the AES S-box the number of possible output differences is fixed regardless of the input difference (see Appendix B for examples).

Property 6.2 For any input difference ∆x of the AES S-box, the number of possible output differences is always 127.

6.1.2 Relationship between the S-box and the keys

We now discuss some correlations between the S-box and the keys. Let us consider two inputs x and x′ of the S-box-alone structure described in Figure 6.2. If these two inputs are XORed with a certain key and pass through the S-box, then we obtain two outputs y and y′ and the corresponding output difference ∆y. Taking into account Property 6.1, that for any input difference of the S-box the same value appears at most twice in the output differences, we see that at most four keys (two keys for each of the two pairs giving that output difference) can make the same output difference for these two inputs x and x′. From our computer search, we have found that if we consider five inputs (that is, four input differences: pairing one of the five inputs with each of the other inputs), then each key yields a unique combination of four output differences. For example, let us suppose that five inputs ‘00’, ‘ff’, ‘26’, ‘66’, and ‘bb’ are encrypted with the key ‘00’ in this structure. We then see the five corresponding outputs ‘63’, ‘16’, ‘f7’, ‘33’ and ‘ea’. If we pair the first input ‘00’ with the other four inputs, then we see the four input differences ‘ff’, ‘26’, ‘66’, and ‘bb’. In this case, the corresponding four output differences are ‘75’, ‘94’, ‘50’ and ‘89’, and no other key yields these four output differences for the five inputs (note: if we consider only the first two inputs ‘00’ and ‘ff’, then we see that three other keys, ‘ff’, ‘49’ and ‘b6’, also yield the same output difference ‘75’).

Figure 6.2: Substitution in the S-box. Two inputs x and x′ with input difference ∆x are each XORed with the key and passed through the S-box (0x00→0x63, 0x01→0x7c, 0x02→0x77, 0x03→0x7b, 0x04→0xf2, 0x05→0x6b, 0x06→0x6f, ..., 0xff→0x16), giving the outputs y and y′ with output difference ∆y.

6.1.3 Relationship between the ES-box and the keys

The differential properties of the S-box observed in the previous section still remain in the composition of the S-box and MixColumn, because MixColumn is a linear function. To look into the differential properties of the composition, we consider the ES-box described in Table 4.2. If we consider the ES-box instead of the S-box in the structure of Figure 6.2, then we see that for any input difference ∆x (four bytes), at most 256 (4 × 4 × 4 × 4) keys lead to the same output difference (and at least 16 (2 × 2 × 2 × 2) keys make the same output difference). Of course, even in this structure, each key yields a unique combination of four output differences for any five inputs. This means that in the structure of Figure 6.3, if five input-output pairs are known, then only one pair of key0 and key1 is determined. The following is a randomly chosen example:

1. Let us suppose that a pair, input x and output y, is known for the structure of Figure 6.3. That is, x=(32 5a 98 34) and y=(a4 9c 7f f2).

2. To find the key pair of key0 and key1 used for the encryption, if we try all the substitution paths in the ES-box, then we find $2^{32}$ possible key pairs (one key1 for each choice of key0).

3. Now, let us consider another input-output pair x′ = (25 b5 ae 79) and y′ = (83 5f 87 68) (∆x = (17 ef 36 4d), ∆y = (27 c3 f8 9a)). If we apply step 2 to this input-output pair, then we also find another $2^{32}$ possible key pairs.

4. If we select the key pairs common to step 2 and step 3, then one of these key pairs is the key pair actually used. At this stage, there remain 16 key pairs of key0 and key1, which are

(3c41153c, 6ea59186), (2b41153c, 90daee07), (3cae153c, 5e858196), (2bae153c, a0fafe17), (3c41233c,d967e431), (2b41233c, 27189bb0), (3cae233c, e947f421), (2bae233c, 17388ba0), (3c411571, 30fb733a), (2b411571, ce840cbb), (3cae1571, 00db632a), (2bae1571, fea41cab), (3c412371, 8739068d), (2b412371, 7946790c), (3cae2371, b719169d), (2bae2371, 4966691c).

5. Finally, if one more input-output pair x′′ = (14 66 f2 24) and y′′ = (50 4e bc b5) is considered, then a single pair key0 = (2b ae 15 3c) and key1 = (a0 fa fe 17) remains in the end. This key pair is the key pair actually used.

In this example, the key pair of key0 and key1 actually used is determined by three input-output pairs. This example shows a general case. We note once again that in any case, at most five input-output pairs determine the key pair of key0 and key1 in the structure of Figure 6.3.

Figure 6.3: Substitution in the composition of the S-box and MixColumn. Two four-byte inputs x and x′ with input difference ∆x are XORed with key0, passed through the ES-box (S-box followed by MixColumn: 0x00000000→0x63636363, 0x00000001→0x7c7c425d, ..., 0xabcdef12→0x0eb03a4d, ..., 0xffffffff→0x16161616), and XORed with key1, giving the outputs y and y′ with output difference ∆y.
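The following Python program is an added example and not part of the thesis. It rebuilds the AES S-box from its definition (inversion in $GF(2^8)$ followed by the affine map), implements the SubBytes/ShiftRows/MixColumns layer and the ES-box of Table 4.2, and then checks by direct computation the observations of Section 5.1 (Properties 5.1 to 5.3: an all-equal block stays all-equal and inherits the S-box period, with ‘73’/‘8f’ giving period two), the period-two ES-box columns such as ‘5da35da3’ noted under Property 4.16, the S-box difference distribution of Properties 6.1 and 6.2, the four keys ‘00’, ‘49’, ‘b6’, ‘ff’ of Section 6.1.2, and the key pair of the example in Section 6.1.3. The constants are those of FIPS-197; the function names, the column-major state representation and the generator-0x03 log table are this example's own choices.

```python
# Added example (not from the thesis): the AES S-box rebuilt from its
# definition, the SubBytes/ShiftRows/MixColumns layer, the ES-box of Table 4.2,
# and direct checks of Properties 5.1-5.3, 6.1, 6.2 and the key examples of
# Sections 6.1.2 and 6.1.3.  Constants are from FIPS-197; the function names
# and the state representation are this example's own.

def xtime(a):
    """Multiply a by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11b if a & 0x100 else a

# Antilog/log tables over the generator 0x03 = x + 1, so that inversion is
# a table lookup: a^-1 = g^(255 - log_g(a)).
_EXP, _p = [], 1
for _ in range(255):
    _EXP.append(_p)
    _p ^= xtime(_p)            # multiply by 0x03
_LOG = {v: i for i, v in enumerate(_EXP)}

def gf_inv(a):
    return 0 if a == 0 else _EXP[(255 - _LOG[a]) % 255]

def _affine(b):
    """Affine part of the S-box: b ^ rotl(b, 1..4) ^ 0x63 over GF(2)."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xff
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [_affine(gf_inv(a)) for a in range(256)]

def mix_column(col):
    """MixColumn: one column times the circulant matrix with rows
    (02 03 01 01), (01 02 03 01), (01 01 02 03), (03 01 01 02)."""
    a0, a1, a2, a3 = col
    x = xtime
    return [x(a0) ^ x(a1) ^ a1 ^ a2 ^ a3,
            a0 ^ x(a1) ^ x(a2) ^ a2 ^ a3,
            a0 ^ a1 ^ x(a2) ^ x(a3) ^ a3,
            x(a0) ^ a0 ^ a1 ^ a2 ^ x(a3)]

# A state is a list of 16 bytes in FIPS-197 order: byte i sits in row i % 4
# of column i // 4, i.e. the 4 x 4 state is read column by column.
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    return [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4])]

def layer(s):
    """The elementary structure: SubBytes, then ShiftRows, then MixColumns."""
    return mix_columns(shift_rows(sub_bytes(s)))

def period(f, x, limit=1 << 16):
    """Smallest t >= 1 with f^t(x) == x, or None if not found within limit."""
    y, t = f(x), 1
    while y != x:
        if t >= limit:
            return None
        y, t = f(y), t + 1
    return t

def sbox_cycle_lengths():
    """Cycle lengths of the S-box viewed as a permutation of {0, ..., 255}."""
    seen, lengths = set(), []
    for a in range(256):
        if a in seen:
            continue
        t = period(lambda v: SBOX[v], a)
        lengths.append(t)
        v = a
        for _ in range(t):
            seen.add(v)
            v = SBOX[v]
    return sorted(lengths)

def es_box(word):
    """ES-box of Table 4.2: S-box on each byte of a 32-bit column, then MixColumn."""
    col = [SBOX[b] for b in word.to_bytes(4, "big")]
    return int.from_bytes(bytes(mix_column(col)), "big")

def ddt_row(dx):
    """For one input difference: (number of distinct output differences,
    sorted list of how many inputs x give each output difference)."""
    counts = {}
    for x in range(256):
        dy = SBOX[x] ^ SBOX[x ^ dx]
        counts[dy] = counts.get(dy, 0) + 1
    return len(counts), sorted(counts.values())

def keys_consistent(x, x2, dy):
    """Keys k with S(x ^ k) ^ S(x2 ^ k) == dy in the structure of Figure 6.2."""
    return [k for k in range(256) if SBOX[x ^ k] ^ SBOX[x2 ^ k] == dy]

if __name__ == "__main__":
    print("S-box cycle lengths:", sbox_cycle_lengths())
    print("period of the all-'73' block under the layer:", period(layer, [0x73] * 16))
    print("all-'d2' block after the layer:", ["%02x" % b for b in layer([0xd2] * 16)])
    print("ES(0x00000001) = %08x" % es_box(0x00000001))
    print("ES-box period of 0x5da35da3:", period(es_box, 0x5da35da3))
    print("keys giving dy=75 for x=00, x'=ff:",
          ["%02x" % k for k in keys_consistent(0x00, 0xff, 0x75)])
```

Two design points are worth noting. An all-equal block survives ShiftRows trivially and survives MixColumn because the row sum of the matrix, 02 ⊕ 03 ⊕ 01 ⊕ 01, equals 01, which is why `period(layer, [b]*16)` always equals the S-box period of `b`. The difference count in `ddt_row` is over ordered inputs, so the thesis's "one output difference appearing twice, the others once" (counting unordered pairs) shows up as one count of 4 and 126 counts of 2, and 127 distinct output differences in total.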

6.1.4 Relationship between the elementary structure and the keys

Based on the above observations, if we now additionally consider the ShiftRows transformation, then we finally see the relationship between the AES elementary structure and the round keys. In the following property, the shift values of the ShiftRows transformation are considered for each row in the input block.

Property 6.3 For the AES elementary structure surrounded by the round keys, as described in Figure 6.4, if five input-output pairs are known and the inputs are different from each other in each of the four-byte combinations

(byte#0, byte#5, byte#10, byte#15), (byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), and (byte#1, byte#6, byte#11, byte#12),

then only one key pair of Key0 and Key1 is determined in any case. That is, in the structure of Figure 6.4, if five chosen plaintexts are given, then the round key pair (Key0, Key1) used for the encryption is found in any case.

Figure 6.4: Elementary structure surrounded by round keys. The input bytes b0, ..., b15 (arranged column by column in the 4 × 4 state) are XORed with Key0, pass through SubBytes, ShiftRows and MixColumns, and are XORed with Key1 to give the output bytes c0, ..., c15.

6.2 Distinctive output properties of MixColumn

Here we discuss some distinctive output properties of the function MixColumn used for the MixColumns transformation. We instantly obtain Property 6.4 from the fact that MixColumn is a linear function on the operation XOR. Although Property 6.4 (actually this can be the definition of the linear function on the operation XOR) looks very simple, this property is useful for finding consistent patterns in the difference between two chosen plaintexts.

Property 6.4 Let $I_c = (b_0, b_1, b_2, b_3)$ and $I_c' = (b_0', b_1', b_2', b_3')$ be any two inputs of MixColumn, and $\Delta I_c = I_c \oplus I_c'$ be the input difference between these two inputs. Then the output difference between the two corresponding outputs is equal to the MixColumn of the input difference. That is

$$\mathrm{MixColumn}(I_c) \oplus \mathrm{MixColumn}(I_c') = \mathrm{MixColumn}(\Delta I_c).$$

While the designers of the AES algorithm have noted that changing one byte in the input of MixColumn leads to all bytes in the output of MixColumn changing [28], we have found the following property.

Property 6.5 For any four-byte input of MixColumn, if the value of a certain byte is $\alpha$ and the other three bytes are all $\beta$ ($\alpha \neq \beta$), then the value $\alpha$ appears in two bytes of the output of MixColumn. In other words, if the inputs of MixColumn are $I_c = (\alpha, \beta, \beta, \beta)$, $I_c' = (\beta, \alpha, \beta, \beta)$, $I_c'' = (\beta, \beta, \alpha, \beta)$ or $I_c''' = (\beta, \beta, \beta, \alpha)$, then

$$\mathrm{MixColumn}(I_c) = (\gamma, \alpha, \alpha, \delta), \quad \mathrm{MixColumn}(I_c') = (\delta, \gamma, \alpha, \alpha), \quad \mathrm{MixColumn}(I_c'') = (\alpha, \delta, \gamma, \alpha), \quad \mathrm{MixColumn}(I_c''') = (\alpha, \alpha, \delta, \gamma),$$

with $\gamma \oplus \delta = \alpha \oplus \beta$.

In Property 6.5, if the value of $\beta$ is ‘00’, then we immediately find Property 6.6. Property 6.6 is a special case of Property 6.5, and it will be used to find some consistent differential patterns of the AES algorithm.

Property 6.6 For any four-byte input of MixColumn, if the value of a certain byte is $\alpha$ and the other three bytes are all ‘00’, then the value $\alpha$ appears in two bytes of the output of MixColumn and the XOR of the other two bytes of the output is $\alpha$. That is, if the inputs of MixColumn are $I_c = (\alpha, \text{‘00’}, \text{‘00’}, \text{‘00’})$, $I_c' = (\text{‘00’}, \alpha, \text{‘00’}, \text{‘00’})$, $I_c'' = (\text{‘00’}, \text{‘00’}, \alpha, \text{‘00’})$ or $I_c''' = (\text{‘00’}, \text{‘00’}, \text{‘00’}, \alpha)$, then

$$\mathrm{MixColumn}(I_c) = (\gamma, \alpha, \alpha, \delta), \quad \mathrm{MixColumn}(I_c') = (\delta, \gamma, \alpha, \alpha), \quad \mathrm{MixColumn}(I_c'') = (\alpha, \delta, \gamma, \alpha), \quad \mathrm{MixColumn}(I_c''') = (\alpha, \alpha, \delta, \gamma),$$

with $\gamma \oplus \delta = \alpha$.

We note that Properties 6.5 and 6.6 are satisfied for the difference between two inputs as well, because of the linear property (Property 6.4) of the function MixColumn.
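The following Python check of Properties 6.4 to 6.6 is an added example and is not part of the thesis. It implements MixColumn directly from the AES specification (multiplication by 02 is `xtime`, by 03 is `xtime` plus the byte itself) and sweeps every (α, β) pair rather than the few cases listed above; the function names are this example's own.

```python
def xtime(a):
    """Multiply by 02 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    return ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1

def mul3(a):
    """Multiply by 03 = 02 ^ 01."""
    return xtime(a) ^ a

def mix_column(col):
    """AES MixColumn: the column times the circulant matrix with first row (02 03 01 01)."""
    a0, a1, a2, a3 = col
    return (xtime(a0) ^ mul3(a1) ^ a2 ^ a3,
            a0 ^ xtime(a1) ^ mul3(a2) ^ a3,
            a0 ^ a1 ^ xtime(a2) ^ mul3(a3),
            mul3(a0) ^ a1 ^ a2 ^ xtime(a3))

def linearity_holds(x, y):
    """Property 6.4: MixColumn(x ^ y) == MixColumn(x) ^ MixColumn(y)."""
    lhs = mix_column([u ^ v for u, v in zip(x, y)])
    return lhs == tuple(u ^ v for u, v in zip(mix_column(x), mix_column(y)))

def property_65_holds(alpha, beta):
    """Property 6.5: alpha in position i, beta in the other three -> alpha reappears in
    positions i+1 and i+2 (mod 4) and the other two output bytes XOR to alpha ^ beta.
    With beta == 0 this is Property 6.6 (the other two bytes then XOR to alpha)."""
    for i in range(4):
        col = [beta] * 4
        col[i] = alpha
        out = mix_column(col)
        if out[(i + 1) % 4] != alpha or out[(i + 2) % 4] != alpha:
            return False
        if out[i] ^ out[(i + 3) % 4] != alpha ^ beta:
            return False
    return True

def properties_hold_exhaustively():
    """Property 6.5 for every (alpha, beta) with alpha != beta, then Property 6.4 on a sweep of pairs."""
    if not all(property_65_holds(a, b) for a in range(256) for b in range(256) if a != b):
        return False
    return all(linearity_holds((a, xtime(a), a ^ 0x5a, 0xff - a), (b, b, 0, b ^ 1))
               for a in range(256) for b in range(0, 256, 17))

if __name__ == "__main__":
    print([hex(v) for v in mix_column((0x01, 0x00, 0x00, 0x00))])  # 02, 01, 01, 03 and 02 ^ 03 == 01
    print(properties_hold_exhaustively())
```

The reason the sweep succeeds is visible in the matrix itself: every row of the MixColumn matrix XORs to 02 ⊕ 03 ⊕ 01 ⊕ 01 = 01, so with α in position i and β elsewhere, output byte k equals m_{k,i}·α ⊕ (01 ⊕ m_{k,i})·β. Where m_{k,i} = 01 the output is exactly α (two rows per column), and the remaining two rows give 02·α ⊕ 03·β and 03·α ⊕ 02·β, whose XOR is α ⊕ β.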

6.3 Consistent differential patterns of the AES algorithm

In this section, we observe some consistent differential patterns of the AES algorithm. We discuss how the AES algorithm tends to yield some differential patterns with probability 1 after several rounds, although this cipher is probably secure against DC and LC as outlined in Chapter 3. For future reference, we first define the concept of the consistent differential pattern in more detail before discussing the consistent differential patterns of the AES algorithm.

6.3.1 Concept of the consistent differential pattern

Let us consider an input difference and the corresponding possible output differences for a certain S-box used in a certain cipher algorithm. From the differential cryptanalysis point of view, it has been considered very important to make the possible output differences well distributed for any input difference, because a cryptanalyst can find clues for a DC attack in a biased distribution of the output differences. Therefore, in the design of a block cipher, designers have made efforts to make the output differences as uniformly distributed as possible.

However, there may be some hidden patterns in the output differences of the cipher, even in a case where the S-box has a uniform distribution. Let us suppose that for a certain type of input difference a certain function always leads to an output difference with a certain pattern. That is, for a certain function, a fixed pattern always appears in the output difference for a certain type of input difference. This pattern may then influence the output difference even after a few rounds of the cipher, if the mathematical structure of the cipher is not very complicated. These kinds of patterns could appear not only in an output difference itself, but also in the relationship between several or more outputs. So, we define the consistent differential pattern as any kind of pattern which always appears (probability 1) in an output difference or in the relationship between several outputs. If a certain consistent differential pattern appears after t rounds of a certain cipher algorithm, then we call this differential pattern the t-th-round consistent differential pattern. Given that the concept of the consistent differential pattern includes byte or bit patterns existing in the output difference itself, we can say that the consistent differential pattern includes the concept of the truncated differentials [46].

6.3.2 Second-round consistent differential patterns

Let us first consider two plaintexts in which only the values of the first bytes (byte#0) are different from each other. The input difference is then

row #0: (p, 00, 00, 00), row #1: (00, 00, 00, 00), row #2: (00, 00, 00, 00), row #3: (00, 00, 00, 00).

Because the round key addition does not affect the difference, this pattern still remains in the difference after the first-round SubBytes transformation (only the value of the first byte is changed: p → q, where p and q are any hexadecimal values). After the ShiftRows transformation of the first round, each byte maintains the same value in the difference. However, the first-round MixColumns transformation leads to a change in the value of the first byte in each row. The result, according to Property 6.6, is

(r, 00, 00, 00), (q, 00, 00, 00), (q, 00, 00, 00), (s, 00, 00, 00).

(Since MixColumn is a linear function, Property 6.6 is applicable to the difference.) As the round key addition does not affect the difference, the data is unchanged after the first round key addition. However, after the second-round SubBytes transformation, the value of the first byte in each row is changed to

(α, 00, 00, 00), (δ, 00, 00, 00), (γ, 00, 00, 00), (β, 00, 00, 00).

After this, the second-round ShiftRows transformation leads to

(α, 00, 00, 00), (00, 00, 00, δ), (00, 00, γ, 00), (00, β, 00, 00).

Here, the second-round MixColumns transformation causes, according to Property 6.6, a particular differential pattern in the output difference, such as (a) in Figure 6.5. This pattern remains after the second-round key addition, because the round key addition does not affect the difference. Therefore, we finally find a particular output pattern in the second round output difference

byte#1 = byte#2 = byte#0 ⊕ byte#3,
byte#4 = byte#5 = byte#6 ⊕ byte#7,
byte#8 = byte#11 = byte#9 ⊕ byte#10,
byte#14 = byte#15 = byte#12 ⊕ byte#13.

This pattern is consistent provided only the values of the first bytes in the two plaintexts are different from each other. So we call this property the consistent differential pattern of the second round. If the byte having the different values between the two plaintexts is moved, then the consistent differential pattern appears in other positions such as (b), (c), and (d) in Figure 6.5.

[Figure 6.5: input differences with a single nonzero byte p in byte#0 (a), byte#4 (b), byte#8 (c) or byte#12 (d), all other bytes ‘00’. In each second-round output difference every column contains two equal bytes (marked α, β, γ and δ in the figure) and the remaining two bytes of that column XOR to the same value; (a) is the pattern listed above, and in (b), (c) and (d) the positions rotate with the position of p.]

Figure 6.5: Second-round consistent differential patterns 1

Let us now consider two plaintexts which are different from each other by up to four bytes in the circled positions, as described in (a), (b), (c) or (d) of Figure 6.6.

[Figure 6.6: input differences in which only the circled bytes may be nonzero: (byte#0, byte#5, byte#10, byte#15) in (a), (byte#3, byte#4, byte#9, byte#14) in (b), (byte#2, byte#7, byte#8, byte#13) in (c) and (byte#1, byte#6, byte#11, byte#12) in (d). The second-round output differences show the same four patterns as Figure 6.5 (a) to (d).]

Figure 6.6: Second-round consistent differential patterns 2

If we apply the above steps to any pair of plaintexts that has one of the input differences in Figure 6.6, then we realise that this pair of plaintexts also produces, after the second round, one of the same consistent differential patterns as in Figure 6.5: after the first-round ShiftRows transformation the circled bytes occupy a single column, so from the first-round MixColumns transformation onwards the derivation is the same as above. The consistent differential patterns after the second round are described in Figure 6.6 for two plaintexts which differ by up to four bytes. Here, we note that unless the circled bytes in an input difference are all equal to ‘00’ at the same time, the differential pattern always appears in the second-round output difference.

6.3.3 2⅔rd-round consistent differential patterns

Although it is a little more complicated, some consistent differential patterns after the third-round ShiftRows transformation can be found from the second-round consistent differential patterns and Property 6.2. To clarify this, we use an example of how to find the consistent differential patterns after the third-round ShiftRows transformation. Let us consider any two plaintexts which differ by only the first byte, as illustrated in Figure 6.5 (a), and apply the third-round SubBytes transformation to byte#1 and byte#2 in the second-round output difference, with the assumption that byte#1 = byte#2 = ‘ff’ (byte#1 and byte#2 must be the same according to the second-round consistent differential pattern 1 (a)). We then see that, according to Property 6.2, both values of byte#1 and byte#2 in the output difference after the third-round SubBytes transformation belong to the following set of 127 possible output differences caused by the input difference ‘ff’. We call this kind of set a differential set; see Appendix B for the differential sets of the other input differences. For example, from the following set we see that if the value of byte#1 in the output difference after the third-round SubBytes transformation is ‘26’, then ‘27’ cannot appear in byte#2.

01, 02, 03, 07, 0a, 0b, 0c, 0f, 13, 15, 17, 1d, 1e, 1f, 21, 22, 23, 25, 26, 28, 29, 2a, 2d, 2f, 31, 35, 36, 39, 3a, 3c, 3e, 40, 42, 43, 44, 46, 4c, 4d, 50, 52, 53, 56, 57, 58, 59, 5a, 5d, 5e, 62, 63, 65, 68, 69, 6a, 6b, 6d, 70, 72, 73, 75, 76, 7b, 7c, 7e, 7f, 81, 84, 88, 8a, 8c, 8d, 8e, 8f, 94, 95, 99, 9a, 9c, 9e, 9f, a0, a6, aa, ab, ad, af, b3, b8, b9, ba, c1, c2, c3, c5, c6, c7, c8, ca, cb, cc, cd, cf, d4, d8, dd, de, e0, e2, e3, e4, e6, e7, eb, ec, ef, f1, f2, f3, f4, f5, f6, fa, fb, fc, fd, fe, ff.

If we now consider the third-round ShiftRows transformation, we see that both values of byte#10 and byte#13 in the output difference after this operation are obliged to belong to the above set. Similarly, if we apply the above idea to the other byte pairs in the second-round output difference, namely (byte#4, byte#5), (byte#8, byte#11) and (byte#14, byte#15), then we finally find the following consistent differential pattern which appears in the output difference after the third-round ShiftRows transformation: if two plaintexts differ by only the first byte, then there are always four pairs of bytes in the output difference after the third-round ShiftRows transformation, with each pair belonging to the same differential set, as illustrated in Figure 6.7 (a). Here we note that any pair of plaintexts described in Figure 6.5 and Figure 6.6 leads to the same sort of consistent differential pattern for the same reason. Figure 6.7 shows the correspondence between an input difference and the consistent differential pattern appearing in the output difference after the third-round ShiftRows transformation. In Figure 6.7, the values carrying the same mark belong to the same differential set.

[Figure 6.7: input differences with a single nonzero byte p in byte#0, byte#4, byte#8 or byte#12 (as in Figure 6.5), or with nonzero values only in the circled bytes of Figure 6.6 (a) to (d). In the output differences after the third-round ShiftRows transformation, eight byte positions of each pattern (a) to (d) are marked in four pairs ♦, ♥, ♠ and ♣; the two values carrying the same mark belong to the same differential set.]

Figure 6.7: 2⅔rd-round consistent differential patterns

6.3.4 Third-round consistent differential pattern

A third-round consistent differential pattern exists in the relationship between the third-round intermediate texts caused by more plaintexts. This third-round consistent differential pattern could be regarded as the generalisation of the third-round balanced property referred to in Section 3.2. Let us consider a group of $2^{8n}$ plaintexts that vary in $n$ bytes and are the same in the other bytes. This group of plaintexts can then be divided into $2^{8(n-1)}$ small sets of $2^8$ plaintexts that vary in only one byte. In other words, $2^{8(n-1)}$ small sets of $2^8$ plaintexts exist in the group, and the plaintexts in each small set are different from each other in only one byte. Given that the XOR of all the third-round intermediate texts for each small set is ‘00’ in all bytes (balanced property), we see that the XOR of all the third-round intermediate texts for the above group of $2^{8n}$ plaintexts is also ‘00’ in all bytes. That is, we see that

$$\bigoplus_{t=0}^{2^{8n}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.1)$$

when each of the third-round intermediate texts is denoted by $C_t$.

[Figure 6.8: the $2^{8n}$ plaintexts, variable in $n$ bytes, give the third-round intermediate texts $C_0, C_1, \ldots, C_{2^{8n}-1}$. Pairing $C_0$ with each of the other texts gives the differences $D_1, D_2, \ldots, D_{2^{8n}-1}$ ($D$: difference), and each difference is the XOR of all the others: $D_1 = D_2 \oplus D_3 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1}$, $D_2 = D_1 \oplus D_3 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1}$, $D_3 = D_1 \oplus D_2 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1}$, ..., $D_{2^{8n}-1} = D_1 \oplus D_2 \oplus D_3 \oplus \cdots \oplus D_{2^{8n}-2}$.]

Figure 6.8: Third-round consistent differential pattern

Now, if we pair any one of these $2^{8n}$ third-round intermediate texts with each of the other intermediate texts, as shown in Figure 6.8, then we obtain $2^{8n}-1$ third-round output differences, and we see that any one of these differences is equal to the XOR of the other differences in all bytes. More visually, we see that

$$\bigoplus_{t=1}^{2^{8n}-1} D_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix}, \qquad (6.2)$$

and that

$$D_r = \bigoplus_{t=1,\; t \neq r}^{2^{8n}-1} D_t, \qquad (6.3)$$

where $D_r$ denotes any one of the third-round intermediate differences.

6.3.5 Fourth-round consistent differential patterns

Fourth-round consistent differential pattern 1

We now find a fourth-round consistent differential pattern from the third-round consistent differential pattern. Of the groups of plaintexts that lead to the third-round consistent differential pattern, let us consider a group of $2^{32}$ plaintexts that vary in the first column (four bytes). If we imagine that these plaintexts are decrypted by one round with any round key, then we see that the decrypted texts vary in

(byte#0, byte#5, byte#10, byte#15).

That is, the $2^{32}$ decrypted texts are different from each other in the circled bytes described in Figure 6.6 (a). This means that any $2^{32}$ plaintexts that vary in

(byte#0, byte#5, byte#10, byte#15)

lead, after one round, to intermediate texts varying in the first column, and that if one of these plaintexts is paired with each of the other plaintexts, then after the fourth round any one of the $2^{32}-1$ intermediate differences is equal to the XOR of the other intermediate differences. That is,

$$D_r = \bigoplus_{t=1,\; t \neq r}^{2^{32}-1} D_t, \qquad (6.4)$$

where $D_r$ denotes any one of the fourth-round intermediate differences. This concept is also applicable to the other three columns, and we see the following fourth-round consistent differential pattern. That is, for any $2^{32}$ plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15), (byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12)

as illustrated in Figure 6.6, if one of these plaintexts is paired with each of the other plaintexts, then after the fourth round any one of the $2^{32}-1$ intermediate differences is equal to the XOR of the other intermediate differences.

Fourth-round consistent differential pattern 2

We now simplify the fourth-round consistent differential pattern 1 so that fewer intermediate texts are involved. In fact, the above fourth-round consistent differential pattern 1 can be said to be caused by this property. Let us once again consider $2^{32}$ plaintexts that vary in

(byte#0, byte#5, byte#10, byte#15).

The first-round intermediate texts for these plaintexts then vary in the first column. Therefore, if we consider three more rounds, we then see, according to (6.1), that

$$\bigoplus_{t=0}^{2^{32}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.5)$$

where each of the fourth-round intermediate texts is denoted by $C_t$. In (6.5), if we just consider the values on a certain byte position $k$, then we see that

$$\text{‘00’} = \bigoplus_{t=0}^{2^{32}-1} \mathrm{byte}^{\#k}_t \qquad (6.6)$$

where $\mathrm{byte}^{\#k}_t$ denotes the $k$-th byte in the intermediate text $C_t$. Let us pay more careful attention to the values that appear on byte#k. If a certain value appears an even number of times, then this value does not affect (6.6). We realise, therefore, that only the values that appear an odd number of times are involved in (6.6), and we see that

$$\text{‘00’} = \bigoplus_{p} \mathrm{value}_p \qquad (6.7)$$

where $\mathrm{value}_p$ denotes each of the values that appears an odd number of times on the byte position $k$ in the fourth-round intermediate texts. As a consequence, we find that the plaintexts considered above lead to fourth-round intermediate texts which have the following consistent differential pattern on every byte position, such that

$$\mathrm{value}_r = \bigoplus_{p \neq r} \mathrm{value}_p \qquad (6.8)$$

where $\mathrm{value}_r$ is any one of the values that appear an odd number of times. We recall that all other sets of $2^{32}$ plaintexts that vary in either

(byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12) also bring the same differential pattern.

Fourth-round consistent differential pattern 3

We now generalise the fourth-round consistent differential pattern 2. Let us consider any set of $2^{32}$ plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15), (byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12) and their corresponding fourth-round intermediate texts. Then, as previously estab- lished, we see that

$$\bigoplus_{t=0}^{2^{32}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.9)$$

where $C_t$ denotes each of the fourth-round intermediate texts. Here, let us consider the values for a certain combination of $n$ bytes in the fourth-round intermediate texts. If $n < 4$ (4 is the number of bytes that vary in the plaintexts), then there must be some values that appear more than once in the combination of $n$ bytes. For example, if $n = 3$, then the total number of possible values for the combination of three bytes is $2^{24}$, so most values must appear more than once in the combination, because the number of fourth-round intermediate texts is $2^{32}$. Even in the case of $n = 4$, there will be some values which appear more than once in the combination of four bytes, unless every value for the combination appears exactly once. Now let us look at (6.9). As long as the plaintexts vary in either

(byte#0, byte#5, byte#10, byte#15), (byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12),

the fourth-round intermediate texts always satisfy (6.9). This means that the XOR of the values that appear an odd number of times in the combination of $n$ bytes must be 0 for the fourth-round intermediate texts; otherwise the fourth-round intermediate texts could not satisfy (6.9). As a consequence, we see the following fourth-round consistent differential pattern 3: the XOR of the values that appear an odd number of times in the combination of $n$ bytes is 0 for the fourth-round intermediate texts caused by the plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15), (byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12).

6.3.6 Fifth-round consistent differential pattern

We now discuss a fifth-round consistent differential pattern of the AES algorithm. In fact, this pattern is not a pattern that directly appears in the fifth-round intermediate texts, but a pattern existing in the relationship between the fourth-round intermediate texts and the fifth-round intermediate texts. This pattern is also caused by the sets of $2^{32}$ plaintexts that have been referred to in the fourth-round consistent differential patterns 1, 2 and 3. Let us recall any set of plaintexts that has been considered for the fourth-round consistent differential pattern 3. As mentioned there, the XOR of the values that appear an odd number of times in the combination of $n$ bytes is 0 for the $2^{32}$ corresponding fourth-round intermediate texts. Next, let us consider the four-byte combination

(byte#0, byte#5, byte#10, byte#15)

in the fourth-round intermediate texts, which moves to the first column in the fifth-round intermediate texts. As previously shown in the fourth-round consistent differential pattern 3, the XOR of the values which appear an odd number of times in this combination must be ‘00000000’. Given that the bytes in this combination move to the first column in the fifth-round intermediate texts, we see that

$$\text{‘00000000’} = \bigoplus_{p} \mathrm{SubBytes}^{-1}\!\left(\mathrm{ShiftRows}^{-1}\!\left(\mathrm{MixColumn}^{-1}\!\left(RK_5(I_p)\right)\right)\right) \qquad (6.10)$$

where $I_p$ is a value that appears an odd number of times in the first column of the fifth-round intermediate texts, and $RK_5$ denotes the addition of (the corresponding column of) the fifth round key. Also, if we change the order of SubBytes and ShiftRows, and combine SubBytes and MixColumns, then we can simplify (6.10) to (6.11) using the ES-box in Table 4.2 (ShiftRows can be omitted because it does not influence byte values):

$$\text{‘00000000’} = \bigoplus_{p} \mathrm{ES\text{-}box}^{-1}\!\left(RK_5(I_p)\right). \qquad (6.11)$$

If we now apply the above concept to the other four-byte combinations in the fourth-round intermediate texts, each of which is either

(byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12), then we see that (6.10) and (6.11) also hold for the other three columns in the fifth- round intermediate texts. So, we call this property a fifth-round consistent differential pattern. We note that any 232 plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15), (byte#3, byte#4, byte#9, byte#14), (byte#2, byte#7, byte#8, byte#13), or (byte#1, byte#6, byte#11, byte#12)

lead to the fifth-round consistent differential pattern above.

In this chapter, we have observed some distinctive output properties of the AES algorithm: some differential properties of the S-box used in the non-linear layer; some distinctive output properties of the matrix multiplication MixColumn used in the linear layer; and some consistent differential patterns existing in the partial rounds of the AES algorithm. In the next chapter, we discuss the impact of the consistent differential patterns on the security of the AES algorithm.

Chapter 7

Security Impact of the Consistent Differential Pattern

In this chapter, we discuss the impact of the consistent differential patterns on the security of the AES algorithm. We show that the consistent differential patterns observed in Chapter 6 can be used for the cryptanalysis of the reduced-round AES algorithm, independently or in combination with other methods. The cryptanalytic methods introduced in this chapter are not much more powerful, in the number of rounds, than other cryptanalytic methods previously proposed, but have some advantages in the requirements of the methods, such as the number of plaintexts and the complexity. We note that the purpose of proposing these cryptanalytic methods is to show that consistent differential patterns of a block cipher are directly related to its security. In discussing the cryptanalytic methods, we consider AES-128, although the methods are applicable to AES-192 and AES-256 as well. We note that the last rounds of the AES structures discussed here do not include the MixColumns transformation, just as the original structure does not. We advise that this chapter is based on the paper [8] published by B. Song and J. Seberry.

7.1 Three rounds

We use two sets of five chosen plaintexts for the cryptanalysis of three rounds. One set (Set #1) consists of five plaintexts, which are different from each other only in the first byte (byte#0) as illustrated in Figure 6.5 (a). The other set (Set #2) consists of five plaintexts, which are different from each other only in the ninth byte (byte#8) as illus- trated in Figure 6.5 (c). We first use Set #1 to find half (8 bytes) of the third round key. Let us now pair any of the five ciphertexts with each of the other ciphertexts. Then we will obtain four pairs of ciphertexts. If these pairs of ciphertexts are decrypted with the correct third round key, then the second-round consistent differential pattern

illustrated in Figure 6.5 (a) must appear in the four corresponding second-round intermediate differences, because the plaintexts are different from each other only in the first byte. That is,

byte#1=byte#2, byte#4=byte#5, byte#8=byte#11, byte#14=byte#15 in all the four second-round intermediate differences. Based on this concept, we find

(byte#13, byte#10), (byte#4, byte#1), (byte#8, byte#15), (byte#6, byte#3) of the third round key using the following steps.

1. We first find byte#13 and byte#10 of the third round key from the fact that byte#1 = byte#2 in the second-round intermediate differences. Let us decrypt byte#13 of each ciphertext in a pair with all $2^8$ possible values for byte#13 of the third round key, considering ShiftRows$^{-1}$ and SubBytes$^{-1}$. Then, according to Property 6.2, 127 values will appear for byte#1 in the second-round intermediate difference. Now, let us decrypt byte#10 of each ciphertext in the same pair with all $2^8$ possible values for byte#10 of the third round key. Then, for the same reason, 127 values will appear for byte#2 in the second-round intermediate difference. Here, if we select the values for (byte#13, byte#10) which make byte#1 equal to byte#2 in the second-round intermediate difference, then those values are candidates for (byte#13, byte#10) of the third round key.

2. Now, if we decrypt (byte#13, byte#10) of another pair of ciphertexts with those candidates for (byte#13, byte#10) of the third round key, and check whether byte#1 is equal to byte#2 in the second-round intermediate difference, then fewer candidates will remain for (byte#13, byte#10) of the third round key. If we apply this step to the remaining two pairs of ciphertexts, then a single pair of values will remain for (byte#13, byte#10) at the end, due to the differential property referred to in Section 6.1.2. This pair, byte#13 and byte#10, are components of the third round key.

3. With the same principle, if we consider the other byte relations in the second- round intermediate differences, that is,

byte#4=byte#5, byte#8=byte#11, byte#14=byte#15,

then we can obtain

(byte#4, byte#1), (byte#8, byte#15), (byte#6, byte#3)

of the third round key.

Now, using the other set of five plaintexts (Set #2), which are different from each other only in the ninth byte (byte#8), we can find the rest of the third round key, which is

(byte#0, byte#7), (byte#2, byte#5), (byte#9, byte#12), (byte#11, byte#14)

In summary, if we have 10 chosen plaintexts, we can find the third round key, and from it (by inverting the key schedule) the Cipher Key, for the three-round AES algorithm. The time complexity of this method is about $2^8$.
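The procedure of Sections 6.3.2 and 7.1 (together with the differential set of Section 6.3.3), as an added Python example that is not part of the thesis. It builds the AES S-box and round functions from the specification, derives the second-round pattern for a difference confined to any single byte#j in the way shown in Section 6.3.2 (so it covers Figure 6.5 (a) to (d), not only byte#0), and runs the third-round key recovery on a constructed instance with random round keys. No key schedule is implemented, so the Cipher Key is not derived from the recovered third round key; the function names (`attack_demo`, `recover_key_bytes`, `sr_dest`, ...) are this example's own.

```python
import random

# AES-128 pieces on a 16-byte state: byte#k at index k, row k % 4, column k // 4.
def gf_mul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
        b >>= 1
    return r

def _sbox_entry(x):  # inverse in GF(2^8) (x^254, so 0 -> 0), then the affine map
    inv = 1
    for _ in range(254):
        inv = gf_mul(inv, x)
    s = 0x63
    for i in range(5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xff
    return s

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]
def shift_rows(s):  # row r rotates left by r: the byte at (r, c) moves to (r, (c - r) mod 4)
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def sr_dest(k):  # index that byte#k occupies after ShiftRows
    r, c = k % 4, k // 4
    return r + 4 * ((c - r) % 4)

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def encrypt(pt, rks, omit_last_mix=True):
    # len(rks) - 1 rounds after the initial key addition; as in AES, the last round drops MixColumns
    s = xor(pt, rks[0])
    n = len(rks) - 1
    for i in range(1, n + 1):
        s = shift_rows([SBOX[b] for b in s])
        if i < n or not omit_last_mix:
            s = mix_columns(s)
        s = xor(s, rks[i])
    return s

def differential_set(delta):  # Section 6.3.3: output differences the S-box can produce
    return {SBOX[x] ^ SBOX[x ^ delta] for x in range(256)}

def second_round_pattern(j):
    # Section 6.3.2 for plaintexts differing only in byte#j: four ((a, b), (x, y)) with
    # byte a == byte b == byte x ^ byte y in the second-round difference (Property 6.6 twice).
    r, c = j % 4, j // 4
    c1 = (c - r) % 4             # column the active byte lands in after round-1 ShiftRows
    pats = []
    for c2 in range(4):          # round-2 ShiftRows hands each column c2 the byte of column c1 ...
        r2 = (c1 - c2) % 4       # ... that sat in row r2; MixColumn copies it to rows r2+1, r2+2
        pats.append((((r2 + 1) % 4 + 4 * c2, (r2 + 2) % 4 + 4 * c2),
                     (r2 + 4 * c2, (r2 + 3) % 4 + 4 * c2)))
    return pats

def has_second_round_pattern(diff, j):
    return all(diff[a] == diff[b] == diff[x] ^ diff[y] for (a, b), (x, y) in second_round_pattern(j))
def second_round_difference(p1, p2, rks):  # difference after round 2, MixColumns included
    return xor(encrypt(p1, rks[:3], False), encrypt(p2, rks[:3], False))

def recover_key_bytes(cts, j):
    # Section 7.1: cts are 3-round ciphertexts of plaintexts differing only in byte#j.
    # Returns the 8 last-round key bytes that cover the four equal-byte pairs.
    found = {}
    for (a, b), _ in second_round_pattern(j):
        ka, kb = sr_dest(a), sr_dest(b)  # ciphertext bytes that decrypt to X2 bytes a and b
        cands = None
        for ct in cts[1:]:               # pair the first ciphertext with each of the others
            by_diff = {}
            for g in range(256):         # 2^8 guesses of key byte ka -> difference at byte a
                by_diff.setdefault(INV_SBOX[cts[0][ka] ^ g] ^ INV_SBOX[ct[ka] ^ g], []).append(g)
            pair = set()
            for g in range(256):         # 2^8 guesses of key byte kb; keep guesses giving equal differences
                for ga in by_diff.get(INV_SBOX[cts[0][kb] ^ g] ^ INV_SBOX[ct[kb] ^ g], ()):
                    pair.add((ga, g))
            cands = pair if cands is None else cands & pair
        if len(cands) != 1:
            raise ValueError("key bytes (%d, %d): %d candidates left" % (ka, kb, len(cands)))
        found[ka], found[kb] = cands.pop()
    return found

def attack_demo(seed=2004):  # constructed instance: random round keys; Set #1 varies byte#0, Set #2 byte#8
    rng = random.Random(seed)
    rks = [[rng.randrange(256) for _ in range(16)] for _ in range(4)]
    base = [rng.randrange(256) for _ in range(16)]
    recovered = {}
    for j in (0, 8):
        pts = [base[:j] + [v] + base[j + 1:] for v in rng.sample(range(256), 5)]
        recovered.update(recover_key_bytes([encrypt(p, rks) for p in pts], j))
    return [recovered[k] for k in range(16)], rks[3]
```

For each of the eight key-byte pairs the work per ciphertext pair is two sweeps of $2^8$ inverse S-box look-ups, as in steps 1 and 2 above; the candidate set from the first pair is intersected with those from the remaining three pairs, and the set that survives is checked to be a single pair (a ValueError is raised otherwise, rather than silently returning a wrong key). `attack_demo()` returns the recovered third round key next to the true one.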

7.2 Four rounds

We now present a cryptanalytic method for the four-round AES algorithm, based on the third-round consistent differential pattern. We use one set of $2^8$ chosen plaintexts which vary in byte#0 as illustrated in Figure 6.5 (a). This method is similar to the Square attack, given that the Square attack is based on the third-round balanced property. While the Square attack uses two sets of $2^8$ chosen plaintexts, however, we use just one set, with the help of the second-round consistent differential patterns.

Basic concept

Let us suppose that a set of $2^8$ chosen plaintexts, which differ by only one byte, is given. If these plaintexts are encrypted, then (6.1) or (6.2) will hold for the third-round intermediate texts. This means that if the corresponding $2^8$ fourth-round ciphertexts are decrypted with the correct fourth round key, then the third-round consistent differential pattern ((6.1) or (6.2)) will appear in the third-round intermediate texts. Based on this idea, we first find all the possible fourth round keys. Then, using a second-round consistent differential pattern, we select the key actually used from those possible keys.

Finding possible keys

We first find the first byte (byte#0) of the fourth round key, taking into account the decryption procedures. Let us assume a value for the first byte of the fourth round key. If we decrypt (actually apply S-box$^{-1}$ to) the corresponding bytes in the $2^8$ ciphertexts with this assumed value, then we obtain $2^8$ first bytes of the third-round intermediate texts. If these values satisfy the third-round consistent differential pattern on byte#0 (check (6.1) or (6.2)), then the value initially assumed for byte#0 is eligible for the first byte of the fourth round key. If not, then the assumption is wrong, so another value is assumed for the first key byte. The probability that a wrong key will satisfy the third-round consistent differential pattern on byte#0 is $1/2^8$, so one wrong key may be chosen. If we apply the above steps to the other 15 bytes of the fourth round key, considering the ShiftRows transformation (the MixColumns transformation does not exist in the last round), then we can obtain all eligible values for each byte of the fourth round key. At this stage, about two values will be selected for each key byte, so the expected number of possible fourth round keys is about $2^{16}$ (16 is the number of bytes in the round key).

Selecting the key actually used

Next, we select the fourth round key actually used from the above possible keys. Instead of using another set of $2^8$ chosen plaintexts, we use the second-round consistent differential pattern 1 (a) illustrated in Figure 6.5 (a). We first randomly choose two ciphertexts from the $2^8$ ciphertexts. If we decrypt them with a possible fourth round key and the corresponding third round key (this third round key can be obtained from the key schedule once a possible fourth round key is given), we obtain two second-round intermediate texts and their second-round intermediate difference. We now check the second-round consistent differential pattern 1 (a) on this second-round intermediate difference. If the second-round consistent differential pattern 1 (a) appears in the intermediate difference, then the possible key is the fourth round key actually used.

This is because the probability that the second-round consistent differential pattern 1 (a) appears by chance in one second-round intermediate difference is $1/2^{32}$ unless the possible fourth round key is the key actually used. At this stage, since the number of possible fourth round keys we must consider is about $2^{16}$, it is good enough to check the second-round consistent differential pattern 1 (a) on just one second-round intermediate difference.

Complexity

For this method, we must assume $2^8$ values for each key byte of the fourth round key, and look up S-box$^{-1}$ $2^8$ times (the number of ciphertexts) for each assumed key value. Given that the round key block consists of 16 bytes, this task must be done 16 times during the process of finding possible keys. So, we must look up S-box$^{-1}$ $2^{20}$ times. Also, during the process of selecting the key actually used, we must decrypt two ciphertexts for two rounds with each of the $2^{16}$ possible keys. This step requires $2^{16} \times 4$ one-round decryptions. Considering the amount of computation, the complexity of this method is not greater than $2^{17}$ full encryptions of the four-round AES algorithm.

7.3 Five rounds

The cryptanalytic method which we present for the five-round AES algorithm is based on the fourth-round consistent differential pattern 2. For this method, we use a set of 2^32 chosen plaintexts that vary in (byte#0, byte#5, byte#10, byte#15) as described in Figure 6.6 (a).

Basic concept

Let us consider any set of 2^32 plaintexts that have been outlined in the consistent differential pattern 2. As previously shown, these plaintexts lead to the fourth-round intermediate texts, between which the fourth-round consistent differential pattern 2 appears. This means that if the corresponding ciphertexts are decrypted for one round with the correct fifth round key, then the consistent differential pattern 2 appears between the decrypted texts. Based on this concept, the fifth round key is found.

Finding possible keys

We first find all possible values for the first byte (byte#0) of the fifth round key, taking into account the decryption procedures.

1. We first count byte#0 in the 2^32 ciphertexts according to values. For example, '00': 16,777,217, '01': 16,002,912, '02': 16,725,365, . . . , 'fd': 16,865,401, 'fe': 16,643,202, 'ff': 16,763,202. Then, we observe the values which appear an odd number of times. (We are not interested in the values which appear an even number of times). On average, the number of values which appear an odd number of times will be 128. Although we are using 2^32 chosen plaintexts, the number of values we have to consider now is just 128 on average. For example, '00', '02', . . . , 'fd'. In fact, this task of counting values can be done at the same time as collecting the ciphertexts. This step will then not require any extra cost for the cryptanalysis.

2. Next, we assume a value for byte#0 of the fifth round key. If we decrypt (actually S-box^-1) the values which appear an odd number of times in step 1 with this assumed key value, then we will see the corresponding fourth round values. If the assumed key value is correct, then the XOR of these values in the fourth-round intermediate texts will be '00'. If the XOR of these values is '00', then we keep the assumed key value for byte#0 of the fifth round key. Otherwise, the assumption is wrong, so we assume another value for byte#0 of the fifth round key. Given that one wrong key may be chosen by chance, two values will be chosen for byte#0 of the fifth round key.

3. Now, we apply steps 1 and 2 to the other 15 bytes of the fifth round key, taking into account the ShiftRows transformation (the MixColumns transformation does not exist in the last round). Finally, two values for each key byte will be chosen, so the number of possible fifth-round keys will be about 2^16.
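The last-round key-byte check of the four-round complexity paragraph in 7.2 and the odd-count reduction of step 1 above, as an added example that is not the thesis's own code: a 4-round reduction of AES-128 is built from scratch, 2^8 chosen plaintexts varying in byte#0 are encrypted under a constructed key, and a guess for a byte of the last round key is kept only if the S-box^-1 outputs of that ciphertext byte XOR to 00. The key, the base plaintext block and the four-round cut are constructed for the demonstration.

```python
"""Added example, not the thesis's own code: a 4-round reduction of AES-128 built
from scratch, 2^8 chosen plaintexts varying in byte#0, and the last-round key-byte
balance check (S-box^-1 outputs XOR to 00). Key, base block and cut are constructed."""
from collections import Counter
from functools import reduce

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _make_sbox():
    """AES S-box from its definition: GF(2^8) inversion, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(256) if gmul(x, y) == 1) if x else 0
        s = inv
        for i in range(1, 5):  # inv ^ rotl(inv, 1) ^ ... ^ rotl(inv, 4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# State: 16 bytes in column-major order (byte i at row i % 4, column i // 4).
def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key, rounds):
    """AES-128 key schedule: round keys RK0..RK<rounds> as 16-byte lists."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def encrypt(pt, round_keys):
    """Reduced-round AES: len(round_keys) - 1 rounds, the last without MixColumns."""
    rounds = len(round_keys) - 1
    s = add_round_key(list(pt), round_keys[0])
    for r in range(1, rounds):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_keys[r])
    return add_round_key(shift_rows(sub_bytes(s)), round_keys[rounds])

def delta_set(base):
    """The 2^8 chosen plaintexts that vary only in byte#0."""
    return [[v] + list(base[1:]) for v in range(256)]

def odd_count_values(values):
    """Values seen an odd number of times; their XOR equals the XOR of all values."""
    return sorted(v for v, n in Counter(values).items() if n % 2)

def xor_all(values):
    return reduce(lambda a, b: a ^ b, values, 0)

def recover_last_key_byte(cts, pos):
    """Guesses for byte `pos` of the last round key under which the S-box^-1 outputs
    of that ciphertext byte XOR to 00, i.e. the balance after three rounds survives."""
    odd = odd_count_values(c[pos] for c in cts)  # step 1 of the five-round method
    return [k for k in range(256) if xor_all(INV_SBOX[v ^ k] for v in odd) == 0]

# Constructed demo: fixed key, delta set around a fixed base block, 4 rounds.
KEY = bytes(range(16))
ROUND_KEYS = expand_key(KEY, 4)
BASE = bytes([0x42] * 16)
CIPHERTEXTS = [encrypt(p, ROUND_KEYS) for p in delta_set(BASE)]
CANDIDATES = recover_last_key_byte(CIPHERTEXTS, 0)  # always contains ROUND_KEYS[4][0]
```

The true key byte always survives, and on average one wrong guess survives by chance, which is the "two values for each key byte" the text counts on.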

Selecting the key actually used

We now select the fifth round key actually used from the above possible keys. At this stage, we use the second-round consistent differential pattern 2 (a) illustrated in Figure 6.6 (a). We randomly choose two plaintexts from the 2^32 plaintexts, and decrypt the corresponding two ciphertexts with a possible fifth round key and the corresponding fourth and third round keys (these fourth and third round keys can be obtained from the key schedule if a possible fifth-round key is given). Then, we can check the second-round consistent differential pattern 2 (a) for the second-round intermediate difference. Finally, only one fifth round key will remain for the same reason outlined in the cryptanalysis of four rounds.

Complexity

For this method, encryption or decryption is not actually done in the process of finding possible keys. All we have to do is to assume 256 values for each fifth-round key byte, and look up S-box^-1 128 times (the number of values which appear an odd number of times in the fifth-round intermediate texts) for each assumed key value. Given that the round key block consists of 16 bytes, this task must be done 16 times in the process of finding possible keys. So, we must look up S-box^-1 2^19 (2^8 × 2^7 × 2^4) times on average. Also, in the process of selecting the key actually used, we must decrypt two ciphertexts for three rounds with 2^16 possible keys. This step requires 2^16 × 6 one-round decryptions. Considering the volume of the computation, the complexity of this method is about the same as 2^17 full encryptions of the five-round AES algorithm. We have implemented this method, and have practically applied it to finding the Cipher Key, which has been presented as a data example in FIPS 197 (Announcing the Advanced Encryption Standard) [63]. Appendix C shows the result. The results of our implementation have shown that if a set of 2^32 plaintexts is given, so we know the values which appear an odd number of times on each byte, then the Cipher Key of the five-round AES algorithm can be found in a few seconds. Another test result of our implementation is shown in Appendix C.

7.4 Six rounds

Here we describe a cryptanalytic method for the six-round AES algorithm, which is based on the fifth-round consistent differential pattern and the fourth-round consistent differential pattern 2. We use two sets of 2^32 chosen plaintexts that vary in (byte#0, byte#5, byte#10, byte#15). We slightly change the original structure of the six-round AES algorithm to Figure 7.1, so as to reduce the number of key assumptions. In the structure of Figure 7.1, we find RK5' and RK6. RK5' in Figure 7.1 and RK5 in the original six-round AES algorithm have the relationship

MixColumns(RK5') = RK5.

But, RK6 in Figure 7.1 is the same as the RK6 in the original six-round AES algorithm. Therefore, we can use the structure of Figure 7.1 to find the Cipher Key of the original structure of the six-round AES algorithm, because we will find the Cipher Key from RK6.

Figure 7.1: Checking the fourth-round consistent differential pattern (SB: SubBytes, SR: ShiftRows, MC: MixColumns). The figure traces a set of 2^32 chosen plaintexts varying in (byte#0, byte#5, byte#10, byte#15) through the last three rounds: round 4 (SB, SR, MC, ⊕ RK4) gives the fourth-round intermediate texts with active bytes (byte#0, byte#5, byte#10, byte#15); round 5 is drawn with the key addition ⊕ RK5' placed before MC (SB, SR, ⊕ RK5', MC) and gives the fifth-round intermediate texts with active bytes (byte#0, byte#1, byte#2, byte#3); round 6 (SB, SR, ⊕ RK6) gives the ciphertexts with active bytes (byte#0, byte#7, byte#10, byte#13).

Finding possible key components

We first find (byte#0, byte#7, byte#10, byte#13) in RK6 using the following steps.

1. We first select the values which appear an odd number of times in the combination of (byte#0, byte#7, byte#10, byte#13) in a set of the ciphertexts (on average, there are 2^31 values, which appear an odd number of times, in the combination).

2. We now assume a value for the combination of (byte#0, byte#7, byte#10, byte#13) in RK6. If the values selected in step 1 are decrypted for one round with the assumed four-byte key, then the corresponding values are placed in the first column of the fifth-round intermediate texts (see Figure 7.1) and each value for the first column naturally appears an odd number of times (when we decrypt, we also count the values according to each byte). These values for the first column must satisfy the fifth-round consistent differential pattern if the assumed key value is correct; that is, these values must satisfy the fourth-round consistent differential pattern 2 after ShiftRows^-1 and S-box^-1 in Figure 7.1. We now check whether the values in the first column satisfy the fourth-round consistent differential pattern 2 after ShiftRows^-1 and S-box^-1.

3. This process is the same as the process of Finding Possible Keys in the cryptanalysis of five rounds. We select the values which appear an odd number of times on byte#0 in the fifth-round intermediate texts (we already know these values from step 2; we are not interested in the values which appear an even number of times). If we decrypt (actually S-box^-1) these values with a value assumed for byte#0 of RK5', then we will obtain the corresponding values on byte#0 in the fourth-round intermediate texts. If the assumed key value is correct, then the XOR of these corresponding values will be '00'. If the XOR of these values is '00', then we keep the assumed key value for byte#0 of RK5'. Otherwise, the assumption is wrong, so we return to the beginning of step 3 for another value assumed for byte#0 of RK5'. If the four-byte key initially assumed for RK6 in step 2 is correct, then two values for byte#0 of RK5' will be chosen, including one wrong value which may be chosen by chance. Step 3 is also applied to the other three bytes of RK5', which are byte#1, byte#2 and byte#3. We can then check the fourth-round consistent differential pattern 2 for byte#5, byte#10 and byte#15 in the fourth-round intermediate texts as well.

4. Now, we check whether the above values for (byte#0, byte#7, byte#10, byte#13) of RK6 and for (byte#0, byte#1, byte#2, byte#3) of RK5' are really eligible for the components of each round key. To do this, we use the other set of chosen plaintexts. With the key components we have just found, we decrypt the values which appear an odd number of times in the combination of (byte#0, byte#7, byte#10, byte#13) in a new set of the ciphertexts. If any values for (byte#0, byte#7, byte#10, byte#13) of RK6 and for (byte#0, byte#1, byte#2, byte#3) of RK5' satisfy the fourth-round consistent differential pattern 2 on byte#0, byte#5, byte#10 and byte#15 in the fourth-round intermediate texts, then those values are really eligible for the key components of RK6 and RK5'. This is because the probability that this event occurs by chance is 1/2^32 (the probability is 1/256 for each byte). At this stage the number of key combinations we may consider is 2^4 on average. If the key components which have been found in steps 2 and 3 pass this step, we keep the value initially assumed for (byte#0, byte#7, byte#10, byte#13) of RK6 (we do not keep the components of RK5'). Otherwise, we return to the beginning of step 2.

5. Using the same concept, if we apply steps 1 to 4 to the other bytes in the ciphertexts, then we can find the other components of RK6, which are (byte#1, byte#4, byte#11, byte#14), (byte#2, byte#5, byte#8, byte#15), (byte#3, byte#6, byte#9, byte#12).

Selecting the key actually used

Now, we finally check, in order to be certain, whether the key components are all correct. Using the key schedule, we obtain the fifth, fourth, and third round keys from the sixth round key. Then we decrypt two ciphertexts with the original structure of the six-round AES algorithm (not the structure in Figure 7.1). As a consequence, we will check the second-round consistent differential pattern 2 (a). In fact, this step requires, if anything, only a small amount of computation, because wrong key components hardly ever pass step 4.

Complexity

For this method, we must consider four key bytes together in assuming the sixth round key. In step 2, for each assumption of the four-byte keys, we may decrypt, on average, 2^31 corresponding four-byte words for one round. Then, in step 3, we may look up S-box^-1 2^17 (2^8 × 2^7 × 4) times on average. After this, in step 4, we decrypt 2^31 four-byte words for one round, and look up S-box^-1 2^10 (2^7 × 8) times to check whether the assumed key components of the sixth round key can coexist with the obtained key components of the fifth round key. These operations must be done 2^32 × 4 times, because the number of possible values for the four-byte key combination is 2^32 and the round-key block consists of 16 bytes (four columns). For this reason, this method requires 2^32 × 2^32 × 4 one-round decryptions of four bytes and (2^17 + 2^10) × 2^32 × 4 S-box^-1 lookups. That is, 2^64 one-round decryptions of a ciphertext block and 2^51 + 2^44 S-box^-1 lookups are needed to find the sixth round key. As well as all this, some more operations are required to count values in step 1 (step 1 must be done 8 times). However, these operations do not require as much computation as some others. Considering the volume of the computation, the complexity of this method is not greater than 2^62 full encryptions of the six-round AES algorithm, even in the worst case.

7.5 Seven-round extension

The cryptanalytic method for the six-round AES algorithm can be extended to seven rounds. We simply assume all the components (16 bytes) of the seventh round key. If we naively assume all the possible values for the seventh-round key, then it adds 128 bits to the key assumption. So, the complexity will be about 2^190. Given this level of complexity, we see that this method is faster than an exhaustive key search for seven rounds of AES-192 and AES-256. But, for AES-128, this method requires more complexity than an exhaustive key search does.

In this chapter we have discussed the impact of the consistent differential pattern on the security of the AES algorithm. We have shown that the consistent differential patterns observed in Chapter 6 can be used for the cryptanalysis of the AES algorithm, independently or cooperatively with others. Judging by the AES algorithm, we can say that the block cipher whose structure is very mathematical, statistical, and so rather uniform, is apt to have consistent differential patterns.

Chapter 8

Conclusion

In this thesis, we have discussed our further studies on the cryptologic properties of the AES algorithm. In the preceding chapters, we have studied some algebraic properties of the AES algorithm. In particular, we have devoted much space to the cyclic properties and the distinctive output properties of this cipher. In terms of the cyclic properties of the AES algorithm we have found that

• every function used in the AES algorithm has a very short period and these short periods are not increased in the linear layer;

• when the non-linear layer and the linear layer are combined, the period is dramatically increased; and

• the combination of the non-linear layer and linear layer nevertheless still has short periods for certain types of input blocks, and causes the AES elementary structure to have an unusual algebraic property: input blocks in which all bytes are the same always lead to output blocks in which all bytes are the same. This property is mainly caused by the fact that the matrix multiplication, MixColumn, does not influence the data transformation for the inputs in which all bytes are the same.

Summing up our observations on the cyclic properties of the AES algorithm, we can say that the unusual property of the matrix multiplication MixColumn used in the MixColumns transformation causes the AES algorithm to have an undesirable cryptologic property in the cipher part itself. However, the round key addition covers these weaknesses, as previously shown. In conjunction with the distinctive output properties of the AES algorithm, we have observed that the AES algorithm has the S-box, which provides uniformly distributed output differentials, and which enables the AES algorithm to be strong against conventional cryptanalytic methods, such as DC and LC. We have also observed, however, that there are some consistent differential patterns in the AES structure:

• any two plaintexts that differ by only one byte cause a second-round consistent differential pattern; any two plaintexts that differ by up to four bytes in certain positions also cause a second-round consistent differential pattern;

• any two plaintexts referred to above lead to a 2⅔-round consistent differential pattern;

• any 2^(8n) plaintexts that vary in certain n bytes lead to a third-round consistent differential pattern;

• any 2^32 plaintexts that vary in four of the bytes cause some fourth-round consistent differential patterns; and

• any 2^32 plaintexts that vary in four of the bytes cause a fifth-round consistent differential pattern.

Summing up all our observations on the distinctive output properties of the AES algorithm, we note that the AES algorithm is very well designed to provide uniformly-distributed differentials in statistics, but that at the same time the structure also yields some undesirable consistent differential patterns. At the moment, we do not claim that the AES algorithm is not good enough as the standard algorithm for the next few decades. Rather, we believe that the AES algorithm is a well-designed block cipher that has many advantages over conventional cryptanalytic methods. It is also true, however, as shown in this thesis, that there are some unusual hidden cryptologic properties in the AES algorithm. These properties are related to both the functions used in the algorithm and the structure of the cipher. We believe that the cryptologic properties we have observed in the AES algorithm should even be considered in the design of other block ciphers.

Appendix A

Classifying the substitution values in the ES-box


Appendix B

Distribution of output differences

Output differences for an input difference 01: 01, 04, 06, 08, 09, 0a, 0b, 0c, 0d, 0e, 0f, 11, 14, 15, 18, 19, 1a, 1e, 1f, 21, 22, 24, 29, 2a, 2d, 2f, 30, 31, 35, 36, 37, 38, 39, 3a, 3b, 3f, 43, 47, 48, 4a, 4b, 4c, 4e, 4f, 51, 53, 54, 58, 59, 5a, 62, 63, 65, 69, 6a, 6b, 6c, 6e, 72, 75, 78, 79, 7d, 80, 82, 83, 84, 85, 87, 89, 8a, 8e, 91, 93, 97, 99, 9b, 9d, 9f, a1, a3, a6, a8, a9, aa, ab, ac, ad, b0, b2, b4, b5, b6, b7, ba, bc, c1, c2, c3, c7, c8, ca, cc, cd, ce, cf, d0, d2, d3, d8, dc, dd, e0, e1, e4, e7, ea, ed, ee, ef, f2, f6, f7, f8, fa, fb, ff.

Output differences for an input difference 02: 03, 04, 05, 06, 07, 0b, 0c, 0d, 0f, 11, 12, 14, 1b, 1c, 1d, 24, 25, 27, 2a, 2c, 2d, 2e, 2f, 36, 37, 38, 3c, 40, 41, 42, 47, 4d, 52, 53, 54, 55, 56, 57, 58, 59, 5a, 5d, 5f, 60, 64, 66, 67, 68, 6c, 6d, 6e, 70, 72, 75, 79, 7a, 7b, 7c, 7d, 80, 83, 84, 85, 86, 87, 88, 8a, 8c, 8e, 91, 94, 96, 97, 98, 99, 9a, 9b, 9c, 9d, 9f, a1, a2, a5, a7, a8, a9, aa, ac, ae, b1, b2, ba, bc, bd, be, c0, c1, c2, c3, c5, c8, cb, cd, ce, cf, d0, d1, d4, d5, da, db, de, e0, e3, e6, e7, e9, ec, ee, f0, f2, f3, f7, fa, fd, fe, ff.

Output differences for an input difference 03: 02, 04, 05, 08, 0a, 0b, 0c, 11, 12, 13, 14, 15, 16, 17, 18, 1b, 1e, 1f, 21, 22, 24, 28, 2b, 34, 36, 37, 3a, 40, 44, 45, 46, 48, 4b, 4d, 4e, 52, 53, 55, 56, 57, 5c, 5d, 60, 62, 64, 66, 67, 6c, 6d, 6e, 71, 72, 75, 76, 7b, 7c, 7d, 7e, 7f, 81, 82, 85, 86, 88, 8a, 8b, 91, 92, 93, 94, 95, 99, 9b, 9d, 9e, a0, a2, a3, a4, a5, a6, a9, aa, ad, af, b4, b7, ba, bb, bc, be, c1, c2, c5, c6, c7, c8, cc, ce, d1, d3, d4, d6, d7, d8, d9, da, dc, de, e1, e3, e4, e5, e8, e9, ea, ed, ef, f0, f5, f7, f8, f9, fa, fb, fd, ff.

Output differences for an input difference 04: 09, 12, 15, 16, 17, 18, 19, 1b, 1c, 1d, 1e, 20, 21, 26, 27, 29, 2c, 2d, 30, 31, 32, 33, 34, 35, 36, 37, 38, 3d, 3e, 42, 43, 45, 46, 47, 48, 49, 4a, 4b, 4e, 51, 53, 54, 55, 56, 57, 59, 5a, 5d, 60, 64, 65, 67, 68, 6a, 6f, 70, 73, 76, 78, 79, 7a, 7b, 7d, 7e, 81, 85,

101 102

87, 88, 8d, 8e, 91, 92, 93, 95, 96, 97, 98, 99, 9b, 9d, a0, a2, a3, a6, a9, ab, ac, af, b0, b1, b3, b6, ba, be, c2, c3, c4, c5, cb, cc, cd, ce, cf, d0, d4, d6, d7, d8, db, de, df, e2, e4, e6, e7, e8, ea, ec, ed, f1, f3, f4, f6, f9, fa, fb, ff.

Output differences for an input difference 05: 04, 08, 09, 0c, 0d, 11, 12, 14, 15, 16, 18, 1c, 1e, 1f, 20, 23, 24, 26, 29, 2e, 2f, 30, 31, 32, 33, 38, 39, 3a, 3b, 40, 42, 43, 44, 45, 48, 4a, 4c, 4f, 50, 52, 53, 55, 57, 58, 5a, 5b, 5c, 5f, 61, 62, 63, 64, 66, 67, 6a, 71, 73, 76, 78, 79, 7b, 80, 81, 86, 88, 8c, 8e, 90, 91, 92, 93, 94, 96, 98, 99, 9a, 9c, 9d, 9e, 9f, a0, a3, a4, a6, a8, a9, aa, ac, af, b1, b2, b3, b4, b5, b7, b9, bb, c0, c1, c3, c6, c7, c8, c9, cb, cc, ce, d0, d1, d2, d4, d5, dd, df, e0, e1, e3, e6, e7, ec, f0, f1, f5, f9, fc, fe, ff.

Output differences for an input difference 06: 01, 04, 05, 09, 0b, 0c, 0e, 10, 11, 12, 14, 19, 1a, 1b, 20, 23, 24, 26, 29, 30, 31, 32, 33, 35, 36, 37, 39, 3b, 3d, 3e, 3f, 40, 43, 49, 4a, 4c, 4d, 4f, 50, 51, 52, 53, 55, 56, 57, 5b, 5d, 5e, 60, 61, 63, 64, 65, 66, 67, 69, 6a, 6b, 6c, 6d, 6e, 6f, 72, 73, 74, 75, 77, 78, 7b, 7c, 7d, 85, 86, 88, 89, 8a, 8d, 8f, 90, 91, 94, 99, 9b, 9d, a2, a5, a9, aa, ab, b0, b3, b5, b6, b8, b9, ba, bc, be, bf, c1, c2, c4, c5, c8, c9, ca, ce, d1, d2, d4, da, dd, de, df, e2, e3, e9, eb, f0, f1, f4, f6, f7, fa, fc, fd, ff.

Output differences for an input difference 07: 01, 06, 08, 09, 0a, 10, 11, 13, 14, 16, 1c, 1d, 21, 22, 23, 25, 27, 28, 2e, 2f, 31, 32, 33, 35, 36, 37, 39, 3a, 3c, 3d, 3e, 3f, 41, 42, 43, 44, 45, 46, 48, 4e, 54, 55, 56, 57, 59, 60, 62, 64, 65, 66, 6d, 6e, 6f, 72, 73, 75, 76, 78, 79, 7b, 7c, 7e, 80, 83, 84, 86, 87, 89, 8e, 8f, 90, 93, 94, 96, 9a, 9b, 9d, 9e, a0, a4, a5, a6, a7, a9, aa, ac, b0, b2, b3, b5, b6, b7, b8, bb, bc, be, bf, c2, c5, c8, c9, ca, cc, cd, d2, d5, d6, d9, da, db, dc, dd, e0, e2, e3, e4, e5, e6, e7, e8, ed, f2, f3, f8, fc, fe, ff.

Output differences for an input difference 08: 02, 03, 09, 0b, 0c, 0f, 10, 11, 13, 15, 16, 1a, 1b, 1f, 21, 22, 24, 25, 26, 27, 2d, 30, 31, 32, 35, 38, 39, 3b, 3f, 47, 4b, 4c, 50, 51, 52, 53, 56, 57, 58, 5b, 5d, 62, 64, 66, 67, 68, 6a, 6b, 6d, 6f, 71, 74, 75, 76, 7a, 7d, 7e, 82, 83, 84, 87, 8b, 8c, 8d, 90, 93, 94, 95, 96, 9a, 9b, 9e, a1, a3, a4, a5, a6, a7, a8, a9, ab, ac, ae, af, b0, b1, b2, b3, b7, b8, bc, be, c0, c2, c3, c4, c6, c8, ca, cb, cd, ce, d1, d2, d4, d5, d7, d8, d9, df, e0, e1, e2, e6, e7, e8, e9, eb, ed, ef, f3, f7, f8, f9, fa, fc, fd.

Output differences for an input difference 09: 02, 03, 06, 07, 0c, 0e, 12, 13, 15, 16, 17, 19, 1a, 1c, 1d, 1e, 1f, 20, 25, 28, 29, 2e, 103

2f, 31, 32, 33, 37, 39, 3a, 3c, 3e, 3f, 43, 45, 46, 47, 4b, 4c, 4d, 4e, 51, 53, 54, 55, 56, 58, 5a, 5b, 5c, 5d, 5e, 5f, 61, 62, 63, 64, 66, 67, 68, 6a, 6c, 6d, 6e, 70, 71, 7c, 7d, 7e, 7f, 82, 83, 85, 86, 87, 89, 8d, 8e, 8f, 90, 92, 95, 96, 97, 98, 99, 9b, 9f, a1, a4, a6, aa, b0, b1, b6, b8, bb, bc, c0, c1, c3, c5, c7, c8, c9, cc, d1, d3, d5, dc, dd, de, df, e0, e2, e7, ea, eb, ed, ee, f0, f3, f4, f7, f8, f9, fd, ff.

Output differences for an input difference 0a: 02, 03, 04, 06, 07, 09, 0a, 0c, 0f, 11, 12, 13, 14, 17, 1d, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 2a, 2b, 2c, 2d, 30, 31, 32, 33, 34, 39, 3b, 3c, 40, 41, 43, 46, 47, 4a, 4b, 4c, 4e, 4f, 50, 52, 53, 54, 55, 57, 59, 5b, 61, 63, 64, 66, 67, 68, 6a, 70, 73, 78, 7a, 7b, 7e, 7f, 82, 83, 84, 86, 87, 88, 8b, 90, 91, 94, 95, 97, 99, 9d, a1, a7, a9, aa, ad, ae, b3, b5, b9, bd, c1, c8, c9, cd, ce, cf, d1, d2, d3, d4, d6, d7, d8, d9, db, dc, dd, df, e3, e4, e5, e8, ea, ed, ee, ef, f0, f1, f2, f3, f8, fb, fc, ff.

Output differences for an input difference 0b: 01, 07, 08, 09, 0c, 0d, 0e, 0f, 10, 11, 12, 16, 17, 18, 19, 1b, 1d, 1e, 20, 21, 22, 23, 24, 28, 2b, 2c, 2d, 2f, 30, 31, 33, 34, 36, 37, 39, 3a, 3b, 3c, 40, 41, 46, 47, 48, 4b, 4c, 53, 55, 56, 5a, 5d, 61, 65, 69, 6a, 6c, 6d, 6e, 6f, 70, 71, 72, 73, 74, 76, 79, 7b, 7f, 80, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8c, 8d, 8e, 96, 9a, 9e, 9f, a1, a4, a5, a9, af, b1, b4, b6, b8, b9, ba, bd, be, c0, c4, c6, c7, c8, c9, cb, cc, cd, ce, d0, d2, d5, d6, d8, db, e2, e3, e5, e6, e9, eb, ed, ef, f0, f1, f6, f8, f9, fd.

Output differences for an input difference 0c: 02, 03, 06, 07, 08, 09, 0a, 0d, 0f, 12, 13, 19, 1b, 1f, 20, 22, 25, 26, 28, 29, 2a, 2b, 2e, 2f, 30, 31, 32, 33, 35, 36, 37, 3a, 3c, 3d, 3e, 41, 43, 44, 49, 4a, 51, 53, 55, 56, 57, 58, 5c, 5d, 5f, 60, 62, 64, 65, 67, 6a, 6f, 71, 73, 78, 7b, 7d, 7f, 80, 82, 83, 84, 85, 88, 8b, 8c, 8d, 91, 99, 9a, 9b, 9c, 9d, 9e, 9f, a1, a2, a4, a7, a8, a9, ab, ad, ae, b0, b2, b3, b4, b6, b7, ba, bb, bd, be, c0, c2, c4, c5, c6, c7, ce, d3, d4, d5, d9, dc, de, df, e0, e1, e2, e5, ee, ef, f1, f2, f4, f5, f6, f8, fa, fe, ff.

Output differences for an input difference 0d: 01, 02, 06, 07, 08, 09, 0a, 0b, 0f, 11, 13, 17, 19, 1a, 1e, 1f, 20, 21, 23, 24, 26, 29, 2b, 2c, 2e, 2f, 30, 33, 35, 36, 39, 3c, 3e, 3f, 42, 43, 44, 45, 46, 47, 4c, 4d, 4e, 4f, 52, 53, 56, 59, 5b, 5d, 5f, 60, 62, 64, 67, 68, 69, 6c, 6e, 6f, 71, 75, 76, 77, 79, 7b, 7c, 7d, 82, 84, 86, 87, 88, 8c, 90, 91, 92, 93, 94, 96, 9a, 9b, 9d, 9f, a2, a3, a4, a5, a7, a8, aa, ab, ad, ae, af, b1, b2, b3, b4, b5, b6, b8, b9, ba, bf, c1, c3, c4, cc, cf, d0, d7, d8, db, e5, e7, e8, e9, ea, eb, ec, ee, f0, f3, f4, f5, f8.

Output differences for an input difference 0e: 02, 03, 04, 05, 07, 08, 0a, 0b, 15, 17, 1b, 1e, 1f, 21, 22, 24, 26, 27, 30, 31, 32, 33, 37, 39, 3b, 3e, 3f, 40, 41, 42, 43, 44, 47, 48, 49, 4a, 4b, 4f, 50, 52, 55, 56, 58, 59, 5a, 5c, 5f, 64, 66, 68, 69, 6b, 6d, 6e, 70, 71, 74, 76, 77, 79, 7c, 7f, 80, 82, 84, 86, 88, 89, 8a, 8f, 90, 91, 92, 93, 95, 97, 98, 9a, 9b, 9e, 9f, a0, a1, a2, a7, aa, ab, ac, b0, b1, b2, b6, b7, b8, b9, ba, bc, c0, c3, c4, c5, c7, c8, c9, cd, ce, d3, d4, d6, d9, db, dd, e2, e4, e5, e6, e8, e9, ea, ee, f1, f2, f6, f9, fa, fe, ff.

Output differences for an input difference 0f: 02, 03, 04, 08, 0a, 0c, 0f, 11, 15, 16, 17, 18, 19, 1a, 21, 23, 28, 29, 2b, 2e, 30, 31, 33, 36, 3c, 3e, 42, 47, 49, 4b, 4c, 4d, 4e, 4f, 50, 52, 54, 55, 57, 5d, 5e, 61, 62, 65, 66, 67, 69, 6d, 6e, 6f, 70, 71, 74, 75, 78, 7a, 7e, 80, 83, 85, 88, 89, 8a, 8d, 8e, 90, 92, 93, 96, 98, 99, 9a, 9b, 9c, 9d, 9e, 9f, a0, a2, a7, a8, aa, ab, ac, af, b0, b3, b8, bb, bd, be, bf, c0, c3, c5, c7, ca, cb, cc, cd, ce, cf, d0, d2, d3, d6, d7, d9, da, db, dd, df, e0, e1, e3, e9, ee, ef, f0, f1, f2, f3, f5, f7, f8, fa, fb.

. . . .

Output differences for an input difference fe: 03, 04, 07, 08, 09, 0d, 13, 15, 1c, 1e, 1f, 20, 23, 24, 27, 28, 29, 2b, 2e, 2f, 34, 36, 38, 3e, 3f, 40, 41, 44, 46, 47, 48, 49, 4c, 4d, 4e, 52, 55, 59, 5b, 5c, 5d, 60, 61, 63, 64, 66, 68, 69, 6a, 6b, 6c, 70, 71, 72, 73, 74, 75, 76, 77, 78, 7d, 7e, 84, 85, 86, 88, 89, 8b, 8c, 8e, 8f, 91, 92, 93, 96, 97, 9c, 9e, a0, a1, a5, a7, a8, aa, ab, ad, b0, b3, b5, b6, b7, b8, be, c2, c4, c7, c8, cb, cd, ce, d0, d2, d4, d5, d7, d8, da, db, dc, de, df, e0, e2, e7, ec, ed, ee, ef, f2, f6, f7, f8, f9, fb, fc, fd, ff.

Output differences for an input difference ff: 01, 02, 03, 07, 0a, 0b, 0c, 0f, 13, 15, 17, 1d, 1e, 1f, 21, 22, 23, 25, 26, 28, 29, 2a, 2d, 2f, 31, 35, 36, 39, 3a, 3c, 3e, 40, 42, 43, 44, 46, 4c, 4d, 50, 52, 53, 56, 57, 58, 59, 5a, 5d, 5e, 62, 63, 65, 68, 69, 6a, 6b, 6d, 70, 72, 73, 75, 76, 7b, 7c, 7e, 7f, 81, 84, 88, 8a, 8c, 8d, 8e, 8f, 94, 95, 99, 9a, 9c, 9e, 9f, a0, a6, aa, ab, ad, af, b3, b8, b9, ba, c1, c2, c3, c5, c6, c7, c8, ca, cb, cc, cd, cf, d4, d8, dd, de, e0, e2, e3, e4, e6, e7, eb, ec, ef, f1, f2, f3, f4, f5, f6, fa, fb, fc, fd, fe, ff.

Appendix C

Implementation results of the five-round cryptanalysis

Test Result #1

1.1 A set of 2^32 chosen plaintexts

2^32 plaintexts (each block is shown as a 4 x 4 byte array, as in the original figure; the rightmost column is the last block of the set):

  block #0       block #1       block #2       block #3                last block
  00 88 31 e0    00 88 31 e0    00 88 31 e0    00 88 31 e0    • • •   ff 88 31 e0
  43 00 31 37    43 00 31 37    43 00 31 37    43 00 31 37            43 ff 31 37
  f6 30 00 07    f6 30 00 07    f6 30 00 07    f6 30 00 07            f6 30 ff 07
  a8 8d a2 00    a8 8d a2 01    a8 8d a2 02    a8 8d a2 03            a8 8d a2 ff

2^32 ciphertexts (the corresponding blocks, same layout):

  f0 bb dd 4e    b5 c2 ba 1a    7b af d8 82    68 83 58 ca    • • •   66 08 92 8a
  49 b8 2a 64    c3 30 b8 4d    b8 1b 7e 15    d1 ae d6 1e            98 37 0d db
  de 63 f9 10    91 0d 91 37    45 5c 57 e8    8b 8e 00 57            50 b5 3c 6a
  ea b8 4b fa    40 55 bc 26    d1 b3 c3 fe    34 4f ee 57            92 3d fd 36

1.2 Result of Finding Possible Keys

Eligible components for the fifth round key (RK5) :

byte #0  : 11, d4
byte #1  : d1, d3
byte #2  : 16, 6b, c6, ca
byte #3  : 4a, f8
byte #4  : 7c, ab
byte #5  : 80, 83
byte #6  : 7a, 9a, 9d, b6, b9, cd
byte #7  : 57, 87
byte #8  : ca, cf
byte #9  : 06, f2
byte #10 : 8e, a0, b8
byte #11 : bc
byte #12 : 11, 7b
byte #13 : d4, f9
byte #14 : 15
byte #15 : 52, bc

1.3 Result of Selecting the Key Actually Used

RK5 : d4 d1 c6 f8 7c 83 9d 87 ca f2 b8 bc 11 f9 15 bc

RK4 : ef 44 a5 41 a8 52 5b 7f b6 71 25 3b db 0b ad 00

RK3 : 3d 80 47 7d 47 16 fe 3e 1e 23 7e 44 6d 7a 88 3b

RK2 : f2 c2 95 f2 7a 96 b9 43 59 35 80 7a 73 59 f6 7f

RK1 : a0 fa fe 17 88 54 2c b1 23 a3 39 39 2a 6c 76 05

RK0 : 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Cipher Key : 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Test Result #2

2.1 A set of 2^32 chosen plaintexts

2^32 plaintexts (each block is shown as a 4 x 4 byte array, as in the original figure; the rightmost column is the last block of the set):

  block #0       block #1       block #2       block #3                last block
  00 00 00 00    00 00 00 00    00 00 00 00    00 00 00 00    • • •   ff 00 00 00
  00 00 00 00    00 00 00 00    00 00 00 00    00 00 00 00            00 ff 00 00
  00 00 00 00    00 00 00 00    00 00 00 00    00 00 00 00            00 00 ff 00
  00 00 00 00    00 00 00 01    00 00 00 02    00 00 00 03            00 00 00 ff

2^32 ciphertexts (the corresponding blocks, same layout):

  bb 0f 74 5a    5e d9 a6 1a    e7 9d a4 17    aa 78 8d 1c    • • •   38 9e 84 cd
  6f 5f 56 69    9d c7 99 82    83 f4 a9 d6    93 9d fa 72            10 1e 58 c2
  45 99 7c 73    f1 a8 86 96    36 36 1a 76    48 cc cd bf            9d fa 6d 75
  89 31 d8 21    bd d3 50 99    53 49 97 09    6d 44 9d 59            aa 2e 7a fe

2.2 Result of Finding Possible Keys

Eligible components for the fifth round key (RK5) :

byte #0  : 8e
byte #1  : 18, 63, b0
byte #2  : 49
byte #3  : 2a, 86
byte #4  : 39
byte #5  : 40, a7, ab
byte #6  : 38, 46
byte #7  : 1d
byte #8  : d9
byte #9  : 70
byte #10 : 10
byte #11 : 34, ad
byte #12 : 64, 8f
byte #13 : 67
byte #14 : 3d
byte #15 : 49, e3

2.3 Result of Selecting the Key Actually Used

RK5 : 8e b0 49 86 39 40 38 1d d9 70 10 ad 8f 67 3d e3

RK4 : 6e 68 66 37 b7 f0 71 9b e0 30 28 b0 56 17 2d 4e

RK3 : aa 03 dd 79 d9 98 17 ac 57 c0 59 2b b6 27 05 fe

RK2 : 3a 49 de 81 73 9b ca d5 8e 58 4e 87 e1 e7 5c d5

RK1 : 30 80 de 29 49 d2 14 54 fd c3 84 52 6f bf 12 52

RK0 : 21 10 bd 66 79 52 ca 7d b4 11 90 06 92 7c 96 00

Cipher Key : 21 10 bd 66 79 52 ca 7d b4 11 90 06 92 7c 96 00
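Both appendices can be regenerated from the AES definition alone: the lists in Appendix B are the non-zero entries of one row of the S-box difference distribution table, and the round keys RK0..RK5 in Appendix C follow from the recovered cipher key by the FIPS-197 key schedule. The Python below is an added example, not code from the thesis; it builds the S-box from its GF(2^8) definition, lists the output differences for any input difference, and expands the cipher key of Test Result #1 so the listed RK5 can be checked.

```python
# Added example, not code from the thesis: regenerate the AES S-box, the
# output-difference lists of Appendix B and the AES-128 round keys of
# Appendix C so that the tabulated values can be checked independently.

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11b if a & 0x100 else a

def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 (a^254 == a^-1)."""
    r, p, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, p)
        p, e = gf_mul(p, p), e >> 1
    return r if a else 0

def rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xff

def make_sbox():
    """AES S-box: GF(2^8) inversion followed by the FIPS-197 affine map."""
    sbox = []
    for x in range(256):
        b = gf_inv(x)
        sbox.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return sbox

SBOX = make_sbox()

def output_differences(din, sbox=SBOX):
    """Sorted output differences reachable from input difference din, i.e. the
    non-zero entries of row din of the S-box difference table (Appendix B)."""
    return sorted({sbox[x] ^ sbox[x ^ din] for x in range(256)})

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

def expand_key(key, sbox=SBOX):
    """AES-128 key schedule (FIPS-197): the 11 round keys RK0..RK10 as bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:                       # RotWord, SubWord, add Rcon
            t = [sbox[v] for v in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

if __name__ == "__main__":
    print("input difference 06:", ", ".join("%02x" % v for v in output_differences(0x06)))
    # Cipher key recovered in Test Result #1 of Appendix C; RK5 is expected
    # to read d4 d1 c6 f8 7c 83 9d 87 ca f2 b8 bc 11 f9 15 bc
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    for r, rk in enumerate(expand_key(key)[:6]):
        print("RK%d : %s" % (r, " ".join("%02x" % b for b in rk)))
```

Every row of the table for a non-zero input difference has exactly 127 reachable output differences, which matches the length of the lists in Appendix B.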
