International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 109

A New Involutory MDS for the AES

Jorge Nakahara Jr and Elcio´ Abrah˜ao (Corresponding author: Jorge Nakahara Jr)

Department of Informatics, UNISANTOS R. Dr. Carvalho de Mendon¸ca, 144, Santos, Brazil (Email: jorge [email protected]) (Received July 7, 2006; revised and accepted Nov. 8, 2006)

Abstract SB(X)= AKi (MC (SR (SB(X)))), namely function com- position operates in right-to-left order. There is an input This paper proposes a new, large diffusion layer for the transformation, AK0 prior to the first round, and the last AES . This new layer replaces the ShiftRows round does not include MC. Further details about AES and MixColumns operations by a new involutory matrix components can be found in [14]. in every round. The objective is to provide complete diffu- This paper proposes a new diffusion layer for the AES sion in a single round, thus sharply improving the overall cipher, that replaces the original SR and MC layers. This cipher security. Moreover, the new matrix elements have new layer consists of a 16 × 16 involutory MDS matrix, low Hamming-weight in order to provide equally good per- denoted M16×16. The new design was called MDS-AES. formance for both the encryption and decryption opera- Thus, the new round structure of MDS-AES becomes AKi tions. We use the construction instead of ◦ M16×16 ◦ SB(X) = AKi (M16×16 (SB(X))). This de- circulant matrices such as in the AES. The reason is that sign has two main consequences: (1) complete diffusion circulant matrices cannot be simultaneously MDS and in- is achieved in a single round thus improving the overall volutory. security of the cipher because the branch number [13, 14] Keywords: AES, involutory transformations, MDS matri- increases from 5 (in the AES) to 17; but (2) lower perfor- ces mance due to the larger number of matrix components. This paper is organized as follows: Section 2 presents elementary mathematical concepts necessary for further 1 Introduction developments in the following sections. Section 3 presents a new MDS matrix for the AES, aimed at replacing the The Advanced Encryption Standard (AES) algorithm is SR and MC layers altogether. The new cipher is called an SPN-type cipher designed by J. Daemen and V. Rijmen simply MDS-AES. Section 4 presents a security analysis for the AES Development Process [1]. The original cipher of MDS-AES. Section 5 concludes the paper. was called Rijndael, and it was selected out of fifteen can- didates during the AES Development Process, initiated by the National Institute of Standards and Technology 2 Preliminaries (NIST) in 1997. The AES will become the new de facto world standard in symmetric , as the succes- An involutory transformation (or simply ) f is sor of the Data Encryption Standard (DES) algorithm. In a self-inverse mapping, namely, f(x) = f −1(x), for all x Sep. 2000, Rijndael was officially standardized as FIPS over the domain of f. The use of involutions in cryptol- PUB 197 [24]. Rijndael (and the AES) have already been ogy dates back to Hebrew ciphers such as ATBASH, AL- implemented in several programming languages and are BAM and ATBAH, the German Enigma cipher [18], and embedded in several software systems [29]. The AES is more recently, the block ciphers Khazad [3] and the smallest instance of the Rijndael cipher [14], since the [2]. There are several reasons for the use of involutional AES operates on 128-bit text blocks, under keys of 128, mappings. For instance, they reduce the implementation 192 or 256 bits, for which the cipher iterates ten, twelve cost of both encryption and decryption operations, and and fourteen rounds, respectively. imply that both transformations have the same crypto- There are four transformations in a full round of Ri- graphic strength. Nonetheless, it is important that alge- jndael: SubBytes (SB), ShiftRows (SR), MixColumns braic properties due to involutions do not lead to crypt- (MC) and AddRoundKey (AKi). The subscripts i de- analytic attacks [6]. note the round number. One full round of Rijndael ap- It is important to emphasize that making the diffusion plied to a text block X consists of AKi ◦ MC ◦ SR ◦ layer of AES an involution does not make the full cipher International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 110 an involution (e.g. because the S-box is not an involu- a4×4 circulant MDS matrix was used in the block cipher tion). AES [24]. Nonetheless, this matrix is not involutory:

02x 03x 01x 01x 02x 03x 01x 01x 2.1 Finite Fields  01 02 03 01   01 02 03 01  x x x x · x x x x  01x 01x 02x 03x   01x 01x 02x 03x  A field is a commutative ring (with unity) in which all      03x 01x 01x 02x   03x 01x 01x 02x  nonzero elements have a multiplicative inverse [23]. In this paper we are concerned with the finite field GF(28) 05x 00x 04x 00x  00 05 00 04  used in AES and related ciphers [2, 3, 14]. For the = x x x x . 8  04x 00x 05x 00x  AES, GF(2 ) is represented as GF(2)/(m(x)), where   m(x) = x8 + x4 + x3 + x + 1 is an irreducible poly-  00x 04x 00x 05x  nomial over GF(2). A polynomial representation is as- 8 The fact that the AES is not involutory is not due to the sumed for every element a ∈ GF(2 ) in the AES. So, its elements. Consider an arbitrary 4 × 4 7 i a = (a7,a6,...,a1,a0)= ai.x , with ai ∈ GF (2) for Pi=0 (with rows rotated to the right to mimic the MixColumns 0 ≤ i ≤ 7. A compact representation of an element x ∈ matrix), 8 GF(2 ) uses hexadecimal digits (denoted with subscript a0 a1 a2 a3   x), expressing the coefficients of the polynomial represen- a3 a0 a1 a2 7 5 3 2 A = . tation. For instance, x + x + x + x +1= ADx, and  a2 a3 a0 a1    m(x)=11Bx.  a1 a2 a3 a0  Addition in GF(28) is simply bitwise exclusive-or, since If A were involutory then A · A = I4×4, where I4×4 de- GF(28) has characteristic two. Multiplication in GF(28) notes the 4 × 4 . This equation implies the is just polynomial multiplication modulo m(x). following two restrictions (where + is exclusive-or): 2 2 2.2 Error-correcting Codes a0 + a2 =1, and Error-correcting codes have already been suggested in the a2 + a2 =0. (1) design of public-key algorithms by McEliece [21]. The use 1 3 of error-correcting codes, such as MDS codes, in secret- If A were MDS, then in particular, the following determi- key algorithms has been suggested by Vaudenay in [30]. nants should be nonzero: The Hamming distance between two vectors (or code a1 a3 2 2 p n = a1 + a3 6=0. (2) words) from the n-dimensional vector space (GF (2 )) a3 a1 is the number of positions (out of n) by which the two vectors differ. The Hamming weight of a vector (or code The restriction (2) contradicts (1). Similar reasoning word) u ∈ (GF (2p))n is the Hamming distance between would result if the rows were rotated to the right. Thus, u and the null vector in (GF (2p))n, namely, the number we conclude that 4×4 circulant matrices cannot be simul- of nonzero positions in u. taneously MDS and involutory. Analogous reasoning also A linear [n,k,d]-code over GF(2p) is a k-dimensional applies to larger circulant matrices. For that reason, from subspace of the vector space (GF (2p))n, where the Ham- now on we consider other MDS construction techniques. ming distance between any two distinct n-element vec- In [17], Junod and Vaudenay suggested some heuristics tors is at least d, and d is the largest number with this for constructing low implementation-cost MDS matrices. property. A G for a linear [n,k,d]- Their aim was to design matrices with a large number of code C is a k × n matrix whose rows form a basis elements equal to 1 (and other elements of low Hamming- for C. Linear [n,k,d]-codes obey the Singleton bound, weight), to minimize the implementation overhead. They d ≤ n − k + 1. A code that meets the Singleton bound, claim that their construction leads to optimal matrices namely, d = n − k +1, is called a Maximum Distance Sep- in the sense of smallest number of xor, table look-up and arable or MDS code. Alternatively, an [n,k,d]-error cor- temporary variables. Nonetheless, their matrices are not involutory. recting code with generator matrix G = [Ik×k|A], where Another approach for the construction of involutory Ik×k is the k×k identity matrix, and A is a k×(n−k) ma- MDS matrices involves the so called Cauchy matrices trix, is MDS if and only if every submatrix formed 1 from i rows and i columns, 1 ≤ i ≤ min{k,n − k}, of A [8, 31] used in the block ciphers Khazad and Anubis [2]. is nonsingular [22]. Additionally, in these ciphers, the matrix elements were MDS matrices have become a fundamental component carefully chosen to minimize the number of primitive op- in the design of block ciphers such as SHARK [28], Square erations such as exclusive-or, table look-ups, and xtime [12] and Rijndael [24], to guarantee fast and effective dif- calls [14]. In this paper, we look for large involutory, MDS fusion in a small number of rounds. One approach to ob- matrices whose components also have low Hamming weight. tain MDS matrices is the use of circulant matrices, where In particular, we look for a 16 × 16 MDS matrix to provide each row is a rotated instance (by a single unit) of the complete diffusion in a single round (Figure 1). neighbouring rows (in the same direction). For example, 1In those papers such matrices were called Hadamard. International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 111

AES MDS−AES

a a a a a a a a aa a a a a a a a0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8a 9 a10 a 11 a12 a 13 a 14 a 15 0 1 2 3 4 5 6 7 8 910 11 12 13 14 15 K0 K0

AK0

SB SSSSSSSSSSSSSSSS SSSSSSSSSSSSSSSS

SR

first first round round MC

K1 K1 AK1

SSSSSSSSSSSSSSSS Nr SSSSSSSSSSSSSSSS last K round

last C C C C CCCCCCCCCCCC round 0 1 2 3 4 5 6 7 8 9 10 11 12 1314 15 KNr

C C C C CCCCCCCCCCCC 0 1 2 3 4 5 6 7 8 9 10 11 12 1314 15

Figure 1: Computational graphs of AES and MDS-AES

Definition 1. [31] Let x1, x2,...,xm, and y1, y2 ...,yn Criterion (1) guarantees fast diffusion in a small num- be elements in a field F , such that ber of rounds. Restriction (2) aims at equal diffusion power for both encryption and decryption. Restriction (3) (1) x1,...,xm are distinct, is due to the AES block size: 16 bytes. The last two re- strictions aim at high performance (in software and hard- (2) y1,...,yn are distinct, and ware implementations). The Hamming weight of each ma- (3) xi + yj 6=0 for 1 ≤ i ≤ m, 1 ≤ j ≤ n. trix element impacts the number of xor and xtime opera- tions. The higher-order bits in each matrix element affects An m × n Cauchy matrix over F has element ci,j = the number of calls to xtime [14], which stands for multi- 1 . The of a square Cauchy matrix is 2 8 xi+yj plication by 02x in GF(2 ). Nonetheless, due to the size (xi − xj )(yi − yj ) of these matrices, many more primitive operations will be Qi

2) Be involutory; 3 A New Involutory MDS Matrix

3) Be 16 × 16; We have searched for large involutory MDS matrices to replace the SR and MC layers in every round of the AES. 4) Each matrix element, in GF(28), should have low Our search technique followed the Cauchy matrix con- Hamming weight; struction (Section 2.2), in which all elements in a row are distinct. This construction method by itself guarantees 5) The highest-order bits in each matrix element should that the resulting matrix is MDS and involutory. preferably be in the least significant bit positions. Our search algorithm just needs to select the elements We call the modified AES cipher with the new MDS of the first rowof the 16×16 MDS matrix since the Cauchy matrix substituting the SR and MC layers, simply MDS- matrix construction only depends on this row. Once this AES (Figure 1). One full round of MDS-AES consists of row is determined, the remaining ones are simply permu- an SB layer, followed by the new MDS matrix, and by tations of the first row. Our first choice for an element in this row is 01 because it is the smallest nonzero element the AKi layer. The output transformation consists of an x SB layer followed by AKNr (the key post-whitening layer) 2This operation can be precomputed for all 256 possible inputs, (Figure 1). and the result stored in table. International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 112

design decision (incomplete diffusion in a single round) Table 1: Software performance comparison (estimated) was probably based on a security-performance trade-off. If diffusion were complete in a single round of the AES # byte operations per round then, all of the known attacks against the AES would have Cipher # xtime # xor total much lower impact. Namely, the corresponding attack AES 32 64 96 distinguishers would be shorter, and the corresponding MDS-AES 688 272 960 attacks would affect a smaller number of rounds. Conse- quently, with complete diffusion, the nominal number of rounds of a cipher could be reduced, compensating the in GF(28). Further elements are selected in increasing performance overhead due to a larger diffusion matrix. order, such that As an example, (truncated) differential distinguishers covering 4-round AES contain at least 25 active S-boxes 1) The elements are pairwise distinct; [10], as predicted in [13] (dashed lines in Figure 2(a), where a nonzero byte difference is denoted by δ). The 2) The Hamming weight of each element is upper- new, larger MDS matrix (3) causes the differential distin- bounded e.g. at most 4; guisher to contain at least 33 active S-boxes across only three rounds, due to the branch number of M16×16 (Fig- 3) The highest order bit in every element is preferably ure 2(b)): sixteen active byte differences in the first round, in the least significant positions. one active byte difference in the second round and sixteen If the value does not match the above restrictions then active byte differences in the third round. By counting the the algorithm looks for the next larger value and apply number of active S-boxes, the corresponding probability of the differential distinguishers drops from (2−6)25 (in the same procedure again until the 15th element is de- −6 33 termined. The 16th (rightmost) element in the first row AES) to (2 ) (in MDS-AES). This attack implies that of the matrix is simply the exclusive-or of the previous at least three rounds are needed for MDS-AES. Similar fifteen elements and 1. This 16th element must also be reasoning applies to (conventional) linear [20] attacks. different from the previous elements. Another important attack to consider on MDS-AES is The best matrix found according to these restrictions the multiset technique [12], since it is the most effective is the following: attack known on (reduced-round instance of) AES. More- over, in both ciphers, all internal operations are bytewise A performance comparison between M16×16 and the AES matrix simply counts the number of elementary op- and bijective. Using the terminology of [12, 15], the prop- erations per round, such as bytewise xors, number of xtime agation of active, passive, and balanced bytes in a mul- calls and number of table lookups (if xtime is stored in a tiset distinguisher can be described as follows. One can table). For simplicity, we assume that each of these op- start with a multiset with one active (plaintext) byte only. erations requires a single machine cycle. Thus, one single The remaining fifteen plaintext bytes are passive. Thus, round of MDS-AES costs the same number of elementary all bytes at the input to the second round will be active. operations as all MDS matrix computations in 9-round After two rounds, due to M16×16, all sixteen bytes became AES (under a 128-bit key). balanced. That is the input multiset to the third round. Now, again due to M16×16, all output bytes are not bal- anced anymore. Thus, the subkey AK3 can be recovered 4 Security Analysis bytewise by partially decrypting the third round until the end of the second round. This attack can be extended by The AES has been intensively analysed since 1997. guessing a full subkey at the top, a trick already used in Nonetheless, the known results apply only to reduced- [12], but at an additional cost of 2128 key guesses. This round variants: differential (DC) and linear (LC) analyses attack implies that at least four rounds are needed for [9], multiset attacks [13, 15], impossible differential (ID) MDS-AES. [4, 26, 27], collision [16], boomerang attacks [7] and so on. A sharp increase in security can be observed regard- A common feature exploited implicitly by all of these ing the collision attack of Gilbert and Minier [16]. Their attacks on reduced-round AES is the slow diffusion via attack applies up to 7-round AES (although requiring al- the combination of SR and MC layers. Notice that both most the entire codebook) and depends on incomplete SR and MC operate on 32-bit words at a time. It means diffusion in a AES round. This attack, thus, is ineffective that not all output bits depend on all input (plaintext against MDS-AES, since complete diffusion is achieved in and key) bits after a single round. In AES, for exam- a single round. ple, all plaintext bits diffuse completely after two rounds Concerning impossible differential (ID) [4, 27] attacks, [13, p.29]. Key bits, though, diffuses completely after a any truncated differential (with probability one) involv- number of rounds that depends on the user’s key size. ing two rounds must involve at least 17 active S-boxes, For 128-bit keys, complete diffusion is achieved after two because of the branch number of M16×16 matrix. Us- rounds, and it takes one more round to reach complete ing the meet-in-the-middle (MITM) technique [4] we con- diffusion for every 32 bits in the key size [13, p.29]. This cluded that any pair of truncated differentials E0 and E1 International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 113

01x 03x 04x 05x 06x 07x 08x 09x 0ax 0bx 0cx 0dx 0ex 10x 02x 1ex   03x 01x 05x 04x 07x 06x 09x 08x 0bx 0ax 0dx 0cx 10x 0ex 1ex 02x  04x 05x 01x 03x 08x 09x 06x 07x 0cx 0dx 0ax 0bx 02x 1ex 0ex 10x     05x 04x 03x 01x 09x 08x 07x 06x 0dx 0cx 0bx 0ax 1ex 02x 10x 0ex     06x 07x 08x 09x 01x 03x 04x 05x 0ex 10x 02x 1ex 0ax 0bx 0cx 0dx     07x 06x 09x 08x 03x 01x 05x 04x 10x 0ex 1ex 02x 0bx 0ax 0dx 0cx     08x 09x 06x 07x 04x 05x 01x 03x 02x 1ex 0ex 10x 0cx 0dx 0ax 0bx     09x 08x 07x 06x 05x 04x 03x 01x 1ex 02x 10x 0ex 0dx 0cx 0bx 0ax  M16×16 =   .  0ax 0bx 0cx 0dx 0ex 10x 02x 1ex 01x 03x 04x 05x 06x 07x 08x 09x     0bx 0ax 0dx 0cx 10x 0ex 1ex 02x 03x 01x 05x 04x 07x 06x 09x 08x     0cx 0dx 0ax 0bx 02x 1ex 0ex 10x 04x 05x 01x 03x 08x 09x 06x 07x     0dx 0cx 0bx 0ax 1ex 02x 10x 0ex 05x 04x 03x 01x 09x 08x 07x 06x     0ex 10x 02x 1ex 0ax 0bx 0cx 0dx 06x 07x 08x 09x 01x 03x 04x 05x     10x 0ex 1ex 02x 0bx 0ax 0dx 0cx 07x 06x 09x 08x 03x 01x 05x 04x     02x 1ex 0ex 10x 0cx 0dx 0ax 0bx 08x 09x 06x 07x 04x 05x 01x 03x     1ex 02x 10x 0ex 0dx 0cx 0bx 0ax 09x 08x 07x 06x 05x 04x 03x 01x 

for an ID attack might cover at most three rounds (two for matrices that satisfy all of the following properties: rounds in the top-down direction and one round from the (1) MDS, (2) involutory, (3) 16 × 16, (4) have elements bottom up, or vice-versa), otherwise, there would be no with low Hamming weight, and (5) the highest-order bits contradiction in between E0 and E1, or the differentials in each matrix element are in the least significant bit po- would not hold with certainty. It means that an ID distin- sitions. guisher (using the MITM) can cover at most three rounds The MDS-AES construction shows quite good resis- of MDS-AES (compared to four rounds in AES). More- tance against differential, linear, multiset, collision, im- over, in order to apply this distinguisher in an attack on possible differential and boomerang attacks. Given the 4-round MDS-AES, a full round subkey (128 bits) would attacks in Table 2, we conclude that (1) the resilience of need to be guessed at once (because of the M16×16 ma- MDS-AES is higher than that of the AES; (2) the best trix), making the attack impractical (and not significant attack (meaning higher number of rounds and lowest com- compared, for instance, with a multiset attack). putational resources) on reduced-round MDS-AES seems Concerning a boomerang attack [6], the construction of to be the multiset attack, which is the best known attack truncated differentials for a boomerang distinguisher has on reduced-round AES. the same drawbacks as in the ID attack, namely, any pair Notice that complete diffusion by itself cannot prevent of truncated differentials for a boomerang will have many other attacks such as slide and advanced slide attacks M × active byte differences due to the 16 16 matrix. This [5], nor mod-n attacks [19]; but the key schedule of the phenomenon happens both for differentials going in the AES already avoid round self-similarity which is crucial for top-down and the bottom-up directions, independent of these attacks; we assume that MDS-AES uses the same the initial number of nonzero byte differences. Therefore, key schedule algorithms of AES. Complete diffusion alone boomerang distinguishers for MDS-AES are expected to also does not prevent algebraic attacks [11]; a suggested be much shorter (two or three rounds) than the ones for countermeasure is to use an S-box with a more elaborate the AES (five rounds), and thus not relevant compared to algebraic representation in GF(28), e.g. the S-box of Skip- a multiset attack. jack [25], whose algebraic representation is not as simple Based on the security analysis described previously, at as that of the AES (see Appendix), and which looks ran- least five rounds are recommended for MDS-AES. dom, namely, it does not seem to be derived from the inver- sion mapping in GF(28). Moreover, the Skipjack S-box has 5 Conclusions similar differential and linear profiles as the AES S-box. It is left as an open problem if other 16×16, involutory This paper presented a new 16 × 16 MDS matrix for the MDS matrices can be found with elements having lower AES cipher. This design was called MDS-AES. The new Hamming weight than M16×16, with consequently lower matrix replaces the SR and MC layers altogether, and pro- implementation costs. vides complete diffusion in a single round, thus improving The only drawback of MDS-AES is the performance the overall security, since the branch number of the new penalty due to the larger number of primitive operations matrix is 17, compared to 5 in the AES. Moreover, the (xor, xtime, table look-up, temporary variables) implied involutory nature of the new matrix allows equally fast by the larger number of matrix components, making it diffusion for both the encryption and decryption opera- much slower than the AES. This fact indicates that the tions. The new matrix was found after a heuristic search new design is mostly of theoretical interest. International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 114

∆ ∆ ∆ ∆ ∆∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆∆∆ ∆ ∆ ∆ ∆ 0 K0 K

SSSSSSSSSSSSSSSS SSSSSSSSSSSSSSSS ∆ ∆ ∆ ∆

∆ ∆ ∆ ∆

∆ K1 ∆ 1 K (a) ∆ (b) SSSSSSSSSSSSSSSS SSSSSSSSSSSSSSSS ∆ ∆

K2 ∆ ∆ ∆ ∆ 2 K

∆ ∆ ∆ ∆ SSSSSSSSSSSSSSSS SSSSSSSSSSSSSSSS ∆ ∆ ∆ ∆

∆ ∆ ∆ ∆

K3 ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ 3 K ∆ ∆ ∆∆∆∆∆∆∆∆∆∆∆∆∆∆ ∆∆∆∆∆∆∆∆∆∆∆∆∆∆∆∆ SSSSSSSSSSSSSSSS ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆

∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆

∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆ ∆

Figure 2: (a) Differential trail (dashed line) for AES, and (b) for MDS-AES

Table 2: Comparison of attacks on (reduced-round) AES and MDS-AES

Cipher DC LC Multiset Collision ID Boomerang AES 2150 CP 2150 KP 29 CP ≈ 2128 CP 229.5 CP 239 CPACC (4 rounds) (4 rounds) (4 rounds) (7 rounds) (5 rounds) (5 rounds) MDS-AES 2198 CP 2198 KP 29 CP ineffective ineffective ineffective (3 rounds) (3 rounds) (3 rounds) CP: Chosen-Plaintext; KP: Known-Plaintext.

A topic for further research is the determination of [5] A. Biryukov and D. Wagner, “Slide attacks,” in 6th larger involutory MDS matrices (not of the Cauchy type) Fast Software Encryption Workshop, LNCS 1636, pp. for Rijndael-160, Rijndael-192, and Rijndael-224. We 245-259, Springer-Verlag, 1999. could not derived such matrices because their dimensions [6] A. Biryukov, “Analysis of involutional ciphers: are not powers of 2 (to fit the block size of the latter). Khazad and Anubis,” in 10th Fast Software Encryp- tion Workshop, LNCS 2887, pp. 45-53, Springer- Verlag, 2003. Acknowledgements [7] A. Biryukov, “The Boomerang attack on 5 and 6- round reduced AES,” in Proceedings of AES4 Con- Author funded by FAPESP under contract # 2005/02102- ference, LNCS 3373, pp. 11-15, Springer-Verlag, 9. 2004. [8] J. Bloemer, M. Kalfane, M. Karpinski, R. Karp, M. Luby, and D. Zuckerman, An XOR-based Erasure- References Resilient Coding Scheme, ICSI TR-95-048, Aug. 1995. [9] J. H. Cheon, M. Kim, K. Kim, J. -Y. Lee, and S. W. [1] AES, The Advanced Encryption Standard De- Kang, “Improved impossible differential cryptanaly- velopment Process, 1997. (http://csrc.nist. sis of Rijndael and crypton,” in Proceedings of ICISC gov/encryption/aes/) 2001, LNCS 2288, pp. 39-49, Springer-Verlag, 2001. [2] P. S. L. M. Barreto and V. Rijmen, “The ANUBIS [10] D. Coppersmith, “The data encryption algorithm block cipher,” in 1st NESSIE Workshop, Heverlee, and its strength against attacks,” IBM Journal on Belgium, Nov. 2000. Research and Development, vol. 38, no. 3, pp. 243- [3] P. S. L. M. Barreto and V. Rijmen, “The KHAZAD 250, 1994. legacy-level block cipher,” in 1st NESSIE Workshop, [11] N. T. Courtois and J. Pieprzyk, “Cryptanaly- Heverlee, Belgium, Nov. 2000. sis of block ciphers with overdefined systems of [4] E. Biham and N. Keller, “ of reduced quadratic equations,” in Advances in Cryptology variants of Rijndael,” in 3rd AES Conference, New (Asiacrypt’02), LNCS 2501, pp. 267-287, Springer- York, USA, 2000. Verlag, 2002. International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 115

[12] J. Daemen, L. R. Knudsen, and V. Rijmen, [30] S. Vaudenay, “On the need for multipermutations: “The block cipher SQUARE,” in 4th Fast Soft- Cryptanalysis of MD4 and SAFER,” in 2nd Fast ware Encryption Workshop, LNCS 1267, pp. 149- Software Encryption Workshop, LNCS 1008, pp. 286- 165, Springer-Verlag, 1997. 297, Springer-Verlag, 1995. [13] J. Daemen and V. Rijmen, “AES proposal: Rijn- [31] A. M. Youssef, S. Mister, and S. E. Tavares, “On dael,” in 1st AES Conference, California, USA, 1998. the design of linear transformation for substitution [14] J. Daemen and V. Rijmen, The Design of Rijndael – permutation encryption networks,” in Workshop on AES – The Advanced Encryption Standard, Springer- Selected Areas in Cryptography (SAC’97), pp. 40-48, Verlag, 2002. 1997. [15] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting, “Improved crypt- analysis of Rijndael,” in 7th Fast Software Encryp- Appendix tion Workshop, LNCS 1978, pp. 213-230, Springer- 127 Verlag, 2000. Compared with the expression S[t] = 63x +8fx · t + 191 223 239 247 251 [16] H. Gilbert and M. Minier, “A collision attack on b5x ·t +01x ·t +f4x ·t +25x ·t +f9x ·t +09x · 253 254 seven rounds of Rijndael,” in 3rd AES Conference, t +05x ·t of the AES S-box, the algebraic expression 8 New York, USA, 2000. of Skipjack’s S’-box in GF(2 )=GF(2)[x]/(m(x)) has a 8 [17] P. Junod and S. Vaudenay, “Perfect diffusion prim- more involved representation. For t ∈ GF (2 ): 0 2 3 4 5 itives for block ciphes – Building efficient MDS ma- S [t]= a3x +10x.t + b1x.t +7ax.t + ecx.t + a5x.t + 6 7 8 9 10 11 12 trices,” in Selected Areas in Cryptology (SAC 2004), 8bx.t +67x.t +11x.t +a1x.t +6ex.t +afx.t +0fx.t + 13 14 15 16 17 18 LNCS 3357, pp. 84-99, Springer-Verlag, 2004. 3cx.t + d6x.t + b9x.t +4fx.t + 27x.t +5cx.t + 19 20 21 22 23 24 [18] D. Kahn, The Codebreakers: the Story of Secret 6ax.t +6cx.t +9ax.t +1ex.t + cfx.t +65x.t + 25 26 27 28 29 30 Writing, MacMillan Publishing Company Inc., 1967. 77x.t +86x.t + f5x.t +93x.t + c8x.t +43x.t + 31 32 33 34 35 36 [19] J. Kelsey, B. Schneier, and D. Wagner, “Mod n crypt- 43x.t +39x.t + dbx.t +85x.t +05x.t +36x.t + 37 38 39 40 41 42 analysis, with applications against RC5P and M6,” 98x.t + d9x.t +3bx.t +8ax.t + c4x.t + f9x.t + 43 44 45 46 47 48 in 6th Fast Software Encryption Workshop, LNCS 68x.t +3dx.t + b0x.t + eex.t +0ax.t +74x.t + 49 50 51 52 53 54 1636, pp. 139-155, Springer-Verlag, 1999. 51x.t + c1x.t + d0x.t +76x.t +67x.t +88x.t + 55 56 57 58 59 60 d1x.t +38x.t +13x.t +06x.t + d0x.t + e2x.t + [20] M. Matsui, “Linear cryptanalysis method for DES 61 6 63 64 65 66 4bx.t +65x.t 2+ eax.t +1dx.t +27x.t + d9x.t + cipher,” in Advances in Cryptology (Eurocrypt’93), 67 68 69 70 71 72 5dx.t +39x.t + fbx.t + c9x.t + 13x.t +7cx.t + LNCS 765, pp. 386-397, Springer-Verlag, 1994. 73 74 75 76 77 78 43x.t + a6x.t +5fx.t + ddx.t + d9x.t +41x.t + [21] R. J. McEliece, A Public-Key Cryptosystem Based on 79 80 81 82 83 85 99x.t +67x.t + eex.t +07x.t +90x.t +9dx.t + Algebraic Coding Theory, pp. 42-44, DSN progress 86 87 8 89 90 91 afx.t + 89x.t + cfx.t 8+ c7x.t + dfx.t + f5x.t + report, Jet Propulsion Laboratory, Pasadena, 1978. 92 93 94 95 96 97 ffx.t +1fx.t +78x.t + dax.t +73x.t +1dx.t + [22] F. J. McWilliams and N. J. A. Sloane, The Theory 9 100 101 102 103 104 8bx.t 8+08x.t +e9x.t +84x.t +71x.t +16x.t + of Error Correcting Codes, Amsterdam, The Nether- 105 106 107 108 109 0bx.t + 6bx.t + 07x.t + 92x.t + f4x.t + lands, North Holland, 1977. 110 111 112 113 114 05x.t + 4ex.t + d5x.t + 1fx.t + 29x.t + [23] A. J. Menezes, P. C. v. Oorschot, and S. Vanstone, 115 116 117 118 119 29x.t + 08x.t + 36x.t + dbx.t + 2ex.t + Handbook of Applied Cryptography, CRC Press, 1997. 120 121 122 123 124 a2x.t + 5dx.t + 3dx.t + 72x.t + 36x.t + [24] NIST, Advanced Encryption Standard AES, FIPS 125 126 127 128 129 a5x.t + 60x.t + dax.t + 3cx.t + 28x.t + PUB 197 Federal Information Processing Standard 130 131 132 133 134 55x.t + a0x.t + 36x.t + 1ax.t + 81x.t + Publication 197, U.S. Department of Commerce, 135 136 137 138 139 140 60x.t +5bx.t +bfx.t +0fx.t +40x.t +0ax.t + Nov. 2001. 141 142 143 144 145 146 86x.t +cfx.t +7fx.t +0ax.t +e5x.t +5bx.t + [25] NIST, Skipjack and KEA Specification, version 2.0, 147 148 149 150 151 edx.t + a7x.t + e3x.t + a5x.t + 11x.t + May 1998. 152 153 154 155 156 dax.t + 6bx.t + 10x.t + 92x.t + d9x.t + 157 158 159 160 161 [26] R. C. W. Phan, “Classes of impossible differentials 6ex.t + 7ax.t + dcx.t + 17x.t + 84x.t + 162 163 164 165 166 of advanced encryption standard,” IEE Electronics e7x.t + 62x.t + 9fx.t + d3x.t + 0ex.t + 167 168 169 170 171 Letters, vol. 38, no. 11, pp. 508-510, May 2002. 71x.t + 80x.t + 13x.t + f6x.t + f3x.t + 172 173 174 175 176 [27] R. C. W. Phan and M. U. Siddiqi, “Generalized im- 0dx.t + 77x.t + 37x.t + f6x.t + a7x.t + 177 178 179 180 181 possible differentials of advanced encryption stan- 82x.t + 61x.t + 78x.t + 39x.t + 51x.t + 182 183 184 185 186 dard,” IEE Electronics Letters, vol. 37, no. 14, pp. 3ax.t + 3fx.t + a4x.t + e3x.t + 38x.t + 187 188 189 190 191 896-898, July 2001. 25x.t + 95x.t + 0ex.t + 71x.t + b1x.t + 192 193 194 195 196 197 [28] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers, 44x.t +cex.t +21x.t +c6x.t +96x.t +13x.t + 198 199 200 201 202 and E. D. Win, “The cipher SHARK,” in 3rd Fast d3x.t + 0cx.t + 13x.t + e9x.t + 19x.t + 203 204 205 206 207 Software Encryption Workshop, LNCS 1039, pp. 99- afx.t + 15x.t + fax.t + 15x.t + 4cx.t + 208 209 210 211 212 213 112, Springer-Verlag, 1996. e6x.t +19x.t +98x.t +09x.t +cdx.t +eex.t + 214 215 216 217 218 [29] The Block Cipher Rijndael, 10x.t + 59x.t + 1dx.t + 5bx.t + 6ax.t + 219 220 221 222 223 http://www.iaik.tugraz.at/research/krypto/AES/. 8fx.t + d5x.t + d4x.t + edx.t + cax.t + International Journal of Network Security, Vol.9, No.2, PP.109–116, Sept. 2009 116

224 225 226 227 228 02x.t + fex.t + f7x.t + bex.t + a3x.t + Elcio´ Abrah˜ao graduated as an Agronomic Engineer 229 230 231 232 233 fax.t + 17x.t + d3x.t + 81x.t + a0x.t + from Paulista State University, S˜ao Paulo, Brazil in 1993. 234 235 236 237 238 239 fcx.t +78x.t +6cx.t +bbx.t +9cx.t +abx.t + He further specialized in Informatics at Federal University 240 241 242 243 244 245 5ex.t +08x.t +a2x.t +1bx.t +14x.t +b8x.t + of Lavras, Minas Gerais, Brazil in 1998. He is a teacher at 246 247 248 249 250 78x.t + a4x.t + 34x.t + 4dx.t + 65x.t + Faculdade de Inform´atica Administra¸c˜ao Paulista (FIAP) 251 252 253 254 dax.t + d7x.t +6cx.t + bcx.t . since 2002, as well as a software engineering consultant at Grass Roots Bittime America, Miami, USA. He is cur- rently pursuing an MSc degree in Computer Science at Jorge Nakahara Jr obtained his BSc and MSc degrees Univ. Cat´olica de Santos, in Santos, Brazil. in Computer Science from the Institute of Mathematics and Statistics (IME) of the University of S˜ao Paulo, in S˜ao Paulo, Brazil, in 1989 and 1996. He further obtained a MSc and PhD degrees in Electrical Engineering from the Katholieke Universiteit Leuven, in Leuven, Belgium, in 1998 and 2003. He is currently a member of the Dis- tributed Systems group at the Univ. Cat´olica de Santos, in Santos, Brazil.