Key Schedule Classi cation of the AES

Candidates

G. Carterz E. Dawsony L. Nielseny

y Information Security Research Centre

z Scho ol of Mathematical Sciences

Queensland UniversityofTechnology

GPO Box 2434 Brisbane 4001

Queensland Australia

Abstract

An imp ortant comp onent of iterative, blo ck ciphers is the key schedule.

In most ciphers, a master key of sp eci ed length is manipulated to create

round subkeys. This manipulation is known as the key schedule. A strong

key schedule means a cipher will be more resistant to various forms of

attacks, such as di erential and linear cryptanalysis. In this pap er, the

Advanced Encryption StandardAES candidates are classi ed according

to their key schedules.

1 The Classi cation Schedule

The most powerful metho ds of analysis of iterative blo ck ciphers such as the

Data Encryption StandardDES [4] are attacks which aim to reveal round sub-

keys. These metho ds include di erential [5] and linear cryptanalysis [9].

In [1], the authors intro duced a new classi cation scheme for iterative blo ck

ciphers based on their key schedules. In essence, this scheme creates two cate-

gories of ciphers based on whether or not knowledge of a round subkey generated

by the key schedule reveals any information ab out other round subkeys or the

master key. Those that do, fall into Category 1 and those that do not, fall into

Category 2. Each of these categories is further sub divided into three Typ es, A,

B and C.

A Category 1, Typ e A cipher1A is one in which all bits of the master key

are used in each round, and hence knowledge of a round subkey yields all bits

of the master key and all other round subkeys. The cipher NDS [3] is suchan

example. At the other end of the scale, 2C ciphers are those in which each

round subkey is generated indep endently, and the length of the master key is

the sum of the lengths of all the round subkeys. The cipher DESIDES with

indep endent subkeys [5] is an example.

A 1B cipher is one where knowledge of a round subkey gives some, but not

all bits of the master key or other round subkeys. DES is an example. A 1C

cipher is one in which knowledge of a round subkey yields bits of other round 1

subkeys or the master key after some simple arithmetic op erations or function

inversions. SAFER K-64 [6] is an example.

In Category 2, knowledge of a round subkey do es not easily reveal informa-

tion ab out other round subkeys or the master key. A 2A cipher is one in which

not all bits of the master key are used to create each round subkey. In these

ciphers, certain master keys are guaranteed to pro duce at least two identical

round keys. A cipher such as CAST-128 [7] is an example. In other words, the

entropyof the round subkeys is not maximised. A 2B cipher is one in which

all master key bits are used in the determination of all round subkeys, thus

maximising the entropy of the subkeys. An example is Blow sh [8].

The most secure schedule classi cation is 2C. However, this may lead to un-

manageably large master keys for ciphers whose security cannot hop e to match

what is naively suggested by the key length. Further, exp ort restrictions on

cryptographic materials often limit the size of the key. For these reasons, the

b est we can hop e for is to mimic 2C schedules as closely as p ossible, with the

next strongest classi cation, 2B.

2 Classi cation of AES Candidates

In this section, all the AES candidates are classi ed according to the key sched-

ule classi cation describ ed in the previous section, and the justi cation for their

placement in a certain category presented. Although many of these candidates

p ermit parameter values outside the scop e of the AES standard, the analysis

presented b elow will assume a 128-bit blo ck size and a 128-bit, 192-bit or 256-bit

master key. The analysis of eachofthe AES candidates will assume the 256-

bit master key option and comments will b e made on the other two master key

options only where the master key length has rami cations for the classi cation.

For each of the AES ciphers, an outline of the key schedule will b e presented

and the following two questions p osed.

1. Given know lege of al l the bits of a round subkey, does this reveal any bits of

other round subkeys or the master key?

2. Do al l round subkeys depend on al l bits of the master key?

The answer to the rst question will place the cipher in either Category 1

or 2. The answer to the second question will determine whether the Category

2 ciphers are Typ e A or B. Note that no AES candidate is Category 2, Typ e

C. The results of the classi cation app ear in Table 1. The justi cation for the

classi cation of each cipher according to this scheme is presented b elow. The

description of the AES candidates was obtained from [2].

CAST-256

0 0 0

The 256-bit master key can b e describ ed as eight, 32-bit words, b b


b . By

0 1 7

setting low order bytes to zero, other master key lengths can b e obtained. For

0 0

example, if b and b are set to zero, the master key has length one hundred

6 7

and ninety-two bits.

j 1

is mo di ed as follows: To determine the j 'th round subkey each b

i

j j 1

b = b  f b ;c ;d ; 0  i  7; 1  j  12

j j

i+1mo d 8

i i

where f is one of three functions used in the cipher, and c and d are determin-

j j

j j j

is the . Key k ;k istic constants. The round subkey is, in fact, a key pair k

r m r 2

Type1A Type1B Type1C Type2A Type2B Type2C

MAGENTA CRYPTON DFC CAST-256

DEAL E2

Rijndael FROG

SAFER+ HPC

LOKI97

MARS

RC6

Serp ent

Two sh

Table 1: Classi cation of Key Schedules

concatenation of ve least signi cant bitsLSB of eachofthe mo di ed words

j j j j j j j j

j

b ;b ;b and b while k is the concatenation of mo di ed words b ;b ;b and b .

m

0 2 4 6 7 5 3 1

j j j

j j

Knowing the round subkey key pair k ;k  gives knowledge of words b ;b ;b

r m

7 5 3

j j j j j

and b as well as the ve LSB of eachof b ;b ;b and b . This is not enough

1 0 2 4 6

information to determine the previous round subkey. Hence CAST-256 is a

Typ e 2 cipher. However, it is worth p ointing out, that if the remaining unknown

j j j j

bits of b ;b ;b and b can b e determined, then all previous round subkeys and

0 2 4 6

the master key can b e found.

j j

j j

To generate the subkey pair, k ;k , all words b to b are used. As these

r m

0 7

words are dep endent on all the original master key words, subkey pairs are de-

p endent on all master key words. This leads to the conclusion that CAST-256

is a 2B cipher.

CRYPTON

The master key, if not two hundred and fty-six bits, is prep ended by ze-

ros to make it so. Using a mixture of linear and non-linear transformations,

eight, 32-bit expanded keys, E ;E


;E are pro duced from the original mas-

0 1 7

ter key. All subkeys are two hundred and fty-six bits, the rst and second

3 2 1 0

subkeys resp ectively b eing, K = K ;K ;K ;K  = E ;E ;E ;E  and

0 0 1 2 3

7 6 5 4

K =K ;K ;K ;K =E ;E ;E ;E . Subsequenteven round subkeys are

1 4 5 6 7

8i+11 8i+10 8i+9 8i+8

given by, K = K ;K ;K ;K ; 0  i  5 and odd round

2i+2

8j +15 8j +14 8j +13 8j +12

subkeys are given by K =K ;K ;K ;K ; 0  j  4.

2j +3

Now,

8i+8 8i

K = K  8i; i 2f0; 2; 4g

8i+8 8i

K = RC  K ; i 2f1; 3; 5g

i

8i+9 8i+1

K = RC  K ; i 2f0; 2; 4g

i

8i+9 8i+1 2

K = K  3i 20i + 41; i 2f1; 3; 5g

8i+10 8i+2 2

K = K  3i +10i + 16; i 2f0; 2; 4g

8i+10 8i+2

K = RC  K ; i 2f1; 3; 5g

i

8i+11 8i+3

K = RC  K ; i 2f0; 2; 4g

i

8i+11 8i+3

K = K  4i +4; i 2f1; 3; 5g

8j +12 8j +4

K = RC  K ; j 2f0; 2; 4g

j 3

8j +12 8j +4

K = K  4j +4; j 2f1; 3g

8j +13 8j +5 2

K = K  3j +10j + 16; j 2f0; 2; 4g

8j +13 8j +5

K = RC  K ; j 2f1; 3g

j

8j +14 8j +6

K = RC  K ; j 2f0; 2; 4g

j

8j +14 8j +6

K = K  4j + 12; j 2f1; 3g

8j +15 8j +7 2

K = K  3j 14j + 24; j 2f0; 2; 4g

8j +15 8j +7

K = RC  K ; j 2f1; 3g

j

where RC is a known constant and x  y is a known left shift of x by y bits.

x

8i+11 8i+10 8i+9 8i+8

Knowing even round subkey K ;K ;K ;K  means that the

following can b e shown true by undoing the ab ove equations, as follows.

8i 8i+8

K = K  8i; i 2f0; 2; 4g

8i 8i+8

K = RC  K ; i 2f1; 3; 5g

i

8i+1 8i+9

K = RC  K ; i 2f0; 2; 4g

i

8i+1 8i+9 2

K = K  3i 20i + 41; i 2f1; 3; 5g

8i+2 8i+10 2

K = K  3i +10i + 16; i 2f0; 2; 4g

8i+2 8i+10

K = RC  K ; i 2f1; 3; 5g

i

8i+3 8i+11

K = RC  K ; i 2f0; 2; 4g

i

8i+3 8i+11

K = K  4i +4; i 2f1; 3; 5g

Thus, the previous even round subkey is easily determined. A similar argument

applies to odd round subkeys. It follows that knowing one even/o dd round

subkey enables all previous even/o dd round subkeys to b e determined by sim-

ple arithmetic op erations. It is also worth noting that by using exactly the

same arguments, knowledge of an even/o dd round subkey enables all subse-

quenteven/o dd round subkeys to b e determined. Hence CRYPTON is a 1C

cipher.

DEAL

The key schedule of DEAL is created from two, three or four, 64-bit DES keys,

corresp onding to 128-bit, 192-bit and 256-bit master keys. The 128-bit and 192-

bit master keys are used in six rounds of DEAL, while the 256-bit version uses

eight rounds. In all three cases, the creation of the round subkeys is essentially

identical.

The eight round subkeys are generated from four indep endent master keys,

designated K ;K ;K and K , as follows.

1 2 3 4

RK = DESE K 

1 K 1

RK = DESE K  RK 

2 K 2 1

RK = DESE K  RK 

3 K 3 2

RK = DESE K  RK 

4 K 4 3

RK = DESE K f1g RK 

5 K 1 4

RK = DESE K f2g RK 

6 K 2 5

RK = DESE K f4g RK 

7 K 3 6

RK = DESE K f8g RK 

8 K 4 7 4

Note that fig denotes the representation of i as a 64-bit string and DESE X 

K

represents the encryption of X using DES with key K which is xed and known.

Knowing one value of RK ; i 2f2; 3; 4; 5; 6; 7; 8g do es not immediately yield

i

any bits of other subkeys or the master keys despite the fact that the decryption

DESD RK  can easily b e p erformed since K is known. On the other hand,

K i

knowledge of RK easily yields the master key K , since K = DESD RK .

1 1 1 K 1

Hence RK is muchweaker than the other subkeys and puts DEAL in the 1C

1

classi cation.

Further, RK dep ends only on master key K , RK dep ends only on master

1 1 2

keys K and K , and RK dep ends only on master keys K ;K and K . The

1 2 3 1 2 3

other RK 's dep end on all four master keys. Hence, not all subkeys dep end on

i

all bits of the master key.

If the known key K is replaced by K ;K , K or K then this would elim-

1 2 3 4

inate the weak RK and the cipher would fall into the 2A category. Another

1

alternativewould b e to let K = f K ;K ;K ;K  where f is a one way func-

1 2 3 4

tionOWF and this would put DEAL into the 2B category.

Decorrelated Fast Cipher-DFC

The master key K is initially padded on the right with a 256-bit known constant,

C . The result is then truncated to form padded master key K , so that what

0 C

remains is two hundred and fty-six bits long. This means that if K is one

hundred and twenty-eight bits then only the one hundred and twenty-eight most

signi cant bitsMSB of C are used to form K . Similarly,if K is one hundred

0 C

and ninety-two bits, the sixty-four MSB of C are used. Finally, if K is two

0

hundred and fty-six bits, no bits of C are required.

0

At this p oint, K is divided into eight, 32-bit strings such that K =

C C

8 2 1

. Note that X jY means X concatenated with Y . j


jK jK K

C C C

Now the following are de ned.

1 8

OAP = K jK

1

C C

5 4

OB P = K jK

1

C C

2 7

EAP = K jK

1

C C

6 3

EBP = K jK

1

C C

and for i =2; 3 and 4

i

OAP = OAP  C

i 1

1

i

OB P = OB P  C

i 1

2

i

EAP = EAP  C

i 1

1

i

EBP = EBP  C

i 1

2

i i

where C and C are known constants.

1 2

Now de ne

EF K =F jF jF jF 

1 1 2 3 4

where F = OAP jOB P . Similarly, de ne

i i i

EF K =f jf jf jf 

2 1 2 3 4

where f = EAP jEBP . Now de ne RK = 0 and create round subkeys

i i i 0

RK ; 0  i  8, as follows.

i 5



DFC RK  if i is o dd

i1

EF K 

1

RK =

i

DFC RK  if i is even,

i1

EF K 

2

where DFC X  means encrypt X using key EF K  in the DFC cipher.

i

EF K 

i

Now, knowledge of RK gives no bits of any other round subkeys unless

i

the encryption pro cess can b e reversed. On the other hand, the generation of

RK ; i odd involves only EF K  which in turn involves F ; i 2f1; 2; 3; 4g.Now

i 1 i

1 4 5

F involves only OAP and OB P . These in turn involve only K ; K ; K

i i i

C C C

8

and K , and not all bits of K or indeed K . A similar scenario applies for

C

C

RK ; i even. Thus, not all subkeys dep end on on all bits of the master key.

i

Hence, DFC is a Category 2, Typ e A cipher.

E2

De ne a 64-bit constant C . If the length of the master key, K , is one hundred

and twenty-eight bits, considered as the concatenation of K and K , then pass

1 2

C through a given set of S-b oxes three times to pro duce the 64-bit value K

3

and then a fourth time to pro duce 64-bit K . In this pro cess, the output of

4

the S-b oxes on each pass b ecomes the input for the next pass. If a 192-bit

master key is used, considered as the concatenation of K ; K and K , rep eat

1 2 3

the ab ove pro cess to pro duce K . If a 256-bit master key is in use then C

4

is not pro cessed as ab ove. Let the key resulting from the ab ove pro cedure b e

KA = K jK jK jK . The round subkeys are then formed as follows.

1 2 3 4

Firstly, KA and C are put into a function G used in the cipher such that the

output L ; Z ;C  = GK ;K ;K ;K ;C where L =U ;U ;U ;U ;Z =

0 0 0 1 2 3 4 0 1 2 3 4 0

Y ;Y ;Y ;Y , and C = V , and for i =1; 2; 3; 4

1 2 3 4 0

Y = f K 

i i

U = f U   Y and U = C

i i1 i 0

V = U

4

where f is a function used in the cipher. Note that U ;Y and V are all 64-bit

i i

values.

For i =0; 1;


; 7 de ne

L ; Z ;C  = GY ;C  1

i+1 i+1 i+1 i i

L = l ;l ;l ;l 

i+1 4i 4i+1 4i+2 4i+3

Next i

where l is a 64-bit blo ck.

i

For i =1; 2;


; 31 de ne

0 1 7

l =t ;t ;


;t 

i

i i i

Next i

Each 128-bit subkey is now generated as follows.

For i =0; 1;


; 15,

k = t ;t ;


;t 

i+1

0+i mo d 2 2+i mo d 2 30+i mo d 2

Next i

where means the greatest integer  x.

Knowledge of subkey k , i even, yields only eight bits out of a p ossible fty-

i

six from each of l ; j = 0; 1;


; 15 and hence only sixteen bits out of a

2j +1 6

p ossible two hundred and fty six bits of each L . In any L , only the bits

i i

involved in k are known, and these do not reveal any of the other bits of the

i

L 's involved with other round subkeys. A similar argument applies when k is

i i

known and i is o dd. Further, there is no simple waytoinvert equation 1 which

is required to track back to the master key. Thus, knowledge of a round subkey

yields no bits of other round subkeys or the master key.

An examination of the way L is constructed will show that it dep ends on

1

all master key bits and hence all subsequent L 's dep end on L . Since round

i 1

subkey i dep ends on L , it follows that all round subkeys dep end on L and

i 1

hence on all bits of the master key.

Now L = GZ ;C , that is GY ;Y ;Y ;Y ;U . As well,

1 0 0 1 2 3 4 4

U = f U   f K ; U = f U   f K ; U = f U   f K  and U =

4 3 4 3 2 3 2 1 2 1

f C   f K . Thus, U dep ends on all bits of the master key. Now L =

1 4 1

0 0 0 0 0

U ;U ;U ;U  where U = f U   f Y . Since U dep ends on all bits of the

4 1 4

1 2 3 4 1

0 0 0

master key so do es U and since U dep ends on U , L dep ends on all bits of

1

1

i i1

the master key. All the L 's contribute to the determination of subkey one, so

i

subkey one dep ends on all bits of the master key.

Now L dep ends on Y which in turn dep ends on L ,soL dep ends on

i i1 i1 i

L and hence on L and all bits of the master key. The conclusion is that E2

i1 1

is a 2B cipher.

FROG

The master key, K , in this cipher is essentially hashed to pro duce a 2304-byte

valid internal key, KI V . KI V can be thought of as the concatenation eight,

288-byte round subkeys. Each of these subkeys has three records, and eachof

these records is used in a di erentway to encrypt the plaintext. The hashing

pro cess b egins by concatenating copies of the master key until a 2304-byte array

has b een pro duced. The elements of this array are then XOR'd with a randomly

generated, but known constant. This unformatted arrayis then formatted so

that the resulting array is a preliminary version of the KI V . This formatting

is necessary so that the three records mentioned earlier achieve rapid di usion

and confusion. The formatted array is then encrypted by the FROG algorithm

itself to further the random app earance of the subkeys. This encrypted output

is again formatted to satisfy the reqiurements of the subkey records.

Knowledge of a round subkey do es not reveal any bits of other round subkeys,

since the 288-byte blo cks of KI V which determine each subkey are generated at

the same time and are essentially indep endent. Thus the FROG cipher b elongs

in Category 2, Typ e B.

Hasty Pudding Cipher-HPC

Assuming a 256-bit master key, K , divide it into four, 64-bit words, K ;K ;K

0 1 2

and K . Now construct a 256-element array, KX , each element, a 64-bit word.

3

The rst three elements, KX [0];KX[1] and KX [2] are resp ectively initialised

to known constants c ;c and c . The remaining elements of the array are

0 1 2

constructed as follows.

For i =3; 4;


; 255

KX [i] = KX [i 1]+KX [i 2]  KX [i 3]  23  KX [i 3]  41

Next i,

where x  y and x  y are resp ectively quantity x right shifted/left shifted by 7

y bits. Master key K is nowintro duced into KX as follows.

For i =0; 1;


; 127

KX [i] = KX [i]  K

i mo d 4

Next i

The resulting elements are then stirred as follows.

State variables, s ;j =0; 1;


; 7 are initialised resp ectively to KX [248 + j ]

j

and the following series of steps are p erformed in each of three passes over the

array KX .

For each KX [i];i =0; 1;


; 255

s = KX [i]  KX [i +1 ^ 255] + KX [s ^ 255]

0 0

s = s + s

1 1 0

s = s  s

3 3 2

s = s s

5 5 4

s = s  s

7 7 6

s = s +s SL 13

3 3 0

s = s  s SL 11

4 4 1

s = s  s SL s ^ 31

5 5 3 1

s = s +s SR 17

6 6 2

s = s _ s + s 

7 7 3 4

s = s s

2 2 5

s = s s  i

0 0 6

s = s + c

1 1 0

s = s +s SR j

2 2 7

s = s  s

2 2 1

s = s s

4 4 3

s = s  s

6 6 5

s = s + s

0 0 7

KX [i] = s + s

2 6

64

Note that the op erations + and are p erformed mo dulo 2 , ^ means

logical and, _ is logical or, SR and SL are right and left shifts resp ectively, and

j =0; 1; 2 represents the pass number over the array KX .

Supp ose KX [i] is known. From the last line in the set of steps ab ove, s + s

2 6

is known. However, there is no obvious way to determine either s or s . Even

2 6

if these were known, the nature of the stirring pro cess means that it is not

invertible, so no bits of the master key or other round subkeys can b e obtained

from a knowledge of KX [i].

Now s ;i =0; 1;


; 7 contains two copies of the master key arranged such

i

that any four s values, say s ;s ;s and s , with k 6 l 6 m 6 nmo d 4,

i k l m n

contain all bits of the master key. From the last line of the ab ove series of steps,

KX [i] dep ends on s and s . Tracing back through this series of steps it is easy

2 6

to see that s dep ends on s ;s ;s and s and that s is related to s ;s and

6 5 3 1 0 5 3 1

s . Hence, s dep ends on at least s ;s and s . Thus, KX [i] dep ends at least

4 6 0 1 3 8

on s ;s ;s and s , and since 0 6 1 6 2 6 3mo d 4;KX[i] dep ends on all bits

0 1 2 3

of the master key. Thus, all round subkeys dep end on all bits of the master key.

This puts the HPC cipher in the 2B class.

Because the 'spice' is not necessarily a secret key, it has b een delib erately

omitted from this discussion.

LOKI97

0 0 0 0

The master key, K is initialised into four, 64-bit words, K jK jK jK , as fol-

1 2 3 4

lows.

0 0 0 0

256-bit K = K jK jK jK yields K jK jK jK = K jK jK jK .

1 2 3 4 1 2 3 4

1 2 3 4

0 0 0 0

192-bit K = K jK jK yields K jK jK jK = K jK jK jf K ;K  where

1 2 3 1 2 3 1 2

1 2 3 4

f is a non-linear function used in the encryption pro cess.

0 0 0 0

128-bit K = K jK yields K jK jK jK = K jK jf K ;K jf K ;K .

1 2 1 2 2 1 1 2

1 2 3 4

These initialised keys are then pro cessed as follows to yield forty-eight, 64-bit

round subkeys, SK .

i

For i =1;


; 48

i1 i1 i1 i1

i

K = K  g K ;K ;K  2

i

1

4 1 3 2

i

SK = K

i

1

i1

i

K = K

4

3

i1

i

K = K

3

2

i1

i

K = K

2

1

Next i

Note that g K ;K ;K =f K + K + i; K  where  is a constant and f is

i 1 3 2 1 3 2

a function used in the cipher.

Knowledge of SK do es not reveal any bits of previous or subsequent round

i

subkeys, as these are dep endent on at least other three other unknown subkeys

or initialised master keys. Further, the generation of subkey SK involves all

1

bits of the master key as p er equation 2. Since the generation of subkey SK

i

dep ends on subkey SK ;SK ultimately dep ends on SK and hence on all

i1 i 1

bits of the master key. Thus, LOKI97 is a 2B cipher.

MAGENTA

For a master key, K , of one hundred and twenty-eight bits, this cipher has six

rounds under the control of the master key considered as two, 64-bit blo cks, K

1

and K . In rounds one, two, ve and six of the encryption pro cess, K is used.

2 1

In rounds four and ve, K is used.

2

In the 192-bit version of K = K jK jK , K is used in rounds i and 7 i.

1 2 3 i

In the 256-bit version, K = K jK jK jK , and the cipher has eight rounds

1 2 3 4

with K b eing used in rounds i and 9 i. Clearly, knowledge of a round subkey

i

yields immediately bits of the master key, as in DES. Thus, MAGENTA is a

1B cipher. 9

MARS

In this cipher, forty, 32-bit subkeys are required. An array, A, of forty-seven,

32-bit words is initialised using an n-word master key, k , as follows.

For i = 7; 6;


; 1,

A[i]=S [i +7]

Next i

where S [j ] is the j 'th entry of a xed and known S-b ox.

For i =1; 2;


; 38,

A[i]=A[i 7]  A[i 2]  3  k [i mo d n]  i

Next i

A[39] = n

This initialised array is further stirred as follows.

For j =1; 2;


; 7

For i =1; 2;


; 39

j j 1 j 1

A [i]=A [i]+S [A [i 1]]  9

9

Next i

j j 1 j

A [0] = A [0] + S [A [39]]  9

9

Next j

Note that S [x] is the S-b oxentry indexed by the nine LSB of x. The subkeys

9

are then created as follows.

For i =0; 1; 2;


; 39

A[i] b ecomes subkey K [7i mo d 40]

Next i

Consider now the case of n = 8, that is a 256-bit master key. In the initial-

ization of array A, A[i] dep ends on arraywords A[i 7] and A[i 2] as well as

master key word k [i mo d 8]. A careful analysis shows that not until the creation

of A[13] are the elements of array A dep endent on all eightwords of the master

key. Subsequent elements, with the exception of A[39], are also dep endent on

all master key words. A[39] do es not dep end on any bits of the master key at

all.

[

7 6 6

Now supp ose an attacker knows K [i]= A [j ]=A [j ]  S A [j 1]] 

9

7

9; for some j . There exists keys K [h] and K [g ] such that K [h]= A [j 1] =

6

7 6 6

[A[j 2]]  9 for some j , and K [g ]= A [j +1]= A [j + A [j 1]  S

9

[

6 6

A [j ]]  9 for some j . Knowledge of K [i] do es not reveal A [j ]or 1]  S

9

6

S [A [j 1]] which are comp onents of K [h] and K [g ]. Neither do es it reveal

9

7 6

any information on A [j 1] or A [j + 1], the other comp onents of K [h] and

K [g ] resp ectively. Similarly, knowledge of K [i] do es not reveal any information

ab out the master key.

The 7-round stirring pro cess esentially combines successiveentries in array A

7 1

to create a new array A . After the rst round of stirring, only elements T [1]

1

through to T [6] inclusive do not dep end on all bits of the master key. In each

2 3 4 5 6

of the remaining six rounds of stirring, T [1];T [2];T [3];T [4];T [5] and

7

T [6] successively come to dep end on all master key bits. Hence, all subkeys

dep end on all bits of the master key. Thus, MARS is a 2B cipher.

RC6

This cipher has a precursor named RC5 [? ]. The key schedule of RC6 is identical

to that of RC5 with the exception that a total of 2r + 4 subkeys are required

for RC6 while RC5 requires only 2r + 2 subkeysr is the numb er of rounds of 10

the cipher. The prop osed numb er of rounds of RC6 is twenty, so the number

of subkeys required is forty-four. The subkeys are generated as follows.

From a master key of sixteen, twenty-four or thirty-twobytes, an array L

of four, six or eight, 32-bit words is constructed. A second array S of forty-

four, 32-bit words is initialised by known constants. The following lo op is then

executed one hundred and thirty-two times3  44, after the variables i; j; A

and B are initialised to zero.

For s = 1 to 132

S [i]= S [i]+A + B   3

A = S [i]

L[j ]= L[j ]+A + B   A + B 

B = L[j ]

i i + 1mo d 44

j j + 1mo d c

Next s

Note that c =4; 6 or 8 when the master key used is 128-bit, 192-bit or 256-bit

resp ectively.

3 2

Supp ose now that round key S [i]=S [i]+A + B   3isknown. From this

knowledge, it is not p ossible to determine any of the quantities that are involved

3

in the calculation of S [i]. Even if these quantities were known, it would not

3 3

b e p ossible to determine, from a knowledge of these, S [i +1]or S [i 1], as

3

the quantities which form these are related to those of S [i]inavery dicult

to invert way. Hence, knowledge of a round subkey do es not yield any bits of

any other round subkey or the master key.

Further, eachentry in the array S is up dated three times in the ab ove lo op.

1 1

At the end of the rst up date, call it S , corresp onding to s = 44;S [0] to

1 1

S [7] inclusive are the only elements of array S that are not dep endentonall

elements of the array L, that is, all elements of the master key. By the end of

2

the second pass, all elements of S are dep endent on all elements of the master

key. It follows that RC6 is a 2B cipher.

Rijndael

This cipher stores its master key, K , in a4 i arrayof bytes, where i =4; 6

or 8 when K is a 128-bit, 192-bit or 256-bit key resp ectively. Given that the

AES standard supp orts a 128-bit blo ck size, the numb er of subkeys required is

128

 r + 1, where r is the numb er of rounds. For a 128-bit master key, r = 10,

4

for a 192-bit master key, r = 12 and for a 256-bit master key, r = 14.

An expanded key, K , is formed from the 256-bit master key array, A ; 0 

e x;y

x  3; 0  y  7 as follows. Note that elements of array A are bytes.

An array, W , with 4  14 + 1= 60 elements is constructed by setting

W [t]; t = 0; 1;


; 7 to be successively equal to the four bytes of the master

key, A ;A ;A ;A . Subsequent elements of array W are constructed by

0;t 1;t 2;t 3;t

the recursive relationship:

For j =8;j < 60 and j incremented by8

W [j ]=W [j 8]  f W [j 1]  g c 

j

For l =1; 2 and 3

W [l + j ]=W [l + j 8]  W [l + j 1]

Next l

W [j +4]= W [j 4]  hW [j + 3]

For l =5; 6 and 7 11

W [l + j ]=W [l + j 8]  W [l + j 1]

Next l

The functions f; g and h are functions asso ciated with encryption and de-

cryption and c is a deterministic constant.

j

For x =0; 1; 2;


; 14, round subkey x is given arrayentries W [8x] through

to W [8x + 7].

Now supp ose that round subkey KS is known. It follows that W [8x];W[8x+

x

1];


;W[8x + 7] are known. Subkey KS consists of array elements W [8x +

x+1

8];W[8x +9];


;W[8x + 15]. Now

W [8x +8]= W [8x]  f W [8x +7] g c  3

x

All of the quantities on the right hand side of equation 3 are known since they

are from the known subkey x or are constants. Hence W [8x +8] is known.

Since W [8x + p];p =9; 10;


; 15 dep ends in a simple wayon W [8x + p 1] and

W [8x + p 8] whichisknown from round subkey RK , calculating W [8x + p]

x

is easy. Hence, knowing subkey RK enables subkey RK to be easily de-

x x+1

termined. In fact, knowing subkey RK enables all subsequent subkeys to b e

x

determined. The conclusion is that the 256-bit master key version of the cipher

Rijndael is 1C.

SAFER+

For 128-bit, 192-bit and 256-bit master keys K , the resp ectivenumb er of rounds

in the cipher is eight, twelve and sixteen. The number of subkeys required is

resp ectively seventeen, twenty- ve and thirty-three. An analysis of the case

when a 256-bit master key will b e presented.

Firstly, thirty-three, 16-byte bias words, B , are created as follows.

i

For i =0; 1;


; 15

17i+j +18

j

45 mo d 257

B 45 mo d 257 4

i

Next i,

j

where B is the j 'th byte of bias word B and j =0; 1;


; 15. If the value of

i

i

j j

B , calculated in equation 4, is 256, then B is set to zero. The remaining bias

i i

words B to B inclusive are calculated as follows.

17 32

For i =17; 18;


; 32

j

17i+j +18

B 45 mo d 257

i

Next i

Note that B is a dummy and is not used at all.

0

A 33-byte word, K , is initialised by concatenating the thirty-twobytes of

e

the master key K and the byte formed by the XOR sum of the corresp onding

bits of the thirty-twobytes of the master key. This last byte is known as the

parity byte. The bytes of K will b e denoted by b ;b ;


;b ;b . Round i uses

e 0 1 31 32

two, 16-byte subkeys, K and K . The round one subkey, K , is calculated as

i i+1 0

follows.

K = b jb j


jb :

0 0 1 15 12

j

The concatenation of x through to x will b e written as C x . Hence

i j k

k =i

15

K = C b . Subsequent subkeys are generated as follows.

0 k

k =0

For i =1; 2;


; 32

For j =0; 1;


; 32

b = b  3

j j

Next j

k imod33 i+15 mo d 33

b + B  mo d 256 K = C

k i

i

k =i

Next i.

Now supp ose round subkey, K , is known. Hence,

i

k imod33 i+15 mo d 33

b + B mo d 256 C

k

i

k =i

is known. Since all the biases B are predetermined constants, b is simply

i k

k imod33 k imod33

calculated as K B mo d 256. Thus, bytes b to

i

i i

b are known. Right shifting each of these bytes by three bits, yields

i+15 mo d 33

fteen of the sixteen bytes used in in the calculation of K . Left shifting

i1

these known bytes by three bits will yield fteen of the sixteen bytes used in the

calculation of K . Thus, fteen bytes of subkeys K and K are easily

i+1 i1 i+1

determined. In fact, if the known bytes of K are right shifted by an amount

i

3i, then either fteen or sixteen bytes of the master key will b e known. Sixteen

will b e known if b is not one of the sixteen known bytes of K . On the other

33 i

hand, if b is one of the known bytes of K , then fteen bytes of the master key

33 i

can b e determined. Hence SAFER+ with a 256-bit master key is a 1C cipher.

Serp ent

This cipher requires thirty-three, 128-bit, round subkeys, and these are created

from one hundred and thirty-two, 32-bit, interim words which are generated

from the master key, K . If the master key is not twohundred and fty-six bits

in length, it is padded until it is. This padded master key, K , can b e thought

p

of as eight, 32-bit words lab elled W ;W ;


;W . The one hundred and

8 7 1

thirty-two, interim words are calculated as follows.

For i =0; 1;


; 131

W = W  W  W  W    i  11 5

i i8 i5 i3 i1

Next i,

where  is a known constant.

Now supp ose that subkey, K , is known.

i

Hence X = W ;W ;W ;W  is known. Each comp onent of X is

4i 4i+1 4i+2 4i+3

essentially the XOR sum of three previously calculated W values. The removal

j

of the constants  and i from the calculation is trivialsee equation 5. Thus,

each comp onent on its own do es not reveal any information ab out any other

W 's and hence do es not reveal any information ab out other round subkeys.

j

Further, the XOR linear combination of anynumb er of the comp onents of X ,

do es not isolate any single W value used in another round subkey. Hence,

j

knowledge of a round subkey do es not reveal any bits of other round subkeys

or the master key.

Now, round i subkey, K , is the concatenation of k ;k ;k ;k ,

i 4i 4i+1 4i+2 4i+3

where

k ;k ;k ;k  = S W ;W ;W ;W  6

4i 4i+1 4i+2 4i+3 4i 4i+1 4i+2 4i+3

3imod7 13

and S is an S-b ox of the cipher. From equation 6, the round i subkey, K , de-

x i

p ends on W ;W ;W ;W . From equation 5 the following three state-

4i 4i+1 4i+2 4i+3

ments are true.

1. W dep ends on key words W ;W ;W and W .

0 8 5 3 1

2. W dep ends on key words W ;W ;W and W and since the dep enden-

1 7 4 2 0

cies of W are known from 1, W dep ends on W ;W ;W ;W ;W ;W

0 1 8 7 5 4 3 2

and W .

1

3. W dep ends on key words W ;W ;W and W and since the dep endencies

2 6 3 1 1

of W are known from 2, W dep ends on W ;W ;W ;W ;W ;W ;W

1 2 8 7 6 5 4 3 2

and W , that is all bits of the master key.

1

Since from equation 5, W dep ends on key word W ; for i > 2;W will

i i1 i

ultimely dep end on W and hence on all bits of the master key. Since every

2

subkey K is dep endentonaW ;i > 2, all subkeys are dep endent on all bits of

i i

the master key. This analysis classes Serp ent as 2B.

Two sh

Two sh employs sixteen rounds with two, 32-bit subkeys in each round. Eight

other subkeys are required. Four are added to the plaintext b efore encryption

and the other four are added to the output of the last round of encryption.

Thus, forty round subkeys are required. As in previous ciphers, the case of a

256-bit master key will b e examined in detail.

Master key K is split into eight, 32-bit words, K ;K ;


;K where K =

0 1 7 i

m jm jm jm and m is the j 'th byte of K . Let M = K jK jK jK ,

4i+3 4i+2 4i+1 4i j e 0 2 4 6

the concatenation of the even index K 's, and M = K jK jK jK , the con-

j o 1 3 5 7

catenation of the o dd index K 's. De ne constants A and B as follows.

j i i

A = h2i; M 

i e

B = RO Lh2i +1; M ; 8

i o

Note that  is a de ned constant, h is a function used in the cipher and

RO Lx; y  means rotate left, the quantity x,by y bits.

i

The forty, round subkeys, K , are created as follows.

For i =0; 1;


; 19

2i 32

K = A + B mo d 2  7

i i

2i+1 32

K = RO LA +2B mo d 2 ; 9 8

i i

Next i

j

Supp ose K is known. From equations 7 and 8, there is no obvious wayto

determine A and B and hence M and M , which are required, if other round

i i e o

j

subkeys are to b e found from a knowledge of K . Thus, knowledge of a round

subkey do es not enable bits of other round subkeys or the master key to be

determined.

Clearly, each round subkey is a function of A and B which resp ectively are

i i

functions of M and M . M and M encompass all bits of the master key,so

e o e o

it follows likewise for A and B . Hence, all round subkeys dep end on all bits of

i i

the master key. It is now p ossible to classify Two sh as a 2B cipher.

2i 2i+1

However, it is worth noting that if two successive subkeys, K and K

32 2i 2i+1

are known, subtractingmo d 2  K from RO RK ; 9 will give B . From

i 14

this, A can b e determined from equation 8. With A and B now known, it is

i i i

p ossible to invert the function h and hence determine M and M which com-

e o

prise the master key.

3 Conclusion and Future Research

This pap er is in resp onse to calls by NIST for the analysis of the strengths and

weaknesses of the AES candidates. It concentrates solely on the key schedules

and makes no comment on the strengths and weaknesses of the algorithms or

other asp ects of the ciphers. The ma jority of candidates fall into the 2B, key

schedule classi cation and these exhibit stronger key schedules than those that

do not. For those in the other classi cations, it is recommended that they b e

upgraded to the 2B category. In some cases, this is easily achieved as explained

in the DEAL cipher. For the others, the natural extension of this pap er is to

upgrade them to the 2B class, and this is planned.

References

[1] Carter G., Dawson E., Nielsen L., Key Schedules of Iterative Block Ciphers,

Information Security and Privacy ACISP'98, LCNS 1438, pp. 80-89, 1998.

[2] Candidate Algorithms,http://www.nist.gov/aes.

[3] Beker H., Pip er F. Cipher systems: the protection of communications, North-

wo o d Bo oks, London, 1982.

[4] National Bureau of Standards, Data Encryption Standard, US Department

of Commerce, FIPS publication 46, 1977.

[5] Biham E., Shamir A. Di erential Cryptanalysis of DES-like cryptosystems,

Advances in Cryptology-Crypto'90, LNCS 537, pp 2-21, Springer, 1991.

[6] Massey J., SAFER K-64: a byte-oriented block ciphering algorithm, Fast

Software Encryption, LNCS 809, Springer-Verlag, 1994, pp 1-17.

[7] Adams C.M., Constructing Symmetric Ciphers Using the CAST Design Pro-

cedure, Designs, Co des and Cryptography,Vol. 12, No. 3, Nov. 1997.

[8] Schneier B., Description of a new variable-length key, 64-bit block ci-

pherBlow sh,Fast Software Encryption, LNCS 809, Springer-Verlag, 1993,

pp. 191-204.

[9] Matsui M., Linear cryptanalysis method for DES cipher, Advances in Cryp-

tology, Euro crypt'93, LNCS 765, Springer-Verlag, 1994, pp. 386-397.

[10] Rivest R., The RC5 encryption algorithm,Fast Software Encryption, LNCS

1008, Springer-Verlag, 1995, pp. 86-96. 15