Key Schedule Classi cation of the AES
Candidates
G. Carterz E. Dawsony L. Nielseny
y Information Security Research Centre
z Scho ol of Mathematical Sciences
Queensland UniversityofTechnology
GPO Box 2434 Brisbane 4001
Queensland Australia
Abstract
An imp ortant comp onent of iterative, blo ck ciphers is the key schedule.
In most ciphers, a master key of sp eci ed length is manipulated to create
round subkeys. This manipulation is known as the key schedule. A strong
key schedule means a cipher will be more resistant to various forms of
attacks, such as di erential and linear cryptanalysis. In this pap er, the
Advanced Encryption StandardAES candidates are classi ed according
to their key schedules.
1 The Classi cation Schedule
The most powerful metho ds of analysis of iterative blo ck ciphers such as the
Data Encryption StandardDES [4] are attacks which aim to reveal round sub-
keys. These metho ds include di erential [5] and linear cryptanalysis [9].
In [1], the authors intro duced a new classi cation scheme for iterative blo ck
ciphers based on their key schedules. In essence, this scheme creates two cate-
gories of ciphers based on whether or not knowledge of a round subkey generated
by the key schedule reveals any information ab out other round subkeys or the
master key. Those that do, fall into Category 1 and those that do not, fall into
Category 2. Each of these categories is further sub divided into three Typ es, A,
B and C.
A Category 1, Typ e A cipher1A is one in which all bits of the master key
are used in each round, and hence knowledge of a round subkey yields all bits
of the master key and all other round subkeys. The cipher NDS [3] is suchan
example. At the other end of the scale, 2C ciphers are those in which each
round subkey is generated indep endently, and the length of the master key is
the sum of the lengths of all the round subkeys. The cipher DESIDES with
indep endent subkeys [5] is an example.
A 1B cipher is one where knowledge of a round subkey gives some, but not
all bits of the master key or other round subkeys. DES is an example. A 1C
cipher is one in which knowledge of a round subkey yields bits of other round 1
subkeys or the master key after some simple arithmetic op erations or function
inversions. SAFER K-64 [6] is an example.
In Category 2, knowledge of a round subkey do es not easily reveal informa-
tion ab out other round subkeys or the master key. A 2A cipher is one in which
not all bits of the master key are used to create each round subkey. In these
ciphers, certain master keys are guaranteed to pro duce at least two identical
round keys. A cipher such as CAST-128 [7] is an example. In other words, the
entropyof the round subkeys is not maximised. A 2B cipher is one in which
all master key bits are used in the determination of all round subkeys, thus
maximising the entropy of the subkeys. An example is Blow sh [8].
The most secure schedule classi cation is 2C. However, this may lead to un-
manageably large master keys for ciphers whose security cannot hop e to match
what is naively suggested by the key length. Further, exp ort restrictions on
cryptographic materials often limit the size of the key. For these reasons, the
b est we can hop e for is to mimic 2C schedules as closely as p ossible, with the
next strongest classi cation, 2B.
2 Classi cation of AES Candidates
In this section, all the AES candidates are classi ed according to the key sched-
ule classi cation describ ed in the previous section, and the justi cation for their
placement in a certain category presented. Although many of these candidates
p ermit parameter values outside the scop e of the AES standard, the analysis
presented b elow will assume a 128-bit blo ck size and a 128-bit, 192-bit or 256-bit
master key. The analysis of eachofthe AES candidates will assume the 256-
bit master key option and comments will b e made on the other two master key
options only where the master key length has rami cations for the classi cation.
For each of the AES ciphers, an outline of the key schedule will b e presented
and the following two questions p osed.
1. Given know lege of al l the bits of a round subkey, does this reveal any bits of
other round subkeys or the master key?
2. Do al l round subkeys depend on al l bits of the master key?
The answer to the rst question will place the cipher in either Category 1
or 2. The answer to the second question will determine whether the Category
2 ciphers are Typ e A or B. Note that no AES candidate is Category 2, Typ e
C. The results of the classi cation app ear in Table 1. The justi cation for the
classi cation of each cipher according to this scheme is presented b elow. The
description of the AES candidates was obtained from [2].
CAST-256
0 0 0
The 256-bit master key can b e describ ed as eight, 32-bit words, b b b . By
0 1 7
setting low order bytes to zero, other master key lengths can b e obtained. For
0 0
example, if b and b are set to zero, the master key has length one hundred
6 7
and ninety-two bits.
j 1
is mo di ed as follows: To determine the j 'th round subkey each b
i
j j 1
b = b f b ;c ;d ; 0 i 7; 1 j 12
j j
i+1mo d 8
i i
where f is one of three functions used in the cipher, and c and d are determin-
j j
j j j
is the . Key k ;k istic constants. The round subkey is, in fact, a key pair k
r m r 2
Type1A Type1B Type1C Type2A Type2B Type2C
MAGENTA CRYPTON DFC CAST-256
DEAL E2
Rijndael FROG
SAFER+ HPC
LOKI97
MARS
RC6
Serp ent
Two sh
Table 1: Classi cation of Key Schedules
concatenation of ve least signi cant bitsLSB of eachofthe mo di ed words
j j j j j j j j
j
b ;b ;b and b while k is the concatenation of mo di ed words b ;b ;b and b .
m
0 2 4 6 7 5 3 1
j j j
j j
Knowing the round subkey key pair k ;k gives knowledge of words b ;b ;b
r m
7 5 3
j j j j j
and b as well as the ve LSB of eachof b ;b ;b and b . This is not enough
1 0 2 4 6
information to determine the previous round subkey. Hence CAST-256 is a
Typ e 2 cipher. However, it is worth p ointing out, that if the remaining unknown
j j j j
bits of b ;b ;b and b can b e determined, then all previous round subkeys and
0 2 4 6
the master key can b e found.
j j
j j
To generate the subkey pair, k ;k , all words b to b are used. As these
r m
0 7
words are dep endent on all the original master key words, subkey pairs are de-
p endent on all master key words. This leads to the conclusion that CAST-256
is a 2B cipher.
CRYPTON
The master key, if not two hundred and fty-six bits, is prep ended by ze-
ros to make it so. Using a mixture of linear and non-linear transformations,
eight, 32-bit expanded keys, E ;E ;E are pro duced from the original mas-
0 1 7
ter key. All subkeys are two hundred and fty-six bits, the rst and second
3 2 1 0
subkeys resp ectively b eing, K = K ;K ;K ;K = E ;E ;E ;E and
0 0 1 2 3
7 6 5 4
K =K ;K ;K ;K =E ;E ;E ;E . Subsequenteven round subkeys are
1 4 5 6 7
8i+11 8i+10 8i+9 8i+8
given by, K = K ;K ;K ;K ; 0 i 5 and odd round
2i+2
8j +15 8j +14 8j +13 8j +12
subkeys are given by K =K ;K ;K ;K ; 0 j 4.
2j +3
Now,
8i+8 8i
K = K 8i; i 2f0; 2; 4g
8i+8 8i
K = RC K ; i 2f1; 3; 5g
i
8i+9 8i+1
K = RC K ; i 2f0; 2; 4g
i
8i+9 8i+1 2
K = K 3i 20i + 41; i 2f1; 3; 5g
8i+10 8i+2 2
K = K 3i +10i + 16; i 2f0; 2; 4g
8i+10 8i+2
K = RC K ; i 2f1; 3; 5g
i
8i+11 8i+3
K = RC K ; i 2f0; 2; 4g
i
8i+11 8i+3
K = K 4i +4; i 2f1; 3; 5g
8j +12 8j +4
K = RC K ; j 2f0; 2; 4g
j 3
8j +12 8j +4
K = K 4j +4; j 2f1; 3g
8j +13 8j +5 2
K = K 3j +10j + 16; j 2f0; 2; 4g
8j +13 8j +5
K = RC K ; j 2f1; 3g
j
8j +14 8j +6
K = RC K ; j 2f0; 2; 4g
j
8j +14 8j +6
K = K 4j + 12; j 2f1; 3g
8j +15 8j +7 2
K = K 3j 14j + 24; j 2f0; 2; 4g
8j +15 8j +7
K = RC K ; j 2f1; 3g
j
where RC is a known constant and x y is a known left shift of x by y bits.
x
8i+11 8i+10 8i+9 8i+8
Knowing even round subkey K ;K ;K ;K means that the
following can b e shown true by undoing the ab ove equations, as follows.
8i 8i+8
K = K 8i; i 2f0; 2; 4g
8i 8i+8
K = RC K ; i 2f1; 3; 5g
i
8i+1 8i+9
K = RC K ; i 2f0; 2; 4g
i
8i+1 8i+9 2
K = K 3i 20i + 41; i 2f1; 3; 5g
8i+2 8i+10 2
K = K 3i +10i + 16; i 2f0; 2; 4g
8i+2 8i+10
K = RC K ; i 2f1; 3; 5g
i
8i+3 8i+11
K = RC K ; i 2f0; 2; 4g
i
8i+3 8i+11
K = K 4i +4; i 2f1; 3; 5g
Thus, the previous even round subkey is easily determined. A similar argument
applies to odd round subkeys. It follows that knowing one even/o dd round
subkey enables all previous even/o dd round subkeys to b e determined by sim-
ple arithmetic op erations. It is also worth noting that by using exactly the
same arguments, knowledge of an even/o dd round subkey enables all subse-
quenteven/o dd round subkeys to b e determined. Hence CRYPTON is a 1C
cipher.
DEAL
The key schedule of DEAL is created from two, three or four, 64-bit DES keys,
corresp onding to 128-bit, 192-bit and 256-bit master keys. The 128-bit and 192-
bit master keys are used in six rounds of DEAL, while the 256-bit version uses
eight rounds. In all three cases, the creation of the round subkeys is essentially
identical.
The eight round subkeys are generated from four indep endent master keys,
designated K ;K ;K and K , as follows.
1 2 3 4
RK = DESE K
1 K 1
RK = DESE K RK
2 K 2 1
RK = DESE K RK
3 K 3 2
RK = DESE K RK
4 K 4 3
RK = DESE K f1g RK
5 K 1 4
RK = DESE K f2g RK
6 K 2 5
RK = DESE K f4g RK
7 K 3 6
RK = DESE K f8g RK
8 K 4 7 4
Note that fig denotes the representation of i as a 64-bit string and DESE X
K
represents the encryption of X using DES with key K which is xed and known.
Knowing one value of RK ; i 2f2; 3; 4; 5; 6; 7; 8g do es not immediately yield
i
any bits of other subkeys or the master keys despite the fact that the decryption
DESD RK can easily b e p erformed since K is known. On the other hand,
K i
knowledge of RK easily yields the master key K , since K = DESD RK .
1 1 1 K 1
Hence RK is muchweaker than the other subkeys and puts DEAL in the 1C
1
classi cation.
Further, RK dep ends only on master key K , RK dep ends only on master
1 1 2
keys K and K , and RK dep ends only on master keys K ;K and K . The
1 2 3 1 2 3
other RK 's dep end on all four master keys. Hence, not all subkeys dep end on
i
all bits of the master key.
If the known key K is replaced by K ;K , K or K then this would elim-
1 2 3 4
inate the weak RK and the cipher would fall into the 2A category. Another
1
alternativewould b e to let K = f K ;K ;K ;K where f is a one way func-
1 2 3 4
tionOWF and this would put DEAL into the 2B category.
Decorrelated Fast Cipher-DFC
The master key K is initially padded on the right with a 256-bit known constant,
C . The result is then truncated to form padded master key K , so that what
0 C
remains is two hundred and fty-six bits long. This means that if K is one
hundred and twenty-eight bits then only the one hundred and twenty-eight most
signi cant bitsMSB of C are used to form K . Similarly,if K is one hundred
0 C
and ninety-two bits, the sixty-four MSB of C are used. Finally, if K is two
0
hundred and fty-six bits, no bits of C are required.
0
At this p oint, K is divided into eight, 32-bit strings such that K =
C C
8 2 1
. Note that X jY means X concatenated with Y . jjK jK K
C C C
Now the following are de ned.
1 8
OAP = K jK
1
C C
5 4
OB P = K jK
1
C C
2 7
EAP = K jK
1
C C
6 3
EBP = K jK
1
C C
and for i =2; 3 and 4
i
OAP = OAP C
i 1
1
i
OB P = OB P C
i 1
2
i
EAP = EAP C
i 1
1
i
EBP = EBP C
i 1
2
i i
where C and C are known constants.
1 2
Now de ne
EF K =F jF jF jF
1 1 2 3 4
where F = OAP jOB P . Similarly, de ne
i i i
EF K =f jf jf jf
2 1 2 3 4
where f = EAP jEBP . Now de ne RK = 0 and create round subkeys
i i i 0
RK ; 0 i 8, as follows.
i 5
DFC RK if i is o dd
i 1
EF K
1
RK =
i
DFC RK if i is even,
i 1
EF K
2
where DFC X means encrypt X using key EF K in the DFC cipher.
i
EF K
i
Now, knowledge of RK gives no bits of any other round subkeys unless
i
the encryption pro cess can b e reversed. On the other hand, the generation of
RK ; i odd involves only EF K which in turn involves F ; i 2f1; 2; 3; 4g.Now
i 1 i
1 4 5
F involves only OAP and OB P . These in turn involve only K ; K ; K
i i i
C C C
8
and K , and not all bits of K or indeed K . A similar scenario applies for
C
C
RK ; i even. Thus, not all subkeys dep end on on all bits of the master key.
i
Hence, DFC is a Category 2, Typ e A cipher.
E2
De ne a 64-bit constant C . If the length of the master key, K , is one hundred
and twenty-eight bits, considered as the concatenation of K and K , then pass
1 2
C through a given set of S-b oxes three times to pro duce the 64-bit value K
3
and then a fourth time to pro duce 64-bit K . In this pro cess, the output of
4
the S-b oxes on each pass b ecomes the input for the next pass. If a 192-bit
master key is used, considered as the concatenation of K ; K and K , rep eat
1 2 3
the ab ove pro cess to pro duce K . If a 256-bit master key is in use then C
4
is not pro cessed as ab ove. Let the key resulting from the ab ove pro cedure b e
KA = K jK jK jK . The round subkeys are then formed as follows.
1 2 3 4
Firstly, KA and C are put into a function G used in the cipher such that the
output L ; Z ;C = GK ;K ;K ;K ;C where L =U ;U ;U ;U ;Z =
0 0 0 1 2 3 4 0 1 2 3 4 0
Y ;Y ;Y ;Y , and C = V , and for i =1; 2; 3; 4
1 2 3 4 0
Y = f K
i i
U = f U Y and U = C
i i 1 i 0
V = U
4
where f is a function used in the cipher. Note that U ;Y and V are all 64-bit
i i
values.
For i =0; 1; ; 7 de ne
L ; Z ;C = GY ;C 1
i+1 i+1 i+1 i i
L = l ;l ;l ;l
i+1 4i 4i+1 4i+2 4i+3
Next i
where l is a 64-bit blo ck.
i
For i =1; 2; ; 31 de ne
0 1 7
l =t ;t ; ;t
i
i i i
Next i
Each 128-bit subkey is now generated as follows.
For i =0; 1; ; 15,
k = t ;t ; ;t
i+1
0+i mo d 2 2+i mo d 2 30+i mo d 2
Next i
where
Knowledge of subkey k , i even, yields only eight bits out of a p ossible fty-
i
six from each of l ; j = 0; 1; ; 15 and hence only sixteen bits out of a
2j +1 6
p ossible two hundred and fty six bits of each L . In any L , only the bits
i i
involved in k are known, and these do not reveal any of the other bits of the
i
L 's involved with other round subkeys. A similar argument applies when k is
i i
known and i is o dd. Further, there is no simple waytoinvert equation 1 which
is required to track back to the master key. Thus, knowledge of a round subkey
yields no bits of other round subkeys or the master key.
An examination of the way L is constructed will show that it dep ends on
1
all master key bits and hence all subsequent L 's dep end on L . Since round
i 1
subkey i dep ends on L , it follows that all round subkeys dep end on L and
i 1
hence on all bits of the master key.
Now L = GZ ;C , that is GY ;Y ;Y ;Y ;U . As well,
1 0 0 1 2 3 4 4
U = f U f K ; U = f U f K ; U = f U f K and U =
4 3 4 3 2 3 2 1 2 1
f C f K . Thus, U dep ends on all bits of the master key. Now L =
1 4 1
0 0 0 0 0
U ;U ;U ;U where U = f U f Y . Since U dep ends on all bits of the
4 1 4
1 2 3 4 1
0 0 0
master key so do es U and since U dep ends on U , L dep ends on all bits of
1
1
i i 1
the master key. All the L 's contribute to the determination of subkey one, so
i
subkey one dep ends on all bits of the master key.
Now L dep ends on Y which in turn dep ends on L ,soL dep ends on
i i 1 i 1 i
L and hence on L and all bits of the master key. The conclusion is that E2
i 1 1
is a 2B cipher.
FROG
The master key, K , in this cipher is essentially hashed to pro duce a 2304-byte
valid internal key, KI V . KI V can be thought of as the concatenation eight,
288-byte round subkeys. Each of these subkeys has three records, and eachof
these records is used in a di erentway to encrypt the plaintext. The hashing
pro cess b egins by concatenating copies of the master key until a 2304-byte array
has b een pro duced. The elements of this array are then XOR'd with a randomly
generated, but known constant. This unformatted arrayis then formatted so
that the resulting array is a preliminary version of the KI V . This formatting
is necessary so that the three records mentioned earlier achieve rapid di usion
and confusion. The formatted array is then encrypted by the FROG algorithm
itself to further the random app earance of the subkeys. This encrypted output
is again formatted to satisfy the reqiurements of the subkey records.
Knowledge of a round subkey do es not reveal any bits of other round subkeys,
since the 288-byte blo cks of KI V which determine each subkey are generated at
the same time and are essentially indep endent. Thus the FROG cipher b elongs
in Category 2, Typ e B.
Hasty Pudding Cipher-HPC
Assuming a 256-bit master key, K , divide it into four, 64-bit words, K ;K ;K
0 1 2
and K . Now construct a 256-element array, KX , each element, a 64-bit word.
3
The rst three elements, KX [0];KX[1] and KX [2] are resp ectively initialised
to known constants c ;c and c . The remaining elements of the array are
0 1 2
constructed as follows.
For i =3; 4; ; 255
KX [i] = KX [i 1]+KX [i 2] KX [i 3] 23 KX [i 3] 41
Next i,
where x y and x y are resp ectively quantity x right shifted/left shifted by 7
y bits. Master key K is nowintro duced into KX as follows.
For i =0; 1; ; 127
KX [i] = KX [i] K
i mo d 4
Next i
The resulting elements are then stirred as follows.
State variables, s ;j =0; 1; ; 7 are initialised resp ectively to KX [248 + j ]
j
and the following series of steps are p erformed in each of three passes over the
array KX .
For each KX [i];i =0; 1; ; 255
s = KX [i] KX [i +1 ^ 255] + KX [s ^ 255]
0 0
s = s + s
1 1 0
s = s s
3 3 2
s = s s
5 5 4
s = s s
7 7 6
s = s +s SL 13
3 3 0
s = s s SL 11
4 4 1
s = s s SL s ^ 31
5 5 3 1
s = s +s SR 17
6 6 2
s = s _ s + s
7 7 3 4
s = s s
2 2 5
s = s s i
0 0 6
s = s + c
1 1 0
s = s +s SR j
2 2 7
s = s s
2 2 1
s = s s
4 4 3
s = s s
6 6 5
s = s + s
0 0 7
KX [i] = s + s
2 6
64
Note that the op erations + and are p erformed mo dulo 2 , ^ means
logical and, _ is logical or, SR and SL are right and left shifts resp ectively, and
j =0; 1; 2 represents the pass number over the array KX .
Supp ose KX [i] is known. From the last line in the set of steps ab ove, s + s
2 6
is known. However, there is no obvious way to determine either s or s . Even
2 6
if these were known, the nature of the stirring pro cess means that it is not
invertible, so no bits of the master key or other round subkeys can b e obtained
from a knowledge of KX [i].
Now s ;i =0; 1; ; 7 contains two copies of the master key arranged such
i
that any four s values, say s ;s ;s and s , with k 6 l 6 m 6 nmo d 4,
i k l m n
contain all bits of the master key. From the last line of the ab ove series of steps,
KX [i] dep ends on s and s . Tracing back through this series of steps it is easy
2 6
to see that s dep ends on s ;s ;s and s and that s is related to s ;s and
6 5 3 1 0 5 3 1
s . Hence, s dep ends on at least s ;s and s . Thus, KX [i] dep ends at least
4 6 0 1 3 8
on s ;s ;s and s , and since 0 6 1 6 2 6 3mo d 4;KX[i] dep ends on all bits
0 1 2 3
of the master key. Thus, all round subkeys dep end on all bits of the master key.
This puts the HPC cipher in the 2B class.
Because the 'spice' is not necessarily a secret key, it has b een delib erately
omitted from this discussion.
LOKI97
0 0 0 0
The master key, K is initialised into four, 64-bit words, K jK jK jK , as fol-
1 2 3 4
lows.
0 0 0 0
256-bit K = K jK jK jK yields K jK jK jK = K jK jK jK .
1 2 3 4 1 2 3 4
1 2 3 4
0 0 0 0
192-bit K = K jK jK yields K jK jK jK = K jK jK jf K ;K where
1 2 3 1 2 3 1 2
1 2 3 4
f is a non-linear function used in the encryption pro cess.
0 0 0 0
128-bit K = K jK yields K jK jK jK = K jK jf K ;K jf K ;K .
1 2 1 2 2 1 1 2
1 2 3 4
These initialised keys are then pro cessed as follows to yield forty-eight, 64-bit
round subkeys, SK .
i
For i =1; ; 48
i 1 i 1 i 1 i 1
i
K = K g K ;K ;K 2
i
1
4 1 3 2
i
SK = K
i
1
i 1
i
K = K
4
3
i 1
i
K = K
3
2
i 1
i
K = K
2
1
Next i
Note that g K ;K ;K =f K + K + i; K where is a constant and f is
i 1 3 2 1 3 2
a function used in the cipher.
Knowledge of SK do es not reveal any bits of previous or subsequent round
i
subkeys, as these are dep endent on at least other three other unknown subkeys
or initialised master keys. Further, the generation of subkey SK involves all
1
bits of the master key as p er equation 2. Since the generation of subkey SK
i
dep ends on subkey SK ;SK ultimately dep ends on SK and hence on all
i 1 i 1
bits of the master key. Thus, LOKI97 is a 2B cipher.
MAGENTA
For a master key, K , of one hundred and twenty-eight bits, this cipher has six
rounds under the control of the master key considered as two, 64-bit blo cks, K
1
and K . In rounds one, two, ve and six of the encryption pro cess, K is used.
2 1
In rounds four and ve, K is used.
2
In the 192-bit version of K = K jK jK , K is used in rounds i and 7 i.
1 2 3 i
In the 256-bit version, K = K jK jK jK , and the cipher has eight rounds
1 2 3 4
with K b eing used in rounds i and 9 i. Clearly, knowledge of a round subkey
i
yields immediately bits of the master key, as in DES. Thus, MAGENTA is a
1B cipher. 9
MARS
In this cipher, forty, 32-bit subkeys are required. An array, A, of forty-seven,
32-bit words is initialised using an n-word master key, k , as follows.
For i = 7; 6; ; 1,
A[i]=S [i +7]
Next i
where S [j ] is the j 'th entry of a xed and known S-b ox.
For i =1; 2; ; 38,
A[i]=A[i 7] A[i 2] 3 k [i mo d n] i
Next i
A[39] = n
This initialised array is further stirred as follows.
For j =1; 2; ; 7
For i =1; 2; ; 39
j j 1 j 1
A [i]=A [i]+S [A [i 1]] 9
9
Next i
j j 1 j
A [0] = A [0] + S [A [39]] 9
9
Next j
Note that S [x] is the S-b oxentry indexed by the nine LSB of x. The subkeys
9
are then created as follows.
For i =0; 1; 2; ; 39
A[i] b ecomes subkey K [7i mo d 40]
Next i
Consider now the case of n = 8, that is a 256-bit master key. In the initial-
ization of array A, A[i] dep ends on arraywords A[i 7] and A[i 2] as well as
master key word k [i mo d 8]. A careful analysis shows that not until the creation
of A[13] are the elements of array A dep endent on all eightwords of the master
key. Subsequent elements, with the exception of A[39], are also dep endent on
all master key words. A[39] do es not dep end on any bits of the master key at
all.
[
7 6 6
Now supp ose an attacker knows K [i]= A [j ]=A [j ] S A [j 1]]
9
7
9; for some j . There exists keys K [h] and K [g ] such that K [h]= A [j 1] =
6
7 6 6
[A[j 2]] 9 for some j , and K [g ]= A [j +1]= A [j + A [j 1] S
9
[
6 6
A [j ]] 9 for some j . Knowledge of K [i] do es not reveal A [j ]or 1] S
9
6
S [A [j 1]] which are comp onents of K [h] and K [g ]. Neither do es it reveal
9
7 6
any information on A [j 1] or A [j + 1], the other comp onents of K [h] and
K [g ] resp ectively. Similarly, knowledge of K [i] do es not reveal any information
ab out the master key.
The 7-round stirring pro cess esentially combines successiveentries in array A
7 1
to create a new array A . After the rst round of stirring, only elements T [1]
1
through to T [6] inclusive do not dep end on all bits of the master key. In each
2 3 4 5 6
of the remaining six rounds of stirring, T [1];T [2];T [3];T [4];T [5] and
7
T [6] successively come to dep end on all master key bits. Hence, all subkeys
dep end on all bits of the master key. Thus, MARS is a 2B cipher.
RC6
This cipher has a precursor named RC5 [? ]. The key schedule of RC6 is identical
to that of RC5 with the exception that a total of 2r + 4 subkeys are required
for RC6 while RC5 requires only 2r + 2 subkeysr is the numb er of rounds of 10
the cipher. The prop osed numb er of rounds of RC6 is twenty, so the number
of subkeys required is forty-four. The subkeys are generated as follows.
From a master key of sixteen, twenty-four or thirty-twobytes, an array L
of four, six or eight, 32-bit words is constructed. A second array S of forty-
four, 32-bit words is initialised by known constants. The following lo op is then
executed one hundred and thirty-two times3 44, after the variables i; j; A
and B are initialised to zero.
For s = 1 to 132
S [i]= S [i]+A + B 3
A = S [i]
L[j ]= L[j ]+A + B A + B
B = L[j ]
i i + 1mo d 44
j j + 1mo d c
Next s
Note that c =4; 6 or 8 when the master key used is 128-bit, 192-bit or 256-bit
resp ectively.
3 2
Supp ose now that round key S [i]=S [i]+A + B 3isknown. From this
knowledge, it is not p ossible to determine any of the quantities that are involved
3
in the calculation of S [i]. Even if these quantities were known, it would not
3 3
b e p ossible to determine, from a knowledge of these, S [i +1]or S [i 1], as
3
the quantities which form these are related to those of S [i]inavery dicult
to invert way. Hence, knowledge of a round subkey do es not yield any bits of
any other round subkey or the master key.
Further, eachentry in the array S is up dated three times in the ab ove lo op.
1 1
At the end of the rst up date, call it S , corresp onding to s = 44;S [0] to
1 1
S [7] inclusive are the only elements of array S that are not dep endentonall
elements of the array L, that is, all elements of the master key. By the end of
2
the second pass, all elements of S are dep endent on all elements of the master
key. It follows that RC6 is a 2B cipher.
Rijndael
This cipher stores its master key, K , in a4 i arrayof bytes, where i =4; 6
or 8 when K is a 128-bit, 192-bit or 256-bit key resp ectively. Given that the
AES standard supp orts a 128-bit blo ck size, the numb er of subkeys required is
128
r + 1, where r is the numb er of rounds. For a 128-bit master key, r = 10,
4
for a 192-bit master key, r = 12 and for a 256-bit master key, r = 14.
An expanded key, K , is formed from the 256-bit master key array, A ; 0
e x;y
x 3; 0 y 7 as follows. Note that elements of array A are bytes.
An array, W , with 4 14 + 1= 60 elements is constructed by setting
W [t]; t = 0; 1; ; 7 to be successively equal to the four bytes of the master
key, A ;A ;A ;A . Subsequent elements of array W are constructed by
0;t 1;t 2;t 3;t
the recursive relationship:
For j =8;j < 60 and j incremented by8
W [j ]=W [j 8] f W [j 1] g c
j
For l =1; 2 and 3
W [l + j ]=W [l + j 8] W [l + j 1]
Next l
W [j +4]= W [j 4] hW [j + 3]
For l =5; 6 and 7 11
W [l + j ]=W [l + j 8] W [l + j 1]
Next l
The functions f; g and h are functions asso ciated with encryption and de-
cryption and c is a deterministic constant.
j
For x =0; 1; 2; ; 14, round subkey x is given arrayentries W [8x] through
to W [8x + 7].
Now supp ose that round subkey KS is known. It follows that W [8x];W[8x+
x
1]; ;W[8x + 7] are known. Subkey KS consists of array elements W [8x +
x+1
8];W[8x +9]; ;W[8x + 15]. Now
W [8x +8]= W [8x] f W [8x +7] g c 3
x
All of the quantities on the right hand side of equation 3 are known since they
are from the known subkey x or are constants. Hence W [8x +8] is known.
Since W [8x + p];p =9; 10; ; 15 dep ends in a simple wayon W [8x + p 1] and
W [8x + p 8] whichisknown from round subkey RK , calculating W [8x + p]
x
is easy. Hence, knowing subkey RK enables subkey RK to be easily de-
x x+1
termined. In fact, knowing subkey RK enables all subsequent subkeys to b e
x
determined. The conclusion is that the 256-bit master key version of the cipher
Rijndael is 1C.
SAFER+
For 128-bit, 192-bit and 256-bit master keys K , the resp ectivenumb er of rounds
in the cipher is eight, twelve and sixteen. The number of subkeys required is
resp ectively seventeen, twenty- ve and thirty-three. An analysis of the case
when a 256-bit master key will b e presented.
Firstly, thirty-three, 16-byte bias words, B , are created as follows.
i
For i =0; 1; ; 15
17i+j +18
j
45 mo d 257
B 45 mo d 257 4
i
Next i,
j
where B is the j 'th byte of bias word B and j =0; 1; ; 15. If the value of
i
i
j j
B , calculated in equation 4, is 256, then B is set to zero. The remaining bias
i i
words B to B inclusive are calculated as follows.
17 32
For i =17; 18; ; 32
j
17i+j +18
B 45 mo d 257
i
Next i
Note that B is a dummy and is not used at all.
0
A 33-byte word, K , is initialised by concatenating the thirty-twobytes of
e
the master key K and the byte formed by the XOR sum of the corresp onding
bits of the thirty-twobytes of the master key. This last byte is known as the
parity byte. The bytes of K will b e denoted by b ;b ; ;b ;b . Round i uses
e 0 1 31 32
two, 16-byte subkeys, K and K . The round one subkey, K , is calculated as
i i+1 0
follows.
K = b jb jjb :
0 0 1 15 12
j
The concatenation of x through to x will b e written as C x . Hence
i j k
k =i
15
K = C b . Subsequent subkeys are generated as follows.
0 k
k =0
For i =1; 2; ; 32
For j =0; 1; ; 32
b = b 3
j j
Next j
k imod33 i+15 mo d 33
b + B mo d 256 K = C
k i
i
k =i
Next i.
Now supp ose round subkey, K , is known. Hence,
i
k imod33 i+15 mo d 33
b + B mo d 256 C
k
i
k =i
is known. Since all the biases B are predetermined constants, b is simply
i k
k imod33 k imod33
calculated as K B mo d 256. Thus, bytes b to
i
i i
b are known. Right shifting each of these bytes by three bits, yields
i+15 mo d 33
fteen of the sixteen bytes used in in the calculation of K . Left shifting
i 1
these known bytes by three bits will yield fteen of the sixteen bytes used in the
calculation of K . Thus, fteen bytes of subkeys K and K are easily
i+1 i 1 i+1
determined. In fact, if the known bytes of K are right shifted by an amount
i
3i, then either fteen or sixteen bytes of the master key will b e known. Sixteen
will b e known if b is not one of the sixteen known bytes of K . On the other
33 i
hand, if b is one of the known bytes of K , then fteen bytes of the master key
33 i
can b e determined. Hence SAFER+ with a 256-bit master key is a 1C cipher.
Serp ent
This cipher requires thirty-three, 128-bit, round subkeys, and these are created
from one hundred and thirty-two, 32-bit, interim words which are generated
from the master key, K . If the master key is not twohundred and fty-six bits
in length, it is padded until it is. This padded master key, K , can b e thought
p
of as eight, 32-bit words lab elled W ;W ; ;W . The one hundred and