Analysis of Venkaiah Et Al.’S AES Design

International Journal of Network Security, Vol.9, No.3, PP.285–289, Nov. 2009 285

Analysis of Venkaiah et al.’s AES Design

Jorge Nakahara Jr Department of Informatics, Universidade Catolica de Santos, UNISANTOS R. Dr. Carvalho de Mendon¸ca, 144, POBOX 11070-906, S˜ao Paulo, Brazil (Email: jorge [email protected]) (Received Oct. 25, 2006; revised and accepted June 27, 2007)

Abstract overview of the impossible-differential technique. Sec- tion 5 concludes the paper. This paper describes impossible differential (ID) attacks on an AES variant designed by Venkaiah et al.. They claim that their cipher has improved resistance to ID at- 2 Venkaiah et al.’s AES Design tacks due to a new MixColumns matrix with a branch number 4, which is smaller than that of the original AES. In [14], Venkaiah et al. suggested a variant of AES with We argue against this statement. The contributions of a new S-box, a modified MixColumns matrix, and a new this paper include ID distinguishers for Venkaiah et al.’s irreducible polynomial for GF(28). They used x8 + x6 + cipher, and a discussion of the susceptibility of such vari- x5 + x + 1 as primitive irreducible polynomial for GF(28), ants to impossible differential and other modern cryptan- in contrast to the AES irreducible (but not primitive) alytic techniques. polynomial x8 + x4 + x3 + x + 1. Their new S-box was Keywords: AES, block cipher cryptanalysis, impossible constructed based on two transformations in this order: differentials ∗ • powers of 3, a primitive element in F257. If the power is 256, the result is treated as 0.

1 Introduction • take multiplicative inverse in GF(28), with 0 mapped to itself. Rijndael is a Substitution Permutation Network (SPN) type block cipher designed by Joan Daemen and Vincent One feature of their new S-box is its algebraic expres- Rijmen for the AES Development Process, initiated by the sion in GF(28) = GF(2)[x] / (x8+ x6 + x5 + x + 1): 0 2 3 4 5 National Institute of Standards and Technology (NIST) S [x]= 01x + 2fx.x + d2x.x + 23x.x + ddx.x + edx.x + 6 7 8 9 10 11 in the USA in 1997 [1, 9]. The 128-bit block version of a8x.x + 98x.x + 49x.x + 03x.x + a4x.x + 39x.x + 12 13 14 15 16 17 Rijndael, with a key of 128, 192 or 256 bits, is oﬃcially 78x.x + 8ex.x + 94x.x + f2x.x + 19x.x + 66x.x + 18 19 20 21 22 23 known as the AES [10]. Typically, text blocks, keys and bcx.x + 46x.x + 6fx.x + 74x.x + dbx.x + 70x.x + 24 25 26 27 28 29 subkeys are represented compactly by a 4 × Nb state ma- 75x.x + 43x.x + e3x.x + ebx.x + ebx.x + adx.x + 30 31 32 33 34 35 trix of bytes, where Nb is the number of 32-bit words in 79x.x + 22x.x + fbx.x + edx.x + 28x.x + 62x.x + 36 37 38 39 40 41 a block. For instance, the state matrix for a 4t-byte text f4x.x + 24x.x + 36x.x + 4bx.x + 31x.x + aex.x + 42 43 44 45 46 47 block, A = (a0,a1,a2,a3,a4,...,a4t−1), is denoted bfx.x + 3fx.x + 57x.x + 22x.x + 9fx.x + a4x.x + 48 49 50 51 52 53 b7x.x + 96x.x + 56x.x + 25x.x + 56x.x + 8ex.x + 54 55 56 57 58 59 a0 a4 ... a4t−4 c7x.x + 9cx.x + 26x.x + 57x.x + 05x.x + 82x.x + 60 61 62 63 64 65  a1 a5 ... a4t−3  eax.x + bbx.x + 2bx.x + f6x.x + 13x.x + 96x.x + State = (1) 66 67 68 69 70 71 a2 a6 ... a4t−2 c8x.x + 5ax.x + bax.x + dax.x + 27x.x + 60x.x +   72 73 74 75 76 77  a3 a7 ... a4t−1  c8x.x + 74x.x + b8x.x + d5x.x + f2x.x + c2x.x +   78 79 80 81 82 83 71x.x + a1x.x + c3x.x + 85x.x + b7x.x + 6dx.x + 84 85 86 87 88 89 namely, with bytes inserted columnwise. Note that byte 18x.x + c7x.x + 72x.x + eax.x + 07x.x + acx.x + 90 91 92 93 94 95 positions in a state matrix follows the subscripts of the 18x.x + 13x.x + 85x.x + b7x.x + a4x.x + c2x.x + 96 97 98 99 100 101 bytes in (1). 23x.x +eex.x +e2x.x +59x.x +46x.x +34x.x + 102 103 104 105 106 There are four layers in a full round of Rijndael, in a1x.x + 38x.x + 3cx.x + 0bx.x + 7dx.x + 107 108 109 110 111 order: SubBytes (denoted SB), ShiftRows (SR), Mix- b4x.x + 41x.x + 05x.x + e7x.x + eex.x + 112 113 114 115 116 Columns (MC) and AddRoundKey (AKi, where i is the 5dx.x + 80x.x + b5x.x + 15x.x + d4x.x + 117 118 119 120 121 round number) [10]. 65x.x + 85x.x + 8fx.x + ecx.x + 50x.x + 122 123 124 125 126 This paper is organized as follows: Section 2 describes ccx.x + 2ax.x + 8fx.x + 0cx.x + 85x.x + 127 128 129 130 131 the AES variant by Venkaiah et al.. Section 3 gives a brief 9ex.x + 3fx.x + 02x.x + e9x.x + 6ax.x + International Journal of Network Security, Vol.9, No.3, PP.285–289, Nov. 2009 286

132 133 134 135 136 c4x.x + 1ex.x + 7ax.x + 16x.x + c6x.x + there are 2 × 2 singular submatrices of MC’, such as 137 138 139 140 141 cfx.x + 3dx.x + 1cx.x + 9bx.x + eax.x + fc 142 96 143 64 144 02 145 85 146 01x 01x x.x + x.x + x.x + x.x + x.x + (3) 147 148 149 150 151 01x 01x 55x.x + 9fx.x + 20x.x + 96x.x + acx.x + 152 153 154 155 156 6dx.x + 96x.x + a7x.x + 0ex.x + 4fx.x + 75 157 29 158 a8 159 b5 160 fd 161 Notice that MC’ uses the same coefficients as the original x.x + x.x + x.x + x.x + x.x + MixColumns matrix of the AES, but in a different order. 162 163 164 165 166 66x.x + 6dx.x + 1fx.x + 51x.x + fex.x + The apparent motivation for the choice of MC’ was to 167 168 169 170 171 6dx.x + 98x.x + cbx.x + f2x.x + d6x.x + speed up the decryption procedure, since MC’ is involu- 61 172 4d 173 e6 174 10 175 4d 176 tory (it is its own inverse). But, this discrepancy between x.x + x.x + x.x + x.x + x.x + the performance of AES encryption and decryption pro- 80 177 88 178 a1 179 d8 180 f4 181 x.x + x.x + x.x + x.x + x.x + cedures can be diminished by other means, as pointed out 182 183 184 185 186 20x.x + f1x.x + 17x.x + 49x.x + 09x.x + by Barreto in [2], in which the InvMixColumns matrix is 187 188 189 190 191 f8x.x + 90x.x + cex.x + e6x.x + 2fx.x + split as 192 193 194 195 196 acx.x + 94x.x + 19x.x + b8x.x + 32x.x + 0ex 0bx 0dx 09x 05x 00x 04x 00x 02x 03x 01x 01x 3e 197 b7 198 06 199 93 200 60 201 09x 0ex 0bx 0dx 00x 05x 00x 04x 01x 02x 03x 01x x.x + x.x + x.x + x.x + x.x +   .   =   202 203 204 205 206 0dx 09x 0ex 0bx 04x 00x 05x 00x 01x 01x 02x 03x 09x.x + 22x.x + eex.x + 85x.x + d1x.x +        0bx 0dx 09x 0ex   00x 04x 00x 05x   03x 01x 01x 02x  5e 207 49 208 d6 209 61 210 47 211       x.x + x.x + x.x + x.x + x.x + (4) 79 212 1d 213 27 214 7a 215 19 216 x.x + x.x + x.x + x.x + x.x + The matrix in the right-hand-side of (4) is the AES ma- 68 217 ed 218 59 219 c4 220 e7 221 x.x + x.x + x.x + x.x + x.x + trix used in encryption mode. The leftmost matrix in (4) 4d 222 7a 223 75 224 a3 225 dd 226 x.x + x.x + x.x + x.x + x.x + is used in decryption mode. According to [2] “InvMix- f0 227 67 228 0e 229 0c 230 da 231 x.x + x.x + x.x + x.x + x.x + Column can be efficiently implemented with the same 53 232 ce 233 3c 234 a6 235 c0 236 x.x + x.x + x.x + x.x + x.x + resources as MixColumn, plus six exclusive-ors and four 70 237 32 238 77 239 56 240 95 241 x.x + x.x + x.x + x.x + x.x + xtime calls”. 20 242 d1 243 8b 244 20 245 a2 246 x.x + x.x + x.x + x.x + x.x + The main drawback of MC’ is that it is not an MDS d9 247 ea 248 a7 249 58 250 49 251 x.x + x.x + x.x + x.x + x.x + matrix like AES’s MixColumn matrix. Venkaiah et al. c9 252 0d 253 29 254 x.x + x.x + x.x , which is much more in- stated in [14] that MC’ “... has branch number 4 and, volved and certainly not as sparse as AES S-box expres- correspondingly, has low diffusion power. This reduction in 63 8f 127 b5 191 01 223 f4 239 sion S[x]= x + x.x + x.x + x.x + x.x + branch number may be viewed positively as a way to cur- 25 247 f9 251 09 253 05 254 x.x + x.x + x.x + x.x . The subscript x tail the effect of impossible differential cryptanalysis”. The indicates hexadecimal notation. The motivation for this consequences of the smaller branch number from an ID 0 new S-box, denoted S , may be related to attacks exploit- cryptanalysis perspective are discussed in Section 4. ing the sparsity of the algebraic expression of the AES An immediate consequence of the smaller branch num- S-box [8]. ber in Venkaiah et al.’s design concerns the resistance to The highest non-trivial differential probability and differential [6] and linear [13] cryptanalysis. In (5), we de- 0 maximum non-trivial linear probability of S are depicted pict an 4-round differential of Venkaiah et al.’s AES, con- in Table 1, together with the profiles for the AES S-box structed to minimize the number of active S-boxes, using [9]. These figures are called simply differential and linear MC’ and (3). The symbol δ denotes a nonzero exclusive-or 0 profiles of S . byte difference, and 0 a zero byte difference. The round From a differential cryptanalysis perspective, the AES transformations, AddRoundKey (AKi), SubBytes (SB), S-box maximum probability is smaller than Venkaiah et ShiftRows (SR) and MixColumns (MC) are composed in al.’s AES S-box. Thus, the former’s differential profile is left-to-right order, for instance, SR ◦ SB ◦ AK0(X) = better than the latter’s. Also, from a linear cryptanaly- SR(SB(AK0(X))). Notice that there are 20 active S- sis point of view, the original AES S-box linear profile is boxes in (5). Table 2 compares the number of active S- better than Venkaiah et al.’s profile. boxes of the best differential characteristics and linear re- Before discussing the minimum number of rounds for a lations across four rounds of Venkaiah et al.’s design and differential and a linear attack, we first discuss the diffu- for the AES. sion power of Venkaiah et al.’s AES. Another modification Taking into account Tables 1 and 2, Venkaiah et al.’s suggested in [14] is a new MixColumns matrix, which we design not only have a smaller number of active S-boxes denote MC’, with branch number four: (due to weaker diffusion of MC’), but also the differ- 0 02 01 03 01 ential profile of S is worse (higher) than that of the x x x x AES S-box. Concerning differential cryptanalysis (DC), 0  01x 02x 01x 03x  MC = (2) the estimated number of active S-boxes for four rounds 03x 01x 02x 01x   is 20, and the probability of the differential becomes  01x 03x 01x 02x    (2−4.41)20 = 2−88.2, while for the AES, the correspond- ( 25 −150 An example of an input/output difference tuple with ing probability is (2 − 6) )=2 . Analogously, for MC0 LC, Venkaiah et al.’s design restricted to four rounds has branch number four is (δ, 0, δ, 0) → (δ, 0, δ, 0), where bias of the linear relation equal to (2−2.83)20 = 2−56.6, MC0 δ =6 0. Similarly, (0, δ, 0,δ) → (0, δ, 0,δ). These differ- while for the AES, it is (2( − 3)25)=2−75. Thus, con- ences tuples show that MC’ is not an MDS matrix, since sidering conventional DC and LC, the original AES [9] is International Journal of Network Security, Vol.9, No.3, PP.285–289, Nov. 2009 287

Table 1: Diﬀerential and linear proﬁles of S and S0

Cipher Best nontrivial Best nontrivial DC proﬁle of S LC proﬁle of S0 AES 2−6 2−3 Venkaiah et al. 12/256 ≈ 2−4.41 36/256 ≈ 2−2.83

Table 2: Comparison of diﬀerential and linear proﬁles

Cipher Branch #act. S-boxes #act. S-boxes Number DC (4 rounds) LC (4 rounds) AES 5 25 25 Venkaiah et al.’s 4 20 20

# active S-box DC: minimum number of active S-boxes in a diﬀerential characteristic across 4 rounds. # active S-box LC: minimum number of active S-boxes in a linear relation across 4 rounds.

more robust than Venkaiah et al.’s design. distinguisher consists of the concatenation of both differentials. But, the differentials are constructed such that δ 0 0 0 δ 0 0 0 the output difference pattern of ∇ is incompatible with ◦ ◦  0 0 0 0  SR SB→ AK0  0 0 0 0  the output difference pattern of ∆, in the sense that the 0 0 δ 0 δ 0 0 0     output difference of ∇ cannot cause the input difference  0 0 0 0   0 0 0 0      of ∆. This contradiction explains the term “miss-in-the- δ 0 0 0 δ 0 0 0 SB◦AK ◦MC0 middle”. →1  0 0 0 0  SR→  0 0 0 0  δ 0 0 0 0 0 δ 0 In byte-oriented ciphers such as Rijndael (AES), it is      0 0 0 0   0 0 0 0      typical to use truncated differentials [12] to construct ∆ δ 0 δ 0 δ 0 δ 0 and ∇, because truncated difference patterns hold with SB◦AK ◦MC0 δ δ δ δ →2  0 0  SR→  0 0  certainty, and are independent of the S-box. In trun- δ 0 δ 0 δ 0 δ 0     cated differentials, one only distinguishes between zero  δ 0 δ 0   0 δ 0 δ      and nonzero differences, namely, the exact value of the δ 0 δ 0 δ 0 δ 0 0 nonzero difference is irrelevant. For bytewise difference SB◦AK3◦MC 0 δ 0 δ AK4◦SR δ 0 δ 0 →   →  (5) δ 0 δ 0 δ 0 δ 0 patterns (as in Rijndael), a nonzero byte difference will      0 δ 0 δ   δ 0 δ 0  be denoted δ. In contrast, a zero byte difference will be     denoted simply 0. Recall that although δ is used through- out the distinguisher, it does not mean that all these bytes contain the same difference value. The difference operator 3 Impossible Differential Attacks used in Rijndael is exclusive-or. In the following sections we assume that the user key Unlike differential and linear techniques, which look for size is the same as the block size, 128 bits. events such as text patterns or statistical correlations of high probability, the impossible differential (ID) method looks for events that never happen. The impossible differ- 4 ID Distinguisher for Venkaiah et ential (ID) technique operates in a chosen-plaintext set- ting. This attack was formerly proposed in [11] against al.’s AES the DEAL block cipher, and further applied to Skipjack [3], IDEA and Khufu [4], the AES [5] and several other In this section we demonstrate that a decrease in the ciphers. branch number (or diffusion power) in Venkaiah et al.’s ID distinguishers currently reported in the literature AES does not curtail the effect of impossible differential use the miss-in-the-middle technique described in [3]. attacks. This technique requires two differentials (∇ and ∆) both In (6) we have an example of 4-round ID distinguisher holding with probability one. We denote by ∇ the “top- for Venkaiah et al.’s AES. This distinguisher is exactly the down” truncated differential, because the difference pat- same one used in [5] by Biham and Keller against AES. terns propagate in the encryption direction. And ∆ is the The top-down truncated differential covers AK0 until MC’ “bottom-up” truncated differential because the difference of the third round. The bottom-up truncated differential patterns propagate in the decryption direction. The ID covers AK4 up until MC’ of the third round. These two International Journal of Network Security, Vol.9, No.3, PP.285–289, Nov. 2009 288 differentials are incompatible. Note the pattern of four (iii) Output the (only) 32-bit subkey value that is not nonzero byte differences in the leftmost column of the eliminated by the filtering in (ii). state matrix before the MC’ layer of the third round, and the pattern of four zero byte differences in the same col- The attack procedure and its complexities are the same umn after the MC’ layer. This difference pattern before as the one on the original AES: 231 time, 229.5 chosen and after MC’ in the leftmost column is contradictory plaintexts (CP), 232 memory. (even with the branch number 4). The symbol → means Another attack using (6) can recover subkey bits from that the difference pattern on the left-hand side causes the both AK0 and AK6 of 6 rounds of Venkaiah et al.’s AES, difference pattern on the right-hand side. Contradiction similar to [7]. This attack works as follows: is denoted by 6→. 32 (a) Create a pool of 2 plaintexts Pi = (p0,p1,...,p15) δ 0 0 0 δ 0 0 0 such that (p0,p5,p10,p15) assume all possible 32-bit 0 0 0 0 0 MC ◦SR◦SB◦AK0 δ 0 0 0   →   values, and the remaining bytes assume arbitrary 0 0 0 0 δ 0 0 0  0 0 0 0   δ 0 0 0  constant values. Each such pool leads to about     32 32 63 δ 0 0 0 2 (2 − 1)/2 ≈ 2 pairs Ci ⊕ Cj , with i =6 j; 0 SR◦SB◦AK1 0 0 0 δ SR◦SB◦AK2◦MC →   → 0 0 δ 0 59.5 91.5  0 δ 0 0  (b) Consider 2 pools, which mean 2 chosen plain-   texts (CP) and 2122.5 plaintext pairs. Find ciphertext δ δ δ δ 0 0 δ δ δ δ δ δ δ MC 0 δ δ δ   6→   pairs that contain zero difference in the bottommost δ δ δ δ 0 δ δ δ −64  δ δ δ δ   0 δ δ δ  two rows of the state matrix (a 2 filtration condi-     0 δ δ δ tion). The expected number of pairs that satisfy this −1 −1 AK3◦SB ◦SR ◦AK4 δ δ δ 0 122.5−64 58.5 ←   (6) restriction is 2 =2 . δ δ 0 δ  δ 0 δ δ    (c) Guess 64 bits of AK6 = (k6,0, k6,1,...,k6,15) corresponding to the topmost two rows of the state ma- The distinguisher (6) belongs to a set of related dis- trix, i.e. (k , k , k , k , k , k , k , k ). tinguishers, all of which share the same input difference 6,0 6,1 6,4 6,5 6,8 6,9 6,12 6,13 pattern, the same number of rounds, and the same number of zero output byte differences, but the precise output (d) For each ciphertext pair (Ci, Cj ) that satisfies step −1 ⊕ difference pattern changes. For example, (6) contains zero (b), decrypt the last round and compute MC’ (Ci byte differences in the ciphertext positions (0, 7, 10, 13) Cj ) and check if there are zero byte differences in of the state matrix, but other ciphertext difference pat- one of the forbidden positions (0,7,10,13), (1,4,11,14), terns also cause contradiction. These patterns contain (2,5,8,15), (3,6,9,12). The joint probability of these · −32 ≈ −30 zero byte differences only in positions (1, 4, 11, 14), (2, 5, difference patterns is 4 2 2 , and the expected number of remaining pairs is 258.5 · 2−30 = 8, 15) and (3, 6, 9, 12). Thus, all of these zero (ciphertext) 28.5 byte positions are ’forbidden’. 2 .

(e) For a plaintext pair (Pi, Pj ) corresponding to a ci- 4.1 ID Attack phertext pair from step (d), guess 32 subkey bits (k , k , k , k ) of AK = (k , k , . . ., A key-recovery ID attack on 5-round Venkaiah et al.’s 0,0 0,5 0,10 0,15 0 0,0 0,1 k ) and encrypt the first round until after the AES operates the same way as the one used against 5- 0,15 first MC’ layer. Keep those pairs for which there round AES in [5]. The distinguisher (6) is positioned in is only one nonzero byte difference in the leftmost the last four rounds. The attack works as follows: column after MC’. The probability of this event is 8 32 −22 32 4 · (2 − 1)/2 ≈ 2 for three zero byte differences (i) Create a pool of 2 plaintexts Pi = (p0,p1,...,p15), in a single column of MC’. such that (p0,p5,p10,p15) range over all 32-bit values, while the remaining bytes assume arbitrary constant values. Encrypt this pool across 5 rounds (f) Every subkey that leads to such difference is wrong. After analyzing 228.5 pairs, there remains about and obtain a corresponding ciphertext pool Ci = 28.5 6.5 232(1 − 2−22)2 ≈ 232 · e−2 < 1 wrong key values. (c0,c1,...,c15). Each such pool leads to about 32 32 63 2 (2 − 1)/2 ≈ 2 pairs Ci ⊕ Cj , with i =6 j; (g) Steps (c) and (d) require 2 · 258.5 · 264 = 2123.5 1- 119 (ii) For each pair of ciphertexts (Ci, Cj ) such that only round computations, and step (e) requires about 2 the bytes at position (0,7,10,13) are zero, guess 32 1-round computations [7]. The total time complex- 123.5 119 121 bits of AK0 in position (0,5,10,15) and decrypt the ity is (2 +2 )/6 ≈ 2 6-round computations, 91.5 32 first round of (Pi, Pj ) up to the leftmost column of 2 CP and 2 memory. To recover the remaining the first MC’ layer. If only one byte difference is bits of AK6, we repeat the same attack, but look for nonzero in this column (see (6)), then the guessed the subkey bits on the lower two rows of the state 32-bit subkey is wrong; matrix. Only the time complexity doubles. International Journal of Network Security, Vol.9, No.3, PP.285–289, Nov. 2009 289

[5] E. Biham, and N. Keller, “Cryptanalysis of reduced Table 3: Complexity of ID attacks on Venkaiah et al.’s variants of rijndael,” 3rd AES Conference, New York, AES USA, 2000. # Rounds Time Data Memory [6] E. Biham, and A. Shamir, “Differential cryptanalysis of DES-like cryptosystems,” Journal of Cryptology, 5 231 229.5 CP 232 vol. 4, no. 1, pp. 3-72, 1991. 6 2122 291.5 CP 232 [7] J. H. Cheon, M. Kim, K. Kim, J. Y. Lee, and S. Kang, “Improved impossible differential cryptanalysis of rijndael and crypton,” ICISC 2001, LNCS 2288, 5 Conclusion pp. 39-49, K. Kim edits, Springer-Verlag, 2001. [8] N. T. Courtois, and J. Pieprzyk, “Cryptanalysis of This paper argued about differential and linear cryptanal- block ciphers with overdefined systems of quadratic ysis of Venkaiah et al.’s AES design, and concluded that equations,” Cryptology, Asiacrypt’02, LNCS 2501, it is not better than the original AES (Table 2). pp. 267-287, Y. Zheng edits, Springer-Verlag, 2002. [9] J. Daemen, and V. Rijmen, “AES proposal: Rijn- In [14], it is claimed that “The reduction in branch dael,” 1st AES Conference, California, USA, 1998. number leading to low diffusion power may in fact be [10] FIPS197, Advanced Encryption Standard (AES), viewed as a factor that curtails the effect of impossible FIPS PUB 197 Federal Information Processing Stan- differential cryptanalysis.” We argue against their claim, dard Publication 197, U. S. Department of Com- and described impossible differential (ID) distinguishers merce, Nov. 2001. and attacks on reduced-round versions of Venkaiah et al.’s [11] L. R. Knudsen, DEAL- A 128-bit Block Cipher, Tech- AES. We used the same approach as [4] and [7] to con- nical Report #151, University of Bergen, Depart- struct the ID distinguishers and attack 4 and 5 rounds of ment of Informatics, Norway, Feb. 1998. Venkaiah et al.’s design. [12] L. R. Knudsen, and T. A. Berson, “Truncated dif- Table 3 lists the complexities of ID attacks on reduced- ferentials of SAFER,” 3rd Fast Software Encryption round variants of Venkaiah et al.’s design. These complex- Workshop, LNCS 1039, pp. 15-26, D. Gollmann ed- ities are the same as for reduced-round AES. Therefore, its, Springer-Verlag, 1996. we do not agree with their claim that a small branch num- [13] M. Matsui, “Linear cryptanalysis method for DES ci- ber effectively curtails the effect of ID attacks. pher,” Cryptology, Eurocrypt’93, LNCS 765, pp. 386- It is left as an open problem whether there are other 397, T. Helleseth edits, Springer-Verlag, 1994. ID distinguishers that achieve a better tradeoff (more [14] V. C. Venkaiah, K. Srinathan, and B. Bruhadeshwar, rounds, smaller attack complexities) on Venkaiah et al.’s Variations to S-box and MixColumn Transformations AES than (6). of AES, Technical Report, Deemed University, Feb. 2006. Acknowledgments Jorge Nakahara Jr is an assistant professor in Com- The research results presented in this paper were funded puter Science at the Universidade Católica de Santos in by FAPESP under contract 2005/02102-9. Santos, São Paulo, Brazil. He received his MS degree in Electrical Engineering and PhD from the Katholieke Uni- versiteit Leuven, in Leuven, Belgium, 2003. His research References interests include: symmetric and asymmetric cryptogra- phy, with emphasis on cryptanalysis. [1] AES, The Advanced Encryption Standard Develop- ment Process, 1997. (http://csrc.nist.gov/ encryption/aes/) [2] P. S. L. M. Barreto, On Efficient Implementation of InvMixColumn, Manuscript. (http://paginas.terra. com.br/informatica/ paulobarreto/) [3] E. Biham, A. Biryukov, and A. Shamir, Cryptanal- ysis of Skipjack Reduced to 31 Rounds using Impos- sible Differentials, Techical Report CS0947 revised, Technion, CS Department, 1998. [4] E. Biham, A. Biryukov, and A. Shamir, “Miss-in- the-middle attacks on IDEA, Khufu and Khafre,” 6th Fast Software Encryption Workshop, LNCS 1636, pp. 124-138, L. R. Knudsen edits, Springer-Verlag, 1999.