Observations on the Cryptologic Properties of the AES Algorithm

UNIVERSITY OF WOLLONGONG

Observations on the Cryptologic Properties of the AES Algorithm

A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY OF WOLLONGONG

by Beomsik Song

School of Information Technology and Computer Science

April 2004

© Copyright 2004 by Beomsik Song. All Rights Reserved.

Dedicated to my mother, father, daughter, son and wife

Certification

This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution.

Beomsik Song
April 5, 2004

Abstract

The AES algorithm is a symmetric block cipher, which will replace DES for the next few decades. This cipher has been reputed to be secure against conventional cryptanalytic methods, such as DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), but the simple algebraic structure of the cipher has led to some commentators’ concerns about its security. The purpose of this study is to observe the cryptologic properties of the AES algorithm from a new point of view, and to examine the security of this cipher on the basis of these observations.

Some well-known research studies on the security of the AES algorithm are reviewed first, classified into four categories. We then discuss the cyclic properties and consistent differential patterns of this cipher using our own observations, which have been introduced in [7, 8, 9].

In terms of the cyclic properties of the AES algorithm, we have observed that every function used in the AES algorithm has a very short period, and that each layer has a short period as well. But we note that although the maximal periods of both the non-linear layer and the linear layer are short, the maximal period is dramatically increased when these two layers are combined. However, more importantly, we have observed that the AES algorithm still has a very unusual cyclic property for certain types of input blocks even in the combined layer, so that input blocks having short periods have simple hidden algebraic relations with their corresponding output blocks.

In conjunction with the consistent differential patterns of the AES algorithm, we note that the AES structure is very well designed to be secure against DC and LC, as has previously been known. But we have also observed that it leads to some consistent differential patterns after certain rounds, which can be used for its cryptanalysis.

Acknowledgements

First of all, I sincerely and deeply thank Professor Jennifer Seberry, my supervisor. She has always helped me whenever I was in difficulty. I shall never forget her constant affection towards students. I hope that I will have an opportunity to requite her kindness some day.

I also cordially acknowledge those who allowed me to do my Ph.D study and who reserved my position at work during my period of study. Without their help, I would not have been able to study. I will always remember their support.

I would also like to thank Ken Finlayson for his cordial assistance during my studies. I do not know how to thank him for his kindness.

Finally, my thanks go to Professor Reihaneh Safavi-Naini, Doctor Yejing Wang, and Doctor Tianbing Xia as well for the various ways in which they have supported me.

List of Publications

The author has published some papers in this area. The papers are listed below and show how much work the author did in the preparation of this thesis.

  • B. Song, H. Wang, and J. Seberry, “A New Cryptanalytic Method Using the Distribution Characteristics of Substitution Distances”, Proceedings of ICISC 2001, Lecture Notes In Computer Science Vol.2288, pp.18-31, Springer-Verlag, Berlin, 2002.
  • B. Song and J. Seberry, “Consistent Differential Patterns of Rijndael”, Proceedings of ICISC 2002, Lecture Notes In Computer Science Vol.2587, pp.149-163, Springer-Verlag, Berlin, 2003.
  • B. Song and J. Seberry, “Further Observations on the Structure of the AES Algorithm”, Proceedings of FSE 2003, Lecture Notes In Computer Science Vol.2887, pp.223-234, Springer-Verlag, Berlin, 2003.
  • B. Song, J. Seberry and T. Xia, “Design Concept of a Plaintext-Dependent Block Cipher” (submitted).

Contents

Abstract
Acknowledgements
List of Publications
1 Introduction
2 Description of the AES Algorithm
    2.1 Basic mathematics operations
    2.2 Outline of the structure
    2.3 Specification of the functions
    2.4 Expansion of the Cipher Key
    2.5 Inverse cipher
3 Cryptologic Properties of the AES Algorithm
    3.1 Immunity against DC and LC
    3.2 Distinctive output properties of the structure
    3.3 Cryptologic properties of the key schedule
    3.4 Algebraic properties of the algorithm
4 Cyclic Properties of the AES Algorithm
    4.1 Cyclic properties of each function
        4.1.1 Cyclic properties of the SubBytes transformation
        4.1.2 Cyclic properties of the ShiftRows transformation
        4.1.3 Cyclic properties of the MixColumns transformation
    4.2 Cyclic properties of combined functions
        4.2.1 Cyclic properties of the linear layer
        4.2.2 Cyclic properties of the combined layer
    4.3 Comparison with DES
5 Security Impact of the Cyclic Property
    5.1 Cyclic properties of the elementary structure
    5.2 Cryptologic impact
    5.3 Interim conclusion
6 Distinctive Output Properties of the AES Algorithm
    6.1 Differential properties of the S-box
        6.1.1 Distribution of output differences
        6.1.2 Relationship between the S-box and the keys
        6.1.3 Relationship between the ES-box and the keys
        6.1.4 Relationship between the elementary structure and the keys
    6.2 Distinctive output properties of MixColumn
    6.3 Consistent differential patterns of the AES algorithm
        6.3.1 Concept of the consistent differential pattern
        6.3.2 Second-round consistent differential patterns
        6.3.3 2 2/3rd-round consistent differential patterns
        6.3.4 Third-round consistent differential pattern
        6.3.5 Fourth-round consistent differential patterns
        6.3.6 Fifth-round consistent differential pattern
7 Security Impact of the Consistent Differential Pattern
    7.1 Three rounds
    7.2 Four rounds
    7.3 Five rounds
    7.4 Six rounds
    7.5 Seven-round extension
8 Conclusion
A Classifying the substitution values in the ES-box
B Distribution of output differences
C Implementation results of the five-round cryptanalysis
Bibliography

List of Figures

1.1 Elementary structure of the SPN structure block cipher
2.1 Outline of the AES algorithm
2.2 Mixing of four bytes in a column
2.3 Illustration of the InvShiftRows transformation
2.4 Mixing of four bytes in the InvMixColumns transformation
3.1 Illustration of the third-round balanced property
3.2 Fourth-round collision distinguisher of the AES algorithm
3.3 Correlations between the bytes of the expanded key
3.4 Re-grouping of the functions in the elementary structure
4.1 Elementary structure of the AES algorithm
4.2 Illustration of the ShiftRows transformation
4.3 Re-ordering of SubBytes and ShiftRows
5.1 Simple plaintext-ciphertext algebraic relationship in the cipher itself
6.1 Example of the distribution of output differences in the S-box
6.2 Substitution in the S-box
6.3 Substitution in the composition of the S-box and MixColumn
6.4 Elementary structure surrounded by round keys
6.5 Second-round consistent differential patterns 1
6.6 Second-round consistent differential patterns 2
6.7 2 2/3rd-round consistent differential patterns
6.8 Third-round consistent differential pattern
7.1 Checking the fourth-round consistent differential pattern

List of Tables

1.1 Fifteen candidates for the Advanced Encryption Standard
2.1 S-box of the AES algorithm
2.2 S-box⁻¹ of the AES algorithm
3.1 Complexities of the Square attack against the AES algorithm
3.2 Complexities of the IDC against the AES algorithm
4.1 Classifying the substitution values in the S-box
4.2 ES-box
4.3 Classifying the substitution values in the ES-box
4.4 P-box of DES

Chapter 1

Introduction

In 1997, the NIST (National Institute of Standards and Technology) initiated an open call to develop the AES (Advanced Encryption Standard) algorithm to replace DES (Data Encryption Standard) for the next few decades [60]. Fifteen cipher algorithms summarised in Table 1.1 were announced as candidates at the first AES Candidate Conference in August 1998 [61], and then five algorithms were selected as the finalists in August 1999, after the second AES Candidate Conference [62]. These are MARS [11], RC6™ [66], Rijndael [28], Serpent [65], and Twofish [3].

Algorithm    Origin    Structure (Rounds)
CRYPTON      Korea     SPN structure (12)
CAST-256     Canada    Modified Feistel structure (48)
