
International Journal of Network Security, Vol.9, No.3, PP.285–289, Nov. 2009

Analysis of Venkaiah et al.'s AES Design

Jorge Nakahara Jr
Department of Informatics, Universidade Catolica de Santos, UNISANTOS
R. Dr. Carvalho de Mendonça, 144, POBOX 11070-906, São Paulo, Brazil
(Email: jorge [email protected])
(Received Oct. 25, 2006; revised and accepted June 27, 2007)

Abstract

This paper describes impossible differential (ID) attacks on an AES variant designed by Venkaiah et al. They claim that their cipher has improved resistance to ID attacks due to a new MixColumns matrix with branch number 4, which is smaller than that of the original AES. We argue against this statement. The contributions of this paper include ID distinguishers for Venkaiah et al.'s cipher, and a discussion of the susceptibility of such variants to impossible differential and other modern cryptanalytic techniques.

Keywords: AES, block cipher cryptanalysis, impossible differentials

1 Introduction

Rijndael is a Substitution Permutation Network (SPN) type block cipher designed by Joan Daemen and Vincent Rijmen for the AES Development Process, initiated by the National Institute of Standards and Technology (NIST) in the USA in 1997 [1, 9]. The 128-bit block version of Rijndael, with a key of 128, 192 or 256 bits, is officially known as the AES [10]. Typically, text blocks, keys and subkeys are represented compactly by a 4 × N_b state matrix of bytes, where N_b is the number of 32-bit words in a block. For instance, the state matrix for a 4t-byte text block, A = (a_0, a_1, a_2, a_3, a_4, ..., a_{4t-1}), is denoted

$$\mathrm{State} = \begin{pmatrix} a_0 & a_4 & \cdots & a_{4t-4} \\ a_1 & a_5 & \cdots & a_{4t-3} \\ a_2 & a_6 & \cdots & a_{4t-2} \\ a_3 & a_7 & \cdots & a_{4t-1} \end{pmatrix} \qquad (1)$$

namely, with bytes inserted columnwise. Note that byte positions in a state matrix follow the subscripts of the bytes in (1).

There are four layers in a full round of Rijndael, in order: SubBytes (denoted SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (AK_i, where i is the round number) [10].

This paper is organized as follows: Section 2 describes the AES variant by Venkaiah et al. Section 3 gives a brief overview of the impossible-differential technique. Section 5 concludes the paper.

2 Venkaiah et al.'s AES Design

In [14], Venkaiah et al. suggested a variant of AES with a new S-box, a modified MixColumns matrix, and a new irreducible polynomial for GF(2^8). They used x^8 + x^6 + x^5 + x + 1 as primitive irreducible polynomial for GF(2^8), in contrast to the AES irreducible (but not primitive) polynomial x^8 + x^4 + x^3 + x + 1. Their new S-box was constructed based on two transformations, in this order:

• powers of 3, a primitive element in F*_257. If the power is 256, the result is treated as 0.
• take the multiplicative inverse in GF(2^8), with 0 mapped to itself.

One feature of their new S-box is its algebraic expression in GF(2^8) = GF(2)[x]/(x^8 + x^6 + x^5 + x + 1), a polynomial of degree 254 with every coefficient nonzero,

$$S[x] = \sum_{i=0}^{254} c_i \, x^i,$$

whose coefficients c_i (hexadecimal, listed by increasing degree i, ten per row) are:

  i =   0: 01 2f d2 23 dd ed a8 98 49 03
  i =  10: a4 39 78 8e 94 f2 19 66 bc 46
  i =  20: 6f 74 db 70 75 43 e3 eb eb ad
  i =  30: 79 22 fb ed 28 62 f4 24 36 4b
  i =  40: 31 ae bf 3f 57 22 9f a4 b7 96
  i =  50: 56 25 56 8e c7 9c 26 57 05 82
  i =  60: ea bb 2b f6 13 96 c8 5a ba da
  i =  70: 27 60 c8 74 b8 d5 f2 c2 71 a1
  i =  80: c3 85 b7 6d 18 c7 72 ea 07 ac
  i =  90: 18 13 85 b7 a4 c2 23 ee e2 59
  i = 100: 46 34 a1 38 3c 0b 7d b4 41 05
  i = 110: e7 ee 5d 80 b5 15 d4 65 85 8f
  i = 120: ec 50 cc 2a 8f 0c 85 9e 3f 02
  i = 130: e9 6a c4 1e 7a 16 c6 cf 3d 1c
  i = 140: 9b ea fc 96 64 02 85 55 9f 20
  i = 150: 96 ac 6d 96 a7 0e 4f 75 29 a8
  i = 160: b5 fd 66 6d 1f 51 fe 6d 98 cb
  i = 170: f2 d6 61 4d e6 10 4d 80 88 a1
  i = 180: d8 f4 20 f1 17 49 09 f8 90 ce
  i = 190: e6 2f ac 94 19 b8 32 3e b7 06
  i = 200: 93 60 09 22 ee 85 d1 5e 49 d6
  i = 210: 61 47 79 1d 27 7a 19 68 ed 59
  i = 220: c4 e7 4d 7a 75 a3 dd f0 67 0e
  i = 230: 0c da 53 ce 3c a6 c0 70 32 77
  i = 240: 56 95 20 d1 8b 20 a2 d9 ea a7
  i = 250: 58 49 c9 0d 29

This expression is much more involved and certainly not as sparse as the AES S-box expression.

[...] there are 2 × 2 singular submatrices of MC′, such as

$$\begin{pmatrix} 01_x & 01_x \\ 01_x & 01_x \end{pmatrix} \qquad (3)$$

Notice that MC′ uses the same coefficients as the original MixColumns matrix of the AES, but in a different order. The apparent motivation for the choice of MC′ was to speed up the decryption procedure, since MC′ is involutory (it is its own inverse). But this discrepancy between the performance of the AES encryption and decryption procedures can be diminished by other means, as pointed out by Barreto in [2], in which the InvMixColumns matrix is split as

$$\begin{pmatrix} 0e_x & 0b_x & 0d_x & 09_x \\ 09_x & 0e_x & 0b_x & 0d_x \\ 0d_x & 09_x & 0e_x & 0b_x \\ 0b_x & 0d_x & 09_x & 0e_x \end{pmatrix} = \begin{pmatrix} 05_x & 00_x & 04_x & 00_x \\ 00_x & 05_x & 00_x & 04_x \\ 04_x & 00_x & 05_x & 00_x \\ 00_x & 04_x & 00_x & 05_x \end{pmatrix} \cdot \begin{pmatrix} 02_x & 03_x & 01_x & 01_x \\ 01_x & 02_x & 03_x & 01_x \\ 01_x & 01_x & 02_x & 03_x \\ 03_x & 01_x & 01_x & 02_x \end{pmatrix} \qquad (4)$$

The matrix on the right-hand side of (4) is the AES matrix used in encryption mode. The leftmost matrix in (4) is used in decryption mode. According to [2], "InvMixColumn can be efficiently implemented with the same resources as MixColumn, plus six exclusive-ors and four xtime calls".

The main drawback of MC′ is that it is not an MDS matrix like the AES MixColumn matrix. Venkaiah et al. stated in [14] that MC′ "... has branch number 4 and, correspondingly, has low diffusion power."
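The two-step S-box construction of Section 2 and the density of its polynomial expression S[x] can be checked mechanically rather than read off the 255-term listing. The following Python is an added example, not code from the paper or from Venkaiah et al.; it assumes that the first step maps an input byte x to 3^x mod 257 (the page says "powers of 3" without naming the exponent), builds the AES S-box for comparison, and recovers each S-box's unique univariate polynomial over GF(2^8) by interpolation, so the number of nonzero terms can be counted:

```python
"""Univariate polynomial expressions of 8-bit S-boxes over GF(2^8).

Added example (not from the paper).  Assumptions: step one of the Venkaiah
et al. S-box is x -> 3^x mod 257 with 256 treated as 0; field elements are
bytes in the polynomial basis; the AES S-box is inverse + affine map."""

VENKAIAH_POLY = 0x163   # x^8 + x^6 + x^5 + x + 1 (primitive), Venkaiah et al.
AES_POLY = 0x11B        # x^8 + x^4 + x^3 + x + 1 (irreducible, not primitive)


def gf_mul(a, b, mod):
    """Multiply two bytes in GF(2)[x]/(mod), reducing after each shift."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= mod
    return r


def gf_inv(a, mod):
    """Multiplicative inverse a^254 by square-and-multiply; 0 maps to 0."""
    if a == 0:
        return 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a, mod)
        a = gf_mul(a, a, mod)
        e >>= 1
    return r


def venkaiah_sbox():
    """Step 1: x -> 3^x in F_257* (256 -> 0).  Step 2: inverse in GF(2^8)/0x163."""
    table = []
    for x in range(256):
        y = pow(3, x, 257)          # 3 is a primitive root mod 257
        if y == 256:
            y = 0
        table.append(gf_inv(y, VENKAIAH_POLY))
    return table


def aes_sbox():
    """Inverse in GF(2^8)/0x11b followed by the AES affine map (for comparison)."""
    table = []
    for x in range(256):
        b = gf_inv(x, AES_POLY)
        s = b
        for i in range(1, 5):       # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return table


def is_permutation(table):
    return sorted(table) == list(range(256))


def sbox_polynomial(table, mod):
    """Coefficients c[0..255] of the unique P, deg P < 256, with P(a) = table[a].

    P(x) = sum_a f(a) * (1 + (x + a)^255) interpolates f on all of GF(2^8).
    In characteristic 2 every C(255, k) is odd, so the x^k coefficient (k >= 1)
    is sum_a f(a) * a^(255-k), and the constant term collapses to f(0)."""
    powers = []
    for a in range(256):
        row = [1]                   # a^0 = 1, also for a = 0
        for _ in range(255):
            row.append(gf_mul(row[-1], a, mod))
        powers.append(row)
    coeffs = [table[0]]
    for k in range(1, 256):
        c = 0
        for a in range(256):
            c ^= gf_mul(table[a], powers[a][255 - k], mod)
        coeffs.append(c)
    return coeffs


def evaluate(coeffs, x, mod):
    """Horner evaluation of a polynomial over GF(2^8)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x, mod) ^ c
    return acc


def nonzero_degrees(coeffs):
    return [i for i, c in enumerate(coeffs) if c]


if __name__ == "__main__":
    for name, tbl, mod in (("AES", aes_sbox(), AES_POLY),
                           ("Venkaiah et al.", venkaiah_sbox(), VENKAIAH_POLY)):
        degs = nonzero_degrees(sbox_polynomial(tbl, mod))
        print(f"{name}: permutation={is_permutation(tbl)}, "
              f"{len(degs)} nonzero terms, degree {max(degs)}")
```

The AES S-box comes out with its familiar nine-term expression (constant 63_x and degrees 127, 191, 223, 239, 247, 251, 253, 254), because an F_2-affine map composed with x^254 can only produce exponents of the form 254·2^i mod 255. Any permutation of GF(2^8) has a zero coefficient at x^255, which is why both expressions stop at degree 254; a permutation without that affine structure generically fills almost all of the remaining 255 positions, which is what the listing in Section 2 shows.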
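Barreto's factorization (4) and the minor-based meaning of "MDS" can both be verified in a few lines. The Python below is an added example, not the paper's or Barreto's code; it works in the AES field GF(2^8)/(x^8 + x^4 + x^3 + x + 1) because the matrices in (4) are AES matrices, checks that the product in (4) holds, implements the "six exclusive-ors and four xtime calls" correction that (4) implies, tests the MDS property of a 4 × 4 matrix by inspecting all square submatrices, and confirms that the 2 × 2 block in (3) is singular. MC′ itself is not reproduced on this page, so it is not checked here.

```python
"""MixColumns matrices over GF(2^8): factorization (4), MDS test, minors.

Added example (not from the paper).  Assumption: arithmetic in the AES field
0x11b, since every matrix written out in (4) is an AES matrix."""
from itertools import combinations

AES_POLY = 0x11B

MC = [[0x02, 0x03, 0x01, 0x01],      # AES MixColumns (encryption), right factor of (4)
      [0x01, 0x02, 0x03, 0x01],
      [0x01, 0x01, 0x02, 0x03],
      [0x03, 0x01, 0x01, 0x02]]

INV_MC = [[0x0E, 0x0B, 0x0D, 0x09],  # AES InvMixColumns (decryption), left side of (4)
          [0x09, 0x0E, 0x0B, 0x0D],
          [0x0D, 0x09, 0x0E, 0x0B],
          [0x0B, 0x0D, 0x09, 0x0E]]

CORR = [[0x05, 0x00, 0x04, 0x00],    # sparse middle factor of (4)
        [0x00, 0x05, 0x00, 0x04],
        [0x04, 0x00, 0x05, 0x00],
        [0x00, 0x04, 0x00, 0x05]]

SINGULAR_2x2 = [[0x01, 0x01], [0x01, 0x01]]   # equation (3)


def gf_mul(a, b, mod=AES_POLY):
    """Multiply two bytes in GF(2)[x]/(mod)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= mod
    return r


def xtime(a):
    """Multiplication by 02_x in the AES field."""
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF


def mat_mul(A, B):
    """Matrix product over GF(2^8); addition is XOR."""
    return [[_dot(A[i], [B[k][j] for k in range(len(B))]) for j in range(len(B[0]))]
            for i in range(len(A))]


def _dot(u, v):
    acc = 0
    for a, b in zip(u, v):
        acc ^= gf_mul(a, b)
    return acc


def det(M):
    """Determinant over GF(2^8) by Laplace expansion (no signs in characteristic 2)."""
    if len(M) == 1:
        return M[0][0]
    d = 0
    for j in range(len(M)):
        minor = [row[:j] + row[j + 1:] for row in M[1:]]
        d ^= gf_mul(M[0][j], det(minor))
    return d


def is_mds(M):
    """MDS <=> every square submatrix is nonsingular (branch number n+1 for n x n)."""
    n = len(M)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if det([[M[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def mix_column(col, M=MC):
    """Apply a 4x4 matrix to one state column."""
    return [_dot(row, col) for row in M]


def inv_mix_column_barreto(col):
    """InvMixColumns via (4): CORR is applied with 4 xtime calls and 6 XORs,
    then the ordinary MixColumns runs (MC and CORR are circulant, so commute)."""
    c0, c1, c2, c3 = col
    u = xtime(xtime(c0 ^ c2))        # 04_x * (c0 + c2)
    v = xtime(xtime(c1 ^ c3))        # 04_x * (c1 + c3)
    return mix_column([c0 ^ u, c1 ^ v, c2 ^ u, c3 ^ v], MC)


if __name__ == "__main__":
    print("(4) holds:", mat_mul(CORR, MC) == INV_MC)
    print("MC is MDS:", is_mds(MC), " det of (3):", det(SINGULAR_2x2))
```

The `is_mds` check is the practical form of the branch-number argument in Section 2: a 4 × 4 matrix over GF(2^8) has branch number 5 exactly when all of its 1 × 1, 2 × 2, 3 × 3 and 4 × 4 minors are nonzero, so a single singular 2 × 2 block such as (3) already caps the branch number at 4.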