
UNIVERSITY OF WOLLONGONG

Observations on the Cryptologic Properties of the AES Algorithm

A thesis submitted in fulfillment of the

requirements for the award of the degree

Doctor of Philosophy

from

UNIVERSITY OF WOLLONGONG

by

Beomsik Song

School of Information Technology and Computer Science

April 2004

© Copyright 2004

by

Beomsik Song

All Rights Reserved


Dedicated to

my mother, father, daughter, son and wife


Certification

This is to certify that the work reported in this thesis was done

by the author, unless specified otherwise, and that no part of

it has been submitted in a thesis to any other university or

similar institution.

Beomsik Song, April 5, 2004


Abstract

The AES algorithm is a symmetric block cipher, which will replace DES for the next few

decades. This cipher has been reputed to be secure against conventional cryptanalytic

methods, such as DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), but

the simple algebraic structure of the cipher has led to some commentators’ concerns

about its security.

The purpose of this study is to observe the cryptologic properties of the AES algorithm

from a new point of view, and to examine the security of this cipher on the basis of

these observations.

Some well-known research studies on the security of the AES algorithm are reviewed

first, classified into four categories. We then discuss the cyclic properties and consistent differential patterns of this cipher using our own observations, which have been

introduced in [7, 8, 9].

In terms of the cyclic properties of the AES algorithm, we have observed that every

function used in the AES algorithm has a very short period, and that each layer has a

short period as well. But we note that although the maximal periods of both the non-linear layer and the linear layer are short, the maximal period is dramatically increased

when these two layers are combined. However, more importantly, we have observed

that the AES algorithm still has a very unusual cyclic property for certain types of

input blocks even in the combined layer, so that input blocks having short periods have

simple hidden algebraic relations with their corresponding output blocks.

In conjunction with the consistent differential patterns of the AES algorithm, we note

that the AES structure is very well designed to be secure against DC and LC, as has

previously been known. But we have also observed that it leads to some consistent

differential patterns after certain rounds, which can be used for its cryptanalysis.


Acknowledgements

First of all, I sincerely and deeply thank Professor Jennifer Seberry, my supervisor.

She has always helped me whenever I was in difficulty. I shall never forget her constant affection towards students. I hope that I will have an opportunity to requite her

kindness some day.

I also cordially acknowledge those who allowed me to do my Ph.D study and who

reserved my position at work during my period of study. Without their help, I would

not have been able to study. I will always remember their support.

I would also like to thank Ken Finlayson for his cordial assistance during my studies.

I do not know how to thank him for his kindness.

Finally, my thanks go to Professor Reihaneh Safavi-Naini, Doctor Yejing Wang, and

Doctor Tianbing Xia as well for the various ways in which they have supported me.


List of Publications

The author has published the following papers in this area; they reflect the work carried out in the preparation of this thesis.

• B. Song, H. Wang, and J. Seberry, “A New Cryptanalytic Method Using the Distribution Characteristics of Substitution Distances”, Proceedings of ICISC 2001, Lecture Notes in Computer Science Vol. 2288, pp. 18-31, Springer-Verlag, Berlin, 2002.

• B. Song and J. Seberry, “Consistent Differential Patterns of Rijndael”, Proceedings of ICISC 2002, Lecture Notes in Computer Science Vol. 2587, pp. 149-163, Springer-Verlag, Berlin, 2003.

• B. Song and J. Seberry, “Further Observations on the Structure of the AES Algorithm”, Proceedings of FSE 2003, Lecture Notes in Computer Science Vol. 2887, pp. 223-234, Springer-Verlag, Berlin, 2003.

• B. Song, J. Seberry and T. Xia, “Design Concept of a Plaintext-Dependent Block Cipher” (submitted).


Contents

Abstract v

Acknowledgements vi

List of Publications vii

1 Introduction 1

2 Description of the AES Algorithm 5

2.1 Basic mathematics operations . . . . . . . . . . . . . . . . . . . . . . . 5

2.2 Outline of the structure . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.3 Specification of the functions . . . . . . . . . . . . . . . . . . . . . . . . 8

2.4 Expansion of the Cipher Key . . . . . . . . . . . . . . . . . . . . . . . 12

2.5 Inverse cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3 Cryptologic Properties of the AES Algorithm 16

3.1 Immunity against DC and LC . . . . . . . . . . . . . . . . . . . . . . . 16

3.2 Distinctive output properties of the structure . . . . . . . . . . . . . . . 19

3.3 Cryptologic properties of the key schedule . . . . . . . . . . . . . . . . 25

3.4 Algebraic properties of the algorithm . . . . . . . . . . . . . . . . . . . 29

4 Cyclic Properties of the AES Algorithm 39

4.1 Cyclic properties of each function . . . . . . . . . . . . . . . . . . . . . 40

4.1.1 Cyclic properties of the SubBytes transformation . . . . . . . . 41

4.1.2 Cyclic properties of the ShiftRows transformation . . . . . . . . 43

4.1.3 Cyclic properties of the MixColumns transformation . . . . . . 43

4.2 Cyclic properties of combined functions . . . . . . . . . . . . . . . . . . 46

4.2.1 Cyclic properties of the linear layer . . . . . . . . . . . . . . . . 46

4.2.2 Cyclic properties of the combined layer . . . . . . . . . . . . . . 48


4.3 Comparison with DES . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

5 Security Impact of the Cyclic Property 54

5.1 Cyclic properties of the elementary structure . . . . . . . . . . . . . . . 54

5.2 Cryptologic impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

5.3 Interim conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

6 Distinctive Output Properties of the AES Algorithm 61

6.1 Differential properties of the S-box . . . . . . . . . . . . . . . . . . . . 62

6.1.1 Distribution of output differences . . . . . . . . . . . . . . . . . 62

6.1.2 Relationship between the S-box and the keys . . . . . . . . . . 64

6.1.3 Relationship between the ES-box and the keys . . . . . . . . . 65

6.1.4 Relationship between the elementary structure and the keys . . 66

6.2 Distinctive output properties of MixColumn . . . . . . . . . . . . . . . 67

6.3 Consistent differential patterns of the AES algorithm . . . . . . . . . . 68

6.3.1 Concept of the consistent differential pattern . . . . . . . . . . . 69

6.3.2 Second-round consistent differential patterns . . . . . . . . . . . 69

6.3.3 223rd-round consistent differential patterns . . . . . . . . . . . . 72

6.3.4 Third-round consistent differential pattern . . . . . . . . . . . . 73

6.3.5 Fourth-round consistent differential patterns . . . . . . . . . . . 75

6.3.6 Fifth-round consistent differential pattern . . . . . . . . . . . . 78

7 Security Impact of the Consistent Differential Pattern 81

7.1 Three rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

7.2 Four rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

7.3 Five rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

7.4 Six rounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

7.5 Seven-round extension . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

8 Conclusion 92

A Classifying the substitution values in the ES-box 94

B Distribution of output differences 101

C Implementation results of the five-round cryptanalysis 105

Bibliography 109


List of Figures

1.1 Elementary structure of the SPN structure block cipher . . . . . . . . . 2

2.1 Outline of the AES algorithm . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Mixing of four bytes in a column . . . . . . . . . . . . . . . . . . . . . 11

2.3 Illustration of the InvShiftRows transformation . . . . . . . . . . . . . 14

2.4 Mixing of four bytes in the InvMixColumns transformation . . . . . . . 15

3.1 Illustration of the third-round balanced property . . . . . . . . . . . . . 20

3.2 Fourth-round collision distinguisher of the AES algorithm . . . . . . . . 23

3.3 Correlations between the bytes of the expanded key . . . . . . . . . . . 28

3.4 Re-grouping of the functions in the elementary structure . . . . . . . . 30

4.1 Elementary structure of the AES algorithm . . . . . . . . . . . . . . . . 40

4.2 Illustration of the ShiftRows transformation . . . . . . . . . . . . . . . 43

4.3 Re-ordering of SubBytes and ShiftRows . . . . . . . . . . . . . . . . . . 50

5.1 Simple plaintext-ciphertext algebraic relationship in the cipher itself . . 58

6.1 Example of the distribution of output differences in the S-box . . . . . 63

6.2 Substitution in the S-box . . . . . . . . . . . . . . . . . . . . . . . . . 64

6.3 Substitution in the composition of the S-box and MixColumn . . . . . 66

6.4 Elementary structure surrounded by round keys . . . . . . . . . . . . . 67

6.5 Second-round consistent differential patterns 1 . . . . . . . . . . . . . . 71

6.6 Second-round consistent differential patterns 2 . . . . . . . . . . . . . . 71

6.7 223rd-round consistent differential patterns . . . . . . . . . . . . . . . . 73

6.8 Third-round consistent differential pattern . . . . . . . . . . . . . . . . 74

7.1 Checking the fourth-round consistent differential pattern . . . . . . . . 88


List of Tables

1.1 Fifteen candidates for the Advanced Encryption Standard . . . . . . . 1

2.1 S-box of the AES algorithm . . . . . . . . . . . . . . . . . . . . . . . . 9

2.2 S-box−1 of the AES algorithm . . . . . . . . . . . . . . . . . . . . . . . 14

3.1 Complexities of the Square attack against the AES algorithm . . . . . . 21

3.2 Complexities of the IDC against the AES algorithm . . . . . . . . . . . 22

4.1 Classifying the substitution values in the S-box . . . . . . . . . . . . . 41

4.2 ES-box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

4.3 Classifying the substitution values in the ES-box . . . . . . . . . . . . 51

4.4 P-box of DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52


Chapter 1

Introduction

In 1997, the NIST (National Institute of Standards and Technology) initiated an open

call to develop the AES (Advanced Encryption Standard) algorithm to replace DES

(Data Encryption Standard) for the next few decades [60]. Fifteen cipher algorithms

summarised in Table 1.1 were announced as candidates at the first AES Candidate

Conference in August 1998 [61], and then five algorithms were selected as the finalists

in August 1999, after the second AES Candidate Conference [62]. These are MARS

[11], RC6TM [66], Rijndael [28], Serpent [65], and Twofish [3].

Algorithm   Structure (Rounds)               Origin
CRYPTON     SPN structure (12)               Korea
CAST-256    Modified Feistel structure (48)  Canada
DEAL        Feistel structure (6)            Canada and Norway
DFC         Feistel structure (8)            France
E2          Feistel structure (12)           Japan
FROG        (8)                              Costa Rica
HPC         Modified Feistel structure (8)   USA
LOKI97      Feistel structure (16)           Australia
MAGENTA     Feistel structure (6)            Germany
MARS        Modified Feistel structure (32)  USA
RC6         Modified Feistel structure (20)  USA
RIJNDAEL    SPN structure (10)               Belgium
SAFER+      SPN structure (8)                USA
SERPENT     SPN structure (32)               UK, Norway and Israel
TWOFISH     Feistel structure (16)           USA

Table 1.1: Fifteen candidates for the Advanced Encryption Standard


Then a well-designed SPN (Substitution Permutation Network) structure block cipher,

Rijndael [28] was adopted (26th November 2001) as the AES algorithm (FIPS PUB

197) [63].

Note: As is well known, together with the Feistel structure [3, 39, 43,

59], the SPN structure [12, 27, 34, 65] is the most commonly used block

cipher structure. One round usually consists of two layers: a non-linear

substitution layer and a linear transformation layer as described in Figure

1.1. The non-linear layer takes charge of obscuring the relationship between

the plaintext and the ciphertext (confusion), and the linear layer has the

role of dissipating the redundancy of the plaintext by spreading it over

the ciphertext (diffusion) [4, 5]. These kinds of block ciphers ensure their

security by the repetitions of the elementary structure.

[Figure 1.1: Elementary structure of the SPN structure block cipher. The input bytes I0, I1, I2, I3, ..., Ip, ..., Iq, ..., In-1 pass through the S-boxes S(I0), ..., S(In-1) (non-linear layer), then through the linear transformation, and the result is XORed with the round key.]

Figure 1.1: Elementary structure of the SPN structure block cipher

The AES algorithm (Rijndael) has been reputed to be secure against conventional

cryptanalytic methods [28, 52], such as DC (Differential Cryptanalysis) [19] and LC

(Linear Cryptanalysis) [50], and throughout the AES selection process its security

was examined with considerable cryptanalytic methods [22, 25, 28, 58, 68]. Also, the

designers have stated that the AES algorithm was designed to be secure against some

other known cryptanalytic methods, such as truncated differential cryptanalysis [46, 47],

related key attack [23, 33], and interpolation attack [75]. However, despite the novelty

[29] and advantages [62, 64] of the AES algorithm, the simple algebraic structure of

this cipher has led to some commentators’ concerns about the security of this cipher


[48, 57, 67, 69, 70]. In particular, S. Murphy and M.J.B. Robshaw [69, 70] have modified

the original structure of the AES algorithm so that the affine transformation, which is

one of the functions used for generating the S-box (non-linear layer), moves to the linear

layer, and have shown that any input to the modified linear layer of the AES algorithm

is mapped to itself after 16 iterations of the modified linear transformation (that is, the maximal period of the modified linear layer is 16) [69, 70]. Based on these observations,

they have noted that the linear layer of the AES algorithm is surprisingly ineffective at

“mixing data” (definition in Chapter 3), contrary to what might have been expected.

They have also remarked that the unusual properties of the linear layer could imply

considerable algebraic weaknesses of the AES algorithm from a cryptanalytic point of

view. However, this research has led to an immediate refutation by the designers of

the AES algorithm [29] due to the fact that their observations have been restricted to

the linear layer, and that they have not shown practical connections between the short

period of the modified linear layer and cryptological weaknesses of this cipher. More

recently, through the proposal of the XSL attack, N. Courtois and J. Pieprzyk have

shown that the AES algorithm has unexpected algebraic properties, and that the AES

algorithm can be described by a system of overdefined and sparse quadratic equations

[55, 56]. They have also noted that the security of the AES algorithm is equivalent to

the difficulty of solving this system. From their observations, they have remarked that

“the security of Rijndael does not grow exponentially with the number of rounds”, and

have commented that “in order to prevent such attacks, at least a few S-boxes in a

cipher should not be described by a small system of overdefined multivariate equations”.

S. Murphy and M.J.B. Robshaw have also supported this idea in [71, 72]. However,

in spite of this significant progress in the cryptanalysis of the AES algorithm, it seems

to be still arguable whether the AES algorithm is seriously weak from a cryptological

point of view. Considering that the AES algorithm is a representative SPN structure

block cipher, and will be used for the next few decades, it is worth analysing the

cryptologic properties of the AES algorithm in further depth. If we understand which

part of the AES algorithm causes weakness from a cryptologic perspective, then it can

be considered in the design of other SPN structure block ciphers.

In this thesis, we introduce our further studies on the cryptologic properties of the

AES algorithm. In Chapter 2, we first describe the structure of the AES algorithm,

which we will study in this thesis. In Chapter 3, we then review some of the cryptologic properties of the AES algorithm which have been observed since Rijndael was


proposed for the process of the AES selection. For the review, we classify the previous observations into four categories: the immunity of the AES algorithm against DC

and LC, distinctive output properties of the AES structure, cryptologic properties of

the key schedule, and algebraic properties of the algorithm. From Chapter 4 on, we

discuss our own observations on the cryptologic properties of the AES algorithm. In

Chapter 4, we study the cyclic properties of the AES algorithm. We observe that every

function used in the AES algorithm has a very short period, and that each layer has a

short period as well. But we note that although the maximal periods of both the non-linear layer and the linear layer are short, the maximal period is dramatically increased

when these two layers are combined. In Chapter 5, we discuss the impact of the cyclic

properties on the security of the AES algorithm. We find that the AES algorithm has

a very unusual cyclic property for certain types of input blocks. We show that input

blocks with short periods could have relatively simple hidden algebraic relationships

with their corresponding output blocks. In Chapter 6, we observe some distinctive

output properties of the AES algorithm. We first discuss the differential properties of

the S-box used in the non-linear layer. We then find some distinctive output properties

of the matrix multiplication used in the linear layer. After this, we discuss consistent

differential patterns of the AES algorithm. We show that the AES algorithm is very

well designed to be secure against DC (the S-box yields well-distributed output differences for any input difference), but that it leads to some consistent differential patterns

after certain rounds. Before discussing the consistent differential patterns of the AES

algorithm, we define the concept of the consistent differential pattern. In Chapter 7,

we show the impact of the consistent differential patterns on the security of the AES

algorithm. Finally, in Chapter 8, we summarise our observations.

Chapter 2

Description of the AES Algorithm

In this chapter, we describe the structure of the AES algorithm. We first specify the

basic mathematics operations used in the algorithm: addition and multiplication. We

then explain the outline of the structure, followed by the role of each function. Finally,

we describe the procedures of the key expansion and the inverse cipher. Although the

structure of Rijndael [28] is the same as that of the AES algorithm, we have used the

Standard [63] itself for the basis of our discussion and study. When we refer to the non-standard part (for example, 192 or 256-bit data blocks), we will use the representation

of Rijndael.

2.1 Basic mathematics operations

All the bytes in the algorithm are interpreted as finite field elements using a polynomial

representation, as described below:

$$b_7x^7 + b_6x^6 + b_5x^5 + b_4x^4 + b_3x^3 + b_2x^2 + b_1x + b_0 = \sum_{i=0}^{7} b_i x^i.$$

For example, the byte ‘e7’ = (11100111) identifies the specific finite field element $x^7 + x^6 + x^5 + x^2 + x + 1$. Throughout the algorithm, all the input bytes are added and multiplied as outlined below; that is, the algorithm uses the following mathematical concepts for addition and multiplication.

Addition

In the polynomial representation, the addition of two elements in a finite field is the

sum modulo 2 of the coefficients for the corresponding powers in the polynomials for

the two elements. That is, the addition is performed with the bitwise XOR (denoted


by ⊕) at the byte level. For example, the addition of ‘57′ and ‘83′ can be described as

$$(x^6 + x^4 + x^2 + x + 1) + (x^7 + x + 1) = x^7 + x^6 + x^4 + x^2$$

in the polynomial notation and as

(01010111) ⊕ (10000011) = (11010100)

in the binary notation, so the result is ‘d4′ in the hexadecimal notation.

Multiplication

In the polynomial representation, the multiplication (denoted by $\cdot$) in GF($2^8$) of two elements is achieved by the multiplication of polynomials modulo an irreducible polynomial of degree 8. For the AES algorithm, this irreducible polynomial is given by

$$m(x) = x^8 + x^4 + x^3 + x + 1.$$

For example, ‘57’ $\cdot$ ‘83’ = ‘c1’ due to the following polynomial computations:

$$(x^6 + x^4 + x^2 + x + 1)(x^7 + x + 1) = x^{13} + x^{11} + x^9 + x^8 + x^7 + x^7 + x^5 + x^3 + x^2 + x + x^6 + x^4 + x^2 + x + 1 = x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1$$

and

$$(x^{13} + x^{11} + x^9 + x^8 + x^6 + x^5 + x^4 + x^3 + 1) \bmod (x^8 + x^4 + x^3 + x + 1) = x^7 + x^6 + 1 = (11000001) = \text{‘c1’}.$$

The modular reduction by the irreducible polynomial m(x) ensures that the result

will be a binary polynomial of degree less than 8. The multiplication defined above

is associative and there exists a multiplicative identity ‘01′. For any non-zero binary

polynomial $b(x)$ of degree less than 8, the multiplicative inverse, $b^{-1}(x)$, can be found as follows: the extended Euclidean algorithm [1] can be used to compute polynomials $a(x)$ and $c(x)$ such that

$$b(x)a(x) + m(x)c(x) = 1.$$

Hence, $a(x) \cdot b(x) \bmod m(x) = 1$, and

$$b^{-1}(x) = a(x) \bmod m(x).$$


2.2 Outline of the structure

The AES algorithm is an SPN structure block cipher that can process data blocks

of 128 bits with variable-length Cipher Keys (128, 192, and 256 bits) [63]. Although

Rijndael, the origin of the AES algorithm, was designed to handle additional block

sizes (192 and 256 bits) [28], these block sizes are not considered as the Standard.

Therefore, following the Standard, we refer to the algorithm as “AES-128”, “AES-

192”, and “AES-256” according to the key sizes.

[Figure 2.1: Outline of the AES algorithm (AES-128). Input: 16 bytes. The initial round key RK0 is XORed to the input; rounds 1 to 9 each apply SB, SR and MC and then XOR the round key RKp; the final (10th) round applies SB and SR only and then XORs RK10. Output: 16 bytes.]

SB: SubBytes transformation; SR: ShiftRows transformation; MC: MixColumns transformation; RKp: pth round key.

Figure 2.1: Outline of the AES algorithm


As shown in Figure 2.1, the elementary structure (one round) of the AES algorithm

consists of two layers: a non-linear layer (SubBytes transformation) and a linear layer

(ShiftRows transformation and MixColumns transformation). Each byte in an input

block is bytewise substituted by the SubBytes transformation using a substitution table

(S-box) described in Table 2.1, and then every byte in each row is cyclically shifted by

a certain value by the ShiftRows transformation (bytes in row #0: 0, bytes in row

#1: 1, bytes in row #2: 2, bytes in row #3: 3) as illustrated in (2.1). After this,

all four bytes in each column are mixed by the matrix formula in Figure 2.2 through

the MixColumns transformation. After these operations, a 128-bit round key extended

from the Cipher Key is XORed in the last part of each round. The MixColumns

transformation is omitted in the last round (AES-128: 10th round, AES-192: 12th

round, AES-256: 14th round), but before the first round a 128-bit initial round key,

which is actually the same as the Cipher Key, is XORed to the plaintext through the

initial round key addition routine. The decryption is the reverse order of the encryption,

and the inverses of each operation are used, namely the InvSubBytes transformation,

InvShiftRows transformation and InvMixColumns transformation.

2.3 Specification of the functions

As previously mentioned in the outline of the structure, the elementary structure of the

AES algorithm consists of three functions: the SubBytes transformation, the ShiftRows

transformation, and the MixColumns transformation. The SubBytes transformation,

which is the non-linear layer of the algorithm, takes charge of confusion, and the

ShiftRows transformation and MixColumns transformation, which belong to the linear

layer, are used for diffusion.

SubBytes transformation

The SubBytes transformation is a non-linear byte substitution that operates independently on each byte of the input block. The core of this operation is the S-box with 256

substitution paths as described in Table 2.1, and this invertible S-box is constructed

from the composition of the following two functions:

1. For any input byte, take the multiplicative inverse in the finite field GF($2^8$), as described in Section 2.1. The value ‘00’ is mapped to itself.


2. Apply an affine transformation over GF(2) defined by

$$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$$

for $0 \le i < 8$, where $b_i$ is the $i$th bit of the byte, and $c_i$ is the $i$th bit of the fixed value ‘63’ = (01100011). This can be expressed in the following matrix form:

$$\begin{pmatrix} b'_0 \\ b'_1 \\ b'_2 \\ b'_3 \\ b'_4 \\ b'_5 \\ b'_6 \\ b'_7 \end{pmatrix} =
\begin{pmatrix}
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \end{pmatrix} +
\begin{pmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{pmatrix}.$$

(Row index: high nibble of the input byte; column index: low nibble.)

      0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
  0  63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
  1  ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
  2  b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
  3  04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
  4  09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
  5  53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
  6  d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
  7  51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
  8  cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
  9  60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
  a  e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
  b  e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
  c  ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
  d  70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
  e  e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
  f  8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

e.g. input value: 0x65 (row 6, column 5) → output value: 0x4d

Table 2.1: S-box of the AES algorithm

It is noted that we will sometimes use the notation SubBytes for the mathematical

representation of the SubBytes transformation. When the SubBytes transformation is


applied to just one byte, we use the notation SubByte without an ‘s’. The following

is an example of the SubBytes transformation (Sin is an input block and Sout is the

corresponding output block):

        | 26 17 66 f0 |              | f7 f0 33 8c |
  Sin : | 10 69 ab 01 |   −→  Sout : | ca f9 62 7c |
        | 63 09 cd 65 |              | fb 01 bd 4d |
        | 03 11 ef 00 |              | 7b 82 df 63 |
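The following Python is an added example and not code from the thesis: it implements the GF($2^8$) arithmetic of Section 2.1 (XOR addition, polynomial multiplication reduced by $m(x)$, and the extended Euclidean inverse), then generates the S-box of Table 2.1 exactly as described above, as the multiplicative inverse followed by the affine map with constant ‘63’. The constants are those of the Standard; the only page-specific inputs are the worked values ‘57’, ‘83’, ‘c1’ and the SubBytes example block, which are taken from the text and used as checks.

```python
# Added example, not code from the thesis: GF(2^8) arithmetic as used by AES
# (Section 2.1) and construction of the S-box from the multiplicative inverse
# followed by the affine transformation (Section 2.3).

M_X = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_add(a: int, b: int) -> int:
    """Addition in GF(2^8) is coefficient-wise XOR, e.g. 57 + 83 = d4."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Carry-less product of two binary polynomials, not reduced (degree <= 14)."""
    product = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            product ^= a << i
    return product


def poly_divmod(a: int, b: int):
    """Quotient and remainder of binary polynomials a / b (long division over GF(2))."""
    q = 0
    while a and a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8): polynomial product reduced modulo m(x)."""
    return poly_divmod(poly_mul(a, b), M_X)[1]


def gf_inv(b: int) -> int:
    """Multiplicative inverse by the extended Euclidean algorithm: find a(x) with
    b(x)a(x) + m(x)c(x) = 1, so b^-1(x) = a(x) mod m(x).  00 is mapped to 00,
    which is what the S-box construction requires."""
    if b == 0:
        return 0
    r0, r1 = M_X, b          # remainders; gcd(b, m) = 1 since m(x) is irreducible
    a0, a1 = 0, 1            # cofactors of b(x):  r_k = a_k * b(x) + c_k * m(x)
    while r1 != 1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        a0, a1 = a1, a0 ^ poly_mul(q, a1)
    return poly_divmod(a1, M_X)[1]


def affine(b: int) -> int:
    """b'_i = b_i + b_(i+4) + b_(i+5) + b_(i+6) + b_(i+7) + c_i (indices mod 8), c = 63."""
    out = 0
    for i in range(8):
        bit = ((b >> i) ^ (b >> ((i + 4) % 8)) ^ (b >> ((i + 5) % 8))
               ^ (b >> ((i + 6) % 8)) ^ (b >> ((i + 7) % 8))) & 1
        out |= bit << i
    return out ^ 0x63


def sub_byte(x: int) -> int:
    """One S-box entry: inverse in GF(2^8), then the affine transformation."""
    return affine(gf_inv(x))


SBOX = [sub_byte(x) for x in range(256)]


def sub_bytes(state_rows):
    """SubBytes on a 4x4 block given as a list of rows, as in the thesis's example."""
    return [[SBOX[b] for b in row] for row in state_rows]


# The SubBytes example of Section 2.3 (Sin -> Sout), used here as a check.
EXAMPLE_IN = [[0x26, 0x17, 0x66, 0xf0], [0x10, 0x69, 0xab, 0x01],
              [0x63, 0x09, 0xcd, 0x65], [0x03, 0x11, 0xef, 0x00]]
EXAMPLE_OUT = [[0xf7, 0xf0, 0x33, 0x8c], [0xca, 0xf9, 0x62, 0x7c],
               [0xfb, 0x01, 0xbd, 0x4d], [0x7b, 0x82, 0xdf, 0x63]]

if __name__ == "__main__":
    print(hex(gf_add(0x57, 0x83)), hex(gf_mul(0x57, 0x83)), hex(SBOX[0x65]))
    print(sub_bytes(EXAMPLE_IN) == EXAMPLE_OUT)
```

The inverse is computed by the extended Euclidean algorithm rather than by a log/antilog table so that the step $b(x)a(x) + m(x)c(x) = 1$ from Section 2.1 is visible in the code; the loop invariant is that each remainder $r_k$ equals $a_k \cdot b(x)$ plus a multiple of $m(x)$, so when the remainder reaches 1 the cofactor $a_k$ is the inverse.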

ShiftRows transformation

The ShiftRows transformation is one of the two functions constructing the linear layer

of the algorithm. In the ShiftRows transformation, every byte in each row is cyclically

shifted to the left by a certain offset, as illustrated in (2.1) (bytes in row #0: 0 (no

shift), bytes in row #1: 1, bytes in row #2: 2, bytes in row #3: 3). This has the effect

of moving the bytes to lower positions in the row, and the designers mention that

this operation is used for enhancing resistance against some attacks using truncated

differentials [46].

        | b0,0 b0,1 b0,2 b0,3 |              | b0,0 b0,1 b0,2 b0,3 |
  Sin : | b1,0 b1,1 b1,2 b1,3 |   −→  Sout : | b1,1 b1,2 b1,3 b1,0 |          (2.1)
        | b2,0 b2,1 b2,2 b2,3 |              | b2,2 b2,3 b2,0 b2,1 |
        | b3,0 b3,1 b3,2 b3,3 |              | b3,3 b3,0 b3,1 b3,2 |

MixColumns transformation

In the MixColumns transformation, each column in an input block is considered as a four-term polynomial over GF($2^8$), and multiplied modulo $x^4 + 1$ with a fixed polynomial

$$f(x) = \mathtt{03}\,x^3 + \mathtt{01}\,x^2 + \mathtt{01}\,x + \mathtt{02}.$$

For more detail, let us suppose that a certain column in an input block of the MixColumns transformation is a four-byte word $(b_0, b_1, b_2, b_3)$. Then this column is denoted as

$$b(x) = b_3x^3 + b_2x^2 + b_1x + b_0$$

in a four-term polynomial. If the polynomial $b(x)$ is multiplied with $f(x)$, then

$$h(x) = h_6x^6 + h_5x^5 + h_4x^4 + h_3x^3 + h_2x^2 + h_1x + h_0$$


where

$$\begin{aligned}
h_0 &= \mathtt{02} \cdot b_0 & h_4 &= \mathtt{03} \cdot b_1 \oplus \mathtt{01} \cdot b_2 \oplus \mathtt{01} \cdot b_3 \\
h_1 &= \mathtt{01} \cdot b_0 \oplus \mathtt{02} \cdot b_1 & h_5 &= \mathtt{03} \cdot b_2 \oplus \mathtt{01} \cdot b_3 \\
h_2 &= \mathtt{01} \cdot b_0 \oplus \mathtt{01} \cdot b_1 \oplus \mathtt{02} \cdot b_2 & h_6 &= \mathtt{03} \cdot b_3 \\
h_3 &= \mathtt{03} \cdot b_0 \oplus \mathtt{01} \cdot b_1 \oplus \mathtt{01} \cdot b_2 \oplus \mathtt{02} \cdot b_3.
\end{aligned}$$

At this stage, $h(x)$ does not represent a four-byte word. Now, if we reduce $h(x)$ modulo the polynomial $x^4 + 1$, using the property

$$x^i \bmod (x^4 + 1) = x^{i \bmod 4},$$

then the result is a polynomial of degree less than 4. The modular product of $f(x)$ and $b(x)$ is given by the four-term polynomial

$$d(x) = d_3x^3 + d_2x^2 + d_1x + d_0 \qquad (2.2)$$

where

$$\begin{aligned}
d_0 &= (\mathtt{02} \cdot b_0) \oplus (\mathtt{03} \cdot b_1) \oplus (\mathtt{01} \cdot b_2) \oplus (\mathtt{01} \cdot b_3) \\
d_1 &= (\mathtt{01} \cdot b_0) \oplus (\mathtt{02} \cdot b_1) \oplus (\mathtt{03} \cdot b_2) \oplus (\mathtt{01} \cdot b_3) \\
d_2 &= (\mathtt{01} \cdot b_0) \oplus (\mathtt{01} \cdot b_1) \oplus (\mathtt{02} \cdot b_2) \oplus (\mathtt{03} \cdot b_3) \\
d_3 &= (\mathtt{03} \cdot b_0) \oplus (\mathtt{01} \cdot b_1) \oplus (\mathtt{01} \cdot b_2) \oplus (\mathtt{02} \cdot b_3).
\end{aligned}$$

If we now express (2.2) as a matrix multiplication, then we see the matrix formula

in Figure 2.2. That is, the MixColumns transformation takes charge of mixing four

bytes in each column with the matrix formula in Figure 2.2. It is noted that we will

sometimes use the notation MixColumns for the mathematical representation of the

MixColumns transformation. When the MixColumns transformation is applied to just

one column, we use the notation MixColumn without an ‘s’.

$$\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix} =
\begin{pmatrix}
\mathtt{02} & \mathtt{03} & \mathtt{01} & \mathtt{01} \\
\mathtt{01} & \mathtt{02} & \mathtt{03} & \mathtt{01} \\
\mathtt{01} & \mathtt{01} & \mathtt{02} & \mathtt{03} \\
\mathtt{03} & \mathtt{01} & \mathtt{01} & \mathtt{02}
\end{pmatrix}
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}$$

Figure 2.2: Mixing of four bytes in a column


2.4 Expansion of the Cipher Key

The AES algorithm takes the Cipher Key, K, and generates Round Keys from the

Cipher Key, performing a Key Expansion routine. Let us denote the number of rounds of the AES algorithm by $N_r$, the number of columns in the Cipher Key by $N_k$, and the columns of the Cipher Key by

$$Cl_0, Cl_1, \ldots, Cl_{N_k-1}.$$

Then the total number of columns for all the round keys, which is required for the whole round encryption, is

$$4 \times (N_r + 1),$$

considering that the number of columns in a data block is four, and that there is an initial round key addition routine before the first round. Now, if we index, in order, all the columns in the round keys by

$$Rl_0, Rl_1, Rl_2, \ldots, Rl_n, \ldots, Rl_{4(N_r+1)-1},$$

then the columns are generated in the following manner:

• if $N_k = 4$ or $6$ (AES-128 or AES-192), then

  $Rl_0 = Cl_0,\ Rl_1 = Cl_1,\ \ldots,\ Rl_{N_k-1} = Cl_{N_k-1}$

  $Rl_n = Rl_{n-N_k} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1})) \oplus Rcon[n/N_k]$ if $n \bmod N_k = 0$

  $Rl_n = Rl_{n-N_k} \oplus Rl_{n-1}$ otherwise

• if $N_k = 8$ (AES-256), then

  $Rl_0 = Cl_0,\ Rl_1 = Cl_1,\ \ldots,\ Rl_{N_k-1} = Cl_{N_k-1}$

  $Rl_n = Rl_{n-N_k} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1})) \oplus Rcon[n/N_k]$ if $n \bmod N_k = 0$

  $Rl_n = Rl_{n-N_k} \oplus \mathrm{SubBytes}(Rl_{n-1})$ if $n \bmod N_k = 4$ (no round constant is added in this case [63])

  $Rl_n = Rl_{n-N_k} \oplus Rl_{n-1}$ otherwise

Here, we note that SubBytes is the byte substitution by the S-box, and that RotBytes is the rotation of bytes by

$$\mathrm{RotBytes}(b_0, b_1, b_2, b_3) \longrightarrow (b_1, b_2, b_3, b_0).$$

The round constants are defined by

$$Rcon[i] = (x^{i-1}, \mathtt{0x00}, \mathtt{0x00}, \mathtt{0x00})$$

with $x^{i-1}$ being powers of $x$ (= ‘02’) in GF($2^8$).

The following shows the round constants obtained from the above definition:

Rcon[1] = (0x01, 0x00, 0x00, 0x00),
Rcon[2] = (0x02, 0x00, 0x00, 0x00),
Rcon[3] = (0x04, 0x00, 0x00, 0x00),
Rcon[4] = (0x08, 0x00, 0x00, 0x00),
Rcon[5] = (0x10, 0x00, 0x00, 0x00),
Rcon[6] = (0x20, 0x00, 0x00, 0x00),
Rcon[7] = (0x40, 0x00, 0x00, 0x00),        (Rcon[1] to Rcon[7] are used for AES-256)
Rcon[8] = (0x80, 0x00, 0x00, 0x00),        (Rcon[1] to Rcon[8] for AES-192)
Rcon[9] = (0x1b, 0x00, 0x00, 0x00),
Rcon[10] = (0x36, 0x00, 0x00, 0x00)        (Rcon[1] to Rcon[10] for AES-128).

Finally, the columns generated by the above key expansion routine are allocated to the round keys four columns at a time, as shown below:

$$RK_i = (Rl_{4i},\ Rl_{4i+1},\ Rl_{4i+2},\ Rl_{4i+3}).$$

The following shows an example of the round key allocation in the case of AES-128

(Nk = 4).

RK0 = (Rl0, Rl1, Rl2, Rl3),

RK1 = (Rl4, Rl5, Rl6, Rl7),

RK2 = (Rl8, Rl9, Rl10, Rl11),

RK3 = (Rl12, Rl13, Rl14, Rl15),

RK4 = (Rl16, Rl17, Rl18, Rl19),

RK5 = (Rl20, Rl21, Rl22, Rl23),

RK6 = (Rl24, Rl25, Rl26, Rl27),

RK7 = (Rl28, Rl29, Rl30, Rl31),

RK8 = (Rl32, Rl33, Rl34, Rl35),

RK9 = (Rl36, Rl37, Rl38, Rl39),

RK10 = (Rl40, Rl41, Rl42, Rl43).

2.5 Inverse cipher

Unlike most Feistel-structure block ciphers, the AES algorithm, which is a typical SPN-structure block cipher, needs a separate inverse cipher for decryption. Decryption applies the transformations in the reverse order of encryption, and the inverse of each function is used in the decryption cipher.

The InvSubBytes transformation, InvShiftRows transformation and InvMixColumns

transformation in the decryption cipher correspond to the SubBytes transformation,

ShiftRows transformation and MixColumns transformation respectively.

       0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
   0  52 09 6a d5 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb
   1  7c e3 39 82 9b 2f ff 87 34 8e 43 44 c4 de e9 cb
   2  54 7b 94 32 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e
   3  08 2e a1 66 28 d9 24 b2 76 5b a2 49 6d 8b d1 25
   4  72 f8 f6 64 86 68 98 16 d4 a4 5c cc 5d 65 b6 92
   5  6c 70 48 50 fd ed b9 da 5e 15 46 57 a7 8d 9d 84
   6  90 d8 ab 00 8c bc d3 0a f7 e4 58 05 b8 b3 45 06
   7  d0 2c 1e 8f ca 3f 0f 02 c1 af bd 03 01 13 8a 6b
   8  3a 91 11 41 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73
   9  96 ac 74 22 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e
   a  47 f1 1a 71 1d 29 c5 89 6f b7 62 0e aa 18 be 1b
   b  fc 56 3e 4b c6 d2 79 20 9a db c0 fe 78 cd 5a f4
   c  1f dd a8 33 88 07 c7 31 b1 12 10 59 27 80 ec 5f
   d  60 51 7f a9 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef
   e  a0 e0 3b 4d ae 2a f5 b0 c8 eb bb 3c 83 53 99 61
   f  17 2b 04 7e ba 77 d6 26 e1 69 14 63 55 21 0c 7d

(row = high nibble of the input byte, column = low nibble)

e.g. input value: 0x4d (row 4, column d) → output value: 0x65

Table 2.2: S-box$^{-1}$ of the AES algorithm

InvShiftRows maps the state

  b00 b01 b02 b03
  b10 b11 b12 b13
  b20 b21 b22 b23
  b30 b31 b32 b33

to

  b00 b01 b02 b03
  b13 b10 b11 b12
  b22 b23 b20 b21
  b31 b32 b33 b30

(row i is rotated to the right by i positions, undoing the left rotation of ShiftRows).

Figure 2.3: Illustration of the InvShiftRows transformation

Table 2.2 is the substitution table (S-box−1) used in the InvSubBytes transformation,

and Figure 2.3 and Figure 2.4 represent the functions of the InvShiftRows transforma-

tion and InvMixColumns transformation respectively.

$$
\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix}
=
\begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}
\begin{pmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{pmatrix}
$$

Figure 2.4: Mixing of four bytes in the InvMixColumns transformation (the matrix is the inverse, over GF($2^8$), of the matrix in Figure 2.2)

Chapter 3

Cryptologic Properties of the AES Algorithm

In this chapter, we review a large body of previous research studies relating to the

cryptologic properties of the AES algorithm, which have been performed since Rijndael

was proposed for the process of the AES selection. In this review, those research

studies are classified into four fields according to the following research areas: immunity

against DC (Differential Cryptanalysis) and LC (Linear Cryptanalysis), distinctive

output properties of the structure, cryptologic properties of the key schedule, and

algebraic properties of the algorithm. We note that since the purpose of this chapter

is to review the cryptologic properties of the AES algorithm, we shall concentrate

on the cryptologic properties themselves rather than cryptanalytic methods using the

properties. We first discuss the cryptologic immunity of the AES algorithm against

two conventional cryptanalytic methods, DC and LC.

3.1 Immunity against DC and LC

DC [19, 20, 21] and LC [50, 51] have been regarded as the most powerful cryptan-

alytic methods against block ciphers since these cryptanalytic methods theoretically

succeeded in the attack on DES (Data Encryption Standard) [59]. For this reason, it

has been considered as essential in the design of block ciphers to prove their invulner-

ability against these cryptanalytic methods. In the case of the AES algorithm, it has

been proved by some research studies that the AES algorithm is strong enough against

DC and LC. These research studies have shown that the AES algorithm provides a

sufficiently low differential probability and linear probability, each of which has been

considered as a reliable measure to evaluate the strength of block ciphers against DC

and LC. For future reference, we first define some basic concepts.

Definition 3.1 (DP and LP [73, 74]) For any S-box S with m-bit inputs and outputs, the Differential Probability $DP^S(\delta x, \delta y)$ and the Linear Probability $LP^S(\Gamma\delta x, \Gamma\delta y)$ are defined by

$$DP^S(\delta x, \delta y) = \frac{\left|\{\, x \in GF(2^m) \mid S(x) \oplus S(x \oplus \delta x) = \delta y \,\}\right|}{2^m}$$

and

$$LP^S(\Gamma\delta x, \Gamma\delta y) = \left( \frac{\left|\{\, x \in GF(2^m) \mid \Gamma\delta x \cdot x = \Gamma\delta y \cdot S(x) \,\}\right|}{2^{m-1}} - 1 \right)^2$$

respectively. Here $\delta x$, $\delta y$, $\Gamma\delta x$, and $\Gamma\delta y$ denote an input difference, an output difference, an input mask value, and an output mask value respectively, and $x \cdot y$ denotes the parity (0 or 1) of the bitwise product of x and y.

Definition 3.2 (MDP and MLP [73, 74]) Under Definition 3.1, the Maximal Differential Probability p and the Maximal Linear Probability q are defined by

$$p = \max_{\delta x \neq 0,\; \delta y} DP^S(\delta x, \delta y)$$

and

$$q = \max_{\Gamma\delta x,\; \Gamma\delta y \neq 0} LP^S(\Gamma\delta x, \Gamma\delta y).$$

Definition 3.3 (Branch number) Let F be a linear function, and $\Omega(X)$ be the number of non-zero bytes in a byte vector X. Then the branch number $B_n$ of the function F is defined by

$$B_n = \min_{X \neq 0} \left[\, \Omega(X) + \Omega(F(X)) \,\right].$$

The strength of the AES algorithm against DC and LC has already been computed by the designers in the AES proposal [28]. From the fact that the branch number of MixColumn used in the linear transformation is 5, the designers have shown that the number of differentially active S-boxes over any four rounds is at least 25. Based on this observation, they have proven that the four-round characteristic probability (P) of the AES algorithm is bounded by

$$P \le p^{25} = (2^{-6})^{25} = 2^{-150} \quad (p \text{ is the MDP of the S-box}).$$

This means that no differential characteristic with a probability greater than $2^{-150}$ exists for a DC attack on the four-round AES algorithm [28]. In terms of LC, the designers have also shown that there are no four-round linear trails with a correlation above $2^{-75}$ [28].

Also, on the basis of the fact that the strength of the block ciphers against DC

and LC depends on the maximal differential probability and the maximal linear hull

probability respectively [40, 41, 44, 45, 73] (the strength is inversely proportional to

the values of these probabilities), some other research studies have shown that the AES

algorithm is sufficiently secure against DC and LC.

In [52], although the authors have noted that a more rigorous proof would be necessary, they have concluded from the following computation results that the AES algorithm is, in all probability, secure against DC with six rounds.

Property 3.1 The maximal average differential probability of four rounds of the AES algorithm is upper bounded by $1.065 \times 2^{-128}$.

Property 3.2 The maximal average differential probability of five rounds of the AES algorithm is upper bounded by $1.0007 \times 2^{-128}$.

More recently, several research studies have presented improved methods for upper

bounding the maximal differential probability and the maximal linear hull probabil-

ity for SPN structure block ciphers, and have re-evaluated the strength of the AES

algorithm with their methods. These research studies have proven that the maximal

differential probability and the maximal linear hull probability for the AES algorithm

are bounded by the values below.

Property 3.3 [73] The maximal differential probability for four rounds of the AES algorithm is approximately bounded by $1.06 \times 2^{-96}$.

Property 3.4 [74] The maximal differential probability and the maximal linear hull probability for four rounds of the AES algorithm are approximately bounded by $1.144 \times 2^{-111}$ and $1.075 \times 2^{-106}$ respectively.

Summing up all the research studies reviewed above, the AES algorithm can be said to be well designed against DC and LC. In fact, from the fact that the AES algorithm uses the function MixColumn, whose branch number is five, for the linear transformation, and that the number of active S-boxes over any four rounds of this cipher is at least 25, we can see that the AES algorithm was designed to offer enough immunity against DC and LC. This is because the maximal differential probability is known to be closely related to the number of differentially active S-boxes, and the maximal linear hull probability to depend strongly on the number of linearly active S-boxes. It is generally understood that the greater the number of differentially active S-boxes, the lower the maximal differential probability becomes; similarly, the greater the number of linearly active S-boxes, the lower the maximal linear hull probability becomes.

3.2 Distinctive output properties of the structure

While some research studies have shown that the AES algorithm provides enough

resistance against DC and LC, some others have observed that the AES structure yields

some distinctive output properties for a certain set of plaintexts, in a few rounds. In

this section, we review those distinctive output properties of the AES algorithm to

which cryptologists have paid attention. We first examine the third round balanced

property observed by the designers of the AES algorithm.

Third-round balanced property

As previously mentioned in Section 3.1, the branch number of MixColumn is five (if

one byte is changed for an input of the matrix formula in Figure 2.2, then all bytes are

changed in the output). This means that the change of one byte for an input block

of the MixColumns transformation leads to the change of one column (four bytes) in

the output block. Tracing the encryption procedures, and taking into consideration

the above property, the designers of the AES algorithm have observed the following

property.

Property 3.5 Any two plaintexts X and X′, which differ by only one byte in the same byte position, lead to second-round intermediate texts Y and Y′ which are different from each other in all bytes. That is,

if $X \neq X'$ in only one byte, then $Y \neq Y'$ in all bytes.

Based on this property, tracing one more round, they have also observed that any set of 256 chosen plaintexts (Λset) defined below leads to an interesting output property after the third round (they call this property the balanced property).

Definition 3.4 (Λset) For the AES algorithm, Λset is defined by a set of 256 plaintexts

which vary in only one byte (and are the same in the other bytes).

Property 3.6 (Third-round balanced property) For any Λset, the XOR of all the

third-round intermediate texts is ‘00’ in all bytes.

Figure 3.1 illustrates an example of Λset and the third-round balanced property caused

by the set (this property has been called an “integral property” in [49], because it is

caused by the summation of a certain set of output values).

Figure 3.1: Illustration of the third-round balanced property. The Λset shown consists of the 256 plaintexts whose first byte takes all 256 values (01, 02, 03, ..., ff and 00) while the other fifteen bytes are fixed (in the example the remaining bytes of the first column are 78, 2f, 7c and the other three columns are 72 00 94 / 11 6d 19 / d3 5a 47 / 68 11 b2); the corresponding 256 third-round intermediate texts XOR to 00 in all sixteen bytes.

Based on this property, the Square attack was first introduced by the designers

of the AES algorithm (Rijndael). This attack was originally applied to the block

cipher Square [27], which is the basis of Rijndael. But since Rijndael inherited many

basic functions from Square, it has the same balanced property as Square has, thus this

attack is applicable to the AES algorithm as well. We summarise here how the balanced

property has been applied to the cryptanalysis of the AES algorithm. The designers

have used two Λsets for the attack on the AES algorithm reduced to four rounds. We first use Λset#1.

1. First, we assume one byte in the fourth-round key. Then, decrypt the corre-

sponding bytes in the 256 ciphertexts (we recall that the fourth round does not

have the MixColumns transformation because the fourth round is the last round

in this case).

2. If the assumption is correct, then the XOR of the corresponding bytes in the 256

third-round intermediate texts must be equal to ‘00′. If the XOR is equal to ‘00′,

then the assumed value is taken for the byte. If not, return to step 1 assuming

another value for the key byte.

3. If the above two steps are applied to all key bytes, all eligible components for the

fourth round key are obtained.

* Step 2 must be applied to the other set, Λset#2, to avoid the selection of wrong

keys, because wrong keys may satisfy the balanced property by chance with the

probability of 1/256 if only one Λset is considered.

The designers have extended this method up to six rounds, adding one round at the

beginning of the four rounds and one round at the end. Later, this method has been

developed to seven rounds using partial-sum techniques [58, 68]. Table 3.1 shows the

complexity of the Square attack against some reduced rounds of the AES algorithm.

Attack        Number of Rounds    Chosen Plaintexts    Time Complexity
Square        4                   2^9                  2^9
Square        5                   2^11                 2^40
Square        6                   2^32                 2^72
Partial sum   6                   6 × 2^32             2^44
Partial sum   7                   2^128 − 2^119        2^120

Table 3.1: Complexities of the Square attack against the AES algorithm

Fourth-round impossible differentials

While the designers of the AES algorithm have found, from Property 3.5, a third-round

distinguisher (balanced property), which Λset leads to with probability 1, E. Biham and

N. Keller have found, in [22], a fourth-round distinguisher, which a pair of plaintexts

referred to in Property 3.5 leads to with probability 0. That is, E. Biham and N. Keller

have observed impossible differentials [17, 18] of the four rounds of the AES algorithm

(differentials that never appear in the four rounds). Let us consider a pair of plaintexts

which differ by only one byte. Then, we imagine the corresponding intermediate texts

after the fourth-round ShiftRows transformation as described below:

$$
\mathrm{itext}\ a:\ \begin{pmatrix} b_{\#0} & b_{\#4} & b_{\#8} & b_{\#12} \\ b_{\#1} & b_{\#5} & b_{\#9} & b_{\#13} \\ b_{\#2} & b_{\#6} & b_{\#10} & b_{\#14} \\ b_{\#3} & b_{\#7} & b_{\#11} & b_{\#15} \end{pmatrix},
\qquad
\mathrm{itext}\ b:\ \begin{pmatrix} b'_{\#0} & b'_{\#4} & b'_{\#8} & b'_{\#12} \\ b'_{\#1} & b'_{\#5} & b'_{\#9} & b'_{\#13} \\ b'_{\#2} & b'_{\#6} & b'_{\#10} & b'_{\#14} \\ b'_{\#3} & b'_{\#7} & b'_{\#11} & b'_{\#15} \end{pmatrix}.
$$

Now, let us suppose that the combination (b#0, b#7, b#10, b#13) in itext a is equal to the

combination (b′#0, b′#7, b′#10, b′#13) in itext b. Then, after the third-round MixColumns

transformation the data is equal in the first column, and thus after the second-round

MixColumns transformation the data is equal in (byte#0, byte#5, byte#10, byte#15). This

is a contradiction because the pair of plaintexts being considered is different from each

other only in one byte and this plaintext pair must lead to the second-round interme-

diate texts, which are different from each other in all bytes. Taking this contradiction

into account, we can deduce that if a pair of plaintexts differ by only one byte, then the

intermediate texts after the fourth-round ShiftRows transformation cannot be equal in

(0,7,10,13). If we consider the other bytes, then we see the following property.

Property 3.7 (Impossible differentials) If a pair of plaintexts differ by only one byte, then the intermediate texts after the fourth-round ShiftRows transformation cannot be equal in any of the following combinations of bytes:

(0, 7, 10, 13), (1, 4, 11, 14), (2, 5, 8, 15) nor (3, 6, 9, 12),

when the byte positions of the text block are described by

$$
\begin{pmatrix} \mathrm{byte}_{\#0} & \mathrm{byte}_{\#4} & \mathrm{byte}_{\#8} & \mathrm{byte}_{\#12} \\ \mathrm{byte}_{\#1} & \mathrm{byte}_{\#5} & \mathrm{byte}_{\#9} & \mathrm{byte}_{\#13} \\ \mathrm{byte}_{\#2} & \mathrm{byte}_{\#6} & \mathrm{byte}_{\#10} & \mathrm{byte}_{\#14} \\ \mathrm{byte}_{\#3} & \mathrm{byte}_{\#7} & \mathrm{byte}_{\#11} & \mathrm{byte}_{\#15} \end{pmatrix}.
$$

Based on this property, E. Biham and N. Keller have proposed an Impossible dif-

ferential cryptanalysis to attack five rounds of the AES algorithm [22]. The main idea

of this attack is to eliminate wrong first-round keys by showing that the impossible

property holds in the last four rounds if these keys are used. This method requires

$2^{29.5}$ chosen plaintexts and $2^{31}$ time complexity for the attack on five rounds of the

AES algorithm. Later, this attack has been developed to six rounds [26], assuming not

only the first-round key but also the last-round key, although this extension requires

a higher complexity. Table 3.2 shows the complexities of the Impossible differential

cryptanalysis against the AES algorithm.

Number of Rounds    Chosen Plaintexts    Time Complexity
5                   2^29.5               2^31
6                   2^91.5               2^122

Table 3.2: Complexities of the IDC against the AES algorithm

Fourth-round collision distinguisher

In [25], H. Gilbert and M. Minier have constructed an efficient fourth-round distin-

guisher of the AES algorithm, by exploiting the existence of collisions between some

partial functions induced by the cipher. They have first observed that the AES algo-

rithm has a partial third-round collision property in which several bytes are involved.

Then, from the relationship between the third round and the fourth round, they have

found the fourth-round distinguisher. Before discussing the fourth-round collision dis-

tinguisher in more detail, we define the concept of collision for future reference as

outlined below.

Definition 3.5 (Collision) For any given function h and messages M and M ′, if

h(M) = h(M ′) when M 6= M ′,

then we say that h(M) and h(M ′) collide.

Next, we discuss the third-round collision property followed by the fourth-round dis-

tinguisher of the AES algorithm. Let us consider a set of the first-round input blocks

(after the initial round key addition) of the AES algorithm, which vary in the first

column (the other bytes are all the same), as shown in Figure 3.2.

Figure 3.2: Fourth-round collision distinguisher of the AES algorithm. Two first-round input blocks share the byte y and differ only in the remaining three bytes of the first column, c = (c0, c1, c2) and c′ = (c′0, c′1, c′2); s and s′ denote the corresponding byte of the third-round intermediate texts, and (t0, t1, t2, t3) and (t′0, t′1, t′2, t′3) the corresponding column of the fourth-round intermediate texts.

Then, $2^{24}$ triplets c = (c0, c1, c2) can be considered for each value of y. Considering two arbitrary triplets c and c′, H. Gilbert and M. Minier have constructed the concept of a partial third-round collision of the AES algorithm. Specifically,

• they have observed that for any $y \in \{0, \ldots, 255\}$ in a plaintext, s (s′) is entirely determined by a surprisingly small number of unknown bytes, which either depend only on the key or depend on both the key and the value of c (c′),

• then, based on the above observation, they have found the following third-round collision property, taking into account the well-known birthday paradox [15, 38].

Property 3.8 [25] In a given set C of about $2^{16}$ triplets c (the number of all possible triplets is actually $2^{24}$), there exist, with non-negligible probability, c and c′ ($c \neq c'$) which lead to

$$s = s' \quad \text{for all } y \in \{0, \ldots, 255\}.$$

Now, let us consider the relationship between the third round and the fourth round of the AES algorithm: if we invert the matrix formula of Figure 2.2 (that is, apply the coefficients of Figure 2.4), we see that

$$s = S^{-1}\!\left(0e \cdot t_0 + 0b \cdot t_1 + 0d \cdot t_2 + 09 \cdot t_3\right) + k^{(4)}_{\#0},$$

where $S^{-1}$ and $k^{(4)}_{\#0}$ denote the S-box$^{-1}$ and the first byte of the fourth-round key respectively. In other words, we see that

$$0e \cdot t_0 + 0b \cdot t_1 + 0d \cdot t_2 + 09 \cdot t_3$$

is a one-to-one function of s. If we put this concept and the third-round collision property together, we find the following property, which tests the third-round collision with $t_0, t_1, t_2, t_3$ in the fourth-round intermediate texts.

Property 3.9 [25] c and c′ collide if and only if, for all $y \in \{0, \ldots, 255\}$,

$$0e \cdot t_0 + 0b \cdot t_1 + 0d \cdot t_2 + 09 \cdot t_3 = 0e \cdot t'_0 + 0b \cdot t'_1 + 0d \cdot t'_2 + 09 \cdot t'_3.$$

This property means that the third-round collision can be tested with the fourth-round intermediate texts corresponding to c and c′ for any y. So, H. Gilbert and M. Minier regard this property as a fourth-round distinguisher. They have noted, based on their experiments, that it is sufficient to check the equality in Property 3.9 on 16 values of y in order to test the collision between c and c′. Therefore, it requires $2^{20}$ plaintexts ($2^{16}$ values for the triplet c × $2^4$ values for y) to test the fourth-round distinguisher.

Based on the above observations, they have suggested a collision attack against the seven-round AES algorithm, which has the initial round and one additional round before the four-round structure of Figure 3.2, and one additional round and the final round behind it; in this case, the distinguisher is considered to lie between the second round and the fifth round. Their method is basically an exhaustive search of some key bytes of the initial round and the two final rounds, in order to check the distinguisher. They have noted that this attack requires $2^{32}$ chosen plaintexts, and is faster than exhaustive key search on seven rounds of AES-192 and AES-256 (complexity: $2^{140}$) and marginally faster on seven rounds of AES-128.

3.3 Cryptologic properties of the key schedule

The designers of the AES algorithm have stated [28] that the key schedule of the AES

algorithm was designed to provide resistance against cryptanalytic methods using the

weakness of the key schedule, such as related key attacks [23, 32, 33]. They have

mentioned that, from the security point of view, the following design criteria have been

applied to the key expansion:

C1. to put the diffusion of Cipher Key differences into the Round Keys,

C2. to guarantee enough non-linearity to prohibit the full determination of Round

Key differences from Cipher Key differences,

C3. to use an invertible transformation, that is, knowledge of any Nk (the number of columns of the Cipher Key) consecutive columns of the expanded key allows all the Round Keys to be regenerated,

C4. not to allow calculation of many other Round Key bits from knowledge of a part

of the Cipher Key or Round Key bits,

C5. to eliminate symmetry of the inner rounds.

Definition 3.6 [28] If a certain cipher treats all bytes of a state in very much the

same way in the round transformation, then it is said to have symmetry in the round

transformation.

Definition 3.7 [28] If the round transformation is the same for all rounds in a certain

cipher, then it is said to have symmetry between the rounds.

They have also mentioned that the high diffusion and non-linearity of the AES key

schedule makes it very improbable for the AES algorithm to be attacked by these

types of attacks.

However, some of the research studies that have carefully evaluated the security of the AES key schedule claim that although no serious weaknesses have been found, the AES key schedule does not live up to the designers' expectations. Although it is not closely related to a weakness of the AES key schedule, E. Biham and N. Keller have shown, in [22], that if the key schedule of the AES algorithm were reversed, the complexity of the Square attack would be reduced by a factor of $2^8$. G. Carter, E. Dawson and L. Nielsen have confirmed that in the AES key schedule all the Round Keys (and the Cipher Key) can be regenerated from any Nk consecutive columns of the expanded key [24], as the designers of the AES algorithm have stated in the design criteria of the key schedule. As well as these observations, S. Lucks has studied the reverse order of the AES key expansion procedure, and has noted the following two properties of the AES key schedule [68].

Property 3.10 If all four columns in the seventh-round key of AES-256 are known,

then three columns (Columns 1, 2, and 3) in the fifth-round key can be generated.

Property 3.11 If all four columns in the seventh-round key of AES-192 are known,

then two columns (Columns 0 and 1) in the sixth-round key and one column (Column

3) in the fifth-round key can be generated.

Based on these observations, he has presented, in the same paper, a modified Square attack that reduces the number of key assumptions for the cryptanalysis of seven rounds of AES-192 and AES-256. He has recomputed the complexity of the Square attack, and has shown with his calculation that the Square attack requires $2^{80}$ basic operations to attack six rounds of the AES algorithm. If all possible seventh-round keys are additionally assumed, then the seven-round attack will require $2^{208}$ basic operations. (Note: in his calculation, one basic operation means five executions of byte-wise XOR, five executions of S-box$^{-1}$ and one execution of MixColumn.) However, using the above properties of the key schedule, he reduced the amount of computation (the number of key assumptions) for AES-192 and AES-256 by factors of $2^{24}$ and $2^8$ respectively. As a consequence, he has noted that attacking seven rounds of AES-192 and AES-256 requires $2^{184}$ and $2^{200}$ basic operations respectively, with $2^{32}$ chosen plaintexts.

More importantly, N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wag-

ner, and D. Whiting have noted in [58] that the key schedule of the AES algorithm

does not achieve its stated design criteria. In other words, they have claimed that

the key schedule of the AES algorithm has several unexpected properties that seem to

violate the published design criteria. First, they have pointed out, with an example of

the key expansion of AES-256, that the AES key schedule does not achieve Criterion 4

described above, based on the following observations. Let us look at Figure 3.3, taking

into account the key expansion routine described in Section 2.4.

1. If the values of the seven bytes indicated by ♠ (the byte on (row#i=3, column#7) of each full expanded block) are known (or assumed), then the values of the 21 bytes indicated by @ are known as well (the value of i is variable, although the case i=3 is considered here) because, byte by byte within a row,

$Rl_n = Rl_{n-Nk} \oplus Rl_{n-1}$ for $n \bmod 8 \notin \{0, 4\}$,

and, for $n \bmod 8 = 4$, $Rl_n = Rl_{n-Nk} \oplus \mathrm{SubBytes}(Rl_{n-1})$, in which the S-box acts on each byte separately and is invertible; in either relation any two of the three bytes in the same row determine the third. Here the number of columns in the Cipher Key and the index of each column in the round keys are denoted by Nk = 8 and $Rl_n$ respectively. In other words, if the seven bytes on (row#i=3, column#7) of each expanded block are known, then we learn 28 (7+21) bytes of the expanded key.

2. Now, let us assume that the values of eight bytes indicated by ♣ are additionally

known (eight bytes in row#(i−1 mod 4) in the first expanded block (this block is

actually the Cipher Key)). Then, if we consider

$Rl_n = Rl_{n-Nk} \oplus \mathrm{SubBytes}(\mathrm{RotBytes}(Rl_{n-1})) \oplus Rcon[n/Nk]$ for $n \bmod 8 = 0$,

in which row#(i−1 mod 4) of $Rl_n$ depends on row#i of $Rl_{n-1}$ because of RotBytes, we additionally see the 52 bytes indicated by % in row#(i−1 mod 4) of the other expanded blocks. That is, we learn 60 (8+52) bytes of the expanded key from the eight additionally known bytes.

3. Summing up, we see that if 15 (7+8) bytes of the round keys are known, then 88

bytes are revealed in all.

4. If this idea is extended further, that is, if 16 more bytes in row#(i−2 mod 4) and

row#(i−3 mod 4) of the first expanded block are known in step 2, then we see that

120 bytes are additionally revealed.

5. All in all, if 31 (7+8+8+8) bytes are known in the round keys, then 208 (28+60+

60+60) bytes are found.

They have also remarked, with the observation below, that the AES key schedule does

not provide a high level of diffusion, contrary to the designers’ statement that “the key

schedule of Rijndael, with its high diffusion and non-linearity, makes it very improbable

that related-key attacks can be successful for Rijndael” [28].

Figure 3.3: Correlations between the bytes of the expanded key. The figure lays out the round keys RK0 to RK14 of AES-256 in expanded blocks of eight columns; ♠ marks the seven known bytes on (row#3, column#7) of each full block, @ the 21 bytes derived from them, ♣ the eight additionally known bytes of row#2 of the Cipher Key (RK0, RK1), and % the 52 bytes of row#2 derived from those; the columns after RK14 that would complete the eighth block are not used.

Property 3.12 [58] The AES key schedule takes many cycles before a low-weight dif-

ference starts to affect a significant number of other bytes.

For example, these authors have observed that “if the key schedule runs backwards,

then each byte affects two other bytes that are (almost) a full cycle further back”

[58]. Based on this observation, they have claimed that it is more probable than the

designers’ expectation that an attack on the AES algorithm can be mounted with a

kind of related key attack. Indeed, they have presented a related-key attack applicable

to nine rounds of AES-256 (AES-256 originally consists of 14 rounds), although this

attack is basically a variant of the Square attack. This attack requires $2^{77}$ chosen plaintexts under 256 related keys (total: $2^{85}$ plaintexts) and a complexity of $2^{224}$.

Throughout this section, we have reviewed some research studies relating to the key

schedule of the AES algorithm. We observe that not many research studies have been

performed on the key schedule of the AES algorithm, and no critical weakness of the

key schedule has been found so far. In addition, most detected properties have been

used for reducing the complexities of previously known cryptanalytic methods. For

this reason, we could say that although the AES key schedule has minor weaknesses

from the cryptologic point of view, it does not have critical problems.

3.4 Algebraic properties of the algorithm

Despite the novelty of the AES algorithm, the simple algebraic structure of this cipher

has led to some concerns about its security. In particular, some commentators have

pointed out that the AES algorithm could be vulnerable to what is known as alge-

braic attacks [57], which recover the Cipher Key from formulating algebraic equations

between plaintexts and ciphertexts. In this section, we discuss the research studies

that have observed the algebraic properties of the AES algorithm. We first review two

papers whose findings are contrary to each other on the security of the elementary

structure of the AES algorithm.

Simplicity of the linear layer

As previously mentioned, some research studies have concentrated on examining the

simplicity of the AES algorithm. Among these research studies, S. Murphy and M.

Robshaw have found that the linear layer of the AES algorithm has short periods

[69, 70]. They first found that the affine transformation, which is one of the two

functions used for generating the S-box (non-linear layer), can be separated from the

non-linear layer and moved into the linear layer, as illustrated in Figure 3.4. In this

modified structure, they have found that the maximal period of the modified linear

layer is 16, with the following observations:

1. Since the entirety of the modified linear layer is a GF(2)-linear map, its action can be represented by a 128 × 128 binary matrix, M.

2. In this case, the characteristic polynomial c(x) (= Det(M + xI)) and the minimal polynomial m(x) (the polynomial of smallest degree such that m(M) = 0) of M are

$$c(x) = (x + 1)^{128} = x^{128} + 1 \quad \text{and} \quad m(x) = (x + 1)^{15}.$$

3. Since m(M) = 0 and, over GF(2), $x^{16} + 1 = (x + 1)^{16} = (x + 1) \times m(x)$,

$$M^{16} = I.$$

3.4. Algebraic properties of the algorithm 30

4. As a consequence, 16 iterations of the modified linear transformation (M) give

the identity mapping, which means that any 128-bit input of this transformation

is mapped to itself after 16 repeated applications.

Figure 3.4: Re-grouping of the functions in the elementary structure. Functions in the elementary structure (left): the non-linear layer is the SubBytes transformation (S-box), namely the multiplicative inverse in $GF(2^8)$ followed by the affine transformation over $GF(2)^8$; the linear layer is the ShiftRows transformation followed by the MixColumns transformation. Re-grouping of the functions (right): the non-linear layer is the multiplicative inverse in $GF(2^8)$ alone; the linear layer is the affine transformation over $GF(2)^8$, the ShiftRows transformation and the MixColumns transformation.

Also, from further observations on the matrix $M$ of the modified linear layer, they have found that there are inputs of the modified layer which are fixed over a very small number of iterations of the linear transformation:

• $2^{16}$ inputs are fixed over one modified linear layer.

• $2^{30}$ inputs are fixed over two iterations of the modified linear layer.

• $2^{58}$ inputs are fixed over four iterations of the modified linear layer.

• $2^{96}$ inputs are fixed over eight iterations of the modified linear layer.

Based on this observation, they have remarked that the linear diffusion layer of the AES

algorithm may not be so effective at mixing data, and that there may be considerable

inner structure within the diffusion layer. At this stage, to make the concept of “mixing

data” clear, we briefly define the effect of mixing data, which Murphy and Robshaw

considered, although they have used the concept of “mixing data” without definition.

We note that the following definitions are also valid in other chapters of this thesis.

Definition 3.8 (Period) In a set $K$ consisting of $n$ elements, if an input $I \in K$ of a function $F$ is mapped to itself after $p$ iterations of $F$, then the period of $F$ is $p$ for $I$.

Definition 3.9 (Effect of mixing data) In a set $K$ consisting of $n$ elements, if the period of $F$ is $p$ for a certain input $I$, then the effect of mixing data of $F$, for $I$, is defined by $e = p/n$.
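The observations of Murphy and Robshaw above can be reproduced directly. The following is an added example (it is not code from the thesis or from [69, 70]): it builds the regrouped linear layer of Figure 3.4, that is the $GF(2)$-linear part of the S-box affine map (the constant 0x63 dropped, since it is absorbed by the key addition), ShiftRows and MixColumns, as one $GF(2)$-linear map on the 128-bit state, obtains the matrix $M$ from the images of the 128 unit vectors, and checks $M^{16} = I$, $M^8 \neq I$ and the four fixed-point counts, each computed as $\dim\ker(M^k + I)$. The state is stored column-major (index $4 \cdot \text{column} + \text{row}$), a convention of this example; the composition order used, MixColumns after ShiftRows after the affine part, is one of the cyclically equivalent orderings, which are conjugate maps and so share period and kernel dimensions. For comparison it also checks the period eight of the original linear layer (ShiftRows followed by MixColumns) quoted in Chapter 4.

```python
"""Period and fixed points of the regrouped AES linear layer (affine part + ShiftRows +
MixColumns) viewed as a 128 x 128 matrix over GF(2).  Added example; a state is a list of
16 bytes stored column-major (index = 4*column + row), an assumption of this example."""


def xtime(b):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def affine_linear(b):
    """GF(2)-linear part of the S-box affine map (FIPS-197 eq. 5.1 without the 0x63 constant)."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4)


def shift_rows(s):
    """Row r is rotated left by r positions: out[r][c] = in[r][(c + r) mod 4]."""
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Multiply every column by the circulant (02 03 01 01) matrix over GF(2^8)."""
    out = []
    for c in range(4):
        b0, b1, b2, b3 = s[4 * c:4 * c + 4]
        out += [xtime(b0) ^ xtime(b1) ^ b1 ^ b2 ^ b3,
                b0 ^ xtime(b1) ^ xtime(b2) ^ b2 ^ b3,
                b0 ^ b1 ^ xtime(b2) ^ xtime(b3) ^ b3,
                xtime(b0) ^ b0 ^ b1 ^ b2 ^ xtime(b3)]
    return out


def linear_layer(s):
    """Original linear layer: ShiftRows followed by MixColumns."""
    return mix_columns(shift_rows(s))


def modified_linear_layer(s):
    """Regrouped layer of Figure 3.4: bytewise affine part, then ShiftRows, then MixColumns."""
    return linear_layer([affine_linear(b) for b in s])


def matrix_power_columns(f, k):
    """Columns of M^k as 128-bit integers: the image of each unit vector after k applications
    of f.  Valid because f is GF(2)-linear, so the 128 unit-vector images determine it."""
    cols = []
    for i in range(128):
        s = list((1 << i).to_bytes(16, "big"))
        for _ in range(k):
            s = f(s)
        cols.append(int.from_bytes(bytes(s), "big"))
    return cols


def is_identity_power(f, k):
    """True iff M^k = I, i.e. every 128-bit input returns to itself after k applications."""
    return matrix_power_columns(f, k) == [1 << i for i in range(128)]


def gf2_rank(vectors):
    """Rank over GF(2) of a list of 128-bit integers, by elimination on bit positions."""
    rows, rank = list(vectors), 0
    for bit in range(127, -1, -1):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def log2_fixed_points(f, k):
    """log2 of the number of inputs fixed by k applications: dim ker(M^k + I) = 128 - rank."""
    cols = [c ^ (1 << i) for i, c in enumerate(matrix_power_columns(f, k))]
    return 128 - gf2_rank(cols)


if __name__ == "__main__":
    print("original linear layer, M^8 = I:", is_identity_power(linear_layer, 8))
    print("modified linear layer, M^8 = I:", is_identity_power(modified_linear_layer, 8),
          " M^16 = I:", is_identity_power(modified_linear_layer, 16))
    for k in (1, 2, 4, 8):
        print(f"inputs fixed by {k} modified layer(s): 2^{log2_fixed_points(modified_linear_layer, k)}")
```

The fixed-point count is obtained without enumerating inputs: the inputs fixed by $M^k$ form the kernel of $M^k + I$, whose dimension is 128 minus the rank of that matrix, so the four counts fall out of four rank computations.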

They have also mentioned that “someone may find a more novel way to combine the

rich structure in the diffusion layer of Rijndael with the highly structured inverse

map”. However, despite the novelty of these observations, the designers of the AES

algorithm counter-argued, with the following comments, that these observations do

not sufficiently examine the security of the AES algorithm [29]. They have pointed out

that

• these observations have been restricted to only the linear layer.

• these observations have not shown the substantial impact of the cyclic properties

on the cryptologic weakness of the AES algorithm.

While the designers have defended the AES algorithm, other research studies have

been undertaken that have made significant progress in exposing the algebraic weak-

nesses caused by the simple structure of the AES algorithm.

Simple algebraic representation

N. Ferguson, R. Schroeppel, and D. Whiting have observed [57] that there is a very straightforward closed algebraic formula for the AES algorithm, and have remarked that it is highly structured and much simpler than the algebraic formulations of any other block cipher. Tracing the input-output relation of each basic function, they have initially derived a fairly simple algebraic expression for a single round of the AES algorithm, that is

$$b^{(r+1)}_{i,j} = k^{(r)}_{i,j} + \sum_{e_r \in E,\; d_r \in D} w_{i,e_r,d_r}\,\bigl(b^{(r)}_{e_r,\,e_r+j}\bigr)^{2^{d_r}}, \tag{3.1}$$

where the variables are denoted by the following:

$b^{(r)}_{i,j}$: the byte on (row #$i$, column #$j$) in the input of round $r$.

$k^{(r)}_{i,j}$: the byte on (row #$i$, column #$j$) in the $r$th round key.

$r$: the round index.

$w$: certain constants in $GF(2^8)$, depending only on their subscripts.

$E$: the range $0, \ldots, 3$.

$D$: the range $0, 1, \ldots, 7$.

⋆ all coordinates are reduced modulo 4 so that, for example, $b^{(r)}_{8,4} = b^{(r)}_{0,0}$.

Then, applying the actual value $r = 2$ to (3.1), they have shown that any byte of the third-round input block can be expressed by

$$b^{(3)}_{i,j} = k^{(2)}_{i,j} + \sum_{e_2 \in E,\; d_2 \in D} w_{i,e_2,d_2}\,\bigl(b^{(2)}_{e_2,\,e_2+j}\bigr)^{2^{d_2}} \tag{3.2}$$

$$\phantom{b^{(3)}_{i,j}} = k^{(2)}_{i,j} + \sum_{e_2 \in E,\; d_2 \in D} w_{i,e_2,d_2}\Bigl[\bigl(k^{(1)}_{e_2,\,e_2+j}\bigr)^{2^{d_2}} + \sum_{e_1 \in E,\; d_1 \in D} w^{2^{d_2}}_{e_2,e_1,d_1}\,\bigl(b^{(1)}_{e_1,\,e_1+e_2+j}\bigr)^{2^{d_1+d_2}}\Bigr]. \tag{3.3}$$

(The second line uses the fact that raising to the power $2^{d_2}$ is additive over $GF(2^8)$, so the exponent distributes over the sum that expresses $b^{(2)}_{e_2,\,e_2+j}$ by (3.1).)

Also, using the fact that all subscripts and exponents are known and are independent of the key or plaintext, they have simplified equation (3.3) to a somewhat casual notation which clarifies the structure, taking into account that $b^{(1)}_{i,j} = p_{i,j} + k^{(0)}_{i,j}$ where $p_{i,j}$ is a plaintext byte. As a consequence, they have derived equation (3.4) for two rounds of the AES algorithm, followed by equation (3.5) for five rounds:

$$b^{(3)}_{i,j} = K + \sum_{e_2 \in E,\; d_2 \in D} C_2\Bigl[K^* + \sum_{e_1 \in E,\; d_1 \in D} C_1\bigl[K^* + p^{**}\bigr]^*\Bigr]^* \tag{3.4}$$

$$b^{(6)}_{i,j} = K + \sum C_5\Bigl[K^* + \sum C_4\Bigl[K^* + \sum C_3\Bigl[K^* + \sum C_2\Bigl[K^* + \sum C_1\bigl[K^* + p^{**}\bigr]^*\Bigr]^*\Bigr]^*\Bigr]^*\Bigr]^* \tag{3.5}$$

where $K$, $C_i$, and $*$ denote an expanded key byte, a known constant, and known exponents or subscripts respectively (although these values depend on the summation variables that enclose the symbol). Following the same idea, they have also considered another nearly identical algebraic formula, which expresses any byte in the fifth-round intermediate text in terms of the ciphertext (not the plaintext) and the expanded key. Considering that these two values must agree, the expanded key could be found if the two equations were considered together. To break AES-128, which consists of ten rounds, such a pair of equations could be written for each byte in the fifth-round intermediate text. The first equation would express each byte in the fifth-round intermediate text as a function of the plaintext bytes (this equation covers rounds 1 to 5), and the other equation would express the same byte as a function of the ciphertext bytes (this equation covers rounds 6 to 10). Here, considering that each summation symbol covers 32 ($2^5$) terms, a fully expanded version of the five-round equation (3.5) has $2^{25}$ terms (as there are five nested summations in the equation) if the equation is written without summation symbols. So, combining the two equations would lead to an equation with $2^{26}$ unknowns. They have remarked, from a purely information-theoretical standpoint, that this merged equation may be solvable if at least $2^{22}$ ($= 2^{26}/16$, each known pair supplying 16 byte equations) known plaintext-ciphertext pairs are given. However, they have not suggested a practical method to solve these kinds of equations. They have left solving these kinds of equations as an open problem, expecting that “there might very well exist techniques for handling this type of formula that we are unaware of, or somebody might develop them in the next 20 years or so”.

They have finally commented that adding more rounds to the AES algorithm does not help improve security much against solving these kinds of equations, because each extra round adds only a factor of $2^5$ to the size of the fully expanded equation. Indeed, considering that one summation symbol covers 32 ($2^5$) terms in (3.1), we see the following extension, as they have commented:

• the full ten rounds of AES-128 could be represented by an equation with $2^{50}$ terms (as ten rounds give ten nested summation symbols).

• the full 14 rounds of AES-256 could be represented by an equation with $2^{70}$ terms (a seven-round equation has $2^{35}$ terms).

Overdefined system of quadratic equations

N. Courtois and J. Pieprzyk have observed in [55, 56] that the S-box of the AES algorithm can be described by an overdefined system of algebraic equations, and have presented the XSL (eXtended Sparse Linearization) attack, a new method that is more efficient at solving the overdefined system than previously known general methods.

They have first observed that the S-box can be described by a number of implicit quadratic Boolean equations. Let the input bits and output bits of the S-box be denoted by $x = (x_1, \ldots, x_s)$ and $z = (z_1, \ldots, z_s)$ with $s = 8$. Then there exist equations of the form $P(x_1, \ldots, x_s, z_1, \ldots, z_s) = 0$, where the algebraic degree $d$ is equal to two ($d = 2$). In principle, eight equations of the above form are (approximately) sufficient to fully describe the S-box. However, they have observed that more quadratic equations of this type can be constructed (this is the concept of “overdefined”, that is, $r \gg s$, where $r$ is the actual number of such equations). They have first obtained 7 quadratic equations (8 if 0 is not considered for $x$) from the following steps:

• Let us consider the multiplicative-inverse function (non-linear function) used for generating the S-box. Then, from the definition that

$$\forall x \neq 0,\quad 1 = x \cdot y, \tag{3.6}$$

we see that

$$x \cdot y = (x_7 X^7 + \cdots + x_0) \cdot (y_7 X^7 + \cdots + y_0) = (0, 0, 0, 0, 0, 0, 0, 1)$$

where the input of the function is denoted by $x = (x_7, \ldots, x_0)$, the corresponding output by $y = (y_7, \ldots, y_0)$, and $X$ is the formal variable of the polynomial basis of $GF(2^8)$. Written out bit by bit, this product gives eight equations that are quadratic in the bits of $x$ and $y$.

• Given that the equation for the least significant bit is true if, and only if, $x \neq 0$, we see that there exist 7 equations that are true with probability 1 (8 if 0 is not considered for $x$).

• The above property remains even after the affine transformation, which is the linear function used for generating the S-box, since the output bits of the S-box are affine functions of the bits of $y$.

Then, they have observed that

$$\forall x \in GF(2^8),\quad x = x^2 \cdot y \tag{3.7}$$

and that this equation gives 8 additional quadratic equations (squaring is $GF(2)$-linear in the bits, so $x^2 \cdot y$ is bilinear in the bits of $x$ and $y$). Equation (3.7) is symmetric with respect to the exchange of $x$ and $y$, so $y = y^2 \cdot x$, which provides another 8 additional quadratic equations. They have also noted that another 16 equations can be obtained from the two equations below for the same reason:

$$x^3 = x^4 \cdot y \tag{3.8}$$

$$y^3 = y^4 \cdot x. \tag{3.9}$$

All in all they have observed that 39 quadratic equations (40 if 0 is not considered for $x$) which are true with probability 1 can be obtained for the AES S-box, and that these equations are all linearly independent.

Based on the above observations, deriving the following formulas, they have shown that the whole of AES-128 can be described as a system of 8000 quadratic equations with 1600 variables, and that the whole of the 256-bit-block Rijndael with a 256-bit key gives 22400 quadratic equations with 4480 variables:

$$m = 4 \times r \times N_b \times N_r + r\,(L_k - H_k)/s$$

$$n = 4 \times s \times (N_r - 1) \times N_b + L_k.$$

where the variables are denoted by the following:

$m$: the number of quadratic equations for the full encryption (all $N_r$ rounds).

$n$: the number of variables in the equations.

$r$: the number of quadratic equations obtained from the S-box.

$s$: the input-output size of the S-box (8 bits).

$N_b$: the number of columns (or words) in the input block.

$N_r$: the number of rounds.

$H_k$: the number of bits of the cipher key.

$L_k$: the number of true key variables (448 for AES-128; 1152 for the 256-bit-block Rijndael with a 256-bit key quoted above).

The two systems quoted above follow from these formulas with $r = 40$: for AES-128 ($N_b = 4$, $N_r = 10$, $H_k = 128$, $L_k = 448$) they give $m = 8000$ and $n = 1600$, and for the 256-bit-block Rijndael with a 256-bit key ($N_b = 8$, $N_r = 14$, $H_k = 256$, $L_k = 1152$) they give $m = 22400$ and $n = 4480$.
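The count of 39 equations can be checked without constructing them one by one. The following added example (not code from the thesis or from [55, 56]) enumerates every monomial of degree at most two in the eight input bits $x_i$ and eight output bits $z_i$ of the S-box, evaluates each monomial on all 256 pairs $(x, S(x))$ to obtain a 256-bit truth table, and counts the linear dependencies among the 137 truth tables over $GF(2)$: each dependency is one quadratic equation $P(x, z) = 0$ that holds with probability 1, the case $x = 0$ included. Restricting the monomials to the bi-affine ones ($1$, $x_i$, $z_j$, $x_i z_j$) isolates the equations that come from (3.6) and (3.7). The block also evaluates the formulas for $m$ and $n$ above; the value $r = 40$ it passes is the thesis's count with $x = 0$ excluded, one more than the 39 found here.

```python
"""Count the linearly independent quadratic equations satisfied by the AES S-box and
evaluate the XSL equation/variable counts.  Added example, not from the thesis or [55, 56]."""
from itertools import combinations


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 for a != 0; 0 maps to 0, exactly as inside the AES S-box."""
    r = 1
    for _ in range(7):          # a^254 = a^2 * a^4 * ... * a^128
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r


def sbox(x):
    """SubBytes: multiplicative inverse followed by the affine map with constant 0x63."""
    y = gf_inv(x)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4) ^ 0x63


SBOX = [sbox(x) for x in range(256)]


def monomials(bi_affine_only=False):
    """Degree <= 2 monomials over the 16 bits (x_0..x_7, z_0..z_7) as tuples of bit indices
    (bit i < 8 is x_i, bit 8 + i is z_i).  bi_affine_only keeps 1, x_i, z_i and x_i*z_j."""
    single = [(i,) for i in range(16)]
    if bi_affine_only:
        pairs = [(i, j) for i in range(8) for j in range(8, 16)]
    else:
        pairs = list(combinations(range(16), 2))
    return [()] + single + pairs


def truth_table(monomial):
    """256-bit integer whose bit x is the monomial evaluated on (x, S(x))."""
    t = 0
    for x in range(256):
        bits = x | (SBOX[x] << 8)
        if all(bits >> i & 1 for i in monomial):
            t |= 1 << x
    return t


def gf2_rank(vectors, width):
    """Rank over GF(2) of a list of width-bit integers."""
    rows, rank = list(vectors), 0
    for bit in range(width):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def count_quadratic_equations(bi_affine_only=False):
    """Number of linearly independent P(x, z) of degree <= 2 with P(x, S(x)) = 0 for all
    256 inputs: the nullity of the monomial evaluation matrix, #monomials - rank."""
    tables = [truth_table(m) for m in monomials(bi_affine_only)]
    return len(tables) - gf2_rank(tables, 256)


def xsl_system_size(r, s=8, Nb=4, Nr=10, Hk=128, Lk=448):
    """(m, n): quadratic equations and variables for a full encryption, formulas of [55, 56]."""
    m = 4 * r * Nb * Nr + r * (Lk - Hk) // s
    n = 4 * s * (Nr - 1) * Nb + Lk
    return m, n


if __name__ == "__main__":
    print("quadratic equations:", count_quadratic_equations(),
          " of which bi-affine:", count_quadratic_equations(bi_affine_only=True))
    print("AES-128 (r = 40):", xsl_system_size(40))
    print("Rijndael 256/256 (r = 40):", xsl_system_size(40, Nb=8, Nr=14, Hk=256, Lk=1152))
```

The nullity computed here is the total number of independent quadratic relations, so it also settles the question raised in [13, 72, 76] about counting them: whatever construction is used, no more than this many independent quadratic equations exist for the S-box.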

They have noted that the problem of recovering the cipher key of the AES algorithm is the same as solving this overdefined system of quadratic equations, and that such overdefined systems of multivariate equations have already been used for the cryptanalysis of some asymmetric cryptosystems [2, 37, 53, 54]. Indeed, they have observed that the system for AES-128 can be solved with a complexity of $2^{330}$ by the XL (eXtended Linearization) algorithm [53], which is far too high to be of interest. However, presenting the XSL algorithm, they have also shown that the system for AES-128 can be solved with a complexity of $2^{230}$, and that the AES-256 key can be broken with a complexity of $2^{255}$. In addition, they have noted that if cubic equations are considered for the AES S-box, the complexity is about $2^{203}$ in the best case. Finally, they have concluded that the AES algorithm can be described as a system of overdefined and sparse quadratic equations over $GF(2)$, and that, according to their method of solving the system of overdefined equations, the security of the AES algorithm does not grow exponentially with the number of rounds. Although there are some concerns about the accuracy of this observation [13, 72, 76] (for example, about the correctness of counting the number of linearly independent equations), it seems certain that they have made a great contribution to the design and cryptanalysis of block ciphers, as noted in [6] as well. The research study reviewed next shows that the complexity of the XSL attack would drop even more if the system is written over $GF(2^8)$.

Single field description

The conflict between operations in the two fields, $GF(2^8)$ and $GF(2)$, is one of the factors that leads to difficulty in the cryptanalysis of the AES algorithm. However, simplifying the linear layer described in Figure 3.4 into a single matrix multiplication $M$ over $GF(2^8)$, S. Murphy and M. Robshaw have recently defined a block cipher, BES (Big Encryption System) [71], which operates on data blocks of 128 bytes, in which all of the operations are described entirely in $GF(2^8)$, and in which the AES algorithm can be embedded:

$$R(B, K) = M \cdot B^{(-1)} + K$$

where $R$, $B$, and $K$ denote the round function, a plaintext block, and a round key respectively, and $B^{(-1)}$ denotes componentwise inversion (with $0 \mapsto 0$). The inversion is the same as that used in the AES algorithm. That is, they have shown that the AES algorithm can be described with simpler algebraic operations in a single field, $GF(2^8)$. In addition, from observations of the BES algorithm, they have found that the AES encryption can be described by an extremely sparse overdefined multivariate quadratic system over $GF(2^8)$, and have noted that breaking the AES algorithm is equivalent to solving this system. We outline the main frame of their work below:

• They have first described a state vector $A$ of the AES algorithm as a column vector:

$$A = \begin{pmatrix} a_{00} & a_{01} & a_{02} & a_{03} \\ a_{10} & a_{11} & a_{12} & a_{13} \\ a_{20} & a_{21} & a_{22} & a_{23} \\ a_{30} & a_{31} & a_{32} & a_{33} \end{pmatrix} = (a_{00}, a_{10}, a_{20}, a_{30}, a_{01}, a_{11}, a_{21}, a_{31}, \ldots, a_{33})^T.$$

• Then they have defined the BES algorithm, which has the following relationship with the AES algorithm:

$$\mathrm{AES}(A, K) = \phi^{-1}\bigl(\mathrm{BES}(\phi(A), \phi(K))\bigr)$$

where $A$ and $K$ denote the plaintext and the cipher key respectively. Here, we note that a state vector $B$ of the BES algorithm is described by a column vector

$$B = (b_{000}, \ldots, b_{007}, b_{100}, \ldots, b_{107}, \ldots, b_{330}, \ldots, b_{337})^T$$

and the map $\phi$ is the vector conjugate map, applied to each byte of the state,

$$\phi(a_{ij}) = (b_{ij0}, \ldots, b_{ij7}) = \bigl(a_{ij}^{2^0}, a_{ij}^{2^1}, \ldots, a_{ij}^{2^7}\bigr).$$

• With the AES encryption embedded in the BES framework, they have found that the AES algorithm can be expressed as a system of extremely sparse multivariate quadratic equations. Specifically, they have observed that the encryption of the AES algorithm can be described as an overdefined multivariate quadratic system consisting of 5248 equations over $GF(2^8)$, of which 3840 are extremely sparse quadratic equations and 1408 are linear equations. These equations consist of 7808 terms, made from 2560 state variables and 1408 key variables.

Based on these observations, they have noted that if the XSL algorithm is applied to the above system, then the complexity could be much lower (about $2^{100}$) than if the XSL algorithm is applied directly to the $GF(2)$ system, which is the one that N. Courtois and J. Pieprzyk have considered. They have also commented that “it is clear that many aspects of the AES representation over $GF(2^8)$ remain to be investigated”.
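Equation (3.1) of Ferguson, Schroeppel and Whiting and the BES embedding of Murphy and Robshaw rest on the same fact: the S-box is the inversion $x \mapsto x^{254}$ followed by a $GF(2)$-linear map, and every $GF(2)$-linear map on $GF(2^8)$ is a linearized polynomial $L(x) = \sum_{d=0}^{7} w_d\,x^{2^d}$, so that $S(x) = 63 + \sum_d w_d\,(x^{-1})^{2^d}$, a $GF(2^8)$-linear combination of the conjugate vector $\phi(x^{-1})$. The following added example (not code from the thesis, from [57] or from [71]) serves both passages: it solves for the eight constants $w_d$ by Gaussian elimination over $GF(2^8)$ (the $w_{i,e_r,d_r}$ of (3.1) are these constants multiplied by the MixColumns coefficients), verifies the closed form for all 256 inputs, and checks the two properties on which BES relies, namely that inversion acts componentwise on $\phi(a)$ and that squaring, a $GF(2)$-linear operation on AES bytes, is merely a rotation of $\phi(a)$. The eight constants are derived here, not copied from either paper.

```python
"""The AES S-box as 63 + sum_d w_d (x^-1)^(2^d) and its action on the BES conjugate vector
phi(a) = (a, a^2, a^4, ..., a^128).  Added example; the constants w_d are solved for below."""
from functools import reduce
from operator import xor


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def affine_linear(y):
    """GF(2)-linear part of the S-box affine map (constant 0x63 left out)."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4)


def sbox(x):
    return affine_linear(gf_pow(x, 254)) ^ 0x63      # x^254 = x^-1, and 0 -> 0


def linearized_coefficients(L):
    """w_0..w_7 with L(x) = sum_d w_d x^(2^d) for a GF(2)-linear L on GF(2^8).  Solves the
    8 x 8 system L(e_i) = sum_d w_d e_i^(2^d) over the basis e_i = x^i by Gauss-Jordan
    elimination over GF(2^8); the Moore matrix of a basis is invertible, so pivots exist."""
    rows = [[gf_pow(1 << i, 1 << d) for d in range(8)] + [L(1 << i)] for i in range(8)]
    for col in range(8):
        piv = next(i for i in range(col, 8) if rows[i][col])
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = gf_pow(rows[col][col], 254)
        rows[col] = [gf_mul(inv, v) for v in rows[col]]
        for i in range(8):
            if i != col and rows[i][col]:
                factor = rows[i][col]
                rows[i] = [a ^ gf_mul(factor, b) for a, b in zip(rows[i], rows[col])]
    return [rows[d][8] for d in range(8)]


W = linearized_coefficients(affine_linear)


def conjugates(a):
    """BES embedding phi(a) = (a^(2^0), a^(2^1), ..., a^(2^7))."""
    return [gf_pow(a, 1 << d) for d in range(8)]


def sbox_closed_form(x):
    """Equation (3.1) for one S-box: 63 + sum_d w_d (x^-1)^(2^d) = 63 + w . phi(x^-1)."""
    return 0x63 ^ reduce(xor, (gf_mul(W[d], c) for d, c in enumerate(conjugates(gf_pow(x, 254)))))


def bes_properties_hold():
    """For all 256 bytes: the closed form equals SubBytes, inversion is componentwise on
    phi, and squaring is a rotation of phi (a^(2^8) = a closes the cycle)."""
    for x in range(256):
        phi = conjugates(x)
        if sbox_closed_form(x) != sbox(x):
            return False
        if conjugates(gf_pow(x, 254)) != [gf_pow(c, 254) for c in phi]:
            return False
        if conjugates(gf_mul(x, x)) != phi[1:] + phi[:1]:
            return False
    return True


if __name__ == "__main__":
    print("w_d =", [f"{w:02x}" for w in W])
    print("closed form and BES properties hold for all bytes:", bes_properties_hold())
```

Because the exponents $254 \cdot 2^d$ reduce modulo 255 to $254, 253, 251, 247, 239, 223, 191, 127$, the solved constants are the coefficients of the degree-254 polynomial representation of the S-box, and the $GF(2)$-linear affine map becomes a single $GF(2^8)$-linear row vector acting on $\phi$, which is what lets BES stay in one field.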

Some other observations

As well as the significant observations on the AES algorithm referred to above, some other research studies have also made considerable progress in examining the algebraic properties of the AES algorithm.

Among them, J. Fuller and W. Millan have observed a linear redundancy of the S-box [30, 31]. Specifically, they have noted that “all the output functions of the AES S-box can be mapped to each other using affine transformations, and hence they are all in the same affine equivalence class” [30]. They have shown that there exist a non-singular matrix $D_{ij}$ and a binary constant $c_{ij}$ such that

$$b_j(x) = b_i(D_{ij}\,x) \oplus c_{ij}$$

where $b_i(x)$ and $b_j(x)$ denote two distinct output bits of the AES S-box ($b_1$ is the least significant bit). The following is an example of the AES S-box equivalence relationships that they have demonstrated:

$$b_2(x) = b_1(D_{12}\,x)$$
$$b_3(x) = b_1(D_{13}\,x) \oplus 1$$
$$b_4(x) = b_1(D_{14}\,x) \oplus 1$$
$$b_5(x) = b_1(D_{15}\,x) \oplus 1$$
$$b_6(x) = b_1(D_{16}\,x)$$
$$b_7(x) = b_1(D_{17}\,x)$$
$$b_8(x) = b_1(D_{18}\,x) \oplus 1.$$

Here, each of $D_{12}, \ldots, D_{18}$ is an $8 \times 8$ matrix over $GF(2)$ acting on the input bits. For example,

$$D_{12} = \begin{pmatrix}
1 & 0 & 1 & 1 & 0 & 0 & 1 & 0 \\
0 & 1 & 0 & 1 & 0 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 \\
1 & 0 & 0 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 0 & 1 & 1 & 1 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 \\
1 & 1 & 0 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 0 & 0 & 1 & 1 & 0 & 1
\end{pmatrix}.$$

Based on these observations, they have mentioned that this equivalence property may lead to new attacks on the AES algorithm, although they have not suggested a practical cryptanalytic method. In addition, they have suggested a non-redundant S-box to replace the original S-box in the AES algorithm [31].

E. Barkan and E. Biham have shown that there exist dual ciphers for the AES algorithm [16]. They have first defined the concept of dual ciphers by saying that if two ciphers $E$ and $E'$ are isomorphic, that is, if there exist invertible transformations $f(\cdot)$, $g(\cdot)$, and $h(\cdot)$ such that

$$\forall P, K:\quad f(E_K(P)) = E'_{g(K)}(h(P)),$$

where $P$ and $K$ denote the plaintext and the cipher key respectively, then they are called dual ciphers. From this concept, they have observed that the AES algorithm has dual ciphers that are equivalent to the original cipher in all aspects. For the AES algorithm, these dual ciphers produce the same ciphertext for a given plaintext and a given key via the following equation:

$$\forall P, K:\quad \mathrm{AES}_K(P) = f^{-1}\bigl(\mathrm{DUAL}_{g(K)}(h(P))\bigr).$$

Indeed, they have shown in [16] that hundreds of dual ciphers can be described for the AES algorithm by replacing the irreducible polynomial, the coefficients of the MixColumns transformation, and the affine transformation used for generating the S-box. Based on their observations, they have concluded that “the irreducible polynomial of Rijndael is chosen arbitrarily, and that it is possible to replace the irreducible polynomial of Rijndael by any other irreducible or primitive polynomial without changing the strength of cipher, and even without changing the cipher itself”.
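The duals obtained by changing the irreducible polynomial are the easiest to exhibit, because the maps $f$, $g$ and $h$ are all the same field isomorphism applied byte by byte. The following added example (not code from the thesis or from [16]) constructs the isomorphism $f$ from Rijndael's field $GF(2)[x]/(x^8+x^4+x^3+x+1)$ to $GF(2)[x]/(x^8+x^4+x^3+x^2+1)$, the second polynomial being an arbitrary choice of another irreducible polynomial made for this example, by sending $x$ to a root of Rijndael's polynomial in the target field. It then checks that $f$ is a ring isomorphism, that the S-box of the dual is again "inversion in the new field, then a conjugated affine map $f \circ A \circ f^{-1}$ with constant $f(63)$", and that MixColumns commutes with $f$ once its constants $02$ and $03$ are replaced by $f(02)$ and $f(03)$. Applying $f$ to every byte of the plaintext, key and ciphertext (and to the round constants of the key schedule) extends this to the whole cipher, which is the equation above with $f = g = h$ bytewise.

```python
"""A polynomial dual of the AES S-box and MixColumns, built from a field isomorphism.
Added example; DUAL_POLY is an arbitrary second irreducible polynomial (an assumption)."""
from functools import reduce
from operator import xor

AES_POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1    (Rijndael's modulus)
DUAL_POLY = 0x11D   # x^8 + x^4 + x^3 + x^2 + 1  (assumption: any degree-8 irreducible works)


def gf_mul(a, b, poly):
    """Multiplication in GF(2)[x]/(poly) for a degree-8 modulus poly."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r


def gf_pow(a, e, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return r


def field_isomorphism(src, dst):
    """Tables f and f^-1 for an isomorphism GF(2)[x]/(src) -> GF(2)[x]/(dst): x is sent to a
    root of src inside the dst field (every degree-8 irreducible has 8 roots in GF(2^8))
    and the map is extended GF(2)-linearly to all 256 elements."""
    root = next(r for r in range(2, 256)
                if reduce(xor, (gf_pow(r, i, dst) for i in range(9) if src >> i & 1), 0) == 0)
    powers = [gf_pow(root, i, dst) for i in range(8)]
    f = [reduce(xor, (powers[i] for i in range(8) if a >> i & 1), 0) for a in range(256)]
    f_inv = [0] * 256
    for a, v in enumerate(f):
        f_inv[v] = a
    return f, f_inv


F, F_INV = field_isomorphism(AES_POLY, DUAL_POLY)


def is_ring_isomorphism(f):
    """f(a * b) = f(a) * f(b) for all a, b; f is GF(2)-linear and bijective by construction."""
    return all(f[gf_mul(a, b, AES_POLY)] == gf_mul(f[a], f[b], DUAL_POLY)
               for a in range(256) for b in range(256))


def affine_linear(y):
    """GF(2)-linear part of the S-box affine map (constant 0x63 left out)."""
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rot(y, 1) ^ rot(y, 2) ^ rot(y, 3) ^ rot(y, 4)


def sbox(x):
    return affine_linear(gf_pow(x, 254, AES_POLY)) ^ 0x63


def dual_sbox(y):
    """S-box of the dual cipher: inversion in the dual field, then the conjugated affine map
    f o A o f^-1 with constant f(0x63).  Nothing here uses Rijndael's modulus on y."""
    return F[affine_linear(F_INV[gf_pow(y, 254, DUAL_POLY)])] ^ F[0x63]


def mix_column(col, poly, two, three):
    """The (02 03 01 01) circulant with its field and its two constants made explicit."""
    b0, b1, b2, b3 = col
    m = lambda c, b: gf_mul(c, b, poly)
    return [m(two, b0) ^ m(three, b1) ^ b2 ^ b3,
            b0 ^ m(two, b1) ^ m(three, b2) ^ b3,
            b0 ^ b1 ^ m(two, b2) ^ m(three, b3),
            m(three, b0) ^ b1 ^ b2 ^ m(two, b3)]


def sbox_is_dual():
    """f(S(x)) == S'(f(x)) for every byte: the isomorphism commutes with the S-box."""
    return all(F[sbox(x)] == dual_sbox(F[x]) for x in range(256))


def mix_column_is_dual(col):
    """f(MixColumn(col)) == MixColumn'(f(col)) once 02, 03 are replaced by f(02), f(03)."""
    lhs = [F[v] for v in mix_column(col, AES_POLY, 0x02, 0x03)]
    rhs = mix_column([F[v] for v in col], DUAL_POLY, F[0x02], F[0x03])
    return lhs == rhs


if __name__ == "__main__":
    print("f is a ring isomorphism:", is_ring_isomorphism(F))
    print("S-box commutes with f:", sbox_is_dual())
    print("MixColumns commutes with f:", mix_column_is_dual([0x26, 0x10, 0x63, 0x03]))
```

There are eight roots to choose from, so this one polynomial already yields eight different duals; the affine map of the dual is $f \circ A \circ f^{-1}$, which is still $GF(2)$-linear because $f$ is, so the dual keeps the "inverse, then affine" shape of the original S-box.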

Chapter 4

Cyclic Properties of the AES Algorithm

From this chapter on, we present our further observations on the cryptologic properties of the AES algorithm. In this chapter, we discuss the algebraic properties of the AES algorithm, focusing on the cyclic properties, which have so far been considered mainly for stream ciphers. We examine the cyclic properties of the AES algorithm via each function in the original structure. We first observe, in Section 4.1, the cyclic properties of each function used in the AES algorithm. Then, the cyclic properties of combined functions are considered in Section 4.2. We show that the AES algorithm consists of functions having very short periods, and that these short periods are not improved in the linear layer. We note, however, that when the non-linear layer and the linear layer are combined, the period is dramatically increased.

In terms of the cyclic properties of each function, we have found that:

• any input data block of the SubBytes transformation (non-linear layer) returns to the initial state after 277182 ($\approx 2^{18}$) repeated applications of the SubBytes transformation; that is, the maximal period of the SubBytes transformation is 277182.

• any input data block of the ShiftRows transformation returns to the initial state after four repeated applications of the operation; that is, the maximal period of the ShiftRows transformation is four.

• any input data block of the MixColumns transformation maps to itself after four repeated applications of the operation. In other words, the maximal period of the MixColumns transformation is four.

In connection with the cyclic properties of combined functions, we have found that:

• when the ShiftRows transformation and MixColumns transformation in the linear layer are considered together, the maximal period is eight; that is, the maximal period of the linear layer is eight.

• when the SubBytes transformation (non-linear layer) and the ShiftRows transformation (in the linear layer) are considered together, the maximal period is 554364 ($\approx 2^{19}$).

• more importantly, the maximal period of the composition of the SubBytes transformation (non-linear layer) and the MixColumns transformation (in the linear layer) is 1,440,607,416,177,321,097,705,832,170,004,940 ($\approx 2^{110}$), which indicates that although the maximal periods of both the non-linear layer and the linear layer are short, the combination of these two layers brings a huge synergy effect in the maximal period.

We advise that this chapter is based on the paper [9] published by B. Song and J. Seberry. For future reference, we define $f^n(I) = f \circ f \circ \cdots \circ f(I)$ ($n$ applications of $f$).

Figure 4.1: Elementary structure of the AES algorithm. An input block $(i_{00}, \ldots, i_{33})$, four rows by four columns, passes through the non-linear layer (SubBytes), then the linear layer (ShiftRows followed by MixColumns), then the Round Key addition, giving the output block $(O_{00}, \ldots, O_{33})$.

4.1 Cyclic properties of each function

As previously mentioned, the non-linear layer of the AES algorithm is the SubBytes

transformation (S-box), whilst the linear layer consists of two functions, the Mix-

Columns transformation and the ShiftRows transformation. In this section, we ob-

serve the maximal period and minimal period of each transformation. We first present

a technical method to find the maximal and minimal period of the non-linear layer.

This method could also be applicable to other block ciphers if they have byte-oriented

non-linear layers.

4.1.1 Cyclic properties of the SubBytes transformation

To obtain the cyclic properties of the non-linear layer of the AES algorithm, we first classify the 256 possible input values of the S-box into five small groups, in each of which every element consecutively maps to the next.

Table 4.1: Classifying the substitution values in the S-box (each value in each group is followed by its substitution value, and the last value of each group maps back to the first)

Group #1 (period 87):
f2, 89, a7, 5c, 4a, d6, f6, 42, 2c, 71, a3, 0a, 67, 85, 97, 88, c4, 1c, 9c, de,
1d, a4, 49, 3b, e2, 98, 46, 5a, be, ae, e4, 69, f9, 99, ee, 28, 34, 18, ad, 95,
2a, e5, d9, 35, 96, 90, 60, d0, 70, 51, d1, 3e, b2, 37, 9a, b8, 6c, 50, 53, ed,
55, fc, b0, e7, 94, 22, 93, dc, 86, 44, 1b, af, 79, b6, 4e, 2f, 15, 59, cb, 1f,
c0, ba, f4, bf, 08, 30, 04

Group #2 (period 81):
7c, 10, ca, 74, 92, 4f, 84, 5f, cf, 8a, 7e, f3, 0d, d7, 0e, ab, 62, aa, ac, 91,
81, 0c, fe, bb, ea, 87, 17, f0, 8c, 64, 43, 1a, a2, 3a, 80, cd, bd, 7a, da, 57,
5b, 39, 12, c9, dd, c1, 78, bc, 65, 4d, e3, 11, 82, 13, 7d, ff, 16, 47, a0, e0,
e1, f8, 41, 83, ec, ce, 8b, 3d, 27, cc, 4b, b3, 6d, 3c, eb, e9, 1e, 72, 40, 09,
01

Group #3 (period 59):
00, 63, fb, 0f, 76, 38, 07, c5, a6, 24, 36, 05, 6b, 7f, d2, b5, d5, 03, 7b, 21,
fd, 54, 20, b7, a9, d3, 66, 33, c3, 2e, 31, c7, c6, b4, 8d, 5d, 4c, 29, a5, 06,
6f, a8, c2, 25, 3f, 75, 9d, 5e, 58, 6a, 02, 77, f5, e6, 8e, 19, d4, 48, 52

Group #4 (period 27):
ef, df, 9e, 0b, 2b, f1, a1, 32, 23, 26, f7, 68, 45, 6e, 9f, db, b9, 56, b1, c8, e8,
9b, 14, fa, 2d, d8, 61

Group #5 (period 2):
73, 8f

Property 4.1 Every input of the S-box returns to the initial value after some $t$ repeated applications of the substitution. In other words, for any input $p$ of the S-box $S$, $S^t(p) = p$.

Property 4.2 In Property 4.1, the 256 possible input values of the S-box can be classified into five small groups, as in Table 4.1, according to the values of $t$. The values of $t$ (the periods of each group) are 87, 81, 59, 27, and 2 respectively.

In Table 4.1, each value in each group is mapped to the value next to it. For example, ‘f2’ → ‘89’ → ‘a7’ → · · · → ‘04’ → ‘f2’, and ‘73’ → ‘8f’ → ‘73’. From Properties 4.1 and 4.2, we now expect that although the SubBytes transformation is a non-linear operation, every input block of the SubBytes transformation is mapped to itself after some number of repeated applications, since each byte of the block is substituted independently of the others. From Property 4.2, if we consider the L.C.M. (Least Common Multiple) of 87, 81, 59, 27, and 2, namely $2 \times 3^4 \times 29 \times 59 = 277182$, we then find the following cyclic property of the SubBytes transformation.

Property 4.3 For any input block $I$ of the SubBytes transformation,

$$\mathrm{SubBytes}^{277182}(I) = I.$$

That is, the maximal period of the SubBytes transformation is 277182.

Property 4.4 For any input block $I$ of the SubBytes transformation, if each byte of $I$ is ‘8f’ or ‘73’, then

$$\mathrm{SubBytes}^{2}(I) = I.$$

In other words, the minimal period of the SubBytes transformation is two when each byte in the input block $I$ is ‘8f’ or ‘73’.

Indeed, we see that an input block of the SubBytes transformation,

state0 : f2 71 00 ef
         89 10 63 df
         a7 ca fb 73
         5c 74 0f 8f

returns to the initial state after 277182 iterations of the SubBytes transformation (its bytes cover all five groups of Table 4.1, so its period is the L.C.M. of all five group periods), and that if each byte in an input block is ‘8f’ or ‘73’ (in group 5), like

state0 : 73 8f 8f 8f
         8f 8f 73 8f
         8f 73 73 8f
         73 8f 73 73,

then this block returns to the initial state after just two iterations of the SubBytes transformation. At this stage we present another property which is immediately obtained from Property 4.3. The following property shows an algebraic relationship between the SubBytes transformation in the encryption procedure and its inverse used in the decryption procedure.

Property 4.5 For any input block $I$ of the SubBytes transformation,

$$\mathrm{SubBytes}^{-1}(I) = \mathrm{SubBytes}^{277181}(I).$$

4.1.2 Cyclic properties of the ShiftRows transformation

If we consider the shift value (row #0: 0, row #1: 1, row #2: 2, row #3: 3) of each row, as described in Figure 4.2, the maximal period of the ShiftRows transformation is immediately found: after four applications each row has been rotated by a multiple of four positions, that is, not at all.

Figure 4.2: Illustration of the ShiftRows transformation (row $r$ of the state is rotated left by $r$ byte positions).

Property 4.6 For any input block $I$ of the ShiftRows transformation,

$$\mathrm{ShiftRows}^{4}(I) = I.$$

In other words, the maximal period of the ShiftRows transformation is four.

Property 4.7 The minimal period of the ShiftRows transformation is one when all bytes in an input block $I$ are the same (more generally, whenever the four bytes of every row are the same).

Property 4.6 instantly leads to an algebraic relationship between the ShiftRows transformation in the encryption process and its inverse used in the decryption process.

Property 4.8 For any input block $I$ of the ShiftRows transformation,

$$\mathrm{ShiftRows}^{-1}(I) = \mathrm{ShiftRows}^{3}(I).$$

4.1.3 Cyclic properties of the MixColumns transformation

In terms of the MixColumns transformation, we have found that the maximal period of this function is 4, and that this function does not affect the data transformation for certain types of input blocks. Let us look once again at the algebraic structure of the MixColumns transformation described in Chapter 2. As previously described, each input column $I_c$ (four bytes) is considered as a polynomial over $GF(2^8)$ and multiplied modulo $x^4 + 1$ by the fixed polynomial

$$f(x) = 03 \cdot x^3 + 01 \cdot x^2 + 01 \cdot x + 02.$$

This can be written as a matrix function (matrix multiplication)

$$\mathrm{MixColumn}(I_c) = M \cdot I_c = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \cdot \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} \tag{4.1}$$

where $I_c = (b_0, b_1, b_2, b_3)^T$.

Here, if we look carefully at the matrix $M$ in equation (4.1) and compute its powers over $GF(2^8)$, we see that

$$M^2 = \begin{pmatrix} 05 & 00 & 04 & 00 \\ 00 & 05 & 00 & 04 \\ 04 & 00 & 05 & 00 \\ 00 & 04 & 00 & 05 \end{pmatrix}, \qquad M^3 = \begin{pmatrix} 0e & 0b & 0d & 09 \\ 09 & 0e & 0b & 0d \\ 0d & 09 & 0e & 0b \\ 0b & 0d & 09 & 0e \end{pmatrix}$$

and

$$M^4 = \begin{pmatrix} 01 & 00 & 00 & 00 \\ 00 & 01 & 00 & 00 \\ 00 & 00 & 01 & 00 \\ 00 & 00 & 00 & 01 \end{pmatrix} = I.$$

(In polynomial terms, squaring is additive in characteristic 2, so $f(x)^2 = 04 \cdot x^2 + 05$ and $f(x)^4 = 04^2 \cdot x^4 + 05^2 = 10 + 11 = 01$ modulo $x^4 + 1$; $M^3$ is the matrix of the InvMixColumns transformation.) As a consequence we see that for any $I_c$

$$M^4 \cdot I_c = I_c. \tag{4.2}$$

If we now consider equation (4.2) for all four columns in an input block of the MixColumns transformation, then we finally find the following two properties.

Property 4.9 For any input block $I$ (16 bytes) of the MixColumns transformation,

$$\mathrm{MixColumns}^{4}(I) = I.$$

In other words, the maximal period of the MixColumns transformation is four.


Indeed, from a randomly chosen example below, we see that the initial state (state0)

of the MixColumns transformation is mapped to itself after four iterations of the Mix-

Columns transformation. In the following example, stater denotes the state after r

iterations of the MixColumns transformation:

state0 : 26 17 66 f0

10 69 ab 01

63 09 cd 65

03 11 ef 00

state1 : 1c 8d 08 9d

a0 cf 88 5d

f5 5f 66 3b

1f 7b 09 6f

state2 : 29 6f fc 92

5c 92 a0 05

6c 71 57 07

4f ea e4 04

state3 : 95 e8 ab 33

6a 29 ba 95

7c 3a c5 95

d5 9d 3b a7

state4 : 26 17 66 f0

10 69 ab 01

63 09 cd 65

03 11 ef 00.

From equation (4.1), we also note the somewhat surprising property that if all four bytes of $I_c$ are the same, that is, $b_0 = b_1 = b_2 = b_3$, then the matrix multiplication does not influence the data transformation; that is,

$$M \cdot I_c = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \cdot \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = I_c, \tag{4.3}$$

because each row of $M$ sums to $02 + 03 + 01 + 01 = 01$ in $GF(2^8)$. This means that if we consider equation (4.3) for all four columns in an input block of the MixColumns transformation, then we see the following property.

Property 4.10 The minimal period of the MixColumns transformation is one when

the bytes are the same in each column.

For example, if an input block of the MixColumns transformation is

state0 : 26 10 ab de

26 10 ab de

26 10 ab de

26 10 ab de,

then we see that the state after the MixColumns transformation is also

state1 : 26 10 ab de

26 10 ab de

26 10 ab de

26 10 ab de.

Property 4.10 includes the fact that if all bytes in an input block of the MixColumns

transformation are the same, then the MixColumns transformation does not affect

the data transformation. From Property 4.9, we also immediately find an algebraic

relationship between the MixColumns transformation in the encryption process and its

inverse used in the decryption process.

Property 4.11 For any input block $I$ of the MixColumns transformation,

$$\mathrm{MixColumns}^{-1}(I) = \mathrm{MixColumns}^{3}(I).$$

4.2 Cyclic properties of combined functions

We now observe the cyclic properties when the above functions are combined. We first

observe the cyclic properties of the linear layer. Then we discuss the cyclic properties

when the linear layer and the non-linear layer are combined.

4.2.1 Cyclic properties of the linear layer

The cyclic properties of the linear layer are observed when the ShiftRows transforma-

tion and the MixColumns transformation are considered together. Considering that the

maximal period of the ShiftRows transformation is four, and the maximal period of the

MixColumns transformation is also four, we obtain the following property concerning

the maximal period of the linear layer.


Property 4.12 Any input block I of the linear layer is mapped to itself after eight

repeated applications of the linear layer. In other words, the maximal period of the

linear layer is eight.

In this case the maximal period of the linear layer equals the sum of the maximal periods of the ShiftRows and MixColumns transformations, but this is a coincidence of the numbers rather than a rule: the two transformations do not commute, so the period of their composition is not determined by the individual periods alone and has to be established for the composition itself. What does hold is that every byte in each row returns to its initial position after four iterations of the ShiftRows transformation, without change in value by the ShiftRows transformation itself. Property 4.12 has been verified by our implementation, and the following is a randomly chosen example of this property. In the following example, state0 denotes the initial state of the linear transformation, and state$_r$ denotes the state after $r$ iterations of the linear transformation.

state0 : 26 17 66 f0
         10 69 ab 01
         63 09 cd 65
         03 11 ef 00

state1 : 3a ae bd 2d
         b8 f6 d0 24
         ce 73 92 d8
         ce f1 ea d7

state2 : 30 3a 32 10
         b7 a8 4d 39
         91 9c 16 56
         9f 66 cf 73

state3 : e6 6a d8 b1
         32 c5 8e 15
         21 61 98 ce
         08 70 32 9e

state4 : 85 9b c5 7c
         5a 2c e1 44
         b1 7b 1f 17
         4b ee a7 ff

state5 : 85 49 02 ca
         03 30 6b e2
         8d 89 d1 22
         42 d6 66 f0

state6 : 60 4f 62 65
         7d bb 87 2a
         07 a0 80 6a
         8e 16 de 03

state7 : 95 e8 ab 33
         95 6a 29 ba
         c5 95 7c 3a
         9d 3b a7 d5

state8 : 26 17 66 f0
         10 69 ab 01
         63 09 cd 65
         03 11 ef 00

Now, looking at the minimal periods of the ShiftRows transformation and the MixColumns transformation together, we also see the following property, which shows the minimal period of the linear layer.

Property 4.13 Any input block I of the linear layer, in which all bytes are the same, is mapped to itself after one application of the linear layer. That is, the minimal period of the linear layer is one.

This property means that if all bytes in the input block are the same, then the linear layer does not affect the data transformation at all.

4.2.2 Cyclic properties of the combined layer

When the SubBytes transformation (non-linear layer) and the ShiftRows transformation (in the linear layer) are combined, we obtain the following cyclic property from the L.C.M. of the two maximal periods.

Property 4.14 Any input block I of the composition of the SubBytes transformation and the ShiftRows transformation is mapped to itself after 554364 repeated applications of the composition. In other words, the maximal period of the composition of the SubBytes transformation and the ShiftRows transformation is 554364.

If we consider the minimal periods of these two operations, then we also find the following property.

Property 4.15 For any input block I of the composition of the SubBytes transformation and the ShiftRows transformation, if all bytes in the input block I are the same and are either ‘73’ or ‘8f’, then this block is mapped to itself after two repeated applications of the composition. That is, the minimal period of the composition of the SubBytes transformation and the ShiftRows transformation is two.

At this stage, we realise that the short periods of the AES functions are not improved even in the compositions which we have considered up until now. But, more importantly, we now show that although the maximal periods of both the non-linear layer and the linear layer are short as previously shown, the maximal period is dramatically increased when the non-linear layer and the MixColumns transformation in the linear layer are considered together. To do this, we first change the order of the SubBytes transformation and the ShiftRows transformation, as shown in Figure 4.3 (b) (the order of these two functions is changeable).

We then consider the S-box and the MixColumns transformation together. As a result, we obtain an extended S-box, ES-box, which consists of $2^{32}$ non-linear substitution paths, as shown in Figure 4.3 (c) and Table 4.2.

x     : 0x00000000  0x00000001  ...  0xabcdef12  ...  0xffffffff
            ↓           ↓                ↓                ↓
ES(x) : 0x63636363  0x7c7c425d  ...  0x0eb03a4d  ...  0x16161616

Table 4.2: ES-box

Now, using the same concept as was used to obtain Property 4.2, we classify the $2^{32}$ four-byte input values of the ES-box into 52 small groups according to their periods. Table 4.3 shows the classification of all substitution values in the ES-box, which has been obtained from our analysis (see Appendix A for more details).

[Figure 4.3: Re-ordering of SubBytes and ShiftRows. Each panel maps an input state (i00 ... i33) to an output state (O00 ... O33): (a) S-box, ShiftRows and MixColumns in the original order; (b) the same three functions with the S-box and ShiftRows exchanged; (c) ShiftRows followed by the ES-box, which combines the S-box and MixColumns.]

The number of values in each group (the period of each group) is 1,088,297,796 ($\approx 2^{30}$), 637,481,159 ($\approx 2^{29}$), 129,021,490 ($\approx 2^{27}$), 64,376,666 ($\approx 2^{26}$), and so on. From these values we finally find the following property.

Property 4.16 The maximal period of the composition of the SubBytes transformation (non-linear layer) and the MixColumns transformation (in the linear layer) is 1,440,607,416,177,321,097,705,832,170,004,940 ($\approx 2^{110}$).

Here, we note that the maximal period of this composition is the largest L.C.M. of any four values in Table 4.3. This is because one input block consists of four columns.

In very rare cases, where each column in an input block I is ‘73737373’, ‘8f8f8f8f’, ‘5da35da3’, ‘c086c086’, ‘a35da35d’ or ‘86c086c0’ (each of these values is mapped to itself after two iterations of the ES-box: see Appendix A), for example,

state0 : 8f c0 73 5d
         8f 86 73 a3
         8f c0 73 5d
         8f 86 73 a3,

the period of the composition of the SubBytes transformation and the MixColumns transformation is two (this is the minimal period of the composition of the non-linear layer and the MixColumns transformation in the linear layer). If all bytes in an input block I of the composition of the SubBytes transformation and the MixColumns transformation are the same, then we find the following property, because this block leads to an output block in which all bytes are the same.

1088297796, 637481159, 637481159, 637481159, 637481159, 129021490,
129021490, 129021490, 129021490, 64376666, 64376666, 11782972, 39488,
16934, 13548, 13548, 10756, 7582, 5640, 5640, 3560, 1902, 1902, 548, 548,
136, 90, 90, 87, 81, 59, 47, 47, 47, 47, 40, 36, 36, 27, 24, 21, 21, 15,
15, 12, 8, 4, 4, 4, 2, 2, 2

e.g. Period of group #1 : 1088297796, Period of group #2 : 637481159, Period of group #6 : 129021490, Period of group #12 : 11782972.

Table 4.3: Classifying the substitution values in the ES-box

Property 4.17 For any input block I of the composition of the SubBytes transformation and the MixColumns transformation, if all bytes in I are the same, then the period of this composition is the same as the period of the S-box.

For example, if the bytes in an input block I of the combined function of the SubBytes transformation and the MixColumns transformation are all ‘f2’, then this block is mapped to itself after 87 iterations of this combined function, because the MixColumns transformation does not affect the data transformation (see Group #1 in Table 4.1 and Period 87 in Appendix A). If all the bytes in an input block I of the combined function of the SubBytes transformation and the MixColumns transformation are ‘8f’, then this block is mapped to itself after two repeated applications of this combined function.

4.3 Comparison with DES

Although the cryptographic structure of the AES algorithm is different from that of DES, we can make a comparison of the cyclic properties of these two algorithms. Among several research studies on the cyclic properties of DES [10, 14, 35, 36, 69, 70], we first refer to the following observations on the linear diffusion layer (the 32-bit permutation by Table 4.4 at the end of each round), as observed by S. Murphy and M. Robshaw [69, 70]:

• the minimal polynomial of the linear diffusion layer of DES has degree 56, that is

$m(x) = (1 + x + x^2)^4 (1 + x + x^2 + x^3 + x^4)^4 (1 + x + x^2 + x^4 + x^6 + x^7 + x^8)^4$.

• the minimal period of the linear diffusion layer of DES is 1020.

Comparing the above properties with Property 4.12, we see that the linear diffusion layer of the AES algorithm has a much shorter period than that of DES. From the viewpoint of the data mixing effect (recall Definition 3.9), we also see that the AES linear layer ($\frac{2^3}{2^{128}} = \frac{1}{2^{123}}$) is worse than the DES linear layer ($\frac{1020}{2^{32}} \approx \frac{1}{2^{21}}$).

16  7 20 21 29 12 28 17
 1 15 23 26  5 18 31 10
 2  8 24 14 32 27  3  9
19 13 30  6 22 11  4 25

Table 4.4: P-box of DES

We now refer to the cyclic property of the whole structure of DES, discussed in [14, 35]. In terms of the cyclic structure of DES, B. Kaliski, R.L. Rivest and A. Sherman announced that a small cycle had been found when alternately encrypting with the all-zeroes and the all-ones key. Specifically, they showed that when a 64-bit input is alternately encrypted with the all-zeroes key and the all-ones key, the input is reproduced after about $2^{33}$ iterations [14]. Motivated by this observation, J.H. Moore and G.J. Simmons did further studies on the cyclic structure of DES, using weak and semi-weak keys [35, 36]. Indeed, they presented some more weak keys which cause the DES structure to have a cycle of $2^{32}$. The following are two examples of the weak keys disclosed by their observations:

00000001 00000001 00000001 00000001 00000001 00000001 00000001 00000001

11111110 11111110 11111110 11111110 11111110 11111110 11111110 11111110

At this stage, we note in advance that the AES structure has a much shorter cycle than DES if the AES key schedule has a weakness. We discuss the short period of the AES structure in more detail in the next chapter.

In this chapter, we have discussed the cyclic properties of the AES algorithm. We have shown that the functions used in the AES algorithm have short periods and that these short periods are not improved even in the linear layer. However, we have also shown that when the non-linear layer and the linear layer are combined, the composition brings remarkable synergy effects in increasing the maximal period. In the next chapter, we discuss the impact of the cyclic properties on the security of the AES algorithm, focussing more on the data blocks which cause the AES functions to have the minimal periods.

Chapter 5

Security Impact of the Cyclic Property

In this chapter, we discuss the impact of the cyclic properties on the security of the AES algorithm. We show that in the AES algorithm, data blocks for which the elementary structure (the whole composition of the SubBytes transformation, the ShiftRows transformation, and the MixColumns transformation) has short periods are apt to have a hidden simple algebraic relationship with their corresponding output blocks. To do this, we first find the input blocks for which the elementary structure has the shortest periods. As outlined in the previous chapter, the composition of the non-linear layer and the linear layer brings huge synergy effects in improving the periods, but the elementary structure has very short periods for certain types of input blocks. We then show that there are simple algebraic relationships, which must be unusual and undesirable from the cryptologic point of view, between those input blocks and their corresponding output blocks. We have found that:

• any input block of the elementary structure of the AES algorithm in which all the bytes are the same always leads to an output block in which all the bytes are the same.

• in this case, the ShiftRows transformation and the MixColumns transformation do not affect the data transformation, and so the effect of mixing data (see Definition 3.9) depends on only the S-box.

We advise that this chapter is based on the paper [9] published by B. Song and J. Seberry.

5.1 Cyclic properties of the elementary structure

We first discuss the cyclic properties in the whole composition of the non-linear layer and the linear layer. Summing up the previous observations, we find some considerable cyclic properties in the entirely combined layer, which may reveal that the AES algorithm has some undesirable weaknesses in its algebraic structure. At this stage, we recall in more detail the concept of the effect of mixing data, defined in Definition 3.9, with an example. Let us consider a primitive polynomial

$f(x) = x^n + c_{n-1}x^{n-1} + c_{n-2}x^{n-2} + \cdots + c_2 x^2 + c_1 x + 1$

over $GF(2)$. The number of possible states of the LFSR (Linear Feedback Shift Register) generated by f(x) is $2^n - 1$ (excluding the all-zero state), and the maximal period of this LFSR is $2^n - 1$. This means that every state returns to the initial state after $2^n - 1$ repeated actions of the LFSR. If f(x) is not a primitive polynomial, then the maximal period of the LFSR will never be $2^n - 1$. In other words, not all possible states of the LFSR can appear, and some states are always missed. If the state of the LFSR returns to the initial state after n iterations, then $2^n - 1 - n$ states do not appear among all $2^n - 1$ possible states. In this case we say that the effect of mixing data is $\frac{n}{2^n - 1}$. We have just briefly connected the cyclic property to the effect of mixing data.

We now observe the cyclic property (and so the effect of mixing data) in the elementary structure of the AES algorithm, taking into account that the number of possible block states of the AES algorithm is $2^{128}$.

Property 5.1 For any input block I of the whole composition of the non-linear layer and the linear layer (the SubBytes transformation, the ShiftRows transformation and the MixColumns transformation), if all bytes in I are the same, then all bytes in the output block are also the same.

In the case above, the whole composition of the non-linear layer and the linear layer is equivalent to a single active s-box (substitution path) in its effect on the data transformation, because the ShiftRows transformation and the MixColumns transformation do not contribute to the data transformation. For example, if an input block is

state0 : d2 d2 d2 d2
         d2 d2 d2 d2
         d2 d2 d2 d2
         d2 d2 d2 d2,

then the output block of the entire layer is

state1 : b5 b5 b5 b5
         b5 b5 b5 b5
         b5 b5 b5 b5
         b5 b5 b5 b5.

Property 5.2 For any input block I of the whole composition of the non-linear layer and the linear layer, if all bytes in I are equal to i (any value), then the period of the whole composition for this input block is the same as the period of the S-box for i.

For example, if the bytes in an input block I of the whole composition of the non-linear layer and the linear layer are all ‘ef’, then this input block is mapped to itself after 27 iterations of the composition. This means that the effect of mixing data in the composition is $e = \frac{27}{2^{128}}$ ($2^{128}$ is the number of all possible blocks represented by 128 bits), and means that this effect depends on only the S-box (the period of the S-box for ‘ef’ is 27 as shown in Table 4.1).

Property 5.3 For any input block I of the whole composition of the non-linear layer and the linear layer, if all bytes in I are the same and are either ‘73’ or ‘8f’, then I is mapped to itself after two iterations of the composition. In other words, the minimal period of the whole composition of the non-linear layer and the linear layer is two (and so the minimal effect of mixing data is $e = \frac{2}{2^{128}}$).
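The S-box, ES-box and whole-composition periods of Properties 4.15 to 4.17 and 5.1 to 5.3, as an added example written for this page and not the thesis's own implementation: the S-box is generated from inversion in GF(2^8) followed by the affine map (the construction Section 6.1 describes), the ES-box of Table 4.2 applies the S-box to the four bytes of a column and then MixColumn, and `elementary_structure` is SubBytes, ShiftRows and MixColumns on a 4x4 state. Assumed conventions: a 32-bit word is one column with its most significant byte on top, a state is a list of rows as the thesis prints it, and the helper names are mine.

```python
from functools import reduce
from operator import xor
from typing import Callable, List, Optional, Set

State = List[List[int]]  # 4x4 list of rows, state[row][col], as the thesis prints a state

def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); ‘00’ is mapped onto itself as in the AES S-box."""
    return next(b for b in range(256) if gmul(a, b) == 1) if a else 0

def affine(b: int) -> int:
    """The affine transformation over GF(2): b xor its four left rotations, xor 0x63."""
    r = b
    for k in (1, 2, 3, 4):
        r ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return r ^ 0x63

SBOX = [affine(ginv(x)) for x in range(256)]  # the 256 substitution paths

MC_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col: List[int]) -> List[int]:
    """One column (top to bottom) multiplied by the circulant MixColumns matrix."""
    return [reduce(xor, (gmul(m, b) for m, b in zip(row, col)), 0) for row in MC_MATRIX]

def es_box(word: int) -> int:
    """ES-box of Table 4.2: the S-box on each byte of a 32-bit column, then MixColumn."""
    col = [SBOX[(word >> s) & 0xFF] for s in (24, 16, 8, 0)]
    return int.from_bytes(bytes(mix_column(col)), "big")

def shift_rows(state: State) -> State:
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state: State) -> State:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def elementary_structure(state: State) -> State:
    """SubBytes, ShiftRows, MixColumns: the whole composition studied in Chapter 5."""
    return mix_columns(shift_rows([[SBOX[b] for b in row] for row in state]))

def all_same(b: int) -> State:
    """A block in which all sixteen bytes equal b."""
    return [[b] * 4 for _ in range(4)]

def cycle_length(perm: List[int], x: int) -> int:
    """Period of the byte x under the permutation perm (the S-box period of the thesis)."""
    k, y = 1, perm[x]
    while y != x:
        y, k = perm[y], k + 1
    return k

def sbox_cycle_lengths() -> Set[int]:
    """The distinct cycle lengths of the S-box, i.e. the periods of its groups."""
    return {cycle_length(SBOX, x) for x in range(256)}

def period(f: Callable, x, limit: int = 1 << 16) -> Optional[int]:
    """Smallest k >= 1 with f^k(x) == x, or None if x does not return within `limit` steps."""
    y = f(x)
    for k in range(1, limit + 1):
        if y == x:
            return k
        y = f(y)
    return None

if __name__ == "__main__":
    print("S-box cycle lengths       :", sorted(sbox_cycle_lengths()))                  # [2, 27, 59, 81, 87]
    print("ES(0xabcdef12)            :", hex(es_box(0xABCDEF12)))                       # 0xeb03a4d
    print("ES-box period of 73737373 :", period(es_box, 0x73737373))                    # 2
    print("period of the all-ef block:", period(elementary_structure, all_same(0xEF)))  # 27
```

Running the block prints the S-box cycle lengths 2, 27, 59, 81 and 87, checks the ES-box against the entries of Table 4.2, and confirms that an all-‘ef’ state returns to itself after 27 applications of the elementary structure while an all-‘8f’ state returns after two, as Properties 5.2 and 5.3 state. For an all-same-byte column or block, ShiftRows and MixColumn are identities, so every period reported here for such an input is the S-box period of that byte.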

5.2 Cryptologic impact

Given the above properties, we can see that the elementary structure of the AES algorithm has unusual cryptologic properties for the input blocks in which all bytes are the same. We now see that the AES algorithm may have considerable weaknesses in the cipher itself for the plaintexts in which all bytes are the same. We discuss AES-128 here because the result is the same in the other cases. Let us assume that the AES key expansion routine has the same property as the cipher part (data processing part) of the AES algorithm. That is, let us assume that, contrary to the original key schedule of the AES algorithm, for a Cipher Key in which all bytes are the same, the AES key expansion routine generates Round Keys in which each round key has all its bytes the same; this does not actually happen in the original key schedule. For example, as illustrated in Figure 5.1, suppose that the initial Round Key consists of all ‘26’, that the first Round Key consists of all ‘10’, ..., and that the tenth Round Key consists of all ‘bd’. Then, if we consider the encryption procedure, we see that, regardless of the number of rounds, any plaintext in which all bytes are the same leads to a ciphertext

in which all bytes are the same. That is, in Figure 5.1, if the plaintext

P : 6b 6b 6b 6b
    6b 6b 6b 6b
    6b 6b 6b 6b
    6b 6b 6b 6b

is encrypted with the above Round Keys, then this plaintext leads to a ciphertext in which all bytes are the same:

C : 11 11 11 11
    11 11 11 11
    11 11 11 11
    11 11 11 11

This means that if anyone uses, for encryption, a Cipher Key in which all bytes are the same, then attackers will easily become aware of this fact, with a chosen plaintext in which all bytes are the same. As long as the attackers realise this fact, it will be easy to find the Cipher Key. In this case, the effect of the whole encryption is the same as the effect of only 10 (the number of rounds) active s-boxes. However, we note that this scenario does not occur with the original key schedule of the AES algorithm because plaintexts having short periods are not able to keep up the short periods with the original key schedule. For example, let us consider the simplest case in which a plaintext, in which all bytes are ‘8f’, is encrypted with a Cipher Key in which all bytes are ‘00’. In this case, as is shown in Property 5.3, the period of the whole composition of the SubBytes transformation, the ShiftRows transformation and the MixColumns transformation is two for the intermediate text

Int0 : 73 73 73 73
       73 73 73 73
       73 73 73 73
       73 73 73 73

after the initial round key addition. However, we have observed that the period of the composition of the SubBytes transformation and the MixColumns transformation becomes 1,088,297,796 ($\approx 2^{30}$) for the intermediate text

Int1 : ed ed ed ed
       ec ec ec ec
       ec ec ec ec
       ec ec ec ec

after the first round key addition. From these observations, we see that for certain types of data blocks, the AES algorithm has algebraic weaknesses in the cipher itself, but that the key schedule covers these weaknesses.

[Figure 5.1: Simple plaintext-ciphertext algebraic relationship in the cipher itself. With the hypothetical Round Keys of the text (RK 0 = all ‘26’, RK 1 = all ‘10’, ..., RK 9 = all ‘67’, RK 10 = all ‘bd’), the plaintext of all ‘6b’ becomes all ‘4d’ after the initial key addition and all ‘f3’ after the first round; the states shown around the ninth round are all ‘80’ and all ‘aa’, and the ciphertext is all ‘11’. Every intermediate state in the figure consists of a single repeated byte.]

5.3 Interim conclusion

Until now, we have summarised our further observations on the cyclic properties of the AES algorithm and the impact on its security. Specifically, we have shown that the maximal period of each function used in the AES algorithm is short (the effect of mixing data is very small), and that the maximal period of the composition of the functions in the linear layer is short as well. However, we have also shown that the composition of the non-linear layer and the linear layer brings remarkable synergy effects in raising the maximal period. This means that although the functions used in the AES algorithm are mathematically simple and ineffective in mixing data, this cipher is much more complicated when all the functions are combined. But we have also observed that for some data blocks, which cause the AES elementary structure to have the shortest periods, the AES algorithm has considerable weaknesses in the cipher itself: input blocks in which all bytes are the same always lead to output blocks in which all bytes are the same. Summing up our observations, we see that in the AES structure

• the composition of the non-linear layer and the linear layer has extremely long periods for most data blocks, so this structure yields a complicated algebraic relationship between the input blocks and the output blocks.

• but even this composition has short periods for some data blocks, so this structure causes a very simple algebraic relationship between the input blocks and their corresponding output blocks.

We summarise here why some data blocks (the data blocks in which all bytes are the same) are obliged to have such a simple relationship with their corresponding output blocks even in the whole composition of the non-linear layer and the linear layer. Let us look at the matrix function MixColumn used in the MixColumns transformation once again. The branch number of this function is five, so this function leads to 25 active s-boxes over four rounds of the AES algorithm for a one-non-zero-byte input difference. This property makes the four-round characteristic probability P of the AES algorithm become $2^{-150}$. If the branch number of the function MixColumn were four, then the number of active s-boxes after the fourth round would be 20 at most, and the four-round characteristic probability would be $P = 2^{-120}$. From the above, we see that the function MixColumn has admirable advantages against Differential Cryptanalysis. However, from the stream cipher point of view, this function has such a short period that it can provide a simple algebraic relationship between an input state and the corresponding output state. Let us recall Section 4.1.3. The maximal period of MixColumn is four, so the effect of mixing data is $\frac{4}{2^{32}}$. Given that the maximal period of a 32-degree LFSR (Linear Feedback Shift Register) is $2^{32} - 1$, we see that this period of MixColumn is very short. As previously shown, this function does not influence the data transformation for the inputs in which all bytes are the same, and so the outputs are the same as the inputs. As a result, this property of MixColumn makes the data blocks in which all bytes are the same lead to output blocks in which all bytes are the same, even in the whole composition of the non-linear layer and the linear layer. In this case, the data transformation depends on just a single active s-box, because the ShiftRows transformation does not affect the data transformation either. From our observations, we see that the function MixColumn enables the AES algorithm to be secure against DC, as previously known; but, at the same time, the fact that this function does not affect the data transformation for inputs in which all bytes are the same leads the AES algorithm to have an unusual property in the cipher itself for the input blocks in which all bytes are the same.

Chapter 6

Distinctive Output Properties of the AES Algorithm

In this chapter, we discuss our observations on distinctive output properties of the AES algorithm. We first observe some differential properties of the AES S-box. We then find some distinctive output properties of the matrix multiplication, MixColumn. Finally, we discuss consistent differential patterns of the AES algorithm. Before discussing the consistent differential patterns of the AES algorithm, we first define the concept of the consistent differential pattern of a block cipher. In terms of the consistent differential patterns of the AES algorithm, we have found that

• if two plaintexts of this cipher differ by only one byte, then there are always four pairs of bytes in the second-round output difference, with each pair having the same value (this pattern is consistent as long as the two plaintexts differ by only one byte).

• if two plaintexts of this cipher differ by up to four bytes in certain positions, then the above pattern appears in the second-round output difference as well.

• for any $2^{8n}$ plaintexts which vary in certain n bytes, if one of these plaintexts is paired with each of the other plaintexts, then any output difference is equal to the XOR of the other output differences after the third round.

• for any $2^{32}$ plaintexts, which vary in certain four bytes and are the same in the other bytes, there exist some consistent differential patterns between the fourth-round intermediate texts.

• for any set of $2^{32}$ plaintexts considered above, there exists a consistent differential pattern between the fifth-round intermediate texts.

This chapter is organised as follows: some differential properties of the S-box are observed in Section 6.1; then some distinctive output properties of MixColumn (the matrix multiplication used in the MixColumns transformation) are considered in Section 6.2; and finally the consistent differential patterns of the AES algorithm are discussed in Section 6.3.

We advise that this chapter is based on the papers [7] published by B. Song, H. Wang and J. Seberry, and [8] published by B. Song and J. Seberry.

6.1 Differential properties of the S-box

We now discuss our further observations on the differential properties of the AES S-box. As mentioned in Section 2.3, the AES S-box, which is the non-linear operation consisting of 256 substitution paths, is generated by two functions, a function $f(x) = x^{-1}$ in $GF(2^8)$ (‘00’ is mapped onto itself) and an affine transformation over $GF(2)$. Given that this kind of function $f(x) = x^{-1}$ in $GF(2^n)$, where $f(x) = 0$ for $x = 0$, is differentially 2-uniform for odd n and differentially 4-uniform for even n (the highest probability of a non-trivial one-round differential is $\frac{2}{2^n}$ and $\frac{4}{2^n}$ respectively) [42], we can expect that the AES S-box has uniform differential characteristics.

6.1.1 Distribution of output differences

We first discuss some distinctive output properties of the AES S-box observed from our exhaustive computer search. The following property proves that the AES S-box yields well-distributed output differences for any input difference.

Property 6.1 For any input difference ∆x of the AES S-box, a certain output difference ∆y always appears twice while the other output differences appear just once.

The following data shows the output differences which appear twice for each input difference. For example, for the input difference ‘01’, the value ‘1f’ appears twice in the output differences; and for the input difference ‘ff’, the value ‘75’ appears twice in the output differences (see also Figure 6.1, in which an example of Property 6.1 is illustrated in the case of ∆x = ‘ff’).

01:1f, 02:14, 03:18, 04:91, 05:08, 06:0c, 07:a6, 08:53, 09:62, 0a:04,
0b:48, 0c:9d, 0d:b4, 0e:c8, 0f:15, 10:a9, 11:e1, 12:aa, 13:1e, 14:99,
15:3a, 16:24, 17:93, 18:ce, 19:b7, 1a:c1, 1b:cc, 1c:ff, 1d:c7, 1e:11,
1f:a3, 20:d4, 21:9e, 22:f0, 23:45, 24:55, 25:5c, 26:94, 27:af, 28:57,
29:c6, 2a:86, 2b:92, 2c:12, 2d:bb, 2e:52, 2f:76, 30:67, 31:a4, 32:40,
33:a0, 34:7b, 35:f5, 36:66, 37:f9, 38:64, 39:71, 3a:e3, 3b:81, 3c:88,
3d:44, 3e:d1, 3f:16, 40:6a, 41:e0, 42:4f, 43:79, 44:78, 45:0d, 46:39,
47:c3, 48:31, 49:58, 4a:b5, 4b:d0, 4c:4a, 4d:80, 4e:4c, 4f:e7, 50:30,
51:b2, 52:63, 53:8e, 54:43, 55:9f, 56:d2, 57:38, 58:09, 59:a8, 5a:dd,
5b:5a, 5c:29, 5d:2f, 5e:3b, 5f:ac, 60:b3, 61:8c, 62:c9, 63:98, 64:20,
65:2e, 66:50, 67:e6, 68:26, 69:9a, 6a:61, 6b:1c, 6c:33, 6d:5f, 6e:fc,
6f:cb, 70:32, 71:c0, 72:23, 73:ec, 74:f1, 75:fe, 76:5b, 77:96, 78:df,
79:d5, 7a:b9, 7b:42, 7c:73, 7d:9c, 7e:90, 7f:b1, 80:ae, 81:6f, 82:70,
83:8f, 84:3c, 85:f4, 86:27, 87:74, 88:a7, 89:c4, 8a:1d, 8b:5e, 8c:07,
8d:3e, 8e:7a, 8f:10, 90:03, 91:e2, 92:2c, 93:bf, 94:41, 95:49, 96:f3,
97:eb, 98:25, 99:8d, 9a:db, 9b:77, 9c:bd, 9d:3d, 9e:68, 9f:b8, a0:83,
a1:51, a2:59, a3:69, a4:2a, a5:65, a6:47, a7:3f, a8:a1, a9:b0, aa:cf,
ab:01, ac:f2, ad:f6, ae:87, af:1a, b0:84, b1:ab, b2:54, b3:0e, b4:ee,
b5:b6, b6:2d, b7:ca, b8:0f, b9:35, ba:97, bb:89, bc:06, bd:19,
be:cd, bf:6b, c0:d9, c1:1b, c2:46, c3:4d, c4:7f, c5:c5, c6:d7, c7:a5,
c8:8b, c9:be, ca:17, cb:7c, cc:28, cd:de, ce:e8, cf:e9, d0:13, d1:5d,
d2:d6, d3:05, d4:2b, d5:60, d6:95, d7:6d, d8:02, d9:56, da:34,
db:da, dc:e5, dd:a2, de:7e, df:fd, e0:82, e1:9b, e2:fb, e3:72, e4:0a,
e5:ba, e6:ed, e7:f7, e8:f8, e9:7d, ea:e4, eb:8a, ec:ad, ed:36, ee:4b,
ef:bc, f0:ef, f1:c2, f2:ea, f3:6e, f4:dc, f5:85, f6:21, f7:0b, f8:22, f9:fa,
fa:4e, fb:6c, fc:d3, fd:37, fe:d8, ff:75.

   x : 0x00 0x01 0x02 ... 0x49 ... 0xb6 ... 0xfd 0xfe 0xff
S(x) : 0x63 0x7c 0x77 ... 0x3b ... 0x4e ... 0x54 0xbb 0x16

∆x = ‘ff’ pairs the inputs (0x00, 0xff), (0x01, 0xfe), (0x02, 0xfd), ..., (0x49, 0xb6), ...
∆y : ‘75’, ‘c7’, ‘23’, ..., ‘75’, ... (‘75’ appears twice, for the pairs (0x00, 0xff) and (0x49, 0xb6))

Figure 6.1: Example of the distribution of output differences in the S-box

From Property 6.1, we also see the following property, which shows that in the AES S-box the number of possible output differences is fixed regardless of the input difference (see Appendix B for examples).

Property 6.2 For any input difference ∆x of the AES S-box, the number of possible output differences is always 127.

6.1.2 Relationship between the S-box and the keys

We now discuss some correlations between the S-box and the keys. Let us consider two inputs x and x′ of the S-box-alone structure, as described in Figure 6.2. If these two inputs pass through the S-box after being XORed with a certain key, then the corresponding output difference ∆y is obtained, together with the two outputs y and y′. Taking into account Property 6.1, that for any input difference of the S-box the same value appears at most twice in the output differences, we see that at most four keys (two keys for one output difference) can make the same output difference for these two inputs x and x′. From our computer search, we have found that if we consider five inputs (that is, four input differences: pairing one of the five inputs with each of the other inputs), then each key yields a unique combination of four output differences. For example, let us suppose that five inputs ‘00’, ‘ff’, ‘26’, ‘66’, and ‘bb’ are encrypted with a key ‘00’ in this structure. We then see five corresponding outputs ‘63’, ‘16’, ‘f7’, ‘33’ and ‘ea’. If we pair the first input ‘00’ with the other four inputs, then we see four input differences ‘ff’, ‘26’, ‘66’, and ‘bb’. In this case, the corresponding four output differences are ‘75’, ‘94’, ‘50’ and ‘89’, and no other keys yield these four output differences for the five inputs (note: if we consider only the first two inputs ‘00’ and ‘ff’, then we see that another three keys ‘ff’, ‘49’, and ‘b6’ also yield the same output difference ‘75’).

[Figure 6.2: Substitution in the S-box. Two inputs x and x′ with input difference ∆x are each XORed with the key and then substituted by the S-box (0x00 → 0x63, 0x01 → 0x7c, 0x02 → 0x77, 0x03 → 0x7b, 0x04 → 0xf2, 0x05 → 0x6b, 0x06 → 0x6f, ..., 0xff → 0x16), giving outputs y and y′ with output difference ∆y.]

6.1. Differential properties of the S-box 65

6.1.3 Relationship between the ES-box and the keys

The differential properties of the S-box observed in the previous section still remain

even in the composition of the S-box and MixColumn because MixColumn is a linear

function. To look into the differential properties of the composition, we consider the

ES-box described in Table 4.2. If we consider the ES-box instead of the S-box in the

structure of Figure 6.2, then we see that for any input difference ∆x (four bytes), 256

(4× 4× 4× 4) keys at most lead to the same output difference (16 (2× 2× 2× 2) keys

at least make the same output difference). Of course, even in this structure, each key

yields a unique combination of four output differences for any five inputs. This means

that in the structure of Figure 6.3, if five input-output pairs are known, then only one

pair of key0 and key1 is determined. The following is a randomly chosen example:

1. Let us suppose that a pair, input x and output y, is known for the structure of

Figure 6.3. That is, x=(32 5a 98 34) and y=(a4 9c 7f f2).

2. To find the key pair of key0 and key1 used for the encryption, if we consider every

possible substitution path in the ES-box, then we find $2^{32}$ possible key pairs.

3. Now, let us consider another input-output pair of x′=(25 b5 ae 79) and y′=(83

5f 87 68) (∆x = (17 ef 36 4d), ∆y = (27 c3 f8 9a)). If we apply step 2 to this

input-output pair, then we also see another $2^{32}$ possible key pairs.

4. If we select the key pairs overlapped in step 2 and step 3, then one of these key

pairs will be the key pair actually used. At this stage, there remain 16 key pairs

of key0 and key1, which are

(3c41153c, 6ea59186), (2b41153c, 90daee07),

(3cae153c, 5e858196), (2bae153c, a0fafe17),

(3c41233c, d967e431), (2b41233c, 27189bb0),

(3cae233c, e947f421), (2bae233c, 17388ba0),

(3c411571, 30fb733a), (2b411571, ce840cbb),

(3cae1571, 00db632a), (2bae1571, fea41cab),

(3c412371, 8739068d), (2b412371, 7946790c),

(3cae2371, b719169d), (2bae2371, 4966691c).

5. Finally, if one more input-output pair of x′′=(14 66 f2 24) and y′′=(50 4e bc b5)

is considered, then a single pair of key0=(2b ae 15 3c) and key1=(a0 fa fe 17)

remains in the end. This key pair is the key pair actually used.


In this example, the key pair of key0 and key1 actually used is determined by three

input-output pairs. This example shows a general case. We note once again that in

any case, at most five input-output pairs determine the key pair of key0 and key1 in

the structure of Figure 6.3.

[Figure 6.3: Substitution in the composition of the S-box and MixColumn (ES-box: S-box + MixColumn). Omitted diagram: the ES-box maps the four-byte inputs 0x00000000, 0x00000001, ..., 0xabcdef12, ..., 0xffffffff to 0x63636363, 0x7c7c425d, ..., 0x0eb03a4d, ..., 0x16161616; key 0 is XORed with the inputs x and x′ (input difference ∆x) before the ES-box, and key 1 with the outputs y and y′ (output difference ∆y) after it.]

6.1.4 Relationship between the elementary structure and the keys

Based on the above observations, if we now additionally consider the ShiftRows trans-

formation, then we finally see the relationship between the AES elementary structure

and the round keys. In the following property, the shift values of the ShiftRows trans-

formation are considered for each row in the input block.

Property 6.3 For the AES elementary structure surrounded by the round keys, as

described in Figure 6.4, if five input-output pairs are known and the inputs are different

from each other in each of the four-byte combinations

(byte#0, byte#5, byte#10, byte#15),

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

and

(byte#1, byte#6, byte#11, byte#12),


then only one key pair of Key0 and Key1 is determined in any case. That is, in the

structure of Figure 6.4, if five chosen plaintexts are given, then the round key pair

(Key0, Key1) used for the encryption is found in any case.

[Figure 6.4: Elementary structure surrounded by round keys. Omitted diagram: the input block (b0 ... b15, laid out column-wise as b0 b4 b8 b12 / b1 b5 b9 b13 / b2 b6 b10 b14 / b3 b7 b11 b15) is XORed with Key 0, passed through SubBytes, ShiftRows and MixColumns, and XORed with Key 1 to give the output block c0 ... c15 in the same layout.]

6.2 Distinctive output properties of MixColumn

Here we discuss some distinctive output properties of the function MixColumn used

for the MixColumns transformation. We instantly obtain Property 6.4 from the fact

that MixColumn is a linear function on the operation XOR. Although Property 6.4

(actually this can be the definition of the linear function on the operation XOR) looks

very simple, this property is useful for finding consistent patterns in the difference

between two chosen plaintexts.

Property 6.4 Let $I_c = (b_0, b_1, b_2, b_3)$ and $I'_c = (b'_0, b'_1, b'_2, b'_3)$ be any two inputs of MixColumn, and $\Delta I_c$ be the input difference between these two inputs. Then the output difference between the two corresponding outputs is equal to the MixColumn of the input difference. That is

$$\mathrm{MixColumn}(I_c) \oplus \mathrm{MixColumn}(I'_c) = \mathrm{MixColumn}(\Delta I_c = I_c \oplus I'_c).$$

While the designers of the AES algorithm have noted that changing one byte in the

input of MixColumn leads to all bytes in the output of MixColumn changing [28],

we have found the following property.


Property 6.5 For any four-byte input of MixColumn, if the value of a certain byte is α and the other three bytes are all β (α ≠ β), then the value α appears in two bytes of the output of MixColumn. In other words, if the inputs of MixColumn are $I_c = (\alpha, \beta, \beta, \beta)$, $I'_c = (\beta, \alpha, \beta, \beta)$, $I''_c = (\beta, \beta, \alpha, \beta)$, or $I'''_c = (\beta, \beta, \beta, \alpha)$, then

$$\begin{aligned}
\mathrm{MixColumn}(I_c) &= (\gamma, \alpha, \alpha, \delta),\\
\mathrm{MixColumn}(I'_c) &= (\delta, \gamma, \alpha, \alpha),\\
\mathrm{MixColumn}(I''_c) &= (\alpha, \delta, \gamma, \alpha),\\
\mathrm{MixColumn}(I'''_c) &= (\alpha, \alpha, \delta, \gamma),\\
\gamma \oplus \delta &= \alpha \oplus \beta.
\end{aligned}$$

In Property 6.5, if the value of β is ‘00’, then we immediately find Property 6.6.

Property 6.6 is a special case of Property 6.5. Property 6.6 will be used to find some

consistent differential patterns of the AES algorithm.

Property 6.6 For any four-byte input of MixColumn, if the value of a certain byte is α and the other three bytes are all ‘00’, then the value α appears in two bytes of the output of MixColumn and the XOR of the other two bytes of the output is α. That is, if the inputs of MixColumn are $I_c = (\alpha, 00, 00, 00)$, $I'_c = (00, \alpha, 00, 00)$, $I''_c = (00, 00, \alpha, 00)$, or $I'''_c = (00, 00, 00, \alpha)$, then

$$\begin{aligned}
\mathrm{MixColumn}(I_c) &= (\gamma, \alpha, \alpha, \delta),\\
\mathrm{MixColumn}(I'_c) &= (\delta, \gamma, \alpha, \alpha),\\
\mathrm{MixColumn}(I''_c) &= (\alpha, \delta, \gamma, \alpha),\\
\mathrm{MixColumn}(I'''_c) &= (\alpha, \alpha, \delta, \gamma),\\
\gamma \oplus \delta &= \alpha.
\end{aligned}$$

We note that Properties 6.5 and 6.6 are satisfied for the difference between two inputs

as well, because of the linear property (Property 6.4) of the function MixColumn.

6.3 Consistent differential patterns of the AES algorithm

In this section, we observe some consistent differential patterns of the AES algorithm.

We discuss how the AES algorithm tends to yield some differential patterns with prob-

ability 1 after several rounds, although this cipher is probably secure against DC and

LC as outlined in Chapter 3. For future reference, we first define the concept of con-

sistent differential pattern in more detail before discussing the consistent differential

patterns of the AES algorithm.


6.3.1 Concept of the consistent differential pattern

Let us consider an input difference and the corresponding possible output differences for

a certain S-box used in a certain cipher algorithm. From the Differential-Cryptanalysis

point of view, it has been considered very important to make the possible output

differences well distributed for any input difference. This is because a cryptanalyst

can find clues for a DC attack from the biased distribution of the output differences.

Therefore, in the design of the block cipher, designers have made efforts to make the

output differences as uniformly distributed as possible. However, there may be some

hidden patterns in the output differences of the cipher, even in a case where the S-box

has a uniform distribution. Let us suppose that for a certain type of input difference

a certain function always leads to an output difference with a certain pattern. That

is, for a certain function, there always appears a fixed pattern in the output difference

for a certain type of input difference. This pattern may then influence the output

difference even after a few rounds of this cipher, if the mathematical structure of the

cipher is not very complicated. These kinds of patterns could appear not only in an

output difference itself, but also in the relationship between several or more outputs.

So, we define the consistent differential pattern as any kind of pattern which always

appears (probability 1) in an output difference or in the relationship between several

outputs. If a certain consistent differential pattern appears after t rounds of a certain

cipher algorithm, then we call this differential pattern a t-th-round consistent differential

pattern. Given that the concept of the consistent differential pattern includes byte

or bit patterns existing in the output difference itself, we can say that the consistent

differential pattern includes the concept of the truncated differentials [46].

6.3.2 Second-round consistent differential patterns

Let us first consider two plaintexts in which only the values of the first bytes (byte#0)

are different from each other. The input difference is then

row #0: (p, 00, 00, 00),

row #1: (00, 00, 00, 00),

row #2: (00, 00, 00, 00),

row #3: (00, 00, 00, 00).

Because the round key addition does not affect the difference, this pattern still remains

even with the difference after the first-round SubBytes transformation (only the value

of the first byte is changed: p → q, p and q are any hexadecimal values). After the


ShiftRows transformation of the first round, each byte maintains the same value in the

difference. However, the first-round MixColumns transformation leads to a change in

the value of the first byte in each row. The result, according to Property 6.6, is

(r, 00, 00, 00),

(q, 00, 00, 00),

(q, 00, 00, 00),

(s, 00, 00, 00).

(Since MixColumn is a linear function, Property 6.6 is applicable to the difference.)

As the round key addition does not affect the difference, the data is unchanged after the

first round key addition. However, after the second-round SubBytes transformation,

the value of the first byte in each row is changed to

(α, 00, 00, 00),

(δ, 00, 00, 00),

(γ, 00, 00, 00),

(β, 00, 00, 00).

After this, the second-round ShiftRows transformation leads to

(α, 00, 00, 00),

(00, 00, 00, δ),

(00, 00, γ, 00),

(00, β, 00, 00).

Here, the second-round MixColumns transformation causes, according to Property 6.6,

a particular differential pattern in the output difference, such as (a) in Figure 6.5. This

pattern remains after the second-round key addition, because the round key addition

does not affect the difference. Therefore, we finally find a particular output pattern in

the second round output difference

byte#1 = byte#2 = byte#0 ⊕ byte#3,

byte#4 = byte#5 = byte#6 ⊕ byte#7,

byte#8 = byte#11 = byte#9 ⊕ byte#10,

byte#14 = byte#15 = byte#12 ⊕ byte#13.

This pattern is consistent provided only the values of the first bytes in the two plaintexts

are different from each other. So we call this property the consistent differential pattern

of the second round. If the byte having the different values between the two plaintexts

[Figure 6.5: Second-round consistent differential patterns 1. Omitted diagram: panels (a) to (d) show a single-byte input difference p at four different positions (byte#0 in (a), byte#8 in (c)) together with the corresponding second-round output difference; within each output difference, bytes carrying the same mark (α, β, γ, δ) are equal and the remaining two bytes of that column XOR to the marked value.]

is moved, then the consistent differential pattern appears in other positions such as

(b), (c), and (d) in Figure 6.5.

Let us now consider two plaintexts which are different from each other by up to

four bytes in the circled positions, as described in (a), (b), (c) or (d) of Figure 6.6.

[Figure 6.6: Second-round consistent differential patterns 2. Omitted diagram: panels (a) to (d) show input differences that are non-zero only in the circled bytes of one of the four-byte combinations of Property 6.3 (byte#0, byte#5, byte#10, byte#15 in (a)), together with the corresponding second-round output differences, which carry the same α, β, γ, δ relations as in Figure 6.5.]

If we apply the above steps to any pair of two plaintexts that has one of the input differences

in Figure 6.6, then we realise that this pair of plaintexts also produces, after the second

round, one of the same consistent differential patterns as in Figure 6.5. The consistent

differential patterns after the second round are described in Figure 6.6 for two plaintexts

which differ by up to four bytes. Here, we note that unless the circled bytes in an input


difference are all equal to ‘00′ at the same time, the differential pattern always appears

in the second-round output difference.

6.3.3 2⅔rd-round consistent differential patterns

Although it is a little more complicated, some consistent differential patterns after the

third-round ShiftRows transformation can be found from the second-round consistent

differential patterns and Property 6.2. To clarify this, we use an example of how to find

the consistent differential patterns after the third-round ShiftRows transformation. Let

us consider any two plaintexts which differ by only the first byte, as illustrated in Figure

6.5 (a), and apply the third-round SubBytes transformation to byte#1 and byte#2 in

the second-round output difference, with the assumption that byte#1 = byte#2 = ‘ff′

(byte#1 and byte#2 must be the same according to the property of the second-round

consistent differential patterns 1 (a)). We then see that according to Property 6.2, both

values of byte#1 and byte#2 in the output difference, after the third-round SubBytes

transformation, belong to the following set of 127 possible output differences caused

by the input difference ‘ff′. We call this kind of set a differential set; see Appendix B

to find the differential sets for other input differences. For example, from the following

set we see that if the value of byte#1 in the output difference after the third-round

SubBytes transformation is ‘26′, then ‘27′ is not able to appear on byte#2.

01, 02, 03, 07, 0a, 0b, 0c, 0f, 13, 15, 17, 1d, 1e, 1f, 21, 22, 23, 25, 26, 28,

29, 2a, 2d, 2f, 31, 35, 36, 39, 3a, 3c, 3e, 40, 42, 43, 44, 46, 4c, 4d, 50, 52,

53, 56, 57, 58, 59, 5a, 5d, 5e, 62, 63, 65, 68, 69, 6a, 6b, 6d, 70, 72, 73, 75,

76, 7b, 7c, 7e, 7f, 81, 84, 88, 8a, 8c, 8d, 8e, 8f, 94, 95, 99, 9a, 9c, 9e, 9f, a0,

a6, aa, ab, ad, af, b3, b8, b9, ba, c1, c2, c3, c5, c6, c7, c8, ca, cb, cc, cd, cf,

d4, d8, dd, de, e0, e2, e3, e4, e6, e7, eb, ec, ef, f1, f2, f3, f4, f5, f6, fa, fb, fc,

fd, fe, ff.

If we now consider the third-round ShiftRows transformation, we see that both values

of byte#10 and byte#13 in the output difference after this operation are obliged to

belong to the above set. Similarly, if we apply the above idea to other byte pairs

in the second-round output difference, namely (byte#4,byte#5), (byte#8,byte#11) and

(byte#14,byte#15), then we finally find the following consistent differential pattern which

appears in the output difference after the third-round ShiftRows transformation: if

two plaintexts differ by only the first byte, then there are always four pairs of bytes in

the output difference after the third-round ShiftRows transformation, with each pair


belonging to the same differential set, as illustrated in Figure 6.7 (a). Here we note

that any pair of two plaintexts described in Figure 6.5 and Figure 6.6 leads to the

same sorts of consistent differential patterns for the same reason. Figure 6.7 shows

the correspondence between an input difference and the consistent differential pattern

appearing in the output difference after the third-round ShiftRows transformation. In

Figure 6.7, the values on the same mark belong to the same differential set.

[Figure 6.7: 2⅔rd-round consistent differential patterns. Omitted diagram: panels (a) to (d) show the single-byte input differences of Figure 6.5 and the corresponding output differences after the third-round ShiftRows transformation; the values on bytes carrying the same mark belong to the same differential set.]

6.3.4 Third-round consistent differential pattern

A third-round consistent differential pattern exists in the relationship between the

third-round intermediate texts caused by more plaintexts. This third-round consistent

differential pattern could be regarded as the generalisation of the third-round balanced

property referred to in Section 3.2. Let us consider a group of $2^{8n}$ plaintexts that vary

in n bytes and are the same in the other bytes. This group of plaintexts can then be

divided into $2^{8(n-1)}$ small sets of $2^8$ plaintexts that vary in only one byte. In other

words, $2^{8(n-1)}$ small sets of $2^8$ plaintexts exist in the group, and the plaintexts in each


small set are different from each other in only one byte. Given that the XOR of all the

third-round intermediate texts for each small set is ‘00′ in all bytes (balanced property),

we see that the XOR of all the third-round intermediate texts for the above group of

$2^{8n}$ plaintexts is also ‘00’ in all bytes. That is, we see that

$$\bigoplus_{t=0}^{2^{8n}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.1)$$

when each of the third-round intermediate texts is denoted by $C_t$.

[Figure 6.8: Third-round consistent differential pattern. Omitted diagram: $2^{8n}$ plaintexts variable in n bytes are encrypted to the third-round intermediate texts $C_0, C_1, C_2, \ldots, C_{2^{8n}-1}$; pairing $C_0$ with each of the others gives the differences $D_1, D_2, D_3, \ldots, D_{2^{8n}-1}$ ($D$: difference), and each difference is the XOR of all the others, e.g. $D_1 = D_2 \oplus D_3 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1}$ and $D_2 = D_1 \oplus D_3 \oplus D_4 \oplus \cdots \oplus D_{2^{8n}-1}$.]

Now, if we pair any of these $2^{8n}$ third-round intermediate texts with each of the other

intermediate texts, as shown in Figure 6.8, then we can obtain $2^{8n}-1$ third-round output

differences and we see that any of these differences is equal to the XOR of the other

differences in all bytes. More visually, we see that

$$\bigoplus_{t=1}^{2^{8n}-1} D_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix}, \qquad (6.2)$$

and that

$$D_r = \bigoplus_{t=1,\, t \neq r}^{2^{8n}-1} D_t, \qquad (6.3)$$

where $D_r$ denotes any of the third-round intermediate differences.
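As an added example, not code from the thesis, the following Python builds the AES S-box and MixColumn from their definitions and checks several of the observations above on constructed inputs: the key candidates of the keyed S-box from Section 6.1.2 (inputs ‘00’, ‘ff’, ‘26’, ‘66’, ‘bb’ under key ‘00’), Properties 6.5 and 6.6, the second-round byte relations of Section 6.3.2, the differential set of ‘ff’ from Section 6.3.3, and the balanced sum (6.1) of Section 6.3.4. The round keys (ROUND_KEYS) are constructed constants rather than an AES key schedule; that is sufficient because every property checked is independent of the round keys.

```python
from functools import reduce
from operator import xor

def xtime(a):
    """Multiply a by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gf_mul(a, b):
    """Multiply two field elements (shift-and-add, with xtime for each shift)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():
    """AES S-box computed from its definition: inverse in GF(2^8), then the affine map."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):  # s ^= rotl(inv, i) for i = 1..4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()

# Section 6.1.2: keys consistent with the observed output differences of the keyed S-box.
def sbox_key_candidates(inputs, outputs):
    """Keys k for which S(x_i ^ k) ^ S(x_0 ^ k) equals y_i ^ y_0 for every i >= 1."""
    x0, y0 = inputs[0], outputs[0]
    return [k for k in range(256)
            if all(SBOX[x ^ k] ^ SBOX[x0 ^ k] == y ^ y0
                   for x, y in zip(inputs[1:], outputs[1:]))]

# Section 6.3.3: the differential set of an input difference dx.
def differential_set(dx):
    return {SBOX[x] ^ SBOX[x ^ dx] for x in range(256)}

# Section 6.2: MixColumn and Properties 6.5 / 6.6.
MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))

def mix_column(col):
    """MixColumn of one four-byte column (b0, b1, b2, b3)."""
    return tuple(reduce(xor, (gf_mul(x, m) for x, m in zip(col, row))) for row in MC)

def property_6_5_holds(alpha, beta, pos):
    """Input alpha at position pos, beta elsewhere: alpha must appear in the two output
    rows whose MixColumn coefficient for pos is 1, and the other two rows must XOR to
    alpha ^ beta.  Property 6.6 is the special case beta == 0."""
    col = [beta] * 4
    col[pos] = alpha
    out = mix_column(col)
    ones = [r for r in range(4) if MC[r][pos] == 1]
    rest = [r for r in range(4) if MC[r][pos] != 1]
    return all(out[r] == alpha for r in ones) and out[rest[0]] ^ out[rest[1]] == alpha ^ beta

# Section 6.3: full AES rounds on a 16-byte state with byte#i stored at index i
# (column-major, so column c holds byte#4c .. byte#4c+3).
def shift_rows(state):
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(state):
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4])]

def encrypt_rounds(block, round_keys, rounds):
    """AddRoundKey, then `rounds` full rounds (SubBytes, ShiftRows, MixColumns, AddRoundKey)."""
    state = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, rounds + 1):
        state = mix_columns(shift_rows([SBOX[b] for b in state]))
        state = [b ^ k for b, k in zip(state, round_keys[r])]
    return state

# Constructed round keys (NOT the AES key schedule): every property checked here is
# independent of the round keys, so any fixed values will do.
ROUND_KEYS = [[(37 * i + 101 * r) & 0xFF for i in range(16)] for r in range(4)]

def second_round_difference(p1, p2, round_keys=ROUND_KEYS):
    c1, c2 = encrypt_rounds(p1, round_keys, 2), encrypt_rounds(p2, round_keys, 2)
    return [a ^ b for a, b in zip(c1, c2)]

def second_round_pattern_holds(d):
    """Byte relations of Section 6.3.2 for two plaintexts differing only in byte#0."""
    return (d[1] == d[2] == d[0] ^ d[3] and d[4] == d[5] == d[6] ^ d[7]
            and d[8] == d[11] == d[9] ^ d[10] and d[14] == d[15] == d[12] ^ d[13])

def third_round_xor(base, round_keys=ROUND_KEYS):
    """XOR of the third-round texts of the 2^8 plaintexts that vary only in byte#0 (6.1)."""
    acc = [0] * 16
    for v in range(256):
        pt = [v] + list(base[1:])
        acc = [a ^ b for a, b in zip(acc, encrypt_rounds(pt, round_keys, 3))]
    return acc
```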

6.3.5 Fourth-round consistent differential patterns

Fourth-round consistent differential pattern 1

We now find a fourth-round consistent differential pattern from the third-round con-

sistent differential pattern. Of the groups of plaintexts that lead to the third-round

consistent differential pattern, let us consider a group of $2^{32}$ plaintexts that vary in

the first column (four bytes). If we imagine that these plaintexts are decrypted by one

round with any round key, then we see that the decrypted texts vary in

(byte#0, byte#5, byte#10, byte#15).

That is, the $2^{32}$ decrypted texts are different from each other in the circled bytes

described in Figure 6.6 (a). This means that any $2^{32}$ plaintexts that vary in

(byte#0, byte#5, byte#10, byte#15)

lead, after one round, to the intermediate texts varying in the first column, and that

if one of these plaintexts is paired with each of the other plaintexts, then after the

fourth round, any of the $2^{32}-1$ intermediate differences is equal to the XOR of the other

intermediate differences. That is,

$$D_r = \bigoplus_{t=1,\, t \neq r}^{2^{32}-1} D_t, \qquad (6.4)$$

where $D_r$ denotes any of the fourth-round intermediate differences. This concept is

also applicable to the other three columns, and we see the following fourth-round

consistent differential pattern. That is, for any $2^{32}$ plaintexts that vary in either


(byte#0, byte#5, byte#10, byte#15),

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12)

as illustrated in Figure 6.6, if one of these plaintexts is paired with each of the other

plaintexts, then after the fourth round, any of the $2^{32}-1$ intermediate differences is

equal to the XOR of the other intermediate differences.

Fourth-round consistent differential pattern 2

We now simplify the fourth-round consistent differential pattern 1 so that fewer in-

termediate texts are involved. In fact, the above fourth-round consistent differential

pattern 1 can be said to be caused by this property. Let us once again consider $2^{32}$

plaintexts that vary in

(byte#0, byte#5, byte#10, byte#15).

The first-round intermediate texts for these plaintexts then vary in the first column.

Therefore, if we consider three more rounds, we then see, according to (6.1), that

$$\bigoplus_{t=0}^{2^{32}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.5)$$

where each of the fourth-round intermediate texts is denoted by $C_t$. In (6.5), if we just

consider the values on a certain byte position k, then we see that

$$\text{`00'} = \bigoplus_{t=0}^{2^{32}-1} \text{byte\#}k_t \qquad (6.6)$$

where $\text{byte\#}k_t$ denotes the k-th byte in the intermediate text $C_t$. Let us pay more careful

attention to the values that appear on byte#k. If a certain value appears an even

number of times, then this value does not affect (6.6). We realise, therefore, that only

the values that appear an odd number of times are involved in (6.6), and we see that

$$\text{`00'} = \bigoplus_{p} \mathrm{value}_p \qquad (6.7)$$

where $\mathrm{value}_p$ denotes each of the values that appears an odd number of times on the

byte position k in the fourth-round intermediate texts. As a consequence, we find that


the plaintexts considered above lead to the fourth-round intermediate texts, which have

the following consistent differential pattern on every byte position, such that

$$\mathrm{value}_r = \bigoplus_{p \neq r} \mathrm{value}_p \qquad (6.8)$$

where $\mathrm{value}_r$ is any of the values that appear an odd number of times. We recall that

all other sets of $2^{32}$ plaintexts that vary in either

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12)

also bring the same differential pattern.

Fourth-round consistent differential pattern 3

We now generalise the fourth-round consistent differential pattern 2. Let us consider

any set of $2^{32}$ plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15),

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12)

and their corresponding fourth-round intermediate texts. Then, as previously estab-

lished, we see that

$$\bigoplus_{t=0}^{2^{32}-1} C_t = \begin{pmatrix} 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \\ 00 & 00 & 00 & 00 \end{pmatrix} \qquad (6.9)$$

where $C_t$ denotes each of the fourth-round intermediate texts. Here, let us consider

the values for a certain combination of n bytes in the fourth-round intermediate texts.

If n < 4 (4 is the number of bytes that vary in the plaintexts), then there must be

some values that appear more than once in the combination of n bytes. For example,

if n = 3, then the total number of possible values for the combination of three bytes

is $2^{24}$. So, most values may appear more than once in the combination, because the

number of the fourth-round intermediate texts is $2^{32}$. Even in the case of n = 4, there

will be some values which appear more than once in the combination of four bytes,

unless every value for the combination appears just once. Now let us look at (6.9). As

long as the plaintexts vary in either

(byte#0, byte#5, byte#10, byte#15),

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12),

the fourth-round intermediate texts always satisfy (6.9). This means that the XOR of

the values that appear an odd number of times in the combination of n bytes must be 0

for the fourth-round intermediate texts. Otherwise the fourth-round intermediate texts

cannot satisfy (6.9). As a consequence, we see the following fourth-round consistent

differential pattern 3: the XOR of the values that appear an odd number of times in

the combination of n bytes is 0 for the fourth-round intermediate texts, caused by the

plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15),

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12).

6.3.6 Fifth-round consistent differential pattern

We now discuss a fifth-round consistent differential pattern of the AES algorithm. In

fact, this pattern is not a pattern that directly appears in fifth-round intermediate

texts, but a pattern existing in the relationship between fourth-round intermediate

texts and fifth-round intermediate texts. This pattern is also caused by the sets of $2^{32}$

plaintexts that have been referred to in the fourth-round consistent differential patterns

1, 2 and 3. Let us recall any set of plaintexts that have been considered for the fourth-

round consistent differential pattern 3. As mentioned in the fourth-round consistent

differential pattern 3, the XOR of the values that appear an odd number of times in

the combination of n bytes is 0 for the $2^{32}$ corresponding fourth-round intermediate

texts. Next, let us consider the four-byte combination


(byte#0, byte#5, byte#10, byte#15)

in the fourth-round intermediate texts which moves to the first column in the fifth-

round intermediate texts. As previously shown in the fourth-round consistent differ-

ential pattern 3, the XOR of the values which appear an odd number of times in this

combination must be ‘00000000′. Given that the bytes in this combination move to the

first column in the fifth-round intermediate texts, we see that

$$\text{`00000000'} = \bigoplus_{p} \mathrm{SubBytes}^{-1}\bigl(\mathrm{ShiftRows}^{-1}(\mathrm{MixColumn}^{-1}(RK_5(I_p)))\bigr) \qquad (6.10)$$

where $I_p$ is a value that appears an odd number of times in the first column of the fifth-

round intermediate texts, and $RK_5$ is (the corresponding column of) the fifth round

key. Also, if we change the order of SubBytes and ShiftRows, and combine SubBytes

and MixColumns, then we can simplify (6.10) to (6.11) using the ES-box in Table

4.2 (ShiftRows can be omitted because it does not influence byte values):

$$\text{`00000000'} = \bigoplus_{p} \text{ES-box}^{-1}(RK_5(I_p)). \qquad (6.11)$$

If we now apply the above concept to some other four-byte combinations in the fourth-

round intermediate texts, each of which is either

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12),

then we see that (6.10) and (6.11) also hold for the other three columns in the fifth-

round intermediate texts. So, we call this property a fifth-round consistent differential

pattern. We note that any $2^{32}$ plaintexts that vary in either

(byte#0, byte#5, byte#10, byte#15),

(byte#3, byte#4, byte#9, byte#14),

(byte#2, byte#7, byte#8, byte#13),

or

(byte#1, byte#6, byte#11, byte#12)

lead to the fifth-round consistent differential pattern above.


In this chapter, we have observed some distinctive output properties of the AES

algorithm: some differential properties of the S-box used in the non-linear layer; some

distinctive output properties of the matrix multiplication MixColumn used in the

linear layer; and some consistent differential patterns existing in the partial rounds

of the AES algorithm. In the next chapter, we discuss the impact of the consistent

differential patterns on the security of the AES algorithm.

Chapter 7

Security Impact of the Consistent Differential Pattern

In this chapter, we discuss the impact of the consistent differential patterns on the se-

curity of the AES algorithm. We show that the consistent differential patterns observed

in Chapter 6 can be used for the cryptanalysis of the reduced-round AES algorithm,

independently or cooperatively with others. The cryptanalytic methods introduced in

this chapter are not much more powerful, in the number of rounds, than other crypt-

analytic methods previously proposed, but have some advantages in the requirements

of the methods, such as the number of plaintexts and the complexity. We note that the

purpose of proposing these cryptanalytic methods is to show that consistent differential

patterns of a block cipher are directly related to its security. In discussing the cryptan-

alytic methods, we consider AES-128, although the methods are applicable to AES-192

and AES-256 as well. We note that the last rounds of the AES structures discussed

here do not include the MixColumns transformation, just as the original structure does

not. We note that this chapter is based on the paper [8] published by B. Song and

J. Seberry.

7.1 Three rounds

We use two sets of five chosen plaintexts for the cryptanalysis of three rounds. One set

(Set #1) consists of five plaintexts, which are different from each other only in the first

byte (byte#0) as illustrated in Figure 6.5 (a). The other set (Set #2) consists of five

plaintexts, which are different from each other only in the ninth byte (byte#8) as illus-

trated in Figure 6.5 (c). We first use Set #1 to find half (8 bytes) of the third round

key. Let us now pair any of the five ciphertexts with each of the other ciphertexts.

Then we will obtain four pairs of ciphertexts. If these pairs of ciphertexts are decrypted

with the correct third round key, then the second-round consistent differential pattern


illustrated in Figure 6.5 (a) must appear in the four corresponding second-round in-

termediate differences, because the plaintexts are different from each other only in the

first byte. That is,

byte#1=byte#2,

byte#4=byte#5,

byte#8=byte#11,

byte#14=byte#15

in all the four second-round intermediate differences. Based on this concept, we find

(byte#13, byte#10),

(byte#4, byte#1),

(byte#8, byte#15),

(byte#6, byte#3)

of the third round key using the following steps.

1. We first find byte#13 and byte#10 of the third round key from the fact that

byte#1=byte#2 in the second-round intermediate differences. Let us decrypt each

byte#13 in a pair of the ciphertexts with all $2^8$ possible values for byte#13 of the

third round key, considering $\mathrm{ShiftRows}^{-1}$ and $\mathrm{SubBytes}^{-1}$. Then, according to

Property 6.2, 127 values will appear for byte#1 in the second-round intermediate

difference. Now, let us decrypt each byte#10 in the same pair of ciphertexts with

all $2^8$ possible values for byte#10 of the third round key. Then, for the same

reason, 127 values will appear for byte#2 in the second-round intermediate dif-

ference. Here, if we select the values for (byte#13, byte#10) which make byte#1

equal to byte#2 in the second-round intermediate difference, then those values

are candidates for (byte#13, byte#10) of the third round key.

2. Now, if we decrypt each (byte#13, byte#10) in another pair of ciphertexts with

those candidates for (byte#13, byte#10) of the third round key, and check whether

byte#1 is equal to byte#2 in the second-round intermediate difference, then fewer

candidates will remain for (byte#13, byte#10) of the third round key. If we apply

this step to the remaining two pairs of ciphertexts, then a single pair of values will

remain for (byte#13, byte#10) at the end, due to the differential property referred

to in Section 6.1.2. This pair, byte#13 and byte#10, are the components of the

third round key.

3. By the same principle, if we consider the other byte relations in the second-round intermediate differences, that is,

byte#4 = byte#5,
byte#8 = byte#11,
byte#14 = byte#15,

then we can obtain

(byte#4, byte#1),
(byte#8, byte#15),
(byte#6, byte#3)

of the third round key.

Now, using the other set of five plaintexts (Set #2), which differ from each other only in the ninth byte (byte#8), we can find the rest of the third round key, which is

(byte#0, byte#7),
(byte#2, byte#5),
(byte#9, byte#12),
(byte#11, byte#14).

In summary, if we have 10 chosen plaintexts, we can find the Cipher Key for the three-round AES algorithm. The time complexity of this method is about 2^8.

7.2 Four rounds

We now present a cryptanalytic method for the four-round AES algorithm, based on the third-round consistent differential pattern. We use one set of 2^8 chosen plaintexts which vary in byte#0 as illustrated in Figure 6.5 (a). This method is similar to the Square attack, given that the Square attack is based on the third-round balanced property. While the Square attack uses two sets of 2^8 chosen plaintexts, however, we use just one set, with the help of the second-round consistent differential patterns.

Basic concept

Let us suppose that a set of 2^8 chosen plaintexts, which differ in only one byte, is given. If these plaintexts are encrypted, then (6.1) or (6.2) will appear in the third-round intermediate texts. This means that if the corresponding 2^8 fourth-round ciphertexts are decrypted with the correct fourth round key, then the third-round consistent differential pattern ((6.1) or (6.2)) will appear in the third-round intermediate texts. Based on this idea, we first find all the possible fourth round keys. Then, using the property of a second-round consistent differential pattern, we select the key actually used from those possible keys.

Finding possible keys

We first find the first byte (byte#0) of the fourth round key, taking into account the decryption procedure. Let us assume a value for the first byte of the fourth round key. If we decrypt (actually S-box^-1) the corresponding bytes in the 2^8 ciphertexts with this assumed value, then we obtain 2^8 first bytes of the third-round intermediate texts. If these values satisfy the third-round consistent differential pattern on byte#0 (check (6.1) or (6.2)), then the value initially assumed for byte#0 is eligible for the first byte of the fourth round key. If not, then the assumption is wrong, so another value is assumed for the first key byte. The probability that a wrong key satisfies the third-round consistent differential pattern on byte#0 is 1/2^8, so one wrong key may be chosen as well. If we apply the above steps to the other 15 bytes of the fourth round key, taking the ShiftRows transformation into account (the MixColumns transformation does not exist in the last round), then we obtain all eligible values for each byte of the fourth round key. At this stage, two values are expected for each key byte, so the number of possible fourth round keys will be about 2^16 (16 is the number of bytes in the round key).

Selecting the key actually used

Next, we select the fourth round key actually used from the above possible keys. Instead of using another set of 2^8 chosen plaintexts, we use the second-round consistent differential pattern 1 (a) illustrated in Figure 6.5 (a). We first randomly choose two ciphertexts from the 2^8 ciphertexts. If we decrypt them with a possible fourth round key and the corresponding third round key (this third round key can be obtained from the key schedule once a possible fourth round key is given), we obtain two second-round intermediate texts and hence their second-round intermediate difference. We now check the second-round consistent differential pattern 1 (a) on this second-round intermediate difference. If the pattern appears in the intermediate difference, then the possible key is the fourth round key actually used. This is because the probability that the second-round consistent differential pattern 1 (a) appears by chance in one second-round intermediate difference is 1/2^32 unless the possible fourth round key is the key actually used. At this stage, since the number of possible fourth round keys we must consider is about 2^16, it is sufficient to check the second-round consistent differential pattern 1 (a) on just one second-round intermediate difference.

Complexity

For this method, we must assume 2^8 values for each key byte of the fourth round key, and look up S-box^-1 2^8 times (the number of ciphertexts) for each assumed key value. Given that the round key block consists of 16 bytes, this task must be done 16 times during the process of finding possible keys. So, we must look up S-box^-1 2^20 times. Also, during the process of selecting the key actually used, we must decrypt two ciphertexts for two rounds with each of the 2^16 possible keys. This step requires 2^16 × 4 one-round decryptions. Considering the amount of computation, the complexity of this method is not greater than 2^17 full encryptions of the four-round AES algorithm.

7.3 Five rounds

The cryptanalytic method which we present for the five-round AES algorithm is based on the fourth-round consistent differential pattern 2. For this method, we use a set of 2^32 chosen plaintexts that vary in (byte#0, byte#5, byte#10, byte#15) as described in Figure 6.6 (a).

Basic concept

Let us consider any set of 2^32 plaintexts of the kind outlined for the consistent differential pattern 2. As previously shown, these plaintexts lead to fourth-round intermediate texts between which the fourth-round consistent differential pattern 2 appears. This means that if the corresponding ciphertexts are decrypted for one round with the correct fifth round key, then the consistent differential pattern 2 appears between the decrypted texts. Based on this concept, the fifth round key is found.

Finding possible keys

We first find all possible values for the first byte (byte#0) of the fifth round key, taking into account the decryption procedure.

1. We first count the occurrences of each value of byte#0 in the 2^32 ciphertexts. For example, '00': 16,777,217, '01': 16,002,912, '02': 16,725,365, . . . , 'fd': 16,865,401, 'fe': 16,643,202, 'ff': 16,763,202. Then, we observe the values which appear an odd number of times. (We are not interested in the values which appear an even number of times, because their contributions cancel in the XOR.) On average, the number of values which appear an odd number of times will be 128. Although we are using 2^32 chosen plaintexts, the number of values we have to consider now is just 128 on average, for example '00', '02', . . . , 'fd'. In fact, this counting can be done at the same time as collecting the ciphertexts, so this step does not add any extra cost to the cryptanalysis.

2. Next, we assume a value for byte#0 of the fifth round key. If we decrypt (actually S-box^-1) the values which appear an odd number of times in step 1 with this assumed key value, then we obtain the corresponding fourth-round values. If the assumed key value is correct, then the XOR of these values in the fourth-round intermediate texts will be '00'. If the XOR of these values is '00', then we keep the assumed key value for byte#0 of the fifth round key. Otherwise, the assumption is wrong, so we assume another value for byte#0 of the fifth round key. Given that one wrong key may be chosen by chance, two values will typically be chosen for byte#0 of the fifth round key.

3. Now, we apply steps 1 and 2 to the other 15 bytes of the fifth round key, taking into account the ShiftRows transformation (the MixColumns transformation does not exist in the last round). Finally, two values for each key byte will be chosen, so the number of possible fifth round keys will be about 2^16.
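The following Python program is an added worked example, not code from the thesis or from the implementation reported in its Appendix C. It builds a compact AES-128 (FIPS 197 definitions, state bytes numbered column-major as in the thesis) whose number of rounds is a parameter and whose last round has no MixColumns, and then reproduces two of the checks described above on reduced-round variants: the three-round check of Section 7.1, where candidate pairs (byte#13, byte#10) of the third round key are filtered on the equality byte#1 = byte#2 in the second-round intermediate differences of five plaintexts that vary in byte#0, and the balanced check of Sections 7.2 and 7.3, where a guessed byte of the last round key is kept only if the S-box^-1 partial decryption of the 2^8 ciphertexts XORs to '00', computed over just the values that occur an odd number of times (step 1 of Section 7.3). Since equations (6.1) and (6.2) are not reproduced on this page, the XOR-to-zero test stated in Section 7.3 is used as the concrete third-round check; the test key bytes(range(16)) and the constant 0x42 filling the fixed plaintext bytes are constructed for this example.

```python
from functools import reduce
from operator import xor

def _xtime(a):                        # multiply by x in GF(2^8), modulus 0x11B
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):                      # GF(2^8) multiplication by shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():                    # affine map of the multiplicative inverse (0 -> 0)
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(1, 256) if _gmul(x, y) == 1) if x else 0
        s = inv
        for _ in range(4):            # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key, rounds):
    """AES-128 key schedule: rounds + 1 round keys of 16 bytes (RK0 is the whitening key)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def shift_rows(s):                    # row r is rotated left by r positions (column-major state)
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):                   # each column times the circulant matrix (2 3 1 1)
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
                _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out

def encrypt_reduced(block, round_keys):
    """Encrypt for len(round_keys) - 1 rounds; the last round has no MixColumns."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    last = len(round_keys) - 1
    for r in range(1, last + 1):
        s = shift_rows([SBOX[b] for b in s])
        if r != last:
            s = mix_columns(s)
        s = [b ^ k for b, k in zip(s, round_keys[r])]
    return s

def chosen_set(key, rounds, n):
    """Round keys plus ciphertexts of n plaintexts differing only in byte#0 (others fixed to 0x42)."""
    rk = expand_key(key, rounds)
    return rk, [encrypt_reduced([v] + [0x42] * 15, rk) for v in range(n)]

def pair_candidates(ciphertexts, pos_a, pos_b):
    """Three rounds (7.1): keep (ka, kb) under which every ciphertext pair, taken back through
    S-box^-1, shows equal differences at the two bytes.  For plaintexts varying in byte#0 the
    second-round difference has byte#1 = byte#2; ShiftRows moves them to positions 13 and 10."""
    c0, rest = ciphertexts[0], ciphertexts[1:]
    return [(ka, kb) for ka in range(256) for kb in range(256)
            if all(INV_SBOX[c0[pos_a] ^ ka] ^ INV_SBOX[c[pos_a] ^ ka]
                   == INV_SBOX[c0[pos_b] ^ kb] ^ INV_SBOX[c[pos_b] ^ kb] for c in rest)]

def odd_count_values(ciphertexts, pos):
    """Values of byte pos occurring an odd number of times (7.3 step 1); x ^ x = 0 makes the rest cancel."""
    parity = [0] * 256
    for ct in ciphertexts:
        parity[ct[pos]] ^= 1
    return [v for v in range(256) if parity[v]]

def balanced_candidates(ciphertexts, pos, odd_only=True):
    """Four rounds (7.2): guesses g for byte pos of the last round key whose S-box^-1 partial
    decryption XORs to '00' (the check of 7.3).  ShiftRows^-1 only relocates the byte, so it is skipped."""
    vals = odd_count_values(ciphertexts, pos) if odd_only else [c[pos] for c in ciphertexts]
    return [g for g in range(256) if reduce(xor, (INV_SBOX[v ^ g] for v in vals), 0) == 0]

if __name__ == "__main__":
    key = bytes(range(16))                                     # constructed test key
    rk, cts = chosen_set(key, 3, 5)                            # 7.1: five chosen plaintexts
    print("RK3 (byte#13, byte#10):", (rk[3][13], rk[3][10]), "found:", pair_candidates(cts, 13, 10))
    rk, cts = chosen_set(key, 4, 256)                          # 7.2: 2^8 chosen plaintexts
    print("RK4 byte#0:", rk[4][0], "candidates:", balanced_candidates(cts, 0))
```

Running the program prints the true key bytes next to the candidates the checks leave: pair_candidates is normally reduced to the single true pair by the four pairs, while balanced_candidates keeps the true byte plus, on average, about one false value per position, which is where the thesis's estimate of roughly 2^16 possible fourth round keys comes from. The five-round method of Section 7.3 applies the same balanced_candidates logic to the 2^32 ciphertexts of that section, which is why the odd-count reduction matters there.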

Selecting the key actually used

We now select the fifth round key actually used from the above possible keys. At this stage, we use the second-round consistent differential pattern 2 (a) illustrated in Figure 6.6 (a). We randomly choose two plaintexts from the 2^32 plaintexts, and decrypt the corresponding two ciphertexts with a possible fifth round key and the corresponding fourth and third round keys (these fourth and third round keys can be obtained from the key schedule once a possible fifth round key is given). Then, we check the second-round consistent differential pattern 2 (a) on the second-round intermediate difference. Finally, only one fifth round key will remain, for the same reason outlined in the cryptanalysis of four rounds.

Complexity

For this method, no encryption or decryption is actually done in the process of finding possible keys. All we have to do is assume 256 values for each fifth round key byte, and look up S-box^-1 128 times (the number of values which appear an odd number of times in the fifth-round intermediate texts) for each assumed key value. Given that the round key block consists of 16 bytes, this task must be done 16 times in the process of finding possible keys. So, we must look up S-box^-1 2^19 (2^8 × 2^7 × 2^4) times on average. Also, in the process of selecting the key actually used, we must decrypt two ciphertexts for three rounds with 2^16 possible keys. This step requires 2^16 × 6 one-round decryptions. Considering the volume of computation, the complexity of this method is about the same as 2^17 full encryptions of the five-round AES algorithm.

We have implemented this method, and have applied it in practice to finding the Cipher Key which is presented as a data example in FIPS 197 (Announcing the Advanced Encryption Standard) [63]. Appendix C shows the result. The results of our implementation have shown that if a set of 2^32 plaintexts is given, so that we know the values which appear an odd number of times in each byte, then the Cipher Key of the five-round AES algorithm can be found in a few seconds. Another test result of our implementation is shown in Appendix C.

7.4 Six rounds

Here we describe a cryptanalytic method for the six-round AES algorithm, which is based on the fifth-round consistent differential pattern and the fourth-round consistent differential pattern 2. We use two sets of 2^32 chosen plaintexts that vary in (byte#0, byte#5, byte#10, byte#15). We slightly change the original structure of the six-round AES algorithm to that of Figure 7.1, so as to reduce the number of key assumptions. In the structure of Figure 7.1, we find RK'5 and RK6. RK'5 in Figure 7.1 and RK5 in the original six-round AES algorithm have the relationship

MixColumns(RK'5) = RK5.

But RK6 in Figure 7.1 is the same as RK6 in the original six-round AES algorithm. Therefore, we can use the structure of Figure 7.1 to find the Cipher Key of the original six-round AES algorithm, because we find the Cipher Key from RK6.

[Figure 7.1: Checking the fourth-round consistent differential pattern. The figure traces the 2^32 chosen plaintexts through the modified six-round structure (SB: SubBytes, SR: ShiftRows, MC: MixColumns), showing the intermediate texts, the round keys RK4, RK'5 and RK6, the byte positions 0, 7, 10 and 13 of the ciphertexts that ShiftRows^-1 gathers into the first column (bytes 0 to 3) of the fifth-round intermediate texts, and the positions 0, 5, 10 and 15 in which the chosen plaintexts vary.]

Finding possible key components

We first find (byte#0, byte#7, byte#10, byte#13) of RK6 using the following steps.

1. We first select the values which appear an odd number of times for the combination of (byte#0, byte#7, byte#10, byte#13) in one set of ciphertexts (on average, there are 2^31 such values of the combination).

2. We now assume a value for the combination of (byte#0, byte#7, byte#10, byte#13) in RK6. If the values selected in step 1 are decrypted for one round with the assumed four-byte key, then the corresponding values are placed in the first column of the fifth-round intermediate texts (see Figure 7.1), and each value in the first column naturally appears an odd number of times (as we decrypt, we also count the values of each byte). These values in the first column must satisfy the fifth-round consistent differential pattern if the assumed key value is correct; that is, they must satisfy the fourth-round consistent differential pattern 2 after ShiftRows^-1 and S-box^-1 in Figure 7.1. We now check whether the values in the first column satisfy the fourth-round consistent differential pattern 2 after ShiftRows^-1 and S-box^-1.

3. This process is the same as the process of finding possible keys in the cryptanalysis of five rounds. We select the values which appear an odd number of times on byte#0 in the fifth-round intermediate texts (we already know these values from step 2; we are not interested in the values which appear an even number of times). If we decrypt (actually S-box^-1) these values with a value assumed for byte#0 of RK'5, then we obtain the corresponding values on byte#0 in the fourth-round intermediate texts. If the assumed key value is correct, then the XOR of these corresponding values will be '00'. If the XOR of these values is '00', then we keep the assumed key value for byte#0 of RK'5. Otherwise, the assumption is wrong, so we return to the beginning of step 3 with another value assumed for byte#0 of RK'5. If the four-byte key initially assumed for RK6 in step 2 is correct, then two values for byte#0 of RK'5 will be chosen, including one wrong value which may be chosen by chance. Step 3 is also applied to the other three bytes of RK'5, which are byte#1, byte#2 and byte#3. We can then check the fourth-round consistent differential pattern 2 for byte#5, byte#10 and byte#15 in the fourth-round intermediate texts as well.

4. Now, we check whether the above values for (byte#0, byte#7, byte#10, byte#13) of RK6 and for (byte#0, byte#1, byte#2, byte#3) of RK'5 are really eligible as components of each round key. To do this, we use the other set of chosen plaintexts. With the key components we have just found, we decrypt the values which appear an odd number of times for the combination of (byte#0, byte#7, byte#10, byte#13) in the new set of ciphertexts. If any values for (byte#0, byte#7, byte#10, byte#13) of RK6 and for (byte#0, byte#1, byte#2, byte#3) of RK'5 satisfy the fourth-round consistent differential pattern 2 on byte#0, byte#5, byte#10 and byte#15 in the fourth-round intermediate texts, then those values are really eligible as key components of RK6 and RK'5. This is because the probability that this event occurs by chance is 1/2^32 (the probability is 1/256 for each byte). At this stage the number of key combinations we may consider is 2^4 on average. If the key components which have been found in steps 2 and 3 pass this step, we keep the value initially assumed for (byte#0, byte#7, byte#10, byte#13) of RK6 (we do not keep the components of RK'5). Otherwise, we return to the beginning of step 2.

5. Using the same concept, if we apply steps 1 to 4 to the other bytes in the ciphertexts, then we can find the other components of RK6, which are

(byte#1, byte#4, byte#11, byte#14),
(byte#2, byte#5, byte#8, byte#15),
(byte#3, byte#6, byte#9, byte#12).

Selecting the key actually used

Now, in order to be certain, we finally check whether the key components are all correct. Using the key schedule, we obtain the fifth, fourth, and third round keys from the sixth round key. Then we decrypt two ciphertexts with the original structure of the six-round AES algorithm (not the structure in Figure 7.1), and check the second-round consistent differential pattern 2 (a) on the resulting second-round intermediate difference. In fact, this step requires, if anything, only a small amount of computation, because wrong key components hardly ever pass step 4.

Complexity

For this method, we must consider four key bytes together in assuming the sixth round key. In step 2, for each assumption of the four-byte key, we decrypt, on average, 2^31 corresponding four-byte words for one round. Then, in step 3, we look up S-box^-1 2^17 (2^8 × 2^7 × 4) times on average. After this, in step 4, we decrypt 2^31 four-byte words for one round, and look up S-box^-1 2^10 (2^7 × 8) times to check whether the assumed key components of the sixth round key can coexist with the obtained key components of the fifth round key. These operations must be done 2^32 × 4 times, because the number of possible values for the four-byte key combination is 2^32 and the round key block consists of 16 bytes (four columns). For this reason, this method requires 2^32 × 2^32 × 4 one-round decryptions of four bytes and (2^17 + 2^10) × 2^32 × 4 S-box^-1 lookups. That is, 2^64 one-round decryptions of a ciphertext block and 2^51 + 2^44 S-box^-1 lookups are needed to find the sixth round key. In addition, some more operations are required to count values in step 1 (step 1 must be done 8 times). However, these operations do not require as much computation as the others. Considering the volume of computation, the complexity of this method is not greater than 2^62 full encryptions of the six-round AES algorithm, even in the worst case.

7.5 Seven-round extension

The cryptanalytic method for the six-round AES algorithm can be extended to seven rounds. We simply assume all the components (16 bytes) of the seventh round key. If we naively assume all the possible values for the seventh round key, then this adds 128 bits to the key assumption, so the complexity will be about 2^190. Given this level of complexity, this method is faster than an exhaustive key search for seven rounds of AES-192 and AES-256. For AES-128, however, this method requires more computation than an exhaustive key search does.

In this chapter we have discussed the impact of the consistent differential patterns on the security of the AES algorithm. We have shown that the consistent differential patterns observed in Chapter 6 can be used for the cryptanalysis of the AES algorithm, either on their own or in combination with other methods. Judging by the AES algorithm, we can say that a block cipher whose structure is very mathematical, statistical and hence rather uniform is apt to have consistent differential patterns.

Chapter 8

Conclusion

In this thesis, we have discussed our further studies on the cryptologic properties of the AES algorithm. In the preceding chapters, we have studied some algebraic properties of the AES algorithm. In particular, we have devoted much space to the cyclic properties and the distinctive output properties of this cipher. In terms of the cyclic properties of the AES algorithm we have found that

• every function used in the AES algorithm has a very short period, and these short periods are not increased in the linear layer;

• when the non-linear layer and the linear layer are combined, the period is dramatically increased; and

• the combination of the non-linear layer and linear layer nevertheless still has short periods for certain types of input blocks, and causes the AES elementary structure to have an unusual algebraic property: input blocks in which all bytes are the same always lead to output blocks in which all bytes are the same. This property is mainly caused by the fact that the matrix multiplication, MixColumn, does not influence the data transformation for inputs in which all bytes are the same.

Summing up our observations on the cyclic properties of the AES algorithm, we can say that the unusual property of the matrix multiplication MixColumn used in the MixColumns transformation causes the AES algorithm to have an undesirable cryptologic property in the cipher part itself. However, the round key addition covers these weaknesses, as previously shown.

In conjunction with the distinctive output properties of the AES algorithm, we have observed that the AES algorithm has an S-box which provides uniformly distributed output differentials, and which enables the AES algorithm to be strong against conventional cryptanalytic methods, such as DC and LC. We have also observed, however, that there are some consistent differential patterns in the AES structure:

• any two plaintexts that differ by only one byte cause a second-round consistent differential pattern; any two plaintexts that differ by up to four bytes in certain positions also cause a second-round consistent differential pattern;

• any two plaintexts referred to above lead to a 2 2/3rd-round consistent differential pattern;

• any 2^(8n) plaintexts that vary in certain n bytes lead to a third-round consistent differential pattern;

• any 2^32 plaintexts that vary in four of the bytes cause some fourth-round consistent differential patterns; and

• any 2^32 plaintexts that vary in four of the bytes cause a fifth-round consistent differential pattern.

Summing up all our observations on the distinctive output properties of the AES algorithm, we note that the AES algorithm is very well designed to provide statistically uniformly distributed differentials, but that at the same time the structure also yields some undesirable consistent differential patterns.

At the moment, we do not claim that the AES algorithm is not good enough as the standard algorithm for the next few decades. Rather, we believe that the AES algorithm is a well-designed block cipher that has many advantages over conventional cryptanalytic methods. It is also true, however, as shown in this thesis, that there are some unusual hidden cryptologic properties in the AES algorithm. These properties are related to both the functions used in the algorithm and the structure of the cipher. We believe that the cryptologic properties we have observed in the AES algorithm should also be considered in the design of other block ciphers.

Appendix A

Classifying the substitution values in the ES-box

Elements in a period of 1088297796:

00000003, 7b7b4b53, 7f405130, 71ac6ebd, 105a9904, 4a76beea, d6c83be2,

ae987220, ee1fe044, f1901c6f, cd76014f, d1cdea8b, 1af0d102, 9994cba1,

8cb9a470, 2a425311, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 4487de39, 00000003.

Elements in a period of 637481159:

00000002, 77775f4b, 89fd4b43, 00dba021, 0bcc1d1d, 8beec4c1, 6631a583,

de40d757, 7446e596, 98c6ca15, 66f0f1b8, 24a452a0, 574444c8, 68a85526,

dc326604, b367ce7e, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3943ffc4, 00000002.

Elements in a period of 637481159:

00000004, f2f2cb5a, 281fe771, 04ab3955, b7fcab9e, eb7fc024, 28b50e24,

9155f64e, 6b8b8878, c1ee0e1b, 8c61f74e, a5362a75, 7ba56ecb, c88823c4,

a60d44f9, a8257589, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , a6284276, 00000004.

Elements in a period of 637481159:

00000006, 6f6f777b, 7cc692fc, 1802f1b0, 9e5cb1ef, df03b03a, cddaab3e,

4807e396, 71601e19, 905af0ef, 4a57a737, 9c1e8049, c74d60b0, 9e97acb7,

ad015a4d, e857b0bb, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ., 24c3a2a6, 00000006.

Elements in a period of 637481159:

00000008, 303096c5, 3201cacf, 3ccd3262, 9845f5f7, b0c34792, 480f4322,

b703bea7, 36ea718d, 66b33891, 5761c826, 834a7d1f, 9d81849d, a9f90e0d,

71cb65e9, 2f540490, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , d4f75ed0, 00000008.

Elements in a period of 129021490:

00000001, 7c7c425d, 70088c94, b4bfcfe3, 8209b92c, 029a2d80, 28a22878,

aea0b931, 7902fa14, 39d58e74, aaad8e13, 83cb8c99, 68901293, 3f19d3c5,

4dca9c7a, 45a8453b, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 40f39ed7, 00000001.


Elements in a period of 129021490:

00000007, c5c59234, f138b628, 2a4966d9, 9af3e756, 59b44e33, ed784679,

996e9c6e, 3c2d6c4d, 0d53ad73, 833d811f, 6676889f, 31cfee04, ca42100f,

201f4d96, 5d8201da, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 25322e95, 00000007.

Elements in a period of 129021490:

00000009, 0101c5a7, 8629b3e6, 9f2cb203, 721b49c6, e5fc5e27, f686961b,

77ced757, 22b18f37, 9717083a, b0a38358, 4db69000, 0cbcc8d6, 56e15163,

40c9e60c, 1edfcaaf, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , f8bc508a, 00000009.

Elements in a period of 129021490:

00000010, caca832a, 7d56f7d5, 463d9bc5, 6f8ea48a, 573fa14f, 9f63ddb9,

2c3843e0, 10b07a57, 3c316fce, bc16e144, e0e3e426, 748f20b5, c863f0d8,

30ebb396, d5ea9cb3, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 9660fca0, 00000010.

Elements in a period of 64376666:

00000016, 47470f2b, 2790e4d4, 02ffa6d6, 06c1285c, 2889a169, 51cee720,

1cccab02, ebdb8a78, dbbe7384, 502bf34f, 27392f1a, 02750917, a3a5e3fe,

b48ef864, 283fd352, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c50ccf88, 00000016.

Elements in a period of 64376666:

00000142, 330d8ce2, 03426fc6, 9e74db7a, d83e8599, 7652cf41, 793ea9df,

f7390087, 92fe85e7, 4b1466ce, d082a90a, 615f779e, 7165cc06, ae8bc926,

be157a22, e5faf657, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , e401999a, 00000142.

Elements in a period of 11782972:

000000ea, 878754b0, d0be72db, f04e8e17, 9b099a42, bfe90add, 945c80f8,

16bb2a63, b5476a2b, b979793f, ae950810, 572aeba2, 51903995, 210deb4e,

4547927c, 78f4607d, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 638a2857, 000000ea.

Elements in a period of 39488:

00020002, 4b5f4b5f, 4b374b37, e1c8e1c8, d8c8d8c8, 68e168e1, 24992499,

9d459d45, 3e0e3e0e, 80998099, 8ba88ba8, d827d827, 208d208d, 78927892,

41b241b2, f044f044, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ., 30a530a5, 00020002.

Elements in a period of 16934:

00010001, 5d425d42, 8cec8cec, 2b812b81, 10ed10ed, ef70ef70, d856d856,

da0ada0a, 37073707, 247b247b, 180f180f, 00db00db, cc16cc16, 535f535f,

a98ba98b, 14fa14fa, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 6ad56ad5, 00010001.


Elements in a period of 13548:

00023af9, 468fbf7b, 08855ad7, 72d2d265, bcb8535a, 2d2f1149, 2d549f92,

5fa18416, cb0d8aa9, f1fb5a35, 60f0687e, 82efd85f, f2da440e, 40a10e81,

e387629a, 09629ae5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 6b5493f6, 00023af9.

Elements in a period of 13548:

0005fde6, a1c7299d, ce0f4789, 903b5405, b6b47fb4, 4faff08c, 709d52aa,

ec41e0ee, d0c3ec7b, 7d44ba32, 1fed72b3, 49c7a294, 3fc0eff5, 06865b2d,

f3742a67, d783da71, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 8bf1558a, 0005fde6.

Elements in a period of 10756:

001004ad, e474f2ac, 67475a99, bae96b4d, 4daa2abb, 3d7ebbb8, c693afa8,

b75ec7fd, 331c9ad6, 6cc5358d, 9afb267a, 577e3784, 7d4c663a, 2d782b1b,

2a1c777b, bae3eb1f, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 245557ee, 001004ad.

Elements in a period of 7582:

00070007, 34923492, b6e1b6e1, 398f398f, d0b1d0b1, 1ba31ba3, fe5bfe5b,

a426a426, 2e902e90, 93c293c2, 35cc35cc, 37ea37ea, a0bda0bd, cf55cf55,

66106610, da23da23, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , d740d740, 00070007.

Elements in a period of 5640:

00022db0, 60198ddf, 1f1a07c5, 056d026b, 9af53808, 6d560052, d3e04b96,

d7e151c3, f0a33d67, bf745cb3, 9a84b91a, 7e5eb685, cc06952d, d5330333,

e0d06820, bb79d978, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , feb74bd1, 00022db0.

Elements in a period of 5640:

0015e186, 91861d8c, 159a3ab0, 064ec806, 287d3aa8, 30888dbc, 6715d55f,

36fd904b, 25be5f46, 0268fa94, 2ea80eb5, 419dda8b, 95fb34ed, 0849eac3,

84fa6cb0, 7e12e049, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 5d50a4a6, 0015e186.

Elements in a period of 3560:

00094090, ac1ad06d, 88629702, 897ffc9b, 9cc732b8, b940ea44, 2bcd6742,

8c282968, 74bdceb7, 93490515, dc4eda9d, 6f7fe555, 039bcc0b, aaa58484,

491ef508, 36deceb9, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , f6110e3e, 00094090.

Elements in a period of 1902:

0000c22b, b73b421a, faa0ee71, ea2d63e2, 05a2019a, 5c237a90, 441363e2,

d26f3880, 583a5fea, 07bcfde4, 039ab3b7, e10ef911, 1687e73e, 917cae35,

5b00e35b, fff5334b, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 07a9ec2e, 0000c22b.


Elements in a period of 1902:

0021e4f9, 2aa0fc18, f7589225, 1e52dde3, 343bd875, f1f9848a, c81704c2,

173b886b, 7d0700d3, b4ad5670, 4525920a, b5a6660c, 10368e94, bbc99b1d,

03d3e8bf, cf092860, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 76a21d37, 0021e4f9.

Elements in a period of 548:

00b800b8, 7d727d72, 9a259a25, ad2aad2a, 75057505, 6a9c6a9c, a17da17d,

b37eb37e, 4ad44ad4, f16ff16f, b3bab3ba, 44dd44dd, b46eb46e, a9bba9bb,

a198a198, daaedaae, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 05a905a9, 00b800b8.

Elements in a period of 548:

00c600c6, d601d601, f973f973, b5a3b5a3, 70af70af, 01290129, d50cd50c,

e21fe21f, 28702870, fe9bfe9b, fe51fe51, 6f056f05, 35f635f6, 25f125f1,

18861886, 648d648d, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 85708570, 00c600c6.

Elements in a period of 136:

01d266c5, a9fe5e55, cfaac76e, b9070bca, a7ce59fc, 45a791df, 27d09248,

0eafd4d4, c6c99a47, 1766f9f9, aebf5a88, b1e9dc12, e6ac8152, a3a30714,

35b0843e, e8100266, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , f554d80d, 01d266c5.

Elements in a period of 90:

02338d7f, 3fdf63b8, c428b222, c0bee81a, bfe9c4bf, 2618360a, 7bdef964,

bfe8d061, 395a5936, 33362e49, 98a1e91c, 589cf7c5, 63d3955f, a28683df,

ca0304c1, eff778e5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3c0c694e, 02338d7f.

Elements in a period of 90:

0304c1ca, f778e5ef, 09a40778, a07b06ec, 19dd56f2, d30cec1e, 69ba897e,

ba0b56be, 91c44fda, ee7977ae, 80bf58e8, 68f8a703, 6e583124, 6a2f3a7b,

9a926fd1, 2cfbfe48, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 8683dfa2, 0304c1ca.

Elements in a period of 87:

f2f2f2f2, 89898989, a7a7a7a7, 5c5c5c5c, 4a4a4a4a, d6d6d6d6, f6f6f6f6,

42424242, 2c2c2c2c, 71717171, a3a3a3a3, 0a0a0a0a, 67676767, 85858585,

97979797, 88888888, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 04040404, f2f2f2f2.

Elements in a period of 81:

7c7c7c7c, 10101010, cacacaca, 74747474, 92929292, 4f4f4f4f, 84848484,

5f5f5f5f, cfcfcfcf, 8a8a8a8a, 7e7e7e7e, f3f3f3f3, 0d0d0d0d, d7d7d7d7,

0e0e0e0e, abababab, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 01010101, 7c7c7c7c.


Elements in a period of 59:

00000000, 63636363, fbfbfbfb, 0f0f0f0f, 76767676, 38383838, 07070707,

c5c5c5c5, a6a6a6a6, 24242424, 36363636, 05050505, 6b6b6b6b, 7f7f7f7f,

d2d2d2d2, b5b5b5b5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 52525252, 00000000.

Elements in a period of 47:

0112dc34, 267c8afb, b45a0a72, ff033dd5, 858a2660, 90b97790, afa867c3,

045cd890, 20a5dae6, a6cc9694, 273b32f3, 907b7f94, 536d9817, 33af56ad,

326c67a7, 6f4b8608, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c406421d, 0112dc34.

Elements in a period of 47:

018b9ded, b4b1024d, d67c95ee, c580ca6b, 10c402b6, 9225eab2, 6f943c07,

030f13bb, fbfad249, e7aa1eff, b857e655, 47af2f82, d67ec6b1, 850435cd,

13748ea7, 123539b4, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 32926cc7, 018b9ded.

Elements in a period of 47:

03c975a2, 2d5cc9b9, fe66c948, b7f3df9c, 1ed4fad4, 59ddb863, 421dc406,

dc340112, 8afb267c, 0a72b45a, 3dd5ff03, 2660858a, 779090b9, 67c3afa8,

d890045c, dae620a5, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c0c8d6db, 03c975a2.

Elements in a period of 40:

0aff4adf, bcb47f4e, bb2626ae, def9dff6, 56cf65a4, f8207a9d, c41fbb12,

406b5387, 69cc8ea7, 711864fa, df0aff4a, 4ebcb47f, aebb2626, f6def9df,

a456cf65, 9df8207a, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 1864fa71, 0aff4adf.

Elements in a period of 36:

03d603d6, 7af77af7, a517a517, f107f107, 690d690d, a58ba58b, 704b704b,

8e6c8e6c, 8bc28bc2, 0d150d15, d05ed05e, 20082008, a225a225, 30353035,

3ba93ba9, 80b180b1, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 3e0a3e0a, 03d603d6.

Elements in a period of 36:

07f107f1, 0d690d69, 8ba58ba5, 4b704b70, 6c8e6c8e, c28bc28b, 150d150d,

5ed05ed0, 08200820, 25a225a2, 35303530, a93ba93b, b180b180, c2c7c2c7,

f81bf81b, 86688668, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 17a517a5, 07f107f1.

Elements in a period of 27:

efefefef, dfdfdfdf, 9e9e9e9e, 0b0b0b0b, 2b2b2b2b, f1f1f1f1, a1a1a1a1,

32323232, 23232323, 26262626, f7f7f7f7, 68686868, 45454545, 6e6e6e6e,

9f9f9f9f, dbdbdbdb, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 61616161, efefefef.

Elements in a period of 24:

03d503d5, 8bf38bf3, 5d6d5d6d, acdcacdc, bfa8bfa8, 874d874d, e410e410,

34973497, 23b323b3, b0fbb0fb, 2cc42cc4, abc6abc6, d503d503, f38bf38b,

6d5d6d5d, dcacdcac, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , c6abc6ab, 03d503d5.

Elements in a period of 21:

050f050f, 514c514c, 3ac23ac2, d174d174, 7dd17dd1, 66a766a7, ed82ed82,

d99fd99f, f21cf21c, a3b6a3b6, 82c682c6, 46e146e1, 05a705a7, 05320532,

fbb3fbb3, cba9cba9, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , e344e344, 050f050f.

Elements in a period of 21:

0f050f05, 4c514c51, c23ac23a, 74d174d1, d17dd17d, a766a766, 82ed82ed,

9fd99fd9, 1cf21cf2, b6a3b6a3, c682c682, e146e146, a705a705, 32053205,

b3fbb3fb, a9cba9cb, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 44e344e3, 0f050f05.

Elements in a period of 15:

0e6e0e6e, c3f7c3f7, a2e4a2e4, 9ccf9ccf, 76227622, 75de75de, 86068606,

12391239, 64bf64bf, d59ed59e, 131b131b, c210c210, e00fe00f, d443d443,

ecbeecbe, 0e6e0e6e.

Elements in a period of 15:

6e0e6e0e, f7c3f7c3, e4a2e4a2, cf9ccf9c, 22762276, de75de75, 06860686,

39123912, bf64bf64, 9ed59ed5, 1b131b13, 10c210c2, 0fe00fe0, 43d443d4,

beecbeec, 6e0e6e0e.

Elements in a period of 12:

0327266c, 1eaab216, 7b2f7983, 27266c03, aab2161e, 2f79837b, 266c0327,

b2161eaa, 79837b2f, 6c032726, 161eaab2, 837b2f79, 0327266c.

Elements in a period of 8:

cac4cac4, a4cca4cc, 4d4f4d4f, 2d4a2d4a, c4cac4ca, cca4cca4, 4f4d4f4d,

4a2d4a2d, cac4cac4.

Elements in a period of 4:

01828fc8, 5627aa2f, 8fc80182, aa2f5627, 01828fc8.

Elements in a period of 4:

27aa2f56, c801828f, 2f5627aa, 828fc801, 27aa2f56.

Elements in a period of 4:

a37dadf5, 7dadf5a3, adf5a37d, f5a37dad, a37dadf5.

Elements in a period of 2:

5da35da3, c086c086, 5da35da3.

Elements in a period of 2:

a35da35d, 86c086c0, a35da35d.

Elements in a period of 2:

73737373, 8f8f8f8f, 73737373.

Appendix B

Distribution of output differences

Output differences for an input difference 01:

01, 04, 06, 08, 09, 0a, 0b, 0c, 0d, 0e, 0f, 11, 14, 15, 18, 19, 1a, 1e, 1f, 21, 22, 24,

29, 2a, 2d, 2f, 30, 31, 35, 36, 37, 38, 39, 3a, 3b, 3f, 43, 47, 48, 4a, 4b, 4c, 4e, 4f,

51, 53, 54, 58, 59, 5a, 62, 63, 65, 69, 6a, 6b, 6c, 6e, 72, 75, 78, 79, 7d, 80, 82, 83,

84, 85, 87, 89, 8a, 8e, 91, 93, 97, 99, 9b, 9d, 9f, a1, a3, a6, a8, a9, aa, ab, ac, ad,

b0, b2, b4, b5, b6, b7, ba, bc, c1, c2, c3, c7, c8, ca, cc, cd, ce, cf, d0, d2, d3, d8,

dc, dd, e0, e1, e4, e7, ea, ed, ee, ef, f2, f6, f7, f8, fa, fb, ff.

Output differences for an input difference 02:

03, 04, 05, 06, 07, 0b, 0c, 0d, 0f, 11, 12, 14, 1b, 1c, 1d, 24, 25, 27, 2a, 2c, 2d, 2e,

2f, 36, 37, 38, 3c, 40, 41, 42, 47, 4d, 52, 53, 54, 55, 56, 57, 58, 59, 5a, 5d, 5f, 60,

64, 66, 67, 68, 6c, 6d, 6e, 70, 72, 75, 79, 7a, 7b, 7c, 7d, 80, 83, 84, 85, 86, 87, 88,

8a, 8c, 8e, 91, 94, 96, 97, 98, 99, 9a, 9b, 9c, 9d, 9f, a1, a2, a5, a7, a8, a9, aa, ac,

ae, b1, b2, ba, bc, bd, be, c0, c1, c2, c3, c5, c8, cb, cd, ce, cf, d0, d1, d4, d5, da,

db, de, e0, e3, e6, e7, e9, ec, ee, f0, f2, f3, f7, fa, fd, fe, ff.

Output differences for an input difference 03:

02, 04, 05, 08, 0a, 0b, 0c, 11, 12, 13, 14, 15, 16, 17, 18, 1b, 1e, 1f, 21, 22, 24, 28,

2b, 34, 36, 37, 3a, 40, 44, 45, 46, 48, 4b, 4d, 4e, 52, 53, 55, 56, 57, 5c, 5d, 60, 62,

64, 66, 67, 6c, 6d, 6e, 71, 72, 75, 76, 7b, 7c, 7d, 7e, 7f, 81, 82, 85, 86, 88, 8a, 8b,

91, 92, 93, 94, 95, 99, 9b, 9d, 9e, a0, a2, a3, a4, a5, a6, a9, aa, ad, af, b4, b7, ba,

bb, bc, be, c1, c2, c5, c6, c7, c8, cc, ce, d1, d3, d4, d6, d7, d8, d9, da, dc, de, e1,

e3, e4, e5, e8, e9, ea, ed, ef, f0, f5, f7, f8, f9, fa, fb, fd, ff.

Output differences for an input difference 04:

09, 12, 15, 16, 17, 18, 19, 1b, 1c, 1d, 1e, 20, 21, 26, 27, 29, 2c, 2d, 30, 31, 32, 33,

34, 35, 36, 37, 38, 3d, 3e, 42, 43, 45, 46, 47, 48, 49, 4a, 4b, 4e, 51, 53, 54, 55, 56,

57, 59, 5a, 5d, 60, 64, 65, 67, 68, 6a, 6f, 70, 73, 76, 78, 79, 7a, 7b, 7d, 7e, 81, 85,

87, 88, 8d, 8e, 91, 92, 93, 95, 96, 97, 98, 99, 9b, 9d, a0, a2, a3, a6, a9, ab, ac, af,

b0, b1, b3, b6, ba, be, c2, c3, c4, c5, cb, cc, cd, ce, cf, d0, d4, d6, d7, d8, db, de,

df, e2, e4, e6, e7, e8, ea, ec, ed, f1, f3, f4, f6, f9, fa, fb, ff.

Output differences for an input difference 05:

04, 08, 09, 0c, 0d, 11, 12, 14, 15, 16, 18, 1c, 1e, 1f, 20, 23, 24, 26, 29, 2e, 2f, 30,

31, 32, 33, 38, 39, 3a, 3b, 40, 42, 43, 44, 45, 48, 4a, 4c, 4f, 50, 52, 53, 55, 57, 58,

5a, 5b, 5c, 5f, 61, 62, 63, 64, 66, 67, 6a, 71, 73, 76, 78, 79, 7b, 80, 81, 86, 88, 8c,

8e, 90, 91, 92, 93, 94, 96, 98, 99, 9a, 9c, 9d, 9e, 9f, a0, a3, a4, a6, a8, a9, aa, ac,

af, b1, b2, b3, b4, b5, b7, b9, bb, c0, c1, c3, c6, c7, c8, c9, cb, cc, ce, d0, d1, d2,

d4, d5, dd, df, e0, e1, e3, e6, e7, ec, f0, f1, f5, f9, fc, fe, ff.

Output differences for an input difference 06:

01, 04, 05, 09, 0b, 0c, 0e, 10, 11, 12, 14, 19, 1a, 1b, 20, 23, 24, 26, 29, 30, 31, 32,

33, 35, 36, 37, 39, 3b, 3d, 3e, 3f, 40, 43, 49, 4a, 4c, 4d, 4f, 50, 51, 52, 53, 55, 56,

57, 5b, 5d, 5e, 60, 61, 63, 64, 65, 66, 67, 69, 6a, 6b, 6c, 6d, 6e, 6f, 72, 73, 74, 75,

77, 78, 7b, 7c, 7d, 85, 86, 88, 89, 8a, 8d, 8f, 90, 91, 94, 99, 9b, 9d, a2, a5, a9, aa,

ab, b0, b3, b5, b6, b8, b9, ba, bc, be, bf, c1, c2, c4, c5, c8, c9, ca, ce, d1, d2, d4,

da, dd, de, df, e2, e3, e9, eb, f0, f1, f4, f6, f7, fa, fc, fd, ff.

Output differences for an input difference 07:

01, 06, 08, 09, 0a, 10, 11, 13, 14, 16, 1c, 1d, 21, 22, 23, 25, 27, 28, 2e, 2f, 31, 32,

33, 35, 36, 37, 39, 3a, 3c, 3d, 3e, 3f, 41, 42, 43, 44, 45, 46, 48, 4e, 54, 55, 56, 57,

59, 60, 62, 64, 65, 66, 6d, 6e, 6f, 72, 73, 75, 76, 78, 79, 7b, 7c, 7e, 80, 83, 84, 86,

87, 89, 8e, 8f, 90, 93, 94, 96, 9a, 9b, 9d, 9e, a0, a4, a5, a6, a7, a9, aa, ac, b0, b2,

b3, b5, b6, b7, b8, bb, bc, be, bf, c2, c5, c8, c9, ca, cc, cd, d2, d5, d6, d9, da, db,

dc, dd, e0, e2, e3, e4, e5, e6, e7, e8, ed, f2, f3, f8, fc, fe, ff.

Output differences for an input difference 08:

02, 03, 09, 0b, 0c, 0f, 10, 11, 13, 15, 16, 1a, 1b, 1f, 21, 22, 24, 25, 26, 27, 2d, 30,

31, 32, 35, 38, 39, 3b, 3f, 47, 4b, 4c, 50, 51, 52, 53, 56, 57, 58, 5b, 5d, 62, 64, 66,

67, 68, 6a, 6b, 6d, 6f, 71, 74, 75, 76, 7a, 7d, 7e, 82, 83, 84, 87, 8b, 8c, 8d, 90, 93,

94, 95, 96, 9a, 9b, 9e, a1, a3, a4, a5, a6, a7, a8, a9, ab, ac, ae, af, b0, b1, b2, b3,

b7, b8, bc, be, c0, c2, c3, c4, c6, c8, ca, cb, cd, ce, d1, d2, d4, d5, d7, d8, d9, df,

e0, e1, e2, e6, e7, e8, e9, eb, ed, ef, f3, f7, f8, f9, fa, fc, fd.

Output differences for an input difference 09:

02, 03, 06, 07, 0c, 0e, 12, 13, 15, 16, 17, 19, 1a, 1c, 1d, 1e, 1f, 20, 25, 28, 29, 2e,

2f, 31, 32, 33, 37, 39, 3a, 3c, 3e, 3f, 43, 45, 46, 47, 4b, 4c, 4d, 4e, 51, 53, 54, 55,

56, 58, 5a, 5b, 5c, 5d, 5e, 5f, 61, 62, 63, 64, 66, 67, 68, 6a, 6c, 6d, 6e, 70, 71, 7c,

7d, 7e, 7f, 82, 83, 85, 86, 87, 89, 8d, 8e, 8f, 90, 92, 95, 96, 97, 98, 99, 9b, 9f, a1,

a4, a6, aa, b0, b1, b6, b8, bb, bc, c0, c1, c3, c5, c7, c8, c9, cc, d1, d3, d5, dc, dd,

de, df, e0, e2, e7, ea, eb, ed, ee, f0, f3, f4, f7, f8, f9, fd, ff.

Output differences for an input difference 0a:

02, 03, 04, 06, 07, 09, 0a, 0c, 0f, 11, 12, 13, 14, 17, 1d, 20, 21, 22, 23, 24, 25, 26,

27, 28, 29, 2a, 2b, 2c, 2d, 30, 31, 32, 33, 34, 39, 3b, 3c, 40, 41, 43, 46, 47, 4a, 4b,

4c, 4e, 4f, 50, 52, 53, 54, 55, 57, 59, 5b, 61, 63, 64, 66, 67, 68, 6a, 70, 73, 78, 7a,

7b, 7e, 7f, 82, 83, 84, 86, 87, 88, 8b, 90, 91, 94, 95, 97, 99, 9d, a1, a7, a9, aa, ad,

ae, b3, b5, b9, bd, c1, c8, c9, cd, ce, cf, d1, d2, d3, d4, d6, d7, d8, d9, db, dc,

dd, df, e3, e4, e5, e8, ea, ed, ee, ef, f0, f1, f2, f3, f8, fb, fc, ff.

Output differences for an input difference 0b:

01, 07, 08, 09, 0c, 0d, 0e, 0f, 10, 11, 12, 16, 17, 18, 19, 1b, 1d, 1e, 20, 21, 22, 23,

24, 28, 2b, 2c, 2d, 2f, 30, 31, 33, 34, 36, 37, 39, 3a, 3b, 3c, 40, 41, 46, 47, 48, 4b,

4c, 53, 55, 56, 5a, 5d, 61, 65, 69, 6a, 6c, 6d, 6e, 6f, 70, 71, 72, 73, 74, 76, 79, 7b,

7f, 80, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8c, 8d, 8e, 96, 9a, 9e, 9f, a1, a4, a5, a9,

af, b1, b4, b6, b8, b9, ba, bd, be, c0, c4, c6, c7, c8, c9, cb, cc, cd, ce, d0, d2, d5,

d6, d8, db, e2, e3, e5, e6, e9, eb, ed, ef, f0, f1, f6, f8, f9, fd.

Output differences for an input difference 0c:

02, 03, 06, 07, 08, 09, 0a, 0d, 0f, 12, 13, 19, 1b, 1f, 20, 22, 25, 26, 28, 29, 2a, 2b,

2e, 2f, 30, 31, 32, 33, 35, 36, 37, 3a, 3c, 3d, 3e, 41, 43, 44, 49, 4a, 51, 53, 55, 56,

57, 58, 5c, 5d, 5f, 60, 62, 64, 65, 67, 6a, 6f, 71, 73, 78, 7b, 7d, 7f, 80, 82, 83, 84,

85, 88, 8b, 8c, 8d, 91, 99, 9a, 9b, 9c, 9d, 9e, 9f, a1, a2, a4, a7, a8, a9, ab, ad, ae,

b0, b2, b3, b4, b6, b7, ba, bb, bd, be, c0, c2, c4, c5, c6, c7, ce, d3, d4, d5, d9,

dc, de, df, e0, e1, e2, e5, ee, ef, f1, f2, f4, f5, f6, f8, fa, fe, ff.

Output differences for an input difference 0d:

01, 02, 06, 07, 08, 09, 0a, 0b, 0f, 11, 13, 17, 19, 1a, 1e, 1f, 20, 21, 23, 24, 26, 29,

2b, 2c, 2e, 2f, 30, 33, 35, 36, 39, 3c, 3e, 3f, 42, 43, 44, 45, 46, 47, 4c, 4d, 4e, 4f,

52, 53, 56, 59, 5b, 5d, 5f, 60, 62, 64, 67, 68, 69, 6c, 6e, 6f, 71, 75, 76, 77, 79, 7b,

7c, 7d, 82, 84, 86, 87, 88, 8c, 90, 91, 92, 93, 94, 96, 9a, 9b, 9d, 9f, a2, a3, a4, a5,

a7, a8, aa, ab, ad, ae, af, b1, b2, b3, b4, b5, b6, b8, b9, ba, bf, c1, c3, c4, cc, cf,

d0, d7, d8, db, e5, e7, e8, e9, ea, eb, ec, ee, f0, f3, f4, f5, f8.

Output differences for an input difference 0e:

02, 03, 04, 05, 07, 08, 0a, 0b, 15, 17, 1b, 1e, 1f, 21, 22, 24, 26, 27, 30, 31, 32, 33,

37, 39, 3b, 3e, 3f, 40, 41, 42, 43, 44, 47, 48, 49, 4a, 4b, 4f, 50, 52, 55, 56, 58, 59,

5a, 5c, 5f, 64, 66, 68, 69, 6b, 6d, 6e, 70, 71, 74, 76, 77, 79, 7c, 7f, 80, 82, 84, 86,

88, 89, 8a, 8f, 90, 91, 92, 93, 95, 97, 98, 9a, 9b, 9e, 9f, a0, a1, a2, a7, aa, ab, ac,

b0, b1, b2, b6, b7, b8, b9, ba, bc, c0, c3, c4, c5, c7, c8, c9, cd, ce, d3, d4, d6, d9,

db, dd, e2, e4, e5, e6, e8, e9, ea, ee, f1, f2, f6, f9, fa, fe, ff.

Output differences for an input difference 0f:

02, 03, 04, 08, 0a, 0c, 0f, 11, 15, 16, 17, 18, 19, 1a, 21, 23, 28, 29, 2b, 2e, 30, 31,

33, 36, 3c, 3e, 42, 47, 49, 4b, 4c, 4d, 4e, 4f, 50, 52, 54, 55, 57, 5d, 5e, 61, 62, 65,

66, 67, 69, 6d, 6e, 6f, 70, 71, 74, 75, 78, 7a, 7e, 80, 83, 85, 88, 89, 8a, 8d, 8e, 90,

92, 93, 96, 98, 99, 9a, 9b, 9c, 9d, 9e, 9f, a0, a2, a7, a8, aa, ab, ac, af, b0, b3, b8,

bb, bd, be, bf, c0, c3, c5, c7, ca, cb, cc, cd, ce, cf, d0, d2, d3, d6, d7, d9, da, db,

dd, df, e0, e1, e3, e9, ee, ef, f0, f1, f2, f3, f5, f7, f8, fa, fb.

...

...

Output differences for an input difference fe:

03, 04, 07, 08, 09, 0d, 13, 15, 1c, 1e, 1f, 20, 23, 24, 27, 28, 29, 2b, 2e, 2f, 34, 36,

38, 3e, 3f, 40, 41, 44, 46, 47, 48, 49, 4c, 4d, 4e, 52, 55, 59, 5b, 5c, 5d, 60, 61, 63,

64, 66, 68, 69, 6a, 6b, 6c, 70, 71, 72, 73, 74, 75, 76, 77, 78, 7d, 7e, 84, 85, 86, 88,

89, 8b, 8c, 8e, 8f, 91, 92, 93, 96, 97, 9c, 9e, a0, a1, a5, a7, a8, aa, ab, ad, b0, b3,

b5, b6, b7, b8, be, c2, c4, c7, c8, cb, cd, ce, d0, d2, d4, d5, d7, d8, da, db, dc,

de, df, e0, e2, e7, ec, ed, ee, ef, f2, f6, f7, f8, f9, fb, fc, fd, ff.

Output differences for an input difference ff:

01, 02, 03, 07, 0a, 0b, 0c, 0f, 13, 15, 17, 1d, 1e, 1f, 21, 22, 23, 25, 26, 28, 29, 2a,

2d, 2f, 31, 35, 36, 39, 3a, 3c, 3e, 40, 42, 43, 44, 46, 4c, 4d, 50, 52, 53, 56, 57, 58,

59, 5a, 5d, 5e, 62, 63, 65, 68, 69, 6a, 6b, 6d, 70, 72, 73, 75, 76, 7b, 7c, 7e, 7f, 81,

84, 88, 8a, 8c, 8d, 8e, 8f, 94, 95, 99, 9a, 9c, 9e, 9f, a0, a6, aa, ab, ad, af, b3, b8,

b9, ba, c1, c2, c3, c5, c6, c7, c8, ca, cb, cc, cd, cf, d4, d8, dd, de, e0, e2, e3, e4,

e6, e7, eb, ec, ef, f1, f2, f3, f4, f5, f6, fa, fb, fc, fd, fe, ff.

Appendix C

Implementation results of the five-round cryptanalysis

Test Result #1

1.1 A set of 2^32 chosen plaintexts

2^32 plaintexts (each block is one 4 x 4 state, one row per line):

43 00 31 37
f6 30 00 07
a8 8d a2 00
00 88 31 e0

43 00 31 37
f6 30 00 07
a8 8d a2 01
00 88 31 e0

43 00 31 37
f6 30 00 07
a8 8d a2 02
00 88 31 e0

43 00 31 37
f6 30 00 07
a8 8d a2 03
00 88 31 e0

...

43 ff 31 37
f6 30 ff 07
a8 8d a2 ff
ff 88 31 e0

2^32 ciphertexts:

...

49 b8 2a 64
de 63 f9 10
ea b8 4b fa
f0 bb dd 4e

c3 30 b8 4d
91 0d 91 37
40 55 bc 26
b5 c2 ba 1a

b8 1b 7e 15
45 5c 57 e8
d1 b3 c3 fe
7b af d8 82

d1 ae d6 1e
8b 8e 00 57
34 4f ee 57
68 83 58 ca

98 37 0d db
50 b5 3c 6a
92 3d fd 36
66 08 92 8a

1.2 Result of Finding Possible Keys

Eligible components for the fifth round key (RK5) :

byte #0 : 11, d4

byte #1 : d1, d3

byte #2 : 16, 6b, c6, ca

byte #3 : 4a, f8

byte #4 : 7c, ab

byte #5 : 80, 83

byte #6 : 7a, 9a, 9d, b6, b9, cd

byte #7 : 57, 87

byte #8 : ca, cf

byte #9 : 06, f2

byte #10 : 8e, a0, b8

byte #11 : bc

byte #12 : 11, 7b

byte #13 : d4, f9

byte #14 : 15

byte #15 : 52, bc

1.3 Result of Selecting the Key Actually Used

RK5 : d4 d1 c6 f8 7c 83 9d 87 ca f2 b8 bc 11 f9 15 bc

RK4 : ef 44 a5 41 a8 52 5b 7f b6 71 25 3b db 0b ad 00

RK3 : 3d 80 47 7d 47 16 fe 3e 1e 23 7e 44 6d 7a 88 3b

RK2 : f2 c2 95 f2 7a 96 b9 43 59 35 80 7a 73 59 f6 7f

RK1 : a0 fa fe 17 88 54 2c b1 23 a3 39 39 2a 6c 76 05

RK0 : 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Cipher Key : 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Test Result #2

2.1 A set of 2^32 chosen plaintexts

2^32 plaintexts (each block is one 4 x 4 state, one row per line):

00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00

00 00 00 00
00 00 00 00
00 00 00 01
00 00 00 00

00 00 00 00
00 00 00 00
00 00 00 02
00 00 00 00

00 00 00 00
00 00 00 00
00 00 00 03
00 00 00 00

...

00 ff 00 00
00 00 ff 00
00 00 00 ff
ff 00 00 00

2^32 ciphertexts:

...

6f 5f 56 69
45 99 7c 73
89 31 d8 21
bb 0f 74 5a

9d c7 99 82
f1 a8 86 96
bd d3 50 99
5e d9 a6 1a

83 f4 a9 d6
36 36 1a 76
53 49 97 09
e7 9d a4 17

93 9d fa 72
48 cc cd bf
6d 44 9d 59
aa 78 8d 1c

10 1e 58 c2
9d fa 6d 75
aa 2e 7a fe
38 9e 84 cd

2.2 Result of Finding Possible Keys

Eligible components for the fifth round key (RK5) :

byte #0 : 8e

byte #1 : 18, 63, b0

byte #2 : 49

byte #3 : 2a, 86

byte #4 : 39

byte #5 : 40, a7, ab

byte #6 : 38, 46

byte #7 : 1d

byte #8 : d9

byte #9 : 70

byte #10 : 10

byte #11 : 34, ad

byte #12 : 64, 8f

byte #13 : 67

byte #14 : 3d

byte #15 : 49, e3

2.3 Result of Selecting the Key Actually Used

RK5 : 8e b0 49 86 39 40 38 1d d9 70 10 ad 8f 67 3d e3

RK4 : 6e 68 66 37 b7 f0 71 9b e0 30 28 b0 56 17 2d 4e

RK3 : aa 03 dd 79 d9 98 17 ac 57 c0 59 2b b6 27 05 fe

RK2 : 3a 49 de 81 73 9b ca d5 8e 58 4e 87 e1 e7 5c d5

RK1 : 30 80 de 29 49 d2 14 54 fd c3 84 52 6f bf 12 52

RK0 : 21 10 bd 66 79 52 ca 7d b4 11 90 06 92 7c 96 00

Cipher Key : 21 10 bd 66 79 52 ca 7d b4 11 90 06 92 7c 96 00
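The three appendices above are tables of computed results. The following Python block is an added example, not code from the thesis; it rebuilds the AES S-box from its FIPS-197 definition and re-derives each kind of figure. For Appendix A it computes the period of a 32-bit column under the map MixColumns∘SubBytes, which is assumed to be the map whose cycles that appendix lists (the assumption is checked against the page's own transition 0327266c → 1eaab216 and the 2-cycle 73737373 ↔ 8f8f8f8f). For Appendix B it computes, for an input difference a, the full row of the S-box difference distribution table; the keys of that row are exactly the output differences the appendix lists, and the counts go slightly beyond what the page shows. For Appendix C it expands the cipher key of Test Result #1 (which is the FIPS-197 example key) into RK0 to RK5 and also walks the schedule backwards from a fixed RK5 to the cipher key, the step labelled "Selecting the Key Actually Used". The names xtime, gf_mul, gf_inv, round_column, cycle_period, ddt_row, key_expansion and invert_key_schedule are this example's own.

```python
# Added example, not code from the thesis: rebuilds the AES S-box from its
# FIPS-197 definition and re-derives the three kinds of figure listed in the
# appendices. A 32-bit column is written big-endian (first byte = row 0).

def xtime(b):                      # multiply by x in GF(2^8) mod x^8+x^4+x^3+x+1
    b <<= 1
    return (b ^ 0x1b) & 0xff if b & 0x100 else b

def gf_mul(a, b):                  # shift-and-add product in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def gf_inv(a):                     # a^254 = a^-1 for a != 0, and 0 -> 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def build_sbox():                  # S(x) = x^-1 xor its 4 left rotations xor 0x63
    table = []
    for x in range(256):
        v = s = gf_inv(x)
        for i in range(1, 5):
            s ^= ((v << i) | (v >> (8 - i))) & 0xff
        table.append(s ^ 0x63)
    return table

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

def sub_word(w):                   # SubBytes on a 4-byte string
    return bytes(SBOX[b] for b in w)

def mix_column(c):                 # MixColumns on one column, circulant (2,3,1,1)
    return bytes([
        gf_mul(c[0], 2) ^ gf_mul(c[1], 3) ^ c[2] ^ c[3],
        c[0] ^ gf_mul(c[1], 2) ^ gf_mul(c[2], 3) ^ c[3],
        c[0] ^ c[1] ^ gf_mul(c[2], 2) ^ gf_mul(c[3], 3),
        gf_mul(c[0], 3) ^ c[1] ^ c[2] ^ gf_mul(c[3], 2),
    ])

def round_column(w):
    """MixColumns(SubBytes(w)) on one column held as a 32-bit int; assumed to
    be the map whose cycles Appendix A lists (it reproduces the page's own
    transition 0327266c -> 1eaab216 and maps 73737373 <-> 8f8f8f8f)."""
    return int.from_bytes(mix_column(sub_word(w.to_bytes(4, "big"))), "big")

def cycle_period(w):
    """Length of the cycle through w; round_column is a permutation of the
    2^32 column values, so every w lies on a cycle."""
    n, x = 1, round_column(w)
    while x != w:
        x, n = round_column(x), n + 1
    return n

def ddt_row(a):
    """Row a of the S-box difference distribution table, as {b: count of x
    with S(x) ^ S(x ^ a) == b}; Appendix B lists sorted(ddt_row(a))."""
    row = {}
    for x in range(256):
        b = SBOX[x] ^ SBOX[x ^ a]
        row[b] = row.get(b, 0) + 1
    return row

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def key_expansion(key, rounds):
    """AES-128 key schedule; returns [RK0, ..., RK<rounds>] as 16-byte strings."""
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    for i in range(4, 4 * (rounds + 1)):
        t = w[i - 1]
        if i % 4 == 0:             # g(): RotWord, SubWord, add Rcon
            t = sub_word(t[1:] + t[:1])
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
        w.append(xor(w[i - 4], t))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(rounds + 1)]

def invert_key_schedule(rk, r):
    """Walk the schedule back from round key rk of round r to RK0, the cipher
    key: the 'Selecting the Key Actually Used' step once RK5 is fixed."""
    w = [rk[4 * i:4 * i + 4] for i in range(4)]
    while r > 0:
        p = [w[0]] + [xor(w[j], w[j - 1]) for j in range(1, 4)]
        t = sub_word(p[3][1:] + p[3][:1])
        p[0] = xor(w[0], bytes([t[0] ^ RCON[r - 1]]) + t[1:])
        w, r = p, r - 1
    return b"".join(w)
```

cycle_period(0) walks the 59-element cycle of constant words from Appendix A; on a constant word MixColumns is the identity, so that cycle, like the 87-, 81-, 27- and 2-cycles of constant words, is a cycle of the S-box itself. len(ddt_row(1)) is 127, the number of entries listed for input difference 01, and every row has 127 reachable differences because the S-box is differentially 4-uniform with exactly one count of 4 per row (the rest are 2 or 0). key_expansion(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"), 5)[5] reproduces the RK5 of Test Result #1, and invert_key_schedule on that RK5 with r=5 returns the cipher key.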
