AES - The State of the Art of Rijndael's Security

Elisabeth Oswald*, Joan Daemen†, Vincent Rijmen‡

October 30, 2002
1 Introduction

In October 2000, the US National Institute of Standards and Technology (NIST) announced that Rijndael was selected as Advanced Encryption Standard (AES). This paper gives an overview of the most important cryptanalysis performed on Rijndael.

This paper doesn't contain a description of Rijndael. For a full specification, we refer the reader to [DR02]. In this paper we give an overview of the attacks which have been proposed for the Rijndael algorithm and of ideas which could lead to new attacks and have been made public recently. A summary of these attacks, their complexity and how many rounds of Rijndael for a given key size they can break is presented in Table 1. In this table the published attacks which can break reduced versions of Rijndael, this means versions with less than the specified number of rounds, are listed. The list includes the name of the attack, its publication date in the second column, the authors in the third column, and how many rounds of which version of Rijndael in the remaining columns. For example, the attack based on impossible differentials was published in 2000 by [BK00] and can only break 6 rounds out of the 10 rounds of Rijndael specified for 128-bit keys (i.e. AES-128).
Attack                   Year  Author   AES-128      AES-192      AES-256
                                        (10 rounds)  (12 rounds)  (14 rounds)
Impossible differential  2001  [CKK01]  6 rounds
Square attack            2000  [Luc00]               7 rounds     7 rounds
                         2000  [FKL00]  7 rounds     7 rounds     9 rounds
Collision attack         2000  [GM00]   7 rounds     7 rounds     7 rounds

Table 1: Shortcut attacks on reduced versions of Rijndael
As a conclusion we can say that for the time being no attack faster than exhaustive key search is known for Rijndael. None of the recently published ideas has led to an attack.

For a more detailed treatment of attacks and a discussion of some new ideas we invite the reader to read the remainder of this paper, which is organized as follows. In Section 2 we discuss the most common terms and concepts used in cryptanalysis. Then, in Section 3 we list and shortly discuss all known cryptanalytic attacks on Rijndael, and in Section 4 we deal with new ideas (algebraic methods) which have been recently proposed and are now being discussed in the cryptographic community.

* IAIK, Graz University of Technology
† ERG Group - Proton World
‡ Cryptomathic and IAIK, Graz University of Technology
2 Cryptanalysis in General

Exhaustive key search is the basic technique of trying all key values one by one until the correct key is found. To identify the correct key it is sufficient to know a small amount of plaintext and its corresponding ciphertext. If the plaintext has some known form of redundancy, such as consisting of ASCII coded text, a small amount of ciphertext is sufficient. Exhaustive key search is an attack that does not exploit the internal structure of a cipher. In the following section, we discuss attacks that exploit structural properties of the block cipher. These types of attack are denoted by the term cryptanalysis. A cryptanalytic attack breaks a cipher in the academic sense if its expected workload is below that of exhaustive key search. Such an attack is called a shortcut attack. The existence of a shortcut attack for a given cipher does not necessarily mean that the cipher has no longer any security to offer, because most shortcut attacks described in the cryptographic literature cannot be implemented in a practical setting.
While exhaustive key search only requires a few plaintext-ciphertext pairs, or some ciphertext that corresponds with redundant plaintext, most shortcut attacks tend to be much more demanding. Some need huge quantities of plaintext-ciphertext pairs (known plaintext); in other attacks the cryptanalyst must have ciphertext values corresponding with plaintext that he has chosen (chosen plaintext). In so-called related-key attacks, the cryptanalyst must even be in a position to encipher chosen plaintexts with different (unknown) key values that have certain relations, chosen by the cryptanalyst.
Still, the presence or absence of shortcut attacks for a cipher is a quality criterion that is widely accepted in the cryptographic community. As a matter of fact, the foremost criterion for being selected among the finalists in the AES competition was the absence of shortcut attacks. Finding shortcut attacks for the competition ciphers ...
For many modern ciphers, no shortcut attacks are known. Still, the resistance of iterative block ciphers with respect to a specific cryptanalytic method can be evaluated by performing it on reduced-round versions of the block cipher. Attacks on reduced-round versions allow to get an idea of the security margin of a cipher. If for a cipher with R rounds there is a shortcut attack against a reduced-round version with R - r rounds, the cipher has an absolute security margin of r rounds or a relative security margin of r/R. Note that the discovery of an attack on a reduced-round version with R/2 rounds doesn't mean that the cipher is half-broken. Indeed, the complexity of most academic attacks increases exponentially in the number of rounds.
As advances in the cryptanalysis of a cipher tend to enable the breaking of more and more rounds over time, the security margin indicates the resistance of the cipher against improvements of known types of cryptanalysis. However, it says nothing about the likelihood of such improvements or about the resistance of the cipher against unknown attacks.
Often, for new types of cryptanalysis it is not trivial to accurately estimate the complexity of the attack. In these cases, one can get a better idea of this complexity by implementing the attack on reduced-round versions of the target cipher, where it is often infeasible to implement the attack for the full cipher.
3 Cryptanalysis of Rijndael

3.1 Differential and Linear Cryptanalysis

Differential and linear cryptanalysis are the two most powerful general-purpose cryptanalytic attacks known to date. Providing lower bounds for the complexity of these attacks was the main cryptographic criterion in the design of Rijndael.

For Rijndael, an upper bound of $2^{-150}$ for the probability of any 4-round differential trail and of $2^{-75}$ for the correlation of any 4-round linear trail has been proven. In combination with the number of rounds in Rijndael, these bounds provide a high security margin against both differential and linear cryptanalysis. For details, we refer to [DR02].
3.2 Variants

After their publication, linear and differential attacks have been extended in several ways and new attacks have been published that are related to them. The best known extension is known as truncated differentials. They have been taken into account in the design of Rijndael from the start [DR02]. Other attacks use difference propagation and correlation in different ways.
Impossible differentials. There exists an impossible differential attack on 5 rounds, requiring $2^{29.5}$ chosen plaintexts [BK00], $2^{31}$ encryptions, $2^{42}$ bytes of memory and $2^{26}$ time for precomputation. This result was improved in [CKK01] and led to an attack on a 6-round version.
Square attacks. The most powerful cryptanalysis of Rijndael to date is the Square attack. This is a chosen-plaintext attack that exploits the byte-oriented structure of the cipher and works on any cipher with a round structure similar to the one of Rijndael. It was first described in the paper presenting a predecessor of Rijndael, the block cipher Square [DKR97], and is since then often referred to as the Square attack. Other names for this attack are 'saturation attack' (proposed by Lucks in [Luc00]; this attack can break 7 rounds of Rijndael for 192- and 256-bit keys, i.e. AES-192 and AES-256), 'integral cryptanalysis' by L. Knudsen and D. Wagner [KW02] or 'structural attacks' by A. Biryukov and A. Shamir [BS01] (neither of the two last papers describes an attack on Rijndael).
The original Square attack can break round-reduced variants of Rijndael up to 6 or 7 rounds (i.e. AES-128 and AES-192) faster than exhaustive key search. N. Ferguson et al. [FKL00] proposed some optimizations that reduce the work factor of the attack. So, this attack breaks 9-round Rijndael with 256-bit keys (AES-256) with $2^{77}$ plaintexts under 256 related keys, and $2^{222}$ encryptions.
Collision attacks. This attack has been introduced by Gilbert and Minier in [GM00] and is still the best attack in the sense that it can break 7 rounds of AES-128, AES-192 and AES-256 (for 128-bit keys the authors claim that the complexity of the attack is marginally lower than the complexity of an exhaustive key search).
4 Ideas and Observations

While the methods discussed in the previous section led to attacks against reduced versions of Rijndael, the methods we discuss now haven't led to any attack yet. Most of these ideas are related to what is called algebraic attacks, which can be briefly described as follows:

1. Collecting step: the cryptanalyst expresses the cipher as a set of simple equations in a number of variables. These variables include bits (or bytes) from the plaintext, ciphertext and the key, and typically also all intermediate computation values and round keys. The term simple can be defined very loosely as suitable for the next step.
2. Solving step: the cryptanalyst uses some data input such as plaintext-ciphertext pairs, substitutes these values for the corresponding variables in the set of equations collected in step 1 and tries to solve the resulting set of equations, thereby recovering the key.
Due to the design criteria of Rijndael, it can be expressed with elegant equations in several ways. The key issue to be judged, however, is whether equations that look elegant to the mathematician's mind are also simple to solve. Several attempts have been made to construct algebraic attacks for Rijndael. None have resulted in shortcut attacks as yet, and most of the papers conclude that more research is required. In the following paragraphs we discuss a number of attempts.
Continued fractions. Ferguson, Schroeppel and Whiting [FSW01] derive a closed formula for Rijndael that can be seen as a generalization of continued fractions. Any byte of the intermediate result after 5 rounds can be expressed as follows:

$$x = K^* + \cfrac{C_1}{K^* + \cfrac{C_2}{K^* + \cfrac{C_3}{K^* + \cfrac{C_4}{K^* + \cfrac{C_5}{K^* + p^*_*}}}}} \qquad (1)$$
Here every $K$ is a byte depending on several bytes of the expanded key, each $C_i$ is a known constant and each $*$ is a known exponent or subscript, but these values depend on the summation variables that enclose the symbol. A fully expanded version of (1) has $2^{25}$ terms. In order to break 10-round Rijndael (AES-128), a cryptanalyst could use for each intermediate byte two equations of this type. The first one would express the intermediate variables after 5 rounds as a function of the plaintext bytes. The second equation would cover rounds 6-10 by expressing the same intermediate variables as a function of the ciphertext bytes. Combining both equations would result in an equation with $2^{26}$ unknowns. By evaluating this equation for $2^{26}/16$ known plaintext/ciphertext pairs, enough information could be gathered to solve for the unknowns, in an information-theoretic sense. A practical algorithm to solve this type of equations is currently unknown.
XSL. Courtois and Pieprzyk [CP02a] observe that the S-box used in Rijndael can be described by a number of implicit quadratic Boolean equations of the form

$$f(x_1, \ldots, x_8, y_1, \ldots, y_8) = 0, \qquad (2)$$

where the algebraic degree of $f$ equals two.
In principle, 8 equations of the type (2) suffice to define the S-box, but Courtois and Pieprzyk observe that more equations of this type can be constructed. Furthermore, they claim that these extra equations can be used to reduce the complexity of the solving step. This claim implies that for special instances of the otherwise NP-hard problem of solving multivariate quadratic equations (shortly referred to as the MQ problem), they found an algorithm which can tackle this problem in sub-exponential time. However, several researchers doubt the correctness of their calculation. For example Don Coppersmith(1) says: 'I believe that the Courtois-Pieprzyk work is flawed. The number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system' (see [Cop02b]). Furthermore, he adds in a letter printed in [Cop02a]: 'The method has some merits, and is worth investigating, but it does not break Rijndael as it stands'. Also T. Moh(2) doubts the correctness [Moh02] of their counting method. Anyway, under the assumption that their counting method is correct, the complexity estimate for the attack in the best case scenario is $2^{255}$ steps (under certain assumptions for certain parameters which can be found in their paper [CP02a] in Section 8.1). This means that their attack would only break Rijndael with a 256-bit key (AES-256)
attack, influence the complexity of this attack.
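Both the chosen-plaintext property that the Square attack exploits (Section 3.2) and the observation behind XSL, that the S-box satisfies more quadratic equations than the 8 needed to define it, can be checked directly on a small AES round function. The Python below is an added illustration written for this page, not code from the paper or from any cited author: it builds the S-box from the field inversion and affine map, shows that 256 plaintexts differing in a single byte XOR to zero in every byte after 3 rounds (a 4th round destroys the property), and counts the linearly independent quadratic equations in the S-box's input and output bits. The round keys are constructed values and there is no key schedule; the balanced property holds for any round keys.

```python
def gmul(a, b):  # multiply in GF(2^8) modulo Rijndael's x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_entry(x):  # Rijndael S-box: inverse in GF(2^8) (0 -> 0), then the affine map
    inv = next((y for y in range(256) if gmul(x, y) == 1), 0)
    y = inv ^ 0x63
    for s in (1, 2, 3, 4):
        y ^= ((inv << s) | (inv >> (8 - s))) & 0xff  # circular left shift by s
    return y

SBOX = [sbox_entry(x) for x in range(256)]

def aes_round(state, rkey):  # one full round on a 16-byte state in AES column-major order
    s = [SBOX[b] for b in state]                                   # SubBytes
    s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]             # ShiftRows: row r rotates by r
    out = []
    for c in range(4):                                             # MixColumns
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(col[r], 2) ^ gmul(col[(r + 1) % 4], 3) ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return [b ^ k for b, k in zip(out, rkey)]                      # AddRoundKey

def lambda_set_xor(rounds, round_keys):
    # XOR of the 256 states reached from a Lambda-set (plaintexts differing only in byte 0): all zero after 3 rounds
    acc = [0] * 16
    for v in range(256):
        state = [v] + [0] * 15
        for k in round_keys[:rounds]:
            state = aes_round(state, k)
        acc = [a ^ b for a, b in zip(acc, state)]
    return acc

def quadratic_equation_count():
    # Linearly independent degree-<=2 equations f(x1..x8, y1..y8) = 0 holding for all (x, S(x)): 137 monomials minus GF(2) rank
    monos = [(0, 0)] + [(i, i) for i in range(1, 17)] + [(i, j) for i in range(1, 17) for j in range(i + 1, 17)]
    rows = []
    for x in range(256):  # v[0] is the constant 1, v[1..8] the bits of x, v[9..16] the bits of S(x)
        v = [1] + [(x >> i) & 1 for i in range(8)] + [(SBOX[x] >> i) & 1 for i in range(8)]
        rows.append(sum((v[a] & v[b]) << m for m, (a, b) in enumerate(monos)))
    rank = 0
    for bit in range(len(monos)):  # Gaussian elimination over GF(2) on bit-packed rows
        piv = next((i for i in range(rank, 256) if rows[i] >> bit & 1), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        rows = [r ^ rows[rank] if i != rank and r >> bit & 1 else r for i, r in enumerate(rows)]
        rank += 1
    return len(monos) - rank

ROUND_KEYS = [[(13 * r + 7 * i) & 0xff for i in range(16)] for r in range(4)]  # constructed, arbitrary values
```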
Embedding. Murphy and Robshaw [MR02] define the block cipher BES, which operates on data blocks of 128 bytes instead of bits. According to Murphy and Robshaw, the algebraic structure of BES is even more elegant and simple than that of Rijndael. Furthermore, Rijndael can be embedded into BES. This means that there is a map $\varphi$ such that:

$$\mathrm{Rijndael}_k(x) = \varphi^{-1}\big(\mathrm{BES}_{\varphi(k)}(\varphi(x))\big). \qquad (3)$$

In this equation $k$ denotes the cipher key and $x$ the plaintext. Murphy and Robshaw proceed with some observations on the properties of BES. However, these properties of BES do not translate to properties of Rijndael.

Murphy and Robshaw believe that when the XSL method is applied to BES, the complexity of the solving step could be significantly smaller than in the case where XSL is directly applied to Rijndael.
Dual cipher. In [BB02] the concept of dual ciphers is introduced. It is basically a generalization of the 'embedding' technique. This means that if we take invertible mappings $f$, $g$ and $h$, then there exists a dual cipher Dual such that:

$$\mathrm{Rijndael}_k(x) = f^{-1}\big(\mathrm{Dual}_{g(k)}(h(x))\big). \qquad (4)$$

In this equation $k$ denotes the cipher key and $x$ the plaintext. This means that the dual cipher is equivalent to the original cipher in the sense that it produces the same ciphertext for a given plaintext and a given key by applying functions on the plaintext, the key and the output of the dual cipher. As a consequence, one can implement and cryptanalyze the dual cipher instead of the original cipher. In [BB02], 240 dual ciphers for Rijndael are identified. No weaknesses of these dual ciphers have been reported. A similar concept, called Rijndael-GF, is defined in [DR02]. It is demonstrated that all the ciphers of the Rijndael-GF family have exactly the same security level against differential and linear cryptanalysis.

(1) He holds a PhD in pure mathematics, joined IBM and is a co-designer of the Data Encryption Standard (DES).
(2) He holds a PhD in pure mathematics and conducts research in the field of algebra.
5 Conclusion

We provided an overview of the published attacks and observations on Rijndael in this paper. Furthermore, we discussed ideas which could lead to new attacks. At the time of writing this paper, no shortcut attacks on Rijndael have been found.
References

[BB02] Elad Barkan and Eli Biham. In how many ways can you write Rijndael? In Yuliang Zheng, editor, Proceedings of Asiacrypt'02, Lecture Notes in Computer Science. Springer-Verlag, 2002. Also a NESSIE report.

[BK00] Eli Biham and Nathan Keller. Cryptanalysis of reduced variants of Rijndael. In Proceedings of the Third Advanced Encryption Standard Conference. NIST, April 2000.

[BS01] Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. In Birgit Pfitzmann, editor, Proceedings of Eurocrypt'01, number 2045 in Lecture Notes in Computer Science, pages 394-405. Springer-Verlag, 2001.

[CKK01] Jung Hee Cheon, MunJu Kim, Kwangjo Kim, Jung-Yeun Lee, and SungWoo Kang. Improved impossible differential cryptanalysis of Rijndael and Crypton. In K. Kim, editor, Information Security and Cryptology - ICISC 2001, number 2288 in Lecture Notes in Computer Science, pages 39-49. Springer, 2001.

[Cop02a] D. Coppersmith. XSL against Rijndael. Crypto-Gram, October 2002.

[Cop02b] Don Coppersmith. Impact of Courtois and Pieprzyk results. NIST AES Discussion Forum, September 2002. Available from http://www.nist.gov/aes.

[CP02a] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. In Yuliang Zheng, editor, Proceedings of Asiacrypt'02, Lecture Notes in Computer Science. Springer-Verlag, 2002. Different version of the preprint [CP02b].

[CP02b] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. IACR ePrint Server, 2002. Available at http://eprint.iacr.org/2002/044/.

[DKR97] Joan Daemen, Lars Ramkilde Knudsen, and Vincent Rijmen. The block cipher Square. In Eli Biham, editor, Proceedings of Fast Software Encryption - FSE'97, number 1267 in Lecture Notes in Computer Science, pages 149-165. Springer-Verlag, 1997.

[DR02] Joan Daemen and Vincent Rijmen. The Design of Rijndael. Information Security and Cryptography. Springer-Verlag, 2002.

[FKL00] N. Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, M. Stay, David Wagner, and Doug Whiting. Improved cryptanalysis of Rijndael. In Bruce Schneier, editor, Proceedings of Fast Software Encryption - FSE'00, number 1978 in Lecture Notes in Computer Science, pages 213-230. Springer-Verlag, 2000.

[FSW01] Niels Ferguson, Richard Schroeppel, and Doug Whiting. A simple algebraic representation of Rijndael. In Serge Vaudenay and Amr M. Youssef, editors, Proceedings of Selected Areas in Cryptography - SAC'01, number 2259 in Lecture Notes in Computer Science, pages 103-111. Springer-Verlag, 2001.

[GM00] Henri Gilbert and Marine Minier. A collision attack on seven rounds of Rijndael. In Proceedings of the Third Advanced Encryption Standard Conference, pages 230-241. NIST, April 2000.

[KW02] Lars Ramkilde Knudsen and David Wagner. Integral cryptanalysis (extended abstract). In Joan Daemen and Vincent Rijmen, editors, Proceedings of Fast Software Encryption - FSE'02, number 2365 in Lecture Notes in Computer Science, pages 112-127. Springer-Verlag, 2002.

[Luc00] Stefan Lucks. Attacking seven rounds of Rijndael under 192-bit and 256-bit keys. In Proceedings of the Third Advanced Encryption Standard Conference. NIST, April 2000.

[Moh02] T. Moh. On the Courtois-Pieprzyk's attack on Rijndael. University of San Diego web-site, September 2002. Available from http://www.usdsi.com/aes.html.

[MR02] Sean Murphy and Matthew J. B. Robshaw. Essential algebraic structure within the AES. In Moti Yung, editor, Proceedings of Crypto'02, number 2442 in Lecture Notes in Computer Science, pages 17-38. Springer-Verlag, 2002.