See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/245229506

AES - The State of the Art of Rijndael's Security

Article

CITATIONS READS

8 191

3 authors, including:

Elisabeth Oswald Vincent Rijmen

University of Bristol KU Leuven
92 PUBLICATIONS 6,200 CITATIONS 256 PUBLICATIONS 16,496 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Vincent Rijmen on 03 July 2014.

The user has requested enhancement of the downloaded file.

 AES - The State of the Art of Rijndael’s Security
∗
Elisabeth Oswald Joan Daemen† Vincent Rijmen‡

October 30, 2002

1 Introduction
In October 2000, the US National Institute of Standards and Technology (NIST) announced
that Rijndael was selected as Advanced Encryption Standard (AES). This paper gives an
overview of the most important cryptanalysis performed on Rijndael.
This paper doesn’t contain a description of Rijndael. For a full specification, we refer
the reader to [DR02]. In this paper we give an overview about the attacks which have been
proposed for the Rijndael algorithm and ideas which could lead to new attacks that have been
made public recently. A summary of these attacks, their complexity and how many rounds
of Rijndael for a given key size they can break, is presented in table 1. In this table the
published attacks which can break reduced versions of Rijndael, this means version with less
than the specified rounds, are listed. This list includes the name of the attack, its publications
date in the second column, the authors in the third column, and how many rounds of which
version of Rijndael in the remaining columns. For example, the attack based on impossible
differentials was published in 2000 by [BK00] and can only break 6 rounds out 10 of Rijndael
specified for 128 bits (i.e. AES-128).

Attack Year Author AES-128 AES-192 AES-256

10 Rounds 12 Rounds 14 Rounds
Impossible Differential 2001 [CKK+ 01] 6 rounds
Square Attacks 2000 [Luc00] 7 rounds 7 rounds
2000 [FKL+ 00] 7 rounds 7 rounds 9 rounds
Collision Attack 2000 [GM00] 7 Rounds 7 Rounds 7 Rounds

Table 1: Shortcut Attacks on Reduced Versions of Rijndael

It follows from the table, that almost all attacks (except the attack published in 2001)
were already known to the NIST at the time when the selection of the AES was made.
As a conclusion we can say that for the time being no attack faster than exhaustive key
search is known for Rijndael. None of the recently published ideas has lead to an attack.
For a more detailed treatment of attacks and a discussion of some new ideas we invite
the reader to read the remainder of this paper which is organized as follows. In section 2 we
∗
IAIK, Graz University of Technology
†
ERG Group – Proton World
‡
Cryptomathic and IAIK, Graz University of Technology

1
discuss the most common terms and concepts used in cryptanalysis. Then, in section 3 we
list and shortly discuss all known cryptanalytic attacks on Rijndael, and in section 4 we deal
with new ideas (algebraic methods) which have been recently proposed and are being now
discussed in the cryptographic community.

2 Cryptanalysis in General
Exhaustive key search is the basic technique of trying all key values one by one until the correct
key is found. To identify the correct key it is sufficient to know a small amount of plaintext
and its corresponding ciphertext. If the plaintext has some known form of redundancy, such
as consisting of ASCII coded text, a small amount of ciphertext is sufficient. Exhaustive key
search is an attack that does not exploit the internal structure of a cipher. In the following
section, we discuss attacks that exploit structural properties of the block cipher. These types
of attack are denoted by the term cryptanalysis. A cryptanalytic attack breaks a cipher in
the academical sense if its expected workload is below that of exhaustive key search. Such
an attack is called a shortcut attack. The existence of a shortcut attack for a given cipher
does not necessarily mean that the cipher has no longer any security to offer, because most
shortcut attacks described in cryptographic literature cannot be implemented in a practical
setting.
While exhaustive key search only requires a few plaintext-ciphertext pairs, or some ci-
phertext that corresponds with redundant plaintext, most shortcut attacks tend to be much
more demanding. Some need huge quantities of plaintext-ciphertext pairs (known plaintext),
in other attacks the cryptanalyst must have ciphertext values corresponding with plaintext
that he has chosen (chosen plaintext). In so-called related-key attacks, the cryptanalyst must
even be in a position to encipher chosen plaintexts with different (unknown) key values that
have certain relations, chosen by the cryptanalyst.
Still, the presence or absence of shortcut attacks for a cipher is a quality criterion that is
widely accepted in the cryptographic community. As a matter of fact, the foremost criterion
for being selected among the finalists in the AES competition was the absence of shortcut
attacks. Finding shortcut attacks for the competing ciphers was the name of the game.
For many modern ciphers, no shortcut attacks are known. Still, the resistance of iterative
block ciphers with respect to a specific cryptanalytic method can be evaluated by performing
it on reduced-round versions of the block cipher. Attacks on reduced-round versions allow to
get an idea of the security margin of a cipher. If for a cipher with R rounds there exists a
shortcut attack against a reduced-round version with R −r rounds, the cipher has an absolute
security margin of r rounds or a relative security margin of r/R. Note that the discovery
of an attack on a reduced-round version with R/2 rounds doesn’t mean that the cipher is
half-broken. Indeed, the complexity of most academic attacks increases exponentially in the
number of rounds.
As advances in cryptanalysis of a cipher tend to enable the breaking of more and more
rounds over time, the security margin indicates the resistance of the cipher against improve-
ments of known types of cryptanalysis. However, it says nothing about the likelihood of these
advances in cryptanalysis or about the resistance of the cipher against unknown attacks.
Often, for new types of cryptanalysis it is not trivial to accurately estimate the complexity
of the attack. In these cases, one can get a better idea of this complexity by implementing the
attack on reduced-round versions of the target cipher, where it is often infeasible to implement

2
the attack for the full cipher.

3 Cryptanalysis of Rijndael
3.1 Differential and linear cryptanalysis
Differential and linear cryptanalysis are the two most powerful general purpose cryptographic
attacks known to date. Providing lower bounds for the complexity of these attacks was the
main cryptographic criterion in the design of Rijndael.
For Rijndael, an upper bound of 2−150 for the probability of any 4-round differential trail
and of 2−75 for the correlation of any 4-round linear trail has been proven. In combination
with the number of rounds in Rijndael, these bounds provide a high security margin against
both differential and linear cryptanalysis. For a detailed treatment of these aspects, we refer
to [DR02].

3.2 Variants
After their publication, linear and differential attacks have been extended in several ways
and new attacks have been published that are related to them. The best known extension is
known as truncated differentials. They have been already taken into account in the design of
Rijndael from the start [DR02]. Other attacks use difference propagation and correlation in
different ways.

Impossible Differentials. There exists an impossible differential attack on 5 rounds, re-

quiring 229.5 chosen plaintexts [BK00], 231 encryptions, 242 bytes of memory and 226 time for
precomputation. This result was improved in [CKK+ 01] and lead to an attack on a 6 round
version.

Square attacks. The most powerful cryptanalysis of Rijndael to date is the square attack.
This is a chosen-plaintext attack that exploits the byte-oriented structure of the cipher and
works on any cipher with a round structure similar to the one of Rijndael. It was first described
in the paper presenting a predecessor of Rijndael, the block cipher Square [DKR97] and is
since then often referred to as the Square attack. Other names for this attack are ’saturation
attack’ (proposed by Lucks in [Luc00], this attack can break a 7 rounds of Rijndael for 192
and 256-bit keys, i.e. AES-192 and AES-256), ’Integral Cryptanalysis’ by L. Knudsen and
D. Wagner [KW02] or ’Structural attacks’ by A. Biryukov and A. Shamir [BS01] (neither of
the two last papers describe an attack on Rijndael).
The original square attack can break round-reduced variants of Rijndael up to 6 or 7
rounds (i.e. AES-128 and AES-192) faster than exhaustive key search. N. Ferguson et al.
[FKL+ 00] proposed some optimizations that reduce the work factor of the attack. So, this
attack breaks a 9-round AES-256 keys with 277 plaintexts under 256 related keys, and 2224
encryptions.

Collision Attacks. This attack has been introduced by Gilbert and Minier in [GM00] and
is still the best attack in the sense that it can break 7 rounds of AES-128, AES-192 and
AES-256 (for 128-bit keys the authors claim that the complexity of the attack is marginally
lower than the complexity of an exhaustive key search).

3
4 Ideas and Observations
While the methods discussed in the previous chapter lead to attacks against reduced versions
of Rijndael, the methods we discuss now haven’t lead to any attack yet. Most of these ideas
are related to what is called algebraic attacks which can be briefly sketched as follows:

1. Collecting step: The cryptanalyst expresses the cipher as a set of simple equations
in a number of variables. These variables include bits (or bytes) from the plaintext,
ciphertext and the key, and typically also of intermediate computation values and round
keys. The term simple can be defined very loosely as suitable for the next step.

2. Solving step: the cryptanalyst uses some data input such as plaintext-ciphertext pairs,
substitutes these values in the corresponding variables in the set of equations collected
in step 1 and tries to solve the resulting set of equations, thereby recovering the key.

Due to the design criteria of Rijndael, it can be expressed with elegant equations in
several ways. The key issue to be judged however, is whether equations that look elegant
to the mathematician’s mind, are also simple to solve. Several attempts have been made to
construct algebraic attacks for Rijndael. None have resulted in shortcut attacks as yet, and
most of the papers conclude that more research is required. In the following paragraphs we
discuss a number of attempts.

Continued fractions. Ferguson, Schroeppel and Whiting [FSW01] derive a closed formula
for Rijndael that can be seen as a generalization of continued fractions. Any byte of the
intermediate result after 5 rounds can be expressed as follows.

C1
x=K+  C2
(1)
K∗ +  C3
K∗+ 
K∗+ C4 C5
K∗+
K ∗ +p∗
∗

Here every K is a byte depending on several bytes of the expanded key, each Ci is a known
constant and each ∗ is a known exponent or subscript, but these values depend on the sum-
mation variables that enclose the symbol. A fully expanded version of (1) has 225 terms. In
order to break 10-round Rijndael (AES-128), a cryptanalyst could use for each intermediate
byte 2 equations of this type. The first one would express the intermediate variables after 5
rounds as function of the plaintext bytes. The second equation would cover rounds 6–10 by
expressing the same intermediate variables as a function of the ciphertext bytes. Combining
both equations would result in an equation with 226 unknowns. By repeating this equation
for 226 /16 known plaintext/ciphertext pairs, enough information could be gathered to solve
for the unknowns, in an information-theoretic sense. It is currently unknown what a practical
algorithm to solve this type of equations would look like.

XSL. Courtois and Pieprzyck [CP02a] observe that the S-box used in Rijndael can be
described by a number of implicit quadratic Boolean equations. If the 8 input bits are
denoted by x1 , . . . x8 , and the 8 output bits by y1 , . . . y8 , then there exist equations of the
form
f (x1 , . . . , x8 , y1 , . . . y8 ) = 0, (2)

4
where the algebraic degree of f equals two.
In principle, 8 equations of the type (2) suffice to define the S-box, but Courtois and
Pieprzyck observe that more equations of this type can be constructed. Furthermore, they
claim that these extra equations can be used to reduce the complexity of the solving step.
This claim implies that for special instances of the otherwise NP-hard problem of solving
multivariate quadratic equations (shortly referred to as the MQ-problem), they found an
algorithm which can tackle this problem in sub-exponential time. However, several researchers
doubt the correctness of their calculations. For example Don Coppersmith1 says ’I believe that
the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent
equations. The result is that they do not in fact have enough linear equations to solve the
system’ (see [Cop02b]. Furthermore, he adds in a letter printed in [Cop02a], ’The method
has some merits, and is worth investigating, but it does not break Rijndael as it stands’.
Also T. Moh2 doubts the correctness [Moh02] of their counting method. Anyway, under the
assumption that their counting method is correct, the complexity estimation for the attack in
the best case scenario is 2255 (under certain assumptions for certain parameters which can be
found in their paper [CP02a] in section 8.1) steps. This means, that their attack would only
break Rijndael with a 256-bit key (AES-256), since then the exhaustive key search would have
complexity 2256 . It is unclear what properties of Rijndael, or any other block cipher under
attack, influence the complexity of this attack.

Embedding. Murphy and Robshaw [MR02] define the block cipher BES, which operates
on data blocks of 128 bytes instead of bits. According to Murphy and Robshaw, the algebraic
structure of BES is even more elegant and simple than that of Rijndael. Furthermore, Rijndael
can be embedded into BES. This means that there is a map φ such that:
 
RijndaelK (x) = φ−1 BESφ(K) (φ(x)) . (3)

In this equation K denotes the cipher key and x the plaintext. Murphy and Robshaw proceed
with some observations on the properties of BES. However, these properties of BES do not
translate to properties of Rijndael.
Murphy and Robshaw believe that when the XSL method is applied to BES, the complex-
ity of the solving step could be significantly smaller than in the case where XSL is directly
applied to Rijndael.

Dual Cipher. In [BB02] the concept of dual ciphers is introduced. It is basically a gener-
alization of the ’embedding’ technique. This means that if we take invertible mappings f, g
and h, then there exists a dual cipher DU AL such that:

RijndaelK (x) = f −1 DU ALg(K) (h(P )). (4)

In this equation K denotes the cipher key and x the plaintext. This means that the dual
cipher is equivalent to the original cipher in the sense that it produces the same ciphertext
for a given plaintext and a given key by applying functions on the plaintext, the key and the
output of the dual cipher. As a consequence, one can implement and cryptanalyze the dual
1
He owns a PhD in pure mathematics, joined IBM and is a co-designer of the Data Encryption Standard
DES.
2
He owns a PhD in pure mathematics and conducts research in the fields of algebra.

5
cipher instead of the original cipher. In [BB02], 240 dual ciphers for Rijndael are identified.
No weaknesses of these dual ciphers have been reported. A similar concept, called Rijndael-
GF is defined in [DR02]. It is demonstrated that all the ciphers of the Rijndael-GF family
have exactly the same security level against differential and linear cryptanalysis.

5 Conclusion
We provided an overview about the published attacks and observations on Rijndael in this
paper. Furthermore, we discussed ideas which could lead to new attacks. At the time of
writing this paper, no shortcut attacks on Rijndael have been found.

References
[BB02] Elad Barkan and Eli Biham. In how many ways can you write Rijndael? In
Yuliang Zheng, editor, Proceedings of Asiacrypt’02, Lecture Notes in Computer
Science. Springer-Verlag, 2002. Also a NESSIE report.

[BK00] Eli Biham and Nathan Keller. Cryptanalysis of reduced variants of RIJNDAEL. In
Proceedings of the Third Advanced Encryption Standard Conference. NIST, April
2000.

[BS01] Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. In Birgit
Pfitzmann, editor, Proceedings of Eurocrypt’01, number 2045 in Lecture Notes in
Computer Science, pages 394–405. Springer-Verlag, 2001.

[CKK+ 01] Jung Hee Cheon, MunJu Kim, Kwangjo Kim, Jung-Yeun Lee, and SungWoo
Kang. Improved Impossible Differential Cryptanalysis of Rijndael and Crypton.
In K. Kim, editor, Information Security and Cryptology - ICISC 2001, number
2288 in Lecture Notes in Computer Science, pages 39–49. Springer, 2001.

[Cop02a] D. Coppersmith. XSL Against Rijndael. CRYPTO-GRAM, Oktober 2002.

[Cop02b] Don Coppersmith. Impact of Courtois and Piepryzk results. NIST AES Discussion
Forum, September 2002. Available from http://www.nist.gov/aes.

[CP02a] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with
overdefined systems of equations. In Yuliang Zheng, editor, Proceedings of Asi-
acrypt’02, Lecture Notes in Computer Science. Springer-Verlag, 2002. Different
version of the preprint [CP02b].

[CP02b] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with
overdefined systems of equations. IACR eprint server, 2002. Available at
http://eprint.iacr.org/2002/044/.

[DKR97] Joan Daemen, Lars Ramkilde Knudsen, and Vincent Rijmen. The block cipher
Square. In Eli Biham, editor, Proceedings of Fast Software Encryption – FSE’97,
number 1267 in Lecture Notes in Computer Science, pages 149–165. Springer-
Verlag, 1997.

6
 [DR02] Joan Daemen and Vincent Rijmen. The Design of Rijndael. Information Security
and Cryptography. Springer Verlag, 2002.

[FKL+ 00] N. Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, M. Stay, D. Wagner,
David Wagner, and Doug Whiting. Improved cryptanalysis of Rijndael. In Bruce
Schneier, editor, Proceedings of Fast Software Encryption – FSE’00, number 1978
in Lecture Notes in Computer Science, pages 213–230. Springer-Verlag, 2000.

[FSW01] Niels Ferguson, Richard Schroeppel, and Doug Whiting. A simple algebraic rep-
resentation of Rijndael. In Serge Vaudenay and Amr M. Youssef, editors, Proceed-
ings of Selected Areas in Cryptography – SAC’01, number 2259 in Lecture Notes
in Computer Science, pages 103–111. Springer-Verlag, 2001.

[GM00] Henri Gilbert and Marine Minier. A collision attack on seven rounds of Rijndael.
In Proceedings of the Third Advanced Encryption Standard Conference, pages 230–
241. NIST, April 2000.

[KW02] Lars Ramkilde Knudsen and David Wagner. Integral cryptanalysis (extended ab-
stract). In Joan Daemen and Vincent Rijmen, editors, Proceedings of Fast Software
Encryption – FSE’02, number 2365 in Lecture Notes in Computer Science, pages
112–127. Springer-Verlag, 2002.

[Luc00] Stefan Lucks. Attacking seven rounds of Rijndael under 192-bit and 256-bit keys.
In Proceedings of the Third Advanced Encryption Standard Conference. NIST,
April 2000.

[Moh02] T. Moh. On the Courtois-Pieprzyk’s attack on Rijndael. University of San Diego

Web-Site, September 2002. Available from http://www.usdsi.com/aes.html.

[MR02] Sean Murphy and Matthew J. B. Robshaw. Essential algebraic structure within
the AES. In Moti Yung, editor, Proceedings of Crypto’02, number 2442 in Lecture
Notes in Computer Science, pages 17–38. Springer-Verlag, 2002.

View publication stats