. The authors of Rijndael [3] describe the \Square attack" as the best known attack against the block cipher Rijndael. If the key size is 128 bit, the attack is faster than exhaustive search for up to six rounds. We extend the Square attack on Rijndael variants with larger keys of 192 bit and 256 bit. Our attacks exploit minor weaknesses of the Rijndael key schedule and are faster than exhaustive search for up to seven rounds of Rijndael. 1 Introduction The block cipher Rijndael [3] has been proposed as an AES candidate and was selected for the secound round. It is a member of a fast-growing family of Square-like ciphers [2-6]. Rijndael allows both a variable block length of M 32 bit with M 2 f4; 6; 8g and a variable key length of N 32 bit, N an integer. In the context of this paper we concentrate on M = 4, i.e., on a block length of 128 bit, and on N 2 f4; 6; 8g, i.e., on key sizes of 128, 192, and 256 bit. We abridge these variants by RD-128, RD-192 and RD-256. The number R of ...

this report, an analysis of the key schedule of the AES candidates [1] is presented, taking [18] as a starting point. Software implementations of key schedule of AES candidates were obtained from either the authors of the ciphers, or from [3]. There are many different criteria which can be applied to key schedule analysis [22, 30], including : weak keys, semi-weak keys, complementation properties, reconstruction of master key or other subkeys from recovered subkey bits, dependence of subkeys on the (full/partial) master keys material (key diffusion). These aspects will be taken into account in the analysis besides particular characteristics of individual key schedule algorithms. Let EK (:) be an encryption function. A key K for which EK (EK (X)) = X