Abstract. We present a 5-round distinguisher for AES. We exploit this distinguisher to develop a meet-in-the-middle attack on 7 rounds of AES-192 and 8 rounds of AES-256. We also give a time-memory tradeoff generalization of the basic attack which gives a better balancing between different costs of the attack. As an additional note, we state a new squarelike property of the AES algorithm.

ABSTRACT: Impossible differential cryptanalysis is one of the cryptanalysis methods that are applicable to the new Advanced Encryption Standard (AES). In this paper, we present an introduction to the method by applying it on Mini-AES, the mini version of the AES published in Cryptologia recently.

This paper1 analyses all 24 possible round constructions using different combinations of the four round components of the AES cipher: SubBytes, ShiftRows, AddRoundKey and MixColumns. We investigate how the different round orderings affect the security of AES against differential, linear, multiset, impossible differential and boomerang attacks. The cryptographic strenght of each cipher variant was measured by the size of each distinguisher, their probability or correlation value and the number of active S-boxes. Our analyses indicate that all these permutations of the AES components have similar cryptographic strength (concerning these five attacks), although there are implementation advantages for certain permutations. Keywords: Active S-box, AES, cryptanalysis 1

This paper proposes a new, large diffusion layer for the AES block cipher. This new layer replaces the ShiftRows and MixColumns operations by a new involutory matrix in every round. The objective is to provide complete diffusion in a single round, thus sharply improving the overall cipher security. Moreover, the new matrix elements have low Hamming-weight in order to provide equally good performance for both the encryption and decryption operations. We use the Cauchy matrix construction instead of circulant matrices such as in the AES. The reason is that circulant matrices cannot be simultaneously MDS and involutory.

Abstract. Finding the longest impossible differentials is an essential assignment in proceeding impossible differential cryptanalysis. In this paper, we introduce a novel tool to search the longest truncated impossible differentials for word-oriented block ciphers with bijective S-boxes. It costs polynomial time to return a flag indicating whether a truncated differential is impossible under several filter conditions. To demonstrate the strength of our tool, we show that it allows to automatically find the longest truncated impossible differentials for many word-oriented block ciphers. It independently rediscovers all known truncated impossible differentials on nine round CLEFIA. What’s more, it finds new and longest truncated impossible differentials for the AES, ARIA, Camellia without F L and F L −1 layers, E2, MIBS, LBlock and Piccolo. Finally, we give an impossible differential of 14-round LBlock to illustrate that our tool is more powerful than the U-method and UID-method. We expect that the tool proposed in this paper will be useful for evaluating the security of block ciphers against impossible differentials, especially when one tries to design a word-oriented block cipher with bijective S-boxes. Key words: word-oriented block ciphers, truncated impossible differentials, difference propagation system, U-method, UID-method 1