## On the Order of Round Components in the AES (2006)

### BibTeX

```bibtex
@MISC{Nakahara06onthe,
  author = {Jorge Nakahara},
  title = {On the Order of Round Components in the AES},
  year = {2006}
}
```

### Abstract

This paper analyses all 24 possible round constructions obtained by ordering the four round components of the AES cipher differently: SubBytes, ShiftRows, AddRoundKey and MixColumns. We investigate how the different round orderings affect the security of AES against differential, linear, multiset, impossible differential and boomerang attacks. The cryptographic strength of each cipher variant was measured by the size of each distinguisher, its probability or correlation value, and the number of active S-boxes. Our analyses indicate that all these permutations of the AES components have similar cryptographic strength (with respect to these five attacks), although certain permutations offer implementation advantages.

Keywords: Active S-box, AES, cryptanalysis

### Citations

493 | Differential Cryptanalysis of DES-like Cryptosystems - Biham, Shamir - 1991
Citation Context: ...provide either higher security or significant implementation advantages. This paper studies the security implications of different orderings of the round components with respect to differential (DC) [7], linear (LC) [27], multiset (M) [11, 14], impossible differential (ID) [5, 24] and boomerang (B) attacks [9]. The first two techniques are benchmarks for any modern block cipher. The other ones are c...

427 | Linear cryptanalysis method for DES cipher - Matsui - 1993
Citation Context: ...higher security or significant implementation advantages. This paper studies the security implications of different orderings of the round components with respect to differential (DC) [7], linear (LC) [27], multiset (M) [11, 14], impossible differential (ID) [5, 24] and boomerang (B) attacks [9]. The first two techniques are benchmarks for any modern block cipher. The other ones are considered because...

107 | Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials - Biham, Biryukov, et al. - 1999
Citation Context: ...this paper studies the security implications of different orderings of the round components with respect to differential (DC) [7], linear (LC) [27], multiset (M) [11, 14], impossible differential (ID) [5, 24] and boomerang (B) attacks [9]. The first two techniques are benchmarks for any modern block cipher. The other ones are considered because they are among the best known attacks on reduced-round AES var...

100 | AES proposal: Rijndael - Daemen, Rijmen - 1998
Citation Context: ...teen rounds, respectively. The AES has been intensively analysed since 1998. Most of the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract...

70 | The Design of Rijndael: AES—The Advanced Encryption Standard - Daemen, Rijmen - 2002

52 | Improved cryptanalysis of Rijndael - Ferguson, Kelsey, et al. - 2001
Citation Context: ...teen rounds, respectively. The AES has been intensively analysed since 1998. Most of the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract...

32 | Integral Cryptanalysis - Knudsen, Wagner
Citation Context: ...differential cryptanalysis of DES in [13]. 3 Multiset Distinguisher The multiset technique [11] has similarities with the Square attack [14], the saturation attack [26] and the integral cryptanalysis [22, 25]. All of these techniques operate in a chosen-plaintext (CP) setting, and the first published attack was a dedicated one on the Square block cipher [14]. Nonetheless, this technique has already been a...

26 | Cryptanalysis of reduced variants of Rijndael (unpublished) - Biham, Keller - 1999
Citation Context: ...has been intensively analysed since 1998. Most of the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract 2005/02102-9. have time complexity l...

23 | Deal — A 128-bit Block Cipher - Knudsen - 1998
Citation Context: ...this paper studies the security implications of different orderings of the round components with respect to differential (DC) [7], linear (LC) [27], multiset (M) [11, 14], impossible differential (ID) [5, 24] and boomerang (B) attacks [9]. The first two techniques are benchmarks for any modern block cipher. The other ones are considered because they are among the best known attacks on reduced-round AES var...

19 | The Block Cipher - Daemen, Knudsen, et al. - 1997
Citation Context: ...significant implementation advantages. This paper studies the security implications of different orderings of the round components with respect to differential (DC) [7], linear (LC) [27], multiset (M) [11, 14], impossible differential (ID) [5, 24] and boomerang (B) attacks [9]. The first two techniques are benchmarks for any modern block cipher. The other ones are considered because they are among the best...

18 | Improved impossible differential cryptanalysis of Rijndael and Crypton - Cheon, Kim, et al. - 2002
Citation Context: ...twelve and fourteen rounds, respectively. The AES has been intensively analysed since 1998. Most of the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paul...

15 | The saturation attack - a bait for Twofish - Lucks - 1994
Citation Context: ...s. This concept originated with the differential cryptanalysis of DES in [13]. 3 Multiset Distinguisher The multiset technique [11] has similarities with the Square attack [14], the saturation attack [26] and the integral cryptanalysis [22, 25]. All of these techniques operate in a chosen-plaintext (CP) setting, and the first published attack was a dedicated one on the Square block cipher [14]. Noneth...

14 | Structural cryptanalysis of SASAS - Biryukov, Shamir - 2010
Citation Context: ...significant implementation advantages. This paper studies the security implications of different orderings of the round components with respect to differential (DC) [7], linear (LC) [27], multiset (M) [11, 14], impossible differential (ID) [5, 24] and boomerang (B) attacks [9]. The first two techniques are benchmarks for any modern block cipher. The other ones are considered because they are among the best...

13 | Differential Cryptanalysis of the Full 16-round DES - Biham, Shamir - 1992
Citation Context: ...4.25 rounds, holds with certainty, and has 40 active S-boxes along its trail. 4 Differential and Linear Distinguishers The differential cryptanalysis (DC) technique was developed by Biham and Shamir [7, 8], and initially applied to the DES cipher. The linear cryptanalysis (LC) technique was developed by Matsui in [27]. Both attacks have become benchmarks for any modern block cipher, including the AES [...

12 | A collision attack on seven rounds of Rijndael - Gilbert, Minier - 2000
Citation Context: ...analysed since 1998. Most of the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract 2005/02102-9. have time complexity lower than that o...

6 | Square-like attacks on reduced rounds of IDEA - Demirci
Citation Context: ...setting, and the first published attack was a dedicated one on the Square block cipher [14]. Nonetheless, this technique has already been applied to several ciphers, with or without wordwise operations [17, 23, 25, 26]. A fundamental concept in a multiset attack is the Λ-set [14], which is a multiset [11] (a set with multiplicities) containing b full n-bit text block elements, where n is the block size and b is typ...

5 | Classes of Impossible Differentials of Advanced Encryption Standard - Phan - 2002
Citation Context: ...has been intensively analysed since 1998. Most of the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract 2005/02102-9. have time complexity l...

4 | The Advanced Encryption Standard Development Process - AES - 1997
Citation Context: ...(AES) is an SPN-type block cipher designed by J. Daemen and V. Rijmen in 1998. The original cipher was called Rijndael, and it was selected out of fifteen candidates during the AES Development Process [1], initiated by the National Institute of Standards and Technology (NIST) in 1997. It is expected that the AES will become the new de facto world standard in symmetric cryptography, as the successor of...

4 | The boomerang attack on 5 and 6-round reduced AES - Biryukov - 2005
Citation Context: ...the known results, though, concern attacks on reduced-round variants: differential and linear analyses [12], square [15, 18], impossible differential [6, 30, 29], collision [20], and boomerang attacks [9]. All of these attacks 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract 2005/02102-9. have time complexity lower than that of an exhaustive key search....

3 | The data encryption algorithm and its strength against attacks - Coppersmith - 1994
Citation Context: ...of the distinguisher. For instance, in the linear cryptanalysis of AES, an active S-box has both nonzero input and output masks. This concept originated with the differential cryptanalysis of DES in [13]. 3 Multiset Distinguisher The multiset technique [11] has similarities with the Square attack [14], the saturation attack [26] and the integral cryptanalysis [22, 25]. All of these techniques operate...

2 | The Boomerang Attack, 6th Fast Software Encryption - Wagner - 1999
Citation Context: ...plaintexts. 4 For instance, distinct diffusion layers [10]. 7 Boomerang Distinguisher The boomerang technique is a chosen-plaintext adaptively-chosen-ciphertext (CPACC) attack, developed by Wagner in [32]. The approach used for the AES variants follows that of Biryukov in [9]. The boomerang technique exploits encryption schemes EK, under a secret key K, that can be decomposed into two pieces EK = E1 ◦...

1 | How Many Ways Can You Write Rijndael, IACR Cryptology ePrint Archive #157, 2002 - Barkan, Biham, et al. - 2009
Citation Context: ...s 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract 2005/02102-9. have time complexity lower than that of an exhaustive key search. Some papers such as [2, 3] by Biham and Barkan studied AES variants with different component values compared to [28], namely, different matrix constants, primitive and non-primitive irreducible polynomials, and new parameters...

1 | The Book of Rijndaels, IACR Cryptology ePrint Archive #158 - Barkan, Biham - 2002
Citation Context: ...s 1 Research funded by FAPESP (Fundação de Amparo à Pesquisa do Estado de São Paulo) under contract 2005/02102-9. have time complexity lower than that of an exhaustive key search. Some papers such as [2, 3] by Biham and Barkan studied AES variants with different component values compared to [28], namely, different matrix constants, primitive and non-primitive irreducible polynomials, and new parameters...

1 | Saturation attacks on reduced-round skipjack - Hwang, Lee, et al. - 2002
Citation Context: ...uses significantly different schemes for encryption and decryption, care must be exercised to prevent one of them from becoming weaker than the other 4, and thus more susceptible to cryptanalytic attacks [4, 21]. 6 Impossible-Differential Distinguisher The impossible-differential (ID) technique was due to Knudsen in [24]. Unlike conventional differential attacks that look for differentials or characteristics...

1 | Integral cryptanalysis of - Hu, Zhang, et al. - 1999
Citation Context: ...differential cryptanalysis of DES in [13]. 3 Multiset Distinguisher The multiset technique [11] has similarities with the Square attack [14], the saturation attack [26] and the integral cryptanalysis [22, 25]. All of these techniques operate in a chosen-plaintext (CP) setting, and the first published attack was a dedicated one on the Square block cipher [14]. Nonetheless, this technique has already been a...