## Analysis of Venkaiah et al.’s AES Design (2006)

### BibTeX

@MISC{Nakahara06analysisof,
    author = {Jorge Nakahara},
    title = {Analysis of Venkaiah et al.’s AES Design},
    year = {2006}
}

### Abstract

This paper describes impossible differential (ID) attacks on an AES variant designed by Venkaiah et al. They claim that their cipher has improved resistance to ID attacks due to a new MixColumns matrix with a branch number 4, which is smaller than that of the original AES. We argue against this statement. The contributions of this paper include ID distinguishers for Venkaiah et al.’s cipher, and a discussion of the susceptibility of such variants to impossible differential and other modern cryptanalytic techniques.

### Citations

494 | Differential Cryptanalysis of DES-like Cryptosystems
- Biham, Shamir
- 1991
Citation Context ...ranch number from an ID cryptanalysis perspective are discussed in Section 4. An immediate consequence of the smaller branch number in Venkaiah et al.’s design concerns the resistance to differential [6] and linear [13] cryptanalysis. In (5), we depict a 4-round differential of Venkaiah et al.’s AES, constructed to minimize the number of active S-boxes, using MC’ and (3). The symbol δ denotes a nonz...

428 | Linear cryptanalysis method for DES cipher
- Matsui
- 1994
Citation Context ...om an ID cryptanalysis perspective are discussed in Section 4. An immediate consequence of the smaller branch number in Venkaiah et al.’s design concerns the resistance to differential [6] and linear [13] cryptanalysis. In (5), we depict a 4-round differential of Venkaiah et al.’s AES, constructed to minimize the number of active S-boxes, using MC’ and (3). The symbol δ denotes a nonzero exclusive-or...

193 | Cryptanalysis of block ciphers with over defined systems of equations
- Courtois, Pieprzyk
- 2002
Citation Context ...x.x254 . The subscript x indicates hexadecimal notation. The motivation for this new S-box, denoted S′, may be related to attacks exploiting the sparsity of the algebraic expression of the AES S-box [8]. The highest non-trivial differential probability and maximum non-trivial linear probability of S′ are depicted in Table 1, together with the profiles for the AES S-box [9]. These figures are called...

135 | Slide attacks
- Biryukov, Wagner
- 1999
Citation Context ...ssible differential (ID) technique operates in a chosen-plaintext setting. This attack was formerly proposed in [11] against the DEAL block cipher, and further applied to Skipjack [3], IDEA and Khufu [4], the AES [5] and several other ciphers. ID distinguishers currently reported in the literature use the miss-in-the-middle technique described in [3]. This technique requires two differentials (∇ and ...

107 | Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials
- Biham, Biryukov, et al.
- 1999
Citation Context ...ver happen. The impossible differential (ID) technique operates in a chosen-plaintext setting. This attack was formerly proposed in [11] against the DEAL block cipher, and further applied to Skipjack [3], IDEA and Khufu [4], the AES [5] and several other ciphers. ID distinguishers currently reported in the literature use the miss-in-the-middle technique described in [3]. This technique requires two d...

26 | Cryptanalysis of reduced variants of Rijndael. unpublished
- Biham, Keller
- 1999
Citation Context ...ential (ID) technique operates in a chosen-plaintext setting. This attack was formerly proposed in [11] against the DEAL block cipher, and further applied to Skipjack [3], IDEA and Khufu [4], the AES [5] and several other ciphers. ID distinguishers currently reported in the literature use the miss-in-the-middle technique described in [3]. This technique requires two differentials (∇ and ∆) both holdi...

23 | Deal — A 128-bit Block Cipher
- Knudsen
- 1998
Citation Context ...ty, the impossible differential (ID) method looks for events that never happen. The impossible differential (ID) technique operates in a chosen-plaintext setting. This attack was formerly proposed in [11] against the DEAL block cipher, and further applied to Skipjack [3], IDEA and Khufu [4], the AES [5] and several other ciphers. ID distinguishers currently reported in the literature use the miss-in-t...

18 | Improved impossible differential cryptanalysis of Rijndael and Crypton
- Cheon, Kim, et al.
- 2002
Citation Context ...one on the original AES: $2^{31}$ time, $2^{29.5}$ chosen plaintexts (CP), $2^{32}$ memory. Another attack using (6) can recover subkey bits from both AK0 and AK6 of 6 rounds of Venkaiah et al.’s AES, similar to [7]. This attack works as follows: (a) Create a pool of $2^{32}$ plaintexts Pi = (p0, p1, . . . , p15) such that (p0, p5, p10, p15) assume all possible 32-bit values, and the remaining bytes assume arbitrary ...

4 | The Advanced Encryption Standard Development Process
- AES
- 1997
Citation Context ...n Network (SPN) type block cipher designed by Joan Daemen and Vincent Rijmen for the AES Development Process, initiated by the National Institute of Standards and Technology (NIST) in the USA in 1997 [1, 9]. The 128-bit block version of Rijndael, with a key of 128, 192 or 256 bits, is officially known as the AES [10]. Typically, text blocks, keys and subkeys are represented compactly by a 4 × Nb state m...

2 | Truncated differentials
- Knudsen, Berson
- 1996
Citation Context ...ce of ∇ cannot cause the input difference of ∆. This contradiction explains the term “miss-in-the-middle”. In byte-oriented ciphers such as Rijndael (AES), it is typical to use truncated differentials [12] to construct ∆ and ∇, because truncated difference patterns hold with certainty, and are independent of the S-box. In truncated differentials, one only distinguishes between zero and nonzero differen...

1 | On Efficient Implementation of InvMixColumn, Manuscript. (http://paginas.terra.com.br/informatica/paulobarreto
- Barreto
Citation Context ...nce MC’ is involutory (it is its own inverse). But, this discrepancy between the performance of AES encryption and decryption procedures can be diminished by other means, as pointed out by Barreto in [2], in which the InvMixColumns matrix is split as ⎡ ⎤ 0ex 0bx 0dx 09x 09x 0ex 0bx 0dx ⎢ ⎥ ⎣ 0dx 09x 0ex 0bx ⎦ . ⎡ ⎤ 05x 00x 04x 00x 00x 05x 00x 04x ⎢ ⎥ ⎣ 04x 00x 05x 00x ⎦ = ⎡ ⎤ 02x 03x 01x 01x 01x 02x ...

1 | Variations to S-box and MixColumn Transformations of AES
- Venkaiah, Srinathan, et al.
- 2006
Citation Context ...ws: Section 2 describes the AES variant by Venkaiah et al. Section 3 gives a brief overview of the impossible-differential technique. Section 5 concludes the paper. 2 Venkaiah et al.’s AES Design In [14], Venkaiah et al. suggested a variant of AES with a new S-box, a modified MixColumns matrix, and a new irreducible polynomial for $GF(2^8)$. They used $x^8 + x^6 + x^5 + x + 1$ as primitive irreducible poly...