Rijndael Attacks

1. Rijndael Attacks CSC 692 Presenter Karthik Parameswar

2. Introduction • Advanced Encryption Standard (AES) is the new Federal Information Processing Standard (FIPS) • Intended use by U.S. Government organizations to protect sensitive (unclassified) information. • On October 2nd, 2000, NIST selected Rijndael as the Advanced Encryption Standard

3. Security of AES/ Rijndael • Designed with state of the art cryptographic research • Designed to have strong resistance against classical approximation attacks.

4. Known Attacks • Up to 6 rounds using the same technique used to attack the block cipher -Square Time Complexity – 2^72 Data Complexity - 2^32 chosen plaintext • Up to 7 rounds – A collision attack Time Complexity – 2 ^140 Data Complexity - 2^32 chosen plaintext Key size 192 and 256 bits

5. 6 Round attack • Variant of “Square” attack and exploits the byte oriented structure of Rijndael • Attack based upon an efficient distinguisher between 3 Rijndael inner rounds and a random permutation. • Details found in [2].

6. 7 Round attack • Square-6 attack can be extended to 7 rounds but slower than exhaustive key search. Details in [2] and [4]. Time Complexity – 2^200 Collision Attack • Based on efficient distinguisher between 4 Rijndael inner rounds and a random permutation. • Faster than exhaustive key search. • Details in [1].

7. 7 Round Attack - contd • Extending the Square attack on Rijndael variants with larger keys of 192 bit and 256 bit • Attack exploits minor weakness of Rijndael key schedule • Faster than exhaustive key search for up to 7 rounds • details in [3]

8. An Improvement on existing attacks • A new technique called partial-sum technique • Dramatically reduced the complexity of 6-round attacks. • Uses the idea to attack 7 and 8 rounds of Rijndael. • details in [4]

9. Another Attack • Proposed by Courtois and Pieprzky • tries to express the entire algorithm as multivariate quadratic polynomials, • uses an innovative technique to treat the terms of those polynomials as individual variables. • gives a system of linear equations in a quadratically large number of variables that has to be solved (gross oversimplification of the paper)

10. Another attack - contd • Can use minimization techniques to make the solution easier. • Claims to break the entire algorithm with one or two know plaintext • Time complexity claim is 2^100 • Details in [5]

11. Summary of Results

12. Conclusions • The attacks described are highly impractical. Furthermore, they are not sufficient to reduce the complexity of the full Rijndael due to its security margin. • Interesting that cryptoanalysis techniques exist for 7 out of 10 rounds for 128-bit keys, 8 of 12 rounds for 192-bit keys, and 9 of 14 rounds for 256-bit keys • Results exhibit a weakness in key schedule but does not necessitate key schedule modification. • Signs are good that Rijndael will be sufficient for block-cipher implementations in the coming decades.

13. References [1] Henri Gilbert, Marine Minier. A collision attack on 7 rounds of Rijndael http://csrc.nist.gov/CryptoToolkit/aes/round2/conf3/papers/11-hgilbert.pdf [2] J.Daemen L.Knudsen, and V.Rijmen. The block cipher Square. http://www.esat.kuleuven.ac.be/~cosicart/pdf/VR-9700.PDF [3] Stefan Lucks. Attacking seven rounds of Rijndael under 192-bit and 256-bit keys. http://th.informatik.uni-mannheim.de/ People/ Lucks /papers.html

14. References - contd [4] Neils Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting. Improved Cryptanalysis of Rijndael. http://www.counterpane.com/rijndael.pdf [5] Nicolas T. Courtois, Joseph Pieprzyk Cryptanalysis on Block Ciphers with Overdefined System of Equations http://eprint.iacr.org/2002/044.pdf