Learn about known attacks, improvements, and the security margin of the Rijndael AES encryption standard. References are provided for detailed insights into the attacks and conclusions.
Rijndael Attacks
CSC 692
Presenter: Karthik Parameswar
Introduction
Rijndael is the Advanced Encryption Standard (AES). Criteria taken into account in its design were:
• Resistance against known attacks
• Speed and code compactness on a wide range of platforms
• Design simplicity
Known Attacks
• Up to 6 rounds, using the same technique used to attack the block cipher Square
  Time complexity: 2^72
  Data complexity: 2^32 chosen plaintexts
• Up to 7 rounds: a collision attack
  Time complexity: 2^140
  Data complexity: 2^32 chosen plaintexts
  Key size: 192 and 256 bits
6 Round attack
• Variant of the “Square” attack that exploits the byte-oriented structure of Rijndael
• Attack based upon an efficient distinguisher between 3 Rijndael inner rounds and a random permutation.
• Details found in [2].
7 Round attack
• The 6-round attack can be extended to 7 rounds but is slower than exhaustive key search. Details in [2] and [4].
  Time complexity: 2^200
Collision Attack
• Efficient distinguisher between 4 Rijndael inner rounds and a random permutation. Details in [1].
• Faster than exhaustive key search.
7 Round Attack - contd
• Extends the Square attack to Rijndael variants with larger keys of 192 and 256 bits
• Attack exploits a minor weakness of the Rijndael key schedule
• Faster than exhaustive key search for up to 7 rounds
• Details in [2]
An Improvement on existing attacks
• A new technique called the partial-sum technique
• Dramatically reduces the complexity of 6-round attacks.
• Uses the same idea to attack 7 and 8 rounds of Rijndael.
• Details in [4]
Another Attack
• Proposed by Courtois and Pieprzyk
• Tries to express the entire algorithm as multivariate quadratic polynomials
• Uses an innovative technique to treat the terms of those polynomials as individual variables
• Gives a system of linear equations in a quadratically large number of variables that has to be solved (a gross oversimplification of the paper)
Another attack - contd
• Can use minimization techniques to make the solution easier.
• Claims to break the entire algorithm with one or two known plaintexts
• Time complexity claim is 2^100
• Details in [5]
Conclusions
• The attacks described are highly impractical. Furthermore, they are not sufficient to reduce the complexity of the full Rijndael due to its security margin.
• It is interesting that cryptanalysis techniques exist for 7 out of 10 rounds for 128-bit keys, 8 of 12 rounds for 192-bit keys, and 9 of 14 rounds for 256-bit keys.
• Results exhibit a weakness in the key schedule but do not necessitate key schedule modification.
• Signs are good that Rijndael will be sufficient for block-cipher implementations in the coming decades.
References
[1] Henri Gilbert, Marine Minier. A collision attack on 7 rounds of Rijndael.
[2] J. Daemen, L. Knudsen, and V. Rijmen. The block cipher Square.
[3] Stefan Lucks. Attacking seven rounds of Rijndael under 192-bit and 256-bit keys.
[4] Niels Ferguson, John Kelsey, Stefan Lucks, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting. Improved Cryptanalysis of Rijndael.
References - contd
[5] Nicolas T. Courtois, Josef Pieprzyk. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations.