Cryptography Reference
In-Depth Information
Confusion means that 'relationships are lost' so that one cannot draw
conclusions on the input matrix from the result of one round. ByteSub
and AddRoundKey are mainly responsible for this task.
Only the continual consecutive execution of these rounds (which are nothing but
a deterministic substitution of 128-bit states with subsequent XOR addition of
a secret key) represents (hopefully) an almost unsolvable task for cryptanalysts.
Neither differential nor linear cryptanalysis (which works even against DES in
theory), nor the so-called interpolation attack work in this case; there are no
weak keys, and even attacks with related keys (interesting for smartcards) fail,
in contrast to DES.
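The following added example is not from the book; its function names and its sample key and block are this example's own constructions. It runs AES-128 (Rijndael with 128-bit block and key) for a chosen number of rounds and counts how many of the 16 state bytes differ when a single plaintext bit is flipped, which shows how little one round achieves on its own and why the rounds must be iterated:

```python
# Added illustration (not from the book): AES-128 stopped after `rounds` rounds (0..10).
def xt(a):  # multiply by x in GF(2^8), reduction polynomial 0x11B
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

EXP = [1]  # powers of the generator 3, used to invert field elements
for _ in range(254):
    EXP.append(EXP[-1] ^ xt(EXP[-1]))

def sbox_entry(a):  # ByteSub: field inverse, then the fixed affine map
    inv = EXP[-EXP.index(a) % 255] if a else 0
    rot = [((inv << n) | (inv >> (8 - n))) & 0xFF for n in range(5)]
    return 0x63 ^ rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4]
SBOX = [sbox_entry(a) for a in range(256)]

def expand_key(key):  # 11 round keys, 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def mix_column(s):
    def cell(i, n):  # byte n rows further down (cyclically) in the column of i
        return s[i - i % 4 + (i + n) % 4]
    return [xt(cell(i, 0)) ^ xt(cell(i, 1)) ^ cell(i, 1) ^ cell(i, 2) ^ cell(i, 3)
            for i in range(16)]

def aes_rounds(block, key, rounds):
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, rounds + 1):
        s = [SBOX[s[(5 * i) % 16]] for i in range(16)]  # ByteSub + ShiftRow
        if r != 10:                                     # last AES-128 round has no MixColumn
            s = mix_column(s)
        s = [b ^ k for b, k in zip(s, rk[r])]           # AddRoundKey
    return bytes(s)

def differing_bytes(p1, p2, key, rounds):
    a, b = aes_rounds(p1, key, rounds), aes_rounds(p2, key, rounds)
    return sum(x != y for x, y in zip(a, b))

KEY = bytes(range(16))                                  # constructed sample key
P1 = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample block
P2 = bytes([P1[0] ^ 1]) + P1[1:]                        # same block, one bit flipped
for n in (0, 1, 2, 10):
    print(n, "rounds:", differing_bytes(P1, P2, KEY, n), "of 16 bytes differ")
```

After one round the change is still confined to a single four-byte column of the state; after two rounds every byte of the state is affected.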
As for all five final candidates of the AES challenge, no effective attacks are
known on Rijndael. If you reduced the number of rounds, you would obtain the
following results (which become of interest only with 192-bit and 256-bit keys):
6 rounds: Using $6 \cdot 2^{32}$ chosen plaintext blocks, you can compute the
key with $2^{44}$ complex (i.e., approximately 17 billion) operations.
This means for practical purposes that about 400 Gbytes of plaintext given by
the attacker have to be encrypted and analyzed. If one complex operation takes
one microsecond, then this would take roughly 200 days (or 5 hours with one
nanosecond).
7 rounds: Requires almost $2^{128}$ chosen plaintexts (corresponding to
approximately $5 \cdot 10^{39}$ bytes) and a computing effort of $2^{120}$. With
one nanosecond per operation, this would take $4 \cdot 10^{19}$ (40 trillion) years.
Notice how tremendously the security grows by adding a 7th round! However,
Rijndael runs at least ten rounds (depending on the key length).
Though theoretical weaknesses were discovered in the way the round keys are
created, they may only be of academic interest. There is no practical impact
based on current knowledge.
Algebraic Cryptanalysis
Several experts expressed their doubts about the security of Rijndael, arguing
that the design was too simple to be secure. Though complex, 'hard-to-understand'
methods (such as DES, among others) may be harder to attack mathematically, this
is only an apparent benefit in an age of fast computers and high-performing
software which can, for example, handle much more complex formulas than humans
will ever be able to.