In this paper we consider the security of block ciphers which contain alternate layers of invertible S-boxes and affine mappings (there are many popular cryptosystems which use this structure, including the winner of the AES competition, Rijndael). We show that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what we call a multiset attack, even when all the S-boxes and affine mappings are key dependent (and thus completely unknown to the attacker). We tested the multiset attack with an actual implementation, which required just 2^16 chosen plaintexts and a few seconds on a single PC to find the 2^17 bits of information in all the unknown elements of the scheme.
Key words: Cryptanalysis; Structural cryptanalysis; Multiset attack; Block ciphers; Substitution permutation networks; Substitution affine networks; Rijndael; AES
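The structural property the multiset attack rests on, shown on a scaled-down SASAS (S-box, affine, S-box, affine, S-box) with 4-bit S-boxes and a 16-bit block. This is example code added here, not the paper's implementation; the seeds, the number of multisets, the layer sizes and all function names are assumptions. All five layers are generated at random and treated as unknown: a saturated multiset (one S-box input runs through all 16 values while the other nibbles are held constant) is shown to arrive at the input of the last S-box layer with every nibble XOR-summing to zero, and that fact is turned into GF(2) linear equations on the bit tables of the last-layer inverse S-boxes using nothing but chosen plaintexts and their ciphertexts. The solution space for each bit has dimension at least NIB+1, since any affine image of the true inverse S-box satisfies the same equations; the rest of the attack, which peels off the recovered layer and continues inward, is not reproduced here.

```python
import random

NIB = 4                  # S-box width in bits (toy; the paper attacks 8-bit S-boxes)
NBOX = 4                 # S-boxes per layer (toy 16-bit block; the paper uses 128 bits)
N = NIB * NBOX
MASK = (1 << NIB) - 1


def parity(x):
    return bin(x).count("1") & 1


def nib(x, j):
    """Nibble j of the N-bit value x."""
    return (x >> (NIB * j)) & MASK


def gf2_reduce(rows):
    """Row-reduce int bitmask rows over GF(2); returns list of (pivot_col, row)."""
    basis = []
    for r in rows:
        for pc, br in basis:
            if (r >> pc) & 1:
                r ^= br
        if r:
            pc = r.bit_length() - 1
            basis = [(c, b ^ r if (b >> pc) & 1 else b) for c, b in basis]
            basis.append((pc, r))
    return basis


def gf2_nullspace(rows, ncols):
    """Basis of all x with parity(r & x) == 0 for every r in rows."""
    basis = gf2_reduce(rows)
    pivots = {pc for pc, _ in basis}
    null = []
    for free in range(ncols):
        if free in pivots:
            continue
        v = 1 << free
        for pc, br in basis:
            if (br >> free) & 1:
                v |= 1 << pc
        null.append(v)
    return null


def rand_sbox_layer(rng):
    """NBOX random bijective S-boxes (key dependent, unknown to the attacker)."""
    layer = []
    for _ in range(NBOX):
        t = list(range(1 << NIB))
        rng.shuffle(t)
        layer.append(t)
    return layer


def rand_affine(rng):
    """Random invertible GF(2) matrix (rows as bitmasks) plus a constant."""
    while True:
        rows = [rng.getrandbits(N) for _ in range(N)]
        if len(gf2_reduce(rows)) == N:
            return rows, rng.getrandbits(N)


def sbox_layer(layer, x):
    return sum(layer[j][nib(x, j)] << (NIB * j) for j in range(NBOX))


def affine(aff, x):
    rows, c = aff
    return sum(parity(r & x) << i for i, r in enumerate(rows)) ^ c


class SASAS:
    """Toy S-A-S-A-S cipher with every layer drawn from a seed (assumed construction)."""

    def __init__(self, seed):
        rng = random.Random(seed)
        self.S1, self.A1 = rand_sbox_layer(rng), rand_affine(rng)
        self.S2, self.A2 = rand_sbox_layer(rng), rand_affine(rng)
        self.S3 = rand_sbox_layer(rng)

    def before_last_layer(self, x):          # internal state; only used to verify the property
        return affine(self.A2, sbox_layer(self.S2, affine(self.A1, sbox_layer(self.S1, x))))

    def encrypt(self, x):
        return sbox_layer(self.S3, self.before_last_layer(x))


def saturated_multiset(rng, pos):
    """All 2^NIB plaintexts that take every value in nibble pos, constants elsewhere."""
    base = rng.getrandbits(N) & ~(MASK << (NIB * pos))
    return [base | (v << (NIB * pos)) for v in range(1 << NIB)]


def xor_sums_before_last_layer(cipher, pts):
    """Per-nibble XOR of the S3 inputs over a multiset: all zero for a saturated multiset."""
    acc = 0
    for p in pts:
        acc ^= cipher.before_last_layer(p)
    return [nib(acc, j) for j in range(NBOX)]


def recover_last_layer_space(cipher, rng, n_multisets=48):
    """For each output nibble j, the equations and GF(2) solution space for bit tables of S3_j^-1.
    XOR over the multiset of S3_j^-1(c_j) is zero, so each multiset gives one equation whose
    coefficients are the parity of how often each ciphertext value reaches nibble j."""
    eqs = [[] for _ in range(NBOX)]
    for i in range(n_multisets):
        cts = [cipher.encrypt(p) for p in saturated_multiset(rng, i % NBOX)]
        for j in range(NBOX):
            m = 0
            for c in cts:
                m ^= 1 << nib(c, j)
            eqs[j].append(m)
    return [(eqs[j], gf2_nullspace(eqs[j], 1 << NIB)) for j in range(NBOX)]


def bit_table(sbox_inv, b):
    """Bit b of an inverse S-box table, packed as a 2^NIB-bit vector indexed by input value."""
    return sum(((sbox_inv[v] >> b) & 1) << v for v in range(1 << NIB))


def truth_is_consistent(cipher, sol):
    """Check that the real S3 inverses satisfy every recovered equation (verification only)."""
    for j, (rows, _) in enumerate(sol):
        inv = [0] * (1 << NIB)
        for u, v in enumerate(cipher.S3[j]):
            inv[v] = u
        for b in range(NIB):
            if any(parity(r & bit_table(inv, b)) for r in rows):
                return False
    return True


def run_attack(cipher_seed=2001, rng_seed=7, n_multisets=48):
    cipher = SASAS(cipher_seed)
    rng = random.Random(rng_seed)
    sums = xor_sums_before_last_layer(cipher, saturated_multiset(rng, 0))
    sol = recover_last_layer_space(cipher, rng, n_multisets)
    return sums, [len(ns) for _, ns in sol], truth_is_consistent(cipher, sol)


if __name__ == "__main__":
    print(run_attack())
```

The attacker never reads the internal state: `xor_sums_before_last_layer` exists only to show why the equations hold. Each S-box output bit is an affine function of the 16-bit state, so over the 16 plaintexts of a saturated multiset every value of an A1 output nibble appears 1, 2, 4, 8 or 16 times; after S2 the XOR of each nibble is therefore zero, and A2, being affine over an even number of terms, preserves that. The all-ones vector is always in the solution space (each equation has an even number of nonzero coefficients), which is why the bottom layer can only be pinned down up to an affine change of its output, the equivalence the paper has to account for when counting the 2^17 recoverable bits.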