Designs, Codes and Cryptography, Volume 73, Issue 1, pp. 85–103

Revisiting key schedule’s diffusion in relation with round function’s diffusion



We study the weakness of key schedules starting from an observation: many existing attacks exploit the fact that key schedules poorly distribute key bits along the diffusion path of the round functions. This highlights the importance of the relation between the diffusion of the key schedule and the diffusion of the round function. We present new cryptanalysis results obtained by exploring this diffusion relation and propose a new criterion for the necessary diffusion of a key schedule. We discuss potential attacks and summarize the causes of key schedules failing to satisfy this criterion. One major cause is that overlap between the diffusion of the key schedule and that of the round function leads to leakage of information about key bits. Finally, we present a measure for estimating our criterion for recursive key schedules. Today, key schedule design still lacks practical and necessary principles. For a practical key schedule with limited diffusion, our work adds insight into its requirements and helps to maximize the security level.


Keywords: Key schedule; Diffusion; Block cipher; SHACAL-2; AES; XTEA

Mathematics Subject Classification (2010)

94A60, 14G50, 11T71



Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
  2. Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China
