Designs, Codes and Cryptography, Volume 83, Issue 2, pp 327–343

A new counting method to bound the number of active S-boxes in Rijndael and 3D

  • Mahdi Sajadieh
  • Arash Mirzaei
  • Hamid Mala
  • Vincent Rijmen


Security against differential and linear cryptanalysis is an essential requirement for modern block ciphers. This measure is usually evaluated by finding a lower bound for the minimum number of active S-boxes. The 128-bit block cipher AES, which was adopted by the National Institute of Standards and Technology (NIST) as a symmetric encryption standard in 2001, is a member of the Rijndael family of block ciphers. For Rijndael, the block length and the key length can be independently specified to 128, 192 or 256 bits. It has been proved that for all variants of Rijndael the lower bound on the number of active S-boxes for any 4-round differential or linear trail is 25, and for 4r (\(r \ge 1\)) rounds 25r active S-boxes is a tight bound only for Rijndael with block length 128. In this paper, a new counting method is introduced to find tighter lower bounds for the minimum number of active S-boxes for several consecutive rounds of Rijndael with larger block lengths. The new method shows that 12 and 14 rounds of Rijndael with 192-bit block length have at least 87 and 103 active S-boxes, respectively. Also, the corresponding bounds for Rijndael with 256-bit block length are 105 and 120, respectively. Additionally, a modified version of Rijndael-192 is proposed for which the minimum number of active S-boxes is more than that of Rijndael-192. Moreover, we extend the method to obtain a better lower bound for the number of active S-boxes for the block cipher 3D. Our counting method shows that, for example, 20 and 22 rounds of 3D have at least 185 and 205 active S-boxes, respectively.


Keywords

Block cipher, Rijndael, 3D, Active S-box

Mathematics Subject Classification

11T71 14G50 



Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Mahdi Sajadieh (1)
  • Arash Mirzaei (2)
  • Hamid Mala (3)
  • Vincent Rijmen (4)

  1. Department of Electrical Engineering, Islamic Azad University, Isfahan (Khorasgan) Branch, Isfahan, Iran
  2. Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran
  3. Department of Computer Engineering, University of Isfahan, Isfahan, Iran
  4. Department of Electrical Engineering (ESAT), KU Leuven and iMinds, Leuven, Belgium
