Related-Key Differential Cryptanalysis of 192-bit Key AES Variants

  • Goce Jakimoski
  • Yvo Desmedt
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3006)


A related-key differential cryptanalysis is applied to the 192-bit key variant of AES. Although any 4-round differential trail has at least 25 active bytes, one can construct 5-round related-key differential trail that has only 15 active bytes and break six rounds with 2106 plaintext/ciphertext pairs and complexity 2112. The attack can be improved using truncated differentials. In this case, the number of required plaintext/ciphertext pairs is 281 and the complexity is about 286. Using impossible related-key differentials we can break seven rounds with 2111 plaintext/ciphertext pairs and computational complexity 2116. The attack on eight rounds requires 288 plaintext/ciphertext pairs and its complexity is about 2183 encryptions. In the case of differential cryptanalysis, if the iterated cipher is Markov cipher and the round keys are independent, then the sequence of differences at each round output forms a Markov chain and the cipher becomes resistant to differential cryptanalysis after sufficiently many rounds, but this is not true in the case of related-key differentials. It can be shown that if in addition the Markov cipher has K-f round function and the hypothesis of stochastic equivalence for related keys holds, then the iterated cipher is resistant to related-key differential attacks after sufficiently many rounds.


Differential cryptanalysis related keys Markov ciphers Advanced Encryption Standard 


  1. 1.
    Advanced Encryption Standard (AES), FIPS Publication 197 (November 26, 2001), available at
  2. 2.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)MATHCrossRefMathSciNetGoogle Scholar
  3. 3.
    Biham, E., Shamir, A.: Differential Cryptanalysis of Snefru, Khafre, REDOC II, LOKI, and Lucifer. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 156–171. Springer, Heidelberg (1992)Google Scholar
  4. 4.
    Biham, E.: New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology 7(4), 229–246 (1994)MATHCrossRefGoogle Scholar
  5. 5.
    Biham, E., Biryukov, A., Ferguson, N., Knudsen, L., Schneier, B., Shamir, A.: Cryptanalysis of MAGENTA,
  6. 6.
    Biham, E., Keller, N.: Cryptanalysis of Reduced Variants of Rijndael,
  7. 7.
    Cheon, J., Kim, M., Kim, K., Lee, J., Kang, S.: Improved Impossible Differential Cryptanalysis of Rijndael and Crypton. In: Kim, K.-c. (ed.) ICISC 2001. LNCS, vol. 2288, p. 39. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
  9. 9.
    Daemen, J., Rijmen, V.: AES Proposal: Rijndael,
  10. 10.
    Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Doctoral Dissertation, K.U.Leuven (March 1995)Google Scholar
  11. 11.
    Ferguson, N., Kelsey, J., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved Cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, p. 213. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. 12.
    Jacobson Jr., M.J., Huber, K.: The MAGENTA Block Cipher Algorithm. AES candidate, http:// Scholar
  13. 13.
    Kelsey, J., Schneier, B., Wagner, D.: Key-schedule cryptanalysis of IDEA, GDES, GOST, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–252. Springer, Heidelberg (1996)Google Scholar
  14. 14.
    Knudsen, L.R.: Truncated and Higher Order Differentials. In: Fast Software Encryption, 2nd International Workshop Proceedings, pp. 196–211. Springer, Heidelberg (1995)Google Scholar
  15. 15.
    Lai, X.: Higher Order Derivations and Differential Cryptanalysis. In: Communications and Cryptography: Two Sides of One Tapestry, pp. 227–233. Kluwer Academic Publishers, Dordrecht (1994)Google Scholar
  16. 16.
    Lai, X., Massey, J., Murphy, S.: Markov Ciphers and Differential Cryptanalysis. In: CRYPTO 1991, pp. 17–38. Springer, Heidelberg (1991)Google Scholar
  17. 17.
    Quisquater, J.-J., Samyde, D.: Eddy current for Magnetic Analysis with Active Sensor. In: Proceedings of Esmart 2002, 3rd edn., Nice, France (September 2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Goce Jakimoski
    • 1
  • Yvo Desmedt
    • 1
  1. 1.Computer Science DepartmentFlorida State University TallahasseeFloridaUSA

Personalised recommendations