The Design of Rijndael
Impossible differential cryptanalysis of 7-round advanced encryption standard (AES)
Information Processing Letters - Devoted to the rapid publication of short contributions to information processing
New results on impossible differential cryptanalysis of reduced AES
ICISC'07 Proceedings of the 10th international conference on Information security and cryptology
Automatic search of attacks on round-reduced AES and applications
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Biclique cryptanalysis of the full AES
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
Preimage attacks on Feistel-SP functions: impact of omitting the last network twist
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
Hi-index | 0.89 |
The Advanced Encryption Standard (AES) is the most widely deployed block cipher. It follows the modern iterated block cipher approach, iterating a simple round function multiple times. The last round of AES slightly differs from the others, as a linear mixing operation (called MixColumns) is omitted from it. Following a statement of the designers, it is widely believed that the omission of the last round MixColumns has no security implications. As a result, the majority of attacks on reduced-round variants of AES assume that the last round of the reduced-round version is free of the MixColumns operation. In this letter we challenge this belief, showing evidence that the omission of MixColumns affects the security of (reduced-round) AES. First, we consider a simple example of 1-round AES, where we show that the omission reduces the time complexity of an attack with a single known plaintext from 2^4^8 to 2^1^6. Then, we examine several previously known attacks on 7-round AES-192 and show that the omission reduces their time complexities by a factor of 2^1^6.