A Five-Round Algebraic Property of the Advanced Encryption Standard

Transcription

1 A Five-Round Algebraic Property of the Advanced Encryption Standard Jianyong Huang, Jennifer Seberry and Willy Susilo Centre for Computer and Information Security Research (CCI) School of Computer Science and Software Engineering University of Wollongong, Australia {jyh33, jennie, Abstract This paper presents a five-round algebraic property of the Advanced Encryption Standard (AES) In the proposed property, we modify twenty bytes from five intermediate values at some fixed locations in five consecutive rounds, and we show that after five rounds of operations, such modifications do not change the intermediate result and finally still produce the same ciphertext We introduce an algorithm named δ, and the algorithm accepts a plaintext and a key as two inputs and outputs twenty bytes, which are used in the five-round property We demonstrate that the δ algorithm has 2 variants for AES-12, 2 variants for AES-192 and 36 variants for AES-256 By employing the δ algorithm, we define a modified version of the AES algorithm, the δaes The δaes calls the δ algorithm to generate twenty bytes, and uses these twenty bytes to modify the AES round keys The δaes employs the same key scheduling algorithm, constants and round function as the AES For a plaintext and a key, the AES and the δaes produce the same ciphertext Keywords: AES, A Five-Round Algebraic Property of the AES, Algorithm δ, Variants of Algorithm δ, Linear Equations, δaes 1 Introduction The block cipher Rijndael [1] was selected as the Advanced Encryption Standard (AES) by National Institute of Standards and Technology Rijndael has a simple and elegant structure, and it was designed carefully to withstand two well-known cryptanalytic attacks: differential cryptanalysis [2] and linear cryptanalysis [3] Most operations of Rijndael are based on the algebraic Galois field GF(2 ), which can be implemented efficiently in dedicated hardware and in software on a wide range of processors Since Rijndael was adopted as a standard [4], there have been many research efforts aiming to evaluate the security of this cipher A block cipher, named Big Encryption System (BES), was defined in [5], and Rijndael can be embedded into BES The extended Linearization (XL) [6] and the extended Sparse Linearization (XSL) [7] techniques are new methods to solve nonlinear algebraic equations The concept of dual ciphers was introduced in [], and a collision attack on 7 rounds of Rijndael was proposed in [9] The most effective attacks on

2 2 J Huang, J Seberry and W Susilo reduced-round variants of the AES are Square attack which was used to attack the cipher Square [1,1] The idea of the Square attack was later employed to improve the cryptanalysis of Rijndael [11], and to attack seven rounds of Rijndael under 192-bit and 256-bit keys [12] A multiplicative masking method of AES was proposed in [13] and further discussed in [14] The design of an AES-based stream cipher LEX was described in [15], and the construction of an AES-based message authentication code can be found in [16] So far, no short-cut attack against the full-round AES has been found In this paper, we present a five round property of the AES We modify twenty bytes from five intermediate values at some fixed locations in five consecutive rounds, and we demonstrate that after five rounds of operations, such modifications do not change the intermediate result and finally still produce the same ciphertext We introduce an algorithm named δ, and the δ algorithm takes a plaintext and a key as two inputs and outputs twenty bytes, which are used in the five-round property By employing the δ algorithm, we define a modified version of the AES algorithm, the δaes The δaes calls the δ algorithm to generate twenty bytes, and uses these twenty bytes to modify the AES round keys For a plaintext and a key, the AES and the δaes produce the same ciphertext This paper is organized as follows: Section 2 provides a short description of the AES In Section 3, we present the five-round algebraic property of the AES, and introduce the δ algorithm In Section 4, we define a modified version the AES algorithm, the δaes Finally, Section 5 concludes this paper Appendix A and Appendix B provide the process of finding the values of the eight variables which are used in Section 3 2 Description of the AES We provide a brief description of the AES, and refer the reader to [4] for a complete description of this cipher AES is a block cipher with a 12-bit block length and supports key lengths of 12, 192 or 256 bits For encryption, the input is a plaintext block and a key, and the output is a ciphertext block The plaintext is first copied to 4 4 array of bytes, which is called the state The bytes of a state is organized in the following format: a a 4 a a 12 a 1 a 5 a 9 a 13 a 2 a 6 a 1 a 14 a 3 a 7 a 11 a 15 where a i denote the i-th byte of the block After an initial round key addition, the state array is transformed by performing a round function 1, 12, or 14 times (for 12-bit, 192-bit or 256-bit keys respectively), and the final state is the ciphertext We denote the AES with 12-bit keys by AES-12, with 192- bit keys by AES-192, and with 256-bit keys by AES-256 Each round of AES consists of the following four transformations (the final round does not include MixColumns):

3 A Five-Round Algebraic Property of the Advanced Encryption Standard 3 1 The SubBytes () transformation It is a non-linear byte substitution that operates independently on each byte of the state using a substitution table 2 The ShiftRows () transformation The bytes of the state are cyclically shifted over different numbers of bytes Row is unchanged, and Row i is shifted to the left i byte cyclicly, i {1, 2, 3} 3 The MixColumns () transformation It operates on the state column-bycolumn, considering each column as a four-term polynomial The columns are treated as polynomials over GF(2 ) and multiplied modulo x with a fixed polynomial, written as {3}x 3 + {1}x 2 + {1}x + {2} 4 The AddRoundKey () transformation A round key is added to the state by a simple bitwise exclusive-or (XOR) operation The key expansion of the AES generates a total of Nb(Nr + 1) words: the algorithm needs an initial set of Nb words, and each of the Nr rounds requires Nb words of key data, where Nb is 4, and Nr is set to 1, 12, or 14 for 12-bit, 192-bit, or 256-bit key sizes respectively For a 12-bit key K, we denote the round keys by K i K4 i K i K12 i K1 i K5 i K9 i K13 i K2 i K6 i K1 i K14 i, K3 i K7 i K11 i K15 i where i is the round number, i {1, 2, 1} We note that the round key used in the initial round is the secret key K itself, and the secret key is represented without the superscript i 3 A Five-Round Property of AES We present a five-round property of the AES in this section In the proposed property, we modify twenty bytes from five intermediate values at some fixed locations in five consecutive rounds, and we show that after five rounds of operations, such modifications do not change the intermediate result and finally still produce the same ciphertext The modifications are carried out by performing four extra XOR operations at the end of each round (ie, after the transformation), and in total, we perform twenty extra XOR operations in five rounds We require that each of these five rounds must contain,, and transformations We use Figure 1 and Figure 2 to describe this property The layout of the twenty bytes in the five intermediate values is shown in Figure 2, and the twenty bytes are G, G 2, G, G 1, M, M 2, M, M 1, R, R 2, R, R 1, V, V 2, V, V Z, Z 2, Z, and Z 1 In Figure 1, all intermediate values are listed when using the AES algorithm to encrypt a plaintext P under a 12-bit key K, and all bytes of the intermediate values are denoted by plain variables Correspondingly, Figure 2 enumerates all intermediate values of the AES with 2 extra XOR operations The twenty-byte modifications take place in Round 1, 2, 3, 4 and 5, and after 1,

4 4 J Huang, J Seberry and W Susilo transformation in each of these five rounds, we perform XOR operations on Bytes, 2, and 1 We show that the twenty-byte modifications do not change the input to Round 6, ie, both the AES and the AES with 2 extra XOR operations generate the same input to Round 6 In Figure 2, a variable marked by a asterisk indicates that the value at that location has been affected by the twenty-byte modifications, and a plain variable shows that the value at that location is not affected by the twenty-byte modifications For example, after in Round 1 in Figure 2, Byte G i is XORed with Byte G i, and after, we have four modified bytes Hi, i {, 2,, 1}, and twelve unchanged bytes: H 1, H 3, H 4, H 5, H 6, H 7, H 9, H 11, H 12, H 13, H 14, and H The δ Algorithm To decide the values of the twenty bytes: G i, M i, R i, V i and Z i, i {, 2,, 1}, we introduce an algorithm named δ For any plaintext P and any key K used in the AES algorithm, the δ algorithm accepts P and K as two inputs, and generates an output which contains twenty bytes {G i, M i, R i, V i, Z i }, where G i, M i, R i, V i, and Z i are bytes, i {, 2,, 1} The δ algorithm includes a number of steps: 1 Process the first five rounds of the AES algorithm by taking the plaintext P and the key K as the inputs, ie, start with the initial round, and process Round 1, 2, 3, 4 and 5 of the AES Therefore, we know all intermediate values in Figure 1, from initial round to Round 5 2 Initialize G i, M i, R i, V i and Z i to zero, i {, 2,, 1} 3 Choose G, G 2, G and G 1 freely The only requirement is that at least one of these four bytes is not equal to zero, namely, G, G 2, G and G 1 cannot be all zeros If G, G 2, G and G 1 are all zeros, the δ algorithm outputs twenty zero bytes Once G, G 2, G and G 1 are decided, the remaining 16 bytes will be computed by the procedures described in Section 311, Appendix A, Appendix B and Section Decide M, M 2, M and M 1 5 Decide R, R 2, R and R 1 6 Decide V, V 2, V and V 1 7 Decide Z, Z 2, Z and Z 1 Remark 1 There are combinations of {G, G 2, G, G 1 } because each byte can have 2 possible values 311 Deciding M, M 2, M and M 1 After we have decided the values of G, G 2, G and G 1, we carry out a four-round computation (of the AES with extra 12 XOR operations), called Routine Computation One, which starts with the initial round and ends with in Round 4 (see Figure 2) All intermediate values from the computation of this time are stored in array called Buffer One

5 A Five-Round Algebraic Property of the Advanced Encryption Standard 5 Initial Round Plaintext P P P 1 P 2 P 3 P 4 P 5 P 6 P 7 P P 9 P 1 P 11 P 15 P 12 P 13 P 14 A A 1 A 2 A 3 A 4 A 5 A 6 A 7 A A 12 A 9 A 13 A 1 A 14 A 11 A 15 Round 1 Round 2 Round 3 Round 4 Round 5 B B 1 B 2 B 3 H H 1 H 2 H 3 N N 1 N 2 N 3 S S 1 S 2 S 3 W W 1 W 2 W 3 B 4 B 5 B 6 B 7 H 4 H 5 H 6 H 7 N 4 N 5 N 6 N 7 S 4 S 5 S 6 S 7 B B 12 B 9 B 13 B 1 B 14 B 11 B 15 H H 12 H 9 H 13 H 1 H 14 H 11 H 15 N N 12 N 9 N 13 N 1 N 14 N 11 N 15 S S 9 S 1 S 11 S 12 S 13 S 14 S 15 W 4 W W 12 W 5 W 9 W 13 W 6 W 1 W 14 W 7 W 11 W 15 D D 1 D 2 D 3 J J 1 J 2 J 3 O O 1 O 2 O 3 T T 1 T 2 T 3 X X 1 X 2 X 3 D 4 D 5 D 6 D 7 J 4 J 5 J 6 J 7 O 4 O 5 O 6 O 7 T 4 T 5 T 6 T 7 X 4 X 5 X 6 X 7 D D 12 D 9 D 13 D 1 D 14 D 11 D 15 J J 9 J 1 J 11 J 12 J 13 J 14 J 15 O O 12 O 9 O 13 O 1 O 14 O 11 O 15 T T 9 T 1 T 11 T 12 T 13 T 14 T 15 X X 12 X 9 X 13 X 1 X 14 X 11 X 15 F F 1 F 2 F 3 L L 1 L 2 L 3 Q Q 1 Q 2 Q 3 U U 1 U 2 U 3 Y Y 1 Y 2 Y 3 F 4 F 5 F 6 F 7 L 4 L 5 L 6 L 7 Q 4 Q 5 Q 6 Q 7 U 4 U 5 U 6 U 7 Y 4 Y 5 Y 6 Y 7 F F 9 F 1 F 11 F 12 F 13 F 14 F 15 L L 9 L 1 L 11 L 15 L 12 L 13 L 14 Q Q 9 Q 1 Q 11 Q 15 Q 12 Q 13 Q 14 U U 9 U 1 U 11 U 15 Y Y 9 Y 1 Y 11 U 12 U 13 U 14 Y 12 Y 13 Y 14 Y 15 G G 1 G 2 G 3 M M 1 M 2 M 3 R R 1 R 2 R 3 V V 1 V 2 V 3 Z Z 1 Z 2 Z 3 G 4 G 5 G 6 G 7 G G 12 G 9 G 13 G 1 G 14 G 11 G 15 M 4 M M 12 M 5 M 9 M 13 M 6 M 1 M 14 M 7 M 11 M 15 R 4 R 5 R 6 R 7 V 4 V 5 V 6 V 7 Z 4 Z 5 Z 6 Z 7 R R 12 R 9 R 13 R 1 R 14 R 11 R 15 V V 9 V 1 V 11 V 12 V 13 V 14 V 15 Z Z 12 Z 9 Z 13 Z 1 Z 14 Z 11 Z 15 Round 6 b b 1 b 2 b 3 b 4 b 5 b 6 b 7 b b 9 b 1 b 11 b 12 b 13 b 14 b 15 d d 1 d 2 d 3 d 4 d 5 d 6 d 7 d d 9 d 1 d 11 d 12 d 13 d 14 d 15 f f 1 f 2 f 3 f 4 f 5 f 6 f 7 f f 9 f 1 f 11 f 12 f 13 f 14 f 15 g g 1 g 2 g 3 g 4 g 5 g 6 g 7 g g 9 g 1 g 11 g 12 g 13 g 14 g 15 Round 7 h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h h 9 h 1 h 11 h 12 h 13 h 14 h 15 j j 1 j 2 j 3 j 4 j 5 j 6 j 7 j j 9 j 1 j 11 j 12 j 13 j 14 j 15 l l 1 l 2 l 3 l 4 l 5 l 6 l 7 l l 9 l 1 l 11 l 12 l 13 l 14 l 15 m m 4 m 1 m 5 m 2 m 6 m 3 m 7 m m 12 m 9 m 13 m 1 m 14 m 11 m 15 Round Round 9 n n 1 n 2 n 3 s s 1 s 2 s 3 n 4 n 5 n 6 n 7 s 4 s 5 s 6 s 7 n n 9 n 1 n 11 s s 9 s 1 s 11 n 12 n 13 n 14 n 15 s 12 s 13 s 14 s 15 o o 1 o 2 o 3 t t 1 t 2 t 3 o 4 o 5 o 6 o 7 t 4 t 5 t 6 t 7 o o 9 o 1 o 11 t t 9 t 1 t 11 o 12 o 13 o 14 o 15 t 12 t 13 t 14 t 15 q q 1 q 2 q 3 u u 1 u 2 u 3 q 4 q 5 q 6 q 7 u 4 u 5 u 6 u 7 q q 9 q 1 q 11 u u 9 u 1 u 11 q 12 q 13 q 14 q 15 u 12 u 13 u 14 u 15 r r 1 r 2 r 3 v v 1 v 2 v 3 r 4 r 5 r 6 r 7 v 4 v 5 v 6 v 7 r r 9 r 1 r 11 v v 9 v 1 v 11 r 12 r 13 r 14 r 15 v 12 v 13 v 14 v 15 Round 1 w w 1 w 2 w 3 w 4 w 5 w 6 w 7 w w 12 w 9 w 13 w 1 w 14 w 11 w 15 x x 1 x 2 x 3 x 4 x 5 x 6 x 7 x x 9 x 1 x 11 x 12 x 13 x 14 x 15 z z 1 z 2 z 3 z 4 z 5 z 6 z 7 z z 9 z 1 z 11 z 12 z 13 z 14 z 15 Fig1 The Intermediate Values of AES-12

6 6 J Huang, J Seberry and W Susilo P P 4 P P 12 A A 4 A A 12 Initial Round Plaintext P P 1 P 2 P 5 P 6 P 9 P 13 P 1 P 14 A 1 A 2 A 5 A 9 A 13 A 6 A 1 A 14 P 3 P 7 P 11 P 15 A 3 A 7 A 11 A 15 B B 4 B B 12 D D 4 D D 12 F F 4 F F 12 G G 4 G G 12 G G 1 B 1 B 2 B 5 B 9 B 13 B 6 B 1 B 14 D 1 D 2 D 5 D 9 D 13 D 6 D 1 D 14 F 1 F 2 F 5 F 6 F 9 F 13 F 1 F 14 G 1 G 2 G 5 G 9 G 13 G 6 G 1 G 14 G 2 G 1 B 3 B 7 B 11 B 15 D 3 D 7 D 11 D 15 F 3 F 7 F 11 F 15 G 3 G 7 G 11 G 15 H H 4 H H 12 J J 4 J J 12 L L 4 L L 12 M M 4 M M 12 M M 2 H 1 H 2 H 5 H 9 H 13 H 6 H 1 H 14 J 1 J 2 J 5 J 6 J 9 J 13 J 1 J 14 L 1 L 2 L 5 L 6 L 9 L 13 L 1 L 14 M 1 M 2 M 5 M 9 M 13 M 6 M 1 M 14 M 2 M 1 H 3 H 7 H 11 H 15 J 3 J 7 J 11 J 15 L 3 L 7 L 11 L 15 M 3 M 7 M 11 M 15 N N 4 N N 12 O O 4 O O 12 Q Q 4 Q Q 12 R R 4 R R 12 R R 3 N 1 N 2 N 5 N 9 N 13 N 6 N 1 N 14 O 1 O 2 O 5 O 9 O 13 O 6 O 1 O 14 Q 1 Q 2 Q 5 Q 9 Q 13 Q 6 Q 1 Q 14 R 1 R 2 R 5 R 9 R 13 R 6 R 1 R 14 R 2 R 1 N 3 N 7 N 11 N 15 O 3 O 7 O 11 O 15 Q 3 Q 7 Q 11 Q 15 R 3 R 7 R 11 R 15 S S 4 S S 12 T T 4 T T 12 U U 4 U U 12 V V 4 V V 12 V V 4 S 1 S 2 S 5 S 6 S 9 S 13 S 1 S 14 T 1 T 2 T 5 T 6 T 9 T 13 T 1 T 14 U 1 U 2 U 5 U 6 U 9 U 13 U 1 U 14 V 1 V 2 V 5 V 6 V 9 V 13 V 1 V 14 V 2 V 1 S 3 S 7 S 11 S 15 T 3 T 7 T 11 T 15 U 3 U 7 U 11 U 15 V 3 V 7 V 11 V 15 W W 4 W W 12 X X 4 X X 12 Y Y 4 Y Y 12 Z Z 4 Z Z 12 Z Z 5 W 1 W 5 W 9 W 13 W 2 W 6 W 1 W 14 X 1 X 2 X 5 X 9 X 13 X 6 X 1 X 14 Y 1 Y 2 Y 5 Y 6 Y 9 Y 13 Y 1 Y 14 Z 1 Z 2 Z 5 Z 6 Z 9 Z 13 Z 1 Z 14 Z 2 Z 1 W 3 W 7 W 11 W 15 X 3 X 7 X 11 X 15 Y 3 Y 7 Y 11 Y 15 Z 3 Z 7 Z 11 Z 15 b b 4 b b 12 d d 4 d d 12 f f 4 f f 12 g g 4 g g 12 6 b 1 b 2 b 5 b 6 b 9 b 1 b 13 b 14 d 1 d 2 d 5 d 6 d 9 d 13 d 1 d 14 f 1 f 2 f 5 f 6 f 9 f 13 f 1 f 14 g 1 g 2 g 5 g 6 g 9 g 13 g 1 g 14 b 3 b 7 b 11 b 15 d 3 d 7 d 11 d 15 f 3 f 7 f 11 f 15 g 3 g 7 g 11 g 15 h h 4 h h 12 j j 4 j j 12 l l 4 l l 12 m m 4 m m 12 7 h 1 h 2 h 5 h 6 h 9 h 13 h 1 h 14 j 1 j 2 j 5 j 6 j 9 j 1 j 13 j 14 l 1 l 2 l 5 l 6 l 9 l 1 l 13 l 14 m 1 m 2 m 5 m 9 m 13 m 6 m 1 m 14 h 3 h 7 h 11 h 15 j 3 j 7 j 11 j 15 l 3 l 7 l 11 l 15 m 3 m 7 m 11 m 15 n n 4 n n 12 o o 4 o o 12 q q 4 q q 12 r r 4 r r 12 n 1 n 2 n 5 n 6 n 9 n 13 n 1 n 14 o 1 o 2 o 5 o 6 o 9 o 13 o 1 o 14 q 1 q 2 q 5 q 6 q 9 q 13 q 1 q 14 r 1 r 2 r 5 r 6 r 9 r 13 r 1 r 14 n 3 n 7 n 11 n 15 o 3 o 7 o 11 o 15 q 3 q 7 q 11 q 15 r 3 r 7 r 11 r 15 s s 4 s s 12 t t 4 t t 12 u u 4 u u 12 v v 4 v v 12 9 s 1 s 2 s 5 s 6 s 9 s 13 s 1 s 14 t 1 t 2 t 5 t 6 t 9 t 1 t 13 t 14 u 1 u 2 u 5 u 6 u 9 u 13 u 1 u 14 v 1 v 2 v 5 v 6 v 9 v 13 v 1 v 14 s 3 s 7 s 11 s 15 t 3 t 7 t 11 t 15 u 3 u 7 u 11 u 15 v 3 v 7 v 11 v 15 w w 4 w w 12 x x 4 x x 12 z z 4 z z 12 1 w 1 w 2 w 5 w 9 w 13 w 6 w 1 w 14 x 1 x 2 x 5 x 6 x 9 x 13 x 1 x 14 z 1 z 2 z 5 z 6 z 9 z 13 z 1 z 14 w 3 w 7 w 11 w 15 x 3 x 7 x 11 x 15 z 3 z 7 z 11 z 15 Fig2 The Intermediate Values of AES-12 with Extra 2 XOR Operations

7 A Five-Round Algebraic Property of the Advanced Encryption Standard 7 (note that Routine Computation One produces 19 intermediate values) Routine Computation One Initial round : Round 1 : Round 2 : Round 3 : Round 4 : We denote the input and output of in Round 4 by T T4 T T 12 T1 T5 T9 T 13 T2 T6 T1 T14 U U4 U U 12 U1 U5 U9 U 13 U2 U6 U1 U14 T 3 T 7 T 11 T 15 U 3 U 7 U 11 U 15 Next, we will show that there is an algebraic relation between Bytes {M, M 2, M, M 1 } and Bytes {U 4, U 6, U 12, U 14 } Based on this relationship, we can change the values of {U4, U 6, U 12, U 14 } to the values of {U 4, U 6, U 12, U 14 } by setting the values of {M, M 2, M, M 1} After we have decided the values of {M, M 2, M, M 1 }, we aim to have an intermediate value after in Round 4 in the format of U U 4 U U 12 U1 U5 U9 U 13 U2 U 6 U1 U 14 U 3 U 7 U 11 U 15 The steps of deciding {M, M 2, M, M 1 } are listed as follows: {M, M 2, M, M 1} {N, N 2, N, N 1} {O, O 2, O, O 1} {Q 1, Q 3, Q 9, Q 11} {R 1, R 3, R 9, R 11} {S 1, S 3, S 9, S 11} {T 5, T 7, T 13, T 15} {U 4, U 6, U 12, U 14} After we change the values of {U 4, U 6, U 12, U 14 } to the values of {U 4, U 6, U 12, U 14 }, the input and output of in Round 4 become T T4 T T 12 T1 T5 T9 T 13 T2 T6 T1 T14 U U 4 U U 12 U1 U5 U9 U 13 U2 U 6 U1 U 14 T 3 T 7 T 11 T 15 U 3 U 7 U 11 U 15 Our next target is to modify the values of {T 5, T 7, T 13, T 15 } according to the values of {U 4, U 6, U 12, U 14 } From the transformation, we have the following

8 J Huang, J Seberry and W Susilo formula: U U 4 U U T T4 T T 12 U1 U5 U9 U T1 T5 T9 T 13 = U2 U 6 U1 U T2 T6 T1 T 14 U3 U7 U11 U T3 T7 T11 T15 To find out the values of {T5, T 7, T 13, T 15 }, we need to solve the following two groups of linear functions, which are marked by (1) and (2) T 4 T = U 4 T 6 T7 T 4 T = U 6 T 6 T 7 (1) T 12 T = U T14 12 T 15 T 12 T = U 14 T 14 T15 (2) In (1), there are two linear equations with two undecided variables T5 and T 7, and thus we can solve (1) to obtain the values of T5 and T 7 Similarly, there are two linear equations in (2) with two undecided variables T13 and T15, and therefore we can solve (2) to get the values of T13 and T 15 After having T 5, T 7, T13 and T 15, perform 1 (inverse ShiftRows) and 1 (inverse SubBytes), and we have the values of R1, R3, R9 and after in Round 3 Apply the transformation to R1, R3, R9 and R11, and we have the values of Q 1, Q 3, Q 9 and Q 11 Our next task is to modify the values of O, O 2, O and O 1 In Round 3, the input and output of are as follows: Q Q 4 Q Q O O 4 O O 12 Q 1 Q 5 Q 9 Q O 1 O5 O 9 O 13 = Q 2 Q 6 Q 1 Q O2 O 6 O1 O 14 Q 3 Q 7 Q 11 Q O 3 O7 O 11 O15 We can form two groups of linear equations, which are named (3) and (4), and solve them to decide O, O 2, O and O 1 There are two linear equations in (3) with two undetermined variables O and O 2, and we can solve them to determine the values of O and O2 Also, there are two linear equations in (4) with two undecided variables O and O 1, and we can get O and O 1 by solving (4)

9 A Five-Round Algebraic Property of the Advanced Encryption Standard 9 O O = Q O 1 2 O 3 O O = Q O2 3 O 3 (3) O O = Q O 9 1 O 11 O O = Q O 11 1 O 11 Once knowing the values of O, O 2, O and O 1, we perform 1 and thus we get Bytes N, N 2, N and N 1 after in Round 3 Finally, Bytes M, M 2, M and M 1 are decided by the following computations (note that M, M2, M and M1 are obtained from Buffer One): M = M 1 (N ), M 2 = M 2 1 (N 2 ), M = M 1 (N ), M 1 = M 1 1 (N 1) At this stage, we have decided the values of {G i, M i }, and {R i, V i, Z i } are not yet decided (note: they are still initialized to zero), i {, 2,, 1} The process of deciding R, R 2, R and R 1 and the routine of finding V, V 2, V and V 1 are similar to the steps of determining M, M 2, M and M 1, and they are described in Appendix A and Appendix B respectively 312 Deciding Z, Z 2, Z and Z 1 Perform Routine Computation Two second time, and the intermediate value after in Round 5 is Y Y 4 Y Y 12 Y 1 Y 5 Y 9 Y 13 Y2 Y 6 Y1 Y 14 Y 3 Y 7 Y 11 Y 15 Apply to the intermediate value above, we have Z Z 4 Z Z 12 Z 1 Z 5 Z 9 Z 13 Z2 Z 6 Z1 Z 14 Z 3 Z 7 Z 11 Z 15 Bytes Z, Z 2, Z and Z 1 are computed as follows: (note that Z, Z 2, Z and Z 1 are obtained from the computation in which the AES algorithm is used to encrypt the plaintext P under the key K (see Round 5 in Figure 1)): Z = Z Z, Z 2 = Z 2 Z 2, (4)

10 1 J Huang, J Seberry and W Susilo Z = Z Z, Z 1 = Z 1 Z1 Finally, we have decided all values of {G i, M i, R i, V i, Z i }, i {, 2,, 1} Now, we carry out a five-round computation of the AES with extra 2 XOR operations, called Routine Computation Three, by using Bytes G, G 2, G, G 1, M, M 2, M, M 1, R, R 2, R, R 1, V, V 2, V, V 1, Z, Z 2, Z, and Z 1, and we will get the same input to Round 6 as the AES algorithm Routine Computation Three Initial round : Round 1 : Round 2 : Round 3 : Round 4 : Round 5 : Remark 2 The most important part of the δ algorithm is solving those eight groups of linear equations: (1), (2), (3), (4), (5), (6), (7) and () There is one question needs to be answered The question is: are these eight groups of linear equations independent? The answer to this question is choosing different values of Bytes G, G 2, G, G 1 if we face such situations Among the twenty bytes: G, G 2, G, G 1, M, M 2, M, M 1, R, R 2, R, R 1, V, V 2, V, V 1, Z, Z 2, Z, and Z 1, we can select the values of G, G 2, G and G 1 freely As we showed in Remark 1, there are combinations of these four bytes, and correspondingly, we can have intermediate values in Figure 2, starting with in Round 2 and ending with in Round 1 If we meet any dependent equations, we can overcome this problem by choosing different values of Bytes G, G 2, G and G 1 Therefore, this question will not cause any trouble So far, we have not met any dependent equations in our large-sample experiments Remark 3 From Remark 1, we note that there is more than one combination of the twenty output bytes of Algorithm δ for a given pair of (P, K) Remark 4 For distinct plaintext and cipher key pairs (P, K), Algorithm δ needs to perform individual computations to decide the values of the twenty bytes 32 Variants of Algorithm δ We show that there are other variants of the δ algorithm In section 31, the locations of the twenty bytes are {, 2,, 1}, and there are three other combinations, which are {4, 6, 12, 14}, {1, 3, 9, 11} and {5, 7, 13, 15} In Figure 2, {G i, M i, R i, V i, Z i } operate in Round {1, 2, 3, 4, 5}, and they can also operate in

11 A Five-Round Algebraic Property of the Advanced Encryption Standard 11 Round {2, 3, 4, 5, 6}, {3, 4, 5, 6, 7}, {4, 5, 6, 7, }, or Round {5, 6, 7,, 9} Therefore, there are 4 different combinations for the byte locations, and there are 5 different combinations for the round numbers in AES-12 In total, there are 2 (= 4 5) variants of the δ algorithm for AES-12 The δ algorithm has 2 (= 4 7) variants for AES-192, and 36 (= 4 9) variants for AES The Modified Version of the AES: δaes By employing the δ algorithm, we propose a modified version of the AES, which is named δaes The major difference between the AES and the δaes is that the δaes uses modified AES round keys In Figure 2 in Section 3, we apply 2 extra XOR operations to the intermediate values after in Round 1, 2, 3, 4 and 5 by using Bytes {G i, M i, R i, V i, Z i }, i {, 2,, 1} The construction of the δaes comes from the fact that we can use Bytes {G i, M i, R i, V i, Z i } to XOR with AES Round Key 1, 2, 3, 4 and 5 (instead of with the intermediate values after ), and we still get the same result, i {, 2,, 1} There are twentybyte differences between the AES round keys and the δaes round keys The δaes employs the same key scheduling algorithm, constants and round function (ie, SubBytes, ShiftRows, MixColumns and AddRoundKey) as the AES The construction of the δaes is adding two procedures, which are calling the δ algorithm and modifying the AES round keys, to the AES algorithm 1 Suppose for a plaintext P and a cipher key K, the AES algorithm produces a ciphertext C, written as C = AES K (P) 2 By accepting P and K as two inputs, use the δ algorithm to generate twenty output bytes: {G i, M i, R i, V i, Z i }, i {, 2,, 1}1 3 Apply the AES key scheduling algorithm to K and get the round keys 4 Use {G i, M i, R i, V i, Z i } to XOR with the corresponding AES round keys and get the round keys for the δaes, i {, 2,, 1} 5 After carrying out the transformations above, the δaes uses the same round function (ie, SubBytes, ShiftRows, MixColumns and AddRoundKey) to process the plaintext P with modified AES round keys, and finally the δaes also generates the same ciphertext C, denoted by C = δaes K (P) Compared with the AES algorithm, the δaes needs to do some extra transformations, ie, calling the δ algorithm and modifying the AES round keys Moreover, for distinct plaintext and cipher key pairs (P, K), the δaes needs to carry out individual computations to get Bytes {G i, M i, R i, V i, Z i }, {, 2,, 1} 1 For simplicity, we use only one variant of the δ algorithm here Other variants of the δ algorithm also work

12 12 J Huang, J Seberry and W Susilo 5 Conclusions We described a five-round algebraic property of the AES algorithm In the presented property, we modify twenty bytes from five intermediate values at some fixed locations in five consecutive rounds by carrying out twenty extra XOR operations, and we show that after five rounds of processing, such modifications do not change the intermediate result and finally still produce the same ciphertext We defined an algorithm named δ, and the δ algorithm takes a plaintext and a cipher key as two inputs and outputs twenty bytes, which are used in the five-round property By employing the δ algorithm, we proposed a modified version of the AES algorithm, the δaes The δaes uses the δ algorithm to generate twenty output bytes, which are used to modify the AES round keys For a plaintext and a key, the AES and the δaes produce the same ciphertext References 1 Daemen, J, Rijmen, V: AES Proposal: Rijndael, AES Round 1 Technical Evaluation CD-1: Documentation, National Institute of Standards and Technology (199) 2 Biham, E, Shamir, A: Differential Cryptanalysis of the Data Encryption Standard Springer, Heidelberg (1993) 3 Matsui, M: Linear Cryptoanalysis Method for DES Cipher In: Advances in Cryptology - EUROCRYPT 1993, LNCS, vol 765, pp Springer, Heidelberg (1994) 4 NIST: Federal Information Processing Standards (FIPS) 197: Advanced Encryption Standard (AES) National Institute of Standards and Technology (26 November 21) 5 Murphy, S, Robshaw, M: Essential Algebraic Structure within the AES In: Advances in Cryptology - CRYPTO 22, LNCS, vol 2442, pp 1-16 Springer, Heidelberg (22) 6 Courtois, N, Klimov, A, Patarin, J, Shamir, A: Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations In: Advances in Cryptology - EUROCRYPT 2, LNCS, vol 17, pp Springer, Heidelberg (2) 7 Courtois, N, Pieprzyk, J: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations In: Advances in Cryptology - ASIACRYPT 22, LNCS, vol 251, pp Springer, Heidelberg (22) Barkan, E, Biham, E: In How Many Ways Can You Write Rijndael? In: Advances in Cryptology - ASIACRYPT 22, LNCS, vol 251, pp Springer, Heidelberg (22) 9 Gilbert, H, Minier, M: A Collision Attack on 7 Rounds of Rijndael In: The Third Advanced Encryption Standard Candidate Conference, pp (2) 1 Daemen, J, Knudsen, L, Rijmen, V: The Block Cipher Square In: Fast Software Encryption 1997, LNCS, vol 1267, pp Springer, Heidelberg (1997) 11 Ferguson, N, Kelsey, J, Lucks, S, Schneier, B, Stay, M, Wagner, D, Whiting, D: Improved Cryptanalysis of Rijndael In: Fast Software Encryption 2, LNCS, vol 197, pp Springer, Heidelberg (21)

13 A Five-Round Algebraic Property of the Advanced Encryption Standard Lucks, S: Attacking Seven Rounds of Rijndael under 192-bit and 256-bit Keys In: The Third Advanced Encryption Standard Candidate Conference, pp (2) 13 Akkar, ML, Giraud, C: An Implementation of DES and AES, Secure against Some Attacks In: Cryptographic Hardware and Embedded Systems 21, LNCS, vol 2162, pp Springer, Heidelberg (21) 14 Golic, J, Tymen, C: Multiplicative Masking and Power Analysis of AES In: Cryptographic Hardware and Embedded Systems 22, LNCS, vol 2523, pp Springer, Heidelberg (23) 15 Biryukov, A: The Design of a Stream Cipher LEX In: Selected Areas in Cryptography 26, LNCS, vol 4356, pp Springer, Heidelberg (26) 16 Daemen, J, Rijmen, V: A New MAC Construction ALRED and a Specific Instance ALPHA-MAC In: Fast Software Encryption 25, LNCS, vol 3557, pp 1-17 Springer, Heidelberg (25) A Deciding R, R 2, R and R 1 Perform Routine Computation One second time, and all intermediate values from the computation of this time are stored in an array called Buffer Two The intermediate value after in Round 4 is U U 4 U U 12 U1 U5 U9 U 13 U2 U 6 U1 U 14 U 3 U 7 U 11 U 15 We will demonstrate that there is an algebraic relation between Bytes {R, R 2, R, R 1 } and Bytes {U 1, U 3, U 9, U 11 } By employing this relationship, we are able to change the values of {U1, U 3, U 9, U 11 } to the values of {U 1, U 3, U 9, U 11 } by choosing the values of {R, R 2, R, R 1} The moves of determining the values of {R, R 2, R, R 1 } are shown below: {R, R 2, R, R 1} {S, S 2, S, S 1} {T, T 2, T, T 1} {U 1, U 3, U 9, U 11} After we replace the values of {U 1, U 3, U 9, U 11 } with the values of {U 1, U 3, U 9, U 11 }, the input and output of in Round 4 are T T4 T T 12 T1 T5 T9 T 13 T2 T6 T1 T14 U U 4 U U 12 U 1 U5 U 9 U 13 U2 U 6 U1 U 14 T 3 T 7 T 11 T 15 U 3 U 7 U 11 U 15 We need to modify the values of {T, T2, T, T1} according to the values of {U 1, U 3, U 9, U 11 } We can form two groups of linear equations, which are named (5) and (6) There are two undecided variables T and T 2 in (5), and we can solve (5) to get the values of T and T2 In (6), there are two undetermined variables T and T 1, and we can find out the values of T and T 1 by solving (6)

14 14 J Huang, J Seberry and W Susilo T T = U 1 T 2 T 3 T T = U T2 3 T 3 (5) T T = U 9 T 1 T11 T T = U 11 T 1 T11 (6) After knowing the values of {T, T 2, T, T 1 }, we perform 1 and have four corresponding values {S, S2, S, S1} after in Round 4 Bytes R, R 2, R and R 1 are computed as follows: (note that R, R 2, R and R 1 are obtained from Buffer Two): R = R 1 (S ), R 2 = R 2 1 (S2 ), R = R 1 (S), R 1 = R1 1 (S1) At this moment, we have decided the values of {G i, M i, R i }, and {V i, Z i } are not determined and they are still equal to their initial values, i {, 2,, 1} B Deciding V, V 2, V and V 1 After having the values of R, R 2, R and R 1, we carry out a five-round computation of the AES with 16 extra XOR operations, called Routine Computation Two, which begins with the initial round and ends with in Round 5 (See Figure 2) All intermediate values from the computation of this time are stored in an array named Buffer Three (note that Routine Computation Two generates 24 intermediate values) Routine Computation Two Initial round : Round 1 : Round 2 : Round 3 : Round 4 : Round 5 :

15 A Five-Round Algebraic Property of the Advanced Encryption Standard 15 After in Round 5, we will have an intermediate value in the following format: Y Y 4 Y Y 12 Y1 Y 5 Y9 Y 13 Y2 Y 6 Y1 Y 14 Y 3 Y 7 Y 11 Y 15 There is an algebraic relation between Bytes {V, V 2, V, V 1 } and Bytes {Y1, Y3, Y9, Y11}, and we can change the values of {Y1, Y3, Y9, Y11} to the values of {Y 1, Y 3, Y 9, Y 11 } by setting the values of {V, V 2, V, V 1} The steps of determining the values of {V, V 2, V, V 1 } are shown below: {V, V 2, V, V 1} {W, W 2, W, W 1} {X, X 2,X, X 1} {Y 1, Y 3, Y 9, Y 11} We replace Bytes {Y1, Y3, Y9, Y11} with Bytes {Y 1, Y 3, Y 9, Y 11 }, and the input and output of in Round 5 are X X 4 X X 12 Y Y 4 Y Y 12 X1 X 5 X9 X 13 Y 1 Y 5 Y 9 Y 13 X2 X 6 X1 X 14 Y2 Y 6 Y1 Y 14 X 3 X 7 X 11 X 15 Y 3 Y 7 Y 11 Y 15 We form two groups of linear functions, marked by (7) and () There are two undecided variables X and X 2 in (7), and we can solve (7) to get the values of X and X 2 In (), there are two undecided variables X and X 1, and we can obtain the values of X and X1 by solving () X X = Y X2 1 X 3 X X = Y 3 X 2 X3 (7) X X = Y 9 X 1 X 11 X X = Y X1 11 X 11 After deciding the values of {X, X2, X, X1}, we perform 1 and have four corresponding values {W, W 2, W, W 1 } after in Round 5 Bytes V, V 2, V and V 1 are computed as follows: (note that V, V 2, V and V 1 are obtained from Buffer Three): V = V 1 (W ), V 2 = V 2 1 (W 2 ), V = V 1 (W ), V 1 = V 1 1 (W1 ) At this stage, we have decided the values of {G i, M i, R i, V i }, and Z i determined and it is equal to the initial value, i {, 2,, 1} () is not