On the Presence of Cascading Effect in the Key Expansion Mechanism of Rijndael-The AES

: Rijndael-The AES is 128-bit block cipher based on an elegant algebraic structure over F 28 . This cipher employs a simple approach to its substitution, permutation (SP) operations. We take a close look on the Key Expansion Mechanism of Rijndael - The AES. This study highlights on the presence of the cascading effect in its key expansion mechanism. Thus, lowering the brute-force key guess attack by a factor of 2 31 . Hence, for the key size of 128 bits the key diversity is 2 97 instead of 2 128 .


INTRODUCTION
Rijndael Algorithm [1][2][3] was designed by two Belgian cryptographers: Vincent Rijmen and John Daemen, as one of the candidates for the Advanced Encryption Standard (AES) selection. The AES committee was formulated by the U.S. Government under the umbrella of National Institute of Standards and Technology (NIST) to find another cryptographic algorithm in order to replace the existing 64-bit block cipher of 1977 -the Data Encryption Standards (DES) to protect sensitive digital information over the next few decades.
After a stringent qualifying process of three rounds involving the whole world's cryptographic community [4][5][6] , Rijndael algorithm was proposed by the AES committee as Advanced Encryption Standard -The AES on Nov. 26 Rijndael possesses an elegant algebraic structure over 8 2 F [6,[7][8][9] . It supports a variable block size and variable key size of 128, 160, 192, 224 or 256 bits each. But for the AES, its block size is fixed to 128-bits and keeping the variable key size of 128, 192 and 256 bits. It has 10, 12 or 14 iterations of round transformations depending on the key size of 128, 192 or 256 bits respectively in conjunction with an initial round of key addition. Each (except the last) round transformation function is composed of the four sub transformation functions: Byte Substitution or bs, Row Shift or rs, Mix Column or mc and Add Round Key or ak. The last round transformation does not include the mc function.
In this study we present an analysis of the block cipher Rijndael while concentrating on its 128-bit version. This cipher employs a simple approach to its substitution, permutation (SP) operations. We take a close look on its Key Expansion Mechanism; highlighting on the presence of the repeated pattern in the expanded key bytes in a peculiar manner, which we name as the cascading effect. Due to the presence of this pattern in the key expansion mechanism, the bruteforce key guess attack on Rijndael key schedule is lowered by a factor of 2 31 . Hence, the key size of 128 bits has a key diversity of 2 97 instead of 2 128 .

Notations:
We fix the block size and key size to 128 bits. We consider the 10 round version. We use the following notations. Let for all round index i 0, ,10 = ⋅⋅⋅ and byte index j 0, ,15 = ⋅⋅⋅ : i j X : j th text byte of i-th round (in particular, X j 0 is the initial input plain text byte and is fixed) 11 j X : j th cipher text byte. We also adopt the standard practice of treating the elements of 8 2 F as integers in the range 0, … , 255.

bs, using S-box, transforms the individual byte a(x) to bs(a(x)).
Mathematically, ii. Rc(a(x)) is another round dependent byte oriented constant function defined over F 2 8 . POW(a(x)) contains powers of a(x) in the field. Then x x x 1 + + + equivalently base 16 63 .
Thus, the byte substitution operation transforms a byte a(x) to bs(a(x)) as per the following relation. Let    Modified key expansion mechanism of rijndael: As the functions bs(.) and Rcon(.) transformations inherently operate on individual bytes of every input word, thus, a modified byte oriented version for key expansion algorithm can be derived. Therefore, for the present study with key size and block size of 128 bits and 10 cipher rounds, a total of 176 [= 4*(N b *(N r + 1))] bytes from the 16 bytes (=128 bits) of the user defined key k n with n = {0,…,15} are to be expanded.
In order to guess the keys used for encrypting the data we take a close look at the key expansion mechanism of Rijndael and try to derive some relationship between expanded key values and the initial key values that are stored in K 0 j . The following are our observations for the first round of expanded key values: Let in 0   j  0  1  2  3  12  13  14  15 K : k , k , k , k , k , k , k , k ; the mentioned eight key bytes are assumed to be known. Hence, K 1 j the first round keys can be obtained as per the following relations: K K K K bs K Rc 1