Variants of the AES Key Schedule for Better Truncated Differential Bounds

  • Patrick Derbez
  • Pierre-Alain Fouque
  • Jérémy Jean
  • Baptiste Lambin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11349)


Differential attacks are one of the main ways to attack block ciphers, so the security of a given block cipher against them must be evaluated. One way to do so is to determine the minimal number of active S-boxes and combine this number with the maximal differential probability of the S-box to obtain the minimal probability of any differential characteristic. Thus, when designing a new block cipher, one should try to maximize the minimal number of active S-boxes. The related-key security model has also become important, so the security of block ciphers needs to be studied in this model as well.

In this work, we investigate how one could design a key schedule that maximizes the number of active S-boxes in the related-key model. However, we also want this key schedule to be efficient, and therefore choose to consider only permutations. Our target is AES, and along with a few generic results about the best reachable bounds, we found a permutation to replace the original key schedule that reaches a minimal number of active S-boxes of 20 over 6 rounds, while no differential characteristic with a probability larger than \(2^{-128}\) exists. We also describe an algorithm which helped us to show that there is no permutation that can reach 18 or more active S-boxes in 5 rounds. Finally, we give several pairs \((P_s, P_k)\), replacing respectively the ShiftRows operation and the key schedule of the AES, reaching a minimum of 21 active S-boxes over 6 rounds, while again no differential characteristic with a probability larger than \(2^{-128}\) exists.
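To make the bounding argument in the abstract concrete: the AES S-box has maximal differential probability \(2^{-6}\), so \(n\) active S-boxes bound any single characteristic by \(2^{-6n}\); the 20 active S-boxes quoted above therefore give only \(2^{-120}\) on their own, and the stated \(2^{-128}\) bound is a stronger statement than the count alone implies. The Python below is an added example, not the paper's code: it derives the S-box from its GF(2^8) definition, computes the maximal differential probability from the difference distribution table, and turns an active-S-box count into the bound.

```python
# Added example, not from the paper: derive the AES S-box's maximal differential
# probability from its DDT and turn an active-S-box count into the probability
# bound on differential characteristics that the abstract relies on.
from math import log2


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def aes_sbox() -> list:
    """Build the AES S-box: inverse in GF(2^8), then the fixed affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            inv[x] = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
            inv[inv[x]] = x
    box = []
    for x in range(256):
        b = inv[x]
        s = b  # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


def max_differential_probability(sbox: list) -> float:
    """Largest DDT entry over non-zero input differences, divided by 256."""
    best = 0
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best / 256


def characteristic_bound_log2(active_sboxes: int, max_dp: float) -> float:
    """log2 of the upper bound on any single differential characteristic:
    each active S-box contributes at most max_dp, so the bound is max_dp**n."""
    return active_sboxes * log2(max_dp)
```

Running the functions shows that 20 active S-boxes give a bound of \(2^{-120}\), while 22 are needed before the count alone pushes the bound below \(2^{-128}\).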


Keywords: AES, Key schedule, Related-key, Truncated differential


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Patrick Derbez (1)
  • Pierre-Alain Fouque (1)
  • Jérémy Jean (2)
  • Baptiste Lambin (1)
  1. Univ Rennes, CNRS, IRISA, Rennes, France
  2. ANSSI, Paris, France
