From: Tom St Denis on 29 Jan 2010 13:21

Just skimmed over a paper that suggests that the last round of AES should include the MixColumns step because it adds security under a differential attack [see http://eprint.iacr.org/2010/041 ].

What I don't get is MixColumns is totally irrelevant to differential attacks as it is linear. One could take the XOR difference of two blocks and run it through the InvMixColumn transform and it'd be just like you never had the function and you don't need to know the round key or text values [just their difference].

So suppose you had added on another MC in the last round, an attacker would have to just transform it back to see what the difference was after the final SubBytes layer.

???

Tom
From: J.D. on 29 Jan 2010 15:11

On Jan 29, 1:21 pm, Tom St Denis <t...(a)iahu.ca> wrote:
> Just skimmed over a paper that suggests that the last round of AES
> should include the MixColumns step because it adds security under a
> differential attack [see http://eprint.iacr.org/2010/041 ].
>
> What I don't get is MixColumns is totally irrelevant to differential
> attacks as it is linear. One could take the XOR difference of two
> blocks and run it through the InvMixColumn transform and it'd be just
> like you never had the function and you don't need to know the round
> key or text values [just their difference].
>
> So suppose you had added on another MC in the last round, an attacker
> would have to just transform it back to see what the difference was
> after the final SubBytes layer.
>
> ???
>
> Tom

Read the paper more closely:

"However, we show in this letter that the omission of MixColumns is not innocent, since the altering of the last round key affects the security with respect to attacks which exploit relations between the subkeys. Indeed, the key schedule of AES is relatively simple, and the knowledge of two (specific) bytes in a round subkey allows an adversary to deduce the value of another byte in the previous round subkey. Such deduction is problematic when the last round key k_r is replaced by MC^-1(k_r), since then the basic relations between the two last round subkeys involve at least six bytes. As a result, the time complexity of attacks based on guessing subkey material in the last two rounds may increase when the last MixColumns exists." (pg 2-3)
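Both points in the exchange above can be checked with a few lines of code. The block below is an added example, not code from the thread or from the cited paper: it is a minimal AES-128 MixColumns and key schedule written for this page (the S-box is computed rather than tabulated), and every state and key in it is a constructed sample value. `difference_passes_through_mc` shows Tom's point that an XOR difference goes straight through MixColumns because the layer is GF(2)-linear, and `two_byte_relation_holds` shows the key-schedule relation the paper relies on: for word index i with i mod 4 != 0, w[i] = w[i-4] XOR w[i-1], so one byte of round key r-1 follows from two bytes of round key r. `demo` then stores the last subkey as InvMixColumns(k10), the variant the paper discusses, and shows that the two-byte relation no longer holds against that stored value.

```python
"""Added example (not from the thread or the paper): minimal AES-128
MixColumns and key schedule, used to check the claims discussed above."""

def xtime(b):
    """Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

# First rows of the circulant MixColumns and InvMixColumns matrices.
MC_ROW, INV_MC_ROW = (2, 3, 1, 1), (14, 11, 13, 9)

def mix_columns(state, row=MC_ROW):
    """Apply the circulant matrix with first row `row` to each 4-byte column
    of a 16-byte column-major state."""
    out = bytearray(16)
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            for j in range(4):
                out[4 * c + r] ^= gmul(row[(j - r) % 4], col[j])
    return bytes(out)

def inv_mix_columns(state):
    return mix_columns(state, INV_MC_ROW)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def difference_passes_through_mc(a, b):
    """Tom's point: MixColumns is GF(2)-linear, so the XOR difference of two
    MixColumns outputs is MixColumns of the input difference, and
    InvMixColumns recovers that difference without either value or any key."""
    return inv_mix_columns(xor(mix_columns(a), mix_columns(b))) == xor(a, b)

def _ginv(x):
    """Multiplicative inverse in GF(2^8) computed as x^254 (0 maps to 0)."""
    r = 1
    for _ in range(254):
        r = gmul(r, x)
    return r

def _affine(b):
    """The S-box affine map: XOR of four rotations of b, plus 0x63."""
    s = b
    for k in range(1, 5):
        s ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = bytes(_affine(_ginv(x)) for x in range(256))  # AES S-box, computed

def expand_key(key):
    """AES-128 key schedule (FIPS-197): 44 words; w[4r:4r+4] is round key r."""
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = xtime(rcon)
        w.append(xor(w[i - 4], t))  # for i % 4 != 0: w[i] = w[i-4] ^ w[i-1]
    return w

def round_key(w, r):
    return b"".join(w[4 * r:4 * r + 4])

def two_byte_relation_holds(k_r, k_prev):
    """The paper's observation (quoted by J.D.): for columns c = 1..3, byte j
    of column c of round key r-1 is the XOR of byte j of columns c and c-1 of
    round key r, so two bytes of one subkey give a byte of the previous one."""
    return all(k_prev[4 * c + j] == k_r[4 * c + j] ^ k_r[4 * (c - 1) + j]
               for c in range(1, 4) for j in range(4))

def demo(key=bytes(range(16))):  # constructed sample key
    w = expand_key(key)
    k9, k10 = round_key(w, 9), round_key(w, 10)
    # Variant from the paper: keep MixColumns in the last round and fold it
    # into the stored last subkey, k10' = InvMixColumns(k10).
    k10_stored = inv_mix_columns(k10)
    return (two_byte_relation_holds(k10, k9),
            two_byte_relation_holds(k10_stored, k9))
```

`demo()` returns `(True, False)`: against the plain last subkey the two-byte relation holds everywhere, but once the stored value is InvMixColumns(k10), every stored byte depends on all four bytes of its column, so relating it to round key 9 requires whole columns rather than byte pairs, which is the effect the quoted passage describes. The differential observation is untouched by either variant, as `difference_passes_through_mc` shows for any pair of states.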
From: adacrypt on 2 Feb 2010 07:38

On Jan 29, 6:21 pm, Tom St Denis <t...(a)iahu.ca> wrote:
> Just skimmed over a paper that suggests that the last round of AES
> should include the MixColumns step because it adds security under a
> differential attack [see http://eprint.iacr.org/2010/041 ].
>
> What I don't get is MixColumns is totally irrelevant to differential
> attacks as it is linear. One could take the XOR difference of two
> blocks and run it through the InvMixColumn transform and it'd be just
> like you never had the function and you don't need to know the round
> key or text values [just their difference].
>
> So suppose you had added on another MC in the last round, an attacker
> would have to just transform it back to see what the difference was
> after the final SubBytes layer.
>
> ???
>
> Tom

Incredible the way Bull propagates Bull - adacrypt
From: J.D. on 2 Feb 2010 14:16

> Incredible the way Bull propagates Bull - adacrypt

Stop posting.