Đang tải... (xem toàn văn)
This paper presents a method to improve the key schedule of Rijndael 128-bit for the purpose of making it more resistance to the related-key differential and boomerang attacks. In this study, two statistical tests, namely the Frequency test and the Strict Avalanche Criterion test were employed to respectively evaluate the properties of bit confusion and bit diffusion
Journal of ICT, 17, No (July) 2018, pp: 409–434 How to cite this paper: Hussien, H M., Muda, Z., & S., Yasin, S M (2018) New key expansion function of Rijndael 128-bit resistance to the related-key attacks Journal of Information and Communication Technology, 19 (3), 409-434 NEW KEY EXPANSION FUNCTION OF RIJNDAEL 128-BIT RESISTANCE TO THE RELATED-KEY ATTACKS Hassan Mansur Hussien, Zaiton Muda & Sharifah Md Yasin Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Malaysia hassanalobady@gmail.com; zaitonm@upm.edu.my: ifah@upm.edu.my ABSTRACT A master key of special length is manipulated based on the key schedule to create round sub-keys in most block ciphers A strong key schedule is described as a cipher that will be more resistant to various forms of attacks, especially in related-key model attacks Rijndael is the most common block cipher, and it was adopted by the National Institute of Standards and Technology, USA in 2001 as an Advance Encryption Standard However, a few studies on cryptanalysis revealed that a security weakness of Rijndael refers to its vulnerability to related-key differential attack as well as the related-key boomerang attack, which is mainly caused by the lack of nonlinearity in the key schedule of Rijndael In relation to this, constructing a key schedule that is both efficient and provably secure has been an ongoing open problem Hence, this paper presents a method to improve the key schedule of Rijndael 128-bit for the purpose of making it more resistance to the related-key differential and boomerang attacks In this study, two statistical tests, namely the Frequency test and the Strict Avalanche Criterion test were employed to respectively evaluate the properties of bit confusion and bit diffusion The results showed that the proposed key expansion function has excellent statistical properties and agrees with the concept of Shannon’s diffusion and confusion bits Meanwhile, the Mixed Received: 19 November 2017 Accepted: 10 April 2018 409 Published: 12 June 2018 Journal of ICT, 17, No (July) 2018, pp: 409–434 Integer Linear Programming based approach was adopted to evaluate the resistance of the proposed approach towards the related-key differential and boomerang attacks The proposed approach was also found to be resistant against the two attacks discovered in the original Rijndael Overall, these results proved that the proposed approach is able to perform better compared to the original Rijndael key expansion function and that of the previous research Keywords: Jey expansion function, related-key attacks, Rijndael Cipher, Mixed Integer Linear Programming, active s-boxes INTRODUCTION A secret key block cipher is crucial in primitive cryptography Generally, one fundamental motivation behind the use of a block cipher is to protect the information that are transmitted in insecure communication environments On top of that, block ciphers are applied as a component in different security domains, which probably requires the construction of other secret key cryptographic primitives such as cryptographic pseudorandom number generators, message authentication codes, and hash functions Nowadays, Rijndael has become the most common block cipher that is used as a standard for symmetric encryption in many countries (Lu, 2015) Moreover, it has also been extensively applied as a significant symmetric block cipher algorithm in the computer security field The Rijndael algorithm encryption was adopted as an Advanced Encryption Standard (AES) in 2001 by the National Institute of Standards and Technology (NIST) (Daemen & Rijmen, 2013) As a result, it promotes the vast adoption of Rijndael for commercial and governmental purposes by focusing on both hardware and software implementation Furthermore, it is an agile design with an extremely effective and efficient performance cipher In regard to this, a recent cryptanalysis study managed to unearth certain security weaknesses in the Rijndael (Biryukov & Khovratovich, 2009; Biryukov et al., 2010; Biryukov & Nikolić, 2010; Jean, 2013; Cui et al., 2015) The findings of the study revealed that three variants of the Rijndael which are 128, 192, and 256 bits of keys are not equipped with the ideal resistance or level of security against the related-key model attack considering that the adversary can encrypt plaintexts or decrypt ciphertext under a set of keys connected via a known relationship More importantly, it should be noted that these attacks are only theoretical and require computational power that is beyond our reach Nevertheless, the problem of producing Rijndael algorithm with an ideal resistance in the face 410 Journal of ICT, 17, No (July) 2018, pp: 409–434 of the cryptographic standards has remained unsolved for quite some time On a more important note, it has been widely acknowledged that the key expansion function of Rijndael is the weakest point of its design, whereas the round function has been very strongly and securely designed Therefore, Permutation Network (SPN) where all bit alterations in each round and the first round of SPN requires th the current research aims to emphasize only on the key expansion function of XOR-ing with to be the performed on the current state with theround roundfunction keys Next, it needs to pass through Rijndael unchanged state transformation substitution layer that consists of blocks of data which are supplanted with other blocks On top of that, is required to undergo a permutation layer where bits are permuted and shuffled around Hence, th THE SECURITY operation willDESCRIPTION be repeated again and again until the last OF roundRIJNDAEL performs an XOR with a final round key produce the output In relation to this, it should be noted that a well-designed SPN with several rounds Rijndael is a block cipher that contains both variable block length and variable substitution and block permutation adopted principles specified of confusion key length The lengthboxes and key lengththecanShannon’s be independently as and diffusio Meanwhile, part of the transformation Rijndael is the first minimum N-1 roundsand (N is the number any multipletheofmain 32 bits, whereby 128 bits isinconsidered as the 256 bits that as the maximum Thisand setup based of on bytes the Substitution rounds) involves 4×4, 4×6, 4×8is matrix for Rijndael Permutation 128-bit, 192-bit, and 256-b Network (SPN) where all bit alterations in each round and the first round ofnamely SubByte respectively Apart from that, it also consists of four several transformation functions, SPN requires the XOR-ing to be performed on the current state with the round ShiftRows, MixColums, and AddRoundKey keys Next, it needs to pass through a substitution layer that consists of blocks of data which are supplanted with other blocks On top of that, it is required The key schedule routine islayer equal to thebits number of rounds,and whereby it takes independent inpu to undergo a permutation where are permuted shuffled around Hence, operationconverts will be arepeated again and until theaslast data thatthis respectively single key of 16, 24,again and 32 bytes wellround as outputs expande performs an XOR with a final round key to produce the output In relation keys of 16×11, 16×13, and 16×15 bytes for Rijndael 128-bit, 192-bit, and 256-bit In this case, to this, it should be noted that a well-designed SPN with several rounds of should be noted that the processes of producing sub-keys include three elements of the operation substitution and permutation boxes adopted the Shannon’s principles of function g and (), namely RotWord, SubByte,the andmain Rcon These are applied on the first confusion diffusion Meanwhile, part of the transformation in sub column o the right side of first 4×4, N-1 4×6, rounds and 4×8 (N matrix expanded of sub-keys the key expansio Rijndael is the is the numberbytes of rounds) that Hence, involves 4×4, 4×6, and 4×8 matrix of bytes for Rijndael 128-bit, 192-bit, and 256-bit, function is represented through the source code in Algorithm in order to produce the expande respectively Apart from that, it also consists of four several transformation sub-keys of Rijndael 128-bits functions, namely SubBytes, ShiftRows, MixColums, and AddRoundKey Algorithm The Key expansion function of Rijndael 128-bits "For i = , … Nk – W[i] = k[i] ; End for For i = Nk , … … … , 4(Nr + 1) − Do Temp → W{i – 1}; if i mod Nk == then Temp → SubByte(RotWord(temp)) ⊕ Rcon N[i/Nk] ; W[i] → W[i − Nk] ⊕ temp End" In most studiesisofequal cryptographic, the main objective has been observed to revolv The key established schedule routine to the number of rounds, whereby it takes independent input data that respectively converts a single key of 16, 24, around the security analysis of Rijndael Hence, the designers of Rijndael and adapted its securi resistance to differential cryptanalysis by looking at the property of the "MixColumns" transformatio 411 More importantly, this method relies on the upper extent separable code, whereby the submitters o Rijndael managed to prove its security in regard to the secret-key model attacks Mo y expansion function of Rijndael 128-bits Journal of ICT, 17, No (July) 2018, pp: 409–434 (Nr + 1) −321 bytes Do as well as outputs expanded keys of 16×11, 16×13, and 16×15 bytes for Rijndael 128-bit, 192-bit, and 256-bit In this case, it should be noted that }; the processes of producing sub-keys include three elements of the operations then function g (),N[i/Nk] namely; RotWord, SubByte, and Rcon These are applied on tWord(temp)) ⊕ Rcon the first sub column on the right side of 4×4, 4×6, and 4×8 matrix expanded ] ⊕ temp bytes of sub-keys Hence, the key expansion function is represented through the source code in Algorithm in order to produce the expanded sub-keys of Rijndael 128-bits udies of cryptographic, the main objective has been observed to revolve In most established studies of cryptographic, the main objective has nalysis of Rijndael Hence, the designers security Hence, been observed to revolve around of theRijndael security adapted analysis its of Rijndael its security resistance to differential cryptanalysisthebydesigners looking atoftheRijndael propertyadapted of the "MixColumns" transformation cryptanalysis by looking at the property of the “MixColumns” transformation method reliesMore on theimportantly, upper extent code, on whereby the submitters of code, thisseparable method relies the upper extent separable Rijndael managed to prove its security prove its whereby security the in submitters regard toofthe secret-key model attacks Morein regard to the secret-key model attacks More specifically, the max probability probability differential is that found to to be be approximately approximatelyequals to differential of of Rijndael Rijndael is that is found 256 2–6 , while the present active S-box Rijndael 128-bit is performed for four rounds with a probability higher than 2–300 which is far lower than the desired threshold of 2–128 for a 128-bit block cipher Additionally, Mouha et al (2012) developed a technique that determines the maximum number of active S-boxes for up to 14 rounds to prove the security bounds of Rijndael or any other block cipher against differential cryptanalysis that rely on the Mixed Integer Linear Programming (MILP) approach Furthermore, it is important to note that the security analysis of Rijndael is mostly concentrated on either the secret-key model attacks or the related-key model attacks The secretkey model attacks are established on the exposure of the state transformation round of Rijndael instead of the vulnerabilities of the Rijndael key expansion function Accordingly, the reduced number of rounds for Rijndael is believed to be caused by the omission of MixColumns from the last rounds, which includes the Partial Sums Technique Attacks on six rounds (Tunstall, 2012), Boomerang Technique Attacks on six rounds (Biryukov, 2005), and Impossible Differential Technique Attacks on seven rounds of Rijndael 128-bit (Mala et al., 2010) On another note, Li and Jin (2016) introduced the Meet-in-themiddle Technique Attack on ten rounds of Rijndael 256-bit In addition, the improvement for seven-, eight-, and twelve-round attacks on the 128-bit, 192-bit, and 256-bit key variants respectively was carried out on Rijndael based on the omission of MixColumns from the last round using the Biclique cryptanalysis in the Meet-in-the-middle Technique Attack (Bogdanov et al., 2011; Tao & Wu, 2015) Recently, several weaknesses that include related-key differential attacks and related-key boomerang attacks in the Rijndael key expansion function managed 412 Journal of ICT, 17, No (July) 2018, pp: 409–434 to found by the cryptanalysts (Biryukov & Khovratovich, 2009; Biryukov et al., 2010; Biryukov & Nikolić, 2010; Jean, 2013; Cui et al., 2015) This situation is mainly caused by the lack of nonlinearity in the key schedule of the Rijndael that leads to a limited number of active bytes in each sub-key and slow diffusion into the key expansion function In this case, the main reason that causes the slow diffusion into the key expansion function is resulted by the existence of extremely linear function in the structural constraints of the original algorithm Meanwhile, the related-key model scenario attacks arise as a result of the leaks that occur in the key expansion function Hence, the related-key differential attack on all 10 rounds of AES 128-bits the adversary was able to recover the keys and managed to work with all the sub-keys In regard to this, the adversary works only at the weakness of the key based on a few of the characteristic of the differential into the sub-keys bytes On the other hand, the related-key boomerang attacks have led to key-recovery and managed to work with the whole keys Table shows the best cryptanalytic effects performed on Rijndael variants in the related-key model attacks Table Best cryptanalysis Results on Reduced Rijndael Variants in The Related-Key Model Attacks Version Round Data Time Memory Technique Reference 128 239 239 232 Boomerang (Biryukov, 2005) 271 271 232 Boomerang (Biryukov, 2005) 2 Boomerang (Biryukov et al., 2010) 2 Differential (Biryukov et al., 2010) 2 Differential (Jean, 2013) 2 square (Cui et al., 2015) 267 2143 264 Boomerang (Gorski & Lucks, 2008) 10 2 Rectangle (Kim et al., 2007) 12 2 Boomerang (Biryukov et al., 2010) 12 2 Boomerang (Biryukov et al., 2010) 2 64 Rectangle (Biham et al., 2005; Kim et al., 2007) 10 2114 2173 264 Rectangle (Biham et al., 2005; Kim et al., 2007) 14 2131 2131 264 Differential (Biryukov et al., 2010) 14 2 Boomerang (Biryukov & Khovratovich, 2009) 192 256 97 97 97 24 125 123 116 99 99.5 97 97 97 130 182 176 169 120 99.5 32 32 32 32 64 48 32 56 413 Journal of ICT, 17, No (July) 2018, pp: 409–434 RELATED WORK A considerable amount of studies had been carried out to determine the ability of cryptanalysis in enhancing the performance of Rijndael cipher following the establishment of Rijndael as an advanced encryption standard (AES) In relation to this, there have also been several studies that showed the weakness of the key expansion of Rijndael This weakness showed in their studies as a leaking bit in the subkeys, slow diffusion, and too linear property May et al (2002) presented three desired properties for a key expansion function that are described as follows: (1) resistance against the collisionone-way function (irreversible function), (2) lower respective information between each of the sub-key bits and main key bits, and (3) effective speed in target software implementation Therefore, property one is quantified with Shannon’s concepts of diffusion and confusion bits Meanwhile, property two between the sub-keys may be avoided altogether with the fulfillment of property one; hence, giving weight to the author’s perspective that the designer of such a cryptosystem is not suggested to use the main key bits straight in the sub-keys However, it was also found that each of the expanded subkeys was not in line with Shannon’s concepts after performing two statistical tests, namely the Frequency test to achieve the bit confusion property and the Strict Avalanche Criterion (SAC) test for the purpose of determining the bit diffusion property As a result, a new key schedule with high nonlinearity is proposed However, the standard for a related-key attack model is not suitable due to its high nonlinearity Nevertheless, the properties developed by May et al (2002) was proposed before the recent release of attacks of the related-key, whereby it managed to successfully figure out a method that can theoretically break the full AES-192 and AES-256 as well as the 128-bit variation of AES Meanwhile, Choy et al (2011) proposed the resisted related-key differentials and the boomerang attack However, May et al (2002) emphasizes that key expansion function is able to meet the security objective as it exhibits a strong efficiency drawback when testing for key agility This situation is driven by the high amount of S-box transformation that is used in the expansion function of the key which significantly decrease the performance speed, especially involving a Re-key for each block message in the hash mode (Jean et al., 2014) An extra (but small) number of SubByte operations or any other straightforward operation seems to boost the structure of the Rijndael key expansion function In relation to this, Nikolić (2011) introduced a newer version of the Rijndael resistance to related-key scenario attacks which requires the running of security analysis for the purpose of proving the new version of Rijndael 414 a newer version of the Rijndael resistance to related -key scenario attacks which Journal of ICT, 17, No (July) 2018, pp: 409–434 he running of security analysis for the purpose of proving the new version of Rijndael against differential related-key attacks In addition, the same technique was developed against involves differential In search addition,forthethesame ov and Nikolićresistance (2010) which an related-key automatic attacks algorithm best technique was developed by Biryukov and Nikolić (2010) which involves an l probability characteristics of an search S-boxfor inthe thebest SP-network ciphers that should be automatic algorithm differentialof probability characteristics an S-box function in the SP-network that should be carried out t based on the ofexpansion of a keyofforciphers the purpose of evaluating the based block on the expansion function of a key for the purpose of evaluating the block Furthermore, no extra characteristics in the differential probability are observed in the encryption Furthermore, no extra characteristics in the differential probability -bit variant of the 128-bit key because the valid differential for 128-bit is 2−128 Apart are observed in the XAES 128-bit variant of the 128-bit key because the valid –128 differential for 128-bit is Apart from that, Biryukov and Nikolić (2010) Biryukov and Nikolić (2010) similarly argued that the bound of active bytes in the similarly argued that the bound of active bytes in the block cipher regarding 128 differentialattack attack would would not not have have active S-boxes = 22 active S-boxes However, However, er regarding thethedifferential Gérault et al (2017) improved the upper related-key differential for the whole al (2017) improved upper cipher related-key differential the whole Rijndael 128-bit Rijndaelthe128-bit and showed that theforoptimal solution for rounds of optimal Rijndael-128 onlyfor contains 12 active S-boxes instead 13, in which is showed that the solution rounds of Rijndael -128 only of contains 12 active in agreement with the previous works of Biryukov and Nikolić (2010) and stead of 13, in which is in agreement with the previous works of Biryukov and Nikolić Fouque & Peyrin (2013) Hence, the problem of locating the exact minimum d Fouque & Peyrin (2013) Hence, the problem of Rijndael-128 locating the in exact minimum number number of active S-boxes for 6-round the related-key model is stillRijndael-128 unsolved, which has related-key led to 19 active S-boxes dueunsolved, to the lower bound S-boxes for 6-round in the model is still which has of the bottom for active bytes on the entire original Rijndael 128-bit for all active S-boxes characteristics due to the lower bound ofa the bottom active bytes on the entire Nevertheless, higher valuefor than the desired threshold of –128 for characteristics a 128-bit block cipher is reflected due to value the level of the security of ijndael 128-bit2for all Nevertheless, a higher than desired –114 in terms of the valid differential characteristics Contrastingly, Huang of 2−128 for a 128-bit block cipher is reflected due to the level of security of 2−114 in and Lai (2016) presented another Rijndael key expansion function by only he valid differential characteristics Contrastingly, Huang adding an exchange of the matrix subscripts in theand rowsLai and(2016) columnspresented without the extra operational S-boxes or the rotation However, the resistance of thein jndael key expansion function by only adding an exchange of the matrix subscripts key schedule of Huang and Lai (2016) has not been formally proven against the related-key differential and boomerang attacks or any others attacks established on the vulnerabilities of the Rijndael key expansion function for the purpose of managing theoretically attack on original Rijndael block cipher in the related-key model The linear transformation function boosts the Rijndael key expansion function by increasing the diffusion property of the key part On another note, Muda et al (2010) presented a new 128-bit key version of Rijndael block cipher by adding ShiftRow transformation cyclical shifts without doing any changes to the first row of the expanded sub-key However, the state matrix is changed by shifting three bytes to the right in the second row Meanwhile, the third row is changed with a shift of two bytes to the right, while the fourth row is changed with a shift of one byte to the right As recommended by May et al (2002), the ShiftRow transformation was tested with two statistical tests for security measurement, namely the confusion and diffusion tests This new transformation managed to fulfil the security requirement with better results 415 Journal of ICT, 17, No (July) 2018, pp: 409–434 compared to the original Rijndael key expansion function On top of that, Muda et al (2015) proposed a new 128-bit Rijndael key expansion function by adding the ShiftColumn linear transformation into the key expansion structure which include the slight shifting of the XOR-ing bit as well as the replacement of the column with different offsets Conversely, the new ShiftColumn transformation was also developed by Mahmod et al (2009) In relation to this, the results from the measurement Performance Tests, the Frequency test (to measure confusion property), and SAC test (to measure diffusion property) showed that this new proposed approach were successful in attaining both properties compared to the original Rijndael key schedule and the approach proposed by Muda et al (2010) through the investigation performed on the diffusion property in Rijndael block cipher On another note, Yan and Chen (2016) added a non-linear transformation into the key expansion function for the purpose of increasing the diffusion property for the block cipher as a whole Moreover, a method was presented to improve the security of the AES key expansion function by adding double S-boxes More importantly, the experimental results generated by the three random groups of data indicate that the improved algorithm has a more stable diffusivity However, according to the studies of Muda et al (2010;2015) and Yan and Chen (2016), the resistance of the key schedules has not been officially proven against related-key differential and related-key boomerang attacks or any other attacks established on the vulnerabilities of the Rijndael key expansion function Hence, it is still not able to manage theoretical attacks on the cipher in the related-key model Therefore, only the key schedule was shown to have excellent statistical properties that adhere to the concepts of Shannon’s confusion and diffusion, but without conducting a test on the key agility DESCRIPTION OF THE PROPOSED APPROACH This section elaborates on the new design for the key scheduling that was employed in the Rijndael 128-bit block cipher The proposed approach for the new Rijndael key schedule can be presented in two perspectives First, the interior design of the core function for the Rotword operation is adjusted Moreover, it should be noted that the new xRotword has a different rotation in the round, whereby every first word of the 32 bits has two-rotation bytes instead of one byte in order to generate the sub-keys Currently, the rotate operations (Rotword) are performed according to the bit permutations that produce a diffusion layer in the key expansion function More importantly, any changes made on every round of key schedule function will increase the diffusion layer According to Bogdanov et al (2011), the symmetric key block 416 Journal of ICT, 17, No (July) 2018, pp: 409–434 cipher will not be vulnerable to the related-key attacks provided that the shift pattern in the key scheduling are executed Second, an extra function is added to the constraint structure of the key expansion function which is known as the S ( ) function The S ( ) function is described as four bytes of input and output Hence, the S ( ) function works by requesting the nonlinear transformation of SubBytes to all the four input bytes On top of that, a byte-wise S-box substitution function is used in every second column and XORing with the previous column which acts as the basic structure of the key schedule On a more important note, a byte-wise S-box substitution consists of the confusion layer and symmetry elimination in Rijndael and provides nonlinearity with the purpose of prohibiting the full determination of differences in the expanded key Hence, this approach is believed to increase the security of the key expansion function while also mixing the key bits of the initial key for the sub-keys Nevertheless, it is important to note that diffusion and confusion are considered as the best solutions in enhancing the security of the Rijndael key expansion against attacks Moreover, the addition of nonlinear transformation into the key expansion function will lead to a more differential characteristic (active S-boxes), thus ensuring that the cipher will most likely be secured against differential attacks in related-key models based on the differential characteristics Apart from that, the change in the key expansion function has led to the achievement of the following two objectives: (1) the improvement of security algorithm of the key expansion function, and (2) the positive maintenance of the algorithm performance The Rijndael key expansion function is word-oriented that represents one word = 32 bits and consists of three operational functions, namely RotWord, SubByte, and Rcon These operations are called the g ( ) function which is described as a nonlinear transformation that applies a four-byte input and output on each of the first sub-column for the expanded keys Meanwhile, the remaining three words of the sub-keys are recursively computed On top of that, the RotWord one-byte rotation occurs in every round of the generation of sub-keys In regard to this, it should be noted that the newly proposed xRotword consists of two rotations in every round that generate sub-keys Hence, SubByte and Rcon are deliberated to be similar to the original Rijndael 128-bit Therefore, the bytes of the second column are applied by the new S ( ) function in the key expansion The design of the proposed algorithm approach for the key expansion function is represented via the source code in Algorithm 2, while a pictorial representation of the outlines of the internal structure of the key expansion function is depicted in Figure 417 The design of the proposed algorithm approach for the key expansion function is represented via the Journal of aICT, 17, No (July) 2018, 409–434 source code in Algorithm 2, while pictorial representation of the pp: outlines of the internal structure of the key expansion function is depicted in Figure Algorithm A new Key schedule of AES 128-bits “For i = , … Nk – W[i] = k[i] ; End for For i = Nk , … … … , 4(Nr + 1) − Do Temp → W[i – 1]; if i mod Nk == then Temp → SubByte (xRotword(temp)) Rcon N[i/Nk] ; End if If Nk = and i mod == then Temp S () [temp] ; which the S () function request non − linear transformation of SubBytes End if W[i] → W[i − Nk] ⊕ temp End" Figur e The Intern al Struct ure of Figure The Internal Structure of the key expansion function THE MEASUREMENT OF SECURITY The main objective of the current research is to enhance and strengthen the security of the Rijndael key expansion function In this case, the diffusion and confusion bits of the key expansion function for the proposed approach (SAES) is measured against the key expansion function of the original Rjndael (AES) as well as the previous approach (TAES) that were respectively taken from the studies of Daemen and Rijmen (2013) and Muda et al (2015) 418 ecific linearsubjected constraints on the variables The model usedThe in this research is theused in this resea to specific linear constraints on technique the variables model technique Journal of ICT, 17, No (July) 2018, pp: 409–434 proach considering its ability to relieve the whole integer the standard linear MILP-based approach considering its ability to constraint relieve theonwhole integer constraint on the stand ariables Hence, this particular set up as isthis referred as theset 0-1upMILP variables.asMouha programming variables Hence, particular as is referred the 0-1etMILP variables is the MILP-based approach considering its ability to relieve the whole mmended the use of constraint either a on or 1thevariable foreither the purpose describing the Hence, differential al integer (2012) recommended the use of aprogramming or 1ofvariable for the purpose of describing the d standard linear variables this particular setinup as referred as theencryption 0-1 variables Mouha et al (2012) of the rounds presentedout word-oriented block Hence, itblock should be noted that propagation of theisrounds presented in MILP word-oriented encryption Hence, it should be recommended the use of either a or variable for the purpose of describing ariables are tovariables constraints by the particularimposed structures as the structures as w thesubjected generated areimposed subjected byas thewell particular the differential propagation out of to theconstraints rounds presented in word-oriented block Hence, itcipher shouldMoreover, be notedthe that the generated variables are he definition cipher.encryption Moreover, this technique provides of any block the cipher operations of the definition thisanalysis technique provides analysis of any blo subjected to constraints imposed by the particular structures as well as the , three-forked branches, andthree-forked MDS code operations In this it operations is best to suppose that it is best to su based on XORs, and MDScase, code In this case, operations of the definitionbranches, cipher Moreover, this technique provides the ck cipher algorithm contains Equations (1), (2), and (3) presented below: analysis of any block cipher based on XORs, three-forked branches, and the Rijndael block cipher algorithm contains Equations (1), (2), and (3) presented below: MDS code operations In this case, it is best to suppose that the Rijndael block cipher algorithm contains Equations (1), (2), and (3) presented below: 𝑤𝑤 − box , S = 𝑓𝑓2 𝑤𝑤 OR ,⊕ = 𝑓𝑓2 𝑤𝑤 𝑤𝑤 → S𝑓𝑓2− box , S = 𝑓𝑓2 𝑤𝑤 → 𝑓𝑓2𝑤𝑤 × 𝑓𝑓2𝑤𝑤2.→XOR 𝑓𝑓2 ,⊕ = 𝑓𝑓 𝑤𝑤 × 𝑓𝑓2𝑤𝑤 → 𝑓𝑓 𝑤𝑤 2 𝑚𝑚 𝑚𝑚 near transformation3.L Linear = 𝑓𝑓2𝑤𝑤 transformation → 𝑓𝑓2𝑚𝑚𝑤𝑤 L = 𝑓𝑓2𝑤𝑤 → 𝑓𝑓2𝑚𝑚𝑤𝑤 (1) (2) (3) On a more important note, the aim is to find the differential characteristics from the all zero-difference input state to the same all-zero output state after a avariable number of steps has mentioned, of security ortant note,Onthe aim to find the differential characteristics fromthe themeasure allcharacteristics zero-difference moreisimportant note, theAs aim is been to find the differential from the all zerofor the proposed approach relies on the number of active S-boxes, whereby e same all-zero output after variable number As has been mentioned, the input state bound tostate the on same output stateofafter a variable number of steps As has been ment a lower theaall-zero success probability ofsteps a related-key differential attacks may lead to statefor collisions the offinding characteristics urity for themeasure proposed relies theNext, number active S-boxes, whereby lowerS-boxes, whereb of approach security the on proposed approach reliesdifferential on the number of aactive were transformed into MILP-Based Approach with the objective functions uccess probability of the a related-key differential attacks may lead to state collisions Next, bound on success probability a related-key attacks lead to state collisio of counting and minimizing the of number of activedifferential S-boxes in the AESmay cipher erential characteristics were transformed into MILP-Based Approach the objective the finding differential characteristics were transformed intowith MILP-Based Approach with the Variables Involved In MILP-Based Approach unting and minimizing number of minimizing active S-boxes the AES cipher.S-boxes in the AES cipher functions ofthe counting and the in number of active The MILP-based approach is a method that automatically evaluates the security of SPN structures and can be applied in single-key or related-key scenarios lved In MILP-Based Approach Variables Involved In MILP-Based Approach On top of that, it can also be used to obtain security bounds for the purpose (SAES) of minimizing or maximizing the number of active S-boxes In addition, the d approachThe isoriginal aMILP-based method that automatically evaluates securityapproach of SPN structures andused can of SPN structure Rijndael 128-bitis(AES) and that thetheprevious (TAES) approach a method automatically evaluates the are security as benchmarks in calculating thethat, minimized bounds of active bytessecurity in the ingle-key or scenarios On top of it can also betop used obtain berelated-key applied in single-key or related-key scenarios On of tothat, it can also be used to obtai scenario of related-key attacks of the proposed approach (SAES) purpose of minimizing orpurpose maximizing the number active S-boxes In addition, the S-boxes In add Constraints generation for S-box and objective function bounds for the of minimizing or of maximizing the number of active Constraints generation for S-box and objective el 128-bit (AES) and the previous approach (TAES) are usedapproach as function benchmarks calculating original Rijndael 128-bit (AES) and the previous (TAES)inare used as benchmarks in c w bounds of Figure active inbounds the scenario of related-key of the proposed approach the minimized of active bytes in related-key of the Figure depicts every input difference of the theof entire SS–− box, Sattacks issued 2bytes depicts every input difference Δi the ∈attacks Fscenario entire box, S issued in proposed the diagr of in the diagram of the operation Rijndael algorithm cipher The present study operation Rijndael algorithm cipher The present study presents a new 0-1 variable Ai in order t presents a new 0-1 variable Ai in order to perform corresponding S-boxes, corresponding S-boxes, be it in active or inactive state For instance, let Ai = or Ai = f 420 or Δi = Additionally, the full number of active S-boxes ∑i Ai bytes are selected in minim objective function that is subjected to the constraints of the operation of the Rijndael algorith SAES) k=0 dL ≥ X i … 2018, pp: 409–434 Journal of ICT, 17, No 3…(July) dL ≥ X i n−1 dL ≥ yj0 … be it in active or inactive state FordLinstance, ≥ yj n−1 let Ai = or Ai = for ∆i # or { ∆i = Additionally, the full number of active S-boxes Ʃi Ai bytes are selected in minimizing the objective function that is subjected to the constraints of of thetoRijndael the round variable refers a dummyalgorithm data requestcipher, either including or in value, or the function value of BL dL is Where thethedLoperation and key schedule algorithm However, an S-box will 𝑚𝑚be considered active describedprovided as the number branches in the linear L = 𝑓𝑓2𝑤𝑤 → 𝑓𝑓2𝑚𝑚𝑤𝑤 that of it has a difference of Atransformation = i (SAES) (SAES) Constraints generation for S-box and objective function Constraints generation for S-box and objective function Constraints generation for S-box and objectivewfunction nd objective function Figure depicts every input difference Δi ∈ F2 of the entire S − box, S issued in the operation Rijndael algorithm cipher The present study presents a new 0-1 variable Ai in o w Figure depicts every input difference Δi ∈ F2 of the entire wS − box, S issued in the diagram of the w depicts everyS input difference Δi ∈ Fof of the entire S − box, S issued in the nce Δi ∈ F2 ofFigure the entire S − box, issued diagram the corresponding S-boxes, be it in in the active or inactive state For instance, let Ai = or Ai operation Rijndael algorithm cipher The present study presents a new 0-1 variable Ai in order to perform operation Rijndael algorithm cipher The present study presents a new 0-1 variable Ai in or The present study presents a new 0-1 variable A in order to perform i or Δ = Additionally, the full number of active S-boxes ∑ Ai bytes are selected in orresponding S-boxes,i be it in active or inactive state For instance, let Ai = i1 or A = for Δi ≠ corresponding S-boxes, it 1inoractive inactive instance, i let Ai = or Ai a= ive or inactive state For instance, let Abe Ai = Δi ≠state objective function that isi = subjected to 0or thefor constraints of For the operation of the Rijndael or Δi = Additionally, the full number of active S-boxes ∑i Ai bytes are selected in minimizing the ∑i Ai bytes or Δi = ∑ 0.the Additionally, the full of active are selected including and number keyminimizing schedule algorithm an S-box will beincm umber of active 0S-boxes bytesfunction are selected in theS-boxesHowever, i Ai round objective function that is subjected to the constraints of the operation of the Rijndael algorithm cipher, objective function is subjected to to the constraints of the operation ofa difference the Rijndael cipher, of the operation of the Rijndael alg provided that it hasthat of algorithm Ai the = 1.constraints ncluding the round function and key schedule algorithm However, an S-box will be considered active including the round andbekey scheduleactive algorithm However, an S-box will be co y schedule algorithm However, an function S-box will considered provided that it has a difference of Ai = provided that itgeneration has a difference ofEncryption Ai = Rounds of the Rijndael 128-bit Constraints forTwo XOR Figure 2: Illustration of the i = Figure 2: Illustration of the Two Encryption Rounds of the Rijndael 128-bit (Lars & Matthew, 2011) Constraints generation for XOR 𝑤𝑤 Constraints generation Supposeofthat 𝐴𝐴 , 𝐵𝐵 𝑎𝑎𝑎𝑎𝑎𝑎infor ∈the𝑓𝑓XOR and consists different approach input ofthat XOR operations The representation the variables of the of MILP-based corresponds to a withi 2construction Constraints generation for XOR characteristic can be changed by minimizing the bounds of active bytes for 𝑤𝑤 the block cipher in the 𝑤𝑤 contains output differe expansion algorithm, AddRoundKey) Also, 𝐶𝐶 operations ∈ 𝑓𝑓2 if itwithin Suppose that 𝐴𝐴 , 𝐵𝐵 𝑎𝑎𝑎𝑎𝑎𝑎 ∈ 𝑓𝑓function and consists of different input of XOR Rijndael (key 𝑤𝑤 attacks of related-key Hence, S-box isRijndael determined be input active if and only if it has within a Suppose , 𝐵𝐵 𝑎𝑎𝑎𝑎𝑎𝑎 ∈ 𝑓𝑓2 anand and consists different of XOR operations Suppose consists ofof different of XOR operations consists scenario of different inputthat of 𝐴𝐴XOR operations within (keyto input 𝑤𝑤 within Rijndael (key expansion function AddRoundKey) Also, itBcontains output difference xpansion function algorithm, AddRoundKey) Also, 𝐶𝐶 ∈ 𝑓𝑓2algorithm, 𝑤𝑤 A if + +𝐶𝐶C ∈≥ 𝑓𝑓2d 𝑤𝑤 if it contains output differen algorithm, AddRoundKey) Also, output difference ifit itcontains contains output difference oundKey) Also,expansion 𝐶𝐶 ∈ 𝑓𝑓2 iffunction ⊕ d⊕ ≥ a A + B + C ≥ 2d⊕ d⊕ ≥ b A + B + C ≥ 2d⊕ A + B + C ≥ 2d⊕ d⊕ ≥ a { d ≥c (4) d⊕⊕≥ a d⊕ ≥ a d⊕ ≥ b d⊕ ≥ b d⊕ ≥ b d⊕ ≥ c { d⊕ ≥ c { d⊕ ≥ c { Where the the 𝒅𝒅⊕ variable Where variable isis dummy dummydata datathat thattakes takesthe thevalue valueofof0-1 0-1 Where the 𝒅𝒅⊕ variable is dummy data that takes the value of 0-1 421 𝒅𝒅⊕ variable is dummy(2) datais that takes theforvalue 0-1 XOR operation in the ta that takes the Where value ofthe 0-1 The above-mentioned Equation introduced eachofsub-key especially for each XOR operation that may have a positive or negative value in inp Journal of ICT, 17, No (July) 2018, pp: 409–434 The above-mentioned Equation (2) is introduced for each sub-key XOR operation in the Rijndael cipher, especially for each XOR operation that may have a positive or negative value in input difference in contrast to the related-key model However, it might not have any difference or receive at most one non-zero input difference However, the XOR operations may be ignored if there is no effect on the output difference Meanwhile, all the XORs depicted in Figure are taken into consideration in the related-key model Constraints generation for linear transformation 0-1 is the dependent variable that indicates the level-word for a linear transformation; hence, the above-mentioned Equation (3) is introduced d for input and output difference of a diffusion linear-transformation for input and output difference of a diffusion linear-transformation into t {𝑖𝑖0mentioned and(3){𝑗𝑗is0 ,introduced theoutput permutation of{j , ., , … , 𝑖𝑖Equation … , 𝑗𝑗Suppose } are that 𝑛𝑛−1 }Rijndael 𝑛𝑛−1 the cipher {i0, ., in–1}layer and jn–1} are the for input and difference of a diffusion linear-transformation permutation layer of {0, , n – 1} Then, let X and y , k ∈ {0, , n – ik nd 𝑦𝑦into , kRijndael ∈ {0 , cipher … … ,Suppose 𝑛𝑛 − that have }, whereby 𝑖𝑖𝑛𝑛−1variables i, k𝑗𝑗been {𝑖𝑖0 , … ,the } and {𝑗𝑗0 , … 𝑛𝑛−1 } are the permutation layer of 𝑖𝑖 𝑘𝑘 the 1}, whereby the variables have been previously subjected to the following 𝑛𝑛 − } Then, let 𝑋𝑋𝑖𝑖 𝑘𝑘 and 𝑦𝑦𝑖𝑖 𝑘𝑘 , k ∈ {0 , … … , 𝑛𝑛 − }, whereby the variables have been {0 , … … , constraints: constraints: n−1 previously subjected to the following constraints: ∑( X i k + yj k ) ≥ BL dL k=0 { dL ≥ X i …… dL ≥ X i n−1 dL ≥ yj0 … dL ≥ yj n−1 n−1 ∑( X i k + yj k ) ≥ BL dL k=0 { dL ≥ X i …… dL ≥ X i n−1 dL ≥ yj0 … dL ≥ yj n−1 (5) Where the dL variable refers to a dummy data request either or in value, or the value of BL dL is Where either the dL 0variable ummy data request or inrefers value,toora dummy the valuedata of request BL d𝑚𝑚L iseither or in value, → 𝑓𝑓2𝑚𝑚𝑤𝑤 in the linear described asorthethe number of of branches linear transformation L = 𝑓𝑓2of 𝑤𝑤 value BL dLinisthedescribed as the number branches 𝑚𝑚 𝑚𝑚 in the linear transformation transformation L = 𝑓𝑓2𝑤𝑤 → 𝑓𝑓2𝑤𝑤 The representation of the variables in the construction of the MILP-based approach that corresponds to a characteristic can be changed by minimizing the bounds of active bytes for the block cipher in the scenario of related-key attacks Hence, an S-box is determined to be active if and only if it has a difference which acts as a method that determines the new linear diffusion transformation prior to the utilization of the MILP-based approach in TAES The ShiftColumn that consists of three basic operations (left shift, XOR, Right shift) alongside 422 e which acts as a method that determines the new linear diffusion transformation prior to the Journal of ICT, 17, No (July) 2018, pp: 409–434 n of the MILP-based approach in TAES The ShiftColumn that consists of three basic operations t, XOR, Right shift) alongside with Rotword, SubBytes, and Rcon operations should be with Rotword, SubBytes, and Rcon operations should be developed and applied d and applied on the first sub-column for the key schedule algorithm The new component is on the first sub-column for the key schedule algorithm The new component o the key schedule algorithm of TAES in order to contribute to the diffusion property to with is applied to the key schedule algorithm of TAES in order to contribute the the property withcipher the purpose enhancing is theassumed securitytoofhave the input wholeand of enhancing the diffusion security of the whole Hence, of a component cipher Hence, a component is assumed to have input and output if and only if and only if it has a difference variableofoflinear lineartransformation transformation relying it has a difference.Next, Next,aa new new 0-1 0-1 variable relying on on (3)the is introduced finding the difference using theNevertheless, XOR in Equation (3) is introducedEquation by finding difference by using the XOR in Equation (2) it is not (2) Nevertheless, it is not difficult to check the diffusion effect of the linear to check the diffusion effect ofbecause the linear becauseis the ShiftColumn function transformation the transformation ShiftColumn function assumed to be applied on is 𝑤𝑤 𝑤𝑤 to be applied on the variable variable 𝑓𝑓2 → 𝑓𝑓2 with branch number number𝐵𝐵𝑟𝑟 < 𝑤𝑤 + Overall, the outcome of the four primary transformations of the AES, TAES, and SAES function is assessedof bythe calculating the round keys Consequently, he outcome of the fourround primary transformations AES, TAES, and SAES round function is a function to keep track of the indices for the active or non-active objective by calculating the round keys Consequently, a function to keep track of the indices for the active function is presented through the operations of AES that requires at least one tive objective function is presented the operations of AES transformation that requires at preserves least one SS-box to be active through considering that the SubByte this that property Hence, transformation it is safe to say preserves that the SubByte transformation not to active considering the SubByte this property Hence, itdid is safe introduce any linear constraints to the MILP-based approach In addition, the he SubByte transformation any linear constraints to thethe MILP-based approach same holds did truenot for introduce the ShiftRows transformation because only permutation of the bytes involve the internal state of AES However, the MixColumns on, the same holds true for the ShiftRows transformation because the only permutation of the transformation implemented a linear code with maximal distance (MDS) olve the internaland stateintroduced of AES However, the MixColumns transformation implemented a linear a linear constraint to the MILP-based approach In addition, the (MDS) AddRoundKey transformation for to thethe Rijndael-128-bit sub-key In h maximal distance and introduced a linear XORs constraint MILP-based approach into the state similarly introduced linear inequalities into the MILP-based the AddRoundKey transformation XORs theXOR Rijndael-128-bit into the state approach considering thatforthe y = x1 ⊕ x2 sub-key of two variables, xi,similarly x2 ∈ {0, 1}, x is performed with sub-keys, while x is described as the round d linear inequalities into the MILP-based approach considering that the XOR 𝑦𝑦 = 𝑥𝑥1 ⊕ 𝑥𝑥2 of function state Similarly, the key expansion function (calculation of round bles 𝑥𝑥1 , 𝑥𝑥2 ∈ {0,keys) 1}, 𝑥𝑥also while is MILP-based described as approach the round based function introducedwith linearsub-keys, constraints into𝑥𝑥2the is performed on the fact that each XOR operation for every word byte of the expanded submilarly, the key expansion function (calculation of round keys) also introduced linear constraints keys has one Xi variable per key byte ∈ {0, 1}, Xi = that will be performed MILP-based approach the fact that operation for every In word byte of only ifbased it has on a difference and each Xi = XOR without any difference the event of the (x1X , xi variable ) = (0, 0), should 0, and only y becomes sub-keys has one perit key bytebe∈ noted {0, 1},that Xii y= certainly that willbecomes be performed if it has a i if (x1, x2 ) ∈ {(0, 1), (1, 0)} However, the behavior is undetermined where e and Xii = without the event = (0, on 0),the it should be noted that y ,𝑥𝑥12 )based the (xany , x2)difference = (1, 1), asIny can either of be (𝑥𝑥 or actual values of the corresponding becomes 0, and y becomes differences if (𝑥𝑥 , 𝑥𝑥 ) ∈ {(0, 1), (1, 0)} However, the behavior is ined where the On (𝑥𝑥1 ,𝑥𝑥 ) = (1, 1), as ynote, can aeither be 0approach or based on the actual valuesofofa the a 2more important practical to evaluate the security nding differences.block cipher against related-key differential attacks is by determining the lower bound of the number of active S-boxes of all rounds throughout the cipher and key Hence, this is believed to prove the resistance of the proposed approach related-key differential attacks Apart from will also allowrelatedthe e important note,against a practical approach to evaluate the security of a that, blockit cipher against development of differential characteristics on all rounds provided that the rential attacks is characteristics by determining lower bound of following the number of active S-boxes of all rounds arethe equipped with the formal properties: ut the cipher and key Hence, this is believed to prove the resistance of the proposed approach 423 elated-key differential attacks Apart from that, it will also allow the development of differential istics on all rounds provided that the characteristics are equipped with the following formal Journal of ICT, 17, No (July) 2018, pp: 409–434 1) No two differential characteristics will occur with a probability of 2− p1 and 2−p2 on round one and round two, respectively considering that Round1 + Round2 ≥ rounds − and 2p1 + 2p2 ≤ k, whereby k refers to 128 bits Moreover, the purpose of this determination is to stop the boomerang attacks on the full rounds of Rijndael 128-bit However, it can be assumed that two rounds can be gained for free via several techniques, but the remaining Round1 + Round2 will remain to be part of the boomerang 2) No differential characteristics will occur on the full rounds with a probability higher than 2−128, where k refers to 128 bits Hence, this is certainly presented to stop the related-key differential attacks on the full round of Rijndael 128-bit EXPERIMENTAL RESULTS This section will further discuss the analysis of the results in regard to the experiments conducted for the purpose of comparing the proposed approach (SAES) with the original Rijndael (AES) as well as the previous approach (TAES) The Frequency Test and Strict Avalanche Criterion Test Results The Frequency and Strict Avalanche Criterion SAC tests are considered as the suitable methods to determine the weakness in each sub-key due to their ability to identify security weakness in the key expansion function The Frequency Test Figure shows the plotted graph for the Frequency test that measures the confusion property by only observing the key expansion function In this case, all 20 sub-keys that successfully meet the decision rule for the P-value test are generated from the key of the proposed approach as shown in Figure On the other hand, the sub-keys in the previous approach (TAES) failed to meet this rule because the TAES presented a linear diffusion transformation (ShiftColumn) which was applied on the first sub-column for the key schedule algorithm However, the confusion test showed that not all the sub-keys managed to adhere to this property Similarly, the key expansion for the original Rijndael (AES) is revealed to be lacking in this property Meanwhile, the concept of Shannon’s confusion can only be achieved after seven rounds of sub-keys On top of that, the new transformation presented into the key expansion function known as the S ( ) function requires the a SubBytes operation to be applied on 424 that the 𝑆𝑆 ( ) function introduces non-linearity to the key expansion function Therefore, it is clear that the SubBytes operation acts as theJournal common confusion of element ICT, 17, in No.achieving (July) 2018, pp: 409–434 Finally, a total of 180 sub-keys from the key of the proposed approach were tested, and the results showed the second column of each sub-key with the purpose of maintaining the concept of Shannon’s confusion In this case, it is believed that the S ( ) function sub-keysintroduces that are greater than 0.01 further that bit mixing can Therefore, be satisfied at 1% significant non-linearity to theindicates key expansion function it the is clear that the SubBytes operation as the common element in achieving level Therefore, this implies that theacts sequence is considered random with a confidenceconfusion level of 99% that the sub-keys managed to obtain the confusion bits Hence, this is believed that the P-values of the The Frequency Test hould not exceed 128 P-Value 0.8 0.6 0.4 = 22 active s − boxes 0.2 10 11 12 13 14 15 16 17 18 19 20 able summarizes the number of differential characteristics in the related-key model The MILP-based Sub-Keys pproach was constructed in correspond to the characteristic of the AES 128-bit, TAES 128-bit, and AES TAES SAES AES 128-bit with lower bounds of active S-boxes bytes Meanwhile, C++ implementation managed to enerate the MILP-based approach that Sub-Keys was then from solved theofIBM ILOG CPLEX Figure 20 Selected theusing Result the Frequency Test Optimizer 12.7 Figure 20 Selected Sub-Keys from the Result of the Frequency Test unning on a personal laptop with a CPU Intel(R) Core(TM) i7-3610QM (2.30 GHz) and 8.00 GB RAM CPLEX, 2011) The SACFinally, Test a total of 180 sub-keys from the key of the proposed approach were tested, and the results showed that the sub-keys managed to obtain the confusion Hence, this is ofbelieved that the generated P-values from of the that are greater Figure 4bits shows the D-value the 20 sub-keys thesub-keys key expansion of the proposed than 0.01 further indicates that bit mixing can be satisfied at the 1% significant As can be approach observed in Table 2, the lower bounds of the active s-boxes of the bytes in the related-key (SAES) that manages to successfully meet the decision rule for measuring the diffusion level Therefore, this implies that the sequence is considered random with a model of AES 128-bit consist of 20change active S-boxes Hence, the best related-key differential characteristic property However, alevel slight confidence of 99% in the 𝑔𝑔 ( ) function of the key expansion function can also be the introduction of the xRotWord operation Nevertheless, manages to fulfill the (2−6 )it20 still n terms ofobserved the validwith differential characteristics is shown as10-round = 2−120 , which is considered The Strict Avalanche Criterion Test of Shannon's diffusion due to the fact that the xRotword has a different rotation in the round of for a 128-bit On the other hand, the result of the differential igher thanconcept the needed threshold of 2−128 generation sub-keys Basically, it should be understood that every first 32-bit (sub-column) word has two efers to the activation nonlinear operations the sub-keys key part of the AES from 128-bit to the Figureof4fewer shows the D-value of thein 20 generated thecompared key rotation bytes instead of one byte As a result of this change, a big difference can be observed in the rest expansion of the proposed approach (SAES) that manages to successfully meet ate roundoffunction This situation is believed to be on thethe result of the key input expansion function the sub-columns in rule the single sub-key based concept of each bita that willchange affectpart eachof AES the decision for measuring the diffusion property However, slight 28-bit thatoutput onlybit hasthea 𝑔𝑔 ( ) function, is aexpansion non-linear function four-byte in function ofwhich the key function canwith alsoabe observedinput with and output theofintroduction of the for xRotWord operation it still managesthree to words of pplied on the first each sub-column the expanded keys.Nevertheless, Meanwhile, the remaining fulfill the concept of Shannon’s diffusion due to the fact that the xRotword has he sub-keys are recursively computed withround the XOR operation, thus resulting in anit extremely a different rotation in the of generation sub-keys Basically, should be linear key every firstGérault 32-bit et (sub-column) word at hasal.,two rotation art According understood to previous that studies (e.g al., 2017; Khoo 2017), the bytes lower bound of instead of one byte As a result of this change, a big difference can be observed ctive s-boxes of in the original AES in all the characteristics is 19 active s-boxes; thebytes rest offor thethe sub-columns in the128-bit single sub-key based on the concept of each bit that will affect each output bit.characteristics is (2−6 )19 = 2−114 ence, the level ofinput security in terms of valid differential 425 n this case, it is important to note that TAES 128–bit shares similar security vulnerabilities as the AES round function transformation in the key expansion function Hence, the speed performance of the block Journal of ICT, 17,when No (July) 2018,was pp: 409–434 cipher was significantly decreased, especially a Re-key used for each block message in the hash mode Strict Avalanche Criterion test D-Value 1 10 11 12 13 14 15 16 17 18 19 20 Sub-keys AES TAES SAES Figure 20 Selected Sub-Keys from the Result of the (SAC) Test Figure 20 Selected Sub-Keys from the Result of the (SAC) Test Resistance Against Related-key Differential Attack The original Rijndael (AES) failed the SAC test because the D-value of the sub-key higher than 1.628 Meanwhile, the attacks, key expansion in AES function The related-key modelisinvolves the expansion of differential whereasfunction the key expansion is lacking the concept of Shannon’s diffusion becomes part of the primitive that include the construction of a long differential characteristic The attacks attempt to build characteristic differentials on the whole of the presented Rijndael 128-bit, On long the contrary, the previous approach knownround as TAES a linearwhereby the diffusion transformation (ShiftColumn) into the128-bit first sub-column for the key attack specifies a difference in the master key for the Rijndael for the purpose of creating related schedule algorithm This approach was found to produce excellent statistical properties which agrees with the concept of Shannon’s diffusion bits However, related keys.itTherefore, the results of efficiency the differential shouldwhen activate fewer operations in the suffered from a strong drawback tested for nonlinear key agility due to the round theofkey expansion function state compared to complex that of the bestfunction regular transformation differential On intop that, the probability of the valid Hence, the speed performance of the block cipher was significantly decreased, −128 characteristicespecially must be higher because the each lowerblock boundmessage of activeinbytes in differential attacks when than a Re-key was used for the hash mode keys Meanwhile, the best differential probability of an S-box should be 2−6 in order to benefit from Resistance Against Related-key Differential Attack The related-key model involves the expansion of differential attacks, whereas the key expansion function becomes part of the primitive that include the construction of a long differential characteristic The attacks attempt to build long characteristic differentials on the whole round of the Rijndael 128-bit, whereby the attack specifies a difference in the master key for the Rijndael 128bit for the purpose of creating related keys Meanwhile, the best differential 426 Journal of ICT, 17, No (July) 2018, pp: 409–434 128order to benefit from related keys probability of an S-box should 2–6 in should not be exceed = 22 active s − boxes should activate fewer nonlinear Therefore, the results of the differential operations in the state compared to that of the best regular differential On top of that, the probability of the valid characteristic must be higher than 2–128 Table summarizes the number of differential characteristics in the because the lower bound of active bytes in differential attacks should not 128 approach was constructed in correspond to the characteristic of th should notexceed exceed = 22 active s − boxes SAES 128-bit with lower bounds of active S-boxes bytes Meanwh Table summarizes the number of differential characteristics in the relatedgenerate approach the MILP-based approachinthat was thentosolved using the key model.the The MILP-based was constructed correspond the The Table summarizes number of differential characteristics in the related-key model MILP-b characteristic of the AES 128-bit, 128-bit, andwith SAES 128-bit with lower running on aTAES personal laptop a CPU Intel(R) Core(TM) i7-3610 approach was constructed in correspond to the characteristic of the AESmanaged 128-bit, to TAES 128-bit bounds of active S-boxes bytes Meanwhile, C++ implementation (CPLEX, 2011) generate MILP-based that wasbytes then solved using C++ the IBM ILOG SAES 128-bit with the lower bounds ofapproach active S-boxes Meanwhile, implementation manag CPLEX Optimizer 12.7 running on a personal laptop with a CPU Intel(R) generate the MILP-based approach thatGHz) was and then8.00 solved IBM ILOG Core(TM) i7-3610QM (2.30 GB using RAM the (CPLEX, 2011) CPLEX Optimizer As can be observed in Table 2, the lower bounds of the active s-b running on a personal laptop with a CPU Intel(R) Core(TM) i7-3610QM (2.30 GHz) and 8.00 GB R As can be observed inmodel Tableof2,AES the lower bounds of of the20active of the 128-bit consist actives-boxes S-boxes Hence, the best (CPLEX, 2011) bytes in the related-key model of AES 128-bit consist of 20 active S-boxes in termsdifferential of the validcharacteristic differential characteristics is shown Hence, the best related-key in terms of the valid as10-round –6 20 –120 differential characteristics is shown as10-round (2 ) = , which is On the oth a 128-bit than the needed threshold of 2−128offorthe As can beconsidered observed in Tablethan 2,higher the needed lower bounds of of the active higher the threshold 2–128 for as-boxes 128-bit On thebytes other in the related to theS-boxes activation of fewer nonlinear operations in the key part hand,128-bit the result of the differential refers toHence, the activation of fewer nonlinear model of AES consist ofrefers 20 active the best related-key differential characte operations in the keystate partround of thefunction AES 128-bit comparedistobelieved the20state round This situation be ,the result the (2−6key ) =expansion in terms offunction the valid This differential characteristics 2to−120 which is of consi situation is believed istoshown be theas10-round result of the that only has a 𝑔𝑔 On ( ) function, is aresult non-linear part threshold of AES 128-bit 128-bit thatfor only function, nona 128-bit the other which hand, the of the functio differ higher thanfunction the needed of 2−128 linear function with aapplied four-byte input and output applied on the first of each on operations the first of in each sub-column the expanded keys Mean refers to the activation for of fewer nonlinear thethe key part of for the AES 128-bit sub-column the expanded keys Meanwhile, remaining three words of compared t the sub-keys aretorecursively computed with theresulting XORfunction operation, sub-keys aresituation recursively computed with theresult XOR operation, thus state roundthe function This is believed be the of the key expansion partthus of in an extremely linearpart key part According to previous studies (e.g Gérault According to previous studies (e.g Gérault et etal., 2017; Kho 128-bit that hasKhoo a 𝑔𝑔 at ( )al., function, which is bound a non-linear function a bytes four-byte al.,only 2017; 2017), the lower of active s-boxeswith of the for input and o active s-boxes of the bytes isfor19the original AEShence, 128-bit in all the the original AES 128-bit in all the characteristics active s-boxes; applied on the first of each sub-column for the expanded keys Meanwhile, the remaining three wor –6 19 the level of security hence, in terms of valid differential characteristics is (2 ) = level security in terms of resulting valid differential characteristic the sub-keys are recursively computed the with the of XOR operation, thus in an extremely linea 2–114 part According to previous studies (e.g Gérault et al., 2017; Khoo at al., 2017), the lower bou Table case, itAES is important note TAES 128–bit shares simila active s-boxes of the bytes for In thethis original 128-bit into all thethat characteristics is 19 active s-b 128-bit key expansion that areisresponsible manage the t −114 related-key differential analysis (2−6 )19 = 2to hence, the Results level ofof security in terms of valid differentialfunction characteristics related-key model In relation to this, the analysis for the compone # Rounds AES 128-bit TAES 128-bit SAES 128-bit TAES 128-bit does not produce any extra differential characteris In this case, it is important to note thatinTAES security# vulnerabilities as the # active # time the #128–bit active shares # time insimilar # active time S-boxes assessment seconds the seconds S-boxes (in the was performed on S-boxes the new linear diffusion transformation 128-bit key expansion function that are responsible to manage the theoreticalseconds attack on the cipher i three basic operations (left shift, XOR, Right shift), which was 0 for the component 0of the key 1 expansion functi related-key model In relation to this,1 the analysis algorithm Apart from that, the new component was applied on t TAES 128-bit does not produce any extra differential characteristic On a(continued) more important not expanded sub-key alongside with the g () function, while the rest assessment on the new linear diffusion transformation was performed on the ShiftColumn that consi 427 computed using only the XOR operation Unfortunately, this only c three basic operations (left shift, XOR, Right shift), which was introduced into the key sch without introducing any extra differential concerning the active s-box Journal of ICT, 17, No (July) 2018, pp: 409–434 # Rounds AES 128-bit TAES 128-bit SAES 128-bit # active S-boxes # time in the seconds # active S-boxes # time in the seconds # active S-boxes # time (in the seconds 1 1 3 3 4 9 10 11 11 14 6 12 16 12 18 17 18 14 20 14 25 20 21 17 24 17 28 23 25 19 27 19 30 25 30 10 20 35 20 45 28 40 In this case, it is important to note that TAES 128–bit shares similar security vulnerabilities as the AES 128-bit key expansion function that are responsible to manage the theoretical attack on the cipher in the related-key model In relation to this, the analysis for the component of the key expansion function of TAES 128-bit does not produce any extra differential characteristic On a more important note, an assessment on the new linear diffusion transformation was performed on the ShiftColumn that consists of three basic operations (left shift, XOR, Right shift), which was introduced into the key schedule algorithm Apart from that, the new component was applied on the first subcolumn for each of the expanded sub-key alongside with the g () function, while the rest of the subcolumns were recursively computed using only the XOR operation Unfortunately, this only contributes to the shifting of the bits without introducing any extra differential concerning the active s-boxes bytes Hence, the best related-key differential characteristic in terms of the valid differential characteristics for TAES 128-bit for the 10-round is (2–6)20 = (2–120) Hence, it is considered higher than the required threshold of the level of security for the differential probability 2–128 for the 128-bit haracteristics Finally, were found theconcluded proposed that approach it caninbe no differential characteristics were found in the proposed approach (SAES 128-bit), particularly in the full rounds −128 th a probability higher than This situation is with a probability higher than 2−128 This situation is believed to be caused active s-boxes related-key model the s-boxes full by in thethe minimum number of on active in the related-key model on the rounds that contains 28 active s-boxes or in other words, (2–6)28 = 2–168 ords, (2−6 )28 full = 2−168 differential probability Hence, differential probability Hence, the attacks will not work because the value −128 for threshold of 2–128 for a 128-bit The ower compared to thelower required threshold is much compared to of the2required valid extra differential characteristic presented in the SAES 128-bit is due to presented in the SAES 128-bit is due to the extra the extra nonlinear transformation of the key expansion function of SAES on of SAES In this case, the 𝑆𝑆 ( ) function function isis applied applied on the bytes of the second column in nsion for the purpose of preventing the related-key 428 of AES 128-bit Hence, this approach was found to n function, thus it is considered to be more secured Journal of ICT, 17, No (July) 2018, pp: 409–434 the key expansion for the purpose of preventing the related-key differential attacks from occurring on the full round of AES 128-bit Hence, this approach was found to contribute to a higher security for the key expansion function, thusof it is considered be more secured against related-key differential attacks on a smaller number rounds in thetocase compared to the recently established AES 128-bit r single-key or related-key differential Resistance Boomerangs Attack ential characteristics insteadAgainst of one Related-key long probability of anItS-box is 2−6 ; to hence, is important note no that differential characteristic is utilized on a smaller −128 rounds in theofcase of Boomerangs attacks Hence, the attacker can higher than number for all of combinations use either single-key or related-key differential characteristics Moreover, of presenting thisthe determination is to two stop short differential characteristics instead of one long adversary builds characteristic on the block cipher In AES, the best differential probability of an S-box is 2−6; hence, no two differential characteristics should occur with a probability higher than 2−128 for all combinations of two characteristics that rang attacks onhave the awhole total of1010rounds, rounds The purpose of presenting this determination is to stop the boomerang attacks on the full rounds of AES 128-bit der is reminded that the lower bound of cteristics are 20 Meanwhile, active s-boxes it the development of the Boomerang attacks on thisHence, will allow the whole 10 rounds, particularly in the context of AES 128-bit Moreover, or all combinations of two characteristics the reader is reminded that the lower bound of active S-boxes of the bytes s differential characteristic not exist on the AESmust 128-bit for all the characteristics are 20 active s-boxes Hence, it is the possible to buildhastwo independent differential characteristics for all rding to this concept, AES 128-bit combinations of two characteristics that contains 10 rounds in total On a more here is a total of important 20 active S-boxes the note, thisfor differential characteristic must not exist with a probability −128 higher than or 22 active S-boxes According to this concept, the AES 128found to have a 2−120 probability that is bit has active S-boxes for the top characteristics for Round 1, while there is S 128-bit Therefore, has a for the bottom characteristics of Round Hence, a total the of 20attacker active S-boxes the adversary was found to have a 2−120 probability that is considered higher quate for an attack to cover 10 rounds −128 than the valid probability for the AES 128-bit Therefore, the attacker with two characteristics in total of to 22-20 cover = active S-boxes that is deemed adequate for an has a remainder attack to cover 10 rounds Therefore, it can be said that the AES 128-bit could omerang attacks is higher than 2−128 for be attacked with two characteristics in total to cover all 10 rounds On the for key-recoveryother and hand, all thethe keys, totalwhich probability for the boomerang attacks is higher than 2−128 for the of differential the rounds of AES 128-bit that will enable the attack for keye caused by absence of rest extra recovery and all the keys, which is similar to the TAES-128 bit This situation on the component of the key expansion is believed to be caused by absence of extra differential characteristics based on the analysis of this study AES shares similar security margin to conducted on the component of the key expansion function of TAES Nevertheless, it should be noted that TAES shares similar security margin to boomerangs attacks as that of the AES-128 bit On another note, the number of active S-boxes in the differential characteristic 128 al characteristic is equal to to 22 for the equal the security analysis of the SAES 128-bit regarding acks The characteristic of Round is 0, sary showed the probability of (2−6 )25 = 429 Journal of ICT, 17, No (July) 2018, pp: 409–434 Boomerang attacks The characteristic of Round is 0, while the characteristic of Round is 25 Meanwhile, the adversary showed the probability of (2–6)25 = 2–150 which is much lower than the valid probability 2–128 for the AES 128-bit; hence, it will prevent the boomerang attacks Likewise, the number of active S-boxes would be 2+23 = 25 and 17+10 =27 for the two characteristics build on 2, and 6, rounds, respectively However, this is considered much lower compared to the valid differential probability Meanwhile, the lower bound of the active S-boxes of the bytes will be 14 +14 = 28 when two characteristics is built on rounds, which is greater than 22 In addition, the characteristics of Rounds and consist of 24 active S-boxes, thus exceeding the 22 active S-boxes Hence, all the characteristics have proven that the proposed approach (SAES) is secured against Boomerang attacks based on all the combinations of the two characteristics that cover 10 rounds in total with a probability lower than 2–128 Therefore, this managed to proof the security of the proposed approach against the related-key Boomerang attacks Resistance Against Other Attacks in the Form of a Secret-key Model In this case, it should be reminded that the secret-key attacks are established on the exposure of the state transformation round of Rijndael instead of the vulnerabilities of the Rijndael key expansion function The secret-key model scenario attacks occurred due to the omission of MixColumns from the last round According to Dunkelman and Keller (2010) and AlMarashda et al (2011), the omission of MixColumns affects the security of (reduced-round) AES On top of that, the state round function of AES has been strongly and securely designed in regard to differential cryptanalysis in the secret-key model attack scenario, with the best differential characteristics of probability 2–330 on 10 rounds of AES Meanwhile, the state round function remains unchanged and only the key schedule was adjusted CONCLUSION The current research successfully presented an enhancement to the security of the Rijndael key schedule algorithm In this case, it is important to note that there are three different variants to the key schedule in the Rijndael cipher which are the 128-bit, 192-bit, and 256-bit for10, 12, and 14 rounds, respectively However, the present study only focused on the 128-bit key size due to the recent theoretical attacks that occurred as a result of the weakness found in this key schedule On top of that, the 128-bit key schedule of the Rijndael cipher are not equipped with sufficient differential characteristics (active S-boxes), thus able to prevent the related-key model attacks caused by the extremely linear nature of the constraint in the original algorithm On another 430 Journal of ICT, 17, No (July) 2018, pp: 409–434 note, the proposed key expansion function (SAES) showed better statistical properties in terms of the confusion and diffusion bits compared to the original key expansion function (AES) and previous key expansion function (TAES) Moreover, the proposed approach managed to illustrate ideal security against related-key attacks in the form of differential cryptanalysis and boomerang attacks This situation is believed to be caused by the number of active S-boxes of the bytes which is 28 as well as the security level recorded as 2-168, thus reflecting a much lower value than the valid requirement in managing the attacks theoretically Finally, it can be concluded that the original approach and previous approach not have ideal security against these attacks ACKNOWLEDGMENT This work was supported by Putra Research Grant Scheme, project Code GP/2017/9588400 The authors gratefully acknowledge use of service and facilities of the Faculty of Computer Science and Information Technology at Universiti Putra Malaysia REFERENCES AlMarashda, K., AlSalami, Y., Salah, K., & Martin, T (2011) On the security of inclusion or omission of MixColumns in AES cipher In 6th International Conference for Internet Technology and Secured Transactions (pp 34–39) IEEE Biaoshuai, T., & Wu, H (2015) Improving the Biclique cryptanalysis of AES In Australasian Conference on Information Security and Privacy (pp 39–56) Springer, Cham https://doi.org/10.1007/978-3-319-19962-7_3 Biham, E., Dunkelman, O., & Keller, N (2005) Related-Key Boomerang and Rectangle Attacks In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp 507–525) Springer, Berlin, Heidelberg https://doi.org/10.1007/11426639_30 Biryukov, A (2005) The Boomerang Attack on and 6-Round Reduced AES Boomerang Attack In International Conference on Advanced Encryption Standard (pp 11–15) https://doi.org/10.1007/11506447 Biryukov, A., & Khovratovich, D (2009) Related-key cryptanalysis of the full AES-192 and AES-256 In International Conference on the Theory and Application of Cryptology and Information Security (pp 1–18) 431 Journal of ICT, 17, No (July) 2018, pp: 409–434 Springer, Berlin, Heidelberg https://doi.org/10.1007/978-3-642-103667_1 Biryukov, A., Khovratovich, D., & Nikolić, I (2010) Distinguisher and related-key attack on the full AES-256 In Advances in CryptologyCRYPTO 2009 (pp 231–249) Springer, Berlin, Heidelberg https://doi org/10.1007/978-3-642-03356-8_14 Biryukov, A., & Nikolić, I (2010) Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, Camellia, Khazad and others In Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp 322– 344) Springer, Berlin, Heidelberg https://doi.org/10.1007/978-3-64213190-5_17 Bogdanov, A., Khovratovich, D., & Rechberger, C (2011) Biclique cryptanalysis of the full AES In Advances in cryptology–ASIACRYPT (pp 344–371) https://doi.org/10.1007/978-3-642-25385-0_19 Choy, J., Zhang, A., Khoo, K., Henricksen, M., & Poschmann, A (2011) AES variants secure against related-key differential and boomerang attacks In International Workshop on Information Security Theory and Practices (pp 191–207) Springer, Berlin, Heidelberg https://doi org/10.1007/978-3-642-21040-2_13 Cui, J., Zhong, H., Shi, R., & Wang, J (2015) Related-key cryptanalysis on 7-round AES-128/192 International Journal of Electronic Security and Digital Forensics, 7(2), 166–178 https://doi.org/10.1504/ IJESDF.2015.069609 Daemen, J., & Rijmen, V (2013) The Design of Rijndael: AES - The Advanced Encryption Standard Springer Science & Business Media https://doi org/10.1007/978-3-662-04722-4 Dunkelman, O., & Keller, N (2010) The effects of the omission of last round’s MixColumns on AES Information Processing Letters, 110(8– 9), 304–308 https://doi.org/10.1016/j.ipl.2010.02.007 Fouque, P., Jean, J., & Peyrin, T (2013) Structural Evaluation ofAES and Chosen-Key Distinguisher of 9-round AES-128 In Advances in Cryptology–CRYPTO (pp 183–203) Springer, Berlin, Heidelberg https://doi.org/10.1007/978-3-642-40041-4_11 432 Journal of ICT, 17, No (July) 2018, pp: 409–434 Gérault, D., Lafourcade, P., Minier, M., & Solnon, C (2017) Revisiting AES Related-Key Differential Attacks with Constraint Programming IACR Cryptology EPrint Archive, 139 Retrieved from ia.cr/2017/139 Gorski, M., & Lucks, S (2008) New Related-Key Boomerang Attacks on AES In International Conference on Cryptology in India (pp 266–278) Springer, Berlin, Heidelberg https://doi.org/10.1007/978-3-540-897545_21 Huang, J., & Lai, X (2016) Transposition of AES Key Schedule In International Conference on Information Security and Cryptology (p 260) Springer, Cham https://doi.org/10.1007/978-3-319-54705-3_6 Jean, J (2013) Cryptanalysis of symmetric-key primitives based on the AES block cipher Cryptography and Security [cs.CR] (Unpublished doctoral dissertation) Ecole Normale Supérieure de Paris-ENS Paris Retrieved from https://tel.archives-ouvertes.fr/tel-00911049 Jean, J., Nikolic, I., & Peyrin, T (2014) Tweaks and keys for block ciphers: The TWEAKEY framework In International Conference on the Theory and Application of Cryptology and Information Security (pp 274–288) Springer, Berlin, Heidelberg https://doi.org/10.1007/978-3-662-456088_15 Khoo, K., Lee, E., Peyrin, T., & Sim, S M (2017) Human-readable proof of the related-key security of AES-128 IACR Transactions on Symmetric Cryptology, 2, 59–83 https://doi.org/10.13154/tosc.v2017.i2.59-83 Kim, J., Hong, S., & Preneel, B (2007) Related-key rectangle attacks on reduced AES-192 and AES-256 In International Workshop on Fast Software Encryption (pp 225–241) Springer, Berlin, Heidelberg https://doi.org/10.1007/978-3-540-74619-5_155 Lars, K R., & Matthew, R (2011) The block chipher companion Springer Retrieved from www.springer.com/gp/book/9783642173417 Li, R., & Jin, C (2016) Meet-in-the-middle attacks on 10-round AES256 Designs, Codes, and Cryptography, 80(3), 459–471 https://doi org/10.1007/s10623-015-0113-3 Lu, J (2015) A methodology for differential-linear cryptanalysis and its applications Designs, Codes, and Cryptography, 77(1), 11–48 https:// doi.org/10.1007/s10623-014-9985-x 433 Journal of ICT, 17, No (July) 2018, pp: 409–434 Mahmod, R., Ali, S A., Azim, A., & Ghani, A (2009) A shift column with different offset for better rijndael security International Journal of Cryptology Research, 1(2), 245–255 Mala, H., Dakhilalian, M., Rijmen, V., & Modarres-Hashemi, M (2010) Improved impossible differential cryptanalysis of 7-round AES-128 In Lecture Notes in Computer Science (pp 282–291) https://doi org/10.1007/978-3-642-17401-8_20 May, L., Henricksen, M., Millan, W., Carter, G., & Dawson, E (2002) Strengthening the Key Schedule of the AES In Proceedings of the 7th Australian Conference on Information Security and Privacy (pp 226– 240) https://doi.org/10.1007/3-540-45450-0_19 Mouha, N., Wang, Q., Gu, D., & Preneel, B (2012) Differential and linear cryptanalysis using mixed-integer linear programming In International Conference on Information Security and Cryptology, 57–76 https://doi org/10.1007/978-3-642-34704-7_5 Muda, Z., Mahmod, R., & Sulong, M R (2010) Key transformation approch for Rijndael secuirty Information Technology Journal, 9(2), 290–297 Muda, Z., Sulaiman, S., Yasin, S M., & Mahmod, R (2015) Tshiftcolumn: A new transformation in 128-bit Rijndael key expansion to improve security requirements Journal of Theoretical and Applied Information Technology, 73(1), 130–136 Nikolić, I (2011) Tweaking AES Lecture Notes in Computer Science, 6544, 198–210 https://doi.org/10.1007/978-3-642-19574-7_14 Tunstall, M (2012) Improved “Partial Sums”-based square attack on AES In International Conference on Security and Cryptography (pp 25–34) https://doi.org/10.5220/0003990300250034 Yan, J., & Chen, F (2016) An improved AES key expansion algorithm In International Conference on Electrical, Mechanical and Industrial Engineering (pp 113–116) 434 ... Structure of the key expansion function THE MEASUREMENT OF SECURITY The main objective of the current research is to enhance and strengthen the security of the Rijndael key expansion function. .. carried out t based on the ofexpansion of a keyofforciphers the purpose of evaluating the based block on the expansion function of a key for the purpose of evaluating the block Furthermore, no extra... focused on the 128-bit key size due to the recent theoretical attacks that occurred as a result of the weakness found in this key schedule On top of that, the 128-bit key schedule of the Rijndael