Following a statement of the designers, it is widely believed that the omission of the last round MixColumns has no security implications. As a result, the majority of attacks on reduced-round variants of AES assume that the last round of the reduced-round version is free of the MixColumns operation.
In this note we refute this belief, showing that the omission of MixColumns does affect the security of (reduced-round) AES. First, we consider a simple example of 1-round AES, where we show that the omission reduces the time complexity of an attack with a single known plaintext from 2^{48} to 2^{16}. Then, we examine several previously known attacks on 7-round AES-192 and show that the omission reduces their time complexities by a factor of 2^{16}.
Category / Keywords: secret-key cryptography / AES, MixColumns, Impossible Differential Cryptanalysis

Publication Info: Submitted to a journal

Date: received 27 Jan 2010

Contact author: orr dunkelman at weizmann ac il

Version: 20100129:153203