Paper 2006/039

Two-Round AES Differentials

Joan Daemen and Vincent Rijmen


In this paper we study the probability of differentials and characteristics over 2 rounds of the AES with the objective to understand how the components of the AES round transformation interact. We extend and correct the analysis of the differential properties of the multiplicative inverse in GF($2^n$). We show that AES has characteristics with a fixed-key probability that is many times larger than the EDP. For instance, in the case of 2-round AES, we measured factors up to $2^{100}$. We study the number of characteristics with EDP $>0$ whose probability adds up to the probability of a differential and derive formulas that allow to produce a close estimate of this number for any differential. We show how the properties discovered in our study can be used to explain the values of the differentials with the largest EDP values and to construct new distinguishers using truncated differentials.

Note: Corrected a typo. Thanks to Ralph Wernsdorf.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. J. Daemen, V. Rijmen, ``Understanding two-round differentials in AES,'' in R. De Prisco, M. Yung (Eds.), SCN 2006, LNCS 4116, pp. 78-94, 2006; J. Daemen, V. Rijmen, ``Plateau characteristics and AES,'' IET Information Security, Volume 1, No. 1, March 2007, pp. 11--17.
Contact author(s)
vincent rijmen @ iaik tugraz at
2009-02-06: last of 9 revisions
2006-02-06: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joan Daemen and Vincent Rijmen},
      title = {Two-Round AES Differentials},
      howpublished = {Cryptology ePrint Archive, Paper 2006/039},
      year = {2006},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.