Paper 2010/041

The Effects of the Omission of Last Round's MixColumns on AES

Orr Dunkelman and Nathan Keller


The Advanced Encryption Standard (AES) is the most widely deployed block cipher. It follows the modern iterated block cipher approach, iterating a simple round function multiple times. The last round of AES slightly differs from the others, as a linear mixing operation (called MixColumns) is omitted from it. Following a statement of the designers, it is widely believed that the omission of the last round MixColumns has no security implications. As a result, the majority of attacks on reduced-round variants of AES assume that the last round of the reduced-round version is free of the MixColumns operation. In this note we refute this belief, showing that the omission of MixColumns does affect the security of (reduced-round) AES. First, we consider a simple example of 1-round AES, where we show that the omission reduces the time complexity of an attack with a single known plaintext from 2^{48} to 2^{16}. Then, we examine several previously known attacks on 7-round AES-192 and show that the omission reduces their time complexities by a factor of 2^{16}.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Submitted to a journal
AESMixColumnsImpossible Differential Cryptanalysis
Contact author(s)
orr dunkelman @ weizmann ac il
2010-01-29: received
Short URL
Creative Commons Attribution


      author = {Orr Dunkelman and Nathan Keller},
      title = {The Effects of the Omission of Last Round's MixColumns on  AES},
      howpublished = {Cryptology ePrint Archive, Paper 2010/041},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.