### The Effects of the Omission of Last Round's MixColumns on AES

Orr Dunkelman and Nathan Keller

##### Abstract

The Advanced Encryption Standard (AES) is the most widely deployed block cipher. It follows the modern iterated block cipher approach, iterating a simple round function multiple times. The last round of AES slightly differs from the others, as a linear mixing operation (called MixColumns) is omitted from it. Following a statement of the designers, it is widely believed that the omission of the last round MixColumns has no security implications. As a result, the majority of attacks on reduced-round variants of AES assume that the last round of the reduced-round version is free of the MixColumns operation. In this note we refute this belief, showing that the omission of MixColumns does affect the security of (reduced-round) AES. First, we consider a simple example of 1-round AES, where we show that the omission reduces the time complexity of an attack with a single known plaintext from $2^{48}$ to $2^{16}$. Then, we examine several previously known attacks on 7-round AES-192 and show that the omission reduces their time complexities by a factor of $2^{16}$.

Category: Secret-key cryptography
Publication info: Published elsewhere. Submitted to a journal
Keywords: AES, MixColumns, Impossible Differential Cryptanalysis
Contact author(s): orr dunkelman @ weizmann ac il
Short URL: https://ia.cr/2010/041

CC BY

BibTeX

@misc{cryptoeprint:2010/041,
author = {Orr Dunkelman and Nathan Keller},
title = {The Effects of the Omission of Last Round's MixColumns on  AES},
howpublished = {Cryptology ePrint Archive, Paper 2010/041},
year = {2010},
note = {\url{https://eprint.iacr.org/2010/041}},
url = {https://eprint.iacr.org/2010/041}
}
