Improved Cryptanalysis of Rijndael

Niels Ferguson¹, John Kelsey¹, Stefan Lucks⋆², Bruce Schneier¹, Mike Stay³, David Wagner⁴, and Doug Whiting⁵

¹ Counterpane Internet Security, Inc., 3031 Tisch Way Suite 100PE, San Jose, CA 95128
² University of Mannheim, 68131 Mannheim, Germany
³ AccessData Corp. 2500 N. University Ave. Ste. 200, Provo, UT 84606
⁴ University of California Berkeley, Soda Hall, Berkeley, CA 94720
⁵ Hi/fn, Inc., 5973 Avenida Encinas Suite 110, Carlsbad, CA 92008

⋆ Supported by DFG grant KR 1521/3-2.

Abstract. We improve the best attack on Rijndael reduced to 6 rounds from complexity $2^{72}$ to $2^{44}$. We also present the first known attacks on 7- and 8-round Rijndael. The attacks on 8-round Rijndael work for 192-bit and 256-bit keys. Finally, we discuss the key schedule of Rijndael and describe a related-key attack that can break 9-round Rijndael with 256-bit keys.

1 Introduction

Rijndael is one of the five AES candidate ciphers that made it to the second round [DR98]. Rijndael has 10, 12, or 14 rounds, depending on the key size. Previously it was known how to break up to 6 rounds of Rijndael [DR98]. Independently from our work, Gilbert and Minier [GM00] presented an attack on 7 rounds of Rijndael.

In section 2, we describe a new partial sum technique that can dramatically reduce the complexity of the 6-round attacks. We also show how to use these ideas to attack 7 and 8 rounds of Rijndael, in some cases using additional known texts (where available) to reduce the workfactor. The attacks against 7-round Rijndael with 128-bit keys and 8-round Rijndael with 192-bit and 256-bit keys require nearly the entire Rijndael codebook ($2^{128} - 2^{119}$ chosen plaintexts); they are therefore not very practical even for an adversary with sufficient computing power. All of these attacks use extensions of the dedicated Square attack, as described in [DKR97,DR98,DBRP99].

In section 3, we turn our attention to the key schedule. We show several unexpected properties of the key schedule that seem to violate the published design criteria. Although we do not know of any attacks that critically depend on these properties, we consider them unsettling.

Finally, in section 4, we exploit the slow diffusion of the Rijndael key schedule to develop a related-key attack that can be mounted on 9 rounds of Rijndael with a 256-bit key.

A summary of these attacks, including time and data complexities, is described in table 1. We also refer the reader to appendix A for a detailed listing of notation used to refer to intermediate values in the cipher.