On the Role of Key Schedules in Attacks on Iterated Ciphers

Lars R. Knudsen (1) and John E. Mathiassen (2)

(1) Department of Mathematics, Technical University of Denmark
(2) Department of Informatics, University of Bergen, Norway

Abstract. This paper considers iterated ciphers and their resistance against linear and differential cryptanalysis. In the theory of these attacks one assumes independence of the round keys in the ciphers. Very often though, the round keys are computed in a key schedule algorithm from a short key in a nonrandom fashion. In this paper it is shown by experiments that ciphers with complex key schedules resist both attacks better than ciphers with more straightforward key schedules. It is well-known that by assuming independent round keys the probabilities of differentials and linear hulls can be modeled by Markov chains and that for most such ciphers the distribution of these probabilities converges to the uniform distribution after some number of rounds. The presented experiments illustrate that some iterated ciphers with very simple key schedules will never reach this uniform distribution. Also the experiments show that ciphers with well-designed, complex key schedules reach the uniform distribution faster (using fewer rounds) than ciphers with poorly designed key schedules. As a side result it was found that there exist ciphers for which the differential of the highest probability for one fixed key is also the differential of the highest probability for any other key. It is believed that this is the first such example provided in the literature.

1 Introduction

Most block ciphers today are so-called iterated ciphers. Here the ciphertext is computed as a function of the plaintext and the user-selected key, K, in a number of iterations. Typically, the user-selected key is input to a key scheduling algorithm, which returns a series of r keys, K_1, ..., K_r.
Let g(·, ·) be a function which is a bijective mapping when the second argument is fixed. Then the ciphertext is computed as c_r, where c_i = g(c_{i-1}, K_i), c_0 is the plaintext and the K_i are the so-called round keys. This is called an r-round iterated cipher. Since g is assumed to be injective for fixed K_i, c_{i-1} = g^{-1}(c_i, K_i), and the plaintext can be computed from the ciphertext and the round keys by inverting the encryption process.

P. Samarati et al. (Eds.): ESORICS 2004, LNCS 3193, pp. 322–334, 2004. © Springer-Verlag Berlin Heidelberg 2004
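The r-round iterated cipher just defined, together with the kind of key-schedule experiment the abstract describes, as an added example that is not part of the paper: a toy 8-bit SPN (constructed here, not one of the authors' test ciphers) with a round function g, its inverse for decryption, and a routine that averages the output-difference distribution for a fixed input difference over random user keys under two schedules, identical round keys versus the independent round keys assumed by the Markov-cipher model. The S-box, bit permutation, block size and trial counts are all assumptions made for illustration.

```python
import random
# Toy 8-bit SPN, constructed for illustration (not one of the paper's test ciphers):
# round function g(c, K) = P(S(c XOR K)); S acts on each nibble, P permutes the bits.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]
PERM = [0, 4, 1, 5, 2, 6, 3, 7]             # output bit j is taken from input bit PERM[j]
PERM_INV = [PERM.index(b) for b in range(8)]

def permute(x, table):
    return sum(((x >> table[j]) & 1) << j for j in range(8))

def g(state, round_key):                    # one round; a bijection for fixed round_key
    x = state ^ round_key
    return permute((SBOX[x >> 4] << 4) | SBOX[x & 0xF], PERM)

def g_inv(state, round_key):                # c_{i-1} = g^{-1}(c_i, K_i)
    x = permute(state, PERM_INV)
    return ((SBOX_INV[x >> 4] << 4) | SBOX_INV[x & 0xF]) ^ round_key

def encrypt(plaintext, round_keys):         # c_r with c_i = g(c_{i-1}, K_i), c_0 = plaintext
    c = plaintext
    for k in round_keys:
        c = g(c, k)
    return c

def decrypt(ciphertext, round_keys):        # undo the rounds in reverse order
    c = ciphertext
    for k in reversed(round_keys):
        c = g_inv(c, k)
    return c

def identical_keys(user_key, rounds, rng):  # simplest schedule: every K_i is the user key
    return [user_key] * rounds

def independent_keys(user_key, rounds, rng):  # Markov-cipher idealisation: independent K_i
    return [rng.randrange(256) for _ in range(rounds)]

def max_differential_probability(in_diff, key_schedule, rounds, trials, seed=1):
    # Average the output-difference distribution for a fixed input difference over
    # `trials` random user keys and return the largest averaged probability.
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(trials):
        keys = key_schedule(rng.randrange(256), rounds, rng)
        for p in range(256):
            counts[encrypt(p, keys) ^ encrypt(p ^ in_diff, keys)] += 1
    return max(counts) / (256 * trials)

def sbox_max_ddt_entry(in_diff):            # largest entry of the S-box DDT row for in_diff
    return max(sum(1 for x in range(16) if SBOX[x] ^ SBOX[x ^ in_diff] == d) for d in range(16))
```

Calling max_differential_probability for increasing round counts under both schedules reproduces, in miniature, the comparison the abstract describes: whether and how quickly the averaged distribution flattens towards 1/256.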