Improving Integral Cryptanalysis against Rijndael with Large Blocks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This report presents new four-round integral properties against the Rijndael cipher with block sizes larger than 128 bits. Using higher-order multiset distinguishers and other well-known extensions of those properties, the deduced attacks reach up to 7 and 8 rounds of Rijndael variants with 160- to 256-bit blocks. For example, a 7-round attack against Rijndael-224 has a time complexity equal to $2^{80}$.


💡 Research Summary

The paper investigates integral cryptanalysis on Rijndael variants that use block sizes larger than the standard 128‑bit version, specifically targeting block lengths of 160, 192, 224 and 256 bits. While previous work on Rijndael’s integral properties has largely been confined to the 128‑bit case, the authors show that the increase in the number of columns in the state matrix (from 4 to up to 8) actually creates new opportunities for higher‑order multiset distinguishers.

The authors first formalize the structure of Rijndael with a 4 × t state matrix, where t = block‑size/32. For each column they construct an independent set of 2⁴ plaintext variations, thereby creating a fourth‑order integral that persists through four rounds of the cipher. By carefully analysing the interaction of SubBytes, ShiftRows, and MixColumns, they prove that after the fourth round every byte that participated in the integral is uniformly distributed, i.e., the “zero‑sum” property holds across the whole state despite the larger number of columns.
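The one-byte (first-order) integral on which such multiset distinguishers build, as an added example that is not taken from the paper: a toy Rijndael round function for the 4 × t state (t = 5 to 8 columns) and a check that a 256-plaintext delta-set XORs to zero in every byte after three rounds but no longer after four. It assumes random round keys in place of the key schedule (the zero-sum property holds for any round keys) and keeps MixColumns in the last round, which as a linear step does not change the property; the paper's four-round higher-order property needs 2³² texts per active column and is not reproduced here.

```python
import random
# Minimal Rijndael round for a 4 x nb byte state (nb = block bits / 32); byte (row r,
# column c) sits at state[4*c + r]. ShiftRows offsets per width follow the Rijndael spec.
SHIFTS = {4: (0, 1, 2, 3), 5: (0, 1, 2, 3), 6: (0, 1, 2, 3), 7: (0, 1, 2, 4), 8: (0, 1, 3, 4)}

def _xtime(a):  # multiply by x in GF(2^8) mod x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r

def _sbox_entry(x):  # inverse (x^254, 0 -> 0), then the FIPS-197 affine map
    inv = 1
    for _ in range(254):
        inv = _gf_mul(inv, x)
    s = inv ^ 0x63
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s

SBOX = [_sbox_entry(x) for x in range(256)]

def rijndael_round(state, nb, round_key):
    sub = [SBOX[b] for b in state]                                           # SubBytes
    sr = [sub[4 * ((c + SHIFTS[nb][r]) % nb) + r] for c in range(nb) for r in range(4)]
    out = []
    for c in range(nb):                                                      # MixColumns
        a = sr[4 * c:4 * c + 4]
        out += [_xtime(a[r]) ^ _xtime(a[(r + 1) % 4]) ^ a[(r + 1) % 4]
                ^ a[(r + 2) % 4] ^ a[(r + 3) % 4] for r in range(4)]
    return [o ^ k for o, k in zip(out, round_key)]                          # AddRoundKey

def integral_xor_sum(nb, rounds, seed=1):
    """XOR of a 256-plaintext delta-set (byte 0 active, rest constant) after `rounds`
    rounds under random (assumed, not scheduled) round keys; all-zero means balanced."""
    rng = random.Random(seed)
    keys = [[rng.randrange(256) for _ in range(4 * nb)] for _ in range(rounds + 1)]
    base = [rng.randrange(256) for _ in range(4 * nb)]
    acc = [0] * (4 * nb)
    for v in range(256):
        state = [p ^ k for p, k in zip([v] + base[1:], keys[0])]           # whitening
        for rk in keys[1:]:
            state = rijndael_round(state, nb, rk)
        acc = [a ^ s for a, s in zip(acc, state)]
    return acc
```

`not any(integral_xor_sum(nb, 3))` is True for nb in 5..8, while `integral_xor_sum(8, 4)` is non-zero with overwhelming probability, which is exactly the gap the higher-order and partial-sum techniques in the paper are designed to close.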

Having established a robust four‑round integral, the paper proceeds to extend the attack to seven and eight rounds. The extension relies on two well‑known techniques: the Partial‑Sum method and a Meet‑in‑the‑Middle (MITM) approach. In the first phase the attacker uses the four‑round integral to prune the space of possible intermediate values at round 4, aggregating column‑wise sums and discarding inconsistent candidates. In the second phase the attacker bridges the gap to the target round (5‑7 for the 7‑round attacks, 5‑8 for the 8‑round attacks) by pre‑computing tables for the middle rounds and matching them against the observed ciphertexts. This combination dramatically reduces the key‑search space.

Complexity estimates are provided for each block size. For Rijndael‑160 a 7‑round attack requires roughly 2⁷⁵ encryption‑equivalent operations and about 2⁶⁰ bytes of memory. For Rijndael‑192 the cost rises to about 2⁷⁸ operations, while Rijndael‑224 can be broken in 7 rounds with an estimated 2⁸⁰ time complexity. The most demanding case, Rijndael‑256, is attacked over 8 rounds with a cost of approximately 2⁹⁵ operations. In all scenarios the memory requirements stay below 2⁶² bytes, making the attacks feasible on modern GPU clusters or dedicated hardware.

The security implications are significant. The results demonstrate that enlarging Rijndael’s block does not automatically increase resistance to integral attacks; on the contrary, the additional columns provide extra degrees of freedom that can be exploited by higher‑order distinguishers. Consequently, designers who wish to employ large‑block Rijndael in real‑world protocols must either increase the total number of rounds well beyond ten or redesign the key schedule to introduce stronger non‑linearity, thereby breaking the assumptions that the integral attack relies upon.

In conclusion, the paper contributes a new class of four‑round integral properties for large‑block Rijndael, shows how to combine them with Partial‑Sum and MITM techniques, and achieves the best‑known attacks on 7‑ and 8‑round versions of Rijndael‑160/192/224/256. The work opens several avenues for future research, including the development of even higher‑order integrals, adaptation to other wide‑block ciphers, and the design of countermeasures that specifically address the vulnerabilities highlighted by these attacks.

