The square attack on block cipher ARIA

Abstract

ARIA is very similar to Rijndael. Rijndael is the algorithm that has been selected by the U.S. National Institute of Standards and Technology (NIST) as the candidate for the Advanced Encryption Standard. Rijndael was based on cipher named Square. In the same paper as the cipher itself, a ‘dedicated’ chosen plaintext attack which exploits the rather unique structure of Square, was soon found by Knudsen. This four-round attack, known as the Square Attack, can be extended naturally to the ARIA. And this attack can recover the master key with high probability only having 28 plaintext-four round ciphertext pairs. The Square attack can be increased to 6 rounds and is referred to as the Square-6 attack in this report. This kind of attack is known as a Multiset Attack. Other proposed names include ‘Saturation attack’, ‘Structural attack’, and ‘Integral cryptanalysis’. A multiset differs from the normal notion of a set by the fact that it allows the same value to appear multiple times. An element of a multiset is therefore a pair (value, multiplicity). In a multiset attack, the adversary carefully chooses multisets of plaintexts and studies their propagation through the cipher. While the element values obviously change, other properties such as multiplicity or ”integral” (i.e., sum of all components) can remain unchanged, allowing cryptanalysis.