Secure and Efficient Crypto System Based On 128-Bit AES

Transcription

1 Secure and Efficient Crypto System Based On 128-Bit AES Pramod Raj B 1, Manju Devi 2 1 M.Tech. Scholar, Department of E&C, BTL Institute of Technology, Bangalore, Karnataka, India, pramodraj031@gmail.com 2 Associate Professor, Department of E&C, BTL Institute of Technology, Bangalore, Karnataka, India, manju3devi@gmail.com Abstract The AES algorithm was selected in 2000 by the US National Institute of Standards and Technologies (NIST) as a replacement to the Data Encryption Standard (DES) cryptographic algorithm. It is based on Rijndael algorithm which is a symmetric-key algorithm that processes fixed data of 128-bit blocks. The AES algorithm is suited for an efficient implementation on a wide range of processors. It can be used as encryption standard in embedded systems and especially the smart cards. There are many implementations of the AES reported in literature; some of them use Field Programmable Gate Arrays (FPGA) or Application Specific Integrated Circuits (ASIC) while others use smart card. According to the performance needed; the designs are divided into two categories. The first category aims at high-speed AES encryption cores and high throughput, while requiring a reasonable amount of resources.the second category involves only ultra rapid implementations and demanding an extremely small area. Recently, much research has been conducted for security of data transactions on embedded platforms. Advanced Encryption Standard (AES) is considered as one of a candidate algorithm for data encryption/decryption. One important application of this standard is cryptography on smart cards. In this thesis we describe a 32-bits architecture developed for Rijndael algorithm to accelerate execution on 32-bits platforms with reduced memory. Using the FPGA device XC6VCX75T of virtex-6 family a very low-cost implementation of 174 occupied Slices is obtained under MHz frequency. Keywords: AES, DES, Cryptography, Symmetric key, Asymmetric key, Encryption, Decryption Xilinx *** INTRODUCTION The previous standard algorithm, the Data Encryption Standard (DES) was once very secure. However, due to developments in processing power and parallel processing technologies, this algorithm became quite vulnerable to exhaustive key search attacks, as the key length of the algorithm was considered to be short. Since the algorithm was designed for a fixed block size and key length, an alternative algorithm was essential. As a result, the National Institute of Standards and Technology proposed the Advanced Encryption Standard (AES) to replace the DES. In the current standard AES algorithm the block size is double that of the DES of 128-bit, and the key length has expanded from 56 to 128-bit and could even support 192 and 256-bit. All of the cryptographic algorithms we have looked at so far have some problem. The earlier ciphers can be broken with ease on modern computation systems. The DES algorithm was broken in 1998 using a system that cost about $250,000. It was also far too slow in software as it was developed for mid-1970 s hardware and does not produce efficient software code. Triple DES on the other hand, has three times as many rounds as DES and is correspondingly slower. As well as this, the 64 bit block size of triple DES and DES is not very efficient and is questionable when it comes to security. What was required was a brand new encryption algorithm. One that would be resistant to all known attacks. The National Institute of Standards and Technology (NIST) wanted to help in the creation of a new standard. However, because of the controversy that went with the DES algorithm, and the years of some branches of the U.S. government trying everything they could to hinder deployment of secure cryptography this was likely to raise strong skepticism. The problem was that NIST did actually want to help create a new excellent encryption standard but they couldn t get involved directly. Unfortunately they were really the only ones with the technical reputation and resources to the lead the effort. Instead of designing or helping to design a cipher, what they did instead was to set up a contest in which anyone in the world could take part. The contest was announced on the 2nd of January 1997 and the idea was to develop a new encryption algorithm that would be used for protecting sensitive, non-classified, U.S. government information. The ciphers had to meet a lot of Special Issue June-2014, Paper id - IJRETM-2014-SP-006 1

2 requirements and the whole design had to be fully documented (unlike the DES cipher). Once the candidate algorithms had been submitted, several years of research in the form of cryptographic conferences took place. In the first round of the competition 15 algorithms were accepted and this was narrowed to 5 in the second round. The fifteen algorithms are shown in table 7 of which the 5 that were selected are shown in bold. The algorithms were tested for efficiency and security both by some of the world s best publicly renowned cryptographers and NIST itself. After all this investigation NIST finally chose an algorithm known as Rijndael. Rijndael was named after the two Belgian cryptographers who developed and submitted it Dr. Joan Daemen of Proton World International and Dr. Vincent Rijmen, a postdoctoral researcher in the Electrical Engineering Department of Katholieke Universisteit Leuven. On the 26 November 2001, AES (which is a standardized version of Rijndael) 2. LITERATURE SURVEY 2.1 Implementation of AES algorithm Hardware implementation mainly deals with implementation of AES algorithm on a single-chip FPGA using pipelined approach[1], area-throughput trade off for an ASIC implementation in a 0.18µm CMOS technology[2], crypto-memory and SRAM architecture[3], high speed non-pipelined FPGA[4], a fully sub-pipelined encryptor to achieve a throughput of Gbps on Xilinx device[5], a prototype chip implemented using 0.35µm CMOS technology[6][7][8]. Software implementation deals with fast implementation of algorithm in smart cards[9], PDA secure communication with Java[10], on optimum construction of composite fields for the AES[11], evaluation of different implementations for high end servers [12], implementation approaches for AES algorithm in C, C++ and MATLAB [13], security protocol for automobile remote key less system [14]. 2.2Cryptanalysis of AES algorithm Cryptanalysis includes Fast Algebraic Attacks on Block Cipher such as linear cryptanalysis, differential cryptanalysis, extended Sparse Linearization (XSL) [15] and active attack on AES algorithm [16]. Like most modern block ciphers, AES is designed with resistance against differential and linear cryptanalysis in mind, using the latest results in cryptographic research. For example, Cheon [17] has shown that differential cryptanalysis requires chosen cipher texts to attack 6-round AES-128. Gilbert and Minier [18] describe that an attack of 7-round AES-192 and AES-256 with 2 32 chosen plaintexts and a complexity of about 2 140, compared to Brute-force attack, where the complexity is or 2 256, and an attack of 7-round AES-128 with 2 32 chosen plaintexts, the computational complexity is slightly less than the Brute-force exhaustive search As reported in Ferguson [19] a related-key attack of 9-round AES-256 is possible with time complexity of 2 224, which is of course far from practical. No attack is known for AES of more than 7 rounds. On the other hand, although AES has been chosen as the encryption standard, the security of AES has gone through twists and turns of controversy. The algebraic nature of AES [20] has interestingly opened up possible avenues of other non-traditional attacks as summarized in [21]. It started with Courtois and Pieprzyk [22] [23] presenting evidence that the security of AES might not grow exponentially as intended with the number of rounds. The technique is based on expressing the S-boxes of AES in an over defined system of multivariate quadratic (MQ) equations which can be solved by XSL and which is based on extended Linierization (XL) [24]. The security of AES therefore lies on the computational complexity of XL, which to date remains an open problem [25]. In spite of Moh's dispute [26], whether the technique would not work, remains to be proved [27]. In the meantime, Murphy and Robshaw [28] derive an alter- native representation of AES that is easier for cryptanalysis, by embedding AES in a cipher called BES that uses only simple algebraic operations in Gallios Field GF(2 8 ). They showed that AES encryption can be described by an extremely sparse over determined multivariate quadratic system over GF(28), whose solution would recover the key. In another paper, Murphy and Robshaw[29] argue that while XSL does not have estimates accurate enough to substantiate claims of the existence of a key recovery attack, XSL does help to solve their GF(2 8 ) system of equations more efficiently than Courtois GF(2) system of equations. Combining Coppersmith's [30] correction to Courtois estimate, Murphy further deduces that the security of AES-128 would be reduced from the theoretical complexity of exhaustive key search from to 2 100, if XSL is a valid technique. On the other front, Fuller and Millan [31] unravel serious linear redundancy in the only nonlinear component, i.e. the S-box of AES of 8 8 behaves actually like an S-box of 8 _ 1 matrix. They, by studying the invariance properties of the local connection Special Issue June-2014, Paper id - IJRETM-2014-SP-006 2

3 structure of affine equivalence classes, discover that the outputs of the S-box are all equivalent under affine transformation. The essence of their discovery can be summarized in the following simple mathematical expression. If b i (x) and b j (x) are two distinct outputs of the S-box, then there exists a non-singular 8_8 matrix Dij and a binary constant c ij such that b j (x) = b i (x) D ij c ij. Independent of the above development, Filiol [32] shocked the scienti_c community by announcing a break of AES with his plaintext dependent repetition codes cryptanalysis technique. By detecting bias in the Boolean functions of AES, Filio claimed that he was able to obtain 2 bits of an AES key with only 231 cipher texts and a computational complexity of mere O(231). Fortunately, several independent cryptographers were quick to dismiss the claim. 3. DATA ENCRYPTION STANDARD The DES was adopted in 1977 by the US. National Bureau of Standards (NBS), now known as the NIST, as a Federal Information Processing Standard (FIPS PUB 46) for unclassified government communications. It was also approved in 1981 by the American National Standards Institute (ANSI) as a private-sector standard (ANSI X3.92). The DES is a block cipher based on the Feistel network structure, which encrypts and decrypts blocks of data of 64-bit size under the control of a key 56-bit in length. The 56-bit of the key are extracted from a 64 bit string, while the remaining 8-bit are used for detecting errors among the bytes of the key. This involves a parity check, which is achieved by setting the least significant bit (LSB) of each byte such that the resulting parity of that byte is odd. The algorithm, as shown in Figure 1, starts by initial permutation (IP) followed by 16 identical key dependent rounds of transformation ignoring the final swap. The ciphertext is then produced after passing the output through a final permutation which is the inverse of the initial permutation (IP-1). Since the design is based on the Feistel structure, both encryption and decryption use the same algorithm except in terms of the order of the round keys. After initial permutation the input is equally split into two halves, which are both processed through subsequent rounds according to equations 1 and.2, respectively. L i= R i-1 (1) R i= L i-1 f(r i-1, k i ) (2) Where L and R stand for the left and right half of the data, respectively, denotes bitwise XOR operation (bit-by-bit addition modulo 2). The round transformation consists of four layers, which are expansion permutation, round key addition, element substitution and finally permutation. This round transformation works only on the right-hand half of the data. The expansion permutation layer is used to expand the right half of the data from 32 to 48-bit. Expansion is achieved by duplicating and permutating the outer bits of every 4-bit, as illustrated in Figure 2. This layer improves the avalanche effect by rapidly spreading the dependency of the output bits on the input bits. The output from the expansion permutation layer is XORed with the 48-bit round key. Sixteen different 48- bit round keys are generated from the 56-bit key via the key schedule algorithm. This operation is achieved by first ignoring the parity bit from each byte of the 8-byte of the key. Then the remaining 56-bit are permutated and subsequently split into two halves. Next, each half is left-shifted in a circular manner by either one offset for rounds 1, 2, 9 and 16, or two offsets for the other rounds. After that a 48-bit round sub-key is chosen out of the 56-bit. These two operations are known permuted choice (PC) or compression permutation, as a subset of data is chosen after permuting the all. The next step after the key addition layer is the element substitution layer. Eight different 6 4 S-boxes are used, and thus the 48- bit are converted into eight 6-bit groups. The S-box conducts non-linear mapping, the six input bits to the S-box are mapped into four output bits. The final layer of the round functions is permutation, which permutates the 32-bit resulting from the mapping. Security of the DES: The key length of the DES algorithm is considered short in terms of processing power nowadays, and the code can be broken using an exhaustive key search attack that decrypts the encrypted message with all possible key spaces using 256 or on average 255 combinations to recover the right key. A variety of attacks against the DES are described in the literature. For instance, differential cryptanalysis can break the cipher with a complexity of 247 of chosen-plaintext, and linear cryptanalysis can succeed with an availability of 243 known plaintext ciphertext pairs. Special Issue June-2014, Paper id - IJRETM-2014-SP-006 3

4 Triple DES: One of the variants of the DES algorithm is the Triple DES algorithm, also known as the Triple Data Encryption Algorithm (TDEA), which IBM suggested to improve the security of the DES algorithm by increasing the length of the key without altering the algorithm. The improvement is achieved by repeating the procedures three times using two or three different keys. Here, encryption and decryption are processed according to equations 3 and 4, respectively, where E and D refer to normal single DES encryption and decryption. Fig -1: DES and Key Schedule Algorithms Fig -2: Expansion Permutation CT=Ek 3 (Dk 2 (Ek 1 (PT))) (3) PT=Dk 1 (Ek 2 (Dk 3 (CT))) (4) Where CT, PT, E, D and k stand for ciphertext, plaintext, encryption, decryption, and key, respectively. The ANSI X9.52 standard identifies there possible keying options as follows: 1. The three keys k1, k2 and k3 are independent. 2. Keys k1 and k2 are independent and k3 = k1. Special Issue June-2014, Paper id - IJRETM-2014-SP-006 4

5 3. The values of the three keys are the same (k1 = k2 = k3), and are equivalent to the single DES. The security of the system is thereby enhanced, since the exhaustive key search now requires 2168 attempts to break the system if all keys are independent, or 2112 if two of the keys are independent (as in point 2 above), which is clearly much harder than with just 256 as in the single DES. 4. PROPOSED SYSTEM Salient features of AES: AES is a block cipher with a block length of 128 bits. AES allows for three different key lengths: 128, 192, or 256 bits. Most of our discussion will assume that the key length is 128 bits. Encryption consists of 10 rounds of processing for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. Except for the last round in each case, all other rounds are identical. Each round of processing includes one single-byte based substitution step, a row-wise permutation step, a column-wise mixing step, and the addition of the round key. The order in which these four steps are executed is different for encryption and decryption. To appreciate the processing steps used in a single round, it is best to think of a 128-bit block as consisting of a 4 4 matrix of bytes, arranged as follows: Therefore, the first four bytes of a 128-bit input block occupy the first column in the 4 4 matrix of bytes. The next four bytes occupy the second column, and so on. The 4 4 matrix of bytes is referred to as the state array. AES also has the notion of a word. A word consists of four bytes, that is 32 bits. Therefore, each column of the state array is a word, as is each row. Each round of processing works on the input state array and produces an output state array. The output state array produced by the last round is rearranged into a 128-bit output block. Unlike DES, the decryption algorithm differs substantially from the encryption algorithm. Although, overall, the same steps are used in encryption and decryption, the order in which the steps are carried out is different, as mentioned previously. AES, notified by NIST as a standard in 2001, is a slight variation of the Rijndael cipher invented by two Belgian cryptographers Joan Daemen and Vincent Rijmen. Whereas AES requires the block size to be 128 bits, the original Rijndael cipher works with any block size (and any key size) that is a multiple of 32 as long as it exceeds 128. The state array for the different block sizes still Special Issue June-2014, Paper id - IJRETM-2014-SP-006 5

6 has only four rows in the Rijndael cipher. However, the number of columns depends on size of the block. For example, when the block size is 192, the Rijndael cipher requires a state array to consist of 4 rows and 6 columns. As explained, DES was based on the Feistel network. On the other hand, what AES uses is a substitution-permutation network in a more general sense. Each round of processing in AES involves byte-level substitutions followed by word-level permutations. Speaking generally, DES also involves substitutions and permutations, except that the permutations are based on the Feistel notion of dividing the input block into two halves, processing each half separately, and then swapping the two halves. The nature of substitutions and permutations in AES allows for a fast software implementation of the algorithm. Rijndael was designed to have the following characteristics: Resistance against all known attacks. Speed and code compactness on a wide range of platforms. Design Simplicity. The encryption key and its expansion: Assuming a 128-bit key, the key is also arranged in the form of a matrix of 4 4 bytes. As with the input block, the first word from the key fills the first column of the matrix, and so on. The four column words of the key matrix are expanded into a schedule of 44 words. Each round consumes four words from the key schedule. Figure depicts the arrangement of the encryption key in the form of 4-byte words and the expansion of the key into a key schedule consisting of 44 4-byte words. The overall structure of AES: The overall structure of AES encryption/decryption is shown in Figure 3. The number of rounds shown in Figure.2, 10, is for the case when the encryption key is 128 bit long. (As mentioned earlier, the number of rounds is 12 when the key is 192 bits, and 14 when the key is 256.) Before any round-based processing for encryption can begin, the input state array is XORed with the first four words of the key schedule. The same thing happens during decryption except that now we XOR the ciphertext state array with the last four words of the key schedule. For encryption, each round consists of the following four steps: 1) Substitute bytes, 2) Shift rows, 3) Mix columns, and round key. The last step consists of XORing the output of the previous three steps with four words from the key schedule. 4) Add For decryption, each round consists of the following four steps: 1) Inverse shift rows, 2) Inverse substitute bytes, 3) Add round key, And 4) Inverse mix columns. The third step consists of xoring the output of the previous two steps with four words from the key Schedule. The last round for encryption does not involve the Mix columns step. The last round for decryption does not involve the Inverse mix columns step. Special Issue June-2014, Paper id - IJRETM-2014-SP-006 6

7 Fig -3: The overall structure of AES for the case of 128-bit encryption key. The four steps in each round Of processing: Figure 4 shows the different steps that are carried out in each round except the last one. STEP 1 is called SubBytes for byte-by-byte substitution during the forward process. The corresponding substitution step used during decryption is called InvSubBytes. This step consists of using a lookup table to find a replacement byte for a given byte in the input state array. The entries in the lookup table are created by using the notions of multiplicative inverses in GF(2 8 ) and bit scrambling todestroy the bit-level correlations inside each byte. STEP 2 is called ShiftRows for shifting the rows of the state array during the forward process. The corresponding transformation during decryption is denoted InvShiftRows for Inverse Shift-Row Transformation. Fig -4: One round of encryption is shown at left and one round of decryption at right. The goal of this transformation is to scramble the byte order inside each 128-bit block. STEP 3 is called MixColumns for mixing up of the bytes in each column separately during the forward process. The corresponding transformation during decryption is denoted InvMixColumns and stands for inverse mix column transformation. The goal is here is to further scramble up the 128-bit input block. The shift-rows step along with the mix-column step causes each bit of the ciphertext to depend on every bit of the plain- text after 10 rounds of processing. STEP 4 is called AddRoundKey for adding the round key to the output of the previous step during the forward process. The corresponding step during decryption is denoted InvAddRound Key for inverse add round key transformation. The key expansion algorithm: Each round has its own round key that is derived from the original 128-bit encryption key in the manner described in this section.one of the four steps of each round, for both encryption anddecryption, involves XORing of the Special Issue June-2014, Paper id - IJRETM-2014-SP-006 7

8 round key with the statearray. The AES Key Expansion algorithm is used to derive the 128-bit round key for each round from the original 128-bit encryptionkey. As you ll see, the logic of the key expansion algorithm is desiged to ensure that if you change onebit of the encryption key, it should affect the roundkeys for several rounds.in the same manner as the 128-bit input block is arranged in theform of a state array, the algorithm first arranges the 16 bytes ofthe encryption key in the form of a 4 4 array of bytes as shownbelow. The first four bytes of the encryption key constitute the word w 0, the next four bytes the word w 1, and so on.the algorithm subsequently expands the words [w 0,w 1,w 2,w 3 ] into a 44-word key schedule that can be labeled w 0, w 1, w 2, w 3,..., w 43. Of these, the words [w 0,w 1,w 2,w 3 ] are bitwise XOR ed with the input block before the round-based processing begins. The remaining 40 words of the key schedule are used four words at a time in each of the 10 rounds. The above two statements are also true for decryption, except for the fact that we now reverse the order of the words in the key schedule, as shown in Figure 2: The last four words of the key schedule are bitwise XOR ed with the 128-bit ciphertext block before any round-based processing begins. Subsequently, each of the four words in the remaining 40 words of the key schedule are used in each of the ten rounds of processing.as shown in the figure, the key expansion takes place on a four-word to fourword basis, in the sense that each grouping of four words decides what the next grouping of four words will be. 5. RESULTS Encrypted output Fig -5: The key expansion takes place on a four-word to four-word basis as shown here. Input: Key: 30c81c46a35ce411e5fbc1191a0a52ef 2b7e151628aed2a6abf cf4f3c cipher text:43b1cd7f598ece23881b00e3ed Special Issue June-2014, Paper id - IJRETM-2014-SP-006 8

9 Decrypted output Fig -6: Simulation Results for AES Encryption Input: Key: 43b1cd7f598ece23881b00e3ed b7e151628aed2a6abf cf4f3c Plain text: 30c81c46a35ce411e5fbc1191a0a52ef 6. CONCLUSION AND FUTURE SCOPE Fig -7: Simulation Results for AES Decryption This paper reports the implementation results of the AES algorithm on different Xilinx Virtex FPGAs. A 32- bit architecture implementation of the AES crypto module is addressed. This work details the design of the AES system based on iterative loop architecture. With the proposed architecture a consumed power reduction of 15mw is achieved, compared with the AES-128 bit. The proposed design achieved frequency is better compared with the standards. Furthermore, the proposed 32-bit architecture of the AES occupies a reasonable amount of resources in terms of slices. From the obtained performances, we can conclude that our proposed 32-bit AES Architecture is suitable to be used at the systems with resource constrained environments adapted for smart cards. This Implementation of 128 bit AES using Rijndael algorithm, and the same can be extended to encrypt 192 and 256 bits of plain text data with proper key length, which makes even tougher to decrypt the original data form an unauthorized receivers. Special Issue June-2014, Paper id - IJRETM-2014-SP-006 9

10 7. REFERENCES [1] E Rodriguez-Henriquez, N.A. Saqib and A. Diaz-Pkrez, 4.2 Gbit/s single-chip FPGA implementation of AES algorithm, Electronics Letters, Vol. 39 No (2003) [2] AlirezaHodjat and Ingrid Verbauwhede, Speed - area Trade off for 10 to 100 Gbits Throughput AES Processor, IEEE (2003) [3] Anna Labb, Annie Prez and Jean-Michel Portal, Efficient Hardware Implementation Of A Crypto-Memory Based On Aes Algorithm And Sram Architecture, II (2003). [4] Refik Sever A. NeslinsmailoluYusuf.Tekmen Murat AkarBurakOkcan, A High Speed Fpga Implementation Of The RijndaelAlgorithm, Proceedings Of The Euromicro Systems on Digital System Design, IEEE (2004). [5] Xinmiao Zhang and Keshab K. Parhi, An E_cient 21.56gbps Aes Implementation On FPGA, IEEE, (2004). [6] Naga M. Kosaraju, Murali Varanasi and Saraju P. Mahanty, A High Performance VLSI Architecture for Advanced Encryption Standard (AES) Algorithm, Proceedings of the 19th International Conference of VLSI Design, IEEE (2006). [7] Arshad Aziz, An E_cient FPGA Based sequential Implementation of Advanced Encryption Standard, IEEE, (2004). [8] Chih-Pin Su, Chia-Lung Horng, Chih-Tsun Huang and Cheng-Wen Wu, A Con_gurable AES Processor for Enhanced Security, IEEE, , (2005). [9] Chi-Feng Lu, Yan-Shun Kao, Hsia-Ling Chiang, Chung- Huang Yang, Fast Implementation of AES Cryptographic Algorithms in Smart cards, IEEE, (2003). [10] LIU Niansheng, GUO Donghui and Huang Jiaxiang, AES Algorithm Implementation for PDA Secure Communication with Java, IEEE, (2007). [11] Xinmiao Zhang and Keshab K Parhi, On the Optimum Constructions of Composite Field for the AES Algorithms, IEEE Transactions on Circuits and Systems - II Express briefs, Vol 53 No 10, (2006). [12] Ulrich Mayer, Christopher Oelsner and Thomas Kohler, Evaluation of Different Rijndael Implementation for High End servers, 2002 IEEE, II , (2002). [13] Xinmiao Zhang and Keshab K. Parhi, Implementation Approaches for the Advanced Encryption Standard Algorithm, IEEE, (2002). [14] Xiao Ni, Weiren Shi and Victor Foo Siang Fook, AES Security Protocol Implementation for Automobile Remote Keyless Systems, IEEE, (2007). [15] Nicolas T. Courtois, CTC2 and Fast Algebraic Attacks on Block Cipher Revisited (2002). [16] Baodian Wei Dongsu Liu and Xinmeiwang, Activity Attack on Rijindael, Proceedings of the 17th International Conference on Advanced Information Networking and Applications IEEE, (2003). [17] Cheon J., Kim M., Kim K., J.Y. Lee, S.W.K. Improved Impossible Differential Cryptanalysis of Rijndael and Crypton. In Kim, K., ed.: 4th International Conference on Information Security and Cryptology, ICISC Volume 2288 of LNCS., Springer-Verlag (2002) [18] Gilbert H., Minier M. A collision attack on seven rounds of Rijndael. In: Proc. 3rd AES Conference (AES3). (2000). Special Issue June-2014, Paper id - IJRETM-2014-SP

11 [19] Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M.,Wagner D., Whiting D., Improved Cryptanalysis of Rijndael. In Schneier, B., ed.: Fast Software Encryption, 7th International Workshop, FSE Volume 1978 of LNCS., Springer-Verlag (2001). [20] Rande R. Schroeppel N.F., Whiting D. A Simple Algebraic Representation of Rijndael. In Selected Areas in Cryptography, 8th Annual International Workshop,SAC Volume 2259 of LNCS, Springer-Verlag (2001) [21] Schneier B. AES News. Crypto-gram newsletter, Counterpane Internet Security,Inc. (2002). [22] Courtois N., Pieprzyk J. Cryptanalysis of Block Ciphers with Overde_ned Systems of Equations. Cryptology eprint Archive: Report 2002/044 (2002). [23] Courtois N., Pieprzyk J. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In Zheng, Y., ed., Advances in Cryptology - ASIACRYPT 2002: 8th International Conference on Theory and Application of Cryptology and Information Security. Volume 2501 of LNCS., Springer-Verlag (2002), [24] Courtois N., Goubin L., Meier W., Tacier J.D. Solving under defined systems of multivariate quadratic equations. In: PKC Volume 2274 of LNCS., Springer- Verlag (2002) [25] Courtois N., Patarin J. About the XL Algorithm over GF(2). In Joye, M., ed. Topics in Cryptology - CT-RSA 2003, The Cryptographers' Track at the RSA Conference Volume 2612 of LNCS., Springer-Verlag (2003) [26] Moh T. On the Courtois-Pieprzyk's Attack on Rijndael.Web page (2002) [27] Schneier B. More on AES Cryptanalysis.Crypto-gram newsletter, Counterpane Internet Security, Inc. (2002). [28] Murphy S., Robshaw M. Essential Algebraic Structure within the AES. In Yung, M., ed.: Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference. Volume 2442 of LNCS., Springer-Verlag (2002) [29] Murphy S., Robshaw M. Comments on the Security of the AES and the XSL Technique (2002). mrobshaw/rijndael/xslnote. [30] Coppersmith D., Impact of Courtois and Pieprzyk results. Forum message (2002) [31] Fuller J., Millan W. On Linear Redundancy in the AES S-Box. Cryptology eprint Archive: Report 2002/111 (2002). [32] FILIOL E. Plaintext-dependant repetition codes cryptanalysis of block ciphers - the aes case. Cryptology eprint Archive: Report 2003/003 (2003). Special Issue June-2014, Paper id - IJRETM-2014-SP