12

The number of AES rounds increases with the key length. Why increase the number of rounds at all, and how were these round counts chosen?

2 Answers2

9

There are two reasons:

  • More rounds means more security against cryptanalysis, simply, since there is more confusion and diffusion.
  • For a secure block cipher, there should be no attack faster than exhaustive key search (i.e. brute force). As exhaustive key search takes a lot longer for a larger key size, a theoretical attacker can afford more work to "break" the larger cipher. Thus we also increase the round number a bit to increase the security level of our cipher accordingly.
  • For a larger key size (as well as a larger block size), we need more rounds so that every key bit affects every ciphertext bit in a similar way, i.e. without measurable differences which would allow any cryptanalysis.

The 10 rounds for AES-128 seem to be about the lower level of what is (approximately) 128-bit-secure, and 10 rounds for a AES-256-like-cipher would have way below 256 bits of security.

Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
9

Some quotes from The Design of Rijndael (pdf, see Section 3.5 "The Number of Rounds"):

For Rijndael with a block length and key length of 128 bits, no shortcut attacks had been found for reduced versions with more than six rounds. We added four rounds as a security margin.

The addition of four rounds is justified by:

Two rounds of Rijndael provide 'full diffusion' in the following sense: every state bit depends on all state bits two rounds ago, or a change in one state bit is likely to affect half of the state bits after two rounds. Adding four rounds can be seen as adding a 'full diffusion step' at the beginning and at the end of the cipher.

Regarding longer key lengths:

For Rijndael versions with a longer key, the number of rounds was raised by one for every additional 32 bits in the cipher key.

Unfortunately no derivation of this magic 1:32 ratio is given.

otus
  • 32,462
  • 5
  • 75
  • 167