6

Rijndael was the only AES candidate which defined a different number of rounds for their 128, 192, and 256-bit versions (10, 12, and 14, respectively). The others had a fixed number of rounds (32 for Serpent, 16 for Twofish, etc.) regardless of the key size. Why was this? It may have reflected the intention of having three different security levels and leaning towards speed for the "lower" security level, but that still doesn't explain why only Rijndael did this instead of settling on, say, 14 rounds.

Is there some cryptographic attack which is unique to Rijndael which would warrant this?

forest

1 Answer

10

> The others had a fixed number of rounds (32 for Serpent, 16 for Twofish, etc.) regardless of the key size. Why was this? Is there some cryptographic attack which is unique to Rijndael which would warrant this?

During the second AES conference, the Rijndael team was asked about this design decision. They turned it around, and pointed out that smaller keys have a smaller level of security (and hence a lower threshold on what would be considered a break). After all, an attack that works with effort $O(2^{180})$ would be considered a break against a 256 bit key, but not against a 128 bit key, hence for 128 bit keys, you can get by with fewer rounds. The same type of reasoning would appear to be applicable to the other candidates (although it would be a tad more complicated with MARS, given that it uses multiple types of rounds internally).

Now, the Serpent team responded that they didn't want to give anyone a reason not to use 256 bit keys, hence they would not consider a faster version for shorter keys. As for the other three teams (MARS, RC6, Twofish), it appears that it just never occurred to them.

poncho