A Collision Attack on 7 Rounds of Rijndael.
H. Gilbert and M. Minier

Rijndael is one of the five candidate block ciphers selected by NIST for the final phase of the AES selection process. The best attack on Rijndael so far is due to the algorithm designers; this attack is based upon the existence of an efficient distinguisher between 3 Rijndael inner rounds and a random permutation, and it is limited to 6 rounds for each of the three possible values of the keysize parameter (128 bits, 196 bits and 256 bits). In this paper, we construct an efficient distinguisher between 4 inner rounds of Rijndael and a random permutation of the block space, by exploiting the existence of collisions between some partial functions induced by the cipher. We present an attack based upon this 4-round distinguisher that requires $2^{32}$ chosen plaintexts and is applicable to up to 7 rounds for the 196 keybits and 256 keybits versions of Rijndael. Since the minimal number of rounds in the Rijndael parameter settings proposed for AES is 10, our attack does not endanger the security of the cipher, indicate any flaw in the design or prove any inadequacy in the selection of the number of rounds. The only claim we make is that our results represent improvements of the previously known cryptanalytic results on Rijndael.