# Chapter 4 Cryptanalysis on Block Ciphers

In this chapter, several cryptanalyses against block ciphers are introduced. The discussion focuses mainly on AES-128, that is, AES with a 128-bit key, although much of it also applies to block ciphers in general.

The ideal security of block ciphers and the goal of cryptanalysis are defined first. Then, techniques from several cryptanalytic approaches are introduced. The first topic is differential cryptanalysis, which provides the basic concepts of cryptanalysis. The second topic is impossible differential cryptanalysis. The last topic is integral cryptanalysis. Key recovery attacks against reduced-round versions of AES-128 are demonstrated for each approach.

## 4.1 Basics of Cryptanalysis

*4.1.1 Block Ciphers*

A block cipher *E* takes as input a key *K* of a fixed bit-length and produces a one-to-one map (permutation) from *b*-bit plaintexts to *b*-bit ciphertexts, where *b* is the bit-length of the fixed block size. Let *k* be the bit-length of the fixed key size. Then, block ciphers are described as follows:

**4.1**
**4.2**
The permutation is required to behave completely independently for different choices ...