Attacking 6 rounds with the Square attack

This is the final extension of the SQUARE attack we will talk about.

We can gain an extra round by adding a round at the beginning. Here's how it works:

The extra round placed at the beginning outputs exactly the Λ-set that the previous attack took as the input to its first round.

This way, nothing changes in how the rest of the attack is performed.

Here is what it looks like, without yet revealing the magic behind the additional first round and the pre-whitening phase (hidden behind the unknown).

To obtain this Λ-set we once again need to guess some key bytes: four more bytes, to be exact, of the first subkey (the one added before the first round).

The way to do this is to generate \(2^{32}\) plaintexts, all having the same bytes in the inactive positions and covering all the possible values of the first byte column (right before the first round's MixColumns transformation).

This way, once you make a key guess, you only need to pick the relevant plaintexts out of this set, instead of generating a fresh set of plaintexts that the first round transforms into a Λ-set.
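The selection step described above, as an added example that is not part of the original post: for a guess of the four pre-whitening key bytes, it picks from the \(2^{32}\) structure the plaintexts that the extra round maps to a Λ-set, then checks the result against the true key. It assumes the standard AES round (AddRoundKey, SubBytes, ShiftRows, MixColumns), which places the four guessed bytes on the diagonal positions 0, 5, 10, 15; the key `K0` and base plaintext `BASE` are constructed demo values.

```python
from functools import reduce
from operator import xor

def xtime(a):                          # multiply by x in GF(2^8), AES polynomial
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):                        # general multiplication in GF(2^8)
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox(x):                          # AES S-box: field inversion, then the affine map
    inv = next((y for y in range(256) if gmul(x, y) == 1), 0)
    return reduce(xor, (((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5))) ^ 0x63

SBOX = [_sbox(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
MC, INV_MC = (2, 3, 1, 1), (14, 11, 13, 9)
DIAG = (0, 5, 10, 15)                  # bytes ShiftRows moves into column 0 (index = row + 4*col)

def mix_column(col, coeffs):           # circulant matrix: row i uses coeffs rotated by i
    return [reduce(xor, (gmul(coeffs[(j - i) % 4], col[j]) for j in range(4))) for i in range(4)]

def first_round(pt, k0):               # the extra round: AddRoundKey, SubBytes, ShiftRows, MixColumns
    s = [SBOX[p ^ k] for p, k in zip(pt, k0)]
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
    return [b for c in range(4) for b in mix_column(s[4 * c:4 * c + 4], MC)]

def select_lambda_set(base_pt, guess):
    """Pick, from the 2^32 structure varying the DIAG bytes of base_pt, the 256 plaintexts
    that `guess` (4 bytes of the pre-whitening key) maps to a Λ-set after the extra round."""
    pts = []
    for a in range(256):
        col = mix_column([a, 0, 0, 0], INV_MC)   # what MixColumns must receive
        pt = list(base_pt)
        for r in range(4):
            pt[DIAG[r]] = INV_SBOX[col[r]] ^ guess[r]
        pts.append(bytes(pt))
    return pts

def is_lambda_set(states, active=0):   # byte `active` takes all 256 values, the rest are constant
    cols = list(zip(*states))
    return len(set(cols[active])) == 256 and all(len(set(c)) == 1 for i, c in enumerate(cols) if i != active)

K0 = bytes(range(0x10, 0x20))          # constructed demo pre-whitening key (not real data)
BASE = bytes(16)                       # constructed base plaintext for the structure
def demo(guess):                       # run the extra round with the true key over the chosen plaintexts
    return is_lambda_set([first_round(pt, K0) for pt in select_lambda_set(BASE, guess)])
```

`demo` returns True only for the correct four key bytes; a guess that is wrong in even one byte yields a set that is no longer a Λ-set, which is what lets the rest of the attack reject it.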

For this attack, you need to guess \(5+4=9\) bytes of subkeys, which in a worst-case scenario means going through \(2^{8 \cdot 9} = 2^{72}\) possibilities.

\(2^{72}\) operations is a lot, but far better than going through all \(2^{128}\) keys of AES-128, and so by definition it is a successful cryptanalysis.

That's it! You've reached the end of this set :)

There is more to the Square attack, and to structural attacks in general. How does it extend to AES-192 and AES-256? What about other ciphers? How do false positives influence the complexity of the attacks? ...

You can read more about it, or you can look at a different attack in our next set.