0

It seems AES uses fixed shiftrows as follows:

B0  B4  B8  B12  No shift
B1  B5  B9  B13  Right-shift 3 places
B2  B6  B10 B14  Right-shift 2 places
B3  B7  B11 B15  Right-shift 1 place

Would it make a difference to security if the rows were shifted differently? Not to disturb the carefully selected shifts (0, 1, 2 and 3 shifts), but just the order of them. For example:

Right-shift 3 places
No shift
Right-shift 1 place
Right-shift 2 places
e-sushi
Red Book 1

1 Answer

2

No, it would not make a difference to security, but it will no longer be AES since it does not match the specification.

As long as all 4 rows have a different rotation count through 0-3 bytes, the permutation will fully mix the state after 2 rounds.

Richie Frame
  • Actually, we don't know if it would make a difference to security. The proofs against linear and differential crypto would still apply; however there are deeper attacks against (reduced round) AES known; unless someone sits down and studies how these attacks would work against the modified AES (and they may work better, and they may work worse), one ought to be hesitant to say – poncho Aug 01 '16 at 15:54
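
The two-round mixing claim in the answer can be checked structurally. The Python sketch below is an added example, not code from the original answer: it tracks which of the 16 input bytes each state byte depends on through ShiftRows and MixColumns for every choice of row offsets, assuming SubBytes and AddRoundKey act bytewise and that each MixColumns output byte depends on its whole column (function names are illustrative). It measures diffusion only and does not address the deeper attacks raised in the comment.

```python
from itertools import permutations, product

FULL = (1 << 16) - 1  # bitmask meaning "depends on all 16 input bytes"

def shift_rows(state, offsets):
    """Right-rotate row r by offsets[r]; byte index is row + 4*col (B0..B15 as in the question)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            out[r + 4 * ((c + offsets[r]) % 4)] = state[r + 4 * c]
    return out

def mix_columns(state):
    """Assumption: every output byte of a column depends on all four bytes of that column."""
    out = [0] * 16
    for c in range(4):
        col = 0
        for r in range(4):
            col |= state[r + 4 * c]
        for r in range(4):
            out[r + 4 * c] = col
    return out

def rounds_to_full_diffusion(offsets, max_rounds=8):
    """Rounds until every byte depends on every input byte, or None if that never happens."""
    state = [1 << i for i in range(16)]  # byte i initially depends only on itself
    for n in range(1, max_rounds + 1):
        state = mix_columns(shift_rows(state, offsets))
        if all(s == FULL for s in state):
            return n
    return None

def survey():
    """Diffusion round count for all 256 possible offset tuples."""
    return {o: rounds_to_full_diffusion(o) for o in product(range(4), repeat=4)}

if __name__ == "__main__":
    print("AES order (0,3,2,1):", rounds_to_full_diffusion((0, 3, 2, 1)))
    print("Question's order (3,0,1,2):", rounds_to_full_diffusion((3, 0, 1, 2)))
    print("Repeated offset (0,0,1,2):", rounds_to_full_diffusion((0, 0, 1, 2)))
```

Exactly the 24 orderings of the offsets 0 to 3 reach full diffusion in two rounds; any tuple with a repeated offset needs more rounds or never gets there.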