Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES

At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES, based on the “multiple-of-8” property, was presented. Although it makes it possible to distinguish a random permutation from an AES-like one, it seems rather hard to mount a key-recovery attack other than brute force using such a distinguisher. In this paper we introduce “Mixture Differential Cryptanalysis” on round-reduced AES-like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though on a smaller number of rounds). Given a pair of chosen plaintexts, the idea is to construct new pairs of plaintexts by mixing the generating variables of the original pair. Here we theoretically prove that for 4-round AES the ciphertexts of the original pair of plaintexts lie in a particular subspace if and only if the ciphertext pairs of the new pairs of plaintexts have the same property. Such a secret-key distinguisher, which is independent of the secret key, of the details of the S-Box and of the MixColumns matrix (except for its branch number, which must be 5), can be used as a starting point to set up new key-recovery attacks on round-reduced AES. Besides a theoretical explanation, we also provide a practical verification both of the distinguisher and of the attack.
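The following is an added example, not code from the paper or its authors, that checks the 4-round mixture property on a key-independent AES-128 round function. It reads the abstract in the usual subspace-trail notation (an assumption of the example): the two plaintexts lie in the same coset of the column space C_0, the "generating variables" are the four bytes of that column, a mixture swaps any subset of those bytes between the two texts (giving 8 unordered pairs, the original included), and the target subspace is M_J = MixColumns(ID_J), with J = {1,2,3} so that the inverse-MixColumns image of the ciphertext difference must vanish on the inverse diagonal ID_0. Round keys are constructed random values with no key schedule, since the property does not depend on them, and all four rounds keep MixColumns. Because a random pair lands in M_J with probability only 2^-32, the example does not sample pairs; it uses the observation (derived here, and also asserted by the code) that after two rounds the difference of a column pair is a XOR of four single-variable contributions, so a four-list XOR search over 4 x 255 two-round encryptions finds a pair whose 2-round difference vanishes on D_0, which rounds 3 and 4 map exactly onto the M_J condition. The byte layout (index = 4*column + row), helper names and the control pair are all the example's own choices.

```python
"""Added example (not from the paper): the 4-round AES mixture property on a toy,
key-independent AES-128 round function with constructed round keys.
Conventions (assumed): state = 16 bytes, index = 4*col + row; C_j = column j;
D_j = diagonal j, bytes (r, j+r); ID_j = inverse diagonal j, bytes (r, j-r); M_J = MC(ID_J).
"""
import itertools
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def _make_sbox():
    """The real AES S-box: inverse in GF(2^8) (a^254, with 0 -> 0) then the affine map."""
    box = []
    for a in range(256):
        b = gf_pow(a, 254)
        s = b
        for k in range(1, 5):
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()
MC_MATRIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MC_MATRIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))
MUL = {c: [gf_mul(v, c) for v in range(256)] for c in (1, 2, 3, 9, 11, 13, 14)}

def sub_bytes(s):
    return [SBOX[v] for v in s]

def shift_rows(s):
    # row r is rotated left by r positions: new (r, c) <- old (r, c + r)
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix(s, m):
    return [MUL[m[r][0]][s[4*c]] ^ MUL[m[r][1]][s[4*c+1]] ^ MUL[m[r][2]][s[4*c+2]] ^ MUL[m[r][3]][s[4*c+3]]
            for c in range(4) for r in range(4)]

def mix_columns(s):
    return _mix(s, MC_MATRIX)

def inv_mix_columns(s):
    return _mix(s, INV_MC_MATRIX)

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def encrypt(state, round_keys, rounds):
    """Whitening key, then `rounds` full rounds (SB, SR, MC, AK); keys are independent constants."""
    s = xor(state, round_keys[0])
    for k in round_keys[1:rounds + 1]:
        s = xor(mix_columns(shift_rows(sub_bytes(s))), k)
    return s

def diag(j):
    return [4 * ((j + r) % 4) + r for r in range(4)]        # byte indices of D_j

def inv_diag(j):
    return [4 * ((j - r) % 4) + r for r in range(4)]        # byte indices of ID_j

def in_mixed_space(diff, J):
    """diff in M_J  <=>  InvMixColumns(diff) is zero on every inverse diagonal ID_j with j not in J."""
    pre = inv_mix_columns(diff)
    return all(pre[idx] == 0 for j in range(4) if j not in J for idx in inv_diag(j))

def column_pair(base, x, y):
    """Two states in the same coset of C_0 whose column 0 holds the generating variables x and y."""
    a, b = list(base), list(base)
    a[0:4], b[0:4] = list(x), list(y)
    return a, b

def mixtures(base, x, y):
    """The 8 unordered mixture pairs: byte 0 stays with x, bytes in S are swapped between the texts."""
    subsets = itertools.chain.from_iterable(itertools.combinations((1, 2, 3), n) for n in range(4))
    return [column_pair(base, [y[i] if i in S else x[i] for i in range(4)],
                        [x[i] if i in S else y[i] for i in range(4)]) for S in subsets]

def find_good_pair(seed=1, J=(1, 2, 3)):
    """Constructed instance: keys, base state and variables x, y (all four bytes differing) with
    R^4(a) xor R^4(b) in M_J.  The 2-round difference of a column pair is a XOR of four
    single-variable terms, so a 4-list XOR search finds a pair whose 2-round difference vanishes
    on D_j (j not in J), which rounds 3 and 4 map exactly onto the M_J condition."""
    rng = random.Random(seed)
    zero_diag = [idx for j in range(4) if j not in J for idx in diag(j)]
    while True:
        keys = [[rng.randrange(256) for _ in range(16)] for _ in range(5)]
        base = [rng.randrange(256) for _ in range(16)]
        x, ref = base[0:4], encrypt(base, keys, 2)
        contrib = []                          # contrib[i][v]: D-bytes of the 2-round diff if only x_i -> v
        for i in range(4):
            tab = {}
            for v in range(256):
                if v != x[i]:
                    b = list(base); b[i] = v
                    d = xor(encrypt(b, keys, 2), ref)
                    tab[v] = tuple(d[idx] for idx in zero_diag)
            contrib.append(tab)
        left = {tuple(p ^ q for p, q in zip(t0, t1)): (v0, v1)
                for v0, t0 in contrib[0].items() for v1, t1 in contrib[1].items()}
        for v2, t2 in contrib[2].items():
            for v3, t3 in contrib[3].items():
                hit = left.get(tuple(p ^ q for p, q in zip(t2, t3)))
                if hit:
                    return keys, base, x, [hit[0], hit[1], v2, v3]

def check_mixture_property(keys, base, x, y, J=(1, 2, 3)):
    """Returns (all 8 mixtures agree on M_J, their 2-round differences coincide,
    verdict of the original pair, verdict of a control pair that is not a mixture)."""
    pairs = mixtures(base, x, y)
    verdicts = [in_mixed_space(xor(encrypt(a, keys, 4), encrypt(b, keys, 4)), J) for a, b in pairs]
    two_round = {tuple(xor(encrypt(a, keys, 2), encrypt(b, keys, 2))) for a, b in pairs}
    # control: shares bytes with both texts but is not a mixture of (x, y), so the x_1 term
    # of the 2-round difference no longer cancels and the property is lost
    a, ctrl = column_pair(base, x, [y[0], x[1], y[2], y[3]])
    ctrl_ok = in_mixed_space(xor(encrypt(a, keys, 4), encrypt(ctrl, keys, 4)), J)
    return len(set(verdicts)) == 1, len(two_round) == 1, verdicts[0], ctrl_ok

if __name__ == "__main__":
    keys, base, x, y = find_good_pair()
    agree, same2, original, control = check_mixture_property(keys, base, x, y)
    print("original pair in M_J:", original, "| all 8 mixtures agree:", agree,
          "| identical 2-round differences:", same2, "| non-mixture control pair:", control)
```

Running the script constructs one pair whose 4-round ciphertext difference lies in M_J, confirms that all eight mixtures of it share that verdict (and even the same 2-round difference), and shows that a pair built from the same bytes but not as a mixture does not. The search in find_good_pair is only a convenience for producing a positive instance offline; the distinguisher itself is the agreement across mixtures, which a random permutation has no reason to exhibit.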
