Extended Truncated-differential Distinguishers on Round-reduced AES

Distinguishers on round-reduced AES have attracted considerable attention in recent years. While the number of rounds covered by key-recovery attacks has not increased, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis have advanced the understanding of the cipher's properties. For substitution-permutation networks, integral attacks are a natural target for extension, since they usually end after a linear layer that sums several subcomponents. Building on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that of a random primitive; their targets, however, remained lightweight primitives. The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over four and five rounds. In contrast to previous distinguishers by Grassi et al., our approach allows us to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.'s established Small-AES version. While the distinguishers do not threaten the security of the AES, they shed more light on its properties.
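The two ingredients the abstract combines, the three-round integral property of an AES-like SPN and Patarin's observation that a XOR-sum of permutations collides slightly more often than a random function, can both be checked on a toy cipher. The following is an added example and not code from the paper or from Cid et al.: a 4x4-nibble AES-like cipher in the style of the small-scale AES variants. The 4-bit S-box table is assumed to be the Small-AES one (any bijection gives the same structural behaviour), MixColumns is the AES circulant (2, 3, 1, 1) over GF(2^4) modulo x^4 + x + 1, and the round keys are drawn from a seeded generator rather than a real key schedule, which plays no role in the properties shown. `delta_set`, `nibbles_are_permutations`, `integral_xor_sum`, `collision_prob_sum_of_perms` and `mean_collisions` are names chosen for this example.

```python
# Added example (not code from the paper or from Cid et al.): a 4x4-nibble AES-like
# toy cipher plus collision statistics of a XOR-sum of permutations vs a random function.
import random
from itertools import combinations

# 4-bit S-box (assumed to be the Small-AES table; any bijection behaves the same here).
SBOX = [0x6, 0xB, 0x5, 0x4, 0x2, 0xE, 0x7, 0xA, 0x9, 0xD, 0xF, 0xC, 0x3, 0x1, 0x0, 0x8]
ROUNDS = 3
# Round keys from a seeded generator (constructed; not the real key schedule,
# which plays no role in the properties shown below).
_rng = random.Random(2020)
KEYS = [[_rng.randrange(16) for _ in range(16)] for _ in range(ROUNDS + 1)]

def gf16_mul(a, b):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (0x13)."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r & 0xF

def sub_nibbles(s):
    return [SBOX[x] for x in s]

def shift_rows(s):
    # State index = row + 4*col (column-major); row r rotates left by r positions.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    # Circulant (2, 3, 1, 1) matrix over GF(2^4), applied to each column.
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf16_mul(2, col[r]) ^ gf16_mul(3, col[(r + 1) % 4])
                       ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return out

def add_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def encrypt(pt, rounds=ROUNDS, round_keys=KEYS):
    """Initial key addition, then `rounds` full rounds of SB, SR, MC, AK."""
    s = add_key(pt, round_keys[0])
    for r in range(1, rounds + 1):
        s = add_key(mix_columns(shift_rows(sub_nibbles(s))), round_keys[r])
    return s

def delta_set(base, pos):
    """16 plaintexts taking every value in nibble `pos`, constant elsewhere."""
    return [base[:pos] + [v] + base[pos + 1:] for v in range(16)]

def nibbles_are_permutations(base, pos, rounds):
    """True iff every ciphertext nibble takes all 16 values over the delta-set."""
    cts = [encrypt(pt, rounds) for pt in delta_set(base, pos)]
    return all(len({ct[i] for ct in cts}) == 16 for i in range(16))

def integral_xor_sum(base, pos, rounds=ROUNDS):
    """XOR of the 16 ciphertexts of a delta-set; all-zero after three rounds."""
    total = [0] * 16
    for pt in delta_set(base, pos):
        total = add_key(total, encrypt(pt, rounds))
    return total

def collision_prob_sum_of_perms(k, n):
    """Exact Pr[F(x) = F(y)], x != y, for F = P_1 xor ... xor P_k with independent
    random n-bit permutations P_i: 0 for k = 1, 1/(2^n - 1) for k = 2 (above the
    2^-n of a random function), and p_k = (1 - p_{k-1})/(2^n - 1) in general."""
    N = 1 << n
    p = 0.0
    for _ in range(k - 1):
        p = (1 - p) / (N - 1)
    return p

def count_collisions(f):
    return sum(1 for x, y in combinations(range(len(f)), 2) if f[x] == f[y])

def mean_collisions(n, k, trials, seed=1):
    """Mean number of colliding input pairs over all 2^n inputs, for a XOR-sum
    of k random permutations and for a random function (Monte Carlo)."""
    rng = random.Random(seed)
    N = 1 << n
    tot_perm = tot_func = 0
    for _ in range(trials):
        f = [0] * N
        for _ in range(k):
            p = list(range(N))
            rng.shuffle(p)
            f = [a ^ b for a, b in zip(f, p)]
        tot_perm += count_collisions(f)
        tot_func += count_collisions([rng.randrange(N) for _ in range(N)])
    return tot_perm / trials, tot_func / trials

if __name__ == "__main__":
    base = [0] * 16
    print("2 rounds, all nibbles permutations:", nibbles_are_permutations(base, 0, 2))
    print("3-round XOR-sum:", integral_xor_sum(base, 0))
    print("mean collisions over 16 inputs (2 perms, random func):", mean_collisions(4, 2, 4000))
```

The chain the abstract alludes to is visible in the checks: one active input nibble spreads to one column after the first MixColumns, and because every MixColumns coefficient is non-zero, every state nibble is a permutation of the active nibble after two rounds. The third round's S-box then yields sixteen permutations and the final MixColumns makes each ciphertext nibble the XOR of four of them, which is both why the XOR over the delta-set vanishes and why the output can be modelled as a sum of PRPs. `collision_prob_sum_of_perms` gives the exact pair-collision probability of such a sum under the idealised model (for two permutations on 4 bits, 1/15 against 1/16 for a random function, i.e. 8 versus 7.5 expected colliding pairs over the whole domain), and `mean_collisions` reproduces the gap empirically.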

[1] Chenhui Jin, et al. Upper bound of the length of truncated impossible differentials for AES, 2018, Des. Codes Cryptogr.

[2] Vincent Rijmen, et al. Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis, 2016, EUROCRYPT.

[3] Meiqin Wang, et al. Statistical Integral Distinguisher with Multi-structure and Its Application on AES, 2017, ACISP.

[4] Ali Aydin Selçuk, et al. On Probability of Success in Linear and Differential Cryptanalysis, 2008, Journal of Cryptology.

[5] Jacques Patarin. Generic Attacks for the Xor of k Random Permutations, 2013, ACNS.

[6] Yu Sasaki, et al. Meet-in-the-Middle Technique for Integral Attacks against Feistel Ciphers, 2012, Selected Areas in Cryptography.

[7] Adi Shamir, et al. Key Recovery Attacks on 3-round Even-Mansour, 8-step LED-128, and Full AES2, 2013, IACR Cryptol. ePrint Arch.

[8] Anne Canteaut, et al. PRINCE - A Low-Latency Block Cipher for Pervasive Computing Applications - Extended Abstract, 2012, ASIACRYPT.

[9] Valérie Nachef, et al. Improved Attacks on Extended Generalized Feistel Networks, 2016, CANS.

[10] Yosuke Todo, et al. FFT Key Recovery for Integral Attack, 2014, CANS.

[11] Sondre Rønjom, et al. The Exchange Attack: How to Distinguish 6 Rounds of AES with 2^{88.2} chosen plaintexts, 2019, IACR Cryptol. ePrint Arch.

[12] Andrey Bogdanov, et al. PRESENT: An Ultra-Lightweight Block Cipher, 2007, CHES.

[13] Michael Tunstall, et al. Improved "Partial Sums"-based Square Attack on AES, 2012, SECRYPT.

[14] Lorenzo Grassi, et al. MixColumns Properties and Attacks on (round-reduced) AES with a Single Secret S-Box, 2018, IACR Cryptol. ePrint Arch.

[15] Andrey Bogdanov, et al. Biclique Cryptanalysis of the Full AES, 2011, ASIACRYPT.

[16] Vincent Rijmen, et al. The Design of Rijndael: AES - The Advanced Encryption Standard, 2002.

[17] María Naya-Plasencia, et al. Making the Impossible Possible, 2016, Journal of Cryptology.

[18] Adi Shamir, et al. Cube Attacks on Tweakable Black Box Polynomials, 2009, IACR Cryptol. ePrint Arch.

[19] Bruce Schneier, et al. Improved Cryptanalysis of Rijndael, 2000, FSE.

[20] Adi Shamir, et al. Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities, 2019, Journal of Cryptology.

[21] Valérie Nachef, et al. Improvements of Attacks on Various Feistel Schemes, 2016, Mycrypt.

[22] H. Heys. Integral cryptanalysis of the BSPN block cipher, 2013, 2014 27th Biennial Symposium on Communications (QBSC).

[23] Marine Minier, et al. A Collision Attack on 7 Rounds of Rijndael, 2000, AES Candidate Conference.

[24] Tor Helleseth, et al. Yoyo Tricks with AES, 2017, ASIACRYPT.

[25] Adi Shamir, et al. The Retracing Boomerang Attack, 2020, IACR Cryptol. ePrint Arch.

[26] Vincent Rijmen, et al. Links Among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis, 2015, CRYPTO.

[27] Stefan Kölbl, et al. Security of the AES with a Secret S-Box, 2015, FSE.

[28] Lorenzo Grassi, et al. Probabilistic Mixture Differential Cryptanalysis on Round-Reduced AES, 2019, SAC.

[29] Kaisa Nyberg, et al. Differentially Uniform Mappings for Cryptography, 1994, EUROCRYPT.

[30] Matthew J. B. Robshaw, et al. Small Scale Variants of the AES, 2005, FSE.

[31] Gregor Leander, et al. On the Classification of 4 Bit S-Boxes, 2007, WAIFI.

[32] Valérie Nachef, et al. 4-point Attacks with Standard Deviation Analysis on A-Feistel Schemes, 2014, IACR Cryptol. ePrint Arch.

[33] Christof Paar, et al. Block Ciphers - Focus on the Linear Layer (feat. PRIDE), 2014, CRYPTO.

[34] Christian Rechberger, et al. New Rigorous Analysis of Truncated Differentials for 5-round AES, 2018, IACR Cryptol. ePrint Arch.

[35] Anne Canteaut, et al. A General Proof Framework for Recent AES Distinguishers, 2019, IACR Cryptol. ePrint Arch.

[36] Valérie Nachef, et al. Automatic Expectation and Variance Computing for Attacks on Feistel Schemes, 2016, IACR Cryptol. ePrint Arch.

[37] Christian Rechberger, et al. A New Structural-Differential Property of 5-Round AES, 2017, EUROCRYPT.

[38] Vincent Rijmen, et al. The Block Cipher Square, 1997, FSE.

[39] Howard M. Heys, et al. Substitution-permutation networks resistant to differential and linear cryptanalysis, 1996, Journal of Cryptology.

[40] Navid Ghaedi Bardeh, et al. A Key-Independent Distinguisher for 6-round AES in an Adaptive Setting, 2019, IACR Cryptol. ePrint Arch.

[41] Palash Sarkar, et al. Rigorous upper bounds on data complexities of block cipher cryptanalysis, 2015, IACR Cryptol. ePrint Arch.

[42] Yosuke Todo, et al. Structural Evaluation by Generalized Integral Property, 2015, EUROCRYPT.

[43] Sihem Mesnager, et al. Statistical integral distinguisher with multi-structure and its application on AES-like ciphers, 2018, Cryptography and Communications.

[44] Andrey Bogdanov, et al. Integrals Go Statistical: Cryptanalysis of Full Skipjack Variants, 2016, FSE.

[45] Ali Aydin Selçuk, et al. A Meet-in-the-Middle Attack on 8-Round AES, 2008, FSE.

[46] Vincent Rijmen, et al. Improved Impossible Differential Cryptanalysis of 7-Round AES-128, 2010, INDOCRYPT.

[47] Vincent Rijmen, et al. New Insights on AES-Like SPN Ciphers, 2016, CRYPTO.

[48] Chenhui Jin, et al. More accurate results on the provable security of AES against impossible differential cryptanalysis, 2019, Designs, Codes and Cryptography.

[49] Christian Rechberger, et al. Subspace Trail Cryptanalysis and its Applications to AES, 2017, IACR Trans. Symmetric Cryptol.

[50] Sondre Rønjom. A Short Note on a Weight Probability Distribution Related to SPNs, 2019, IACR Cryptol. ePrint Arch.

[51] Jung Hee Cheon, et al. Improved Impossible Differential Cryptanalysis of Rijndael and Crypton, 2001, ICISC.

[52] Vincent Rijmen, et al. A New Classification of 4-bit Optimal S-boxes and Its Application to PRESENT, RECTANGLE and SPONGENT, 2015, FSE.

[53] Lorenzo Grassi, et al. Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES, 2018, IACR Cryptol. ePrint Arch.

[54] Valérie Nachef, et al. Generic attacks with standard deviation analysis on a-feistel schemes, 2017, Cryptography and Communications.

[55] Yosuke Todo. FFT-Based Key Recovery for the Integral Attack, 2014, IACR Cryptol. ePrint Arch.

[56] Chunhua Su, et al. A New Statistical Approach for Integral Attack, 2015, NSS.

[57] Kai Hu, et al. Towards Key-Dependent Integral and Impossible Differential Distinguishers on 5-Round AES, 2018, IACR Cryptol. ePrint Arch.

[58] Jérémy Jean, et al. Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting, 2013, IACR Cryptol. ePrint Arch.