Low-Data Complexity Attacks on AES

The majority of current attacks on reduced-round variants of block ciphers seek to maximize the number of rounds that can be broken, using less data than the entire codebook and less time than exhaustive key search. In this paper, we pursue a different approach, restricting the data available to the adversary to a few plaintext/ciphertext pairs. We argue that consideration of such attacks (which have received little attention in recent years) improves our understanding of the security of block ciphers and of other cryptographic primitives based on block ciphers. In particular, these attacks can be leveraged into more complex attacks, either on the block cipher itself or on other primitives (e.g., stream ciphers, MACs, or hash functions) that use a small number of rounds of the block cipher as one of their components. As a case study, we consider the Advanced Encryption Standard (AES), the most widely used block cipher. The AES round function is used in many cryptographic primitives, such as the hash functions Lane, SHAvite-3, and Vortex or the message authentication codes ALPHA-MAC, Pelican, and Marvin. We present attacks on up to four rounds of AES that require at most three known/chosen plaintexts. We then apply these attacks to cryptanalyze an AES-based stream cipher (which follows the leak extraction methodology), and to mount the best known-plaintext attack on six-round AES.
