1 Introduction

1.1 Background

In symmetric-key cryptanalysis, one usually starts by identifying a distinguisher on the reduced-round target cipher and then proceeds with a key-recovery attack covering more rounds. Besides key recovery, the distinguishing properties of some cryptographic schemes have themselves become more and more important, because many new ciphers are designed on top of well-studied schemes. Among these underlying primitives, reduced-round Advanced Encryption Standard (AES) [4] is a very popular choice. On the one hand, the security of reduced-round AES has been analyzed extensively; on the other hand, processor manufacturers provide single-round AES instructions, which strongly encourages researchers to build new designs on them. For example, the authenticated encryption algorithm AEGIS [14] uses four rounds of AES in its state update function, and ELmd [5] suggests using reduced-round variants including 5-round AES. Although the security of these schemes does not depend entirely on the underlying primitive, studying reduced-round AES helps to understand them more deeply.

Many distinguishers on reduced-round AES have been proposed and used to evaluate its security for different numbers of rounds. Traditional distinguishers cover at most four rounds [1, 2, 4, 6, 8, 10]. At Crypto’16, Sun et al. proposed the first 5-round zero-correlation (ZC) linear hull and transformed it into a 5-round integral distinguisher. Then, with the statistical integral technique presented at FSE’16 [13], Cui et al. gave an attack on 5-round AES [3]. In [7, 8], 5-round impossible differential (ID) distinguishers were put forward by Grassi et al. All of the 5-round ZC linear hull, integral, statistical integral and ID distinguishers are key-dependent: they are valid only if certain conditions on the key are satisfied. Later, the first key-independent 5-round distinguisher, named the multiple-of-n distinguisher, was given in [9]; it also has a key-dependent variant based on the multiple-of-n property [7]. More recently, an interesting adaptive chosen-plaintext/chosen-ciphertext distinguisher, Yoyo, was proposed to mount a distinguishing attack on reduced-round AES [11].

This paper focuses on key-dependent distinguishers on 5-round AES. Key-dependent distinguishers can be regarded as “something in the middle” between secret-key distinguishers and key-recovery attacks. Although the complexities of the key-dependent integral and ID distinguishers are higher than those of the multiple-of-n or Yoyo distinguishers, they reveal more about structural properties of AES such as the details of the MixColumns (MC) matrix: all published key-dependent distinguishers on 5-round AES rely on the specific coefficients of this matrix.

Among the key-dependent distinguishers on 5-round AES, there is a big gap between the complexities of the integral and ID distinguishers. Even though both rely on the same property of the MC matrix (Property 1, which we introduce in Sect. 2.3), the integral distinguisher requires the whole codebook, while the ID distinguisher needs only \(2^{98.2}\) chosen plaintexts. Moreover, the integral distinguisher is claimed to work only in the chosen-ciphertext setting in [12] and the ID distinguishers only in the chosen-plaintext setting in [7, 8], because these two kinds of distinguishers rely on Property 1 or Property 2 of the MC matrix (introduced in Sect. 2) and the \(MC^{-1}\) matrix does not have such properties.

It is strange that the key-dependent integral and ID distinguishers work only in specific scenarios, which is a limitation of key-dependent distinguishers. This paper investigates the principles behind this phenomenon and tries to remove the limitations. The key-dependent integral distinguisher proposed at Crypto’16 requires the whole codebook and \(2^{128}\) memory accesses. However, a distinguisher that requires the full codebook is usually regarded as a trivial attack. Thus, we aim to reduce the complexities of the key-dependent integral distinguisher.

1.2 Contributions

The contributions of this paper are two-fold as follows:

Improved Key-Dependent Integral Distinguisher on 5-Round AES. The key-dependent integral distinguisher on 5-round AES [12] is derived by setting constraints on the ciphertexts and requires the whole codebook. We construct a new integral distinguisher with only \(2^{96}\) chosen plaintexts. Both our distinguisher and the one in [12] take advantage of the same property of the MC matrix. In addition, our distinguisher works in the chosen-plaintext setting instead of the chosen-ciphertext setting. The complexities of the chosen-plaintext and chosen-ciphertext key-dependent integral distinguishers are very different. We find that the reason lies in the addition of the last round key: in the chosen-ciphertext setting, we have to guess one byte of key information to mount the attack, which we avoid in the chosen-plaintext setting.

Key-Dependent ID Distinguishers on 5-Round AES Under Chosen-Ciphertext Setting. We transform the chosen-plaintext key-dependent ID distinguishers into chosen-ciphertext ones, which extends the attacks presented in [7, 8]. Both the distinguisher with \(2^{98.2}\) chosen plaintexts in [8] and the one with \(2^{76.4}\) chosen plaintexts in [7] can be transformed into new ID distinguishers with \(2^{99.6}\) and \(2^{76.5}\) chosen ciphertexts, respectively. The key-dependent ID distinguishers have slightly different complexities in the different attack scenarios. As in the case of integral distinguishers, we analyze the influence of the key addition operation on which the key-dependent ID distinguishers depend.

The complexities of key-dependent integral and ID distinguishers under different models are listed in Table 1.

Table 1. Key-dependent integral and ID distinguishers on 5-round AES.

1.3 Outline of This Paper

In Sect. 2, some preliminaries are given. Then, we present new key-dependent integral distinguishers on 5-round AES in Sect. 3. In Sect. 4, we give the ID distinguishers on 5-round AES in the chosen-ciphertext setting. Finally, we conclude this paper in Sect. 5.

2 Preliminaries

2.1 Notations

To make the description clear and concise, we list some notations used in this paper as follows.

  • P: plaintext;

  • C: ciphertext;

  • \(K^r\): round key of the r-th round and the whitening key is \(K^0\);

  • \(X^{r,OP}\): the state after the OP operation of the r-th round, e.g. \(X^{4,MC}\) is the state after the MixColumns operation of the fourth round function; the state after the whitening key addition is denoted \(X^{0,AK}\);

  • \(X_{i,j}\), \(i,j = 0,1,2,3\): the byte in the i-th row and j-th column of the state X.

  • \(OP_r\): the OP operation of the r-th round, \(AK_0\) means the AddRoundKey operation with the whitening key.

2.2 Description of AES

AES [4] is a 128-bit iterative block cipher with a substitution-permutation network (SPN) structure. It has three versions according to the key size, namely AES-128, -192 and -256, whose total numbers of rounds \(N_r\) are 10, 12 and 14, respectively. The 128-bit internal state of AES can be regarded as a \(4\times 4\) matrix, each cell of which is an 8-bit value. All operations in AES are defined in the finite field \(GF(2^8)\) with irreducible polynomial \(m(x) = x^8 + x^4 + x^3 + x + 1\). Each round function \(R(x) = AK \circ MC \circ SR \circ SB(x)\) has the following four components.

  • SubBytes (SB): A nonlinear bijective mapping \(S : \mathbb {F}_2^8 \rightarrow \mathbb {F}_2^8\) on each byte of the state;

  • ShiftRows (SR): Left rotate the i-th row by i bytes, where \(i = 0, 1, 2, 3\);

  • MixColumns (MC): Left-multiply each column by an MDS matrix over the field \(GF(2^8)\). The matrices used in the MC operation and its inverse \(MC^{-1}\) are

    $$ MC = \begin{bmatrix} 0x2&0x3&0x1&0x1 \\ 0x1&0x2&0x3&0x1 \\ 0x1&0x1&0x2&0x3 \\ 0x3&0x1&0x1&0x2 \end{bmatrix} \quad \text{and} \quad MC^{-1} = \begin{bmatrix} 0xe&0xb&0xd&0x9 \\ 0x9&0xe&0xb&0xd \\ 0xd&0x9&0xe&0xb \\ 0xb&0xd&0x9&0xe \end{bmatrix}; $$
  • AddRoundKey (AK): XOR with a round key.

We can change the order of the MC and AK operations in some situations, i.e. \(R(x) = MC \circ EAK \circ SR \circ SB(x)\), where \(MC\circ EAK = AK \circ MC\). Note that a whitening key is XORed with the plaintext before the first round function and that the MC operation in the last round is omitted.

For the decryption process, \(N_r\) inverse rounds are applied to the ciphertext matrix. Each inverse round function applies four inverse operations: InvSubBytes \((SB^{-1})\), InvShiftRows \((SR^{-1})\), InvMixColumns \((MC^{-1})\) and InvAddRoundKey \((AK^{-1})\).

2.3 Previous Integral and ID Distinguishers on 5-Round AES

In this subsection, we recall the previous key-dependent integral and ID distinguishers on 5 rounds of AES [7, 8, 12]. The key technique behind these distinguishers is to take advantage of properties of the MC matrix in order to extend the known 4-round distinguishers by one more round. We summarize the properties as follows.

Property 1

The matrix of MC operation has two equal coefficients in each row or each column, i.e., the MC matrix of AES has two elements equal to 1 in each row or each column.

Property 2

The matrix of MC operation has two rows satisfying Eq. (1) or two columns satisfying Eq. (2).

$$\begin{aligned} {\left\{ \begin{array}{ll} MC[i_1,j] \oplus MC[i_1,k] \oplus MC[i_1,l] = 0,\\ MC[i_2,j] \oplus MC[i_2,k] \oplus MC[i_2,l] = 0. \end{array}\right. } \end{aligned}$$
(1)
$$\begin{aligned} {\left\{ \begin{array}{ll} MC[j,i_1] \oplus MC[k,i_1] \oplus MC[l,i_1] = 0,\\ MC[j,i_2] \oplus MC[k,i_2] \oplus MC[l,i_2] = 0. \end{array}\right. } \end{aligned}$$
(2)

where \(i_1\ne i_2\), the indices j, k, l are pairwise distinct, and \(0\le i_1, i_2, j, k, l \le 3\).
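As an added example (not part of the paper), the following Python checks Property 1 and Property 2 against the AES MC matrix and its inverse. Since both properties only involve equality and XOR of coefficients, no field multiplication is needed; the script enumerates every row pair and column triple rather than the single instance the text uses, and confirms that \(MC^{-1}\) has neither property.

```python
# Added example: verify Property 1 and Property 2 of the AES MixColumns
# matrix (and their absence in MC^-1). Entries are GF(2^8) elements written
# as integers; field addition is XOR, which is all the two properties need.
from itertools import combinations

MC = [
    [0x2, 0x3, 0x1, 0x1],
    [0x1, 0x2, 0x3, 0x1],
    [0x1, 0x1, 0x2, 0x3],
    [0x3, 0x1, 0x1, 0x2],
]
MC_INV = [
    [0xe, 0xb, 0xd, 0x9],
    [0x9, 0xe, 0xb, 0xd],
    [0xd, 0x9, 0xe, 0xb],
    [0xb, 0xd, 0x9, 0xe],
]


def transpose(m):
    return [list(col) for col in zip(*m)]


def has_property1(m):
    """Property 1: every row and every column contains two equal coefficients
    (for the AES MC matrix these are the two entries equal to 0x1)."""
    def line_ok(line):
        return any(line[j] == line[k] for j, k in combinations(range(4), 2))
    return all(line_ok(r) for r in m) and all(line_ok(c) for c in transpose(m))


def property2_row_pairs(m):
    """Property 2, Eq. (1): distinct rows (i1, i2) and three distinct columns
    (j, k, l) such that MC[i,j] ^ MC[i,k] ^ MC[i,l] == 0 for both rows.
    Returns every solution as ((i1, i2), (j, k, l))."""
    found = []
    for i1, i2 in combinations(range(4), 2):
        for j, k, l in combinations(range(4), 3):
            if (m[i1][j] ^ m[i1][k] ^ m[i1][l] == 0
                    and m[i2][j] ^ m[i2][k] ^ m[i2][l] == 0):
                found.append(((i1, i2), (j, k, l)))
    return found


def property2_col_pairs(m):
    """Property 2, Eq. (2): the same condition with rows and columns swapped."""
    return property2_row_pairs(transpose(m))


def has_property2(m):
    return bool(property2_row_pairs(m)) or bool(property2_col_pairs(m))


if __name__ == "__main__":
    for name, m in (("MC", MC), ("MC^-1", MC_INV)):
        print(f"{name}: Property 1 = {has_property1(m)}, Property 2 = {has_property2(m)}")
        print("  row pairs satisfying Eq. (1):", property2_row_pairs(m))
```

For the AES MC matrix the script finds four row pairs satisfying Eq. (1), among them rows 0 and 1 with columns 0, 1, 2 (since 0x2 ^ 0x3 ^ 0x1 = 0 and 0x1 ^ 0x2 ^ 0x3 = 0), while no triple of coefficients from {0xe, 0xb, 0xd, 0x9} XORs to zero.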

Integral Distinguisher on 5-Round AES [12]. The 5-round integral distinguisher is transformed from a 5-round ZC linear hull based on Property 1 by imposing a specific condition on the ciphertexts. The ZC linear hull is given in Proposition 1 and illustrated in Fig. 4 in Appendix D.

Proposition 1

Divide the whole ciphertext-plaintext space into \(2^8\) sets according to the value of \(C_{0,0} \oplus C_{1,3}\) as

$$ V_\varDelta = \{ (C,P) | C_{0,0} \oplus C_{1,3} = \varDelta , \varDelta \in \mathbb {F}_2^8\}. $$

If the input mask \(\varGamma _{in}\) on ciphertext and output mask \(\varGamma _{out}\) on plaintext are as follows,

$$\begin{aligned} \varGamma _{in} = (\alpha _{i,j}), 0 \leqslant i,j \leqslant 3,\quad \alpha _{i,j} = {\left\{ \begin{array}{ll} a, &{} \text {if } (i, j) \in \{(0,0), (1,3)\};\\ 0, &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$
$$\begin{aligned} \varGamma _{out} = (\beta _{i,j}), 0 \leqslant i,j \leqslant 3,\quad \beta _{i,j} = {\left\{ \begin{array}{ll} nonzero, &{} \text {if } (i,j) = (0,0);\\ 0, &{} \text {otherwise.} \end{array}\right. } \end{aligned}$$

where \(a \in \mathbb {F}_2^8 \backslash \{0\}\).

Then \((\varGamma _{in} \rightarrow \varGamma _{out})\) is a 5-round ZC linear hull when the ciphertexts are chosen from one specific set of \(V_{\varDelta }, \varDelta = K^5_{0,0}\oplus K^5_{1,3}\).

Bogdanov et al. proposed a link between ZC linear hull and integral distinguisher in [2], which is summarized in Theorem 1.

Theorem 1

(From [2]). Assume \(H: \mathbb {F}^s_{2} \times \mathbb {F}^t_{2} \rightarrow \mathbb {F}^u_{2} \times \mathbb {F}^v_{2}\) is (part of) a cipher. Without loss of generality, we can decompose the cipher and define its two parts as

$$\begin{aligned} H(x,y) = \begin{pmatrix} H_1(x,y) \\ H_2(x,y) \end{pmatrix}, \quad H_1: \mathbb {F}^s_2 \times \mathbb {F}^t_2 \rightarrow \mathbb {F}^u_2, \quad H_2: \mathbb {F}^s_2 \times \mathbb {F}^t_2 \rightarrow \mathbb {F}^v_2. \end{aligned}$$

If we fix the t bits of input value as \(\lambda \) and consider only u bits of the output value, we can construct another function \(T_\lambda (x) : \mathbb {F}^s_2 \rightarrow \mathbb {F}^u_2\) as follows

$$\begin{aligned} T_\lambda (x) = H_1(x,\lambda ). \end{aligned}$$

When the input and output linear masks a and b are independent, the approximation \( b \cdot H(x) \oplus a \cdot x \) has correlation zero for any \(a=(a_1,0)\) and any \(b=(b_1,0) \ne 0\) (zero-correlation) if and only if the function \(T_\lambda \) is balanced for any \(\lambda \) (integral).

With Theorem 1, one ZC linear hull on 5-round AES can be transformed into an integral distinguisher, which is shown in Proposition 2.

Proposition 2

Divide the whole ciphertext-plaintext space into \(2^{8}\) sets

$$ V_\varDelta = \{ (C,P) | C_{0,0} \oplus C_{1,3} = \varDelta , \varDelta \in \mathbb {F}_2^8 \}. $$

There is always one \(\varDelta \) such that

$$ T_\varDelta = \sum _{(C,P)\in V_\varDelta } P = 0. $$

Note that this 5-round integral distinguisher requires the full codebook.

ID Distinguishers on 5-Round AES [7, 8]. The first ID distinguisher on 5-round AES [8] is similar to the 5-round integral one [12]: it extends the traditional 4-round impossible differential by one more round. This 5-round ID (see Fig. 5 in Appendix D) is summarized in Proposition 3.

Proposition 3

For plaintexts in the sets

there is always one \(\varDelta \) such that the difference of any two corresponding ciphertexts after 5-round AES encryption cannot be inactive in three reverse-diagonals at the same time.

This ID distinguisher requires \(2^{98.2}\) chosen plaintexts with success rate \(95\%\).

The second ID distinguisher based on Property 2 was proposed in [7], which requires \(2^{76.4}\) chosen plaintexts. It is illustrated in Proposition 4 and shown in Fig. 6 in Appendix D.

Proposition 4

For plaintexts in the sets

there is always one tuple \(( \varDelta _1, \varDelta _2 )\) such that the difference of the ciphertexts after 5-round AES encryption cannot be inactive in two reverse-diagonals at the same time.

This distinguisher requires \(2^{76.4}\) chosen plaintexts with success rate \(95\%\).

3 Improved Integral Distinguishers on AES

The 5-round integral distinguisher based on Property 1 proposed in [12] requires the whole codebook, which limits its significance. However, we can improve this distinguisher by significantly reducing its data and time complexities. In Sect. 3.1, we put forward an improved 5-round integral distinguisher based on Property 1 with \(2^{96}\) chosen plaintexts, which is the longest integral distinguisher on AES as far as we know. In fact, our attack can be regarded as a chosen-plaintext counterpart of the distinguisher in [12]. Interestingly, the data complexities of the two distinguishers are very different. In Sect. 3.2, we discuss why there is such a big gap between them. Originally, we planned to construct a key-dependent integral distinguisher based on Property 2, which has already been used to build a key-dependent ID distinguisher, but we did not succeed. We discuss the reasons in Appendix A.

3.1 Improved Key-Dependent Integral Distinguisher on 5-Round AES

The 5-round integral distinguisher in [12] requires the whole codebook, while the ID distinguisher in [8] needs only \(2^{98.2}\) chosen plaintexts. Both distinguishers use Property 1 of the MC matrix, yet there is a big gap in complexity between them. In this section, we propose an improved integral distinguisher to eliminate or narrow this gap.

Fig. 1. 5-round ZC linear hull of AES.

In order to improve the 5-round integral distinguisher, we first construct a novel 4-round integral distinguisher on AES summarized in Lemma 1, which is transformed from a 4-round ZC linear hull shown in Fig. 1 (from Round 1 to Round 4), whose input mask \(\varGamma _{in}\) and output mask \(\varGamma _{out}\) are as follows.

$$\begin{aligned} \varGamma _{in} = (\alpha _{i,j}), 0 \leqslant i,j \leqslant 3,\quad \alpha _{i,j} = {\left\{ \begin{array}{ll} nonzero &{} \text {if } (i,j) \in \{(0,0), (1,1), (2,2), (3,3)\}, \\ 0 &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
(3)
$$\begin{aligned} \varGamma _{out} = (\beta _{i,j}), 0 \leqslant i,j \leqslant 3,\quad \beta _{i,j} = {\left\{ \begin{array}{ll} b &{} \text {if } (i,j) \in \{(0,0),(1,0)\},\\ 0 &{} \text {otherwise} \end{array}\right. }, b \in \mathbb {F}_2^8. \end{aligned}$$
(4)

Lemma 1

For 4-round AES with MC operation in the last round, if we take all \(2^{96}\) plaintexts P by fixing \((P_{0,0},P_{1,1},P_{2,2},P_{3,3})\) as constant, each value of \(C_{0,0} \oplus C_{1,0} \in \mathbb {F}_2^8\) of ciphertexts appears \(2^{88}\) times.

Proof

As shown in Fig. 1, \(\varGamma _{in}\) and \(\varGamma _{out}\) (Eqs. (3) and (4)) are independent and lead to a ZC linear hull on 4 rounds of AES. According to Theorem 1,

  • \(\varGamma _{in}\) can be denoted as (a, 0), where a can be any value in \(\mathbb {F}_2^{32}\);

  • \(\varGamma _{out}\) can be denoted as (b, b, 0), where b can be any value in \(\mathbb {F}_2^8\backslash \{0\}\).

Since Theorem 1 requires the output mask \((b_1, 0)\) to range over all nonzero values, whereas here the two mask bytes are forced to be equal, we apply a transformation to the output of 4-round AES so that the conditions of Theorem 1 are satisfied.

Firstly, we can rewrite 4-round AES as a function H with two inputs and three outputs:

$$ H(x, y) = ( H_1(x, y), H_2(x,y), H_3(x,y)). $$

where \(x=(P_{0,0},P_{1,1},P_{2,2},P_{3,3})\), y is the concatenated value of other 12 bytes of plaintext, \((H_1(x,y),H_2(x,y)) = (C_{0,0},C_{1,0})\) and \(H_3(x,y)\) is the concatenated value of other 14 bytes.

We can produce a new function \(H'\) based on the function H with the same inputs:

$$ H'(x,y) = (H_1 (x, y) \oplus H_2 (x, y), H_3 (x, y)). $$

Then for the new function \(H'\), we derive that the linear approximation with \(\varGamma _{in}=(a,0)\) and \(\varGamma _{out}=(b,0)\) has correlation zero, where a can be any value in \(\mathbb {F}_2^{32}\) and b can be any value in \(\mathbb {F}_2^8\backslash \{0\}\).

With Theorem 1, we can transform the ZC linear approximation on \(H'\) into an integral distinguisher, i.e. if we take all \(2^{96}\) plaintexts P by fixing \((P_{0,0},P_{1,1},P_{2,2},P_{3,3})\) as constant, the values of \(H_1 (x, y) \oplus H_2 (x, y)\) are balanced, which means that each value of \(C_{0,0} \oplus C_{1,0} \in \mathbb {F}_2^8\) of ciphertexts appears \(2^{88}\) times.    \(\square \)

Based on Lemma 1, we can append one more round to the 4-round integral distinguisher and obtain a 5-round integral distinguisher, using the idea of Lemma 2 below.

Lemma 2

For one-round AES without MC operation (i.e. \(AK\circ SR\circ SB\)), if we take N plaintexts P where \(N_1\) plaintexts satisfy \(P_{0,0} \oplus P_{1,0} = 0\), then there must be at least one \(\delta \in \mathbb {F}_2^8\) such that the number of ciphertexts C satisfying \(C_{0,0} \oplus C_{1,3} = \delta \) is exactly \(N_1\) with probability 1.

Proof

Since the S-box S is a bijection, we have

$$\begin{aligned} S(P_{0,0})\oplus S(P_{1,0}) = {\left\{ \begin{array}{ll} 0, &{} \text {if } P_{0,0} \oplus P_{1,0} = 0,\\ nonzero, &{} \text {if } P_{0,0} \oplus P_{1,0} \ne 0. \end{array}\right. } \end{aligned}$$

After the SB operation, there are exactly \(N_{1}\) values of \(X^{1,SB}\) satisfying \(X^{1,SB}_{0,0} \oplus X^{1,SB}_{1,0} = 0\), and for exactly these values the SR and AK operations yield \(C_{0,0} \oplus C_{1,3} = K^{1}_{0,0}\oplus K^{1}_{1,3}\). Let \(\delta = K^{1}_{0,0}\oplus K^{1}_{1,3}\); then \(C_{0,0} \oplus C_{1,3} =\delta \) happens exactly \(N_{1}\) times.    \(\square \)
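The following Python script is an added example, not code from the paper: it implements the single round \(AK\circ SR\circ SB\) with the real AES S-box (computed from the field inverse and the affine map of the AES specification) and checks Lemma 2 on constructed random plaintexts and a random round key, confirming that the counter at \(\delta = K_{0,0}\oplus K_{1,3}\) equals exactly \(N_1\) (the same mechanism that Sect. 3.2 identifies as the reason the chosen-plaintext distinguisher needs no key guess).

```python
# Added example: check Lemma 2 (one round AK o SR o SB, no MixColumns).
# Plaintexts and the round key are constructed at random; the lemma predicts
# that C[0][0] ^ C[1][3] == K[0][0] ^ K[1][3] for exactly the N1 plaintexts
# with P[0][0] == P[1][0], independent of the key.
import random


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return r


def build_sbox():
    """AES S-box: multiplicative inverse followed by the fixed affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for _ in range(4):                      # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xff
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = build_sbox()


def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    # Row i is rotated left by i bytes, so byte (1,0) moves to position (1,3).
    return [[state[i][(j + i) % 4] for j in range(4)] for i in range(4)]


def add_round_key(state, key):
    return [[state[i][j] ^ key[i][j] for j in range(4)] for i in range(4)]


def round_without_mc(state, key):
    """One AES round with MixColumns omitted: AK o SR o SB."""
    return add_round_key(shift_rows(sub_bytes(state)), key)


def lemma2_counts(plaintexts, key):
    """Count, over all plaintexts, each value of C_{0,0} xor C_{1,3}."""
    counts = [0] * 256
    for p in plaintexts:
        c = round_without_mc(p, key)
        counts[c[0][0] ^ c[1][3]] += 1
    return counts


def deltas_with_count(counts, n1):
    """All delta values whose counter equals exactly n1."""
    return [d for d, cnt in enumerate(counts) if cnt == n1]


def check_lemma2(n, n1, seed=1):
    """Build N constructed plaintexts, N1 of them with P_{0,0} xor P_{1,0} = 0,
    encrypt under a random round key and return (counts, K_{0,0} xor K_{1,3})."""
    rng = random.Random(seed)
    key = [[rng.randrange(256) for _ in range(4)] for _ in range(4)]
    plaintexts = []
    for idx in range(n):
        p = [[rng.randrange(256) for _ in range(4)] for _ in range(4)]
        if idx < n1:
            p[1][0] = p[0][0]                   # force P_{0,0} xor P_{1,0} = 0
        else:
            while p[1][0] == p[0][0]:           # force P_{0,0} xor P_{1,0} != 0
                p[1][0] = rng.randrange(256)
        plaintexts.append(p)
    return lemma2_counts(plaintexts, key), key[0][0] ^ key[1][3]


if __name__ == "__main__":
    counts, delta = check_lemma2(n=4096, n1=300)
    print("K_{0,0} ^ K_{1,3} =", hex(delta), "counter =", counts[delta])
    print("deltas hit exactly N1 times:", deltas_with_count(counts, 300))
```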

With Lemmas 1 and 2, our new 5-round integral distinguisher on AES is summarized in Proposition 5.

Proposition 5

Taking all \(2^{96}\) plaintexts P by fixing \((P_{0,0},P_{1,1},P_{2,2},P_{3,3})\) as constant, after 5-round AES encryption, there is at least one \(\delta \in \mathbb {F}_2^8\) such that the number of ciphertexts satisfying \(C_{0,0}\oplus C_{1,3} = \delta \) is exactly \(2^{88}\). Meanwhile, for any random permutation, the same event happens with probability only about \(2^{-40.7}\).

Proof

For 5-round AES, \(X^{4,AK}_{0,0} \oplus X^{4,AK}_{1,0} = 0\) happens \(2^{88}\) (out of \(2^{96}\)) times according to Lemma 1. Then due to Lemma 2, \(N=2^{96}\) and \(N_{1} = 2^{88}\), so there is one \(\delta \) such that \(C_{0,0} \oplus C_{1,3} =\delta \) happens exactly \(2^{88}\) times.

For a random permutation, the number \(N_{\delta }\) of ciphertexts satisfying \(C_{0,0} \oplus C_{1,3} = \delta \) for a fixed \(\delta \) follows the binomial distribution

$$ N_\delta \sim \mathcal {B}(2^{96}, 2^{-8}). $$

According to the Central Limit Theorem, the binomial distribution can be approximated by a normal distribution in this situation, so

$$ N_\delta \sim \mathcal {N}(2^{88}, 2^{96}\times 2^{-8} \times ( 1 - 2^{-8})). $$

Therefore, \(p(N_{\delta } = 2^{88}) \approx 2^{-48.64}\). Since there are \(2^{8}\) possible values of \(\delta \), the probability that at least one value of \(\delta \) satisfies \(N_\delta = 2^{88}\) is \(1 - (1 - p(N_{\delta } = 2^{88}) )^{2^{8}} \approx 2^{-40.7}\).    \(\square \)

The whole process of the integral distinguishing attack on 5-round AES is illustrated in Algorithm 1.


In Algorithm 1, the data complexity is \(2^{96}\) chosen plaintexts and the time complexity is about \(2^{96}\) memory accesses. Since we only keep a counter vector of size \(2^8\), the memory requirement is \(2^8\) and can be ignored. The type-II error probability (the probability of wrongly accepting a random permutation as AES) is \(2^{-40.7}\).

3.2 Gap for Complexities Between Chosen-Plaintext and Chosen-Ciphertext Integral Distinguishers

Interestingly, there is a gap between the complexities of the chosen-plaintext and chosen-ciphertext integral distinguishers although they are constructed from the same (or a similar) ZC linear hull.

Fig. 2. 5-round integral distinguisher with(out) \(AK_5\).

In the chosen-ciphertext integral distinguisher, we need to guess the one byte \(K^5_{0,0} \oplus K^5_{1,3}\), which increases the complexities by a factor of \(2^8\). This suggests that the AK operation on which the integral distinguisher depends, i.e. \(AK_5\), influences the complexities. In this subsection, we investigate the influence of \(AK_5\) on the complexities by considering chosen-ciphertext and chosen-plaintext integral distinguishers on 5-round AES with and without \(AK_5\), respectively. Notice that we use a general variant of the key-dependent integral distinguisher with four active masks on plaintext bytes (see Fig. 2).

Under Chosen-Ciphertext Setting. If we omit the operation \(AK_5\) (the area enclosed by the dotted line in Fig. 2) and decrypt from \(X^{5,SR}\) in the following subspace \(V_{X^{5,SR}}\) to the plaintext P

we can construct a chosen-ciphertext integral distinguisher whose corresponding plaintexts satisfy the balance property, i.e. each possible value of plaintext byte has the same number of occurrences. Since the size of \(V_{X^{5,SR}}\) is \(2^{96}\), this integral distinguisher requires data complexity \(2^{96}\) chosen ciphertexts.

If the operation \(AK_5\) is included in the distinguisher (the whole area in Fig. 2), we have to take a subspace of ciphertexts \(V_C\) which produces \(V_{X^{5,SR}}\) after applying \(AK_5^{-1}\). Thus the set \(V_C\) must be

$$\begin{aligned}&\,\,\,\,\, V_C = \{ ( C, P )~|~C_{0,0} \oplus C_{1,3} = K^5_{0,0} \oplus K^5_{1,3}, C_{0,1} \oplus C_{3,2} = K^5_{0,1} \oplus K^5_{3,2}, \qquad \quad \\&C_{2,0} \oplus C_{3,3} = K^5_{2,0} \oplus K^5_{3,3}, C_{1,2} \oplus C_{2,1} = K^5_{1,2} \oplus K^5_{2,1}, C_{i,j} \in \mathbb {F}_2^8, 0 \leqslant i, j \leqslant 3 \}. \end{aligned}$$

However, the exact values of \(K^5_{0,0} \oplus K^5_{1,3}\), \( K^5_{0,1} \oplus K^5_{3,2}\), \( K^5_{2,0} \oplus K^5_{3,3}\) and \( K^5_{1,2} \oplus K^5_{2,1}\) are unknown, so we have to take the whole space of \((C, P)\) and divide it into \(2^{32}\) subspaces as follows:

with \(\varDelta _i \in \mathbb {F}^8_2, 0 \leqslant i \leqslant 3 \).

There is always one tuple of \((\varDelta _0, \varDelta _1, \varDelta _2, \varDelta _3 )\) equal to \((K^5_{0,0} \oplus K^5_{1,3}, K^5_{0,1} \oplus K^5_{3,2},K^5_{2,0} \oplus K^5_{3,3},K^5_{1,2} \oplus K^5_{2,1})\) and thus the data complexity becomes \(2^{128}\) instead of \(2^{96}\) chosen ciphertexts.

Under Chosen-Plaintext Setting. Suppose we exclude the \(AK_5\) operation from 5-round AES and encrypt all \(2^{96}\) plaintexts P obtained by fixing \( ( P_{0,0}, P_{1,1}, P_{2,2}, P_{3,3} )\) as constant up to \(X^{5,SR}\). By Sect. 3.1, each of the following four events

$$\begin{aligned} 1. ~X^{5,SR}_{0,0} \oplus X^{5,SR}_{1,3} = 0,\qquad \qquad 2.~ X^{5,SR}_{0,1} \oplus X^{5,SR}_{3,2} = 0, \\ 3. ~X^{5,SR}_{2,0} \oplus X^{5,SR}_{3,3} = 0,\qquad \qquad 4. ~X^{5,SR}_{1,2} \oplus X^{5,SR}_{2,1} = 0, \end{aligned}$$

occurs \(2^{88}\) times with probability 1. We can distinguish AES from a random permutation with \(2^{96}\) chosen plaintexts.

If we take the \(AK_5\) operation into consideration again, each of the four events

$$\begin{aligned} 1.~C_{0,0} \oplus C_{1,3} = K^5_{0,0}\oplus K^5_{1,3},\qquad \qquad 2.~C_{0,1} \oplus C_{3,2} = K^5_{0,1}\oplus K^5_{3,2}, \\ 3.~C_{2,0} \oplus C_{3,3} = K^5_{2,0}\oplus K^5_{3,3},\qquad \qquad 4.~C_{1,2} \oplus C_{2,1} = K^5_{1,2}\oplus K^5_{2,1}, \end{aligned}$$

occurs \(2^{88}\) times with probability 1, respectively.

Though we do not know any information about the secret key, we can predict that there is always one tuple \(( \varDelta '_0, \varDelta '_1,\varDelta '_2,\varDelta '_3 ) \) for which each of the four events

$$\begin{aligned} 1.~C_{0,0} \oplus C_{1,3} = \varDelta '_0,\qquad \qquad 2.~C_{0,1} \oplus C_{3,2} = \varDelta '_1, \\ 3.~C_{2,0} \oplus C_{3,3} = \varDelta '_2,\qquad \qquad 4.~C_{1,2} \oplus C_{2,1} = \varDelta '_3, \end{aligned}$$

occurs \(2^{88}\) times (namely when \(( \varDelta '_0, \varDelta '_1,\varDelta '_2,\varDelta '_3 )\) equals the four XOR values of \(K^5\)). For a random permutation, any one of these events occurs with probability only about \(2^{-40.7}\). So \(2^{96}\) chosen plaintexts are enough to carry out this distinguishing attack.

Finally, we summarize the reasons for the gap between the chosen-plaintext and chosen-ciphertext integral distinguishers in the two cases. If \(AK_5\) is omitted, the data complexities of the distinguishers in both settings are the same. If \(AK_5\) is included, the chosen-ciphertext integral distinguisher has to take the whole codebook while the data complexity of the chosen-plaintext integral distinguisher does not increase. To make this clearer, we compare their data complexities in Table 2.

Table 2. Data complexities of integral distinguishers with(out) \(AK_5\).

4 ID Distinguishers on 5-Round AES Under Chosen-Ciphertext Setting

Until now there have been two key-dependent ID distinguishers on 5-round AES [7, 8], utilizing Properties 1 and 2 of the MC matrix respectively. In this section we put forward two ID distinguishers on 5-round AES in the chosen-ciphertext model, in Sects. 4.1 and 4.2 respectively, which are transformed from the ones in the chosen-plaintext setting. Their data complexities are \(2^{99.6}\) and \(2^{76.5}\) chosen ciphertexts, slightly different from those of the original ones with \(2^{98.2}\) and \(2^{76.4}\) chosen plaintexts, respectively. We analyze the reasons in Appendix C.

4.1 ID Distinguisher on 5-Round AES Based on Property 1 of MC

In this subsection, we first propose 16 key-dependent IDs for 5-round AES, given in Proposition 6, one of which is depicted in Fig. 5. With these IDs, a distinguisher in the chosen-ciphertext model is put forward with data complexity \(2^{99.6}\) chosen ciphertexts.

Proposition 6

If the difference of the ciphertext pair \((C^1, C^2)\) is nonzero at the four bytes \((C_{0,3},C_{1,2},C_{2,1},C_{3,0})\) and zero at the other 12 bytes, then after 5-round AES decryption the corresponding plaintext pair \((P^1, P^2)\) never satisfies any of the following 16 cases:

$$\begin{aligned}&P^1_{s,t} \oplus P^1_{s+1, t+1} = P^2_{s,t} \oplus P^2_{s+1,t+1} = K^0_{s,t} \oplus K^0_{s+1,t+1},\\&P^1_{l,m} \oplus P^2_{l,m} = 0, (l,m) \ne (s,t),(s+1,t+1), \end{aligned}$$

where \(0\leqslant s,t \leqslant 3 \).

Proof

Proof by contradiction. Assume that there is one ciphertext pair \((C^{1},C^{2})\) leading to such a plaintext pair \((P^{1},P^{2})\). In the forward direction, since there exists one \((s,t)\) such that \((P^{1},P^{2})\) satisfies \(P^1_{s,t} \oplus P^1_{s+1, t+1} = P^2_{s,t} \oplus P^2_{s+1,t+1} = K^0_{s,t} \oplus K^0_{s+1,t+1}\), we have \(\varDelta X^{1,SB}_{s,t} = \varDelta X^{1,SB}_{s+1,t+1}\). Due to Property 1 of the MC matrix, there are only three nonzero bytes of the difference \(\varDelta X^{1,MC}\) in one column, which leads to at least one zero byte in each column of \(\varDelta X^{3,SR}\). In the backward direction, \((C^{1},C^{2})\) results in at most one nonzero byte in each column of \(\varDelta X^{3,MC}\). Since the branch number of the MC matrix is 5, each column of \(\varDelta X^{3,MC}\) has at least two zero bytes. This yields a contradiction and shows that they are IDs.    \(\square \)

Taking \((s,t) =(0,0)\) as an example, we illustrate Proposition 6 in Fig. 5. In practice, the value of \(K^0_{s,t} \oplus K^0_{s+1,t+1}\) is secret, so we cannot directly check whether \(P^1_{s,t} \oplus P^1_{s+1, t+1} = P^2_{s,t} \oplus P^2_{s+1,t+1} = K^0_{s,t} \oplus ~ K^0_{s+1,t+1}\) holds. In the following, we define a good pair in order to identify, using the ID characteristic, whether there exist solutions for \(K^0_{s,t} \oplus K^0_{s+1,t+1}\).

Definition 1

(Good Pair). A pair \((P^1, P^2)\) is a good pair related to \((s,t)\) if it satisfies the following conditions:

$$\begin{aligned}&P^1_{s,t} \oplus P^1_{s+1, t+1} = P^2_{s,t} \oplus P^2_{s+1,t+1},\\&P^1_{l,m} \oplus P^2_{l,m} = 0, (l,m) \ne (s,t),(s+1,t+1), \end{aligned}$$

where \(0\leqslant s,t \leqslant 3\).

No matter how many ciphertext pairs of the form in Proposition 6 we take, for each \((s,t)\) there always exists one value \(\delta _{s,t} \in \mathbb {F}^{8}_{2}\), namely \(\delta _{s,t}=K^0_{s,t} \oplus ~ K^0_{s+1,t+1}\), such that \(P^1_{s,t} \oplus P^1_{s+1, t+1} =P^2_{s,t} \oplus P^2_{s+1,t+1}=\delta _{s,t}\) never happens for any good pair.

Based on the fact above, we put forward an ID distinguishing attack on 5-round AES in the chosen-ciphertext model, see Algorithm 2. For each of the 16 values of \((s,t)\), \(0\le s, t \le 3\), we take \(N_{s}\) structures of ciphertexts, each containing \(2^{32}\) ciphertexts obtained by traversing all values of the bytes \((C_{0,3},C_{1,2},C_{2,1},C_{3,0})\) and fixing the other bytes as constants, find all good pairs and record their \(P^1_{s,t} \oplus P^1_{s+1, t+1}\) in a vector counter \(V_{s,t}\). For 5-round AES, there is always a value \(\delta _{s,t}\) that never appears in \(V_{s,t}\) for each \((s,t)\). The probability that, for a random permutation, such a value \(\delta _{s,t}\) never appears in \(V_{s,t}\) for every \((s,t)\) is calculated in Proposition 7.

Proposition 7

For a random permutation, the probability that for each of the 16 values of \((s,t)\), \(0\le s,t\le 3\), there exists at least one value \(\delta _{s,t}=P^1_{s,t} \oplus P^1_{s+1, t+1} \) never appearing among N random good pairs is \(2^{128} \times (1 - 2^{-8})^{16N}\).

Proof

For a random permutation and any given value of \((s,t)\), the event that there is at least one value \(\delta _{s,t} =P^1_{s,t} \oplus P^1_{s+1, t+1}\) never occurring among N random good pairs happens with probability

$$ p_{s,t} = 2^8 \times (1 - 2^{-8})^N, $$

and the probability that this event happens for all 16 values of \((s,t)\) is \( p_{s,t}^{16}=2^{128}\times (1 - 2^{-8})^{16N}\).    \(\square \)


Setting the type-II error probability to \(5\%\), i.e. a success rate of 95%, requires \(N \approx 2^{10.6}\) good pairs for each \((s,t), 0\le s,t \le 3\). Since the probability that a random pair is a good pair is \(2^{-120}\), we obtain \(N_{s} = 2^{67.6}\) from \(N_{s} \times 2^{63} \times 2^{-120} = N\). As a result, the data complexity is \(2^{99.6}\) chosen ciphertexts. In Algorithm 2, Step 6 needs \(16\times N_{s} \times 2^{32} = 2^{103.6}\) memory accesses. Since sorting a table of size \(2^{n}\) takes \(O(2^{n}\log(2^{n}))\) time, Step 7 needs about \(16\times N_{s} \times 2^{32}\log(2^{32})\). The time complexities of Step 8 and Steps 9–10 are \(16\times N_{s} \times 2^{32} = 2^{103.6}\) and \(16\times N_{s}\times N = 2^{82.2}\) memory accesses, respectively. In total, the time complexity is about \(2^{103.6}\) memory accesses. The memory requirement is \(2^{32}\) for constructing the table T.

4.2 ID Distinguisher on 5-Round AES Based on Property 2 of MC

Similarly to the construction of the chosen-ciphertext ID distinguisher on 5-round AES in Sect. 4.1, we can also obtain a chosen-ciphertext ID distinguisher based on Property 2 of the MC matrix by transforming the distinguisher in [7], see Proposition 8.

Proposition 8

If the difference of the ciphertext pair \((C^1, C^2)\) is nonzero at the eight bytes \((C_{0,3}, C_{1,2}, C_{2,1}, C_{3,0}, C_{0,2}, C_{1,1}, C_{2,0}, C_{3,3})\) (two reverse-diagonals) and zero at the other 8 bytes, then after 5-round AES decryption the corresponding plaintext pair \((P^1,P^2)\) never satisfies any one of the following 16 cases:

$$\begin{aligned}&P^1_{s,t} \oplus P^1_{s+1, t+1} = P^2_{s,t} \oplus P^2_{s+1,t+1} = K^0_{s,t} \oplus K^0_{s+1,t+1},\\&P^1_{s,t} \oplus P^1_{s+2, t+2} = P^2_{s,t} \oplus P^2_{s+2,t+2} = K^0_{s,t} \oplus K^0_{s+2,t+2},\\&P^1_{l,m} \oplus P^2_{l,m} = 0, (l,m) \ne (s,t),(s+1,t+1),(s+2,t+2), \end{aligned}$$

where \(0\leqslant s,t \leqslant 3 \).

For a random permutation, however, the probability that for each \((s,t)\) there always exists a tuple \((\delta ^1_{s,t}, \delta ^2_{s,t})\) such that \(\delta ^1_{s,t}=P^1_{s,t} \oplus P^1_{s+1, t+1}\) and \(\delta ^2_{s,t}=P^1_{s,t} \oplus P^1_{s+2, t+2}\) never appear among N random good pairs is \(2^{256} \times (1 - 2^{-16})^{16N}\).

We omit the proof here because of its similarity to the one in Sect. 4.1. The distinguisher is given in Algorithm 3 in Appendix B. The data and time complexities are \(2^{76.5}\) chosen ciphertexts and \(2^{80.5}\) memory accesses, respectively. The type-II error probability is 5%.

5 Conclusions

In this paper, we study key-dependent integral and ID distinguishers on 5-round AES. A new key-dependent integral distinguisher is constructed with \(2^{96}\) chosen plaintexts, which is more efficient than the previous one requiring the full codebook. Under different settings, the complexities of the key-dependent integral distinguishers show a significant gap while those of the key-dependent ID distinguishers are almost the same. We analyze the principles behind these phenomena. If the AK operation on which a key-dependent distinguisher depends is positioned at the end of the distinguisher, the data complexities of the integral and ID distinguishers remain almost unchanged whether or not the AK operation is taken into account. Otherwise, the data complexities increase significantly when the AK operation is included in 5-round AES.