
Probabilistic Mixture Differential Cryptanalysis on Round-Reduced AES

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11959))

Abstract

At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES was presented. Although it allows one to distinguish a random permutation from an AES-like one, it seems (rather) hard to exploit such a distinguisher in order to implement a key-recovery attack other than a brute-force-like one. On the other hand, this result has been exploited to set up a new (competitive) secret-key distinguisher for 4-round AES, called “Mixture Differential Cryptanalysis”.

In this paper, we combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up a new 5-round distinguisher that exploits properties which are independent of the secret key, of the details of the S-Box and of the MixColumns matrix. As a result, while a “classical” truncated differential distinguisher exploits the probability that a pair of (two) texts satisfies a given differential trail independently of the other pairs, our distinguisher works with sets of \(N\gg 2 \) (related) pairs of texts. In particular, our new 5-round AES distinguisher exploits the fact that such sets of texts satisfy some properties with a different probability than for a random permutation.

Even if this 5-round distinguisher has a higher complexity than e.g. the “multiple-of-8” one present in the literature, it can be used as a starting point to set up the first key-recovery attack on 6-round AES that directly exploits a 5-round secret-key distinguisher. The goal of this paper is indeed to present and explore new approaches, showing that even a distinguisher like the one presented at Eurocrypt, believed to be hard to exploit, can be the starting point for new secret-key distinguishers and/or key-recovery attacks.


Notes

  1. A pair of texts has a certain difference if and only if the texts belong to the same coset of a particular subspace \(\mathcal X\).

  2. Sometimes we use the notation \(R_{k}\) instead of R to highlight the round key k.

  3. The i-th diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r- c = i\) mod 4. The i-th anti-diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r+c = i\) mod 4.

  4. We mention that the following probabilities are “sufficiently good” approximations for the target of the paper, i.e. the errors of these approximations are so small that they do not affect the results of this paper. We refer to [7, Appendix A.2] for a discussion of this point.

  5. More precisely:

     $$\begin{aligned} p_{AES}&\simeq 2^{-13} - 524\,287 \cdot 2^{-46} - 22\,370\,411\,853 \cdot 2^{-77} + \dots \\ p_{rand}&\simeq 2^{-13} - 524\,287 \cdot 2^{-46} + 45\,812\,722\,347\cdot 2^{-77}+ \dots \end{aligned}$$

  6. As recalled in Sect. 3.2, this probability is approximately equal to \(2^{-6}\) for the AES case and \(2^{-30}\) for the random case.

  7. A normal distribution is a valid approximation in the case in which the skewness (i.e. the asymmetry) of the binomial distribution is close to zero. The skewness \(\gamma \) of a binomial distribution \(\mathcal B(n,p)\), given by \(\gamma = (1-2p)/\sqrt{np(1-p)}\), is close to zero when \(p=0.5\) and/or \(n\cdot p \gg 1\).

  8. For \(p_{rand}, p_{AES}\ll 1\): \(p_{rand} \cdot (1-p_{rand}) + p_{AES} \cdot (1-p_{AES})< p_{rand} + p_{AES} < 2 \cdot \max (p_{rand}, p_{AES})\).

  9. In Appendix E, we briefly explain why it is not possible to set up the key-recovery attack using cosets of \(\mathcal D_I\) with \(|I|=2\) instead of \(|I|=1\).

  10. The approximation “20 table look-ups \(\approx 1\) round of encryption”, widely used in the literature, is due to the fact that the cost of each round of AES is well approximated by the cost of 20 S-Box look-ups (16 for the round \(+\) 4 for the key-schedule). Even if this approximation is not formally correct (the size of the table of an S-Box look-up, equal to \(2^8\), is smaller than the size of the table used for our distinguisher, approximately \(2^{32}\), see Algorithm 1), it allows us to compare our distinguishers with the others currently present in the literature.

  11. The source code of the distinguishers/attacks is available at https://github.com/Krypto-iaik/Distinguisher_5RoundAES.

  12. To the best of our knowledge, the only case in which the behavior of small scale AES does not match that of real AES is the case of zero-sum distinguishers, see e.g. [14, Table 6]. In such a case, due to the degree of S-Box\((x)=x^{-1}\) in \(\mathbb F_2^n\) for \(n=4,8\), it is possible to cover more rounds (with a smaller data cost) for small scale AES than for real AES using zero-sum distinguishers. Since our results are independent of the details of the S-Box, we claim that our verification on the small scale variant of AES is strong evidence that it holds for the real AES.

  13. For completeness, we mention that potentially it is possible to (slightly) reduce the data cost by relaxing the property that the number of sets \(\mathcal S\) that satisfy the required property is the lowest one for the right key. The right key is then found by a brute force attack on the candidates that pass the test.

  14. For example, for \(n = 2\) it follows that \(Prob(A_{1}\cup A_{2})=Prob(A_{1})+Prob(A_{2})-Prob(A_{1}\cap A_{2})\), while for \(n = 3\) it follows that \(Prob(A_{1}\cup A_{2}\cup A_{3})=Prob(A_{1})+Prob(A_{2})+Prob(A_{3})-Prob(A_{1}\cap A_{2})-Prob(A_{1}\cap A_{3})-Prob(A_{2}\cap A_{3})+Prob(A_{1}\cap A_{2}\cap A_{3})\).

  15. If \(x\oplus y\in \mathcal M_I\) for \(|I|<3\), then \(\exists J\) with \(|J|=3\) and \(I\subseteq J\) such that \(x\oplus y\in \mathcal M_J\).

  16. A complete proof will be provided in the extended version of this paper.

References

  1. Bar-On, A., Dunkelman, O., Keller, N., Ronen, E., Shamir, A.: Improved key recovery attacks on reduced-round AES with practical data and memory complexities. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 185–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_7

  2. Boura, C., Canteaut, A., Coggia, D.: A general proof framework for recent AES distinguishers. IACR Trans. Symmetric Cryptol. 2019(1), 170–191 (2019)

  3. Cheon, J.H., Kim, M.J., Kim, K., Jung-Yeun, L., Kang, S.W.: Improved impossible differential cryptanalysis of Rijndael and Crypton. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 39–49. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_4

  4. Cid, C., Murphy, S., Robshaw, M.J.B.: Small scale variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_10

  5. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4

  6. Derbez, P., Fouque, P.-A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_28

  7. Grassi, L.: Mixture differential cryptanalysis and structural truncated differential attacks on round-reduced AES. Cryptology ePrint Archive, Report 2017/832 (2017). https://eprint.iacr.org/2017/832

  8. Grassi, L.: Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES. IACR Trans. Symmetric Cryptol. 2018(2), 133–160 (2018)

  9. Grassi, L., Rechberger, C.: New rigorous analysis of truncated differentials for 5-round AES. IACR Cryptol. ePrint Arch. 2018, 182 (2018)

  10. Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_10

  11. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017). http://ojs.ub.rub.de/index.php/ToSC/article/view/571

  12. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16

  13. Rønjom, S., Bardeh, N.G., Helleseth, T.: Yoyo tricks with AES. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_8

  14. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12

  15. Tunstall, M.: Improved “Partial Sums”-based square attack on AES. In: International Conference on Security and Cryptography - SECRYPT 2012. LNCS, vol. 4817, pp. 25–34 (2012)


Acknowledgements

The author thanks the anonymous reviewers for their valuable comments and suggestions, and Willi Meier for shepherding the paper. This work has been partially supported by IOV42.

Corresponding author

Correspondence to Lorenzo Grassi.


Appendices

A Subspace Trails for AES

In this section, we give all the details about the subspace trails of AES presented in [11], and briefly recalled in Sect. 3.

Definition 7

The column spaces \(\mathcal C_i\) are defined as \(\mathcal C_i = \langle e_{0, i}, e_{1, i}, e_{2, i}, e_{3, i} \rangle \).

For instance, \(\mathcal C_0\) corresponds to the symbolic matrix

$$ \mathcal C_0 = \biggl\{ \begin{bmatrix} x_1 & 0 & 0 & 0\\ x_2 & 0 & 0 & 0\\ x_3 & 0 & 0 & 0\\ x_4 & 0 & 0 & 0 \end{bmatrix} \, \biggm| \, \forall x_1, x_2, x_3, x_4 \in \mathbb F_{2^8} \biggr\} \equiv \begin{bmatrix} x_1 & 0 & 0 & 0\\ x_2 & 0 & 0 & 0\\ x_3 & 0 & 0 & 0\\ x_4 & 0 & 0 & 0 \end{bmatrix} . $$

Definition 8

The diagonal spaces \(\mathcal D_i\) are defined as \(\mathcal D_i = SR^{-1}(\mathcal C_i)\). Similarly, the inverse-diagonal spaces \(\mathcal {ID}_i\) are defined as \(\mathcal {ID}_i = SR(\mathcal C_i).\)

For instance, \(\mathcal D_0\) and \(\mathcal {ID}_0\) correspond to the symbolic matrices

$$ \mathcal D_0 \equiv \begin{bmatrix} x_1 & 0 & 0 & 0\\ 0 & x_2 & 0 & 0 \\ 0 & 0 & x_3 & 0\\ 0 & 0 & 0 & x_4 \end{bmatrix}, \qquad \mathcal {ID}_0 \equiv \begin{bmatrix} x_1 & 0 & 0 & 0\\ 0 & 0 & 0 & x_2 \\ 0 & 0 & x_3 & 0\\ 0 & x_4 & 0 & 0 \end{bmatrix} $$

for all \(x_1, x_2, x_3, x_4 \in \mathbb F_{2^8}\).

Definition 9

The i-th mixed spaces \(\mathcal M_i\) are defined as \(\mathcal M_i = MC (\mathcal {ID}_i)\).

For instance, \(\mathcal M_0\) corresponds to the symbolic matrix

$$ \mathcal M_0 \equiv \begin{bmatrix} \mathtt{0x02} \cdot x_1 & x_4 & x_3 & \mathtt{0x03}\cdot x_2 \\ x_1 & x_4 & \mathtt{0x03}\cdot x_3 & \mathtt{0x02} \cdot x_2 \\ x_1 & \mathtt{0x03}\cdot x_4 & \mathtt{0x02} \cdot x_3 & x_2 \\ \mathtt{0x03}\cdot x_1 & \mathtt{0x02} \cdot x_4 & x_3 & x_2 \end{bmatrix} $$

for all \(x_1, x_2, x_3, x_4 \in \mathbb F_{2^8}\).
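As an added example (not code from the paper or from the authors' repository), the following Python implements the AES linear layer over \(\mathbb F_{2^8}\) and turns Definitions 7–9 into membership tests: \(x\in\mathcal D_I\) iff \(SR(x)\in\mathcal C_I\), \(x\in\mathcal{ID}_I\) iff \(SR^{-1}(x)\in\mathcal C_I\), and \(x\in\mathcal M_I\) iff \(MC^{-1}(x)\in\mathcal{ID}_I\). The state layout `s[row][col]` and all function names are assumptions of this example; `same_coset_of_mixed_space` is the predicate the later distinguishers count.

```python
# Added example: membership tests for the AES subspaces C_I, D_I, ID_I, M_I of
# Definitions 7-9. A state is a 4x4 list s[row][col] of bytes; the layout and
# the function names are assumptions of this example, not the paper's notation.


def xtime(b):
    """Multiplication by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gf_mul(a, b):
    """Product in GF(2^8) (shift-and-add, reducing with xtime)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


MC_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV_MATRIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_columns(s, m=MC_MATRIX):
    """Apply the MixColumns matrix m (or its inverse) to every column of s."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(m[r][k], s[k][c])
            out[r][c] = acc
    return out


def shift_rows(s):
    """ShiftRows: row r is rotated left by r positions."""
    return [[s[r][(c + r) % 4] for c in range(4)] for r in range(4)]


def inv_shift_rows(s):
    """Inverse ShiftRows: row r is rotated right by r positions."""
    return [[s[r][(c - r) % 4] for c in range(4)] for r in range(4)]


def in_column_space(s, I):
    """x in C_I iff every byte outside the columns indexed by I is zero."""
    return all(s[r][c] == 0 for r in range(4) for c in range(4) if c not in I)


def in_diagonal_space(s, I):
    """D_I = SR^{-1}(C_I), so x in D_I iff SR(x) in C_I."""
    return in_column_space(shift_rows(s), I)


def in_inv_diagonal_space(s, I):
    """ID_I = SR(C_I), so x in ID_I iff SR^{-1}(x) in C_I."""
    return in_column_space(inv_shift_rows(s), I)


def in_mixed_space(s, I):
    """M_I = MC(ID_I), so x in M_I iff MC^{-1}(x) in ID_I."""
    return in_inv_diagonal_space(mix_columns(s, MC_INV_MATRIX), I)


def mixed_space_element(x1, x2, x3, x4):
    """The element of M_0 generated by (x1, x2, x3, x4): MC applied to the ID_0
    element whose non-zero bytes sit on the 0-th anti-diagonal (Definition 8).
    The result has exactly the shape of the symbolic matrix of Definition 9."""
    id0 = [[0] * 4 for _ in range(4)]
    id0[0][0], id0[1][3], id0[2][2], id0[3][1] = x1, x2, x3, x4
    return mix_columns(id0)


def nonzero_anti_diagonals(s):
    """Smallest I with s in M_I: indices i of the anti-diagonals of MC^{-1}(s)
    (entries (r, c) with r + c = i mod 4, cf. Footnote 3) holding a non-zero byte."""
    t = mix_columns(s, MC_INV_MATRIX)
    return {(r + c) % 4 for r in range(4) for c in range(4) if t[r][c]}


def xor_states(a, b):
    return [[a[r][c] ^ b[r][c] for c in range(4)] for r in range(4)]


def same_coset_of_mixed_space(c1, c2, J):
    """Two texts lie in the same coset of M_J iff their XOR difference is in M_J."""
    return in_mixed_space(xor_states(c1, c2), J)
```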

B Proof – Probabilities of Sect. 3.2

In this section, we prove the probabilities given in Sect. 3.2. We remark that the following probabilities are not exact, but “good enough” approximations for the purpose of the paper. In particular, as discussed in detail in [7, Appendix A.2], the error in all the following probabilities is of magnitude \(2^{-128}\).

Let \(I, J \subseteq \{0,1,2,3\}\). We recall that

$$\begin{aligned} \mathcal M_I \cap \mathcal M_J = \mathcal M_{I\cap J}. \end{aligned}$$
(12)

where \(\mathcal M_I \cap \mathcal M_J = \{0\}\) if \(I\cap J = \emptyset \). Moreover, referring to [11], we recall that the probability that a random text x belongs to \(\mathcal M_I\) is well approximated by \(Prob(x\in \mathcal M_I) = 2^{-32 \cdot (4-|I|)}\), while given two random texts \(x\ne y\)

$$ Prob(R(x) \oplus R(y) \in \mathcal M_J \, | \, x \oplus y \in \mathcal M_I) = (2^8)^{-4\cdot |I| + |I|\cdot |J|}. $$

Proposition 1

The probability \(p_{|I|}\) that a random text x belongs to the subspace \(\mathcal M_I\) for a certain \( I \subseteq \{0,1,2,3\}\) with \(|I| = l\) fixed is well approximated by

$$\begin{aligned} p_{|I|} = Prob(\exists I \subseteq \{0,1,2,3\} \, |I| = l \, \text { s.t. } \, x \in \mathcal M_I) = (-1)^{|I|}\cdot \sum _{i=4-|I|}^3 (-1)^i \cdot c_{|I|, i}\cdot \left( {\begin{array}{c}4\\ i\end{array}}\right) \cdot 2^{-32\cdot i} \end{aligned}$$

where \(c_{2, 3} = 3\) and \(c_{|I|, i} = 1\) for \(\{|I|, i\}\ne \{2,3\}\).

Proof

By the inclusion–exclusion principle, given the events \(A_1, \dots, A_n\) in a probability space \( (\varOmega ,{\mathcal {F}},{\mathbb {P}})\):

$$ Prob {\biggl (}\bigcup _{i=1}^{n}A_{i}{\biggr )}=\sum _{k=1}^{n}\biggl ((-1)^{k-1}\sum _{\scriptstyle I\subset \{1,\ldots ,n\} \atop \scriptstyle |I|=k} Prob \left( \bigcap _{{i\in I}}A_{i}\right) \biggl ), $$

where the inner sum runs over all subsets I of the indexes 1, ..., n which contain exactly k elements (see Footnote 14). Due to (12), it follows that for \(|I|=1\)

$$\begin{aligned}&Prob(\exists I \subseteq \{0,1,2,3\} \, |I| = 1 \, \text { s.t. } \, x \oplus y \in \mathcal M_I) =\\ =&\sum _{I \subseteq \{0,1,2,3\}, \, |I|=1} Prob(x \oplus y \in \mathcal M_I) = 4\cdot 2^{-96}. \end{aligned}$$

For \(|I| = 3\), the probability is given by:

$$\begin{aligned}&Prob(\exists I \subseteq \{0,1,2,3\} \, |I| = 3 \, \text { s.t. } \, x \in \mathcal M_I) = \\ =&\sum _{I \subseteq \{0,1,2,3\}, \, |I|=3} Prob(x \in \mathcal M_I) - \sum _{I \subseteq \{0,1,2,3\}, \, |I|=2} Prob(x \in \mathcal M_I) + \\ +&\sum _{I \subseteq \{0,1,2,3\}, \, |I|=1} Prob(x \in \mathcal M_I)= 4 \cdot 2^{-32} - 6\cdot 2^{-64} + 4\cdot 2^{-96}, \end{aligned}$$

since, given the 4 different sets \(\mathcal M_I\) with \(|I| = 3\), there are \(\left( {\begin{array}{c}4\\ 2\end{array}}\right) = 6\) possible intersections of 2 sets and \(\left( {\begin{array}{c}4\\ 3\end{array}}\right) = 4\) possible intersections of 3 sets (none of these intersections is empty). Finally, for \(|I|=2\)

$$\begin{aligned}&Prob(\exists I \subseteq \{0,1,2,3\} \, |I| = 2 \, \text { s.t. } \, x \oplus y \in \mathcal M_I) =\\ =&\sum _{I \subseteq \{0,1,2,3\}, \, |I|=2} Prob(x \oplus y \in \mathcal M_I) - \sum _{I \subseteq \{0,1,2,3\}, \, |I|=1} Prob(x \oplus y \in \mathcal M_I) =\\&= 6\cdot 2^{-64} - 12\cdot 2^{-96}, \end{aligned}$$

since given 6 different sets \(\mathcal M_I\) for \(|I| = 2\) there are \(\left( {\begin{array}{c}6\\ 2\end{array}}\right) = 15\) possible intersections of 2 sets. However, note that only 12 of them are not empty (since \(\mathcal M_{0,1} \cap \mathcal M_{2,3} = \mathcal M_{0,2} \cap \mathcal M_{1,3} = \mathcal M_{0,3} \cap \mathcal M_{1,2} = \emptyset \)). The result follows from \(\left( {\begin{array}{c}6\\ 1\end{array}}\right) = \left( {\begin{array}{c}4\\ 2\end{array}}\right) = 6\) and \(\left( {\begin{array}{c}6\\ 2\end{array}}\right) - 3= \left( {\begin{array}{c}4\\ 3\end{array}}\right) \cdot 3 = 12\).    \(\square \)

Proposition 2

Let x, y be two random elements. Assume that there exists \(I \subseteq \{0,1,2,3\}\) such that \(x \oplus y \in \mathcal M_I\) (and \(x \oplus y \notin \mathcal M_L\) for all \(L \subseteq \{0,1,2,3\}\) with \(|L| < |I|\)). The probability that \(\exists J \subseteq \{0,1,2,3\}\) with \(|J|=l\) fixed such that \(R(x) \oplus R(y) \in \mathcal M_J\) is well approximated by

$$\begin{aligned} \begin{aligned} p_{|J|, |I|}&\equiv Prob(\exists J \, |J|=l\, \text { s.t. } \, R(x) \oplus R(y) \in \mathcal M_J \, | \, x \oplus y \in \mathcal M_I) = \\&= (-1)^{|J|}\cdot \sum _{i=4-|J|}^3 (-1)^i \cdot c_{|J|, i} \cdot \left( {\begin{array}{c}4\\ i\end{array}}\right) \cdot 2^{- 8\cdot i \cdot |I|}. \end{aligned} \end{aligned}$$

where \(c_{2, 3} = 3\) and \(c_{|J|, i} = 1\) for \(\{|J|, i\}\ne \{2,3\}\).

Proof

As before, for \(|J|=3\):

$$\begin{aligned}&Prob(\exists J \, |J|=3\,\text { s.t. } \, R(x) \oplus R(y) \in \mathcal M_J \, | \, x \oplus y \in \mathcal M_I) =\\ =&\sum _{z=1}^3\sum _{J \subseteq \{0,1,2,3\}, \, |J|=z} (-1)^{z+1} \cdot Prob(R(x) \oplus R(y) \in \mathcal M_J \, | \, x \oplus y \in \mathcal M_I) = \\ =&4 \cdot 2^{-8\cdot |I|} - 6\cdot 2^{-16 \cdot |I|} + 4\cdot 2^{-24 \cdot |I|} = (-1)^{3}\cdot \sum _{i=1}^3 (-1)^i \cdot \left( {\begin{array}{c}4\\ i\end{array}}\right) \cdot 2^{- 8\cdot i \cdot |I|}. \end{aligned}$$

The cases \(|J|=2\) and \(|J|=1\) are computed in the same way.    \(\square \)

Proposition 3

Let x, y be two random elements such that \(x \oplus y \notin \mathcal M_I\) for each \(I \subseteq \{0,1,2,3\}\). Then, the probability that \(\exists J \subseteq \{0,1,2,3\}\) for \(|J|=l\) fixed such that \(R(x) \oplus R(y) \in \mathcal M_J\) is well approximated by

$$\begin{aligned} \hat{p}_{|J|, 3} \equiv Prob(\exists J \, \text { s.t. } \, R(x) \oplus R(y) \in \mathcal M_J \, | \, x \oplus y \notin \mathcal M_I \, \forall I) = \frac{p_{|J|} -p_{|J|,3}\cdot p_3}{1-p_{3}}. \end{aligned}$$

Proof

Let A and B be two events, and let C be the event such that \(A\cup C\) is equal to the sample space and such that \(A \cap C = \emptyset \). By definition

$$ Prob(B) = Prob(B \, | \, A)\cdot Prob(A) + Prob(B \, | \, C)\cdot Prob(C). $$

Thus

$$\begin{aligned}&p_{|J|} \equiv Prob(\exists J \,\text { s.t. } \, R(x) \oplus R(y) \in \mathcal M_J ) = \\ = Prob(\exists J \, \text { s.t. } \,&R(x) \oplus R(y) \in \mathcal M_J \, | \, x \oplus y \notin \mathcal M_I \, \forall I) \cdot Prob(x \oplus y \notin \mathcal M_I \, \forall I) + \\ + Prob(\exists J \, \text { s.t. } \,&R(x) \oplus R(y) \in \mathcal M_J \,| \, \exists I \, \text { s.t. } \,x \oplus y \in \mathcal M_I) \cdot \! Prob(\exists I \, \text { s.t. } \, x \oplus y \in \mathcal M_I). \end{aligned}$$

Note that (see Footnote 15)

$$\begin{aligned}&Prob(\exists I \, \text { s.t. } \, x \oplus y \in \mathcal M_I) = Prob\biggl ( x \oplus y \in \bigcup _{\forall I \subseteq \{0,1,2,3\}} \mathcal M_I\biggl ) =\\ =&Prob\biggl ( x \oplus y \in \bigcup _{I \subseteq \{0,1,2,3\}, \, |I|=3} \mathcal M_I\biggl ) \equiv p_3. \end{aligned}$$

It follows that \(p_{|J|} = p_{|J|,3} \cdot p_{3} + \hat{p}_{|J|,3} \cdot (1-p_{3})\), which is the claim.    \(\square \)

B.1 Pairs with n Equal Generating “Variables in \((\mathbb F_{2^8})^{|I|}\)”

Here we show that given texts in the same cosets of \(\mathcal C_I\) (and similar for \(\mathcal M_I\)) for \(I\subseteq \{0,1,2,3\}\), the number of pairs of texts with v equal generating “variable(s) in \((\mathbb F_{2^8})^{|I|}\)” for \(0\le v\le 3\) is given by

$$\begin{aligned} \left( {\begin{array}{c}4\\ v\end{array}}\right) \cdot 2^{32 \cdot |I| -1} \cdot (2^{8\cdot |I|}-1)^{4-v} \end{aligned}$$

First of all, what is a “variable(s) in \((\mathbb F_{2^8})^{|I|}\)”? W.l.o.g. consider \(|I|=2\) and assume \(I=\{0,1\}\) (the other cases are analogous). Given a text p in a coset of \(\mathcal C_I\), that is \(\mathcal C_I \oplus a\) for a given \(a\in \mathcal C_I^\perp \), \(\exists p_0^\prime , p_0^{''}, p_1^\prime , p_1^{''}, p_2 ^\prime , p_2^{''}, p_3^\prime , p_3^{''} \in \mathbb F_{2^8}\) s.t.

$$ p = a \oplus \begin{bmatrix} p_0^\prime &{} p_3^{''} &{} 0 &{} 0\\ p_1^\prime &{} p_0^{''}&{} 0 &{} 0 \\ p_2^\prime &{} p_1^{''} &{} 0 &{} 0\\ p_3^\prime &{} p_2^{''}&{} 0 &{} 0 \end{bmatrix}. $$

As in the case \(|I|=1\), the text p is defined by a tuple \((p_0, p_1, p_2, p_3)\) where \(p_0 \equiv (p_0^\prime , p_0^{''}), p_1 \equiv (p_1^\prime , p_1^{''}), p_2 \equiv (p_2^\prime , p_2^{''}), p_3 \equiv (p_3^\prime , p_3^{''})\). In other words, the idea is to consider variables in \((\mathbb F_{2^8})^{2} \equiv \mathbb F_{2^8} \times \mathbb F_{2^8}\) and not in \(\mathbb F_{2^8}\). For \(|I|=3\), the idea is to work with variables in \((\mathbb F_{2^8})^3\).

Note. Given \(x=(x_0, x_1)\) and \(y=(y_0, y_1)\) in \((\mathbb F_{2^8})^{2}\), we say that \(x=y\) if and only if \(x_0 = y_0 \text { and } x_1 =y_1\). E.g. if \(x_0 = y_0\) and \(x_1\ne y_1\) (or vice versa), it follows that \(x\ne y\) as variables in \((\mathbb F_{2^8})^{2}\). An analogous result holds in \((\mathbb F_{2^8})^{3}\).

Proof. W.l.o.g. consider for simplicity the case \(|I|=1\). First of all, note that there are \(\left( {\begin{array}{c}4\\ v\end{array}}\right) \) different choices of the \(v\le 4\) variables that are required to be equal. If \(v\ge 1\), the v variables that must be equal for the two texts of the pair can take \((2^8)^v\) different values. Each of the remaining \(4-v\) variables must be different for the two texts of each pair. Thus, these \(4-v\) variables can take exactly \(\bigl [(2^8)^{4-v} \cdot (2^{8}-1)^{4-v} \bigr ] / 2\) different values (the division by 2 because the pair is unordered). The result follows immediately.

The formula for the other cases is obtained in an analogous way.    \(\square \)
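An added brute-force check of the counting formula above (not part of the paper): it generalises \(2^8\) to \(2^n\) so that a tiny field can be enumerated exhaustively, and treats each generating variable as an element of \((\mathbb F_{2^n})^{|I|}\) compared as a whole, as in the Note. The function names and the small parameters used are assumptions of this example.

```python
# Added example (not from the paper): brute-force check of the pair-counting
# formula of Appendix B.1, with 2^8 generalised to 2^n so that a tiny field can
# be enumerated exhaustively. A text is a 4-tuple of generating variables, each
# variable an element of (F_{2^n})^k for k = |I|, compared as a whole (Note above).
# Function names and the small parameters used below are my own choices.
from itertools import combinations, product
from math import comb


def count_pairs_by_equal_variables(n_bits, k):
    """Return {v: number of unordered pairs of distinct texts whose generating
    variables agree in exactly v of the 4 positions}, by exhaustive enumeration."""
    values = list(product(range(1 << n_bits), repeat=k))   # (F_{2^n})^k
    texts = list(product(values, repeat=4))                 # one coset of C_I
    counts = {v: 0 for v in range(5)}
    for t1, t2 in combinations(texts, 2):                   # distinct, unordered
        counts[sum(a == b for a, b in zip(t1, t2))] += 1
    return counts


def predicted_pairs(n_bits, k, v):
    """Closed form of Appendix B.1 with 2^8 replaced by 2^n and |I| = k:
    C(4, v) * 2^(4nk - 1) * (2^(nk) - 1)^(4 - v)."""
    q = 1 << (n_bits * k)                 # values one variable can take
    return comb(4, v) * (q ** 4 // 2) * (q - 1) ** (4 - v)


def formula_matches_brute_force(n_bits, k):
    """True iff the closed form equals the enumeration for v = 0..3 and no pair
    of distinct texts agrees in all 4 variables (v = 4 is excluded from the formula)."""
    counts = count_pairs_by_equal_variables(n_bits, k)
    return counts[4] == 0 and all(
        counts[v] == predicted_pairs(n_bits, k, v) for v in range(4))


def aes_pair_counts(k):
    """The AES numbers (n = 8): pairs with v equal variables in (F_{2^8})^k."""
    return {v: predicted_pairs(8, k, v) for v in range(4)}
```

Summing `aes_pair_counts(1)` over v gives \(2^{31}\cdot(2^{32}-1)\), the total number of pairs in one coset of \(\mathcal C_I\) with \(|I|=1\).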

C Distinguisher on 5-Round AES – Cost

Here we discuss the computational cost of the distinguisher on 5-round AES proposed in Sect. 5 for the case of cosets of \(\mathcal C_I\) with \(|I|=1\).

A first possibility is to construct all the pairs, to divide them into the sets \(\mathcal S\) defined above, and to count the number of sets that satisfy the required property, working on each set separately. Since the cost of merely constructing all the pairs given \(2^{38.67}\) cosets is approximately \(2^{38.67} \cdot 2^{31} \cdot (2^{32}-1) \simeq 2^{101.67}\) table look-ups, we present a more efficient way to implement the distinguisher.

To do this, we introduce a partial order \(\preceq \).

Definition 10

Let \(I\subset \{0,1,2,3\}\) with \(|I|=3\) and let \(l \in \{0,1,2,3\} \setminus I\). Let \(t^1, t^2 \in \mathbb F^{4\times 4}_{2^8}\) with \(t^1\ne t^2\). Texts \(t^1\) and \(t^2\) satisfy \(t^1 \preceq t^2\) if and only if one of the two following conditions is satisfied (indexes are taken modulo 4):

  • there exists \(j \in \{0,1,2,3\}\) s.t. \(MC^{-1}(t^1)_{i,l-i} = MC^{-1}(t^2)_{i,l-i}\) for all \(i < j\) and \(MC^{-1}(t^1)_{j,l-j} < MC^{-1}(t^2)_{j,l-j}\);

  • \(MC^{-1}(t^1)_{i,l-i} = MC^{-1}(t^2)_{i,l-i}\) for all \(\, i = 0, \dots, 3\), and \(MC^{-1}(t^1) < MC^{-1}(t^2)\) where < is defined in Definition 4.

Let \(J\subseteq \{0,1,2,3\}\) with \(|J|=3\). First of all, one has to re-order the ciphertexts with respect to the partial order \(\preceq \) just defined. The cost to re-order a set of n texts w.r.t. a given partial order is \(\mathcal O(n\cdot \log n)\) table look-ups.

[Algorithm 1: pseudo-code of the 5-round distinguisher (figure not reproduced here)]

For each coset of \(\mathcal C_0\), given the ordered (plaintext, ciphertext) pairs and working only on consecutive ciphertexts, the idea is to count the number of collisions for each set \(\mathcal S_{(x_0, x_1), (y_0, y_1)}^{i,j}\). In more detail, for each coset of \(\mathcal C_0\) it is possible to construct \(N = 3\cdot 2^{15} \cdot (2^8-1)^2\) different sets \(\mathcal S_{(x_0, x_1), (y_0, y_1)}^{i,j}\) for each \(i, j \in \{0,1,2,3\}\) with \(i\ne j\) and for each \(x_0\ne y_0\) and \(x_1\ne y_1\). The idea is to consider a vector \(A[0, ..., N - 1]\) such that

$$ A[x] = {\left\{ \begin{array}{ll} 1 &{} \text {if the }x\text {-th set }\mathcal S\text { satisfies the required property};\\ 0 &{} \text {otherwise} \end{array}\right. } $$

All details are given in the following – pseudo-code is given in Algorithm 1.

To set up the distinguisher, it is sufficient to define a function \(\varphi \) that returns the index of a set \(\mathcal S_{(x_0, x_1), (y_0, y_1)}^{i,j}\) (where \(i<j\)) in the vector \(A[0, ..., N-1]\). Assuming \(x_0<y_0\) and \(x_1 < y_1\) (note that a set \(\mathcal S\) contains all plaintexts generated by different combinations of these four variables, so this condition is always fulfilled), the function \({\varphi (\cdot ): \, (\mathbb F_{2^8})^4 \times (\{0,1,2,3\})^2\rightarrow \, \mathbb N}\) can be defined as

$$\begin{aligned} {{ \varphi (x_0, x_1, y_0, y_1, i, j) = 1\,065\,369\,600\times {\phi (i,j)}+ \varPhi (x_0, x_1, y_0, y_1) }} \end{aligned}$$
(13)

where \(1\,065\,369\,600 = 32\,640^2\) (where \(32\,640 = 2^{n-1} \cdot (2^n-1)\) for \(n = 8\)), where \(\phi (0,1) = 0\), \(\phi (0,2) = 1\), \(\phi (0,3) = 2\), \(\phi (1,2) = 3\), \(\phi (1,3) = 4\), \(\phi (2,3) = 5\) and

$$ \varPhi (x_0, x_1, y_0, y_1) = \biggl [x_0 + \frac{y_0 \times (y_0 -1)}{2}\biggl ] + \,32\,640 \times \biggl [x_1 + \frac{y_1 \times (y_1 -1)}{2} \biggl ] $$

where each value of \(x_0, x_1, y_0, y_1 \in \mathbb F_{2^8}\) is replaced by its corresponding number in \(\{0,1,..., 255\}\). The previous formula for \(\varPhi \) is obtained by observing that

  1. for a fixed \(y \ge 1\), there are exactly y different pairs (x, y) that satisfy \(x \ge 0\) and \(x< y\);

  2. for a fixed \(z \ge 1\), there are exactly \( \sum _{i = 1}^{z-1} i = \frac{z \cdot (z-1)}{2} \) different pairs (x, y) that satisfy \(x,y \ge 0\) and \(x< y < z\);

  3. given a pair (w, z) (where \(0\le w<z\)), there are exactly

     $$ w + \frac{z \cdot (z-1)}{2} $$

     different pairs (x, y) that satisfy (1) \(y < z\) or (2) \(y=z\) and \(x < w\), i.e. that precede (w, z) when the pairs are ordered by the second entry and then by the first; this count is the (zero-based) index of (w, z).
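An added implementation of the index function \(\varphi\) of (13) and of \(\varPhi\), together with the inverse map from an index back to \((x_0, x_1, y_0, y_1, i, j)\). This is illustrative code, not the paper's Algorithm 1 nor the code in the authors' repository; the function names are assumptions, the constants are those stated in the text.

```python
# Added example (not the paper's Algorithm 1 nor the code in the authors'
# repository): the index function phi of (13) and Phi of Appendix C, plus the
# inverse map from an index back to (x0, x1, y0, y1, i, j). Function names
# are mine; the constants are the ones stated in the text.
import math

BYTE_PAIRS = 32640          # 2^7 * (2^8 - 1): pairs (x, y) with 0 <= x < y <= 255
BLOCK = BYTE_PAIRS ** 2     # 1 065 369 600 = 32 640^2, the stride of phi(i, j) in (13)
N_SETS = 6 * BLOCK          # 3 * 2^15 * (2^8 - 1)^2: length of the vector A[0..N-1]

# phi(i, j) for the six column pairs i < j, exactly as listed after (13)
PHI_IJ = {(0, 1): 0, (0, 2): 1, (0, 3): 2, (1, 2): 3, (1, 3): 4, (2, 3): 5}
PHI_IJ_INV = {v: k for k, v in PHI_IJ.items()}


def pair_index(x, y):
    """x + y(y-1)/2: position of (x, y), 0 <= x < y <= 255, when the pairs are
    ordered by the second entry and then by the first (observations 1-3)."""
    if not 0 <= x < y <= 255:
        raise ValueError("need 0 <= x < y <= 255")
    return x + y * (y - 1) // 2


def pair_from_index(r):
    """Inverse of pair_index for r in [0, 32640): y is the largest integer with
    y(y-1)/2 <= r, and x is the remainder."""
    if not 0 <= r < BYTE_PAIRS:
        raise ValueError("index out of range")
    y = (1 + math.isqrt(1 + 8 * r)) // 2      # root of y^2 - y - 2r = 0, rounded
    while y * (y - 1) // 2 > r:
        y -= 1
    while (y + 1) * y // 2 <= r:
        y += 1
    return r - y * (y - 1) // 2, y


def big_phi(x0, x1, y0, y1):
    """Phi(x0, x1, y0, y1): bijection from {x0 < y0} x {x1 < y1} onto [0, 32640^2)."""
    return pair_index(x0, y0) + BYTE_PAIRS * pair_index(x1, y1)


def varphi(x0, x1, y0, y1, i, j):
    """Equation (13): index of the set S^{i,j}_{(x0,x1),(y0,y1)} in A[0..N-1]."""
    return BLOCK * PHI_IJ[(i, j)] + big_phi(x0, x1, y0, y1)


def varphi_inverse(idx):
    """Recover (x0, x1, y0, y1, i, j) from an index in [0, N_SETS)."""
    if not 0 <= idx < N_SETS:
        raise ValueError("index out of range")
    ij, rest = divmod(idx, BLOCK)
    r1, r0 = divmod(rest, BYTE_PAIRS)
    x0, y0 = pair_from_index(r0)
    x1, y1 = pair_from_index(r1)
    i, j = PHI_IJ_INV[ij]
    return x0, x1, y0, y1, i, j


def pair_index_is_bijection():
    """Exhaustive check that pair_index hits every value in [0, 32640) exactly
    once; with the strides 32640 and BLOCK this makes varphi a bijection onto [0, N)."""
    hits = sorted(pair_index(x, y) for y in range(256) for x in range(y))
    return hits == list(range(BYTE_PAIRS))
```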

As a result, using Algorithm 1 to implement the distinguisher, the computational cost is well approximated by

$$\begin{aligned} 4 \cdot \biggl[ & 2^{32} \cdot \log (2^{32}) \text{ (re-ordering process) } + \bigl(2^{32} + 2\cdot 2^{31} \bigr) \text{ (access to } (p^i, c^i) \text{ and to } A[\cdot] \text{, increment number of collisions) } \biggr] \\ & + \frac{1}{2^{18}} \cdot 6 \cdot 2^{16} \cdot (2^8-1)^2 \text{ (final ``for'')} \simeq 2^{39.07} \end{aligned}$$

table look-ups for each initial coset, where \(\left( {\begin{array}{c}2^{32}\\ 2\end{array}}\right) \cdot 2^{-32} \simeq 2^{31}\) is the average number of pairs such that the two ciphertexts belong to the same coset of \(\mathcal M_J\) for J fixed with \(|J|=3\). Since the attacker must use \(2^{38.66}\) different initial cosets to have a probability of success higher than 95%, the total computational cost is of \(2^{39.07}\cdot 2^{38.66} = 2^{77.73}\) table look-ups, or \(\approx 2^{71.1}\) five-round encryptions.

D Variant of the 5-Round AES Distinguisher of Sect. 5

In this section, we propose two variants of the 5-round secret-key distinguisher proposed in Sect. 5. The second one is the most competitive distinguisher (from the point of view of the data and the computational costs), but it cannot be used for a key-recovery attack, as discussed in the following.

To set up the distinguisher, we must recall one result from [8, 10]:

Theorem 5

Given the subspace \(\mathcal C_0 \cap \mathcal D_{0,2,3} \equiv \langle e_{0,0}, e_{1,0}, e_{2,0}\rangle \subseteq \mathcal C_0\), consider two plaintexts \(p^1\) and \(p^2\) in the same coset \(\left( \mathcal C_0 \cap \mathcal D_{0,2,3} \right) \oplus a\) generated by \(p^1 \equiv (x^1, y^1, w^1)\) and \(p^2 \equiv (x^2, y^2, w^2)\). Let \(\hat{p}^1, \hat{p}^2 \in \left( \mathcal D_{0,2,3} \cap \mathcal C_0 \right) \oplus a\) be two other plaintexts generated by

$$\begin{aligned} 1. \,&(x^1, y^1, w^1, z) \,\text { and } \,(x^2, y^2, w^2, z);&\qquad 2. \,&(x^2, y^1, w^1, z) \,\text { and } \,(x^1, y^2, w^2, z); \\ 3. \,&(x^1, y^2, w^1, z) \,\text { and } \,(x^2, y^1, w^2, z);&\qquad 4. \,&(x^1, y^1, w^2, z) \,\text { and } \,(x^2, y^2, w^1, z). \end{aligned}$$

where z can take any possible value in \(\mathbb F_{2^8}\). The following event

$$ R^4(p^1) \oplus R^4(p^2) \in \mathcal M_J \quad \textit{ if and only if } \quad R^4(\hat{p}^1) \oplus R^4(\hat{p}^2) \in \mathcal M_J $$

holds with prob. 1 for 4-round AES, independently of the secret key, of the details of the S-Box and of the MixColumns matrix.

D.1 Variant of the 5-Round Distinguisher of Sect. 5: Plaintexts in \(\mathcal C_{0,1}\)

Details of the Distinguisher. Consider \(2^{64}\) chosen plaintexts with two active columns (8 active bytes), e.g. a coset of \(\mathcal C_{0,1}\), and the corresponding ciphertexts after 5 rounds. For each \((\mathbf x, \mathbf y) \in \mathbb F_{2^8}^6 \times \mathbb F_{2^8}^6\) where \(\mathbf x = (x_0, x_1, x_2, ..., x_5)\) and \(\mathbf y = (y_0, y_1, y_2, ..., y_5)\) such that \((x_0, x_1) \ne (y_0, y_1)\), \((x_2, x_3) \ne (y_2, y_3)\) and \((x_4, x_5) \ne (y_4, y_5)\), let \(\mathcal T^{3}_{(\mathbf x, \mathbf y)}\) be the set of pairs of plaintexts defined as follows

$$\begin{aligned}&\mathcal T^{3}_{(\mathbf x, \mathbf y)} = \bigl \{ (p, q) \in \mathbb F_{2^8}^{4\times 4} \times \mathbb F_{2^8}^{4\times 4} \, \, \text {s.t. for each }A, B\in \mathbb F_{2^8}: \, \\&\quad p \equiv \bigl ((x_0, x_2, x_4, A), (B, x_1, x_3, x_5)\bigl ), q\equiv \bigl ((y_0, y_2, y_4, A), (B, y_1, y_3, y_5)\bigl ) \quad \text {or } \\&\quad p \equiv \bigl ((y_0, x_2, x_4, A), (B, y_1, x_3, x_5)\bigl ), q\equiv \bigl ((x_0, y_2, y_4, A), (B, x_1, y_3, y_5)\bigl )\quad \text {or } \\&\quad p \equiv \bigl ((x_0, y_2, x_4, A), (B, x_1, y_3, x_5)\bigl ), q\equiv \bigl ((y_0, x_2, y_4, A), (B, y_1, x_3, y_5) \bigl )\quad \text {or } \\&\quad p \equiv \bigl ((x_0, x_2, y_4, A), (B, x_1, x_3, y_5)\bigl ), q\equiv \bigl ((y_0, y_2, x_4, A), (B, y_1, y_3, x_5)\bigl ) \quad \bigl \}. \end{aligned}$$

In other words, the pair of plaintexts \(p, q \in \mathcal C_{0,1}\oplus a\) can be of the form

$$ p\equiv \begin{bmatrix} x_0 &{} B &{} 0 &{} 0\\ x_2 &{} x_1 &{} 0 &{} 0 \\ x_4&{} x_3 &{} 0 &{}0\\ A &{} x_5 &{} 0 &{}0 \end{bmatrix} q\equiv \begin{bmatrix} y_0 &{} B &{} 0 &{} 0\\ y_2 &{} y_1&{} 0 &{} 0 \\ y_4 &{} y_3 &{} 0 &{}0\\ A &{} y_5 &{} 0 &{}0 \end{bmatrix}\quad \text {or } \quad p\equiv \begin{bmatrix} y_0 &{} B &{} 0 &{} 0\\ x_2 &{} y_1 &{} 0 &{} 0 \\ x_4&{} x_3 &{} 0 &{}0\\ A &{} x_5 &{} 0 &{}0 \end{bmatrix} q\equiv \begin{bmatrix} x_0 &{} B &{} 0 &{} 0\\ y_2 &{} x_1&{} 0 &{} 0 \\ y_4 &{} y_3 &{} 0 &{}0\\ A &{} y_5 &{} 0 &{}0 \end{bmatrix} $$

and so on. Similar definitions can be given for the set \(\mathcal T^{i}_{(\mathbf x, \mathbf y)} \) for each \(i\in \{0,1,2,3\}\), where the constant bytes lie on the i-th diagonal. Given \(2^{64}\) plaintexts as before, it is possible to construct \(\frac{1}{2^{18}} \cdot 4\cdot 2^{63} \cdot (2^{16}-1)^3 \simeq 2^{95}\) different sets, where each set contains exactly \(2^{18}\) different pairs of plaintexts (we emphasize that these pairs of plaintexts are not independent, in the sense that a particular relationship among the generating variables holds).

Consider \(n\gg 1\) random sets, and count the number of sets for which the two ciphertexts (generated by 5-round AES or by a random permutation) of at least one pair of texts belong to the same coset of a subspace \(\mathcal M_J\) for \(J\subseteq \{0,1,2,3\}\) and \(|J|=3\). As we are going to prove, this number is on average lower for AES than for a random permutation, independently of the secret key, of the details of the S-Box and of the MixColumns matrix. In more detail, the numbers of sets for 5-round AES \(n_{AES}\) and for a random permutation \(n_{rand}\) are well approximated by \( n_{AES} \simeq n\cdot p_{AES}\) and \( n_{rand}\simeq n\cdot p_{rand} \) where

$$\begin{aligned} p_{AES}&\simeq 2^{-12} - 1048575 \cdot 2^{-45} + \underbrace{46\,884\,625\,075 \cdot 2^{-76}}_{\approx \, 2.73 \, \cdot \, 2^{-42}} + \cdots \\ p_{rand}&\simeq 2^{-12} - 1048575 \cdot 2^{-45} + \underbrace{183\,251\,413\,675 \cdot 2^{-76}}_{\approx \, 10.667 \, \cdot \, 2^{-42}} + \cdots \end{aligned}$$

These numbers are derived using the same proof (see Footnote 16) as proposed in Sect. 5.

Data Cost. In order to compute the data cost, we use the same argument as in Sect. 5.2. Since \(|p_{AES} - p_{rand}| \simeq 2^{-39.011}\) and \(p_{AES}\simeq p_{rand} \simeq 2^{-12}\), it follows that n must satisfy \(n> 2^{68.243}\) for a probability of success of approximately 95%. Since a single coset of \(\mathcal C_I\) for \(|I|=2\) contains approximately \(2^{95}\) different sets \(\mathcal T\), less than a single coset is sufficient to implement the distinguisher. In particular, a subset of the coset \(\mathcal C_{0,1} \oplus a\) of the form

$$ \biggl \{ a\oplus \begin{bmatrix} x_0 & y_1 & 0 & 0\\ z_0 & x_1 & 0 & 0 \\ w_0 & z_1 & 0 & 0 \\ y_0 & w_1 & 0 & 0 \end{bmatrix} \, \biggm | \, \forall x_0, x_1, y_0, y_1, z_0, z_1 \in \mathbb F_{2^8}^2, \, \forall w_0, w_1 \in \{0x00, 0x01, 0x02, 0x03\} \biggr \} $$

for a certain constant a is sufficient to set up the distinguisher. Indeed, for such a set it is possible to construct approximately \(\frac{1}{2^{18}}\cdot 3 \cdot (2^{48} \cdot 4^2) \cdot [(2^{16}-1)^2 \cdot (16 -1)] \simeq 2^{71.5}\) different sets \(\mathcal T\) (remember that we are working with variables in \(\mathbb F_{2^8}^2\)), for a total of \((2^{8})^6 \cdot 4^2 \simeq 2^{52}\) chosen plaintexts.

Computational Cost. Regarding the computational cost, the idea is to exploit Algorithm 1, suitably modified and adapted to the sets \(\mathcal T\), in order to implement the distinguisher. Using \(2^{52}\) chosen plaintexts in the same coset of \(\mathcal C_I\) for \(|I|=2\), the cost to count the number of sets \(\mathcal T\) for which the two ciphertexts of at least one pair of plaintexts belong to the same coset of \(\mathcal M_J\) is

$$\begin{aligned} 4 \cdot&\bigl [ 2^{52} \cdot \log (2^{52}) \text { (re-ordering process) } + \bigl (2^{52} + 2\cdot 2^{57} \bigr ) \text { (access to }(p^i, c^i) \text { and to }\\&A[\cdot ] \text { -- increment number of collisions) } \bigr ] + 2^{71.5} \text { (final ``for'')} \simeq 2^{71.5} \end{aligned}$$

table look-ups, where \(\left( {\begin{array}{c}2^{52}\\ 2\end{array}}\right) \cdot 2^{-32} \cdot (4\cdot 2^{-16}) \simeq 2^{57}\) is the average number of pairs such that the two ciphertexts belong to the same coset of \(\mathcal M_J\) for a fixed J with \(|J|=3\) and the two plaintexts are in the same coset of \(\mathcal C_{0,1}\cap \mathcal D_I\) for a certain I with \(|I|=3\) (by definition of \(\mathcal T\)). Equivalently, the total cost is well approximated by \(2^{64.86}\) five-round encryptions.

E Key-Recovery Attack on 6-Round AES – Cost

Here we analyze the computational cost of the key-recovery attack on 6-round AES proposed in Sect. 6. The attack is implemented by exploiting Algorithm 1 for each possible guessed key in order to count the number of sets \(\mathcal S\) that satisfy the required property (i.e. the two ciphertexts of at least one pair belong to the same coset of \(\mathcal M_J\) for a certain J with \(|J|=3\)). Since this number of sets is higher for a wrongly guessed key than for the right one, it is possible to recover the right key candidate.

[Algorithm 2: pseudo-code of the key-recovery attack on 6-round AES; figure not reproduced]

An implementation of the attack is described by the pseudo-code given in Algorithm 2. To compute the computational cost, it is sufficient to re-consider the cost of the 5-round distinguisher. Given a coset of \(\mathcal C_0\), the cost to count the number of sets \(\mathcal S\) with the required property is \(2^{39.1}\) table look-ups. This step is repeated for each of the \(2^{32}\) (partially) guessed keys and for each of the \(2^{40.77}\) initial cosets of \(\mathcal D_0\), for a cost of \(2^{39.05}\cdot 2^{40.77} \cdot 2^{32} = 2^{111.82}\) table look-ups. Moreover, one needs to partially compute a 1-round encryption for each possible guessed key and for each initial coset, for a cost of \(4\cdot 2^{32}\cdot 2^{40.77} \cdot 2^{32} = 2^{106.77}\) S-Box look-ups. As a result, the total cost of finding one diagonal of the key is well approximated by \(2^{111.82}\) table look-ups, or equivalently \(2^{104.92}\) six-round encryptions (under the assumption that 20 table/S-Box look-ups \(\approx 1\)-round encryption). The total cost to find the entire key (using brute force on the last three diagonals) is \(2^{104.92} + 2^{96} = 2^{104.93}\) six-round encryptions.

Why is it not possible to set up the key-recovery attack using cosets of \(\mathcal D_I\) with \(|I|=2\) instead of \(|I|=1\) (that is, using the distinguisher proposed in Appendix D)? Without going into details, one has to guess 64 bits of the key instead of 32 for the attack that exploits the distinguisher proposed in Appendix D. As a consequence, this attack requires approximately \(2^{88.1}\) chosen plaintexts (in \(2^{24.1}\) different initial cosets of \(\mathcal D_I\) with \(|I|=2\)) and has a total computational cost of approximately \(2^{176.2}\) six-round encryptions, (much) higher than the cost of a brute-force attack.
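The complexity figures in Appendix D (numbers of sets \(\mathcal T\), the \(2^{57}\) pair count, the look-up total and its conversion to encryptions) and in Appendix E (the \(2^{111.82}\) look-ups and \(2^{104.92}\) encryptions) are all short exact computations; the Python below, an added example that is not part of the paper, redoes them with exact integer and Fraction arithmetic so each "\(\simeq 2^{x}\)" in the text can be checked. The Sect. 5.2 argument that turns \(|p_{AES}-p_{rand}|\) into \(n > 2^{68.243}\) is not on this page and is not reproduced; `expected_counts` only shows, for that n, the gap between the two mean counts next to one standard deviation.

```python
# Added worked example (not the paper's own code): the complexity arithmetic of
# Appendices D and E redone exactly. The "20 look-ups = one AES round" rate, the
# per-coset cost 2^39.05 and the 2^40.77 cosets are the paper's figures, taken as given.
from fractions import Fraction
from math import comb, log2, sqrt

# p_AES, p_rand from the expansion above, truncated after the third term as in the text
P_AES = Fraction(1, 2**12) - Fraction(1048575, 2**45) + Fraction(46884625075, 2**76)
P_RAND = Fraction(1, 2**12) - Fraction(1048575, 2**45) + Fraction(183251413675, 2**76)

def log2_delta_p():
    """log2 |p_AES - p_rand|, computed exactly (text: 2^-39.011)."""
    d = abs(P_AES - P_RAND)
    return log2(d.numerator) - log2(d.denominator)

def sets_per_full_coset():
    """Sets T in one coset of C_I, |I|=2: 4 * 2^63 * (2^16-1)^3 / 2^18 (text: ~2^95)."""
    return 4 * 2**63 * (2**16 - 1)**3 // 2**18

def sets_in_subset():
    """Sets T in the 2^52-plaintext subset of C_{0,1} + a (text: ~2^71.5)."""
    return 3 * (2**48 * 4**2) * ((2**16 - 1)**2 * (16 - 1)) // 2**18

def colliding_pairs():
    """Expected pairs whose ciphertexts share a coset of M_J, |J|=3 (text: ~2^57)."""
    return comb(2**52, 2) * Fraction(1, 2**32) * Fraction(4, 2**16)

def lookups_to_encryptions(log2_lookups, rounds):
    """Paper's convention: 20 table/S-Box look-ups ~ one round of AES."""
    return log2_lookups - log2(20 * rounds)

def distinguisher_cost_log2():
    """(log2 table look-ups, log2 5-round encryptions) of the 5-round distinguisher."""
    n = 2**52
    lookups = 4 * (n * log2(n) + (n + 2 * 2**57)) + sets_in_subset()
    return log2(lookups), lookups_to_encryptions(log2(lookups), 5)

def attack_cost_log2():
    """(log2 cost for one key diagonal, log2 total) in 6-round encryptions."""
    lookups = 39.05 + 40.77 + 32                   # per coset * cosets * key guesses
    one_diag = lookups_to_encryptions(lookups, 6)  # text: 2^104.92
    return one_diag, log2(2**one_diag + 2**96)     # + brute force on 3 diagonals

def expected_counts(log2_n):
    """Mean number of 'good' sets for AES and random, plus sigma of the random case."""
    n = 2**log2_n
    return n * float(P_AES), n * float(P_RAND), sqrt(n * float(P_RAND))
```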

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Grassi, L. (2020). Probabilistic Mixture Differential Cryptanalysis on Round-Reduced AES. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-38470-8

  • Online ISBN: 978-3-030-38471-5
