Abstract
At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES was presented. Although it allows one to distinguish a random permutation from an AES-like one, it seems (rather) hard to exploit such a distinguisher in order to implement a key-recovery attack other than a brute-force-like one. On the other hand, this result has been exploited to set up a new (competitive) secret-key distinguisher for 4-round AES, called “Mixture Differential Cryptanalysis”.
In this paper, we combine this new 4-round distinguisher with a modified version of a truncated differential distinguisher in order to set up a new 5-round distinguisher, which exploits properties that are independent of the secret key, of the details of the S-Box and of the MixColumns matrix. As a result, while a “classical” truncated differential distinguisher exploits the probability that a pair of (two) texts satisfies or not a given differential trail independently of the other pairs, our distinguisher works with sets of \(N\gg 2 \) (related) pairs of texts. In particular, our new 5-round AES distinguisher exploits the fact that such sets of texts satisfy some properties with a different probability than for a random permutation.
Even if this 5-round distinguisher has a higher complexity than, e.g., the “multiple-of-8” one present in the literature, it can be used as a starting point to set up the first key-recovery attack on 6-round AES that directly exploits a 5-round secret-key distinguisher. The goal of this paper is indeed to present and explore new approaches, showing that even a distinguisher like the one presented at Eurocrypt – believed to be hard to exploit – can be the starting point for new secret-key distinguishers and/or key-recovery attacks.
Notes
1. A pair of texts has a certain difference if and only if the texts belong to the same coset of a particular subspace \(\mathcal X\).
2. Sometimes we use the notation \(R_{k}\) instead of R to highlight the round key k.
3. The i-th diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r- c = i\) mod 4. The i-th anti-diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r+c = i\) mod 4.
4. We mention that the following probabilities are “sufficiently good” approximations for the target of the paper, i.e. the errors of these approximations are so small that they do not affect the results of this paper. We refer to [7, Appendix A.2] for a discussion about this point.
5. More precisely:
$$\begin{aligned} p_{AES}&\simeq 2^{-13} - 524\,287 \cdot 2^{-46} - 22\,370\,411\,853 \cdot 2^{-77} + \ldots \\ p_{rand}&\simeq 2^{-13} - 524\,287 \cdot 2^{-46} + 45\,812\,722\,347\cdot 2^{-77} + \ldots \end{aligned}$$
6. As recalled in Sect. 3.2, this probability is approximately equal to \(2^{-6}\) for the AES case and \(2^{-30}\) for the random case.
7. A normal distribution is a valid approximation in the case in which the skewness (i.e. the asymmetry) of the binomial distribution is close to zero. The skewness \(\gamma \) of a binomial distribution \(\mathcal B(n,p)\) – given by \(\gamma = (1-2p)/\sqrt{np(1-p)}\) – is close to zero when \(p=0.5\) and/or \(n\cdot p \gg 1\).
8. For \(p_{rand}, p_{AES}\ll 1\): \(p_{rand} \cdot (1-p_{rand}) + p_{AES} \cdot (1-p_{AES})< p_{rand} + p_{AES} < 2 \cdot \max (p_{rand}, p_{AES})\).
9. In Appendix E, we briefly explain why it is not possible to set up the key-recovery attack using cosets of \(\mathcal D_I\) with \(|I|=2\) instead of \(|I|=1\).
10. The approximation “20 table look-ups \(\approx 1\) round of encryption” – largely used in the literature – is due to the fact that the cost of each round of AES is well approximated by the cost of 20 S-Box look-ups (16 for the round \(+\) 4 for the key-schedule). Even if this approximation is not formally correct – the size of the table of an S-Box look-up (equal to \(2^8\)) is smaller than the size of the table used for our distinguisher (approximately \(2^{32}\) – see Algorithm 1) – it allows a comparison between our distinguishers and the others currently present in the literature.
11. The source code of the distinguishers/attacks is available at https://github.com/Krypto-iaik/Distinguisher_5RoundAES.
12. To the best of our knowledge, the only case in which the behavior of small scale AES does not match that of real AES is the case of zero-sum distinguishers – see e.g. [14, Table 6]. In such a case, due to the degree of S-Box\((x)=x^{-1}\) in \(\mathbb F_2^n\) for \(n=4,8\), it is possible to cover more rounds (with a smaller data cost) for small scale AES than for real AES using zero-sum distinguishers. Since our results are independent of the details of the S-Box, we claim that our verification on the small scale variant of AES is strong evidence for it to hold for the real AES.
13. For completeness, we mention that it is potentially possible to (slightly) reduce the data cost by relaxing the property that the number of sets \(\mathcal S\) that satisfy the required property is the lowest one for the right key. The right key is then found by a brute force attack on the candidates that pass the test.
14. For example, for \(n = 2\) it follows that \({Prob}(A_{1}\cup A_{2})={Prob}(A_{1})+{Prob}(A_{2})-{Prob}(A_{1}\cap A_{2})\), while for \(n = 3\) it follows that \({Prob}(A_{1}\cup A_{2}\cup A_{3})={Prob}(A_{1})+{Prob}(A_{2})+{Prob}(A_{3})-{Prob}(A_{1}\cap A_{2})-{Prob}(A_{1}\cap A_{3})-{Prob}(A_{2}\cap A_{3})+{Prob}(A_{1}\cap A_{2}\cap A_{3})\).
15. If \(x\oplus y\in \mathcal M_I\) for \(|I|<3\), then \(\exists J\) with \(|J|=3\) and \(I\subseteq J\) such that \(x\oplus y\in \mathcal M_J\).
16. A complete proof will be provided in the extended version of this paper.
References
Bar-On, A., Dunkelman, O., Keller, N., Ronen, E., Shamir, A.: Improved key recovery attacks on reduced-round AES with practical data and memory complexities. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 185–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_7
Boura, C., Canteaut, A., Coggia, D.: A general proof framework for recent AES distinguishers. IACR Trans. Symmetric Cryptol. 2019(1), 170–191 (2019)
Cheon, J.H., Kim, M.J., Kim, K., Jung-Yeun, L., Kang, S.W.: Improved impossible differential cryptanalysis of Rijndael and Crypton. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 39–49. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_4
Cid, C., Murphy, S., Robshaw, M.J.B.: Small scale variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_10
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
Derbez, P., Fouque, P.-A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_28
Grassi, L.: Mixture differential cryptanalysis and structural truncated differential attacks on round-reduced AES. Cryptology ePrint Archive, Report 2017/832 (2017). https://eprint.iacr.org/2017/832
Grassi, L.: Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES. IACR Trans. Symmetric Cryptol. 2018(2), 133–160 (2018)
Grassi, L., Rechberger, C.: New rigorous analysis of truncated differentials for 5-round AES. IACR Cryptol. ePrint Arch. 2018, 182 (2018)
Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_10
Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2017). http://ojs.ub.rub.de/index.php/ToSC/article/view/571
Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
Rønjom, S., Bardeh, N.G., Helleseth, T.: Yoyo tricks with AES. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_8
Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_12
Tunstall, M.: Improved “Partial Sums”-based square attack on AES. In: International Conference on Security and Cryptography - SECRYPT 2012. LNCS, vol. 4817, pp. 25–34 (2012)
Acknowledgements
The author thanks the anonymous reviewers for their valuable comments and suggestions, and Willi Meier for shepherding the paper. This work has been partially supported by IOV42.
Appendices
A Subspace Trails for AES
In this section, we give all the details about the subspace trails of AES presented in [11], and briefly recalled in Sect. 3.
Definition 7
The column spaces \(\mathcal C_i\) are defined as \(\mathcal C_i = \langle e_{0, i}, e_{1, i}, e_{2, i}, e_{3, i} \rangle \).
For instance, \(\mathcal C_0\) corresponds to the symbolic matrix
Definition 8
The diagonal spaces \(\mathcal D_i\) are defined as \(\mathcal D_i = SR^{-1}(\mathcal C_i)\). Similarly, the inverse-diagonal spaces \(\mathcal {ID}_i\) are defined as \(\mathcal {ID}_i = SR(\mathcal C_i).\)
For instance, \(\mathcal D_0\) and \(\mathcal {ID}_0\) correspond to the symbolic matrices
for all \(x_1, x_2, x_3, x_4 \in \mathbb F_{2^8}\).
Definition 9
The i-th mixed spaces \(\mathcal M_i\) are defined as \(\mathcal M_i = MC (\mathcal {ID}_i)\).
For instance, \(\mathcal M_0\) corresponds to the symbolic matrix
for all \(x_1, x_2, x_3, x_4 \in \mathbb F_{2^8}\).
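As an added illustration (not code from the paper), the following Python builds the subspaces of Definitions 7, 8 and 9 from the standard AES ShiftRows and MixColumns maps and tests membership in \(\mathcal C_I\), \(\mathcal D_I\), \(\mathcal {ID}_I\) and \(\mathcal M_I\); the `support` helper recovers the non-zero positions of the symbolic matrices the definitions refer to, and `same_coset_M` is the coset test of footnote 1 that the distinguisher applies to ciphertext pairs. The state layout (byte at row r, column c stored at index 4c + r) and all function names are this example's own choices.

```python
# Added example (not from the paper): AES subspaces C_I, D_I, ID_I, M_I of Appendix A.
# A state is a list of 16 bytes; the byte at (row r, column c) sits at index 4*c + r.
from itertools import combinations

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MC = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def shift_rows(s, inverse=False):
    """ShiftRows: row r is rotated left by r positions (right by r for the inverse)."""
    out = [0] * 16
    for r in range(4):
        for c in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out[4 * c + r] = s[4 * src + r]
    return out

def mix_columns(s, inverse=False):
    """MixColumns: multiply every column by the (inverse) MDS matrix over GF(2^8)."""
    m = INV_MC if inverse else MC
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gf_mul(m[r][k], s[4 * c + k])
            out[4 * c + r] = v
    return out

# Membership tests, each a direct transcription of Definitions 7, 8 and 9.
def in_C(s, I):
    """x in C_I  <=>  every byte outside the columns indexed by I is zero."""
    return all(s[4 * c + r] == 0 for c in range(4) if c not in I for r in range(4))

def in_D(s, I):   # D_I = SR^{-1}(C_I)   <=>   SR(x) in C_I
    return in_C(shift_rows(s), I)

def in_ID(s, I):  # ID_I = SR(C_I)       <=>   SR^{-1}(x) in C_I
    return in_C(shift_rows(s, inverse=True), I)

def in_M(s, I):   # M_I = MC(ID_I)       <=>   MC^{-1}(x) in ID_I
    return in_ID(mix_columns(s, inverse=True), I)

def same_coset_M(x, y, I):
    """x and y lie in the same coset of M_I iff x xor y lies in M_I (footnote 1)."""
    return in_M([a ^ b for a, b in zip(x, y)], I)

def in_some_M3(x, y):
    """The distinguisher's event: x, y in the same coset of M_J for some J with |J| = 3."""
    return any(same_coset_M(x, y, set(J)) for J in combinations(range(4), 3))

def support(test, i):
    """Positions (r, c) whose unit vector e_{r,c} lies in the i-th space, i.e. the
    non-zero entries of the symbolic matrices of Definitions 7 and 8."""
    pos = set()
    for r in range(4):
        for c in range(4):
            e = [0] * 16
            e[4 * c + r] = 1
            if test(e, {i}):
                pos.add((r, c))
    return pos

def element_of_M(i, x1, x2, x3, x4):
    """Element of M_i generated by x1..x4: MC(SR(column i filled with x1..x4))."""
    s = [0] * 16
    for r, v in enumerate((x1, x2, x3, x4)):
        s[4 * i + r] = v
    return mix_columns(shift_rows(s))
```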
B Proof – Probabilities of Sect. 3.2
In this section, we prove the probabilities given in Sect. 3.2. We remark that all the following probabilities are not the exact ones, but “good enough” approximations useful for the target of the paper. In particular, as discussed in detail in [7, Appendix A.2], the error in all the following probabilities is of magnitude \(2^{-128}\).
Let \(I, J \subseteq \{0,1,2,3\}\). We recall that
where \(\mathcal M_I \cap \mathcal M_J = \{0\}\) if \(I\cap J = \emptyset \). Moreover, referring to [11], we recall that the probability that a random text x belongs to \(\mathcal M_I\) is well approximated by \(Prob(x\in \mathcal M_I) = 2^{-32 \cdot (4-|I|)}\), while given two random texts \(x\ne y\)
Proposition 1
The probability \(p_{|I|}\) that a random text x belongs to the subspace \(\mathcal M_I\) for a certain \( I \subseteq \{0,1,2,3\}\) with \(|I| = l\) fixed is well approximated by
where \(c_{2, 3} = 3\) and \(c_{|I|, i} = 1\) for \(\{|I|, i\}\ne \{2,3\}\).
Proof
By definition, given the events \(A_1, ..., A_n\) in a probability space \( (\varOmega ,{\mathcal {F}},{\mathbb {P}})\) then:
where the last sum runs over all subsets I of the indexes 1, ..., n which contain exactly k elements (see footnote 14). Due to (12), it follows that for \(|I|=1\)
For \(|I| = 3\), the probability is given by:
since given 4 different sets \(\mathcal M_I\) for \(|I| = 3\) there are \(\left( {\begin{array}{c}4\\ 2\end{array}}\right) = 6\) possible intersections of 2 sets and \(\left( {\begin{array}{c}4\\ 3\end{array}}\right) = 4\) possible intersections of 3 sets (none of these intersections is empty). Finally, for \(|I|=2\)
since given 6 different sets \(\mathcal M_I\) for \(|I| = 2\) there are \(\left( {\begin{array}{c}6\\ 2\end{array}}\right) = 15\) possible intersections of 2 sets. However, note that only 12 of them are not empty (since \(\mathcal M_{0,1} \cap \mathcal M_{2,3} = \mathcal M_{0,2} \cap \mathcal M_{1,3} = \mathcal M_{0,3} \cap \mathcal M_{1,2} = \emptyset \)). The result follows from \(\left( {\begin{array}{c}6\\ 1\end{array}}\right) = \left( {\begin{array}{c}4\\ 2\end{array}}\right) = 6\) and \(\left( {\begin{array}{c}6\\ 2\end{array}}\right) - 3= \left( {\begin{array}{c}4\\ 3\end{array}}\right) \cdot 3 = 12\). \(\square \)
Proposition 2
Let x, y be two random elements. Assume that there exists \(I \subseteq \{0,1,2,3\}\) such that \(x \oplus y \in \mathcal M_I\) (\(x \oplus y \notin \mathcal M_L\) for all \(L \subseteq \{0,1,2,3\}\) with \(|L| < |I|\)). The probability that \(\exists J \subseteq \{0,1,2,3\}\) with \(|J|=l\) fixed such that \(R(x) \oplus R(y) \in \mathcal M_J\) is well approximated by
where \(c_{2, 3} = 3\) and \(c_{|J|, i} = 1\) for \(\{|J|, i\}\ne \{2,3\}\).
Proof
As before, for \(|J|=3\):
The results for \(|J|=2\) and \(|J|=1\) are computed in the same way. \(\square \)
Proposition 3
Let x, y be two random elements such that \(x \oplus y \notin \mathcal M_I\) for each \(I \subseteq \{0,1,2,3\}\). Then, the probability that \(\exists J \subseteq \{0,1,2,3\}\) for \(|J|=l\) fixed such that \(R(x) \oplus R(y) \in \mathcal M_J\) is well approximated by
Proof
Let A and B be two events, and let C be the event such that \(A\cup C\) is equal to the sample space and such that \(A \cap C = \emptyset \). By definition
Thus
Note that (see footnote 15)
It follows that \(p_{|J|} = p_{|J|,3} \cdot p_{3} + \hat{p}_{|J|,3} \cdot (1-p_{3})\), which is the claim. \(\square \)
B.1 Pairs with n Equal Generating “Variables in \((\mathbb F_{2^8})^{|I|}\)”
Here we show that given texts in the same cosets of \(\mathcal C_I\) (and similar for \(\mathcal M_I\)) for \(I\subseteq \{0,1,2,3\}\), the number of pairs of texts with v equal generating “variable(s) in \((\mathbb F_{2^8})^{|I|}\)” for \(0\le v\le 3\) is given by
First of all, what is a “variable in \((\mathbb F_{2^8})^{|I|}\)”? W.l.o.g. consider \(|I|=2\) and assume \(I=\{0,1\}\) (the other cases are analogous). Given a text p in a coset of \(\mathcal M_I\), that is \(\mathcal M_I \oplus a\) for a given \(a\in \mathcal M_I^\perp \), \(\exists p_0^\prime , p_0^{''}, p_1^\prime , p_1^{''}, p_2 ^\prime , p_2^{''}, p_3^\prime , p_3^{''} \in \mathbb F_{2^8}\) s.t.
As for the case \(|I|=1\), the text p is defined by a \((p_0, p_1, p_2, p_3)\) where \(p_0 \equiv (p_0^\prime , p_0^{''}), p_1 \equiv (p_1^\prime , p_1^{''}), p_2 \equiv (p_2^\prime , p_2^{''}), p_3 \equiv (p_3^\prime , p_3^{''})\). In other words, the idea is to consider variables in \((\mathbb F_{2^8})^{2} \equiv \mathbb F_{2^8} \times \mathbb F_{2^8}\) and not in \(\mathbb F_{2^8}\). For \(|I|=3\), the idea is to work with variables in \((\mathbb F_{2^8})^3\).
Note. Given \(x=(x_0, x_1)\) and \(y=(y_0, y_1)\) in \((\mathbb F_{2^8})^{2}\), we say that \(x=y\) if and only if \(x_0 = y_0 \text { and } x_1 =y_1\). E.g. if \(x_0 = y_0\) and \(x_1\ne y_1\) (or vice versa), it follows that \(x\ne y\) as variables in \((\mathbb F_{2^8})^{2}\). An analogous result holds in \((\mathbb F_{2^8})^{3}\).
Proof. W.l.o.g. consider for simplicity the case \(|I|=1\). First of all, note that there are \(\left( {\begin{array}{c}4\\ v\end{array}}\right) \) different combinations of \(v\le 4\) variables. If \(v\ge 1\), the v variables that must be equal for the two texts of the pair can take \((2^8)^v\) different values. Each of the remaining \(4-v\) variables must be different for the two texts of each pair. Thus, these \(4-v\) variables can take exactly \(\bigl [(2^8)^{4-v} \cdot (2^{8}-1)^{4-v} \bigr ] / 2\) different values. The result follows immediately.
The formula for the other cases is obtained in an analogous way. \(\square \)
C Distinguisher on 5-Round AES – Cost
Here we discuss the computational cost of the distinguisher on 5-round AES proposed in Sect. 5 for the case of cosets of \(\mathcal C_I\) with \(|I|=1\).
A first possibility is to construct all the pairs, to divide them in sets \(\mathcal S\) defined above, and to count the number of sets that satisfy the required property working on each set separately. Since just the cost to construct all the pairs given \(2^{38.67}\) cosets is approximately of \(2^{38.67} \cdot 2^{31} \cdot (2^{32}-1) \simeq 2^{101.67}\) table look-ups, we present a more efficient way to implement the distinguisher.
To do this, we introduce a partial order \(\preceq \).
Definition 10
Let \(I\subset \{0,1,2,3\}\) with \(|I|=3\) and let \(l \in \{0,1,2,3\} \setminus I\). Let \(t^1, t^2 \in \mathbb F^{4\times 4}_{2^8}\) with \(t^1\ne t^2\). Texts \(t^1\) and \(t^2\) satisfy \(t^1 \preceq t^2\) if and only if one of the two following conditions is satisfied (indexes are taken modulo 4):
- there exists \(j \in \{0,1,2,3\}\) s.t. \(MC^{-1}(t^1)_{i,l-i} = MC^{-1}(t^2)_{i,l-i}\) for all \(i < j\) and \(MC^{-1}(t^1)_{j,l-j} < MC^{-1}(t^2)_{j,l-j}\);
- \(MC^{-1}(t^1)_{i,l-i} = MC^{-1}(t^2)_{i,l-i}\) for all \(i = 0, \ldots, 3\), and \(MC^{-1}(t^1) < MC^{-1}(t^2)\) where < is defined in Definition 4.
Let \(J\subseteq \{0,1,2,3\}\) with \(|J|=3\). First of all, one has to re-order the ciphertexts with respect to the partial order \(\preceq \) just defined. The cost to re-order a set of n texts w.r.t. a given partial order is \(\mathcal O(n\cdot \log n)\) table look-ups.
For each coset of \(\mathcal C_0\), given ordered (plaintexts, ciphertexts) and working only on consecutive ciphertexts, the idea is to count the number of collisions for each set \(\mathcal S_{(x_0, x_1), (y_0, y_1)}^{i,j}\). In more detail, for each coset of \(\mathcal C_0\) it is possible to construct \(N = 3\cdot 2^{15} \cdot (2^8-1)^2\) different sets \(\mathcal S_{(x_0, x_1), (y_0, y_1)}^{i,j}\) for each \(i, j \in \{0,1,2,3\}\) with \(i\ne j\) and for each \(x_0\ne y_0\) and \(x_1\ne y_1\). The idea is to consider a vector \(A[0, ..., N - 1]\) such that
All details are given in the following – pseudo-code is given in Algorithm 1.
To set up the distinguisher, it is sufficient to define a function \(\varphi \) that returns the index of a set \(\mathcal S_{(x_0, x_1), (y_0, y_1)}^{i,j}\) (where \(i<j\)) in the vector \(A[0, ..., N-1]\). Assuming \(x_0<y_0\) and \(x_1 < y_1\) (note that a set \(\mathcal S\) contains all plaintexts generated by different combinations of these four variables, so this condition is always fulfilled), the function \({\varphi (\cdot ): \, (\mathbb F_{2^8})^4 \times (\{0,1,2,3\})^2\rightarrow \, \mathbb N}\) can be defined as
where \(1\,065\,369\,600 = 32\,640^2\) (where \(32\,640 = 2^{n-1} \cdot (2^n-1)\) for \(n = 8\)), where \(\phi (0,1) = 0\), \(\phi (0,2) = 1\), \(\phi (0,3) = 2\), \(\phi (1,2) = 3\), \(\phi (1,3) = 4\), \(\phi (2,3) = 5\) and
where each value of \(x_0, x_1, y_0, y_1 \in \mathbb F_{2^8}\) is replaced by its corresponding number in \(\{0,1,..., 255\}\). The previous formula for \(\varPhi \) is obtained by observing that
1. for a fixed \(y \ge 1\), there are exactly y different pairs (x, y) that satisfy \(x \ge 0\) and \(x< y\);
2. for a fixed \(z \ge 1\), there are exactly \( \sum _{i = 1}^{z-1} i = \frac{z \cdot (z-1)}{2} \) different pairs (x, y) that satisfy \(x,y \ge 0\) and \(x< y \le z\);
3. given a pair (w, z) (where \(0\le w<z\)), there are exactly $$ w + \frac{z \cdot (z-1)}{2} $$ different pairs (x, y) that satisfy (1) \(y < z\) or (2) \(y=z\) and \(x \le w\).
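As an added example (not the paper's code), one concrete choice of \(\varphi \) assembled from the three counting facts above: the rank \(w + z(z-1)/2\) of a byte pair, \(32\,640\) such ranks per byte position, and \(\phi (i,j)\in \{0,\ldots ,5\}\) for the column pair. The paper's own formula is not reproduced on this page, so the way the three factors are combined here (and the function names) is an assumption of this example; the block also supplies the inverse map, so that one can check the index really is a bijection onto \(\{0,\ldots ,N-1\}\).

```python
# Added example (not from the paper): an index function phi for the vector A[0..N-1]
# of Appendix C. The combination of the three factors below is an assumption; any
# bijection from the sets S onto 0..N-1 serves the purpose of Algorithm 1.

PAIRS_PER_BYTE = 32640               # 2^7 * (2^8 - 1): unordered pairs x < y in F_{2^8}
PAIRS_SQUARED = PAIRS_PER_BYTE ** 2  # 1 065 369 600, as in the text
N_SETS = 6 * PAIRS_SQUARED           # = 3 * 2^15 * (2^8 - 1)^2 sets per coset of C_0

# phi(i, j) for i < j: the six column pairs, numbered as in the text
COLUMN_PAIR_INDEX = {(0, 1): 0, (0, 2): 1, (0, 3): 2, (1, 2): 3, (1, 3): 4, (2, 3): 5}

def pair_rank(w, z):
    """Rank of the pair (w, z), 0 <= w < z <= 255, in the order of fact 3:
    all pairs with y < z come first, then the pairs (x, z) with x <= w."""
    if not 0 <= w < z <= 255:
        raise ValueError("need 0 <= w < z <= 255")
    return w + z * (z - 1) // 2

def pair_unrank(rank):
    """Inverse of pair_rank: recover (w, z) from a rank in 0..32639."""
    # largest z with z*(z-1)/2 <= rank (fact 2); w is what remains
    z = 1
    while (z + 1) * z // 2 <= rank:
        z += 1
    return rank - z * (z - 1) // 2, z

def phi(x0, x1, y0, y1, i, j):
    """Index of S_{(x0,x1),(y0,y1)}^{i,j} in A[0..N-1]. As in the text, the arguments
    are taken in canonical form x0 < y0, x1 < y1 and i < j."""
    if not (x0 < y0 and x1 < y1 and i < j):
        raise ValueError("expected x0 < y0, x1 < y1 and i < j")
    return (pair_rank(x0, y0)
            + PAIRS_PER_BYTE * pair_rank(x1, y1)
            + PAIRS_SQUARED * COLUMN_PAIR_INDEX[(i, j)])

def phi_inverse(index):
    """Recover (x0, x1, y0, y1, i, j) in canonical form from an index in 0..N-1."""
    if not 0 <= index < N_SETS:
        raise ValueError("index out of range")
    col, rest = divmod(index, PAIRS_SQUARED)
    r1, r0 = divmod(rest, PAIRS_PER_BYTE)
    x0, y0 = pair_unrank(r0)
    x1, y1 = pair_unrank(r1)
    (i, j), = [pair for pair, v in COLUMN_PAIR_INDEX.items() if v == col]
    return x0, x1, y0, y1, i, j
```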
As a result, using Algorithm 1 to implement the distinguisher, the computational cost is well approximated by
table look-ups for each initial coset, where \(\left( {\begin{array}{c}2^{32}\\ 2\end{array}}\right) \cdot 2^{-32} \simeq 2^{31}\) is the average number of pairs such that the two ciphertexts belong to the same coset of \(\mathcal M_J\) for J fixed with \(|J|=3\). Since the attacker must use \(2^{38.66}\) different initial cosets to have a probability of success higher than 95%, the total computational cost is of \(2^{39.07}\cdot 2^{38.66} = 2^{77.73}\) table look-ups, or \(\approx 2^{71.1}\) five-round encryptions.
D Variant of the 5-Round AES Distinguisher of Sect. 5
In this section, we propose two variants of the 5-round secret-key distinguisher proposed in Sect. 5. The second one is the most competitive distinguisher (from the point of view of the data and the computational costs), but it cannot be used for a key-recovery attack, as discussed in the following.
To set up the distinguisher, we must recall one result from [8, 10]:
Theorem 5
Given the subspace \(\mathcal C_0 \cap \mathcal D_{0,2,3} \equiv \langle e_{0,0}, e_{1,0}, e_{2,0}\rangle \subseteq \mathcal C_0\), consider two plaintexts \(p^1\) and \(p^2\) in the same coset of \(\left( \mathcal C_0 \cap \mathcal D_{0,2,3} \right) \oplus a\) generated by \(p^1 \equiv (x^1, y^1, w^1)\) and \(p^2 \equiv (x^2, y^2, w^2)\). Let \(\hat{p}^1, \hat{p}^2 \in \left( \mathcal D_{0,2,3} \cap \mathcal C_0 \right) \oplus a\) be two other plaintexts generated by
where z can take any possible value in \(\mathbb F_{2^8}\). The following event
holds with prob. 1 for 4-round AES, independently of the secret key, of the details of the S-Box and of the MixColumns matrix.
D.1 Variant of the 5-Round Distinguisher of Sect. 5: Plaintexts in \(\mathcal C_{0,1}\)
Details of the Distinguisher. Consider \(2^{64}\) chosen plaintexts with two active columns (8 active bytes), e.g. a coset of \(\mathcal C_{0,1}\), and the corresponding ciphertexts after 5 rounds. For each \((\mathbf x, \mathbf y) \in \mathbb F_{2^8}^6 \times \mathbb F_{2^8}^6\) where \(\mathbf x = (x_0, x_1, x_2, ..., x_5)\) and \(\mathbf y = (y_0, y_1, y_2, ..., y_5)\) such that \((x_0, x_1) \ne (y_0, y_1)\), \((x_2, x_3) \ne (y_2, y_3)\) and \((x_4, x_5) \ne (y_4, y_5)\), let \(\mathcal T^{3}_{(\mathbf x, \mathbf y)}\) be the set of pairs of plaintexts defined as follows
In other words, the pair of plaintexts \(p, q \in \mathcal C_0\oplus a\) can be of the form
and so on. Similar definitions can be given for the set \(\mathcal T^{i}_{(\mathbf x, \mathbf y)} \) for each \(i\in \{0,1,2,3\}\), where the constant bytes are in the i-th diagonal. Given \(2^{64}\) plaintexts as before, it is possible to construct \(\frac{1}{2^{18}} \cdot 4\cdot 2^{63} \cdot (2^{16}-1)^3 \simeq 2^{95}\) different sets, where each set contains exactly \(2^{18}\) different pairs of plaintexts (we emphasize that these pairs of plaintexts are not independent, in the sense that a particular relationship among the generating variables holds).
Consider \(n\gg 1\) random sets, and count the number of sets for which two ciphertexts (generated by 5-round AES or by a random permutation) of at least one pair of texts belong to the same coset of a subspace \(\mathcal M_J\) for \(J\subseteq \{0,1,2,3\}\) and \(|J|=3\). As we are going to prove, this number is on average lower for AES than for a random permutation, independently of the secret key, of the details of the S-Box and of the MixColumns matrix. In more detail, the numbers of sets for 5-round AES \(n_{AES}\) and for a random permutation \(n_{rand}\) are well approximated by \( n_{AES} \simeq n\cdot p_{AES}\) and \( n_{rand}\simeq n\cdot p_{rand} \) where
These numbers are derived using the same proof (see footnote 16) proposed in Sect. 5.
Data Cost. In order to compute the data cost, we use the same argument as in Sect. 5.2. Since \(|p_{AES} - p_{rand}| \simeq 2^{-39.011}\) and \(p_{AES}\simeq p_{rand} \simeq 2^{-12}\), it follows that n must satisfy \(n> 2^{68.243}\) for a probability of success of approximately 95%. Since a single coset of \(\mathcal C_I\) for \(|I|=2\) contains approximately \(2^{95}\) different sets \(\mathcal T\), less than a single coset is sufficient to implement the distinguisher. In particular, a subset of the coset \(\mathcal C_{0,1} \oplus a\) of the form
for a certain constant a is sufficient to set up the distinguisher. Indeed, for such a set it is possible to construct approximately \(\frac{1}{2^{18}}\cdot 3 \cdot (2^{48} \cdot 4^2) \cdot [(2^{16}-1)^2 \cdot (16 -1)] \simeq 2^{71.5}\) different sets \(\mathcal T\) (remember that we are working with variables in \(\mathbb F_{2^8}^2\)), for a total of \((2^{8})^6 \cdot 4^2 \simeq 2^{52}\) chosen plaintexts.
Computational Cost. For the computational cost, the idea is to exploit Algorithm 1, suitably modified and adapted to the sets \(\mathcal T\), in order to implement the distinguisher. Using \(2^{52}\) chosen plaintexts in the same coset of \(\mathcal C_I\) for \(|I|=2\), the cost to count the number of sets \(\mathcal T\) for which two ciphertexts of at least one pair of plaintexts belong to the same coset of \(\mathcal M_J\) is
table look-ups, where \(\left( {\begin{array}{c}2^{52}\\ 2\end{array}}\right) \cdot 2^{-32} \cdot (4\cdot 2^{-16}) \simeq 2^{57}\) is the average number of pairs such that the two ciphertexts belong to the same coset of \(\mathcal M_J\) for a fixed J with \(|J|=3\) and the two plaintexts are in the same coset of \(\mathcal C_{0,1}\cap \mathcal D_I\) for a certain I with \(|I|=3\) (by definition of \(\mathcal T\)). Equivalently, the total cost is well approximated by \(2^{64.86}\) five-round encryptions.
E Key-Recovery Attack on 6-Round AES – Cost
Here we analyze the computational cost of the key-recovery attack on 6-round AES proposed in Sect. 6. The attack is implemented by exploiting Algorithm 1 for each possible guessed key in order to count the number of sets \(\mathcal S\) that satisfy the required property (i.e. two ciphertexts of at least one pair belong to the same coset of \(\mathcal M_J\) for a certain J with \(|J|=3\)). Since this number of sets is higher for a wrongly guessed key than for the right one, it is possible to recover the right candidate of the key.
An implementation of the attack is described by the pseudo-code given in Algorithm 2. To compute the computational cost, it is sufficient to re-consider the cost of the 5-round distinguisher. Given a coset of \(\mathcal C_0\), the cost to count the number of sets \(\mathcal S\) with the required property is \(2^{39.1}\) table look-ups. This step is repeated for each one of the \(2^{32}\) (partially) guessed keys and for each one of the \(2^{40.77}\) initial cosets of \(\mathcal D_0\), for a cost of \(2^{39.05}\cdot 2^{40.77} \cdot 2^{32} = 2^{111.82}\) table look-ups. Moreover, one needs to partially compute 1-round encryption for each possible guessed key and for each initial coset, for a cost of \(4\cdot 2^{32}\cdot 2^{40.77} \cdot 2^{32} = 2^{106.77}\) S-Box look-ups. As a result, the total cost of finding one diagonal of the key is well approximated by \(2^{111.82}\) table look-ups, or equivalently \(2^{104.92}\) six-round encryptions (under the assumption 20 table/S-Box look-ups \(\approx 1\)-round encryption). The total cost to find the entire key (using brute force on the last three diagonals) is of \(2^{104.92} + 2^{96} = 2^{104.93}\) six-round encryptions.
Why is it not possible to set up the key-recovery attack using cosets of \(\mathcal D_I\) with \(|I|=2\) instead of \(|I|=1\) (that is, the one proposed in Appendix D)? Without going into details, one has to guess 64 bits of the key instead of 32 for the attack that exploits the distinguisher proposed in Appendix D. As a consequence, this attack requires approximately \(2^{88.1}\) chosen plaintexts (in \(2^{24.1}\) different initial cosets of \(\mathcal D_I\) with \(|I|=2\)) and it has a total computational cost of approximately \(2^{176.2}\) six-round encryptions, (much) higher than the cost of a brute force attack.
© 2020 Springer Nature Switzerland AG
Cite this paper
Grassi, L. (2020). Probabilistic Mixture Differential Cryptanalysis on Round-Reduced AES. In: Paterson, K., Stebila, D. (eds) Selected Areas in Cryptography – SAC 2019. SAC 2019. Lecture Notes in Computer Science(), vol 11959. Springer, Cham. https://doi.org/10.1007/978-3-030-38471-5_3
DOI: https://doi.org/10.1007/978-3-030-38471-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-38470-8
Online ISBN: 978-3-030-38471-5