Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

Conference paper
Progress in Cryptology – INDOCRYPT 2020 (INDOCRYPT 2020)
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12578)

Abstract

In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES. The starting point of our work is “Mixture Differential Cryptanalysis”, recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature among distinguishers that do not require adaptive chosen plaintexts/ciphertexts: approximately half of the data necessary to set up a 3-round truncated differential distinguisher, which is currently the distinguisher in the literature with the lowest data complexity. For a success probability of 95%, our distinguisher requires just 10 chosen plaintexts, versus the 20 chosen plaintexts necessary to set up the truncated differential distinguisher.

Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-box is known and in the case in which it is secret.

Notes

  1. https://github.com/mschof/aes-mixint-analysis

  2. The i-th diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(c-r = i \bmod 4\). The i-th anti-diagonal of a \(4 \times 4\) matrix A is defined as the elements that lie on row r and column c such that \(r+c = i \bmod 4\).

  3. That is, we assume that \(\alpha \ne \beta \), \(\alpha \ne \gamma \), \(\alpha \ne \delta \), \(\beta \ne \gamma \), \(\beta \ne \delta \), and \(\gamma \ne \delta \).

  4. To be more precise, this is actually the probability for a random function. For a permutation \(\varPi (\cdot )\) and \(x\ne y\), the event \(\varPi (x) \oplus \varPi (y) = 0^{4\times 4}\) can never happen; equivalently, at least one byte of \(\varPi (x) \oplus \varPi (y)\) is different from zero. Since the probability that \(\varPi (x) \oplus \varPi (y) = 0^{4\times 4}\) is \(2^{-128}\) for a random function, this event changes the probability given in Eq. (4) only negligibly.

  5. Even if this approximation is not formally correct (the table of an S-box lookup is smaller than the table used for our proposed distinguisher), it allows a comparison between our distinguishers and the others currently present in the literature. This approximation is widely used in the literature, under the assumption that the linear/affine operations of each AES round are negligible in terms of cost.

  6. If it is not omitted, since MixColumns is a linear operation, it is sufficient to swap the final MixColumns and the final AddRoundKey operation: \( k \oplus MC(\cdot ) = MC(k^\prime \oplus \cdot ), \) where \(k^\prime = MC^{-1}(k)\). Once \(k^\prime \) is recovered, one can find k using the relation \(k=MC(k^\prime )\).

  7. Note that the case \(i=j=h\) and \(h\ne l\) is included here.

  8. We highlight that it does not seem possible to simply re-use sets of texts \(\mathfrak T\) defined as in Eq. (5) in order to decrease the total data complexity, since doing so affects the rank of the generated systems of equations. We leave it as an open problem to analyze alternative strategies that allow the data complexity to be reduced.

  9. The Rouché–Capelli theorem states that a system of linear equations in \(n\) variables has a solution if and only if the rank of its coefficient matrix is equal to the rank of its augmented matrix. Since we assign linearly independent values to the new variables, and since the rank of the whole matrix is at least \(247\), the rank of the augmented matrix is always larger than or equal to the rank of the coefficient matrix. Thus, verifying that the rank of the coefficient matrix increases when a variable is assigned, and that it reaches \(256\), is sufficient for our purposes.

  10. For example, we can choose assignments with low Hamming weight.
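
The following is an added example and not code from the paper or from its repository: a minimal GF(2^8) and MixColumns implementation used to spell out the index sets of note 2 and to check the AddRoundKey/MixColumns swap of note 6 on concrete values. The byte-ordering of the state (column-major, index 4*c + r), the helper names and the sample values are choices made here, not taken from the paper.

```python
# Added example, not code from the paper or its repository: GF(2^8) arithmetic,
# AES MixColumns and its inverse, the diagonal/anti-diagonal index sets of
# note 2, and a check of the AddRoundKey/MixColumns swap of note 6.
# Assumption: the state is a list of 16 bytes in column-major order, index = 4*c + r.


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


# Circulant matrices of MixColumns and InvMixColumns (FIPS 197).
MC_MATRIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MC_MATRIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def _mix(state, matrix):
    out = [0] * 16
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for i in range(4):
                v ^= gf_mul(matrix[r][i], col[i])
            out[4 * c + r] = v
    return out


def mix_columns(state):
    return _mix(state, MC_MATRIX)


def inv_mix_columns(state):
    return _mix(state, INV_MC_MATRIX)


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def diagonal(i):
    """(row, column) positions of the i-th diagonal: c - r = i mod 4 (note 2)."""
    return [(r, (r + i) % 4) for r in range(4)]


def anti_diagonal(i):
    """(row, column) positions of the i-th anti-diagonal: r + c = i mod 4 (note 2)."""
    return [(r, (i - r) % 4) for r in range(4)]


def swap_identity_holds(k, x):
    """Note 6: k ^ MC(x) == MC(k' ^ x) with k' = MC^{-1}(k)."""
    k_prime = inv_mix_columns(k)
    return xor(k, mix_columns(x)) == mix_columns(xor(k_prime, x))


def recover_round_key(k_prime):
    """Map the equivalent key k' recovered by an attack back to the real key k = MC(k')."""
    return mix_columns(k_prime)


if __name__ == "__main__":
    # Constructed sample values (not from the paper).
    x = [0xDB, 0x13, 0x53, 0x45] + list(range(4, 16))
    k = list(range(0xA0, 0xB0))
    print("MC(x) first column:", [hex(v) for v in mix_columns(x)[:4]])
    print("swap identity holds:", swap_identity_holds(k, x))
    print("diagonal 1:", diagonal(1), "anti-diagonal 1:", anti_diagonal(1))
```

The swap identity is what lets a key-recovery attack ignore the last MixColumns: whatever the attack returns as the last round key is k', and the real round key is MC(k').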
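
The following is an added example and not code from the paper or from its repository: Gaussian elimination over GF(2) that performs the Rouché–Capelli consistency check of note 9 and tests whether fixing a variable (to a low-Hamming-weight value, as note 10 suggests) raises the rank of the coefficient matrix. The toy system of four unknowns, the bitmask encoding of equations and all function names are constructed here; the paper's actual system has 256 unknowns and is not reproduced.

```python
# Added example, not code from the paper or its repository: Gaussian elimination
# over GF(2) to run the Rouché-Capelli consistency check of note 9 and to test,
# as in notes 9 and 10, whether fixing a variable to a chosen value raises the
# rank of the coefficient matrix. An equation over n boolean unknowns is a pair
# (coeff_mask, rhs): bit j of coeff_mask is the coefficient of x_j, rhs is 0 or 1.


def gf2_rank(rows):
    """Rank over GF(2) of a list of bitmask rows."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)                      # row with the highest leading bit
        rows.remove(pivot)
        rank += 1
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
        rows = [r for r in rows if r]
    return rank


def coefficient_rank(system):
    return gf2_rank([c for c, _ in system])


def augmented_rank(system):
    # Append the right-hand side as an extra column (the lowest bit).
    return gf2_rank([(c << 1) | b for c, b in system])


def is_consistent(system):
    """Rouché-Capelli: solvable iff rank(A) == rank([A | b])."""
    return coefficient_rank(system) == augmented_rank(system)


def assign(system, var, value):
    """Add the equation x_var = value. Returns (new_system, rank_increased)."""
    before = coefficient_rank(system)
    new_system = system + [(1 << var, value)]
    return new_system, coefficient_rank(new_system) == before + 1


def solve_unique(system, n):
    """Gauss-Jordan over GF(2); requires a consistent system with rank(A) == n."""
    rows = [list(eq) for eq in system]
    pivot_row = {}                            # variable -> index of its pivot row
    for var in range(n):
        piv = next((i for i, (c, _) in enumerate(rows)
                    if (c >> var) & 1 and i not in pivot_row.values()), None)
        if piv is None:
            raise ValueError("coefficient matrix is not of full rank")
        pivot_row[var] = piv
        pc, pb = rows[piv]
        for i, (c, b) in enumerate(rows):
            if i != piv and (c >> var) & 1:
                rows[i] = [c ^ pc, b ^ pb]
    return [rows[pivot_row[v]][1] for v in range(n)]


# Constructed toy system in 4 unknowns: x0+x1=1, x1+x2=0, x0+x2=1 (the third is
# the sum of the first two, so rank(A) = 2 and the system has free variables).
TOY_SYSTEM = [(0b0011, 1), (0b0110, 0), (0b0101, 1)]


def complete_and_solve(system, n):
    """Fix free variables one at a time (here to 0, a low-Hamming-weight choice as in
    note 10), keeping only assignments that raise the rank, until rank(A) == n."""
    for var in range(n):
        if coefficient_rank(system) == n:
            break
        candidate, grew = assign(system, var, 0)
        if grew:
            system = candidate
    return solve_unique(system, n)


if __name__ == "__main__":
    print("consistent:", is_consistent(TOY_SYSTEM))
    print("solution after completing the system:", complete_and_solve(TOY_SYSTEM, 4))
```

Only assignments that raise the rank of the coefficient matrix are kept, which is exactly the condition note 9 says must be verified; an assignment of a variable already determined by the existing equations leaves the rank unchanged and is discarded.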

References

  1. Bar-On, A., Dunkelman, O., Keller, N., Ronen, E., Shamir, A.: Improved key recovery attacks on reduced-round AES with practical data and memory complexities. J. Cryptol. 33(3), 1003–1043 (2019). https://doi.org/10.1007/s00145-019-09336-w
  2. Bardeh, N.G., Rønjom, S.: The exchange attack: how to distinguish six rounds of AES with \(2^{88.2}\) chosen plaintexts. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 347–370. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_12
  3. Bouillaguet, C., Derbez, P., Fouque, P.-A.: Automatic search of attacks on round-reduced AES and applications. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 169–187. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_10
  4. Boura, C., Canteaut, A., Coggia, D.: A general proof framework for recent AES distinguishers. IACR Trans. Symmetric Cryptol. 2019(1), 170–191 (2019)
  5. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343
  6. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
  7. Dunkelman, O., Keller, N., Ronen, E., Shamir, A.: The retracing boomerang attack. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 280–309. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_11
  8. Grassi, L.: MixColumns properties and attacks on (round-reduced) AES with a single secret S-box. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 243–263. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_13
  9. Grassi, L.: Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES. IACR Trans. Symmetric Cryptol. 2018(2), 133–160 (2018)
  10. Grassi, L., Rechberger, C.: Rigorous analysis of truncated differentials for 5-round AES. IACR Cryptol. ePrint Arch., Report 2018/182 (2018)
  11. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016)
  12. Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_10
  13. Grassi, L., Schofnegger, M.: Mixture integral attacks on reduced-round AES with a known/secret S-box. IACR Cryptol. ePrint Arch., Report 2019/772 (2019)
  14. Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9
  15. Rønjom, S., Bardeh, N.G., Helleseth, T.: Yoyo tricks with AES. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_8
  16. Sun, B., Liu, M., Guo, J., Qu, L., Rijmen, V.: New insights on AES-like SPN ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 605–624. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_22
  17. Tiessen, T.: Polytopic cryptanalysis. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_9
  18. Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_9

Acknowledgment

The authors thank the reviewers for their valuable comments.

Author information

Correspondence to Markus Schofnegger.

A Impossible Mixture Integral Attack on 4-round AES

(figure e: not reproduced on this page)

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Grassi, L., Schofnegger, M. (2020). Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds) Progress in Cryptology – INDOCRYPT 2020. INDOCRYPT 2020. Lecture Notes in Computer Science, vol. 12578. Springer, Cham. https://doi.org/10.1007/978-3-030-65277-7_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-65277-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-65276-0

  • Online ISBN: 978-3-030-65277-7

  • eBook Packages: Computer Science, Computer Science (R0)
