Improved Truncated Differential Distinguishers of AES with Concrete S-Box

  • Conference paper
Progress in Cryptology – INDOCRYPT 2022 (INDOCRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13774))

Abstract

The security of Advanced Encryption Standard (AES) is one of the most important issues in cryptanalysis. In ToSC 2020, Bao et al. proposed an open question about the relation between the input-output indices and the probability of truncated differentials. In this work, we try to answer this question, and accomplish a tighter bound for several types of truncated differential distinguishers based on the differential distribution table (DDT) of the S-box of AES.

In order to reduce the computational complexity, we choose the starting point in the middle of the differential instead of at the beginning, construct the DDT of 32-bit to 8/16-bit Super-Sboxes using an integrated S-box technique, and apply a divide-and-combine algorithm to perform the accurate calculation. For the 4-round truncated differentials with only one active byte in the input difference and one inactive byte in the output difference, we investigate the concrete probability of all 256 combinations of input-output indices. Moreover, our computation algorithms remove the independence assumption on functions made in Bao et al.'s work, and can be generalized to compute the probability of truncated differentials ending with two inactive bytes in one column. To take full advantage of these results, we construct a statistical model based on conditional probability and propose 4-, 5- and 6-round truncated differential distinguishers. Our 6-round distinguisher needs \(2^{62.88}\) chosen plaintexts and \(2^{63.42}\) encryptions, which is better than the published 6-round distinguishers in the key-independent secret-key setting. For all truncated differentials presented in this work, we perform experimental verifications on Small-AES variants, and the results show that our algorithms provide reliable results. Note that these results do not threaten the security of AES.

Notes

  1. The details of the Small-AES and the different 4-bit S-boxes are presented in Appendix A.

  2. The results will be presented in the full paper.

  3. The complete algorithms comprise Algorithms 4, 5, and 6. Algorithms 5 and 6 are presented in Appendix B.

  4. The source code of all algorithms to compute the probability and experimental verifications, the supplementary algorithms, and the verified results are provided on GitHub: https://github.com/ccchang123456/truncated_differential.git.

References

  1. National Institute of Standards and Technology: Advanced Encryption Standard, FIPS 197. US Department of Commerce, Washington D.C., November 2001. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

  2. Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30539-2_31

  3. Bao, Z., Guo, J., List, E.: Extended truncated-differential distinguishers on round-reduced AES. IACR Trans. Symmetric Cryptol. 2020(3), 197–261 (2020). https://doi.org/10.13154/tosc.v2020.i3.197-261

  4. Bar-On, A., Dunkelman, O., Keller, N., Ronen, E., Shamir, A.: Improved key recovery attacks on reduced-round AES with practical data and memory complexities. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 185–212. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_7

  5. Bardeh, N.G.: A Key-Independent Distinguisher for 6-round AES in an Adaptive Setting. IACR Cryptol. ePrint Arch., 2019:945. https://eprint.iacr.org/2019/945

  6. Bardeh, N.G., Rønjom, S.: The exchange attack: how to distinguish six rounds of AES with \(2^{88.2}\) chosen plaintexts. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 347–370. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_12

  7. Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_32

  8. Biryukov, A., De Cannière, C., Quisquater, M.: On multiple linear approximations. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 1–22. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_1

  9. Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_19

  10. Boura, C., Lallemand, V., Naya-Plasencia, M., Suder, V.: Making the Impossible Possible. J. Cryptol. 31(1), 101–133 (2017). https://doi.org/10.1007/s00145-016-9251-7

  11. Cid, C., Murphy, S., Robshaw, M.J.B.: Small scale variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_10

  12. Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343

  13. Daemen, J., Rijmen, V.: The Pelican MAC Function 2.0. IACR Cryptol. ePrint Arch., 2005:88. http://eprint.iacr.org/2005/088

  14. Daemen, J., Rijmen, V.: Two-Round AES Differentials. IACR Cryptol. ePrint Arch., 2006:39. http://eprint.iacr.org/2006/039

  15. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer (2002). https://doi.org/10.1007/978-3-662-04722-4

  16. Daemen, J., Rijmen, V.: Understanding two-round differentials in AES. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 78–94. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_6

  17. Daemen, J., Rijmen, V.: Plateau characteristics. IET Inf. Secur. 1(1), 11–17 (2007). https://doi.org/10.1049/iet-ifs:20060099

  18. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7

  19. Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23

  20. Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10

  21. Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.: Improved cryptanalysis of rijndael. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_15

  22. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_21

  23. Grassi, L.: Mixture Differential Cryptanalysis and Structural Truncated Differential Attacks on Round-Reduced AES. IACR Cryptol. ePrint Arch., 2017:832. https://ia.cr/2017/832

  24. Grassi, L.: Probabilistic mixture differential cryptanalysis on round-reduced AES. In: Paterson, K.G., Stebila, D. (eds.) SAC 2019. LNCS, vol. 11959, pp. 53–84. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-38471-5_3

  25. Grassi, L., Rechberger, C.: Truncated Differential Properties of the Diagonal Set of Inputs for 5-round AES. Accepted by ACISP 2022. IACR Cryptol. ePrint Arch., 2018:182. https://eprint.iacr.org/2018/182

  26. Grassi, L., Rechberger, C., Rønjom, S.: Subspace Trail Cryptanalysis and its Applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016). https://doi.org/10.13154/tosc.v2016.i2.192-225

  27. Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_10

  28. Gupta, B., Guttman, I., Jayalath, K.: Statistics and probability with applications for engineers and scientists using MINITAB, R and JMP. Wiley (2020). https://doi.org/10.1002/9781119516651

  29. Kaliski, B.S., Robshaw, M.J.B.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–39. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_4

  30. Li, L., Jia, K., Wang, X.: Improved single-key attacks on 9-round AES-192/256. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 127–146. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_7

  31. Matsui, M.: The first experimental cryptanalysis of the data encryption standard. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 1–11. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_1

  32. Patarin, J.: Generic attacks for the Xor of k random permutations. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 154–169. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_10

  33. Preneel, B.: Davies-Meyer Hash Function. In: van Tilborg, H.C.A. (ed.) Encyclopedia of Cryptography and Security. Springer (2005). https://doi.org/10.1007/0-387-23483-7_96

  34. Preneel, B.: Davies-Meyer. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd Ed, pp. 312–313. Springer (2011). https://doi.org/10.1007/978-1-4419-5906-5_569

  35. Rønjom, S., Bardeh, N.G., Helleseth, T.: Yoyo tricks with AES. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_8

  36. Samajder, S., Sarkar, P.: Rigorous upper bounds on data complexities of block cipher cryptanalysis. J. Math. Cryptol. 11(3), 147–175 (2017). https://doi.org/10.1515/jmc-2016-0026

  37. Zhang, B., Xu, C., Meier, W.: Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 643–662. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_31

Acknowledgments

We sincerely thank the anonymous reviewers for providing valuable comments to help us improve the overall quality of the paper. This work is supported by the National Key Research and Development Program of China (Grant No. 2018YFA0704702 & 2022YFB2701700), the National Natural Science Foundation of China (Grant No. 62032014), the Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053), the Major Basic Research Project of Natural Science Foundation of Shandong Province (Grant No. ZR202010220025), and the Education Teaching Reform and Research Program of Shandong University (Grant No. 2022Y286).

Author information

Corresponding author: Wei Wang.

Appendices

A Brief Description of Small-AES [11].

Small-AES is a 4-bit variant of AES. The differences compared to AES are: 1) Its block length is 64 bits, arranged as a 4 \(\times \) 4 state matrix whose elements are 4-bit nibbles instead of bytes. 2) The operations are performed in the finite field \(GF(2^{4})\), and the reduction polynomial of the MC (MixColumns) operation becomes \(X^{4}+X+1\). The details of the key schedule are omitted.

The details of the S-boxes are defined in Table 4.

Table 4. The different 4-bit S-boxes employed in our tests on Small-AES.
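As an added illustration of the Appendix A description (example code written for this page, not the authors' code or the repository linked in note 4): the GF(2^4) arithmetic and MixColumns of Small-AES, the DDT of a 4-bit S-box, and the exact probability of a one-column truncated differential computed from the DDT and confirmed by exhaustive enumeration. Since Table 4 did not survive extraction, the PRESENT S-box stands in for the paper's S-boxes; the MixColumns matrix is the AES one.

```python
# Added example (not from the paper): Small-AES column primitives and a DDT-based
# truncated-differential probability, cross-checked by exhaustive enumeration.
from functools import reduce
from itertools import product
from operator import xor

# Constructed stand-in for Table 4, which did not survive extraction: the 4-bit
# PRESENT S-box, used here only as an example permutation of GF(2^4).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # AES MixColumns matrix

def gf16_mul(a, b):
    """Multiply in GF(2^4) reduced by X^4 + X + 1 (0x13), as in Small-AES."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

def mix_column(col):
    """MixColumns on one column of four nibbles (linear, so it maps differences too)."""
    return [reduce(xor, (gf16_mul(m, c) for m, c in zip(row, col))) for row in MC]

def ddt(sbox):
    """DDT[a][b] = number of inputs x with sbox[x] ^ sbox[x ^ a] == b."""
    t = [[0] * 16 for _ in range(16)]
    for x, a in product(range(16), repeat=2):
        t[a][sbox[x] ^ sbox[x ^ a]] += 1
    return t

def prob_inactive_from_ddt(sbox, a, b, j):
    """P[output nibble j inactive after SB then MC | input difference (a, b, 0, 0)].
    Nibble j of MC(u, v, 0, 0) is MC[j][0]*u ^ MC[j][1]*v and the two active S-boxes see
    independent uniform inputs, so DDT entries multiply. With b == 0 the result is 0:
    MC has no zero entries, so one active nibble never yields an inactive output nibble."""
    t = ddt(sbox)
    total = sum(t[a][u] * t[b][v] for u, v in product(range(16), repeat=2)
                if gf16_mul(MC[j][0], u) == gf16_mul(MC[j][1], v))
    return total / 256

def prob_inactive_exhaustive(sbox, a, b, j):
    """Same probability by enumerating all 256 value pairs of the two active nibbles."""
    hits = 0
    for x0, x1 in product(range(16), repeat=2):
        diff = [sbox[x0] ^ sbox[x0 ^ a], sbox[x1] ^ sbox[x1 ^ b], 0, 0]
        hits += 1 if mix_column(diff)[j] == 0 else 0
    return hits / 256
```

For the PRESENT S-box and input difference (1, 1, 0, 0), both routines give 1/4 for output nibble 2 being inactive, and 0 for any single active input nibble.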

B Algorithm 5 and Algorithm 6 in the Calculation of 4-Round Truncated Differential with One Active Cell in Input and Two Inactive in Output

Algorithms 4, 5, and 6 make up the complete algorithm for calculating the truncated differential introduced in Sect. 3.3. Algorithm 5 corresponds to the modified Algorithm 2, and Algorithm 6 to the modified Algorithm 3.

[Figures: Algorithm 5 and Algorithm 6 are given as figures in the original.]

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Chang, C., Wang, M., Sun, L., Wang, W. (2022). Improved Truncated Differential Distinguishers of AES with Concrete S-Box. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_19

  • DOI: https://doi.org/10.1007/978-3-031-22912-1_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22911-4

  • Online ISBN: 978-3-031-22912-1
