
Statistical integral distinguisher with multi-structure and its application on AES-like ciphers

Cryptography and Communications

Abstract

Integral attack is one of the most powerful tools in the field of symmetric ciphers. In order to reduce the time complexity of the original integral attack, Wang et al. first proposed a statistical integral distinguisher at FSE’16. However, they did not consider the cases where there are several integral properties on the output and multiple structures of data have to be used at the same time. For such cases, we put forward a new statistical integral distinguisher, which enables us to reduce the data complexity compared to the traditional integral ones under multiple structures. As illustrations, we apply it to the known-key distinguishers on AES-like ciphers, including AES and the permutations of the Whirlpool, PHOTON and Grøstl-256 hash functions, based on Gilbert’s work at ASIACRYPT’14. These new distinguishers are the best ones compared with previous ones under the known-key setting. Moreover, we propose a secret-key distinguisher on 5-round AES under chosen-ciphertext mode. Its data, time and memory complexities are \(2^{114.32}\) chosen ciphertexts, \(2^{110}\) encryptions and \(2^{33.32}\) blocks. This is the best integral distinguisher on AES with a secret S-box under the secret-key setting so far.


Notes

  1. Active property means that the values on the target bits are uniformly distributed.

  2. Here is an underlying assumption that all \(T^{i}_{\lambda }(y) = H_{i}(\lambda , y)\) are i.i.d. If \(\{H_{i}(\lambda ,y)\}\) are simple and have a strong relationship with each other, this assumption is incorrect. However, in actual ciphers, integral distinguishers often cover so many rounds that \(\{H_{i}(\lambda ,y)\}\) are complicated and have enough randomness. So this assumption is suitable in practice, which is also verified by the experiments in Appendix A.1.

  3. These improved known-key distinguishers on AES-like ciphers in this paper follow the idea of Gilbert’s work at ASIACRYPT’14, but we adopt the statistical integral method instead of the integral method, together with more delicate processing, to reduce the data and time complexities.

References

  1. Aoki, K.: A middletext distinguisher for full CLEFIA-128. In: Proceedings of the international symposium on information theory and its applications, ISITA 2012, Honolulu, October 28-31, 2012, pp 521–525. IEEE, Piscataway (2012)

  2. Aumasson, J.-P., Meier, W.: Zero-sum distinguishers for reduced Keccak-f and for the core functions of Luffa and Hamsi 01 (2018)

  3. Barreto, P.S.L.M., Rijmen, V.: Whirlpool. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of cryptography and security. 2nd edn., pp 1384–1385. Springer, Berlin (2011)

  4. Biryukov, A. , Khovratovich, D., Nikolic, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) Advances in cryptology - CRYPTO 2009, 29th annual international cryptology conference, Santa Barbara, August 16-20, 2009, Proceedings, vol. 5677 of Lecture Notes in Computer Science, pp 231–249. Springer, Berlin (2009)

  5. Blondeau, C., Peyrin, T., Wang, L.: Known-key distinguisher on full PRESENT. In: Gennaro, R., Robshaw, M. (eds.): Advances in cryptology - CRYPTO 2015 - 35th annual cryptology conference, Santa Barbara, August 16-20, 2015, Proceedings, Part I, vol. 9215 of lecture notes in computer science, pp. 455–474. Springer, Berlin (2015)

  6. Cui, T., Sun, L., Chen, H., Wang, M.: Statistical integral distinguisher with multi-structure and its application on AES. In: Pieprzyk, J., Suriadi, S. (eds.) Information security and privacy - 22nd Australasian conference, ACISP 2017, Auckland, July 3-5, 2017, Proceedings, Part I, vol. 10342 of lecture notes in computer science, pp 402–420. Springer, Berlin (2017)

  7. Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) Fast software encryption, 4th international workshop, FSE ’97, Haifa, Israel, January 20-22, 1997, Proceedings, vol. 1267 of lecture notes in computer science, pp 149–165. Springer, Berlin (1997)

  8. Daemen, J., Rijmen, V.: The design of Rijndael: AES - the advanced encryption standard. Information Security and Cryptography. Springer, Berlin (2002)


  9. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl - a SHA-3 candidate. In: Handschuh, H., Lucks, S., Preneel, B., Rogaway, P. (eds.) Symmetric Cryptography, 11.01. – 16.01.2009, vol. 09031 of Dagstuhl seminar proceedings. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany (2009)

  10. Gilbert, H.: A simplified representation of AES. In: Sarkar, P., Iwata, T. (eds.) Advances in cryptology - ASIACRYPT 2014 - 20th international conference on the theory and application of cryptology and information security, Kaoshiung, R.O.C., December 7-11, 2014, Proceedings, Part I, vol. 8873 of lecture notes in computer science, pp 200–222. Springer, Berlin (2014)

  11. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) Fast software encryption, 17th international workshop, FSE 2010, Seoul, February 7-10, 2010, Revised Selected Papers, vol. 6147 of lecture notes in computer science, pp 365–383. Springer, Berlin (2010)

  12. Grassi, L., Rechberger, C., Rønjom, S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans Symmetric Cryptol 2016(2), 192–225 (2016)


  13. Grassi, L., Rechberger, C., Rønjom, S.: A new structural-differential property of 5-round AES. In: Coron, J., Nielsen, J.B. (eds.) Advances in cryptology - EUROCRYPT 2017 - 36th annual international conference on the theory and applications of cryptographic techniques, Paris, April 30 - May 4, 2017, Proceedings, Part II, volume 10211 of lecture notes in computer science, pp 289–317 (2017)

  14. Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) Advances in cryptology - CRYPTO 2011 - 31st annual cryptology conference, Santa Barbara, August 14-18, 2011 proceedings, vol. 6841 of lecture notes in computer science, pp 222–239. Springer, Berlin (2011)

  15. Jean, J., Naya-Plasencia, M., Peyrin, T.: Improved rebound attack on the finalist Grøstl. In: Canteaut, A. (ed.) Fast software encryption - 19th international workshop, FSE 2012, Washington, March 19-21, 2012, Revised Selected Papers, vol. 7549 of lecture notes in computer science, pp 110–126. Springer, Berlin (2012)

  16. Jean, J., Naya-Plasencia, M., Peyrin, T.: Multiple limited-birthday distinguishers and applications. In: Lange, T., Lauter, K.E., Lisonek, P. (eds.) Selected areas in cryptography - SAC 2013 - 20th international conference, Burnaby, August 14-16, 2013, Revised Selected papers, vol. 8282 of lecture notes in computer science, pp 533–550. Springer, Berlin (2013)

  17. Knudsen, L.R., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Kurosawa, K. (ed.) Advances in cryptology - ASIACRYPT 2007, 13th international conference on the theory and application of cryptology and information security, Kuching, December 2-6, 2007, Proceedings, vol. 4833 of lecture notes in computer science, pp 315–324. Springer, Berlin (2007)

  18. Knudsen, L.R., Wagner, D.A.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) Fast software encryption, 9th international workshop, FSE 2002, Leuven, February 4-6, 2002, revised papers, vol. 2365 of lecture notes in computer science, pp 112–127. Springer, Berlin (2002)

  19. Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: Results on the full whirlpool compression function. In: Matsui, M. (ed.) Advances in cryptology - ASIACRYPT 2009, 15th international conference on the theory and application of cryptology and information security, Tokyo, December 6-10, 2009. Proceedings, vol. 5912 of lecture notes in computer science, pp 126–143. Springer, Berlin (2009)

  20. Lamberger, M., Mendel, F., Schläffer, M., Rechberger, C., Rijmen, V.: The rebound attack and subspace distinguishers: Application to whirlpool. J. Cryptology 28(2), 257–296 (2015)


  21. Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) Selected areas in cryptography, 16th annual international workshop, SAC 2009, Calgary, August 13-14, 2009, Revised Selected Papers, vol. 5867 of lecture notes in computer science, pp 16–35. Springer, Berlin (2009)

  22. Minier, M., Phan, R.C., Pousse, B.: Distinguishers for ciphers and known key attack against Rijndael with large blocks. In: Preneel, B. (ed.) Progress in cryptology - AFRICACRYPT 2009, Second international conference on cryptology in Africa, Gammarth, June 21-25, 2009, Proceedings, vol. 5580 of lecture notes in computer science, pp 60–76. Springer, Berlin (2009)

  23. Sun, B., Liu, M., Guo, J., Qu, L., Rijmen, V.: New insights on AES-like SPN ciphers. In: Robshaw, M., Katz, J. (eds.) Advances in cryptology - CRYPTO 2016 - 36th annual international cryptology conference, Santa Barbara, August 14-18, 2016, Proceedings, Part I, vol. 9814 of lecture notes in computer science, pp 605–624. Springer, Berlin (2016)

  24. Sun, B. , Liu, Z., Rijmen, V., Li, R., Cheng, L., Wang, Q., AlKhzaimi, H., Li, C.: Links among impossible differential, integral and zero correlation linear cryptanalysis. In: Gennaro, R., Robshaw, M. (eds.): Advances in cryptology - CRYPTO 2015 - 35th annual cryptology conference, Santa Barbara, August 16-20, 2015, Proceedings, Part I, vol. 9215 of lecture notes in computer science, pp. 95–115. Springer, Berlin (2015)

  25. Wang, M., Cui, T., Chen, H., Sun, L., Wen, L., Bogdanov, A.: Integrals go statistical: cryptanalysis of full Skipjack variants. In: Peyrin, T. (ed.) Fast software encryption - 23rd international conference, FSE 2016, Bochum, March 20-23, 2016, Revised Selected Papers, vol. 9783 of lecture notes in computer science, pp 399–415. Springer, Berlin (2016)


Acknowledgements

This work has been supported by NSFC Projects (No. 61572293, No. 61502276, No. 61692276), National Cryptography Development Fund (MMJJ20170102), National Natural Science Foundation of Shandong Province, China (ZR2016FM22), Fundamental Research Fund of Shandong Academy of Sciences (NO.2018:12-16), Major Scientific and Technological Innovation Projects of Shandong Province, China (2017CXGC0704).

Author information


Corresponding author

Correspondence to Meiqin Wang.

Additional information

This article is part of the Topical Collection on Special Issue on Statistics in Design and Analysis of Symmetric Ciphers

This is an extended version of [6] presented at ACISP 2017. In [6] we proposed a statistical integral distinguisher with a multiple-structure model and used it directly in known-key distinguishers on AES. In this paper, besides the content of [6], we generalize the known-key distinguisher to AES-like ciphers in Section 4 and apply it not only to AES but also to other AES-like ciphers such as Whirlpool, PHOTON and Grøstl-256 in Section 5. The structure of the whole paper has been changed compared with [6].

Appendix

A.1 Experimental results

In order to verify the theoretical model of the statistical integral distinguisher in Section 3, we implement the distinguishing attack of Section 4.2 on a mini variant of AES with a 64-bit block size, denoted AES* here. The round function of AES* is similar to that of AES and consists of four operations, i.e., SB, SR, MC and AK. The 64-bit block is partitioned into 16 nibbles, and SB uses the S-box S0 of LBlock. SR is the same as that of AES, and the matrix used in MC is

$$M=\left( \begin{array}{llll} 1&1&4&9\\ 9&1&1&4\\ 4&9&1&1\\ 1&4&9&1 \end{array}\right), $$

which is defined over \(GF(2^{4})\). For the multiplication, each nibble and each entry of M are regarded as polynomials over GF(2), and the nibble is multiplied by the entry of M modulo \(x^{4} + x + 1\). The addition is simply the XOR operation. The subkeys are XORed with the nibbles in the AK operation.

There is a similar known-key integral distinguisher for 8-round AES* because of its similarity to AES, see Fig. 1. Given a set of data \(\mathcal {Z}=\{(x,0,0,0) \oplus R(y,0,0,0)\,|\,x\in \{0,1\}^{16}\}\) for fixed y, i.e., the first column of \(\mathcal {Z}\) takes all \(2^{16}\) possible values and the other columns are fixed to constants, after the SRS operation each column of the output v is active, i.e., the \(2^{16}\) values are uniformly distributed on each column of the output. Since \(R^{-1}(\mathcal {Z})=\{R^{-1}(x,0,0,0)\oplus (y,0,0,0)\}\) consists of \(2^{16}\) structures, each of which takes all \(2^{16}\) possible values on the first column and constants on the other columns, after the \((SRS)^{-1}\) operation each column of the output u is active.
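To make the AES* arithmetic of this appendix concrete, the following Python illustration (added here; it is not code from the paper or its authors) implements multiplication over \(GF(2^{4})\) modulo \(x^{4} + x + 1\) and the MC matrix M printed above. It checks that M is invertible (nonzero determinant, and a bijection on all \(2^{16}\) column values) and that a structure in which one nibble of a column runs through all 16 values yields an active nibble at every output position, which is the single-column building block behind the active-column property used in the distinguisher. The S-box and key addition are not needed for this check and are omitted; the constants in the sample structure are constructed values, not from the paper.

```python
from itertools import product

# Added illustration (not the paper's code): GF(2^4) arithmetic with the
# reduction polynomial x^4 + x + 1 and the AES* MixColumns matrix M.

POLY = 0b10011  # x^4 + x + 1


def gf16_mul(a: int, b: int) -> int:
    """Multiply two nibbles as polynomials over GF(2), reduced modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:        # degree reached 4: reduce by the modulus
            a ^= POLY
    return r & 0xF


# 16x16 multiplication table so the exhaustive checks below stay fast.
MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]

# The AES* MixColumns matrix exactly as printed in Appendix A.1.
M = [[1, 1, 4, 9],
     [9, 1, 1, 4],
     [4, 9, 1, 1],
     [1, 4, 9, 1]]


def mix_column(col, matrix=M):
    """Apply MC to one column of four nibbles: out_i = XOR_j M[i][j] * col[j]."""
    out = []
    for row in matrix:
        acc = 0
        for m, c in zip(row, col):
            acc ^= MUL[m][c]
        out.append(acc)
    return out


def det_gf16(mat):
    """Determinant by Laplace expansion; in characteristic 2 there are no signs."""
    if len(mat) == 1:
        return mat[0][0]
    d = 0
    for j, entry in enumerate(mat[0]):
        minor = [row[:j] + row[j + 1:] for row in mat[1:]]
        d ^= MUL[entry][det_gf16(minor)]
    return d


def mc_is_permutation() -> bool:
    """MC is invertible on columns iff the 2^16 column values have 2^16 distinct images."""
    images = {tuple(mix_column(col)) for col in product(range(16), repeat=4)}
    return len(images) == 16 ** 4


def active_counts(active_pos: int, constants):
    """Let nibble `active_pos` take all 16 values while the other nibbles keep the
    given constants (a constructed structure); return how many distinct values each
    output nibble takes. A count of 16 means that output nibble is active (note 1)."""
    seen = [set() for _ in range(4)]
    for x in range(16):
        col = list(constants)
        col[active_pos] = x
        for i, v in enumerate(mix_column(col)):
            seen[i].add(v)
    return [len(s) for s in seen]


if __name__ == "__main__":
    print("det(M) =", det_gf16(M))                      # nonzero: M is invertible
    print("MC bijective on columns:", mc_is_permutation())
    # Constructed sample: nibble 0 active, the others fixed to 5, 10, 15.
    print("distinct values per output nibble:", active_counts(0, [0, 5, 10, 15]))
```

Because every entry of M is nonzero, each output nibble is an affine bijection of the single active input nibble, which is why all four counts come out as 16; the exhaustive bijectivity check is what guarantees that the inverse operation \((SRS)^{-1}\) used in the text is well defined at the MC layer.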

In our experiment, we consider the distributions of four 8-bit values in v, consisting of the first and second nibble in each column of v. Here s = 16, t = 8 and b = 4. If we set \(\alpha_{0} = 0.2\) and take different values for N and \(N_{s}\), then \(\alpha_{1}\) and τ can be computed using (8). By randomly choosing \(N_{s}\) values for y and N values for x, we run the experiment to compute the statistic C for AES* and for random permutations. With 2000 repetitions of the experiment, we obtain the empirical error probabilities \(\widehat {\alpha _{0}}\) and \(\widehat {\alpha _{1}}\). The experimental results for \(\widehat {\alpha _{0}}\) and \(\widehat {\alpha _{1}}\) are compared with the theoretical values \(\alpha_{0}\) and \(\alpha_{1}\) in Fig. 4.

Fig. 4: Experimental results for AES* considering four input bytes. In detail, the value of \(\alpha_{0}\) is fixed and the values of N and \(N_{s}\) are varied; the theoretical and empirical \(\alpha_{0}\) are shown in the left part of the figure, and the corresponding \(\alpha_{1}\), calculated and tested by equation (5), is shown in the right part of the figure.

Moreover, we implement a second experiment where we set b = 4 with two bytes of u and two bytes of v. We set \(\alpha_{0} = 0.2\) and let \(N = N_{s}\); the empirical error probabilities are obtained from 1000 repetitions of the experiment. The experimental results for \(\widehat {\alpha _{0}}\) and \(\widehat {\alpha _{1}}\) are compared with the theoretical values \(\alpha_{0}\) and \(\alpha_{1}\) in Fig. 5.

Fig. 5: Experimental results for AES* considering two input and two output bytes. In detail, the theoretical \(\alpha_{0} = 0.2\) is fixed and the value of N is varied; the corresponding theoretical \(\alpha_{1}\) and the empirical \(\alpha_{0}\) and \(\alpha_{1}\) are calculated and tested by equation (5) in this figure.

Figures 4 and 5 show that the tested error probabilities are in good accordance with those of the theoretical model.


Cite this article

Cui, T., Chen, H., Mesnager, S. et al. Statistical integral distinguisher with multi-structure and its application on AES-like ciphers. Cryptogr. Commun. 10, 755–776 (2018). https://doi.org/10.1007/s12095-018-0286-5
