Cryptanalysis of AES-PRF and its dual

A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5-th round as the feed-forward to the output state. This paper presents extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the s-th round is used as the feed-forward. We also analyze the security of "dual" constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the s-th round. We apply an impossible differential attack, a zero-correlation linear attack, a traditional differential attack, a zero-correlation linear distinguishing attack and a meet-in-the-middle attack to these PRFs and their reduced-round versions. We show that AES-PRF is broken whenever s ≤ 2 or s ≥ 6, or when reduced to 7 rounds, and that Dual-AES-PRF is broken whenever s ≤ 4 or s ≥ 8. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight into its security.
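The abstract describes the constructions in one sentence each, so here is an added, runnable illustration of AES-PRF_s and Dual-AES-PRF_s. This is example code written for this record, not code from the paper or its authors. It implements AES-128 from scratch (FIPS-197) so that intermediate round states are available, and it assumes the following convention for indexing them: X_0 is the state after the initial AddRoundKey, X_i (i = 1..10) is the state after round i, so X_10 is the ciphertext. The reading of the dual construction (the input block is XORed into X_s and the remaining 10 - s rounds are then applied) is also an assumption based on the abstract's wording. The function names aes_round_states, aes_prf and dual_aes_prf are this example's own.

```python
# Added example, not code from the paper or its authors: a from-scratch AES-128 (FIPS-197)
# exposing its round states, plus the AES-PRF_s and Dual-AES-PRF_s constructions the abstract
# describes.  Assumed convention: X_0 = state after the initial AddRoundKey, X_i = state after
# round i (i = 1..10), so X_10 is the AES ciphertext.  State layout is column-major as in FIPS-197.

def _xtime(a):                       # multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):                     # general GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():                   # inverse via log/antilog tables (generator 0x03), then the affine map
    exp, log, x = [0] * 256, [0] * 256, 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)               # x *= 3
    sbox = []
    for v in range(256):
        b = exp[(255 - log[v]) % 255] if v else 0
        s = b
        for _ in range(4):           # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _expand_key(key):                # AES-128 key schedule -> 11 round keys of 16 bytes
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]       # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append(_xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):                  # row r (index i % 4) rotates left by r positions
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
                _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
    return out

def _apply_rounds(x, rk, first, last):   # rounds first..last inclusive; round 10 skips MixColumns
    for r in range(first, last + 1):
        x = _shift_rows(_sub_bytes(x))
        if r != 10:
            x = _mix_columns(x)
        x = _xor(x, rk[r])
    return x

def aes_round_states(key, block):
    """Return [X_0, ..., X_10] as byte lists (assumed convention, see header)."""
    rk = _expand_key(key)
    states = [_xor(list(block), rk[0])]
    for r in range(1, 11):
        states.append(_apply_rounds(states[-1], rk, r, r))
    return states

def aes_encrypt(key, block):
    return bytes(aes_round_states(key, block)[10])

def aes_prf(key, block, s=5):
    """AES-PRF_s(K, M) = AES_K(M) xor X_s; s = 5 is the designers' AES-PRF."""
    st = aes_round_states(key, block)
    return bytes(_xor(st[10], st[s]))

def dual_aes_prf(key, block, s=5):
    """Dual-AES-PRF_s(K, M): feed M forward into X_s, then apply rounds s+1..10 (assumed reading)."""
    rk = _expand_key(key)
    x = _apply_rounds(_xor(list(block), rk[0]), rk, 1, s)
    x = _xor(x, list(block))
    return bytes(_apply_rounds(x, rk, s + 1, 10))

if __name__ == "__main__":
    key = bytes(range(16))                                     # FIPS-197 Appendix C.1 test vector
    msg = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("AES-128         ", aes_encrypt(key, msg).hex())    # 69c4e0d86a7b0430d8cdb78070b4c55a
    for s in (2, 5, 6):
        print(f"AES-PRF_{s}       ", aes_prf(key, msg, s).hex())
        print(f"Dual-AES-PRF_{s}  ", dual_aes_prf(key, msg, s).hex())
```

The AES core is checked against the FIPS-197 known-answer vector, which is the only ground truth available here; the PRF outputs themselves have no published test vectors in this record. The two degenerate endpoints make the constructions concrete: AES-PRF_10 is identically zero (the output is XORed with itself), and Dual-AES-PRF_10 is AES_K(M) xor M. The paper's attacks (on AES-PRF_s for s ≤ 2, s ≥ 6 and 7-round reductions; on Dual-AES-PRF_s for s ≤ 4, s ≥ 8) are not implemented in this example.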


Bibliographic Details
Main Authors: Todo, Yosuke, Sun, Siwei, Iwata, Tetsu, Derbez, Patrick, Sun, Ling, Wang, Meiqin, Wang, Haoyang
Other Authors: School of Physical and Mathematical Sciences
Format: Article
Language:English
Published: 2018, IACR Transactions on Symmetric Cryptology, 2018(2), 161-191 (deposited in DR-NTU 2019)
Subjects: AES-PRF; Dual-AES-PRF; DRNTU::Science::Mathematics
Online Access:https://hdl.handle.net/10356/104039
http://hdl.handle.net/10220/49461
Institution: Nanyang Technological University
Citation: Derbez, P., Iwata, T., Sun, L., Sun, S., Todo, Y., Wang, H., & Wang, M. (2018). Cryptanalysis of AES-PRF and its dual. IACR Transactions on Symmetric Cryptology, 2018(2), 161-191.
DOI: 10.13154/tosc.v2018.i2.161-191
Journal: IACR Transactions on Symmetric Cryptology, published by Ruhr University Bochum
Version: Published version, 31 p., application/pdf
Rights: © 2018 The Author(s). All rights reserved. This paper was published by Ruhr University Bochum in IACR Transactions on Symmetric Cryptology and is made available with permission of The Author(s).
Repository record: sg-ntu-dr.10356-104039 (DR-NTU collection, NTU Library, Nanyang Technological University, Singapore); deposited 2019-07-24, last updated 2023-02-28