Extended truncated-differential distinguishers on round-reduced AES
Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher...
Saved in:
| Main Authors: | , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
2020
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/145110 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-145110 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1451102023-02-28T19:34:42Z Extended truncated-differential distinguishers on round-reduced AES Bao, Zhenzhen Guo, Jian List, Eik School of Physical and Mathematical Sciences Science::Mathematics Cryptanalysis AES Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher. For substitution-permutation networks, integral attacks are a suitable target for extension since they usually end after a linear layer sums several subcomponents. Based on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that for a random primitive. Though, their target remained lightweight primitives. The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds. In contrast to previous distinguishers by Grassi et al., our approach allows to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.’s established Small-AES version. While the distinguishers do not threaten the security of the AES, they try to shed more light on its properties. Ministry of Education (MOE) Nanyang Technological University Published version The stay by Eik List at Nanyang Technical University Singapore was kindly supported by the DAAD IPID4all programme through the Bauhaus Research School at Weimar. Parts of the research leading to these results was made possible by DFG Grant LU 608/9-1. This research is partially supported by Nanyang Technological University in Singapore under Grant 04INS000397C230, Singapore’s Ministry of Education under Grants RG18/19 and MOE2019-T2-1-060. Special thanks go to Lorenzo Grassi and Sondre Rønjom for numerous fruitful discussions, suggestions, and hints that lead to considerable improvements. Moreover, we thank Navid Bardeh and Sondre Rønjom for discussions and insights on their recent publications. Thanks to Jannis Bossert and Stefan Lucks for their helpful suggestions on the four-round distinguisher. Moreover, our thanks go to Maik Fröbe, Johannes Kiesel, and Michael Völske for their kind support for working on the Webis betaweb cluster. We thank the ToSC reviewers and Orr Dunkelman for numerous very good comments and hints that improved the quality of this work considerably. They also hinted us to the work by Heys [Hey14]. 2020-12-11T03:05:23Z 2020-12-11T03:05:23Z 2020 Journal Article Bao, Z., Guo, J., & List, E. (2020). Extended truncated-differential distinguishers on round-reduced AES. IACR Transactions on Symmetric Cryptology, 2020(3), 197-261. doi:10.13154/tosc.v2020.i3.197-261 2519-173X https://hdl.handle.net/10356/145110 10.13154/tosc.v2020.i3.197-261 3 2020 197 261 en 04INS000397C230 RG18/19 MOE2019-T2-1-060 IACR Transactions on Symmetric Cryptology © 2020 Zhenzhen Bao, Jian Guo, Eik List. This work is licensed under a Creative Commons Attribution 4.0 International License. application/pdf |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Science::Mathematics Cryptanalysis AES |
| spellingShingle |
Science::Mathematics Cryptanalysis AES Bao, Zhenzhen Guo, Jian List, Eik Extended truncated-differential distinguishers on round-reduced AES |
| description |
Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher. For substitution-permutation networks, integral attacks are a suitable target for extension since they usually end after a linear layer sums several subcomponents. Based on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that for a random primitive. Though, their target remained lightweight primitives. The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds. In contrast to previous distinguishers by Grassi et al., our approach allows to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.’s established Small-AES version. While the distinguishers do not threaten the security of the AES, they try to shed more light on its properties. |
| author2 |
School of Physical and Mathematical Sciences |
| author_facet |
School of Physical and Mathematical Sciences Bao, Zhenzhen Guo, Jian List, Eik |
| format |
Article |
| author |
Bao, Zhenzhen Guo, Jian List, Eik |
| author_sort |
Bao, Zhenzhen |
| title |
Extended truncated-differential distinguishers on round-reduced AES |
| title_short |
Extended truncated-differential distinguishers on round-reduced AES |
| title_full |
Extended truncated-differential distinguishers on round-reduced AES |
| title_fullStr |
Extended truncated-differential distinguishers on round-reduced AES |
| title_full_unstemmed |
Extended truncated-differential distinguishers on round-reduced AES |
| title_sort |
extended truncated-differential distinguishers on round-reduced aes |
| publishDate |
2020 |
| url |
https://hdl.handle.net/10356/145110 |
| _version_ |
1759858278683115520 |