Abstract
Distinguishers on round-reduced AES have attracted considerable attention in the recent years. While the number of rounds covered in key-recovery attacks did not increase, subspace, yoyo, mixture-differential, and multiple-of-n cryptanalysis advanced the understanding of the properties of the cipher.For substitution-permutation networks, integral attacks are a suitable target for extension since they usually end after a linear layer sums several subcomponents. Based on results by Patarin, Chen et al. already observed that the expected number of collisions for a sum of permutations differs slightly from that for a random primitive. Though, their target remained lightweight primitives.The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds. In contrast to previous distinguishers by Grassi et al., our approach allows to prepend a round that starts from a diagonal subspace. We demonstrate how the prepended round can be used for key recovery with a new differential key-recovery attack on six-round AES. Moreover, we show how the prepended round can also be integrated to form a six-round distinguisher. For all distinguishers and the key-recovery attack, our results are supported by implementations with Cid et al.’s established Small-AES version. While the distinguishers do not threaten the security of the AES, they try to shed more light on its properties.
Highlights
During the previous two decades, the Advanced Encryption Standard (AES) [Nat01] has withstood vast amounts of cryptanalysis
We present the results of a practical implementation of the five-round distinguisher and the six-round key-recovery attacks with a small-scale variant of the AES
As for our four-round distinguisher, we show the theoretical probability of inverse-diagonal collisions after almost five rounds in Setting (2)
Summary
During the previous two decades, the Advanced Encryption Standard (AES) [Nat01] has withstood vast amounts of cryptanalysis. Besides the biclique-based accelerated exhaustive search [BKR11],1 the best-known attacks on AES-128 in the secret-key model cover seven rounds, as had been the state of the art close after its announcement [FKL+00]. Among the keyrecovery attacks that cover that most rounds [BLNS18, DFJ13, FKL+00, MDRM10], the meet-in-the-middle attacks by Derbez et al possess the lowest time and data complexities since 2013 [DFJ13]. Their attacks were based on Demirci and Selçuk’s [DS08] variant of the earlier collision attack by Gilbert and Minier [GM00]. Received: 2019-06-01 Revised: 2019-09-01 Accepted: 2020-01-23 Published: 2020-09-28
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
