Abstract

AES is the most widely used symmetric cipher. Many cryptographic primitives are designed following the structure of AES, called AES-like ciphers. Mixture differential cryptanalysis is a structural cryptanalysis technique for AES, which gave the best key recovery attack on 5-round AES in the chosen-plaintext setting and attacks with practical data and memory complexities on round-reduced AES. In this paper, we study the mixture differential attacks on 6 rounds of AES-like ciphers, and propose two improved attacks towards optimizing time and data complexities respectively. As an application to AES, we give the improved mixture differential attack on 6 rounds of AES-128 with time complexity $2^{62.74}$, reducing by a factor of $2^{10.26}$ compared with the previous mixture differential attack. For low data complexity, we show the improved 6-round mixture differential attack on AES-128 with data complexity $2^{24.05}$, reducing by a factor of about 4. We also apply the two attacks to 6 super-rounds of Saturnin, one of the second-round candidates in the NIST lightweight cryptography standardization process, which is the first security evaluation of Saturnin against mixture differential cryptanalysis.
