Faster Chosen-Key Distinguishers on Reduced-Round AES
نویسندگان
چکیده
In this paper, we study the AES block cipher in the chosen-key setting. The adversary’s goal of this security model is to find triplets (m,m′, k) satisfying some properties more efficiently for the AES scheme than generic attacks. It is a restriction of the classical chosen-key model, since as it has been defined originally, differences in the keys are possible. This model is related to the known-key setting, where the adversary receives a key k, and tries to find a pair of messages (m,m′) that has some property more efficiently than generic attacks. Both models have been called open-key model in the literature and are interesting for the security of AES-based hash functions. Here, we show that in the chosen-key setting, attacking seven rounds (resp. eight rounds) of AES-128 can be done in time and memory 2 (resp. 2) while the generic attack would require 2 computations as a variant of the birthday paradox can be used to predict the generic complexity. We have checked our results experimentally and we extend them to distinguisers of AES-256.
منابع مشابه
New Insights on AES-Like SPN Ciphers
It has been proved in Eurocrypt 2016 by Sun et al. that if the details of the S-boxes are not exploited, an impossible differential and a zero-correlation linear hull can extend over at most 4 rounds of the AES. This paper concentrates on distinguishing properties of AES-like SPN ciphers by investigating the details of both the underlying S-boxes and the MDS matrices, and illustrates some new i...
متن کاملTotal break of Zorro using linear and differential attacks
An AES-like lightweight block cipher, namely Zorro, was proposed in CHES 2013. While it has a 16-byte state, it uses only 4 S-Boxes per round. This weak nonlinearity was widely criticized, insofar as it has been directly exploited in all the attacks on Zorro reported by now, including the weak key, reduced round, and even full round attacks. In this paper, using some properties discovered by Wa...
متن کاملMixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES
At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems (rather) hard to exploit such a distinguisher in order to implement a key-recovery attack different than brute-force like. In this paper we introduce “Mixture Differential Cryptanalysis”, a new technique to set up new secr...
متن کاملNew and Old Limits for AES Known-Key Distinguishers
Known-key distinguishers have been introduced by Knudsen and Rijmen in 2007 to better understand the security of block ciphers in situations where the key can not be considered to be secret, i.e. the “thing between secret-key model and hash function use-cases”. AES is often considered as a target of such analyses, simply because AES or its building blocks are used in many settings that go beyon...
متن کاملA Simplified Representation of AES
We show that the so-called super S-box representation of AES – that provides a simplified view of two consecutive AES rounds – can be further simplified. In the untwisted representation of AES presented here, two consecutive AES rounds are viewed as the composition of a non-linear transformation S and an affine transformation R that respectively operate on the four 32-bit columns and on the fou...
متن کامل