Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

Publication: Working paper, Research

Abstract

In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES.

The starting point of our work is “Mixture Differential Cryptanalysis” recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), i.e. approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). E.g. for a probability of success of 95%, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential one.

Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-Box is known and in the case in which it is secret.

Original language: English
Publication status: Published - 2 Jul 2019

    Cite this

    @techreport{cd2b8f812bcb4768a03642c0d1cffeca,
    title = "Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box",
    abstract = "In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES. The starting point of our work is “Mixture Differential Cryptanalysis” recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), i.e. approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). E.g. for a probability of success of 95{\%}, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential one. Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-Box is known and in the case in which it is secret.",
    keywords = "AES, Mixture Differential Cryptanalysis, Secret-Key Distinguisher, Low-Data Attack, Secret S-Box",
    author = "Lorenzo Grassi and Markus Schofnegger",
    year = "2019",
    month = "7",
    day = "2",
    language = "English",
    type = "WorkingPaper",

    }

    TY - UNPB

    T1 - Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

    AU - Grassi, Lorenzo

    AU - Schofnegger, Markus

    PY - 2019/7/2

    Y1 - 2019/7/2

    N2 - In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES. The starting point of our work is “Mixture Differential Cryptanalysis” recently introduced at FSE/ToSC 2019, a way to turn the “multiple-of-8” 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), i.e. approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). E.g. for a probability of success of 95%, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential one. Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-Box is known and in the case in which it is secret.

    KW - AES

    KW - Mixture Differential Cryptanalysis

    KW - Secret-Key Distinguisher

    KW - Low-Data Attack

    KW - Secret S-Box

    M3 - Working paper

    BT - Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

    ER -