### Abstract

In this work, we present new low-data secret-key distinguishers and key-recovery attacks on reduced-round AES.

The starting point of our work is "Mixture Differential Cryptanalysis" recently introduced at FSE/ToSC 2019, a way to turn the "multiple-of-8" 5-round AES secret-key distinguisher presented at Eurocrypt 2017 into a simpler and more convenient one (though, on a smaller number of rounds). By reconsidering this result on a smaller number of rounds, we present as our main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (that does not require adaptive chosen plaintexts/ciphertexts), i.e., approximately half of the data necessary to set up a 3-round truncated differential distinguisher (which is currently the distinguisher in the literature with the lowest data complexity). For a success probability of 95%, our distinguisher requires just 10 chosen plaintexts versus 20 chosen plaintexts necessary to set up the truncated differential one.

Besides that, we present new competitive low-data key-recovery attacks on 3- and 4-round AES, both in the case in which the S-box is known and in the case in which it is secret.

Original language | English |
---|---|
Title of host publication | INDOCRYPT 2020 |
Publisher | Springer |
Publication status | Accepted/In press - 2020 |

### Keywords

- AES
- Mixture Differential Cryptanalysis
- Secret-Key Distinguisher
- Low-Data Attack
- Secret S-Box

## Cite this

Grassi, L., & Schofnegger, M. (Accepted/In press). Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box. In *INDOCRYPT 2020*. Springer.