TY - GEN
T1 - A new structural-differential property of 5-round AES
AU - Grassi, Lorenzo
AU - Rechberger, Christian
AU - Rønjom, Sondre
PY - 2017
Y1 - 2017
N2 - AES is probably the most widely studied and used block cipher. Also versions with a reduced number of rounds are used as a building block in many cryptographic schemes, e.g. several candidates of the SHA-3 and CAESAR competition are based on it. So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. These include differential, impossible differential, and integral properties. In this paper we describe a new structural property for up to 5 rounds of AES, differential in nature and which is independent of the secret key, of the details of the MixColumns matrix (with the exception that the branch number must be maximal) and of the SubBytes operation. It is very simple: By appropriate choices of difference for a number of input pairs it is possible to make sure that the number of times that the difference of the resulting output pairs lies in a particular subspace is always a multiple of 8. We not only observe this property experimentally (using a small-scale version of AES), we also give a detailed proof as to why it has to exist. As a first application of this property, we describe a way to distinguish the 5-round AES permutation (or its inverse) from a random permutation with only 2^32 chosen texts that has a computational cost of 2^35.6 lookups into memory of size 2^36 bytes which has a success probability greater than 99%.
AB - AES is probably the most widely studied and used block cipher. Also versions with a reduced number of rounds are used as a building block in many cryptographic schemes, e.g. several candidates of the SHA-3 and CAESAR competition are based on it. So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. These include differential, impossible differential, and integral properties. In this paper we describe a new structural property for up to 5 rounds of AES, differential in nature and which is independent of the secret key, of the details of the MixColumns matrix (with the exception that the branch number must be maximal) and of the SubBytes operation. It is very simple: By appropriate choices of difference for a number of input pairs it is possible to make sure that the number of times that the difference of the resulting output pairs lies in a particular subspace is always a multiple of 8. We not only observe this property experimentally (using a small-scale version of AES), we also give a detailed proof as to why it has to exist. As a first application of this property, we describe a way to distinguish the 5-round AES permutation (or its inverse) from a random permutation with only 2^32 chosen texts that has a computational cost of 2^35.6 lookups into memory of size 2^36 bytes which has a success probability greater than 99%.
KW - AES
KW - Block cipher
KW - Permutation
KW - Secret-key distinguisher
UR - http://www.scopus.com/inward/record.url?scp=85018687641&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-56614-6_10
DO - 10.1007/978-3-319-56614-6_10
M3 - Conference paper
AN - SCOPUS:85018687641
SN - 9783319566139
VL - 10211 LNCS
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 289
EP - 317
BT - Advances in Cryptology – EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
PB - Springer Verlag Wien
ER -