Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities

@article{BarOn2019ImprovedKR,
  title={Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities},
  author={Achiya Bar-On and Orr Dunkelman and Nathan Keller and Eyal Ronen and Adi Shamir},
  journal={Journal of Cryptology},
  year={2019},
  volume={33},
  pages={1003-1043}
}
Determining the security of AES is a central problem in cryptanalysis, but progress in this area had been slow and only a handful of cryptanalytic techniques led to significant advancements. At Eurocrypt 2017 Grassi et al. presented a novel type of distinguisher for AES-like structures, but so far all the published attacks which were based on this distinguisher were inferior to previously known attacks in their complexity. In this paper we combine the technique of Grassi et al. with several… 

Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

TLDR
This work presents as its main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature (among distinguishers that do not require adaptive chosen plaintexts/ciphertexts), namely approximately half of the data necessary to set up a 3-round truncated differential distinguisher.

Practical Attacks on Reduced-Round AES

TLDR
This paper presents a practical key-recovery attack on 5-round AES with a secret S-box that requires 2^{32} adaptively chosen ciphertexts, which is as far as the authors know a new record.

An Efficient Parallel Implementation of Impossible-Differential Cryptanalysis for Five-Round AES-128

TLDR
This paper reports the parallel implementation of the impossible-differential cryptanalysis of five-round AES-128, originally proposed by Biham and Keller, and proposes an improvement of the attack by exploiting data and task parallelism.

Extended Expectation Cryptanalysis on Round-reduced AES

TLDR
The present work applies expectation-based distinguishers from a sum of PRPs to round-reduced AES, showing how to extend the well-known 3-round integral distinguisher to expectation distinguishers over 4 and 5 rounds and demonstrating how the prepended round can be used for key recovery.

Extended Truncated-differential Distinguishers on Round-reduced AES

TLDR
The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds and how the prepended round can be integrated to form a six-round distinguisher.

Structure Evaluation of AES-like Ciphers against Mixture Differential Cryptanalysis

TLDR
A new structure called a boomerang structure is proposed, and it is shown that mixture differential cryptanalysis is not suited to AES-like ciphers with a large number of rounds; it can be deduced directly from the framework that there is no mixture differential distinguisher for 6-round AES.

Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES

  • Lorenzo Grassi
  • Mathematics, Computer Science
    IACR Cryptol. ePrint Arch.
  • 2017
TLDR
This paper introduces “Mixture Differential Cryptanalysis” on round-reduced AES-like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds).
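
The entries on this page refer to two probability-1 structural properties of round-reduced AES without spelling them out: the 3-round integral distinguisher (the "well-known" one that the expectation and truncated-differential entries extend) and Grassi's 4-round mixture differential, which the Bar-On et al. paper at the top of the page builds on. The following Python script is an added example written for this page; it is not code from any of the listed papers. It assumes a column-major 16-byte state (index r + 4*c), uses random round keys in place of the key schedule (both properties hold for every key), and the helper names `encrypt_rounds`, `in_M`, `integral_sum`, `mixture_diffs` and `demo` are its own. The subspace names C_0, D_J, ID_J and M_J follow the column / diagonal / inverse-diagonal / mixed-column convention of Grassi et al.

```python
"""Added example (not code from any of the listed papers): a compact AES round
function used to check two probability-1 properties the entries above rely on.
  * 3-round integral (Square) distinguisher: 256 plaintexts taking every value
    in byte 0 and constant elsewhere XOR to zero in every byte after 3 rounds.
  * Grassi's 4-round mixture differential: for p1, p2 that differ only in
    column 0 and a mixture p3, p4 (column-0 bytes exchanged between p1 and p2),
    R^2(p1) ^ R^2(p2) == R^2(p3) ^ R^2(p4) exactly; a 2-round difference is in
    D_J iff the 4-round difference is in M_J, so both pairs hit M_J together.
Both hold for every key, so random round keys stand in for the key schedule.
State is column-major: byte index r + 4*c for row r, column c."""
import operator
import os
from functools import reduce


def _build_sbox():
    """AES S-box from the GF(2^8) inverse and the affine map (FIPS-197 5.1.1)."""
    sbox, p, q = [0] * 256, 1, 1
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xff
    while True:                                   # invariant: p * q == 1
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff  # p *= 3
        q = (q ^ (q << 1)) & 0xff                               # q /= 3
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                # 0 has no inverse
    return sbox


SBOX = _build_sbox()
MC_ROW, INV_MC_ROW = (2, 3, 1, 1), (14, 11, 13, 9)


def gmul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1b) & 0xff if a & 0x80 else a << 1
        b >>= 1
    return r


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def shift_rows(state):
    """Row r rotates left by r: byte (r, c + r) moves to (r, c)."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state, row=MC_ROW):
    """Multiplies every column by the circulant matrix with first row `row`."""
    out = [0] * 16
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            out[r + 4 * c] = reduce(operator.xor, (gmul(row[(i - r) % 4], col[i]) for i in range(4)))
    return out


def encrypt_rounds(pt, round_keys):
    """Full rounds (SB, SR, MC, ARK) only; a whitening key would just move the
    coset and change neither property."""
    state = list(pt)
    for rk in round_keys:
        state = xor(mix_columns(shift_rows([SBOX[b] for b in state])), rk)
    return state


def in_M(diff, J):
    """diff in M_J = MC(ID_J): after InvMixColumns only the inverse diagonals
    in J, i.e. positions with (r + c) % 4 in J, may be non-zero."""
    d = mix_columns(diff, INV_MC_ROW)
    return all(d[r + 4 * c] == 0 for c in range(4) for r in range(4) if (r + c) % 4 not in J)


def integral_sum(round_keys, base):
    """XOR of the 3-round encryptions of the 256 texts active in byte 0 only."""
    acc = [0] * 16
    for v in range(256):
        acc = xor(acc, encrypt_rounds([v] + list(base[1:]), round_keys[:3]))
    return acc


def mixture_diffs(round_keys, p1, p2, swap):
    """p3 takes p2's column-0 bytes at the rows in `swap` (p1's elsewhere), p4 the
    complement; returns R^2(p1)^R^2(p2) and R^2(p3)^R^2(p4)."""
    p3, p4 = list(p1), list(p2)
    for r in swap:
        p3[r], p4[r] = p2[r], p1[r]
    two = round_keys[:2]
    return (xor(encrypt_rounds(p1, two), encrypt_rounds(p2, two)),
            xor(encrypt_rounds(p3, two), encrypt_rounds(p4, two)))


def demo(J=(0, 1, 2)):
    """Runs every check with fresh random round keys; returns name -> bool."""
    keys = [list(os.urandom(16)) for _ in range(4)]
    base = list(os.urandom(16))
    p1, p2 = base, list(os.urandom(4)) + base[4:]            # same coset of C_0
    d12, d34 = mixture_diffs(keys, p1, p2, swap=(0, 2))
    delta = [os.urandom(1)[0] if (c - r) % 4 in J else 0     # a difference in D_J
             for c in range(4) for r in range(4)]
    return {
        "3-round integral balanced": integral_sum(keys, base) == [0] * 16,
        "mixture 2-round differences equal": d12 == d34,
        "D_J difference lands in M_J after 2 rounds":
            in_M(xor(encrypt_rounds(p1, keys[:2]), encrypt_rounds(xor(p1, delta), keys[:2])), J),
        "non-M_J difference rejected": not in_M([1] + [0] * 15, J),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The mixture check is the exact identity R^2(p1) ^ R^2(p2) = R^2(p3) ^ R^2(p4): after one round the four texts agree column by column (each column-0 byte goes through the S-box on its own and ShiftRows sends it to a different column), so the second-round S-box layer preserves the pair-wise difference and the linear layer cannot separate the pairs. The D_J to M_J trail turns that identity into the 4-round statement. Membership in M_J for |J| = 3 has probability 2^{-32} for a random pair, so the script verifies the two ingredients of the argument separately instead of waiting for a random quadruple to hit M_J.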

The Exchange Attack: How to Distinguish 6 Rounds of AES with 2^{88.2} chosen plaintexts

TLDR
The main result of this paper is that AES up to at least six rounds is biased when restricted to exchange-invariant sets of plaintexts.

Truncated Boomerang Attacks and Application to AES-based Ciphers

TLDR
A general framework for boomerang attacks with truncated differentials, which takes into account structures on the plaintext and ciphertext sides, and includes an analysis of the key recovery step, is introduced.

Mixture-Based 5-Round Physical Attack against AES: Attack Proposal and Noise Evaluation

TLDR
This paper carries the recently proposed 5-round mixture differential cryptanalysis, which is not a physical attack, over to the physical-attack setting and proposes a corresponding physical attack that uses leakage from as deep as 5 rounds.

References


Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting

In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on the Dunkelman, Keller and Shamir attacks from Asiacrypt 2010. We present the best attack on 7 rounds of

Improved "Partial Sums"-based Square Attack on AES

TLDR
It is demonstrated that the quantity of chosen plaintext-ciphertext pairs can be halved producing the same reduction in the time complexity, which is achieved by eliminating hypotheses on-the-fly when bytes in consecutive subkeys are related because of the key schedule.

Biclique Cryptanalysis of the Full AES

TLDR
This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128 with computational complexity 2^{126.1}, and key recovery methods with lower complexity for the reduced-round versions of AES not considered before.

Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES

  • Lorenzo Grassi
  • Mathematics, Computer Science
    IACR Cryptol. ePrint Arch.
  • 2017
TLDR
This paper introduces “Mixture Differential Cryptanalysis” on round-reduced AES-like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds).

Low-Data Complexity Attacks on AES

TLDR
This paper presents attacks on up to four rounds of AES that require at most three known/chosen plaintexts, and applies these attacks to cryptanalyze an AES-based stream cipher, and to mount the best known plaintext attack on six-round AES.

Mixture Differential Cryptanalysis: a New Approach to Distinguishers and Attacks on round-reduced AES

  • Lorenzo Grassi
  • Mathematics, Computer Science
    IACR Transactions on Symmetric Cryptology
  • 2018
TLDR
This paper introduces “Mixture Differential Cryptanalysis” on round-reduced AES-like ciphers, a way to translate the (complex) “multiple-of-8” 5-round distinguisher into a simpler and more convenient one (though, on a smaller number of rounds).

Yoyo Tricks with AES

TLDR
New fundamental properties of SPNs are introduced that turn out to be particularly useful in the adaptive chosen ciphertext/plaintext setting, giving for the first time key-independent yoyo distinguishers for 3 to 5 rounds of AES.

Exhausting Demirci-Selçuk Meet-in-the-Middle Attacks against Reduced-Round AES

TLDR
A way is found to automatically model SPN block ciphers and meet-in-the-middle attacks, which allows an exhaustive search over this kind of attack and automatically recovers all the recent improved attacks of Derbez, Fouque and Jean on AES.

Block Ciphers That Are Easier to Mask: How Far Can We Go?

TLDR
A detailed security analysis of this new cipher taking its design specificities into account is provided, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest).

Automatic Search of Attacks on round-reduced AES and Applications

In this paper, we describe versatile and powerful algorithms for searching guess-and-determine and meet-in-the-middle attacks on byte-oriented symmetric primitives. To demonstrate the strength of