Paper 2013/366

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Pierre-Alain Fouque, Jérémy Jean, and Thomas Peyrin

Abstract

While the symmetric-key cryptography community now has good experience in how to build a secure and efficient fixed permutation, it remains an open problem how to design a key schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural analysis, we show that the full AES-128 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-Box differential properties are taken into account, since its structure is vulnerable to a related-key differential attack. We then exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds, which solves an open problem of the symmetric-key community. We obtain these results by revisiting algorithmic theory and graph-based ideas to compute all the best differential characteristics in SPN ciphers, with a special focus on AES-like ciphers subject to related keys. We use a variant of Dijkstra's algorithm to find the most efficient related-key attacks on SPN ciphers with an algorithm linear in the number of rounds.

Note: Correction of typos.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2013
DOI
10.1007/978-3-642-40041-4_11
Keywords
SPN, Block Cipher, AES, Related-Key, Chosen-Key
Contact author(s)
Jeremy Jean @ ens fr
History
2015-05-11: revised
2013-06-10: received
Short URL
https://ia.cr/2013/366
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/366,
      author = {Pierre-Alain Fouque and Jérémy Jean and Thomas Peyrin},
      title = {Structural Evaluation of {AES} and Chosen-Key Distinguisher of 9-round {AES}-128},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/366},
      year = {2013},
      doi = {10.1007/978-3-642-40041-4_11},
      url = {https://eprint.iacr.org/2013/366}
}