Cryptology ePrint Archive: Report 2013/366
Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128
Pierre-Alain Fouque and Jérémy Jean and Thomas Peyrin
Abstract: While the symmetric-key cryptography community now has good
experience in how to build a secure and efficient fixed permutation,
it remains an open problem how to design a key-schedule for block
ciphers, as shown by the numerous candidates broken in the related-key
model or in a hash function setting. Provable security against
differential and linear cryptanalysis in the related-key scenario is
an important step towards a better understanding of its construction.
Using a structural analysis, we show that the full AES-128 cannot be
proven secure unless the exact coefficients of the MDS matrix and the
S-Box differential properties are taken into account since its
structure is vulnerable to a related-key differential attack. We then
exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds,
which solves an open problem of the symmetric community. We obtain
these results by revisiting algorithmic theory and graph-based ideas
to compute all the best differential characteristics in SPN ciphers,
with a special focus on AES-like ciphers subject to related-keys. We
use a variant of Dijkstra's algorithm to efficiently find the most
efficient related-key attacks on SPN ciphers with an algorithm linear
in the number of rounds.
Category / Keywords: secret-key cryptography / SPN, Block Cipher, AES, Related-Key, Chosen-Key
Original Publication (with major differences): IACR-CRYPTO-2013
DOI: 10.1007/978-3-642-40041-4_11
Date: received 10 Jun 2013, last revised 11 May 2015
Contact author: Jeremy Jean at ens fr
Note: Correction of typos.
Version: 20150511:083209
Short URL: ia.cr/2013/366