Paper 2009/242

Examples of differential multicollisions for 13 and 14 rounds of AES-256

Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić

Abstract

Here we present practical differential $q$-multicollisions for AES-256, which can be tested on any implementation of AES-256. In our paper "Distinguisher and Related-Key Attack on the Full AES-256" $q$-multicollisions are found with complexity $q\cdot 2^{67}$. We relax conditions on the plaintext difference $\Delta_P$ allowing some bytes to vary and find multicollisions for 13 and 14 round AES with complexity $q\cdot 2^{37}$. Even with the relaxation there is still a large complexity gap between our algorithm and the lower bound that we have proved in Lemma 1. Moreover we believe that in practice finding even two fixed-difference collisions for a good cipher would be very challenging.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
AESchosen key distinguisher
Contact author(s)
khovratovich @ gmail com
History
2009-05-30: received
Short URL
https://ia.cr/2009/242
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2009/242,
      author = {Alex Biryukov and Dmitry Khovratovich and Ivica Nikolić},
      title = {Examples of differential multicollisions for 13 and 14 rounds of AES-256},
      howpublished = {Cryptology ePrint Archive, Paper 2009/242},
      year = {2009},
      note = {\url{https://eprint.iacr.org/2009/242}},
      url = {https://eprint.iacr.org/2009/242}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.