So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. These include differential, impossible differential, and integral properties.
In this paper we describe a new structural property for up to 5 rounds of AES, differential in nature and which is independent of the secret key, of the details of the MixColumns matrix (with the exception that the branch number must be maximal) and of the SubBytes operation. It is very simple: By appropriate choices of difference for a number of input pairs it is possible to make sure that the number of times that the difference of the resulting output pairs lie in a particular subspace is always a multiple of 8.
We not only observe this property experimentally (using a small-scale version of AES), we also give a detailed proof as to why it has to exist. As a first application of this property, we describe a way to distinguish the 5-round AES permutation (or its inverse) from a random permutation with only $2^{32}$ chosen texts that has a computational cost of $2^{35.6}$ look-ups into memory of size $2^{36}$ bytes which has a success probability greater than 99%.
Category / Keywords: Block cipher, Permutation, AES, Secret-Key Distinguisher Original Publication (with major differences): IACR-EUROCRYPT-2017 Date: received 13 Feb 2017, last revised 22 Feb 2017 Contact author: lorenzo grassi at iaik tugraz at Available format(s): PDF | BibTeX Citation Version: 20170222:111519 (All versions of this report) Short URL: ia.cr/2017/118 Discussion forum: Show discussion | Start new discussion