Cryptology ePrint Archive: Report 2017/832

New Approaches for Distinguishers and Attacks on round-reduced AES

Lorenzo Grassi

Abstract: At Eurocrypt 2017 the first secret-key distinguisher for 5-round AES has been presented. Although it allows to distinguish a random permutation from an AES-like one, it seems (rather) hard to exploit such a distinguisher in order to implement a key-recovery attack different than brute-force like. In this paper, we propose new secret-key distinguishers for 4 and 5 rounds of AES that exploit properties which are independent of the secret key and of the details of the S-Box. While the 4-round distinguisher exploits in a different way the same property presented at Eurocrypt 2017, the new proposed 5-round ones are obtained by combining our new 4-round distinguisher with a modified version of a truncated differential distinguisher. As a result, while a "classical" truncated differential distinguisher exploits the probability that a couple of texts satisfies or not a given differential trail independently of the others couples, our distinguishers work with sets of N >> 1 (related) couples of texts. In particular, our new 5-round AES distinguishers exploit the fact that such sets of texts satisfy some properties with a different probability than a random permutation.

Even if such 5-round distinguishers have higher complexity than the one present in the literature, one of them can be used as starting point to set up the first key-recovery attack on 6-round AES that exploits directly a 5-round secret-key distinguisher. The goal of this paper is indeed to present and explore new approaches, showing that even a distinguisher like the one presented at Eurocrypt - believed to be hard to exploit - can be used to set up a key-recovery attack.

Category / Keywords: AES - Secret-Key Distinguisher - Key-Recovery Attack - Truncated Differential - Subspace Trail Cryptanalysis

Date: received 30 Aug 2017, last revised 15 Nov 2017

Contact author: lorenzo grassi at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Note: - New proof of the proposed distinguishers using the super-Sbox notation - 2 new secret-key distinguishers for 5-round AES which are independent of the secret key - Re-organization of the paper (attacks on AES with a single secret S-Box moved to a different paper) - New practical results

Version: 20171115:141007 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]