Cryptology ePrint Archive: Report 2018/182

New Rigorous Analysis of Truncated Differentials for 5-round AES

Lorenzo Grassi and Christian Rechberger

Abstract: Since the development of cryptanalysis of AES and AES-like constructions in the late 1990s, the set of inputs (or a subset of it) which differ only in one diagonal has special importance. It appears in various (truncated) differential, integral, and impossible differential attacks, among others.

In this paper we present new techniques to analyze this special set of inputs, and report on new properties. In differential cryptanalysis, statements about the probability distribution of output differences, like mean or variance, are of interest. So far such statements were only possible for up to 4 rounds of AES. In this paper we consider the probabilistic distribution of the number of different pairs of corresponding ciphertexts that lie in certain subspaces after 5 rounds. We show that the following two properties (independent of any key or constant additions) hold for 5 rounds of the AES permutation:

the mean value is bigger for AES than for a random permutation;

the variance is approximately by a factor 36 higher for AES than for a random permutation.

For a large class of AES-like constructions, with an APN-like assumption on the S-Box which closely resembles the AES-Sbox, we can even give rigorous proofs of these properties. The technique we developed for that may be of independent interest.

While the distinguisher based on the variance is (almost) independent of the details of the S-Box and of the MixColumns matrix, the mean value distinguisher does depend on the details of the S-Box and may give rise to a new design criterion for S-Boxes.

To the best of our knowledge this seems to be the first time that such a precise differential analysis was performed. Practical implementations and verification confirm our analysis.

Category / Keywords: AES, Truncated-Differential Cryptanalysis, Distinguisher/Attack

Date: received 14 Feb 2018, last revised 13 Jul 2018

Contact author: lorenzo grassi at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Note: - New assumptions of the main Theorem

- New practical result (about the variance) on full scale AES

Version: 20180713:144052 (All versions of this report)

Short URL: ia.cr/2018/182

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]