**Rigorous Analysis of Truncated Differentials for 5-round AES**

*Lorenzo Grassi and Christian Rechberger*

**Abstract: **Since the development of cryptanalysis of AES and AES-like constructions in the late 1990s, the set of inputs (or a subset of it) which differ only in one diagonal has special importance. It appears in various (truncated) differential, integral, and
impossible differential attacks, among others.

In this paper we present new techniques to analyze this special set of inputs, and report on new properties. In cryptanalysis, statements about the probability distribution of output differences are of interest. Until recently such statements were only possible for up to 4 rounds of AES (many results since two decades), and the only property described for 5 rounds is the multiple-of-8 property (Eurocrypt 2017). On the other hand, our understanding of this property is far from complete: e.g. does this property influence the average number of output pairs that lie in a particular subspace (i.e. the mean) and/or other probabilistic parameters?

Here we answer these questions by considering more generally the probability distribution of the number of different pairs of corresponding ciphertexts that lie in certain subspaces after 5 rounds. The variance of such a distribution is shown to be higher than for a random permutation, which immediately follows from the Eurocrypt 2017 result. Surprisingly, also the mean of the distribution is significantly different from random, something which cannot be explained by the multiple-of-8 property. To show this, a new approach is developed. For a rigorous proof of it, we need an APN-like assumption on the S-Box which closely resembles the AES-Sbox.

**Category / Keywords: **secret-key cryptography / AES, Truncated-Differential Cryptanalysis, Distinguisher/Attack

**Date: **received 14 Feb 2018, last revised 4 Jun 2019

**Contact author: **lorenzo grassi at iaik tugraz at

**Available format(s): **PDF | BibTeX Citation

**Note: **The paper has been completely re-written.

In this new version, we mainly focus on the probabilistic distribution for 5-round AES (rather than on possibility to set up new 5-round distinguishers), which is described in details in the new Theorem 2 - Sect. 4.

At the same time, more practical tests in order to support our distinguishers have been done. Previous claims about the normal approximation have been removed (in this new version, such an approximation is exploited only in order to set up the distinguisher based on the mean).

Finally, a new section with a complete list of open problems have been added.

**Version: **20190604:090617 (All versions of this report)

**Short URL: **ia.cr/2018/182

[ Cryptology ePrint archive ]