You are looking at a specific version 20190604:090617 of this paper.

Paper 2018/182

Rigorous Analysis of Truncated Differentials for 5-round AES

Lorenzo Grassi and Christian Rechberger

Abstract

Since the development of cryptanalysis of AES and AES-like constructions in the late 1990s, the set of inputs (or a subset of it) which differ only in one diagonal has had special importance. It appears in various (truncated) differential, integral, and impossible differential attacks, among others. In this paper we present new techniques to analyze this special set of inputs, and report on new properties. In cryptanalysis, statements about the probability distribution of output differences are of interest. Until recently such statements were only possible for up to 4 rounds of AES (with many results over the last two decades), and the only property described for 5 rounds is the multiple-of-8 property (Eurocrypt 2017). On the other hand, our understanding of this property is far from complete: e.g., does this property influence the average number of output pairs that lie in a particular subspace (i.e. the mean) and/or other probabilistic parameters? Here we answer these questions by considering, more generally, the probability distribution of the number of different pairs of corresponding ciphertexts that lie in certain subspaces after 5 rounds. The variance of such a distribution is shown to be higher than for a random permutation, which follows immediately from the Eurocrypt 2017 result. Surprisingly, the mean of the distribution is also significantly different from random, something which cannot be explained by the multiple-of-8 property. To show this, a new approach is developed. For a rigorous proof, we need an APN-like assumption on the S-Box which closely resembles the AES S-Box.

Note: The paper has been completely re-written. In this new version, we mainly focus on the probability distribution for 5-round AES (rather than on the possibility of setting up new 5-round distinguishers), which is described in detail in the new Theorem 2 (Sect. 4). At the same time, more practical tests have been carried out in order to support our distinguishers. Previous claims about the normal approximation have been removed (in this new version, such an approximation is exploited only in order to set up the distinguisher based on the mean). Finally, a new section with a complete list of open problems has been added.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
AES, Truncated-Differential Cryptanalysis, Distinguisher, Attack
Contact author(s)
lorenzo grassi @ iaik tugraz at
History
2022-04-25: last of 6 revisions
2018-02-14: received
Short URL
https://ia.cr/2018/182
License
Creative Commons Attribution
CC BY