Cryptology ePrint Archive: Report 2019/652

The Exchange Attack: How to Distinguish Six Rounds of AES with $2^{88.2}$ chosen plaintexts

Navid Ghaedi Bardeh and Sondre Rønjom

Abstract: In this paper we present exchange-equivalence attacks which is a new cryptanalytic attack technique suitable for SPN-like block cipher designs. Our new technique results in the first secret-key chosen plaintext distinguisher for 6-round AES. The complexity of the distinguisher is about $2^{88.2}$ in terms of data, memory and computational complexity. The distinguishing attack for AES reduced to six rounds is a straight-forward extension of an exchange attack for 5-round AES that requires $2^{30}$ in terms of chosen plaintexts and computation. This is also a new record for AES reduced to five rounds. The main result of this paper is that AES up to at least six rounds is biased when restricted to exchange-invariant sets of plaintexts.

Category / Keywords: secret-key cryptography / SPN, AES, Exchange Equivalence Attacks, Exchange Invariant Sets, Exchange Equivalence Class, Secret-Key model, Differential Cryptanalysis

Original Publication (in the same form): IACR-ASIACRYPT-2019

Date: received 3 Jun 2019, last revised 14 Sep 2019

Contact author: Navid bardeh at uib no

Available format(s): PDF | BibTeX Citation

Version: 20190914:081818 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]