## Cryptology ePrint Archive: Report 2019/652

The Exchange Attack: How to Distinguish 6 Rounds of AES with $2^{88.2}$ chosen plaintexts

Navid Ghaedi Bardeh and Sondre Rønjom

Abstract: In this paper we present exchange equivalence attacks which is a cryptanalytic attack technique suitable for SPN-like block cipher designs. Our new technique results in a secret-key chosen plaintext distinguisher for 6-round AES. The complexity of the distinguisher is about $2^{88.2}$ in terms of data, memory and computational complexity. The distinguishing attack for AES reduced to 6 rounds is a straight-forward extension of an exchange attack for 5-round AES that requires about $2^{30}$ in terms of chosen plaintexts and computation. This is also a new record for AES reduced to 5 rounds. The main result of this paper is that AES up to at least 6 rounds is biased when restricted to exchange invariant sets of plaintexts.

Category / Keywords: secret-key cryptography / SPN, AES, Exchange Equivalence Attacks, Exchange Invariant Sets, Exchange Equivalence Class, Secret-Key model, Difference Cryptanalysis