Related-Key Differential Analysis of the AES

Christina Boura, Patrick Derbez, Margot Funk
DOI: 10.46586/tosc.v2023.i4.215-243 (https://doi.org/10.46586/tosc.v2023.i4.215-243)
Journal: IACR Transactions on Symmetric Cryptology
Publication date: 2023-12-08
Publication type: Journal Article

Abstract

The Advanced Encryption Standard (AES) is considered to be the most important and widely deployed symmetric primitive. While the cipher was designed to be immune to differential and other classical attacks, this immunity does not hold in the related-key setting, and various related-key attacks have appeared over time. This work presents tools and algorithms to search for related-key distinguishers and attacks of a differential nature against the AES. First, we propose two entirely different approaches to find optimal truncated differential characteristics and bounds on the minimum number of active S-boxes for all variants of the AES. In the first approach, we propose a simple MILP model that handles linear inconsistencies with respect to the AES system of equations better and that compares particularly well to previous tool-based approaches to this problem. The main advantage of this tool is that it can easily be used as the core algorithm to search for any attack on AES exploiting related-key differentials. Then, we design a fast and low-memory algorithm based on dynamic programming that has a very simple complexity analysis and does not depend on any generic solver. This second algorithm gives useful insight into the related-key differential search problem for AES and shows that the search space is not as big as one would expect. Finally, we build on top of our MILP model a fully automated tool to search for the best differential MITM attacks against the AES. We apply our tool to AES-256 and find an attack on 13 rounds with only two related keys. This attack can be seen as the best known cryptanalysis against this variant if only two related keys are permitted.
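The "minimum number of active S-boxes" problem the abstract refers to, in its simplest single-key form, as an added example that is not the authors' MILP or dynamic-programming tool. It uses the standard byte-level truncated model of AES (ShiftRows permutes the active-byte pattern, MixColumns obeys the MDS branch number 5) and computes the exact minimum over all truncated characteristics by a dynamic program that processes MixColumns one column at a time, so each of the 2^16 states is relaxed over at most 16 candidates rather than over all 2^16 predecessors. The 1-4-16-4-1 characteristic `EXAMPLE_26` is constructed here to show that the 5-round bound is tight. The related-key setting studied in the paper additionally tracks differences through the key schedule, where AddRoundKey can cancel state differences; that is what makes the search harder and is not modelled in this example.

```python
"""Exact minimum number of active S-boxes for single-key truncated
differential characteristics of the AES (dynamic programming).

Truncated model: a state is a 16-bit pattern, bit (row + 4*col) set when
that byte carries a non-zero difference.  SubBytes/AddRoundKey keep the
pattern (single key: no difference from the key schedule), ShiftRows
permutes it, and MixColumns (MDS, branch number 5) turns a column with
k > 0 active inputs into any column with j >= 5 - k active outputs.
Every active byte entering SubBytes counts as one active S-box.
"""

INF = float("inf")


def popcount(x: int) -> int:
    return bin(x).count("1")


def column(p: int, c: int) -> int:
    """Nibble of column c of pattern p (bit r of the nibble = row r)."""
    return (p >> (4 * c)) & 0xF


def shift_rows(p: int) -> int:
    """Truncated ShiftRows: the byte at (r, c) moves to (r, (c - r) mod 4)."""
    q = 0
    for c in range(4):
        for r in range(4):
            if (p >> (r + 4 * c)) & 1:
                q |= 1 << (r + 4 * ((c - r) % 4))
    return q


def mix_column_ok(nib_in: int, nib_out: int) -> bool:
    """Branch-number rule of MixColumns for one column."""
    if nib_in == 0:
        return nib_out == 0
    return nib_out != 0 and popcount(nib_in) + popcount(nib_out) >= 5


# Precomputed tables: ShiftRows on every pattern, and for every output
# nibble the input nibbles MixColumns could have mapped to it.
SR_TABLE = [shift_rows(p) for p in range(1 << 16)]
PREIMAGES = [[s for s in range(16) if mix_column_ok(s, t)] for t in range(16)]


def min_active_sboxes_per_round(max_rounds: int) -> list:
    """Return [m_1, ..., m_max_rounds], m_r = exact minimum number of active
    S-boxes over all r-round single-key truncated characteristics."""
    # dp[x] = fewest active S-boxes so far for a characteristic whose
    # current round-input pattern is x; the all-zero pattern is excluded.
    dp = [popcount(x) if x else INF for x in range(1 << 16)]
    mins = [int(min(dp))]
    for _ in range(max_rounds - 1):
        # ShiftRows is a permutation of patterns: g[SR(x)] = dp[x].
        g = [INF] * (1 << 16)
        for x in range(1 << 16):
            g[SR_TABLE[x]] = dp[x]
        # MixColumns, one column at a time.  After handling column c the
        # index of g holds output nibbles for columns <= c and still input
        # nibbles for columns > c, so each entry is minimised over at most
        # 16 predecessors instead of enumerating all 2^16 x 2^16 transitions.
        for c in range(4):
            shift = 4 * c
            mask = ~(0xF << shift)
            h = [INF] * (1 << 16)
            for p in range(1 << 16):
                base = p & mask
                h[p] = min(g[base | (s << shift)]
                           for s in PREIMAGES[(p >> shift) & 0xF])
            g = h
        # Entering the next round: the new pattern's active bytes hit SubBytes.
        dp = [g[y] + popcount(y) for y in range(1 << 16)]
        mins.append(int(min(dp)))
    return mins


def is_truncated_characteristic(states) -> bool:
    """Check that consecutive round-input patterns obey ShiftRows followed by
    the MixColumns branch-number rule, and that the characteristic is non-trivial."""
    if not states or states[0] == 0:
        return False
    for x, y in zip(states, states[1:]):
        z = shift_rows(x)
        if not all(mix_column_ok(column(z, c), column(y, c)) for c in range(4)):
            return False
    return True


def active_sboxes(states) -> int:
    return sum(popcount(x) for x in states)


# Constructed 5-round characteristic of shape 1-4-16-4-1: one active byte,
# a full column, the whole state, the main diagonal (bytes (r, r)), one byte.
EXAMPLE_26 = [0x0001, 0x000F, 0xFFFF, 0x8421, 0x0001]

if __name__ == "__main__":
    print("min active S-boxes, rounds 1..5:", min_active_sboxes_per_round(5))
    print("1-4-16-4-1 characteristic valid:", is_truncated_characteristic(EXAMPLE_26),
          "active S-boxes:", active_sboxes(EXAMPLE_26))
```

The bounds this reproduces (1, 5, 9, 25, 26 for one to five rounds) are the classical single-key wide-trail figures; with a key-schedule difference the same DP no longer applies, because the state pattern after AddRoundKey depends on whether the round-key difference cancels or creates active bytes, which is exactly the extra search space the paper's tools handle.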