New Results on Impossible Differential Cryptanalysis of Reduced AES
State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, Beijing 100049, P.R. China [email protected] 2 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080, P.R. China {wwl,feng}@is.iscas.ac.cn
Abstract. In this paper, we present some new results on impossible differential cryptanalysis of reduced AES, which update the best known impossible differential attacks on reduced AES. First, we present some new attacks on 6-round AES (for all three key lengths). Second, we extend to 7-round AES, also for all three key variants. In particular, for 128-bit keys, the best known results attack up to 7 rounds using the square attack and the collision attack respectively, but their complexities are both marginal in either data or time (i.e., they require nearly the entire codebook, or come close to exhaustive key search). In this sense, our attack is the first non-marginal one on 7-round AES with 128-bit keys. Third, we extend to 8 rounds for 256-bit keys, which is also non-marginal compared with the best non-related-key attacks so far. Finally, we give an improvement of the 7-round attack for 192-bit keys in R.C.W. Phan's paper, which greatly reduces the time complexity.

Keywords: AES, cryptanalysis, impossible differentials.
1 Introduction
AES [1] supports a 128-bit block size with three different key lengths (128, 192, and 256 bits), which are denoted as AES-128, AES-192 and AES-256 respectively; we write AES for all three variants. Ever since the selection of AES, its security has drawn much attention from cryptology researchers worldwide. Because of the importance of AES, it is necessary to constantly reevaluate its security under various cryptanalytic techniques. In this paper, we study the security of AES against impossible differential attack.

Impossible differential attacks [2] use differentials that hold with probability 0 (i.e., non-existing differentials) to eliminate wrong key material and leave the right key candidate. There have been several impossible differential attacks on AES [3,4,5]. In [3], E. Biham and N. Keller present an impossible differential attack on 5-round AES-128 using some 4-round impossible differentials. Later, in [4], J.H. Cheon et al. improved the attack to 6-round AES-128. Note that the attacks in the above two papers did not exploit the key schedule, so the same attacks also apply to AES-192 and AES-256. In [5], R.C.W. Phan gave attacks on 7-round AES-192 and AES-256 exploiting weaknesses in the key schedule. From this we can see that the best impossible differential attack on AES-128 reached up to 6 rounds [4], and on AES-192 and AES-256 both up to 7 rounds [5].

In this paper, we present some new results on impossible differential cryptanalysis of AES. First, we present some new attacks on 6-round AES, whose complexity is reduced significantly compared

W. Zhang, W. Wu, and D. Feng. In: K.-H. Nam and G. Rhee (Eds.): ICISC 2007, LNCS 4817, pp. 239–250, 2007. © Springer-Verlag Berlin Heidelberg 2007