Statistical Integral Distinguisher with Multi-structure and Its Application on AES

Abstract

Advanced Encryption Standard (AES), published by NIST, is widely used in data encryption algorithms, hash functions, authentication encryption schemes and so on. Studying distinguishing attacks on (reduced round) AES can help designers and cryptanalysts to evaluate the security of target ciphers. Since integral attack is one of the most powerful tool in the field of symmetric ciphers, in this paper, we evaluate the security of AES by integral cryptanalysis. Firstly we put forward a new statistical integral distinguisher with multiple structures on input and integral properties on output, which enables us to reduce the data complexity comparing to the traditional integral distinguishers under multiple structures. As illustrations, we propose a secret-key distinguisher on 5-round AES with secret S-box under chosen-ciphertext mode. Its data, time and memory complexities are \(2^{114.32}\) chosen ciphertexts, \(2^{110}\) encryptions and \(2^{33.32}\) blocks. This is the best integral distinguisher on AES with secret S-box under secret-key setting so far. Then we present improved known-key distinguishers on 8-round and full 10-round AES-128 with reduced complexities based on Gilbert’s work at ASIACRYPT’14. These distinguishers are the best ones according to the time complexity. Moreover, the proposed statistical integral model could be used to proceed known-key distinguishing attacks on other AES-like ciphers.

A Appendix

1.1 A.1 Experiment Results

In order to verify the theoretical model of statistical integral distinguisher in Sect. 3, we implement the distinguishing attack in Sect. 5 on a mini variant of AES with the block size 64-bit denoted as AES* here. The round function of AES* is similar to that of AES, including four operations, i.e., SB, SR, MC and AK. 64-bit block is partitioned into 16 nibbles and SB uses S-box \(S_0\) in LBlock. SR is same as that of AES, and the matrix used in MC is

$$\begin{aligned} M=\begin{pmatrix} 1&{}1&{}4&{}9\\ 9&{}1&{}1&{}4\\ 4&{}9&{}1&{}1\\ 1&{}4&{}9&{}1 \end{pmatrix}, \end{aligned}$$

which is defined over \(GF(2^4)\). For the multiplication, each nibble and value in M are considered as a polynomial over GF(2) and then the nibble is multiplied modulo \(x^4+x+1\) by the value in M. The addition is simply XOR operation. The subkeys are XORed with the nibbles in AK operation.

There is similar known-key integral distinguisher for 8-round AES* since its similarity to AES, see Fig. 1. Given a set of data \(\mathcal {Z}=\{(x,0,0,0) \oplus R(y,0,0,0)|x\in (0,1)^{16}\}\) for fixed y, i.e., the first column of \(\mathcal {Z}\) takes all \(2^{16}\) possible values and other columns are fixed to some constants, after \(S\diamond R\diamond S\) operation, each column of output u is active, i.e. that \(2^{16}\) values are uniformly distributed on each column of output. Since \(R^{-1}(\mathcal {Z})=\{R^{-1}((x,0,0,0)\oplus (y,0,0,0))\}\) has \(2^{16}\) structures that each one takes all \(2^{16}\) possible values on the first columns and constants on other columns, after \((S\diamond R\diamond S)^{-1}\) operation, each column of output u is active.

Fig. 4.

Experimental results for AES* considering four input bytes. In detail, set the value of \(\alpha _0\) and change the values of N and \(N_s\), the theoretical and empirical \(\alpha _0\) are shown in the left part of figure, corresponding \(\alpha _1\) calculated and tested by Eq. (5) are shown in the right part of figure.

In our experiment, we consider the distributions of four 8-bit values in v including the first and second nibble in each column of v. Here \(s=16, t=8\) and \(b=4\). If we set \(\alpha _0=0.2\) and take different values for N and \(N_s\), \(\alpha _1\) and \(\tau \) can be computed using Eq. (8). By randomly choosing \(N_s\) values for y and N values for x, we proceed the experiment to compute the statistics \(C'\) for AES* and random permutations. With 2000 times of experiments, we can obtain the empirical error probabilities \(\widehat{\alpha _0}\) and \(\widehat{\alpha _1}\). The experimental results for \(\widehat{\alpha _0}\) and \(\widehat{\alpha _1}\) are compared with the theoretical values \(\alpha _0\) and \(\alpha _1\) in Fig. 4.

Fig. 5.

Experimental results for AES* considering two input and output bytes. In detail, set the theoretical \(\alpha _0=0.2\) and change the values of N, then the corresponding theoretical \(\alpha _1\) and empirical \(\alpha _0\) and \(\alpha _1\) are calculated and tested by Eq. (5) in this figure

Moreover, we implement the second experiment where we set \(b=4\) including two bytes of u and two bytes of v. We set \(\alpha _0=0.2\) and let \(N=N_s\), the empirical error probabilities are obtained from 1000 times of experiments. The experimental results for \(\widehat{\alpha _0}\) and \(\widehat{\alpha _1}\) are compared with the theoretical values \(\alpha _0\) and \(\alpha _1\) in Fig. 5.

Figures 4 and 5 show that the test results for the error probabilities are in good accordance with those for theoretical model.