Distinguisher and Related-Key Attack on the Full AES-256

Biryukov, Alex; Khovratovich, Dmitry; Nikolić, Ivica

doi:10.1007/978-3-642-03356-8_14

Cited by 227 publications

(276 citation statements)

References 16 publications

(19 reference statements)

Supporting

Mentioning

268

Contrasting

Unclassified

Order By: Relevance

“…An evasive property means in this context a property impossible to achieve with the same complexity and a non-negligible probability using oracle accesses to a random function. 4 We propose to view the permutations and compression functions based upon the generic AES construction as families of permutations (resp. functions) indexed by the parameter set I = C × SB equipped with the uniform probability distribution.…”

Section: Extended Known Key Model For the Considered Schemesmentioning

confidence: 99%

See 1 more Smart Citation

Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations

Gilbert

Peyrin

2010

Lecture Notes in Computer Science

140

213

View full text Add to dashboard Cite

Abstract. In this paper, we improve the recent rebound and start-fromthe-middle attacks on AES-like permutations. Our new cryptanalysis technique uses the fact that one can view two rounds of such permutations as a layer of big Sboxes preceded and followed by simple affine transformations. The big Sboxes encountered in this alternative representation are named Super-Sboxes. We apply this method to two second-round SHA-3 candidates Grøstl and ECHO, and obtain improvements over the previous cryptanalysis results for these two schemes. Moreover, we improve the best distinguisher for the AES block cipher in the known-key setting, reaching 8 rounds for the 128-bit version.

show abstract

Section: Extended Known Key Model For the Considered Schemesmentioning

confidence: 99%

“…a family of independent random permutations indexed by the key space, even when the key values can be chosen by an adversary. It has been recently shown that the full AES-256 does not behave as an ideal cipher due to the existence of a so-called chosen key distinguisher [4].…”

Section: Introductionmentioning

confidence: 99%

Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations

Gilbert

Peyrin

2010

Lecture Notes in Computer Science

140

213

View full text Add to dashboard Cite

show abstract

“…Since the original work of Knudsen and Biham, there have been many reported cases of successful related-key cryptanalysis [9,27,7], and notably of the Advanced Encryption Standard (AES) [10,11]. These results led to the consensual view that RKA resilience should be a standard design goal for lowlevel cryptographic primitives such as block ciphers and hash functions.…”

Section: Introductionmentioning

confidence: 99%

“…This vulnerability is relevant for practical applications of Feistel constructions, since many important cryptanalytic results such as those presented by Biryukov et al [10,11] can be described as utilizing related keys that are derived by xor-ing the original key with a constant. This in particular permits an attacker to selectively modify the secret key for the output round in a Feistel network and break the security of the construction.…”

Section: Introductionmentioning

confidence: 99%

The Related-Key Analysis of Feistel Constructions

Barbosa

Farshim

2015

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. It is well known that the classical three-and four-round Feistel constructions are provably secure under chosen-plaintext and chosen-ciphertext attacks, respectively. However, irrespective of the number of rounds, no Feistel construction can resist related-key attacks where the keys can be offset by a constant. In this paper we show that, under suitable reuse of round keys, security under related-key attacks can be provably attained. Our modification is substantially simpler and more efficient than alternatives obtained using generic transforms, namely the PRG transform of Bellare and Cash (CRYPTO 2010) and its random-oracle analogue outlined by Lucks (FSE 2004). Additionally we formalize Luck's transform and show that it does not always work if related keys are derived in an oracle-dependent way, and then prove it sound under appropriate restrictions.

show abstract

“…A classical example is the complementation property of DES which, despite being often viewed as a "benign" undesirable property, implies that DES does not behave as an ideal cipher. For AES, no such non-random properties were known until Biryukov et al [10] showed that socalled q-multicollisions can be found faster for AES-256 than for an ideal cipher. Known-key and chosen-key attacks were first put forward as an important cryptanalysis goal by Knudsen ans Rijmen [36], and have since then become an active area of research [48,27,54].…”

Section: Introductionmentioning

confidence: 99%

How to Construct an Ideal Cipher from a Small Set of Public Permutations

Lampe

Seurin

2013

Advances in Cryptology - ASIACRYPT 2013

View full text Add to dashboard Cite

Abstract. We show how to construct an ideal cipher with n-bit blocks and n-bit keys (i.e. a set of 2 n public n-bit permutations) from a small constant number of n-bit random public permutations. The construction that we consider is the single-key iterated Even-Mansour cipher, which encrypts a plaintext x ∈ {0, 1} n under a key k ∈ {0, 1} n by alternatively xoring the key k and applying independent random public n-bit permutations P1, . . . , Pr (this construction is also named a keyalternating cipher). We analyze this construction in the plain indifferentiability framework of Maurer, Renner, and Holenstein (TCC 2004), and show that twelve rounds are sufficient to achieve indifferentiability from an ideal cipher. We also show that four rounds are necessary by exhibiting attacks for three rounds or less.

show abstract

Distinguisher and Related-Key Attack on the Full AES-256

Cited by 227 publications

References 16 publications

Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations

Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations

The Related-Key Analysis of Feistel Constructions

How to Construct an Ideal Cipher from a Small Set of Public Permutations

Contact Info

Product

Resources

About