Structural attacks on block ciphers
Sondre Rønjom NSM/UiB September 2, 2017
Outline
1. Preliminaries
2. Subspaces in block ciphers
3. From subspace trails to invariant subspaces in Simpira
4. Zero-difference cryptanalysis of AES
Preliminaries: Block ciphers

[Figure: Typical design (plaintext P, round function F, round keys K0, K1, K2, ...)]  [Figure: Classical SPN]
Preliminaries: Block ciphers

Block ciphers. A block cipher defines a map E : P × K → C that takes plaintexts and keys to ciphertexts.

Set of permutations
1. Fixing a key K ∈ K defines a permutation E_K : P → C.
2. Fixing all keys defines a set E = {E_0, E_1, ..., E_{|K|-1}}.

[Figure: iterated construction P → F ⊕ K_0 → F ⊕ K_1 → ... → F ⊕ K_n → C]
Preliminaries: Block ciphers

Distinguishers and property testing. Is there a property that distinguishes one permutation, or a small class of permutations, from the many?
Preliminaries: Block ciphers

[Figure: plaintext p → E^r_K → state S ← D^{(n-r)}_K (key guess, marked "?") ← ciphertext c]

Distinguisher-based key recovery
- distinguisher for r out of n rounds of the cipher
- guess enough key bytes in the decryption direction
- verify the key guess in the middle using the distinguisher
Subspaces in block ciphers

Subspaces in block ciphers: Preliminaries

Basic exploitation: plaintexts or ciphertexts stay inside linear and affine subspaces for many rounds (a form of truncated differentials).

Brief overview
- A Cryptanalysis of PRINTcipher: The Invariant Subspace Attack (CRYPTO '11)
- A Generic Approach to Invariant Subspace Attacks: Cryptanalysis of Robin, iSCREAM and Zorro (EC '15)
- Subspace Trail Cryptanalysis and its Applications to AES (FSE '17)
- related to superbox cryptanalysis and truncated differentials
- ...active research area
Subspaces in block ciphers: Preliminaries

Notation
- F^n is the n-dimensional space over the field F
- let V be a subspace of F^n
- let F be a function on F^n (a permutation)
- S = F(V) = {F(v) | v ∈ V}
- cosets: V ⊕ a = {v ⊕ a | v ∈ V} for V ⊆ F^n
Subspaces in block ciphers: Invariant subspaces

[Figure: V ⊕ a → F → V ⊕ b → ⊕ K (K ∈ V ⊕ (a ⊕ b)) → V ⊕ a → F → V ⊕ b → ...]

Consider a permutation formed by iterating a permutation F xored with a fixed round key K. Assume the round function maps a coset V ⊕ a to a coset V ⊕ b, ...and that the fixed round key K is in V ⊕ (a ⊕ b). Then this process repeats itself: plaintexts in the coset V ⊕ a are mapped back into the same coset V ⊕ a.

Confidentiality is broken: density of weak keys = 2^{-(n - dim(V))}.
Subspaces in block ciphers: Invariant subspaces

Inspecting the components reveals an invariant subspace for a large class of keys (the PRINTcipher case from the CRYPTO '11 paper above):
- block size n = 48
- fixed key K in each round (used for the key-dependent permutation p and for the XOR)
- round constant
- finds 2^52 weak keys out of 2^80
Subspaces in block ciphers: Subspace trail cryptanalysis

[Figure: Subspace trail, V_1 ⊕ a → F → V_2 ⊕ b → ⊕ K_i → V_2 ⊕ c → F → V_3 ⊕ d]

Let R^m denote m applications of the round function F with fixed round keys K_i.

Subspace trails. A (constant-dimensional) generic subspace trail (V_0, V_1, ..., V_m) is such that for each a there exists a unique b such that F(V_i ⊕ a) = V_{i+1} ⊕ b.
Subspaces in block ciphers: Subspace trail cryptanalysis

Two trails U = (U_0, ..., U_m) and V = (V_0, ..., V_n), with a_i, b_i random and fixed constants:
F^m(U_0 ⊕ a_0) = U_m ⊕ a_m,   F^n(V_0 ⊕ b_0) = V_n ⊕ b_n.
The endpoints of U and V correlate (intersect).

[Figure: one coset U_0 ⊕ a_0 → R → U_1 ⊕ a_1 → R → U_2 ⊕ a_2 of the trail U, partitioned into sets A_{i,0} ⊂ V_i ⊕ a_{i,0}, ..., A_{i,q-1} ⊂ V_i ⊕ a_{i,q-1} that each follow the trail V round by round]
Subspaces in block ciphers: Subspace trail cryptanalysis

AES (round: SB, SR, MC)
- block size 128 bits, typical key size ∈ {128, 256}, rounds ∈ {10, 14}
- internal state viewed as a 4 × 4 matrix of states over F_{2^8}
- rounds consist of a fixed function F and addition of round keys, F = MC ∘ SR ∘ SB
Subspaces in block ciphers: Subspace trail cryptanalysis

Let e_{i,j} be the 4 × 4 matrix with a single 1 in position (i, j) (or, as a vector of length 16, with a single 1 in position 4·j + i).

Definition (Diagonal spaces). The diagonal spaces D_i are defined as
D_i = ⟨e_{0,i}, e_{1,i+1}, e_{2,i+2}, e_{3,i+3}⟩,
where the column index i + j is computed modulo 4. For instance, the diagonal space D_0 corresponds to the symbolic matrix
D_0 = \left\{ \begin{bmatrix} x_1 & 0 & 0 & 0 \\ 0 & x_2 & 0 & 0 \\ 0 & 0 & x_3 & 0 \\ 0 & 0 & 0 & x_4 \end{bmatrix} \right\}
Subspaces in block ciphers: Subspace trail cryptanalysis

Definition (Column spaces). The column spaces C_i are defined as
C_i = ⟨e_{0,i}, e_{1,i}, e_{2,i}, e_{3,i}⟩.
For instance, the column space C_0 corresponds to the image of
C_0 = \left\{ \begin{bmatrix} x_1 & 0 & 0 & 0 \\ x_2 & 0 & 0 & 0 \\ x_3 & 0 & 0 & 0 \\ x_4 & 0 & 0 & 0 \end{bmatrix} \right\}
Subspaces in block ciphers: Subspace trail cryptanalysis

Definition (Mixed spaces). The i-th mixed subspace M_i is defined as M_i = MC ∘ SR(C_i). For instance, M_0 corresponds to the image of
M_0 = \left\{ \begin{bmatrix} \alpha \cdot x_1 & x_4 & x_3 & (\alpha + 1) \cdot x_2 \\ x_1 & x_4 & (\alpha + 1) \cdot x_3 & \alpha \cdot x_2 \\ x_1 & (\alpha + 1) \cdot x_4 & \alpha \cdot x_3 & x_2 \\ (\alpha + 1) \cdot x_1 & \alpha \cdot x_4 & x_3 & x_2 \end{bmatrix} \right\}
Subspaces in block ciphers: Subspace trail cryptanalysis

AES subspace trail (SB, SR, MC). For fixed I, J ⊂ {0, 1, 2, 3} with |I| + |J| ≤ 4:
1. R(D_I ⊕ a) = C_I ⊕ b
2. R(C_I ⊕ a) = M_I ⊕ b
3. R^2(D_I ⊕ a) = M_I ⊕ b
4. M_I ∩ D_J = {0}

[Figure: properties 1 to 3 drawn on colour-coded 4 × 4 states: R(·) of a diagonal picture is a column picture, R(·) of a column picture is MC ∘ SR(·) of it, R^2(·) of a diagonal picture is MC ∘ SR(·) of a column picture; a fourth picture shows that after four rounds the image is no longer of that form, R^4(·) ≠ MC ∘ SR(·)]

[Figure: the two trails meeting: D_I ⊕ a_1 → R → C_I ⊕ a_2 → R → M_I ⊕ a_3, with the coset partitioned into sets A_{1,1} ⊂ D_J ⊕ a_{1,1}, ..., A_{1,q^d} ⊂ D_J ⊕ a_{1,q^d} that are mapped to A_{2,·} ⊂ C_J ⊕ a_{2,·} and then to A_{3,·} ⊂ M_J ⊕ a_{3,·}]
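The trail D_I → C_I → M_I above, checked in code. This is an added example, not code from the slides or from the FSE '17 paper: it builds the key-less AES round R = MC ∘ SR ∘ SB from its definition (the S-box is generated from the GF(2^8) inverse and the affine map rather than typed in), uses the slides' byte ordering 4·j + i, and tests that R^r maps a coset V ⊕ a into a single coset of the next space by checking that every image difference lies in that space. Random round keys are added to show that key addition only translates the coset. The 3-round check is included to show where the trail stops; its negative result is probabilistic but overwhelming (a random 128-bit difference lies in M_{0} with probability 2^{-96}).

```python
"""Subspace trail D_I -> C_I -> M_I through key-less AES rounds.
Added example, not from the slides: builds the AES round R = MC o SR o SB
from its definition and checks, on random cosets, that all pairwise
differences of images lie in the next subspace of the trail."""
import random

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    box = []
    for x in range(256):
        v, s = inv[x], inv[x]
        for i in range(1, 5):                       # v ^ rotl(v,1) ^ ... ^ rotl(v,4)
            s ^= ((v << i) | (v >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()

# A state is a list of 16 bytes; byte (row i, column j) sits at index 4*j + i,
# the same ordering as the slides' vector view of the 4x4 matrix.
def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def sub_bytes(s):
    return [SBOX[x] for x in s]

def shift_rows(s):            # row i rotated left by i positions
    return [s[4 * ((j + i) % 4) + i] for j in range(4) for i in range(4)]

def inv_shift_rows(s):
    return [s[4 * ((j - i) % 4) + i] for j in range(4) for i in range(4)]

def mix_columns(s, m=(2, 3, 1, 1)):
    """Multiply every column by the circulant matrix whose first row is m;
    m=(14, 11, 13, 9) gives the inverse MixColumns."""
    out = []
    for j in range(4):
        col = s[4 * j:4 * j + 4]
        for i in range(4):
            acc = 0
            for k in range(4):
                acc ^= gf_mul(m[(k - i) % 4], col[k])
            out.append(acc)
    return out

def aes_round(s, key):
    """One AES round R = MC o SR o SB followed by addition of a round key."""
    return xor(mix_columns(shift_rows(sub_bytes(s))), key)

# Membership tests for the diagonal, column and mixed spaces of the slides.
# Byte (i, j) lies on diagonal (j - i) mod 4, so D_I allows exactly those bytes.
def in_D(s, I):
    return all(s[4 * j + i] == 0 or (j - i) % 4 in I for j in range(4) for i in range(4))

def in_C(s, I):
    return all(s[4 * j + i] == 0 or j in I for j in range(4) for i in range(4))

def in_M(s, I):
    """M_I = MC o SR (C_I), so pull the state back through SR^-1 o MC^-1."""
    return in_C(inv_shift_rows(mix_columns(s, (14, 11, 13, 9))), I)

def random_D(I):
    return [random.randrange(256) if (j - i) % 4 in I else 0 for j in range(4) for i in range(4)]

def random_C(I):
    return [random.randrange(256) if j in I else 0 for j in range(4) for i in range(4)]

def trail_holds(rounds, sample, target, I, trials=40):
    """True if R^rounds(V + a) lies in a single coset of the target space, i.e.
    every image difference against a reference image is in the target space.
    Random round keys only translate the coset, so they do not affect the test."""
    a = [random.randrange(256) for _ in range(16)]
    keys = [[random.randrange(256) for _ in range(16)] for _ in range(rounds)]
    def encrypt(v):
        s = xor(v, a)
        for k in keys:
            s = aes_round(s, k)
        return s
    ref = encrypt(sample(I))
    return all(target(xor(encrypt(sample(I)), ref), I) for _ in range(trials))

if __name__ == "__main__":
    print("D_I -> C_I (1 round):  ", trail_holds(1, random_D, in_C, {0}))
    print("C_I -> M_I (1 round):  ", trail_holds(1, random_C, in_M, {0}))
    print("D_I -> M_I (2 rounds): ", trail_holds(2, random_D, in_M, {0, 1}))
    print("D_I -> M_I (3 rounds): ", trail_holds(3, random_D, in_M, {0}))
```

The S-box generation is a brute-force inverse search (about 65 000 field multiplications), so the module takes a moment to import; the point of generating it is that the check depends only on the published definition of the round, not on a transcribed table.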
From subspace trails to invariant subspaces in Simpira: Overview

Simpira: A Family of Efficient Permutations Using the AES Round Function [GM16]
- a family of cryptographic permutations supporting 128 × b bits
- designed to achieve high throughput on all modern 64-bit processors
- uses only one building block, the AES round (Intel/AMD/ARM native instructions)
- Generalized Feistel Structure
- Claim: no structural distinguishers with complexity below 2^128.
From subspace trails to invariant subspaces in Simpira: Overview

512-bit permutation (b = 4)
- f(x): one AES round minus constants
- F-function: F^t_i(x) = f(f(x) + k_{t,i})
- different constants in each new F-function
- iterated for many rounds (not important here)
- suitable for a wide range of applications
From subspace trails to invariant subspaces in Simpira: Two round property

Two rounds map (x^t_0, x^t_1, x^t_2, x^t_3) to (x^{t+2}_0, F^{t+1}_2(x^t_0) ⊕ x^t_3, x^t_0, F^t_1(x^t_0) ⊕ x^t_1), where

F^t_i(x) = f(f(x) + k_{t,i}) with k_{t,i} ∈ C_{0,1}, and (x^t_0, x^t_1, x^t_2, x^t_3) ∈ F_{2^8}^{4 × 4 × 4}.

S^{t+1} = (x^{t+1}_0, x^{t+1}_1, x^{t+1}_2, x^{t+1}_3) = (F^t_1(x^t_0) ⊕ x^t_1, F^t_2(x^t_3) ⊕ x^t_2, x^t_3, x^t_0)

S^{t+2} = (x^{t+2}_0, x^{t+2}_1, x^{t+2}_2, x^{t+2}_3) = (F^{t+1}_1(x^{t+1}_0) ⊕ x^{t+1}_1, F^{t+1}_2(x^{t+1}_3) ⊕ x^{t+1}_2, x^{t+1}_3, x^{t+1}_0)

with x^{t+1}_3 = x^t_0, x^{t+1}_2 = x^t_3, x^{t+1}_0 = F^t_1(x^t_0) ⊕ x^t_1.

Structure: (a, b, c, d) --R^2--> (z, F_1(a) ⊕ d, a, F_2(a) ⊕ b).
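The two-round wiring above, traced in code. This is an added example and not Simpira's own code: the F-functions F^t_i are stand-ins derived from SHA-256 (the real ones are two AES rounds with a constant k_{t,i} in between), which is enough because the two-round structure depends only on how the four branches are wired, not on what F computes. The expansion of z follows the S^{t+2} expression on the slide.

```python
"""Two-round structure of the slides' 4-branch generalized Feistel.
Added example, not Simpira's own code: F^t_i are constructed stand-ins
(SHA-256 keyed by round and position) so only the branch wiring is tested."""
import hashlib
import os

BRANCH = 16  # bytes per branch, the size of one AES state

def F(t, i, x):
    """Stand-in for F^t_i: a distinct function per round t and position i (constructed)."""
    return hashlib.sha256(b"F%d,%d:" % (t, i) + x).digest()[:BRANCH]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel_round(t, state):
    """S^{t+1} = (F^t_1(x0) + x1, F^t_2(x3) + x2, x3, x0): the wiring on the slide."""
    x0, x1, x2, x3 = state
    return (xor(F(t, 1, x0), x1), xor(F(t, 2, x3), x2), x3, x0)

def two_rounds(t, state):
    return feistel_round(t + 1, feistel_round(t, state))

def predicted_two_rounds(t, state):
    """(a, b, c, d) -> (z, F^{t+1}_2(a) + d, a, F^t_1(a) + b), with z expanded
    from the slide's S^{t+2} expression: z = F^{t+1}_1(F^t_1(a) + b) + F^t_2(d) + c."""
    a, b, c, d = state
    z = xor(xor(F(t + 1, 1, xor(F(t, 1, a), b)), F(t, 2, d)), c)
    return (z, xor(F(t + 1, 2, a), d), a, xor(F(t, 1, a), b))

def property_holds(trials=20):
    """True if the simulated two rounds match the slide's closed form on random states."""
    for n in range(trials):
        state = tuple(os.urandom(BRANCH) for _ in range(4))
        t = 2 * (n % 5)                      # vary the round index as well
        if two_rounds(t, state) != predicted_two_rounds(t, state):
            return False
    return True

if __name__ == "__main__":
    print("two-round property holds:", property_holds())
```

The structural point the check makes visible: after two rounds, branch 2 is the input branch a untouched, and branches 1 and 3 depend on the input only through a and one of b or d. That is what lets a subspace trail inside F_1(a) × F_2(a) turn into an invariant coset of the whole state in the slides that follow.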
From subspace trails to invariant subspaces in Simpira: Two round property

f(x): one AES round minus key addition. Consider f(x) × f(x) (in parallel) with constants c_1 and c_2 (the two constant states are pictured on the slide).
Parallel F-function: F_1(a) × F_2(a) = f(f(a) ⊕ c_1) × f(f(a) ⊕ c_2).

From subspace trails to invariant subspaces in Simpira: Subspace trail in parallel F-functions

[Figure: two AES rounds SB, SR, MC side by side]

Trivial invariant subspace in f(x) × f(x): f(a) × f(a) = b × b.
From subspace trails to invariant subspaces in Simpira: Subspace trail in parallel F-functions

[Figure: the constants c_1 and c_2 drawn as 4 × 4 states]

Constants space: constants c_1 and c_2 (pictured). Adding a constant: we begin with an invariant space a × a, f(·) × f(·) = (·) × (·), ...then add the constants in the middle: f(·) × f(·) ⊕ (c_1 × c_2) = (·) × (·). (The colour-coded state pictures on this slide did not survive extraction.)
From subspace trails to invariant subspaces in Simpira: Subspace trail in parallel F-functions

[Figure: two AES rounds SB, SR, MC side by side]

One more round. We begin with an invariant subspace a × a: f(·) × f(·) = (·) × (·); ...then add constants in the middle: f(·) × f(·) ⊕ (·) × (·) = (·) × (·); ...and apply another AES round: f(·) × f(·) = MC ∘ SR(·) × MC ∘ SR(·).

Subspace trail in the parallel F-function: F_1(·) × F_2(·) = MC ∘ SR(·) × MC ∘ SR(·). (State pictures lost in extraction.)
From subspace trails to invariant subspaces in Simpira: Invariant subspace over 2 rounds

(a, b, c, d) --R^2--> (z, F_1(a) ⊕ d, a, F_2(a) ⊕ b)
F_1(·) × F_2(·) = MC ∘ SR(·) × MC ∘ SR(·)  (imagine MC ∘ SR around all values of the state)

[Figure: the coset (·, ·, ·, ·) mapped by R^2 to (·, F_1(·) ⊕ ·, ·, F_2(·) ⊕ ·) = (·, ·, ·, ·) = (·, ·, ·, ·), drawn with colour-coded states that did not survive extraction]
From subspace trails to invariant subspaces in Simpira: Invariant subspace over 2 rounds

The invariant coset (·, ·, ·, ·) (state pictures lost in extraction), where
- a, b are set to all possible values (q^32)
- z_i is set to all possible values in the two left columns (q^16)
- x is set to all possible values in the two right columns (q^8)
- c is a random fixed value in the two right columns (q^8)

Conclusion for Simpira
- invariant subspaces in the round function arise from non-invariant subspaces in the AES F-function
- covers the whole plaintext space with 2^64 invariant cosets of dimension 56 over F_q (first time?)
- trivial distinguisher
Zero-difference cryptanalysis of AES: Zero differences and exchange operations in SPNs

Definition (Zero difference pattern). Let α = (α_0, α_1, ..., α_{n-1}) ∈ F^n_q. Then
ν(α) = (z_0, z_1, ..., z_{n-1}) ∈ F^n_2,  where z_i = 1 if α_i is zero and z_i = 0 otherwise.
Zero-difference cryptanalysis of AES: Zero differences and exchange operations in SPNs

Let α = (α_0, α_1, ..., α_{n-1}) ∈ F^n_q denote the state of a block cipher. Let q = 2^k and let s be a k × k permutation S-box (a permutation of k-bit values). The S-box working on a state is defined by S(α) = (s(α_0), s(α_1), ..., s(α_{n-1})). Let L be a linear layer in the block cipher. We consider a substitution permutation network (SPN) of the form S ∘ L ∘ S ∘ L ∘ S.
Zero-difference cryptanalysis of AES: Zero differences and exchange operations in SPNs

Lemma. For two states α and β in F^n_q, the zero difference pattern is preserved by a permutation S-box: ν(α ⊕ β) = ν(S(α) ⊕ S(β)).
Proof. Follows since α_i ⊕ β_i = 0 iff s(α_i) ⊕ s(β_i) = 0 (s is a permutation), and thus the S-box preserves the zero difference pattern.
Zero-difference cryptanalysis of AES: Zero differences and exchange operations in SPNs

Definition. For a vector c ∈ F^n_2 and a pair of states α, β ∈ F^n_q define a new state ρ_c(α, β) by
ρ_c(α, β)_i = α_i if c_i = 1, and β_i if c_i = 0.

Example. Let c = (0110), α = (α_0, α_1, α_2, α_3) and β = (β_0, β_1, β_2, β_3). Then
α' = ρ_(0110)(α, β) = (β_0, α_1, α_2, β_3)
and
β' = ρ_(0110)(β, α) = (α_0, β_1, β_2, α_3).
Zero-difference cryptanalysis of AES: Zero differences and exchange operations in SPNs

Lemma.
a) ρ_c(α, β) ⊕ ρ_c(β, α) = α ⊕ β
b) S(ρ_c(α, β)) ⊕ S(ρ_c(β, α)) = S(α) ⊕ S(β)
c) ρ_c(S(α), S(β)) = S(ρ_c(α, β))

Proof.
a) (ρ_c(α, β) ⊕ ρ_c(β, α))_i = α_i ⊕ β_i if c_i = 1, and β_i ⊕ α_i if c_i = 0.
b) (S(ρ_c(α, β)) ⊕ S(ρ_c(β, α)))_i = s(α_i) ⊕ s(β_i) if c_i = 1, and s(β_i) ⊕ s(α_i) if c_i = 0.
c) ρ_c(S(α), S(β))_i = S(ρ_c(α, β))_i = s(α_i) if c_i = 1, and s(β_i) if c_i = 0.
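The zero-difference pattern ν, the exchange operation ρ_c and the lemmas about them, exercised on a small SPN state. This is an added example, not from the slides: a state is N = 8 nibbles, s is a constructed 4-bit permutation (the lemmas hold for any permutation S-box, so nothing depends on which one), S applies s nibble-wise, and L is a constructed linear layer. Beyond verifying the S-box lemma and parts a) to c), it goes one step further than the slide and counts how often the linear layer L breaks both properties, which is why the exchange argument is applied at the S-box layers and the linear layers have to be handled separately.

```python
"""Zero-difference patterns and the exchange operation rho_c on an SPN state.
Added example, not from the slides: constructed 4-bit S-box and linear layer,
N-nibble states. Verifies the lemmas for S and shows L does not share them."""
import random

N = 8                                               # state of 8 nibbles
SBOX = random.Random(2017).sample(range(16), 16)    # constructed permutation s

def S(state):
    """S-box layer: s applied to every nibble."""
    return [SBOX[x] for x in state]

def L(state):
    """Constructed linear layer: nibble i becomes x_i ^ x_{i+1} ^ x_{i+2} (cyclic)."""
    return [state[i] ^ state[(i + 1) % N] ^ state[(i + 2) % N] for i in range(N)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def nu(alpha):
    """Zero-difference pattern: z_i = 1 iff alpha_i == 0."""
    return [1 if x == 0 else 0 for x in alpha]

def rho(c, alpha, beta):
    """Exchange: take alpha_i where c_i = 1 and beta_i where c_i = 0."""
    return [a if ci else b for ci, a, b in zip(c, alpha, beta)]

def random_pair(rng):
    """Random states with at least one equal nibble, so nu(alpha ^ beta) is non-trivial."""
    alpha = [rng.randrange(16) for _ in range(N)]
    beta = [rng.randrange(16) for _ in range(N)]
    k = rng.randrange(N)
    beta[k] = alpha[k]
    return alpha, beta

def check_lemmas(trials=200, seed=1):
    """One boolean per statement, each required to hold on every random (c, alpha, beta)."""
    rng = random.Random(seed)
    ok = {"sbox_keeps_nu": True, "a": True, "b": True, "c": True}
    for _ in range(trials):
        alpha, beta = random_pair(rng)
        c = [rng.randrange(2) for _ in range(N)]
        ok["sbox_keeps_nu"] &= nu(xor(alpha, beta)) == nu(xor(S(alpha), S(beta)))
        ok["a"] &= xor(rho(c, alpha, beta), rho(c, beta, alpha)) == xor(alpha, beta)
        ok["b"] &= xor(S(rho(c, alpha, beta)), S(rho(c, beta, alpha))) == xor(S(alpha), S(beta))
        ok["c"] &= rho(c, S(alpha), S(beta)) == S(rho(c, alpha, beta))
    return ok

def linear_layer_counterexamples(trials=200, seed=1):
    """Count random cases where L breaks what S preserves: the zero-difference
    pattern, and commutation with rho_c. Returns (pattern_broken, commute_broken)."""
    rng = random.Random(seed)
    pattern_broken = commute_broken = 0
    for _ in range(trials):
        alpha, beta = random_pair(rng)
        c = [rng.randrange(2) for _ in range(N)]
        pattern_broken += nu(xor(alpha, beta)) != nu(xor(L(alpha), L(beta)))
        commute_broken += rho(c, L(alpha), L(beta)) != L(rho(c, alpha, beta))
    return pattern_broken, commute_broken

if __name__ == "__main__":
    print("lemmas for S:", check_lemmas())
    print("L breaks (pattern, commutation) in", linear_layer_counterexamples(), "of 200 trials")
```

The slide's example with c = (0110) is the four-nibble case of rho; the functions above accept any length, so the test below also reproduces that example directly.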
Lemma 3. Let $L$ be a linear transformation. Then
$L(\rho_c(\alpha, \beta)) \oplus L(\rho_c(\beta, \alpha)) = L(\alpha) \oplus L(\beta)$.
Proof. Lemma 2a) gives $\rho_c(\alpha, \beta) \oplus \rho_c(\beta, \alpha) = \alpha \oplus \beta$, and the result follows from the linearity of $L$.
Let $\nu(\alpha)$ denote the zero difference pattern of $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1})$.
Lemma 4.
a) $\nu(\alpha \oplus \beta) = \nu(S(\alpha) \oplus S(\beta))$
b) $\nu(S(L(\alpha)) \oplus S(L(\beta))) = \nu(S(L(\rho_c(\alpha, \beta))) \oplus S(L(\rho_c(\beta, \alpha))))$
Proof.
a) Since $S$ is a permutation, $\alpha_i \oplus \beta_i = 0$ iff $s(\alpha_i) \oplus s(\beta_i) = 0$.
b) Since Lemma 3 gives $L(\rho_c(\alpha, \beta)) \oplus L(\rho_c(\beta, \alpha)) = L(\alpha) \oplus L(\beta)$, we have
$(S(L(\alpha)) \oplus S(L(\beta)))_i = 0$ iff $(L(\alpha) \oplus L(\beta))_i = 0$ iff $(L(\rho_c(\alpha, \beta)) \oplus L(\rho_c(\beta, \alpha)))_i = 0$ iff $(S(L(\rho_c(\alpha, \beta))) \oplus S(L(\rho_c(\beta, \alpha))))_i = 0$.
Theorem. Let $\alpha' = \rho_c(\alpha, \beta)$ and $\beta' = \rho_c(\beta, \alpha)$. Then
$\nu(S(L(S(\alpha))) \oplus S(L(S(\beta)))) = \nu(S(L(S(\alpha'))) \oplus S(L(S(\beta'))))$.
Proof. Follow both pairs through $S$, $L$, $S$; the differences stay equal up to the last S-box layer, which preserves the zero difference pattern:
$\alpha \oplus \beta = \rho_c(\alpha, \beta) \oplus \rho_c(\beta, \alpha)$ (Lemma 2a)
$\Downarrow S$
$S(\alpha) \oplus S(\beta) = S(\rho_c(\alpha, \beta)) \oplus S(\rho_c(\beta, \alpha))$ (Lemma 2b)
$\Downarrow L$
$L(S(\alpha)) \oplus L(S(\beta)) = L(S(\rho_c(\alpha, \beta))) \oplus L(S(\rho_c(\beta, \alpha)))$ (linearity of $L$)
$\Downarrow S$
$\nu(S(L(S(\alpha))) \oplus S(L(S(\beta)))) = \nu(S(L(S(\rho_c(\alpha, \beta)))) \oplus S(L(S(\rho_c(\beta, \alpha)))))$ (Lemma 1)
Zero difference preservation through $S \circ L \circ S$: encrypt downwards on the left, decrypt the exchanged ciphertexts upwards on the right.
$\nu(p_0 \oplus p_1) = \nu(p_0' \oplus p_1')$
$\Downarrow S$ on the left, $\Uparrow S^{-1}$ on the right
$S(p_0) \oplus S(p_1) = L^{-1}(S^{-1}(c_0')) \oplus L^{-1}(S^{-1}(c_1'))$
$\Downarrow L$ on the left, $\Uparrow L^{-1}$ on the right
$L(S(p_0)) \oplus L(S(p_1)) = S^{-1}(c_0') \oplus S^{-1}(c_1')$
$\Downarrow S$ on the left, $\Uparrow S^{-1}$ on the right
$c_0 \oplus c_1 \Rightarrow c_0' \oplus c_1'$
a) Pick two plaintexts $p_0$ and $p_1$ with a zero difference pattern $\nu(p_0 \oplus p_1)$.
b) Encrypt $p_0$ and $p_1$ to $c_0$ and $c_1$.
c) Make two new ciphertexts $c_0' = \rho_c(c_0, c_1)$ and $c_1' = \rho_c(c_1, c_0)$.
d) Decrypt $c_0'$ and $c_1'$ to $p_0'$ and $p_1'$.
e) Then $\nu(p_0 \oplus p_1) = \nu(p_0' \oplus p_1')$.
Zero-difference cryptanalysis of AES: 3 Rounds of AES
Figure: Three rounds of AES (SB, MC and SR layers), grouped as $Q \circ S$.
$R^3 = (AK \circ MC \circ SR \circ SB) \circ (AK \circ MC \circ SR \circ SB) \circ (AK \circ MC \circ SR \circ SB)$. Rewrite in terms of $S = SB \circ MC \circ SB$ and $L = SR \circ MC \circ SR$; dropping the linear layers at the two ends,
$R^{*3} = (SB \circ MC \circ SR) \circ (SB \circ MC \circ SB) = Q \circ S$.
Theorem. Three rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext.
Figure: $p_0, p_1$ are encrypted through $S$ and then $SB \circ MC \circ SR$ to $c_0, c_1$; the ciphertext $v = \rho_c(c_0, c_1)$ is decrypted through $(SB \circ MC \circ SR)^{-1}$ and $S^{-1}$ to $u$.
1. Select $p_0, p_1$ that differ in only …
2. Ask for the encryptions $c_0$ and $c_1$ of $p_0$ and $p_1$.
3. Let $H_i$ be the image of the $i$-th column of $SR(S(p_0) \oplus S(p_1))$ under $MC \circ SB$.
4. Select $v = (v_0, v_1, v_2, v_3)$ where $v_i \in \{c_{0,i}, c_{1,i}\}$.
5. Ask for the decryption of $v$ (denote it $u$).
6. Then $\nu(p_0 \oplus p_1) = \nu(u \oplus p_j)$, since the $i$-th component of $v$ is in $H_i$.
Probability $2^{-96}$ for a random cipher.
Zero-difference cryptanalysis of AES: 4 Rounds of AES
Figure: $S \circ L \circ S$ in AES (four rounds of SB and MC layers).
Theorem. Four rounds of AES can be distinguished from a random cipher using one pair of chosen plaintexts and one (adaptively) chosen ciphertext pair.
Figure: $p_0, p_1$ are encrypted through $S \circ L \circ S$ to $c_0, c_1$; the exchanged ciphertexts $v_i = \rho_c(c_i, c_{i+1 \bmod 2})$ are decrypted through $S^{-1} \circ L^{-1} \circ S^{-1}$ to $u_0, u_1$.
1. Select $p_0, p_1$ that differ in only …
2. Ask for the encryptions $c_0$ and $c_1$ of $p_0$ and $p_1$.
3. Construct $v_0 = \rho_c(c_0, c_1)$ and $v_1 = \rho_c(c_1, c_0)$.
4. Ask for the decryptions $u_0, u_1$ of $v_0, v_1$.
5. If the cipher is AES, then $\nu(u_0 \oplus u_1) = \nu(p_0 \oplus p_1)$ (the same zero difference pattern); the probability for a random cipher is $2^{-96}$.
Extends to a 5-round distinguisher and key recovery.
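As an added example that is not code from the talk, the toy $S \circ L \circ S$ SPN below over four 4-bit cells implements the exchange operation $\rho_c$, checks the theorem $\nu(S(L(S(\alpha))) \oplus S(L(S(\beta)))) = \nu(S(L(S(\alpha'))) \oplus S(L(S(\beta'))))$ from the exchange-operation slides, and runs the yoyo steps of the zero-difference-preservation and 4-round slides (encrypt, exchange the ciphertexts, decrypt, compare $\nu$) against a random permutation as the baseline. The S-box (PRESENT's), the rotation-based linear layer, the random permutation and all sample states are constructed assumptions, and AES's 32-bit super S-box columns are replaced by 4-bit cells.

```python
"""Toy S o L o S SPN over four 4-bit cells: exchange operation rho_c and the
zero-difference theorem. Added example; S-box, linear layer and samples are constructed."""
import random

N = 4                                            # number of cells in a state
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,  # constructed: PRESENT S-box
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

def S(state, box=SBOX):
    """Cell-wise S-box layer S(alpha) = (s(alpha_0), ..., s(alpha_{n-1}))."""
    return tuple(box[a] for a in state)

def pack(state):
    return sum(a << (4 * i) for i, a in enumerate(state))
def unpack(x):
    return tuple((x >> (4 * i)) & 0xF for i in range(N))

def lin16(x):
    # XOR of an odd number of rotations is invertible over GF(2)[x]/(x^16 + 1)
    rot = lambda r: ((x << r) | (x >> (16 - r))) & 0xFFFF
    return x ^ rot(3) ^ rot(7)
L_INV_TABLE = {lin16(x): x for x in range(1 << 16)}  # inverse of L by full table

def L(state):
    """Constructed linear layer mixing all 16 state bits (not the talk's)."""
    return unpack(lin16(pack(state)))
def L_inv(state):
    return unpack(L_INV_TABLE[pack(state)])

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))
def nu(delta):
    """Zero-difference pattern: 1 in every cell where the difference is 0."""
    return tuple(int(d == 0) for d in delta)
def rho(c, alpha, beta):
    """Exchange: rho_c(alpha, beta)_i = alpha_i if c_i = 1 else beta_i."""
    return tuple(a if ci else b for ci, a, b in zip(c, alpha, beta))

def G(p):                # G = S o L o S; round keys are omitted because
    return S(L(S(p)))    # rho_c commutes with XORing one key into both states
def G_inv(c):
    return S(L_inv(S(c, SBOX_INV)), SBOX_INV)

def theorem_holds(alpha, beta, c):
    """The theorem: nu(G(a)^G(b)) == nu(G(rho_c(a,b)) ^ G(rho_c(b,a)))."""
    lhs = nu(xor(G(alpha), G(beta)))
    rhs = nu(xor(G(rho(c, alpha, beta)), G(rho(c, beta, alpha))))
    return lhs == rhs

def yoyo_preserved(enc, dec, p0, p1, c):
    """Steps a)-e): encrypt, exchange the ciphertexts with rho_c, decrypt,
    and compare the zero-difference pattern of the new pair with the old."""
    c0, c1 = enc(p0), enc(p1)
    u0, u1 = dec(rho(c, c0, c1)), dec(rho(c, c1, c0))
    return nu(xor(p0, p1)) == nu(xor(u0, u1))

def pass_rate(enc, dec, trials, seed=1):
    """Fraction of random pairs (differing in cell 0 only) for which the yoyo
    property holds: 1.0 for S o L o S, near 0 for a random permutation."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        p0 = tuple(rng.randrange(16) for _ in range(N))
        p1 = (p0[0] ^ rng.randrange(1, 16),) + p0[1:]
        cb = rng.randrange(1, 15)                # non-trivial c: not all 0 or all 1
        c = tuple((cb >> i) & 1 for i in range(N))
        hits += yoyo_preserved(enc, dec, p0, p1, c)
    return hits / trials

# Baseline "ideal cipher": a random 16-bit permutation (constructed, seeded).
PERM = list(range(1 << 16))
random.Random(7).shuffle(PERM)
PERM_INV = {v: i for i, v in enumerate(PERM)}
rand_enc = lambda p: unpack(PERM[pack(p)])
rand_dec = lambda c: unpack(PERM_INV[pack(c)])
```

Calling `pass_rate(G, G_inv, 200)` returns 1.0 while `pass_rate(rand_enc, rand_dec, 200)` stays near 0 (only pairs where the exchange happens to return the original ciphertexts pass), which is the distinguishing gap the slides exploit.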
Zero-difference cryptanalysis of AES: 6 Rounds of AES
Six rounds of AES is $S \circ L \circ S \circ L \circ S$: preserve zero differences in the middle, combine with an impossible differential property, and obtain the first distinguisher for 6 rounds (high complexity).
Figure: Six rounds of AES (SB and MC layers).
new records: 3 to 6 round distinguishers for AES
new record: 5 round key recovery
can be applied directly to similar designs as well
can be improved (more rounds) for lightweight designs
Theorem. Let $p_0' = \rho_c(p_0, p_1)$, $p_1' = \rho_c(p_1, p_0)$, $c_0^* = \rho_c(c_0, c_1)$, $c_1^* = \rho_c(c_1, c_0)$ and $G_2 = S \circ L \circ S$. Then
$\nu(G_2(p_0') \oplus G_2(p_1')) = \nu(G_2^{-1}(c_0^*) \oplus G_2^{-1}(c_1^*))$.
Forward from the plaintexts:
$p_0 \oplus p_1 = p_0' \oplus p_1'$
$\Downarrow S$
$S(p_0) \oplus S(p_1) = S(p_0') \oplus S(p_1')$
$\Downarrow L$
$L(S(p_0)) \oplus L(S(p_1)) = L(S(p_0')) \oplus L(S(p_1'))$
$\Downarrow S$
$G_2(p_0') \oplus G_2(p_1')$
Backward from the ciphertexts, starting from $c_0 \oplus c_1 \Rightarrow c_0^* \oplus c_1^*$:
$\Uparrow S^{-1}$, $\Uparrow L^{-1}$, $\Uparrow S^{-1}$ gives $G_2^{-1}(c_0^*) \oplus G_2^{-1}(c_1^*)$, and continuing up to the plaintexts gives $p_0^* \oplus p_1^*$.