Results 1 - 8 of 8
Related-key Cryptanalysis of the Full AES-192 and AES-256. Cryptology ePrint Archive, Report 2009/317, 2009
Cited by 15 (2 self)
Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has 2^99.5 time and data complexity, while the recent attack by Biryukov-Khovratovich-Nikolić works for a weak key class and has much higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.
Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds
Cited by 9 (0 self)
Abstract. AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10 round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time). While neither AES-128 nor AES-256 can be directly broken by these attacks, the fact that their hybrid (which combines the smaller number of rounds from AES-128 along with the larger key size from AES-256) can be broken with such a low complexity raises serious concern about the remaining safety margin offered by the AES family of cryptosystems.
Distinguisher and Related-Key Attack on the Full AES-256. Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science, 2009
Cited by 8 (0 self)
Abstract. In this paper we construct a chosen-key distinguisher and a related-key attack on the full 256-bit key AES. We define a notion of differential q-multicollision and show that for AES-256 q-multicollisions can be constructed in time q · 2^67 and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least O(q · 2^(((q−1)/(q+1))·128)) time. Using similar approach and with the same complexity we can also construct q-pseudo collisions for AES-256 in Davies-Meyer hashing mode, a scheme which is provably secure in the ideal-cipher model. We have also computed partial q-multicollisions in time q · 2^37 on a PC to verify our results. These results show that AES-256 cannot model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14-round AES-256: a related-key distinguisher which works for one out of every 2^35 keys with 2^120 data and time complexity and negligible memory. This distinguisher is translated into a key-recovery attack with total complexity of 2^131 time and 2^65 memory. Keywords: AES, related-key attack, chosen key distinguisher, Davies-Meyer, ideal cipher.
Pseudorandom Functions and Permutations Provably Secure Against Related-Key Attacks, 2010
Cited by 4 (0 self)
This paper fills an important foundational gap with the first proofs, under standard assumptions and in the standard model, of the existence of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) resisting rich and relevant forms of related-key attacks (RKA). An RKA allows the adversary to query the function not only under the target key but under other keys derived from it in adversary-specified ways. Based on the Naor-Reingold PRF we obtain an RKA-PRF whose keyspace is a group and that is proven, under DDH, to resist attacks in which the key may be operated on by arbitrary adversary-specified group elements. Previous work was able only to provide schemes in idealized models (ideal cipher, random oracle), under new, non-standard assumptions, or for limited classes of attacks. The reason was technical difficulties that we resolve via a new approach and framework that, in addition to the above, yields other RKA-PRFs including a DLIN-based one derived from the Lewko-Waters PRF. Over the last 15 years cryptanalysts and blockcipher designers have routinely and consistently targeted RKA-security; it is visibly important for abuse-resistant cryptography; and it helps protect against fault-injection side-channel attacks. Yet ours are the first significant proofs of existence of secure constructs. We warn that our constructs are proofs-of-concept
Rotational Cryptanalysis of ARX
Cited by 2 (0 self)
Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations.
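The rotational property the abstract refers to can be measured directly. The following is an added example, not code from the paper: it rotates both inputs of an ARX operation, rotates the output, and counts exhaustively over 8-bit words how often the two agree. XOR and rotation commute, so XOR preserves a rotational pair with probability 1; modular addition preserves it only with the probability given by Daum's closed form, which is the per-operation cost that a rotational trail through a reduced ARX cipher such as Threefish has to pay. The word size, rotation amounts and constants below are chosen for the demonstration and are not taken from the paper.

```python
"""Added example (not from the paper): exhaustively measure how well the ARX
operations preserve rotational pairs, and compare modular addition against the
closed-form probability that rotational cryptanalysis relies on."""
from typing import Callable


def rotl(x: int, r: int, n: int) -> int:
    """Rotate the n-bit word x left by r positions."""
    r %= n
    mask = (1 << n) - 1
    return ((x << r) | (x >> (n - r))) & mask


def xor(x: int, y: int, n: int) -> int:
    return x ^ y


def add(x: int, y: int, n: int) -> int:
    return (x + y) & ((1 << n) - 1)


def rotational_fraction(op: Callable[[int, int, int], int], r: int, n: int) -> float:
    """Fraction of all n-bit (x, y) with op(x<<<r, y<<<r) == op(x, y)<<<r.

    A rotational pair (x, x<<<r) fed through op stays rotational with exactly
    this probability; multiplying these over every operation of a trail gives
    the probability of a rotational distinguisher for the whole construction."""
    hits = 0
    for x in range(1 << n):
        rx = rotl(x, r, n)
        for y in range(1 << n):
            if op(rx, rotl(y, r, n), n) == rotl(op(x, y, n), r, n):
                hits += 1
    return hits / (1 << (2 * n))


def daum_formula(r: int, n: int) -> float:
    """Closed form for modular addition: (1 + 2^(r-n) + 2^-r + 2^-n) / 4.

    Derivation: split x = a*2^(n-r) + b (and y likewise). The two sides agree
    iff neither the r-bit high halves nor the (n-r)-bit low halves produce a
    carry, and a k-bit half carries with probability (1 - 2^-k)/2."""
    return (1 + 2.0 ** (r - n) + 2.0 ** -r + 2.0 ** -n) / 4


def xor_constant_fraction(c: int, r: int, n: int) -> float:
    """Fraction of x with (x ^ c)<<<r == (x<<<r) ^ c.

    Rotation distributes over XOR, so this is 1.0 when c is invariant under the
    rotation (e.g. 0x00, 0xFF for any r) and 0.0 otherwise: a constant that is
    not rotation-symmetric destroys the rotational relation for every input."""
    hits = sum(1 for x in range(1 << n)
               if rotl(x ^ c, r, n) == rotl(x, r, n) ^ c)
    return hits / (1 << n)


if __name__ == "__main__":
    n = 8
    for r in (1, 3):
        print(f"r={r}: XOR {rotational_fraction(xor, r, n):.4f}  "
              f"ADD {rotational_fraction(add, r, n):.4f}  "
              f"Daum {daum_formula(r, n):.4f}")
    print("XOR with constant 0x01:", xor_constant_fraction(0x01, 1, n))
    print("XOR with constant 0xFF:", xor_constant_fraction(0xFF, 1, n))
```

For 32-bit words and r = 1 the formula evaluates to about 0.375, i.e. 2^-1.415, the figure usually quoted for a single addition; the exhaustive 8-bit runs above reproduce the formula exactly because every term is dyadic.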
New Related-Key Boomerang Attacks on AES (Full Version)
Cited by 1 (0 self)
Abstract. In this paper we present two new attacks on round reduced versions of the AES. We present the first application of the related-key boomerang attack on 7 and 9 rounds of AES-192. The 7-round attack requires only 2^18 chosen plaintexts and ciphertexts and needs 2^67.5 encryptions. We extend our attack to nine rounds of AES-192. This leads to a data complexity of 2^67 chosen plaintexts and ciphertexts using about 2^143.33 encryptions to break 9 rounds of AES-192.
unknown title
Abstract. In this paper we apply impossible differential attacks to reduced round AES. Using various techniques, including the early abort approach and key schedule considerations, we significantly improve previously known attacks due to Bahrak-Aref and Phan. The improvement of these attacks leads to the best known impossible differential attacks on 7-round AES-128 and AES-192, as well as to the best known impossible differential attacks on 8-round AES-256.
Repeated Differential Properties
Abstract—In this paper, we further study the key schedule of the AES algorithm and present some repeated differential properties of the AES-128 and AES-256 key schedules. We define the concept of repeated differential pattern for the AES-128 key schedule, and the notion of double-sized repeated differential pattern for the AES-256 key schedule. We show that if we use the key schedule to expand two 128-bit (or 256-bit) secret keys with the repeated differential pattern (or double-sized repeated differential pattern), the resultant 10-round (or 14-round) subkeys have a large number of bytes in common and the differential pattern has strong repeated features.
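The mechanism behind this abstract, and behind the related-key attacks listed above it, is that the AES key schedule is linear except for the SubWord applied to one rotated word per round, so a key difference spreads along predictable byte positions for several rounds before S-box output differences start to interact. The block below is an added example, not the paper's code, and it does not reproduce the paper's "repeated differential pattern", which the abstract does not spell out. It implements the FIPS-197 AES-128 key expansion (S-box computed from the field inverse and affine map rather than tabulated) and counts, round by round, how many subkey bytes two keys differing in a constructed single byte still share. Up to round 4 the count is fixed by the schedule's structure alone and is the same for any pair of keys with that difference; from round 5 on it depends on the actual S-box output values.

```python
"""Added example (not from the paper): trace a key difference through the
AES-128 key schedule and count the subkey bytes two related keys share in
each round. The sample keys and the single-byte difference are constructed."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p


def _sbox() -> list:
    """Build the AES S-box: multiplicative inverse, then the affine map."""
    box = []
    for a in range(256):
        inv = 0
        if a:
            inv, base, e = 1, a, 254            # a^254 == a^-1 in GF(2^8)
            while e:
                if e & 1:
                    inv = gf_mul(inv, base)
                base = gf_mul(base, base)
                e >>= 1
        s = inv
        for k in (1, 2, 3, 4):                   # s = inv ^ rotl1..rotl4(inv) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _sbox()


def expand_key_128(key: bytes) -> list:
    """FIPS-197 key expansion; returns the 11 round keys (16 bytes each)."""
    assert len(key) == 16
    w = [key[4 * i:4 * i + 4] for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                           # the only nonlinear step
            t = bytes(SBOX[b] for b in t[1:] + t[:1])   # RotWord then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]            # Rcon (cancels in differences)
            rcon = gf_mul(rcon, 0x02)
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def common_bytes_per_round(k1: bytes, k2: bytes) -> list:
    """For each of the 11 round keys, how many of its 16 bytes are identical."""
    return [sum(a == b for a, b in zip(r1, r2))
            for r1, r2 in zip(expand_key_128(k1), expand_key_128(k2))]


# Constructed sample: K and K xor DELTA, where DELTA touches only key byte 0.
DELTA = bytes([0x80]) + bytes(15)
KEY_A = bytes(range(16))
KEY_B = xor_bytes(KEY_A, DELTA)

if __name__ == "__main__":
    for rnd, n in enumerate(common_bytes_per_round(KEY_A, KEY_B)):
        print(f"round {rnd:2d}: {n:2d}/16 subkey bytes in common")
```

Tracing the difference by hand: round 1 carries it in byte 0 of every word (12 bytes in common), in round 2 the XOR chain cancels it in words 1 and 3 while SubWord injects a new nonzero difference in byte 3 (10 in common), and rounds 3 and 4 leave 8 and 7 bytes in common. Only in round 5 does a fresh S-box output land on a byte that already differs, so from there the count depends on the key values.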

