## Distinguisher and Related-Key Attack on the Full AES-256 (2009)

Venue: Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science

Citations: 26 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Biryukov09distinguisherand,
  author    = {Alex Biryukov and Dmitry Khovratovich and Ivica Nikolić},
  title     = {Distinguisher and Related-Key Attack on the Full AES-256},
  booktitle = {Advances in Cryptology – CRYPTO 2009, Proceedings, volume 5677 of Lecture Notes in Computer Science},
  year      = {2009},
  pages     = {231--249},
  publisher = {Springer}
}
```

### Abstract

In this paper we construct a chosen-key distinguisher and a related-key attack on the full 256-bit key AES. We define a notion of differential q-multicollision and show that for AES-256 q-multicollisions can be constructed in time $q \cdot 2^{67}$ and with negligible memory, while we prove that the same task for an ideal cipher of the same block size would require at least $O(q \cdot 2^{\frac{q-1}{q+1} \cdot 128})$ time. Using a similar approach and with the same complexity we can also construct q-pseudo-collisions for AES-256 in Davies-Meyer hashing mode, a scheme which is provably secure in the ideal-cipher model. We have also computed partial q-multicollisions in time $q \cdot 2^{37}$ on a PC to verify our results. These results show that AES-256 cannot model an ideal cipher in theoretical constructions. Finally we extend our results to find the first publicly known attack on the full 14-round AES-256: a related-key distinguisher which works for one out of every $2^{35}$ keys with $2^{120}$ data and time complexity and negligible memory. This distinguisher is translated into a key-recovery attack with total complexity of $2^{131}$ time and $2^{65}$ memory.

Keywords: AES, related-key attack, chosen-key distinguisher, Davies-Meyer, ideal cipher.

### Citations

- 203 citations: The Design of Rijndael (Daemen, Rijmen, 2002)
  Citation context: ...d (AES) is a block cipher which was chosen by NIST from a set of 15 candidate designs in a thorough evaluation process that lasted from September 1997 till October 2000. On November 26, 2001 Rijndael [7], a 128-bit block, 128/192/256-bit key block cipher has become a standard as U.S. FIPS 197 [18]. In June 2003 the US government has approved the use of 128, 192, 256 bit key AES for SECRET and 192, 25...

- 104 citations: Black-box analysis of the block-cipher-based hash-function construction from (Black, Rogaway, et al., 2002)
  Citation context: ...l cipher, this gives us additional confidence that such property (in our case “differential multicollisions”) should not be present in a good cipher. There are also many constructions provably secure [3,10] in the ideal cipher model. This model assumes that both the key and the plaintext are accessible to the attacker. If a block cipher3 ∗ — for each key. Attack Known-key integral 7 1 2 56 # rounds # k...

- 94 citations: Multicollisions in iterated hash functions. Application to cascaded constructions (Joux)
  Citation context: ...e then show that it is relatively easy to find q pseudo-collisions for AES-256 in the Davies-Meyer mode. We also point out that we construct one-block pseudo-collisions and thus the technique of Joux [11] does not apply here. Our goal is for fixed differences $\Delta I, \Delta M$ to find many pseudo-collisions for $H_E(I, M) \stackrel{\text{def}}{=} E_M(I) \oplus I$, which is the Davies-Meyer compression function with AES-256 as the under...

- 79 citations: The random oracle methodology, revisited (Canetti, Oded Goldreich, Shai Halevi, 1998)
  Citation context: ...s of block cipher security and to fill the gap between theoretical models like random oracle and ideal cipher and the real world of ciphers which have fixed description and are efficiently computable [2,5]. However a proper security definition which would capture the intuition behind chosen/known key attacks is still an open problem. The second direction that we studied was application of the trails th...

- 54 citations: function based on block ciphers (Lai, Massey, 1992)
  Citation context: ... short output (128 bits) if being instantiated with AES. The double block length (DBL) hash functions [3] are more practical constructions. The famous examples are MDC-2, MDC-4, Abreast-DM, Tandem-DM [17,6,15], for which the security proof has been a separate challenging task [21,9,16]. So far we do not know how our results can be carried on to these modes instantiated with AES-256, and expect it to be a s...

- 53 citations: Improved cryptanalysis of Rijndael (Ferguson, Kelsey, et al., 1978)
  Citation context: ...6 2 173 q-multicollisions 14 2q 2q q · 2 67 Partial q-multicollisions 14 2q 2q q · 2 37 Related-key distinguisher 14 2 35 Related-key key recovery 14 2 35 2 119 ∗ 119 ∗ 2 2 96 ∗ 96 ∗ 2 2 56 2 32 [14] [8] ? [1,13] - Sec. 2 - Sec. 2.3 - Sec. 4.1 2 65 Sec. 4.2 Table 1. Best attacks on AES-256 (e.g., AES) exhibits a property that should not appear in the ideal cipher then instantiation of a provably secu...

- 26 citations: Related-Key Boomerang and Rectangle Attacks (Biham, Dunkelman, et al.)
  Citation context: ...3 q-multicollisions 14 2q 2q q · 2 67 Partial q-multicollisions 14 2q 2q q · 2 37 Related-key distinguisher 14 2 35 Related-key key recovery 14 2 35 2 119 ∗ 119 ∗ 2 2 96 ∗ 96 ∗ 2 2 56 2 32 [14] [8] ? [1,13] - Sec. 2 - Sec. 2.3 - Sec. 4.1 2 65 Sec. 4.2 Table 1. Best attacks on AES-256 (e.g., AES) exhibits a property that should not appear in the ideal cipher then instantiation of a provably secure constr...

- 16 citations: Known-Key Distinguishers for Some Block Ciphers (Knudsen, Rijmen)
  Citation context: ... the differential multicollision for AES-256 can be constructed significantly faster than for an ideal cipher. Previously a known-key distinguisher for seven rounds of AES with 256 texts was found in [14]. To verify our results we found partial q-multicollisions in several hours on a PC using the publicly available implementation of AES-256. As a direct application of this differential q-multicollision...

- 15 citations: The ideal-cipher model, revisited: An uninstantiable blockcipher-based hash function (Black, 2006)
  Citation context: ...s of block cipher security and to fill the gap between theoretical models like random oracle and ideal cipher and the real world of ciphers which have fixed description and are efficiently computable [2,5]. However a proper security definition which would capture the intuition behind chosen/known key attacks is still an open problem. The second direction that we studied was application of the trails th...

- 15 citations: The collision intractability of MDC-2 in the ideal-cipher model (Steinberger, 2008)
  Citation context: ...gth (DBL) hash functions [3] are more practical constructions. The famous examples are MDC-2, MDC-4, Abreast-DM, Tandem-DM [17,6,15], for which the security proof has been a separate challenging task [21,9,16]. So far we do not know how our results can be carried on to these modes instantiated with AES-256, and expect it to be a separate non-trivial task. 4 Related-key attack on AES-256 In this section we ...

- 12 citations: Secure program load with manipulation detection code (Meyer, Schilling, 1998)
  Citation context: ... short output (128 bits) if being instantiated with AES. The double block length (DBL) hash functions [3] are more practical constructions. The famous examples are MDC-2, MDC-4, Abreast-DM, Tandem-DM [17,6,15], for which the security proof has been a separate challenging task [21,9,16]. So far we do not know how our results can be carried on to these modes instantiated with AES-256, and expect it to be a s...

- 11 citations: Related-key rectangle attacks on reduced AES-192 and AES-256 (Kim, Hong, et al.)
  Citation context: ...3 q-multicollisions 14 2q 2q q · 2 67 Partial q-multicollisions 14 2q 2q q · 2 37 Related-key distinguisher 14 2 35 Related-key key recovery 14 2 35 2 119 ∗ 119 ∗ 2 2 96 ∗ 96 ∗ 2 2 56 2 32 [14] [8] ? [1,13] - Sec. 2 - Sec. 2.3 - Sec. 4.1 2 65 Sec. 4.2 Table 1. Best attacks on AES-256 (e.g., AES) exhibits a property that should not appear in the ideal cipher then instantiation of a provably secure constr...

- 6 citations: The security of Abreast-DM in the ideal cipher model. http://eprint.iacr.org/2009/225.pdf (Lee, Kwon, 2010)
  Citation context: ...gth (DBL) hash functions [3] are more practical constructions. The famous examples are MDC-2, MDC-4, Abreast-DM, Tandem-DM [17,6,15], for which the security proof has been a separate challenging task [21,9,16]. So far we do not know how our results can be carried on to these modes instantiated with AES-256, and expect it to be a separate non-trivial task. 4 Related-key attack on AES-256 In this section we ...

- 4 citations: Data authentication using modification detection codes based on a public one way encryption function (Coppersmith, Pilpel, et al., 1990)
  Citation context: ... short output (128 bits) if being instantiated with AES. The double block length (DBL) hash functions [3] are more practical constructions. The famous examples are MDC-2, MDC-4, Abreast-DM, Tandem-DM [17,6,15], for which the security proof has been a separate challenging task [21,9,16]. So far we do not know how our results can be carried on to these modes instantiated with AES-256, and expect it to be a s...

- 3 citations: On the security of Tandem-DM (Fleischmann, Gorski, et al., 2009)
  Citation context: ...gth (DBL) hash functions [3] are more practical constructions. The famous examples are MDC-2, MDC-4, Abreast-DM, Tandem-DM [17,6,15], for which the security proof has been a separate challenging task [21,9,16]. So far we do not know how our results can be carried on to these modes instantiated with AES-256, and expect it to be a separate non-trivial task. 4 Related-key attack on AES-256 In this section we ...

- 2 citations: On the security of randomized CBC-MAC, beyond the birthday paradox limit: a new construction (Jaulmes, Frédéric Valette, 2002)
  Citation context: ...l cipher, this gives us additional confidence that such property (in our case “differential multicollisions”) should not be present in a good cipher. There are also many constructions provably secure [3,10] in the ideal cipher model. This model assumes that both the key and the plaintext are accessible to the attacker. If a block cipher3 ∗ — for each key. Attack Known-key integral 7 1 2 56 # rounds # k...

- 2 citations: Speeding up collision search for byte-oriented hash functions. In CT-RSA 2009. A Triangulation tool: We make our triangulation tool publicly available, as a Windows executable binary file, at https://cryptolux.uni.lu/mediawiki/uploads/0/03/K (Khovratovich, Biryukov, Ivica Nikolić)
  Citation context: ...s get admissible inputs. In the next paragraphs we explain how to construct such executions efficiently. Triangulation algorithm. Search for free variables. The triangulation algorithm was proposed in [12] as a tool for solving systems of non-linear equations, which appear in differential attacks. Given the constraints on the internal variables, the algorithm outputs a special set of variables, called ...

- 1 citation: available at http://www.five-ten-sg.com/risks/risks-19.87.txt (challenge, 1998)
  Citation context: ... attack trivial? Intuitively we need a challenge in the chosen or known key scenario in which even the constructor of the challenge could participate. This is similar to Blaze’s challenge for the DES [4]: Find a DES key such that some ciphertext block of the form < XXXXXXXX > decrypts to a plaintext block of the form < Y Y Y Y Y Y Y Y >. This challenge, then, has the desirable property that a result ...

- 1 citation: A proof of security in $O(2^n)$ for the xor of two random permutations (Patarin, 2008)
  Citation context: ...n−1. $L \ge \frac{q}{2e} \cdot 2^{\frac{q-2}{q+2}(n-1)-1} = O(q \cdot 2^{\frac{q-2}{q+2} n})$. (8) $L \ge q \cdot 2^{n-2} = O(q \cdot 2^{n})$. (9) □ Remark 2. The function $F_{\Delta K, \Delta P}(K, P) = E_K(P) \oplus E_{K \oplus \Delta K}(P \oplus \Delta P)$ is a xor of two permutations. Patarin in [20] has shown that the xor of two random permutations can not be distinguished from a pseudo-random function with less than $2^n$ queries. In [22] it was proven that q-multicollision search for a random fun...

- 1 citation: Birthday paradox for multicollisions. IEICE Transactions, 91-A(1):39–45, 2008. A Details on the triangulation algorithm. The idea of the triangulation algorithm is to express all internal transformations as a set of equations. In a cipher the variables ar (Suzuki, Tonien, et al.)
  Citation context: ...$P) \oplus E_{K \oplus \Delta K}(P \oplus \Delta P)$ is a xor of two permutations. Patarin in [20] has shown that the xor of two random permutations can not be distinguished from a pseudo-random function with less than $2^n$ queries. In [22] it was proven that q-multicollision search for a random function requires at least $(q!)^{1/q} \cdot 2^{\frac{q-1}{q} n}$ effort. In our case we can not use this result since it assumes that $\Delta K$ and $\Delta P$ are fixed in advan...