Meet-in-the-middle attacks on AES with value constraints

Designs, Codes and Cryptography

Abstract

In meet-in-the-middle (MITM) attacks, the size of the precomputation table largely determines the effectiveness of the attack. In this paper, value constraints are introduced to reduce the size of the precomputation table in MITM attacks on AES. Based on a differential property of linear combinations of multiple S-boxes, value constraints on the input or output of four and five rounds of AES are explored. With these value constraints, a method of setting up non-linear equations is proposed that reduces the size of the precomputation table by decreasing the number of byte parameters. Compared with existing results, the table sizes are reduced by a factor of \(2^8\), \(2^{16}\), or \(2^{24}\). Finally, several attacks are improved with lower time and memory complexities.



Data Availability

No new data were generated or analyzed in support of this research.

References

  1. Bao Z., Guo J., List E.: Extended truncated-differential distinguishers on round-reduced AES. IACR Trans. Symmetric Cryptol. 2020(3), 197–261 (2020).

  2. Bar-On A., Dunkelman O., Keller N., Ronen E., Shamir A.: Improved key recovery attacks on reduced-round AES with practical data and memory complexities. J. Cryptol. 33(3), 1003–1043 (2020).

  3. Bardeh N., Rijmen V.: New key-recovery attack on reduced-round AES. IACR Trans. Symmetric Cryptol. 2022(2), 43–62 (2022).

  4. Bardeh N., Rønjom S.: The exchange attack: how to distinguish 6 rounds of AES with \(2^{88}\) chosen plaintexts. ASIACRYPT 2019. LNCS, vol. 11923, pp. 347–370. Springer, Heidelberg (2019).

  5. Biham E., Keller N.: Cryptanalysis of reduced variants of Rijndael. AES Conference (2000).

  6. Biryukov A.: The boomerang attack on 5 and 6-round reduced AES. AES 2004. LNCS, vol. 3373, pp. 11–15. Springer, Heidelberg (2005).

  7. Bogdanov A., Khovratovich D., Rechberger C.: Biclique cryptanalysis of the full AES. ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011).

  8. Bouillaguet C., Derbez P., Dunkelman O., Fouque P.-A., Keller N., Rijmen V.: Low-data complexity attacks on AES. IEEE Trans. Inf. Theory 58(11), 7002–7017 (2012).

  9. Boura C., Canteaut A., Coggia D.: A general proof framework for recent AES distinguishers. IACR Trans. Symmetric Cryptol. 2019(1), 170–191 (2019).

  10. Cheon J.H., Kim M., Kim K., Jung-Yeun L., Kang S.: Improved impossible differential cryptanalysis of Rijndael and Crypton. ICISC 2001. LNCS, vol. 2288, pp. 39–49. Springer, Heidelberg (2002).

  11. Daemen J., Knudsen L., Rijmen V.: The block cipher SQUARE. In: Biham E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Berlin (1997).

  12. Daemen J., Rijmen V.: AES proposal: Rijndael. First Advanced Encryption Standard (AES) Conference (1998).

  13. Demirci H., Selçuk A.A.: A meet-in-the-middle attack on 8-round AES. FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008).

  14. Demirci H., Selçuk A.A., Türe E.: A new meet-in-the-middle attack on the IDEA block cipher. SAC 2003. LNCS, vol. 3006, pp. 117–129. Springer, Heidelberg (2004).

  15. Demirci H., Taşkın I., Çoban M., Baysal A.: Improved meet-in-the-middle attacks on AES. INDOCRYPT 2009. LNCS, vol. 5922, pp. 144–156. Springer, Heidelberg (2009).

  16. Derbez P., Fouque P.-A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014).

  17. Derbez P., Fouque P.-A., Jean J.: Improved key recovery attacks on reduced-round AES in the single-key setting. EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013).

  18. Diffie W., Hellman M.E.: Special feature exhaustive cryptanalysis of the NBS Data Encryption Standard. Computer 10, 74–84 (1977).

  19. Dong X., Li L., Jia K., Wang X.: Improved attacks on reduced-round Camellia-128/192/256. CT-RSA 2015. LNCS, vol. 9048, pp. 59–83. Springer, Heidelberg (2015).

  20. Dunkelman O., Keller N., Shamir A.: Improved single-key attacks on 8-round AES-192 and AES-256. ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010).

  21. Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D., Whiting D.: Improved cryptanalysis of Rijndael. FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001).

  22. Gilbert H., Minier M.: A collision attack on 7 rounds of Rijndael. AES Candidate Conference, pp. 230–241 (2000).

  23. Grassi L.: Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES. IACR Trans. Symmetric Cryptol. 2018(2), 133–160 (2018).

  24. Grassi L., Rechberger C., Rønjom S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016).

  25. Grassi L., Rechberger C., Rønjom S.: A new structural-differential property of 5-round AES. EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017).

  26. Gilbert H., Peyrin T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010).

  27. Grassi L., Schofnegger M.: Mixture integral attacks on reduced-round AES with a known/secret S-box. INDOCRYPT 2020. LNCS, vol. 12578, pp. 312–331. Springer, Heidelberg (2020).

  28. Li L., Jia K., Wang X.: Improved single-key attacks on 9-round AES-192/256. FSE 2014. LNCS, vol. 8540, pp. 127–146. Springer, Heidelberg (2015).

  29. Lu J.: Cryptanalysis of block ciphers. Doctoral Dissertation, Royal Holloway University of London, pp. 15–104 (2015).

  30. Lu J., Dunkelman O., Keller N., Kim J.-S.: New impossible differential attacks on AES. INDOCRYPT 2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008).

  31. Mala H., Dakhilalian M., Rijmen V., Modarres-Hashemi M.: Improved impossible differential cryptanalysis of 7-round AES-128. INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010).

  32. Rønjom S., Bardeh N.G., Helleseth T.: Yoyo tricks with AES. ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017).

  33. Sun B., Liu M., Guo J., Qu L., Rijmen V.: New insights on AES-like SPN ciphers. CRYPTO 2016. LNCS, vol. 9814, pp. 605–624. Springer, Heidelberg (2016).

  34. Tiessen T.: Polytopic cryptanalysis. EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016).

  35. Zhang W., Wu W., Feng D.: New results on impossible differential cryptanalysis of reduced AES. ICISC 2007. LNCS, vol. 4817, pp. 239–250. Springer, Heidelberg (2007).


Acknowledgements

This work was supported by National Natural Science Foundation of China [Grant Nos. 62302285, 62372370, 62002288] and Key Research and Development Program of Shaanxi [Grant No. 2023-YBGY-015].


Correspondence to Xiaoli Dong.

Additional information

Communicated by M. Naya-Plasencia.


Appendices

A Special cases for Property 2 and Property 3 about S-boxes

Property 2 has one special case. When \(\Delta _{in}^{0,0}=\Delta _{in}^{1,0}=\Delta _{in}^{0}\) and \(\Delta _{in}^{0,1}=\Delta _{in}^{1,1}=\Delta _{in}^{1}\), it degenerates into the differential problem of a single S-box, and Corollary 1 follows.

Corollary 1

Given four non-zero differences \(\Delta _{in}^{0}, \Delta _{in}^{1}, \Delta _{out}^0\), and \(\Delta _{out}^1\) in \({GF(2^8)}\),

$$\begin{aligned} \left[ {\begin{array}{*{20}{c}} {{a_{0,0}}}&{}{{a_{0,1}}}\\ {{a_{1,0}}}&{}{{a_{1,1}}} \end{array}} \right] \left[ \begin{array}{l} S({x_0}) \oplus S({x_0} \oplus \Delta _{in}^0)\\ S({x_1}) \oplus S({x_1} \oplus \Delta _{in}^1) \end{array} \right] = \left[ \begin{array}{l} \Delta _{out}^0\\ \Delta _{out}^1 \end{array} \right] \end{aligned}$$

has one solution \((x_0, x_1)\) on average, where \(a_{0,0},a_{0,1},a_{1,0}, a_{1,1}\in {GF(2^8)}\) are fixed coefficients. This property also applies to \({S^{ - 1}}\).

For Property 3, a similar conclusion can be obtained.

Corollary 2

Given \((t^2+t)\) non-zero differences \(\Delta _{in}^{i,j},\Delta _{out}^j \in {GF(2^8)}~ (i = 0,1, \cdots ,t - 1; j = 0,1, \cdots ,t - 1; t\in \{1,2,3,4\})\),

$$\begin{aligned} \left[ {\begin{array}{*{20}{c}} {{a_{0,0}}}&{}{{a_{0,1}}}&{} \cdots &{}{{a_{0,(t - 1)}}}\\ {{a_{1,0}}}&{}{{a_{1,1}}}&{} \cdots &{}{{a_{1,(t - 1)}}}\\ \cdots &{} \cdots &{} \cdots &{} \cdots \\ {{a_{(t - 1),0}}}&{}{{a_{(t - 1),1}}}&{} \cdots &{}{{a_{(t - 1),(t - 1)}}} \end{array}} \right] \left[ \begin{array}{l} ~~~S({x_0}) \oplus S({x_0} \oplus \Delta _{in}^0)\\ ~~~S({x_1}) \oplus S({x_1} \oplus \Delta _{in}^1)\\ ~~~~~~~~~~\cdots \\ S({x_{t - 1}}) \oplus S({x_{t - 1}} \oplus \Delta _{in}^{t - 1}) \end{array} \right] = \left[ \begin{array}{l} \Delta _{out}^0\\ \Delta _{out}^1\\ ~\cdots \\ \Delta _{out}^{t-1} \end{array} \right] \end{aligned}$$

has one solution \((x_0,x_1,\cdots ,x_{t-1})\) on average, where each \({a_{i,j}} \in {GF(2^8)}\) is a fixed coefficient. This property also applies to \({S^{ - 1}}\).
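To make the counting argument behind Corollary 1 (the \(t=2\) case of Corollary 2) concrete, the following added example, which is not code from the paper, checks it on the real AES S-box: it counts solutions \((x_0,x_1)\) of the \(2\times 2\) system both by exhaustion and through the DDT after inverting the coefficient matrix, and shows that the mean over all output differences is exactly one. The coefficient matrix \(A\) and the input differences used in the demo are assumptions (two MixColumns coefficients), not values from the paper.

```python
"""Corollary 1 on the AES S-box: a 2x2 system of GF(2^8)-linear combinations of
S-box output differences has one solution (x0, x1) on average. Added example,
not code from the paper; the demo matrix A = [[02,03],[01,02]] is an assumption."""
from collections import Counter
from itertools import product

def gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); 0 maps to 0, as in SubBytes."""
    return next((y for y in range(1, 256) if gmul(a, y) == 1), 0) if a else 0

def _aes_sbox() -> list:
    """Build the AES S-box from its definition: field inversion, then the affine map."""
    box = []
    for x in range(256):
        b = ginv(x)
        s = b
        for k in range(1, 5):                      # b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _aes_sbox()

def ddt_row(din: int) -> list:
    """row[u] = number of x with S(x) ^ S(x ^ din) = u (one row of the DDT)."""
    row = [0] * 256
    for x in range(256):
        row[SBOX[x] ^ SBOX[x ^ din]] += 1
    return row

def solutions_brute(A, din, dout) -> int:
    """Count pairs (x0, x1) satisfying the system of Corollary 1 by exhaustion."""
    (a00, a01), (a10, a11) = A
    left = [(gmul(a00, SBOX[x] ^ SBOX[x ^ din[0]]),
             gmul(a10, SBOX[x] ^ SBOX[x ^ din[0]])) for x in range(256)]
    right = [(gmul(a01, SBOX[x] ^ SBOX[x ^ din[1]]),
              gmul(a11, SBOX[x] ^ SBOX[x ^ din[1]])) for x in range(256)]
    target = tuple(dout)
    return sum(1 for l0, l1 in left for r0, r1 in right if (l0 ^ r0, l1 ^ r1) == target)

def solutions_via_ddt(A, din, dout) -> int:
    """Same count via the reasoning behind the corollary: invert A over GF(2^8) so
    each row becomes a single-S-box equation, then multiply the two DDT entries."""
    (a00, a01), (a10, a11) = A
    det = gmul(a00, a11) ^ gmul(a01, a10)
    if det == 0:
        raise ValueError("coefficient matrix must be invertible")
    idet = ginv(det)
    u = gmul(idet, gmul(a11, dout[0]) ^ gmul(a01, dout[1]))   # required output diff of S(x0)
    v = gmul(idet, gmul(a10, dout[0]) ^ gmul(a00, dout[1]))   # required output diff of S(x1)
    return ddt_row(din[0])[u] * ddt_row(din[1])[v]

def solution_histogram(A, din):
    """Distribution of solution counts over all 2^16 output pairs (dout0, dout1), and
    the mean. With A invertible, (x0, x1) -> dout maps 2^16 inputs onto 2^16 outputs,
    so the mean is exactly 1; the histogram shows how unevenly solutions are spread."""
    r0, r1 = ddt_row(din[0]), ddt_row(din[1])
    hist = Counter(r0[u] * r1[v] for u, v in product(range(256), repeat=2))
    mean = sum(c * n for c, n in hist.items()) / 65536
    return dict(hist), mean

if __name__ == "__main__":
    A = ((0x02, 0x03), (0x01, 0x02))     # assumed demo coefficients (MixColumns entries)
    din = (0x01, 0x80)                   # constructed non-zero input differences
    print(solutions_brute(A, din, (0x3A, 0x5C)), solutions_via_ddt(A, din, (0x3A, 0x5C)))
    print(solution_histogram(A, din))
```

For the AES S-box every non-zero input difference has one output difference with 4 solutions and 126 with 2, so the counts per output pair are 0, 4, 8 or 16, while their mean is still exactly 1.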

B Improvements on GDS attacks with value constraints

DS attacks on 7-round and 8-round AES-192 with value constraints are studied in Sect. 4.1. At FSE 2014, Derbez et al. proposed GDS attacks on 7-round AES-128 and 9-round AES-256 with practical data complexities. In this section, these GDS attacks are revisited with value constraints. Only the conclusions are given, since the details are similar to those in Sect. 4.1.

B.1 An attack on 7-round AES-128

Fig. 11 Attacks on 7-round AES-128/192/256. Black bytes stand for non-zero differences. White bytes stand for zero differences. Gray bytes play no role. Bytes in circles denote a 2-byte constraint: when \(X_1^0[0]||X_1^1[0]||X_1^2[0] = 0||1||2\), \(e_{pre}^1 \oplus e_{pre}^0 = CON\) and \(e_{pre}^2 \oplus e_{pre}^0 = CON\).

We first review the property of four AES rounds from [16], which uses a generalized sequence built on the equation \(03 \cdot \Delta {Z_4}[8] \oplus \Delta {Z_4}[9] \oplus 02 \cdot \Delta {Z_4}[10] = \Delta {X_5}[8] \oplus \Delta {X_5}[9]\). Let \(e_{pre}=03 \cdot {Z_4}[8] \oplus {Z_4}[9] \oplus 02 \cdot {Z_4}[10]\) and \(e_{on}={X_5}[8] \oplus {X_5}[9]\).

Proposition 5

(4-round GDS property [16]) Let \(\{ X_1^0, X_1^1, \cdots , X_1^{255}\} \) be a \(\delta \)-set where the active byte is \(X_1[0]\) and \(X_1^{i}[0]=i~( i=0,1,\cdots ,255)\). Consider the encryption of the \(\delta \)-set through four AES rounds (see the dotted box without circles in Fig. 11); then the sequence \((e_{pre}^1\oplus e_{pre}^0, e_{pre}^2\oplus e_{pre}^0, \cdots , e_{pre}^{255}\oplus e_{pre}^0)\) takes about \({2^{19 \times 8}}\) values, which are determined by the 19 parameters \(B_{pre}[{4 \hbox {-} round}~GDS] = {X_2^0}[col(0)]||{X_3^0}[SR^{-1}(col(0,2,3))]||{K_3}[2;8;13]\).

For the four AES rounds in Proposition 5, if a 2-byte constraint is added, the 19 parameters \(B_{pre}[{4 \hbox {-} round}~GDS]\) can be reduced to \(19-2=17\) parameters \(B^{constraint}_{pre}[{4 \hbox {-} round}~GDS]\), as follows.

Observation 4

(4-round GDS property with a 2-byte constraint) In Proposition 5, if the outputs of a tuple \((X_1^0,X_1^1,X_1^2)\) of the \(\delta \)-set conform to

$$\begin{aligned} \hbox {a 2-byte constraint:} \left\{ \begin{array}{l} e_{pre}^1 \oplus e_{pre}^0 =CON, \\ e_{pre}^2 \oplus e_{pre}^0 = CON, \end{array} \right. \end{aligned}$$

which is depicted in the dotted box of Fig. 11, then we have

$$\begin{aligned}B^{constraint}_{pre}[{4 \hbox {-} round}~GDS] = {X_2^0}[col(0)]||{X_3^0}[SR^{-1}(col(0,2,3))]||{K_3}[2].\end{aligned}$$

Attack 4: An attack on 7-round AES-128 based on Observation 4.

We apply four AES rounds with a 2-byte value constraint to attack 7-round AES-128 by adding one round at the beginning and two rounds at the end (see Fig. 11). This attack is similar to Attack 1 in Sect. 4.1.2.

In the precomputation phase based on Observation 4, we have \(B^{constraint}_{pre}[{4 \hbox {-} round}~GDS] = {X_2^0}[col(0)]||{K_3}[2]|| {X_3^0}[SR^{-1}(col(0,2,3))]\). Thus, in order to compute and store all possible values of the 29-byte sequence with the 17-byte \(B^{constraint}_{pre}[{4 \hbox {-} round}~GDS]\), the \(\mathrm TIME_{pre}\) is \(29\times 2^{8\times 17}\times 1.25/7\approx 2^{138.4}\) encryptions, and the MEMORY is \(29\times 2^{8\times 17}/16\approx 2^{137}\) 16-byte blocks.

In the online phase for attacking 7-round AES-128 with the key schedule \({KS_6}[SR(col(1,2))]\Rightarrow {KS_5}[5,8]\), we have \({K_{on}} {=} {K_{-1}}[SR^{-1}(col(0))]||{K_0}[0]||{KS_6}[SR(col(1,2))]\).

In Phase A for detecting the right triplet, the time complexity is \(2^{8}\times 2^{8\times 13}= 2^{112}\) memory accesses, which is equal to about \(2^{104}\) encryptions. In Phase B for checking the \(\delta \)-set, the time complexity is \(32 \times 2^{8\times 13}\times 1/7\approx 2^{106.4}\) encryptions with 13-byte \(K_{on}\). Thus, the \(\mathrm TIME_{on}\) is \(2^{106.4}\) encryptions.

All in all, the DATA is \(2^{32}\) chosen plaintexts, the MEMORY is \(2^{137}\) AES blocks, and the TIME (including \(\mathrm TIME_{pre}\) and \(\mathrm TIME_{on}\)) is \(2^{138.4}+2^{106.4}\approx 2^{138.4}\) encryptions.

One structure of \(2^{32}\) chosen plaintexts can be divided into \(2^{24}\) \(\delta \)-sets. However, only \(2^{24}\times 2^{-8}\times 2^{-8}=2^8\) \(\delta \)-sets remain under the constraints \(e_{on}^1 \oplus e_{on}^0 =CON\) and \(e_{on}^2 \oplus e_{on}^0 =CON\). Thus, after Demirci-Selçuk's TMD tradeoff [13], the DATA is \(\max(2^8 \times 2^{16+8}, 2^8 \times 2^{16+n}) = \max(2^{32},2^{24+n})\) chosen plaintexts, the MEMORY is \(2^{137-n}\) AES blocks, and the TIME is \(2^{138.4-n}+2^{106.4+n}\) encryptions. When \(n=16\), the DATA is \(2^{40}\) chosen plaintexts, the MEMORY is \(2^{121}\) AES blocks, and the TIME is \(2^{123.4}\) encryptions.

Attack 5: An attack on 7-round AES-256 based on Observation 4.

The attack on 7-round AES-128 described in Attack 4 can also be applied to AES-256. But since \(KS_5\) and \(KS_6\) are independent in that case, the TIME is increased by a factor of \(2^{16}\). After Demirci-Selçuk's TMD tradeoff [13], the DATA is \(\max(2^8 \times 2^{16+8}, 2^8 \times 2^{16+n}) = \max(2^{32},2^{24+n})\) chosen plaintexts, the MEMORY is \(2^{137-n}\) AES blocks, and the TIME is \(2^{138.4-n}+2^{122.4+n}\) encryptions. When \(n=8\), the DATA is \(2^{32}\) chosen plaintexts, the MEMORY is \(2^{129}\) AES blocks, and the TIME is \(2^{131.4}\) encryptions.

Attack 6: An attack on 7-round AES-192 based on Observation 4.

The attack on 7-round AES-192 is similar to the case of 7-round AES-128, except for the different attack path [16] and the fact that only a 1-byte subkey can be deduced from the other known subkeys. After Demirci-Selçuk's TMD tradeoff [13], the DATA is \(\max(2^8 \times 2^{16+8}, 2^8 \times 2^{16+n})=\max(2^{32},2^{24+n})\) chosen plaintexts, the MEMORY is \(2^{137-n}\) AES blocks, and the TIME is \(2^{138.4-n}+2^{114.4+n}\) encryptions. When \(n=12\), the DATA is \(2^{36}\) chosen plaintexts, the MEMORY is \(2^{125}\) AES blocks, and the TIME is \(2^{127.4}\) encryptions.

B.2 An attack on 9-round AES-256

We first review the property of five AES rounds from [16], which uses a generalized sequence built on the equation \(07 \cdot \Delta {Z_5}[8] \oplus 07 \cdot \Delta {Z_5}[9] \oplus 02 \cdot \Delta {Z_5}[11] = 03 \cdot \Delta {X_6}[8] \oplus \Delta {X_6}[9]\). Let \(e_{pre}=07 \cdot {Z_5}[8] \oplus 07 \cdot {Z_5}[9] \oplus 02 \cdot {Z_5}[11]\) and \(e_{on}=03 \cdot {X_6}[8] \oplus {X_6}[9]\).

Proposition 6

(5-round \(\mathrm GDS_{256}\) property [16]) Let \(\{ W_0^0, W_0^1, \cdots ,W_0^{255}\} \) be a \(\delta \)-set where the active byte is \(W_0[1]\) and \(W_0^{i}[1]=i~ (i=0,1,\cdots ,255)\). Consider the encryption of the \(\delta \)-set through five AES rounds (see the dotted box without circles in Fig. 12); then the sequence \(( e_{pre}^1\oplus e_{pre}^0, e_{pre}^2\oplus e_{pre}^0, \cdots ,e_{pre}^{255}\oplus e_{pre}^0)\) takes about \({2^{35 \times 8}}\) values, which are determined by the 35 parameters \(B_{pre}[{5 \hbox {-} round}~GDS] = {X_2^0}[col(3)]||X_3^0||{X_4^0}[SR^{-1}(col(0,2,3))]||{K_4}[1;11;12]\).

Fig. 12 An attack on 9-round AES-256. Black bytes stand for non-zero differences. White bytes stand for zero differences. Gray bytes play no role. Bytes in circles denote a 2-byte constraint: when \(W_0^0[1]||W_0^1[1]||W_0^2[1] = 0||1||2\), \(e_{pre}^1 \oplus e_{pre}^0 = CON\) and \(e_{pre}^2 \oplus e_{pre}^0 = CON\).

For the five full AES rounds in Proposition 6, if a 2-byte constraint is added, the 35 parameters \(B_{pre}[{5 \hbox {-} round}~GDS]\) can be reduced to \(35-2=33\) parameters \(B^{constraint}_{pre}[{5 \hbox {-} round}~GDS]\), as follows.

Observation 5

(5-round \(\mathrm GDS_{256}\) property with a 2-byte constraint) In Proposition 6, if the outputs of a tuple \((W_0^0,W_0^1,W_0^2)\) of the \(\delta \)-set conform to

$$\begin{aligned} \hbox {a 2-byte constraint:} \left\{ \begin{array}{l} e_{pre}^1 \oplus e_{pre}^0 =CON, \\ e_{pre}^2 \oplus e_{pre}^0 = CON, \end{array} \right. \end{aligned}$$

which is depicted in the dotted box of Fig. 12, then we have

$$\begin{aligned}B^{constraint}_{pre}[{5 \hbox {-} round}~GDS] = {X_2^0}[col(3)]||X_3^0||{X_4^0}[SR^{-1}(col(0,2,3))]||{K_4}[1].\end{aligned}$$

Attack 7: An Attack on 9-round AES-256 based on Observation 5.

We apply five AES rounds with a 2-byte value constraint to attack 9-round AES-256 by adding one round at the beginning and three rounds at the end (see Fig. 12). This attack is similar to Attack 1 in Sect. 4.1.2.

In the precomputation phase based on Observation 5, we have \(B^{constraint}_{pre}[{5 \hbox {-} round}~GDS] = {X_2^0}[col(3)]||X_3^0|| {X_4^0}[SR^{-1}(col(0,2,3))]||{KS_4}[1]\). Thus, in order to compute and store all possible values of the 29-byte sequence with the 33-byte \(B^{constraint}_{pre}[{5 \hbox {-} round}~GDS]\), the \(\mathrm TIME_{pre}\) is \(29\times 2^{8\times 33}\times 2/9\approx 2^{266.8}\) encryptions, and the MEMORY is \(29\times 2^{8\times 33}/16 \approx 2^{265}\) 16-byte blocks for the 29-byte sequence.

In the online phase for attacking 9-round AES-256 with the key schedule \({K_8}\Rightarrow {KS_6}[9,12]\), we have \({K_{on}} = {K_{-1}}[SR^{-1}(col(0))]||{KS_7}[SR(col(2,3))]||{K_8}\). In Phase A for detecting the right triplet such that \(e_{on}^1 \oplus e_{on}^0 =CON\) and \(e_{on}^2 \oplus e_{on}^0 =CON\) for each \(K_{on}\), the time complexity is about \(2^8\times 2^{8\times 28}=2^{232}\) memory accesses, which is equal to about \(2^{224}\) encryptions. In Phase B for checking the \(\delta \)-set, the time complexity is about \(32\times 2^{8\times 28}\times 2/9=2^{226.8}\) encryptions with 28-byte \(K_{on}\). Thus, the \(\mathrm TIME_{on}\) is \(2^{226.8}\) encryptions.

All in all, the DATA is \(2^{32}\) chosen plaintexts, the MEMORY is \(2^{265}\) AES blocks, and the TIME (including \(\mathrm TIME_{pre}\) and \(\mathrm TIME_{on}\)) is \(2^{266.8}+2^{226.8}\) encryptions.

After Demirci-Selçuk’s TMD tradeoff [13], the DATA is \(max({2^{32},2^{24+n}})\) chosen plaintexts, the MEMORY is \(2^{265-n}\) AES blocks, and the TIME is \(2^{266.8-n}+2^{226.8+n}\) encryptions. When \(n=20\), the DATA is \(2^{44}\) chosen plaintexts, the MEMORY is \(2^{245}\) AES blocks, and the TIME is \(2^{247.8}\) encryptions.

C Improvements on another TDC attack with value constraints

A TDC attack on 9-round AES-192 with value constraints is studied in Sect. 4.2. In this section, another TDC attack, on 9-round AES-256 with value constraints, is discussed. Only the conclusions are given, since the details are similar to those in Sect. 4.2.

Fig. 13 An attack on 9-round AES-256. Black bytes stand for non-zero differences. White bytes stand for zero differences. Bytes in circles denote a \((2, n_0n_1)\) constraint: \(\Delta {X_1}[1]\in \{ CON_{in}^0,CON_{in}^1, \cdots ,CON_{in}^{{n_0-1}}\}\), \(\Delta {W_5}[12] \in \{ CON_{out}^0,CON_{out}^1, \cdots ,CON_{out}^{{n_1-1}}\}\).

Proposition 7 gives the property of five AES rounds under 256 key bits in DS attacks.

Proposition 7

(5-round \(\mathrm DS _{256}\) property [17]) Let \(\{ W_0^0,W_0^1, \cdots , W_0^{255}\} \) be a \(\delta \)-set where the active byte is \(W_0[1]\) and \(W_0^{i}[1]=i~ (i=0,1,\cdots ,255)\). Consider the encryption of the \(\delta \)-set through five AES rounds under 256 key bits (see the dotted box without circles in Fig. 13); then the ordered sequence \((W_{5}^1[12] \oplus W_{5}[12], W_{5}^2[12]\oplus W_{5}[12], \cdots ,W_{5}^{255}[12]\oplus W_{5}[12])\) takes about \({2^{40 \times 8}}\) values, which are determined by the 40 parameters \(B_{pre}[{5 \hbox {-} round}~DS_{256}]= {X_2}[col(3)]||{X_3}||X_4||X_5[S{R^{ - 1}}(col(3))]\).

Proposition 8 gives the property of five AES rounds under 256 key bits in TDC attacks.

Proposition 8

(5-round \(\mathrm TDC _{256}\) property [17]) In Proposition 7, if a pair \((W_0,W_0^{\prime })\) of the \(\delta \)-set conforms to a TDC (see the dotted box without circles in Fig. 13), then we have \(B_{pre}[{5 \hbox {-} round}~TDC_{256}]=\Delta {X_1}[1]||{X_1}[1]||{X_2}[col(3)]|| {X_3}||{X_4}[0;4;8]||{X_5}[12].\)

For the five AES rounds under 256 key bits in Proposition 8, when the input difference \(\Delta {X_1}[1]\) and the output difference \(\Delta {W_5}[12]\) of the TDC are restricted to \(n_0\) and \(n_1\) fixed constants, respectively, the parameters can be reduced with a (2, \(n_0n_1\)) constraint, as stated in Observation 6. The proof is similar to that of Observation 3.

Observation 6

(5-round \(\mathrm TDC _{256}\) property with a (2, \(n_0n_1\)) constraint) In Proposition 8, if the inputs and outputs of a pair \((W_0,W_0^{\prime })\) of the \(\delta \)-set conform to

$$\begin{aligned} \hbox {a (2, }n_0n_1)\hbox { constraint:} \quad \left\{ \begin{array}{l} \Delta {X_1}[1] \in \{ CON_{in}^0,CON_{in}^1, \cdots ,CON_{in}^{{n_0} - 1}\} ~({n_0} \in \{ 1,2, \cdots ,256\}), \\ \Delta {W_5}[12] \in \{ CON_{out}^0,CON_{out}^1, \cdots ,CON_{out}^{{n_1} - 1}\} ~({n_1} \in \{ 1,2, \cdots ,256\}), \end{array} \right. \end{aligned}$$

which is depicted in the dotted box of Fig. 13, then we have

$$\begin{aligned} B^{constraint}_{pre}[{5 \hbox {-} round}~TDC_{256}] = \bigcup \limits _{\begin{array}{c} \scriptstyle \Delta {X_1}[1] \in \{ CON_{in}^0, \cdots ,CON_{in}^{n_0 - 1}\},\\ \scriptstyle {X_5}[SR^{-1}(col(3))] \in \{ \gamma (CON_{out}^0), \cdots ,\gamma (CON_{out}^{n_1 - 1})\} \end{array}} {X_1}[1]||{X_2}[col(3)]||{X_3}||{X_4}[0;4;8]. \end{aligned}$$

Attack 8: An Attack on 9-round AES-256 based on Observation 6

We apply five AES rounds with a \((2,n_0n_1)\) value constraint to attack 9-round AES-256 by adding one round at the beginning and three rounds at the end (see Fig. 13). The attack is similar to Attack 3 in Sect. 4.2.2.

In the precomputation phase based on Observation 6, we have

$$\begin{aligned} B^{constraint}_{pre}[{5 \hbox {-} round}~TDC_{256}] = \bigcup \limits _{\begin{array}{c} \scriptstyle \Delta {X_1}[1] \in \{ CON_{in}^0, \cdots ,CON_{in}^{n_0 - 1}\},\\ \scriptstyle {X_5}[SR^{-1}(col(3))] \in \{ \gamma (CON_{out}^0), \cdots ,\gamma (CON_{out}^{n_1 - 1})\} \end{array}} {X_1}[1]||{X_2}[col(3)]||{X_3}||{X_4}[0;4;8]. \end{aligned}$$

Thus, in order to compute and store all possible values of the 31-byte sequence with \(n_0\times n_1\times 2^{8\times 24}\) values of \(B^{constraint}_{pre}[{5 \hbox {-} round}~TDC_{256}]\), the \(\mathrm TIME_{pre}\) is \(31\times (n_0 \times n_1\times 2^{8\times 24})\times 2.5/9 \approx 2^{195.1}n_0n_1\) encryptions, and the MEMORY is \(31\times (n_0 \times n_1\times 2^{8\times 24})/16 \approx 2^{192.9}n_0n_1\) 16-byte blocks.

In the online phase for attacking 9-round AES-256 with the key schedule \(K_8 \Rightarrow KS_6[12]\), we have \({K_{on}} = {K_{ - 1}}[SR^{-1}(col(3))]||K{S_7}[SR(col(3))]||{K_8}\). Thus, the \(\mathrm TIME_{on}\) is \(32 \times 2^{8\times 24}\times 1.5/9=2^{194.5}\) encryptions with the 24-byte \(K_{on}\), which is determined by Phase B.

All in all, the DATA is \(2^{129}/(n_0n_1)\) chosen plaintexts, the MEMORY is \(2^{193}n_0n_1\) AES blocks, and the TIME (including \(\mathrm TIME_{pre}\) and \(\mathrm TIME_{on}\)) is \(2^{195.1}n_0n_1+2^{194.5}\) encryptions. When \(n_0n_1=2^2\), the DATA is \(2^{127}\) chosen plaintexts, the MEMORY is \(2^{194.9}\) AES blocks and the TIME is \(2^{197.1}\) encryptions. When \(n_0n_1=2^8\), the DATA is \(2^{121}\) chosen plaintexts, the MEMORY is \(2^{201}\) AES blocks, and the TIME is \(2^{203.1}\) encryptions.

Using the technique in [16], the whole attack can be split into several weak-key attacks according to the relation \(K_3||K_8\Rightarrow K_{-1}[10;15]||K_4[11;12]\), and the memory complexity is reduced by a factor of \(2^{32}\).


Cite this article

Dong, X., Liu, J., Wei, Y. et al. Meet-in-the-middle attacks on AES with value constraints. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01396-9
