# Towards Key-Dependent Integral and Impossible Differential Distinguishers on 5-Round AES

## Abstract

Reduced-round AES has been a popular underlying primitive for designing new cryptographic schemes, and thus its security, including its distinguishing properties, deserves more attention. At Crypto’16, a key-dependent integral distinguisher on 5-round AES was put forward, which opened up a new direction for gaining insight into the distinguishing properties of AES. After that, two key-dependent impossible differential (ID) distinguishers on 5-round AES were proposed at FSE’16 and CT-RSA’18, respectively. It is strange that the current key-dependent integral distinguisher requires significantly higher complexities than the key-dependent ID distinguishers (\(2^{128} \gg 2^{98.2}\)), even though they are constructed with the same property of MixColumns. Proposers of the 5-round key-dependent distinguishers claimed that the corresponding integral and ID distinguishers can only work under chosen-ciphertext and chosen-plaintext settings, respectively, which is very different from the situation of traditional key-independent distinguishers.

In this paper, we first construct a novel key-dependent integral distinguisher on 5-round AES with \(2^{96}\) chosen plaintexts, which is much better than the previous key-dependent integral distinguisher proposed at Crypto’16, which requires the full codebook. Secondly, we show that both distinguishers are valid under either the chosen-plaintext setting or the chosen-ciphertext setting, which differs from the claims of previous cryptanalysis. However, under different settings, the complexities of the key-dependent integral distinguishers are very different, while those of the key-dependent ID distinguishers are almost the same. We analyze the reasons for this.

## Keywords

AES, Key-dependent, Integral, Impossible differential

## Notes

### Acknowledgement

The authors thank the anonymous SAC 2018 reviewers for careful reading and many helpful comments. This work is supported by National Natural Science Foundation of China (Grant No. 61572293), Key Science Technology Project of Shandong Province (Grant No. 2015GGX101046), and Chinese Major Program of National Cryptography Development Foundation (Grant No. MMJJ2017012).
