Experimental Verification of Super-Sbox Analysis — Confirmation of Detailed Attack Complexity
This paper implements the super-sbox analysis on 8-round AES proposed by Gilbert and Peyrin in order to verify its correctness and the attack cost. The attack consists of three parts; the first outbound phase, inbound phase with a super-sbox technique, and the second outbound phase. Gilbert and Peyrin estimated that the attack would require 248 computational cost and 232 memory, which could be feasible but not easy to practically implement. In this research, we first analyze the relationship among memory, computational cost, and the number of solutions in the inbound phase, and then show that the tradeoff exists for the super-sbox analysis. With this tradeoff, we implement the attack for each of the outbound phase independently so that the cost for the entire attack can be estimated by the experiments. As a result of our experiment, we show that the computational cost to obtain a pair of values satisfying the inbound phase is approximately 4 times higher and the freedom degrees are 4 times smaller than the previous estimation, which indicates that applying the super-sbox analysis is harder than expected.
Keywordssuper-sbox analysis time-memory tradeoff AES AES based hash
Unable to display preview. Download preview PDF.
- 3.U.S. Department of Commerce, National Institute of Standards and Technology: Federal Register Vol. 72(212) (November 2, 2007) Notices (2007) http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
- 4.U.S. Department of Commerce, National Institute of Standards and Technology: Specification for the ADVANCED ENCRYPTION STANDARD (AES) (Federal Information Processing Standards Publication 197) (2001)Google Scholar
- 6.Rijmen, V., Barreto, P.S.L.M.: The WHIRLPOOL hashing function. Submitted to NISSIE (September 2000)Google Scholar
- 7.Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl addendum. Submission to NIST (updated) (2009)Google Scholar
- 8.Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 proposal: ECHO. Submission to NIST (updated) (2009)Google Scholar
- 9.Biham, E., Dunkelman, O.: The SHAvite-3 hash function. Submission to NIST (Round 2) (2009)Google Scholar
- 12.Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16–35. Springer, Heidelberg (2009)CrossRefGoogle Scholar
- 16.Naya-Plasencia, M.: Scrutinizing rebound attacks: new algorithms for improving the complexities. Cryptology ePrint Archive, Report 2010/607 (2010), http://eprint.iacr.org/2010/607
- 19.Peyrin, T.: Improved cryptanalysis of ECHO and Grøstl. Cryptology ePrint Archive, Report 2010/223 (2010), http://eprint.iacr.org/2010/223 Full version of CRYPTO 2010