TY - JOUR
T1 - Low-data complexity attacks on AES
AU - Bouillaguet, Charles
AU - Derbez, Patrick
AU - Dunkelman, Orr
AU - Fouque, Pierre Alain
AU - Keller, Nathan
AU - Rijmen, Vincent
N1 - Funding Information: Manuscript received December 12, 2010; revised July 07, 2011; accepted January 20, 2012. Date of publication August 01, 2012; date of current version October 16, 2012. V. Rijmen was supported in part by the Research Fund K. U. Leuven (OT/08/027), in part by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy), and in part by the European Commission through the ICT programme under Contract ICT-2007-216676 ECRYPT II.
PY - 2012
Y1 - 2012
N2 - The majority of current attacks on reduced-round variants of block ciphers seeks to maximize the number of rounds that can be broken, using less data than the entire codebook and less time than exhaustive key search. In this paper, we pursue a different approach, restricting the data available to the adversary to a few plaintext/ciphertext pairs. We argue that consideration of such attacks (which received little attention in recent years) improves our understanding of the security of block ciphers and of other cryptographic primitives based on block ciphers. In particular, these attacks can be leveraged to more complex attacks, either on the block cipher itself or on other primitives (e.g., stream ciphers, MACs, or hash functions) that use a small number of rounds of the block cipher as one of their components. As a case study, we consider the Advanced Encryption Standard (AES), the most widely used block cipher. The AES round function is used in many cryptographic primitives, such as the hash functions Lane, SHAvite-3, and Vortex or the message authentication codes ALPHA-MAC, Pelican, and Marvin. We present attacks on up to four rounds of AES that require at most three known/chosen plaintexts. We then apply these attacks to cryptanalyze an AES-based stream cipher (which follows the leak extraction methodology), and to mount the best known plaintext attack on six-round AES.
AB - The majority of current attacks on reduced-round variants of block ciphers seeks to maximize the number of rounds that can be broken, using less data than the entire codebook and less time than exhaustive key search. In this paper, we pursue a different approach, restricting the data available to the adversary to a few plaintext/ciphertext pairs. We argue that consideration of such attacks (which received little attention in recent years) improves our understanding of the security of block ciphers and of other cryptographic primitives based on block ciphers. In particular, these attacks can be leveraged to more complex attacks, either on the block cipher itself or on other primitives (e.g., stream ciphers, MACs, or hash functions) that use a small number of rounds of the block cipher as one of their components. As a case study, we consider the Advanced Encryption Standard (AES), the most widely used block cipher. The AES round function is used in many cryptographic primitives, such as the hash functions Lane, SHAvite-3, and Vortex or the message authentication codes ALPHA-MAC, Pelican, and Marvin. We present attacks on up to four rounds of AES that require at most three known/chosen plaintexts. We then apply these attacks to cryptanalyze an AES-based stream cipher (which follows the leak extraction methodology), and to mount the best known plaintext attack on six-round AES.
KW - Advanced Encryption Standard (AES)
KW - cryptanalysis
KW - reflection attacks
KW - slide attacks
UR - http://www.scopus.com/inward/record.url?scp=84867921561&partnerID=8YFLogxK
U2 - https://doi.org/10.1109/TIT.2012.2207880
DO - https://doi.org/10.1109/TIT.2012.2207880
M3 - Article
SN - 0018-9448
VL - 58
SP - 7002
EP - 7017
JO - IEEE Transactions on Information Theory
JF - IEEE Transactions on Information Theory
IS - 11
M1 - 6256730
ER -