ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2021, Vol. 58 ›› Issue (10): 2213-2221.doi: 10.7544/issn1000-1239.2021.20210549

所属专题: 2021密码学与网络空间安全治理专题

• 信息安全 • 上一篇    下一篇



  1. (中国科学院软件研究所 北京 100190) (中国科学院大学 北京 100049) (
  • 出版日期: 2021-10-01
  • 基金资助: 

Key-Recovery Attack on Reduced-Round AES-128 Using the Exchange-Equivalence

Zhang Li, Wu Wenling, Zhang Lei, Zheng Yafei   

  1. (Institute of Software, Chinese Academy of Science, Beijing 100190) (University of Chinese Academy of Sciences, Beijing 100049)
  • Online: 2021-10-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (62072445).

摘要: 高级加密标准(advanced encryption standard, AES)是一种高安全性的密钥加密系统,在实际生活中受到了多方面认可及使用,自它诞生以来对于它的安全性问题的研究一直是密码学者最感兴趣的.目前对全轮的AES的攻击难度非常大,现有分析方法难以突破穷举搜索方法.朝着突破全轮AES的方向努力,近些年来研究人员十分关注对于缩减轮版本的AES攻击,并且已经涌现了许多优秀的分析方法,其中交换等价攻击——一种新的适合于类SPN分组密码设计的密码分析攻击技术广受关注.研究人员利用该技术得到了比以往更好的秘密密钥选择明文区分器和自适应选择密文区分器.使用了这一新技术,基于AES的5轮自适应选择密文区分器,在恢复密钥时利用了AES加密算法列混合变换系数矩阵的基本性质和0差分性质,提出了一种带有秘密S盒的6轮缩减轮AES-128的密钥恢复攻击,该攻击只要求2\+\{51.5\}选择明文和2\+\{57.42\}自适应选择密文的数据复杂度以及2\+\{72\}时间复杂度.此外,一个小版本AES上的实验验证了提出的密钥恢复攻击.该版本AES块大小为64b,在状态中的每一个字是4b半字节,该实验结果也支持了该研究的理论.最后,当前的对6轮缩减轮AES-128密钥恢复攻击结果比已有的对缩减轮AES-128的密钥恢复攻击结果更优.

关键词: 高级加密标准, 区分器, 交换等价攻击, 密钥独立, 密钥恢复攻击

Abstract: The advanced encryption standard (AES) is a kind of high-security secret key cryptosystem. It has been widely recognized and used in real life. Since its birth, the research on its security has been the most interesting to cryptographers. At present, it is very difficult to break the full round AES, and the existing analysis methods are difficult to break through the exhaustive search method. So in recent years, researchers have focused on the attacks which can break reduced-round versions of AES, and there are a lot of excellent analysis methods that have emerged, among them, exchange-equivalence attacks, a new cryptanalytic attack technique suitable for SPN-like block cipher designs is widely concerned. Using this technology, researchers have obtained better the secret-key chosen plaintext distinguisher and adaptive chosen ciphertext distinguisher. In this paper, we run through this new technology, based on 5-round adaptive chosen ciphertexts distinguisher on AES, and at the same time, we use a basic property of the Mixcolumns coefficient matrix and a zero difference property to present a new key-recovery attack on 6-round reduced-round AES-128 with a single secret S-Box that requires only 2\+\{51.5\} chosen plaintexts and 2\+\{57.42\} adaptively chosen ciphertexts data complexity and 2\+\{72\} time complexity. In addition, we practically verified our key-recovery attack on a small-scale variant of the AES. The block size of the small-scale AES is 64 bits, and each word is a 4-bit nibble in the state matrix. The experimental result supports our theory. Finally, the results of the current key-recovery attack on 6-round Reduced-Round AES-128 are better than the previously known attack on Reduced-Round AES-128.

Key words: advanced encryption standard (AES), distinguisher, exchange-equivalence attack, key-independent, key-recovery attack