ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2021, Vol. 58 ›› Issue (10): 2213-2221.doi: 10.7544/issn1000-1239.2021.20210549

Special Issue: 2021密码学与网络空间安全治理专题

Previous Articles     Next Articles

Key-Recovery Attack on Reduced-Round AES-128 Using the Exchange-Equivalence

Zhang Li, Wu Wenling, Zhang Lei, Zheng Yafei   

  1. (Institute of Software, Chinese Academy of Science, Beijing 100190) (University of Chinese Academy of Sciences, Beijing 100049)
  • Online:2021-10-01
  • Supported by: 
    This work was supported by the National Natural Science Foundation of China (62072445).

Abstract: The advanced encryption standard (AES) is a kind of high-security secret key cryptosystem. It has been widely recognized and used in real life. Since its birth, the research on its security has been the most interesting to cryptographers. At present, it is very difficult to break the full round AES, and the existing analysis methods are difficult to break through the exhaustive search method. So in recent years, researchers have focused on the attacks which can break reduced-round versions of AES, and there are a lot of excellent analysis methods that have emerged, among them, exchange-equivalence attacks, a new cryptanalytic attack technique suitable for SPN-like block cipher designs is widely concerned. Using this technology, researchers have obtained better the secret-key chosen plaintext distinguisher and adaptive chosen ciphertext distinguisher. In this paper, we run through this new technology, based on 5-round adaptive chosen ciphertexts distinguisher on AES, and at the same time, we use a basic property of the Mixcolumns coefficient matrix and a zero difference property to present a new key-recovery attack on 6-round reduced-round AES-128 with a single secret S-Box that requires only 2\+\{51.5\} chosen plaintexts and 2\+\{57.42\} adaptively chosen ciphertexts data complexity and 2\+\{72\} time complexity. In addition, we practically verified our key-recovery attack on a small-scale variant of the AES. The block size of the small-scale AES is 64 bits, and each word is a 4-bit nibble in the state matrix. The experimental result supports our theory. Finally, the results of the current key-recovery attack on 6-round Reduced-Round AES-128 are better than the previously known attack on Reduced-Round AES-128.

Key words: advanced encryption standard (AES), distinguisher, exchange-equivalence attack, key-independent, key-recovery attack

CLC Number: