Funding: Supported by the National Natural Science Foundation of China (Grant No. 60673072) and the National Basic Research Program of China (Grant No. 2007CB311201).
Abstract: In this paper, we examine the security of reduced AES-192 and AES-256 against related-key rectangle attacks by exploiting a weakness in the AES key schedule. We find the following two new attacks: a 9-round reduced AES-192 attack with 4 related keys, and a 10-round reduced AES-256 attack with 4 related keys. Our results show that the related-key rectangle attack with 4 related keys on 9-round reduced AES-192 requires a data complexity of about 2^101 chosen plaintexts and a time complexity of about 2^174.8 encryptions, and that the related-key rectangle attack with 4 related keys on 10-round reduced AES-256 requires a data complexity of about 2^97.5 chosen plaintexts and a time complexity of about 2^254 encryptions. These are the first known attacks on 9-round reduced AES-192 and 10-round reduced AES-256 with only 4 related keys. Furthermore, we give an improvement of the 10-round reduced AES-192 attack presented at FSE 2007, which reduces both the data complexity and the time complexity.
Funding: Supported by the National Natural Science Foundation of China (Grant No. 62206312).
Abstract: As a family of tweakable block ciphers, HALFLOOP is standardized in the interoperability and performance standards for medium- and high-frequency radio systems published by the United States Department of Defense. Although HALFLOOP-24 has already been broken by practical real-world attacks, whether stronger attacks exploiting the cipher structure exist against the two larger variants of HALFLOOP remains to be explored. Since the internal state of HALFLOOP is smaller than its master key, the key schedule has low diffusion. Considering that related-key boomerang attacks are highly effective against such ciphers and can even reach the full number of rounds, we evaluate the resistance of the two larger variants of HALFLOOP against related-key boomerang attacks in this paper. First, we propose a more efficient model for searching for sandwich distinguishers of ciphers with non-linear key schedules. Specifically, we derive additional constraints, beyond simple relationships, in the internal linear layer to further restrict the candidate distinguishers to a smaller space. In addition, we use the ladder switch effect in the related-key model to guarantee a differential transition with probability one among the master key quartet, thereby avoiding possible weak-key attacks or invalid trails. Second, applying the model to HALFLOOP, we propose a full-round related-key boomerang attack on HALFLOOP-48 and nearly full-round related-key attacks on HALFLOOP-96. These results demonstrate that the security of the two larger variants of HALFLOOP is weak in the related-key scenario. Therefore, in addition to the serious flaw introduced by the tweak, the low diffusion of the key schedule algorithm also deserves attention.