Impossible Differential Cryptanalysis of Mini-AES
Daniel R. Cloutier
13 May 2004
Agenda
Mini-AES vs. S-AES
4 Round Impossible Differential
Attacking 5 Round Mini-AES
Conclusion
Questions
Based on: “Impossible Differential Cryptanalysis of Mini-AES,” by Raphael Chung-Wei Phan, Cryptologia, Vol. 27, No. 4, Oct 2003
Structure of Mini-AES
Same Basic Setup as S-AES
• 16 Bit Input/Output/Round Key
• 2x2 Matrices
• Nibble Sub
• Shift Rows
• Mix Columns
• Add Round Key
• Add Round Key Prior to Round 1
• No Mix Columns in Last Round
P0 P2
P1 P3
P = P0 P1 P2 P3
Definitions
Impossible Differential
P vs. C
Passive vs. Active Nibbles
• Ex. P = 0100 0011 1110 1001
P’ = 1110 0011 1110 1001
Impact on Active Nibbles: Nibble Sub
P = 0100 0011 1110 1001
P’ = 1110 0011 1110 1001
After Nibble Sub…
P = 1110 1111 0110 0111
P’ = 0100 1111 0110 0111
Impact on Active Nibbles: Shift Rows
P = 1110 1111 0110 0111
P’ = 0100 1111 0110 0111
After Shift Rows…
P = 1110 0111 0110 1111
P’ = 0100 0111 0110 1111
Impact on Active Nibbles: Mix Cols
P = 1110 0111 0110 1111
P’ = 0100 0111 0110 1111
After Mix Cols…
P = 1111 0110 0111 1110
P’ = 0010 0001 0111 1110
Impact on Active Nibbles: Add Round Key
P = 1111 0110 0111 1110
P’ = 0010 0001 0111 1110
After Add Round Key
P = P ⊕ Ki = P0 P1 P2 P3
P’ = P’ ⊕ Ki = P’0 P’1 P’2 P’3
Trace First Two Rounds
4 Round Mini-AES
P = 0101 1111 0110 1100
P’ = 0100 1111 0110 1100
Round 0: K0 = 0101 1010 1100 0011
• Add Round Key:
P = 0000 0101 1010 1111
P’ = 0001 0101 1010 1111
Round 1
P = 0000 0101 1010 1111
P’ = 0001 0101 1010 1111
Nibble Sub
P = 1110 1111 0110 0111
P’ = 0100 1111 0110 0111
Shift Rows
P = 1110 0111 0110 1111
P’ = 0100 0111 0110 1111
Round 1 - Continued
P = 1110 0111 0110 1111
P’ = 0100 0111 0110 1111
Mix Cols
P = 1111 0110 0111 1110
P’ = 0010 0001 0111 1110
Add Round Key: K1 = 1100 0011 0101 1010
P = 0011 0101 0010 0100
P’ = 1110 0010 0010 0100
Round 2
P = 0011 0101 0010 0100
P’ = 1110 0010 0010 0100
Nibble Sub
P = 0001 1111 1101 0010
P’ = 0000 1101 1101 0010
Shift Rows
P = 0001 0010 1101 1111
P’ = 0000 0010 1101 1101
Round 2 - Continued
P = 0001 0010 1101 1111
P’ = 0000 0010 1101 1101
Mix Cols
P = 0111 0100 1001 1011
P’ = 0100 0110 1101 1101
Add Round Key: K2 = 1111 0010 1011 1100
P = 1000 0110 0010 0111
P’ = 1011 0100 0110 0001
Trace Last 2 Rounds In Reverse
C = 0100 0011 1001 0101
C’ = 1110 0011 1001 1110
Inverse Key Add: K4 = 0010 1011 1100 0111
C = 0110 1000 0101 0010
C’ = 1100 1000 0101 1001
Round 4 - Continued
C = 0110 1000 0101 0010
C’ = 1100 1000 0101 1001
Inverse Shift Rows
C = 0110 0010 0101 1000
C’ = 1100 1001 0101 1000
Inverse Nibble Sub
C = 1010 0100 1100 0111
C’ = 1011 1101 1100 0111
Round 3
C = 1010 0100 1100 0111
C’ = 1011 1101 1100 0111
Inv Key Add: K3 = 1011 1100 0111 1101
C = 0001 1000 1011 1010
C’ = 0000 0001 1011 1010
Inverse Mix Cols
C = 0000 1001 1001 1000
C’ = 0010 0011 1001 1000
Round 3 - Continued
C = 0000 1001 1001 1000
C’ = 0010 0011 1001 1000
Inverse Shift Rows
C = 0000 1000 1001 1001
C’ = 0010 1000 1001 0011
Inverse Nibble Sub
C = 1110 0111 1101 1101
C’ = 0100 0111 1101 1000
After Round 2
P = 1000 0110 0010 0111
P’ = 1011 0100 0110 0001
C = 1110 0111 1101 1101
C’ = 0100 0111 1101 1000
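The forward and backward traces above, reproduced as an added Python example (not code from the slides or from Phan's paper): it recomputes the state after round 2 from both directions and compares the active-nibble patterns. The S-box, the MixColumn matrix [[3, 2], [2, 3]] and the field polynomial x^4 + x + 1 are assumed Mini-AES constants that do not appear on the slides; the function names are illustrative.

```python
# Mini-AES state is [p0, p1, p2, p3]; columns are (p0, p1) and (p2, p3).
# Assumed constants (not on the slides): Mini-AES S-box, MixColumn matrix, field.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

def gmul(a, b):
    """Multiply two nibbles in GF(2^4) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

def sub(s, box=SBOX):        # Nibble Sub (pass INV_SBOX for the inverse)
    return [box[n] for n in s]
def shift_rows(s):           # swap p1 and p3; its own inverse
    return [s[0], s[3], s[2], s[1]]
def mix_cols(s):             # [[3, 2], [2, 3]] on each column; its own inverse
    col = lambda a, b: [gmul(3, a) ^ gmul(2, b), gmul(2, a) ^ gmul(3, b)]
    return col(s[0], s[1]) + col(s[2], s[3])
def add_key(s, k):
    return [a ^ b for a, b in zip(s, k)]
def nib(bits):               # "0101 1111 0110 1100" -> [5, 15, 6, 12]
    return [int(b, 2) for b in bits.split()]
def active(a, b):            # 1 marks an active (differing) nibble
    return [int(x != y) for x, y in zip(a, b)]

def forward_two_rounds(s, k0, k1, k2):
    s = add_key(s, k0)
    for k in (k1, k2):
        s = add_key(mix_cols(shift_rows(sub(s))), k)
    return s

def backward_two_rounds(c, k3, k4):
    c = sub(shift_rows(add_key(c, k4)), INV_SBOX)               # round 4: no Mix Cols
    return sub(shift_rows(mix_cols(add_key(c, k3))), INV_SBOX)  # round 3

# Keys K0..K4 and the P/P', C/C' pairs are the values from the slides' trace.
K = [nib(k) for k in ("0101 1010 1100 0011", "1100 0011 0101 1010",
     "1111 0010 1011 1100", "1011 1100 0111 1101", "0010 1011 1100 0111")]
P, P2 = nib("0101 1111 0110 1100"), nib("0100 1111 0110 1100")
C, C2 = nib("0100 0011 1001 0101"), nib("1110 0011 1001 1110")
fwd = active(forward_two_rounds(P, *K[:3]), forward_two_rounds(P2, *K[:3]))
bwd = active(backward_two_rounds(C, K[3], K[4]), backward_two_rounds(C2, K[3], K[4]))
print("forward :", fwd, "backward:", bwd)  # patterns disagree: no pair can satisfy both
```

The forward half always ends with four active nibbles when exactly one input nibble is active, because Mix Cols turns one active nibble into a fully active column and Shift Rows then spreads that column across both columns.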
Attacking 5 Round Mini-AES: Setting Up the Attack
Obtain 2^13 plaintexts, P
Obtain 2^13 plaintexts, P’
• P’ differs from P in the 1st and 4th nibble
Obtain C and C’ for each P, P’
Discard C/C’ pairs w/o exactly one active nibble in each row and column.
• Probability for usable C/C’ pair:
(2^-4 x 2^-4) + (2^-4 x 2^-4) = 2^-7
• Number of usable C/C’ pairs:
2^13 x 2^-7 = 2^6
Attacking 5 Round Mini-AES: Performing the Attack
For each of the 2^6 pairs…
• Compute X and X’ for each K (2^8 values)
X = Encrypt P through Mix Cols in Round 1
X’ = Encrypt P’ through Mix Cols in Round 1
• Discard K if X/X’ have only one active nibble in the first column.
Probability = 2^-4 x 2 = 2^-3
Attacking 5 Round Mini-AES: Analyzing the Results
Probability that a random key never gets rejected:
• (1 - 2^-3)^(2^6)
Wrong Keys Remaining:
• 2^8 (1 - 2^-3)^(2^6) ≈ 0
Only the correct value of K0 remains
Conclusion
Impossible Differential Attack is good for theory.
Too Many Known Plaintexts!
Especially effective for AES because of the key schedule.
References
• “Impossible Differential Cryptanalysis of Mini-AES,” by Raphael Chung-Wei Phan, Cryptologia, Vol. 27, No. 4, Oct 2003
• “Mini Advanced Encryption Standard (Mini-AES): A Testbed for Cryptanalysis Students,” by Raphael Chung-Wei Phan, Cryptologia, Vol. 26, No. 4, October 2002
Questions