1 Introduction

Block ciphers are among the most important primitives for constructing symmetric cryptographic schemes such as encryption algorithms, hash functions, authentication schemes and pseudo-random number generators. The Advanced Encryption Standard (AES) [12] is currently the most interesting candidate from which to build different schemes. For example, in the on-going Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) [10], among many others, the permutation of PRIMATEs [1] is based on an AES-like SPN structure, AEGIS [40] uses 4 AES round functions in its state update function, ELmD [13] recommends using some round-reduced AES, including 5-round AES, to partially encrypt the data, and 4-round AES is adopted by Marble [21] and used to build the AESQ permutation in PAEQ [5]. Although the security of these candidates does not completely depend on the underlying primitives, we believe that the security of round-reduced AES could give some new insights into both the design and the cryptanalysis of authenticated encryption algorithms.

1.1 Distinguishers

Distinguishing properties are those properties of a cipher that random permutations do not have, so that they allow us to distinguish the cipher from a random permutation. For example, in differential cryptanalysis [4], one finds an r-round differential characteristic that holds with high probability, while for a random permutation such a differential characteristic does not exist.

In [11], Daemen et al. proposed a new method that can break more rounds of SQUARE than differential and linear cryptanalysis, which was consequently named the SQUARE attack. Some similar ideas such as the saturation attack [30], the multi-set attack [6], and the higher-order differential attack [23, 27] have also been proposed. In [26], Knudsen and Wagner proposed integral cryptanalysis as a generalization of these attacks. In an integral attack, with some special inputs, one checks whether the sum of the corresponding ciphertexts is zero or not. Integral attacks on round-reduced AES are based on the following distinguisher:

Property 1

[12, 17]. Let 15 bytes of the input be constants and the remaining byte take all possible values from \(\mathbb F_{2^{8}}\). Such a set is called a \(\Lambda \)-set. Then, the sum of each byte of the output of the third round is 0. Furthermore, let the 4 bytes in the diagonal of the state take all possible values from \(\mathbb F_{2^{8}}^4\) and the other 12 bytes be constants, then the output of 1-round AES can be divided into \(2^{24}\) \(\Lambda \)-sets. Therefore, the sum of each byte of the output of the fourth round is 0.

Gilbert and Minier showed that the set of functions mapping one active byte to one byte after 3 rounds depends on 9 byte parameters [20]. Therefore, the whole set can be described by a table of \(2^{72}\) entries of 256-byte sequences. This idea was later generalized by Demirci and Selçuk in [14] using meet-in-the-middle techniques. They showed that on 4 rounds, the value of each byte of the ciphertext can be described by a function of the active byte parameterized by 25 8-bit parameters in [14] and by 24 in [15].

Property 2

[15]. The set of functions mapping one active byte to one byte after 4 rounds of AES depends on 24 one-byte parameters.

Knudsen [24] and Biham et al. [3] independently proposed impossible-differential cryptanalysis. The main idea of impossible-differential cryptanalysis is to use differentials that hold with probability zero to discard the wrong keys, namely those that lead to the impossible differential. It is now one of the most effective methods against many different ciphers. One of the 4-round impossible differentials is shown as follows:

Property 3

[31, 32, 34]. The differential with only one nonzero (active) byte in the input difference and only one nonzero (active) byte in the output difference is a 4-round impossible differential of the AES.

Zero-correlation linear cryptanalysis was proposed by Bogdanov and Rijmen in [9]. The idea is to construct linear hulls with correlation exactly zero. The 4-round zero-correlation linear hull of the AES is shown as follows:

Property 4

[9]. If there is only one nonzero (active) byte of the input mask and output mask, respectively, then the correlation of 4-round AES is 0.

In summary, although there exist some 5-round distinguishers for AES-192 and AES-256 [16], the known distinguishers for all versions of the AES only cover at most 4 rounds.

All the above distinguishers are in the secret-key setting and were used in key-recovery attacks. At Asiacrypt 2007, Knudsen and Rijmen proposed the known-key distinguisher for block ciphers [25]. In the setting where the key is public to the attacker, one can construct a 7-round known-key distinguisher for the AES, which was improved to 8 and 10 rounds in [19]. Allowing attackers even more degrees of freedom, so that they can even choose the keys, distinguishers for 9-round AES were proposed in the chosen-key setting [18]. In this paper, we restrict ourselves to the secret-key setting, and the distinguishers to be presented are natural extensions of those used in key-recovery attacks.

1.2 Key-Recovery Attacks

The aim of a key-recovery attack is to recover some round keys of a cipher. Usually, the attack is applied once some distinguishing property of the round-reduced block cipher has been found. To date, the biclique attack can recover some subkeys of full-round AES with slightly less than exhaustive complexity [7]. We briefly list some results of key-recovery attacks against round-reduced AES in Table 1, together with the number of rounds of the underlying distinguishers used.

Table 1. Some key-recovery attacks against AES-128

1.3 Details of the Components of a Cipher

If we choose the parameters carefully, the dedicated cipher based on the AES-like structure can be resilient to both differential [4] and linear cryptanalysis [33]. For example, based on the fact that the branch number of the MixColumns is 5, it is proved in [12] that the number of active S-boxes of 4-round AES is at least 25. Since the maximal differential probability of the S-box is \(2^{-6}\), there does not exist any differential characteristic of 4-round AES with probability larger than \(2^{-6 \times 25} = 2^{-150}\).

In most cases, especially in the cryptanalysis of AES, one does not need to investigate the details of the S-boxes. Thus, the corresponding results are independent of the non-linear components. In other words, if some other S-boxes with similar differential/linear properties are chosen in a cipher, the corresponding cryptanalytic results remain almost the same. To characterize what “being independent of the choice of the S-boxes” means, Sun et al. proposed in [37] the concept of the Structure of a block cipher. By structural evaluation, we mean the domain of cryptography that analyzes a cryptosystem in terms of generic constructions which keep the linear parts of the cipher and omit the details of the non-linear components.

The influence of the choice of S-boxes on the construction of integral distinguishers has been studied in [22, 29, 35]. For example, if ARIA adopted only one S-box, more balanced bytes could be determined, and if the order of the different S-boxes were changed (there are 4 different S-boxes in ARIA), one would get integral distinguishers different from the one constructed in [29]. In [35], the authors pointed out that in some cases, key-recovery attacks based on an integral distinguisher may fail. Very recently, Todo proposed the division property [38], by which one can build longer integral distinguishers provided the algebraic degree of the S-boxes is known. For example, a 6-round integral for MISTY1 was built in [39], based on which the first cryptanalysis result against full MISTY1 was found.

Although there are already 4-round impossible differentials and zero-correlation linear hulls for the AES, the effort to find new impossible differentials and zero-correlation linear hulls that cover more rounds has never stopped. At Eurocrypt 2016, Sun et al. proved that, unless the details of the S-boxes are exploited, one cannot find any impossible differential or zero-correlation linear hull of the AES that covers 5 or more rounds:

Property 5

[36]. There does not exist any impossible differential or zero-correlation linear hull of \(\mathcal E^{\text {AES}}\) which covers \(r\ge 5\) rounds. Or equivalently, there does not exist any 5-round impossible differential or zero-correlation linear hull of the AES unless the details of the S-boxes are considered.

To increase the performance of a block cipher, one usually uses an MDS (Maximum Distance Separable) matrix whose elements are restricted to low Hamming weights in order to reduce the workload of the multiplications over finite fields. Furthermore, it is noticed that not only are the MDS matrices always circulant, but there are also identical elements in each row. For example, in AES, the first row of the MDS matrix is \((\texttt {02},\texttt {03},\texttt {01},\texttt {01})\). However, most known techniques have not made use of these observations, and there is little literature concentrating on the choice of these matrices when constructing distinguishers of round-reduced AES. Since the known impossible differentials and zero-correlation linear hulls of round-reduced AES are constructed based on the fact that the branch number of MixColumns is 5, these two types of distinguishers still hold even if a different \(4\times 4\) MDS matrix over \(\mathbb F_{2^8}\) is used. Furthermore, since the inverse of an MDS matrix also has the MDS property, these distinguishers hold not only in the chosen-plaintext setting, but also in the chosen-ciphertext setting.

1.4 Our Contributions

This paper concentrates on the details of both the S-boxes and the MDS matrices that are used in AES-like SPN structures. Denote by \(M_{\textsf {MC}}\) the MDS matrix used in a cipher. If there are two identical elements in a row of \((M_{\textsf {MC}}^{-1})^{\text {T}}\) and if the cipher adopts identical S-boxes, then we can construct a 5-round distinguisher. Applied to AES, this means that our distinguisher covers the largest number of rounds to date.

(1) If the difference of two sub-key bytes is known, we can construct several types of 5-round zero-correlation linear hulls for such ciphers without the MixColumns operation in the last round, which can be turned into 5-round integrals both with and without the MixColumns operation in the last round. Furthermore, we not only prove that 5 rounds of such ciphers with the MixColumns operation in the last round can be distinguished from a random permutation, but also that some sub-keys can be recovered from the distinguisher directly.

(2) In a hash function setting, where an AES-like SPN structure is used as a building block and the chaining value acts as the key, there always exist 5-round distinguishers. As a proof of concept, we give two types of 5-round distinguishers for the hash function Whirlpool.

For the AES, every row of \((M_{\textsf {MC}}^{-1})^{\text {T}}\) contains 4 different elements. Thus we cannot apply the results to the AES directly. However, for the decryption of the AES, every row of \((M_{\textsf {MC}}^{-1})^{\text {T}}\) contains the element 01 twice, therefore we can construct a 5-round distinguisher for the AES in the chosen-ciphertext setting:

(3) For 5-round AES, divide the whole space of plaintext-ciphertext pairs into the following \(2^8\) subsets:

$$A_\varDelta =\{(p,c)|c_{0,0}\oplus c_{1,3}=\varDelta \}.$$

Then, there always exists a \(\varDelta \) such that \(\sum _{(p,c)\in A_\varDelta }p=0\), while for random permutations, this happens with probability \(1-(1-2^{-128})^{2^8}\approx 2^{-120}\). Furthermore, we can deduce \(k_{0,0}\oplus k_{1,3}=\varDelta \) from the distinguisher.

Since this property only applies in the chosen-ciphertext setting, we conclude that the security margin of the AES under the chosen-plaintext setting may be different from the one under the chosen-ciphertext setting. Furthermore, since we have proved that 5-round AES can be distinguished from a random permutation, more attention should be paid when round-reduced AES is used as a building block in some new cryptographic schemes.

Though we have already found some 5-round distinguishers, we leave as an open problem whether more efficient key-recovery attacks against round-reduced AES or other AES-based schemes can be mounted from them.

2 Preliminaries

Before proceeding to our results, we first introduce some notation on both boolean functions and the ciphers we are analyzing.

2.1 Boolean Functions

Given a boolean function \(G: \mathbb F^n_2\rightarrow \mathbb F_2\), the correlation of G is defined by

$$c(G(x))\triangleq \frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{G(x)}.$$

Given a vectorial function \(H: \mathbb F^n_2\rightarrow \mathbb F^k_2\), the correlation of the linear approximation for a k-bit output mask b and an n-bit input mask a is defined by

$$c(a\cdot x\oplus b\cdot H(x))\triangleq \frac{1}{2^n}\sum _{x\in \mathbb F_2^n}(-1)^{a\cdot x\oplus b\cdot H(x)},$$

where “\(\cdot \)” is the inner product of two elements. If \(c(a\cdot x\oplus b\cdot H(x))=0\), then \(a\rightarrow b\) is called a zero-correlation linear hull of H, following the definition in [9]. Let \(A\subseteq \mathbb F_2^n\) and \(B\subseteq \mathbb F_2^k\). If \(c(a\cdot x\oplus b\cdot H(x))=0\) for all \(a\in A\) and \(b\in B\), then \(A\rightarrow B\) is called a zero-correlation linear hull of H.

In this paper, we denote by \(\text {circ}(a_0,a_1,\ldots ,a_{n-1})\) a circulant matrix defined as follows:

$$\begin{aligned} \text {circ}(a_0,a_1,\ldots ,a_{n-1})=\begin{pmatrix} a_0&{}a_1&{}\ldots &{}a_{n-1}\\ a_{n-1}&{}a_0&{}\ldots &{}a_{n-2}\\ \vdots &{}\vdots &{}\vdots &{}\vdots \\ a_{1}&{}a_2&{}\cdots &{}a_{0} \end{pmatrix}. \end{aligned}$$

For any vector \(v=(v_0,v_1,\ldots ,v_{n-1})\in \mathbb F_{2^b}^n\), the Hamming weight of v is defined as the number of non-zero components of v:

$$\begin{aligned} \text {wt}(v)=\#\{i|v_i\ne 0, i=0,1,\ldots ,n-1\}. \end{aligned}$$

Let \(P\in \mathbb F_{2^b}^{n\times n}\), then the branch number of P is defined as

$$\begin{aligned} \mathcal B(P)=\min _{0\ne x\in \mathbb F_{2^b}^n}\{\text {wt}(x)+\text {wt}(Px)\}. \end{aligned}$$

Obviously, for any \(x\in \mathbb F_{2^b}^n\), we always have \(\text {wt}(Px)\le n\). Therefore, choosing x such that \(\text {wt}(x)=1\) shows that \(\mathcal B(P)\le n+1\). A matrix \(P\in \mathbb F_{2^b}^{n\times n}\) is called a Maximum Distance Separable (MDS) matrix if and only if \(\mathcal B(P)=n+1\). In the proof of the security of a cipher against differential and linear cryptanalysis, one can make use of the branch number to bound the number of active S-boxes. Since a larger branch number usually gives more active S-boxes, MDS matrices are widely used in modern block ciphers, including AES.

2.2 SPN and AES-Like SPN Ciphers

To keep our results as general as possible, we give a generic description of Substitution-Permutation Network (SPN) ciphers and AES-like ciphers, respectively. We assume that the input can be viewed as an \(n\times n\) square matrix over \(\mathbb F_{2^b}\), which implies that both the input (plaintext) and the output (ciphertext) of the block cipher consist of \(n^2b\) bits. The cipher successively applies R round functions, and we denote by \(s^{(r)}\) and \(k^{(r)}\) the input and sub-key states of the r-th round, respectively. The state \(s^{(0)}\) is initialized with the input plaintext. One round function is composed of the following layers: a key addition layer (KA), where an \(n^2b\)-bit round key \(k^{(r-1)}\) is XORed into \(s^{(r-1)}\), and a block cipher permutation layer BC that updates the \(n^2b\)-bit current state of the block cipher after the addition of the subkey, i.e. \(s^{(r)} = \textsf {BC}(s^{(r-1)}\oplus k^{(r-1)})\). For an SPN cipher, the permutation \(\textsf {BC}\) is composed of SubBytes (\(\textsf {SB}\)), which applies non-linear transformations to the \(n^2\) b-bit bytes in parallel, followed by a layer \(\textsf {P}\) which is linear over \(\mathbb F_{2}^{n^2b}\), i.e. \(\textsf {BC}=\textsf {P}\circ \textsf {SB}\). The final ciphertext is then defined as \(s^{(R)}\oplus k^{(R)}\). In the following, we simply write \(\mathcal E(n,b,r)\) for an r-round AES-like SPN cipher which operates on \(n\times n\) b-bit bytes.

In the case of AES-like ciphers, the internal state of BC can be viewed as a square matrix of b-bit cells with n rows and n columns. A cell of \(s^{(r)}\) is denoted by \(s^{(r)}_{i,j}\), where i is its row position and j its column position in the square matrix, counting from 0. Then, the linear layer itself is composed of the ShiftRows transformation (SR), which can be defined as a permutation \(\pi _{\textsf {SR}}=(l_0,l_1,\ldots ,l_{n-1})\) on \(\mathbb Z_n=\{0,1,\ldots ,n-1\}\) that moves cell \(s^{(r)}_{i,j}\) by \(l_i\) positions to the left in its own row, and the MixColumns transformation (MC), which linearly mixes all the columns of the matrix. Overall, for AES-like ciphers, we always have \(\textsf {BC}=\textsf {P}\circ \textsf {SB}=\textsf {MC}\circ \textsf {SR}\circ \textsf {SB}\).

The AES Block Cipher. AES only uses a single S-box which is based on the inverse function over \(\mathbb F_{2^8}\) to construct the round function. The SR and the MC of AES are defined as follows:

$$\begin{aligned} \pi _\textsf {SR}= & {} (0,1,2,3),\\ M_{\textsf {MC}}= & {} \begin{pmatrix} \texttt {02}&{}\texttt {03}&{}\texttt {01}&{}\texttt {01}\\ \texttt {01}&{}\texttt {02}&{}\texttt {03}&{}\texttt {01}\\ \texttt {01}&{}\texttt {01}&{}\texttt {02}&{}\texttt {03}\\ \texttt {03}&{}\texttt {01}&{}\texttt {01}&{}\texttt {02} \end{pmatrix}=\text {circ}(\texttt {02},\texttt {03},\texttt {01},\texttt {01}). \end{aligned}$$

Since we do not investigate key-recovery attacks, we refer to [12] for the details of the key schedule.

3 Zero-Correlation Linear Cryptanalysis of AES-Like SPN Ciphers

3.1 Zero-Correlation Linear Hull of 4-round AES-Like Ciphers

In zero-correlation linear cryptanalysis, we construct linear hulls with correlation exactly zero. One of the most efficient methods to construct zero-correlation linear hulls is based on the miss-in-the-middle technique, i.e., we start from the beginning and the end of the cipher, partially encrypt the plaintext and partially decrypt the ciphertext, respectively. Then a contradiction is found in the middle round of the cipher with probability 1. For example, the 4-round zero-correlation linear hull of the AES is built as follows [9] (see Fig. 1): if only the first byte of the input mask is active, then after 1 round, all 4 bytes in the first column of the output mask are active. Thus in each column of the input mask to the second MixColumns, the number of active bytes is 1. Using the same technique, we find that if there is only 1 active byte in the output mask of the fourth round, then in each column of the output mask of the second MixColumns, the number of active bytes is 1. Since the branch number of MixColumns is 5, we find a contradiction, which indicates that the correlation of such a linear hull is 0.

Fig. 1. 4-round zero-correlation linear hull of the AES

To enhance the performance of a cipher, designers usually use identical S-boxes and a diffusion layer whose elements have relatively low Hamming weights, which do not necessarily, but often do, cause weaknesses, as shown in the following.

3.2 New Cryptanalysis of 5-round AES-Like Ciphers

Though it has been proven that the longest zero-correlation linear hull of the AES only covers 4 rounds if we do not investigate the details of the S-box, we improve this result precisely by exploiting these details.

In this section, we use the miss-in-the-middle technique to construct some novel distinguishers of AES-like SPN ciphers, provided that the difference of two sub-key bytes is known. Firstly, we recall the following propositions for the propagation of input-output masks/differences through linear functions:

Proposition 1

Let \(\mathcal L\) be a linear transformation defined on \(\mathbb F_2^{t}\), and \(L\in \mathbb F_2^{t\times t}\) be the matrix representation of \(\mathcal L\). Then,

(1) For any input-output mask \(\varGamma _I\rightarrow \varGamma _O\), if the correlation is nonzero, we always have \(\varGamma _O=(L^{-1})^{\text {T}}\varGamma _I\).

(2) For any input-output difference \(\varDelta _I\rightarrow \varDelta _O\), if the differential probability is nonzero, we always have \(\varDelta _O=L\varDelta _I\).

Since ShiftRows in the first round does not influence the results, in this section, we omit \(\textsf {SR}\) in the first round. Denote by \((M^{-1}_\textsf {MC})^{\text {T}}=(m_{i,j}^*)\) the transpose of the inverse of \(M_\textsf {MC}\). We assume that an AES-like SPN cipher \(\mathcal E(n,b,r)\) satisfies the following conditions:

(1) There exists a triplet \((i,j_0,j_1)\) such that \(m_{i,j_0}^*=m_{i,j_1}^*\) where \(j_0\ne j_1\);

(2) Without loss of generality, the S-boxes used at positions \((j_0,0)\) and \((j_1,0)\) are identical.

Lemma 1

Let \(\mathcal E(n,b,r)\) be an AES-like SPN cipher satisfying conditions (1) and (2). Define

$$V=\{(s_{i,j})\in \mathbb F_{2^b}^{n\times n}|s_{j_0,0}\oplus s_{j_1,0}=k_{j_0,0}\oplus k_{j_1,0}\}.$$

For any \(0\ne a\in \mathbb F_{2^b}\), let the input mask be

$$\begin{aligned} \varGamma _I=(\alpha _{i,j})_{0\le i,j\le n-1},\quad \alpha _{i,j}={\left\{ \begin{array}{ll}a\quad (i,j)=(j_0,0), (j_1,0),\\ 0\quad \text {otherwise},\end{array}\right. } \end{aligned}$$

and the output mask be \(\varGamma _O=(\beta _{i,j})\in \mathbb F_{2^b}^{n\times n}\). Then, if the correlation \(\varGamma _I\rightarrow \varGamma _O\) of \(\mathcal E(n,b,1)\) on V is non-zero, we have

$$\begin{aligned} \text {wt}(\beta _{0,0},\beta _{1,0},\ldots ,\beta _{n-1,0})=n-1, \end{aligned}$$

\(\beta _{i,j}=0\) for \(j\ge 1\), and the absolute value of the correlation is 1.

Proof

Let the output mask of the SB layer be

$$\varGamma _{\textsf {SB}}=(\gamma _{i,j})\in \mathbb F_{2^b}^{n\times n}.$$

To make the correlation non-zero, \(\gamma _{i,j}=0\) must hold whenever \(\alpha _{i,j}=0\). Next, we show that \(\gamma _{j_0,0}=\gamma _{j_1,0}\). Since \(s_{j_0,0}\oplus s_{j_1,0}=k_{j_0,0}\oplus k_{j_1,0}\), write

$$x=s_{j_0,0}\oplus k_{j_0,0}=s_{j_1,0}\oplus k_{j_1,0}.$$

Then

$$\begin{aligned} \varGamma _I\cdot X\oplus \varGamma _{\textsf {SB}}\cdot S(X)= & {} a\cdot x\oplus a\cdot x\oplus \gamma _{j_0,0}\cdot S(x)\oplus \gamma _{j_1,0}\cdot S(x)\\= & {} (\gamma _{j_0,0}\oplus \gamma _{j_1,0})\cdot S(x). \end{aligned}$$

Since S(x) is a permutation on \(\mathbb F_{2^b}\), if \(\gamma _{j_0,0}\oplus \gamma _{j_1,0}\ne 0\), the correlation of \((\gamma _{j_0,0}\oplus \gamma _{j_1,0})\cdot S(x)\) is always 0. On the other hand, if \(\gamma _{j_0,0}\oplus \gamma _{j_1,0}=0\), the correlation is always 1.

Therefore, to make the correlation non-zero, according to Proposition 1, the output mask of \(\mathcal E(n,b,1)\) should be

$$\begin{aligned} \varGamma _O=(M^{-1}_\textsf {MC})^{\text {T}}\varGamma _{\textsf {SB}}. \end{aligned}$$

Taking this into account, the absolute value of the correlation is always 1, which ends the proof.   \(\square \)

Lemma 2

Let \(\mathcal E(n,b,r)\) be an AES-like SPN cipher satisfying conditions (1) and (2). Let \(\varDelta =k_{j_0,0}^{(0)}\oplus k_{j_1,0}^{(0)}\), and define

$$V_\varDelta =\{(s_{i,j}^{(0)})\in \mathbb F_{2^b}^{n\times n}|s_{j_0,0}^{(0)}\oplus s_{j_1,0}^{(0)}=\varDelta \}.$$

For any \(0\ne a\in \mathbb F_{2^b}\), let the input mask be

$$\begin{aligned} \varGamma _I=(\alpha _{i,j})_{0\le i,j\le n-1},\quad \alpha _{i,j}={\left\{ \begin{array}{ll}a\quad (i,j)=(j_0,0), (j_1,0),\\ 0\quad \text {otherwise},\end{array}\right. } \end{aligned}$$

and for any \(0\ne d\in \mathbb F_{2^b}\), \((u,v)\in \mathbb Z_n\times \mathbb Z_n\), let the output mask be

$$\begin{aligned} \varGamma _O^{(u,v)}=(\beta _{i,j})_{0\le i,j\le n-1},\quad \beta _{i,j}={\left\{ \begin{array}{ll}d\quad (i,j)=(u,v),\\ 0\quad \text {otherwise}.\end{array}\right. } \end{aligned}$$

Then for \(\mathcal E(n,b,5)\) without MixColumns in the last round, the correlation for \(\varGamma _I\rightarrow \varGamma _O^{(u,v)}\) on \(V_\varDelta \) is always 0.

Proof

The proof is divided into two halves (Fig. 2 shows the procedure of the proof for the case \(n=4\) and \(\pi _{\textsf {SR}}=(0,3,2,1)\)):

Firstly, from the encryption direction, let the input mask be \(\varGamma _I\) as defined above. According to Lemma 1, the output mask of the first round has the following properties: there are \(n-1\) non-zero elements in the first column and all of the elements in other columns are zero.

Then, in the second round, the output mask of the SB layer keeps the pattern of the input mask, and SR shifts the \(n-1\) non-zero elements to \(n-1\) different columns. Since MC has the MDS property, we can conclude that the output mask of the second round has the following properties: there exists one column in which all elements are 0, and all elements in the other columns are non-zero.

In the third round, the output mask of the SB layer keeps the pattern of the input mask and SR shifts the n zero elements to n different columns, i.e., there are \(n-1\) non-zero elements in each column of the input mask of MC in the third round.

Using the same technique, we can find that from the decryption direction, there is only 1 non-zero element in each column of the output mask of MC in the third round.

Since MC has the MDS property, i.e., the sum of the numbers of non-zero elements in the input and output masks of MC is at least \(n+1\), the correlation of \(\varGamma _I\rightarrow \varGamma _O^{(u,v)}\) is 0.   \(\square \)

Fig. 2. Proof for the zero correlation linear hull of \(\mathcal E(n,b,5)\)

4 Integrals for the AES-Like SPN Ciphers

Links between integrals and zero-correlation linear hulls were first studied by Bogdanov et al. at Asiacrypt 2012 [8], and then refined at CRYPTO 2015 [37]. In [37], Sun et al. proved that a zero-correlation linear hull of a block cipher always implies the existence of an integral distinguisher, which gives a novel way to construct integrals of a cipher. For example, the 4-round zero-correlation linear hull of the AES implies the following distinguisher: let 15 bytes of the input take all possible values from \(\mathbb F_{2^8}^{15}\) and the remaining byte be constant; then each byte of the output before the MixColumns operation in the fourth round takes each value of \(\mathbb F_{2^8}\) exactly \(2^{112}\) times.

This section mainly discusses the integral properties of the AES-like ciphers based on the links between zero correlation linear hulls and integrals. It was pointed out at CRYPTO 2015 [37] that a zero-correlation linear hull always implies the existence of an integral, based on which we can get the following results.

Corollary 1

Let \(\mathcal E(n,b,r)\) be an AES-like SPN cipher satisfying conditions (1) and (2). Let \(\varDelta =k_{j_0,0}^{(0)}\oplus k_{j_1,0}^{(0)}\) and the input set be

$$V_\varDelta =\{(s_{i,j}^{(0)})_{0\le i,j \le n-1}\in \mathbb F_{2^b}^{n\times n}|s_{j_0,0}^{(0)}\oplus s_{j_1,0}^{(0)}=\varDelta \}.$$

Then for each output byte of \(\mathcal E(n,b,5)\) without MixColumns, every value of \(\mathbb F_{2^b}\) appears exactly \(2^{(n^2-2)b}\) times, and the sum of every output byte of \(\mathcal E(n,b,5)\) with MixColumns is 0.

Since there exists exactly one value in \(\{0,1,\cdots ,2^b-1\}\) which is equal to \(\varDelta =k_{j_0,0}^{(0)}\oplus k_{j_1,0}^{(0)}\), we have:

Theorem 1

Denote by \(\mathcal E(n,b,r)\) an r-round AES-like SPN cipher with MixColumns in the last round, where b and n are the sizes of the S-boxes and the MDS matrix, respectively. Let \((M^{-1}_{\textsf {MC}})^{\text {T}}=(m_{i,j}^*)\in \mathbb F_{2^b}^{n\times n}\) be the transpose of the inverse of \(M_{\textsf {MC}}\). Assume that there exists a triplet \((i,j_0,j_1)\) such that \(m_{i,j_0}^*=m_{i,j_1}^*\). Then \(\mathcal E(n,b,5)\) can be distinguished from a random permutation \(\mathcal R\) as follows: for \(F\in \{\mathcal E(n,b,5),\mathcal R\}\) and \(\varDelta =0,1,\ldots ,2^b-1\), divide the whole input-output space into the following \(2^b\) subsets:

$$A_\varDelta ^F=\{(p,c)|c=F(p), p_{j_0,a_0}\oplus p_{j_1,a_1}=\varDelta \},$$

where \(\textsf {SR}\) moves \(p_{j_0,a_0}\) and \(p_{j_1,a_1}\) to the same column, and let

$$T_\varDelta ^F=\sum _{(p,c)\in A_\varDelta ^F}c.$$

If the S-boxes applied to \(p_{j_0,a_0}\) and \(p_{j_1,a_1}\) are identical, there always exists a \(\varDelta \) such that \(T_\varDelta ^{\mathcal E(n,b,5)}=0\), while for random permutations, this happens with probability \(1-(1-2^{-n^2b})^{2^b}\approx 2^{-(n^2-1)b}.\) Furthermore, we can deduce that the value of \(k_{j_0,a_0}\oplus k_{j_1,a_1}\) is \(\varDelta \).

This theorem follows directly from Corollary 1 above. We further give a direct proof as follows.

Proof

Without loss of generality, let \((M^{-1}_\textsf {MC})^{\text {T}}=(m_{i,j}^*)\) and \(m_{0,0}^*=m_{0,1}^*=\texttt {01}\). Let the input and output of the MixColumns operation be \((x_0,x_0,x_1,\ldots ,x_{n-2})^{\text {T}}\) and \((y_0,y_1,\ldots ,y_{n-1})^{\text {T}}\), respectively. Then we have

$$\begin{aligned} \begin{pmatrix}x_0\\ x_0\\ x_1\\ \vdots \\ x_{n-2} \end{pmatrix}=\begin{pmatrix} \texttt {01}&{}*&{}\cdots &{}*&{}*\\ \texttt {01}&{}*&{}\cdots &{}*&{}*\\ *&{}*&{}\cdots &{}*&{}*\\ \vdots &{}\vdots &{}\ddots &{}\vdots &{}\vdots \\ *&{}*&{}\cdots &{}*&{}* \end{pmatrix}\begin{pmatrix}y_0\\ y_1\\ y_2\\ \vdots \\ y_{n-1}\end{pmatrix}, \end{aligned}$$

which implies

$$x_0=y_0\oplus l_1(y_1,\ldots ,y_{n-1})=y_0\oplus l_2(y_1,\ldots ,y_{n-1}),$$

where \(l_1\) and \(l_2\) are different linear functions on \((y_1,\ldots ,y_{n-1})\). Accordingly, we always have

$$(l_1\oplus l_2)(y_1,\ldots ,y_{n-1})=0.$$

Since the dimension of the input is \(n-1\), we conclude that \(y_0\) is independent of \(y_1,\ldots ,y_{n-1}\), i.e., the number of possible values for \((y_1,\ldots ,y_{n-1})\) is \(2^{(n-2)b}\). Thus the output of the first round can be divided into the following \(2^{(n-2)b}\) subsets: the last \(n-1\) bytes of the first column are fixed to \((y_1,\ldots ,y_{n-1})\) and the other \(n^2-n+1\) bytes take all possible values from \(\mathbb F_{2^b}^{n^2-n+1}\). Taking the 4-round integral distinguisher into consideration, we conclude that the sum of the output of the fifth round with MixColumns is 0.   \(\square \)
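As an added illustration (not code from the paper), the following Python script builds a toy instance \(\mathcal E(2,4,5)\) that satisfies conditions (1) and (2) and checks both Lemma 1 and Theorem 1 on it by exhaustive enumeration, which the \(2^{128}\) AES case does not allow. Everything in it is constructed: 4-bit cells in a \(2\times 2\) state over \(\mathbb F_{2^4}\) with reduction polynomial \(x^4+x+1\), the PRESENT S-box in every cell, \(M_{\textsf {MC}}=\begin{pmatrix}\texttt {02}&\texttt {03}\\ \texttt {01}&\texttt {01}\end{pmatrix}\) (so that \((M_{\textsf {MC}}^{-1})^{\text {T}}\) has two identical elements in its first row), \(\pi _{\textsf {SR}}=(0,1)\), and seeded random round keys.

```python
"""Toy check of Lemma 1 and Theorem 1 on a constructed AES-like SPN E(2,4,5):
2x2 state of 4-bit cells, identical S-boxes, and a 2x2 MDS matrix whose
(M_MC^{-1})^T has two identical elements in a row. Not the paper's own code."""
from itertools import product
import random

# Constructed field GF(2^4) with reduction polynomial x^4 + x + 1 (0x13).
def gf16_mul(a: int, b: int) -> int:
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= 0x13
    return r

def gf16_inv(a: int) -> int:
    return next(x for x in range(1, 16) if gf16_mul(a, x) == 1)

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]

# The PRESENT S-box, a real 4-bit bijection; every cell uses it, so condition (2) holds.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed MixColumns matrix: all entries and det = 02*01 + 03*01 = 01 are nonzero, so it is
# MDS (branch number 3), and (M_MC^{-1})^T = [[01,01],[03,02]] meets condition (1) with
# (i, j0, j1) = (0, 0, 1).
M_MC = [[0x2, 0x3], [0x1, 0x1]]

def inverse_transpose(m):
    """(m^{-1})^T of a 2x2 matrix over GF(2^4); in characteristic 2, -x = x."""
    (a, b), (c, d) = m
    di = gf16_inv(MUL[a][d] ^ MUL[b][c])
    return [[MUL[d][di], MUL[c][di]], [MUL[b][di], MUL[a][di]]]

def branch_number(m):
    """Definition of Sect. 2.1: min over x != 0 of wt(x) + wt(m x)."""
    best = 99
    for x0, x1 in product(range(16), repeat=2):
        if x0 == x1 == 0:
            continue
        y = [MUL[m[i][0]][x0] ^ MUL[m[i][1]][x1] for i in range(2)]
        best = min(best, (x0 != 0) + (x1 != 0) + (y[0] != 0) + (y[1] != 0))
    return best

# A state is a tuple (s00, s01, s10, s11) of cells s_{row,col}. One round is AddKey, SubBytes,
# ShiftRows with pi_SR = (0,1) (row 1 rotates left by one cell) and MixColumns.
def round_fn(s, k):
    a, b = SBOX[s[0] ^ k[0]], SBOX[s[1] ^ k[1]]   # row 0 is not shifted
    c, d = SBOX[s[3] ^ k[3]], SBOX[s[2] ^ k[2]]   # row 1: cell (1,1) moves to (1,0)
    (m00, m01), (m10, m11) = M_MC                  # column 0 = (a, c), column 1 = (b, d)
    return (MUL[m00][a] ^ MUL[m01][c], MUL[m00][b] ^ MUL[m01][d],
            MUL[m10][a] ^ MUL[m11][c], MUL[m10][b] ^ MUL[m11][d])

def encrypt(p, keys, rounds=5):
    """Full rounds (MixColumns kept in the last round) followed by a final key addition."""
    s = p
    for r in range(rounds):
        s = round_fn(s, keys[r])
    return tuple(s[i] ^ keys[rounds][i] for i in range(4))

def make_keys(seed):
    """Constructed round keys k^(0)..k^(5); the key schedule is irrelevant to the distinguisher."""
    rng = random.Random(seed)
    return [tuple(rng.randrange(16) for _ in range(4)) for _ in range(6)]

def dot(a, x):
    return bin(a & x).count("1") & 1

def one_round_correlation(keys, a, out_pos, gamma):
    """Lemma 1: correlation of a.p00 + a.p11 + gamma.c[out_pos] over V = {p : p00 + p11 = k00 + k11}
    after one round (SR puts p00 and p11 into column 0, so they are the cells (j0,0), (j1,0))."""
    k = keys[0]
    total = 0
    for p in product(range(16), repeat=4):
        if p[0] ^ p[3] != k[0] ^ k[3]:
            continue
        c = round_fn(p, k)
        total += -1 if dot(a, p[0]) ^ dot(a, p[3]) ^ dot(gamma, c[out_pos]) else 1
    return total / 4096

def zero_sum_classes(keys):
    """Theorem 1: partition plaintexts by Delta = p00 + p11 and XOR all ciphertexts of each class.
    The class with Delta = k00 + k11 always sums to 0, which also leaks that key difference."""
    sums = [[0, 0, 0, 0] for _ in range(16)]
    for p in product(range(16), repeat=4):
        t = sums[p[0] ^ p[3]]
        for i, ci in enumerate(encrypt(p, keys)):
            t[i] ^= ci
    return [delta for delta, t in enumerate(sums) if t == [0, 0, 0, 0]]

if __name__ == "__main__":
    keys = make_keys(2016)
    print("(M_MC^-1)^T =", inverse_transpose(M_MC), "branch number:", branch_number(M_MC))
    print("|corr| with output mask on cell (1,0):", abs(one_round_correlation(keys, 1, 2, 1)))
    print("corr with output mask on cell (0,0):", one_round_correlation(keys, 1, 0, 1))
    print("zero-sum classes:", zero_sum_classes(keys), "true k00^k11:", keys[0][0] ^ keys[0][3])
```

The output mask placed on cell (1,0) is the \(n-1=1\) non-zero position predicted by Lemma 1 and gives correlation \(\pm 1\), while a mask on cell (0,0) gives correlation 0; the class \(A_\varDelta \) for the true key difference is always among the zero-sum classes, though on such a small state another class may sum to zero by chance.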

Since many AES-based ciphers adopt circulant MDS matrices, we now state the result for the case where a cipher uses a circulant MDS matrix:

Corollary 2

Let \(\mathcal E(n,b,r)\) be an AES-like SPN cipher which uses a circulant MDS matrix \(M_{\textsf {MC}}=\text {circ}(m_0,m_1,\ldots ,m_{n-1})\in \mathbb F_{2^b}^{n\times n}\). Denote by \((M^{-1}_{\textsf {MC}})^{\text {T}}=\text {circ}(m_0^*,m_1^*,\ldots ,m_{n-1}^*)\) the transpose of the inverse of \(M_{\textsf {MC}}\). If there exists a \((j_0,j_1)\) where \(j_0\ne j_1\) such that \(m_{j_0}^*=m_{j_1}^*\), then the plaintext-ciphertext space of \(\mathcal E(n,b,5)\) can be divided into \(2^{nb}\) subsets \(A_{\varDelta }\) and \(|A_{\varDelta }|=2^{(n^2-n)b}\), and there exists a \(\varDelta \) such that the sum of ciphertexts in \(A_{\varDelta }\) is 0. Moreover, some sub-keys can also be deduced from the partition.

5 Application to Hashing Schemes

To apply these results to block ciphers directly, we need to know the difference of the corresponding sub-key bytes, which is impossible in most cases. However, if the cipher is used as a building block of a hash function and the chaining value acts as the key, we can always obtain a new distinguisher of the hash function based on these new observations. We use Whirlpool [2] as an example in this section.

5-Round Distinguisher for Whirlpool. Whirlpool [2] is a hash function proposed by Barreto and Rijmen as a candidate for the NESSIE project. It iterates the Miyaguchi-Preneel hashing scheme over t padded message blocks \(m_i\), \(0\le i\le t-1\), using the dedicated 512-bit block cipher W:

$$\begin{aligned} H_i=W_{H_{i-1}}(m_{i-1})\oplus H_{i-1}\oplus m_{i-1},\quad i=1,2,\ldots ,t. \end{aligned}$$

The W block cipher only employs one S-box, and the SR and the MC are defined as follows:

$$\begin{aligned} \pi _\textsf {SR}&= (0,1,2,3,4,5,6,7),\\ M_{\textsf {MC}}&= \text {circ}(\texttt {01},\texttt {01},\texttt {04},\texttt {01},\texttt {08},\texttt {05},\texttt {02},\texttt {09}). \end{aligned}$$

Notice that the \(\textsf {SR}\) of Whirlpool applies to columns and \(\textsf {MC}\) applies to rows, respectively (Fig. 3).

Fig. 3. The structure of the Whirlpool hash function.

Noting that the matrix

$$(M_{\textsf {MC}}^{-1})^{\text {T}}=\text {circ}(\texttt {04},\texttt {3E},\texttt {CB},\texttt {C2},\texttt {C2},\texttt {A4},\texttt {0E},\texttt {AE})$$

has two identical elements in each row (the entry \(\texttt {C2}\) appears twice), Theorem 1 gives the following distinguishing property for Whirlpool:

Corollary 3

Let \(V_1=\{(p_{i,j})\in \mathbb F_{2^8}^{8\times 8}| p_{0,3}\oplus p_{0,4}=h_{0,3}^{(0)}\oplus h_{0,4}^{(0)}\}\). Then for Whirlpool reduced to 5 rounds, the sum of all the outputs over \(V_1\) is 0.

Although this distinguisher covers fewer rounds than the rebound attack [28], our result shows some new features of Whirlpool that could be exploited in the future. From the direct proof of Theorem 1, the key point is that the outputs of the first round can be divided into some known structures which lead to 4-round integrals. Therefore we have the following property:

Corollary 4

Let \(V_2=\{(p_{i,j})\in \mathbb F_{2^8}^{8\times 8}|\texttt {AE} \cdot S(p_{0,0}\oplus h_{0,0}^{(0)})=\texttt {04} \cdot S(p_{1,1}\oplus h_{1,1}^{(0)})\}\). Then for Whirlpool reduced to 5 rounds, the sum of all the outputs over \(V_2\) is 0.

Proof

Let the input of the first column to the first MixColumns be \(X=(x_0,\ldots ,x_7)^{\text {T}}\) and \(Y=(y_0,\ldots ,y_7)^{\text {T}}\) be the corresponding output. Then \(x_0=S(p_{0,0}\oplus h_{0,0}^{(0)})\), \(x_1=S(p_{1,1}\oplus h_{1,1}^{(0)})\) and we have \(\texttt {AE}\cdot x_0=\texttt {04}\cdot x_1\). Since \(X=M_{\textsf {MC}}^{-1}Y\), therefore,

$$\begin{aligned} {\left\{ \begin{array}{ll} x_0=\texttt {04}\cdot y_0\oplus \texttt {3E}\cdot y_1\oplus \texttt {CB}\cdot y_2\oplus \texttt {C2}\cdot y_3\oplus \texttt {C2}\cdot y_4\oplus \texttt {A4}\cdot y_5\oplus \texttt {0E}\cdot y_6\oplus \texttt {AE}\cdot y_7\\ x_1=\texttt {AE}\cdot y_0\oplus \texttt {04}\cdot y_1\oplus \texttt {3E}\cdot y_2\oplus \texttt {CB}\cdot y_3\oplus \texttt {C2}\cdot y_4\oplus \texttt {C2}\cdot y_5\oplus \texttt {A4}\cdot y_6\oplus \texttt {0E}\cdot y_7. \end{array}\right. } \end{aligned}$$

Consequently,

$$\begin{aligned} &\texttt {AE}\cdot (\texttt {3E}\cdot y_1\oplus \texttt {CB}\cdot y_2\oplus \texttt {C2}\cdot y_3\oplus \texttt {C2}\cdot y_4\oplus \texttt {A4}\cdot y_5\oplus \texttt {0E}\cdot y_6\oplus \texttt {AE}\cdot y_7)\\ &= \texttt {04}\cdot (\texttt {04}\cdot y_1\oplus \texttt {3E}\cdot y_2\oplus \texttt {CB}\cdot y_3\oplus \texttt {C2}\cdot y_4\oplus \texttt {C2}\cdot y_5\oplus \texttt {A4}\cdot y_6\oplus \texttt {0E}\cdot y_7), \end{aligned}$$

which implies that there exists a linear function l such that

$$y_4=l(y_1,y_2,y_3,y_5,y_6,y_7).$$

Since the dimension of the input is \(n-1\), we know that \(y_0\) is independent of \(y_1,\ldots ,y_7\). As in constructing the 4-round integral distinguisher of the AES based on the 3-round distinguisher, place this property in front of the known 4-round integral distinguisher for Whirlpool and we conclude that the sum of the outputs is 0.   \(\square \)

Furthermore, we can extend the results to the structures with different S-boxes and no constraints on the elements of \((M_{\textsf {MC}}^{-1})^{\text {T}}\).

Theorem 2

In a Miyaguchi-Preneel hashing mode, if the block cipher adopts a 5-round AES-like structure, there always exists a subset V such that when the input takes all possible values in V, the sum of the outputs is 0.

Proof

Let the first two elements in the first column of the inverse MDS matrix be \(a_0\) and \(a_1\), and the input to these two positions be \(S_0(p_{0,0}\oplus h_{0,0})\) and \(S_1(p_{1,1}\oplus h_{1,1})\). For any \(p_{0,0}\), we can always choose \(p_{1,1}\) such that

$$a_1S_0(p_{0,0}\oplus h_{0,0})=a_0S_1(p_{1,1}\oplus h_{1,1}).$$

Then the conclusion follows from the proof of Corollary 4.

6 Application to AES

AES is one of the most widely used block ciphers since 2000, and many cryptographic primitives adopt round-reduced AES as a building block. The first known integral distinguisher for the AES covers 3 rounds [12], which was later improved to a 4-round higher-order integral [17]. However, the technique that improved the 3-round integral to a 4-round one cannot be directly used to improve the integral from 4 rounds to 5 rounds. In the following, we will show that the improvement is possible provided the difference of some sub-key bytes is known.

Since the \(M_{\textsf {MC}}\) adopted in the AES satisfies

$$\begin{aligned}(M_{\textsf {MC}}^{-1})^{\text {T}}= \begin{pmatrix} \texttt {0E}&\texttt {09}&\texttt {0D}&\texttt {0B}\\ \texttt {0B}&\texttt {0E}&\texttt {09}&\texttt {0D}\\ \texttt {0D}&\texttt {0B}&\texttt {0E}&\texttt {09}\\ \texttt {09}&\texttt {0D}&\texttt {0B}&\texttt {0E} \end{pmatrix}=\text {circ}(\texttt {0E},\texttt {09},\texttt {0D},\texttt {0B}), \end{aligned}$$

i.e., the elements in each row are pairwise different, it seems that we cannot construct such distinguishers for 5-round AES. However, since there are two \(\texttt {01}\)'s in each column of \(M_{\textsf {MC}}=\text {circ}(\texttt {02},\texttt {03},\texttt {01},\texttt {01})\), we can construct a distinguisher for \(AES^{-1}\), i.e., we can turn the chosen-plaintext distinguishers shown in Theorem 1 into chosen-ciphertext ones.
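The two matrix conditions used in this paper, two identical entries in a row of \((M_{\textsf {MC}}^{-1})^{\text {T}}\) (Theorem 1, applied to Whirlpool in Sect. 5) and two identical entries in a column of \(M_{\textsf {MC}}\) itself (the chosen-ciphertext direction for the AES above), can be checked mechanically for any circulant MDS matrix. The following Python script is an added example and not code from the paper: it implements \(\mathbb F_{2^8}\) arithmetic, inverts the matrix by Gauss-Jordan elimination, and reports which rows of \((M^{-1})^{\text {T}}\) and which columns of \(M\) hold a repeated element. It also computes the coefficient vector of the constraint \(a_1 x_0 = a_0 x_1\) from the proofs of Corollary 4 and Theorem 2, showing that the coefficient of \(y_0\) is always 0. It assumes the AES reduction polynomial \(x^8+x^4+x^3+x+1\) (0x11B), Whirlpool's \(x^8+x^4+x^3+x^2+1\) (0x11D), and the convention that row \(i\) of \(\text {circ}(m_0,\ldots ,m_{n-1})\) is the first row rotated right by \(i\) positions.

```python
# Added example, not the paper's code. Checks the MixColumns conditions of
# Theorem 1 and Sect. 6 over GF(2^8).  Assumptions: AES polynomial 0x11B,
# Whirlpool polynomial 0x11D, circ(m0..m_{n-1}) = right-circulant matrix.

AES_POLY = 0x11B
WHIRLPOOL_POLY = 0x11D
AES_MC = [0x02, 0x03, 0x01, 0x01]                               # first row of AES MixColumns
WHIRLPOOL_MC = [0x01, 0x01, 0x04, 0x01, 0x08, 0x05, 0x02, 0x09]  # first row of Whirlpool MC


def gf_mul(a, b, poly):
    """Multiply two bytes in GF(2^8) reduced by `poly` (shift-and-add)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= poly
    return r


def gf_inv(a, poly):
    """Multiplicative inverse by exhaustive search; 255 candidates is cheap."""
    for x in range(1, 256):
        if gf_mul(a, x, poly) == 1:
            return x
    raise ZeroDivisionError("0 has no inverse")


def circ(first_row):
    """Right-circulant matrix: row i is the first row rotated right by i."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


def transpose(m):
    return [list(col) for col in zip(*m)]


def mat_mul(a, b, poly):
    n = len(a)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            acc = 0
            for k in range(n):
                acc ^= gf_mul(a[i][k], b[k][j], poly)
            out[i][j] = acc
    return out


def mat_inv(m, poly):
    """Gauss-Jordan elimination over GF(2^8); raises if m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = gf_inv(aug[col][col], poly)
        aug[col] = [gf_mul(scale, v, poly) for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [v ^ gf_mul(f, w, poly) for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def rows_with_repeats(m):
    """Indices of rows that contain two identical elements."""
    return [i for i, row in enumerate(m) if len(set(row)) < len(row)]


def y0_cancellation(m_inv, poly):
    """Coefficients c_j such that a1*x_0 xor a0*x_1 = XOR_j c_j*y_j, where
    X = M^-1 Y and (a0, a1) are the first two entries of the first column of
    M^-1 (proofs of Corollary 4 and Theorem 2).  c_0 = a1*a0 xor a0*a1 = 0,
    so the constraint only ties y_1..y_{n-1} together and leaves y_0 free."""
    a0, a1 = m_inv[0][0], m_inv[1][0]
    return [gf_mul(a1, m_inv[0][j], poly) ^ gf_mul(a0, m_inv[1][j], poly)
            for j in range(len(m_inv))]


def analyse(first_row, poly):
    """Invert circ(first_row), verify M*M^-1 = I, and report the repeat structure."""
    m = circ(first_row)
    m_inv = mat_inv(m, poly)
    n = len(m)
    identity = [[int(i == j) for j in range(n)] for i in range(n)]
    if mat_mul(m, m_inv, poly) != identity:
        raise AssertionError("inverse check failed")
    m_inv_t = transpose(m_inv)
    return {
        "inv_T_first_row": m_inv_t[0],
        "inv_T_rows_with_repeats": rows_with_repeats(m_inv_t),   # Theorem 1 condition
        "M_cols_with_repeats": rows_with_repeats(transpose(m)),  # chosen-ciphertext direction
        "y0_coefficients": y0_cancellation(m_inv, poly),
    }


if __name__ == "__main__":
    for name, row, poly in (("AES", AES_MC, AES_POLY), ("Whirlpool", WHIRLPOOL_MC, WHIRLPOOL_POLY)):
        res = analyse(row, poly)
        print(name, "(M^-1)^T first row:", [f"{v:02X}" for v in res["inv_T_first_row"]])
        print("  rows of (M^-1)^T with a repeated element:", res["inv_T_rows_with_repeats"])
        print("  columns of M with a repeated element:", res["M_cols_with_repeats"])
```

For the AES the script reproduces \((M_{\textsf {MC}}^{-1})^{\text {T}}=\text {circ}(\texttt {0E},\texttt {09},\texttt {0D},\texttt {0B})\) with no repeated row entries and flags every column of \(M_{\textsf {MC}}\) for its two \(\texttt {01}\)'s, which is exactly why the distinguisher has to be built for \(AES^{-1}\). The same `analyse` call is the check a designer would run against the criterion in the conclusion before fixing a MixColumns matrix.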

Lemma 3

Let \(V=\{(x_{i,j})\in \mathbb F_{2^8}^{4\times 4}| x_{0,0}\oplus x_{1,3}=k_{0,0}\oplus k_{1,3}\}\) be the input set. Then for each output byte of 5-round AES\(^{-1}\) without MixColumns operation in the last round, every value of \(\mathbb F_{2^8}\) appears \(2^{112}\) times and the sum of every output byte of the 5-round AES\(^{-1}\) with MixColumns operation in the last round is 0.

Theorem 3

5-round AES with MixColumns in the last round can be distinguished from a random permutation as follows. Divide the whole input-output space into the following \(2^8\) subsets:

$$A_\varDelta =\{(p,c)| c_{0,0}\oplus c_{1,3}=\varDelta \},$$

and let

$$T_\varDelta =\sum _{(p,c)\in A_\varDelta }p.$$

Then there always exists a \(\varDelta \) such that \(k_{0,0}\oplus k_{1,3}=\varDelta \) and \(T_\varDelta =0\). For random permutations, this happens with probability \(1-(1-2^{-128})^{2^8}\approx 2^{-120}\).

To the best of our knowledge, Theorem 3 gives the best distinguisher of the AES with respect to the number of rounds it covers. Since the AES adopts a circulant MDS matrix, we can get many other variants of this property by dividing the whole set into different subsets. For example,

Corollary 5

5-round AES with MixColumns in the last round can be distinguished from a random permutation as follows. Divide the whole input-output space into the following \(2^{32}\) subsets:

$$A_{\alpha ,\beta ,\gamma ,\phi }=\{(p,c)|c_{0,0}\oplus c_{1,3}=\alpha ,c_{0,1}\oplus c_{3,2}=\beta ,c_{1,2}\oplus c_{2,1}=\gamma ,c_{2,0}\oplus c_{3,3}=\phi \},$$

and let

$$T_{\alpha ,\beta ,\gamma ,\phi }=\sum _{(p,c)\in A_{\alpha ,\beta ,\gamma ,\phi }}p.$$

Then there always exists an \((\alpha ,\beta ,\gamma ,\phi )\in \mathbb F_{2^8}^4\) such that \(T_{\alpha ,\beta ,\gamma ,\phi }=0\). For random permutations, this happens with probability \(1-(1-2^{-128})^{2^{32}}\approx 2^{-96}\).

7 Conclusion

Distinguishers on AES-like SPN structures are covered extensively in the literature. For example, we already have 4-round zero-correlation linear hulls for AES-like structures without MixColumns in the last round and 4-round integral distinguishers for AES-like structures with MixColumns in the last round. Note that these distinguishers do not depend on which S-box and MDS matrix are used in the cipher. This paper gives some new insights on such ciphers especially with detailed S-boxes and MDS matrices.

Firstly, we observe that if there are two identical elements in a row of the transpose of the inverse matrix of the MixColumns operation, and the S-boxes used in these two positions are identical, then we can construct 5-round zero-correlation linear hulls for a 5-round AES-like SPN structure provided some differences of the sub-key bytes are known. Then, under the same setting, and based on the link between zero-correlation linear hulls and integrals, we construct 5-round integrals for such AES-like SPN structures both with and without the MixColumns operation in the last round. These results show that such 5-round AES-like SPN structures can be theoretically distinguished from random permutations.

Secondly, in a hashing scheme where the chaining value serves as the secret key in block ciphers, we can further remove the constraint on the matrices and S-boxes. We apply the new results to the Whirlpool hash function and construct 5-round integral-like distinguishers.

Furthermore, since these results do not apply to the AES directly, we find that although we cannot build a distinguisher in a chosen-plaintext mode, we can construct a 5-round distinguisher for the AES in the chosen-ciphertext mode which is the best distinguisher for the AES with respect to the number of rounds it covers.

Our results show that, irrespective of the key schedule, there may be some difference between the security margin of round-reduced AES under chosen-plaintext attacks and that under chosen-ciphertext attacks. Since we can distinguish 5-round AES from random permutations, dedicated cryptographic schemes built on it should be carefully investigated to guarantee their security claims. Furthermore, when designing an AES-like cipher, it is better to choose an MDS matrix \(M_{\text {MC}}\) such that neither \(M_{\text {MC}}\) nor \(M_{\text {MC}}^{-1}\) has two identical elements in the same column.

Now that we have some new features of 5-round AES, we leave as an open problem whether one could mount better key-recovery attacks against round-reduced AES or other schemes based on the AES-like SPN structure.