Non-Existence of One-Byte Active Impossible Differentials for 5-Round AES in the Master-Key Setting

作     者：YAN Xueping TAN Lin QI Wenfeng YAN Xueping;TAN Lin;QI Wenfeng

作者机构：PLA Strategic Support Force Information Engineering UniversityZhengzhou 450000China 

出 版 物：《Journal of Systems Science & Complexity》 (系统科学与复杂性学报（英文版）)

年 卷 期：2023年第36卷第3期

页      面：1336-1350页

核心收录：

学科分类：11[军事学] 1105[军事学-军队指挥学] 0839[工学-网络空间安全] 08[工学] 110505[军事学-密码学] 110503[军事学-军事通信学] 

基　　金：supported by the National Cryptography Development Fund of China under Grant Nos.MMJJ20170103 and MMJJ20180204 

主　　题：AES impossible differential key schedule master-key setting 

摘      要：Impossible differential cryptanalysis is an important approach to evaluate the security of block ciphers. In EUROCRYPT 2016, Sun, et al. proved that there exists no impossible differential longer than four rounds for the AES structure where S-boxes are arbitrary. In DCC 2019, Wang,et al. proved that any differential is possible for 5-round AES, assuming that the round keys are independent and uniformly random. In ASIACRYPT 2020, Hu, et al. used automatic search to show that there exists no one-byte active impossible differential for 5-round AES-128 considering the relations of 3-round keys. By algebraic methods, this paper theoretically proves that there exists no one-byte active impossible differential for 5-round AES even considering the relations of all round keys. Firstly,the authors prove the independence of ten bytes in the consecutive four round keys under the key schedule of AES-128. Then 5-round AES is decomposed to three subfunctions and the propagations of the considered differences in these subfunctions are discussed. Finally, the authors prove that the considered differential trails can be connected by the ten bytes of round keys. Furthermore, for any given one-byte active differential, there are at least 2^(51) master keys such that the differential is possible for 5-round AES-128.