Related-Key Differential Cryptanalysis of 192-bit Key AES Variants

摘要

A related-key differential cryptanalysis is applied to the 192-bit key variant of AES. Although any 4-round differential trail has at least 25 active bytes, one can construct 5-round related-key differential trail that has only 15 active bytes and break six rounds with 2106 plaintext/ciphertext pairs and complexity 2112. The attack can be improved using truncated differentials. In this case, the number of required plaintext/ciphertext pairs is 2~(81) and the complexity is about 2~(86). Using impossible related-key differentials we can break seven rounds with 2111 plaintext/ciphertext pairs and computational complexity 2~(116). The attack on eight rounds requires 2~(88) plaintext/ciphertext pairs and its complexity is about 2~(183) encryptions. In the case of differential cryptanalysis, if the iterated cipher is Markov cipher and the round keys are independent, then the sequence of differences at each round output forms a Markov chain and the cipher becomes resistant to differential cryptanalysis after sufficiently many rounds, but this is not true in the case of related-key differentials. It can be shown that if in addition the Markov cipher has K-f round function and the hypothesis of stochastic equivalence for related keys holds, then the iterated cipher is resistant to related-key differential attacks after sufficiently many rounds.