A New Structural-Differential Property of 5-Round AES
Lorenzo Grassi, Christian Rechberger and Sondre Rønjom
May 2017
www.iaik.tugraz.at
Introduction
AES is probably the most widely studied and used block cipher. So far, non-random properties which are independent of the secret key are known for up to 4 rounds of AES. We propose a new structural property for up to 5 rounds of AES which is independent of the secret key.
Table of Contents
1 Secret-Key Distinguisher up to 5 Rounds of AES
2 A Formal Description
3 Sketch of the Proof
4 Open Problems
Part I Secret-Key Distinguisher up to 5 Rounds of AES
AES
High-level description of AES:
- block cipher based on a design principle known as substitution-permutation network;
- block size of 128 bits = 16 bytes, organized in a 4 × 4 matrix;
- key size of 128/192/256 bits;
- 10/12/14 rounds: R_i(x) = k_i ⊕ MC ∘ SR ∘ S-Box(x).
Secret-Key Distinguisher
Secret-Key Distinguisher: one of the weakest cryptographic attacks.
Setting: two oracles:
- one simulates the block cipher, for which the cryptographic key has been chosen at random;
- the other simulates a truly random permutation.
Goal: distinguish the two oracles, i.e. decide which oracle is the cipher.
Secret-Key Distinguishers are usually starting points for Key-Recovery Attacks.
Secret-Key Distinguisher up to 4-round AES
Up to 4-round AES, a Secret-Key Distinguisher exploits one of the following properties:
- Truncated Differential;
- Integral/Zero Sum;
- Impossible Differential.
They are all independent of the secret key.
Secret-Key Distinguisher on 4-round AES - Details
Secret-Key Distinguisher on 4-round AES:
- Integral Property [DKR97];
- Impossible Differential Property [BK00].
Consider a set of 2^32 plaintexts with one active diagonal (A = active byte, C = constant byte):
A C C C
C A C C
C C A C
C C C A
Impossible Differential Distinguisher [BK00]
Balance/Zero-Sum Property [DKR97]
A C C C
C A C C
C C A C
C C C A
  --R^4(·)-->
B B B B
B B B B
B B B B
B B B B
  --R(·)--> ?
Given the same initial set of plaintexts, is there any property which is independent of the secret key after 5-round AES?
Related Work on 5 rounds of AES
A Key-Recovery Attack can be used as a Secret-Key Distinguisher: the knowledge of the entire key is (usually) necessary to distinguish the block cipher from the random permutation.
At CRYPTO 2016, Sun, Liu, Guo, Qu and Rijmen [SMG+16] proposed a Zero-Sum Distinguisher for 5-round AES that:
- depends on one byte - not all - of the secret key to distinguish 5-round AES from the random permutation;
- is independent of the S-Box but not of the MixColumns matrix;
- requires the full codebook.
Structural Property for 5 Rounds of AES
Assume 5-round AES without the final MixColumns operation.
Theorem. Consider a set of 2^32 chosen plaintexts with one active diagonal. Let n be the number of different pairs of ciphertexts which are equal in one (fixed) anti-diagonal. The number n is a multiple of 8 with probability 1, i.e. ∃ n′ ∈ ℕ s.t. n = 8 · n′, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5).
A similar result holds also in the decryption direction (i.e. using chosen ciphertexts instead of plaintexts).
Distinguisher on 5-round of AES (1/2)
Goal: distinguish 5-round AES from a random permutation.
- Consider 2^32 plaintexts with one active diagonal.
- Count the number n of pairs of ciphertexts (after 5 rounds) which are equal in one (fixed) anti-diagonal.
- If n mod 8 ≠ 0, then the permutation is a random one.
Distinguisher on 5-round of AES (2/2)
To distinguish 5-round AES from a random permutation with probability of success higher than 99.5%:
- data cost: 2^32 chosen plaintexts/ciphertexts;
- computational cost: 2^35.6 table look-ups on a table of size 2^36 bytes.
Practically verified:
https://github.com/Krypto-iaik/AES_5round_SKdistinguisher
Part II A Formal Description
Subspace Trails for AES [GRR16] (FSE 2017)
We define the following subspaces: column space C_I; diagonal space D_I; inverse-diagonal space ID_I; mixed space M_I.
The Diagonal Space
Definition. The diagonal spaces D_i for i ∈ {0, 1, 2, 3} are defined as D_i = ⟨e_{0,i}, e_{1,(i+1)}, e_{2,(i+2)}, e_{3,(i+3)}⟩ (column indices taken mod 4). E.g. D_0 corresponds to the symbolic matrix
x1 0  0  0
0  x2 0  0
0  0  x3 0
0  0  0  x4
for all x1, x2, x3, x4 ∈ F_{2^8}.
Meaning of “p1 ⊕ p2 ∈ Di”
Texts p1 and p2 belong to D_i ⊕ a (i.e. a coset of D_i), p1, p2 ∈ D_i ⊕ a ≡ {x ⊕ a | ∀x ∈ D_i}, if and only if p1 ⊕ p2 ∈ D_i, that is p1 and p2 are equal in all bytes except for the ones in the i-th diagonal. E.g. p1, p2 ∈ D_0 ⊕ a iff p1 ⊕ p2 ∈ D_0 iff
p1 ⊕ p2 ≡
? 0 0 0
0 ? 0 0
0 0 ? 0
0 0 0 ?
(where ? denotes an arbitrary byte).
The Inverse-Diagonal Space
Definition. The inverse-diagonal spaces ID_i for i ∈ {0, 1, 2, 3} are defined as ID_i = ⟨e_{0,i}, e_{1,(i−1)}, e_{2,(i−2)}, e_{3,(i−3)}⟩ (column indices taken mod 4). E.g. ID_0 corresponds to the symbolic matrix
x1 0  0  0
0  0  0  x2
0  0  x3 0
0  x4 0  0
for all x1, x2, x3, x4 ∈ F_{2^8}.
The Mixed Space
Definition. The i-th mixed spaces M_i for i ∈ {0, 1, 2, 3} are defined as M_i = MC(ID_i). E.g. M_0 corresponds to the symbolic matrix
0x02·x1  x4       x3       0x03·x2
x1       x4       0x03·x3  0x02·x2
x1       0x03·x4  0x02·x3  x2
0x03·x1  0x02·x4  x3       x2
for all x1, x2, x3, x4 ∈ F_{2^8}.
Subspace Trail for AES
For I ⊆ {0, 1, 2, 3}, let D_I, ID_I and M_I be defined as
D_I = ⊕_{i∈I} D_i,  ID_I = ⊕_{i∈I} ID_i,  M_I = ⊕_{i∈I} M_i.
Theorem. For each a ∈ D_I, there exists a (unique) b ∈ M_I s.t. R^2(D_I ⊕ a) = M_I ⊕ b. Equivalently, for each x, y: Prob(R^2(x) ⊕ R^2(y) ∈ M_I | x ⊕ y ∈ D_I) = 1.
Structural Property for 5 Rounds of AES
Given D_I ⊕ a (i.e. a coset of D_I), consider all the 2^{32·|I|} plaintexts and the corresponding ciphertexts after 5 rounds, i.e. (p_i, c_i ≡ R^5(p_i)) for i = 0, ..., 2^{32·|I|} − 1 where p_i ∈ D_I ⊕ a.
Theorem. For a fixed J ⊆ {0, 1, 2, 3}, let n be the number of different pairs of ciphertexts (c_i, c_j) for i ≠ j such that c_i ⊕ c_j ∈ M_J:
n := |{(p_i, c_i), (p_j, c_j) | ∀p_i, p_j ∈ D_I ⊕ a, p_i < p_j and c_i ⊕ c_j ∈ M_J}|.
The number n is a multiple of 8, i.e. ∃ n′ ∈ ℕ s.t. n = 8 · n′, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5).
Part III Sketch of the Proof
Reduction to a Single Round (1/2)
Remember: R^2(D_I ⊕ a) = M_I ⊕ b and for each x, y: Prob(R^2(x) ⊕ R^2(y) ∈ M_I | x ⊕ y ∈ D_I) = 1. Since
D_I ⊕ a  --R^2(·), prob. 1-->  M_I ⊕ b  --R(·)-->  D_J ⊕ a′  --R^2(·), prob. 1-->  M_J ⊕ b′,
we can focus only on the middle round!
Reduction to a Single Round (2/2)
Given M_I ⊕ a, consider all the 2^{32·|I|} plaintexts and the corresponding ciphertexts after 1 round, i.e. (p_i, c_i ≡ R(p_i)) for i = 0, ..., 2^{32·|I|} − 1 where p_i ∈ M_I ⊕ a.
Lemma. Let n be the number of different pairs of ciphertexts (c_i, c_j) for i ≠ j such that c_i ⊕ c_j ∈ D_J:
n := |{(p_i, c_i), (p_j, c_j) | ∀p_i, p_j ∈ M_I ⊕ a, p_i < p_j and c_i ⊕ c_j ∈ D_J}|.
The number n is a multiple of 8, independently of the secret key, of the details of the S-Box and of the MixColumns matrix (assuming branch number equal to 5).
Sketch of the Proof
W.l.o.g. I = {0}. Given p1, p2 ∈ M_0 ⊕ a, there exist x1, y1, z1, w1 ∈ F_{2^8} and x2, y2, z2, w2 ∈ F_{2^8} s.t.:
p_i = a ⊕
2·x_i  y_i    z_i    3·w_i
x_i    y_i    3·z_i  2·w_i
x_i    3·y_i  2·z_i  w_i
3·x_i  2·y_i  z_i    w_i
for i = 1, 2 and where 2 ≡ 0x02 and 3 ≡ 0x03. For the following: p1 “≡” (x1, y1, z1, w1) and p2 “≡” (x2, y2, z2, w2).
Sketch of the Proof
Study the following cases:
- 3 variables are equal, e.g. x1 ≠ x2 and y1 = y2, z1 = z2, w1 = w2;
- 2 variables are equal, e.g. x1 ≠ x2, y1 ≠ y2 and z1 = z2, w1 = w2;
- 1 variable is equal, e.g. x1 ≠ x2, y1 ≠ y2, z1 ≠ z2 and w1 = w2;
- all variables are different, e.g. x1 ≠ x2, y1 ≠ y2, z1 ≠ z2, w1 ≠ w2.
If 3 variables are equal, then R(p1) ⊕ R(p2) = c1 ⊕ c2 ∉ D_J with prob. 1.
Sketch of the Proof (2 variables are different)
W.l.o.g. consider p1 ≡ (x1, y1, z, w) and p2 ≡ (x2, y2, z, w). R(p1) ⊕ R(p2) ∈ D_J if and only if R(p̂1) ⊕ R(p̂2) ∈ D_J where p̂1 ≡ (x1, y2, z, w), p̂2 ≡ (x2, y1, z, w). It is sufficient to prove that R(p1) ⊕ R(p2) = R(p̂1) ⊕ R(p̂2). For the byte in position (0,0):
(R(p1) ⊕ R(p2))_{0,0}
= 2 · [S-Box(2 · x1 ⊕ a_{0,0}) ⊕ S-Box(2 · x2 ⊕ a_{0,0})] ⊕ 3 · [S-Box(y1 ⊕ a_{1,1}) ⊕ S-Box(y2 ⊕ a_{1,1})]
= (R(p̂1) ⊕ R(p̂2))_{0,0}.
Sketch of the Proof (2 variables are different)
Given p1 ≡ (x1, y1, z, w) and p2 ≡ (x2, y2, z, w), R(p1) ⊕ R(p2) ∈ D_J if and only if R(p̂1) ⊕ R(p̂2) ∈ D_J, where
- p̂1 ≡ (x1, y1, z, w), p̂2 ≡ (x2, y2, z, w), or
- p̂1 ≡ (x1, y2, z, w), p̂2 ≡ (x2, y1, z, w),
for all z, w ∈ F_{2^8}.
Note: p1 ≡ (x1, y1, z, w) and p2 ≡ (x2, y2, z, w) such that R(p1) ⊕ R(p2) ∈ D_J can exist if and only if |J| ≥ 3.
Sketch of the Proof (3 variables are different)
W.l.o.g. consider p1 ≡ (x1, y1, z1, w) and p2 ≡ (x2, y2, z2, w). R(p1) ⊕ R(p2) ∈ D_J if and only if R(p̂1) ⊕ R(p̂2) ∈ D_J where
- p̂1 ≡ (x1, y1, z1, w), p̂2 ≡ (x2, y2, z2, w);
- p̂1 ≡ (x2, y1, z1, w), p̂2 ≡ (x1, y2, z2, w);
- p̂1 ≡ (x1, y2, z1, w), p̂2 ≡ (x2, y1, z2, w);
- p̂1 ≡ (x1, y1, z2, w), p̂2 ≡ (x2, y2, z1, w);
for each w ∈ F_{2^8}.
Note: p1 ≡ (x1, y1, z1, w) and p2 ≡ (x2, y2, z2, w) such that R(p1) ⊕ R(p2) ∈ D_J can exist if and only if |J| ≥ 2.
Sketch of the Proof (4 variables are different)
W.l.o.g. consider p1 ≡ (x1, y1, z1, w1) and p2 ≡ (x2, y2, z2, w2). R(p1) ⊕ R(p2) ∈ D_J if and only if R(p̂1) ⊕ R(p̂2) ∈ D_J where
- p̂1 ≡ (x2, y1, z1, w1), p̂2 ≡ (x1, y2, z2, w2);
- p̂1 ≡ (x1, y2, z1, w1), p̂2 ≡ (x2, y1, z2, w2);
- p̂1 ≡ (x1, y1, z2, w1), p̂2 ≡ (x2, y2, z1, w2);
- p̂1 ≡ (x1, y1, z1, w2), p̂2 ≡ (x2, y2, z2, w1);
- p̂1 ≡ (x1, y1, z2, w2), p̂2 ≡ (x2, y2, z1, w1);
- p̂1 ≡ (x1, y2, z1, w2), p̂2 ≡ (x2, y1, z2, w1);
- p̂1 ≡ (x1, y2, z2, w1), p̂2 ≡ (x2, y1, z1, w2).
Note: p1 ≡ (x1, y1, z1, w1) and p2 ≡ (x2, y2, z2, w2) such that R(p1) ⊕ R(p2) ∈ D_J can exist if and only if |J| ≥ 1.
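The following Python script is an added example; it is neither code from these slides nor from the authors' AES_5round_SKdistinguisher repository. It implements a single AES round R(x) = k ⊕ MC ∘ SR ∘ S-Box(x) with random round keys (the statements being checked are claimed to be key-independent), together with membership tests for the subspaces D_I, ID_I and M_I = MC(ID_I), and then checks two statements on random inputs: the two-round subspace trail Prob(R^2(x) ⊕ R^2(y) ∈ M_I | x ⊕ y ∈ D_I) = 1 from the "Subspace Trail for AES" slide, and the swap identity R(p1) ⊕ R(p2) = R(p̂1) ⊕ R(p̂2) for texts in M_0 ⊕ a used in the "2/3/4 variables are different" steps, generalized to exchanging any subset of the four variables x, y, z, w between the two texts. All function names and the random sampling are the example's own assumptions; the matrix layout (state[row][col], byte (r,c) at offset r + 4·c) matches the slides' definitions.

```python
import os

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def gmul(a, b):
    """Multiplication in the AES field GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _build_sbox():
    """AES S-box: field inverse followed by the fixed affine map (FIPS-197)."""
    box = []
    for v in range(256):
        inv = 0 if v == 0 else next(u for u in range(1, 256) if gmul(v, u) == 1)
        s = inv
        for sh in (1, 2, 3, 4):
            s ^= ((inv << sh) | (inv >> (8 - sh))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()

# A state is a 4x4 list state[row][col]; byte (r, c) sits at offset r + 4*c.
def rand_state():
    b = os.urandom(16)
    return [[b[r + 4 * c] for c in range(4)] for r in range(4)]

def xor_state(s, t):
    return [[s[r][c] ^ t[r][c] for c in range(4)] for r in range(4)]

def _mix(s, coef):
    """Apply the circulant matrix whose first row is `coef` to every column."""
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        for r in range(4):
            acc = 0
            for j in range(4):
                acc ^= gmul(coef[(j - r) % 4], s[j][c])
            out[r][c] = acc
    return out

def aes_round(s, k):
    """One AES round R(x) = k ^ MC(SR(SB(x))) as defined on the 'AES' slide."""
    sb = [[SBOX[b] for b in row] for row in s]
    sr = [row[r:] + row[:r] for r, row in enumerate(sb)]   # row r rotated left by r
    return xor_state(_mix(sr, (2, 3, 1, 1)), k)

def in_D(d, I):
    """d in D_I: only bytes (r, i+r mod 4) with i in I may be nonzero."""
    return all(d[r][c] == 0 for r in range(4) for c in range(4) if (c - r) % 4 not in I)

def in_ID(d, I):
    """d in ID_I: only bytes (r, i-r mod 4) with i in I may be nonzero."""
    return all(d[r][c] == 0 for r in range(4) for c in range(4) if (c + r) % 4 not in I)

def in_M(d, I):
    """d in M_I = MC(ID_I): undo MixColumns (inverse coefficients) and test ID_I."""
    return in_ID(_mix(d, (14, 11, 13, 9)), I)

def check_two_round_trail(I, trials=64):
    """Subspace trail theorem: x ^ y in D_I implies R^2(x) ^ R^2(y) in M_I, for random keys."""
    k1, k2 = rand_state(), rand_state()
    for _ in range(trials):
        x = rand_state()
        diff = [[os.urandom(1)[0] if (c - r) % 4 in I else 0 for c in range(4)] for r in range(4)]
        y = xor_state(x, diff)                      # x ^ y lies in D_I by construction
        assert in_D(xor_state(x, y), I)
        cx = aes_round(aes_round(x, k1), k2)
        cy = aes_round(aes_round(y, k1), k2)
        if not in_M(xor_state(cx, cy), I):
            return False
    return True

def point_M0(a, x, y, z, w):
    """Element of the coset M_0 ^ a parametrized by (x, y, z, w) as on the proof slide."""
    m = [[gmul(2, x), y, z, gmul(3, w)],
         [x, y, gmul(3, z), gmul(2, w)],
         [x, gmul(3, y), gmul(2, z), w],
         [gmul(3, x), gmul(2, y), z, w]]
    return xor_state(a, m)

def check_swap_identity(swap, trials=64):
    """For p1 ~ v1, p2 ~ v2 in M_0 ^ a, exchanging the variables with index in `swap`
    (0..3 for x, y, z, w) between the two texts leaves R(p1) ^ R(p2) unchanged,
    so membership of the output difference in any D_J is preserved."""
    k = rand_state()
    for _ in range(trials):
        a = rand_state()
        v1, v2 = list(os.urandom(4)), list(os.urandom(4))
        h1 = [v2[i] if i in swap else v1[i] for i in range(4)]
        h2 = [v1[i] if i in swap else v2[i] for i in range(4)]
        p1, p2 = point_M0(a, *v1), point_M0(a, *v2)
        q1, q2 = point_M0(a, *h1), point_M0(a, *h2)
        if not in_M(xor_state(p1, a), {0}):         # sanity: the parametrization hits M_0 ^ a
            return False
        lhs = xor_state(aes_round(p1, k), aes_round(p2, k))
        rhs = xor_state(aes_round(q1, k), aes_round(q2, k))
        if lhs != rhs:
            return False
    return True

if __name__ == "__main__":
    print("2-round trail D_0 -> M_0   :", check_two_round_trail({0}))
    print("swap y between the texts   :", check_swap_identity({1}))
    print("swap x, z between the texts:", check_swap_identity({0, 2}))
```

The swap check passes for every subset because each byte of a text in M_0 ⊕ a is a constant plus a multiple of exactly one of x, y, z, w, so the S-Box output differences are computed variable by variable and MC ∘ SR only recombines them linearly; this is the one-line argument behind the (0,0) computation on the "2 variables are different" slide. The full 2^32-text count of the theorem is not reproduced here, only the one-round identities it rests on.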
Sketch of the Proof
n := |{(p_i, c_i), (p_j, c_j) | ∀p_i, p_j ∈ M_I ⊕ a, p_i < p_j and c_i ⊕ c_j ∈ D_J}|.
- If |J| = 1, then n = 8 · n′;
- If |J| = 2, then n = 8 · n′ + 4 · 2^8 · n′′;
- If |J| = 3, then n = 8 · n′ + 4 · 2^8 · n′′ + 2 · 2^16 · n′′′.
The number of collisions n is a multiple of 8 independently of I, J, the secret key, the details of the S-Box and the MixColumns operation (except for the branch number equal to 5).
Part IV Open Problems
Open Problems
First 5-round Secret-Key Distinguisher for AES independent of the secret key.
Open Problems:
- Set up a 6-round Secret-Key Distinguisher for AES independent of the secret key;
- Set up a key recovery attack that exploits this 5-round secret key distinguisher (or a modified version of it);
- Apply a “similar” distinguisher to other constructions.
Thanks for your attention! Questions? Comments?
Partial Order of the Plaintexts
Definition. Given two different texts t1 and t2, we say that t1 ≤ t2 if t1 = t2 or if there exist i, j ∈ {0, 1, 2, 3} such that
1. t1_{k,l} = t2_{k,l} for all k, l ∈ {0, 1, 2, 3} with k + 4 · l < i + 4 · j;
2. t1_{i,j} < t2_{i,j}.
If t1 ≤ t2 and t1 ≠ t2, then t1 < t2.
References I
- E. Biham and N. Keller, Cryptanalysis of Reduced Variants of Rijndael, unpublished, 2000, http://csrc.nist.gov/archive/aes/round2/conf3/papers/35-ebiham.pdf
- J. Daemen, L. Knudsen and V. Rijmen, The Block Cipher Square, FSE 1997
- L. Grassi, C. Rechberger and S. Rønjom, Subspace Trail Cryptanalysis and its Applications to AES, IACR Transactions on Symmetric Cryptology 2016
References II
- B. Sun, M. Liu, J. Guo, L. Qu and V. Rijmen,