New Yoyo Tricks with AES-based Permutations

Abstract. In Asiacrypt 2017, Rønjom et al. reported some interesting generic properties of SPNs, leading to what they call the Yoyo trick, and applied it to find the most efficient distinguishers on AES. In this work, we explore the Yoyo idea in distinguishing public permutations for the first time. We introduce the notion of nested zero difference pattern, which extends the Yoyo idea and helps to compose it with improbable and impossible differential strategies to penetrate a higher number of rounds. We devise a novel inside-out application of Yoyo which enables us to start the Yoyo game from an internal round. As an application, we investigate the AES-based public permutation AESQ used inside the authenticated cipher PAEQ. We achieve the first deterministic distinguisher of AESQ up to 8 rounds and the first 9-round distinguisher of AESQ that starts from the first round, with a practical complexity of around 2^{26}. We manage to augment Yoyo with improbable and impossible differentials, leading to distinguishers on 9, 10 and 12 rounds with complexities of about 2^{2}, 2^{28} and 2^{126} respectively. Further, with impossible differentials and a bi-directional Yoyo strategy, we obtain a 16-round impossible differential distinguisher with a complexity of 2^{126}. Our results outperform all previous records on AESQ by a substantial margin. As another application, we apply the proposed strategies to AES in the known-key setting, leading to one of the best 8-round known-key distinguishers with a complexity of 2^{30}. Finally, this work amplifies the scope of the Yoyo technique as a generic cryptanalysis tool.


Introduction
Non-random behavior of a cryptographic construction has historically been seen as a sign of an inherent weakness waiting to be exploited. In this regard, devising distinguishers is one of the fundamental aims of a cryptanalyst, since they help exhibit non-randomness. A distinguisher generally consists of a statistical or structural property of a cryptographic primitive that is not expected to occur for an equivalent random function. The scope of distinguishers is further amplified by the possibility of converting or extending them to stronger forms of attack, such as key recovery for block ciphers or collisions for hash functions. The SHA-3 competition [oST] witnessed the zero-sum distinguisher (introduced by Aumasson and Meier [AM09]), which was one of the most studied attacks against the internal public permutation Keccak-f of the SHA-3 winner Keccak. On the other hand, a multitude of distinguishing attacks have been reported on AES [DR02], both in the secret-key and in the known-key setting (introduced by Knudsen and Rijmen [KR07]). The known-key paradigm is of particular interest since it enables studying a cipher as a public permutation. Moreover, as argued by Knudsen and Rijmen, the non-existence of a known-key distinguisher implies the non-existence of a secret-key one, making it imperative to study the former. This work aims to explore distinguishing attacks on public permutations based on AES, with the motivation that the results reported here might lead to stronger attacks on constructions where these permutations are deployed as an internal transformation.
We investigate an interesting cryptanalytic tool called the Yoyo game, which was recently shown to be very effective in devising distinguishers [RBH17] on the block cipher standard AES. The Yoyo strategy was first reported in the cryptographic literature by Biham et al., who used it for the cryptanalysis of SKIPJACK [BBD+99]. In the Yoyo game, new pairs of plaintexts and ciphertexts are made adaptively from the original pairs, keeping a certain property invariant while making the new pairs. A common strategy is the use of zero differences in the pairs. Suppose a pair of plaintexts/ciphertexts has a certain zero difference after some rounds of a cipher. In the Yoyo game, one verifies whether new pairs of plaintexts/ciphertexts, formed by swapping bytes/words of the original pairs, still exhibit the same zero difference after the same number of rounds of the cipher. Using the Yoyo game, Biryukov et al. found a 7-round distinguisher for Feistel networks [BLP16]. In Asiacrypt 2017, Rønjom et al. applied the Yoyo game to generic Substitution-Permutation (SP) networks [RBH17] and proposed a generic deterministic distinguisher for two SP-rounds. As a case study they applied the strategy to variants of AES and found many practical distinguishers on up to 5 rounds of AES. They also reported a distinguisher for 6-round AES with data complexity 2^{122.83} and a key recovery attack on 5-round AES with complexity 2^{31} that requires 2^{11.3} plaintext/ciphertext pairs.
The current work intends to look at the Yoyo technique as a general cryptanalysis strategy, especially in the light of public permutations. In particular, we look at AESQ, the AES-based internal permutation of the CAESAR [cae] round 2 candidate PAEQ [BA14]. PAEQ, along with the AESQ permutation, was introduced by Biryukov and Khovratovich at ISC 2014 [BK14]. There are many variants of PAEQ, but across all variants the same 512-bit permutation AESQ is used. The designers themselves have done a lot of cryptanalysis on PAEQ and have shown a Constrained Input Constrained Output (CICO) attack with complexity 2^{32} on 8-round AESQ. They have also proposed a 12-round distinguisher with complexity 2^{256}. Bagheri et al. reduced the complexity of the 12-round distinguisher to 2^{128} [BMS16]. They extended their work to the 16-round AESQ permutation and showed a distinguisher with complexity 2^{192} using 2^{128} memory. A key recovery attack targeting the diffusion of the AESQ permutation has also been devised on PAEQ by Saha et al. [SKMC16], who proposed an 8-round key recovery with complexity 2^{48}. This work reports a family of distinguishers on AESQ which primarily capitalize on the Yoyo game. This is the first time that Yoyo-based distinguishers have been devised for a public permutation. The basic Yoyo idea is augmented with other cryptanalytic principles to penetrate a higher number of rounds. In doing so, the first practical 9-round distinguisher that works from the first round is achieved. The inside-out technique is leveraged to reach up to 10 rounds with practical complexities, and extended to 12 rounds with 2^{126} queries. Further, we introduce the idea of the bi-directional Yoyo game, where two Yoyo games are played in opposite directions and connected using the properties of the linear layer of AESQ. This leads to a 16-round distinguisher with a complexity of 2^{126}. We summarize our results in comparison to previous works in Table 1. As can be seen, the current work outperforms all previous results by a huge margin while requiring negligible memory. Finally, to emphasize the scope of the devised techniques, we apply them to AES, which in the known-key setting also behaves like a public permutation. Applying bi-directional Yoyo to AES yields one of the best 8-round distinguishers, with complexity 2^{30} and negligible memory, as shown in Table 3.
The rest of the work is organized as follows. In Section 2, a brief overview of the AESQ permutation is given. In Section 3, the tools used throughout the paper are discussed. In Section 4.1, a deterministic distinguisher for 8-round AESQ is presented. This deterministic distinguisher is extended to a 9-round probabilistic distinguisher in Section 4.2. In Section 5, a brief overview of improbable differentials and the inside-out technique, and their application to AESQ, is given. In Section 6, impossible Yoyo distinguishers for 12- and 16-round AESQ are demonstrated. In Section 7, the impossible differential Yoyo and impossible differential bi-directional Yoyo techniques are applied to round-reduced AES in the known-key setting. The experimental setup and results are briefly mentioned in Section 8 and elaborated in Appendix A. Arguments in favour of the validity of the work are discussed in Section 9. Concluding remarks are given in Section 10.

Description of AESQ
PAEQ is an authenticated encryption scheme. At its core, PAEQ uses the 512-bit AESQ permutation. AESQ can be viewed as four 128-bit registers, each running two rounds of AES in which the subkey XOR is replaced by the XOR of a round constant. An AESQ state consists of 64 bytes, arranged in four groups of 16 bytes each. We call each group a register and name them A, B, C and D from left to right. Each column of a register is a 32-bit word, numbered from 0 to 3; for instance, the first and last columns of register A are A[0] and A[3] respectively. Two AES rounds are applied to each register, followed by a shuffle among all the registers; the shuffle mapping is shown in Table 2. In the original AESQ, this two-round step is repeated 10 times, so the AESQ permutation consists of 20 AES rounds. Fig. 1 shows a 2-round AESQ permutation.

Tools for the Analysis
In this section, we describe the necessary notations, definitions, and concepts that will be used in our subsequent analysis.

Notations
We list below some notations frequently used in this work.

x ← y : x gets the value of y
Pr[E] : probability of occurrence of event E
wt(x) : (Hamming) weight of a vector x
x_i : i-th component of vector x
AESQ_{i→j} : AESQ permutation from round i to round j

We additionally try to reuse some of the notations of [RBH17]. A generic permutation is assumed to be of the form F_q^n → F_q^n, where q = 2^k, and to be built from two kinds of layers. Here S is a large SBox, to be visualized as a concatenation of smaller component SBoxes each operating on F_q, and the linear layer over F_q^n is denoted by L. A word is an element of F_q, while the internal state is a vector of words α = (α_0, ..., α_{n−1}). Based on this, the authors of [RBH17] define the Zero Difference Pattern (ZDP) as follows.

Definition 1. [RBH17] Zero Difference Pattern. For α ∈ F_q^n, the zero difference pattern is ν(α) = (z_0, ..., z_{n−1}) ∈ F_2^n, where z_i = 1 if α_i = 0 and z_i = 0 otherwise.

Interestingly, the zero difference pattern does not consider the nature of the individual words when they are non-zero; it just classifies them all as active. Our aim is to look further into the individual words, i.e. we want to investigate the nature of α_i when z_i = 0. To facilitate this, we define a unit as the element on which the smallest SBox of the cipher is defined; for AES, a unit is a byte. Note that considering the smallest SBox a word is 8 bits, while considering the SuperSBox representation [DR06] a word is 32 bits, so the AES state representation changes from F_{2^8}^{16} to (F_{2^8}^4)^4. When a word consists of multiple units, the zero difference pattern does not take the units into account and marks the word active as soon as at least one of its units is active. We want to study the activity of the units, so we introduce the notion of Nested Zero Difference Pattern.

Definition 2. Nested Zero Difference Pattern. Let α = (α_0, ..., α_{n−1}) be a state whose words are made of units, α_i = (β_{i0}, ..., β_{i,m−1}), where β_{ij} is a unit. The Nested Zero Difference Pattern of α is ν_2(α) = (ν_2(α_0), ..., ν_2(α_{n−1})), where ν_2(α_i) = (y_{i0}, ..., y_{i,m−1}) ∈ F_2^m with y_{ij} = 1 if β_{ij} = 0 and y_{ij} = 0 otherwise.
The following example will make things clearer.
Example 1. Here we show the different words of the AES state considering the inputs of the SuperSBox. Note that the words change depending on whether we observe the SuperSBox input or output. Consider the Zero Difference Pattern of the sample state α in Fig. 2: ν(α) = (0, 0, 1, 0) and wt(ν(α)) = 1. Thus the ZDP considers only one word to be inactive. The Nested ZDP of the same state α, in contrast, records for each of the three active words which of their bytes are actually active; it can be easily inferred that the Nested ZDP gives more information pertaining to the active words. The idea of the Nested ZDP will be useful when we consider differentials over and above the Yoyo game.

Yoyo Analysis for Two Generic SP-Rounds
Rønjom et al. carried out the Yoyo analysis for two generic SP-rounds [RBH17]. Two generic SP-rounds have the form L ∘ S ∘ L ∘ S, where L is the linear transformation layer and S is the substitution (SBox) layer. For simplicity, the final L layer is omitted and the modified two generic SP-rounds are denoted G_2 = S ∘ L ∘ S. They presented a deterministic distinguisher for G_2. To explain the distinguisher and how it works, we recall some definitions from their paper. The next definition specifies how to swap between a pair of texts to form a new pair of texts.
Definition 3. [RBH17] Let α, β ∈ F_q^n be two states and v ∈ F_2^n be a vector. Then ρ^v(α, β) is a new state in F_q^n created from α and β by swapping components among them: the i-th component of ρ^v(α, β) is α_i if v_i = 1 and β_i if v_i = 0. Note that ρ^v(α, β) ⊕ ρ^v(β, α) = α ⊕ β for every v. The deterministic distinguisher for two generic SP-rounds rests on the following property, proved as a theorem in [RBH17].
The trick is to choose any pair of plaintexts with a certain zero difference pattern and encrypt them with G_2. Then swap words between the two ciphertexts (using ρ^v) to create a new pair of ciphertexts, and decrypt the new pair with G_2^{-1} to obtain a new pair of plaintexts. The zero difference pattern of the new plaintext pair is the same as that of the original pair, and this holds with probability 1. The reason is as follows. Write x = L(S(p_1)) and y = L(S(p_2)). Since the outer S layer acts word-wise, the swapped ciphertexts decrypt one layer to ρ^v(x, y) and ρ^v(y, x), whose XOR is x ⊕ y; applying the linear L^{-1} gives a pair with difference L^{-1}(x ⊕ y) = S(p_1) ⊕ S(p_2), and the final word-wise S^{-1} preserves exactly which words of that difference are zero. This property of two generic SP-rounds can be exploited to distinguish them from a random construction.
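The following Python model is an added illustration of the Yoyo property on G_2 = S ∘ L ∘ S and is not code from the paper or from [RBH17]. It uses n = 4 words of one byte each (q = 2^8); the S layer is a seeded random byte permutation (any word-wise bijection works for the argument, so this is a stand-in, not the AES SBox), and L is a constructed invertible circulant over F_2. The zero difference pattern ν and the swap ρ^v follow Definitions 1 and 3. It also plays the same game on three SP-rounds, where the guarantee no longer holds, to show the contrast.

```python
"""Toy model of the Yoyo game on two generic SP-rounds G2 = S o L o S (added example)."""
import random

N_WORDS = 4  # n words per state, each word one byte (q = 2^8)

# Word-wise S layer: a seeded random byte permutation (modelling assumption, not AES).
_rng = random.Random(0xA55)
SBOX = list(range(256))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x


def s_layer(state):
    return [SBOX[w] for w in state]


def inv_s_layer(state):
    return [INV_SBOX[w] for w in state]


def circulant(state, taps):
    """out[k] = XOR of state[(k - j) mod n] over j in taps (a linear map over F_2)."""
    n = len(state)
    out = []
    for k in range(n):
        acc = 0
        for j in taps:
            acc ^= state[(k - j) % n]
        out.append(acc)
    return out


# L(x)_k = x_k ^ x_{k-1} ^ x_{k-2}; invertible since gcd(1+x+x^2, x^4+1) = 1 over F_2.
# Its inverse is the circulant with taps (0, 2, 3).  Both are constructed for this model.
L_TAPS = (0, 1, 2)
L_INV_TAPS = (0, 2, 3)


def l_layer(state):
    return circulant(state, L_TAPS)


def inv_l_layer(state):
    return circulant(state, L_INV_TAPS)


def g2(p):
    """Two generic SP-rounds with the final L omitted: S o L o S."""
    return s_layer(l_layer(s_layer(p)))


def inv_g2(c):
    return inv_s_layer(inv_l_layer(inv_s_layer(c)))


def g3(p):
    """One SP-round more (S o L o S o L o S): the Yoyo guarantee no longer applies."""
    return s_layer(l_layer(g2(p)))


def inv_g3(c):
    return inv_g2(inv_l_layer(inv_s_layer(c)))


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def zdp(alpha):
    """Zero Difference Pattern nu(alpha): 1 in the positions where the word is zero."""
    return tuple(1 if w == 0 else 0 for w in alpha)


def rho(v, a, b):
    """rho^v(a, b): component i is a_i if v_i = 1, b_i if v_i = 0 (Definition 3)."""
    return [a_i if v_i else b_i for v_i, a_i, b_i in zip(v, a, b)]


def yoyo_preserves_zdp(enc, dec, p1, p2, v):
    """Encrypt, swap words between the ciphertexts, decrypt; compare input and output ZDPs."""
    c1, c2 = enc(p1), enc(p2)
    c1_new, c2_new = rho(v, c1, c2), rho(v, c2, c1)
    p1_new, p2_new = dec(c1_new), dec(c2_new)
    return zdp(xor(p1, p2)) == zdp(xor(p1_new, p2_new))


def preservation_rate(enc, dec, pattern, trials=2000, seed=1):
    """Fraction of random Yoyo rounds whose returned pair keeps the input ZDP `pattern`."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        p1 = [rng.randrange(256) for _ in range(N_WORDS)]
        # p2 differs from p1 in exactly the words marked active (0) in pattern
        p2 = [w if z else w ^ rng.randrange(1, 256) for w, z in zip(p1, pattern)]
        v = [rng.randrange(2) for _ in range(N_WORDS)]
        if all(v) or not any(v):  # swap at least one and at most n-1 words
            v[0] ^= 1
        hits += yoyo_preserves_zdp(enc, dec, p1, p2, v)
    return hits / trials


if __name__ == "__main__":
    pattern = (1, 0, 1, 0)  # words 1 and 3 active, as in the paper's example
    print("G2 (S.L.S)     keeps the ZDP with rate", preservation_rate(g2, inv_g2, pattern))
    print("G3 (S.L.S.L.S) keeps the ZDP with rate", preservation_rate(g3, inv_g3, pattern))
```

For G_2 the rate is exactly 1 for every pattern and every choice of swapped words, as the argument above predicts; for G_3 the returned pair has essentially a random difference and the input pattern is almost never reproduced, which is the gap the distinguisher exploits.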

SuperSBox and MegaSBox of AESQ
Let us consider round 2 and round 3 (before MixColumns) of the AESQ permutation. The input to round 2 can be viewed as 16 diagonals of 4 bytes each. In round 2, after the SubBytes and ShiftRows operations, each of the 16 diagonals aligns into a single column. The effect of MixColumns and of the shuffle operation is confined within the column. The SubBytes and ShiftRows operations of round 3 de-align the column into an inverse diagonal. From the above analysis we observe that a group of 4 bytes (a diagonal) in the input to round 2 affects only a group of 4 bytes (an inverse diagonal) in the output of round 3 (before MixColumns). These operations can be grouped into a single 32-bit SBox called the SuperSBox. Therefore, rounds 2 and 3 of the AESQ permutation can be viewed as a single round with 16 parallel SuperSBoxes.
This concept can be extended further, and four rounds of the AESQ permutation can be viewed as a single round with 128-bit MegaSBoxes [DLP+09, BA14]. Consider rounds 2 to 5 of the AESQ permutation. The AESQ state consists of 4 registers of 128 bits each. Take one diagonal from each of the four registers. After the SubBytes and ShiftRows operations each of them is transformed into a column. MixColumns and the constant addition do not influence the other columns. The shuffle accumulates these four columns into a single register, and each register then undergoes two rounds of AES-like operations (rounds 3 and 4), which again do not influence the other registers. The next shuffle disperses the columns from a single register to the four registers, and the round 5 SubBytes and ShiftRows operations de-align the columns into inverse diagonals. These operations can be grouped into a single 128-bit MegaSBox, and rounds 2 to 5 (before MixColumns) can be viewed as a single round with 4 parallel MegaSBoxes. The following MixColumns operation can be considered as a mega-linear transformation on the 512-bit AESQ state, which we call MegaMixColumns (MMC). Fig. 4 shows how two rounds and four rounds of the AESQ permutation exhibit the properties of the SuperSBox and the MegaSBox.

Analysis of permutations in the attack context
Only a few permutations as a single and secure object have been designed for the use i structions.The most well-known is the Keccak 1600-bit permutation, which is used in the hashing algorithm; the others are used in the SHA-3 competitors: CubeHash [4], Gros It is worth noticing that a permutation per se can not be formally defined "secure".T make is an informal statement like the 2 l "flat sponge" claim [6], which basically states with complexity below 2 l and specific for the particular permutation exists.The param defining the capacity parameters in sponge functions and in fact measures the designers In our case we claim l = 256 or the 256-bit security of AESQ against all attacks.In o our claim, we look at the existing attacks on permutation-based designs and check if they Collision attacks.We first consider collision attacks on sponge-based hash function attacks on the reduced Keccak [10] strongly rely on high-probability differential trails [16 a couple of rounds over their length with the help of message-modification techniques internal-differential attack, while exploiting similarities within the internal state, is also propagation of difference generated by the round constants.Hence to prevent these att demonstrate the absence of high-probability differential trails for a high number of roun Let us now consider compression functions based on permutations.For example, Gros where P and Q are AES-based permutations.The main strategy in collision attacks construction of a truncated differential trail with low input and output Hamming we conforming inputs are found with the rebound attack and are tested for a collision.
Preimage attacks.The preimage attacks on sponge-based hash functions have bee the differential properties of the permutation.As long as a differential generated by me ∆M has high probability in some output bits, it can be used to speed up the preimage se are also generic methods that can save a factor of several bits by exploiting incomplete final rounds, but we note that their complexity can not be reduced much.The invarian not apply because of round constants.

Data Complexity and Success Probability
For a distinguishing event, the data complexity and the success probability depend on the probabilities p and p_0 = p(1 + q) of the same event in the random case and in the case of the algorithm under consideration, respectively. In [PR18], a detailed analysis of the relations between the data complexity of a distinguisher and the corresponding success probability is presented. We use the most general result, [PR18, Theorem 2], which involves no crude approximation such as ignoring constant terms or assuming p and q to be small. Surprisingly, the existing works with which we compare our results report only the data complexity, and none of them explicitly mentions the success probability. We have computed their success probabilities and find that, at the same success probability, we achieve much lower complexities. Moreover, for our new distinguishers we explicitly state the success probabilities along with the reported complexities.

Distinguishers using Direct Yoyo on AESQ
In order to adapt the Yoyo trick to AESQ, we first need to identify the S ∘ L ∘ S construction embedded in the permutation. To do so, recall the notion of MegaSBox, whereby 3.5 rounds of AESQ starting from an even round can be depicted as independent computations on four 128-bit words (see Fig. 4). These four MegaSBoxes constitute the first S layer of the generic SPN. The subsequent MegaMixColumns corresponds to the L layer, while the next iteration of four MegaSBoxes represents the last S layer, completing the S ∘ L ∘ S sequence. Fig. 4 shows this construction starting from Round 2. So two generic SP-rounds map to 8 rounds of AESQ without the last MMC, and the Yoyo distinguisher for two generic SP-rounds discussed above applies directly to AESQ_{2→9}. In the next subsection we work out the details of this distinguisher, which is the first deterministic 8-round distinguisher for the AESQ permutation.

Figure 6: Word configuration for each MegaSBox

Distinguisher for 8 Rounds
Let us first look at the Yoyo game for AESQ, which we use as a subroutine of the distinguishing algorithm. The Yoyo game in Algorithm 1 is tailored to AESQ_{i→j} but is analogous for any corresponding random permutation. The procedure is self-explanatory except for two things:

• The function MSwap swaps words between two states of AESQ. Apart from the states, it accepts an argument DIRECTION which decides whether input or output words (see Fig. 4) are swapped: if DIRECTION = FORWARD, output words are swapped, while for DIRECTION = BACKWARD the swap follows the input word pattern. This distinction accounts for the direction in which the game is played; as will be seen later, we need to play the game in the backward direction to penetrate a higher number of rounds. Moreover, MSwap swaps, at random, any one, two or three words of the states. As shown by the authors of [RBH17], all such word-swap configurations are equivalent and preserve the properties of the Yoyo game.

• The argument Mode selects whether half or all of the Yoyo game is played and takes the values MID or FULL respectively. Later in this work we show how the output of half of the game can be used to generate input states that help to distinguish up to 16 rounds of AESQ.
Algorithm 1 Yoyo Game for AESQ

With the Yoyo game in place, the 8-round distinguisher that uses it is straightforward, as shown in Algorithm 2. The distinguisher accepts a permutation PERMUTE. It chooses inputs p_1 and p_2 such that α = p_1 ⊕ p_2 has a particular ZDP (of weight at least one and at most three), say ν(α) = (1, 0, 1, 0). It then plays the Yoyo game, generating two new inputs p'_1 and p'_2 with ∆ = p'_1 ⊕ p'_2. If PERMUTE = AESQ_{2→9}, the ZDP of ∆ is guaranteed to equal that of α.

Algorithm 2 Distinguisher for AESQ_{2→9} (8-round AESQ without the last MMC; output 1 for AESQ, −1 otherwise)

The pictorial description is captured by Fig. 7. It is intentionally shown that the Nested ZDP might differ, which will indeed happen with some probability: the Yoyo principle guarantees that the ZDP is preserved but makes no claim about the activity pattern inside the active words. In the next subsection we show how assuming a particular Nested ZDP enables us to extend the distinguisher to include the first round, making it the first 9-round AESQ result that starts from round one.

Extension to 9-round AESQ
The inclusion of the first round relies on the notion of Nested ZDP introduced earlier. The basic idea is to:

• First, leverage the determinism of the 8-round Yoyo while imposing restrictions on both the input and the output Nested ZDP, thereby making it probabilistic. If the input and output differences of the Yoyo are α and η respectively, the restrictions are of the form:

1. Input: exactly one byte active in one word.
2. Output: exactly one byte inactive in one word.

• The second step is to find a one-round differential connecting to the input difference α. This is standard, and with probability 2^{−22} we find an input difference that conforms to the input restriction of the Yoyo game. This leads to the inclusion of round one in the forward direction.

• The last step is to include the round in the backward direction. Note that if the output restriction is satisfied, the extra round in the return path automatically leads to a state with four inactive bytes. More precisely, if the last difference is denoted by ∆, then ∃i : wt(ν_2(∆_i)) = 4. Moreover, the inactive bytes belong to the same diagonal, due to the last inverse ShiftRows operation of Round 1.
Fig. 8 gives an overview of the entire extension strategy and also depicts a particular configuration of states that conforms to the above statements, while Algorithm 3 illustrates the distinguishing procedure. In the next section, we introduce the notion of improbable differential Yoyo, whereby we compose the Yoyo game with improbable differentials, capitalizing on the inside-out strategy.

Improbable Differential Yoyo
In Indocrypt 2010, Tezcan introduced the notion of improbable differential cryptanalysis [Tez10]. The idea is to find a differential that is less probable for a given permutation (say P) than for a random permutation (say R). So if Pr_P(∆_in → ∆_out) = p_0 while Pr_R(∆_in → ∆_out) = p, then the improbability criterion is p_0 < p, where Pr_P and Pr_R denote the probabilities that the input difference ∆_in leads to the output difference ∆_out for P and R respectively. Tezcan noted that improbability generalizes the well-known impossibility criterion, which is the case p_0 = 0. He further proposed the expansion technique [Tez10] to build improbable differentials by connecting one or more (probabilistic) differentials with an impossible differential: whenever the connecting differential holds, the impossible differential cannot be observed, so the combined differential occurs for P with a probability strictly below its value for a random permutation. Our idea is to:

• First, use our notion of Nested ZDP together with properties of MixColumns to devise an impossible differential.

• Then, find a differential that connects the starting ZDP of the Yoyo game with the input difference of the impossible differential.

Overall, by virtue of the expansion technique, we obtain an improbable differential covering more rounds than the Yoyo game alone. To do this, we use the inside-out technique described next.

The Inside-Out Technique
The inside-out technique has been used extensively in distinguishing public permutations such as the Keccak-f permutation [AM09]: the idea is to start from an intermediate state and generate a set of inverted initial states that preserve a certain property (e.g. the zero-sum property in the case of Keccak). Here we adapt the technique to incorporate the Yoyo game. The idea is as follows:

• Play the Yoyo game from an intermediate round to generate pairs of input states.

• In the return path of the Yoyo game, extend the number of rounds using an improbable/impossible differential.

In the next subsection we show different distinguishers based on the following claim, which leads to impossible differences at various rounds of AESQ.
Claim 5.1 (Impossible Difference). Let the input difference before the r-th round MegaMixColumns (where r denotes an odd round) be δ, and let exactly one word of δ (say δ_i) be active, i.e. wt(ν(δ)) = 3. Then the following hold:

1. If wt(ν_2(δ_i)) = 0, then all 64 SBoxes of the state will be active before the (r+1)-th round MegaMixColumns.

2. If wt(ν_2(δ_i)) = 0, then all 16 SuperSBoxes of the state will be active before the (r+2)-th round MegaMixColumns.

3. Unconditionally, all 4 MegaSBoxes of the state will be active before the (r+4)-th round MegaMixColumns.

Proof. The proof proceeds as below:

1. wt(ν(δ)) = 3 and wt(ν_2(δ_i)) = 0 imply that every byte of the word δ_i is active. Since only one word is active and the word configuration is that of the MegaSBox output words (see Fig. 4), exactly one byte is active in every column. The claim now follows directly from the branch number of the AES MixColumns: the total number of active bytes at the input and output of a MixColumns operation is never less than 5. Since the input to every MixColumns in the r-th round MMC has exactly one active byte, every output column has all 4 bytes active with probability 1, so the entire state is active after the r-th round MMC. Thus in the (r+1)-th round all SBoxes of the state have a non-zero input difference, hence a non-zero output difference, and so all of them are deterministically active up to the next MMC operation. If the output difference (before the (r+1)-th round MMC) is denoted by η, then Pr[wt(ν_2(η)) ≥ 1] = 0, i.e. an inactive SBox is an impossible difference.

2. The argument is the same, except that after the r-th round MMC all 16 SuperSBoxes are activated; they span 1.5 rounds, ending just before the (r+2)-th round MMC. Since all SuperSBoxes are active and each is a bijection on 32 bits, none of them can have a zero output difference.

3. For the MegaSBox, the restriction wt(ν_2(δ_i)) = 0 is no longer required, so we only need wt(ν(δ)) = 3. Irrespective of the status of the bytes inside the word, after the r-th round MMC at least one column is fully active, and its four bytes belong to four different MegaSBoxes, so all 4 MegaSBoxes are activated; they span 3.5 rounds. Thus, before the (r+4)-th round MMC, none of the words representing the MegaSBox outputs can be inactive. If the output difference is denoted by γ, then Pr[wt(ν(γ)) ≥ 1] = 0, an impossible difference.

The implications of Claim 5.1 are captured by Fig. 9, which shows the particular case r = 9 relevant for this work. So, for r = 9, we have three impossible differentials covering round 10, rounds 10 to 11 and rounds 10 to 13 respectively (each without the last MMC). We next show how we convert the first two into improbable differentials to obtain 9-round and 10-round distinguishers with practical complexities. Later, using the third one, we devise an impossible differential distinguisher for 12 rounds.

Improbable Differential Yoyo Distinguisher for 9-round and 10-round AESQ
As per the requirement of the expansion technique explained earlier, we need an impossible differential and a connecting differential that conforms to its input. Claim 5.1 (parts 1 and 2) already gives us the impossible differential; we are interested in the case r = 9, which yields a 1-round and a 2-round impossible differential (without the last MMC, as shown in Fig. 9). We use the Yoyo game to generate the connecting differential; the strategy is demonstrated in Fig. 10. So the technique is to use the Yoyo game to generate an "arbitrary" number of input pairs (p_1, p_2) such that the output difference of these pairs over AESQ_{2→10} or AESQ_{2→11} can never have an inactive SBox or SuperSBox respectively. To ascertain the data complexity one needs the probabilities of these events for a random permutation, which we compute next.

We directly use Eq. (2) to derive the probability of the combined differential. For the 9-round attack, the probability that a random permutation shows at least one inactive SBox among the 64 is 1 − (255/256)^{64} ≈ 0.22. Similarly, for 10 rounds the probability of observing at least one inactive SuperSBox among the 16 is 1 − (1 − 2^{−32})^{16} ≈ 2^{−28}. Thus the numbers of input pairs needed to distinguish AESQ_{2→10} and AESQ_{2→11} are around 1/0.22 ≈ 5 and 2^{28} respectively, with success probabilities of 82% and 77%, leading to the first practical distinguishers for these rounds of AESQ. For merely 5 samples in the 9-round case, the normal approximation used in [PR18, Theorem 2] does not hold, so we compute the false positive and false negative errors directly to obtain the theoretical estimate of the success probability. Algorithm 4 captures both the 9- and the 10-round distinguisher. In the next section, we introduce the notion of impossible differential Yoyo in the inside-out setting and, based on it, develop distinguishers on 12 and 16 rounds of AESQ.
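As an added check (not code from the paper), the following Python script verifies with the real AES MixColumns the branch-number argument behind Claim 5.1 (parts 1 and 3) and behind Claim 6.1 in the next section, and computes the random-case probabilities of this subsection. It implements ν and ν_2 from Section 3 for a 512-bit state modelled as 16 columns of 4 bytes. The only modelling assumption is the word layout: each 128-bit MegaSBox word is taken to own exactly one byte in every column, which is the property the proofs use; the specific row assignment is a placeholder for Fig. 4, not the actual AESQ layout.

```python
"""Added example: Claim 5.1 / Claim 6.1 via the AES MixColumns, and random-case probabilities."""
import math
import random

N_COLS = 16  # 512-bit state: 16 columns of 4 bytes


def xtime(b):
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


MC = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))  # AES MixColumns matrix


def mixcolumn(col):
    out = []
    for row in MC:
        acc = 0
        for m, b in zip(row, col):
            acc ^= gf_mul(m, b)
        out.append(acc)
    return out


def mega_mixcolumns(state):
    """MMC: AES MixColumns applied to each of the 16 columns independently."""
    return [mixcolumn(col) for col in state]


def word_of(row, col):
    """Word owning the byte at (row, col). Assumed layout: one byte per word per column."""
    return (row + col) % 4


def zdp(diff):
    """nu(diff) over the four 128-bit words: 1 where all 16 bytes of the word are zero."""
    active = [False] * 4
    for c, col in enumerate(diff):
        for r, b in enumerate(col):
            if b:
                active[word_of(r, c)] = True
    return tuple(0 if a else 1 for a in active)


def nested_zdp(diff, word):
    """nu_2(diff_word): one bit per byte of the word, 1 where that byte difference is zero."""
    return tuple(1 if diff[c][(word - c) % 4] == 0 else 0 for c in range(N_COLS))


def wt(pattern):
    return sum(pattern)


def one_word_active(word, n_active, rng):
    """Constructed difference with only `word` active, nonzero in n_active of its 16 byte slots."""
    diff = [[0] * 4 for _ in range(N_COLS)]
    for c in rng.sample(range(N_COLS), n_active):
        diff[c][(word - c) % 4] = rng.randrange(1, 256)
    return diff


def mixcolumns_branch_ok():
    """Exhaustive: one active input byte always yields four active output bytes (branch number 5)."""
    for pos in range(4):
        for d in range(1, 256):
            col = [0] * 4
            col[pos] = d
            if 0 in mixcolumn(col):
                return False
    return True


def claim_5_1_part1(trials=200, seed=7):
    """wt(nu(delta)) = 3 and wt(nu_2(delta_i)) = 0  =>  no zero byte after MMC (all 64 SBoxes active)."""
    rng = random.Random(seed)
    for _ in range(trials):
        word = rng.randrange(4)
        delta = one_word_active(word, N_COLS, rng)
        if wt(zdp(delta)) != 3 or wt(nested_zdp(delta, word)) != 0:
            return False
        if any(b == 0 for col in mega_mixcolumns(delta) for b in col):
            return False
    return True


def claim_6_1_part1(trials=200, seed=11):
    """wt(nu(delta)) = 3 with arbitrary bytes inside the word  =>  wt(nu(MMC(delta))) = 0."""
    rng = random.Random(seed)
    for _ in range(trials):
        delta = one_word_active(rng.randrange(4), rng.randrange(1, N_COLS + 1), rng)
        if wt(zdp(mega_mixcolumns(delta))) != 0:
            return False
    return True


def random_case_probability(boxes, box_bits):
    """Pr[at least one of `boxes` independent uniform box_bits-bit differences is zero]."""
    return -math.expm1(boxes * math.log1p(-2.0 ** -box_bits))


def log2_data_complexity(boxes, box_bits):
    """log2 of the number of pairs ~ 1/p needed against a random permutation."""
    return math.log2(1.0 / random_case_probability(boxes, box_bits))


if __name__ == "__main__":
    print("MixColumns branch property:", mixcolumns_branch_ok())
    print("Claim 5.1 (1):", claim_5_1_part1(), " Claim 6.1 (1):", claim_6_1_part1())
    for name, boxes, bits in (("SBox", 64, 8), ("SuperSBox", 16, 32), ("MegaSBox", 4, 128)):
        p = random_case_probability(boxes, bits)
        print(f"{name:10s} p = {p:.3e}  log2(1/p) = {log2_data_complexity(boxes, bits):.2f}")
```

The three probabilities reproduce the 0.22, 2^{−28} and 2^{−126} figures used for the 9-, 10- and 12-round distinguishers; the claim checks confirm that the impossibility rests only on the MDS property of MixColumns and on the one-byte-per-column word layout, not on any property of the SBox.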

Impossible Differential Yoyo
Impossible differentials have been shown to be a special case of improbable differentials [Tez14, TS16]. It is easy to see that if the connecting differential used in the expansion technique holds with probability 1, then the combined differential becomes impossible. The basic idea is to use the determinism of the Yoyo game along with the inside-out technique to arrive at the input of an impossible differential. We do this in two ways: the first leverages the third part of Claim 5.1, the second combines two Yoyo games played in opposite directions.

Impossible Differential Yoyo Distinguisher for 12-round AESQ
This attack is similar to the ones described in the previous section, the only difference being that we no longer have a restriction on the connecting differential, due to Claim 5.1 (3). So what we have is an impossible differential spanning 3.5 rounds due to the MegaSBox, and a connecting differential that holds with probability 1 due to the Yoyo game. Fig. 11a illustrates the strategy, while the procedural details are covered by Algorithm 5.

Algorithm 5 Distinguisher for AESQ_{2→13} (12-round AESQ without the last MMC; output 1 for AESQ, −1 otherwise)

The probability that at least one of the four words corresponding to the MegaSBox outputs is inactive for a random permutation is p ≈ 4/2^{128} = 2^{−126}. Further, the connecting differential holds with probability 1 due to the Yoyo game, and therefore p_0 = 0, resulting in a data complexity of 2^{126} with a success probability of 84%. Next we show an interesting way to combine two Yoyo games to obtain a 16-round distinguisher starting from round 2.

Impossible Differential Bi-directional Yoyo Distinguisher for 16-round AESQ
As the name suggests, bi-directional Yoyo combines two Yoyo games. These games are played in opposite directions and employ the inside-out strategy. The ZDP requirements of the two games are different, as stated below:
• Game 1 is played with AESQ^{-1}_{2→9} without the last MMC. Only one word should be active in the input differential, so the weight of the ZDP needs to be 3.
• Game 2 is played with AESQ_{10→17} without the last MMC. All words should be active in the input differential, so the weight of the ZDP needs to be 0.
• In order to connect Game 1 and Game 2, we use an MMC operation. One can visualize this as the MMC of Round 9, which is excluded while playing Game 1.

The claim is as follows.

Claim 6.1. If $i_3 = \mathrm{MMC}(i_1)$ and $i_4 = \mathrm{MMC}(i_2)$, then
1. $\mathrm{wt}(\nu(i_3 \oplus i_4)) = 0$, and
2. $\Pr[\mathrm{wt}(\nu(r_1 \oplus r_2)) = 1] = 0$.

Proof. The first claim follows from the fact that, due to Game 1, $\mathrm{wt}(\nu(i_1 \oplus i_2)) = 3$. So we have exactly one word active in $(i_1 \oplus i_2)$. Due to the word configuration (recall Fig. 4), this also implies that we can have exactly one byte active in each column of $(i_1 \oplus i_2)$. By the property of MixColumns, every single active byte in $(i_1 \oplus i_2)$ leads to a fully (all four bytes) active column in $(i_3 \oplus i_4)$. Since the minimum number of active bytes in $(i_1 \oplus i_2)$ is one, after MMC on $i_1$ and $i_2$ we will have at least one column active in $(i_3 \oplus i_4)$. Now, as each byte in the active column belongs to a different word, an active column implies four active words, i.e. $\mathrm{wt}(\nu(i_3 \oplus i_4)) = 0$.
The second claim can be easily inferred from Game 2. Since the input difference of Game 2 has four active words, we cannot have an inactive word in the output difference $r_1 \oplus r_2$.
The entire bi-directional game is captured by Fig. 11b. Once Game 1 and Game 2 are connected, we can appreciate the fact that the combination of the second half of Game 1, the connecting MMC layer and the first half of Game 2 actually behaves like AESQ_{2→17} without the last MMC. This leads us in the direction of the distinguishing strategy described in Algorithm 6. So one can arbitrarily generate pairs of inputs for 16-round AESQ starting from round 2 and excluding the last MMC. The corresponding outputs, after MSwap, when subjected to AESQ^{-1}_{10→17} without the Round 10 MMC can never lead to an output difference having one inactive word. For a random permutation this happens with a probability of $2^{-126}$. So the data complexity and the success probability remain the same as for the 12-round distinguisher.

Algorithm 6 Distinguisher for AESQ_{2→17} (16-round AESQ without last MMC)
Output: 1 for AESQ, -1 otherwise
procedure ImpDistBiYoyo(PERMUTE)
(MSwap step: excludes the possibility of trivial extension)

In the next section, we investigate the known-key security of AES in the light of the impossible differential Yoyo strategies developed above.

Applications to AES in the Known-Key Setting
Rønjom et al. have already shown the application of Yoyo on AES in the secret-key paradigm and argued that the maximum penetration was up to 6 rounds. In contrast, here we are more interested in public permutations, which is motivated by our need to employ strategies like inside-out and start-in-the-middle that are implicitly inhibited in the secret-key setting. So an obvious direction is to look at the known-key notion, under which AES behaves as a public permutation and which opens up the avenue to expose AES to our extension strategies. As suggested, known-key refers to the scenario where the attacker has access to the key. Introduced by Knudsen and Rijmen [KR07] in Asiacrypt 2007, the idea was mainly motivated by the fact that non-existence of known-key distinguishers would imply non-existence of secret-key ones. Additionally, since block ciphers are often used as primitives in hash functions where the key input could be totally or partially controllable, such known-key analysis is imperative. The known-key security of block ciphers has received a lot of attention, with Andreeva et al. attempting to formalize it first [ABM13] and Mennink and Preneel [MP15] later treating it systematically in the context of hash functions. Below, we explore how some of the techniques introduced so far adapt to AES in this setting. In the process, we are able to devise one of the most efficient 8-round known-key distinguishers in terms of overall cost. It is assumed that the reader is familiar with AES; the notation used here is analogous to that for AESQ. The basic approach, as also taken in [RBH17] and earlier in this work for AESQ, is to capitalize on the well-known AES SuperSBox.
Impossible Differential Yoyo for 6-round AES
The first idea is to apply the basic impossible differential Yoyo technique described in Section 6.1. So we use the inside-out philosophy to devise a connecting differential as per the last part of Claim 5.1, which is easily adapted to AES. We initiate the Yoyo game such that the weight of the ZDP is three. By virtue of the game, we get back the same ZDP at the end of 3.5 rounds. Now, due to the MixColumns (MC) of the fourth round, all SuperSBoxes get activated. Thus, propagating forward for two rounds, the SuperSBox property rules out the case that the output difference has at least one inactive SuperSBox. The same for a random permutation would occur with a probability of $2^{-30}$.

Impossible Differential Bi-directional Yoyo for 8-round AES
The bi-directional Yoyo trick introduced in the last section extends easily to the known-key model of AES. Since a single S ∘ L ∘ S instance covers 4 rounds barring the last MixColumns (MC), two back-to-back Yoyo games with MC in between extend the attack to 8 rounds. As argued earlier, since the same impossible differential is used here, we are able to devise an 8-round known-key distinguisher with a complexity of $2^{30}$ and negligible memory. Fig. 12 depicts both the 6- and 8-round distinguishers.
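The random-permutation probabilities used by these distinguishers (one inactive 32-bit SuperSBox among four for AES, $2^{-30}$; at least one inactive SBox among 64 for AESQ, $1 - (255/256)^{64}$; one inactive 128-bit MegaSBox among four, $4/2^{128}$) and the direct false-positive/false-negative calculation used instead of the normal approximation for very small sample counts can be checked with the following script. It is an added example, not code from the paper: the function names are hypothetical, the model of a random permutation as a uniformly random output difference with independent boxes is an assumption, and since the cipher-side event probability of the 9-round improbable case is not given on this page, the demonstration uses the impossible-differential case (cipher-side probability 0) with an assumed equal prior on the two hypotheses.

```python
"""Probability bookkeeping for the 'at least one inactive box' events.
Added example, not code from the paper.  Assumption: a random permutation
yields a uniformly random output difference, so the boxes are independent
and each box is all-zero with probability 2^-box_bits."""
from fractions import Fraction
from math import comb, log2
import random


def p_any_inactive_exact(num_boxes: int, box_bits: int) -> Fraction:
    """Exact probability that at least one of num_boxes boxes of box_bits
    bits is inactive (zero difference) in a uniformly random difference."""
    q = Fraction(1, 2 ** box_bits)          # one given box is entirely zero
    return 1 - (1 - q) ** num_boxes


def log2_p_any_inactive(num_boxes: int, box_bits: int) -> float:
    """Same event on a log2 scale (about -30 for four 32-bit SuperSBoxes,
    about -126 for four 128-bit MegaSBoxes)."""
    return log2(float(p_any_inactive_exact(num_boxes, box_bits)))


def p_any_inactive_montecarlo(num_boxes: int, box_bits: int,
                              samples: int, seed: int = 1) -> float:
    """Monte Carlo check for small boxes (e.g. 64 SBoxes of 8 bits): draw
    constructed random differences, count those with an all-zero box."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        hits += any(rng.getrandbits(box_bits) == 0 for _ in range(num_boxes))
    return hits / samples


def count_test_success(p_perm: float, p_rand: float,
                       n: int, threshold: int) -> tuple:
    """Direct binomial (no normal approximation) error computation for a
    count-based test over n pairs: answer 'cipher' when fewer than
    threshold pairs show the event.  p_perm / p_rand are the per-pair event
    probabilities for the cipher and for a random permutation (p_perm <
    p_rand for an improbable differential, p_perm == 0 for an impossible
    one).  Returns (false_negative, false_positive, success), the success
    being computed under an assumed equal prior on the two hypotheses."""
    def p_count_below(p: float) -> float:
        return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
                   for k in range(threshold))
    false_negative = 1 - p_count_below(p_perm)   # cipher, but too many hits
    false_positive = p_count_below(p_rand)       # random, but too few hits
    return (false_negative, false_positive,
            1 - (false_negative + false_positive) / 2)


if __name__ == "__main__":
    p_sbox = float(p_any_inactive_exact(64, 8))
    print("64 SBoxes x 8 bits      :", p_sbox)                    # ~0.2216
    print("4 SuperSBoxes x 32 bits : 2^", log2_p_any_inactive(4, 32))
    print("4 MegaSBoxes x 128 bits : 2^", log2_p_any_inactive(4, 128))
    print("Monte Carlo, 64 x 8     :", p_any_inactive_montecarlo(64, 8, 50_000))
    print("n=5, impossible case    :", count_test_success(0.0, p_sbox, 5, 1))
```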
Since the introduction of the known-key model, AES in particular has been analyzed extensively. Below we look at the state of the art in devising 8-round known-key distinguishers on AES. Our inclination towards 8 rounds stems from the urge to make a direct comparison with the maximum number of rounds we are able to penetrate here. This is captured in Table 3, where all the complexities (including ours) correspond to a success probability of 84%. Grassi and Rechberger [GR17] provide a near exhaustive analysis of known-key distinguishers, improving most of the available ones and also reporting new ones. Their main contribution was to show that the idea proposed by Gilbert [Gil14] is not limited to 10 rounds and can be further extended to 12 rounds. Going back to results on 8 rounds, we can see from Table 3 that the result reported here is only superseded by the extended multiple differential trail attack by Grassi and Rechberger, which incurs some extra memory complexity.
The experimental details of the success probabilities computed for the distinguishers are provided in Appendix A.1. We now provide a discussion on all the distinguishing strategies introduced in this work.

Discussion
Distinguishing public permutations has always been seen as tricky due to the unkeyed nature of these crypto primitives. Two important things that need to be ensured to make a distinguisher in this setting meaningful are non-triviality and randomness.
A distinguisher should not be trivial, in the sense that it should not be trivially extendible, meaning that it is not supposed to work for an arbitrary number of rounds. Let us now discuss all distinguishers presented here in the light of this intended property. It is easily noticeable that the limitation of the Yoyo principle to hold only for (S ∘ L ∘ S) is the first line of defence ensuring non-triviality. Thus rounds covered based on only a single Yoyo game cannot be extended beyond 8 rounds of AESQ excluding the last MMC while starting from an even round. The same is true for 4 rounds of AES without the last MC. As regards the strategies that were composed with Yoyo, they mostly rely on differentials that work over certain specified rounds and hence are not arbitrarily extendible. The only exception comes with the bi-directional Yoyo distinguisher, where the last verification might seem non-standard. However, non-triviality is ensured by the last MSwap operation (for example, Step 7 of Algorithm 6 for AESQ). Without that operation the distinguisher would be trivial, because one could include any number of rounds as part of the first half of the second Yoyo game and invert the same number of rounds in the verification step.
The requirement of randomness is fundamental to devising distinguishers in general and for public permutations in particular. This is primarily because, due to the unkeyed nature, one could easily enumerate the permutation and employ the inverse to obtain a trivial verification. The distinguishing strategy should in principle allow sufficient randomness in choosing the inputs. In this respect, all distinguishers developed in the current work allow for that. Most of the distinguishers use the first half of the Yoyo game as a subroutine and can generate an almost arbitrary number of inputs which conform to certain input differences. These inputs lead to certain required differences in the middle, either deterministically by virtue of the Yoyo technique or probabilistically by augmenting Yoyo with probable, improbable or impossible differentials. This work explores many ways to extend the Yoyo game. The authors in [RBH17] have shown attacks on 3/5 rounds of AES, where they extend the basic Yoyo game. However, with the exception of the AESQ_{2→9} and AESQ_{1→9} distinguishers, the strategies reported here differ from the ones shown in [RBH17]. This is mostly because of the inside-out philosophy used here, which becomes inapplicable in the secret-key setting. The main contribution of this work comes in the form of the idea of using the inside-out technique to partially deploy the Yoyo game as an input generator. The notion of Nested ZDP introduced here seems to work nicely as a combiner of Yoyo and classical differential cryptanalysis. Along with MixColumns, the techniques used here exploit the properties of SuperSBoxes and MegaSBoxes. The bi-directional Yoyo game is the most effective strategy, leading to a doubling of the number of rounds penetrated. One might look critically at the last verification, which uses AESQ^{-1}_{10→17}. However, this kind of verification is already used in the literature on distinguishers for Feistel schemes [LWZ15]. Moreover, as argued earlier, the strategy ensures non-triviality. Except for the 12- and 16-round distinguishers of AESQ, all other distinguishers of AESQ and AES rely on practical data complexities and negligible memory. The closest comparable results for AESQ are due to Bagheri et al. [BMS16], who report and time-memory trade-off attacks. Though the maximum number of rounds is the same, the current work exponentially outperforms the former both in terms of data and memory requirements.
In the case of 8-round AES in the known-key setting, with the exception of [GR17], our result beats all other works, while being the only one that requires negligible memory. Table 4 summarizes the attacks presented here. It should be noted, however, that comparing attacks in the known-key model only by their complexity is not completely fair, as one also has to take into consideration the simplicity of the non-random property found, which may affect the chances of extending the distinguisher to more rounds or to more powerful attacks. In this respect, our attack is not directly comparable to several of the previous results, as the non-random property we find is somewhat complex.

Conclusion
In this work we explored the impact of the Yoyo cryptanalytic strategy on the public permutation AESQ as well as on AES in the known-key model. We deployed the basic Yoyo technique to get a deterministic 8-round distinguisher for AESQ and extended it using our notion of Nested ZDP to include the first round using around $2^{26}$ queries. In addition to this, we used the inside-out strategy to augment Yoyo using classical, improbable and impossible differentials to reach 9, 10 and 12 rounds starting from round 2 with data complexities of about $2^{2}$, $2^{28}$ and $2^{126}$ respectively. The final strategy devised here allows us to combine two Yoyo games, giving a 16-round distinguisher using $2^{126}$ queries. The impossible differential based Yoyo strategies, when applied to AES, lead to known-key distinguishers for 6 and 8 rounds with a complexity of $2^{30}$. One may note that all improbable distinguishers reported can be converted to impossible ones while paying some extra cost in terms of data complexity. The success probabilities of the attacks have been computed to be high enough, and all distinguishers with practical complexities were verified using computer simulations.
It can be noted that the attacks on AESQ presented here exclude the last MMC and, except for the attack on AESQ_{1→9}, all of them start from round 2 due to the reliance on the MegaSBox. It would be interesting to overcome these limitations by looking further into the design of AESQ or possibly the Yoyo game itself. The bi-directional Yoyo game warrants further attention and might become a valuable generic cryptanalytic tool for analyzing other public crypto primitives.

A Experimental Verification
Most of the distinguishers presented in this paper have practical complexities. These have been run experimentally and their complexities verified. All the experiments were performed on a system with an Intel Core i7-6700 CPU @ 3.40 GHz × 8 and 16 GB of memory. For programming, we used Java (openjdk version 1.8.0_181). For implementing AES functionalities, we used publicly available code [Dew].
The distinguisher for AESQ_{2→9} is deterministic in nature, and this attack is performed in negligible time using Algorithm 2. The complexity of the distinguisher for AESQ_{1→9} is $2^{26.05}$. For the attack, pairs of plaintexts having only a one-word difference have been chosen at random. Plaintext pairs whose differences have not collapsed into a single byte after the first round of AESQ are filtered out. Among the remaining pairs, all possible swaps are performed between the corresponding ciphertexts. Algorithm 3 describes the distinguisher. This attack was performed using a single thread, and it took 17435867 (≈ $2^{24.05}$) iterations in 557 seconds to successfully find a pair of plaintexts and a swap vector which conform to our claim. The following pair of texts conform to our claim when swapped after the forward permutation using the given vector.
• Initial difference of two input states:
The distinguishing attacks on AES_{1→8} introduced in this paper have practical complexity. This distinguishing attack is similar to Algorithm 6 with reduced complexity. The distinguishing algorithm ran for $2^{30}$ iterations in 2977.575 seconds on the above machine and did not find the impossible differential with an inactive SuperSBox. For a random permutation, we found this differential in 187840320 (≈ $2^{27.48}$) iterations.

Figure 2: Different words and a sample state showing zero and non-zero bytes.

Figure 9: Different state configurations conforming to Claim 5.1.

Table 4: Distinguishers reported in this work.
States before swapping (before last MixColumns and ShiftRows):