Cryptanalysis of AES-PRF and Its Dual

Abstract. A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5-th round as the feed-forward to the output state. This paper presents an extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the $s$-th round is used as the feed-forward. We also analyze the security of "dual" constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the $s$-th round. We apply an impossible differential attack, a zero-correlation linear attack, a traditional differential attack, a zero-correlation linear distinguishing attack and a meet-in-the-middle attack to these PRFs and their reduced-round versions. We show that AES-PRF is broken whenever $s \le 2$ or $s \ge 6$, or when reduced to 7 rounds, and that Dual-AES-PRF is broken whenever $s \le 4$ or $s \ge 8$. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight into its security.


Introduction
A pseudorandom permutation (PRP) is one of the main primitives in symmetric-key cryptography used to realize security functionalities such as encryption, authentication and authenticated encryption. A PRP is a keyed permutation that, for a randomly chosen key, is indistinguishable from a truly random permutation [LR88], and this security notion is the main security goal in the design of block ciphers. Cryptanalysis of block ciphers is a long-standing topic in symmetric-key cryptography, and design approaches for efficient block ciphers resisting all known attacks are well studied. Many secure block ciphers are readily available, some of which are standardized and have stood the test of extensive cryptanalysis. For instance, there is a comfortable consensus in the community that AES [DR02] is indeed a PRP.

Figure 1: Common PRP-to-PRF conversion schemes, where $E_K$ is an $n$-bit PRP; panel (d) is EDMD, the dual of EDM [MN17a].

The invertibility of a block cipher is necessary in some modes of operation. For instance, the CBC encryption mode [Dwo01] needs the decryption of the block cipher for its decryption. The authenticated encryption mode OCB [KR11] also needs the block cipher decryption. However, there are various other examples where invertibility is unnecessary, and the security actually increases if a PRP is replaced with a pseudorandom function (PRF), which is a keyed function that is indistinguishable from a truly random function [GGM86]. For instance, the CTR encryption mode [Dwo01] remains secure only if the query complexity is sufficiently smaller than $2^{n/2}$ [BDJR97], where $n$ is the block length of the underlying PRP, but this limitation becomes void if a PRF is used instead. The same argument holds for the authenticated encryption mode GCM [MV04, Dwo07]. This limitation on the query complexity is often referred to as the birthday bound, and these examples illustrate that highly secure symmetric-key schemes can be obtained once we have a highly secure PRF.
Given ample candidate block ciphers for PRPs, various techniques to convert a PRP into a PRF have been developed. This approach is called PRP-to-PRF conversion, and the simplest way is to regard the PRP itself as a PRF, but it is well known that the security is then limited to the birthday bound. There have been various developments to obtain a PRF with higher security. A scheme that remains secure even beyond the birthday query complexity is said to have beyond-the-birthday-bound security, and we list some such methods in Fig. 1. However, all these constructions have non-negligible efficiency costs. The truncation method decreases the rate at which randomness is generated, and each of the other three methods is twice as expensive as one block cipher call.
To maintain both efficiency and beyond-the-birthday-bound security, Mennink and Neves [MN17b] explored a dedicated design of a PRF, based on the design called SURF by Bernstein [Ber97] and inspired by EDMD [MN17a]. Specifically, given an $r$-round iterative block cipher $E_K$, let $E^1_K$ be the first $r/2$ rounds of $E_K$ and $E^2_K$ be the last $r/2$ rounds. Their proposal, called FastPRF, turns it into a non-invertible function, a PRF, by $\mathrm{FastPRF}_K(X) = E_K(X) \oplus E^1_K(X)$. It runs as fast as the underlying block cipher, and incurs, besides the block cipher, the cost of one additional XOR and the management of one extra data block. The approach is generic in that it transforms any block cipher into a PRF, and [MN17b] proposes a concrete instantiation with AES, which is the main target of this paper. The PRF, called AES-PRF, is as efficient as AES and inherits the design principle of EDMD. The 128-bit key version of AES has 10 rounds, which is the focus of this paper, and we decompose it into the first $s$ rounds and the last $t$ rounds, where $s + t = 10$. We then XOR the output state of the $s$-th round to the ciphertext, and this gives the output of AES-PRF, which we write AES-PRF$_{s,t}$ (see Fig. 3). The original proposal of [MN17b] is the case $(s, t) = (5, 5)$, i.e., the balanced case, while [MN17b] also proposes unbalanced cases to evaluate the general security that AES-PRF offers.
The efficiency and cost-effectiveness of AES-PRF comes at the cost of provable security, i.e., the provable security result of EDMD no longer applies to AES-PRF, since the proof requires that the two components are independent PRPs. This implies that the security of AES-PRF relies on the evaluation by cryptanalysts, which we present in this paper.
In [MN17b], an initial security evaluation is presented, showing that the cases $(s, t) = (1, 9)$ and $(9, 1)$ can be broken, while the security of the case $(s, t) = (2, 8)$ is left as an open question. They also summarize generic attacks: AES-PRF can always be broken with $2^n$ query complexity, and if the query complexity is $q$, the success probability of the distinguishing attack is $q^2/2^{2n}$ when $q < 2^{n/2}$, and $O(q/2^{3n/2})$ if $q > 2^{n/2}$ [MN17b]. They conjecture that AES-PRF cannot be distinguished from a random function significantly faster than by either brute-forcing the key or by the above-mentioned generic attacks.
In this paper, we extensively analyze the security of AES-PRF$_{s,t}$. We also evaluate the security of the dual version of AES-PRF, which we write Dual-AES-PRF, that corresponds to the EDM counterpart of AES. From the provable security viewpoint, EDM and EDMD have roughly the same security bound. More precisely, EDM is secure up to about $2^n/(67n)$ query complexity, and EDMD is secure up to about $2^n/67$ query complexity [MN17b]. The effect of this slight difference in the security bound is unknown, and it is therefore interesting to see the security of both AES-PRF and Dual-AES-PRF from the cryptanalytic perspective. Dual-AES-PRF is depicted in Fig. 4.
We consider a rich set of cryptanalytic techniques that we find to be effective on these PRFs, and we apply an impossible differential attack [BBS99, Knu98], a zero-correlation linear attack [BLNW12, BR14], a traditional differential attack [BS90], a zero-correlation linear distinguishing attack [BLNW12, BR14] and a meet-in-the-middle attack [DS08, DKS10, DFJ13]. See Table 1 for a summary of our results. These results improve the initial security evaluation by the designers in various ways, and significantly improve the insight into their security. From these results, our observations can be summarized as follows.
• Our results indicate that the security of AES-PRF is higher than that of Dual-AES-PRF in terms of the applicability of differential attacks. This is consistent with the rationale discussed in [MN17b] for preferring EDMD over EDM as the base scheme of AES-PRF.
• In terms of the number of rounds of the first part ($s$ rounds), both AES-PRF and Dual-AES-PRF have only one round as the security margin.
• The balanced case $(s, t) = (5, 5)$ is certainly a natural design choice. However, our results indicate that $(s, t) = (4, 6)$ for AES-PRF has the potential to be more secure, since the margin with respect to the attacked rounds becomes larger.
This paper is organized as follows. In Sect. 2, we describe AES-PRF and Dual-AES-PRF as well as the underlying block cipher. In Sect. 3, we present an overview of our results together with the cryptanalysis techniques we use. Then, Sects. 4, 5 and 6 are the core of our paper, where we detail our attacks against AES-PRF, Dual-AES-PRF and round-reduced AES-PRF, respectively. We conclude the paper in Sect. 7. Many further attacks are described in the Supplemental Material A and B.

Description of AES
AES is the most common block cipher whose block length is 128 bits. AES accepts 128-, 192- and 256-bit secret keys, and the respective variants are referred to as AES-128, AES-192 and AES-256. In this paper, we focus on the analysis of PRFs instantiated with AES-128. The internal state of AES-128 is represented as a $4 \times 4$ matrix whose elements are 1-byte values, and we refer to a particular byte of the internal state $x$ by $x[i]$, as depicted in Fig. 2. We write $x[i_1, i_2, \dots, i_m]$ to denote the $m$ bytes at positions $i_1, i_2, \dots, i_m$, and $x[i:j]$ simply denotes the consecutive bytes at positions between $i$ and $j$.
The round function updates the state by applying four basic transformations: SubBytes (SB), ShiftRows (SR), MixColumns (MC) and AddRoundKey (AK). SubBytes is a nonlinear byte-wise substitution that applies an S-box to every byte of the internal state. ShiftRows rotates the $i$-th row by $i$ bytes to the left, where $i$ starts from 0. MixColumns is a linear transformation that multiplies each column by an invertible $4 \times 4$ matrix. AddRoundKey is an exclusive-or of the internal state with the round key. AES-128 iterates the round function 10 times, where an additional whitening key is XORed before the first round, and MixColumns is omitted in the last round.
In this paper, we use the following notation: $x^I_i$ denotes the input of round $i$, while $x^S_i$, $x^R_i$, $x^M_i$ and $x^O_i$ denote the intermediate values after the application of the SubBytes, ShiftRows, MixColumns and AddRoundKey operations of round $i$, respectively. Then, we have $x^O_{i-1} = x^I_i$ for $i \ge 2$. The $i$-th round key is denoted by $K_i$, and the initial whitening subkey is $K_0$. In some cases, we interchange the order of the MixColumns and AddRoundKey operations, since these operations are linear. We denote the equivalent subkey by $EK_i$, that is, $EK_i = MC^{-1}(K_i)$, and $x^E_i$ represents the intermediate value after the application of AddRoundKey with the equivalent subkey.
The key schedule works as follows. The 128-bit master key is divided into four 32-bit words, where RotByte is a one-byte rotation to the left and Rcon denotes the round-dependent constant. The $i$-th round key is $(W$

AES-PRF and Dual-AES-PRF
The construction of AES-PRF was proposed in [MN17b]. AES is decomposed into sub-blocks, which are chained like the dual of the encrypted Davies-Meyer (EDMD) construction. There are several settings for the decomposition, e.g., the 10 rounds of AES-128 can be decomposed into the first $s$ rounds and the last $t = 10 - s$ rounds, as depicted in Fig. 3.

Definition 1 (AES-PRF$_{s,t}$). The $(s+t)$-round AES is decomposed into the first $s$ rounds and the last $t$ rounds. The output of AES-PRF$_{s,t}$ is the XOR between the state encrypted by $s$-round AES and the state encrypted by $(s+t)$-round AES.
Unless otherwise stated, AES-PRF$_{s,t}$ adopts AES-128 with $s + t = 10$ rounds, or its round-reduced variant when $s + t < 10$. The construction with $s = 0$ is equivalent to the Davies-Meyer construction, and that with $t = 0$ is clearly insecure.
It is natural to consider the dual of AES-PRF, depicted in Fig. 4, and we call it Dual-AES-PRF. Unlike AES-PRF, in Dual-AES-PRF the plaintext is used as the feed-forward instead of the intermediate state. Similarly to AES-PRF$_{s,t}$, when the first sub-block has $s$ rounds and the last sub-block has $t$ rounds, we call it Dual-AES-PRF$_{s,t}$. The construction with $s = 0$ is obviously insecure, and that with $t = 0$ is exactly the Davies-Meyer construction.
Therefore, $s$ can be chosen from 1 to 9 for both AES-PRF and Dual-AES-PRF. The designers also showed a few attacks on AES-PRF, where both $s = 1$ and $t = 1$ are broken. We note that, as observed in [MN17b], Dual-AES-PRF is exposed to the risk that the adversary gains control over the intermediate state.

Overview of Our Attacks
In this paper, we show various types of attacks against AES-PRF and Dual-AES-PRF. Before we present the details of our attacks, we first summarize them to help readers see the relationship among these attacks. Our attacks can be separated into two categories. In the first category, either the first or the last sub-block can be regarded as a random permutation; in the second, the number of rounds in both sub-blocks is restricted. We show five different types of attack: impossible differential attack, zero-correlation linear attack, differential attack, zero-correlation linear distinguisher and meet-in-the-middle attack. The first four attacks belong to the first category, and the meet-in-the-middle attack belongs to the second category. We present in Fig. 5 the summary of the attacks in the first category.
Impossible differential attack. The impossible differential attack was proposed independently by Biham et al. [BBS99] and Knudsen [Knu98]. Incorrect keys are discarded by using differentials that never occur in the real cipher. See Figs. 5a and 5c. When the sub-block with the feed-forward structure is ideal, we can construct a very simple impossible differential, as the input has non-zero differences but the difference of the output before the XOR is 0. In other words, if the output after XORing the feed-forward value has the same difference as the input, it is an impossible differential. Our goal is to recover the secret key in the other sub-block. As a result, we can attack both AES-PRF with $s \le 2$ and Dual-AES-PRF with $t \le 2$. The designers of AES-PRF also showed an attack against AES-PRF with $s = 1$, but the attack against AES-PRF with $s = 2$ was left as an open problem [MN17b]. Therefore, we solve this open problem. Details are presented in Sects. 4.1 and 5.1.

Zero-correlation linear attack.
The zero-correlation linear attack was successfully used by Bogdanov and Rijmen [BLNW12, BR14]. The correct key is recovered by using linear approximations that hold for exactly 50% of the input values. The attack outline is similar to that of the impossible differential attack above (see Figs. 5a and 5c again). Namely, if the output of the sub-block with the feed-forward structure has the same linear mask as the input, the approximation has zero correlation. Our goal is to recover the secret key in the other sub-block.
Similarly to the impossible differential attack, we can attack both AES-PRF with $s \le 2$ and Dual-AES-PRF with $t \le 2$. Details are presented in Sects. 4.2 and 5.2.

Differential attack.
The simplest differential attack exploits differentials that hold with high probability, but our differential attack exploits a differential that holds with probability 1. As the designers of AES-PRF claimed, Dual-AES-PRF has a vulnerability in which the intermediate state can be controlled by observing collisions at the output. If the outputs of Dual-AES-PRF collide, we know that the difference of the intermediate state always coincides with the difference of the input (see Fig. 5d). Therefore, we can recover the secret key by using such a differential that holds with probability 1. As a result, we can attack only Dual-AES-PRF, when $s \le 4$. Note that this attack cannot be applied to AES-PRF because we cannot control the difference of the intermediate state. Details are presented in Sect. 5.2.
Zero-correlation linear distinguisher. One of the reasons that the designers of AES-PRF chose the EDMD construction instead of the EDM construction is the vulnerability described above. Namely, we cannot control the difference of the intermediate state of AES-PRF. However, we show that it is possible to control the linear mask very well thanks to the duality [Mat94]. See Fig. 5b. When the input linear mask is zero and the output linear mask is non-zero, the linear masks for the input and output of the last sub-block are the same as the output linear mask. Therefore, if the chosen linear masks have zero correlation for the last sub-block, we obtain a zero-correlation linear distinguisher.
We can construct such a linear mask for up to $t \le 4$. As a result, AES-PRF with $t \le 4$ is also vulnerable, similarly to Dual-AES-PRF. On the other hand, this attack only yields a distinguisher, and it is left as an open problem to recover the secret key by exploiting this idea. Details are presented in Sect. 4.3.
Meet-in-the-Middle attack. AES-PRF relies on AES as the underlying block cipher. As the best known results against AES are based on meet-in-the-middle attacks, it makes sense to study how this cryptanalysis technique applies to AES-PRF. As a result, we can attack all variants of AES-PRF reduced to 7 rounds. On the other hand, Dual-AES-PRF seems to provide more resistance against such attacks, and we can only break a few variants. Surprisingly, the unbalanced variants are the ones offering the best security. The details of our attacks are presented in Sect. 6.1.

Impossible Differential
We show impossible differential attacks against AES-PRF$_{s,t}$ with $s = 1$ or $2$, where Fig. 5a illustrates the impossible differential attack for AES-PRF$_{s,t}$. In this subsection, we focus on AES-PRF$_{2,8}$ because AES-PRF$_{1,9}$ is clearly less secure than AES-PRF$_{2,8}$. Please refer to Supplemental Material A.1 for the attack against AES-PRF$_{1,9}$.

Data Requirement for Impossible Differential Attack
Before explaining the detailed procedure to attack AES-PRF using the impossible differential, we first introduce a formula to estimate the data requirement.
The impossible differential attack exploits differentials that never occur in the real cipher. Assume that each pair $((P, C), (P', C'))$ can reject $2^\sigma$ keys and that $2^\tau$ is the size of the targeted key space; then the probability that an incorrect key is rejected by one pair is $2^{\sigma - \tau}$. The average number of pairs $N$ required to be left with at most $2^\alpha$ key candidates is given by the following formula [BBS99, BNS14]:
This inequality can be rewritten as: (1)

Property of AES S-Box
We exploit the following property of the differential distribution table (DDT) of the AES S-box to recover the secret key.
Property 1. For a given input difference $\Delta X$, consider the output difference $\Delta Y$. For 129/256 such pairs, the differential transition is impossible. For 126/256 such pairs, there are two ordered pairs, i.e., $S(X) \oplus S(X \oplus \Delta X) = \Delta Y$ and $S(X \oplus \Delta X) \oplus S(X) = \Delta Y$. And for the remaining 1/256 pair, there are four ordered pairs. This property implies that pairs of input/output values of the AES S-box are immediately recovered once a pair of input/output differences is given. Moreover, the number of recovered values is 1 on average, because $0 \times 129/256 + 2 \times 126/256 + 4 \times 1/256 = 1$. A key recovery attack based on this property has been applied to AES [BDD+12], and we also exploit this property to recover the secret key.
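As an added, self-contained example (this is not code from the paper or from the AES-PRF designers), the following Python sketch implements AES-128 round by round so that the decomposition of Sect. 2 can be written down directly: `aes_prf(pt, key, s, t)` is AES-PRF$_{s,t}$ of Definition 1 (the state after round $s$ XORed onto the output of round $s+t$) and `dual_aes_prf(pt, key, s, t)` is Dual-AES-PRF$_{s,t}$ (the plaintext XORed onto the state after round $s$, followed by $t$ more rounds), both with MixColumns omitted in the final round as in Sect. 2. The same S-box is then used to check Property 1: `ddt_profile(dx)` counts, for a non-zero input difference, how many output differences admit 0, 2 and 4 solutions (129, 126 and 1), and `sbox_inputs(dx, dy)` is the recovery step that turns a known difference pair into the candidate S-box inputs, from which subkey bytes follow once the plaintext is known. The function names and the byte layout (byte $i$ in row $i \bmod 4$, column $\lfloor i/4 \rfloor$) are this example's own choices; the FIPS-197 test vector in `main` is a published standard value used only to check the round structure.

```python
# Added example (not code from the paper or the AES-PRF designers): AES-128 written
# round by round so the decomposition of Sect. 2 can be expressed directly, plus the
# S-box DDT check behind Property 1. Byte i of the state sits in row i % 4, column
# i // 4 (standard column-major layout), so x[0, 5, 10, 15] is the main diagonal.

def gf_mul(a, b):
    # Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def make_sbox():
    # S(x) = affine(x^-1): inverse in GF(2^8), then x ^ rotl(x,1) ^ ... ^ rotl(x,4) ^ 0x63.
    sbox = [0] * 256
    for x in range(256):
        s = t = next(y for y in range(256) if gf_mul(x, y) == 1) if x else 0
        for _ in range(4):
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox[x] = s ^ 0x63
    return sbox

SBOX = make_sbox()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]
def sub_bytes(s):
    return [SBOX[b] for b in s]
def shift_rows(s):
    # Row r rotates left by r bytes: new[r][c] = old[r][(c + r) mod 4].
    return [s[(i % 4) + 4 * ((i // 4 + i % 4) % 4)] for i in range(16)]

def mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def expand_key(key):
    # AES-128 key schedule; returns K_0 (whitening key) .. K_10 as 16-byte lists.
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotByte, then S-box, then Rcon on the first byte
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append(xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_rounds(state, rks, start, end, nr):
    # Rounds start..end (1-based) of an nr-round AES; MixColumns is omitted in round nr.
    # The K_0 whitening is left to the caller so a computation can be resumed mid-cipher.
    for i in range(start, end + 1):
        state = shift_rows(sub_bytes(state))
        if i != nr:
            state = mix_columns(state)
        state = xor(state, rks[i])
    return state

def aes128_encrypt(pt, key):
    rks = expand_key(key)
    return bytes(aes_rounds(xor(pt, rks[0]), rks, 1, 10, 10))

def aes_prf(pt, key, s, t):
    # AES-PRF_{s,t} (Definition 1): x^O_s is XORed onto the output of round s + t.
    rks = expand_key(key)
    mid = aes_rounds(xor(pt, rks[0]), rks, 1, s, s + t)  # state after round s
    return bytes(xor(mid, aes_rounds(mid, rks, s + 1, s + t, s + t)))

def dual_aes_prf(pt, key, s, t):
    # Dual-AES-PRF_{s,t}: the plaintext is the feed-forward onto x^O_s, then t more rounds.
    rks = expand_key(key)
    mid = xor(aes_rounds(xor(pt, rks[0]), rks, 1, s, s + t), pt)
    return bytes(aes_rounds(mid, rks, s + 1, s + t, s + t))

def ddt_profile(dx):
    # Property 1: build the DDT row of dx and count how many output differences dy
    # have 0, 2 and 4 solutions X to S(X) ^ S(X ^ dx) = dy; (129, 126, 1) for dx != 0.
    row = [0] * 256
    for x in range(256):
        row[SBOX[x] ^ SBOX[x ^ dx]] += 1
    return row.count(0), row.count(2), row.count(4)

def sbox_inputs(dx, dy):
    # Recovery step of Property 1: the S-box inputs consistent with a difference pair
    # (0, 2 or 4 values; 1 on average over dy), from which a subkey byte follows.
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ dx] == dy]

if __name__ == "__main__":
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt(pt, key).hex())  # FIPS-197 C.1: 69c4e0d86a7b0430d8cdb78070b4c55a
    print(aes_prf(pt, key, 5, 5).hex(), dual_aes_prf(pt, key, 5, 5).hex(), ddt_profile(0x01))
```

The degenerate cases of Sect. 2 fall out of the code: with $t = 0$, `aes_prf` XORs the ciphertext onto itself and returns all zeros, while `dual_aes_prf` with $t = 0$ is exactly the Davies-Meyer construction $\mathrm{AES}(P) \oplus P$. The DDT loop is also why Property 1 matters for key recovery: the entries of one DDT row sum to 256, so a known difference pair yields one input candidate on average, and the attacks of Sects. 4 and 5 use this to turn guessed differences into subkey bytes.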

Impossible Differential Attack for AES-PRF 2,8
It is easy to check that AES-PRF$_{2,8}$ is equivalent to the keyed function depicted in Fig. 6, that is, for every plaintext $P$, the function presented in Fig. 6 always outputs AES-PRF$_{2,8}(P)$. Before the analysis, we emphasize that the following should be read alongside Fig. 6.
Our attack targets 11 subkey bytes. Before the attack, we store the set $C$ of all $2^{88}$ possible values for the 11 subkey bytes in memory, and incorrect keys are removed from $C$ by the impossible differential attack shown in Algorithm 1.
Assume that we have a pair $(P, P')$ of plaintexts with difference $\Delta P$. Let $C$ and $C'$ be the corresponding ciphertexts such that 11 bytes of $MC^{-1}(\Delta C)$ are 0, as depicted in Fig. 6. Then, any key guess under which the input difference of
Prepare $2^{64}$ plaintexts traversing all $2^{64}$ possibilities of the 8 bytes marked in Fig. 6, while the remaining bytes are fixed to constants. These $2^{64}$ plaintexts form a structure from which we obtain pairs of plaintexts with 11 bytes of $MC^{-1}(\Delta C)$ being 0. In practice, such pairs can be identified with the following approach. We encrypt the $2^{64}$ plaintexts and insert them into a hash table $H$ according to $MC^{-1}(\Delta C)$. Good pairs can be formed within those slots of the hash table holding more than one element.
For each such pair (good pair), we guess the 2 bytes of $\Delta x^M_1$ marked in Fig. 6. For any of the $2^{16}$ possible guesses, we can obtain the corresponding $x^I_1[0, 5, 10, 15]$ and $x^S_1[0, 5, 10, 15]$ from Property 1. Since the plaintexts are known, we can derive the 4 bytes of the subkey $K_0$ marked in Fig. 6. At this point, we can compute are incorrect, and we can get such $x^I_2[0:1]$ from Property 1. Since both $x^I_2[0:1]$ and $x^M_1[0:1]$ are known, we can derive the 2 bytes of $K_1$ marked in Fig. 6. We store the $2^{16}$ possible subkey guesses in a hash table $G$ indexed by $(K\ )$. Similarly, we guess the 3 red bytes of $\Delta x^M_1$, from which the 7 pink bytes of $K_0$ and $K_1$ can be derived. Since the subkeys must satisfy the following equations extracted from the key schedule of AES, whose probability is $2^{-16}$, for each of the $2^{24}$ guesses of $(K_0\ )$. If it is empty, we discard the guess. Otherwise, we remove from the set $C$ the subkey guesses produced by combining the current guess with the guesses in the hash table $G$ indexed by $(K\ )$. Note that, given one good pair, approximately $2^{16} \times 2^{24} \times 2^{-16} = 2^{24}$ keys are rejected.

Zero-Correlation Linear
Figure 5a illustrates the zero-correlation linear attack for AES-PRF$_{s,t}$. Similarly to the impossible differential attack, we focus on AES-PRF$_{2,8}$; please refer to the Supplemental Material for
Algorithm 1 (fragment): for each of the $2^{24}$ values of $\Delta x^M_1$ marked in Fig. 6 do; Step 10: derive the 7 bytes of $K_0$ and $K_1$ marked in Fig. 6.

Data Requirement for Zero-Correlation Linear Attack
In this section, we briefly introduce the data complexity of the zero-correlation linear attack. For more information, please refer to [BLNW12, BN17, SCW17].
Let the adversary be given $N$ plaintext-ciphertext pairs and non-trivial zero-correlation linear approximations for an $n$-bit block cipher. For each of the given approximations, the adversary computes the number $V[i]$ of times the linear approximation is fulfilled on $N - 1$. Then, the adversary evaluates the statistic:
After setting the type-I error probability (the probability to miss the right key) to $\alpha_0$, and the type-II error probability (the probability to accept a wrong key) to $\alpha_1$, the number $N$ of known plaintexts in the attack is
where $\chi_{1-\alpha_0}$ and $\chi_{\alpha_1}$ are the respective quantiles of the $\chi^2$-distribution with degrees of freedom evaluated at the points $1 - \alpha_0$ and $\alpha_1$.

Zero-Correlation Linear Attack for AES-PRF 2,8
The linear mask $\Gamma$ that we use in this case is depicted in Fig. 7. The number of non-trivial zero-correlation linear approximations is $(2^8 - 1)^4$ under this setting. Note that AES-PRF$_{2,8}$ is equivalent to the keyed function depicted in Fig. 8. The detailed key-recovery attack can be found in Algorithm 2.
Complexity Analysis. In this attack, we use $(2^8 - 1)^4$ non-trivial zero-correlation linear approximations. We set the type-I error probability to $\alpha_0 = 2^{-4}$, and the type-II error probability to $\alpha_1 = 2^{-17}$. Thus, the data complexity is $2^{115.06}$ known plaintexts. Then, the key space is reduced to $2^{64-17} = 2^{47}$, and we exhaustively guess the remaining 64 bits. Therefore, the final exhaustive search requires a complexity of $2^{64+47} = 2^{111}$. Since $V_1$ and $V_2$ constitute the largest memory and the sizes of the other counters are negligible, the memory complexity is roughly $2^{65}$. The time complexity of Steps 5-21 of Algorithm 2 is $2^{106.00}$. Thus, the total computational time, which is dominated by the data collection part and the final exhaustive search phase, is about $2^{115.14}$.

Algorithm 2 (fragment). Step 16: Allocate a counter $V[z]$ for each of the $(2^8 - 1)^4$ zero-correlation linear approximations, and set it to zero. The guessed key bytes constitute a possible subkey candidate. Step 20: All master keys that are compatible with it are tested exhaustively against a maximum of 2 plaintext-ciphertext pairs.

Zero-Correlation Linear Distinguisher
For the distinguishing attack, we use the zero-correlation linear distinguisher illustrated in Fig. 5b, where we show distinguishing attacks against AES-PRF$_{7,3}$ and AES-PRF$_{6,4}$. The main observation is that the approximation $0 \to \Gamma$ has zero correlation whenever $\Gamma \xrightarrow{\mathrm{AES}_t} \Gamma$ has zero correlation, where $\mathrm{AES}_t$ denotes the last $t$ rounds of AES. Since the input mask is zero, we only need to evaluate the zero-correlation property at the output. After determining $\Gamma$, we compute the $\chi^2$-statistic with $N$ plaintext-ciphertext pairs. Then, we can distinguish this construction from a random function by comparing the value of $T$ with a predetermined threshold $\tau$.
Let $n$ be the block length and consider the given number of non-trivial zero-correlation linear approximations. Then, the data complexity of our distinguishing attack is roughly estimated as $O(2^{n - \cdot/2})$ [BW12, BLNW12]. In order to reduce the data complexity, we should increase the number of involved zero-correlation linear approximations. We only consider truncated linear trails and exhaustively search all $2^{16}$ input/output patterns $\Gamma_p = (\gamma_0, \gamma_1, \dots, \gamma_{15})$, $\gamma_i \in \{0, 1\}$. The maximum Hamming weight of $\Gamma_p$ such that $\Gamma_p \xrightarrow{\mathrm{AES}_3} \Gamma_p$ constitutes a zero-correlation trail is 11. One family of zero-correlation linear approximations satisfying this case can be found in Fig. 9. The bytes marked in Fig. 9 denote bytes with non-zero linear masks. We omit the AddRoundKey operation because it does not affect the propagation of linear masks.

Complexity Analysis.
For the attack on AES-PRF$_{7,3}$, we use $(2^8 - 1)^{11}$ non-trivial zero-correlation linear approximations. We set the type-I error probability to $\alpha_0 = 2^{-2}$, and the type-II error probability to $\alpha_1 = 2^{-2}$. Thus, the data complexity is $2^{84.96}$ known plaintexts. The time complexity is about $2^{84.96}$ because the data collection phase dominates the time complexity. The memory complexity is roughly $2^{84.96}$. The maximum Hamming weight of $\Gamma_p$ such that $\Gamma_p \xrightarrow{\mathrm{AES}_4} \Gamma_p$ constitutes a zero-correlation trail is 8. One family of zero-correlation linear approximations satisfying this condition can be found in Fig. 10, where the marked bytes denote bytes with non-zero linear masks.

Impossible Differential
The overview of the impossible differential attack against Dual-AES-PRF$_{8,2}$ is shown in Fig. 11. We first prepare pairs $(P, P')$ of plaintexts whose difference $\Delta P$ is active in the 4 bytes $P[0, 4, 5, 9]$. Then, we pick pairs where the difference of the corresponding ciphertexts is inactive in $C[2, 3, 5, 6, 8, 9, 12, 15]$. Any key guess under which the difference of the intermediate state is also $\Delta P$ must be incorrect, since this leads to the impossible differential $\Delta P \to 0$ of the permutation.
Prepare $2^{32}$ plaintexts traversing all $2^{32}$ possibilities of the 4 bytes marked in Fig. 11, while the remaining bytes are fixed to constants. From such $2^{32}$ plaintexts, the probability that a pair of ciphertexts has the difference above is
For each such pair (good pair), we guess the 2 bytes of $K_{10}$ marked in Fig. 11. For any of the $2^{16}$ possible guesses, we can derive $\Delta x$
Then, the key bytes marked with 1 can be derived. At this point, the main diagonal $K_{10}[0, 7, 10, 13]$ is known, and $x^E_9[0, 1]$ can be computed. Together with the knowledge of $\Delta P[0, 5]$ and $\Delta x^S_9[0, 5]$ $(= \Delta x^E_9[0, 1])$, we obtain $x^S_9[0, 5]$ from Property 1. Then, the key bytes of $EK_9$ marked with 2 can be derived. Similarly, we continue the guess on the other 2 bytes of $K_{10}$ marked in Fig. 11, which leads to the determination of the bytes of $K_{10}$ marked with 1 and the bytes of $EK_9$ marked with 2. Therefore, for each good pair, approximately $2^{16} \times 2^{16} = 2^{32}$ keys are rejected. Moreover, the time complexity is $2^{32}$ for each good pair.

Zero-Correlation Linear
Figure 5c illustrates the zero-correlation linear attack for Dual-AES-PRF$_{s,t}$. The analysis in this subsection is restricted to $t = 2$; please refer to Supplemental Material B.2 for the zero-correlation attack against Dual-AES-PRF$_{9,1}$.
The linear mask $\Gamma$ that we use in this case is the same as the one given in Fig. 7. The number of non-trivial zero-correlation linear approximations is $(2^8 - 1)^4$ under this setting.
Note that Dual-AES-PRF$_{8,2}$ is equivalent to the keyed function depicted in Fig. 12. The key-recovery attack can be found in Algorithm 4.
Algorithm 4 (fragment): Zero-correlation linear attack on Dual-AES-PRF$_{8,2}$. Step 6: for each possible 32-bit subkey value $K_{10}[0, 7, 10, 13]$ do
Complexity Analysis. In this attack, we use $(2^8 - 1)^4$ non-trivial zero-correlation linear approximations. We set the type-I error probability to $\alpha_0 = 2^{-4}$, and the type-II error probability to $\alpha_1 = 2^{-17}$. Thus, the data complexity is $2^{115.06}$ known plaintexts. Since $V_1$ and $V_2$ constitute the largest memory and the sizes of the other counters are negligible, the memory complexity is roughly $2^{65}$. The time complexity of Steps 5-21 of Algorithm 4 is $2^{106.00}$. Thus, the total computational time, which is dominated by the data collection part and the final exhaustive search phase, is about $2^{115.14}$.

Differential
The differential attack that we utilize in this subsection is illustrated in Fig. 5d. We show the differential attack against Dual-AES-PRF$_{4,6}$ in this subsection. Please refer to Supplemental Material B.3 and B.4 for the differential attacks against Dual-AES-PRF$_{2,8}$ and Dual-AES-PRF$_{3,7}$, respectively. An illustration of the key-recovery procedure can be found in Fig. 13. Independently of any probabilities, once the key is fixed, AES is a permutation, and then Dual-AES-PRF$_{s,t}(x) = $ Dual-AES-PRF$_{s,t}(y)$ is equivalent to $\mathrm{AES}_s(x) \oplus x = \mathrm{AES}_s(y) \oplus y$, which can be rewritten as $x \oplus y = \mathrm{AES}_s(x) \oplus \mathrm{AES}_s(y)$. In our attack, we encrypt plaintexts with only one active byte. Hence, whenever a pair $(x, y)$ collides, $\mathrm{AES}_4(x) \oplus \mathrm{AES}_4(y)$ is equal to $x \oplus y$, so the differences at the input and output of 4-round AES have only one active byte (at the same position), and thus the trail depicted in Fig. 13 is followed with probability 1.

Differential Attack for Dual-AES-PRF 4,6
In order to obtain one collision pair at the output, we need to create $2^{128}$ pairs. Consider a structure of $2^8$ plaintexts in which the unique gray byte shown in Fig. 13 is active, while the remaining bytes in white are fixed to constants. From one structure of $2^8$ plaintexts, we are able to construct $2^8 \times (2^8 - 1)/2 \approx 2^{15}$ pairs. Thus, $2^{113}$ structures are required. If we find a collision at the output, we know the difference at $x^O_4$. For the collision pair $(P, P')$ satisfying the input difference, we enumerate all $2^{72}$ possible differences at $x^S_1$, $x^S_2$ and $x^I_4$. Then, all input and output differences of the SubBytes operations in the first four rounds are known. From Property 1, partial values of $x^I_i$ and $x^S_i$ ($1 \le i \le 4$), whose positions correspond to all active bytes of the SubBytes operation, can be recovered. Then, 10 bytes of subkey information can be obtained, which are coloured blue in Fig. 13. For each guess of the differences, we are able to retrieve 80 bits of subkey information, and all master keys that are compatible with this information are tested exhaustively against a maximum of two plaintext-ciphertext pairs. A detailed description can be found in Algorithm 5.
In total, the data complexity of this attack is $2^{121}$ chosen plaintexts. The time complexity is also $2^{121}$. Since the input difference of the collision pair must follow the input difference of the distinguisher, we do not need to consider pairs constructed by choosing plaintexts from different structures. In other words, in the collision-searching phase, each structure can be handled independently. Thus, the memory complexity is $2^8$.
Algorithm 5 (fragment): Differential attack on Dual-AES-PRF$_{4,6}$ with one collision pair. Input: the collision pair, the input difference $\Delta x^I_1$, and the output difference $\Delta x^O_4$. Step 1: for each of the $2^8$ active values of $\Delta x^S_1$ do

In this section we describe key-recovery attacks against AES-PRF and Dual-AES-PRF when the number of rounds is reduced to 7. Indeed, the best known attacks against round-reduced versions of AES-128 are able to break up to 7 rounds, and it is worth showing that using the feed-forward of an internal state does not increase the security.

Demirci-Selçuk attack against AES-PRF$_{3,4}$
In this section, we show how to apply a Demirci-Selçuk attack [DS08] against AES-PRF$_{3,4}$. Interested readers may refer to [DF16] for further details and improvements of this cryptanalysis technique.
We want to emphasize that this is the first time this cryptanalysis technique is applied to a primitive which is not a block cipher. Hence, besides its interest for understanding the security of AES-PRF, we believe this attack opens a new research line, as future work may try to extend the application range of Demirci-Selçuk attacks.

4-round Distinguisher
Our attack against AES-PRF$_{3,4}$ relies on exactly the same 4-round distinguisher as the original attack of Demirci-Selçuk. Denoting by δ-set a collection of 256 plaintexts such that one byte is active and takes all the possible values while the other ones are constant, we have the following property:

Lemma 1 (4-round distinguisher). Consider the encryption of a δ-set through four full AES rounds. For each of the 16 bytes of the state, the ordered sequence of 255 differences of that byte in the corresponding ciphertexts is fully determined by just 25 byte parameters. Consequently, for any fixed byte position, there are at most $(2^8)^{25} = 2^{200}$ possible sequences when we consider all the possible choices of keys and δ-sets (out of the $(2^8)^{255} = 2^{2040}$ theoretically possible 255-byte sequences).
The proof of this lemma is straightforward and can be found in [DF13].

Differential Enumeration Technique
The 4-round distinguisher above cannot be used to attack AES-128 since there are too many sequences to store. However, in 2010 Dunkelman et al. proposed a powerful technique to reduce the memory requirement of the attack [DKS10]. This technique, later improved by Derbez et al. in [DFJ13], asks to store only the sequences built from a δ-set containing a message $P$ that belongs to a pair $(P, P')$ following a well-chosen truncated differential characteristic, depicted in Fig. 14.
The 4-round distinguisher is placed between rounds 2 and 6. Given a δ-set such that the coloured byte of $x^I_2$ takes all the possible values, the sequence of differences in the coloured byte of $x^R_6$ is fully determined by the 25 coloured bytes of $x^I_3$, $x^I_4$, $x^I_5$ and $x^I_6$. Indeed, if one knows the value of those bytes for one message of the δ-set, one can propagate the differences from $x^R_2$ to $x^R_6$ and hence build the sequence. However, if the message belongs to a pair following the truncated differential characteristic of Fig. 14, the 25 coloured bytes can assume only $(2^8)^{11} = 2^{88}$ values. Indeed, it is enough to know the differences in the coloured bytes of $x^R_2$, $x^R_3$, $x^I_5$, $x^I_6$ and $x^R_6$ to deduce the required bytes, since the differences before and after the S-box are known for all of them.
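As an added worked example (not code from the paper), the following Python combines a compact AES round function with the two ingredients used in this analysis: Property 1 from the differential attack on Dual-AES-PRF$_{4,6}$ above (recovering S-box input values, and hence bytes of $K_0$, from an input/output difference pair) and Lemma 1 (the δ-set difference sequence can be rebuilt from one message's S-box inputs without any round key). It assumes full rounds with MixColumns, a column-major 16-byte state, round keys supplied directly rather than by a key schedule, and a δ-set active in byte 0.

```python
def gf_mul(a, b):  # multiplication in GF(2^8) modulo the AES polynomial 0x11b
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox():  # AES S-box: inversion in GF(2^8) followed by the affine map
    inv = {0: 0}
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xff
    return [inv[a] ^ rot(inv[a], 1) ^ rot(inv[a], 2) ^ rot(inv[a], 3)
            ^ rot(inv[a], 4) ^ 0x63 for a in range(256)]

SBOX = _sbox()

def linear_layer(s):  # ShiftRows then MixColumns; 16-byte state in column-major order
    t = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]
    out = []
    for c in range(4):
        a = t[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def encrypt(x, round_keys):  # full rounds SB-SR-MC-ARK on the whitened state x = x^I_1
    trace = []  # S-box input x^I_i of every round: Lemma 1's byte parameters
    for k in round_keys:
        trace.append(list(x))
        x = [u ^ v for u, v in zip(linear_layer([SBOX[b] for b in x]), k)]
    return x, trace

def delta_sequence(params):
    # Lemma 1: the 255 output differences of a delta-set (byte 0 active) follow from the
    # S-box inputs of ONE reference message; no round key is needed, since differences
    # pass AddRoundKey unchanged and the linear layer is key-independent.
    seq = []
    for d in range(1, 256):
        diff = [d] + [0] * 15
        for x in params:  # only bytes with diff != 0 (the coloured ones) are used
            diff = linear_layer([SBOX[v] ^ SBOX[v ^ e] for v, e in zip(x, diff)])
        seq.append(diff)
    return seq

def sbox_solutions(din, dout):  # Property 1: x with S(x) ^ S(x ^ din) == dout (0, 2 or 4)
    return [x for x in range(256) if SBOX[x] ^ SBOX[x ^ din] == dout]

def key0_byte_candidates(p, p2, dout):  # plaintext byte pair (p, p2), x^I_1 = p ^ K_0
    # one guess of the SubBytes output difference leaves <= 4 candidates for K_0's byte
    return sorted({p ^ x for x in sbox_solutions(p ^ p2, dout)})
```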

Attack against AES-PRF$_{3,4}$
The attack is quite similar to the original attack against AES-128. As in that attack, we start by computing and storing in a hash table all the $2^{88}$ sequences constructed by following the differential enumeration technique. This is the offline phase; this step has a time complexity of $2^{88} \times 2^8 = 2^{96}$ partial encryptions, and $2^{88} \times 2^8 = 2^{96}$ bytes of memory are required.
Then, in the online phase, one has to find a pair following the truncated differential characteristic. Classically, we start by asking for a structure of $2^{32}$ messages with one diagonal active and the other bytes constant. Then, if a pair follows the characteristic, the difference of the ciphertexts belongs to a subspace of dimension 8, because the difference in state $x^I_4$ belongs to a subspace of dimension 4, as does the difference in state $x^I_8$. Hence, we sort the $2^{32}$ messages according to the 8 constant (linear combinations of) bytes to identify pairs that may follow the truncated differential. Fortunately, for each such pair, it is straightforward to recover $\Delta x^I_8$ and $\Delta x^I_4$ assuming the pair follows the characteristic. Then one guesses $\Delta x^I_2$ and $\Delta x^R_2$ to recover the actual value of the corresponding coloured bytes. Similarly, it is enough to guess $\Delta x^R_6$ to recover the actual value of $x^I_7$ and $x^R_7$. At this step, we have a message $P_0$ for which we know the actual value of the grey bytes as well as the black bytes of $x^I_3$ and $x^R_3$. Hence, we now have to compute a δ-set from this message, compute the corresponding sequence of differences and check whether it is in the table or not. If the sequence does not belong to the table, we know with probability 1 that either the pair did not follow the characteristic or we made a wrong guess. In the opposite case, if the sequence is in the table, with very high probability the pair follows the truncated characteristic and the guesses are correct. To compute the sequence, we propagate the difference on $x^I_2$ to both $x^I_4$ and the plaintext. Then, using the corresponding ciphertext and $\Delta x^I_4$, we compute $\Delta x^I_8$ and propagate it to $x^R_6$.

Complexities. Time and memory complexities are both around $2^{96}$. In the online phase, to get a pair following the truncated differential characteristic, we need about $2^{81}$ structures of $2^{32}$ plaintexts. Indeed, each pair of such a structure follows the characteristic with probability $2^{-24-120} = 2^{-144}$ and one structure contains $2^{32+31} = 2^{63}$ pairs. Hence, the data complexity of the attack is $2^{113}$ chosen plaintexts. In the first step, for each structure we sort the corresponding ciphertexts to identify pairs that may follow the characteristic. This step requires $2^{32} \times 16 = 2^{36}$ bytes of storage and its time complexity is around $2^{32}$. Repeated for each structure, the time complexity of this step is around $2^{113}$. Approximately $2^{81+63-64} = 2^{80}$ pairs pass this step. For each of them we then need to guess 2 differences and propagate $2^8$ differences, leading to a complexity around $2^{80+16+8} = 2^{104}$ encryptions.

Key-recovery. At the end of the attack, we have a message for which we also know the right value of 4 bytes in state $x^I_1$. This directly leads to the knowledge of 4 key bytes. One can recover the remaining key bytes by exhaustive search.
Trade-off. It is possible to optimize the overall complexity of the attack by storing several tables. Indeed, with the same structure we have 4 choices for the active byte of $x^I_2$ as well as 16 choices for the active byte of $x^R_6$. Hence, we can decrease the overall complexity to $2^{113-2-4} = 2^{107}$. It is worth noticing that the overall complexity of this attack is very close to $2^{100}$, the overall complexity of the original attack against 7-round AES-128.
Remarks. The main difference between attacking AES-PRF$_{3,4}$ and AES-128 is the dimension of the subspace to which $\Delta C$ belongs. Let us denote by $V_4$ and $V_8$ the subspaces to which $\Delta x^I_4$ and $\Delta x^I_8$ respectively belong. Note that whatever the position of the active byte of $x^I_2$ and the position of the active byte of $x^I_6$, $V_4 \cap V_8 = \{0\}$, and thus we can directly deduce both $\Delta x^I_4$ and $\Delta x^I_8$ from $\Delta C$. This is why the complexity of the attack is similar for both AES-PRF$_{3,4}$ and AES-128.
It is worth mentioning that if the last MixColumns operation is not omitted, the result above does not hold. In that case, for some positions of the active bytes, $V_4 = V_8$, and thus one should make four extra guesses to identify $\Delta x^I_4$ and $\Delta x^I_8$, increasing the time complexity by a factor $2^{32}$.

Attack against Other Variants
This attack can be applied to AES-PRF$_{s,7-s}$ in a straightforward way for all values of $s$. We only distinguish two cases: the difference in state $x^I_s$ will be computed from $x^I_2$ for $s \le 3$ and from $x^I_6$ otherwise. For Dual-AES-PRF$_{s,7-s}$, surprisingly, it seems that we can only mount attacks with $s \in \{3, 4, 7\}$. Indeed, in the other cases, the truncated differential characteristic used in the attack becomes impossible, making the differential enumeration technique not efficient enough to beat exhaustive search for the 128-bit version.

Conclusions
In this paper, we performed an extensive security analysis of the pseudo-random function AES-PRF proposed by Mennink and Neves at FSE 2018. By applying several well-known cryptanalysis techniques to AES-PRF, we complemented the initial analysis provided by the designers with stronger attacks. Surprisingly, we found that the unbalanced version AES-PRF$_{4,6}$ seems to offer better security margins than the original design AES-PRF$_{5,5}$ according to the current results of our cryptanalysis. We also evaluated the dual version of AES-PRF and showed that this construction is a bit weaker, as expected by Mennink and Neves. Indeed, we were able to mount a key-recovery attack against Dual-AES-PRF$_{4,*}$, while we only found a distinguisher against AES-PRF$_{*,4}$. Finally, we also studied round-reduced versions of both AES-PRF and Dual-AES-PRF. The best known attacks against the underlying block cipher, AES-128, break up to 7 rounds, and we wondered whether the PRF reduced to 7 rounds was secure or not. As a result, we found that all variants of AES-PRF reduced to 7 rounds can be broken with complexities similar to attacks against AES-128.
All in all, while our attacks only apply to the unbalanced or round-reduced versions of AES-PRF, and do not endanger the full design, they provide further insight into its security.
Finally, this paper focuses on the 128-bit key version of AES-PRF and Dual-AES-PRF, and we leave the analyses of 192-bit and 256-bit key versions as open questions.

A.2 Zero-Correlation Attack for AES-PRF$_{1,9}$
The linear mask $\Gamma$ we use in this case is depicted in Fig. 16. Thus, the number of non-trivial zero-correlation linear approximations is $(2^8 - 1)^7$ under this setting. Note that AES-PRF$_{1,9}$ is equivalent to the keyed function depicted in Fig. 17. The key-recovery attack can be found in Algorithm 7.

Complexity Analysis
In this attack, we use $(2^8 - 1)^7$ non-trivial zero-correlation linear approximations. We set the type-I error probability to $\alpha_0 = 2^{-4}$, and the type-II error probability to $\alpha_1 = 2^{-26}$. Thus, the data complexity is $2^{103.34}$ known plaintexts. Since $V_1$ is the largest memory and the sizes of the other counters are negligible, the memory complexity is roughly $2^{96}$. The time complexity, which is dominated by the subkey guessing part, is about $2^{122.49}$.

Then, the values of $x^I_2$ and $x^S_2$ at bytes $[0:3]$ can be retrieved. Thus, the value of $K_1$ at bytes $[0:3]$ can be computed as $K_1 = MC \circ SR(x^S_1) \oplus x^I_2$. Then, we enumerate all $2^{32}$ differences of $x^S_1$ at bytes $[3, 4, 9, 14]$. With a similar analysis, we are able to obtain the value of $K_0$ at bytes $[3, 4, 9, 14]$, and the value of $K_1$ at bytes $[4:7]$ under each guess. We thus obtain $2^{56}$ candidates for 120-bit information of the subkeys by combining the two sets composed of $2^{32}$ candidates each. At last, all master keys that are compatible with the candidates are tested exhaustively against a maximum of two plaintext-ciphertext pairs.
In total, the data complexity of this attack is $2^{64}$ known plaintexts. The time complexity, which is dominated by the data collection phase and the exhaustive search phase, is $2^{65}$. The memory complexity, which is dominated by the collision searching phase, is $2^{64}$.

B.4 Differential Attack for Dual-AES-PRF$_{3,7}$
An illustration for the key-recovery procedure can be found in Fig. 21.
Consider a structure of $2^{32}$ plaintexts such that the 4 gray bytes shown in Fig. 21 are active, while the remaining bytes in white are fixed to constants. From one structure of $2^{32}$ plaintexts, we are able to construct $2^{32} \times (2^{32} - 1)/2 \approx 2^{63}$ pairs. In order to obtain one collision pair at the output, we need to create $2^{128}$ pairs. Thus, $2^{65}$ structures are required. If we find a collision at the output, we know the difference at $x^O_3$.

Figure 5: Summary of attacks, where either the first or the last sub-block can be regarded as a random permutation.

Algorithm fragment (steps 12 to 14): empty then
12: Discard the derived key guess
13: else
14: Remove the key values derived by combining the 7-byte value and the guesses in the hash table G indexed by $(K_1[4] + K_0[4], K_1[5])$ from C
Caption fragment: the attack against AES-PRF$_{1,9}$.

Table 1: Summary of results. The mark * in column $s$ is $10 - t$ and that in column $t$ is $10 - s$, but they can take any value.