New Key-Recovery Attack on Reduced-Round AES

A new fundamental 4-round property of AES, called the zero-difference property, was introduced by Rønjom, Bardeh and Helleseth at Asiacrypt 2017. Our work characterizes it in a simple way by exploiting the notion of related differences, which was introduced and analysed by the AES designers. We extend the 4-round property by considering further properties of related differences over the AES linear layer, generalizing the zero-difference property. This results in a new key-recovery attack on 7-round AES, the first attack on 7-round AES that exploits the zero-difference property.


Introduction
The Rijndael block cipher [DR98] was designed in the late 1990s by Joan Daemen and Vincent Rijmen and was chosen as the Advanced Encryption Standard (AES) by NIST in 2000. It has since been the most used and most analysed symmetric primitive worldwide. There are three versions of AES, with different key sizes and a different number of rounds: AES-128 with 10 rounds, AES-192 with 12 rounds, and AES-256 with 14 rounds. During the previous two decades, many different cryptanalytic techniques have been applied to AES. Up to now, the best attacks on AES-128 in the secret-key model cover seven rounds. The impossible-differential attack [LP21] and the meet-in-the-middle attack [DFJ13] are the two best-known attacks on AES-128.
A key-recovery attack against a block cipher is generally based on the existence of a distinguishing property. A distinguishing property is a statistical or structural property of a cipher that a random permutation does not have, so it lets us distinguish the cipher from a random permutation. For example, the impossible-differential and meet-in-the-middle attacks on 7-round AES-128 exploit 4-round distinguishers.
Recently, in a series of works, new distinguishers for reduced-round AES appeared [GRR17, RBH17, Gra18, BR19b, BR19a, Bar19]. These distinguishers exhibit new and fundamental properties of the AES which result in new efficient key-recovery attacks on 5-round AES. At Eurocrypt 2017, the authors of [GRR17] proposed the first key-independent 5-round distinguisher, which requires $2^{32}$ chosen texts with a computational cost of $2^{35.6}$ look-ups into a memory of size $2^{36}$ bytes. They showed that by encrypting cosets of certain subspaces of the plaintext space, the number of times the difference of ciphertext pairs lies in a particular subspace of the state space is always a multiple of 8, known as the multiple-of-8

Related work
The idea of using several differentials simultaneously in an attack has been studied in several works (see [DKR97, BG11, Tie16, RBH17, Gra18, DKRS20]). Apart from results obtained by assuming independence of the differentials, a few works [Tie16, RBH17, Gra18, DKRS20] have studied the propagation of multiple input differences through a cipher with a focus on the correlation between their differentials.
Related differentials can be considered as a particular form of the polytopic differentials (polytopic transitions) introduced in polytopic cryptanalysis [Tie16]. While there is no specific relation between the input differences considered in polytopic differentials, the input and output differences in related differentials are restricted to a specific form (they have to be related differences).
As opposed to higher-order differentials, the probability of related differentials can be evaluated with the ordinary differential-cryptanalysis technique, owing to the specific form of the related differences considered in related differentials.

Overview of this paper and main result
Section 2 describes the AES and recalls the notions of related difference and related differential. Section 3 presents the link between the notion of related difference and the zero-difference property, and generalizes the zero-difference property. Section 4 presents related-differential trails for 2- and 4-round AES and explains how to extend the zero-difference property to 6 and 8 rounds. Section 5 explains how to mount a key-recovery attack on 7-round AES based on the zero-difference property. For comparison, Table 1 summarizes the current best key-recovery attacks on 7 rounds of AES-128. Note that most of the known best attacks exploit properties of the AES key schedule. Our result is independent of the key schedule, which makes it in some sense more general.

Preliminaries
In this section, we start by providing a brief description of the AES. Then related differences and differentials, and zero-difference cryptanalysis, are described briefly together with the necessary results. Throughout this paper we work with finite fields of characteristic 2, i.e. fields containing $q = 2^m$ elements, seen as extensions of $\mathbb{F}_2$.

AES
The Advanced Encryption Standard (AES) [AES01] is the most widely adopted block cipher in the world today. An AES internal state α is typically represented by a 4 by 4 matrix of bytes, where $\alpha_i \in \mathbb{F}_{2^8}$. AES-128 has 10 rounds, where one full round of AES applies four operations to the state matrix:
• SubBytes (SB) applies 16 identical 8-bit to 8-bit S-boxes S independently to each byte of the state,
• ShiftRows (SR) shifts the i-th row left by i positions,
• MixColumns (MC) applies a fixed linear transformation to each column,
• AddKey (AK) XORs a 128-bit round key to the state.
In the last round, the MC operation is omitted. Also, an additional AK is applied to the plaintext before it is used as input to the first round. We denote by $R^t(x)$ the sequence of t full rounds of AES, including the first additional AK.

Related differentials
In [DR09], Daemen and Rijmen define a new type of difference called related differences.
They studied the propagation of these differences through the AES linear layer. We call an element of $\mathbb{F}_q$ a word and a vector of words $\alpha = (\alpha_0, \alpha_1, \ldots, \alpha_{n-1}) \in \mathbb{F}_q^n$ a state. The related differences and differentials are then defined in [DR09] as follows.
Definition 1 (related differences [DR09]). A pair of differences $\Delta x, \Delta x' \in \mathbb{F}_q^n$ are related differences if and only if relation (1) holds. It is obvious that relation (1) holds iff at least one of $\Delta x_i$, $\Delta x'_i$ and $\Delta x_i \oplus \Delta x'_i$ equals zero for every value of i.
For a state $\alpha \in \mathbb{F}_q^n$ we can define four distinct states, called a quartet, $(\alpha, \alpha \oplus \Delta x, \alpha \oplus \Delta x', \alpha \oplus \Delta x \oplus \Delta x')$, where the two differences $\Delta x$ and $\Delta x'$ are related. The most important property of this quartet is that, for every i, the set of i-th coordinates of the four states contains at most two different elements. In general, one can consider the set of all pairs of related differences $(\Delta x, \Delta x')$. As shown in [DR09], related differences can be combined into related differentials.
Definition 2 (related differentials [DR09]). Two differentials $(\Delta x, \Delta y)$ and $(\Delta x', \Delta y')$ for a linear map M are related differentials if and only if $\Delta y = M(\Delta x)$, $\Delta y' = M(\Delta x')$, the differences $\Delta x, \Delta x'$ are related differences and the differences $\Delta y, \Delta y'$ are related differences.
The MixColumns map of AES has some related differentials, where the two related differences $\Delta x$ and $\Delta x'$ are defined over $\mathbb{F}_{2^8}^4$ [DR09]. Four of them are listed in Table 2. The other related differentials can be derived from these four by means of rotation and/or multiplication by a scalar (see [DR09] for more details). In this paper we call them byte-related differences and differentials when they are defined over $\mathbb{F}_{2^8}^4$.

Zero-difference cryptanalysis
In [RBH17], a new fundamental property of 2 rounds of SPNs was introduced, called the zero-difference property. Consider an SPN where the round key is XORed to the state $\alpha \in \mathbb{F}_q^n$. The S-box layer S can be seen as the concatenation of n independent S-boxes over $\mathbb{F}_q$, and P denotes the linear layer. We recall here the main definitions and notations from [RBH17].
The map $\nu(\alpha)$ simply indicates which words of the state are non-zero.

Definition 4 ([RBH17]). For a vector $v \in \mathbb{F}_2^n$ and a pair of states $\alpha, \beta \in \mathbb{F}_q^n$, define a new state $\rho_v(\alpha, \beta) \in \mathbb{F}_q^n$ componentwise: its i-th component is taken from α or from β according to the i-th coefficient of v. Equivalently, $(\rho_v(\alpha, \beta), \rho_v(\beta, \alpha))$ is a new pair of states formed by exchanging individual words between α and β according to the binary coefficients of v. Assume d is the total number of common words between α and β, i.e. positions i with $\alpha_i = \beta_i$. Then the number of distinct pairs $(\alpha', \beta')$ generated this way is $2^{n-d-1}$ (including the original pair). The following theorem shows a relation over a 2-round SPN.
Since P is linear and invertible, given a difference $\Delta x \in \mathbb{F}_q^n$ we can compute the difference $P^{-1}(\Delta x)$ with probability one. We therefore define $\mu(\Delta x) = \nu(P^{-1}(\Delta x))$ and reformulate the result of Theorem 1 for a full 2-round SPN. Theorem 1 states that sets of pairs of states that are equivalent by exchange of any subset of words encrypt, after a 2-round SPN, to sets of pairs of states that all have a (non-)zero difference in exactly the same words before the final linear layer. We call these pairs of states related pairs. In the next section, we will show that the set of related pairs is larger than the set considered here.

Generalization of zero-difference cryptanalysis with related differences
The central notion of this work is to redefine the zero-difference property with the concept of related differences. We will show that quartets defined by two related differences have the same property as the quartets exploited in the zero-difference property. This allows us to redefine the main result of zero-difference cryptanalysis in [RBH17], Theorem 1, in terms of related differences. Moreover, this redefinition generates a larger number of related pairs than mentioned in Subsection 2.3. Besides generating a larger number of related pairs, it allows us to embed related differentials within the zero-difference property. Since both the input and the output differences in related differentials are related differences, this combination is intuitively straightforward. As a result, the adversary can attack more rounds of an SPN if related differentials exist for that SPN.

Generating more related pairs
Zero-difference cryptanalysis [RBH17, BR19a] works with a quartet $(\alpha, \beta, \rho_v(\alpha, \beta), \rho_v(\beta, \alpha))$, where $\alpha, \beta \in \mathbb{F}_q^n$. This quartet is very similar to the quartet defined by two related differences $\Delta x$ and $\Delta x'$ in Subsection 2.2. More precisely, this quartet can be defined by two related differences $\Delta x$ and $\Delta x'$ satisfying an additional condition, and it then has the same property as the quartet defined by related differences. The only difference between the two quartets is that the condition $\Delta x_i = 0$ was not considered in the zero-difference property for generating new pairs of states. The following theorem shows that quartets defined by related differences work in the zero-difference property as well.
Theorem 2. Let $\alpha \in \mathbb{F}_q^n$ and let $\Delta x, \Delta x' \in \mathbb{F}_q^n$ be two related differences. Then the zero-difference relation of Theorem 1 holds for the quartet $(\alpha, \alpha \oplus \Delta x, \alpha \oplus \Delta x', \alpha \oplus \Delta x \oplus \Delta x')$.
Proof. Since the S-box layer operates independently on individual words and the set of i-th coordinates of the quartet contains at most two elements for every i, the S-box layer maps the quartet to a quartet of the same form, so the two pairs of the quartet still share the same difference after the S-box layer, and hence after the linear layer. Since the S-box layer operates independently on individual words and each S-box is a permutation, the (non-)zero words of each input difference map to (non-)zero words of the corresponding output difference, which gives the claim.
We now show that taking the condition $\Delta x_i = 0$ into account makes it possible to generate a larger number of related pairs than the $2^{n-d-1}$ pairs of Definition 4. Consider the set of all related pairs constituted by all related differences $\Delta x$ and $\Delta x'$. Since we can choose the two related differences $\Delta x$ and $\Delta x'$, if we choose $\Delta x_i = 0$ for some i, then there is exactly one value in coordinate i of α and α ⊕ ∆x, namely $\alpha_i$, so we are free to choose a second value for that coordinate, namely $\alpha_i \oplus \Delta x'_i$. In this way, when d words of $\Delta x$ are zero, at most $(q^d - 1) \cdot 2^{n-d-1}$ pairs can be generated. Note that if $\Delta x_i \neq 0$ for some i, then the two values for coordinate i of α and α ⊕ ∆x have already been chosen. For typical 128-bit SPN-based block ciphers we have $q = 2^{32}$ and n = 4. As an example, by selecting d = 2, the total number of related pairs generated in this way is $2^{65}$, including the original pair.
To cover all cases of generating new pairs of states, the trivial case where both $\Delta x_i$ and $\Delta x'_i$ equal zero for some coordinate i is also considered; it means that the four states share a common value in this coordinate. So the property of this quartet is that the sets $\{\alpha_i, \alpha_i \oplus \Delta x_i, \alpha_i \oplus \Delta x'_i, \alpha_i \oplus \Delta x_i \oplus \Delta x'_i\}$ contain at most two different elements for every i.
The main advantage of redefining the zero-difference property with the concept of related differences is that it combines two techniques: related differentials and zero-difference cryptanalysis. In the next subsection, we discuss this in more detail.

Embedding related differentials within zero-difference cryptanalysis
Now we are ready to combine the zero-difference property with related differentials for SPNs. Consider a t-round SPN divided into two parts, $E = F' \circ F$, where F represents the first t − 2 rounds of the encryption operation and F' represents the final two rounds. Assume that there are related differentials $(\Delta x, \Delta y)$ and $(\Delta x', \Delta y')$ with probability pr over F. Since the differences $\Delta y$ and $\Delta y'$ are related differences, Theorem 2 applies to the quartet around $\beta = F(\alpha)$, $\alpha \in \mathbb{F}_q^n$. We then have a zero-difference property over the t-round SPN with probability pr. We add this as a simple theorem to summarize the combination of the zero-difference property with related differentials for SPNs.
Theorem 3. Let $E = F' \circ F$, where F and F' are a t-round and a two-round SPN, respectively. If $\Delta y = F(\Delta x)$ and $\Delta y' = F(\Delta x')$ are related differentials with probability pr, then the zero-difference relation over E holds with probability pr.
Proof. Since the differences $\Delta y$ and $\Delta y'$ are related differences with probability pr, Theorem 2 applies to the quartet around $\beta = F(\alpha)$, $\alpha \in \mathbb{F}_q^n$, and the claim follows.
The existence of related differentials for an SPN relies on the details of its linear layer. In the case of AES-like ciphers, the linear layer is composed of the MixColumns and ShiftRows transformations. As studied in [DR09], there exist some MixColumns-like transformations without related differentials. They show examples of matrices with Hadamard structure which allow no related differentials. For example, they showed that the 4 × 4 Hadamard matrix used as the linear transformation in the Anubis block cipher [BR00] has related differentials; however, if the four 6's are replaced by 9's, then there are no related differentials.
Thus, for matrices which have related differentials, the combination described here cannot be avoided. In the next section, we will show that there are related differentials for up to 4-round AES with certain probabilities. Using the generalization described here, they yield extensions of the zero-difference property up to 8 rounds.

Extensions of the zero-difference property for reduced-round AES
In this section, we investigate how to extend the result of Theorem 2 to 6- and 8-round AES.
For this, we look for related differentials over reduced-round AES. Let us first reformulate 4-round AES in terms of the four diagonals of the state x, namely $(x_0, x_5, x_{10}, x_{15})$, $(x_4, x_9, x_{14}, x_3)$, $(x_8, x_{13}, x_2, x_7)$ and $(x_{12}, x_1, x_6, x_{11})$ (ShiftRows moves diagonal i onto column i), where S can be seen as the concatenation of four independent superboxes operating over $\mathbb{F}_{2^8}^4$. Four-round AES can then be written in terms of S; this is the usual superbox representation of 4-round AES in the literature [DR09, Gil14, RBH17]. So relation (4) also holds for four-round AES, with $F = R^4$ and $\alpha, \Delta x, \Delta x' \in \mathbb{F}_{2^8}^{4 \times 4}$. We say that $\Delta x, \Delta x'$ are diagonal related differences if and only if, for every i, at least one of $\Delta x_i$, $\Delta x'_i$ and $\Delta x_i \oplus \Delta x'_i$ is zero, where $\Delta x_i$ and $\Delta x'_i$ denote diagonal i of the differences. In other words, for every i, diagonal i of $\alpha_i$, $\alpha_i \oplus \Delta x_i$, $\alpha_i \oplus \Delta x'_i$ and $\alpha_i \oplus \Delta x_i \oplus \Delta x'_i$ takes at most two values.
Our aim now is to find related differentials over reduced-round AES. The basic idea consists of choosing an input quartet $(\alpha, \alpha \oplus \Delta x, \alpha \oplus \Delta x', \alpha \oplus \Delta x \oplus \Delta x')$, where $\Delta x$ and $\Delta x'$ are diagonal related differences, such that the corresponding output quartet $(R^t(\alpha), R^t(\alpha \oplus \Delta x), R^t(\alpha \oplus \Delta x'), R^t(\alpha \oplus \Delta x \oplus \Delta x'))$, for t = 2, 4, can also be defined by only two related differences. Then relation (4) extends to 6-round and 8-round AES. To make the essential role of MC in our results explicit, we introduce the map G, which can also be seen as four parallel superboxes operating independently on four bytes of the state (not the four bytes of one column of the state); a graphical representation of G is depicted in Figure 2. This 4-round AES decomposition is slightly different from the decomposition of 4-round AES mentioned above. However, it clearly shows how the middle and last MC affect differences, which forms the basis for our results. We have noticed that a careful combination of the byte-related differential sets from Table 2 provides related differentials over 2-round and 4-round AES.
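As an added illustration (example code written for this page, not code from the paper), the following Python script checks Theorem 2 in the form it takes for 4-round AES under relation (4). It implements the AES round operations directly (the S-box is generated from the field inverse rather than tabulated), uses independent random round keys in place of the AES-128 key schedule, which is an assumption of the example and harmless here because the property does not depend on the key schedule, and builds quartets from two diagonal related differences in which $\Delta x'$ carries a fresh value on a diagonal where $\Delta x$ is zero, exactly the case that the exchange construction of Subsection 2.3 cannot produce. All function names are the example's own.

```python
# Added example, not from the paper: checking Theorem 2 on real AES rounds with diagonal
# related differences.  State: 16 bytes, byte (row r, column c) at index 4*c + r.  Round
# keys are independent random values (assumption: the property is key-schedule independent).
import random
from functools import partial, reduce

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox():
    """AES S-box from inversion in GF(2^8) followed by the affine map (no table)."""
    box = [0x63]  # S(0): zero has no inverse, only the affine constant remains
    for x in range(1, 256):
        inv = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        rot = [((inv << k) | (inv >> (8 - k))) & 0xFF for k in range(5)]
        box.append(reduce(lambda u, v: u ^ v, rot) ^ 0x63)
    return box

SBOX = _make_sbox()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):  # row r rotated left by r: new (r, c) <- old (r, c + r)
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def inv_shift_rows(s):
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]

def _mix(s, coef):  # circulant column mixing; matrix row r is coef rotated right by r
    return [reduce(lambda u, v: u ^ v, (gf_mul(s[4 * c + k], coef[(k - r) % 4]) for k in range(4)))
            for c in range(4) for r in range(4)]

mix_columns = partial(_mix, coef=(2, 3, 1, 1))
inv_mix_columns = partial(_mix, coef=(14, 11, 13, 9))

def aes_rounds(pt, keys):  # R^t: initial AK, then t = len(keys) - 1 full rounds, MC kept
    s = xor(pt, keys[0])
    for k in keys[1:]:
        s = xor(mix_columns(shift_rows(sub_bytes(s))), k)
    return s

def diagonal(i):  # byte indices of diagonal i; ShiftRows moves diagonal i onto column i
    return [4 * ((i + r) % 4) + r for r in range(4)]

def diagonal_related(dx, dx2):
    """Relation (4): for every diagonal i, one of dx_i, dx'_i, dx_i ^ dx'_i is zero."""
    return all(not all(any(d[j] for j in diagonal(i)) for d in (dx, dx2, xor(dx, dx2)))
               for i in range(4))

def mu(d):  # nu(P^-1(d)) with P = MC o SR: non-zero columns before the final linear layer
    d = inv_shift_rows(inv_mix_columns(d))
    return tuple(any(d[4 * c:4 * c + 4]) for c in range(4))

def check_quartet(alpha, dx, dx2, keys):
    """(A) super-box output differences (after AK, SB, SR, MC, AK, SB) of the two dx-pairs
    and of the two dx'-pairs are exactly equal, the step inside the proof of Theorem 2;
    (B) mu of the 4-round output differences is equal, Theorem 2 stated for R^4."""
    q = [alpha, xor(alpha, dx), xor(alpha, dx2), xor(alpha, xor(dx, dx2))]
    s = [sub_bytes(aes_rounds(p, keys[:2])) for p in q]  # column i depends on diagonal i
    c = [aes_rounds(p, keys) for p in q]
    a = xor(s[0], s[1]) == xor(s[2], s[3]) and xor(s[0], s[2]) == xor(s[1], s[3])
    b = mu(xor(c[0], c[1])) == mu(xor(c[2], c[3])) and mu(xor(c[0], c[2])) == mu(xor(c[1], c[3]))
    return a, b

def differences(rng, related=True):
    """Related: dx active on diagonals 0, 2, 3 and zero on 1; dx' equal to dx on diagonal 0,
    zero on 2 and 3, fresh on diagonal 1 (allowed because dx is zero there, the case the
    exchange construction of [RBH17] skips).  Control: both active everywhere, not related."""
    d0, d1 = diagonal(0), diagonal(1)
    dx = [0 if related and j in d1 else rng.randrange(1, 256) for j in range(16)]
    if not related:
        return dx, [rng.randrange(1, 256) for _ in range(16)]
    return dx, [dx[j] if j in d0 else rng.randrange(1, 256) if j in d1 else 0 for j in range(16)]

def run_trials(n_trials=20, seed=1, related=True):
    """Count trials (4 rounds, random round keys, constructed inputs) in which (A), (B) hold."""
    rng = random.Random(seed)
    hits = (0, 0)
    for _ in range(n_trials):
        keys = [[rng.randrange(256) for _ in range(16)] for _ in range(5)]
        alpha = [rng.randrange(256) for _ in range(16)]
        dx, dx2 = differences(rng, related)
        assert diagonal_related(dx, dx2) == related
        hits = tuple(h + ok for h, ok in zip(hits, check_quartet(alpha, dx, dx2, keys)))
    return hits

if __name__ == "__main__":
    print("related quartets, (A, B) hits out of 20:", run_trials())
    print("unrelated control, (A, B) hits out of 5:", run_trials(5, 2, related=False))
```

Quantity (A) in `check_quartet` is the exact equality of super-box output differences on which the proof of Theorem 2 rests; (B) is the statement of the theorem for four rounds, with µ obtained by inverting the final MixColumns and ShiftRows of $R^4$ and reading off the non-zero columns. Both hold in every trial for every choice of round keys, while the control run with two unrelated differences shows that (A) is not a triviality of the construction.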

2-round related differentials for AES
Consider an input quartet $(\alpha, \alpha \oplus \Delta x, \alpha \oplus \Delta x', \alpha \oplus \Delta x \oplus \Delta x')$ where $\Delta x$ and $\Delta x'$ are related differences, all diagonals of $\Delta x$ are non-zero and two non-consecutive diagonals of $\Delta x'$ are zero. It is obvious from this quartet that the two states $\alpha \oplus \Delta x'$ and $\alpha \oplus \Delta x \oplus \Delta x'$ are generated by exchanging diagonals 1 and 3 between α and $\alpha \oplus \Delta x$. Now assume that the output differences of G take the forms (8) and (9), where $\lambda_i \in \mathbb{F}_{2^8}$. Since G acts independently on 32-bit chunks of the state, the differences are constrained accordingly: since two diagonals in each of the input differences $\Delta x'$ and $\Delta x \oplus \Delta x'$ are zero, the two corresponding diagonals in the output differences are zero as well (notice that G contains two SR operations). Therefore, MC maps the three differences given in (8) and (9) to the set of differences (10), which are diagonal related differences. We now need to estimate the probability that, given an input quartet $(\alpha, \alpha \oplus \Delta x, \alpha \oplus \Delta x', \alpha \oplus \Delta x \oplus \Delta x')$, conditions (8) and (9) hold. Note that the input and output differences of G are related differences. This implies that for every i the sets of i-th coordinates contain only two different elements. In other words, the output (input) difference of each superbox in G takes exactly one specific value for this quartet. If we assume that the output differences of each superbox in G are uniformly distributed, then, for each specific value of $(\lambda_0, \lambda_1, \lambda_2, \lambda_3)$, conditions (8) and (9) hold with probability $(2^{32} - 1)^{-4} \approx 2^{-128}$. Thus, considering all possible non-zero values of each $\lambda_i$, conditions (8) and (9) hold with probability $(2^8 - 1)^4 \cdot 2^{-128} \approx 2^{-96}$. This 2-round related-differential trail is depicted in Figure 3. We have also noticed that an identical rotation of all columns of the difference $G(\alpha) \oplus G(\alpha \oplus \Delta x)$ yields a new related-differential trail. There are three different cases for such rotations, so there are four possible difference values for $G(\alpha) \oplus G(\alpha \oplus \Delta x)$. Such an event then happens with probability approximately $4 \cdot 2^{-96} = 2^{-94}$. For a random permutation, such an event happens with negligible probability. We may summarize the result as follows.
Theorem 4. Let $\alpha \in \mathbb{F}_{2^8}^{4 \times 4}$ and let $\Delta x, \Delta x' \in \mathbb{F}_{2^8}^{4 \times 4}$ be two related differences, where all diagonals in $\Delta x$ are non-zero and two non-consecutive diagonals in $\Delta x'$ are zero. Then the zero-difference relations over 6-round AES (in particular $\mu(R^6(\alpha) \oplus R^6(\alpha \oplus \Delta x')) = \mu(R^6(\alpha \oplus \Delta x) \oplus R^6(\alpha \oplus \Delta x \oplus \Delta x'))$, as used in Appendix B) hold with probability approximately $2^{-94}$, averaged over all possible keys.
More importantly, these 2-round related differentials can be extended to 4-round related differentials.

4-round related differentials for AES
Suppose now that the differences (10) map through G to the differences with coefficients $\gamma_i \in \mathbb{F}_{2^8}$, respectively. Then MC maps these three differences to a new set of differences (13), which are again diagonal related differences. Using considerations similar to those used to estimate the probability of the set of related differences (8) and (9) in Subsection 4.1, we expect the set of differences (13) to hold with probability $(2^8 - 1)^4 \cdot (2^{32} - 1)^{-4} \approx 2^{-96}$, since there are $(2^8 - 1)^4$ non-zero values for $(\gamma_0, \gamma_1, \gamma_2, \gamma_3)$ and the specific output difference of each superbox happens with probability $(2^{32} - 1)^{-1}$. Thus, the probability of the 4-round related-differential trail is approximately $2^{-96} \cdot 2^{-96} = 2^{-192}$. Another set of related differences, obtained by exchanging the positions of $5\gamma_i$ and $4\gamma_i$, and of $7\gamma_i$ and $\gamma_i$, in the set (13), works here as well. And there are four sets of related differences for (8) and (9). Therefore, in total, there are eight 4-round related-differential trails, so the probability of this event is approximately $4 \cdot 2 \cdot 2^{-192} = 2^{-189}$. For a random permutation, such an event happens with negligible probability. It then provides relations for 0 < t ≤ 6, since all differences are diagonal related differences every two rounds. There is another 4-round related-differential trail, provided in Appendix A. We may summarize the results as follows.
Theorem 5. Let $\alpha \in \mathbb{F}_{2^8}^{4 \times 4}$ and let $\Delta x, \Delta x' \in \mathbb{F}_{2^8}^{4 \times 4}$ be two related differences, where all diagonals in $\Delta x$ are non-zero and two non-consecutive diagonals in $\Delta x'$ are zero. Then the zero-difference relations for 0 < t ≤ 6, together with the relations (15), hold with probability approximately $2^{-189}$, averaged over all possible keys.
Figure 4: 4-round related-differential trails starting with ∆x, ∆x' and ∆x ⊕ ∆x' respectively. Differences ∆x, ∆x' and ∆x ⊕ ∆x' are not shown here for lack of space.
Proof. Assume that the input quartet $(\alpha, \alpha \oplus \Delta x, \alpha \oplus \Delta x', \alpha \oplus \Delta x \oplus \Delta x')$ conforms to the 4-round differential depicted in Figure 4, which happens with probability $2^{-189}$. Since the input differences and the state differences at the end of rounds 2 and 4 are diagonal related differences, Theorem 2 gives the zero-difference relations for 0 < t ≤ 6. Also, since those state differences are related differences, Theorem 2 gives the relations (15). Note that the probability that a random input quartet follows the set of relations (15) is negligible, since a random quartet satisfies each relation with probability $2^{-128}$. However, Theorem 5 by itself cannot be considered a distinguisher, since the adversary cannot check those relations without knowledge of the round keys. In the next section, we show that the results of Theorem 5 can be exploited to mount a key-recovery attack on 7-round AES.

New key-recovery attack on 7-round AES-128
In this section, we present a 7-round key-recovery attack on AES-128, which follows from a straightforward extension of Equation (15). Let an input quartet $(P_0, P_0 \oplus \Delta x, P_0 \oplus \Delta x', P_0 \oplus \Delta x \oplus \Delta x')$ be generated by two related differences $\Delta x$ and $\Delta x'$, where $P_0$ is a random plaintext, all diagonals in $\Delta x$ are non-zero and two non-consecutive diagonals in $\Delta x'$ are zero. Let $(C_0, C_1, C_2, C_3)$ be the corresponding ciphertexts after 7-round AES. Assume now that this input quartet conforms to the differential characteristics depicted in Figure 5, which embed the previous 4-round related-differential characteristic in the first four rounds. This happens with probability $2^{-189}$ by Theorem 5. Thus, we have Condition (17). Assume that the additional Condition (18) holds, namely $\mathrm{wt}(\mu(R^7(P_0) \oplus R^7(P_0 \oplus \Delta x'))) = 2$. In other words, the difference before the last linear layer is zero in exactly two columns, and the same holds for the other pair of the quartet in exactly the same columns. The goal of this attack is to find candidates for this quartet by first filtering output quartets using Condition (18). Then, for each candidate, Condition (17) is partially checked to recover some bytes of the last-round key. Finally, by guessing the remaining bytes of the last-round key, we can check whether the quartet conforms to the 7-round differential characteristics.
We first need to estimate the probability that Condition (18) holds. Denote $\Omega_t = R^t(P_0) \oplus R^t(P_0 \oplus \Delta x')$. Condition (18) requires two columns of $\Omega_6$ to be zero, which in turn requires two diagonals of $\Omega_5$ to be zero (round 6 moves diagonals onto columns before MC, and MC preserves zero columns). On the other hand, observe that two diagonals in the difference $\Omega_4$ are zero, see (14), so two columns of $\Omega_5$ are already zero, and only the four bytes of the two required diagonals that lie in the two non-zero columns of $\Omega_5$ must additionally vanish. Thus, the pair $(P_0, P_0 \oplus \Delta x')$ satisfies Condition (18) when these four bytes of $\Omega_5$ are zero. The pair $(P_0 \oplus \Delta x, P_0 \oplus \Delta x \oplus \Delta x')$ then satisfies Condition (18) with probability one, since $R^6(P_0) \oplus R^6(P_0 \oplus \Delta x') = R^6(P_0 \oplus \Delta x) \oplus R^6(P_0 \oplus \Delta x \oplus \Delta x')$.

Data collection
The input quartet $(P_0, P_0 \oplus \Delta x, P_0 \oplus \Delta x', P_0 \oplus \Delta x \oplus \Delta x')$ can be seen as two pairs of plaintexts, where the plaintext pair $(P_0 \oplus \Delta x', P_0 \oplus \Delta x \oplus \Delta x')$ is generated by exchanging two diagonals between the plaintexts in $(P_0, P_0 \oplus \Delta x)$. We now generate $2^{218.4}$ such unique quartets as follows.
To generate input quartets $(P_0, P_0 \oplus \Delta x, P_0 \oplus \Delta x', P_0 \oplus \Delta x \oplus \Delta x')$, where $P_0$ is a random plaintext, all diagonals in $\Delta x$ are non-zero and two non-consecutive diagonals in $\Delta x'$ are zero, we pick two random subsets $A_0$ and $A_1$ of $\mathbb{F}_{2^8}^8$, each of size m. Then we generate all $m^2$ possible plaintexts from these two sets, where the first and third diagonals take the possible elements of the set $A_0$ and the second and last diagonals take the possible elements of the set $A_1$. Note that from each set we can generate $\binom{m}{2}$ unique pairs. The number of unique quartets generated from this set then follows (see [..., Theorem 2] for more details; assume there are only two sets). If we set $m = 2^{55.1}$, then we can prepare $2^{109.2} \cdot 2^{109.2} = 2^{218.4}$ such quartets. The expected number of quartets conforming to the 7-round characteristic of Figure 5 equals one.
Figure 5: 7-round differential trails starting with ∆x, ∆x' and ∆x ⊕ ∆x' respectively. A white cell indicates that the state difference is zero in that byte. Both the darker and the lighter line-pattern cells indicate that the state difference is non-zero in the cell, while the darker one also indicates that the value of the difference in the cell equals the value of one of the other two differences in the same cell.
We can find them using hash tables as follows. We know that both pairs $(P_0, P_0 \oplus \Delta x')$ and $(P_0 \oplus \Delta x, P_0 \oplus \Delta x \oplus \Delta x')$, which should satisfy Condition (18), differ by $\Delta x'$. We also know that the set of plaintexts A is formed by spanning the first and third diagonals with the elements of $A_0$ and the remaining diagonals with the elements of $A_1$. In order to find two pairs that satisfy Condition (18), we first search for plaintext pairs which differ by $\Delta x'$ such that their corresponding ciphertext pairs differ in two columns before the last linear layer. Since we can generate $2^{109.2}$ pairs from $A_0$ and there are $2^{55.1}$ elements in $A_1$, the expected number of remaining pairs equals $2^{55.1} \cdot 2^{109.2 - 64} = 2^{100.3}$. We store them in the list $N_1$. Using a hash table, this requires $2^{110.2}$ look-ups in the ciphertext table.
We now want to generate pairs of pairs (quartets) from the $2^{100.3}$ pairs in $N_1$ such that they satisfy Condition (18). Notice that $N_1$ contains pairs which differ by $\Delta x'$, so not all of the $2^{199.6}$ possible pairs of pairs are our desired input quartets. In other words, we are interested in pairs of pairs which constitute a quartet made by $\Delta x'$ and $\Delta x$. Also notice that the plaintexts $P_0 \oplus \Delta x'$ and $P_0 \oplus \Delta x \oplus \Delta x'$ are generated by exchanging two diagonals between $P_0$ and $P_0 \oplus \Delta x$. Thus, in order to filter out undesired input quartets, we insert the $2^{100.3}$ remaining pairs into a hash table indexed by $\Delta x'$, i.e. by the $2^{109.2}$ possible pairs from $A_0$. In this way we find quartets which satisfy Conditions (18) and (19) simultaneously. The expected number of input quartets equals $2^{199.6 - 109.2} = 2^{90.4}$. By repeating this for all possible cases where two columns in the difference $R^7(P_0) \oplus R^7(P_0 \oplus \Delta x')$ are zero, where $\Delta x$ and $\Delta x'$ are related differences. This quartet conforms to the differential characteristics depicted in Figure 6 with probability $2^{-189}$.

B 6-round distinguisher for AES
Theorem 4 in Section 4 can be used directly to set up a straightforward 6-round chosen-plaintext distinguisher for AES. Consider an input quartet $(P_0, P_0 \oplus \Delta x, P_0 \oplus \Delta x', P_0 \oplus \Delta x \oplus \Delta x')$ generated by two related differences $\Delta x$ and $\Delta x'$, where $P_0$ is a random plaintext, all diagonals in $\Delta x$ are non-zero and two non-consecutive diagonals in $\Delta x'$ are zero, and let this input quartet map to $(C_0, C_1, C_2, C_3)$ after 6-round AES encryption. By Theorem 4, with probability $2^{-94}$ we have $\mu(R^6(P_0) \oplus R^6(P_0 \oplus \Delta x')) = \mu(R^6(P_0 \oplus \Delta x) \oplus R^6(P_0 \oplus \Delta x \oplus \Delta x'))$. Similar to the data collection in Subsection 5.1, we set $m = 2^{47.5}$ and prepare $2^{188}$ different input quartets. For AES, the expected number of quartets that satisfy Conditions (21) and (22) equals one, while for a random permutation the expected number of such quartets equals $2^{188 - 190} = 2^{-2}$. Thus, the data complexity of the 6-round distinguisher is $m^2 = 2^{95}$ chosen plaintexts.

Figure 1: A schematic of the related differences and the associated quartet. The square collapses to a line or a point depending on $\Delta x_i$ and $\Delta x'_i$.

Figure 2: A graphical representation of G with input x and output y. The input and output of each superbox are indicated with the same colour.

Figure 6: 4-round related-differential trails starting with ∆x, ∆x' and ∆x ⊕ ∆x' respectively. Differences ∆x, ∆x' and ∆x ⊕ ∆x' are not shown here for lack of space.

Table 1: Current best cryptanalysis of 7-round AES-128 in the secret-key model.

Table 2: The sets of byte-related differentials over AES MixColumns.