Revisiting Yoyo Tricks on AES


  • Sandip Kumar Mondal Department of Pure Mathematics, University of Calcutta, Kolkata, India
  • Mostafizar Rahman University of Hyogo, Kobe, Japan
  • Santanu Sarkar Department of Mathematics, Indian Institute of Technology Madras, Chennai, India
  • Avishek Adhikari Department of Mathematics, Presidency University, Kolkata, India



AES, Distinguisher, Yoyo


At Asiacrypt 2017, Rønjom et al. presented key-independent distinguishers for different numbers of rounds of AES, ranging from 3 to 6 rounds, in their work titled “Yoyo Tricks with AES”. The reported data complexities for these distinguishers were 3, 4, 225.8, and 2122.83, respectively. In this work, we revisit those key-independent distinguishers and analyze their success probabilities.
We show that the distinguishing algorithms provided for 5 and 6 rounds of AES in the paper of Rønjom et al. are ineffective with the proposed data complexities. Our thorough theoretical analysis has revealed that the success probability of these distinguishers for both 5-round and 6-round AES is approximately 0.5, with the corresponding data complexities mentioned earlier.
We investigate the reasons behind this seemingly random behavior of those reported distinguishers. Based on our theoretical findings, we have revised the distinguishing algorithm for 5-round AES. Our revised algorithm demonstrates success probabilities of approximately 0.55 and 0.81 for 5-round AES, with data complexities of 229.95 and 230.65, respectively. We have also conducted experimental tests to validate our theoretical findings, which further support our findings.
Additionally, we have theoretically demonstrated that improving the success probability of the distinguisher for 6-round AES from 0.50000 to 0.50004 would require a data complexity of 2129.15. This finding invalidates the reported distinguisher by Rønjom et al. for 6-round AES.




How to Cite

Mondal, S. K., Rahman, M., Sarkar, S., & Adhikari, A. (2023). Revisiting Yoyo Tricks on AES. IACR Transactions on Symmetric Cryptology, 2023(4), 28–57.