Cryptanalysis of AES-PRF and Its Dual

Authors

  • Patrick Derbez, Université de Rennes, The French National Centre for Scientific Research (CNRS), Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), Rennes, France
  • Tetsu Iwata, Nagoya University, Nagoya, Japan
  • Ling Sun, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, China; School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
  • Siwei Sun, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China; Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  • Yosuke Todo, NTT Secure Platform Laboratories, Tokyo, Japan
  • Haoyang Wang, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
  • Meiqin Wang, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Shandong, China

DOI:

https://doi.org/10.13154/tosc.v2018.i2.161-191

Keywords:

AES-PRF, Dual-AES-PRF, Impossible differential, Zero-correlation linear, Meet-in-the-middle

Abstract

A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5th round as the feed-forward to the output state. This paper presents an extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the s-th round is used as the feed-forward. We also analyze the security of "dual" constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the s-th round. We apply an impossible differential attack, a zero-correlation linear attack, a traditional differential attack, a zero-correlation linear distinguishing attack and a meet-in-the-middle attack to these PRFs and their reduced-round versions. We show that AES-PRF is broken whenever s ≤ 2 or s ≥ 6, or when it is reduced to 7 rounds, and that Dual-AES-PRF is broken whenever s ≤ 4 or s ≥ 8. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight into its security.

Published

2018-06-07

Section

Articles

How to Cite

Cryptanalysis of AES-PRF and Its Dual. (2018). IACR Transactions on Symmetric Cryptology, 2018(2), 161-191. https://doi.org/10.13154/tosc.v2018.i2.161-191