TY  - JOUR
AU  - Derbez, Patrick
AU  - Iwata, Tetsu
AU  - Sun, Ling
AU  - Sun, Siwei
AU  - Todo, Yosuke
AU  - Wang, Haoyang
AU  - Wang, Meiqin
PY  - 2018/06/07
Y2  - 2024/03/29
TI  - Cryptanalysis of AES-PRF and Its Dual
JF  - IACR Transactions on Symmetric Cryptology
JA  - ToSC
VL  - 2018
IS  - 2
SE  - Articles
DO  - 10.13154/tosc.v2018.i2.161-191
UR  - https://tosc.iacr.org/index.php/ToSC/article/view/892
SP  - 161-191
AB  - A dedicated pseudorandom function (PRF) called AES-PRF was proposed by Mennink and Neves at FSE 2018 (ToSC 2017, Issue 3). AES-PRF is obtained from AES by using the output of the 5-th round as the feed-forward to the output state. This paper presents extensive security analysis of AES-PRF and its variants. Specifically, we consider unbalanced variants where the output of the s-th round is used as the feed-forward. We also analyze the security of “dual” constructions of the unbalanced variants, where the input state is used as the feed-forward to the output of the s-th round. We apply an impossible differential attack, zero-correlation linear attack, traditional differential attack, zero correlation linear distinguishing attack and a meet-in-the-middle attack on these PRFs and reduced round versions. We show that AES-PRF is broken whenever s ≤ 2 or s ≥ 6, or reduced to 7 rounds, and Dual-AES-PRF is broken whenever s ≤ 4 or s ≥ 8. Our results on AES-PRF improve the initial security evaluation by the designers in various ways, and our results on Dual-AES-PRF give the first insight to its security.
ER  - 