Coefficient Properties Of The MixColumns Matrix And Its Influence On The Security Of AES

Advanced Encryption Standard(AES)is currently the most widely used block cipher algorithm and an important part of high security guarantees in commu-nications.AES adopts a fixed-length 128-bit block size,uses SPN structure and itcratively performs round function operations.The AES round function has four components,respectively are SubBytes(SB),ShiftRows(SR),MixColumns(MC)and AddRoundKey(AK).The MixColumns operation can realize the diffusion in block cipher.At the same time,the number of matrix branches used in the MlixColumns is 5,it ensures that any continuous four rounds of AES have at least 25 active S-Boxes,which makes the AES secure effectively against the dif-ferential and linear cryptanalysis.However,the choices of the coefficients of the MixColumns matrix may undermine the AES security aga.inst some novel-type attacks.A particular property of the AES MixColumns matrix coefficient,has been noticed in recent papers that each row or column of the matrix has ele-ments that sum to zero.Several attacks have been developed taking advantage of the coefficient,property.Among them,Sun et al.established the first integral distinguisher for the 5-round AES at Crypto 2016.Grassi further studied the coefficient properties of the MixColumns matrix at FSE 2017 and CT-RSA 2018,and respectively proposed the first 5-round impossible differential distinguisher and 5-round key recovery attack with a secret S-box.Regarding the attack with a secret S-Box,there is no need to know the specific information of the S-Box dur-ing the key recovery process,and the object of the attack scheme can be regarded as a variant,AES.The first attack on AES with a secret S-Box was proposed by Tiessen et al.at FSE 2015.The author first recovered the equivalent affine of the S-Box and then recovered the secret key informat,ion.However during the attack using the matrix coefficient property,we can directly recover the key information without recover any information about S-Box.In this thesis,we focus on the effect of matrix coefficient property on the secu-rity of AES with a secret S-Box.We first summarize the two coefficient properties of MixColumns matrix.Then based on these two properties,respectively pro-posed a 5-round key recovery attack.Inspired by the exchange attack proposed in Asiacrypt 2019,we exploit the basic idea of exchange attack,and based on the property that the sum of some coefficients of the MixColumns matrix is zero,by reasonably choosing plaintext and guessing the key,we can distinguish the correct key from the wrong key.Both attack schemes can recover 12 key byte difference.For the first property,we need 242.6 chosen plaintexts.Compared with the previous attack based on MixColumns matrix coefficient property.the present attacks here are the best in terms of the complexity under the chosen-plaintext scenario.For the second property,we need 246 chosen plaintexts.Our attack has been verified on the small scale AES.