UCL Discovery

Abstract

A related-key differential cryptanalysis is applied to the 192-bit key variant of AES. Although any 4-round differential trail has at least 25 active bytes, one can construct 5-round related-key differential trail that has only 15 active bytes and break six rounds with 2(106) plaintext/ciphertext pairs and complexity 2(112). The attack can be improved using truncated differentials. In this case, the number of required plaintext/ciphertext pairs is 2(81) and the complexity is about 2(86). Using impossible related-key differentials we can break seven rounds with 2111 plaintext/ciphertext pairs and computational complexity 2(116).The attack on eight rounds requires 2(88) plaintext/ciphertext pairs and its complexity is about 2(183) encryptions. In the case of differential cryptanalysis, if the iterated cipher is Markov cipher and the round keys are independent, then the sequence of differences at each round output forms a Markov chain and the cipher becomes resistant to differential cryptanalysis after sufficiently many rounds, but this is not true in the case of related-key differentials. It can be shown that if in addition the Markov cipher has K - f round function and the hypothesis of stochastic equivalence for related keys holds, then the iterated cipher is resistant to related-key differential attacks after sufficiently many rounds.