mschof/aes-mixint-analysis

Mixture Integral Analysis

Low-data mixture integral distinguishers and attacks on reduced-round AES.

code/AES_3round_ImpossibleMixtureIntegralDistinguisher.c

This program contains the distinguisher on 3-round AES. The modeOfOperation define at the top of the source code specifies whether AES (modeOfOperation = 0) or a random permutation (modeOfOperation = 1, in our case 21-round AES) is used. The program can be compiled with gcc AES_3round_ImpossibleMixtureIntegralDistinguisher.c -o dist.

As input, it generates 10 chosen plaintexts and the corresponding ciphertexts, produced by 3-round AES (with a random secret key) and/or a random permutation. With a probability of 95%, the distinguisher can determine whether such ciphertexts have been generated by AES or by a random permutation (that is, in the remaining 5% of the cases it is not able to distinguish between the two permutations).

code/aes_key_recovery.cpp

This source file contains the key-recovery attacks on both 3-round and 4-round AES. It can be compiled with g++ -std=c++11 -O2 -o aes_key_recovery aes_key_recovery.cpp -lcrypto -maes. The attack on 3-round AES is executed in full, while for the 4-round attack only the 4-byte candidates are printed.

code/secret_sbox_attack.sage

Finally, this file contains the attack on 3-round AES with a single secret S-box. The key relations are printed in the final step of the attack.

Detailed Explanations

For a complete description of the distinguishers and of the attacks, we refer to the paper.
