Key-Recovery Attack on 5-Round AES with Multiple-of-8 Property

Hanbeom Shin; Sunyeop Kim; Byoungjin Seok; Dongjae Lee; Deukjo Hong; Jaechul Sung; Seokhie Hong

doi:10.1587/transfun.2025EAP1069

Key-Recovery Attack on 5-Round AES with Multiple-of-8 Property

Hanbeom Shin
, Sunyeop Kim
, Byoungjin Seok
, Dongjae Lee^*
, Deukjo Hong
, Jaechul Sung
, Seokhie Hong

^*Corresponding author for this work

Department of Computer Science & Artificial Intelligence

Korea University
Hansung University
Kangwon National University
University of Seoul

Research output: Contribution to journal › Journal article › peer-review

Abstract

SUMMARY At EUROCRYPT 2017, Grassi et al. proposed the multiple-of-8 property for 5-round AES, which states that the number of pairs in a certain input-output subspace, referred to as right pairs, is always a multiple of 8. However, no key-recovery attack has been proposed that utilizes this property until now. In this paper, we identify a new aspect of the multiple-of-8 property: when the number of right pairs is exactly eight, these eight pairs all have the same difference from after the 1st round SubBytes to before the 4th round SubBytes. Based on this observation, we propose a new key-recovery attack on 5-round AES. Our attack requires data and time complexities of 2^32.6 chosen plaintexts and 5-round AES encryptions, and a memory complexity of 2³¹ 128-bit blocks to recover a 32-bit subkey with a success probability of 50.5%. Although it is not the best attack on 5-round AES, it is notable as the first key-recovery attack that utilizes the multiple-of-8 property. We validate our observation through experiments and demonstrate its applicability to other ciphers with SPN structures, beyond AES.

Original language	English
Pages (from-to)	712-724
Number of pages	13
Journal	IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
Volume	E109.A
Issue number	3
DOIs	https://doi.org/10.1587/transfun.2025EAP1069
State	Published - 2026.03

Keywords

AES
key-recovery attack
mixture-differential cryptanalysis
multiple-of-8 property

Access to Document

10.1587/transfun.2025EAP1069

Cite this

@article{12ffd8de408542b3ae65ff0dcef2bc27,

title = "Key-Recovery Attack on 5-Round AES with Multiple-of-8 Property",

abstract = "SUMMARY At EUROCRYPT 2017, Grassi et al. proposed the multiple-of-8 property for 5-round AES, which states that the number of pairs in a certain input-output subspace, referred to as right pairs, is always a multiple of 8. However, no key-recovery attack has been proposed that utilizes this property until now. In this paper, we identify a new aspect of the multiple-of-8 property: when the number of right pairs is exactly eight, these eight pairs all have the same difference from after the 1st round SubBytes to before the 4th round SubBytes. Based on this observation, we propose a new key-recovery attack on 5-round AES. Our attack requires data and time complexities of 232.6 chosen plaintexts and 5-round AES encryptions, and a memory complexity of 231 128-bit blocks to recover a 32-bit subkey with a success probability of 50.5\%. Although it is not the best attack on 5-round AES, it is notable as the first key-recovery attack that utilizes the multiple-of-8 property. We validate our observation through experiments and demonstrate its applicability to other ciphers with SPN structures, beyond AES.",

keywords = "AES, key-recovery attack, mixture-differential cryptanalysis, multiple-of-8 property",

author = "Hanbeom Shin and Sunyeop Kim and Byoungjin Seok and Dongjae Lee and Deukjo Hong and Jaechul Sung and Seokhie Hong",

note = "Publisher Copyright: Copyright {\textcopyright} 2026 The Institute of Electronics.",

year = "2026",

month = mar,

doi = "10.1587/transfun.2025EAP1069",

language = "English",

volume = "E109.A",

pages = "712--724",

journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",

issn = "0916-8508",

number = "3",

}

TY - JOUR

T1 - Key-Recovery Attack on 5-Round AES with Multiple-of-8 Property

AU - Shin, Hanbeom

AU - Kim, Sunyeop

AU - Seok, Byoungjin

AU - Lee, Dongjae

AU - Hong, Deukjo

AU - Sung, Jaechul

AU - Hong, Seokhie

PY - 2026/3

Y1 - 2026/3

N2 - SUMMARY At EUROCRYPT 2017, Grassi et al. proposed the multiple-of-8 property for 5-round AES, which states that the number of pairs in a certain input-output subspace, referred to as right pairs, is always a multiple of 8. However, no key-recovery attack has been proposed that utilizes this property until now. In this paper, we identify a new aspect of the multiple-of-8 property: when the number of right pairs is exactly eight, these eight pairs all have the same difference from after the 1st round SubBytes to before the 4th round SubBytes. Based on this observation, we propose a new key-recovery attack on 5-round AES. Our attack requires data and time complexities of 232.6 chosen plaintexts and 5-round AES encryptions, and a memory complexity of 231 128-bit blocks to recover a 32-bit subkey with a success probability of 50.5%. Although it is not the best attack on 5-round AES, it is notable as the first key-recovery attack that utilizes the multiple-of-8 property. We validate our observation through experiments and demonstrate its applicability to other ciphers with SPN structures, beyond AES.

AB - SUMMARY At EUROCRYPT 2017, Grassi et al. proposed the multiple-of-8 property for 5-round AES, which states that the number of pairs in a certain input-output subspace, referred to as right pairs, is always a multiple of 8. However, no key-recovery attack has been proposed that utilizes this property until now. In this paper, we identify a new aspect of the multiple-of-8 property: when the number of right pairs is exactly eight, these eight pairs all have the same difference from after the 1st round SubBytes to before the 4th round SubBytes. Based on this observation, we propose a new key-recovery attack on 5-round AES. Our attack requires data and time complexities of 232.6 chosen plaintexts and 5-round AES encryptions, and a memory complexity of 231 128-bit blocks to recover a 32-bit subkey with a success probability of 50.5%. Although it is not the best attack on 5-round AES, it is notable as the first key-recovery attack that utilizes the multiple-of-8 property. We validate our observation through experiments and demonstrate its applicability to other ciphers with SPN structures, beyond AES.

KW - AES

KW - key-recovery attack

KW - mixture-differential cryptanalysis

KW - multiple-of-8 property

UR - https://www.scopus.com/pages/publications/105033078072

U2 - 10.1587/transfun.2025EAP1069

DO - 10.1587/transfun.2025EAP1069

M3 - Journal article

AN - SCOPUS:105033078072

SN - 0916-8508

VL - E109.A

SP - 712

EP - 724

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

IS - 3

ER -

Key-Recovery Attack on 5-Round AES with Multiple-of-8 Property

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this