Based on « General Practical Cryptanalysis of the Sum of Round-Reduced Block Ciphers and ZIP-AES »: Antonio Flórez-Gutiérrez, Lorenzo Grassi, Gregor Leander, Ferdinand Sibleyras and Yosuke Todo, presented at ASIACRYPT 2024.
In recent years, there has been increased interest in the design of pseudorandom functions (PRFs), as they provide better security than block ciphers when used in some modes of operation. In this talk, I will present a low-latency PRF called ZIP-AES and its associated ZIP construction. ZIP-AES consists of two branches applied to the same input, one being 5-round AES and the other inverse 5-round AES, whose outputs are XORed to obtain the output. The main feature of ZIP-AES is that, because it uses the AES round function and has a very short critical path (the two branches are independent, so only five rounds lie on the path from input to output), excellent software performance with exceptionally low latency can be achieved by using the AES-specific instructions available in most modern microprocessors. Furthermore, it is designed so that its resistance to many families of cryptanalysis can be deduced from existing cryptanalysis of AES. For differential and linear cryptanalysis, it is possible to prove that any trail of ZIP-AES has an equivalent counterpart for full 10-round AES. For other families, we can recycle known attacks on reduced-round AES to quickly assess its resistance, as is shown with integral cryptanalysis. The construction is also quite resistant to several kinds of key-recovery attacks. This intermediate approach between security reductions of modes and dedicated cryptanalysis, which we call general practical cryptanalysis, can provide an effective and efficient way of assessing the security of new constructions, as well as guiding the design of cryptanalysis-friendly primitives in the future.
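The following is an added illustration of the ZIP construction as the abstract describes it (forward and inverse round-reduced AES on the same input, XORed); it is example code written for this page, not the paper's or the authors' reference implementation. It assumes full AES rounds (MixColumns included in all five rounds of each branch), and, since the page does not describe ZIP-AES's key schedule, it simply takes the first six round keys of the standard AES-128 key schedule of two independent keys for the two branches. The full AES-128 encryption is included only to validate the round functions against the FIPS-197 test vector. The function zip_aes_as_ten_rounds shows the substitution behind the "10-round counterpart" remark: writing y for the inverse branch's output, ZIP-AES(x) equals E1(E2(y)) XOR y, i.e. ten consecutive AES rounds applied to y.

```python
# Added example (not the paper's code): ZIP construction over AES rounds.
# Assumptions: MixColumns in every round of both branches; round keys taken
# from the AES-128 key schedule of two independent keys (whitening + 5 rounds).
import functools
import operator

def _gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

# AES S-box built from its definition: inverse in GF(2^8), then the affine map.
SBOX = []
for _x in range(256):
    _inv = 0 if _x == 0 else next(_y for _y in range(1, 256) if _gf_mul(_x, _y) == 1)
    SBOX.append(_inv ^ _rotl8(_inv, 1) ^ _rotl8(_inv, 2) ^ _rotl8(_inv, 3) ^ _rotl8(_inv, 4) ^ 0x63)
INV_SBOX = [SBOX.index(_i) for _i in range(256)]

MIX, INV_MIX = (2, 3, 1, 1), (14, 11, 13, 9)   # circulant rows of MixColumns and its inverse

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

# The state is 16 bytes in column-major order: index 4*col + row.
def _shift_rows(s, inv=False):
    sign = -1 if inv else 1
    return [s[4 * ((c + sign * r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s, m):
    return [functools.reduce(operator.xor, (_gf_mul(m[(j - r) % 4], s[4 * c + j]) for j in range(4)))
            for c in range(4) for r in range(4)]

def expand_key(key):
    """AES-128 key schedule: returns 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(.))
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append(_xor(w[i - 4], t))
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_round(s, rk, mix=True):
    s = _shift_rows([SBOX[b] for b in s])
    if mix:
        s = _mix_columns(s, MIX)
    return _xor(s, rk)

def inv_aes_round(s, rk, mix=True):
    s = _xor(s, rk)
    if mix:
        s = _mix_columns(s, INV_MIX)
    return [INV_SBOX[b] for b in _shift_rows(s, inv=True)]

def aes128_encrypt(block, key):
    """Full AES-128 (no MixColumns in round 10); only used to validate the round functions."""
    rks = expand_key(key)
    s = _xor(block, rks[0])
    for rk in rks[1:10]:
        s = aes_round(s, rk)
    return aes_round(s, rks[10], mix=False)

def aes_rounds(x, rks):
    """Whitening key rks[0] followed by len(rks)-1 full AES rounds."""
    s = _xor(x, rks[0])
    for rk in rks[1:]:
        s = aes_round(s, rk)
    return s

def inv_aes_rounds(y, rks):
    """Exact inverse of aes_rounds with the same round keys."""
    s = y
    for rk in reversed(rks[1:]):
        s = inv_aes_round(s, rk)
    return _xor(s, rks[0])

def zip_aes(x, key1, key2):
    """ZIP construction: 5 forward AES rounds XOR 5 inverse AES rounds on the same input.
    The two branches carry no data dependency on each other, so the critical path is 5 rounds."""
    rk1, rk2 = expand_key(key1)[:6], expand_key(key2)[:6]   # assumption: first 6 round keys
    return _xor(aes_rounds(x, rk1), inv_aes_rounds(x, rk2))

def zip_aes_as_ten_rounds(x, key1, key2):
    """Same value via y = inverse-branch(x): ZIP(x) = E1(E2(y)) xor y, ten rounds applied to y."""
    rk1, rk2 = expand_key(key1)[:6], expand_key(key2)[:6]
    y = inv_aes_rounds(x, rk2)
    return _xor(aes_rounds(aes_rounds(y, rk2), rk1), y)

if __name__ == "__main__":
    key = bytes(range(16))
    assert aes128_encrypt(list(bytes.fromhex("00112233445566778899aabbccddeeff")), key) == \
        list(bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a"))   # FIPS-197 Appendix C.1
    x = list(range(16, 32))                                      # constructed sample input
    print(bytes(zip_aes(x, key, bytes(range(16, 32)))).hex())
```

The 10-round identity in zip_aes_as_ten_rounds is what lets differential and linear trails of the construction be mapped to trails of a 10-round AES-like permutation (up to the round-key values); the caveat is that the attacker knows x, not y, so this is a tool for bounding trail probabilities, not a statement that ZIP-AES is 10-round AES.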