zbMATH — the first resource for mathematics

Improved single-key attacks on 8-round AES-192 and AES-256. (English) Zbl 1321.94055
Summary: AES is the most widely used block cipher today, and its security is one of the most important issues in cryptanalysis. After 13 years of analysis, related-key attacks were recently found against two of its flavors (AES-192 and AES-256). However, such a strong type of attack is not universally accepted as a valid attack model, and in the more standard single-key attack model at most 8 rounds of these two versions can be currently attacked. In the case of 8-round AES-192, the only known attack (found 10 years ago) is extremely marginal, requiring the evaluation of essentially all the \(2^{128}\) possible plaintext/ciphertext pairs in order to speed up exhaustive key search by a factor of 16. In this paper we introduce three new cryptanalytic techniques, and use them to get the first non-marginal attack on 8-round AES-192 (making its time complexity about a million times faster than exhaustive search, and reducing its data complexity to about 1/32,000 of the full codebook). In addition, our new techniques can reduce the best known time complexities for all the other combinations of 7-round and 8-round AES-192 and AES-256.
This paper is an extended version of [Asiacrypt 2010, Lect. Notes Comput. Sci. 6477, 158–176 (2010; Zbl 1253.94045)].

94A60 Cryptography
Full Text: DOI
[1] Biryukov, A.; Khovratovich, D., Related-key cryptanalysis of the full AES-192 and AES-256, No. 5912, 1-18, (2009), Berlin · Zbl 1267.94041
[2] Biryukov, A.; Khovratovich, D.; Nikolic, I., Distinguisher and related-key attack on the full AES-256, No. 5677, 231-249, (2009), Berlin · Zbl 1252.94051
[3] Biryukov, A.; Dunkelman, O.; Keller, N.; Khovratovich, D.; Shamir, A., Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds, No. 6110, 299-319, (2010), Berlin · Zbl 1280.94040
[4] Daemen, J.; Rijmen, V., AES proposal: rijndael, (1998)
[5] J. Daemen, V. Rijmen, The Design of Rijndael: AES—the Advanced Encryption Standard (Springer, Berlin, 2002) · Zbl 1065.94005
[6] Demirci, H.; Aydin Selçuk, A., A meet-in-the-middle attack on 8-round AES, No. 5086, 116-126, (2008), Berlin · Zbl 1154.68391
[7] Demirci, H.; Taskin, I.; Çoban, M.; Baysal, A., Improved meet-in-the-middle attacks on AES, No. 5922, 144-156, (2009), Berlin · Zbl 1273.94345
[8] P. Derbez, P.-A. Fouque, Exhausting Demirci-Selcuk Meet-in-the-Middle Attacks against Reduced-Round AES, pre-proceedings of Fast Software Encryption 2013. Lecture Notes in Computer Science (2013, to appear)
[9] Derbez, P.; Fouque, P.-A.; Jean, J., Improved key recovery attacks on reduced-round AES in the single-key setting, (2013) · Zbl 1306.94044
[10] Dunkelman, O.; Keller, N., A new attack on the LEX stream cipher, No. 5350, 539-556, (2008), Berlin · Zbl 1206.94065
[11] Ferguson, N.; Kelsey, J.; Lucks, S.; Schneier, B.; Stay, M.; Wagner, D.; Whiting, D., Improved cryptanalysis of rijndael, 213-230, (2001), Berlin · Zbl 0994.68631
[12] Gilbert, H.; Minier, M., A collision attack on 7 rounds of rijndael, New York, USA
[13] Lu, J.; Dunkelman, O.; Keller, N.; Kim, J., New impossible differential attacks on AES, No. 5365, 279-293, (2008), Berlin · Zbl 1203.94113
[14] Mala, H.; Dakhilalian, M.; Rijmen, V.; Modarres-Hashemi, M., Improved impossible differential cryptanalysis of 7-round AES-128, No. 6498, 282-291, (2010), Berlin · Zbl 1253.94060
[15] US National Institute of Standards and Technology, Advanced Encryption Standard, Federal Information Processing Standards Publications, vol. 197 (2001) · Zbl 1267.94041
[16] Zhang, W.; Wu, W.; Zhang, L.; Feng, D., Improved related-key impossible differential attacks on reduced-round AES-192, No. 4356, 15-27, (2007), Berlin · Zbl 1161.94434
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. It attempts to reflect the references listed in the original paper as accurately as possible without claiming the completeness or perfect precision of the matching.