zbMATH — the first resource for mathematics

Meet-in-the-middle attacks on 10-round AES-256. (English) Zbl 1402.94062
Summary: The meet-in-the-middle attack on AES was proposed by H. Demirci and A. A. Selçuk at FSE 2008 [Lect. Notes Comput. Sci. 5086, 116–126 (2008; Zbl 1154.68391)] and greatly improved by O. Dunkelman et al. at Asiacrypt 2010 [Lect. Notes Comput. Sci. 6477, 158–176 (2010; Zbl 1253.94045)] and by P. Derbez et al. at Eurocrypt 2013 [Lect. Notes Comput. Sci. 7881, 371–387 (2013; Zbl 1306.94044)] using various time/memory/data tradeoff techniques. At FSE 2014, L. Li et al. [Lect. Notes Comput. Sci. 8540, 127–146 (2015; Zbl 1360.94317)] gave the most efficient attack on 9-round AES-256, based on a 5-round meet-in-the-middle distinguisher. In this paper, we revisit Demirci and Selçuk's attack and present the first 6-round meet-in-the-middle distinguisher on AES-256, using the differential enumeration and key-dependent sieve techniques. Based on this distinguisher, we propose the first attack on 10-round AES-256 in the single-key model other than the biclique attack. Moreover, we further reduce the data complexity by using several distinguishers in parallel, and reduce the memory complexity by dividing the whole attack into a series of weak-key attacks. Finally, we achieve the attack with a data complexity of \(2^{111}\) chosen plaintexts, a time complexity of \(2^{253}\) 10-round AES encryptions and a memory complexity of \(2^{211.2}\) AES blocks.
Reviewer: Reviewer (Berlin)

MSC: 94A60 Cryptography
Keywords: LEX; Square
Full Text: DOI
[1] Biryukov A., Khovratovich D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Advances in Cryptology—ASIACRYPT 2009, pp. 1-18. Springer, Heidelberg (2009). · Zbl 1267.94041
[2] Biryukov A., Khovratovich D., Nikolić I.: Distinguisher and related-key attack on the full AES-256. In: Advances in Cryptology—CRYPTO 2009, pp. 231-249. Springer, Heidelberg (2009). · Zbl 1252.94051
[3] Biryukov A., Dunkelman O., Keller N., Khovratovich D., Shamir A.: Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In: Advances in Cryptology—EUROCRYPT 2010, pp. 299-319. Springer, Heidelberg (2010). · Zbl 1280.94040
[4] Bogdanov A., Khovratovich D., Rechberger C.: Biclique cryptanalysis of the full AES. In: Advances in Cryptology—ASIACRYPT 2011, pp. 344-371. Springer, Heidelberg (2011). · Zbl 1227.94032
[5] Daemen J., Rijmen V.: AES proposal: Rijndael. In: First Advanced Encryption Standard (AES) Conference (1998). · Zbl 1065.94005
[6] Daemen J., Rijmen V.: Understanding two-round differentials in AES. In: Security and Cryptography for Networks, pp. 78-94. Springer, Heidelberg (2006). · Zbl 1152.94413
[7] Daemen J., Knudsen L., Rijmen V.: The block cipher Square. In: Fast Software Encryption, pp. 149-165. Springer, Heidelberg (1997). · Zbl 1385.94025
[8] Demirci H., Selçuk A.A.: A meet-in-the-middle attack on 8-round AES. In: Fast Software Encryption, pp. 116-126. Springer, Heidelberg (2008). · Zbl 1154.68391
[9] Demirci H., Taşkın İ., Çoban M., Baysal A.: Improved meet-in-the-middle attacks on AES. In: Progress in Cryptology—INDOCRYPT 2009, pp. 144-156. Springer, Heidelberg (2009). · Zbl 1273.94345
[10] Derbez P., Fouque P.A., Jean J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Advances in Cryptology—EUROCRYPT 2013, pp. 371-387. Springer, Heidelberg (2013). · Zbl 1306.94044
[11] Derbez P., Fouque P.A., Jean J.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Fast Software Encryption (2013).
[12] Dunkelman O., Keller N.: A new attack on the LEX stream cipher. In: Advances in Cryptology—ASIACRYPT 2008, pp. 539-556. Springer, Heidelberg (2008). · Zbl 1206.94065
[13] Dunkelman O., Keller N., Shamir A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Advances in Cryptology—ASIACRYPT 2010, pp. 158-176. Springer, Heidelberg (2010). · Zbl 1253.94045
[14] Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D., Whiting D.: Improved cryptanalysis of Rijndael. In: Fast Software Encryption, pp. 213-230. Springer, Heidelberg (2001). · Zbl 0994.68631
[15] Fouque P.A., Jean J., Peyrin T.: Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128. In: Advances in Cryptology—CRYPTO 2013, pp. 183-203. Springer, Heidelberg (2013). · Zbl 1310.94144
[16] Gilbert H.: A simplified representation of AES. In: Advances in Cryptology—ASIACRYPT 2014, pp. 200-222. Springer, Heidelberg (2014). · Zbl 1306.94054
[17] Gilbert H., Minier M.: A collisions attack on the 7-rounds Rijndael. In: AES Candidate Conference (2000).
[18] Li L., Jia K., Wang X.: Improved single-key attacks on 9-round AES-192/256. In: Fast Software Encryption (2014). · Zbl 1360.94317
[19] Lu J., Dunkelman O., Keller N., Kim J.: New impossible differential attacks on AES. In: Progress in Cryptology—INDOCRYPT 2008, pp. 279-293. Springer, Heidelberg (2008). · Zbl 1203.94113
[20] Lucks S., et al.: Attacking seven rounds of Rijndael under 192-bit and 256-bit keys. In: AES Candidate Conference, vol. 2000 (2000).
[21] Mala H., Dakhilalian M., Rijmen V., Modarres-Hashemi M.: Improved impossible differential cryptanalysis of 7-round AES-128. In: Progress in Cryptology—INDOCRYPT 2010, pp. 282-291. Springer, Heidelberg (2010). · Zbl 1253.94060
[22] Wei Y., Lu J., Hu Y.: Meet-in-the-middle attack on 8 rounds of the AES block cipher under 192 key bits. In: Information Security Practice and Experience, pp. 222-232. Springer, Berlin (2011). · Zbl 1292.94151