## Improved key recovery attacks on reduced-round AES with practical data and memory complexities.(English)Zbl 1457.94097

Summary: Determining the security of AES is a central problem in cryptanalysis, but progress in this area had been slow and only a handful of cryptanalytic techniques led to significant advancements. L. Grassi et al. [EUROCRYPT 2017, Lect. Notes Comput. Sci. 10211, 289–317 (2017; Zbl 1415.94433)] presented a novel type of distinguisher for AES-like structures, but so far all the published attacks which were based on this distinguisher were inferior to previously known attacks in their complexity. In this paper we combine the technique of L. Grassi et al. [loc. cit.] with several other techniques in a novel way to obtain the best known key recovery attack on 5-round AES in the single-key model, reducing its overall complexity from about $$2^{32}$$ to less than $$2^{22}$$. Extending our techniques to 7-round AES, we obtain the best known attacks on reduced-round AES-192 which use practical amounts of data and memory, breaking the record for such attacks which was obtained in 2000 by the classical Square attack. In addition, we use our techniques to improve the Gilbert-Minier attack (2000) on 7-round AES, reducing its memory complexity from $$2^{80}$$ to $$2^{40}$$.

### MSC:

 94A60 Cryptography 94A62 Authentication, digital signatures and secret sharing

### Keywords:

mixture differentials; AES; cryptanalysis

Zbl 1415.94433

### Software:

LED; ELmD; Square
Full Text: