Meet-in-the-middle attacks on 10-round AES-256

The meet-in-the-middle attack on AES was proposed by Demirci and Selçuk at FSE 2008 and greatly improved by Dunkelman et al. at ASIACRYPT 2010 and by Derbez et al. at EUROCRYPT 2013 with various time/memory/data tradeoff techniques. At FSE 2014, Li et al. gave the most efficient attack on 9-round AES-256, based on a 5-round meet-in-the-middle distinguisher. In this paper, we revisit Demirci and Selçuk's attack and present the first 6-round meet-in-the-middle distinguisher on AES-256, using the differential enumeration and key-dependent sieve techniques. Based on this distinguisher, we propose the first attack on 10-round AES-256 in the single-key model apart from the biclique attack. Moreover, we further reduce the data complexity by using several distinguishers in parallel, and reduce the memory complexity by dividing the whole attack into a series of weak-key attacks. Finally, we achieve the attack with a data complexity of $$2^{111}$$ chosen plaintexts, a time complexity of $$2^{253}$$ 10-round AES encryptions and a memory complexity of $$2^{211.2}$$ AES blocks.
