## A Meet-in-the-Middle Attack on 8-Round AES

Citations: 8 (0 self)

### BibTeX

@MISC{Demirci_ameet-in-the-middle,

author = {Hüseyin Demirci and Ali Aydın Selçuk},

title = {A Meet-in-the-Middle Attack on 8-Round AES},

year = {}

}

### Abstract

We present a 5-round distinguisher for AES. We exploit this distinguisher to develop a meet-in-the-middle attack on 7 rounds of AES-192 and 8 rounds of AES-256. We also give a time-memory tradeoff generalization of the basic attack which gives a better balancing between different costs of the attack. As an additional note, we state a new square-like property of the AES algorithm.

### Citations

193 | Cryptanalysis of block ciphers with overdefined systems of equations
- Courtois, Pieprzyk
- 2002
Citation Context ...ts in $2^{46}$ steps of analysis. The 6-round boomerang attack requires $2^{78}$ chosen plaintexts, $2^{78}$ steps of analysis, and $2^{36}$ bytes of memory. There is also a class of algebraic attacks applied on AES [7]. The authors write the AES S-box as a system of implicit quadratic equations. As a result, the cryptanalysis of the system turns out to be solving a huge system of quadratic equations. In [7], XSL me...

130 | A Cryptanalytic Time-Memory Trade-Off
- Hellman
- 1980
Citation Context ... increases by a factor of $2^{128}$. Hence the time complexity of the attack on 8-round AES becomes $2^{208}$ while the memory complexity is $2^{206}$. Although this attack appears to be dominated by Hellman's [14] time-memory tradeoff on both counts, it is a non-trivial attack faster than exhaustive search on 8-round AES-256. The performance of our attacks and the previous attacks on AES are summarized in Tabl...

110 | The block cipher Square
- Daemen, Knudsen, et al.
- 1997
Citation Context ... adopted by NIST as the Advanced Encryption Standard (AES), the new standard encryption algorithm of the US government to replace DES. The algorithm is a member of the family of square-type algorithms [8] designed by Vincent Rijmen and John Daemen. It is currently one of the most widely used and analyzed ciphers in the world. AES is a 128-bit block cipher and accepts key sizes of 128, 192 and 256 bits...

100 | AES proposal: Rijndael
- Daemen, Rijmen
- 1998

52 | Improved cryptanalysis of Rijndael
- Ferguson, Kelsey, et al.
- 2001
Citation Context ...lgorithm designers applied the square attack to the cipher [8]. The attack uses about $2^{32}$ chosen plaintexts and breaks 6 rounds of AES with about $2^{72}$ complexity. The square attack has been improved [11] and the workload has been reduced to $2^{46}$. For the key lengths 192 and 256 bits, the attack can be increased one more round with the help of the key schedule [18]. In [13] a collision attack has bee...

33 | Provable security against a differential attacks
- Nyberg, Knudsen
- 1995
Citation Context ... is a single s-box substitution used for all entries of the table based on the inverse mapping in $GF(2^8)$ plus an affine mapping, which is known to have excellent differential and linear properties [19]. The shift row operation shifts the $i$th row $i$ units left for $i = 0, 1, 2, 3$. Mix column operation is an MDS matrix multiplication which confuses the four entries of each column of the table. Key mixi...

28 | Attacking seven rounds of Rijndael under 196-bit and 256-bit keys
- Lucks
Citation Context ...The square attack has been improved [11] and the workload has been reduced to $2^{46}$. For the key lengths 192 and 256 bits, the attack can be increased one more round with the help of the key schedule [18]. In [13] a collision attack has been applied to the cipher using a distinguishing property of the four-round encryption. With $2^{32}$ chosen plaintexts, the attack breaks 7 rounds of AES-192 and AES-256...

26 | Cryptanalysis of reduced variants of Rijndael. unpublished
- Biham, Keller
- 1999
Citation Context ...unds of AES-192 and AES-256 with a complexity of $2^{140}$. For AES-128, the attack is marginally faster than exhaustive search. The impossible differential attack has been applied up to 7 rounds of AES [3, 6, 22, 20, 21]; but the complexities of these attacks are higher than the square attack. Biryukov applied the boomerang attack technique to 5 and 6 rounds of the cipher [4]. For the 128 bit key length, the boomer...

21 | A collision attack on 7 rounds of Rijndael
- Gilbert, Minier
- 2000
Citation Context ... paper proceeds as follows: In Section 2 we briefly explain the AES block cipher and give a survey of the previous attacks. In Section 3, we review the 4-round AES distinguisher of Gilbert and Minier [13]. In Section 4, we introduce our 5-round distinguisher for AES. In Section 5, we describe our attacks on AES-192 and AES-256 based on this distinguisher. We conclude the paper with a summary of the re...

18 | Improved impossible differential cryptanalysis of Rijndael and Crypton
- Cheon, Kim, et al.
- 2002
Citation Context ...the values obtained by this decryption to the values in the precomputed set. When a match is found, the key value tried is most likely the right key value. The details of the attack are as follows: 1. For each of the $2^{25 \times 8}$ possible values of the parameters in (6), calculate the function $a_{11} \to C^{(4)}_{11}$, for each $0 \le a_{11} \le 255$, according to equations (1–4) and (5). 2. Let $K_{init}$ denote the initia...

14 | Structural cryptanalysis of SASAS
- Biryukov, Shamir
- 2010
Citation Context ... $+ K^{(3)}_{44}$. (4) Since $C^{(4)}_{11} = 2S(C^{(3)}_{11}) + 3S(C^{(3)}_{22}) + S(C^{(3)}_{33}) + S(C^{(3)}_{44}) + K^{(4)}_{11}$, (5) the fixed values $c_1, c_2, \ldots, c_{20}, K^{(3)}_{11}, K^{(3)}_{22}, K^{(3)}_{33}, K^{(3)}_{44}, K^{(4)}_{11}$ are sufficient to express the function $a_{11} \to C^{(4)}_{11}$. ⊓⊔ Although each of the diagonal entries depend on 9 fixed parameters, it is interesting to observe that the fourth round entry $C^{(4)}_{11}$ is ent...

9 | Related-key impossible differential attacks on 8-round AES-192
- Biham, Dunkelman, et al.
- 2006
Citation Context ...m of quadratic equations. In [7], XSL method is suggested if the system of equations is overdefined and sparse which is the case for AES. Recently, related key attacks have been applied to the cipher [1, 2, 16, 15, 17, 23]. These attacks work up to 10 rounds of AES-192 and AES-256. Throughout the paper, we use $K^{(r)}$ and $C^{(r)}$ to denote the round key and the ciphertext of the $r$th round; $K^{(r)}_{ij}$ and $C^{(r)}_{ij}$ denote the b...

9 | Related-key differential cryptanalysis of 192-bit key AES variants
- Jakimoski, Desmedt
- 2004
Citation Context ...m of quadratic equations. In [7], XSL method is suggested if the system of equations is overdefined and sparse which is the case for AES. Recently, related key attacks have been applied to the cipher [1, 2, 16, 15, 17, 23]. These attacks work up to 10 rounds of AES-192 and AES-256. Throughout the paper, we use $K^{(r)}$ and $C^{(r)}$ to denote the round key and the ciphertext of the $r$th round; $K^{(r)}_{ij}$ and $C^{(r)}_{ij}$ denote the b...

8 | Related-key rectangle attacks on reduced versions of SHACAL-1 and AES-192
- Hong, Kim, et al.
- 2005
Citation Context ...m of quadratic equations. In [7], XSL method is suggested if the system of equations is overdefined and sparse which is the case for AES. Recently, related key attacks have been applied to the cipher [1, 2, 16, 15, 17, 23]. These attacks work up to 10 rounds of AES-192 and AES-256. Throughout the paper, we use $K^{(r)}$ and $C^{(r)}$ to denote the round key and the ciphertext of the $r$th round; $K^{(r)}_{ij}$ and $C^{(r)}_{ij}$ denote the b...

5 | Classes of Impossible Differentials of Advanced Encryption Standard
- Phan
- 2002
Citation Context ...unds of AES-192 and AES-256 with a complexity of $2^{140}$. For AES-128, the attack is marginally faster than exhaustive search. The impossible differential attack has been applied up to 7 rounds of AES [3, 6, 22, 20, 21]; but the complexities of these attacks are higher than the square attack. Biryukov applied the boomerang attack technique to 5 and 6 rounds of the cipher [4]. For the 128 bit key length, the boomer...

5 | Improved related-key impossible differential attacks on reduced-round AES-192
- Zhang, Wu, et al.
- 2006

4 | Related-key rectangle attacks on reduced
- Hong, Kim, et al.
- 2005

2 | Boomerang attack on 5- and 6-round AES
- Biryukov
- 2004
Citation Context ...ed up to 7 rounds of AES [3, 6, 22, 20, 21]; but the complexities of these attacks are higher than the square attack. Biryukov applied the boomerang attack technique to 5 and 6 rounds of the cipher [4]. For the 128 bit key length, the boomerang attack breaks 5 rounds of AES using $2^{46}$ adaptive chosen plaintexts in $2^{46}$ steps of analysis. The 6-round boomerang attack requires $2^{78}$ chosen plaintexts,...

1 | Related-key and boomerang attacks
- Biham, Dunkelman, et al.
- 2005

1 | A new meet in the middle attack on IDEA
- Demirci, Selçuk, et al.
- 2004
Citation Context ... use a birthday-paradox-like approach to reduce the precomputation complexity, which enables a 7-round attack on AES-192. Our attack is also related to the meet-in-the-middle attack of Demirci et al. [10] on the IDEA block cipher, where a large sieving set is precomputed according to a certain distinguishing property of the cipher, and this set is later used to discover the round keys by a partial dec...

1 | Impossible differential cryptanalysis of
- Phan
- 2004
Citation Context ...unds of AES-192 and AES-256 with a complexity of $2^{140}$. For AES-128, the attack is marginally faster than exhaustive search. The impossible differential attack has been applied up to 7 rounds of AES [3, 6, 22, 20, 21]; but the complexities of these attacks are higher than the square attack. Biryukov applied the boomerang attack technique to 5 and 6 rounds of the cipher [4]. For the 128 bit key length, the boomer...