
Improved Meet-in-the-Middle Attacks on Nine Rounds of the AES-192 Block Cipher

  • Conference paper
  • Topics in Cryptology – CT-RSA 2024 (CT-RSA 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14643)


Abstract

In the single-key attack scenario, the meet-in-the-middle (MitM) attack method has led to the best currently published cryptanalytic results on the AES block cipher, except for the biclique attack. In particular, for AES with a 192-bit key (AES-192), Li et al. published 5-round MitM distinguishers and 9-round MitM attacks in 2014, introducing the key-dependent sieve technique to reduce the number of unknown constants in a MitM distinguisher and using a so-called weak-key approach to reduce the memory complexity of an ordinary MitM attack; their final main result is an attack on the first 9 rounds of AES-192 with a data complexity of \(2^{121}\) chosen plaintexts, a memory complexity of \(2^{181}\) bytes and a time complexity of \(2^{187.7}\) encryptions. In this paper, we observe that Li et al. used the wrong direction for the rotation operation of the AES-192 key schedule, which causes all their distinguishers and attacks to be seriously flawed; fortunately, we exploit a correct 5-round distinguisher with different active input and output byte positions, so that the resulting 9-round AES-192 attacks with and without Li et al.’s weak-key approach have the same complexities as Li et al.’s (flawed) attacks. Further, we give a trick to exploit two complicated additional one-byte linear relations (between the round keys of the precomputation phase and the round keys of the online phase) to further reduce the memory complexity, and finally we mount an attack on 9-round AES-192 with a data complexity of \(2^{121}\) chosen plaintexts, a memory complexity of \(2^{172.3}\) bytes and a time complexity of \(2^{187.6}\) encryptions. Besides, we show that the 5-round MitM distinguisher can be extended to a 6-round MitM distinguisher, which can also attack 9-round AES-192 with the same complexity. Our work corrects and improves Li et al.’s work, and the trick can potentially be used for MitM attacks on other block ciphers.
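The flaw the abstract identifies is the direction of the RotWord rotation in the AES key schedule, which is a cyclic shift to the left by one byte in FIPS-197. The following is an added example, not code from the paper: a minimal AES key expansion in Python with the rotation direction as an explicit parameter, so an implementation can be checked against the AES-192 expansion vector in FIPS-197 Appendix A.2 (the S-box is derived at run time; the function names `build_sbox`, `expand_key` and `expand_key_hex` are this example's own).

```python
# Added example (not from the paper): AES key expansion per FIPS-197 Sect. 5.2.

def build_sbox():
    """Derive the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1                         # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine part
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63                    # 0 has no inverse; affine constant only
    return sbox

SBOX = build_sbox()

def expand_key(key, rot_left=True):
    """Return the 4*(Nr+1) round-key words for a 16-, 24- or 32-byte key.
    FIPS-197 RotWord maps [a0,a1,a2,a3] -> [a1,a2,a3,a0] (a LEFT rotation);
    rot_left=False applies the opposite rotation, i.e. the reported mistake."""
    nk = len(key) // 4                # 6 words for AES-192
    nr = nk + 6                       # 12 rounds for AES-192
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = t[1:] + t[:1] if rot_left else t[-1:] + t[:-1]  # RotWord
            t = [SBOX[b] for b in t]                           # SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)  # xtime(Rcon)
        elif nk > 6 and i % nk == 4:  # extra SubWord step, AES-256 only
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w

def expand_key_hex(key_hex, rot_left=True):
    # Hex-string wrapper so results can be compared with the FIPS-197 listing.
    words = expand_key(bytes.fromhex(key_hex), rot_left)
    return [bytes(wd).hex() for wd in words]
```

With the FIPS-197 A.2 key, the correct schedule yields w[6] = fe0c91f7, while the reversed rotation already diverges at w[6], so the standard's own vector is enough to catch the error.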


Notes

  1. We note that in [19, 20] Wang and Zhu gave a 5-round MitM distinguisher on AES-192 with 22 byte parameters and presented a 9-round AES-192 attack with a different complexity compared with Li et al.’s 9-round AES-192 attacks. However, we point out in the full version of this paper that their attack is seriously flawed and invalid.

References

  1. Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993). https://doi.org/10.1007/978-1-4613-9314-6
  2. Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_19
  3. Daemen, J., Rijmen, V.: The Design of Rijndael: AES–The Advanced Encryption Standard. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
  4. Daemen, J., Rijmen, V.: Understanding two-round differentials in AES. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 78–94. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_6
  5. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7
  6. Derbez, P., Fouque, P.A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_28
  7. Derbez, P., Fouque, P.A.: Automatic search of meet-in-the-middle and impossible differential attacks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 157–184. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-53008-5_6
  8. Derbez, P., Fouque, P.A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23
  9. Diffie, W., Hellman, M.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), 74–84 (1977)
  10. Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10
  11. Ferguson, N., et al.: Improved cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_15
  12. Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: The Third Advanced Encryption Standard Candidate Conference, pp. 230–241. NIST (2000)
  13. Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_21
  14. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
  15. Li, L., Jia, K., Wang, X.: Improved single-key attacks on 9-round AES-192/256. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 127–146. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_7
  16. Li, R., Jin, C.: Meet-in-the-middle attacks on 10-round AES-256. Des. Codes Cryptogr. 80(3), 459–471 (2016). https://doi.org/10.1007/s10623-015-0113-3
  17. Lu, J., Dunkelman, O., Keller, N., Kim, J.: New impossible differential attacks on AES. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_22
  18. National Institute of Standards and Technology (NIST): Advanced Encryption Standard (AES), FIPS-197 (2001)
  19. Wang, G., Zhu, C.: Single key recovery attacks on reduced AES-192 and Kalyna-128/256. Sci. China Inf. Sci. 60, 099101:1–099101:3 (2017). https://doi.org/10.1007/s11432-016-0417-7
  20. Wang, G., Zhu, C.: Single key recovery attacks on reduced AES-192 and Kalyna-128/256. Supplementary file

Author information

Corresponding author

Correspondence to Jiqiang Lu .


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Lu, J., Zhou, W. (2024). Improved Meet-in-the-Middle Attacks on Nine Rounds of the AES-192 Block Cipher. In: Oswald, E. (eds) Topics in Cryptology – CT-RSA 2024. CT-RSA 2024. Lecture Notes in Computer Science, vol 14643. Springer, Cham. https://doi.org/10.1007/978-3-031-58868-6_6


  • DOI: https://doi.org/10.1007/978-3-031-58868-6_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58867-9

  • Online ISBN: 978-3-031-58868-6
