Abstract
In the single-key attack scenario, the meet-in-the-middle (MitM) attack method has led to the best currently published cryptanalytic results on the AES block cipher, except for the biclique attack. In particular, for AES with a 192-bit key (AES-192), Li et al. published 5-round MitM distinguishers and 9-round MitM attacks in 2014, introducing the key-dependent sieve technique to reduce the number of unknown constants in a MitM distinguisher and using a so-called weak-key approach to reduce the memory complexity of an ordinary MitM attack; their final main result is an attack on the first 9 rounds of AES-192 with a data complexity of \(2^{121}\) chosen plaintexts, a memory complexity of \(2^{181}\) bytes and a time complexity of \(2^{187.7}\) encryptions. In this paper, we observe that Li et al. used the wrong direction for the rotation operation of the AES-192 key schedule, which causes all their distinguishers and attacks to be seriously flawed. Fortunately, we find a correct 5-round distinguisher with different active input and output byte positions, so that the resulting 9-round AES-192 attacks with and without Li et al.'s weak-key approach have the same complexities as Li et al.'s (flawed) attacks. Further, we give a trick that exploits two complicated additional one-byte linear relations (between the round keys of the precomputation phase and the round keys of the online phase) to further reduce the memory complexity, and finally we obtain an attack on 9-round AES-192 with a data complexity of \(2^{121}\) chosen plaintexts, a memory complexity of \(2^{172.3}\) bytes and a time complexity of \(2^{187.6}\) encryptions. Besides, we show that the 5-round MitM distinguisher can be extended to a 6-round MitM distinguisher, which can also attack 9-round AES-192 with the same complexity. Our work corrects and improves Li et al.'s work, and the trick can potentially be used for MitM attacks on other block ciphers.
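The abstract's central observation is that the direction of the RotWord rotation in the AES-192 key schedule determines every derived round key, so a MitM distinguisher built on the reversed rotation describes a different cipher. The following is an added example, not code from the paper: an AES-192 key expansion written directly from FIPS-197 (RotWord rotates the 32-bit word left by one byte, Nk = 6, Nr = 12), with the S-box generated from its GF(2^8) definition rather than copied as a table, and a helper `rot_word_wrong_direction` (a name chosen here) that applies the opposite rotation so that the divergence of the expansion words can be observed. The key is the public FIPS-197 Appendix A.2 expansion example, not a value taken from the paper.

```python
# Added example (not from the paper): AES-192 key expansion per FIPS-197,
# showing that RotWord is a one-byte rotation to the LEFT and how the derived
# expansion words diverge if the rotation direction is reversed.

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _make_sbox() -> list:
    """Build the AES S-box from its definition: multiplicative inverse, then affine map."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for k in range(1, 5):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()
# Round constants rc_1..rc_10 = x^(i-1) in GF(2^8); AES-192 uses rc_1..rc_8.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def rot_word(w: int) -> int:
    """FIPS-197 RotWord: [a0,a1,a2,a3] -> [a1,a2,a3,a0], i.e. rotate the word left by one byte."""
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)

def rot_word_wrong_direction(w: int) -> int:
    """The opposite rotation, [a0,a1,a2,a3] -> [a3,a0,a1,a2]. NOT what the standard specifies;
    included only to show how the expansion diverges (hypothetical helper, not from the paper)."""
    return (w >> 8) | ((w & 0xFF) << 24)

def sub_word(w: int) -> int:
    """FIPS-197 SubWord: apply the S-box to each of the four bytes."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def expand_key_192(key: bytes, rot=rot_word) -> list:
    """Return the 52 expansion words w[0..51] of AES-192 (Nk = 6, Nr = 12).

    `rot` is parameterised only so that the effect of a wrong rotation can be compared."""
    assert len(key) == 24, "AES-192 key must be 24 bytes"
    nk, nr = 6, 12
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = sub_word(rot(temp)) ^ (RCON[i // nk - 1] << 24)
        # (the extra SubWord step at i % Nk == 4 exists only for AES-256, Nk = 8)
        w.append(w[i - nk] ^ temp)
    return w

def round_key(w: list, r: int) -> bytes:
    """Round key r (0..12) as 16 bytes: expansion words w[4r..4r+3]."""
    return b"".join(x.to_bytes(4, "big") for x in w[4 * r:4 * r + 4])

# Public test vector from FIPS-197 Appendix A.2 (not data from the paper).
FIPS197_KEY_192 = bytes.fromhex("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b")

if __name__ == "__main__":
    good = expand_key_192(FIPS197_KEY_192)
    bad = expand_key_192(FIPS197_KEY_192, rot=rot_word_wrong_direction)
    print("w[6] with FIPS-197 RotWord :", f"{good[6]:08x}")  # fe0c91f7, as in FIPS-197 A.2
    print("w[6] with reversed rotation:", f"{bad[6]:08x}")
    first_diff = next(i for i in range(52) if good[i] != bad[i])
    print("first differing expansion word: w[%d]" % first_diff)
```

The first six words are the key itself and are identical under both rotations; the divergence starts at w[6], the first word that passes through RotWord, and propagates to every later round key. Any round-key byte relation derived from the reversed rotation therefore does not hold for the real AES-192 key schedule, which is the root of the flaw the paper identifies.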
Notes
1. We note that in [19, 20] Wang and Zhu gave a 5-round MitM distinguisher on AES-192 with 22 byte parameters and presented a 9-round AES-192 attack with a different complexity compared with Li et al.'s 9-round AES-192 attacks. However, we point out that their attack is seriously flawed and invalid in the full version of this paper.
References
[1] Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, New York (1993). https://doi.org/10.1007/978-1-4613-9314-6
[2] Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_19
[3] Daemen, J., Rijmen, V.: The Design of Rijndael: AES – The Advanced Encryption Standard. Springer, Heidelberg (2002). https://doi.org/10.1007/978-3-662-04722-4
[4] Daemen, J., Rijmen, V.: Understanding two-round differentials in AES. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 78–94. Springer, Heidelberg (2006). https://doi.org/10.1007/11832072_6
[5] Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7
[6] Derbez, P., Fouque, P.A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_28
[7] Derbez, P., Fouque, P.A.: Automatic search of meet-in-the-middle and impossible differential attacks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 157–184. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-53008-5_6
[8] Derbez, P., Fouque, P.A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23
[9] Diffie, W., Hellman, M.: Exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), 74–84 (1977)
[10] Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10
[11] Ferguson, N., et al.: Improved cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_15
[12] Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: The Third Advanced Encryption Standard Candidate Conference, pp. 230–241. NIST (2000)
[13] Gilbert, H., Peyrin, T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_21
[14] Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16
[15] Li, L., Jia, K., Wang, X.: Improved single-key attacks on 9-round AES-192/256. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 127–146. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_7
[16] Li, R., Jin, C.: Meet-in-the-middle attacks on 10-round AES-256. Des. Codes Cryptogr. 80(3), 459–471 (2016). https://doi.org/10.1007/s10623-015-0113-3
[17] Lu, J., Dunkelman, O., Keller, N., Kim, J.: New impossible differential attacks on AES. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89754-5_22
[18] National Institute of Standards and Technology (NIST): Advanced Encryption Standard (AES). FIPS-197 (2001)
[19] Wang, G., Zhu, C.: Single key recovery attacks on reduced AES-192 and Kalyna-128/256. Sci. China Inf. Sci. 60, 099101:1–099101:3 (2017). https://doi.org/10.1007/s11432-016-0417-7
[20] Wang, G., Zhu, C.: Single key recovery attacks on reduced AES-192 and Kalyna-128/256. Supplementary file
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Lu, J., Zhou, W. (2024). Improved Meet-in-the-Middle Attacks on Nine Rounds of the AES-192 Block Cipher. In: Oswald, E. (eds) Topics in Cryptology – CT-RSA 2024. CT-RSA 2024. Lecture Notes in Computer Science, vol 14643. Springer, Cham. https://doi.org/10.1007/978-3-031-58868-6_6
DOI: https://doi.org/10.1007/978-3-031-58868-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58867-9
Online ISBN: 978-3-031-58868-6
eBook Packages: Computer Science; Computer Science (R0)