# Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities

@article{BarOn2019ImprovedKR, title={Improved Key Recovery Attacks on Reduced-Round AES with Practical Data and Memory Complexities}, author={Achiya Bar-On and Orr Dunkelman and Nathan Keller and Eyal Ronen and Adi Shamir}, journal={Journal of Cryptology}, year={2019}, volume={33}, pages={1003-1043} }

Determining the security of AES is a central problem in cryptanalysis, but progress in this area had been slow and only a handful of cryptanalytic techniques led to significant advancements. At Eurocrypt 2017 Grassi et al. presented a novel type of distinguisher for AES-like structures, but so far all the published attacks which were based on this distinguisher were inferior to previously known attacks in their complexity. In this paper we combine the technique of Grassi et al. with several…

## 28 Citations

Mixture Integral Attacks on Reduced-Round AES with a Known/Secret S-Box

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2019

This work presents as its main contribution a new secret-key distinguisher on 3-round AES with the smallest data complexity in the literature among distinguishers that do not require adaptive chosen plaintexts/ciphertexts, namely approximately half of the data needed to set up a 3-round truncated differential distinguisher.

Practical Attacks on Reduced-Round AES

- Computer Science, Mathematics; AFRICACRYPT
- 2019

This paper presents a practical key-recovery attack on 5-round AES with a secret S-box that requires \(2^{32}\) adaptively chosen ciphertexts, which, as far as the authors know, is a new record.

An Efficient Parallel Implementation of Impossible-Differential Cryptanalysis for Five-Round AES-128

- Computer Science; SPACE
- 2019

This paper reports the parallel implementation of the impossible-differential cryptanalysis of five-round AES-128, originally proposed by Biham and Keller, and proposes an improvement of the attack by exploiting data and task parallelism.

Extended Expectation Cryptanalysis on Round-reduced AES

- Mathematics, Computer Science; IACR Cryptol. ePrint Arch.
- 2019

The present work applies expectation-based distinguishers from a sum of PRPs to round-reduced AES, showing how to extend the well-known 3-round integral distinguisher to expectation distinguishers over 4 and 5 rounds and demonstrating how the prepended round can be used for key recovery.

Extended Truncated-differential Distinguishers on Round-reduced AES

- Mathematics, Computer Science; IACR Trans. Symmetric Cryptol.
- 2020

The present work illustrates how the well-known integral distinguisher on three-round AES resembles a sum of PRPs and can be extended to truncated-differential distinguishers over 4 and 5 rounds and how the prepended round can be integrated to form a six-round distinguisher.
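The two entries above build on the classic 3-round integral ("Square") distinguisher: take 256 plaintexts that agree in 15 bytes while the remaining byte runs through all 256 values (a Lambda-set); after three full AES rounds the XOR of the 256 ciphertexts is zero in every byte, because each round's SubBytes preserves the "active" (permutation) property and MixColumns maps balanced bytes to balanced bytes, while a fourth SubBytes destroys it. The script below is an added example, not code from the paper or from the cited works: it implements AES-128 from the specification (S-box computed from the GF(2^8) inverse and affine map), checks the implementation against the FIPS-197 Appendix C.1 test vector, and then verifies the balanced-sum property for 3 rounds and its absence for 4. The key and the constant plaintext bytes are arbitrary constructed values.

```python
"""Verify the 3-round integral distinguisher on AES-128 (added example)."""


def _xtime(b):
    # Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1.
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def _gmul(a, b):
    # Generic GF(2^8) multiplication (shift-and-add).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    # S-box = multiplicative inverse followed by the AES affine transform.
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gmul(x, y) == 1)
        s, t = inv, inv
        for _ in range(4):  # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # State is column-major: index 4*col + row. Row r rotates left by r.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3,
            a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
            a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3),
            _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2),
        ]
    return out


def _expand_key(key):
    # AES-128 key schedule: 44 words, returned as 11 round keys of 16 bytes.
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes_reduced(plaintext, key, rounds, omit_last_mix=False):
    """Encrypt one block with `rounds` AES-128 rounds after key whitening.
    Every round includes MixColumns unless omit_last_mix drops it from the
    last round (that is the real AES final round; use rounds=10 for full AES)."""
    rk = _expand_key(key)
    s = [p ^ k for p, k in zip(plaintext, rk[0])]
    for r in range(1, rounds + 1):
        s = _shift_rows(_sub_bytes(s))
        if not (omit_last_mix and r == rounds):
            s = _mix_columns(s)
        s = [a ^ k for a, k in zip(s, rk[r])]
    return bytes(s)


def lambda_set_xor(key, rounds, active_byte=0, base=None):
    """XOR of the `rounds`-round encryptions of a Lambda-set: 256 plaintexts
    equal to `base` except that byte `active_byte` takes every value.
    All-zero output means every ciphertext byte is balanced."""
    pt = bytearray(base if base is not None else bytes(16))
    acc = [0] * 16
    for v in range(256):
        pt[active_byte] = v
        acc = [a ^ b for a, b in zip(acc, aes_reduced(bytes(pt), key, rounds))]
    return bytes(acc)


KEY = bytes(range(16))                                      # constructed key
BASE = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed constant bytes


def main():
    # Sanity check: FIPS-197 Appendix C.1 vector for full AES-128.
    full = aes_reduced(BASE, KEY, 10, omit_last_mix=True)
    print("AES-128 test vector ok:", full.hex() == "69c4e0d86a7b0430d8cdb78070b4c55a")
    for rounds in (3, 4):
        print(f"{rounds} rounds, XOR over Lambda-set:", lambda_set_xor(KEY, rounds, 5, BASE).hex())


if __name__ == "__main__":
    main()
```

The 3-round sum is zero for any key, any constant bytes and any choice of active byte position; with 4 rounds the sum is zero in a given byte only with probability about 1/256, which is exactly the gap that the Square attack exploits by guessing the last round key bytes and checking balance after partial decryption.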

Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES

- Mathematics, Computer Science; IACR Cryptol. ePrint Arch.
- 2017

This paper introduces "Mixture Differential Cryptanalysis" on round-reduced AES-like ciphers, a way to translate the (complex) "multiple-of-8" 5-round distinguisher into a simpler and more convenient one (though on a smaller number of rounds).

The Exchange Attack: How to Distinguish 6 Rounds of AES with \(2^{88.2}\) chosen plaintexts

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2019

The main result of this paper is that AES up to at least six rounds is biased when restricted to exchange-invariant sets of plaintexts.

Truncated Boomerang Attacks and Application to AES-based Ciphers

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2022

A general framework for boomerang attacks with truncated differentials, which takes into account structures on the plaintext and ciphertext sides, and includes an analysis of the key recovery step, is introduced.

Mixture-Based 5-Round Physical Attack against AES: Attack Proposal and Noise Evaluation

- Computer Science, Mathematics; IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
- 2022

This paper carries the recently proposed 5-round mixture differential cryptanalysis, which is not a physical attack, into the physical attack setting, and proposes a corresponding physical attack that uses leakage as deep as 5 rounds.

New Key Recovery Attack on Reduced-Round AES

- Mathematics, Computer Science; IACR Cryptol. ePrint Arch.
- 2022

This work extends the 4-round property of AES by considering some further properties of related differences over the AES linear layer, generalizing the zero-difference property, which results in a new key-recovery attack on 7-round AES.

## References


Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2012

In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on Dunkelman, Keller and Shamir attacks at Asiacrypt 2010. We present the best attack on 7 rounds of…

Improved "Partial Sums"-based Square Attack on AES

- Computer Science, Mathematics; SECRYPT
- 2012

It is demonstrated that the quantity of chosen plaintext-ciphertext pairs can be halved producing the same reduction in the time complexity, which is achieved by eliminating hypotheses on-the-fly when bytes in consecutive subkeys are related because of the key schedule.

Biclique Cryptanalysis of the Full AES

- Computer Science, Mathematics; ASIACRYPT
- 2011

This paper presents the novel technique of block cipher cryptanalysis with bicliques, which leads to the following results: the first key recovery method for the full AES-128, with computational complexity \(2^{126.1}\), and key recovery methods with lower complexity for reduced-round versions of AES not considered before.

Mixture Differential Cryptanalysis: New Approaches for Distinguishers and Attacks on round-reduced AES

- Mathematics, Computer Science; IACR Cryptol. ePrint Arch.
- 2017

This paper introduces "Mixture Differential Cryptanalysis" on round-reduced AES-like ciphers, a way to translate the (complex) "multiple-of-8" 5-round distinguisher into a simpler and more convenient one (though on a smaller number of rounds).

Low-Data Complexity Attacks on AES

- Computer Science, Mathematics; IEEE Transactions on Information Theory
- 2012

This paper presents attacks on up to four rounds of AES that require at most three known/chosen plaintexts, and applies these attacks to cryptanalyze an AES-based stream cipher, and to mount the best known plaintext attack on six-round AES.

Meet-in-the-Middle Attacks on AES

- Computer Science, Mathematics
- 2013

A new technique to solve a particular kind of equation arising in attacks on the AES, which relies on both linear algebra and the "Meet-in-the-Middle" technique and leads to many solvers with different but predictable complexities.

Yoyo Tricks with AES

- Computer Science, Mathematics; ASIACRYPT
- 2017

New fundamental properties of SPNs that turn out to be particularly useful in the adaptive chosen ciphertext/plaintext setting are introduced, yielding for the first time key-independent yoyo distinguishers for 3 to 5 rounds of AES.

Exhausting Demirci-Selçuk Meet-in-the-Middle Attacks against Reduced-Round AES

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2013

A way is found to automatically model SPN block ciphers and meet-in-the-middle attacks that allows one to perform an exhaustive search over this kind of attack and to automatically recover all the recent improved attacks of Derbez, Fouque and Jean on AES.

Block Ciphers That Are Easier to Mask: How Far Can We Go?

- Computer Science, Mathematics; CHES
- 2013

A detailed security analysis of this new cipher taking its design specificities into account is provided, leading us to exploit innovative techniques borrowed from hash function cryptanalysis (that are sometimes of independent interest).

Automatic Search of Attacks on round-reduced AES and Applications

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2012

In this paper, we describe versatile and powerful algorithms for searching guess-and-determine and meet-in-the-middle attacks on byte-oriented symmetric primitives. To demonstrate the strength of…