Improved Single-Key Attacks on 9-Round AES-192/256

Li, Leibo; Jia, Keting; Wang, Xiaoyun

doi:10.1007/978-3-662-46706-0_7

Cited by 40 publications

(58 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To assess the resistance of the proposed schemes against meet-in-themiddle attacks, we focus on the more recent advances done in this context. In particular, we target the new meet-in-the-middle strategy on AES devised by Dunkelman, Keller and Shamir in [24], which has later been improved by Derbez, Fouque and Jean in [22,23], Derbez and Fouque in [21] and Li, Jia and Wang in [40]. This technique uses the key schedule equations to perform an advanced differential meet-in-the-middle cryptanalysis of reduced-round variants of AES-like ciphers.…”

Section: Security Analysismentioning

confidence: 99%

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Jean

Nikolić

Peyrin

2014

Lecture Notes in Computer Science

196

153

View full text Add to dashboard Cite

Abstract. We propose the TWEAKEY framework with goal to unify the design of tweakable block ciphers and of block ciphers resistant to related-key attacks. Our framework is simple, extends the key-alternating construction, and allows to build a primitive with arbitrary tweak and key sizes, given the public round permutation (for instance, the AES round). Increasing the sizes renders the security analysis very difficult and thus we identify a subclass of TWEAKEY, that we name STK, which solves the size issue by the use of finite field multiplications on low hamming weight constants. We give very efficient instances of STK, in particular, a 128-bit tweak/key/state block cipher Deoxys-BC that is the first AES-based ad-hoc tweakable block cipher. At the same time, Deoxys-BC could be seen as a secure alternative to AES-256, which is known to be insecure in the related-key model. As another member of the TWEAKEY framework, we describe Kiasu-BC, which is a very simple and even more efficient tweakable variation of AES-128 when the tweak size is limited to 64 bits. In addition to being efficient, our proposals, compared to the previous schemes that use AES as a black box, offer security beyond the birthday bound. Deoxys-BC and Kiasu-BC represent interesting pluggable primitives for authenticated encryption schemes, for instance, ΘCB3 instantiated with Kiasu-BC runs at about 0.75 c/B on Intel Haswell. Our work can also be seen as advances on the topic of secure key schedule design for AES-like ciphers, describing several proposals in this direction.

show abstract

Section: Security Analysismentioning

confidence: 99%

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Jean

Nikolić

Peyrin

2014

Lecture Notes in Computer Science

196

153

View full text Add to dashboard Cite

show abstract

“…We evaluate the time complexity of this part to 2 144+48+8−5 = 2 195 encryptions. In conclusion, the data complexity is 2 121.5 chosen-plaintexts, the time complexity is 2 203.5 encryptions and the memory complexity is 2 201.5 128-bit blocks by a trade-off [13]. The 14-round attack on CLEFIA-192 is shown in Fig.…”

Section: /14-roundmentioning

confidence: 99%

“…Using the rebound-like idea, they showed that many values in precomputation table are not reached at all under the constraint of the truncated differential trail. At FSE 2014, Li et al proposed key-dependent sieve technique to attack 9-round AES-192 [13].…”

Section: Introductionmentioning

confidence: 99%

Improved Meet-in-the-Middle Distinguisher on Feistel Schemes

Zheng

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Improved meet-in-the-middle cryptanalysis with efficient tabulation technique has been shown to be a very powerful form of cryptanalysis against SPN block ciphers. However, few literatures show the effectiveness of this cryptanalysis against Balanced-Feistel-Networks (BFN) and Generalized-Feistel-Networks (GFN) ciphers due to the stagger of affected trail and special truncated differential trail. In this paper, we describe a versatile and powerful algorithm for searching the best improved meet-in-the-middle distinguisher with efficient tabulation technique on word-oriented BFN and GFN block ciphers, which is based on recursion and greedy algorithm. To demonstrate the usefulness of our approach, we show key recovery attacks on 14/16-round CLEFIA-192/256 which are the best attacks. We also propose key recovery attacks on 13/15-round Camellia-192/256 (without F L/F L −1 ).

show abstract

“…As a result, they recover all the attacks in [10] and find new improved attacks on 8-round AES-192/256. At FSE 2014, Li et al [18] introduce the key-dependent sieve technique, which filters the wrong states based on the key relation, to further reduce the complexity in the precomputation phase. Besides, they show that the whole attack can be split up into some weak-key attacks according to the relations between the subkeys in the online phase and the precomputation phase.…”

Section: Introductionmentioning

confidence: 99%

“…AES is provably resistant against differential and linear attacks [5], but many other methods of cryptanalysis have been developed to attack AES, such as square attack [5,7,14,20], collision attack [17], meet-in-the-middle attack [8][9][10][11]13,18,22], impossible differential attack [19,21], biclique attack [4], related-key attack [1][2][3], known-key distinguisher [16] and chosen-key distinguisher [15]. Among these attacks, the known-key distinguisher and chosen-key distinguisher use the knowledge of the key and their goals are to distinguish the permutation from a random one.…”

Section: Introductionmentioning

confidence: 99%

Meet-in-the-middle attacks on 10-round AES-256

Li¹,

Jin²

2015

Des. Codes Cryptogr.

View full text Add to dashboard Cite

Meet-in-the-middle attack on AES is proposed by Demirci and Selçuk at FSE 2008, and improved greatly by Dunkelman et al. at ASIACRYPT 2010 and Derbez et al. at EUROCRYPT 2013 with various time/memory/data tradeoff techniques. At FSE 2014, Li et al.give the most efficient attack on 9-round AES-256 based on a 5-round meet-in-the-middle distinguisher. In this paper, we revisit Demirci and Selçuk's attack and present the first 6-round meet-in-the-middle distinguisher on AES-256 using the differential enumerate and key-dependent sieve techniques. Based on this distinguisher, we propose the first attack on 10-round AES-256 in the single-key model except biclique attack. Moreover, we can further reduce the data complexity by using several distinguishers in parallel and reduce the memory complexity by dividing the whole attack into a series of weak-key attacks. Finally, we can achieve the attack with a data complexity of 2 111 chosen plaintexts, a time complexity of 2 253 10-round AES encryptions and a memory complexity of 2 211.2 AES blocks.

show abstract

Improved Single-Key Attacks on 9-Round AES-192/256

Cited by 40 publications

References 16 publications

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Tweaks and Keys for Block Ciphers: The TWEAKEY Framework

Improved Meet-in-the-Middle Distinguisher on Feistel Schemes

Meet-in-the-middle attacks on 10-round AES-256

Contact Info

Product

Resources

About