Advances in Cryptology – EUROCRYPT 2013

Volume 7881 of the series Lecture Notes in Computer Science pp 371-387

Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting

  • Patrick Derbez (École Normale Supérieure)
  • Pierre-Alain Fouque (École Normale Supérieure; Université de Rennes)
  • Jérémy Jean (École Normale Supérieure)



In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on Dunkelman, Keller and Shamir attacks at Asiacrypt 2010. We present the best attack on 7 rounds of AES-128 where data/time/memory complexities are below $2^{100}$. Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of $2^{107}$ chosen-plaintexts, a memory complexity of $2^{96}$ and a time complexity of $2^{172}$ for AES-192 and $2^{196}$ for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with $2^{120}$ chosen plaintexts and time and memory complexities of $2^{203}$. All these attacks have been found by carefully studying the number of reachable multisets in Dunkelman et al. attacks.