Abstract
In meet-in-the-middle (MITM) attacks, the sizes of the precomputation tables determine the effectiveness. In this paper, value constraints are presented to reduce the size of the precomputation table in MITM attacks on AES. Based on a differential property of linear combinations of multiple S-boxes, value constraints related to the input or output of four and five rounds of AES are explored. With these value constraints, a method of setting up non-linear equations is proposed that reduces the sizes of the precomputation tables by decreasing the number of byte parameters. Compared with the existing results, the table sizes can be reduced by a factor of \(2^8\), \(2^{16}\), or \(2^{24}\). Finally, some attacks are improved with lower time and memory complexities.
Data Availability
No new data were generated or analyzed in support of this research.
References
Bao Z., Guo J., List E.: Extended truncated-differential distinguishers on round-reduced AES. IACR Trans. Symmetric Cryptol. 2020(3), 197–261 (2020).
Bar-On A., Dunkelman O., Keller N., Ronen E., Shamir A.: Improved key recovery attacks on reduced-round AES with practical data and memory complexities. J. Cryptol. 33(3), 1003–1043 (2020).
Bardeh N., Rijmen V.: New key-recovery attack on reduced-round AES. IACR Trans. Symmetric Cryptol. 2022(2), 43–62 (2022).
Bardeh N., Rønjom S.: The exchange attack: how to distinguish 6 rounds of AES with \(2^{88}\) chosen plaintexts. ASIACRYPT 2019. LNCS, vol. 11923, pp. 347–370. Springer, Heidelberg (2019).
Biham E., Keller N.: Cryptanalysis of reduced variants of Rijndael. AES Conference (2000).
Biryukov A.: The boomerang attack on 5 and 6-round reduced AES. AES 2004. LNCS, vol. 3373, pp. 11–15. Springer, Heidelberg (2005).
Bogdanov A., Khovratovich D., Rechberger C.: Biclique cryptanalysis of the full AES. ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011).
Bouillaguet C., Derbez P., Dunkelman O., Fouque P., Keller N., Rijmen V.: Low-data complexity attacks on AES. IEEE Trans. Inf. Theory 58(11), 7002–7017 (2012).
Boura C., Canteaut A., Coggia D.: A general proof framework for recent AES distinguishers. IACR Trans. Symmetric Cryptol. 2019(1), 170–191 (2019).
Cheon J.H., Kim M., Kim K., Jung-Yeun L., Kang S.: Improved impossible differential cryptanalysis of Rijndael and Crypton. ICISC 2001. LNCS, vol. 2288, pp. 39–49. Springer, Heidelberg (2002).
Daemen J., Knudsen L., Rijmen V.: The block cipher SQUARE. In: Biham E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Berlin (1997).
Daemen J., Rijmen V.: AES proposal: Rijndael. First Advanced Encryption Standard (AES) Conference (1998).
Demirci H., Selçuk A.A.: A meet-in-the-middle attack on 8-round AES. FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008).
Demirci H., Selçuk A.A., Türe E.: A new meet-in-the-middle attack on the IDEA block cipher. SAC 2003. LNCS, vol. 3006, pp. 117–129. Springer, Heidelberg (2004).
Demirci H., Taşkın I., Çoban M., Baysal A.: Improved meet-in-the-middle attacks on AES. INDOCRYPT 2009. LNCS, vol. 5922, pp. 144–156. Springer, Heidelberg (2009).
Derbez P., Fouque P.-A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014).
Derbez P., Fouque P.-A., Jean J.: Improved key recovery attacks on reduced-round AES in the single-key setting. EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013).
Diffie W., Hellman M.E.: Special feature exhaustive cryptanalysis of the NBS data encryption standard. Computer 10, 74–84 (1977).
Dong X., Li L., Jia K., Wang X.: Improved attacks on reduced-round Camellia-128/192/256. CT-RSA 2015. LNCS, vol. 9048, pp. 59–83. Springer, Heidelberg (2015).
Dunkelman O., Keller N., Shamir A.: Improved single-key attacks on 8-round AES-192 and AES-256. ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010).
Ferguson N., Kelsey J., Lucks S., Schneier B., Stay M., Wagner D., Whiting D.: Improved cryptanalysis of Rijndael. FSE 2000. LNCS, vol. 1978, pp. 213–230 (2001).
Gilbert H., Minier M.: A collision attack on 7 rounds of Rijndael. AES Candidate Conference, pp. 230–241 (2000).
Grassi L.: Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES. IACR Trans. Symmetric Cryptol. 2018(2), 133–160 (2018).
Grassi L., Rechberger C., Rønjom S.: Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol. 2016(2), 192–225 (2016).
Grassi L., Rechberger C., Rønjom S.: A new structural-differential property of 5-round AES. EUROCRYPT 2017. LNCS, vol. 10211, pp. 289–317. Springer, Cham (2017).
Gilbert H., Peyrin T.: Super-Sbox cryptanalysis: improved attacks for AES-like permutations. FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010).
Grassi L., Schofnegger M.: Mixture integral attacks on reduced-round AES with a known/secret S-Box. INDOCRYPT 2020. LNCS, vol. 12578, pp. 312–331. Springer, Heidelberg (2020).
Li L., Jia K., Wang X.: Improved single-key attacks on 9-round AES-192/256. FSE 2014. LNCS, vol. 8540, pp. 127–146. Springer, Heidelberg (2015).
Lu J.: Cryptanalysis of block ciphers. Doctoral Dissertation, Royal Holloway University of London, pp. 15–104 (2015).
Lu J., Dunkelman O., Keller N., Kim J.-S.: New impossible differential attacks on AES. INDOCRYPT 2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008).
Mala H., Dakhilalian M., Rijmen V., Modarres-Hashemi M.: Improved impossible differential cryptanalysis of 7-round AES-128. INDOCRYPT 2010. LNCS, vol. 6498, pp. 282–291. Springer, Heidelberg (2010).
Rønjom S., Bardeh N.G., Helleseth T.: Yoyo tricks with AES. ASIACRYPT 2017. LNCS, vol. 10624, pp. 217–243. Springer, Cham (2017).
Sun B., Liu M., Guo J., Qu L., Rijmen V.: New insights on AES-like SPN ciphers. CRYPTO 2016. LNCS, vol. 9814, pp. 605–624. Springer, Heidelberg (2016).
Tiessen T.: Polytopic cryptanalysis. EUROCRYPT 2016. LNCS, vol. 9665, pp. 214–239. Springer, Heidelberg (2016).
Zhang W., Wu W., Feng D.: New results on impossible differential cryptanalysis of reduced AES. ICISC 2007. LNCS, vol. 4817, pp. 239–250. Springer, Heidelberg (2007).
Acknowledgements
This work was supported by National Natural Science Foundation of China [Grant Nos. 62302285, 62372370, 62002288] and Key Research and Development Program of Shaanxi [Grant No. 2023-YBGY-015].
Additional information
Communicated by M. Naya-Plasencia.
Appendices
A Special cases for Property 2 and Property 3 about S-boxes
For Property 2, there is one special case. When \(\Delta _{in}^{0,0}=\Delta _{in}^{1,0}=\Delta _{in}^{0}\) and \(\Delta _{in}^{0,1}=\Delta _{in}^{1,1}=\Delta _{in}^{1}\), it degenerates into the solution of a single S-box. Then Corollary 1 follows.
Corollary 1
Given four non-zero differences \(\Delta _{in}^{0}, \Delta _{in}^{1}, \Delta _{out}^0\), and \(\Delta _{out}^1\) in \({GF(2^8)}\),
has one solution for \(x_0, x_1\) on average, where \(a_{0,0},a_{0,1},a_{1,0}, a_{1,1}\in {GF(2^8)}\) are fixed coefficients. This property also applies to \({S^{ - 1}}\).
For Property 3, a similar conclusion can be obtained.
Corollary 2
Given \((t^2+t)\) non-zero differences \(\Delta _{in}^{i,j},\Delta _{out}^j \in {GF(2^8)}~ (i = 0,1, \cdots ,t - 1; j = 0,1, \cdots ,t - 1; t\in \{1,2,3,4\})\),
has one solution for \(x_0,x_1,\cdots ,x_{t-1}\) on average, where the \({a_{i,j}} \in {GF(2^8)}\) are fixed coefficients. This property also applies to \({S^{ - 1}}\).
B Improvements on GDS attacks with value constraints
DS attacks on 7-round and 8-round AES-192 with value constraints are studied in Sect. 4.1. At FSE 2014, Derbez et al. proposed GDS attacks on 7-round AES-128 and 9-round AES-256 with practical data complexities. In this section, these GDS attacks with value constraints will be discussed. Only the conclusions are given since the details are similar to those in Sect. 4.1.
B.1 An attack on 7-round AES-128
The property of four AES rounds [16] is first reviewed, where a generalized sequence is used. It is based on the equation \(03 \cdot \Delta {Z_4}[8] \oplus \Delta {Z_4}[9] \oplus 02 \cdot \Delta {Z_4}[10] = \Delta {X_5}[8] \oplus \Delta {X_5}[9]\). Let \(e_{pre}=03 \cdot {Z_4}[8] \oplus {Z_4}[9] \oplus 02 \cdot {Z_4}[10]\) and \(e_{on}={X_5}[8] \oplus {X_5}[9]\).
Proposition 5
(4-round GDS property [16]) Let \(\{ X_1^0,X_1^1, \cdots , X_1^{255}\} \) be a \(\delta \)-set where the active byte is \(X_1[0]\) and \(X_1^{i}[0]=i~( i=0,1,\cdots ,255)\). Consider the encryption of the \(\delta \)-set through four AES rounds (see the dotted box without circles in Fig. 11); then the sequence \((e_{pre}^1\oplus e_{pre}^0,e_{pre}^2\oplus e_{pre}^0, \cdots , e_{pre}^{255}\oplus e_{pre}^0)\) takes about \({2^{19 \times 8}}\) values, which are determined by the 19 parameters \(B_{pre}[{4 \hbox {-} round}~GDS] = {X_2^0}[col(0)]||{X_3^0}[SR^{-1}(col(0,2,3))]||{K_3}[2;8;13]\).
For four AES rounds in Proposition 5, if a 2-byte constraint is added, 19 parameters \(B_{pre}[{4 \hbox {-} round}~GDS]\) can be reduced to \(19-2=17\) parameters \(B^{constraint}_{pre}[{4 \hbox {-} round}~GDS]\) as follows.
Observation 4
(4-round GDS property with a 2-byte constraint) In Proposition 5, if the outputs of a tuple \((X_1^0,X_1^1,X_1^2)\) of the \(\delta \)-set conform to
which is depicted in the dotted box of Fig. 11, then we have
Attack 4: An attack on 7-round AES-128 based on Observation 4.
We apply four AES rounds with a 2-byte value constraint to attack 7-round AES-128 by adding one round at the beginning and two rounds at the end (see Fig. 11). This attack is similar to Attack 1 in Sect. 4.1.2.
In the precomputation phase based on Observation 4, we have \(B^{constraint}_{pre}[{4 \hbox {-} round}~GDS] = {X_2^0}[col(0)]||{K_3}[2]|| {X_3^0}[SR^{-1}(col(0,2,3))]\). Thus, in order to compute and store all possible values of the 29-byte sequence with the 17-byte \(B^{constraint}_{pre}[{4 \hbox {-} round}~GDS]\), the \(\mathrm TIME_{pre}\) is \(29\times 2^{8\times 17}\times 1.25/7\approx 2^{138.4}\) encryptions, and the MEMORY is \(29\times 2^{8\times 17}/16\approx 2^{137}\) 16-byte blocks.
In the online phase for attacking 7-round AES-128 with the key schedule \({KS_6}[SR(col(1,2))]\Rightarrow {KS_5}[5,8]\), we have \({K_{on}} {=} {K_{-1}}[SR^{-1}(col(0))]||{K_0}[0]||{KS_6}[SR(col(1,2))]\).
In Phase A for detecting the right triplet, the time complexity is \(2^{8}\times 2^{8\times 13}= 2^{112}\) memory accesses, which is equal to about \(2^{104}\) encryptions. In Phase B for checking the \(\delta \)-set, the time complexity is \(32 \times 2^{8\times 13}\times 1/7\approx 2^{106.4}\) encryptions with 13-byte \(K_{on}\). Thus, the \(\mathrm TIME_{on}\) is \(2^{106.4}\) encryptions.
All in all, the DATA is \(2^{32}\) chosen plaintexts, the MEMORY is \(2^{137}\) AES blocks, and the TIME (including \(\mathrm TIME_{pre}\) and \(\mathrm TIME_{on}\)) is \(2^{138.4}+2^{106.4}\approx 2^{138.4}\) encryptions.
One structure of \(2^{32}\) chosen plaintexts can be divided into \(2^{24}\) \(\delta \)-sets. However, only \(2^{24}\times 2^{-8}\times 2^{-8}=2^8\) \(\delta \)-sets remain under the constraints \(e_{on}^1 \oplus e_{on}^0 =CON\) and \(e_{on}^2 \oplus e_{on}^0 =CON\). Thus, after Demirci-Selçuk’s TMD tradeoff [13], the DATA is \(max(2^8 \times 2^{16+8}, 2^8 \times 2^{16+n})=max(2^{32},2^{24+n})\) chosen plaintexts, the MEMORY is \(2^{137-n}\) AES blocks, and the TIME is \(2^{138.4-n}+2^{106.4+n}\) encryptions. When \(n=16\), the DATA is \(2^{40}\) chosen plaintexts, the MEMORY is \(2^{121}\) AES blocks, and the TIME is \(2^{123.4}\) encryptions.
Attack 5: An attack on 7-round AES-256 based on Observation 4.
The attack on 7-round AES-128 described in Attack 4 can be applied to AES-256. But in that case, since \(KS_5\) and \(KS_6\) are independent, the TIME is increased by a factor of \(2^{16}\). After Demirci-Selçuk’s TMD tradeoff [13], the DATA is \(max(2^8 \times 2^{16+8}, 2^8 \times 2^{16+n})=max(2^{32},2^{24+n})\) chosen plaintexts, the MEMORY is \(2^{137-n}\) AES blocks, and the TIME is \(2^{138.4-n}+2^{122.4+n}\) encryptions. When \(n=8\), the DATA is \(2^{32}\) chosen plaintexts, the MEMORY is \(2^{129}\) AES blocks, and the TIME is \(2^{131.4}\) encryptions.
Attack 6: An attack on 7-round AES-192 based on Observation 4.
The attack on 7-round AES-192 is similar to the case of 7-round AES-128 except for the different attack path [16] and the fact that only one subkey byte can be deduced from other known subkeys. After Demirci-Selçuk’s TMD tradeoff [13], the DATA is \(max(2^8 \times 2^{16+8}, 2^8 \times 2^{16+n})=max(2^{32},2^{24+n})\) chosen plaintexts, the MEMORY is \(2^{137-n}\) AES blocks, and the TIME is \(2^{138.4-n}+2^{114.4+n}\) encryptions. When \(n=12\), the DATA is \(2^{36}\) chosen plaintexts, the MEMORY is \(2^{125}\) AES blocks, and the TIME is \(2^{127.4}\) encryptions.
B.2 An attack on 9-round AES-256
The property of five AES rounds [16] is first reviewed, where a generalized sequence is used. It is performed on the equation \(07 \cdot \Delta {Z_5}[8] \oplus 07 \cdot \Delta {Z_5}[9] \oplus 02 \cdot \Delta {Z_5}[11] = 03 \cdot \Delta {X_6}[8] \oplus \Delta {X_6}[9]\). Let \(e_{pre}=07 \cdot {Z_5}[8] \oplus 07 \cdot {Z_5}[9] \oplus 02 \cdot {Z_5}[11]\) and \(e_{on}=03 \cdot {X_6}[8] \oplus {X_6}[9]\).
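The 4-round and 5-round equations above are both linear identities of AES MixColumns: choosing coefficients on two bytes of the MixColumns output fixes the coefficients on the input column, and whichever input byte receives coefficient 00 drops out of the sequence (that is where the parameter saving comes from). The following added example, which is not code from the paper, derives both coefficient sets with the general rule and checks that the round key cancels in the differences; it assumes the standard DS notation in which \(Z_r\) is the column entering MixColumns in round \(r\) and \(X_{r+1} = MixColumns(Z_r) \oplus K_r\).

```python
# Added example (not the paper's code): the GDS equations as MixColumns identities.
# Assumption (standard DS notation): Z_r is the column entering MixColumns and
# X_{r+1} = MixColumns(Z_r) XOR K_r, so the round key cancels in XORs of two values.
from typing import List, Sequence, Tuple

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

# AES MixColumns matrix: output byte i = XOR over j of MC[i][j] * input byte j.
MC = [[0x02, 0x03, 0x01, 0x01],
      [0x01, 0x02, 0x03, 0x01],
      [0x01, 0x01, 0x02, 0x03],
      [0x03, 0x01, 0x01, 0x02]]

def combine(coeffs: Sequence[int], values: Sequence[int]) -> int:
    """XOR of coeffs[j] * values[j] over j, e.g. 03*Z[8] ^ Z[9] ^ 02*Z[10]."""
    acc = 0
    for c, v in zip(coeffs, values):
        acc ^= gf_mul(c, v)
    return acc

def mix_column(col: Sequence[int]) -> List[int]:
    """MixColumns applied to one 4-byte column."""
    return [combine(MC[i], col) for i in range(4)]

def pull_back(out_coeffs: Sequence[int]) -> Tuple[int, ...]:
    """Coefficients c on the MixColumns input such that, for every column Z,
    XOR_i out_coeffs[i]*MixColumns(Z)[i] == XOR_j c[j]*Z[j].
    The page's two equations are instances: (01,01,00,00) on X_5 gives
    (03,01,02,00) on Z_4; (03,01,00,00) on X_6 gives (07,07,00,02) on Z_5."""
    return tuple(combine(out_coeffs, [MC[i][j] for i in range(4)]) for j in range(4))

def silent_bytes(out_coeffs: Sequence[int]) -> List[int]:
    """Positions in the input column that the combination does not depend on."""
    return [j for j, c in enumerate(pull_back(out_coeffs)) if c == 0]

def difference_identity_holds(out_coeffs: Sequence[int], z0: Sequence[int],
                              z1: Sequence[int], key_col: Sequence[int]) -> bool:
    """Check e_on^1 ^ e_on^0 == e_pre^1 ^ e_pre^0 for two MixColumns input
    columns z0, z1 and an arbitrary round-key column (which must cancel)."""
    in_coeffs = pull_back(out_coeffs)
    x0 = [w ^ k for w, k in zip(mix_column(z0), key_col)]
    x1 = [w ^ k for w, k in zip(mix_column(z1), key_col)]
    e_pre_diff = combine(in_coeffs, z0) ^ combine(in_coeffs, z1)
    e_on_diff = combine(out_coeffs, x0) ^ combine(out_coeffs, x1)
    return e_pre_diff == e_on_diff

if __name__ == "__main__":
    # Constructed sample columns and key column, not values from the paper.
    z0, z1 = [0x01, 0x23, 0x45, 0x67], [0x89, 0xAB, 0xCD, 0xEF]
    k = [0xDE, 0xAD, 0xBE, 0xEF]
    for name, oc in (("4-round GDS", (1, 1, 0, 0)), ("5-round GDS_256", (3, 1, 0, 0))):
        print(name, [hex(c) for c in pull_back(oc)], "silent byte:", silent_bytes(oc),
              "identity holds:", difference_identity_holds(oc, z0, z1, k))
```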
Proposition 6
(5-round \(\mathrm GDS_{256}\) property [16]) Let \(\{ W_0^0,W_0^1, \cdots ,W_0^{255}\} \) be a \(\delta \)-set where the active byte is \(W_0[1]\) and \(W_0^{i}[1]=i~ (i=0,1,\cdots ,255)\). Consider the encryption of the \(\delta \)-set through five AES rounds (see the dotted box without circles in Fig. 12); then the sequence \(( e_{pre}^1\oplus e_{pre}^0,e_{pre}^2\oplus e_{pre}^0, \cdots ,e_{pre}^{255}\oplus e_{pre}^0)\) takes about \({2^{35 \times 8}}\) values, which are determined by the 35 parameters \(B_{pre}[{5 \hbox {-} round}~GDS] = {X_2^0}[col(3)]||X_3^0||{X_4^0}[SR^{-1}(col(0,2,3))]||{K_4}[1;11;12]\).
For five full AES rounds in Proposition 6, if a 2-byte constraint is added, 35 parameters \(B_{pre}[{5 \hbox {-} round}~GDS]\) can be reduced to \(35-2=33\) parameters \(B^{constraint}_{pre}[{5 \hbox {-} round}~GDS]\) as follows.
Observation 5
(5-round \(\mathrm GDS_{256}\) property with a 2-byte constraint) In Proposition 6, if the outputs of a tuple \((W_0^0,W_0^1,W_0^2)\) of the \(\delta \)-set conform to
which is depicted in the dotted box of Fig. 12, then we have
Attack 7: An Attack on 9-round AES-256 based on Observation 5.
We apply five AES rounds with a 2-byte value constraint to attack 9-round AES-256 by adding one round at the beginning and three rounds at the end (see Fig. 12). This attack is similar to Attack 1 in Sect. 4.1.2.
In the precomputation phase based on Observation 5, we have \(B^{constraint}_{pre}[{5 \hbox {-} round}~GDS] = {X_2^0}[col(3)]||X_3^0|| {X_4^0}[SR^{-1}(col(0,2,3))]||{KS_4}[1]\). Thus, in order to compute and store all possible values of the 29-byte sequence with the 33-byte \(B^{constraint}_{pre}[{5 \hbox {-} round}~GDS]\), the \(\mathrm TIME_{pre}\) is \(29\times 2^{8\times 33}\times 2/9= 2^{266.8}\) encryptions, and the MEMORY is \(29\times 2^{8\times 33}/16 \approx 2^{265}\) 16-byte blocks for the 29-byte sequence.
In the online phase for attacking 9-round AES-256 with the key schedule \({K_8}\Rightarrow {KS_6}[9,12]\), we have \({K_{on}} = {K_{-1}}[SR^{-1}(col(0))]||{KS_7}[SR(col(2,3))]||{K_8}\). In Phase A for detecting the right triplet such that \(e_{on}^1 \oplus e_{on}^0 =CON\) and \(e_{on}^2 \oplus e_{on}^0 =CON\) for each \(K_{on}\), the time complexity is about \(2^8\times 2^{8\times 28}=2^{232}\) memory accesses, which is equal to about \(2^{224}\) encryptions. In Phase B for checking the \(\delta \)-set, the time complexity is about \(32\times 2^{8\times 28}\times 2/9=2^{226.8}\) encryptions with 28-byte \(K_{on}\). Thus, the \(\mathrm TIME_{on}\) is \(2^{226.8}\) encryptions.
All in all, the DATA is \(2^{32}\) chosen plaintexts, the MEMORY is \(2^{265}\) AES blocks, and the TIME (including \(\mathrm TIME_{pre}\) and \(\mathrm TIME_{on}\)) is \(2^{266.8}+2^{226.8}\) encryptions.
After Demirci-Selçuk’s TMD tradeoff [13], the DATA is \(max({2^{32},2^{24+n}})\) chosen plaintexts, the MEMORY is \(2^{265-n}\) AES blocks, and the TIME is \(2^{266.8-n}+2^{226.8+n}\) encryptions. When \(n=20\), the DATA is \(2^{44}\) chosen plaintexts, the MEMORY is \(2^{245}\) AES blocks, and the TIME is \(2^{247.8}\) encryptions.
C Improvements on another TDC attack with value constraints
A TDC attack on 9-round AES-192 with value constraints is studied in Sect. 4.2. In this section, another TDC attack on 9-round AES-256 with value constraints will be discussed. Only the conclusions are given since the details are similar to those in Sect. 4.2.
Proposition 7 gives the property of five AES rounds under 256 key bits in DS attacks.
Proposition 7
(5-round \(\mathrm DS _{256}\) property [17]) Let \(\{ W_0^0,W_0^1, \cdots , W_0^{255}\} \) be a \(\delta \)-set where the active byte is \(W_0[1]\) and \(W_0^{i}[1]=i~ (i=0,1,\cdots ,255)\). Consider the encryption of the \(\delta \)-set through five AES rounds under 256 key bits (see the dotted box without circles in Fig. 13); then the ordered sequence \((W_{5}^1[12] \oplus W_{5}[12], W_{5}^2[12]\oplus W_{5}[12], \cdots ,W_{5}^{255}[12]\oplus W_{5}[12])\) takes about \({2^{40 \times 8}}\) values, which are determined by the 40 parameters \(B_{pre}[{5 \hbox {-} round}~DS_{256}]= {X_2}[col(3)]||{X_3}||X_4||X_5[SR^{-1}(col(3))]\).
Proposition 8 gives the property of five AES rounds under 256 key bits in TDC attacks.
Proposition 8
(5-round \(\mathrm TDC _{256}\) property [17]) In Proposition 7, if a pair \((W_0,W_0^{\prime })\) of the \(\delta \)-set conforms to a TDC (see the dotted box without circles in Fig. 13), then we have \(B_{pre}[{5 \hbox {-} round}~TDC_{256}]=\Delta {X_1}[1]||{X_1}[1]||{X_2}[col(3)]|| {X_3}||{X_4}[0;4;8]||{X_5}[12].\)
For five AES rounds under 256 key bits in Proposition 8, when the input \(\Delta {X_1}[1]\) and output \(\Delta {W_5}[12]\) in the TDC take \(n_0\) and \(n_1\) fixed constants, respectively, the parameters can be achieved with a (2, \(n_0n_1\)) constraint in Observation 6. The proof is similar to that in Observation 3.
Observation 6
(5-round \(\mathrm TDC _{256}\) property with a (2, \(n_0n_1\)) constraint) In Proposition 8, if the inputs and outputs of a pair \((W_0,W_0^{\prime })\) of the \(\delta \)-set conform to
which is depicted in the dotted box of Fig. 13, then we have
\(B^{constraint}_{pre}[{5 \hbox {-} round}~TDC_{256}] = \bigcup\limits_{\substack{\Delta {X_1}[1] \in \{ CON_{in}^0, \cdots ,CON_{in}^{n_0 - 1}\},\\ {X_5}[SR^{-1}(col(3))] \in \{ \gamma (CON_{out}^0), \cdots ,\gamma (CON_{out}^{n_1 - 1})\}}} {X_1}[1]||{X_2}[col(3)]||{X_3}||{X_4}[0;4;8].\)
Attack 8: An Attack on 9-round AES-256 based on Observation 6
We apply five AES rounds with a \((2,n_0n_1)\) value constraint to attack 9-round AES-256 by adding one round at the beginning and three rounds at the end (see Fig. 13). The attack is similar to Attack 3 in Sect. 4.2.2.
In the precomputation phase based on Observation 6, we have
Thus, in order to compute and store all possible values of the 31-byte sequence with \(n_0\times n_1\times 2^{8\times 24}\) values of \(B^{constraint}_{pre}[{5 \hbox {-} round}~TDC_{256}]\), the \(\mathrm TIME_{pre}\) is \(31\times (n_0 \times n_1\times 2^{8\times 24})\times 2.5/9 \approx 2^{195.1}n_0n_1\) encryptions, and the MEMORY is \(31\times (n_0 \times n_1\times 2^{8\times 24})/16 \approx 2^{192.9}n_0n_1\) 16-byte blocks.
In the online phase for attacking 9-round AES-256 with the key schedule \(K_8 \Rightarrow KS_6[12]\), we have \({K_{on}} = {K_{ - 1}}[SR^{-1}(col(3))]||K{S_7}[SR(col(3))]||{K_8}\). Thus, the \(\mathrm TIME_{on}\) is \(32 \times 2^{8\times 24}\times 1.5/9=2^{194.5}\) encryptions with the 24-byte \(K_{on}\), which is determined by Phase B.
All in all, the DATA is \(2^{129}/(n_0n_1)\) chosen plaintexts, the MEMORY is \(2^{193}n_0n_1\) AES blocks, and the TIME (including \(\mathrm TIME_{pre}\) and \(\mathrm TIME_{on}\)) is \(2^{195.1}n_0n_1+2^{194.5}\) encryptions. When \(n_0n_1=2^2\), the DATA is \(2^{127}\) chosen plaintexts, the MEMORY is \(2^{194.9}\) AES blocks and the TIME is \(2^{197.1}\) encryptions. When \(n_0n_1=2^8\), the DATA is \(2^{121}\) chosen plaintexts, the MEMORY is \(2^{201}\) AES blocks, and the TIME is \(2^{203.1}\) encryptions.
Using the technique in [16], the whole attack can be split up into several weak-key attacks according to the relation \(K_3||K_8\Rightarrow K_{-1}[10;15]||K_4[11;12]\), and the memory complexity is reduced by a factor of \(2^{32}\).
Cite this article
Dong, X., Liu, J., Wei, Y. et al. Meet-in-the-middle attacks on AES with value constraints. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01396-9