Related-Key Cryptanalysis of the Full AES-192 and AES-256
In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has 299.5 time and data complexity, while the recent attack by Biryukov-Khovratovich-Nikolić works for a weak key class and has much higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.
The extended version of this paper is available at http://eprint.iacr.org/2009/317.pdf.
KeywordsAES related-key attack boomerang attack
- 1.FIPS-197: Advanced Encryption Standard (November 2001), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
- 5.Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005)Google Scholar
- 7.Biryukov, A., Khovratovich, D., Nikolić, I.: Examples of differential multicollisions for 13 and 14 rounds of AES-256 (2009), http://eprint.iacr.org/2009/242.pdf
- 8.Chabaud, F., Joux, A.: Differential collisions in SHA-0. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 56. Springer, Heidelberg (1998)Google Scholar
- 11.Gilbert, H., Minier, M.: A collision attack on 7 rounds of Rijndael. In: AES Candidate Conference, pp. 230–241 (2000)Google Scholar
- 14.Lucks, S.: Ciphers secure against related-key attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 359–370. Springer, Heidelberg (2004)Google Scholar