Paper 2009/317

Related-key Cryptanalysis of the Full AES-192 and AES-256

Alex Biryukov and Dmitry Khovratovich


In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has $2^{99.5}$ time and data complexity, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has much higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.

Note: The attack on AES-256 improved to complexity 2^99.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Submitted to a conference.
AES-256AES-192related-key attacklocal collisionsboomerang switching
Contact author(s)
alex biryukov @ uni lu
2009-12-05: revised
2009-07-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Alex Biryukov and Dmitry Khovratovich},
      title = {Related-key Cryptanalysis of the Full AES-192 and AES-256},
      howpublished = {Cryptology ePrint Archive, Paper 2009/317},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.