Paper 2012/477

Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting

Patrick Derbez, Pierre-Alain Fouque, and Jérémy Jean


In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on Dunkelman, Keller and Shamir attacks of Asiacrypt 2010. We present the best attack on 7 rounds of AES-128 where data/time/memory complexities are below $2^{100}$. Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of $2^{107}$ chosen-plaintexts, a memory complexity of $2^{96}$ and a time complexity of $2^{172}$ for AES-192 and $2^{196}$ for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with $2^{120}$ chosen-plaintexts and time and memory complexities of $2^{203}$. All these attacks have been found by carefully studying the number of reachable multisets in Dunkelman et al. attacks.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Contact author(s)
Jeremy Jean @ ens fr
2012-08-21: received
Short URL
Creative Commons Attribution


      author = {Patrick Derbez and Pierre-Alain Fouque and Jérémy Jean},
      title = {Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting},
      howpublished = {Cryptology ePrint Archive, Paper 2012/477},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.