Paper 2018/527

Improved Key Recovery Attacks on Reduced-Round AES with Practical Data an d Memory Complexities

Achiya Bar-On, Orr Dunkelman, Nathan Keller, Eyal Ronen, and Adi Shamir


Determining the security of AES is a central problem in cryptanalysis, but progress in this area had been slow and only a handful of cryptanalytic techniques led to significant advancements. At Eurocrypt 2017 Grassi et al. presented a novel type of distinguisher for AES-like structures, but so far all the published attacks which were based on this distinguisher were inferior to previously known attacks in their complexity. In this paper we combine the technique of Grassi et al. with several other techniques in a novel way to obtain the best known key recovery attack on 5-round AES in the single-key model, reducing its overall complexity from about $2^{32}$ to less than $2^{22}$. Extending our techniques to 7-round AES, we obtain the best known attacks on AES-192 which use practical amounts of data and memory, breaking the record for such attacks which was obtained in 2000 by the classical Square attack.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2018
AESMixture Differential
Contact author(s)
orrd @ cs haifa ac il
2018-12-29: revised
2018-06-04: received
See all versions
Short URL
Creative Commons Attribution


      author = {Achiya Bar-On and Orr Dunkelman and Nathan Keller and Eyal Ronen and Adi Shamir},
      title = {Improved Key Recovery Attacks on Reduced-Round AES with Practical Data an d Memory Complexities},
      howpublished = {Cryptology ePrint Archive, Paper 2018/527},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.