On simple and secure key distribution
CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
The Design of Rijndael
Weaknesses in the Key Scheduling Algorithm of RC4
SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
ASIACRYPT '92 Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Improved Cryptanalysis of Rijndael
FSE '00 Proceedings of the 7th International Workshop on Fast Software Encryption
Distinguisher and Related-Key Attack on the Full AES-256
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Related-Key Cryptanalysis of the Full AES-192 and AES-256
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Breaking 104 Bit WEP in less than 60 seconds
WISA'07 Proceedings of the 8th international conference on Information security applications
Related-Key boomerang and rectangle attacks
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Related-key rectangle attacks on reduced AES-192 and AES-256
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Pseudorandom functions and permutations provably secure against related-key attacks
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
The (related-key) impossible boomerang attack and its application to the AES block cipher
Designs, Codes and Cryptography
Meet-in-the-middle preimage attacks on AES hashing modes and an application to whirlpool
FSE'11 Proceedings of the 18th international conference on Fast software encryption
Automatic search of attacks on round-reduced AES and applications
CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
Biclique cryptanalysis of the full AES
ASIACRYPT'11 Proceedings of the 17th international conference on The Theory and Application of Cryptology and Information Security
A related-key attack on block ciphers with weak recurrent key schedules
FPS'11 Proceedings of the 4th Canada-France MITACS conference on Foundations and Practice of Security
EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
| Hi-index | 0.00 |
AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). While for AES-128, there are no known attacks faster than exhaustive search, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2176 and 299.5 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we aim to increase our understanding of AES security, and we concentrate on attacks with practical complexity, i.e., attacks that can be experimentally verified. We show attacks on reduced-round variants of AES-256 with up to 10 rounds with complexity which is feasible. One of our attacks uses only two related keys and 239 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2120 time). Another attack can break a 10-round version of AES-256 in 245 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2172 time). While the full AES-256 cannot be directly broken by these attacks, the fact that 10 rounds can be broken with such a low complexity raises serious concerns about the remaining safety margin offered by AES-256.