Improved Key Recovery Attacks on Reduced-Round AES in the Single-Key Setting

International audienceIn this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on Dunkelman, Keller and Shamir attacks at Asiacrypt 2010. We present the best attack on 7 rounds of AES-128 where data/time/memory complexities are below 2 100 . Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of 2 107 chosen-plaintexts, a memory complexity of 2 96 and a time complexity of 2 172 for AES-192 and 2 196 for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with 2 120 chosen plaintexts and time and memory complexities of 2 203 . All these attacks have been found by carefully studying the number of reachable multisets in Dunkelman et al. attacks