Improved Meet-in-the-Middle Attacks on Nine Rounds of the AES-192 Block Cipher

In the single-key attack scenario, meet-in-the-middle (MitM) attack method has led to the best currently published cryptanalytic results on the AES block cipher, except biclique attack. Particularly, for AES with a 192-bit key (AES-192), Li et al. published 5-round MitM distinguishers and 9-round MitM attacks in 2014, by introducing the key-dependent sieve technique to reduce the number of unknown constants for a MitM distinguisher and using a so-called weak-key approach to reduce the memory complexity of an ordinary MitM attack, and their final main result is an attack on the first 9 rounds of AES-192 with a data complexity of \(2^{121}\) chosen plaintexts, a memory complexity of \(2^{181}\) bytes and a time complexity of \(2^{187.7}\) encryptions. In this paper, we observe that Li et al. used a wrong direction for the rotation operation of the AES-192 key schedule, which causes all their distinguishers and attacks to be seriously flawed, but fortunately we exploit a correct 5-round distinguisher with different active input and output byte positions, so that the resulting 9-round AES-192 attacks with/without Li et al.’s weak-key approach have the same complexities as Li et al.’s (flawed) attacks. Further, we give a trick to exploit two complicated additional one-byte linear relations (between the round keys of precomputation phase and the round keys of online phase) to further reduce memory complexity, and finally we make an attack on the 9-round AES-192 with a data complexity of \(2^{121}\) chosen plaintexts, a memory complexity of \(2^{172.3}\) bytes and a time complexity of \(2^{187.6}\) encryptions. Besides, we show that the 5-round MitM distinguisher can be extended to a 6-round MitM distinguisher, which can also attack the 9-round AES-192 with the same complexity. Our work corrects and improves Li et al.’s work, and the trick can potentially be used for MitM attacks on other block ciphers.