International Association for Cryptologic Research

IACR News item: 21 August 2012

Patrick Derbez, Pierre-Alain Fouque, Jérémy Jean
ePrint Report
In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on Dunkelman, Keller and Shamir attacks of Asiacrypt 2010. We present the best attack on 7 rounds of AES-128 where data/time/memory complexities are below $2^{100}$. Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of $2^{107}$ chosen-plaintexts, a memory complexity of $2^{96}$ and a time complexity of $2^{172}$ for AES-192 and $2^{196}$ for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with $2^{120}$ chosen-plaintexts and time and memory complexities of $2^{203}$. All these attacks have been found by carefully studying the number of reachable multisets in Dunkelman et al. attacks.
