Related-key differential cryptanalysis of 192-bit key AES variants

Abstract

A related-key differential cryptanalysis is applied to the 192-bit key variant of AES. Although any 4-round differential trail has at least 25 active bytes, one can construct 5-round related-key differential trail that has only 15 active bytes and break six rounds with 2106 plaintext/ciphertext pairs and complexity 2112. The attack can be improved using truncated differentials. In this case, the number of required plaintext/ciphertext pairs is 281 and the complexity is about 286. Using impossible related-key differentials we can break seven rounds with 2111 plaintext/ciphertext pairs and computational complexity 2116. The attack on eight rounds requires 288 plaintext/ciphertext pairs and its complexity is about 2183 encryptions. In the case of differential cryptanalysis, if the iterated cipher is Markov cipher and the round keys are independent, then the sequence of differences at each round output forms a Markov chain and the cipher becomes resistant to differential cryptanalysis after sufficiently many rounds, but this is not true in the case of related-key differentials. It can be shown that if in addition the Markov cipher has K - f round function and the hypothesis of stochastic equivalence for related keys holds, then the iterated cipher is resistant to related-key differential attacks after sufficiently many rounds. © Springer-Verlag Berlin Heidelberg 2004.