Improved meet-in-the-middle attack on 10 rounds of the AES-256 block cipher

Meet-in-the-middle (MitM) attack method has led to the best currently published cryptanalytic results on the AES block cipher in the single-key attack scenario, except biclique attack. Particularly, for AES with a 256-bit key (AES-256), Li and Jin published a MitM attack on 10-round AES-256 in 2016, which has a data complexity of \(2^{111}\) chosen plaintexts, a memory complexity of \(2^{215.2}\) bytes and a time complexity of \(2^{253}\) 10-round AES-256 encryptions under so-called weak-key approach. In this paper, we observe that the memory complexity of Li and Jin’s attack should be \(2^{217.4}\) bytes, then we show that three other byte key relations can be used to further reduce the memory complexity in Li and Jin’s attack by decomposing Li and Jin’s big precomputational table into two smaller ones and using MixColumns’ property to connect the two smaller tables in online key-recovery phase, which produces a 10-round AES-256 attack with a memory complexity of \(2^{189}\) bytes and a time complexity of \(2^{255}\) 10-round AES encryptions, and finally we exploit a different 6-round MitM distinguisher to mount a 10-round AES-256 attack with a data complexity of \(2^{105}\) chosen plaintexts, a memory complexity of \(2^{189}\) bytes and a time complexity of \(2^{253.2}\) 10-round AES encryptions. Our final attack has a much smaller data and memory complexity and a marginally larger time complexity than Li and Jin’s attack.