Practical-Titled Attack on AES-128 Using Chosen-Text Relations

Related-key attacks on AES-192 and AES-256 have been presented at Crypto 2009 and Asiacrypt 2009. Although these results are already quite spectacular, they have been extended to practical-complexity attacks on AES variants with 10 rounds at Eurocrypt 2010. These advances in cryptanalysis are enabled by the introduction of a new type of related keys. Let the secret key be denoted by k, the round keys by ki and describe the action of the key schedule of an arbitrary AES variant by: ki = ψi(k), i = 1, 2 . . . The AES-256 adversary specifies two key-differences-in-the-middle 2, δ and queries the AES-256 implementation using the following related keys: k = ψ−3.5(ψ2.5(ψ(k) + aδ) + b2), a, b ∈ {0, 1}.