Fast Chosen-Key Distinguish Attacks on Round-Reduced AES-192

摘要

The open-key attack is a very popular research topic in the symmetric-key community recently. In this paper, we focus on the security of AES-192 in one of its settings, namely the chosen-key setting. First, thanks to the linear relations between most of AES-192 subkeys, we construct an 8-round chosen-key distinguishers for it using the meet-in-the-middle idea and the SuperSbox technique. Then we turn this distin-guisher into a key-recovery attack with a time complexity of one 8-round AES-192 encryption. Using the same approaches and with more efforts on exploiting the weak key schedule of this variant, 9-round chosen-key distinguishers is constructed and the master key is recovered afterwards at the cost of one 9-round AES-192 encryption. These results have been experimentally confirmed and two examples can be found in the appendix. While our work may not pose a threat to the security of AES-192 in a traditional way as those single-key recovery attacks do, we believe it do prove a non-trivial weakness in its key schedule to some extent and thus undermines its expectation as an ideal building block for hash functions.