{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T03:13:53Z","timestamp":1768360433930,"version":"3.49.0"},"reference-count":50,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T00:00:00Z","timestamp":1759968000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,2]]},"abstract":"<jats:p>As probably the most widespread block cipher, the AES has attracted tremendous cryptanalytical efforts since its standardization. In the single secret-key setting, Demirci-Selcuk Meet-in-the-Middle (DS-MitM) attacks have remained the state of the art on most rounds and have the lowest time complexities on all AES versions. However, after the research intensity had peaked with Derbez et al.'s seminal works from Eurocrypt'13 and FSE'13 and Li et al.'s improvements on the AES-192 at FSE'14, the generic technical evolution on DS-MitM attacks stagnated. Subsequent works automated the technique or concentrated on ciphers other than the AES. But it took one decade until Dong et al. (DCC'24) advanced the progress on DS-MitM attacks. Their approach uses constraints in both the offline and online phases, which produced improved attacks on AES-192 and -256 in the chosen-plaintext setting and on all versions in the practical-data setting.<\/jats:p>\n                  <jats:p>In this work, we demonstrate that Dong et al.'s use of constraints could be further improved, leading to better attacks on all versions of the AES with practical data complexity. We emphasize that our attacks do not threaten the security of the full AES versions but refine our understanding of their security margins under practical data settings.<\/jats:p>","DOI":"10.62056\/a33zzo-3y","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["New Records for Practical-data Chosen-plaintext Attacks on Round-reduced AES"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2839-6687","authenticated-orcid":false,"given":"Zhenzhen","family":"Bao","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/03cve4549","id-type":"ROR","asserted-by":"publisher"}],"name":"Institute for Network Sciences and Cyberspace, Tsinghua University","place":["Beijing, 100084, China"]},{"name":"Zhongguancun Laboratory","place":["Beijing, China"]},{"id":[{"id":"https:\/\/ror.org\/02pn5rj08","id-type":"ROR","asserted-by":"publisher"}],"name":"State Key Laboratory of Cryptography and Digital Economy Security, Tsinghua University","place":["Beijing, 100084, 100084, China"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8847-6748","authenticated-orcid":false,"given":"Jian","family":"Guo","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02e7b5302","id-type":"ROR","asserted-by":"publisher"}],"name":"Nanyang Technological University","place":["Nanyang Link 21, Singapore, 637371, Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0369-4901","authenticated-orcid":false,"given":"Eik","family":"List","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02e7b5302","id-type":"ROR","asserted-by":"publisher"}],"name":"Nanyang Technological University","place":["Nanyang Link 21, Singapore, 637371, Singapore"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-0090-8101","authenticated-orcid":false,"given":"Haoyang","family":"Wang","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0220qvk04","id-type":"ROR","asserted-by":"publisher"}],"name":"School of Computer Science, Shanghai Jiao Tong University","place":["800 Dongchuan Road, Shanghai, 200240, China"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:nist:2001","first-page":"1","article-title":"FIPS 197","author":"National Institute of Standards","year":"2001","journal-title":"National Institute of Standards and Technology, November"},{"key":"ref2:daemen:1998","volume-title":"AES Proposal: Rijndael","author":"Joan Daemen","year":"1999"},{"key":"ref3:DR02","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-60769-5","volume-title":"The Design of Rijndael: AES - The Advanced Encryption\n  Standard","author":"Joan Daemen","year":"2002","ISBN":"https:\/\/id.crossref.org\/isbn\/3540425802"},{"key":"ref4:DBLP:conf\/fse\/DerbezF13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"541","DOI":"10.1007\/978-3-662-43933-3_28","article-title":"Exhausting Demirci-Sel\u00e7uk Meet-in-the-Middle Attacks\n  Against Reduced-Round AES","volume":"8424","author":"Patrick Derbez","year":"2013"},{"key":"ref5:DBLP:conf\/crypto\/DerbezF16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1007\/978-3-662-53008-5_6","article-title":"Automatic Search of Meet-in-the-Middle and Impossible\n  Differential Attacks","volume":"9815","author":"Patrick Derbez","year":"2016"},{"key":"ref6:DBLP:conf\/asiacrypt\/DunkelmanKS10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"158","DOI":"10.1007\/978-3-642-17373-8_10","article-title":"Improved Single-Key Attacks on 8-Round AES-192 and\n  AES-256","volume":"6477","author":"Orr Dunkelman","year":"2010"},{"key":"ref7:DBLP:journals\/joc\/DunkelmanKS15a","doi-asserted-by":"publisher","first-page":"397","DOI":"10.1007\/s00145-013-9159-4","article-title":"Improved Single-Key Attacks on 8-Round AES-192 and\n  AES-256","volume":"28","author":"Orr Dunkelman","year":"2015","journal-title":"Journal of Cryptology"},{"key":"ref8:DBLP:journals\/tit\/Sun21","doi-asserted-by":"publisher","first-page":"4838","DOI":"10.1109\/TIT.2021.3058377","article-title":"Provable Security Evaluation of Block Ciphers Against\n  Demirci-Sel\u00e7uk's Meet-in-the-Middle Attack","volume":"67","author":"Bing Sun","year":"2021","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref9:DBLP:journals\/dcc\/LiJ16","doi-asserted-by":"publisher","first-page":"459","DOI":"10.1007\/s10623-015-0113-3","article-title":"Meet-in-the-middle attacks on 10-round AES-256","volume":"80","author":"Rongjia Li","year":"2016","journal-title":"Designs, Codes, and Cryptography"},{"key":"ref10:DBLP:journals\/dcc\/LuZ24a","doi-asserted-by":"publisher","first-page":"957","DOI":"10.1007\/S10623-023-01323-4","article-title":"Improved meet-in-the-middle attack on 10 rounds of the\n  AES-256 block cipher","volume":"92","author":"Jiqiang Lu","year":"2024","journal-title":"Designs, Codes, and Cryptography"},{"key":"ref11:DBLP:conf\/asiacrypt\/BogdanovKR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"344","DOI":"10.1007\/978-3-642-25385-0_19","article-title":"Biclique Cryptanalysis of the Full AES","volume":"7073","author":"Andrey Bogdanov","year":"2011"},{"key":"ref12:DBLP:journals\/tosc\/BouraCC19","doi-asserted-by":"publisher","first-page":"170","DOI":"10.13154\/TOSC.V2019.I1.170-191","article-title":"A General Proof Framework for Recent AES\n  Distinguishers","volume":"2019","author":"Christina Boura","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref13:DBLP:conf\/eurocrypt\/0001RR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"289","DOI":"10.1007\/978-3-319-56614-6_10","article-title":"A New Structural-Differential Property of 5-Round AES","volume":"10211","author":"Lorenzo Grassi","year":"2017"},{"key":"ref14:DBLP:conf\/asiacrypt\/RonjomBH17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"217","DOI":"10.1007\/978-3-319-70694-8_8","article-title":"Yoyo Tricks with AES","volume":"10624","author":"Sondre R\u00f8njom","year":"2017"},{"key":"ref15:DBLP:journals\/tosc\/Grassi18","doi-asserted-by":"publisher","first-page":"133","DOI":"10.13154\/tosc.v2018.i2.133-160","article-title":"Mixture Differential Cryptanalysis: a New Approach to\n  Distinguishers and Attacks on round-reduced AES","volume":"2018","author":"Lorenzo Grassi","year":"2018","journal-title":"IACR Transactions on Symmetric Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/2519-173X","issn-type":"electronic"},{"key":"ref16:DBLP:conf\/crypto\/Bar-OnDKRS18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"185","DOI":"10.1007\/978-3-319-96881-0_7","article-title":"Improved Key Recovery Attacks on Reduced-Round AES with\n  Practical Data and Memory Complexities","volume":"10992","author":"Achiya Bar-On","year":"2018"},{"key":"ref17:DBLP:conf\/africacrypt\/BardehR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/978-3-030-23696-0_15","article-title":"Practical Attacks on Reduced-Round AES","volume":"11627","author":"Navid Ghaedi Bardeh","year":"2019"},{"key":"ref18:DBLP:conf\/asiacrypt\/BardehR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"347","DOI":"10.1007\/978-3-030-34618-8_12","article-title":"The Exchange Attack: How to Distinguish Six Rounds of AES\n  with $2^{88.2}$ Chosen Plaintexts","volume":"11923","author":"Navid Ghaedi Bardeh","year":"2019"},{"key":"ref19:DBLP:conf\/indocrypt\/ChangWSW22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"422","DOI":"10.1007\/978-3-031-22912-1_19","article-title":"Improved Truncated Differential Distinguishers of AES\n  with Concrete S-Box","volume":"13774","author":"Chengcheng Chang","year":"2022"},{"key":"ref20:DBLP:conf\/eurocrypt\/DunkelmanKRS20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"280","DOI":"10.1007\/978-3-030-45721-1_11","article-title":"The Retracing Boomerang Attack","volume":"12105","author":"Orr Dunkelman","year":"2020"},{"key":"ref21:DBLP:journals\/tosc\/BardehR22","doi-asserted-by":"publisher","first-page":"43","DOI":"10.46586\/TOSC.V2022.I2.43-62","article-title":"New Key-Recovery Attack on Reduced-Round AES","volume":"2022","author":"Navid Ghaedi Bardeh","year":"2022","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref22:DBLP:journals\/joc\/BouraLNS18","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s00145-016-9251-7","article-title":"Making the Impossible Possible","volume":"31","author":"Christina Boura","year":"2018","journal-title":"J. Cryptology"},{"key":"ref23:DBLP:conf\/asiacrypt\/BouraNS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/978-3-662-45611-8_10","article-title":"Scrutinizing and Improving Impossible Differential Attacks:\n  Applications to CLEFIA, Camellia, LBlock and Simon","volume":"8873","author":"Christina Boura","year":"2014"},{"key":"ref24:DBLP:conf\/eurocrypt\/LeurentP21","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/978-3-030-77870-5_3","article-title":"New Representations of the AES Key Schedule","volume":"12696","author":"Ga\u00ebtan Leurent","year":"2021"},{"key":"ref25:DBLP:conf\/aes\/GilbertM00","first-page":"230","article-title":"A Collision Attack on 7 Rounds of Rijndael","author":"Henri Gilbert","year":"2000"},{"key":"ref26:DBLP:conf\/sacrypt\/DemirciST03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"117","DOI":"10.1007\/978-3-540-24654-1_9","article-title":"A New Meet-in-the-Middle Attack on the IDEA Block\n  Cipher","volume":"3006","author":"H\u00fcseyin Demirci","year":"2003"},{"key":"ref27:DBLP:conf\/fse\/DemirciS08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1007\/978-3-540-71039-4_7","article-title":"A Meet-in-the-Middle Attack on 8-Round AES","volume":"5086","author":"H\u00fcseyin Demirci","year":"2008"},{"key":"ref28:fse:2024","volume-title":"IACR ToSC Test-of-Time Award Page","author":"IACR","year":"2024"},{"key":"ref29:DBLP:journals\/iacr\/DerbezFJ12","first-page":"477","article-title":"Improved Key Recovery Attacks on Reduced-Round AES in the\n  Single-Key Setting","author":"Patrick Derbez","year":"2012","journal-title":"IACR Cryptology ePrint Archive"},{"key":"ref30:DBLP:conf\/eurocrypt\/DerbezFJ13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"371","DOI":"10.1007\/978-3-642-38348-9_23","article-title":"Improved Key Recovery Attacks on Reduced-Round AES in the\n  Single-Key Setting","volume":"7881","author":"Patrick Derbez","year":"2013"},{"key":"ref31:DBLP:conf\/indocrypt\/MalaDRM10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"282","DOI":"10.1007\/978-3-642-17401-8_20","article-title":"Improved Impossible Differential Cryptanalysis of 7-Round\n  AES-128","volume":"6498","author":"Hamid Mala","year":"2010"},{"key":"ref32:DBLP:conf\/fse\/LiJW14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"127","DOI":"10.1007\/978-3-662-46706-0_7","article-title":"Improved Single-Key Attacks on 9-Round AES-192\/256","volume":"8540","author":"Leibo Li","year":"2014"},{"key":"ref33:DBLP:journals\/cj\/LiuSGZZLLB19","doi-asserted-by":"publisher","first-page":"1761","DOI":"10.1093\/comjnl\/bxz059","article-title":"Improved Meet-in-the-Middle Attacks on Reduced-Round\n  Kiasu-BC and Joltik-BC","volume":"62","author":"Ya Liu","year":"2019","journal-title":"Comput. J."},{"key":"ref34:DBLP:journals\/ieicet\/TolbaAY16","doi-asserted-by":"publisher","first-page":"1888","DOI":"10.1587\/transfun.E99.A.1888","article-title":"A Meet in the Middle Attack on Reduced Round Kiasu-BC","volume":"99-A","author":"Mohamed Tolba","year":"2016","journal-title":"IEICE Trans. Fundam. Electron. Commun. Comput. Sci."},{"key":"ref35:DBLP:conf\/icics\/ChenSSH19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"233","DOI":"10.1007\/978-3-030-41579-2_14","article-title":"Automatic Demirci-Sel\u00e7uk Meet-in-the-Middle Attack on\n  SKINNY with Key-Bridging","volume":"11999","author":"Qiu Chen","year":"2019"},{"key":"ref36:DBLP:conf\/asiacrypt\/ShiSDTSH18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-030-03329-3_1","article-title":"Programming the Demirci-Sel\u00e7uk Meet-in-the-Middle\n  Attack with Constraints","volume":"11273","author":"Danping Shi","year":"2018"},{"key":"ref37:DBLP:conf\/eurocrypt\/ShiSSHY23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-031-30634-1_3","article-title":"Exploiting Non-full Key Additions: Full-Fledged Automatic\n  Demirci-Sel\u00e7uk Meet-in-the-Middle Cryptanalysis of SKINNY","volume":"14007","author":"Danping Shi","year":"2023"},{"key":"ref38:DBLP:conf\/ctrsa\/LuZ24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"136","DOI":"10.1007\/978-3-031-58868-6_6","article-title":"Improved Meet-in-the-Middle Attacks on Nine Rounds of the\n  AES-192 Block Cipher","volume":"14643","author":"Jiqiang Lu","year":"2024"},{"key":"ref39:lee:2024","doi-asserted-by":"publisher","first-page":"1212","DOI":"10.1587\/TRANSFUN.2023EAP1145","article-title":"Accurate False-Positive Probability of Multiset-Based\n  Demirci-Sel\u00e7uk Meet-in-the-Middle Attacks","volume":"107","author":"Dongjae Lee","year":"2024","journal-title":"IEICE Transactions on Fundamentals of Electronics,\n  Communications and Computer Sciences"},{"key":"ref40:dong:2024","doi-asserted-by":"publisher","first-page":"2423","DOI":"10.1007\/S10623-024-01396-9","article-title":"Meet-in-the-middle attacks on AES with value constraints","volume":"92","author":"Xiaoli Dong","year":"2024","journal-title":"Designs, Codes, and Cryptography"},{"key":"ref41:DBLP:conf\/fse\/KrovetzR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"306","DOI":"10.1007\/978-3-642-21702-9_18","article-title":"The Software Performance of Authenticated-Encryption\n  Modes","volume":"6733","author":"Ted Krovetz","year":"2011"},{"key":"ref42:rfc7253","series-title":"Request for Comments","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7253","volume-title":"The OCB Authenticated-Encryption Algorithm","author":"Ted Krovetz","year":"2014"},{"key":"ref43:ocbv11:caesar","volume-title":"OCB (v1.1)","author":"Ted Krovetz","year":"2016"},{"key":"ref44:DBLP:journals\/iacr\/DerbezF15","first-page":"259","article-title":"Exhausting Demirci-Sel\u00e7uk Meet-in-the-Middle Attacks\n  against Reduced-Round AES","author":"Patrick Derbez","year":"2015","journal-title":"IACR Cryptology ePrint Archive"},{"key":"ref45:DBLP:conf\/ispec\/WeiLH11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/978-3-642-21031-0_17","article-title":"Meet-in-the-Middle Attack on 8 Rounds of the AES Block\n  Cipher under 192 Key Bits","volume":"6672","author":"Yongzhuang Wei","year":"2011"},{"key":"ref46:DBLP:journals\/tosc\/GrassiRR16","doi-asserted-by":"publisher","first-page":"192","DOI":"10.13154\/tosc.v2016.i2.192-225","article-title":"Subspace Trail Cryptanalysis and its Applications to AES","volume":"2016","author":"Lorenzo Grassi","year":"2017","journal-title":"IACR Transactions on Symmetric Cryptology"},{"key":"ref47:DBLP:conf\/fse\/DaemenKR97","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"149","DOI":"10.1007\/BFB0052343","article-title":"The block cipher Square","volume":"1267","author":"Joan Daemen","year":"1997"},{"key":"ref48:DBLP:conf\/indocrypt\/DemirciTCB09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"144","DOI":"10.1007\/978-3-642-10628-6_10","article-title":"Improved Meet-in-the-Middle Attacks on AES","volume":"5922","author":"H\u00fcseyin Demirci","year":"2009"},{"key":"ref49:DBLP:conf\/fse\/DerbezP15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1007\/978-3-662-48116-5_10","article-title":"Meet-in-the-Middle Attacks and Structural Analysis of\n  Round-Reduced PRINCE","volume":"9054","author":"Patrick Derbez","year":"2015"},{"key":"ref50:DBLP:journals\/tosc\/BonnetainNS19","doi-asserted-by":"publisher","first-page":"55","DOI":"10.13154\/TOSC.V2019.I2.55-93","article-title":"Quantum Security Analysis of AES","volume":"2019","author":"Xavier Bonnetain","year":"2019","journal-title":"IACR Transactions on Symmetric Cryptology"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:40:10Z","timestamp":1767915610000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/38"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,8]]},"references-count":50,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/a33zzo-3y","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-10-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-4-82"}}