Is an MD-MITM attack possible for AES? As far as I know, we can break 2 rounds of AES. So we could apply the MD-MITM attack 5 times. This should significantly reduce the security of AES.

What stops us from these kinds of attacks? Why was GOST broken with such a method and AES not?

Tom
  • Actually: "Biclique attacks are known for having broken both full AES[1] and full IDEA,[2] though only with slight advantage over brute force." I don't think that you can state: vulnerable against MITM, so more vulnerable given MD-MITM (of course, as MITM is a degenerated form of MD-MITM, I guess it is at least as vulnerable though). I'll vote up as I'm interested to see if any parts of the algorithm have been specifically designed to avoid MITM though. – Maarten Bodewes Jun 28 '20 at 13:33
  • I forgot or didn't know about that type of attack. I will read about it. – Tom Jun 28 '20 at 14:12

1 Answer

Why was GOST broken with such a method and AES not?

MD-MITM attacks have been published, e.g., against KATAN and GOST in https://eprint.iacr.org/2011/619. The authors stated that their attack is "suitable for lightweight ciphers with simple key schedules and block sizes smaller than key lengths". Another reason, and the answer to this question, is that the attacked ciphers in that paper had block lengths of up to 64 bits, while AES has a block length of 128 bits, and the space–time tradeoff would require too much space.

Yves
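To make the block-size argument in the answer concrete, here is an added example (not from the post or the cited paper): a 2D-MITM against a constructed toy cipher with a 4-bit block and a 16-bit key. The cipher, `SECRET`, `PAIRS` and all function names are assumptions made for illustration; the point is that the outer loop enumerates guessed intermediate states, so its cost grows with the block size rather than the key size.

```python
from itertools import product

# Constructed toy cipher (an assumption, not GOST/KATAN/AES): 4-bit block,
# four independent 4-bit round keys, round function F_k(x) = SBOX[x ^ k].
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box
INV = [SBOX.index(y) for y in range(16)]

def encrypt(key, x):
    for k in key:
        x = SBOX[x ^ k]
    return x

def half_mitm(ins, outs):
    """1D MITM over two rounds: all (ka, kb) mapping every input to its output."""
    table = {}
    for ka in range(16):                      # forward one round from the inputs
        table.setdefault(tuple(SBOX[i ^ ka] for i in ins), []).append(ka)
    found = []
    for kb in range(16):                      # backward one round from the outputs
        mid = tuple(INV[o] ^ kb for o in outs)
        found += [(ka, kb) for ka in table.get(mid, [])]
    return found

def md_mitm(pairs):
    """2D-MITM: guess the middle state of the first two known pairs."""
    (p1, c1), (p2, c2) = pairs[:2]
    keys, guesses = set(), 0
    for v1, v2 in product(range(16), repeat=2):   # 2^(2 * block bits) guesses
        guesses += 1
        left = half_mitm((p1, p2), (v1, v2))
        right = half_mitm((v1, v2), (c1, c2)) if left else []
        for key in (l + r for l in left for r in right):
            # Filter surviving candidates with the remaining known pairs.
            if all(encrypt(key, p) == c for p, c in pairs[2:]):
                keys.add(key)
    return keys, guesses

def brute_force(pairs):
    return {k for k in product(range(16), repeat=4)
            if all(encrypt(k, p) == c for p, c in pairs)}

# Constructed sample data: known plaintext/ciphertext pairs under a fixed key.
SECRET = (0x3, 0xA, 0x7, 0xC)
PAIRS = [(p, encrypt(SECRET, p)) for p in range(6)]

if __name__ == "__main__":
    keys, guesses = md_mitm(PAIRS)
    print(f"{guesses} state guesses, {len(keys)} consistent key(s)")
```

With a 4-bit block, two guessed states cost 2^8 iterations against a 2^16 key space; the same loop over two 128-bit states would need 2^256 iterations, far more than searching a 128-bit key directly.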