Multiple Impossible Differentials Attack on AES-192

2019 
This paper studies the security of AES-192 against the multiple impossible differentials attack. Based on two types of impossible differentials for 4-round AES, two 7-round attack trails of AES-192 with the same plaintext and ciphertext difference structure are proposed. A new optimum combination of these two attack trails is applied in our attack so that the plaintext pairs can be reused and the data complexity can be reduced. Furthermore, this new optimum combination can also reduce the time complexity in the master key recovery phase. Our attack can also reduce the number of subkeys by key schedule considerations. For each attack trail, only 15-byte subkeys need to be guessed. Combined with the master key recovery technique based on the key schedule algorithm, the early abort technique for plaintext pairs, and the sieve method for plaintext pairs based on quicksort, among other techniques, we have obtained the best result so far in terms of time complexity for impossible differential cryptanalysis of AES-192. The time, memory, and data complexities are $2^{109.2}$ 7-round AES encryptions, $2^{86.5}$ bytes, and $2^{106.3}$ chosen plaintexts, respectively.