Improved meet-in-the-middle attack on 10 rounds of the AES-256 block cipher
Designs, Codes and Cryptography (IF 1.6), Pub Date: 2023-11-24, DOI: 10.1007/s10623-023-01323-4
Jiqiang Lu, Wenchang Zhou

The meet-in-the-middle (MitM) attack method has led to the best currently published cryptanalytic results on the AES block cipher in the single-key attack scenario, except for the biclique attack. In particular, for AES with a 256-bit key (AES-256), Li and Jin published a MitM attack on 10-round AES-256 in 2016, which has a data complexity of \(2^{111}\) chosen plaintexts, a memory complexity of \(2^{215.2}\) bytes and a time complexity of \(2^{253}\) 10-round AES-256 encryptions under the so-called weak-key approach. In this paper, we first observe that the memory complexity of Li and Jin’s attack should be \(2^{217.4}\) bytes. We then show that three other byte key relations can be used to further reduce the memory complexity of Li and Jin’s attack, by decomposing Li and Jin’s big precomputational table into two smaller ones and using a property of MixColumns to connect the two smaller tables in the online key-recovery phase; this produces a 10-round AES-256 attack with a memory complexity of \(2^{189}\) bytes and a time complexity of \(2^{255}\) 10-round AES encryptions. Finally, we exploit a different 6-round MitM distinguisher to mount a 10-round AES-256 attack with a data complexity of \(2^{105}\) chosen plaintexts, a memory complexity of \(2^{189}\) bytes and a time complexity of \(2^{253.2}\) 10-round AES encryptions. Our final attack has much smaller data and memory complexities and a marginally larger time complexity than Li and Jin’s attack.




Updated: 2023-11-24