Welcome to the resource topic for
**2009/242**

**Title:**

Examples of differential multicollisions for 13 and 14 rounds of AES-256

**Authors:**
Alex Biryukov, Dmitry Khovratovich, Ivica Nikolić

**Abstract:**

Here we present practical differential q-multicollisions for AES-256, which can be tested on any implementation of AES-256. In our paper “Distinguisher and Related-Key Attack on the Full AES-256” q-multicollisions are found with complexity q\cdot 2^{67}. We relax conditions on the plaintext difference \Delta_P allowing some bytes to vary and find multicollisions for 13 and 14 round AES with complexity q\cdot 2^{37}. Even with the relaxation there is still a large complexity gap between our algorithm and the lower bound that we have proved in Lemma 1. Moreover we believe that in practice finding even two fixed-difference collisions for a good cipher would be very challenging.

**ePrint:**
https://eprint.iacr.org/2009/242

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

**Example resources include:**
implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .