Improved preimage attacks on hash modes of 8-round AES-256

We observe the slow diffusion of the AES key schedule for 256-bit keys and find weakness which can be used in the preimage attack on its Davies-Meyer mode. Our preimage attack works for 8 rounds of AES-256 with the computational complexity of 2124.9. It is comparable with Bogdanov et al.’s biclique-based preimage attack on AES-256, which is applicable up to full rounds but has the computational complexity more than 2126.5. We also extend our result to the preimage attack on some well-known double-block-length hash modes assuming the underlying block cipher is 8-round AES-256, whose computational complexity is 2252.9.