Fast Software Encryption Attacks on AES

  • David Gstir
  • Martin Schläffer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7918)


In this work, we compare different faster than brute-force single-key attacks on the full AES in software. Contrary to dedicated hardware implementations, software implementations are more transparent and do not over-optimize a specific type of attack. We have analyzed and implemented a black-box brute-force attack, an optimized brute-force attack and a biclique attack on AES-128. Note that all attacks perform an exhaustive key search but the latter two do not need to recompute the whole cipher for all keys. To provide a fair comparison, we use CPUs with Intel AES-NI since these instructions tend to favor the generic black-box brute-force attack. Nevertheless, we are able to show that on Sandy Bridge the biclique attack on AES-128 is 17% faster, and the optimized brute-force attack is 3% faster than the black-box brute-force attack.


fast software encryption AES brute-force attack biclique attack Intel AES-NI 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biryukov, A., Khovratovich, D.: Related-Key Cryptanalysis of the Full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. 2.
    Bogdanov, A., Kavun, E.B., Paar, C., Rechberger, C., Yalcin, T.: Better than Brute-Force Optimized Hardware Architecture for Efficient Biclique Attacks on AES-128. In: Workshop records of Special-Purpose Hardware for Attacking Cryptographic Systems – SHARCS 2012, pp. 17–34 (2012),
  3. 3.
    Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique Cryptanalysis of the Full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Fog, A.: Instruction tables – Lists of instruction latencies, throughputs and micro-operation breakdowns for Intel, AMD and VIA CPUs (2012), (accessed September 2, 2012)
  5. 5.
    Gaj, K.: ATHENa: Automated Tool for Hardware EvaluatioN (2012) , (accessed February 1, 2013)
  6. 6.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory 26(4), 401–406 (1980)MathSciNetzbMATHCrossRefGoogle Scholar
  7. 7.
    Intel Corporation:ntel® Advanced Encryption Standard (AES) Instruction Set, White Paper. Tech. rep., Intel Mobility Group, Israel Development Center, Israel (January 2010)Google Scholar
  8. 8.
    Intel Corporation: Intel® 64 and IA-32 Architectures Software Developer’s Manual. Intel Corporation (March 2012)Google Scholar
  9. 9.
    NIST: Specification for the Advanced Encryption Standard (AES). National Institute of Standards and Technology (2001)Google Scholar
  10. 10.
    Sasaki, Y., Aoki, K.: Finding Preimages in Full MD5 Faster Than Exhaustive Search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    SHA-3 Zoo Editors: SHA-3 Hardware Implementations (2012), (accessed February 1, 2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • David Gstir
    • 1
  • Martin Schläffer
    • 1
  1. 1.IAIKGraz University of TechnologyAustria

Personalised recommendations