
Bicliques with Minimal Data and Time Complexity for AES

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8949)


In this paper, we re-evaluate the security bound of full-round AES against the biclique attack. Under some reasonable restrictions, we exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks with the lowest computational and data complexities:

  • Among the attacks with the minimal data complexity of the unicity distance, the ones with computational complexity \(2^{126.67}\) (for AES-128), \(2^{190.9}\) (for AES-192) and \(2^{255}\) (for AES-256) are the fastest. Each attack just requires 2 (for AES-128 and AES-192) or 3 (for AES-256) known plaintexts for success probability 1. We obtain these results using the improved biclique attack proposed in Crypto’13.

  • Among the attacks with data complexity less than the full codebook, for AES-128, the ones of computational complexity \(2^{126.16}\) are fastest. Within these, the one with data complexity \(2^{64}\) requires the smallest amount of data. Thus, the original attack (with data complexity \(2^{88}\)) did not have the optimal data complexity for AES-128. Similar findings are observed for AES-192 as well (data complexity \(2^{48}\) as against \(2^{80}\) in the original attack). For AES-256, we find an attack that has a lower computational complexity of \(2^{254.31}\) as compared to the original attack complexity of \(2^{254.42}\).

  • Among all the attacks covered, the ones of computational complexity \(2^{125.56}\) (for AES-128), \(2^{189.51}\) (for AES-192) and \(2^{253.87}\) (for AES-256) are fastest, though requiring the full codebook. This can be considered as an indication of the limitations of the independent biclique attack approach as applied to AES.


  • Block ciphers
  • Biclique cryptanalysis
  • Meet-in-the-middle
  • Key recovery
  • Stars
  • AES-128
  • Minimum data complexity



  1. Such trails do not collapse into a single active byte in any of the key states.

  2. Such trails do not collapse into a single active byte or two active bytes in any of the key states.

  3. Here we consider double (\(i_1, i_2\)) as well as triple (\(i_1, i_2, i_3\)) difference injection in \(i\) trail such that all possible (\(i_1, i_2\)) / (\(i_1, i_2, i_3\)) columns have one zero byte / two zero bytes respectively, after applying \(MixColumns^{-1}\).

  4. One complete evaluation of AES-128, AES-192 and AES-256 corresponds to 200, 224 and 276 S-boxes respectively.

  5. In [8], the attack complexity for AES-128 is mentioned as \(2^{125.69}\), however we could not validate it. Our analysis estimates this complexity to be \(2^{125.98}\).
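The S-box counts in note 4 can be reproduced by walking the standard AES round structure and key expansion (FIPS-197). The following is an added illustration, not code from the paper; the name `sbox_count` and the parameter table are assumptions made for this example.

```python
# Added illustration (not from the paper): count S-box lookups in one full
# AES encryption, including the key expansion, following FIPS-197.

# key size in bits -> (Nk = key length in 32-bit words, Nr = number of rounds)
AES_PARAMS = {128: (4, 10), 192: (6, 12), 256: (8, 14)}


def sbox_count(key_bits):
    """Return (state_sboxes, key_schedule_sboxes, total) for one evaluation."""
    nk, nr = AES_PARAMS[key_bits]

    # SubBytes touches all 16 state bytes in each of the Nr rounds.
    state = 16 * nr

    # The key expansion produces 4*(Nr+1) words; the first Nk are the key
    # itself and cost nothing. Each later word may need a SubWord call.
    key_sched = 0
    for i in range(nk, 4 * (nr + 1)):
        if i % nk == 0:
            key_sched += 4  # SubWord(RotWord(w[i-1])): 4 S-box lookups
        elif nk > 6 and i % nk == 4:
            key_sched += 4  # extra SubWord step, used only when Nk = 8

    return state, key_sched, state + key_sched


if __name__ == "__main__":
    for bits in (128, 192, 256):
        print(bits, sbox_count(bits))
```
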


  1. Abed, F., Forler, C., List, E., Lucks, S., Wenzel, J.: A framework for automated independent-biclique cryptanalysis. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 561–582. Springer, Heidelberg (2014)

  2. Aoki, K., Sasaki, Y.: Preimage Attacks on One-Block MD4, 63-Step MD5 and More. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009)

  3. Aoki, K., Sasaki, Y.: Meet-in-the-middle preimage attacks against reduced SHA-0 and SHA-1. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 70–89. Springer, Heidelberg (2009)

  4. Bogdanov, A., Kavun, E.B., Paar, C., Rechberger, C., Yalcin, T.: Better than brute-force optimized hardware architecture for efficient biclique attacks on AES-128. In: SHARCS 2012 - Special-Purpose Hardware for Attacking Cryptographic Systems. Washington D.C., USA, March 2012

  5. Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011)

  6. Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229–240. Springer, Heidelberg (2011)

  7. Bouillaguet, C., Derbez, P., Fouque, P.-A.: Automatic Search of Attacks on Round-Reduced AES and Applications. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 169–187. Springer, Heidelberg (2011)

  8. Canteaut, A., Naya-Plasencia, M., Vayssière, B.: Sieve-in-the-middle: improved MITM attacks (full version). Cryptology ePrint Archive, report 2013/324 (2013).

  9. Chaum, D., Evertse, J.-H.: Cryptanalysis of DES with a reduced number of rounds: Sequences of linear factors in block ciphers. In: Williams, H.C. (ed.) Advances in Cryptology - CRYPTO 1985. Lecture Notes in Computer Science, vol. 218, pp. 192–211. Springer, Heidelberg (1985)

  10. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002)

  11. Guo, J., Ling, S., Rechberger, C., Wang, H.: Advanced meet-in-the-middle preimage attacks: first results on full tiger, and improved results on MD4 and SHA-2. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 56–75. Springer, Heidelberg (2010)

  12. Isobe, T.: A single-key attack on the full GOST block cipher. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 290–305. Springer, Heidelberg (2011)

  13. Khovratovich, D., Leurent, G., Rechberger, C.: Narrow-bicliques: cryptanalysis of full IDEA. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 392–410. Springer, Heidelberg (2012)

  14. Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. Cryptology ePrint Archive, report 2011/286 (2011).

  15. Sasaki, Y., Aoki, K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009)


Author information


Corresponding author

Correspondence to Mohona Ghosh.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Bogdanov, A., Chang, D., Ghosh, M., Sanadhya, S.K. (2015). Bicliques with Minimal Data and Time Complexity for AES. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science, vol 8949. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0

  • eBook Packages: Computer Science, Computer Science (R0)