Improving the Biclique Cryptanalysis of AES

Conference paper

DOI: 10.1007/978-3-319-19962-7_3

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9144)
Cite this paper as:
Tao B., Wu H. (2015) Improving the Biclique Cryptanalysis of AES. In: Foo E., Stebila D. (eds) Information Security and Privacy. ACISP 2015. Lecture Notes in Computer Science, vol 9144. Springer, Cham

Abstract

The biclique attack is currently the only key-recovery attack on the full AES with a single key. Bogdanov et al. applied it to all three versions of AES by constructing bicliques of size \(2^8\times 2^8\) and reducing the number of S-boxes computed in the matching phase. Their results were later improved by better selections of differential characteristics in the biclique construction. In this paper, we improve the biclique attack by increasing the biclique size to \(2^{16}\times 2^8\) and \(2^{16}\times 2^{16}\). We obtain a biclique attack on each of the following AES versions:
  • AES-128 with time complexity \(2^{126.13}\) and data complexity \(2^{56}\),

  • AES-128 with time complexity \(2^{126.01}\) and data complexity \(2^{72}\),

  • AES-192 with time complexity \(2^{189.91}\) and data complexity \(2^{48}\), and

  • AES-256 with time complexity \(2^{254.27}\) and data complexity \(2^{40}\).

Our results have the best time complexities among all the existing key-recovery attacks with data less than the entire code book.

Keywords

AES, Biclique attack, Large biclique


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Nanyang Technological University, Singapore, Republic of Singapore
