Improving the biclique cryptanalysis of AES
Biclique attack is currently the only key-recovery attack on the full AES with a single key.
Bogdanov et al. applied it to all the three versions of AES by constructing bicliques with size
2 8× 2 8 and reducing the number of S-boxes computed in the matching phase. Their results
were improved later by better selections of differential characteristics in the biclique
construction. In this paper, we improve the biclique attack by increasing the biclique size to 2
16× 2 8 and 2 16× 2 16. We have a biclique attack on each of the following AES versions …
Bogdanov et al. applied it to all the three versions of AES by constructing bicliques with size
2 8× 2 8 and reducing the number of S-boxes computed in the matching phase. Their results
were improved later by better selections of differential characteristics in the biclique
construction. In this paper, we improve the biclique attack by increasing the biclique size to 2
16× 2 8 and 2 16× 2 16. We have a biclique attack on each of the following AES versions …
Abstract
Biclique attack is currently the only key-recovery attack on the full AES with a single key. Bogdanov et al. applied it to all the three versions of AES by constructing bicliques with size and reducing the number of S-boxes computed in the matching phase. Their results were improved later by better selections of differential characteristics in the biclique construction. In this paper, we improve the biclique attack by increasing the biclique size to and . We have a biclique attack on each of the following AES versions:
- AES-128 with time complexity and data complexity ,
- AES-128 with time complexity and data complexity ,
- AES-192 with time complexity and data complexity , and
- AES-256 with time complexity and data complexity .
Our results have the best time complexities among all the existing key-recovery attacks with data less than the entire code book.
Springer
Showing the best result for this search. See all results