Bicliques with Minimal Data and Time Complexity for AES

TLDR: In this article, the authors exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks towards lowest computational and data complexities.

Abstract: In this paper, we re-evaluate the security-bound of full round AES against biclique attack. Under some reasonable restrictions, we exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks towards lowest computational and data complexities: Among the attacks with the minimal data complexity of the unicity distance, the ones with computational complexity \(2^{126.67}\) (for AES-128), \(2^{190.9}\) (for AES-192) and \(2^{255}\) (for AES-256) are the fastest. Each attack just requires 2 (for AES-128 and AES-192) or 3 (for AES-256) known plaintexts for success probability 1. We obtain these results using the improved biclique attack proposed in Crypto’13. Among the attacks with data complexity less than the full codebook, for AES-128, the ones of computational complexity \(2^{126.16}\) are fastest. Within these, the one with data complexity \(2^{64}\) requires the smallest amount of data. Thus, the original attack (with data complexity \(2^{88}\)) did not have the optimal data complexity for AES-128. Similar findings are observed for AES-192 as well (data complexity \(2^{48}\) as against \(2^{80}\) in the original attack). For AES-256, we find an attack that has a lower computational complexity of \(2^{254.31}\) as compared to the original attack complexity of \(2^{254.42}\). Among all the attacks covered, the ones of computational complexity \(2^{125.56}\) (for AES-128), \(2^{189.51}\) (for AES-192) and \(2^{253.87}\) (for AES-256) are fastest, though requiring the full codebook. This can be considered as an indication of the limitations of the independent biclique attack approach as applied to AES.