Bicliques with Minimal Data and Time Complexity for AES
Authors
Abstract
Biclique cryptanalysis is a recent technique that has been successfully applied to AES, resulting in key recovery faster than brute force. However, a major hurdle in carrying out biclique cryptanalysis on AES is that it requires very high data complexity. This naturally raises questions over the practical feasibility of mounting a biclique attack in the real world. At Crypto’13, Canteaut et al. proposed a biclique attack in which the data complexity was reduced to a single plaintext-ciphertext pair; however, no application of it to AES was suggested. In this paper, we re-evaluate the security bound of full-round AES against biclique attacks. Under some reasonable restrictions, we exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks towards the lowest computational and data complexities:
– Among attacks with the minimal data complexity of the unicity distance, the ones with computational complexity 2 (for AES-128), 2 (for AES-192) and 2 (for AES-256) are the fastest. Each attack requires just 2 (for AES-128 and AES-192) or 3 (for AES-256) known plaintexts for success probability 1. We obtain these results using the improved biclique attack proposed at Crypto’13.
– Among attacks with data complexity less than the full codebook, for AES-128, the ones of computational complexity 2 are the fastest. Within these, the one with data complexity 2 requires the smallest amount of data. Thus, the original attack (with data complexity 2) did not have the optimal data complexity for AES-128. Similar findings are observed for AES-192 as well (data complexity 2 as against 2 in the original attack). For AES-256, we find an attack that has a lower computational complexity of 2 as compared to the original attack complexity of 2.
– Among all attacks covered, the ones of computational complexity 2 (for AES-128), 2 (for AES-192) and 2 (for AES-256) are the fastest, though they require the full codebook. This can be considered an indication of the limitations of the independent-biclique attack approach as applied to AES.
Similar sources
Non-isomorphic Biclique Cryptanalysis and Its Application to Full-Round mCrypton
Biclique attack, is a new cryptanalytic technique which brings new tools from the area of hash functions to the area of block cipher cryptanalysis. Till now, this technique is the only one able to analyze the full-round AES cipher in a single key scenario. In this paper, we introduce non-isomorphic biclique attack, a modified version of the original biclique attack. In this attack we obtain iso...
Sieve-in-the-Middle: Improved MITM Attacks (Full Version)
This paper presents a new generic technique, named sieve-in-the-middle, which improves meet-in-the-middle attacks in the sense that it provides an attack on a higher number of rounds. Instead of selecting the key candidates by searching for a collision in an intermediate state which can be computed forwards and backwards, we here look for the existence of valid transitions through some middle s...
Sieve-in-the-Middle: Improved MITM Attacks
This paper presents a new generic technique, named sieve-in-the-middle, which improves meet-in-the-middle attacks in the sense that it provides an attack on a higher number of rounds. Instead of selecting the key candidates by searching for a collision in an intermediate state which can be computed forwards and backwards, we look for the existence of valid transitions through some middle sbox. C...
Biclique Cryptanalysis of the Full AES
Since Rijndael was chosen as the Advanced Encryption Standard (AES), improving upon 7-round attacks on the 128-bit key variant (out of 10 rounds) or upon 8-round attacks on the 192/256-bit key variants (out of 12/14 rounds) has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper, we present the novel technique of block cipher cry...
The Two Bicliques Problem is in NP intersection coNP
We show that the problem of deciding whether the vertex set of a graph can be covered with at most two bicliques is in NP∩coNP. We thus almost determine the computational complexity of a problem whose status has remained open for quite some time. Our result implies that a polynomial time algorithm for the problem is more likely than it being NP-complete unless P = NP. keywords: Bicliques, Polyn...