Improving the Biclique cryptanalysis of AES

Abstract

Biclique attack is currently the only key-recovery attack on the full AES with a single key. Bogdanov et al. applied it to all the three versions of AES by constructing bicliques with size 28 × 28 and reducing the number of S-boxes computed in the matching phase. Their results were improved later by better selections of differential characteristics in the biclique construction. In this paper, we improve the biclique attack by increasing the biclique size to 216 × 28 and 216 × 216.We have a biclique attack on each of the following AES versions: – AES-128 with time complexity 2126.13 and data complexity 256, – AES-128 with time complexity 2126.01 and data complexity 272, – AES-192 with time complexity 2189.91 and data complexity 248, and – AES-256 with time complexity 2254.27 and data complexity 240. Our results have the best time complexities among all the existing key recovery attacks with data less than the entire code book.