Bicliques with Minimal Data and Time Complexity for AES

In this paper, we re-evaluate the security bound of full-round AES against the biclique attack. Under some reasonable restrictions, we exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks with respect to the lowest computational and data complexities. Among the attacks with the minimal data complexity of the unicity distance, the ones with computational complexity \(2^{126.67}\) (for AES-128), \(2^{190.9}\) (for AES-192) and \(2^{255}\) (for AES-256) are the fastest. Each of these attacks requires only 2 (for AES-128 and AES-192) or 3 (for AES-256) known plaintexts for success probability 1. We obtain these results using the improved biclique attack proposed at Crypto'13. Among the attacks with data complexity less than the full codebook, for AES-128, the ones with computational complexity \(2^{126.16}\) are the fastest; within these, the one with data complexity \(2^{64}\) requires the smallest amount of data. Thus, the original attack (with data complexity \(2^{88}\)) did not have the optimal data complexity for AES-128. Similar findings are observed for AES-192 as well (data complexity \(2^{48}\) as against \(2^{80}\) in the original attack). For AES-256, we find an attack with a lower computational complexity of \(2^{254.31}\), as compared to the original attack complexity of \(2^{254.42}\). Among all the attacks covered, the ones with computational complexity \(2^{125.56}\) (for AES-128), \(2^{189.51}\) (for AES-192) and \(2^{253.87}\) (for AES-256) are the fastest, though they require the full codebook. This can be considered an indication of the limitations of the independent biclique attack approach as applied to AES.
