Biclique attack

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It uses a biclique structure to extend the number of rounds that the MITM attack can cover. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash functions. Biclique attacks are known for having weakened both full AES[1] and full IDEA,[2] though only with a slight advantage over brute force. They have also been applied to the KASUMI cipher and to the preimage resistance of the Skein-512 and SHA-2 hash functions.[3]

The biclique attack is still (as of April 2019) the best publicly known single-key attack on AES. The computational complexity of the attack is , and for AES128, AES192 and AES256, respectively. It is the only publicly known single-key attack on AES that attacks the full number of rounds.[1] Previous attacks targeted round-reduced variants (typically variants reduced to 7 or 8 rounds).

As the computational complexity of the attack is , it is a theoretical attack, which means the security of AES has not been broken, and the use of AES remains relatively secure. The biclique attack is nevertheless an interesting attack, which suggests a new approach to performing cryptanalysis on block ciphers. The attack has also yielded more information about AES, as it has brought into question the safety margin in the number of rounds used therein.

  1. Bogdanov, Andrey; Khovratovich, Dmitry; Rechberger, Christian. "Biclique Cryptanalysis of the Full AES" (PDF). Archived from the original (PDF) on 2012-06-14.
  2. Khovratovich, Dmitry; Leurent, Gaëtan; Rechberger, Christian (2012). "Narrow-Bicliques: Cryptanalysis of Full IDEA". Eurocrypt 2012. pp. 392–410. CiteSeerX 10.1.1.352.9346.
  3. "Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family".