AES Suffers and Survives

Biclique Cryptanalysis of the Full AES

State of the art for attacks on AES. AES with its wide-trail strategy was designed to withstand differential and linear cryptanalyses [15], so pure versions of these techniques have limited applications in attacks. With respect to AES, probably the most powerful single- key recovery methods designed so far are impossible differential cryptanalysis [5, 33] and Square attacks [14,20]. The impossible differential cryptanalysis yielded the first attack on 7-round AES-128 with non-marginal data complexity. The Square attack and its variations such as integral attack and multiset attack resulted in the cryptanalysis of round-reduced AES variants with lowest computational complexity to date, while the first attack on 8-round AES-192 with non-marginal data complexity has appeared only recently [20].

The situation is different in weaker attack models, where the related-key cryptanalysis was applied to the full versions of AES-192 and AES-256 [9], and the rebound attack demon- strated a non-random property in 8-round AES-128 [25,30]. However, there is little evidence so far that carrying over these techniques to the most practical single-secret-key model is feasible.


An FAQ on a previous (2009) attack: CryptoLUX > FAQ on the attacks

Leave a Reply