Biclique attack

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having broken both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions. A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having broken both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions. The biclique attack is still (as of April 2019) the best publicly known single-key attack on AES. The computational complexity of the attack is 2 126.1 {displaystyle 2^{126.1}} , 2 189.7 {displaystyle 2^{189.7}} and 2 254.4 {displaystyle 2^{254.4}} for AES128, AES192 and AES256, respectively. It is the only publicly known single-key attack on AES that attacks the full number of rounds. Previous attacks have attacked round reduced variants (typically variants reduced to 7 or 8 rounds). As the computational complexity of the attack is 2 126.1 {displaystyle 2^{126.1}} , it is a theoretical attack, which means the security of AES has not been broken, and the use of AES remains relatively secure. The biclique attack is nevertheless an interesting attack, which suggests a new approach to performing cryptanalysis on block ciphers. The attack has also rendered more information about AES, as it has brought into question the safety-margin in the number of rounds used therein. The original MITM attack was first suggested by Diffie and Hellman in 1977, when they discussed the cryptanalytic properties of DES. They argued that the key-size was too small, and that reapplying DES multiple times with different keys could be a solution to the key-size; however, they advised against using double-DES and suggested triple-DES as a minimum, due to MITM attacks (MITM attacks can easily be applied to double-DES to reduce the security from 2 56 ∗ 2 {displaystyle 2^{56*2}} to just 2 ∗ 2 56 {displaystyle 2*2^{56}} , since one can independently bruteforce the first and the second DES-encryption if they have the plain- and ciphertext). Since Diffie and Hellman suggested MITM attacks, many variations have emerged that are useful in situations, where the basic MITM attack is inapplicable. The biclique attack variant was first suggested by Dmitry Khovratovich, Rechberger and Savelieva for use with hash-function cryptanalysis. However, it was Bogdanov, Khovratovich and Rechberger who showed how to apply the concept of bicliques to the secret-key setting including block-cipher cryptanalysis, when they published their attack on AES. Prior to this, MITM attacks on AES and many other block ciphers had received little attention, mostly due to the need for independent key bits between the two 'MITM subciphers' in order to facilitate the MITM attack — something that is hard to achieve with many modern key schedules, such as that of AES. For a general explanation of what a biclique structure is, see the article for bicliques. In a MITM attack, the keybits K 1 {displaystyle K_{1}} and K 2 {displaystyle K_{2}} , belonging to the first and second subcipher, need to be independent; that is, they need to be independent of each other, else the matched intermediate values for the plain- and ciphertext cannot be computed independently in the MITM attack (there are variants of MITM attacks, where the blocks can have shared key-bits. See the 3-subset MITM attack). This property is often hard to exploit over a larger number of rounds, due to the diffusion of the attacked cipher. Simply put: The more rounds you attack, the larger subciphers you will have. The larger subciphers you have, the fewer independent key-bits between the subciphers you will have to bruteforce independently. Of course, the actual number of independent key-bits in each subcipher depends on the diffusion properties of the key-schedule.