Content deleted Content added
TommyGundam (talk | contribs) m →Known attacks: patched up those 2 conference paper references so that they'll use {{cite book}} (both were later republished to the Lecture Notes in Computer Science, a book with isbn) |
Ira Leviton (talk | contribs) Fixed a reference. Please see Category:Articles using duplicate arguments in template calls. |
||
Line 149:
This known-key distinguishing attack is an improvement of the rebound, or the start-from-the-middle attack, against AES-like permutations, which view two consecutive rounds of permutation as the application of a so-called Super-S-box. It works on the 8-round version of AES-128, with a time complexity of 2<sup>48</sup>, and a memory complexity of 2<sup>32</sup>. 128-bit AES uses 10 rounds, so this attack is not effective against full AES-128.
The first [[key-recovery attack]]s on full AES were by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger, and were published in 2011.<ref>{{Cite book |chapter=Biclique Cryptanalysis of the Full AES |title=Advances in Cryptology – ASIACRYPT 2011 |last=Bogdanov |first=Andrey |volume=7073 |pages=344-371 |last2=Khovratovich |first2=Dmitry |last3=Rechberger |first3=Christian |doi=10.1007/978-3-642-25385-0_19 |series=Lecture Notes in Computer Science |date=2011 |editor-first1=Dong Hoon |editor-last1=Lee |editor-first2=Xiaoyun |editor-last2=Wang |isbn=978-3-642-25385-0}}</ref> The attack is a [[biclique attack]] and is faster than brute force by a factor of about four. It requires 2<sup>126.2</sup> operations to recover an AES-128 key. For AES-192 and AES-256, 2<sup>190.2</sup> and 2<sup>254.6</sup> operations are needed, respectively. This result has been further improved to 2<sup>126.0</sup> for AES-128, 2<sup>189.9</sup> for AES-192 and 2<sup>254.3</sup> for AES-256,<ref name=":0">{{cite book |first=Biaoshuai |last=Tao |title=Information Security and Privacy |volume=9144 |pages=39–56 |first2=Hongjun |last2=Wu |chapter=Improving the Biclique Cryptanalysis of AES |date=2015 |doi=10.1007/978-3-319-19962-7_3 |series=Lecture Notes in Computer Science |isbn=978-3-319-19962-7
This is a very small gain, as a 126-bit key (instead of 128 bits) would still take billions of years to brute force on current and foreseeable hardware. Also, the authors calculate the best attack using their technique on AES with a 128-bit key requires storing 2<sup>88</sup> bits of data. That works out to about 38 trillion terabytes of data, which was more than all the data stored on all the computers on the planet in 2016.<ref>{{cite web |author=Jeffrey Goldberg |title=AES Encryption isn't Cracked |url=https://blog.agilebits.com/2011/08/18/aes-encryption-isnt-cracked/ |access-date=30 December 2014 |url-status=dead |archive-url=https://web.archive.org/web/20150108165723/https://blog.agilebits.com/2011/08/18/aes-encryption-isnt-cracked/ |archive-date=8 January 2015 |date=2011-08-18}}</ref> A paper in 2015 later improved the space complexity to 2<sup>56</sup> bits,<ref name=":0"/> which is 9007 terabytes (while still keeping a time complexity of 2<sup>126.2</sup>).
| |||