As AES progresses through multiple rounds, approximately how does its security increase round by round up to its maximum? I'm curious about the shape of the curve. Is it linear, some kind of exponential, a power law curve, etc.?
1 Answer
A few data points for AES-128. In 2018 Bar-On, Dunkelman, Keller, Ronen and Shamir described a 32-bit attack on 5-round AES (attack complexity here is the maximum of data, memory and computation requirements) and claimed a 99-bit attack on 7-round AES. The 2011 biclique cryptanalysis paper of Bogdanov, Khovratovich and Rechberger claims a 125.4-bit attack on 8 rounds and a 126.18-bit attack on 10 rounds. I'll claim a 128-bit attack against 11 rounds :-)
Based on our current knowledge then, perhaps it looks like an S-curve? Of course cryptanalytic effort has focussed strongly on larger numbers of rounds and I'd be hesitant to hypothesise any security vs. rounds function based on this.
ETA: The quoted figures for 8 and 10 rounds were for a related-key biclique attack. The current best generic attack for 10 rounds is $2^{126.01}$.