A pipeline architecture for factoring large integers with the quadratic sieve algorithm
SIAM Journal on Computing - Special issue on cryptography
The Design of Rijndael
Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Improved Cryptanalysis of Rijndael
FSE '00 Proceedings of the 7th International Workshop on Fast Software Encryption
Factoring Large Numbers with the Twinkle Device (Extended Abstract)
CHES '99 Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems
Area-Throughput Trade-Offs for Fully Pipelined 30 to 70 Gbits/s AES Processors
IEEE Transactions on Computers
Non-wafer-Scale Sieving Hardware for the NFS: Another Attempt to Cope with 1024-Bit
EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
Collision Search for Elliptic Curve Discrete Logarithm over GF(2m) with FPGA
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
IEEE Transactions on Computers
New Related-Key Boomerang Attacks on AES
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
New Impossible Differential Attacks on AES
INDOCRYPT '08 Proceedings of the 9th International Conference on Cryptology in India: Progress in Cryptology
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Distinguisher and Related-Key Attack on the Full AES-256
CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Related-Key Cryptanalysis of the Full AES-192 and AES-256
ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Cryptanalysis of the DECT standard cipher
FSE'10 Proceedings of the 17th international conference on Fast software encryption
Breaking ciphers with COPACOBANA –a cost-optimized parallel code breaker
CHES'06 Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems
The boomerang attack on 5 and 6-round reduced AES
AES'04 Proceedings of the 4th international conference on Advanced Encryption Standard
Related-Key boomerang and rectangle attacks
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
AFRICACRYPT'10 Proceedings of the Third international conference on Cryptology in Africa
A simpler sieving device: combining ECM and TWIRL
ICISC'06 Proceedings of the 9th international conference on Information Security and Cryptology
Improved time-memory trade-offs with multiple data
SAC'05 Proceedings of the 12th international conference on Selected Areas in Cryptography
A cryptanalytic time-memory trade-off
IEEE Transactions on Information Theory
Related-key rectangle attacks on reduced AES-192 and AES-256
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Hi-index | 0.00 |
The block cipher Rijndael has undergone more than ten years of extensive cryptanalysis since its submission as a candidate for the Advanced Encryption Standard (AES) in April 1998. To date, most of the publicly-known cryptanalytic results are based on reduced-round variants of the AES (respectively Rijndael) algorithm. Among the few exceptions that target the full AES are the Related-Key Cryptanalysis (RKC) introduced at ASIACRYPT 2009 and attacks exploiting Time-Memory-Key (TMK) trade-offs such as demonstrated at SAC 2005. However, all these attacks are generally considered infeasible in practice due to their high complexity (i.e. 299.5 AES operations for RKC, 280 for TMK). In this paper, we evaluate the cost of cryptanalytic attacks on the full AES when using special-purpose hardware in the form of multi-core AES processors that are designed in a similar way as modern Graphics Processing Units (GPUs) such as the NVIDIA GT200b. Using today's VLSI technology would allow for the implementation of a GPU-like processor reaching a throughput of up to 1012 AES operations per second. An organization able to spend one trillion US$ for designing and building a supercomputer based on such processors could theoretically break the full AES in a time frame of as little as one year when using RKC, or in merely one month when performing a TMK attack. We also analyze different time-cost trade-offs and assess the implications of progress in VLSI technology under the assumption that Moore's law will continue to hold for the next ten years. These assessments raise some concerns about the long-term security of the AES.