biclique Attack on Bitcoin is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly Attack on Bitcoined rounds by the MITM Attack on Bitcoin. Since biclique cryptanalysis is based on MITM Attack on Bitcoins, it is applicable to both block ciphers and (iterated) hash-functions. Biclique Attack on Bitcoins are known for having broken both full AES[1] and full IDEA,[2] though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.[3]

The biclique Attack on Bitcoin is still (as of April 2019) the best publicly known single-key Attack on Bitcoin on AES. The computational complexity of the Attack on Bitcoin is {\displaystyle 2^{126.1}}, {\displaystyle 2^{189.7}} and {\displaystyle 2^{254.4}} for AES128, AES192 and AES256, respectively. It is the only publicly known single-key Attack on Bitcoin on AES that Attack on Bitcoins the full number of rounds.[1] Previous Attack on Bitcoins have Attack on Bitcoined round reduced variants (typically variants reduced to 7 or 8 rounds).

As the computational complexity of the Attack on Bitcoin is {\displaystyle 2^{126.1}}, it is a theoretical Attack on Bitcoin, which means the security of AES has not been broken, and the use of AES remains relatively secure. The biclique Attack on Bitcoin is nevertheless an interesting Attack on Bitcoin, which suggests a new approach to performing cryptanalysis on block ciphers. The Attack on Bitcoin has also rendered more information about AES, as it has brought into question the safety-margin in the number of rounds used therein.

The original MITM Attack on Bitcoin was first suggested by Diffie and Hellman in 1977, when they discussed the cryptanalytic properties of DES.[4] They argued that the key-size was too small, and that reapplying DES multiple times with different keys could be a solution to the key-size; however, they advised against using double-DES and suggested triple-DES as a minimum, due to MITM Attack on Bitcoins (MITM Attack on Bitcoins can easily be applied to double-DES to reduce the security from {\displaystyle 2^{56*2}} to just {\displaystyle 2*2^{56}}, since one can independently bruteforce the first and the second DES-encryption if they have the plain- and ciphertext).

Since Diffie and Hellman suggested MITM Attack on Bitcoins, many variations have emerged that are useful in situations, where the basic MITM Attack on Bitcoin is inapplicable. The biclique Attack on Bitcoin variant was first suggested by Dmitry Khovratovich, Rechberger and Savelieva for use with hash-function cryptanalysis.[5] However, it was Bogdanov, Khovratovich and Rechberger who showed how to apply the concept of bicliques to the secret-key setting including block-cipher cryptanalysis, when they published their Attack on Bitcoin on AES. Prior to this, MITM Attack on Bitcoins on AES and many other block ciphers had received little attention, mostly due to the need for independent key bits between the two ‘MITM subciphers’ in order to facilitate the MITM Attack on Bitcoin — something that is hard to achieve with many modern key schedules, such as that of AES.

## The biclique

For a general explanation of what a biclique structure is, see the article for bicliques.

In a MITM Attack on Bitcoin, the keybits {\displaystyle K_{1}} and {\displaystyle K_{2}}, belonging to the first and second subcipher, need to be independent; that is, they need to be independent of each other, else the matched intermediate values for the plain- and ciphertext cannot be computed independently in the MITM Attack on Bitcoin (there are variants of MITM Attack on Bitcoins, where the blocks can have shared key-bits. See the 3-subset MITM Attack on Bitcoin). This property is often hard to exploit over a larger number of rounds, due to the diffusion of the Attack on Bitcoined cipher.
Simply put: The more rounds you Attack on Bitcoin, the larger subciphers you will have. The larger subciphers you have, the fewer independent key-bits between the subciphers you will have to bruteforce independently. Of course, the actual number of independent key-bits in each subcipher depends on the diffusion properties of the key-schedule.

The way the biclique helps with tackling the above, is that it allows one to, for instance, Attack on Bitcoin 7 rounds of AES using MITM Attack on Bitcoins, and then by utilizing a biclique structure of length 3 (i.e. it covers 3 rounds of the cipher), you can map the intermediate state at the start of round 7 to the end of the last round, e.g. 10 (if it is AES128), thus Attack on Bitcoining the full number of rounds of the cipher, even if it was not possible to Attack on Bitcoin that amount of rounds with a basic MITM Attack on Bitcoin.

The meaning of the biclique is thus to build a structure effectively, which can map an intermediate value at the end of the MITM Attack on Bitcoin to the ciphertext at the end. Which ciphertext the intermediate state gets mapped to at the end, of course depends on the key used for the encryption. The key used to map the state to the ciphertext in the biclique, is based on the keybits bruteforced in the first and second subcipher of the MITM Attack on Bitcoin.

The essence of biclique Attack on Bitcoins is thus, besides the MITM Attack on Bitcoin, to be able to build a biclique structure effectively, that depending on the keybits {\displaystyle K_{1}} and {\displaystyle K_{2}} can map a certain intermediate state to the corresponding ciphertext.

## How to build the biclique

### Bruteforce

Get {\displaystyle 2^{d}} intermediate states and {\displaystyle 2^{d}} ciphertexts, then compute the keys that maps between them. This requires {\displaystyle 2^{2d}} key-recoveries, since each intermediate state needs to be linked to all ciphertexts.

### Independent related-key differentials

(This method was suggested by Bogdanov, Khovratovich and Rechberger in their paper: Biclique Cryptanalysis of the Full AES[1])

Preliminary:
Remember that the function of the biclique is to map the intermediate values, {\displaystyle S}, to the ciphertext-values, {\displaystyle C}, based on the key {\displaystyle K[i,j]} such that:
{\displaystyle \forall i,j:S_{j}{\xrightarrow[{f}]{K[i,j]}}C_{i}}

Procedure:
Step one: An intermediate state({\displaystyle S_{0}}), a ciphertext({\displaystyle C_{0}}) and a key({\displaystyle K[0,0]}) is chosen such that: {\displaystyle S_{0}{\xrightarrow[{f}]{K[0,0]}}C_{o}}, where {\displaystyle f} is the function that maps an intermediate state to a ciphertext using a given key. This is denoted as the base computation.

Step two: Two sets of related keys of size {\displaystyle 2^{d}} is chosen. The keys are chosen such that:

• The first set of keys are keys, which fulfills the following differential-requirements over {\displaystyle f} with respect to the base computation: {\displaystyle 0{\xrightarrow[{f}]{\Delta _{i}^{K}}}\Delta _{i}}
• The second set of keys are keys, which fulfills the following differential-requirements over {\displaystyle f} with respect to the base computation: {\displaystyle \nabla _{j}{\xrightarrow[{f}]{\nabla _{j}^{K}}}0}
• The keys are chosen such that the trails of the {\displaystyle \Delta _{i}}– and {\displaystyle \nabla _{j}}-differentials are independent – i.e. they do not share any active non-linear components.

In other words:
An input difference of 0 should map to an output difference of {\displaystyle \Delta _{i}} under a key difference of {\displaystyle \Delta _{i}^{K}}. All differences are in respect to the base computation.
An input difference of {\displaystyle \nabla _{j}} should map to an output difference of 0 under a key difference of {\displaystyle \nabla _{J}^{K}}. All differences are in respect to the base computation.

Step three: Since the trails do not share any non-linear components (such as S-boxes), the trails can be combined to get:
{\displaystyle 0{\xrightarrow[{f}]{\Delta _{i}^{K}}}\Delta _{i}\oplus \nabla _{j}{\xrightarrow[{f}]{\nabla _{j}^{K}}}0=\nabla _{j}{\xrightarrow[{f}]{\Delta _{i}^{K}\oplus \nabla _{j}^{K}}}\Delta _{i}},
which conforms to the definitions of both the differentials from step 2.
It is trivial to see that the tuple {\displaystyle (S_{0},C_{0},K[0,0])} from the base computation, also conforms by definition to both the differentials, as the differentials are in respect to the base computation. Substituting {\displaystyle S_{0},C_{0}} {\displaystyle K[0,0]} into any of the two definitions, will yield {\displaystyle 0{\xrightarrow[{f}]{0}}0} since {\displaystyle \Delta _{0}=0,\nabla _{0}=0} and {\displaystyle \Delta _{0}^{K}=0}.
This means that the tuple of the base computation, can also be XOR’ed to the combined trails: {\displaystyle S_{0}\oplus \nabla _{j}{\xrightarrow[{f}]{K[0,0]\oplus \Delta _{i}^{K}\oplus \nabla _{j}^{K}}}C_{0}\oplus \Delta _{i}}

Step four: It is trivial to see that:
{\displaystyle S_{j}=S_{0}\oplus \nabla _{j}}
{\displaystyle K[i,j]=K[0,0]\oplus \Delta _{i}^{K}\oplus \nabla _{j}^{K}}
{\displaystyle C_{i}=C_{0}\oplus \Delta _{i}}
If this is substituted into the above combined differential trails, the result will be:
{\displaystyle S_{j}{\xrightarrow[{f}]{K[i,j]}}C_{i}}
Which is the same as the definition, there was earlier had above for a biclique:
{\displaystyle \forall i,j:S_{j}{\xrightarrow[{f}]{K[i,j]}}C_{i}}

It is thus possible to create a biclique of size {\displaystyle 2^{2d}} ({\displaystyle 2^{2d}} since all {\displaystyle 2^{d}} keys of the first set of keys, can be combined with the {\displaystyle 2^{d}} keys from the second set of keys). This means a biclique of size {\displaystyle 2^{2d}} can be created using only {\displaystyle 2*2^{d}} computations of the differentials {\displaystyle \Delta _{i}} and {\displaystyle \nabla _{j}} over {\displaystyle f}. If {\displaystyle \Delta _{i}\neq \nabla _{j}} for {\displaystyle i+j>0} will also be different in the biclique.

This way is how the biclique is constructed in the leading biclique Attack on Bitcoin on AES. There are some practical limitations in constructing bicliques with this technique. The longer the biclique is, the more rounds the differential trails has to cover. The diffusion properties of the cipher, thus plays a crucial role in the effectiveness of constructing the biclique.

### Other ways of constructing the biclique

Bogdanov, Khovratovich and Rechberger also describe another way to construct the biclique, called ‘Interleaving Related-Key Differential Trails’ in the article: “Biclique Cryptanalysis of the Full AES[1]“.

## Biclique Cryptanalysis procedure

Step one: The Attack on Bitcoiner groups all possible keys into key-subsets of size {\displaystyle 2^{2d}} for some {\displaystyle d}, where the key in a group is indexed as {\displaystyle K[i,j]} in a matrix of size {\displaystyle 2^{d}\times 2^{d}}. The Attack on Bitcoiner splits the cipher into two sub-ciphers, {\displaystyle f} and {\displaystyle g} (such that {\displaystyle E=f\circ g}), as in a normal MITM Attack on Bitcoin. The set of keys for each of the sub-ciphers is of cardinality {\displaystyle 2^{d}}, and is called {\displaystyle K[i,0]} and {\displaystyle K[0,j]}. The combined key of the sub-ciphers is expressed with the aforementioned matrix {\displaystyle K[i,j]}.

Step two: The Attack on Bitcoiner builds a biclique for each group of {\displaystyle 2^{2d}} keys. The biclique is of dimension-d, since it maps {\displaystyle 2^{d}} internal states, {\displaystyle S_{j}}, to {\displaystyle 2^{d}} ciphertexts, {\displaystyle C_{i}}, using {\displaystyle 2^{2d}} keys. The section “How to build the biclique” suggests how to build the biclique using “Independent related-key differentials”. The biclique is in that case built using the differentials of the set of keys, {\displaystyle K[i,0]} and {\displaystyle K[0,j]}, belonging to the sub-ciphers.

Step three: The Attack on Bitcoiner takes the {\displaystyle 2^{d}} possible ciphertexts, {\displaystyle C_{i}}, and asks a decryption-oracle to provide the matching plaintexts, {\displaystyle P_{i}}.

Step four: The Attack on Bitcoiner chooses an internal state, {\displaystyle S_{j}} and the corresponding plaintext, {\displaystyle P_{i}}, and performs the usual MITM Attack on Bitcoin over {\displaystyle f} and {\displaystyle g} by Attack on Bitcoining from the internal state and the plaintext.

Step five: Whenever a key-candidate is found that matches {\displaystyle S_{j}} with {\displaystyle P_{i}}, that key is tested on another plain-/ciphertext pair. if the key validates on the other pair, it is highly likely that it is the correct key.

## Example Attack on Bitcoin

The following example is based on the biclique Attack on Bitcoin on AES from the paper “Biclique Cryptanalysis of the Full AES[1]“.
The descriptions in the example uses the same terminology that the authors of the Attack on Bitcoin used (i.e. for variable names, etc).
For simplicity it is the Attack on Bitcoin on the AES128 variant that is covered below.
The Attack on Bitcoin consists of a 7-round MITM Attack on Bitcoin with the biclique covering the last 3 rounds.

### Key partitioning

The key-space is partitioned into {\displaystyle 2^{112}} groups of keys, where each group consist of {\displaystyle 2^{16}} keys.
For each of the {\displaystyle 2^{112}} groups, a unique base-key {\displaystyle K[0,0]} for the base-computation is selected.
The base-key has two specific bytes set to zero, shown in the below table (which represents the key the same way AES does in a 4×4 matrix for AES128):
{\displaystyle {\begin{bmatrix}-&-&-&0\\0&-&-&-\\-&-&-&-\\-&-&-&-\end{bmatrix}}}

The remaining 14 bytes (112 bits) of the key is then enumerated. This yields {\displaystyle 2^{112}} unique base-keys; one for each group of keys.
The ordinary {\displaystyle 2^{16}} keys in each group is then chosen with respect to their base-key. They are chosen such that they are nearly identical to the base-key. They only vary in 2 bytes (either the {\displaystyle i}‘s or the {\displaystyle j}‘s) of the below shown 4 bytes:
{\displaystyle {\begin{bmatrix}-&-&i&i\\j&-&j&-\\-&-&-&-\\-&-&-&-\end{bmatrix}}}

This gives {\displaystyle 2^{8}K[i,0]} and {\displaystyle 2^{8}K[0,j]}, which combined gives {\displaystyle 2^{16}} different keys, {\displaystyle K[i,j]}. these {\displaystyle 2^{16}} keys constitute the keys in the group for a respective base key.

### Biclique construction

{\displaystyle 2^{112}} bicliques is constructed using the “Independent related-key differentials” technique, as described in the “How to construct the biclique” section.
The requirement for using that technique, was that the forward- and backward-differential trails that need to be combined, did not share any active non-linear elements. How is it known that this is the case?
Due to the way the keys in step 1 is chosen in relation to the base key, the differential trails {\displaystyle \Delta _{i}} using the keys {\displaystyle K[i,0]} never share any active S-boxes (which is the only non-linear component in AES), with the differential trails {\displaystyle \nabla _{j}} using the key {\displaystyle K[0,j]}. It is therefore possible to XOR the differential trails and create the biclique.

### MITM Attack on Bitcoin

When the bicliques are created, the MITM Attack on Bitcoin can almost begin. Before doing the MITM Attack on Bitcoin, the {\displaystyle 2^{d}} intermediate values from the plaintext:
{\displaystyle P_{i}{\xrightarrow[{}]{K[i,0]}}{\xrightarrow[{v_{i}}]{}}},
the {\displaystyle 2^{d}} intermediate values from the ciphertext:
{\displaystyle {\xleftarrow[{v_{j}}]{}}{\xleftarrow[{}]{K[0,j]}}S_{j}},
and the corresponding intermediate states and sub-keys {\displaystyle K[i,0]} or {\displaystyle K[0,j]}, are precomputed and stored, however.

Now the MITM Attack on Bitcoin can be carried out. In order to test a key {\displaystyle K[i,j]}, it is only necessary to recalculate the parts of the cipher, which is known will vary between {\displaystyle P_{i}{\xrightarrow[{}]{K[i,0]}}{\xrightarrow[{v_{i}}]{}}} and {\displaystyle P_{i}{\xrightarrow[{}]{K[i,j]}}{\xrightarrow[{v_{i}}]{}}}. For the backward computation from {\displaystyle S_{j}} to {\displaystyle {\xleftarrow[{v_{j}}]{}}}, this is 4 S-boxes that needs to be recomputed. For the forwards computation from {\displaystyle P_{i}} to {\displaystyle {\xrightarrow[{v_{i}}]{}}}, it is just 3 (an in-depth explanation for the amount of needed recalculation can be found in “Biclique Cryptanalysis of the full AES[1]” paper, where this example is taken from).

When the intermediate values match, a key-candidate {\displaystyle K[i,j]} between {\displaystyle P_{i}} and {\displaystyle S_{j}} is found. The key-candidate is then tested on another plain-/ciphertext pair.

### Results

This Attack on Bitcoin lowers the computational complexity of AES128 to {\displaystyle 2^{126.18}}, which is 3–5 times faster than a bruteforce approach. The data complexity of the Attack on Bitcoin is {\displaystyle 2^{88}} and the memory complexity is {\displaystyle 2^{8}}.