Archive for July, 2009
30 Jul

Two weeks ago we posted an article about a “possible” vulnerability in the AES algorithm. We said something like…

WOW! The cryptanalysis season has started…

… too prophetic!

After only a couple of days I learned, via Bruce Schneier’s blog, about a new, impressive and entirely practical vulnerability in the algorithm.

Bruce says:

This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is much more devastating. It is a completely practical attack against ten-round AES-256

Here is the abstract of the paper:

Abstract.
AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10 round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time).

The paper also explains the possibility of attacking an 11-round AES-256 with 2^70 time … not bad at all.

Anyway, no panic, for three simple reasons (again in Schneier's words):

  • The attack exploits the fact that the key schedule for 256-bit version is pretty lousy — something we pointed out in our 2000 paper — but doesn’t extend to AES with a 128-bit key.
  • It’s a related-key attack, which requires the cryptanalyst to have access to plaintexts encrypted with multiple keys that are related in a specific way.
  • The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.
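As an added illustration of the first two points (the weak diffusion of the AES-256 key schedule, and what “keys related in a specific way” means), here is a small Python implementation of the FIPS-197 key expansion together with a helper that traces how a one-byte difference between two keys spreads through the round keys. This is example code written for this page, not code from the blog or from the Biryukov et al. paper; the key expansion itself is the public standard algorithm, the 256-bit key is the FIPS-197 Appendix A.3 test vector, and the `round_key_byte_diffs` / `flip_byte` helpers and the related key pair are constructed for the demonstration.

```python
"""AES key expansion (FIPS-197 Section 5.2) plus a round-key difference tracer.

Added example: the key schedule is the public AES algorithm; the tracing helper
and the related key pair below are constructed here (assumptions), not taken
from the blog post or the paper it discusses.
"""


def _xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def _gf_mul(a, b):
    """Full multiplication in GF(2^8), used only to build the S-box."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(a):
    """a^254 == a^-1 in GF(2^8); 0 maps to 0 by convention."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r


def _make_sbox():
    """AES S-box = affine transform of the multiplicative inverse."""
    box = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for k in range(1, 5):  # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _make_sbox()


def _sub_word(w):
    return bytes(SBOX[b] for b in w)


def _rot_word(w):
    return w[1:] + w[:1]


def key_expansion(key):
    """Return the Nr+1 round keys (16 bytes each) for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nr = nk + 6
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            # Only this step rotates bytes across positions; it runs once per nk words.
            temp = _sub_word(_rot_word(temp))
            temp = bytes([temp[0] ^ rcon]) + temp[1:]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            # AES-256 only: extra byte-wise S-box step, no rotation.
            temp = _sub_word(temp)
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], temp)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(nr + 1)]


def flip_byte(key, index, delta=0x01):
    """Constructed related key: the same key with one byte XORed by delta."""
    k = bytearray(key)
    k[index] ^= delta
    return bytes(k)


def round_key_byte_diffs(key_a, key_b):
    """Number of bytes that differ in each round key of two related keys."""
    return [sum(x != y for x, y in zip(ra, rb))
            for ra, rb in zip(key_expansion(key_a), key_expansion(key_b))]


# FIPS-197 Appendix A.3 key-expansion test vector (published, not a secret).
FIPS_KEY_256 = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")

if __name__ == "__main__":
    rk = key_expansion(FIPS_KEY_256)
    print("w[8] =", rk[2][:4].hex())  # 9ba35411, matches FIPS-197 A.3
    for name, key in (("AES-128", FIPS_KEY_256[:16]), ("AES-256", FIPS_KEY_256)):
        print(name, "differing bytes per round key:",
              round_key_byte_diffs(key, flip_byte(key, 0)))
```

Running it shows the structural point behind the first bullet: with a single-byte difference in the first key word, AES-256 produces a round key 1 that is identical for both keys (the second 128 bits of the key are untouched), and the difference then grows only through XOR and the byte-wise S-box step until the next rotation, whereas AES-128 already has four differing bytes in round key 1. The second bullet is the defender's takeaway: an attack of this class only applies if the protocol actually lets an adversary obtain ciphertexts under keys with such a known relation, so session keys should come from a proper KDF rather than from, for instance, XORing counters or identifiers into a master key.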

Three exposures (1, 2 and this one) in less than three months… What’s next?


23 Jul

Next-generation fibers and superconducting detectors made the record possible:

http://www.physorg.com/news167390366.html

For technical details:

http://www.iop.org/EJ/article/1367-2630/11/7/075003/njp9_7_075003.pdf

06 Jul

Schneier wrote some days ago about a “non-brute-force attack” against the AES algorithm.

The paper is “Related-key Cryptanalysis of the Full AES-192 and AES-256”:

Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.

The authors mention a possible reduction of the complexity from 2^119 to about 2^110.5.

The attack is, and probably forever will be, theoretical. But remember: attacks always get better, they never get worse. Others will continue to improve on these numbers. While there’s no reason to panic, no reason to stop using AES, no reason to insist that NIST choose another encryption standard, this will certainly be a problem for some of the AES-based SHA-3 candidate hash functions.

We are meditating on that :)


06 Jul

http://arxiv.org/abs/quant-ph/0701168

Although the above link dates from January 2007, it is still very useful for understanding the state of the art of current QC. The paper contains some technicalities, but it remains very readable.


06 Jul

http://arxiv.org/abs/0904.4073

The above link contains the “SECOQC Business White Paper on QC”. SECOQC is the acronym of “Secure Communication based on Quantum Cryptography” and is the first serious European effort to build a QC-based network. However, the above link deals mainly with the commercial aspects of QC, so it is aimed at non-specialists. Enjoy!


01 Jul

Welcome to the CriptoCam web resource. We are working hard to put online all possible information about us.

Stay tuned! :-)