Two weeks ago, we posted an article about a “possible” vulnerability in the AES algorithm. We said something like…
WOW! The cryptanalysis season is started…
… too prophetic!
After only a couple of days I learned, via Bruce Schneier’s blog, about the existence of a new, impressive and very real vulnerability in the algorithm.
Bruce says:
This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is much more devastating. It is a completely practical attack against ten-round AES-256.
Here is the abstract of the paper:
Abstract.
AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems. In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2^39 time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10 round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time).
The paper also explains the possibility of attacking an 11-round AES-256 with 2^70 time … not too bad at all.
Anyway, no panic, for three simple reasons:
- The attack exploits the fact that the key schedule for 256-bit version is pretty lousy — something we pointed out in our 2000 paper — but doesn’t extend to AES with a 128-bit key.
- It’s a related-key attack, which requires the cryptanalyst to have access to plaintexts encrypted with multiple keys that are related in a specific way.
- The attack only breaks 11 rounds of AES-256. Full AES-256 has 14 rounds.
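The first of these reasons concerns the 256-bit key schedule. As an added example (not code from the post, from Schneier, or from the paper), the following Python implements the FIPS-197 key expansion and counts how many bytes of each round key change when two related keys differ in a single byte; the keys and the one-byte difference are constructed values.

```python
# Added example (not from the post or the paper): FIPS-197 key expansion, used to watch a one-byte related-key difference spread through AES-128 vs AES-256 round keys.

def gf_mul(a: int, b: int) -> int:
    # Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox() -> list:
    # AES S-box: multiplicative inverse in GF(2^8), then the affine map.
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):  # s ^= rotl(inv, i) for i = 1..4
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()
def expand_key(key: bytes) -> list:
    # Returns the Nr+1 round keys (16 bytes each) for a 16-, 24- or 32-byte key.
    nk = len(key) // 4       # key words: 4, 6 or 8
    nr = nk + 6              # rounds: 10, 12 or 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]              # extra SubWord: AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(nr + 1)]

def diff_per_round(key: bytes, delta: bytes) -> list:
    # Number of bytes differing in each round key between key and key XOR delta.
    k1, k2 = expand_key(key), expand_key(bytes(a ^ b for a, b in zip(key, delta)))
    return [sum(x != y for x, y in zip(r1, r2)) for r1, r2 in zip(k1, k2)]

if __name__ == "__main__":
    # Constructed related-key pair: the two keys differ in one bit of byte 0.
    for size in (16, 32):
        key, delta = bytes(range(size)), b"\x01" + b"\x00" * (size - 1)
        print(f"AES-{size * 8}: {diff_per_round(key, delta)}")
```

For a difference in the first key byte, AES-128 already has four changed bytes in round key 1 and six in round key 2, while AES-256 leaves round key 1 untouched and then changes only four bytes in each of round keys 2 and 3: the difference advances only every second round key, which is the slow diffusion behind Schneier's remark about the key schedule.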
Three exposures (1, 2 and this one) in less than three months… What’s next?

One Response to “Oops! AES did it again – Another practical attack”
[...] my personal “Cryptanalysis season“. Six months after the two works that drove a sharp stiletto into the sides of those who believed that AES and SHA-3 were the [...]