Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Schneier on the AES

By Dacta in Technology
Mon Oct 16, 2000 at 09:38:37 PM EST
Tags: Software (all tags)
Software

In the latest issue of Bruce Schneier's Crypto-Gram newsletter, he talks about the selection of Rijndael as the final candidate for the Advanced Encryption Standard (AES) (About two-thirds the way down the page).


A quote from the article:

Rijndael was not my first choice, but it was one of the three algorithms I thought suitable for the standard. The Twofish team performed extensive cryptanalysis of Rijndael, and will continue to do so. While it was not the most secure choice (NIST said as much in their report), I do not believe there is any risk in using Rijndael to encrypt data.

I've been following it on and off over the time the it has been running, and I've been fairly impressed by the level of the discussion.

I think most people agree that one of the main reasons Rijndael was selected (over TwoFish, for instance) was the ease of implementation. Personally, I agree with this priority, but I can see an arguement that would state that most people are going to be used (presumably well-implemented) libraries for their encryption, so we shouldn't worry to much about it.

Should this have been as high a priority as it appears to have been, or was this appropriate, especially given that many hardware implementations will probably be created, which will be difficult to upgrade in the even of any problems?

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o latest issue
o Advanced Encryption Standard
o Also by Dacta


Display: Sort:
Schneier on the AES | 37 comments (34 topical, 3 editorial, 0 hidden)
Power attacks (3.63 / 11) (#4)
by tarka on Mon Oct 16, 2000 at 09:59:16 PM EST

It appears that one of the major concerns for the NIST in this decision. Rijndael is the only entrant that could be implemented to defend against these attacks without seriously hurting performance. It seems that ultra-strong theoretical security isn't important as defending against real-world hardware attacks. "Strong enough" is good enough. Schneier agrees with this too, in principle.


Tarka
"The comfort you demanded is now mandatory" -- Jello Biafra

What is a "Power Attack"? (2.60 / 5) (#5)
by Dacta on Mon Oct 16, 2000 at 10:16:02 PM EST



[ Parent ]
Power Attacks (5.00 / 5) (#9)
by nekonoir on Tue Oct 17, 2000 at 01:46:42 AM EST

Because one of the criteria for AES was smartcard implementations,
analysis of EMF/power consumption is a potential attack on your
encryption. Rijndael has almost *no* signature, due to the fact it
uses lots of XORs and no 'conventional' arithmetic. Twofish, OTOH
has a cyclic power/EMF signature that *may* allow a very gifted
cryptanalyst/hardware hacker to break that instance.

Shamelessly reworded from a discussion on *the other site*.

Oh I read both the Counterpane AES reports too.

Cheers
Daniel

[ Parent ]
Thermal Attacks (3.25 / 4) (#16)
by Garc on Tue Oct 17, 2000 at 10:47:36 AM EST

Also somewhat related, is the possibility of someone watching the very minute charges to temperature of smartcards. I'm not very well versed on this, or how it would work. Anyone have any more info?

garc
--
Tomorrow is going to be wonderful because tonight I do not understand anything. -- Niels Bohr
[ Parent ]
Really? (4.66 / 3) (#20)
by jovlinger on Tue Oct 17, 2000 at 03:37:37 PM EST

I thought power attacks were only applicable against ciphers where you had key-dependent operations. Like RSA, where the speed of encryption depends on the length of the key you are multiplying with. Thus, measuring the time it takes to encrypt data allows you to cut down the search space for the brute force attempt.

In which way is this applicable to any fiestel cipher (such as Two/Blow fish or DES)? I just don't see it.

Mind you, I'm not doubting you here, as many people much more versed in crypto arcana than I have said the same thing.

[ Parent ]
Ee: Really? (5.00 / 3) (#23)
by calmacil on Tue Oct 17, 2000 at 03:54:25 PM EST

Usually you see power attacks descussed with things like RSA, because they're easier[0]. But if an algorithm uses too many things like multiplications, or key-dependant rotations and the like, as opposed to S-boxes and XORs, then, in theory, a skilled attacker could gain some information about the key.
   -calmacil

[0] for values of easy that aren't very easy

[ Parent ]
See http://www.cryptography.com/dpa/index.html (4.50 / 2) (#28)
by Paul Crowley on Tue Oct 17, 2000 at 07:14:14 PM EST

Cryptography Research - Differential Power Analysis is by the inventors and has a lot of good info.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
Ahh (Timing Attacks?) (3.50 / 2) (#29)
by Dacta on Tue Oct 17, 2000 at 07:22:04 PM EST

Yes, I've read about them.

I was under the impression that neither Rijndael or TwoFish were vulnarable to this type of attack (or am I confusing this with Timing attacks, where you may be able to work out some information about the key by how long it takes to encrypt carefully selected information"?



[ Parent ]
Power/Thermal attacks (none / 0) (#32)
by scott@b on Wed Oct 18, 2000 at 11:59:33 AM EST

Note that power attacks, while a real threat, are currently more important then they need be because many of the hardware implementations haven't worried about this. Picking a method that is easy to implement as a contant path/power design helps a lot. But if you make it tough to open the smartcard and keep it functional, then relatively simple filtering and energy storage greatly reduces the practicbility of power analysis. Clock jittering also helps, as does designs that "smear" the execution of any single step of the process.

Consider a smartcard that contains a small energy storage device, one of the current "super-caps" or ion batteries. The card's outer envelop is shielding, the signal pins can be internally shorted to ground. The card gets plugged in, gets a small charge onits storage device, gets the data it needs to crunch on, shorts its signal pins, performs the operations, restores the signal pins and sends the results. Repeat as needed. The storage device decouples the card's power external consumption from the short term fluctuations caused by the computations, the shielding and pin shorting reduces EM radiation of the computations.

I don't think that thermal attacks are practical. The thermal mass of even a smartcard is fairly high compared to the time resolution needed to track the processing. If you opened the card and watched the chip you might be able to make out the thermal signatures of chunks of the circuitry heating and cooling as it pulls more or less power. But even there I would think that the chip's thermal mass would tnd to level out fast changes. Sandwiching the chip between a couple of slabs of BeO would take card of that, if the BeO provided some conductors used to provide routing to areas on the chip (an extra layer of metallization, in effect) then pulling the sandwich apart would be counterproductive.



[ Parent ]

I've seen a few things that make me more worried.. (none / 0) (#34)
by trhurler on Wed Oct 18, 2000 at 02:12:40 PM EST

than you are. In particular, you don't really care whether Billy Bob in his barn can hack your smartcard. You DO care if, say, a well financed criminal organization can do it. Things like metallic-film tamperproofing are hard to remove - but if you get the right gear, they're trivial to remove. Some of what I've seen is laser processes designed to do just this, but for different(and legitimate, as it turns out,) reasons. I've talked to people working on, of all things, genetic manipulation of bacteria to cause them to selectively destroy certain substances. Depending on the design, even with metal film shielding, it may be practical to use modified radiation signature attacks without ever attacking the card itself physically; if thermal won't work, EM probably will. There are other ways, and they all involve gear. Gear costs money. Organized criminals have money. You cannot count on any sort of "tamperproofing." It simply is not the case that a device can defend itself against essentially unlimited resources while still being cheap to manufacture. This makes devices that have no useful power variations to measure quite attractive.


--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
However ... (none / 0) (#36)
by scott@b on Wed Oct 18, 2000 at 03:54:17 PM EST

If someone has your card and the time to tear it apart, then a SEM will let them read the executing code+data, no matter what the power fluctuations are like. No need for any fancy bacteria or whatever, just standard shave the layers off.

So starting with money-bearing smart cards :
But if your card is missing then, like your checkbook or conventional credit card, you should notice this and get it deactivated. Figuring out something by any external analysis takes some time.

The real danger is in someone "sniffing" transactions in cercumstances where the card's user feels secure, being unaware that they are being hacked. In that case the card's owner has no reason to turn off their card, until the weird transactions turn up on the record.

Now for smart cards carrying personal information such as medical records, access code, and the like :
The theft of such a card would be of greater concern, if simple because of the amount of effort needed to secure anything threatened by revealed passcodes. Personal information - once that's uncovered then it's too late, a good reason to make such cards as secure as possible. But as I said at the start, if they have physical possesion of the card then uniform power consumtion won't stop the card from being cracked.

So long as someone else doesn't have physical control of the card, there are a number of methods to make it tough to snoop on the card's operation to crack it. The same methods used to protect a card/button from being opened for SEM reading can (and should) be used to protect it from being opened to defeat power/signal filtering.

Part of the point of putting conductive traces on the outer layers is to make it more work to make the card function after pulling those layers off - they are part of the traces just as t he metal on the chip itself. It is possible to make a chip such that it scrambles its contents if some of those connections are broken, making the problem even more difficult. Kill the card's internal keep-alive power and the chip randomises itself, pull the outer layers of the chip and the chip randomises itself.

And making the card that it does - receive data, isolate from the world, crunch data, connect to the world, transmit data - can really reduce EM snooping, unless the snooper has the card in their hands (in which case, see the start of the msg.) Slows things down a bit, note enough to matter I believe. You could even use optical coupling in a shrouded connector to reduce EM transmissions when exchanging data.

[ Parent ]

Rijndael=AES implies TWOFISH safe for use (2.45 / 11) (#6)
by redelm on Mon Oct 16, 2000 at 10:48:40 PM EST

Look, I don't want to get too conspiratorial, but does anyone seriously believe that the NIST, advised by the NSA would choose an encryption scheme they couldn't break?

Wars have been won and lost on encryption, and the NSA isn't about to have any encryption used as heavily as AES to be totally beyond their reading. It would violate their charter.

I would expect that they've found some _really_ obscure flaw in Rijndael that they don't expect anyone else to find. Or at least, not to publish even if they exploit it. The flaw should be subtile or the NSA loses face. OTOH this may not be such a bad piece of disinformation from the NSA PoV.

The conclusion I draw is that TWOFISH is probably safe for use by those who consider the NSA (and TLA allies) as a potential adversary.


Like DES (not!) (4.27 / 11) (#7)
by Dacta on Mon Oct 16, 2000 at 11:49:53 PM EST

I guess you mean sort of like the way the NSA intervened in the design of the S-Boxes of DES? Everyone assumed that was to make them weaker.

It turned out that the NSA's changes actually made them stronger against some types of attack. These attacks (differential cryptanalysis) weren't know in unclassified cricles until 20 (or so) years later, but they were actually developed by IBM during the design of DES. (See http://www.counterpane.com/crypto-gram-0006.html#DES)

I know some people will choose believe the consipricy theories. Personally, I think that it is unlikely the NSA knows of a real world attack on Rijndael. I might believe that they know of the possibilty of a academic attack on it that weakens it enough that they can use brute force on it, in exceptional circumstances. I'd expect the rest of the world to find this attack soon, but be unable to exploit it beacuse of a lack of computing power.

Look at DES. The NSA helped design that, and to this day no attack is better than brute force on it. That's pretty impressive.

As for TwoFish, even if you assume that the NSA has a break for Rijndael, what makes you think TwoFish is any safer? I think if the NSA can break (not brute force)Rijndael, then they can probably break all the AES candidates.

Don't forget that the AES selection process is the most one of the most rigourous processes ever. You put your algorithm up, and have a whole lot of the best mathematicians in the world try to destroy it. Don't forget these guys are highly motivated, too - even an academic attack on one of the AES candidates guarrentees you fame for life. That's ignoring the commercial pressure - if a company had been able to say "We designed AES", then imagine how much money they could have made in security consulting.





[ Parent ]
Not strictly accurate (3.50 / 6) (#10)
by Spinoza on Tue Oct 17, 2000 at 02:20:18 AM EST

Linear cryptanalysis is slightly better than brute force attacks on DES. It's just not much better.

[ Parent ]
Only in academic terms. (3.66 / 6) (#15)
by Paul Crowley on Tue Oct 17, 2000 at 08:32:04 AM EST

Linear cryptanalysis requires, IIRC, about 2^46 chosen plaintext-ciphertext pairs. A brute force attack is far more practical, as Deep Crack ( http://www.eff.org/descracker/ ) demonstrates.

However, it's interesting to speculate that perhaps the NSA didn't know about linear cryptanalysis...
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
The algorithm is not the weak link in the chain. (3.50 / 8) (#8)
by swr on Mon Oct 16, 2000 at 11:52:28 PM EST

I would expect that they've found some _really_ obscure flaw in Rijndael that they don't expect anyone else to find. Or at least, not to publish even if they exploit it. The flaw should be subtile or the NSA loses face. OTOH this may not be such a bad piece of disinformation from the NSA PoV.

There is one fatal flaw, but there is nothing obscure about it:

Rijndael will invariably be part of a system designed, implemented, and used by human beings.

The conclusion I draw is that TWOFISH is probably safe for use by those who consider the NSA (and TLA allies) as a potential adversary.

Go ahead and consider Twofish "probably safe". Feel secure in your communications using Twofish, because it's not the AES. Encrypt information with Twofish that you would never trust to Rijndael. Right?

I hope the NSA properly compensated you for posting that. ;)



[ Parent ]
NSA is not that bad (3.42 / 7) (#12)
by Potsy on Tue Oct 17, 2000 at 05:55:02 AM EST

As another poster pointed out, the NSA actually intervened in the creation of DES to make it stronger not weaker. The reason for this is that the NSA is charged not just with trying to break "the enemy"'s communications, but also with keeping the "good guy"'s (i.e., the U.S. Govt.'s) communications secure. Thus, they have a vested interest in making sure that any encryption standard designated for use by the U.S. government is secure. That's why they went to the extra effort in making DES more secure, even if everyone was suspicious about it for a while. And AES is supposed to be a replacement for DES, thus it is likely that they will again try to make it as secure as possible.

That said, the NSA has not been involved at all in the AES selection process up to this point, so all this speculation is moot anyway.

[ Parent ]

NSA will most likely not use AES that much (3.25 / 4) (#17)
by Garc on Tue Oct 17, 2000 at 10:54:53 AM EST

Quoted from Bruce's article:
The NSA's non-endorsement of AES was very carefully worded: "The National Security Agency (NSA) wishes to congratulate the National Institute of Standards and Technology on the successful selection of an Advanced Encryption Standard (AES). It should serve the nation well. In particular, NSA intends to use the AES where appropriate in meeting the national security information protection needs of the United States government."

The quote is attributed to Michael J. Jacobs, Deputy Director for Information Systems Security at the National Security Agency.

Note the last sentence. The NSA has not stated that it will use AES to protect classified information. The NSA has not stated that it will use AES widely. It has simply stated that, "where appropriate," it will use AES to meet its "national security information protection needs."

In the past, the NSA has, on occasion, used DES to protect what was known as "sensitive but unclassified" information -- personnel records, unclassified messages, etc. -- and we all know how secure DES is. My guess is that they will use AES to protect a similar level of information, in instances where buying commercial products that implement AES is a cheaper alternative to whatever custom alternatives there are.

It is possible that they will eventually use AES for classified information. This would be a good thing. But my guess is that many more years of internal cryptanalysis are required first.

You can read the quote here: <http://www.nist.gov/public_affairs/releases/aescomments.htm>

For posterity's sake, I should mention that I hyperlinked the URL, the rest is verbatim.

HTH,
garc
--
Tomorrow is going to be wonderful because tonight I do not understand anything. -- Niels Bohr
[ Parent ]

NSA have been involved in the selection process. (4.66 / 3) (#18)
by Paul Crowley on Tue Oct 17, 2000 at 02:03:08 PM EST

Look at the proceedings from the AES3 conference: "Hardware Performance Simulations of Round 2 Advanced Encryption Standard Algorithms", Bryan Weeks, Mark Bean, Tom Rozylowski, Chris Ficke, National Security Agency. I was at AES3 and there were about a dozen NSA guys there, with badges reading either NSA, National Security Agency, or DoD. I even chatted to one about the paper I'd presented at FSE2000 a few days beforehand - I kept doubletaking during the conversation, but he was perfectly sensible and well informed.

I still don't think well of the NSA, but they are human. At least the ones they send to conferences are human. Or well disguised. NSA guy: "Can I have a copy of your paper?" Slashdotter Nic Weaver: "Don't you have it already?" NSA guy: "That's tacky!"
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
NSA approved ALL FIVE final candidates. (4.00 / 9) (#13)
by Paul Crowley on Tue Oct 17, 2000 at 08:06:16 AM EST

NSA were effectively given a veto on the candidates before NIST made their decision. They reported they could see no reason why any of them should not win the competition.

Now either you think the NSA can break 32-round Serpent, or you're talking nonsense. For what it's worth I do not believe that the NSA attempted to intervene in the process to force a weaker candidate selection, but even if they had wanted to the way NIST ran the process was so transparent it woul have been very difficult to do so.

Rijndael is a good and worthy winner and I think we can be confident of its practical security.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
RE: Rijndael=AES implies TWOFISH safe for use (3.20 / 5) (#21)
by spaceghoti on Tue Oct 17, 2000 at 03:51:21 PM EST

In the words of a good friend of mine:

"There are two kinds of paranoia: absolute and insufficient."

No offense, but isn't conspiracy theory out of fashion?



"Humor. It is a difficult concept. It is not logical." -Saavik, ST: Wrath of Khan

[ Parent ]
Or to put it another way . . . (1.75 / 4) (#25)
by whuppy on Tue Oct 17, 2000 at 04:32:49 PM EST

"You can never be paranoid enough." - me

(I knew someone was going to steal my saying. I just knew it!)

[ Parent ]

Having seen full-blown clinical paranoia close up (3.50 / 2) (#31)
by Paul Crowley on Wed Oct 18, 2000 at 06:32:40 AM EST

Having seen full-blown clinical paranoia close up I'm very much inclined to disagree.

For what it's worth it doesn't make for good security engineering either. Read Bruce Schneier's "Secrets and Lies" - a little perspective goes a long way.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
Nope (3.00 / 3) (#35)
by trhurler on Wed Oct 18, 2000 at 02:28:17 PM EST

NSA probably knows a few tricks the world at large does not yet have, but practical attacks on well-built ciphers with 256 bit keys are not going to be among them. In the 1960s, paranoia was justifiable with respect to NSA, because they knew more about cryptography than -anyone.- However, even then, paranoid was -wrong.- NSA strengthened DES, rather than weakening it. These days, though, most cryptographers are not working for NSA, and most publish their work openly. Paranoia today is just an expression of the fact that you're one of those losers who thinks X-Files is a documentary. NSA has a vested interest in the security of AES, and they know that if they can break it, then it won't be long before others can too. (No, they don't use DES much, and won't use AES much either, at least for awhile, but they ARE chartered such that they have to protect the security of US government data, and lots of that will be encrypted using AES.)

All the AES candidates were approved by NSA. NSA, after saying, "yes, we like them all," had nothing more to do with the process; they could not have prevented NIST from selecting any given candidate. So, in addition to being paranoid, you are denying reality.


--
'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
Smells like team spirit (2.90 / 11) (#11)
by Akiramoeba on Tue Oct 17, 2000 at 05:54:18 AM EST

Looking back on all the keyboard wear 'n tear regarding this subject, it keeps amazing me how low below radar the SNR on the new AES is. True, I have plenty of sympathy for Rijndael, since I know the guys (well, at least one of them) and work at the department where it was developed. But I would at least expect some more insightful comments regarding elliptical curve encryption schemes, or technical info on Rijndael vs. Twofish - instead of this 'me like other team for brighter colors (ROAR)' arena thing. I mean, you can simply cut 'n paste the subject with anything from the presidential ellections to Coke vs. new Coke and 'what not'. Is there anybody out there who has actually looked at the freely available algorithms - or who has looked into the math at its foundations ? I mean, elliptical curves helped solve Fermat's theorem... a lot of interesting information can be shared on this subject. But for now, it's : 'Me intellectual, must shave back and bash meal over head'. *sigh*

huh? (3.00 / 4) (#22)
by jovlinger on Tue Oct 17, 2000 at 03:53:01 PM EST

I must admit that I thought I knew what elliptical curve was, but I can't figure out how it applies to rijndael or twofish or ANY symmetric cipher.

But then I'm uninformed (and not to hot at numberfield theory), and I also wear an aluminum lined baseball cap with my lucky 'coon tail attached to the back. You know, against the orbital mind control lasers.

Thus; I propose that you set the ball rolling by enlightening me, and I in return will take off cap (which is making a hellacious racket -- can't hear myself think) and try to understand.

[ Parent ]
Mathematical basis (3.00 / 5) (#26)
by Akiramoeba on Tue Oct 17, 2000 at 04:41:24 PM EST

You're right. Elliptic curves is used a lot for asymmetric encryption schemes. Rijndael is a symmetric block cypher. I have put things in a wrong perspective, where I wanted to show that I'm more interested in the basic (mathematical) principles underlying different encryption schemes. I myself don't know anything about this S-box stuff some of these schemes are operating with. And since that guy who invented is not in his office for a while, now that he's touring the world, I can't get the info first hand, unfortunately. Does that hat of yours take the craving away ? With all that pressure on the skull ? Anyway, the point that I wanted to make is exactly that people don't know what they're talking about (I'm the living proof 8). Instead, they turn this whole thing in 'pick a side and start shouting game'. It doesn't help me or anybody else to understand cryptography better if things are only expressed in 'it's made in the US, so it's better' term or any other arena/bumpersticker related terms (see /. and K5).

[ Parent ]
Rijndael is a great place to start learning! (4.25 / 4) (#30)
by Paul Crowley on Tue Oct 17, 2000 at 07:26:42 PM EST

Rijndael is certainly the most beautiful of the AES candidates, with an irresistable simplicity of design. If you can learn what arithmetic in GF(2^8) is all about, you can very quickly understand the cipher. From there, you can go on to understand the Square attack, or the proof that there are at least 25 active S-boxes in any 4-round trail. Brian Gladman's implementation is pretty readable, or you might prefer to implement it yourself - try doing the naive byte-level implementation for a change.

Cryptography is fascinating. Dive in.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
Good entry points (3.50 / 2) (#33)
by jovlinger on Wed Oct 18, 2000 at 02:10:22 PM EST

Actually, the best cipher for learning about general modern symmetric ciphers is probably DES. From that you pick up concepts such as key-schedules, f(ei/ie)stel networks, and s-boxes that crop up pretty much anywhere.

twofish and blowfish are both clearly in the DES family; while details such as what the mixing operations are, how to generate subkeys, et ali do vary substantially, the structures of these ciphers will be familiar to any and all who have looked at DES. Conservative design, you might say. This is a Good Thing.

Mars I believe was very different (memory is poor. May be I'm misattributing this from another entry), and predicated on a very different pedigree. This would likely have counted against it in the eyes of the judges.

I understand that rijndael is not a fiestel cipher, but I think it is based on very similar concepts. So once again, a conversant grasp of DES will allow you to quickly grasp the pertinent talking points.

[ Parent ]
Schneier thinks Rijndael will be broken in 5 years (4.50 / 10) (#14)
by Paul Crowley on Tue Oct 17, 2000 at 08:23:43 AM EST

...but this will be an *academic* break, completely useless to real attackers. Schneier also says that Rijndael is perfectly secure against any attacks that even the most resourceful attacker might be able to mount.

I'd rather have put the disclaimers in the headline but there wasn't room!

To clarify: Rijndael accepts up to a 256-bit key. In the academic crypto world, any attack cheaper than brute force which recovers the key counts as a break. OK, the attack might require all possible 2^128 plaintext-ciphertext pairs (the "entire codebook"), 2^240 compute cycles, and 2^240 memory: but that's fewer than the 2^256 cycles that brute force requires, so the attack counts as a break.

If you've any feel for how big big numbers are, you'll realise this attack is flat out impossible for any technology we can possibly imagine. I don't think the Universe is big enough to store 2^240 bytes of memory, for one thing. However, if I knew of such an attack, I'd publish straight away, and be feted as bright new star in the world of cryptanalysis. Right now I can't imagine how to get close to this goal.

For what it's worth, though, I think Schneier is probably right. He certainly knows as much as anyone in the world about breaking Rijndael, having put together the team that published the best attack (which is a related key attack, so it requires plaintext/ciphertext pairs from keys related to the target key as well as the target key itself - even this is fair game in the world of academic cryptanalisys) which breaks 9 rounds of a 14 round cipher with 2^224 steps. If someone can find a way to double the strength of the Square attack, the way David Wagner's "boomerang" doubles the strength of a differential attack, then we'll get all the way in.

Either way, Rijndael will soon be the world's best analysed cipher. And either way, I am entirely confident that no failing of Rijndael will ever result in a practical failing in any security system ever.
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
Well, if we're being academic.... (4.20 / 5) (#19)
by krlynch on Tue Oct 17, 2000 at 02:03:49 PM EST

I don't think the Universe is big enough to store 2^240 bytes of memory, for one thing.

As long as we're being academic and all, here's the Particle Physics take on this cosmologically interesting question:

  • 2^256 = 1.1 x 10^77
  • 2^240 = 1.8 x 10^72
  • Degrees of freedom in the universe (something like a measurement of the number of particles, sortof) = 10^80

Therefore, speaking academically, of course, you could carry on something like 1000 simultaneous brute force attacks, or 60million of your "academically gifted" attacks.....if you could somehow figure out to use all of the available "computational hardware".

Academically speaking, of course :-)

[ Parent ]

chaining (2.33 / 3) (#24)
by jovlinger on Tue Oct 17, 2000 at 03:58:31 PM EST

What is the chaining called that will allow you to effectively use a larger key than block? You need to use the ciphertext to modify the key, nah that doesn't work.

hrm. I can't think of any use where a chosen plaintext attack requiring 2^blocksize pairs wouldn't work. And if blocksize is < keysize, this would mean that any key larger than the blocksize would be a waste.

Of course, chosenplaintext is hard to engineer, but this would count as an academic break, no?

[ Parent ]
Larger key than block (4.50 / 2) (#27)
by Paul Crowley on Tue Oct 17, 2000 at 07:08:39 PM EST

The only block cipher with a *smaller* key than block I can think of is DES; most modern block ciphers apart from the AES candidates have a 64-bit block and 128-bit key. IDEA, for example. Yes, getting the codebook is for most purposes as good as recovering the key, but it's not the same as recovering the key for academic purposes. A key larger than the blocksize is for practical purposes useful wherever it's difficult for the attacker to recover the entire codebook: ie virtually all the time.

You can use a larger key than block in any encryption chaining mode I know of. Chaining modes which modify the key based on the message are used for hashing (eg the Davis-Meyer modes).
--
Paul Crowley aka ciphergoth. Crypto and sex politics. Diary.
[ Parent ]
Schneier Shows Professionalism (3.50 / 2) (#37)
by AnUnnamedSource on Thu Oct 19, 2000 at 08:32:25 AM EST

I have been a fan of Bruce since the first edition of Applied Cryptography. I awaited with some anticipation his reaction to the selection and was not disappointed. He could have had a "sour grapes" attitude about the whole thing, especially considering his financial interest in the business, but didn't. I think he showed his true character with his praise for NIST, the selection process, and for Rijndael.

-- "On second thought, let's not go there. 'Tis a silly place."



Schneier on the AES | 37 comments (34 topical, 3 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!