lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20031025002911.GA16949@dmv.math.uni-rostock.de>
Date: Sat, 25 Oct 2003 02:29:11 +0200
From: Christian Ruediger Bahls <christian.bahls@....de>
To: bugtraq@...urityfocus.com, Michael Sierchio <kudzu@...ebras.com>
Subject: Re: XLS Attack on AES (Rijndael)


[2003-10-25 00:20] Michael Sierchio <kudzu@...ebras.com> wrote:
> latte1@...hmail.com wrote:
> >I read, some time ago, about a new form of attack on
> >the AES algorithm: Rijndael...
> Largely FUD (or FUDGE, if you will), and the inference drawn (AESbroken)
> is unwarranted.  Robshaw and Murphy seem to be voicing an aesthetic
> objection to the marked linearity in the diffusion layer -- even though
> they clearly state that this offers no clear advantage to conventional
> linear and differential cryptanalysis.  Also note that Robshaw worked
> on RSA's finalist candidate (RC6) for AES, though he appears never to
> have been given adequate credit.
Robshaw and Murphy[1] just described an isomorphic way to express Rijndael.
more important is the paper by Courtois and Pieprzyk[2] in which they describe
an algebraic attack on Rijndael.

expressing Rijndael over GF(2^8) [BES .. as suggested by Robshaw and Murphy]
basicly improves the properties of the equations matrix.

i don't think the question in case is whether aes is broken now,
but whether it will be broken in 10 years from now ..

i don't think last years findings are just about aesthetic objections ..

niels ferguson has been talking about aes' algebraic properties at HAL 2001 ..
[niels has been involved with designing twofish - another AES finalist ..]

bruce schneier[co-developer of twofish ..] has some doubts too,
  quoted from http://www.schneier.com/crypto-gram-0209.html:
[...] Courtois and Pieprzyk posted a paper outlining a new attack against Rijndael (AES) and Serpent. The authors used words like "optimistic evaluation" and "might be able to break" to soften their claims, but the paper described a better-than-brute-force attack against Serpent, and possibly one against Rijndael as well.
Basically, the attack works by trying to express the entire algorithm as multivariate quadratic polynomials, and then using an innovative technique to treat the terms of those polynomials as individual variables. This gives you a system of linear equations in a quadratically large number of variables, which you have to solve. There are a bunch of minimization techniques, and several other clever tricks you can use to make the solution easier. (This is a gross oversimplification of the paper; read it for more detail.)
[...]
At Crypto 2002, Murply and Robshaw published a surprising result, allowing all of AES to be expressed in a single field. They postulated a cipher called BES that treats each AES byte as an 8-byte vector. BES operates on blocks of 128 bytes; for a special subset of the plaintexts and keys, BES is isomorphic to AES. This representation has several nice properties that may make it easier to cryptanalyze.

in cryptogram october 2002 he relativates that a bit ..
.. though there seems some disagreement about the papers refered to by schneier
   (especially a lot of Prof. Moh's claims seem to be doubted)


there has been an article in the "New Scientist"
(New Scientist vol 178 issue 2398 - 07 June 2003, page 36)[4]:
[you can browse their archive with a 7-day trial membership]

so one probably would suggest to read the papers,
 and follow the proceeding of (Any)Crypt closely ..

> The question to ask is:  How well does Rijndael meet the design goals
> established by the NIST?"  And the answer, quite simply, is: "very well."
yes if you are talking about differential crypt analysis and the likes ..
.. though from time to time there appear new attack methods
   that obsolete whole classes of algorithms

at least the findings mentioned above cast some shadows about the
usability of aes in the long-term future ..

i suggest reading [3] and working from there on
(i might be terribly wrong though .. algebra is not my major)

yours

christian bahls
  maths student
  university of rostock
  germany

footnotes:
[1] Essential Algebraic Structure Within the AES (2002)
    http://citeseer.nj.nec.com/murphy02essential.html
[2] Cryptanalysis of Block Ciphers with Overdefined Systems of Equations (2002)
    (Asiacrypt 2002, LNCS 2501, pp. 267-287, Springer. )
    http://citeseer.nj.nec.com/courtois02cryptanalysis.html
[3] Comments on the Security of the AES and the XSL Technique
    http://citeseer.nj.nec.com/548008.html
[4] http://archive.newscientist.com/secure/article/article.jsp?rp=1&id=mg17823985.000
    [this link might be customized and will probably not work then]
-- 
  if you have an interesting or even challenging internship to offer ..
  please do not hesitate to contact me [am finishing my diploma] ..



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ