Status of attacks on AES?

Marcos el Ruptor Ruptor at cryptolib.com
Sun Jun 4 17:52:38 EDT 2006


> I skimmed this.  The start of the article says that after 3 rounds AES
> achieves perfect diffusion?!

1. It's "complete diffusion", not "perfect diffusion". Perfect diffusion is
a property meaning something completely different.

2. My post incorrectly stated that cryptographers believed that the AES
achieved complete diffusion after 3 rounds. In fact, in Rijndael complete
diffusion (every bit influences every bit in the block or state) is achieved
by the end of the second round. I have corrected the post.

> A simple square attack (that I teach in class in about 60 mins) recovers
> the key of 4-round AES with 256 chosen-plaintexts.  The six-round attack
> isn't too much harder.

Isn't what you are referring to called "secure number of rounds"? In other
words, the number of rounds after which no known attack exists that can break
the cipher faster than brute-forcing the key?

It looks like I have no choice but to invent a new term, "PRF rounds" - the
number of rounds after which each function that defines the value of each
bit of the block/state/output is a pseudo-random function (PRF) of all the
bits of the block/state/key/input, in other words a function
indistinguishable from random by any existing general purpose randomness
tests. Of course dedicated randomness tests exploiting the cipher structure
and utilising a significant amount of computational resources could be
effective in distinguishing a larger number of rounds from random, but
that's in the area of the "secure number of rounds" research.

"PRF rounds" is usually larger than the "complete diffusion rounds". For
most good ciphers it's usually somewhere between the "complete diffusion
rounds" and the "secure rounds", but for some ciphers it's either way over
the "secure rounds" or it never happens at all (LILI, KeeLoq, Trivium, etc).
Some ciphers maintain sparsity of their functions or their
distinguishability from random even if iterated perpetually.

I have corrected all the articles:

http://defectoscopy.com/forum/viewtopic.php?t=3

http://defectoscopy.com/results.html
and
http://defectoscopy.com/background.html

Ruptor
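
(Added illustration, not part of Ruptor's post or of the defectoscopy.com
material: a small pure-Python AES-128 written from FIPS-197, used to measure
the "complete diffusion" property discussed above. It toggles each of the 128
plaintext bits across 64 constructed random plaintexts and records which
ciphertext bits ever change. The full_last_round switch is the caveat worth
knowing: every input bit reaches every output bit after 2 rounds only if round
2 keeps MixColumns; with the real cipher's MixColumns-free final round, 2
reduced rounds reach only 32 bits and it takes 3. The key and the
plaintext/ciphertext check values are the FIPS-197 Appendix C.1 test vector.
Reaching complete diffusion says nothing about security, as the post itself
notes.)

```python
import random

# ---- Minimal AES-128 written from FIPS-197 for this illustration ----

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _gf_inv(x):
    """Inverse in GF(2^8) computed as x^254 (0 maps to 0, as the S-box needs)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    # S-box = multiplicative inverse followed by the fixed affine map
    table = []
    for x in range(256):
        v = _gf_inv(x)
        table.append(v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63)
    return table

SBOX = _build_sbox()
MUL2 = [gf_mul(x, 2) for x in range(256)]   # lookup tables make MixColumns fast
MUL3 = [gf_mul(x, 3) for x in range(256)]

# The state is a 16-byte list in column-major order: byte r + 4*c is row r, column c.

def sub_bytes(s):
    return [SBOX[b] for b in s]

def shift_rows(s):
    # row r is rotated left by r positions
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
                a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
                MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
    return out

def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes_rounds(block, round_keys, nrounds, full_last_round=True):
    """Encrypt one block with `nrounds` rounds (1..10). full_last_round=True keeps
    MixColumns in the final round (the reading under which 'complete diffusion
    after 2 rounds' holds); False drops it, as the real cipher does in round 10."""
    s = add_round_key(list(block), round_keys[0])
    for r in range(1, nrounds + 1):
        s = shift_rows(sub_bytes(s))
        if full_last_round or r < nrounds:
            s = mix_columns(s)
        s = add_round_key(s, round_keys[r])
    return bytes(s)

# ---- Diffusion measurement ----

def diffusion_counts(key, nrounds, full_last_round=True, samples=64, seed=1):
    """For each of the 128 plaintext bits, count the ciphertext bits that flipped at
    least once (over `samples` constructed random plaintexts) when that bit is toggled.
    128 for every input bit is complete diffusion in the post's sense."""
    rng = random.Random(seed)            # fixed seed: deterministic constructed inputs
    rks = expand_key(key)
    reach = [0] * 128                    # OR-accumulated ciphertext difference per input bit
    for _ in range(samples):
        p = bytes(rng.randrange(256) for _ in range(16))
        c0 = int.from_bytes(aes_rounds(p, rks, nrounds, full_last_round), "big")
        for i in range(128):
            q = bytearray(p)
            q[i >> 3] ^= 1 << (i & 7)
            c1 = int.from_bytes(aes_rounds(bytes(q), rks, nrounds, full_last_round), "big")
            reach[i] |= c0 ^ c1
    return [bin(m).count("1") for m in reach]

def rounds_to_complete_diffusion(key, full_last_round=True, max_rounds=10):
    """Smallest round count at which every plaintext bit has reached every ciphertext bit."""
    for n in range(1, max_rounds + 1):
        if min(diffusion_counts(key, n, full_last_round)) == 128:
            return n
    return None

if __name__ == "__main__":
    key = bytes(range(16))               # FIPS-197 Appendix C.1 key
    for n in (1, 2, 3):
        print(n, "round(s), full rounds:", sorted(set(diffusion_counts(key, n))))
    print("full rounds needed:", rounds_to_complete_diffusion(key))
    print("with MixColumns-free last round:", rounds_to_complete_diffusion(key, False))
```

Running it prints 32 reached bits per input bit after one full round (one
column), 128 after two, and shows that the same measurement with the
MixColumns-free final round needs three rounds. A count of 128 everywhere is
a necessary condition only; it is not the "PRF rounds" or "secure rounds"
figure the post distinguishes it from.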


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


