[Cryptography] AES-256- More NIST-y? paranoia

[leichter at lrw.com]

On Oct 3, 2013, at 12:21 PM, Jerry Leichter <leichter at lrw.com> wrote:
> As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond any realistic attack, and no one would use a reduced-round version of AES-256.
Expanding a bit on what I said:  Ideally, you'd like a cryptographic algorithm let you build a pair of black boxes.  I put my data and a key into my black box, send you the output; you put the received data and the same key (or a paired key) into your black box; and out comes the data I sent you, fully secure and authenticated.  Unfortunately, we have no clue how to build such black boxes.  Even if the black boxes implement just the secrecy transformation for a stream of blocks (i.e., they are symmetric block ciphers), if there's a related key attack, I'm in danger if I haven't chosen my keys carefully enough.

No protocol anyone is likely to use is subject to a related key attack, but it's one of those flaws that mean we haven't really gotten where we should.  Also, any flaw is a hint that there might be other, more dangerous flaws elsewhere.

If you think in these terms about asymmetric crypto, the situation is much, much worse.  It turns out that you have to be really careful about what you shove into those boxes, or you open yourself up to all kinds of attacks.  The classic paper on this subject is http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=4568385&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4568363%2F4568364%2F04568385.pdf%3Farnumber%3D4568385, the text for which appears to available only for a fee.

                                                        -- Jerry