Status of attacks on AES?
Marcos el Ruptor
Ruptor at cryptolib.com
Wed Jun 7 16:02:35 EDT 2006
> Right. But can you explain *why* you strongly believe in it?
In the last 10 years it has never failed to tell the difference between good and
bad ciphers. The only thing that makes it controversial is its ability to
detect flaws in ciphers believed to be strong simply because no attacks
against them have been found yet.
We do not believe in the approach "if no one broke it in N years, then
accept it as secure until they do" alone. We believe in combining it with
studying the algebraic structure of the resulting functions from every angle
with automated tools, and if they display obvious sparsity or patterns in
the distribution of monomials of any algebraic degree, or if the size/output
or size/security proportions are too low, or if too many rounds are required
for a change to make those functions different in a way indistinguishable
from random (slow avalanche of change as we see it), the cipher should be
discarded even if no one can find a way to break it.
Here's an example: replace XOR with ADD in RC5 and try to attack it by any
means other than the Mod N attack found years after RC5... But our tests
immediately show that the cipher is easily breakable. They also immediately
show the weakness of the first two bytes in RC4 and the breakability of such
ciphers as A5, LILI, etc. The list can go on and on. Often there is no
explanation for years until an attack is found, but our tests help us detect
the presence of flaws in seemingly strong ciphers in a matter of minutes. I
personally do not bother analysing ciphers that fail our tests - someone else
will break them sooner or later anyway. I immediately discard them as
breakable and concentrate on the hard ones to see if the cipher structure
needs to be addressed. But if the cipher doesn't have any odd components that
it relies on and that can be attacked individually, and if its proportions
are chosen correctly, I accept it as secure.
The fact that Rijndael fails our tests so terribly prohibits me personally
from trusting it even though no attack breaking it has been published. I
would use Twofish or RC6 instead. Passing our tests combined with years of
public scrutiny makes me believe that Twofish and RC6 can be trusted.
Rijndael cannot.
Ruptor
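One concrete instance of the algebraic-structure statistic mentioned above (the distribution of monomials by algebraic degree), as an added example that is not part of the original message: the code below computes the algebraic normal form of each output bit of the Rijndael/AES S-box and counts how many monomials of each degree appear. It uses the standard S-box definition (GF(2^8) inversion followed by the fixed affine map); the poster's own test suite is not described, so this illustrates only the statistic, not his methodology or his conclusions.

```python
# Added example, not part of the original message: tabulate, for each
# output bit of the Rijndael/AES S-box, how many monomials of each
# algebraic degree appear in its algebraic normal form (ANF).

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse by exhaustive search; AES maps 0 to 0."""
    for c in range(1, 256):
        if gf_mul(a, c) == 1:
            return c
    return 0

def aes_sbox(x: int) -> int:
    """Rijndael S-box: field inversion followed by the fixed affine map."""
    b = gf_inv(x)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

def anf(truth_table: list) -> list:
    """Moebius transform: truth table indexed by input -> ANF coefficients.
    coef[m] == 1 means the monomial whose variable set is bitmask m is present."""
    coef = list(truth_table)
    n = len(coef).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for x in range(len(coef)):
            if x & bit:
                coef[x] ^= coef[x ^ bit]
    return coef

def monomial_degree_histogram(bit: int) -> list:
    """Count the monomials of degree 0..8 in S-box output bit `bit`."""
    tt = [(aes_sbox(x) >> bit) & 1 for x in range(256)]
    hist = [0] * 9
    for mask, present in enumerate(anf(tt)):
        if present:
            hist[bin(mask).count("1")] += 1
    return hist

if __name__ == "__main__":
    for b in range(8):
        print(f"bit {b}: monomials per degree 0..8 = {monomial_degree_histogram(b)}")
```

Every output bit comes out with algebraic degree 7 and no degree-8 term (the coordinates are balanced); the same routine can be pointed at any other 8-bit S-box truth table for comparison.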
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com