Status of attacks on AES?

Marcos el Ruptor Ruptor at cryptolib.com
Wed Jun 7 16:02:35 EDT 2006


> Right. But can you explain *why* you strongly believe in it?

In the last 10 years it never failed to tell the difference between good and 
bad ciphers. The only thing that makes it controversial is its ability to 
detect flaws in ciphers believed to be strong simply because no attacks 
against them are found yet.

We do not believe in the approach "if no one broke it in N years, then 
accept it as secure until they do" alone. We believe in combining it with 
studying the algebraic structure of the resulting functions from every angle 
with automated tools, and if they display obvious sparsity or patterns in 
the distribution of monomials of any algebraic degree, or if the size/output 
or size/security proportions are too low, or if too many rounds are required 
for a change to make those functions different in a way indistinguishable 
from random (slow avalanche of change as we see it), the cipher should be 
discarded even if no one can find a way to break it.

Here's an example: replace XOR with ADD in RC5 and try to attack it by any 
means other than the Mod N attack found years after RC5... But our tests 
immediately show that the cipher is easily breakable. They also immediately 
show the weakness of the first two bytes in RC4 and the breakability of such 
ciphers as A5, LILI, etc. The list can go on and on. Often there is no 
explanation for years until an attack is found, but our tests help us detect 
the presence of flaws in seemingly strong ciphers in a matter of minutes. I 
personally do not bother analysing ciphers that fail our tests - someone else 
will break them sooner or later anyway. I immediately discard them as 
breakable and concentrate on the hard ones to see if the cipher structure 
needs to be addressed. But if the cipher doesn't have any odd components that 
it relies on and that can be attacked individually and if its proportions are 
chosen correctly, I accept it as secure.

The fact that Rijndael fails our tests so terribly prohibits me personally 
from trusting it even though no attack breaking it has been published. I 
would use Twofish or RC6 instead. Passing our tests combined with years of 
public scrutiny makes me believe that Twofish and RC6 can be trusted. 
Rijndael cannot.

Ruptor 
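The "slow avalanche of change" check the post describes, as an added example that is not Ruptor's own tool or code: an RC5-32 implementation whose round-mixing operation can be switched from XOR to ADD (the RC5 variant the post mentions), plus a function that measures how many output bits flip, on average, when one input bit is flipped after r rounds. The `mix` parameter, the 16-byte keys and the sample counts are this example's own choices; the harness shows how such a test is run, not which cipher passes it.

```python
# Added example (not from the post): per-round avalanche measurement for
# RC5-32/r/16 with the round-mixing operation selectable, so the XOR->ADD
# variant mentioned in the post can be run through the same check.
import random

W = 32
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 magic constants for 32-bit words

def rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK

def rc5_expand(key, rounds):
    """RC5 key schedule (Rivest, 1994) for a byte-string key; returns 2r+2 words."""
    c = max(1, len(key) // 4)
    L = [int.from_bytes(key[i:i + 4], "little") for i in range(0, len(key), 4)]
    t = 2 * rounds + 2
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, (A + B) & MASK)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_encrypt(S, rounds, a, b, mix=lambda x, y: x ^ y):
    """Encrypt one 64-bit block (a, b). `mix` is XOR in real RC5; pass
    lambda x, y: (x + y) & MASK to get the ADD variant from the post."""
    a = (a + S[0]) & MASK
    b = (b + S[1]) & MASK
    for i in range(1, rounds + 1):
        a = (rotl(mix(a, b), b) + S[2 * i]) & MASK
        b = (rotl(mix(b, a), a) + S[2 * i + 1]) & MASK
    return a, b

def avalanche(rounds, samples=64, seed=1, mix=lambda x, y: x ^ y):
    """Mean fraction of the 64 output bits that flip when a single input bit
    flips, averaged over all 64 input positions and `samples` random key/block
    pairs. A value near 0.5 is what a random function would give."""
    rng = random.Random(seed)
    flipped = 0
    for _ in range(samples):
        S = rc5_expand(rng.randbytes(16), rounds)  # constructed random key
        a, b = rng.getrandbits(W), rng.getrandbits(W)
        ca, cb = rc5_encrypt(S, rounds, a, b, mix)
        for bit in range(2 * W):
            a2, b2 = (a ^ (1 << bit), b) if bit < W else (a, b ^ (1 << (bit - W)))
            da, db = rc5_encrypt(S, rounds, a2, b2, mix)
            flipped += bin((ca ^ da) | ((cb ^ db) << W)).count("1")
    return flipped / (samples * 2 * W * 2 * W)
```

Sweeping `rounds` from 0 upward and recording `avalanche(rounds)` shows how many rounds a cipher needs before single-bit changes spread to roughly half of the output; the same sweep can be repeated with the ADD mixing function to compare the two RC5 variants under this one criterion.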


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
