Status of attacks on AES?

Steven M. Bellovin smb at cs.columbia.edu
Thu Jun 8 12:17:06 EDT 2006


On Wed, 7 Jun 2006 15:02:35 -0500, "Marcos el Ruptor"
<Ruptor at cryptolib.com> wrote:

> > Right. But can you explain *why* you strongly believe in it?
> 
> In the last 10 years it never failed to tell the difference between good and 
> bad ciphers. The only thing that makes it controversial is its ability to 
> detect flaws in ciphers believed to be strong simply because no attacks 
> against them are found yet.

I shouldn't pursue this, but I will.  This is still proof by blatant
assertion.  It isn't "controversial" because it's not even worth thinking
about.  You've claimed that (a) you have a powerful but secret method for
analyzing ciphers, and (b) AES fails your tests.  That's nice.  Suppose I
said that when I calculated SHA-512 of the pdf version of the AES standard
mod 257 and found that it was prime (it's 5, if my script is correct), and
therefore AES was insecure. You'd laugh at me, and rightly so.

You say you have a method to evaluate ciphers.  Without full details, no
one can form their own judgment if it's valid or not.  (My "proposal"
clearly isn't valid.)  You say you've evaluated AES and other ciphers.
Without full details, we don't know if your evaluation is correct.

By contrast, see the controversy over the XSL attack on AES.  (The
Wikipedia article, http://en.wikipedia.org/wiki/XSL_attack, is a good
summary.)  There are claims and counterclaims, but everything is public.
Note in particular Coppersmith's claim that Courtois and Pieprzyk
overcounted the number of linearly independent equations -- their basic
method may or may not be correct -- Coppersmith himself says that the
"method has some merit, and is worth investigating" -- but they apparently
applied it incorrectly.

You should also explain why you're keeping the details secret.  The market
for new block ciphers is tiny.  No credible vendor is going to rely on a
cipher evaluated by an unproven technique.  (For that matter, the
near-universal consensus in the open community is proprietary ciphers are
generally worthless.)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
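The point Coppersmith raised against the XSL analysis, that multiplying a system of equations by extra monomials produces many more equations than it does linearly independent ones, can be seen on a toy system. The following is an added illustration, not code from the message above or from the XSL authors; the three quadratic equations over GF(2) are constructed for the example and have nothing to do with the real AES S-box equations, and the "extension" step is a simplified stand-in for the XSL multiplication step. The script counts the equations the extension step generates, then linearizes (treats every distinct monomial as an unknown) and computes the actual rank over GF(2).

```python
from itertools import combinations

# A monomial is a frozenset of variable indices (frozenset() is the constant 1).
# A polynomial over GF(2) is a frozenset of monomials, summed modulo 2.


def poly(*monomials):
    """Build a polynomial from an iterable of monomials (each an iterable of indices)."""
    return frozenset(frozenset(m) for m in monomials)


def multiply(p, m):
    """Multiply polynomial p by monomial m in the Boolean ring (x_i^2 = x_i).

    Because x_i^2 = x_i, the product of two monomials is their set union, so two
    distinct monomials of p can collapse onto the same monomial and cancel (XOR).
    That cancellation is one source of linear dependence among the products.
    """
    result = set()
    for t in p:
        prod = t | m
        if prod in result:
            result.remove(prod)
        else:
            result.add(prod)
    return frozenset(result)


def gf2_rank(rows):
    """Rank of GF(2) row vectors given as Python ints used as bitmasks."""
    rank = 0
    rows = [r for r in rows if r]
    while rows:
        pivot = max(rows)                      # row whose highest set bit is largest
        rows.remove(pivot)
        rank += 1
        high = 1 << (pivot.bit_length() - 1)   # the pivot's leading bit
        rows = [r ^ pivot if r & high else r for r in rows]
        rows = [r for r in rows if r]          # drop rows reduced to zero
    return rank


def linearized_rank(polys):
    """Return (number of linearly independent equations, number of distinct monomials).

    Every distinct monomial becomes its own column, which is exactly the
    linearization step the count of "independent equations" is measured against.
    """
    monomials = sorted({t for p in polys for t in p}, key=lambda t: (len(t), sorted(t)))
    index = {t: i for i, t in enumerate(monomials)}
    rows = [sum(1 << index[t] for t in p) for p in polys]
    return gf2_rank(rows), len(monomials)


def extend_by_monomials(base, nvars, degree):
    """Multiply every base equation by every monomial of the given degree.

    This is the step whose output it is tempting to count as len(base) *
    (number of multipliers) independent equations; the rank says otherwise.
    """
    multipliers = [frozenset(c) for c in combinations(range(nvars), degree)]
    return [multiply(p, m) for p in base for m in multipliers]


# Constructed toy system in x0, x1, x2 (NOT the AES equations):
#   x0*x1 + x2 + 1 = 0,   x1*x2 + x0 = 0,   x0*x2 + x1 + x2 = 0
TOY_SYSTEM = [
    poly((0, 1), (2,), ()),
    poly((1, 2), (0,)),
    poly((0, 2), (1,), (2,)),
]


def compare_counts(base=TOY_SYSTEM, nvars=3, degree=1):
    """Naive equation count versus true rank before and after the extension step."""
    extended = extend_by_monomials(base, nvars, degree)
    base_rank, base_monomials = linearized_rank(base)
    ext_rank, ext_monomials = linearized_rank(extended)
    return {
        "base_equations": len(base),
        "base_rank": base_rank,
        "base_monomials": base_monomials,
        "extended_equations": len(extended),     # the naive, overcounted figure
        "extended_rank": ext_rank,               # what linear algebra actually gives
        "extended_monomials": ext_monomials,     # an upper bound on the rank
    }


if __name__ == "__main__":
    for k, v in compare_counts().items():
        print(f"{k:>22}: {v}")
```

On this toy system the extension step produces 9 equations over 7 monomials, so at most 7 can be independent, and the rank is in fact 7; the naive count of 9 is already an overestimate at degree 1, and the gap widens as the number of multipliers grows faster than the number of new monomials. That is the flavor of the objection: the number of equations you write down is not the number you can actually use.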

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
