Status of attacks on AES?

Travis H. solinym at gmail.com
Mon Jun 12 08:54:59 EDT 2006


On 6/8/06, Max <maxale at gmail.com> wrote:
> What they need is just to provide access to their distinguisher in
> the form of a black box.
> To prove its meaningfulness, the distinguisher must show consistent
> results in distinguishing AES-encrypted data (say, for a fixed
> plaintext without repeating blocks on their choice) from random data.

I may be stepping into the crossfire here, but on my reading of their
web page, they don't claim to be able to do that.  They claim to be
able to distinguish the low-order monomials formed by AES from a
random function up to the PRF round count*.  Perhaps it's my myopia,
but that seems to be different than coming up with an actual
distinguisher for real AES-encrypted data.  It seems that the
controversial assumption (that they are uninterested in debating) is
that such non-randomness in the low-order monomials implies, is
correlated with, is a good indicator of, a (potentially
certificational) weakness.

I'm curious what kind of algorithm might be used for coming up with
the low-order monomials (indeed, this seems to be the main mystery,
yes?).  I think I can see how one could generate high-order ones (and
reducing their order) by varying inputs in a black-box approach, but
my math muscles are horribly developed, and the only way I can think
of for generating them from lowest to highest order is to track
changes in bit positions from round to round in forward operation,
which seems to imply white-box instrumentation.  Speculation welcome.

[*] Given some suite of non-randomness checks that don't include
anything tailored to the algorithm in question.
-- 
Scientia Est Potentia -- Eppur Si Muove -- Admire the Artist's Handiwork
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
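One way to make the "varying inputs in a black-box approach" idea concrete, added here as an example and not part of the original post or thread: the Moebius transform recovers the algebraic normal form (the full set of monomials) of any Boolean function from its truth table, so querying a function on every setting of a chosen subset of input bits, with the remaining bits held fixed, yields every monomial over that subset without any white-box instrumentation. The code below is my own illustration, written for this note; it rebuilds the AES S-box from the GF(2^8) definition rather than a lookup table, and the helper names (`anf_over_subset`, `algebraic_degree`, `sbox_degrees`) are mine, not from any library.

```python
"""Black-box extraction of the algebraic normal form (ANF) of a cipher
component, illustrated on the AES S-box (computed from GF(2^8), no table)."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254  # a^254 == a^-1 in a group of order 255
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_sbox(x: int) -> int:
    """FIPS-197 S-box: field inverse followed by the affine map with constant 0x63."""
    b = gf_inv(x)
    s = b
    for k in range(1, 5):  # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
        s ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return s ^ 0x63


def moebius(truth_table):
    """Moebius transform: truth_table[x] = f(x) over 2^n inputs -> list c where
    c[m] is the coefficient of the monomial prod of x_i over the set bits i of m."""
    c = list(truth_table)
    n = len(c).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for x in range(len(c)):
            if x & bit:
                c[x] ^= c[x ^ bit]
    return c


def anf_over_subset(f, positions, base, out_bit):
    """Query f as a black box, varying only the input bits listed in `positions`
    (every other bit fixed as in `base`), and return the monomials of output
    bit `out_bit` as tuples of varied positions whose coefficient is 1."""
    k = len(positions)
    tt = []
    for m in range(1 << k):
        x = base
        for idx, pos in enumerate(positions):
            if m >> idx & 1:
                x |= 1 << pos
            else:
                x &= ~(1 << pos)
        tt.append((f(x) >> out_bit) & 1)
    c = moebius(tt)
    return [tuple(positions[i] for i in range(k) if m >> i & 1)
            for m in range(1 << k) if c[m]]


def algebraic_degree(f, positions, base, out_bit):
    """Highest monomial order present in the ANF restricted to `positions`."""
    return max((len(m) for m in anf_over_subset(f, positions, base, out_bit)),
               default=0)


def sbox_degrees():
    """Degree of each of the 8 output bits of the AES S-box over all 8 inputs."""
    return [algebraic_degree(aes_sbox, list(range(8)), 0, j) for j in range(8)]


if __name__ == "__main__":
    print("S(0x53) = %#04x" % aes_sbox(0x53))
    print("AES S-box output-bit degrees:", sbox_degrees())
    # Constructed affine toy map: every output bit has degree 1.
    toy = lambda x: x ^ 0x5A
    print("affine toy degrees:",
          [algebraic_degree(toy, list(range(8)), 0, j) for j in range(8)])
```

Each S-box output bit comes back with degree 7, which is also the largest degree any balanced function of 8 variables can have (the coefficient of the full monomial is the parity of the truth table, and a permutation coordinate has an even number of ones). So a generic degree check on its own does not separate the S-box from a random 8-bit permutation, which is the gap between "non-random monomial structure" and "an actual distinguisher" raised above. Against a full round function one would hold most of the 128 input bits fixed and vary a handful, which is what `positions` and `base` are for.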

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
