[Cryptography] AES-256- More NIST-y? paranoia

Watson Ladd watsonbladd at gmail.com
Thu Oct 3 21:59:20 EDT 2013


On Thu, Oct 3, 2013 at 3:25 PM, <leichter at lrw.com> wrote:

> On Oct 3, 2013, at 12:21 PM, Jerry Leichter <leichter at lrw.com> wrote:
> > As *practical attacks today*, these are of no interest - related key
> attacks only apply in rather unrealistic scenarios, even a 2^119 strength
> is way beyond any realistic attack, and no one would use a reduced-round
> version of AES-256.
> Expanding a bit on what I said:  Ideally, you'd like a cryptographic
> algorithm let you build a pair of black boxes.  I put my data and a key
> into my black box, send you the output; you put the received data and the
> same key (or a paired key) into your black box; and out comes the data I
> sent you, fully secure and authenticated.  Unfortunately, we have no clue
> how to build such black boxes.  Even if the black boxes implement just the
> secrecy transformation for a stream of blocks (i.e., they are symmetric
> block ciphers), if there's a related key attack, I'm in danger if I haven't
> chosen my keys carefully enough.
>
This is complete and utter bullshit if you can count, or make big enough
random numbers if you cannot. Read "Cryptography in NaCl" or
Rogaway's analysis of authenticated encryption modes in standards if you
don't believe this is a solved problem in theory, or heck, even the GCM or
CCM standards. Or Rogaways OCB paper.

>
> No protocol anyone is likely to use is subject to a related key attack,
> but it's one of those flaws that mean we haven't really gotten where we
> should.  Also, any flaw is a hint that there might be other, more dangerous
> flaws elsewhere.
>
PRP security does not imply security in the related-key model. It also
doesn't imply sPRP security. But you don't need it.
Now, if you are making a claim about block cipher constructions, go show me
why this matters by publishing an attack or some theoretical analysis about
related keys leading to good attacks in a stronger setting.

> If you think in these terms about asymmetric crypto, the situation is
> much, much worse.  It turns out that you have to be really careful about
> what you shove into those boxes, or you open yourself up to all kinds of
> attacks.  The classic paper on this subject is
> http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=4568385&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F4568363%2F4568364%2F04568385.pdf%3Farnumber%3D4568385,
> the text for which appears to available only for a fee.


>                                                         -- Jerry
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>

Sincerely,
Watson Ladd

-- 
"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20131003/6002bc6a/attachment.html>


More information about the cryptography mailing list