[Cryptography] Dan Bernstein has a new blog entry on key breaking
Christian Huitema
huitema at huitema.net
Sat Nov 21 20:23:11 EST 2015
On Saturday, November 21, 2015 2:53 PM, Watson Ladd wrote:
>
> On Sat, Nov 21, 2015 at 5:23 PM, Phillip Hallam-Baker
> <phill at hallambaker.com> wrote:
> ...
> > OK to explain further. Yes, you have to do 2^128 operations but we are
> > not doing 2^128 crypto operations, we are just looking for ciphertext
> > blocks that match our cribs.
>
> To compare two lists with 2^64 elements requires only 2^64 operations,
> not 2^128. Furthermore, using distinguished point methods there are
> further savings. What DJB points out is that standard methods for
> reversing some values of a one-way function
> can be applied to AES(K, 0).
I get the reasoning, but I am not so sure of the applicability. The attack that DJB explains appears to be a known plain text attack. If I get 2^N targets to encrypt the same known plain text, then I have about 50% chance of finding one match after 2^(128-N) trials. If the plain text is not known, the odds are much worse. But if we admit that this is a known plaintext attack, we get a practicality issue. How often can the attacker predict the plaintext? Don't modern algorithm use some kind of IV to defeat such attacks?
-- Christian Huitema
More information about the cryptography
mailing list