[Cryptography] Rumor has it that AES-256 is broken (again!)
Kevin W. Wall
kevin.w.wall at gmail.com
Thu Jun 9 23:07:38 EDT 2016
On Jun 9, 2016 10:02 PM, "John Levine" <johnl at iecc.com> wrote:
>
> In article <CAOPE6Pi-BmXUdbrgCqkJFygmkMarzzYQrjcaTRq80G08TFAOkA at mail.gmail.com> you write:
> >http://yournewswire.com/encryption-security-may-not-be-secure-anymore/
> >
> >Sounds like total BS to me; like someone is being punked. I can't even
> >find any evidence of the paper itself existing. Supposedly, the title
> >of paper (from
> >another link) is:
> >
> > Factoring of Large Integers using Estimation of Weak Intermediate
> >Key Points along a Quadratic Curve
>
> The link in that article leads to what looks like a legit academic
> conference in August:
>
> http://www.mathematik.uni-kassel.de/ACA2016/
>
> The conference site doesn't have a list of papers, so we can assume
> it's been submitted, but who knows if it's been accepted, or what.
Yeah. I saw that too. First off, the link that I referenced referred to
the link you referenced as a link to a "University of Toronto press release",
which that most definitely wasn't. Last time I checked, UofT did not have
a German domain name. What appears to be the actual redacted press
release appears to be below the link. Secondly, I followed the link
you referenced
and looked for a list of accepted papers, but didn't find any. Thirdly, as
Jerry mentioned, if you've discovered a way to substantially reduce the
way to factor large integers, that would be much more germane to cracking
RSA than it would AES. And finally, it seemed to me that where the supposed
press release claimed:
After completion of the data mining experiment, the students
found that intermediate keys created specifically within the
AES-256 encryption algorithm had cryptographically weak
output that followed a Quadratic curve when initial keys
contained identifiable Fibonacci sequences, non-evenly divisible
values including PI, Catalan numbers and Mersenne primes which
allowed the students to estimate possible integer factors
allowing them to recover the initial encryption key within as
little as 100 hours compute time.
seems like it was full of BS to me. Note that this "press release"
says:
1) "intermediate keys" - That doesn't seem like a very realistic
threat model. Being able to substantiate such intermediate
data would seem as though it would allow you to observe lots
of other intermediate states and thus determine the key
directly.
2) The part about the cryptographically weak output followed
when initial keys (presumably the secret encryption key?)
contained "identifiable Fibonacci sequences, non-evenly
divisible values including PI, Catalan numbers and Mersenne
primes" seemed rather unrealistic. Instead of a chosen
plaintext attack or a chosen ciphertext attack it seems as
though they are describing a chosen KEY attack! (Although,
it could just be sloppy journalism in the press release and
are really trying to describe some sort of related key
attack.) But again, that doesn't seem to be a serious issue
if keys are chosen via a CSRNG based KDF and a random seed.
3) If this truly was a crypto breakthrough, would you not submit
this to a crypto conference where its ramifications would be
more truly appreciated? And it we really have some a
mathematical breakthrough in factoring, I think news of it
would be much more widespread as this would be an award
worthy accomplishment.
4) According to this link,
http://www.abovetopsecret.com/forum/thread1120355/pg1, this
press release was "copied from an unreleased draft". (BTW,
there is a useful explanation in a comment by StargateSG7
posted on 6/3/2016 at 12:14pm that refers to the "intermediate
keys" in the comments at the bottom of the post in the
above link. It looks like it seems to be referring to
keys generated from file-type headers or from plaintext
passwords perhaps that resulted in a significant reduction of
the potential keyspace that needed to be searched.
5) You gotta believe that the Five Eyes would be all over this and
not allow them to release it in the interest of national
security if it is really as ground-breaking as it claims.
Just my $.02,
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
More information about the cryptography
mailing list