[Cryptography] Rumor has it that AES-256 is broken (again!)

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jun 9 23:07:38 EDT 2016


On Jun 9, 2016 10:02 PM, "John Levine" <johnl at iecc.com> wrote:
>
> In article <CAOPE6Pi-BmXUdbrgCqkJFygmkMarzzYQrjcaTRq80G08TFAOkA at mail.gmail.com> you write:
> >http://yournewswire.com/encryption-security-may-not-be-secure-anymore/
> >
> >Sounds like total BS to me; like someone is being punked. I can't even
> >find any evidence of the paper itself existing. Supposedly, the title
> >of paper (from
> >another link) is:
> >
> >    Factoring of Large Integers using Estimation of Weak Intermediate
> >Key Points along a Quadratic Curve
>
> The link in that article leads to what looks like a legit academic
> conference in August:
>
> http://www.mathematik.uni-kassel.de/ACA2016/
>
> The conference site doesn't have a list of papers, so we can assume
> it's been submitted, but who knows if it's been accepted, or what.

Yeah. I saw that too. First off, the link that I referenced referred to
the link you referenced as a link to a "University of Toronto press release",
which it most definitely wasn't. Last time I checked, UofT did not have
a German domain name. What appears to be the actual redacted press
release is below the link. Secondly, I followed the link you referenced
and looked for a list of accepted papers, but didn't find any. Thirdly, as
Jerry mentioned, if you've discovered a way to substantially reduce the
work needed to factor large integers, that would be much more germane to
cracking RSA than to AES. And finally, where the supposed press release
claimed:
    After completion of the data mining experiment, the students
    found that intermediate keys created specifically within the
    AES-256 encryption algorithm had cryptographically weak
    output that followed a Quadratic curve when initial keys
    contained identifiable Fibonacci sequences, non-evenly divisible
    values including PI, Catalan numbers and Mersenne primes which
    allowed the students to estimate possible integer factors
    allowing them to recover the initial encryption key within as
    little as 100 hours compute time.

that seemed full of BS to me. Note that this "press release"
says:

    1) "intermediate keys" - That doesn't seem like a very realistic
       threat model. Being able to substantiate such intermediate
       data would seem to allow you to observe lots of other
       intermediate states and thus determine the key directly.
    2) The part about the cryptographically weak output that followed
       when initial keys (presumably the secret encryption key?)
       contained "identifiable Fibonacci sequences, non-evenly
       divisible values including PI, Catalan numbers and Mersenne
       primes" seemed rather unrealistic. Instead of a chosen
       plaintext attack or a chosen ciphertext attack, it seems as
       though they are describing a chosen KEY attack! (Although
       it could just be sloppy journalism in the press release and
       they are really trying to describe some sort of related-key
       attack.) But again, that doesn't seem to be a serious issue
       if keys are chosen via a CSPRNG-based KDF and a random seed.
    3) If this truly was a crypto breakthrough, would you not submit
       it to a crypto conference where its ramifications would be
       more truly appreciated? And if we really have a
       mathematical breakthrough in factoring, I think news of it
       would be much more widespread, as this would be an
       award-worthy accomplishment.
    4) According to this link,
       http://www.abovetopsecret.com/forum/thread1120355/pg1, this
       press release was "copied from an unreleased draft". (BTW,
       there is a useful explanation in a comment by StargateSG7
       posted on 6/3/2016 at 12:14pm that refers to the "intermediate
       keys", in the comments at the bottom of the post in the
       above link. It seems to be referring to keys generated from
       file-type headers or perhaps from plaintext passwords, which
       resulted in a significant reduction of the potential keyspace
       that needed to be searched.)
    5) You gotta believe that the Five Eyes would be all over this and
       not allow them to release it in the interest of national
       security if it is really as ground-breaking as it claims.

Just my $.02,
-kevin
--
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

