[Cryptography] Rumor has it that AES-256 is broken (again!)

Ray Dillinger bear at sonic.net
Fri Jun 10 16:52:07 EDT 2016

On 06/09/2016 11:52 AM, Kevin W. Wall wrote:
> http://yournewswire.com/encryption-security-may-not-be-secure-anymore/
> Sounds like total BS to me; like someone is being punked. I can't even
> find any evidence of the paper itself existing. Supposedly, the title
> of paper (from
> another link) is:
>     Factoring of Large Integers using Estimation of Weak Intermediate
> Key Points along a Quadratic Curve
> I have some nervous friends, so if someone could officially debunk,
> I'd be most appreciative.

I don't think anyone can *officially* debunk with absolute certainty,
because by definition we don't know what breakthroughs have yet to be
discovered. But this seems about as likely as the spontaneous
teleportation of a large solid body via simultaneous quantum
tunneling of every subatomic particle in that body and having it
arrive three feet away and still solid.  You'd need at least three
huge breakthroughs, one of which is extremely unlikely and two of
which are as close to impossible as nevermind.

1)  Major breakthrough in factoring reduces factoring time by many
    orders of magnitude.  Unlikely at best, and would qualify someone
    for a Nobel prize in mathematics. Factoring has gotten better,
    and may get better yet, but short of a 256-bit quantum computer
    (which they definitely didn't do, or it would have made front
    page headlines all over the world) nobody's getting that much
    of an edge in one jump.

2)  Unsuspected relationship of factoring to AES allows factoring
    to help anyone recover AES keys and/or decrypt AES.  This is
    so out-of-left-field that it would be unrelated to all prior
    mathematical work and knowledge. I would cheerfully bet one
    penny against life imprisonment on this, and call the guy who
    put up the penny a sucker.

3)  Hypothetical Factoring-based attack reduces AES256 by over 200
    bits of security. It is either 70 orders of magnitude faster
    than the biclique attack due to Bogdanov/Khovratovich/Rechberger,
    or 69.5 orders of magnitude faster and can be used together
    with it.  The biclique attack is the best known attack on
    AES, and it reduces AES256 complexity by about a factor of 4.
    It was a major breakthrough and used math that's actually
    known to be related to AES.

I would say that it's completely safe to ignore this rumor.  The odds
that the reporter just plain got the story wrong are googolplexes of
times greater than the odds that it's actually significant.  Reporters
getting stories just plain wrong, after all, has happened at least
once in the history of the universe.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160610/98a0eef5/attachment.sig>

More information about the cryptography mailing list