[Cryptography] AES related issue
Bart Preneel
bart.preneel at esat.kuleuven.be
Wed Mar 29 12:02:19 EDT 2017
On Wed, 29 Mar 2017, John Denker via cryptography wrote:
>> On 03/28/2017 11:54 PM, Philipp Gühring wrote:
>> I am currently playing around with an encryption/decryption module, which
>> claims to be using AES-256. Under normal circumstances, Encryption and
>> Decryption seem to work fine.
>> Now I tried to play a bit with the key during the decryption operation,
>> and when I seem to insert the wrong key, the module returns high entropy
>> blocks.
>> Surprisingly, the high entropy blocks contain only on average 7.58 bits
>> of entropy per byte (it was in the range of 7.53-7.604).
>> The keys I inserted were similar to the original key, so possibly just
>> single bit-flips difference to the original key.
> AES is known to have horrible related-key weaknesses.
> To verify that the problem is here (rather than, say, in the
> measurement methods) repeat the experiment, but hash each key
> before feeding it to AES.
> Or (!) use something like ChaCha20 that doesn't screw up when
> given related keys.
The best related key attack on AES-256 requires four related keys
with a very specific relation and requires 2^{99.5} chosen texts
with a specific structure. The time complexity of the attack is 2^{99.5}.
For details: https://eprint.iacr.org/2009/317.pdf
Very nice cryptanalysis work, but it is not very likely that anyone will
see any biases in a casual experiment as described above (just to be
sure: this is an understatement).
I would categorize "horrible related-key weakness" as pure fear-mongering.
Let's focus on real problems.
-Bart
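
Added example, not part of the original message: Denker's suggestion to rule out the measurement method can be tried without AES at all. The sketch below measures the empirical byte entropy of uniformly distributed bytes (SHA-256 in counter mode as a constructed stand-in for wrong-key decryption output) at several sample sizes; the sample sizes are assumptions, since the thread does not say how much data was measured.

```python
import hashlib
import math
from collections import Counter


def uniform_bytes(n, seed=b"constructed-seed"):
    """Deterministic uniform-looking bytes (SHA-256 in counter mode).

    Constructed stand-in for wrong-key decryption output; no AES involved.
    """
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def plugin_entropy(data):
    """Empirical (plug-in) Shannon entropy of the byte histogram, bits/byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_stats(sample_size, trials=50):
    """Mean, min and max plug-in entropy over `trials` independent samples."""
    stream = uniform_bytes(sample_size * trials)
    values = [
        plugin_entropy(stream[i * sample_size:(i + 1) * sample_size])
        for i in range(trials)
    ]
    return sum(values) / trials, min(values), max(values)


if __name__ == "__main__":
    # Sample sizes are assumptions; the thread does not state how many
    # bytes of module output were measured.
    for size in (256, 512, 1024, 4096, 65536):
        mean, low, high = entropy_stats(size)
        print(f"{size:6d} bytes: mean {mean:.3f}  range {low:.3f}-{high:.3f}")
```

For small samples the histogram estimate sits well below 8 bits per byte even for ideal random data, so a figure below 8 on its own does not indicate a bias in the cipher.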