Re: [Cfrg] matching AES security

Johannes Merkle <johannes.merkle@secunet.com> Thu, 31 July 2014 09:37 UTC

Message-ID: <53DA0E5B.6020006@secunet.com>
Date: Thu, 31 Jul 2014 11:37:31 +0200
From: Johannes Merkle <johannes.merkle@secunet.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>, "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <20140730123336.29011.qmail@cr.yp.to> <CFFE99A0.18226%uri@ll.mit.edu>
In-Reply-To: <CFFE99A0.18226%uri@ll.mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6c9gt_8h976ml7JRei33q2yqZAI
Subject: Re: [Cfrg] matching AES security

Blumenthal, Uri - 0558 - MITLL wrote on 30.07.2014 19:49:
> On 7/30/14 8:33 , "D. J. Bernstein" <djb@cr.yp.to> wrote:
>> There are standard attacks that break _all_ of 2^50 AES-128 keys using a
>> _total_ of 2^128 easy computations. Even worse, there are standard
>> attacks that find _at least one_ of the keys using just 2^78 easy
>> computations, a feasible computation today.
> 
> Could you please point me at a decent reference/description of this attack?
> 

The attack is very simple:
- Gather a list of 2^N ciphertexts resulting from the _same_ plaintext encrypted under 2^N random keys.
- For 2^(128-N) randomly chosen (different) keys, encrypt the known plaintext and check if the resulting ciphertext
matches one of the gathered ciphertexts.

Assuming the cipher to be a random permutation, a collision occurs with probability 1 - (1-2^(-N))^N which approximates
1-1/e. If you have sorted the list of gathered ciphertexts, the attack takes 2^(128-N)*log(N) steps (and 2^N space).


-- 
Johannes
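The two-phase multi-target search described in the reply above, scaled down so it actually runs, as an added example that is not code from the thread. AES-128 is replaced by a toy keyed function (SHA-256 over key || plaintext, truncated to 64 bits), since only the structure of the attack matters; the key size k and list size 2^n are parameters, and the defaults k = 16, n = 6 keep a run to about a thousand evaluations. The names `toy_encrypt`, `multi_target_search`, `success_probability` and `empirical_success_rate`, the plaintext string and the seeds are all assumptions of this example. `success_probability` evaluates 1 - (1 - 2^(n-k))^(2^(k-n)), the per-run collision probability for these parameters, which tends to 1 - 1/e; `empirical_success_rate` runs the attack many times so the measured rate can be compared with it.

```python
"""Multi-target key search: find at least one of 2^n keys with 2^(k-n) work.

Added, scaled-down simulation of the attack in the post above; not code from
the original thread. AES-128 is replaced by a toy keyed function because only
the structure of the attack matters (assumption of this example).
"""
import hashlib
import math
import random
from typing import NamedTuple, Optional


def toy_encrypt(key: int, plaintext: bytes, keybits: int) -> bytes:
    """Stand-in for E_key(plaintext): SHA-256(key || plaintext) cut to 64 bits.

    Assumption: any keyed function whose output depends on the whole key
    behaves like a random permutation as far as this attack is concerned.
    """
    key_bytes = key.to_bytes((keybits + 7) // 8, "big")
    return hashlib.sha256(key_bytes + plaintext).digest()[:8]


class SearchResult(NamedTuple):
    recovered_key: Optional[int]   # trial key whose ciphertext hit the table
    target_key: Optional[int]      # the victim key that ciphertext belongs to
    trial_encryptions: int         # phase-2 work actually spent (<= 2^(k-n))


def multi_target_search(plaintext: bytes, keybits: int, n: int, seed: int = 0) -> SearchResult:
    """One run of the attack against 2^n victims who all encrypted `plaintext`."""
    rng = random.Random(seed)
    keyspace = 1 << keybits

    # Phase 1 (the attacker's input): 2^n ciphertexts of the same plaintext
    # under 2^n distinct random keys. A dict gives O(1) lookups; the post's
    # sorted list with binary search costs about n comparisons per lookup.
    target_keys = rng.sample(range(keyspace), 1 << n)
    table = {toy_encrypt(k, plaintext, keybits): k for k in target_keys}

    # Phase 2: encrypt the known plaintext under up to 2^(k-n) random trial
    # keys (drawn with replacement here, for simplicity) and stop at the first
    # ciphertext already present in the table.
    budget = 1 << (keybits - n)
    for done in range(1, budget + 1):
        guess = rng.randrange(keyspace)
        ct = toy_encrypt(guess, plaintext, keybits)
        if ct in table:
            return SearchResult(guess, table[ct], done)
    return SearchResult(None, None, budget)


def success_probability(keybits: int, n: int) -> float:
    """P[at least one hit] = 1 - (1 - 2^(n-k))^(2^(k-n)), which tends to 1 - 1/e.

    log1p/expm1 keep this exact for k = 128, where 1 - 2^-78 would round to 1.0.
    """
    per_trial = 2.0 ** (n - keybits)
    trials = 2.0 ** (keybits - n)
    return -math.expm1(trials * math.log1p(-per_trial))


def empirical_success_rate(keybits: int = 16, n: int = 6, runs: int = 300, seed: int = 1) -> float:
    """Fraction of independent runs that recover a key; compare with success_probability."""
    hits = 0
    for i in range(runs):
        result = multi_target_search(b"same plaintext!!", keybits, n, seed=seed * 100003 + i)
        if result.recovered_key is not None:
            hits += 1
    return hits / runs


if __name__ == "__main__":
    k, n = 16, 6
    print(f"k={k} n={n}: theory {success_probability(k, n):.3f}, "
          f"empirical {empirical_success_rate(k, n):.3f}")
    print(f"k=128 n=50: theory {success_probability(128, 50):.3f} "
          f"with 2^{128 - n if False else 78} trial encryptions and 2^50 stored ciphertexts")
```

With the defaults each run spends at most 2^10 trial encryptions against a table of 2^6 ciphertexts, and about 63% of runs return a key; the same arithmetic with k = 128 and n = 50 gives the 2^78 figure quoted in the thread, at the price of storing 2^50 ciphertexts.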