Re: [Cfrg] matching AES security

Sandy Harris <sandyinchina@gmail.com> Wed, 30 July 2014 20:55 UTC

In-Reply-To: <20140730123336.29011.qmail@cr.yp.to>
References: <20140730123336.29011.qmail@cr.yp.to>
Date: Wed, 30 Jul 2014 16:54:58 -0400
Message-ID: <CACXcFmkidGmOyqAqo7oTmfS9nhu76gchb5GAnM1FEf078f_UTQ@mail.gmail.com>
From: Sandy Harris <sandyinchina@gmail.com>
To: cfrg@irtf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/6tWXYvvxoUqt3NZ-lu7uk8vdDQY

D. J. Bernstein <djb@cr.yp.to> wrote:

> There are standard attacks that break _all_ of 2^50 AES-128 keys using a
> _total_ of 2^128 easy computations. Even worse, there are standard
> attacks that find _at least one_ of the keys using just 2^78 easy
> computations, a feasible computation today.
>
> These attacks assume that the attacker sees ciphertext for, e.g., an
> all-zero block encrypted under all of the keys. Sometimes protocols
> randomize their blocks to try to stop these attacks---but putting
> complications into protocols to compensate for a cipher's deficient
> security is _not_ a smart way to design a cryptographic system. For the
> past decade I've been recommending moving to larger cipher keys,
> precisely because of this attack against 128-bit keys.
....
> In a world of 2^50 AES-256 keys, there's an attack that already has a
> high probability of finding a key in time "only" 2^206.

Does the construction used in Enchilada solve those problems?
https://aezoo.compute.dtu.dk/doku.php?id=enchilada

It puts a 256-bit key into Chacha, then uses Chacha both to
generate AES round keys (so there is no 128-bit or 256-bit
AES key to attack) and to add whitening that changes for
every block (so common general attacks on block ciphers
all fail).
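The multi-target key search that the quoted paragraphs describe, worked through at toy scale as an added example (this is not code from the thread, and it is not Enchilada's construction). The assumptions are mine: the attacker knows all but the low 20 bits of each AES-128 key, so the effective key space is 2^20 rather than 2^128; the target keys are derived deterministically from SHA-256 so the run is reproducible; and every target has encrypted the same all-zero block, exactly the condition djb's scenario requires. Go is used because crypto/aes is in the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Toy reduction (assumption, not from the thread): only the low KeyBits bits
// of each AES-128 key are unknown to the attacker. Real keys have 128 unknown
// bits; the shape of the attack is the same, only the exponents change.
const KeyBits = 20
const keySpace = 1 << KeyBits

// keyFromIndex builds a 16-byte AES-128 key whose unknown part is idx; the
// "known" 108 bits are fixed at zero here (assumption).
func keyFromIndex(idx uint32) []byte {
	k := make([]byte, 16)
	binary.BigEndian.PutUint32(k[12:], idx&(keySpace-1))
	return k
}

// encryptZero returns AES-128_k(0^128): the value the attacker is assumed to
// see for every target key in the quoted scenario.
func encryptZero(key []byte) [16]byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var zero, out [16]byte
	c.Encrypt(out[:], zero[:])
	return out
}

// targetKeys derives t distinct unknown-key indices from SHA-256 of a counter.
// Constructed sample data so that runs are deterministic.
func targetKeys(t int) []uint32 {
	seen := make(map[uint32]bool, t)
	keys := make([]uint32, 0, t)
	for ctr := uint32(0); len(keys) < t; ctr++ {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], ctr)
		h := sha256.Sum256(b[:])
		idx := binary.BigEndian.Uint32(h[:4]) % keySpace
		if !seen[idx] {
			seen[idx] = true
			keys = append(keys, idx)
		}
	}
	return keys
}

// multiTargetSearch is the attack: put the t observed zero-block ciphertexts
// in one table, then enumerate candidate keys once, testing each candidate
// against ALL targets with a single lookup. It returns the first recovered
// key index, the number of AES key trials spent, and whether anything was hit.
// Expected trials are about keySpace/(t+1), not keySpace/2 as for one target.
func multiTargetSearch(targets []uint32) (found uint32, trials int, ok bool) {
	table := make(map[[16]byte]uint32, len(targets))
	for _, idx := range targets {
		table[encryptZero(keyFromIndex(idx))] = idx
	}
	for cand := uint32(0); cand < keySpace; cand++ {
		trials++
		if idx, hit := table[encryptZero(keyFromIndex(cand))]; hit {
			return idx, trials, true
		}
	}
	return 0, trials, false
}

func main() {
	for _, t := range []int{1, 1024} {
		found, trials, ok := multiTargetSearch(targetKeys(t))
		fmt.Printf("targets=%4d  recovered=%v  key=%06x  trials=%d (space 2^%d)\n",
			t, ok, found, trials, KeyBits)
	}
}
```

Because candidates are enumerated in increasing order, the trial count equals the smallest target index plus one; with one target that is uniform over the whole space (mean 2^19), with 1024 targets it is the minimum of 1024 uniform draws (mean about 2^10). Scaling the exponents back up gives djb's figures: 2^50 keys sharing a known plaintext block bring the cost of recovering at least one of them from 2^127 down to roughly 2^78. The per-block whitening mentioned for Enchilada breaks the precondition rather than the arithmetic: if each target encrypts a different block, no single table serves all of them.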