Re: [Cfrg] A little room for AES-192 in TLS?

Leonard den Ottolander <> Mon, 16 January 2017 19:07 UTC

Hello Tony,

On Mon, 2017-01-16 at 10:09 -0800, Tony Arcieri wrote:
> I would rate the chances of a related key attack against TLS as
> "vanishingly small". The use of key derivation functions ensures keys will
> not be related.

How about a scenario where an adversary is able to compromise the
software in such a way that related keys are being generated
occasionally and possibly even used for encryption of known plaintext
(protocol headers come to mind)? This scenario assumes the adversary
is not fully in control of the source code but is capable of injecting
subtle bugs "under the radar". Would AES-192 hold up better in such a
scenario than AES-256?

And how can one extrapolate the attacks and analyses mentioned in to use them as an indication of possible
cryptanalytic advances?

> In practice, AES-192 is generally not used: AES-128 and AES-256 are used
> almost exclusively. I think the general trend is to switch to AES-256 in
> new systems.

This is a circular argument. AES-192 is not generally used because it is
not in the specifications. Using that as an argument not to put it in
the specs is, well, circular.

Bruce Schneier wrote about this in 2009: &

In the blog he states "The attack exploits the fact that the key
schedule for 256-bit version is pretty lousy -- something we pointed out
in our 2000 paper -- but doesn't extend to AES with a 128-bit key."

He even goes so far as to state "And for new applications I suggest that
people don't use AES-256."

> Adding AES-192 ciphersuites sounds like an awful lot of additional
> complexity both for specifiers and implementers for something I suspect no
> one will ever use.

Software like e.g. OpenSSL has an AES implementation that does support
AES-192. I'm not sure if the GCM code needs modifications for it to work
with AES-192, but for the rest all that is required is to add the
references to the new ciphers in the source code. I don't see how one
can qualify the addition of a few references to a list as "complex".

> Personally I would rather see that energy go into e.g.
> post-quantum ciphersuites.

I thought symmetric ciphers are considered somewhat quantum resistant so
I'm not sure the PQ argument is very valid here. Also, if AES-192 is
inherently more secure than AES-256 that would probably also be the case
in a PQ world.

By the way, I'm all for the implementation and specification of
post-quantum symmetric ciphers. I could imagine something along the lines of
triple AES (GCM3 with mask 1 and 2 concatenated and XORed in the middle
with either mask 1 or 2 again). Or perhaps an extension of Rijndael to
use a block of 256 bits and a key of 480 :) .

So the question remains if AES-192 has certain characteristics that
warrant inclusion. The fact that "the key schedule for 256-bit version
is pretty lousy" and the mentioned attacks have a complexity of < 2^100
for AES-256, but > 2^179 for AES-192 might speak for it.


mount -t life -o ro /dev/dna /genetic/research
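An added illustration of the key-schedule point debated above, not code from the thread or from any project mentioned in it: a FIPS-197 key expansion for all three key lengths (Nk = 4, 6, 8) plus a helper that XORs one byte of a key and counts, per round key, how many round-key bytes change. The keys fed to it are constructed; it shows the structural differences (round count, the extra SubWord step only the 256-bit schedule has, and how a difference in the second half of a 256-bit key leaves a whole round key untouched), i.e. the diffusion behaviour the quoted remark is about, not an attack.

```python
def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox() -> list[int]:
    """S-box: affine transform of the GF(2^8) inverse (inverse of 0 taken as 0)."""
    box = []
    for x in range(256):
        s = t = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        for _ in range(4):                      # s = inv ^ rotl(inv, 1) ^ ... ^ rotl(inv, 4)
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()
def _sub_word(w: int) -> int:
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def _rot_word(w: int) -> int:
    return ((w << 8) & 0xFFFFFFFF) | (w >> 24)

def key_expansion(key: bytes) -> list[int]:
    """FIPS-197 key expansion: 4*(Nr+1) round-key words for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4                          # Nk = 4, 6 or 8 words; Nr = Nk + 6 rounds
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nk + 7)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = _sub_word(_rot_word(temp)) ^ (rcon << 24)
            rcon = _gf_mul(rcon, 0x02)
        elif nk == 8 and i % nk == 4:
            temp = _sub_word(temp)              # the extra SubWord step only AES-256 has
        w.append(w[i - nk] ^ temp)
    return w

def key_diffusion(key: bytes, byte_index: int, delta: int = 0x01) -> list[int]:
    """XOR `delta` into key byte `byte_index` and report, per round key, how many of
    its 16 bytes differ from the unmodified schedule (0 = that round key is unaffected)."""
    other = bytearray(key)
    other[byte_index] ^= delta
    w1, w2 = key_expansion(key), key_expansion(bytes(other))
    return [sum(1 for a, b in zip(w1[4 * r:4 * r + 4], w2[4 * r:4 * r + 4])
                for x in (a ^ b).to_bytes(4, "big") if x) for r in range(len(w1) // 4)]
```

On constructed keys, `key_diffusion(bytes(range(32)), 16)` begins [0, 1, 0, 4, 4] while `key_diffusion(bytes(range(16)), 0)` begins [1, 4, 6]: a difference placed in the second half of a 256-bit key leaves round key 2 completely unchanged and then spreads slowly, which is the weak diffusion the quoted remark refers to.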