Re: [Cfrg] A little room for AES-192 in TLS?

"Paterson, Kenny" <> Thu, 19 January 2017 16:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 632CF129668 for <>; Thu, 19 Jan 2017 08:02:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.542
X-Spam-Status: No, score=0.542 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156, RCVD_IN_SORBS_WEB=3.599, SPF_HELO_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aijbtqmM04Mj for <>; Thu, 19 Jan 2017 08:02:53 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C57481293E1 for <>; Thu, 19 Jan 2017 08:02:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=J1LRniz0KZsSUPEYlo74duKxeP++W8qqilfJQ7gdvSI=; b=lPVbWLyUBWHrHVvauIU8EZpbnZgZCvM6pWsxDQ7Z47Pt26N+Xjc3Lw4Gz2jVxoRTsRvV2zrHsN8I7loqxArTFQWsL3l9M3Wzerm5F/laUi/531TTJqzHbFg+DbeJDFPw/JUZpOjcWgCGD1GwDUBFPiZllWrf+9NqmuI7ysEIm24=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.845.12; Thu, 19 Jan 2017 16:02:50 +0000
Received: from ([]) by ([]) with mapi id 15.01.0845.021; Thu, 19 Jan 2017 16:02:49 +0000
From: "Paterson, Kenny" <>
To: Leonard den Ottolander <>, "" <>
Thread-Topic: [Cfrg] A little room for AES-192 in TLS?
Date: Thu, 19 Jan 2017 16:02:49 +0000
Message-ID: <>
References: <> <1484577818.5104.1.camel@quad> <> <> <> <> <1484593651.5104.49.camel@quad> <> <1484662079.5135.49.camel@quad> <> <> <> <> <> <1484759562.5121.70.camel@quad>
In-Reply-To: <1484759562.5121.70.camel@quad>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; AM4PR0301MB1906; 7:6Miose6QYAOWMcZQL2BppVp8Tl3od3J3ycYaWmqlE4zbmAAVY5aKr2jOmeN8D3f+TtF5ZtunQ4/rOeIBixAO7s+w4Eh66QuhhruG0IsWVSGcSX3ntw1STDS9a0hrcX44gqGvvAhI8OzjETp3KX5dCDP64Pc6pKxyFTdch6BLcLALQOpTI5d1hN1yVd/RCUs16bIn20U5t44aGBm6kLXHFhBN/vgMuMLcvxko2vtkbaIaN+5a4FDmjncyasLlVxpUsm5Vkkim2JF82MQeU0Cnxrk1zdDyIsecILH9hjPZU406kdM1i5snKgWrbeSiBPJwCSb7a5WkcjVEOvB6ECS0SWyRU1+FSnUkcrmxYHVzwSH+EJUkuVWiEgvGyDJt4tAxMRSgQTKn5xPbWjX++oUaWBbrsxco3AP7rWMxUFLkKmuo4Q+AI4bXBcXm0R47HX2SgliwbO1YzOzyb9kbmeQyzg==
x-forefront-antispam-report: SFV:SKI; SCL:-1SFV:NSPM; SFS:(10009020)(6009001)(7916002)(39450400003)(24454002)(377424004)(199003)(189002)(42882006)(2950100002)(6486002)(77096006)(66066001)(6506006)(38730400001)(6436002)(102836003)(3846002)(99286003)(189998001)(5660300001)(25786008)(107886002)(6306002)(2900100001)(36756003)(6512007)(122556002)(92566002)(6116002)(74482002)(101416001)(54356999)(5001770100001)(4001350100001)(50986999)(229853002)(76176999)(97736004)(93886004)(2501003)(105586002)(106356001)(106116001)(8676002)(7736002)(83506001)(81156014)(81166006)(3280700002)(3660700001)(53936002)(575784001)(1720100001)(86362001)(2906002)(8936002)(68736007)(305945005); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0301MB1906;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
x-ms-office365-filtering-correlation-id: 31caf459-4589-4125-eb37-08d440849e24
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:AM4PR0301MB1906;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6041248)(20161123562025)(20161123555025)(20161123564025)(20161123560025)(6072148); SRVR:AM4PR0301MB1906; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0301MB1906;
x-forefront-prvs: 0192E812EC
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2017 16:02:49.8342 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0301MB1906
Archived-At: <>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jan 2017 16:02:57 -0000

Hi Leonard,

On 18/01/2017 17:12, "Cfrg on behalf of Leonard den Ottolander"
< on behalf of> wrote:

>Hello Joan,
>On Tue, 2017-01-17 at 19:28 +0100, Joan Daemen wrote:
>> the related-key attacks against AES were interesting from an academic
>> point of view as they broke the security claim we made for Rijndael.
>A better link to the above research is
> .
>This research is rather condemning even though the authors do not claim
>these attacks are entirely practical yet they do state:
>"While neither AES-128 nor AES-256 can be directly broken by these
>attacks, the fact that their
>hybrid  (which  combines  the  smaller  number  of  rounds  from  AES-128
> along  with  the  larger  key
>size from AES-256) can be broken with such a low complexity raises
>serious concern about the
>remaining safety margin offered by the AES family of cryptosystems."

What this extract from the abstract does not mention is a critical phrase,
in the context of the current discussion about the use of AES in TLS,
namely: "in the related-key attack model".

>This criticism is valid for all AES versions. However:
>"The key schedules of AES-128 and AES-192 are slightly different, since
>they have to apply more
>mixing operations to the shorter key in order to produce the slightly
>smaller number of subkeys for the
>various rounds. This small difference in the key schedules plays a major
>role in making AES-256 more
>vulnerable to our attacks, in spite of its longer key and supposedly
>higher security."
>AES-256 appears to be more vulnerable than AES-192 (or AES-128) to these

Yes, for related-key attacks. But as has been explained several times
already in this thread, they are not relevant in the TLS context.

>I pointed out the example ( because the
>remarks it makes about the AES-256 key schedule seemed to indicate
>structural weaknesses. Because Richard insisted I dug a bit deeper I
>came up with the above which seems to confirm the "hunch" I was having
>that the weak key schedule in AES-256 is a problem in itself.
>> However, the attacks require very sophisticated manipulations of the
>> secret key by the attacker.
>Please don't use arguments that might be valid for one report to
>disqualify another. (This is a request made in general, Richard seems to
>be doing this in his last post also.) The argument related key attacks
>are mostly hypothetical applies to but
>not so much to .
>I quote:
>"The attacks are particularly well suited to counter modes
>of operation (AES-CTR), since the attacker can get all the chosen
>plaintexts he needs by starting from
>just two chosen initial values and running the counter mode in a natural
>This kind of manipulation seems not to be that far fetched...

Unfortunately, this quote is not relevant to the point that Joan was
making. Note first that the attacks in eprint 2009/374 are still in the
related-key attack setting. The quote you give refers to the format of the
*plaintexts* needed in the attack, not the relations between *keys* needed
for the attack. The latter requirements will not be met in the TLS context
because of the way in which key derivations are performed in that
protocol. In short, related-key attacks are not a concern for the use of
AES in the TLS setting.

>> As for including AES-192 in TLS, I don't see any benefits.
>AES-192 has been specified as a valid cipher just as much as AES-128 and
>AES-256. The exclusion from TLS was entirely arbitrary. The motivation
>for its exclusion is unclear. The wording in RFC-3268 is vague at best:
>"The AES supports key lengths of 128, 192 and 256 bits. However, this
>document only defines ciphersuites for 128- and 256-bit keys. This
>is to avoid unnecessary proliferation of ciphersuites."
>The fact that AES-256 appears to be not quite as strong as AES-192 might
>render the "proliferation of AES-192" much less unnecessary.

Again, in the related-key attack setting, which is not relevant for TLS.

>Though AES-192 is not a 256 bit cipher it seems still to be
>significantly stronger than AES-128 and does not share the weaknesses of
>AES-256. This I believe is a strong argument to include it in TLS.

It's not, because the related-key attack setting is not relevant for TLS.

>I do not see how the fact that we now have ChaCha20 is an argument not
>to include AES-192. AES-192 has been specified just as much as its
>siblings so it's exclusion from TLS is nothing but arbitrary. Why should
>we only have one algorithm to choose from? (Again, like I wasn't arguing
>against Camellia or AES-128 earlier so am I not arguing against ChaCha20
>here. But until we are all chachaing, salsaing and elliptic curving I
>would like access to decent crypto that is well established, well
>scrutinized and readily available.)
>Implementations are available in many cases (eg. openssl) and need only
>to be "unlocked" by making entries available in the spec. From the
>research I put forward AES-256 seems to have major flaws in the key
>schedule that AES-192 does not suffer from.

Only in the related-key attack setting, which is not relevant for TLS.

>On the one hand people argue against inclusion of AES-192 because it is
>not PQ-resitant, on the other hand people argue I should use AES-128. It
>all seems, again that word, rather arbitrary. And in general, the PQ
>argument does not hold for the current situation: We need decent crypto
>not just PQ but now as well.
>To sum up:
>- AES-192 was excluded from TLS for arbitrary reasons.
>- AES-256 has known weaknesses in its key schedule that some researcher
>consider severe.

Only in the related-key attack setting, which is not relevant for TLS.

>- AES-192 offers better security than AES-128. There is serious doubt
>AES-256 can offer the same level of security. This makes AES-192 a valid

Only in the related-key attack setting, which is not relevant for TLS.



>- Implementations of AES-192 are readily available.
>mount -t life -o ro /dev/dna /genetic/research
>Cfrg mailing list