Re: [Cfrg] A little room for AES-192 in TLS?

Leonard den Ottolander <leonard-lists@den.ottolander.nl> Tue, 17 January 2017 14:08 UTC

From: Leonard den Ottolander <leonard-lists@den.ottolander.nl>
To: cfrg@irtf.org
In-Reply-To: <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <20170115205926.853FB60A6D@jupiter.mumble.net> <1484577818.5104.1.camel@quad> <D4A2A7CE.57FDF%john.mattsson@ericsson.com> <CABcZeBPGxT=9iiChy4PxD_zMHWcHU=AhCLoe7wEHHtryw2rfwg@mail.gmail.com> <D4A2B50D.7E040%kenny.paterson@rhul.ac.uk> <CAHOTMVJrHBn4AR7PCJ14xKYCVjdxF7SiswiOABX_g6A5gsQGDg@mail.gmail.com> <1484593651.5104.49.camel@quad> <1df3ba4212e44f9d8e3e6fabf8610cc0@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Tue, 17 Jan 2017 15:07:59 +0100
Message-ID: <1484662079.5135.49.camel@quad>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/u8_kXXpAosydPASiH4mjzl7X7-k>
Subject: Re: [Cfrg] A little room for AES-192 in TLS?

On Mon, 2017-01-16 at 19:18 +0000, Salz, Rich wrote:
> > And how can one extrapolate the attacks and analyses mentioned in
> > http://eprint.iacr.org/2009/317 to use them as an indication of possible
> > cryptanalytic advances?
> 
> One simple idea, which I have suggested in the TLS mailing list, is
> that you search to see if anyone has done anything in this area in the
> past eight years.

Are you suggesting that because this research is 8 years old, its
findings are not valid? So far no one has really answered the question
whether the aforementioned analysis indicates that AES-192 might be more
resistant to cryptanalysis than AES-256.

So although I don't think the fact that the research I reference is 8
years old invalidates it in any way, I dug around a bit.

http://eprint.iacr.org/2010/248 improves the attack on AES-192 from
2^176 to 2^169. The original attack against AES-256 in
http://eprint.iacr.org/2009/317 had complexity of 2^119 which they
improved to 2^99.5 soon after original publication.

And there is

https://books.google.nl/books?id=weETxBt-VAMC&pg=PA316&lpg=PA316&dq=aes+256+key+schedule+strength&source=bl&ots=GTfhsVdh7E&sig=y0ZE9_3OBCRbbpLHvq0PAAZqRmg&hl=en&sa=X&redir_esc=y#v=onepage&q=aes%20256%20key%20schedule%20strength&f=false

Advances in Cryptology - EUROCRYPT 2010: 29th Annual International
Conference...

This is only a partial paper, but I'll cite from the conclusions of Key
Recovery Attacks of Practical Complexity, 8 Conclusions (page 316):

"The main problem seems to be the key schedule of AES-256, which is "not
of industrial strength": It does not mix the initial key sufficiently,
it is too linear, and as a result it has unusually long key
differentials of probability 1. In addition the similarity between the
key schedule and the data encryption in AES makes it possible to
repeatedly cancel data differences with corresponding key differences
over many rounds. Ironically, the new attacks work best against AES-256
(which was supposed to be the strongest member of the AES family), and
do not currently seem to work against AES-128."

"The most disturbing aspect of the new attacks is that AES-256 can no
longer be considered as a safe black box construction, which can be
dropped into any security application with little thought about how it
is used."

> > > used almost exclusively. I think the general trend is to switch to
> > > AES-256 in new systems.
> > 
> > This is a circular argument.
> 
> Not quite.  It is an argument saying that we are using AES256 in spite of what one paper says.

I was responding to the first part of that paragraph: "In practice,
AES-192 is generally not used: AES-128 and AES-256 are used
almost exclusively." To that I say, AES-192 is not being used because
it's not in the specs. Then refusing to add it to the specs is what I
call a circular argument. And you cannot argue nobody wants to use it as
it is not available for use. If I wanted to I could not use AES-192
except in private use scenarios, as no one is offering such ciphers, i.e.
there is no one to "talk AES-192 to". If such ciphers were available and
nobody would use them then you could draw the conclusion that "nobody
wants to use it".

> > I don't see how one can qualify the addition
> > of a few references to a list as "complex".
> 
> Have you done much software deployment, especially at Internet scale?
> This is about far more than just adding IANA entries.  Did you see my
> post in the  TLS group that talked to this?

I'm just not entirely convinced by your arguments. Have you seen any
breakage in middleboxes when the ARIA ciphers were added in 2011? I
acknowledge adding ciphers is not zero effort, but to describe it as
complex is inaccurate.

As for software implementation, I already argued that if the cipher is
available in the software adding references so it can be used is
trivial. And implementers can always ignore the new ciphers in the list.
It's not like openssl broke because it ignores the ARIA ciphers
altogether.
 
> > So the question remains if AES-192 has certain characteristics that warrant
> > inclusion. The fact that "the key schedule for 256-bit version is pretty lousy"
> > and the mentioned attacks have complexity of < 2^100 for AES-256, but >
> > 2^179 for AES-192 might speak for it.
> 
> Has anyone but Bruce shared that viewpoint?

Well clearly the authors of Related-key Cryptanalysis of the Full
AES-192 and AES-256, Alex Biryukov and Dmitry Khovratovich agree with
him on the relatively poor quality of the key schedule of AES-256 even
though their wording is not quite as strong as his. Plus the authors of
the EuroCrypt article quoted above (the two previous authors and Orr
Dunkelman, Nathan Keller and Adi Shamir).

And there are references to that study in http://eprint.iacr.org/2011/710
and http://eprint.iacr.org/2016/025 so I guess you could count those
authors too.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research
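The quoted conclusions criticise the AES-256 key schedule for not mixing the initial key sufficiently. The following is an added example, not code from the thread or from any of the cited papers: a straight FIPS 197 key expansion for all three AES key sizes (the S-box is derived from its GF(2^8) definition rather than typed in), plus a constructed experiment that introduces a single-byte difference into a random key and counts how many bytes of each round key differ. The function names `expand_key`, `active_bytes_per_round` and `slowest_full_diffusion` are this example's own. The trace makes the structural difference visible: in AES-256 the first two round keys are the key itself, so a difference confined to one 128-bit half leaves the other half's round key untouched, and the schedule for AES-256 and AES-192 takes more rounds than AES-128 to spread a difference across all 16 bytes.

```python
"""Added example (not from the thread): FIPS-197 key expansion for AES-128,
AES-192 and AES-256, with a small experiment tracing how a one-byte key
difference spreads through the round keys of each variant."""
import os


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = 0x63
        for k in range(5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key: bytes) -> list:
    """FIPS 197 section 5.2. Returns Nr+1 round keys of 16 bytes each
    (11 for AES-128, 13 for AES-192, 15 for AES-256)."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        temp = list(w[i - 1])
        if i % nk == 0:
            # SubWord(RotWord(temp)) xor Rcon: the only nonlinear step in AES-128/192
            temp = [SBOX[b] for b in temp[1:] + temp[:1]]
            temp[0] ^= RCON[i // nk - 1]
        elif nk == 8 and i % nk == 4:
            temp = [SBOX[b] for b in temp]  # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(nr + 1)]


def active_bytes_per_round(key: bytes, position: int, delta: int) -> list:
    """For `key` and the same key with byte `position` xored by `delta`, count the
    round-key bytes that differ, round by round (a single-byte key differential)."""
    other = bytearray(key)
    other[position] ^= delta
    return [sum(a != b for a, b in zip(rk1, rk2))
            for rk1, rk2 in zip(expand_key(key), expand_key(bytes(other)))]


def slowest_full_diffusion(key_len: int, trials: int = 100):
    """Over random keys and random single-byte differences, the latest round at
    which all 16 round-key bytes became active. None if some trial never got
    there (two nonzero byte differences can cancel under xor)."""
    worst = 0
    for _ in range(trials):
        key = os.urandom(key_len)
        position = os.urandom(1)[0] % key_len
        delta = 1 + os.urandom(1)[0] % 255
        trace = active_bytes_per_round(key, position, delta)
        full = [r for r, n in enumerate(trace) if n == 16]
        if not full:
            return None
        worst = max(worst, full[0])
    return worst


if __name__ == "__main__":
    for n in (16, 24, 32):
        trace = active_bytes_per_round(os.urandom(n), 0, 0x80)
        print(f"AES-{8 * n}: {len(trace)} round keys; active bytes per round "
              f"for a difference in key byte 0: {trace}; slowest full diffusion "
              f"over random trials: round {slowest_full_diffusion(n)}")
```

Run it as a script to see the per-round traces; the numbers vary slightly between runs because xor of two nonzero byte differences occasionally cancels, which is why `slowest_full_diffusion` reports the worst case over many trials rather than a single run.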