[cryptography] Single-key key recovery for full AES

Ian G iang at iang.org
Sat Aug 20 12:12:26 EDT 2011

Curiously, AES is now being reported as "broken."


Yet, I'm sure I read earlier that the recovery attack was a few bits 
short of the brute force attack.  Here it is:

On 18/08/11 1:52 AM, Jack Lloyd wrote:
> http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
>    - The first key recovery attack on the full AES-128 with computational complexity 2^126.1
>    - The first key recovery attack on the full AES-192 with computational complexity 2^189.7
>    - The first key recovery attack on the full AES-256 with computational complexity 2^254.4
>    - Attacks with lower complexity on the reduced-round versions of AES not considered before,
>     including an attack on 8-round AES-128 with complexity 2^124.9
>    - Preimage attacks on compression functions based on the full AES versions.

Ah, allegedly 2 bits off means broken:


    << Broken, in cryptographic circles, means that a means exists
    for deducing the encryption key, with certainty, in less than
    the 2^n operations (i.e. complete encryption cycles) that a
    brute-force attack would require. >>

Therefore, if we lop another 2 bits off, it's twice broken?  Or is that 
broken-squared?  To get down to a computationally reasonable number, 
bit-pair by bit-pair, do we need to break it 2^4 times?

Do cryptanalysts really write in such hyper-inflationary terms, leaving 
the rest of us to distinguish between English and noise?

>  As our attacks are of high
> computational complexity, they do not threaten the practical use of
> AES in any way.

Apparently not.  In order to reduce the temptation for bored journos 
appealing to News of the World reader expectations, perhaps we can come 
up with a way of talking that doesn't trash the ability for the rest of 
us to appreciate.

How about rating the bits off the top:

     - AES-128 attacked to B1.9
     - AES-192 attacked to B2.3
     - AES-256 attacked to B1.6

Or?  Just lambast whoever misuses the language, like we always do :)


More information about the cryptography mailing list