[cryptography] Single-key key recovery for full AES
iang at iang.org
Sat Aug 20 12:12:26 EDT 2011
Curiously, AES is now being reported as "broken."
Yet, I'm sure I read earlier that the recovery attack was a few bits
short of the brute force attack. Here it is:
On 18/08/11 1:52 AM, Jack Lloyd wrote:
> - The first key recovery attack on the full AES-128 with computational complexity 2^126.1
> - The first key recovery attack on the full AES-192 with computational complexity 2^189.7
> - The first key recovery attack on the full AES-256 with computational complexity 2^254.4
> - Attacks with lower complexity on the reduced-round versions of AES not considered before,
> including an attack on 8-round AES-128 with complexity 2^124.9
> - Preimage attacks on compression functions based on the full AES versions.
Ah, allegedly 2 bits off means broken:
<< Broken, in cryptographic circles, means that a means exists
for deducing the encryption key, with certainty, in less than
the 2^n operations (i.e. complete encryption cycles) that a
brute-force attack would require. >>
Therefore, if we lop another 2 bits off, it's twice broken? Or is that
broken-squared? To get down to a computationally reasonable number,
bit-pair by bit-pair, do we need to break it 2^4 times?
Do cryptanalysts really write in such hyper-inflationary terms, leaving
the rest of us to distinguish between English and noise?
> As our attacks are of high
> computational complexity, they do not threaten the practical use of
> AES in any way.
Apparently not. In order to reduce the temptation for bored journos
appealing to News of the World reader expectations, perhaps we can come
up with a way of talking that doesn't trash the ability for the rest of
us to appreciate.
How about rating the bits off the top:
- AES-128 attacked to B1.9
- AES-192 attacked to B2.3
- AES-256 attacked to B1.6
Or? Just lambast whoever misuses the language, like we always do :)