[cryptography] Single-key key recovery for full AES

Kevin W. Wall kevin.w.wall at gmail.com
Sat Aug 20 13:23:07 EDT 2011

On Sat, Aug 20, 2011 at 12:12 PM, Ian G <iang at iang.org> wrote:
> Curiously, AES is now being reported as "broken."
> http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/

Well, in the headlines they claim this, but if you read the article,
to their credit, they quote Nate Lawson as saying:

    “However, it doesn't compromise AES in any practical way.”

> Yet, I'm sure I read earlier that the recovery attack was a few bits short
> of the brute force attack.  Here it is:
> On 18/08/11 1:52 AM, Jack Lloyd wrote:
>> http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf
> ...
>>   - The first key recovery attack on the full AES-128 with computational
>> complexity 2^126.1
>>   - The first key recovery attack on the full AES-192 with computational
>> complexity 2^189.7
>>   - The first key recovery attack on the full AES-256 with computational
>> complexity 2^254.4
>>   - Attacks with lower complexity on the reduced-round versions of AES not
>> considered before,
>>    including an attack on 8-round AES-128 with complexity 2^124.9
>>   - Preimage attacks on compression functions based on the full AES
>> versions.
> Ah, allegedly 2 bits off means broken:

They claim "5 times as fast as brute force", so, yes, roughly 2 bits.

And besides, if the editors had titled the article
"AES crypto barely broken", who would have read it,
except perhaps us geeks? At least they didn't claim
it is the end of the crypto world as we know it. (That
obviously has to wait until the aliens bring the NSA
quantum computers. ;-)

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
