Re: A link to attempt of an attack on AES



Ilmari Karonen wrote:
Mok-Kong Shen wrote:
But what I mean by dynamic keys are all generated by a single key,
so the work of "keeping track" (whatever that means) is the same
as using a single key in the tranditional way. (Please read the post
starting the thead "Dynamic change of encryption keys".)

Then you _are_ using a single key in the "traditional way", you just
have a funny (and probably slow) cipher.

I mentioned that there is a trade-off between processing cost and
desired security.

For some reason, you seem to be assuming that the well tested stock
cipher (such as AES) that you're using as part of your algorithm might
be vulnerable to attacks, but that whatever homebrew method you're
using to generate the keys passed to that cipher cannot be attacked
just as well. I'd ask why on earth you'd assume that, but I suspect
that it has simply never occurred to you that the same methods used to
attack ordinary ciphers can just as well be employed against the kinds
of key expansion schemes you suggest, or even against the combination
of such schemes with other ciphers. There's absolutely nothing
AES-specific about differential or linear cryptanalysis or any of the
other methods people have employed against it with varying (but so far
very limited) success.

I am certainly not the first person to dare to assume that AES could
be vulnerable. But look at the paper cited. It was these authors who
were not quite sure of the absolute vulnerability. (Or do you think
they were publishing nonsense?) As layman I couldn't assert that they
were wrong in having that thought (and I don't think they were wrong
in having that thought. You as expert can do that, but then please
address your critique to them directly not to a layman like me!

In any case, if your key generation method really was more secure than
AES, you should just ditch AES and use the key generation scheme
directly as a stream cipher.

I assumed that attacks of the cited paper (and other attacks published)
could have "certain" (nonzero)chance of success. You certainly could
assume differently, namely all there published attempts of attack were
"absolutely" ineffective. But, if you assume as I do, then the chance
of success with dynamic keys would be enormously less than the case
with a single key, because (1) the material available to break one key
is now only one pair of plaintext/ciphertext instead of the large number
of pairs (assumed available by the methods of attacks) and (2) it would
be economically too costly for the analyst, because, if the message has
n blocks, the total cost is n times the (by itself very high) cost to
break one key.

M. K. Shen
.



Relevant Pages

  • Re: A link to attempt of an attack on AES
    ... make it vulnerable to related key attacks. ... using a single key would mean that then the ... that could evidently be decisive in practice for his success or failure ...
    (sci.crypt)
  • Re: Polymorphic Ciphers
    ... is "good enough" to prevent brute force attacks the phrase "bits are ... true privacy depends on a heck of a lot more than what cipher I choose. ... | most or all commonly known symmetric encryption algorithm designs ... implement as a DPA resistant design [Daemens Noekeon block cipher is ...
    (sci.crypt)
  • Re: SHA1 broken
    ... Show me the proof that Serpent is immune to DC? ... > attacks are being stopped. ... > distinguishes the cipher from a random permutation is an attack. ... Khazad is comparable with cast5 in speed. ...
    (sci.crypt)
  • Re: Beginners Algorithm
    ... attacks than that against this RNG - it's fine for general-purpose use ... If you can get through all of that, you should have a secure cipher ... yourself a competent crypto programmer. ...
    (sci.crypt)
  • Re: Countering chosen-plaintext attacks
    ... If you assume that attacks ... another layer to cipher design ... Those unknown attacks are ... as that may be the case the standard for cipher design is ...
    (sci.crypt)