Re: A link to attempt of an attack on AES



Ilmari Karonen wrote:
Mok-Kong Shen wrote:
But what I mean by dynamic keys are all generated by a single key,
so the work of "keeping track" (whatever that means) is the same
as using a single key in the traditional way. (Please read the post
starting the thread "Dynamic change of encryption keys".)

Then you _are_ using a single key in the "traditional way", you just
have a funny (and probably slow) cipher.

I mentioned that there is a trade-off between processing cost and
desired security.

For some reason, you seem to be assuming that the well tested stock
cipher (such as AES) that you're using as part of your algorithm might
be vulnerable to attacks, but that whatever homebrew method you're
using to generate the keys passed to that cipher cannot be attacked
just as well. I'd ask why on earth you'd assume that, but I suspect
that it has simply never occurred to you that the same methods used to
attack ordinary ciphers can just as well be employed against the kinds
of key expansion schemes you suggest, or even against the combination
of such schemes with other ciphers. There's absolutely nothing
AES-specific about differential or linear cryptanalysis or any of the
other methods people have employed against it with varying (but so far
very limited) success.

I am certainly not the first person to dare to assume that AES could
be vulnerable. But look at the paper cited. It was these authors who
were not quite sure of the absolute vulnerability. (Or do you think
they were publishing nonsense?) As a layman I couldn't assert that they
were wrong in having that thought (and I don't think they were wrong
in having that thought). You as expert can do that, but then please
address your critique to them directly, not to a layman like me!

In any case, if your key generation method really was more secure than
AES, you should just ditch AES and use the key generation scheme
directly as a stream cipher.

I assumed that attacks of the cited paper (and other attacks published)
could have a "certain" (nonzero) chance of success. You certainly could
assume differently, namely that all the published attempts of attack were
"absolutely" ineffective. But, if you assume as I do, then the chance
of success with dynamic keys would be enormously less than the case
with a single key, because (1) the material available to break one key
is now only one pair of plaintext/ciphertext instead of the large number
of pairs (assumed available by the methods of attacks) and (2) it would
be economically too costly for the analyst, because, if the message has
n blocks, the total cost is n times the (by itself very high) cost to
break one key.

M. K. Shen
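The dynamic-key construction the two posters are arguing about, written out as an added example (not code from either of them): block i is enciphered with AES under a key derived from the single master key, so the receiver needs nothing beyond that master key, and the whole construction is one deterministic function of that key. HMAC-SHA256 as the derivation function and the 16-byte demo key are assumptions; the thread names neither.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// blockKey derives the AES-128 key for block i from the single master key.
// HMAC-SHA256 truncated to 16 bytes is an assumption: the thread only says
// that every block key is generated from one key, not how.
func blockKey(master []byte, i uint64) []byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], i)
	mac := hmac.New(sha256.New, master)
	mac.Write(ctr[:])
	return mac.Sum(nil)[:16]
}

// perBlock runs AES over each 16-byte block under that block's own derived key.
// A fresh key schedule per block is the processing cost the thread trades off.
// Input must be a multiple of the block size; padding is out of scope here.
func perBlock(master, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	out := make([]byte, len(in))
	for i := 0; i*aes.BlockSize < len(in); i++ {
		c, err := aes.NewCipher(blockKey(master, uint64(i)))
		if err != nil {
			return nil, err
		}
		lo, hi := i*aes.BlockSize, (i+1)*aes.BlockSize
		if encrypt {
			c.Encrypt(out[lo:hi], in[lo:hi])
		} else {
			c.Decrypt(out[lo:hi], in[lo:hi])
		}
	}
	return out, nil
}

func encryptDynamic(master, pt []byte) ([]byte, error) { return perBlock(master, pt, true) }
func decryptDynamic(master, ct []byte) ([]byte, error) { return perBlock(master, ct, false) }

func main() {
	master := []byte("0123456789abcdef")                 // constructed demo key, not a real secret
	pt := bytes.Repeat([]byte("SAME BLOCK TEXT!"), 2) // two identical plaintext blocks
	ct, _ := encryptDynamic(master, pt)
	fmt.Println("identical blocks differ:", !bytes.Equal(ct[:16], ct[16:]))
	rt, _ := decryptDynamic(master, ct) // only the master key is needed to undo it
	fmt.Println("round trip ok:", bytes.Equal(rt, pt))
}
```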