Re: Weakness in AES found

On Aug 18, 1:09 pm, unruh <un...@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 2011-08-18, Jean-Marc Desperrier <jmd...@xxxxxxxxx> wrote:

Jean-Marc Desperrier wrote:
If doing 2^126 computations is even remotely realistic for you, it's
probably not that big anymore, just around 300 yottabytes.

In other words, 2^126 computations are probably further away from the
computing power we currently have than 300 yottabytes is from the
amount of data we are able to store.

However, I have rethought this since my earlier message: progress on
computing power is much faster than the progress on the availability of
a very large address space that we can access *fast*.

So actually, if I'm sure we'll be able to store 300 yottabytes of data
earlier than we'll be able to make 2^126 computations, I'm not so sure
300 yottabytes of data that is *fast* to access will really come
earlier. The recent trend is for a fast increase in computing power
*when* high locality of data is possible; performance crumbles if that's
not the case.

So it may be that on the day storing 300 yottabytes of data is feasible,
the cost of accessing one element randomly inside it will be higher than
that of encrypting an AES block, and that on the day 300 yottabytes of
data that is fast to access becomes possible, computing power will
already be 4 times faster, so that 2^128 will be doable.

So in the absence of infinitely fast access to an infinitely large
amount of data, this attack might not truly weaken AES.

Of course more powerful attacks probably will be found. But they might
be significant only if they *also* reduce the amount of data required.
From my very layman's reading of the attack, this may require attacks
that are of a completely different class, and whose mere existence is
not obvious from this one.

When you find a tiny crack into which to insert your crowbar, exactly
how the object will fracture is pretty unclear, or even whether it will.
This is a tiny crack. It itself does not weaken AES from what I have
read, but who knows what the appropriate crowbar will do.

One question I have to ask about this is: if this had been written
and not suppressed during the AES contest itself, would a different
cipher have been chosen or blessed? I think so, and maybe this is the
danger in having only one winner. Maybe it's time to take another look
at some of the other possible candidates; after all, it is kind of
foolish to put all the eggs in one basket.

David A. Scott
My Crypto code old version
My Compression code
**TO EMAIL ME drop the roman "five" **
Disclaimer: I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged.
As a famous person once said, "any cryptographic
system is only as strong as its weakest link"