New AES Attack Documented 236
Posted
by
timothy
from the ponder-don't-panic dept.
from the ponder-don't-panic dept.
avxo writes "Bruce Schneier covers a new cryptanalytic related-key attack on AES that is better than brute force with a complexity of 2^119. According to an e-mail by the authors: 'We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time. We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.'"
Re:Improvement (Score:4, Informative)
erm only a 99.7% improvement.
Re:Complexity (Score:3, Informative)
Re:Complexity. (Score:5, Informative)
AES-128 uses keys which are 128 bits long. That means in order to "break AES" (in order to decrypt something you don't have the key to), all you have to do is try all possible keys of length 128 until you find one that works. That means you would have to try 2^128 different combinations, which is a lot.
What these people have done is found some clever way where you can break AES trying only 2^119 combinations. Effectively this means AES is no better than if it had used 119-bit keys instead of 128-bit keys. Sometimes you'll hear this colloquially as something like "AES has 119 bits of security", referring to how many combinations of keys you have to try before you find the one works.
2^119 is a massively large number. Trying 2^119 combinations is still terribly far outside of the realm of what all of the world's most powerful supercomputers combined could hope to do. This is an attack of theoretical interest, not practical interest.
Re:Complexity. (Score:2, Informative)
Except IYRTFA, the attack only works on AES-192 and AES-256. AES-128 is unaffected, which would seem to imply that, oddly, AES-128 could be stronger than AES-256 and AES-192 in some circumstances.
Re:Complexity. (Score:5, Informative)
Two things:
First, they are talking about AES-256.
Second, I find it useful to think about how much faster that is. In this case, it means it is 2^137 times faster than a pure brute force attack, which certainly seems impressive. Fortunately, as you mentioned, this is still far too difficult to be applied.
Just for fun, google this: 2^119 picoseconds in millenia
Re:Complexity (Score:5, Informative)
Could somebody rephrase that in a way that people like me, who aren't cryptography specialists can understand what they're talking about?
Sure I'll rephrase it for you. "Don't worry."
What? You wanted something deeper without having to know anything? Ok...so AES was thought to require 2^128 time units to brute force. So 2^119 time complexity means essentially that the new algorithm takes 2^119 units of time to complete which is a lot better, and they think it might be able to optimize it down to 2^110 units of time.
What a 'unit of time is' is a computing science hand-wave because it doesn't really matter what it is. When comparing algorithms for large problems you are interested in how it compares relative to other algorithms, not how much absolute time it will take on a Commodore 64 or Intel i7 or whether its programmed in Smalltalk vs C. Those details while important in their own right aren't really relevant to the comparison of the algorithms themselves.
A 2^110 algorithm is significantly better than a 2^119 algorithm for 'large problems' regardless of what we set the unit of time to be, and in turn 2^119 is much better than 2^128.
In practice the unit of time is rooted in how long it takes a computer to do 'an operation'. So it might be milliseconds or nanoseconds, or whatever. And the upshot is that even 2^110 is STILL gazillion years even if its programmed in C on an i7 and every i7 on the planet is contributing to the effort...
Hence... "Don't worry."
Its mathematically very interesting, but for the moment, its nothing to "worry" about.
Re:Complexity. (Score:4, Informative)
Bull.
a) AES is not based on prime numbers, nor is it a public-key cipher. you're thinking RSA or some other public-key cipher. Hence why RSA has to be at least 1024 (and now 2048 and up is recommended) bits long.
b) There's a lot more bull going around here. AES256 was believed to require 2^128 operations to bruteforce, not 2^256. Thus any question of 256 -> 119 is bull. It's 128 -> 119.
c) Brute-forcing a 64bit RC5 key took distributed.net years (and note that that was with the benefit of Moore's [so called] Law). Mind you, that actually required searching a 64bit keyspace.
Re:Complexity. (Score:2, Informative)
I believe the probability being halved has something to do with the birthday paradox. It's been a time where I could explain this better; if you wish to find out just search for it on Google... This page seems to have a good explanation too:
http://betterexplained.com/articles/understanding-the-birthday-paradox/ [betterexplained.com]
Re:Complexity (Score:5, Informative)
Interesting to note is that AES-128 is immune to this attack - it's now the strongest variant of AES. Everybody (like me) who thought the 256-bit and 192-bit were a waste of time now has a reason to be smug about it.
Reason: Both AES-192 and AES-256 are just AES-128 internally but they mess around with the key data between each loop of the encryption process. The new attack only works on the "messing around" part of the process so AES-128 is unaffected.
Re:2^119 is... (Score:2, Informative)
No, EFF's Deep Crack [wikipedia.org] brute-forced 2^56 - a fair way from 2^64.
Re:Complexity. (Score:3, Informative)
Re:Yawn (Score:5, Informative)
Given that the new theory lowers the time to break it with about 99.7% if it before took 1 million years it now only takes 3000 years.
Remember for everý less bit it takes to decrypt - it halves the time it takes to break a cipher.
Re:Complexity. (Score:3, Informative)
Google says:
2.10607966 × 10^13 millenia -- which equals about 21,000,000 billion years
With the new attack the figure is 2^110.5 trys, which is
(2^110.5) picoseconds = 5.81727815 × 10^10 millenia
a mere 58,000 billion years.
Looking at it another way, 119 - 110.5 = 8.5, which is the reduction of the exponent, giving 2^8.5 = 362. So knocking off 8.5 bits reduces the amount of time+effort by that ratio.
"Picosecond" is the assumed amount of time it takes for one attempt here, which I assume is reasonable given a massively-parallel attack machine.
Still, 58 trillion years...
Re:Complexity. (Score:1, Informative)
CPU power doubles about every 18 months (Moores Law)
Moore's Law never claimed this.
Re:Quantum Computers (Score:4, Informative)
The only advantage of QCs in breaking AES is that Grover's Algorithm can be applied for random guessing of the encryption key. AES-256 has 2^256 possible encryption keys. It takes a classical computer an average of n/2 guesses to find the right key, or 2^255 operations. However a QC running Grover's Algorithm does it in an average of approx sqrt(n) "guesses." This means that it takes about 2^128 operations to get the AES-256 key using a quantum computer.
As previous posters have mentioned, 2^128 is still far out of our reach. And to subvert QCs for this type of problem, all we have to do is double our key length to get the same security. Perhaps if we find a way to combine Grover's Algorithm with this new AES vulnerability, we can get it down to 2^60 to 2^64, but that is still extremely prohibitive. Additionally, that's a big "if," since Grover's Algorithm is intended for pure-guessing problems.
this a RELATED-KEY attack (Score:5, Informative)
The usual threat model for a cipher is either a "chosen plaintext attack" (CPA) or a "chosen ciphertext attack" (CCA). In both of those, you have a lot of plaintext-ciphertext pairs all encrypted under the same key, and your job is to use that info against the cipher. Not necessarily to actually compute the key (which would totally destroy the cipher) but even to be able to infer anything about it statistically (for example, to have a better than random chance of guessing whether a new plaintext/ciphertext pair was encrypted with the same key).
This attack is a related-key attack, which traditionally means that you get to see the same plaintext encrypted under enormous numbers (like 2^119 in this case) of different but related keys, rather than under the same key (or a "small" number of keys like a few trillion). This is a threat model that most ciphers aren't designed against and it's instead countered by designing the application to not rely on it. For example, don't use the cipher as a hash function by using the plaintext as a key and encrypting some constant. Properly designed crypto applications don't let attackers access the keys, and they generate their keys randomly rather than letting them be related. I don't think related-key attack resistance was part of the specification given to entrants of the AES contest, and IIRC the AES standard doesn't claim such resistance.
Nonetheless, the designers of Rijndael (the cipher that is the basis of AES) designed Rijndael to be "ideal", which among other things Rijndael was supposed resist related-key attacks, which was above and beyond the AES requirements.
This new discovery finds that the AES cipher in fact does not meet Rijndael's design goals. Rijndael's design goals, however, exceeded the requirements stated in the AES standardization process, and any applications using AES are supposed to only use the characteristics of AES stated in the standard. So, even if this attack were of low enough complexity to be practical, it STILL should not affect valid AES applications, unless they are relying on characteristics that AES was never promised to have.
Mod parent way the fuck up (Score:4, Informative)
Almost everyone here seems to be missing the bit in the summary that mentions that it's time and data complexity. It's not nearly as bad as 2^119 time and some tiny data.
Re:Complexity. (Score:2, Informative)
Re:Quantum Computers (Score:3, Informative)
There are several methods of public-key encryption which are secure against quantum computers. Try Lamport Signatures for a start:
http://en.wikipedia.org/wiki/Lamport_signature [wikipedia.org]
MOD PARENT DOWN (Score:1, Informative)
Parent is wrong. This is a related key attack and not one of the standard known plaintext attacks. AES-128 is supposed to have a complexity of 2^64 against those (please google before talking about the obvious "this is just for hashes"). So AES-256 is still better than AES-128.