Over the past couple of months, there have been two new cryptanalysis papers on AES. The attacks presented in the papers are not practical — they’re far too complex, they’re related-key attacks, and they’re against larger-key versions and not the 128-bit version that most implementations use — but they are impressive pieces of work all the same.
This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is much more devastating. It is a completely practical attack against ten-round AES-256:
[Editor Comment] Why is this information important? Certainly the fact that AES encryption is used at all points of the chain, makes it a valid area of interest.
But, is it merely FUD at this point? For the daily user, this info is nothing to lose sleep over. AES is not broken. Someone can’t open an AES encrypted movie at this point. But, it points out that rust and black-hats never sleep, and neither should white-hats. The library of a studio is theirs to protect for its owner for many years, if not many decades. This is pointing out that what seemed unthinkable not too many years ago is stumbling into the realm of possibility now.
In the article, Mr. Schneier makes recommendations about how to make better choises. It would be good for the powers that be to re-examine their choices and let everyone know that everything is fine. [End Editor Comment]
From Crypto-Gram: August 15, 2009 Anyone interested and capable of reading this blog should be subscribing to Crypto-Gram
Abstract. AES is the best known and most widely used block cipher. Its three versions (AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192 bits and 256 bits) and in their number of rounds (10, 12, and 14, respectively). In the case of AES-128, there is no known attack which is faster than the 2^128 complexity of exhaustive search. However, AES-192 and AES-256 were recently shown to be breakable by attacks which require 2^176 and 2^119 time, respectively. While these complexities are much faster than exhaustive search, they are completely non-practical, and do not seem to pose any real threat to the security of AES-based systems.
In this paper we describe several attacks which can break with practical complexity variants of AES-256 whose number of rounds are comparable to that of AES-128. One of our attacks uses only two related keys and 2^39^ time to recover the complete 256-bit key of a 9-round version of AES-256 (the best previous attack on this variant required 4 related keys and 2^120 time). Another attack can break a 10 round version of AES-256 in 2^45 time, but it uses a stronger type of related subkey attack (the best previous attack on this variant required 64 related keys and 2^172 time).
They also describe an attack against 11-round AES-256 that requires 2^70 time — almost practical.
[Editor] The balance of the article is just as important as the above, explaining how critical this is and how it can be mitigated. It also includes references to the original work.
Read at: From Crypto-Gram: August 15, 2009