New Attack on AES (schneier.com)
33 points by gthank 2946 days ago | 11 comments

This is interesting news, but even if your software uses AES, there's nothing actionable in it for you.

You are 10,000x more likely to get busted up by a flaw in how you use a cipher than you are by a flaw in what your cipher is. You could use TEA, and it would still be overwhelmingly likely that your code would fail before the algorithm did.

In fact, anything you did to react to news like this would probably make you less secure. That's because AES has overwhelming library support, and whatever "stronger" cipher you might think of adopting won't. That means you'll have more DIY code, and more poorly reviewed library code, all with a bunch of implementation flaws lurking under the surface.

This is good advice, but don't let it talk you out of upgrading a library. System administration is still actionable in these cases.

Agreed. Moreover, if your software requires a source code change because something happened in cryptography research, you've probably done something wrong.

Maybe I'm not interpreting the results correctly, but does this mean that published attacks place AES-256 in a weaker position than AES-128?

2^119 certainly seems less than 2^128.

I skimmed the paper and they don't mention AES-128, and I assume that if it worked on AES-128 they would have mentioned it, but they don't. So maybe. Probably would need to email the authors and ask.

They describe that the attack depends on "minimizing the number of active S-boxes in the key-schedule" and that AES-192 is harder to attack than AES-256 because the key schedule has "better diffusion".

I'm guessing that they don't mention AES-128 because the attack simply doesn't work against the 128 bit key schedule for reasons related to the increased difficulty of attacking AES-192 with this technique.

If I'm reading the paper right, this is largely an attack on the AES key schedule -- so as far as this attack is concerned, AES-256 might indeed be weaker than AES-192.

Remember that the complexity to brute force AES-128 is 2^64 due to the birthday paradox. The complexity to break AES-256 is 2^119 and thus it is still harder to break than AES-128.

I'm not sure how you could use the birthday paradox to brute force a block cipher. You have a message you want to decrypt, and you don't know the key. A brute force attack is trying all the possible keys (2^128 for AES-128) and on average you will find the right one with 2^127 guesses.
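Worked out here as an added note, not part of any comment in the thread, the two figures in this exchange come from different models. If the key is uniform over $N = 2^k$ candidates and the attacker tries keys one by one until the known message decrypts correctly, the expected number of trials is

$$E[T] = \sum_{i=1}^{N} \frac{i}{N} = \frac{N+1}{2} \approx 2^{k-1},$$

which gives about $2^{127}$ for AES-128 on average, with $2^{128}$ in the worst case. The birthday bound is a collision statement rather than a key-search statement: drawing $q$ values uniformly from a set of size $N$, the probability that two of them coincide is about

$$P(\text{collision}) \approx 1 - e^{-q^2/(2N)},$$

which reaches roughly $1/2$ near $q \approx \sqrt{2N \ln 2} \approx 2^{64}$ when $N = 2^{128}$. That $2^{64}$ governs how many blocks can safely be processed under one key before ciphertext-block collisions become likely (a limit set by the 128-bit block size, shared by every AES key length), not how many key guesses are needed to recover a 128-bit key. On the key-recovery scale, the $2^{119}$ quoted for AES-256 is compared against $2^{128}$ (or $2^{127}$ on average) for exhaustive search of AES-128.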

I'm pretty sure the cryptanalysis is equally applicable. The summary (and maybe the paper) don't mention AES-128, but the attack uses "boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers". This might affect AES-256 more than AES-128 because there are more chances for local collisions, but it will still be stronger.

Please ignore previous post. The new attack seems specific to larger AES keys, and doesn't affect AES-128 much, if at all.
