[STDS-P1619] Applicability of recent attacks on AES-256 to IEEE 1619 modes
Hi Folks,
I'm sure you've all seen the recent news on cryptographic breaks of AES-256. Bruce Schneier has some good blog posts that cover these attacks:
- Biryukov, Khovratovich, and Nikolić, Distinguisher and Related-Key Attack on the Full AES-256, May 28, 2009
- Biryukov and Khovratovich, Related-key Cryptanalysis of the Full AES-192 and AES-256, June 28, 2009 (blog: http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html)
- Biryukov, Dunkelman, Keller, Khovratovich, and Shamir, Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds, July 30, 2009 (blog: http://www.schneier.com/blog/archives/2009/07/another_new_aes.html)
So this begs the question: Are the IEEE P1619.x family of cryptographic modes affected by these results?
I believe that the general answer is 'no', but I'd like to hear from some cryptographers who have read the papers more closely to confirm this suspicion. Let me know your thoughts.
The first result (from May 28, 2009) only applies to a small percentage of keys, and is basically eclipsed by the second result.
The second result (from June 28, 2009) essentially shows that it is possible to recover the full AES-256 key after 2^119 encryption operations with related keys. In this model, the attacker can choose to encrypt or decrypt with different functions of the original key. In theory this means that AES-256 is weaker than AES-128, but in practice 2^119 operations is beyond the computation ability of humankind.
The third result (from July 31, 2009) shows that reduced-round AES-256 is broken pretty badly. However, this result does not apply to the full AES-256 with 14 rounds.
So far SISWG has standardized or is in the process of standardizing the following AES-128/256 modes of operation:
- XTS (XEX with Tweak and Ciphertext stealing)
- GCM (Galois Counter Mode)
- CCM (Counter with CBC MAC)
- CBC-HMAC (Cipher Block Chaining with Hashed Message Authentication Code)
- XTS-HMAC
- EME2
- XCB
--
Thanks!
-Matt
http://www.mavaball.net/
Cell: 303-717-2717