
Re: [STDS-P1619] Applicability of recent attacks on AES-256 to IEEE 1619 modes



Hi Matt,

On Aug 6, 2009, at 8:55 AM, Matt Ball wrote:

Hi Folks,

I'm sure you've all seen the recent news on cryptographic breaks of AES-256.  Bruce Schneier has some good blog posts that cover these attacks:
So this begs the question:  Are the IEEE P1619.x family of cryptographic modes affected by these results?

As impressive as they are, all of the new results are related-key attacks, and thus would not apply to any use of AES in which independent keys are chosen through some independent random or pseudorandom process.



I believe that the general answer is 'no', but I'd like to hear from some cryptographers who have read the papers more closely to confirm this suspicion.  Let me know your thoughts.

The first result (from May 28, 2009) only applies to a small percentage of keys, and is basically eclipsed by the second result.

The second result (from June 28, 2009) essentially shows that it is possible to recover the full AES-256 key after 2^119 encryption operations with related keys.  In this model, the attacker can choose to encrypt or decrypt with different functions of the original key.  In theory this means that AES-256 is weaker than AES-128, but in practice 2^119 operations is beyond the computation ability of human kind.

The third result (from July 31, 2009) shows that reduced-round AES-256 is broken pretty badly.  However, this result does not apply to the full AES-256 with 14 rounds.

So far SISWG has standardized or is in the process of standardizing the following AES128/256 modes of operation:

  • XTS (XEX with Tweak and Ciphertext stealing)
  • GCM (Galois Counter Mode)
  • CCM (Counter with CBC MAC)
  • CBC-HMAC (Cipher Block Chaining with Hashed Message authentication code)
  • XTS-HMAC
  • EME2
  • XCB


I suspect that none of the modes have any issues with related key attacks, but let me state for the record that GCM and XCB don't have any issues of this sort.

best,

David


--
Thanks!
-Matt

http://www.mavaball.net/
Cell: 303-717-2717
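The condition David states above, that the related-key results do not reach deployments whose keys come from an independent random or pseudorandom process, has a concrete engineering consequence for the XTS mode in Matt's list: XTS needs two AES keys, and they should be drawn independently (or derived from one master secret through a KDF) rather than made simple functions of one another. The following is an added illustration, not code from the thread, from IEEE 1619 or from any of the participants: it generates a master secret from the operating system's CSPRNG and derives the two XTS keys with HKDF (RFC 5869) using Python's standard library. The label strings `xts-key1` and `xts-key2`, the helper names, and the 32-byte key length (AES-256) are assumptions made for this example.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM).

    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): stretch PRK into `length` bytes.

    T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated until long enough.
    """
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF with this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: Extract then Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def generate_master_secret(nbytes: int = 32) -> bytes:
    """Fresh master secret from the OS CSPRNG (independent of any other key)."""
    return os.urandom(nbytes)


def derive_xts_keys(master_secret: bytes, salt: bytes = b"",
                    key_len: int = 32) -> tuple:
    """Derive the two AES keys XTS uses (key1 for data, key2 for the tweak).

    Both keys are separate HKDF outputs under distinct labels (assumed label
    strings), so neither is a simple linear or XOR relation of the other and
    neither is the master secret itself. key_len=32 selects AES-256.
    """
    prk = hkdf_extract(salt, master_secret)
    key1 = hkdf_expand(prk, b"xts-key1", key_len)
    key2 = hkdf_expand(prk, b"xts-key2", key_len)
    return key1, key2


if __name__ == "__main__":
    secret = generate_master_secret()
    k1, k2 = derive_xts_keys(secret)
    print("key1:", k1.hex())
    print("key2:", k2.hex())
```

The known-answer vector from RFC 5869 (test case 1) is a convenient way to confirm the HKDF helpers are correct before trusting the derived keys; the checks below also confirm that derivation is deterministic for a given master secret and that the two XTS keys differ.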