
Re: [STDS-P1619] Applicability of recent attacks on AES-256 to IEEE 1619 modes



On 2009-Aug-06, at 11:09, David McGrew wrote:

Hi Matt,

On Aug 6, 2009, at 8:55 AM, Matt Ball wrote:

Hi Folks,

I'm sure you've all seen the recent news on cryptographic breaks of AES-256.  Bruce Schneier has some good blog posts that cover these attacks:
So this begs the question:  Are the IEEE P1619.x family of cryptographic modes affected by these results?

As impressive as they are, all of the new results are related-key attacks, and thus would not apply to any use of AES in which independent keys are chosen through some independent random or pseudorandom process.

I concur with David's assessment.

It has long been suspected that a wide variety of block ciphers do not offer solid strong protection against related-key attacks.  Related-key attacks are frequently not part of the threat model motivating block cipher design.  The authors of these results are to be commended for their results showing that related-key attacks may be performed against AES.

I believe the extent of the impact on IEEE 1619 SISWG is likely to be minimal, if anything, at this time.  Obviously, when work on P1619.0a begins (the single AES key schedule variant for XTS), the committee will certainly review the current status of this AES research as part of its due diligence.  But that is likely to be as far as it goes for now.

chongo (Landon Curt Noll) /\oo/\
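The point both replies rest on is that a related-key attack needs key pairs whose difference (e.g. a fixed XOR delta) is known to or chosen by the attacker, and that keys drawn independently from a random or pseudorandom process give it nothing to work with. The example below, added here and not part of the thread or of any IEEE 1619 text, shows the practical difference for the two-key layout XTS-AES uses: Key1 and Key2 drawn fresh from the OS CSPRNG, or derived from one master secret with HKDF (RFC 5869, implemented from the standard library's hmac/hashlib) so that neither half has a usable algebraic relation to the other, contrasted with the anti-pattern of building Key2 from Key1 by a known delta. The HKDF info label `xts-aes-keys`, the 32-byte key size and the master-secret input are assumptions of the example; the RFC 5869 test vector used to check the HKDF code is the published Test Case 1.

```python
import hmac
import hashlib
import os
from typing import Tuple

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).

    An empty salt is equivalent to the RFC's HashLen zero bytes, because HMAC
    zero-pads its key to the block size anyway.
    """
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH().digest_size:
        raise ValueError("requested output length exceeds HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def fresh_xts_keys(key_bytes: int = 32) -> Tuple[bytes, bytes]:
    """Simplest independent choice: two keys straight from the OS CSPRNG.

    This is the 'independent random process' case from the thread: the
    attacker learns nothing about Key2 from Key1 and can choose no relation.
    """
    return os.urandom(key_bytes), os.urandom(key_bytes)


def derive_xts_keys(master_secret: bytes, key_bytes: int = 32) -> Tuple[bytes, bytes]:
    """Derive Key1 || Key2 for XTS-AES from a single master secret via HKDF.

    Both halves come from one PRF output stream under a fixed label, so the
    XOR difference between them is itself pseudorandom and unknown to anyone
    without the master secret. Label and layout are choices made for this
    example, not something the XTS specification prescribes.
    """
    prk = hkdf_extract(b"", master_secret)
    okm = hkdf_expand(prk, b"xts-aes-keys", 2 * key_bytes)
    key1, key2 = okm[:key_bytes], okm[key_bytes:]
    # Local sanity check only: identical halves would collapse XTS to one key.
    if key1 == key2:
        raise ValueError("derived XTS key halves are identical")
    return key1, key2


def xor_difference(k1: bytes, k2: bytes) -> bytes:
    """The relation a related-key attack works with: the XOR delta of two keys."""
    if len(k1) != len(k2):
        raise ValueError("keys must have equal length")
    return bytes(a ^ b for a, b in zip(k1, k2))


def related_key_pair(key1: bytes, delta: bytes) -> Tuple[bytes, bytes]:
    """ANTI-PATTERN for contrast: Key2 = Key1 XOR delta with a fixed, known delta.

    This is exactly the key relation the related-key attacks on AES-256 assume.
    Never derive a second AES key from the first this way.
    """
    return key1, xor_difference(key1, delta)


if __name__ == "__main__":
    # Constructed master secret for demonstration only.
    k1, k2 = derive_xts_keys(bytes(range(32)))
    print("Key1:", k1.hex())
    print("Key2:", k2.hex())
    print("XOR delta of HKDF-derived pair (pseudorandom):", xor_difference(k1, k2).hex())
    r1, r2 = related_key_pair(k1, b"\x01" * 32)
    print("XOR delta of related pair (attacker-known):  ", xor_difference(r1, r2).hex())
```

With the HKDF route a single 64-byte output split in half matches the Key1 || Key2 layout XTS-AES uses for a 512-bit key; the design choice worth noting is that one labelled PRF call produces both halves, so no relation between them is ever chosen by the implementer, which is what takes a related-key model off the table.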