On 6/8/06, Max <[EMAIL PROTECTED]> wrote:
What they need is just to provide an access to their distinguisher in the form of blackbox. To prove its meaningfulness, the distinguisher must show consistent results in distinguishing AES-encrypted data (say, for a fixed plaintext without repeating blocks on their choice) from random data.
I may be stepping into the crossfire here, but on my reading of their web page, they don't claim to be able to do that. They claim to be able to distinguish the low-order monomials formed by AES from a random function up to the PRF round count*. Perhaps it's my myopia, but that seems to be different than coming up with an actual distinguisher for real AES-encrypted data.

It seems that the controversial assumption (that they are uninterested in debating) is that such non-randomness in the low-order monomials implies, is correlated with, is a good indicator of, a (potentially certificational) weakness.

I'm curious what kind of algorithm might be used for coming up with the low-order monomials (indeed, this seems to be the main mystery, yes?). I think I can see how one could generate high-order ones (and reduce their order) by varying inputs in a black-box approach, but my math muscles are horribly developed, and the only way I can think of for generating them from lowest to highest order is to track changes in bit positions from round to round in forward operation, which seems to imply white-box instrumentation. Speculation welcome.

[*] Given some suite of non-randomness checks that don't include anything tailored to the algorithm in question.

--
Scientia Est Potentia -- Eppur Si Muove -- Admire the Artist's Handiwork
Security "guru" for rent or hire - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
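As an added example (editor's illustration, not code from this thread or from the site under discussion), here is how the black-box route Travis sketches works for a single Boolean output bit: the coefficient of any monomial in the algebraic normal form equals the XOR-sum of the function over the inputs where only that monomial's variables vary (Moebius inversion), so low-order monomials can be enumerated from lowest to highest degree with 2^d oracle queries each, no white-box instrumentation needed. A random function has each coefficient set with probability 1/2, which gives the baseline a low-order-monomial test compares against; `toy_f` is a constructed function whose ANF is known by design.

```python
from itertools import combinations, product
from math import comb
from typing import Callable, Dict, List, Sequence, Tuple

BoolFn = Callable[[Sequence[int]], int]


def monomial_coefficient(f: BoolFn, n: int, subset: Tuple[int, ...]) -> int:
    """ANF coefficient of the monomial prod_{i in subset} x_i.

    By Moebius inversion this is the XOR-sum of f over the 2^|subset| inputs
    in which only the variables in `subset` vary (all others fixed to 0).
    Only black-box evaluation of f is required; the cost is 2^degree queries,
    so monomials come out cheapest from lowest to highest order."""
    acc = 0
    for bits in product((0, 1), repeat=len(subset)):
        x = [0] * n
        for i, b in zip(subset, bits):
            x[i] = b
        acc ^= f(x) & 1
    return acc


def low_order_monomials(f: BoolFn, n: int, max_degree: int) -> List[Tuple[int, ...]]:
    """All monomials of degree <= max_degree present in the ANF of f."""
    return [s for d in range(max_degree + 1)
            for s in combinations(range(n), d)
            if monomial_coefficient(f, n, s)]


def degree_profile(f: BoolFn, n: int, max_degree: int) -> Dict[int, Tuple[int, float]]:
    """Per degree d: (monomials present, expected count for a random function).

    A uniformly random Boolean function has each ANF coefficient equal to 1
    with probability 1/2, so a profile far from C(n, d)/2 at low degrees is
    the kind of structure a low-order-monomial test would flag."""
    present = low_order_monomials(f, n, max_degree)
    return {d: (sum(1 for s in present if len(s) == d), comb(n, d) / 2)
            for d in range(max_degree + 1)}


# Constructed toy oracle: 1 + x2 + x0*x1, so its ANF is known by construction.
def toy_f(x: Sequence[int]) -> int:
    return 1 ^ x[2] ^ (x[0] & x[1])
```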
