Quoting Jonathan Katz <jk...@cs.umd.edu>:
On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:
Last Thursday, Vincent Rijmen announced a clever new attack on
AES (and KASUMI) in a report posted to the Cryptology ePrint
Archive: Practical-Titled Attack on AES-128 Using Chosen-Text
Err...I read that paper by Rijmen as a bit of a joke. I think he was
poking fun at some of these unrealistic attack models.
Thanks for your email. It is the only comment received so far and is
I've been off the net for a much-needed holiday and was unable to reply
within the time I would have liked. I'm sorry.
I can't speak for him, of course. Only Rijmen can tell and I'm adding
his address in cc.
Yet, I believe his emphasis was on the existence of zero-query attacks
on symmetric encryption primitives -- he calls the attack zero-query
because the adversary does not need to observe the ciphertext that the
encryption oracle would output.
Now, I expect the unusual nature of the attack model might stir up a
lively discussion. My post was soliciting comments in this regard.
Still, I would like to respectfully disagree with regard to the objectives
attributed to the paper, as to me the chosen-text relations model of analysis
appears to be interesting and relevant. There are two scenarios worth
investigating:
The first one is the plausibility and power of the chosen-text
relations model of analysis as presented in his paper. I believe
there might be applications endangered by zero-query attacks.
I claim this might be the case for white-box implementations; and I
could be wrong.
No roll back
The second scenario arises when we consider the avenues of
analysis provided by chosen-text relations if we revoke the
adversary's ability to roll back the encryption. If we do that, we
restore the analysis model to a variant of the DFA, where the
attacker can query both oracles. So, no zero-query, but still
chosen-text relations to be exploited.
In the fault attacks setting, we expect encryption primitives that are
secure under related-key attacks to resist attempts to recover the
secret key by attackers tampering with the stored secret and observing
the outputs of the cryptographic primitive under the modified key
(interesting in this regard is the paper by Bellare and Cash at the
upcoming Crypto on PRFs and PRPs providing RKA-security).
In a similar way, it would be fascinating to have symmetric encryption
primitives secure under related-plaintext attacks (RPA). They would
provide resistance to attackers tampering with interim data, observing
the faulty ciphertext and querying the decryption oracle before engaging
in the key extraction step. (Of course, on the implementation side,
fault tolerance techniques could be employed to protect crypto modules
from attacks exploiting chosen-text relations.)
Alfonso De Gregorio, http://Crypto.lo.gy
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
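An added example, written for this page and not code from the post above or from Rijmen's paper: the closing remark of the message mentions fault tolerance techniques as an implementation-side defence against an attacker who tampers with interim data and observes the faulty ciphertext. The block below wraps a block cipher in a decrypt-and-compare check (one common redundancy countermeasure), so that a fault injected into the intermediate state produces a ciphertext that is never released to the caller. The cipher is a toy 4-round Feistel network with a SHA-256-based round function; it is an assumption standing in for AES so the example runs with the Python standard library only, and it is not secure. The `fault` parameter, `protected_encrypt`, `fault_is_detected` and the sample key and plaintext are all constructed for this illustration.

```python
# Added example (not from the mailing-list post above): a decrypt-and-compare
# fault check around a toy block cipher, with a simulated fault on interim data.
import hashlib

MASK32 = 0xFFFFFFFF


def _round_keys(key: bytes) -> list:
    """Derive four 32-bit round keys from a 16-byte key (toy key schedule)."""
    if len(key) != 16:
        raise ValueError("key must be 16 bytes")
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(4)]


def _f(half: int, rk: bytes) -> int:
    """Toy round function: SHA-256 of (half || round key), truncated to 32 bits."""
    data = half.to_bytes(4, "big") + rk
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt_block(key: bytes, block: bytes, fault=None) -> bytes:
    """Encrypt one 8-byte block with a 4-round Feistel network (toy cipher).

    `fault`, if given, is a (round_index, xor_mask) pair: the mask is XORed
    into the right half of the intermediate state just before that round,
    simulating an attacker tampering with interim data mid-computation.
    """
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for i, rk in enumerate(_round_keys(key)):
        if fault is not None and fault[0] == i:
            right ^= fault[1] & MASK32  # simulated fault on interim data
        left, right = right, left ^ _f(right, rk)
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Invert encrypt_block; this is the redundant verification path."""
    if len(block) != 8:
        raise ValueError("block must be 8 bytes")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return left.to_bytes(4, "big") + right.to_bytes(4, "big")


class FaultDetected(Exception):
    """Raised when the verification path disagrees with the encryption path."""


def protected_encrypt(key: bytes, block: bytes, fault=None) -> bytes:
    """Encrypt, then decrypt the result and compare with the input.

    Any fault that changes the intermediate state changes the ciphertext,
    which then no longer decrypts to the input, so the faulty ciphertext is
    suppressed instead of being handed to the caller (and to an attacker).
    """
    ciphertext = encrypt_block(key, block, fault)
    if decrypt_block(key, ciphertext) != block:
        raise FaultDetected("ciphertext failed verification; output suppressed")
    return ciphertext


def fault_is_detected(key: bytes, block: bytes, fault) -> bool:
    """True if protected_encrypt refuses to output under the given fault."""
    try:
        protected_encrypt(key, block, fault)
    except FaultDetected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    key = bytes(range(16))
    pt = b"ABCDEFGH"
    injected = (2, 0x80000000)  # flip the top bit of the right half before round 2
    print("correct  :", encrypt_block(key, pt).hex())
    print("faulty   :", encrypt_block(key, pt, fault=injected).hex(),
          "(what an unprotected module would emit)")
    print("protected: fault detected =", fault_is_detected(key, pt, injected))
```

The check costs one extra cipher invocation per block and should be treated as a security event when it fires, not as a transient error to retry. It also has a known limit: a second, well-placed fault can skip the comparison itself, which is why hardware designs combine such checks with further countermeasures rather than relying on one of them.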