Quoting Jonathan Katz <jk...@cs.umd.edu>:

On Mon, 14 Jun 2010, Alfonso De Gregorio wrote:

The last Thursday, Vincent Rijmen announced a new clever attack on AES (and KASUMI) in a report posted to the Cryptology ePrint Archive: Practical-Titled Attack on AES-128 Using Chosen-Text Relations, http://eprint.iacr.org/2010/337

Err...I read that paper by Rijmen as a bit of a joke. I think he was
poking fun at some of these unrealistic attack models.

Dear Jonathan,

Thanks for your email. It is the only comment received so far and is greatly appreciated! I've been off the net for a much needed holiday and unable to reply within the time I would have liked to. I'm sorry.

I can't speak for him, of course. Only Rijmen can tell and I'm adding his address in cc. Yet, I believe his emphasis was on the existence of zero-query attacks on a symmetric encryption primitives -- he says the attack to be zero-query as the adversary does not need to observe the ciphertext the encryption oracle would output.

Now, I expect the unusual nature of the attack model might stir up a lively discussion. My post was soliciting comments in this regard.

Still, I would like to respectfully disagree wrt the objectives given to the paper, as to me the chosen-text relations model of analysis appears to be interesting and relevant. There are two scenario worth to be investigated:

Zero query
The first one is the plausibility and power of the chosen-text
relations model of analysis as presented in his paper. I believe
there might be applications endangered by zero-query attacks.
I claim this might be the case of white-box implementations; and I could be wrong.

No roll back
The second scenario arise when we consider the avenues of
analysis provided by chosen-text relations if we revoke the
adversary ability to roll back the encryption. If we do that, we
restore the analysis model to a variant of the DFA, where the
attacker can query both oracles. So, no zero-query but still
chosen-text relations to be exploited.

In the fault attacks setting, we expect from encryption primitives secure under related-key attacks resistance to attempts to recover the secret key by attackers tampering with the stored secret and observing the outputs of cryptographic primitive under the modified key (interesting in this regard the paper by Bellare and Cash to the upcoming Crypto on PRFs and PRPs providing RKA-security).

In a similar way, it would be fascinating to have symmetric encryption primitives secure under related plaintext attacks (RPA). They would provide resistance to attackers tampering with interim data, observing faulty ciphertext and querying the decryption oracle, before engaging in the key extraction step. (Of course, from the implementation side, fault tolerance techniques could be employed to protect crypto modules from attacks exploiting chosen-text relations.)

Thanks again.



  Alfonso De Gregorio,  http://Crypto.lo.gy

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to