Re: Status of attacks on AES?

2006-06-12 Thread Travis H.

On 6/8/06, Max [EMAIL PROTECTED] wrote:

What they need is just to provide access to their distinguisher in
the form of blackbox.
To prove its meaningfulness, the distinguisher must show consistent
results in distinguishing AES-encrypted data (say, for a fixed
plaintext without repeating blocks on their choice) from random data.


I may be stepping into the crossfire here, but on my reading of their
web page, they don't claim to be able to do that.  They claim to be
able to distinguish the low-order monomials formed by AES from a
random function up to the PRF round count*.  Perhaps it's my myopia,
but that seems to be different than coming up with an actual
distinguisher for real AES-encrypted data.  It seems that the
controversial assumption (that they are uninterested in debating) is
that such non-randomness in the low-order monomials implies, is
correlated with, is a good indicator of, a (potentially
certificational) weakness.

I'm curious what kind of algorithm might be used for coming up with
the low-order monomials (indeed, this seems to be the main mystery,
yes?).  I think I can see how one could generate high-order ones (and
reducing their order) by varying inputs in a black-box approach, but
my math muscles are horribly developed, and the only way I can think
of for generating them from lowest to highest order is to track
changes in bit positions from round to round in forward operation,
which seems to imply white-box instrumentation.  Speculation welcome.

[*] Given some suite of non-randomness checks that don't include
anything tailored to the algorithm in question.
--
Scientia Est Potentia -- Eppur Si Muove -- Admire the Artist's Handiwork
Security guru for rent or hire - http://www.lightconsulting.com/~travis/ --
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Status of attacks on AES?

2006-06-09 Thread Max

On 6/8/06, Steven M. Bellovin [EMAIL PROTECTED] wrote:


You say you have a method to evaluate ciphers.  Without full details, no
one can form their own judgment if it's valid or not.  (My proposal
clearly isn't valid.)  You say you've evaluated AES and other ciphers.
Without full details, we don't know if your evaluation is correct.


I think they can prove their evaluation without publishing all the details.
What they need is just to provide access to their distinguisher in
the form of blackbox.
To prove its meaningfulness, the distinguisher must show consistent
results in distinguishing AES-encrypted data (say, for a fixed
plaintext without repeating blocks on their choice) from random data.

Max



Re: Status of attacks on AES?

2006-06-08 Thread Steven M. Bellovin
On Wed, 7 Jun 2006 15:02:35 -0500, Marcos el Ruptor
[EMAIL PROTECTED] wrote:

  Right. But can you explain *why* you strongly believe in it?
 
 In the last 10 years it never failed to tell the difference between good and 
 bad ciphers. The only thing that makes it controversial is its ability to 
 detect flaws in ciphers believed to be strong simply because no attacks 
 against them are found yet.

I shouldn't pursue this, but I will.  This is still proof by blatant
assertion.  It isn't controversial because it's not even worth thinking
about.  You've claimed that (a) you have a powerful but secret method for
analyzing ciphers, and (b) AES fails your tests.  That's nice.  Suppose I
said that when I calculated SHA-512 of the pdf version of the AES standard
mod 257 and found that it was prime (it's 5, if my script is correct), and
therefore AES was insecure. You'd laugh at me, and rightly so.

You say you have a method to evaluate ciphers.  Without full details, no
one can form their own judgment if it's valid or not.  (My proposal
clearly isn't valid.)  You say you've evaluated AES and other ciphers.
Without full details, we don't know if your evaluation is correct.

By contrast, see the controversy over the XSL attack on AES.  (The
Wikipedia article, http://en.wikipedia.org/wiki/XSL_attack, is a good
summary.)  There are claims and counterclaims, but everything is public.
Note in particular Coppersmith's claim that Courtois and Pieprzyk
overcounted the number of linearly independent equations -- their basic
method may or may not be correct -- Coppersmith himself says that the
method has some merit, and is worth investigating -- but they apparently
applied it incorrectly.

You should also explain why you're keeping the details secret.  The market
for new block ciphers is tiny.  No credible vendor is going to rely on a
cipher evaluated by an unproven technique.  (For that matter, the
near-universal consensus in the open community is that proprietary ciphers are
generally worthless.)

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



RE: Status of attacks on AES?

2006-06-07 Thread Whyte, William

 Good, bad, right, wrong, correct, incorrect, meaningful, meaningless... Who 
 knows? Don't ask us. We are simply trying to contribute something new that 
 we strongly believe in

Right. But can you explain *why* you strongly believe in it?

William



Re: Status of attacks on AES?

2006-06-06 Thread Steven M. Bellovin
On Sun, 4 Jun 2006 16:52:38 -0500, Marcos el Ruptor
[EMAIL PROTECTED] wrote:


 
 http://defectoscopy.com/forum/viewtopic.php?t=3
 
 http://defectoscopy.com/results.html
 and
 http://defectoscopy.com/background.html
 
Are there any peer-reviewed descriptions of your technique?  Right now,
all that site seems to have -- and forgive me if I've missed a link --
is a set of simple assertions about various ciphers, plus a fairly vague
background page.  Put another way, and I hate to be this blunt, is there
any reason to think your results are correct and/or meaningful?

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



RE: Status of attacks on AES?

2006-06-06 Thread Whyte, William

 Isn't what you are referring to called secure number of rounds? In other
 words the number of rounds after which no known attack exists that can break
 the cipher faster than brute-forcing the key?
 
 It looks like I have no choice but to invent a new term, PRF rounds - the
 number of rounds after which each function that defines the value of each
 bit of the block/state/output is a pseudo-random function (PRF) of all the
 bits of the block/state/key/input, in other words a function
 indistinguishable from random by any existing general purpose randomness
tests. Of course dedicated randomness tests exploiting the cipher structure
 and utilising a significant amount of computational resources could be
 effective in distinguishing a larger number of rounds from random, but
 that's in the area of the secure number of rounds research.

Can you briefly explain how you determine the PRF rounds value?

William



Re: Status of attacks on AES?

2006-06-06 Thread Marcos el Ruptor

Can you briefly explain how you determine the PRF rounds value?

William


Your question belongs in our forums - 
http://defectoscopy.com/forum/viewforum.php?f=3 where it's already being 
discussed.


Ruptor 


[Moderator's note: no, actually, if you're going to mention it here,
you had better be prepared to explain and defend it here,
too. --Perry]


Re: Status of attacks on AES?

2006-06-04 Thread Marcos el Ruptor

I skimmed this.  The start of the article says that after 3 rounds AES
achieves perfect diffusion?!


1. It's complete diffusion, not perfect diffusion. Perfect diffusion is
a property meaning something completely different.

2. My post incorrectly stated that cryptographers believed that the AES
achieved complete diffusion after 3 rounds. In fact, in Rijndael complete
diffusion (every bit influences every bit in the block or state) is achieved
by the end of the second round. I have corrected the post.


A simple square attack (that I teach in class in about 60 mins) recovers
the key of 4-round AES with 256 chosen-plaintexts.  The six-round attack
isn't too much harder.


Isn't what you are referring to called secure number of rounds? In other
words the number of rounds after which no known attack exists that can break
the cipher faster than brute-forcing the key?

It looks like I have no choice but to invent a new term, PRF rounds - the
number of rounds after which each function that defines the value of each
bit of the block/state/output is a pseudo-random function (PRF) of all the
bits of the block/state/key/input, in other words a function
indistinguishable from random by any existing general purpose randomness
tests. Of course dedicated randomness tests exploiting the cipher structure
and utilising a significant amount of computational resources could be
effective in distinguishing a larger number of rounds from random, but
that's in the area of the secure number of rounds research.

PRF rounds is usually larger than the complete diffusion rounds. For
most good ciphers it's usually somewhere between the complete diffusion
rounds and the secure rounds, but for some ciphers it's either way over
the secure rounds or it never happens at all (LILI, KeeLoq, Trivium, etc).
Some ciphers maintain sparsity of their functions or their
distinguishability from random even if iterated perpetually.

I have corrected all the articles:

http://defectoscopy.com/forum/viewtopic.php?t=3

http://defectoscopy.com/results.html
and
http://defectoscopy.com/background.html

Ruptor




Re: Status of attacks on AES?

2006-05-13 Thread Max

On 5/3/06, Joachim Strombergson [EMAIL PROTECTED] wrote:


Just out of curiosity I tried to Google around for recent papers on
attacks against AES/Rijndael. I found the usual suspects with XSL
attacks and DJBs timing attack. But what is the current status of
attacks, anything new and exciting?


It's worth looking at Nicolas T. Courtois' page: http://www.cryptosystem.net/aes/

Max



Re: Status of attacks on AES?

2006-05-11 Thread Taral

On 5/10/06, John R. Black [EMAIL PROTECTED] wrote:

I skimmed this.  The start of the article says that after 3 rounds AES
achieves perfect diffusion?!


No, it says their old ASD could not distinguish encrypted data from
random after 3 rounds.

--
Taral [EMAIL PROTECTED]
You can't prove anything.
   -- Gödel's Incompetence Theorem



Re: Status of attacks on AES?

2006-05-11 Thread Marcos el Ruptor
On Wed, 10 May 2006 10:01:57 -0600, John R. Black wrote

 On Thu, May 04, 2006 at 10:30:40AM -0500, Marcos el Ruptor wrote:
  
  http://defectoscopy.com/forum/viewtopic.php?t=3
  
  Expect new attacks soon enough.
  
 I skimmed this.  The start of the article says that after 3 rounds 
 AES achieves perfect diffusion?!

It doesn't say that. Obviously you didn't read the article. It says that the 
current version of our general purpose automated black-box tests can easily 
distinguish 4 rounds of the AES from random and it says that *if* the AES 
achieved complete diffusion [in the context of automated cryptanalysis] in 3 
rounds [as Whirlpool does for example], then maybe 10 rounds could suffice 
against most attacks although we would advise 12. But with 5 rounds required 
to pass our tests we have serious reasons to believe that the AES will be 
broken in the near future and that at least 20 rounds are required for it to 
be secure.

Ruptor



Re: Status of attacks on AES?

2006-05-11 Thread John R. Black
 On 5/10/06, John R. Black [EMAIL PROTECTED] wrote:
 I skimmed this.  The start of the article says that after 3 rounds AES
 achieves perfect diffusion?!
 
 No, it says their old ASD could not distinguish encrypted data from
 random after 3 rounds.
 
 -- 
 Taral [EMAIL PROTECTED]
 You can't prove anything.
-- Gödel's Incompetence Theorem

- End forwarded message -


I was referring to this statement from the article:

Data inputs with a single-bit difference spread over the entire data
block or key and encrypted with the AES cannot be distinguished from
random after more than 2 rounds, which made many cryptographers
believe for many years that 3 rounds of the AES achieve complete
diffusion.

I don't think any cryptographer believed for 10 seconds that AES achieved
complete diffusion after three rounds if that means it cannot be
distinguished from random.  There is not only a distinguishing attack on
_FOUR_ rounds of AES, but a key-recovery attack.  And it was given in the
Rijndael spec, so certainly was known before the AES was even named.



Re: Status of attacks on AES?

2006-05-10 Thread John R. Black
On Thu, May 04, 2006 at 10:30:40AM -0500, Marcos el Ruptor wrote:
 
 http://defectoscopy.com/forum/viewtopic.php?t=3
 
 Expect new attacks soon enough.
 
I skimmed this.  The start of the article says that after 3 rounds AES
achieves perfect diffusion?!

A simple square attack (that I teach in class in about 60 mins) recovers 
the key of 4-round AES with 256 chosen-plaintexts.  The six-round attack
isn't too much harder.

Square (the cipher that preceded Rijndael and is very similar) was 8 rounds
to get past the 6-round attack.  During the AES vetting process they went
to 10 rounds for extra assurance (as much as anyone gets assurances from
the black art of blockcipher design).

john//

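Two technical claims in this exchange can be checked directly rather than argued: Black's point that a Square attack recovers the key of 4-round AES from 256 chosen plaintexts (a 3-round distinguisher plus one-byte guesses of the last round key), and Ruptor's statement that Rijndael reaches complete diffusion, every input bit influencing every output bit, by the end of the second full round. The 3-round integral property is also exactly the kind of black-box distinguisher Max asks for later in the thread. The Python below is an added example written for this page; it is not code from any poster or from defectoscopy.com. It contains a round-reduced AES-128 (S-box built with the standard p*q == 1 walk of GF(2^8)*, checked against the FIPS-197 test vector), a Lambda-set distinguisher, the Square attack on 4 rounds, and a measurement of how many output bits one input bit can influence per round. All function names are my own. Rounds are counted as full rounds (MixColumns included) for the diffusion check, and with the spec's MixColumns-free final round everywhere else.

```python
"""Round-reduced AES-128 plus three checks from this thread: a 3-round integral
(Lambda-set) distinguisher, the Square attack recovering the last round key of
4-round AES, and a diffusion measurement.  Table-driven, not constant-time."""
import os
from functools import reduce
from operator import xor

def _xtime(b):  # multiply by x in GF(2^8)
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _build_sbox():  # walk GF(2^8)* keeping p * q == 1, then apply the affine map
    sbox = [0x63] + [0] * 255  # S(0) = 0x63 since 0 has no inverse
    p = q = 1
    for _ in range(255):  # 3 generates GF(2^8)*, so p visits every nonzero value
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for sh in (1, 2, 4):  # q /= 3, keeps q == p^-1
            q ^= (q << sh) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # q ^ rotl(q, 1..4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
    return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key, rounds):
    """AES-128 key schedule: rounds + 1 round keys of 16 bytes (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def _mix_columns(s):  # b_i = 2*a_i + 3*a_{i+1} + a_{i+2} + a_{i+3} per column
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out

def encrypt(pt, round_keys, rounds, mix_last=False):
    """`rounds` AES rounds; state byte i is row i % 4 of column i // 4.
    mix_last=False omits MixColumns in the final round, as the spec does."""
    s = [a ^ b for a, b in zip(pt, round_keys[0])]
    for rnd in range(1, rounds + 1):
        s = [SBOX[b] for b in s]  # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < rounds or mix_last:
            s = _mix_columns(s)
        s = [a ^ b for a, b in zip(s, round_keys[rnd])]  # AddRoundKey
    return s

def lambda_set(active=0):
    """256 plaintexts: byte `active` takes every value, the others stay constant."""
    base = list(os.urandom(16))
    return [base[:active] + [v] + base[active + 1:] for v in range(256)]

def lambda_set_xor(round_keys, rounds):
    """XOR of all 256 ciphertexts of one Lambda-set: all-zero through 3 rounds."""
    acc = [0] * 16
    for pt in lambda_set():
        acc = [a ^ b for a, b in zip(acc, encrypt(pt, round_keys, rounds))]
    return acc

def square_attack(round_keys, n_sets=4):
    """Recover round key 4 of 4-round AES-128 from up to n_sets Lambda-sets."""
    sets = [[encrypt(pt, round_keys, 4) for pt in lambda_set()] for _ in range(n_sets)]
    key = []
    for pos in range(16):
        cands = list(range(256))
        for cts in sets:  # a wrong guess survives one set with probability 1/256
            cands = [g for g in cands
                     if reduce(xor, (INV_SBOX[ct[pos] ^ g] for ct in cts), 0) == 0]
            if len(cands) == 1:
                break
        key.append(cands[0])  # the true key byte always restores the zero XOR
    return key

def diffusion_bits(round_keys, rounds, samples=32):
    """(min, max) over the 128 input bits of how many output bits one input bit
    can change after `rounds` full rounds (MixColumns kept in the last one)."""
    counts = []
    for bit in range(128):
        mask = [0] * 16
        for _ in range(samples):
            p1 = list(os.urandom(16))
            p2 = [b ^ (1 << bit % 8 if i == bit // 8 else 0) for i, b in enumerate(p1)]
            c1, c2 = (encrypt(p, round_keys, rounds, mix_last=True) for p in (p1, p2))
            mask = [m | (a ^ b) for m, a, b in zip(mask, c1, c2)]
        counts.append(sum(bin(m).count("1") for m in mask))
    return min(counts), max(counts)
```

With rk = expand_key(key, 4), lambda_set_xor(rk, 3) is all zero for any key while lambda_set_xor(rk, 4) is not, square_attack(rk) returns rk[4] (the AES-128 key schedule is invertible, so the cipher key follows), diffusion_bits(rk, 1) is (32, 32) because a single-bit difference fills exactly one column after the first MixColumns, and diffusion_bits(rk, 2) is (128, 128). Four Lambda-sets leave a wrong last-round key byte a survival probability below 2^-24; the true byte always survives, which is why the attack never needs to back-track.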


Re: Status of attacks on AES?

2006-05-05 Thread Elisabeth Oswald

Hi,

if current status refers to the latest published papers then
you can find a short overview over the best known attacks on

http://www.iaik.tugraz.at/research/krypto/AES/index.php


Elisabeth

Joachim Strombergson schrieb:

Aloha!

Just out of curiosity I tried to Google around for recent papers on 
attacks against AES/Rijndael. I found the usual suspects with XSL
attacks and DJBs timing attack. But what is the current status of 
attacks, anything new and exciting?






Status of attacks on AES?

2006-05-04 Thread Joachim Strombergson

Aloha!

Just out of curiosity I tried to Google around for recent papers on 
attacks against AES/Rijndael. I found the usual suspects with XSL
attacks and DJBs timing attack. But what is the current status of 
attacks, anything new and exciting?


--
Kind regards, Cheers!

Joachim Strömbergson

Joachim Strömbergson - ASIC designer, nice to *cute* animals.
snail: Ö. Eriksbergsgatan 74, 417 63 Göteborg
phone: +46 31 - 12 14 01, +46 733 75 97 02
mail:  [EMAIL PROTECTED]
web:   www.Strombergson.com/joachim




Re: Status of attacks on AES?

2006-05-04 Thread Marcos el Ruptor

Aloha!

Just out of curiosity I tried to Google around for recent papers on 
attacks against AES/Rijndael. I found the usual suspects with XSL
attacks and DJBs timing attack. But what is the current status of 
attacks, anything new and exciting?


http://defectoscopy.com/forum/viewtopic.php?t=3

Expect new attacks soon enough.

