is a paper by A. Biryukov et al., entitled 'Key recovery attacks of
practical complexity on AES variants with up to 10 rounds'.
In my 2nd post (15.11.2009) in the thread "Dynamic change of encryption
keys" I argue that in my understanding such attacks, ingenious as they
are, could nevertheless never be practically effective, if one can
tolerate some additional processing cost and employs dynamic keys
instead of using a single key to process a message. You are sincerely
invited to give your comments and critiques there, if any.
M. K. Shen
We already had a past discussion about this when the attack was
published. It was commonly understood that the attack does not apply
to how most people use AES since related [chosen ones at that] keys
are not practical, that any tampering with the stream would be
identified and the session terminated.
So the attack, while noteworthy and interesting isn't really a threat.
Also, it's not polite to start multiple threads all over USENET when
you're not getting the attention you think you deserve. People don't
reply to you because, well quite frankly, you're annoying and prone to
long drawn out discussions that involve no intellectual effort on your
part. There is little reward in others trying to share wisdom or
knowledge with you since you're impervious to new ideas or
information. If you want people to pay attention to you, reward their
effort and good will with a little professionalism.
Tom
Apparently there might be a more serious attack on the AES...
http://www.science.unitn.it/~sala/workshopcry09/abstract.html
Mike Scott
But my point goes actually much further. I mean other attacks (there
are surely many others) that are based on the use of a "single" key
(for the processing of voluminous meterials) can be similarly defended
through use of dynamic keys. I very much wonder why the researchers have
ignored hitherto the (in my view straightforward) possibility of dynamic
change of keys. This is similar to the case (that I also wonder) I
described in a recent thread about congruential PRNGs, where the
researchers ignored a simple possibility available to the user of
renerding a fundamental assumption underlying their analysis invalid.
Thus their results, considered as mathematical advancements, are
certainly extremely valuable/interesting, but the real effect/utility
for crypto practice is on the other hand unfortunately almost vacuous
in my humble view (if I may take the liberty to say so as a layman).
M. K. Shen
Question: How do you think cipher keys are normally produced for
content encryption?
And what does "dynamically changing" mean anyways? Is that like
"statically consistent?"
Tom
> Question: How do you think cipher keys are normally produced for
> content encryption?
>
> And what does "dynamically changing" mean anyways? Is that like
> "statically consistent?"
Sorry I don't quite understand you. I compare only the case of using
one single key and the case of using dynamic keys. Both starts with
one given key (thus the issue of "how" one get's that key is not
relevant in this context). Now, suppose one use, say, AES. In the
one case one uses that given key throughout the processing of a
message. In the other case one can use the given key e.g. in counter
mode to generate a sequence of keys to encrypt the individual blocks
(again using AES). Is there anything wrong in respect of security
for the second case? The processing cost is evidently higher in the
second case. But that's not the main point to be argued in the present
context. (This was explained in the post of mine starting the thread
"Dynamic chage of encryption keys". You seemed not to have read that.
Otherwise you wouldn't have asked about the meaning of "dynamically
changing", would you?)
M. K. Shen
First off, learn to break up your text more legibly.
Second, no.
Third, related keys implies an attacker can observe traffic with keys
that are related. Explain to me how AES is used normally that would
make it vulnerable to related key attacks. That's the point of my
question. Do you even know how ciphers are used today? How can you
suggest "fixes" to things you don't even get how they work anyways?
(and thus the useless cycle of MKS replies is continued...)
Tom
Still only a related-key attack, though... Nothing
that particularly worries me.
Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Tom, STOP TALKING TO HIM! You're feeding the troll!
>Tom St Denis wrote:
>>> Mok-Kong Shen wrote:
>>>
>>>> http://eprint.iacr.org/2009/374.pdf
>>>> is a paper by A. Biryukov et al., entitled 'Key recovery attacks of
>>>> practical complexity on AES variants with up to 10 rounds'.
>>> In my 2nd post (15.11.2009) in the thread "Dynamic change of encryption
>>> keys" I argue that in my understanding such attacks, ingenious as they
>>> are, could nevertheless never be practically effective, if one can
>>> tolerate some additional processing cost and employs dynamic keys
>>> instead of using a single key to process a message. You are sincerely
>>> invited to give your comments and critiques there, if any.
>>
>> We already had a past discussion about this when the attack was
>> published. It was commonly understood that the attack does not apply
>> to how most people use AES since related [chosen ones at that] keys
>> are not practical, that any tampering with the stream would be
>> identified and the session terminated.
>> So the attack, while noteworthy and interesting isn't really a threat.
>But my point goes actually much further. I mean other attacks (there
>are surely many others) that are based on the use of a "single" key
>(for the processing of voluminous meterials) can be similarly defended
>through use of dynamic keys. I very much wonder why the researchers have
>ignored hitherto the (in my view straightforward) possibility of dynamic
>change of keys. This is similar to the case (that I also wonder) I
BEcause keeping track of those keys is a real pain. Remember you encrypt
things not only so the enemy cannot read them, but so the friend CAN
read them. That means they need the keys.
A one time pad is the ultimate in "dynamic change of key"-- every letter
has a different key. And it is useless because of the key exchange
problem.
>described in a recent thread about congruential PRNGs, where the
>researchers ignored a simple possibility available to the user of
>renerding a fundamental assumption underlying their analysis invalid.
>Thus their results, considered as mathematical advancements, are
>certainly extremely valuable/interesting, but the real effect/utility
>for crypto practice is on the other hand unfortunately almost vacuous
>in my humble view (if I may take the liberty to say so as a layman).
You may, and we may take the liberty of ignoring you.
>M. K. Shen
Dude, calm down, you're harshing my buzz. If I can't have a little
fun once in a while what's the point?
Tom
>> But my point goes actually much further. I mean other attacks (there
>> are surely many others) that are based on the use of a "single" key
>> (for the processing of voluminous meterials) can be similarly defended
>> through use of dynamic keys. I very much wonder why the researchers have
>> ignored hitherto the (in my view straightforward) possibility of dynamic
>> change of keys. This is similar to the case (that I also wonder) I
>
> BEcause keeping track of those keys is a real pain. Remember you encrypt
> things not only so the enemy cannot read them, but so the friend CAN
> read them. That means they need the keys.
> A one time pad is the ultimate in "dynamic change of key"-- every letter
> has a different key. And it is useless because of the key exchange
> problem.
But what I mean by dynamic keys are all generated by a single key,
so the work of "keeping track" (whatever that means) is the same
as using a single key in the tranditional way. (Please read the post
starting the thead "Dynamic change of encryption keys".)
M. K. Shen
> Third, related keys implies an attacker can observe traffic with keys
> that are related. Explain to me how AES is used normally that would
> make it vulnerable to related key attacks. That's the point of my
> question. Do you even know how ciphers are used today? How can you
> suggest "fixes" to things you don't even get how they work anyways?
> (and thus the useless cycle of MKS replies is continued...)
That the scenario assumed by the authors of the particular paper cited
is fairly unrealistic, is admitted by the authors themselves. My
critique is that there is 'another' way of seeing that the effort is
futile, because, even assuming they could under their assumed favourable
condition get a key, if each key encrypts only one block, then the cost
in getting the key is not economically justifiable for the return is
too little. This consideration applies evidently to other attempts of
obtaining encryption keys. If an algorithm is so safe that no attacks
can ever succeed, then using one single key (for ever) is certainly
prefectly o.k. But, assuming that there is a certain probability of
some attacker's success, using a single key would mean that then the
whole message is revealed. If dynamic keys are used, the attacker has
to work out all the different keys being used. If there are n keys
used, he has to do n times as much work. That's an essential difference
that could evidently be decisive in practice for his success or failure
in decrypting the message. This should be trivially evident.
M. K. Shen
Then you _are_ using a single key in the "traditional way", you just
have a funny (and probably slow) cipher.
For some reason, you seem to be assuming that the well tested stock
cipher (such as AES) that you're using as part of your algorithm might
be vulnerable to attacks, but that whatever homebrew method you're
using to generate the keys passed to that cipher cannot be attacked
just as well. I'd ask why on earth you'd assume that, but I suspect
that it has simply never occurred to you that the same methods used to
attack ordinary ciphers can just as well be employed against the kinds
of key expansion schemes you suggest, or even against the combination
of such schemes with other ciphers. There's absolutely nothing
AES-specific about differential or linear cryptanalysis or any of the
other methods people have employed against it with varying (but so far
very limited) success.
In any case, if your key generation method really was more secure than
AES, you should just ditch AES and use the key generation scheme
directly as a stream cipher.
(Ps. My apologies to the group for taking the bait. This will be my
last and only post in this thread.)
--
Ilmari Karonen
To reply by e-mail, please replace ".invalid" with ".net" in address.
I mentioned that there is a trade-off between processing cost and
desired security.
> For some reason, you seem to be assuming that the well tested stock
> cipher (such as AES) that you're using as part of your algorithm might
> be vulnerable to attacks, but that whatever homebrew method you're
> using to generate the keys passed to that cipher cannot be attacked
> just as well. I'd ask why on earth you'd assume that, but I suspect
> that it has simply never occurred to you that the same methods used to
> attack ordinary ciphers can just as well be employed against the kinds
> of key expansion schemes you suggest, or even against the combination
> of such schemes with other ciphers. There's absolutely nothing
> AES-specific about differential or linear cryptanalysis or any of the
> other methods people have employed against it with varying (but so far
> very limited) success.
I am certainly not the first person to dare to assume that AES could
be vulnerable. But look at the paper cited. It was these authors who
were not quite sure of the absolute vulnerability. (Or do you think
they were publishing nonsense?) As layman I couldn't assert that they
were wrong in having that thought (and I don't think they were wrong
in having that thought. You as expert can do that, but then please
address your critique to them directly not to a layman like me!
> In any case, if your key generation method really was more secure than
> AES, you should just ditch AES and use the key generation scheme
> directly as a stream cipher.
I assumed that attacks of the cited paper (and other attacks published)
could have "certain" (nonzero)chance of success. You certainly could
assume differently, namely all there published attempts of attack were
"absolutely" ineffective. But, if you assume as I do, then the chance
of success with dynamic keys would be enormously less than the case
with a single key, because (1) the material available to break one key
is now only one pair of plaintext/ciphertext instead of the large number
of pairs (assumed available by the methods of attacks) and (2) it would
be economically too costly for the analyst, because, if the message has
n blocks, the total cost is n times the (by itself very high) cost to
break one key.
M. K. Shen
>> For some reason, you seem to be assuming that the well tested stock
>> cipher (such as AES) that you're using as part of your algorithm might
>> be vulnerable to attacks, but that whatever homebrew method you're
>> using to generate the keys passed to that cipher cannot be attacked
>> just as well. I'd ask why on earth you'd assume that, but I suspect
>> that it has simply never occurred to you that the same methods used to
>> attack ordinary ciphers can just as well be employed against the kinds
>> of key expansion schemes you suggest, or even against the combination
>> of such schemes with other ciphers. There's absolutely nothing
>> AES-specific about differential or linear cryptanalysis or any of the
>> other methods people have employed against it with varying (but so far
>> very limited) success.
My previous respose was not complete. In what I suggested, the dynamic
keys are generated from a single key using a PRNG (common PRNG or
AES in counter mode). What is the vulnerability in that? Since
according to you AES is ok, then AES in counter mode is surely also
ok, isn't it? The essential point here is what I would designate
as 'indirectness'. The key that generates the dynamic keys is now
one step further away compared to the case when that key is directly
used to encrypt all blocks of a message. To break the scheme, one
has to break at two levels instead of one. And that's evidently
much harder.
M. K. Shen