[e-lang] Fwd: Chat with kpreid at waterpoint.org

David Wagner daw at cs.berkeley.edu
Mon Sep 21 00:26:16 EDT 2009


Bill Frantz wrote:
> I think David and I are in basic agreement about what this recent work
> means for our use of the SSL/TLS CipherSuites which include AES. To be
> specific, and to give David a chance to disagree:
>
>  Related key attacks should not be a problem given the use of
>  Diffie-Hellman key agreement and the way SSL/TLS generates keys.
>
>  SSL/TLS VatTP should use AES-128.
>
>  There isn't much practical benefit of using AES-192 or AES-256 over using
>  AES-128, and there are costs in additional computation.

This all sounds reasonable to me.

> Where we may disagree, and please remember that David is a much better
> cryptographer than me, is the long-term meaning of these attacks. I tend to
> see them as the start of a slowly crumbling edifice which may fall in the
> long term. David doesn't seem to see it that way.

I guess the reason I don't see it as the start of a slowly crumbling
edifice is that I don't find it a great surprise that AES is not
highly secure against related-key attacks.  There were related-key
attacks against AES right from the start (even if they didn't penetrate
through all the rounds).  And I always had the impression that AES's key
schedule was minimalistic; my (unscientific) impression had always been
that you're on slightly thinner ice to use AES in a context that must
resist related-key attacks (e.g., for an application that requires AES
to act like an ideal cipher, not just a PRP).

For instance, in 2002, I wrote:

  "Note that the AES has not been evaluated very carefully for security
  against related-key attacks, and what analysis has been done suggests
  that AES may have less margin of security against related-key attacks
  than against non-related-key attacks."

  http://www.cs.berkeley.edu/~daw/papers/rmac-nist02.ps 

and:

  "I'm not very confident that the security of AES against related-key
  attacks has been well-studied. [...]  Also, if you look at the AES key
  schedule, you'll see that it has a lot less "cryptographic goo" than
  the AES round function.  This makes me worry about assuming that AES
  can be safely modelled as an ideal cipher -- at the least, it seems
  to be less safe than assuming that AES is secure against standard
  chosen-plaintext/ciphertext attacks."

  http://www.ietf.org/mail-archive/web/cfrg/current/msg00143.html

And in 2004 I wrote:

  "AES's key schedule has not been as well-studied, and doesn't seem
  to have as much mixing and nonlinearity, as its main round structure.
  Put another way, I don't have quite as much confidence in the security
  of AES against related-key attacks as I do in its security against
  chosen-plaintext/ciphertext attacks."

  http://www.ietf.org/mail-archive/web/cfrg/current/msg00592.html

If they had found a non-related key attack on the cipher itself,
that would be more surprising and might warrant re-evaluation of
whether the foundation was crumbling.
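Bill's first point above, that the way SSL/TLS generates its keys keeps related-key attacks out of reach, is worth seeing in code. The following is an added example, not code from this thread or from any TLS implementation. It implements the TLS 1.2 PRF of RFC 5246 (P_SHA256 over HMAC-SHA256, the same principle as the MD5/SHA-1 PRF of the 2009-era versions), derives AES-128 write keys from a pre-master secret the way a handshake does, and then shows what happens if an attacker could somehow force a second handshake whose pre-master secret is related to the first by a chosen XOR difference: the resulting session keys differ by an unpredictable amount, so the attacker never obtains the "known key relation" a related-key attack on AES needs. The pre-master secret, the nonces, the XOR delta, the 20-byte MAC key length and the key_block slicing are constructed or assumed values chosen for illustration.

```python
import hmac
import hashlib

# Constructed inputs (not real handshake values): a 32-byte stand-in for a DH
# shared secret, the two hello nonces, and a one-bit "relation" an attacker
# would like to impose on a second handshake's pre-master secret.
PMS = bytes(range(32))
CLIENT_RANDOM = b"C" * 32
SERVER_RANDOM = b"S" * 32
DELTA = b"\x01" + b"\x00" * 31


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion, RFC 5246 section 5 (TLS 1.2 PRF building block)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_aes128_keys(pre_master_secret: bytes, client_random: bytes, server_random: bytes):
    """Derive client/server write keys for an AES-128 suite the TLS 1.2 way.

    Assumed layout of key_block (RFC 5246 section 6.3): client_write_MAC_key,
    server_write_MAC_key, client_write_key, server_write_key, IVs. The MAC key
    length of 20 is an assumption (HMAC-SHA1 suites); the layout is not the point.
    """
    master_secret = tls12_prf(pre_master_secret, b"master secret",
                              client_random + server_random, 48)
    mac_len, key_len, iv_len = 20, 16, 16
    key_block = tls12_prf(master_secret, b"key expansion",
                          server_random + client_random,
                          2 * (mac_len + key_len + iv_len))
    off = 2 * mac_len
    client_write_key = key_block[off:off + key_len]
    server_write_key = key_block[off + key_len:off + 2 * key_len]
    return client_write_key, server_write_key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def related_key_experiment(pre_master_secret: bytes, delta: bytes,
                           client_random: bytes, server_random: bytes):
    """Compare the AES key from one handshake with the key from a handshake whose
    pre-master secret is pre_master_secret XOR delta. Returns both keys, their XOR
    difference, and the Hamming distance between them."""
    k1, _ = derive_aes128_keys(pre_master_secret, client_random, server_random)
    related_pms = xor_bytes(pre_master_secret, delta)
    k2, _ = derive_aes128_keys(related_pms, client_random, server_random)
    return k1, k2, xor_bytes(k1, k2), hamming(k1, k2)


if __name__ == "__main__":
    k1, k2, key_delta, dist = related_key_experiment(PMS, DELTA, CLIENT_RANDOM, SERVER_RANDOM)
    print("key 1      :", k1.hex())
    print("key 2      :", k2.hex())
    print("input delta:", DELTA[:16].hex())
    print("key delta  :", key_delta.hex(), f"({dist} of 128 bits differ)")
```

A one-bit relation on the input becomes a pseudo-random 128-bit difference on the output, roughly half the key bits, and the attacker cannot predict which ones without already knowing the secret. That is the property a related-key attack lacks here, and it holds regardless of how much mixing the AES key schedule itself provides.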