Thread: Status of attacks on AES?

Status of attacks on AES?
user name
2006-06-07 20:02:35
> Right. But can you explain *why* you strongly believe in it?

In the last 10 years it never failed to tell the difference between good and bad ciphers. The only thing that makes it controversial is its ability to detect flaws in ciphers believed to be strong simply because no attacks against them are found yet.

We do not believe in the approach "if no one broke it in N years, then accept it as secure until they do" alone. We believe in combining it with studying the algebraic structure of the resulting functions from every angle with automated tools, and if they display obvious sparsity or patterns in the distribution of monomials of any algebraic degree, or if the size/output or size/security proportions are too low, or if too many rounds are required for a change to make those functions different in a way indistinguishable from random (slow avalanche of change as we see it), the cipher should be discarded even if no one can find a way to break it.

Here's an example: replace XOR with ADD in RC5 and try to attack it by any means other than the Mod N attack found years after RC5... But our tests immediately show that the cipher is easily breakable. They also immediately show the weakness of the first two bytes in RC4 and the breakability of such ciphers as A5, LILI, etc. The list can go on and on. Often there is no explanation for years until an attack is found, but our tests help us detect the presence of flaws in seemingly strong ciphers in a matter of minutes. I personally do not bother analysing ciphers that fail our tests - someone else will break them sooner or later anyway. I immediately discard them as breakable and concentrate on the hard ones to see if the cipher structure needs to be addressed. But if the cipher doesn't have any odd components that it relies on and that can be attacked individually, and if its proportions are chosen correctly, I accept it as secure.

The fact that Rijndael fails our tests so terribly prohibits me personally from trusting it even though no attack breaking it has been published. I would use Twofish or RC6 instead. Passing our tests combined with years of public scrutiny makes me believe that Twofish and RC6 can be trusted. Rijndael cannot.

Ruptor 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
