Is AES a Secure Cipher ?
independent AES security observatory,
maintained by Nicolas T. Courtois,
cryptologist and code-breaker (home page).
Frequently updated. Open for contribution.
NEWS / RECENT EVENTS:
Algebraic Cryptanalysis of
Block Ciphers in Practice
Press Releases About
Algebraic Attacks on AES and Other Ciphers.
What is AES / Rijndael
The Advanced Encryption Standard (AES) is the current encryption
standard (FIPS-197)
intended to be used by U.S. Government organisations to protect sensitive (and
even secret and top secret) information, see below.
It is also becoming a (de facto) global standard for commercial software and
hardware that use encryption or other security features.
On October 2nd, 2000, NIST selected Rijndael
as the Advanced Encryption Standard (FIPS-197)
and thus destined it for massive world-wide usage. Serpent was second in the
number of votes.
The security of AES/Rijndael.
Rijndael is an encryption algorithm that has been designed with the state of art in the cryptographic research and is still believed very secure by most of the people. It has been designed to have very strong resistance against the classical approximation attacks, such as linear cryptanalysis, differential cryptanalysis etc. However since Rijndael is very algebraic, new algebraic attacks appeared.
Algebraic attacks on
Rijndael.
In a recent paper (Asiacrypt 2002),
Nicolas Courtois and
Josef Pieprzyk show that Rijndael can be written as an overdefined
system of multivariate quadratic equations (MQ). For example authors show that
for 128-bit Rijndael,
the problem of recovering the secret key from one single plaintext can be
written as a system of 8000 quadratic
equations with 1600 binary
unknowns. Thus the security of Rijndael requires that there are no efficient
algorithms for solving such systems. In a paper published at Eurocrypt
2000 Shamir et al. describe an algorithm called XL (or/and FXL) able
to solve efficiently many such systems of equations. Attacking AES/Rijndael by
such a method requires only a few known plaintexts to succeed. If this method
can be made to work in practice, it is a major revolution in cryptanalysis:
all classical attacks on block ciphers such as linear/differential and other
approximation attacks require a number of plaintexts that is very big and grows
exponentially in the number of rounds.
In practice the algorithm XL fails (quite miserably) to break
Rijndael. However the system obtained from Rijndael is not random, and has many
special properties: it is overdefined, sparse and very structured. From this,
in a recent paper, Nicolas Courtois
and Josef Pieprzyk
investigate how to improve XL and adapt it to such special systems. They
propose a new class of attacks, attack, called XSL attacks.
There is no doubt that attacks such as XL and XSL do work in many interesting
cases. Unfortunately they are heuristic, and their behaviour is not well
understood. There are examples where these or similar attacks do behave in
practice as it is predicted, and there are examples where they don't.
This is how the security of AES became a hot topic.
Does XSL break AES / Rijndael ?
In the (widely read and commented) paper presented at
Asiacrypt 2002 conference, Courtois
and Pieprzyk show
an attack that might break AES 256
bits, but it is not certain. There are also
two different versions of the XSL attack that can be found on
eprint. These XSL attacks are very general, and can be applied (at
least in theory) to any block cipher. Later,
Murphy and Robshaw remarked that in the particular case of AES it is
more interesting to write equations over GF(256)
instead of over GF(2).
It is quite obvious how to do it, and it gives more or less the same
possibilities in terms of sizes and types of equations that can be written for
AES, with one important difference: the equations over
GF(256) are more sparse. One version of the XSL attack
over GF(256) seems to
break AES in about 2^87
or 2^100 operations.
The exact complexity of the attack is unknown and it is unclear if the attack
works as it stands (today's computers are not powerful enough to handle such
computations and check). Yet, nobody so far has been able to prove that it
will not work (see below). Moreoever, in the
field of algebraic attacks, it happens frequently that if an attack doesn't
work as described, a slight modification probably does. In general, it is lik
ely that in the future, the best attack on AES will be of the following form:
1. Use the equations over GF(256).
2. Apply one of the versions of XSL.
3. Apply a final step. The so called T' method, described in several papers,
may or may not be sufficient.
So far so good...
Is
AES / Rijndael a good cipher ?
Should it be used ? Does XSL attack work ?
The growing controversy around the ciphers recommended
by NIST, Nessie and the NSA.
The American NIST, the NSA and the European consortium Nessie, do recommend AES, and clearly want you to use AES (see above). In the Nessie press release (most people will only read this and never look at technical documents) we read: "No weaknesses have been identified in any of these 17 algorithms."
No weakness ? Really ? Should one use AES ?
Here are some elements that will help to answer this question.
The Security of
Rijndael/AES and the XSL Attack on Block Ciphers.
Survey and Strategic
Thinking Papers in Algebraic Attacks on Block Ciphers.
Papers Vaguely Related To
the Idea of Algebraic Attacks on Block Ciphers.
The Emergence of a New Science:
Algebraic Cryptanalysis.
On Algebraic Immunity of
Cipher Components (e.g. S-boxes).
Not only block ciphers can
be attacked by algebraic attacks:
Background work necessary for understanding the XSL attacks and various
algebraic attacks, but not directly relevant to block ciphers:
Relinearisation, XL algorithm, Gröbner bases, etc..
New Ideas and Special
Properties of AES.
A cipher as important as Rijndael should be under constant scrutiny...
More or less serious results on AES...
It is not because somebody says something, that it has to be true:
Interesting links:
The AES 1 million dollar challenge (or why there
should be such a thing)
Security of important ciphers used in practice:
Security of DES
AES: is the new encryption standard
already broken ?
New algebraic attacks on encrytion algorithms:
Algebraic attacks on block ciphers and AES
Algebraic attacks applied to stream
ciphers
Positive applications of multivariate equations:
promoting/about multivariate cryptography:
The McEliece_based short signature scheme CFS
The HFE cryptosystem home page
The Minrank Zero-knowledge
identification scheme
Quartz /Flash
/Sflash signature schemes
Nicolas Courtois research page
TTM cryptosystem,
GPT cryptosystem,
Open
Problems in Multivariate Cryptography (Stork Document)
Maintained by Nicolas T. Courtois
Last updated on 24th of August 2007.