New AES Attack Documented

avxo writes "Bruce Schneier covers a new cryptanalytic related-key attack on AES that is better than brute force with a complexity of 2^119. According to an e-mail by the authors: 'We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time. We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.'"

Improvement

[WaXHeLL]

That's only a 0.3% improvement!

Re:Improvement

[WaXHeLL]

erm only a 99.7% improvement.

Yawn

[Shikaku]

So instead of taking 1 million years to brute force, it will take .9 million years?

I totally made up those numbers but that's about the difference.

Re:Yawn

nach, instead of a trillion years it now takes only a billion.
thats about the difference.

and if you add more computers (a datacenter or such) and add new mathematics, this number will go down further, to say a thousand years.
thats where everybody using this should start worrying

Re:Yawn

The article seems to say that AES 256 can be lowered from 2^256 to 2^110.5... that's huge. For your example, if 2^256 iterations takes 1 million years, 2^110.5 iterations would take less than a second.

Re:Yawn

[a_n_d_e_r_s]

Given that the new theory lowers the time to break it with about 99.7% if it before took 1 million years it now only takes 3000 years.

Remember for everý less bit it takes to decrypt - it halves the time it takes to break a cipher.

Re:Yawn

Correct me if I'm wrong but I heard that for 128 bits if we had a supercomputer that was the size of a grain of sand that could test 1 key in the time it takes for light to cross the width of that grain of sand, and we put a layer 10 feet deep of this "sand" all over the Earth, it'd still take 1,000 years to crack.

Keeping that in mind, I don't think that "adding a datacenter" is going to make it crackable in the time the Parent suggests.

Re:Yawn

(((((2^110) / 1 000 000 000 000) / 60) / 60) / 24) / 365 = 4.11616633 Ã-- 10^13

If we have 1000 x 1 GHz processors, the attack was reduced to 4.12 x 10^13 years. Great... now i only have to play with my fingers... tu turu...

Re:Yawn

Do the math again, if 2^110.5 takes 1 second, 1^256 would take, 2.82860797 Ã-- 10^36 years, that's like three tenillion years (invented number).

Re:Yawn

[Eivind]

http://valerieaurora.org/hash.html
Pay special attention to the reaction of the "slashdotter" to "minor weakness found", and compare it to your reaction.
Remember, attacks always gets better, never worse. The first attack that weakens an algorithm *is* a big deal.

Oh, and reducing complexity from 2^128 to 2^110 isn't as it may appear a reduction of 10% in time-to-break, infact it's a reduction of 2^18 or about a factor of a million, so it's more like if before it took a million years, now it takes ONE year. Luckily for you, AES256 was at a lot more than a million years before the break, so there's still some air left in it.

Re:Yawn

Maybe that's why he said less than a second

Re:Yawn

[Arancaytar]

And if they manage to make another discovery like this, it could become 9 years...

Re:Yawn

nah... that's going quite a bit faster:

r ~= 6000km, A = 452 million km = 452 * 10^12 m = 4.52 * 10^20 mmÂ

h ~= 3 m = 3000 mm

V = 1.357 * 10^24 mmÂ

assuming non ideal cubistic packaging of spheric computers of 0.5 mm in diameter, we have 8 computers per mmÂ, that is

n = 1.085 * 10^25

computers available in our little cluster.

for s = 0.5 mm crossed by light speed, we've got

2000 * 3 * 10^8 = 6 * 10^11

calculations per second and per computer.

That is, our cluster, assuming Rpeak == Rmax, achieves

6.514 * 10^36

key tests per second. Now,

2^128 = 3.4 * 10^38

that is, we need about 52 seconds to be done.

Using a hexagonally oriented packing order instead of a cubic one, we have ~74% of the volume filled with computers instead of just ~52%. If we can still manage to cool that down, we reduce the computing time by a factor of 52/74 to

36 seconds

Reducing the size of our computers from 0.5 mm to 0.2 mm gives us 2.5^3 times as many computers working 2.5 times as fast, i.e. 39 times as many calculations per second.

Thus, with computers of 0.2 mm in diameter, packing them 10 feet high on all of the earth's surface, we can get the job done within a single second.

Yeah, let's do it ;-)

Re:Yawn

I don't think that "adding a datacenter" is going to make it crackable in the time the Parent suggests.
Uh oh.

Re:Yawn

I tried to look it up after I wrote that and everything I saw referred to a 256 bit key, not 128 as I originally heard and it only said that the layer would be 1 meter in depth, not 10 ft(~3m), so I'm definitely wrong about how long it would take to break this particular keyset(thanks for doing the math on that, I'm bright but don't have the patience sometimes) BUT a 256 bit key would indeed take bloody forever. At the rate that you suggest, a 256 bit key would take about 10,790,283,070,806,014,188,970,529,154,990 years IF I've done my calculations correctly. So I think I'm moving my LUKS encrypted partition to 256 bits or better if it exists.

Re:Yawn

[khellendros1984]

AES encryption is an actual government standard, FIPS-197. It's based on Rijndael encryption, which is capable of using any key that is 128 bits or longer, and divisible by 32 bits. If I remember correctly, the times to encrypt or decrypt should be basically identical, and increase linearly with the size of the key. So I don't know if any software actually implements a Rijndahl-type encryption with over 256 bit keys, but I don't see any reason that it wouldn't be technically possible.

Complexity

[techno-vampire]

TFA refers (as does the summary) to complexity of 2^119, and possibly lowering it to 2^110.5. Could somebody rephrase that in a way that people like me, who aren't cryptography specialists can understand what they're talking about?

Re:Complexity

I believe the complexity is a rough measure of how long it should take to break the code. So in this case, a reduction from 2^119 to 2^110.5 is approximately 360 times faster (that is, a 2^119 complexity attack takes 360 times as long as a 2^110.5 complexity attack).

Re:Complexity

[wealthychef]

Normally, "complexity" in computer science refers to how long it takes to do a given task, given the size of the task. It's usually expressed as O(blah), read, "Order of blah". For example, an O(n^2) ("order n squared") complexity means that if it takes "m" minutes to finish a problem of size x, then it will take 16m minutes to finish a problem of size 4x. I'm not familiar with the term "complexity" being used in this context and with these specific numbers.

Re:Complexity

[techno-vampire]

It's usually expressed as O(blah)...

Yeah; I know, and I'd not have wondered if they'd expressed it that way. It's good to know that I'm not the only reader that doesn't understand the terminology.

Re:Complexity

[vux984]

Could somebody rephrase that in a way that people like me, who aren't cryptography specialists can understand what they're talking about?

Sure I'll rephrase it for you. "Don't worry."

What? You wanted something deeper without having to know anything? Ok...so AES was thought to require 2^128 time units to brute force. So 2^119 time complexity means essentially that the new algorithm takes 2^119 units of time to complete which is a lot better, and they think it might be able to optimize it down to 2^110 units of time.

What a 'unit of time is' is a computing science hand-wave because it doesn't really matter what it is. When comparing algorithms for large problems you are interested in how it compares relative to other algorithms, not how much absolute time it will take on a Commodore 64 or Intel i7 or whether its programmed in Smalltalk vs C. Those details while important in their own right aren't really relevant to the comparison of the algorithms themselves.

A 2^110 algorithm is significantly better than a 2^119 algorithm for 'large problems' regardless of what we set the unit of time to be, and in turn 2^119 is much better than 2^128.

In practice the unit of time is rooted in how long it takes a computer to do 'an operation'. So it might be milliseconds or nanoseconds, or whatever. And the upshot is that even 2^110 is STILL gazillion years even if its programmed in C on an i7 and every i7 on the planet is contributing to the effort...

Hence... "Don't worry."

Its mathematically very interesting, but for the moment, its nothing to "worry" about.

Re:Complexity

[jrl87]

Basically they're looking for weaknesses in the encryption or a way to break the encryption. The basic idea is that if you have a x-bit key for you encryption system then you should be able to generate 2^x different keys. So for instance if you had 4-bit encryption, then you would have 4 bits that you could assign a value to. That is you have something like _ _ _ _ where each _ can be either a 1 or a 0. When you work out the number of unique ways you can make this assignment you get 16, or 2^4.

To break the encryption, you need to find the key. In the 4-bit example above, it is easy you just try all 16 of the possibilities. Now, if you raise the encryption strength to say 256-bit, you have 2^256 theoretically possible keys. Now, if you assume that you can check 30,000 keys per second it would take you well over a million years to check all of the keys (actually somewhere on the order of 10^60 years). So doing that is obviously not a practical solution.

So what they're doing is trying to find a method that is more efficient. There are sometimes reasons why certain keys don't need to be tested and there are statistical methods that should theoretically be more efficient that simply randomly trying keys. So previous to this study they think the complexity is 2^119. Though it's not quite right, you can think of this as the average number of keys you would have to try before getting the right one. With the method they are suggesting they are claiming that the complexity could be lowered to 2^110.5. Practically speaking, this doesn't really make cracking the key any easier. But in the future, who knows ...

Re:Complexity

[Cajun+Hell]

It means it just got roughly 400 times faster.

Re:Complexity

[Joce640k]

It means you only have to test 2^119 possible keys to break 256-bit AES - still far beyond what's ever going to be feasible (do the math - give everybody on the planet a million PCs running at 1THz and see how long it takes to do 2^119 things, then figure out where you're going to get that much electricity from)

Interesting to note is that AES-128 is immune to this attack - it's now the strongest variant of AES. Everybody (like me) who thought the 256-bit and 192-bit were a waste of time now has a reason to be smug about it.

Reason: Both AES-192 and AES-256 are just AES-128 internally but they mess around with the key data between each loop of the encryption process. The new attack only works on the "messing around" part of the process so AES-128 is unaffected.

Re:Complexity

I love that this got moderated redundant while a post that is essentially the same that comes AFTER this one gets modded insightful.

Oh look, that one was by a girl! Let's mod her up! WOWOWOWOWOWOWOWOWOWOW

Re:Complexity

[Joce640k]

No, 119 to 110.5 is the amount they predict this attack could be improved with more work.

If it reduces an attack 256-bit AES to 2^119 complexity then it's 2^137 times better, and 2^137 times better is half a metric asston.

Re:Complexity

No, there's already a simple time/memory tradeoff attack that reduces AES-256 to 2^128 in time and space, so they were just reducing it from 128 to 119, which is 512 times better.

Re:Complexity

[jcwayne]

... 2^137 times better is half a metric asston.

I measure algorithmic complexity in imperial asstons, you insensitive clod.

Re:Complexity

[techno-vampire]

Thank you. However, one question remains: is that the maximum number of keys, or the average number. Either way, of course, it's a huge number, but it does make a difference.

Re:Complexity

[techno-vampire]

What? You wanted something deeper without having to know anything?

Not quite. I wanted to learn enough to understand what they were talking about, even if I couldn't follow the math they used in the proof, and that you (and a few others) have given me. Thank you.

Re:Complexity

[Joce640k]

That's the maximum, the average would be half that.

...unless they're expecting you, in which case they can put the key towards the end of the keyspace to make it take longer. You could of course anticipate that move and start searching at the end but in return they could anticipate that and put it at the beginning. It's a Sicilian mind game.

Re:Complexity

[Joce640k]

Ok, sorry, didn't know about that attack. Still, the new attack looks more practical than the old one (aside from being better...!)

Re:Complexity

[techno-vampire]

What I'd do in a case like that is put it somewhere near the middle. That way, it's about the same time no matter which end you start at, and if you do start in the middle, you still have to guess if mine is above or below your starting point giving yourself a 50/50 chance of starting out by going in the wrong direction.

Re:Complexity

[dotgain]

Imperial Asstons are non-migratory

Re:Complexity

[Kjella]

I'm not familiar with the term "complexity" being used in this context and with these specific numbers.

Because it's not a problem that scales with n, it's an attack on one particular value of n. Ideally brute forcing an n-bit cipher has complexity O(2^n). For 256 bit AES, they've found an attack that instead of the ideal 2^256 attempts takes 2^119 attempts. But you can't say O(2^119) because that is equal to O(1), and any function with n would be false since it doesn't apply to other n. I guess you could say an attack with "complexity O(2^(n*119/256) for n=256" but you're likely to confuse a hundred times as many as are enlightened.

Re:Complexity

[NotQuiteReal]

Yeah, but if you include the word "password", "admin" or in your tests, you usually get the answer in a lot fewer than 2^119 test keys.

Re:Complexity

[man_of_mr_e]

Unless of course you start in the middle and expand outwards in both directions ;)

Re:Complexity

[onionman]

Interesting to note is that AES-128 is immune to this attack - it's now the strongest variant of AES.

NSA specifies AES-256 for Top Secret information in Suite-B products. NSA knows crypto. So, if NSA thinks that AES-256 is stronger than AES-128, and if recent results indicate that AES-256 only has 110 bits worth of strength, then one might wonder, "what is the actual security level of AES-128?"

Re:Complexity

[Repossessed]

Um, even if you brute force AES 128, wouldn't you only have a complexity of 2^64?

256 is still 360,000,000,000,000 times stronger than 128, even if they get it all the way down to the 2^110.5 complexity 256 will still be far far stronger.

Re:Complexity

[Skuto]

>Um, even if you brute force AES 128, wouldn't you only have a complexity of 2^64?

No. This is an encryption function, not a hash.

Re:Complexity

[PurplePhase]

So from other people's numbers, does this mean AES-256 and AES-192 break in 2^110-ish while AES-128 breaks in 2^128? Are there similarly comparable numbers for PGP, GPG, and, well, everything else? I'm still trying to figure out the best algorithm to choose and these metrics could help. Or should they?

Thanks!

Re:Complexity

However both 192 and 256 are _still_ stronger than 128. So what's there to be smug about? ;)

Re:Complexity

[Rockoon]

Please write down your randomly generated 256-bit key: 0000000000000000000000000000000000000000000000000000000000000000

Your data cannot be recovered without it!

Re:Complexity

[Mashiara]

To clarify the birthday problem is fundamental and it basically means that even in good algorithms one *on average* needs to check half of the possible key space to brute force the key.
 

In not-so-good algorithms (for example uneven distribution of keys) one can tune the search space and get away with checking much smaller amount of keys than half of the theoretical space.
 

And as stated earlier, cryptographers will consider an algo broken if there exist an attack that is better than pure brute force (need to check less than half of the keys), practical attacks are a wholly different matter.
 

And what comes to the MD5 debacle, it was known to be broken for ages and still was used for new certificates, that's just stupid. Granted SHA-1 is also broken, but for it there are no practical attacks, RIPEMD160 has no breaks yet but it seems it's not officially supported in SSL.

Re:Complexity

[Dr_Barnowl]

You just won the prize for being the person who explained it most succinctly without using exponents.

Re:Complexity

[pjt33]

The birthday problem is relevant for finding clashes in hash functions. The fact that on average you need to check half of a cipher key-space to brute force the key is an even more elementary result. Suppose you draw up a list of the keys in the order you will check them: K1 to Kn (one-based indexing makes the sum that's coming up easier), and let the true key be K. Then, assuming you don't have any information to allow you to check more probable keys first we have P(K=Ki) = 1 / n, so the expected number of keys checked is SUM_i=1^n P(K=Ki) * i = SUM_i=1^n (i/n) = (SUM_i=1^n i) / n = 0.5 n (n+1) / n = 0.5 (n+1).

Re:Complexity

[L4t3r4lu5]

That equation gives a value of 9191.24

Is one "complexity" 9191.24 times less-hard than decrypting an AES encrypted dataset?

How many VW Beetles is 9191.24 Complexities?

Re:Complexity

[L4t3r4lu5]

Yeah, but what is the average weight of an unladen Asston?

Re:Complexity

[Joce640k]

The NSA only employs geniuses, not gods. How about we wait 24 hours and see how they respond....?

Re:Complexity

[Joce640k]

...and when I say "strongest" I mean in a pure math sort of way.

Any attack which starts with things like "first you encrypt 2^128 carefully chosen plaintexts and store them in a hash table" isn't really an attack you should worry about.

Re:Complexity

[emlyncorrin]

Ok...so AES was thought to require 2^128 time units to brute force. So 2^119 time complexity means essentially that the new algorithm takes 2^119 units of time to complete which is a lot better, and they think it might be able to optimize it down to 2^110 units of time.

Where does 2^128 come from? I would have expected 2^255, since on average you need to try half of the 2^256 possible keys.

Re:Complexity

[digitrev]

3.1 years

The electricity problem is trivial, and left to the reader to solve for themselves.

Re:Complexity

[Just+Some+Guy]

Where does 2^128 come from? I would have expected 2^255, since on average you need to try half of the 2^256 possible keys.

The birthday attack says that you can brute force an n-bit system in an average of (n/2)-bit time.

Re:Complexity

[Just+Some+Guy]

Self-correction: ignore that. It's true of finding collisions in hash algorithms, but that's not what AES is. Basically, AES-192 and AES-256 are AES-128 plus a few goodies. Someone found that the extra bits actually reduced the strength below the 2^128 of AES-128 instead of increasing it.

Re:Complexity

You don't divide the exponent by two. You divide the result by two. In a power of two, you subtract one from the exponent. You have a 50% chance of having the correct AES-128 key with 2^127 keys.

Re:Complexity

[bkpark]

Yeah, but if you include the word "password", "admin" or in your tests, you usually get the answer in a lot fewer than 2^119 test keys.

The way AES algorithms are usually used, you are going to find very few passphrases that look like that. For one, it's not a hash algorithm so it's not used to obscure passwords (so no one would choose "admin"), and people who know enough to use it, i.e. for either loopback device encryption or even full disk encryption know enough not to use "password" for passphrase—at worst, they are going to use "passphrase" for passphrase.

On top of that, the implementation of cryptsetup in GNU/Linux (which is what people who use LUKS for full disk encryption mostly use) wouldn't even let you pick a password fewer than 20 characters (or was it 25 characters?).

So, if you test 100 "average" cases where AES algorithm was used, I would be surprised if you find even 10 where passphrases can be found by garden variety dictionary attack.

Re:Complexity

[Repossessed]

Ok, but then why have AES-256 at all if its only twice as good as 128 in the first place?

Furthers my stand on crypto, which is: DON'T

Crypto is broken. It's not IF, but WHEN. That's why crypto is pointless to use. this is why I use open source, and even keep all doors unlocked. It's pointless to try and protect propery, real or intellectual/imaginary.

Re:Furthers my stand on crypto, which is: DON'T

[wealthychef]

It's pointless to try and protect propery, real or intellectual/imaginary.

Really, would you mind posting your credit card information here please? Also your home address? I didn't think so.

Re:Furthers my stand on crypto, which is: DON'T

[The+End+Of+Days]

I get your point, but logically your response doesn't refute the OP directly.

Re:Furthers my stand on crypto, which is: DON'T

[caluml]

You can have it AES-256 encrypted if you like.

Re:Furthers my stand on crypto, which is: DON'T

[droopycom]

The point of cryptography is to protect stuff for a sufficiently long amount of time.

So you are right, its all about WHEN. WHEN IS the point, and is not pointless.

Re:Furthers my stand on crypto, which is: DON'T

[droopycom]

Refutation: Crypto is indeed all about WHEN. WHEN is not pointless, it is the point.

Re:Furthers my stand on crypto, which is: DON'T

[MaskedSlacker]

Don't feed the troll.

Re:Furthers my stand on crypto, which is: DON'T

Exactly.

Why do I care if you get my root password in 1000 years? I don't.

I care if you do within the next 6 months probably, but not in 1000 years.

It's all about the "when," baby.

Re:Furthers my stand on crypto, which is: DON'T

[atraintocry]

He's not joking. He found the pattern that describes all prime numbers. So did I. It's pretty simple in hindsight.

Wait, who's thaNO CARRIER

Re:Furthers my stand on crypto, which is: DON'T

[Arancaytar]

I'm sure there's a point when a troll gets obvious enough to be called "sarcastic". :P

Re:Furthers my stand on crypto, which is: DON'T

[david_thornley]

Actually, it is all about WHEN.

Good crypto can withstand any conceivable attack until the heat death of the Universe.

Really good crypto does that until the computer you're using to crack it disintegrate from proton decay.

Re:Furthers my stand on crypto, which is: DON'T

[MaskedSlacker]

Absolutely, but you still don't feed them. You either mark them +1 funny, or run with the joke. GP took it super-serial however.

Complexity.

[girlintraining]

For those who don't have a degree in oh-shit-that's-a-big-number, can someone give a comparative analysis of what "2^119" complexity means? I mean what else is "2^119" hard to solve? And yes, the math nerds are undoubtedly either dying of laughter or yelling at the screen for my abuse of powers of two... I don't care.

Re:Complexity.

I'll assume you know what asymptotic notation is. If an algorithm is O(2^n) then for every unit increase in the size of the input, the time to complete doubles. This algorithm takes 2^119 steps on a 256 bit input (AES-256). Which is a lot.

Re:Complexity.

[xZgf6xHx2uhoAj9D]

AES-128 uses keys which are 128 bits long. That means in order to "break AES" (in order to decrypt something you don't have the key to), all you have to do is try all possible keys of length 128 until you find one that works. That means you would have to try 2^128 different combinations, which is a lot.

What these people have done is found some clever way where you can break AES trying only 2^119 combinations. Effectively this means AES is no better than if it had used 119-bit keys instead of 128-bit keys. Sometimes you'll hear this colloquially as something like "AES has 119 bits of security", referring to how many combinations of keys you have to try before you find the one works.

2^119 is a massively large number. Trying 2^119 combinations is still terribly far outside of the realm of what all of the world's most powerful supercomputers combined could hope to do. This is an attack of theoretical interest, not practical interest.

Re:Complexity.

If you had a computer that could perform 7 libraries of congress per hogshead, it would take 4563 quintillion hectares to do the Kessel run in under 12 parsecs (per milliliter squared)

Re:Complexity.

[sammykrupa]

Well just look at how fast the numbers double:

1, 2, 4, 8,16, 32, 64, 128, 256, 512, 1024, 2048, 4096, 8192, 16384, 32768, 65536, 131072, 262144, 524288, 1048576
2097152
4194304
8388608
16777216
33554432
67108864

2^30 = 1 073 741 824
2^60 = 1.1529215 Ã-- 10^18

2^60 IS NOT one less than 2^61, it's HALF.

Re:Complexity.

[cpu_fusion]

Pardon me, but isn't the article about AES-256? So this is a much more significant drop in the number of bits.

Of course, I've only read the summary. This is slashdot, natch.

Re:Complexity.

[cperciva]

I mean what else is "2^119" hard to solve?

Finding a file which has an MD5 hash of either 000000000000000000000000000000XX or 000000000000000000000000000001XX for some pair of hexadecimal digits XX.

Computing the 2^100th bit of Pi (approximately -- the BBP algorithm has some factors of log thrown in, so I've dropped a factor of 2^19 to account for those).

Sorting a list of 31 elements using bogo-sort.

Re:Complexity.

[godrik]

A couple of years ago (2003), a cryptographic system was said to be secured if it requires more than 2^80 computation. I do not know what is the current standard and I have no clue how to find it.
However 2^110 is still way to large for us at the moment.
To give an estimation. Supose you have one million processors clocked at 10Ghz (which nobody have nowadays), you can do 10^6 * 10^10 = 10^16 ~= 2^48 computations per second. To crack AES and using this machine you'll need 2^110 / 2^48 = 2^62 seconds to do so which is approximatively 150 billions year.
The attack is of theoretical interest mainly but should tell people not to use AES with a cryptographical key smaller than 256.

Re:Complexity.

Except IYRTFA, the attack only works on AES-192 and AES-256. AES-128 is unaffected, which would seem to imply that, oddly, AES-128 could be stronger than AES-256 and AES-192 in some circumstances.

Re:Complexity.

[xZgf6xHx2uhoAj9D]

Oh dear, you're absolutely right. This is about AES-256. That's quite a significant attack indeed (though still not enough to make it practical).

Re:Complexity.

[nine-times]

Well I'm not particularly a math geek, but 2^10=1KB. 2^20=1MB. 2^30=1GB. And so on. So if you were storing 2^120 bits, it would be basically be a trillion trillion terabytes. Is that right? Someone feel free to check my math.

I mean, that doesn't give an explanation of the problem, so it doesn't really answer your question. But maybe it gives you an idea of scale? I guess by lowering the complexity of the attack by 2^8.5 it means that an encryption key that would take you 300 years to crack, you might now be able to crack it in a year...? I don't know. I'm not an encryption expert.

Re:Complexity.

[quercus.aeternam]

Two things:

First, they are talking about AES-256.

Second, I find it useful to think about how much faster that is. In this case, it means it is 2^137 times faster than a pure brute force attack, which certainly seems impressive. Fortunately, as you mentioned, this is still far too difficult to be applied.

Just for fun, google this: 2^119 picoseconds in millenia

Re:Complexity.

2^119 is a massively large number.

664613997892457936451903530140172288

Meh. I've seen bigger.

Re:Complexity.

[Mike+Buddha]

The attack doesn't work in AES-128 or AES-192. It only works on AES-256.

Re:Complexity.

To get you an idea, it would take a billion computers trying 1 key every nanosecond more than 20 billion years to try out all the key combinations of 2^119.
 

Re:Complexity.

[DriedClexler]

AES-128 uses keys which are 128 bits long. That means in order to "break AES" (in order to decrypt something you don't have the key to), all you have to do is try all possible keys of length 128 until you find one that works. That means you would have to try 2^128 different combinations, which is a lot.

What these people have done is found some clever way where you can break AES trying only 2^119 combinations.

Pff. Well if that's all they're claiming, then even I can do better. Hint: don't guess composite numbers! The two factors you have to find are prime!

Re:Complexity.

[SoVeryTired]

Well, it's the expected length of time you'd need to spend tossing a coin before you got 119 heads in a row. A very long time.

Re:Complexity.

[Chabo]

Yes, but how do you know if the potential factors are prime? Do you keep a giant list/table, or do you attempt to factor the potential prime?

Re:Complexity.

[NAR8789]

...and how, might I ask, are you generating your primes?

Re:Complexity.

[nine-times]

I'm confusing bits and bytes, so I'm wrong already. Oh well.

Re:Complexity.

[tabrisnet]

Bull.

a) AES is not based on prime numbers, nor is it a public-key cipher. you're thinking RSA or some other public-key cipher. Hence why RSA has to be at least 1024 (and now 2048 and up is recommended) bits long.

b) There's a lot more bull going around here. AES256 was believed to require 2^128 operations to bruteforce, not 2^256. Thus any question of 256 -> 119 is bull. It's 128 -> 119.

c) Brute-forcing a 64bit RC5 key took distributed.net years (and note that that was with the benefit of Moore's [so called] Law). Mind you, that actually required searching a 64bit keyspace.

Re:Complexity.

[bmajik]

Not only is 2^119 a big number...its around 6e35.

Wolfram says that the milky way galaxy weighs around 6e45 grams.

assuming 1 mol of electrons in 1 gram of galaxy, you're talking about 3e69 electrons in the whole galaxy.

I suppose it might be possible within the confines of our galaxy to do something 2^119 times. We do have enough electrons. That's an important upper bound to not violate.

Re:Complexity.

[dermoth666]

I believe the probability being halved has something to do with the birthday paradox. It's been a time where I could explain this better; if you wish to find out just search for it on Google... This page seems to have a good explanation too:

http://betterexplained.com/articles/understanding-the-birthday-paradox/

Re:Complexity.

[Joce640k]

If I'm reading the paper correctly, it appears that AES-128 is unaffected. (Please correct me if I'm wrong!)

Re:Complexity.

[dermoth666]

As far as I know, besides primes there's a bunch of random data that gets in key generation. Knowing the primes only make it slightly easier to crack the key.

By default PGP use a known set of primes to generate keys, and so far keys generated by it are still secure.

Re:Complexity.

[a_n_d_e_r_s]

CPU power doubles about every 18 months (Moores Law) so every 3 years a new computor can decrypt 2 bits more in the same time frame.

Thus to get it down to 80 bits from 119 it will take 39 bits divided by 2 times 3 or in about 60 years the AES will become breakable.

However given that Moores law is starting to get hard to continue with - it might take smore time than that. By that time the new crypto standard will probably use 1024 bits to be safe.

Re:Complexity.

[betterunixthanunix]

This is an attack on key schedules; the key schedule of AES-128 is different from that of AES-192 and AES-256, thus rendering it impervious to this particular attack. As the authors note, this sheds new light on key schedule design, much in the same way that differential cryptanalysis shed light on S-box design.

Re:Complexity.

[BitterOak]

I believe the probability being halved has something to do with the birthday paradox.

Actually, that just applies to secure hash functions (like MD5 and SHA, and the like) and not to block ciphers. If AES-256 can be cracked with only 2^119 calculations, that is a HUGE drop in security.

The reason that hash functions really only give you half as many bits of security as you have bits in the digest is that a hash is considered broken if you can find two messages which have the same hash. Since you can vary both messages, you only have to try 2^(n/2) as many, just like the birthday "paradox".

Re:Complexity.

that's what she said.

Re:Complexity.

[DriedClexler]

Note to self: never try to tell a cryptography joke.

Re:Complexity.

[Skuto]

Not really. The thing is that a break against AES-256 can use up to 2^256-1 operations and be considered faster than brute force. The same technique wouldn't count as a break against AES-128, because that is brute forceable in 2^128 anyway.

If there's an attack against AES-256 that takes 2^200 operations, it's considered a break. But this is still more effort than the one needed to just brute force AES-128. So AES-256 would still be more secure.

Re:Complexity.

[electrostatic]

Just for fun, google this: 2^119 picoseconds in millenia.

Google says:

2.10607966 × 10^13 millenia -- which equals about 21,000,000 billion years

With the new attack the figure is 2^110.5 trys, which is

(2^110.5) picoseconds = 5.81727815 × 10^10 millenia

a mere 58,000 billion years.

Looking at it another way, 119 - 110.5 = 8.5, which is the reduction of the exponent, giving 2^8.5 = 362. So knocking off 8.5 bits reduces the amount of time+effort by that ratio.

"Picosecond" is the assumed amount of time it takes for one attempt here, which I assume is reasonable given a massively-parallel attack machine.

Still, 58 trillion years...

Re:Complexity.

[AlHunt]

>Just for fun, google this: 2^119 picoseconds in millenia

And for even more fun - 64 minutes after the parent posted, the post itself was the first result.

Re:Complexity.

[RaymondKurzweil]

CPU power doubles about every 18 months (Moores Law)

Moore's Law never claimed this.

Re:Complexity.

[Kjella]

I think that's the only kind of number that makes sense without using the 2^x notation - 137 bits broken, 119 bits of strength left. It's lost over half the bitstrength. If it'd been the same for 128 bit keys, it'd be well into crackable ranges. That's really the big issueeasily here, why would this NOT affect 128 bit AES? Did they do something really, really smart in that version that leaves them immune? Or is it rather we don't want to set of every alarm bell there is?

Re:Complexity.

[wirelessbuzzers]

It's a time/memory/data trade-off. If you have 2^128 AES-256-encrypted copies of a known plaintext, you can already find one of the keys using 2^128 time. You just encrypt using 2^128 random keys and find collisions.

This attack does better by a factor of 2^9 = 512 if the keys are related in some way known to (or maybe chosen by) the attacker. They think they can get another factor of 2^9 out of it with a more careful analysis. Even so, this is only a theoretical weakness.

Re:Complexity.

Why limit yourself to electrons? Photons man, photons - they're the new "it" particle for computation!

Re:Complexity.

"can someone give a comparative analysis of what "2^119" complexity means?"

What is the exact location of the flight 449 recorders??

Re:Complexity.

[rawler]

Basically, it says how long it would take to be sure to crack it.

To give a comparison, most machines on the net today is clocked at ~4Ghz, that is 4 000 000 000 instructions per second. Imagine a CPU:s doped for only one thing, and one cpu-cycle would mean one key tested ( in reality, there's more like maybe 1000s of cycles/test or something like that ). That would mean that the cpu crunched 172 000 billions of tests per day. With that monster cpu, it would still take 5 billions of billion years to be sure to crunch that encryption.

Even if you filled the theoretical limits of todays internet (unfortunately, IPv6 is still the internet of tomorrow) with these monster machines, it would still take 1,25 billon years to be sure to find the key. This all is of course just theory. Who knows, if you're lucky you may get it in a tenth of that time, only 125 million years. ;)

As a footnote, for the cost of those monster-machines, the operational cost of them and the staff to support them, you'd be much better off bying an army. Physical security in most places is much weaker than AES currently, so it would be much easier just to force the secrets out.

Disclaimer: All this assumes turing-machines, where only one solution at a time can be evaluated. In a quantum-processor, you could theoretically do much better.

Re:Complexity.

[MaskedSlacker]

Apparently you missed the part about AES-256 being down to 2^119, which is less that 2^128.

Re:Complexity.

[MaskedSlacker]

No, they did something really stupid in the AES-256 version that made it vulnerable.

Re:Complexity.

[religious+freak]

Just for fun, wolfram-alpha it (doesn't exactly roll off the tongue, does it?). That is what it's designed to do, after all - plus I found the results a little more useful than google.

Re:Complexity.

[someSnarkyBastard]

Or they switch to the cipher they should have gone with, namely Serpent: http://en.wikipedia.org/wiki/Serpent_(cipher) http://www.cl.cam.ac.uk/~rja14/serpent.html For those too lazy to read the links, Rijndael (aka AES) is faster, simpler, and more elegantly designed than Serpent. Serpent is more conservative, slightly slower in software (faster in hardware though), and not quite as pretty aesthetically. Rijndael was chosen to become AES for its speed and simplicity, two things IMO that have minimal desirability in a cryptography algorithm.

Re:Complexity.

[MaskedSlacker]

Aw, now I don't get to make fun of you. Sadness.

Re:Complexity.

Quite nice - I enjoyed the following result when just putting in 2^119 picoseconds: 1.5x10^6 x universe age.

Re:Complexity.

[MaskedSlacker]

To give a comparison, most machines on the net today is clocked at ~4Ghz, that is 4 000 000 000 instructions per second

Uh, no they're not. But for the sake of mathematical illustration, I'll allow it.

Re:Complexity.

[rawler]

Actually, I wrote ghz first, but realized (when I was done with the entire post) I were a couple of years behind so doubled everything to more easily adjust stuff. ;)

Also 4ghz != 4 million instructions/second, which is a typo (clarified below).

In other words; two errors in one sentence. Can only be accomplished while watching the sun rise after not sleeping for a night. ;)

Re:Complexity.

[rawler]

Ergmh.. and "I wrote ghz" should be "I wrote 2 ghz". You know it's time to sleep when you have to correct the correction.

Re:Complexity.

[nine-times]

You can make fun of me anyway. It's a dumb mistake to make.

Re:Complexity.

[Hurricane78]

Just for you binary noobs without a calculator out there:

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 = ~ 3,4028237 * 10^38 = ~ 340282.4 decillion
2^119 = 664,613,997,892,457,936,451,903,530,140,172,288 = ~ 6.64614 * 10^35 = ~ 664.6 decillion
2^110 = 1,298,074,214,633,706,907,132,624,082,305,024 = ~ 1.2980742 * 10^33 = ~ 1.3 decillion

So in the most basic words: AEO just now got 512 times simpler to crack. And they say they they will get it down to 262144 times simpler than it originally had been. (262144 = 512 * 512)
Which would be a huge improvement. But still, as you can see from the number behind the 2^110, it would be an incredibly large number of tries before you tried all combinations to this "lock". :)

Now if you wanted to know how long, you would have to multiply that huge number by the time it takes your target computer system, to try one key, and check if it worked.
The only thing that would "help" here, were rainbow tables. But they would be so large, that we could not store them on this planet, or even solar system alone (from what I heard about the number of atoms being in it).

Now you might start to get a feeling for its security, even if you know nothing about cryptography at all. :)

Re:Complexity.

[Hurricane78]

Oh damn. I just noticed that I read trough the whole comment, previewed it, and STIL missed that the <pre> tags around the second paragraph did not get trough, and that I wrote AEO instead of AES.

It makes my penis go from A to Z on an US keyboard, when I think about this. ;)
.
.
. :(

Re:Complexity.

[mgblst]

Wow, -64 minutes? Google is good.

Re:Complexity.

[Lord+Ender]

How long would it take you to count to 2^119? The time it took to crack AES used to be a multiple of that.

Now how long would it take you to count to 2^110.5? The new time to crack AES is a multiple of that number, which anyone who went to college will tell you is MUCH smaller than 2^119. It's still a big number, though.

Re:Complexity.

[paul248]

Are you sure about that? Why shouldn't AES-256 be expected to require 2^256 operations to brute force?

Re:Complexity.

[orngjce223]

That's what I said! (See sig.)

Re:Complexity.

[Skuto]

It's irrelevant to the point. The explanation is about why an attack with a given complexity can be a break for Cipher-256 but not for Cipher-128, but not necessarily mean that Cipher-128 is stronger than Cipher-256.

If the break found would have been 2^129 instead of 2^119, what I described would have exactly been the case.

Re:Complexity.

[Skuto]

Only if 2^0 memory is involved. The attack requires 2^128 memory, which increases the total complexity.

Re:Complexity.

Well yes, the GP was irrelevant to a scenario that doesn't correspond to reality.

Re:Complexity.

no, its not down from 2^256 to 2^118.

This is a related key attack, so due to birthday paradox, its down from 2^128 to 2^118, which is means "1024" times better.
But this is neither true since each of the 2^128 "simple" brute force rounds is much simple than each of 2^118 new attack rounds. In fact, the new attack may in practice be slower than brute force

Re:Complexity.

Hehe, and now YOUR post is the first hit!

Re:Complexity.

[hey!]

This is not a technological advance. It is a scientific (or perhaps mathematical) advance.

The point is not that AES is broken; the point is that insights have been gained into its vulnerabilities. It's not necessarily the thin end of the wedge because we don't know whether such a wedge exists, but it could be *a* thin end of *a* wedge. Or it might not. If an AES crack is ever found, it might not be based on this discovery, but this discovery would still have its place in the history of the crack. It's like mathematical proof. Sometimes the first proof of a conjecture is complicated and messy, but then not too long after a shorter and more elegant proof is found. It may be that knowledge that something is provable is a motivation; or that lesser insight somehow fertilize mathematical imagination. It's hard to say because the process of mathematical creativity is so mysterious.

Re:Complexity.

[Skuto]

The original post was surprised that the attack worked against AES-256 but not AES-128. That isn't surprising. Reality is that It's fairly typical for the reasons I stated.

Even before this attack, 10 rounds of AES-256 were broken, but only 7 rounds of AES-128. That's not because AES-256 has weaker rounds than AES-128.

Re:Complexity.

[Joce640k]

]"why would this NOT affect 128 bit AES?"

AES-256 is really AES-128 in disguise. The only difference is that instead of having a single 128-bit key you alternate between the two halves of the 256 bit key at each step of the encryption process (ok, it's not a simple swap but you get the idea). This messing about with the key is what caused the weakness - it introduced a pattern into what should be a patternless output.

AES128 doesn't do this so it's immune.

Re:Complexity.

[Joce640k]

Um, the title of the paper is "Related-key Cryptanalysis of the Full AES-192 and AES-256". I'm guessing AES-192 is affected by this.

Re:Complexity.

[Joce640k]

Moore never said that, he said something about speed/price. Computers may cost $0.00001 in 60 years time but they're unlikely to be 2^39 times faster.

That's Today...

[Nom+du+Keyboard]

but they pose no immediate threat for the real world applications that use AES.

Funny how news of just about every major break of an existing cryptography system or secure hash method has started out with just about those same exact words.

Re:That's Today...

[parvin]

That's because ~362x faster than effectively forever is still effectively forever.

Re:That's Today...

[Godji]

Examples?

Re:That's Today...

[maxume]

The attack is 2^137 faster than forever. They figure they can enhance it to get an additional factor of 2^8.5.

Quantum Computers

[religious+freak]

Yeah, this is interesting math, but I don't think our cryptographic scheme is in danger until quantum computers become a stable and reliable source of heavy computing. Then we're all in trouble. How do you create a key, when the entire large number method is made obsolete by quantum computing? I haven't looked into it much, but I don't think anyone has found an answer yet.

To my knowledge quantum cryptography is still limited to very close distances, while cracking a crypto key is obviously not affected by this limitation.

Re:Quantum Computers

Aren't you effectively in the shit? I'm not quite sure what/how, but my sixth sense tells me that unless you have a secure means of communications (In which to transfer a one time pad, or something), you can't send any useful information and have it be impossible to read. Public key crypto seems to just bend this rule by making it damn difficult to read.

Re:Quantum Computers

[JambisJubilee]

You are not in the shit. Secure communication can be established on an insecure channel using quantum cryptography. Look it up on Wikipedia.

Re:Quantum Computers

[Chyeld]

I did but the article kept telling me that I'd only know if I were in deep shit if I opened the box...

Re:Quantum Computers

[Joce640k]

Quantum computers won't do much to break block ciphers, they'll only be useful against ciphers which rely on finding factors of large numbers.

The real-world applications for quantum computers are very limited.

Re:Quantum Computers

[Xtravar]

The government will require licenses to run quantum computers, and they'll be so fast that the FBI can run spyware on them without you noticing performance degradation! If you are innocent you have nothing to hide!!!

Re:Quantum Computers

[mathimus1863]

Parent is slightly off on the Quantum computing comment. Quantum computers can break cryptographic protocols based on the difficulty of integer factorization (RSA/PGP/GPG/PKI/SSL/TLS), and discrete-logarithms (all of the above plus elgamal, elliptic curves). However, AES is a block cipher which relies on neither of these pure-math problems.

The only advantage of QCs in breaking AES is that Grover's Algorithm can be applied for random guessing of the encryption key. AES-256 has 2^256 possible encryption keys. It takes a classical computer an average of n/2 guesses to find the right key, or 2^255 operations. However a QC running Grover's Algorithm does it in an average of approx sqrt(n) "guesses." This means that it takes about 2^128 operations to get the AES-256 key using a quantum computer.

As previous posters have mentioned, 2^128 is still far out of our reach. And to subvert QCs for this type of problem, all we have to do is double our key length to get the same security. Perhaps if we find a way to combine Grover's Algorithm with this new AES vulnerability, we can get it down to 2^60 to 2^64, but that is still extremely prohibitive. Additionally, that's a big "if," since Grover's Algorithm is intended for pure-guessing problems.

Re:Quantum Computers

[religious+freak]

Well, I don't think anyone has said it would be "impossible" to decrypt communication as we use it now, just pretty difficult. Of course, there are degrees of difficulty, and with quantum computers, the difficulty of breaking the types of keys we use now becomes much lower because of the superpositional state the qubits inhabit.

Re:Quantum Computers

[religious+freak]

I defer to your knowledge, since it looks like you've got more than I do, judging by your comment.

However, I was under the impression that due to the superpositional state of a qubit (i.e. being both 1 and 0) adding one extra qubit essentially doubles the effective power of the quantum computer (in terms of the very specific operations of finding factors for large numbers and searching data). So, once we are more effective at entangling qubits, we don't really have a defense against a brute force attack, unless we can come up with some exceedingly LARGE LARGE numbers...

Re:Quantum Computers

[someSnarkyBastard]

To bastardize a quote from Futurama: No fair! You changed the message by reading it!!

Re:Quantum Computers

[MaskedSlacker]

The real-world applications for quantum computers are very limited.

No, the real-world scenarios where quantum computers are a major improvement are limited. They can be used for everything normal computers are as well.

Re:Quantum Computers

[evilviper]

How do you create a key, when the entire large number method is made obsolete by quantum computing?

There are several methods of public-key encryption which are secure against quantum computers. Try Lamport Signatures for a start:

http://en.wikipedia.org/wiki/Lamport_signature

Re:Quantum Computers

[SeekerDarksteel]

How exactly does Grover's Algorithm help in this situation? With Grover's, you have an unsorted list and want to look up the position of an arbitrary element in the list. This takes O(n) sequentially, but O(sqrt(n)) with Grover's. It has absolutely nothing to do with guessing. In brute-forcing a block cipher, you have a large number of keys and you need to try each one sequentially. There's no lookup involved at all. I'm afraid I'm gonna have to call bullshit, something I need to do all too much in QC related topics.

Re:Quantum Computers

[miro+f]

we are in the shit because it's going to be a long time from the building of the first quantum computer capable of cracking any regular crypto message to the point where everyone can afford one.

During that time, how do you ensure security of your message?

Re:Quantum Computers

[SeekerDarksteel]

To clarify, quantum cryptography (which _should_ be called quantum key exchange) is just a method of exchanging a private key securely. This private key can then be used on an insecure channel. It is also ridiculously overhyped, particularly by people who don't fully understand it. Current implementations require a direct fiber-optic line between Alice and Bob, and is still vulnerable to man-in-the-middle attacks, presuming that the man in the middle is able to compromise both the direct quantum line as well as the insecure channel over which the measurement orientations are exchanged and later communication is established.

Re:Quantum Computers

[mathimus1863]

I probably should've linked to my post about Quantum Computing from yesterday.

The power of Quantum Computers is in getting really smart people to figure out how to take advantage of quantum interference to our benefit. There have been some really impressive results for a variety of pure-math problems that only a few people care about. But integer factorization and discrete-logarithms are among them - hence why QCs threaten most/all asymmetric encryption protocols (they're all based on one or both of those problems). However, for a vast array of problems, QCs won't offer us any computational improvement.

There are some improvements for more-practical algorithms, but the speed-up isn't usually as impressive. However, using Grover's algorithm to reduce a pure guessing problem from O(n) to O(sqrt(n)) is intriguing, to say the least.

Re:Quantum Computers

[Dolda2000]

If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011

While you, on the other hand, would need to learn to capitalize and write proper sentences. And yes, I read that using neither a calculator nor an ASCII chart. ;)

Re:Quantum Computers

[w0mprat]

IANAQP (I am not a quantum physist) but my understanding of the idea (and goal) of quantum computing is to use the physics of suposition to allow an arrangement of qubits to test all possible conditions of the logic set up in a single pass, rather than testing conditions iteratively as we do with logic today.

But this doesn't mean with the right arrangement of qubits, set up to represent the algorithim of a brute force key test, and assuming you are doing a simple match or statistical test of the decrypted data agains some sample data also tested by the arrangement of qubits, you could brute force a encryption key in one single iteration
?? ?

And further, that for something like AES-128, 256, 512 and higher you only need to a moderate increase the number of qubits for the quantum logic, rather than an stupidly exponential increase in the cycles of regular computation?

Re:Quantum Computers

[mathimus1863]

I took a class on QC, and I assure you that you are mis-reading Grover's Algorithm. It applies to any pure-guessing problem for which all possible answers are equally likely. If you can create a quantum circuit that can check whether a given key is correct, and no one key is any more likely than any other key, then you can apply Grover's algorithm.

It appears you are a little trigger-happy with calling BS.

Re:Quantum Computers

[mathimus1863]

In fact, I see you basically just spit out what was written on the "Grover's Algorithm" wiki page. Well, someone should update that page, because the "unsorted database search" is only one example of the usefulness of Grover's Algorithm.

Since you trust wiki so much, consider the wiki page on quantum computers which contains the explanation of Grover's algorithm as I described it.

I believe because of you, my post got modded down/out, which is a shame since I'm one of the few people here who's actually studied QCs before. Go read my other post about quantum computers.

Re:Quantum Computers

[religious+freak]

MOD PARENT UP!

You stated what I was trying to say much more intelligently and succinctly. My initial point was to say that this is a mathematical breakthrough, for sure, but won't really endanger or even impact our cryptographic security platform, but when quantum computers become more stable and a sufficient amount of qubits are entangled, I'm not aware of any backup plan which will still provide secure communication protocols over long distances. And well, that could be a pretty big problem.

Re:Quantum Computers

[TheTurtlesMoves]

There are some physics I know (I was one once...) that work on quantum computers. They don't think they will ever be faster at cracking than classic computers.

There are 2 reasons.

First a quantum computer construction complexity goes up to the power of qbits. ie a quantum computer with n qbits has construction complexity of O(2^n), so with Moores law in place the number of qbits goes up linearly with time... This is leaving out the extra qbits you need for error correcting with decoherence that makes adding qbits even harder.

Second a 128 qbit quantum computer cannot efficiently simulate a 129 qbit computer. Thus to factor 1024 bit primes you need at least a 1024 qbit computer. This is in contrast to a classic computer where it can emulate larger internal register computer in polynomial time.

There are other things to consider. They are not so good with classic encryption. ie cracking AES. In fact I don't think there is an algorithm to crack AES or other symmetric encryption methods. Also the algo is probably different for each type of block cipher. However I have not bothered to follow the literature on this.

Quantum computers seem to trade a hard math problem with a hard construction problem.... Oh but note we don't know if factoring is hard (ie not in P). Ironically we also don't know that P!=NP, or if trap door functions exist. We just think they do.

Re:Quantum Computers

[TheTurtlesMoves]

Now if that quantum circuit to check if a key is correct, depends on the key? That is the key changes the block cipher used? I don't think it applies since if you can make a classic circuit to decrypt then you should be able to make a quantum one that can check. But it is interesting to consider how the classic counterpart can make it hard to do. ie with lots of rounds.

Re:Quantum Computers

[Joce640k]

Grover's algorithm doesn't help with block ciphers. AES is secure from quantum attack.

2^119 is...

[AnotherBlackHat]

For those who are asking "what's 2^119 complexity mean?"

2^64 is about as hard a problem as we can reasonably solve these days.
2^80 is about as hard a problem as we can unreasonably solve. I.e. we can do it, but it would take the budget of a country for several years to do.
A can of soda has about 2^83 molecules in it.
2^119 is still way beyond anything we can reasonably do, but isn't so hard that we can rule out any theoretical possibility of solving it.
A house sized computer built of solid nano-compute units, each a few hundred molecules on a side, with a cycle time of about 10 petahertz could do it in less than a lifetime.
Perhaps possible but I wouldn't worry about it.
2^256 is so hard that it may not even be theoretically possible to solve - or maybe you could if you're willing to destroy a few solar systems, and wait a few million years.
While cracking 2^256 may not be theoretically impossible, it would be easier to look everywhere the information you want might be hidden - including inside the mind of your opponent - even if he's dead.

Re:2^119 is...

2^64 was solved by the EFF over a decade ago for less than $250K. Trivially by raw brute force. It's available to people with a bit of technical expertise and about $10k hardware budget as of maybe 3-5 years ago. It took them a few days then.

Look--I don't know what you consider reasonable--but calling 2^64 "about as hard as is reasonable". Maybe it isn't reasonable with your expertise, or on your desktop, or without a bit of dedicated budget--but it isn't just reasonable...it's *trivial* in a cryptographic context.

As far as I'm concerned, if it's below 2^128 it isn't good enough. Also--brute forcing 2^256 *is* theoretically impossible (at least, until you get into quantum mechanics).

Re:2^119 is...

While cracking 2^256 may not be theoretically impossible, it would be easier to look everywhere the information you want might be hidden - including inside the mind of your opponent - even if he's dead.

So you're saying that 256 bits should be enough for anyone?

Re:2^119 is...

[b00fhead]

No, EFF's Deep Crack brute-forced 2^56 - a fair way from 2^64.

Re:2^119 is...

[Dahamma]

2^64 was solved by the EFF over a decade ago for less than $250K. Trivially by raw brute force.

Actually, it was DES they cracked, which uses 56 bit keys, not 64. A 64 bit key would take 256 times longer. That 56 hours Deep Crack took would be 597 days for a 64 bit key, which is not "trivial".

It's available to people with a bit of technical expertise and about $10k hardware budget as of maybe 3-5 years ago. It took them a few days then.

From their site, in 2007 (2 years ago) it took an average or 6.4 days. Use Moore's law and knock that down to, say 36 hours today. That's still over a year for a 64 bit key.

Look--I don't know what you consider reasonable--but calling 2^64 "about as hard as is reasonable". Maybe it isn't reasonable with your expertise, or on your desktop, or without a bit of dedicated budget--but it isn't just reasonable...it's *trivial* in a cryptographic context.

Over a year to decrypt a message is not trivial... though yeah, it's clearly not complex enough for truly sensitive data (ie anything worth either waiting a year or spending a few million bucks to decrypt).

Re:2^119 is...

of course, there is always the 2^119 chance that you just happen to guess the answer on the first try.

Re:2^119 is...

[Kjella]

So you're saying that 256 bits should be enough for anyone?

Unless you discover reversible computing, yes. Otherwise you could have an infinitely fast computer, but even the Sun at E=mc^2 and 100% efficiency couldn't do it. It's not a speed limitation, it's an energy limitation. Take the Landauer limit at background radiation temperature. Plug that into a calculator and you get joules required:

(2^256) * 1.3806504 * (10^(-23)) * 2.72500 * ln(2) = 3.0196359 * 10^54

Energy of sun:
1.98892 * (10^30) * (299 792 458^2) = 1.78755215 * 10^47

Re:2^119 is...

one half of 2^120, but twice 2^118. ... also, 1 in 2^119 are the odds that each and every one of the first 2^4 people reading this got laid in the past 24 hours ...

Regards.

Re:2^119 is...

[someSnarkyBastard]

Over a year to decrypt a message is not trivial... though yeah, it's clearly not complex enough for truly sensitive data (ie anything worth either waiting a year or spending a few million bucks to decrypt).

maybe not trivial to you, but what if you wanted that secret to keep for more than one year? For me, I'd rather trivial be defined as within the span of my natural life. This is not unreasonable by the way, most modern ciphers should be able to stay secure until the sun expends its nuclear fuel and goes dark. (breakthroughs in prime factorization/finding discrete logarithms not withstanding)

Re:2^119 is...

[Tycho]

2^40 would take very little time on a home PC, an afternoon or maybe a day.

40 bits is also the size of the keyspace used by HDCP for HDMI and DVI, for "encrypted" HD displays. I don't feel like doing the math, but determining all of the 40-bit keys used in HDCP could probably be done in a short time on a reasonable home PC, using a man in the middle attack. However, for copying HD video, one would still probably get better quality by showing Macrovision, the MPAA, and the Blu-Ray consortium that using BD+ to protect BD-ROM discs is stupid. For the original developers it was a surprisingly good scam that they managed to pull off on the movie industry. BD+ attempts to determine what physical hardware a Turing-complete machine is running, using an obfuscated Java program. This is futile because another unauthorized Turing-complete machine can easily mimic the behavior of an authorized Blu-Ray player. The ability of any Turing-complete machine to execute the same program as another Turing-complete machine allows for emulation and is a cornerstone of the Church-Turing Thesis. For instance, if done properly, an Apple IIe could run the BD+ decryption program, thus mimicking an authorized Blu-Ray player. However, one should expect quite a bit of floppy disk swapping, and good luck finding enough 5.25" disks in usable shape, especially if you decide to play a 50GB movie on that machine. On the other hand, trying it on an older machine that used punch cards. Imagine the size of a 50GB punch card deck using standard IBM punch cards.

Re:2^119 is...

What is 'trivial depends entirely on your application. If you're sending out battlefield instructions, the usefulness of the information to the enemy may well expire in a matter of minutes or hours, so it doesn't make sense to use very strong crypto if using cheaper, simpler, more reliable, and lighter crypto machines for the troops in the field that will nevertheless stay secure for longer than that given all the computing power that the enemy is likely to throw at it is available. Does absolutely no good to the enemy commander to hear that you ordered your troops down the hidden western pass after your troops have already crossed it and are massacring his unprepared soldiers in a surprise attack. If you're sending out confidential business plans that will be executed in a month's time using a 64-bit encryption key, it does just as much good for your competitor to decrypt it in a year's time after you've already done what's in the encrypted instructions and have finally slaughtered his company in the market. Certainly there are applications that require really really strong crypto, but they not as numerous as one might think.

Re:2^119 is...

[tkw954]

you could have an infinitely fast computer, but even the Sun at E=mc^2 and 100% efficiency couldn't do it. It's not a speed limitation, it's an energy limitation. Take the Landauer limit at background radiation temperature. Plug that into a calculator and you get joules required: (2^256) * 1.3806504 * (10^(-23)) * 2.72500 * ln(2) = 3.0196359 * 10^54 Energy of sun: 1.98892 * (10^30) * (299 792 458^2) = 1.78755215 * 10^47

So you're saying I only need 17 million suns?

Re:2^119 is...

[babyrat]

You really shouldn't use the word theoretically in this case....

It is perhaps 'practically' impossible but in 'theory' I could simply guess the correct key on my first attempt. Or my second. It might be really really close to impossible, but not quite impossible.

Re:2^119 is...

[orange47]

but if you're lucky and pick the right key at first try, it would be solved almost instantly..

Re:2^119 is...

[hotrodent]

Why wouldn't you just attack the passphrase? Surely brute forcing even something like 733tPa55werd is easier than brute forcing the actual key?

Re:2^119 is...

[Kjella]

So you're saying I only need 17 million suns?

No, that was just showing 17 million suns as a lower bound with as few conditions as possible.
- Unless 8.5 million of those suns are antimatter suns, you have to collect it differently say fusion. That's about 5% efficient
- Let's assume you'll build Dyson spheres around all the suns covered in solar collectors with 50% efficiency.
- Checking one AES key is more than 1 bit flip, at least 128 bits * 10 bit flips

Already you're up to 17*10^6/0.05/0.5*128*10 = 870 billion suns - that's about 8-9 Milky Way galaxies. And there's still a lot of extremely unlikely conditions in there, by the time you've reached "realistic" conditions you're probably talking about burning through most of the known universe.

Re:2^119 is...

[Dahamma]

But what if you wanted that secret to keep for more than one year?

Yeah, hence the comment:

"it's clearly not complex enough for truly sensitive data (ie anything worth either waiting a year or spending a few million bucks to decrypt)."

Anyway, I wasn't trying to say a 64 bit key is good enough for much these days, I was just trying to point out that there is a significant difference between a 56 and 64 bit key, since the OP was a bit off (or 8 bits off) in the details...

Re:2^119 is...

[tkw954]

Already you're up to 17*10^6/0.05/0.5*128*10 = 870 billion suns - that's about 8-9 Milky Way galaxies. And there's still a lot of extremely unlikely conditions in there, by the time you've reached "realistic" conditions you're probably talking about burning through most of the known universe.

So you're saying that a length of rubber hose would be cheaper?

Where's the Hyperbole?

...but they pose no immediate threat for the real world applications that use AES.'"

Wait a minute... where's the fear mongering, sensationalism and hyperbole? You call this reporting? I want my money back.

Re:Where's the Hyperbole?

[fuzzyfuzzyfungus]

That quote is from a scientist, probably not a good source of hyperbole, on average. Just wait until a couple of quote/requote cycles have occurred, and you'll get Fox's "World's Scariest Cryptoanalytic breakthroughs: Do they threaten the children?"

Re:Where's the Hyperbole?

ZOMG!!! We gonna DIE!!!

Happy now? AC Wanker!

Re:Where's the Hyperbole?

[maugle]

Fox's "World's Scariest Cryptoanalytic breakthroughs: Do they threaten the children?"

Not frightening enough. Try "Coming up next: Have these scientists just told terrorists how to steal your children's identities?"

Re:Where's the Hyperbole?

[fuzzyfuzzyfungus]

We report, you decide...

What about an AES 512 or 1024??

[filesiteguy]

I don't know if the size of the hash has anything to do with the package or the resultant file, but what about simply doubling (or greater) the hash?

I did try to read the article, but got a bit lost when I began to read stuff like, "A basic boomerang distinguisher [12] is applied to a cipher EK(&#1;) which is
considered as a composition of two sub-ciphers: EK(1) = E1 2 E0. The &#12;rst sub-cipher is supposed to have a di&#11;erential &#11; ! &#12;, and the second one to have a..."

Man, it is hard being a PHB!

Re:What about an AES 512 or 1024??

[Sique]

I don't know if the size of the hash has anything to do with the package or the resultant file, but what about simply doubling (or greater) the hash?

Here comes the irony: The attack is possible, because AES-256 and AES-192 are "extended" versions of AES-128. While AES-128 still goes strong, the extended versions are attacked, and their complexity is reduced to at least 2^119. AES-128 remains at 2^128.

Re:What about an AES 512 or 1024??

[Tycho]

I'm a bit confused here, I remember reading an article on hardware hard drive encryption or perhaps something else, but the my understanding was that AES-256 was just performing AES-128 encryption on the data two times in a row. The logic was that is circumvented various legal restrictions on AES keys longer than 128 bits while still being just as hard to crack as single AES encryption with a 256 bit key. I'm uncertain if I remember it right, I may be confusing it with DES, however.

Re:What about an AES 512 or 1024??

[mlts]

That's DES that was used three times in an E-D-E mode (subkey 1 encrypts, subkey 2 decrypts, subkey 3 encrypts). This allows the dedicated DES hardware to be used to give 112 bits (not 168) of security. This was done out of necessity to have a modern keyspace until another cryptographic standard (AES) could be implemented.

Doing the same thing with AES would get far less returns. AES is a fast algorithm, and running AES-128 three times to have the bit width of AES-256 wouldn't increase security as much as people think. It would also be more CPU intensive than one run of AES-256 as well, and there are a lot of tasks AES is used for that are time sensitive. Finally, as of now, AES is still secure, and all doing a triple AES run would do is just burn up needed CPU cycles.

Instead of using AES multiple times, if there is serious concern that AES is weakened, people should consider using a cascade cypher, where they use AES with Serpent, Twofish, or another modern algorithm that supports at least a 128 (preferably 256) bit key, and a 128 bit block size. The algorithms would need to have the same block (not key) size for optimal processing.

From what I recall, if someone cascades three ciphers of 256 bits, they are not really going to get 768 bits of protection, they will get about 258 bits. However, the main advantage of a cipher cascade is that if one of the algorithms has been found to have a serious weakness, the other two will still protect the data, so an attacker will still have to deal with the full 256 bits of one of the algorithms used.

Fixed SSL Link

[Mr.+Sketch]

For some reason that SSL link to the paper uses the name of a server that doesn't have the SSL certificate so Firefox complains. Replacing the hostname gives this link that Firefox doesn't complain about:
https://www.cryptolux.org/mediawiki/uploads/1/1a/Aes-192-256.pdf

Only one thing come to my mind:

[geantvert]

http://xkcd.com/538/

Re:Hello!! Person with Key, meet Rubber Hose

[Qzukk]

What a coincidence! I use the starting lineup of the Green Bay Packers for my encryption key too!

decrypting this disinformation

Let me decrypt this disinformation for y'all. Namely:

"better than brute force with a complexity of 2^119"

If you lived a few days before this was discovered, you would expect "128 bits of security" in your AES. But now you only get 119. What's that extra 9 bits between friends? That's just a factor of 512. It means if a few weeks ago, someone would have had to pay $70 billion for hardware capable of decrypting your message within 600 days guaranteed (with an expected success time at the 300-day mark), now they only have to pay $136 million, obviously no big change. Oh and

"we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time."

Which is another 8.5 bits, or a further factor of 362, leaving the tab at $377,000 for the equipment to brute-force your data within 600 days (with the expected success time at the 300-day mark). Really, it is hard to imagine how any organization might have $377,000 for such an activity but not $70 billion, so far as I can see this doesn't really change much of anything.

Actually, nerdless wanna be, 1 bit = 100% stronger

If 128 bits is good enough, 129 bits is twice as good as good enough. 130 bits is 4x, 131 is 8x, and so on. I am aware that nerdless wanna bes will never grok this binary stuff, but I know you don't know, and that's all that needs to be known, for the both of us.

My brain saw NES...

... and wondered if perhaps there were some bad cartridges being distributed these days.

Re:My brain saw NES...

[rafemonkey]

Don't feel bad... I assumed it had something to do with the NEO-GEO AES. Video game nerds unite!

Yes.

[Estanislao+Mart�nez]

It means if a few weeks ago, someone would have had to pay $70 billion for hardware capable of decrypting your message within 600 days guaranteed (with an expected success time at the 300-day mark), now they only have to pay $136 million, obviously no big change.

That is true in exactly the same way it is true that if it had rained during my walk yesterday, I would have gotten soaked.

Re:Yes.

More like, "I don't know if you went out in the rain yesterday or today, but I do know enough about the change in precipitation to know that if you had to be out in the rain for 10 minutes to get thoroughly soaked yesterday, you would have had to be out in the rain for 1.17 seconds to get just as soaked today."

You can argue that that's not much of a change in precipitation. Please, make that argument. Be my fucking guest.

Obligatory XKCD quote

[snikulin]

Security

Re:Obligatory XKCD quote

[Hurricane78]

Well, if your data is more important than your life, just use an encrypted keyfile on a USB stick, and destroy that stick on capture. Then even you won't be able to decrypt the data.

Re:Obligatory XKCD quote

I'm so sick of that XKCD comic and people passing it around, it's stupid and incorrect.
Plausible deniability
Stop spreading jokes you don't understand.

Re:Obligatory XKCD quote

[noppy]

rubber hose cryptanalysis.

Re:Obligatory XKCD quote

[drsmithy]

Plausible deniability

Chances are fairly high that what you consider "plausible" and what the person with the wrench considers "plausible" will not be the same.

you wet your pants

[epine]

Good life strategy: if you truly don't understand something, and you're not interested in learning, make a joke about it. Those who laugh identify themselves as your peers, while the rest of us will (normally) engage in a silent shunning so you'll never have to confront the anguish of feeling uniformed.

Not knowing the difference between a block cipher for bulk encryption and a public key cipher for key exchange is on par (in this neck of the woods) with not knowing the difference between a debt and a deficit, or the difference between mass and weight. You might wish to append finance and physics to your note to self.

What I don't get is your mirth circuit determined that a discussion on a cryptographic attack was in need of a mirth tweet, as if this kind of thread isn't drowning in misinformation/misunderstanding 99% of the time.

Around the advent of Netscape, I briefly dabbled in an online MUD of the tedious variety. In the name of realism, your character had to sleep a lot. The game did have one good feature. You would go "con bartender" (short for "consider kicking bartender's ass") and the game would respond "you wet your pants" if you were hopelessly outclassed.

> con mirth zeta function
You wet your pants!

Well, we can dream.

Re:you wet your pants

What I don't get is your mirth circuit determined that a discussion on a cryptographic attack was in need of a mirth tweet, as if this kind of thread isn't drowning in misinformation/misunderstanding 99% of the time.

Thank you for your valuable contribution to this thread.

this a RELATED-KEY attack

The usual threat model for a cipher is either a "chosen plaintext attack" (CPA) or a "chosen ciphertext attack" (CCA). In both of those, you have a lot of plaintext-ciphertext pairs all encrypted under the same key, and your job is to use that info against the cipher. Not necessarily to actually compute the key (which would totally destroy the cipher) but even to be able to infer anything about it statistically (for example, to have a better than random chance of guessing whether a new plaintext/ciphertext pair was encrypted with the same key).

This attack is a related-key attack, which traditionally means that you get to see the same plaintext encrypted under enormous numbers (like 2^119 in this case) of different but related keys, rather than under the same key (or a "small" number of keys like a few trillion). This is a threat model that most ciphers aren't designed against and it's instead countered by designing the application to not rely on it. For example, don't use the cipher as a hash function by using the plaintext as a key and encrypting some constant. Properly designed crypto applications don't let attackers access the keys, and they generate their keys randomly rather than letting them be related. I don't think related-key attack resistance was part of the specification given to entrants of the AES contest, and IIRC the AES standard doesn't claim such resistance.

Nonetheless, the designers of Rijndael (the cipher that is the basis of AES) designed Rijndael to be "ideal", which among other things Rijndael was supposed resist related-key attacks, which was above and beyond the AES requirements.

This new discovery finds that the AES cipher in fact does not meet Rijndael's design goals. Rijndael's design goals, however, exceeded the requirements stated in the AES standardization process, and any applications using AES are supposed to only use the characteristics of AES stated in the standard. So, even if this attack were of low enough complexity to be practical, it STILL should not affect valid AES applications, unless they are relying on characteristics that AES was never promised to have.

Mod parent way the fuck up

[Virak]

Almost everyone here seems to be missing the bit in the summary that mentions that it's time and data complexity. It's not nearly as bad as 2^119 time and some tiny data.

Regarding oh-shit-that's-a-big-number

[duffel]

ok, someone needs to check my math and logic because I'm basically asleep at the moment, but:

2^100.5 = 1.8e30
2^119 = 664613997892457936451903530140172288 = 6.6x10^35

In atoms:
Avogadro's number is 6x10^23.
1 mole of iron contains 6x10^23 Fe atoms, and has a mass of 55 grams. So, 2^119 atoms are 2^119/6^23 = 1e12 moles. This means that 2^119 atoms of iron would have a mass of 55 megatonnes. (1 tonne = 10^6g), which is (very roughly) the mass of a solid cube of iron 200 meters to the edge.
So, if you take a 200 m cube of iron, the number of atoms in that will be about 2^119. Which is pretty big.

The same math for 2^100.5 makes it roughly equal to the number of atoms in a cube of iron only 3 m across.

Compare that, though, to 2^256:
2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 = 10^77.

This is equal to the number of atoms in a cube of iron one light year (!) across.

So, from 2^256 to 2^119 and then to 2^100.5 are massive steps. But then again, bear in mind that 2^100.5 = 1.8x10^30 is still massive, so no worries as yet.

Unless I made a mistake. My formula from number of atoms to cube size is: ( numberOfAtoms/ (6e23 atoms per mole) * (55 g per mole) / (8 g per cubic cm) ) ^ (1/3). Output in cm.

Re:Regarding oh-shit-that's-a-big-number

Compare that, though, to 2^256:
2^256 = 115792089237316195423570985008687907853269984665640564039457584007913129639936 = 10^77.

This is equal to the number of atoms in a cube of iron one light year (!) across.

Eeeks... that makes it very, well, visible.

Though an iron cube of that size would immediately (well, within a year) collapse into a black hole.

Still, a nice analogy.

visualizing the improvement

[layer3switch]

2^256
26  25  24  23  22  21  20  19  18  17  16  15  14  13  12  11  10   9   8   7   6   5   4   3   2   1
115 792 089 237 316 195 423 570 985 008 687 907 853 269 984 665 640 564 039 457 584 007 913 129 639 936

2^119
12  11  10   9   8   7   6   5   4   3   2   1
664 613 997 892 457 936 451 903 530 140 172 288

2^110.5 (rounded off to nearest units)
12  11  10   9   8   7   6   5   4   3   2   1
  1 835 754 156 221 338 741 132 617 695 578 321

2 significant figures improvement!  That's freaking amazing.

Obligatory Cryptonomicon Quote

[froon]

If you want your secrets to remain secret past the end of your life expectancy, then, in order to choose a key length, you have to be a futurist. You have to anticipate how much faster computers will get during this time. You must also be a student of politics. Because if the entire world were to become a police state obsessed with recovering old secrets, then vast resources might be thrown at the problem of factoring large prime numbers.

So the length of the key that you use is, in and of itself, a code of sorts. A knowledgeable government eavesdropper, noting Randy's and Avi's use of a 4096-bit key, will conclude one of the following:

-Avi doesn't know what he's talking about. This can be ruled out with a bit of research into his past accomplishments. Or,

-Avi is clinically paranoid. This can also be ruled out with some research. Or,

-Avi is extremely optimistic about the future development of computer technology, or pessimistic about the political climate, or both. Or,

-Avi has a planning horizon that extends over a period of at least a century.

-- Neal Stephenson, Cryptonomicon

Re:Obligatory Cryptonomicon Quote

[jd]

So for the ultra-careful, you'd want a distributed key where the number of key fragments needed does not reveal the key length, merely the upper bound possible.

Re:Obligatory Cryptonomicon Quote

You had me up to "factoring large prime numbers". The definition of a prime number is that its only factors are itself and one.

Oh, and my money would be on both parts of option three.

Re:Obligatory Cryptonomicon Quote

[louiswins]

I'm pretty sure he meant "factoring large semiprimes".

Re:Obligatory Cryptonomicon Quote

[khellendros1984]

Asymmetric encryption systems (such as RSA) use key pairs (a set of two prime numbers) to generate the public and private keys. There are other numbers involved, but those two are the most important. Each of those is a large number, but they're only *probably* prime numbers, to cut down on the time generating keys. Since you're talking about huge numbers (my bank encrypts with 1024 bit keys), you don't actually have the time to verify that they're prime *for sure*. Anyhow, the private and public keys are generated in such a way that if you were able to successfully factor the public key, you could trivially derive the private key, which would allow you to unlock the entire communication stream. That's what's meant by "factoring large prime numbers" in this context.

Re:Actually, nerdless wanna be, 1 bit = 100% stron

actually, via basic statistics -- (10^119 - 10^110.5) / 10^119 = approx 99.7% improvement

Sigh... I'll repeat again:

[snikulin]

Lord Farquaad: I've tried to be fair to you creatures, now my patience has reached it's end! Tell me or I'll...
Gingerbread Man: NO! Not the buttons! Not my gumdrop buttons!
Lord Farquaad: Alright then! Who's hiding them?
Gingerbread Man: Ok. I'll tell you. Do you know... the muffin man?

No, you are not sick just yet...

[snikulin]

Just wait for their torture chambers...
You know, possibility of plausible deniability can and will be cross-checked and verified over there.

Re:No, you are not sick just yet...

But that's just the opposite extreme of the situation portrayed in the comic...

...opposite extreme...

[snikulin]

Why it's so?
$5 wrench is a perfect password-extraction device in experienced hands.
With all appropriate kicking and screaming, of course.

Re:...opposite extreme...

You obviously don't understand how plausible deniability is implemented in cryptographic products...

Re:...opposite extreme...

You obviously don't understand that the guy with the wrench doesn't care how plausible deniability is implemented in cryptographic products. He just cares that his boffin says that there is some free space in an encrypted file which could contain a hidden volume. He will keep going with the wrench until there is no unaccounted free space left or your remains finally stop twitching.

That's what puts me off using Truecrypt. I have used it when carrying a laptop with trade secrets (product designs and source code) but I was only visiting a relatively liberal state in the middle east, I wouldn't dare carry encrypted files into the Fascist States of America.

Re:...opposite extreme...

And how would that differ if you didn't use the plausible deniability features and if you did hand over your keys? The end result would be the same, meaning you are screwed no matter what you do in that scenario so you may as well use the plausible deniability features to protect your data since either way you are going to get tortured.

...destroy that stick on capture

[snikulin]

We have tried this approach at my company.
We were tasked to destroy a stick with sensitive data (the requester did not believe in formatting).

It was not easy!
The chip itself was quite a hardy one and we had to use a stationary drill to get it done.
I am afraid the capturing act will be very swift and disallowing of any such an activity.

Re:...destroy that stick on capture

[Muad'Dave]

If they ask you to do it again, you could try one of the following:

• Kill it with fire.
• Grind the chip off.
• Crush the chip with pliers.

Re:Actually, nerdless wanna be, 1 bit = 100% stron

[TheTurtlesMoves]

its bits, so that should be base 2, not 10. Doesn't change the numbers much however.

MOD PARENT DOWN

Parent is wrong. This is a related key attack and not one of the standard known plaintext attacks. AES-128 is supposed to have a complexity of 2^64 against those (please google before talking about the obvious "this is just for hashes"). So AES-256 is still better than AES-128.

Re:MOD PARENT DOWN

[Joce640k]

I'm gonna need a citation for that one. I never heard of known plaintext attacks on AES (and it wouldn't have certified by NSA if they existed). Yes, I googled "aes128 known plaintext" - got nothing. I think you're making it up.

FAQ

The authors have a useful FAQ regarding the attack here: https://cryptolux.org/FAQ_on_the_attacks

It's not practical

First: Don't panic.

This attack is not practical, it requires from what I read at least 2^62 encryptions with 4 related keys. Name me one transaction where that's likely to open to the attacker. Most things like SSL use only 1 key [then the next is randomly generated] and every SSL session so far in history has been far less than 2^66 bytes in length (nor were they with related texts). So it's an attack in the sense that yes, in theory you can break AES in very contrived [in the lab] scenarios. But under those circumstances you could already break AES-256 in 2^128 effort [hint: encrypt every plaintext and look it up].

What this attack REALLY shows is that AES cannot be used as an MD style hash. Which is fine because a real hash would be faster, and for MAC'ing purposes like CMAC, CCM, or GCM they don't operate in MD mode anyways.

"Crypto is always broken." is a myth

[0ptix]

That's a pretty common myth.

It might hold for most symmetric key cryptography algorithms (such as AES, SHA, MD5, DES, etc) however there is a whole other branch of (admitidely mainly theoretical) cryptography which relies on provable security. I.e. formal reductions showing that breaking security of the scheme is at least as hard as solving some difficult underlying problem. For such schemes it's a lot more plausable that there may simply not be a poly-time algorithm which solves them. (Take the short vector problem of lattice based crypto for example. To date we don't even have a _quantum_ algorithm that solves it efficiently let alone a classical one. Yet there are schemes that are at least as hard to break as that problem is difficult to solve.)

And of course then there is another branch of cryptography which considers information theoretic security. These are provably _unconditionally_ secure. (The most common example being the "one time pad".) For these algorithms, protocols, and applications as long as the under lying model is a good model of the real world there is simply no way to break security regardless of computing technology and future developments in algorithms.

So no. Crypto is not just broken. Quite a lot of modern crypto is actually pretty secure. (Now whether it's practically efficient is a whole other new ball game of course, but then that wasn't the claim...)

RTFA

[Calyth]

Try RTFA. The attack is against AES-256, which although the attack is still theoretical, 2^119 is more than collapsing the keylength to less than half its original size.

That actually doesn't look too good, because as pointed out by Scheier, attacks are only going to get better.

2^128, not 2^256

[aphexer]

Brute-forcing a n bit symmetric cipher like AES doesn't take O(2^n) steps to break worst-case, but it takes O(2^(n/2)) steps. So it's a reduction from 2^128 to 2^119 in the case of AES-256. Not from 2^256 to 2^119.

It takes 2^128 instead of 2^256 because of the birthday paradox.