New AES Attack Documented

← Back to Stories (view on slashdot.org)

Posted by timothy on Wednesday July 1, 2009 @09:50AM from the ponder-don't-panic dept.

avxo writes "Bruce Schneier covers a new cryptanalytic related-key attack on AES that is better than brute force with a complexity of 2^119. According to an e-mail by the authors: 'We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time. We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.'"

51 of 236 comments (clear)

Min score:

Reason:

Sort:

Yawn by Shikaku · 2009-07-01 09:56 · Score: 2, Insightful

So instead of taking 1 million years to brute force, it will take .9 million years?
I totally made up those numbers but that's about the difference.
1. Re:Yawn by a_n_d_e_r_s · 2009-07-01 10:55 · Score: 4, Informative
  
  Given that the new theory lowers the time to break it with about 99.7% if it before took 1 million years it now only takes 3000 years.
  Remember for everý less bit it takes to decrypt - it halves the time it takes to break a cipher.
  
  --
  Just saying it like it are.
2. Re:Yawn by Eivind · 2009-07-01 17:15 · Score: 2, Insightful
  
  http://valerieaurora.org/hash.html
  Pay special attention to the reaction of the "slashdotter" to "minor weakness found", and compare it to your reaction.
  Remember, attacks always gets better, never worse. The first attack that weakens an algorithm *is* a big deal.
  Oh, and reducing complexity from 2^128 to 2^110 isn't as it may appear a reduction of 10% in time-to-break, infact it's a reduction of 2^18 or about a factor of a million, so it's more like if before it took a million years, now it takes ONE year. Luckily for you, AES256 was at a lot more than a million years before the break, so there's still some air left in it.
Re:Improvement by WaXHeLL · 2009-07-01 09:56 · Score: 3, Informative

erm only a 99.7% improvement.

--
The troll with karma.
Complexity by techno-vampire · 2009-07-01 09:57 · Score: 2

TFA refers (as does the summary) to complexity of 2^119, and possibly lowering it to 2^110.5. Could somebody rephrase that in a way that people like me, who aren't cryptography specialists can understand what they're talking about?

--
Good, inexpensive web hosting
1. Re:Complexity by Anonymous Coward · 2009-07-01 10:03 · Score: 3, Insightful
  
  I believe the complexity is a rough measure of how long it should take to break the code. So in this case, a reduction from 2^119 to 2^110.5 is approximately 360 times faster (that is, a 2^119 complexity attack takes 360 times as long as a 2^110.5 complexity attack).
2. Re:Complexity by wealthychef · 2009-07-01 10:04 · Score: 2, Informative
  
  Normally, "complexity" in computer science refers to how long it takes to do a given task, given the size of the task. It's usually expressed as O(blah), read, "Order of blah". For example, an O(n^2) ("order n squared") complexity means that if it takes "m" minutes to finish a problem of size x, then it will take 16m minutes to finish a problem of size 4x. I'm not familiar with the term "complexity" being used in this context and with these specific numbers.
  
  --
  Currently hooked on AMP
3. Re:Complexity by vux984 · 2009-07-01 10:18 · Score: 4, Informative
  
  Could somebody rephrase that in a way that people like me, who aren't cryptography specialists can understand what they're talking about?
  Sure I'll rephrase it for you. "Don't worry."
  What? You wanted something deeper without having to know anything? Ok...so AES was thought to require 2^128 time units to brute force. So 2^119 time complexity means essentially that the new algorithm takes 2^119 units of time to complete which is a lot better, and they think it might be able to optimize it down to 2^110 units of time.
  What a 'unit of time is' is a computing science hand-wave because it doesn't really matter what it is. When comparing algorithms for large problems you are interested in how it compares relative to other algorithms, not how much absolute time it will take on a Commodore 64 or Intel i7 or whether its programmed in Smalltalk vs C. Those details while important in their own right aren't really relevant to the comparison of the algorithms themselves.
  A 2^110 algorithm is significantly better than a 2^119 algorithm for 'large problems' regardless of what we set the unit of time to be, and in turn 2^119 is much better than 2^128.
  In practice the unit of time is rooted in how long it takes a computer to do 'an operation'. So it might be milliseconds or nanoseconds, or whatever. And the upshot is that even 2^110 is STILL gazillion years even if its programmed in C on an i7 and every i7 on the planet is contributing to the effort...
  Hence... "Don't worry."
  Its mathematically very interesting, but for the moment, its nothing to "worry" about.
4. Re:Complexity by Joce640k · 2009-07-01 10:38 · Score: 5, Informative
  
  It means you only have to test 2^119 possible keys to break 256-bit AES - still far beyond what's ever going to be feasible (do the math - give everybody on the planet a million PCs running at 1THz and see how long it takes to do 2^119 things, then figure out where you're going to get that much electricity from)
  
  Interesting to note is that AES-128 is immune to this attack - it's now the strongest variant of AES. Everybody (like me) who thought the 256-bit and 192-bit were a waste of time now has a reason to be smug about it.
  
  Reason: Both AES-192 and AES-256 are just AES-128 internally but they mess around with the key data between each loop of the encryption process. The new attack only works on the "messing around" part of the process so AES-128 is unaffected.
  
  --
  No sig today...
5. Re:Complexity by jcwayne · 2009-07-01 11:11 · Score: 2, Funny
  
  ... 2^137 times better is half a metric asston.
  I measure algorithmic complexity in imperial asstons, you insensitive clod.
  
  --
  Failure to follow this advice may result in non-deterministic behavior.
6. Re:Complexity by dotgain · 2009-07-01 11:49 · Score: 2, Funny
  
  Imperial Asstons are non-migratory
7. Re:Complexity by Kjella · 2009-07-01 11:52 · Score: 3, Interesting
  
  I'm not familiar with the term "complexity" being used in this context and with these specific numbers.
  Because it's not a problem that scales with n, it's an attack on one particular value of n. Ideally brute forcing an n-bit cipher has complexity O(2^n). For 256 bit AES, they've found an attack that instead of the ideal 2^256 attempts takes 2^119 attempts. But you can't say O(2^119) because that is equal to O(1), and any function with n would be false since it doesn't apply to other n. I guess you could say an attack with "complexity O(2^(n*119/256) for n=256" but you're likely to confuse a hundred times as many as are enlightened.
  
  --
  Live today, because you never know what tomorrow brings
8. Re:Complexity by man_of_mr_e · 2009-07-01 13:41 · Score: 2, Insightful
  
  Unless of course you start in the middle and expand outwards in both directions ;)
  
  --
  If you need web hosting, you could do worse than here
9. Re:Complexity by Joce640k · 2009-07-01 21:55 · Score: 2, Funny
  
  ...and when I say "strongest" I mean in a pure math sort of way.
  
  Any attack which starts with things like "first you encrypt 2^128 carefully chosen plaintexts and store them in a hash table" isn't really an attack you should worry about.
  
  --
  No sig today...
Furthers my stand on crypto, which is: DON'T by Anonymous Coward · 2009-07-01 09:57 · Score: 4, Funny

Crypto is broken. It's not IF, but WHEN. That's why crypto is pointless to use. this is why I use open source, and even keep all doors unlocked. It's pointless to try and protect propery, real or intellectual/imaginary.
1. Re:Furthers my stand on crypto, which is: DON'T by droopycom · 2009-07-01 10:51 · Score: 4, Insightful
  
  Refutation: Crypto is indeed all about WHEN. WHEN is not pointless, it is the point.
Complexity. by girlintraining · 2009-07-01 09:57 · Score: 4, Funny

For those who don't have a degree in oh-shit-that's-a-big-number, can someone give a comparative analysis of what "2^119" complexity means? I mean what else is "2^119" hard to solve? And yes, the math nerds are undoubtedly either dying of laughter or yelling at the screen for my abuse of powers of two... I don't care.

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Complexity. by xZgf6xHx2uhoAj9D · 2009-07-01 10:05 · Score: 4, Informative
  
  AES-128 uses keys which are 128 bits long. That means in order to "break AES" (in order to decrypt something you don't have the key to), all you have to do is try all possible keys of length 128 until you find one that works. That means you would have to try 2^128 different combinations, which is a lot.
  What these people have done is found some clever way where you can break AES trying only 2^119 combinations. Effectively this means AES is no better than if it had used 119-bit keys instead of 128-bit keys. Sometimes you'll hear this colloquially as something like "AES has 119 bits of security", referring to how many combinations of keys you have to try before you find the one works.
  2^119 is a massively large number. Trying 2^119 combinations is still terribly far outside of the realm of what all of the world's most powerful supercomputers combined could hope to do. This is an attack of theoretical interest, not practical interest.
2. Re:Complexity. by cpu_fusion · 2009-07-01 10:11 · Score: 5, Insightful
  
  Pardon me, but isn't the article about AES-256? So this is a much more significant drop in the number of bits.
  Of course, I've only read the summary. This is slashdot, natch.
3. Re:Complexity. by godrik · 2009-07-01 10:13 · Score: 2, Interesting
  
  A couple of years ago (2003), a cryptographic system was said to be secured if it requires more than 2^80 computation. I do not know what is the current standard and I have no clue how to find it.
  However 2^110 is still way to large for us at the moment.
  To give an estimation. Supose you have one million processors clocked at 10Ghz (which nobody have nowadays), you can do 10^6 * 10^10 = 10^16 ~= 2^48 computations per second. To crack AES and using this machine you'll need 2^110 / 2^48 = 2^62 seconds to do so which is approximatively 150 billions year.
  The attack is of theoretical interest mainly but should tell people not to use AES with a cryptographical key smaller than 256.
4. Re:Complexity. by Anonymous Coward · 2009-07-01 10:13 · Score: 2, Informative
  
  Except IYRTFA, the attack only works on AES-192 and AES-256. AES-128 is unaffected, which would seem to imply that, oddly, AES-128 could be stronger than AES-256 and AES-192 in some circumstances.
5. Re:Complexity. by quercus.aeternam · 2009-07-01 10:16 · Score: 5, Informative
  
  Two things:
  First, they are talking about AES-256.
  Second, I find it useful to think about how much faster that is. In this case, it means it is 2^137 times faster than a pure brute force attack, which certainly seems impressive. Fortunately, as you mentioned, this is still far too difficult to be applied.
  Just for fun, google this: 2^119 picoseconds in millenia
6. Re:Complexity. by Anonymous Coward · 2009-07-01 10:16 · Score: 3, Interesting
  
  2^119 is a massively large number.
  664613997892457936451903530140172288
  Meh. I've seen bigger.
7. Re:Complexity. by tabrisnet · 2009-07-01 10:32 · Score: 3, Informative
  
  Bull.
  a) AES is not based on prime numbers, nor is it a public-key cipher. you're thinking RSA or some other public-key cipher. Hence why RSA has to be at least 1024 (and now 2048 and up is recommended) bits long.
  b) There's a lot more bull going around here. AES256 was believed to require 2^128 operations to bruteforce, not 2^256. Thus any question of 256 -> 119 is bull. It's 128 -> 119.
  c) Brute-forcing a 64bit RC5 key took distributed.net years (and note that that was with the benefit of Moore's [so called] Law). Mind you, that actually required searching a 64bit keyspace.
8. Re:Complexity. by dermoth666 · 2009-07-01 10:38 · Score: 2, Informative
  
  I believe the probability being halved has something to do with the birthday paradox. It's been a time where I could explain this better; if you wish to find out just search for it on Google... This page seems to have a good explanation too:
  http://betterexplained.com/articles/understanding-the-birthday-paradox/
9. Re:Complexity. by betterunixthanunix · 2009-07-01 10:48 · Score: 2, Informative
  
  This is an attack on key schedules; the key schedule of AES-128 is different from that of AES-192 and AES-256, thus rendering it impervious to this particular attack. As the authors note, this sheds new light on key schedule design, much in the same way that differential cryptanalysis shed light on S-box design.
  
  --
  Palm trees and 8
10. Re:Complexity. by BitterOak · 2009-07-01 10:49 · Score: 2, Interesting
  
  I believe the probability being halved has something to do with the birthday paradox.
  Actually, that just applies to secure hash functions (like MD5 and SHA, and the like) and not to block ciphers. If AES-256 can be cracked with only 2^119 calculations, that is a HUGE drop in security.
  The reason that hash functions really only give you half as many bits of security as you have bits in the digest is that a hash is considered broken if you can find two messages which have the same hash. Since you can vary both messages, you only have to try 2^(n/2) as many, just like the birthday "paradox".
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
11. Re:Complexity. by Anonymous Coward · 2009-07-01 10:50 · Score: 2, Funny
  
  that's what she said.
12. Re:Complexity. by DriedClexler · 2009-07-01 10:58 · Score: 2, Funny
  
  Note to self: never try to tell a cryptography joke.
  
  --
  Information theory is life. The rest is just the KL divergence.
13. Re:Complexity. by electrostatic · 2009-07-01 11:11 · Score: 3, Informative
  
  Just for fun, google this: 2^119 picoseconds in millenia.
  Google says:
  
  2.10607966 × 10^13 millenia -- which equals about 21,000,000 billion years
  
  With the new attack the figure is 2^110.5 trys, which is
  
  (2^110.5) picoseconds = 5.81727815 × 10^10 millenia
  
  a mere 58,000 billion years.
  
  Looking at it another way, 119 - 110.5 = 8.5, which is the reduction of the exponent, giving 2^8.5 = 362. So knocking off 8.5 bits reduces the amount of time+effort by that ratio.
  
  "Picosecond" is the assumed amount of time it takes for one attempt here, which I assume is reasonable given a massively-parallel attack machine.
  
  Still, 58 trillion years...
14. Re:Complexity. by AlHunt · 2009-07-01 11:21 · Score: 5, Interesting
  
  >Just for fun, google this: 2^119 picoseconds in millenia
  And for even more fun - 64 minutes after the parent posted, the post itself was the first result.
  
  --
  1 in 4 Maine children in struggle with hunger.
15. Re:Complexity. by rawler · 2009-07-01 11:43 · Score: 2, Interesting
  
  Basically, it says how long it would take to be sure to crack it.
  To give a comparison, most machines on the net today is clocked at ~4Ghz, that is 4 000 000 000 instructions per second. Imagine a CPU:s doped for only one thing, and one cpu-cycle would mean one key tested ( in reality, there's more like maybe 1000s of cycles/test or something like that ). That would mean that the cpu crunched 172 000 billions of tests per day. With that monster cpu, it would still take 5 billions of billion years to be sure to crunch that encryption.
  Even if you filled the theoretical limits of todays internet (unfortunately, IPv6 is still the internet of tomorrow) with these monster machines, it would still take 1,25 billon years to be sure to find the key. This all is of course just theory. Who knows, if you're lucky you may get it in a tenth of that time, only 125 million years. ;)
  As a footnote, for the cost of those monster-machines, the operational cost of them and the staff to support them, you'd be much better off bying an army. Physical security in most places is much weaker than AES currently, so it would be much easier just to force the secrets out.
  Disclaimer: All this assumes turing-machines, where only one solution at a time can be evaluated. In a quantum-processor, you could theoretically do much better.
16. Re:Complexity. by someSnarkyBastard · 2009-07-01 12:19 · Score: 2, Informative
  
  Or they switch to the cipher they should have gone with, namely Serpent: http://en.wikipedia.org/wiki/Serpent_(cipher) http://www.cl.cam.ac.uk/~rja14/serpent.html For those too lazy to read the links, Rijndael (aka AES) is faster, simpler, and more elegantly designed than Serpent. Serpent is more conservative, slightly slower in software (faster in hardware though), and not quite as pretty aesthetically. Rijndael was chosen to become AES for its speed and simplicity, two things IMO that have minimal desirability in a cryptography algorithm.
17. Re:Complexity. by nine-times · 2009-07-01 14:06 · Score: 2, Insightful
  
  You can make fun of me anyway. It's a dumb mistake to make.
Quantum Computers by religious+freak · 2009-07-01 10:05 · Score: 2, Insightful

Yeah, this is interesting math, but I don't think our cryptographic scheme is in danger until quantum computers become a stable and reliable source of heavy computing. Then we're all in trouble. How do you create a key, when the entire large number method is made obsolete by quantum computing? I haven't looked into it much, but I don't think anyone has found an answer yet.

To my knowledge quantum cryptography is still limited to very close distances, while cracking a crypto key is obviously not affected by this limitation.

--
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
1. Re:Quantum Computers by JambisJubilee · 2009-07-01 10:18 · Score: 2, Insightful
  
  You are not in the shit. Secure communication can be established on an insecure channel using quantum cryptography. Look it up on Wikipedia.
2. Re:Quantum Computers by mathimus1863 · 2009-07-01 11:31 · Score: 4, Informative
  
  Parent is slightly off on the Quantum computing comment. Quantum computers can break cryptographic protocols based on the difficulty of integer factorization (RSA/PGP/GPG/PKI/SSL/TLS), and discrete-logarithms (all of the above plus elgamal, elliptic curves). However, AES is a block cipher which relies on neither of these pure-math problems.
  
  The only advantage of QCs in breaking AES is that Grover's Algorithm can be applied for random guessing of the encryption key. AES-256 has 2^256 possible encryption keys. It takes a classical computer an average of n/2 guesses to find the right key, or 2^255 operations. However a QC running Grover's Algorithm does it in an average of approx sqrt(n) "guesses." This means that it takes about 2^128 operations to get the AES-256 key using a quantum computer.
  
  As previous posters have mentioned, 2^128 is still far out of our reach. And to subvert QCs for this type of problem, all we have to do is double our key length to get the same security. Perhaps if we find a way to combine Grover's Algorithm with this new AES vulnerability, we can get it down to 2^60 to 2^64, but that is still extremely prohibitive. Additionally, that's a big "if," since Grover's Algorithm is intended for pure-guessing problems.
3. Re:Quantum Computers by evilviper · 2009-07-01 13:32 · Score: 2, Informative
  
  How do you create a key, when the entire large number method is made obsolete by quantum computing?
  There are several methods of public-key encryption which are secure against quantum computers. Try Lamport Signatures for a start:
  http://en.wikipedia.org/wiki/Lamport_signature
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
4. Re:Quantum Computers by mathimus1863 · 2009-07-01 13:42 · Score: 2, Insightful
  
  I probably should've linked to my post about Quantum Computing from yesterday.
  
  The power of Quantum Computers is in getting really smart people to figure out how to take advantage of quantum interference to our benefit. There have been some really impressive results for a variety of pure-math problems that only a few people care about. But integer factorization and discrete-logarithms are among them - hence why QCs threaten most/all asymmetric encryption protocols (they're all based on one or both of those problems). However, for a vast array of problems, QCs won't offer us any computational improvement.
  
  There are some improvements for more-practical algorithms, but the speed-up isn't usually as impressive. However, using Grover's algorithm to reduce a pure guessing problem from O(n) to O(sqrt(n)) is intriguing, to say the least.
5. Re:Quantum Computers by mathimus1863 · 2009-07-01 14:50 · Score: 2, Interesting
  
  I took a class on QC, and I assure you that you are mis-reading Grover's Algorithm. It applies to any pure-guessing problem for which all possible answers are equally likely. If you can create a quantum circuit that can check whether a given key is correct, and no one key is any more likely than any other key, then you can apply Grover's algorithm.
  
  It appears you are a little trigger-happy with calling BS.
6. Re:Quantum Computers by TheTurtlesMoves · 2009-07-01 18:58 · Score: 2, Interesting
  
  There are some physics I know (I was one once...) that work on quantum computers. They don't think they will ever be faster at cracking than classic computers.
  
  There are 2 reasons.
  
  First a quantum computer construction complexity goes up to the power of qbits. ie a quantum computer with n qbits has construction complexity of O(2^n), so with Moores law in place the number of qbits goes up linearly with time... This is leaving out the extra qbits you need for error correcting with decoherence that makes adding qbits even harder.
  
  Second a 128 qbit quantum computer cannot efficiently simulate a 129 qbit computer. Thus to factor 1024 bit primes you need at least a 1024 qbit computer. This is in contrast to a classic computer where it can emulate larger internal register computer in polynomial time.
  
  There are other things to consider. They are not so good with classic encryption. ie cracking AES. In fact I don't think there is an algorithm to crack AES or other symmetric encryption methods. Also the algo is probably different for each type of block cipher. However I have not bothered to follow the literature on this.
  
  Quantum computers seem to trade a hard math problem with a hard construction problem.... Oh but note we don't know if factoring is hard (ie not in P). Ironically we also don't know that P!=NP, or if trap door functions exist. We just think they do.
  
  --
  The Grey Goo disaster happened 3 billion years ago. This rock is covered in self replicating machines!
2^119 is... by AnotherBlackHat · 2009-07-01 10:13 · Score: 5, Interesting

For those who are asking "what's 2^119 complexity mean?"
2^64 is about as hard a problem as we can reasonably solve these days.
2^80 is about as hard a problem as we can unreasonably solve. I.e. we can do it, but it would take the budget of a country for several years to do.
A can of soda has about 2^83 molecules in it.
2^119 is still way beyond anything we can reasonably do, but isn't so hard that we can rule out any theoretical possibility of solving it.
A house sized computer built of solid nano-compute units, each a few hundred molecules on a side, with a cycle time of about 10 petahertz could do it in less than a lifetime.
Perhaps possible but I wouldn't worry about it.
2^256 is so hard that it may not even be theoretically possible to solve - or maybe you could if you're willing to destroy a few solar systems, and wait a few million years.
While cracking 2^256 may not be theoretically impossible, it would be easier to look everywhere the information you want might be hidden - including inside the mind of your opponent - even if he's dead.
1. Re:2^119 is... by b00fhead · 2009-07-01 10:41 · Score: 2, Informative
  
  No, EFF's Deep Crack brute-forced 2^56 - a fair way from 2^64.
2. Re:2^119 is... by Kjella · 2009-07-01 11:16 · Score: 4, Interesting
  
  So you're saying that 256 bits should be enough for anyone?
  Unless you discover reversible computing, yes. Otherwise you could have an infinitely fast computer, but even the Sun at E=mc^2 and 100% efficiency couldn't do it. It's not a speed limitation, it's an energy limitation. Take the Landauer limit at background radiation temperature. Plug that into a calculator and you get joules required:
  (2^256) * 1.3806504 * (10^(-23)) * 2.72500 * ln(2) = 3.0196359 * 10^54
  Energy of sun:
  1.98892 * (10^30) * (299 792 458^2) = 1.78755215 * 10^47
  
  --
  Live today, because you never know what tomorrow brings
3. Re:2^119 is... by Tycho · 2009-07-01 13:43 · Score: 2, Interesting
  
  2^40 would take very little time on a home PC, an afternoon or maybe a day.
  40 bits is also the size of the keyspace used by HDCP for HDMI and DVI, for "encrypted" HD displays. I don't feel like doing the math, but determining all of the 40-bit keys used in HDCP could probably be done in a short time on a reasonable home PC, using a man in the middle attack. However, for copying HD video, one would still probably get better quality by showing Macrovision, the MPAA, and the Blu-Ray consortium that using BD+ to protect BD-ROM discs is stupid. For the original developers it was a surprisingly good scam that they managed to pull off on the movie industry. BD+ attempts to determine what physical hardware a Turing-complete machine is running, using an obfuscated Java program. This is futile because another unauthorized Turing-complete machine can easily mimic the behavior of an authorized Blu-Ray player. The ability of any Turing-complete machine to execute the same program as another Turing-complete machine allows for emulation and is a cornerstone of the Church-Turing Thesis. For instance, if done properly, an Apple IIe could run the BD+ decryption program, thus mimicking an authorized Blu-Ray player. However, one should expect quite a bit of floppy disk swapping, and good luck finding enough 5.25" disks in usable shape, especially if you decide to play a 50GB movie on that machine. On the other hand, trying it on an older machine that used punch cards. Imagine the size of a 50GB punch card deck using standard IBM punch cards.
  
  --
  Impersonating Tycho from Penny Arcade since before there was a PA.
Obligatory XKCD quote by snikulin · 2009-07-01 11:28 · Score: 5, Funny

Security
this a RELATED-KEY attack by Anonymous Coward · 2009-07-01 11:39 · Score: 5, Informative

The usual threat model for a cipher is either a "chosen plaintext attack" (CPA) or a "chosen ciphertext attack" (CCA). In both of those, you have a lot of plaintext-ciphertext pairs all encrypted under the same key, and your job is to use that info against the cipher. Not necessarily to actually compute the key (which would totally destroy the cipher) but even to be able to infer anything about it statistically (for example, to have a better than random chance of guessing whether a new plaintext/ciphertext pair was encrypted with the same key).
This attack is a related-key attack, which traditionally means that you get to see the same plaintext encrypted under enormous numbers (like 2^119 in this case) of different but related keys, rather than under the same key (or a "small" number of keys like a few trillion). This is a threat model that most ciphers aren't designed against and it's instead countered by designing the application to not rely on it. For example, don't use the cipher as a hash function by using the plaintext as a key and encrypting some constant. Properly designed crypto applications don't let attackers access the keys, and they generate their keys randomly rather than letting them be related. I don't think related-key attack resistance was part of the specification given to entrants of the AES contest, and IIRC the AES standard doesn't claim such resistance.
Nonetheless, the designers of Rijndael (the cipher that is the basis of AES) designed Rijndael to be "ideal", which among other things Rijndael was supposed resist related-key attacks, which was above and beyond the AES requirements.
This new discovery finds that the AES cipher in fact does not meet Rijndael's design goals. Rijndael's design goals, however, exceeded the requirements stated in the AES standardization process, and any applications using AES are supposed to only use the characteristics of AES stated in the standard. So, even if this attack were of low enough complexity to be practical, it STILL should not affect valid AES applications, unless they are relying on characteristics that AES was never promised to have.
Mod parent way the fuck up by Virak · 2009-07-01 11:53 · Score: 3, Informative

Almost everyone here seems to be missing the bit in the summary that mentions that it's time and data complexity. It's not nearly as bad as 2^119 time and some tiny data.
Obligatory Cryptonomicon Quote by froon · 2009-07-01 12:42 · Score: 5, Interesting

If you want your secrets to remain secret past the end of your life expectancy, then, in order to choose a key length, you have to be a futurist. You have to anticipate how much faster computers will get during this time. You must also be a student of politics. Because if the entire world were to become a police state obsessed with recovering old secrets, then vast resources might be thrown at the problem of factoring large prime numbers.
So the length of the key that you use is, in and of itself, a code of sorts. A knowledgeable government eavesdropper, noting Randy's and Avi's use of a 4096-bit key, will conclude one of the following:
-Avi doesn't know what he's talking about. This can be ruled out with a bit of research into his past accomplishments. Or,
-Avi is clinically paranoid. This can also be ruled out with some research. Or,
-Avi is extremely optimistic about the future development of computer technology, or pessimistic about the political climate, or both. Or,
-Avi has a planning horizon that extends over a period of at least a century.
-- Neal Stephenson, Cryptonomicon
Sigh... I'll repeat again: by snikulin · 2009-07-01 15:30 · Score: 4, Funny

Lord Farquaad: I've tried to be fair to you creatures, now my patience has reached it's end! Tell me or I'll...
Gingerbread Man: NO! Not the buttons! Not my gumdrop buttons!
Lord Farquaad: Alright then! Who's hiding them?
Gingerbread Man: Ok. I'll tell you. Do you know... the muffin man?
"Crypto is always broken." is a myth by 0ptix · 2009-07-02 04:00 · Score: 2, Interesting

That's a pretty common myth.

It might hold for most symmetric key cryptography algorithms (such as AES, SHA, MD5, DES, etc) however there is a whole other branch of (admitidely mainly theoretical) cryptography which relies on provable security. I.e. formal reductions showing that breaking security of the scheme is at least as hard as solving some difficult underlying problem. For such schemes it's a lot more plausable that there may simply not be a poly-time algorithm which solves them. (Take the short vector problem of lattice based crypto for example. To date we don't even have a _quantum_ algorithm that solves it efficiently let alone a classical one. Yet there are schemes that are at least as hard to break as that problem is difficult to solve.)

And of course then there is another branch of cryptography which considers information theoretic security. These are provably _unconditionally_ secure. (The most common example being the "one time pad".) For these algorithms, protocols, and applications as long as the under lying model is a good model of the real world there is simply no way to break security regardless of computing technology and future developments in algorithms.

So no. Crypto is not just broken. Quite a lot of modern crypto is actually pretty secure. (Now whether it's practically efficient is a whole other new ball game of course, but then that wasn't the claim...)