New Research Cracks AES Keys 3-5x Faster

← Back to Stories (view on slashdot.org)

New Research Cracks AES Keys 3-5x Faster

Posted by Unknown on Thursday August 18, 2011 @12:53PM from the before-the-heat-death-of-the-universe dept.

Landing his first accepted submission, qpgmr writes "AES, generally thought to be the gold standard for encryption, is showing weaknesses. From Computerworld: 'Researchers from Microsoft and the [Belgian] Katholieke Universiteit Leuven have discovered a way to break the widely used Advanced Encryption Standard, the encryption algorithm used to secure most all online transactions and wireless communications.'" The full paper has lots of details. Note that it would still take a few billion years with current computers to actually break anything, but there may be further vunerabilities yet to be discovered.

176 comments

Min score:

Reason:

Sort:

"current computers" by Anonymous Coward · 2011-08-18 12:55 · Score: 0, Troll

Note that it would still take a few billion years with current computers

That's about... oh... 20 minutes using NSA equipment.
1. Re:"current computers" by SquirrelDeth · 2011-08-18 13:02 · Score: 3, Insightful
  
  Or it would only take a year with a few billion computers.
2. Re:"current computers" by Nialin · 2011-08-18 13:02 · Score: 5, Funny
  
  No, they just use Keyloggers.
3. Re:"current computers" by CharlyFoxtrot · 2011-08-18 13:10 · Score: 0
  
  That's about... oh... 20 minutes using NSA equipment.
  The equipment in question being the large wrench they use to knock the password out of you.
  Well to be fair it's actually more like 12 hours to whisk you away to an undisclosed middle eastern location, then 20 minutes of "cracking", but still.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
4. Re:"current computers" by JoshuaZ · 2011-08-18 13:27 · Score: 1
  
  That's about... oh... 20 minutes using NSA equipment In order for this sort of thing to be cracked quickly one would need either ridiculously fast computers even by the standards of something like the NSA. It is more plausible that the NSA is aware of improved algorithms that would allow much faster key recovery. In that case, this improvement is likely irrelevant. It is more likely that they will be able to break things due to implementational problems such rather than direct key retreivable. So I'd be more concerned about side-channel attacks and the like. Also, obligatory xkcd: http://xkcd.com/538/.
5. Re:"current computers" by DragonTHC · 2011-08-18 14:09 · Score: 4, Funny
  
  you mean our equipment?
  it's widely known that the NSA uses all known operating systems for distributing computing tasks.
  So every windows computer connected to the Internet will accept NSA task packets and compute them and send them back. It does this seamlessly though so the user never sees anything. They built it into the TCP/IP stack. It just becomes easier with windows and even Linux. (SELinux anyone?)
  
  --
  They're using their grammar skills there.
6. Re:"current computers" by Anonymous Coward · 2011-08-18 14:26 · Score: 1
  
  May I interest you in one of my premium tin foil hats?
7. Re:"current computers" by UnknowingFool · 2011-08-18 14:42 · Score: 1, Insightful
  
  Not necessarily. Some problems are not solved faster by parallel computing. ie. If it take 9 months for a 1 woman to have baby, you can't get 9 women to have a baby in one month.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
8. Re:"current computers" by Pete+Venkman · 2011-08-18 15:03 · Score: 1
  
  *coughcough*proveit*cough*
9. Re:"current computers" by calgar99 · 2011-08-18 15:04 · Score: 1
  
  You're not doing it right.
10. Re:"current computers" by lorenlal · 2011-08-18 15:12 · Score: 1
  
  *cough*whoosh*cough*
11. Re:"current computers" by lordholm · 2011-08-18 17:27 · Score: 1
  
  No, but you can pipeline it and have one baby per month if you wait one month between creating each baby. This gives you a throughput of one per month after the initial setup time.
  
  --
  "Civis Europaeus sum!"
12. Re:"current computers" by shaitand · 2011-08-18 17:30 · Score: 3, Informative
  
  An interesting observation. Though it is dampened by the fact that brute forcing encryption is pretty much the poster child of an application that lends itself well to parallel processing.
13. Re:"current computers" by dido · 2011-08-18 19:07 · Score: 4, Informative
  
  No. To crack AES-128 the attack still requires work of the order of 2^126.1. A machine capable of cracking a 56-bit DES key in a second might be built for about US$5B, going by the price of the COPACABANA FPGA-based DES cracker (US$10,000 for a machine that can crack 56-bit keys in 6 days). Such a machine would take 140 trillion years to crack AES-128 by brute force, or 38 trillion years to crack AES-128 using the algorithm. If you had 38 trillion of these machines you could conceivably crack an AES-128 password in a year. But to give you some idea of how big 38 trillion is, if each of these 38 trillion machines could be made to fit in a 1U server box, the rack would be just over 1.672e8 km high, just a bit over one astronomical unit. You could build a bridge from the earth to the sun with that. If you spread that many machines out, they'd cover 8,892,000 square kilometers, which is more than the total area of the lower 48 states of the US, and you'd have enough machines left over to pave over just about half of Alaska. If they ran at 100 W each, the project would require 3.3288e16 kWh of energy, or 1.2e23 joules, about a thousand times more than the world's annual energy consumption.
  For 256-bit keys the problem is even worse. The algorithm has a complexity of 2^254.4. The energy requirement of that staggering number, assuming a computer able to operate at the von Neumann-Landauer limit of ln(2)kT energy per bit flip, running at a temperature of 2.7 K, would require a staggering 1.24e54 J of energy, about the equivalent of 10 billion supernovas, or about a thousandth of the total mass-energy of the Milky Way Galaxy.
  
  --
  Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
14. Re:"current computers" by intellitech · 2011-08-18 20:36 · Score: 1
  
  And if you order now, you'll receive not one, but TWO, free bath robes, and a children's bible for junior. Call now, because this offer won't last long.
  
  --
  vos nescitis quicquam, nec cogitatis quia expedit nobis ut unus moriatur homo pro populo et non tota gens pereat.
15. Re:"current computers" by RivenAleem · 2011-08-18 22:01 · Score: 1
  
  So, you're saying we might have to work weekends?
16. Re:"current computers" by gmueckl · 2011-08-18 22:59 · Score: 1
  
  But wasn't AES chosen from a hos of candidates by the NSA? As far as I remember, they had external cryptography experts on that.
  If you are a guy who thinks tinfoil hats are fashionable, you might come to think that the NSA might have chosen AES because they knew how to break it all along, but none of the civilian experts saw flaws in it. Now, the first one of the deliberate flaws actually showed up. While I believe that any such organization would pull that kind of stunt in an instant, I do not believe that they have quite that much advanced knowledge about cryptography. These people are there to spy and coerce, so they are also as Machiavellian and manipulative as they can get.
  
  --
  http://www.moonlight3d.eu/
17. Re:"current computers" by datapharmer · 2011-08-19 00:15 · Score: 1
  
  Which is great and all until they use them quantum backscatter thingamabobs to read your login from your noggin while your noddin'. Then they get your password and decrypt in a matter of seconds.
  
  --
  Get a web developer
18. Re:"current computers" by datapharmer · 2011-08-19 00:26 · Score: 1
  
  Is that why customers always tell me their computer feels slow after a while and the only way to fix it is to reinstall the OS? I just thought it was malware ridden and the "registry fixer" they ran (that was also coercion-ware) borked it beyond all chance of repair.
  
  --
  Get a web developer
19. Re:"current computers" by GooberToo · 2011-08-19 00:45 · Score: 1
  
  The algorithm is known to be secure. Even with this compromise, according to several crypto guys I've read responses from, even by today's standard AES is very much secure. They did saw if you apply the current computing trends, likely it won't be, on the upper end, in another decade or two.
  So even with this weakness, assuming the NSA has vastly more massive computing power available than anyone things, it would require ALL of their computing power for a considerable duration. So pragmatically, this has zero implications the NSA today.
20. Re:"current computers" by Kentari · 2011-08-19 00:46 · Score: 1
  
  So you move the embryos/foetuses to another uterus every month? I don't think you grasped either pregancy or pipelines completly...
21. Re:"current computers" by morgauxo · 2011-08-19 00:47 · Score: 1
  
  Ooh Ooh Can we pave over the half that Sarah Palin comes from?
22. Re:"current computers" by morgauxo · 2011-08-19 00:50 · Score: 1
  
  I think you've been read too many times
23. Re:"current computers" by gmueckl · 2011-08-19 00:54 · Score: 2
  
  What do you mean by "known to be secure"? Do you mean that nobody knows how to break it or that there is a formal proof that no shortcuts for brute force attacks exist?
  
  --
  http://www.moonlight3d.eu/
24. Re:"current computers" by Joce640k · 2011-08-19 01:21 · Score: 1
  
  All this attack shows is that AES should have had a couple more rounds built into it, ie. the number of rounds wasn't sufficient to remove all trace of the key. You can recover 2 or 3 key bits with less work than a brute force search.
  I'm not sure how they chose the number of rounds for AES but it doesn't seem like there was much of a safety margin (only ten loops with a 128 bit key??)
  Short version: The algorithm is still secure, we just need to increase the loop count a bit.
  
  --
  No sig today...
25. Re:"current computers" by GooberToo · 2011-08-19 01:30 · Score: 1
  
  Seriously?
26. Re:"current computers" by tehcyder · 2011-08-19 01:37 · Score: 1
  
  OK, so it's difficult, but theoreically possible?!
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
27. Re:"current computers" by black+soap · 2011-08-19 01:39 · Score: 1
  
  So, by analogy, in the time it takes to crack one encryption code, we can crack them all?
28. Re:"current computers" by black+soap · 2011-08-19 01:42 · Score: 1
  
  Even more plausibly: NSA knows your password and private key already, even if they don't have backdoors into your encryption software.
29. Re:"current computers" by X0563511 · 2011-08-19 07:12 · Score: 1
  
  Yes, well, this just so happens to be one of those problems that is suited very well for parallel computation.
  Everyone gets a chunk of ciphertext and an assignment of keyspace to chew through. Whoever wins the lottery and gets meaningful cleartext out of it reports back to "dispatch."
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
30. Re:"current computers" by X0563511 · 2011-08-19 07:14 · Score: 1
  
  The operative word being "theoretically" - meaning "Possible in theory" which in no way means "Possible in practicality"
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
31. Re:"current computers" by Anonymous Coward · 2011-08-19 07:16 · Score: 0
  
  An interesting observation. Though it is dampened by the fact that brute forcing encryption is pretty much the poster child of an application that lends itself well to parallel processing.
  Such as killing nine babies...
32. Re:"current computers" by X0563511 · 2011-08-19 07:17 · Score: 1
  
  No, it wasn't. NIST did that, and they did it mostly because:
  1. Most finalists voted for themselves as first place
  2. Most finalists voted for Rijndael
  It is worth noting however that Rijndael was voted over Serpent primarily because Rijndael was significantly faster, where Serpent was significantly stronger!
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
33. Re:"current computers" by X0563511 · 2011-08-19 07:18 · Score: 1
  
  Er, make 2 read:
  2. Most finalists voted for Rijndael as runner-up
  (new slashdot + network service trouble = fail)
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Insert crack joke here by Osgeld · 2011-08-18 12:55 · Score: 0

n/t
Correction by CharlyFoxtrot · 2011-08-18 12:58 · Score: 5, Informative

The Katholieke Universiteit Leuven (KUL) is a Belgian, specifically Flemish, university not Dutch.

--
If all else fails, immortality can always be assured by spectacular error.
1. Re:Correction by Anonymous Coward · 2011-08-18 13:53 · Score: 0
  
  not Dutch yet
  FTFY
2. Re:Correction by Anonymous Coward · 2011-08-18 18:59 · Score: 0
  
  Seems like they teach Ingleesh, specifically Noparsingleesh, language not English.
3. Re:Correction by CharlyFoxtrot · 2011-08-18 21:13 · Score: 3, Funny
  
  Cool, the mods changed the summary. Since the error was in TFA this means we are in the historically nearly unprecedented situation of having a summary that's more correct than TFA ;-)
  (What I meant to say is, good job.)
  
  --
  If all else fails, immortality can always be assured by spectacular error.
4. Re:Correction by packman · 2011-08-19 00:14 · Score: 1
  
  Funny thing is, Joan Daemen and Vincent Rijmen - the ones who developed the Rijndael which later became AES, both worked at the KUL...
5. Re:Correction by tehcyder · 2011-08-19 01:43 · Score: 1
  
  Cool, the mods changed the summary. Since the error was in TFA this means we are in the historically nearly unprecedented situation of having a summary that's more correct than TFA ;-) (What I meant to say is, good job.)
  Er, hopefully it was the near legendary "slashdot editors" who changed the summary.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
6. Re:Correction by CharlyFoxtrot · 2011-08-19 02:57 · Score: 1
  
  Yeah, that's what I meant. Got my nomenclature mixed up.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
That's some mighty fine print you got there... by geekmux · 2011-08-18 13:06 · Score: 4, Interesting

"New Research Cracks AES Keys 3-5x Faster"
(the fine print)

"it would still take a few billion years with current computers to actually break anything.."
1. Re:That's some mighty fine print you got there... by a_n_d_e_r_s · 2011-08-18 13:15 · Score: 1
  
  Given Moores law a crypto attack will get double the speed about every 2 years so it was known from the start
  that AES had a limited time to be secure. It was just a matter of time until the crypte lenght become too short given the CPU power you can add to break it.
  So this means that we just have to upgrade to a new krypto about 4 years earlier then if it had not been found for it to still be safe.
  
  --
  Just saying it like it are.
2. Re:That's some mighty fine print you got there... by FuzzyDaddy · 2011-08-18 13:17 · Score: 4, Interesting
  
  Or "New attack reduces 256 bit key strength by two bits"
  
  --
  It's not wasting time, I'm educating myself.
3. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 13:28 · Score: 0
  
  That's not what Moore's law says.
4. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 13:37 · Score: 0
  
  Right, but it's a trivial consequence of Moore's Law.
  Assume that you have an integrated circuit (e.g a computer) which cracks AES keys. Moore's law says that every 2 years the density of an integrated circuit doubles. So in 2 years, you will be able to put two crackers on one circuit of the same size, thus cracking AES twice as fast.
5. Re:That's some mighty fine print you got there... by afidel · 2011-08-18 13:42 · Score: 1
  
  No, AES-256 would take the energy of every atom in the earth to brute force using known methods (it was in the same order of magnitude anyway, saw the calculations once).
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
6. Re:That's some mighty fine print you got there... by Baloroth · 2011-08-18 13:42 · Score: 1
  
  Ah. So it might be enough time to develop a new standard.
  Incidentally, do any of these calculations of "a billion years" take into account Moore's Law? Has anyone developed an actual calculation taking into account the rate of computer advancement? (It'd still be secure enough for daily use, but still.) Some quick math shows that if computers double in power every 2 years, then the time to break it halves every 2 years. Or, in 60 (2*2^30=~ 1 billion) years computers will be 1 billion times more powerful and will be able to break AES in a few years, instead of a few billion. Assuming Moore's law continues, and that we don't switch to an entirely new computational system (i.e. quantum computers) in the mean time. .
  Of course, you can always increase the key length (8196-bit encryption, anyone?)...
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
7. Re:That's some mighty fine print you got there... by Entrope · 2011-08-18 13:43 · Score: 1
  
  The fine print from the summary isn't even quite accurate -- the attack complexity is slightly more than 2^125. If you assume computers can check about a billion (2^30) keys per second, and given that you have about 2^25 seconds in a year, you would need about a trillion (2^40) computers to guarantee success in a billion years. (125=30+25+40+30.)
8. Re:That's some mighty fine print you got there... by mysidia · 2011-08-18 13:43 · Score: 1
  
  Or "New attack reduces 256 bit key strength by two bits"
  I'm not too worried about it, as i've already switched to Triple-Rjindeal scheme, eg 3AES256 with a keying analogous to 3DES keying option 1
  So they're reducing a 768 bit key strength by what, 0.2% ?
9. Re:That's some mighty fine print you got there... by KingMotley · 2011-08-18 13:45 · Score: 1
  
  Umm.. It's close enough. Moores laws states that you can place twice the number of transistors in the same space every 2 years. This is roughly the same as twice the speed every two years, and it would be assuming you are just adding more cores and producing the same die size.
10. Re:That's some mighty fine print you got there... by doublebackslash · 2011-08-18 13:50 · Score: 2
  
  http://everything2.com/user/dogganos/writeups/Thermodynamics+limits+on+cryptanalysis
  Who cares about Moore's law. Read that.
  Now it STILL might get broken. Attacks better than brute force are always the largest threat. However nobody need worry about the brute force computer to break their codes. Not even quantum computers help here, by the way. See Grovers Algorithm. Preview: "Grover's algorithm is a quantum algorithm for searching an unsorted database with N entries in O(N1/2) time and using O(log N) storage space" Not so good.
  
  --
  md5sum /boot/vmlinuz
  d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
11. Re:That's some mighty fine print you got there... by Bengie · 2011-08-18 14:25 · Score: 2
  
  Yeah, my cousin took an advanced cryptography class for CS, and his teacher ran the math on brute forcing a 256bit key with the theoretical physical minimum amount of energy required with ultra-advanced technology, on average would consume more usable energy than there is in the MilkyWay.
  Brute forcing is out of the question for sure, unless we start to consume galaxies for energy.
  Unfortunately, AES isn't perfect, and it's effective strength is much lower than 256bit. The 3-5x reduction might be enough to bring it near the realm of practical with enough money.
12. Re:That's some mighty fine print you got there... by kelemvor4 · 2011-08-18 14:29 · Score: 2
  
  That's weak, you need at least 1Gigabit key strength to protect your emails. Man up.
13. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 14:37 · Score: 0
  
  There is no evidence that 3 rounds of AES is any more secure than plain AES. Double DES is actually weaker than single DES; there is the possibility that a single decryption step can decrypt multiple AES passes. Nobody actually bothered to invest too much time analyzing multiple AES passes, so by using triple AES you are just using security by obscurity.
14. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 14:44 · Score: 0
  
  Ewscray atthay, Iway ustjay useway igpay atinlay. Ytray
  ackingcray atthay!
15. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 14:47 · Score: 4, Informative
  
  E=MC^2 you fucking retard
16. Re:That's some mighty fine print you got there... by 0123456 · 2011-08-18 14:51 · Score: 3, Informative
  
  Lets say it takes 2 billion years to crack 1 key.
  Two billion years? At a billion keys per second I make it around 10^60 years to brute-force a 256-bit key. Use a billion gigakey crackers and you'd still take 10^50 years.
  That was the whole point of picking a 256-bit key. It's not crackable by brute force using conventional computers even in theory until you control most of the mass of the universe.
  Any AES-256 crack will be based on algorithmic flaws or quantum cryptography, not brute-force with conventional computers.
17. Re:That's some mighty fine print you got there... by afidel · 2011-08-18 14:56 · Score: 1
  
  Ahem
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
18. Re:That's some mighty fine print you got there... by Baloroth · 2011-08-18 15:07 · Score: 2
  
  Reversible Computing
  It could theoretically overcome the limits of thermodynamics on computers. Basically, AFAICT it requires us to (nearly) perfectly observe the computer so that we could reverse any changes that take place in the system, so they would generate very, very little entropy (limited by how well we could build them.) Essentially, they can reuse any energy already used in computation with a very low degree of loss. Also, you might want to look at "Adiabatic quantum computation". Essentially this low-entropy system, but with quantum computers (so faster at brute-forcing).
  Regardless, the point of TFA is that AES isn't perfectly secure, so strict brute-forcing isn't necessary. And we have no real evidence that the construction of a perfect system is possible. Nor, for that matter, that P!=NP, which is a more or less essential assumption in public-key cryptography. If it isn't, then as the key size grows, time to brute-force increases linearly, not exponentially as we think it does. It might be entirely possible that a new mathematical system could calculate a 256-bit key in hours, instead of billions of years. Doubtful, but no one really knows.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
19. Re:That's some mighty fine print you got there... by Bengie · 2011-08-18 15:15 · Score: 1
  
  Which is why I said "brute force"
  From one of the links going around:
  "...having an ideal computer, working at the freezing temperature of 3.2 Kelvin...
  Even sucking all the energy from a supernova would be just enough to pass through all states of a 219-bit counter... So, it is clear that a 256-bit key (which, just to be represented while we brute-force it on our ideal computer, would require the energy that 400.000.000.000.000.000.000 suns like our sun radiate in a year...) seems errrr... kinda difficult to brute-force..."
  Its "effective" key size is smaller because of logic flaws.
20. Re:That's some mighty fine print you got there... by Skarecrow77 · 2011-08-18 15:33 · Score: 2
  
  I use 1.21 jiga-bit flux encryption.
  As soon as I think up something that I need to encrypt, I bang my head into the sink until I forget it, confident that I'll come back in time from the future (or send a suitable representative in a life vest) to remind myself what it is I wanted encrypted when I need the information.
21. Re:That's some mighty fine print you got there... by AchilleTalon · 2011-08-18 16:03 · Score: 1
  
  Moore's Law maybe violated as soon as you reached the atomic scale. Soon or later, Moore's law will be violated. You cannot project it in the future ad infinitum.
  
  --
  Achille Talon
  Hop!
22. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 16:26 · Score: 0
  
  Your notation is a little unclear but Grover's algorithm actually runs in sqrt(n) time which would effectively halve the number of bits in a cipher, bringing AES 128 well within reach (similar to cracking DES now).
23. Re:That's some mighty fine print you got there... by frozentier · 2011-08-18 16:41 · Score: 1
  
  "New Research Cracks AES Keys 3-5x Faster"
  (the fine print)
  
  "it would still take a few billion years with current computers to actually break anything.."
  Yeah, but that still means were down to 5 billion years from the previous 25 billion years, right?
24. Re:That's some mighty fine print you got there... by bondsbw · 2011-08-18 16:48 · Score: 1
  
  Nor, for that matter, that P!=NP, which is a more or less essential assumption in public-key cryptography. If it isn't, then as the key size grows, time to brute-force increases linearly, not exponentially as we think it does.
  Not necessarily. Even assuming P = NP, the conversion from the NP problem to the equivalent P problem doesn't necessarily take linear time. And it doesn't mean that the P solution itself can run in linear time. If it turns out that both the conversion and the P solution are O(n^10^10^10^10^10), they would be practically worthless for anything.
  
  --
  All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
25. Re:That's some mighty fine print you got there... by mcrbids · 2011-08-18 18:17 · Score: 1
  
  As stated elsewhere, there are various ways around this limitation, including the use of reversible computing which works by "borrowing" entropy resulting in an extremely low entropy computation mechanism.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
26. Re:That's some mighty fine print you got there... by zebslash · 2011-08-18 19:33 · Score: 2
  
  I learned from *MY* CS teachers back in the 90s that all cryptography is crackable given enough time.
  Well, they forgot to teach you about the one-time pad.
27. Re:That's some mighty fine print you got there... by maxwell+demon · 2011-08-18 20:09 · Score: 1
  
  Nor, for that matter, that P!=NP, which is a more or less essential assumption in public-key cryptography. If it isn't, then as the key size grows, time to brute-force increases linearly, not exponentially as we think it does.
  Not necessarily. Even assuming P = NP, the conversion from the NP problem to the equivalent P problem doesn't necessarily take linear time. And it doesn't mean that the P solution itself can run in linear time. If it turns out that both the conversion and the P solution are O(n^10^10^10^10^10), they would be practically worthless for anything.
  You don't have to go to such ridiculously large numbers. Even O(n^100) is basically unmanageable. It would mean that if the 64-bit case can be solved in a nanosecond (i.e. about 3 clock cycles on a current processor), the 128 bit case will need about 4*10^13 years, or close to 3000 times the age of the universe. I'd say that's pretty secure.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
28. Re:That's some mighty fine print you got there... by fyngyrz · 2011-08-18 20:19 · Score: 1
  
  Look. Brute force: Division... divide a million by three, by subtracting three from the dividend and counting how many times it happens before the dividend rolls past zero. 333k cycles. Now do long division. 8 cycles. Snap, it's done.
  Now jump forward a decade or two... quantum computing... probabilistic algorithms... Snap, AES is cracked. Never assume that today's technology will be applied to tomorrow's problems. If you do -- everything you come up with is very likely to be wrong.
  Finally -- never assume the NSA and it's sibling agencies are using what YOU consider to be today's technology. Also very likely to be wrong.
  
  --
  I've fallen off your lawn, and I can't get up.
29. Re:That's some mighty fine print you got there... by maxwell+demon · 2011-08-18 20:45 · Score: 1
  
  There is no evidence that 3 rounds of AES is any more secure than plain AES.
  What? Next you'll claim that my use of triple-ROT13 is not any more secure than single ROT13! :-)
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
30. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 21:33 · Score: 1
  
  Come on, don't crush the singularitarians' hopes that brutally!
31. Re:That's some mighty fine print you got there... by delt0r · 2011-08-18 22:06 · Score: 1
  
  Reversible computing reduces, but does not remove the limit. Basically anything that has a different number of inputs to outputs must have a non zero entropy logic. Since things like adders are like this (twice as many inputs as output) etc, then you can't reduce to levels that solve the problem. Note the calculation on the energy required is not from the entropy limit of a logic gate, but the "entropy" of just that many keys.
  
  --
  If information wants to be free, why does my internet connection cost so much?
32. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 22:09 · Score: 0
  
  I use 1.21 jiga-bit flux encryption.
  As soon as I think up something that I need to encrypt, I bang my head into the sink until I forget it, confident that I'll come back in time from the future (or send a suitable representative in a life vest) to remind myself what it is I wanted encrypted when I need the information.
  lmao
33. Re:That's some mighty fine print you got there... by delt0r · 2011-08-18 22:14 · Score: 1
  
  Block Ciphers and their kin are not cracked by quantum computers. They only reduce the search space by a square root. ie half the key size. Since quite a few modes of using these ciphers gives time/memory trade off attacks that give the same square root key size reduction (ie hash functions and birthday attacks), its not really a problem.
  
  --
  If information wants to be free, why does my internet connection cost so much?
34. Re:That's some mighty fine print you got there... by owlstead · 2011-08-18 23:25 · Score: 1
  
  ECRYPT II specifically lists AES-256 as protected against analysis by quantum computer (unless Shor's algorithim applies), People should be more worried about asymmetric crypto, although even there alternatives have been developed. As a fully capable quantum computer won't spring into existence suddenly, I presume we would have a few years to switch.
  "Both of the fundamental intractability assumptions on integer factoring and discrete loga-
  rithms break down if a (large) quantum computer could be built as demonstrated by Shor,
  [236]. For instance, integers N can be factored in only O(log3 N ) “steps” on such a machine.
  We are, however, quite far from realizing such a device. In [249], an experimental result for
  factoring the “toy” number N = 15 is reported with a run-time of just under one second.
  For symmetric cryptography, the effect would also be dramatic, though not devastating.
  By the generic search algorithm due to Grover, [95], key-sizes are in effect cut in half. Also
  this algorithm has been implemented on small toy examples, [56]. A quantum computer
  would also imply finding n-bit hash function collisions with complexity 2n/3 , [44]. However,
  in the full-cost model this attack is no faster than attacks on classical computers because the
  quantum computer would need to be of size 2n/3 [27].
  The recommendations in this report assumes (large) quantum computers do not become
  a reality in the near future."
35. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 23:30 · Score: 0
  
  p>Unfortunately, AES isn't perfect, and it's effective strength is much lower than 256bit. The 3-5x reduction might be enough to bring it near the realm of practical with enough money.
  Unfortunately no cipher except the OTP is perfect.
36. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-18 23:56 · Score: 0
  
  Wasn't AES 256 already reduced below AES 192's strength? So that would make this, at best, a 190-bit key, which is a LONG way short of 256-bit: 7.3x10^19 times weaker than intended, to be precise. That's easily enough to start asking whether 256-bit serpent or twofish would be a better choice.
37. Re:That's some mighty fine print you got there... by archen · 2011-08-19 00:58 · Score: 1
  
  There's always Camellia as an alternative. It was developed by the Japanese and has been approved by the European Union as an encryption standard. It's supposed to be about equivalent to AES but obviously hasn't had the rigorous audits and tests since it's less common. Some web browsers, and operating systems (and OpenSSL) already support it.
38. Re:That's some mighty fine print you got there... by Twylite · 2011-08-19 01:02 · Score: 2
  
  There is an existing key schedule attack against AES-256 (attack complexity 2^119) and AES-192 (complexity 2^176). The existing attack is a related-key attack, and some modes of operation (e.g. XTS as used by TrueCrypt) are not vulnerable to it.
  The big deal about this paper is that it (a) operates in a single-key model, rather than requiring a related-key; and (b) is the first attack against full round AES-128.
  The reason that AES remains a better choice than serpent or twofish is precisely because this sort of cryptanalysis is going on - we gain more knowledge about the weak points of AES and higher confidence in exactly what security strength it offers. Ciphers with less rigorous study may just be offering the appearance of security because we know less about their weaknesses.
  
  --
  i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
39. Re:That's some mighty fine print you got there... by Anonymous Coward · 2011-08-19 01:07 · Score: 0
  
  True, all cryptographic methods are "crackable". The more information you have up front, the faster the crack.
  But let's assume a brute force attack. That is, access to little information other than the encryption method and access to the encrypted data. For this attack, the NSA builds custom ASICs containing AES cores that are that are capable of processing one key per clock cycle. Their ASIC is designed to operate at 3 GHz per core. On each ASIC they manage to populate 1024 cores. In their system they have 100,000 ASICs. Big system and lots of money.
  So, 3x10^9 * 1024 * 100,000 = 3.072*10^17 keys per second.
  From the paper, a computational complexity of 2^126.1 for AES-128 is sufficient.
  2^126.1 / (3.072*10^17) ~= 2.97*10^20 seconds to process the entire keyspace in AES-128 with the NSA cluster.
  Thats ~= 9.4*10^12 years for AES-128.
  Let's assume that we are able to double our processing capabilities every subsequent year in this system.
  1 year from now (2x), ~=1.48*10^19 seconds
  10 years from now (1024x), 2.898*10^17 seconds.
  20 years from now (>1Mx), 2.83*10^14 seconds.
  40 years from now (>1Bx), 2.51*10^8 seconds.
  80 years from now(1.24*10^24x), 246 microseconds.
  With some wild assumptions, at 40 years from now it would take an approximate 8 years to traverse the keyspace.
  At 80 years, much less than a second.
  By the way, we'd be taking about a completely different technology (not silicon) at 80 years from now and an enormous system. Try to figure out the number of cores or the clock speed we'd be running at. Something beyond the realm of Quantum computing. Or, maybe an entire planet devoted towards crunching the keys?
  Great morning brain teaser.
  In my opinion, not feasible until better attacks are presented. The research paper demonstrates progress along those lines.
40. Re:That's some mighty fine print you got there... by Joce640k · 2011-08-19 01:44 · Score: 1
  
  Given Moores law a crypto attack will get double the speed about every 2 years so it was known from the start
  that AES had a limited time to be secure. It was just a matter of time until the crypte lenght become too short given the CPU power you can add to break it.
  I don't think you quite grasp the scale of the numbers here. It's easy to say "just use a million PCs" but setting up that many PCs, powering them all and just plain keeping them all running is way harder than you think. Numbers in the tens of thousands is probably more realistic (even for the NSA).
  Quoting Moore's Law doesn't work either: A better way to think of it is to figure out how much energy you'd need to brute force a 128-bit crypto key. Assuming the lowest power unit possible to check a key, ie. one electron transition, you'll still need about 10^20 joules of energy to crack the key. Where are you going to get that much energy from?
  Clue: Its close to what the entire Sun puts out, ie. the heat generated by your PC farm would be enough to melt the Earth.
  (And in reality there's NO WAY you could check an AES key with so little energy, you'll need many orders of magnitude more...)
  
  --
  No sig today...
41. Re:That's some mighty fine print you got there... by tehcyder · 2011-08-19 01:47 · Score: 1
  
  Brute forcing is out of the question for sure, unless we start to consume galaxies for energy.
  It's OK as long as it's other people's galaxies and not our own though isn't it?
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
42. Re:That's some mighty fine print you got there... by black+soap · 2011-08-19 01:47 · Score: 1
  
  So we won't be able to put more transistors per square inch into a chip after a certain point. Do you think we will keep finding better layouts, making the transistors cheaper, or improving connectivity between chips? Or will we say "well, we can't make them any smaller. Our work is done. Anybody want to go play frisbee?"
43. Re:That's some mighty fine print you got there... by tehcyder · 2011-08-19 01:50 · Score: 1
  
  And the energy of every atom corresponds to cracking a cipher in what way exactly, you fucking retard?
  Someone above calculated how much energy would be used by 38 trillion computers in parallel working to brute force AES encryyption.
  
  Executive summary: a lot.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
44. Re:That's some mighty fine print you got there... by black+soap · 2011-08-19 01:50 · Score: 1
  
  1Gigabit key might be fine for encrypting tweets, but what if I want to secure something larger?
45. Re:That's some mighty fine print you got there... by Joce640k · 2011-08-19 01:52 · Score: 1
  
  Doesn't matter: Do the math with a single electron transition per key and you still need to capture the entire energy output of the Sun to brute force a 128-bit key in a useful time. Not going to happen.
  
  --
  No sig today...
46. Re:That's some mighty fine print you got there... by Joce640k · 2011-08-19 01:55 · Score: 1
  
  i've already switched to Triple-Rjindeal scheme, eg 3AES256
  with a keying analogous to 3DES keying option 1
  You're doing it wrong:
  a) There's no proof that this will increase the strength, it might weaken it.
  b) You'd be better off adding whitening (ie. AESX, analogous to DESX)
  c) Much better to just increase the number of rounds in standard AES.
  (Yeah, I know you were being facetious, but...)
  
  --
  No sig today...
47. Re:That's some mighty fine print you got there... by Khyber · 2011-08-19 04:08 · Score: 1
  
  "Moores laws states that you can place twice the number of transistors in the same space every 2 years."
  No, Moore's Law states that the number of COMPONENTS in an integrated circuit doubles roughly every two years. This does NOT imply solely that transistors alone are being added.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
48. Re:That's some mighty fine print you got there... by Aqualung812 · 2011-08-19 04:43 · Score: 1
  
  So we won't be able to put more transistors per square inch into a chip after a certain point
  The point is, that IS Moore's Law. It doesn't say that there will be cheaper transistors, only that the number of them that fit on a chip will increase. Again, at some point, you're down to atoms & there is no more room to squeeze them in.
  To your point, I do think we'll still keep making processors faster at some rate, but it won't have anything to do with Moore's Law when we stop putting more transistors on a chip.
  
  --
  Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
49. Re:That's some mighty fine print you got there... by kbolino · 2011-08-19 05:43 · Score: 1
  
  http://www.wolframalpha.com/input/?i=solve+integral+of+2^58*2^%281.97e-08*t%29+from+0+to+x+equal+to+2^126
  It would take about 2.1 billion seconds (about 64 years) using all of the available computing power on the Earth, starting from this moment forward, assuming that the available processing power doubles every 18 months, and every computer were singularly dedicated to the task for the entire period, to crack AES-128 (yes, the 128-bit version) using the techniques described in this article.
  Assumptions:
  2^58 = total computer power in the world (the most powerful supercomputer can perform 2^53 operations per second, the whole TOP500 combined can perform 2^56)
  2^126 = average number of operations to crack AES-128
50. Re:That's some mighty fine print you got there... by kbolino · 2011-08-19 05:44 · Score: 1
  
  Correct link: http://www.wolframalpha.com/input/?i=solve+integral+of+2^58*2^%281.97e-08*t%29+from+0+to+x+equal+to+2^126
51. Re:That's some mighty fine print you got there... by wings · 2011-08-19 05:48 · Score: 1
  
  Or "New attack reduces 256 bit key strength by two bits"
  So it's just a two bit hack.
52. Re:That's some mighty fine print you got there... by X0563511 · 2011-08-19 07:23 · Score: 1
  
  d) just use serpent instead
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
53. Re:That's some mighty fine print you got there... by mysidia · 2011-08-19 13:32 · Score: 1
  
  a) There's no proof that this will increase the strength, it might weaken it.
  There's no possibility it would weaken it. We're not talking about ROT13 here.
  If it did "weaken it", that would be equivalent to having found a major flaw in AES... it would mean I could take other people's AES encrypted ciphertext, apply an encrypt and decrypt operations with known keys, and thus weaken an adversary's ciphertext...
  Secondly.... if the 3DES approach doesn't "strengthen it" you have also found a flaw in AES; specifically, you've found a ciphertext that AES cannot secure
54. Re:That's some mighty fine print you got there... by FuzzyDaddy · 2011-08-21 08:38 · Score: 1
  
  It could weaken it if you do each round of encryption with the same key. Clearly if you use a different key for each round, it can't weaken it per your logic.
  
  --
  It's not wasting time, I'm educating myself.
55. Re:That's some mighty fine print you got there... by mysidia · 2011-08-21 09:24 · Score: 1
  
  Keying option 1 means 3 independent keys; K1 K2 K3 that have no relationship between each other; each operation is in CBC mode with independent keys. A block of plaintext to be protected after padding/formatting is first XOR'ed with the previous block encrypted with K1 (or the IV), then itself encrypted with K1, next this block is decrypted with K2 after being XOR'ed with the previous block after K2 decrypt, finally it's XOR'ed with the previous block encrypted with K3, and then encrypted with K3 itself
  r1Block[0] = Random_IV1
  r2Block[0] = Random_IV2
  CipherBlock[0] = Random_IV3
  for i from 1 to nblocks...
  r1Block[i] = E ( k1, PlainBlock[i] ^ r1Block[i - 1] )
  then
  r2Block[i] = E ( k2, r1Block[i] ^ r2Block[i - 1] )
  then
  CipherBlock[i] = E ( k3, r2Block[i] ^ CipherBlock[i-1] )
  bzero r1Block
  bzero r2Block
  bzero PlainBlock
Bruce Schneier's take by condition-label-red · 2011-08-18 13:07 · Score: 4, Informative

linky...

--
Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
1. Re:Bruce Schneier's take by Anonymous Coward · 2011-08-18 13:17 · Score: 0
  
  The quote he gives at the bottom of the link is a bit too pessimistic (or optimistic if you're a cracker):
  
  Again, I repeat the saying I've heard came from inside the NSA: "Attacks always get better; they never get worse."
  "Attacks might get better, but they never get worse."
  (Fixed that For Bruce Schneier)
2. Re:Bruce Schneier's take by ThatsMyNick · 2011-08-18 14:06 · Score: 1
  
  Nope, they always do! (Unless you can provide an example where they havent, the statement stands)
3. Re:Bruce Schneier's take by Anonymous Coward · 2011-08-18 15:03 · Score: 0
  
  Ahem. It's easy to prove that cracks don't always get better.
  Let X be the fastest crack possible for a given encoding.
  Try to improve upon X.
  Fail. (Hint: By its definition, X cannot be improved upon.)
  Q.E.D.
  p.s. It may be decades/centuries before anyone can prove that X is actually the fastest, but that doesn't change the fact that X cannot be improved upon.
4. Re:Bruce Schneier's take by Entrope · 2011-08-18 15:41 · Score: 1
  
  Has anyone come up with better attacks on ROT13 lately?
  There are also putatively strong cryptosystems that have simply not been the focus of much recent study, and so nobody has devised better attacks on them, even though better attacks probably exist.
5. Re:Bruce Schneier's take by Yaur · 2011-08-18 16:11 · Score: 2
  
  one time pad
6. Re:Bruce Schneier's take by fyngyrz · 2011-08-18 20:25 · Score: 1
  
  Camera. Keylogger. Drugs. A dull, but ragged edged knife. Waterboarding. Possession of your daughter. Need I go on? There are always new attacks. Security is not what you think it is; consequently, neither is encryption, from ROT13 to the most advanced thing you're aware of (which is unlikely to be the most advanced thing the government is aware of, btw.)
  All encryption does is secure one avenue. There are always others.
  
  --
  I've fallen off your lawn, and I can't get up.
7. Re:Bruce Schneier's take by Entrope · 2011-08-18 23:07 · Score: 1
  
  Except for waterboarding and maybe keyloggers, none of those are new. They are also not attacks in the sense that everyone else is talking about.
8. Re:Bruce Schneier's take by Anonymous Coward · 2011-08-18 23:33 · Score: 0
  
  You assume that there exists a "fastest crack possible for a given encoding". You have to show that this is true for your proof to be correct !
9. Re:Bruce Schneier's take by black+soap · 2011-08-19 01:57 · Score: 1
  
  Waterboarding is not a new technique by any stretch of the imagination http://en.wikipedia.org/wiki/Waterboarding#Historical_uses. Keylogger is an old technique+"with a computer".
A billion years? by Anonymous Coward · 2011-08-18 13:15 · Score: 0

Who writes this stuff? Anyway, it surely is a long time. But should we be concerned? Read on http://csharptest.net/?p=523
A few billion years by Doodlesmcpooh · 2011-08-18 13:22 · Score: 1

Surely a few billion years is the time it takes to try all the possible passwords. Although the chances are slim is it not entirely possible that a file could be cracked in seconds if you got lucky?
1. Re:A few billion years by Anonymous Coward · 2011-08-18 13:45 · Score: 0
  
  "The password is 12345..."
  "12345, thats the combination on my luggage!"
2. Re:A few billion years by Anonymous Coward · 2011-08-18 13:55 · Score: 0
  
  Given the sloppy way in which most people choose their passwords, the change of getting lucky is almost 100%.
3. Re:A few billion years by AK+Marc · 2011-08-18 14:20 · Score: 1
  
  A slashdotter never has a 100% chance of getting lucky.
  
  --
  Learn to love Alaska
4. Re:A few billion years by CamoCoatJoe · 2011-08-18 14:27 · Score: 1
  
  Surely a few billion years is the time it takes to try all the possible passwords.
  Not at all. Sell your supercomputer, buy savings bonds from various governments (or gold if you insist), buy a better supercomputer in 90 years, crack in 10 years after that.
  YMMV
  
  --
  This is not a signature.
5. Re:A few billion years by PhunkySchtuff · 2011-08-18 20:15 · Score: 1
  
  Yes, that's what probability and statistics are all about. The time quoted to break an encryption method generally is either worst case or worst case/2
  
  --
  Specialist Mac support for creative pros, Melbourne
6. Re:A few billion years by fyngyrz · 2011-08-18 20:26 · Score: 1
  
  Some RealDolls(tm) would tell you otherwise. If they could.
  
  --
  I've fallen off your lawn, and I can't get up.
7. Re:A few billion years by maxwell+demon · 2011-08-18 20:33 · Score: 1
  
  A slashdotter never has a 100% chance of getting lucky.
  That's wrong. All you have to do is to start up nethack at full moon.
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
We get all those little countries confused. by iluvcapra · 2011-08-18 13:43 · Score: 1

(sic) "Dutch Katholieke Universiteit Leuven."
Leuven/Louvain is in Belgium, not the Netherlands.

--
Don't blame me, I voted for Baltar.
1. Re:We get all those little countries confused. by Anonymous Coward · 2011-08-18 19:19 · Score: 0
  
  Hell, I'm Luxemburgish (really), and I can't tell them apart!
  Belge an Holland, firwaat musst dir äech* esou ähnlech sin??
  ___
  * No, that's not wrong. That's a dialect! Yes, this country of 400,000 people actually has many dialects!
The AES-128 "crack" requires 2^88 bytes of storage by yeremein · 2011-08-18 13:51 · Score: 2

To put that number in perspective, it would take a stack of 4GB hard drives extending past the orbit of Saturn...
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-18 13:53 · Score: 0

How many libraries of congress?
Unbreakable? by Anonymous Coward · 2011-08-18 14:01 · Score: 0

From the article:
"But the work, the result of a long-term cryptanalysis project, could be the first chink in the armor of the AES standard, previously considered unbreakable."
I would love to know who considered AES, or any from crypto for that matter, "unbreakable". In the olden days, when the Earth was young, crypto/security experts were naive and were ego driven into thinking they could be the one to produce the unbreakable crypto solution. However, after a few decades of failure, now anybody and everybody in the industry understands that "unbreakable" is just a fantasy.
No security expert, especially a crypto expert, worth their salt would believe any solution is unbreakable. There may be some solutions that have not been broken yet, some not worth the effort, and some because the effort has not gone on long enough. In the end, any crypto solution is breakable, and if it hasn't been broken yet, it will be; it's just a matter of time.
While any crypto will eventually be broken, what matters is, can it be broken in time to do anything useful; for an attacker to leverage the data attained and undermine the vested parties. If an attacker attempts to hook into a financial transaction, can the crypto solution secure the transaction long enough to prevent the attacker from leveraging the data in the transaction. Or, if a user needs to secure the confidentiality of data, can the crypto solution assure effectiveness until the data is either destroyed by the user, or until a new confidentiality solution is implemented, or until the user decides it no longer requires confidentiality. Just some examples.
1. Re:Unbreakable? by CamoCoatJoe · 2011-08-18 14:55 · Score: 1
  
  OTP is unbreakable, but you could argue that it isn't a "solution". :^)
  
  Or, if a user needs to secure the confidentiality of data, can the crypto solution assure effectiveness until the data is either destroyed by the user, or until a new confidentiality solution is implemented, or until the user decides it no longer requires confidentiality.
  If I steal your hard drive, you can't destroy the data anymore, or replace the solution on that hard drive. Even if I don't steal it, you're relying on having a secure way to destroy the data. OTOH, how much is a few bad sectors of old data worth?
  If you can count on detecting the breach, and can take steps to make the data unimportant more quickly (change passwords, report card numbers stolen), then you just need enough time to react. If you can't do something like that, then the crypto needs to last until the data isn't sensitive anymore.
  
  --
  This is not a signature.
2. Re:Unbreakable? by Skarecrow77 · 2011-08-18 15:40 · Score: 1
  
  I would love to know who considered AES, or any from crypto for that matter, "unbreakable".
  Dan Brown.
  Read digital fortress. It's actually quite an enjoyable ride, as long as you note right up front that Dan Brown's version of reality read like James Bond's version of international relations.
3. Re:Unbreakable? by kbolino · 2011-08-19 01:36 · Score: 1
  
  The one-time pad is, from an information theoretic perspective, perfectly secure. Essentially, you take a randomly generated key of the same length as your message and perform some operation between the two (it needn't be any more complicated than a bitwise XOR) that completely obscures the message and the key. Provided that you never use the same key twice, there is no way for someone else, knowing only the ciphertext, to obtain either the message or the key, apart from brute force. If the message is sufficiently long, then so is the key, and then even brute force is infeasible.
  Obviously, this method is not practical for general use, but it is useful where there is an accessible and secure side channel (secure wire, military courier, etc.) through which to distribute the one-time key. It is vulnerable to side-channel attacks, but only complete ones. Knowing part of the key will only allow you to decrypt the equivalent part of the message; assuming the key was truly random, there is no way to derive the remaining parts.
4. Re:Unbreakable? by Joce640k · 2011-08-19 02:07 · Score: 1
  
  However, after a few decades of failure, now anybody and everybody in the industry understands that "unbreakable" is just a fantasy.
  a) DES has never been broken, nor is it likely to be. The best known attack against DES is brute force (discarding the impractical attacks...)
  b) There's no reason to believe we can't make a 128-bit cypher which is as secure as DES.
  (in fact AES with more rounds is probably as secure as DES, the only thing this new attack has shown is that AES needs more rounds)
  
  --
  No sig today...
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-18 14:02 · Score: 1

Any time someone publishes an algorithm that requires such insane space requirements, I have to question their analysis. Often they assume O(1) random lookup when any real implementation would be O(log(n)). Such a difference could easily cause this "5x" crack to have worse performance than brute-force.
p.s. Who the hell still uses 4GB drives? Saying 1/500th of the way to Saturn with 2TB drives doesn't sound as cool I guess.
Algorithm by Anonymous Coward · 2011-08-18 14:10 · Score: 0

or it didn't happen.
And what do its authors say about this method? by jthill · 2011-08-18 14:14 · Score: 1

They say, as the payload sentence of the abstract,

As our attacks are of high computational complexity, they do not threaten the practical use of AES in any way.

--
As always, all IMO. Insert "I think" everywhere grammatically possible.
Re:mod parent down! by CamoCoatJoe · 2011-08-18 14:23 · Score: 1

liar

--
This is not a signature.
512 bit or more? by Twinbee · 2011-08-18 14:58 · Score: 1

As someone who knows next to nothing about encryption, here's a question. If this ever becomes a problem, can't one VERY easily increase the bit count from 256 to 512 or more for an exponentially stronger encryption?
And more generally, I've heard these algorithms are very complicated. Rather than having this enormous complexity, can't you use a simpler, more elegant math algorithm, and again, just increase the bit count say from 256 to 512bit or more? Or does math not support that?
In this age of terabytes, does it really matter if we all save a few bits?

--
Why OpalCalc is the best Windows calc
1. Re:512 bit or more? by Entrope · 2011-08-18 15:36 · Score: 2
  
  It is usually not practical to pick "a simpler, more elegant math algorithm" because those are easy -- or at least easier -- to break. As someone mentioned up-thread, and as Bruce Schneier likes to remind us, attacks tend to get better over time -- they never get worse.
  Modern cryptosystems are carefully tuned to resist a lot of clever attacks. Probably every stage in every (credibly) proposed encryption scheme has been closely examined by very smart people to understand its behavior and look for weaknesses. Existing systems have very elegant structures that are simple in most respects, but they are complicated in certain ways because consistently simple designs are much easier to exploit.
  (As a further complicating factor, using a longer key generally requires using more internal state and more rounds. You might -- or might not -- be able to double the block size, but to move from 128-bit to 256-bit keys, you are very likely to need to increase your cipher from [say] 8 rounds to 12. This means at least a 50% increase in execution time for the same amount of data, and possibly more. If the increased size bumps your S-boxes, state and code out of L1 cache, it will be much worse. If you cannot double the block size, but need to double your internal state size for the larger key, that will add another doubling of execution time.)
2. Re:512 bit or more? by The+Dancing+Panda · 2011-08-18 15:45 · Score: 1
  
  To try to answer your question as simply as possible: Yes, and No. It is generally fairly easy to increase the bit count, but then you have to go through and reencrypt all your data, which takes time, and energy, and depending on the attack, you still might be susceptible.
  
  The reason the algorithms are complex is because they can't be easily reversible. It can't be obvious from the encrypted text as to what the key is, or what the decrypted message is, otherwise your encryption is useless. These algorithm's are elegant, they are just complex and take a lot of processor power to run.
3. Re:512 bit or more? by flonker · 2011-08-18 18:41 · Score: 1
  
  Increasing key size is not simply a matter of encoding things twice, as there may be an attack where they can take a shortcut, reducing the practical key strength.
  Some additional reading:
  http://x5.net/faqs/crypto/q61.html
  http://x5.net/faqs/crypto/q85.html
4. Re:512 bit or more? by slew · 2011-08-18 18:44 · Score: 1
  
  As someone who knows next to nothing about encryption, here's a question. If this ever becomes a problem, can't one VERY easily increase the bit count from 256 to 512 or more for an exponentially stronger encryption?
  And more generally, I've heard these algorithms are very complicated. Rather than having this enormous complexity, can't you use a simpler, more elegant math algorithm, and again, just increase the bit count say from 256 to 512bit or more? Or does math not support that?
  In this age of terabytes, does it really matter if we all save a few bits?
  Cipher design is pretty complicated, but with a little bit of hand-waving, it might be able to explain the problem.
  The task of creating a cipher (encryption algorithm) is basically the same problem as creating set of algorithms for shuffling a deck of cards a certain way. The deck of cards starts in order and the data you want to encrypt is where the deck is "cut". Then you shuffle the cards using some instructions (set by the key) and then you figure out where in the deck that card ended up. You decrypt by just doing the steps in reverse (effectively unshuffling the cards).
  Now the trick of making an encryption algorithm is to have a set of algorithm where every possible key describes scrambling instructions that results in a completely different shuffle such that they aren't really related in any easy to crack way. The problem is that we don't really know how to do that effectively (this random permutation construction problem is related to one of the open problems of group theory).
  If you describe your set of shuffling algorithm with very simple math, it is generally actually easier to attack mathematically. It takes lots of scrambling instructions to make up for the simple math (which makes your encryption complicated by length). With more complicated math it makes it harder to attack mathematically (in the case of AES and other modern ciphers, substitution tables are used to implement the complicated math).
  So given we don't know how to simply construct sets of these random shuffling algorithms, how would we know that the design we came up with there is a "weakness" where for a sub-set of keys a certain sub-set of plaintext values map to some sub-set of cipher-text values (a sub-group/ideal or some other group-theoretic structure that can be easily analyzed and defeated). That's a big problem which nobody has an answer for yet, but if the sets are small enough that humans can analyze them, it's easier to see if they *might* have some weakness. If it's a huge set, no human could probably analyze them.
  Actually if you really look at the guts of AES and other modern ciphers, they are actually constructed with very elegant math which is iterated (over several rounds). As an example, AES is a very straight forward iterations of two different SP (Substitution/Permutation) networks (one for the key schedule and another for the data). AES-128 runs this iteration 10 times, and AES-256 runs this iteration 14 times. The key and the data enter different SP networks and after each S and P stage the data stage is xored with the output of the corresponding key stage before heading into the next data S and P stage.
  The AES permutation stages are basically just row shifts and small column "multiplications" (in a Galois field). This is a very simple "shuffle" of the data across the 128-bit data width. The AES substitution tables are sets of 8bit to 8bit tables which were constructed mathematically (to avoid any fears that they were created with back-doors which was a concern with the original DES substitution tables). This is basically a complicated 256 card random deck shuffle. All the operations can be implemented fairly easily on things as simple as a 8-bit microprocessor (8-bit lookup tables is the most complicated thing, the rest are just shifts and xors).
  W/o the substitution table, all the shuffling would be really easy to invert mathematically. The set of AES substitution
Breaking Crypto... by Anonymous Coward · 2011-08-18 15:15 · Score: 0

I've done better attacks on RSA - I've reduced the area of attack primes by many orders of magnitude. AES is a very complex algorithm however.
Re:The AES-128 "crack" requires 2^88 bytes of stor by Skarecrow77 · 2011-08-18 15:38 · Score: 1

My porn collection would require a stack 3.5" floppy disks at -least- 12 or 15 feet high.
Re:The AES-128 "crack" requires 2^88 bytes of stor by lbates_35476 · 2011-08-18 15:46 · Score: 1

4GB hard drives? Is this 2001 or did you mean 4TB drives?
Re:The AES-128 "crack" requires 2^88 bytes of stor by gstrickler · 2011-08-18 16:30 · Score: 1

Well, here's a better visual. Using 2TB (2^41 bits), you would need 2^47 drives. Using 3.5" (1" x 4" x 5.25") drives, arranged into cubes 24 high x 6 wide x 4 deep (allowing ~1/4" for power and data cables on the depth), you get 476 drives in a 24" cube (2'). For simplicity, let's call it 256 (2^8) drives in a 2' cube, allowing some space for cooling and mounting hardware. That means you need 2^39 such cubes. That's a cube 2^13 (8192) x 2' on each side. 8192 x 2 = 16384' = ~ 3.1mi (~5km) per side. That's 4x as high as the tallest building in the world and larger than the largest "downtown" in the world. Alter the shape into a more conical structure and you have a literal mountain of hard drives.

--
make imaginary.friends COUNT=100 VISIBLE=false
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-18 16:55 · Score: 0

How would it be log(n)? They are just precomputing a bunch of plaintext-ciphertext pairs and storing them in a hash table. Hash tables are constant time access.
Re:The AES-128 "crack" requires 2^88 bytes of stor by AchilleTalon · 2011-08-18 17:23 · Score: 1

And on the power consumption side, these will consume about 1 million TW.

--
Achille Talon
Hop!
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-18 17:26 · Score: 0

can you even buy 4gb harddrives?
Re:The AES-128 "crack" requires 2^88 bytes of stor by complete+loony · 2011-08-18 17:36 · Score: 1

135TB in a 4U Blackblaze storage pod, 280 rack units in a 20' x 8' [ ... x 8' high? ] shipping container, gives 9.5PB or log2(135 * 8 * 10^12 * 280 / 4) 2^56 bits of raw online storage.
So now you *only* need 4 billion (2^32) shipping containers... yeah right. Stacking them 8 high, with no space for walkways or roads, would cover an area at least 55 miles on each side.

--
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Re:The AES-128 "crack" requires 2^88 bytes of stor by flonker · 2011-08-18 18:29 · Score: 4, Funny

The NSA called. They deny that any such data center exists.
Yet more milking of the GreatCow (TM) by GrandTeddyBearOfDoom · 2011-08-18 19:07 · Score: 1

It seems that those who know that in a Universe containing Humans who have Free Will and Choice, P actually equals NP since the Human Mind is a Nondeterministic Universal Machine which permeates Universal Computability. A functional NDTM chooses by irreducible free will. A computer can harness this by taking input from its user. Without human users, AI is weak, but together WE ARE STRONG! Hoom.

--
-- The Grand Teddy Bear has Spoken: "Windows 8 Source Code Available NOW! more disgusting than your pr..."
Re:The AES-128 "crack" requires 2^88 bytes of stor by Psilax · 2011-08-18 19:16 · Score: 1

Is my math wrong but i come to different numbers:

20'x8'
135TB * 280 = 36.9 PB
2^88 Bytes = 274 877 906 944 PB
=> ~ 7.5 Billion shipping containers

1 container = 160 ft => 1miles = ~174240 containers => ~43000miles
=> stack 8 high => 5380miles => 73 miles to each side

40'x8'
135TB * 1400 = 184.6PB
=> ~ 1.5 Billion shipping containers
1 container = 320ft => 1 miles = ~87120 containers => ~17220miles
=> stack 8 high => 2152miles => 47 miles to each side

maybe there is some space left beneath area 51
Broken by Microsoft?? by AftanGustur · 2011-08-18 19:19 · Score: 3, Informative

If you choose to believe some of the articles, it was Microsoft who "broke" this encryption algorithm.
However, if you read the actual research paper the first page explicitly explains the relation between Microsoft and the researchers as "The authors were visiting Microsoft Research Redmond while working on these results."

--
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
1. Re:Broken by Microsoft?? by AftanGustur · 2011-08-18 19:39 · Score: 1
  
  The original press release by KU Leuven can be found Here
  Science Daily correctly summarizes the true meaning of this research: First Flaws in the Advanced Encryption Standard Used for Internet Banking Identified
  
  --
  echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
2. Re:Broken by Microsoft?? by Anonymous Coward · 2011-08-18 22:12 · Score: 0
  
  More specifically, they were watching an MS guy "administering" his win7 pc, that is, playing whack a mole with popups, discovering the panel requiring confirmation to install hidden behind other windows, the multiple update naggings, and suddenly.... cracking AES seemed soooo easy.
3. Re:Broken by Microsoft?? by Anonymous Coward · 2011-08-18 22:18 · Score: 1
  
  Dmitry Khovratovich is a Microsoft Researcher and the other two are from Dutch Katholieke Universiteit visiting MSR.
4. Re:Broken by Microsoft?? by owlstead · 2011-08-18 23:38 · Score: 1
  
  Yeah, I didn't expect they were looking at Windows 7 search to find anything. I expect they were just visiting Niels Ferguson and got talked over to include Microsoft in the paper.
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-18 19:41 · Score: 0

Hash tables are constant time access.
That's true in your PC, but it's not true on the scale we're talking about. ;)
Once you leave the confines of the PC, it's a bit more obvious that memory access is O(memory-bits). Imagine that you're doing memory-mapped IO across a serial bus (e.g. USB or SATA). Keep doubling the number of external hard drives until you get it.
---
p.s. Now imagine an array of memory units (DRAM modules or hard drives) too large to fit on the planet. Suddenly the speed of light delays are going to start eating your lunch, and you'll have to start worrying about O(cube-root(bits)) average speed-of-light propagation delay. Keep multiplying the number of memory units by 8 until you get it.
p.p.s. No fair imagining that the array is so massive that it becomes a black hole.
Re:The AES-128 "crack" requires 2^88 bytes of stor by complete+loony · 2011-08-18 20:30 · Score: 1

That's a 135TB, *4U* server. And I was counting 2^88 data storage as bits not bytes, though I'm not sure if the paper specifies the size of a data object anywhere. So (( 2^32 / 8 ) * 20' * 8' )^1/2 = 293K feet per side.
The blackblaze is a full length server case, so you wouldn't fit 1400 of them into the 40' container.

--
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Key schedule by Anonymous Coward · 2011-08-18 20:39 · Score: 0

Every single attack against AES that I have heard of until this date has taken advantage of some weaknesses in the key schedule. This one is no different. It seems like it is about time to design a new key schedule for AES while keeping the main cipher the same. The new key schedule should be a pseudorandom function generated from the key to avoid those attacks that reconstruct the key schedule after memory has been turned off for a little while and some of the bits in the schedule has been corrupted. If the key schedule wasn't so regular it would only take very few corrupted bits in the schedule before it is faster to brute force the key than to figure out which of the bits in the schedule are corrupted.
Obviously a pseudorandom key schedule would be much slower than the current key schedule. But for most uses you will encrypt a lot of data once you have set up the schedule, so a more expensive schedule is an acceptable price. Personally I'd look a little bit on blowfish for inspiration on how to make a strong key schedule.
If a new key schedule is defined, I think it might be worthwhile to increase the number of rounds a little bit. It seems the initial safety margin was a bit on the small side. This of course will not just slow down generation of the key schedule but also slow down the main cipher. But that may be a price worth paying.
Hopefully hardware to compute AES was designed in a way that you can give it a key schedule generated in a different way, and tell it how many rounds to use. If hardware was limited to exactly the three numbers used by the original AES, that would be unfortunate. If such hardware is known to exist the new number of rounds could be decided as follows. 128 bit key, 14 rounds. 192 bit key, 14 rounds. 256 bit key 20 rounds. That way hardware that is able to do 14 rounds (currently used with 256 bit keys) will work for 128 and 192 bit keys, and hardware that is able to do 10 rounds (currently used with 128 bit keys) will work for the 256 bit keys by using it twice.
1. Re:Key schedule by Joce640k · 2011-08-19 02:12 · Score: 1
  
  It's much easier to add a couple more rounds of encryption.
  
  --
  No sig today...
2. Re:Key schedule by Anonymous Coward · 2011-08-19 10:50 · Score: 0
  
  It's much easier to add a couple more rounds of encryption.
  True, but that doesn't solve the problem with being able to recover the key schedule from RAM after it has been powered off for a bit. In fact more rounds means longer key schedule, which again means it is easier to recover from RAM. That is strictly speaking not a vulnerability in the cipher, but it still is an attack vector against some systems. When making an incompatible change it may be better to replace it with something that address all known problems with AES and not just some of them.
  Moreover a better key schedule is better for performance in the majority of cases than increasing the number of rounds enough to get the same level of security. You can both replace the key schedule and increase the number of rounds, that way it doesn't have to be increased as much as it would without a change to the key schedule.
  Notice how previous attacks turned out to result in AES256 being weaker than AES128. The cipher itself was exactly the same except from the more rounds. The only reason an attack like that was possible at all was because the key schedule for AES256 was a bit different and turned out to be weaker.
  You can't make a provably secure cipher, but you can make one that you can prove doesn't get weaker as you increase the key size.
Re:The AES-128 "crack" requires 2^88 bytes of stor by gstrickler · 2011-08-18 20:43 · Score: 1

Some minor corrections to my post above. 2TB is 2^41 bytes (not bits). 3.5" form factor is 1" x 4" x 5.75" (not 5.25").
Someone mentioned power usage. Assuming 5W/drive typical/average power, 5 x 2^47 = ~700TW. This is approximately 47x the 2008 worldwide energy consumption rate.

--
make imaginary.friends COUNT=100 VISIBLE=false
Bits aren't really the issue by Sycraft-fu · 2011-08-18 22:04 · Score: 1

I don't know that you'll ever be able to brute force a 256-bit key, presuming that there are no weaknesses and you get all 256-bits of entropy. I mean the energy levels involved would be, like, galactic (as in the energy contained in a galaxy) in scale. So until we develop a completely different method of computing, that isn't a problem.
The problem comes in when you are able to find weaknesses in the algorithm and break rounds of it, and thus decrease the complexity. So really, more rounds are the more useful thing to have than a larger key. That was one of the criticisms of AES is that it doesn't have a lot of rounds. What is has was determined to be sufficient, and history has bore that out (it is the most analyzed cryptosystem in history and is still strong) but there wasn't the margin that some like Schiner would have liked.
Now in either case the problem you run in to is processor power. Remember that for real world use, you want to be able to do encryption as part of other tasks. I don't want to have my computer sit and do nothing but encryption, I want it to work in the background. Like say I want to use full disk encryption. Ok well that means that the encryption has to run in realtime, in the background. So not only does it need to be able to stream at like 500MB/sec so as to not slow things down, but it really needs to be able to do that without taking up too much of my CPU so my system doesn't bog down.
The more complex the encryption, the harder it is to do that. Get massive key sizes, hundreds of rounds, and you've built some great security margins in, but at what cost? Maybe nobody uses it because it is too damn slow.
In terms of complexity, that is actually a criticism of AES. It is one of the few that has a rather simple and elegant mathematical definition. That worries some cryptographers as it may mean there is a simple mathematical method to reduce the complexity of solving it.
I have a method... by Haedrian · 2011-08-18 22:25 · Score: 1

I have a method to crack them 10 times faster.
Its called using 10 machines.
That said its not going to make much of a difference if you're pressed for time because the universe is going to die of death-heat before you finished.
Re:The AES-128 "crack" requires 2^88 bytes of stor by Quantum_Infinity · 2011-08-18 22:25 · Score: 1

Um, yeah it does. Haven't you heard of Area 51?
REQ: obligatory and germane XKCD plz by catmistake · 2011-08-18 23:12 · Score: 1

tia

--
The Admin and the Engineer
Re:The AES-128 "crack" requires 2^88 bytes of stor by owlstead · 2011-08-18 23:30 · Score: 1

In the time it would take to create such a thing efficiently, it would probably be possible to do it in 1/4th of the size :)
Paranoid take by owlstead · 2011-08-18 23:43 · Score: 1

They build in this weakness to be able to present the paper - one more paper to let your research institute exist! AES is (mostly/partly?) from Leuven.
Nah, just joking, Leuven is pretty well respected, I don't think it will disappear overnight.
Not China? by dwater · 2011-08-19 00:11 · Score: 1

If this was China, you'd all be up in arms, firearms, probably.

--
Max.
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-19 00:18 · Score: 0

You didn't paraphrase them correctly.
The NSA neither denies nor confirms that any such data center or data centers do exist or do not exist.
Re:The AES-128 "crack" requires 2^88 bytes of stor by lyml · 2011-08-19 01:21 · Score: 1

Twenty years ago hard drives were 100 MB. Now they are 2 TB, that's a x20000 increase roughly 2^14 increase. If the trend continues (I have no idea when we will hit a hard wall in storage space) it will probably fit into something the size of a thumb drive in 60 years.
Re:The AES-128 "crack" requires 2^88 bytes of stor by Anonymous Coward · 2011-08-19 01:52 · Score: 0

That's not very far. I can see Saturn from my house.
Re:The AES-128 "crack" requires 2^88 bytes of stor by black+soap · 2011-08-19 02:00 · Score: 1

In the time it would take to create such a thing efficiently, it would probably be possible to do it in 1/4th of the size :)
And in the time it would take the government to build such a thing, it will have become commodity desktop hardware.
rolling the decades by epine · 2011-08-19 04:57 · Score: 1

Now jump forward a decade or two... [] Snap, AES is cracked. Never assume that today's technology will be applied to tomorrow's problems. If you do -- everything you come up with is very likely to be wrong.
Nothing amazes me more about the human condition than the pornographic attraction of not having to think. It's as if our giant brain achieves maximal jizz by turning itself off.
Transmutation of lead into gold has been pondered for at least 300 decades. But it's good to know that in 300+epsilon, mission accomplished. I've never understood the attraction of reverse inference from hubris: find a bunch of stuffed shirts with jumbo pocket protectors yammering as if they had a giant brain (long after they have switched it off), write down all the things they got wrong, conclude the opposite, Bob's your uncle. Genius without effort. Don't add water, lather, rinse, or repeat.
This kind of thing is people who have switched their brain off drawing inference over larger pools of people who switched their brains off. What could go wrong? Nearly every principle of robust statistics is violated by inference on low-hanging counter-examples of hubris pricked.
A few examples higher up the tree: chemical process to transmute lead into gold, faster than light space travel, anti-gravity machine, perpetual motion yielding exploitable work.
If the Babylonians had discovered the fountain of youth, there would be some sprightly poster here with a six digit negative slashdot ID crying out "but I said it could never be done 3000! years ago!! and it still!!! hasn't!!!!" supposing Babylonians are prone to excess with chisel marks.
Suppose I could offer you the wager that if you go without until AES is broken, the gods of well-earned entitlement will deliver 700 air-brushed virgins (of your preference gender) for your eternal pleasure. Would that be enough to turn your brain back on? Or would you grab for a pair of decades and roll the dice?
Of perhaps among the exponential sample space of ridiculous things we haven't invented yet (and never will) some of the problems are impossibly hard independent of our impatience level or proneness to jump to conclusions.
All Turing machines halt if you wait long enough, supposing waiting until it doesn't is the only falsification that meets brain-on-dialtone acceptance standards.
another look at 700 virgins by epine · 2011-08-19 05:22 · Score: 1

Since breaking AES by brute force is about as respectable as pursuit of the fountain of youth, it made me think about my proposal of 700 virgins, assuming they behave like women scorned as you advance through the starving ranks. Since we're in the business of breaking AES by brute force, let's assume we've already solved the problem of living forever. This is a true proposition for testing your faith in the stopping algorithm.
Secretary problem
The probability here is 1-1/e that you'll wind up spending forever-1 nights with the 700'th virgin as not delivered on xmas morning, with a mean memory of 350 other xmas packages who would brighten eternity oh so much better.
Think hard, you're playing for keeps.