1. AES seems weak. 2. Linear time secure cryptography
نویسنده
چکیده
We describe a new simple but more powerful form of linear cryptanalysis. It appears to break AES (and undoubtably other cryptosystems too, e.g. SKIPJACK). The break is “nonconstructive,” i.e. we make it plausible (e.g. prove it in certain approximate probabilistic models) that a small algorithm for quickly determining AES-256 keys from plaintext-ciphertext pairs exists – but without constructing the algorithm. The attack’s runtime is comparable to performing 64 encryptions where w is the (unknown) minimum Hamming weight in certain binary linear error-correcting codes (BLECCs) associated with AES-256. If w < 43 then our attack is faster than exhaustive key search; probably w < 10. (Also there should be ciphertext-only attacks if the plaintext is natural En-
منابع مشابه
AES-like ciphers: are special S-boxes better then random ones? (Virtual isomorphisms again)
In [eprint.iacr.org/2012/663] method of virtual isomorphisms of ciphers was applied for differential/linear cryptanalysis of AES. It was shown that AES seems to be weak against those attacks. That result can be generalized to AES-like ciphers, which diffusion map is a block matrix, and its block size is the same as the S-box size. S-box is possibly weak if it is affine equivalent to a substitut...
متن کاملProvably Secure Masking of AES
A general method to secure cryptographic algorithms against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any use...
متن کاملComparison between PKI (RSA-AES) and AEAD (AES-EAX PSK) Cryptography Systems for Use in SMS-Based Secure Transmissions
In today’s mobile communication systems, security offered by the network operator is often limited to the wireless link. This means that data delivered through mobile networks are not sufficiently protected. In the particular growing field of interest of machine-to-machine (M2M) communications, these applications typically require a mobile, secure and reliable means of data communication. This ...
متن کاملQuantum Key Distribution Without Sifting
We propose a novel quantum key distribution protocol that uses AES to expand an initial secret, allowing us to individually authenticate every qubit, with tags that are efficient to construct. In exchange for an increase in the amount of classical data to be transmitted, the tags can be handled such that they allow secure key generation from two photon states, and make BB84 exactly 100% efficie...
متن کاملStructural Evaluation of AES and Chosen-Key Distinguisher of 9-Round AES-128
While the symmetric-key cryptography community has now a good experience on how to build a secure and efficient fixed permutation, it remains an open problem how to design a key-schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario ...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2007 شماره
صفحات -
تاریخ انتشار 2007