Practical AES attacks get closer

Cryptologists have now developed even more sophisticated attacks on AES encryption systems. According to crypto expert Bruce Schneier, a team consisting of Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich and Adi Shamir have managed to crack reduced versions of AES-256 in practical length of time. Attacking nine-round AES-256 required 2³⁹ time, which is even feasible with an ordinary PC, while ten-round would require 2⁴⁵. The time required for eleven rounds, however, is just above practicality at 2⁷⁰. The attack exploits a vulnerability in the key schedule, a function AES-256 uses to derive sub-keys from the main key.

While the new attacks represent major progress in the cryptanalysis of AES, they are still irrelevant for attacks against real-world AES implementations and this is not only because of the reduced number of rounds (by default, AES-256 uses 14 rounds). Also, the attack is a related-key attack, which means that the attacker must have access to the plaintext of several units of ciphertext encrypted with keys that are related in a specific way. Such scenarios can theoretically only be found, for example, in hard disk encryption and network protocols, where the individual block keys are generated in such a weak way.

That the new methods are completely ineffective, or nearly so, when attacking AES-128, which has the shortest keys, seems at first glance, contradictory. The reason: Long keys provide a bigger target, that is more bits, for the cryptologists to establish mathematical relationships. To maintain the integrity of AES encryption Schneier suggests increasing the number of rounds before the first practical attacks reach reach the number of rounds used by standard AES: from ten to 16 for AES-128, from twelve to 20 for AES-192, and from 14 to 28 for AES-256. However, this considerably slows down the encryption process.

See also:

• "Luxembourg attacks" on AES encryption, a report from The H.

(crve)