Time+Place: Thursday 24/12/2009 14:30 Room 337-8 Taub Bld.
Title: Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds
Speaker: Orr Dunkelman http://www.wisdom.weizmann.ac.il/~orrd/
Affiliation: Weizmann Institute
Host: Johann Makowsky

Abstract:


AES is the best known and most widely used block cipher. Its three versions
(AES-128, AES-192, and AES-256) differ in their key sizes (128 bits, 192
bits and 256 bits) and in their number of rounds (10, 12, and 14,
respectively). In the case of AES-128, there is no known attack which is
faster than the 2^{128} complexity of exhaustive search. However, AES-192
and AES-256 were recently shown to be breakable by attacks which require
2^{176} and 2^{100} time, respectively. While these complexities are much
faster than exhaustive search, they are completely non-practical, and do not
seem to pose any real threat to the security of AES-based systems.

In this talk we describe several attacks which can break with practical
complexity variants of AES-256 whose number of rounds are comparable to that
of AES-128. One of our attacks uses only two related keys and 2^{39} time to
recover the complete 256-bit key of a 9-round version of AES-256 (the best
previous attack on this variant required 4 related keys and 2^{120} time).
Another attack can break a 10 round version of AES-256 in 2^{45} time, but
it uses a stronger type of related subkey attack (the best previous attack
on this variant required 64 related keys by these attacks, the fact that
their hybrid (which combines the smaller number of rounds from AES-128 along
with the larger key size from AES-256) can be broken with such a low
complexity raises serious concern about the remaining safety margin offered
by the AES family of cryptosystems.

This is joint work with Alex Biryukov, Nathan Keller, Dmitry Khovratovich,
and Adi Shamir.