Cryptography Reference
An 'alarmingly interesting' article by Niels Ferguson, Richard Schroeppel, and
Doug Whiting of May 2001 [FergSchrWhit] shows vividly that this is far from
being paranoia. The article describes how an astonishingly simple representation
of the Rijndael transformation as a sum of continued fractions can be
found. Though there would then be about 2^25 (well over 33 million) five-step
continued fractions on either side of the equation, if it helped to mount an
attack, then such an attack would perhaps be practically feasible. However,
nobody yet has any idea what this attack would look like.
Another work by Nicolas Courtois and Josef Pieprzyk that appeared in 2002
[CourtPiep] (see also eprint.iacr.org/2002/044) caused quite some hurly-burly.
The so-called XSL (Extended Sparse Linearization) method exploits the fact
that AES can be represented as a system of 8000 quadratic equations with 1600
variables. A number of scientists (including Don Coppersmith, among others)
heavily criticized this article. The main arguments were that the cost required
was impossible to estimate, and that the method was not demonstrated in a
practical example. It seems that the attack in the form presented does not
represent a risk in practice. However, I find four points pretty alarming:
- Attacks always improve; they never deteriorate.
- In addition to AES, it would be Serpent, of all candidates, the AES
  finalist estimated to be the most secure, that would be vulnerable to
  this method, if it really works.
- This attack would require only a few plaintexts, in contrast to differential
  and linear cryptanalysis. If the computational effort could be reduced to
  something realistic, then this would be the first practicable attack against
  a modern algorithm — and then AES of all algorithms!
- Also in contrast to differential and linear cryptanalysis, the number of
  rounds or keys does not play a significant role. This is alarming in view
  of the fact that increasing the number of rounds and/or the key length
  was thought to be a 'secure bank'.
Current and qualified information about this issue can also be found in Wikipedia
at en.wikipedia.org/wiki/XSL_attack.
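The following added example is not from the book and goes one step beyond the text: it shows where quadratic equations of the kind XSL relies on come from, by counting the linearly independent quadratic relations over GF(2) that hold between the input and output bits of a single AES S-box. All function and constant names are chosen for this illustration; the resulting counts (23 bi-affine, 39 fully quadratic) agree with those given by Courtois and Pieprzyk.

```python
from itertools import combinations

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """S-box = field inverse (with 0 -> 0) followed by the AES affine map."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = 0x63
        for k in range(5):  # inv ^ rotl(inv, 1) ^ ... ^ rotl(inv, 4) ^ 0x63
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s)
    return box

def gf2_rank(rows):
    """Rank over GF(2); each row is an int used as a bit vector."""
    basis = {}  # leading bit position -> reduced row
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in basis:
                basis[h] = r
                break
            r ^= basis[h]
    return len(basis)

# Index pairs into v, where v[0..7] are input bits x_i and v[8..15] output bits y_j.
BIAFFINE = [(i, j) for i in range(8) for j in range(8, 16)]  # x_i*y_j only
ALL_QUADRATIC = list(combinations(range(16), 2))  # adds x_i*x_j and y_i*y_j

def count_relations(sbox, pairs):
    """Return (monomials, independent equations) that hold for every input."""
    rows = []
    for x, y in enumerate(sbox):
        v = [(x >> i) & 1 for i in range(8)] + [(y >> i) & 1 for i in range(8)]
        mono = [1] + v + [v[i] & v[j] for i, j in pairs]
        rows.append(int("".join(map(str, mono)), 2))
    t = 1 + 16 + len(pairs)
    return t, t - gf2_rank(rows)  # dimension of the space of vanishing sums

if __name__ == "__main__":
    print(count_relations(aes_sbox(), BIAFFINE), count_relations(aes_sbox(), ALL_QUADRATIC))
```

Each row of the matrix is one of the 256 input/output pairs and each column one monomial, so a linear dependency among the columns is an equation that the S-box satisfies for every input.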
So it is understandable indeed that people are justly worried about the strikingly
simple structure of Rijndael. One should bear in mind that there are algorithms
other than AES. My personal tip: Twofish.