Cryptography Reference
not effective. A clear presentation of the algebraic aspects of AES and of the tools
that could eventually be used to mount a successful algebraic attack is given in [49].
We have already mentioned that there is no proof that AES is a pseudo-random
permutation and the same can be said of all other efficient block ciphers used in
practice. In fact, there are some recent attacks that show that AES deviates from the
ideal behavior. One of them is the related-key attack (RKA) presented in [25], which
allows a key-recovery for AES-256 in $2^{99.5}$ steps. In the RKA model, the block cipher
can be queried not only under the target key but also under other keys derived from
it in ways chosen by the adversary, which makes these attacks virtually impossible
to implement in practice and hence not too significant. However, still more recently,
a new attack that does not require related keys and is inspired by the meet-in-the-middle
attacks against hash functions was presented in [32]. This is a key-recovery
attack against AES-128 and requires only $2^{126.1}$ steps. Thus this attack recovers the
key about four times faster than a pure brute-force attack, and a similar advantage
factor holds for the similar attacks against AES-192 and AES-256. These are the
first shortcut attacks on the full AES and, while they have no practical consequences
because of their high complexity, they should certainly be watched.
In conclusion, the only successful practical attacks against AES so far are side-channel
attacks against specific implementations. Thus, AES is for now considered
secure and, in fact, it was approved to protect classified information by the US
Government in 2003 and included in NSA's Suite B Cryptography ([149]).
4.3 Modes of Operation
Modes of operation are algorithms that allow the encryption of arbitrary-length messages
using a block cipher and, moreover, can provide the non-deterministic encryption
that is necessary to achieve CPA security. Originally, a couple of such modes
were specified for DES and, more recently, NIST specified five confidentiality modes
to be used with symmetric block ciphers and, in particular, with AES (see [68]). In
this section we review these five modes and we show how some of them can be used
to build CPA secure encryption schemes. In particular, we prove that this is the case
for a version of counter mode when used in combination with a block cipher which
is a pseudo-random permutation.
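The contrast described above, as an added example that is not code from the book: block-by-block deterministic encryption repeats ciphertext blocks for repeated plaintext blocks, while a randomized counter mode yields a fresh ciphertext on every call and handles arbitrary lengths. Assumptions: the 4-round Feistel permutation is a toy stand-in for AES, and the function names and the choice of a random 128-bit initial counter sent with the ciphertext are illustrative.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes (128 bits, as for AES)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit permutation (toy Feistel, NOT AES; illustration only)."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """Deterministic: each block is encrypted independently under the key."""
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of 16 bytes")
    return b"".join(toy_encrypt_block(key, msg[i:i + BLOCK])
                    for i in range(0, len(msg), BLOCK))

def _keystream(key: bytes, ctr: int, n: int) -> bytes:
    # Encrypt ctr, ctr+1, ... (mod 2^128) and truncate to n bytes.
    out = b""
    while len(out) < n:
        out += toy_encrypt_block(key, ctr.to_bytes(BLOCK, "big"))
        ctr = (ctr + 1) % (1 << (8 * BLOCK))
    return out[:n]

def ctr_encrypt(key: bytes, msg: bytes) -> bytes:
    """Randomized counter mode: random initial counter, prepended to the output."""
    ctr0 = os.urandom(BLOCK)
    stream = _keystream(key, int.from_bytes(ctr0, "big"), len(msg))
    return ctr0 + _xor(msg, stream)

def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    ctr0, body = ct[:BLOCK], ct[BLOCK:]
    return _xor(body, _keystream(key, int.from_bytes(ctr0, "big"), len(body)))
```

Only the forward direction of the block cipher is used in counter mode, which is why no block-decryption function is needed here.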
4.3.1 Confidentiality Modes
Next, we describe the five confidentiality modes specified in [68].
 