Application To Block Ciphers
Courtois and Pieprzyk (2002) observed that AES (Rijndael) and partially also Serpent could be expressed as a system of quadratic equations. The variables represent not just the plaintext, ciphertext and key bits, but also various intermediate values within the algorithm. The S-box of AES appears to be especially vulnerable to this type of analysis, as it is based on the algebraically simple inverse function. Subsequently, other ciphers have been studied to see what systems of equations can be produced (Biryukov and De Cannière, 2003), including Camellia, KHAZAD, MISTY-1 and KASUMI. Unlike other forms of cryptanalysis, such as differential and linear cryptanalysis, only one or two known plaintexts are required.
The XSL algorithm is tailored to solve the type of equation systems that are produced. Courtois and Pieprzyk estimate that an "optimistic evaluation shows that the XSL attack might be able to break Rijndael 256 bits and Serpent for key lengths 192 and 256 bits." Their analysis, however, is not universally accepted. For example:
- "I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael...The method has some merit, and is worth investigating, but it does not break Rijndael as it stands." –Don Coppersmith, .
In AES 4 Conference, Bonn 2004, one of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream." Promptly Courtois answered "It will become your nightmare". However neither any later paper or any actions by the NSA or NIST give any support to this remark by Courtois.
In 2003, Murphy and Robshaw discovered an alternative description of AES, embedding it in a larger cipher called "BES", which can be described using very simple operations over a single field, GF(28). An XSL attack mounted on this system yields a simpler set of equations which would break AES with complexity of around 2100, if the Courtois and Pieprzyk analysis is correct. In 2005 Cid and Leurent gave evidence that, in its proposed form, the XSL algorithm does not provide an efficient method for solving the AES system of equations; however Courtois disputes their findings. At FSE 2007, Chu-Wee Lim and Khoongming Khoo showed that it cannot possibly work as presented.
Even if XSL works against some modern algorithms, the attack currently poses little danger in terms of practical security. Like many modern cryptanalytic results, it would be a so-called "certificational weakness": while faster than a brute force attack, the resources required are still huge, and it is very unlikely that real-world systems could be compromised by using it. Future improvements could increase the practicality of an attack, however. Because this type of attack is new and unexpected, some cryptographers have expressed unease at the algebraic simplicity of ciphers like Rijndael. Bruce Schneier and Niels Ferguson write, "We have one criticism of AES: we don't quite trust the security…What concerns us the most about AES is its simple algebraic structure… No other block cipher we know of has such a simple algebraic representation. We have no idea whether this leads to an attack or not, but not knowing is reason enough to be skeptical about the use of AES." (Practical Cryptography, 2003, pp56–57)
Read more about this topic: XSL Attack
Famous quotes containing the words application to, application and/or block:
“The receipt to make a speaker, and an applauded one too, is short and easy.—Take of common sense quantum sufficit, add a little application to the rules and orders of the House, throw obvious thoughts in a new light, and make up the whole with a large quantity of purity, correctness, and elegancy of style.”
—Philip Dormer Stanhope, 4th Earl Chesterfield (1694–1773)
“My business is stanching blood and feeding fainting men; my post the open field between the bullet and the hospital. I sometimes discuss the application of a compress or a wisp of hay under a broken limb, but not the bearing and merits of a political movement. I make gruel—not speeches; I write letters home for wounded soldiers, not political addresses.”
—Clara Barton (1821–1912)
“It is, in both cases, that a spiritual life has been imparted to nature; that the solid seeming block of matter has been pervaded and dissolved by a thought; that this feeble human being has penetrated the vast masses of nature with an informing soul, and recognised itself in their harmony, that is, seized their law. In physics, when this is attained, the memory disburthens itself of its cumbrous catalogues of particulars, and carries centuries of observation in a single formula.”
—Ralph Waldo Emerson (1803–1882)