Application To Block Ciphers
Courtois and Pieprzyk (2002) observed that AES (Rijndael) and partially also Serpent could be expressed as a system of quadratic equations. The variables represent not just the plaintext, ciphertext and key bits, but also various intermediate values within the algorithm. The S-box of AES appears to be especially vulnerable to this type of analysis, as it is based on the algebraically simple inverse function. Subsequently, other ciphers have been studied to see what systems of equations can be produced (Biryukov and De Cannière, 2003), including Camellia, KHAZAD, MISTY-1 and KASUMI. Unlike other forms of cryptanalysis, such as differential and linear cryptanalysis, only one or two known plaintexts are required.
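The claim that the inverse-based S-box yields quadratic equations can be checked directly. The following Python code is an added example, not part of the original article, and its function names are its own. It counts the linearly independent equations over GF(2) that are built from the monomials 1, x_i, y_j and x_i·y_j and hold for every input/output pair of the inversion map. It assumes only the inversion step; the S-box's affine layer is left out because an affine change of the output variables does not alter the count.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1 (AES field); names below are this example's own

def gf_mul(a, b):  # multiply two elements of GF(2^8) modulo AES_POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_inv(x):
    """The S-box's core map x -> x^254: the field inverse, with 0 -> 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, x)
    return r

def field_relations_hold():
    """x*y = 1 for x != 0, and x^2*y = x for every x (including 0)."""
    return all((x == 0 or gf_mul(x, gf_inv(x)) == 1)
               and gf_mul(gf_mul(x, x), gf_inv(x)) == x for x in range(256))

def monomial_row(x, y):
    """Values of the 81 monomials 1, x_i, y_j, x_i*y_j, packed into one int."""
    xb = [(x >> i) & 1 for i in range(8)]
    yb = [(y >> j) & 1 for j in range(8)]
    vals = [1] + xb + yb + [a & b for a in xb for b in yb]
    return sum(v << k for k, v in enumerate(vals))

def gf2_rank(rows):
    """Rank over GF(2) of bitmask rows, via an XOR basis keyed by leading bit."""
    basis = {}
    for row in rows:
        while row:
            lead = row.bit_length() - 1
            if lead not in basis:
                basis[lead] = row
                break
            row ^= basis[lead]
    return len(basis)

def count_independent_equations():
    """Equations c . m(x, y) = 0 that hold on all 256 input/output pairs."""
    rows = [monomial_row(x, gf_inv(x)) for x in range(256)]
    return 81 - gf2_rank(rows)

print(count_independent_equations())  # 81 monomials minus rank 58 = 23
```

The count is a statement about a single S-box only; whether the much larger system that XSL builds from such equations has enough independent equations is the point disputed in the rest of this section.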
The XSL algorithm is tailored to solve the type of equation systems that are produced. Courtois and Pieprzyk estimate that an "optimistic evaluation shows that the XSL attack might be able to break Rijndael 256 bits and Serpent for key lengths 192 and 256 bits." Their analysis, however, is not universally accepted. For example:
- "I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael...The method has some merit, and is worth investigating, but it does not break Rijndael as it stands." –Don Coppersmith
At the AES 4 Conference, Bonn 2004, one of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream." Courtois promptly answered, "It will become your nightmare". However, neither any later paper nor any actions by the NSA or NIST give any support to this remark by Courtois.
In 2003, Murphy and Robshaw discovered an alternative description of AES, embedding it in a larger cipher called "BES", which can be described using very simple operations over a single field, GF(2^8). An XSL attack mounted on this system yields a simpler set of equations which would break AES with complexity of around 2^100, if the Courtois and Pieprzyk analysis is correct. In 2005, Cid and Leurent gave evidence that, in its proposed form, the XSL algorithm does not provide an efficient method for solving the AES system of equations; however, Courtois disputes their findings. At FSE 2007, Chu-Wee Lim and Khoongming Khoo showed that it cannot possibly work as presented.
Even if XSL works against some modern algorithms, the attack currently poses little danger in terms of practical security. Like many modern cryptanalytic results, it would be a so-called "certificational weakness": while faster than a brute force attack, the resources required are still huge, and it is very unlikely that real-world systems could be compromised by using it. Future improvements could increase the practicality of an attack, however. Because this type of attack is new and unexpected, some cryptographers have expressed unease at the algebraic simplicity of ciphers like Rijndael. Bruce Schneier and Niels Ferguson write, "We have one criticism of AES: we don't quite trust the security…What concerns us the most about AES is its simple algebraic structure… No other block cipher we know of has such a simple algebraic representation. We have no idea whether this leads to an attack or not, but not knowing is reason enough to be skeptical about the use of AES." (Practical Cryptography, 2003, pp. 56–57)