Application To Block Ciphers
Courtois and Pieprzyk (2002) observed that AES (Rijndael) and partially also Serpent could be expressed as a system of quadratic equations. The variables represent not just the plaintext, ciphertext and key bits, but also various intermediate values within the algorithm. The S-box of AES appears to be especially vulnerable to this type of analysis, as it is based on the algebraically simple inverse function. Subsequently, other ciphers have been studied to see what systems of equations can be produced (Biryukov and De Cannière, 2003), including Camellia, KHAZAD, MISTY-1 and KASUMI. Unlike other forms of cryptanalysis, such as differential and linear cryptanalysis, only one or two known plaintexts are required.
The XSL algorithm is tailored to solve the type of equation systems that are produced. Courtois and Pieprzyk estimate that an "optimistic evaluation shows that the XSL attack might be able to break Rijndael 256 bits and Serpent for key lengths 192 and 256 bits." Their analysis, however, is not universally accepted. For example:
- "I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael...The method has some merit, and is worth investigating, but it does not break Rijndael as it stands." –Don Coppersmith, .
In AES 4 Conference, Bonn 2004, one of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream." Promptly Courtois answered "It will become your nightmare". However neither any later paper or any actions by the NSA or NIST give any support to this remark by Courtois.
In 2003, Murphy and Robshaw discovered an alternative description of AES, embedding it in a larger cipher called "BES", which can be described using very simple operations over a single field, GF(28). An XSL attack mounted on this system yields a simpler set of equations which would break AES with complexity of around 2100, if the Courtois and Pieprzyk analysis is correct. In 2005 Cid and Leurent gave evidence that, in its proposed form, the XSL algorithm does not provide an efficient method for solving the AES system of equations; however Courtois disputes their findings. At FSE 2007, Chu-Wee Lim and Khoongming Khoo showed that it cannot possibly work as presented.
Even if XSL works against some modern algorithms, the attack currently poses little danger in terms of practical security. Like many modern cryptanalytic results, it would be a so-called "certificational weakness": while faster than a brute force attack, the resources required are still huge, and it is very unlikely that real-world systems could be compromised by using it. Future improvements could increase the practicality of an attack, however. Because this type of attack is new and unexpected, some cryptographers have expressed unease at the algebraic simplicity of ciphers like Rijndael. Bruce Schneier and Niels Ferguson write, "We have one criticism of AES: we don't quite trust the security…What concerns us the most about AES is its simple algebraic structure… No other block cipher we know of has such a simple algebraic representation. We have no idea whether this leads to an attack or not, but not knowing is reason enough to be skeptical about the use of AES." (Practical Cryptography, 2003, pp56–57)
Read more about this topic: XSL Attack
Famous quotes containing the words application to, application and/or block:
“The receipt to make a speaker, and an applauded one too, is short and easy.—Take of common sense quantum sufficit, add a little application to the rules and orders of the House, throw obvious thoughts in a new light, and make up the whole with a large quantity of purity, correctness, and elegancy of style.”
—Philip Dormer Stanhope, 4th Earl Chesterfield (1694–1773)
“We will not be imposed upon by this vast application of forces. We believe that most things will have to be accomplished still by the application called Industry. We are rather pleased, after all, to consider the small private, but both constant and accumulated, force which stands behind every spade in the field. This it is that makes the valleys shine, and the deserts really bloom.”
—Henry David Thoreau (1817–1862)
“Painting consumes labour not disproportionate to its effect; but a fellow will hack half a year at a block of marble to make something in stone that hardly resembles a man. The value of statuary is owing to its difficulty. You would not value the finest head cut upon a carrot.”
—Samuel Johnson (1709–1784)