Learn How to Break AES
21 comments
March 4, 2025 · underdeserver
tialaramex
In fact it is IMO unlikely this primitive will ever be broken. Its predecessor, DES, was "broken" only in the sense that it was intended to be possible to break it with enough computing power when it shipped, as a NOBUS (Nobody But Us can break it) by the US government. In 1975 this is a NOBUS; in 2025 it's basically saying "Please hack us, China", so we don't do that any more.
Although cryptanalysis of DES did reveal some flaws, the actual breaks, including the ones you'd use today if tasked to break DES at scale, all target exactly the two deliberately chosen weaknesses from when it was designed 50 years ago: its keys are too small and its block size is too short. That's all, and that's enough.
In AES neither of these flaws is present, hence I am not alone in thinking we probably won't ever build another one.
You might think well, in 50 years we'll have better computers so that's dumb. Nope. Unless there's an actual mathematical break what runs out isn't mere human ingenuity, it's plain physics.
cakealert
Modern ciphers including AES subscribe to the philosophy of using a simple round and then repeat it a bunch of times.
While this is most likely sound (due to the sensitivity to initial conditions aka avalanche effect) there is a small chance that this creates a mathematical structure that will one day get exploited.
AES is even more vulnerable to this chance than usual because it actually uses mathematical functions for several of its components (the sbox and the 32-bit linear permutation). No one has been able to exploit this combination yet though.
Contrast this with SHA-2 for example, it's an unbalanced Feistel permutation that had a lot of 'random' nonlinear crap thrown in. SHA-2 can actually be used as a block cipher (SHACAL-2) however there is no HW acceleration for the inverse permutation - so you would be limited to CTR-like modes.
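A worked illustration of the algebraic components cakealert refers to, added here as an editor's example (not code from the article or from any commenter): it rebuilds the AES S-box from the GF(2^8) inverse followed by the fixed affine map of FIPS-197, and MixColumns as multiplication by a circulant matrix over the same field, then checks the result against values quoted in FIPS-197 ({57}·{83} = {c1}, S({53}) = {ed}) and the widely circulated MixColumns vector db 13 53 45 → 8e 4d a1 bc.

```python
# Added example (not from the article or any commenter): the AES S-box and
# MixColumns rebuilt from their algebraic definitions in FIPS-197 and checked
# against published values. Pure Python, no dependencies.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial of AES's GF(2^8)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8) modulo AES_POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return result & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); FIPS-197 defines inv(0) = 0."""
    if a == 0:
        return 0
    # In a field of 256 elements a^255 = 1, so a^254 = a^-1.
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def sbox(x: int) -> int:
    """SubBytes on one byte: field inversion followed by the fixed affine map
    b -> b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63 (FIPS-197 5.1.1)."""
    b = gf_inv(x)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


SBOX = [sbox(x) for x in range(256)]
INV_SBOX = [0] * 256
for _x, _y in enumerate(SBOX):
    INV_SBOX[_y] = _x


def mul_circulant(first_row, col):
    """Multiply a 4-byte column by the 4x4 circulant matrix whose first row is
    `first_row`, using GF(2^8) arithmetic. MixColumns is first_row = (02,03,01,01),
    i.e. multiplication by {03}x^3 + {01}x^2 + {01}x + {02} modulo x^4 + 1."""
    out = []
    for r in range(4):
        acc = 0
        for c in range(4):
            acc ^= gf_mul(first_row[(c - r) % 4], col[c])
        out.append(acc)
    return out


MIX = (0x02, 0x03, 0x01, 0x01)
INV_MIX = (0x0E, 0x0B, 0x0D, 0x09)  # first row of the inverse matrix (FIPS-197 5.3.3)


def mix_column(col):
    return mul_circulant(MIX, col)


def inv_mix_column(col):
    return mul_circulant(INV_MIX, col)


def check_against_fips197() -> bool:
    """Values quoted in FIPS-197 ({57}*{83} = {c1}, S(53) = ed, S(00) = 63), the
    widely circulated MixColumns vector db 13 53 45 -> 8e 4d a1 bc, and the
    round-trip properties that make decryption possible."""
    ok = gf_mul(0x57, 0x83) == 0xC1
    ok &= SBOX[0x53] == 0xED and SBOX[0x00] == 0x63
    ok &= mix_column([0xDB, 0x13, 0x53, 0x45]) == [0x8E, 0x4D, 0xA1, 0xBC]
    ok &= all(INV_SBOX[SBOX[x]] == x for x in range(256))
    ok &= all(inv_mix_column(mix_column([x, x ^ 0x5A, 0xFF - x, x >> 1]))
              == [x, x ^ 0x5A, 0xFF - x, x >> 1] for x in range(256))
    return bool(ok)


if __name__ == "__main__":
    print("S-box row 0:", " ".join(f"{v:02x}" for v in SBOX[:16]))
    print("FIPS-197 checks pass:", check_against_fips197())
```

The point of generating the table instead of pasting it is that every byte of the S-box is determined by two closed-form operations (inversion in GF(2^8), then an affine map), and MixColumns is a fixed linear map over the same field; that is the "mathematical structure" the comment above is talking about, and it is also why AES can be written as a system of low-degree equations, even though nobody has found a way to solve that system faster than brute force.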
tptacek
Exploitable mathematical structure arising purely from the concept of an iterated cipher is probably what Nick meant there by "an actual mathematical break". SHACAL-2 is also an iterated cipher with a relatively simple round structure.
hinkley
> in 2025 it's basically saying "Please hack us China" so we don't do that any more.
It took almost two decades to explain that to sitting presidents and Congress.
'We' have been telling 'them' that shit won't scale since at least the 90's.
Everyone forgets about Al Gore's black sheep - the Clipper Chip.
randomtoast
Grover's algorithm can brute-force a 128-bit symmetric cryptographic key in roughly 2^64 iterations (on a quantum computer, which we will likely have in 50 years), instead of 2^128. Now, let's find another attack vector (maybe with the help of AI) that reduces the 64 a bit and you are in the realm of feasibility.
adgjlsfhk1
2^64 work that is non-parallelizable isn't a threat. 64 bits of classical security is insufficient because computers can do thousands of operations in parallel, and you can combine the effort of millions of computers. Grover's algorithm gives you a sequential complexity of 2^64, so if you have a quantum computer with a clock speed of 20 GHz (current quantum computers are in the kHz to low MHz range), and you pretend that the quantum computer can process 14 rounds of AES per clock cycle (in reality it would be hundreds of cycles), it will take a quantum computer running for 30 years continuously to crack a single key (and if the temperature ever rises one millionth of a degree or the computer loses power for a nanosecond, you have to start over).
metacritic12
But everyone will upgrade to AES-256 (many systems already have), and that truly will be the final symmetric algo, even with Moore's law.
userbinator
Certainly one of the most clickbaity titles I've seen.
tptacek
David Wong hasn't been at NCC Cryptography for a long time, so I assume we'll be waiting a long time before we get to Linear and Differential cryptanalysis, but if that's a thing you're interested in, what you want is the Heys tutorial:
http://www.cs.bc.edu/~straubin/crypto2017/heys.pdf
My recommendation: print it out to a PDF with huge margins so you can make notes, and then work through all the worked examples.
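For anyone about to work through the Heys tutorial linked above, the first thing it has you compute is the difference distribution table and linear approximation table of its 4-bit S-box. Here is that computation as an added example (editor's code, not from the tutorial, the article or any commenter); the S-box values are the ones the tutorial uses. The two observations the tutorial builds its attacks on, that input difference B produces output difference 2 for 8 of the 16 inputs and that X1 ⊕ X3 ⊕ X4 = Y2 holds for 12 of 16 inputs (bias +1/4), fall straight out of these tables.

```python
# Added example (editor's code, not from the Heys tutorial or the article):
# difference distribution and linear approximation tables for the 4-bit S-box
# used throughout Heys's tutorial, plus a search for the best entries, which is
# step one of both differential and linear cryptanalysis of an SPN.

# The S-box from Heys's tutorial (input 0..F -> output), written in hex.
HEYS_SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
             0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] counts the inputs x for which
    S(x) ^ S(x ^ dx) == dy. Row dx = 0 trivially puts all 16 at dy = 0."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def lat(sbox):
    """Linear approximation table in Heys's convention: lat[a][b] is the number
    of x for which a.x == b.S(x) (dot products over GF(2)) minus n/2, so the
    bias of the approximation (a, b) is lat[a][b] / n."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(n))
            table[a][b] = agree - n // 2
    return table


def best_differential(table):
    """Highest-count (dx, dy, count) with dx != 0; dx = 0 is the trivial row."""
    best = (0, 0, -1)
    for dx in range(1, len(table)):
        for dy, count in enumerate(table[dx]):
            if count > best[2]:
                best = (dx, dy, count)
    return best


def best_linear(table):
    """(a, b, bias_numerator) with a, b != 0 maximising |bias|."""
    best = (0, 0, 0)
    for a in range(1, len(table)):
        for b in range(1, len(table)):
            if abs(table[a][b]) > abs(best[2]):
                best = (a, b, table[a][b])
    return best


def fmt(table):
    return "\n".join(" ".join(f"{v:3d}" for v in row) for row in table)


if __name__ == "__main__":
    d, l = ddt(HEYS_SBOX), lat(HEYS_SBOX)
    print("DDT (rows dx, columns dy):\n" + fmt(d))
    print("LAT (count - 8; rows input mask, columns output mask):\n" + fmt(l))
    dx, dy, c = best_differential(d)
    print(f"best differential: {dx:X} -> {dy:X} with probability {c}/16")
    a, b, e = best_linear(l)
    print(f"best linear approximation: masks {a:X} -> {b:X}, bias {e}/16")
```

Masks follow the tutorial's bit numbering, with X1 the most significant input bit, so "X1 ⊕ X3 ⊕ X4 = Y2" is input mask 1011 = B and output mask 0100 = 4. Both functions are generic over the S-box size, so the same code produces the 256×256 tables for the AES S-box (where the maximum DDT entry is 4, the property the designers chose the inverse map for); the rest of the tutorial is about chaining these single-S-box entries through the permutation layer into a characteristic over several rounds.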
MontagFTB
If you're interested in this sort of thing, I cannot recommend the cryptopals crypto challenges enough. They are a series of projects that take you from XOR up through breaking AES and beyond:
cinntaile
You also have https://cryptohack.org/
Retr0id
Neat, I'm looking forward to the Differential Cryptanalysis portion! It's something I've tried to learn in the past but I've been struggling to find approachable resources.
alabhyajindal
This looks very nice! Thank you!
I'm currently taking Cryptography at university and I find the resources online to be quite scarce. I mostly find myself reading Wikipedia. I don't know if I'm missing some background knowledge but some of the math notations tend to be quite difficult to understand. I have spent around 10 hours trying to understand Differential Cryptanalysis unsuccessfully!
__alexander
If you haven’t seen it already, check out “Understanding Cryptography: A Textbook for Students and Practitioners”. Probably one of the best and most approachable books on cryptography. Plus all the lectures are on YouTube, so you can read a chapter and then watch the lecture. Also, with the math notation, you can take a photo of it and ask ChatGPT to try to explain it.
alabhyajindal
Thank you! I'll take a look! Yes, I agree with the suggestion on math notation - I should start doing that.
zelphirkalt
Yeah when it comes to math Wikipedia is rarely a good introduction to any topic. Maybe if one studied mathematics before or something, but definitely not for most other people.
oulipo
Cool! Would be nice to also include side-channel attacks
tptacek
Side channels aren't block cipher cryptanalysis. There's some very basic side channel stuff in Cryptopals, but modern side channel analysis is primarily microarchitectural, which is a significant change in focus, and someone should do a standalone resource on that.
Just in case anyone's wondering, AES - the regular AES-128, 192 or 256 - is not publicly broken (yet).