Is AES secure enough?

There's been a lot of discussion in the past day or so about the security of the AES encryption algorithm. There's a paper by Alex Biryukov and Dmitry Khovratovich that describes an attack against AES-256 that can be done in much less time that brute-force exhaustion: 2119 trial encryptions instead of 2256. That's a huge difference. Is AES now so weak that we need to worry about it?

Absolutely not.

The attack that Biryukov and Khovratovich found also takes lots of data for it to work. Their attack that can be done in 2119 time also takes the same amount of data: 2119. That's a lot of ciphertexts.

The best estimates that I've seen say that the entire world produces a few exabytes of data per year. This estimate is actually from a few years ago, so it isn't that current. Let's suppose that the amount of data being created doubles each year. If that's the case, we probably have a few zettabytes of data being created per year right now.

A zettabyte is 1021 bytes, or about 270 bytes. That's a lot of data, but it's still a long way from 2119 ciphertexts. This means that an attack that takes that much data is totally impractical. Even if we assume that all of the data in the world is being used in an attack that's trying to recover a single AES key, it's still not enough. It would take roughly the amount of data that the entire world will produce in the next 50 years or so to get the amount of data that we'd need. And even then, the amount of time required is still prohibitive.

It's interesting that Biryukov and Khovratovich found a significant weakness in AES, and their work may give useful insights into how to design better symmetric encryption algorithms, but it's not the sort of weakness that anyone can actually use to actually recover data that's encrypted with AES.

  • Rob Adams

    Even so an attack that eliminates 99.99999999999999999999999999999999999999942602% of the work needed to defeat AES-256 is pretty stunning.


  • Luther Martin

    And the fact that you can cut off 99.99999999999999999999999999999999999999942602% of the work and still have a computation that’s infeasible should give us an idea of exactly how much effort is involved in attacking a cryptographic algorithm.


Leave a Reply

Your email address will not be published. Required fields are marked *