[tahoe-dev] AES-256 is looking worse

Zooko O'Whielacronx zookog at gmail.com
Fri Jul 31 09:21:06 PDT 2009


Folks:

I've already been investigating for a long time the possibility of
switching from AES-256 to XSalsa20 for future versions of Tahoe-LAFS.
Today's announcement that AES-256 is weaker than we previously thought
makes the issue more urgent.  Here's a blog entry I just posted about
this (also appended):

http://testgrid.allmydata.org:3567/uri/URI:DIR2-RO:j74uhg25nwdpjpacl6rkat2yhm:kav7ijeft5h7r7rxdp5bgtlt3viv32yabqajkrdykozia5544jqa/wiki.html

Regards,

Zooko

------- begin appended blog entry

Wow!  Cryptographers have devised even more effective ways to crack a
weakened variant of AES-256: Schneier's blog entry
<http://www.schneier.com/blog/archives/2009/07/another_new_aes.html>.
This doesn't mean that anyone who is currently relying on AES is
vulnerable, but it does increase the likelihood that in the future
someone will come up with a way to crack the full-strength AES.  This
means that for long-term storage (such as in the Tahoe-LAFS storage
system <http://allmydata.org>), it might be better to encrypt with a
stronger cipher such as Salsa20 (actually XSalsa20, which is just
Salsa20 with a larger initialization vector) or, as Bruce Schneier
suggests, AES with extra rounds.

It is ironic that AES-256 is the only algorithm approved for TOP
SECRET by the U.S. government (AES-128 is approved for SECRET but not
for TOP SECRET). AES-256 has now been revealed as being weaker than
AES-128. The other issue is that large-scale practical quantum
computers (if they existed) could crack any cipher with a mere 128-bit
key, but not a good cipher with a 256-bit key. This might mean that
AES-256 would be vulnerable if there were a sufficiently powerful
quantum computer.

That would mean there is now no encryption algorithm which is both
secure against quantum computers and approved by the U.S. government
for TOP SECRET.

I was recently pondering whether the next iteration of Tahoe-LAFS
should switch from AES-256 to XSalsa20.  The benefits I was
considering were that XSalsa20 is probably more secure than AES-256
(see the Tahoe-LAFS Bibliography
<http://allmydata.org/trac/tahoe/wiki/Bibliography>,
especially the practical issue of side-channel attacks) and is
certainly much faster.  The drawbacks were that XSalsa20 is newer and
less widely studied and that it wasn't approved for U.S. government
usage.  This new attack on AES-256 makes my dilemma all the more
pointed.

