Is AES (or DES) provably secure? What is the hardness assumption underlying these cryptosystems?

Question

I have taken a course in applied Cryptography. I do not understand the hardness problem underlying AES (or DES).

As in RSA is based on the RSA assumption. ElGamal is based on the hardness of descrete logarithm problem. Most of the lattice crypto is based on the LWE assumption which itself is based on the hardness of BDD problem. What is the hardness problem that guaranties the security of AES? (Or DES)

In other words if there is an oracle R that can break AES. Can I use this oracle as a subroutine to solve some really hard problem? If yes, what is the reduction?

Geoffroy Couteau · Accepted Answer · 2017-02-28T20:32:49.013

5

No, there is no reduction from AES to any well-known hardness assumption; in other words, the hypothesis that AES is secure is an assumption by itself.

In fact, this is the case for every practical symmetric cipher that you can think off; provable constructions from a one-way function would be completely impractical.

edited Feb 28 '17 at 20:32

answered Feb 28 '17 at 19:40

Geoffroy Couteau

21,719
2
55
78

Is AES (or DES) provably secure? What is the hardness assumption underlying these cryptosystems?

1 Answers1