
Read a post on Schneier's blog (and again in 2011) about increasing the number of rounds for AES from to "AES-128 at 16 rounds, AES-192 at 20 rounds, and AES-256 at 28 rounds" to raise the security. However, I did wonder where these figures came from. According to Schneier, "they're off the top of my head, and certainly not the last word on the topic", and according to a previous topic on Stack Exchange, "more rounds means more security against cryptanalysis, simply, since there is more confusion and diffusion".

My question is:

  1. Could any high number of rounds do for SPN and Feistel ciphers like AES, Serpent or Twofish? Or would/could the ciphers end up being weaker after a certain X number of rounds? Or maybe even repeat some patterns?

  2. How much more secure can AES, Serpent or Twofish become if the number of rounds increases? Would AES, for example, be strong as whatnot if the number of rounds were to be ridiculously increased?

marluh

1 Answer


Usually, more rounds increase security as long as subkeys are independent of each other. That's a critical point.

Consider AES-128 as currently defined, with its ten rounds; that's eleven 128-bit subkeys. Adding six rounds means adding six extra 128-bit subkeys. The original AES-128 is still there. If the six extra subkeys are generated independently of the first eleven subkeys, then they cannot decrease security. Security can thus only increase. However, there are important caveats:

  • In practice, subkeys are not independent of each other. They are produced from the encryption key using a process (the key schedule) which is rather simple and cannot be considered to be a reasonably secure PRNG by itself. The AES key schedule is known to be somewhat weak to analysis, when pushed outside of its intended usage scenario (e.g. it has non-fatal related-key attacks).

  • If extra rounds do not decrease security, there is no guarantee that they will increase security. Personally, I tend to refuse to consider an algorithm stronger than another as long as both are in the "cannot break it" zone. Such comparisons rely on prophetic assumptions on how technology will evolve in the far future, sometimes quite far in the absurd (it makes little sense to compare 230-bit keys with 260-bit keys while still using a hypothetical classical computer, since it would require eating full stars to power it).

Increasing the number of rounds is more about building trust. That's still science, but not computer science; rather psychology. Increasing the number of rounds gives the feeling that "we are doing something against attacks". It is like making some offerings to Nammu, Sumerian goddess of the sea, before going on a cruise; at least, it won't harm -- except for the off-chance that Poseidon gets displeased at your allegiance to the competition... In the case of AES, increasing the number of rounds does lower performance, although this is not significant in most contexts (AES encryption speed is rarely a bottleneck; e.g. Microsoft measured that applying AES-based Transparent Data Encryption on SQL Server implied an average CPU overhead of 3 to 5%, no more).

Thomas Pornin
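An added example (not from the question or from Thomas Pornin's answer): the FIPS-197 AES-128 key schedule written with the number of rounds as a parameter. Running it for 16 rounds shows that the first eleven subkeys are exactly those of standard AES-128, and `recover_key` shows why the extra subkeys are not independent of the original ones: the schedule is an invertible recurrence, so any single subkey determines the whole schedule, master key included. The key used in the test is the FIPS-197 Appendix A.1 example key; the function names are my own.

```python
# Added example (not from the question or answer): the FIPS-197 AES-128 key
# schedule, continued past the standard ten rounds, to show two things the
# answer states: the original eleven subkeys are untouched, and the extra
# subkeys are fully determined by (and invertible back to) the master key.

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_byte(x: int) -> int:
    """AES S-box: multiplicative inverse followed by the fixed affine map."""
    inv = 1
    for _ in range(254):  # x^254 == x^-1 in GF(2^8); 0 maps to 0
        inv = _gf_mul(inv, x)
    s = inv
    for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_byte(x) for x in range(256)]

def _next_word(prev: bytes, i: int) -> bytes:
    """Transform of w[i-1] in the recurrence w[i] = w[i-4] ^ f(w[i-1], i)."""
    if i % 4:
        return prev
    rcon = 1
    for _ in range(i // 4 - 1):  # round constant 2^(i/4 - 1) in GF(2^8)
        rcon = _gf_mul(rcon, 2)
    t = bytes(SBOX[b] for b in prev[1:] + prev[:1])  # RotWord then SubWord
    return bytes([t[0] ^ rcon]) + t[1:]

def expand_key(key: bytes, rounds: int = 10) -> list[bytes]:
    """Return rounds+1 subkeys; rounds > 10 simply continues the same recurrence."""
    assert len(key) == 16
    w = [key[4 * j:4 * j + 4] for j in range(4)]
    for i in range(4, 4 * (rounds + 1)):
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], _next_word(w[i - 1], i))))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(rounds + 1)]

def recover_key(subkey: bytes, round_index: int) -> bytes:
    """Run the recurrence backwards: any one subkey determines the master key."""
    w = {4 * round_index + j: subkey[4 * j:4 * j + 4] for j in range(4)}
    for i in range(4 * round_index + 3, 3, -1):
        w[i - 4] = bytes(a ^ b for a, b in zip(w[i], _next_word(w[i - 1], i)))
    return b"".join(w[j] for j in range(4))
```

Because `recover_key` works from the 17th subkey of a 16-round schedule just as well as from the 11th of the standard one, the six extra subkeys add no key material that an attacker holding any one subkey would not already have.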