[147487] in cryptography@c2.net mail archive


Re: [Cryptography] AES-256- More NIST-y? paranoia

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Thu Oct 3 12:41:38 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <524D7A9C.5000809@gladman.plus.com>
Date: Thu, 3 Oct 2013 12:21:26 -0400
To: Brian Gladman <brg@gladman.plus.com>
Cc: Ray Dillinger <bear@sonic.net>, cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Oct 3, 2013, at 10:09 AM, Brian Gladman <brg@gladman.plus.com> wrote:
>> Leaving aside the question of whether anyone "weakened" it, is it
>> true that AES-256 provides comparable security to AES-128?
> 
> I may be wrong about this, but if you are talking about the theoretical
> strength of AES-256, then I am not aware of any attacks against it that
> come even remotely close to reducing its effective key length to 128
> bits.  So my answer would be 'no'.
There are *related key* attacks against full AES-192 and AES-256 with complexity 2^119.  http://eprint.iacr.org/2009/374 reports on improved versions of these attacks against *reduced round variants* of AES-256; for a 10-round variant of AES-256 (the same number of rounds as AES-128), the attacks have complexity 2^45 (under a "strong related sub-key" attack).

None of these attacks gain any advantage when applied to AES-128.

As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond any realistic attack, and no one would use a reduced-round version of AES-256.

As a *theoretical checkpoint on the strength of AES* ... the abstract says the results "raise[s] serious concern about the remaining safety margin offered by the AES family of cryptosystems".

The contact author on this paper, BTW, is Adi Shamir.

> But, having said that, I consider the use of AES-256 in place of AES-128
> to be driven more by marketing hype than by reality.  The theoretical
> strength of modern cryptographic algorithms is the least of our worries
> in producing practical secure systems.
100% agreement.
                                                        -- Jerry

