[25245] in cryptography@c2.net mail archive


Re: Status of attacks on AES?

daemon@ATHENA.MIT.EDU (John R. Black)
Thu May 11 09:59:15 2006

X-Original-To: cryptography@metzdowd.com
Date: Wed, 10 May 2006 23:22:33 -0600
From: "John R. Black" <John.Black@Colorado.EDU>
To: cryptography@metzdowd.com

> On 5/10/06, John R. Black <John.Black@colorado.edu> wrote:
> >I skimmed this.  The start of the article says that after 3 rounds AES
> >achieves perfect diffusion?!
> 
> No, it says their old ASD could not distinguish encrypted data from
> random after 3 rounds.
> 
> -- 
> Taral <taralx@gmail.com>
> "You can't prove anything."
>    -- Gödel's Incompetence Theorem

----- End forwarded message -----


I was referring to this statement from the article:

    Data inputs with a single-bit difference spread over the entire data
    block or key and encrypted with the AES cannot be distinguished from
    random after more than 2 rounds, which made many cryptographers
    believe for many years that 3 rounds of the AES achieve complete
    diffusion.

I don't think any cryptographer believed for 10 seconds that AES achieved
"complete diffusion" after three rounds if that means it "cannot be
distinguished from random."  There is not only a distinguishing attack on
_FOUR_ rounds of AES, but a key-recovery attack.  And it was given in the
Rijndael spec, so certainly was known before the AES was even named.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
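The two claims argued over above (full diffusion of a one-bit difference after two rounds versus distinguishability from random after three and four rounds) can be checked directly on a reduced-round AES. The following is an added example, not code from the post or the article it quotes: a small pure-Python AES-128 whose round count is a parameter, plus two checks. `differing_bytes` counts how many ciphertext bytes change when one plaintext bit flips after r rounds with MixColumns in every round; `integral_sum_is_zero` runs the integral (Square) test from the Rijndael specification, encrypting 256 plaintexts that differ only in byte 0 and XORing the results. After three rounds every byte of that XOR sum is zero, which a random permutation would only do with probability 2^-128, so three-round AES is trivially distinguishable even though it has already achieved full byte diffusion. The test key is constructed for the demonstration.

```python
"""Reduced-round AES-128 with two textbook checks: how fast a one-bit
difference spreads, and the 3-round integral (Square) property that makes
reduced-round AES distinguishable from a random permutation.
Added example (not from the mailing-list post); pure Python, no dependencies."""

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _gf_inv(a):
    """Multiplicative inverse computed as a^254 (the inverse of 0 is taken as 0)."""
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def _make_sbox():
    """Build the AES S-box: field inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        b = _gf_inv(x)
        s = b
        for i in range(1, 5):  # XOR b rotated left by 1, 2, 3 and 4 bits
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def _expand_key(key):
    """AES-128 key schedule; returns 11 round keys of 16 bytes (column-major)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    # State index is 4*col + row; row r rotates left by r positions.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(_gf_mul(a[r], 2) ^ _gf_mul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes_encrypt(block, key, rounds=10, mix_last=False):
    """Encrypt one 16-byte block with `rounds` AES rounds (10 = real AES-128).
    The last round omits MixColumns, as in the standard, unless mix_last."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, rounds + 1):
        s = _shift_rows(_sub_bytes(s))
        if r < rounds or mix_last:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def differing_bytes(key, rounds):
    """Number of output bytes that change when one plaintext bit flips,
    after `rounds` full rounds (MixColumns kept in every round)."""
    p0 = bytes(16)
    p1 = bytes([1]) + bytes(15)  # single-bit difference in byte 0
    c0 = aes_encrypt(p0, key, rounds, mix_last=True)
    c1 = aes_encrypt(p1, key, rounds, mix_last=True)
    return sum(x != y for x, y in zip(c0, c1))

def integral_sum_is_zero(key, rounds):
    """Integral (Square) test: encrypt the 256 plaintexts that differ only in
    byte 0 and XOR all ciphertexts. After 3 rounds every byte XORs to 0; a
    random permutation (or 4 or more rounds) does that with prob. 2^-128."""
    acc = [0] * 16
    for v in range(256):
        c = aes_encrypt(bytes([v]) + bytes(15), key, rounds)
        acc = [a ^ b for a, b in zip(acc, c)]
    return all(a == 0 for a in acc)

if __name__ == "__main__":
    key = bytes(range(16))  # constructed demonstration key
    for r in (1, 2, 3):
        print(f"{r} round(s): {differing_bytes(key, r)} of 16 output bytes change")
    for r in (3, 4):
        print(f"{r} rounds: integral XOR-sum all zero = {integral_sum_is_zero(key, r)}")
```

Running it shows 4 changed bytes after one round and all 16 after two, which is the "complete diffusion" the article is talking about, and an all-zero integral sum after three rounds but not after four. The fourth round's S-box destroys the balance, which is exactly what the Square key-recovery attack on four rounds exploits; the point for the reader is that byte-level diffusion and indistinguishability from random are different properties, and the gap between them is why the full cipher has ten rounds rather than three.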
