Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-09 Thread Arnold Reinhold
On Oct 7, 2013, at 12:55 PM, Jerry Leichter wrote: On Oct 7, 2013, at 11:45 AM, Arnold Reinhold a...@me.com wrote: If we are going to always use a construction like AES(KDF(key)), as Nico suggests, why not go further and use a KDF with variable length output like Keccak to replace the AES

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-09 Thread Jerry Leichter
On Oct 8, 2013, at 6:10 PM, Arnold Reinhold wrote: On Oct 7, 2013, at 12:55 PM, Jerry Leichter wrote: On Oct 7, 2013, at 11:45 AM, Arnold Reinhold a...@me.com wrote: If we are going to always use a construction like AES(KDF(key)), as Nico suggests, why not go further and use a KDF with

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-08 Thread Bill Stewart
On Oct 4, 2013, at 12:20 PM, Ray Dillinger wrote: So, it seems that instead of AES256(key) the cipher in practice should be AES256(SHA256(key)). Is it not the case that (assuming SHA256 is not broken) this defines a cipher effectively immune to the related-key attack? So you're

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-08 Thread Grégory Alvarez
On 7 Oct 2013 at 17:45, Arnold Reinhold a...@me.com wrote: other cipher algorithms are unlikely to catch up in performance in the foreseeable future You should take a look at this algorithm : http://eprint.iacr.org/2013/551.pdf - The block size is variable and unknown from an attacker. -

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-07 Thread Phillip Hallam-Baker
On Thu, Oct 3, 2013 at 12:21 PM, Jerry Leichter leich...@lrw.com wrote: On Oct 3, 2013, at 10:09 AM, Brian Gladman b...@gladman.plus.com wrote: Leaving aside the question of whether anyone weakened it, is it true that AES-256 provides comparable security to AES-128? I may be wrong about

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-07 Thread Faré
On Sun, Oct 6, 2013 at 9:10 PM, Phillip Hallam-Baker hal...@gmail.com wrote: I am even starting to think that maybe we should start using the NSA checksum approach. Incidentally, that checksum could be explained simply by padding prepping an EC encrypted session key. PKCS#1 has similar stuff

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-07 Thread Arnold Reinhold
If we are going to always use a construction like AES(KDF(key)), as Nico suggests, why not go further and use a KDF with variable length output like Keccak to replace the AES key schedule? And instead of making provisions to drop in a different cipher should a weakness be discovered in AES,

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-07 Thread Jerry Leichter
On Oct 7, 2013, at 11:45 AM, Arnold Reinhold a...@me.com wrote: If we are going to always use a construction like AES(KDF(key)), as Nico suggests, why not go further and use a KDF with variable length output like Keccak to replace the AES key schedule? And instead of making provisions to

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-07 Thread Nico Williams
On Mon, Oct 07, 2013 at 11:45:56AM -0400, Arnold Reinhold wrote: If we are going to always use a construction like AES(KDF(key)), as Nico suggests, why not go further and use a KDF with variable length output like Keccak to replace the AES key schedule? And instead of Note, btw, that Keccak is

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-06 Thread Nico Williams
On Fri, Oct 4, 2013 at 11:20 AM, Ray Dillinger b...@sonic.net wrote: So, it seems that instead of AES256(key) the cipher in practice should be AES256(SHA256(key)). More like: use a KDF and separate keys (obtained by applying a KDF to a root key) for separate but related purposes. For example,

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-05 Thread Ray Dillinger
On 10/03/2013 06:59 PM, Watson Ladd wrote: On Thu, Oct 3, 2013 at 3:25 PM, leich...@lrw.com wrote: On Oct 3, 2013, at 12:21 PM, Jerry Leichter leich...@lrw.com wrote: As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-05 Thread Jerry Leichter
On Oct 4, 2013, at 12:20 PM, Ray Dillinger wrote: So, it seems that instead of AES256(key) the cipher in practice should be AES256(SHA256(key)). Is it not the case that (assuming SHA256 is not broken) this defines a cipher effectively immune to the related-key attack? Yes, but think about

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-04 Thread Watson Ladd
On Thu, Oct 3, 2013 at 3:25 PM, leich...@lrw.com wrote: On Oct 3, 2013, at 12:21 PM, Jerry Leichter leich...@lrw.com wrote: As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond any

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread Ray Dillinger
On 10/02/2013 02:13 PM, Brian Gladman wrote: The NIST specification only eliminated Rijndael options - none of the Rijndael options included in AES were changed in any way by NIST. Leaving aside the question of whether anyone weakened it, is it true that AES-256 provides comparable security

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread ianG
I know others have already knocked this one down, but we are now in an area where conspiracy theories are real, so for avoidance of doubt... On 2/10/13 00:58 AM, Peter Fairbrother wrote: AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256. AES-256 is

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread Brian Gladman
On 03/10/2013 04:13, Ray Dillinger wrote: On 10/02/2013 02:13 PM, Brian Gladman wrote: The NIST specification only eliminated Rijndael options - none of the Rijndael options included in AES were changed in any way by NIST. Leaving aside the question of whether anyone weakened it, is it

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread Jerry Leichter
On Oct 3, 2013, at 10:09 AM, Brian Gladman b...@gladman.plus.com wrote: Leaving aside the question of whether anyone weakened it, is it true that AES-256 provides comparable security to AES-128? I may be wrong about this, but if you are talking about the theoretical strength of AES-256, then

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread Tony Arcieri
On Wed, Oct 2, 2013 at 8:13 PM, Ray Dillinger b...@sonic.net wrote: Leaving aside the question of whether anyone weakened it, is it true that AES-256 provides comparable security to AES-128? No, there's a common misconception that the related key attacks make AES-256 worse than AES-128

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-03 Thread leichter
On Oct 3, 2013, at 12:21 PM, Jerry Leichter leich...@lrw.com wrote: As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond any realistic attack, and no one would use a reduced-round version

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread Jerry Leichter
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother wrote: [and why doesn't AES-256 have 256-bit blocks???] Because there's no security advantage, but a practical disadvantage. When blocks are small enough, the birthday paradox may imply repeated blocks after too short a time to be comfortable.

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread John Kelsey
On Oct 1, 2013, at 5:58 PM, Peter Fairbrother zenadsl6...@zen.co.uk wrote: AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256. AES-256 is supposed to have a brute force work factor of 2^256 - but we find that in fact it actually has a very similar

Re: [Cryptography] AES-256- More NIST-y? paranoia

2013-10-02 Thread Brian Gladman
On 02/10/2013 13:58, John Kelsey wrote: On Oct 1, 2013, at 5:58 PM, Peter Fairbrother zenadsl6...@zen.co.uk wrote: AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256. AES-256 is supposed to have a brute force work factor of 2^256 - but we find that

[Cryptography] AES-256- More NIST-y? paranoia

2013-10-01 Thread Peter Fairbrother
AES, the latest-and-greatest block cipher, comes in two main forms - AES-128 and AES-256. AES-256 is supposed to have a brute force work factor of 2^256 - but we find that in fact it actually has a very similar work factor to that of AES-128, due to bad subkey scheduling. Thing is, that