I skimmed this. The start of the article says that after 3 rounds AES achieves perfect diffusion?!
1. It's "complete diffusion", not "perfect diffusion". Perfect diffusion is a property meaning something completely different. 2. My post incorrectly stated that cryptographers believed that the AES achieved complete diffusion after 3 rounds. In fact, in Rijndael complete diffusion (every bit influences every bit in the block or state) is achieved by the end of the second round. I have corrected the post.
A simple square attack (that I teach in class in about 60 mins) recovers the key of 4-round AES with 256 chosen-plaintexts. The six-round attack isn't too much harder.
Isn't what you are referring to called "secure number of rounds"? In other words the number of rounds after which no known attack exists that can break the cipher faster than brute-forcing the key?

It looks like I have no choice but to invent a new term, "PRF rounds" - the number of rounds after which each function that defines the value of each bit of the block/state/output is a pseudo-random function (PRF) of all the bits of the block/state/key/input, in other words a function indistinguishable from random by any existing general purpose randomness tests. Of course dedicated randomness tests exploiting the cipher structure and utilising a significant amount of computational resources could be effective in distinguishing a larger number of rounds from random, but that's in the area of the "secure number of rounds" research. "PRF rounds" is usually larger than the "complete diffusion rounds". For most good ciphers it's usually somewhere between the "complete diffusion rounds" and the "secure rounds", but for some ciphers it's either way over the "secure rounds" or it never happens at all (LILI, KeeLoq, Trivium, etc). Some ciphers maintain sparsity of their functions or their distinguishability from random even if iterated perpetually.

I have corrected all the articles:
http://defectoscopy.com/forum/viewtopic.php?t=3
http://defectoscopy.com/results.html
http://defectoscopy.com/background.html

Ruptor
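The corrected claim in this thread, that Rijndael reaches complete diffusion by the end of the second round, can be checked directly. The following is an added example, not code from any of the posts or from defectoscopy.com: it implements one AES round (S-box generated from the FIPS-197 definition, key schedule replaced by a fixed constructed round key, which does not change how differences propagate) and counts, for each plaintext bit, how many of the 128 state bits it can influence after r rounds.

```python
"""AES diffusion per round (added example, not code from the thread). Counts how many
of the 128 state bits each plaintext bit influences after r rounds. A fixed constructed
round key stands in for the key schedule; that does not change how differences spread."""
import random

def _gen_sbox():  # AES S-box: GF(2^8) inverse followed by the affine map (FIPS-197 5.1.1)
    sbox, p, q = [0x63] + [0] * 255, 1, 1  # 0 has no inverse and maps to 0x63
    while True:  # loop invariant: p * q == 1 in GF(2^8)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF      # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)    # affine map as rotate-XORs
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            return sbox
SBOX = _gen_sbox()

def _xtime(a):  # multiply by x in GF(2^8) mod x^8 + x^4 + x^3 + x + 1
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF

def aes_round(state, round_key=bytes(16)):  # one full round; state is column-major, state[row + 4*col]
    s = [SBOX[b] for b in state]                                        # SubBytes
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
    out = []
    for c in range(4):                                                  # MixColumns
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        t = a0 ^ a1 ^ a2 ^ a3
        out += [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
    return bytes(o ^ k for o, k in zip(out, round_key))                 # AddRoundKey

def influence_counts(rounds, samples=48, seed=1):  # per input bit: output bits flipped in >= 1 sample
    rng = random.Random(seed)  # seeded so the result is reproducible
    key = bytes(rng.randrange(256) for _ in range(16))  # constructed round key, reused every round
    counts = []
    for i in range(128):
        seen = 0
        for _ in range(samples):
            a = bytes(rng.randrange(256) for _ in range(16))  # constructed random plaintext
            b = bytes(a[j] ^ (1 << (i % 8) if j == i // 8 else 0) for j in range(16))  # flip bit i
            for _ in range(rounds):
                a, b = aes_round(a, key), aes_round(b, key)
            seen |= int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
        counts.append(bin(seen).count("1"))
    return counts

if __name__ == "__main__":
    for r in (1, 2, 3):
        print(r, "round(s): output bits reached per input bit:", sorted(set(influence_counts(r))))
```

After one round every input bit reaches exactly 32 output bits (a single column); after two rounds every input bit reaches all 128, which is the corrected figure given above.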
