On Thu, Oct 31, 2013 at 10:02 PM, Hauke Laging
<mailinglis...@hauke-laging.de> wrote:
> On Thu 31.10.2013, 16:31:02, Daniel Kahn Gillmor wrote:
>
>> http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
>
> There is one point I don't understand:
>
> [3.6 Recommendations]
>
> "there is general agreement this should be above the 100-bit level"
>
> "for long term use AES-256"
>
> But this http://eprint.iacr.org/2009/317 (mentioned by the German Wikipedia
> article for AES) claims that AES-256 was down to 99.5 bits.

That attack is only valid if different messages have related keys. If
the keys are chosen randomly, the attack does not apply. I'm not aware
of any crypto system that implements AES with related keys (though if
anyone knows of some, I'd like to know so I can avoid it).

See https://en.wikipedia.org/wiki/Related-key_attack and
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security
for details.

According to the Wiki, the best attack on full-round AES-256 not using
related keys requires 2^254.4 operations (see
https://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf).

Cheers!
-Pete

-- 
Pete Stephenson
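An added illustration of the distinction Pete draws above (not part of the original message or of any GnuPG code): the "related keys" the 2009/317 attack assumes are keys that differ by a difference known to the attacker, which an ad-hoc "master key XOR counter" scheme produces, whereas deriving each per-message key through HKDF (RFC 5869, here implemented with the standard library) leaves no known relation between any two keys. Function names and the "msg-key-N" info labels are this example's own choices.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) using HMAC-SHA256 only."""
    # Extract: an empty salt is replaced by HashLen zero bytes, as the RFC specifies.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated until `length` bytes.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def related_keys(master: bytes, n: int) -> list[bytes]:
    """Constructed 'do not do this' scheme: key_i = master XOR i.

    Any two keys differ by key_i XOR key_j = i XOR j, a difference an attacker
    knows without knowing the master key: exactly the key relation a
    related-key attack presupposes.
    """
    keys = []
    for i in range(n):
        delta = i.to_bytes(len(master), "big")
        keys.append(bytes(a ^ b for a, b in zip(master, delta)))
    return keys


def independent_keys(master: bytes, n: int) -> list[bytes]:
    """Per-message AES-256 keys derived with HKDF and a distinct info string each.

    Without the master key, no key_i XOR key_j (or any other relation) is
    predictable, so a related-key attack has nothing to work with.
    """
    return [hkdf_sha256(master, b"", b"msg-key-%d" % i, 32) for i in range(n)]


def xor_difference(k1: bytes, k2: bytes) -> bytes:
    """The relation an attacker would need to know between two keys."""
    return bytes(a ^ b for a, b in zip(k1, k2))
```

The master key itself should of course still come from a CSPRNG (e.g. `secrets.token_bytes(32)`); HKDF only guarantees the derived keys are unrelated to each other, not that the master is random.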

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users