Re: [Cryptography] AES state of the art...
On Mon, 9 Sep 2013 14:18:41 +0300 Alexander Klimov wrote:
> On Sun, 8 Sep 2013, Perry E. Metzger wrote:
> > What's the current state of the art of attacks against AES? Is the
> > advice that AES-128 is (slightly) more secure than AES-256, at
> > least in theory, still current?
>
> I am not sure what is the exact attack you are talking about, but I
> guess you misunderstood the result that says: "the attack works
> against AES-256, but not against AES-128" as meaning that AES-128
> is more secure. It can be the case that to break AES-128 the attack
> needs 2^240 time, while to break AES-256 it needs 2^250 time. Here
> AES-128 is not technically broken, since 2^240 > 2^128, but AES-256
> is broken, since 2^250 < 2^256, OTOH, AES-256 is still more secure
> against the attack.
>

There is a related key attack against AES-256 that breaks it in order
2^99.5, far worse than 2^250! However, several people seem to have
assured me (in private email) that they think such related key
attacks are not important in practice.

Perry
--
Perry E. Metzger pe...@piermont.com
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] AES state of the art...
On Sun, Sep 8, 2013 at 3:33 PM, Perry E. Metzger wrote:
> What's the current state of the art of attacks against AES? Is the
> advice that AES-128 is (slightly) more secure than AES-256, at least
> in theory, still current?

No. I assume that advice comes from related key attacks on AES, and
Bruce Schneier's blog posts about them:

https://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html
https://www.schneier.com/blog/archives/2009/07/another_new_aes.html

For some reason people read these blog posts and thought, for whatever
reason, that Schneier recommends AES-128 over AES-256. However, that is
not the case. Here's a relevant page from Schneier's book Cryptography
Engineering in which he recommends AES-256 (or switching to an
algorithm without known attacks):

https://pbs.twimg.com/media/BEvLoglCcAAqg4E.jpg

--
Tony Arcieri
Re: [Cryptography] AES state of the art...
On Sun, 8 Sep 2013, Perry E. Metzger wrote:
> What's the current state of the art of attacks against AES? Is the
> advice that AES-128 is (slightly) more secure than AES-256, at least
> in theory, still current?

I am not sure what is the exact attack you are talking about, but I
guess you misunderstood the result that says: "the attack works
against AES-256, but not against AES-128" as meaning that AES-128 is
more secure. It can be the case that to break AES-128 the attack
needs 2^240 time, while to break AES-256 it needs 2^250 time. Here
AES-128 is not technically broken, since 2^240 > 2^128, but AES-256
is broken, since 2^250 < 2^256, OTOH, AES-256 is still more secure
against the attack.

--
Regards,
ASK
[Cryptography] AES state of the art...
What's the current state of the art of attacks against AES? Is the
advice that AES-128 is (slightly) more secure than AES-256, at least
in theory, still current?

(I'm also curious as to whether anyone has ever proposed fixes to the
weaknesses in the key schedule...)

Perry
--
Perry E. Metzger pe...@piermont.com