Status of attacks on AES?

John R. Black John.Black at Colorado.EDU
Thu May 11 01:22:33 EDT 2006


> On 5/10/06, John R. Black <John.Black at colorado.edu> wrote:
> >I skimmed this.  The start of the article says that after 3 rounds AES
> >achieves perfect diffusion?!
> 
> No, it says their old ASD could not distinguish encrypted data from
> random after 3 rounds.
> 
> -- 
> Taral <taralx at gmail.com>
> "You can't prove anything."
>    -- Gödel's Incompetence Theorem

----- End forwarded message -----


I was referring to this statement from the article:

    Data inputs with a single-bit difference spread over the entire data
    block or key and encrypted with the AES cannot be distinguished from
    random after more than 2 rounds, which made many cryptographers
    believe for many years that 3 rounds of the AES achieve complete
    diffusion.

I don't think any cryptographer believed for 10 seconds that AES achieved
"complete diffusion" after three rounds if that means it "cannot be
distinguished from random."  There is not only a distinguishing attack on
_FOUR_ rounds of AES, but a key-recovery attack.  And it was given in the
Rijndael spec, so certainly was known before the AES was even named.
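The distinction drawn above (every byte being touched by a difference versus the output being indistinguishable from random) is easy to see in code. The following is an added example, not part of this thread or of the Rijndael specification: a plain AES-128 with a configurable round count (checked against the FIPS-197 test vector at 10 rounds), a function that counts how many ciphertext bytes change after a single-bit plaintext flip, and the textbook integral (zero-sum) property that the Rijndael submission used as the basis of its reduced-round distinguisher. The convention here is that `rounds` counts rounds applied, with the last one omitting MixColumns, so 10 rounds is standard AES-128; the demo key is a constructed value.

```python
# Added example (not from the thread): reduced-round AES-128 to illustrate
# "all bytes affected" versus "indistinguishable from random".

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox():
    """Derive the AES S-box: multiplicative inverse, then the fixed affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s, v = inv, inv
        for _ in range(4):            # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

# State is a 16-byte list in column-major order: index = 4*column + row.
def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    # Row r is rotated left by r positions, so new column c takes old column c+r.
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            _gf_mul(a[0], 2) ^ _gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gf_mul(a[1], 2) ^ _gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gf_mul(a[2], 2) ^ _gf_mul(a[3], 3),
            _gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ _gf_mul(a[3], 2),
        ]
    return out

def _expand_key(key):
    """AES-128 key schedule; returns 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_rounds(block, key, rounds):
    """Encrypt one 16-byte block with `rounds` rounds (last round without MixColumns)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, rounds):
        s = _mix_columns(_shift_rows(_sub_bytes(s)))
        s = [b ^ k for b, k in zip(s, rk[r])]
    s = _shift_rows(_sub_bytes(s))
    return bytes(b ^ k for b, k in zip(s, rk[rounds]))

def bytes_affected(key, rounds, base, bit):
    """Number of ciphertext bytes that change when plaintext bit `bit` is flipped."""
    flipped = bytearray(base)
    flipped[bit // 8] ^= 1 << (bit % 8)
    c0 = encrypt_rounds(base, key, rounds)
    c1 = encrypt_rounds(bytes(flipped), key, rounds)
    return sum(1 for x, y in zip(c0, c1) if x != y)

def integral_xor_sum(key, rounds, const=bytes(16)):
    """XOR of the ciphertexts of 256 plaintexts that differ only in byte 0.

    For a random permutation this sum is all-zero with probability 2^-128;
    for 3-round AES it is all-zero every time, which is the distinguisher.
    """
    acc = [0] * 16
    for v in range(256):
        for i, b in enumerate(encrypt_rounds(bytes([v]) + const[1:], key, rounds)):
            acc[i] ^= b
    return bytes(acc)

if __name__ == "__main__":
    key = bytes(range(16))   # constructed demo key, not a real secret
    for n in (1, 2, 3, 4):
        print(n, "rounds: bytes changed by a 1-bit flip =",
              bytes_affected(key, n, bytes(16), 0),
              "| integral XOR-sum =", integral_xor_sum(key, n).hex())
```

Running it shows the single-bit difference reaching 1, 4 and then all 16 bytes at 1, 2 and 3 rounds, which is the "complete diffusion" the article refers to; yet the 3-round XOR-sum is identically zero, a property no random permutation has, so 3 rounds are trivially distinguishable. At 4 rounds the sum is no longer structured, but that is the point where the Rijndael spec's key-recovery attack (guessing last-round key bytes and checking the 3-round property) applies.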

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
