[Cryptography] AES-256- More NIST-y? paranoia
Jerry Leichter
leichter at lrw.com
Thu Oct 3 12:21:26 EDT 2013
On Oct 3, 2013, at 10:09 AM, Brian Gladman <brg at gladman.plus.com> wrote:
>> Leaving aside the question of whether anyone "weakened" it, is it
>> true that AES-256 provides comparable security to AES-128?
>
> I may be wrong about this, but if you are talking about the theoretical
> strength of AES-256, then I am not aware of any attacks against it that
> come even remotely close to reducing its effective key length to 128
> bits. So my answer would be 'no'.
There are *related key* attacks against full AES-192 and AES-256 with complexity 2^119. http://eprint.iacr.org/2009/374 reports on improved versions of these attacks against *reduced round variants" of AES-256; for a 10-round variant of AES-256 (the same number of rounds as AES-128), the attacks have complexity 2^45 (under a "strong related sub-key" attack).
None of these attacks gain any advantage when applied to AES-128.
As *practical attacks today*, these are of no interest - related key attacks only apply in rather unrealistic scenarios, even a 2^119 strength is way beyond any realistic attack, and no one would use a reduced-round version of AES-256.
As a *theoretical checkpoint on the strength of AES* ... the abstract says the results "raise[s] serious concern about the remaining safety margin offered by the AES family of cryptosystems".
The contact author on this paper, BTW, is Adi Shamir.
> But, having said that, I consider the use of AES-256 in place of AES-128
> to be driven more by marketing hype than by reality. The theoreticaal
> strength of modern cryptographic algorithms is the least of our worries
> in producing practical secure systems.
100% agreement.
-- Jerry
More information about the cryptography
mailing list